What do you mean 90 days isnt enough
•Download as PPTX, PDF•
0 likes•333 views
Slides from my session at the European Collaboration Summit on options for extending the 90 days audit period in Office 365.
Recommended
More Related Content
Similar to What do you mean 90 days isnt enough
Similar to What do you mean 90 days isnt enough (20)
More from Paul Hunt
More from Paul Hunt (15)
Recently uploaded
Recently uploaded (13)
What do you mean 90 days isnt enough
- 1. WHAT DO YOU MEAN 90 DAYS AUDIT ISN’T ENOUGH? Paul Hunt MVP O365 Apps & Services Trustmarque
- 3. ♡ DIAMOND AND PLATINUM SPONSORS ♡
- 4. Who am I?
- 5. Who am I?
- 6. Agenda • Why do we need Audit? • What do we get out of the box? • What can I do with the Microsoft Stack? • What can I build myself? • What Third parties can do this for me?
- 7. What’s the point of auditing? “If I were to run, I’d run as a republican. They’re the dumbest group of voters in the country. They believe anything on Fox News. I could lie and they’d still eat it up. I bet my numbers would be terrific” Donald Trump – People Magazine 1988
- 8. What’s the point of auditing? •People magazine keep every copy of every magazine that has been printed. •There was no record of a 1998 interview. •No article printed in the 80s or 90s contain mention of the Republican party in articles about Donald Trump.
- 9. What’s the point of auditing? When King Leonidas and the 300 Spartans took on the Persian army at the battle of Thermopylae, they believed that they could hold their ground due to the mountain’s impenetrable walls.
- 10. What’s the point of auditing? They forgot about the goat paths! The Persian army snuck in behind their defences and surrounded them, defeating the Spartans.
- 11. What’s the point of auditing? Employee behaviours and needs are potentially your goat paths. • Demand for agility • Lack of awareness • Phishing e-mails • Unsecured networks • Poor storage of sensitive data • Malicious attack
- 12. But we can help to protect against a lot of this!
- 13. Assume Breach!
- 15. Sobering stats UK Gov – Cyber Security Breaches Survey 2018 123 days.
- 16. 123 days.
- 17. O365 Log Retention Period 90 Days Retention
- 18. O365 Log Retention Period 90 Days Retention 365 Days Retention
- 19. **Assuming mailbox auditing is enabled!
- 20. *Azure logs have lower latency for AD logs!
- 21. What’s wrong with Office 365 auditing? • 90 days retention isn’t enough • The search interface isn’t brilliant (and it’s now hidden away (in some tenants!)!).
- 22. Do What are the options?
- 23. • Doing nothing – Out of the box audit • D.I.Y – using the Management Activity API • Azure Log Analytics • Additional services MCAS & Sentinel • Third Party Options What are the options?
- 24. • Doing nothing - The Office 365 Audit Log
- 25. DIY – Extracting data using APIs Office 365 Management Activity API Supports: Audit.AzureActiveDirectory Audit.Exchange Audit.SharePoint Audit.General DLP.ALL http://bit.ly/O365ManagementAPI
- 26. DIY – Extracting data using APIs Pull ModelPush Model • Requires subscription • On demand, request a list of available blobs. • Process blobs to extract data. • Save data somewhere • Can run as a timer job or Azure Runbook. • Requires subscription • Requires Webhook & Validation • On Notification, a list of available blobs is downloaded • Process blobs to extract data • Save data somewhere
- 27. DIY – Considerations • Webhooks – Must be responsive • Manage throttling • Where to put the data? Azure SQL, On-prem? • How to consume the data? • Can monitoring be automated? • Cost of development on top of storage. • Option to apply business logic to reduce storage need. • Limited to the O365 APIs.
- 28. • Extracting Audit Log data using the API
- 29. Microsoft Azure Options •Everything begins with Log Analytics (Used to be OMS) • Once a Log Analytics workspace has been created • Add Office 365 Management Solution • Configure App Permissions • Run some PowerShell to subscribe**** http://bit.ly/Office365ManagementSolution •But easier to configure in Azure Sentinel! • One click..ish • And free ingestion of Office 365 data!
- 30. • Examining the Azure options
- 31. Azure – Considerations • No real control over what is stored, only ingestion/retention period. • Confusing number of options & price plans (Log Analytics, CAS, Sentinel) & limited to 730 days. • Powerful query capability. • Additional sources (Azure AD, Azure Identity Protection). • Automated alerting. • Potential for Case Management and intelligent SIEM.
- 32. Third Party Options • A number of available providers of Audit & SIEM systems exist.
- 33. Vendor O365 Audit Log (via API) Azure events via Event Hub On-prem / Cloud Third Party Options
- 34. Transvault
- 35. Syskit – Security Manager
- 36. • Looking at Transvault
- 37. Third Party – Considerations • May be limited to what is available through the Office 365 Rest APIs. • Some SIEM systems allow additional export from Azure using Eventhubs. • Variety of cost/licensing options. • Variety of retention options and costs. • Potential to extract alert data from MCAS to SIEM systems.
- 38. JUST HOW IMPORTANT IS RETENTION TO YOU?
- 39. 123 days.
- 40. System Log Type Retention Period Office 365 Audit log 90 days* Azure AD Audit log Sign-ins Azure MFA usage 30 days** Azure Identity Protection User at Risk Risky Sign-ins 30 days (AAD P1)** 90 days (AAD P2) Log Analytics Any streamed logs 30-730 days*** Azure Sentinel (Preview) Office 365 Azure AD Azure IP Others… Driven by log analytics*** Cloud App Security Activity Log Discovery Data Alerts 180 days 90 days 180 days Transvault Office 365 1-3 Years**** Hubstor Office 365/Azure Event Hub Unlimited IBM/Splunk Office 365/Azure Event Hub Not known. Syskit Office 365 Unlimited
Editor's Notes
- We can build out mountain walls, but we also need to pay attention to the goat paths. Look at DLP and AIP to protect the data rather than the perimeter. Look at MCAS/ATP and other automated monitoring systems
- But to be properly protected, we need to take an Assume Breach mindset. When not If.
- For this session, we’re not looking too deeply at Threat Investigation. But we do need to understand how retention affects your abilities to detect and investigate.
- Stats from UK Gov – Cyber Security Breaches Survey 2018
- Stats from UK Gov – Cyber Security Breaches Survey 2018
- Coming into preview shortly will be 365 days retention for M365 and O365-E5 subscriptions. (Currently Private Preview only!) Also with the Advanced Compliance Add-on license (in conjunction with E3 or EXO P1. https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Updates-to-Advanced-Data-Governance-Unified-labeling-analytics/ba-p/261876 https://docs.microsoft.com/en-gb/office365/securitycompliance/search-the-audit-log-in-security-and-compliance – For sign up link to Private Preview
- Exactly what can we audit in Office 365? Note: Exchange Mailbox Auditing should now be defaulted to on Unless previously configured or disabled Tenant wide.
- The search interface doesn’t include all actions (E.g. List item actions) Not even sure 365 days is enough?
- At what cost? If we’ve suffered a breach, how do we investigate. If a breach is discovered, is being able to audit up to 90 days enough to protect your reputation? A client of mine who suffered a breach was unable to identify who was affected, so they had to inform ALL of their client base.
- Searching the Log – “Audit Test C” Setting up an Audit Alert Searching Docs – Audit Text C – Credit License Changes – Group Based Versus Direct Can’t search for list item updates (but they appear when nothing is selected)
- https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference
- Webhooks have a minimum time to respond. Especially during setup Costs of storage How to consume.. Audit is no good if it isn’t viewed.
- Used to be part of operations Management Suite but was split out. ****Needs an AppId configuration - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solution-office-365 There’s a bug in the script to Subscribe… read the closed issues as the first one has the updated script.
- Log analytics
- SIEM = Security Information and Event Management
- Transvault – SaaS on Transvault storage Syskit – On-prem or Azure – Your storage Hubstore – SaaS on theirs or your own Azure instance. IBM (Qradar) – On-prem/SaaS options Splunk – On-prem/SaaS options
- Webhooks have a minimum time to respond. Especially during setup Costs of storage How to consume.. Audit is no good if it isn’t viewed.
- Close out..back to 123!
- Stats from UK Gov – Cyber Security Breaches Survey 2018
- *Office 365 E5 users will go to 365 days later this year. **Assumes AD Premium (else 7 days) Option to auto export Azure AD to Azure Storage *** Ingestion and retention charges will apply beyond basic included coverage. Note Azure Sentinel is in preview and costs are not fully known. **** Transvault are considering higher limits.