I recently joined Vectra CMO Jennifer Geisler for an inside look at the recent spotlight report: Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365. We wanted to peel back some of the layers of the report and really get into what a threat detection truly means, what makes detecting threats so challenging, and how organizations can create vision and visibility to help measure whether or not their security approach is successful. If you didn’t catch the webinar, don’t worry—you can watch or listen to it on demand, and you can still download the report as well.
The report details the most frequent threat detections Vectra customers see and use to help confirm attacks across Microsoft Azure AD and Office 365. Not all of the detections are malicious; however, customers receive all of them because of infrequent behavior that is determined to be either abnormal or unsafe across these cloud platforms. You’ll get a look at how the detections measure up based on company size, what each could mean in terms of potential attack activity, and how the detections would map back to a real-life supply chain attack.
While the report offers insightful data and research, it can also be a helpful resource for security teams that are establishing vision and visibility—we were able to take all of those areas a step further during the webinar. One of the questions that came up was, “what makes threat detection so challenging?”
I wish there was a simple one-line answer for this, but that question has to go back to actionability. You have to first define what is actually considered a threat. Is it an exploit, a compromise or unusual activity? Then, if you’re going to capture threats, you should have the ability to identify something that isn’t obvious because today’s adversaries are getting crafty and much less obvious with their motions. As you’ll see in the spotlight report, adversaries take actions towards their goals that look very similar to authorized user activity—not only do you need to be able to detect that, but also apply the necessary remediation and response against it.
It might go without saying, but the fact that we now have Top 10 threat detection data available for these popular Microsoft services is a testament to just how many organizations are using these platforms. Microsoft has over 250 million Office 365 paid seats, and there’s certainly a good reason for this—the tool is incredibly valuable, especially in terms of keeping a remote workforce connected and productive. It just so happens that cybercriminals are taking notice of the large audience, which makes detecting their behavior more important than ever. Below you can see a snapshot of the top 3 threat detections.
It’s like when the notorious bank robber Willie Sutton was asked why he kept robbing banks. He said, “that’s where the money is.”
We cover why attacker behavior is heading towards the cloud along with which threat detections carry the most potential for attack behavior—like why an O365 Risky Exchange Operation detection could mean an adversary is disabling protections and exfiltrating data. We’ll show you why the idea that you can stop a bad actor no longer works, and how you can think about measuring success—by actually knowing what’s going on in your environment.
Tim Wade brings over fifteen years of security engineering and operational experience to his role as the Technical Director of Vectra’s Office of the CTO, and is a firm advocate of privacy, fairness, liberty and protection for individuals in the digital age. Over the course of his career he’s crossed through both the federal and private sectors, including decorated service as a member of the U.S. Air Force, and most recently as the Head of Application and Information Security in an EdTech sector enterprise. Tim holds an M.S. in Computer Science from the University of Southern California and maintains industry credentials issued by Offensive Security and (ISC)2.