Blog IDECSI

Optimise your SIEM with the right Microsoft 365 alerts

Written by Mona Piquet | Jun 6, 2019 12:08:00 PM

In this age of cloud and collaboration, fighting digital threats demands a high budget. Tools such as the Office 365 suite, combined with new user behaviours, put additional pressure on CISOs and security teams by forcing them to manage an impossible and ever-increasing amount of data.

The risks associated with Microsoft 365 

The strength of collaboration tools is simultaneously their security weakness. The paradox is such that exploiting the tools to their maximum encourages actions that can jeopardize security: broad access to files or mailboxes, configuration changes, creation of automatic rules (such as email transfer), updated permissions, and much more. 

The risks for the company are real, often invisible and frequently complex for security teams, ranging from

  • an external intrusion into the platform via email fraud or a phishing campaign
  • an internal employee abusing rights (accessing confidential files, unauthorised access to a mailbox)
  • to sharing between different users and groups.

Share, synchronise, access, configure... so many commonplace operations performed daily by hundreds and thousands of employees. How can your security tools or SIEM quickly identify the real threats?

Classify alerts according to the level of risk 

It is critical to know where the vulnerabilities are located, in order to report the "right alerts". The level of risk is related to several factors:  

  • The user’s behaviour, their different permissions, their way of working and habits (business travel, assistant, smartphone, …).
  • The content of the resources: more or less sensitive or confidential data.
  • Applications such as SharePoint, Messaging, OneDrive, and Microsoft Teams have many sophisticated features and settings. Some actions have a global impact (e.g. message flow rules). It’s necessary to identify potentially dangerous actions when they happen.

To identify the right alerts in their SIEM, IDECSI allows security managers to manage Office 365 risks based on  

  • their internal needs  
  • the use cases provided by IDECSI's expertise. 

Focus on "high-risk alerts" 

The IDECSI platform acts as an Office 365 preprocessor to the SIEM, based on expert knowledge of Office 365 and its applications. IDECSI alerts as soon as suspicious or potentially dangerous behaviour is detected (new access, change of configuration, suspicious sharing, etc.). For highly accurate and personalised detection, IDECSI establishes a profile for the normal use of the protected resource, through an automated learning phase.

IDECSI's technology correlates all relevant factors to assess risk: the user’s normal behaviour, the action taken, its context (geolocation, schedule, connection protocol, etc.), and the application concerned (what could the impact be?).

Thanks to automatic learning and personalized protection, only genuine issues are alerted and reported to the security team – in real time. 

MyDataSecurity

The MyDataSecurity dashboard is a component of the IDECSI platform that acts as a personal SIEM. Each user can view, through a mobile or web interface, the list of people who access their resources (inbox, libraries, ...) or who have the rights to access them. If the alerting function is activated, the user will be able to receive notifications of suspicious behaviour (as configured by the security team).
The user can indicate if the alert is a breach or instead corresponds to a new acceptable use case. In the case of a legitimate operation, the user’s profile is automatically updated. In the case of a breach, the information is immediately forwarded to the security team.

This reduces false positives and allows constructive communication with the user and efficient event management.
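The risk correlation described in the previous section (normal behaviour, action, context, application) and the user qualification loop above, as an added illustration that is not IDECSI's code: a baseline profile is learned per user, each event is scored from context deviation plus action impact, and a user answering "legitimate" extends the profile while a "breach" answer is escalated. The simplified event shape, the weights and the domains are assumptions made for this example.

```python
# Weights are an assumption chosen for illustration, not IDECSI's own values.
DEVIATION = {"Country": 2, "Hour": 1, "Protocol": 1}
IMPACT = {"New-InboxRule": 3, "Set-TransportRule": 4, "SharingSet": 2,
          "AnonymousLinkCreated": 3, "Add-MailboxPermission": 3}
ALERT_THRESHOLD = 3
INTERNAL_DOMAIN = "example.com"  # constructed tenant domain
def learn(events, profiles=None):
    """Learning phase: record each user's usual country, hour and protocol."""
    profiles = {} if profiles is None else profiles
    for e in events:
        p = profiles.setdefault(e["UserId"], {k: set() for k in DEVIATION})
        for key in DEVIATION:
            p[key].add(e[key])
    return profiles

def score(event, profiles):
    """Correlate context deviation with action impact; return (score, reasons)."""
    p = profiles.get(event["UserId"], {})
    total, reasons = 0, []
    for key, weight in DEVIATION.items():
        if event[key] not in p.get(key, set()):
            total += weight
            reasons.append(f"unusual {key.lower()}")
    if event["Operation"] in IMPACT:
        total += IMPACT[event["Operation"]]
        reasons.append("high-impact action")
    forward = event.get("ForwardTo", "")
    if forward and not forward.endswith("@" + INTERNAL_DOMAIN):
        total += 3
        reasons.append("forwarding outside the organisation")
    return total, reasons

def is_alert(event, profiles):
    """Only events at or above the threshold are forwarded to the SIEM."""
    return score(event, profiles)[0] >= ALERT_THRESHOLD

def feedback(event, profiles, legitimate):
    """User qualification: legitimate use extends the profile, a breach is escalated."""
    if legitimate:
        learn([event], profiles)
        return "profile updated"
    return "escalated"

# Constructed sample events in a simplified audit-log shape (not real log data).
BASELINE = [{"UserId": "alice@example.com", "Operation": "MailItemsAccessed",
             "Country": "FR", "Hour": h, "Protocol": "OWA"} for h in range(9, 18)]
RULE_EVENT = {"UserId": "alice@example.com", "Operation": "New-InboxRule", "Country": "FR",
              "Hour": 11, "Protocol": "OWA", "ForwardTo": "someone@example.net"}
TRAVEL_EVENT = {"UserId": "alice@example.com", "Operation": "FileAccessed",
                "Country": "NG", "Hour": 3, "Protocol": "Browser"}
```

Note that the forwarding rule scores high even though its context is entirely normal: the action's impact, not only the deviation, decides whether an event reaches the security team.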

Safety, efficiency and profitability

This approach allows security managers to monitor the entire Office 365 estate while optimising the management of daily events and risks.

IDECSI collects and analyses logs without ever having access to the email or document content. The platform provides the most relevant and reliable information, which can be directly qualified by the user, ensuring that the security team only processes events relating to real issues.