This interview was orignially published in TAG Cyber’s Second Quarterly 2021.
Microsoft provides the prevailing business productivity suite across the world. Microsoft 365 (formerly Office 365) includes more than 30 different applications to help workers communicate, collaborate, and create.
With such deep business roots, the security of the suite, its applications, and its configurations are a concern for companies wanting to maintain the confidentiality and integrity of the work done on their behalf in M365. Considering Microsoft is also a leading cyber security provider, businesses would be wise to think that M365 has extensive security baked in. And it does. Except it’s nuanced.
Aaron Turner, CEO at Siriux, has his own long history with Microsoft. Turner’s latest venture is helping businesses understand their security posture and exposure from M365. We spoke with Turner about why companies need to pay more attention to what they don’t see in the suite.
TAG Cyber: You’ve worked for, built, and sold many successful security companies over the years. How did you come up with your newest idea, and what problem does Siriux solve?
SIRIUX: A few years ago, I was advising a large insurance company on how best to apply security governance and policy for a migration of 50,000 users to Microsoft 365 within a few weeks. Microsoft’s documentation was lacking, and the staff didn’t know what had been configured. I realized the source of truth was in the software itself, but I didn’t have access to it. If I could have queried the security settings automatically, I could have efficiently identified their true M365 security configuration. Then, while on mandatory lockdown last spring in Luxembourg during the pandemic, I decided to put my research to use and start Siriux. A few months later, after getting permission to relocate my family back to the U.S., I found great technical folks to help polish my ideas and get the Siriux scanning platform ready for testing. Last fall, the M365 ecosystem suffered tremendous security disruptions and Siriux was in the right place at the right time. We were invited to help several Dark Halo victims remediate the vulnerabilities in their tenants and harden them against future attacks. We learned how sophisticated adversaries exploited the complexity of M365’s configuration options and started to hunt for those adversaries through our scanning tools.
TAG Cyber: Why are these settings not more transparent or easy to manage?
SIRIUX: Ease of use often conflicts with security! To be fair, Microsoft has built a complex 2021 SECURITY ANNUAL 5 0 TAG CYBER collaboration platform designed for worker productivity and collaboration. In its default state, it is ideal for marketing folks or other business units who don’t have an inherent need to keep information secret. However, most organizations need more customization to effectively protect the identities and data stored in M365’s applications. Some security settings are harder to discover in M365 due to interface limitations more than anything. Most of the highcriticality security settings are only available through either the M365 PowerShell modules or the Graph API. Those don’t have user-friendly interfaces so security personnel must discover and configure them through command-line tools.
TAG Cyber: In your experience, are enterprises, even ones with large security teams, aware of the scope of the problem?
SIRIUX: Microsoft has done an excellent job of building trust with customers. Their Security and Compliance Center provides an excellent starting point to improve security. However, they struggle to educate security teams about the true risks. For example, most IT operations teams synchronize the on-premises Active Directory without fully understanding its potential vulnerabilities. Most organizations we work with don’t restrict which M365 services and applications users can consume. Do they know what Kaizala, Sway, Delve, Power Automate, and others mean to overall cyber risk posture? Maybe not. Siriux helps expose these risks.
TAG Cyber: The media love to make a big deal when Microsoft is compromised, but the reality is that they’re a big target, a big prize. Does this cause a trickledown effect for businesses and how they approach security of their Microsoft deployments?
SIRIUX: Microsoft has always had a huge security target on its back because of market share; attackers go where the victims are. I get a bit defensive when Microsoft is criticized too harshly because I participated in security improvement projects there in the late 90s and early 2000s. Plus, Microsoft has shown the industry how to respond to a global-scale security incident more recently. Their transparency has helped businesses better understand the risks associated with using their technology. Just like Microsoft customers suffer en masse, they also enjoy the benefits of Microsoft’s security investments, which will bear fruit for years to come.
TAG Cyber: The Microsoft Exchange breach in March was a wake-up call to companies with on-prem deployments. But the cloud brings different challenges. Aside from using Siriux, what are the top strategies for protecting cloud deployments?
SIRIUX: We get this question a lot. Here’s what I recommend:
- Follow the NSA’s guidance: If you’re an M365 customer, eliminate third-party identity providers; they don’t offer much value for protecting M365. Yes, this can break SSO deployments, but the potential for badness in the identity provider trust chain is just too great until we see further innovation.
- Eliminate the use of authenticator apps by privileged users. SMS one-time codes, mobile app code generators, and push authenticators are all major attack targets. Smartphonedependent technologies are just one iOS or Android vulnerability away from being cloned. The iOS vulnerabilities fixed in a recent iOS security update were directly related to authenticator compromises observed among global M365 enterprise users.
- Disable any unapproved M365 service to block users from accessing them. Just like any attack surface reduction process, enabling fewer applications will result in near- and long-term security benefits.
- Endpoint security matters now more than ever. A strong focus on endpoint hygiene (security update installation as well as EDR) will help in the battle against attackers who are trying to pivot into M365 tenants to persist and exfiltrate data undetected.