8 Suggestions from U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)


By Dan Seyer, CMO, Edgile


When enterprises made the rapid shift to far more corporate work-from-home than they were used to due to COVID-19, many organizations were forced to prioritize extending the workforce over securing the workforce. This was confirmed by a recent memo from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

COVID-19 put CISOs into a no-win scenario. They had to get the workforce as remote as possible, often within just a couple of days. But security teams are trained to explore options, test new configurations in a safe sandbox to identify any unanticipated consequences, and implement changes thoughtfully. The required speed of the corporate remote-workforce effort, which radically remapped an enterprise’s environment by adding a massive number of new endpoints to protect, forced corners to be cut that would never have been cut under normal circumstances.

Although “the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy. CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks,” the memo said. “Due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms.”

CISA offered several specific configuration suggestions:

1. Enable multi-factor authentication for administrator accounts

Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a “Secure by default” model, but even this must be enabled by the customer. The new feature, called “Security Defaults,” assists with enforcing administrators’ usage of MFA. These accounts are internet accessible because they are hosted in the cloud. If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365.

2. Assign Administrator roles using Role-Based Access Control (RBAC)

Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Instead, using Azure AD’s numerous other built-in administrator roles can limit assigning overly permissive privileges to legitimate administrators. Practicing the principle of “Least Privilege” can greatly reduce the impact if an administrator account is compromised. Always assign administrators only the minimum permissions they need to perform their tasks.
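Items 1 and 2 both come down to a question an administrator can answer in a few minutes: who holds Global Administrator today, does each of them have MFA registered, and is Security Defaults switched on? The script below is an added example and is not part of the CISA memo or Edgile’s material. It assumes the Microsoft.Graph PowerShell SDK is installed, that the cmdlet names used are the ones published in that module, and that the caller has been granted the listed read scopes; the threshold of four Global Administrators is an assumed policy value.

```powershell
# Added example, not part of the CISA memo or Edgile's material.
# Lists who holds Global Administrator, whether each has MFA registered, and whether
# Security Defaults is on. Assumes the Microsoft.Graph PowerShell SDK; the cmdlet names
# are assumed to match that module and the scopes below are assumptions as well.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "Policy.Read.All"

# Tenant-wide switch that item 1 refers to ("Security Defaults").
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

# Resolve the activated Global Administrator role and enumerate its direct members.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id

$report = foreach ($m in $members) {
    # Members may be users, groups or service principals; MFA registration applies to users.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    # Registration state comes from the authentication-methods usage report.
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
    [pscustomobject]@{
        User          = $m.AdditionalProperties['userPrincipalName']
        MfaRegistered = $reg.IsMfaRegistered
    }
}

$report | Format-Table -AutoSize

# Two findings worth tracking: Global Admins without MFA, and too many Global Admins
# (item 2: move day-to-day administration to scoped built-in roles).
$noMfa = $report | Where-Object { -not $_.MfaRegistered }
if ($noMfa) { Write-Warning "Global Administrators without MFA: $($noMfa.User -join ', ')" }

$MaxGlobalAdmins = 4   # assumed policy threshold; adjust to your own standard
if ($report.Count -gt $MaxGlobalAdmins) {
    Write-Warning "$($report.Count) Global Administrators; move routine admins to scoped roles"
}
```

Run it from an account that itself satisfies MFA, and keep the output with the rest of your change records: the list of Global Administrators is the first thing an incident responder asks for, and the count trending down over time is the measurable outcome of item 2.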

3. Enable Unified Audit Log (UAL)

O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI and other O365 services. An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run. Enabling UAL allows administrators the ability to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.

4. Enable multi-factor authentication for all users

Though normal users in an O365 environment do not have elevated permissions, they still have access to data that could be harmful to an organization if accessed by an unauthorized entity. Also, threat actors compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.

5. Disable legacy protocol authentication when appropriate

Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are several legacy protocols associated with Exchange Online that do not support MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP). Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will presumably not be disabled. This leaves email accounts accessible through the internet with only the username and password as the primary authentication method. One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols and only grant access to those protocols for those select users. Using Azure AD Conditional Access policies can help limit the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce an organization’s attack surface.
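The approach in the paragraph above, inventory first and then restrict everyone except the users who genuinely need a legacy client, can be scripted end to end. The following is an added example, not code from the CISA memo or from Edgile. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, uses the Conditional Access policy schema from the Microsoft Graph `identity/conditionalAccess/policies` endpoint, and the exception mailbox and group object ID are constructed placeholders.

```powershell
# Added example, not part of the CISA memo or Edgile's material.
# 1) Inventory mailboxes that still have POP/IMAP on, 2) turn legacy protocols off by
# default and for existing mailboxes, sparing an explicit exception list, 3) back that up
# with a Conditional Access policy that blocks legacy authentication for everyone outside
# an exception group. Assumes ExchangeOnlineManagement and Microsoft.Graph modules.
Connect-ExchangeOnline

# Constructed placeholders: fill these from your own inventory.
$LegacyExceptions     = @('legacy-scanner@example.com')
$LegacyClientGroupId  = '<object-id-of-legacy-client-group>'

# Step 1: inventory. PopEnabled / ImapEnabled are per-mailbox client-access settings.
$report = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
$report | Export-Csv -Path .\legacy-protocol-inventory.csv -NoTypeInformation

# Step 2a: tenant defaults, so newly created mailboxes start with the protocols off.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
# SMTP AUTH is a tenant-wide transport setting; disabled here, re-enabled per exception below.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Step 2b: existing mailboxes, with the exception list left alone.
foreach ($mbx in $report) {
    $addr = "$($mbx.PrimarySmtpAddress)"
    if ($LegacyExceptions -contains $addr) {
        # Exception: keep POP/IMAP and explicitly allow SMTP AUTH for this mailbox only.
        Set-CASMailbox -Identity $addr -SmtpClientAuthenticationDisabled $false
        continue
    }
    Set-CASMailbox -Identity $addr -PopEnabled $false -ImapEnabled $false
}

# Step 3: Conditional Access. "exchangeActiveSync" and "other" are the client app types
# that cover legacy authentication; the policy starts in report-only mode so sign-in logs
# show who would be blocked before you flip state to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$policy = @{
    displayName   = "Block legacy authentication (except legacy-client group)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($LegacyClientGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $policy
```

The two layers are deliberately redundant: the Exchange settings stop the mailbox from speaking POP/IMAP/SMTP AUTH at all, while the Conditional Access policy catches any legacy sign-in path the mailbox settings do not cover. Review the report-only results for a week before enforcing, and revisit the exception list on a schedule so it shrinks rather than grows.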

6. Enable alerts for suspicious activity

Enabling logging of activity within an Azure/O365 environment can greatly increase the owner’s effectiveness in identifying malicious activity occurring within their environment. Creating and enabling alerts within the Security and Compliance Center to notify administrators of abnormal events will reduce the time needed to effectively identify and mitigate malicious activity. At a minimum, CISA recommends enabling alerts for logins from suspicious locations and for accounts exceeding sent email thresholds.

7. Incorporate Microsoft Secure Score

Microsoft provides a built-in tool to measure an organization’s security posture with respect to its O365 services and offers enhancement recommendations. These recommendations provided by Microsoft Secure Score do not encompass all possible security configurations, but organizations should still consider using Microsoft Secure Score because O365 service offerings frequently change. Using Microsoft Secure Score will help provide organizations a centralized dashboard for tracking and prioritizing security and compliance changes within O365.

8. Integrate Logs with your existing SIEM tool

Even with robust logging enabled via the UAL, it is critical to integrate and correlate your O365 logs with your other log management and monitoring solutions. This will ensure that you can detect anomalous activity in your environment and correlate it with any potential anomalous activity in O365.
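Items 3, 6 and 8 form one pipeline: confirm the Unified Audit Log is actually ingesting, query it, run a couple of checks that are worth an alert, and hand the raw records to the SIEM. The script below is an added example and is not code from the CISA memo or from Edgile. It assumes the ExchangeOnlineManagement module; the 24-hour window, the distinct-IP threshold and the output path are assumptions, and the inbox-rule check is one detection chosen to illustrate the idea rather than anything the memo prescribes.

```powershell
# Added example, not part of the CISA memo or Edgile's material.
# Confirms UAL ingestion is on (item 3), pulls the last 24 hours of sign-in and inbox-rule
# events, flags two patterns worth an alert (item 6), and writes every record as one JSON
# line for SIEM ingestion (item 8). Assumes the ExchangeOnlineManagement module;
# thresholds and the output path are assumptions.
Connect-ExchangeOnline

# Item 3: nothing is searchable until ingestion is enabled.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "UAL ingestion was off; enabled now. Events before this point were not recorded."
}

$end   = Get-Date
$start = $end.AddHours(-24)
# Sign-ins plus inbox-rule changes (a common post-compromise persistence step in mailboxes).
$ops   = 'UserLoggedIn', 'New-InboxRule', 'Set-InboxRule'

# Page through results; a single call caps at 5000 records.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $records += $batch }
} while ($batch -and $batch.Count -eq 5000)

# AuditData is a JSON string carrying the useful fields (UserId, ClientIP, Operation, ...).
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Finding 1: any inbox-rule creation or change is worth a look.
$events | Where-Object { $_.Operation -like '*InboxRule' } | ForEach-Object {
    Write-Warning "Inbox rule $($_.Operation) by $($_.UserId) from $($_.ClientIP) at $($_.CreationTime)"
}

# Finding 2: one account signing in from many distinct IPs within the window.
$MaxDistinctIPs = 5   # assumed threshold; tune against your own baseline
$events | Where-Object { $_.Operation -eq 'UserLoggedIn' } |
    Group-Object UserId | ForEach-Object {
        $ips = @($_.Group.ClientIP | Sort-Object -Unique)
        if ($ips.Count -gt $MaxDistinctIPs) {
            Write-Warning "$($_.Name) signed in from $($ips.Count) IPs: $($ips -join ', ')"
        }
    }

# Item 8: hand the raw records to the SIEM as newline-delimited JSON.
$records | ForEach-Object { $_.AuditData } | Set-Content -Path .\ual-export.ndjson
```

In practice the export step is replaced by the SIEM’s own O365 connector or the Office 365 Management Activity API, but the shape of the data is the same: the value of item 8 is that a sign-in from an unfamiliar IP in O365 can be lined up against VPN, endpoint and firewall logs for the same user and time window, which the Security and Compliance Center alone cannot do.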

These are all excellent suggestions. But security must be customized. That’s why it’s critical to have a third party take a deep look into your specific environment, taking into account the verticals and geographies where your enterprise operates, to identify compliance recommendations which, in turn, might impact security recommendations.

Edgile Recommendation: Host a security workshop to understand the security impacts of the COVID-19-caused business changes

Our suggestion is to conduct your own COVID security workshop. Some enterprises can even qualify for a Microsoft-funded workshop provided by Edgile.

We are hosting sessions for our clients that cover the remote workforce situation and review the systems in place to enable the remote worker while understanding enterprise issues to be addressed. Edgile and Microsoft security specialists conduct a security assessment walkthrough with the Microsoft admin and identify high risk areas. Teams is also examined, with a focus on Teams security configuration best practices across the Microsoft 365 platform tailored to licensing.  

If you’re interested in discussing security work, please connect with your local Edgile contact: