Microsoft 365 security: Where to look?

Microsoft 365 is a comprehensive suite that spans a broad range of products and services and, more importantly, has access to our data. All of it should be adequately protected and secured, but where should you look, where should you start, and what should you configure first?

You must understand that today's security landscape is very different from what it was five, ten or more years ago. Data residency has changed over the years, security boundaries changed as a consequence, and security products (thankfully!) followed the change as well.

Today, identity is the new security boundary, everyone talks about Zero Trust security principles, data is everywhere, the only constant is change, and suddenly a dozen security and compliance-related products and services are available. Yes, it looks like chaos out there, but only at first sight. Let's look at what kind of security Microsoft 365 has up its sleeve.

To understand why and how Microsoft built security around your data, and which products protect it, you should first look at security from a higher level.

To combat new, known, and unknown threats, Microsoft (and everyone else) recommends implementing the Zero Trust security model, which is based on three principles:

  • Assume breach
    Design as if an attacker is already inside: segment access, use encryption, and use analytics to detect and contain intrusions.
  • Least privilege access
    Grant just enough access (JEA) for just enough time (JIT), and apply adaptive access policies.
  • Verify explicitly
    Always authenticate and authorize on all available data points, whenever and wherever possible, for both devices and identities, examining the relevant entity signals.

The Zero Trust security model, and the verify-explicitly principle in particular, defines protection around:

  • Identities
    Continuous monitoring of identity activity, with proper authentication and authorization.
  • Applications
    Discovering the use of unauthorized applications, monitoring and analysing the use of authorized ones, and controlling user actions.
  • Endpoints (or devices)
    Monitoring the health and use of authorised endpoints.

The first step in securing your Microsoft 365 environment should be implementing the Azure Active Directory capabilities that protect identities. Identity is the new security boundary, and most attacks target identities, so it is of utmost importance to focus on them first. Consider implementing the following:

  • Multi-Factor Authentication (MFA). MFA requires a second factor of authentication, adding another layer of security to identities. It greatly reduces the risk from stolen credentials and, according to some research and studies, can prevent more than 96% of identity compromises.
  • Conditional Access. Evaluates user and device sign-in conditions to determine whether access is allowed.
  • Azure AD Identity Protection. Determines user and sign-in risk and blocks access when an identity's risk is above normal.
  • Azure AD Password Protection. Applies the global banned password list automatically and detects and blocks specific weak passwords and their variants.
  • Azure AD Privileged Identity Management (PIM). Reduces the number of permanently privileged administrative accounts and applies the just-in-time (JIT) principle to their use.

After this first step or, better said, these first steps, you must protect your Microsoft 365 environment across all security fronts – identities, endpoints, applications, and email.

Fortunately, Microsoft offers a security suite tailored to protect your data and digital estate across the entire enterprise.

Microsoft 365 Defender is a comprehensive protection product that spans all four of these critical areas. It contains four distinct services, or products, each tailored to protect one of them:

  • Microsoft Defender for Identity and Azure Active Directory Identity Protection
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Office 365

Microsoft Defender for Identity and Azure Active Directory Identity Protection

Microsoft Defender for Identity is a cloud-based protection solution that uses Active Directory signals to detect, identify and investigate advanced identity threats, compromised identities and malicious insider actions. It monitors and analyses user activities and actions and identifies anomalies.

It can identify multiple advanced threats across the attack kill chain, such as reconnaissance, compromised credentials, lateral movement, domain dominance and others.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an enterprise security platform designed to prevent, detect, investigate, and respond to advanced threats on endpoints. It combines threat intelligence, cloud security analytics and endpoint behavioural sensors, and comprises the following capabilities:

  • Threat and vulnerability management
  • Attack surface reduction
  • Next-generation protection
  • Endpoint detection and response
  • Automated investigation and remediation
  • Microsoft Secure Score for Devices
  • Microsoft Threat Experts
  • Integration with other Microsoft Defender and security solutions and products

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps, formerly Microsoft Cloud App Security, is a comprehensive protection solution for SaaS cloud applications. It is a cloud access security broker (CASB) that works across multiple clouds to provide control over how data travels. Microsoft Defender for Cloud Apps provides four core protection elements:

  • Discover and control the use of Shadow IT – identify the cloud applications, IaaS and PaaS services used by your organisation
  • Assess the compliance of cloud applications – evaluate each cloud application's compliance status
  • Protect sensitive data anywhere in the cloud – classify and protect sensitive information, including Data Loss Prevention (DLP) capabilities
  • Protect against anomalies and cyberthreats – detect anomalous application and user behaviour using user and entity behavioural analytics (UEBA) and anomaly detections

Microsoft Defender for Office 365

Microsoft Defender for Office 365 protects your organisation against threats arriving through collaboration tools, email messages and links (URLs). Its capabilities include automated investigation and response, threat investigation and response, threat protection policies and real-time reporting.

Microsoft Defender for Office 365 is available in two plans, Plan 1 and Plan 2.

Plan 1 includes:

  • Safe Attachments
  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
  • Safe Links
  • Anti-phishing protection
  • Real-time detections

In addition to all Plan 1 capabilities, Plan 2 includes:

  • Threat Trackers
  • Threat Explorer
  • Attack simulation training
  • Automated investigation and response
  • Campaign Views

We explained what the Zero Trust security model is and what the first, crucial steps to secure your enterprise are. As a second step, we took a high-level look at Microsoft 365's security products, which cover and protect all four critical areas (identity, applications, email, and endpoints), and showed what their fundamental capabilities are. With a better understanding of the core capabilities of each Microsoft Defender product, you are equipped to take the next steps in protecting your enterprise with the Microsoft 365 security portfolio.
