Many organizations are still wondering whether to move to the Cloud or not. One of the main reasons for their hesitancy is concerns about security and control. Microsoft has always put security at the core of all its platforms and products, and this includes Office 365, their #1 cloud productivity solution. And to make it a more compelling proposition, they’ve been constantly adding various features to the solution.
One of these is called Advanced Security Management and comes as a standard feature within E5 licenses. For any other license, it can be purchased as an add-on from your provider.
It is important to note that there are other security features like Cloud App Security, which is also part of Office 365, but licensed differently; it’s an add-on license that has even more capabilities.
You do not need the Cloud App Security tool unless there is a specific need or you require a Security Information and Event Management (SIEM) based solution.
Are you managing multiple Office 365 tenants? If yes, read our guide, 15 Tricks to Succeed in Managing Multiple Office 365 Tenants to help you save time. Click here to learn how.
Advanced Security Management: 3 High Level Functions and Features
1) Threat Detection
Advanced Security Management enables you to set up anomaly detection policies. These allow you to be alerted of potential breaches on your network. Anomaly detection works by scanning user activities and evaluating their risk against many different indicators, such as sign-in failures, administrator activity, and inactive accounts.
Advanced Security Management also uses behavioral analytics as part of its anomaly detection to assess potentially risky user-behavior. This is done by understanding how users normally interact with Office 365, looking for anomalies and giving the anomalous activity a risk score to help IT decide whether to take further action. Microsoft’s Cybersecurity insights into the threat landscape around the world are also used to ensure early detection and prevention of issues.
2) Enhanced Control
Advanced Security Management lets you set up activity policies that can track specific activities. Using out-of-the-box templates, you can easily create policies that flag such items as:
- Downloading unusually large amounts of data
- Multiple failed sign-in attempts
- Sign-ins from a risky IP address.
Policies can be customized to your environment. With activity filters, you can look for the location of a user, device type, IP address, or to identify someone who is granted admin rights. Once these policies are defined, alerts can also be scheduled so that immediate email or text messages can be sent, which will assist in a more proactive IT service.
3) Discovery and Insights
The service also provides an app discovery dashboard that allows you to visualize your organization’s usage of Office 365 as well as any other productivity Cloud service. This helps you to maximize investments in IT-approved solutions instead of users accessing non-approved and unsanctioned applications.
The ability to discover thousands of applications in categories, such as collaboration, Cloud storage, webmail and others can assist you in determining to what extent shadow IT is occurring within your organization. Reporting will also give you details about the top apps by category as well as other values. All of this is done without the need to install devices to check for this. Simply load the data into the dashboard by uploading logs from your network devices directly into Advanced Security Management.
How to Enable Advanced Security Management for Office 365
Once Advanced Security Management is available, you can access it from within your tenant’s Admin Center.
To get started, you will first need to sign-in to Office 365 as a Global Administrator or Security Administrator for Advanced Security Management. You will also need to turn on the feature using the following steps:
- Sign-in to Office 365 as a Global Administrator or Security Administrator for Advanced Security Management.
- Go to the Security & Compliance Center, and on the left, choose Alerts, then Manage advanced alerts.
- Check Turn on Advanced Security Management for Office 365, and then click Go to Advanced Security Management
How to Setup Policies and Alerts in the Portal
Once the service is enabled, use the Advanced Security Management portal to define alerts that are triggered by anomalies or specific activities. You can also perform App discovery, which will help you understand and manage application usage in your organization. You’ll be able to secure your Apps with permissions and control which third-party apps can connect to Office 365.
It’s important to carefully choose what activities make sense for your organization. Choosing whether to capture individual user activity versus repeated user activity has a direct impact on successfully auditing security for your Office 365 tenant.
1) Creating a Policy in the Portal
To create a policy, simply click the Create policy button and select one of the available options.
For an Activity policy, you’ll be able to use an existing policy template instead of building it from scratch.
Configuration settings include the policy name description, as well as the severity and category. Based on the severity and category, events will appear with different icons and colors when captured in the log.
Note: Be careful not to add too many filters to avoid causing false positives or making the filter less effective.
The creation process is completed by clicking on the Apply template button. Once created, the new policy will be listed within the console.
2) Why Alerts Are so Important
The real win with Advanced Security Management is the alerting mechanism for the policies that you create mapped to the core security, monitoring, and control options that are built-in.
Once the policy has been set, choosing the right alerting mechanism can be the difference between capturing a potential issue versus it being ignored. Every policy does not require a text message and, of course, no one needs to be constantly bombarded by irrelevant alerts.
Setting email notifications for most filters will suffice for less critical activities. Highly concerning issues, such as Impossible login (login from two places, for example,-countries within an improbable time, such as a successful login in Canada, followed by another login in India an hour later), should be sent as text messages to be captured and resolved instantly.
You can choose to send alerts to the end-user’s manager or an administrator, depending on how you manage security events. Resolving an alert can involve temporarily suspending the account.
For this example, we’ve created an Activity Policy with the Threat Detection category. We’ve called it “Logon from risky IP address”.
Whenever someone logs in from a risky IP address (associated with anonymous proxies or Tor), it will be captured in the log, and a notification will be sent. The rule is set to specifically check for these two IP address types by adding a filter, as shown in the following picture.
You can set the rule yourself for testing and manually add an IP address as risky. Browse or remotely connect from the IP by using the Tor browser or a VPN connection. The rule will work when accessing a SharePoint or OneDrive site in your Office 365 tenant and you’ll be able to see the notifications in the Advanced Security Management portal.
Note that the rule flags the IP address and then, on the far right, displays the browser that was used. In the picture above, you see that the alerts comes from Firefox, meaning from the Tor Browser tool.
Security Center Dashboard
The Office 365 Advanced Security Management dashboard is your security center for everything related to your tenant. It provides a single view of potential issues and helps you make sure users are taking advantage of all Office 365 services as expected and securely.
With Advanced Security Management, you can be assured that access is controlled and monitored, and stay proactive about threats.