Tier 1 clouds from vendors like Microsoft are secure, but customers must use them securely. Because of the complexity of the many features that compose the Office 365 suite, selecting the appropriate set of controls is challenging. Microsoft is adding new services and improving existing features in Office 365, but the company has not fully integrated and optimized the security management aspects of the suite. For your organization, this means that, as you deploy Office 365, your security team will have an array of inconsistent and overlapping tools to help secure your Office tenant. As a result, the team will have to either manage each service in a different way or augment Office 365 with a third-party security solution, such as a cloud access security broker (CASB). The latter approach simplifies and centralizes not only Office 365 management and security, but also that of all major and even some custom SaaS applications, in a single console. The scope of this assessment encompasses Office 365 security management and access.
Microsoft has built basic anti-malware protection into Exchange and SharePoint in all Office 365 license levels. These basic anti-malware features are tightly integrated with Office 365 and are a good starting point for securing your tenant.
Exchange Online Protection
EOP is a cloud-based email-filtering solution that can protect both on-premises and Office 365-based Exchange infrastructures from spam and malware. EOP contains three anti-malware engines: Windows Defender and two other unnamed solutions. Microsoft states that the other two engines are monitored for performance and can be replaced if their efficacy starts to fall. Multiple anti-malware engines provide a higher chance of detecting known malware than a single engine. The EOP service can update each anti-malware engine as often as every hour. Microsoft has made enhancements in this area, and we now see fewer clients reporting issues. However, we still recommend that companies run EOP and their in-house anti-spam solution in parallel for several months. This approach allows time to tune the EOP spam detection feature. Microsoft has observed two patterns when it investigates reports of missed spam:
- Several customers have very permissive misconfigurations that bypass the majority of the EOP filtering stack through overly open transport rules and safe-sender lists.
- A lot of what customers report as spam is actually “bulk” email, which can be adjusted with the bulk setting at the tenant level.
To help with this, Microsoft has recently made enhancements, not only to improve the filtering stack, but also to give customers insight into configurations that are undermining its effectiveness. For bulk email, Microsoft recommends changing the setting from the default to a value that matches the needs of the organization.
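The two misconfigurations above can be audited from Exchange Online PowerShell. The script below is an added example, not part of the original article: it lists transport rules that stamp SCL -1 (which bypasses spam filtering for every message they match), shows the safe-sender lists and bulk threshold on each anti-spam policy, and then sets an explicit bulk threshold. The admin account, the threshold value and the use of the ExchangeOnlineManagement module are assumptions.

```powershell
# Added example (not from the original article). Assumes the
# ExchangeOnlineManagement module and an Exchange Online admin account.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Transport (mail flow) rules that set SCL -1 skip spam filtering for every
#    message they match; a rule with no sender condition whitelists all inbound mail.
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.Name
        State         = $_.State
        SenderDomains = ($_.SenderDomainIs -join ',')
        Senders       = ($_.From -join ',')
        Unconditional = ($_.SenderDomainIs.Count -eq 0 -and $_.From.Count -eq 0)
    }
} | Format-Table -AutoSize

# 2. Safe-sender lists and the bulk complaint level (BCL) threshold per anti-spam policy.
Get-HostedContentFilterPolicy |
    Select-Object Name, BulkThreshold, BulkSpamAction,
        @{ n = 'AllowedSenderCount';  e = { $_.AllowedSenders.Count } },
        @{ n = 'AllowedSenderDomains'; e = { $_.AllowedSenderDomains -join ',' } } |
    Format-Table -AutoSize

# 3. Tighten the bulk threshold on the default policy. BCL runs from 1 to 9; a lower
#    threshold treats more bulk mail as spam. The value 6 is an assumption for this
#    example; pick the level that fits the organization's tolerance for bulk mail.
Set-HostedContentFilterPolicy -Identity Default -BulkThreshold 6
```

Review the Unconditional column first: an enabled SCL -1 rule without a sender condition is the "very permissive" pattern Microsoft describes.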
SharePoint/OneDrive Anti-Malware (Updated)
Microsoft’s anti-malware engine is enabled by default on all systems across the service. For any file uploaded to a document library, the engine will scan for malware, but the scan is not in real time. There is a short period between the file upload and the malware detection, in which another user could possibly download an infected file. Malware scanning used to work only on files that were 25 MB or smaller, but it now handles files of any size. The anti-malware engine does not support automatic deletion of infected files. Once a file is detected as infected, it remains in SharePoint; users get an on-screen warning message when they try to download it, and other actions on the file, such as sharing and copying, are blocked. An audit event is generated when an infected file is found, and admins can create a custom alert in the Office 365 Security & Compliance Center (SCC).
The SharePoint anti-malware setting is not manageable in Office 365, so you will have to rely on the effectiveness of Microsoft’s engine to prevent malware, along with the other limitations mentioned above. Microsoft’s SLA does state that the company will detect 100% of known viruses. For more advanced and zero-day attacks, Microsoft has rolled out its Safe Attachments sandboxing technology, currently part of ATP, for more advanced malware protection. This will help with detecting attacks like ransomware.
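Because the engine itself cannot be tuned, the practical controls are the audit event it writes and what users may do with a flagged file. The script below is an added example, not part of the original article: it pulls the SharePoint/OneDrive malware-detection audit events for the last week, flattens them for review or SIEM export, and then turns on the tenant setting that blocks downloads of infected files outright (by default users get the warning described above but can still download). The tenant name, export path, look-back window and the use of the ExchangeOnlineManagement and SharePoint Online Management Shell modules are assumptions.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# and Microsoft.Online.SharePoint.PowerShell modules and a global admin account.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$end   = Get-Date
$start = $end.AddDays(-7)   # look-back window is an assumption

# FileMalwareDetected is the unified audit log operation written when the
# SharePoint/OneDrive engine flags a file.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations FileMalwareDetected -ResultSize 5000

# AuditData is a JSON string; expand the fields an analyst needs first.
$report = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $d.CreationTime
        User     = $d.UserId     # account that uploaded the file
        ClientIP = $d.ClientIP
        Site     = $d.SiteUrl
        File     = $d.ObjectId   # full URL of the infected file (it stays in the library)
    }
}
$report | Sort-Object Time | Format-Table -AutoSize

# Export for SIEM ingestion; useful where the tenant has no Threat Intelligence license.
$report | Export-Csv -Path .\spo-malware-events.csv -NoTypeInformation

# Block downloads of files the engine has flagged instead of only warning the user.
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Set-SPOTenant -DisallowInfectedFileDownload $true
```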
With the release of Safe Attachments for OneDrive and a new feature added to the client experience, end users can restore their files after ransomware has encrypted them. The end user logs in to OneDrive for Business through a browser and navigates to “Restore your OneDrive.” There they can roll back their files to a point in time before the ransomware attack. Currently, this is available only on the client; there is no way for administrators to set a policy automatically or to restore files on behalf of their end users.
To provide protection for more advanced types of attacks, Microsoft offers:
- Office 365 Advanced Threat Protection (ATP), which Microsoft has extended to SharePoint, OneDrive, Teams and the Office clients
- Office Cloud App Security (based on its existing CASB, Microsoft Cloud App Security)
- Office 365 Threat Intelligence (TI)
O365 TI helps security teams investigate, detect and respond to attacks more efficiently, building on the prevention and reporting capabilities that come natively with Office 365. But this visibility comes at the price of the Office 365 E5 or stand-alone Threat Intelligence license, which is a problem for many organizations. Without this capability, you will have to aggregate this data yourself in a SIEM, using the Office 365 Management Activity API and log exports.
Advanced Threat Protection
ATP is composed of three features:
- Safe Attachments provides advanced sandbox scanning for Exchange, SharePoint, OneDrive and Microsoft Teams.
- Safe Links provides time-of-click link protection for Exchange, SharePoint, OneDrive, Office 2016 desktop clients, iOS and Android. Microsoft plans to roll it out to macOS and web applications in the future.
- Anti-Phishing provides machine learning models, impersonation detection and URL analysis to help prevent basic phishing, spear-phishing attacks and zero-day phishing attacks.
Safe Attachments provides protection against zero-day malware by routing messages and attachments to a hypervisor environment (Azure Virtual Machines), where a behaviour-based engine using machine learning and analytics scans the email and files. If no malicious behaviour is detected, the messages are released. This service is meant to augment the signature-based anti-malware protection of EOP.
ATP also provides the Safe Links feature, which augments the malicious-hyperlink-blocking feature of EOP with deep URL analysis (detonation), looks for unsafe redirection and dynamically blocks the malicious action. ATP also provides reporting and URL-tracing capabilities for security forensics. However, this advanced sandboxing technique has some impact on user experience. Because the attachment has to be detonated in the virtual container, there can be a delay in delivery of the email to the end user. To address this delay, a feature called Dynamic Delivery of ATP Safe Attachments reduces the end-user impact of the scanning process. This feature sends the body of the email with a placeholder attachment. Once the attachment has been scanned, the feature replaces the placeholder, and the user can view the file. Microsoft has also added a feature called Document Preview, which lets the user read the contents of the attachment while it is being scanned. Together, Dynamic Delivery and Document Preview can remove the user-visible impact of the sandbox detonation delay.
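Dynamic Delivery is selected per Safe Attachments policy. The script below is an added example, not part of the original article: it creates a policy whose action is DynamicDelivery, binds it to a recipient domain, and switches on Safe Attachments for SharePoint, OneDrive and Teams. The policy name, domain, security mailbox and the use of the ExchangeOnlineManagement module are assumptions; the cmdlets require an ATP license in the tenant.

```powershell
# Added example (not from the original article). Assumes the
# ExchangeOnlineManagement module, an Exchange Online admin account and ATP licensing.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$policyName = "Standard users - dynamic delivery"   # assumed name

# Policy: what happens to an attachment while and after it is detonated.
$policy = @{
    Name            = $policyName
    Enable          = $true
    Action          = "DynamicDelivery"        # deliver the body now, attach the file after the verdict
    Redirect        = $true                    # keep a copy of attachments that fail scanning
    RedirectAddress = "secops@contoso.example" # assumed security mailbox
    ActionOnError   = $true                    # if the scan itself errors, apply the action, do not deliver
}
New-SafeAttachmentPolicy @policy

# Rule: which recipients the policy applies to. Lower priority numbers win.
New-SafeAttachmentRule -Name $policyName `
    -SafeAttachmentPolicy $policyName `
    -RecipientDomainIs contoso.example `
    -Priority 0

# Safe Attachments for SharePoint, OneDrive and Teams is a single tenant-wide switch.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
```

Setting Action to Block instead keeps the full scan-before-delivery behaviour and the delivery delay the text describes.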
Windows Defender Advanced Threat Protection
Microsoft has also built an EDR type of solution for Windows 10 clients called Windows Defender Advanced Threat Protection (WD ATP). Windows Defender ATP is a part of the Windows 10 Enterprise E5 license, and it will provide information about malware on endpoints. This data can be fed into the Microsoft Intelligent Security Graph. Despite including the term “ATP” in its name, Windows Defender ATP is not a sandbox or a safe-URL capability. Built into the Windows 10 anniversary update, it is an agent that sits alongside Windows Defender or third-party anti-malware solutions. It monitors events and anomalous behaviours that can be indicators of possible attacks or compromises.
Office 365 Cloud App Security
Originally named Advanced Security Management, Office 365 Cloud App Security (OCAS) is a derivative of Microsoft’s Cloud App Security CASB, offering controls targeted at protecting only Office 365. OCAS can be purchased stand-alone or as part of the Office 365 E5 license.
OCAS provides visibility, investigation and control capabilities for access control, cloud discovery, compliance, configuration control, privileged accounts, sharing control and threat detection. Using OCAS, your security team will be able to detect malicious attacks and leverage Microsoft’s global threat intelligence network to understand the source of the attempts. Because OCAS’s detection is based on analysis of user behaviour, it will help you identify both external malicious attacks and insider threats. In OCAS, you can see when your users are mass-downloading files, creating numerous sharing links or engaging in other potentially inappropriate actions. OCAS is one of the most critical security capabilities Microsoft offers for protecting your Office tenant and managing security incidents in it. You should consider OCAS a mandatory requirement unless you have, or are planning in the short term to add, Microsoft Cloud App Security (MCAS) or a third-party CASB solution.
Kanoo Elite has several years of experience in providing strategic and tactical technology support for many clients in the Middle East. We offer integrated email, cloud and employee awareness security solutions to help you identify, block and resolve Microsoft 365 threats. Our Managed Digital Operations services provide various flavours of managed IT services for customers through a combination of onsite, nearshore, and offshore skills with state-of-the-art tools for proactive operations management. Kanoo Elite, unlike a traditional managed services provider, also assists our clients in transforming their business while managing their Information Security risks.