In our last blog post, we mentioned some of the biggest security risks to your company’s Microsoft 365 suite. It may have seemed like there were a lot of concerns to have about your data’s confidentiality and availability, and that is right: your data’s security is your organization’s responsibility. But there are also a few steps you can take to help ensure the security of that data. Today, we’ll look at just a few ways to meet those security challenges and use 365 with confidence.
Defender for Office 365
Microsoft Defender for Office 365 is the main offering that helps businesses secure their 365 tenants. The suite of services is included in a couple of tiers of 365 licenses, with most of its features available to those who subscribe to Business Premium, or Office 365 E3 and higher. Some of the features are available to Office 365 Business Standard users, including the majority of what we’ll talk about today. Data loss prevention (DLP), on the other hand, is only available as part of Microsoft Purview, which is included in E3 and higher, but not Microsoft 365 Business Premium; to get DLP for Endpoints, you’ll need E5 Compliance licenses.
Obviously, the details of these different licenses are very fine-grained, so refer to the 365 homepage to see which features apply to which licenses, and keep Defender in mind when choosing the license that’s right for your organization. We consistently find that additional protections are necessary depending on the size of the organization and the industry it does business in. Many organizations could benefit from enhanced scanning and detection inside 365, just as many could benefit from protections on top of the native 365 protections.
1) Use Strong Phishing Defenses
A few of the top threats to 365 involve user authentication and impersonation and phishing attacks. Having a strong defense against unauthorized users, through strong identity management and access controls, is a great strategy for defending your systems (see below). A strong user identification system is a second line of defense, though. The first is to stop phishing attempts where they’re delivered: in email.
Microsoft 365 has built-in anti-phishing email policies that can stop many phishing and spam emails. These policies differ by the level of licensing you have for your 365 plan. Exchange Online Protection, the lowest level of defense, includes anti-spam and anti-phishing policies that can protect against scams that ask for login credentials or send you to servers maintained by attackers. These policies can be set, by your administrator, to be more strict or more lenient, using technologies like DMARC checks to verify that emails come from who they say they come from.
These policies protect your organization from the most straightforward attempts at fraud and trickery. If an email isn’t authenticated against its sender address, it doesn’t get delivered; instead, it ends up in quarantine as a possible phishing attempt. If the email can’t be delivered, nobody in your organization can click its harmful links.
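To make the authentication check above concrete, here is an added example (not Microsoft’s code, and not from the original post) that reads the Authentication-Results header of two constructed messages, applies DMARC-style alignment of SPF and DKIM results against the From: domain, and routes unauthenticated mail to quarantine the way the policy described above does. The organizational-domain helper is a simplification that assumes two-label domains.

```python
import re
from email import message_from_string

# Constructed sample messages (not real mail). The second carries a From: address
# in the protected domain that neither SPF nor DKIM vouches for.
AUTHENTIC = """\
From: Alice <alice@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Invoice

body
"""
SPOOFED = """\
From: IT Helpdesk <it@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk-sender.test; dkim=fail header.d=example.com
Subject: Account notice

body
"""

def org_domain(domain):
    """Crude organizational domain: last two labels (assumed stand-in for a public suffix list lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_verdict(raw_message):
    """'pass' if SPF or DKIM passed for a domain aligned with the From: domain, otherwise 'fail'."""
    msg = message_from_string(raw_message)
    from_domain = re.search(r"@([\w.-]+)", msg["From"]).group(1)
    results = msg["Authentication-Results"] or ""
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", results)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", results)
    spf_ok = bool(spf) and spf.group(1) == "pass" and org_domain(spf.group(2)) == org_domain(from_domain)
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and org_domain(dkim.group(2)) == org_domain(from_domain)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def disposition(raw_message, authentication_fail_action="quarantine"):
    """Apply the policy described above: authenticated mail is delivered, anything else is quarantined."""
    return "deliver" if dmarc_verdict(raw_message) == "pass" else authentication_fail_action
```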
These policies are only a first step to stopping attacks, though. Other products exist to do more “intelligent” blocking: looking at the volume of email coming from particular senders, scanning the contents of emails and attachments for patterns, and ultimately trying (in real time) to understand what is and isn’t a scam regardless of where it comes from. Having protection from both Microsoft and Proofpoint, for example, provides greater variety in signals and ultimately boosts your protection beyond where it would be with just one offering.
2) Set up Your Malware Defenses
Malware can also spread through email attacks, although email isn’t necessarily the main source of it. In your 365 programs, files that would be malicious executables are scanned upon upload. Similarly to anti-phishing and anti-spam policies, Microsoft Defender scans attachments with its anti-malware protection, ensuring that attachments coming into your inbox don’t contain known malicious code.
Strong Endpoint Detection and Response (EDR) is necessary to monitor unusual program behavior on your organization’s systems. Notice, in the last paragraph, that malware scans look for known code, meaning things that have been studied by the security community and declared malicious. But new attacks aren’t known code, so how are they stopped? EDR looks for evidence of maliciousness by asking whether or not the things that are actually happening on your machines
Safe Attachments is Defender for Office 365’s equivalent, which scans files in SharePoint, OneDrive, and Teams. All 365 subscriptions include a virus scanning platform that checks for malicious files, but it doesn’t work in real time across all platforms. Defender for Office 365, on the other hand, uses Safe Attachments to open files and run them in a sandboxed environment to see whether they behave like malware. It then blocks the file, that is, it makes the file impossible to open, download, or do anything with other than delete it. This keeps you from opening an attacker’s malware, no matter how it got into your cloud-stored files.
3) Institute Permissions Reviews for Files
One way that attackers access your data is by gaining unauthorized access through old accounts or external accounts that you don’t have control over. If you’ve shared SharePoint or OneDrive files with someone who subsequently has their account compromised, your data is also compromised. The main way to get ahead of this problem is to review permissions on a regular basis: likely once or twice a year, or more frequently depending on the sensitivity of the data.
Identity management is a managerial process used to control access to any data in your organization and is best understood as a lifecycle made up of provisioning → review → revocation. The review should confirm that permissions already granted still meet current needs, based on the roles of those in the organization, and should also cover any external collaborators and their need for continued access to shared documents and files. Permissions, in other words, aren’t a set-it-and-forget-it affair, and regular review decreases the possibility that your data can be accessed by the wrong person.
In the 365 platform, access reviews are part of Entra ID’s feature set, included in E5 and higher licenses. Access Reviews can be set up for guest users, administrators, and other units governed by Entra ID’s policies. The reviews can be set to recur after a specific number of days and show up for your administrators in their portal.
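The provisioning → review → revocation lifecycle above, as an added example (not Entra ID’s logic and not from the original post): it walks a constructed list of SharePoint site grants and directory records and sorts each grant into keep, review (attestation overdue) or revoke (account gone, or the grantee’s role no longer justifies the grant). The 90-day cadence for external collaborators and 180-day cadence for staff are assumed values, not Microsoft defaults.

```python
from datetime import date, timedelta

# Constructed directory records and sharing grants (not from a real tenant).
USERS = {
    "carol@example.com": {"department": "Finance", "external": False, "active": True},
    "dan@example.com":   {"department": "Sales",   "external": False, "active": True},
    "eve@partner.test":  {"department": None,      "external": True,  "active": True},
    "frank@example.com": {"department": "Finance", "external": False, "active": False},
}
GRANTS = [
    {"site": "/Finance", "grantee": "carol@example.com", "needs_department": "Finance", "last_reviewed": date(2024, 1, 15)},
    {"site": "/Finance", "grantee": "dan@example.com",   "needs_department": "Finance", "last_reviewed": date(2024, 4, 1)},
    {"site": "/Finance", "grantee": "eve@partner.test",  "needs_department": "Finance", "last_reviewed": date(2024, 1, 1)},
    {"site": "/Finance", "grantee": "frank@example.com", "needs_department": "Finance", "last_reviewed": date(2024, 4, 1)},
]
# Assumed review cadence, keyed by whether the grantee is external: guests are re-attested more often.
REVIEW_EVERY = {True: timedelta(days=90), False: timedelta(days=180)}

def review(grants, users, today):
    """Return (grantee, site, action, reason) for every grant, where action is keep, review or revoke."""
    outcome = []
    for g in grants:
        user = users.get(g["grantee"])
        if user is None or not user["active"]:
            outcome.append((g["grantee"], g["site"], "revoke", "account gone or disabled"))
        elif not user["external"] and user["department"] != g["needs_department"]:
            outcome.append((g["grantee"], g["site"], "revoke", "role no longer matches the grant"))
        elif today - g["last_reviewed"] > REVIEW_EVERY[user["external"]]:
            outcome.append((g["grantee"], g["site"], "review", "attestation overdue"))
        else:
            outcome.append((g["grantee"], g["site"], "keep", "current"))
    return outcome
```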
4) Implement a Data Loss Prevention Policy
Sometimes, however, that wrong person is inside your organization. One way to make sure your data isn’t accidentally or maliciously deleted by someone in your organization is a Data Loss Prevention (DLP) policy. When implemented as a technical control, this policy watches for deletions and bulk copying of files and blocks the action if it seems inappropriate. This helps organizations preserve and protect their data, and different levels can be implemented in Microsoft Purview and in some third-party offerings. Implementing these policies requires that you consider what kind of data is labeled confidential or sensitive within your ecosystem; they can be applied to specific locations, sites, groups, mailboxes, and so on.
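The detection logic behind such a policy, as an added example (not Purview’s implementation and not from the original post): it runs over constructed audit records shaped like a unified audit log export, counts each user’s deletions, downloads and copies inside a sliding window, and returns a block decision for bulk activity or for a Confidential-labeled file copied to an external location. The five-event threshold and ten-minute window are assumed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_OPS = {"FileDeleted", "FileDownloaded", "FileCopied"}
THRESHOLD = 5                  # watched actions per user and operation inside WINDOW (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)

def make_events():
    """Constructed audit records in the shape of a unified audit log export (not real tenant data)."""
    base = datetime(2024, 5, 1, 9, 0)
    events = [{"time": base + timedelta(minutes=i), "user": "bob@example.com", "op": "FileDeleted",
               "item": f"/Finance/report{i}.xlsx", "label": "Confidential", "target": ""} for i in range(6)]
    events.append({"time": base + timedelta(minutes=2), "user": "alice@example.com", "op": "FileDeleted",
                   "item": "/Notes/draft.docx", "label": "General", "target": ""})
    events.append({"time": base + timedelta(minutes=3), "user": "alice@example.com", "op": "FileCopied",
                   "item": "/HR/salaries.xlsx", "label": "Confidential", "target": "external:guest-share"})
    return events

def evaluate(events, threshold=THRESHOLD, window=WINDOW):
    """Return (user, op, time, decision) per watched event; 'block' is where a DLP rule would stop the action."""
    recent = defaultdict(deque)            # (user, op) -> timestamps still inside the window
    decisions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] not in WATCHED_OPS:
            continue
        times = recent[(ev["user"], ev["op"])]
        times.append(ev["time"])
        while ev["time"] - times[0] > window:   # drop timestamps that fell out of the window
            times.popleft()
        if ev["label"] == "Confidential" and ev["op"] == "FileCopied" and ev["target"].startswith("external:"):
            decision = "block: confidential file copied to an external location"
        elif len(times) >= threshold:
            decision = f"block: {len(times)} {ev['op']} events within {window}"
        else:
            decision = "allow"
        decisions.append((ev["user"], ev["op"], ev["time"].isoformat(), decision))
    return decisions
```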
5) Step up to XDR-Level Protection
The eXtended Detection and Response (XDR) offering is the culmination of all of Defender’s and Purview’s protections. It brings together all of the threat information that can be gathered from Office 365, from your endpoints (servers and workstations) protected by Defender, from the Data Loss Prevention policy, and more. By bringing all the information together, your security team can understand threats and vulnerabilities to your organization’s data in full.
When all of these signals are taken together, it becomes possible to understand what caused the vulnerability or threat, how it got through your defenses, what it aimed to do, and how to protect against it in the future. It works in real time against any of the threats above and can take automatic action to intervene in threat actors’ or malicious users’ attacks on your data. This includes the ability to self-heal from some attacks or problems that arise from internal and external threats.
There are certainly good third-party XDR solutions out there as well, but if your organization primarily uses 365, those third-party solutions might be a little more reactive than the ones offered by Microsoft. Third-party XDR typically works by monitoring your endpoints and network infrastructure, but not 365. While the results may be similar, there’s likely an advantage to having the protection live in 365 if that’s where your organization gets most of its business done.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team