Feb 4 2020
Office 365 Security Pain Points – Improper Administration and Non-Compliance
Solutions to Nine Administration and Compliance Problems
Two of the biggest threats to Office 365 are a lack of compliance with security policies, and unsafe administration through excessive and poorly defined global privileges. Meanwhile, IT must still face regulatory compliance issues such as GDPR.
Virtually all organizations have some basic forms of security protection, such as anti-virus and firewalls – but nothing for Office 365-specific security issues. The basic tools they have make them feel safe. Meanwhile, larger shops likely have defense-in-depth for general security and compliance and regulatory controls and solutions – but again, nothing for Office-365 specific administration and security compliance concerns.
Osterman Research surveyed Office 365 IT managers and found that 57% of those asked identified “the ability to centrally manage security policies across all communication channels, both within Office 365 and on other platforms,” as a major pain point.
Here are nine Office 365 administration and security compliance pain points – and how to handle them.
Improper Administration and Non-Compliance
1. The Pain: The Problem of Misconfiguration
Gartner and Forrester both indicate that 80% of SaaS breaches stem from misconfiguration, inappropriate user behaviors, or incorrectly elevated user permissions.
Gartner argues, “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes.” Correctly understanding your company’s existing configuration and management is the first step towards implementing solutions that immediately improve a tenant’s security. Meanwhile, monitoring and enforcing policies is the responsibility of Office 365 IT professionals, and is a must-do best practice to reduce your breach perimeter.
For enterprises, correctly defining configurations and appropriate user behaviors are best practices. However, misconfiguration is still possible due to operator workarounds or operator error. That is why it is so important to monitor and enforce your configuration best practices including policies and baselines, and thus fully secure your SaaS environment.
CoreView defines administrators that are specific to a location, functional sets of users, or other attributes. This means admins know who their users are, and have a manageable set of end users to handle.
At the same time, CoreView tracks application usage, so you know which applications handle the most work, and when end users are misusing the system. The ‘single pane of glass’ CoreView console offers deep insight into how end users are configured, and where they might be misconfigured.
With CoreView, you can monitor your configurations and usage policies, and report and alert on account and device misconfiguration. If a misconfiguration or a misusage has been detected, you can immediately remediate it as well as enforce those policies using the CoreView workflow automation capability. Moreover, with CoreView, policy management moves from a manual and error-prone process to one that is intuitive, easy and automated.
And the CoreView secret sauce – we maintain the account ID hash with the user account when it’s disabled. This maintains account immutability when names are reused.
With CoreView automation, deprovisioning goes from up to 20 hours down to under 10 minutes. This saves a typical organization about 1,000 hours a year in manual IT admin activities, while at the same time improving quality of service and reducing human errors. We found that a company with 10,000 employees could save 950 hours of administration time per year, at a projected savings of $45,600 a year – just by properly using Role-Based Access Control (RBAC) to set Office 365 admin permissions.
2. The Pain: Insider Breaches and End User Malfeasance
Suffering breaches from insiders, including IT itself, is something too rarely talked about. Verizon tracks insider activities in its annual Data Breach Investigations Report, and sees many of these insiders as shockingly brazen. “The corporate LAN was the vector in 71% of these incidents, and 28% took advantage of physical access within the corporate facility. This means the majority of employees perpetrated their acts while in the office right under the noses of coworkers, rather than hopping through proxies from the relative safety of their house,” a recent Verizon report said.
These breaches are far too common, as the Verizon report finds that 14% of breaches come from insiders. Insiders are more dangerous than most outsiders are. Insiders are already on the network, and sometimes with high-level privileges. There are different types of insiders who pose specific and varied risks. For instance, many insiders, such as human resources professionals, IT staff, and high-level managers – all have higher-level computer privileges.
The higher the level of privilege, the bigger the problem. “You have managers (including those in the C-suite) that came in higher than in prior years. You know the type – one of those straight shooters with upper management written all over him. They often have access to trade secrets and other data of interest to the competition and, tragically, are also more likely to be exempted from following security policies because of their privileged status in the company,” Verizon said.
To fight off the insider threat, you need a full approach to security, along with the ability to address Office 365-specific vulnerabilities. A key issue is knowing what is going on in the network and controlling dangerous activity.
Verizon advises IT to implement strong access controls and provide access levels fitted to true needs, trust, and levels of responsibility. “Having identified the positions with access to sensitive data, implement a process to review account activity when those employees give notice or have been released,” Verizon suggested.
IT pros are stewards of the IT infrastructure, responsible for securing computer infrastructure and protecting data. This means protecting the company against insider threats – not just blocking outside actors.
The answer is to identify internal and external threats to your environment – then step up your defenses. Here, CoreSecurity alerts give you an early warning system for internal and external threats to your Office 365 environment, so you can identify and defend yourself against security breaches before they occur.
Meanwhile, CoreView reporting is fine grained so data can be analyzed by department, business unit, country and more, so it’s easier to determine exactly where breaches first occur.
3. The Pain: Failure to Log and Audit
Systems such as Office 365 collect literally millions of bits of information – for larger shops it takes little time at all to reach this many data points. Unfortunately, from a security standpoint, these data points do not exist for long, and far too few are ever used for protection or forensics.
CoreView provides 1-year audit data collection, which can be extended however long the customer wants, where Microsoft historically offers logs for only the last 30 days – which is being increased to a year but only for E5 licenses. However, ask yourself:
- Why do you need to collect these data logs?
- How does this impact regulatory regulations?
- What happens if you do not save and mine that audit data?
- What is the business impact?
Did you know it takes more than 4 months on average to detect a data breach? At the same time, active hackers reside on the network for a median of 146 days before being detected, all the while digging deeper and deeper into your data and quietly wreaking havoc.
Before you can even think about leveraging audits, you have to turn on logging to make sure you can detect what happened. And of course, you need to save log data far longer than Microsoft keeps the data, which is just 30 days for Azure AD sign-in events.
Are you logging all the events? Even when you set up logging, tracking all events is not enabled by default.
This functionality puts CoreView in the same camp as Splunk and Azure Sentinel. CoreView is a better solution than Splunk because we have no logging and auditing infrastructure required, data collection takes minutes, we are much faster, the data never leaves the Microsoft platform, and we do not have to have throttling. Plus, customers can perform administrative actions right from the reports. We beat Azure Sentinel because of our O365 expertise and pre-configured playbooks, workflow, and reports – saving months of development time.
With CoreView, IT can produce a log in seconds for every administrative action taken in Office 365 since the platform was initiated. This is not the case with the native O365 Admin Center. Ask yourself, if a bank teller has a transaction log of every deposit and withdrawal, why don’t we have this for O365?
Real-time monitoring and alerts for security compliance issues is the engine that drives much of the data that forms the logs. Smart IT shops now enable real-time monitoring and alerts for potential security compliance issues in their Office 365 environment.
One enterprise organization based in the northeastern US, reported that CoreView saved their IT team over 1,000 hours last year when researching and analyzing security related incidents.
The KnockKnock and ShurL0ckr attacks that focus on Office 365 have been active since May 2017 and are still running. Finding the audit trail to identify these types of attacks is extremely difficult and requires assistance from specialized tools that have powerful security auditing and analysis capabilities. That’s where the CoreView solution comes in handy. Our customers have reported that they are saving more than 50-hours per incident investigation by leveraging the built-in analysis tools in CoreView.
Finding security issues that occur within the Office 365 environment quickly and shutting down the problem is a constant challenge for IT administrators and security teams. With millions of activity events from a variety of Office 365 log file sources, it’s difficult to correlate relevant data and make sense of it. CoreView provides that intelligent, crystal ball view by aggregating data from all different Office 365 logs to help IT admins locate the corresponding security events and connect the dots to see if valuable information was included, when it occurred, and who was involved. Being able to locate where the breach, or security issue, originated and what documents or messages were involved can make the world of difference, especially when it was an event that happened months ago.
CoreView stores all log file information for at least one-year and can store data longer if a customer requires more historic information to perform security audits. This empowers IT admins to perform the detailed background research to know when the actual security issue first began and where it originated. This helps close the loop on the security audit and finalize the incident report with the necessary information to document the root-cause of a security breach or data loss incident. Learn more in our Office 365 Security Monitoring blog.
4. The Pain: Can’t Implement Zero Trust
An important security management and protection paradigm is zero trust. IT used to have a trusted network and trusted users, and an external network and untrusted users. As part of this approach, IT installed a DMZ.
With the zero trust model, the organization only allows access between IT entities that have to communicate with each other. There is no such thing as a trusted user anymore, or even a trusted server. Instead, IT secures every communications channel, because IT does not know who is listening in on the router. IT removes generic access to anything; that access has to be granted specifically. It cannot be inherited, and it has to have a purpose. This is Microsoft’s way to implement zero trust throughout an organization.
One problem is that implementing zero trust in Azure Active Directory (Azure AD) is highly complicated. “I think the Microsoft approach would probably get you there – eventually. In contrast, CoreView has a straightforward check box model that gets you to zero trust and least privilege access through our operator access and functional access control model,” explained CoreView solution architect Matt Smith. “Now contrast Microsoft’s complexity with the simple CoreView approach. Our permissions model is all check box-based. The example I typically use is mailboxes. If I want to give someone the ability to create mailboxes, I check a box. Now that person can create mailboxes. If I want to scope it, I put that person in a virtual tenant that is created in a couple of minutes just by looking at properties of Azure Active Directory. Now that person can only create mailboxes for people in the sales department, for example.”
This ties into role-based administration since those mailbox permissions are functional-based. CoreView can truly dive deep, and offer highly granular role-based permissions – even offer short-term admin roles. “If I want to give you the function as a help desk person of forwarding SMTP mail because somebody is out on long-term leave, I check some boxes. If I want to give it for just a period of time, I set off a workflow engine that says, ‘Grant this operator the ability to forward SMTP mail for a period of an hour or two. That works really well with workstation folks, who have to roll out OneDrive to workstations; you want to give these folks the ability to change the password on a desktop, but just for the next hour and a half or so while they are rolling OneDrive,” Smith said.
This is far simpler than the Microsoft role-based administration model. In Azure Active Directory, Microsoft has defined many roles. One is Application Administrator, which includes 71 different attributes an Application Administrator gets permission to do something with – to read or write or change. “Nobody, not even folks at Microsoft, knows precisely what all of these attributes exactly mean and what this functionally gives the ability to do. How can an IT admin look the chief security officer (CSO) in the eye and say, ‘I gave them Application Administrator rights, and know precisely what he’s now able to do?’ They cannot. Moreover, Microsoft does not define what those rights are,” Smith argued.
In the CoreView model, if IT checks the box so a person can create mailboxes, that person can create mailboxes – but cannot do anything else. They cannot change somebody’s password, or look up what they are doing in Skype or in Teams. “This is a critical security area. Nobody has truly deployed least privilege access within the Microsoft Office 365 ecosystem – unless they use CoreView,” Smith said.
These concerns are too often overlooked – much to the detriment of O365 tenant security. “It’s a hard conversation to walk into the CSO’s office and say ‘You’ve been running at significant risk from a least privilege access standpoint since you implemented Office 365, which might’ve been several years ago. You’re not following best practices, and you don’t know what people are able to do in the platform.’ That is a tough conversation to have, and it has to be very delicate as well,” Smith argued.
5. No Real-time Monitoring and Alerts for Security and Compliance Issues
Malware often gets through anti-virus/anti-malware defenses, especially zero day attacks. “CoreView addresses those issues by providing auditing tools for cloud operations. Any anti-virus software in the world can show there is malware on a particular device. CoreView shows you every single file accessed, and every single action taken by an administrator or a user since they had a security event on one of their devices. That is how we prevent malware like ransomware from going on, and on, and on, and on – spreading throughout the organization. We proactively see and report on what was touched and then do a deeper dive analysis on those actions,” Smith said. No anti-virus or end point protection tools do this.
By speeding up security audits and performing more efficient forensic analysis, IT quickly closes any security issues when they are identified. And these issues are out there. The KnockKnock and ShurL0ckr attacks that focus on Office 365 have been active since May 2017 – and are still running – along with other O365-specific malware exploits. Finding the audit trail to identify these types of attacks is extremely difficult, and requires assistance from specialized tools that have powerful security auditing and analysis capabilities – like those offered by CoreView.
6. The Pain: No Way of Tracking and Blocking Spread of Malware
When it comes to alerts, IT either has so many it can’t see the ones that really matter, or too few, with little to no visibility into critical issues. The answer is enabling real-time monitoring and alerts for potential security compliance issues in the Office 365 environment.
One CoreView customer used to spend 10 to 50 hours every month writing and running custom PowerShell scripts to decipher the millions of log entries and search for security problems. Now they leverage CoreView to provide automated alerts for security issues on an almost real-time basis. Whenever a known issue is reported within any of the different Office 365 event logs, the CoreView monitoring agent creates an alert and notifies the specific IT admins to take action. Common examples of this type of security compliance monitoring and alerting include the following:
Once alerted with the appropriate information about the security issue, the IT admins can take immediate action to rectify the situation and close the security concern. Another customer said they now have hundreds of these CoreView security compliance alerts configured within their environment to empower them with the real-time knowledge of noncompliance activities so they can be remediated quickly.
7. Pain Point: Falling Prey to Ransomware
CoreView vs Ransomware: Helping Texas Take a Stand
In late August 2019, a massive and coordinated ransomware attack crippled computers and locked data in 22 small Texas towns, bringing local government agencies to their knees.
Hoping to prevent a repeat of the ransomware debacle, the Texas Department of Information Resources (DIR) sent out a bulletin to State and Local Government Entities across Texas. The directives offered step-by-step actions to prevent further spread of the existing attack, and create more ransomware-resistant Texas agency systems.
We read the DIR bulletin and closely analyzed its directives: CoreView’s SaaS Management Platform (SMP) for Office 365 can help Texas government entities effectively and efficiently implement these DIR directives.
1. DIR recommendation: Keep software patches and anti-virus tools up to date.
To insure an update and safe environment, run CoreView CoreAdmin Reports to validate workstation and especially mobile device reports for appropriate versions of up-to-date software. You can also view Mobile Device Management (MDM), Multi-Factor Authentication (MFA), and other policy applications.
2. DIR recommendation: Create strong unique passwords that are changed regularly.
Run CoreAdmin Reports to identify accounts that do not have password expiration set – especially service accounts – and apply changes in bulk using CoreAdmin delegated admin facilities.
3. DIR recommendation: Enable Multi-Factor Authentication, especially for remote logins.
Use CoreSecurity Audit Sign-In Reports to identify not only remote login attempts, but also discover targeted accounts, MFA status, failure reasons, and get the remediate MFA status directly from the CoreView reports.
If any devices are flagged as infected, either from CoreSecurity or from other platforms, run a CoreSecurity fileaccess and fileaccessextended report for the device owners. For known affected organizations or departments, run the report for all users. You can also contact CoreView Support and get a proactive CoreView Office 365 Health Check.
4. DIR recommendation: Modernize legacy systems and ensure software is as current as possible.
CoreView can validate your workstations and insure software is up to date, AND you can run CoreSecurity Azure AD Reports to document 3rdparty applications granted and utilizing access to Azure AD.
5. DIR recommendation: Limit the granting of administrative access.
Enabling CoreSuite activates auditing for all Office 365 workloads, and surfaces all of the Microsoft E5 security tools, even if there is only one E5 license enabled.
Giving global admin rights to too many people is one of the worst things you can do to your network security. Instead, leverage CoreAdmin’s functional least-privilege access and Role-Based Access Control (RBAC) functions to quickly create a least-privilege access model that restricts admin rights to only what is actually needed.
CoreView also stores an external, immutable log of every administrative action for the life of the platform. Every agency should be able to produce this type of information. At the same time, ensuring auditing is enabled across all workloads is also crucial as it lets you perform forensic analysis and see in detail how the ransomware spread. You should store, access and audit logs in a separate and immutable location and define how long you want these logs retained by enabling CoreSecurity.
With CoreView, you can ensure your Microsoft environment is correctly configured, and meet guidelines such as those that are part of these Texas DIR requirements. All this greatly increases your chances of blocking or at least surviving ransomware.
CoreView Bonus: Taking Full Advantage of an E5 License
CoreView can do amazing things with even one Office 365 E5 license. Enabling CoreSuite activates auditing for all Office 365 workloads, and surfaces all of the Microsoft E5 security tools, even if there is only one E5 license enabled. “As long as there is one E5 or Azure ADP2 in the tenant, we surface all of the security data for the entire tenant. Therefore, it is not necessary to have an E5 license for everyone,” Smith explained. “E5 is a very valuable SKU, but you can take advantage of the security controls without all users being equipped with that high-end license. Microsoft turns on E5 security controls at a tenant level – meaning you can take advantage of things like the malware reports across all O365 end users.”
CoreView brings to the forefront all of the security data that is available in E5 so that customers can take actions on it.
Another item is granting short-term admin access. “CoreView has a workflow engine that can apply administrative access on the fly, which is similar to a Microsoft E5 feature. However, we can do it for any account,” Smith said.
8. The Pain: Not Taking Care of Compliance
Compliance is a big security and economic issue. There are almost daily incidents of fines occurring due to GDPR and other issues, and IT is not usually able to respond quickly.
If you are not aligned with what your top peers are saying and doing, it is a sign of security weakness. How does a shop know how well it handles security? Looking at peers shows you have at least done your due diligence. If we have not approached best practices, if we cannot measure ourselves with how others are doing in the industry, then we are likely at a severe deficit. That is a career-limiting move.
The way that CoreView surfaces this information is through our enhanced version of Secure Score, which shows exactly how Office 365 shops are doing against their peers, measuring items such as doing proper configuration management, and applying least privileged access.
Many compliance regulations ask shops to collect data logs for a specified period of time. However, Microsoft gives you only the last 30 days of data logs (now moving to a full year), but just for E5 licenses. So how do you manage this regulatory requirement?
9. The Pain: Dealing with GDPR and the Right to Be Forgotten
There is much involved in being compliant with GDPR that many IT pros do not always think about. A critical flaw in GDPR, in fact one of the foundations of GDPR, is the right to be forgotten. “How can I forget you, if I do not know precisely who you are and what you did while you were here?” asked CoreView’s Smith. “I cannot forget those things unless I have a record of what you did.”
Fortunately, with CoreView, not only do you know who ‘Joe User’ is, but in the CoreView system, that user has a unique serial number that is stored and used as an account ID. If that ‘Joe User’ leaves and a new user with the same name starts later, IT will know which ‘Joe User’ performed a particular action or was the owner of this particular file. That is because all the actions of both Joe Users are tracked and audited. Without CoreView, all that information goes away as soon as IT deleted Joe User and is not stored externally in an audit log, the way CoreView does.
“You cannot be GDPR compliant unless you capture and store that kind of information. How do I apply compliance regulations that say I have to be able to notify people when there is a breach – and at the same time, be able to forget somebody when they file their right to be forgotten?” Smith asked.
That is a deep pain point that requires a deep solution. Fortunately, CoreView tracks and stores all this information for admins and end users. On the admin side, for instance, CoreView can produce a report in seconds of every single administrative action an IT staffer has taken on the Office 365 platform since they started. End users are tracked in a similar way. “Why can’t I do that in Office 365 Admin Center? A bank teller can tell you every single check they have cashed, exactly how much money came in for deposits, and how much money went out. Banks keep those logs for seven years due to banking regulations. However, Office 365 shops using the native Admin Center cannot tell today exactly what administrators did in the platform – and yet CoreView can,” Smith explained.
How CoreView Protects Your Environment, and More
Get Started with CoreView – for Free Our new CoreDiscovery solution will help admins understand, manage, secure, and drive application adoption for their O365 tenant. Learn more on the CoreDiscovery product page: https://www.coreview.com/ corediscovery/.
Get your free software at the CoreDiscovery sign up page: https://www.coreview.com/core-discovery-sign-up/.
Want to learn how CoreView prevents overspending on licenses, underusing applications, or mismanaging security and configurations? Our free CoreView Office 365 Health Check diagnoses all your Office 365 problems. Sign up for an Office 365 Health Check and we will build a detailed 20-page report to cure all your Office 365 ills.
Not ready for a full custom report? You can still take a look at a Health Check sample report.
Want to see firsthand how CoreView solves Office 365 problems and tightens security, just request a demo.