The COVID-19-driven move to remote brings two issues – IT must secure M365 users who are no longer in the office, and hacker attempts exploded with cybercriminals exploiting Coronavirus, to sneak their way into YOUR network. The pandemic ups the security ante, as hackers are launching new phishing and ransomware attacks exploiting Coronavirus fears – plus myriad other invasions. These risks will last long after the pandemic disappears.
On top of new threats, enterprises moved at lightning speed to remote work, something they are not used to. There was little time to address the myriad training, adoption, and SECURITY issues that must be mastered for this remote work to be safe and productive. That is one reason we wrote the Remote Work Security Checklist.
Why else is the security of remote work suddenly such a hot topic? “The platforms we all use are getting very complex. And there is an openness to these platforms, making them easy to access. By moving to the cloud, we expose and increase the attack surface of the platform to the rest of the world,” said Matt Smith, CoreView Solution Architect. “Now as we move into work from home, we are exposing not just our work PCs to the corporate environment, but our home PCs. My wife is home right now teaching over the Zoom client from our home PC that my 14-year-old plays Minecraft on.”
Key Microsoft Office 365 security best practices include strong password policies, multi-factor authentication, tight mailbox security, and file storage security. Proactively establishing best practices in these areas dramatically reduces security risks – especially in these times of increased remote work. Basic layered and defense in-depth security tools simply do not dig into Microsoft Office 365 specific vulnerabilities and security problem areas.
Locking down end-user accounts through secure passwords and rigorous authentication is also essential. Multi-factor authentication (MFA) requires at least two forms of personal user identification and is recognized by the National Institute of Standards and Technology (NIST) guidelines for password security. The United States Department of Homeland Security now recommends that all Microsoft Office 365 users implement MFA. Making MFA adoption easy, Microsoft offers tools such as Microsoft Authenticator for users to install on their smartphones, as well as Smartcards, to work in combination with pass worded logins. Multi-factor authentication is a surefire way to prevent unauthorized logins, and there is little excuse not to use it.
Meanwhile, monitoring employee activities such as their mailbox practices can identify risky behavior and proactively secure business-critical data. Preventing risky activities such as auto-forwarding to external email addresses and limiting access rights to other users’ mailboxes can prevent the spread of malware and the leakage of data through emails. In addition, being aware of unusual email activity prevents targeted spam or social engineering tactics common among today’s cybersecurity threats.
Now that workers are scattered over hill and dale, IT needs to track users to make sure all these remote logins are legit. The answer is to monitor suspicious M365 sign-in activities. Knowing how many suspicious sign-in attempts are happening, where they are coming from, and what they are targeting is a key security best practice – and especially critical during this crisis. Here are suspicious sign-ins you should track:
Even better is to have reports to identify not only remote login attempts, but also to discover targeted accounts, MFA status, and the reasons the login failed.
Remote work clearly raises the bar for device management. ”As we expand the surface and the usability of the Microsoft Office 365 platform, we have expanded it now from inside the corporate walls to the internet, and now to home devices — configuration becomes critical.
It was much easier for IT when there was a single brand of laptop, or a single brand of desktop that had the corporate image on it and the applications installed, and you could only access the file server when you were in the office plugged into the wired network,” Smith explained. “Wireless introduced a bigger attack surface, and cloud SaaS platforms increase that surface. Connecting from home has increased it yet again, and each time it is exponentially bigger.”
CoreView’s Matt Smith
CoreView gathers configuration information from all these devices. Our management platform rests on top of the data and alerts you when the configurations are not what you expected, or not configured to company standards.
Here is an example of why this is important. Earlier this year (2020) there was a highly critical Microsoft security flaw. It was so bad that the U.S. National Security Agency pointed out the flaw and instructed every government agency to report on which machines had that version of Windows that needed patching — and gave them a whopping two days to do it.
“If you can imagine the federal government doing anything within two days, that is amazing. They gave them seven days to report back on exactly how many of those devices they fixed with the patch,” Smith said. “This is a big problem in IT. Knowing what devices are attaching to the tenant is an issue. Doing that inventory is an issue, and correlating the devices with the user is an issue.
The good news is that CoreView can help. “CoreView has all that data. We are wickedly fast, and leverage the power of Azure to throw a ton of computing resources at very large reports and information requests,” Smith explained. “Plus, CoreView has already correlated the data, which we call data enrichment. As information comes in, we combine user information, department, all the Active Directory information, with those devices, so data correlation is already there. We produce reports, and on top of it, communicate directly with users from within the platform.”
Gathering data from devices is critical for security. So is getting deeper into device management for remote devices. “We talked about devices, enabling remote users, the ability to report on specifically what devices users have, communicating directly with users, provide them training, and configuration information. We are not a device configuration platform. What we do though is report back and show that policies were applied to these devices correctly, or these devices do not have any policies applied. That is a security event. Who has these devices and how they are being used for what applications are something the Microsoft products do not show. Microsoft’s native M365 Admin Center does not tell you that a user used a device to access an application and transferred or uploaded a specific file and the name of that file,” Smith said.
This is crucial in the event of a compromise. “Let us say IT finds a device that has been compromised, since CoreView surfaces devices with malware. IT can dive further. CoreView shows that user has malware on a device, and since that device is compromised and that user is suspect, IT can see everything he touched, all the files he has uploaded, all the files he has accessed, where he logged in from, what IP addresses, and what devices were used. This is critical because they are all now suspect,” Smith argued. “In this specific case, IT identified a risk, and can now look at a user and everything that they have done versus always looking at 10,000 users. That is the Splunk approach of casting a wide net and hoping you catch something. With CoreView, you get a risk signal, and then can do a deep dive exactly on that specific event. That is something nobody else does.”
Get the full story on securing M365 remote workers with a custom CoreView demo.