MFGS, Inc. Blog - Cybersecurity and DevSecOps Resources for the DOD

Three Lessons from CSRB Report on Microsoft Exchange Online Intrusion

Written by Gene Marrero | Apr 23, 2024 3:28:33 PM
Last month the Cyber Safety Review Board released its report regarding the Microsoft Exchange Online intrusion, initially reported in July 2023. The incident impacted a wide range of senior government officials—both in the U.S. and abroad—affecting professional and private email accounts alike.

There are multiple posts online referring to the Cyber Safety Review Board’s (CSRB) "scathing report" towards Microsoft (another example here). Even Microsoft itself weighed in on the incident, publishing a series of blog posts regarding its findings (also here and here).

The CSRB report lays out twenty-five findings and recommendations. The harshest criticisms were directed at Microsoft, painting a grim picture of the tech giant’s deficient security culture.

Other recommendations were directed at cloud providers. The report even included guidance around FISMA and FedRAMP. Perhaps one of the more interesting suggestions was that cloud service providers should stop charging more for security logs, given they are crucial for investigating any cybersecurity incident.

Four Lessons from CSRB’s Report on the 2023 Microsoft Exchange Online intrusion

As I read through the full CSRB report, I kept thinking about the bottom line, both as a consumer and a concerned citizen. If I were in a leadership or decision-making position and worked in an organization or agency already dependent on these cloud providers, what conclusions should I be drawing?

As such, I have three thoughts to share and help draw a central lesson from this report. They reflect life lessons I either learned the hard way or heard from others in the past.

  1. "No one will value one's property better than oneself." This might resonate better with those who have rented or lent their house or car to a family member or a third party.
  2. "Do not place all your eggs in one basket." In this case, it means not depending on a single provider and treating cloud providers like they are utility companies, especially when you have the powerful option to use a multi-cloud approach.
  3. "Anyone can share or delegate responsibility but never accountability." This last one is more in line with the fact that it does not matter where the deficiency occurred; organization and agency leaders are accountable for the outcome and must take ownership of their decisions.  
  4. "When it comes to security, never trust anyone; like an onion, having different layers might be wise." It’s imperative to have separate and independent solutions from the cloud platform to ensure security is not compromised when one link in the chain fails. This is so important, and a very tough lesson to learn the hard way.

Three Takeaways from CSRB’s April 2024 Report

With that in mind, here are three things to consider when evaluating solutions independent of the cloud service provider's offerings.

The right IAM tools and controls are essential.

The report especially calls for better Identity and Authentication controls across cloud platforms. This will require a robust solution that seamlessly covers all IAM (Identity and Access Management) capability areas and can support on-prem, cloud, and hybrid deployment models, including multi-cloud. The goal of an effective IAM solution is to ensure the right user is given the right access level to the right resource at the right time for the right reasons.

NetIQ provides IAM solutions such as PAM (Privileged Access Management), IdM (Identity Management), MFA (Multi-Factor Authentication), and IGA (Identity Governance and Administration), to mention a few. It delivers superb usability through synergistic integrations and increased security across the entire IT landscape.

Agencies need AI and ML tools that go beyond traditional IAM solutions.

The report also asks for a solution far beyond traditional IAM solutions. In my opinion, it’s asking for a UEBA (User and Entity Behavior Analytics) solution to identify risky behaviors quickly.

The ArcSight Intelligence unsupervised machine learning (uML) solution paired with its built-in SOAR can promptly detect incidents and significantly reduce response times. Incidentally, the State Department's custom SIEM (Security Information and Event Management) rule, which was named “Big Yellow Taxi”, is the only reason the Microsoft security breach was detected in the first place. One could say it adds more validity to ArcSight's layered analytics approach.

Another important point is that Microsoft's log retention policy was only 30 days, which is far from compliance requirements. ArcSight's storage compression ratio would have helped expand that policy, since it can provide around or up to 90% savings in storage needs. 

If or when an incident occurs, your Data Management and Data Governance solution could be the difference between a cyber incident and full-scale disaster. So, plan accordingly.

The report clearly states that the primary vector of this incident was the compromise of signing keys; Microsoft has yet to figure out how the actor group obtained them.

My first thought is about Information (Data) Management and Governance (IMG) since it is crucial for agencies to know where, when, and who accesses their data. IMG solutions help improve security by minimizing risks, improving data quality, and improving regulatory compliance, while reducing costs and increasing collaboration and the value of your data.

Conclusion

IMG offerings, such as Intelligent Data Operating Layer (IDOL), Content Manager, or File Analysis Suite (FAS), would have helped in knowing and detecting where those keys were located and who had access to them. Additionally, data protection solutions such as Voltage Fusion help discover and classify data anywhere it lives while protecting the data and retaining its value and usability.  

As the trusted software advisor to the DoD, MFGS, Inc. offers enterprise-grade software solutions and a deep understanding of how U.S. federal government agencies operate. Our team of experts will support your entire software development lifecycle, enabling you to securely Plan, Build, Deliver, and Run your mission.