One of the biggest reasons many organisations are hesitant to move to the cloud is down to Security. The problem is not really end user security as such but more, high level security and control. Microsoft has been trying to address this by adding various features to Office 365, making it a more compelling argument, and ensuring that Security is now a core part of all platforms and products they build.
One such feature is called Advanced Security Management and comes as a standard feature within an E5 license. For any other license, it can be purchased as an add-on by accessing your subscriptions within the Admin Center and choosing the Office 365 Advanced Security Management option.
Note: If you purchase your licenses through a Cloud Service Provider (CSP), then there are other options and costs available.
When looking at the licenses and features there are two options as available. The first is Advanced Security Management; the second is called Cloud App Security, which is the big brother of the Advanced Security Management components. They are also licensed differently, one comes as part of the E5, or the add-on license, the other is a completely different add-on license that adds even more capabilities on-top of the core features.
You do not need to move to the Cloud App Security tool unless there is a specific need or you have very specific requirements that are more SaaS application based, or you require a Security Information and Event Management (SIEM) based solution. Cloud App Security is a great tool and if you do need to combine Cloud and On-premises monitoring and application control then that is what you need.
Advanced Security Management will help you protect your entire Office 365 tenant by allowing you to perform the following actions:
- See how your organisation’s data in Office 365 is accessed and used
- Control access to Office 365 data on mobile devices/apps
- Define policies that trigger alerts for atypical or suspicious activities
- Suspend user accounts exhibiting suspicious activity
- Require users to log back in to Office 365 apps after an alert has been triggered.
There are three high level components that make up Advanced Security Management:
Threat Detection
Advanced Security Management enables you to set up anomaly detection policies. These allow you to be alerted to potential breaches of your network. Anomaly detection works by scanning user activities and evaluating their risk against many different indicators, such as sign-in failures, administrator activity and inactive accounts. Advanced Security Management also uses behavioural analytics as part of its anomaly detection to assess potentially risky user behaviour. This is done by understanding how users normally interact with Office 365, looking for anomalies and giving the anomalous activity a risk score to help IT decide whether to take further action. Microsoft’s Cybersecurity insights of the threat landscape around the world are also used to ensure early detection and prevention of issues.
Enhanced Control
Advanced Security Management lets you set up activity policies that can track specific activities. Using out-of-the-box templates, you can easily create policies that flag such items as:
- Downloading unusually large amounts of data
- Multiple failed sign-in attempts
- Signs in from a risky IP address.
Policies can be customised to your environment. With activity filters, you can look for the location of a user, device type, IP address or if someone is granted admin rights. Once these policies are defined alerts can also be scheduled, so immediate email or text messages can be sent assisting in a more proactive IT service.
Discovery and Insights
The service also provides an app discovery dashboard that allows you to visualise your organisation’s usage of Office 365 as well as any other productivity cloud services. This helps you to maximise investments in IT-approved solutions, instead of users accessing un-approved and unsanctioned applications. The ability to discover thousands of applications in categories such as collaboration, cloud storage, webmail and others, can assist you in determining to what extent shadow IT is occurring within your organisation. Reporting will also give you details about the top apps by category as well as other values. All of this is done without the need to install devices to check for this. Simply load the data into the dashboard, by uploading logs from your network devices directly into Advanced Security Management.
Enabling Advanced Security Management within Office 365
Whichever option you have, either an E5 or an add-on license, once it is available you can access it from within your tenant’s Admin Center. Once the service is enabled and you are in the Advanced Security Management console, you can keep your organisation protected by defining alerts that are triggered by anomalies or specific activities. You can also perform app discovery, which will provide information to help you understand and manage application usage in your organization and as well as securing them using App permissions, controlling third-party apps that can connect to Office 365.
To get started, you will first need to sign in to Office 365 as a Global Administrator or Security Administrator for Advanced Security Management. You will also need to turn on the feature using the following steps:
- Sign in to Office 365 as a Global Administrator or Security Administrator for Advanced Security Management.
- Go to the Security & Compliance Center, and on the left, choose Alerts, then Manage advanced alerts.
3. Check Turn on Advanced Security Management for Office 365, and then click Go to Advanced Security Management.
The main feature within Advanced Security Management outside of policies that is key to protecting Office 365 is the alerting mechanism. These alerts are assigned to the policies that you create, which in-turn are mapped to core security, monitoring and control options.
To create a policy that is specific to your organisation, follow these simple steps:
- Click the Create Policy button
- Select the Template you wish to use
- Select Activity policy
- Select the Policy template
- Choose the Logon from a risk IP address
- Press the Apply template button
You can now set the policy name, description, severity and category. As an example you can set it to Threat detection. Defining a category will display different icons and colours when the items are captured in the core log.
When defining the policy, you need to choose whether to capture individual activity versus repeated activity by users. Choosing the correct option can have an impact on whether the alerts are successful. The base activity filter can be seen in the configuration, adding more to this, can often cause more false positives or render the activity filter useless.
Carefully choosing the right activities that make sense for your organisation will help capture the maximum activities. Once the policy has been set, choosing the right alerting mechanism can be the difference between capturing a potential issue versus it just being ignored. Be aware that every policy does not warrant a text message and of course you do not need to be constantly bombarded with messages.
Setting email notifications for most filters will suffice, for the most important activities such as Impossible login (login from two places such as countries within an impossible time, such as Canada login, then a login in India an hour later) should be sent as text messages to be captured and resolved instantly.
Lastly for the policy, when the filter is met, a message can be sent to the end users manager, or other email accounts as needed for notification. Secondly, the account can be suspended stopping the user from logging in and isolating the issue, as well as notifying as needed. The new policy will then be listed within the console.
Once a new policy has been saved, it becomes available and starts logging data. If for example you were checking for risky IP addresses (normally associated with anonymous proxies and Tor) it will now get captured in the log and send a notification.
At any point you can modify the current rule to specifically change a rule, such as adding other technologies to an existing filter.
To test something like a risky IP address rule, you will need to use something like the Tor browser or a VPN. Navigating to the SharePoint or OneDrive site for the Office 365 tenant from that address, it will now log a risky IP entry and will then notify you.
What is great is that it does not just log the service you are trying to connect to, IP address you came from, but also will display the browser that was used, operating system and device used to connect. If a policy is matched at any time, then an email or text message, depending on the policy settings will be sent so that remedial action can be sent. The key here is that you define one or more policies that include different criteria that serve as the trigger for the alerts.
Within the Advanced Security Management service, there is a dashboard that is provided as your centre for everything security related. It will give you a single view of potential issues and also where things are working as expected, and are secured.
With Advanced Security Management you can be assured that access is controlled, monitored and you can be proactive in any potential issues.
One thing to really understand about Advanced Security Management, is that even though the process for defining policies, setting alerts and even searching logs is easy, knowing what to configure is the most important and can be the most complicated task. For more details visit: https://support.office.com/en-us/article/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475
By Liam Cleary (MVP), Contributor
Liam Cleary is a 10 time SharePoint MVP, focusing on Architecture but also crosses into Development. His speciality over the past few years has been security in SharePoint and its surrounding platforms. He spends most of his days designing solutions for SharePoint in many different industries and business sectors from Defense, Financial, Non-profit, Commercial and Corporate. Liam is a Pluralsight Author, the main content contributor for SharePoint Pro Mag and has been a speaker at various international conferences including Microsoft Ignite and TechEd.
