Security in Microsoft 365 (part 2 of 3)

By Ashwin Venugopal -

 




To read part 1, please click here
To read part 3, please click here






Account Breach

An account can be considered as breached when a user's account is compromised such that it can be easily used by an attacker to access network resources and if its an administrative account, then the hacker can immediately begin scouring the network to gain access to critical data, but if its a regular user's account, then the hacker can use various techniques to obtain administrator privileges which is called elevation of privilege.

Mitigating an Account Breach

It's recommended to use Multi-factor Authentication (MFA) to mitigate an account breach where the users must perform an additional step to log on to services. Another authentication method can be an SMS text message, key FOB, or a phone call, which makes it much harder for an attacker to steal an identity without the actual account owner knowing about it. Directory controls can also be enabled against multiple failed logon attempts (like disabling the account after three failed attempts) to secure against the password cracking attempts. 

Tip- If you implement either of the solutions after a breach, then, you should also monitor the account for a period to make sure that it hasn't been re-breached. 

Elevation of Privilege

This scenario means that an attacker has already compromised your one or more accounts and is now working to increase his or her power. The target is generally Global Administrator privileges in Microsoft 365, but specific privileges are also desirable if the targeted data is in that product or service. The hacker can also simply create a new account and promote to a global administrator to 'hide in plain sight', i.e. he or she will now have an account that no one else is using and which likely won't be noticed unless the other administrators are regularly reviewing the global administrator's account population. 

Preventing an Elevation of Privilege Attack

Since the account is the main concern of the attack pattern, the same set of protection controls can be used as an account breach. Hence, it is recommended to use MFA specifically with admin accounts or ones with access to sensitive content, you can also keep the number of global administrators small (i.e. a minimum of two and maximum of five global admins for any size of tenant) to keep the target area small and making more difficult for an attacker to hide. 

However, if a breach of this nature still occurs, then you should carefully determine everything that the attacker may have done to your data or further entrench themselves in your tenancy. Generally, once you have successfully regained control of the breached accounts, you can easily reverse the changes made, and then determine what (if any) communication steps must be taken if data was exfiltrated or deleted. It is also recommended to enable MFA on the affected accounts.

Data Exfiltration

It's an unauthorized retrieval of data from a computer or service, which can be stolen in any number of ways such as through the breach of an account with access to the data, or through system and infrastructure attacks that can give the attacker local or system admin privileges o the computers having data outside of Microsoft 365. The data itself comes in  various forms such as email, documents, instant messaging conversations, Yammer threads, and even enumerating your directory information can be useful to an attacker further making it difficult to protect them.   

Preventing Data Exfiltration

Protecting your service from account breaches and elevation of privilege should be your first step in protecting your data, while following are the various methods inherent in the data itself that can be pursued:
  • Access control lists- You should establish standards for determining who should have access to specific kinds of data, and then create processes to monitor as well as maintain those access controls. 

  • External sharing policies- Data leakage to an external endpoint must be prevented by configuring your tenant to restrict certain types of sharing but as these policies are restrictive in nature, then, you might require to strike a balance between risk and productivity.

  • Least privilege- You should always take your time to only grant minimum privilege to the smallest group of users that you can instead of granting permissions to documents and document libraries that exceeds the required access.  

  • Data classification schemes- You can also set up and use data classification metadata especially with the data shared on SharePoint sites and OneDrive. This one requires you to determine a set of risk tiers and then sites as well as documents to tag data in your systems with a proper classification allowing you to monitor very sensitive data, as well as leverage specific technologies to further protect high business impact data.  

  • Data Loss Prevention (DLP)- The above data classification scheme is the most effective when used in combination with the DLP feature of Microsoft 365.It allows you to configure rules about how to handle the data moving in and out of your tenant while also preventing your sensitive document content from being emailed to any external parties as well as your users from social security numbers via email. 

Microsoft 365 administrators can also enable auditing, alerts, and Advanced Security Management to detect any suspicious behaviors or activities in the tenant. 











To read part 1, please click here
To read part 3, please click here















Comments

  1. sabarvalachovicMarch 4, 2022 at 12:58 PM

    The Best Casino in Kansas City | JTG Hub
    With over 100 of the hottest 전라남도 출장안마 casino games and the 영주 출장안마 hottest slots and the nicest 울산광역 출장샵 slots in town for the poker, dining, entertainment 밀양 출장마사지 and more, 의왕 출장안마

    ReplyDelete
  2. Nanfor IbéricaMay 22, 2022 at 10:04 AM

    It is really a helpful blog to find some different source to add my knowledge.
    MS-201T02: Managing Messaging Security, Hygiene and Compliance

    ReplyDelete

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more