OFFICE 365 Introducing Advanced Security Management 9/11/2018

Presentation transcript:

Advanced Security Management provides enhanced visibility and control to an organization’s Office 365 environment. Today you will see the first set of features being released for Advanced Security Management, which focus on:
1. Investigating an anomaly detection alert.
2. Creating an anomaly detection policy using custom settings.
3. Creating an activity policy using a template.
Now let’s get started!!! CLICK STEP(S) Click anywhere on the slide to begin.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

To start things off, let me show you where you can find Advanced Security Management. If you go to the Security and Compliance Center and find Manage advanced alerts under the Alerts section, this will take you to the page where you can launch Advanced Security Management. CLICK STEP(S) Click Go To Advanced Security Management.

Upon accessing the Advanced Security Management console, you will land on the Policies page. Here you have visibility of all active policies, with an at-a-glance alert count and severity rating for each of these policies. Let’s take a look at the open alerts in the General anomaly detection policy by clicking on the alert counter. CLICK STEP(S) Under the Count column, click 2 open alerts on the General anomaly detection line.

Let’s take a closer look at the 2nd anomaly alert regarding the user, claude@acme.com. CLICK STEP(S) Click General anomaly detection claude@acme.com.

By clicking on the alert you are now presented with a summarized explanation of why the alert was generated. As you can see from the alert summary:
The risk score calculated is 86%
The IP address used was from an anonymous proxy
The user claude@acme.com is an administrator
There were 3 failed login attempts
The fact that this type of activity is occurring on an administrative account is very concerning. Now, if it is deemed necessary, you do have the ability to take immediate action and suspend the user through the Resolution options. CLICK STEP(S) Click Resolution options drop down menu.

But before taking action, let’s take a minute to review the Activity Log to be sure it is necessary. CLICK STEP(S) Click outside of drop down menu to close.

CLICK STEP(S) Click scroll bar to scroll down.

The details provided in the Activity log are the specific activities used to calculate the overall alert score. Here you can see there is quite a bit of suspicious activity occurring. The Activity Log also provides you the capability to investigate the IP addresses used. Let’s see what kind of information this IP provides. CLICK STEP(S) Click on any 109.163.234.2.

CLICK STEP(S) Click scroll bar to scroll down.

As you can see, there are numerous users logging in from this IP, and all of the alerts seem to be logon related. Let’s take a closer look at these failed login attempts. CLICK STEP(S) In the middle of the page, click the 1st instance of Failed log on anthony111@acme.com.

The description states that the user anthony111 entered an invalid password. This type of activity is a little suspicious. It’s not uncommon for a user to enter an invalid password a few times in a row, but in this case it is not an isolated incident involving only one user but a repeat incident involving numerous users. Now, let’s filter similar types of activities using the More information button. CLICK STEP(S) On the far right side, click on the more options icon (3 vertically stacked dots).

Since this type of activity is very suspicious, let’s see how many other instances of this specific activity are actually occurring. CLICK STEP(S) Click View activity of the same type.

As you can see, there are a total of 24 failed logon attempts. To say this is a possible concern may be an understatement. Let’s scroll down to get a sense of the scope of the situation. CLICK STEP(S) Click scroll bar to scroll down.

Through the power of Advanced Security Management’s enhanced visibility, you are now able to discover, identify and address various types of security concerns in a very short amount of time, reducing the amount of damage a malicious user can cause. After reviewing the results of an already created policy, let’s see how easy it is to create one. First, let’s create a custom Anomaly detection policy. CLICK STEP(S) Click Control menu.

CLICK STEP(S) Click Policies.

CLICK STEP(S) Click Create policy.

CLICK STEP(S) Click Anomaly detection policy.

For this policy creation, let’s use the following values:
Policy template: Let’s leave it as No Template.
Policy Name: Will be Admin Activity. CLICK STEP(S) Click Policy name field.

Description: Will be Monitor Admin Activity for Anomalies CLICK STEP(S) PowerPoint will type Admin Activity. Once typing is complete, click Description field.

Category: Will be left as Threat Detection. CLICK STEP(S) Click scroll bar to scroll down.

Activity filters: Will be changed from All monitored activity to Administrative Activity CLICK STEP(S) Under Activity filters, click All monitored activity drop down menu.

CLICK STEP(S) Click Selected activity.

CLICK STEP(S) Click Select a filter… drop down menu.

CLICK STEP(S) Click Administrative activity.

Now that the Activity filter has been set, let’s move on to the Risk Factor section. This section contains a total of 6 subcategories:
1. Logon Failures
2. Admin Activity
3. Inactive Accounts
CLICK STEP(S) Click scroll bar to scroll down.

4. Location
5. Impossible Travel
6. Device and User Agent
All of the subcategories within the Risk factor section can be left at their default setting of on, as you see them now, or they can be turned off or applied to specific activities. Now let’s move on to the Alerts section. CLICK STEP(S) Click scroll bar to scroll down.

Within the Alerts section, you have the ability to set the Alerting threshold and enable email/text alerting. To get a better understanding of Alerting threshold, let’s uncheck the Alerting threshold checkbox to expand this section. CLICK STEP(S) Under Alerting threshold, uncheck the checkbox “Use default severity threshold settings (recommended)”.

Alerting threshold is a numeric value that will determine when alerts are generated. The generation of alerts depends on what the Risk score bar below is set to. The default score is 65, which means that any incidents with a Risk score of 65 or higher will generate an alert. For this demonstration, let’s set the Risk score to 85. CLICK STEP(S) Click Risk score bar 4x.

Now let’s move on to the Alerts configuration section. Here, you have the ability to alter how many alerts you receive daily, enable email alerts and/or send alerts via text message. If you click on the Daily alert limit drop down menu, you can set your daily alert limit to any of the following values. CLICK STEP(S) Under Alerts configuration, click Daily alert limit drop down menu.

For today, let’s leave the daily alert limit at its default value of 5. CLICK STEP(S) Click outside of the drop down menu.

Now let’s configure the email and text alerts. To enable email alerts, first check the checkbox. CLICK STEP(S) Click Email alert checkbox.

Then enter a valid corporate email address and hit Tab. And yes, you are also able to enter multiple email addresses as well. CLICK STEP(S) Click To: field.

Email alerts have been configured; let’s move on to configuring the text message alerts. CLICK STEP(S) Click Send alert as text message checkbox.

As you can see, the phone number field provides you a template to follow. If you do not use the correct phone number format, the field will not allow you to Tab out or you may receive an error message when you attempt to create the policy. CLICK STEP(S) Click the phone number field.

Now that the policy configuration is complete, it’s time to deploy it. CLICK STEP(S) Click Create.

Now that the policy has been successfully created, let’s move on to creating a new Activity policy using a template. CLICK STEP(S) Click Create policy.

CLICK STEP(S) Click Activity policy.

First, let’s select a policy template from the policy template drop down menu. CLICK STEP(S) Click Policy template drop down menu.

As you can see there are a variety of templates to choose from. For this demonstration, let’s use the Mass download by a single user template. CLICK STEP(S) Click Mass download by a single user.

CLICK STEP(S) Click Apply template.

Now you can see that the template has been applied, filling out most of the essential fields. Let’s continue reviewing the remaining policy settings. CLICK STEP(S) Click scroll bar to scroll down.

Since you are now developing a policy to monitor a specific type of activity, mass downloads by a single user, rather than a more general anomaly/incident detection policy, the parameters you monitor would naturally be more targeted. This is where the Activity match parameters section comes into play, allowing you to select the specific conditions that will trigger an alert. In this case:
The number of repeated activities is set to 30
The timeframe in which this occurs (measured in minutes) is currently 5 minutes
And whether the activities come from just the same user or the same user/app, as you can see here.
CLICK STEP(S) Under Activity match parameters, click the “from the same” drop down menu.

CLICK STEP(S) Click outside of the drop down menu.

Moving on to Alerts. CLICK STEP(S) Click scroll bar to scroll down.

For this policy, let’s enable the email alerts and suspend user options. CLICK STEP(S) Click Email alert checkbox.

CLICK STEP(S) Click To: field.

Now that the Email alerts have been configured, let’s enable the Suspend user option by checking its checkbox. CLICK STEP(S) Under Governance: Office 365, click Suspend user checkbox.

Now the policy is ready for deployment. CLICK STEP(S) Click Create.
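The activity policy just created fires when a set number of repeated download activities (30) occur within a time window (5 minutes) from the same user, or the same user and app, capped by the daily alert limit and with Suspend user as the governance action. As an added example that is not part of the presentation or of the product, the Python below reproduces that matching logic over a constructed activity log; the user names, app names and event layout are made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample activity log (not taken from the presentation):
# each event is (timestamp, user, app, activity).
BASE = datetime(2018, 9, 11, 9, 0)

def _burst(user, app, count, spacing_seconds):
    """Build `count` Download events by one user, `spacing_seconds` apart."""
    return [(BASE + timedelta(seconds=i * spacing_seconds), user, app, "Download")
            for i in range(count)]

SAMPLE_EVENTS = (
    _burst("alice@example.invalid", "SharePoint Online", 30, 8)  # 30 downloads in under 4 minutes
    + _burst("bob@example.invalid", "OneDrive", 30, 60)          # 30 downloads spread over 29 minutes
    + [(BASE + timedelta(minutes=3), "bob@example.invalid", "OneDrive", "FileAccessed")]
)

def evaluate_mass_download_policy(events, repeats=30, window_minutes=5,
                                  match="user", daily_alert_limit=5):
    """Sliding-window match: alert when `repeats` Download events fall within
    `window_minutes` for the same user (match="user") or the same user and app
    (match="user_app"). Returns (alerts, suspended_users). Alerts are capped per
    calendar day by `daily_alert_limit`; the Suspend user governance action is
    applied on every match regardless of the cap."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)          # match key -> timestamps still inside the window
    alerts, alerts_today, suspended = [], defaultdict(int), set()
    for ts, user, app, activity in sorted(events, key=lambda e: e[0]):
        if activity != "Download":
            continue                     # the template only counts download activity
        key = user if match == "user" else (user, app)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:        # drop events that aged out of the window
            q.popleft()
        if len(q) >= repeats:
            day = ts.date()
            if alerts_today[day] < daily_alert_limit:
                alerts.append((ts, key))
                alerts_today[day] += 1
            suspended.add(user)
            q.clear()                    # one burst yields one alert, then counting restarts
    return alerts, suspended

if __name__ == "__main__":
    matched, users = evaluate_mass_download_policy(SAMPLE_EVENTS)
    for ts, key in matched:
        print(f"{ts:%H:%M:%S} mass download matched for {key}")
    print("suspended:", sorted(users))
```

Lowering `repeats` on the same input shows the daily alert limit at work: more bursts match than alerts are emitted, yet every matching user is still suspended.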

With the email alerts and the suspend user features enabled, you now have the peace of mind of knowing that whenever a user violates this policy, he/she will automatically be suspended by the time you receive the email notification.
Closing remarks: As you can see, Office 365 Advanced Security Management provides you with enhanced visibility and control into your Office 365 environment through:
The ability to detect threats by helping you identify high-risk and abnormal usage, security incidents, and threats.
Providing you with enhanced control by leveraging granular controls and security policies that can help you shape your Office 365 environment.
Giving you enhanced visibility and context into your Office 365 usage and shadow IT through the discovery and insights that the solution provides, all without installing an endpoint agent.
Thank you for your time, and I am happy to take any additional questions. CLICK STEP(S) Click anywhere to end the presentation.