6 min readLast Updated on September 22, 2020 by Satyendra
With increasingly more people working from home as a result of the ongoing coronavirus pandemic, many organizations have been switching to Microsoft Office 365, and other cloud-based collaboration platforms to help streamline their business operations.
However, there are a number of security implications that need to be considered before doing so, and organizations need be aware of the configuration options that exist, to help them secure their O365 implementation.
In light of this, the Cybersecurity and Infrastructure Security Agency (CISA) has published security recommendations to help organizations configure their systems securely, as well as detect and respond to anomalous events. Below is a summary of these recommendations.
Enable Multi-Factor Authentication for Administrator Accounts
Multi-factor authentication (MFA) is not enabled by default for administrator accounts. Even-though Microsoft has been shifting towards a “Secure by default” model, customers are still required to enable MFA for administrator accounts.
Unlike on-premise user accounts, accounts hosted in the cloud can be accessed via the internet, which makes them especially vulnerable to attack. It is a good idea to enable MFA immediately to prevent an attacker gaining persistent access to your network.
Assign Administrator Roles Using Role-Based Access Control (RBAC)
Since Azure AD’s Global Administrator accounts have the highest level of privilege, they should only be used when absolutely necessary. Otherwise, administrator accounts that have specific privileges for specific tasks should be used.
Restricting access according to roles will help to ensure that an attacker will not be able to move laterally throughout the network, were they to gain unauthorized access to one of the administrator accounts.
Use the permissions reporting capabilities within the Lepide Data Security Platform to spot whenever permissions change. Report on users with excessive permissions that increase risk to your sensitive data and restrict access from within the solution.
Enable Unified Audit Log (UAL)
The Unified Audit Log records events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 platforms. UAL must be enabled in the Security and Compliance Center, before it can be used by administrators to keep track of changes that either show signs of suspicious activity or violate the organizations security policies.
Enable Alerts for Suspicious Activity
In the Security and Compliance Center you can setup an enable alerts that notify administrators of suspicious events, which can help them respond to potential security threats in a timely manner.
At a minimum, CISA recommends enabling alerts for logins from suspicious locations and for accounts exceeding sent email thresholds.
Using the Lepide Data Security Platform, you can receive real time alerts whenever any anomalies are spotted in user behavior, logons, permission changes and more. With a combination of single event, threshold-based and anomaly-based alerts delivered in real time, you can ensure you are constantly monitoring your environment for suspicious activity.
Enable Multi-Factor Authentication for All Users
Even-though normal user accounts have relatively few privileges compared to administrator accounts, it’s still worth enabling MFA where possible. After all, a compromised user account with restricted privileges can be used to launch social engineering attacks, thus potentially allowing a hacker to gain access to other user accounts with higher privileges.
Disable Legacy Protocol Authentication When Appropriate
Office365 uses Azure AD to authenticate with Exchange Online, which supports MFA. However, Exchange Online also supports legacy protocols that do not support MFA, such as Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP), which are used by older email clients.
The problem with keeping these protocols enabled is that it makes it easier for hackers to bypass the MFA provided by Azure AD. As such, it is a good idea to disable these protocols if none of your users are using older email clients.
In situations where some users still require legacy protocols, it is a good idea to create an inventory of those users and use Azure AD Conditional Access policies to enable them for those users only.
Incorporate Microsoft Secure Score
Microsoft Secure Score is a system that enables organizations to gain an understanding about the strength of their security posture, and offers possible recommendations, which can help them boost their score.
Using the dashboard in the Microsoft 365 security center, organizations can monitor and improve the security of their identities, data, apps, devices, and infrastructure. However, it should be noted that this feature does not provide a comprehensive measurement of an organization’s security posture, but it does provide a useful addition to your existing security strategy.
Integrate Logs with Your Existing SIEM Tool
While the Unified Audit Log (UAL) may provide organizations with a basic overview of how their data is being accessed and used, it shouldn’t be seen as a replacement for your existing SIEM/UBA solution – assuming you have one.
A comprehensive data security platform, such as the Lepide Data Security Platform, will provide a number of additional features and enhancements to add context and value to your logs. These include:
Data discovery and classification: Automatically discover and classify sensitive data, including PII, PHI, PCI, IP and more.
AI-backed anomaly detection: Use sophisticated machine learning algorithms to determine typical usage patterns which can be used as a benchmark for detecting potentially anomalous behaviour.
Advanced real-time alerting: If an event, or series of events are detected, which either don’t conform to the typical usage patterns, or involve highly sensitive data, a real-time alert will be sent to the administrator, either via email or SMS.
Threshold alerting: Automatically respond to events that match a pre-defined threshold condition, such as multiple failed login attempts, or when multiple files have been encrypted within a short timeframe. In the event that a threshold condition is met, a custom script can be executed, which may include stopping a specific process, disabling or restricting the relevant user accounts, changing the security settings, or even shutting down the affected server – assuming you have the ability to do so.
Automatically detect and manage inactive user accounts: Automating the process of detecting, reporting and removing inactive user accounts will help to minimize the attack surface, and thus make it harder for an attacker to gain unauthorized persistent access to your network.
Aggregate and correlate event data from multiple platforms: Instead of having to scrutinize the event logs for each platform you use, whether on-premise on the in the cloud, Lepide Data Security Platform will aggregate, correlate and display all changes via a single, intuitive console, which can be easily searched and filtered.
If you’d like more information on how Lepide can help you implement Microsoft Office 365 security recommendations and ensure your sensitive data is protected, schedule a demo with one of our engineers today.
