What is Security Posture Management and Why is it Essential?
Back in November, we announced the initial release of our Security Posture Management add-on. Since then, we’ve worked with customers from a variety of industries to help them gain greater visibility into potentially high-impact changes to third-party app permissions, user privileges, and mail tenant conditional access policies that could open the door for threat actors if not properly managed.
However, we’ve also received a fair number of questions along the lines of “what is an email security vendor doing in the posture management space?” or “is this a new SaaS Security Posture Management (SSPM) or Cloud Security Posture Management (CSPM) solution on the block?” We wanted to make sure you had the answers.
So, let’s dig into exactly what we mean when we say Security Posture Management—and why it’s a critical piece of the cloud email security puzzle.
Minor Misconfigurations, Major Consequences
To answer why Abnormal, a vendor primarily focused on email, is concerned with misconfiguration at all, it helps to consider the scale of a typical cloud email platform.
On average, our customers have more than 300 third-party applications integrated into their Microsoft 365 environments, according to behavioral data aggregated and analyzed by our Knowledge Bases. Beyond that, those environments are often populated by hundreds or thousands of individual users and mailboxes. These combined applications and users are either stuffed into one sprawling tenant or sliced into groups across hundreds.
And while phishing remains a favorite tool in threat group toolboxes, a single change to a tenant conditional access policy that allows legacy authentication opens a door for an attacker holding stolen credentials: legacy protocols such as IMAP, POP3 and SMTP AUTH do not support MFA, so a password alone is enough to sign in. Worse still, an application from an unknown publisher that suddenly gains write access to a VIP mailbox can be a sign of an attack already in progress.
One thing we often heard from customers is that security teams lacked visibility into these changes, or that gaining it required time-consuming manual audits. As a result, teams spent significant time correlating activity across disparate or noisy tools, or polling stakeholders to determine whether a change was risky or simply business as usual. And that says nothing about the times a change was made without anyone in security being the wiser.
So, to address this problem, and ensure that Abnormal keeps its promise to protect cloud email platforms, we built the Security Posture Management add-on, which enhances posture visibility by:
Leveraging Abnormal Knowledge Base data and querying the cloud email platform to continually centralize and surface new, high-impact events to help minimize configuration gaps.
Delivering granular before-and-after views of configuration changes, along with links to entities involved and their activity patterns.
Providing links to relevant documentation, suggesting next steps, giving the option to schedule email notifications or SIEM event exports, and providing an acknowledgment workflow to indicate when changes are being addressed.
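To make the kinds of changes above concrete, here is an added example (not Abnormal’s code, and not part of the original post) that diffs two constructed tenant posture snapshots and flags the two events described earlier: a conditional access policy that stops blocking legacy authentication, and an app from an unverified publisher gaining Mail.ReadWrite on a VIP mailbox. Each finding carries a before-and-after view of the changed field. The snapshot field names are shaped loosely after Microsoft Graph objects (conditionalAccessPolicy, servicePrincipal, oauth2PermissionGrant) but are an assumption for illustration; a real implementation would pull them from the Graph API or the unified audit log.

```python
"""Diff two tenant posture snapshots and flag high-impact changes.

Added example, not Abnormal's code. BEFORE/AFTER are constructed snapshots;
field names only loosely follow Microsoft Graph and are an assumption.
"""
import json

# Client app types that Microsoft groups under "legacy authentication".
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
# Delegated/application scopes that let an app read, alter or send mail.
HIGH_IMPACT_MAIL_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

# Constructed "before" snapshot: legacy auth blocked, one calendar-only app grant.
BEFORE = {
    "policies": [
        {"id": "ca-01", "displayName": "Block legacy authentication", "state": "enabled",
         "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
         "grantControls": {"builtInControls": ["block"]}},
    ],
    "apps": {
        "app-77": {"displayName": "CalendarSync", "verifiedPublisher": None},
        "app-12": {"displayName": "Contoso Helpdesk", "verifiedPublisher": "Contoso Ltd"},
    },
    "grants": [
        {"id": "g-1", "appId": "app-77", "principal": "cfo@example.com", "scopes": ["Calendars.Read"]},
        {"id": "g-2", "appId": "app-12", "principal": "alice@example.com", "scopes": ["User.Read"]},
    ],
}
# Constructed "after" snapshot: deep copy of BEFORE with the two risky changes applied.
AFTER = json.loads(json.dumps(BEFORE))
AFTER["policies"][0]["state"] = "disabled"             # legacy-auth block switched off
AFTER["grants"][0]["scopes"].append("Mail.ReadWrite")  # unverified app gains VIP mailbox write

VIPS = {"ceo@example.com", "cfo@example.com"}  # constructed VIP list


def legacy_auth_blocked(policies):
    """True if at least one enabled policy blocks both legacy client types."""
    for p in policies:
        if p["state"] != "enabled":
            continue
        if "block" not in p["grantControls"]["builtInControls"]:
            continue
        if LEGACY_CLIENT_TYPES <= set(p["conditions"]["clientAppTypes"]):
            return True
    return False


def diff_posture(before, after, vips):
    """Return high-impact findings, each with a before/after view of what changed."""
    findings = []

    # 1. Did the tenant lose its legacy-authentication block?
    if legacy_auth_blocked(before["policies"]) and not legacy_auth_blocked(after["policies"]):
        changed = [p for p in after["policies"] if p not in before["policies"]]
        findings.append({
            "kind": "legacy_auth_allowed",
            "severity": "high",
            "entity": ", ".join(p["displayName"] for p in changed) or "conditional access",
            "before": "legacy authentication blocked",
            "after": "legacy authentication allowed",
            "why": "stolen passwords can be replayed over legacy protocols, bypassing MFA",
        })

    # 2. Did any app grant gain a mail scope, and is the target or publisher risky?
    before_grants = {g["id"]: g for g in before["grants"]}
    for g in after["grants"]:
        old = before_grants.get(g["id"])
        old_scopes = set(old["scopes"]) if old else set()
        risky = (set(g["scopes"]) - old_scopes) & HIGH_IMPACT_MAIL_SCOPES
        if not risky:
            continue
        app = after["apps"][g["appId"]]
        reasons = []
        if g["principal"] in vips:
            reasons.append("VIP mailbox")
        if not app.get("verifiedPublisher"):
            reasons.append("unverified publisher")
        findings.append({
            "kind": "mailbox_grant_expanded",
            "severity": "high" if reasons else "medium",
            "entity": f'{app["displayName"]} -> {g["principal"]}',
            "before": sorted(old_scopes),
            "after": sorted(g["scopes"]),
            "why": ", ".join(reasons) or "new mailbox permission",
        })
    return findings


if __name__ == "__main__":
    for finding in diff_posture(BEFORE, AFTER, VIPS):
        print(json.dumps(finding, indent=2))
```

Running the script prints two high-severity findings; diffing a snapshot against itself yields none. In practice the same logic would run on each polled snapshot (or each audit event), with the finding feeding a notification or SIEM export and an acknowledgment state so that an expected change is closed out rather than re-raised.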
An Abnormal Approach to Posture Management
At the heart of Abnormal’s Security Posture Management is Inbound Email Security: the add-on exists to extend the Abnormal Platform toward complete cloud email security, because, let’s face it, the attack surface extends far beyond the inbox. A breach caused by a misconfiguration carries an average price tag of $4.14M, and given the lack of visibility described above, it can take 183 days to even discover that a breach occurred.
Beyond the conceptual conversation, from a product capability perspective our Security Posture Management offering differs from the traditional definition of “posture management”. It is built to act on the data in the Abnormal Knowledge Bases, scoped to the entities within the cloud email platform. As mentioned earlier, the Knowledge Bases are activity hubs in the Abnormal portal that build dynamic behavioral profiles for each application, user, and tenant in a given mail environment.
Security Posture Management reports when potentially risky changes occur and supports remediation, but it layers on the behavioral profiling in the Knowledge Bases to go beyond simple identification and response. That added context helps security teams tell a benign policy change from a potentially malicious over-permissioned app.
Stand a Little Taller with Security Posture Management
Maybe this article answered your questions. Maybe it left you with newer, stranger questions. Either way, we want to hear from you, and we invite you to reach out to your Abnormal representative today or visit the Security Posture Management page to request a demo. Cloud email security is only as strong as its weakest link, and we are finding in conversations with customers that many times a weak link can be fixed with effective cloud email security posture management. Let Abnormal be your email chiropractor.