All the Cloud Controls You Have Been Waiting For
When company credentials have been compromised, all corporate data is instantly at risk. Hackers only need one victim to begin to access an entire organization – do you have a plan in place to prepare, detect or stop the threat before it’s too late?
Account compromise and credential harvesting attacks are occurring at alarming rates. In the event of a successful account compromise, time is crucial and the ability to respond quickly can significantly decrease the damage to your organization. Incident response teams should have a clear understanding of the steps involved in remediating unauthorized access events. These steps should be clear and concise to avoid confusion and delayed containment. Microsoft helps with these steps by providing one single tool that covers many of the core incident response tasks.
Office 365 Cloud App Security is a subset of Microsoft Cloud App Security that provides enhanced visibility and control for Office 365. The robust capability instantly enhances incident response efforts by providing a combination of in-depth visibility into user activity and automated governance actions based on defined policy. Minimal setup and out of the box detection make this a quick win for security administrators and incident response teams. With just one tool you can cover multiple steps in developing an effective strategy to mitigate credential theft attacks. Office 365 Cloud App Security can be used to cover three core stages of the NIST 800-61 Incident Response Lifecycle - Detection, Analysis, and Containment when responding to unauthorized access activity. This allows improved performance by decreasing the time it takes to detect potential risk events, the time to analyze and classify security incidents, and the time to contain threats and prevent further damage. Ability to decreasing these time-consuming actions decreases mean time to resolve an incident which directly improves overall security posture.
Detection – Recognize Abnormal Activity
Recognizing anomalies in your environment is key to effective incident response. Once audit logging is enabled, Cloud App Security provides deep visibility into your Office 365 activity and allows for comprehensive policy creation. An example may be detecting activity from abnormal geographic locations. If users located in the US are logging in from Nigeria, you need the ability to detect this anomaly and respond quickly. Office 365 Cloud App Security improves detection by providing the following:
- Insight into all user activity
- OneDrive/SharePoint File Activity
- Interactive Logins to Connected Apps
- Exchange Online Activities (requires audit logging enabled)
- Recognize third-party app usage
- Understanding of who has access to files/folders
- Recognize where sensitive data lives
- Out-of-the-box policies to recognize anomalous and suspicious activity
- Out-of-the-box queries provide insight into interesting activities
- Customized policy based on the activity you find interesting
- Integration with Windows Defender Advanced Threat Protection (ATP) to discover app usage and shadow IT
Analysis – Assess the Risk
Once anomalies are detected an assessment must occur to determine potential risk and plan your strategy for containment. For example, if you detect a user logging in from an abnormal IP address you may be interested in the ISP and/or location of the IP Address to determine if this is a true positive security event. You may also search for other activities from the suspicious source IP to check for abnormal behavior patterns such as a high volume of downloads or the creation of an inbox rule to forward mail externally. You can easily view all activity performed by the compromised account during the time of breach and distinguish the authorized and unauthorized. Office 365 Cloud App Security provides all activity data and allows you to query for further information related to potential incidents for quick but in-depth analysis. This tool provides the following functionality to improve the analysis of security events:
- Easily create queries to search the activity log
- Point and click filtering
- Use advanced queries to filter results to specific indicators
- Save queries for continuous monitoring
- Interactive Graphical User Interface to pivot and analyze
- Rich useful data included in alerts
- Check user access to recognize sensitive data at risk
- IP address information embedded in activity logs
- SIEM Integration for correlating logs
- Export logs for further analysis, litigation, insurance, and/or reporting
Containment – Stop the Threat
If unauthorized access is suspected, you must act quickly to stop the intrusion and reduce the potential for data loss. These actions must be verified to ensure the access no longer exists before moving forward in the incident response lifecycle. It is best to take “initial containment” steps prior to analysis if there are signs of a potential compromise. If your analysis determines unauthorized activity you can take immediate action to kill all active sessions and suspend the user directly from the portal.
Below are containment opportunities provided by Office 365 Cloud App Security:
- Automate by setting policy to take a governing action if triggered
- Require user to sign-in again by revoking refresh tokens and session cookies
- Suspend user, thus preventing access until the incident is resolved
- Pivot to Azure Active Directory for password reset
Cloud App Security is a very powerful tool and when used and implemented correctly, provides substantial value to your security efforts. If you have additional questions about Cloud App Security or want to know how it would benefit your company specifically, reach out to Interlink and we can talk you through the process and answer any questions.