Microsoft infrastructures have traditionally been on-premise. This is about to change as Microsoft is getting incredible traction with Office 365 deployments. As the corporate infrastructure is changing, many security professionals are concerned about security and transparency of their new strategic cloud services and need to change their incident detection and response programs. This blog post is a quick introduction to this topic. If you're interested in more info, check out our webcast Increasing Security and Transparency for Office 365.

Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit

Office 365 is now the most widely used cloud service

The following graph shows the rapid acceptance of Office 365 as a service, which now makes it the most-used cloud service in corporations ahead of Box.com and Salesforce.com, according to a recent Okta study:

It's important to remember that Office 365 is more than just email and spreadsheets - it brings a lot of the mainstream IT services to the cloud, including file storage, user management, and collaboration:

Lateral movement must also take cloud services into account

This raises new questions around how intruders are attacking and moving laterally through your environment. For example, lateral movement should no longer be limited to domain and local user accounts but must take cloud services into account. These credentials don't have to be stolen from Windows endpoints but can also be obtained by phishing a user to log onto a fake Outlook 365 website (or Outlook Web Access, if you prefer an on-premise version) to obtain domain credentials and log onto the cloud services to access sensitive data.

Leveraging Micosoft's new Office 365 Activity Feed API for incident detection

Microsoft has recently made its new Office 365 Activity Feed API available for preview (MSDN documentation). In other words, Office 365 customers can now access this API to get a sneak peek of the functionality and benefit from it before it's publicly available. Earlier this year, Rapid7 announced its status as Microsoft Early Access Partner and Rapid7 UserInsight's integration with the new API. Now that it's available, UserInsight customers get transparency and security across their entire infrastructure, from the Windows endpoint to Office 365.

Incident detection and investigation with UserInsight

Rapid7 UserInsight helps detect attacks through behavior analytics, investigate incidents faster with user context, and expose risky behavior from endpoint to cloud. The User and Entity Behavior Analytics solution complements your SIEM to identify stealthy attack methods, such as compromised credentials and lateral movement, with high confidence to eliminate alert fatigue. UserInsight accelerates investigations up to 20x through an investigations interface that enables your entire team to collaborate. Unlike other monitoring solutions that only look at network logs, UserInsight monitors endpoints, cloud services, and mobile devices and sets traps for intruders. Rapid7's unique understanding of attacker methodologies is the key for evolving highly accurate detection techniques.

How UserInsight leverages Microsoft's new Office 365 API

Integration with the new Microsoft API, allows Rapid7 to automatically collect data from Office 365, SharePoint, Azure Active Directory, and OneDrive and add to its comprehensive view of network and user behavior, giving organizations the ability to detect attacks across network, cloud, and mobile environments. UserInsight builds a baseline understanding of a user's behavior in order to identify changes that would indicate suspicious activity and help security professionals detect an attack. Because UserInsight uniquely collects, correlates and analyzes data across all users and assets, including cloud applications, it can identify suspicious behavior other solutions can't. Examples of potential threats detected within Office 365 include:

  • Advanced Attacks: UserInsight automatically correlates user activity across network, cloud and mobile environments. UserInsight can detect advanced attacks such as lateral movement from the endpoint to the cloud, including Office365.
  • Privileged user monitoring: Privileged users are often the ultimate target for intruders. UserInsight monitors Office 365 administrator accounts and alerts the security team of suspicious activity.
  • Geographically impossible access: The key to protecting the environment is to be able to unify the network, mobile, and cloud environments. For example, a customer would receive an alert if an employee's cell phone synchronizes email via Office 365 from Brazil within an hour of the same user connecting to the corporate VPN from Paris -- clearly one of the connections cannot be legitimate.
  • Account use after termination: UserInsight detects when a suspended or terminated employee accesses their Office 365 account, helping to stop stolen intellectual property and other business-critical information.
  • Access to Office 365 from an anonymization service: UserInsight correlates a constantly-updated list of proxy sites and TOR nodes with an organization's Office 365 activity, detecting attackers that are trying to mask their identity and location.

Once suspicious behavior is detected, security teams and incident responders can investigate the users and assets involved in context of various activity from the endpoint to the cloud, now including Microsoft Office 365 activity, and determine the magnitude and impact of the attack. Due to UserInsight's visual investigation capabilities, customers can combine asset and user data on a timeline to rapidly investigate and contain the incident.

UserInsight covers more than just Microsoft infrastructures

No network is a pure Microsoft environment, so UserInsight covers a whole lot more than just Microsoft technologies. The solution monitors Mac and Linux endpoints, integrates with infrastructure such as DNS and Firewalls and security components such as SIEMs and sandboxes. Beyond Office 365, UserInsight integrates with many strategic cloud services:

Where to learn more about monitoring Office 365 with UserInsight

If you'd like to learn more about monitoring your Microsoft infrastructure, including Office 365, check out our webcast Increasing Security and Transparency for Office 365. If you are already a Rapid7 UserInsight customer and would like to integrate your Office 365 environment, check out our documentation "Preparing UserInsight to monitor Office 365".