Underneath Microsoft’s various clouds are a series of graph databases. These allow its various systems to map out links between documents and users, and between identities and authorisations. They’re linking users and PCs, and tracking security incidents and their causes. These various graphs are being exposed to users in many different ways. Office 365 and identity are merged together as the Microsoft Graph, a tool that helps to build a map of both ongoing work and how knowledge is distributed around your organization.
Querying across multiple graphs can provide new insights into networks, showing who is doing what and how they’re doing it. That information can be used to build up a picture of platform security, both on-premises and in the public cloud. Those queries are also an important tool in handling regulatory compliance, providing visibility on who has access to sensitive information and what they are doing with it.
Introducing the Security Graph
Microsoft is starting to turn its graphs into products. Some features of its Security Graph have already been exposed in Azure Active Directory, letting you trap ‘impossible’ logins. By comparing login locations, it’s possible to spot compromised accounts: a login in London less than five hours after a login in New York is unlikely to be Concorde coming out of retirement — instead, it’s most likely to be a cyber-attacker. Accounts exhibiting unusual behaviours like this can be quickly locked out, notifying administrators and triggering breach responses.
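The "impossible travel" check described above can be expressed as a small piece of detection logic: compute the great-circle distance between two successive sign-in locations for the same account, divide by the time between them, and flag any pair that would require an implausible speed. The following is an added example, not code from the article or from Azure Active Directory; the 900 km/h ceiling, the city coordinates and the sample sign-ins are constructed assumptions for illustration.

```python
"""Flag 'impossible travel' between two sign-ins for the same account.

Added example (not from the article or Azure AD). Compares the great-circle
distance between successive sign-in locations with the elapsed time and flags
pairs that would need an implausible speed. Threshold and data are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: faster than any scheduled passenger flight (~900 km/h cruise),
# even before airport and ground time are counted.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(first: SignIn, second: SignIn) -> float:
    """Speed the account holder would need between the two sign-ins.

    Returns 0.0 for the same location (no travel) and inf for simultaneous
    sign-ins from different places.
    """
    distance = haversine_km(first.lat, first.lon, second.lat, second.lon)
    hours = abs((second.when - first.when).total_seconds()) / 3600.0
    if distance < 1e-6:
        return 0.0
    if hours == 0:
        return float("inf")
    return distance / hours


def is_impossible_travel(first, second, max_kmh=MAX_PLAUSIBLE_KMH) -> bool:
    return required_speed_kmh(first, second) > max_kmh


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Scan sign-ins per user in time order; return (earlier, later) pairs
    that should be escalated for review."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    flagged = []
    for user_events in by_user.values():
        for prev, cur in zip(user_events, user_events[1:]):
            if is_impossible_travel(prev, cur, max_kmh):
                flagged.append((prev, cur))
    return flagged


# Constructed sample sign-ins (coordinates are approximate city centres).
NEW_YORK = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
SAMPLE = [
    SignIn("alice", datetime(2019, 5, 1, 9, 0, tzinfo=timezone.utc), *NEW_YORK, "New York"),
    SignIn("alice", datetime(2019, 5, 1, 13, 30, tzinfo=timezone.utc), *LONDON, "London"),  # 4.5 h later
    SignIn("bob", datetime(2019, 5, 1, 8, 0, tzinfo=timezone.utc), *LONDON, "London"),
    SignIn("bob", datetime(2019, 5, 1, 17, 0, tzinfo=timezone.utc), *NEW_YORK, "New York"),  # 9 h later
]

if __name__ == "__main__":
    for a, b in find_impossible_travel(SAMPLE):
        print(f"{a.user}: {a.city} -> {b.city} would need {required_speed_kmh(a, b):.0f} km/h")
```

Only alice's pair is flagged: roughly 5,570 km in 4.5 hours is over 1,200 km/h, while bob's nine-hour gap is a normal flight. In practice the threshold needs headroom for IP geolocation error and VPN egress points, which is why such alerts are a signal to investigate rather than a verdict on their own.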
Another part of the process is a simple set of security scores — a quick way of comparing your operations with Microsoft’s best practices. Integrated into the Microsoft 365 security center, your Secure Score brings in information from Office 365, from Intune, and from Azure Active Directory. Armed with the information in the security center dashboard, you can make informed decisions about what changes are required in your Windows and Office deployments.
While security is one part of the Microsoft 365 platform, compliance is another key feature. New compliance regimes are quickly added to the Microsoft 365 compliance center, so you can check your readiness for GDPR, for ISO 27001, and even the State of California’s new privacy regulations. Because it’s built on graph queries, it’s easy for Microsoft to add support for new regulations as they’re released by national and regional governments.
Using your Office 365 Secure Score
Office 365 administrators get access to a similar portal, as part of its protection service. As well as providing details of your tenant’s Secure Score, there are quick links to support for compliance and governance, as well as other security tools you may want to take advantage of. If you click on your score, you’re taken to another site, where you can drill down into the various metrics Microsoft uses to build your score.
Usefully, Microsoft has put together a list of features you should enable to increase your score. These include ensuring all your users (or at least your admins) are using MFA to reduce the risk of account compromise, enabling self-service password reset, using document protection tools, and turning on Office 365’s data loss prevention tools. By pointing out the changes that can make the most difference, Microsoft is helping you prioritise actions rather than overwhelming you with hundreds of features.
There’s more information in the Score Analyzer, which shows how your score varies over time and compares it to the average Secure Score across all of Microsoft’s Office 365 tenants. Looking at this, it’s clear that not enough administrators are taking advantage of the service, as the current average score is only 37 out of a maximum of 416.
Links from the Score Analyzer take you straight to the appropriate sections of Office 365, its various security tools, and Azure Active Directory. While it doesn’t prescribe settings, it does make suggestions as to the approach you should take. It’s clear that Microsoft is treating security as explicit decisions you need to make, and isn’t automating it. Office 365 security can’t be a one-size-fits-all approach, and you’re going to need to think about how each setting affects your business before clicking ‘Apply’.
From Security Graph to Power BI and beyond
You’re not limited to looking at dashboards: security needs to be an active process, and the Security Graph can generate a lot of useful signals that can help quickly remediate security issues. Microsoft now provides tooling to link its security graph with tools like Power BI and its Flow workflow automation service. By using Power BI as a hub for handling security queries, you can bring in security information from other applications and display your own custom dashboards, mixing historical queries with real-time feeds and machine learning-powered alerts.
Data from your Power BI dashboards can go a lot further, feeding into Flow to generate alerts as and when security incidents occur, or when there’s a change in your score. With support for many different line-of-business and service-management applications, as well as newer chat-based ops tools like Slack and Teams, it’s easy to imagine a Flow that automates generating a ticket and notifying the appropriate member of your SecOps team.
More complex workflows can use the Graph Security connectors that have recently been added to Microsoft 365. These generate triggers based on alerts from the Security Graph, and can be used with both Flow and Logic Apps. You need to be an Azure Active Directory administrator to set up the connector, either pre-registering it through the Azure command line or registering it on first-run.
Once registered, you can use the connector to query the graph for alerts, filtering them appropriately. Alerts can be found by ID, and then passed on to security teams for analysis and response. Tools like Flow and Logic Apps can build a workflow around the security graph, triggering from webhook responses. By building webhooks around OData queries, you’ll be able to pick and choose the alerts and severity levels you want to use to trigger actions.
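To make the alert-query and webhook steps concrete, the following added example (not code from the article, the connector, or Microsoft) shows the pieces a workflow built around the Security Graph needs: an OData `$filter` on `severity` and `status` against the Microsoft Graph v1.0 `/security/alerts` endpoint, lookup of a single alert by ID, client-side severity filtering and paging via `@odata.nextLink`, and validation of an incoming change notification by its `clientState` before acting on it. The endpoint path, the OData options and the notification shape are real Graph conventions; the alert IDs, titles and secret are constructed so the code runs offline.

```python
"""Query Security Graph alerts with OData and validate webhook notifications.

Added example, not code from the article or from Microsoft. Assumes the
Microsoft Graph v1.0 /security/alerts endpoint and its OData query options;
the API responses below are constructed inline so the script runs offline.
"""
import hmac
import json
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Severity scale used by Graph security alerts, lowest to highest.
SEVERITY_RANK = {"unknown": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}


def build_alerts_url(odata_filter: str, top: int = 50) -> str:
    """Build the GET URL for /security/alerts with a URL-encoded $filter."""
    if not 1 <= top <= 1000:
        raise ValueError("$top must be between 1 and 1000")
    return f"{GRAPH_BASE}/security/alerts?$filter={quote(odata_filter)}&$top={top}"


def alert_url(alert_id: str) -> str:
    """Build the GET URL for a single alert looked up by ID."""
    return f"{GRAPH_BASE}/security/alerts/{quote(alert_id, safe='')}"


def select_alerts(page: dict, min_severity: str = "medium") -> list:
    """Return (id, severity, title) for alerts at or above min_severity.

    The severity floor is re-applied client-side: a workflow should not
    assume every alert provider honoured $filter identically.
    """
    floor = SEVERITY_RANK[min_severity]
    chosen = []
    for alert in page.get("value", []):
        sev = alert.get("severity", "unknown")
        if SEVERITY_RANK.get(sev, 0) >= floor:
            chosen.append((alert["id"], sev, alert.get("title", "")))
    return chosen


def next_page(page: dict):
    """Graph pages large result sets; follow @odata.nextLink until absent."""
    return page.get("@odata.nextLink")


def validate_notification(body: str, expected_client_state: str) -> list:
    """Return the alert resource paths from notifications whose clientState
    matches the secret supplied at subscription time; others are dropped."""
    payload = json.loads(body)
    accepted = []
    for item in payload.get("value", []):
        if not hmac.compare_digest(item.get("clientState", ""), expected_client_state):
            continue
        accepted.append(item.get("resource", ""))
    return accepted


# Constructed sample response shaped like a Graph alerts page (IDs are made up).
SAMPLE_PAGE = {
    "@odata.nextLink": GRAPH_BASE + "/security/alerts?$skiptoken=EXAMPLE",
    "value": [
        {"id": "alert-0001", "severity": "high", "title": "Impossible travel", "status": "newAlert"},
        {"id": "alert-0002", "severity": "low", "title": "Mailbox rule created", "status": "newAlert"},
        {"id": "alert-0003", "severity": "medium", "title": "Unfamiliar sign-in", "status": "inProgress"},
    ],
}

# Constructed webhook body: one genuine notification and one with a bad clientState.
SAMPLE_NOTIFICATION = json.dumps({
    "value": [
        {"subscriptionId": "sub-1", "clientState": "s3cret-from-registration",
         "changeType": "updated", "resource": "security/alerts/alert-0001"},
        {"subscriptionId": "sub-1", "clientState": "wrong",
         "changeType": "updated", "resource": "security/alerts/alert-0099"},
    ]
})

if __name__ == "__main__":
    print(build_alerts_url("severity eq 'high' and status eq 'newAlert'"))
    for hit in select_alerts(SAMPLE_PAGE):
        print(hit, "->", alert_url(hit[0]))
    print("next page:", next_page(SAMPLE_PAGE))
    print("accepted:", validate_notification(SAMPLE_NOTIFICATION, "s3cret-from-registration"))
```

The `clientState` check is the part most often skipped in quick Flow or Logic Apps prototypes: without it, anything that can reach the webhook URL can inject fake "alerts" into the ticketing workflow. Authentication to Graph itself (a bearer token from the registered Azure AD application) is outside this snippet and would be added to the request headers.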
Microsoft’s Security Graph is a powerful tool, and it’s good to see it being exposed to more users. By using it to generate a Secure Score, there’s now the opportunity for Office 365 tenant administrators to improve their security and to reduce the risk of critical data leaving their organization. The result should be a safer online world for us all.