
Monday, December 19, 2016

A Practical Overview of Office 365 Advanced Security Management - Part 1
Introduction & Audit Logs

In June 2016, Microsoft released its first iteration of Office 365 Advanced Security Management, a new capability within the Office 365 platform that allows organizations to go above and beyond the typical security management features that let them secure users, permissions, content and apps. In September the team added the Productivity App Discovery feature, and in October the solution continued to progress with additional capabilities to manage app permissions.

This multi-part blog series will look at how to use the features that make up Advanced Security Management and share some technical details that you will hopefully find helpful.

In part 1 of this series we introduce Advanced Security Management and share technical details about how it works with the Office 365 Unified Audit Log.
Let's jump in...



Introduction to Advanced Security Management

Advanced Security Management, or ASM, is a new set of security tools integrated into Office 365 that perform advanced threat detection and policy enforcement across your Office 365 workloads.  It helps automatically identify high risk, suspicious activities and allows administrators to implement granular security policies.  It also provides discovery and insight capabilities so that you can provide visibility on 'shadow IT' within your organization.  ASM incorporates signals from several Office 365 services such as the Management Activity API and Microsoft Security Graph, and provides administrators with a dedicated management console for getting a dashboard overview, searching log data, configuring policies and reviewing alerts.

There are a few background details about Advanced Security Management that Office 365 administrators should understand before enabling it:

  • Office 365 Advanced Security Management (ASM) is a subset of the Microsoft Cloud App Security offering. Cloud App Security is a comprehensive service which provides security capabilities to a much broader set of applications beyond Office 365.  It provides features like discovery of a very wide range of cloud applications operating in your network and on all devices going through your company firewalls or proxies. It currently supports approximately 14,000 cloud services in its catalog, and it's important to emphasize that devices must go through the organization's firewalls or proxies or Cloud App Security will not see the traffic. It also provides granular controls and policy enforcement for data shared through your cloud applications. And finally it provides threat protection to detect abnormal user behavior through your cloud applications and help prevent threats. Office 365 ASM integrates the broad capabilities of Cloud App Security directly with Office 365, making it fairly easy to implement across the Office 365 workloads.  Learn more about the underlying technology here:  Microsoft Cloud App Security.
  • Office 365 ASM can be licensed in 1 of 2 ways: you may either license all of your Office 365 users with an E5 license (which gives you more than ASM), or you may specifically purchase the Office 365 ASM add-on license for all users (in addition to another Office 365 user license).  Office 365 does not actually check if all users in fact have one of the required ASM licenses.  So you can enable the feature for a subset of users initially, for evaluation, proof of concept and deployment planning. It is highly recommended that you license all of your users when running it in full production capacity, because you typically won't be able to predict who an attacker will target. However, it is possible to license it for just a portion of your organization if you have particular individuals that might be considered very high value or persistent targets (administrators, executives, etc.). 
  • Office 365 ASM has a very strong connection to and reliance on Microsoft Azure.  Please continue reading to understand how its capabilities make use of Azure.


Activating Advanced Security Management

After adding an E5 license to your Office 365 tenant, you must specifically activate Advanced Security Management:
  • Log in to Office 365 as a Global Administrator
  • Click the Office 365 waffle icon and select Security and Compliance
  • In the left hand menu, click Alerts and then Manage Advanced Alerts

The first screen presented will ask you to select a checkbox to 'Turn on Advanced Security Management for Office 365':



When the E5 or ASM license is added to the customer's Office 365 tenant, a new Azure tenant is automatically provisioned and associated with the customer's Office 365 tenant.  Selecting the 'Turn on...' checkbox will activate ASM and kick off a number of activities behind the scenes:
  • The Cloud App Security service within the new Azure tenant subscribes to the audit log data feed from the customer's Office 365 tenant.  This is the same audit log data you can search within the Office 365 Security and Compliance Center by clicking Search & Investigation > Audit Log Search.
  • Audit log data begins synchronizing from the Office 365 tenant to the new Azure tenant.  This data is not 'anonymized'.  By activating ASM, you are authorizing the audit log data to be transferred from your Office 365 tenant to the associated Azure tenant.
  • ASM begins to build a baseline model which it will ultimately use to detect suspicious user behavior and issue automated alerts.

The baseline model is built for every user and updated periodically as additional data is received.  It is based on both user logins and user activities, such as:
  • Whether the user performs administrator activities or user activities
  • Frequency of activities
  • The device, browser and OS used to access Office 365 (derived from the user agent string)
This process does not currently use Intune so it cannot recognize the device itself - it cannot distinguish specific devices, nor whether the device is company managed or domain-joined.  This process also does not look at the amount of data downloaded by a user because the management activity API (audit log API) does not provide full metadata about files accessed.

Activation only needs to occur the first time you access ASM.  The next time you log in, you'll see the same screen without the checkbox.  Just click Go to Advanced Security Management to access its management console.


Audit Log Data Enrichment

At the core of ASM is the audit log data and signals it receives from your Office 365 tenant and other sources (data logs that you upload, the Microsoft Security Graph, etc.).

If you've ever searched or tried to work with the audit log data provided within the built-in Audit Log Search, you'll find that it is fairly extensive and very useful, but also quite raw.  It is just that: audit log data.  The interpretation is entirely up to you.  There is no threat intelligence built into it; no correlation of IP addresses to known malicious addresses; no heuristics or correlation between multiple events for the same user or location.  The work to understand and make use of that data is up to you.

With ASM, as audit log data is transmitted from your Office 365 tenant it is enriched with additional threat analytics, logic and heuristics - for example, ASM will:
  • Standardize the incoming event: is it an admin activity, a user activity, an activity impersonated by another user, etc.
  • Determine whether the IP address is coming from a Microsoft data center
  • Incorporate Microsoft Security Graph data to determine if the IP address is from a known threat or risky location (ex. a known TOR node or botnet)
  • Interpret the user agent string to display the OS name/version, device type and browser type/version
  • Search for more user activities that are related to a specific activity (ex. if a user uploaded and shared a file, quickly find out who accessed or downloaded the file)
  • Incorporate known IP addresses defined by an administrator for the organization when determining which activities to raise alerts on.  For example, they could list their VPN subnet addresses as known addresses and thereby make their alerts smarter.
We can easily compare audit log results from the 2 solutions by bringing them up side-by-side and immediately seeing some of the differences.

In the built-in Office 365 Audit Log Search function, here is an example of the results returned when we perform a search:

We get the date/time, originating IP address, username, activity name, item acted upon and a list of raw details.  If we click on a line we're presented with a list of that raw detail:


Many of the details are listed in their full technical form.  Again, this is all very useful data, but it is raw and requires your own interpretation and correlation with other events.

ASM allows us to perform simple or complex searches against the same data set.  If we look at an example of the search results, we get similar data but with a view that is easier to read and some details summarized for us.  We're presented with an activity name that is more meaningful, the user, the app from which the entry was reported, originating IP address, the physical location of that IP (country), the device type, OS version and browser type/version (seen by hovering over the icons), and the date/time.

If we click on a line in our search results, we're given a summarized view that may be much more meaningful depending on the event:


We get the city, state and country of the originating IP address, and the ISP through which that IP is assigned.  We also get the full username and the Azure AD groups to which that user belongs.  If the entry matches any currently configured policies, those will be listed as well under 'Matched Policies'.  Here is another example of a file access entry:


In addition, we can easily determine if there are other activities in the log which are related to this IP address, this user, this type of activity or this country/region by clicking the ... beside the entry and selecting one of the actions:



Audit log data enrichment is a big part of the value which Advanced Security Management provides Office 365 customers.  These are just some current, simple examples of logic and signals added to the management activity API feed as it comes into ASM.  We do hope to see some additional intelligence added over time, given the breadth of data available from Office 365 workloads - in particular more specific data about our users, about our files and about the SharePoint and Office 365 groups that our users belong to.
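To make the enrichment steps from this section concrete, here is an added example (not ASM's or Microsoft's code) that takes constructed rows in the shape of an Audit Log Search export (CreationDate, UserIds, Operations and the raw AuditData JSON), classifies the actor, checks the client IP against an administrator-maintained known-address list, interprets the user agent string, and applies one simple correlation rule of the kind ASM adds on top of the raw feed. The sample values, the VPN subnet and the UserType-to-admin mapping are assumptions.

```python
import ipaddress
import json
import re

# Constructed sample rows shaped like an Office 365 Audit Log Search export:
# a few top-level columns plus the raw AuditData JSON. All values are made up.
SAMPLE_ROWS = [
    {"CreationDate": "2016-12-19T14:02:11", "UserIds": "alice@contoso.example",
     "Operations": "FileDownloaded", "AuditData": json.dumps({
         "ClientIP": "10.20.30.40", "UserType": 0, "Workload": "SharePoint",
         "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64) Chrome/55.0.2883"})},
    {"CreationDate": "2016-12-19T03:15:48", "UserIds": "admin@contoso.example",
     "Operations": "Add member to role.", "AuditData": json.dumps({
         "ClientIP": "203.0.113.77", "UserType": 2, "Workload": "AzureActiveDirectory",
         "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Safari/602.1"})},
]
# Known addresses an administrator would maintain (assumed VPN subnet).
KNOWN_ORG_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]
# UserType 2 (Admin) and 3 (DcAdmin) are treated as admin actors: an assumption
# about the audit schema, not something the post states.
ADMIN_USER_TYPES = {2, 3}

def parse_user_agent(ua):
    """Small user-agent interpreter: recover the OS token and browser/version."""
    os_name, browser = "Unknown", "Unknown"
    m = re.search(r"(Windows NT [\d.]+|Mac OS X [\d_]+)", ua)
    if m:
        os_name = m.group(1).replace("_", ".")
    m = re.search(r"(Chrome|Firefox|Edge|Safari)/([\d.]+)", ua)
    if m:
        browser = m.group(1) + " " + m.group(2)
    return os_name, browser

def enrich(row):
    """Turn one raw audit row into the summarized view ASM presents."""
    data = json.loads(row["AuditData"])
    ip = ipaddress.ip_address(data["ClientIP"])
    os_name, browser = parse_user_agent(data.get("UserAgent", ""))
    return {"time": row["CreationDate"], "user": row["UserIds"],
            "activity": row["Operations"], "app": data.get("Workload"),
            "actor": "admin" if data.get("UserType") in ADMIN_USER_TYPES else "user",
            "known_ip": any(ip in net for net in KNOWN_ORG_NETWORKS),
            "os": os_name, "browser": browser}

def alert_reasons(event):
    """Correlation rule in the spirit of ASM: admin activity from an unknown IP."""
    if event["actor"] == "admin" and not event["known_ip"]:
        return ["admin activity from an IP address outside the known org ranges"]
    return []
```

Running `enrich` and `alert_reasons` over the two sample rows flags only the off-hours role change from the unknown address; a real known-address list and a richer user-agent parser would replace the placeholders here.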

Audit Log Data Retention

Another important distinction between the Office 365 audit log data feature and ASM is that Office 365 retains audit log data for a maximum of 90 days.  However, ASM retains audit log data for 6 months.  This is important when corporate security policies or regulations require you to be able to investigate data breaches for longer periods of time after they have occurred. 

Often, data breaches are not discovered for several months after they have occurred and this data becomes critical to performing analysis to determine how a breach occurred and how to prevent it in the future.  To be honest, even 6 months can seem a bit short.  In several organizations where I've performed cybersecurity audits, they often have requirements to maintain audit log data for up to 1 year.  If you're in that situation you may need to look for an additional solution to store such audit data longer term (for example, Microsoft Operations Management Suite).

What's Next...

This was just a quick introduction to the Office 365 Advanced Security Management solution, how to activate it and the data which is incorporated into policies and alerts.  There are a lot more exciting security capabilities to look at!

In part 2 and 3 of this series, we'll look at the Discovery Dashboard, how to bring in data from other internal systems and how to configure policies & alerts.

Enjoy.
   -Antonio

1 comment:

  1. Microsoft Office has always been safe and useful. To me, it is the most important thing for any of my devices, whether it is a mobile or a laptop. I am really glad that they improved their security management as well.
