Monitoring the Microsoft 365 ecosystem is doable. However, 10 years after its beta release, M365 is still evolving, and changes to core functions still happen. Its default logging options are not always what most organizations need, but they can be adjusted to suit almost any environment. This piece outlines some key logging rules and detection logic that can help uncover common risks within M365 environments.
Across all market verticals, M365 customers struggle to monitor their environments effectively. Microsoft provides ample logging options, but with an ongoing stream of feature enhancements and entirely new tools, adequate logging is a continually moving target. As a result, benchmarks from groups like the Center for Internet Security (CIS) and NIST lag behind the product. Fortunately, Microsoft is leading the charge to fill this gap by publishing reasonable logging recommendations as new features roll out.
A quick check of recent breach announcements shows that many organizations struggle to maintain minimum standards of due care. In M365's case, changes to the cloud offering now outpace what most organizations can absorb. In response, many are either doubling down on their own efforts or turning to external providers to manage the change. Whichever course is taken, organizations must take active steps to keep up.
Cloud office ecosystems carry many risks, and perhaps the largest is business email compromise (BEC). The problem affects every cloud provider. Oddly enough, attackers are "forced" toward BEC because the providers have hardened the platforms themselves, leaving the user and the mailbox as the softer target. BEC is a type of account hijack attack that has been on the rise for two main reasons:
To counter BEC attacks, many organizations find it helpful to build detections on the earliest indicators of the attack. In the M365 security administration center, the following default alert rules can be helpful:
Although not enabled by default, several other detection triggers are worth exploring. Two useful triggers based on observed attacker behavior are:
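As an added example (it is not the page's own rule list, and not Microsoft's code), the following Python flags three early BEC indicators in Unified Audit Log records, the JSON that Search-UnifiedAuditLog returns in each row's AuditData column: inbox rules that forward or silently delete mail, mailbox-level forwarding set with Set-Mailbox, and FullAccess delegation added with Add-MailboxPermission. The choice of these three rules, the severity scoring, the tenant domain contoso.example and the sample records are all assumptions made for the illustration; the field names (Operation, UserId, ClientIP, Parameters) follow the audit log schema for Exchange admin cmdlets.

```python
"""Flag early business email compromise (BEC) indicators in Microsoft 365
Unified Audit Log records (the JSON in each row's AuditData column).

Added example, not the page's rule list: the three rules below are common
post-phish BEC behaviours chosen for illustration. Sample records are
constructed; the tenant domain is assumed.
"""
import json
from dataclasses import dataclass

TENANT_DOMAINS = {"contoso.example"}  # assumed tenant domain(s)

# Cmdlet parameters that redirect mail out of the mailbox.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters attackers add so the victim never sees the redirected mail.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    rule: str
    user: str
    client_ip: str
    detail: str


def params(record):
    """Flatten the Parameters array (Name/Value pairs) into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_external(value, tenant_domains=TENANT_DOMAINS):
    """True unless every address in a forwarding value ("[SMTP:a@b]; ...")
    belongs to one of the tenant's domains."""
    addrs = [a.strip("[] ").split(":")[-1] for a in value.split(";") if a.strip()]
    return any(a.split("@")[-1].lower() not in tenant_domains for a in addrs)


def fmt(p, keys):
    return " ".join(f"{k}={p[k]}" for k in keys)


def inspect(record):
    """Return the findings for one parsed AuditData record (possibly none)."""
    op = record.get("Operation", "")
    p = params(record)
    user, ip = record.get("UserId", "?"), record.get("ClientIP", "?")
    out = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        fwd = sorted(FORWARD_PARAMS & p.keys())
        hide = sorted(HIDE_PARAMS & p.keys())
        if fwd:
            # Forwarding outside the tenant, or forwarding plus hiding, is the
            # classic first move after a successful phish.
            sev = "high" if (hide or any(is_external(p[k]) for k in fwd)) else "medium"
            out.append(Finding(sev, "inbox-rule-forwarding", user, ip, f"{op} {fmt(p, fwd + hide)}"))
        elif "DeleteMessage" in p:
            # A rule that only deletes mail is used to hide replies to the
            # attacker's fraudulent messages. MoveToFolder alone is too noisy to flag.
            out.append(Finding("medium", "inbox-rule-deletes-mail", user, ip, f"{op} {fmt(p, hide)}"))
    elif op == "Set-Mailbox":
        fwd = sorted(FORWARD_PARAMS & p.keys())
        if fwd:
            sev = "high" if any(is_external(p[k]) for k in fwd) else "medium"
            out.append(Finding(sev, "mailbox-forwarding", user, ip,
                               f"Set-Mailbox {p.get('Identity', '?')} {fmt(p, fwd)}"))
    elif op == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", ""):
        out.append(Finding("medium", "fullaccess-delegation", user, ip,
                           f"{p.get('User', '?')} granted FullAccess on {p.get('Identity', '?')}"))
    return out


def scan(audit_data_rows):
    """audit_data_rows: iterable of AuditData JSON strings. Returns all
    findings, high severity first (sort is stable, so log order is kept)."""
    findings = []
    for row in audit_data_rows:
        findings.extend(inspect(json.loads(row)))
    return sorted(findings, key=lambda f: f.severity != "high")


SAMPLE_ROWS = [  # constructed sample data, not real tenant logs
    json.dumps({"CreationTime": "2022-09-20T08:12:03", "Operation": "New-InboxRule",
                "UserId": "j.doe@contoso.example", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "[SMTP:collector@evil.example]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2022-09-20T08:13:40", "Operation": "Set-Mailbox",
                "UserId": "j.doe@contoso.example", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Identity", "Value": "j.doe"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@evil.example"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2022-09-20T09:00:00", "Operation": "New-InboxRule",
                "UserId": "a.smith@contoso.example", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"CreationTime": "2022-09-20T09:05:00", "Operation": "MailItemsAccessed",
                "UserId": "a.smith@contoso.example", "ClientIP": "198.51.100.4"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.rule} {f.user} from {f.client_ip}: {f.detail}")
```

On the constructed sample, the two records for j.doe (an inbox rule that forwards externally and deletes, followed a minute later by mailbox-level forwarding from the same client IP) are flagged as high, while a.smith's benign "move newsletters" rule and the MailItemsAccessed record produce nothing. The same pattern, flatten Parameters and match on Operation, applies to any other cmdlet you decide to alert on.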
The SolarWinds breach shifted attention to supply chain attacks, and many organizations are revisiting their log collection and retention strategies as a result. The attack used techniques that were difficult for most organizations to detect, allowing it to remain undetected for over nine months.
To combat these types of attacks, focus on the attackers' post-access activities. Early indicators that an advanced adversary may have gained access to your environment include, but are not limited to:
Logging within M365 is difficult because the product continues to evolve, with new features and tools added constantly. The following tips can help ensure you continue to log and detect what matters in M365: