There is no doubt that Microsoft has a very large tech footprint and just by the numbers is more likely to experience a security breach of some kind over time compared to smaller companies.
However, that also means they have a lot of experience in dealing with security issues with users on Office 365 and therefore are a great source for learning how to deal with some of these situations. In addition, they host a lot of customers with Office 365, 85 million as of last month, so that adds to their expertise in managing these types of situations.
That of course brings me to a resource I recently came across on the Microsoft Download Center - a white paper from Microsoft titled Security Incident Management in Microsoft Office 365.
The eleven-page PDF file (956 KB) covers the company's approach to incident management: the response process they use on a regular basis to be ready for an incident and to react to it with a specific plan.
"Microsoft works continuously to provide highly secure, enterprise-grade services for Office 365 customers. This document describes how Microsoft handles security incidents in Office 365. A security incident refers to any unlawful access to customer data stored on Microsoft’s equipment or in Microsoft’s facilities, or unauthorized access to such equipment or facilities that has the potential to result in the loss, disclosure, or alteration of customer data. Microsoft’s goals when responding to security incidents are to protect customer data and the Office 365 services."
That response management process, which follows the National Institute of Standards and Technology approach, involves four key areas, each with its own focus steps and processes.
Preparation
"Refers to the organizational preparation that is needed to be able to respond, including tools, processes, competencies, and readiness."
- Compliance Control
- Security Development Lifecycle
- Penetration Testing
- Wargames (Red and Blue Teams)
Detection & Analysis
"Refers to the activity to detect a security incident in a production environment and to analyze all events to confirm the authenticity of the security incident."
- Notifications & Alerts
- Security Incident
Containment, Eradication, Remediation
"Refers to the required and appropriate actions taken to contain the security incident based on the analysis done in the previous phase. Additional analysis may also be necessary in this phase to fully remediate the security incident."
- Containment and/or Remediation Plan
- Classify security incident as either requiring a Microsoft Security Response Center or Software Security Incident Plan response
- Contain the incident to prevent further access by attacker
- Eliminate the root cause of the incident and remove the attacker from the network
- Recover services after removing the attacker, and recover data as necessary
- Notify customer(s)
Post-Incident Activity
"Refers to the post-mortem analysis performed after the remediation of a security incident. The operational actions performed during the process are reviewed to determine if any changes need to be made in the Preparation or Detection & Analysis phases."
- Post Mortem
- Process Improvement
The document has much more information, including links to a library of materials that customers can use for their own process development and improvement relating to security incidents.