© Matthew Katzer 2018
Matthew Katzer, Securing Office 365, https://doi.org/10.1007/978-1-4842-4230-8_6

6. Using Office 365 Compliance Center

Matthew Katzer (Hillsboro, OR, USA)
Office 365 is a suite of software products that Microsoft offers via a software-as-a-service subscription. The goal of the service is to reduce the IT costs of business implementations. The Security & Compliance Center is an admin center that provides security dashboards for the subscription you purchased. A good way to view the Security & Compliance Center is as a data aggregation site for the different security services in Office 365. The driving factors for Office 365 security features are regulatory standards and user feedback. As an example, services are set up to meet the requirements of the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) or the NIST-800-53 compliance standard for government contractors (see the Microsoft Compliance Manager). If you explore the NIST-CSF standard, which is based on the pillars of identify, protect, detect, and respond, you will see a detailed relationship with Office 365 security features. As an example, in Figure 6-1, the four pillars are built into Windows Defender ATP (part of the Microsoft 365 E5 subscription) to remediate attacks.
Figure 6-1. The Windows Defender Advanced Threat Protection services (courtesy of Microsoft)

In previous chapters, we looked at some of the components of the Security & Compliance Center. In this chapter, we will expand our discussion into additional areas, such as alerts, data governance, and threat management. The configuration of the admin center (see Figure 6-2) is based on our subscription, which here is the Microsoft 365 E5 suite. The Security & Compliance Center is your one-stop location where you can review the security logs and configure the services to support your business.
Figure 6-2. Office 365 Security & Compliance Center

In previous chapters, we walked through the different configuration options available in the Security & Compliance Center. Each of those configurations supported a single feature, such as labels or data loss prevention (DLP). We added DLP rules for encrypting e-mail communications and documents. In Chapter 3, we completed a detailed review of Microsoft Secure Score, which gives administrators guidance on the configuration of the security-related capabilities of Office 365 (see Figure 6-3).
Figure 6-3. Microsoft Secure Score from the Compliance Center

The document classification that we set up in Chapter 4 (see Figure 6-4) led to the configuration of the DLP rules. Traditionally, the DLP rules were configured in the Office 365 Exchange admin center and in Azure. Now we configure the rules in the Office 365 Security & Compliance Center. In Figure 6-5, we have a number of DLP rules configured to address HIPAA, the Gramm–Leach–Bliley Act (a 1999 federal act to enhance competition in the financial market), and PII data protection. The Security & Compliance Center also gives an overview of how the rules are being used, both from a policy rule execution viewpoint and from a false match analysis viewpoint (a false match is where the end user overrides the DLP rule).
Figure 6-4. Document classification

Figure 6-5. DLP rules in place for different data loss policies

Compliance is a way of life for any organization that has a digital footprint. I know it seems like a lot of information, but we IT administrators need to fulfill our role as custodians of information and help organizations manage information to ensure it is in compliance with the new data breach and privacy laws, such as the CCPA. Where a data breach is assumed to have happened, it is now up to the IT professional to prove that the breach did not happen.

Note that the CCPA is about presumed breaches. In previous years, any claim for a data breach had to be proven by the person who was damaged. Under the new CCPA regulation (passed June 2018), the cyberbreach damage is assumed, and it is up to the organization to prove that the breach did not happen and the information was not compromised. A task of this magnitude requires the ability to review historical data and the activities of the organization. As an example, Figure 6-6 shows the type of data in an organization that needs to be managed. In addition to this data, historical logs need to be reviewed. This is the purpose of the Security & Compliance Center.
Figure 6-6. Types of content in the organization

In this chapter, we will review the areas that we have not already covered in this book. Specifically, we will look into data governance, defining what it is and how to use it. Our review will cover the threat management systems and how to use the threat dashboard, along with the different activities in mail flow analysis and Exchange Advanced Threat Protection. We will look into data privacy, and finally we will walk through requests for production with eDiscovery in the Search & Investigation Center. The eDiscovery capability allows you to search and compile information to satisfy requests for production (in response to document requests from court-ordered subpoenas). This is where we will investigate user messages and document content for compliance. Let’s begin our investigation into the capabilities of the Security & Compliance Center.

Overview of Office 365 Security & Compliance Center

Security is built from the ground up. When you look at the Microsoft Cloud (in other words, the core Microsoft infrastructure that hosts Office 365, Azure, and other services), you’ll see it meets all current and future compliance and security regulations. When you build a cloud infrastructure with a security mind-set, the applications and services that run on it have the same mind-set. Conversely, if you are building a set of services designed to sell information, then any application built on those services has inherent security flaws built into it, for the simple reason that the core service is to sell information, not to protect it.

Microsoft cloud services are transparent. The service offerings (see Figure 6-7) are based on a model of security and transparency. The data your company places in Office 365 and Azure is your data. Microsoft has a strict policy not to mine or process your data for business purposes. Microsoft’s policy is that the customer owns the data, and if you choose to leave Office 365 for some other service, the data you leave behind will be destroyed within 90–120 days of your subscription termination.
Figure 6-7

There are two parts to compliance in the cloud with Office 365: your business processes in the management of your Office 365 data, and Microsoft’s management of the Office 365 and Azure services. Earlier, we talked about the service trust with Office 365. Microsoft has published the standards that are used to meet its side of the compliance issue on the Microsoft Trust Center (see Figure 6-7). If you are looking for a Health Insurance Portability and Accountability Act (HIPAA) of 1996 business associate agreement certification or want to request a copy of the service audit logs, you can request them directly from Microsoft. Microsoft is transparent in its process on Office 365 and built the service around protecting your company information. This is in contrast to other cloud services that require an intellectual property rights assignment, which allows them to use your information to sell advertising, among other things. The business process starts with your organization and specifically with the business processes that you use to manage Office 365. The best guide for any business to meet its portion of the compliance requirement is to deploy the Compliance Manager from the Service Trust Portal (https://servicetrust.microsoft.com/).

Compliance is a shared responsibility between Microsoft and you. The Service Trust Portal deploys the Compliance Manager (see Figure 6-8), which comes with the standards needed for management already implemented. These include the Service Organization Controls (SOC), International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Federal Risk and Authorization Management Program (FedRAMP), and General Data Protection Regulation (GDPR). Security and compliance are requirements for the organization to manage and for the IT staff to deploy. The IT staff uses the Compliance Manager (see Figure 6-9) to define the organization’s business process for security management. The Compliance Manager will lead you through the audit process and help you define the ownership of the management processes for your organization.
Figure 6-8. Office 365 and Azure Service Trust Portal (https://servicetrust.microsoft.com)

Most organizations do not have a compliance requirement. However, what all organizations can do is deploy the Compliance Manager, set up the necessary process for either NIST 800-35 or NIST-CSF, and see the areas that are lacking controls for a cybersecurity defense. The Compliance Manager helps you to define the necessary processes and controls that your organization needs to follow. The issue many of us have is where to begin on a large task like this. How do we make our organization compliant, and what are the things we need to do to make our business more secure? The steps are easy now: launch the Compliance Manager and start an assessment. Usually NIST 800-53 will get you started. This has many of the requirements that you need to run your organization on a daily basis.
Figure 6-9. Office 365 and Azure Service Compliance Manager

Once you have started the process with the Compliance Manager, the next step is to deploy the various alerts of organization changes that you need to follow to ensure that your organization has the necessary processes in place.

Compliance Settings

When we refer to Office 365 compliance, we are referring to the capabilities of Office 365 data governance to preserve and manage information. Compliance and regulatory settings are the services you enable on the Office 365 site and that meet your business needs or regulatory requirements. As an example, you can group information into three categories: compliance, information review, or business data retention.
  • Compliance (HIPAA as an example)
    • Rights management and the protection of personal information
    • Encryption of personal information sent outside your organization
    • Document classification and encryption
  • Information review (regulatory, such as by the Financial Industry Regulatory Authority [FINRA], or by judicial order)
    • Litigation hold and eDiscovery
    • E-mail review to meet FINRA requirements
  • Business data retention
    • Business processes on the age of data
    • Data management: how to archive, how to delete

In the discussion in this chapter, we will group information into these categories. For example, HIPAA requires you to manage certain types of data in a way that protects the information. To meet HIPAA requirements, you must protect personal information by encrypting it before it is sent outside the organization. HIPAA also requires that the service you are using provides a Business Associate Agreement (BAA) for those services. If you are subject to HIPAA, you need to ensure that you have completed a yearly HIPAA assessment audit to make sure you comply with the regulations. The fines are significant, and the federal government is looking into businesses of all sizes to make sure they comply with the regulation.

Information review typically means that the information is subject to an audit and is immutable—meaning it cannot be changed or deleted by the users or the organization—prior to review. Any type of regulatory review requires that the data is immutable. The most common is litigation. When an organization enters into litigation, all information is frozen at that point in time. We refer to that as a litigation hold. Regulatory reviews such as those by FINRA and the SEC are nothing more than an extension of a litigation hold in conjunction with business process reviews.

Business data retention is nothing more than the business processes used to maintain information, subject to the regulatory requirements. As an example, if the business policy (or user policy) deletes information subject to the retention policy, the information is deleted from the user perspective but may be kept for a very long time subject to the compliance needs of the organization. The user may delete information, but the compliance setting keeps the information in an area where it is immutable and fully searchable and hidden from the user.

The Office 365 administrator has complete control over the configuration of the compliance and retention policies. The administrator can enable these settings, and all actions are auditable. The settings can be changed by using the Security & Compliance Center or by using PowerShell commands. As Microsoft enhances the Office 365 service, these settings will be simplified in an easy-to-use graphical interface. The rest of this chapter discusses these concepts for data governance and provides a step-by-step implementation with examples of data loss protection (compliance), regulatory review (discovery), and business data retention policies.

Best Way to Proceed

The best way to understand the Security & Compliance Center is to look at the Trust Center. After looking at the Trust Center, the next step is to review NIST-CSF, the cybersecurity framework, and to review the NIST-800-35 compliance framework. There is a lot of work to be completed.

Note

There are three sets of logs that you need to collect monthly: the Azure login logs, the Azure sign-in logs (located in Azure Active Directory), and the audit logs located in the Security & Compliance Center. These logs need to be stored in a SharePoint site for future analysis.

The Security & Compliance Center gives you a focal point for the security process in the organization. However, security starts with your IT team. If your IT team lacks the capability to do the necessary work, you need to address this quickly and either fix the internal problem or contract the security services externally. This book was designed to help you determine what you need to do and how you should do it. If you consciously choose not to secure your Office 365 environment, you are the breach. The ownership is with you and your IT team and not your license provider. Let’s continue our journey through the Security & Compliance Center.

Data Governance

Governance has taken on a new meaning in the cloud. The best way to look at governance in the cloud is in the role of cloud custodian. In today’s model, the policies are put in place to manage the business operation, roles, and controls. Once governance is put in place, developers and the operations teams can implement the necessary changes and help drive the business to be more innovative. This is cloud governance in Office 365 and Azure: making sure the right people have access to the right resources and that behavior is governed by a set of rules and policies that is baked into the platform.

The best way to view Microsoft governance is to think of a road with guardrails. As you drive down the road, you are kept from going off-track because the guardrails are there to keep you aligned on the road. The Security & Compliance Center and the governance activity are the guardrails for organization policies. This applies to older resources and new resources. The difference with governance today is that the policies that are deployed are consistent with the policy that is deployed for the organization. The enforcement of governance in Office 365 begins with the Security & Compliance Center and continues through the Compliance Manager and the new Azure Blueprint platform. The goal is to build compliance into the Azure and Office 365 subscriptions that are the base of all activities. The new strategy is to use management groups, which are container groups on top of a subscription (or a resource group). This allows a policy to be deployed at the management group level with full access and control. This is the only way an organization can scale and empower the individuals in the organization to innovate. Governance in the Microsoft Cloud was built into the core of the platform, not added as an afterthought as with the other major cloud providers.

We explored some data governance issues in the previous chapters. Specifically, we deployed labels and DLP. These services were deployed in different administration centers, including the Exchange admin center, Azure Information Protection, and finally with the Security & Compliance Center. All of these services could be deployed from the Security admin center in the Data Governance section, and they apply to all subscriptions in the organization. In Figure 6-10, we have a summary dashboard of the different governance sections that we have deployed. In this example, we have deployed 11 different labels for data, and we have long-term compliance for data retention. The top label that was used is Attorney-Client Privilege.
Figure 6-10. Overview of data governance in the Security & Compliance Center

Data Governance Concepts

Data governance provides a policy-based management service on Office 365 that meets or exceeds regulatory compliance. The policy-based service is applied across subscriptions and aligns with the Azure Policy management process. The data in Office 365 (and the subscription types) is managed and owned by the company. The Office 365 business owners need to look at the business and decide what makes business sense based on the needs of the business. To put this in perspective, when an external entity looks at e-mail storage, it is considered modifiable by the user and therefore noncompliant with certain regulations. A compliant system requires that the e-mail and document storage systems be incapable of being modified; in other words, immutable. The owner of a mailbox must not be able to go in and delete information or documents. These capabilities are options in the Office 365 enterprise plan and are included at no charge in some of the subscription suites (such as the Enterprise E3/E5 subscription).

You are probably familiar with the various CSI and NCIS shows on TV. A key message that these shows highlight lies in the evidentiary collection of information and that there must be a “chain of custody” regarding information collected. Think of data governance in the same context. It is all about chain of custody. Data governance on Office 365 is the same. Information that is under discovery cannot be tampered with, and neither can the record of access to it. Further, access is recorded and auditable for all those who access the information. This is the data governance model of Office 365.

Traditional approaches, such as journaling, record information external to the organization structure and mostly just contain copies of the e-mail communications. This archaic journaling approach does not address the changing landscape of data governance and data management. Journaling does not link data from storage sites and draft documents in an integrated form. An archive is nothing more than another mailbox that is used to store information.

Immutability, audit policy, archive/retention, and data loss prevention are all part of the Office 365 data governance structure. It is designed around chain of custody and the preservation of information. If information is tampered with, then a full audit trail of access, as well as the original information that was modified, is created.

Before we discuss the practical aspects of the configuration of retention policy and eDiscovery, we need to frame the discussion with a definition of each of the four key areas of data governance to put them in perspective. There has been much written about information immutability, and there are many misconceptions as to what this is and how it is managed in Office 365. The definition is simple: data is preserved in its original form, cannot be changed, and is kept in a form that is discoverable.

Recall the discussion of chain of custody. The information that you are accessing and providing for data governance needs cannot be changed, and you must not have the ability to change it. In addition, any access to the information must be fully traceable. If you access information, the information that you extract will not change the underlying information.

The best example is to look at an e-mail that flows in or is created by a user in the cloud (see Figure 6-11). In this case, information that arrives or is in a user mailbox can be changed and modified by the user. This is the normal process that we use in writing an e-mail. An e-mail that is immutable, on the other hand, keeps all parts of the message in a form that can be fully discoverable through searches. When an e-mail message is drafted, all changes and drafts are kept and not deleted. Nothing is purged—all information is fully discoverable.
Figure 6-11. Life of an e-mail message (courtesy of Microsoft)

When we refer to compliance, we are referring to our ability to access communications and documents that are immutable. Retention rules are based on business policies in the management of e-mail communications, specifically what e-mail is visible to the user in the mailbox and what is kept in the archive. For example, you may have a business policy that dictates the movement of e-mail from a user mailbox to an archive if the e-mail is too old or if the user deletes an e-mail. One company has a retention policy of 90 days; after 90 days, a user’s incoming e-mail is moved into the compliance archive. These retention rules move the mail from the user mailbox (or Deleted Items folder) into the archive. These rules can be system level (the user has no control), local level (the user has complete control), or any combination thereof.

A litigation hold is an action that is placed on a mailbox to meet compliance requirements for future discovery and searching. What a litigation hold does is ensure that the data in a user mailbox is immutable. As an example, if the user tries to delete an e-mail, the e-mail is deleted (or purged) from the user’s view, but the litigation hold function blocks the e-mail from being deleted in the system, and it remains fully discoverable by the administrator (or compliance officer).

Note

When data is placed under litigation hold, the data is locked from deletion. Once the litigation hold is lifted, the data will automatically be deleted subject to the retention tags. If your policy is to stop data from deletion, then set up the retention policy to move data to the online archive after deletion.

Referring to Figure 6-11, we see the life of an e-mail in a user’s mailbox. In Figure 6-11, the user only sees the message in steps 1–3. The compliance officer has access to all transactions in steps 1–6. When a discovery action—a search—is executed, all information is displayed in the search request, including the information in the deleted items, purges, and draft folders.

Audit Policy

Companies in the cloud need to know who has access to their company data. The ability to monitor and produce the necessary reports is part of the Office 365 audit capability. Companies need to do the following:
  • Verify that their mailbox data isn’t being accessed by Microsoft

  • Enforce compliance and privacy regulations and access by nonowners

  • Have the ability to determine who has access to data at a given time in a specific mailbox

  • Have the ability to identify unauthorized access to mailbox data by users inside and outside your organization

The ability to monitor the mailbox data is a fundamental part of the Office 365 organization (see Figure 6-12). Once the audit capabilities are enabled (via PowerShell), the audit reports can be generated by the administrator or an individual who has been given this capability.
Figure 6-12. Audit and retention capabilities

The audit reports are displayed in the search results shown in Figure 6-12. However, auditing must first be enabled. To enable the audit reports, select the “Start recording user and admin activities” option. Audit records are kept for only 90 days by default; this can be extended via PowerShell. Typically, I set audit records to be kept for a 12-month period. Each audit report contains the following information:
  • Date of access

  • IP address of the access

  • User who performed the activity

  • Activity performed

  • Detailed description of the item

  • Detailed description of the activity (usually the object’s name such as a file name)

The first step in setting up a compliant organization is to enable the audit capabilities to ensure that you have a complete record of all accesses to user mailbox data by nonowner users. This information is used to supplement future reports.

Note

Earlier we mentioned that the organization needs to have a policy of collecting the primary three logs and archiving them in a SharePoint site for future forensic analysis. This is extremely important. Every month you need to download a copy of the audit logs, the Azure sign-in logs, and the Azure audit logs.
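The following is an added example, not the book's own code, covering the two PowerShell tasks described above: enabling mailbox auditing for the 12-month window instead of the 90-day default, pulling a nonowner access report with the fields the audit report lists, and exporting last month's audit log for the monthly archive. It assumes an Exchange Online PowerShell session is already open (for example via Connect-ExchangeOnline), and the mailbox address and archive folder are constructed placeholders.

```powershell
# Added example (not the book's code). Assumes an Exchange Online PowerShell
# session is open. $ArchiveRoot is a hypothetical local folder that is synced
# to the SharePoint library where the monthly logs are kept.

function Enable-OrgMailboxAuditing {
    param([int]$RetentionDays = 365)   # the 12-month window recommended above

    # Same switch as "Start recording user and admin activities" in the portal
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # Per-mailbox auditing: record admin and delegate (non-owner) actions and
    # keep the records for $RetentionDays instead of the 90-day default
    $nonOwnerActions = "FolderBind", "SendAs", "SendOnBehalf", "SoftDelete", "HardDelete", "Update"
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit $RetentionDays `
                    -AuditAdmin @{Add = $nonOwnerActions} `
                    -AuditDelegate @{Add = $nonOwnerActions}

    # Return the org-level switch so the caller can confirm it took effect
    (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

function Get-NonOwnerMailboxAccess {
    param([string]$Mailbox, [int]$Days = 30)

    # Date, IP, user, activity and item: the columns the audit report provides
    Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin, Delegate `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -ShowDetails -ResultSize 5000 |
        Select-Object LastAccessed, ClientIPAddress, LogonUserDisplayName,
                      Operation, ItemSubject, FolderPathName
}

function Export-LastMonthAuditLog {
    param([string]$ArchiveRoot)

    $end   = (Get-Date -Day 1).Date      # first day of the current month
    $start = $end.AddMonths(-1)          # first day of the previous month
    $tag   = $start.ToString("yyyy-MM")

    # Page through the unified audit log: re-using the SessionId returns the
    # next page on each call and nothing once the result set is exhausted.
    # ReturnLargeSet caps a session at 50,000 records; split the window into
    # weeks for tenants that exceed that.
    $records = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -SessionId "AuditExport-$tag" -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $records += $page }
    } while ($page)

    # Flatten the JSON AuditData so the key fields become CSV columns; the
    # complete record is kept in the last column for forensic use
    $rows = foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationDate = $r.CreationDate
            RecordType   = $r.RecordType
            User         = $r.UserIds
            Operation    = $r.Operations
            Workload     = $d.Workload
            ClientIP     = $d.ClientIP
            ObjectId     = $d.ObjectId
            AuditData    = $r.AuditData
        }
    }

    $file = Join-Path $ArchiveRoot "UnifiedAuditLog-$tag.csv"
    $rows | Sort-Object CreationDate | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

    # Store a SHA-256 beside the file so the archived copy can be shown to be
    # unaltered when it is produced months later
    $hash = Get-FileHash -Path $file -Algorithm SHA256
    "$($hash.Hash)  $(Split-Path $file -Leaf)" | Set-Content -Path "$file.sha256" -Encoding Ascii
    return $file
}

# The Azure AD sign-in and audit logs (the other two monthly logs) are
# downloaded from the Azure Active Directory portal and stored the same way.
Enable-OrgMailboxAuditing
Get-NonOwnerMailboxAccess -Mailbox "user@contoso.com" -Days 30 | Format-Table -AutoSize
Export-LastMonthAuditLog -ArchiveRoot "C:\Logs\SharePointSync"
```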

The audit reports that are generated contain detailed information about who has accessed the information and how they have changed it. As you’ll see in Figure 6-8, once audit logs are enabled, all information is tracked. The discovery center adds another level of detail in tracking information accessed under legal hold.
Figure 6-13. Tracing access of users through the administrative center audit log search

Information Immutability

Information immutability takes this one step further and integrates Skype for Business and SharePoint documents (as well as OneDrive for Business document synchronization) into the equation. The Office 365 approach is designed to reduce the amount of information by removing duplicate information. This reduces the complexity of the searches and allows the compliance officer to clearly see the thread of the information and the root cause (if any) of the discovery request. The searched data can be exported in the industry-standard Electronic Discovery Reference Model (EDRM) XML format to provide content to a third party. The Office 365 approach removes duplicate data from searches only; it does not remove any data from the user’s SharePoint site or e-mail mailbox. The data stays where it is and is immutable.
Figure 6-14. Setting up an eDiscovery search

The configuration of the eDiscovery search is robust and allows you to specify the areas and mailboxes that you need to search. The scope of the discovery is reduced to the specific set of key words and mailboxes (see Figure 6-14) and can be easily restricted to a few users in question. It is not uncommon that an eDiscovery request on Office 365 would cost 90 percent less than an eDiscovery request using an older journaling system for e-mail communication management.
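The same scoping done from PowerShell, as an added example that is not the book's walk-through: a content search limited to a few custodian mailboxes, one SharePoint site and a keyword-plus-date query, followed by an export of the hits. It assumes a Security & Compliance Center PowerShell session is open (for example via Connect-IPPSSession); the case name, mailboxes, site URL and query are constructed placeholders.

```powershell
# Added example (not the book's code). Assumes a Security & Compliance Center
# PowerShell session is open. All names below are constructed placeholders.

$searchName = "Case-2018-001"
$custodians = "alice@contoso.com", "bob@contoso.com"
$siteUrl    = "https://contoso.sharepoint.com/sites/Legal"

# KQL query: restrict hits to the subject matter and the period under review,
# which is what keeps the cost of the request down
$query = '("purchase order" OR invoice) AND sent>=2018-01-01 AND sent<=2018-06-30'

# Scope: only the custodians in question plus one site, not the whole tenant
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation $custodians `
    -SharePointLocation $siteUrl `
    -ContentMatchQuery $query | Out-Null

Start-ComplianceSearch -Identity $searchName

# Poll until the estimate finishes (Completed, PartiallySucceeded or Failed)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin @("Completed", "PartiallySucceeded", "Failed"))

# Items and Size are the estimate to review before committing to a full export
$search | Format-List Name, Status, Items, Size, ContentMatchQuery

if ($search.Status -eq "Completed" -and $search.Items -gt 0) {
    # Export the results: one PST per custodian mailbox; the data itself stays
    # in place and immutable, only a copy leaves the tenant
    New-ComplianceSearchAction -SearchName $searchName -Export -ExchangeArchiveFormat PerUserPst
}
```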

As you read the rest of this chapter, note that the discussion on archive and retention policies is built around data immutability to manage an organization’s compliance needs. In Office 365, this is referred to as compliance management. Administrators can set up controls based on the business policies of the organization.

Office 365 Archiving and Retention

The term archive is overused. It often implies more than what it really is. An archive is nothing more than a second mailbox designed for long-term storage. The relevancy of an archive is based on the business process rules that are used to manage it. This is where immutability and retention policies come into play. Immutability refers to how information is retained (in a form that can’t be changed) in the mailbox and the archive. Retention policies describe the length of time you need to keep the data that is not subject to any legal action (legal hold to guarantee immutability).

These policies are located under Retention (see Figure 6-15).
Figure 6-15. Retention policies

It is easy to create a new retention policy. In Figure 6-15, just click + Create and set up the policy. The wizard will walk you through the process. A retention policy is created in almost the same way as it was in the Exchange admin center. So, depending on how you want to approach the problem, you can create a legacy retention policy or a new policy. The legacy retention policy is composed of retention tags; a group of retention tags constitutes a retention policy, as shown in Figure 6-16. The new retention policy is a wizard that allows you to fill in the same information.
Figure 6-16. Retention policies (legacy view located in the Exchange admin console)

There are two types of archives in Office 365: personal archives and Office 365 Exchange server mailbox archives. The Office 365 Exchange server archives can be immutable (meaning they can be configured to ignore any change via a litigation hold or in-place hold). Personal archives are stored locally on the user desktop and are not immutable (users can change the contents). The retention policies refer only to the moving of data from the user mailbox to the archive. To make an archive and retention policy work, you need to enable the archive in the Exchange admin console (edit the mailbox in the Exchange admin console and select Enable for archive; this is discussed in Chapter 8). This feature will be moving to the Security & Compliance Center at a later date. Litigation hold (or in-place hold) locks the Office 365 mailbox from having contents deleted, regardless of whether the content is in the main mailbox or the archive mailbox. Users will see data being deleted, but administrators can access the data in the Security & Compliance Center under Search and Discovery.

Retention Policy

A retention policy consists of the business processes that define the movement of data to the archive or Deleted Items folder. Retention policies are a set of rules that are executed concerning a message (see Figure 6-17). A retention policy is a combination of different retention tags, which are actions placed on a message. You can have only one retention policy applied to a mailbox. In an organization where you have compliance requirements, retention tags are used to manage the user mailbox information and to control mailbox sizes. As an example, you can have a retention tag that deletes messages in a mailbox after 30 days. If the mailbox is under legal hold, the user will see the data deleted, but the deleted data is recoverable.
Figure 6-17. Retention policy created in the Security & Compliance Center

Figure 6-18. Legacy Office 365 retention tags (courtesy of Microsoft)

Retention tags define and apply the retention settings to messages and folders in the user mailbox. These tags specify how long a message is kept and what action is taken when a message reaches the retention age. Retention tags are used to control the amount of information that is on the user’s desktop. Typically, this means that a message is moved to the archive folder or it is deleted. Looking at Figure 6-17, you can see three types of retention tags: default retention tags, policy retention tags, and personal retention tags.

Default

The default policy applies to all items in a mailbox that do not have a retention tag applied.

Policy

Policy tags are applied to folders (inbox, deleted items, and so on) and override the default policy tags. The only retention action for a policy is to delete items.

Personal

Personal tags are used only by Outlook clients to move data to custom folders in the user’s mailbox.

Keep in mind that a retention policy directly affects the amount of information kept in a user mailbox. A retention policy requires that an archive mailbox is enabled. The default configuration of Office 365 is to have the archive mailboxes disabled. Retention tags (which make up the retention policy) are just another tool used for information management. Depending on your business needs, you may have different retention policies to manage information for different groups in your organization. In one organization we managed, the data retention policy was 90 days, unless the mailbox was placed on an in-place hold for litigation or discovery.
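As an added example (not code from the book), here is the retention model just described expressed in Exchange Online PowerShell: the archive mailbox enabled, the three kinds of tags, one policy holding them, and a litigation hold that keeps the data recoverable while the tags run. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the mailbox, tag and policy names are placeholders.

```powershell
# Added example, not from the book: the retention model described above, built with
# Exchange Online PowerShell. Requires the ExchangeOnlineManagement module and an
# Exchange administrator role. The admin UPN, mailbox and tag/policy names are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

$mailbox = 'karen.berg@contoso.example'   # placeholder mailbox

# 1. A retention policy only moves or deletes; moving needs an archive mailbox, which is off by default.
Enable-Mailbox -Identity $mailbox -Archive

# 2. Retention tags. Each tag = how long an item is kept + what happens when it reaches that age.
#    Default tag (Type All): applies to every item that carries no other tag.
New-RetentionPolicyTag -Name 'Default: move to archive after 90 days' -Type All `
    -AgeLimitForRetention 90 -RetentionAction MoveToArchive
#    Policy tag: bound to a well-known folder and its only action is to delete.
#    Here Deleted Items is purged after 30 days (recoverable until the hold below is lifted).
New-RetentionPolicyTag -Name 'Deleted Items: delete after 30 days' -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery
#    Personal tag: users apply it from Outlook to the custom folders or items they choose.
New-RetentionPolicyTag -Name 'Personal: keep 1 year then archive' -Type Personal `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive

# 3. One policy bundles the tags; a mailbox can have only one retention policy at a time.
New-RetentionPolicy -Name 'Corporate 90-day policy' -RetentionPolicyTagLinks `
    'Default: move to archive after 90 days',
    'Deleted Items: delete after 30 days',
    'Personal: keep 1 year then archive'
Set-Mailbox -Identity $mailbox -RetentionPolicy 'Corporate 90-day policy'

# 4. Litigation hold makes the mailbox immutable: the tags still run and the user still sees
#    items disappear, but nothing is actually purged while the hold is in place.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true

# Process the mailbox now instead of waiting for the next scheduled run, then confirm the state.
Start-ManagedFolderAssistant -Identity $mailbox
Get-Mailbox -Identity $mailbox | Select-Object ArchiveStatus, RetentionPolicy, LitigationHoldEnabled
```

Run the last line again after the assistant has finished; ArchiveStatus should read Active and LitigationHoldEnabled should be True before you rely on the policy to delete anything.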

Compliance archives may or may not have a retention policy applied to them. Typically, a compliance rule requires that all documents (e-mails, files, etc.) are placed on legal hold for the regulation’s hold period. The legal hold also includes documents in OneDrive and SharePoint sites through the Compliance & Administration site. User mailboxes that are placed under a litigation hold with external auditing enabled meet all compliance requirements because the data is immutable. Later in this chapter, I will walk you through an eDiscovery search to collect information in response to a court-ordered subpoena. For now, let’s continue with our review of the other features of the Security & Compliance Center.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig19_HTML.jpg
Figure 6-19

Office 365 alert dashboard with trends

Alert Structure

Looking back over any of the NIST compliance reviews, there is one requirement that will need to be deployed, and that is alerts to provide an early warning of potential problems. The type of alerts depends on the business and what processes you need to examine. The place to start is with the alert dashboard. To add a new threat, just add a new threat policy, and the wizard will walk you through the threats and what to add. Looking back to our NIST-CSF discussion, one of the pillars is to detect the security incident. In Figure 6-20, we have a couple of different threat detections, ranging from accessing data to forwarding e-mail.

After you have deployed the alerts, the next step is to review the threat dashboard and establish a policy of review and analysis on the threats. In the Compliance Manager, we need to put in place business processes where we review the alerts in the logs and look for trends on which to base decisions. Because of the Compliance Manager activity, we put in place the necessary alerts and the processes that we use to analyze them.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig20_HTML.jpg
Figure 6-20

Alert dashboard with CAS integration

Alert Types

There are different alert types that you can create or add. Some of the alerts are system-wide and are enabled based on other dashboards. The alert dashboard is a data aggregation dashboard in Office 365 (see Figure 6-20) with integration to other services. “Manage advanced alerts” is a link to Cloud App Security (CAS). Depending on how you configure CAS, you can have a number of alerts that show up in the alert dashboard. Figure 6-19 shows the alert dashboard with two types of alerts, those that are from other services (not highlighted) and those that were created in the alert dashboard (highlighted with an on/off slider). As the compliance officer in Office 365/Azure, you want to enable alerts to help you manage the environment for the necessary processes.

Adding new alerts from the dashboard is a simple process. Just click “New alert policy” and create an alert. The following are the key items to set in an alert:
  • Name and description

  • Severity

  • Class of alert

The issue that we all face is the quantity of information that we need to manage. It is important that you define a model for data collection and classification. If you have not set up a classification model, then step back and define the model that you want. In our case we organized information based on class of alerts, such as threat management and severity. Follow the wizard and add additional customization to the alert (see Figure 6-20). Once you are satisfied with the alert, click Save to create the alert (see Figure 6-21).
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig21_HTML.jpg
Figure 6-21

Alert dashboard with alerts highlighted created locally

../images/429219_1_En_6_Chapter/429219_1_En_6_Fig22_HTML.jpg
Figure 6-22

Adding an alert to the Azure notification

The processes that you use to create and review the alerts are the same. As you expand your security policies, you will establish different capabilities on access and how you want to enable the tracking in the environment. Alerts give you an early warning. You leverage information that is in the Security & Compliance Center along with the security information located in the Azure Security Center.

Threat management

Once you have defined the alerts, the next step is the configuration of Threat management for the threat dashboard. The threat dashboard is a summary of the different threats that are active in your Office 365 tenant. The threat dashboard is another data aggregation function that allows you to see data differently. Threat management is about having multiple eyes on a group of systems.

Figure 6-24 shows the threats as they attack users; what we have configured in Office 365 to block them is an AI-driven engine. Over time you will see trends in the attacks and in what you did in response to them. The threat dashboard is expanding and will include other services such as Advanced Threat Protection (ATP), Cloud App Security (CAS), and other solutions that track threats. The Threat management dashboard presents a summary of the information from the various services. As an example, the threat management dashboard allows the simulation of phishing attacks and keeps track of the threats and the activities to address them. The dashboard information used in the analysis is based on the raw information from the security and audit logs.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig23_HTML.jpg
Figure 6-23

Adding additional customization to the alert

../images/429219_1_En_6_Chapter/429219_1_En_6_Fig24_HTML.jpg
Figure 6-24

Finalizing the alert that was created in the Security & Compliance Center

Threat management provides an overview of the threats that are affecting the Office 365 organization. The trend analysis can let you know which users are being targeted and what approach is being used. If this is a coordinated attack, you will see a number of attempts to attack all users in your Office 365 tenant. In this case, we have a limited attack, probably based on e-mail addresses that were captured from sites that were attacked (see Figure 6-24).

The threat management dashboard also includes simulated phishing e-mail attacks. This is a new feature that has been added to the Security & Compliance Center. All of the new regulations such as GDPR, CCPA, HIPAA, and the NIST standards require security training (or penetration testing) for the end users. Traditionally this has been contracted to third-party service providers, such as HIPAA Secure, Breach Secure, KnowBe4, and others. Office 365 now includes the ability to send out simulated penetration attacks to test users. The attacks are measured and reported. The Office 365 penetration testing includes the ability to modify the test e-mail so that it is appropriate for the industry. The simulated campaigns are no different than any modern marketing campaign. You pick the target campaign and set up a number of e-mails to trick the end users into clicking the campaign and executing it (see Figure 6-26). To launch a campaign, click Attack Simulator and then the phishing campaign to execute.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig25_HTML.jpg
Figure 6-25

Threat dashboard in the Security & Compliance Center

../images/429219_1_En_6_Chapter/429219_1_En_6_Fig26_HTML.jpg
Figure 6-26

Attack summary with details on targeted users and methods

As an example, let’s select the prize campaign. This campaign is about harvesting user credentials. To make the campaign effective, you have the option to modify the text in the campaign. If you wanted, you could build this as an Amazon campaign or even mirror a gift campaign that one of your businesses sends out in your local community. Executing the campaign is easy; just follow the steps outlined next.

Step 1: Select the Campaign

The campaign we are using is the credential harvesting campaign. Click Launch to start the campaign. Name the campaign and click Use Template. Make sure you do not send more than one campaign a week (see Figure 6-27).
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig27_HTML.jpg
Figure 6-27

Attack Simulator options

Step 2: Customize the Offer

It is important to customize the offer so it mirrors an offer in your local market. A modification may be a free Amazon gift card, for example. Pick something that is unique and you can clone from your existing e-mail offers (see Figure 6-28). In this case of a “prize offer” I would use an Amazon gift notification or a survey, such as “Take the Survey, Get a $25 Amazon Card.” The goal is to make this as real as possible.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig28_HTML.jpg
Figure 6-28

Selecting a campaign and naming the campaign

Step 3: Select the Distribution List for the Campaign

Select the distribution list to send to. If you do not have one, then create one for your organization. I recommend you create a dynamic list that is targeted to all users who have a license (see Figure 6-29).
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig29_HTML.jpg
Figure 6-29

Customizing the offer

Step 4: Build the Landing Portal for the Campaign

Build out a web portal with a message to the end user. Let them know they have been phished. Your web portal could contain a description of the attack and what to look for. Train your users, and be creative (see Figure 6-30)!
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig30_HTML.jpg
Figure 6-30

Target the campaign to the users in your tenant

Step 5: Customize the E-mail

The best e-mail to use is one that you have received. Figure 6-32 shows one that I received from a vendor on a survey for IT services.

Step 6: Execute the Campaign

Send the e-mail (see Figure 6-32) and look for the responses from the simulated phishing.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig31_HTML.jpg
Figure 6-31

Fill out the campaign and create the destination portal

../images/429219_1_En_6_Chapter/429219_1_En_6_Fig32_HTML.jpg
Figure 6-32

Be creative with the campaign

Once you have executed the campaign, the next step is to review the results (see Figure 6-33). Like any other marketing campaign, you want to make the campaign as realistic as possible. Invest the time to train the user.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig33_HTML.jpg
Figure 6-33

Execute the campaign

Make sure you review the threat dashboard for the status and trends. You have a responsibility to set up the necessary business process and training to keep your users informed. It is a battle between the good guys and bad guys. Figure 6-34 shows a status dashboard of the attacks against some users.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig34_HTML.jpg
Figure 6-34

Review the results

Search and Investigate

Organizations that perform electronic document discovery (attorneys, compliance officers, etc.) are empowered based on the rules in the organization. Typically, there are three levels of management with eDiscovery cases. These management roles are the compliance officer, compliance manager, and reviewer. In small organizations, you have one person completing tasks in all three roles. In a larger organization, this is either completed by a large staff or some functions are contracted to a third party, such as a management specialist. Figure 6-35 shows the permission structure in the Security & Compliance Center used to manage these roles. In our small company example, the compliance officer could be the compliance administrator/compliance manager and eDiscovery manager. Usually the IT pro will partner with the compliance officer to set up the environment. The first step in the eDiscovery process is to add the roles that are needed to access information as part of the document review process. The IT pro may not have a role in the discovery process.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig35_HTML.jpg
Figure 6-35

Summary dashboard of the attacks in an Office 365 organization

My philosophy on eDiscovery issues when using the Security & Compliance Center is to upgrade the subscriptions to an E5. This will give you access to all of the advanced eDiscovery tools available in Office 365. There is an additional cost, but it is significantly less than the sanctions, fees, and penalties associated with losing a case because of poor discovery in the document production phase. As an IT professional, your job is to provide all the information requested as soon as possible.

There are many questions that IT professionals have when setting up the Security & Compliance Center. This chapter is a compilation of the best-known methods in use to implement a compliant cloud storage system that meets the needs of various regulatory entities. Our implementation for Office 365 is using the Microsoft 365 E5 subscription, which contains the Office E5 component (see Figure 6-36). I will now show how you can set up the service to provide documents in response to a request for production (if you have been served a court order for document production). Our discussion will review two aspects of Office 365 data collection: the compliance capabilities of Office 365 and, later, supplying documents in response to a request.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig36_HTML.jpg
Figure 6-36

Office 365 eDiscovery roles

Note

Figure 6-5 shows two different types of eDiscovery search tools: Search Content and eDiscovery. These tools are similar but different. Search Content is a scalable eDiscovery tool that can handle large amounts of data, searching SharePoint, OneDrive for Business, and multiple mailboxes (no limit). The eDiscovery tool does similar functions but is limited in scope. What I do is create a blanket search in eDiscovery to lock the mailboxes under legal hold and perform searches in Content Search.

The Security & Compliance Center’s roots are in the eDiscovery process. Organizations receive discovery requests from presiding authorities, and as part of these requests, they need to produce documents. Sometimes these documents are covered under a protective order, and sometimes they are not.

Setting Up an Office 365 Discovery and a Retention Policy

Office 365 is flexible in how the different policies for the management of information can be set up. The problem is where to start. Earlier, we reviewed the different capabilities that you have in Office 365. There are three different areas that need to be configured before you can begin to use the services. The following section outlines the steps required to set up the 365 organization for a compliance, discovery, and retention policy. Follow the steps to set up the different features. Note that you will find additional details about compliance steps in the section “Configuring Compliance.”

What you are trying to avoid is the generation of paper documents. Figure 6-37 is a sample of the old way of producing documents for eDiscovery. This is a sample of what you want to avoid. Litigation is expensive, and discovery is an expensive process (from $1–$2 a page). In this example, there were 200,000 pages of documents generated to satisfy a request. Cost-wise, this was $250,000 to $400,000 worth of work. Office 365 allows you to create a “discovery center,” where you can process the queries and generate a SharePoint library that has the information requested in the response. In this case, information was generated for the other side’s attorneys that was in response to a judicial order. Access to the discovery search results can be shared with the other side’s attorneys. This discovery center approach is a lot lower in cost than the traditional document production shown in Figure 6-37.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig37_HTML.jpg
Figure 6-37

Subscription types supporting the Security & Compliance Center

../images/429219_1_En_6_Chapter/429219_1_En_6_Fig38_HTML.jpg
Figure 6-38

Production in response to a judicial discovery order (approximately 200,000 documents produced)

Discovery Walk-Through

The discovery process seems daunting at the start. The simplest way to understand the eDiscovery process is to walk through an eDiscovery search; then we can look at the process to set up the search. I have found that if you understand the end game, then it is easier to understand how to create an advanced search. To frame the situation, you are a compliance officer and your IT pro has set up your Office 365 site with the correct permissions and access. The IT pro has sent you an e-mail with a notification that your site is set up. Your response (like many of us) is simply, “Great, what do I do now?” Let’s walk through what you do next to put your mind at ease. Discovery is not that difficult; it just takes time.

Step 1: Log In to Office 365 and Click the Security Icon

To access the Security & Compliance Center, log in to Office 365, and click the Security & Compliance Center icon. Users need to be an Office 365 global administrator or a member of one or more Security & Compliance Center role groups. The Security & Compliance role groups are different than the Exchange Online Organization Management role group. These permissions are not shared.

If you do not see the Security & Compliance Center, this is because you do not have access. To access the Security & Compliance Center, a global admin will need to grant you permissions by adding you to the Organization Management role group.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig39_HTML.jpg
Figure 6-39

Security & Compliance Center landing page

Step 2: Select Search & Investigation, and Review Logs

Earlier, the IT support staff added us into the group where we have the correct permission to access the features in the Security & Compliance Center. Our job is simple; it is to perform a search on the data that we were requested to provide. In Figure 6-40, we expand Search & Investigation to begin our query on the eDiscovery process. There are three areas that we focus on: Content search, Audit log search, and eDiscovery.

In Figure 6-40, we are looking at the audit logs to verify who has access to the data and who has recently accessed the data in Office 365. The audit log search will provide that information to you. In our example, the admin has recently logged into the Security & Compliance Center and retrieved the compliance configuration.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig40_HTML.jpg
Figure 6-40

Audit log search

Once you are satisfied, the next step is to review that a hold has been placed on the data for the content search.

Step 3: Verify That a Case Has Been Created to Place Data on Hold

There are different philosophies on this, but what works the best is to make sure that you have at least one case where all data that you are looking for has been placed on hold. The Office 365 Security & Compliance Center allows you to place multiple data sources on hold for specific searches. However, it is easy to lose yourself in the searches and accidentally remove a legal hold and delete data. To prevent this from happening, go to the eDiscovery tool and verify that we have a case and that the subject matter of our inquiry is placed on hold (see Figure 6-41).
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig41_HTML.jpg
Figure 6-41

Placed on hold

If the data has not been placed on hold, a case needs to be created to lock the appropriate mailboxes and SharePoint sites and put the user’s OneDrive for Business sites on hold. Once this case is in place, our focus will be on using the Content Search tool.

Note

If you do not see a case, create a case and place the accounts you want to search on hold to protect data from accidentally being deleted. If you make a mistake and delete the hold, the data will be deleted according to the retention policy. The case in this example has two mailboxes selected, and all data has been placed on hold. The hold is visible only to users who have permission to view the case (more about this later).

Step 4: Start the Content Search

The next step is to start the search for data and export the data for review. So far we have the data on hold (step 3), and we are searching for specific information. We select the content search and look for an existing case. If we do not see one, we create a new case and begin our search for information.

In Figure 6-42, we are creating a new search called Smart Phone Search, and we are looking at three different users’ mailboxes: Dan Jump (CEO), Karen Berg (VP of sales/marketing), and Amy (product manager). The process is similar to the actions in the eDiscovery Center; the difference in this case is that we are looking at specific information in user mailboxes, and we do not need to worry about the data being deleted since we have verified that we have all of the user mailboxes and SharePoint sites on hold.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig42_HTML.jpg
Figure 6-42

Setting up the content search

As part of the search configuration, you specify the area of search. In this case, we are looking for all phones and want to exclude the term cell phone. If you have an existing case, you can edit the query or create a new query as part of the search setup (see Figure 6-43). Click Add and then Run. Correct any errors that you have (usually the location is not specified correctly); then click Save and name the search.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig43_HTML.jpg
Figure 6-43

Doing a content search

Step 5: Preview the Data

As the content search engine crawls the mailboxes, the information is displayed on the number of items and size of the items. The compliance officer can add additional searches as needed.

To preview the search data, select “preview search results” in Figure 6-44 to see the initial set of documents (documents in this case are any forms of communications: e-mails, Skype conversations, marketing materials, etc.).
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig44_HTML.jpg
Figure 6-44

Initial search statistics

Note

The compliance officer can add and delete searches as needed. Therefore, it is important to have a case created with all of the content under hold for eDiscovery. In the case of a content search, when the content search is deleted, the hold is also removed, unless you have another hold in a content search or under a case in the eDiscovery Center.

If your access is blocked at the preview stage, you need to request permission from the admin on the Security & Compliance Center to give you access to the search results. Otherwise, your results on the search preview will be displayed as shown in Figure 6-44. Keep in mind that search preview is limited. Complete review will require you to export the documents.

Step 6: Export the Documents

Once you are satisfied that you have all of the documents you are looking for, the next step is to export the documents for a full review. To export the document, click More and then “Export results” (see Figure 6-45). Follow the wizard to generate the document export. The documents are exported in PST format to be loaded in a local version of Outlook. At this stage you are creating an export job. The export data will need to be collected by Office 365 and scheduled for download.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig45_HTML.jpg
Figure 6-45

Content search on documents for query “phone Not ‘Cell Phone’”

../images/429219_1_En_6_Chapter/429219_1_En_6_Fig46_HTML.jpg
Figure 6-46

Exporting the documents to a PC

Click Export, which will start the document export wizard. The first step is to confirm the export and destination. Because of the privacy concerns, documents exported are encrypted, and you will need to keep a copy of the key to decode the documents.

Select the Export tab and then select the job that was created (see Figure 6-47). This will start the data export process. The data will be downloaded to your PC in the format you specified earlier.

Note

If you are responding to a request for production (RFP) under a court-ordered discovery order, you want to export all documents from the eDiscovery Center after you place the documents on hold. I have found it better to give all documents requested and not duplicate information. Most likely you will be using a third-party tool to process the documents and stamp them. We will look at document production later in this chapter.

../images/429219_1_En_6_Chapter/429219_1_En_6_Fig47_HTML.jpg
Figure 6-47

Start the export process by clicking the case

The export process runs smoothly in the background. The export process starts and displays the status of the job (see Figure 6-48).
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig48_HTML.jpg
Figure 6-48

The export process begins to assemble the data for export

The export wizard handles large downloads. I completed a recent eDiscovery project where the export PSTs were over 30GB in size (about 407,000 e-mails and attachments). To export the documents, select “download export results” to download the documents to your local system. When you download the documents, the documents are encrypted in transit (see Figure 6-48). Make sure you keep a copy of the key. You will need this key on the client to remove the encryption to access the PST files.

Note

If you are searching for information, the best way to search for information is to use the Content Search Center. In a discovery request, what I have found works is that you define a new user account for the response to an RFP, and you upload the data into the OneDrive for Business. This way you can use the Content Search tool to look for data. Also, if you are building bates-stamped documents, upload them to your OneDrive for Business account. This way you can search for the original document and find the bates-stamped document that matches your search. This saves a lot of time in preparing for litigation.

Once the data is ready, you can download the results. You will need the encryption key to decrypt the data. All search data in the Compliance Center is encrypted. Once you have copied the key, click Download Results to start the download process. The files will be downloaded to your PC in an Exchange folder structure (see Figure 6-49). We will go through this process later in the chapter; I wanted you to understand the end results and what the discovery process looks like in a response to an RFP.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig49_HTML.jpg
Figure 6-49

Export data process, loading the data on the desktop

After the data is downloaded, it will be in a directory similar to Figure 6-26. Once the data is exported, you can now bates-stamp the material and filter it out as needed.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig50_HTML.jpg
Figure 6-50

Export data structure

Step 7: Bates-Stamp the Discovery Production

Once we have completed the export of the data, the only step left is to bates-stamp the material in a response for production. Depending on your business size, you may have a department that will handle the production of the material. Most IT professionals stop at this step and turn over the production to the legal staff. However, if you are a small business, you will need to produce the material yourself to keep costs under control and add bates stamps. There are different tools that you can use to process the production. I use a tool called Bates Express. What this tool from Bates Express provides is a unique number that is used to track documents in the legal system. This is called a bates stamp. When you complete electronic discovery, you are producing millions of documents, and each page of each document needs to be numbered. This is one of the tools available to bates-stamp documents. I used this tool to process millions of pages in an electronic discovery project.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig51_HTML.jpg
Figure 6-51

Bates Express website ( www.batestexpress.com )

What I like about this tool is that it is really easy to use. In the e-discovery production that I am creating in response to the subpoena, I have filtered Exchange information with 120,000 messages in each PST. With Bates Express, I configure the bates stamp (the header and footer on the document), and I point the tool to the downloaded PST. A few hours later, I have 120,000 PDF files, all searchable and all bates-stamped for production (see Figure 6-52).
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig52_HTML.jpg
Figure 6-52

Bates Express processing a document from Office 365 exported archive

The documents are produced with the necessary header and footers for your discovery project. Bates Express produced documents similar to those in Figure 6-53. The bates stamp I use in this production request is the string “Confidential - <case number> - < document ID>.”

Note

Every document that will be produced will need to be bates-stamped, and the document header “Confidential” may be optional but is subject to the production order. In some cases, there will be material designated as “Attorney Eyes Only.” In this case, “Confidential” is replaced with “Attorney Eyes Only.”

Production of material is not that difficult; it is just time-consuming. Traditional discovery firms charge around $1 a page for each document produced. You can see that with automated tools you can sharply reduce the amount of time that it takes to produce material. At this point, you understand the discovery process enough that you can do your own search and produce the documents required. In the final sections of this chapter, we will review some additional configuration processes that you can use in your discovery project.
../images/429219_1_En_6_Chapter/429219_1_En_6_Fig53_HTML.jpg
Figure 6-53

Bates-stamped document with case header

Building Discovery Searches

In some cases you may want to delete e-mails; in others you may want to preserve them in the long term. When you are experimenting with retention policies, use a mailbox with a trial set of sample data. If you are afraid of deleting information, then enable a litigation hold (or in-place hold) on the account that you are setting up the retention tags for. If the retention tags are not set up correctly, information will be deleted.

Before we address any of the examples, we need to step back for a brief review of advanced query strings (AQS). The syntax can become complex. AQS is provided by the Windows operating system using Windows Desktop Search (WDS). All AQS searches must be fully qualified. A fully qualified search requires that you add parentheses every time you add a Boolean operator (AND, OR, NOT) to a search query. (The queries are processed based on the location of the parentheses.) There is a good description of AQS queries at https://docs.microsoft.com/en-us/windows/desktop/lwef/-search-2x-wds-aqsreference.

Sample AQS Query for Financial Review

You can use an AQS query to address compliance-related issues (such as FINRA audit reviews by the compliance officer). The query can be any combination of words; the more complex it is, the longer the search takes to run. The trailing asterisk in Pay* and Take* is a prefix wildcard, so Pay* also matches Payment and Payout. Here’s an example:
(Guarantee OR Money OR Compliant OR Attorney OR Transfer OR Security OR Loss OR Loan OR Misrepresented OR Unauthorized OR Yield OR Stock OR Bond OR Percent OR Pay* OR Promise OR Funds OR Risk OR Secure OR Take* OR Pissed OR Churn)
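The following script is an added example, not code from the book: it carries out the steps described above (hold the trial mailbox, build a fully qualified query, run the search and export the hits) from Security & Compliance Center PowerShell. It assumes the ExchangeOnlineManagement module is installed, and the admin account, the trial mailbox address, the search name and the date range are placeholders to replace with your own.

```powershell
# Added example (not from the book). Assumes the ExchangeOnlineManagement module;
# the admin UPN, mailbox address, search name and date range are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # Exchange cmdlets
Connect-IPPSSession   -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # compliance cmdlets

$custodian  = 'trial-user@contoso.com'   # mailbox loaded with the trial data set (placeholder)
$searchName = 'FINRA-Review-2018'        # placeholder

# Safety net from the text: hold the mailbox before experimenting with retention tags.
# Anything a tag deletes is then kept in Recoverable Items until the hold is removed.
Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true

# Fully qualified query: the whole OR list sits inside one set of parentheses.
# Operators must be uppercase (AND, OR, NOT); Pay* and Take* are prefix wildcards.
$terms = @(
    'Guarantee', 'Money', 'Compliant', 'Attorney', 'Transfer', 'Security', 'Loss', 'Loan',
    'Misrepresented', 'Unauthorized', 'Yield', 'Stock', 'Bond', 'Percent', 'Pay*', 'Promise',
    'Funds', 'Risk', 'Secure', 'Take*', 'Pissed', 'Churn'
)
$keywords = '(' + ($terms -join ' OR ') + ')'

# Each clause joined by a new operator gets its own parentheses. The date range
# keeps the trial run fast; drop it for the real review.
$query = "$keywords AND (received>=2018-01-01 AND received<=2018-12-31)"

New-ComplianceSearch -Name $searchName -ExchangeLocation $custodian -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search leaves the running states, then report hits before exporting anything.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -in 'NotStarted', 'Starting', 'InProgress')
'{0}: status {1}, {2} items, {3} bytes' -f $searchName, $search.Status, $search.Items, $search.Size

# Export the hits for review or production (one PST per mailbox). The export itself is
# downloaded with the eDiscovery Export Tool from the Security & Compliance Center.
if ($search.Status -eq 'Completed' -and $search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $searchName -Export -Format FxStream -ExchangeArchiveFormat PerUserPst
}
```

Build the keyword list in code rather than pasting one long string: the join guarantees every term is separated by an uppercase OR, and the outer parentheses are added once, so adding a term later cannot unbalance the query.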

Summary

The focus of this chapter was on the Security & Compliance Center as well as on data collection and analysis of the data via the different discovery tools. The Security & Compliance Center is a hub, or data aggregation service, that holds the different types of information used by the security analysis tools. As an example, the eDiscovery Center has become a key compliance tool used to show that a company has complied with federal and state regulations. It draws on the audit log that we enabled in Chapter 2 during our initial configuration of the Security & Compliance Center. The stored logs can be exported and analyzed with tools such as Power BI.

It is extremely important that your IT team actively manages the data and records information. The days of not reviewing logs or storing logs on a long-term basis are over. At a minimum, you need to have a process that does the following:

1. Download and archive the Office 365 Security & Compliance Center audit log on a monthly basis.

2. Download and archive the Azure Active Directory log on a monthly basis.

3. Download and archive the Azure audit log on a monthly basis.

Where do you store the logs? Create a SharePoint collaboration site and upload the logs to that site. At KAMIND IT, this is what we do for all of our customers who are on one of our security plans, and the logs are then available for forensic analysis. If you are looking for an automatic way to store logs, you can configure this in Azure Log Analytics; in that case the logs are written to an Azure storage account. This is no longer just nice to have; a long-term archive of the logs is a requirement for compliance.
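As an added example rather than the book’s own procedure, the script below performs the three monthly downloads listed above, writes a SHA-256 manifest beside the files so the archive can later be shown to be unaltered, and uploads the result to a SharePoint archive site. It assumes the ExchangeOnlineManagement, AzureADPreview, Az.Monitor and PnP.PowerShell modules are installed, that the account used has read access to each log, and that the tenant names, site URL and local path are placeholders. Azure AD sign-in data is retained in the portal for at most 30 days, so a monthly pull is the least frequent schedule that leaves no gap.

```powershell
# Added example (not from the book). Assumes ExchangeOnlineManagement, AzureADPreview,
# Az.Monitor and PnP.PowerShell; every tenant name, URL and path below is a placeholder.
$month   = (Get-Date).AddMonths(-1)
$start   = [datetime]::new($month.Year, $month.Month, 1, 0, 0, 0, [DateTimeKind]::Utc)
$end     = $start.AddMonths(1)
$label   = $start.ToString('yyyy-MM')
$archive = Join-Path 'C:\LogArchive' $label
New-Item -ItemType Directory -Path $archive -Force | Out-Null

# 1. Office 365 unified audit log (the Security & Compliance Center audit log).
#    A call returns at most 5,000 records and a paging session is capped at 50,000,
#    so page with a session id one day at a time instead of one call for the month.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'
$ualFile = Join-Path $archive 'O365-UnifiedAuditLog.csv'
for ($day = $start; $day -lt $end; $day = $day.AddDays(1)) {
    $sessionId = 'archive-' + $day.ToString('yyyyMMdd')
    do {
        $batch = Search-UnifiedAuditLog -StartDate $day -EndDate $day.AddDays(1) `
                     -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($batch) {
            # AuditData is the full event as a JSON string; keep it whole for later analysis.
            $batch | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
                Export-Csv -Path $ualFile -Append -NoTypeInformation
        }
    } while ($batch)   # an empty result means the session is exhausted
}

# 2. Azure AD directory audit and sign-in logs. Nested fields survive better as JSON than CSV.
Connect-AzureAD
$from = $start.ToString('yyyy-MM-dd'); $to = $end.ToString('yyyy-MM-dd')
Get-AzureADAuditDirectoryLogs -All $true -Filter "activityDateTime ge $from and activityDateTime lt $to" |
    ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $archive 'AzureAD-AuditLog.json')
Get-AzureADAuditSignInLogs -All $true -Filter "createdDateTime ge $from and createdDateTime lt $to" |
    ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $archive 'AzureAD-SignInLog.json')

# 3. Azure activity (audit) log for the subscription. Raise MaxRecord above its default of 1,000.
Connect-AzAccount
Get-AzLog -StartTime $start -EndTime $end -MaxRecord 100000 -DetailedOutput |
    ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $archive 'Azure-ActivityLog.json')

# Integrity manifest: hash each file now, so a later forensic review can prove nothing changed.
Get-ChildItem -Path $archive -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $archive 'SHA256SUMS.csv') -NoTypeInformation

# Upload the month's folder to the SharePoint archive site (placeholder URL and library).
Connect-PnPOnline -Url 'https://contoso.sharepoint.com/sites/LogArchive' -Interactive
Get-ChildItem -Path $archive -File | ForEach-Object {
    Add-PnPFile -Path $_.FullName -Folder "Shared Documents/$label" | Out-Null
}
```

Run it from a scheduled task in the first days of each month. The day-sized windows matter on busy tenants: a single month-wide Search-UnifiedAuditLog session silently stops at the 50,000-record cap, which is exactly the kind of gap an auditor will find.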

References

There is a lot of information about Office 365 on the Web—the issue is finding the right site. The information contained in this chapter is a combination of my experience doing deployments and of support information that has been published by third parties.
