Watchmen – What can you report on?

Forget the film – the original comic book, by Alan Moore (probably England’s greatest comic book writer), is one of my favourite comics.

So, with that not-so-subtle segue done, what I want to talk about today is the third part of the triple “A”s of security.

For good security you must authenticate (A number one) who has access to your information. Then, once they have proven beyond a doubt who they are, you should authorise (the second A) them to access only the information they are entitled to and no more.

That leaves the third A – accountability. The question is – are people who access your information accountable for what they do? Could you prove to an annoyed client that it was not one of your team that had unauthorised access to their business secrets?

Microsoft considered the three “A”s when designing Microsoft 365 for Business. Skipping over the first two, I want to give you an idea of the report tool in the Compliance and System Centre.

There are a couple of things before you get too excited:

  • It is not the simplest of tools to use – understanding the criteria is sometimes a challenge
  • You need elevated administrator rights to use it – so it is not really a tool for HR to use to see if someone is working – although it could do that job
  • Once the log audit is done there are quite a few steps to go through before you get to evidence
  • And then that evidence needs interpretation

The types of question your security admin can answer for you are:

  • Who accessed the “secret” folder and when?
  • Which files did they look at in the secret folder?
  • Did they copy or synchronise those files?

These are all useful questions when carrying out a compliance investigation.

All activity has the IP address of the person who carried out the action recorded – not really proof of who did it, but if the IP is odd then it is a strong indication of foul play.
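To illustrate the interpretation step, here is an added example (not part of the original article) that turns exported audit records into answers to the three questions above and flags unexpected IP addresses. It assumes each record is the JSON detail of a SharePoint/OneDrive file-activity event; the sample records, users, paths and the "expected" address range are constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample: one audit-detail JSON object per line, shaped like a
# Microsoft 365 audit log export. Users, paths and IPs are invented.
SAMPLE = """
{"CreationTime":"2024-03-04T09:12:07","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"198.51.100.10","SourceRelativeUrl":"Shared Documents/secret","SourceFileName":"pricing.xlsx"}
{"CreationTime":"2024-03-04T09:15:41","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"198.51.100.10","SourceRelativeUrl":"Shared Documents/secret","SourceFileName":"pricing.xlsx"}
{"CreationTime":"2024-03-05T02:47:19","Operation":"FileAccessed","UserId":"bob@example.com","ClientIP":"203.0.113.77","SourceRelativeUrl":"Shared Documents/secret/2024","SourceFileName":"bid.docx"}
{"CreationTime":"2024-03-05T02:48:02","Operation":"FileSyncDownloadedFull","UserId":"bob@example.com","ClientIP":"203.0.113.77","SourceRelativeUrl":"Shared Documents/secret/2024","SourceFileName":"bid.docx"}
{"CreationTime":"2024-03-05T10:01:00","Operation":"FileAccessed","UserId":"carol@example.com","ClientIP":"198.51.100.23","SourceRelativeUrl":"Shared Documents/secretariat","SourceFileName":"rota.xlsx"}
"""
# Assumption: the address ranges you expect staff to connect from.
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
VIEW_OPS = {"FileAccessed", "FilePreviewed"}
COPY_SYNC_OPS = {"FileDownloaded", "FileCopied", "FileSyncDownloadedFull"}

def ip_is_expected(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed address: leave it for review
        return False
    return any(addr in net for net in EXPECTED_NETS)

def folder_report(lines, folder):
    """Per user: when they touched `folder`, which files, copies/syncs, odd IPs."""
    folder = folder.lower().strip("/")
    report = defaultdict(lambda: {"first": None, "last": None, "viewed": set(),
                                  "copied_or_synced": set(), "odd_ips": set()})
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        path = ev.get("SourceRelativeUrl", "").lower().strip("/")
        op = ev.get("Operation")
        # Match the folder itself or a subfolder, not a sibling like "secretariat".
        in_folder = path == folder or path.startswith(folder + "/")
        if not in_folder or op not in VIEW_OPS | COPY_SYNC_OPS:
            continue
        row = report[ev.get("UserId", "unknown")]
        when = ev["CreationTime"]  # ISO 8601 strings sort chronologically
        row["first"] = min(row["first"] or when, when)
        row["last"] = max(row["last"] or when, when)
        kind = "viewed" if op in VIEW_OPS else "copied_or_synced"
        row[kind].add(ev.get("SourceFileName", "?"))
        if not ip_is_expected(ev.get("ClientIP", "")):
            row["odd_ips"].add(ev.get("ClientIP", ""))
    return dict(report)

if __name__ == "__main__":
    print(folder_report(SAMPLE.splitlines(), "Shared Documents/secret"))
```

An address in `odd_ips` is a prompt for follow-up rather than proof of who acted, which matches the caution above about what an IP address can show.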

I have been involved in a number of cyber incident investigations where this reporting tool has been invaluable to explain what happened.

None of the investigations I used the audit tool for were carried out for existing Octagon clients. We are exceptionally discreet when dealing with these tasks, with very few people at Octagon knowing the names of the clients we are working for, and we never name them in our promotional material.

So, if you are using Microsoft 365 for Business and need a compliance or security question answered, I can help you.

Clive Catton MSc (Cyber Security)