Security in Microsoft 365 (part 2 of 3)

By Ashwin Venugopal -

 




To read part 1, please click here
To read part 3, please click here






Account Breach

An account can be considered as breached when a user's account is compromised such that it can be easily used by an attacker to access network resources and if its an administrative account, then the hacker can immediately begin scouring the network to gain access to critical data, but if its a regular user's account, then the hacker can use various techniques to obtain administrator privileges which is called elevation of privilege.

Mitigating an Account Breach

It's recommended to use Multi-factor Authentication (MFA) to mitigate an account breach where the users must perform an additional step to log on to services. Another authentication method can be an SMS text message, key FOB, or a phone call, which makes it much harder for an attacker to steal an identity without the actual account owner knowing about it. Directory controls can also be enabled against multiple failed logon attempts (like disabling the account after three failed attempts) to secure against the password cracking attempts. 

Tip- If you implement either of the solutions after a breach, then, you should also monitor the account for a period to make sure that it hasn't been re-breached. 

Elevation of Privilege

This scenario means that an attacker has already compromised your one or more accounts and is now working to increase his or her power. The target is generally Global Administrator privileges in Microsoft 365, but specific privileges are also desirable if the targeted data is in that product or service. The hacker can also simply create a new account and promote to a global administrator to 'hide in plain sight', i.e. he or she will now have an account that no one else is using and which likely won't be noticed unless the other administrators are regularly reviewing the global administrator's account population. 

Preventing an Elevation of Privilege Attack

Since the account is the main concern of the attack pattern, the same set of protection controls can be used as an account breach. Hence, it is recommended to use MFA specifically with admin accounts or ones with access to sensitive content, you can also keep the number of global administrators small (i.e. a minimum of two and maximum of five global admins for any size of tenant) to keep the target area small and making more difficult for an attacker to hide. 

However, if a breach of this nature still occurs, then you should carefully determine everything that the attacker may have done to your data or further entrench themselves in your tenancy. Generally, once you have successfully regained control of the breached accounts, you can easily reverse the changes made, and then determine what (if any) communication steps must be taken if data was exfiltrated or deleted. It is also recommended to enable MFA on the affected accounts.

Data Exfiltration

It's an unauthorized retrieval of data from a computer or service, which can be stolen in any number of ways such as through the breach of an account with access to the data, or through system and infrastructure attacks that can give the attacker local or system admin privileges o the computers having data outside of Microsoft 365. The data itself comes in  various forms such as email, documents, instant messaging conversations, Yammer threads, and even enumerating your directory information can be useful to an attacker further making it difficult to protect them.   

Preventing Data Exfiltration

Protecting your service from account breaches and elevation of privilege should be your first step in protecting your data, while following are the various methods inherent in the data itself that can be pursued:
  • Access control lists- You should establish standards for determining who should have access to specific kinds of data, and then create processes to monitor as well as maintain those access controls. 

  • External sharing policies- Data leakage to an external endpoint must be prevented by configuring your tenant to restrict certain types of sharing but as these policies are restrictive in nature, then, you might require to strike a balance between risk and productivity.

  • Least privilege- You should always take your time to only grant minimum privilege to the smallest group of users that you can instead of granting permissions to documents and document libraries that exceeds the required access.  

  • Data classification schemes- You can also set up and use data classification metadata especially with the data shared on SharePoint sites and OneDrive. This one requires you to determine a set of risk tiers and then sites as well as documents to tag data in your systems with a proper classification allowing you to monitor very sensitive data, as well as leverage specific technologies to further protect high business impact data.  

  • Data Loss Prevention (DLP)- The above data classification scheme is the most effective when used in combination with the DLP feature of Microsoft 365.It allows you to configure rules about how to handle the data moving in and out of your tenant while also preventing your sensitive document content from being emailed to any external parties as well as your users from social security numbers via email. 

Microsoft 365 administrators can also enable auditing, alerts, and Advanced Security Management to detect any suspicious behaviors or activities in the tenant. 











To read part 1, please click here
To read part 3, please click here















Comments

  1. sabarvalachovicMarch 4, 2022 at 12:58 PM

    The Best Casino in Kansas City | JTG Hub
    With over 100 of the hottest 전라남도 출장안마 casino games and the 영주 출장안마 hottest slots and the nicest 울산광역 출장샵 slots in town for the poker, dining, entertainment 밀양 출장마사지 and more, 의왕 출장안마

    ReplyDelete
  2. Nanfor IbéricaMay 22, 2022 at 10:04 AM

    It is really a helpful blog to find some different source to add my knowledge.
    MS-201T02: Managing Messaging Security, Hygiene and Compliance

    ReplyDelete

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more