Hey Microsoft, Security Logs Want to be Free!

Microsoft recently suffered a significant breach of their Exchange Online and Azure Ad services following the compromise of a signing key resulting in the compromise of several organizations, including government agencies. Microsoft still needs to learn how the key was compromised. However, it was detected first by the US government, which had access to Microsoft’s advanced logging capabilities. Historically if an organization wanted access to Microsoft’s Cloud Services logs or additional security tools, they would have to opt-in to premium licenses such as E5. 

Many in the security community have had issues with this model from Microsoft, particularly given the additional levels of security to protect against potential vulnerabilities in their product, some drawing the analogy that it’s equivalent to a car manufacturer charging extra for seat belts, airbags, and other safety features. My friend and respected security practitioner across the pond, Daniel Card, pointed out how vital access to the tools and services provided by the Microsoft E5 license is to protect the  organizations he works with:

The Shared Responsibility Model

Although unfortunate that Microsoft waited so long and that it took such a catastrophic incident for them to finally take action and provide logging capabilities to their lower licensing tiers, it may have provided the realization of their potential liabilities when it comes to the shared responsibility model where both the cloud service provider and the customer play vital roles. Recognizing the importance of this partnership, Microsoft has taken a significant step by extending logging capabilities to non-premium customers, reinforcing the shared responsibility model, and enabling enhanced security measures for all users. Microsoft’s recent decision to offer these logging capabilities to non-premium customers will level the playing field, granting equal access to invaluable security insights to mitigate today’s threats. 

The shared responsibility model is built upon the premise that while cloud service providers are responsible for securing the infrastructure, customers must take ownership of their applications, data, and user access. By extending logging capabilities to non-premium customers in September 2023, Microsoft will better empower the customer’s ability to fulfill their responsibilities effectively. This move aligns with evolving cloud threats and helps Microsoft’s commitment to securing its customers with the tools necessary to safeguard their digital assets.

Log Liberation

As businesses increasingly rely on cloud services, the responsibility for securing and monitoring data has shifted towards a shared model, where both the cloud service provider and the customer play vital roles. Microsoft, one of the leading technology giants, has been collaborating with CISA to identify critical log data that should be provided to all its cloud customers for free. Historically, advanced logging capabilities were only available to premium customers. However, Microsoft’s recent decision following this security incident to offer these logging capabilities to non-premium customers has leveled the playing field, granting equal access to invaluable security insights and strengthening the shared responsibility model.

Benefits of Logging Capabilities

• Enhanced Visibility: Logging is critical in enabling proactive threat detection and incident response. By extending logging capabilities to non-premium customers, Microsoft empowers organizations of all sizes to gain greater visibility into their cloud environments. This increased visibility facilitates the early detection of potential security breaches, allowing for rapid mitigation and reducing the risk of data loss or unauthorized access. 
• Improved Threat Intelligence: With expanded logging capabilities, customers can tap into rich, detailed data logs, providing invaluable insights into their systems’ activities. This wealth of information helps organizations identify patterns, anomalies, and potential threats. Leveraging this enhanced threat intelligence, customers can make informed decisions to bolster their security posture and respond effectively to emerging risks. 
• Streamlined Compliance: Compliance with industry regulations and standards is crucial to data security. By making logging capabilities available to non-premium customers, Microsoft empowers organizations to meet compliance obligations more effectively. Comprehensive and centralized logging enables easier auditing, monitoring, and reporting security events, contributing to a more streamlined compliance process. 
• Collaboration and Learning: The shared responsibility model recognizes that both the cloud service provider and the customer contribute to the system’s overall security. By democratizing logging capabilities, Microsoft fosters collaboration and mutual learning between providers and customers. Customers gain access to the same powerful tools and insights as premium customers, encouraging a collective effort toward maintaining a secure environment.

Democratizing Access to Microsoft Logs

Microsoft’s new free logging capabilities will also help Panther customers, as they no longer will need to purchase the higher subscription tiers to onboard logs into their Panther instances. This evolution will allow Panther customers to leverage our integration with Microsoft and easily correlate with other data sources and tools. 

Microsoft’s decision in collaboration with CISA to provide logging capabilities to non-premium customers is a significant development that reinforces the shared responsibility model. By democratizing access to advanced logging features, Microsoft empowers organizations of all sizes to take a more proactive and vigilant stance in securing their cloud environments. This move serves as a testament to the power of the infosec community, along with Microsoft’s dedication to promoting collaboration, transparency, and continuous improvement in data security. 

As more workloads move to the cloud and threats evolve to target them, initiatives like this are vital in fostering a more resilient and secure online ecosystem to make the cloud more confident. I hope more cloud providers will follow suit in making logs free and easily accessible.