Know the Signal, Trust the Signal

I’ve been doing a lot of traveling and speaking about Microsoft security products. One of the areas I like to talk about is alerting from the Office 365 Protection Center and Cloud App Security. The talking point goes that Microsoft relies on alerts generated within Cloud App Security to predict, with a high degree of accuracy, when someone is preparing to leave the organization.

There are a number of metrics that can be enabled for alerting, like suspicious logins, activity from anonymous IPs, and impossible travel events, but there are a pair of canned alert policies in CAS that, when triggered together for the same user, generally add up to “job hunting”:

1. Unusual file deletion activity (by user)

2. Unusual file download (by user)

The theory is that MS employees are generally allowed to keep personal data in their OneDrive for Business account, and that data is classified as either “general” or “personal” data. When the employee is preparing to leave, though, they typically move that content to Dropbox or Google Drive or some other competing solution. That might not be a big deal on its own, but the corresponding deletion from OneDrive is what triggers the concern. Maybe there’s a business reason to put data in Dropbox. Maybe it’s a set of project files that a customer wants to view in a different platform. Whatever, but deleting it from the source? Uh oh.
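The correlation described above, as an added example that is not code from the original post or from Microsoft: it flags only users for whom both built-in policies fired within a short window, and ignores either alert on its own. The alert records and their field names are constructed to resemble an exported CAS alert list and are assumptions, not a real tenant's data.

```python
"""Correlate the two CAS alert policies per user (added example).

Alert field names (user, policy, time) are assumptions about an exported list.
"""
from datetime import datetime, timedelta

# The two built-in policies the post says add up to "job hunting" when they
# fire together for the same user.
DELETION_POLICY = "Unusual file deletion activity (by user)"
DOWNLOAD_POLICY = "Unusual file download (by user)"

# Constructed sample alerts (not real tenant data).
SAMPLE_ALERTS = [
    {"user": "alice@example.com", "policy": DOWNLOAD_POLICY, "time": "2024-03-04T09:12:00"},
    {"user": "alice@example.com", "policy": DELETION_POLICY, "time": "2024-03-05T17:40:00"},
    {"user": "bob@example.com",   "policy": DELETION_POLICY, "time": "2024-03-04T11:00:00"},
    {"user": "carol@example.com", "policy": DOWNLOAD_POLICY, "time": "2024-01-10T08:00:00"},
    {"user": "carol@example.com", "policy": DELETION_POLICY, "time": "2024-03-20T08:00:00"},
    {"user": "dave@example.com",  "policy": "Impossible travel activity", "time": "2024-03-04T12:00:00"},
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def flag_departure_risk(alerts, window_days=14):
    """Return users who triggered BOTH policies within `window_days` of each other.

    Each hit records the earliest download/deletion pairing so an analyst can
    pull the underlying activity log for that span. A single policy firing
    (bob) or both firing months apart (carol) is not flagged.
    """
    by_user = {}
    for a in alerts:
        if a["policy"] in (DELETION_POLICY, DOWNLOAD_POLICY):
            by_user.setdefault(a["user"], {}).setdefault(a["policy"], []).append(_parse(a["time"]))
    window = timedelta(days=window_days)
    hits = {}
    for user, per_policy in by_user.items():
        dels = per_policy.get(DELETION_POLICY, [])
        dls = per_policy.get(DOWNLOAD_POLICY, [])
        pairs = [(d, l) for d in dels for l in dls if abs(d - l) <= window]
        if pairs:
            first = min(pairs, key=lambda p: max(p))  # earliest completed pairing
            hits[user] = {"download": first[1].isoformat(), "deletion": first[0].isoformat()}
    return hits

if __name__ == "__main__":
    for user, when in flag_departure_risk(SAMPLE_ALERTS).items():
        print(f"{user}: download {when['download']}, deletion {when['deletion']}")
```

Widening `window_days` trades fewer missed slow movers for more noise; the sample shows carol only appears once the window reaches the 70 days between her two alerts.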

So I talk about this vector pretty regularly with IT departments, because they’re generally blindsided by staffing changes, and often there’s little to no opportunity to pre-hire a replacement and get that person trained up on the systems.

But what if you could predict that in your organization? What if you could get someone hired and on-boarded before the Security guy walks out the door?

Recently I was helping a client untangle the myriad signals in their own Microsoft 365 deployment, and I came across an interesting set of signals. They hadn’t done much with Cloud App Security, but Office 365 alerts were detecting an “unusual volume of file deletions.” Repeatedly, actually. But while the alerts were being received by their admin team, they didn’t really know what to do with them, and were considering suppressing the alerts.

A little poking revealed that these were all one user, and guess what: that user just tendered their resignation. What I found particularly useful was that this was all 100% pre-canned reporting. The client had done nothing at all to enable it: it’s a default policy.

So the signal was there, and the signal was correct: the user was planning to depart. And though it was only detected after the resignation was tendered, this organization now knows how to correlate the data to protect themselves from future staffing challenges!

Adrian Amos