Monitoring the Microsoft 365 ecosystem is achievable. However, 10 years after its beta release, M365 is still evolving, and its core functions still change. Its default logging options are not always what most users need, but they can be adjusted to suit almost any organization. This piece outlines some key logging rules and detection logic that can help uncover common risks within M365 environments.
Across all market verticals, M365 customers struggle to monitor their environments effectively. Microsoft provides ample logging options, but because of the ongoing stream of feature enhancements and entirely new tools, adequate logging is a continually moving target. As a result, standards from groups such as the Center for Internet Security (CIS) and NIST lag behind the product. Fortunately, Microsoft is leading the effort to fill this gap by publishing reasonable logging suggestions as new features roll out.
A quick check of recent breach announcements shows many organizations struggle to maintain minimum standards of due care. In M365’s case, changes to the cloud offering are now outpacing what most organizations can tolerate. In response, many are either doubling down on their efforts or looking to external providers to manage these changes. Regardless of the course taken, organizations must take active steps to ensure they are keeping up.
Cloud office ecosystems carry many risks, and perhaps the largest is the threat of business email compromise (BEC). This problem affects all cloud providers. Oddly enough, attackers are “forced” toward BEC attacks by the increased security the cloud providers now offer. BEC is a type of account hijack attack that has been on the rise for two main reasons:
To counter BEC attacks, many organizations find it helpful to create detections based on the earliest indicators of the attack. In the security administration center of M365, the following default rules can be helpful:
Although not enabled by default, multiple other detection triggers should be explored. Two useful detection triggers based on observed attacker behavior are:
The SolarWinds breach shifted attention to supply chain attacks. As a result, many organizations are revisiting their log collection and retention strategies. The SolarWinds attack leveraged techniques that were difficult for most organizations to detect, enabling it to remain undetected for over nine months.
To combat these types of attacks, focus on attackers’ post-access activities. Early indicators of advanced adversaries potentially gaining access to your environment can include, but are not necessarily limited to:
Logging within M365 can be difficult because the product continues to evolve, with new features and tools added constantly. Consider the following tips to help ensure you continue to log and detect what’s important in M365:
September 26, 2023
By IANS Faculty