
February 5, 2020 By Sridhar Karnam

How to secure Office365 with Cloud SIEM

SaaS adoption is continuously on the rise, and so is the number of companies migrating their email services to Microsoft Office365. It is the most widely used SaaS suite: over 90% of enterprises use Office in some form, yet fewer than a quarter have migrated to the cloud-based suite. That share is growing steadily as cloud adoption rates increase.

The Cybersecurity and Infrastructure Security Agency (CISA) has noted that many companies moving their core operations to the cloud rely on third parties to do so, and that the migration itself carries significant security risk: the O365 suite is both a favorite target for attackers and a common vector for email phishing. None of this should stop you from using the world's most widely deployed collaboration suite; instead, you should learn how to use it safely, with the O365 tenant hardened and its audit data feeding a SIEM.

In this article, we will cover:

  • The most common misconfiguration risks in an Office365 tenant
  • How to mitigate those risks
  • How Sumo Logic Cloud SIEM helps you secure your Office365 tenant

O365 SIEM: Understanding Office365 default configuration vulnerabilities for cloud migration

As more companies move to the cloud with O365, CISA has identified a set of default configurations that pose security risks during and after migration. Best practices for mitigating them follow in the next section.

1. Multi-factor authentication is disabled for administrator accounts.

According to CISA, Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. These accounts are created so that administrators can begin configuring the tenant and eventually migrate their users, but by default, multi-factor authentication (MFA) is not enabled for them. In CISA's words: "There is a default Conditional Access policy available to customers, but the Global Administrator must explicitly enable this policy in order to enable MFA for these accounts. These accounts are exposed to internet access because they are based in the cloud. If not immediately secured, these cloud-based accounts could allow an attacker to maintain persistence as a customer migrates users to O365." (The policy CISA refers to was the "require MFA for admins" baseline policy; Microsoft has since replaced baseline policies with security defaults, which still have to be turned on or replaced by your own Conditional Access policy.)

2. Mailbox auditing is disabled.

The O365 mailbox auditing function logs actions that mailbox owners, delegates and administrators perform. However, this function only became enabled by default in January 2019. If your O365 tenant was provisioned before then, you may have to enable mailbox auditing manually, so verify it rather than assume it.

What's more, the O365 environment still does not enable the unified audit log by default. This log (which contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, Power BI and other O365 services) must be enabled by an administrator in the Security and Compliance Center before it can be searched or exported to a SIEM.

3. Password sync is enabled.

When users migrate to O365, Azure AD Connect integrates the on-premises environment with Azure AD. When password hash synchronization is enabled, the password from on-premises overwrites the password in Azure AD. If an on-premises AD identity was compromised before migration, the attacker can use that password to sign in to the cloud directly as soon as the account is synced.

4. Legacy protocols do not support modern authentication.

O365 uses Azure AD to authenticate to Exchange Online (EO), which provides email services. However, some protocols used with EO do not support modern authentication, and therefore cannot enforce MFA. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP) and Simple Mail Transfer Protocol (SMTP). Older email clients use these legacy protocols with Basic authentication, so an attacker who obtains or guesses a password can use them to bypass MFA entirely. (Microsoft has since retired Basic authentication for most Exchange Online protocols, with SMTP AUTH still controllable per tenant; wherever it remains allowed, the risk described here still applies.)

O365 SIEM: Mitigating Office365 vulnerabilities with SIEM

Define and enforce a cloud security strategy across your entire organization; it is key to defending against attacks related to your O365 migration and day-to-day use. Here are the best practices administrators should follow:

1. Implement multi-factor authentication for every account, starting with Global Administrators, and reset passwords whenever compromise is suspected. This is by far the best technique to protect your O365 user credentials from theft. You can find a useful training video for how to set up MFA here, and another video on completing the setup, here.

2. Enable unified audit logging in the Security and Compliance Center. This function tracks users and their activity across all of the O365 services and is the data source your SIEM will consume. You can find instructions on how to switch on this function right here.

3. Enable mailbox auditing for each user. Since January 2019, mailbox auditing has been on by default for all user mailboxes, but if you purchased O365 before that date you may have to enable it manually. Note also that with the tenant-wide default, only mailboxes with an E5 license return mailbox audit events in unified audit log searches; enabling auditing explicitly per mailbox makes the events searchable for everyone. If you're not sure when you purchased it, you can verify whether this function is enabled by following the instructions outlined here.

4. Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users, and reset any on-premises accounts you suspect were compromised before they are synced. Find out everything you need to know about this process here.

5. Disable legacy email protocols, if not required, or limit their use to specific users. This can be done with Conditional Access (block legacy authentication clients) and, at the Exchange Online level, with authentication policies that deny Basic authentication and by disabling POP and IMAP per mailbox; the Conditional Access process is described here.
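Steps 1, 2, 3 and 5 above can be checked and applied from Exchange Online PowerShell. The following script is an added example written for this article (not Microsoft's or Sumo Logic's code): it assumes the ExchangeOnlineManagement and MSOnline modules are installed, that the signed-in account holds the Global Administrator and Exchange Administrator roles, and uses an assumed policy name ("Block Basic Auth") and an assumed exception list for devices that still need POP or IMAP. Step 4 (password sync) is a migration design decision and is not scripted here.

```powershell
# Added example: apply CISA's O365 hardening items from Exchange Online PowerShell
# and verify the result. The Set-* calls change tenant-wide settings; try it in a
# test tenant first.

Connect-ExchangeOnline      # interactive, MFA-capable sign-in
Connect-MsolService

# 1. Global Administrators without per-user MFA enforcement.
#    MFA enforced only through Conditional Access does not show up here, so an
#    empty StrongAuthenticationRequirements list means "check your Conditional
#    Access policies", not "MFA is missing".
$gaRole = Get-MsolRole -RoleName "Company Administrator"   # internal name of Global Administrator
Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object {
        $u = Get-MsolUser -UserPrincipalName $_.EmailAddress
        [pscustomobject]@{
            GlobalAdmin = $u.UserPrincipalName
            PerUserMfa  = $u.StrongAuthenticationRequirements.Count -gt 0
        }
    } | Format-Table -AutoSize

# 2. Unified audit log ingestion (the Security and Compliance Center switch).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 3. Mailbox auditing: keep the tenant-wide default on, and enable it explicitly
#    on every user mailbox so the events are searchable regardless of license.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true }

# 5. Legacy protocols: a new authentication policy denies Basic authentication for
#    every protocol unless an -AllowBasicAuth<Protocol> switch is given. Make it the
#    tenant default, then turn off POP/IMAP on mailboxes that do not need them.
$policyName = "Block Basic Auth"                       # assumed name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

$legacyExceptions = @("scanner-relay@contoso.com")    # assumed: devices that still need POP/IMAP
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { ($_.PopEnabled -or $_.ImapEnabled) -and
                   ($_.PrimarySmtpAddress -notin $legacyExceptions) } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false }

# Verify: the first two lines should show ingestion on, auditing not disabled and
# the policy set; the last should list only the documented exceptions.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig  | Select-Object AuditDisabled, DefaultAuthenticationPolicy
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
```

The authentication policy blocks Basic authentication even for users whose license does not include Conditional Access, and the per-mailbox POP/IMAP switch removes the protocol surface altogether; use both, and keep the exception list short and reviewed.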

Securing your Office365 cloud suite with Cloud SIEM integrations

In addition to the risks outlined above, poor visibility into business-critical apps, including Office365, is one of the biggest pain points for security professionals. Cloud SIEM gives you security and compliance visibility for all of your key SaaS apps, including O365, which makes it a strong choice for securing your cloud infrastructure while you migrate.

Sumo Logic Cloud SIEM covers all three pillars of SaaS security (users, administrators and data) that businesses shifting to the cloud often neglect. With our solution, you not only gain full visibility into O365 and other business apps, you also gain the ability to monitor, audit and analyze them in real time. We already have 250 satisfied customers.

The top use cases of cloud SIEM for Office365 include the following:

FOR USERS:

1. Monitoring all user actions to detect compromised accounts. You have to know who logs in, from where, when and what for, and Sumo Logic Cloud SIEM gives you all of it.
2. Monitoring all Azure AD logins. You need to understand what behavior is normal for each user and be alerted to any anomaly immediately.

[Figure: Admin Activities with Exchange overview. The Sumo Logic Cloud SIEM dashboard shows all activities of admins and privileged users on Office 365.]

FOR ADMINISTRATORS:

1. Monitoring service availability. Cloud SIEM lets you analyze the state of the service and alert immediately on availability issues.
2. Monitoring network performance. This helps you plan network bandwidth and adjust requirements accordingly.
3. Monitoring mailbox deletion on Exchange. You are alerted before an unwanted deletion turns into data loss.

FOR DATA:

1. SharePoint: monitoring sites shared outside your organization. Make sure you are alerted when sites are shared with external entities or known malicious hosts.
2. SharePoint: monitoring data loss. Integrity of your data should be your top cloud security concern, so you must know who has access to it, who is changing it and who is sharing it outside your company.
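To make the use cases above concrete, here is an added example (not Sumo Logic content-pack logic or Microsoft code) that runs four of those detections locally over a handful of constructed records in the JSON shape of the unified audit log, the same AuditData records that Search-UnifiedAuditLog returns and that a SIEM ingests. The IP ranges, tenant domain, user names and record values are all made up for the example; a real pipeline would pull the records from the Office 365 Management Activity API or the PowerShell cmdlet instead of the inline string.

```powershell
# Added example: user, administrator and data detections over unified audit log
# records. Records below are constructed and simplified; real records carry more
# fields (RecordType, OrganizationId, ExtendedProperties, ...).

$corporateRanges = @("203.0.113.")     # assumed: prefixes of your egress IP ranges
$tenantDomain    = "contoso.com"       # assumed tenant domain

$records = @'
[
 {"CreationTime":"2020-02-03T08:12:44","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory",
  "UserId":"alice@contoso.com","ClientIP":"203.0.113.10","ResultStatus":"Succeeded"},
 {"CreationTime":"2020-02-03T23:41:02","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory",
  "UserId":"alice@contoso.com","ClientIP":"198.51.100.77","ResultStatus":"Succeeded"},
 {"CreationTime":"2020-02-03T23:42:10","Operation":"MailboxLogin","Workload":"Exchange",
  "UserId":"alice@contoso.com","ClientIP":"198.51.100.77","ClientInfoString":"Client=POP3/IMAP4;Protocol=IMAP4"},
 {"CreationTime":"2020-02-04T10:05:31","Operation":"Remove-Mailbox","Workload":"Exchange",
  "UserId":"admin@contoso.com","ObjectId":"bob@contoso.com"},
 {"CreationTime":"2020-02-04T11:20:00","Operation":"SharingInvitationCreated","Workload":"SharePoint",
  "UserId":"carol@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/finance/Budget.xlsx",
  "TargetUserOrGroupName":"someone@gmail.com","TargetUserOrGroupType":"Guest"},
 {"CreationTime":"2020-02-04T11:25:00","Operation":"SharingSet","Workload":"SharePoint",
  "UserId":"carol@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/finance/Notes.docx",
  "TargetUserOrGroupName":"dave@contoso.com","TargetUserOrGroupType":"Member"}
]
'@ | ConvertFrom-Json

function Test-CorporateIp([string]$ip) {
    foreach ($prefix in $corporateRanges) { if ($ip.StartsWith($prefix)) { return $true } }
    return $false
}

function New-Alert($severity, $rule, $record, $detail) {
    [pscustomobject]@{ Time = $record.CreationTime; Severity = $severity
                       Rule = $rule; User = $record.UserId; Detail = $detail }
}

$alerts = foreach ($r in $records) {
    switch ($r.Operation) {
        # Users: successful sign-in from outside the known ranges.
        "UserLoggedIn" {
            if ($r.ResultStatus -eq "Succeeded" -and -not (Test-CorporateIp $r.ClientIP)) {
                New-Alert "Medium" "Login from unfamiliar IP" $r $r.ClientIP
            }
        }
        # Users: mailbox access over a legacy protocol, which should no longer be possible.
        "MailboxLogin" {
            if ($r.ClientInfoString -match "POP3|IMAP4") {
                New-Alert "High" "Legacy protocol mailbox login" $r $r.ClientInfoString
            }
        }
        # Administrators: mailbox deletion on Exchange.
        "Remove-Mailbox" {
            New-Alert "High" "Mailbox deleted" $r $r.ObjectId
        }
        # Data: SharePoint content shared with a guest, an external address or anonymously.
        { $_ -in "SharingInvitationCreated", "SharingSet", "AnonymousLinkCreated" } {
            $external = ($r.Operation -eq "AnonymousLinkCreated") -or
                        ($r.TargetUserOrGroupType -eq "Guest") -or
                        ($r.TargetUserOrGroupName -and $r.TargetUserOrGroupName -notlike "*@$tenantDomain")
            if ($external) {
                New-Alert "Medium" "External sharing" $r "$($r.ObjectId) -> $($r.TargetUserOrGroupName)"
            }
        }
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize
```

The SharingSet record to an internal member produces no alert, while the guest invitation does; correlating the unfamiliar-IP login with the IMAP mailbox login from the same address minutes later is exactly the kind of join a SIEM does for you once these records are ingested, and it is the signal that step 5 of the previous section is meant to remove.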


                  Sridhar Karnam

                  Senior Director of Product Marketing

                  Sridhar Karnam leads the security product marketing for Sumo Logic. Sri has a decade of experience with SIEM, Security Analytics, Cloud Security, and IT Operations. He has led product management & marketing for SIEM solutions at ArcSight, Arctic Wolf, and at Oracle. He has written hundreds of blogs on SIEM, and has also spoken at many security and IT events.
