I recently joined Vectra CMO, Jennifer Geisler for an inside look at the recent spotlight report: Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365. We wanted to peel back some of the layers of the report and really get into what a threat detection truly means, what makes detecting threats so challenging and how organizations can create a vision and visibility to help measure whether or not their security approach is successful. If you didn’t catch the webinar, don’t worry—you can download the report.
The report details the most frequent threat detections Vectra customers see and use to help ratify attacks across Microsoft Azure AD and Office 365. Not all of the detections are malicious, however, they are all received by customers due to infrequent behavior that is either determined to be abnormal or unsafe across these cloud platforms. You’ll get a look at how the detections measure up based on company size, what each could mean in terms of potential attack activity and how the detections would map back to a real-life supply chain attack.
While the report offers insightful data and research, it can also be a helpful resource for security teams that are establishing vision and visibility—we were able to take all of those areas a step further during the webinar. One of the questions that came up was, “what makes threat detection so challenging?”
I wish there was a simple one-line answer for this, but that question has to go back to actionability. You have to first define what is actually considered a threat. Is it an exploit, a compromise or unusual activity? Then, if you’re going to capture threats, you should have the ability to identify something that isn’t obvious because today’s adversaries are getting crafty and much less obvious with their motions. As you’ll see in the spotlight report, adversaries take actions towards their goals that look very similar to authorized user activity—not only do you need to be able to detect that, but also apply the necessary remediation and response against it.
It might go without saying, but the fact that we now have Top 10 threat detection data available for these popular Microsoft services is a testament to just how many organizations are using these platforms. Microsoft has over 250 million Office 365 paid seats, and there’s certainly a good reason for this—the tool is incredibly valuable, especially in terms of keeping a remote workforce connected and productive. It just so happens that cybercriminals are taking notice of the large audience, which makes detecting their behavior more important than ever.
The top 3 threat detections
1. O365 Risky Exchange Operation
Abnormal Exchange operations have been detected that may indicate an attacker is manipulating Exchange to gain access to specific data or further attack progression.
2. Azure AD Suspicious Operation
Abnormal Azure AD operations have been detected that may indicate attackers are escalating privileges and performing admin-level operations after regular account takeover.
3. O365 suspicious Download Activity
An account was seen downloading an unusual number of objects which may indicate an attacker is using SharePoint or OneDrive download functions to exfiltrate data.
It’s like when the notorious bank robber Willie Sutton was asked why he keeps robbing banks. He said, “that’s where the money is.”
We cover why attacker behavior is heading towards the cloud along with which threat detections carry the most potential for attack behavior—like why an O365 Risky Exchange Operation detection could mean an adversary is disabling protections and exfiltrating data. We’ll show you why the idea that you can stop a bad actor no longer works, and how you can think about measuring success—by actually knowing what’s going on in your environment.
We hope you enjoy the discussion and find the Spotlight Report useful as well.