Virtualization Technology News and Information
5 Tips For Securing Microsoft Office 365


Article Written by Jim Hansen, VP of Product Marketing at AlienVault

Although companies are rapidly adopting cloud computing technologies and services, many organizations are aware that their cloud security isn't up to snuff. This was recently illustrated by the results of an AlienVault survey of infosec professionals, which revealed that 42 percent of respondents were concerned about their lack of visibility in the cloud, while one-third described their cloud security monitoring as "complex and chaotic." However, when it comes to cloud security, the lack of a comprehensive strategy could potentially be an extremely costly oversight for a company, particularly if it fails to monitor Microsoft Office 365. Employees use Office 365 services such as Exchange, OneDrive, and SharePoint, which are targeted by an average of 2.7 new threats per month, to share confidential and sensitive information internally and sometimes externally. For this reason, it's critical that organizations take steps to monitor and protect against such threats. Below are five strategies that can help organizations secure Office 365 environments.

1. Take a unified approach to security management

Organizations typically need a number of different security capabilities to adequately monitor, effectively detect, and quickly respond to threats in environments that include physical infrastructure, virtual infrastructure, cloud infrastructure, and cloud services like Office 365. The essential security monitoring capabilities include asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring and SIEM, and organizations have traditionally leveraged point solutions to provide each of these capabilities independently. However, managing multiple solutions separately not only requires significant time and resources, but also creates additional work as teams attempt (often unsuccessfully) to integrate new tools into the existing infrastructure. For smaller or resource-constrained teams, which generally don't have the time or ability to do this effectively, the result is often a deployment that fails to meet their security needs. In contrast, unified security solutions, which incorporate all the necessary security functionality into a single platform, eliminate this issue entirely. By providing organizations with the tools they need to gain comprehensive and continual visibility into their cloud environments, a unified platform enables them to monitor their infrastructure, Office 365, and other cloud applications.

2. Prioritize direct access

While a unified solution simplifies security monitoring of Office 365 applications, it is also important to look for tools that have direct access to Office 365's rich API, so organizations can better access, understand and act on the comprehensive data that is unique to this environment. Such solutions give organizations the ability to collect and analyze information around any activity in Office 365 - such as what users are doing, what they're accessing and where they're located - and also make it easier for organizations to monitor for potential threats against Office 365 applications.

3. Establish baseline metrics

Organizations can use the data obtained from the Office 365 API to establish a baseline of "normal" user activity. Once they have this, they can easily identify anomalies, which are often indicators of suspicious activity or threats. Because Office 365 internally tracks everything a user does (with each activity receiving its own "event"), organizations can determine a range of "normal" behavior for every type of user activity. These activities range from typical employee behaviors, such as sending email and creating, viewing and deleting files, to administrative tasks like creating new users, deleting users and modifying permissions. Any activity that deviates from the norm should then trigger a vulnerability assessment to reveal whether the anomaly is an actual threat or merely a harmless irregularity.
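The baseline idea above, as an added example that is not part of the original article: per-user, per-operation daily counts are learned from a window of audit events and a later day is flagged when its count sits well above that baseline. The event dicts are constructed to resemble Office 365 unified audit log records (the `UserId` and `Operation` fields, with a day index standing in for `CreationTime`); they are not real tenant data.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = 14  # days of history used to learn "normal" activity


def make_sample_events():
    """Constructed history (not real data): alice views roughly 20 files and
    deletes 1-3 per day for 14 days, then on day 15 deletes 150 files."""
    user = "alice@example.com"
    events = []
    for day in range(1, BASELINE_DAYS + 1):
        events += [{"UserId": user, "Operation": "FileAccessed", "Day": day}] * (18 + day % 5)
        events += [{"UserId": user, "Operation": "FileDeleted", "Day": day}] * (1 + day % 3)
    events += [{"UserId": user, "Operation": "FileAccessed", "Day": 15}] * 21
    events += [{"UserId": user, "Operation": "FileDeleted", "Day": 15}] * 150
    return events


def daily_counts(events):
    """Count events per (user, operation, day)."""
    counts = Counter()
    for e in events:
        counts[(e["UserId"], e["Operation"], e["Day"])] += 1
    return counts


def build_baseline(events, days=BASELINE_DAYS):
    """Per (user, operation): mean and population std dev of the daily count
    over the baseline window. Days with no activity count as zero."""
    counts = daily_counts(e for e in events if e["Day"] <= days)
    per_key = defaultdict(lambda: [0] * days)
    for (user, op, day), n in counts.items():
        per_key[(user, op)][day - 1] = n
    return {k: (mean(v), pstdev(v)) for k, v in per_key.items()}


def find_anomalies(events, baseline, z=3.0, min_delta=5):
    """Return (user, op, day, count) for post-baseline days whose count exceeds
    mean + z*std. min_delta keeps a near-constant baseline (std close to zero)
    from flagging a change of one or two events."""
    flagged = []
    for (user, op, day), n in sorted(daily_counts(events).items()):
        if day <= BASELINE_DAYS:
            continue
        avg, sd = baseline.get((user, op), (0.0, 0.0))
        if n > avg + max(z * sd, min_delta):
            flagged.append((user, op, day, n))
    return flagged
```

The day-15 file views stay inside the learned range and are not reported, while the burst of deletions is; in practice the same logic runs per workload and per user type, with the window tuned to the tenant.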

4. Analyze events

It's critical that organizations monitor for and inspect all anomalous events, but some are better than others at indicating a potential threat. The following anomalous events in particular should be the most alarming, and by extension are also the ones that demand the most immediate attention:

  • Modifications of user privileges
  • User additions or deletions
  • Sharing of information with people from external organizations
  • Content sharing policy changes (such as via SharePoint or OneDrive)
  • Changes in malware filter policy
  • Changes in password policy
  • Audit logging policy changes

Be sure to prioritize response to these types of events to ensure that malicious behavior is detected and can be remediated as quickly as possible to minimize damage.

5. Automate threat detection

Finally, organizations should implement correlation rules so that they are alerted with a notification whenever suspicious activity is detected on the network to ensure an appropriate response as quickly as possible. For example, a rule should be created to alert the organization whenever there's an unexpected user login from an abnormal location. Upon receiving that alert, the IT / security team can immediately check on that user's activity in real-time and contact the user to verify, if necessary. If the person who logged in turns out to be an imposter, then the organization can immediately take defensive actions to mitigate any potential damage.
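As an added example covering tips 4 and 5 (not code from the article or from AlienVault), the following correlation logic raises a high-severity alert for the priority event categories listed above and a medium-severity alert for a login from a country the user has never logged in from. The operation names are Office 365 unified audit log `Operation` values as understood by the author of this example and should be checked against your tenant's exported records; the password-policy category is omitted because no operation name is given for it. The IP-to-country table is a constructed stand-in for a GeoIP lookup.

```python
from collections import defaultdict

# Priority categories from tip 4, mapped to audit log operation names
# (assumed names; verify against your tenant's exported records).
PRIORITY_OPERATIONS = {
    "Add member to role.": "privilege change",
    "Add user.": "user added",
    "Delete user.": "user deleted",
    "SharingInvitationCreated": "sharing with an external party",
    "AnonymousLinkCreated": "sharing with an external party",
    "Set-MalwareFilterPolicy": "malware filter policy change",
    "Set-AdminAuditLogConfig": "audit logging policy change",
}

# Constructed stand-in for a GeoIP database (documentation-range addresses).
GEOIP = {"198.51.100.10": "US", "198.51.100.11": "US", "203.0.113.5": "RO"}


def sample_stream():
    """Constructed history and new events, not real tenant data."""
    history = [
        {"UserId": "alice@example.com", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.10"},
        {"UserId": "alice@example.com", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.11"},
    ]
    new = [
        {"UserId": "alice@example.com", "Operation": "UserLoggedIn", "ClientIP": "203.0.113.5"},
        {"UserId": "alice@example.com", "Operation": "Add member to role."},
        {"UserId": "bob@example.com", "Operation": "FileAccessed"},
    ]
    return history, new


def learn_locations(history):
    """Baseline for tip 5: the set of countries each user has logged in from."""
    seen = defaultdict(set)
    for e in history:
        if e["Operation"] == "UserLoggedIn":
            seen[e["UserId"]].add(GEOIP.get(e.get("ClientIP"), "??"))
    return seen


def correlate(events, known_locations):
    """Return (severity, user, reason) alerts in event order."""
    alerts = []
    for e in events:
        user, op = e["UserId"], e["Operation"]
        if op in PRIORITY_OPERATIONS:
            alerts.append(("high", user, PRIORITY_OPERATIONS[op]))
        elif op == "UserLoggedIn":
            country = GEOIP.get(e.get("ClientIP"), "??")
            if country not in known_locations.get(user, set()):
                alerts.append(("medium", user, f"login from unexpected location {country}"))
    return alerts
```

The unexpected-location alert is the trigger for the follow-up the article describes: check the user's recent activity and confirm with the user before treating the session as an impostor.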

Because it is so widely used, Office 365 provides a potential springboard for hackers to launch malware, ransomware, phishing attacks and other threats with the objective of penetrating an organization's internal infrastructure and stealing sensitive information. These attacks are often successful because they target vulnerable human employees, who can easily make mistakes. Fortunately, with the right mix of security best practices and unified solutions, organizations can effectively secure and monitor applications like Office 365, greatly reducing the need to rely on the actions of their users.


About the Author


Jim Hansen is vice president of product management overseeing all of AlienVault's product development initiatives. He is responsible for providing strategic and tactical direction for the AlienVault Unified Security Management (USM) and Open Threat Exchange (OTX) product lines, as well as introducing new products into the marketplace. Jim joined AlienVault in 2013, bringing with him more than 15 years of experience in software consulting and product management, including most recently a director of product management role at Splunk.

Jim holds a BA in Information & Computer Science from UC Irvine. 

Published Tuesday, June 13, 2017 7:02 AM by David Marshall