Whenever IT managers hear the terms security, compliance, and audit, they tend to run and hide. Executive management fears the cost and additional regulations required. In fact, all levels of management are concerned. People think, does the government have access to my information? Are there federal regulations from the Department of Homeland Security to address? Has my company been sued? Executives and IT managers assume compliance and security mean unplanned budget expenses.
The challenge that we all have is that we do not know what we do not know. It may sound trite, but this is the way people operate. Therefore, we need to change and adapt to a new security mind-set.
Today, all of us have a responsibility to manage information in a secure way. We are the custodians of information. Our role is to manage and protect not only our employees and fellow co-workers’ information but also that of our clients and vendors. This is the new security and compliance mind-set I’m talking about. Many times, we abdicate this duty and do not realize the impact that we have on the users and businesses we support.
This book addresses the issues of security and compliance with Office 365. For us to reach the same destination together, we need to have a common understanding of the problem and the potential solutions that are available. In this book, you will learn how to use Office 365 security services to defend your organization from internal and external threats.
The purpose of this book is to provide you with the necessary tools and information to secure your Office 365 services. There are many solutions that you can use, but there are also many different ways you use those services. My goal is to assist you with additional information that you can use to manage your Office 365 services—in the most secure manner possible. On this journey together, we’ll look at the threats we’re facing in the current environment. Our first task as a team is to understand the threats and the Office 365 tools that can be used to combat the threats.
Security and Hackers
“There are two kinds of companies: those who’ve been hacked and those who don’t know they’ve been hacked.”
—James Comey, Former Director, FBI
To understand hackers (also known as bad actors) today, you need to understand that they are after information in all forms for the sole purpose of selling the information. When an organization is hacked (such as Equifax), the attacker first tries to get into the organization by any means. The bad actor uses phishing attacks or overt trojans on USB memory sticks. (One of the classic trojan intrusions is to randomly drop a number of USB drives on the sidewalk in front of a building you want to penetrate. Statistically, 1 out of 5 people will pick up the USB memory stick and plug it into their work computer to see what is on it, infecting their system with a trojan.) Once the hacker is in an organization, the bad actor goes quiet, and there is little detectable movement. The bad actor slowly probes the organization for weaknesses with the sole purpose of understanding the organization. The bad actor covertly learns the organizational structure and begins to understand the business practices and how to subvert them. This is what happens to all organizations, and you can see the results with large data breaches such as Sony and Target. The organizations do not even know their security has been breached.
Compliance and Security Are a Mind-Set
Vigilant companies must protect their environment with methodical planning and security best practices. Security and compliance audits are simple to achieve and do not break the bank. How you service these compliance audits is simply planning for them. This is where Office 365 is a must-have tool. Office 365 makes compliance audits simple because the compliance tools are built into Office 365. When you look at compliance, Microsoft cloud products are far simpler to use and easier to deploy than other methods. Starting in the early 2000s, Microsoft was for years under the scrutiny of the Department of Justice (DOJ) and the Federal Trade Commission (FTC) for many of its business practices. This oversight has driven Microsoft to develop a common set of software-as-a-service (SaaS) products that are focused on business security.
It is also ironic that the pressures that Microsoft faced in years past are now the pressures that we all face in our businesses. That is, how can we create full transparency and information controls in our business practices? As I said, to start we need to change our mind-set. It is all about security and the road map that we use to get to our destination.
Note
Office 365 security/compliance is a large topic. To simplify the view for new users, the approach I will take in this book is to look at Office 365 as an application that runs in Azure. Looking at this from the book’s perspective, Azure provides identity services/management for Office 365. So, this book is about using Azure identity services to manage Office 365 security and configuring those services. I will not go into Azure in much detail, unless it helps clarify Office 365.
Note
Not on Office 365 yet and wondering what to do next? Chapter 7 covers how to migrate to Office 365.
All new security models for preventing attacks come down to the analysis of information. Microsoft published the Intelligent Security Graph as the basis of its security backbone. It is the collection of information from billions of devices and data from endpoints around the world. This information is analyzed to look at user usage of Microsoft programs and at different attacks by bad actors. The data shows trends of attacks, which provides Microsoft with the necessary responses. In other words, this data allows the analytic tools to detect a bad actor and take the appropriate actions to combat the threat. The different Microsoft technologies such as Windows 10 Defender and Windows 10 Advanced Threat Protection (WATP) deploy these defenses automatically to the connected devices. WATP uses new behavioral analysis to defend the desktop and is included in the Office 365 subscriptions for Windows 10 E5.
The simplest example of the impact of information collected in the Intelligent Security Graph is to look at the Office 365 login process. You have probably run into the situation where you try to log in to Office 365 in your browser and get prompted to try again. You know that the password is correct and cannot understand why you can’t log into the service.
As another example, say you use Microsoft security services to manage your account. You can link additional information about you to your account such as cell phone, e-mail address, office phone number, and answers to those pesky security questions. Any information like this is linked into the multifactor authentication (MFA) service and is integrated with Azure Identity Protection (more about this in Chapter 4). Combine this new security information along with a customized Office 365 portal and compute devices that are “joined to Azure Active Directory” and you have a secure compute environment. The integrated security of Office 365 is further enhanced with your credentials and user identity protection.
As a side note, look at your neighbors’ homes as you drive home from work. Do you see homes with alarm signs on them? Are the homes well-lit or dark? If you are a bad actor, which home would you pick to break into? Which home would give you the best opportunity as a thief? Would you pick the well-lit home with the alarm sign on it or the dark house with few lights on and no posted alarm sign? Your Office 365 organization is very much like your home. What are the tools that you need to look at to make it so the bad actors look somewhere else? What changes do you need to make in your business processes and basic configuration so that the environment is much more difficult to clone? Do you have a universal cloud-based signature (like Crossware, https://www.crossware.co.nz ) that signs all e-mail from all devices in the same way so you can easily tell whether your e-mail has been spoofed? You need to approach your SaaS security from this mind-set—assume that you could be breached and put tools in place to make it difficult for the bad actors to impersonate you.
Deployed custom login screens to help users detect phishing attacks
Deployed multifactor authentication (using cell phones and a non-Office 365 e-mail account)
Deployed Azure privilege identity to manage the security aspects for your administrative user account
These items are simple to complete. These capabilities (and others) exist within the Office 365 security license. Once you add these capabilities, you have drastically improved the security of your Office 365 service, and in the process you have made your company less susceptible to attacks by bad actors. Remember, security is a mind-set. The way I approach security is to review weekly (and sometimes daily and hourly) the accounts that my organization manages for security. On these accounts we deploy the Microsoft 365 Enterprise E5 suite (a combination of Office E5, Enterprise Mobility Suite [EMS] E5, and Windows 10 E5 security software). This allows us to handle both proactive and reactive security. During my weekly review session, I look at the security of the Office 365 organization. I review a set of key reports that cover the health of the behavior of the employees. These behavior reports flag actions based on incorrect privacy data releases or bad actors impersonating users in the organization.
Cloud App Security (CAS) dashboard, showing dashboard access
Service assurance status of the Office 365 and Azure tenants
Azure Advanced Threat Protection security dashboard and reports
Windows Security Center for Windows Advanced Threat Protection (WATP)
Microsoft Secure Score value
In Chapter 2, we will build the baseline reporting structure and detail of the reports that you need to review. After you set up and enable some basic Azure services, in Chapter 3 you will look at your Microsoft Secure Score for your cloud-based services and make changes to improve that score. You will use the Microsoft Secure Score for both Office 365 and Windows 10 E5 Advanced Threat Protection.
Note
The DPO is the person responsible for the data management and privacy policies in the company. This is different than the compliance officer. The compliance officer looks for governance activity, such as related to a FINRA or SEC policy. The DPO looks for data privacy violations. In small organizations, these are the same person. Under the new data protection laws (in the European Union and California), all companies (no matter how small) must have a DPO role assigned.
Detection today looks at how applications work and how users use the applications. This combination of data and usage collection develops an operational profile for the users. As an example, let’s look at Microsoft Word, which is a fancy text editor. It does not run administrator scripts or look at permissions (or change user permissions and access). You would not expect Word to invoke an administrator application that changes a user’s password or performs other administrative functions. The next-generation security software operates in this manner. It analyzes the applications (on a Mac or PC) and logs (or blocks) the nonstandard behavior when it is detected.
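The "Word never runs administrative tools" expectation described above can be written down as a detection rule over process-creation events. The following is an added example (not code from the book or from any Microsoft product): it flags any event in which an Office application is the direct parent of a scripting host or permission-changing tool. The event fields, the two tool lists, and the sample events are constructed for this illustration.

```python
# Added example, not from the book: a minimal behavioural detection over
# process-creation events. The rule encodes the expectation in the text that
# an Office application such as Word never launches administrative or
# scripting tools. Event fields and the sample events are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ADMIN_OR_SCRIPT_TOOLS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "net.exe", "net1.exe", "reg.exe", "icacls.exe", "schtasks.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str      # ISO-8601, as an EDR or Sysmon-style log would carry it
    host: str
    user: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_spawning_admin_tool(event: ProcessEvent) -> bool:
    """True when an Office process is the direct parent of an admin/script tool."""
    return (_basename(event.parent_image) in OFFICE_APPS
            and _basename(event.image) in ADMIN_OR_SCRIPT_TOOLS)


def detect(events: Iterable[ProcessEvent]) -> List[Dict[str, str]]:
    """Return one alert per event that violates the expected application behaviour."""
    alerts = []
    for e in events:
        if is_office_spawning_admin_tool(e):
            alerts.append({
                "time": e.timestamp,
                "host": e.host,
                "user": e.user,
                "rule": "office-app-spawned-admin-tool",
                "detail": f"{_basename(e.parent_image)} -> {_basename(e.image)}: {e.command_line}",
            })
    return alerts


# Constructed sample events: two benign (print helper, Explorer opening a
# console) and two that should alert (Word running a script, Excel changing ACLs).
SAMPLE_EVENTS = [
    ProcessEvent("2019-03-04T09:12:01Z", "WS-0412", "jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent("2019-03-04T09:15:44Z", "WS-0412", "jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -File invoice_macro.ps1"),
    ProcessEvent("2019-03-04T09:20:10Z", "WS-0412", "jdoe",
                 r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("2019-03-04T10:02:37Z", "WS-0977", "asmith",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\icacls.exe",
                 r"icacls.exe C:\Finance /grant Everyone:F"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, both on the Office-parent events; the Explorer-spawned console is left alone because the rule is about which application started the tool, not about the tool itself.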
In addition, we are not faced with just security for the sake of security; we are also faced with new requirements on how governments expect us to manage our employees and customers’ information. Security is a broad topic, and Office 365 contains hundreds of product codes. This book is based on the configuration of a specific security suite called Microsoft 365 Enterprise E5.
To simplify the process, you will use the Microsoft 365 Enterprise E5 subscription as a base for all configurations. To continue on our security journey, you will need to deploy a Microsoft 365 E5 subscription and an Azure subscription. Azure Cloud Service Provider (CSP) subscriptions are nothing more than a payment commitment through a Microsoft cloud partner.
My goal in this chapter is to expose you to the different aspects of security in Office 365 and slowly help you configure your Office 365 and Azure security service. To get started on this journey, let’s look at the European regulation—the General Data Protection Regulation (GDPR)—that will have a major impact on how you manage personal information. Office 365 is designed around privacy. But for privacy to work, you need to conform to the new and upcoming regulations. The U.S. version of GDPR is coming. In fact, California has recently passed the California Consumer Privacy Act (CCPA), and many states are about to clone the same law. We all need to change our view about security and data privacy. Let’s take a quick look at the GDPR and then step through some Office 365 security features.
General Data Protection Regulation and Privacy Policies
All IT managers and compliance officers need to recognize that a significant change started in 2018 that affects personal privacy and how we, as both businesses and consumers, need to understand our responsibilities under the European Union General Data Protection Regulation. The law was introduced in May 2016 and became fully enforceable in May 2018. The GDPR put in place privacy policies, strengthening data protection controls and making breach notification procedures highly transparent. Breaking the GDPR rules can generate fines of 20 million euros or 4 percent of the worldwide revenue of the corporation—there are no business exemptions. On June 28, 2018, California enacted the California Consumer Privacy Act. The CCPA, like the GDPR, has stiff fines. If the CCPA had been in effect when the Target breach occurred a few years ago, Target’s fines would have been $5 billion.
The impact for business is significant. The GDPR puts in place transparent policies for data management. This policy is a requirement for all entities that have a business transaction with the EU and all entities that consume EU information. Why should you care if your business operates only in the United States? The answer is simple: if your business transacts or allows any product or service to be purchased or consumed in a country that is covered under the GDPR, you have no choice but to conform. Again, the penalties are severe. The GDPR measures the fines as a percent of the gross sales of the organization. The California CCPA measures fines per data record. In both regulations, the fines are extreme.
Office 365 is a foundational service that is designed to meet the GDPR requirements. Office 365 with Azure services collects information for audit and analysis from millions of endpoints. What each of us needs to do next is to look at our organization and discuss how we need to change our business processes and business practices to conform to the new regulations. This is important because these standards will take over worldwide as the new privacy standards. There are requirements for breach reporting and significant penalties for noncompliance. There are skeptics who say this will never happen, but the California CCPA has disproven that theory.
The world is a global economy, and as large multinational corporations are required to adapt to maintain their competitive advantage, they will lobby various nations (and states) to adopt the same regulations, thereby leveling the playing field. Business is competitive. The new CCPA, the HIPAA, and the GDPR all require companies to report data breaches quickly. The GDPR requires that the report is made to the relevant supervisory authority no later than 72 hours after the data breach occurs (note this is not business hours).
Personal privacy and individual rights to access collected information
Controls and notifications that an organization must deploy under new regulations
Transparent policies with data management
IT training and responsibilities for the data the organization collects
Personal Privacy and Individual Rights
The new GDPR rules require that any “personal” information you hold must come with the ability for the end user to manage that information. The definition of personal information is broad: personal information is any information that is identifiable to the individual. If you collect information on videos and share information with affiliates, all of that needs to be fully disclosed, and the end user must be given the ability to access their personal information, correct any errors associated with that data, erase the personal information from your business records, object to the processing of the information, and export all information that you have collected on them. (If you are a processor under the EU regulations, you can be exempt from managing any information about individuals.)
Note
Some people think that in the United States they are not subject to personal data protection laws. However, because of the GDPR, there has been an increase in audits and fines associated with all sorts of data privacy violations. Check out https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
As a business manager, you need to seriously look at how you manage personal data and what controls you have on that data. If you are a multinational company that does business in the European Union, you are subject to data regulations—even if you are based in the United States. The privacy laws (worldwide, not just in the United States) are changing, and the data breach laws and the penalties for noncompliance are significant. One of the new features that Google is providing in the European Union to comply with the GDPR is the ability to destroy all information collected in Gmail accounts and the Chrome browser. This capability is slowly being introduced in the United States.
Note
Organizations tend to collect much more personal information than what is needed to complete a job or support customers. For example, IT service companies do not need to know the sex, home address (unless you support computers in the home), or any personal characteristics of the people we support—and we should not know their home phone numbers. As a business, unless we have a business reason to collect information, we do not want or care to have any personal information. Too many times we collect personal information for no apparent reason. Everyone should look at the information they collect in their businesses and ask the question—is there a business reason for the information? If there is no business reason, then remove the information from your systems.
Controls and Notifications
The GDPR requires different rules for data controllers and for data processors. As an IT manager, you are required to manage the audit logs and security associated with different data types. In some cases, you will be the data processor, and in other cases you will be the data controller. In either case, how you manage, supervise, and review access to information is critical. How you use the different tools to manage this service (such as Compliance Manager in the Microsoft Security and Trust Center to manage GDPR compliance) reduces your business liability as well as your personal liability.
Note
Data processors are entities that receive data from data controllers and process personal information (security lookup, credit references, etc.). Under the GDPR regulations, the management of the data is a shared responsibility. Data controllers control the personal information. In this case, this is the Office 365 service.
Transparent Privacy Policies with Data Management
The latest federal laws require notification of the usage of private information, but the laws are so broad that no one really understands what is going on. What the GDPR has done is simplify the requirements. The GDPR has defined organizations that process information and organizations that supply information. The California CCPA does something similar. Under the GDPR, all data controllers and data processors are required to provide a clear statement (which needs to be approved by regulators) about data collection and what type of data is collected. There are also requirements on data processing as well as a full audit process for the data (what has been done, what was changed) and the data retention policy associated with that information and audit logs. In other words, you need a 100 percent transparent policy in how data is used, who it is shared with, and why. Along with this is a new requirement that the personal data can be deleted at any time if requested by the individual. This is also part of the California CCPA. As IT managers and CISOs, we need to look to the future and expect that personal information (from consumers, business associates, employees) management regulation will be more stringent; therefore, we need to develop the processes and learn to use the tools with Microsoft Security and Compliance center to address these new requirements.
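The rights listed under “Personal Privacy and Individual Rights,” the data-minimisation advice in the note above, and the audit and deletion requirements in this section all act on the same thing: a record about a person and a log of what was done to it. The following is an added example, not code from the book or from the Microsoft Security and Compliance Center, of a small personal-data store that rejects fields with no business purpose on intake, serves access, rectification, objection, export and erasure requests, and writes an audit entry for each action. The allowed-field list, the subject identifiers and the record contents are constructed.

```python
# Added example, not from the book: a personal-data store that applies data
# minimisation on intake and supports the subject rights the text lists
# (access, rectification, objection, export, erasure), writing an audit entry
# for every action. The allowed-field list and all records are constructed.
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Fields the (hypothetical) business has a documented reason to hold.
ALLOWED_FIELDS = {"name", "work_email", "work_phone"}


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}
        self._objections: Set[str] = set()          # subjects who objected to processing
        self._audit: List[Dict[str, object]] = []   # append-only, survives erasure

    def _log(self, action: str, subject_id: str, detail: object = None) -> None:
        self._audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action, "subject": subject_id, "detail": detail,
        })

    def collect(self, subject_id: str, fields: Dict[str, str]) -> List[str]:
        """Store only fields with a business purpose; return the names rejected."""
        rejected = sorted(set(fields) - ALLOWED_FIELDS)
        self._records[subject_id] = {k: v for k, v in fields.items() if k in ALLOWED_FIELDS}
        self._log("collect", subject_id,
                  {"stored": sorted(self._records[subject_id]), "rejected": rejected})
        return rejected

    def access(self, subject_id: str) -> Dict[str, str]:
        """Right of access: the subject sees exactly what is held about them."""
        self._log("access", subject_id)
        return dict(self._records[subject_id])

    def rectify(self, subject_id: str, field: str, value: str) -> None:
        """Right to rectification: old and new values are both logged."""
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"{field} is not a field this business collects")
        old = self._records[subject_id].get(field)
        self._records[subject_id][field] = value
        self._log("rectify", subject_id, {"field": field, "old": old, "new": value})

    def object_to_processing(self, subject_id: str) -> None:
        """Right to object: processing stops until the objection is resolved."""
        self._objections.add(subject_id)
        self._log("object", subject_id)

    def may_process(self, subject_id: str) -> bool:
        return subject_id in self._records and subject_id not in self._objections

    def export(self, subject_id: str) -> str:
        """Right to portability: a machine-readable copy of the record."""
        self._log("export", subject_id)
        return json.dumps({"subject": subject_id, "data": self._records[subject_id]}, sort_keys=True)

    def erase(self, subject_id: str) -> None:
        """Right to erasure: the record goes, the audit entry stays."""
        del self._records[subject_id]
        self._objections.discard(subject_id)
        self._log("erase", subject_id)

    def audit_trail(self, subject_id: Optional[str] = None) -> List[Dict[str, object]]:
        return [a for a in self._audit if subject_id is None or a["subject"] == subject_id]


def demo() -> List[str]:
    """Constructed walk-through of one subject's lifecycle; returns the audit actions."""
    store = PersonalDataStore()
    store.collect("emp-1001", {"name": "A. Example", "work_email": "a.example@corp.example",
                               "home_address": "1 Private Lane", "sex": "F"})
    store.rectify("emp-1001", "work_phone", "+1 555 0100")
    store.object_to_processing("emp-1001")
    store.export("emp-1001")
    store.erase("emp-1001")
    return [str(a["action"]) for a in store.audit_trail("emp-1001")]


if __name__ == "__main__":
    print(demo())
```

Two design points are deliberate: the intake path drops the home address and sex before they are ever stored (the note above: no business reason, no record), and erasure removes the record but not its audit history, which is what lets you later demonstrate to a regulator what was held and when it was deleted.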
IT Training and Responsibilities
All types of security require training. You need to establish the necessary process rules and train the IT personnel to manage the information according to the regulations. It is imperative that information is managed properly. The GDPR requires that every company have a data protection officer (DPO) who has the responsibility to manage the information. The regulation also provides methods of contact and requirements for the users who have access to personal information.
Organizations will need to train individuals who have access to personal information under the new GDPR privacy requirements. There needs to be a full audit of information access. In addition, vendors that transact against data from a data collector must be fully compliant with the GDPR requirements.
GDPR Next Steps
As the Corporate Information Security Officer (CISO), my role has just expanded to the DPO role in addition to my traditional compliance role. It is no longer acceptable to use older tools that no longer meet the new data regulations. As the CISO, I need to be proactive and look at how to minimize my organization’s risk. The GDPR is a wake-up call on data management. The call to action for all of us is to reduce the amount of personal information that we collect and to implement additional management tools to manage our employees’ and clients’ information. Information management is the key to managing our business securely.
Microsoft Trusted Cloud
Do you know who is accessing your data?
Can you grant access to your data based on risk in real time?
Can you find and react to a breach?
Can you protect your data on devices, in the cloud, and in transit?
Is security integrated into a user’s day-to-day activities with little effort?
Exchange e-mail gateway/anti-malware services called Office 365 Advanced Threat Protection (ATP)
Windows Defender with Advanced Threat Protection (WATP)
Cloud App Security (CAS)
Azure AD Identity Protection
Azure Security Center
Azure Advanced Threat Protection
Log Analytics workspace
Mobile Application Management, Windows Information Protection and Mobile Device Management
Most data breaches originate from some form of identity management breach. This type of breach is either because of incorrect permissions or a bad actor getting access to a user identity through various phishing means. The goal of the Office 365 security services is to provide detection and remediation of data breaches; Office 365 also uses the information gained to be proactive in managing the services. The Office 365 security services are designed to look at the behavior of the user based on the user role. These services are a combination of different service offerings and are described next.
Exchange E-mail Gateway/Advanced Threat Protection
Office 365 Advanced Threat Protection protects users from unsafe e-mail attachments and message URLs. The service can work in Office 365, stand-alone, or in a hybrid environment when the e-mail services are routed through Office 365. ATP processes all URLs and e-mails that are sent to the user’s mailbox. The URLs are examined in real time, and access to bad sites and code is blocked. ATP also deals with dynamic threats, where the links in the e-mail are valid when initially processed by the service and later turn bad because of a delayed-execution payload. Figure 1-11 is an example of the ATP service acting on a delayed-payload link.
Office 365 ATP also validates attachments. Office 365 ATP not only looks for unsafe links but also looks for unsafe attachments and will block them from the user’s mailbox. The user can still override the unsafe attachments, so no data is lost in the case of mischaracterization.
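The two behaviours just described, a link re-checked at click time rather than only at delivery and an attachment held back but releasable by the user, are easiest to see in a toy model. The following is an added example (not code from the book and not how Microsoft implements ATP): a reputation feed whose verdicts change over time, a delivery-time scan that records a verdict per link and quarantines attachments by file type, and a click-time re-check that catches the delayed payload. The feed, message format, blocked-extension list and sample message are constructed.

```python
# Added example, not from the book and not Microsoft's ATP code: a toy model of
# the delivery-time scan plus time-of-click re-check that the text describes
# for links, and of attachment blocking with a user release. The reputation
# feed, message format and sample message are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".jar"}


class ReputationFeed:
    """Stand-in for a threat-intelligence feed whose verdicts change over time."""
    def __init__(self) -> None:
        self._bad_hosts: Set[str] = set()

    def mark_malicious(self, host: str) -> None:
        self._bad_hosts.add(host.lower())

    def is_malicious(self, url: str) -> bool:
        host = (urlparse(url).hostname or "").lower()
        return host in self._bad_hosts


@dataclass
class Message:
    msg_id: str
    recipient: str
    urls: List[str]
    attachments: List[str]
    delivered_attachments: List[str] = field(default_factory=list)


class MailProtection:
    def __init__(self, feed: ReputationFeed) -> None:
        self.feed = feed
        self.delivery_verdicts: Dict[Tuple[str, str], str] = {}   # (msg, url) -> verdict
        self.quarantine: Dict[str, List[str]] = {}                # msg -> held attachment names
        self.click_log: List[Dict[str, str]] = []

    def scan_at_delivery(self, msg: Message) -> Message:
        """Record a verdict per link and hold attachments whose type is blocked."""
        for url in msg.urls:
            self.delivery_verdicts[(msg.msg_id, url)] = "block" if self.feed.is_malicious(url) else "allow"
        for name in msg.attachments:
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in BLOCKED_EXTENSIONS:
                self.quarantine.setdefault(msg.msg_id, []).append(name)
            else:
                msg.delivered_attachments.append(name)
        return msg

    def check_at_click(self, msg_id: str, url: str) -> str:
        """Re-evaluate the link now; a link that was clean at delivery may be bad now."""
        verdict = "block" if self.feed.is_malicious(url) else "allow"
        self.click_log.append({"msg": msg_id, "url": url,
                               "at_delivery": self.delivery_verdicts.get((msg_id, url), "unknown"),
                               "at_click": verdict})
        return verdict

    def release_attachment(self, msg_id: str, name: str) -> bool:
        """User override for a quarantined attachment, so a mischaracterised file is not lost."""
        held = self.quarantine.get(msg_id, [])
        if name not in held:
            return False
        held.remove(name)
        return True


def demo() -> Tuple[str, str]:
    """Constructed delayed-payload scenario: clean at delivery, bad at click."""
    feed = ReputationFeed()
    mp = MailProtection(feed)
    msg = mp.scan_at_delivery(Message("m1", "user@corp.example",
                                      ["https://docs.example.net/invoice"],
                                      ["invoice.pdf", "invoice_viewer.js"]))
    before = mp.check_at_click("m1", msg.urls[0])     # link is still clean here
    feed.mark_malicious("docs.example.net")            # payload goes live after delivery
    after = mp.check_at_click("m1", msg.urls[0])      # same link, now blocked
    return before, after


if __name__ == "__main__":
    print(demo())
```

The click log keeps both verdicts side by side; a “allow at delivery, block at click” pair is exactly the dynamic-threat case the text describes and is worth surfacing to the security team on its own, because it means the message is sitting in other mailboxes too.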
Windows 10 Defender Advanced Threat Protection
Windows 10 Defender Advanced Threat Protection ( https://securitycenter.windows.com ) is the next generation of behavioral threat and deep learning tool. This tool is included in the Microsoft 365 E5 security suite and is an optional tool for other Office 365 subscriptions (such as the Windows 10 E5 subscription). Windows Defender Advanced Threat Protection not only blocks malicious activity but also provides post-breach detection, investigation, and response to ongoing attempts.
Windows Defender is built into the core of the Windows 10 operating system. In other words, it is not a third-party add-on, and it is integrated with the Microsoft Intelligent Security Graph. Simply, this means that when a breach is detected on any of the various endpoints, Windows Defender ATP (Windows 10 with the Windows E5 Advanced Threat Protection extensions) begins to monitor and block the malicious activity on all connected endpoints.
As you deploy Windows Advanced Threat Protection in this book, you will also collect Windows telemetry data. Windows telemetry, when used with Windows Advanced Threat Protection, will give you the ability to identify the lateral attacks that bad actors use to penetrate your environment.
A lateral attack is an attack used to breach the defenses in a company. The bad actor looks for a weak entry point (such as a Mac with an out-of-date version of OS X or a 3-year-old BIOS). The bad actor breaches the system, and the help-desk folks try to remotely address the problem. The bad actors use the information from the help-desk access to attack other systems in the network. Windows 10 Defender ATP and Azure ATP help protect and identify this threat.
Cloud App Security
Cloud App Security (CAS) is a key component in the ongoing identification of security breaches. There are new apps released daily with new features and exploits, and users do not know whether an app is valid when they install it. They just download the cloud application and try the service and then uninstall the application. This is where malicious services will creep into the enterprise environment and exploit the user credentials and supply personal data to third-party services. Under the new data privacy laws, this is a data breach.
When Cloud App Security (CAS) is deployed, you have access to analytics on user behavior. You have the tools to block activities and remediate problems. CAS supports detections for ransomware, access to subscriptions, and access to unauthorized data. This is a key tool that is used for compliance and data governance and is included as part of the Microsoft 365 E5 subscription.
There have been numerous situations where I had to review the logs of different activities to understand potential threats in SaaS-based environments. Cloud App Security is a must-have tool for security analysis.
Azure Identity Protection
Cloud App Security provides the tools to better understand the behavioral side of the user and the tools for remediation. There is another side of security management, and this is Azure Identity Protection. Azure Identity Protection allows you to detect potential vulnerabilities affecting your organization’s identities, configure automated responses to detected suspicious actions, and investigate suspicious incidents and take appropriate action to resolve them. The vast majority of security breaches occur when a user identity is stolen. The issue is knowing how to identify risk-based activities so you can track the activity and take appropriate action—leveraging the different ways to authenticate a person who is accessing your systems.
Note
Nothing is absolute. The closest you can get to true security is to make access depend on three different types of information: something you have (like a smartphone), something you are (like a fingerprint or other biometric), and something you know (like a password). These three pieces of information comprise true security.
Figure 1-15 shows users who are at high risk. In this case, you have policies in place to act on when users are flagged for risk events and vulnerabilities. These are reports such as “Users flagged for risk,” “Risk events,” and “Vulnerabilities.” Risk events could include logging in from multiple addresses, logging in from nontrusted locations, or logging in from devices that are not registered with the Azure identity suite. These policy settings can enable multifactor authentication, password reset, and a reduction in access to different areas of Office 365. The goal of the Azure Identity Protection service is to mitigate risk while managing a user’s credentials. Integrate into this the Azure threat protection’s DNS detection services and you have significantly strengthened the security capability of your deployment.
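The policy described above has two halves: classify each sign-in into risk events (multiple addresses, non-trusted location, unregistered device) and map the resulting risk level to an action (allow, require MFA, reset the password). The following is an added example, not code from the book and not Azure Identity Protection's own logic, that does both over a list of sign-in records. The trusted-country list, registered-device list, thresholds, action mapping and sample sign-ins are all constructed for the illustration.

```python
# Added example, not from the book and not Azure Identity Protection's own
# logic: evaluates sign-in records for the three risk events the text names
# (multiple addresses, untrusted location, unregistered device) and maps the
# resulting risk level to a policy action. Trusted countries, registered
# devices, thresholds and the sample sign-ins are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

TRUSTED_COUNTRIES = {"US"}
REGISTERED_DEVICES = {"LAPTOP-01", "LAPTOP-02", "LAPTOP-03"}
MULTI_ADDRESS_WINDOW = timedelta(hours=1)
MULTI_ADDRESS_THRESHOLD = 3           # distinct source IPs within the window

POLICY_ACTIONS = {
    "none": "allow",
    "medium": "require_mfa",
    "high": "block_and_reset_password",
}


def parse(signins: List[Dict[str, str]]) -> Dict[str, List[Dict]]:
    """Group sign-in records by user, with times parsed, oldest first."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for s in signins:
        row = dict(s)
        row["time"] = datetime.strptime(s["time"], "%Y-%m-%dT%H:%M:%SZ")
        by_user[row["user"]].append(row)
    for rows in by_user.values():
        rows.sort(key=lambda r: r["time"])
    return by_user


def risk_events(rows: List[Dict]) -> List[str]:
    """Risk events raised by one user's sign-ins, as sorted names."""
    events = set()
    for r in rows:
        if r["country"] not in TRUSTED_COUNTRIES:
            events.add("untrusted_location")
        if r["device"] not in REGISTERED_DEVICES:
            events.add("unregistered_device")
    # Sliding window: distinct IPs seen within MULTI_ADDRESS_WINDOW of any sign-in.
    for i, start in enumerate(rows):
        ips = {r["ip"] for r in rows[i:] if r["time"] - start["time"] <= MULTI_ADDRESS_WINDOW}
        if len(ips) >= MULTI_ADDRESS_THRESHOLD:
            events.add("multiple_addresses")
            break
    return sorted(events)


def risk_level(events: List[str]) -> str:
    if not events:
        return "none"
    return "high" if len(events) >= 2 else "medium"


def evaluate(signins: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per-user risk events, level and the policy action to apply."""
    report: Dict[str, Dict[str, object]] = {}
    for user, rows in parse(signins).items():
        events = risk_events(rows)
        level = risk_level(events)
        report[user] = {"events": events, "level": level, "action": POLICY_ACTIONS[level]}
    return report


# Constructed sample: alice is normal, bob signs in from an untrusted country on an
# unknown device, carol uses three different addresses within 25 minutes.
SAMPLE_SIGNINS = [
    {"time": "2019-03-04T08:00:00Z", "user": "alice", "ip": "198.51.100.10", "country": "US", "device": "LAPTOP-01"},
    {"time": "2019-03-04T12:30:00Z", "user": "alice", "ip": "198.51.100.10", "country": "US", "device": "LAPTOP-01"},
    {"time": "2019-03-04T03:10:00Z", "user": "bob",   "ip": "203.0.113.44",  "country": "RO", "device": "UNKNOWN-7F3"},
    {"time": "2019-03-04T09:00:00Z", "user": "carol", "ip": "198.51.100.22", "country": "US", "device": "LAPTOP-02"},
    {"time": "2019-03-04T09:12:00Z", "user": "carol", "ip": "192.0.2.9",     "country": "US", "device": "LAPTOP-02"},
    {"time": "2019-03-04T09:25:00Z", "user": "carol", "ip": "203.0.113.5",   "country": "US", "device": "LAPTOP-02"},
]

if __name__ == "__main__":
    for user, verdict in evaluate(SAMPLE_SIGNINS).items():
        print(user, verdict)
```

The mapping is intentionally graduated: a single risk event only steps the user up to MFA, which is cheap for a legitimate user and a hard stop for someone holding just a password, while two independent signals trigger the password reset the text mentions.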
Azure Security Center
When you think about security, you need to think of incident response and the processes that you have in place to address an incident. Typically, there are five phases with an incident: detect, assess, diagnose, stabilize, and close. The Azure Security Center has been designed around these five basic steps. The Security Center assists you in the management of the incident by giving you the necessary information to address the event.
Cloud-Based Advanced Threat Protection for Endpoints
Azure Advanced Threat Protection (previously called Advanced Threat Analytics) is about detecting threats using behavior analytics in your enterprise. What is unique about Azure ATP is that it uses self-learning to build a behavior profile that represents your organization. Azure ATP is deployed on your domain controller and integrates into the Windows Security Center. The detection tool supports Windows desktops, Windows servers, and Linux servers. The simplest example is to look at how your organization uses multiple devices to access information. When you access information from multiple sources, using multiple tools, this creates a blind spot in the organization on data management and user behavior. What happens is that you leave backdoors open for bad actors to gain access to your credentials. This opens the door for data breaches. Keep in mind that in this post-GDPR world, those breaches will need to be reported within 72 hours of the event.
Note
I mention EU GDPR a lot in this chapter, and I am sure you are wondering why you should care about a European law if you are in the United States. The simple answer is that a U.S. version of the GDPR is slowly making its way through Congress. So, eventually there will be a GDPR-like law in the United States. So, from an IT perspective, we need to look at our business processes and start making changes now. The GDPR is a wake-up call for the United States, and California has already responded with the CCPA.
Azure Log Analytics Suite
Search and analyze data logs
Manage alert rules
Manage usage and cost
Customize data views for work process automation
Mobile Device Management and the Enterprise Mobility + Security Suite
Mobile Device Management (MDM), Mobile Application Management (MAM), Windows Information Protection (WIP), and the Enterprise Mobility + Security (EMS) suite are core components of the Microsoft security strategy. The main component of the EMS strategy is the Azure identity feature and how this relates to mobile device deployment. I have dedicated Chapter 5 to Mobile Application Management (MAM), Windows Information Protection (WIP), and Mobile Device Management (MDM). There are simple deployments (MAM/WIP) and compliance deployments (full MDM). In Chapter 5, I will go through the details of how to deploy this in your organization. MDM is managed from the Intune dashboard in Azure.
- Enterprise Mobility + Security E5
  - Azure Active Directory Premium P2
  - Microsoft Cloud App Security
  - Azure Information Protection Premium P2
- Enterprise Mobility + Security E3 (included in E5)
  - Azure Active Directory Premium P1
  - Microsoft Advanced Threat Analytics
  - Microsoft Intune
  - Azure Information Protection Premium P1
Microsoft Secure Score
Microsoft Secure Score is a key tool that the CISO will use to verify that the Office 365 tenant has been configured correctly. This tool continuously analyzes the Office 365 configuration (updated nightly) and looks for security configuration problems. The tool is a key component in the compliance officer's toolbox. In Chapter 3, you will look at the best-known methods for configuring your Office 365 tenant, and Microsoft Secure Score is the tool that you will use to complete this analysis.
Typical Security Offerings
- Basic-level security (usually notifications and data mining on the dark web)
- Midrange package (these usually are reports of a predictive nature)
- High-end package (this is where the real work begins and includes threat modeling)
As a CISO, you will be looking at either the midrange package or the high-end package. Which one you pick is determined by your staff capabilities. Smaller organizations will typically select a higher-end package. Established organizations with a well-defined process will select a midrange package. Where does your organization fit in? It depends on your business process and how you view security. The low-end packages make sense only if you have already deployed many of the capabilities discussed in this book. If you have not deployed security packages like the ones I have discussed and you consider security "not" important, then you have a fundamental business problem. In the past 20 years, hundreds of fast-growing businesses have become defunct because they lost their competitive advantage and intellectual property to cyber-theft.
The basic monitoring package assumes that the organization already has the necessary security structure in place; it is an incremental addition to the organization. Most organizations select the middle package. This way they have the best of both worlds: active detection and predictive monitoring of potential threats. The third package is a proactive package that builds on the predictive package to take corrective action in the organization. Which package should you use? Again, this depends on the capabilities of the organization. If you lack infrastructure and resources, choose the higher-end package. If you have an individual who can monitor what is going on in your organization, then select the middle package. Looking at the security plans offered earlier, we have three different plans, and each of them is built around a cybersecurity early warning detection system. The Shield, Armor and Fortress security plans all include dark web monitoring. The reason for this is that dark web monitoring provides an early warning of potentially compromised information in a business. When a user account is compromised, it gives the bad actor additional insight into potential security holes in the organization, and these security holes are where data breaches occur. There is a company called ID Agent (www.idagent.com) that specializes in collecting data that is for sale on the dark web. Security operations centers use this data to look for potential data breaches. When user credentials are discovered on the dark web, the impact on a security team is significant. What happens is that bad actors will try different combinations of passwords (based on the information for sale on the dark web) in an attempt to get access to the user accounts. This approach is known as password spray. You know the user credentials, but you do not have the passwords; you do, however, have a good suspicion that the password is a certain combination of numbers and letters.
You draw this conclusion because the user credentials have been breached a number of times and they are for sale on the dark web. The bad actor has either purchased the credentials or is using a service that has collected data about this user and sells the information to the bad actor on a subscription basis. Once a bad actor is armed with this information, you begin to see a slow attack to compromise the user credentials. As an example, Equifax in 2018 had a credential breach of over 146M accounts and financial records. Just recently Marriott was breached with 500M data records. My credentials happen to be in both breaches. The bad actors now have a pattern of passwords that they can use to access my accounts. In my case, I thwart this with multifactor authentication and restricted-access accounts. However, most clients are not that lucky, so we need to be prepared. Cybercrime is a profit-making business that sells our digital assets. Dark web monitoring is key to a healthy cybersecurity program.
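As an added illustration of the slow attack just described (this is not code from the book or from Microsoft), the following Python flags the password-spray pattern in Azure AD-style sign-in records: many accounts, few attempts each, from one source. The field names are assumed to mirror the Azure AD sign-in log export, and the sample records are constructed.

```python
"""Password-spray detection over Azure AD-style sign-in events (added example,
not code from the book). Field names mirror the Azure AD sign-in log export;
all records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "50126"  # Azure AD result code: invalid username or password

def ev(ts, upn, ip, result):
    # One sign-in record in the assumed export shape.
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "resultType": result}

SAMPLE_EVENTS = [
    # One source, six accounts, one guess each inside ten minutes: the spray.
    ev("2019-03-01T08:00:05Z", "alice@contoso.example", "203.0.113.7", BAD_PASSWORD),
    ev("2019-03-01T08:01:40Z", "bob@contoso.example", "203.0.113.7", BAD_PASSWORD),
    ev("2019-03-01T08:03:12Z", "carol@contoso.example", "203.0.113.7", BAD_PASSWORD),
    ev("2019-03-01T08:05:30Z", "dave@contoso.example", "203.0.113.7", BAD_PASSWORD),
    ev("2019-03-01T08:07:01Z", "erin@contoso.example", "203.0.113.7", BAD_PASSWORD),
    ev("2019-03-01T08:09:44Z", "frank@contoso.example", "203.0.113.7", BAD_PASSWORD),
    # A forgetful user in the office: one account, repeated failures, then success.
    ev("2019-03-01T08:02:00Z", "bob@contoso.example", "198.51.100.20", BAD_PASSWORD),
    ev("2019-03-01T08:02:20Z", "bob@contoso.example", "198.51.100.20", BAD_PASSWORD),
    ev("2019-03-01T08:02:45Z", "bob@contoso.example", "198.51.100.20", "0"),
]

def find_password_spray(events, window=timedelta(minutes=30),
                        min_accounts=5, max_per_account=3):
    """Return {source_ip: [accounts]} for sources whose bad-password failures touch
    at least min_accounts distinct users within `window` while no single account is
    tried more than max_per_account times (the low-and-slow spray pattern)."""
    failures = defaultdict(list)
    for e in events:
        if e["resultType"] == BAD_PASSWORD:
            ts = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures[e["ipAddress"]].append((ts, e["userPrincipalName"]))
    hits = defaultdict(set)
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding time window over this source
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, upn in attempts[start:end + 1]:
                per_user[upn] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[ip].update(per_user)
    return {ip: sorted(users) for ip, users in hits.items()}
```

The office user who mistypes a password three times is not flagged, because the rule keys on breadth of accounts, not depth of attempts against one account.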
The security packages are described in the following sections.
Shield: Basic Monitoring
The Shield class of products is designed to provide basic monitoring services to any client. Companies that have a process-oriented infrastructure will use these packages to augment additional security service offerings. Companies that use MobileIron, a third-party antivirus package, will use this product. Most vendors will have an offering that looks like this. This basic package offers enough security products to provide basic monitoring, but if you are being targeted or are in a high-risk industry, you need to look at a higher-end offering.
Armor: Predictive Security Class
The Armor class will typically include predictive monitoring. In this case, I am referring to the configuration of services that can show you trends and analysis on your infrastructure. Data is collected from different endpoints (including Microsoft’s intelligent cloud) and presented in a series of dashboards that the IT manager/CISO can review to make business decisions. Data is collected and analyzed, and reports are generated. Companies that use this class of product have an existing IT staff that has experience in remediation and analysis of the company’s data. Basically, you have data being presented in a logical fashion where knowledgeable individuals can decide on the appropriate changes to the infrastructure.
Fortress: Proactive Security Class
The third class of products you typically see are the proactive security products. In this case, the example is the Fortress class. This is the high-end product with different types of security offerings targeted at high-risk industries. High-risk industries are defense contractors, financial businesses with compliance requirements, and any organization that manages large amounts of personal data. Products in this class include two distinct offerings: predictive analysis and proactive management. In this case, you need to have the skills to read the reports and make decisions on the different data that is being collected. The vendor that provides this service will proactively make changes in your security infrastructure to keep the bad actors out of the organization and protect the organization data.
As you look at different security products, you need to look at the offerings in respect to Office 365 because you want to use an integrated service offering. Table 1-1 shows the different options of the security products and how they overlap with Microsoft’s threat detection road map discussed earlier.
Table 1-1. Office 365 Security Product Feature Comparison (Courtesy of KAMIND IT)
It is important to look at product positioning and at what you are doing internally to make sure that you are aligned with the business. As you look at different product offerings, you need to step back and look at the services that are available in Office 365 and Azure. My goal in this book is to provide you with a good introduction to the various elements of Office 365—from a security perspective—and allow you to use those services as it makes sense for your business. There are two key security dashboards in Office 365 that you need to manage. These are the Security & Compliance Center dashboard and the Azure Advanced Threat Protection dashboard.
Security & Compliance Center
1. Work with the Microsoft partner to purchase an Azure CSP subscription and Microsoft 365 E5 licenses.
2. Configure Azure security services (see Chapter 2).
3. Configure Secure Score (see Chapter 3).
4. Deploy Cloud App Security (see Chapter 3).
5. Deploy Privileged Identity Management (see Chapter 4).
6. Deploy Azure Identity Protection (see Chapter 4).
7. Deploy Azure Information Management/Protection (see Chapter 4).
8. Deploy Mobile Application Management (see Chapter 5).
9. Deploy Mobile Device Management (see Chapter 5).
10. Manage Compliance (see Chapter 6).

1. Manage the day-to-day activity through the Security & Compliance Center. Look for alerts and breaches.
2. Resolve alert notices, and focus attention on Cloud App Security (CAS).
3. On a weekly basis, check the Microsoft Secure Score for changes once you set your baseline.
4. On a weekly basis, check the Compliance Manager score in the Security and Trust Center.
If you are new to Office 365, you may notice that your tenant is not configured with all the features shown in Figure 1-23. The reason for this is that you have the incorrect subscription. To enable all the features in the Office 365 Security & Compliance Center, you need to purchase the Microsoft 365 E5 subscription for your account. This will give you the complete set of rights to manage and set the permissions for your Office 365 tenant.
Once you have the complete set of permissions, you can enable the different features for the organization. This way you can define the necessary business processes required to grow your organization. Note I said grow. Businesses that use Office 365 are growing businesses because Microsoft has designed the solution to allow your business to scale. All the features that I described earlier are available to you as an administrator.
Summary
This chapter gave you an overview of the security features in Office 365. My approach was to show you the possibilities that exist and explore what you can do with Office 365. Our road map (refer to Figure 1-1) is the Microsoft threat detection road map. Everything that you do in Office 365 is a choice you make as the custodian of your company's data and your customers' information. We all need to be vigilant about our responsibilities.
I wanted this book to be a useful guide for IT managers on what they need to configure and do to manage an Office 365 environment, so I wrote the chapters from a CISO's perspective. I wanted to give you insight into the capabilities of Office 365 and open your mind to the possibilities in managing a secured environment. As we walk through the chapters in the book, I will expose you to the configuration of Microsoft Secure Score (configurations for your industry), monitoring techniques for the Security & Compliance Center, and the configuration of Office 365 and Azure services. This will lead us into the management of privileged information and risk analysis of our users, and we will end up with Mobile Application Management and Mobile Device Management. Once we reach this point, we will walk through the configuration of Mobile Device Management to see how you can lock down your environment. The goal of Chapter 1 was to give you an overview of what is coming in the next chapters. We are going to configure the Office 365 and Azure services that we just reviewed. If you have not deployed the Microsoft 365 E5 and Azure CSP subscriptions, go deploy those subscriptions before we proceed.
The processes discussed in the chapter revolved around the GDPR and CCPA. My goal was to provide you with the necessary information to ensure that your organization has the fundamental business processes and security processes to meet the data protection and privacy requirements.
Note
Before you proceed, you will need to purchase Microsoft 365 E5 and an Azure CSP subscription. To fully understand the concepts in this book, you must have these subscriptions deployed on your administrator account. You can deploy these subscriptions from your current partner. If you are worried about the long-term commitment for Office 365, check out www.kamind.com/csp for the different subscription offerings.
Next Steps
I have assumed that your Office 365 environment is fully set up and you are using the service. If you are not on Office 365, refer to Chapter 7 and migrate your company to Office 365. (You can also refer to my previous book, Moving to Office 365.) The chapters in this book are written on the assumption that you have Office 365 and are looking for a better way to securely manage it. As we proceed through the book, we will deploy Office 365 and Azure services based on the Microsoft 365 E5 subscription and an Azure Cloud Solution Provider (CSP) consumption subscription for Azure. If you do not have these subscriptions, please acquire them as soon as possible.
Reference Links
There is a lot of information about Office 365 on the Web—the issue is finding the right site. The information contained in this chapter is a combination of my experience performing deployments and of support information published by third parties.