The cloud offers many security benefits to
organizations, but also raises new security considerations. It can also add to
existing ones such as shadow IT, the use of software that is not formally
sanctioned by the organization. Office 365 Advanced Security Management,
a new set of capabilities powered by Microsoft Cloud App Security, gives you greater visibility and control over your
Office 365 environment.
Advanced Security Management includes:
- Threat detection - Helps you identify high-risk and abnormal usage, and security
- Enhanced control - Shapes your Office 365 environment leveraging granular controls and security policies.
- Discovery and insights - Get enhanced visibility into your Office 365 usage and shadow IT without installing an end point agent.
Advanced Security Management enables you to
set up anomaly detection policies, so you can be alerted to potential
breaches of your network. Anomaly detection works by scanning user
activities and evaluating their risk against over 70 different indicators,
including sign-in failures, administrator activity and inactive accounts. For
example, you can be alerted to impossible travel scenarios, such as if a user
signs in to the service to check their mail from New York and then two minutes
later is downloading a document from SharePoint Online in Tokyo.
Advanced Security Management also leverages
behavioral analytics as part of its anomaly detection to assess
potentially risky user behavior. It does this by understanding how users
typically interact with Office 365, spotting anomalies and giving the anomalous
activity a risk score to help IT decide whether to take further action.
Advanced Security Management lets you set
up activity policies that can track specific activities. With
out-of-the-box templates, IT can easily create policies that flag when someone
is downloading an unusually large amount of data, has multiple failed sign-in
attempts or signs in from a risky IP address. Policies can also be customized
to your environment. Using activity filters, IT can look for the location of a
user, device type, IP address or if someone is granted admin rights. Alerts can
be created to notify an IT lead immediately via email or text message.
Default activity policy templates that
- Administrative activity from a non-administrative IP address: Alert when an admin user performs an administrative activity from an IP address that is not included in a specific IP range category.
- User logon from a non-categorized IP address: Alert when a user logs on from an IP address that is not included in a specific IP range category.
- Mass download by a single user: Alert when a single user performs more than 30 downloads within 5 minutes.
- Multiple failed user log on attempts to an app: Alert when a single user attempts to log on to a single app, and fails more than 10 times within 5
- Logon from a risky IP address: Alert when a user logs on from a risky IP address to your sanctioned services. The Risky IP category contains, by default, anonymous proxies and TOR exit points.
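
Two of the templates above expressed as detection logic over an activity log, as an added example (not Microsoft's implementation and not code from the original page): a sliding-window check for the mass download rule (more than 30 downloads within 5 minutes) and an IP range check for administrative activity. The event fields, action names, users and IP ranges are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

def mass_download_alerts(events, limit=30, window=timedelta(minutes=5)):
    """Alert once each time a user goes above `limit` downloads inside a sliding `window`."""
    recent = defaultdict(deque)   # user -> timestamps of downloads still inside the window
    over = set()                  # users currently above the limit (suppresses repeat alerts)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "download":
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # drop downloads older than the window
            q.popleft()
        if len(q) <= limit:
            over.discard(ev["user"])
        elif ev["user"] not in over:
            over.add(ev["user"])
            alerts.append((ev["user"], ev["time"]))
    return alerts

def admin_ip_alerts(events, admin_ranges):
    """Return admin activities whose source IP is outside every administrative range."""
    nets = [ipaddress.ip_network(r) for r in admin_ranges]
    return [ev for ev in events
            if ev["action"] == "admin"
            and not any(ipaddress.ip_address(ev["ip"]) in n for n in nets)]

# Constructed sample activity log (users, IPs and timestamps are made up).
T0 = datetime(2017, 1, 10, 9, 0, 0)
SAMPLE = (
    [{"user": "alice", "action": "download", "ip": "198.51.100.7",
      "time": T0 + timedelta(seconds=5 * i)} for i in range(35)]      # burst
    + [{"user": "bob", "action": "download", "ip": "203.0.113.20",
        "time": T0 + timedelta(seconds=20 * i)} for i in range(31)]   # steady
    + [{"user": "carol", "action": "admin", "ip": "203.0.113.10", "time": T0},
       {"user": "carol", "action": "admin", "ip": "198.51.100.7",
        "time": T0 + timedelta(minutes=1)}]
)
ADMIN_RANGES = ["203.0.113.0/24"]   # constructed "administrative" IP range category

if __name__ == "__main__":
    print(mass_download_alerts(SAMPLE))
    print(admin_ip_alerts(SAMPLE, ADMIN_RANGES))
```

The steady user makes the same total number of downloads as the threshold-crossing burst but never has more than 30 inside any 5-minute window, which is why the rule is evaluated over a sliding window instead of a running total.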
After reviewing an alert and investigating
a user’s activities, IT may deem that the behavior is risky and want to stop
the user from doing anything else. This can be done directly from the alert.
Some activities may be deemed so risky that IT may want to immediately suspend
the account. To help with this, IT can configure the activity policy so that an
account is automatically suspended if that risky activity takes place.
Advanced Security Management also shows
which apps are connected to Office 365 in their environment, who is using
them and the permissions they have. For example, if a user grants a scheduling
application access to their Office 365 calendar data, IT will be able to see
the details of the connection and revoke that application’s permissions with
one click if they deem it a security risk.
Discovery and Insights
Advanced Security Management also provides
an app discovery dashboard that allows IT Pros to visualize your
organization’s usage of Office 365 and other productivity cloud services, so
you can maximize investments in IT-approved solutions. With the ability to
discover about 1,000 applications in categories like collaboration, cloud
storage, webmail and others, IT can better determine the extent to which shadow
IT is occurring in your organization. Advanced Security Management will also
give you details about the top apps in each category. For example, you can see
how much data is being sent to OneDrive for Business, Box, Dropbox and other
cloud storage providers.
You can do all this without installing
anything on device end points. To load the data into the dashboard, all you
have to do is take the logs from your network devices and upload them via an
Many organizations allow users to connect
apps to Office 365 without IT intervention to help them be more productive. The
challenge is that it reduces the visibility and control that IT has over what
apps are doing with the data. App Permissions as part of Office 365
Advanced Security Management can help mitigate that risk.
App Permissions provides information to IT
about which applications in their network have access to Office 365 data, what
permissions they have and which users granted these apps access to their Office
Based on this information, IT admins can
choose to approve the app or revoke its access to Office 365. If they choose to
revoke permissions to the app, it will no longer be able to access the
information for any of the users in the Office 365 tenant. App Permissions also
makes it easy for IT admins to notify users who have installed the application
that is going to be banned.
- Office 365: Everything You Wanted to Know - Jan 2017 - Microsoft