Figuring out what you should do to protect your SaaS infrastructure like Office 365—especially if you’re newer to cloud—can feel overwhelming.
After all, your users over in sales, marketing or R&D probably aren’t going to think twice about how strong their passwords are, or notice the cleverly disguised phishing scam that just landed in their inboxes.
We get it.
And you’re not alone if you’re kinda freaking out: According to the PhishLabs 2018 Phishing Trends and Intelligence Report, attacks targeting SaaS applications exploded in 2018, growing by more than 237 percent.
SaaS-based applications: a cloudier view of your data
Things like email, word processing and document sharing tools are ubiquitous. This makes them prime targets for attackers. Long gone are the days when IT ran their own email servers. Today, SaaS-based applications like Microsoft Office 365 offer lots of convenience and cost savings—but because they operate in the cloud, it also means your former front row seats to your data and infrastructure now come with a slightly obstructed view.
While cloud providers like Amazon Web Services, Microsoft Azure and Google are responsible for securing their infrastructure, the bottom line is that your organization is still responsible for protecting your company’s data – whether you’ve only got one app in the cloud or you’ve moved all of your apps and data up there. (Psst: If your cloud security strategy needs a tune-up, you won’t want to miss this article.)
No matter where you are in your cloud journey, if you run Office 365 here are five important things you can do right away to keep attackers (and wiley insider threats) at bay.
What do I need to do to keep Office 365 secure?
If you’re running Microsoft Office 365, there are 5 Office 365 security best practices you want to check out right now to keep your org and your data safe:
- Enable audit logging. This is one of the most impactful things you can do when it comes to securing Office 365. Why? Office 365 audit logs record all activities across Office 365 apps. When an incident occurs, this makes it a lot easier to investigate because you’ve got access to all the actions users took in Office 365, ranging from viewing and downloading documents to resetting passwords. Here’s a full list of the actions that Office 365 audit logs record, and instructions for turning on audit logging.
- Use multi-factor authentication everywhere. Multi-factor authentication is a lot like building a fence around the perimeter of your house (or data, in this case) to deter bad actors. It shrinks your risk of falling victim to the most common attacks like simple phishing and password spraying. Phishing is still one of the top initial attack methods of choice. For example, take a look at this example of a crafty phishing campaign that hid malicious URLs in SharePoint files.
- Implement controls to stop the most common things attackers and users do. Look for security controls that address issues like phishing prevention, malware scanning, user behavior analytics and DLP scanning. Depending on your organization, this could mean implementing native Office 365 security tools, or exploring 3rd-party options.
- Tighten up your Office 365 policy configurations. Microsoft offers good advice on ways to better secure your data in Office 365. Based on the Office 365-related incidents the Expel team has investigated and resolved for our customers, we recommend that, at a minimum, you review your organization’s conditional access policies, restrict or disable public SharePoint and OneDrive links and disable mailbox forwarding.
- Plan ahead for account compromises—they’re inevitable. Not to be all “doom and gloom” over here, but as anyone in security knows, it’s always wise to prepare for the worst. Know that when an incident occurs, investigations are probably different than the good ol’ days when you had your email server tucked away safely in your server room. For starters, there aren’t any endpoints or network devices to review. Also absent are files, processes and network traffic—all of which helped us determine the scope and impact of an intrusion in the past.
Instead, SaaS incident investigations rely heavily on audit logs (see best practice #1) that are user-centric because they can help us determine what’s normal or abnormal for a particular user’s account. What location does the user normally authenticate from, and what device does he or she normally use? What actions does he or she take after logging into the account? To answer these questions, you’ll need to be familiar with Office 365 audit logs.
Last but not least, keep our handy cheat sheet for managing your next security incident nearby (and give a copy to every team member!).