“This is how it happened,” said Tas Jalali, AC Transit’s head of cybersecurity, in an interview with Industry Insider — California. “I was hired in late 2019, early 2020 to build the cybersecurity practice. At that point, AC Transit was running a traditional security email gateway. I do not want to mention the vendor, but it was not effective; there were a lot of challenges with it.”
“Within a week of me joining, we discovered there was an ongoing ATO (account takeover) attack, and it was impacting the entire issue of transit, because that guy managed to compromise the inbox email box of some important person, and then they were able to kind of move laterally, because the email is coming from person A to person B within a strand that another person is trusting and clicking on the link, and so it kind of was spreading now,” Jalali said.
“The problem was, it was affecting almost 1,000 users, but … the bigger problem was that now it was also affecting our partners — all the transit agencies … so it was kind of getting out of control,” he said. “We needed a solution which would do two things pretty quick: One, kind of stop the bleeding, it needed to be deployed pretty quick. We didn’t have time to build a secure email gateway, build the rules, build the policies — that was not an option. Second, we needed to prevent this bleeding that was happening — the spread. And third, we needed to remediate what had happened — all these phishing emails that were sitting in these thousands of users’ inboxes. We didn’t have time to go and figure out which email inbox has this phishing email or link. … So I researched solutions, I was already looking into kind of replacing the vendor.”
That’s where Abnormal Security stepped in. Jon Jardim, Abnormal’s senior account rep, acknowledged the urgency of AC Transit’s problem:
“They had a need,” Jardim told Industry Insider — California. “They came to us, and we were able to show value — that we could basically … solve their problems within just a few days. Working with their team was great. They were very communicative and saw the value in getting everything, including our contracts, wrapped up to happen in just a few months. So, it was a very seamless transaction. They’ve been kind of a very close partner. And since then, they’ve tried some beta products.”
Jalali said he contacted Abnormal.
“I needed a solution that would be easy and fast to deploy and help us with remediation,” Jalali said. “We looked at three other vendors in the same space. … The reason we chose Abnormal was obviously this team was supportive.” He said Abnormal involved its senior executives and senior engineers on calls almost every day, learning about the problem and figuring out how to address it.
Now, almost three years later, Jalali reflected on the project and why he chose Abnormal.
“A few things about Abnormal: No. 1, the solution was very quick, fast and easy to deploy. No. 2, it offered this clawback feature which allowed us to get in and remediate the infected mailboxes. And No. 3 is the team was very responsive. Like I said, the speed was important, and the team was very responsive, very supportive, understanding our needs. So, that’s where we decided to move forward with the goal,” he said.
Jalali continued: “As we move forward with Abnormal, there are other things that really are nice. No. 1 was reporting — figure out how many spearphishing attacks, who’s being targeted, how often, and what kind of attacks. It uses an intelligence to kind of figure out, based on the conversation, based on the behavior. For example, user A sends an email to user B, usually from San Francisco, now user A suddenly sends an email from New York or from Paris. Obviously, that’s kind of an anomaly, and this tool automatically detects these are problems.”
Jardim noted that Abnormal’s solution covered inbound email and account protection.
“We recently added new functionality as well,” he said. “So we definitely have a close partnership with them that continues. They have the full suite now, and we do have some really exciting stuff coming out relatively soon — nothing that they’ve committed to yet or anything on offer, but this next year is going to be big for our company. In terms of the innovation, we’re doing and realizing some of the broader product road maps we have, putting the $210 million we just raised to work right by investing in the product. I could definitely see them continuing to invest in the relationship and, you know, purchasing more of the products that we’re continuing to roll out.”
Jalali said the implementation was a success by any measure.
“It was pretty quick,” Jalali said. “That’s what I really liked. It really didn’t take more than five hours to kind of really get it up and running, to kind of fine-tune it. All the process took about a week. Boy, that’s quick. In pure honesty, I was planning to cut costs, and cutting Abnormal would be part of that cost-cutting.
“But then we did the cost-benefit analysis, and it didn’t really make any sense to take Abnormal out and, you know, increase the risk. Our cyber exposure would have significantly gone up had we removed Abnormal.
“So Abnormal stays at AC Transit.”