Over the course of the past few decades, Microsoft has gone from being unfairly perceived as an outcast in the security world to being a leader. Recognising that more people and businesses than ever before rely on its technologies, from the smallest of home businesses to the largest international powerhouses, Microsoft has invested limitless effort and resources into its security offerings. A perfect example of this is the advanced security features available with the Microsoft 365 E5 license.
As the highest tier that Microsoft offers, it includes all of the features from the lower-tier licenses such as Office, E3 and below. While it may be easy to assume that those lower tiers are “good enough”, the investment in E5 and the advanced security features it provides make it well worth it. In the end, it makes sense to invest in the security technology that protects your critical systems and data within the same ecosystem and avoid costly complexity that may actually increase your risk.
The Microsoft 365 E5 services and product offerings accomplish this seamless security, by reducing unwanted complexity through fewer disjointed layers, improved integration, and increased visibility. As a familiar environment, everyone in your business can quickly learn, adapt to, and become proficient in this ecosystem without having to learn dozens of varied (and at times incompatible and competing) vendor systems.
Virtually everyone in the workforce today is familiar with Microsoft platforms and the consistent look and feel of its applications. From the early days of the Windows desktops and Office applications, we’ve become quite proficient at using their technology to perform our jobs. We edit documents, send emails, build applications and websites, conduct business, and store our data, from the most critical to the mundane, in the Microsoft world.
Unfortunately, this convenience came at a price and there have been many well-documented security incidents impacting the Microsoft platform. Terms like “Patch Tuesday” became part of the IT lexicon. While there were other alternatives and a whole industry seems to have arisen to secure the Microsoft world, the convenience and ease of use was too hard to ignore. As one of the most innovative companies on the planet, Microsoft took note and did something about its security image.
Sparing you the antiquity lesson (lest you fall asleep like you did in year 10 history class), Microsoft has improvised, adapted, developed, refined, and matured its security offerings to the point where even crusty old veterans like me think they’ve finally got it right. Sure, Microsoft has the largest footprint and is the target of untold volumes of nefarious people and programs, but when you’re the biggest kid on the block, you’re also the one the best equipped to defend yourself and those around you. Enter the E5 license.
Instead of having to pick and choose various services and products, E5 includes all of them. Of course, having more systems and data means you bear more risk. Bigger might be better, but it’s also riskier. Admittedly, E5 is not for everyone, and not everyone has the budget to implement it, but for many with a lot at stake, the investment in E5 may pale in comparison to the cost associated with managing a disparate, complex suite of systems or, goodness forbid, cleaning up after a security incident. Those can and will occur, but an investment in E5 improves your prevention, mitigates the impacts of an incident when they occur, and facilitates the recovery after the incident has passed.
The Microsoft 365 E5 license has many products and services included by default that are not bundled in the other tiers (and I won’t delve into them here), but the security features alone are worth discussing. Some of the components I would strongly urge you to consider include:
While you can still get this with an E3 subscription and the Advanced Compliance add-on, it’s a key piece worth investing in E5 for. We all have untold volumes of unstructured data in our infrastructures and Advanced eDiscovery helps you find relevant documents with important content, reduce duplication (think about email threads and their infinite repetition), and helps classify and sort information in a more meaningful format. If you use online versions of Exchange, SharePoint, OneDrive for Business, Skype, and Teams in your business, you’ll quickly realise the value.
In my experience, the information a business needs might always be at hand, but just not easily found. Yet, the ones you don’t want to have access to this data always seem to find it! Other sources of pain are gaps and overlaps – we have multiple, uncontrolled copies of one thing yet none of another we actually need. Visibility and control of your data and documents is crucial.
Easily one of my favourite parts of the default E5 security offerings, ATP is gold when digging into nefarious activity. Even if you don’t have E5, ATP is still worthwhile. A recent Forrester study found that ATP – built-in to Windows 10 – contributed to a 40% reduction in risk of a data breach and caught 1.7 times as many threats as other endpoint detection and response tools1.
ATP helps secure you at the most fundamental and primary communication levels such as email, web, and collaboration tools. Malicious content in emails and websites is, and remains, one of the most pervasive problems in cybersecurity. Phishing emails alone account for 39% of all breaches2, as reported by the Australian Notifiable Data Breaches Scheme.
An untold number of breaches and incidents begin with clicking on links and opening malevolent attachments. A recent blog I wrote dealt with just such an incident in Office 365 that impacted many educational facilities. More importantly, how Office 365 and E5 have the controls to effectively fight back.
I suggest you start with a consulting engagement to understand your threat profile (Data#3 can assist through our Assurance Assessment offerings) and develop your ATP policies. Avoid the draconian approach of just locking everything down and logging everything because you’ll quickly become more of a preventer than an enabler and lost in a sea of irrelevant information.
Of particular interest to me are the Threat Investigation and Response Capabilities (including the automated ones) since one of my key responsibilities are the forensics of an event. The more of these you have enabled and configured, the better it will be for everyone. On this note, the reports available from ATP are incredibly valuable.
This is a valuable one to protect yourself from changes that Microsoft may be making by preventing them from accessing your content for services purposes without explicit consent. While you may not think this is a problem, when was the last time your computer restarted due to updates or other problems while you were in the middle of something? Exactly. From a security perspective, this means you have more control over your environment.
It isn’t all about Microsoft. Nearly every business relies heavily on applications from other vendors for their very existence, and many of those applications are cloud-based. In a perfect world, we wouldn’t need Cloud App Security but the reality of Shadow IT dictates otherwise. Some benefits of this unique CASB solution include:
When combined with some of the security features in Microsoft Azure, you can quickly establish a secure ecosystem built on the Microsoft platforms, and I’ll discuss Azure security in a future article. You can also take a read of this blog for more on cloud app security; Tackling Cloud App Security with Microsoft 365.
We should agree up front that our Microsoft environments serve as the source-of-truth for many aspects of our business from email to databases, to identity and access management, to role-based access controls, to core network services like DNS and DHCP. Our accounts exist in Active Directory, we are governed by Group Policy Objects, and we use Word, Excel, PowerPoint, and Outlook without a second thought.
A perfect starting point is performing an Assurance Assessment, and specifically, considering some of the Microsoft security and compliance offerings, like a Microsoft 365 Security Assessment. This will establish what exists, what does not, what is needed, and how best to proceed.
This is where I always recommend getting the right people involved and asking the right questions. Starting with “Do we currently have an E5 license?”, and if confirmed, then asking, “Are we doing everything we can with it?” If you discover you don’t have an E5 license, then it’s time to ask why not. Sure, there are reasons to forgo the upgrade (or initial investment if you’re not already using Office 365), which generally arise from heavy investment in other technologies that provide the same or similar services found in E5, or from budgetary constraints.
When considering the investment in other technologies, also ask if you’re realising the full potential from those investments. If the rationale for not having E5 is budgetary, then consider the cost and benefit of upgrading against potential risks like downtime, data loss, and breaches. Quick fact, application downtime costs Australian businesses an average of more than $762,000 per incident3. Even if, after you review all of the E5 security features, you’re undecided, please consider the Advanced Threat Protection (ATP) at a minimum and what it can do for your business.
Whether you’re a current user of Microsoft 365 or not, take your time to consider all the options available and make security a priority. You may find that in the end, E5 may be worth the extra investment. I certainly think it is when considering the additional safeguards.
Getting started is as easy as contacting Microsoft and signing up, but I would strongly recommend working with a Microsoft partner such as Data#3 to ensure that you get exactly what you need and realise the most value from your investment. This way, you can fully understand your current security posture, likely by beginning with an assurance assessment, and using a consultative approach to define requirements and expected outcomes.
It also helps immensely to work with a Microsoft partner to fully understand the day-to-day operations of your E5-licensed systems and services, especially the security features like ATP. Armed with this knowledge, you’ll be able to prepare, protect, detect, respond, and recover from incidents using these advanced features.
A common train of thought in securing one’s Microsoft environment is vendor diversity by leveraging the best-of-breed solutions from other partners. While there may be some merit to seeking security solutions from other vendors with whom it is a specialisation, it ultimately adds complexity and complexity may inadvertently introduce risk. For those who attended one of Data#3’s JuiceIT conferences this year, you may have seen me speak on how simplicity is the ultimate sophistication when it comes to cybersecurity.
Another common pitfall comes from overinvestment and underutilisation. Ask yourself if your business has invested in E5 but are not actively using all it offers. It’s like buying a Ferrari, but leaving it in the garage because your Ford still works well enough. Admittedly, E5 may not be for everyone despite the advanced security features but you must still be mindful of your security posture.
Failing to invest in people can lead to costly human errors, so consider engaging experts to begin your journey. Working with a Microsoft partner is far better than trying to sort it out on your own, even if just for the initial implementation and deployment.
Your ghosts in the Microsoft 365 machine are much more of a physical variety, taking on the forms of the very people the systems intend to serve. Ensure that in addition to the advanced technical controls in E5 that you also invest in your administrative controls. Policies and procedures must exist, be reviewed regularly, and enforced when necessary.
Human error is still one of the leading causes of security incidents, so an investment in security awareness and behaviour training won’t go astray, especially where you can no longer just “pull the blue wire” in the on-site data centre. Microsoft provides a wealth of material and training for users of its systems and offers many incentives as part of its E5 subscription; take advantage of them.
Always consider your data in its three states: in motion, in use, and in transit. To that end, consider your access to the cloud and make sure your localised connectivity is adequately secured. Even if you are a fully virtualised environment with nothing more than a wired or wireless LAN on-site, the endpoints you use every day could be the weakest links. When undertaking assurance assessments, always include your workstations, local networks, mobile devices, and local infrastructure equipment that connects you to your Office 365 environment.
Encrypt your links and be wary of uncontrolled networks like public Wi-Fi. Be mindful of your devices as an unlocked laptop or lost mobile phone could allow access to your private data by compromising a “trusted” device or user. While E5 and ATP can help with the “during” and “after” a breach, it’s best to prevent a compromise in the first place.
As a Microsoft Gold Partner, Data#3 has unique capabilities to secure your Modern Workplace. We also offer a number of assessments, to help you understand your security posture. Please contact a local Security Specialist to discuss or book a Security Strategy Workshop, Shadow Data Audit or any of our Security Threat Assessments, today.
1. Forrester Consulting. (July,2017). The Total Economic Impact Of Microsoft Windows Defender Advanced. [Online] Available at: https://info.microsoft.com/WNDWS-Forrester-TEI-Registration.html
2. Office of the Australian Information Commissioner. (April, 2019). Notifiable Data Breaches Scheme 12-month Insights Report. [Online] Available at: https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics/ndb-scheme-12%E2%80%91month-insights-report.pdf
3. Stephen Withers iTWire. (Mar 2019). Downtime costs Australian businesses dearly. [Online] Available at: https://www.itwire.com/enterprise-solutions/86343-downtime-costs-australian-businesses-dearly.html