Here's a post I authored for my company's newsletter after the disclosure of the Storm-0558 breach of US government institutions. Enjoy.
As a leader, are you confident that your teams have the necessary logs to dissect incidents in your cloud landscape?
What you should know: In the aftermath of a breach disclosed by Microsoft earlier this month, the cybersecurity industry has cast an uneasy spotlight on audit and event logging within Microsoft's Azure and M365. The primary concern is that the audit events needed to investigate this kind of intrusion (in this case, the mailbox-access events that showed which emails the attacker read) were not included in standard licensing tiers and were only retained for customers paying for the premium audit tier. Microsoft attributes the extra cost to the volume and retention requirements of delivering these logs, but the practical result was that many victims could not see what had happened in their own tenants.
Microsoft reported that a threat actor had gained access to Exchange Online mailboxes belonging to government organizations, including the State Department. The severity of the breach is analogous to threat actors gaining control over a passport printing machine, capable of issuing passports to a wide spectrum of users, from ordinary citizens to government officials. The threat actor, tracked as Storm-0558 and assessed to be aligned with the interests of the Chinese state, obtained a Microsoft consumer account signing key and used it to forge authentication tokens that were accepted for enterprise accounts. Microsoft identified roughly 25 organizations as targets, among them government agencies such as the State Department.
To Microsoft's credit, they moved quickly to remediate: the compromised signing key was revoked, the token validation flaw that let a consumer key sign enterprise tokens was fixed, and key management and provisioning were hardened. Following pressure from CISA, Microsoft also announced that a wider set of audit logs would be included in the standard licensing tier at no extra cost, with default retention extended from 90 to 180 days (about 6 months). Customers were also notified that they can use Microsoft Purview Audit to search and visualize a range of logs in their environment.
It's worth pondering the comment from Eric Goldstein (CISA's Executive Assistant Director for Cybersecurity): "When organizations are asked to pay more for essential logging, it can result in inadequate visibility during cybersecurity investigations, potentially handing adversaries unsettling levels of success against American entities."
Microsoft could have done a better job of clarifying to customers which logs are provided at no extra cost, and of being forthright about the blind spots customers will have if they lack the licenses that unlock the rest. Presenting Purview Audit as an alternative, when access to the relevant events is itself gated by licensing, is confusing messaging at best.
What you should consider: As leaders, understanding the detailed needs of your security teams should be an ongoing process, not a one-time exercise. It is essential to move past a primarily compliance-oriented view of logging and to ask which telemetry an investigation of a realistic threat would actually require. In this specific example, organizations without the premium audit events had no record of which mailbox items the attacker accessed, and their analysts were seriously hampered in scoping the breach.
Key Takeaway: As CISOs and IT leaders, you should not only gauge whether your organization has the bandwidth and appetite to retain logs for a given duration, but also determine whether those logs are actually being used to improve your security posture. For instance, are your network and proxy logs being fed into Microsoft Defender for Cloud Apps (Cloud Discovery) to detect shadow IT and unsanctioned software usage?