How to Improve Office 365 Security with Managed Detection and Response
Microsoft Office 365 is a Software as a Service (SaaS) offering that is being adopted on a mass scale by many enterprises because it has a number of business benefits. But, as a cloud application, it magnifies or introduces a number of security risks.
By choosing to use SaaS, you presumably have done your due diligence to make sure the SaaS provider has implemented proper practices to secure the underlying application and platform, responsibilities that can only be addressed by the SaaS vendor. Much of this is non-transparent and very difficult to audit. So it’s critical that the vendor has an excellent security reputation and security certifications to back it up. Microsoft certainly qualifies as such, having the resources to do SaaS security right with its Cloud App Security.
Nonetheless, the burden of monitoring Office 365 security analytics still falls largely on the customer. As a result, customers need to understand the risks that come with Office 365 enterprise deployments, what’s needed to effectively manage them, and how to leverage managed security service providers (like Masergy) in those efforts.
What are the SaaS customer’s security risks with deployments of enterprise cloud applications like Office 365?
As a SaaS offering, the major security risks that should concern enterprises are related to:
- Who is accessing my Office 365 accounts? Is it a legitimate user, an attacker with stolen credentials, a malicious insider, or a careless employee sharing credentials?
- What data and files are being accessed and offloaded? Is it legitimate usage, an employee trying to steal information before leaving the company, or an attacker trying to exfiltrate sensitive data?
- What third-party Office 365 plugins are being used that create excessive data loss risks?
- Is there any malicious content (files, links, etc.) within the Office 365 environment that should be blocked?
What’s needed to manage these cloud application security risks?
The risks above are closely related to application security and are best tackled using advanced security analytics to identify such malicious activity. The optimal place to implement application security analytics is within the application itself. For example, Microsoft’s analytics solution, Cloud App Security (formerly called Advanced Security Management), will generate an alert if the user:
- is coming through an anonymous proxy, unusual ISP (e.g., in Russia), or suspicious IP address (on threat intel list)
- sets up email forwarding (potentially to exfiltrate data)
- attempts to download more than 50 files within the first 10 minutes
- attempts to log on from two different locations almost simultaneously
- is also a new administrator and attempts other unusual activities
- is using Office 365 plugins requesting risky application permissions not needed for business purposes
It’s critical that once suspicious activity is identified, immediate action is taken by a security analyst to validate any alerts and execute a response that could include suspending any compromised accounts. 24/7 monitoring and rapid identification of compromises followed by effective incident response is needed to stop the attacker before damage can occur.
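Three of the alert conditions listed above (email forwarding, more than 50 downloads in the first 10 minutes, and logons from two locations almost simultaneously) are sketched below as detection logic. This is an added example, not Microsoft’s or Masergy’s code. Assumptions: the event field names and operation names are hypothetical, the sample events are constructed, "first 10 minutes" is read as the 10 minutes after a logon, and "almost simultaneously" is taken as 5 minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DOWNLOAD_LIMIT = 50                      # page: "more than 50 files"
DOWNLOAD_WINDOW = timedelta(minutes=10)  # page: "within the first 10 minutes"
LOGON_GAP = timedelta(minutes=5)         # assumed meaning of "almost simultaneously"

def detect(events):
    """Return sorted (user, alert) tuples for a list of event dicts."""
    alerts = set()
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        logons = [e for e in evs if e["op"] == "logon"]
        downloads = [e["time"] for e in evs if e["op"] == "download"]
        if any(e["op"] == "set_forwarding" for e in evs):
            alerts.add((user, "email_forwarding"))
        # Time-ordered neighbours suffice: any close pair of logons from
        # different locations implies an adjacent pair that also differs.
        for a, b in zip(logons, logons[1:]):
            if a["country"] != b["country"] and b["time"] - a["time"] <= LOGON_GAP:
                alerts.add((user, "simultaneous_locations"))
        # Count downloads in the window that opens at each logon.
        for lg in logons:
            end = lg["time"] + DOWNLOAD_WINDOW
            if sum(lg["time"] <= t <= end for t in downloads) > DOWNLOAD_LIMIT:
                alerts.add((user, "mass_download"))
    return sorted(alerts)

def sample_events():
    """Constructed events; not real Office 365 audit records."""
    t0 = datetime(2024, 1, 8, 9, 0)
    def ev(user, op, seconds, country="US"):
        return {"time": t0 + timedelta(seconds=seconds), "user": user,
                "op": op, "country": country}
    events = [
        ev("alice", "logon", 0), ev("alice", "logon", 120, "BR"),
        ev("alice", "set_forwarding", 180, "BR"),
        ev("bob", "logon", 0), ev("carol", "logon", 0),
    ]
    # bob: 51 downloads in 8.5 minutes (alert); carol: exactly 50 (no alert).
    events += [ev("bob", "download", 10 * i) for i in range(1, 52)]
    events += [ev("carol", "download", 10 * i) for i in range(1, 51)]
    return events

if __name__ == "__main__":
    for user, alert in detect(sample_events()):
        print(user, alert)
```

The thresholds are the part worth tuning per tenant: carol’s 50 downloads sit exactly at the limit and raise nothing, which is the boundary an analyst should know about when validating alerts.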
How does Masergy enable 24/7 detection and response and improve Office 365 security?
Masergy’s Managed Detection and Response platform, Unified Enterprise Security (UES), is designed to readily integrate with any third-party tools aligned with our comprehensive detection and response mission. Microsoft’s Office 365 Cloud App Security is just such a tool, and its alerts are readily ingested into the UES platform via Microsoft’s SIEM connector. This occurs in real time, 24/7, so that all alerts are immediately triaged by Masergy’s certified and tenured SOC analysts.
The UES incident response platform provides additional contextual data, including cross-correlation of any credentials used within other parts of the organization. More contextual data means faster and more effective response by the Masergy analyst, which can include suspending the Office 365 account if a threat is evident.
What is the cost of Masergy Security Monitoring for Office 365?
The new service is bundled with the UES baseline managed security service, so there is no additional charge. This resonates with our cost-sensitive mid-sized enterprise customer base as they look for turnkey, cost-effective managed detection and response (MDR) solutions that also cover Office 365.
How do I enable detection and response for other SaaS applications, other than Office 365?
There are countless SaaS offerings hitting the marketplace today, so scalability quickly becomes challenging. Furthermore, the large majority of SaaS applications simply don’t deliver integrated security analytics that tackles the most common security risks. Hence, a more comprehensive and scalable approach such as Cloud Access Service Brokers (CASB) is needed. CASBs are designed to work with any and all SaaS applications by delivering add-on security capabilities and analytics that are mandatory to enable detection and response.
Learn more about how to improve Office 365 security with Masergy’s Security Monitoring for Office 365 service, and stay tuned for Masergy’s upcoming CASB announcement.