Apr 24 2020
Using Data to Secure Microsoft 365-Based Remote Workers
The move to remote work adds all manner of new security concerns. Many of these workers depend on Office 365 (being renamed Microsoft 365) and Microsoft Teams.
We spoke with CoreView Solution Architect Matt Smith about how proper O365 data collection, analysis, and actionable reports keep these workers and the O365 tenant safe.
The Use and Importance of Data
CoreView: You talked about signals, or data related to the use of Office 365. These now increasingly encompass remote workers and their devices. How does CoreView make sense of all these signals – all this data?
Smith: A big issue is all the signals IT is getting. There are so many log files, so many different places to look for data. CoreView, by extracting that data and putting it into a single pane of glass, gives IT a macro view of how the entire organization is doing.
As IT finds points of interest, they can drill down into the micro view of how the users configure specific activities that they are taking and so forth. IT sees not only if these end users are using the platform, which is a top-level signal, but how they are using the platform, and is it appropriate, and what other device configurations and security configurations are coming into play as they access the platform.
Keep in mind, some 85% of security events happen because of configuration issues.
CoreView: Can you describe data enrichment in detail? How does it differ from what Microsoft provides through basic logs?
Smith: A log file is just information that says a certain event occurred at a certain time by a user. It is not contextual. It is just a single line in a long report. If you imagine single-spaced text on a big sheet of paper, that is how the Microsoft audit logs look before CoreView gets a hold of them.
As the data comes into CoreView, we correlate that information with information about specific users. Take Joe User. What department is he in? Who is his manager? What devices does he have? What are his software licenses? We add all that information to that single event.
Now IT starts to see trends across the data. They may be getting security events — all from people who have iPhones with a certain version of iOS. As that data comes in, correlating it with other aspects of device information and user configuration information gives us a more complete picture compared to just knowing that an event happened to a specific person.
CoreView: Sounds like CoreView is not just collecting log files. Instead, the log file is just one component of what CoreView does. CoreView enriches the data, allowing IT to gain better metrics and insights into what is actually happening within the O365 environment. In fact, there is no way IT using the native Microsoft admin tools can see, for instance, every time the marketing department downloaded files. There is simply no way to do it from the native console.
Smith: That is a great point. Layered on top of that is a workflow engine that is very powerful. When IT sees events they are concerned about based on the level of severity, they can kick off a workflow engine that does not just notify IT of issues. The workflow can automatically do things like clear user sessions when malware is detected on a device, notify multiple people to the event, or put a user account in a locked out state until somebody can perform deeper analysis.
CoreView has actionable reports, not just data. That is what differentiates us from a tool like Splunk and from the Microsoft platform itself.
How Data Protects O365 Security
CoreView: How does CoreView reduce security threats by changing user and admin behavior?
Smith: We talked already about how CoreView knows all the user activity. You can also run a report on every single administrative activity that has ever been taken within the platform. That is very difficult to do within Office 365.
I can run a report on all the administrative activities an individual has taken within CoreView, schedule that report, and send it to the security director for review on a weekly basis. So not just the user activities, but also the administrative activities. If you think about it, we expect that information from bank tellers, who can show every check they have cashed and every deposit they have done. Why can’t I do that for Office 365 admins?
We found that when people know that you have this capability from CoreView, it improves behavior all around. That is why there are security cameras in retail stores and banks. It is not just to catch the bad guys. Those cameras are out there for everybody to see, so they know people are looking and can rewind the tapes. Public schools are another great example. You put the cameras right in the hallway and suddenly you have fewer fights in the hallway. CoreView gives you that ability to rewind and see every single thing that occurred. Maybe it was not malicious, maybe it was just a mistake, but why aren’t we doing that as soon as we turn on Office
If IT has not done it, just by installing the CoreView application, we turn on all the auditing for all the workloads. Most O365 customers do not know this auditing is not turned on by default. Microsoft does not turn on this information for every single customer because it would be a severe strain on their system.
Studies show it takes up to 200 days to determine you’ve had a data breach. CoreView keeps log and audit information for customers for at least a year — and they can sign up for longer data retention. It is inexpensive for CoreView to do that extended data retention.
Let us say a data breach happened in November. IT may not detect it until May. Microsoft, believe it or not, cannot tell you who signed into Office 365 (using the native Microsoft Admin Center platform) 31 days ago. How does IT go back if the data breach occurred in November and I am just now detecting it? How can IT find out what happened? They cannot. Microsoft will allow you now with an additional SKU, an E-5 license, to save that data, but it is by individual user.
How do you enable that data retention for, say, 10,000 users, and each one individually? You really cannot. Even if data retention is enabled through E-5 licenses, it is not correlated, and the data has not been enriched. It is incredibly important to be able to step back and find out exactly what happened. Whether it is just misconfiguration, user or administrator error, or a bad actor, we cannot notify people that we have a problem unless we have that data. CoreView has all that data.
CoreView: Is there a way to easily visualize this data?
Smith: A great example is finding sign-in failures with a worldwide map showing sign-ins from China, but the company does not have any people in China. Then IT can drill down to see what accounts are under attack. With data enrichment, we can set up and see conditional access policies, and discover what is working and what is not.
CoreView shows the audit log for all the administrative access. We also have workflow. And there is a dashboard. We call it a compliance dashboard, where we operationalize all these reports and put them into a daily, weekly, monthly, quarterly format — exposing activities that need an administrator check. These activities could be sharing OneDrive files, which may be safe or the source of data leakage depending on the circumstances. CoreView surfaces these activities in reports.
This data and reporting allows IT to focus their activities, and delegate those reports out to other individuals in the organization.
Once again, just the fact that people know that IT has this capability helps. IT can send emails to people saying, ‘I saw you shared something. Do you still need that up?’ CoreView can take the same action when people do things they are not supposed to. IT can use CoreView communications ability to send a message – ‘You did something that was outside of policy. Did you know the policy?’ That improves your security stance as well.
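The enrichment and geography checks Smith describes, as an added illustration that is not CoreView's code or Microsoft's log schema: constructed sign-in events are joined with constructed directory attributes (department, manager, device OS), failed sign-ins from countries where the company has no staff are grouped per account, and failures are counted by device OS to expose the "all from one iOS version" kind of trend. The field names, the `COMPANY_COUNTRIES` set and all sample values are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events, roughly the shape of exported audit-log rows
# (illustrative field names, not Microsoft's exact schema).
RAW_EVENTS = [
    {"ts": "2020-04-20T02:11:05Z", "user": "joe.user@example.com", "op": "UserLoginFailed", "country": "CN"},
    {"ts": "2020-04-20T02:11:40Z", "user": "joe.user@example.com", "op": "UserLoginFailed", "country": "CN"},
    {"ts": "2020-04-20T02:12:03Z", "user": "sam.dev@example.com", "op": "UserLoginFailed", "country": "CN"},
    {"ts": "2020-04-20T09:00:00Z", "user": "sam.dev@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2020-04-20T09:30:00Z", "user": "ann.lead@example.com", "op": "UserLoginFailed", "country": "DE"},
    {"ts": "2020-04-20T23:45:00Z", "user": "sam.dev@example.com", "op": "UserLoginFailed", "country": "RU"},
]

# Constructed directory data: what the enrichment step attaches to each bare log line.
DIRECTORY = {
    "joe.user@example.com": {"department": "Marketing", "manager": "ann.lead@example.com", "device_os": "iOS 13.3"},
    "sam.dev@example.com": {"department": "Engineering", "manager": "ann.lead@example.com", "device_os": "iOS 13.3"},
    "ann.lead@example.com": {"department": "Marketing", "manager": "ceo@example.com", "device_os": "Android 10"},
}

# Assumption: the countries where this company actually has people.
COMPANY_COUNTRIES = {"US", "DE"}


def enrich(events, directory):
    """Turn each single-line event into a record with user context (department, manager, device)."""
    enriched = []
    for event in events:
        attrs = directory.get(event["user"], {})  # unknown accounts keep the bare event
        enriched.append({**event, **attrs})
    return enriched


def failed_signins_outside_footprint(enriched, allowed_countries):
    """Per account, count failed sign-ins from countries where the company has no staff."""
    hits = defaultdict(Counter)
    for event in enriched:
        if event["op"] == "UserLoginFailed" and event["country"] not in allowed_countries:
            hits[event["user"]][event["country"]] += 1
    return dict(hits)


def failures_by_device(enriched):
    """Count failed sign-ins by device OS; a single OS dominating is the trend Smith describes."""
    return Counter(e.get("device_os", "unknown") for e in enriched if e["op"] == "UserLoginFailed")


if __name__ == "__main__":
    records = enrich(RAW_EVENTS, DIRECTORY)
    print(failed_signins_outside_footprint(records, COMPANY_COUNTRIES))
    print(failures_by_device(records))
```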
Secure Remote Workers with CoreView’s Help
Learn more about making remote workers happy and productive with a CoreView demo.
Get your O365 user workload usage and security profile FREE with our new CoreDiscovery solution. You can get your free software now at the CoreDiscovery sign up page: https://www.coreview.com/core-discovery-sign-up/
ABOUT THE WRITER
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.