Every organization doing business today faces a real and constant threats of cyberattacks. These attacks can come from external sources ranging from rudimentary “script kiddie” hacking to highly sophisticated nation-state-sponsored attacks. It is easy to think of security as an outside-in kind of problem. This is a mistake because often the most dangerous threats and successful attacks come from within the traditional network perimeter.
Additionally, software as a service (SaaS) and cloud applications have eroded the concept of a hardline network perimeter, so the protection of an organization’s data needs to adapt. This fourth installment in our series on Microsoft 365 security is intended to illustrate how Microsoft is approaching cloud security management and how their tools are used to increase an organization’s security posture.
Figure 1: Four components of Microsoft 365 Defender security suite.
What Is Microsoft’s Approach to Cloud Security Management?
Security management is much more than just the various firewall policies, user permissions restrictions, and data access controls. Security management should be thought of as an end-to-end, holistic approach to security which includes:
1. Visibility and Alerting – Before any response can be executed against a security incident, an organization’s security response team needs to receive alerts of malicious activity and they need visibility into the threat. Microsoft provides a robust platform with Microsoft 365 Defender. Through the Defender portal, security administrators can set up alerts that trigger on specific policies and data access when certain thresholds are exceeded or unusual user activity is detected. Alert categories include data loss prevention, information governance, mail flow, permissions, and threat management.
When creating cloud security policies, it is possible to configure alert severity attributes as low, medium, high, or informational. These severity settings can help filter out alert noise and reduce the tendency to become alert complacent. When an alert is triggered, the Microsoft 365 security portal will email security administrators.
After an administrator is alerted, the security incident must be investigated. The Microsoft 365 security portal provides a dashboard that lists all incidents by their evaluated risk level. From the dashboard, an administrator can filter by alerts, devices, users, and mailboxes.
2. Controls and Security Policies – Microsoft 365 is comprised of a suite of solutions that go by different names. The four core products are Defender for Endpoint, Defender for Office 365, Defender for Identity, and Cloud App Security. Using these products together can enable an organization to achieve a robust security posture.
Microsoft Defender for Endpoint protects “endpoint” devices such as employee laptops. Defender for Endpoint utilizes malicious behavioral triggers across all Microsoft customers. It includes application sandbox capabilities, controlled folder access, attack surface reduction, exploit protection, network protection, and blocks potentially unwanted applications. Defender for Identity monitors user account activity for unusual or potentially malicious behavior. It provides visibility into an attacker trying to move laterally in the environment and reports on compromised credentials.
Microsoft Defender for Office 365 is specially engineered to protect data and information flowing through the Office 365 platform. It includes anti-malware, anti-phishing, anti-spam, safe links, safe attachments, protection for SharePoint, OneDrive, and Teams, and zero-hour auto-purge (ZAP).
Cloud App Security monitors and analyzes usage patterns of user access, classifies sensitive information, enables data loss prevention (DLP), and allows administrators to create sanctioned and unsanctioned applications. Conditional access policies can be created to ensure clients connecting to company data are secure and trusted.
3. Compliance Evaluation – Microsoft 365 and its associated cloud-based products offer a wide range of global, U.S. government, and industry-specific compliance offerings. Microsoft has greatly automated compliance auditing. An administrator selects which compliance standards are required and a report is generated with recommendations containing remediation tasks to pass compliance.
4. Automated Threat Response – Microsoft 365 has automated investigation and response (AIR) capabilities that can be used to efficiently respond to the potentially high volume of alerts. When activity is detected that can trigger an alert, Microsoft 365 Defender uses machine learning to classify the activity as suspicious, malicious, or clean. Based on this classification, alerts are combined into security incidents and an automated remediation process begins.
Examples of remediation actions could be the blocking of a malicious application, blocking of a suspicious URL, or quarantining of an email message. As incidents are created, they are visible in a dashboard with an infographic that allows administrators to drill down into further detail on the event. In some situations, it is possible to configure manual approval mechanisms before actions can be taken. This allows granular control over the environment and provides for accountability of administrators.
5. Remediation Guidance – Microsoft has invested heavily in creating usable administrative portals for their security products. These portals provide a dashboard-style view of the environment and highlight any security threats that might exist. Administrators can then drill down further into any alert and learn more details. Microsoft will link to remediation recommendations when possible so quick action can be taken and potential damage minimized.
Why Is a Robust Security Management Solution Important?
Media continuously share stories of companies that have been the victims of cyberattacks. What is reported by the media is only a small fraction of the attacks that occur every day around the world. Companies of all sizes are targets of cyberattacks. Don’t fall into the mindset that a hacker wouldn’t think to attack your organization.
It is critical that organizations consider the real and inevitable threat of a malicious cyberattack and take proactive measures to defend against them. In the case of the recent SolarWinds attack, the organization’s network monitoring tools were infected with malware that went undetected for some time. This was possible because the criminals were able to gain control over the software update chain. SolarWinds customers thought they were downloading and updating with clean patches while in fact, they were infecting their internal system with malware.
Another example of a high-profile cyberattack in 2021 was the Colonial Pipeline shutdown. In this instance, the hackers were able to gain VPN access from a single user account that had a common password published on the dark web. Once the attack had access to internal Colonial Pipeline network resources, they left a digital ransom note demanding cryptocurrency payment. The administrators were unaware of the security breach for some time while the attackers fortified their foothold on compromised systems. A user’s credentials can be compromised for reasons including email phishing, password recycling or re-use between sites, and social engineering. There are many threat vectors an organization needs to recognize and secure. Some of these include:
Email – This is by far the most common source of malicious activity or applications. The targets of email attacks are usually employees who lack technical savvy and can be tricked into clicking on a malicious link or exposing their password.
Employee internet activity – It is important to implement an acceptable use policy (AUP) that restricts an employee’s internet activity to work related browsing. A URL filtering and scanning solution can block malicious sites before harm is done.
Internet exposed webservices or applications – Any company web applications that are exposed to the public internet should function behind a web application firewall (WAF). A WAF has advanced security features such as distributed denial of service (DDoS) protections and traffic inspection capabilities.
Malicious internal actor – Threats can come from within a company. By tight internal access controls and permissions, damage from an internal threat can be limited.
Compromised software – Keeping software patched and updated is critical for security. Organizations should develop robust change management controls so potential bugs in new software releases can be fully vetted before deployment into production.
Implementing Security Management Solutions for Microsoft Cloud Security
In even a small-to-medium-sized business, security management can be a complex project that can negatively impact users if not thoroughly understood. Microsoft 365 is a powerful platform that provides next-generation security controls that can integrate across many different systems.
In this article series, we demystified the tools that comprise the Microsoft 365 security suite while providing some insight through our experiences. Check out the previous articles in the series on Microsoft’s other three pillars.
Take Your Next Step in Cloud Security
At Credera, we have deep experience in helping clients take full advantage of their Office 365 and Azure licensing by enabling Microsoft 365 solutions. It is not uncommon for clients to decommission some or all third-party security software once the robust capabilities of Microsoft 365 are understood. This has the potential to reduce operational costs and streamline security response practices. We’ve helped our clients with a range of services from a simple business case analysis of security management through a complete turn-key deployment of the Microsoft 365 stack.