Auditing Can Improve Your Secure Score
In my last post I reviewed the ways we’ve been working to walk up our Secure Score. Reviewing the Azure audit log for risky sign-ins (successful sign-ins after repeated failed attempts) showed… nothing. But nothing is good! It means there were no risky sign-ins, which is a good thing.
And conducting the review bumped our Secure Score up by 45 points!
But there’s no resting on one’s laurels in cyber security. So, this week our Secure Score retreated, given that I hadn’t re-examined the risky sign-in audit log. This time around, I’ve chosen a few other auditing tasks that are important to accomplish.
- Changes in role group status
- Review of audit logs
Changes to Role Groups
One of the tried-and-true methods for compromising a network has been to gain access through stolen/compromised credentials and then elevate the role of the compromised account to have administrative privileges. From there, the attacker can often access any system, network and file store.
It’s critical to keep an eye on this potential elevation of privileges.
First, Secure Score explains what this activity is all about.

Overview of monitoring role group status changes
Next, we click “Learn More” and get a more detailed explanation, with a button (not in the picture) to launch the activity.

Details on reviewing changes to role group status
Now, what I would like to see is a report or an alert that tells me which users have had their roles changed or privileges escalated. I chose to check each user and inspect their account to see what role they had. Here’s an example of this, using the account of a former CGNET staffer.

Example check of role group status
Checking on user roles is useful, but it feels a bit like looking for the proverbial needle in the haystack. As it turns out, I could have run an audit log report (like the one below) to see all these changes. That would be a much better approach and the one I’ll use next time.
Check the Audit Logs
Next, I moved on to another recommendation: “use audit data.” OK, sounds great if a bit vague. But wait, there’s an explanation!

An explanation of using audit data
It certainly makes sense to look at the audit data your system is collecting. Let’s proceed.

Details on using audit data
Aha! Now we’re in Azure nerd-land, and there are lots (and I mean lots) of different audit logs we can generate and examine. They cover lots of Office 365 services, including ones you might not have expected: Power BI and Sway, to name two.
I decided to run an audit log search for instances of malware being downloaded.

Audit log search for detected malware
Fortunately, the report showed no entries. All clean here.
Next, I looked at users who created links that are shareable within the company. This activity doesn’t raise security alarm bells. If they were links shareable outside the company, or anonymously, that would be more troubling. But I wanted to generate an audit log search that I knew would yield some results, and here they are.

Example audit log search: creating a company-shareable link
This screenshot shows that a number of users have been creating company-shareable links; it even lists an instance where the system modified a folder. Why all this activity? We’re using Teams regularly now, and we often upload files and then announce them via a shared link.
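The same three searches (role group changes, detected malware, and company-shareable link creation) can be run from Exchange Online PowerShell rather than clicked through in the portal. This is an added example, not code from the post or from Microsoft; it assumes Connect-ExchangeOnline has already been run by an account holding the View-Only Audit Logs role, and the operation names it uses are the unified audit log names as I know them, not values taken from the post, so confirm them against the activity picker in your own tenant.

```powershell
# Added example (not from the original post): run the audit log searches
# described above from Exchange Online PowerShell. Assumes Connect-ExchangeOnline
# has already been run. Operation names are assumed unified-audit-log names;
# check them against the portal's activity picker in your tenant.

function Get-SecureScoreAuditSummary {
    param(
        [int]$Days = 7,          # look-back window for the review
        [int]$MaxResults = 5000  # Search-UnifiedAuditLog's per-call maximum
    )
    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # Review label => audit log operation name (assumed, see lead-in).
    $checks = [ordered]@{
        'Role group membership change' = 'Add member to role.'
        'Malware detected in a file'   = 'FileMalwareDetected'
        'Company-shareable link'       = 'CompanyLinkCreated'
        'Anonymous link (review these)' = 'AnonymousLinkCreated'
    }

    foreach ($label in $checks.Keys) {
        $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                       -Operations $checks[$label] -ResultSize $MaxResults

        # "Nothing" is a good result, but emit a row anyway so the fact that
        # the review happened is recorded, which is what Secure Score asks for.
        if (-not $records) {
            [pscustomobject]@{ Check = $label; When = $null; Actor = $null
                               Target = "no entries in last $Days days"; ClientIP = $null }
            continue
        }

        # AuditData is a JSON blob; expand the fields a reviewer actually reads.
        foreach ($r in $records) {
            $d = $r.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                Check    = $label
                When     = $d.CreationTime
                Actor    = $d.UserId     # account that performed the action
                Target   = $d.ObjectId   # user, role or file it applied to
                ClientIP = $d.ClientIP
            }
        }
    }
}

# Weekly review over the last two weeks; pipe to Export-Csv to keep evidence.
Get-SecureScoreAuditSummary -Days 14 | Sort-Object Check, When | Format-Table -AutoSize
```

Rows for "Role group membership change" and "Anonymous link" deserve a human look every time; the other two mostly confirm that nothing happened.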
What’s Next
It would be a “best practice” for me to schedule regular review of role groups, risky sign-ins and other security-related audits. I will have to get on that.
I’d also like to turn on mailbox auditing, as the user mailbox is where a lot of mischief can happen. Activating mailbox auditing requires executing PowerShell commands, and I want to check with our technical folks before I click the button and cause unintended havoc on our production system.
If you get inspired to look at your Office 365 Secure Score, let me know what you found. I won’t tell anyone, promise! As a customer pointed out to me recently, the percentile rankings of Secure Scores indicate that lots of people are not yet paying attention to it. So, you can be the first on your block, as they say.