In the rush to enable a remote workforce with Office 365 capabilities like Microsoft Teams, organizations may not have fully planned and researched security configurations for Office 365 and Azure Active Directory. This is the concern of the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and why they issued alert AA20-120A last week.
This blog post will outline the CISA alert, prior CISA advice for securing Office 365 and point you to a TEC Talk by Microsoft Certified Master Sean Metcalf (@PyroTek3) that addresses the 10 (and more) Azure AD and Office 365 security tasks to do now!
CISA AA20-120A & AR19-133A: Microsoft Office 365 Security Observations & Recommendations
In May 2019, CISA issued an Analysis Report (AR19-133A) to help organizations take even simple steps to harden their Office 365 security, especially if they relied on a third-party provider to set up and configure their environment. They had found that organizations had several security features disabled (e.g., mailbox auditing, unified audit log, multi-factor authentication on admin accounts), which left those organizations more exposed to mailbox compromise and to attackers establishing persistence.
Given the rapid nature of O365 and Teams deployments due to “work from home” orders, CISA felt it necessary to issue an alert reminding organizations of the observations in their earlier report and reiterating their mitigation recommendations. Specifically, they encourage organizations to implement the following:
- Use multi-factor authentication (did you know only 11% of enterprise accounts use MFA and 99% of compromised accounts did not use MFA? That’s according to Microsoft).
- Protect Global Admins from compromise and use the principle of “Least Privilege.”
- Enable unified audit logging in the Security and Compliance Center.
- Enable Alerting capabilities.
- Integrate with organizational SIEM solutions.
- Disable legacy email protocols, if not required, or limit their use to specific users.
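An added example (not from CISA, Microsoft or the original post) for the last recommendation: before disabling legacy email protocols or limiting them to specific users, find out who still signs in with them. It assumes sign-in records exported as JSON lines carrying the `userPrincipalName`, `clientAppUsed` and `status.errorCode` fields of Azure AD sign-in logs; the sample records, the allow-list and the function names are constructed for illustration.

```python
import json

# Legacy email protocols as reported in the clientAppUsed field of Azure AD
# sign-in records (a subset; extend it to match what your tenant logs).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}

# Constructed sample export (JSON lines), not real tenant data.
SAMPLE_SIGNINS = """
{"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"userPrincipalName": "Carol@Example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
truncated-line-from-a-bad-export
""".splitlines()

# Hypothetical allow-list: accounts that are permitted to keep a legacy protocol.
APPROVED = {"scanner@example.com"}


def legacy_usage(lines, approved=APPROVED):
    """Return per-user legacy-protocol sign-in counts from JSON-lines records."""
    report = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip rather than abort the audit
        if not isinstance(rec, dict) or rec.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue  # modern-auth client or unusable record
        user = str(rec.get("userPrincipalName", "")).lower()  # UPNs are case-insensitive
        entry = report.setdefault(user, {"protocols": set(), "success": 0,
                                         "failure": 0, "approved": user in approved})
        entry["protocols"].add(rec["clientAppUsed"])
        # errorCode 0 is a successful sign-in; anything else failed.
        ok = (rec.get("status") or {}).get("errorCode") == 0
        entry["success" if ok else "failure"] += 1
    return report


def unapproved_users(report):
    """Users seen on legacy protocols who are not on the allow-list."""
    return sorted(user for user, entry in report.items() if not entry["approved"])


if __name__ == "__main__":
    usage = legacy_usage(SAMPLE_SIGNINS)
    for user in unapproved_users(usage):
        e = usage[user]
        print(user, sorted(e["protocols"]), "ok:", e["success"], "failed:", e["failure"])
```

Accounts that appear only with failed legacy sign-ins are worth a separate look before the protocol is switched off, since nobody legitimate may depend on it for them.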
Where do I start on the journey to secure my Office 365 environment?
Starting with the CISA alert and report is a good first step, but you actually need to implement these recommendations.
We recently held a TEC Talk with Microsoft Certified Master and The Experts Conference (TEC) 2019 and 2020 keynote speaker, Sean Metcalf, on the 10 Security Actions to Take Now for your Office 365 and Azure AD environment. This is an excellent place to start to get the “how-to” for securing your environment. Sean always goes out of his way to provide information you can use immediately, and he did just that in our TEC Talk with him.
This is not a Quest product pitch, but pure training in the spirit of our AD and Office 365 training conference: www.TheExpertsConference.com (November 17-18, 2020 in Atlanta, GA).
Sean covers:
- Current Threat Landscape, including password spraying, password reuse/replay and consent abuse
- Top 10 Security Best Practices (OK, more like 12)
- Putting it all together, including links to resources and his Office 365 security checklist
- Recorded Q&A from the live event
Watch it here as well as our other recorded TEC Talks (more to be uploaded soon)!
Then download this eBook: “Office 365 and Azure AD Security Events to Monitor During the COVID-19 Crisis.” This eBook will help you:
- Identify the pitfalls you are most likely to encounter when pulling audit reports natively
- Understand the subtle differences in auditing between Azure and Office 365
- Track 10 security events that will keep your cloud environment secure