
Proactive Posture Management in a Reactive Security Landscape

Discover how Email Security Posture Management provides holistic cloud email security that protects both the inbox and those entry points beyond it.
March 9, 2023

“At What Point Are We Going to Experience a Data Breach?”

No, we aren’t asking about ourselves. That title is a direct quote from an Abnormal Security customer while they discussed current and future security concerns. The context for the quote is more important than the content, in that this customer operated in a highly regulated industry–think finance, healthcare, government–but was concerned about the rising tide of breaches across all sectors.

In 2022 alone, high-profile breaches have been increasingly concentrated at non-traditional targets: from retail giants to social media platforms to digital fashion houses to online wineries. While most organizations have made the investment in multiple security tools, controls, and processes, many of these new members of the “breached club” typically become more disciplined after an incident–hiring external cybersecurity firms to investigate how the breach occurred, investing in new tools and a larger in-house security team, and all of the other checklist items that should’ve happened before the breach.

But if you’re reading this, chances are you know all of this, right? The problem isn’t that your organization lacks the strategy. The problem is that lobbying for a larger security investment to execute that strategy often comes up short. The most frustrating part is often that the same people within your organization who put the brakes on security spending are also acutely aware of how critical security is to the continued success of the business.

What can be done? Well, it isn’t all bad news. There is certainly a way to do more with less through proactive security, specifically proactive security posture management–and more specifically, proactive email security posture management for the cloud email platform. Posture management, in general, has historically been a distributed task–stretched across the teams responsible for identity, app integration and hygiene, and line of business owners needing access to new digital tools.

As Abnormal introduces the Email Security Posture Management add-on, there is a case for security teams to be in the driver’s seat. This is doubly crucial when considering the thousands of user and privilege changes, app integrations and permissions, and mail tenant security policies that make up those hubs of communication and collaboration–cloud email platforms, the front door and town square of most organizations.

A Misconfiguration is Worth a Thousand Breaches

The vast majority of attacks over the past year began with either a phishing email that led to a malicious link or application download or some form of social engineering (which would be used to either bypass employee-configured MFA or help attackers embedded inside the organization gain elevated account privileges).

You may be thinking: those have nothing to do with misconfigurations, so what’s the point? Put a pin in that for one second, and we’ll get back to it. But first, it’s worth noting that some of the most impactful breaches were the direct result of a misconfiguration: from sensitive databases holding information on 213 million users being accessible without a password to applications being configured by end users in a way that allowed internal data to be publicly available, exposing 30+ million records.

In an expansive cloud email environment where security teams note a lack of visibility into platform configurations and permissions, it’s not a stretch to imagine a mail tenant conditional access policy may not be as airtight as it should be. Beyond visibility into those generic misconfigurations, however, is visibility into the malicious configurations that follow a successful phishing or social engineering event. As mentioned above, a significant number of attacks still begin with phishing or social engineering. While Abnormal Security helps ensure those phishing emails do not make it to the end user, there is always a chance that a personal email on a BYOD device, a phone call from a convincing scammer, or in some cases the right price, could lead to compromised account credentials.

Then what? That attacker will bide their time attempting to fly under the radar, piloting the account and gradually ramping up activity over time. Maybe that user suddenly becomes a global admin on a mail tenant they would otherwise have no need to access. Maybe the user downloads and integrates a new application into the organization’s cloud email environment, an application that somehow gains permission to read and write to executive mailboxes.

From there, the attack begins to take shape. If the security team did not have appropriate posture management visibility–and real-time insights into the impact of changes to the IT and security posture of the organization–that unexpected rights change and malicious app download could go entirely unnoticed.

An Abnormal Approach to Posture Management

At Abnormal Security, we've rethought how Email Security Posture Management should be done, connecting it directly to our Inbound Email Security platform to provide holistic cloud email security that protects both the inbox and those entry points beyond it.

Armed with the information in the Abnormal Security Knowledge Bases–real-time event streams detailing occurrences and changes across applications (AppBase), mail tenants (TenantBase), and corporate users (PeopleBase)–Email Security Posture Management distills this data into posture-specific configuration changes across App Posture, Tenant Posture, and People Posture.

In particular, security teams from a variety of organizations have detailed the pain that comes with knowing users are installing applications but not fully understanding what permissions those applications have and when those permissions change. This pain, coupled with the early detection of unexpected user privilege changes and identifying security policy changes across mail tenants, is the reason Email Security Posture Management exists.

While Abnormal Security will find the threats that others can’t when it comes to email communications, staying proactive with dynamic posture monitoring is the first step in ensuring that if a threat does make it through the perimeter, it doesn’t get far. So, if you ask yourself, “At what point are we going to experience a breach?” it may feel like the answer is inevitably, “Soon,” but with appropriate steps towards security posture hygiene, that “soon” may eventually become “never.”

Interested in learning more about Email Security Posture Management? Schedule a Demo today!
