Using Security Intelligence to Detect Insider Threats From Cloud-Based Applications

Microsoft Office 365 is popular — very popular. In 2016, Gartner reported that 78 percent of enterprises surveyed used or planned to use Office 365. With access to a range of user activity events from a variety of sources, including Exchange Online, SharePoint Online and Azure Directory, how can Office 365 administrators correlate all this valuable data with other security events across their enterprises?

Applying Security Intelligence to Office 365 Audit Logs

Office 365 provides application program interfaces (APIs) that work in tandem with security intelligence platforms to deduce what’s occurring in your cloud installation and alert you to potential issues. It also includes forensic analysis features and, of course, event logging. However, security information and event management (SIEM) isn’t a core concept for Microsoft, so you’ll need to enlist a dedicated third-party offering such as IBM QRadar for the analytics you need.

The benefit of ingesting Office 365 audit logs into your IBM QRadar security intelligence platform is that you can perform powerful use cases. This integration enables you to:

  • Augment your enterprise’s security compliance posture by including Office 365 events into existing regulatory compliance reports and correlation rules.
  • Detect potential system breaches.
  • Identify possible data leaks.
  • Track user and admin activities for Exchange Online and Sharepoint Online. Activities include file and folder actions such as view, create, edit, upload, delete and download, in addition to file sharing and collaboration.
  • Report on Azure Active Directory authentications by users, and IPs for all of your Microsoft cloud apps such as Skype, Yammer, Exchange Online and others.

Watch the on-demand Webinar: How To Solve the Insider Threat Puzzle

Investigating Insider Threats With UBA

But IBM QRadar doesn’t stop there. In addition to correlating and analyzing cloud-based application logs with security analytics, it can be used within IBM QRadar User Behavior Analytics (UBA) to take user profiling to the next level. This process can help you:

  • Discover risky user behaviors and fraudulent activity.
  • Identify at-risk users, calculate risk scores and place users on a watchlist.
  • Understand the risk profile of the environment and the total of all user scores at a particular time.
  • Drill down into potential threats and gain insights for taking corrective action.

If you don’t think you need UBA as part of your security intelligence infrastructure, consider this: Insider threats account for roughly 60 percent of cyberattacks, many of which leverage phished or otherwise stolen credentials. By cross-referencing a baseline of normal activity, IBM QRadar UBA can alert analysts when anomalous behavior occurs and stop insider threats in their tracks.

To learn more about how QRadar can help you defend your network against insider threats, watch the on-demand webinar, “How To Solve the Insider Threat Puzzle.” You can also download a trial of the UBA app.

Share this Article:
J.O. Leger

Offering Manager for QRadar Integrations, IBM

J.O. Leger is an Offering Manager for IBM QRadar and is an expert in security intelligence, analytics and operations. Since 1996, he has worked in IT as a support consultant, software developer and client technical professional and has been part of the QRadar product team since 2003. J.O. holds a Bachelor of Computer Science degree from the University of New Brunswick.