Today’s threat landscape is more complex than ever before, and the attacks just keep getting more sophisticated. An organization can’t expect to stay safe just by protecting its individual areas, such as files, email, or endpoints. Today’s attackers are targeting the most vulnerable resources—the “low-hanging fruit”—and then traversing laterally to target high-value assets.
What’s needed is a new approach: extended detection and response. Intelligent, automated, and integrated security systems, implemented across domains, represent the best way to connect seemly disparate alerts and get ahead of attackers. In this post, I’m going to talk about Secure Score, which is a Microsoft method of analyzing your organization’s risk level, and share with you seven ways to improve that score for your Microsoft 365 tenant.
The Zero Trust Framework is a pragmatic model for today’s hostile reality that includes a mindset, an operating model, and architecture tuned to the threat. It starts with the assumption that there’s no such thing as an impermeable perimeter. It’s not a matter of “if” but “when” you get breached. So, the idea is, you assume a breach is coming and prepare for it by trusting nobody and nothing. In other words: Better safe than sorry.
The Zero Trust Framework is designed around explicitly verifying users and giving them the least privileges possible while still being able to do their work. The latest iterations of zero trust have also focused on automation intelligence insights—letting the software do the monitoring for you, across platforms and systems.
There are various diagrams used to illustrate the Zero Trust framework; the one in the following graphic is from Forrester. At the center is your data—the thing you are trying to protect. Interacting with data are people, devices, networks, and workload (in other words, the apps that do your work).
Protecting those interactions is a Zero Trust ring that contains visibility and analytics. You can see what’s going on and analyze it in different ways to make sure you understand what’s happening. Also in that ring are insights and automation. In other words, you don’t have to manually view and analyze what’s going on; you can set up the monitoring processes to be automated and coordinated across systems.
Microsoft has identified 12 key tasks to help security teams implement the most important security capabilities as quickly as possible with remote work in mind. Here they are:
How many of these can you confidently say your organization is excelling at? Probably not all of them. See, that’s where it gets tricky. Microsoft offers a variety of protection features, but they’re not consolidated, so you have to jump around to different systems to use them.
For example, you have various conditions that depend on factors such as employee and partner users and roles, trusted/untrusted devices, physical and virtual locations, client apps, and authentication methods. For appropriately securing based on those conditions, you have various controls, such as allowing/blocking access, requiring MFA, forcing password resets, and blocking legacy authentication methods. And all of that happens across multiple platforms, including the Microsoft Cloud, Cloud SaaS apps, and on-premises and web apps.
Further complicating this process is the fact that Microsoft keeps changing the names of things. Some of the names in the above list, like Advanced Threat Protection, aren’t even called that anymore. The following table decodes the old and new names and provides some URLs where you can learn more about them.
Not all of these services are available for all plans. Here’s a graphic that shows the differences among the different Office 365 and Microsoft 365 plans, so you’ll know what you have to work with.
Microsoft has enabled a set of security services that can help you harden your systems, and they give you a score to let you know how well you’re doing—a Secure Score. The score is based on how well you are complying with the 12 key tasks. The higher the score, the more secure you are.
Here’s a graphic that outlines the different levels of analysis. Some of these levels are the same as in the Zero Trust Framework graphic I showed you earlier: Identity, Workloads, Networks, and Devices. Microsoft also includes Apps and Infrastructure in its model. This model also adds some detail to each level and ties the levels into Microsoft services. (There will be information about Secure Score at the end of this article, including how to get your organization’s score.)
We’ve put together seven keys to hardening Microsoft 365 to share with you. Each one of these seven steps helps you understand the tools available and which tools can be used for what purpose.
Azure Active Directory gives you the ability to use multi-factor authentication and create secure access for your users. That’s also where you would set your password policies. The information you get from your Secure Score report will tell you what you need to do there.
There are three key things you can do in this area:
Let’s zoom in on one of those in particular: strong passwords. Here are some useful tips for user passwords:
As an admin, you may be in charge of creating password complexity requirements. Here are Microsoft’s recommendations for that:
Depending on several factors, such as protection level, device type, and environment, different levels of authentication security may be required. Here’s a graphic from Microsoft that shows some recommendations broken down in each of those ways.
With Microsoft Defender for Identity (formerly called Azure Advanced Threat Protection), you can move beyond just configuring Active Directory and be proactive in looking for suspicious activity. It uses your on-premises Active Directory to identify, detect, and investigate threats, compromised identities, and malicious insider actions.
Here’s some of what it can do:
For more information about Microsoft Defender for Identity, click here.
Microsoft Information Protection (MIP) helps you discover, classify, and protect sensitive information, no matter where or how it is stored, transferred, and used. It can help you to:
Learn more about Microsoft Information Protection here.
Microsoft Defender for Endpoint is a security platform that helps enterprise networks prevent, detect, investigate, and respond to advanced threat attacks. It combines several technologies to do its work:
Learn more about Microsoft Defender for Endpoint here.
Do you know what cloud apps your users are using? Are they sticking with Office 365 tools, or are they branching out into things like Dropbox, Amazon Web Services, Google Cloud, and the like? With Microsoft Cloud App Security, you can block or allow certain web app usage. If there are external services that users need to access, you can increase their security by enforcing multi-factor authentication to those services. You can also get a handle on who is using your cloud app services and what kind of work they are doing with them.
Learn more about Microsoft Cloud App Security here.
This one deals with workload security, such as for Exchange, Microsoft Teams, SharePoint, and OneDrive. Each of the individual workloads has its own security features you can configure, such as data loss protection (like with the Microsoft Teams video you saw under #4), Safe Links, BitLocker, Windows Information Protection, and lots more. The following graphic provides a partial list of capabilities.
For example, all office 365/Microsoft 365 plans include a variety of threat protection features you can enable, including:
To read a guide that explains the various Office 365 threat protections, click here.
This “Top Seven” list ends up with Secure Score, but it should be number one in your thoughts because it’s where you want to start. You find out your score, and then you start working with all the other services to improve it as much as possible. Each time you re-check your score, you can watch it rise, along with your confidence that your organization is better protected.
When you view your Microsoft Secure Score report, you’ll see the overall score, along with a list of actions to review. Some of the Microsoft services you’ll work with to raise your score include:
Are you getting everything you need from Microsoft in security administration? As you’ve seen in this article, Microsoft provides plenty of tools and capabilities, but they’re spread out across multiple interfaces and platforms, and it can be hard to know which ones to access and what settings to configure. There are so many moving parts and different layers! That’s where CoreView can help.
CoreView is a SaaS management platform that protects, manages, and optimizes Microsoft 365 and other SaaS environments by augmenting and extending the Microsoft Admin Centers and providing a single view across them all. Here’s a simple view of our architecture:
CoreView is a SaaS platform that runs in Azure, essentially right next to your tenant. As you use the CoreView interface to make changes, we then proxy all those changes out to the tenant. This allows you to have much more granular control over which administrators can do what. For example, you can have someone who is a full administrator in CoreView who in Azure AD is just a standard user with no elevated administrative permissions. That’s possible because everything is being done through a proxy.
How many global administrators do you have right now? If you have more than five, you’re definitely out of compliance, but maybe you justify it by saying that it’s the only way to give people the permissions they need to do their jobs. With CoreView, you can reduce that number, and hopefully get it down to two or three. We do this through a feature called virtual tenancy. With virtual tenants, you can segment someone’s visibility by location, region, department, or any other Active Directory attribute. So, for example, you could have one person who is authorized to do just one thing—change passwords—in just one small part of the company, such as the Marketing department of the London office.
Automation is key, and CoreView has a very powerful workflow engine that not only can work with Microsoft 365, in activities like user provisioning and deprovisioning, but also with other SaaS platforms. So, as you deprovision a user, such as when someone leaves employment, it doesn’t just get rid of them in 365, but also across multiple other SaaS applications, such as Salesforce, so you can be confident that they are fully deprovisioned.
The heart of everything is reporting. If you’re tired of using PowerShell to get data out of your tenant, you’ll appreciate CoreView’s powerful reporting engine that allows you to create, modify, and generate all sorts of custom reports. You can also easily take action from within the reports. For example, we have an adoption engine that can let you know who isn’t using a particular tool, such as Microsoft Teams, and send them an automated message that provides training resources on it.
Want to learn more about CoreView and how it can help you administer your Microsoft 365 system—including Microsoft Teams? Here are some resources:
Check out CoreView’s Resources page, where you’ll find links to dozens of guides, whitepapers, and videos.
