Newly discovered Exchange mailbox auditing bug cripples your security intelligence.
I already had a webinar planned this week on the very feature of Exchange that this newly discovered bug affects so I'm expanding this webinar to deal with this issue.
Executive mailboxes are full of secret and potentially damaging information. It's unacceptable to not know if someone is reading the CEO's mailbox or otherwise tampering with it. You will find out eventually, but your SIEM should be the one to tell you – not the Wall Street Journal.
That's what I was going to talk about in this week's webinar.But my LOGbinder team has discovered something that makes this topic even more urgent:
While investigating a support case we discovered a non-obvious yet critical bug in Exchange audit logging that essentially delays your ability to detect non-owner mailbox access for 24 hours.
We notified Microsoft and after investigation they have confirmed it as a bug. Microsoft is tracking the issue and working on a resolution but have no timeline. The bug affects Exchange 2010, 2013 and 2016.
This is a big deal. A lot can happen in 24 hours (#JackBauer #EdwardSnowden). When someone jacks your CEO's mailbox how soon do you want to know?
So I'm expanding this webinar to explain the bug and share options we have identified for dealing with it.
Background on Exchange mailbox auditing:
Without help, your SIEM can't tell you that someone other than the CEO is reading his or her email. This is a big-time problem, and one I'm happy to say comes with a solution.
Exchange Server allows you to audit non-owner mailbox access. In this webinar I will show you how to configure and use Exchange non-owner mailbox auditing, and how to best leverage the security intelligence with your SIEM or log management solution. I will show you how to detect and report serious activities inside of Exchange using mailbox auditing of events such as:
· User viewing of executive emails
· Impersonated (fraudulent) emails
· Administrator export of mailbox files
· Deleted emails (attempts to destroy evidence)
But in the live session of this webinar - and this part has taken priority in my mind - we will dissect this newly discovered bug in Exchange auditing, analyze its impact on your security and compliance requirements and discuss the options you have for working around it.
In addition, we will announce tactical and strategic enhancements we are developing in LOGbinder to ensure your SIEM immediately knows when unauthorized access occurs on high priority mailboxes.
My software company, LOGbinder is sponsoring this webinar because the best audit intelligence is useless if it can't be accessed by your SIEM, and LOGbinder is the only solution I know of to reliably inform the SIEM of Exchange security audit information. Plus, we are working on a solution to solve the timeliness solution that is inherent to Exchange mailbox audit.
Don't miss this webinar! It will be an awesome technical event for security analysts and their operations team. The live discussion will be invaluable to you! Live attendees get to ask questions and get immediate answers.