The cloud has changed everything we know about security. With the rapid deployment of the cloud during a global crisis, cyber threats also have continued to evolve, prompting businesses to place greater emphasis on protecting their data and applications.
With the new work-from-home paradigm, the proliferation of data-driven applications, and the advancement of technologies such as artificial intelligence (AI) and Internet of Things (IoT) in the enterprise, cybercriminals too are using more advanced tools and sophisticated methods to attack organisations and breach privacy.
A virtual workplace has also meant that some layers of security are difficult to manage. In efforts to maintain productivity and business continuity, remote workers are now accessing more data and critical business software and systems from networks, and maybe sometimes even devices, that are not managed by their organisation.
As a leader in the productivity space with over 250 million active users, Microsoft Office 365 has also piqued the interest of looming cybercriminals due to the platform’s large audience.
In fact, during a recent global survey of 1,112 security professionals by Vectra AI, results showed how criminals are regularly bypassing security controls including multi-factor authentication (MFA), proving that determined attackers are still able to gain access. User account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organisation’s network.
A new study has now revealed the top 10 threat detections for Microsoft Azure AD and Office 365, representing a large attack surface that businesses need to manage. These include Abnormal Exchange operations, suspicious sharing activity and mail forwarding, O365 external Teams access and unusual eDiscovery search.
According to the study, a number of these threat detections represent activities that provide ease of use, collaboration with external parties, and provisioning of administrative access to the Azure AD environment.
Detecting the “out of the ordinary”
In this landscape, enterprises are coming to realise that cyber threat defence and mitigation against increasingly sophisticated attacks are becoming ever harder to identify.
Constantly evolving threats means a round-the-clock effort and highly specialised skills are required to bolster enterprise cybersecurity, particularly within a hybrid cloud environment.
It’s for these reasons and more that collecting the right data analytics and having meaningful AI are fast becoming forces of change in cybersecurity strategies.
On a basic level, AI security solutions are programmed to identify “safe” versus “malicious” behaviours by cross-comparing the behaviours of users across an environment to those in a similar environment.
Deploying AI as a core pillar when extracting informative data from a network, both on-prem and off, is critical in obtaining an advantage against malicious threat actors and attacks that can be progressed by abnormal exchange operations.
For example, attackers with the ability to manipulate exchange can arbitrarily access information contained in an email and siphon off information by forwarding emails externally. Further, they may also have the ability to trigger the execution of scripts which can help them move laterally.
When it comes to suspicious operations in an Azure AD environment, businesses that are unable to detect adverse behaviours and may suffer privilege escalations or account takeover that lead to data loss or critical cloud services.
Better visibility for better detection
To better protect an organisation from inside and external threats, I’d like to share some best practice tips:
1. Apply a mix of subject matter experts and technology
It’s not enough to just invest in the tools but it matters to build knowledge and establish stringent governance frameworks.
That’s where vendors with true cybersecurity expertise drive value, helping organisations not only to draw upon the expertise and intelligent, AI-driven detection tools but to also gain deep visibility into security and compliance gaps.
2. Understand your threat landscape
It is imperative that organisation truly understand their new enterprise network. We have seen perimeters of the network vanish during 2020 as organisations have shifted to the cloud; the modern enterprise network is now Datacentre, IaaS, SaaS and PaaS.
It is vital that the enterprise has visibility into all of these networks and be able to track attackers as they pivot through these environments. We must build detection and response capabilities that can shine a light into all these environments and track attacker behaviour as they attempt to move laterally through these environments.
3. Prioritise and respond at speed and scale
Enterprises can not only identify attackers as they pivot through the modern network, but they must have the ability to respond rapidly and in a consistent way across all network stacks be that IaaS, SaaS, PaaS, or Datacentre.
The only way the enterprise can achieve this is via prioritisation of incidents leveraging AI and automation. This will then ensure that the limited capacity of the SOC will have the best chance to drive down metrics such as mean time to remediation, therefore reducing the impacts of attackers and reducing the risk of a widespread breach.
Know your threats from inside out
With the scarcity of cybersecurity talent, many organisations struggle with experience shortfalls in their cybersecurity team. Meaningful AI can help close the gap in your Office 365 and Azure AD accounts, so are equipped with the right data to detect and mitigate when suspicious behaviours are detected.
How quickly an entity responds to a breach and identifies the attacks quickly and effectively will determine who is secure in the ‘new normal’ and succeeds in this fast-changing time.