- CISA releases new playbook for government firms and enterprises
- The guidebook addresses expanded cloud logs from Microsoft
- Microsoft expanded its cloud logs after July 2023 Outlook incident
Microsoft has recently expanded logging capabilities for its cloud services, which could mean significant changes for US government organizations.
In July 2023, a Chinese state-sponsored threat actor, found a way to access email accounts belonging to government officials working in the State Department, and the Department of Commerce. The fallout was major, and resulted in Microsoft expanding free logging capabilities for all Purview Audit Standard users, among other changes.
Now, the US Cybersecurity and Infrastructure Security Agency (CISA) has released its guidance, explaining to government agencies and enterprises how to take advantage of the changes.
Navigating expanded logs
The new guidance is a 60-page playbook, so the changes could be quite major.
“These capabilities also allow organizations to monitor and analyze thousands of user and admin operations performed in dozens of Microsoft services and solutions,” CISA said. “These logs provide new telemetry to enhance threat-hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider-risk scenarios.”
The guidance also discusses navigating the expanded logs within Microsoft 365, and using them with both Microsoft Sentinel, and Splunk Security Information and Event Management (SIEM) systems.
In July 2023, the Chinese cyber espionage group Storm-0558 exploited a vulnerability in Microsoft’s Outlook email system to gain unauthorized access to email accounts belonging to U.S. government agencies and other organizations. The attackers used a stolen Microsoft security key to forge authentication tokens, bypassing security measures.
As a result, Microsoft was forced to revoke the compromised security key, bolster its token validation systems, and enhance transparency by providing detailed incident reports and security updates to affected customers. Additionally, it faced scrutiny over its cloud security practices and was pressured to improve safeguards to prevent similar breaches in the future.
Microsoft also launched its Secure Future Initiative (SFI) in November 2023, a comprehensive cybersecurity program aimed at enhancing security resilience across its products and services. It invested heavily in advanced threat detection, prevention, and response capabilities.
Via BleepingComputer
