It’s easy to take advantage of the Microsoft 365 service, but are you taking the steps to properly secure all the data your company is storing inside of it?
For security teams, the threat landscape has changed with the rise of work from home triggered by the pandemic. PowerShell threats grew 208%, Microsoft 365 (M365) malware increased by 199%, while malware targeting mobile devices rose 118% between the third and fourth quarters of 2020. COVID-19 related malware and threats increased by 114%.
A large portion of the cloud attacks in Q4 targeted Microsoft 365 accounts. The attacks could be classified as either distributed login attacks on hundreds or thousands of Office 365 accounts via compromised consumer devices, or targeted attacks on a small number of potentially high-value accounts.
Despite the wide range of applications and features in the Microsoft 365 platform, the primary communication and collaboration tool for most users – and the core of Microsoft 365’s functionality – continues to be email. By any measure, email is arguably the most challenging application to deploy, manage and secure. At the same time, Microsoft adds new features and security options at a mind-bending pace.
Here is a summary of hot tips, including many new ones from Microsoft that you need to be sure to consider.
Weak spot – compromised on-premises environment
The Microsoft 365 cloud environment itself benefits from an extensive monitoring and security infrastructure. Using machine learning and human intelligence, Microsoft looks across worldwide traffic to rapidly detect attacks.
However, if you have deployed a hybrid mode to connect on-premises infrastructure to Microsoft 365, you have most likely delegated trust to on-premises components for critical authentication and directory object state management decisions. If the on-premises environment is compromised, these trust relationships give attackers an avenue to put your Microsoft 365 environment in jeopardy.
The two primary threat vectors are federation trust relationships and account synchronization. Both vectors can grant an attacker administrative access to your cloud.
Harden Microsoft 365
One way to protect your company’s assets is by taking advantage of what’s already built in and paid for. Utilize the Secure Score feature available in the Security Center. From a centralized dashboard, you can monitor and improve the security of your Microsoft 365 identities, data, apps, devices, and infrastructure. You are given points for configuring recommended security features, performing security-related tasks (such as viewing reports), or addressing recommendations with a third-party application or software.
You can reduce your attack surface considerably regardless of your subscription level with these five steps:
- Enable multi-factor authentication – This is the easiest and most effective way to increase the security of your organization. It protects against password theft.
- Use dedicated admin accounts – These enjoy elevated privileges and are primary targets for attackers. Use admin accounts only for administration. Admins should have a separate user account for regular, non-administrative use and only use their administrative account when necessary to complete a task associated with their job function.
- Block email attachments with file types commonly used by malware – In the Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy > Anti-Malware
- Protect against ransomware with mail flow rules – Create mail flow rules to block file extensions that are commonly used for ransomware, or to warn users who receive these attachments in email.
- Stop auto-forwarding of email – Hackers who gain access to a user’s mailbox can exfiltrate mail by configuring the mailbox to automatically forward email. This can happen even without the user’s awareness. Prevent this from happening by configuring a mail flow rule.
In addition to the aforementioned steps, you can leverage this Microsoft 365 Monitoring Checklist to ensure you are doing all you can to secure the Microsoft 365 platform.
While Microsoft makes every effort to protect their infrastructure as a Security-as-a-Service provider and keep the server up and running smoothly, it is up to the Microsoft 365 account owner to manage data safety.
Microsoft 365 currently supports reactive capabilities such as incident response, User and Entity Behavior Analytics (UEBA), sharing settings and data loss prevention. Proactive responses include conditional access, encryption, and data classification. Compliance capabilities include audit logging, governance, and data discovery.
These tools provide an excellent foundation for security but are just the start to locking down the data-rich Microsoft 365 environment. To adopt a strong security posture, you must add more prevention and detection measures to build upon the current capabilities Microsoft provides and fill the gaps they leave behind.
Monitor the M365 environment 24/7
Around-the-clock monitoring includes changes across the Azure Active Directory, Exchange, OneDrive, SharePoint, and Teams. All suspicious behavior should be investigated, and any threats mitigated ASAP.
For Azure Active Directory, this could mean monitoring admin actions such as adding or deleting user accounts, escalating privilege requests, unusual changes to passwords or policies, tracking login activities with geo-locations, and more. For Exchange, this includes auditing administrator actors for mailbox creation/deletion, forwarding rules or policy changes. And for OneDrive, SharePoint and Teams, this means monitoring added, deleted or modified sites, uploaded files and shares with external users.
DIY vs. co-managed solutions
Constant vigilance is necessary to keep an eye on all these moving parts but staffing and maintaining an IT team for this purpose can be difficult. An external Security Operations Center (SOC) can help to fill this gap, providing the skilled workforce required to fulfill this demand, oftentimes at a lower cost than directly employing an internal SOC.
Respond to attacks with an incident response plan
As the Department of Homeland Security says “If you see something, say something.” When detection reveals a potential problem, an active response is necessary. You should be aware of the potential attacks that may be uncovered and have a documented incident response plan.
The plan should include playbooks which list the specific procedures to be followed in the event of a specific type of attack. For example, if there are reasons to suspect that admin passwords have been compromised, who will reset these and verify them? Also, consider your course of action if an internal user is detected unexpectedly or uncharacteristically exfiltrating large amounts of data. What are the next steps?
Microsoft 365 is SaaS provided by Microsoft. However, becoming a subscriber to this service does not absolve you of all security responsibility. There is shared responsibility for security as explained in this article. In particular, the responsibility for accounts, identities, information/data and devices are always borne by the subscriber.
Given the richness of the feature set and pervasiveness of the threat landscape, it can be overwhelming to address for non-experts. Co-managed solutions can help by bring not just technology but also technical experts and process discipline to tame the beast.