Review: How Avanan defends cloud-based email platforms

Avanan can catch the advanced threats that Microsoft, Google or other cloud-based email providers miss, identifying dangers like phishing, malware, data leakage and even full account takeovers.


In the early days of the internet, email was one of the first enterprise applications organizations embraced. Since then, countless trends, services and software providers have come and gone, yet email remains a cornerstone for business, government and even private users. It also has historically been, and still remains, one of the top vectors that both human attackers and malware programs use to compromise networks. Fully defending that channel can go a long way to securing an organization’s network.

The Avanan platform is designed to make managing email security across a vast corporate landscape both effective and accessible. Avanan takes a unique approach to accomplish this with a multi-vendor solution that layers protections within the security stack, tying them together into a centrally managed dashboard that supports whatever native protections already exist in cloud-based email platforms. The idea is that Avanan can catch the advanced threats that Microsoft, Google or other cloud-based email providers miss, identifying dangers like phishing, malware, data leakage and even full account takeovers.

[Image: Avanan dashboard. Credit: CSO]

From the main Avanan dashboard, you can easily see which email programs the platform is protecting, add new ones and respond to events across the entire enterprise.

Avanan is also unique because of how it is deployed. Regardless of how many third-party solutions are added to the threat stack, all of them, as well as the main Avanan platform, are attached directly to cloud-based email with an application programming interface (API). The API acts as an in-line filter for all email within the protected network. That includes any mail sent and received using only internal addresses, an important channel that many other protection platforms can’t see.

For this evaluation, a test network was used that mimicked a typical, multi-user corporate environment. It was populated with everything from C-suite users to rank and file workers to temporary helpers. The test network used Microsoft Office 365 as its cloud-based email platform.

Setting up Avanan was extremely easy, especially given the complexity of the network. All we needed was a global administrator’s credentials. Once provided to the platform, it checked about 15 permissions that would be needed to ensure that the administrator account could fully complete the installation. This pre-install check makes the installation of the API-based Avanan platform impossible to mess up. Once confirmed, it was fully up and running in just a few minutes.

Avanan uses artificial intelligence to learn how users communicate within the organization, so it gets smarter over time. However, because every organization keeps copious email records, Avanan simply goes back and analyzes traffic patterns for the previous two weeks to collect its initial baseline. This eliminates the need for a detailed learning period. Even so, the company normally implements a 14-day installation and trial plan that includes restricting the platform to monitoring mode for several days. Potential users who are worried about, for example, legitimate mail being blocked can follow that plan to check the platform's decisions first and then fully activate all the features whenever they are ready.

Setting up the policies to configure the Avanan platform involved a straightforward process of checking boxes and defining actions. We had a lot of variables to work with. For example, users could be notified of mail that had been quarantined with options to request that it be released if it was something they were expecting. Mail could also be outright halted without letting a user know. We could even tag email as potentially dangerous but still allow it to go to its destination inbox. All of the options within the policy engine could be applied to specific groups within the organization or even individual users. That way, suspect mail going to C-suite executives, finance employees, different offices or any other type of worker can be handled differently from mail for everyone else. You can set up an unlimited number of mail policies using the interface.
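The review describes policies that can be global, scoped to a user group, or scoped to an individual, each with its own handling action. The snippet below is an added example, not Avanan's code, showing one way a policy engine like that resolves which action applies when several policies match: the most specific scope wins (user over group over global), and a tie between two group policies falls to the stricter action. Group names, addresses and policy names are constructed for the example.

```python
"""Added example: resolving which mail-handling policy applies to a recipient.

Not Avanan's code. Models the behaviour the review describes: policies may be
global, group-scoped or user-scoped; each names an action for a detection verdict.
"""
from dataclasses import dataclass
from typing import Optional

# Handling actions described in the review.
QUARANTINE_NOTIFY = "quarantine_notify"   # hold the mail, tell the user, allow a release request
QUARANTINE_SILENT = "quarantine_silent"   # hold the mail without telling the user
TAG_AND_DELIVER = "tag_and_deliver"       # deliver it, but mark it as potentially dangerous

# A user-scoped policy beats a group-scoped one, which beats a global one.
SCOPE_RANK = {"user": 3, "group": 2, "global": 1}
# Tie-break between equally specific policies: the stricter action wins.
STRICTNESS = {QUARANTINE_SILENT: 3, QUARANTINE_NOTIFY: 2, TAG_AND_DELIVER: 1}


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str              # "global", "group" or "user"
    target: Optional[str]   # group name or user address; None for global
    verdict: str            # detection verdict this policy handles, e.g. "phishing"
    action: str


# Constructed directory: which groups each mailbox belongs to (hypothetical).
GROUPS = {
    "ceo@example.com": {"c_suite"},
    "cfo@example.com": {"c_suite", "finance"},
    "ap.clerk@example.com": {"finance"},
    "temp1@example.com": {"temps"},
}

# Constructed policy set; order is irrelevant because specificity decides.
POLICIES = [
    Policy("default-phishing", "global", None, "phishing", TAG_AND_DELIVER),
    Policy("finance-phishing", "group", "finance", "phishing", QUARANTINE_NOTIFY),
    Policy("csuite-phishing", "group", "c_suite", "phishing", QUARANTINE_SILENT),
    Policy("default-malware", "global", None, "malware", QUARANTINE_SILENT),
    Policy("temp-malware", "user", "temp1@example.com", "malware", QUARANTINE_NOTIFY),
]


def applies_to(policy: Policy, recipient: str) -> bool:
    """True if the policy's scope covers this recipient."""
    if policy.scope == "global":
        return True
    if policy.scope == "group":
        return policy.target in GROUPS.get(recipient, set())
    if policy.scope == "user":
        return policy.target == recipient
    raise ValueError(f"unknown scope {policy.scope!r}")


def resolve_action(recipient: str, verdict: str, policies=POLICIES) -> Optional[str]:
    """Return the action for (recipient, verdict), or None if no policy matches."""
    candidates = [p for p in policies if p.verdict == verdict and applies_to(p, recipient)]
    if not candidates:
        return None
    best = max(candidates, key=lambda p: (SCOPE_RANK[p.scope], STRICTNESS[p.action]))
    return best.action


if __name__ == "__main__":
    for who, what in [("cfo@example.com", "phishing"), ("temp1@example.com", "malware")]:
        print(who, what, "->", resolve_action(who, what))
```

The CFO belongs to both the finance and C-suite groups, so two group-scoped phishing policies match; the stricter one (silent quarantine) is chosen. Someone with no matching group still falls through to the global policy, which is the safety net a practitioner should always define so that no verdict goes unhandled.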

[Image: Avanan policy screen. Credit: CSO]

It’s easy to set policies using the Avanan interface. Policies can be deployed globally, set to certain user groups or even individual people. They include how threats are handled and processed, user notifications and which tools are used for scanning and detection.

We launched several types of mail-based attacks, along with a range of suspicious actions, against the test network to see how Avanan would react. It stopped every threat that attempted to come in via email. The cloud-based platform pools intelligence from everywhere it is deployed: if any one of the hundreds of deployments identifies a new threat, users at all other organizations quickly gain protection from it as well. Avanan captured and quarantined whatever we threw at it.

From the Event tab within Avanan, we could see all of the quarantined threats the platform had captured. This gave us a full forensic profile of the attack including the raw header information and the full text of the mail. From there we could do a little threat hunting, asking the platform questions about the mail in quarantine using plain English language. For example, we asked if there were any other copies of the captured mail sitting in other mailboxes. And with just a few clicks, we could pull it out of every affected mailbox and set the program to prevent it from ever coming back.

[Image: Avanan Events tab. Credit: CSO]

Everything the program is detecting is available from the Event tab. From here you can take actions such as quarantining, marking a threat for further study, alerting the owner about a suspicious email, releasing mail from quarantine or almost anything else.

The process was essentially the same when using internal email that never crossed a network gateway. Avanan was able to find threats within internal email because the platform is installed using an API to the core Office 365 platform. This is a big advantage over mail gateways that only see traffic as it enters or leaves a network. Avanan can see everything.

The platform was also able to flag suspicious activity within email, even if there was no malware or even any programs attached. For example, it alerted us when a user tried to reset their password several times in sequence. It also triggered when mail was sent to or from company officers with invoices or other requests for money or information, especially if that kind of request had never been made before or the people involved had never previously corresponded about financial matters. The program is smart enough to recognize both the titles of company officials from the directory and the context of emails. We couldn’t find a social engineering scam that could get around Avanan.
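Two of the behaviours described here (the two-week baseline of prior correspondence, and flagging money requests to or from company officers between people who had never discussed finances, plus repeated password resets) are detection logic that can be sketched in code. The block below is an added example, not Avanan's implementation, of how a defender might express those rules. The directory, the two weeks of historical mail and the audit events are all constructed for the example; the officer titles and finance keywords are assumed heuristics.

```python
"""Added example: baseline-driven flags for officer-related money requests and
repeated password resets. Not Avanan's code; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory. Titles let the checks recognise company officers.
DIRECTORY = {
    "ceo@example.com": "Chief Executive Officer",
    "cfo@example.com": "Chief Financial Officer",
    "ap.clerk@example.com": "Accounts Payable Clerk",
    "dev@example.com": "Software Engineer",
}
OFFICER_TITLE_WORDS = ("chief", "president", "director")   # assumed heuristic
FINANCE_TERMS = ("invoice", "wire", "payment", "bank account", "transfer")  # assumed

# Constructed two weeks of prior internal mail: (sender, recipient, subject, body).
HISTORY = [
    ("cfo@example.com", "ap.clerk@example.com", "Q3 invoices", "Please process the attached invoices."),
    ("ap.clerk@example.com", "cfo@example.com", "Re: Q3 invoices", "Done, payment scheduled."),
    ("dev@example.com", "ceo@example.com", "Release notes", "Shipped 2.1 today."),
    ("ceo@example.com", "dev@example.com", "Re: Release notes", "Nice work."),
]


def is_officer(addr: str) -> bool:
    title = DIRECTORY.get(addr, "").lower()
    return any(w in title for w in OFFICER_TITLE_WORDS)


def is_financial(subject: str, body: str) -> bool:
    text = f"{subject} {body}".lower()
    return any(t in text for t in FINANCE_TERMS)


def build_baseline(history):
    """Per unordered address pair: how often they corresponded and whether finances came up."""
    base = {}
    for sender, recipient, subject, body in history:
        key = frozenset((sender, recipient))
        entry = base.setdefault(key, {"count": 0, "financial": False})
        entry["count"] += 1
        entry["financial"] = entry["financial"] or is_financial(subject, body)
    return base


BASELINE = build_baseline(HISTORY)


def assess_message(baseline, sender, recipient, subject, body):
    """Return the reasons a message looks like an unusual money request (empty if none)."""
    reasons = []
    if not is_financial(subject, body):
        return reasons                       # only money/information requests are in scope
    if not (is_officer(sender) or is_officer(recipient)):
        return reasons                       # the rule concerns mail to or from officers
    hist = baseline.get(frozenset((sender, recipient)))
    if hist is None:
        reasons.append("financial request between parties with no prior correspondence")
    elif not hist["financial"]:
        reasons.append("financial request between parties who never discussed finances")
    return reasons


def repeated_password_resets(events, threshold=3, window=timedelta(minutes=10)):
    """events: (timestamp, user, action). Return users with >= threshold resets inside the window."""
    by_user = defaultdict(list)
    for ts, user, action in events:
        if action == "password_reset":
            by_user[user].append(ts)
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


# Constructed audit events: three resets in five minutes for one account, one for another.
T0 = datetime(2020, 1, 6, 9, 0)
EVENTS = [
    (T0, "temp1@example.com", "password_reset"),
    (T0 + timedelta(minutes=2), "temp1@example.com", "password_reset"),
    (T0 + timedelta(minutes=5), "temp1@example.com", "password_reset"),
    (T0 + timedelta(minutes=3), "dev@example.com", "password_reset"),
    (T0 + timedelta(minutes=4), "dev@example.com", "login"),
]

if __name__ == "__main__":
    print(assess_message(BASELINE, "ceo@example.com", "dev@example.com",
                         "Quick favour", "Can you wire 5,000 to the account below today?"))
    print(repeated_password_resets(EVENTS))
```

The baseline is what makes the second check meaningful: a money request from the CFO to the accounts-payable clerk is routine for that pair, while the same wording from the CEO to an engineer they have only ever swapped release notes with is the kind of context shift the review says the platform notices. The reset check is deliberately a count inside a sliding window rather than a single event, so one legitimate reset never fires.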

[Image: Avanan Event profile. Credit: CSO]

The Event profile tab gives access to tools for forensic investigations. You get direct access to the message as well as raw headers. Queries such as asking if specific mail exists in other locations can be entered in plain English.

Avanan is very forthcoming about pricing, even publishing details on its website. For midsized organizations, depending on the level of protection, it should cost between $4 and $10 per user, per month. Discounts are available for larger enterprises with more than 1,000 users to protect.

Email threats that avoid detection and reach an inbox take, on average, about one minute and 40 seconds before a user clicks on or activates them. After that, the threat has left the email channel and other network protections would need to stop it. Avanan almost always beats that fairly short clock, keeping threats from ever landing in protected mailboxes in the first place and pulling them back out quickly if they are detected after arriving.

Given that Avanan’s protection sits behind whatever defenses Microsoft, Google or others are providing natively in their cloud-based email, it makes for a highly advanced, clearly focused last line of defense. The importance of email for doing business and its popularity with hackers make Avanan a useful and necessary defensive tool that also happens to be simple to deploy, easy to use, and highly effective at protecting this vital lifeline.