According to the Identity Theft Resource Centre, data breaches in 2021 were up 17% over 2020 (source). The average cost of data breaches was also escalating with a report by IBM indicating the typical cost was $4.24m per breach (source).

This represents a worrying trend for our industry, and it is no wonder that data security has now become top of mind for CIOs and key decision-makers.

While Customer Relationship Management (CRM) systems are invaluable in managing your client relationships in a central datastore, they also present a soft target for nefarious actors.

In today’s blog post, I will explain what the recently released Continuous Threat Monitoring for Dynamics 365 is and how it can be used to secure your CRM.

Moreover, Microsoft is keen to hear your thoughts on how to better improve security and I will be including a survey link to provide feedback directly to the CTM product team.

Native Security features of Dynamics 365

Microsoft Dynamics 365 uses a granular security management model that enables segregation of business data at a record level and field level (via Field Level Security) and a permissions model that is assigned based on business unit, team or Active Directory security group.

Permissions cover CRUD operations on records but also extend to feature usage, such as bulk export to Excel or API-only access (no UI).

Additionally, enabling the Auditing functionality ensures that all user interactions and record modifications are captured and centralised within the Office 365 Security and Compliance Centre.

However, as robust as the Dynamics 365 security model is, it was not designed for breach detection and incident management. These would typically be performed through a SIEM solution.

What is SIEM?

SIEM stands for Security Information and Event Management and is the category of products that deal with enterprise-level security.  They provide sophisticated tools that enable your organisation to detect and rapidly act on potential threats to your infrastructure and data.

Microsoft Sentinel (formerly known as Azure Sentinel) is Microsoft’s current flagship offering for their enterprise clients. They state that the differentiators for their product are the collection of data at cloud scale across all devices and applications, detection of previously undetected threats whilst minimising false positives, artificial-intelligence-based investigation of suspicious activities, and built-in orchestration that enables rapid response.

Figure 1 – Core capabilities of Microsoft Sentinel

For a detailed overview of Microsoft Sentinel see the following webpage:
https://docs.microsoft.com/en-us/azure/sentinel/overview

So now that we understand what a SIEM solution is, how can we connect our SIEM solution to Dynamics 365 to detect threats and manage security incidents? This is where Continuous Threat Monitoring for Dynamics 365 comes in.

Continuous Threat Monitoring for Dynamics 365

Continuous Threat Monitoring for Dynamics 365 is a newly developed integration for monitoring and responding to events from Dynamics 365 from within the Microsoft Sentinel solution.  It is available in public preview mode today from the Azure Marketplace:

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/sentinel4dynamics365.sentinel4dynamics365?tab=overview

It can be summarised as a solution that enables enhanced investigation and response capability centred on protecting your D365 instance from within Sentinel. It does so through a series of analytic rules, defined within the solution, that detect suspicious activities and events and, through Sentinel, enable you to respond rapidly on several different levels.

To better explain this, take the following scenario: a salesperson leaves the company and then attempts to exfiltrate all your customer data. Typically, Dynamics 365 on its own has no way to automatically raise this as an alarm and act, but with Continuous Threat Monitoring for D365 the exfiltration attempt triggers an alert, which can in turn notify your corporate security personnel on, say, Microsoft Teams. This is one example that is fully supported by well-defined rulebooks within the Sentinel solution.

What is deployed with the Continuous Threat Monitoring solution?

When you download and install Continuous Threat Monitoring, the solution is deployed with the following:

  • Data Connector – Enables the log information and other pertinent security information to be retrieved from Dynamics 365.  They include:
    • Dynamics 365 Audit Logs
  • Analytic Rules – Detection rules that detect activities such as:
    • D365 – Encryption Settings Changed
    • D365 – Mass Export of Records to Excel
    • D365 – New Admin Activity
    • D365 – New Office User Agent Detected
    • D365 – New User Agent Detected
    • D365 – Unusual record retrieval
  • Workbooks – enabling you to visualise your data sources, workbooks deployed are as follows:
    • Dynamics 365 Solution
  • Hunting Queries – some example queries that run continuously for suspicious activity include:
    • Dynamics 365 Activity After Azure AD Alerts
    • Dynamics 365 Activity After Failed Logons

Figure 2 – Example of Hunting Query
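To make two of the listed rule types concrete, here is an added Python sketch of my own (not the solution's KQL analytic rules, and not Sentinel code) that runs a volume-threshold detection in the spirit of "Mass Export of Records to Excel" and a baseline-deviation detection in the spirit of "New User Agent Detected" over constructed audit events, modelled on the departing-salesperson scenario above. The event field names, thresholds and sample values are assumptions for this example, not the columns of the real Dynamics 365 activity table.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (field names are this example's own, not the
# columns of the real Sentinel Dynamics 365 table). A departing salesperson
# pulls three large exports in quick succession from an unfamiliar browser.
AUDIT_EVENTS = [
    {"time": "2022-03-01T09:00:00", "user": "alice@contoso.example", "op": "ExportToExcel", "records": 40, "ua": "Edge/99"},
    {"time": "2022-03-01T09:01:00", "user": "alice@contoso.example", "op": "ExportToExcel", "records": 35, "ua": "Edge/99"},
    {"time": "2022-03-01T18:30:00", "user": "bob@contoso.example", "op": "ExportToExcel", "records": 5000, "ua": "Edge/99"},
    {"time": "2022-03-01T18:32:00", "user": "bob@contoso.example", "op": "ExportToExcel", "records": 5000, "ua": "Firefox/97"},
    {"time": "2022-03-01T18:34:00", "user": "bob@contoso.example", "op": "ExportToExcel", "records": 5000, "ua": "Firefox/97"},
    {"time": "2022-03-01T18:40:00", "user": "carol@contoso.example", "op": "Retrieve", "records": 1, "ua": "Edge/99"},
]

def mass_export_alerts(events, threshold=10_000, window=timedelta(hours=1)):
    """Alert once per user whose exported record total inside any sliding
    window exceeds the threshold (the 'Mass Export of Records to Excel' idea)."""
    recent = defaultdict(deque)   # user -> (time, records) pairs still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] != "ExportToExcel":
            continue
        now = datetime.fromisoformat(ev["time"])
        q = recent[ev["user"]]
        q.append((now, ev["records"]))
        while now - q[0][0] > window:         # drop exports that aged out of the window
            q.popleft()
        total = sum(r for _, r in q)
        if total > threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"rule": "Mass Export of Records to Excel",
                           "user": ev["user"], "records": total})
    return alerts

def new_user_agent_alerts(events, baseline_end):
    """Alert once per user agent that appears after baseline_end but was never
    seen during the baseline period ('New User Agent Detected'). The baseline is
    tenant-wide, so a user with no history is not flagged on every request."""
    baseline = {ev["ua"] for ev in events if ev["time"] < baseline_end}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["time"] >= baseline_end and ev["ua"] not in baseline:
            baseline.add(ev["ua"])            # report each new agent only once
            alerts.append({"rule": "New User Agent Detected",
                           "user": ev["user"], "ua": ev["ua"]})
    return alerts
```

Lowering the threshold shows the trade-off the real rule also faces: at 50 records per hour the legitimate user alice is flagged alongside bob, which is exactly the false-positive tuning Sentinel's analytic rule parameters exist for.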

Are there any limitations in this preview?

Currently, it only supports Dynamics 365 Customer Engagement apps (not Finance, Supply Chain) and it is not currently supported in Sovereign cloud deployments (e.g. US Gov, Azure China, AU Protected).

Future roadmap

Continuous Threat Monitoring for Dynamics 365 is currently in public preview. When it launches in 2022 it will feature a great deal more rules, workbooks, queries and enhancements to get you up and running quickly.

The product team is especially keen to hear more from the community about the security challenges you want to solve, so if you have 5 minutes, I ask that you help them by completing the following survey.

Continuous Threat Monitoring for D365 Survey Link