How to capture forensic evidence for Microsoft 365

Source: CISA warns of cyberattacks targeting the US oil and gas infrastructure | CSO Online
Author: unknown
URL: https://www.csoonline.com/article/3979073/how-to-capture-forensic-evidence-for-microsoft-365.html

ONE SENTENCE SUMMARY:

Enterprise endpoint protection is insufficient without robust cloud security measures, including forensic logging, OAuth protection, and resource allocation.

MAIN POINTS:

  1. Endpoint protections alone no longer fully secure enterprise environments.
  2. Attackers now exploit cloud services and OAuth workflows to gain unauthorized access.
  3. Phishing attacks via applications like Signal and WhatsApp target cloud authentication.
  4. OAuth tokens provide attackers extensive access to Microsoft 365, AWS, or Google Workspace.
  5. Cloud resources often lack sufficient monitoring, logging, and forensic capabilities.
  6. Forensic logging in Microsoft 365 requires specific E5 licenses and configurations.
  7. Microsoft Purview Insider Risk Management enables capturing forensic evidence from cloud resources.
  8. Configuring forensic evidence capturing requires specific roles and administrative steps.
  9. Forensic evidence policy settings should include activity types, bandwidth, and offline capturing limits.
  10. Cloud forensic investigations may involve vendor dependencies and additional storage budget requirements.

TAKEAWAYS:

  1. Strengthen cloud security as attackers shift away from traditional endpoint attacks.
  2. Prioritize OAuth security to protect sensitive cloud-based resources.
  3. Ensure appropriate Microsoft licensing and roles are in place for forensic logging.
  4. Clearly define forensic evidence policies, including bandwidth and storage considerations.
  5. Plan for cloud forensic investigations, accounting for vendor cooperation and potential delays.