How to Detect Office 365 Anomalies Using SIEM


Microsoft Office 365 (also known as Microsoft 365 or Office 365) is a cloud-based service that enables online collaboration and real-time data sharing via Microsoft solutions such as SharePoint, MS Teams, and OneDrive. Microsoft Office 365 combines the familiar Microsoft Office desktop applications with business-class email, shared calendars, instant messaging, video conferencing, and file sharing, which made it integral to many organizations during the pandemic. In fact, a large portion of Microsoft’s success in 2020 is thanks to MS Teams, which attracted over 95 million new users and was one of the fastest-growing apps during the pandemic.

[Figure: Microsoft 365 user growth]

Despite the widespread use of these applications, they still share one barrier to adoption among bigger enterprises: security concerns.

To ensure regulatory compliance, as well as compliance with some of the most common security standards such as ISO 27001, big enterprises need to ensure they have taken the highest security measures to prevent security incidents and data leaks concerning personal data. To do this for cloud services, where real-time collaboration is the main feature, enterprises need to integrate solutions scanning logs and sending notifications for anomalies in real-time.

In this article, we review how SIEM software can help you secure your Office 365 service and ensure your security team is notified immediately about some of the most common security incidents.

What are the Top Microsoft 365 Security Concerns and How to Address Them?

Video Conferencing

With remote work becoming the “new normal”, video conferencing became an integral part of our office routine. 

This, however, has caused new security concerns. Cybercriminals are now looking to breach video conferencing platforms and gain access to sensitive intellectual property, including corporate data and know-how.

With this exponential growth came security problems that have continually troubled these vendors. The root problem is that most video conferencing systems weren’t developed with security in mind; they were built solely to facilitate online meetings. We have now reached a point where businesses (not to mention schools and government agencies) are concerned that attackers could be listening to conversations and cannot fully trust the security of their virtual meetings.

From small and mid-sized businesses (SMBs) to larger corporations and enterprises, every company needs the guarantee that it can communicate safely in a virtual environment.

In June 2021, for example, a new MS Teams vulnerability was discovered, which grants attackers access to emails, messages, and personal files.

To ensure full security, businesses need confidence that such platforms provide strong two-factor authentication (2FA) for every user who joins a meeting. Currently, meeting invitations for video conferencing platforms like Zoom and Teams are a single click-to-join link that anyone can potentially use. This is the problem itself: anyone who has the meeting link can join the meeting because no authentication is required. This is a major security issue, and the most popular video conferencing platforms do not require every user to authenticate every time. As a result, businesses will continue to have sensitive corporate and customer data stolen, leading to more data breaches and a loss of confidence that their private conversations, sensitive documents, and proprietary data won’t be compromised.

Another layer of threat prevention, besides 2FA, is monitoring video conferencing logs and setting up alerts for anomalies such as unknown IPs joining a conference.

Phishing Attacks

According to a new report from PhishMe, 91% of cyberattacks start with a phishing attack. 

“Fear and urgency are a normal part of everyday work for many users,” says Aaron Higbee, co-founder and CTO of PhishMe. “Most employees are conscientious about losing their jobs due to poor performance and are often driven by deadlines, which leads them to be more susceptible to phishing.”

Neglecting cybersecurity training for staff is often the reason companies suffer major cyber attacks. To prevent this, organizations should improve phishing awareness among employees and add an extra layer of protection by monitoring for suspicious emails received on the mail server.

Account Breaches

Earlier this year, the news reported that hackers had for months been secretly monitoring the email accounts and exchanges of US government officials tasked with identifying foreign threats to national security. The attackers gained access through malicious code injected into the SolarWinds software installation, which allowed them to access the network unnoticed and then break into Microsoft’s email client.

This incident shows the need for security measures that ensure email does not get compromised.

One of the necessary measures is enforcing 2FA on all work accounts as a company policy; another is tracking logs for anomalies in sent and received email and in login activity outside of usual working hours.

User Access Privileges

The way Office 365 is architected can make it challenging for large or diverse organizations to create the right team of admins with the right mix of permissions for effectively managing digital workspaces (Groups, Teams, SharePoint sites, etc).

If organizations choose MS Office 365, they face a hard decision: should they escalate users’ levels of access and thereby hinder admins’ ability to manage them, or should they involve admins in these processes, which means admins will have access to all scopes in Office 365?

It’s important to regularly review and audit your Office 365 admin roles to ensure consistency. It’s also important to monitor logs related to privileged access changes. This can help you prevent security breaches from both internal malicious actors and hackers using stolen user credentials.

Best Practices to Keep Your Office 365 Secure

To secure your MS Office 365, you need to take certain security measures. Below we have listed some of the most important ones:

  1. Regularly back up data, either with another cloud provider or locally
  2. Use DLP tools
  3. Classify the data you process and store
  4. Secure video conferencing
  5. Get password alerts
  6. Set up MFA
  7. Train users (make them more cyber aware)
  8. Set up admin roles
  9. Increase email malware protection
  10. Protect against ransomware
  11. Limit email auto-forwarding
  12. Use Office Message Encryption
  13. Increase email phishing protection
  14. Protect against malicious attachments and files
  15. Protect against phishing attacks with Safe Links

How Can LogSentinel SIEM Help You Improve Office 365 Security

LogSentinel SIEM will help you take control over all your systems and users, giving you a unified command center from which you can monitor for anomalies and take action in time.

Here are the MS Office 365 security use cases where LogSentinel SIEM will help you guard your data better and more easily:

Prevent Phishing Attacks

Using phishing detection tools for Outlook adds an extra layer of security to your mail. With LogSentinel SIEM, you will be able to monitor the stream of emails in real time, which helps you detect and respond to phishing emails using built-in rules and machine learning.

LogSentinel SIEM will be scanning all emails (preferably sent automatically by a shared inbox and deleted after being scanned) for indicators of phishing. We use a set of heuristics to detect phishing, spear-phishing, and whaling attacks, including link inspection, content inspection, and similarity of brands and images to popular ones. Even if you already have a phishing protection solution, chances are it will miss a phishing attempt, so an extra layer of protection may save the day.

[Figure: Office 365 phishing detection in real time]

LogSentinel SIEM has a single-instance agent with a simple configuration for the entire organization, which means that you will be able to integrate the phishing detection feature very quickly.

With LogSentinel SIEM, you will gain insights by analyzing correlated data from emails and other sources with flexible custom queries and charts.

Get Password Alerts

Alerts are an important part of a SIEM system, as they allow you to identify anomalous behavior at an early stage, whether it comes from insider or outsider threats. LogSentinel SIEM supports three types of rules that generate alerts:

  • Correlation rules – specify particular sequences of events
  • Behavior rules – specify rules for anomalous behavior over a period of time
  • Machine learning – use unsupervised machine learning to detect anomalous behavior

Hundreds of predefined correlation rules for various systems and use cases are available in your LogSentinel SIEM. They can be searched and imported in minutes.

Once you enable a certain rule, you will immediately start receiving notifications of anomalous activities, if any.

[Figure: Real-time alert setup for Office 365]

Secure Videoconferencing

As we mentioned, video conferencing security is underestimated, yet essential to any company nowadays. With LogSentinel SIEM, you will be able to secure video conferencing by tracking logs, call metadata, and admin activity for possible issues. You can integrate LogSentinel SIEM with most of the popular tools such as Webex, Zoom, and Meet, as well as Microsoft Teams.

[Figure: Secure video conferencing via Teams]

Unauthorized Access Monitoring

LogSentinel SIEM will help you monitor the applications that your company uses to prevent unauthorized access.

You will be able to see in real-time if someone logs in outside of working hours, or is trying to access applications where they shouldn’t have access.

Data Exfiltration

There are traditional methods for preventing data exfiltration, such as blocking unauthorized communication channels and revoking data access for former employees. Others, such as identifying and responding to malicious and unusual network traffic, are harder to handle if your SIEM does not track network logs. To prevent data exfiltration, make sure to keep an eye on unusual upload/download volumes, malicious database requests, etc.

Privilege Abuse

Comprehensive monitoring of privileged accounts can be challenging, especially for mid-sized or bigger organizations. You need to monitor privileged users with administrator rights, those with root access, and those with access to firewalls, databases, services, automated processes, etc. With MS Office 365 in particular, you need to monitor whether anyone abuses their rights and accesses data in the cloud, or accesses someone else’s email, for example.

With every additional user, group, or policy to monitor, security monitoring gets ever more difficult. Furthermore, once a malicious actor acquires MS Office 365 credentials, it can be very difficult to detect their activity on the network in time. One of the most effective methods of detecting compromised credentials is monitoring for suspicious (or anomalous) activities such as login failures or attempts to escalate permissions.

LogSentinel SIEM can monitor user activity in real time, as well as access to various groups, logins from suspicious IPs, etc. You can set up rules once for any use cases that need your special attention, and then get notified every time a rule fires. This will dramatically decrease the manual work of your security team while improving visibility into privilege abuse.
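To make the rule types and the use cases above (off-hours or unknown-IP logins, failed logins followed by success, role assignments, mail auto-forwarding, bulk downloads) concrete, here is an added example that is not LogSentinel's code or rule syntax. It runs simplified versions of those detections over a constructed batch of events whose field names follow the Office 365 Unified Audit Log schema (CreationTime, Operation, UserId, ClientIP, Workload, ResultStatus) but are heavily trimmed; the office IP range 198.51.100.0/24, working hours of 08:00 to 17:59, and all event values are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (trimmed Unified Audit Log shape; values are made up).
def ev(time, op, user, ip, workload, status="Success", **extra):
    return {"CreationTime": time, "Operation": op, "UserId": user, "ClientIP": ip,
            "Workload": workload, "ResultStatus": status, **extra}

EVENTS = [
    ev("2021-06-14T10:02:00", "UserLoggedIn", "bob@example.com", "198.51.100.20", "AzureActiveDirectory"),
    ev("2021-06-14T03:12:00", "UserLoginFailed", "alice@example.com", "203.0.113.7", "AzureActiveDirectory", "Failed"),
    ev("2021-06-14T03:13:00", "UserLoginFailed", "alice@example.com", "203.0.113.7", "AzureActiveDirectory", "Failed"),
    ev("2021-06-14T03:14:00", "UserLoginFailed", "alice@example.com", "203.0.113.7", "AzureActiveDirectory", "Failed"),
    ev("2021-06-14T03:15:30", "UserLoggedIn", "alice@example.com", "203.0.113.7", "AzureActiveDirectory"),
    ev("2021-06-14T03:20:00", "Add member to role.", "alice@example.com", "203.0.113.7", "AzureActiveDirectory",
       ModifiedProperties=[{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]),
    ev("2021-06-14T03:25:00", "New-InboxRule", "alice@example.com", "203.0.113.7", "Exchange",
       Parameters=[{"Name": "Name", "Value": "Backup"}, {"Name": "ForwardTo", "Value": "ext@example.net"}]),
] + [  # 60 SharePoint downloads by one user within six minutes
    ev(f"2021-06-14T03:{30 + i // 10:02d}:{(i % 10) * 6:02d}", "FileDownloaded", "alice@example.com",
       "203.0.113.7", "SharePoint", SourceFileName=f"report-{i}.xlsx")
    for i in range(60)
]

CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed office range
WORK_HOURS = range(8, 18)                                    # assumed 08:00-17:59

def ts(event):
    return datetime.fromisoformat(event["CreationTime"])

def off_hours_or_unknown_ip(events):
    """Unauthorized-access rule: successful logins outside working hours or from
    an IP that is not in a corporate range."""
    hits = []
    for e in events:
        if e["Operation"] != "UserLoggedIn":
            continue
        ip = ipaddress.ip_address(e["ClientIP"])
        known = any(ip in net for net in CORPORATE_NETS)
        if ts(e).hour not in WORK_HOURS or not known:
            hits.append((e["UserId"], e["ClientIP"], e["CreationTime"]))
    return hits

def failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Correlation rule: >= threshold failed logins for a user, then a successful
    login from the same IP within the window (credential guessing that worked)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["Operation"] in ("UserLoginFailed", "UserLoggedIn"):
            by_user[e["UserId"]].append(e)
    hits = []
    for user, seq in by_user.items():
        for i, e in enumerate(seq):
            if e["Operation"] != "UserLoggedIn":
                continue
            recent = [f for f in seq[:i] if f["Operation"] == "UserLoginFailed"
                      and f["ClientIP"] == e["ClientIP"] and ts(e) - ts(f) <= window]
            if len(recent) >= threshold:
                hits.append((user, e["ClientIP"], len(recent)))
    return hits

def role_assignments(events):
    """Privilege-abuse rule: every role membership change, with the role name."""
    hits = []
    for e in events:
        if e["Operation"] == "Add member to role.":
            roles = [p["NewValue"] for p in e.get("ModifiedProperties", [])
                     if p["Name"] == "Role.DisplayName"]
            hits.append((e["UserId"], roles[0] if roles else "?"))
    return hits

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def forwarding_rules(events):
    """Exfiltration rule: inbox rules that forward or redirect mail elsewhere."""
    return [(e["UserId"], p["Name"], p["Value"])
            for e in events if e["Operation"] in ("New-InboxRule", "Set-InboxRule")
            for p in e.get("Parameters", []) if p["Name"] in FORWARD_PARAMS]

def bulk_downloads(events, threshold=50, window=timedelta(minutes=10)):
    """Behavior rule: more than `threshold` downloads by one user inside a sliding
    time window (volume-based exfiltration); one alert per user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["Operation"] == "FileDownloaded":
            by_user[e["UserId"]].append(ts(e))
    hits = []
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                hits.append((user, end - start + 1))
                break
    return hits

if __name__ == "__main__":
    for rule in (off_hours_or_unknown_ip, failures_then_success, role_assignments,
                 forwarding_rules, bulk_downloads):
        print(rule.__name__, rule(EVENTS))
```

In a real deployment the thresholds, working hours, and address ranges come from the organization's baseline rather than constants, and the role and forwarding rules would normally be tuned with an allow-list of expected admin accounts and internal forwarding targets so that legitimate changes do not page the team.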

Are you looking for a SIEM to protect your MS Office 365? Talk to us today and find out how LogSentinel can help you protect your systems!
