By Ben Kast   /   Oct 26th, 2023

M365 Security: Leveraging CIS Standards for Optimal Security and Advanced Threat Mitigation

There are many configuration settings within Microsoft 365 (M365) that can greatly improve an organization’s overall security posture. However, these configurations often go overlooked due to lack of awareness, the complexity of the cloud-based services offered within M365, budget constraints, and overconfidence in the default security settings established by Microsoft. In this blog, we’ll review some of the overall M365 security threats and offer advice on how to reduce your organization’s risk.

Protecting Your Organization From Email-based Attacks

We’ve all heard horror stories of what can result from phishing attacks and business email compromise (BEC). Successful phishing attacks and BEC provide a gateway for malicious actors to gain initial access into an organization’s IT environment. (Read our guide to BEC attack tactics and prevention strategies for more information.)

These email attack tactics can result in significant financial and reputational damage to organizations. When phishing and/or BEC results in a data breach, financial losses, introduction of malware or ransomware, monetary extortion, loss of intellectual property, identity theft, or all of the above, the consequences are not only expensive; they can also bring internal staffing challenges, customer and/or partner breaches, compliance consequences, and more.

Beyond top root causes like phishing and BEC, M365 also exposes additional attack vectors that, unless addressed through sound configuration management, leave the environment far from immune to threats. It’s no secret that many organizations use a range of Microsoft’s cloud-based services, so ensuring M365 security and proper configuration is important for your organization’s overall security posture. Let’s dive into the details and our M365 security recommendations.

M365 Security and Configuration Recommendations

At LMG, we believe that the Center for Internet Security (CIS) M365 Foundations benchmarks provide a solid approach to tackling these top security challenges head-on. The CIS benchmarks are a compilation of secure configuration guidelines created through a community consensus process specifically tailored for Microsoft 365.

We recommend that you configure your M365 controls in alignment with the CIS best practices to reduce your organization’s risk. Here’s a recap of the top threats and the corresponding CIS recommended control:

  • Threat: Phishing & Account Compromise. Recommended Control: Use Multi-Factor Authentication (MFA). The most common way attackers access sensitive data is through compromised accounts, often resulting from phishing attacks. Enforcing MFA ensures that even if passwords are intercepted or guessed, malicious actors need an additional verification method to gain access.
  • Threat: Unauthorized Data Access. Recommended Control: Audit Logging & Monitoring. With the specter of insider threats and unauthorized data access, having a robust audit log system is crucial. By enabling unified audit logging and actively monitoring these logs, organizations can detect and respond swiftly to irregularities. Watch our on-demand webinar for more information on how to use proactive monitoring and logging.
  • Threat: Data Breaches & Exfiltration. Recommended Control: Data Protection & Encryption. Protect sensitive data from breaches by using Data Loss Prevention (DLP) policies. Additionally, by encrypting data at rest and in transit, the information remains unreadable even if it falls into the wrong hands.
  • Threat: Business Email Compromise (BEC). Recommended Control: Restrict Mail Forwarding. BEC often involves forwarding emails to external addresses. By disabling automatic mail forwarding to external domains, organizations can prevent potential data loss and unauthorized communications. Additionally, alerting on new forwarding rules is another useful measure.
  • Threat: Malware & Ransomware Attacks. Recommended Control: Secure Endpoints. Infected endpoints can introduce malware into an organization’s M365 environment. Ensure that devices accessing M365 are secure, patched, and have advanced threat protection. Microsoft Defender for Endpoint integrates with M365 and can be leveraged to further reduce risk in this area.
  • Threat: Privilege Escalation. Recommended Control: Privileged Access Management. Attackers often aim to escalate privileges once inside a system. Apply the principle of least privilege and manage access closely in order to thwart such attempts.
  • Threat: Uncontrolled Data Sharing. Recommended Control: Secure SharePoint and OneDrive. Carelessly sharing files can lead to data leaks. Disabling anonymous and external sharing, as well as diligently monitoring permissions, can mitigate this risk.
  • Threat: Social Engineering & User Errors. Recommended Control: Review & Training. Even with configuration best practices in place, human error remains a constant vulnerability. You can reduce the risk of unintentional mishaps by regularly reviewing policies, audit logs, guest and external users’ access, external email forwarding and mailbox forwarding rule alerts, and role assignments; by monitoring shared mailboxes; by setting up alerts for security configuration changes; and by continuously training staff on security awareness through the use of phishing tests.
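The forwarding and audit-logging controls above can be checked and enforced from Exchange Online PowerShell. The script below is an added example, not code from the original post or from LMG; it assumes the ExchangeOnlineManagement module and an Exchange Administrator account, and the Test-ExternalAddress helper and the 7-day audit lookback are my own choices.

```powershell
# Added example (not from the original post): audits Exchange Online for external mail
# forwarding (mailbox settings and inbox rules), lists recent rule-creation audit events,
# then applies the tenant-wide settings that block automatic external forwarding.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Unified audit logging must be on before rule-creation events can be alerted on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is disabled; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Tenant-owned domains let us separate internal forwarding from external (risky) targets.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    # Mailbox forwarding looks like "smtp:user@example.net"; inbox-rule recipients look
    # like '"Name" [SMTP:user@example.net]'. Pull the SMTP address out of either form.
    if ($Address -match '\[SMTP:([^\]]+)\]') { $smtp = $Matches[1] }
    else { $smtp = $Address -replace '^smtp:', '' }
    if ($smtp -notmatch '@') { return $false }   # legacy DN / internal object
    return ($internalDomains -notcontains $smtp.Split('@')[-1])
}

$findings = [System.Collections.Generic.List[object]]::new()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin, or by the user in Outlook settings).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings.Add([pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding'; Target = $mbx.ForwardingSmtpAddress })
    }
    # Inbox rules that forward, forward-as-attachment or redirect to an external recipient.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        foreach ($rcpt in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
            if ($rcpt -and (Test-ExternalAddress "$rcpt")) {
                $findings.Add([pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = "InboxRule:$($rule.Name)"; Target = "$rcpt" })
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Rule-creation events from the last 7 days: the feed a forwarding-rule alert should watch.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

# Hardened settings: block automatic external forwarding tenant-wide.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Run the audit section first and review the findings with the mailbox owners; the two hardening lines at the end are the CIS-aligned state and will stop any legitimate external forwarding as well.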

Maintaining a strong security posture requires a comprehensive, integrated security management approach that covers your M365 environment as part of your overall security program. Your organization should continually review and adjust its configurations, factoring in the evolving threat landscape and changing organizational needs. M365 also provides the Microsoft Secure Score, an automatic, continually updated starting point for a quick, high-level view of how effective your organization’s current M365 security controls are.

While there are many configuration settings within M365 that can greatly improve your organization’s security posture, these M365 security best practices are some of the top control recommendations for minimizing risk and ensuring the confidentiality, integrity, and availability of the IT assets in your M365 environment.

Please contact us if you need help with an M365 configuration assessment or policy recommendations. Our expert team is happy to help!

About the Author

Ben Kast

Ben Kast is a Principal Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).