How to Better Secure Your Microsoft 365 Environment
Security experts offer Microsoft 365 security guidance as more attackers target enterprise cloud environments.
Cloud security concerns have long been top-of-mind for many IT security pros tasked with protecting data, applications, and infrastructure in cloud environments, but they became a priority for just about everyone in 2020 as businesses scrambled to support remote employees.
Securing Microsoft 365 is a big part of this conversation, both because of its ubiquity in global organizations and a recent surge in cyberattacks targeting enterprise cloud platforms. A Jan. 13 alert from the DHS' Cybersecurity and Infrastructure Security Agency (CISA) warned companies of "several recent successful cyberattacks" against cloud services. Many attacks occurred when employees worked remotely and used corporate and personal devices to access cloud services.
This trend was underscored by the recent discovery of the SolarWinds cyberattack, a large, complex campaign targeting US government agencies and businesses, including Microsoft. While many victims were infected via SolarWinds software updates, it was recently revealed Malwarebytes was targeted by the same attackers via another vector that gained privileged access to Microsoft 365 and Azure.
While SolarWinds was an especially complicated and widespread attack, there are many more common cloud threats that businesses should be worried about.
Organizations experienced an average of 2.8 cloud security incidents in the past 12 months, Netwrix researchers found in their Cloud Data Security Report. Most common are phishing attacks (40%), ransomware or other malware attacks (24%), accidental data leakage (17%), targeted attacks on cloud infrastructure (16%), and account compromise (16%).
Fortunately for IT and security teams, there are many steps they can take to lock down Microsoft 365 environments and protect businesses from these common cloud-focused attacks. For starters, it's essential to learn which security tools come with your Microsoft 365 package.
"Despite the rebranding to Microsoft 365, Microsoft licensing remains complex," says Rick Holland, CISO and vice president of strategy at Digital Shadows. Customers must choose from one of several options: Business Basic, Business Standard, Business Premium, Enterprise F3, Enterprise E3, and Enterprise F5, each of which has a different range of tools and functionalities.
"It is essential to understand what security features your license entitles you to and what you may be missing," Holland says.
When businesses are required to rapidly adopt new technologies, such as moving to the cloud, the need for accessibility is sometimes prioritized over security, says FireEye Mandiant director Matthew McWhirt.
As a direct result, security teams often aren't included in the initial cloud journey, which can lead to poor visibility and detection capabilities, insufficient hardening, and false assumptions of default security controls and settings based on the cloud's shared responsibility model.
"When security is not prioritized in the initial planning and understanding process related to cloud platforms, organizations will be constantly playing catch-up -- and attempting to review and bolster security controls and detections after the fact," McWhirt explains. By neglecting security in use-case planning and design, they create a gap that is never successfully closed.
Businesses must properly identify specific use cases for the cloud and ensure security teams are included in the planning process from the start. This ensures they're using the right scope of security controls, logging, detections, and hardening capabilities relevant to the cloud platform.
"As an additional measure to avoid drift, organizations can also leverage specific technologies to continually test and validate the effectiveness of enforced security controls and monitoring for cloud environments," he adds.
Businesses must take time to review default configurations and determine whether they meet their security needs, says Patrick Hevesi, vice president and analyst with Gartner for Technical Professionals (GTP). Oftentimes they may need to adjust the default settings.
"It's about reviewing the default, does it make sense to your organization, and then coming up with whatever posture management you need to have," he says. Over time, they will need to continue checking the settings to ensure their security posture suits the business needs.
Cloud security misconfigurations are among the most prominent cloud security issues seen since the COVID-19 pandemic started and cloud adoption escalated, says Chris Hass, director of information security and research at Automox.
"Rushing into any technology often opens your organization up to potential security issues," he says. "It's crucial that organizations do their due diligence in evaluating cloud adoption and that their security teams are involved from the very beginning." It's much easier to build around security controls already in place, he adds, than to fit them in later.
Microsoft advises sticking as close to the default settings as the environment allows; however, it's worth noting the defaults aren't right for everyone. If a business uses Conditional Access to make decisions and enforce business-wide policies, or uses Azure Active Directory Premium licenses, default settings are likely not the best choice. If an organization has complex security requirements, they should consider Conditional Access (more details on this later on).
Ensuring the right data controls are in place is usually a major part of any conversation about Microsoft 365 security, Hevesi says of his calls with customers.
"Data protection is probably the biggest trend," he notes. "How do I protect my data, how do I know where it's going, is it secured, making sure sensitive data is encrypted when it leaves."
Many businesses inadvertently leave data vulnerable when they turn on Teams, email, SharePoint, and other applications without turning on data loss prevention (DLP), Hevesi says.
"A lot of organizations are opening things up now, especially as we're working from home," he says. Employees may be using personal devices to access corporate resources; as a result, they may need access to Microsoft applications from laptops or desktops that lack protections.
But when left permissive, these apps open the door for employees to create a new team, share information externally, or take other risky actions. Once shared data starts to circulate, IT and security teams then have to scan what's out there to see if they can lock it down.
He advises practitioners to enable stricter permissions early on, so they have time to properly configure DLP and educate employees on security practices. These restrictions can then be lifted when tools are in place, features are turned on, and employees know how to use them.
"We say start with locked down external sharing until you get the DLP and the data classification and data monitoring of the CASB (cloud access security broker) in place, and then train employees on how to do this properly," he explains. It's safer to be more restrictive while employees are being trained, then open up permissions so they can meet business needs.
Administrative accounts in a Microsoft 365 environment have elevated privileges, which makes them valuable attacker targets; they should only be used for administrative tasks. Microsoft advises admins to keep a separate user account for regular, non-admin use to limit privileged access.
Admin accounts should be configured with MFA and used carefully. Before using an admin account, an employee should close unrelated browser sessions and apps, including personal email accounts; after completing admin tasks, they should log out of the browser session.
Accounts with privileged permissions are oftentimes more than just those assigned the "Global Administrator" role, says McWhirt. He encourages admins to review and validate the scope of accounts assigned privileged permissions and roles within Microsoft 365, and to use separate cloud-only accounts for managing the Microsoft 365 tenant.
"It's not uncommon to provide too many administrative accounts when quickly adopting a new technology," says Hass. "These permissions are rarely restricted later on." Following the rule of least privilege, he adds, is "extremely important."
Privileged accounts used to access and manage Microsoft 365 resources should only be allowed to connect from trusted locations, FireEye experts write in a whitepaper on hardening Microsoft 365 in the wake of SolarWinds. These locations usually consist of public IP address blocks managed by the business.
Before enforcing this policy, experts advise admins to test it in Report-Only mode to ensure the configuration works as expected. This prevents accounts from being locked out of Microsoft 365, they say.
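The trusted-location restriction described above, as an added example written for this article (not FireEye's or Microsoft's own code): it uses the Microsoft Graph PowerShell module to create a named location and a Conditional Access policy that blocks the privileged roles from anywhere else, starting in report-only mode. The CIDR block, role list and break-glass placeholder are assumptions; replace them with your own values.

```powershell
# Added example: admin roles restricted to a trusted location, report-only first.
# Assumes the Microsoft.Graph module and Conditional Access Administrator rights.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','RoleManagement.Read.Directory'

# 1. Trusted named location. The CIDR is a documentation range used as a
#    placeholder; substitute the public egress blocks your organization manages.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate egress (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. Resolve role template IDs by display name instead of hard-coding GUIDs.
#    Extend this list to every role you consider privileged, not just Global Admin.
$roleNames = 'Global Administrator','Exchange Administrator','SharePoint Administrator',
             'Security Administrator','Conditional Access Administrator'
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id

# 3. The policy: target the roles, include all locations, exclude the trusted one,
#    apply "block". State is report-only, so nothing is enforced yet; sign-ins are
#    evaluated and the outcome is written to the sign-in logs.
#    Always exclude an emergency-access (break-glass) account from a blocking policy.
$breakGlassId = '<break-glass-account-object-id>'   # placeholder
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Admins: require trusted location (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeRoles = $roleIds; excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
"Created policy $($policy.Id) in state $($policy.State)"

# 4. After a review period, check the report-only results (sign-in logs, Report-only
#    tab, or Get-MgAuditLogSignIn) for admin sign-ins that would have been blocked.
#    Only then flip the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = 'enabled' }
```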
Focusing on identity is one of the key steps to protecting Microsoft 365 environments.
MFA is an effective way to boost account security and a must-have for all accounts with access to a Microsoft 365 tenant. It should at least be used for admin access to Microsoft 365, including access to Exchange Online and Azure AD PowerShell Management, FireEye experts write in their whitepaper.
"MFA, as we just saw, is not infallible," says Hevesi, citing the SolarWinds attack. However, MFA, combined with user behavior analytics around identity, can be essential to detecting anomalies that indicate an attack.
Businesses using Microsoft 365 can add a setting that requires users to log in using MFA. When this option is enabled, they'll be prompted to set up MFA on their phone next time they log in. MFA is enabled when security defaults are turned on, Microsoft notes in a security blog post.
"Password spray attacks are still some of the most common and effective techniques," a Microsoft spokesperson says, noting employees still pick passwords that are easy to predict. "So, enabling MFA is really the number one thing you can do to protect organizations against the most common threats."
Hevesi says a common problem with enabling MFA has been providing smartphones for employees who either don't have one, or don't want to use their personal device to access a call, text, or Authenticator-style app that could serve as the second factor.
"It's becoming more commonplace now," he says of MFA. But while IT and security teams say they understand the value of MFA, there remain obstacles that stand in the way of implementation.
Some attackers try to breach Microsoft 365 environments using legacy authentication protocols that haven't been disabled (SMTP, IMAP, and POP), says McWhirt. Unfortunately, he adds, businesses may not realize legacy protocols are enabled for their tenant, and some resources and services may be accessed using only a valid username and password, bypassing security controls such as MFA.
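A way to find out whether those legacy protocols are still reachable in your own tenant, added here as an example (not from the article): a read-only audit with the ExchangeOnlineManagement module that lists mailboxes where POP, IMAP or SMTP AUTH remain enabled, with the remediation left commented out. It assumes an Exchange Administrator role.

```powershell
# Added example: audit legacy protocol exposure (POP, IMAP, SMTP AUTH) in Exchange Online.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide switch: when $true, SMTP AUTH is off for every mailbox unless a
# mailbox explicitly re-enables it.
$tenant = Get-TransportConfig
"Tenant SmtpClientAuthenticationDisabled: $($tenant.SmtpClientAuthenticationDisabled)"

# Per-mailbox settings. SmtpClientAuthenticationDisabled is tri-state:
# $null means the mailbox inherits the tenant value above.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.PopEnabled -or $_.ImapEnabled -or
        ($_.SmtpClientAuthenticationDisabled -eq $false) -or
        ($null -eq $_.SmtpClientAuthenticationDisabled -and -not $tenant.SmtpClientAuthenticationDisabled)
    } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

$exposed | Format-Table -AutoSize
"$(@($exposed).Count) mailbox(es) still reachable over a legacy protocol"

# Does an authentication policy already refuse basic auth on these protocols?
# (Protocol enabled + basic auth allowed = username/password alone gets in.)
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthPop, AllowBasicAuthImap, AllowBasicAuthSmtp

# Remediation: uncomment after confirming nothing legitimate (a scanner, a
# line-of-business app that sends mail over SMTP AUTH) still depends on these.
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# $exposed | ForEach-Object {
#     Set-CASMailbox -Identity $_.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false
# }
```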
Cloud access security broker (CASB) tools have grown to become an essential part of data protection as businesses more heavily depend on cloud applications, Hevesi says.
"CASB has been one of those tools that, as you adopt cloud, becomes one of those mission critical tools," he explains. Microsoft Cloud App Security (MCAS) is a CASB that operates across multiple clouds and helps IT and security teams gain more visibility into data so they can detect threats. Gartner advises Microsoft 365 admins to deploy MCAS or a third-party CASB for more visibility.
The CASB is there to double-check DLP and data classification, and catch actions like sharing highly sensitive files. If an employee suddenly starts sharing critical documents, or starts syncing their OneDrive to another machine, a CASB tool will pick up on it.
"It's that analysis of what's happening deeper into Microsoft 365, or whatever cloud apps you're using -- that becomes key," Hevesi says of the CASB's role. Admins benefit from a single place where they can view activity across cloud applications.
"Now that you have one cloud application, let's make sure you get all the other applications underneath the CASB so you have a single pane of glass to protect all your cloud applications and you can understand the risk across that," Hevesi says. An IT security admin must know the risk across cloud apps, and a CASB can help them do that.
Conditional Access lets admins control the apps and devices that connect to their corporate resources. This gives them more detailed access control to protect corporate data, and they can define conditions that restrict access to data based on the location, device, user, and app.
"Conditional Access is about, what do I need to feel safe about the user, about the device, about the location they're coming from to allow them access to the service," Hevesi says. It's a key concern among businesses that want to manage devices in a more modern way, he says.
The functionality is part of Azure Active Directory with an Azure AD Premium license, Microsoft says. With Microsoft Intune, companies can build on Conditional Access by adding mobile device compliance and app management.
IT and security teams can use Conditional Access to determine the risk profile of mobile devices. It works with Windows Defender ATP and third-party mobile threat defense (MTD) tools as well and checks for malicious apps, network threats, suspicious behavior, vulnerabilities, and potentially dangerous configuration changes, then grants access based on the device risk.
To enable this, admins can access the Conditional Access and Sign-In Risk device threat protection settings under the policy section of the Intune or Azure AD management console. Gartner recommends the step for businesses with large mobile deployments; this would ensure that only secure mobile devices access Microsoft 365 environments.
Microsoft 365 comes with malware protection built in; however, admins can take additional steps to block malware and ransomware by configuring their mail settings to block attachments with file types commonly used for malware or ransomware.
The processes for creating both mail flow rules are outlined in detail on Microsoft's website. Admins essentially create two rules: the first warns users before they open file attachments that include macros; the second blocks file types that could contain ransomware or other malicious code.
In the same post are steps to prevent auto-forwarding, a measure to defend against attackers who gain access to an employee's email account. This helps ensure intruders can't leverage their access to exfiltrate emails or gain further access in an employee's account, Microsoft says.
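The two mail flow rules and the auto-forwarding control described above, as an added example in Exchange Online PowerShell rather than admin-center clicks (this is not the article's or Microsoft's own code). Rule names, disclaimer text and the extension lists are my choices; adjust them to your environment.

```powershell
# Added example: macro warning rule, malicious-attachment block, auto-forward off.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Rule 1: warn recipients when an attachment is a macro-enabled Office file.
$macroExtensions = 'docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam','ppsm','sldm'
New-TransportRule -Name 'Warn: macro-enabled attachment' `
    -AttachmentExtensionMatchesWords $macroExtensions `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:red"><b>Caution:</b> this message carries a macro-enabled attachment. Do not enable content unless you expected this file from this sender.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Comments 'Raise awareness before a user enables macros'

# Rule 2a: reject file types commonly used to deliver malware or ransomware.
$blockedExtensions = 'ade','adp','bat','chm','cmd','com','cpl','exe','hta','ins','isp',
                     'jar','js','jse','lib','lnk','mde','msc','msp','mst','pif','scr',
                     'sct','shb','sys','vb','vbe','vbs','vxd','wsc','wsf','wsh'
New-TransportRule -Name 'Block: executable or script attachments' `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText 'Blocked by policy: attachment type not permitted.'

# Rule 2b: extension lists are easy to evade by renaming; this condition inspects
# the attachment's actual content, so a .exe renamed to .txt is still rejected.
New-TransportRule -Name 'Block: executable content regardless of extension' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Blocked by policy: attachment contains executable content.'

# Auto-forwarding: disable it in the outbound spam policy so a compromised
# mailbox cannot silently copy mail to an external address.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Verify what is now in force.
Get-TransportRule | Where-Object { $_.Name -like 'Block:*' -or $_.Name -like 'Warn:*' } |
    Select-Object Name, State, Priority
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object AutoForwardingMode
```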
Office Message Encryption, also included in Microsoft 365, lets employees send and receive encrypted email messages between people inside and outside the business. When sending mail with Office Message Encryption, employees have the option to encrypt, or add "do not forward" to a message.
There are some training aspects involved behind all these steps, Hevesi says, and it's essential to teach employees how to use Microsoft 365 securely.
"Most people want to do the right thing, but you need to explain to them what the right thing is," he says.
Microsoft advises training employees on basic Microsoft 365 security practices, which can go a long way in protecting both personal and enterprise data.
"Employee training should center first on strong passwords and social engineering awareness, using integrated simulation and training programs," a Microsoft spokesperson said in a statement to Dark Reading. Attackers continue to rely on social engineering and tailor their phishing lures to include current events, using common concerns to trick people into clicking links.
Employees should know to avoid opening attachments or clicking links in unsolicited emails, texts, or calls -- even if the message comes from a source they recognize, and especially if it requests information. They should know to delete emails that pretend to come from official sources but have typos or grammatical errors, or any message that requests they download software.
"Basic cyber hygiene can go a long way," Hass says.