When it comes to Microsoft Office 365, many organizations go through the setup process until they get their software working and then think they are done. Outlook is set up, users can upload to their OneDrive, and a user’s phone even buzzes when they get an email. A job well done, right? Well, I wouldn’t quite say the job is done.
Did You Enable Logging Capabilities?
Something that gets frequently overlooked, or simply gets no attention at all, is the logging capability of Office 365. Of course, nothing would ever happen to the users in your organization, but let’s take a look at what you could learn if something did happen to your users. If you called it a day after email was working and didn’t think to enable some of the additional capabilities of Office 365, the answer might just be NOTHING. Yep, that’s right. If you didn’t take the opportunity to go through and enable Office 365 audit logs via the Security & Compliance Center, you might not be able to see when someone else logged into a user’s account or what IP address they were using. You may not be able to see whether new mail rules you weren’t aware of were created for an inbox. Even if all you need from Office 365 is basic email use, it is always a good idea to enable the Office 365 audit logs.
The good news is that Microsoft is starting to enable this feature by default, but the keyword here is starting. It’s all too common that, when a client asks us to help them recover from a cyber attack, there are no logs available for us to review, all because they didn’t know that they needed to enable logging. This makes it extremely difficult to tell how or when the attack happened. Sure, you may be able to see the sign-in history for a few days, but how often are you able to successfully detect, mitigate, and start the review of a mailbox breach within just a few days? Within one week, that history could be gone, and you have almost nothing to review.
Even more good news, there’s no extra cost! That’s right, there is no additional cost to enable the logging capabilities. There are, however, two different tiers for the logging. For an Office 365 E3 license, the logs are kept for up to 90 days. In order to get a full year of logs, you will need to have an Office 365 E5 license. Microsoft does support the use of a security information and event management (SIEM) solution for their audit logs, so if you’re looking to retain logs for an extended period, that’s always an option as well.
The point is, should an incident occur related to your Office 365 environment, log data will become a critical part of telling the story of what happened, and perhaps more importantly, how to prevent it from happening again. Take this opportunity to check if audit logs are enabled in your Office 365 environment and, if they’re not, enable them now.
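One way to run that check from Exchange Online PowerShell, as an added example that is not from the original post. It assumes the ExchangeOnlineManagement module is installed and the account may read and change the audit configuration; the 30-day review window and the variable names are illustrative choices.

```powershell
# Added example: verify unified audit logging, enable it if needed, then
# list recent inbox-rule changes recorded in the audit log.
Connect-ExchangeOnline   # interactive sign-in

# 1. Check the tenant-wide setting. Run this in Exchange Online PowerShell;
#    Security & Compliance PowerShell always reports False for this property.
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is OFF. Enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Only activity that happens after this point will be recorded.
} else {
    Write-Host 'Unified audit logging is already enabled.'
}

# 2. Pull inbox-rule creations and changes for the review window (assumed: 30 days).
$end     = Get-Date
$start   = $end.AddDays(-30)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'New-InboxRule', 'Set-InboxRule' -ResultSize 5000

# 3. AuditData is a JSON string; unpack the fields a reviewer needs.
$report = foreach ($r in $records) {
    $data   = $r.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    [pscustomobject]@{
        TimeUtc    = $r.CreationDate
        User       = $r.UserIds
        Operation  = $r.Operations
        ClientIP   = $data.ClientIP
        RuleName   = $params['Name']
        ForwardTo  = $params['ForwardTo']
        RedirectTo = $params['RedirectTo']
        DeleteMsg  = $params['DeleteMessage']
    }
}

# Rules that forward, redirect or delete mail deserve a closer look first.
$report | Sort-Object TimeUtc | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

An empty result right after enabling is expected, since there is no history from before the setting was turned on and new events take a while to become searchable.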
Other Best Practices Post-Office 365 Deployment
While you’re enabling those audit logs, it may not be a bad idea to follow a few other best practices as well. Based on our experience with clients, setting up multi-factor authentication and disabling auto-forwarding to external email can help thwart a variety of email-based attacks. Microsoft has a list of their top 10 ways to secure Office 365 and Microsoft 365 Business plans, and I would highly recommend reviewing the suggestions. In this day and age, security can no longer be an afterthought, and the easy process that Microsoft provides to enable these security features makes doing so a no-brainer.
Should you need any assistance reviewing and configuring your Office 365 environment, feel free to reach out to our team at Sikich and we’ll be happy to help.