Contributions by Vasil Michev, Sharon Breeze, and Terence Jackson
For Microsoft 365 organizations, it’s no longer a question of if their tenant will be breached. It’s a question of when (and how often). With a strong cyber resilience strategy for Microsoft 365, you can build layers of resilience into your tenant. That way you can withstand attacks when they happen.
This article covers:
Microsoft 365 isn’t just an app. It’s a prime target for cybercriminals. The average Microsoft 365 tenant contains 58% of an organization’s sensitive cloud data and, arguably, has the most powerful privileged accounts a business has.
Industry surveys have revealed that Microsoft 365 tenants are still facing a constant barrage of attacks.
Your tenant will be breached. Cyber resilience techniques for Microsoft 365 help you withstand attacks and recover more quickly.
NIST defines Cyber Resilience as:
“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
Let’s break this down into its four constituents and look at what this may involve for Microsoft 365.
Whereas traditional security builds defenses on an existing understanding of best practices, cyber resilience requires security teams to look ahead and anticipate emerging threats and trends.
No one can predict the future, but you can ensure you partner with vendors and service providers who react quickly to the threat landscape. And you can implement an internal process to review emerging threats frequently and adapt your internal standards appropriately.
Implementing this process is a strong starting point. But it should also include a practical way to make changes quickly. For example, if you identify a requirement that your existing toolset cannot deliver, you will be able to adapt faster if you have an extensible platform.
It’s obvious that every organization should implement strong access-level security for its tenants, such as email filtering, zero-trust authentication, and cloud access control.
However, withstanding an attack means implementing robust security measures to minimize the impact when someone successfully outwits or bypasses these controls.
To minimize the impact when your tenant is breached, you will want to make it as difficult as possible for cybercriminals to move laterally, elevate their privileges, persist in your tenant, and reach their final objective.
For the full list of best practices to withstand a tenant attack, access the full Microsoft 365 Cyber Resilience guide.
There are now over 10,000 unique policy elements across Microsoft 365’s many configuration types, with many of these designed to have multiple variations (e.g., multiple user groups or conditional access policies).
This means the day-to-day operation of a Microsoft 365 tenant may rely on hundreds of thousands (or in some cases millions) of unique configurations.
With this complexity, it is now critical that organizations keep their Microsoft 365 tenant configurations backed up, ready to be restored in the event of a disaster.
The final element in the NIST definition of cyber resilience is the ability to adapt and continuously improve your tenant security based on what you learn from past incidents. To do this, it is critical to work with platforms that are extensible and can be adapted to your unique requirements.
Dive deeper into best practices you can implement today to be more resilient with our complete guide: Microsoft 365 Cyber Resilience Maturity Model.
Without a clear plan, attackers can spread laterally, escalate privileges, and exfiltrate data before you even detect them. This maturity model is designed to help you detect intrusions early, contain threats, and recover before attackers cause serious damage.
At this level, the goal is to reduce the likelihood of initial compromise in your tenant. Implementing the controls associated with Level 1 will help you enforce strong user access, email filtering, and data access controls for your tenant—all things that drive down the risk of an initial breach.
The controls of this level include:
At Level 2, you’re aiming to reduce the impact of compromise once someone has accessed your tenant. The controls here include backing up your configurations, deploying secure configurations, detecting configuration drift, enforcing configuration change management, and detecting and testing new Microsoft updates before they’re rolled out.
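The configuration backup and drift detection controls described above (keeping a restorable baseline of tenant configuration and spotting changes to it) can be reduced to a small, offline check. The block below is an added example, not CoreView's or Microsoft's code; the policy records are constructed for illustration and only mimic the shape of an Entra conditional access policy export.

```python
# Configuration drift check: compare a backed-up baseline of tenant policies with
# the current state and flag the changes to triage first. Records below are
# constructed and only mimic the shape of a conditional access policy export.
from typing import Any

# Constructed baseline: the backup taken after the last approved change.
BASELINE = {
    "CA01-Require-MFA-Admins": {
        "state": "enabled",
        "conditions": {"users": {"includeRoles": ["GlobalAdministrator"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    "CA02-Block-Legacy-Auth": {
        "state": "enabled",
        "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"builtInControls": ["block"]},
    },
}

# Constructed current state: CA01 switched off and widened, CA02 gone, CA03 unapproved.
CURRENT = {
    "CA01-Require-MFA-Admins": {
        "state": "disabled",
        "conditions": {"users": {"includeRoles": ["GlobalAdministrator",
                                                  "ExchangeAdministrator"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    "CA03-Temp-Exclusion": {"state": "enabled"},
}

def diff(baseline: Any, current: Any, path: str = "") -> list[tuple[str, Any, Any]]:
    """Walk both trees; return (path, old, new) per differing leaf, None if absent."""
    if isinstance(baseline, dict) and isinstance(current, dict):
        changes = []
        for key in sorted(set(baseline) | set(current)):
            changes += diff(baseline.get(key), current.get(key), f"{path}/{key}")
        return changes
    return [] if baseline == current else [(path, baseline, current)]

def is_critical(path: str, old: Any, new: Any) -> bool:
    """Drift that weakens enforcement: a policy disabled, or a whole policy added/removed."""
    if path.endswith("/state") and new != "enabled":
        return True
    return path.count("/") == 1 and (old is None or new is None)

def drift_report(baseline: dict, current: dict) -> tuple[list, list]:
    """Return (all_changes, critical_changes) between two tenant snapshots."""
    changes = diff(baseline, current)
    return changes, [c for c in changes if is_critical(*c)]
```

The critical list is what a change-management process should have a ticket for; anything in it without one is the drift to revert from the backup.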
With your configurations now tamper-proof, Level 3 looks to remove common escalation vectors and pathways that cybercriminals love to exploit. Controls for Level 3 include:
By the time you come to Level 4, you have put layers of resilience into your tenant to slow attackers down to a crawl. The next step is to implement governance and automation to keep your attack surface lean and your response time fast.
This level involves implementing sprawl and lifecycle management, user access reviews, enhanced audit and reporting, secure task management, and rapid extensibility.
The Cyber Resilience Maturity Model for Microsoft 365 covers each level of the maturity model in-depth, including recommendations and best practices from Microsoft experts to build cyber resilience into your day-to-day operations.
To get inside your tenant, attackers use all kinds of tactics—some new, some old. Stay up-to-date on the latest attack tactics from cybercriminals to strengthen your organization’s defenses against evolving threats.
See how in the Anatomy of a Microsoft 365 Attack.
It takes attackers just 16 hours to reach your directory.
And, once inside your tenant, attackers will find and hijack high-privilege accounts. Counteract these attacks by identifying accounts with excessive permissions and reducing exposure with the Admin Permissions Scanner for Microsoft 365.
With CoreView, you get the tools you need for true cyber resilience for your Microsoft tenant. Our rapid response and secure automation tools make tenant protection more than just a preventative measure:
See how your peers use CoreView to build resilience in Microsoft 365. Or, schedule a demo to dive deeper into our cyber resilience capabilities.