Monitoring the Microsoft 365 ecosystem is doable. However, 10 years after its beta release, M365 is still evolving, and changes to core functions still happen. Its default logging options are not always what most organizations need, but they can be adjusted to suit almost any environment. This piece outlines some key logging rules and detection logic that can help uncover common risks within M365 environments.
Across all market verticals, M365 customers struggle to monitor their environments effectively. Microsoft provides ample logging options, but because of the ongoing stream of feature enhancements and entirely new tools, adequate logging is a continually moving target. As a result, standards from groups like the Center for Internet Security (CIS) and NIST lag behind the product. Fortunately, Microsoft is leading the charge to fill this gap by publishing reasonable logging suggestions as new features roll out.
A quick check of recent breach announcements shows many organizations struggle to maintain minimum standards of due care. In M365’s case, changes to the cloud offering are now outpacing what most organizations can tolerate. In response, many are either doubling down on their own efforts or looking to external providers to manage these changes. Regardless of the course taken, organizations must take active steps to ensure they are keeping up.
Cloud office ecosystems have many risks, and perhaps the largest is the threat of business email compromise (BEC). This problem affects all cloud providers. Oddly enough, attackers are “forced” toward BEC attacks by the increased security the cloud providers now offer. BEC is a type of hijack attack that has been on the rise for two main reasons:
To counter BEC attacks, many organizations find it helpful to create detections based on the earliest indicators of the attack. In the security administration center of M365, the following default rules can be helpful:
Although not enabled by default, multiple other detection triggers should be explored. Two useful detection triggers based on observed attacker behavior are:
The SolarWinds breach shifted attention to supply chain attacks. As a result, many organizations are revisiting their log collection and retention strategies. The SolarWinds attack leveraged techniques that most organizations find difficult to detect, enabling it to remain undetected for over nine months.
To combat these types of attacks, focus on attackers’ post-access activities. Early indicators of advanced adversaries potentially gaining access to your environment can include, but are not necessarily limited to:
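The BEC triggers and the post-access indicators above can be expressed as detection logic over Unified Audit Log records. The following is an added example, not code from the IANS post: the `Operation` and `Parameters` field names are those of the Unified Audit Log's AuditData JSON, while the sample records, the tenant domain (`example.com`) and the rule set are constructed for illustration.

```python
import json

# Constructed records shaped like the AuditData JSON of Microsoft 365 Unified
# Audit Log entries (Operation, Workload, UserId, ClientIP, Parameters).
SAMPLE_AUDITDATA = [
    json.dumps({"CreationTime": "2021-10-01T08:12:00", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "a.user@example.com", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2021-10-01T09:00:00", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "b.user@example.com", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"CreationTime": "2021-10-02T03:30:00", "Operation": "Set federation settings on domain.",
                "Workload": "AzureActiveDirectory", "UserId": "admin@example.com", "ClientIP": "192.0.2.5"}),
    json.dumps({"CreationTime": "2021-10-02T04:00:00", "Operation": "Add service principal credentials.",
                "Workload": "AzureActiveDirectory", "UserId": "admin@example.com", "ClientIP": "192.0.2.5"}),
]
INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domains; anything else is "external"
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
TENANT_TRUST_OPS = {"Set federation settings on domain.", "Add service principal credentials."}

def inbox_rule_exfil(rec):
    """BEC early indicator: a mailbox rule that forwards outside the tenant or deletes mail."""
    if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}
    external = [v for k, v in p.items() if k in FORWARD_PARAMS
                and v.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    deletes = p.get("DeleteMessage", "").lower() == "true"
    if external or deletes:
        return f"inbox rule by {rec['UserId']} forwards to {external}, deletes={deletes}"
    return None

def tenant_trust_change(rec):
    """Post-access indicator: federation or app-credential changes of the kind seen after SolarWinds."""
    if rec["Operation"] in TENANT_TRUST_OPS:
        return f"{rec['Operation']} by {rec['UserId']} from {rec.get('ClientIP')}"
    return None

RULES = [("bec_inbox_rule", inbox_rule_exfil), ("tenant_trust_change", tenant_trust_change)]

def run_detections(auditdata_lines):
    """Return (rule, CreationTime, detail) for each record that trips a rule."""
    alerts = []
    for rec in map(json.loads, auditdata_lines):
        for name, check in RULES:
            detail = check(rec)
            if detail:
                alerts.append((name, rec["CreationTime"], detail))
    return alerts
```

Running `run_detections(SAMPLE_AUDITDATA)` flags the forwarding-and-delete rule, the federation change and the new service principal credential, and ignores the benign move-to-folder rule.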
Logging within M365 can be difficult because the product continues to evolve, with new features and tools added constantly. Consider the following tips to help ensure you continue to log and detect what’s important in M365:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
October 19, 2021
By IANS Faculty