
Microsoft gives IT more control and visibility into Office 365


To give IT more visibility into and control over Office 365 environments, Microsoft has launched Office 365 Advanced Security Management, a set of advanced security features. This new set of capabilities is powered by Microsoft Cloud App Security and leverages behavioral analytics for threat detection.

Advanced Security Management helps users identify high-risk and abnormal usage as well as security incidents. It helps shape the Office 365 environment through granular controls and security policies, and gives enhanced visibility into Office 365 usage and shadow IT without installing an endpoint agent.

Identifying threat

Advanced Security Management sets up anomaly detection policies that alert on potential breaches in the network. Anomaly detection works by scanning user activities and evaluating their risk against over 70 different indicators, including sign-in failures, administrator activity and inactive accounts. For example, a user can be alerted to impossible travel scenarios, such as when someone signs in to the service to check their mail from New York and then, two minutes later, downloads a document from SharePoint Online in Tokyo.

It also leverages behavioral analytics as part of its anomaly detection to assess potentially risky user behavior. It does this by understanding how users typically interact with Office 365, spotting anomalies and giving the anomalous activity a risk score to help IT decide whether to take further action by incorporating Microsoft’s insights into the threat landscape.

Anomaly detection alert of suspicious administrator activity.
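
The impossible-travel scenario above (a mail sign-in from New York, then a SharePoint Online download from Tokyo two minutes later) can be checked by comparing the great-circle distance between a user's consecutive events with the time between them. This is an added illustration, not Microsoft's implementation; the event tuples, the 1,000 km/h speed ceiling and the 100 km minimum distance are assumptions made for the example.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_KMH = 1000.0  # assumed ceiling: roughly airliner cruising speed
MIN_KM = 100.0    # assumed floor: ignore geolocation jitter within one metro area

# Constructed sample events: (user, ISO timestamp, activity, latitude, longitude)
EVENTS = [
    ("alice", "2016-06-01T09:00:00", "mail sign-in", 40.7128, -74.0060),         # New York
    ("alice", "2016-06-01T09:02:00", "SharePoint download", 35.6762, 139.6503),  # Tokyo
    ("bob", "2016-06-01T08:00:00", "mail sign-in", 51.5074, -0.1278),            # London
    ("bob", "2016-06-01T18:00:00", "mail sign-in", 40.7128, -74.0060),           # New York, 10 h later
    ("carol", "2016-06-01T10:00:00", "mail sign-in", 40.7128, -74.0060),         # New York
    ("carol", "2016-06-01T10:00:00", "file download", 40.7357, -74.1724),        # Newark, same second
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, earlier activity, later activity, km, km/h) for each pair of a
    user's consecutive events whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for user, ts, activity, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), activity, lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])  # compare events in time order
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if km < min_km:
                continue  # too close to distinguish from geolocation error
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            kmh = km / hours if hours > 0 else math.inf  # same-second events far apart
            if kmh > max_kmh:
                alerts.append((user, prev[1], cur[1], round(km), kmh))
    return alerts

if __name__ == "__main__":
    for user, first, second, km, kmh in impossible_travel(EVENTS):
        print(f"{user}: {first} -> {second}, {km} km at {kmh:,.0f} km/h")
```

Only the New York to Tokyo pair is flagged: the London to New York pair is a plausible flight, and the same-second New York and Newark events fall under the minimum distance.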

Activity policy control

Advanced Security Management has the ability to track specific activities. With out-of-the-box templates, IT can easily create policies that flag when someone is downloading an unusually large amount of data, has multiple failed sign-in attempts or signs in from a risky IP address. Policies can also be customized to the environment by using activity filters. IT can look for the location of a user, device type, IP address or if someone is granted admin rights. Alerts can be created to notify an IT lead immediately via email or text message.

After reviewing an alert and investigating a user’s activities, IT may deem that the behavior is risky and want to stop the user from doing anything else. This can be done directly from the alert. Some activities may be deemed so risky that IT may want to immediately suspend the account. To help with this, IT can configure the activity policy so that an account is automatically suspended if that risky activity takes place.

Third party check

Microsoft claims that organizations are in need of a way to monitor the applications users are connecting to Office 365. Users are often unaware of which Office 365 data their third-party applications may have access to. With Advanced Security Management, admins can keep a check on the apps that are connected to Office 365 in their environment, who is using them and the permissions they have. For example, if a user grants a scheduling application access to their Office 365 calendar data, IT will be able to see the details of the connection and revoke that application’s permissions with one click if they deem it a security risk.

Activity policy being created from an out-of-the-box template.

App discovery dashboard

Advanced Security Management provides an app discovery dashboard to visualize an organization’s usage of Office 365 and other productivity cloud services. With the ability to discover about 1,000 applications in categories like collaboration, cloud storage, webmail and others, IT can better determine the extent to which shadow IT is occurring in the organization. Advanced Security Management will also give details about the top apps in each category. For example, organizations can see how much data is being sent to OneDrive for Business, Box, Dropbox and other cloud storage providers. All this can be done by taking the logs from the network devices and uploading them into the interface.

Microsoft claims that the Office 365 Advanced Security Management is included in Office 365 E5 and is also available as an add-on to other Office 365 enterprise plans. With the threat detection and activity policy creation features already rolled out, the company plans to release the ability to view an application’s permissions into Office 365 and the application discovery dashboard by the end of the third quarter of 2016.

Techseen Bureau
The Editorial Team at Techseen consists of reporters and desk editors from around the world and loves to bring to you the best of enterprise technology news from around the world.