By Andrew Garcia
Microsoft 365 Service Owner – Subject Matter Expert, ACTS
Microsoft 365 is a massive and tantalizing attack surface. Adding to the risk, M365 holds the bulk of its enterprise users’ critical data.
Threats to M365 get worse every year, so much so that the US Cybersecurity and Infrastructure Security Agency (CISA) regularly releases notices of risks, along with advice on how to secure the popular Microsoft cloud productivity platform.
While there are myriad M365 risks, CISA focuses on the most pressing and current, and offers excellent guidance on areas of IT mitigation. Get these right, and you have safeguards against the most common current attacks.
Taking the 8 protective steps outlined in a recent CISA bulletin is part of an overall strategy to protect your M365 tenant – but these are really just tip-of-the-iceberg tasks.
1. MFA for all M365 Admin Accounts
Microsoft argues that using multi-factor authentication (MFA) wards off 99% of breach attempts, especially since there are so many accounts with password-only protection just ripe for the picking – including privileged M365 admin accounts.
While MFA should be used for all M365 accounts, CISA focuses first on the accounts with the most privileges, which, when compromised, offer the most access to data as well as an entry point into other accounts in the organization, and so advises MFA for M365 admin accounts.
“Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users,” CISA argued. “Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a ‘Secure by default’ model, but even this must be enabled by the customer.”
2. Use Role-Based Access Control (RBAC) for all M365 Admins
MFA is advised for all M365 admins because these are the accounts hackers want most and attack most ferociously. The allure and power of these accounts is also why their privileges should be constrained. Because of the danger of high-level default privileges, Global Admin accounts should be limited to only those who need them. “Instead, using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning of overly permissive privileges to legitimate administrators,” CISA advised in its Azure Benchmark Guide. CISA recommends adopting ‘Least Privilege’ to minimize the damage if an admin account with its high-level permissions is compromised. With Least Privilege, you give administrators only the permissions they absolutely need to do their job.
3. Track and Retain Security Data with the Unified Audit Log (UAL)
Audit logs are critical to spotting dangerous activity as it happens, and to investigating what happened after a security event. As such, auditing for M365 must be enabled, which doesn’t always happen by default, and these logs should be kept long enough to help determine trends, track activities that occur after an incident, and even show compliance regulators that your company took the right steps in dealing with a breach attempt or actual incursion.
“O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services. An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run,” the CISA bulletin said. “Enabling UAL allows administrators the ability to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.”
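The two steps CISA describes, turning on the Unified Audit Log and then querying it, as an added Exchange Online PowerShell example (not from the article or from CISA). It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs role; the admin UPN is a placeholder, and the query looks for a common post-compromise indicator, inbox rules that forward mail out.

```powershell
# Added example: check that Unified Audit Log ingestion is on, enable it if not,
# then run a first defensive query against the log.
# Assumes ExchangeOnlineManagement module + Audit Logs role. Placeholder UPN.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Confirm UAL ingestion is enabled; it is not guaranteed to be on by default.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified Audit Log ingestion is OFF - enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Events that occurred before enablement are not backfilled, and ingestion
    # can take a while to start, so enable this long before you need it.
} else {
    Write-Host "Unified Audit Log ingestion is already enabled."
}

# 2. Example query: inbox-rule creation/changes in the last 7 days.
#    Rules that forward or redirect mail externally are a classic sign
#    that a user account has been taken over.
$end   = Get-Date
$start = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule,Set-InboxRule -ResultSize 5000

foreach ($r in $records) {
    # AuditData is a JSON string; for Exchange admin records it carries a
    # Parameters array of {Name, Value} pairs for the cmdlet that ran.
    $data = $r.AuditData | ConvertFrom-Json
    $fwd = $data.Parameters | Where-Object {
        $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'
    }
    if ($fwd) {
        [pscustomobject]@{
            When      = $r.CreationDate
            User      = $r.UserIds
            Operation = $r.Operations
            Target    = ($fwd | ForEach-Object { $_.Value }) -join ';'
        }
    }
}
```

Anything this query surfaces belongs in the incident workflow described later in step 6 and step 8; the same search can be scheduled and its output shipped to your SIEM.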
4. Ensure all M365 Users have MFA Enabled
We already talked about how critical MFA is for privileged accounts, but regular old end users have access to plenty of data you’d rather not hand over to hackers. “Though normal users in an O365 environment do not have elevated permissions, they still have access to data that could be harmful to an organization if accessed by an unauthorized entity,” CISA said. These end users can also be malware and phishing super spreaders. “Threat actors compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.”
This is especially important since end users often have the simplest, most easily guessed and cracked passwords.
5. Legacy Authentication Protocols Should be Retired
There’s a reason legacy protocols are called legacy – they are old and have been supplanted by newer, more secure approaches. Unfortunately, these protocols remain a key (and unsafe) way many users access M365 services such as email.
“Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of legacy protocols associated with Exchange Online that do not support MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP). Legacy protocols are often used with older email clients, which do not support modern authentication,” CISA explained in its Azure Benchmark Guide. The good news is that IT can and should disable these legacy protocols, which can be done at either the tenant or user level. “However, should an organization require older email clients as a business necessity, these protocols will presumably not be disabled. This leaves email accounts accessible through the internet with only the username and password as the primary authentication method. One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols and only grant access to those protocols for those select users. Using Azure AD Conditional Access policies can help limit the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce an organization’s attack surface,” the guide said.
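The inventory-then-restrict approach CISA recommends, as an added Exchange Online PowerShell example (not the article’s or CISA’s own code). It assumes the ExchangeOnlineManagement module and Exchange Administrator rights; the admin UPN and the exception list are placeholders, and the Conditional Access policy CISA also mentions is configured separately in Azure AD and is not shown here.

```powershell
# Added example: inventory mailboxes that still allow legacy protocols, disable
# POP3/IMAP everywhere except an explicit exception list, and turn off SMTP AUTH
# tenant-wide while letting the exceptions opt back in per mailbox.
# Assumes ExchangeOnlineManagement module + Exchange Administrator. Placeholder UPN.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Mailboxes with a documented business need for a legacy client (placeholders;
# fill this from a real inventory of devices/apps that cannot do modern auth).
$legacyExceptions = @('scanner-mfp@contoso.example', 'erp-relay@contoso.example')

# 1. Inventory. Per-mailbox SmtpClientAuthenticationDisabled is $null when the
#    mailbox inherits the tenant setting, so check the tenant value too.
$tenantSmtpAuthOff = (Get-TransportConfig).SmtpClientAuthenticationDisabled
Write-Host "Tenant-wide SMTP AUTH disabled: $tenantSmtpAuthOff"

$mailboxes = Get-CASMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

$exposed = @($mailboxes | Where-Object {
    $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false)
})
Write-Host ("{0} of {1} mailboxes still allow a legacy protocol." -f $exposed.Count, $mailboxes.Count)
$exposed | Export-Csv -Path .\legacy-protocol-inventory.csv -NoTypeInformation

# 2. Disable POP3 and IMAP on every exposed mailbox that is not an exception.
foreach ($m in $exposed) {
    $addr = $m.PrimarySmtpAddress.ToString()
    if ($legacyExceptions -contains $addr) {
        Write-Host "Keeping legacy access for documented exception: $addr"
        continue
    }
    Set-CASMailbox -Identity $addr -PopEnabled $false -ImapEnabled $false
}

# 3. Block SMTP AUTH for the whole tenant; the explicit per-mailbox $false on
#    the exceptions overrides the tenant-wide block for just those accounts.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
foreach ($addr in $legacyExceptions) {
    Set-CASMailbox -Identity $addr -SmtpClientAuthenticationDisabled $false
}
```

Re-run the inventory section after the change and keep the CSV: it documents both the remaining exceptions and the reduction in attack surface for auditors.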
6. Track Suspicious Activity Through Alerts and Reports
There are many reports and alerts available in M365 to track suspicious logins and other incursion signs. Having these measures available does little if they are not applied, monitored and acted upon. “Enabling logging of activity within an Azure/O365 environment greatly increases the owner’s effectiveness of identifying malicious activity occurring within their environment and enabling alerts will serve to enhance that. Creating and enabling alerts within the Security and Compliance Center to notify administrators of abnormal events will reduce the time needed to effectively identify and mitigate malicious activity,” the CISA bulletin said. CISA advises that IT enable alerts so it knows when there are suspicious logins and other cybercriminal activity.
7. Track Microsoft Secure Score and Act on its Recommendations
Did you know that Microsoft 365 has its own built-in report card that grades your security posture? Microsoft Secure Score measures the security posture of a Microsoft 365 tenant and suggests what can be done to improve security. These Secure Score recommendations are a starting point – there are far more things IT can do to boost security. “Using Microsoft Secure Score will help provide organizations a centralized dashboard for tracking and prioritizing security and compliance changes within O365,” CISA recommends.
A smart approach is to check your Secure Score, adopt its recommendations, then check it again to measure your progress. Repeat as often as needed to achieve the score you desire.
8. Fully Utilize and Retain Logs by Integrating Them with a SIEM
M365 logs are a treasure trove of vital information. We already mentioned logging should be enabled and logs retained as long as is feasible and affordable to support forensics. They should also be part of a holistic security picture. If you have a Security Information and Event Management (SIEM) solution, make M365 logs an integrated part of that view. “Even with robust logging enabled via the UAL, it is critical to integrate and correlate your O365 logs with your other log management and monitoring solutions. This will ensure that you can detect anomalous activity in your environment and correlate it with any potential anomalous activity in O365,” CISA advised.
(Andrew Garcia is a Microsoft 365 Service Owner and subject matter expert with a focus on modern workplace transformations built on Azure and Microsoft 365. He is an experienced cloud deployment and enablement specialist for ACTS, guiding clients through long-term strategic cloud journeys, along with security hardening and value discovery engagements.)