What does the Allure solution do for my Office 365 environment--how does it help me?
Allure provides the visibility, forensics, and document tracking needed to deal with insider threats, third-party data leakage, and external attacks on your Office 365 environment, specifically all the files you store there.
What part of Office 365 do you mean?
We cover the files stored there--in OneDrive, SharePoint, Teams, and OneNote.
How is Allure's solution unique?
We focus 100% on the data--the files you need to protect. The solution is simple to use and gives you the power to do forensics much faster and more reliably than alternatives. We also enrich the Microsoft events with geographic and organizational insights.
Additionally, our unique, patented beacons let you track files even after they’ve left Office 365. This includes decoy documents that can detect leaks and breaches.
What data does Allure collect?
Allure reads log information from Office 365, which includes user names, file names and paths, and IP addresses.
We filter those, clean up the data in some cases, enrich them with geographic and organizational insights, and store them for the long term. (Microsoft typically deletes the logs after 30 days.)
Do you store file contents or other highly sensitive data?
No, Allure doesn’t store file contents.
Do I need to give you my Microsoft credentials to use the service?
No, Allure makes a request to access the logs, directly to Office 365. You then need to log into Office 365 and allow us access, but we never see your credentials.
Can I monitor just a subset of the files, if I want to?
Yes, you can specify folders or directory trees, if you wish.
Beyond storing events, what functionality do you have?
After filtering and cleansing the events, we add geo-location and organizational insights.
Then, we do a risk assessment on every individual event, and assign it a risk score from 0 to 100.
If the risk score is high enough, you can have an email alert sent to you, and/or you can have Allure create what we call a "Notable Event"--something to look into and follow up with in our web interface.
How does the risk scoring work?
Risk scoring is based on many indicators that you can change yourself--including geo-location, sensitivity of the file, type of operation being performed (e.g. downloads), etc. There are many criteria available.
Each factor, or policy, is typically additive. So, a download might be fine, and accessing a sensitive file is fine, but a combination of sensitive files being downloaded to risky locations--that combination results in a high risk score.
There are built-in scoring policies that come pre-configured, and they’re simple to change.
How do alerts work?
You can set a risk score threshold that represents when you’d like to be alerted. Any file that reaches a score above that threshold will then generate an email alert. The email alert contains the basic info, plus a map of the geo-location for the event. You can completely disable alerts, too, if you wish.
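The additive scoring and alert threshold described in the two answers above can be sketched as follows. This is an added example, not Allure's code: the policy names, point values, threshold, allowed-country list and sample events are all constructed assumptions.

```python
# Added illustration: not Allure's code. Policy names, weights, country
# codes and the sample events below are all constructed assumptions.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Policy:
    name: str
    points: int                      # added to the score when the policy matches
    matches: Callable[[dict], bool]

# Hypothetical policies covering the indicator types the FAQ lists:
# operation type, file sensitivity, and geo-location.
POLICIES = [
    Policy("download", 25, lambda e: e["operation"] == "FileDownloaded"),
    Policy("sensitive_path", 40, lambda e: e["path"].startswith("/Finance/")),
    Policy("risky_location", 45, lambda e: e["country"] not in {"US", "CA"}),
]

ALERT_THRESHOLD = 70  # assumed value; the FAQ says this is user-configurable

def score_event(event: dict) -> tuple[int, list[str]]:
    """Sum the points of every matching policy, clamped to the 0-100 range."""
    hits = [p for p in POLICIES if p.matches(event)]
    total = sum(p.points for p in hits)
    return max(0, min(100, total)), [p.name for p in hits]

def triage(events: list[dict], threshold: int = ALERT_THRESHOLD) -> list[dict]:
    """Return alert records for events whose score is above the threshold."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score > threshold:
            alerts.append({"user": event["user"], "path": event["path"],
                           "score": score, "reasons": reasons})
    return alerts

# Constructed, already-enriched sample events (not real log data).
# "ZZ" is a placeholder country code standing in for an unexpected location.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "operation": "FileDownloaded",
     "path": "/Marketing/brochure.pdf", "country": "US"},
    {"user": "bob@example.com", "operation": "FileAccessed",
     "path": "/Finance/payroll.xlsx", "country": "US"},
    {"user": "carol@example.com", "operation": "FileDownloaded",
     "path": "/Finance/payroll.xlsx", "country": "ZZ"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

A plain download or a plain sensitive-file access stays below the threshold on its own; only the third event, which matches all three policies, is clamped to 100 and raises an alert.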
Is there a dashboard?
Yes, there’s a powerful dashboard that shows the top risky activity, most active users, geo-mapping of alerts and overall activity, what kinds of risky activity are happening, overall event volumes over time, etc.
Are there reports?
Yes, there are two reports--one that summarizes and details alert-level events over a period of time, and one that provides insights into decoy file deployment.
Each can be run on a weekly or monthly basis and delivered in HTML or PDF format.
Do I need to beaconize files in order to track files in my cloud share?
No. When monitoring cloud shares, Allure integrates with the API to monitor activity. However, if you want to track file activity after any downloads have occurred, then you may want to beaconize the files.
Can you automatically beaconize files in my cloud share?
Yes. You can specify specific folders or directory trees, and which types of files - Word, PowerPoint, Excel, and PDF.
Will I always get notification when someone opens a beaconized file? What about if they’re off-network, e.g. on an airplane?
This depends on the type of beacon, and the type of file.
For PDF documents, you’ll always get a signal. The files are encrypted and won’t open unless we get a notice to decrypt them, which is our signal.
For Office documents, the signal is “best effort”. The documents should always open, and if the user is online, we’ll get the signal.
What are the beacons? Are they macros in the documents?
No, they’re not macros. In the case of PDF documents, we leverage Adobe encryption capabilities, so Adobe Reader signals us. With Office documents, we embed special information within the file that causes the native programs (Word, Excel, and PowerPoint) to do a web lookup, which we then note as a signal.
Do beaconized files trigger antivirus programs?
No, we haven’t seen that.
Do beacon signals get through firewalls?
Yes, it’s a normal HTTPS (port 443) connection. As long as the network isn’t completely locked down, the signals get through.