Many novice Microsoft 365 shops do not know where M365-specific security vulnerabilities lie, or even that they exist. These threats do not cause pain until they rise up and bite – then the agony is fierce.
More experienced organizations know threats exist, but not exactly where they are or how to address them. The results can be a disaster. A survey of 27 million users across 600 enterprises found that 71.4% of Microsoft 365 business users suffer at least one compromised account each month.
Virtually all organizations have some basic forms of security protection, such as anti-virus and firewalls – but nothing for Microsoft 365-specific security issues. The basic tools they have make them feel safe. Meanwhile, larger shops likely have defense-in-depth for general security, plus compliance and regulatory controls and solutions – but again, nothing for Office 365-specific security and compliance concerns.
This is a thorn in the side of Microsoft 365 IT pros. Osterman Research surveyed Microsoft 365 IT managers and found these pain points and areas of administrative weakness:
While Microsoft 365 does come with some security features and configuration options – and all O365 shops should take advantage of them – native and built-in tools do not address many of the vulnerabilities and issues Osterman raised.
The good news is that CoreView solutions handle all of Osterman's concerns – and more. CoreView manages well over 7 million Microsoft 365 endpoints, and knows exactly where the pain and problems lie, how to neutralize threats, and how to achieve compliance.
Here are twenty-six Microsoft 365 Security Pain Points – and how to relieve the discomfort.
With native Microsoft 365 security, intercepting the sharing of sensitive and confidential files is hard to operationalize. IT can create alerts on a per-file or per-user basis and notify IT or a group of users – but this approach is ineffective at scale. IT already receives thousands of alerts per day, and these new alerts are just extra noise in an already loud world.
In a CoreView world, when a user from the sales department, for instance, shares a file with an external user (CoreView's enriched audit log identifies users by location or department), a workflow starts. It notifies the user sharing the file, that user's manager, and the external user that the activity has been logged and that any subsequent activity on the file will be audited. IT is not even involved: responsibility is shared among all the actors, and security is increased.
OneDrive being shared with external users is a particular pain point and security threat, and is something CoreView easily addresses.
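The detection half of that workflow, as an added example that is not CoreView code and not part of the original page: it reads unified audit log sharing events, decides which ones grant access outside the tenant (guest recipients, foreign domains, or anonymous links), and works out who should be notified. The audit records are constructed to mirror the shape of SharePoint/OneDrive sharing events (Operation, UserId, TargetUserOrGroupName, TargetUserOrGroupType, ObjectId); DIRECTORY is a hypothetical stand-in for department/manager enrichment, and contoso.com is the assumed internal domain.

```python
"""Added example, not CoreView code: flag external file sharing in Microsoft 365
unified audit log records and decide who to notify (the sharer, the sharer's
manager, and the external recipient).

The audit records are constructed to mirror the shape of SharePoint/OneDrive
sharing events. DIRECTORY is a hypothetical stand-in for department/manager
enrichment; contoso.com is the assumed internal domain."""
from collections import defaultdict

# Sharing operations as they appear in the unified audit log.
SHARING_OPERATIONS = {
    "SharingSet", "SharingInvitationCreated", "AddedToSecureLink",
    "SecureLinkCreated", "AnonymousLinkCreated",
}
INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the tenant's own domains

# Constructed sample records (fields abbreviated).
AUDIT_RECORDS = [
    {"Operation": "SharingSet", "UserId": "alice@contoso.com",
     "TargetUserOrGroupName": "bob@contoso.com", "TargetUserOrGroupType": "Member",
     "ObjectId": "https://contoso.sharepoint.com/sites/sales/Q3-pipeline.xlsx"},
    {"Operation": "SharingSet", "UserId": "alice@contoso.com",
     "TargetUserOrGroupName": "partner@fabrikam.com", "TargetUserOrGroupType": "Guest",
     "ObjectId": "https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/pricing.docx"},
    {"Operation": "AnonymousLinkCreated", "UserId": "carol@contoso.com",
     "TargetUserOrGroupName": "", "TargetUserOrGroupType": "",
     "ObjectId": "https://contoso.sharepoint.com/sites/research/ip-roadmap.pptx"},
    {"Operation": "FileAccessed", "UserId": "dave@contoso.com",
     "TargetUserOrGroupName": "", "TargetUserOrGroupType": "",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/handbook.pdf"},
]

# Hypothetical directory enrichment: department and manager per user.
DIRECTORY = {
    "alice@contoso.com": {"department": "Sales", "manager": "sales-lead@contoso.com"},
    "carol@contoso.com": {"department": "Research", "manager": "research-lead@contoso.com"},
    "dave@contoso.com": {"department": "HR", "manager": "hr-lead@contoso.com"},
}


def is_external_share(rec):
    """True when a sharing operation grants access outside the tenant."""
    if rec["Operation"] not in SHARING_OPERATIONS:
        return False
    if rec["Operation"] == "AnonymousLinkCreated":
        return True                      # "anyone with the link" is external by definition
    if rec["TargetUserOrGroupType"] == "Guest":
        return True                      # guest (B2B) recipient
    target = rec["TargetUserOrGroupName"]
    return "@" in target and target.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def build_notifications(records, directory):
    """One notification per external share: who shared what, and who gets told."""
    notifications = []
    for rec in records:
        if not is_external_share(rec):
            continue
        sharer = rec["UserId"]
        info = directory.get(sharer, {})
        notify = [sharer]
        if info.get("manager"):
            notify.append(info["manager"])
        if rec["TargetUserOrGroupType"] == "Guest" and rec["TargetUserOrGroupName"]:
            notify.append(rec["TargetUserOrGroupName"])   # tell the external party it is logged
        notifications.append({
            "sharer": sharer,
            "department": info.get("department", "unknown"),
            "operation": rec["Operation"],
            "object": rec["ObjectId"],
            "onedrive": "-my.sharepoint.com/personal/" in rec["ObjectId"],
            "notify": notify,
        })
    return notifications


def shares_by_department(notifications):
    """Roll external shares up by department for the daily touchpoint."""
    counts = defaultdict(int)
    for n in notifications:
        counts[n["department"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = build_notifications(AUDIT_RECORDS, DIRECTORY)
    for n in found:
        print(n["operation"], n["sharer"], "->", n["object"], "notify:", ", ".join(n["notify"]))
    print(shares_by_department(found))
```

The "onedrive" flag is what lets the OneDrive case below be reported separately from team-site sharing; an anonymous link has no recipient to notify, so only the sharer and manager are told.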
Companies that develop products, conduct research, or have leading-edge business practices rely on critical intellectual property. Your competition, a good many hackers, and even foreign entities would love to steal this hard-won information.
CoreView helps block IP theft, and if it does occur, helps IT work out what happened by supporting forensics on the incident.
IP theft events occur for two main reasons – either an external threat or an internal threat. To CoreView, external and internal threats are the same. The solution logs internal threats the same way it does external threats – and treats them with the same level of security.
When it comes to IP theft prevention, one CoreView report is particularly critical – failed sign-ins. CoreView builds a map that displays where sign-ins are coming from across the globe. A customer may have people in North America and EMEA, but nobody in Southeast Asia – so sign-ins from that region are clearly suspicious and need to be flagged. CoreView also has long-term maps – such as showing 90 days' worth of failed sign-in data. “Security professionals tell me they know people are trying to sign in from China, Indonesia, India, and so forth,” said Matt Smith, solution architect for CoreView. “They are telling the truth – they do. Where we are different is that CoreView shows precisely what accounts they are targeting from the application perspective, not just the network perspective. CoreView, thanks to its unique enrichment capability, shows what users, departments, or even privileged accounts hackers are targeting; in addition, what measures have been put in place, such as whether they have multi-factor authentication or not, as well as the conditional access policies that were used to try to block them from gaining access; and, at the end of the day, what was the actual sign-in failure reason?”
With CoreView, IT can block these attacks by only allowing sign-ins from approved locations. If a user account is attacked this way, CoreView will know it and IT can investigate. Moreover, a CoreView-equipped Microsoft 365 administrator can reach out to the targeted user, perform a workstation refresh, and find out what other devices they are using and what licenses they have on those devices, among other items.
These insights and reports are schedulable. “What we are trying to do from a security standpoint is operationalize these reports and create daily, weekly, monthly, and quarterly touchpoints. The daily touchpoints are items we surface through the CoreView management console. Items like devices with malware. IT can get a daily report showing if a device shows up with malware. You can then run an additional report that shows the files that users accessed since malware was detected on their account,” Smith explained.
For full IP protection, IT needs reports showing who was provisioned incorrectly so it can perform proper configuration management, which mobile devices did not have an MDM policy applied, and which members of a department's executive team did not get litigation hold enabled. “That is how we apply both the forensic capability and the blocking capability to our data repository to give you insights into exactly what is going on, and reduce the number of signals so they are actually consumable by M365 administrators,” Smith said. “Plus, if CoreView finds a sign-in from an infected device in our report, you can link that to an audit report that shows that particular user and everything that they have accessed since that malware was detected.”
Data leakage is similar, and in some ways overlaps with IP theft – but instead of the data stolen by an external entity, it is leaked by an insider – either for nefarious reasons or through accident, neglect, poor configuration or lack of security oversight. For instance, a fired employee may post confidential or even damaging data online.
This is a particularly critical issue for Microsoft 365, as a study shows that 58.4% of sensitive data held in the cloud is stored in Office documents. Another issue is when mistakes are made by admins. “There has been a notable increase in errors caused by system administrators publishing sensitive data in public cloud spaces open to everyone,” found the Verizon 2019 Data Breach Investigations Report.
Users who normally have access to data as part of their jobs, such as client account spreadsheets, do not trigger DLP rules when they access it. Fortunately, CoreView records this access for review at critical events such as legal requests and HR events such as separation.
CoreView knows where sensitive data rests, who has access, and what they do with it. “The first thing I show about security is the landing page in the CoreView dashboard, and explain how we collect security-related data. The real power of the platform is not that we have pretty charts and graphs, it is the security data we collect in a unique way that nobody else can do,” Smith said. “We connect to Microsoft 365 via every available API. There is a Graph API, most IT professionals working with Microsoft 365 know about that. We also take the audit log push from Microsoft and that allows us to gather and analyze the same data as Splunk and the new Microsoft Azure Sentinel.”
CoreView dives into every one of the application APIs: Exchange has Exchange Web Services, for example; Skype has activity logs; and SharePoint and Microsoft Teams each have their own APIs. Finally, CoreView gets data from Azure Active Directory (Azure AD). All this data is stored externally in a Microsoft Azure subscription. “The data never leaves the Microsoft platform. You are not pulling it across the internet, not pulling it down to the desktop, not sending it over to Amazon Web Services. It all stays within Azure. Because Microsoft 365 runs on Azure, and CoreView runs on Azure, it stays in the Microsoft data centers.
“You can store that data for as long as you want, and enrich the data as it comes in. Since you have data from all these different sources, you can use the audit log to get a deep view. For instance, you will not just know that it was ‘Joe User’ who accessed a file in OneDrive, but understand the complete path to the file – how he accessed it, with what mobile device, and what MDM policy his mobile device had, including who ‘Joe User’ was: department, country, company as well as administrative roles in the tenant. Also, when did he do it, and from what IP address,” Smith said.
With CoreView, IT knows every single transaction that occurs within the Microsoft platform, along with the configuration information. That means IT knows when a document is created, when it is replicated to Microsoft 365, when it is accessed, and when it is changed. CoreView stores all of that information externally in an immutable (append-only, cannot be altered) database – in effect, a ledger of every single transaction in Microsoft 365, comparable in purpose to a blockchain.
Ponemon's ‘Cost of a Data Breach’ study, sponsored by IBM, explains the damage of data breaches best. What is the cost of losing a single record? They say $141. The average cost to an enterprise of a breach: $3.62 million. And it takes about 191 days on average to discover that you have had a data breach.
The best defense is stopping breaches before they happen. Finding and retaining trusted IT talent is a critical security component. “An IT study says over 50% of the data breaches are because we did not configure things correctly. That leads to the two poor IT people in the basement who have to do everything. Alternatively, we had to give out global administrative rights to 167 people and just pray they do not press the wrong button,” Smith said.
From a prevention standpoint, CoreView takes the signals that Microsoft provides and enriches them. For instance, CoreView has a global suspicious sign-in map showing not only which IP addresses attackers came from and failed, but also which accounts they went after. It also shows whether the targeted account had multi-factor authentication configured and whether conditional access policies were effective for a specific attempt. Finally, it details the end result of the sign-in attempt.
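The analysis behind the failed sign-in map described here and in the IP theft section above, as an added example that is not CoreView code and not part of the original page: it takes raw Azure AD sign-in records and answers the questions Smith lists (which accounts are targeted, from where, whether MFA was required, whether conditional access blocked the attempt, and the failure reason), and adds a password-spray check, since one source IP failing against many accounts is the pattern that the per-account view alone hides. SIGNINS is constructed to mirror the Microsoft Graph auditLogs/signIns shape (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode/failureReason, conditionalAccessStatus, authenticationRequirement); the allowed-country list and the privileged-account set are assumptions for the example.

```python
"""Added example, not CoreView code: turn Azure AD sign-in records into the
questions a failed sign-in map answers: which accounts are targeted, from where,
whether MFA and conditional access stood in the way, and why each attempt failed.

SIGNINS is constructed to mirror the Microsoft Graph auditLogs/signIns shape.
ALLOWED_COUNTRIES and PRIVILEGED_ACCOUNTS are assumptions for the example."""
from collections import Counter, defaultdict

ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE"}    # assumption: where the business has people
PRIVILEGED_ACCOUNTS = {"ga-admin@contoso.com"}  # assumption: known privileged accounts

# Constructed sign-in events. errorCode 0 = success; 50126 = invalid username or
# password; 53003 = blocked by a conditional access policy.
SIGNINS = [
    {"userPrincipalName": "alice@contoso.com", "ipAddress": "192.0.2.10",
     "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0, "failureReason": "Other."},
     "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.com", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "ID"},
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
     "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.com", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "ID"},
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
     "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "ga-admin@contoso.com", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "ID"},
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
     "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "ga-admin@contoso.com", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "CN"},
     "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access."},
     "conditionalAccessStatus": "failure", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "carol@contoso.com", "ipAddress": "192.0.2.44",
     "location": {"countryOrRegion": "DE"},
     "status": {"errorCode": 0, "failureReason": "Other."},
     "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication"},
]


def outside_allowed_locations(records, allowed=ALLOWED_COUNTRIES):
    """Attempts (successful or not) from countries where nobody should be signing in."""
    return [r for r in records if r["location"]["countryOrRegion"] not in allowed]


def targeted_accounts(records, privileged=PRIVILEGED_ACCOUNTS):
    """Per targeted account: failures, source countries, whether MFA was required,
    whether conditional access blocked anything, and the failure reasons seen."""
    summary = defaultdict(lambda: {"failures": 0, "countries": set(), "mfa_required": False,
                                   "ca_blocked": False, "reasons": Counter(), "privileged": False})
    for r in records:
        if r["status"]["errorCode"] == 0:
            continue
        upn = r["userPrincipalName"]
        s = summary[upn]
        s["failures"] += 1
        s["countries"].add(r["location"]["countryOrRegion"])
        s["mfa_required"] |= r["authenticationRequirement"] == "multiFactorAuthentication"
        s["ca_blocked"] |= r["conditionalAccessStatus"] == "failure"
        s["reasons"][r["status"]["failureReason"]] += 1
        s["privileged"] = upn in privileged
    return dict(summary)


def spray_sources(records, min_accounts=3):
    """Source IPs that failed credentials against several distinct accounts: the
    signature of a password spray rather than one user mistyping a password."""
    by_ip = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 50126:
            by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    print(len(outside_allowed_locations(SIGNINS)), "attempts from disallowed countries")
    for upn, s in targeted_accounts(SIGNINS).items():
        print(upn, dict(s, countries=sorted(s["countries"]), reasons=dict(s["reasons"])))
    print("spray sources:", spray_sources(SIGNINS))
```

Note the difference between the two ga-admin failures: the one from Indonesia was a bad password with no policy applied, while the one from China was stopped by conditional access, which is exactly the "were the controls effective" distinction the map is meant to surface.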
Let’s face it. Breaches sometimes bust through the best barriers. And most IT shops discover the incursion months or even over a year after it happened. How then do you figure out how and why it happened?
The answer is forensics that rely on long-term log data quality and retention so you can perform a proper security audit. Here you discover what happened so you can minimize ongoing damage, and by finding the source, stop it from happening again.
This point speaks directly to CoreView’s auditing capabilities. “If I do not know what is going on, then how on earth do I investigate issues? One core security pillar is ‘know thyself’,” said CoreView’s Smith. “From a Microsoft perspective, they keep application data for 30 days, and just announced that they will increase this to one year, but only for E5 licenses. How can I be effective if I cannot even tell you who signed in a year ago?” The answer is that IT should keep records on access attempts for as long as they have the O365 platform.
Once a data breach or malware infection occurs, you need to find out everything about it. That is where basic security tools fall short. “From a forensic standpoint, anti-virus will tell you that Joe’s PC had a virus on Monday. However, there is no anti-virus platform in the world that shows exactly what he touched since he got that virus,” Smith said.
CoreView, though, quickly gets to the heart of the matter. A CoreView enabled administrator can choose ‘file access’ and see all the files, the names, and the paths to the files that were accessed after the breach or malware attack. “CoreView can save off these reports as well. The next step is to track where the malware may have spread. For instance, you can see all the files people have accessed within the OneDrive platform where the malware may have landed. These people are now suspected of having malware because one particular user touched this file after he was reported as having malware. The last thing an admin can do is look at OneDrive reports and then external invitations,” Smith argued.
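The two forensic questions Smith describes (what did the infected user touch after detection, and who touched those files afterwards) as an added example that is not CoreView code and not part of the original page. It goes one step beyond the text by following the chain for a configurable number of hops, so second-order suspects are found too. EVENTS is constructed to mirror unified audit log file events (CreationTime, Operation, UserId, ObjectId); the users, paths and timestamps are invented.

```python
"""Added example, not CoreView code: given a user flagged with malware at a known
time, list the files that user touched afterwards, then the users who touched
those files later, so the spread can be scoped.

EVENTS is constructed to mirror unified audit log file events; users, paths and
timestamps are invented."""
from datetime import datetime

FILE_TOUCH_OPERATIONS = {"FileAccessed", "FileModified", "FileDownloaded",
                         "FileUploaded", "FileSyncDownloadedFull"}

# Constructed sample events (UTC, ISO 8601 without zone suffix), deliberately unordered.
EVENTS = [
    {"CreationTime": "2021-03-08T08:00:00", "Operation": "FileAccessed", "UserId": "joe@contoso.com",
     "ObjectId": "https://contoso-my.sharepoint.com/personal/joe_contoso_com/Documents/notes.docx"},
    {"CreationTime": "2021-03-08T12:00:00", "Operation": "FileAccessed", "UserId": "ben@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/ops/runbook.docx"},
    {"CreationTime": "2021-03-08T08:30:00", "Operation": "FileAccessed", "UserId": "carl@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/budget.xlsx"},
    {"CreationTime": "2021-03-08T09:10:00", "Operation": "FileModified", "UserId": "joe@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/budget.xlsx"},
    {"CreationTime": "2021-03-08T10:00:00", "Operation": "FileDownloaded", "UserId": "ann@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/budget.xlsx"},
    {"CreationTime": "2021-03-08T11:00:00", "Operation": "FileModified", "UserId": "ann@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/ops/runbook.docx"},
    {"CreationTime": "2021-03-08T12:30:00", "Operation": "PageViewed", "UserId": "ben@contoso.com",
     "ObjectId": "https://contoso.sharepoint.com/sites/ops/SitePages/Home.aspx"},
]


def _ts(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def _touches(events):
    """Sorted (time, user, file) tuples for file operations only."""
    out = [(datetime.fromisoformat(e["CreationTime"]), e["UserId"], e["ObjectId"])
           for e in events if e["Operation"] in FILE_TOUCH_OPERATIONS]
    return sorted(out)


def files_touched_after(events, user, since):
    """Files `user` touched at or after `since`: the first forensic question."""
    since = _ts(since)
    return sorted({f for t, u, f in _touches(events) if u == user and t >= since})


def trace_spread(events, patient_zero, detected_at, max_hops=2):
    """Return {user: hop} for users who touched a file after a suspected user did.

    Hop 1 = touched a file patient_zero touched after detection; hop 2 = touched a
    file a hop-1 user touched after that user's own first suspicious touch; and so on.
    A touch that happened *before* the carrier's touch does not count.
    """
    touches = _touches(events)
    suspected = {patient_zero: 0}                 # user -> hop number
    first_seen = {patient_zero: _ts(detected_at)} # when each user became suspect
    frontier = [patient_zero]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for carrier in frontier:
            carrier_files = {}                    # file -> carrier's first touch after becoming suspect
            for t, u, f in touches:
                if u == carrier and t >= first_seen[carrier] and f not in carrier_files:
                    carrier_files[f] = t
            for t, u, f in touches:
                if u in suspected or f not in carrier_files or t < carrier_files[f]:
                    continue
                suspected[u] = hop
                first_seen[u] = t
                next_frontier.append(u)
        frontier = next_frontier
        if not frontier:
            break
    suspected.pop(patient_zero)
    return suspected


if __name__ == "__main__":
    detected = "2021-03-08T09:00:00"
    print("touched after detection:", files_touched_after(EVENTS, "joe@contoso.com", detected))
    print("suspected spread:", trace_spread(EVENTS, "joe@contoso.com", detected))
```

Carl is not flagged even though he opened the same budget file, because he did so before Joe's infected touch; the time ordering is what keeps this from degenerating into "everyone who ever opened the file".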
E-mail is the most common way hackers breach your systems, so insecure mailboxes, and poor e-mail user practices are perhaps your biggest security exposure. Mailboxes are made vulnerable through insecure, weak, and never expiring passwords, as well as a lack of multi-factor authentication (MFA).
Meanwhile, monitoring employee activities such as their mailbox practices can identify risky behavior and proactively secure business-critical data. Preventing risky configurations such as auto-forwarding to external email addresses, and limiting access rights to other users' mailboxes, can stop the spread of malware and the leakage of data through email. In addition, being aware of unusual email activity helps detect the targeted spam and social engineering tactics common among today's cybersecurity threats.
Key rules applied to mailbox security relate to access rights. CoreView flags user accounts with anomalous permissions: access rights to more than five other user mailboxes, access to mailboxes in other departments, disabled accounts that can still access mailboxes, and more. These checks apply to actual user mailboxes, not to room, shared, or team mailboxes. Users who have this type of access to other users' mailboxes should be investigated to ensure the rights are being used for acceptable business purposes.
Often, mailbox security is compromised by spam and malware. CoreView can discover instances of malware sent from your organization via e-mail – and track the spread in detail.
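The access-rights rules and the external-forwarding check above, as an added example that is not CoreView code and not part of the original page. PERMISSIONS mirrors the shape of Get-EXOMailboxPermission output (Identity, User, AccessRights); MAILBOXES mirrors a few Get-Mailbox / Get-User properties (RecipientTypeDetails, Department, AccountDisabled, ForwardingSmtpAddress); INBOX_RULES mirrors Get-InboxRule (MailboxOwnerId, Name, ForwardTo, RedirectTo). All names, departments and addresses are invented, and contoso.com is the assumed internal domain.

```python
"""Added example, not CoreView code: mailbox access-rights and forwarding checks
over constructed Exchange Online data.

PERMISSIONS mirrors Get-EXOMailboxPermission output, MAILBOXES a few Get-Mailbox /
Get-User properties, INBOX_RULES Get-InboxRule. Everything here is invented;
contoso.com is the assumed internal domain."""
from collections import defaultdict

INTERNAL_DOMAINS = {"contoso.com"}
MAX_DELEGATED_MAILBOXES = 5


def _mbx(dept, kind="UserMailbox", disabled=False, fwd=None):
    return {"RecipientTypeDetails": kind, "Department": dept,
            "AccountDisabled": disabled, "ForwardingSmtpAddress": fwd}


MAILBOXES = {
    "eve@contoso.com": _mbx("IT"),
    "old-contractor@contoso.com": _mbx("IT", disabled=True),
    "frank@contoso.com": _mbx("Finance"),
    "fiona@contoso.com": _mbx("Finance"),
    "grace@contoso.com": _mbx("Engineering"),
    "helpdesk@contoso.com": _mbx("IT", kind="SharedMailbox"),
    "ceo@contoso.com": _mbx("Exec", fwd="smtp:ceo.home@gmail.example"),  # mailbox-level external forward
    "hr@contoso.com": _mbx("HR", fwd="smtp:hr-archive@contoso.com"),     # internal forward: fine
    "ivan@contoso.com": _mbx("Sales"),
    "judy@contoso.com": _mbx("Sales"),
}
for _i in range(1, 7):   # six ordinary IT user mailboxes that eve has full access to
    MAILBOXES[f"it-user{_i}@contoso.com"] = _mbx("IT")

PERMISSIONS = (
    [{"Identity": f"it-user{i}@contoso.com", "User": "eve@contoso.com", "AccessRights": ["FullAccess"]}
     for i in range(1, 7)]
    + [
        {"Identity": "helpdesk@contoso.com", "User": "eve@contoso.com", "AccessRights": ["FullAccess"]},
        {"Identity": "it-user1@contoso.com", "User": "old-contractor@contoso.com", "AccessRights": ["FullAccess"]},
        {"Identity": "grace@contoso.com", "User": "frank@contoso.com", "AccessRights": ["FullAccess"]},
        {"Identity": "frank@contoso.com", "User": "fiona@contoso.com", "AccessRights": ["FullAccess"]},
        {"Identity": "frank@contoso.com", "User": "NT AUTHORITY\\SELF", "AccessRights": ["FullAccess", "ReadPermission"]},
    ]
)

INBOX_RULES = [
    {"MailboxOwnerId": "ivan@contoso.com", "Name": "backup", "ForwardTo": ["attacker@evil.example"], "RedirectTo": None},
    {"MailboxOwnerId": "judy@contoso.com", "Name": "ooo", "ForwardTo": None, "RedirectTo": ["judy-backup@contoso.com"]},
]


def anomalous_delegates(permissions, mailboxes, max_mailboxes=MAX_DELEGATED_MAILBOXES):
    """Return {trustee: finding} for full-access rights on *user* mailboxes that need review."""
    per_trustee = defaultdict(set)
    for p in permissions:
        trustee, target = p["User"], p["Identity"]
        if "FullAccess" not in p["AccessRights"] or trustee.startswith("NT AUTHORITY") or trustee == target:
            continue
        if mailboxes.get(target, {}).get("RecipientTypeDetails") != "UserMailbox":
            continue   # room, shared and team mailboxes are meant to be delegated
        per_trustee[trustee].add(target)
    findings = {}
    for trustee, targets in per_trustee.items():
        own = mailboxes.get(trustee, {})
        cross = sorted(t for t in targets if mailboxes[t]["Department"] != own.get("Department"))
        reasons = []
        if len(targets) > max_mailboxes:
            reasons.append(f"full access to {len(targets)} user mailboxes")
        if cross:
            reasons.append("access across departments: " + ", ".join(cross))
        if own.get("AccountDisabled"):
            reasons.append("trustee account is disabled")
        if reasons:
            findings[trustee] = {"mailboxes": sorted(targets), "reasons": reasons}
    return findings


def _is_external(address):
    address = address.lower()
    if address.startswith("smtp:"):
        address = address[5:]
    return "@" in address and address.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def external_forwarding(mailboxes, inbox_rules):
    """Mailbox-level forwarding and inbox rules that send mail outside the tenant."""
    findings = []
    for mbx, props in mailboxes.items():
        fwd = props.get("ForwardingSmtpAddress")
        if fwd and _is_external(fwd):
            findings.append({"mailbox": mbx, "source": "ForwardingSmtpAddress", "target": fwd})
    for rule in inbox_rules:
        for field in ("ForwardTo", "RedirectTo"):
            for target in rule.get(field) or []:
                if _is_external(target):
                    findings.append({"mailbox": rule["MailboxOwnerId"],
                                     "source": f"InboxRule:{rule['Name']}", "target": target})
    return findings


if __name__ == "__main__":
    for trustee, f in anomalous_delegates(PERMISSIONS, MAILBOXES).items():
        print(trustee, "->", "; ".join(f["reasons"]))
    for f in external_forwarding(MAILBOXES, INBOX_RULES):
        print(f["mailbox"], f["source"], "->", f["target"])
```

Fiona's access to Frank's mailbox is not reported (same department, one mailbox, enabled account), and Eve's access to the shared helpdesk mailbox is skipped, which is the distinction the text draws between user mailboxes and room, shared or team mailboxes.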
Did you know that 80% of SaaS breaches involve privileged permissions? And that admins have the most privileges of all?
So how do you mitigate the breach risk related to your Microsoft 365 operators' rights? IT veterans may chime in with role-based access control (RBAC), a coarse form of which does exist within Microsoft 365.
However, Microsoft's native RBAC is not granular. With CoreView, you can segregate your operator responsibilities by implementing a truly granular RBAC – but first, ask yourself:
With Microsoft 365, administrative rights are close to an all-or-nothing affair. Under the native centralized admin model, built-in roles are tenant-wide: an administrator who holds a role can touch each and every user in the tenant, and in practice many shops simply hand out Global Administrator. Not only is this deeply inefficient, but it also creates huge security problems in two ways. First, if an O365 admin account is compromised, the attacker can reach the entire environment and wreak widespread havoc. Second, the M365 admins themselves may have bad intentions, and become your worst security nightmare.
The native Microsoft 365 Admin Center is built around tenant-wide roles, giving admins who tend to work locally far more power and privilege than they need. This centralized model of setting privileges relies largely on granting global admin rights – even to regional, local, or business unit administrators. Apart from Azure AD administrative units, which cover only a subset of roles and object types, there is no easy facility for setting up regional or other geography-based rights, nor for rights based on business unit, country, or remote and satellite offices. Likewise, you cannot easily limit an admin's rights so narrowly that they can only perform specific functions, such as resetting passwords when requested.
CoreView addresses these pain points with its Role-Based Access Control (RBAC) features, which give you fine-grained control over what admins can and cannot do.
A proper approach to Microsoft 365 permissions and privileges is partitioning permissions based on roles through RBAC, resulting in far fewer, truly trusted global administrators. These global admins are augmented by a set of local, or business unit focused admins with no global access, all leading to far better protection for your Office 365 environment.
Using a simple, intuitive interface, CoreView lets IT segment the Microsoft 365 tenant in myriad ways — for example, by department, business unit, or location. After these groups are set up, IT can dive deeper, using CoreView’s RBAC capabilities to define specific permissions for administrators who then can only perform certain tasks and only against a specific subset of users.
With CoreView, IT can take the entire organization served by Microsoft 365 and break it into logical groups, or sub-tenants, perhaps based on Active Directory (AD) attributes or custom tags on the CoreView side. Once the organization is logically divided, regional admins can be assigned to the sub-tenants.
CoreView further allows you to fine-tune what actions each admin can perform, and which reports they can see. Instead of using the Microsoft 365 Admin Center, your administrators simply log into the CoreView portal. Here, they are limited to making changes only to their assigned users, and can only perform actions they are specifically assigned.
Credential cracking and theft is a growing issue. “One of the big lessons organizations should take away from this year’s report is that stolen credentials are becoming a bigger problem. There were many (stolen credentials incidents), including dumps of billions of stolen credentials across a number of different underground sites. It is important for organizations to monitor for stolen credentials, especially given the tendency of people to reuse passwords across personal and business accounts,” according to the Verizon 2019 Data Breach Investigations Report. “60% of attacks against web applications involved the compromise of cloud-based email accounts using stolen credentials,” the Verizon report concluded.
Also according to this report, 80% of all hacking-based breaches exploited weak or compromised credentials. Moreover, 29% of all breaches, including all attack types, relied on stolen credentials.
Implementing a Role-Based Access Control (RBAC) system in your Microsoft 365 environment limits the damage a stolen credential can do, and helps prevent shadow IT and rein in malicious IT personnel, but on its own it is often not enough.
What exactly is privilege? “Privileged accounts are those granted privileges beyond everyday user accounts. Having access to privileged accounts provides a threat actor (or legitimate user) with access to additional systems and services. These are often among the first targets of external attackers or malicious insiders intending to cause financial loss, data loss, and reputational damage,” explained the Verizon Insider Threat Report.
One best practice is to ensure that privileged accounts are used for administrative tasks only, with no active services (such as a mailbox or licensed applications) that can be used as attack vectors. The problem is that it is not easy to monitor and enforce this with the standard Microsoft 365 admin tools.
CoreView has a dedicated report showing which privileged accounts carry such services. The problem can then be addressed with a targeted e-mail campaign to educate users, or with a workflow that notifies the account owners, allows a grace period, and then removes the services.
So how does CoreView address that issue, both for admin credentials – the biggest exposure, because of the access they have – and for end-user credentials and privileges?
Admins, given their high-level privileges, are themselves a security threat through nefarious actions (not all admins are saints). Just as important, if admin credentials are cracked, hackers have the keys to the kingdom. Knowing what is happening with ALL admin accounts is critical. “IT should have a monthly report of everybody who has performed administrative access against non-owned information assets. IT needs to know when admins accessed somebody else’s mailbox. CoreView has a report for that. You can schedule that report, and you should review it on a monthly basis. If nothing else, when people know that you have the capability of watching and you are watching, they are more careful,” explained Matt Smith, CoreView solution architect.
CoreView also has reports for accounts with passwords that do not expire, and can see which administrative accounts are also used as user accounts. “That is not a best practice. You should separate out your administrative access from your user access,” Smith said. One solution is to grant temporary privileges for limited tasks. “CoreView has a workflow engine that can apply administrative access on the fly, which is similar to a Microsoft E5 feature. However, we can do it for any account,” Smith said. With CoreView, you don't need an E5 license (the comparable native feature, Azure AD Privileged Identity Management, requires Azure AD Premium P2) to grant admin rights ‘on the fly’, and it can be done in a highly granular way.
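The three checks named in this section (admin passwords that never expire, admin accounts doubling as everyday user accounts, and the Global Administrator headcount Smith alludes to), together with a minimal time-boxed role grant of the kind the workflow engine is said to provide, as an added example that is not CoreView code and not part of the original page. USERS mirrors a few Microsoft Graph user properties (accountEnabled, passwordPolicies, assignedLicenses) and ROLE_MEMBERS mirrors directoryRoles membership; all identities, licence SKUs and timestamps are invented, and the ledger is a toy, not a substitute for a real PIM.

```python
"""Added example, not CoreView code: privileged-account hygiene checks over
constructed directory data, plus a toy just-in-time role ledger.

USERS mirrors a few Microsoft Graph user properties; ROLE_MEMBERS mirrors
directoryRoles membership. All identities and timestamps are invented."""
from datetime import datetime, timedelta

USERS = {
    "ga-admin@contoso.com":   {"accountEnabled": True, "passwordPolicies": "DisablePasswordExpiration", "assignedLicenses": []},
    "alice@contoso.com":      {"accountEnabled": True, "passwordPolicies": None, "assignedLicenses": ["SPE_E3"]},
    "bob@contoso.com":        {"accountEnabled": True, "passwordPolicies": None, "assignedLicenses": ["SPE_E3"]},
    "svc-backup@contoso.com": {"accountEnabled": True, "passwordPolicies": "DisablePasswordExpiration", "assignedLicenses": []},
    "exch-admin@contoso.com": {"accountEnabled": True, "passwordPolicies": None, "assignedLicenses": []},
}
ROLE_MEMBERS = {
    "Global Administrator":   ["ga-admin@contoso.com", "alice@contoso.com"],
    "Exchange Administrator": ["exch-admin@contoso.com", "alice@contoso.com"],
}


def admins(role_members):
    """Every account holding at least one directory role."""
    return sorted({upn for members in role_members.values() for upn in members})


def password_never_expires(users, upns):
    """Accounts whose password policy disables expiration (Graph: passwordPolicies)."""
    return sorted(u for u in upns if "DisablePasswordExpiration" in (users[u]["passwordPolicies"] or ""))


def dual_use_admins(users, role_members):
    """Role holders that also carry a licence, i.e. are used as everyday user accounts."""
    return sorted(u for u in admins(role_members) if users[u]["assignedLicenses"])


def global_admin_count(role_members):
    return len(role_members.get("Global Administrator", []))


def _ts(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


class TemporaryRoleGrants:
    """Tiny just-in-time ledger: grant a role for a bounded time, revoke on sweep."""

    def __init__(self):
        self._grants = []

    def grant(self, upn, role, now, ttl_minutes=60, reason=""):
        self._grants.append({"upn": upn, "role": role, "reason": reason,
                             "expires": _ts(now) + timedelta(minutes=ttl_minutes)})

    def active(self, now):
        return [g for g in self._grants if g["expires"] > _ts(now)]

    def sweep(self, now):
        """Return grants that have expired (to be revoked) and drop them from the ledger."""
        now = _ts(now)
        expired = [g for g in self._grants if g["expires"] <= now]
        self._grants = [g for g in self._grants if g["expires"] > now]
        return expired


if __name__ == "__main__":
    print("admins:", admins(ROLE_MEMBERS))
    print("global admins:", global_admin_count(ROLE_MEMBERS))
    print("admin passwords never expire:", password_never_expires(USERS, admins(ROLE_MEMBERS)))
    print("admins used as user accounts:", dual_use_admins(USERS, ROLE_MEMBERS))
    ledger = TemporaryRoleGrants()
    ledger.grant("bob@contoso.com", "Exchange Administrator", "2021-01-04T09:00:00", 30, "ticket 1234")
    print("active at 09:20:", [g["upn"] for g in ledger.active("2021-01-04T09:20:00")])
    print("revoke at 09:30:", [g["upn"] for g in ledger.sweep("2021-01-04T09:30:00")])
```

Running the never-expires check over all users rather than only admins also surfaces the service account, which is the usual place such policies hide; the sweep is the piece a scheduled job would run so that a grant made "for one ticket" does not quietly become permanent.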
A common assumption is that IT, which controls the infrastructure, apps, and data, is inherently trustworthy. The truth is that IT folks are just like everyone else: the vast majority are good and some aren't. When they go bad, the damage is immense.
Too often those in IT blindly trust others in IT, and give these workers higher-level privileges than they need – privileges that can be abused to access corporate and personal information. According to a survey by Cyber-Ark, a third (35%) of IT pros spy on other company employees. Many times, it is simple human curiosity. Unfortunately, there are other times when critical and confidential data is lifted. The bottom line is that, just as IT controls end-user privileges, IT privileges should be limited and controlled as well.
A Network World article, What to do When the Insider Threat is IT Itself, details the problem rogue IT presents. Here are the stats. A sizeable portion of insider breaches come from technical staff: 6% from developers and another 6% from admins, according to the Verizon Data Breach Investigations Report. Many insider incursions result from privilege abuse, though there are many other ways IT abuses its access.
“The first step in protecting your data is in knowing where it is and who has access to it,” the report reads. “From this, build controls to protect it and detect misuse.”
Great importance should be given to the moral character of your IT admins, after all, they do hold a lot of power at their fingertips, especially when a sizeable chunk of the business goes through IT systems.
Giving admins too many privileges and then not tracking what they do opens the door to IT insider malfeasance.
The first defense is using RBAC to grant only the privileges that are absolutely needed, and only for the time they are needed. At the same time, have a system for tracking admin activities, and let admins know tracking is in place. This alone can ward off many dangers.
Even IT should fall under strict data access privilege policies, and all network activity, including activity from IT, should be tracked for security threats.
Meanwhile, CoreView maintains an immutable log of every administrative action from the time the platform is put in place, for regular review by IT security. By watching and reviewing, CoreView positively influences behavior. It is the same reason Wal-Mart and public schools have so many cameras: not just to capture events, but to influence behavior through visible oversight.
Gartner and Forrester both indicate that 80% of SaaS breaches stem from misconfiguration, inappropriate user behaviors, or incorrectly elevated user permissions.
Gartner argues, “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes.” Correctly understanding your company's existing configuration and management is the first step towards implementing solutions that immediately improve a tenant's security. Meanwhile, monitoring and enforcing policies is the responsibility of Microsoft 365 IT professionals, and is a must-do best practice to reduce your attack surface.
For enterprises, correctly defining configurations and appropriate user behaviors are best practices. However, misconfiguration is still possible due to operator workarounds or operator errors. That is why it is so important to monitor and enforce your configuration best practices including policies and baselines, and thus fully secure your SaaS environment.
CoreView lets you define administrators that are specific to a location, a functional set of users, or other attributes. This means admins know who their users are, and have a manageable set of end users to handle.
At the same time, CoreView tracks application usage, so you know which applications handle the most work, and when end users are misusing the system. The ‘single pane of glass’ CoreView console offers deep insight into how end users are configured, and where they might be misconfigured.
With CoreView, you can monitor your configurations and usage policies, and report and alert on the account and device misconfiguration. If a misconfiguration or a misusage has been detected, you can immediately remediate it as well as enforce those policies using the CoreView workflow automation capability. Moreover, with CoreView, policy management moves from a manual and error-prone process to one that is intuitive, easy, and automated.
And the CoreView secret sauce: CoreView keeps the account's immutable ID hash attached to the user account when it is disabled, so the audit history stays tied to the right identity even when a name or UPN is later reused.
With CoreView automation, deprovisioning goes from up to 20 hours down to under 10 minutes. This saves a typical organization about 1,000 hours a year in manual IT admin activities, while improving quality of service and reducing human error. We found that a company with 10,000 employees could save 950 hours of administration time per year, at a projected savings of $45,600 a year, just by properly using Role-Based Access Control (RBAC) to set Microsoft 365 admin permissions.
Suffering breaches from insiders, including IT itself, is something too rarely talked about. Verizon tracks insider activities in its annual Data Breach Investigations Report, and sees many of these insiders as shockingly brazen. “The corporate LAN was the vector in 71% of these incidents, and 28% took advantage of physical access within the corporate facility. This means the majority of employees perpetrated their acts while in the office right under the noses of coworkers, rather than hopping through proxies from the relative safety of their house,” a recent Verizon report said.
These breaches are far too common, as the Verizon report finds that 14% of breaches come from insiders. Insiders are more dangerous than most outsiders are. Insiders are already on the network, and sometimes with high-level privileges. There are different types of insiders who pose specific and varied risks. For instance, many insiders, such as human resources professionals, IT staff, and high-level managers – all have higher-level computer privileges.
The higher the level of privilege, the bigger the problem. “You have managers (including those in the C-suite) that came in higher than in prior years. You know the type – one of those straight shooters with upper management written all over him. They often have access to trade secrets and other data of interest to the competition and, tragically, are also more likely to be exempted from following security policies because of their privileged status in the company,” Verizon said.
To fight off the insider threat, you need a full approach to security, along with the ability to address Microsoft 365-specific vulnerabilities. A key issue is knowing what is going on in the network and controlling dangerous activity.
Verizon advises IT to implement strong access controls and provide access levels fitted to true needs, trust, and levels of responsibility. “Having identified the positions with access to sensitive data, implement a process to review account activity when those employees give notice or have been released,” Verizon suggested.
IT pros are stewards of the IT infrastructure, responsible for securing computer infrastructure and protecting data. This means protecting the company against insider threats – not just blocking outside actors.
The answer is to identify internal and external threats to your environment – then step up your defenses. Here, CoreSuite alerts give you an early warning system for internal and external threats to your Microsoft 365 environment, so you can identify and defend yourself against security breaches before they occur.
Meanwhile, CoreView reporting is fine grained so data can be analyzed by department, business unit, country, and more, so it’s easier to determine exactly where breaches first occur.
Systems such as Microsoft 365 generate millions of data points; larger shops reach that many in very little time. Unfortunately, from a security standpoint, these data points do not exist for long, and far too few are ever used for protection or forensics.
CoreView provides one year of audit data collection, which can be extended for as long as the customer wants. Microsoft's native retention is much shorter: Azure AD sign-in logs are kept for 30 days (seven without a premium license), and the unified audit log for 90 days, extended to one year only for E5 licenses. However, ask yourself:
Did you know it takes more than 4 months on average to detect a data breach? At the same time, active hackers reside on the network for a median of 146 days before being detected, all the while digging deeper and deeper into your data and quietly wreaking havoc.
Before you can even think about leveraging audits, you have to turn on logging to make sure you can detect what happened. And of course, you need to retain log data far longer than Microsoft keeps it, which is just 30 days for Azure AD sign-in events.
Are you logging all the events? Even when logging is enabled, not every event type is audited by default.
This functionality puts CoreView in the same camp as Splunk and Azure Sentinel. CoreView is a better fit than Splunk, we argue, because no logging and auditing infrastructure is required, data collection takes minutes, it is much faster, the data never leaves the Microsoft platform, and it is not subject to API throttling; plus, customers can perform administrative actions right from the reports. Against Azure Sentinel, the differentiator is O365 expertise: pre-configured playbooks, workflows, and reports that save months of development time.
With CoreView, IT can produce a log in seconds of every administrative action taken in Microsoft 365 since the platform was initiated. This is not the case with the native M365 Admin Center. Ask yourself: if a bank teller has a transaction log of every deposit and withdrawal, why don't we have this for O365?
Real-time monitoring and alerting turn that log data into action. Smart IT shops now enable real-time monitoring and alerts for potential security and compliance issues in their Microsoft 365 environment.
One enterprise organization based in the northeastern US, reported that CoreView saved their IT team over 1,000 hours last year when researching and analyzing security related incidents.
The KnockKnock and ShurL0ckr attacks that focus on Microsoft 365 have been active since May 2017 and are still running. Finding the audit trail to identify these types of attacks is extremely difficult and requires assistance from specialized tools with powerful security auditing and analysis capabilities. That's where the CoreView solution comes in handy. Our customers have reported that they are saving more than 50 hours per incident investigation by leveraging the built-in analysis tools in CoreView.
Finding security issues that occur within the Microsoft 365 environment quickly and shutting down the problem is a constant challenge for IT administrators and security teams. With millions of activity events from a variety of Microsoft 365 log file sources, it’s difficult to correlate relevant data and make sense of it. CoreView provides that intelligent, crystal ball view by aggregating data from all the different Microsoft 365 logs to help IT admins locate the corresponding security events and connect the dots to see whether valuable information was included, when it occurred, and who was involved. Being able to locate where the breach, or security issue, originated and what documents or messages were involved can make a world of difference, especially when the event happened months ago.
CoreView stores all log file information for at least one year and can store data longer if a customer requires more historic information to perform security audits. This empowers IT admins to perform the detailed background research to know when the actual security issue first began and where it originated. This helps close the loop on the security audit and finalize the incident report with the necessary information to document the root cause of a security breach or data loss incident.
An important security management and protection paradigm is zero trust. IT used to have a trusted internal network with trusted users, and an external network with untrusted users. As part of this approach, IT installed a DMZ.
With the zero trust model, the organization only allows access between IT entities that have to communicate with each other. There is no such thing as a trusted user anymore, or even a trusted server. Instead, IT secures every communications channel, because IT does not know who is listening in on the router. IT removes generic access to anything; that access has to be granted specifically. It cannot be inherited, and it has to have a purpose. This is Microsoft’s way to implement zero trust throughout an organization.
One problem is that implementing zero trust in Azure Active Directory (Azure AD) is highly complicated. “I think the Microsoft approach would probably get you there – eventually. In contrast, CoreView has a straightforward check box model that gets you to zero trust and least privilege access through our operator access and functional access control model,” explained CoreView solution architect Matt Smith. “Now contrast Microsoft’s complexity with the simple CoreView approach. Our permissions model is all check box-based. The example I typically use is mailboxes. If I want to give someone the ability to create mailboxes, I check a box. Now that person can create mailboxes. If I want to scope it, I put that person in a virtual tenant that is created in a couple of minutes just by looking at properties of Azure Active Directory. Now that person can only create mailboxes for people in the sales department, for example.”
This ties into role-based administration since those mailbox permissions are functional-based. CoreView can truly dive deep, and offer highly granular role-based permissions – even short-term admin roles. “If I want to give you the function as a help desk person of forwarding SMTP mail because somebody is out on long-term leave, I check some boxes. If I want to give it for just a period of time, I set off a workflow engine that says, ‘Grant this operator the ability to forward SMTP mail for a period of an hour or two.’ That works really well with workstation folks, who have to roll out OneDrive to workstations; you want to give these folks the ability to change the password on a desktop, but just for the next hour and a half or so while they are rolling out OneDrive,” Smith said.
This is far simpler than the Microsoft role-based administration model. In Azure Active Directory, Microsoft has defined many roles. One is Application Administrator, which includes 71 different attributes an Application Administrator gets permission to do something with – to read or write or change. “Nobody, not even folks at Microsoft, knows precisely what all of these attributes exactly mean and what this functionally gives the ability to do. How can an IT admin look the chief security officer (CSO) in the eye and say, ‘I gave them Application Administrator rights, and know precisely what he’s now able to do?’ They cannot. Moreover, Microsoft does not define what those rights are,” Smith argued.
In the CoreView model, if IT checks the box so a person can create mailboxes, that person can create mailboxes – but cannot do anything else. They cannot change somebody’s password, or look up what they are doing on Microsoft Teams. “This is a critical security area. Nobody has truly deployed least privilege access within the Microsoft 365 ecosystem – unless they use CoreView,” Smith said.
These concerns are too often overlooked – much to the detriment of M365 tenant security. “It’s a hard conversation to walk into the CSO’s office and say ‘You’ve been running at significant risk from a least privilege access standpoint since you implemented Microsoft 365, which might’ve been several years ago. You’re not following best practices, and you don’t know what people are able to do in the platform.’ That is a tough conversation to have, and it has to be very delicate as well,” Smith argued.
Malware often gets through anti-virus/anti-malware defenses, especially zero-day attacks. “CoreView addresses those issues by providing auditing tools for cloud operations. Any anti-virus software in the world can show there is malware on a particular device. CoreView shows you every single file accessed, and every single action taken by an administrator or a user since they had a security event on one of their devices. That is how we prevent malware like ransomware from going on, and on, and on, and on – spreading throughout the organization. We proactively see and report on what was touched and then do a deeper dive analysis on those actions,” Smith said. No anti-virus or endpoint protection tools do this.
By speeding up security audits and performing more efficient forensic analysis, IT quickly closes any security issues when they are identified. And these issues are out there. The KnockKnock and ShurL0ckr attacks that focus on Microsoft 365 have been active since May 2017 – and are still running – along with other O365-specific malware exploits. Finding the audit trail to identify these types of attacks is extremely difficult, and requires assistance from specialized tools that have powerful security auditing and analysis capabilities – like those offered by CoreView.
When it comes to alerts, IT either has so many it can’t see the ones that really matter, or too few, with little to no visibility into critical issues. The answer is enabling real-time monitoring and alerts for potential security compliance issues in the Microsoft 365 environment.
One CoreView customer used to spend 10 to 50 hours every month writing and running custom PowerShell scripts to decipher the millions of log entries and search for security problems. Now they leverage CoreView to provide automated alerts for security issues on an almost real-time basis. Whenever a known issue is reported within any of the different Microsoft 365 event logs, the CoreView monitoring agent creates an alert and notifies the specific IT admins to take action. Common examples of this type of security compliance monitoring and alerting include the following:
Once alerted with the appropriate information about the security issue, the IT admins can take immediate action to rectify the situation and close the security concern. Another customer said they now have hundreds of these CoreView security compliance alerts configured within their environment to empower them with the real-time knowledge of noncompliance activities so they can be remediated quickly.
In late August 2019, a massive and coordinated ransomware attack crippled computers and locked data in 22 small Texas towns, bringing local government agencies to their knees.
Hoping to prevent a repeat of the ransomware debacle, the Texas Department of Information Resources (DIR) sent out a bulletin to State and Local Government Entities across Texas. The directives offered step-by-step actions to prevent further spread of the existing attack, and create more ransomware-resistant Texas agency systems.
We read the DIR bulletin and closely analyzed its directives: CoreView’s SaaS Management Platform (SMP) for Microsoft 365 can help Texas government entities effectively and efficiently implement these DIR directives.
To ensure an updated and safe environment, run CoreView CoreSuite Reports to validate that workstations, and especially mobile devices, are running appropriate, up-to-date software versions. You can also view Mobile Device Management (MDM), Multi-Factor Authentication (MFA), and other policy applications.
Run CoreSuite Reports to identify accounts that do not have password expiration set – especially service accounts – and apply changes in bulk using CoreSuite delegated admin facilities.
Use CoreSuite Audit Sign-In Reports to identify not only remote login attempts, but also to discover targeted accounts, MFA status, and failure reasons, and remediate MFA status directly from the CoreView reports.
If any devices are flagged as infected, either from CoreSecurity or from other platforms, run a CoreSuite file access and file access extended report for the device owners. For known affected organizations or departments, run the report for all users.
CoreView can validate your workstations and ensure software is up to date, AND you can run CoreSuite Azure AD Reports documenting third-party applications that have been granted, and are using, access to Azure AD.
Enabling CoreSuite activates auditing for all Microsoft 365 workloads, and surfaces all of the Microsoft E5 security tools, even if there is only one E5 license enabled.
Giving global admin rights to too many people is one of the worst things you can do to your network security. Instead, leverage CoreSuite’s functional least-privilege access and Role-Based Access Control (RBAC) functions to quickly create a least-privilege access model that restricts admin rights to only what is actually needed.
CoreView also stores an external, immutable log of every administrative action for the life of the platform. Every agency should be able to produce this type of information.
At the same time, ensuring auditing is enabled across all workloads is also crucial, as it lets you perform forensic analysis and see in detail how the ransomware spread. You should store, access, and audit logs in a separate and immutable location, and define how long you want these logs retained, by enabling CoreSuite.
With CoreView, you can ensure your Microsoft environment is correctly configured, and meet guidelines such as those that are part of these Texas DIR requirements. All this greatly increases your chances of blocking or at least surviving ransomware.
CoreView can do amazing things with even one Microsoft 365 E5 license. Enabling CoreSuite activates auditing for all Microsoft 365 workloads, and surfaces all of the Microsoft E5 security tools, even if there is only one E5 license enabled. “As long as there is one E5 or Azure AD P2 in the tenant, we surface all of the security data for the entire tenant. Therefore, it is not necessary to have an E5 license for everyone,” Smith explained. “E5 is a very valuable SKU, but you can take advantage of the security controls without all users being equipped with that high-end license. Microsoft turns on E5 security controls at a tenant level – meaning you can take advantage of things like the malware reports across all M365 end users.”
CoreView brings to the forefront all of the security data that is available in E5 so that customers can take action on it.
Another item is granting short-term admin access. “CoreView has a workflow engine that can apply administrative access on the fly, which is similar to a Microsoft E5 feature. However, we can do it for any account,” Smith said.
Compliance is a big security and economic issue. There are almost daily incidents of fines occurring due to GDPR and other issues, and IT is not usually able to respond quickly.
If you are not aligned with what your top peers are saying and doing, it is a sign of security weakness. How does a shop know how well it handles security? Looking at peers shows you have at least done your due diligence. If we have not approached best practices, if we cannot measure ourselves with how others are doing in the industry, then we are likely at a severe deficit. That is a career-limiting move.
The way that CoreView surfaces this information is through our enhanced version of Secure Score, which shows exactly how Microsoft 365 shops are doing against their peers, measuring items such as doing proper configuration management, and applying least privileged access.
Many compliance regulations ask shops to collect data logs for a specified period of time. However, Microsoft gives you only the last 30 days of data logs (now moving to a full year), but just for E5 licenses. So how do you manage this regulatory requirement?
There is much involved in being compliant with GDPR that many IT pros do not always think about. A critical flaw in GDPR, in fact, one of the foundations of GDPR, is the right to be forgotten. “How can I forget you, if I do not know precisely who you are and what you did while you were here?” asked CoreView’s Smith. “I cannot forget those things unless I have a record of what you did.”
Fortunately, with CoreView, not only do you know who ‘Joe User’ is, but in the CoreView system, that user has a unique serial number that is stored and used as an account ID. If that ‘Joe User’ leaves and a new user with the same name starts later, IT will know which ‘Joe User’ performed a particular action or was the owner of a particular file. That is because all the actions of both Joe Users are tracked and audited. Without CoreView, all that information goes away as soon as IT deletes Joe User, because it is not stored externally in an audit log, as CoreView does.
“You cannot be GDPR compliant unless you capture and store that kind of information. How do I apply compliance regulations that say I have to be able to notify people when there is a breach – and at the same time, be able to forget somebody when they file their right to be forgotten?” Smith asked.
That is a deep pain point that requires a deep solution. Fortunately, CoreView tracks and stores all this information for admins and end users. On the admin side, for instance, CoreView can produce a report in seconds of every single administrative action an IT staffer has taken on the Microsoft 365 platform since they started. End users are tracked in a similar way. “Why can’t I do that in Microsoft 365 Admin Center? A bank teller can tell you every single check they have cashed, exactly how much money came in for deposits, and how much money went out. Banks keep those logs for seven years due to banking regulations. However, Microsoft 365 shops using the native Admin Center cannot tell today exactly what administrators did in the platform – and yet CoreView can,” Smith explained.
Credential cracking and elevation of privilege attacks demonstrate that we must treat identity as a primary security perimeter. This is a shift from the traditional focus on network security. Network perimeters keep getting more porous, and that perimeter defense cannot be as effective as it was before the explosion of BYOD devices and cloud applications.
Both types of attacks exploit the risk of granting too many global privileges. In fact, CoreView has rewritten the rules for RBAC in the Microsoft 365 world. The new best practice is to segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Microsoft 365 tenant, allow only certain actions at a particular scope.
There are other identity management issues, many of which were settled in the on-premises world but have to be readdressed in the world of SaaS and hybrid networks.
If your future involves the Cloud and SaaS, you really should talk to CoreView. We offer delegated administration and role-based access control built for your network today – and tomorrow. Our user provisioning and lifecycle management of identities are built for modern cloud and hybrid environments.
While we serve your user management and identity needs, we go far further. There is so much we do that Azure AD doesn’t – such as finding malicious log-in attempts, sign-ins from infected devices, or sign-ins from out-of-the-norm geographies. We also track end user activities relative to Azure, and provide rich auditing and reporting.
That is the tip of the CoreView end user and identity management iceberg. At the same time, CoreView offers deep Microsoft 365 management and security, and helps your end users more fully adopt O365 services.
There is little more dangerous than an ex-employee – except an employee who is soon to leave and wants to create damage or take confidential competitive information with them when they go.
An all too common scenario is a current employee planning to go work for a rival company. The concern is not only their knowledge and experience of the market, but also any of your confidential data they can steal, such as customer lists, contracts, and product plans. An active employee may be forwarding all their emails to personal accounts and sharing files externally with themselves and new business partners. If you were tracking email forwards and external data sharing, you would spot this data theft before it gets out of hand.
If IT learns an employee is leaving, and has given, say, two weeks’ notice, the antenna should go up. This is the time to make sure there is no external sharing of confidential data, or other sketchy activity.
Once a worker leaves, forensics should kick in to ensure nothing untoward has happened, and if it did, action can be taken. With CoreView, every time an employee leaves the organization, IT can run an audit report of every file accessed for the past whatever number of days, email forwarding to non-company accounts, and sharing data such as OneDrive volumes externally.
A common scenario is sharing calendar or mailbox access with other colleagues; the problem is that no one takes care of removing this access unless the owner of the shared resource does so.
Access to resources is usually needed for a limited amount of time, and you should ensure that this principle is applied. When access is granted to end users and removed only when a person leaves the company or reminds IT to remove it, it opens potential security exposures that nobody monitors.
CoreView helps govern this process through a workflow in which a user can request access to a resource on behalf of target users for a limited amount of time; the workflow removes the access automatically after it expires.
Digital interactions between different companies are the core of productivity. Employees share files with external users, invite them to share in Microsoft Teams chat or meetings, and add them to distribution groups every day.
Usually, these interactions are limited in time: the external user accesses a resource for a specific project or moment in time and then goes back to his normal activity. Unfortunately, this guest account is still active in the tenant, and he can log in whenever he wants.
What happens if his account is breached several months after the invitation? The attacker will be able to access shared resources, read emails exchanged, and act on behalf of the real users.
What happens if the employee who invited him leaves the company? Who is responsible for removing the guest user from the tenant? Probably it will remain there forever.
CoreView addresses all these problems through a workflow that can be used to force users to add detailed information when an external user is invited, such as department, company, manager, country, and validity period. CoreView will take care of removing or renewing the invited user based on a customizable approval process.
CoreView automation can also be used to identify external users who have been inactive for the last 60 days and automatically start a cleanup process with approval.
Any external user is an additional endpoint to your tenant – keeping them active indefinitely is a common bad practice that can be easily addressed with CoreView.
Hackers have raised password cracking to an art form. With so many weak passwords, it doesn’t take a rocket scientist to break them. The answer is multi-factor authentication (MFA). In fact, US government Microsoft 365 security guidelines strongly advise MFA, especially for admins.
“Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an M365 environment have the highest level of administrator privileges at the tenant level. Multi-factor authentication (MFA) is not enabled by default for these accounts,” the advisory stated.
Locking down end-user accounts through secure passwords and rigorous authentication is also essential. MFA requires at least two forms of personal user identification and is recognized by the National Institute of Standards and Technology (NIST) guidelines for password security. The United States Department of Homeland Security now recommends that all Microsoft 365 users implement MFA. Microsoft provides tools such as Microsoft Authenticator for users to install on their smartphones, as well as smart cards, to work in combination with password logins. Multi-factor authentication is a surefire way to prevent unauthorized logins, and there is little excuse not to use it.
Azure is the host to Microsoft 365 and a key way end users are identified in the cloud. This also makes Azure and Azure AD the main thoroughfare for cybercriminals making their way into the network.
A piece by Microsoft: Azure Identity Management and Access Control Security Best Practices, lists a handful of tips, including:
Fortunately, this checklist is a roadmap of many CoreView security features. One key item is CoreView’s Azure Activity Reports, which include:
With Azure monitoring and reporting, customers audit and report on suspicious login activity, different device access methods, and DLP activities, and perform security and compliance auditing, all from a common management interface. These capabilities also allow customers to configure automated alerts to notify administrators when security compliance issues with Azure AD are identified. In total, CoreView now allows auditing and alert notifications based on over 500 actions in Microsoft Office 365 and Azure AD.
One of the biggest items is tracking AD suspicious sign-in activity. The Azure AD security monitoring and auditing reports available in CoreView provide the proactive, bloodhound-type trail to sniff out suspicious activities for user account log-ins. Many security breaches come from botnet-driven brute-force attacks on user accounts that try different password combinations until they gain access over time. This was the method used by the “KnockKnock” attack, which targeted Microsoft Office 365 system accounts. Add to this the ShurL0ckr-type attacks in 2018 that are still ongoing and infect OneDrive collaborative storage folders, and you can see how IT admins have their hands full with monitoring security breaches and infestations.
Monitoring suspicious sign-in activities on user accounts has quickly become a critical security task for IT administrators responsible for managing Microsoft Office 365. The customizable reports from CoreView enable IT admins to easily monitor these suspicious activities, identify who performed the sign-in, when it happened, and from what geographic location (which IP address). The anomalous AD activity reports combine suspicious sign-in details from the following categories:
In fact, CoreView can easily establish and manage AD identities, and automate this work in a pre-set, serial workflow process with full auditing enabled by default. Here are the steps that can be automated, and done without error:
Knowing how many suspicious sign-in attempts are happening, where they are coming from, and what they are targeting is a key security best practice. Unfortunately, this is difficult work if all you have is the native M365 Admin Center from Microsoft.
Many breaches come from botnet-driven, brute-force attacks on user accounts that try different password combinations at segmented intervals until they gain access over time. This was the method used by the “KnockKnock” attack, which successfully targeted Microsoft Office 365 system accounts. The Azure AD security monitoring and auditing reports available in CoreView provide the type of proactive, fast analysis capabilities needed to quickly sniff out suspicious activities for user account sign-ins. Identifying those hackers early on allows IT teams to quickly block those IP addresses and enable extra security on any of the accounts that are being targeted.
This is extremely helpful for distributed organizations with multiple sites and geographic locations. One enterprise organization we talked to said that they have improved their response time to block remote hacker attempts by over 500%. One customer based in the mid-western US said that they used to spend approximately 80 hours/month running their own PowerShell scripts and sifting through the piles of data to search for anomalous sign-ins across their different geographic locations. Now they spend about 10 hours/month monitoring for suspicious sign-ins and can take immediate action when they find an issue.
This report showcases the account logins that were performed from infected devices that are now part of a botnet. We correlate the IP addresses of user sign-ins against IP addresses that are known to be in contact with botnet servers. This is important for quickly identifying users infected with malware or other infestations that need immediate remediation. These reports are completely customizable.
This report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity in this case is defined as an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that an IP address is being used for malicious purposes.
This report includes successful sign-ins for the same account where two sign-ins appeared to originate from different geographical regions during a specific timeframe. The report takes into consideration the time difference between the sign-ins to provide more details to the administrator so they can determine whether it was possible for the user to have traveled between those regions.
These types of questionable sign-ins are identified on the basis of an “impossible travel” condition combined with an anomalous sign-in location and device. This means that a successful sign-in occurs from a single account over multiple geographic locations in overlapping time sequences. This may indicate that a hacker has successfully signed in using this account.
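As an added illustration (not CoreView’s or Microsoft’s own detection logic), here is a small Python model of the two report conditions described above: the per-IP ratio of failed to successful sign-ins, and the impossible-travel check that compares great-circle distance against elapsed time between consecutive successful sign-ins for one account. The record fields, thresholds and sample sign-in data are constructed assumptions, not the schema of any real Azure AD or CoreView export.

```python
"""Toy detection of two anomalous sign-in patterns:
1) source IPs with an unusually high failed:successful sign-in ratio;
2) "impossible travel": consecutive successful sign-ins for one account
   from places too far apart for the elapsed time.
Field names and thresholds are assumptions for this example only."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in log (not real data). Each record holds the
# user, UTC timestamp, source IP, result, and a geo-resolved location.
SIGN_INS = [
    {"user": "alice", "time": "2019-08-20T08:00:00", "ip": "198.51.100.7",
     "result": "success", "city": "Austin", "lat": 30.27, "lon": -97.74},
    {"user": "alice", "time": "2019-08-20T09:30:00", "ip": "203.0.113.9",
     "result": "success", "city": "Kyiv", "lat": 50.45, "lon": 30.52},
    {"user": "bob", "time": "2019-08-20T08:10:00", "ip": "198.51.100.8",
     "result": "success", "city": "Austin", "lat": 30.27, "lon": -97.74},
    {"user": "bob", "time": "2019-08-20T18:00:00", "ip": "198.51.100.21",
     "result": "success", "city": "Dallas", "lat": 32.78, "lon": -96.80},
] + [
    # Twelve failed guesses against several accounts from a single IP,
    # one per minute: the low-and-slow pattern the text attributes to
    # botnet-driven brute force.
    {"user": u, "time": f"2019-08-20T03:{m:02d}:00", "ip": "203.0.113.50",
     "result": "failure", "city": "Unknown", "lat": None, "lon": None}
    for m, u in enumerate(["carol", "dave", "erin", "frank"] * 3)
] + [
    {"user": "carol", "time": "2019-08-20T03:40:00", "ip": "203.0.113.50",
     "result": "success", "city": "Unknown", "lat": None, "lon": None},
]


def suspicious_ips(records, min_attempts=5, max_fail_ratio=3.0):
    """Return {ip: (failures, successes)} for IPs with at least
    min_attempts sign-ins whose failure:success ratio exceeds
    max_fail_ratio. Zero successes counts as an infinite ratio."""
    counts = defaultdict(lambda: [0, 0])  # ip -> [failures, successes]
    for r in records:
        counts[r["ip"]][0 if r["result"] == "failure" else 1] += 1
    flagged = {}
    for ip, (fails, succ) in counts.items():
        if fails + succ < min_attempts:
            continue  # too few attempts to judge
        ratio = fails / succ if succ else float("inf")
        if ratio > max_fail_ratio:
            flagged[ip] = (fails, succ)
    return flagged


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(records, max_speed_kmh=900.0):
    """Return (user, from_city, to_city, km, hours) for each pair of
    consecutive successful sign-ins whose implied speed exceeds
    max_speed_kmh (roughly airliner speed)."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success" and r["lat"] is not None:
            by_user[r["user"]].append(r)
    hits = []
    for user, evts in by_user.items():
        evts.sort(key=lambda r: r["time"])  # ISO-8601 sorts chronologically
        for prev, cur in zip(evts, evts[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < 1.0:
                continue  # same place: not travel at all
            delta = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"]))
            hours = delta.total_seconds() / 3600
            if hours == 0 or km / hours > max_speed_kmh:
                hits.append((user, prev["city"], cur["city"],
                             round(km), round(hours, 2)))
    return hits


if __name__ == "__main__":
    print("suspicious IPs:", suspicious_ips(SIGN_INS))
    print("impossible travel:", impossible_travel(SIGN_INS))
```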
So what do security IT executives need to know about security that they don’t already? “It is a delicate conversation. How do you tell them? – ‘You have been operating unsafely for four years and should have been examining every file that got touched after a malware event.’ It is going to happen. If it happens to the US Department of Defense, you will be hacked too. Somebody will get a virus. Somebody will leave the organization and not be 100% happy that they are leaving. Some administrators will do something they should not. Why haven’t they turned on all these controls?” said Matt Smith, solution architect for CoreView.
The best advice for a Microsoft Office 365 environment of any size is to get a free CoreView Microsoft Office 365 Health Check today. At the same time, make sure you have enabled all the data Microsoft has to offer for detecting and correcting a security event. Then subscribe to the CoreView solution so you can rationalize all that information into actionable reports.
“A huge benefit of having a CoreView Microsoft Office 365 Health Check scan and analysis performed on your entire O365 environment is that auditing is not turned on by default by Microsoft. Many people do not realize this. When we do a Microsoft Office 365 Health Check, we flip on auditing for every single workload. Even if they do not buy CoreView, it is a value add in that at least all that data is there,” Smith concluded.