
Monday, December 19, 2016

A Practical Overview of Office 365 Advanced Security Management - Part 1
Introduction & Audit Logs

In June 2016, Microsoft released its first iteration of Office 365 Advanced Security Management, a new capability within the Office 365 platform that allows organizations to go above and beyond the typical security management features that let them secure users, permissions, content and apps. In September the team added the Productivity App Discovery feature, and in October the solution continued to progress with additional capabilities to manage app permissions.

This multi-part blog series will look at how to use the features that make up Advanced Security Management and share some technical details that you will hopefully find helpful.

In part 1 of this series we introduce Advanced Security Management and share technical details about how it works with the Office 365 Unified Audit Log.
Let's jump in...



Introduction to Advanced Security Management

Advanced Security Management, or ASM, is a new set of security tools integrated into Office 365 that perform advanced threat detection and policy enforcement across your Office 365 workloads.  It helps automatically identify high-risk, suspicious activities and allows administrators to implement granular security policies.  It also provides discovery and insight capabilities that give you visibility into 'shadow IT' within your organization.  ASM incorporates signals from several Office 365 services such as the Management Activity API and the Microsoft Security Graph, and provides administrators with a dedicated management console for getting a dashboard overview, searching log data, configuring policies and reviewing alerts.

There are a few background details about Advanced Security Management that are important for Office 365 administrators to understand before enabling it:

  • Office 365 Advanced Security Management (ASM) is a subset of the Microsoft Cloud App Security offering. Cloud App Security is a comprehensive service which provides security capabilities to a much broader set of applications beyond Office 365.  It provides features like discovery of a very wide range of cloud applications operating in your network and on all devices going through your company firewalls or proxies. It currently supports approximately 14,000 cloud services in its catalog, and it's important to emphasize that devices must go through the organization's firewalls or proxies or Cloud App Security will not see the traffic. It also provides granular controls and policy enforcement for data shared through your cloud applications. And finally it provides threat protection to detect abnormal user behavior through your cloud applications and help prevent threats. Office 365 ASM integrates the broad capabilities of Cloud App Security directly with Office 365, making it fairly easy to implement across the Office 365 workloads.  Learn more about the underlying technology here:  Microsoft Cloud App Security.
  • Office 365 ASM can be licensed in 1 of 2 ways: you may either license all of your Office 365 users with an E5 license (which gives you more than ASM), or you may specifically purchase the Office 365 ASM add-on license for all users (in addition to another Office 365 user license).  Office 365 does not actually check if all users in fact have one of the required ASM licenses.  So you can enable the feature for a subset of users initially, for evaluation, proof of concept and deployment planning. It is highly recommended that you license all of your users when running it in full production capacity, because you typically won't be able to predict who an attacker will target. However, it is possible to license it for just a portion of your organization if you have particular individuals that might be considered very high value or persistent targets (administrators, executives, etc.). 
  • Office 365 ASM has a very strong connection to and reliance on Microsoft Azure.  Please continue reading to understand how the capability uses Azure.


Activating Advanced Security Management

After adding an E5 license to your Office 365 tenant, you must specifically activate Advanced Security Management:
  • Log in to Office 365 as a Global Administrator
  • Click the Office 365 waffle icon and select Security and Compliance
  • In the left hand menu, click Alerts and then Manage Advanced Alerts

The first screen presented will ask you to select a checkbox to 'Turn on Advanced Security Management for Office 365':



When the E5 or ASM license is added to the customer's Office 365 tenant, a new Azure tenant is automatically provisioned and associated with the customer's Office 365 tenant.  Selecting the 'Turn on...' checkbox will activate ASM and kick off a number of activities behind the scenes:
  • The Cloud App Security service within the new Azure tenant subscribes to the audit log data feed from the customer's Office 365 tenant.  This is the same audit log data you can search within the Office 365 Security and Compliance Center by clicking Search & Investigation > Audit Log Search.
  • Audit log data begins synchronizing from the Office 365 tenant to the new Azure tenant.  This data is not 'anonymized'.  By activating ASM, you are authorizing the audit log data to be transferred from your Office 365 tenant to the associated Azure tenant.
  • ASM begins to build a baseline model which it will ultimately use to detect suspicious user behavior and issue automated alerts.

The baseline model is built for every user and updated periodically as additional data is received.  It is based on both user logins and user activities, such as:
  • Whether the activities are administrator activities or user activities
  • Frequency of activities
  • The device, browser and OS used to access Office 365 (through the user agent string)
This process does not currently use Intune, so it cannot recognize the device itself: it cannot distinguish specific devices, nor whether the device is company managed or domain-joined.  This process also does not look at the amount of data downloaded by a user, because the management activity API (audit log API) does not provide full metadata about files accessed.

Activation only needs to occur the first time you access ASM.  The next time you log in, you'll see the same screen without the checkbox.  Just click Go to Advanced Security Management to access its management console.


Audit Log Data Enrichment

At the core of ASM is the audit log data and signals it receives from your Office 365 tenant and other sources (data logs that you upload, the Microsoft Security Graph, etc.).

If you've ever searched or tried to work with audit log data provided within the built in Audit Log Search, you'll find that it is fairly extensive and very useful, but also quite raw.  It is just that: audit log data.  The interpretation is entirely up to you.  There is no threat intelligence built into it; no correlation of IP addresses to known malicious addresses; no heuristics or correlation between multiple events for the same user or location.  The work to understand and make use of that data is up to you. 

With ASM, as audit log data is transmitted from your Office 365 tenant it is enriched with additional threat analytics, logic and heuristics.  For example, ASM will:
  • Standardize the incoming event: is it an admin activity, a user activity, an activity impersonated by another user, etc.
  • Determine whether the IP address is coming from a Microsoft data center
  • Incorporate Microsoft Security Graph data to determine if the IP address is from a known threat or risky location (e.g. a known TOR node or botnet)
  • Interpret the user agent string to display the OS name/version, device type and browser type/version
  • Search for more user activities that are related to a specific activity (e.g. if a user uploaded and shared a file, quickly find out who accessed or downloaded the file)
  • Incorporate known IP addresses that an administrator has defined for the organization when determining which activities to raise alerts on.  For example, an administrator could list their VPN subnet addresses as known addresses and thereby make the alerts smarter.
We can easily compare audit log results from the 2 solutions by bringing them up side-by-side and immediately seeing some of the differences.
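To make the enrichment steps above concrete (and the baseline signals from the activation section), here is a small Python re-creation of them run over constructed records in the Management Activity API common schema. This is an added example, not ASM's code or the author's; the VPN range, the risky-IP table standing in for Security Graph data, the user-agent patterns and the sample records are all assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample records shaped like the Management Activity API common schema (not tenant data).
AUDIT_RECORDS = [
    {"UserId": "alice@contoso.example", "UserType": 0, "Operation": "FileDownloaded",
     "ObjectId": "https://contoso.example/sites/fin/Budget.xlsx", "ClientIP": "10.20.30.40",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/55.0.2883.87"},
    {"UserId": "alice@contoso.example", "UserType": 0, "Operation": "SharingSet",
     "ObjectId": "https://contoso.example/sites/fin/Budget.xlsx", "ClientIP": "10.20.30.40",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/55.0.2883.87"},
    {"UserId": "bob@contoso.example", "UserType": 0, "Operation": "FileDownloaded",
     "ObjectId": "https://contoso.example/sites/fin/Budget.xlsx", "ClientIP": "203.0.113.77",
     "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Safari/602.3.12"},
    {"UserId": "admin@contoso.example", "UserType": 2, "Operation": "Add member to role.",
     "ObjectId": "bob@contoso.example", "ClientIP": "10.20.30.41",
     "UserAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox/50.0"},
]

# Admin-defined known ranges (the VPN subnet case from the post) and a stand-in for the
# threat-intel feed a real service would consult; both values are constructed.
KNOWN_NETWORKS = {"corp-vpn": ipaddress.ip_network("10.20.30.0/24")}
RISKY_IPS = {"203.0.113.77": "known TOR exit node"}

# Minimal user-agent patterns; Chrome is listed before Safari because Chrome UAs carry both tokens.
OS_PATTERNS = [(r"Windows NT 10\.0", "Windows 10"), (r"Windows NT 6\.1", "Windows 7"),
               (r"Mac OS X \d+[_.]\d+", "macOS"), (r"Android", "Android"), (r"iPhone", "iOS")]
BROWSER_PATTERNS = [(r"Edge/(\d+)", "Edge"), (r"Chrome/(\d+)", "Chrome"),
                    (r"Firefox/(\d+)", "Firefox"), (r"Safari/(\d+)", "Safari")]

def parse_user_agent(ua):
    """Reduce a raw user-agent string to (OS name, browser + major version)."""
    os_name = next((name for pat, name in OS_PATTERNS if re.search(pat, ua)), "unknown")
    for pat, name in BROWSER_PATTERNS:
        match = re.search(pat, ua)
        if match:
            return os_name, f"{name} {match.group(1)}"
    return os_name, "unknown"

def classify_ip(ip):
    """Label an address as known corporate, risky per threat intel, or plain external."""
    addr = ipaddress.ip_address(ip)
    for label, net in KNOWN_NETWORKS.items():
        if addr in net:
            return f"known:{label}"
    if ip in RISKY_IPS:
        return f"risky:{RISKY_IPS[ip]}"
    return "external"

def enrich(record):
    """Return the raw record plus the derived fields the post lists for ASM."""
    os_name, browser = parse_user_agent(record.get("UserAgent", ""))
    # UserType 2 marks an admin in the common schema (assumed here; check the API docs).
    category = "admin activity" if record.get("UserType") == 2 else "user activity"
    return {**record, "Category": category, "IPClass": classify_ip(record["ClientIP"]),
            "OS": os_name, "Browser": browser}

def related_activities(records, object_id, exclude_user=None):
    """Answer 'who else touched this file?': every event on the same object by other users."""
    return [r for r in records if r["ObjectId"] == object_id and r["UserId"] != exclude_user]

def flag_unexpected(enriched):
    """Keep only activity from outside the admin-defined known ranges, so VPN traffic
    does not create alert noise while external and risky addresses still surface."""
    return [r for r in enriched if not r["IPClass"].startswith("known:")]

def user_baseline(enriched):
    """Per-user profile of the signals the post says the baseline uses: activity category,
    count, and the OS/browser fingerprint derived from the user agent."""
    profile = defaultdict(Counter)
    for r in enriched:
        profile[r["UserId"]][(r["Category"], r["OS"], r["Browser"])] += 1
    return profile

ENRICHED = [enrich(r) for r in AUDIT_RECORDS]
```

Running it, Bob's download from the TOR address is the only record `flag_unexpected` keeps, and `related_activities` answers the "who else accessed the file Alice shared?" question from the list above.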

In the built-in Office 365 Audit Log Search function, here is an example of the results returned when we perform a search:

We get the date/time, originating IP address, username, activity name, item acted upon and a list of raw details.  If we click on a line we're presented with a list of that raw detail:


Many of the details are listed in their full technical form.  Again, this is all very useful data, but it is raw and requires your own interpretation and correlation with other events.

ASM allows us to perform simple or complex searches against the same data set.  If we look at an example of the search results, we get similar data but with a view that is easier to read and some details summarized for us.  We're presented with an activity name that is more meaningful, the user, the app from which the entry was reported, originating IP address, the physical location of that IP (country), the device type, OS version and browser type/version (seen by hovering over the icons), and the date/time.

If we click on a line in our search results, we're given a summarized view that may be much more meaningful depending on the event:


We get the city, state and country of the originating IP address, the ISP through which that IP is assigned, the full username and the Azure AD groups to which that user belongs.  If the entry matches any currently configured policies, those will be listed as well under 'Matched Policies'.  Here is another example of a file access entry:


In addition, we can easily determine if there are other activities in the log related to this IP address, this user, this type of activity or this country/region by clicking the ... beside the entry and selecting one of the actions:



Audit log data enrichment is a big part of the value which Advanced Security Management provides to Office 365 customers.  These are just some current, simple examples of logic and signals added to the management activity API feed as it comes into ASM.  We do hope to see some additional intelligence added over time, given the breadth of data available from Office 365 workloads - in particular more specific data about our users, about our files and about the SharePoint and Office 365 groups that our users belong to.

Audit Log Data Retention

Another important distinction between the Office 365 audit log data feature and ASM is that Office 365 retains audit log data for a maximum of 90 days.  However, ASM retains audit log data for 6 months.  This is important when corporate security policies or regulations require you to be able to investigate data breaches for longer periods of time after they have occurred. 

Often, data breaches are not discovered for several months after they have occurred and this data becomes critical to performing analysis to determine how a breach occurred and how to prevent it in the future.  To be honest, even 6 months can seem a bit short.  In several organizations where I've performed cybersecurity audits, they often have requirements to maintain audit log data for up to 1 year.  If you're in that situation you may need to look for an additional solution to store such audit data longer term (for example, Microsoft Operations Management Suite).

What's Next...

This was just a quick introduction to the Office 365 Advanced Security Management solution, how to activate it and the data which is incorporated into policies and alerts.  There are a lot more exciting security capabilities to look at!

In part 2 and 3 of this series, we'll look at the Discovery Dashboard, how to bring in data from other internal systems and how to configure policies & alerts.

Enjoy.
   -Antonio
