We have an increasing number of customers that have either migrated to cloud productivity solutions like Office 365 and G-Suite or plan on doing it soon. The migration is usually paired with a decent dose of anxiety over the degree of security control that is relinquished in the process. In particular, the ability to prevent account takeovers is a significant point of concern.

As stewards of the tough to tackle security challenges “estate,” we feel obligated to share the various ways that our MDR+ security team addresses this problem. While we can’t disclose all of the ingenuity we provide to our customers, there are certainly a few things we can share that every organization can use to bolster the security posture of their productivity suite. For this post, we’ll focus on G-Suite (and save Office 365 for another series).

This is the part in the story where I tell you to turn on multi-factor authentication and all your worries will be addressed. Unfortunately, there’s plenty of recent evidence reconfirming that MFA is not a knight in shining armor. It turns out, that sand-filled “DEFENSE-IN-DEPTH” sock that you’ve been pummeling your executive leadership with still carries the best message. So with that groundwork laid, here’s the approach we recommend for our customers:

1) Yes, we do still think you should enable and enforce 2-step verification
2) Enable and enforce Mobile Device Management
3) Enable and enforce Endpoint Verification or Managed Browsers
4) Require administrative approval of managed mobile devices and endpoints/browsers 
5) Set up a device loss reporting process

The mobile device management endpoint/browser features I’ve referenced above are built into G-Suite at no additional cost, so you don’t necessarily need to make a purchase to achieve these capabilities. But there is a caveat. G-Suite’s built-in endpoint verification and browser management only work with the Google Chrome browser. That said, it’s not the worst requirement. In fact, the managed browser capability provides some policy enforcement features that might be worth looking into all on their own. It’s also worth mentioning that steps four and five above involve a bit of manual labor so our final post in this series will discuss the methods we use for automating those processes. But for now, let’s focus on the threat detection benefits that come from the features described above.

The benefits of 2-step verification are well established so I’ll focus on suggestions 2 through 5. If every user in your organization is accessing email through a managed mobile device or browser, any login from a non-managed device is instantly suspicious and should thus require a few additional hurdles to obtain access. Forcing access to go through an administrative approval process can be one of those hurdles, which gives your team (and ours if you’re an MDR+ customer!) an opportunity to take a closer look at the situation. For example, maybe the login is associated with a new user that doesn’t have a managed device yet.

We also perform a series of machine learning supported user behavior modeling techniques to further determine if such a login is a significant deviation from the norm - such as a login from a country that hasn’t formerly been observed for a particular user. Such detections layered on top of this already strong enforcement serve to increase our confidence as to whether a login is a threat or not. In the world of incident response, a high degree of confidence improves our ability to take immediate (and in some cases even automated) action. I’ll cover a few of the machine learning supported threat detection techniques we use in the next post of this series. Let’s take a look at some simple ways we can leverage managed device details in an account takeover scenario.

When a user registers a managed device, a mobile audit event is generated that we can use to build a device tracking list.

When a user’s managed device is deleted by an administrator, an admin audit event is generated, which we can use to prune the list as needed.

We can also accomplish this type of device tracking by calling the G-Suite Admin API directly as needed to get a list of a user’s managed devices but that can get resource intensive if the organization isn’t fully migrated to managed devices, so we opt for the list-building from audit events route. With devices under management, it’s fairly easy to track logins that are coming from non-managed devices and generate cases.

As we’re investigating this login attempt, we can call the managed device tracking list to find out if this user already has a managed device.

As you can see from the screen capture above, this user already has a managed Windows device so a new login from an unmanaged device could indeed be an account takeover attempt.

With the basic concepts covered, it’s worth noting that a typical organization is not likely to make a full transition to managed devices overnight. It’s also possible that a user might need to occasionally login from a non-managed device, which is why we’ve built a much more comprehensive threat detection and response playbook that I will cover in the next post of this series. The final post will address how we can automate the manual tasks of mobile device management.

I’ll wrap up with a brief note about suggestion #5. As pervasive as BYOD has become, I’m amazed by how little attention is given to device loss reporting. It’s a simple process that can provide an opportunity to mitigate a decidedly low-tech (in other words, easy to execute) attack vector. Do you have a stated policy? Better yet, do employees know what to do and who to contact in the event they lose a device?

Thanks for reading! Stay tuned for the next post in the series.


Related Posts

June 22, 2022 Willy Leichter

Replace Your SIEM with Neural Net Technology

Security Information Event Management (SIEM) systems are an outdated technology. It’s no longer...

Learn More

June 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: June 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

June 14, 2022 Tessa Mishoe

Follina Zero-Day Vulnerability Breakdown: Analysis and Remediation

Background The newest Microsoft Office zero-day vulnerability, Follina, has been causing a buzz...

Learn More

June 8, 2022 Ryan Thomas

Five Reasons for Alert Fatigue and How to Make It Stop

Alert (or alarm) fatigue is the phenomenon of becoming desensitized (and thus ignoring or failing...

Learn More

May 31, 2022 Kumar Saurabh

The 3 Biggest Challenges Faced by Today's SOCs & One Smart Solution

As a security operations professional, you've put in your fair share of late nights. You know what...

Learn More

May 24, 2022 Ryan Thomas

LogicHub MDR - Jump Start for AWS Applications

Funny thing about cloud infrastructure - it is well documented that running applications in the...

Learn More

May 20, 2022 Willy Leichter

Automating Threat Detection: Three Case Studies

Demystifying the technology with case studies of AI security in action Many automation tools, such...

Learn More

May 17, 2022 Willy Leichter

It's Time to Put AI to Work in Security

While we’ve been talking about and imagining artificial intelligence for years, it only has...

Learn More

May 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: May 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

May 9, 2022 Tessa Mishoe

Bad Luck: BlackCat Ransomware Bulletin

Blackcat Ransomware On April 19th of 2022, the FBI Cyber Division released a flash bulletin...

Learn More