Feb 25 2020
Expert O365 Security Advice – How CoreView Fits the Bill
Office 365 seems like a safe and secure environment. After all, many viruses and malware aim at on-premises software, with Windows and on-premises Office being key targets. But while O365 is in the cloud, it is still very much in hackers’ crosshairs, and there are myriad cybercriminal entry points. Just take a glance at these facts and figures.
- Nearly 60% of sensitive data held in the cloud is in the form of Office documents.
- Over 71% of O365 shops experience one or more compromised accounts every month.
- Over 57% suffer one or more insider threats each month.
- 93.5% experience at least one privileged user threat each month.
- The average O365 shop experiences 2.7 threats every month.
Meanwhile, SkyHigh Networks (now owned by McAfee) finds that 17.1% of data held in SharePoint Online and OneDrive is sensitive. Here is how the company breaks it down:
- “9.4% of data is confidential (e.g. financial records, business plans, source code, trading algorithms, etc.)
- 4.1% of data contains personally identifiable information (e.g. Social Security numbers, tax ID numbers, phone numbers, date of birth, etc.)
- 1.9% of data contains protected health information (e.g. patient diagnoses, medical treatments, medical record IDs, etc.)
- 1.7% of data contains payment information (e.g. credit card numbers, debit card numbers, bank account numbers, etc.)”
Office 365 security experts have a few specific tips to keep tenants safe. Security consultancy TrustedSec blogged about the issue, advising:
- “Use multi-factor authentication (MFA). By default, passwords in O365 are set to never expire. Brute-forcing attacks often take time, but even if passwords are updated regularly, i.e., every 30 days, the efforts of attackers can still potentially overcome it.
- Enable Audit Logging and perform periodic analysis of O365 audit logs. Until recently, Microsoft had not enabled audit logs by default, so if you began using O365 before the beginning of the year, you should recheck this setting. It often takes months for attackers to infiltrate a network, and users can filter and search through audit logs for possible indicators of compromise (IoCs), noting when usage patterns become abnormal. This can also be automated. Logs should be retained for at least six (6) months.
- Enable mailbox auditing. By default, the ability to search individual mailbox events is disabled, which minimizes the user activities visible in the audit log search. By enabling mailbox auditing, the size of the audit log will increase with more robust information.”
Meanwhile, a May 2019 report from the U.S. Department of Homeland Security spelled out O365 risks and how to confront them. The report found several configuration issues that lowered the security posture of organizations that use Office 365, and provided recommendations to reduce attack surfaces. The two biggest items, also noted by TrustedSec, are:
- Multi-factor authentication for administrator accounts not enabled, and
- Mailbox auditing not enabled.
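As an added illustration (this is not CoreView's code and not from the TrustedSec or DHS publications), the following read-only PowerShell baseline checks the three settings named above, unified audit logging, mailbox auditing and per-user MFA on Global Administrators, plus the password-expiry setting mentioned in the TrustedSec quote, using the Exchange Online and MSOnline modules as they existed in early 2020. It assumes you have already run Connect-ExchangeOnline and Connect-MsolService with an account permitted to read these settings; the CSV file names are arbitrary choices for this example.

```powershell
# Added example: tenant baseline for the DHS/TrustedSec findings (read-only; remediation
# commands are shown as comments so nothing changes until you choose to apply it).
# Assumes Connect-ExchangeOnline and Connect-MsolService have already been run.

# 1. Unified audit log ingestion (TrustedSec: "Enable Audit Logging").
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF. Fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# 2. Mailbox auditing (DHS finding: mailbox auditing not enabled).
# The tenant-wide switch is AuditDisabled on the organization config; individual mailboxes
# that predate the default can still have AuditEnabled = $false, so check both.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled tenant-wide. Fix: Set-OrganizationConfig -AuditDisabled `$false"
}
$noAudit = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.AuditEnabled }
$noAudit | Select-Object UserPrincipalName, AuditLogAgeLimit |
    Export-Csv -Path .\mailboxes-without-auditing.csv -NoTypeInformation   # constructed file name
# Bulk remediation, matching the six-month retention the post recommends:
#   $noAudit | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

# 3. MFA on administrator accounts (DHS finding: MFA for admins not enabled).
# Per-user MFA state is the StrongAuthenticationRequirements collection; empty means not enabled.
# Caveat: MFA required through Conditional Access or Security Defaults does not show here.
$adminRole = Get-MsolRole -RoleName "Company Administrator"   # MSOnline's name for Global Administrator
$adminUpns = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    Select-Object -ExpandProperty EmailAddress
$adminsNoMfa = foreach ($upn in $adminUpns) {
    $u = Get-MsolUser -UserPrincipalName $upn
    if ($u.StrongAuthenticationRequirements.Count -eq 0) { $u.UserPrincipalName }
}
if ($adminsNoMfa) {
    Write-Warning ("Global Administrators without per-user MFA: " + ($adminsNoMfa -join ', '))
}

# 4. Accounts whose password never expires (TrustedSec: O365 passwords never expire by default).
# Service accounts typically show up here; review them rather than blindly forcing expiry.
Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Export-Csv -Path .\password-never-expires.csv -NoTypeInformation   # constructed file name
```

Run it from a workstation that can reach both modules and review the two CSV files before applying the commented remediation lines; the MFA check in step 3 deliberately reports only per-user MFA, so a tenant relying on Conditional Access policies should verify those separately rather than treat an empty warning as proof of coverage.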
CoreView to the O365 Security Rescue
Fortunately, CoreView has the solutions to make these essential security tasks a piece of cake. CoreView works by collecting all available information from the Microsoft O365 platform, including audit logs, application-specific APIs such as Exchange Web Services, and all Azure Active Directory information. This data is stored in MongoDB within an Azure subscription and is action-enabled, which gives CoreView customers very specific advantages when addressing configuration issues.
Auditing, as experts point out, is critical. CoreView saves logs for a minimum of one year, and does so securely. CoreView data collection and administrative actions are proxied via our customer’s service account, which is securely stored in Azure Key Vault Service. CoreView Operators sign in with their Azure AD credentials, including MFA, and need no administrative access to the O365 Admin Center at all. We also have action-enabled reports, which show each admin’s exact level of administrative access and whether that admin has MFA enabled, and which can alert on this configuration as well.
CoreView enables not just mailbox auditing in Exchange Online, but auditing for all the major O365 workloads, including Azure AD, PowerBI, SharePoint, OneDrive, etc. With CoreView, data retention is for one year by default for all workloads.
Here are five more ways CoreView safeguards your O365 tenant.
1. Create strong unique passwords that are changed regularly.
Run CoreAdmin Reports to identify accounts that do not have password expiration set — especially service accounts — and apply changes in bulk using CoreAdmin delegated admin facilities.
2. Enable Multi-Factor Authentication, especially for remote logins.
Use CoreSecurity Audit Sign-In Reports to identify not only remote login attempts, but also to discover targeted accounts, MFA status and failure reasons, and to remediate MFA status directly from the CoreView reports.
If any devices are flagged as infected, either from CoreView’s CoreSecurity or from other platforms, run a CoreSecurity fileaccess and fileaccessextended report for the device owners. For known affected organizations or departments, run the report for all users. You can also contact CoreView Support and get a proactive CoreView Office 365 Health Check.
3. Modernize legacy systems and ensure software is as current as possible.
CoreView can validate your workstations and ensure software is up to date, and you can run CoreSecurity Azure AD Reports to document third-party applications that have been granted, and are using, access to Azure AD.
4. Limit the granting of administrative access.
Giving global admin rights to too many people is one of the worst things you can do to your network security. Instead, leverage CoreAdmin’s functional least-privilege access and Role-Based Access Control (RBAC) functions to quickly create a least-privilege access model that restricts admin rights to only what is actually needed.
5. Audit all workloads for end users and admins.
CoreView stores an external, immutable log of every administrative action for the life of the platform. Every agency should be able to produce this type of information.
At the same time, ensuring that auditing is enabled across all workloads is also crucial, as it lets you perform forensic analysis and see in detail how malware spread. Logs should be stored, accessed and audited in a separate, immutable location, and enabling CoreSecurity lets you define how long these logs are retained.
Enabling CoreSuite activates auditing for all Office 365 workloads, and surfaces all of the Microsoft E5 security tools, even if there is only one E5 license enabled.
With CoreView, you can ensure your Microsoft environment is correctly configured. This greatly increases your chances of blocking or at least surviving malware.
Learn About 26 Office 365 Security Pain Points – and How to Cure Them
CoreView has four white papers showing 26 common O365 security problems. Topics include: