I constantly meet infosec professionals tasked with monitoring for non-owner access to mailboxes. That's understandable when you consider how much sensitive and business-critical information accumulates in mailboxes, especially executive mailboxes.
Exchange does have a mailbox audit feature, but with each version of Exchange it becomes harder for enterprise infosec teams to rely on it.
Last year I alerted you to the disturbing fact that you can't count on organization-level audit reports from Exchange 2013/2010 until at least 24 hours have passed since the end of the time period being reported on. For the first 24 hours the data in the report is usually incomplete, yet no error is reported. You just have to know.
That has not changed in Exchange 2016. But there is a new limitation in 2016 that throttles how many mailbox audit log queries you can perform within a 12-hour period. This applies both at the organization level and to queries against individual mailboxes. It has big implications for any organization trying to monitor reliably and continuously for email security breaches.
In this real training for free ™ webinar I will help you understand:
- How Exchange non-owner mailbox audit works
- Why Exchange may take so long to process audit report requests, and how to address it
- The 24-hour delay issue
- The new query limit in Exchange 2016 and its implications for enterprise infosec
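For readers who want to see the mechanics behind the first agenda item, here is an added example (not code from the webinar or from LOGbinder) showing how non-owner mailbox auditing is turned on and queried with the standard Exchange Management Shell cmdlets. The mailbox alias, date range and notification address are placeholders; the audit action lists are the ones these cmdlets accept, but you should check your own Exchange version's documentation for the exact defaults. The comments note where the 24-hour lag and the 2016 query throttle described above bite.

```powershell
# Added example, not from the original post: enable non-owner mailbox
# auditing on one mailbox and query it. Assumes the Exchange Management
# Shell is loaded and the account has the Audit Logs RBAC role.
# Placeholder identifiers: ceo@example.com, secops@example.com.

$mailbox = "ceo@example.com"

# 1. Turn auditing on and say which delegate (non-owner) and admin actions
#    to record. Owner actions are normally left unaudited because of volume.
#    AuditLogAgeLimit controls how long entries stay in the mailbox's
#    Audits folder (default is 90 days).
Set-Mailbox -Identity $mailbox `
    -AuditEnabled $true `
    -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,FolderBind `
    -AuditAdmin   Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf,FolderBind,Copy,MessageBind `
    -AuditLogAgeLimit 90

# 2. Verify the setting. A cheap control check across the org is to list
#    every mailbox where auditing is still off.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

# 3. Synchronous query for one mailbox. This returns results immediately,
#    but it is exactly the kind of query that Exchange 2016 throttles per
#    12-hour window, so a polling loop that runs this every few minutes
#    for many mailboxes will hit the limit.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
Search-MailboxAuditLog -Identity $mailbox `
    -LogonTypes Delegate,Admin `
    -StartDate $start -EndDate $end `
    -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType,
                  Operation, OperationResult, FolderPathName,
                  ItemSubject, ClientInfoString, ClientIPAddress |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize

# 4. Asynchronous organization-level report, delivered by email as an XML
#    attachment. This is the report the post warns about: for a period
#    that ended less than 24 hours ago the result can silently be
#    incomplete, so schedule it with at least a day of lag.
New-MailboxAuditLogSearch -Name "Weekly non-owner access" `
    -Mailboxes $mailbox `
    -LogonTypes Delegate,Admin `
    -StartDate (Get-Date).AddDays(-8) `
    -EndDate   (Get-Date).AddDays(-1) `
    -ShowDetails `
    -StatusMailRecipients "secops@example.com"
```

The practical takeaway for monitoring design: `Search-MailboxAuditLog` is convenient for an investigation, but neither it nor `New-MailboxAuditLogSearch` is a good foundation for continuous detection on 2016 because of the query budget and the reporting lag respectively; that is the gap the rest of the post is about.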
I will show you the workarounds we've developed (or are developing, in the case of 2016) in LOGbinder for Exchange to get past these issues.
And I'll show you how LOGbinder for Exchange gets these events out of Exchange and into your SIEM, whatever SIEM you use.