Seven months after a serious cloud email breach, Microsoft has started making good on a promise to give customers free access to enhanced logging capabilities that could help detect similar attacks.
Last July the software giant revealed a China-based threat group, Storm-0558, had acquired a private encryption key, enabling hackers to access email accounts of at least two dozen organizations, including the U.S. State and Commerce departments. Secretary of Commerce Gina Raimondo’s email account was among those compromised.
In the wake of the attack, Microsoft was criticized for charging its cloud services customers extra to access security logs that could have detected the intrusions. The company eventually said it would make the logs available for free.
This week Microsoft said it was beginning to make expanded logging available to all U.S. Federal Civilian Executive Branch (FCEB) agencies using Microsoft Purview Audit, regardless of license tier. Expanded logging was previously only available to Purview Audit (Premium) customers.
Microsoft would automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days.
The Cybersecurity and Infrastructure Security Agency (CISA) said in a statement it had worked with Microsoft, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) over the past six months to roll out expanded logs to a pilot group of agencies.
“Last summer, we were glad to see Microsoft’s commitment to make necessary logging available to federal agencies and the broader cybersecurity community. I am pleased that we have made real progress toward this goal,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity.
Last year CISA released Secure by Design guidance, including a recommendation all technology providers provide “high-quality audit logs to customers at no extra charge or additional configuration”.
Casey Kahsen, a senior technical specialist with Microsoft’s federal security team, said in a post, that while the company was committed to making the additional audit capabilities available to all customers as soon as possible, it had prioritized federal agencies.
“This shift to provide increased logging for all customers worldwide will take time,” Kahsen said.
“A phased rollout approach will be utilized to ensure that backplane capacities and other performance metrics are closely monitored.”
Microsoft has suffered other embarrassing security failures since the Storm-0558 incident. Last month it revealed its own corporate email accounts, including some belonging to senior executives and members of its cybersecurity and legal teams, had been breached by Russian threat group APT29.
Critics say the company needs to improve its overall security posture and culture, especially given the vast number of customers whose data it is tasked with protecting.
A lawmaker with a history of campaigning to get the software giant to do better on security, Sen. Ron Wyden, D-Ore., responded to news of the new FCEB logging initiative by comparing Microsoft to “an arsonist selling firefighting services”.
“Microsoft has profited from the vulnerabilities in its own products and built a security business generating tens of billions of dollars a year,” he said in a statement to CyberScoop.
“There is no clearer example of the need to hold software companies liable for their negligent cybersecurity.”
In August, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) announced it would review last year’s Storm-0558 attack as part of an investigation that would also look into the wider issue of how government, industry, and cloud service providers could strengthen identity management and authentication in the cloud. Microsoft’s own investigation into the incident revealed a string of security failings.
