Three Changes Organizations are Making to Reduce Risks of a Security Breach
Over the past several weeks we’ve had the fantastic opportunity to interview some of our oldest customers about how they are using CoreView. The most surprising result was the similarity in use cases around security. Without discussing their ideas with each other, a majority of our customers came to the same conclusion; they can leverage CoreView to bolster their defenses against a security breach.
The goal of this blog is to share the ideas of these customers with our online community and see if the changes they implemented might help other organizations improve their own security compliance. The three changes that our customers reported making include the following:
– Improve proactive monitoring and reporting for suspicious sign-in activity
– Implement real-time alerts for known security compliance issues
– Increase speed of security audits to quickly remediate identified problems
Monitoring Suspicious Sign-in Activity for Office 365
A big priority for customers has been ramping up their proactive monitoring and reporting for suspicious sign-in activity for Office 365 to protect against security breaches. Many breaches come from botnet driven, brute-force attacks on user accounts by trying different passwords combinations at segmented intervals until they gain access over time. This was the method used by the “KnockKnock” attack which successfully targeted Office 365 system accounts last year. The Azure AD security monitoring and auditing reports available in CoreView provide the type of proactive, fast analysis capabilities to quickly sniff-out suspicious activities for user account sign-ins. Identifying those hackers early on allows IT teams to quickly block those IP addresses and enable extra security to any of the accounts that are being targeted.
This is extremely helpful for distributed organizations with multiple sites and geographic locations. The enterprise organizations we talked to said that they have improved their response time to block remote hacker attempts by over 500%. One customer based in the mid-western US said that they used to spend approximately 80 hours/month running their own PowerShell scripts and sifting through the piles of data to search for anomalous sign-ins across their different geographic locations. Now they spend about 10 hours/month monitoring for suspicious sign-ins and can take immediate action when they find an issue.
Example: Suspicious sign-in failures from different geographic locations over 90 days (CoreView Mapping Report)
**Note: CoreView also enables the configuration of automated alerts for a specific suspicious sign-in activity.
Real-time Monitoring and Alerts for Security Compliance Issues
The next area customers are focusing on to avoid the risk of a security breach is enabling real-time monitoring and alerts for potential security compliance issues in their Office 365 environment. Previously their IT teams would spend 10 to 50 hours every month writing and running custom PowerShell scripts to decipher the millions of log entries and search for security problems. Now they leverage CoreView to provide automated alerts for security issues on an almost real-time basis. Whenever a known issue is reported within any of the different Office 365 event logs, the CoreView monitoring agent creates an alert and notifies the specific IT admins to take action. Common examples of this type of security compliance monitoring and alerting include the following:
– Permission changes to executive mailboxes
– Users auto-forwarding their email outside the organization
– Major policy changes to account security rules
– Accounts with incorrect password settings
– Users sending out email messages with Malware included
– Users sending a large number of e-mail messages daily (possible Malware infection)
– Users sharing OneDrive or SharePoint folders with external addresses
– Suspicious sign-in activity for executive accounts
Once alerted with the appropriate information about the security issue, the IT admins can take immediate action to rectify the situation and close the security concern. One customer said they now have hundreds of these CoreView security compliance alerts configured within their environment to empower them with the real-time knowledge of non-compliance activities so they can be remediated quickly.
Speedy Security Audits Lead to Faster Remediation of Issues
The final area that customers are targeting to protect against security breaches are auditing tasks for incidents that previously occurred. The majority of our customers are focused on speeding up security audits and performing more efficient forensic analysis to quickly close any security issues when they are identified. The KnockKnock and ShurL0ckr attacks that focus on Office 365 have been active since May 2017 and are still running. Finding the audit trail to identify these types of attacks is extremely difficult and requires assistance from specialized tools that have powerful security auditing and analysis capabilities. That’s where the CoreView solution comes in handy. Our customers have reported that they are saving more than 50-hours per incident investigation by leveraging the built-in analysis tools in CoreView. One enterprise organization based in the northeastern US, reported that CoreView had saved their IT team over 1,000 hours last year when researching and analyzing security related incidents.
Finding security issues that occur within the Office 365 environment quickly and shutting down the problem is a constant challenge for IT administrators and security teams. With millions of activity events from a variety of Office 365 log file sources, it’s difficult to correlate relevant data and make sense of it. CoreView provides that intelligent, crystal ball view by aggregating data from all different Office 365 logs to help IT admins locate the corresponding security events and connect the dots to see if valuable information was included, when it occurred, and who was involved. Being able to locate where the breach, or security issue, originated and what documents or messages were involved can make the world of difference, especially when it was an event that happened months ago.
CoreView stores all log file information for at least one-year and can store data longer if a customer requires more historic information to perform security audits. This empowers IT admins to perform the detailed background research to know when the actual security issue first began and where it originated. This helps close the loop on the security audit and finalize the incident report with the necessary information to document the root-cause of a security breach or data loss incident.
As we hear about additional best practices from our customers being more proactive and vigilant against security breaches, we will continue to pass those along so that all organizations can guard against cyber-attacks. If you are interested in finding out more about our CoreView’s SaaS Management Platform and how it can help reduce the risk of security breaches for your Office 365 environment, please reach out to us at firstname.lastname@example.org and we will setup a customized demo.