Cloud security insights recap
In last week’s security panel discussion, I joined Sarah Armstrong-Smith from Microsoft and Lisa Forte from Red Goat Cyber Security to discuss how the pandemic has affected digital transformation and share how organizations can adapt.
This discussion followed the publication of findings from a recent survey of 1,112 IT security decision makers around the world. The survey asked for their views on the biggest threats facing their Microsoft Office 365 environments and their ability to defend against them. The shift to cloud and the adoption of remote working have heightened the threat of cyberattacks, with four in five security professionals saying that cybersecurity risks have increased in the last twelve months.
During the panel, Sarah remarked, "I think over the last year, many companies have been really challenged with regards to remote working. Many of them weren't set up to be able to work remotely en masse and at scale." A year into the pandemic, however, she says that organizations have shifted from crisis management to a more strategic footing.
Lisa and I doubled down on this sentiment as the conversation touched on returning to physical workplaces, adhering to compliance standards, navigating emerging threats, and more.
Now, let's dig into the information that we didn't get a chance to cover in the discussion.
Microsoft Office 365 and the new cloud landscape
Cloud adoption, and the efficiency and agility it delivers, has been at the head of board discussions for several years now, with cloud capabilities swiftly transitioning from strategic advantage to business necessity.
According to our survey, 97% of IT security decision makers have extended their use of Microsoft Office 365 as a result of the pandemic. As one of the go-to software-as-a-service (SaaS) platforms for business collaboration, this comes as little surprise. In March 2020, Microsoft reported 258 million active users, an increase of more than 70 million from the previous year.
Microsoft Office 365 often forms the basis of an enterprise’s business operations, facilitating almost all data storage and sharing in addition to being the identity provider brokering access to various other SaaS applications. This type of centralization is a boon to both employees and threat actors. Why? Microsoft Office 365 and other cloud environments are far more accessible than a traditional application protected behind a perimeter.
The quick pivot and subsequent surge in Microsoft Office 365 and Azure AD deployments have forced many enterprises to reckon with expanded attack surfaces and isolated workforces that they may not be equipped to effectively monitor and protect. 48% of respondents shared that their top priority is securing Microsoft Office 365. Two further concerns tied at 45% each: 1) the risk of credential abuse leading to account takeovers by unauthorized users, and 2) the ability of attackers to hide their tracks using legitimate Microsoft tools such as Power Automate and eDiscovery. All in all, 71% of Microsoft Office 365 users suffered an average of 7 takeovers of a legitimate user's account within the last year.
Account takeovers, lateral movement, and reconnaissance, oh my!
Compromised Microsoft Office 365 accounts can be exploited to inflict massive damage in a short span of time. Our Spotlight Report on Microsoft Office 365, which investigated more than four million accounts, found that 96% exhibited some sign of lateral movement. High amounts of lateral movement suggest that attackers are quick to access information and begin reconnaissance once they have bypassed perimeter security. Though most of this lateral movement is likely benign, normal user activity, the real challenge is pinpointing the malicious subset. Searching through this noise to discern attacker behavior is resource intensive for a security operations center (SOC), especially without the help of artificial intelligence.
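The two passages above make the same point from different angles: the operations an intruder uses after an account takeover (mailbox rules, forwarding, Power Automate flows, eDiscovery searches) are all legitimate, so the work is separating them from the same operations performed by the people whose job they are. The script below is an added example, not Vectra's code or anything from the survey. It triages a handful of Office 365 Unified Audit Log records by comparing each high-impact operation in a live window against what that user did during a baseline window (countries signed in from, operations already performed). The field names (Operation, UserId, ClientIP, Workload, CreationTime, Parameters) follow the Unified Audit Log schema; the records, the cutoff date, the users and the IP-to-country table are all constructed for the example.

```python
"""Toy account-takeover triage over Office 365 Unified Audit Log records.

Added example, not Vectra's code. Field names follow the Unified Audit Log
schema; the records, users and GEO table below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed IP-to-country lookup standing in for a real GeoIP database.
GEO = {"203.0.113.10": "GB", "203.0.113.11": "GB", "198.51.100.7": "RU", "192.0.2.44": "US"}

# Operations an intruder commonly uses to persist, exfiltrate or hide tracks.
# Every one of them is a legitimate admin or user action, so context decides.
HIGH_IMPACT = {
    "New-InboxRule": "mailbox rule (can forward or silently delete mail)",
    "Set-Mailbox": "mailbox forwarding change",
    "Add-MailboxPermission": "delegated mailbox access",
    "CreateFlow": "Power Automate flow (automated exfiltration)",
    "SearchCreated": "eDiscovery search (bulk data reconnaissance)",
}

# Constructed audit records: baseline activity before CUTOFF, live activity after it.
CUTOFF = datetime(2021, 4, 1)
SAMPLE_RECORDS = [
    {"CreationTime": "2021-03-20T09:00:00", "UserId": "alice@example.com", "Operation": "UserLoggedIn", "ClientIP": "203.0.113.10", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2021-03-20T09:05:00", "UserId": "alice@example.com", "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.10", "Workload": "Exchange"},
    {"CreationTime": "2021-03-25T11:00:00", "UserId": "legal.admin@example.com", "Operation": "UserLoggedIn", "ClientIP": "203.0.113.10", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2021-03-25T11:10:00", "UserId": "legal.admin@example.com", "Operation": "SearchCreated", "ClientIP": "203.0.113.10", "Workload": "SecurityComplianceCenter"},
    {"CreationTime": "2021-03-26T14:00:00", "UserId": "bob@example.com", "Operation": "UserLoggedIn", "ClientIP": "192.0.2.44", "Workload": "AzureActiveDirectory"},
    # Live window: alice signs in from a new country, then sets up persistence.
    {"CreationTime": "2021-04-02T08:00:00", "UserId": "alice@example.com", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.7", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2021-04-02T08:05:00", "UserId": "alice@example.com", "Operation": "New-InboxRule", "ClientIP": "198.51.100.7", "Workload": "Exchange", "Parameters": "Name=.; SubjectContainsWords=invoice; DeleteMessage=True"},
    {"CreationTime": "2021-04-02T09:00:00", "UserId": "alice@example.com", "Operation": "Set-Mailbox", "ClientIP": "203.0.113.11", "Workload": "Exchange", "Parameters": "ForwardingSmtpAddress=smtp:archive@example.net"},
    # Legitimate: the legal admin runs eDiscovery searches as part of the job.
    {"CreationTime": "2021-04-02T10:00:00", "UserId": "legal.admin@example.com", "Operation": "SearchCreated", "ClientIP": "203.0.113.10", "Workload": "SecurityComplianceCenter"},
    # bob has never created a flow before; same country, but new behaviour.
    {"CreationTime": "2021-04-03T16:30:00", "UserId": "bob@example.com", "Operation": "CreateFlow", "ClientIP": "192.0.2.44", "Workload": "MicrosoftFlow"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def build_baseline(records):
    """Per-user sets of countries and operations seen in the baseline window."""
    countries, ops = defaultdict(set), defaultdict(set)
    for r in records:
        countries[r["UserId"]].add(GEO.get(r["ClientIP"], "??"))
        ops[r["UserId"]].add(r["Operation"])
    return countries, ops


def triage(records, cutoff):
    """Return (alerts, suppressed): high-impact operations in the live window,
    each scored against the user's own baseline. A user with no baseline at
    all gets every high-impact operation flagged, which is the safe default."""
    baseline = [r for r in records if parse_time(r["CreationTime"]) < cutoff]
    live = sorted((r for r in records if parse_time(r["CreationTime"]) >= cutoff),
                  key=lambda r: r["CreationTime"])
    known_countries, known_ops = build_baseline(baseline)
    new_country_seen = defaultdict(set)  # user -> countries first seen in the live window
    alerts, suppressed = [], []
    for r in live:
        user, op = r["UserId"], r["Operation"]
        country = GEO.get(r["ClientIP"], "??")
        if country not in known_countries[user]:
            new_country_seen[user].add(country)
        if op not in HIGH_IMPACT:
            continue
        reasons = []
        if country not in known_countries[user]:
            reasons.append(f"from new country {country}")
        elif new_country_seen[user]:
            # The action itself came from a familiar address, but the account
            # signed in from somewhere new earlier in the window.
            reasons.append(f"after sign-in from new country {sorted(new_country_seen[user])}")
        if op not in known_ops[user]:
            reasons.append("operation never seen for this user in baseline")
        if op == "Set-Mailbox" and "ForwardingSmtpAddress" in r.get("Parameters", ""):
            reasons.append("external forwarding configured")
        if reasons:
            alerts.append({"user": user, "op": op, "time": r["CreationTime"],
                           "why": HIGH_IMPACT[op] + "; " + "; ".join(reasons)})
        else:
            suppressed.append((user, op))
    return alerts, suppressed


if __name__ == "__main__":
    found, quiet = triage(SAMPLE_RECORDS, CUTOFF)
    for a in found:
        print(f"ALERT {a['time']} {a['user']} {a['op']}: {a['why']}")
    for user, op in quiet:
        print(f"ok    {user} {op}: matches baseline")
```

Run as a script it flags alice's inbox rule and forwarding change (new country, then a forwarding address set from a familiar one) and bob's first-ever Power Automate flow, while the legal admin's eDiscovery search is suppressed because that operation, from that country, is already in their baseline. The "after sign-in from new country" branch is the important one: once an account has been taken over, the operations that hurt are often performed from an address that looks normal, so the sign-in anomaly has to be carried forward across the session rather than judged event by event.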
Despite this, 76% of respondents remained confident in their ability to detect lateral movement and 79% believed they had good visibility into attacks that bypass preventative security defenses. If breached, a minority of respondents reported that they would need weeks to remediate a compromised account. On the flip side, 64% said they could stop account takeovers within hours or days, and almost 30% said their team could identify and stop account takeovers immediately. Hours, days and weeks are very different outcomes when responding to a threat, which is why a rapid response is vital to contain a compromise as soon as it is detected.
When considering that the average attack dwell time is estimated to be 43 days, an enterprise may not have “weeks” to address a threat. Attacks that achieve long dwell times represent the biggest threat to organizations, particularly if they involve a compromised Microsoft Office 365 account. This perhaps speaks to the 58% of respondents, particularly among directors and C-level executives, who believe the gap between the capabilities of attackers and defenders is widening.
Other key findings from the report include:
Securing your Office 365 and related cloud deployments
Ultimately, unless security investments are made into response capabilities, the gap in security capabilities will grow. The fact that 3 in 4 companies have experienced malicious account takeover attacks highlights the need to track and secure identities as they move from on-prem to the cloud.
With Microsoft Office 365 continuing to play an essential role in holding together business operations, organizations must ensure they have the capabilities to secure their cloud environments. This is a particularly pressing challenge for those organizations that have had to adapt their operations quickly over the last year and may struggle to adapt perimeter-based defenses to the far less tangible boundaries of the cloud. Planning for the inevitability of some adversary foothold, which may include account takeover, should be the lead priority.
At Vectra, we can protect Microsoft Office 365 and Azure AD workloads with our AI-driven network detection and response (NDR) solution, Cognito Detect for Office 365. Cognito can identify and stop attackers operating in your Microsoft Office 365 environment as well as any federated SaaS application using Azure AD. We know that attackers don’t operate in silos, and can track signs of attacker behavior across enterprise, hybrid, data center, IaaS and SaaS, all from a single point of control.
For more information about how your organization can better defend against identity-based attacks on Microsoft Office 365, we share ten steps in the survey eBook.
Keep an eye out for our forthcoming blogs that go into detail about the ways you can prevent and remediate these identity-based attacks. In the meantime, if you'd like to test-drive our solution for Office 365, start your free trial now!
Tim Wade brings over fifteen years of security engineering and operational experience into his role as the Technical Director of Vectra’s Office of the CTO, and is a firm advocate of privacy, fairness, liberty and protection for individuals in the digital age. Over the course of his career he’s crossed through both federal and private sectors, including decorated service as a member of the U.S. Air Force, and most recently as the Head of Application and Information Security in an EdTech sector enterprise. Tim holds a M.S. in Computer Science from the University of Southern California and maintains industry credentials issued by Offensive Security and (ISC)2.