Top Threat Detections Can Identify Suspicious Activity

Here’s an understatement: the cloud has changed everything. Another one: Microsoft is a target of threat actors.

So, it seems to track that 71% of users have suffered an account takeover of a legitimate user’s account, on average, seven times in the year prior, according to an ebook recently released by Vectra.ai.

But the more important question is how companies detect what’s out of the ordinary, an important step in figuring out how to guard against these kinds of threats. That’s what Vectra.ai seeks to answer in a new report, Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365.

By gleaning information from its customer base, Vectra.ai has compiled the top 10 threat detections “that help ratify attacks across Microsoft Office 365 and Microsoft Azure AD.”

The researchers noted that obviously malicious actions are clearly the easiest to detect and respond to; however, bad actors are increasingly co-opting and misusing existing services and access used across an organization, which makes it easier to fly under the radar.

It’s critical, therefore, “that modern network defenders understand the intersection that may exist between the types of actions an adversary would need to take to progress towards their objectives and the behaviors routinely taken by authorized users across the enterprise,” the report noted. In other words, it’s critical to determine what is legitimate user activity versus the actions of attackers with ill intent.

Not all threat detections in all instances indicate malicious activity. Intent, context and authorization are key factors in determining who’s an adversary and who’s a benign user, the research stressed.

“The cloud requires a different mindset and strategy for security. The pace of application and network deployment is much higher with ephemeral workloads and infrastructure-as-code in the cloud,” said Confluera CEO John Morgan. “The security tools and processes need to change to keep up with this pace.”

Morgan added that “the strategies involved require security to be inserted into a shift left and runtime security model; with more emphasis on build and deployment time security than has been seen in the past.”

The Vectra report identified the following top 10 threat detection vectors and broke down their frequency by company size:

  • O365 Suspicious Download Activity
  • O365 Risky Exchange Operation
  • Azure AD Suspicious Operation
  • O365 Suspicious Sharing Activity
  • Azure AD Redundant Access Creation
  • O365 External Teams Access
  • O365 Suspicious Power Automate Flow Creation
  • O365 Suspicious Mail Forwarding
  • O365 Unusual eDiscovery Search
  • O365 Suspicious SharePoint Operation

Researchers found Office 365 Risky Exchange Operation at or close to the top in every company size category. The report called it “concerning” and said it “could range from the collection and exfiltration of sensitive information, the running of scripts or providing a backdoor.”

Azure AD Suspicious Operation, which identifies environmental changes that could be attributed to an actor taking over an account and elevating its privileges, was among the top three for medium and small companies. That the attack vector did not share the same status in larger companies could indicate that in “large organizations, more frequent administration of Azure AD may be required compared to smaller organizations.”

As modern enterprises continue their march to the cloud, Tim Bach, AppOmni vice president of engineering, said, “just as internal infrastructure security posture must be continuously monitored and assessed with best-in-class security automation, so too must cloud services as they become equally critical in terms of an organization’s overall security stance.”

Bach explained that “to fully protect cloud and SaaS data, security teams need to have ongoing visibility of the internal and external users who have access to data, including which third-party applications are connected to their cloud and SaaS environments.”

In short, he said, “organizations should augment their CASB with a tool or process that can discover and monitor non-network data access.”

Indeed, visibility and continuous monitoring are gaining momentum as must-haves for today’s cloud-first organizations.


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
