Office 365 Security Use Case #4: Detect Compromised Accounts & User Threats

By McAfee Cloud BU on Jan 17, 2018

Other posts in this series:

Use case #1: managing external data sharing

Use case #2: Preventing storage of regulated data in the cloud

Use case #3: Block download of O365 data to personal devices

Under cloud security’s shared responsibility model, Office 365 customers are responsible for the actions their users take within the platform that compromise data. McAfee (formerly Skyhigh Networks) has found that the average enterprise experiences 2.7 such threats in the platform each month. This number includes compromised accounts, insider threats, and privileged user threats.

Insider threats can generate headlines. In a lawsuit Google subsidiary Waymo filed against Uber in February 2017, Waymo alleged that a former Google employee downloaded 14,000 sensitive documents related to self-driving car technology before leaving the company. The former employee subsequently led the self-driving car project at Uber, and Uber’s technology bears a striking resemblance to components developed by Waymo.

Compromised accounts are also a significant threat, as evidenced by two recent discoveries McAfee made. In one instance, McAfee uncovered a targeted brute force attack on high-value Office 365 accounts across 48 customers. In the second, McAfee detected a new botnet attack against Office 365 accounts, dubbed “KnockKnock” because the attackers were attempting to knock on the back door, system accounts, in order to infiltrate entire Office 365 environments.

While both attacks were thwarted in time, a successful account compromise could have devastating impact. This is because enterprises store a significant volume of business-critical data in Office 365.

According to McAfee research, 17.1% of the data stored in OneDrive and SharePoint contains sensitive information. Broken down by type, 9.4% of data is confidential (financial records, source code, etc.), 4.1% contains personally identifiable information (phone numbers, tax ID numbers, etc.), 1.9% contains protected health information (patient diagnoses, medical record IDs, etc.), and 1.7% contains payment information (credit card numbers, bank account numbers, etc.).



Typically, cyber criminals gain access to corporate Office 365 accounts by using stolen credentials gathered through phishing, by trying passwords leaked from other cloud services that employees reuse for Office 365, and by guessing common passwords.

Analyzing stolen passwords for sale on the Darknet, McAfee found that the top 20 most common passwords, which include “123456” and “password”, account for 10.3% of all passwords. Furthermore, research by Joseph Bonneau at the University of Cambridge found that 31% of people reuse passwords across multiple applications. Both trends make it easier for a third party to compromise an Office 365 account.

The Challenge of Detecting Threats in the Cloud

Detecting threats is challenging because, while they are often signaled by anomalous behavior patterns, there is no single threshold that can be applied to all users for all time frames that will accurately detect these threats without also generating many false positives. For instance, it may be unusual for one user to download a series of documents on company financial performance from home on the weekend, while it may be normal for another user to periodically download the most recent of these documents on the last Friday of each month.

Alert fatigue is a serious issue. In a survey of IT security professionals, 31.9% reported that they ignore alerts because so many are false positives. User and entity behavior analytics (UEBA) technology uses machine learning to overcome many of these challenges, and CASBs can make use of this technology to detect threats accurately. UEBA builds per-user models of behavior that can detect the deviations from behavioral norms that signal insider threats, privileged user threats, and compromised accounts.


How McAfee Helps

McAfee accurately detects insider threats, privileged user threats, and compromised accounts leveraging machine learning. Unlike threshold-based solutions that require enterprises to define policies that detect activity outside an arbitrary static threshold, McAfee connects to Office 365 and immediately begins building behavior models based on actual user activity. In doing so, the solution can begin detecting threats automatically without any input from an administrator using an approach known as “unsupervised learning”.

Cloud threats can involve the use of multiple cloud services. McAfee cross-references activity in Office 365 with activity in other cloud services in order to detect threats. For example, a user who logs in to Salesforce from New York City and then five minutes later logs in to OneDrive from London may indicate a compromised account, since it would be impossible to travel that distance in such a short time frame. Downloading a significant amount of corporate data from SharePoint and then uploading the content to an anonymous file sharing service may also indicate an insider threat.

Recognizing that security incidents often involve more than one signal, McAfee leverages a threat funnel that combines multiple anomalous events together into a higher-order threat object before generating an alert. For example, a user who successfully logs in after several failed attempts may not require attention, unless the user is also logging in from a new location and exhibits behavior that deviates from their usual pattern, more strongly indicating account compromise. By focusing IT security analysts on the highest probability incidents, the solution reduces the potential for alert fatigue. Investigators can also view all single-event anomalies.
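The two preceding paragraphs describe cross-service impossible-travel detection and the threat funnel that combines weak signals into a single higher-order finding. The following is an added illustration written for this post, not McAfee code and not a description of how the product is implemented. It runs over a constructed set of login events, scores three signals per successful login (several failures followed by a success, a login from a location outside the user's baseline, and impossible travel computed with the haversine distance against a 1,000 km/h ceiling), and only raises an alert when the combined score crosses a threshold. The weights, threshold, speed ceiling, city coordinates and the `suppressed` whitelist mechanism are all assumptions chosen for the example; every single-event anomaly is still returned for investigators, as the post describes.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry:
# (timestamp, user, service, city, latitude, longitude, outcome)
EVENTS = [
    ("2018-01-17T09:00:00", "alice", "Salesforce", "New York", 40.7128, -74.0060, "success"),
    ("2018-01-17T09:05:00", "alice", "OneDrive",   "London",   51.5074,  -0.1278, "success"),
    ("2018-01-17T10:00:00", "bob",   "OneDrive",   "Chicago",  41.8781, -87.6298, "failure"),
    ("2018-01-17T10:00:30", "bob",   "OneDrive",   "Chicago",  41.8781, -87.6298, "failure"),
    ("2018-01-17T10:01:00", "bob",   "OneDrive",   "Chicago",  41.8781, -87.6298, "failure"),
    ("2018-01-17T10:01:30", "bob",   "OneDrive",   "Chicago",  41.8781, -87.6298, "success"),
    ("2018-01-17T10:30:00", "carol", "SharePoint", "Boston",   42.3601, -71.0589, "success"),
    ("2018-01-17T11:00:00", "carol", "SharePoint", "Lagos",     6.5244,   3.3792, "failure"),
    ("2018-01-17T11:00:20", "carol", "SharePoint", "Lagos",     6.5244,   3.3792, "failure"),
    ("2018-01-17T11:00:40", "carol", "SharePoint", "Lagos",     6.5244,   3.3792, "failure"),
    ("2018-01-17T11:01:00", "carol", "SharePoint", "Lagos",     6.5244,   3.3792, "success"),
]

# Constructed per-user baseline: cities each user normally logs in from.
# Alice travels between New York and London, so London is normal for her.
BASELINE = {"alice": {"New York", "London"}, "bob": {"Chicago"}, "carol": {"Boston"}}

# Assumed tuning values: signal weights, alert threshold and travel-speed ceiling.
WEIGHTS = {"failed_then_success": 1, "new_location": 2, "impossible_travel": 3}
ALERT_THRESHOLD = 3
MAX_SPEED_KMH = 1000.0
MIN_FAILURES = 3


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (mean Earth radius)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def analyze(events, baseline, suppressed=frozenset()):
    """Score each successful login and funnel signals per user.

    suppressed: set of (user, signal) pairs an analyst has whitelisted, e.g.
    an IT admin whose bulk activity is known and expected.
    Returns (findings per user, list of every single-event anomaly).
    """
    events = sorted(events, key=lambda e: e[0])  # ISO timestamps sort lexically
    last_success = {}                             # user -> (time, city, lat, lon)
    consecutive_failures = defaultdict(int)
    anomalies = []
    findings = defaultdict(lambda: {"signals": [], "score": 0, "alert": False})

    for ts, user, service, city, lat, lon, outcome in events:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if outcome != "success":
            consecutive_failures[user] += 1
            continue
        signals = []
        if consecutive_failures[user] >= MIN_FAILURES:
            signals.append("failed_then_success")
        consecutive_failures[user] = 0
        if city not in baseline.get(user, set()):
            signals.append("new_location")
        prev = last_success.get(user)
        if prev and prev[1] != city:
            hours = (t - prev[0]).total_seconds() / 3600.0
            km = haversine_km(prev[2], prev[3], lat, lon)
            # Any cross-service success pair is compared, regardless of service.
            if hours <= 0 or km / hours > MAX_SPEED_KMH:
                signals.append("impossible_travel")
        last_success[user] = (t, city, lat, lon)

        for s in signals:
            if (user, s) in suppressed:
                continue
            anomalies.append((ts, user, service, s))  # kept for investigators
            findings[user]["signals"].append(s)
            findings[user]["score"] += WEIGHTS[s]

    for f in findings.values():
        f["alert"] = f["score"] >= ALERT_THRESHOLD
    return dict(findings), anomalies


if __name__ == "__main__":
    results, single_events = analyze(EVENTS, BASELINE)
    for user, f in results.items():
        print(user, f)
    print(len(single_events), "single-event anomalies recorded")
```

With these inputs, bob's three failures followed by a success from his usual city scores 1 and stays below the alert threshold, but it remains in the single-event list; alice's New York to London jump in five minutes scores 3 on its own; carol's failed attempts, new location and impossible travel combine to 6 and produce the strongest finding. Passing `suppressed={("bob", "failed_then_success")}` removes bob's finding entirely, which is the whitelist behaviour the post describes for an admin doing bulk cleanup.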

While unsupervised learning makes it easy to get started, over time enterprises often want to provide input to fine tune alerts. McAfee delivers three ways for security analysts to provide feedback to models of behavior, known as “supervised learning.” When reviewing incidents, marking an alert as a false positive is incorporated into behavior models.

Analysts can also whitelist specific users or types of events to suppress them. For example, if an IT administrator is tasked with cleaning up dormant accounts and deleting large numbers of them, this activity can be suppressed for the user.

Finally, McAfee supports adjusting sensitivity with a real-time preview of how the adjustment would change the anomalies detected by the system, so security teams can tune the balance between false positives and false negatives.

McAfee offers a comprehensive incident review and remediation interface for all cloud threats and also supports sending threat incidents to a SIEM via syslog.

How it works: Deployment Architecture

The API deployment mode offers the most complete coverage for threat protection use cases. Privileged user threats and administration anomalies are not fully supported by an inline proxy because the context of the user’s permissions is not available to it. Furthermore, when an unauthorized third party connects to Office 365 using compromised login credentials, a forward proxy cannot see this traffic, since it generally originates off the corporate network from an unmanaged device.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.


Categories: Cloud Security
