Advanced Threat Protection in Microsoft 365

There are many security tools built into the O365 platform, but when you move to M365 E3 or E5, you unlock a whole new set of advanced features for securing your business.

In this article, we’re going to look at these tools, except for Endpoint Manager, which we have covered here, and Windows 11, which we covered in this article.

Nearly all of Microsoft’s M365 focused security products have the Defender brand, and the central console to work with them is security. microsoft.com.

Here you’ll find a comprehensive Extended Detection and Response (XDR) service that collects data from email, identity, endpoints, cloud services and alerts you to intruders across your M365 digital estate.

Here’s a rundown of the different Defender services:

• Microsoft Defender for Office 365 – This provides protection for emails, SharePoint sites, OD4B and Teams
• Microsoft Defender for Identity – This monitors your on-premises Active Directory (AD), integrates with your Security Information and Events Management (SIEM) tool and alerts you to account breaches, lateral movement and attacks involving AD
• Microsoft Defender for Endpoint – Centralized management of anti-malware on all endpoints in your environment (Windows, Linux, macOS, Android and iOS)
• Microsoft Defender for Cloud Apps – A Cloud App Security Broker (CASB), adding features to match the more modern buzz word, SaaS apps security posture management.

Microsoft also offers Microsoft Sentinel – a cloud based SIEM; Microsoft Defender for Cloud (for Azure, AWS and GCP IaaS and PaaS workloads) and Entra for identity management and protection.

Microsoft Defender for Endpoint (MDE) is a full-fledged Endpoint Detection and Response (EDR) security solution using Machine Learning (ML) behavior analytics for Windows, MacOS, Linux servers, iOS, and Android devices.

It inventories installed applications (Windows and MacOS) and through Threat and Vulnerability Management (TVM) prioritizes which applications bring the most severe risks to your organization based on how widely deployed each application is and the severity of the disclosed vulnerability.

MDE also provides Attack surface reduction rules and Next generation protection, along with many other security features. MDE is available with, M365 E5 / E5 Security or as a standalone license.

With M365 E5 you can step up to Defender for Identity (MDI) which monitors your Active Directory Domain Controllers, and your Active Directory Federation Servers with only lightweight agents, the rest is taken care of by the cloud service.

Any attacker that establishes a foothold on a device in your network must touch AD to move laterally and escalate privileges and MDI will catch them when they do.

Once upon a time when your users stayed in the corporate office all you needed to protect them was a good firewall but in today’s world of “work anywhere, on any device” you need a new type of tool to protect them, a cloud access security broker.

Microsoft Defender for Cloud Apps (MDA) is part of M365 E5 and protects your users in real time when they access cloud services. The catalogue of over 31,000 different cloud services gives IT a way to discover and manage Shadow IT (cloud services that users have provisioned without the IT department knowing) across your user base.

How do you know what’s most important to attend to? And where in all the different portals (or PowerShell) do you go to configure each setting? The answers to these questions are in Secure Score, now part of the Security portal.

Here you see an overall score for your tenant (for Identity / Data / Device / Apps and Infrastructure controls) and can compare it to the global average across M365, the average for your industry and for businesses of the same size.

As you implement more controls you score increases (it can take 24-48 hours), and you track your progress on the History tab. Secure Score is the BEST place to start improving your tenant’s security posture.

I’d like to highlight another control (apart from MFA) that’ll gain you a quick win to improve overall security – blocking legacy authentication. This is because even if you have enabled MFA, attackers can still access your user’s accounts with just a username and password through older protocols that don’t support MFA.

To investigate if there are any legitimate connections using these older protocols (which will need to be upgraded or exempt from your block legacy authentication policy) go to the Azure AD portal, click on Sign-ins under monitoring, click Add filters, pick Client app, then click “None selected” and add all 13 legacy connection options.

Once you’re certain there are no legitimate needs for legacy authentication, use CA policies to block it.

The concept of Secure score has spread to other parts of M365, in Compliance Manager there’s Compliance Score to indicate how compliant your business is with regulatory frameworks you have to comply with.

Microsoft has recently added hundreds of additional regulations from all over the world to help you track your compliance, assign tasks users to achieve and maintain compliance.

To manage compliance for your SharePoint and OneDrive sites and their security posture / sharing settings using the built in tools is an exercise in frustration as they’re spread across several portals.

In contrast, Hornetsecurity’s 365 Permission Manager provides a single pane to see the settings for every site in your tenant, apply policies, remediate compliance violations, see all access that a particular user has, produce reports and much more.

The sad truth is that most small to medium businesses don’t implement nearly enough of the features they have already paid for and even large enterprises struggle to get these protections in place for all their users.

This is partly due to the inherent complexity of many of Microsoft’s native security features – remember the saying, “Complexity is the enemy of security”.

That’s why many organizations are turning to third-party security solutions like Hornetsecurity to help them make key security features more accessible and reduce complexity.

On the other hand, security neglect is also due to a certain carelessness, which stems from the fact that in many businesses a mindset from the on-premise era still prevails, in which it was thought that (almost) everything was already done with a firewall – and IT shops will take care of it.

The world is a different place today: We must understand that the responsibility for security is in all of our hands and that our cyber defense chain can only be as strong as its weakest link.

Consider security awareness training for employees since it is essential to reduce the risk of cyberattacks, prevent data breaches, and ensure compliance with regulations. It empowers employees to recognize and respond to security threats, fostering a strong cybersecurity culture and protecting both company assets and reputation.

Ultimately, investing in awareness training leads to cost savings and a safer digital environment.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

• 365 Total Protection
• 365 Total Backup
• 365 Permission Manager
• 365 Total Protection Compliance & Awareness
• 365 Total Protection Enterprise Backup

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

If the thought of paying for the underlying platform from Microsoft, and then paying again for the additional security features on top doesn’t sit right with you, consider a third-party solution for your M365 security and compliance needs.

Hornetsecurity offers several different plans with powerful Advanced Threat Protection for your email, data loss prevention (DLP), security awareness service (end user phishing simulation and training), email encryption, email archiving and more.

Hornetsecurity also offers an entire free eBook focused on securing a Microsoft 365 tenant, The Microsoft 365 Security Checklist. It covers all the security settings and configurations you need to know for each M365 license to properly secure your environment and goes into more detail of the actual settings than outlined here.