Today’s threat landscape is more complex than ever before, and the attacks just keep getting more sophisticated. An organization can’t expect to stay safe just by protecting its individual areas, such as files, email, or endpoints. Today’s attackers are targeting the most vulnerable resources—the “low-hanging fruit”—and then traversing laterally to target high-value assets.
What’s needed is a new approach: extended detection and response. Intelligent, automated, and integrated security systems, implemented across domains, represent the best way to connect seemly disparate alerts and get ahead of attackers. In this post, I’m going to talk about Secure Score, which is a Microsoft method of analyzing your organization’s risk level and share with you seven ways to improve that score for your Microsoft 365 tenant.
Understanding Zero Trust
The Zero Trust Framework is a pragmatic model for today’s hostile reality that includes a mindset, an operating model, and architecture tuned to the threat. It starts with the assumption that there’s no such thing as an impermeable perimeter. It’s not a matter of “if” but “when” you get breached. So, the idea is, you assume a breach is coming and prepare for it by trusting nobody and nothing. In other words: Better safe than sorry.
The Zero Trust Framework is designed around explicitly verifying users and giving them the least privileges possible while still being able to do their work. The latest iterations of zero trust have also focused on automation intelligence insights—letting the software do the monitoring for you, across platforms and systems.
There are various diagrams used to illustrate the Zero Trust framework; the one in the following graphic is from Forrester. At the center is your data—the thing you are trying to protect. Interacting with data are people, devices, networks, and workload (in other words, the apps that do your work).
Protecting those interactions is a Zero Trust ring that contains visibility and analytics. You can see what’s going on and analyze it in different ways to make sure you understand what’s happening. Also in that ring are insights and automation. In other words, you don’t have to manually view and analyze what’s going on; you can set up the monitoring processes to be automated and coordinated across systems.
Microsoft’s 12 Key Tasks
Microsoft has identified 12 key tasks to help security teams implement the most important security capabilities as quickly as possible with remote work in mind. Here they are:
How many of these can you confidently say your organization is excelling at? Probably not all of them. See, that’s where it gets tricky. Microsoft offers a variety of protection features, but they’re not consolidated, so you have to jump around to different systems to use them.
For example, you have various conditions that depend on factors such as employee and partner users and roles, trusted/untrusted devices, physical and virtual locations, client apps, and authentication methods. For appropriately securing based on those conditions, you have various controls, such as allowing/blocking access, requiring MFA, forcing password resets, and blocking legacy authentication methods. And all of that happens across multiple platforms, including the Microsoft Cloud, Cloud SaaS apps, and on-premises and web apps.
Further complicating this process is the fact that Microsoft keeps changing the names of things. Some of the names in the above list, like Advanced Threat Protection, aren’t even called that anymore. The following table decodes the old and new names and provides some URLs where you can learn more about them.
Not all of these services are available for all plans. Here’s a graphic that shows the differences among the different Office 365 and Microsoft 365 plans, so you’ll know what you have to work with.
What’s Your Secure Score?
Microsoft has enabled a set of security services that can help you harden your systems, and they give you a score to let you know how well you’re doing—a Secure Score. The score is based on how well you are complying with the 12 key tasks. The higher the score, the more secure you are.
Here’s a graphic that outlines the different levels of analysis. Some of these levels are the same as in the Zero Trust Framework graphic I showed you earlier: Identity, Workloads, Networks, and Devices. Microsoft also includes Apps and Infrastructure in its model. This model also adds some detail to each level and ties the levels into Microsoft services. (There will be information about Secure Score at the end of this article, including how to get your organization’s score.)
Seven Ways to Harden Microsoft 365
We’ve put together seven keys to hardening Microsoft 365 to share with you. Each one of these seven steps helps you understand the tools available and which tools can be used for what purpose.
#1: Enable Secure Access for Users with Azure Active Directory
Azure Active Directory gives you the ability to use multi-factor authentication and create secure access for your users. That’s also where you would set your password policies. The information you get from your Secure Score report will tell you what you need to do there.
There are three key things you can do in this area:
- Secure access with MFA
- Strong passwords
- Blocking legacy authentication
Let’s zoom in on one of those in particular: strong passwords. Here are some useful tips for user passwords:
- Avoid the same or similar password you have used elsewhere.
- Don’t use a single word or a common phrase.
- Make passwords are to guess.
- Avoid names, birthdays of family, favorite bands, or phrases you like.
As an admin, you may be in charge of creating password complexity requirements. Here are Microsoft’s recommendations for that:
- Maintain an 8-character minimum length requirement—but longer isn’t necessarily better.
- Don’t require character composition requirements such as insisting on a non-alphanumeric symbol.
- Don’t require mandatory periodic password resets for user accounts.
- Ban common passwords
- Enforce registration for multi-factor authentication
- Enable risk-based MFA challenges
Depending on several factors, such as protection level, device type, and environment, different levels of authentication security may be required. Here’s a graphic from Microsoft that shows some recommendations broken down in each of those ways.
Tiered Config: Identity, Devices & Protection
#2: Identify Compromised Identities or Malicious Insiders with Microsoft Defender for Identity
With Microsoft Defender for Identity (formerly called Azure Advanced Threat Protection), you can move beyond just configuring Active Directory and be proactive in looking for suspicious activity. It uses your on-premises Active Directory to identify, detect, and investigate threats, compromised identities, and malicious insider actions.
Here’s some of what it can do:
- Monitor user behaviors and activities with learning-based analytics. It creates a behavioral baseline for each user and then identifies any anomalies that might point to suspicious activities or compromised accounts. For example, is the same user logged into two different places at the same time? Or from an unusual geographic location?
- Protect user identities and credentials stored in Active Directory. For example, it uses visual lateral movement paths to help you quickly understand how an attacker might move laterally inside your organization and helps you patch those vulnerabilities.
- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain. Attacks are typically launched against a low-privileged user and then moved laterally to gain access to valuable assets. Defender for Identity notices rogue users, compromised credentials, lateral movements, and domain dominance to put a stop to attacks quickly.
- Provide clear incident information on a simple timeline for fast triage. Defender for Identity’s attack timeline view enables you to quickly see what’s happening.
For more information about Microsoft Defender for Identity, click here.
#3 Protect and Encrypt Sensitive Data with Microsoft Information Protection
Microsoft Information Protection (MIP) helps you discover, classify, and protect sensitive information, no matter where or how it is stored, transferred and used. It can help you to:
- Know your data: Understand your data landscape and identify important data across your hybrid environment.
- Protect your data: Apply flexible protection actions including encryption, access restrictions, and visual markings. You can:
- Define who can access data and what they can do with it.
- Configure policies to classify, label, and protect data based on its sensitivity.
- Assure proper oversight and control of data at rest, in transit, and use.
- Add classification and protection information for persistent protection that follows the data, ensuring that it remains protected regardless of where it’s stored or who it’s shared with.
- Track activities on shared data and revoke access if necessary.
- Prevent data loss: Detect risky behavior and prevent accidental oversharing of sensitive information.
- Govern your data: Automatically retain, delete, and store data and records in a compliant manner.
Learn more about Microsoft Information Protection here.
#4 Manage and Protect Devices with Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a security platform that helps enterprise networks prevent, detect, investigate, and respond to advanced threat attacks. It combines several technologies to do its work:
- Endpoint behavioral sensors: These built-in Windows 10 sensors collect and process behavioral signals from Windows and send that data for analysis to a private, isolated cloud instance of Defender for Endpoint.
- Cloud security analytics: The data gathered from the behavioral sensors are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Defender for Endpoint has access to advanced threat intelligence gathered from multiple sources, enabling it to identify attacker tools, techniques, and procedures and generate alerts when it detects them in collected sensor data.
Learn more about Microsoft Defender for Endpoint here.
#5 Prevent Unauthorized Access and Sharing with Microsoft Cloud App Security
Do you know what cloud apps your users are using? Are they sticking with Office 365 tools, or are they branching out into things like Dropbox, Amazon Web Services, Google Cloud, and the like? With Microsoft Cloud App Security, you can block or allow certain web app usage. If there are external services that users need to access, you can increase their security by enforcing multi-factor authentication to those services. You can also get a handle on who is using your cloud app services and what kind of work they are doing with them.
Learn more about Microsoft Cloud App Security here.
#6 Secure Your Email and Files with Microsoft 365 Rights Management Policies and Defender for Office 365
This one deals with workload security, such as for Exchange, Teams, SharePoint, and OneDrive. Each of the individual workloads has its own security features you can configure, such as data loss protection (like with the Teams video you saw under #4), Safe Links, BitLocker, Windows Information Protection, and lots more. The following graphic provides a partial list of capabilities.
For example, all office 365/Microsoft 365 plans include a variety of threat protection features you can enable, including:
- Anti-malware protection
- Anti-phishing protection
- Anti-spam protection
- Safe links
- Safe attachments
- Threat trackers
- Threat explorers
- Attack simulators
- Real-time attack detection
To read a guide that explains the various Office 365 threat protections, click here.
#7 Use Intelligent Insights and Guidance to Strengthen Your Organization’s Security Posture with Microsoft Secure Score
This “Top Seven” list ends up with Secure Score, but it should be number one in your thoughts because it’s where you want to start. You find out your score, and then you start working with all the other services to improve it as much as possible. Each time you re-check your score, you can watch it rise, along with your confidence that your organization is better protected.
When you view your Microsoft Secure Score report, you’ll see the overall score, along with a list of actions to review. Some of the Microsoft services you’ll work with to raise your score include:
Here’s an example of a Secure Score report.
How CoreView Can Help
Are you getting everything you need from Microsoft in security administration? As you’ve seen in this article, Microsoft provides plenty of tools and capabilities, but they’re spread out across multiple interfaces and platforms, and it can be hard to know which ones to access and what settings to configure. There are so many moving parts and different layers! That’s where CoreView can help.
CoreView is a SaaS management platform that protects, manages, and optimizes Microsoft 365 and other SaaS environments by augmenting and extending the Microsoft Admin Centers and providing a single view across them all. Here’s a simple view of our architecture:
CoreView is a SaaS platform that runs in Azure, essentially right next to your tenant. As you use the CoreView interface to make changes, we then proxy all those changes out to the tenant. This allows you to have much more granular control over which administrators can do what. For example, you can have someone who is a full administrator in CoreView who in Azure AD is just a standard user with no elevated administrative permissions. That’s possible because everything is being done through a proxy.
How many global administrators do you have right now? If you have more than five, you’re definitely out of compliance, but maybe you justify it by saying that it’s the only way to give people the permissions they need to do their jobs. With CoreView, you can reduce that number, and hopefully get it down to two or three. We do this through a feature called virtual tenancy. With virtual tenants, you can segment someone’s visibility by location, region, department, or any other Active Directory attribute. So, for example, you could have one person who is authorized to do just one thing—change passwords—in just one small part of the company, such as the Marketing department of the London office.
Automation is key, and CoreView has a very powerful workflow engine that not only can work with Microsoft 365, in activities like user provisioning and deprovisioning, but also with other SaaS platforms. So, as you deprovision a user, such as when someone leaves employment, it doesn’t just get rid of them in 365, but also across multiple other SaaS applications, such as Salesforce, so you can be confident that they are fully deprovisioned.
The heart of everything is reporting. If you’re tired of using PowerShell to get data out of your tenant, you’ll appreciate CoreView’s powerful reporting engine that allows you to create, modify, and generate all sorts of custom reports. You can also easily take action from within the reports. For example, we have an adoption engine that can let you know who isn’t using a particular tool, such as Teams, and send them an automated message that provides training resources on it.
Want to Learn More?
Want to learn more about CoreView and how it can help you administer your Microsoft 365 system—including Teams? Here are some resources:
- Read about CoreSuite, CoreView’s SaaS management platform for Microsoft 365.
- Take advantage of CoreView’s free Microsoft 365 Health Check.
Check out CoreView’s Resources page, where you’ll find links to dozens of guides, whitepapers, and videos.