Gain enhanced visibility and control with Office 365 Advanced Security Management

Joseph Finney

Jun 22, 2016

Collaboration teamwork concept pointing finger

IT administrators need powerful tools to understand how their network is being used. Microsoft has delivered with the new Office 365 Advanced Security Management tool. Global communication may be easy, but security and management on a global scale is not. Advanced Security Management (ASM) helps it see and truly understand how their resources are being used. From usage reporting to automatic account suspension ASM gives admins the tools they need to keep their company safe.

How does it work?

All companies have a standard for what they would consider ‘typical user behavior’ and consider this behavior safe. This typical behavior becomes a baseline from which to judge what could be malicious activity. The threat detection within ASM will send warnings and can be configured to suspend accounts automatically for strange behavior. Administrators can pick from common policies, or build their own custom policies to flag behavior. Policies are composed of different triggers to deem activity anomalous. These triggers can be: sign-in failures, activity from new IP addresses, activity on accounts previously considered inactive, and more.

Activity Policy and Anomaly Detection Policy

Anomaly detection alert of suspicious administrator activity. – via Microsoft

Policies are grouped into two categories Activity Policy and Anomaly Detection Policy. Activity Policies are simply alerts to important activities such as administrator activity from a new IP address, mass data downloads, new IP used to access corporate data, and more. Alerts can be sent via email or text message depending on their severity. Alerts can be used to understand behavior that is not malicious but also not routine. Activity Policies help admins understand resource misuse not necessarily malicious behavior. Your users could be using data in ways which puts stress on your network when there are better ways to get the job done.

Anomaly Detection Policies are more focused on strange behavior that could signal malicious behavior. For example, this could be a brute force login attempt, or distant geographic logins close together in time. Additionally, Anomaly Detection Policies can be configured to keep an eye on behavior outside your network to better understand the current state of activity. Automatic rules can be set up to suspend accounts depending on their risk score. Each alert is given a score which is calculated using over 70 different metrics.

Activity policy being created from an out-of-the-box template. – via Microsoft

Third-Party App Insights

Advanced Security Management is not limited to user-based access of corporate data. But it can also be extended to understand how third-party services access cooperate data. Administrators can see, evaluate, and revoke access on an app-by-app basis. If they deem any application(s) to be insecure or undesirable. Data access can help people work better with the tools they are comfortable with. However, comfort should not be at the expense of data security.
On top of all these features Microsoft has included the ability to view uploaded network reports on a dashboard. This data rich view helps admins understand network activity such as how much data is being sent to different cloud storage providers. If your company uses OneDrive for Business you would expect lots of traffic to that domain. But maybe some employees are uploading data separately to Dropbox or Box. This tool helps identify behavior like this which could be impairing network health.

Availability

Any E5 subscriber can access the Office 365 Advanced Security Management tool today from the Office 365 security and compliance app. If you are not an E5 subscriber you can add this to your current plan for $3 per user, per month. This tool helps protect data by giving insight and control over behavior and access.