
In this blog, Peter Holland explains why Intrusion Detection is vitally important and why Microsoft’s solutions within Azure and Office 365 are not the intruder’s friend.

What is Intrusion Detection?

Not long ago, most organisations considered intrusion detection something to do with identifying an external party illegitimately connecting to internal systems and resources. The network security team would be alerted to the intruder by logs from firewalls, VPN, or other access endpoints.

Screen shot of logs from Forefront Mgt Gateway
In reality, intrusion detection has always been a lot more than this. At a base level, intrusion detection is really the ability to detect, report, and facilitate remediation of access to corporate systems, services, and resources by unauthorised or illegitimate users.
This includes the most common method of intrusion: using valid organisation account credentials to access the resources for which that account has permission. User identity has thus become the perimeter of the organisation. Breach a user's identity and you can access everything they can.

What the cynics say

“Hey, someone can look at documents, memos and things that the receptionist has.”
In some circles, there is a perception that only users with minimal access privileges are susceptible to having their credentials stolen, so when an intruder gets in they can't access anything of importance.

So why is it important?

Intruders often use the most powerful tool within the hacker’s toolset – social engineering.
Breaching a low-level account, such as a receptionist or other user with minimal access to business critical resources, provides an ideal launch pad to rapidly gain the “keys to the kingdom”.

For example, once such an account is breached, intruders can query the organisation directory and address book and identify the access methods available to all users. From the address book they can identify high-privilege (admin) accounts and VIP users, who can then be sent internal messages laced with malware or other exploit payloads. They may also upload exploit and malware-laden files to shared storage areas, for instance in place of a weekly bulletin document.

In all honesty, how likely is it that your VIPs will refuse to open an email, IM, calendar appointment or internal document link sent from an internal account with a relevant description and a plausible request?

• “Hi boss, just looking at the process for the project kick-off for that new marketing campaign, can you look over the details?”
• “Hi, how many people were coming to the department meeting on Thursday again? Can you check the attached refreshments order is correct?”

Remember, the average time an intruder has to poke around, learn your internal systems, staff, processes and secrets, and obtain copies of confidential data, has been reported at in excess of 100 days. That is plenty of time to craft convincing messages.

How do we differentiate the actions of an intruder from those of genuine users?

Leaving this just to humans is not practical. This sort of differentiation does not come naturally to most human minds. Instead you need the input of some significant machine learning and data intelligence resources, with the ability to consume massive amounts of data, analyse the day to day behaviour of users, and spot things that are out of the ordinary.

So how can Microsoft Azure and Office 365 help?

Thankfully, Office 365 and Azure provide some genuinely impressive capabilities, applying machine learning to the unending stream of data about user activity within Office 365 to help you detect and deal with intruders.

Screen shot of Microsoft Azure AD Dashboard showing users flagged for risk

For example, behaviour analytics raises alerts on unusual behaviour such as a user signing in from an unfamiliar location, connecting from widely separated geographical locations within a timescale in which no real travel is possible, or accessing resources they have shown no previous interest in.
Further functions flag when a user uses the permissions they already hold to try to escalate them, for example by modifying permission assignments.
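To make the first two of those signals concrete, here is an added example (not Microsoft's code and not part of the original post) that applies the same reasoning to a handful of sign-in records: an "impossible travel" check that compares consecutive sign-ins of the same user and flags pairs whose implied speed no real traveller could achieve, and an "unfamiliar location" check against a per-user baseline of previously seen countries. The sign-in records, the IP addresses (taken from the documentation ranges), the country baseline and the 900 km/h threshold are all constructed for illustration.

```python
"""Impossible-travel and unfamiliar-location checks over sign-in records.

Added example, not Microsoft's code: the events, baseline and threshold
below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List, Set, Tuple

# Assumption: nothing a user does legitimately moves them faster than a
# long-haul airliner, so an implied speed above this is "impossible travel".
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    """One sign-in event, roughly the fields a directory sign-in log carries
    (user, time, source IP, resolved location)."""
    user: str
    when: datetime
    ip: str
    country: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0  # mean Earth radius
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events: Iterable[SignIn],
                      max_kmh: float = MAX_PLAUSIBLE_KMH
                      ) -> List[Tuple[SignIn, SignIn, float]]:
    """Return (earlier, later, implied_kmh) for consecutive sign-ins of the
    same user that would require travelling faster than max_kmh."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    alerts: List[Tuple[SignIn, SignIn, float]] = []
    for user_events in by_user.values():
        user_events.sort(key=lambda e: e.when)
        for prev, cur in zip(user_events, user_events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < 1.0:  # same place (address churn within a city): ignore
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Two distant locations at the same instant cannot be travel at all;
            # treat the implied speed as infinite instead of dividing by zero.
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > max_kmh:
                alerts.append((prev, cur, kmh))
    return alerts


def unfamiliar_locations(events: Iterable[SignIn],
                         baseline: Dict[str, Set[str]]) -> List[SignIn]:
    """Return sign-ins from a country the user has no history of. A real
    system learns the baseline from past logs; here it is supplied directly."""
    return [e for e in events if e.country not in baseline.get(e.user, set())]


def utc(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MMZ' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# Constructed sample log: Alice appears in London and Singapore 45 minutes
# apart, Bob travels Manchester to London, Carol signs in from a new country.
SAMPLE = [
    SignIn("alice", utc("2019-03-04T08:02Z"), "192.0.2.10", "GB", "London", 51.5074, -0.1278),
    SignIn("alice", utc("2019-03-04T08:47Z"), "203.0.113.7", "SG", "Singapore", 1.3521, 103.8198),
    SignIn("alice", utc("2019-03-05T09:00Z"), "192.0.2.10", "GB", "London", 51.5074, -0.1278),
    SignIn("bob", utc("2019-03-04T09:00Z"), "198.51.100.5", "GB", "Manchester", 53.4808, -2.2426),
    SignIn("bob", utc("2019-03-04T12:30Z"), "192.0.2.44", "GB", "London", 51.5074, -0.1278),
    SignIn("carol", utc("2019-03-04T10:15Z"), "203.0.113.99", "NG", "Lagos", 6.5244, 3.3792),
]

# Constructed baseline: countries each user has previously signed in from.
BASELINE = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE):
        minutes = (cur.when - prev.when).total_seconds() / 60
        print(f"{cur.user}: {prev.city} -> {cur.city} in {minutes:.0f} min "
              f"implies {kmh:,.0f} km/h")
    for e in unfamiliar_locations(SAMPLE, BASELINE):
        print(f"{e.user}: first sign-in from {e.country} ({e.city}, {e.ip})")
```

Run as a script, the impossible-travel check flags only Alice's London to Singapore pair (about 10,850 km in 45 minutes); her return to London a day later implies under 450 km/h and passes, as does Bob's 262 km in three and a half hours. The baseline check flags Alice's Singapore sign-in and Carol's Lagos sign-in. The cloud services do the same kind of work, but with a learnt baseline per user and over far more than six records.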

Screen shot of Windows Defender Security Center Investigation flow chart

Current and forthcoming functionality even includes automated remediation: once a defined warning or alert level has been breached, the user can be prevented from authenticating until they have changed their password, or can be forced to present additional authentication factors. In Office 365, emails that are found after delivery to contain a malicious attachment or link can be located automatically and removed from the mailboxes of all recipients.

Video: Announcing Windows Defender Advanced Threat Protection

The protection services within Office 365 and Azure don’t just match the legacy vision of intrusion detection, they really take the enterprise to the next level, facilitating greater trust and flexibility of working whilst dynamically raising the security bar.

How can Silversands help?

We understand the importance of getting to the heart of the matter and talking to the right person with a clear agenda. We are offering a complimentary 1-2-1 Skype session with one of our top specialists in this field. This will give you an opportunity to ask any questions that this blog raises or start a conversation about how to get the best out of Microsoft’s Intrusion Detection capabilities.

Tap into our expertise at one of our events

We run regular events where our consultants share the latest in Microsoft developments. They also help the audience address some of the current challenges they face. So please do join us.

View forthcoming events
