When company credentials have been compromised, all corporate data is instantly at risk. Hackers need only one victim to begin accessing an entire organization – do you have a plan in place to prepare for, detect or stop the threat before it’s too late?
Account compromise and credential harvesting attacks are occurring at alarming rates. In the event of a successful account compromise, time is crucial, and the ability to respond quickly can significantly decrease the damage to your organization. Incident response teams should have a clear understanding of the steps involved in remediating unauthorized access events. These steps should be clear and concise to avoid confusion and delayed containment. Microsoft helps with these steps by providing a single tool that covers many of the core incident response tasks.
Office 365 Cloud App Security is a subset of Microsoft Cloud App Security that provides enhanced visibility and control for Office 365. The capability instantly enhances incident response efforts by combining in-depth visibility into user activity with automated governance actions based on defined policy. Minimal setup and out-of-the-box detection make this a quick win for security administrators and incident response teams. With just one tool you can cover multiple steps in developing an effective strategy to mitigate credential theft attacks. When responding to unauthorized access activity, Office 365 Cloud App Security can be used to cover three core stages of the NIST 800-61 Incident Response Lifecycle: Detection, Analysis, and Containment. This improves performance by decreasing the time it takes to detect potential risk events, the time to analyze and classify security incidents, and the time to contain threats and prevent further damage. Shortening these time-consuming actions decreases the mean time to resolve an incident, which directly improves overall security posture.
Recognizing anomalies in your environment is key to effective incident response. Once audit logging is enabled, Cloud App Security provides deep visibility into your Office 365 activity and allows for comprehensive policy creation. An example may be detecting activity from abnormal geographic locations. If users located in the US are logging in from Nigeria, you need the ability to detect this anomaly and respond quickly. Office 365 Cloud App Security improves detection by providing the following:
Once anomalies are detected, an assessment must be made to determine the potential risk and plan your strategy for containment. For example, if you detect a user logging in from an abnormal IP address, you may be interested in the ISP and/or location of the IP address to determine whether this is a true positive security event. You may also search for other activities from the suspicious source IP to check for abnormal behavior patterns, such as a high volume of downloads or the creation of an inbox rule that forwards mail externally. You can easily view all activity performed by the compromised account during the time of the breach and distinguish authorized actions from unauthorized ones. Office 365 Cloud App Security provides all activity data and allows you to query for further information related to potential incidents, enabling quick but in-depth analysis. This tool provides the following functionality to improve the analysis of security events:
If unauthorized access is suspected, you must act quickly to stop the intrusion and reduce the potential for data loss. These actions must be verified to ensure the access no longer exists before moving forward in the incident response lifecycle. It is best to take “initial containment” steps prior to analysis if there are signs of a potential compromise. If your analysis confirms unauthorized activity, you can take immediate action to kill all active sessions and suspend the user directly from the portal.
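To make the detect, analyze, contain chain concrete, here is an added example (not code from the original post, from Microsoft or from Cloud App Security) that runs the same checks over constructed audit events: flag a login from a country outside the user's baseline, pivot on that source IP, and report whether an external forwarding rule or bulk downloads came from it. The event field names are modeled loosely on the Office 365 unified audit log, the per-user country baseline and the geolocation of each IP are assumed to be known, and every value is invented.

```python
from collections import Counter

# Constructed sample events in the style of the Office 365 unified audit log
# (Operation, UserId, ClientIP). "Country" is assumed to have been resolved from
# ClientIP by a geolocation lookup beforehand; all values here are invented.
USER, HOME_IP, ODD_IP = "alice@contoso.example", "203.0.113.10", "198.51.100.7"
EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": USER, "ClientIP": HOME_IP, "Country": "US"},
    {"Operation": "UserLoggedIn", "UserId": USER, "ClientIP": ODD_IP, "Country": "NG"},
    {"Operation": "New-InboxRule", "UserId": USER, "ClientIP": ODD_IP,
     "Parameters": {"ForwardTo": "collector@mail.example"}},
] + [{"Operation": "FileDownloaded", "UserId": USER, "ClientIP": ip}
     for ip in [ODD_IP, ODD_IP, ODD_IP, HOME_IP]]

EXPECTED_COUNTRIES = {USER: {"US"}}  # per-user baseline, assumed known

def abnormal_logins(events, expected=EXPECTED_COUNTRIES):
    """Detection: logins from a country outside the user's expected set."""
    return [e for e in events if e["Operation"] == "UserLoggedIn"
            and e.get("Country") not in expected.get(e["UserId"], set())]

def activity_from_ip(events, ip):
    """Analysis pivot: every event performed from the suspicious source IP."""
    return [e for e in events if e["ClientIP"] == ip]

def external_forwarding_rules(events, internal_domain="contoso.example"):
    """Analysis: inbox rules that forward mail outside the tenant's domain."""
    return [e for e in events if e["Operation"] == "New-InboxRule" and not
            e.get("Parameters", {}).get("ForwardTo", "").endswith("@" + internal_domain)]

def bulk_download_ips(events, threshold=3):
    """Analysis: source IPs with at least `threshold` file downloads."""
    counts = Counter(e["ClientIP"] for e in events if e["Operation"] == "FileDownloaded")
    return {ip for ip, n in counts.items() if n >= threshold}

def triage(events):
    """Chain the steps: for each abnormal login, pivot on its IP and report the
    indicators that would justify containment (kill sessions, suspend the user)."""
    findings = {}
    for login in abnormal_logins(events):
        ip, pivot = login["ClientIP"], activity_from_ip(events, login["ClientIP"])
        findings[ip] = {"user": login["UserId"], "event_count": len(pivot),
                        "external_forward": bool(external_forwarding_rules(pivot)),
                        "bulk_download": ip in bulk_download_ips(pivot)}
    return findings
```

The legitimate activity from the user's usual IP is never flagged, so the findings only list the source that merits containment.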
Below are containment opportunities provided by Office 365 Cloud App Security:
Cloud App Security is a very powerful tool and when used and implemented correctly, provides substantial value to your security efforts. If you have additional questions about Cloud App Security or want to know how it would benefit your company specifically, reach out to Interlink and we can talk you through the process and answer any questions.