Securing Microsoft Teams: The options are limited

The popular messaging and video conferencing platform comes with security and privacy risks. These are your limited native and third-party options for protecting users and data.

As more employees work remotely from home, your collaboration tools need more scrutiny. A popular choice for instant messaging and video conferencing is Microsoft’s Teams, and securing this application will be a challenge.

Teams already has had one major exploit that would allow a malicious actor to use the Microsoft Teams Updater to download any binary or malicious payload. Researchers discovered it earlier this summer by using a workaround for a previous patch issued for Teams. The exploit involves many steps: It leverages a remote Server Message Block (SMB) share to bypass limitations placed on Teams to update via a URL. What this means is that an attacker needs to be on a nearby network to the intended victim and use a variety of scenarios to install the malware of their choice.

When researchers contacted Microsoft, the software giant claimed this was a feature, not a bug, and that several of their customers use the remote SMB access to update their Teams installation. So, it still remains an issue.
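A detection sketch for the updater abuse described above, added here as an example and not code from the original article or from Microsoft: it flags Teams `Update.exe` launches whose update source is a remote SMB share or URL outside an allowlist of approved update servers. The log format, the sample events, the allowlist parameter and the `--update`/`--download` argument names (taken from the Squirrel updater that Teams is assumed to use) are assumptions.

```python
import re

# Assumption: process-creation events exported as "host|image|command line".
# All sample events below are constructed for illustration.
SAMPLE_EVENTS = [
    r"WS01|C:\Users\amy\AppData\Local\Microsoft\Teams\Update.exe|Update.exe --processStart Teams.exe",
    r"WS02|C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe|Update.exe --update=\\203.0.113.7\share",
    r"WS03|C:\Users\cat\AppData\Local\Microsoft\Teams\Update.exe|Update.exe --update=https://updates.example.test/pkg",
    r"WS04|C:\Users\dan\AppData\Local\Microsoft\Teams\Update.exe|Update.exe --update C:\Users\dan\AppData\Local\Temp\pkg",
    r"WS05|C:\Windows\System32\notepad.exe|notepad.exe --update=\\203.0.113.7\share",
]

UPDATER = re.compile(r"\\microsoft\\teams\\update\.exe$", re.I)
# Assumed Squirrel-style arguments that name an update source.
SOURCE_ARG = re.compile(r"--(?:update|download)[=\s]+\"?([^\s\"]+)", re.I)
UNC = re.compile(r"^\\\\([^\\]+)\\")
URL = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:]+)", re.I)


def classify_source(src):
    """Return (kind, remote_host) for an update source argument."""
    m = UNC.match(src)
    if m:
        return "smb", m.group(1).lower()
    m = URL.match(src)
    if m:
        return "url", m.group(1).lower()
    return "local", None


def find_suspicious_updates(events, approved_hosts=frozenset()):
    """Flag Teams updater runs that pull from a remote host not on the allowlist."""
    findings = []
    for line in events:
        host, image, cmdline = line.split("|", 2)
        if not UPDATER.search(image):
            continue  # not the Teams updater binary
        m = SOURCE_ARG.search(cmdline)
        if not m:
            continue  # no update source on the command line
        kind, remote = classify_source(m.group(1))
        if kind != "local" and remote not in approved_hosts:
            findings.append((host, kind, remote))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_updates(SAMPLE_EVENTS):
        print(finding)
```

Because Microsoft says some customers legitimately update over SMB, pass your sanctioned file servers as `approved_hosts` so only unexpected sources raise an alert.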

In another case, a ransomware attack on Canon brought down its Teams installation. While not directly related to the security of Teams, it shows the need for securing this channel and having a contingency plan in your post-attack playbooks for how to communicate if you can’t access Teams.

Microsoft has been busy updating Teams recently. Most of its newest features are only available on the latest version of its Windows desktop app that was released at the end of July; the web browser and Mac versions are not yet anywhere near feature parity. If you haven’t yet updated your Teams clients, you should do so ASAP.

All these features mean that you will want better centralized management of Teams, and Microsoft has also beefed up the Teams Admin Center where you can manage all of your Teams endpoints from a central screen. This includes automated device enrollment and automated software updates, as well as the ability to install Teams apps directly from the admin center.  

How Microsoft secures Teams

When it comes to securing Teams, Microsoft has two basic paths: those that are Teams-specific and those that are general Office 365 or Azure-related. You’ll need to do both to obtain the best security.

Getting a grasp on securing Teams means understanding your overall Microsoft online configuration. You’ll have to touch a lot of menus and navigate across your entire Microsoft software infrastructure to lock it down. This increases the chances that you miss something: a user with the wrong series of permissions, an app that has too much access to critical data, or an overlooked group security policy. It might help to have a colleague check your work.

This webinar shows you how to set up basic configuration options. A Teams security guide covers other general issues.

The second path is to understand group policies and Azure Active Directory choices that will secure your overall Office 365 installation. For example, visit your SharePoint settings for managing your file-sharing security and Azure AD settings for managing user authentications. A good place to get started in understanding these issues is this list of suggestions.

Third-party Teams security app support

Third-party tools are available to boost Teams' native security features. Microsoft has a catalog of Teams apps, but only a few can remotely be considered security-related, including:

  • eSentire’s Security Assistant, for eSentire customers only, sends cloud service alerts directly to their Microsoft Teams Channel for triage.
  • Cyberday helps make sure user activity within Teams remains in compliance with privacy and security regulations and policies.
  • Clearedin generates security reports for suspicious messages and users.
  • FileMaster is a data loss prevention (DLP) tool to monitor and control sensitive information.

Probably the most robust third-party security tool for Teams is Avanan, which was one of the early vendors in this space. It controls access to confidential data, quarantines malicious content, and informs users of security events. It catches shortened URLs and augments the compliance reporting found natively in Teams.

Given the growth of Teams, expect more vendors to offer security tools and features to support the platform. Before committing to any of them, ask the add-on vendors the following questions:

  • What risks are you trying to prevent? A user typing in a bad URL? Or passing on phishing bait to download malware? A malicious user joining one of your discussion groups? Or someone posting a Social Security number by mistake?
  • What information is available on dashboards? Typically, these tools work in conjunction with a web-based dashboard where you set up various threat policies such as adding to the prohibited word dictionary or tuning the response of the tool to an event.
  • Does it catch shortened URLs? This is a must-have, where a tool automatically expands the shortened links and then checks to see if they are malicious or benign.
  • How real time is the protection? The delay in reporting an issue might matter to your SOC team.

Comparing Slack and Teams for native security

If you’re in the process of choosing or upgrading a collaboration platform, it’s likely Teams and Slack—the market leaders—are on your short list. Teams isn’t quite where Slack is when it comes to security. The chart below shows areas where both products could use improvement. Slack is ahead on the number of available third-party apps, but Teams offers a mechanism for producing basic third-party compliance audits. (More on these in a moment.)

One of the biggest risks is allowing external users to participate in discussions. Teams now allows this, which means any user can invite anyone into a group.

When it comes to end-to-end data protection, Teams still has a long way to go. Yes, you can employ Windows Server’s own TLS encryption, but that doesn’t protect the complete path. If you are concerned about this, you should consider buying a CASB.

Finally, Teams is busily recruiting third-party app developers to extend its functionality. Microsoft has even published this guide for users to extend its functionality with just a few mouse clicks. However, there isn’t a formal vetting of these apps for best security practices.

That should be a concern, particularly as users add apps willy-nilly and increase the area of potential exposure. Many of the summer’s functional improvements have made Teams a lot more useful for building apps inside Excel (think Power BI) and elsewhere across the Microsoft ecosystem. This means open season on security issues.

[Chart: Teams and Slack comparison. Credit: CSO / IDG]

Copyright © 2020 IDG Communications, Inc.
