Article Written by Jim Hansen, VP of Product Marketing at AlienVault

Although companies are rapidly adopting cloud computing
technologies and services, many organizations are aware that their cloud security
isn’t up to snuff. This was recently illustrated by the results of an
AlienVault survey of infosec professionals, which revealed
that 42 percent of respondents were concerned about their lack of visibility in
the cloud, while one-third described their cloud security monitoring as
“complex and chaotic.” However, when it comes to cloud security, the lack of a
comprehensive strategy could potentially be an extremely costly oversight for a
company, particularly if it fails to monitor Microsoft Office 365. Employees
use Office 365 services such as Exchange, OneDrive, and SharePoint, which are
targeted by an average of 2.7
new threats per month, to share
confidential and sensitive information internally and sometimes externally. For
this reason, it’s critical that organizations take steps to monitor and protect
against such threats. Below are five strategies that can help organizations secure
Office 365 environments.

1.     
Take a unified approach to security
management 

Organizations typically need a number of different security
capabilities to adequately monitor, effectively detect, and quickly respond to
threats in environments that include physical infrastructure, virtual
infrastructure, cloud infrastructure, and cloud services like Office 365. The
essential security monitoring capabilities include asset discovery,
vulnerability assessment, intrusion detection, behavioral monitoring and SIEM,
and organizations have traditionally leveraged point solutions to provide each
of these capabilities independently. However, managing multiple solutions
separately requires not only significant time and resources, but also creates
additional work as teams attempt (often unsuccessfully) to integrate new tools
into the existing infrastructure. For smaller or resource-constrained teams, which
generally don’t have the time or ability to do this effectively, the result is
often a deployment that fails to meet their security needs. In contrast, unified
security solutions, which incorporate all the necessary security
functionalities into a single platform, eliminate this issue entirely. By
providing organizations with the tools they need to gain comprehensive and
continual visibility into their cloud environments, a unified platform will enable
them to monitor their infrastructure, Office 365, and other cloud applications.

2.     
Prioritize direct access

While a unified solution simplifies security monitoring of Office
365 applications, it is also important to look for tools that have direct
access to Office 365’s rich API so organizations can better access, understand and
act on the comprehensive data that is unique to this environment. Such solutions
give organizations the ability to collect and analyze information around any activity
in Office 365 – such as what users are doing, what they’re accessing and where
they’re located – and also makes it easier for organizations to monitor for
potential threats against Office 365 applications.

3.     
Establish baseline metrics

Organizations can use the data obtained from the Office 365
API to establish a baseline of “normal” user activity. Once they have this,
they can easily identify anomalies, which are often indicators of suspicious activity
or threats. Because Office 365 internally tracks everything a user does (with each
activity receiving its own “event”), organizations can determine a range of “normal”
behavior for every type of user activity. These activities can range from
typical employee behaviors, such as sending emails and file creation, views and
deletions, to administrative tasks like the creation of new users, deletions of
users and modifications of permissions. Any activity that deviates from the
norm should then trigger a vulnerability assessment to reveal whether the anomaly
is an actual threat or merely a harmless irregularity.

4.     
Analyze events 

It’s critical that organizations monitor for and inspect all
anomalous events, but some are better than others at indicating a potential
threat. The following anomalous events in particular should be the most
alarming, and by extension are also the ones that demand the most immediate
attention:

• Modifications
  of user privileges
• User
  additions or deletions
• Sharing
  of information with people from external organizations
• Content
  sharing policy changes (such as via SharePoint or OneDrive)
• Changes
  in malware filter policy
• Changes
  in password policy
• Audit
  logging policy changes

Be
sure to prioritize response to these types of events to ensure that malicious
behavior is detected and can be remediated as quickly as possible to minimize
damage.

5.     
Automate Threat Detection 

Finally, organizations should implement correlation rules so
that they are alerted with a notification whenever suspicious activity is
detected on the network to ensure an appropriate response as quickly as
possible. For example, a rule should be created to alert the organization
whenever there’s an unexpected user login from an abnormal location. Upon
receiving that alert, the IT / security team can immediately check on that
user’s activity in real-time and contact the user to verify, if necessary. If the
person who logged in turns out to be an imposter, then the organization can
immediately take defensive actions to mitigate any potential damage.

Because it is so widely used, Office 365 provides a potential
springboard for hackers to launch malware, ransomware, phishing attacks and
other threats with the objective of penetrating an organizations internal
infrastructure and stealing sensitive information. These attacks are often
successful because they target vulnerable human employees, who can easily make
mistakes. Fortunately, with the right mix of security best practices and
unified solutions, organizations can effectively secure and monitor applications
like Office 365, greatly reducing the need to rely on the actions of their
users.

##

About the Author

Jim Hansen is vice president of product management overseeing all of AlienVault’s product development initiatives. He is responsible for providing strategic and tactical direction for the AlienVault Unified Security Management (USM) and Open Threat Exchange (OTX) product lines, as well as introducing new products into the marketplace. Jim joined AlienVault in 2013, bringing with him more than 15 years of experience in software consulting and product management, including most recently a director of product management role at Splunk.

Jim holds a BA in Information & Computer Science from UC Irvine.