Microsoft to stop locking vital security logs behind $57-per-user monthly plan

July 20, 2023

Microsoft will expand access to important security log data after being criticized for locking detailed audit logs behind a Microsoft 365 enterprise plan that costs $57 per user per month. The logging updates will start rolling out “in September 2023 to all government and commercial customers,” the company said.

“Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost. As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise,” Microsoft announced yesterday.

Microsoft Purview Audit Premium is available on the $57-per-user Microsoft 365 E5 plan for businesses as well as the similar A5 education plan and G5 government plan. There’s also a Purview Audit Standard service that comes with a much wider range of plans, including the Microsoft 365 Business Basic tier that costs $6 per user per month.

Purview Audit Standard will soon get access to features currently only available in the premium audit service, Microsoft’s announcement said.

“As our expanded logging defaults roll out, Microsoft Purview Audit (Standard) customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days,” Microsoft said.

“Pay-to-play security”

As we wrote last week, Microsoft has faced criticism for restricting access to detailed audit logs, a practice critics have called “pay-to-play security.” The advanced logs available only on the most expensive plans were useful in detecting breaches that gave a Chinese hacking group access to email accounts.

“If you’re not an E5-paying customer, you lose the ability to see that you were compromised,” Will Dormann, senior principal analyst at Analygence, told Ars.

The US Cybersecurity and Infrastructure Security Agency (CISA) said in a security advisory last week that a federal executive branch agency discovered a breach of Exchange Online data “by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID).” This “enables detection of otherwise difficult to detect adversarial activity,” CISA said.

CISA and the FBI even said they “strongly encourage organizations to Enable Purview Audit (Premium) logging,” while acknowledging that the “logging requires licensing at the G5/E5 level.”

“CISA and FBI are not aware of other audit logs or events that would have detected this activity,” the advisory said. “Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.”
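The baseline check the advisory describes (MailItemsAccessed events compared against the AppIDs normally seen for each mailbox) can be sketched as follows. This is an added example, not code from CISA, Microsoft or the article; the log records are constructed, the AppId values are placeholder strings, and the field names are assumed to follow the Microsoft 365 audit record layout.

```python
import json
from collections import defaultdict

# Constructed sample audit records (JSON lines), not real tenant data.
# AppId values are placeholders; field names are an assumption (see lead-in).
BASELINE_LOG = """
{"CreationTime":"2023-06-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"app-outlook-desktop"}
{"CreationTime":"2023-06-01T09:15:40","Operation":"MailItemsAccessed","UserId":"bob@example.com","AppId":"app-outlook-desktop"}
{"CreationTime":"2023-06-02T10:01:05","Operation":"MailItemsAccessed","UserId":"bob@example.com","AppId":"app-outlook-mobile"}
{"CreationTime":"2023-06-02T10:30:00","Operation":"FileAccessed","UserId":"alice@example.com","AppId":"app-sync-client"}
"""
OBSERVED_LOG = """
{"CreationTime":"2023-06-20T08:00:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"app-outlook-desktop"}
{"CreationTime":"2023-06-20T03:12:44","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"app-unrecognized"}
{"CreationTime":"2023-06-20T11:45:10","Operation":"MailItemsAccessed","UserId":"carol@example.com","AppId":"app-outlook-desktop"}
{"CreationTime":"2023-06-20T12:00:00","Operation":"MailItemsAccessed","UserId":"bob@example.com"}
"""

def parse(log_text):
    """Yield only MailItemsAccessed records from JSON-lines text."""
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") == "MailItemsAccessed":
            yield rec

def build_baseline(records):
    """Map each mailbox user to the set of AppIds seen during the baseline window."""
    baseline = defaultdict(set)
    for rec in records:
        if rec.get("AppId"):
            baseline[rec["UserId"]].add(rec["AppId"])
    return baseline

def find_anomalies(records, baseline):
    """Return (time, user, app_id, reason) for accesses that deviate from the baseline."""
    findings = []
    for rec in records:
        user, app = rec["UserId"], rec.get("AppId")
        if app is None:
            reason = "missing AppId"            # cannot be matched; review manually
        elif user not in baseline:
            reason = "no baseline for mailbox"  # new or previously unlogged mailbox
        elif app not in baseline[user]:
            reason = "AppId not in baseline"    # the case the advisory highlights
        else:
            continue
        findings.append((rec["CreationTime"], user, app, reason))
    return findings

if __name__ == "__main__":
    for f in find_anomalies(parse(OBSERVED_LOG), build_baseline(parse(BASELINE_LOG))):
        print(f)
```

The check only works if MailItemsAccessed events are being recorded for the mailbox at all, which is the licensing point the advisory raises.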

CISA urged Microsoft to expand access

CISA had been talking to Microsoft about expanding access to the logs. “CISA and Microsoft have been working for the past several months to identify key logging activities to include in their offerings,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein wrote in a blog post yesterday.

Goldstein said the Microsoft move will “make necessary logs identified by CISA and our partners as most critical to identifying cyber-attacks available to customers without additional cost. While we understand it will take time to roll out such a major step, this effort will enhance cyber defense and incident response for every Microsoft customer.”

Goldstein also criticized the approach of making security logs exclusive to higher-priced subscriptions. “While vendors can offer wider logging access at specific cloud licensing levels, this approach makes it harder to investigate intrusions,” he wrote. “Asking organizations to pay more for necessary logging is a recipe for inadequate visibility into investigating cybersecurity incidents and may allow adversaries to have dangerous levels of success in targeting American organizations.”

Microsoft said its decision to bring advanced logging to all business plans is “the result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA) about the types of security log data Microsoft provides to cloud customers for insight and analysis.”

The log “data plays an important role in incident response because it provides granular, auditable insight into how different identities, applications, and devices access a customer’s cloud services,” Microsoft said. “These logs themselves do not prevent attacks, but they can be useful in digital forensics and incident response when examining how an intrusion might have occurred, such as when an attacker is impersonating an authorized user.”

Purview Audit Premium will still be differentiated from Audit Standard by providing “longer default retention periods and automation support for importing log data into other tools for analysis,” Microsoft said.
