[MUSIC PLAYING] When you see the news all of the breaches that are occurring, it kind of gives you pause. You kind of go, gee, I don't want to be the next top headline. So the things that I always think about in terms of Office 365 and making sure that my people in my office are not the next phishing attackees is I make sure, first off, that they have education and tools. So I make sure that Office ATP is turned on, and then, secondly, me as the administrator, I'm doing some tools on the back end.
So, if I don't say it enough, multi-factor authentication. Let me say that again. Multi-factor authentication. And then the second part follow-up to that is turn off basic auth, basic authentication. The basic authentication is default in the Microsoft 365. The MFA is not default, and the reason why you want to do those two things is attackers going after the basic off.
If you are looking at your audit logs and seeing people doing failures that they're trying to break in and you see all these failures, those are attackers going after you. And all it takes is one stupid password and, yes, you know you have them out in your organization. And guess what? They're inside your organization, and it's relatively easy today to Google up tools on the internet that allow attackers to then pivot up inside the organization and get more information.
So obviously in a breach situation the question you should ask yourself is not if, but when. So how do you handle the when? First off, you need to make sure that you have in front of you a plan, a breach plan. If you go out there and Google a lot of the SANS organization-- s-a-n-s.org, as well as the NIST organization. There's government organizations that have lots of good information out there.
Have a breach plan. First off, don't panic. Get that breach plan in front of you so you know the steps to take. Determine what happened first. Make sure you have logging enabled from the get go. In Office 365 they're turning on more default auditing. You may have to double check and make sure. If the auditing and logging is not enabled, then make sure it's turned on.
Right now we need some P1. Some Azure P1 licenses to do some additional auditing. Investigate that. I would highly recommend that you turn on some auditing. You don't have to buy P1 audits for everyone in the organization. Again, just go after those admin accounts, and then once you have the audit logs you obviously need to comb through those and see what happened, and make your determination. You may then have to pull in outside experts.
02:42