Microsoft 365 is a cornerstone for businesses worldwide containing invaluable intellectual property and business-critical applications. It is vital to understand the threats facing this landscape and how to mitigate the risks with security considerations and monitoring. In this blog, we will take a deeper look at these challenges, some steps you can take today to ensure these assets are protected and some of the potential risks accepted by not acting.
Understanding the Threat Landscape
Any attack a business faces can generally fit into one of three categories: people, process and technology. The most devastating attacks a company will face is a combination of these attack categories.
The human element in security is arguably the hardest control to predict and takes the most effort to protect. The most important thing to keep in mind when confronted with the human element is their job. People will often take the easiest path to do their job to stay efficient and on task. If a policy or procedure is difficult and time consuming, they will find an easier and likely less secure way to do their job.
Next is training. Training needs to be beyond a yearly one-hour video with questions we all click though mindlessly. Information and training needs to be provided often and in small impactful chunks. Monthly security emails that not only contain a refresher concept but something that will pull the reader in and make them feel informed. This can be as simple as a tasteful comic centered around a security topic. The email should also take no more than five to seven minutes to read with bolded headlines.
Policies are vital to consistency and efficiency in a business, until they are not. If a policy creates so much overhead that an employee cannot get work done or is not sensitive to their department’s needs, the policy has failed. To prevent this takes understanding what data flow and applications are needed for a department to function then start refining the security processes secure but not interrupt this flow.
One of the most overlooked process failures is alert fatigue. If someone receives so many emails for non-business critical errors, it can become very easy to miss when something really needs attention. This can be mitigated by tailoring alerts to only be emailed in high-risk cases and customizing the alerts to only the necessary stakeholders. Other alerts that may need attention on a lower SLA should be sent to a ticket system or group monitored dashboard.
Some of the most well-known attacks come from attacking the technology itself: Logj4, WannaCry and Y2K. These attacks are terrifying and get worse when you add in things like zero-day attacks, but we often overlook one of the most devastating technological faults — misconfiguration. This is a concept of “you don’t know what you don’t know” can leave your company open for extended periods of time waiting for an attack. Subsequently, technology can and will fail — have a backup plan. This backup plan can consider things like cloud outage, resilient backup data and alternative forms of communication.
The perfect example of these threat vectors causing unintentional potential damage, is enforcing periodic password reset. Having a policy that enforces password resets on a scheduled basis often leads users to create a system that leads to weaker passwords or to them writing their passwords down, making their account more vulnerable. It has been observed that policies only requiring password resets based on risky behavior and a two-way multifactor authentication helps users create stronger words and lessens the likelihood of breaches.
Principle of Least Privilege
The principle of least privilege is having enough privileges to do your job, no more no less. There are a couple of core concepts to help mitigate over provisioning of privileges. Many of these concepts are based on Identity and Access Management which is the concept of who can access what. IAM happens in two processes: authentication and authorization. First, a user will authenticate with the dedicated authentication authority then once authenticated the IAMs data based will be queried for the user is authorized to access. This is generally suitable for everyday users who need access to data and reports to do their job.
Admin accounts present a special kind of risk in an organization known as an accepted risk. These accounts can be especially damaging to an organization if compromised and extra policies and controls should be used around these accounts. First is to not overlap user and admin accounts, if this account is being used to sign into your email it should not have administrator permissions. Admin accounts should also have configured alerts to department stakeholders when they are used to log into a system. A feature offered in Microsoft Entra, called Privileged Identity Management, PIM allows time expirations and approval scopes in order to activate the administrative privileges on the accounts.
When authenticating an application, it is best practice not to use a username and password for that authentication process. This is for a few reasons. First and most importantly if the password on that account is reset the application also loses access and can silently fail. Next there is no safe way to use multifactor authentication without needing to manually authenticate the application every time it runs. When an application needs authentication use an enterprise application with certificates.
Why Protecting Microsoft 365 Data Is Important
One of the biggest misconceptions when moving to SaaS is you’re no longer responsible for the data or the loss of that data. This is not the case; an organization is always responsible for their data. Data is vulnerable on many fronts, like accidental deletion, hacking and misconfigurations. We explore this data loss in business across many industries and explore Gartner’s advice on this in “What Are the Risks to Microsoft 365, According to Gartner?”
Every organization would like to follow best or better practices but one of the largest constraints and security vulnerabilities is around operations. Simple concepts like separation of data and network traffic can be the difference between a small segment going down in an attack and entire business outage. Creating layers in a defense is one of the more obvious challenges but every organization is different and the best solution to the problem will vary. Arguably MFA has become the standard concept organizations need to adopt for better security practices but when you look at education this is not always possible. Administration cannot count on students to have cell phones or count on students who forget their pencils to remember a USB token. This is one example of how any organization must overcome or accept risk.
The Importance of Monitoring
Early detection and rapid response are the key to ensuring data is protected and damage is mitigated. It is important to monitor and alert action teams when there is an issue that needs to be corrected. It is equally important to not spam these teams where they get alert fatigue and become blind to when there is an urgent issue that needs immediate attention.
Having a tiered approach to issues based on priority can help to ensure teams take action in the appropriate SLA. For information alerts a dashboard that is configured for stakeholders helps to keep everyone up to date but no spammed. A highlight reel from the dashboard is also appropriate once a day. Issues that may not need immediate attention but do need to be addressed should be sent to a ticket system where all stakeholders can work from. When something is critical and has immediate potential for a system down should be sent out in alerts. These alerts depending on the criticality could include emails, SMS and automated phone calls.
Preparing for Attacks
Just like with anything the more you prep the smoother your mitigation and recovery in an attack. The attacks business face today are much more sophisticated than they were 10 years ago, pivoting though an infrastructure and causing more damage along the way. Even the best laid plans can fail but untested plans are likely to fail. Running simulations of various attacks and outages is the best way to refine an action plan with any certainty. These simulations also help understand what expectations to set if something does happen and what users will need to be trained on.
To read more about preparing for a cyberattack check out “The Cyber Battlefield: A Tactical Guide To Preparing For, Engaging in and Triumphing Over Cyberattacks”
Microsoft 365 contains critical applications and intellectual property that keeps your business running. This data and security are the responsibility of the organization. Organizations should be leveraging PIM, enterprise applications and data separated backups. This kind of layered approach with native Microsoft 365 and a secure recovery plan go a long way in ensuring data security in this environment.