Microsoft Defender 365 security: The story of unused Microsoft 365 E5 license capabilities
The goal of this series will be to introduce, in practical words, the features and capabilities of the security tools included in the Microsoft 365 E5 license and provide examples how it can optimize your cyber security program - both in effort and spending terms. Microsoft E5 contains Microsoft Defender 365, which is part of the overall Microsoft Defender XDR, also including Microsoft Defender for Cloud.
Format each of your headings below to Heading 2 to keep your post neat and SEO-friendly.
In the coming posts I will look at what protection each part of Microsoft Defender 365 provides, how is that covered by the Microsoft E5 license and provide some comparison of effort and cost with other products.
I decided to start this blog post series after several conversations with partners and customers about the cybersecurity practices they have, tools they use and problems they face.
I found a common lining - they all had Enterprise Agreements with Microsoft and E5 licenses, but they never got to implement most if any of the security features that come with this license. They still relied on other vendors - sometimes best-in-class point solutions, sometimes legacy ones, to tick the compliance boxes of security. And strangely enough, they were looking to tick the unticked boxes, by obtaining yet another point solution, while they already had the tools in their hands - they just didn't know about it. As you can imagine this results in greater budgets for cybersecurity, it makes the skills problem bigger - as for every point solution, the skill gap of the internal security team is increased, and ultimately results in worse off security than the initial state (except for that compliance checkbox).
Microsoft Defender 365 Overview
Microsoft Defender 365 is an XDR (Extended Detection and Response) security platform which provides means to protect Endpoints, Identities, Cloud Apps and Data.
Each element of the platform delivers prevention and detection capabilities to stop threats before they damage the organization.
The elements speak to each other to provide coordinated protection, automatic healing, unified threat intelligence and cross-domain threat hunting all in one unified portal.
The immediate benefit to organization is the reduction of effort in setup and operations, the narrow skill-gap. Each platform element is built to have the same feel for the security engineers. Automation and integration is continuously improved by Microsoft security. The platform provides an open query language for custom prevention and detection rules.
Microsoft Defender for Office 365
The first product I am going to take a look at is Microsoft Defender for Office 365.
This is the product that protects Office 365 apps and data - email, Teams, Share Point online, One Drive.
Many organizations are today using Office 365 for their email platform, but they still use 3rd party email security gateways in-front of the Office 365 cloud. Some example services are Mimecast, Cisco Cloud Email Security, Symantec Email Security Cloud, etc.
While these platforms provide great security and functionality, this usually comes at a cost: expensive setup costs, non-trivial and expensive licensing models - consisting of multiple addons for functionalities such as message encryption, DLP or SIEM integration, and hard and expensive upskilling to avoid the "set-and-forget" situation of the tool.
Don't get me wrong, setting this up correctly still requires an experienced engineer with skills both in email security and the Microsoft Defender 365 platform, but it is an order of magnitude faster to set up when you're already using Office 365.
The platform capabilities can be summed as:
Protecting your email system at the edge of the Microsoft Office 365 infrastructure, leveraging all security intelligence available to the cloud to protect against:
Known bad email server
Known bad domains
Unknown threats - based on anomalous behavior of sending servers and domains
Protecting your email system against basic and advanced spoofing attacks by:
Detecting account compromise of sender
Verifying sending server identity - DKIM,DMARC,SPF, ARC
Using spoof intelligence to detect who is spoofing you and should that be allowed
Detecting bulk emails and qualifying them as SPAM or marketing
Detecting user and domain impersonation
Protecting against malicious or suspicious email content by:
Utilizing multiple AV engines to detect known bad files
Blocking files by type
Sandboxing unknown files to qualify them as malicious or benign
Detonating URL links to determine if they are malicious
Using multiple ML models to detect advanced multi-staged attacks
Using predefined and custom Information classifiers to detect and prevent infiltration of sensitive data (DLP)
Post delivery protection
Protecting you against unknown threats after message delivery by:
Retroactively searching and purging emails and attachments that have been qualified as malicious post delivery
URL rewriting in emails and attachments to prevent visiting malicious sites - such that are weaponized post delivery, while being benign at delivery time
As part of the unified portal, there is an Alert and Incident dashboard, Reporting module with multiple customizable canned reports, an easy to use Explorer - where each email can be tracked, analyzed and qualified by security admins, a query center - where threat hunting can be done and a Threat Analytics dashboard that provides threat intelligence of recent and ongoing threat campaigns and the impact of the organization
There are other very cool features part of the platform:
The Report Message Add-in by Microsoft
The Attack Simulation Training Module
Secure Posture Analyzer
The Report Message Add-in is an Outlook Add-in that works for all Outlook clients (web, desktop app, mobile app) and provides the functionality of end users to directly report messages as SPAM, Phishing or Not-Spam. This report encapsulates all the details of the message and can be submitted both to internal security teams and Microsoft security for analysis and improvement of the security system. No more email forwarding, back-and-forth communication trying to get users to send the original email as attachment, and spending time logging tickets.
The Attack Simulation Training allows for creating of one off and scheduled email phishing campaigns with tons of canned templates. The biggest benefit as compared to other platforms is the integration with the user security signals already present in the platform, which gives you an idea of repeated offenders and the actual impact of an offending user.
If your organization is into such kind of trainings (its controversial really) this is an amazing addition.
The Secure Posture analyzer helps maintain your policy configuration up to date with evolving protections and newly introduced features. It also provides visibility of user settings that override best practices and provides suggestions for remediating it.
Note: I will look at the advanced DLP and Email Encryption features as part of the Microsoft Information Protection features included in the E5 license.
Cost and efficiency improvement
What is the actual cost saving if you already have Microsoft E5 license, but are using an external email security platform? It really depends on the features, but list price for many vendors range like this:
Standard email protection package (Antivirus, Anti Spam): 2$-3$ per user per month
Advanced features addons(Sandboxing, URL detonation, Retroactive detections): 3$-5$ per user per month
Phishing Awareness Training: This ranges between 1$ and 5$ per user per month, as vendors are usually bundling these with features normally present in the email security gateway.
A calculation (taking average prices excluding advanced DLP and Email Encryption) shows that a medium sized organization of 500 users could save ~45000$ a year by making use of the security features included in their E5 license . And if you don't have any Microsoft Security license, it will still cost you less - ~30000 to get the Microsoft Defender for Office P2 plan.
In terms of effort efficiencies, it really depends on your current process and other toolset, but if utilizing all security features of Microsoft Defender 365, there is a significant security operations effort reduction for ingesting, analyzing data and responding to security incidents.
In the next post, I will cover the Microsoft Defender for Endpoint next generation Antimalware and EDR solution part of the E5 license.
if you need help with making use of your E5 license, or you want to generally adopt a strategy of platform security, rather than point security solutions, you can always reach us at firstname.lastname@example.org