How Perch helps you tackle Microsoft 365 log fatigue

Posted: 06/22/2020 | By: Patrick Snyder
Microsoft 365 is a PITA

Establishing and managing Microsoft 365 for an entire organization is a tough task. Your organization’s most critical data, communications, response times, and availability are all dependent upon a working and ready-to-go environment. Taking on the challenges of configuring that environment, along with maintaining security best practices and setting up logging to meet those needs, adds significant complexity and time requirements. Handling misconfigurations, reading extensive documentation, and managing substantial volumes of security alerts just compounds the work needed for a Microsoft 365 environment.

Consider all the different applications and services that create activity and security logs for a team to review:

  • Azure Active Directory authentication
  • Microsoft 365 mail threats
  • Microsoft 365 content such as SharePoint and OneDrive
  • Traditional Microsoft online apps such as Word, Excel, and PowerPoint

However, all those security and audit logs are too important to just ignore. Serious threats to your organization’s health are out there.

Fortunately, Perch has integrated Microsoft 365 security monitoring into our platform to manage the onslaught of Security and Compliance Center content generated by every organization. Our team of analysts and security experts are actively reviewing these logs and alerts to identify and respond to threats. We also provide recommendations and guidance along the way.

We’ll outline the different ways Perch combats Microsoft 365 log fatigue and the innovative methods of visualization and alerting on any portion of the M365 raw logs you’ve integrated.

[Figure: shared responsibility model]

Threats in Microsoft 365: Are you seeing them clearly?

Microsoft 365 provides a high-quality, managed ecosystem for your organization to use. Included in this are state-of-the-art security features and analytics that monitor for threats and notify you of potential issues.

However, according to the shared responsibility model above, someone still needs to review these identified issues, search for the ones that slip through Microsoft’s fingers, and provide an appropriate response. Reviewing and securing the authentication into your environment, what applications are allowed for whom and when, what data should and should not be accessible, and ensuring users operate safely within their email content all fall on the organization.

Perch forwards all Microsoft 365 data and logging from the Microsoft Security and Compliance Center and Graph API into our platform. This enables us to build on top of the existing security and alerting infrastructure in place by Microsoft.

The prevalence of cloud services has continued to grow, and Microsoft 365 has become a central component for small businesses and large enterprises alike. What was once recorded and investigated on-premises – Exchange, file sharing, login tracking, and administration activity throughout the suite – is now carried out on Microsoft's hosted infrastructure in "the cloud."

For Perch, that means any security event that could arise from the M365 suite should be logged, visible, and turned into actionable communication.

Perch integration with Microsoft 365 empowers users with enhanced capabilities for viewing, sorting, and alerting on the abundant wealth of information generated from your organization in M365. Our platform provides functionality and support around all these options and does so with powerful technology and the experts who crafted it.

Here are 3 big things to consider when evaluating how to manage and secure your Microsoft 365 ecosystem:

1. Does the Security Information and Event Management (SIEM) integrate a “total” view of what is happening in Microsoft 365? Does it connect with the rest of the applications, services, and tools that my organization uses?

2. What’s the current quality level and expected innovation offered with the SIEM?

3. Is the expertise to review and respond to threats on you, or does the SIEM provider help as well?


Totality — A complete look

In an ideal world, your SIEM platform would seamlessly integrate all the tools, products, services, and generally anything that creates an event or log into a single place. This eases the burden on analysts, improves response times for critical issues, and keeps all the data relevant to a threat in one place. Feeding Microsoft 365 logs into Perch's SIEM offers additional benefits on top of the existing Microsoft Security and Compliance Center:

  • Depth — Every event, audit log, and security log from Microsoft 365 is automatically parsed and can be searched, sorted, and filtered in powerful ways.
  • Full View — Microsoft 365 log records can be shown alongside logs from host machines, network devices, and firewalls to see the "big picture" around an event.
  • Visibility — Deep-dive through tricky logs yourself to resolve events and false positives, without having to call a support team.
  • Assistance — Perch's security analysts and Microsoft experts actively monitor and review what happens in your environment, respond to the issues identified by Microsoft, and hunt for threats that may have been missed.

Innovation — Visualizing data

A modern SIEM should offer two aspects of visual content: a large pool of high-quality, existing visualizations to immediately start realizing value, and a content development team that is actively updating and creating new content.

Perch's product and team offer both, and also give users the ability to create these content objects on their own. Objects can be created around specific security issues or events and saved for future review, visualization, reporting, and alerting. They act as persistent "searches" through your collected log data that can be narrowed to any piece of information in your organization's logs.

Customizable reports can then be built from these search objects to present your log data in ways that make sense to you and help solve problems:

Visualize — Starting from a specific query against your log data, build a visualization object that shows an analytical view of the results, to aid comprehension and give the "bigger picture" behind what the query is looking for.
Examples: Bar Chart, Pie Chart, Line Graph, Heat Index Map, Threshold Gauge

Dashboard — A collection of visualizations, customizable for in-app exploration, printing, and scheduled delivery, that serves as a report-style overview of any area you want to examine.
Examples in Perch: M365 Logins, M365 Email, SharePoint, OneDrive.


Event Notifications — Unique, self-made alerts (also based on querying) with the ability to add scheduled searching, throttling, trigger mechanisms, default data, and more.
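To make the scheduled-search, trigger, and throttling ideas concrete, here is an added example in Python. It is not Perch's code or query language; it implements the same shape of notification on its own: a saved search over Azure AD sign-in audit records, a trigger threshold, and a throttle so the same condition does not re-alert within the throttle period. The records are constructed for the example, with field names modelled on the Office 365 Management Activity API common schema (`Workload`, `Operation`, `UserId`, `ClientIP`, `ResultStatus`, `CreationTime`); the threshold, window, and throttle values are illustrative choices.

```python
"""Scheduled-search alert with threshold and throttling over M365 audit records.

Added example, not Perch's code. Records are constructed to follow the field
names of the Office 365 Management Activity API common schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _record(minute, operation, user, ip, status):
    """Build one constructed Azure AD sign-in audit record (RecordType 15)."""
    return {
        "CreationTime": f"2020-06-22T14:{minute:02d}:00",
        "RecordType": 15,
        "Workload": "AzureActiveDirectory",
        "Operation": operation,
        "UserId": user,
        "ClientIP": ip,
        "ResultStatus": status,
    }


# Constructed payload: six failures for alice from one IP inside 12 minutes, a
# later success from the same IP, one failure for bob, one normal login for carol.
SAMPLE_RECORDS = json.dumps(
    [_record(m, "UserLoginFailed", "alice@example.com", "203.0.113.7", "Failed")
     for m in range(0, 12, 2)]
    + [_record(13, "UserLoggedIn", "alice@example.com", "203.0.113.7", "Success"),
       _record(5, "UserLoginFailed", "bob@example.com", "198.51.100.4", "Failed"),
       _record(30, "UserLoggedIn", "carol@example.com", "192.0.2.9", "Success")]
)

# "Now" for the scheduled run; fixed so the example is deterministic.
NOW = datetime(2020, 6, 22, 14, 15, tzinfo=timezone.utc)


def parse_records(raw_json):
    """Parse an API payload and attach a timezone-aware datetime to each record."""
    records = []
    for r in json.loads(raw_json):
        r = dict(r)
        r["_ts"] = datetime.fromisoformat(r["CreationTime"]).replace(tzinfo=timezone.utc)
        records.append(r)
    return records


def failed_login_bursts(records, now, window=timedelta(minutes=30), threshold=5):
    """The saved search: users with at least `threshold` failed Azure AD logins
    inside the last `window`. Returns {user: (count, sorted unique client IPs)}."""
    since = now - window
    ips_by_user = defaultdict(list)
    for r in records:
        if (r["Workload"] == "AzureActiveDirectory"
                and r["Operation"] == "UserLoginFailed"
                and since <= r["_ts"] <= now):
            ips_by_user[r["UserId"]].append(r["ClientIP"])
    return {user: (len(ips), sorted(set(ips)))
            for user, ips in ips_by_user.items() if len(ips) >= threshold}


class EventNotification:
    """Runs a search on a schedule and emits one alert per key, suppressing
    repeats for the same key until `throttle` has elapsed."""

    def __init__(self, search, throttle=timedelta(hours=1)):
        self.search = search
        self.throttle = throttle
        self.last_fired = {}

    def run(self, records, now):
        alerts = []
        for key, (count, ips) in self.search(records, now).items():
            last = self.last_fired.get(key)
            if last is not None and now - last < self.throttle:
                continue  # still inside the throttle period for this user
            self.last_fired[key] = now
            alerts.append({"user": key, "failed_logins": count,
                           "client_ips": ips, "fired_at": now.isoformat()})
        return alerts


def demo():
    """Two scheduled runs ten minutes apart: the second is throttled."""
    records = parse_records(SAMPLE_RECORDS)
    notification = EventNotification(failed_login_bursts)
    first = notification.run(records, NOW)
    second = notification.run(records, NOW + timedelta(minutes=10))
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first run :", first)
    print("second run:", second)
```

Running the script shows the first scheduled run alerting on alice (six failed logins from one address, above the threshold of five) and the second run, ten minutes later, returning nothing: the condition is still true, but the throttle suppresses the repeat. Bob's single failure never reaches the threshold, and the later successful login from the same IP is the kind of context an analyst would want in the alert body.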


Expertise — The know-how

We've now gone through the expert tool (the SIEM) and its expert functional improvements (Perch content); all that's missing is the expert humans to help us use and understand the tool. That's why Perch has employed genuine experts in the following fields to build a platform capable of solving the M365 log issues above:

  • Application development to enhance product capability for creating Perch content.
  • Decision making to incorporate SIEM functionality.
  • API development to properly ingest and parse M365 logs.
  • Research of Microsoft 365 adversarial tactics and techniques to create actionable alerts.
  • Investigation of what logs are seen across several different client environments.
  • Detection signature creation to catch previously seen and unseen threats.
  • Log analysis across several different event types, not just Microsoft 365 logging.
  • Community knowledge to foster knowledge transfer within the Perch community.
  • Managed SOC – the cornerstone human element of support and security expertise for Perch. The US-based Perch SOC works 24/7 to triage every alert you receive, escalate real threats when detected, and support you through the response process.


Perch is here to help

The Microsoft 365 and Azure digital transformation can certainly seem like an immense project that's difficult to navigate. Finding expertise in partners and excellence in modern technology can get you on the right track to securing your business quickly and effectively.

Instead of trying to find your way through Microsoft’s maze of documentation links or spending all your time creating alert policies that should be default anyway, have a conversation with Perch about what we can do to get you the expertise and research you need, as well as the tool to enable your own investigations (which we also help with!).
