Getting Started with the Office 365 Security and Compliance Center

Transcription

1 Getting Started with the Office 365 Security and Compliance Center

2 CONTENTS Introduction...3 Features overview...7 Licensing...8 Part One: Reports...9 Part Two: Permissions...16 Part Three: Data Loss Prevention...22 Part Four: Data Management...28 Part Five: Service Assurance...31 Part Six: Search and Investigation...33 Part Seven: Alerts...39 Final Advice...42 References and further reading...43 All commentary, evaluation, and images are representative of the Office 365 Security and Compliance Center as it appeared in July

3 INTRODUCTION: Data Security and the Cloud WHITE PAPER People tend to believe that their possessions are more secure when they are located where they can be seen and safeguarded. This is also true for data, and has often been a serious consideration when organisations evaluate the suitability of cloud services: Where exactly is my data? How is it protected? Do I have any control over its security? This belief and the questions it provokes have both shaped the way that many organisations approach the cloud. But it has also shaped the way the technology itself has been developed and refined, prompting providers to educate their audience, dispel the myths and most importantly demonstrate their security credentials through the creation of innovative and effective solutions. When dealing with the cloud, most organisations require a balanced approach to security and compliance: they need to feel confident that their data is protected to the highest degree, but also that their information is always accessible to them, enabling appropriately qualified staff to monitor and manage their environment. At its core, it is a matter of building and maintaining trust, as explained by Microsoft, Moving to a cloud service shouldn t mean losing access to knowing what s going on. With Office 365, it doesn t. We aim to be transparent in our operations so you can monitor the state of your service, track issues, and have a historical view of availability. If you are involved in managing your services and data across Office 365, then it s likely that you will have come into contact with the Compliance Center, an area where Office 365 admins are able to control security and permissions and meet any legal, regulatory, and organisational compliance requirements. You also may have noticed that it s recently received a makeover... 3

4 The New Security and Compliance Center Positioning itself as the One stop shop for security and compliance, the new center has all of the compliance functionality of its predecessor, split into seven areas: Reports, Permissions, Data Loss Prevention, Data Management, Service Assurance, Search and Investigation, and Alerts. 4

5 The previous Office 365 Compliance Center looked like this As you can see, the new center looks very different from the previous one. The options listed in the left-hand navigation appear to have changed, but no features have been lost. Some of the options have been grouped into sections alongside new additions - as you can see in the expanded navigation pane from the new center (right). For the most part, this layout groups complementary tools by their overall objective - if you need to manage your data, you can find all the features you would need in that area. 5

6 In all the documentation both inside and outside the new Security and Compliance Center, Microsoft has been keen to emphasise that it is a work in progress, and the current offering is far from fully-fledged. Their vision isn t without some challenges, creating a framework that enables every organisation to coordinate their own security, and achieve compliance will not be simple, particularly when most organisations have unique needs, and some industries require extremely stringent regulation. According to Microsoft: This new management interface represents our evolving compliance offering, which will eventually span all Office 365 compliance-related features and help you meet your legal, regulatory, and organizational compliance requirements. Consolidating compliance functionality across services into this single area will make compliance features easier to access and enhance your end-to-end task-based experience. In this white paper, we will be exploring the new Security and Compliance Center, investigating each feature, highlighting its functionality, and evaluating its capabilities. But before we jump into each section of the center, we ll take you through some of the basics of access and licence requirements to ensure that you know what you can use, and what to expect. 6

7 Features Overview Let s start with the basics what are the features of the Security and Compliance Center, and how can you use them? The table below explains the key features of the Center, which also conveniently forms the structure for this white paper as we will look at each of them in turn. If you re looking to find out more about a specific feature, you can click the link below and go straight to that section. Further overview information is available on Microsoft s support pages here. Security and Compliance Feature Reports Permissions Data Loss Prevention Data Management Service Assurance Search and Investigation Alerts Overview In this area you can find user activity reports such as sign-ins for SharePoint Online, Exchange Online, and Azure Active Directory. Grant permissions for compliance tasks like device management, data loss prevention, ediscovery, and retention in this section. Set up, review and amend DLP policies, allowing you to monitor, and automatically protect sensitive information across Office 365. Use this area to import from other systems. You can also enable archive mailboxes or set policies for retaining and other content. Review details about how Microsoft keeps Office 365 customer data safe, and how this meets industry compliance requirements. Search for content and review user activity. Use ediscovery to manage cases and Supervisory review to define policies that help you capture communication for review. View and manage alerts for your Office 365 environment, including Advanced Security Management alerts. 7

8 Before we begin Find out which features you re licenced for All Enterprise or Business licences include access to the Security and Compliance Center but be aware until other permissions are set, the center can only be accessed by the Global Office 365 admin. Global admins can configure user permissions immediately, assigning access to areas of the center, but initially they re the only ones who can get in. Below is a breakdown of the main features available in the center, and their availability depending on your Office 365 licence type. Features Business Essentials Business Business Premium Education Enterprise E1 Enterprise E3 Enterprise E4 Enterprise E5 Access to the Center Yes Yes Yes Yes Yes Yes Yes Yes Yes Enteprise K1 Archiving Yes Yes Yes Yes Yes Yes Yes Yes Yes Data Loss Prevention No No No Yes No Yes Yes Yes Yes Mobile Device Management Yes Yes Yes Yes Yes Yes Yes Yes Yes ediscovery Search Yes Yes Yes Yes Yes Yes Yes Yes Yes ediscovery Litigation Hold No No No Yes No Yes Yes Yes No Advanced ediscovery No No No No No No No Yes No ediscovery Export No No No Yes No No Yes Yes No Import Yes Yes Yes Yes Yes Yes Yes Yes Yes Permissions Yes Yes Yes Yes Yes Yes Yes Yes Yes Retention Yes Yes Yes Yes Yes Yes Yes Yes Yes Content Search Yes Yes Yes Yes Yes Yes Yes Yes Yes This information has been gathered from Microsoft s platform service description. One new feature that isn t mentioned is Advanced Security Management which is part of the Alerts section of the Security and Compliance Center. This is available to all Enterprise E5 licences, but it can also be purchased as an add-on to other licence types for an additional cost ($3 per user per month). 8

9 Part One: Reports If you are involved in managing Office 365 for your organisation, you will know how important it is to be able to see what s actually happening in your environment, and be able to use that data to inform decisions around the protection, optimisation and adoption of your platform. There are three areas of reporting that can be found in the Security and Compliance Center currently: Auditing, Supervisory Review, and Data Loss Prevention (DLP). The reports are also available under the Reports section of the new Office 365 Admin Center. 9

10 But in the Security and Compliance Center, they are listed as follows: Auditing: Many organisations have very strict requirements when it comes to auditing, and Office 365 has been developed over time so that it increasingly attempts to meet these needs natively. The new reports enable admins to: view activity in SharePoint Online and OneDrive for Business sites ; and see sign-in activity and mail related activity in Exchange Online. The reports available at the time of writing are Office 365 audit log report, Azure AD reports, Exchange audit reports. 10

11 The Audit Log allows you to drill down into user activity. If you need to see whether a certain individual viewed, copied, deleted or altered an item, it is possible to do this here. It is a unified audit log, which means that you can search for: User activity in SharePoint Online and OneDrive for Business User activity in Exchange Online (Exchange mailbox audit logging) Admin activity in SharePoint Online Admin activity in Azure Active Directory (the directory service for Office 365) Admin activity in Exchange Online (Exchange admin audit logging) The search functionality and the filtering is easy to use, with the capability to search within specific timeframes, and for a wide number of activities. You are able to export the results to a.csv file, but it is not possible to download more than 50,000 entries from a single search. In order to get around this limit, you can run multiple searches with smaller data ranges and collate the information once it has been exported. 11

12 Things to note before you begin audit logging: 1. You must turn on audit logging otherwise you won t be able to use the feature. You will not be able to gather any information on the period before this is enabled, so it is important to be proactive if you wish to use audit information for a specific task or timeframe. 2. To turn it on, click Start recording user and admin activity on the Audit log search page in the Security and Compliance Center. Once you enable this, you cannot search immediately, and will need to wait a couple of hours while the data is being prepared. 3. If this link is not visible on this page, it means that logging has already been enabled for your organisation. 4. In order to search the Office 365 audit log, you must be assigned the View-Only Audit Logs or the Audit Logs role in Exchange Online. Microsoft s Support page states that: To be assigned one of these roles, a user must have an Exchange Online license. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange Admin Center. To give a user the ability to search the Office 365 audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. 5. Permission has to be assigned in Exchange Online, not just through the Permissions page in the Security and Compliance Center. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet. 6. You can currently only search for activities in the last 90 days. 7. It can take up to 15 minutes for the audit log entry to appear after an event has occurred in SharePoint Online and OneDrive for Business. In Exchange Online and Azure Active Directory it can take up to 12 hours for the event to be logged. 12

13 The main consideration when using auditing features within Office 365 is evidently one of timing. You need to ensure that logging is enabled for when you need it, and that the information you want from it will be available at the point at which it is required. Supervisory Review: Many organisations need to have a supervisory review policy, which allows you to capture employee communications for examination by internal or external review. Industries that operate under strict regulation, such as financial or legal services, may require this policy, and it is possible to set it up to review any communications that contain certain phrasing. The supervisory review report can be used to get the status of all supervisory review policies in your organisation. Data Loss Prevention: Data loss prevention policies take time and effort to set up, so it is important to verify that they are working, and that they contribute towards ensuring that your organisation remains compliant. There are two DLP reports available, enabling you to view information about the SharePoint Online and OneDrive for Business items in your organization, and review any DLP matches, overrides, or false positives for your configured DLP policies and rules. Currently this section has two reports. The DLP policy and rule matches report allows you to filter activity using date, location (SharePoint Online, OneDrive for Business and Exchange Online), and you can drill down into the different policies in place, and then click into the specific incidents. The DLP false positives and overrides report shows where the DLP policy has flagged sensitive data incorrectly, or where a user has overridden the organisation s policy. 13

14 If the user has included sensitive information in an , such as financial details or company information, they would be alerted using a Policy Tip (as seen below), warning about sensitive content. A false positive is where the user has clicked Report because they do not think that it is applicable for the content that they are sending. An override is where a similar Policy Tip notifies the sender that: (recipient) is not authorised to receive this . To send this message, you must override your organisation s policy. Depending on the way in which Policy Tips are configured, they can merely warn workers, block their messages, or even allow them to override the block with a written justification, that is then sent to the Admin. The DLP report allows you to review how your users are interacting with your policies, and to check whether this is working effectively to achieve compliance. The reports make it possible to identify any areas for improvement or refinement to existing policies. 14

15 The reports section of the Security and Compliance Center is a great place to start reviewing your policies, and monitor user activity within the platform. As Microsoft have mentioned throughout the new center it is not finished yet, and this sense of incompletion is visible in some places. In their current form, the reports don t have the breadth and depth necessary to provide the details that many admins need, but they re close. The main concern is timing. When it comes to these reports, if you re not careful you may not realise what you need until it s too late to get it. If the features are not enabled in time, or if you fail to capture data within the center s time constraints you might lose valuable information. In order to get the most out of the current Security and Compliance Center, it is important to have a proactive and forward-thinking approach, and while most people aim for this, it is not always achievable in reality sometimes it s nice to have a margin of error. 15

16 Part Two: Permissions The permissions area enables you (if you are a global Office 365 admin) to assign permissions which allow other users to perform tasks in the Compliance Center. These tasks might include: Data Loss Prevention Device Management ediscovery Archiving, auditing and retention in Exchange* *It is not possible to assign permissions for all features through this portal any that relate to Exchange use an underlying Exchange Online cmdlet which requires permissions through the Exchange admin center. Individuals who are given permissions are only able to perform the task(s) that they are explicitly granted access to. In order to access the Security and Compliance Center itself, you have to be an Office 365 global administrator, or assigned membership to one or more Security and Compliance role groups. 16

17 Roles and Role Groups This is how Microsoft defines roles and role groups for the center: A role grants permissions to do a set of tasks; for example, the Case Management role lets people work with ediscovery cases. A role group is a set of roles that lets people perform their job across the Security & Compliance Center; for example, the Compliance Administrator role group includes the roles for Case Management, Content Search, and Organization Configuration (plus others) because someone who s a compliance admin will need the permissions for those tasks to do their job. The Security & Compliance Center includes default role groups for the most common tasks and functions that you ll need to assign people to. We recommend simply adding people (individual users or groups) as members to the default role groups. These different options provide admins with the choice when assigning permissions, enabling them to grant the access that users need, whilst ensuring that the user is only able to view the data they need to do the task or job required. It is important to note that role group memberships are not shared between Exchange Online and the Security and Compliance Center. More details on role groups and access to the center can be found here. Once inside the permissions section, there are a number of default role groups listed: Compliance Administrator, ediscovery Manager, Organization Management, Reviewer, Service Assurance User, Supervisory Review. 17

18 We will go through each of these areas individually and explore which permissions are available in which role groups. 1. The Compliance Administrator Role Group members are able to manage the compliance tasks listed above, and within the group there are a number of different roles. For example, if an individual in your organisation needs to deal with compliance search only, then they can be assigned this role only, not full membership to the group. 2. Electronic or ediscovery is the term used for identifying, preserving and providing electronic information, which can be used as evidence in legal cases or investigations. It is a very powerful tool, and due to its potential to expose sensitive information, permissions for ediscovery need to be controlled and assigned carefully. Like all areas of the permissions section, this area is a role group, split into roles, however ediscovery is also structured into cases (the specific incidents being investigated). This adds an extra layer of protection to the contents as it means that permissions can be split into managers and administrators. 18

19 3. The Reviewer is a role group that is part of ediscovery. There is only one role available and it has a limited set of analysis features in Office 365 Advanced ediscovery. Members of this group are able to see the specific documents that are assigned to them. Members can t create, open, or manage an ediscovery case. 4. Organization Management members are able to control permissions for the other features of the Security and Compliance center, including management of data loss prevention, reports, preservation and device management settings. All global Office 365 Admins are automatically added to this role group. As you can see by the list of roles, this group assigns permissions to many other aspects of the default role groups, such as case management, service assurance view and compliance search. 5. Members of the Service Assurance User group can access the service assurance section of the Security and Compliance Center. This area contains reports and documents that outline Microsoft s security practices for stored Office 365 customer data. It also contains independent audit reports on Office

20 6. In the Supervisory Review role group members can create and manage the policies that dictate which communications are subject to review in an organisation. By creating a supervisory review policy, you can gather certain employee communications for examination by internal or external review. These can be set up using the advice in this TechNet article. Custom role groups and roles The permissions area also offers the option to create a new role group and add roles and members. This allows you to customise and combine different roles. Microsoft advise using the default list provided, but if you had a unique set of requirements for example if you had a number of users who needed (for whatever reason) to use a combination of compliance search, ediscovery reviewer, and service assurance view, you could create a role group formed of these elements rather than adding users to different roles in each group. 20

21 Summary of all Role Groups and Roles Role Group Compliance Admin ediscovery Manager Reviewer Organization Management Service Assurance User Supervisory Review Custom Role Group Roles Case management Compliance search Hold Organization configuration View-only audit logs View-only recipients Case management Compliance search Export Hold Preview Review Review Audit Logs Case management Compliance search Hold Organisation management Role management Search and purge Service Assurance view Supervisory Review administrator Custom role(s) 21

22 Part Three: Data Loss Prevention Data loss can occur due to a number of events: breaches, leaks, malware, hacking the list goes on. But, surprisingly (and more often than not) user error is a much greater risk to an organisation s data. While software and security solutions can be used to protect against the former, the latter is much harder to tackle how can you stop someone in the organisation from making a mistake? To err is human after all. In the Security and Compliance Center, there is a section that deals with data loss prevention (DLP) policies. This feature enables you to set DLP policies in order to protect sensitive data and ensure that it is not accidentally or inadvertently exposed. Many organisations have very stringent policies on sensitive information such as financial data and personally identifiable information (PII), so policies can be used to remain compliant. As you can see, all policies can be set using the Security and Compliance Center apart from any policies, which must be configured through the Exchange Admin Center. For more information on this, see Data loss prevention in Exchange Online. 22

23 According to Microsoft s Support pages, with a DLP policy you can: Identify sensitive information across many locations, such as SharePoint Online and OneDrive for Business. For example, you can identify any document containing a credit card number that s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people. Prevent the accidental sharing of sensitive information. Across all sites, you can identify any document containing a health record that s shared with people outside your organization, and then automatically block access to that document for everyone except the primary site collection administrator, document owner, and the person who last modified the content. Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word Just like in SharePoint Online and OneDrive for Business, these Office 2016 desktop programs include the same capabilities to identify sensitive information and apply DLP policies. Help users learn how to stay compliant without interrupting their workflow. You can educate your users about DLP policies and help them remain compliant without obstructing productivity. View DLP reports showing content that matches your organization s DLP policies. To assess how your organization is complying with a DLP policy, you can see how many matches each policy and rule has over time. 23

24 If you want to begin using Data Loss Prevention Policies, here s what you ll need to know before you get started. What does a DLP policy contain? Location(s) specifying where the content is, e.g SharePoint Online or OneDrive for Business sites it is possible to select all sites or specific ones, and you can also apply the same policy to multiple areas. Rules, comprising of: o Conditions: the content must match these in order for the policy to work effectively. These can be based around content rules, but also on who the document is shared with. o Actions: when content matching the conditions is found, the specified action will be made automatically. These must be outlined by the policy-maker, and it is important to ensure that the framework of the conditions encompasses all of the content that needs to be found, and that the automatic action is applicable for all information and situation types. The condition options include: Apply to all content Content contains sensitive information Content is shared with Document properties contain any of these values 24

25 A Policy Example: Location: An organisation s Sales sites, folders, documents and libraries in both SharePoint Online and OneDrive for Business. Conditions: The content must match the organisation s financial information. This includes at least one of the following: account number, sort code, account name. There must be an attempt to share these details externally in order to meet these conditions. Actions: If the conditions are met, the individual will be blocked from completing this action. They will need to contact their organisation s Compliance Officer in order to justify their action, then depending on their judgement, they may be permitted to continue. While it is possible to block access to the particular action, a less drastic or obstructive option is by enabling notifications called Policy Tips. These pop up in a window within the interface and warn the user of the breach of policy. The Policy Tip offers an option to reconsider, override the notification, or report it as a false positive if the user does not believe that the item in question conflicts with the policy. This allows for any extenuating circumstances, or errors in the DLP policy to be individually considered by the policy-maker. A false positive is when content appears to match a policy but does not actually contain sensitive data, and therefore should not be flagged by the conditions. It is possible to report on these to monitor the effectiveness of your DLP policy, and make any necessary amendments to avoid false positives. The Data Loss Prevention section has a number of policy templates for common concerns, these are broken down into three areas: Financial, Medical, Privacy, as well as a custom template for other needs. 25

26 As you can see to the right, the templates already define what they perceive as sensitive information (Credit Card Number, EU Debit Card Number and SWIFT Code). The existing templates can be customised to your organisation s needs, so if you need to include UK passport number into the protect this information section, or want to remove Swift Code, you can do this very easily. You can also make larger amendments perhaps if you need to change it completely to reflect another country altogether (as shown below). 26

27 Microsoft explains the identification process as such: When a DLP policy looks for a sensitive information type such as a credit card number, it does not simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of: Keywords Internal functions to validate checksums or composition Evaluation of regular expressions to find pattern matches Other content examination This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt peoples work. Test Mode If you want to test out DLP policies in your organisation, the best way to explore the functionality (without confusing or restricting your users in its initial stages) is by using it in test mode. This means that there will be no Policy Tips to notify end users, but you can collect the data and use the reports to assess your policy and its needs. As you refine the policy, you can then enable the Policy Tips for your users, this will also allow them to report any false positives or problems that they encounter. If you have any issues, you can turn off a DLP policy at any time, you can also turn off certain rules individually to further refine your approach. 27

28 Part Four: Data Management The Data Management area is made up of three features: Import, Archive and Retention. It enables you to import data from your on-premises servers into your Office 365 environment, as well as offering the option to manage the archiving and preservation of content in the following locations: Exchange Online mailboxes, SharePoint Online sites, and OneDrive for Business. Managing data that is stored in the cloud can feel a little daunting. You can no longer see the physical location of your information unlike previous on-premises solutions, so you may feel like a level of proximity between yourself and the data you manage has been lost. But as Microsoft claims, there s a secure feeling that comes with storing your data in physical servers that you can see, touch, and give a little kick every now and then. But just because you can t kick the cloud doesn t mean you have less control over your Office 365 data. The Data Management area of the Security and Compliance Center looks to provide functionality that puts you back in the driver s seat when it comes to data, and here s how it aims to do this. Data Import This allows you to transfer data from your organisation s servers to Office 365. Microsoft offers two ways to do this: Network Upload uploading the data files over the network and then using the Office 365 Import service to upload the files. 28

29 The other option is Drive Shipping copying your data files to an encrypted hard drive and physically posting it to Microsoft. Once the drive is received, data center personnel upload the data to a temporary storage area, after this is complete the Office 365 Import service can be used to move the data to mailboxes and sites in your Office 365 platform. Data Archive The Archive section in Data Management allows you to see users that have Archive Mailboxes enabled. Also known as an In-Place Archiving in Exchange Online, Archive Mailboxes offer users additional mailbox storage space outside of their default mailbox. In-Place Archiving using Archive Mailboxes can help organisations to meet any message retention, ediscovery, and hold requirements. You can search in the list of users displayed, and enable or disable the feature individually. It also shows you an overview of user-level usage including: Mailbox Usage, Archive Usage, and Recoverable Items Usage. 29

30 Data Retention Finally, the Retention feature allows you to manage the life-cycle of content in Office 365. You can create and apply retention tags and policies for Exchange Online, specifying how long an item should be kept for before being removed. There are a number of links listed which will redirect you to different retention and deletion options. You create deletion policies that will delete , documents, and Skype for Business conversations, as well as document deletion policies for SharePoint Online and OneDrive for Business. Once set, these policies will delete qualifying items after the period of time specified. In addition, preservation policies can be added to help you retain the data you need. The content placed under this policy is immutable, meaning that a copy is preserved even if the item has been changed or deleted. As you can see below, these policies can be added directly through the center. The data management features listed above allow you to take control of how your data is dealt with, but perhaps more importantly, it also enables smarter management. It provides you with the visibility you need to feel in control, but also offers functionality like the wide range of policies in Retention or the advanced search in Archive to streamline management processes. 30

31 Part Five: Service Assurance As a whole, the Security and Compliance Center is geared up to enable you to achieve compliance in your organisation. Alongside this, there is also a section in the center which displays Microsoft s own Service Assurance, providing documentation on how they maintain the security, privacy and compliance of Office 365. This information demonstrates how Office 365 complies with the regulatory and security standards which govern it, but as Microsoft point out, these Compliance Reports and Trust Documents can be also used to perform your own risk assessment and gain confidence that Office 365 meets the security and regulatory requirements of your organisation. The portal requires that you specify your location and industry in order to tailor the resources to your needs. As the area also contains confidential information about Microsoft it also asks that the contents are not shared without prior written consent. 31

32 The documentation is split into Compliance reports (as shown below) and Trust documents, containing white papers, FAQs, end of year reports and other trust-related documents provided by Microsoft. As an organisation s compliance objectives and measures will usually extend beyond just the IT department to all areas of the business, it is likely that non-admins may need to see or compile information regarding Office 365 compliance. If other people in your organisation need to review the Service Assurance documents, it is possible to add or on-board non-admin users. More information on how to do this can be found in the Onboarding Guide here. 32

33 Part Six: Search and Investigation No matter the context, it is always frustrating when you can t find what you need when you need it. Phone, keys, a missing sock we ve all done it, but it s all the more frustrating when the item you re looking for is business-critical, and in data-form, meaning that you have to rely on keywords, dates, and potential locations to try and unearth it (there s no option to look down the back of the sofa, or under the bed). The Search and Investigation feature of the Security and Compliance Center aims to alleviate these frustrations as they occur through enhanced search capabilities, as well as putting the tools in place that inform you of the various activities that are going on in your organization, so you can quickly assess them and, if needed, take action. Let s take a look at these tools: Content Search Previously called Search in the old Compliance Center, Content Search is the area you should head to if you need to find a particular piece of content within your Office 365 environment whether this is an , document or Skype for Business conversation. Content Search looks in mailboxes, SharePoint Online sites, and OneDrive for Business locations. There are no restrictions on the number of mailboxes or sites you can search, and there are also no limits to the number of searches that can be run at the same time. Things you need to know before you can search: To access and use the Content Search, you must be a member of the ediscovery Manager role group in the Security and Compliance Center. This can be configured in the Permissions section of the center. There are certain limits on Content Search these are listed on this support page for reference. You can also use this tool to search for content in Office 365 groups, including the group mailbox, shared calendar and the SharePoint sites associated with a group. 33

34 As you see, the search options are relatively self-explanatory, and allow for wide and narrow searches, depending on your needs. Add in the areas you would like to search and click Next. On the page below, you can add any relevant keywords and select the conditions that you would like to be placed on to the search. The conditions available are split into three types: Common: Date, size, sender, author, subject, title. Mail: Participants, senders, recipients, subject, received, date, sent date, message type. Documents: Author, title, created date, last modified date, file type. 34

35 Once you have put in your search criteria, click Search, and the list of results should include the items that match your search terms. You can preview the search results by clicking Results in the details pane, and then selecting Preview Search Results. It is possible to search within the results based on different attributes, and when you find an item you would like to see, select it by clicking Show Item. It is also possible to update, edit and export the search results: When a search is updated, the query is rerun against the same criteria. On the Content search page, select the search you want to update. In the details pane, under Results, click Update Search Results. By re-running the query, you will return the most recent data for the search. To edit a search, select it from the list and in the details pane, under Query, click Edit Search. Using the Locations page, you can make any changes to the areas you would like to search, and on the Query page, you can edit the search query then just click Search on either page to rerun it. You can export search results to a local computer but only if you are assigned the Export management role in the Office 365 Security & Compliance Center (this role is part of the ediscovery Manager role group). If there are results, they will be downloaded to your computer as PST files. When the search content is from SharePoint or OneDrive for Business, copies of native Office documents are exported. There are a number of limitations to export, based around size and quantity, a full explanation is given on Microsoft s support pages. 35

36 Audit Log Search Audit Log search is a great compliance tool, with the potential to unearth some detailed information about user activity. As we have mentioned before when we talked about reports, one very very important thing you must do before you can use it, is turn Audit Logs on. You will not be able to run an audit log search until this is done and you won t be able to gather any log information prior to enabling it. It is easy to come unstuck with this, so try to pre-empt any need you may have, or err on the side of caution and turn it on as soon as possible. Once it is enabled, it will take a couple of hours to prepare the log, and there is also some delay on the log events it can take up to 15 minutes for a SharePoint or OneDrive for Business event to show up in the log, an Exchange Online or Azure Active Directory event can take up to 12 hours. You also have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the Office 365 audit log. These roles are assigned to the Compliance Management and Organization Management role groups by default, and are located on the Permissions page in the Exchange admin center. 36

37 In this area you can see a number of user and administrator activities over the last 90 days, for example whether a user has viewed or downloaded a specific document or perhaps they ve deleted an item from their mailbox. It is a unified audit log, which means that you can search for: User activity in SharePoint Online and OneDrive for Business User activity in Exchange Online (Exchange mailbox audit logging) Admin activity in SharePoint Online Admin activity in Azure Active Directory (the directory service for Office 365) Admin activity in Exchange Online (Exchange admin audit logging) User and admin activity in Sway To search the Audit log, add your requirements into the fields below, then click Search. As with Content search, it is possible to filter and export the results. Detailed guidance for Audit log search can be found here. ediscovery Electronic or ediscovery is the term used for identifying, preserving and providing electronic information that can be used as evidence in legal cases or investigations. It is a very powerful tool, with the potential to expose sensitive information, so the Search and Investigation area can be used to manage the cases, and control who can create, access, and modify ediscovery cases in your organisation. Recently Microsoft has also added a new case management, hold, search, and export experience, which offers enhanced case management, better preservation of data that has been put on hold and improved granular search capabilities. They have also announced that this area will continue to improve, and will receive additional ediscovery enhancements, such as keyword statistics, source statistics and export de-duplication in the coming months. 37

38 You can add a case by clicking the + button, and filling out the name and description. Once it is completed, your new case will show in the list, and you can go into it, make any changes, add holds, searches or assign access to other users. Due to the nature of ediscovery, it is essential that the correct permissions are set, and that the data can only be accessed by the appropriate users. You can set various levels of access in the Permissions section of the Security and Compliance Center. There are a couple of features in the Security and Compliance Center that need to be configured before they are able to work in your environment. While this isn t exactly a limitation of the center, it could cause issues with usability, and it does mean that users are required to be proactive and possess some level of foresight in order to get what they need. Who knows, later updates may remove this need to turn on features, but for the meantime, it is definitely something to keep in mind. Our advice? Head into the center and make sure you enable audit logging as soon as possible, as well as configuring any features you plan on using. That way, when you need compliance-related information, you will have some data to work with and you won t come unstuck! 38

39 Part Seven: Alerts Alerts are part of the new Advanced Security Management a new set of capabilities powered by Microsoft Cloud App Security to give you greater visibility and control over your Office 365 environment. This feature is a new addition to the center, and is available with Office 365 E5 licences, or as an add-on to other Enterprise plans ($3 per user per month). It began rolling out at the start of June, and is a great indication of Microsoft s plans to build on the center, and refine it further as time goes on. According to the release blog Advanced Security Management includes: Threat detection Helps you identify high-risk and abnormal usage, and security incidents. Enhanced control Shapes your Office 365 environment leveraging granular controls and security policies. Discovery and insights Get enhanced visibility into your Office 365 usage and shadow IT without installing an end point agent. 39

40 When you go into the Alerts section of the center, there is a button that directs you to Advanced Security Management. As you can see above, there is a list of different activities with a range of insights such as: User, App, IP Address, Location, Device and Date. You can search or filter items, and the portal also allows you to create new activity policies. The Alerts section shows you any activity that could be deemed odd, suspicious or harmful. There are anomaly detection alerts automatically set up for certain actions based on Microsoft s algorithms, but you can also set up personalised alerts (activity alerts) for example if you have a certain document that you want to monitor for viewing/download/modification activity, you can set this up here. It is important to note that you have to enable Advanced Security Management. 40

41 To do this: 1. Sign in to Office 365, and go the Security & Compliance Center. 2. Select Alerts, then Manage advanced alerts. 3. Turn on Advanced Security Management for Office 365, and then choose Go to Advanced Security Management. Once enabled, it will be 7 days before you start receiving any anomaly detection alerts allowing the algorithm some time to understand what is normal activity and what isn t. The alerts are ranked on a scale of low, medium and high severity. It can take some time for the data to sync, so you may not have a full view of all activity when you first enter the portal. As you can see above in the blue banner, we got the message: Sync in progress it might take a few hours for all the data to appear. 41

42 Our final piece advice log in and take a look around. As we have seen during our exploration, the Security and Compliance Center has a range of useful tools that can help you to review your environment, and implement compliance and security policies to regulate and safeguard it. When using the center in its current form, pre-empting your compliance needs and usage is a priority if you try to do this when you actually need the data it will be too late. A handful of the features need to be turned on in order to work or require prior configuration, so if you need to set policies and permissions for different elements of the center it is best to do this sooner rather than later, so that your requirements are in place, and no data goes uncollected or unseen. At this stage, the best practice might be to make your configurations, and create basic policies as early as possible then test the changes you make, they can always be amended, refined, or even removed based on the results. While it is likely that certain industries that have strict regulation or perhaps rigid security requirements may not have all of their needs met by the current Security and Compliance Center, the ever-growing set of features and functionality are a solid starting point for mapping out these requirements in Office 365. We hope that this white paper has given you a preliminary introduction to the center, so that you can now explore it for yourself, and begin to test and configure the features for your organisation s needs. 42

43 References and Further Reading Office 365 Platform Service Description b5a8-ae83e7768c85?ui=en-us&rs=en-us&ad=us

44