How Secure is your Office 365 environment?

When implementing or migrating to Office 365, it is essential to secure your environment against the myriad internal and external threats your organization will face. The UK National Cyber Security Centre publishes 14 Cloud Security Principles as guidance on how you should protect your cloud services. 

In our blog below, we will briefly touch on some of the technical areas of configuring your O365 environment that can align with those principles. 

Extended Detection and Response

Every Office 365 cybersecurity implementation strategy should include extended detection and response (XDR) tools. These systems combine machine learning and rules to monitor for suspicious activity across your environment, including Office 365 elements such as inboxes and software delivered through the cloud. 

Business Email Compromise

Phishing is a huge contributor to all breaches and cyber incidents within organizations, especially those with Microsoft 365. 

Analysis typically reveals that the culprit is an email posing as a shared document hosted on a domain that looks like OneDrive. When the user clicks the link they arrive at a login page that mirrors the Microsoft 365 login page. Unfortunately for the user, the credentials entered on this screen go straight to the attacker, who then has complete access to all of the user's email and files.  

Multi-Factor authentication

Multi-factor authentication is one of the most effective methods of preventing an attacker from gaining access even after they have compromised a password.

It is now a commonly used security control: your users understand it, and you should implement it.

Audit Logging

It is also important that you can recognize when a password has been compromised. This becomes even more critical if the attacker successfully authenticates and reaches the target's data. 

To ensure you have sufficient stored data to detect these risks and perform a proper investigation if they occur, you must ensure your Microsoft 365 tenant is auditing all the crucial areas. In January 2019, Microsoft recognized the need for this information and enabled mailbox auditing by default.

Conditional Access Policy
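Added example (not from the original post): verifying that mailbox auditing is actually on for every mailbox and then pulling the audit events that typically reveal a compromised account. It assumes the ExchangeOnlineManagement module and an account with the Audit Logs role; the admin UPN is a placeholder.

```powershell
# Added example: enable mailbox auditing tenant-wide and search the unified audit log
# for the post-compromise actions (inbox rule changes, mailbox forwarding changes).
# Assumes the ExchangeOnlineManagement module; admin@contoso.example is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Auditing on at the tenant level and on every user mailbox, kept for 180 days.
Set-OrganizationConfig -AuditDisabled $false
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

# 2. Report any mailbox where auditing is still off (the list should be empty).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled

# 3. Look back 30 days for the operations an attacker performs after a successful
#    phish: creating or changing inbox rules and changing mailbox forwarding.
$operations = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations $operations -ResultSize 5000

# AuditData is a JSON string; flatten the fields an investigator needs first.
$events | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $data.ClientIP
        Details   = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

A rule created from an unfamiliar ClientIP shortly after a login is the pattern worth alerting on; step 3 is the query an alert policy or SIEM rule would run on a schedule.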

Administrators can enforce additional restrictions, or relax certain policies such as MFA, when users access resources from a compliant device and a trusted location. These conditions increase the likelihood that the user accessing the resource is who they claim to be, and therefore reduce the security requirements needed to authorize that user.  

This feature is a pragmatic balance between security and convenience.

Mobile Device Management

Mobile device management should be regularly reviewed and understood by your organization. It is essential to ensure that the proper policies are defined and agreements are in place for employees of your business. 

Techolony recommends that you configure Exchange Administration to define policies regarding which devices/users can communicate with the email servers. Compliance policies such as device encryption should also be enabled to define which devices can connect. 

Exchange Administration

There are a number of Exchange administration activities that can tighten the security of your O365 environment, some of which are listed below. For more information on our services to assess your environment and implement the changes, contact Techolony's Cyber Security consulting team.

Define Spoofing Filter Rule

A spoofing filter rule can be created via Exchange Admin Center to set the spam confidence level that will help limit the amount of phishing emails that are delivered.

Validating email with the configuration of DMARC and SPF Records 

Implementing Domain-based Message Authentication, Reporting and Conformance (DMARC) with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) is recommended for all organizations.  

These features provide an additional layer of protection against phishing and spoofing emails. They can also help to mitigate the risk of business email compromise attacks.
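Added example (not from the original post): a check of the SPF, DKIM and DMARC records for a domain that flags the weak settings which still leave it spoofable. It assumes Resolve-DnsName from the Windows DnsClient module and a Microsoft 365 tenant, which publishes DKIM through the selector1 and selector2 CNAMEs; the domain is a placeholder.

```powershell
# Added example: read a domain's SPF, DKIM and DMARC DNS records and report weak settings.
# Assumes Resolve-DnsName (Windows DnsClient); contoso.example is a placeholder domain.
$domain = 'contoso.example'

function Get-TxtRecord([string]$name, [string]$prefix) {
    Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |      # long records are split into chunks
        Where-Object { $_ -like "$prefix*" } |
        Select-Object -First 1
}

# SPF: the record should end in -all (hard fail); ~all, ?all and +all all let spoofed mail through.
$spf = Get-TxtRecord $domain 'v=spf1'
if (-not $spf)                 { Write-Warning "$domain has no SPF record" }
elseif ($spf -match '\+all')   { Write-Warning "SPF allows any sender (+all): $spf" }
elseif ($spf -match '\?all')   { Write-Warning "SPF is neutral (?all), spoofing is not penalised: $spf" }
elseif ($spf -notmatch '-all') { Write-Warning "SPF is soft-fail only (~all): $spf" }
else                           { Write-Output  "SPF OK: $spf" }

# DKIM: Microsoft 365 signs with selector1 and selector2; both CNAMEs must resolve.
foreach ($selector in 'selector1', 'selector2') {
    $rec = Resolve-DnsName -Name "$selector._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($rec) { Write-Output "DKIM $selector -> $($rec.NameHost)" }
    else      { Write-Warning "DKIM CNAME for $selector is missing; DKIM signing is not enabled for $domain" }
}

# DMARC: p=none only reports; quarantine or reject is what actually stops spoofed mail.
$dmarc = Get-TxtRecord "_dmarc.$domain" 'v=DMARC1'
if (-not $dmarc) { Write-Warning "$domain has no DMARC record" }
else {
    $policy = if ($dmarc -match 'p=(\w+)')   { $Matches[1] } else { 'missing' }
    $rua    = if ($dmarc -match 'rua=([^;]+)') { $Matches[1] } else { 'none' }
    switch ($policy) {
        'reject'     { Write-Output  "DMARC OK: p=reject, aggregate reports to $rua" }
        'quarantine' { Write-Output  "DMARC p=quarantine (consider p=reject), reports to $rua" }
        default      { Write-Warning "DMARC p=$policy gives no enforcement: $dmarc" }
    }
}
```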

Data Exfiltration Rules

Business email compromise can result in attackers configuring mailbox forwarding rules that send a copy of every email outside the organization to a third-party email domain. Employees may also want to send copies of emails to personal email accounts for their own personal gain.  

Admins can create a rule in the Exchange Admin Center that will reject any messages and include an explanation that client forwarding rules to external domains are not permitted.
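Added example (not from the original post): the rejection rule described above, plus the tenant-wide setting that backs it up and a sweep for forwarding that already exists, both in mailbox settings and in client-side inbox rules. It assumes the ExchangeOnlineManagement module and Organization Management rights; the admin UPN and rule text are placeholders.

```powershell
# Added example: block auto-forwarding to external domains and find existing forwards.
# Assumes the ExchangeOnlineManagement module; admin@contoso.example is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Tenant-wide: stop Exchange relaying automatic forwards to any remote domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Mail flow rule: reject auto-forwarded mail leaving the organization with an
#    explanation, so the user (and whoever investigates) knows why it bounced.
New-TransportRule -Name 'Block external auto-forwarding' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Client forwarding rules to external domains are not permitted. Contact the IT service desk if you need an exception.'

# 3. Forwarding already configured in mailbox settings (set by admins or attackers with admin rights).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Forwarding via client-side inbox rules, the technique BEC attackers rely on.
#    Rule targets look like "Display Name [SMTP:user@domain]"; keep only external domains.
$accepted = (Get-AcceptedDomain).DomainName
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            $external = $targets | Where-Object {
                $_ -match 'SMTP:[^@\]]+@([^\]]+)' -and ($accepted -notcontains $Matches[1])
            }
            if ($external) {
                [pscustomobject]@{ Mailbox = $_.MailboxOwnerId; Rule = $_.Name; Enabled = $_.Enabled; External = ($external -join ', ') }
            }
        }
} | Format-Table -AutoSize
```

Any rule returned by step 4 that the mailbox owner did not create is an incident, not a cleanup item: check the audit log for who created it and from where before removing it.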

Configure your Connection Filters

Maintaining an allow list of permitted IP addresses for each domain helps prevent trusted senders from being blocked.

Alert Policies

Configuring alert policies assists in tracking user and administrator activities, malware threats, and data loss incidents within your organization. Alerts should be defined for email forwarding/redirect rules, malware incidents, anomaly detection, and suspicious activity as a minimum. 

Techolony recommends that event data is transmitted to a SIEM solution for correlation and long-term event storage. Contact our Cyber Security Team for more information on our SIEM as a Service solution.

Security & Compliance Features

There are a number of features within Microsoft 365 that should be reviewed and configured with the appropriate settings. 

These features should each be used in accordance with your organization's IT Security requirements.

  1. Data Loss Prevention: Policy protection to assist with identifying and protecting sensitive data.
  2. Data Governance: Assists with classifying content, defining retention rules, and data destruction.
  3. Classifications: Labels can be applied to email or documents to enforce policies such as retention settings or sensitivity.
  4. Data Privacy: Assists with meeting GDPR requirements, including data subjects' access to their personal data.
  5. Threat Management: Threat tracking and attack simulators can be performed to assess risk.


__________________________________________________


Techolony specialise in Cyber Security, Project Change, and Infrastructure solutions complemented by 24/7 SIEM and Service Desk support solutions. 


If you'd like to learn more, call 0161 209 3922 or click below to book an appointment.


We look forward to speaking to you!