Abnormal Security Migration: Purpose
Purpose
Migrate email security from Cisco ESA (inline/MX gateway) to Abnormal Security (API-based behavioral AI). Part of CHLA’s broader strategic shift from Cisco to Microsoft security ecosystem.
Strategic Context: Cisco → Microsoft
CHLA is moving away from Cisco security products across the board:
| Domain | Retiring (Cisco) | Replacing With |
|---|---|---|
| Email Security | Cisco ESA (inline gateway) | Abnormal Security (API-based, M365 Graph) |
| SIEM | QRadar (IBM, legacy) | Microsoft Sentinel (Azure, KQL) |
| XDR/EDR | Cisco XDR | Microsoft Defender XDR |
| Network Access Control | Cisco ISE (STAYING — no Microsoft equivalent) | — |
ISE is the exception — Microsoft has no NAC product. This makes the MSCHAPv2 → EAP-TLS migration and Linux 802.1X work even more critical since ISE is the one Cisco product that stays.
Why Abnormal Over ESA
| Factor | Cisco ESA (Inline) | Abnormal (API) |
|---|---|---|
| Deployment | MX record change, mail flows through appliance | M365 Graph API, no mail flow change, deploys in minutes |
| Detection | Signature + reputation (known threats) | Behavioral AI (unknown threats, BEC, account takeover) |
| Single Point of Failure | YES — if ESA goes down, mail stops | NO — mail delivery unaffected |
| Log Integration | Syslog to SIEM | API to Sentinel (native Azure integration) |
| Maintenance | Firmware, HA, certificates, MX management | SaaS — vendor managed |