Resource: Handling Security Incidents in Office 365
Learn from one of the largest tech companies in the world about how they handle security incidents that occur within Office 365.
There is no doubt that Microsoft has a very large tech footprint and, just by the numbers, is more likely to experience a security breach of some kind over time than smaller companies.
However, that also means they have a lot of experience dealing with security issues affecting Office 365 users, and they are therefore a great source for learning how to handle these situations. In addition, they host a lot of customers on Office 365 (85 million as of last month), which adds to their expertise in managing incidents of this kind.
That of course brings me to a resource I recently came across on the Microsoft Download Center: a white paper from Microsoft titled Security Incident Management in Microsoft Office 365.
The eleven page PDF file (956KB) covers the company's approach to incident management, the response process it uses on a regular basis to be ready for an incident, and how it reacts to one with a specific plan.
"Microsoft works continuously to provide highly secure, enterprise-grade services for Office 365 customers. This document describes how Microsoft handles security incidents in Office 365. A security incident refers to any unlawful access to customer data stored on Microsoft’s equipment or in Microsoft’s facilities, or unauthorized access to such equipment or facilities that has the potential to result in the loss, disclosure, or alteration of customer data. Microsoft’s goals when responding to security incidents are to protect customer data and the Office 365 services."
That response management process follows the National Institute of Standards and Technology approach (the four-phase incident handling lifecycle from NIST SP 800-61) and involves four key phases, each with its own focus areas and steps.
Preparation
"Refers to the organizational preparation that is needed to be able to respond, including tools, processes, competencies, and readiness."
Training
Compliance Control
Security Development Lifecycle
Penetration Testing
Wargames (Red and Blue Teams)
Detection & Analysis
"Refers to the activity to detect a security incident in a production environment and to analyze all events to confirm the authenticity of the security incident."
Notifications & Alerts
Escalations
Security Incident
Evaluation
Containment, Eradication, Remediation
"Refers to the required and appropriate actions taken to contain the security incident based on the analysis done in the previous phase. Additional analysis may also be necessary in this phase to fully remediate the security incident."
Containment and/or Remediation Plan
Classify the security incident as requiring either a Microsoft Security Response Center response or a Software Security Incident Plan response
Contain the incident to prevent further access by the attacker
Eliminate the root cause of the incident and remove the attacker from the network
Recover services after removing the attacker, and recover data as necessary
Notify affected customer(s)
Post-Incident Activity
"Refers to the post-mortem analysis performed after the remediation of a security incident. The operational actions performed during the process are reviewed to determine if any changes need to be made in the Preparation or Detection & Analysis phases."
Post Mortem
Document
Process Improvement
The document has much more information, including links to a library of materials that customers can use for their own process development and improvement relating to security incidents.