Microsoft Office 365 Attacks on the Rise

It’s not surprising the COVID-19 pandemic that pushed workers home also accelerated cloud migration and digital transformation, but new research from unearthed a troubling trend – 71% of Microsoft Office 365 deployments in medium to large companies suffered, on average, seven legitimate account takeovers at a time when remote workforces were more dependent than ever on the suite of apps to get their jobs done.

While that number is high, Tim Wade, technical director of the Vectra CTO team, said he expected it will “trend down as security teams evolve past thinking about solving the problem with preventative controls and start focusing on additional controls like detection, response and recovery.”

Wade attributes the rise in attacks to the relative newness of operating in the cloud for many organizations. “They need to build muscle here, and until they do, it’s reasonable to expect the risks to be higher,” Wade said.

Despite the uptick in attacks over the past year and growing concerns over identity-based attacks and the security of IoT/connected devices going forward, most of the 1,112 survey respondents said the best thing about their roles as security professionals is the satisfaction of stopping attacks and protecting their companies, even as they admitted the gap between attackers and defenders is widening.

Four out of five claimed good visibility into those attacks that bypassed perimeter defenses, though confidence levels differed between practitioners and those respondents who identified as management, with the latter group showing the highest confidence.

At first blush, that disconnect might be because “executives are just removed from the problem and therefore haven’t calibrated to the true risks – for example, in a traditional IT data center, not using some services means you may not inherit the attack surface associated with those services.” But that doesn’t necessarily tell the whole story in the cloud, where services, Wade explained, “may be available strictly as a byproduct of operating in the cloud, forcing organizations to inherit risks from capabilities entirely outside of their expectations.” He said practitioners agree that security metrics and performance indicators that make it to executives’ desks often don’t provide a meaningful and actionable view into the problem.

The research showed twin frustrations among security pros – over the lack of understanding of cybersecurity by end users and the amount of time it takes to manage existing security solutions. On the latter point, Wade said practitioners must understand that total cost of ownership includes the soft costs of operationalizing around solutions’ capabilities. “When it takes a full team just to tune and manage or build correlation rules to keep a piece of technology operating, that’s a good sign it’s beginning to outlive its usefulness,” he said.

While security leaders must rapidly acclimate to risks in the short term, the same forces that caused an uptick in attacks – an accelerated move to the cloud and digital transformation – can also offer a security opportunity. “There’s tremendous opportunities for defenders to leap-frog the current state of offensive trade-craft,” Wade said. “For example, cloud adoption can accelerate zero-trust principles and capabilities that may have been more difficult to bolt on to traditional data centers.”

It’s also time for practitioners to concede that they’ll never have a perfect asset inventory and acknowledge that a significant percentage of IoT/connected devices will always prove challenging to fully inspect, Wade said, and instead, in both the short and long term, must “get comfortable with detection and response capabilities that zero in on when devices begin to exhibit adversary behaviors.”

Employing AI and automation can help bolster an organization’s security posture, as well, and will provide relief going forward. While 58% of the businesses surveyed said they were going to increase investment in people and technology, 52% will sink dollars into AI and automation.

In the future, those investments will work in concert, with AI and machine learning empowering people, Wade said, by offloading tasks best suited to a machine and “freeing up cycles for the higher-order tasks where humans excel,” like contextualizing and investigating attacker behaviors.

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 196 posts and counting.See all posts by teri-robinson