Many companies are moving towards Microsoft Office 365 (O365) due to the numerous benefits it provides in today’s remote world. Businesses are also migrating on a cloud-hosted infrastructure at an exponential speed. However, in an attempt to migrate quickly for minimized downtime and seamless services, organizations are ignoring the appropriate security configurations of these platforms, which is essential for cybersecurity.
Although Office 365 has built-in security features, they are not enough to secure your IT ecosystem today. The threat landscape is constantly evolving, and adversaries are leveraging new tactics every day to penetrate standard security measures. Hence, 24/7 monitoring for suspicious behavior on these systems is vital.
E-mail Security: An Overview of Threats
The E-mail system is the most vulnerable part of Office 365. E-mails are usually received and sent to untrusted, external networks. These networks are outside your company’s security boundaries. Without appropriate security, these e-mails can be a welcome card for threat actors that can be accessed, read, and modified at any point while being transferred over the network.
Securing the e-mail systems is a joint responsibility of your IT department and the e-mail administrator. However, even your employees and everyone else who is using the e-mail system should have a basic understanding of the common threats and how to detect and prevent them.
E-mail is a common target for threat actors, primarily because they are ubiquitous, well understood, and used by almost everyone to communicate with external networks. These are some threats that are usually used for targeting e-mails:
- Spam and Phishing: Spam, also referred to as e-mail spam or junk e-mail, is the practice of sending unsought e-mail messages in bulk. These bulk e-mails can usher employee productivity, occupy IT resources, and help the threat actors distribute malware. Somewhat similar to spam is phishing. This attack procedure refers to the practice of sending fraudulent e-mails to someone and deceit them as if they are from trusted sources. This helps lure the victim into disclosing financial or other sensitive information. Compromised e-mail systems are used to deploy and distribute malware. They are also used to send phishing e-mails to other addresses.
- Social Engineering: As the name gives out, the social engineering attack refers to manipulating victims into making security mistakes. Rather than hacking into a system, the threat actor will use psychological manipulation to trick the victim into performing actions that can weaken security. E-mail spoofing is a common example of social engineering where the attacker deceives himself or herself as a trusted person by falsifying the sender details on e-mail messages.
- Unintentional Acts by Authorized Users: Some threats are unintentional as well, wherein an authorized user ends up sending sensitive information to an untrusted e-mail address, leading to embarrassment and cyberattack consequences.
- Malware: The use of e-mail to deliver and deploy malware software is on the rise. Several cyber adversaries are sending e-mails with malicious attachments to carry out a wide array of attacks, including Trojan horses, bots, worms, viruses, and spyware. If these attacks are successfully deployed, the attacker can get administrator access to change privileges and exploit vulnerabilities.
Office 365 Security Best Practices:
To ensure prevention against the common e-mail threats, businesses can follow the bellowing best practices:
1. Enforce Regular Password Change Policy:
Implement a password change policy in your organization to enforce users to change passwords after regular intervals for securing access to data and servers.
2. Regulate Right Management to Protect Documents:
Encrypt your sensitive data and appropriately regulate the rights to access and use it so that only the intended recipients can see and modify it.
3. Enable Multi-Factor Authentication:
Multi-factor authentication or MFA is an authentication process that validates a user multiple times before providing access to data. Besides the password, it will mandate a secondary source of validation, such as your device, one-time password (OTP), etc. MFA is a built-in feature in Office 365 and helps minimize the impact that a compromised account or password can have on enterprise cyber risk.
4. Deploy SIEM security solutions:
One of the best ways to secure Office 365 is by integrating it with a SIEM (Security Information and Event Management) solution to monitor and identify all the standard as well as advanced threats.
Even with the strong security offered by the UAL (Unified Audit Log) and MFA, it is vital to integrate O365 with SIEM for correlating the O365 logs with other monitoring solutions. Seamless integration ensures real-time detection of anomalous activity across the IT posture.
5. Block Password Reuse:
Reusing a password can offer an advantage to cyber attackers. Hence, whenever a password is reset by a user, the system needs to compare it with the passwords for other systems and the entire list of previous passwords. Blocking password reuse reduces the chances of using password stuffing for deploying attacks. It also ensures that a single password doesn’t become the key to access other O365 accounts.
Securing O365 by Monitoring The Logs Using SIEM
As we have established, integrating with a SIEM solution can be the most excellent method to secure yourO365. Here, we will be discussing how monitoring O365 logs with a SIEM can secure them. The use cases discussed here mainly apply to O365 logs. But some cases might be helpful in other scenarios as well. The SIEM solution you select to deploy should be capable of detecting the following:
- E-mails Going Outside Your Organization: Many companies restrict their employees from sending e-mails outside the organization. The reason behind this is simply that it makes it easy for attackers to target an employee and penetrate your systems. A SIEM solution can monitor the e-mail logs and the recipient address to alert if any e-mail is sent to an untrusted network. Leveraging SIEM-as-a-Service, like the one provided by SharkStriker, can help create a list of malicious hosts and alert whenever an e-mail is received or sent to that address.
- Policy Modifications: Cyber attackers can try to modify or disable some policies to elude detection and ease the process of lateral movement in the organization to get access to multiple systems. Hence, monitoring any policy modification using a SIEM solution becomes vital.
- Disabling Exchange Audit Log: O365 provides capabilities to audit exchange logs, which helps detect malicious activities. The easiest way for threat actors to evade detection through the audit is to disable it. Hence, disabling of auditing should be kept on alert using a SIEM solution.
- Login Attempts After Working Hours: If your company has specific working hours, login attempts outside those are not likely. It can be some cybercriminal trying to use a combination of different passwords to exploit O365. Hence, the SIEM solution you deploy should be capable of identifying both failed and successful login attempts.
- Activity From Remote Geographical Location: Several companies operate in one or more specific locations. Hence, any activity outside the common business regions can indicate malicious activities. You can use a modern-day SIEM solution’s Geo IP database capabilities to create location rules and monitor them.
Using SIEM solutions for monitoring O365 logs can enhance your company’s security posture. However, owning a SIEM and hiring the right expertise to manage it is the biggest challenge facing most organizations. It can be both costly and time-consuming for businesses. A Managed Security Services provider like SharkStriker can help address all these difficulties. SharkStriker’s SIEM-as-a-Service enables you to create multiple rules to monitor all the activities listed above and secure Office 365. In fact, we also provide you with the right expertise to develop robust correlation rules, which are the key metrics for evaluating the strength of a SIEM solution.