
Security

07 May 2019

Optimise your SOC with distributed detection in Microsoft 365

The SOC team

Today, the number of events related to the Office 365 environment is effectively unlimited. IT teams are already saturated and security teams under-staffed in the face of this growing threat. The Security Operations Centre (SOC) is responsible for securing information – and this information is the core of Office 365’s communication and collaboration tools.


The limits of the SOC in the context of Office 365

If the SOC had to analyse every unusual event generated by the Office 365 environment, it would be unmanageable. Consider only events such as a new device or connection from a new IP address – and then multiply this by the number of employees. This gives an idea of the number of events to manage on a daily basis – and yet there is obvious interest in tracking these events as potential threat vectors. And now add in all other important events…

Contextualization and responsiveness are two essential components of a SOC. However, with current security methods and tools, it is almost impossible to react quickly to Office 365 events. As a result, for lack of visibility, these thousands of operations can jeopardize the integrity of the entire information system. The difficulty lies in distinguishing what is fraudulent, malicious or illegitimate from what is usual, normal or unthreatening in the life of an organization.

If a person in the company accesses a sensitive file, is it legitimate? Are SOC resources well aware of the sensitive issues related to Office 365? Do more exposed people (executives, privileged account holders) receive more attention?

Solving Office 365 security issues is a major challenge for the information system. How can Office 365 threats be detected and responded to effectively in this environment?


Distributed detection for Office 365

Given the volume of operations in Office 365, the SOC will not be able to absorb and manage every alert that a SIEM may identify. To process these issues and risks, it is necessary to change the relationship between security and the rest of the company and gain in efficiency. The user must play a key role.

Detecting a compromise in the information system is a good start. We then need the user to participate in the management of non-threatening cases. The user should automatically receive reports of who is accessing their account or files. They can follow their own security and notify the security team in case of abnormal or malicious events.

At the same time, Security decides what to monitor and prioritizes alerts according to risk and context. Alerts or reports are sent directly to those who have the information and/or need the information as part of their job. This allows:

  • Users to become autonomous in the management of their own account and access to information
  • Administrators to visualize and control the configuration of Office 365
  • Security to analyze and protect sensitive areas, accounts and people.

Detection becomes collaborative and multiplied, like the Office 365 environment itself.
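To make the routing idea concrete, here is an added illustration (not IDECSI or MyDataSecurity code, and not the Office 365 audit log schema): a small triage engine that scores constructed activity events using the context the text names (privileged accounts, sensitive locations, new devices, access by another account), sends low-risk entries to the account owner's own report, sends configuration changes to administrators, and keeps only high-risk entries in the SOC queue. It also shows the feedback path: when a user reviewing their report flags an entry as not theirs, it is escalated to the SOC. All account names, paths, device ids and thresholds are assumptions for the example.

```python
"""Distributed detection triage for Microsoft 365-style activity events.

Added example, not vendor code. The event shape, the context tables and the
score thresholds are all constructed for illustration.
"""
from dataclasses import dataclass

# Context the security team maintains (constructed assumptions).
PRIVILEGED_USERS = {"cfo@example.com", "admin@example.com"}
SENSITIVE_PATHS = ("/finance/", "/hr/")
KNOWN_DEVICES = {"alice@example.com": {"dev-A1"}, "cfo@example.com": {"dev-C9"}}
SOC_THRESHOLD = 50  # score at or above which the SOC, not the user, handles the case


@dataclass
class Event:
    user: str          # account whose data or session is concerned
    actor: str         # account that performed the action
    kind: str          # "login", "file_access" or "config_change"
    device: str = ""
    ip: str = ""
    path: str = ""


@dataclass
class Decision:
    route: str         # "user", "soc" or "admin"
    score: int
    reasons: list


def score_event(ev: Event) -> Decision:
    """Score one event from its context and decide who should see it first."""
    if ev.kind == "config_change":
        # Configuration changes go to administrators who can verify them.
        return Decision("admin", 70, ["configuration change"])
    score, reasons = 0, []
    if ev.kind == "login" and ev.device not in KNOWN_DEVICES.get(ev.user, set()):
        score += 20
        reasons.append("new device")
    if ev.kind == "file_access" and ev.path.startswith(SENSITIVE_PATHS):
        score += 30
        reasons.append("sensitive location")
    if ev.actor != ev.user:
        score += 30
        reasons.append("performed by another account (delegation or compromise)")
    if ev.user in PRIVILEGED_USERS or ev.actor in PRIVILEGED_USERS:
        score += 30
        reasons.append("privileged account involved")
    route = "soc" if score >= SOC_THRESHOLD else "user"
    return Decision(route, score, reasons)


def triage(events):
    """Build per-recipient queues: each user gets their own low-risk entries,
    administrators get configuration changes, the SOC gets high-risk cases."""
    queues = {"soc": [], "admin": []}
    for ev in events:
        d = score_event(ev)
        key = ev.user if d.route == "user" else d.route
        queues.setdefault(key, []).append((ev, d))
    return queues


def user_flags(queues, user, index):
    """The account owner, reviewing their report, marks an entry as abnormal:
    it leaves their queue and is escalated to the SOC with their verdict."""
    ev, d = queues[user].pop(index)
    escalated = Decision("soc", max(d.score, SOC_THRESHOLD),
                         d.reasons + ["flagged by account owner"])
    queues["soc"].append((ev, escalated))
    return escalated


# Constructed sample activity, not real audit data.
SAMPLE_EVENTS = [
    Event("alice@example.com", "alice@example.com", "login", device="dev-A1", ip="203.0.113.5"),
    Event("alice@example.com", "alice@example.com", "login", device="dev-B2", ip="198.51.100.9"),
    Event("bob@example.com", "alice@example.com", "file_access", path="/marketing/plan.docx"),
    Event("cfo@example.com", "alice@example.com", "file_access", path="/finance/budget.xlsx"),
    Event("admin@example.com", "admin@example.com", "config_change"),
]

if __name__ == "__main__":
    q = triage(SAMPLE_EVENTS)
    for recipient, entries in q.items():
        for ev, d in entries:
            print(f"{recipient:20} score={d.score:3} {ev.kind:13} {', '.join(d.reasons)}")
    # Alice reviews her report and flags the login from the unknown device.
    user_flags(q, "alice@example.com", 1)
    print("SOC queue size after user feedback:", len(q["soc"]))
```

Only the cross-account access to a sensitive file on a privileged account reaches the SOC directly; the routine login, the new-device login and the colleague's access to a marketing document go to the account owners, who are best placed to say whether they are normal. The threshold and weights are deliberately simple; in practice they would be tuned by the security team as part of deciding what to monitor.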


MyDataSecurity: the extended arm of the security team

IDECSI has developed a solution that detects in real time any unauthorized or suspicious access in Office 365, along with malicious configuration changes.

Inspired by the way employees actually work, MyDataSecurity allows direct interaction with the user to minimize detection and resolution times on simple and routine cases. Its major advantage: improving the user’s digital experience around security – security becomes a positive experience for the user, without additional constraints.

Distributed detection thus makes it possible to improve operational efficiency within the SOC. The security team focuses on high-risk alerts, optimizing the use of this highly valuable resource.
