Back to blog

Managing Security in your Office 365 Environment: Part One

Dec 1, 2016 by Emma Robinson

Are you really in control of your Office 365 security?
As an Office 365 corporate subscriber it’s important to remember that, from a security perspective, you’re still in charge. You’ve outsourced a service, but not responsibility for security. It’s you, not Microsoft, that determines the right policies and procedures for your organisation, and it’s you that manages the software and systems that keep your organisation safe.
Key takeaways from this two-part blog series

  • You are not automatically more at risk by using Office 365 over on-premises solutions.
  • Threats like ransomware are using the same tricks that viruses were using 20 years ago, and they’re not unique to Office 365.
  • You’re still responsible for your own security and you need to take the same precautions you always have: policy, education, and monitoring.
  • Office 365 is actually easier to monitor for possible security anomalies than traditional environments, especially with the right tools.

Realistically, there are few threats that could affect the Office 365 environment as a whole. It’s a well-established, mature platform, and Microsoft is spending millions of dollars making sure you receive a reliable and secure service. This year, Microsoft reckons it has achieved a 500 per cent improvement in counterfeit detection using a blend of big data, strong authentication checks, and reputation filters in Exchange Online Protection for Office 365. And any potential flaw is soon patched – as Microsoft simply can’t afford to have it any other way.
Instead, your concerns should be essentially the same as if you were running an on-premises Office environment (admittedly with the added complexity of enforcing mobile device user policies). The big advantage is that, with the right tools, Office 365 is in many respects easier to manage, monitor and audit than traditional environments. This is especially true where multiple sites and geographies are involved. Office 365 has built-in data loss prevention (DLP) policy control, for example.
Most suspicious activity and security breaches can be traced back to internal users. Outside hacks tend to rely on data leakage from inside the business, and whether these leaks are deliberate or accidental you can’t rely on the staff in question to make themselves known; you need to be able to check what’s really going on. In fact, if someone compromises your system by doing something without thinking, then you may be even more vulnerable if you only have an on-premises solution – as we’ll see.
Let’s start by looking at an example of why an Office 365 deployment isn’t so different from a traditional environment.
Viruses, Ransomware and Office 365
It’s now five months since the infamous Cerber ransomware attack on Office 365 corporate users. At the time, sources estimated that nearly 60 per cent of organisations using Office 365 had received at least one copy of Cerber malware into one of their corporate mailboxes.
It’s reported that the virus was able to bypass Office 365’s built-in security tools through a private Office 365 mail account. A cursory glance at the headlines might have led you to believe the scare stories that this was a specific Office 365 vulnerability.
Cerber works by encrypting files and demanding a ransom to unlock them. It’s a particularly interesting development as it is being targeted at corporations in a ‘ransomware-as-a-service’ (RaaS) scheme, which can be bought into by technically illiterate cybercriminals. This has led to Cerber being termed “ransomware for dummies” by Check Point’s group manager of intelligence operations, Maya Horowitz. In its various forms, Cerber itself is estimated to be currently netting its authors and affiliates up to US $2.5 million a year.
So if you’re an Office 365 corporate user, does that mean you’re automatically more at risk from ransomware and viruses like Cerber? Microsoft told Infosecurity magazine that “Office 365 malware protection identified the [Cerber] attack and was updated to block it within hours of its origination on June 22. Our investigations have found that this attack is not specific to Office 365 and only a small percentage of Office 365 customers were targeted.”
Microsoft’s responses to Cerber included updating its Malicious Software Removal Tool and Windows Defender – in other words, the traditional tools needed to protect any Office or Windows installation from malware, whether data is in the cloud or not. And that’s hardly surprising: Cerber – and similar malware – turns out to be distributed using old-fashioned email attachments that trigger macros (yes, precisely the same macros that were spreading viruses back in the 1990s). If your emails aren’t scanned, if your policy is to have macros enabled, if your staff don’t understand the risks of clicking on dodgy attachments, and if you don’t monitor your environment – then you’re asking for trouble whether you’re in the cloud or not.
Cerber in action (image courtesy of Microsoft).
The bottom line in this case is most of the critical security decisions remain in your control: it would have been entirely your choice whether you had chosen to allow macros to be used in your business. That’s nothing to do with Office 365 being a cloud service. Microsoft itself points out that the data they’ve analysed indicates 98 per cent of Office-targeted threats use macros.
So, if most of the security decisions and processes are still in your control, what can you do to guarantee that your environment is fully protected?
Make sure you check back on the blog for our next post in the series: The Important of Monitoring.
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365. Find out more now.