
Introducing Three New Knowledge Bases and the Security Posture Management Add-On

Security Posture Management gives organizations insight into cloud configuration risks and gaps across user and app privileges.

November 15, 2022

Over 70% of organizations have made the move to cloud email, and they’re seeing the benefits: endless interoperability, seamless collaboration, and better employee productivity. There’s something magical about the way SaaS solutions can work with email for a 1+1 = 3 effect. For example, these days, I’m enjoying using a new productivity app that automatically changes my Slack status and blocks my calendar during peak focus hours.

Third-party applications like the one I installed use read/write access to employee calendars and email. They gain access to employee mailboxes through a quick and simple authorization flow that grants the app permission to take dozens of actions within email and calendar on my behalf. Productivity-focused third-party applications can make employees more productive and happier, but they also inadvertently open an entry point that ill-intentioned attackers could exploit. If attackers discovered the credentials I use for this third-party productivity app, they could use this entry point to move laterally into my Microsoft 365 account itself, where they could carry out further social engineering attacks on fellow employees.

This is only one example of an increasingly common type of email attack, one that we at Abnormal Security are coining an “email platform attack.” Unlike inbound email attacks that target accounts by sending an email, an email platform attack utilizes unguarded entry points within a cloud email platform to access either an individual account or the entire email platform. The configurations that govern access to cloud email platforms, such as which applications have permissions in the environment and which groups of users can have administrator roles, are the primary vehicle through which enterprises can manage the risks of their entry points today. But unfortunately, email platform attacks continue to rise because cloud configurations have become exceedingly difficult for security teams to track and manage.

Every company has a set of security principles they strive to enforce to guard their exposure points, like MFA everywhere, the principle of least privilege, and privacy reviews of all third-party applications that have access to sensitive data, to name a few. But security teams often struggle to align the reality of the enterprise’s cloud email configurations to the vision of security goals for three primary reasons:

  1. Security teams share responsibility for the configuration and management of cloud email platforms and must work alongside IT and messaging teams with differing priorities.
  2. Information about the most business-critical cloud email configuration settings is often scattered across multiple control panes that can be difficult to find.
  3. Existing posture management solutions—whether they are manual, home-baked fixes, native cloud solutions, or third-party security tools—are incredibly noisy and overwhelming to manage. Their hallmarks are minimal business context, low explainability, and long to-do lists.

The Abnormal Solution to the Posture Management Problem

Abnormal Security started four years ago to better protect enterprises from the advanced, socially-engineered email attacks that were bypassing legacy solutions. In order to do this better than any other solution, we integrated with the cloud email platforms (Microsoft or Google) via an API, allowing our detection system to ingest tens of thousands of activity and context signals about each employee, vendor, and third-party application in the environment.

While we focused our first set of products on applying this intelligence to the still-growing problem of inbound email attacks, our latest solution extends this identity and context-focused detection to the protection of the entire email platform.

Today, we’re excited to introduce three new Knowledge Bases and a new add-on product called Security Posture Management.

Risk Visibility Starts with Three New Knowledge Bases

Increased visibility into email platform entry points begins with three new no-cost Knowledge Bases, now available to all customers as part of the Abnormal platform. Starting today, any organization that deploys the Abnormal platform in their Microsoft 365 environment will receive access not only to the previously available VendorBase, but also AppBase, PeopleBase, and TenantBase.


These Knowledge Bases ingest signals derived from the API integration with Microsoft 365 to present comprehensive profiles of each employee, vendor, third-party application, and email tenant.

  • PeopleBase: Provides a directory of each of the active users in the environment. It uses contextual, behavioral data to build a dynamic user genome. PeopleBase also provides an activity timeline of recent events, including sign-on patterns, suspicious email activity, and more.

  • VendorBase: Offers a database of every vendor the organization collaborates with over email, with recent email communications, key contacts, a federated risk score, and more.

  • TenantBase: Provides a catalog of each of the email tenants Abnormal Security protects and the relevant permissions governing access to them.

  • AppBase: Provides a running inventory of all of the third-party applications that have access to data within Microsoft 365, both add-in and enterprise. It offers a summary of important information about application permissions and data access, as well as an activity timeline of recent events.


Using the Knowledge Bases is a quick and simple way for security teams to gain visibility into potential risk areas, such as a new third-party emoji application from an unverified publisher that provides read/write access to mailboxes, or a new user role assignment that provides global administrator rights. Each Knowledge Base is deep-linked to the others so, for example, clicking to view an Activity Timeline of a new third-party app in AppBase reveals more information about the user who installed it in PeopleBase.

Risk Visibility Continues with Security Posture Management

Security Posture Management improves the risk posture of cloud email environments by helping security teams understand and take action on configuration gaps and drifts. No painful manual efforts, spreadsheets, or PowerShell scripts are needed to perform discovery and mitigate risk.

Instead, Security Posture Management monitors the environment for high-risk configuration drifts, including privilege escalations, new third-party apps, and conditional access policy exceptions. Changes are highlighted in a dashboard in real time, allowing security teams to see the context of the change and identify the appropriate next steps in only one click. Security Posture Management can also alert security teams in real time to high-risk changes that may have bypassed typical approval workflows.
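To make the drift-monitoring idea concrete, here is an added example (not Abnormal's code) that compares two constructed snapshots of a tenant's configuration and scores the three kinds of change the post names: a new third-party app, a new role grant, and a conditional access exception. The role names, permission scopes, and snapshot fields are assumed labels for illustration, not any vendor's API.

```python
# Added example (not Abnormal's code): a minimal configuration-drift check for a
# cloud email tenant, scoring the high-risk changes the post names. Role, scope
# and snapshot field names are assumed labels, not any vendor's API.
HIGH_RISK_ROLES = {"Global Administrator", "Exchange Administrator"}
MAILBOX_WRITE_SCOPES = {"Mail.ReadWrite", "Calendars.ReadWrite"}


def detect_drift(before, after):
    """Return (kind, subject, severity) for each risky change between snapshots."""
    findings = []
    # 1. Third-party apps that appeared since the last snapshot.
    for app_id, app in after["apps"].items():
        if app_id in before["apps"]:
            continue
        writes = bool(MAILBOX_WRITE_SCOPES & set(app["scopes"]))
        unverified = not app["publisher_verified"]
        sev = "high" if writes and unverified else "medium" if writes else "low"
        findings.append(("new_app", app_id, sev))
    # 2. Directory roles newly granted to a user (privilege escalation).
    for user, roles in after["roles"].items():
        for role in set(roles) - set(before["roles"].get(user, [])):
            sev = "high" if role in HIGH_RISK_ROLES else "low"
            findings.append(("role_grant", f"{user}:{role}", sev))
    # 3. Users newly excluded from a conditional access policy.
    for name, policy in after["ca_policies"].items():
        old = set(before["ca_policies"].get(name, {}).get("excluded_users", []))
        for user in set(policy["excluded_users"]) - old:
            findings.append(("ca_exception", f"{name}:{user}", "high"))
    return findings


# Constructed snapshots mirroring the post's examples: an unverified emoji add-in
# with mailbox write access, a new Global Administrator, and an MFA policy exception.
BEFORE = {
    "apps": {"crm-sync": {"publisher_verified": True, "scopes": ["Mail.Read"]}},
    "roles": {"alice@example.com": ["User Administrator"]},
    "ca_policies": {"require-mfa": {"excluded_users": []}},
}
AFTER = {
    "apps": {
        "crm-sync": {"publisher_verified": True, "scopes": ["Mail.Read"]},
        "emoji-picker": {"publisher_verified": False, "scopes": ["Mail.ReadWrite"]},
    },
    "roles": {"alice@example.com": ["User Administrator", "Global Administrator"]},
    "ca_policies": {"require-mfa": {"excluded_users": ["bob@example.com"]}},
}


def high_risk_subjects(before=BEFORE, after=AFTER):
    # The subjects an analyst should review first: only "high" severity changes.
    return sorted(s for _, s, sev in detect_drift(before, after) if sev == "high")
```

In a real deployment the snapshots would be pulled from the tenant's admin APIs on a schedule; the scoring logic is what turns a raw diff into the short, explainable list the post argues for.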


As changes occur, Security Posture Management allows security teams to acknowledge configuration shifts, clear those that are relatively low risk, and feel confident that the email platform’s entry points are well guarded.


The Business Impact of Improved Risk Visibility

We’re proud to extend Abnormal’s capabilities to help security teams gain the visibility needed to protect against the email platform attacks that seek to compromise their users, applications, and data. With real-time risk visibility into posture gaps, it’s that much easier for security teams to understand their potential entry and exit points, and take the right downstream actions to mitigate them.

Discover more about Security Posture Management here or request a demo to see it in action.
