We all know that change is constant; the only thing that does not change is change.
And we have seen that people's work expectations have really changed a lot. They want to bring their own devices to work. They want easy access to information wherever they are and from whatever device they have.
When you think about securing company data, there is also an evolving threat landscape. The way that hackers approach hacking has really changed, and so the ways that we need to protect ourselves have also changed.
And lastly, industry regulations and standards have not only changed but also increased. With things like cloud computing, we see people ask how the existing and new industry regulations and standards that companies have to comply with apply to this new world where customers don't have the computing resources on premises.
Many of these issues have influenced how organizations look at SaaS solutions.
For example, we have heard that 73% of enterprises indicated security as a top challenge holding back SaaS adoption.
We also know that 80% of employees admit to using non-approved SaaS apps in their jobs and that 87% of senior managers admit to regularly uploading work files to a personal email or cloud account. We have also heard that 75%+ of all network intrusions are due to compromised user credentials and that, once someone is in, the median number of days that attackers reside within a victim's network before detection is over 140.
Many organizations tell us that they have limited, if any, visibility and lack the controls necessary to help solve issues like these.
Enhanced visibility and control for Office 365
Insight into potential breaches
Identify anomalies in your Office 365 environment which may be indicative of a breach
Assess your risk
Leverage behavioral analytics to assess risk
Leverage Microsoft’s threat intelligence
Identify known attack pattern activities originating from risky sources leveraging Microsoft’s threat intelligence
To provide the threat detection that some organizations are looking for, Advanced Security Management gives you a robust policy and alerting engine that provides insight into potential breaches by letting you set up anomaly detection policies for your Office 365 environment. Anomalies are detected by scanning user activity and evaluating its risk. The risk is determined by looking at over 70 different indicators. Some of the risk factors are things like: login failures, administrator activity, inactive accounts, location, impossible travel, and device and user agent.
Setting up an anomaly detection policy is fairly straightforward. Most of the work is around deciding which of the risk factors (if not all of them) you want to monitor for, what the sensitivity of the policy should be, and the maximum number of daily alerts you want to receive. The reason you might want to limit the number of alerts is that an anomaly might not be an issue. For example, if your company opens a new office, Advanced Security Management may see all the new logins from that office as an anomaly until it learns that this is normal.
Advanced Security Management also leverages behavioral analytics as part of anomaly detection to assess risk in what your users are doing. It does this by understanding how the user interacts with Office 365 on a daily basis. Once it has this baseline, it can then determine if a user's activity or session is suspicious and give it a risk score to help you determine, as part of your investigation, whether you should take further action.
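To make the scoring idea concrete, here is an added example (my own illustration, not Advanced Security Management's code or its actual scoring model) that combines a few of the risk factors named above: login failures, a sign-in from a country outside the user's baseline, and impossible travel between two sign-ins. The sample events, the baseline countries, the indicator weights and the 1000 km/h travel limit are all constructed assumptions; the `threshold` argument stands in for the policy's sensitivity setting.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (hypothetical users and coordinates, not
# Office 365 audit data). Timestamps are UTC ISO-8601 strings.
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2016-06-01T08:05:00", "country": "US",
     "lat": 47.61, "lon": -122.33, "success": True},   # Seattle
    {"user": "alice", "time": "2016-06-01T08:40:00", "country": "RU",
     "lat": 55.75, "lon": 37.62, "success": True},     # Moscow, 35 minutes later
    {"user": "bob", "time": "2016-06-01T09:00:00", "country": "US",
     "lat": 40.71, "lon": -74.01, "success": False},
    {"user": "bob", "time": "2016-06-01T09:01:00", "country": "US",
     "lat": 40.71, "lon": -74.01, "success": False},
    {"user": "bob", "time": "2016-06-01T09:02:00", "country": "US",
     "lat": 40.71, "lon": -74.01, "success": False},
    {"user": "bob", "time": "2016-06-01T09:03:00", "country": "US",
     "lat": 40.71, "lon": -74.01, "success": True},
]

# Constructed baseline: the countries each user normally signs in from.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

# Travel faster than this between two sign-ins is treated as impossible.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0

# Indicator weights are assumptions chosen for this example, not the product's.
WEIGHTS = {
    "login_failure": 10,
    "success_after_failures": 20,
    "new_country": 30,
    "impossible_travel": 50,
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_impossible_travel(prev, curr, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """True if getting from prev to curr in the elapsed time exceeds max_speed_kmh."""
    dist = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if dist < 50:  # same metro area or geolocation jitter: never flag
        return False
    elapsed = datetime.fromisoformat(curr["time"]) - datetime.fromisoformat(prev["time"])
    hours = elapsed.total_seconds() / 3600
    if hours <= 0:
        return True
    return dist / hours > max_speed_kmh


def assess_risk(events, baseline_countries, threshold=50):
    """Score each user's sign-ins against several indicators.

    Returns {user: {"score": int, "indicators": [...], "alert": bool}}.
    `threshold` plays the role of the policy's sensitivity setting.
    """
    findings = {}
    last_success = {}
    consecutive_failures = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        f = findings.setdefault(user, {"score": 0, "indicators": []})
        if not ev["success"]:
            consecutive_failures[user] = consecutive_failures.get(user, 0) + 1
            f["score"] += WEIGHTS["login_failure"]
            f["indicators"].append("login_failure")
            continue
        # A successful sign-in right after a run of failures is itself suspicious.
        if consecutive_failures.get(user, 0) >= 3:
            f["score"] += WEIGHTS["success_after_failures"]
            f["indicators"].append("success_after_failures")
        consecutive_failures[user] = 0
        if ev["country"] not in baseline_countries.get(user, set()):
            f["score"] += WEIGHTS["new_country"]
            f["indicators"].append("new_country:" + ev["country"])
        prev = last_success.get(user)
        if prev is not None and is_impossible_travel(prev, ev):
            f["score"] += WEIGHTS["impossible_travel"]
            f["indicators"].append("impossible_travel")
        last_success[user] = ev
    for f in findings.values():
        f["alert"] = f["score"] >= threshold
    return findings


if __name__ == "__main__":
    for user, result in assess_risk(SAMPLE_EVENTS, BASELINE_COUNTRIES).items():
        print(user, result)
```

With the default threshold both users alert: alice because a Seattle-to-Moscow hop in 35 minutes is impossible travel from a non-baseline country, bob because three failures followed by a success reach the threshold exactly. Raising `threshold` to 60 keeps alice's alert and drops bob's, which is the sensitivity trade-off the text describes.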
Advanced Security Management is also enhanced with the vast amount of threat intelligence information that Microsoft has. Microsoft's unique insights into the threat landscape, informed by trillions of signals from billions of sources, uniquely position it to better protect customers and their data.
As I mentioned earlier, another big focus for Advanced Security Management is providing enhanced controls, which is done through another set of policies called activity policies. These policies give you the ability to track specific activities that you are interested in. Out of the box, there are templates that you can use to easily create policies that help you see when someone is downloading a lot of data, has multiple failed logon attempts, or logs in from a new IP address. You will also likely want to create additional policies that are more customized to your unique environment, and you can do this too. Using activity filters you can look for specific items like the location of the person, a user or group, the device type (mobile, PC, tablet), the IP address, whether a new user is created, or whether someone is granted admin rights. Based on these activities happening once or a repeated number of times in a specific timeframe, you can create an alert or notify someone in IT.
The alerts are what give you visibility into the activities that you want monitored, and Advanced Security Management gives you an easy way to see all of them and start your investigation. Some alerts alone, like a user logging in from a new location, might not be an issue, as they might be on vacation and using Office 365 to check mail. However, you might want to check whether they are doing other things that might be suspect, like accessing documents that you know are sensitive or failing to log in multiple times. To help you with this, Advanced Security Management gives you the power to drill down and get additional details around what else the user was doing, or around the IP address being used, as it might have additional activities that this user or other users have done.
Based on the investigation, you might deem that the behavior is risky and you want to stop the user from doing anything else. Instead of going into another section of the Office 365 management console to suspend the user’s account, you can do that directly from the alert. Microsoft also knows that sometimes the activities you are monitoring for are so risky that if they are discovered you may not want to wait for an IT Pro to review the alert and suspend the account. To help with this, you can configure a policy so that an account is automatically suspended if the activity takes place.
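The activity-policy mechanics described in the last three paragraphs (a template per activity, optional filters, a count-within-timeframe trigger, and an alert or an automatic suspension as the response) can be shown end to end with a small policy engine. This is an added example I wrote for this post, not Advanced Security Management's own code; the activity records, action names, user names, RFC 5737 example IP addresses and policy thresholds are all constructed, and the list of "known" IPs stands in for the history the product would already have.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _burst(user, action, start, count, step_seconds, ip, device):
    """Build `count` constructed audit records for one user, `step_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [
        {"time": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
         "user": user, "action": action, "ip": ip, "device": device}
        for i in range(count)
    ]


# Constructed activity records (hypothetical users and RFC 5737 example IPs,
# not real Office 365 audit log output). Action names are illustrative.
SAMPLE_ACTIVITIES = (
    _burst("carol", "FileDownloaded", "2016-06-01T10:00:00", 12, 20, "203.0.113.5", "PC")
    + _burst("dave", "UserLoginFailed", "2016-06-01T10:30:00", 5, 30, "203.0.113.9", "PC")
    + _burst("erin", "UserLoggedIn", "2016-06-01T11:00:00", 1, 0, "198.51.100.7", "mobile")
    + _burst("frank", "UserLoggedIn", "2016-06-01T11:05:00", 1, 0, "192.0.2.10", "mobile")
)

# Constructed list of IP addresses each user has signed in from before.
KNOWN_IPS = {"erin": {"192.0.2.10"}, "frank": {"192.0.2.10"}}

# Three policies modelled on the templates the text names. `threshold` matching
# records within `window_minutes` for one user triggers the response.
POLICIES = [
    {"name": "Mass download", "action": "FileDownloaded", "filters": {},
     "threshold": 10, "window_minutes": 5, "response": "alert"},
    {"name": "Multiple failed logons", "action": "UserLoginFailed", "filters": {},
     "threshold": 5, "window_minutes": 10, "response": "suspend"},
    {"name": "Logon from new IP (mobile)", "action": "UserLoggedIn",
     "filters": {"device": "mobile"}, "new_ip_only": True,
     "threshold": 1, "window_minutes": 1, "response": "alert"},
]


def matches(policy, record, known_ips):
    """Does this record satisfy the policy's action, field filters and new-IP test?"""
    if record["action"] != policy["action"]:
        return False
    for field, wanted in policy.get("filters", {}).items():
        if record.get(field) != wanted:
            return False
    if policy.get("new_ip_only") and record["ip"] in known_ips.get(record["user"], set()):
        return False
    return True


def evaluate(records, policies, known_ips):
    """Run every policy over the records in time order.

    Returns (alerts, suspended): the alerts raised, and the users whose accounts
    a `suspend` policy would have disabled automatically.
    """
    windows = defaultdict(deque)  # (policy name, user) -> times of matching records
    alerts, suspended = [], set()
    for rec in sorted(records, key=lambda r: r["time"]):
        ts = datetime.fromisoformat(rec["time"])
        for pol in policies:
            if not matches(pol, rec, known_ips):
                continue
            q = windows[(pol["name"], rec["user"])]
            q.append(ts)
            cutoff = ts - timedelta(minutes=pol["window_minutes"])
            while q and q[0] < cutoff:        # drop records outside the sliding window
                q.popleft()
            if len(q) >= pol["threshold"]:
                alerts.append({"policy": pol["name"], "user": rec["user"],
                               "ip": rec["ip"], "count": len(q), "time": rec["time"]})
                if pol["response"] == "suspend":
                    suspended.add(rec["user"])
                q.clear()                      # one burst produces one alert
    return alerts, suspended


if __name__ == "__main__":
    found, disabled = evaluate(SAMPLE_ACTIVITIES, POLICIES, KNOWN_IPS)
    for a in found:
        print(a)
    print("auto-suspended:", sorted(disabled))
```

Running it yields one mass-download alert for carol (her ten downloads within five minutes, with the two that follow not re-alerting), one failed-logon alert for dave that also lands him on the auto-suspend list, and one new-IP alert for erin; frank signs in from an IP already in his history, so his record matches nothing. Clearing the window after an alert is the design choice that keeps one burst from paging IT ten times.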
We have also heard from organizations that they are looking for better control and visibility into the applications that users are plugging into Office 365. Usually when users leverage applications they are unaware of what the app has permissions to; they are just trying to be more productive. To help IT Pros get better visibility and context into these apps, we give them a way to see these apps, which users are using them, and the permissions they have. Based on this information, they have the ability to ban that application's use for all users.
Advanced Security Management also gives you the ability to discover information and get insights into your Office 365 usage and other cloud services to help you with any shadow IT problems. This is done through the Productivity App Discovery dashboard, which makes it easy for you to get a snapshot of pertinent information around your Office 365 usage. You can see things like the amount of traffic your Office 365 use is generating, the number of users, and who the top users of Office 365 are.
It also gives you the ability to see if your users are leveraging other productivity cloud services. With the ability to discover about 1000 applications that fall into categories like collaboration, cloud storage, webmail, and others, you can better determine if there is shadow IT happening in your organization. Advanced Security Management also gives you details around the top apps in each category. For example, you can see how much data is being sent to cloud storage services like OneDrive for Business, Box, Dropbox and other similar providers.
What is also great about this solution is that there is nothing to install on the user endpoints to collect this data. Microsoft knows that it is not always possible to install an agent on a device, maybe because you have a BYOD program and you don't want to install an agent on the user's device. To load the data into the dashboard, all you have to do is take the logs from your network devices, like your firewall or proxy, and upload them via an easy-to-use UI. There is support for many network vendors, including Blue Coat, Check Point, Cisco, Juniper, Microsoft, Palo Alto, and Websense.
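To show what the discovery dashboard is computing from those uploaded logs, here is an added example of my own (not the product's parser or its app catalogue) that reads a constructed proxy log, maps each destination host to an app and category, and produces the three views the last few paragraphs mention: Office 365 traffic and top users, upload volume per category, and which cloud storage services other than OneDrive for Business are receiving company data. The log layout is a generic six-field format I made up for the example, not any of the named vendors' export formats; the hostnames, users, byte counts and the tiny catalogue are all constructed.

```python
from collections import defaultdict

# Constructed proxy log excerpt in a generic space-separated layout:
#   timestamp user client_ip destination_host bytes_sent bytes_received
# This is not the export format of any particular vendor; a real loader would
# map each vendor's fields onto these same six values.
SAMPLE_PROXY_LOG = """\
2016-06-01T09:00:01 alice 10.0.0.11 outlook.office365.com 1200 88000
2016-06-01T09:02:14 alice 10.0.0.11 contoso-my.sharepoint.com 5400000 2300
2016-06-01T09:05:40 bob 10.0.0.12 www.dropbox.com 73000000 4100
2016-06-01T09:07:02 carol 10.0.0.13 mail.google.com 8200 150000
2016-06-01T09:08:19 bob 10.0.0.12 app.box.com 12000000 900
2016-06-01T09:09:55 alice 10.0.0.11 www.dropbox.com 256000 1200
2016-06-01T09:12:30 dave 10.0.0.14 intranet.contoso.local 3000 40000
"""

# Constructed catalogue mapping hostnames to (app, category). A real catalogue
# covers on the order of a thousand apps; this one covers only the sample hosts.
APP_CATALOG = {
    "outlook.office365.com": ("Office 365", "webmail"),
    "contoso-my.sharepoint.com": ("Office 365", "cloud storage"),  # OneDrive for Business
    "www.dropbox.com": ("Dropbox", "cloud storage"),
    "app.box.com": ("Box", "cloud storage"),
    "mail.google.com": ("Gmail", "webmail"),
}


def parse_proxy_log(text):
    """Parse the six-field lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, client_ip, host, sent, received = parts
        try:
            records.append({"time": ts, "user": user, "client_ip": client_ip,
                            "host": host, "bytes_sent": int(sent),
                            "bytes_received": int(received)})
        except ValueError:
            continue  # non-numeric byte counts: skip the line
    return records


def summarize(records, catalog=APP_CATALOG):
    """Aggregate uploads by app and category, users per app, and Office 365 traffic per user."""
    upload_by_app = defaultdict(int)
    users_by_app = defaultdict(set)
    upload_by_category = defaultdict(int)
    o365_traffic_by_user = defaultdict(int)
    for r in records:
        app, category = catalog.get(r["host"], ("Unclassified", "other"))
        upload_by_app[app] += r["bytes_sent"]
        users_by_app[app].add(r["user"])
        upload_by_category[category] += r["bytes_sent"]
        if app == "Office 365":
            o365_traffic_by_user[r["user"]] += r["bytes_sent"] + r["bytes_received"]
    return {
        "upload_by_app": dict(upload_by_app),
        "users_by_app": {a: sorted(u) for a, u in users_by_app.items()},
        "upload_by_category": dict(upload_by_category),
        "top_o365_users": sorted(o365_traffic_by_user.items(),
                                 key=lambda kv: kv[1], reverse=True),
    }


def shadow_storage_apps(summary, catalog=APP_CATALOG):
    """Cloud storage apps other than Office 365 that were seen, largest upload first."""
    storage_apps = {app for app, cat in catalog.values()
                    if cat == "cloud storage" and app != "Office 365"}
    seen = [(app, b) for app, b in summary["upload_by_app"].items() if app in storage_apps]
    return sorted(seen, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    s = summarize(parse_proxy_log(SAMPLE_PROXY_LOG))
    print("Office 365 top users:", s["top_o365_users"])
    print("Uploads by category:", s["upload_by_category"])
    print("Shadow cloud storage:", shadow_storage_apps(s))
```

On the sample log the shadow-IT view is the useful one: Dropbox has received about 73 MB from two different users and Box 12 MB, while the sanctioned OneDrive for Business tenant has received 5.4 MB. Hosts the catalogue does not know (here the intranet server) fall into an "Unclassified" bucket rather than being silently dropped, so a gap in the catalogue stays visible.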