Security Monitoring and Risk Analysis for Office 365 - A maintainable Journey


Understanding the NIST Security Journey

The NIST framework tells us that security is not a singular fix but a chorus of proactive and reactive measures. It also teaches us that security is a continuous journey.

There are three main measures: Protect, Detect and Respond. First, we protect (secure) our environments, but we must always assume that our protection is imperfect, so second, we must monitor for and detect breaches regardless of how robust that protection is. Third, we must assume that some breaches will get through, so we must be able to respond and recover quickly and comprehensively.

Once we have addressed these three measures (Protect, Detect, Respond), we must recognize that our security journey is continuous.

We must continue to check and maintain our security posture in the presence of changing organizational needs, employees, and business goals. Remember that security must always be in balance with the fluidity of our organizations.

In this article, we shall apply these concepts of measures and continuous journeys to some real-world examples. Here we choose Office 365 as, for many organizations, it exposes the dominant risk surface. In each case, we will ask the questions:

  1. How do we protect?
  2. How do we detect incidents?
  3. How do we respond?
  4. How do we maintain this security continuously?

User Account Security

Protect: Many IT security guides cover this in detail. Very briefly: use a robust, unique password for every account, store those passwords in a company-managed password manager, and turn on MFA for every user, or at least for your admins. After that, consider what access methods each user actually requires. For example, do they need to run PowerShell commands, and do they need Outlook on the web (OWA)? Turning both off where they are not required goes a long way toward reducing the risk in the event of a breach. Finally, if not already configured, ensure an effective outbound spam filter policy prevents malicious external forwarding from breached accounts.

Detect: Use a monitoring tool such as the Security and Compliance Center's audit log, Cloud App Security or, better still, Octiga's simple monitoring and alerting. Look for user login events from risky IP addresses or from locations in which you do not operate. Octiga's monitoring lets you configure country "allow" lists and alerts you when an IP address is associated with a high chance of fraudulent activity.

Respond: When you suspect a breached account, immediately restrict the user by resetting their password and revoking any logged-in sessions. Then check the mailbox for risky rules and remove them.

Continuous Security: Ensure your monitoring solution alerts you by email to risky events. Adopt an onboarding and leaving policy for employees. Ensure all new accounts are configured for MFA and for OWA as required.

Conversely, when employees leave, ensure that their accounts are disabled and archived. All too often, old accounts are left active, and ex-employees can hurt you. Make frequent checks for risky mailbox rules part of your process.
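The "check the mailbox for risky rules" step in Respond above, and the recurring check recommended here, can be scripted against the rule properties that Exchange Online's `Get-InboxRule` exposes. The following is an added example, not Octiga's or Microsoft's code: the internal domain list, the sample rules and the simplified recipient format (plain SMTP addresses instead of the display-name form the cmdlet returns) are all constructed for the example. It scores each rule on the usual business-email-compromise indicators (external forwarding, deletion, hiding mail in rarely read folders, blank names, sensitive subject words) and emits the `Remove-InboxRule` lines an admin can review before running.

```python
"""Risk check over exported inbox rules (the properties Get-InboxRule returns).

Added example: INTERNAL_DOMAINS and SAMPLE_RULES are constructed; recipient
lists are simplified to plain SMTP addresses.
"""
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Folders a user rarely looks at, so a rule that files mail there hides it.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Junk Email", "Deleted Items",
                  "Conversation History", "Archive"}

# Subject words that attacker-created rules commonly key on.
SENSITIVE_WORDS = {"invoice", "payment", "bank", "password", "wire", "urgent"}

# Constructed sample rules, one per mailbox.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Team updates", "Enabled": True,
     "ForwardTo": ["team-lead@example.com"], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": None,
     "SubjectContainsWords": ["standup"]},
    {"Mailbox": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["archive.mail@example.invalid"], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MarkAsRead": True, "MoveToFolder": "RSS Feeds",
     "SubjectContainsWords": ["invoice", "payment"]},
    {"Mailbox": "carol@example.com", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MarkAsRead": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    {"Mailbox": "dave@example.com", "Name": "Home copy", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": ["dave.home@example.net"], "RedirectTo": [],
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": None,
     "SubjectContainsWords": []},
]


def external_recipients(rule):
    """Every forward/redirect target whose domain is not one of ours."""
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def assess_rule(rule):
    """Return (severity, findings); severity is 'none', 'low', 'medium' or 'high'."""
    findings = []
    external = external_recipients(rule)
    folder = rule.get("MoveToFolder")
    if external:
        findings.append("forwards mail outside the organisation: " + ", ".join(external))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    if folder in HIDING_FOLDERS:
        findings.append(f"files matching messages in '{folder}'")
    if rule.get("MarkAsRead") and (external or folder in HIDING_FOLDERS):
        findings.append("marks messages read so the owner sees no unread count")
    if len(rule.get("Name", "").strip()) <= 2:
        findings.append("near-empty rule name")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])} & SENSITIVE_WORDS
    if words:
        findings.append("matches sensitive subjects: " + ", ".join(sorted(words)))
    if not findings:
        return "none", findings
    severity = "high" if external or rule.get("DeleteMessage") else "medium"
    if not rule.get("Enabled", True):
        severity = "low"  # inert today, but still worth removing
    return severity, findings


def risky_rules(rules):
    """(mailbox, rule name, severity, findings) for every rule that is not clean."""
    out = []
    for rule in rules:
        severity, findings = assess_rule(rule)
        if severity != "none":
            out.append((rule["Mailbox"], rule["Name"], severity, findings))
    return out


def removal_commands(rules):
    """Exchange Online PowerShell lines to review and run for the flagged rules
    (assumes rule names are unique within a mailbox, so Name works as -Identity)."""
    return [f'Remove-InboxRule -Mailbox "{mbx}" -Identity "{name}" -Confirm:$false'
            for mbx, name, _severity, _findings in risky_rules(rules)]


if __name__ == "__main__":
    for mbx, name, severity, findings in risky_rules(SAMPLE_RULES):
        print(f"[{severity}] {mbx} rule '{name}': " + "; ".join(findings))
    print("\n".join(removal_commands(SAMPLE_RULES)))
```

Feeding the script a real export is a matter of running `Get-InboxRule` per mailbox and serialising the same properties to JSON; the disabled-but-external rule is deliberately kept at "low" rather than ignored, because a rule an attacker created and later disabled is still evidence of a breach.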

Phishing and Malware Threats

Protect: Consider a mail endpoint protection solution. Microsoft's is called Defender (formerly ATP). Third-party alternatives such as Mimecast are also a good bet. They prevent phishing and malware from hurting you. Train your staff on malware and phishing attacks. Also consider device endpoint protection such as Defender for Endpoint.

Detect: If using Microsoft ATP, check for ATP events in your monitoring solution. There is one for suspicious mail items (TIMailData), and another that is triggered when a suspicious or unsafe link in an email is clicked (TIUrlClickData). Configure alerts on both.
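The two Detect steps so far (login events from risky IP addresses or from countries outside an "allow" list, and alerts on TIMailData and TIUrlClickData records) can both be expressed as rules over Unified Audit Log records. The block below is an added example, not Octiga's product logic or Microsoft code: the audit records are constructed in the JSON-lines shape of the log's AuditData field with only the fields the rules need, the GeoIP table is a stand-in for a real lookup, the allowed countries are an assumed two-country business, and the risky-IP set stands in for a fraud-likelihood feed. Addresses come from the documentation ranges.

```python
"""Alert rules over Office 365 Unified Audit Log records.

Added example: the records, the GeoIP lookup, the country allow list and the
risky-IP list are constructed stand-ins, not data from any tenant.
"""
import json
from dataclasses import dataclass

# Countries the organisation operates from (assumption for this example).
ALLOWED_COUNTRIES = {"IE", "GB"}

# Stand-in for a GeoIP database; in production resolve ClientIP through a real one.
GEOIP = {
    "203.0.113.10": "IE",
    "198.51.100.7": "GB",
    "192.0.2.55": "NG",
    "192.0.2.99": "RU",
}

# Stand-in for a "high chance of fraudulent activity" feed.
RISKY_IPS = {"192.0.2.99"}

# Constructed export: one AuditData-style JSON object per line.
SAMPLE_EXPORT = """\
{"CreationTime": "2023-05-02T08:01:12", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2023-05-02T08:05:40", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "192.0.2.55", "ResultStatus": "Succeeded"}
{"CreationTime": "2023-05-02T08:06:02", "Operation": "UserLoggedIn", "UserId": "carol@example.com", "ClientIP": "192.0.2.99", "ResultStatus": "Failed"}
{"CreationTime": "2023-05-02T09:15:00", "Operation": "TIMailData", "UserId": "alice@example.com", "ClientIP": ""}
{"CreationTime": "2023-05-02T09:20:31", "Operation": "TIUrlClickData", "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "Url": "https://example.invalid/login"}
{"CreationTime": "2023-05-02T10:00:00", "Operation": "FileDownloaded", "UserId": "alice@example.com", "ClientIP": "198.51.100.7"}
"""


@dataclass(frozen=True)
class Alert:
    severity: str  # "medium", "high" or "critical"
    rule: str
    user: str
    detail: str
    when: str


def load_records(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def country_for(ip):
    """Map an address to a country code; unknown addresses resolve to '??',
    which is deliberately outside the allow list."""
    return GEOIP.get(ip, "??")


def evaluate(record):
    """Return the alerts one record raises (an empty list for benign records)."""
    op = record.get("Operation", "")
    user = record.get("UserId", "")
    ip = record.get("ClientIP", "")
    when = record.get("CreationTime", "")
    alerts = []
    if op == "UserLoggedIn":
        # Failed logins count too: a failure from a risky address is an attempt
        # worth knowing about, a success from one is a breach.
        country = country_for(ip)
        if country not in ALLOWED_COUNTRIES:
            alerts.append(Alert("high", "login-outside-allow-list", user, f"{ip} ({country})", when))
        if ip in RISKY_IPS:
            alerts.append(Alert("critical", "login-from-risky-ip", user, ip, when))
    elif op == "TIMailData":
        alerts.append(Alert("medium", "suspicious-mail-item", user, "ATP flagged a mail item", when))
    elif op == "TIUrlClickData":
        alerts.append(Alert("high", "unsafe-link-clicked", user,
                            record.get("Url", "(url not recorded)"), when))
    return alerts


def evaluate_all(records):
    return [alert for record in records for alert in evaluate(record)]


def summarize(alerts):
    """Alert count per rule, the figure a weekly review looks at first."""
    counts = {}
    for alert in alerts:
        counts[alert.rule] = counts.get(alert.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in evaluate_all(load_records(SAMPLE_EXPORT)):
        print(f"[{alert.severity:8}] {alert.when} {alert.rule:26} {alert.user}: {alert.detail}")
```

On the sample export the engine raises five alerts: two logins outside the allow list (one of which is also from the risky address), one suspicious mail item and one unsafe-link click; the download from an allowed country raises none. Routing `Alert` objects to email is the part the article delegates to the monitoring tool.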

Respond: If malware is suspected, run a deep virus scan on the affected devices. If phishing, reset the affected accounts' passwords and check for unauthorized entry using the security audit logs in the Security and Compliance Center.

Continuous Security: Again, training is vital. Your employees must have a culture of suspicion for unsolicited emails containing attachments and links. If you have Microsoft ATP plan 2, you can run attack simulations to keep them on their toes. Third-party solutions are also available.

User Access, Sharing and Data Loss

Protect: SharePoint underpins Microsoft sharing and collaboration tools such as Teams. Consider the structure of your SharePoint sites and plan who should have access to each site and folder. Privileged access groups are a fantastic way to ensure the right people get the right access easily. With external sharing, it is all too common for users to share a SharePoint location externally and thereby inadvertently expose substantial amounts of data stored at that location. This is tough to manage. Prevent it by creating "sharing" areas where users are encouraged to place externally facing content and to share from there. They will naturally not place sensitive items in these areas.

Consider conditional access policies to further prevent unusual access, access from unsafe devices and access from unsafe locations. These policies are now available on Business Premium licences, and you should make use of them. For example, if you only operate in one country and do not have a bring-your-own-device policy, these policies can help you prevent access from abroad, from unknown IP addresses and from unknown devices.

Detect: Audit who has access to shared locations using Microsoft access reviews. Check the audit logs for SharePoint page-viewed and file-downloaded events from unusual users or locations. Again, a good alerting solution, as described above, comes in handy here.

Respond: Watch leaving employees. Restrict their SharePoint access, monitor what they download and share, and remove their shared links after they have gone. If you have a data breach, you will need to check the affected SharePoint area for sensitive data and, above all, personal data. You do not want a GDPR breach on your hands.

Continuous Security: I must sound like a broken record, but employee training is key. Train them to share via links rather than file attachments; that way, you retain control. Frequently audit SharePoint structure and access privileges. It is time-consuming, but your organization has a responsibility to do so.
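The "sharing areas" idea from Protect, the "remove their shared links after they have gone" step from Respond, and the periodic audit recommended here can be combined into one policy check over an inventory of sharing links. The block below is an added example rather than Octiga's or Microsoft's tooling: the row layout is a simplification of a SharePoint sharing report (not its exact columns), and the designated sharing area, the departed-user list and the sample links are all constructed. Folder- and library-level external shares are rated high because they expose everything beneath them, which is exactly the "substantial amounts of data at the same location" problem the article describes.

```python
"""Policy check over a SharePoint sharing-link inventory.

Added example: SHARING_AREAS, DEPARTED_USERS and SAMPLE_LINKS are constructed,
and the row layout is a simplified stand-in for the site sharing report.
"""
# Locations where externally facing content is expected to live (assumption).
SHARING_AREAS = ("/sites/ExternalSharing/",)

# Former employees whose links should have been removed at off-boarding.
DEPARTED_USERS = {"carol@example.com"}

# Constructed inventory rows: one row per sharing link.
SAMPLE_LINKS = [
    {"LinkId": "L1", "Path": "/sites/ExternalSharing/Partners/proposal.docx", "Scope": "File",
     "SharedBy": "alice@example.com", "ExternalRecipients": ["partner@example.org"]},
    {"LinkId": "L2", "Path": "/sites/Finance/Shared Documents/", "Scope": "Folder",
     "SharedBy": "bob@example.com", "ExternalRecipients": ["auditor@example.org"]},
    {"LinkId": "L3", "Path": "/sites/ExternalSharing/Clients/brief.pdf", "Scope": "File",
     "SharedBy": "carol@example.com", "ExternalRecipients": ["client@example.org"]},
    {"LinkId": "L4", "Path": "/sites/HR/Shared Documents/policy.docx", "Scope": "File",
     "SharedBy": "dave@example.com", "ExternalRecipients": []},
    {"LinkId": "L5", "Path": "/sites/Marketing/Shared Documents/deck.pptx", "Scope": "File",
     "SharedBy": "erin@example.com", "ExternalRecipients": ["agency@example.org"]},
]


def in_sharing_area(path):
    """True when the path sits under one of the designated external-sharing areas."""
    return any(path.startswith(area) for area in SHARING_AREAS)


def audit_link(link, departed=DEPARTED_USERS):
    """Findings for one link as (severity, rule, detail) tuples; empty when clean."""
    findings = []
    external = link.get("ExternalRecipients", [])
    path = link["Path"]
    if external and not in_sharing_area(path):
        findings.append(("medium", "external-share-outside-sharing-area", path))
    if external and link.get("Scope") != "File":
        # A folder or library link exposes everything below it, now and in future.
        findings.append(("high", "external-share-at-container-level", f"{link['Scope']} {path}"))
    if link.get("SharedBy") in departed:
        findings.append(("high", "link-owned-by-departed-user", link["SharedBy"]))
    return findings


def audit_inventory(links, departed=DEPARTED_USERS):
    """Map link id -> findings for every link that has at least one."""
    result = {}
    for link in links:
        findings = audit_link(link, departed)
        if findings:
            result[link["LinkId"]] = findings
    return result


def links_to_revoke(links, departed=DEPARTED_USERS):
    """Ids of links to remove outright (owner has left) rather than review."""
    return sorted(
        link_id for link_id, findings in audit_inventory(links, departed).items()
        if any(rule == "link-owned-by-departed-user" for _, rule, _ in findings)
    )


if __name__ == "__main__":
    for link_id, findings in audit_inventory(SAMPLE_LINKS).items():
        for severity, rule, detail in findings:
            print(f"[{severity}] {link_id} {rule}: {detail}")
    print("revoke:", ", ".join(links_to_revoke(SAMPLE_LINKS)))
```

Run monthly against a fresh export, the same script doubles as the access audit: anything it flags that is not a true exception is either re-shared from the sharing area at file scope or removed.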


And it's a wrap! The practices mentioned above for Office 365 security monitoring and risk analysis help protect cloud assets and ensure that organizations are prepared to tackle the full threat landscape. If you are looking for hassle-free automated Continuous Protect Tooling to get your security configurations right and alert you when they diverge from this compliance, reach out to Octiga and embark upon your guided security journey today.