Updated: June 25, 2024 (May 28, 2024)

  Analyst Report

Lessons from the Cyber Safety Review Board’s Mar. 2024 Report on Microsoft


by Michael Cherry

Michael analyzed and wrote about Microsoft's operating systems, including the Windows client OS, as well as compliance and governance.

  • Although Microsoft promotes its ability to offer cloud services, it may not have the competency that organizations attribute to it; therefore, it is necessary to maintain internal security expertise and vigilance.
  • To understand the threat environment as well as current vulnerabilities and incidents, customers must monitor multiple information sources.
  • Organizations should request complete access to all log data and log analysis tools, without a requirement to pay for premium products or subscriptions.

In Mar. 2024, the U.S. Cyber Safety Review Board (CSRB) released its report on the 2023 Storm-0558 Microsoft Exchange Online compromise by way of Entra ID (previously called Azure Active Directory). Although the report focuses on Microsoft’s need to improve its security culture, it also recommends that Microsoft improve the overall security of its products and services, as well as improve incident detection, response, and communications. Overall, the report concludes Microsoft may be overselling its security competencies, may not be adequately documenting incidents, and is not providing customers with the log data and tools necessary to monitor their use of the services for incidents.
