Introducing Three New Knowledge Bases and the Email Security Posture Management Add-On
Over 70% of organizations have made the move to cloud email, and they’re seeing the benefits: endless interoperability, seamless collaboration, and better employee productivity. There’s something magical about the way SaaS solutions can work with email for a 1+1 = 3 effect. For example, these days, I’m enjoying using a new productivity app that automatically changes my Slack status and blocks my calendar during peak focus hours.
Third-party applications like the one I installed rely on read/write access to employee calendars and email. They gain access to employee mailboxes through a quick and simple authorization flow that grants the app permission to take dozens of actions within email and calendar on my behalf. Productivity-focused third-party applications can make employees more productive and happier, but they also inadvertently open an entry point that malicious attackers could exploit. If attackers discovered the credentials that I use for this third-party productivity app, they could use this entry point to move laterally into my Microsoft 365 account itself, where they could carry out further social engineering attacks on fellow employees.
This is only one example of an increasingly common type of email attack—one that we at Abnormal Security are coining an “email platform attack.” Unlike inbound email attacks that target accounts by sending an email, an email platform attack utilizes unguarded entry points within a cloud email platform to access either an individual account or the entire email platform. The configurations that govern access to cloud email platforms, such as which applications have permissions in the environment and which groups of users can have administrator roles, are the primary vehicle through which enterprises can manage the risks of their entry points today. But unfortunately, email platform attacks continue to rise because cloud configurations have become exceedingly difficult for security teams to track and manage.
Every company has a set of security principles they strive to enforce to guard their exposure points, like MFA everywhere, the principle of least privilege, and privacy reviews of all third-party applications that have access to sensitive data, to name a few. But security teams often struggle to align the reality of the enterprise’s cloud email configurations to the vision of security goals for three primary reasons:
- Security teams share responsibility for the configuration and management of cloud email platforms and must work alongside IT and messaging teams with differing priorities.
- Information about the most business-critical cloud email configuration settings is often scattered across multiple control panes that can be difficult to find.
- Existing posture management solutions—whether they are manual, home-baked fixes, native cloud solutions, or third-party security tools—are incredibly noisy and overwhelming to manage. Their hallmarks are minimal business context, low explainability, and long to-do lists.
The Abnormal Solution to the Posture Management Problem
Abnormal Security started four years ago to better protect enterprises from the advanced, socially-engineered email attacks that were bypassing legacy solutions. In order to do this better than any other solution, we integrated with the cloud email platforms (Microsoft or Google) via an API, allowing our detection system to ingest tens of thousands of activity and context signals about each employee, vendor, and third-party application in the environment.
While we focused our first set of products on applying this intelligence to the still-growing problem of inbound email attacks, our latest solution extends this identity and context-focused detection to the protection of the entire email platform.
Today, we’re excited to introduce three new Knowledge Bases and a new add-on product called Email Security Posture Management.
Risk Visibility Starts with Three New Knowledge Bases
Increased visibility into email platform entry points begins with three new no-cost Knowledge Bases, now available to all customers as part of the Abnormal platform. Starting today, any organization that deploys the Abnormal platform in their Microsoft 365 environment will receive access not only to the previously available VendorBase, but also to AppBase, PeopleBase, and TenantBase.
These Knowledge Bases ingest signals derived from the API integration with Microsoft 365 to present comprehensive profiles of each employee, vendor, third-party application, and email tenant.
PeopleBase: Provides a directory of each of the active users in the environment. It uses contextual, behavioral data to build a dynamic user genome. PeopleBase also provides an activity timeline of recent events, including sign-on patterns, suspicious email activity, and more.
VendorBase: Offers a database of every vendor the organization collaborates with over email, with recent email communications, key contacts, a federated risk score, and more.
TenantBase: Provides a catalog of each of the email tenants Abnormal Security protects and the relevant permissions governing access to them.
AppBase: Provides a running inventory of all of the third-party applications that have access to data within Microsoft 365, both add-in and enterprise. It offers a summary of important information about application permissions and data access, as well as an activity timeline of recent events.
Using the Knowledge Bases is a quick and simple way for security teams to gain visibility into potential risk areas, such as a new third-party emoji application from an unverified publisher that provides read/write access to mailboxes, or a new user role assignment that provides global administrator rights. Each Knowledge Base is deep-linked to the others so, for example, clicking to view an Activity Timeline of a new third-party app in AppBase reveals more information about the user who installed it in PeopleBase.
Risk Visibility Continues with Email Security Posture Management
Email Security Posture Management improves the risk posture of cloud email environments by helping security teams understand and take action on configuration gaps and drifts. No painful manual efforts, spreadsheets, or PowerShell scripts are needed to perform discovery and mitigate risk.
Instead, Email Security Posture Management monitors the environment for high-risk configuration drifts—including privilege escalations, new third-party apps, and conditional access policy exceptions. Changes are highlighted in a dashboard in real time, allowing security teams to see the context of the change and identify the appropriate next steps in only one click. Email Security Posture Management can also alert security teams in real time to high-risk changes that may have bypassed typical approval workflows.
As changes occur, Email Security Posture Management allows security teams to acknowledge configuration shifts, clear those that are relatively low risk, and feel confident that the email platform’s entry points are well guarded.
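To make the three drift categories above concrete (new third-party apps with mailbox access, privilege escalations, and conditional access policy exceptions), here is an added example of the kind of comparison a posture monitor performs between two snapshots of a tenant's configuration. It is illustrative code written for this page, not Abnormal's product code or Microsoft's API: the snapshot layout, the scope and role names treated as high risk, and all of the sample app, user, and policy data are constructed for the example. In a real deployment the snapshots would be populated from the email platform's admin API rather than typed in.

```python
"""Constructed example: flag high-risk configuration drift between two
snapshots of a cloud email tenant (sample data only, not real tenant data)."""
from dataclasses import dataclass
from typing import Dict, List

# Delegated/application scopes that let an app read or alter mailbox data.
# Names mirror Microsoft Graph permission names but the set is an assumption.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Calendars.ReadWrite",
                    "MailboxSettings.ReadWrite"}
# Directory roles whose assignment counts as a privilege escalation.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Privileged Role Administrator"}


@dataclass(frozen=True)
class Finding:
    kind: str      # new_app | scope_added | role_added | ca_exclusion
    subject: str   # app name, principal, or policy name
    detail: str
    severity: str  # high | medium


def _app_severity(app: Dict, scopes) -> str:
    """Unverified publisher plus mailbox scopes is the worst case."""
    risky = HIGH_RISK_SCOPES & set(scopes)
    if risky and not app["publisher_verified"]:
        return "high"
    return "medium" if risky else "low"


def diff_apps(before: Dict, after: Dict) -> List[Finding]:
    old = {a["id"]: a for a in before["apps"]}
    findings = []
    for app in after["apps"]:
        scopes = set(app["scopes"])
        if app["id"] not in old:                       # brand-new app
            sev = _app_severity(app, scopes)
            if sev != "low":
                findings.append(Finding("new_app", app["name"],
                    f"installed by {app['installed_by']} with "
                    f"{sorted(scopes & HIGH_RISK_SCOPES)}", sev))
        else:                                          # existing app, new scopes
            risky = (scopes - set(old[app["id"]]["scopes"])) & HIGH_RISK_SCOPES
            if risky:
                findings.append(Finding("scope_added", app["name"],
                    f"gained {sorted(risky)}", _app_severity(app, risky)))
    return findings


def diff_roles(before: Dict, after: Dict) -> List[Finding]:
    old = {(r["role"], r["principal"]) for r in before["role_assignments"]}
    new = {(r["role"], r["principal"]) for r in after["role_assignments"]}
    return [Finding("role_added", principal, f"assigned {role}",
                    "high" if role in PRIVILEGED_ROLES else "medium")
            for role, principal in sorted(new - old)]


def diff_ca_exclusions(before: Dict, after: Dict) -> List[Finding]:
    """A principal newly excluded from a conditional access policy (e.g. MFA)."""
    findings = []
    for policy, excluded in after["ca_exclusions"].items():
        added = set(excluded) - set(before["ca_exclusions"].get(policy, []))
        for principal in sorted(added):
            findings.append(Finding("ca_exclusion", policy,
                                    f"{principal} excluded from policy", "high"))
    return findings


def detect_drift(before: Dict, after: Dict) -> List[Finding]:
    """All findings, highest severity first, then by kind and subject."""
    rank = {"high": 0, "medium": 1}
    findings = (diff_apps(before, after) + diff_roles(before, after)
                + diff_ca_exclusions(before, after))
    return sorted(findings, key=lambda f: (rank[f.severity], f.kind, f.subject))


# Constructed snapshots: yesterday's tenant state and today's.
BEFORE = {
    "apps": [
        {"id": "app-001", "name": "Calendar Sync", "publisher_verified": True,
         "scopes": ["Calendars.ReadWrite", "User.Read"],
         "installed_by": "it-admin@example.com"},
        {"id": "app-002", "name": "Focus Time Helper", "publisher_verified": True,
         "scopes": ["User.Read"], "installed_by": "alice@example.com"},
    ],
    "role_assignments": [
        {"role": "Global Administrator", "principal": "it-admin@example.com"},
        {"role": "Helpdesk Administrator", "principal": "bob@example.com"},
    ],
    "ca_exclusions": {"Require MFA for all users": ["break-glass@example.com"]},
}
AFTER = {
    "apps": [
        BEFORE["apps"][0],
        {"id": "app-002", "name": "Focus Time Helper", "publisher_verified": True,
         "scopes": ["User.Read", "Mail.ReadWrite"],      # scope creep
         "installed_by": "alice@example.com"},
        {"id": "app-003", "name": "Emoji Reactions", "publisher_verified": False,
         "scopes": ["Mail.ReadWrite", "Mail.Send"],     # unverified, mailbox access
         "installed_by": "carol@example.com"},
    ],
    "role_assignments": BEFORE["role_assignments"] + [
        {"role": "Global Administrator", "principal": "bob@example.com"}],
    "ca_exclusions": {"Require MFA for all users":
                      ["break-glass@example.com", "contractor@example.com"]},
}

if __name__ == "__main__":
    for f in detect_drift(BEFORE, AFTER):
        print(f"[{f.severity:6}] {f.kind:12} {f.subject}: {f.detail}")
```

Run as-is, the script reports four findings: the unverified emoji app with mailbox scopes, the new Global Administrator assignment, and the MFA policy exclusion as high, and the existing verified app's newly added Mail.ReadWrite scope as medium. Comparing an unchanged snapshot against itself yields nothing, which is the property that keeps such a monitor from becoming the noisy to-do list described earlier.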
The Business Impact of Improved Risk Visibility
We’re proud to extend Abnormal’s capabilities to help security teams gain the visibility needed to protect against the email platform attacks that seek to compromise their users, applications, and data. With real-time risk visibility into posture gaps, it’s that much easier for security teams to understand their potential entry and exit points, and take the right downstream actions to mitigate them.