Just because you get Office 365 installed and working properly doesn’t mean that it’s automatically secure. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek talk to Brandon Koeller about the Office 365 Secure Score and other best practices for staying secure in the cloud. While the Secure Score can help, they also discuss where the score falls short and how lawyers can address the high-level risks that underlie the key threats within the cloud.
As a principal program manager lead for customer-facing security, Brandon Koeller is responsible for delivering a core set of security capabilities to every Office 365 customer.
Special thanks to our sponsor, PInow.
Securing Office 365: An Ethical Imperative for Lawyers
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 95th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is Securing Office 365: An Ethical Imperative for Lawyers.
Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.
We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: Our guest today is Brandon Koeller, who is responsible for delivering a core set of security capabilities to every Office 365 customer. He runs a team of program managers who are designing the next generation of security assessment and protection experiences in Microsoft 365.
Brandon has worked for more than 20 years in technologies ranging from US Navy submarine weapon systems, to LAMP stack development, to .Net custom application development in dozens of different problem spaces. Security is the hardest problem space he has ever worked on, and also his favorite.
Lastly, and this is according to Brandon, Star Wars is better than Star Trek, although I don’t agree.
Having said that, thanks for being with us Brandon.
Brandon Koeller: My pleasure. Thanks for having me.
Sharon D. Nelson: Well Brandon, let’s start by talking about what Office 365 is, how many flavors of it Microsoft is offering and maybe why I am hearing the words — as opposed to Office 365, I am hearing Microsoft 365 these days. So take all that in any order you want.
Brandon Koeller: Sure. Yeah, thanks for the question. It’s a good one. So Office 365 is a productivity office offering that Microsoft has had in the marketplace for a few years now. It consists of a bunch of different components, including Identity Management, Exchange and messaging features, document storage through SharePoint Online and OneDrive for Business, including Microsoft Teams and Yammer and yadi, yada, yada, a bunch of stuff that’s in that sort of package.
What Microsoft has realized is that, that is great, but that a lot of our customers also buy other services like Windows, and Windows Services, they buy a lot of Azure and so forth. And so Office 365 continues to be in the marketplace. It’s got I would say three basic flavors.
There is a consumer version, so you and your family could have Office 365 to basically run Office on your desktops and so forth. There is a small and mid-sized business version, where you get kind of just the basics; you get basic email, basic document storage, Outlook desktop client and full versions of Office.
And then there is the enterprise version and there is a bunch of different flavors of that and there is a bunch of fancy features often focused on Premium Security value on top of that.
So all that is just Office 365 and Microsoft 365 is an extension of all that to bring everything at Microsoft that’s services oriented into one big offering so that a customer basically buys Microsoft 365 and has everything they need to run their entire IT operations.
John W. Simek: Well Brandon, do you have any sense as to how many lawyers are using Microsoft 365 and what’s driving them there?
Brandon Koeller: So it’s often difficult to categorize organizations by lawyers or not lawyers and Microsoft has surprisingly little information about exactly what all of our customers do as their day-to-day business. I do know that 90% of the Fortune 500 companies are on Office 365 and that 100% of those companies employ lawyers in some form or fashion.
So my sense is that there is a lot of lawyers that are using it, there is a lot of features that are built into Microsoft 365, including data loss prevention, e-discovery, a bunch of compliance features and retention and legal hold and things like that that lawyers are very, very interested in and that are very useable in the Office 365 platform.
Sharon D. Nelson: Yeah, we have been asking the question a lot and we see between 30% and 50% of hands go up when we give CLEs Brandon, so that’s kind of — I think that’s kind of where the small market is to medium market for lawyers, but I can believe that the larger enterprises are — it’s a much higher percentage. But we have certainly seen in the last two years, we have seen law firms drive like crazy to get Office 365.
So let’s move on to Microsoft 365 Secure Score. Please tell us what it is because most lawyers don’t seem to know and they are confused when we tell them that getting Microsoft 365, which they know as Office 365, that getting it installed and working doesn’t necessarily mean that it is installed securely. I know that there are a lot of pieces to that question, but help us underscore for our listeners why just getting it working doesn’t mean it’s installed securely.
Brandon Koeller: Yeah, that’s a good question. So I will take that in two parts. I will first talk about the Microsoft Secure Score and then I will talk about why we sort of designed and built the Secure Score, how Microsoft thinks about the division of labor between organizations that are on our platform and what we kind of do on their behalf.
So the Microsoft Secure Score is a couple of years old and was invented by my team. And the reason why we built the service was because we had a lot of customers telling us that they didn’t understand what security features were available in Office 365 and that they didn’t understand what the value of any given feature was. And so at the time there was a lot of security features for Exchange that would be in the Exchange Administration Console. Security features for Identity would be in the Active Directory Portal and features for Skype for Business would be in the Skype for Business Portal, so it was sort of spread all over the place and customers were like, I don’t know where to go and I don’t know which one is more important than the other. I am not an IT professional. You tell me what I should be doing.
And so we decided to police up all the different security features that a customer had control over and to essentially just do an evaluation and say okay, how effective is this control, this configuration or particular activity, how effective is it at mitigating some specific risk, an attack or targeting you to do any given thing? And then we assigned it points. And the points, there’s a certain amount of subjectivity in them.
So when we say a control is worth 50 points, objectively it might be 49.5 or 51.2 or whatever, but it gets you in a sort of magnitude of this control, this recommendation is twice as valuable as some other control that’s maybe worth 10 points.
So we essentially put all that together and exposed it in a website that customers can go to. We did a lot of explaining in the Secure Score about what it is that we were asking them to do and why we wanted to do it, and every single control has the ability to take the action right then and there.
And when we shipped it to customers, they were delighted that they had a nice clean stack ranked list of all the stuff that they could do and with enough information there to make a decision like this control will make this sort of change and impact these users and I can decide whether that impact is acceptable to me or not. So this balance between security and productivity was an important consideration for most of our customers.
In the past, in the Wayback Machine, customers would do these things. They would run these tools called Baseline Security Analyzers and they would do it fairly infrequently, and what would happen is the Baseline Security Analyzer would come back and say these are the 10 things you must do and these 20 things are moderate value, moderate importance, and these things were low value. And customers would look at that list and they would be like all 10 of the things that you are telling me that I have to do are not possible for me, because my organization has some kind of idiosyncrasy and they were frustrated by that. Like you are telling me I have to do this and I am telling you this doesn’t work for my organization.
So the Secure Score basically denudes the narrative there of any like subjective evaluation, like this is critical, or medium, or high and instead just says look you can either do one thing for 50 points or 5 things for 10 points, same security value. You make the choice about what works for your organization specifically. All right, so that’s the first part of the question, what is a Microsoft Secure Score?
The second part of the question is really about a division of labor. A lot of customers are used to their IT operations being kind of on-prem focus, we call it on-prem, on-premises. They have got a computer that’s in their office and maybe they have got some servers that do some set of things for them and so forth. But over the last five years most productivity services and a huge number of other types of services people have used have moved to the cloud.
And basically what that means is that you, the organization, the customer don’t have any control over the server that’s running in a particular piece of software. You are storing your data in a place where you have no idea where it’s at. The service provider has put it somewhere that makes it super convenient for you, that makes it — it’s usually geographically close to where you are, and they have added a lot of special sauce to make sure that it’s secure so that you don’t have to do any of that stuff. You don’t have to know how to patch servers or install software or configure firewalls or any of that kind of stuff. So in this case, in Office 365’s case, Microsoft does all that for you.
So everything that is super far down the stack, networking, machine hardware, operating systems, configuration core operating systems, all the scanning and patching and antivirus configuration, all of the deployments of new versions of Exchange or SharePoint or whatever, we handle all that, and we do it in a way that’s functionally transparent to the end user. They don’t notice that Exchange, for example, is doing deployments every single day to hundreds of thousands of servers all over the world. You don’t notice it. So that’s all great, most customers sort of get that they don’t have to do that work and they are happy to let Microsoft make sure that that infrastructure is all super secure.
But in the end there are still users out in the world with computers and mobile devices that are connecting to that data, they are authoring that data, they are uploading it to the servers and so forth, and attackers are onto that. They know that it doesn’t matter how good Microsoft is, there is still what we call front door interfaces that users interact with that are vulnerable. And so what the Secure Score does is basically lay out all the things that you the customer, you the organization can do to make sure that the interfaces that your users are interacting with are as secure as they can be.
All right, that was a long answer, I am sorry.
Sharon D. Nelson: No, but it was really good and it was very understandable to listeners, I think, because they do need to understand why Microsoft has one job that it does, but maybe their cybersecurity folks or IT folks also have a job to do on their end and that’s very helpful.
John W. Simek: And that’s a good dovetail to my question Brandon is that who should be using this Secure Score or taking advantage of it? Is it really the IT folks or is it more business-driven? It sounds to me like it’s more business-driven and then their IT support people, the business users, in our case our lawyers, if you will, the partners or whatever should be saying this is the way I want to operate and I want to have this kind of a level of security because I am dealing with all this client confidential data.
Brandon Koeller: So the Secure Score, I think it is being both a very tactical tool that some sort of administrator or operator needs to log on to with some regularity, review and take some sort of action. But the score itself, that sort of top-line number and how it moves in an organization, that is a strategic number, that the organization as a whole, the executives in the organization, key partners or whoever, they should be aware of what that score is saying about their overall security posture and should be looking to hold the organization accountable to improving it.
So when people ask me who is supposed to use the Secure Score, I say tactically your IT administrators, whether they are security specialists or not, those are the people that should be logging into Secure Score and actually taking action.
Now, your end users likely won’t even — like the Secure Score itself, just from a technical perspective, you have to have some kind of an administrative role in the organization in order to log on to it and review the controls and take actions and things like that.
That being said, there’s a bunch of ways you can export data from the Secure Score, specifically to report out about what your organization’s score is, what the trend is, and my sense is that should be shared broadly inside an organization, department heads, everyone in the C Suite, everybody in your organization to be like okay, here is where our Secure Score is today and here’s what we think we can do over the next three months or six months or one year in order to improve our security posture given these constraints, given our budget, given how much time and expertise our IT administration folks have or whatever.
I like to think of it as the Secure Score represents your posture and that’s everybody’s business, but the sausage making of improving that posture is often constrained to your IT administration.
John W. Simek: It’s that getting to good, right?
Brandon Koeller: Yeah, exactly.
Sharon D. Nelson: Yeah, that’s right, get to good. So for a lot of folks, they don’t really understand the key threats that law firms and other organizations might need to be concerned about in the cloud. Can you help them out just a little bit with that?
Brandon Koeller: Yes, the threats are, I don’t want to say they are complicated, they oftentimes are very straightforward, but there’s a fairly long list of them. I try to group them into the way that the security community typically talks about risk is by focusing on the types of attackers that they are being targeted with and those attackers execute something called a kill chain.
A kill chain is a military term used to sort of walk through these are the steps that an enemy will take to achieve some sort of goal. Step one, get your tanks to the front line. Step two, give those tanks giant bullets. Step three, shoot the bullets at the enemies for advance.
And so IT organizations or attackers that are going after organizations have a very similar sort of thing. It usually starts with some sort of identity breach; it’s often considered a toehold. And so protecting your identities is usually a P0, like a Priority 0, you must do that, because with an identity inside of an organization, you can do a huge number of other things. And those things include lateral movement. If you have one user’s account, usually you can tell what other users are in that same organization and target them.
So just as an example, let’s say I send you a spear phishing email and you get suckered by that, you decide you really — you love the Seattle Seahawks, go Hawks, and you want to catch a pass from Russell Wilson, you click the link, you log in, and it redirects you back and you are like oh, that’s weird. But what the hacker has done is stolen your identity and they now use it to login as you. And they look at your global address list and they say oh, look at all these users, I am going to dump that out. And let’s say oh, this guy is a CEO and this guy is the Chief Financial Officer and this person works in accounting and these people all work in IT and these people are administrators and so I am going to go after these five people and send them phishing emails, and very similar thing and they want to catch a pass from Russell Wilson too and so they get suckered in.
Once that happens, usually the attacker is trying to do something called Elevate Privilege. So being a regular user, not that valuable, you can do a certain number of things, you can steal all the data that that one user has, but not necessarily all the data in the organization.
And so usually the toehold identity theft is for any regular _______00:15:48. Attackers very quickly pivot, they move laterally and they look to elevate their privilege. Now, once they have done that, they like to do things like entrench themselves, which is to say find ways to maintain their access to that organization, even though you do things like change the password. So there’s a bunch of techniques that they use there.
They can install malware on your local computer. They can do things like inject mail forwarding rules into your Exchange accounts, so that if somebody sends you an email that says here’s the invoice, can you check that out? The mail forwarding rule will say oh, if you see invoice in the subject line, I want you to forward it to this Yahoo! account, and the attacker who is sitting over there on that Yahoo! account gets that invoice and says, check this out, I am going to change the bank routing number on this invoice and send it on to the final user of that, and then that end user will pay that invoice, not to the person who originally wrote it, but to the attacker, because they will pay to the other bank. That is an example of how that works. Entrenchment is a big thing.
And then data exfiltration is super common. Attackers very often are looking for information, very specific information, especially legal organizations or folks that deal with any kind of intellectual property and they can often be stolen and resold on the black market. They will often look to disrupt your operations by deleting critical data or they will look to do things like data spillage, if you happen to have some protections like data loss prevention or whatever. They will look for data that fits the bill but doesn’t have that protection and they will try to basically get it outside of the normal boundaries.
So I am always a little reticent to do the like here’s all the scary things that attackers can do to you, the list is super long, but in general, the identity theft, the lateral movement, elevation of privilege, data exfiltration, entrenchment, those are high-level risks that every organization needs to be concerned about.
Sharon D. Nelson: I think that was pretty scary, thank you. Thank you, I think.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including distributed denial-of-service mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Securing Office 365: An Ethical Imperative for Lawyers. Our guest today is Brandon Koeller, who is responsible for delivering a core set of security capabilities to every Office 365 customer.
So we certainly have heard a lot about Secure Score, tell us what gaps there might be that lawyers should be aware of in Secure Score.
Brandon Koeller: Yeah, that’s a good question. So I think the Secure Score itself strives very much to show organizations every possible thing that they can do. We consider it a complete inventory. I think lawyers in particular have kind of a unique set of problems that they have to deal with in their day-to-day lives.
Once a Secure Score captures, there are controls in there that sort of explain why you should do them and a lot of it just has to do with data security.
So I think lawyers work with a lot of privileged and confidential information and there’s a bunch of features in Office 365 that help them do that. They include data loss prevention, e-discovery, data classification and categorization and things like our information protection offerings.
And so what those allow you to do is as a lawyer say this information is part of some litigation, needs to be retained and protected. This information needs to be classified in a specific way and some policies applied, like this particular email or this document can never go to anybody outside of my organization as an example. So, data loss prevention will make that possible.
Other things include this particular type of information always must be encrypted or it has to have some sort of data policy applied to it, that it can’t be exposed beyond the set of people that I have specifically granted permissions to see it. So the Secure Score captures all of that.
I think lawyers typically use that in their day-to-day lives. In the conversations I have had, and admittedly I don’t have a ton of lawyer friends, but most organizations that I talk to are often surprised by the breadth of security features that are available and they are often surprised by what we consider to be core security features, so things like multi-factor authentication is something — it’s literally at the very top of the list. We tell every single person to do it and lawyers are often surprised by that, like why would I have to do that, what value does that have?
John W. Simek: Well Brandon, I know that Secure Score can be anywhere from the tens up to the several hundreds and I think you talked a little bit about this earlier about what some of the enterprises are doing, where they focus and how they can balance these things, but if I am a smaller law firm, what kind of scores should we realistically be shooting for?
Brandon Koeller: Yeah, that’s a good question. I get this question a lot from a whole variety of organizations. One of the little bits of genius that I point to in the Secure Score is that it is functionally a game, it’s a gamified experience. The score itself, you can compare it to yourself, but it also includes averages and aggregates for customers that have the same number of people in their organization.
There are aggregates by industry verticals. So if you work in specifically legal services, you can see what the average Secure Score is for other legal organizations. And so people can get some anxiety, like my score is lower than the average or not as high as companies of the same size and so forth, and that was intentional. We wanted people to have some contextualizing information.
All that being said, it doesn’t matter how big of an organization you are, you can basically achieve all the points. That being said, we never encourage customers to try to achieve all of the points. So if you were to turn on every single control, the Office 365 Suite would become very difficult to use.
And so what we want you to do is to make smart intelligent decisions about what tradeoffs you are willing to make and in general, it doesn’t matter that much what your score is, what matters is that you are aware what your score is and that you are constantly working to improve it incrementally over time.
So if your score out of the gate is a 50 out of a possible of 350, first of all, you should feel pretty pumped because the average right now is about 31. You should be looking to take your score from 50 to 55 next month and from 55 to 57 the month after that, 57 to 62 the month after that and so forth. Small incremental change results in much bigger impact over the long term than trying to out of the gate get a score of 250, all of your users revolt, and you end up having to regress all those back anyway.
John W. Simek: I am sure you don’t have any cheat codes, right?
Brandon Koeller: No, no cheat codes for that, at least not yet. We are trying to build some easy buttons in there, but yeah.
Sharon D. Nelson: Can you briefly let our listeners know some of the best practices they might follow to get, be, and stay secure in the cloud?
Brandon Koeller: Yes. So I will highlight four things. First of all, everybody should go look at the Secure Score. It is a great piece of information to get you in the right headspace, contextualize what your particular configuration is and you will get a sense of what all the options are. So use the Secure Score is usually the first best practice that you should go after.
The second thing that I tell everybody to do is to apply a requirement for multi-factor authentication for everyone in an administrative role in your organization. Earlier I was talking about elevation of privilege and attackers targeting administrative roles, once the attacker has an administrative role, they can usually really run roughshod over you. They can do everything that they want to, any user they want inside of your organization. And so making sure those accounts in particular are very, very difficult to breach is the second best practice.
And if you look at the Secure Score, the number one recommendation is to enable MFA for administrators. It’s worth 50 points. The next closest one is like 20 or 30 points, so it’s the best thing you can do.
Third, I would tell everybody to enable auditing for everything. So there is something called the Unified Audit Pipeline and Exchange has a bunch of auditing features and so forth, and what this is, is basically a feature to enable all of the interactions that your users have with the service to be recorded. And what this will do down the road is if you get breached and everyone should assume they will get breached at some point, you will be able to effectively figure out what the bad guy did. So that’s a super key thing.
And the last thing that I would recommend for most organizations is to figure out how to use the native security management features, being able to do detections and investigations in Office 365 or find a third party — there’s two kind of like broad categories, either a SIEM, a Security Information & Event Management platform or CASB, a Cloud App Security Broker.
Microsoft has a CASB called MCAS, Microsoft Cloud App Security and it’s got a bunch of very cool features in it and is crucial that you are actually doing something valuable to detect and be able to effectively respond to any sort of malicious activity. Those are four things I would say.
John W. Simek: Perfect. Well Brandon, you talked about some of this stuff earlier, but some of the common security gaps in all organizations, including law firms, do you want to expand on anything you have already said?
Brandon Koeller: Yeah, I mean I pretty much hit on the top ones there. Even as awesome as the Secure Score is, not nearly enough people go and look at it, so I wish more people used it. I think we would find a lot fewer breaches in The New York Times, being reported in The New York Times that people did.
That Admin MFA thing, our adoption rates are still much lower than we want them to be, although Microsoft is taking significant steps to change those to essentially insert friction in your organizations by making mandatory policies that those are all by default.
The auditing and the MCAS SIEM point is definitely.
Bigger companies, the point at which your organization is large enough where you start hiring security specialists is the point at which most organizations — those are kind of the big gaps. It’s the small and mid-sized companies that they have got the IT guy and the IT guy is the all-things guy and they are often not security specialists, and so using the Secure Score makes those sorts of features just much more accessible to them. It’s like a security education and action platform all sort of rolled into one.
John W. Simek: Well, I am with you for that MFA, we are harping about that all the time.
Sharon D. Nelson: Yes, yes, you are preaching to the choir there, for sure.
We only have just a very brief time left, but I certainly wanted to give you the chance to tell us what Microsoft does to secure lawyers and their data in the cloud.
Brandon Koeller: So I described this division of labor between Microsoft and our organizations. What Microsoft does in the cloud is — like the amount of investment, the number of people, like thousands and thousands of people it is, like tens and hundreds of millions of dollars a year that Microsoft spends to make sure that everything that’s in our cloud is super secure.
If I had 10 hours, I could walk you through all the very complicated systems that we have in place to ensure, for example, that none of our operators have any standing access to anything inside the data center. We have got features where if you call Microsoft and said we want you to like restore this mailbox and the service, it would require your approval, like we would generate a request that would go to you. You would have to say I allow Microsoft to do this particular data access point and only at the point which they approved it would that thing actually happen. So there is a lot of stuff that sort of goes into that, on the service side, on the cloud side.
In terms of what Microsoft does for organizations to help them, Secure Score is a good example of that, although there are many, many other things. We are constantly innovating to add new features, and more importantly, we listen to our customers, we pay attention to how we see them get breached and we use that information to change configuration. So that Admin MFA is a good example.
Today there is a feature, it’s available in preview called Baseline Protection that allows a customer to apply as a policy, everyone in an admin role will be required to use MFA and in the not too distant future, I am hoping basically early next year that feature will be on by default, like customers won’t be able to — they won’t have to opt into it, it will just be on by default. That sort of stuff is crucial for helping organizations get right and protect themselves in the long term.
Sharon D. Nelson: Well, this has been just an extraordinary podcast and there’s been so much great information. I think that after listening to this our listeners will understand Secure Score a whole lot better, and I will bet the point of greatest confusion is still the difference between Office 365 and Microsoft 365, and I don’t think we are going to fix that today.
But Brandon, you are tremendously eloquent, obviously doggone smart, and I think you have helped lawyers come a long way toward understanding that you can’t just install 365 and then just let it go, you have got some ethics rules that demand that you do more than that and Secure Score is where they should be going.
So we thank you so much for joining us today Brandon. It’s been a wonderful discussion.
Brandon Koeller: It’s been my pleasure. Thank you so much for having me.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.