Improve your Office 365 Security Governance

Office 365 security governance is critical. Modern IT systems are at the heart of any organisation. They carry all your critical data, from client information, work-in-progress, procedures, payroll, sales leads, the list goes on.

The information stored within these systems is so valuable that any loss of data may spell the end of an organisation. Just as you protect your physical assets, your digital assets also need to be protected.

Unfortunately, with the move to the cloud, it is not uncommon to see that many of the traditional best-practice methods of risk reduction have not been adopted.

CatchBefore was built to help simplify the management of a number of key risk points for organisations. Our software provides a practical solution to address a number of the key security issues raised below.

Best Practice / Traditional IT Governance key-points

  1. Access Controls. Access controls provide a method of enforcing rules around which users can access what data or systems. Restricting access to the minimum required reduces risk.
  2. Privilege separation. Normal day-to-day activities should be undertaken as a regular user. Administrative functions should be undertaken using a separate, dedicated administrative account.
  3. Protect user accounts. Password quality and management are critical to make sure user accounts are not compromised.
  4. Monitor logs and systems for integrity. It is critical that access logs and systems are continuously monitored to ensure that a breach has not occurred, and that the security of your environment is preserved.
  5. Monitor system configuration. The system is never stagnant. It is a moving object, and continuously changing. Unfortunately it is very easy to make a configuration mistake which may negatively impact the security of your organisation.
  6. Backup your data. Human error, hardware failures, fires, power surges, software failures, malicious staff, external threat-actors. There are many ways in which your data could be lost. Having a complete and up to date backup system in place is critical for your risk management.
  7. Utilise anti-malware/anti-virus software. Actively seeking out malicious software helps reduce risk. The sooner that an attack can be prevented, the sooner the risk can be limited and managed.
  8. Monitor and manage server hardware health. Hardware does fail, and can have catastrophic consequences when it does. It is important to manage this risk by continuously monitoring server hardware, and keeping your server within its planned lifespan.
  9. Server patch-management. The battle for security is forever ongoing. Attackers find exploits, and vendors provide ‘patches’ to their software to close these exploits. It is critical that software on your server is kept up to date with the latest patches.

Changes since moving to the cloud

Let's have a look at the list, from the perspective of having your data in the cloud:

  1. Access Controls. This requirement still applies. In addition to having to worry about limiting access to those within your office, your data is now accessible globally.
  2. Privilege separation. The concept of privileged access has been adopted in the move to the cloud. The risk of escalation via administrative privileges applies to 365 tenancies as well.
  3. Protect user accounts. The exploitation of user accounts is as problematic as ever in the cloud. Attackers are busy trying to break into accounts, and in many ways their efforts are helped by the reduced variance in software versions and platforms.
  4. Monitor logs for system integrity. Access logs are still generated; however, they may not be retained for as long as you have been accustomed to with onsite servers. These logs still provide important information about access to your data.
  5. Monitor system configuration for faults. Many of the features with on-premise solutions are also available in the cloud. This means that the configuration options available are vast, and there is a need for regular monitoring for incorrect configuration that may lead to security vulnerabilities.
  6. Backup your data. 365 does have some data-versioning capacity. The system does have a grace period before deleting data. Best practice suggests that you have independent backup, with a much longer retention. This will help minimise the risk of data loss due to accidental deletion, malicious removal, or other system failure.
  7. Utilise anti-malware/anti-virus software. Although the security of the servers is no longer your responsibility, it is still advisable to ensure that your tenancy's security configuration settings are set high, and that any devices that connect to your tenancy are secure (fully patched, and running security software).
  8. Monitor and manage server hardware health. If you are no longer using an on-premises server, then you do not have to worry about this.
  9. Server patch-management. If you are no longer using an on-premises server, then you do not have to worry about this. We should note that it is still important to ensure that other devices that connect to your 365 tenancy are up to date with their patching.

Most of the IT security governance requirements still exist, even with the move to the cloud. We strongly suggest that all organisations take serious steps to minimise the risks associated with the management of their data.


The truth behind MFA and 365 security

An example of how MFA didn’t save the day, and an account with MFA was compromised.

MFA and 365 security is part of a journey. The first step of that journey is the discovery that security isn’t a binary situation. The question shouldn’t be “are we secure?”, rather “how secure are we?”. Seeing security from this perspective is critical to maintaining a healthy level of safety. MFA (Multi-Factor Authentication) involves extra steps to help prove that it is really you trying to access a system. This is part of the security process, but it isn’t the only process, and it is far from bullet-proof.

When undertaking a security review, we often hear comments along the lines of: “We have MFA, so we should be good”. The first comment I need to make to this type of statement is that from experience it is almost always incorrect. Many times some users in an organisation have coverage, but it is almost never complete. At the time of writing, upon initial engagement we are yet to find an organisation that has MFA set up, activated and enforced on every account. Even when enforced, there are often accounts that have not logged in and set it up. CatchBefore is fantastic at raising awareness of gaps within MFA, and helping to achieve complete MFA coverage.

Once 100% MFA coverage is achieved, the security task is not yet complete. There are other areas that can provide access to data (bypassing MFA), and even accounts with MFA enabled and enforced are not completely secure. As an example of this: one of our clients had MFA set up on all their users, and they still ended up with a compromised account. A notification of a suspicious login was promptly detected by CatchBefore. This turned into a notification for the client to review, and at this point it was clear that there was unapproved activity on the account. Our team helped regain control, and restored the account to health. How did this attack happen? It appears that the password used by the client was compromised, and an MFA authentication request may have been inadvertently (accidentally) approved by the end user.

The compromise was only discovered due to the suspicious login detection features of CatchBefore. Another benefit of early detection was the speed with which the situation was corrected, limiting further impact.

What is the lesson from this issue? MFA and 365 security is fantastic, but it isn’t a complete security solution. Undertaking regular security monitoring can also play a critical role in helping you manage your 365 security risks.


365 Security in 2023

Highlights and security lessons from 2022, and what needs to happen in 2023


After years of development, CatchBefore was released early in 2022. A big thank you to the many clients that have joined our journey. Each sign-up represents another organisation prepared to take a positive step, and shine light on an area that in many cases they didn’t previously have any real understanding about. The demand for security improvements is coming from a broad range of sectors. Our client range includes organisations from professional service industries, construction, manufacturing, not for profit, and other areas. There is no sector immune from being targeted by those with malicious intent.

What are our biggest take-outs from the year?

  • We have yet to see a client join that has 100% Multi-Factor-Authentication (MFA) coverage. In fact, many thought they had everyone with MFA, only to find they had dramatically low coverage.
  • Most clients are not aware that there is a raft of other security issues besides MFA
  • Those that were least convinced that they needed to improve their security often had the largest gaps and needed the most improvements
  • Information and understanding is critical – unfortunately a lot of organisations are not aware of the risks that need to be managed and mitigated
  • Detected attack attempts tend to increase when we are away from work (especially on weekends and major public holiday periods).

What kind of situations has CatchBefore commonly helped with?

  • Improving the security position of clients. The proactive security configuration checks help our clients improve their security score, lowering the risk of an incident.
  • Discovering compromised accounts. We have picked up a number of accounts that had unauthorised logins. This information enabled our clients to take proactive steps to close down weaknesses and prevent a repeat.
  • Discovering almost compromised accounts. CatchBefore has a fantastic feature that helps detect logins where the username and password have been successful, but MFA failed. This situation typically means that the username and password have been compromised, and the only thing stopping a complete account compromise is the MFA feature. In this situation we have been able to guide our clients through the safe change of password.
  • Discovering excess licences and old users. It is not uncommon that clients have more inactive users than active ones, and in many cases wasted/excess licences. We have hit situations where CatchBefore can almost pay for itself due to excess licence discoveries.
  • Discovering previously forgotten external email forwarders and rules. Some email rules can be ‘malicious’ in nature, deliberately forwarding email and hiding their tracks. Others are meant as temporary, and then forgotten about. In both situations it can result in email data being silently forwarded outside your organisation without alert. CatchBefore helps detect mailbox rules, including rules that forward to external addresses.
  • Quota issues, where clients are running out of space. Perhaps one of the most easily preventable emergencies. Every service has its storage limits, and it is important to know when your accounts are approaching their capacity. CatchBefore actively monitors and alerts when space is becoming tight.
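
The "almost compromised" check in the list above, and the earlier incident where a compromised password was followed by an approved MFA request, both come down to correlating sign-in results per user. The following is an added example, not CatchBefore's code: it assumes records shaped like Microsoft Entra ID sign-in log entries, treats error code 500121 as "password accepted, MFA failed", and uses constructed sample data, a hypothetical 30-minute window and hypothetical finding names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Entra ID sign-in error codes. 0 = success; 500121 = password was
# accepted but the MFA request failed; 50126 = wrong username or password.
SUCCESS, MFA_FAILED = 0, 500121
WINDOW = timedelta(minutes=30)  # hypothetical correlation window

def _rec(user, when, ip, code):
    """Build a record using the sign-in log field names."""
    return {"userPrincipalName": user, "createdDateTime": when,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample data (documentation IP ranges), not real log entries.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2023-01-07T02:10:00Z", "203.0.113.10", 50126),
    _rec("alice@example.com", "2023-01-07T02:12:00Z", "203.0.113.10", 500121),
    _rec("bob@example.com", "2023-01-07T03:00:00Z", "198.51.100.7", 500121),
    _rec("bob@example.com", "2023-01-07T03:01:00Z", "198.51.100.7", 500121),
    _rec("bob@example.com", "2023-01-07T03:02:00Z", "198.51.100.7", 0),
    _rec("carol@example.com", "2023-01-09T09:00:00Z", "192.0.2.5", 0),
    _rec("dave@example.com", "2023-01-08T01:00:00Z", "203.0.113.10", 500121),
    _rec("dave@example.com", "2023-01-08T09:00:00Z", "192.0.2.20", 0),
]

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def review_signins(signins):
    """Return {user: finding} for users whose password appears to be known."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)
    findings = {}
    for user, recs in by_user.items():
        last_fail = None
        for rec in sorted(recs, key=_ts):
            code = rec["status"]["errorCode"]
            if code == MFA_FAILED:
                last_fail = rec  # password worked, MFA held: change password
                findings.setdefault(user, "password_known_mfa_held")
            elif code == SUCCESS and last_fail is not None:
                # Success from the same IP soon after MFA failures suggests
                # the prompt was eventually approved: treat as a compromise.
                if (rec["ipAddress"] == last_fail["ipAddress"]
                        and _ts(rec) - _ts(last_fail) <= WINDOW):
                    findings[user] = "mfa_passed_after_failures"
    return findings
```

A user who mistypes a code and then succeeds would also match the second finding, so it is a prompt for review rather than proof of compromise.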

What is in store for CatchBefore and 365 security in 2023?
Additional features and checks are in the development stage. CatchBefore plans to release enhancements during 2023. In addition to the planned improvements, we will continue to monitor the evolving threat landscape.


Welcome, and what a time to launch

Years of experience with cloud products have come together for a positive goal.

A brief history of how we ended up here

CatchBefore was an idea long before it became a service. Our team has been helping corporate clients move to the cloud for many years. As the cloud products matured, the (optional) security features have also improved.

The age-old problems were still there, however. The system that you are using is only as secure as its configuration (the same problem that existed with onsite servers). Clients were removed from the restraints of having onsite servers. No more rolling server upgrades every 4-5 years. No more outdated server software, or worrying about a hardware failure in the office. You can add 100 new accounts and not have to worry about buying a new server.

Instead of your data being accessible just in your office, it is now accessible globally. This is great when you are travelling, however it also means that anyone in the world can also try to access your data in the cloud.

365 does provide the tools to help you protect your data. But this is just part of the problem: you have to enable and use the tools correctly. You need to make sure they are applied to every account. There are still limits (quotas) in place, and you still need to make sure you are not wasting licences, or having more accounts than you require. If an account is compromised, you need a way to find out (and quickly!).

Over time we have developed a reliable tool-kit of configuration and general health checks. We hit three problems, however:

  1. The checks were only good up to the time we ran them.
  2. The checks were time intensive to run.
  3. It can be difficult to maintain a best-practice configuration over time.

CatchBefore was created to make it possible to run regular health checks, and alert on any suspicious activity, or sub-standard configuration. This enables us to deliver levels of protection that would not be feasible with manual health checks. CatchBefore automates hours' worth of checks and reviewing each day, bringing discovered issues to your attention.

Launch timing

Many years ago a number of nation-state actors tried to be reasonably discreet when attempting cyber-attacks. For a number of years western governments have been ringing alarm bells about the risk to business. The frequency of attack attempts is only increasing. Some foreign governments appear to be involved, or at least not doing anything to rein in attacks from their countries.

At the same time many organisations have moved to the cloud, and unfortunately have not taken adequate steps to prevent or detect an intrusion in their 365 tenancy.

CatchBefore is here to help organisations minimise risk, and utilise the fantastic benefits of the cloud with confidence.

Where we are heading

We initially had a short list of checks (under 10) that we wanted to have ready at launch time. Each check is designed to alert on a specific problem. For example, check and alert if an account is missing Multi-Factor Authentication. Another example is to check and alert if an overseas login is detected. We kept on finding additional important items to add to the list, and we have ended up releasing with 29 active checks!

We have plans to continue to add useful checks. Each time we see a problem, it may be the inspiration for another check.
