More and more organizations are moving their email services to Microsoft Office 365 (O365). When moving services to the cloud, organizations should be conscious of the vulnerabilities and risk involved during the transition. The Cybersecurity and Infrastructure Security Agency (CISA) has been investigating the move into O365 by several organizations and found that many of them overlooked their security posture during configuration, leading to compromises.
Many of the vulnerabilities arise during the transitional phase because many of the necessary controls are left disabled. Note that before January 2019 many of these configurations were disabled by default in O365, so any organization that set up O365 before January 2019 has to enable these functions on its own.
These key security checks that are often left disabled include mailbox auditing, unified audit log, and multi-factor authentication (MFA) for admin accounts.
Mailbox auditing is important because it keeps logs of all events occurring in the user's mailbox. Unified audit logging keeps track of all events across O365 services such as SharePoint Online, OneDrive, Microsoft Teams, Power BI, and Exchange Online. Logging is crucial because, in the event of an incident, you can go back and track when and where the incident occurred. Further, turning on MFA for administrators is crucial because it narrows the window for potential attacks. Administrators in O365 have the highest privileges, and if their credentials are exposed, malicious actors can gain access and maintain persistence in O365.
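The three controls above can be verified from PowerShell. The script below is an added example written for this article, not CISA's or LIFARS's own tooling; it assumes the ExchangeOnlineManagement and MSOnline modules are installed and that the signed-in account has rights to read mailbox, audit-log and directory-role configuration. By default it only reports; the `-Remediate` switch is a hypothetical flag defined here to turn on mailbox auditing and unified audit log ingestion.

```powershell
# Added example: report (and optionally enable) the three controls the article
# names as commonly left disabled. Assumes ExchangeOnlineManagement and MSOnline
# modules are installed and the account has the permissions described above.
param(
    [switch]$Remediate   # read-only unless this hypothetical switch is passed
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MsolService

# 1. Mailbox auditing: find every mailbox whose own audit setting is still off.
$unaudited = Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled }
Write-Host ("Mailboxes with auditing disabled: {0}" -f @($unaudited).Count)
if ($Remediate -and $unaudited) {
    $unaudited | Set-Mailbox -AuditEnabled $true
}

# 2. Unified audit log: confirm tenant-wide ingestion is enabled.
$ual = Get-AdminAuditLogConfig
if (-not $ual.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF"
    if ($Remediate) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }
} else {
    Write-Host "Unified audit log ingestion is ON"
}

# 3. MFA for admins: enumerate Global Administrator members and report whether
#    each user has a per-user MFA requirement or at least a registered method.
#    MFA enforced through Conditional Access does not appear here; review those
#    policies separately.
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$admins    = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
             Where-Object { $_.RoleMemberType -eq 'User' }

foreach ($member in $admins) {
    $user  = Get-MsolUser -UserPrincipalName $member.EmailAddress
    $state = if ($user.StrongAuthenticationRequirements.State) {
        $user.StrongAuthenticationRequirements.State          # Enabled / Enforced
    } elseif ($user.StrongAuthenticationMethods.Count -gt 0) {
        "Registered (no per-user requirement)"
    } else {
        "NONE"
    }
    [pscustomobject]@{ Admin = $member.EmailAddress; MfaState = $state }
}
```

The script deliberately stops at reporting for MFA: how MFA is enforced (per-user settings, security defaults or Conditional Access) is a policy decision, so the output is meant to feed a review of the admin accounts rather than to change them.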
To protect and secure your O365 environment, Microsoft recommends following a three-phase process. The first phase covers the first 30 days of setup. During this time, the IT team should enable basic admin protections, logging, and identity protections. O365 should also be connected to Microsoft Cloud App Security so that monitoring of the cloud can begin. Note that it takes seven days to develop a baseline for anomaly detection.
During the next 90 days, advanced protections that require extra preparation and planning should be implemented. During this time, protections for admin accounts should be put in place. This means configuring Privileged Access Workstations (PAWs) and Azure AD Privileged Identity Management (PIM) for admins. PAWs are hardened workstations capable of handling sensitive business functions, and PIM assists in managing access rights. Further, a security information and event management (SIEM) tool should be configured to begin collecting logs from all services, including Cloud App Security. For security management, you should begin monitoring all activity in Cloud App Security, the Microsoft 365 security center, and the SIEM tools. Additionally, begin preparing and consulting with your compliance manager to ensure that all applicable regulations, such as GDPR, are complied with.
During the third phase, Beyond, you should begin refining your policies regarding information protection and operational processes. You should also begin to monitor your O365 tenant for insider threats using Azure AD Identity Protection. Further, make sure all software updates are applied promptly. All future planning and actions can be prioritized according to the recommendations from Secure Score in the Office 365 Security and Compliance Center: https://securescore.office.com.
Contact LIFARS for security advisory services