
Microsoft Office 365 Secure Score Limitations for MSPs

There is no doubt that, in the rapidly changing environment of cybersecurity, Microsoft Office 365 Secure Score plays a vital role in organisations' attempts to enhance their security postures. Although the tool has many benefits, especially for single-tenant assessments, managed service providers (MSPs) face many limitations when attempting to use it across multiple clients. This article describes those limitations so that MSPs can work around them in their evaluation systems.

Login Link: https://security.microsoft.com/exposure-secure-score?viewid=overview&tid=801b5ab0-7515-4c24-bd61-9e74a7bd4e80


Help/Application to Single Tenant Assessment

365SS was designed to offer a quantifiable measure of an organisation's security posture. Known as M365 Secure Score, it is an overall security tool that evaluates the behaviour of an organisation and provides actionable recommendations to help the organisation become more secure. There are many benefits to its utilisation as a SES in a single-tenant assessment, and some of them include:

1. Centralised Security Overview

Because the whole security status can be viewed in one place, administrators are better able to see basic vulnerabilities and trouble spots that they may need to address. This demonstrates how the tool can be beneficial for single-tenant assessments.


2. Actionable Recommendations

Secondly, this tool provides actionable recommendations that can be utilised to improve the status of the tenant. Because these recommendations are based on the specific configurations and the activities of the tenant, the implementation of the recommendations leads to improved security. This benefit can be regarded as another reason for this tool to be explicitly used in the context of single-tenant assessments.

3. Track Progress

Another reason why 365SS is beneficial for single-tenant application is the ability to track progress. In other words, this tool offers the ability to see and understand whether the changes have a positive impact on preventing security issues and security-related risks.

4. Benchmark

Finally, the tool is beneficial for single-tenant assessments because it allows benchmarking against industry standards and similar organisations. This provides a critical component of the analysis needed for understanding the overall score and the areas that need the most work.



Identifying Limitations of M365SS for MSPs

Even though this tool is beneficial for single-tenant assessments, MSPs are bound to face many limitations when applying it to manage multiple clients. In other words, while it is beneficial for single-tenant evaluations, it is not an effective tool for MSPs. The main limitation is that 365SS is not a multi-tenant security tool and does not support this kind of application. Using it effectively requires the MSP to view the dashboard manually, which can be cumbersome and lead to inconsistencies when dealing with multiple clients.


1. Inconsistent Scoring Criteria

The criteria for scoring can differ widely depending on the actual configurations and usage patterns of each tenant. Such inconsistency can make it hard to normalise security evaluation across different clients. It can be challenging for MSPs to deploy a uniform approach to security assessment, which can result in several security aspects being overlooked.

2. Limited Customisation

The score's recommendations are based on best practices, which do not always fit the context and peculiarities of individual tenants. MSPs need a high level of customisation to match the specific operational and regulatory demands of their clients. The lack of this possibility therefore has a negative impact on the outcome of the client evaluation.


3. Resource Intensive

Running security assessments also tends to be a resource-intensive activity when it is done with the available toolkit. MSPs have to dedicate substantial time and effort to each tenant to assess its security performance and evaluate the recommendations. Such an approach tends to overload the resources of MSPs, which is critical for smaller companies that might have limited personnel and technical coverage.

How Can MSPs Improve Client Security Evaluation?

Despite the limitations, the MSPs could apply the following approaches to upgrade their security evaluation and provide the highest level of protection to the clients.

1. Implement Automation Tools

MSPs can use various types of automation to ease the manual burden of evaluating the security of multiple tenants. Automation can aggregate data from disparate sources, provide a single dashboard for evaluating the security score, and generate reports. MSP staff can then focus on more strategic activities while automation handles the tactical work.
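An added example (not Microsoft's or CatchBefore's code) of the aggregation step described above: it ranks tenants on the percentage of achievable score rather than raw points, and lists controls that score zero in several tenants. It assumes each tenant's score has already been exported with the `currentScore`, `maxScore` and `controlScores` fields of the Microsoft Graph `secureScore` resource; the tenant labels, control names and numbers are constructed.

```python
def _tenant(name, current, maximum, controls):
    """Build one record with the secureScore fields this example relies on."""
    return {"tenant": name, "currentScore": current, "maxScore": maximum,
            "controlScores": [{"controlName": k, "score": v}
                              for k, v in controls.items()]}


# Constructed sample data: tenant labels, control names and points are invented.
SAMPLE_SCORES = [
    _tenant("client-a", 240.0, 480.0,
            {"mfa-all-users": 9.0, "block-legacy-auth": 0.0, "mailbox-auditing": 0.0}),
    _tenant("client-b", 90.0, 120.0,
            {"mfa-all-users": 0.0, "block-legacy-auth": 0.0, "mailbox-auditing": 5.0}),
    _tenant("client-c", 150.0, 600.0,
            {"mfa-all-users": 0.0, "block-legacy-auth": 8.0, "mailbox-auditing": 5.0}),
]


def normalise(records):
    """Return (tenant, percent) pairs, weakest tenant first.

    Raw points are not comparable between tenants because maxScore depends
    on which products and controls apply to each one, so rank on the ratio.
    """
    rows = []
    for rec in records:
        if rec["maxScore"] <= 0:      # nothing scored yet: skip, do not divide
            continue
        pct = round(100.0 * rec["currentScore"] / rec["maxScore"], 1)
        rows.append((rec["tenant"], pct))
    return sorted(rows, key=lambda row: row[1])


def shared_gaps(records, min_tenants=2):
    """Map each control that scores zero in at least min_tenants tenants to
    the affected tenants: one standard fix that covers several clients."""
    gaps = {}
    for rec in records:
        for ctl in rec["controlScores"]:
            if ctl["score"] == 0:
                gaps.setdefault(ctl["controlName"], []).append(rec["tenant"])
    return {name: tenants for name, tenants in gaps.items()
            if len(tenants) >= min_tenants}


if __name__ == "__main__":
    for tenant, pct in normalise(SAMPLE_SCORES):
        print(f"{tenant}: {pct}%")
    print(shared_gaps(SAMPLE_SCORES))
```

In the sample, client-b has the fewest raw points but the highest percentage, which is the ordering a raw-points comparison would get wrong.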

2. Standardise Security Frameworks

MSPs can adopt standardised and regulated frameworks to provide a high level of security. Developing a unified evaluation methodology would ensure that all clients are evaluated more thoroughly and fairly. Common vulnerabilities tend to be overlooked if they are not generalised, and MSPs risk failing to apply best practices in all the necessary situations.

3. Customise Security Recommendations

MSPs have to understand the environment of each individual tenant and redesign the proposals according to its unique operating pattern and restrictions. It is also essential to recreate proposals for the business context and special circumstances of the customer’s implants. This means that they need to write at least some, if not all, of the recommendations themselves.

4. Continuous Monitoring and Improvement

According to standard evaluations, the main condition for evaluating systems to the client will give rise to new assessment and rating analyses. Continuous system monitoring should allow MSPs responsible for evaluating the provision of other applications using other sources and tools to ensure the necessary security tools.


5. Educate and Train Clients

An informed client is indeed your best friend. Therefore, any MSP should encourage its clients to take an active part in the evaluation of their systems. Such education may cover general security principles, the necessity of regular security assessments, or the interpretation of the SS dashboard results. Finally, informing the MSP's customers about a potential threat or an action required after an evaluation increases the probability that necessary security measures are taken on time.

Summary: Office 365 Secure Score for MSPs

In conclusion, Microsoft’s M365 Secure Score is efficient for single tenants in many cases. However, multiple factors prevent MSP IT providers from benefitting from it to the full extent. The lack of multi-tenant support, inconsistency in reporting, the inability to customise in many cases, and the high level of operational investment required to perform manual checks are its most visible shortcomings.

To overcome these challenges, MSPs are advised to apply automation, standardise the SSPs, customise different requirements for security checks, perform continuous monitoring with the help of special tools, and, last but not least, educate their clients. All of these steps may help to put both the client of an MSP and its infrastructure into safer conditions.


The truth behind MFA and 365 security

MFA and 365 security is part of a journey. The first step of that journey is the discovery that security isn’t a binary situation. The question shouldn’t be “are we secure?”, rather “how secure are we?”. Seeing security from this perspective is critical to maintaining a healthy level of safety. MFA (Multi-Factor Authentication) involves extra steps to help prove that it is really you trying to access a system. This is part of the security process, but it isn’t the only process, and it is far from bullet-proof.

When undertaking a security review, we often hear comments along the lines of: “We have MFA, so we should be good”. The first comment I need to make about this type of statement is that, from experience, it is almost always incorrect. Often some users in an organisation have coverage, but it is almost never complete. At the time of writing, upon initial engagement we are yet to find an organisation that has MFA set up, activated and enforced on every account. Even when it is enforced, there are often accounts that have not logged in and set it up. CatchBefore is fantastic at raising awareness of gaps within MFA, and helping to achieve complete MFA coverage.

Once 100% MFA coverage is achieved, the security task is not yet complete. There are other areas that can provide access to data (bypassing MFA), and even accounts with MFA enabled and enforced are not completely secure. As an example of this: one of our clients had MFA set up on all their users, and they still ended up with a compromised account. A suspicious login was promptly detected by CatchBefore. This turned into a notification for the client to review, and at this point it was clear that there was unapproved activity on the account. Our team helped regain control, and restored the account to health. How did this attack happen? It appears that the password used by the client was compromised, and an MFA authentication request may have been inadvertently (accidentally) approved by the end user.

The compromise was only discovered due to the suspicious login detection features of CatchBefore. Another benefit of early detection was the speed with which the situation was corrected, limiting further impact.

What is the lesson from this issue? MFA and 365 security is fantastic, but it isn’t a complete security solution. Undertaking regular security monitoring can also play a critical role in helping you manage your 365 security risks.


365 Security in 2023

After years of development, CatchBefore was released early in 2022. A big thank you to the many clients that have joined our journey. Each sign-up represents another organisation prepared to take a positive step, and shine light on an area that in many cases they didn’t previously have any real understanding about. The demand for security improvements is coming from a broad range of sectors. Our client range includes organisations from professional service industries, construction, manufacturing, not for profit, and other areas. There is no sector immune from being targeted by those with malicious intent.

What are our biggest take-outs from the year?

  • We have yet to see a client join that has 100% Multi-Factor-Authentication (MFA) coverage. In fact, many thought they had everyone with MFA, only to find they had dramatically low coverage
  • Most clients are not aware that there is a raft of other security issues besides MFA
  • Those that were least convinced that they needed to improve their security often had the largest gaps and needed the most improvements
  • Information and understanding is critical – unfortunately a lot of organisations are not aware of the risks that need to be managed and mitigated
  • Detected attack attempts tend to increase when we are away from work (especially on weekends and major public holiday periods).

What kind of situations has CatchBefore commonly helped with?

  • Improving the security position of clients. The proactive security configuration checks help our clients improve their security score, lowering the risk of an incident.
  • Discovering compromised accounts. We have picked up a number of accounts that had unauthorised logins. This information enabled our clients to take proactive steps to close down weaknesses and prevent a repeat.
  • Discovering almost compromised accounts. CatchBefore has a fantastic feature that helps detect logins where the username and password have been successful, but MFA failed. This situation typically means that the username and password have been compromised, and the only thing stopping a complete account compromise is the MFA feature. In this situation we have been able to guide our clients through the safe change of password.
  • Discovering excess licences and old users. It is not uncommon that clients have more inactive users than active ones, and in many cases wasted/excess licences. We have hit situations where CatchBefore can almost pay for itself due to excess licence discoveries.
  • Discovering previously forgotten external email forwarders and rules. Some email rules can be ‘malicious’ in nature, deliberately forwarding email and hiding their tracks. Others are meant to be temporary, and are then forgotten about. In both situations the result can be email data being silently forwarded outside your organisation without alert. CatchBefore helps detect mailbox rules, including those that forward to external addresses.
  • Quota issues, where clients are running out of space. Perhaps one of the most easily preventable emergencies. Every service has its storage limits, and it is important to know when your accounts are approaching their capacity. CatchBefore actively monitors and alerts when space is becoming tight.
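An added example (not CatchBefore's code) of the "password succeeded, MFA failed" check from the list above, extended to flag the case described earlier on this page where a prompt is then approved from the same address. It assumes sign-in records carrying the `userPrincipalName`, `createdDateTime`, `ipAddress` and `status.errorCode` fields of the Microsoft Graph `signIn` resource and treats error code 500121 as the MFA-stage failure; the sample data, the `triage` function and the verdict labels are constructed for illustration.

```python
def _rec(upn, when, ip, code):
    """Build one record with the signIn fields this example relies on."""
    return {"userPrincipalName": upn, "createdDateTime": when,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: invented users, documentation-range IP addresses.
SAMPLE_SIGNINS = [_rec(*row) for row in [
    ("alice@example.com", "2023-01-06T08:02:11Z", "198.51.100.7", 0),
    ("alice@example.com", "2023-01-07T23:40:05Z", "203.0.113.50", 500121),
    ("alice@example.com", "2023-01-07T23:41:30Z", "203.0.113.50", 500121),
    ("bob@example.com", "2023-01-06T09:15:00Z", "198.51.100.9", 0),
    ("bob@example.com", "2023-01-08T02:10:44Z", "203.0.113.77", 500121),
    ("bob@example.com", "2023-01-08T02:12:03Z", "203.0.113.77", 0),
    ("carol@example.com", "2023-01-06T08:30:00Z", "198.51.100.12", 0),
    ("carol@example.com", "2023-01-06T13:05:00Z", "198.51.100.12", 500121),
    ("carol@example.com", "2023-01-06T13:05:40Z", "198.51.100.12", 0),
    ("dave@example.com", "2023-01-06T10:00:00Z", "198.51.100.20", 50126),
]]

MFA_FAILED = {500121}   # password accepted, second factor not completed
SUCCESS = 0             # 50126 (wrong password) is deliberately not a finding


def triage(records):
    """Return {user: verdict} for users with at least one MFA-stage failure.

    Verdict labels (hypothetical): "mfa-failure-known-ip" (user's usual
    address), "password-exposed" (new address, MFA held), and
    "likely-compromised" (new address later signed in successfully).
    """
    known_ips, pending, verdicts = {}, {}, {}
    # Same-format UTC ISO 8601 timestamps sort correctly as strings.
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        user, ip = r["userPrincipalName"], r["ipAddress"]
        code = r["status"]["errorCode"]
        if code in MFA_FAILED:
            if ip in known_ips.get(user, set()):
                verdicts.setdefault(user, "mfa-failure-known-ip")
            else:
                pending.setdefault(user, set()).add(ip)
                if verdicts.get(user) != "likely-compromised":
                    verdicts[user] = "password-exposed"
        elif code == SUCCESS:
            if ip in pending.get(user, set()):
                verdicts[user] = "likely-compromised"   # prompt was approved
            else:
                known_ips.setdefault(user, set()).add(ip)
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(triage(SAMPLE_SIGNINS).items()):
        print(user, verdict)
```

A "password-exposed" verdict calls for the password change described in the list; "likely-compromised" calls for regaining control of the account.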

What is in store for CatchBefore and 365 security in 2023?

Additional features and checks are in the development stage. CatchBefore plans to release enhancements during 2023. In addition to the planned improvements, we will continue to monitor the evolving threat landscape.


Welcome, and what a time to launch

A brief history of how we ended up here

CatchBefore was an idea long before it became a service. Our team has been helping corporate clients move to the cloud for many years. As the cloud products matured, the (optional) security features have also improved.

The age-old problems were still there, however. The system that you are using is only as secure as its configuration (the same problem that existed with onsite servers). Clients were freed from the constraints of having onsite servers. No more rolling server upgrades every 4-5 years. No more outdated server software, or worrying about a hardware failure in the office. You can add 100 new accounts and not have to worry about buying a new server.

Instead of your data being accessible just in your office, it is now accessible globally. This is great when you are travelling, however it also means that anyone in the world can also try to access your data in the cloud.

365 does provide the tools to help you protect your data. But this is just part of the problem: you have to enable and use the tools correctly. You need to make sure they are applied to every account. There are still limits (quotas) in place, and you still need to make sure you are not wasting licences, or having more accounts than you require. If an account is compromised, you need a way to find out (and quickly!).

Over time we have developed a reliable tool-kit of configuration and general health checks. We hit three problems, however:

  1. The checks were only good up to the time we ran them.
  2. The checks were time intensive to run.
  3. It can be difficult to maintain a best-practice configuration over time.

CatchBefore was created to make it possible to run regular health checks, and alert on any suspicious activity or sub-standard configuration. This enables us to deliver levels of protection that would not be feasible with manual health checks. CatchBefore automates hours' worth of checks and reviewing each day, bringing discovered issues to your attention.

Launch timing

Many years ago a number of nation-state actors tried to be reasonably discreet when attempting cyber-attacks. For a number of years western governments have been ringing alarm bells about the risk to business. The frequency of attack attempts is only increasing. Some foreign governments appear to be involved, or at least not doing anything to rein in attacks from their countries.

At the same time many organisations have moved to the cloud, and unfortunately have not taken adequate steps to prevent or detect an intrusion in their 365 tenancy.

CatchBefore is here to help organisations minimise risk, and utilise the fantastic benefits of the cloud with confidence.

Where we are heading

We initially had a short list of checks (under 10) that we wanted to have ready at launch time. Each check is designed to alert on a specific problem. For example, check and alert if an account is missing Multi-Factor Authentication. Another example is check and alert if an overseas login is detected. We kept on finding additional important items to add to the list, and we have ended up releasing with 29 active checks!

We have plans to continue to add useful checks. Each time we see a problem, it may be the inspiration for another check.
