Resource: Handling Security Incidents in Office 365

Learn from one of the largest tech companies in the world about how they handle security incidents that occur within Office 365.

Richard Hay, Senior Content Producer

December 14, 2016


There is no doubt that Microsoft has a very large tech footprint and, just by the numbers, is more likely to experience a security breach of some kind over time than smaller companies are.

However, that also means they have a lot of experience dealing with security issues affecting Office 365 users, which makes them a great source for learning how to handle these situations. In addition, they host a lot of customers on Office 365, 85 million as of last month, and that adds to their expertise in managing these types of situations.

That brings me to a resource I recently came across on the Microsoft Download Center - a white paper from Microsoft titled Security Incident Management in Microsoft Office 365.

The eleven-page PDF file (956KB) covers the company's approach to incident management and the response process they use on a regular basis to be ready for an incident and to react to it with a specific plan.

"Microsoft works continuously to provide highly secure, enterprise-grade services for Office 365 customers. This document describes how Microsoft handles security incidents in Office 365. A security incident refers to any unlawful access to customer data stored on Microsoft’s equipment or in Microsoft’s facilities, or unauthorized access to such equipment or facilities that has the potential to result in the loss, disclosure, or alteration of customer data. Microsoft’s goals when responding to security incidents are to protect customer data and the Office 365 services."

That response management process, which follows the National Institute of Standards and Technology (NIST) approach, involves four key phases, and each has its own focus areas and steps.

Preparation

"Refers to the organizational preparation that is needed to be able to respond, including tools, processes, competencies, and readiness."

  • Training

  • Compliance Control

  • Security Development Lifecycle

  • Penetration Testing

  • Wargames (Red and Blue Teams)

Detection & Analysis

"Refers to the activity to detect a security incident in a production environment and to analyze all events to confirm the authenticity of the security incident."

  • Notifications & Alerts

  • Escalations

  • Security Incident

  • Evaluation

Containment, Eradication, Remediation

"Refers to the required and appropriate actions taken to contain the security incident based on the analysis done in the previous phase. Additional analysis may also be necessary in this phase to fully remediate the security incident."

  • Containment and/or Remediation Plan

  • Classify the security incident as requiring either a Microsoft Security Response Center or a Software Security Incident Plan response

  • Contain the incident to prevent further access by the attacker

  • Eliminate the root cause of the incident and remove the attacker from the network

  • Recover services after removing the attacker, and recover data as necessary

  • Notify the affected customer(s)

Post-Incident Activity

"Refers to the post-mortem analysis performed after the remediation of a security incident. The operational actions performed during the process are reviewed to determine if any changes need to be made in the Preparation or Detection & Analysis phases."

  • Post Mortem

  • Document

  • Process Improvement

The document has much more information, including links to a library of materials that customers can use to develop or improve their own processes for handling security incidents.

But wait... there's probably more, so be sure to follow me on Twitter and Google+.

About the Author

Richard Hay

Senior Content Producer, IT Pro Today (Informa Tech)

I served for 29-plus years in the U.S. Navy and retired as a Master Chief Petty Officer in November 2011. My work background in the Navy was telecommunications related, so my hobby of computers fit well with what I did for the Navy. I consider myself a tech geek and enjoy most things in that arena.

My first website – AnotherWin95.com – came online in 1995. Back then I used GeoCities Web Hosting for it and WindowsObserver.com is the result of the work I have done on that site since 1995.

In January 2010 my community contributions were recognized by Microsoft when I received my first Most Valuable Professional (MVP) Award for the Windows Operating System. Since then I have been renewed as a Microsoft MVP each subsequent year since that initial award. I am also a member of the inaugural group of Windows Insider MVPs which began in 2016.

I previously hosted the Observed Tech PODCAST for 10 years and 317 episodes and now host a new podcast called Faith, Tech, and Space. 

I began contributing to Penton Technology websites in January 2015 and in April 2017 I was hired as the Senior Content Producer for Penton Technology which is now Informa Tech. In that role, I contribute to ITPro Today and cover operating systems, enterprise technology, and productivity.

https://twitter.com/winobs
