As organizations push data center operations off-premise, cloud services are leading the way. While this trend is ubiquitous across most organizations, the cyber security risks have yet to be fully realized.
Continuing our mission to defend digital health, CI Security has adapted the Managed Detection and Response (MDR) platform to connect to O365 and Salesforce to monitor for security events. CI Security’s connectors utilize native APIs to facilitate user monitoring and identify events such as failed logins, aberrations in user behavior, anomalous activity, and “impossible journeys”.
We sat down with CTO Mike Simon to get the full scoop on the benefits our MDR customers can expect from these new services.
The Cloud and Cyber Security have been “A Tale of Two Trends” on opposite trajectories. What caused this, and why is it a problem?
Cloud technology has been disruptive for all of IT, and in particular, for Information Security. We’ve seen a rush to the cloud. Whether to save money or scale rapidly in a volatile business environment, folks are eager to make the move. A lot of cloud migration projects precede secure design – and that can be a pricey oversight.
Users with poor passwords, determined attackers with control of user workstations, and inside threats with granted access to data can all potentially expose some of the most sensitive data the organization controls. While most teams have a handle on how to monitor this information on internal systems, acquiring and analyzing the required information from most cloud services including O365 and Salesforce is beyond the capabilities of most organizations. Customers additionally recognize that they don’t control the perimeter for cloud service providers, and they are hungry for insight into the security of their cloud environments.
O365 and Salesforce monitoring and alerting are a natural extension of our MDR service, and part of our new service line to provide MDR services for customers of cloud PaaS and IaaS providers.
What prompted CI Security to add these new services?
It started with an interest in the development of the O365 connector – most of our customers use O365, so once Microsoft provided a beta version of the API, we added the connector to our tech stack. It really was an obvious integration, and we jumped on it – it’s easy to implement for our customers, and we’ve done the integration work on our end.
While both services make the raw data regarding logins, failed logins, and data access available for free (in O365 there can be costs at some service levels), most organizations are not equipped to process this information, perform the analysis required, and reduce the volume of incoming data to actionable observations. When integrated with our MDR service, customers are finally able to effectively monitor O365 and Salesforce as key components of their environment.
For our customers using either O365 with or without Salesforce, we’ve seen interest in the way these data feeds can help reduce risk of compromise of confidentiality, integrity and/or availability of their email, leads, or customer data.
Tell us about the InfoSec trends driving the development of these Cloud Connectors.
O365 includes at least 5 of the most popular pieces of software used in business today, including Outlook, Word, Excel, PowerPoint, and SharePoint. Vast amounts of business intellectual property and confidential information is documented in O365-hosted software. The kinds of information stored in O365 and Salesforce creates the potential for organizational risk if threat actors choose to attack a platform which most organizations do not watch with the same level of rigor as they do their on-premise networks.
How do customers get the O365 Connector implemented?
With appropriate licensing from Microsoft, O365 logs can be streamed real-time to our Cloud Connector, ingested and exposed to our suite of analytics, and compared with other data sources. This improves the MDR services we can deliver to our customers and ensures that well-known avenues for network and asset compromise are managed.
Salesforce – why is this Cloud Connector important?
We currently can launch this connector for companies that use both Salesforce and O365. We do not currently support Salesforce for companies without an O365 license.
The reason Salesforce was a critical connection is because this SaaS has been the leader in CRM services for the last decade. Understanding Salesforce usage and how it impacts security programs was a critical factor to rolling this connector out for our customers. Knowing the users of these cloud-based systems may not be technical experts, it is even more important to support this data connection for our customers with Salesforce-enabled teams.
What is the cost of O365 monitoring?
For our existing MDR customers, O365 monitoring can be added for a modest platform fee. Additionally, we are exploring a streamlined, O365-only MDR offering, and any interested organizations can reach out for a quote at email@example.com.
Are there more cloud connections on the roadmap for CI Security?
We have several active programs to monitor cloud-native environments, including AWS and Azure. Our team works closely with organizations to configure MDR for their particular use of cloud or hybrid environments.