Microsoft 365 is a comprehensive suite with a broad range of products and services. And most notably, it has access to our data. You want all this data to be adequately protected and secured — but how do you do it, where do you start, and what should you configure first? To better understand this issue, I recently had a chat with Sasha Kranjac, the CEO and cloud security architect at Kloudatech. Sasha is a security specialist, consultant, and cloud architect who helps companies and individuals embrace the cloud while using proper security safeguards. Sasha specializes in crafting Microsoft Azure solutions for government agencies and large multinational companies. He has developed his own custom Azure and security courses and regularly conducts Microsoft, EC-Council, and PowerClass workshops. He is also a Microsoft Most Valuable Professional (MVP), a Microsoft Certified Trainer (MCT), an MCT Regional Lead, and a Certified EC-Council Instructor (CEI). What follows is a digest of our conversation that summarizes some of Sasha's thinking about securing Microsoft 365 for your environment.
You first need to understand that today's security landscape is very different than it was five or ten years ago. Data residency has changed. Security boundaries have changed. Thankfully, security products have kept up with the change. Today, identity is a new security boundary. Everyone is talking about Zero Trust security principles. Data is everywhere and the only constant seems to be change. Now suddenly, dozens of security and compliance-related products and services are available. It appears to be chaos out there, but only at first glance.
Let's take a look at the security measures Microsoft 365 has developed.
To better understand how Microsoft has built security into its data and security products, it's important to take a high-level view at security. To combat new, known, and unknown threats, Microsoft (and everyone else) recommends implementing the Zero Trust security model approach. It is based on three principles:
- Assume breach: Implement segmented access principles and (for example) use encryption and analytics.
- Least privilege access: Use just enough administration — or just enough access (JEA) — and just in time (JIT) principles, as adaptive access policies.
- Verify explicitly: Always authenticate and perform authorization on all data points — whenever and wherever possible — on devices and identities, examining important entity signals.
Implement the Zero Trust security model and the verify explicitly principle defined protection around:
- Identities: Constant monitoring of identity activities, authenticating, and authorizing properly.
- Applications: Discovering the use of unauthorized applications, monitoring and analyzing authorized applications use, and controlling user actions.
- Endpoints (or devices): Monitoring the health and use of authorized endpoints.
The first step to secure your Microsoft 365 environment should be implementing Azure Active Directory capabilities to protect identities. An identity is a new security boundary and most attacks target identities. Thus, it is of the utmost importance to focus on identities first. Consider implementing the following:
- Multi-Factor Authentication (MFA): MFA requires the use of a second factor of authentication — adding an additional layer of security to identities. It greatly reduces the risk of using stolen credentials and, according to some research and studies, it can prevent more than 96% of identity-related identity compromises.
- Conditional Access: Evaluate user and device sign-in conditions to determine whether access is allowed.
- Azure AD Identity Protection: Determine user and sign in risk and block access if an identity risk is above normal.
- Azure AD password protection: Implement an automatic globally-banned password list. Detect and prevent using specific and weak passwords and their variants.
- Azure AD Privileged Identity Management: Reduce the number of permanent privileged, administrative accounts and implement the just-in-time (JIT) principle for their usage.
After these steps, protect your Microsoft 365 environment across all security fronts: identities, endpoints, applications, and emails. Fortunately, Microsoft has an ideal security suite, tailored to protect your data and digital estate across the entire enterprise.
Microsoft 365 Defender is a comprehensive protection product designed to protect all four of these security fronts. It has four distinct products and each is built to protect one of the four critical fronts.
- Microsoft Defender for Identity and Azure Active Directory Identity Protection
- Microsoft Defender for Endpoints
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Office 365
Let's examine each of these products in more detail.
Microsoft Defender for Identity and Azure Active Directory Identity Protection
Microsoft Defender for Identity is a cloud-based protection solution that uses Active Directory signals to detect, identify, and investigate advanced identity threats, compromised identities, and malicious insider actions. It monitors and analyses user activities and actions and identifies anomalies. It can identify multiple advanced threats across the attack kill chain, such as reconnaissance, compromised credentials, lateral movements, domain dominance, and others.
Microsoft Defender for Endpoints
Microsoft Defender for Endpoints is an advanced enterprise security platform designed to protect endpoints by preventing, detecting, investigating, and responding to advanced threats. It combines various technologies to provide endpoint protection using threat intelligence, cloud security analytics, and endpoint behavioral sensors. These technologies include:
- Threat and vulnerability management
- Attack surface reduction
- Next-generation protection
- Endpoint detection and response
- Automated investigation and remediation
- Microsoft secure Score for Devices
- Microsoft Threat Experts
- Integration with other Microsoft Defender and security solutions and products
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a comprehensive SaaS protection solution for cloud applications. It is a cloud app security broker that can work across multiple clouds to provide control over data travel. Microsoft Defender for Cloud provides four core protection elements:
- Discover and control the use of Shadow IT — identifying cloud applications, IaaS, and PaaS services used by your organization.
- Assess the compliance of cloud applications — assessing cloud applications' compliance status.
- Protect sensitive data anywhere in the cloud — classifying and protecting sensitive information, including Data Loss Prevention (DLP) capabilities.
- Protect against anomalies and cyberthreats — detecting applications and user anomalous behavior, using user entity behavioral analytics (UEBA) and anomaly detections.
Microsoft Defender for Office 365
Microsoft Defender for Office 365 protects your organization against threats coming from collaboration tools, email messages, and links (URLs). Some capabilities include automated investigation and response, threat investigation and response, threat protection policies, and real-time performance reporting.
Microsoft Defender for Officer 365 is available in two plans: Plan 1 and Plan 2.
Plan 1 includes:
- Safe attachments
- Safe attachments for SharePoint, OneDrive, and Microsoft Teams
- Safe links
- Anti-phishing protection
- Real-time detections
In addition to all Plan 1 capabilities, Plan 2 includes:
- Threat trackers
- Threat explorer
- Attack simulation training
- Automated investigation and response
- Campaign views
In conclusion, begin by understanding the Zero Trust security model and what are the first, crucial steps to securing your enterprise. As a second step, make sure you have an in-depth knowledge of Microsoft 365 comprehensive security products. Understand the capabilities of these security products that protect all four security fronts: identity, applications, emails and endpoints. With a better understanding of the core capabilities of each Microsoft Defender product, you will then be empowered to take the next steps in protecting your enterprise with the Microsoft 365 security portfolio.