Guest post by Conor Magee, Solutions Consultant, Ergo
The rising popularity of cloud service platforms presents a unique challenge for IT security. These platforms can hold user identity and organisational data, but because they are separate from the corporate network, they tend to be outside the reach of traditional on-premises security analytics software. This gives rise to a security blind spot for IT administrators that can be difficult to resolve.
On the user side, it is often not possible to see centrally whether users have granted third-party applications access to cloud data, for example unauthorised email or calendar tools. These applications can provide legitimate services to users, but if there are flaws in their design, critical or sensitive data may be left exposed and become a target for hackers.
This issue is made more difficult with the widespread use of unmanaged personal smartphones, computers and tablet devices for business use, potentially leading to privileged information being accessed through third-party applications on devices with an unknown security or patching status.
Microsoft is a large cloud service provider, and its Office 365 suite of applications runs on encrypted servers within its world-leading datacentres. These datacentres are protected with layers of advanced security and certified by leading certification providers including ISO 27001, HIPAA, UK G-Cloud and EU-US Privacy Shield. While this highly secure infrastructure ensures that information is stored in an environment that is as safe as it can be, user identity is left as the path of least resistance for malicious actors to gain access to organisational data. This can be achieved in a number of ways, including weak user passwords, users continuing to use previously compromised passwords, or “brute-force” password attacks, where huge numbers of passwords are tried against each account. Brute-force attacks are made easier if users choose weak passwords or use the same password across a number of services.
Office 365 Advanced Security Management
To help secure against these types of threats, Office 365 Advanced Security Management monitors 70+ different metrics for each user account within Office 365. This allows alerts to be automatically generated when policies are triggered and manual or automatic actions to be taken to prevent security breaches.
Advanced Security Management policies are created and customised to monitor for specific user account activity with the aim of identifying suspicious behaviour. Each one can be set to look for specific actions and thresholds; for example, downloading large amounts of data in a short space of time or repeated login failures from an unexpected location. Once an alert is generated, administrators have the option to take an action on the user's account right from the alert page or, if it’s a particularly serious scenario, have the account suspended automatically on detection pending further investigation.
General behavioural analytics are also performed on this stream of data to learn what normal activity looks like for each user, and a “Risk Score” is generated based on the full range of parameters. The score is based on how unusual or risky the behaviour is; this can be logging in at an unusual time, making administrative changes from an unexpected location or many other metrics. The risk score is attached to each alert to assist IT administrators in deciding what further action to take.
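The policy and baseline ideas in the two paragraphs above (repeated login failures from an unexpected location, judged against what is normal for each user) can be sketched as follows. This is an added example, not Microsoft's implementation or code from the original post; the event format, the `evaluate` function, the threshold and window values and the `XX` country code are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Office 365 audit data):
# (ISO timestamp, user, country code, outcome)
EVENTS = [
    ("2017-03-01T09:00:00", "alice", "IE", "success"),
    ("2017-03-01T09:05:00", "bob", "IE", "success"),
    ("2017-03-02T08:58:00", "alice", "IE", "success"),
    ("2017-03-02T13:00:00", "bob", "IE", "failure"),    # mistyped password at usual location
    ("2017-03-03T02:10:00", "alice", "XX", "failure"),  # burst from a location never seen before
    ("2017-03-03T02:10:20", "alice", "XX", "failure"),
    ("2017-03-03T02:10:45", "alice", "XX", "failure"),
    ("2017-03-03T02:30:00", "alice", "XX", "failure"),  # isolated, outside the window
]


def evaluate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a user has `threshold` failed logins inside `window`
    from a country they have never signed in from successfully."""
    known = defaultdict(set)     # user -> countries seen on successful logins
    recent = defaultdict(deque)  # (user, country) -> recent failure times
    alerts = []
    for ts, user, country, outcome in sorted(events):
        when = datetime.fromisoformat(ts)
        if outcome == "success":
            known[user].add(country)  # learn the per-user baseline
            continue
        if country in known[user]:
            continue  # failure from a usual location: not this policy
        failures = recent[(user, country)]
        failures.append(when)
        while when - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if len(failures) >= threshold:
            alerts.append({"user": user, "country": country,
                           "time": ts, "failures": len(failures)})
            failures.clear()  # raise one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

Because the baseline here is learned from any successful login, a real deployment would need a review step before an unfamiliar location is treated as normal.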
Advanced Security Management also includes an “App Discovery” dashboard within the Office 365 control panel. This service can analyse logs uploaded from firewalls and proxies and produce reports on cloud application activity within the organisation across a large range of non-Microsoft cloud platforms. This can give a view of how many potentially unapproved cloud services are in use by users across the organisation and how much data they are uploading to them.
For organisations that have Office 365 Enterprise E5 licensing in place, these Advanced Security Management services are already included as part of the licensing package and just need to be configured and enabled. For organisations that have any other Office 365 licensing, Advanced Security Management can be added as an add-on license to enable these features.