SaaS Alerts Platform Development and Challenges
Anthony, Benjamin, and David discussed the development and functionality of their software platform, SaaS Alerts. They also discussed the challenges of obtaining complete device information for all events, with Microsoft and Google being noted as exceptions. Benjamin mentioned ongoing work to improve data enrichment, especially from Google. Lastly, they welcomed a new team member, Austin, who had previously shared an idea for identifying a single-factor login.
Software Tool Risks and Monitoring
Anthony highlighted the potential risks of using certain software tools, such as Perfect Data Software and EM Client, which can be misused to gain access to sensitive information. He advised the team to be vigilant and regularly monitor for any suspicious activity. Benjamin further explained that while these software tools have legitimate uses, they can also be weaponized by cybercriminals to exfiltrate data.
Enhancing Security Measures for SharePoint/OneDrive
Benjamin and Anthony discussed the potential risks of users storing sensitive information in their SharePoint or OneDrive files and the need for enhanced security measures. They considered disabling user consent for app installations to prevent unverified applications from being added, despite this requiring more administrative work. They also discussed the importance of securing their platform against potential hacking attempts, the need to fine-tune default policies, and the idea of developing a list of known bad actor software. Lastly, they examined the security settings of applications in relation to Microsoft's best practices and the option to require user consent for applications.
Application Tracking, Permissions, and SharePoint
DJ discussed tracking failures for specific applications to detect compromised credentials. Anthony expressed a desire for a report summarizing application permissions, which Benjamin confirmed is being developed. Enrique asked about disabling anonymous SharePoint sharing, and Benjamin agreed to explore creating a GUI for managing SharePoint guest sharing permissions. Steve mentioned a Respond rule that detects successful brute force attacks.
Addressing Authentication Failures and Filters
Steve raised concerns about numerous authentication failures, suspecting them to be hacker attempts. He proposed adding a filter to prevent false positives from unified matching devices. Benjamin agreed with the idea and suggested additional filters to further reduce false positives. The team decided to implement the filter on successful authentication rather than failed ones, to prevent constant false positives from regular users. They also discussed potential causes of the authentication failures.
Addressing Technical Issues and Solutions
Benjamin, Enrique, Anthony and Austin discussed various technical issues and potential solutions. There was also a discussion about the use of Apollo AI as a threat vector and the creation of a rule schedule to block certain actions during weekday hours. Lastly, the team discussed the time zone functionality of a specific platform and the potential use case of activating certain rules only when out of the office.
Handling Security Threats and Authentication
Austin proposed a strategy for handling potential security threats by taking the minimum necessary action to remove them, while also considering the impact on legitimate users. The team also discussed the need for a stronger response to certain sign-in conditions, such as bad IPs or unknown devices. Anthony confirmed that they are developing measures to incorporate account statuses into their rules, and that different actions would be taken based on whether a user has Multi-Factor Authentication (MFA) enabled or not.
ASN, VPN Traffic, and Intune Integration
Benjamin suggested using the ASN (Autonomous System Number) name of Total's IP owner to differentiate between their legitimate VPN traffic and suspicious traffic. Todd raised concerns about keeping Total's IP addresses updated. Enrique proposed blocking users not connecting from the company's VPN solution to force them to log in. The team discussed ongoing work to integrate Intune data for device management, with a goal of supporting mobile devices by the end of the year.
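As an added example (not SaaS Alerts' own code), the following Python sketches the rule logic discussed in the last few sections: only successful sign-ins are evaluated, the ASN name of the source IP owner is compared against the customer's known VPN provider instead of a maintained IP list, and the response for an unknown ASN depends on whether MFA was used and the device is known. The ASN names, sample events, and action names are constructed assumptions.

```python
# Added example, not SaaS Alerts' code: a rule that evaluates only successful
# sign-ins, trusts a customer's VPN provider by ASN name rather than by IP list,
# and escalates unknown-ASN logins harder when MFA was not used.
from collections import Counter

# Assumed: the customer's VPN egress is owned by this ASN (constructed name).
TRUSTED_VPN_ASN_NAMES = {"EXAMPLE-VPN-PROVIDER"}

# Constructed sample events in the shape an IP-enriched sign-in record might take.
SAMPLE_EVENTS = [
    {"user": "alice", "result": "failure", "asn_name": "EXAMPLE-RESIDENTIAL-ISP",
     "mfa_used": False, "device_known": True},
    {"user": "alice", "result": "success", "asn_name": "EXAMPLE-VPN-PROVIDER",
     "mfa_used": True, "device_known": True},
    {"user": "bob", "result": "success", "asn_name": "EXAMPLE-HOSTING-ASN",
     "mfa_used": False, "device_known": False},
    {"user": "carol", "result": "success", "asn_name": "EXAMPLE-HOSTING-ASN",
     "mfa_used": True, "device_known": False},
    {"user": "dave", "result": "success", "asn_name": "EXAMPLE-HOSTING-ASN",
     "mfa_used": True, "device_known": True},
]

def classify(event: dict) -> str:
    """Return the action for one sign-in event (action names are assumed).

    Failures are ignored: the team chose to filter on successful authentication
    so that ordinary users mistyping passwords do not generate constant alerts.
    """
    if event["result"] != "success":
        return "ignore"
    # Matching on the ASN name avoids keeping the provider's IP ranges updated.
    if event["asn_name"] in TRUSTED_VPN_ASN_NAMES:
        return "allow"
    # Unknown ASN: a successful login without MFA is the strongest signal, so it
    # gets the account-level action; MFA plus an unknown device still needs review.
    if not event["mfa_used"]:
        return "disable_account"
    if not event["device_known"]:
        return "alert"
    return "log"

def summarize(events: list[dict]) -> dict[str, int]:
    """Count actions across a batch of events, e.g. for a daily review report."""
    return dict(Counter(classify(e) for e in events))

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["user"], classify(e))
    print(summarize(SAMPLE_EVENTS))
```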
Improving Threat Identification and Reporting
Benjamin and Anthony discussed the need for improved threat identification and reporting within their system. Benjamin emphasized the importance of recognizing suspicious activity from unidentified ASNs and the desire to generate their own threat feeds. Anthony acknowledged this concern and shared that they've been working on incorporating machine learning and AI to better identify and respond to malicious activity. He also mentioned that any new rules or Fortify templates developed through the MSA program would be available to the community.
SaaS Alerts' Office Hours | 07.16.24