Source: CISA warns of cyberattacks targeting the US oil and gas infrastructure | CSO Online Author: unknown URL: https://www.csoonline.com/article/3979073/how-to-capture-forensic-evidence-for-microsoft-365.html
ONE SENTENCE SUMMARY: Endpoint protection alone no longer secures an enterprise; attackers are moving to cloud services and OAuth workflows, so organizations need forensic logging for their cloud tenants, hardening of OAuth consent and tokens, and the licensing, roles and storage budget that cloud forensics requires.
MAIN POINTS:
- Endpoint protections alone no longer fully secure enterprise environments.
- Attackers now target cloud services directly and abuse OAuth consent and authentication workflows to gain unauthorized access without ever touching a managed endpoint.
- Phishing delivered over messaging apps such as Signal and WhatsApp is used to lure users into completing cloud authentication flows on the attacker's behalf.
- An OAuth token obtained this way gives the attacker broad access to Microsoft 365, AWS or Google Workspace resources, and that access does not depend on the victim's password.
- Cloud resources are typically monitored and logged far less thoroughly than endpoints, so investigators often have little forensic evidence to work with.
- Capturing forensic evidence in Microsoft 365 is not on by default: it requires specific E5-level licensing and explicit configuration.
- Microsoft Purview Insider Risk Management provides the forensic evidence feature that captures this evidence from cloud resources.
- Enabling it requires assigning specific Purview roles and completing a sequence of administrative steps.
- A forensic evidence policy should define which activity types are captured, the bandwidth the capture may consume, and limits on capturing while devices are offline.
- Cloud forensic investigations may depend on the vendor for data and cooperation, and the captured evidence needs additional storage budget.
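The points above argue that OAuth consent abuse is a primary way into a tenant and that cloud activity is under-monitored. The following is an added example, not code from the CSO Online article or from Microsoft: it triages "Consent to application." records from the Microsoft 365 unified audit log (the per-record JSON that Search-UnifiedAuditLog returns in AuditData) and flags grants that hand an app high-risk Graph scopes, a refresh token via offline_access, or tenant-wide admin consent. The field names (Operation, UserId, ObjectId, ModifiedProperties with ConsentAction.Permissions and ConsentContext.IsAdminConsent) and the HIGH_RISK_SCOPES list are assumptions to adapt to your tenant, and every sample record is constructed.

```python
"""Triage OAuth consent grants in Microsoft 365 unified audit log records.

Added example, not from the article. The record layout is an assumption based on
the AuditData JSON for "Consent to application." events; the sample log below is
constructed, not real tenant data.
"""
import json
import re
from dataclasses import dataclass, field

# Graph scopes that give an app broad read/write access to mail, files or the
# directory. Assumed list; extend or trim for your tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
}
# offline_access yields a refresh token, so the grant outlives the session and
# survives a password reset until the consent itself is revoked.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class ConsentFinding:
    when: str
    user: str
    app: str
    scopes: list
    admin_consent: bool
    reasons: list = field(default_factory=list)
    severity: str = "low"


def _props(record):
    """Flatten ModifiedProperties into {Name: NewValue}."""
    return {p.get("Name"): str(p.get("NewValue", ""))
            for p in record.get("ModifiedProperties", [])}


def parse_scopes(permissions_value):
    """Extract the space-separated scope list from a ConsentAction.Permissions
    value such as "[[Id: 1, Scope: Mail.Read offline_access, ConsentType: Principal]]"."""
    scopes = set()
    for m in re.finditer(r"Scope:\s*([^,\]]*)", permissions_value):
        scopes.update(m.group(1).split())
    return sorted(scopes)


def triage_consent(record):
    """Return a ConsentFinding for a risky consent record, or None if benign/irrelevant."""
    if record.get("Operation") != "Consent to application.":
        return None
    props = _props(record)
    scopes = parse_scopes(props.get("ConsentAction.Permissions", ""))
    admin = props.get("ConsentContext.IsAdminConsent", "False").lower() == "true"
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + " ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access grants a refresh token (persistence)")
    if admin:
        reasons.append("admin consent applies tenant-wide")
    if not reasons:
        return None
    if risky and (PERSISTENCE_SCOPE in scopes or admin):
        severity = "high"      # broad data access that persists or covers every user
    elif risky or admin:
        severity = "medium"
    else:
        severity = "low"       # persistence only, with narrow scopes
    return ConsentFinding(record.get("CreationTime", ""), record.get("UserId", ""),
                          record.get("ObjectId", ""), scopes, admin, reasons, severity)


def triage_log(lines):
    """Run triage over one-JSON-record-per-line export text; skips blank lines."""
    return [f for f in (triage_consent(json.loads(l)) for l in lines if l.strip()) if f]


# Constructed sample export (assumed field layout), one JSON record per line.
_records = [
    {"CreationTime": "2025-05-05T14:02:11", "Operation": "Consent to application.",
     "UserId": "alice@contoso.example", "ObjectId": "Mailbox Sync Helper",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[[Id: 1, Scope: Mail.ReadWrite offline_access User.Read, ConsentType: Principal]]"}]},
    {"CreationTime": "2025-05-05T14:10:40", "Operation": "Consent to application.",
     "UserId": "bob.admin@contoso.example", "ObjectId": "HR Directory Export",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[[Id: 2, Scope: Directory.Read.All User.Read.All, ConsentType: AllPrincipals]]"}]},
    {"CreationTime": "2025-05-05T14:12:03", "Operation": "Consent to application.",
     "UserId": "carol@contoso.example", "ObjectId": "Team Lunch Poll",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[[Id: 3, Scope: User.Read openid profile, ConsentType: Principal]]"}]},
    {"CreationTime": "2025-05-05T14:15:27", "Operation": "UserLoggedIn",
     "UserId": "carol@contoso.example", "ObjectId": "Unknown"},
    {"CreationTime": "2025-05-05T14:20:55", "Operation": "Consent to application.",
     "UserId": "dave@contoso.example", "ObjectId": "Calendar Widget",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[[Id: 4, Scope: Calendars.Read offline_access]]"}]},
]
SAMPLE_LOG = [json.dumps(r) for r in _records]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.when} {f.user} -> {f.app}: {'; '.join(f.reasons)}")
```

Run against a real export, feed each AuditData JSON string to `triage_log` one per line. A "high" finding is the trigger to revoke the app's consent and refresh tokens for the user, not just to reset the password, since the token is what the attacker holds.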
TAKEAWAYS:
- Strengthen cloud security as attackers shift from traditional endpoint attacks to cloud services and identity workflows.
- Prioritize OAuth security: monitor and restrict application consent, and treat a stolen token as full access to the resources it covers.
- Ensure the Microsoft 365 licensing and Purview roles required for forensic evidence capture are in place before an incident, not during one.
- Define forensic evidence policies explicitly, including which activities are captured, bandwidth caps and the storage the captures will consume.
- Plan cloud forensic investigations ahead of time, accounting for vendor cooperation, storage budget and the delays both can introduce.