This text is an extract from Chapter 19 of the eBook “Office 365 for IT Pros”. We’re commonly asked at what level the content of the book is pitched and how up to date it is. Well, this topic was announced by Microsoft on June 1 and you can judge the level for yourself. For more information about Office 365 for IT Pros, see ExchangeServerPro.com (for PDF and EPUB versions and some bonus material) or Amazon (for the Kindle version).
Advanced Security Management
The Advanced Security Management application is included in the E5 enterprise plan and also available as an $3/month add-on for the other enterprise plans. Every user in the tenant needs to be licensed for Advanced Security Management as it is not possible to exclude the audit data for individual users from the anomaly detection and analysis.
The current implementation of Advanced Security Management is part of a long-term plan to provide Office 365 customers with much better oversight about what’s happening in their tenant based on the audit data that is accumulated in the Office 365 unified audit data mart, with the major advantage of the approach being that no agents or other software needs to be deployed to support the gathering and analysis of the data to detect the threats that might lie in the anomalies that are picked up. Analyzing the audit data also reveals how the actions taken by individual users might compromise the security of the organization through suspicious behavior, such as someone downloading all of the documents from a library containing confidential information within a short period. Other indications are taken into account, such as suspicious IP addresses that might originate from anonymous proxies or known botnets.
Advanced Security Management allows administrators to create tenant-specific policies to fire alerts when specific events happen or when a particular pattern of actions occur. For instance, you could create a policy that will alert administrators by email or SMS whenever certain conditions occur. Microsoft provides a preconfigured “General anomaly detection” policy to get the ball rolling. This policy covers common conditions that should cause suspicion, such as a user logging in from two places that are widely separated in distance within a short period. Other anomaly detection policies can be added to highlight specific activities that are of concern to the organization. For example, a policy could be created to look for attempted log-ins from IP addresses outside the corporate IP range. Policies can be tailored to turn off or on different risk factors or to increase sensitivity to a risk.
Alerts show up in the Advanced Security Management Console
The screen shot above shows how a set of alerts appear in the Office 365 Advanced Security Management console. In this case, a set of alerts have been signaled because Advanced Security was recently enabled for the tenant. When this happens, Advanced Security examines the current state of the tenant to establish a baseline and to report any events that it believes should be brought to the attention of an administrator. The fact that someone accesses an application, like SharePoint Online or OneDrive for Business, from a location for the first time is an example of a built-in anomaly alert that helps the system to set a baseline. The first alert shows that Paul Cunningham accessed SharePoint from Australia (AU). If this is expected because Paul always accesses Office 365 from Australia, the administrator can resolve the alert (to mark it done) and the alert will no longer appear because Advanced Security knows that this is a normal condition. On the other hand, if Paul’s account is used to access SharePoint Online from Egypt when he is known to be sunning himself in his back garden in Brisbane, then we might have a problem. When the security administrator resolves an alert, they can enter a comment to explain why the condition is satisfactory and deemed to be resolved.
Reviewing Office 365 Advanced Security Alerts
If more information is needed to understand the pattern behind a user’s behavior or another aspect of an alert, such as the IP address, the administrator can click the item to have Advanced Security Management reveal what it has recorded in its Activity Log. For example, all events logged for Paul Cunningham are shown if his account name is clicked.
Each alert is rated a high, medium, or low risk. The risk level is determined using behavioral analytics to compare normal user interaction with Office 365 against the information contained in the audit data. The analytics are based on Microsoft’s collected knowledge about the threats that exist and their origin gathered from across Office 365 and other cloud services. Assigning a risk value allows an administrator to filter for high risk alerts and prioritize their resolution.
Another example of an alert is when an account is detected to have elevated permissions (a “New admin user” alert). Again, if the permissions were assigned purposely, the alert can be resolved and Advanced Security knows that it does not have to signal the issue again. However, it could be the case that someone has been assigned permissions in error or that they hold permissions for too long, in which case the resolution is different and might require the account to be suspended or to have its permissions adjusted. User accounts can also be suspended as an action contained in a policy to ensure that action is taken to protect the organization without requiring an administrator to do something manually. Suspended users show up in Office 365 as blocked users. If this turns out to be the wrong thing to do, you can reverse the suspension from Advanced Security Management or the Office 365 Admin Center.
It’s possible that an alert highlights an event that is uninteresting or invalid. In these instances, you can dismiss the alert or mark it as a false positive. These actions are recorded in the Activity Log and the fact that the user’s location or their admin status is deemed to be valid will be taken into account by Advanced Security Management when it processes audit and other data to detect anomalies and suspicious activity in the future.
Filters are available to focus in on one or more of the Office 365 applications or to look for selected users. The latter filter is valuable when you might be concerned about the activities of a particular individual. You can also search for high, medium, or low severity alerts or for alerts that have been previously dismissed or resolved. You can also filter by category (access control, compliance, configuration control, privileged accounts, sharing control, and threat detection). The filters can be combined together to focus in on certain actions, meaning that even a very large volume of alerts can be quickly refined to produce a set of alerts that need to be examined. You can also export alerts to a CSV file if required.
Advanced Security Management is accessed through the Alerts section of the Security and Compliance Center where the Manage Advanced Alerts option connects to Microsoft Cloud App Security, a platform designed to analyze very large amounts of information relating to security events. Cloud App Security has no dependency on Office 365 and is available for purchase as a standalone product. The version used with Office 365 only handles Office 365 data; the standalone version is capable of handling data extracted from many other cloud applications.
When a tenant opts-in to use Office 365 Advanced Security, a link is created between the Office 365 tenant and an equivalent tenant automatically created within Cloud App Security. The link allows audit data to be extracted from Office 365 and analyzed by the Cloud App Security analytics engine, which detects suspicious activity and other potential problems. It takes about a week after a tenant is enabled before a satisfactory model is created of its normal activity and build a baseline that suspected anomalies can be measured against.
Audit entries extracted from Office 365 can be examined in the Activity Log along with other logged items, such as those recorded when an administrator resolves or dismisses an alert. Again, a range of filters are available to reduce the number of log entries down to a manageable amount. In the example shown below, the filters have been used to extract events relating to document check-outs by users based in Bulgaria in a certain period. Note the option in the top right-hand corner of the screen to create a new policy based on search criteria, meaning that you can easily create a new policy to create alerts if similar events occur in the future.
Filtering Audit events
One issue for non-U.S. customers is that Cloud App Security is currently based on an Azure data store that runs in a U.S. datacenter. However, only audit data and information about tenant users and groups is moved to the Azure data store and personal information belonging to tenant users remains within Office 365. Microsoft plans to extend Cloud App Security so that its data is stored in other datacenter regions in the future. When this happens, Cloud App Security data for a tenant will be stored in the same region as Office 365.
In some respects, apart from the analytics used by Advanced Security Management to pick up suspicious activity by correlating events, the technology is not rocket science. You could argue that a skilled administrator who knows what is happening in their tenant is likely to be able to detect and resolve the same kind of issues that Advanced Security highlights. However, an application like Advanced Security scores through its ability to handle massive quantities of information of the type generated by audit events and to reduce the mass down to what’s important. A human can do this too, but will struggle with:
- The volume of data to process (especially as the environment scales).
- The time required to recognize complex suspicious audit events and to learn the characteristics that mark new threats
- The need to be consistent in how events are treated.
It’s also likely that the human administrator will forget that some events have happened (or not) in the past, so when something happens, they have to consider the event on its merits. Computers are better at remembering things, so Advanced Security Management quickly recognizes when an event is rare (and therefore potentially out of the norm) or normal.
In addition, the machine learning that lies behind analytics is much faster at correlating events to detect suspicious activity. Once software learns what it should be looking for, it generally produces more consistent results than a human can, 24 hours a day, 365 days a year, which is why applying technology to automate the collection and validation of information drawn from multiple sources is a good solution to understanding the kind of threat introduced by how individuals behave.
Follow Tony @12Knocksinna