The “Assume Breach Paradigm” seems a bit alarmist and unnecessary you may think. “In fact it’s probably just a way of making our organisation spend more” you might say. It is indeed alarmist, but there is substance behind it and unfortunately I have personal experience of breaches. Hence, my view is that some investment is preferable to the fines and/or reputation and business damage resulting from a security breach. Let me explain how traditional approaches are flawed and alleviate any concerns arising, with a quick introduction to some solutions from Microsoft which mitigate risk.

Why complex password policies aren’t the solution

Attackers most commonly and easily breach security using user account details that have been leaked to, or otherwise obtained by, them. Historically this wasn’t thought to be common and, as a result, most organisations have complex password policies requiring regular user password changes (typically every 30, 60 or 90 days). Yet ironically, this approach delivers the polar opposite of what it is designed to achieve: increased password fatigue!

Password fatigue spells danger

If users only had to contend with your organisation’s logons, the fatigue effect would take a lot longer to kick in. However, users today have on average 3+ digital devices and dozens of services requiring logons with complex password requirements (although typically without frequent change). They know they should have a different password for each, so they create a handful of complex passwords. But they can’t always remember which site uses which password, get themselves locked out and have to reset the password. Yet another new password to remember!

Your user will at some point log into your organisational resources with their Netflix password. Or Facebook, Gmail, dating site; which may not seem horrific. When they use a corporate password to log on to other third-party sites and services, it gets scary, because many of these operate poor account and password storage practices; reversible encryption of password databases (where any protection is applied at all) is commonplace. Furthermore, the frequency of breaches of these services is shocking. If they’re not looking after their customers’ data, they’re probably not practising good security elsewhere.

How intruders move: the anatomy of a breach

So, what happens when an attacker gets account details for one of your users? Surely there are so many details out there that the volume of data to process almost provides a level of safety? Attackers are really upping their game here.

Automated processes are available, which slowly roll through known breached account details, trying them against known identities for organisation users. Believe it or not, they’re even available as cloud-based subscription services! Running on a “slow burn” basis 24x7x365 until they get success, they spread the login attempts out long enough not to trigger account lockouts. As a result they remain under the radar.
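The slow-burn approach described above is exactly what a per-account lockout policy is blind to: no single account ever accumulates enough failures to lock, so the signal only appears when sign-ins are grouped by source address rather than by account. The following Python is an added example (not code from the original post or from Silversands) that runs both views over a small constructed sign-in log: a simulated lockout policy, and a source-centred check that flags an address failing against many distinct accounts inside a window. The log format, thresholds, addresses and account names are all assumed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events, one per line: "timestamp,user,source_ip,result".
# 203.0.113.7 tries a different account roughly every hour (the "slow burn");
# 198.51.100.4 is a legitimate user mistyping a password twice, then succeeding.
SAMPLE_LOG = """\
2018-03-01T00:05:00,alice@example.com,203.0.113.7,failure
2018-03-01T01:10:00,bob@example.com,203.0.113.7,failure
2018-03-01T02:15:00,carol@example.com,203.0.113.7,failure
2018-03-01T03:20:00,dave@example.com,203.0.113.7,failure
2018-03-01T04:25:00,erin@example.com,203.0.113.7,failure
2018-03-01T05:30:00,frank@example.com,203.0.113.7,failure
2018-03-01T06:35:00,alice@example.com,203.0.113.7,failure
2018-03-01T07:40:00,grace@example.com,203.0.113.7,success
2018-03-01T08:00:00,alice@example.com,198.51.100.4,failure
2018-03-01T08:01:00,alice@example.com,198.51.100.4,failure
2018-03-01T08:02:00,alice@example.com,198.51.100.4,success
"""


def parse_events(text):
    """Parse the CSV-style log into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def accounts_locked_out(events, threshold=5, observation_window=timedelta(minutes=30)):
    """Simulate a classic per-account lockout policy (assumed values: 5 bad
    passwords within 30 minutes). A success clears the counter, as it would
    for a user who finally remembers the password. Returns the accounts that lock."""
    recent_failures = defaultdict(deque)
    locked = set()
    for e in events:
        q = recent_failures[e["user"]]
        if e["result"] == "success":
            q.clear()
            continue
        q.append(e["ts"])
        while q and e["ts"] - q[0] > observation_window:
            q.popleft()
        if len(q) >= threshold:
            locked.add(e["user"])
    return locked


def find_low_and_slow(events, min_accounts=5, window=timedelta(hours=24)):
    """Group by source address instead of by account: flag an address whose
    failures touch at least `min_accounts` distinct accounts inside `window`,
    however few failures each individual account sees. Returns {ip: summary}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "failure"]
        # Slide a window over the (time-sorted) failures and keep the largest
        # set of distinct accounts seen inside any one window.
        most_accounts = 0
        for i, first in enumerate(failures):
            users = {f["user"] for f in failures[i:] if f["ts"] - first["ts"] <= window}
            most_accounts = max(most_accounts, len(users))
        if most_accounts >= min_accounts:
            per_account = defaultdict(int)
            for f in failures:
                per_account[f["user"]] += 1
            findings[ip] = {
                "distinct_accounts": most_accounts,
                "max_failures_per_account": max(per_account.values()),
                # Any success from a flagged address deserves a look: in the
                # sample it is the account the attacker actually got into.
                "successes": sorted({e["user"] for e in evs if e["result"] == "success"}),
            }
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("accounts the lockout policy would lock:", accounts_locked_out(events) or "none")
    for ip, summary in find_low_and_slow(events).items():
        print(f"low-and-slow source {ip}: {summary}")
```

On the sample, the lockout simulation locks nothing (no account sees more than two failures in half an hour), while the source-centred check flags 203.0.113.7 for touching six distinct accounts with at most two failures each, and surfaces the one successful sign-in from that address. The same grouping applies to any exported sign-in log that carries a timestamp, account, source address and result; the lockout thresholds here are placeholders, not a recommended policy.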

Once an attacker gets into your systems with valid credentials, they start looking around. They ascertain lots of information about your organisation, even via the lowest-access user: especially information useful for launching social engineering attacks against higher-privilege accounts, or for stepping through systems using file-less exploits, gaining greater and greater access with each step.

Many very detailed and well-written explanations of these methods and attack vectors have been published. I recommend these two Microsoft blogs, which provide significant detail about some commonly seen attack types:

• Windows Defender ATP machine learning: Detecting new and unusual breach activity

• Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing

What can we do?

Well, that’s all a bit intimidating, isn’t it? The good news is that Microsoft Office 365 and Azure, plus on-premises elements of the Microsoft product portfolio, provide a wide range of solutions to protect your organisation. Together we can significantly reduce the probability of a breach in the first place and mitigate the effects of a successful security breach.

Security Breach Prevention

Image showing mobile phone with Microsoft Authenticator Approve or Deny prompt

First of all, there is Multi-Factor Authentication (MFA): the need to provide a secondary authentication before being permitted access to resources. Microsoft provides this via Office 365 and Azure in a graceful manner, minimising intrusion into the user’s working day. When a user signs in for the first time that day or that session from a given location or device, the process triggers an MFA prompt. The Microsoft Authenticator app on the user’s phone pops up and the user taps a button to authorise the sign-in. Therefore, if the user isn’t currently logging in, they shouldn’t authorise the login, and the attacker is prevented from authenticating.

Taking action against intruders

When an attacker is beyond the organisation’s boundary and has gained access to servers or computers, it means big trouble. They can now use native tools, such as PowerShell remoting, to step through systems, inject into processes and elevate their permissions to System or Administrative contexts. Stepping across to different computers and servers, they don’t need to install backdoors, trojans, viruses or malware on the system. Consequently, there is nothing for classic antivirus or anti-malware agents to identify and stop.
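Because this kind of movement uses legitimate remote logons rather than dropped files, the evidence lives in logon telemetry, not in anything a file scanner would see. The following Python is an added example (not code from the original post or from Silversands) that reconstructs hop chains from a small constructed set of remote-logon records: for each account it follows logons where the destination of one hop becomes the source of the next within a short gap, and reports chains of two or more hops. The record format, host and account names and the 15-minute gap are all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed remote-logon records, one per line:
# "timestamp,account,source_host,dest_host"
# (a network logon to dest_host that originated from source_host).
# svc-backup hops workstation -> file server -> database -> domain controller
# within ten minutes; jsmith only ever goes between a workstation and the file server.
SAMPLE_LOGONS = """\
2018-03-01T09:00:00,svc-backup,WS-0042,FS-01
2018-03-01T09:04:00,svc-backup,FS-01,SQL-02
2018-03-01T09:09:00,svc-backup,SQL-02,DC-01
2018-03-01T09:30:00,jsmith,WS-0017,FS-01
2018-03-01T11:00:00,jsmith,FS-01,WS-0017
"""


def parse_logons(text):
    """Parse the CSV-style records into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, account, src, dst = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "src": src, "dst": dst})
    return records


def reconstruct_chains(records, max_gap=timedelta(minutes=15), min_hops=2):
    """For each account, chain logons where one hop's destination is the next
    hop's source and the next hop happens within `max_gap`. Returns a list of
    {"account", "path", "start", "end"} for chains of at least `min_hops` hops."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)
    chains = []
    for account, evs in by_account.items():
        evs.sort(key=lambda r: r["ts"])
        consumed = set()          # indexes already folded into a chain
        for i, start in enumerate(evs):
            if i in consumed:
                continue
            consumed.add(i)
            path = [start["src"], start["dst"]]
            current, cur_idx = start, i
            extended = True
            while extended:
                extended = False
                for j in range(cur_idx + 1, len(evs)):
                    nxt = evs[j]
                    if nxt["ts"] - current["ts"] > max_gap:
                        break     # sorted by time, so nothing later can qualify
                    if j not in consumed and nxt["src"] == current["dst"]:
                        path.append(nxt["dst"])
                        consumed.add(j)
                        current, cur_idx = nxt, j
                        extended = True
                        break
            if len(path) - 1 >= min_hops:
                chains.append({"account": account, "path": path,
                               "start": start["ts"], "end": current["ts"]})
    return chains


if __name__ == "__main__":
    for chain in reconstruct_chains(parse_logons(SAMPLE_LOGONS)):
        hops = " -> ".join(chain["path"])
        print(f"{chain['account']}: {hops} ({chain['start']} to {chain['end']})")
```

On the sample, only svc-backup produces a chain (three hops ending on the domain controller); jsmith’s two logons are 90 minutes apart and never link. The gap and hop thresholds are placeholders to tune against your own environment, and a chain is a lead for investigation, not proof of compromise on its own.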

Image showing screenshot of Victim’s machine next to Attacker’s machine

*screenshot courtesy of Maddie Egan article

Whilst this is an area that is very difficult to mitigate, Microsoft now covers you. Windows Defender ATP (Advanced Threat Protection) is a native part of the Windows 10 (and Server 2016) kernel: the part of the operating system that puts calculations through the CPU. The attacker has nowhere to hide, as everything that happens on the system is visible. Machine learning identifies activities seen by the kernel, such as process injection, token theft, lateral (left-to-right) movement and privilege elevation, and reports them to the ATP portal.

Furthermore, automation, thanks to Microsoft’s recent purchase of Hexadite, is then used to mitigate these attacks. Execution of these methods and code is blocked, not only on the identified system, but on all of the organisation’s systems.

Image showing screenshot of Windows Defender security operations dashboard

This is just the tip of the iceberg! A taster of the enhancements available via Windows Azure, Office 365 and on-premises systems.

You may also like to read another of my blogs:

Intrusion detection with Microsoft Azure & Office 365

How can Silversands help?

Suffice to say, we can help improve your organisation’s confidence in the security of modern working practices. In addition, we may also be able to help reduce administrative overhead. We are offering a complimentary 1-2-1 Skype session with one of our top specialists in this field. So, take this opportunity to ask any questions that this blog raises and begin a conversation about how to get the best out of Microsoft’s security capabilities. Complete and submit the form below.
