SlideShare a Scribd company logo
1 of 26
Download to read offline
{elysiumsecurity}
OFFICE 365 SECURITY
Version: 1.2a
Date: 25/07/2018
Author: Sylvain Martinez
Reference: ESC9-MUSCL
Classification: Public
cyber protection & response
{elysiumsecurity}
cyber protection & response
2
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
• What is Office 365? • Misconception • Dual Factor
Authentication;
• Enable Audit Logs;
• Review Email
Protection Settings;
• Admin as a Separate
User;
• Limit Usage of Admin
Account;
• Microsoft Security
Score.
• Enforce Dual Factor
Authentication;
• Enable Advanced
Audit Logs;
• Advanced Threat
Protection;
• Create ATP Policies;
• Disable OWA by
default;
• Regular Log Reviews;
• Limitations;
• Where to start?
• What to look for?
CONTENTS
Public
{elysiumsecurity}
cyber protection & response
3
WHAT IS OFFICE 365
Public
EXCEL, WORD, POWERPOINT,
OUTLOOK/EMAIL
STARTED IN 2010
INTEGRATES WITH AZURE ACTIVE
DIRECTORY
MICROSOFT CLOUD OFFERING
FOR OFFICE TOOLS
Icons from the noun project unless specified otherwise
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
4
MISCONCEPTION
Public
NO NEED FOR EXTRA SECURITY
CONFIGURATION
PHISHING ATTACKS AND
CREDENTIALS COMPROMISE ARE
NOT POSSIBLE
HOSTED MY MICROSOFT SO IT
CANNOT BE HACKED
MANY SECURITY FEATURES
TURNED OFF BY DEFAULT
RISK CAN BE REDUCED BUT NOT
REMEDIATED COMPLETELY
THERE IS NO SUCH A THING AS A
100% SECURE SYSTEM
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
5
OVERVIEW
Public
ENABLE DUAL FACTOR
AUTHENTICATION
ENABLE AUDIT LOGS
REVIEW EMAIL PROTECTION
SETTINGS
SET YOUR ADMIN ACCOUNT AS A
SEPARATE USER
LIMIT USE OF ADMIN/ENTERPRISE
ACCOUNT
LOOK AT YOUR SECURITY SCORE
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
6
DUAL FACTOR AUTHENTICATION
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
7
ENABLE AUDIT LOGS
Public Images from slashadmin.co.uk
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
8
REVIEW EMAIL PROTECTION SETTINGS
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
9
ADMIN AS A SEPARATE USER
Public
STATUS: UNLICENSED
NO NEED FOR MAILBOX
NO NEED TO LOGON TO DOMAIN
ONLY NEED TO LOGON TO ADMIN PORTAL
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
10
LIMIT USAGE OF ADMIN ACCOUNT
Public Images from Dreamstime
NO HUMAN RISK
NO HUMAN ERRORS =
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
11
MICROSOFT SECURITY SCORE
Public
SECURITY COMPLIANCE HOME &
https://securescore.microsoft.com
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
12
OVERVIEW
Public
ENFORCE DUAL FACTOR
AUTHENTICATION FOR ALL USERS
ENABLE ADVANCED AUDIT LOGS
INSTALL ADVANCED THREAT
PROTECTION
CREATE ATP POLICIES
DISABLE OUTLOOK WEB ACCESS
BY DEFAULT
REGULAR LOGS REVIEW
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
13
ENFORCE DUAL FACTOR AUTHENTICATION
Public
https://blogs.technet.microsoft.com/office365/2015/08/25/powershell-
enableenforce-multifactor-authentication-for-all-bulk-users-in-office-365/
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
14
ENABLE ADVANCED AUDIT LOGS
Public
READY?
DONE?
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
START POWERSHELL AS ADMIN1
Set-ExecutionPolicy RemoteSigned2
$UserCredential = Get-Credential3
NO
MFA!
$Session = New-PSSession –
ConfigurationName Microsoft.Exchange –
ConnectionUri
https://outlook.office365.com/powershell-
liveid/ -Credential $UserCredential –
Authentication Basic -AllowRedirection
4
Import-PSSession $Session5
CHECK
STATUSGet-Mailbox ”myname"| FL Audit*6
CHECK
STATUS FOR
ALL USERS
Get-Mailbox -ResultSize Unlimited -Filter
{RecipientTypeDetails -eq "UserMailbox"} |
FL Name,Audit*
7
ENABLE
LOGS FOR
ALL USERS
Get-Mailbox -ResultSize Unlimited -Filter
{RecipientTypeDetails -eq "UserMailbox"} |
Set-Mailbox -AuditEnabled $true
8
BY DEFAULT ONLY
UPDATEFOLDERPERMISSION IS ENABLED
FOR NORMAL USERS.
9
{elysiumsecurity}
cyber protection & response
15
ENABLE ADVANCED AUDIT LOGS
Public
Get-Mailbox -ResultSize Unlimited -Filter
{RecipientTypeDetails -eq "UserMailbox"} | Set-
Mailbox -AuditOwner
@{Add="MailboxLogin","HardDelete","SoftDelete
", " Create", "Move", "MoveToDeletedItems"}
https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365-
aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
10
{elysiumsecurity}
cyber protection & response
16
ADVANCED THREAT PROTECTION
Public
OFFICE 365
ADVANCED
THREAT
PROTECTION
$2 user/month
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
17
ADVANCED THREAT PROTECTION
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
18
CREATE ATP POLICIES
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
19
CREATE ATP POLICIES
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
20
DISABLE OWA BY DEFAULT
Public
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
21
REGULAR LOGS REVIEW
Public
LOOK FOR UNUSUAL ACTIVITIES AND IP SOURCE
FOR KEY USERS
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
22
LIMITATION
Public
POTENTIAL TIMEZONE
DIFFERENCE OF THE SERVER
CLOUD ENVIRONMENT MEANS
NO FULL ACCESS TO RAW DATA
INFORMATION LIMITATION
WEB REPORTS BUGS
ENABLE AUDIT LOGS
(Not a default option!)
NO OFFLINE LOGS BACKUP
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
23
WHERE TO START
Public
https://protection.office.com
https://portal.office.com/adminportal
https://portal.azure.com
USE A GOBAL ADMIN ACCOUNT OR
PROVIDE ENOUGH ROLES/RIGHT TO
YOUR INVESTIGATION ACCOUNT
-> SECURITY & COMPLIANCE
-> REPORT DASHBOARD
-> SEARCH & INVESTIGATION
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
24
WHAT TO LOOK FOR?
Public
MAIL FORWARDING RULES
ADMIN CENTERS -> EXCHANGE -> MAILBOXES -> Select mailbox /
double click -> mail box feature -> mailflow -> view details
Not part of the Audit Logs!
AUDIT SEARCH FILTER INTERESTING KEYWORDS
UserLoggedIn
New-Inboxrule
Set-InboxRule
Set-Mailbox
IP ADDRESS AND IMPOSSIBLE LOGINS
SUSPICIOUS ACTIVITIES
SUSPICIOUS DATE AND TIME
FORENSICS
ADVANCED
SECURITY
BASIC SECURITYRISKSCONTEXT
{elysiumsecurity}
cyber protection & response
A LOT OF THE TIPS DISCUSSED TODAY COME FROM THE EXCELLENT
“FORENSIC LUNCH” SHOW:
https://www.youtube.com/watch?v=WgRxPCofIrA
Presentation starts at 15 minutes in
Devon Ackerman
“Forensically sound incident response in Microsoft’s Office 365”
HIGHLY RECOMMENDED!
{elysiumsecurity}
cyber protection & response
© 2018 ElysiumSecurity Ltd.
All Rights Reserved
www.elysiumsecurity.com
ElysiumSecurity provides practical expertise to identify
vulnerabilities, assess their risks and impact, remediate
those risks, prepare and respond to incidents as well as raise
security awareness through an organization.
ElysiumSecurity provides high level expertise gathered
through years of best practices experience in large
international companies allowing us to provide advice best
suited to your business operational model and priorities.
ABOUT ELYSIUMSECURITY LTD.
ElysiumSecurity provides a portfolio of Strategic and Tactical
Services to help companies protect and respond against Cyber
Security Threats. We differentiate ourselves by offering discreet,
tailored and specialized engagements.
Operating in Mauritius and in the United Kingdom,
our boutique style approach means we can easily adapt to your
business operational model and requirements to provide a
personalized service that fits your working environment.

More Related Content

What's hot

Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive toolOpen Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive toolSylvain Martinez
 
2019 CYBER SECURITY TRENDS REPORT REVIEW
2019 CYBER SECURITY TRENDS REPORT REVIEW2019 CYBER SECURITY TRENDS REPORT REVIEW
2019 CYBER SECURITY TRENDS REPORT REVIEWSylvain Martinez
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey מוטי שגיא
 
Ivan dragas get ahead of cybercrime
Ivan dragas   get ahead of cybercrimeIvan dragas   get ahead of cybercrime
Ivan dragas get ahead of cybercrimeDejan Jeremic
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco Security
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...Berezha Security Group
 
Data Center Security Challenges
Data Center Security ChallengesData Center Security Challenges
Data Center Security ChallengesCisco Security
 
Ict 2015 saga - cisco cybersecurity rešenja- Viktor Varga
Ict 2015   saga - cisco cybersecurity rešenja- Viktor VargaIct 2015   saga - cisco cybersecurity rešenja- Viktor Varga
Ict 2015 saga - cisco cybersecurity rešenja- Viktor VargaDejan Jeremic
 
Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Cisco Canada
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Cristian Garcia G.
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Shah Sheikh
 
Mobile Security: 2016 Wrap-Up and 2017 Predictions
Mobile Security: 2016 Wrap-Up and 2017 PredictionsMobile Security: 2016 Wrap-Up and 2017 Predictions
Mobile Security: 2016 Wrap-Up and 2017 PredictionsSkycure
 
Re solution - corona virus cyber security infographic
Re solution - corona virus cyber security infographicRe solution - corona virus cyber security infographic
Re solution - corona virus cyber security infographicJacob Tranter
 
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response TeamBGA Cyber Security
 

What's hot (20)

OFFENSIVE IDS
OFFENSIVE IDSOFFENSIVE IDS
OFFENSIVE IDS
 
Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2
 
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive toolOpen Source IDS - How to use them as a powerful fee Defensive and Offensive tool
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
 
Ecosystem
EcosystemEcosystem
Ecosystem
 
2019 CYBER SECURITY TRENDS REPORT REVIEW
2019 CYBER SECURITY TRENDS REPORT REVIEW2019 CYBER SECURITY TRENDS REPORT REVIEW
2019 CYBER SECURITY TRENDS REPORT REVIEW
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal
 
Ivan dragas get ahead of cybercrime
Ivan dragas   get ahead of cybercrimeIvan dragas   get ahead of cybercrime
Ivan dragas get ahead of cybercrime
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide Deck
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...
 
Data Center Security Challenges
Data Center Security ChallengesData Center Security Challenges
Data Center Security Challenges
 
Ict 2015 saga - cisco cybersecurity rešenja- Viktor Varga
Ict 2015   saga - cisco cybersecurity rešenja- Viktor VargaIct 2015   saga - cisco cybersecurity rešenja- Viktor Varga
Ict 2015 saga - cisco cybersecurity rešenja- Viktor Varga
 
Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere
 
INFINITY Presentation
INFINITY PresentationINFINITY Presentation
INFINITY Presentation
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
 
Mobile Security: 2016 Wrap-Up and 2017 Predictions
Mobile Security: 2016 Wrap-Up and 2017 PredictionsMobile Security: 2016 Wrap-Up and 2017 Predictions
Mobile Security: 2016 Wrap-Up and 2017 Predictions
 
Re solution - corona virus cyber security infographic
Re solution - corona virus cyber security infographicRe solution - corona virus cyber security infographic
Re solution - corona virus cyber security infographic
 
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
 

Similar to OFFICE 365 SECURITY

ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!ITCamp
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesKai Wähner
 
Microsoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptxMicrosoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptxMike Brannon
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudTobias Koprowski
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Luca Bongiorni
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
20171207 we are moving to the cloud what about security
20171207 we are moving to the cloud what about security20171207 we are moving to the cloud what about security
20171207 we are moving to the cloud what about securityArjan Cornelissen
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityWalls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityAbdul Jaleel
 
Change auditing: Determine who changed what, when and where
Change auditing: Determine who changed what, when and whereChange auditing: Determine who changed what, when and where
Change auditing: Determine who changed what, when and whereGiovanni Zanasca
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsCisco Canada
 
Be Aware Webinar – Office 365 Seguro? Sym, Cloud!
Be Aware Webinar – Office 365 Seguro? Sym, Cloud!Be Aware Webinar – Office 365 Seguro? Sym, Cloud!
Be Aware Webinar – Office 365 Seguro? Sym, Cloud!Symantec Brasil
 
2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation final2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation finalAlgoSec
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM
 
December 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarDecember 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarRobert Crane
 
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de SegurançaProteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de SegurançaCisco do Brasil
 
Addressing the Cyber-Security Landscape
Addressing the Cyber-Security LandscapeAddressing the Cyber-Security Landscape
Addressing the Cyber-Security LandscapeePlus
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 
1.3. (In)security Software
1.3. (In)security Software1.3. (In)security Software
1.3. (In)security Softwaredefconmoscow
 

Similar to OFFICE 365 SECURITY (20)

ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
 
Microsoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptxMicrosoft Security Advice ISSA Slides.pptx
Microsoft Security Advice ISSA Slides.pptx
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
20171207 we are moving to the cloud what about security
20171207 we are moving to the cloud what about security20171207 we are moving to the cloud what about security
20171207 we are moving to the cloud what about security
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityWalls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application Security
 
Change auditing: Determine who changed what, when and where
Change auditing: Determine who changed what, when and whereChange auditing: Determine who changed what, when and where
Change auditing: Determine who changed what, when and where
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced Threats
 
Be Aware Webinar – Office 365 Seguro? Sym, Cloud!
Be Aware Webinar – Office 365 Seguro? Sym, Cloud!Be Aware Webinar – Office 365 Seguro? Sym, Cloud!
Be Aware Webinar – Office 365 Seguro? Sym, Cloud!
 
2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation final2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation final
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
December 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know WebinarDecember 2019 Microsoft 365 Need to Know Webinar
December 2019 Microsoft 365 Need to Know Webinar
 
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de SegurançaProteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
 
Logicalis Security Conference
Logicalis Security ConferenceLogicalis Security Conference
Logicalis Security Conference
 
Addressing the Cyber-Security Landscape
Addressing the Cyber-Security LandscapeAddressing the Cyber-Security Landscape
Addressing the Cyber-Security Landscape
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 
1.3. (In)security Software
1.3. (In)security Software1.3. (In)security Software
1.3. (In)security Software
 

More from Sylvain Martinez

More from Sylvain Martinez (17)

INTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHYINTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHY
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 
DATA LOSS PREVENTION OVERVIEW
DATA LOSS PREVENTION OVERVIEWDATA LOSS PREVENTION OVERVIEW
DATA LOSS PREVENTION OVERVIEW
 
INCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTSINCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTS
 
PHISHING PROTECTION
PHISHING PROTECTIONPHISHING PROTECTION
PHISHING PROTECTION
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEW
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
ARE YOU RED TEAM READY?
ARE YOU RED TEAM READY?ARE YOU RED TEAM READY?
ARE YOU RED TEAM READY?
 
GDPR SECURITY ISSUES
GDPR SECURITY ISSUESGDPR SECURITY ISSUES
GDPR SECURITY ISSUES
 
Risk on Crypto Currencies
Risk on Crypto CurrenciesRisk on Crypto Currencies
Risk on Crypto Currencies
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICS
 
Talk1 esc7 muscl-gdpr_debate_v1_2
Talk1 esc7 muscl-gdpr_debate_v1_2Talk1 esc7 muscl-gdpr_debate_v1_2
Talk1 esc7 muscl-gdpr_debate_v1_2
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
INCIDENT HANDLING IN ORGANISATIONS
INCIDENT HANDLING IN ORGANISATIONSINCIDENT HANDLING IN ORGANISATIONS
INCIDENT HANDLING IN ORGANISATIONS
 
SOCIAL MEDIA AS A CYBER WEAPON
SOCIAL MEDIA AS A CYBER WEAPONSOCIAL MEDIA AS A CYBER WEAPON
SOCIAL MEDIA AS A CYBER WEAPON
 
Talk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bTalk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2b
 
Talk1 muscl club_v1_2
Talk1 muscl club_v1_2Talk1 muscl club_v1_2
Talk1 muscl club_v1_2
 

Recently uploaded

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 

Recently uploaded (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 

OFFICE 365 SECURITY

  • 1. {elysiumsecurity} OFFICE 365 SECURITY Version: 1.2a Date: 25/07/2018 Author: Sylvain Martinez Reference: ESC9-MUSCL Classification: Public cyber protection & response
  • 2. {elysiumsecurity} cyber protection & response 2 FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT • What is Office 365? • Misconception • Dual Factor Authentication; • Enable Audit Logs; • Review Email Protection Settings; • Admin as a Separate User; • Limit Usage of Admin Account; • Microsoft Security Score. • Enforce Dual Factor Authentication; • Enable Advanced Audit Logs; • Advanced Threat Protection; • Create ATP Policies; • Disable OWA by default; • Regular Log Reviews; • Limitations; • Where to start? • What to look for? CONTENTS Public
  • 3. {elysiumsecurity} cyber protection & response 3 WHAT IS OFFICE 365 Public EXCEL, WORD, POWERPOINT, OUTLOOK/EMAIL STARTED IN 2010 INTEGRATES WITH AZURE ACTIVE DIRECTORY MICROSOFT CLOUD OFFERING FOR OFFICE TOOLS Icons from the noun project unless specified otherwise FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 4. {elysiumsecurity} cyber protection & response 4 MISCONCEPTION Public NO NEED FOR EXTRA SECURITY CONFIGURATION PHISHING ATTACKS AND CREDENTIALS COMPROMISE ARE NOT POSSIBLE HOSTED MY MICROSOFT SO IT CANNOT BE HACKED MANY SECURITY FEATURES TURNED OFF BY DEFAULT RISK CAN BE REDUCED BUT NOT REMEDIATED COMPLETELY THERE IS NO SUCH A THING AS A 100% SECURE SYSTEM FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 5. {elysiumsecurity} cyber protection & response 5 OVERVIEW Public ENABLE DUAL FACTOR AUTHENTICATION ENABLE AUDIT LOGS REVIEW EMAIL PROTECTION SETTINGS SET YOUR ADMIN ACCOUNT AS A SEPARATE USER LIMIT USE OF ADMIN/ENTERPRISE ACCOUNT LOOK AT YOUR SECURITY SCORE FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 6. {elysiumsecurity} cyber protection & response 6 DUAL FACTOR AUTHENTICATION Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 7. {elysiumsecurity} cyber protection & response 7 ENABLE AUDIT LOGS Public Images from slashadmin.co.uk FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 8. {elysiumsecurity} cyber protection & response 8 REVIEW EMAIL PROTECTION SETTINGS Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 9. {elysiumsecurity} cyber protection & response 9 ADMIN AS A SEPARATE USER Public STATUS: UNLICENSED NO NEED FOR MAILBOX NO NEED TO LOGON TO DOMAIN ONLY NEED TO LOGON TO ADMIN PORTAL FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 10. {elysiumsecurity} cyber protection & response 10 LIMIT USAGE OF ADMIN ACCOUNT Public Images from Dreamstime NO HUMAN RISK NO HUMAN ERRORS = FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 11. {elysiumsecurity} cyber protection & response 11 MICROSOFT SECURITY SCORE Public SECURITY COMPLIANCE HOME & https://securescore.microsoft.com FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 12. {elysiumsecurity} cyber protection & response 12 OVERVIEW Public ENFORCE DUAL FACTOR AUTHENTICATION FOR ALL USERS ENABLE ADVANCED AUDIT LOGS INSTALL ADVANCED THREAT PROTECTION CREATE ATP POLICIES DISABLE OUTLOOK WEB ACCESS BY DEFAULT REGULAR LOGS REVIEW FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 13. {elysiumsecurity} cyber protection & response 13 ENFORCE DUAL FACTOR AUTHENTICATION Public https://blogs.technet.microsoft.com/office365/2015/08/25/powershell- enableenforce-multifactor-authentication-for-all-bulk-users-in-office-365/ FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 14. {elysiumsecurity} cyber protection & response 14 ENABLE ADVANCED AUDIT LOGS Public READY? DONE? FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT START POWERSHELL AS ADMIN1 Set-ExecutionPolicy RemoteSigned2 $UserCredential = Get-Credential3 NO MFA! $Session = New-PSSession – ConfigurationName Microsoft.Exchange – ConnectionUri https://outlook.office365.com/powershell- liveid/ -Credential $UserCredential – Authentication Basic -AllowRedirection 4 Import-PSSession $Session5 CHECK STATUSGet-Mailbox ”myname"| FL Audit*6 CHECK STATUS FOR ALL USERS Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit* 7 ENABLE LOGS FOR ALL USERS Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true 8 BY DEFAULT ONLY UPDATEFOLDERPERMISSION IS ENABLED FOR NORMAL USERS. 9
  • 15. {elysiumsecurity} cyber protection & response 15 ENABLE ADVANCED AUDIT LOGS Public Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set- Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete ", " Create", "Move", "MoveToDeletedItems"} https://support.office.com/en-us/article/enable-mailbox-auditing-in-office-365- aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Step-by-step_instructions FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT 10
  • 16. {elysiumsecurity} cyber protection & response 16 ADVANCED THREAT PROTECTION Public OFFICE 365 ADVANCED THREAT PROTECTION $2 user/month FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 17. {elysiumsecurity} cyber protection & response 17 ADVANCED THREAT PROTECTION Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 18. {elysiumsecurity} cyber protection & response 18 CREATE ATP POLICIES Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 19. {elysiumsecurity} cyber protection & response 19 CREATE ATP POLICIES Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 20. {elysiumsecurity} cyber protection & response 20 DISABLE OWA BY DEFAULT Public FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 21. {elysiumsecurity} cyber protection & response 21 REGULAR LOGS REVIEW Public LOOK FOR UNUSUAL ACTIVITIES AND IP SOURCE FOR KEY USERS FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 22. {elysiumsecurity} cyber protection & response 22 LIMITATION Public POTENTIAL TIMEZONE DIFFERENCE OF THE SERVER CLOUD ENVIRONMENT MEANS NO FULL ACCESS TO RAW DATA INFORMATION LIMITATION WEB REPORTS BUGS ENABLE AUDIT LOGS (Not a default option!) NO OFFLINE LOGS BACKUP FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 23. {elysiumsecurity} cyber protection & response 23 WHERE TO START Public https://protection.office.com https://portal.office.com/adminportal https://portal.azure.com USE A GOBAL ADMIN ACCOUNT OR PROVIDE ENOUGH ROLES/RIGHT TO YOUR INVESTIGATION ACCOUNT -> SECURITY & COMPLIANCE -> REPORT DASHBOARD -> SEARCH & INVESTIGATION FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 24. {elysiumsecurity} cyber protection & response 24 WHAT TO LOOK FOR? Public MAIL FORWARDING RULES ADMIN CENTERS -> EXCHANGE -> MAILBOXES -> Select mailbox / double click -> mail box feature -> mailflow -> view details Not part of the Audit Logs! AUDIT SEARCH FILTER INTERESTING KEYWORDS UserLoggedIn New-Inboxrule Set-InboxRule Set-Mailbox IP ADDRESS AND IMPOSSIBLE LOGINS SUSPICIOUS ACTIVITIES SUSPICIOUS DATE AND TIME FORENSICS ADVANCED SECURITY BASIC SECURITYRISKSCONTEXT
  • 25. {elysiumsecurity} cyber protection & response A LOT OF THE TIPS DISCUSSED TODAY COME FROM THE EXCELLENT “FORENSIC LUNCH” SHOW: https://www.youtube.com/watch?v=WgRxPCofIrA Presentation starts at 15 minutes in Devon Ackerman “Forensically sound incident response in Microsoft’s Office 365” HIGHLY RECOMMENDED!
  • 26. {elysiumsecurity} cyber protection & response © 2018 ElysiumSecurity Ltd. All Rights Reserved www.elysiumsecurity.com ElysiumSecurity provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare and respond to incidents as well as raise security awareness through an organization. ElysiumSecurity provides high level expertise gathered through years of best practices experience in large international companies allowing us to provide advice best suited to your business operational model and priorities. ABOUT ELYSIUMSECURITY LTD. ElysiumSecurity provides a portfolio of Strategic and Tactical Services to help companies protect and respond against Cyber Security Threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. Operating in Mauritius and in the United Kingdom, our boutique style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.