Microsoft announces expansion of cloud logging to customers worldwide – for free!
In an announcement yesterday, Microsoft declared it will be expanding access to wider cloud security logs in the coming months to customers worldwide at no additional cost. Specifically, with the new changes, log data previously only available at the Microsoft Purview Audit (Premium) subscription level will soon become accessible to Microsoft Purview Audit (Standard) subscription level customers. Additionally, Microsoft announced that it is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.
Why is this important?
Every day, organizations across the country fall victim to unauthorized intrusions of their email environment (commonly referred to as a business email compromise or BEC). The response to a BEC can, and in many cases must, include a detailed review of applicable logging to identify which emails and documents, if any, the intruder interacted with during the period of unauthorized access. Ultimately, the investigation can only be as conclusive as the data available to analyze.
Historically, visibility into any actions taken by an intruder during a BEC event has depended greatly on subscription level (Audit Premium customers often have deeper visibility into the actions taken by an intruder than Audit Standard customers). Key questions of an email security investigation, as phrased by Microsoft, typically include:
- Which user accounts logged in, and from where?
- What emails were read, sent or forwarded?
- Who read or modified confidential documents?
- What searches were performed in email?
Moving forward, more organizations will have the ability to answer these critical questions, because Audit Standard customers will now be able to gain access to crucial and previously unavailable forensic artifacts during security investigations.
The determination of any potential legal obligations following a BEC incident, including possible notification to individuals whose personally identifiable information (“PII”) was exposed, often entails a detailed analysis of what protected information (if any) was potentially accessed and/or acquired by an unauthorized party. The more advanced the logging is, the greater confidence an organization will have in moving toward a narrowly tailored resolution of a BEC event.
Access to expanded logging will eliminate or at least mitigate forensic blind spots, thus allowing organizations in some instances to conclude with demonstrated confidence that unauthorized parties did not interact with protected information. Alternatively, in instances in which unauthorized parties do interact with protected information, the advanced logging will allow organizations to identify that information specifically, in an effort to narrowly tailor legal notification obligations.
Organizations that wish to follow Microsoft’s rollout can bookmark Microsoft’s Security Blog for the latest coverage on security matters.
As always, McDonald Hopkins’ national cybersecurity and data privacy team is available to effectively and efficiently assist clients through all manner of cybersecurity events, including BECs.