The COVID-19 pandemic has resulted in significant changes to working patterns for most organisations, with a more geographically dispersed workforce than ever before. Many organisations are making more and more use of Microsoft 365 (formerly known as Microsoft Office 365) for collaboration. Security of a Microsoft 365 tenant starts with visibility of operations, yet many organisations remain unaware of the day-to-day activity and usage of the platform.
In the box
Microsoft provides a Security & Compliance Center for Microsoft 365 in which alerts can be viewed. Alert policies can also be enabled to send emails, but these need to be configured for each combination of severity and type, which is a significant setup and maintenance task. In addition, depending on your licence, you may have access to Microsoft Cloud App Security. However, this is aimed more at a high-level CASB-style dashboard across all your cloud applications, and its discovery view relies on ingesting traffic logs from your network appliances.
None of these solutions makes it easy to get a handle on your Microsoft 365 security posture or to quickly identify threats and patterns of behaviour.
As a cloud services organisation specialising in security, RedBear has considerable experience working with both small and large organisations to support their remote working solutions. RedBear offers a fully managed, NIST-based security service covering monitoring and triage of incidents before passing them to the customer for remediation. For AWS-based solutions, we also offer full remediation and automated response capability for the environments.
Security Monitoring of Microsoft 365
Microsoft 365 provides a cloud-based platform for business productivity; its core offerings include email (Exchange Online), SharePoint, Azure Active Directory, Teams and OneDrive. That breadth of functionality also creates several opportunities for security issues to arise unseen. RedBear has built and run Microsoft 365 security monitoring for its financial services and Government clients for several years; the result is a mature and comprehensive offering that goes significantly beyond Microsoft's out-of-the-box security monitoring.
In response to organisations' teams now working remotely, RedBear has unbundled the Microsoft 365 monitoring service as a stand-alone offering to provide low-cost, high-value enhanced security where required.
Key areas covered by RedBear's Security Monitoring of Microsoft 365 include:
- Detection of, and alerting on, failed logins to Azure Active Directory from inside and outside Australia;
- Anomalous user access patterns (failed and successful) across the core products, including changes in location and behaviour;
- Identification of impossible travel scenarios (login attempts from geographically dispersed locations within a short time window) across the core products;
- Access to SharePoint and OneDrive objects from external domains, including public sharing of objects;
- Identification of privileged operations within Microsoft 365;
- Security & Compliance Center alerting, such as suspected phishing emails;
- Usage statistics across Exchange and OneDrive (information such as top sites/URLs and upload/download volumes);
- Behaviour that may indicate a compromised Exchange mailbox;
- Administrators changing their own account or group membership in Azure Active Directory.
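Three of the detections listed above (failed logins from outside Australia, impossible travel between successful logins, and an administrator modifying their own group membership) are simple enough to show as rules run over audit records. The block below is an added illustration written for this page, not RedBear's own detection code. The sample records are constructed to resemble Azure Active Directory events as delivered by the Office 365 Management Activity API (fields such as CreationTime, Operation, UserId, ClientIP, ResultStatus, ObjectId); the IP-to-location table stands in for a real GeoIP database, and the 900 km/h speed threshold and home country are assumptions.

```python
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed IP -> (country, latitude, longitude) lookup, standing in for a GeoIP database.
GEO = {
    "203.0.113.10": ("AU", -33.87, 151.21),  # Sydney
    "198.51.100.7": ("US", 40.71, -74.01),   # New York
    "192.0.2.55": ("RU", 55.76, 37.62),      # Moscow
}

HOME_COUNTRY = "AU"       # assumption: the tenant's workforce is expected to sign in from Australia
MAX_SPEED_KMH = 900.0     # assumption: anything faster than an airliner counts as impossible travel

# Constructed audit log (one JSON record per line) shaped like Management Activity API records.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2024-05-01T01:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-05-01T02:30:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-05-01T03:00:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "192.0.2.55", "ResultStatus": "Failed", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-05-01T03:05:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Failed", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-05-01T04:00:00", "Operation": "Add member to group.", "UserId": "admin@example.com",
     "ObjectId": "admin@example.com", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-05-01T04:01:00", "Operation": "Add member to group.", "UserId": "admin@example.com",
     "ObjectId": "carol@example.com", "Workload": "AzureActiveDirectory"},
])


def load_records(jsonl):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect(records):
    """Return (rule, user, detail, extra) tuples for the three rules, in detection order."""
    alerts = []
    successes = defaultdict(list)  # user -> [(time, (lat, lon), ip)]
    for r in records:
        op = r.get("Operation")
        if op == "UserLoggedIn":
            country, lat, lon = GEO.get(r.get("ClientIP"), ("??", None, None))
            # Rule 1: failed login sourced from outside the home country (unknown country also alerts).
            if r.get("ResultStatus") != "Success" and country != HOME_COUNTRY:
                alerts.append(("failed_login_foreign", r["UserId"], r["ClientIP"], country))
            elif r.get("ResultStatus") == "Success" and lat is not None:
                successes[r["UserId"]].append((parse_time(r["CreationTime"]), (lat, lon), r["ClientIP"]))
        # Rule 3: an administrator adding themself to a group (actor and target are the same principal).
        elif op == "Add member to group." and r.get("UserId", "").lower() == r.get("ObjectId", "").lower():
            alerts.append(("admin_self_group_change", r["UserId"], r["ObjectId"], op))
    # Rule 2: impossible travel between consecutive successful logins of the same user.
    for user, events in successes.items():
        events.sort(key=lambda e: e[0])
        for (t1, p1, ip1), (t2, p2, ip2) in zip(events, events[1:]):
            km = haversine_km(p1, p2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                alerts.append(("impossible_travel", user, f"{ip1}->{ip2}", f"{km:.0f}km in {hours:.2f}h"))
    return alerts


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_AUDIT_LOG)):
        print(alert)
```

On the constructed log this raises three alerts: bob's failed login from the Russian address, the administrator adding themself to a group, and alice "travelling" roughly 16,000 km between Sydney and New York in ninety minutes. Bob's second failure, from a Sydney address, is deliberately not alerted on by rule 1; in practice a volume threshold on failed logins from inside the home country would sit alongside it.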
RedBear uses both dashboards and alerts as part of our Security Managed Services solution.
How can RedBear help immediately?
Let us get it up and running and demonstrate the value!
To help our clients gain immediate security visibility of their Microsoft 365 environments, RedBear is offering a proof-of-concept trial of Microsoft 365 monitoring on our existing managed security services platform. All your data will be encrypted and will remain in Australia (within the AWS Sydney region).
For Microsoft 365, you will need to grant our platform access to your tenant. We don't require a dedicated user account and we store no credentials; you retain control to enable and disable the access at any time. Once we have access to the log data, we will enable the dashboards and alerts. Alert notifications can be delivered to you via a variety of channels, including SMS, email, ServiceNow and Slack.