In June 2016, Microsoft released its first iteration of Office 365 Advanced Security Management, a new capability within the Office 365 platform that allows organizations to go above and beyond the typical security management features that let them secure users, permissions, content and apps. In September the team added the Productivity App Discovery feature, and in October the solution continued to progress with additional capabilities to manage app permissions.
This multi-part blog series will look at how to use the features that make up Advanced Security Management and share some technical details that you will hopefully find helpful.
In part 1 of this series we introduce Advanced Security Management and share technical details about how it works with the Office 365 Unified Audit Log.
Let's jump in...
Introduction to Advanced Security Management
Advanced Security Management, or ASM, is a new set of security tools integrated into Office 365 that perform advanced threat detection and policy enforcement across your Office 365 workloads. It helps automatically identify high risk, suspicious activities and allows administrators to implement granular security policies. It also provides discovery and insight capabilities so that you can gain visibility into 'shadow IT' within your organization. ASM incorporates signals from several Office 365 services such as the Management Activity API and Microsoft Security Graph, and provides administrators with a dedicated management console for getting a dashboard overview, searching log data, configuring policies and reviewing alerts.
There are a few important background details about Advanced Security Management that are important for Office 365 administrators to understand before enabling it:
- Office 365 Advanced Security Management (ASM) is a subset of the Microsoft Cloud App Security offering. Cloud App Security is a comprehensive service which provides security capabilities to a much broader set of applications beyond Office 365. It provides features like discovery of a very wide range of cloud applications operating in your network and on all devices going through your company firewalls or proxies. It currently supports approximately 14,000 cloud services in its catalog, and it's important to emphasize that devices must go through the organization's firewalls or proxies or Cloud App Security will not see the traffic. It also provides granular controls and policy enforcement for data shared through your cloud applications. And finally it provides threat protection to detect abnormal user behavior through your cloud applications and help prevent threats. Office 365 ASM integrates the broad capabilities of Cloud App Security directly with Office 365, making it fairly easy to implement across the Office 365 workloads. Learn more about the underlying technology here: Microsoft Cloud App Security.
- Office 365 ASM can be licensed in 1 of 2 ways: you may either license all of your Office 365 users with an E5 license (which gives you more than ASM), or you may specifically purchase the Office 365 ASM add-on license for all users (in addition to another Office 365 user license). Office 365 does not actually check if all users in fact have one of the required ASM licenses. So you can enable the feature for a subset of users initially, for evaluation, proof of concept and deployment planning. It is highly recommended that you license all of your users when running it in full production capacity, because you typically won't be able to predict who an attacker will target. However, it is possible to license it for just a portion of your organization if you have particular individuals that might be considered very high value or persistent targets (administrators, executives, etc.).
- Office 365 ASM has a very strong connection to, and reliance on, Microsoft Azure. Please continue reading to understand how the capability uses Azure.
Activating Advanced Security Management
- Login to Office 365 as a Global Administrator
- Click the Office 365 waffle icon and select Security and Compliance
- In the left hand menu, click Alerts and then Manage Advanced Alerts
- The Cloud App Security service within the new Azure tenant subscribes to the audit log data feed from the customer's Office 365 tenant. This is the same audit log data you can search within the Office 365 Security and Compliance Center by clicking Search & Investigation > Audit Log Search.
- Audit log data begins synchronizing from the Office 365 tenant to the new Azure tenant. This data is not 'anonymized'. By activating ASM, you are authorizing the audit log data to be transferred from your Office 365 tenant to the associated Azure tenant.
- ASM begins to build a baseline model of each user's normal behavior, which it will ultimately use to detect suspicious user behavior and issue automated alerts. The baseline takes into account factors such as:
- Whether they perform administrator activities or user activities
- Frequency of activities
- The device, browser and OS used to access Office 365 (derived from the user agent string)
Audit Log Data Enrichment
If you've ever searched or tried to work with audit log data provided within the built in Audit Log Search, you'll find that it is fairly extensive and very useful, but also quite raw. It is just that: audit log data. The interpretation is entirely up to you. There is no threat intelligence built into it; no correlation of IP addresses to known malicious addresses; no heuristics or correlation between multiple events for the same user or location. The work to understand and make use of that data is up to you. ASM enriches that raw feed as it comes in, for example:
- Standardize the incoming event: classify it as an admin activity, a user activity, an activity performed by one user impersonating another, etc.
- Determine whether the IP address belongs to a Microsoft data center
- Incorporate Microsoft Security Graph data to determine if the IP address is associated with a known threat or risky location (e.g. a known Tor node or botnet)
- Interpret the user agent string to display the OS name/version, device type and browser type/version
- Search for more user activities that are related to a specific activity (e.g. if a user uploaded and shared a file, quickly find out who accessed or downloaded the file)
- An administrator can define known IP addresses for the organization, which are then taken into account when deciding which activities should raise alerts. For example, they could list their VPN subnet addresses as known addresses and thereby make their alerts smarter.
Audit log data enrichment is a big part of the value which Advanced Security Management provides Office 365 customers. These are just some current, simple examples of logic and signals added to the Management Activity API feed as it comes into ASM. We do hope to see some additional intelligence added over time, given the breadth of data available from Office 365 workloads - in particular more specific data about our users, about our files and about the SharePoint and Office 365 groups that our users belong to.
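To make the enrichment steps above concrete, here is an added illustration (not Microsoft's code and not ASM's actual logic) that applies the same kinds of signals to constructed audit records: the known-network list stands in for the admin-defined VPN subnets, and the data-center range and threat feed are placeholders for the Microsoft data-center and Security Graph lookups ASM performs.

```python
import ipaddress
import re

# Constructed stand-ins for the signals the post lists: an admin-defined known network
# (the VPN-subnet example), a Microsoft data-center range and a Security Graph style feed.
KNOWN_ORG_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MS_DATACENTER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder, not a real range
RISKY_IPS = {"203.0.113.77": "known TOR node"}                  # placeholder threat feed
OS_PATTERNS = [(r"Windows NT 10\.0", "Windows 10"), (r"Windows NT 6\.1", "Windows 7"),
               (r"iPhone OS", "iOS"), (r"Mac OS X", "macOS"), (r"Android", "Android")]

SAMPLE_EVENTS = [  # constructed, in the shape of the Management Activity API common schema
    {"UserId": "admin@contoso.example", "UserType": 2, "Workload": "Exchange",
     "Operation": "Set-Mailbox", "ClientIP": "10.20.5.9",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/54.0 Safari/537.36"},
    {"UserId": "bob@contoso.example", "UserType": 0, "Workload": "SharePoint",
     "Operation": "FileDownloaded", "ClientIP": "203.0.113.77",
     "UserAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) Safari/602.1"},
]

def parse_user_agent(ua):
    """Reduce a raw user-agent string to OS, device type and browser/version."""
    os_name = next((n for pat, n in OS_PATTERNS if re.search(pat, ua)), "unknown")
    device = "mobile" if re.search(r"iPhone|Android|Mobile", ua) else "desktop"
    hits = [(b, m.group(1)) for b in ("Edge", "Firefox", "Chrome", "Safari")
            if (m := re.search(rf"{b}/(\d+)", ua))]  # priority order: Chrome UAs also say Safari/
    browser = f"{hits[0][0]} {hits[0][1]}" if hits else "unknown"
    return {"OS": os_name, "Device": device, "Browser": browser}

def classify_activity(event):
    """Admin vs user activity, or delegated access to someone else's mailbox."""
    owner = event.get("MailboxOwnerUPN")  # Exchange mailbox audit field
    if owner and owner.lower() != event["UserId"].lower():
        return "impersonated"
    return "admin" if event.get("UserType") == 2 else "user"  # UserType 2 = Admin

def ip_context(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in KNOWN_ORG_NETS):
        return "known organization address"
    if any(ip in net for net in MS_DATACENTER_NETS):
        return "Microsoft data center"
    return RISKY_IPS.get(ip_str, "external")

def enrich(event):
    """Return a copy of the record with ASM-style derived fields added."""
    out = dict(event, ActivityClass=classify_activity(event),
               IPContext=ip_context(event["ClientIP"]),
               **parse_user_agent(event.get("UserAgent", "")))
    # Alert on threat-listed addresses, and on admin or impersonated activity from
    # anywhere that is neither a known organization address nor a Microsoft range.
    out["RaiseAlert"] = event["ClientIP"] in RISKY_IPS or (
        out["ActivityClass"] != "user" and out["IPContext"] == "external")
    return out
```

Running `enrich` over `SAMPLE_EVENTS` leaves the admin change from the VPN subnet unflagged while the download from the Tor-listed address raises an alert, which is the effect the known-address list is meant to have.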
Audit Log Data Retention
Another important distinction between the Office 365 audit log data feature and ASM is that Office 365 retains audit log data for a maximum of 90 days. However, ASM retains audit log data for 6 months. This is important when corporate security policies or regulations require you to be able to investigate data breaches for longer periods of time after they have occurred.
Often, data breaches are not discovered for several months after they have occurred, and this data becomes critical to performing analysis to determine how a breach occurred and how to prevent it in the future. To be honest, even 6 months can seem a bit short. Several organizations where I've performed cybersecurity audits have requirements to maintain audit log data for up to 1 year. If you're in that situation you may need to look for an additional solution to store such audit data longer term (for example, Microsoft Operations Management Suite).
What's Next...
This was just a quick introduction to the Office 365 Advanced Security Management solution, how to activate it and the data which is incorporated into policies and alerts. There are a lot more exciting security capabilities to look at!
In part 2 and 3 of this series, we'll look at the Discovery Dashboard, how to bring in data from other internal systems and how to configure policies & alerts.