Microsoft Succumbs to Demands: Cloud Security Logs Now Accessible to All

Microsoft Bows to Pressure to Free Up Cloud Security Logs

Microsoft has announced plans to expand logging defaults and increase retention periods for threat-hunting data in response to criticism of its M365 licensing structure. The move comes after Chinese hackers used a stolen Azure AD enterprise signing key to break into M365 email inboxes, resulting in the theft of email from approximately 25 organizations. Customers complained that they had no visibility with which to investigate the breach because they were not paying for the high-tier E5/G5 license.

Accessibility of Cloud Security Logs

One of the major issues at the center of the criticism of Microsoft's M365 licensing structure was the limited access to cloud security logs for customers with lower-tier licenses. Microsoft only made detailed forensic data available to customers with higher-tier licenses, essentially charging extra for access to this critical security information during active malware investigations.

This lack of access to cloud security logs left many customers exposed, as they were unable to investigate and respond promptly to potential cyber threats. The recent Chinese APT hack made it evident that the absence of logging for lower-priced M365 licenses hindered organizations' ability to detect and mitigate attacks effectively.

Microsoft's Response: Expanding Logging Defaults and Increasing Retention Periods

In response to the intense pressure and criticism, Microsoft announced that starting in September it will expand logging defaults for lower-tier customers. These customers will receive deeper visibility into security data, including detailed logs of email access, which were previously available only at the Microsoft Purview Audit (Premium) subscription level.

Additionally, Microsoft plans to increase the default forensic data retention period for Audit (Standard) customers from 90 days to 180 days. The longer retention period gives customers a wider window for investigating and analyzing threat-hunting data, which matters because intrusions of this kind are often discovered months after the initial access.

Collaboration with U.S. Government’s Cybersecurity Agency

Microsoft's licensing modifications and accessibility improvements were made in collaboration with the U.S. government's cybersecurity agency, CISA. CISA had issued an advisory during the Chinese APT hack, highlighting the absence of logging for lower-priced M365 licenses as a significant vulnerability. CISA director Jen Easterly welcomed Microsoft's decision and emphasized that giving all customers visibility into products is central to adopting Secure by Design principles.

Editorial: The Importance of Cloud Security Logs

The recent incident involving the Chinese APT hack and Microsoft's response shed light on the crucial role that cloud security logs play in detecting, investigating, and mitigating cyber threats. Without access to detailed security logs, organizations are severely limited in their ability to proactively identify and respond to attacks.

Cloud security logs provide critical visibility into user activity, email access, and various other types of log data generated across an enterprise. These logs are invaluable for detecting suspicious behavior, identifying compromised accounts, and gathering evidence for forensic investigations.

Given the increasing sophistication and persistence of cyber threats, it is imperative that organizations have unrestricted access to cloud security logs. Reliable logging and retention mechanisms let organizations monitor their environments continuously, identify anomalies quickly, and respond promptly to potential threats.

Advice: Prioritizing Cloud Security and Access to Logs

Organizations should prioritize cloud security and ensure that they have appropriate licenses and configurations in place to access detailed security logs. Microsoft's decision to expand logging defaults and increase retention periods for lower-tier customers is a step in the right direction, but organizations need to look beyond specific licensing structures and take a proactive approach to their overall cloud security.

Here are some key steps organizations should consider:

1. Evaluate Licensing Tiers and Alternatives

Review the licensing tiers offered by cloud service providers, such as Microsoft, and determine which tier provides the necessary visibility and access to security logs. Consider the specific needs and risk profile of your organization to determine if higher-tier licenses are necessary or if there are alternatives that provide similar levels of access to security logs.

2. Implement Robust Logging and Retention Policies

Establish robust logging and retention policies that align with industry best practices and regulatory requirements. Ensure that your organization captures and retains critical security logs, including user activity logs, email access logs, and other relevant log data, and that the retention window is long enough to cover the time between an intrusion and its discovery. Regularly review and update these policies to stay aligned with evolving threats and compliance standards.

3. Leverage Security Information and Event Management (SIEM) Solutions

Consider implementing Security Information and Event Management (SIEM) solutions that enable real-time monitoring, analysis, and correlation of security events and logs from various sources within your cloud environment. SIEM solutions can help detect and respond to potential threats by aggregating and analyzing logs from different systems and alerting security teams to suspicious activities.
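The two practical questions raised above, whether the retention window still covers an incident that was discovered late (step 2) and how mailbox-access logs can be correlated to surface unusual activity (step 3), can both be shown on sample data. The following Python is an added example written for this article, not Microsoft's code or an official schema: the records are constructed, the field names are a simplified, assumed form of Microsoft 365 audit records, and `MailItemsAccessed` is the Exchange mailbox-access operation the expanded defaults are meant to expose. The detector builds a per-user baseline of (client IP, client string) pairs from an earlier period and flags later mailbox access from a source that user has never used before; the retention check compares the 90-day and 180-day defaults cited in the article against an incident-to-discovery gap.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in a simplified, assumed shape of the
# Microsoft 365 audit log. MailItemsAccessed is the mailbox-access operation;
# UserLoggedIn is included to show that unrelated operations are ignored.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-06-01T08:12:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ClientInfoString": "Client=OWA"},
    {"CreationTime": "2023-06-03T09:40:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ClientInfoString": "Client=OWA"},
    {"CreationTime": "2023-06-02T10:05:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.5", "ClientInfoString": "Client=Outlook"},
    {"CreationTime": "2023-06-12T14:20:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "192.0.2.77", "ClientInfoString": "Client=REST"},
    {"CreationTime": "2023-06-12T14:21:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIP": "192.0.2.77", "ClientInfoString": "Client=REST"},
    {"CreationTime": "2023-06-13T08:00:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ClientInfoString": "Client=OWA"},
    {"CreationTime": "2023-06-13T08:30:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.5", "ClientInfoString": "Client=Outlook"},
]

RETENTION_DAYS_OLD_DEFAULT = 90   # Audit (Standard) default cited in the article
RETENTION_DAYS_NEW_DEFAULT = 180  # expanded default cited in the article


def parse_time(value):
    """Parse the ISO-8601 CreationTime string used in the sample records."""
    return datetime.fromisoformat(value)


def retention_covers(incident_start, investigation_date, retention_days):
    """True if records written at incident_start are still retained on investigation_date."""
    return investigation_date - incident_start <= timedelta(days=retention_days)


def build_baseline(records, cutoff):
    """Map each user to the (ClientIP, ClientInfoString) pairs seen in mailbox access before cutoff."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["Operation"] != "MailItemsAccessed":
            continue
        if parse_time(rec["CreationTime"]) < cutoff:
            baseline[rec["UserId"]].add((rec["ClientIP"], rec["ClientInfoString"]))
    return baseline


def find_new_access_sources(records, cutoff):
    """Return mailbox-access records at or after cutoff whose (IP, client) pair is new for that user."""
    baseline = build_baseline(records, cutoff)
    flagged = []
    for rec in records:
        if rec["Operation"] != "MailItemsAccessed":
            continue
        if parse_time(rec["CreationTime"]) < cutoff:
            continue
        source = (rec["ClientIP"], rec["ClientInfoString"])
        if source not in baseline.get(rec["UserId"], set()):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    cutoff = parse_time("2023-06-10T00:00:00")
    for rec in find_new_access_sources(SAMPLE_RECORDS, cutoff):
        print("new mailbox access source:", rec["UserId"], rec["ClientIP"], rec["ClientInfoString"])

    # Constructed timeline: access began mid-May, discovered at the start of September.
    incident, discovered = parse_time("2023-05-15T00:00:00"), parse_time("2023-09-01T00:00:00")
    for days in (RETENTION_DAYS_OLD_DEFAULT, RETENTION_DAYS_NEW_DEFAULT):
        print(f"{days}-day retention still covers the incident: {retention_covers(incident, discovered, days)}")
```

On the sample data the only hit is Alice's mailbox being read from 192.0.2.77 over a REST client she had never used, which is exactly the kind of record a customer without email-access logging could not have seen. The retention check shows the difference the new default makes: a 109-day gap between first access and discovery falls outside a 90-day window but inside 180 days. In a real deployment the baseline would be built from a much longer history and combined with sign-in and conditional-access data in the SIEM rather than from a handful of records.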

4. Invest in Threat Intelligence and Incident Response Capabilities

Invest in threat intelligence services and develop robust incident response capabilities. Stay informed about the latest threats, vulnerabilities, and attack techniques through threat intelligence feeds, industry forums, and partnerships. Establish a well-documented incident response plan and conduct regular tabletop exercises to test and refine your organization's ability to respond to security incidents effectively.

5. Foster Collaboration with Cybersecurity Community and Vendors

Collaborate with the cybersecurity community, government agencies, and technology vendors to stay informed about emerging threats and best practices. Engage in open discussions and share insights and experiences to collectively improve cybersecurity defenses. Work with your preferred cloud service providers to provide feedback, express concerns, and advocate for improved accessibility to critical security logs.

Conclusion

Microsoft's decision to expand logging defaults and increase retention periods for lower-tier customers is a positive step towards improving cloud security accessibility. However, organizations must take additional measures to prioritize cloud security, including evaluating licensing tiers, implementing robust logging and retention policies, leveraging SIEM solutions, investing in threat intelligence and incident response capabilities, and fostering collaboration with the cybersecurity community and vendors.

With cyber threats becoming increasingly pervasive and sophisticated, organizations cannot afford to overlook the critical role of cloud security logs in detecting and mitigating potential attacks. By prioritizing cloud security and access to logs, organizations can better protect their digital assets and maintain a proactive security posture.
