Secure Modern Workplace with Microsoft 365 Advanced Threat Protection
I decided to write a blog post about Microsoft 365 Advanced Threat Protection and how to think of security when planning how to secure Modern Workplace. The whole thing started when I noticed that organizations fail to get the big picture when it comes to the security side of the modern workplace.
When you start thinking about the modern workplace, you naturally start thinking about Office 365 and all the collaboration tools available like SharePoint Online and Microsoft Teams. Then you quickly realize that Azure Active Directory is the identity and access management arm of Office 365, and you might o need to sync your users to Azure AD.
The next thing you find is that people start to download all these new Office 365 mobile apps like Microsoft Planner, Microsoft Teams, OneDrive, and you want a way to protect corporate data on mobile devices, which what Microsoft Intune Mobile Management can help you with. This is where EMS or Enterprise Mobility and Security services from Microsoft is here to help you with. It helps you manage and protect your existing Office 365 investments.
And finally, Windows 10 is your operations system choice as it provides many security features like BitLocker , Windows Defender and VBS which stands for Virtualized Based Security like Credential Guard and Device Guard.
So together, Office 365, EMS and Windows 10 are offered as Microsoft 365, and the story does not end here. If you are worried about security and your business cannot afford being hacked due to a security incident, then Microsoft 365 offers a lot of services for you to secure modern workplace. Office 365 can be extended to include Office 365 ATP service to handle zero day attacks.
EMS can be extended to provide a lot of services like PIM or Privileged Identity Management, a highly recommended product that provides just in time access (JIT) for admins. There is also an Identity Protection service to evaluate user and session risk levels, and there is Microsoft Cloud App Security service and also Azure ATP.
From the Windows 10 side, you can use Windows Defender Advanced Threat Protection which operates as an endpoint detect and response solution.
It is worth mentioning that all these advanced security features are offered under the E5 licenses of Microsoft 365.
Microsoft 365 Advanced Threat Protection
To understand how to secure modern workplace, let us focus on the advanced threat protection solutions in Microsoft 365. Microsoft 365 Advanced Threat Protection services provide complete solution that covers devices, email and SharePoint, and corporate identities. Windows ATP is a threat protection service to protection Windows devices, Office 365 ATP is a threat protection service for Office 365, and Azure ATP is a threat protection for on-premises identities. If your business is running completely without on-premises domain controllers, then you might want to consider Microsoft Cloud App Security and Microsoft Identity Protection to detect anomalies for authentications happening int he cloud.
Secure modern workplace is a key part of any modern workplace implementation. The Microsoft 365 advanced threat protection capabilities provide an integrated experience. I like to think of Office 365 ATP as the first line of defense, as most attacks come in the form of phishing email or an infected email attachment. If the attack bypass Office 365 ATP or the attack did not come from email for example, then Windows ATP is the next level of protection. If the attack bypass both protection services, or it did not pass through them, then Azure ATP can help detect the existence of attack by observing unusual behaviors and privilege escalations.
What is unique with Microsoft 365 advanced threat protection offering, is the level of integration between these products. If an attack is in a form of malicious attachment was not detected by Office 365 ATP, then Windows ATP can detect that this attachment is in fact a malicious code that is trying to do bad things on the Windows device. Not only that Windows ATP can detect and stop the attack from happening on that machine, but it will send the attachment file information to Office 365 ATP asking it to block this file in the future, and to find out who received the same attachment in the enterprise, and to go and delete the attachment from other recipients’ mailbox.
Office 365 ATP
Let us talk about Office 365 ATP and how it helps secure modern workplace. Office 365 ATP helps protecting your organization from malicious attacks by:
- Scanning email attachments with ATP Safe Attachments feature.
- And scanning web addresses or URLs in email messages and office documents with ATP safe Links feature
Even if the URL inside an email message is pointing to a document to evade detection, Office 365 ATP will take that document and send it to ATP safe attachment if you configure the service to do so.
Office 365 ATP works with email messages and with SharePoint Online and OneDrive for Business, so files you upload there will be inspected with safe attachments.
Office 365 ATP can also check email messages for unauthorized spoofing with Spoof Intelligence Feature, and can defect when someone attempts to impersonate your users with ATP Anti-Phishing Capabilities in Office 365.
Office 365 ATP is a must to have feature for any enterprise or business that is using Office 365, and it is part of the Office 365 E5 licenses or it can be purchased alone. You do not even need to do complex configurations to make all this magic happen, it is so simple to configure, and the business benefits are definitely high.
Windows Defender ATP
Let us talk about Windows Defender ATP and how it helps secure modern workplace. Windows Defender and Windows Defender ATP provide a complete solution to protect your Windows endpoints. We have Windows Defender Smart Screen, Windows Defender Endpoint Protection, and Windows Defender Endpoint Detection and Response.
With Windows Smart Screen, you can block low reputation web downloads and malicious websites, so if a user accidentally or intentionally browse to a malicious website, you can block that website to protect your users. Same applies for web downloads.
Windows Defender Endpoint from the other side, will help protect your Windows box from malicious programs and quickly terminate bad processes.
The extra step that I want to focus on in this article is the Windows Defender Endpoint Detection and Response, which helps you in detection and remediation. It is an after execution solution to monitor post breach signals, and then do what ever actions needed to remediate and reverse the damage. It is like there is someone watching if there is unusual behaviors happening on the machine that might be related to a breach, and then taking actions to stop and block that attack before further damage happens.
And the new way of defending against attacks is by utilizing the power of the cloud. Microsoft Intelligent Security Graph provides rich signals from vast security intelligence, machine learning and behavioral analytics that Microsoft allows you to consume and use to enhance your protection and detection speeds.
So when Windows Defender encounters a new file (It does not know if it is bad or good file), it sends a file query to the cloud (only meta data about the file). If the cloud knows about this file, it provides a feedback to the endpoint, else it asks for a sample.
The client holds the file and uploads a sample to the cloud. The cloud services processes the sample and checks against machine learning classifiers, trying to find out if this is malicious file. If the file turns out to be malicious, it generates a new signature for that file and sends it back to the client along with all other clients, so that when they encounter this file, they know already it is malicious file and block it immediately without the need to consult the cloud all over again.
And you might be asking, does this mean the client needs to consult the cloud and wait for an answer, and what if there is no internet connection at that time?
Well, here is how things are designed. Each Windows Defender client has local machine learning models, and behavior-based detection algorithms, so that it can use all that logic offline and without consulting the cloud. This operation takes only milliseconds.
The client can consult the cloud services by sending only metadata so that the cloud can use metadata based machine learning models to determine if the file is malicious or not. This only takes milliseconds.
If the cloud requested a sample, then sample analysis based machine learning models are used in the cloud which might takes seconds.
In certain scenarios, detonation based machine learning models can be invoked which might take minutes, and big data analysis can take up to hours.
It makes no sense that the client waits for hours for the cloud to get an answer back. In fact, the client will wait and hold the file for milliseconds only. If the file is infected and the cloud could not determine it is a bad file in seconds, the client will allow that file to run. In the background, the cloud continues working and analyzing and might do detonation based ML models and big data analysis to get the truth about that file, so other clients can be notified and updated, although we lost patient zero in the process.
Here is a great poster that lists all Windows Defender ATP features. Windows Defender ATP can detect zero day attacks, and the most complex malware including polymorphic and metamorphic malware threats
Let us talk about Azure ATP and how it helps secure modern workplace. Azure Advanced Threat Protection (ATP) is a cloud service that helps protect your enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats. I have a lot of blog posts about Azure ATP which you can read to understand how it works.
The need for new Defense in Depth
Do you remember back then you all your important assets are protected by top of art firewalls, IDS IPS devices and even VPN access controls in place. You simply have full control on the network, switches, and what users are allowed to access.
But now companies are moving gradually to the cloud, whether it is Office 365, Azure services or any other SaaS application. And they are doing that from the public internet that you do not control over. And since these cloud services are available from the internet, then users can do that from anywhere and using any device. That means it is time to think of a new defense in depth techniques as traditional security perimeters are no longer effective alone.
I like to think of defense in depth from the perspective of four entities. You have a user (or identity) who is using a device, to access an application, and read or consume data.
Any defense in depth technique in this “cloud first mobile first” world we are living in, should provide identity and access controls to all of those four entities.
It starts with an identity or user. The risks we are trying to mitigate here is compromised identities or stolen credentials. Our defense techniques at the identity level can be implementing Azure ATP to detect identity unusual behaviors, Azure Identity protection to assign a risk to users and sessions, and implementing Azure MFA to provide stronger authentication.
Let me add something here about Azure Identity Protection. If your users are authenticating to Office 365 for example or any applications that is using Azure AD for authentication, then Azure Identity Protection worth your time and money. It detects and blocks, TOR web browsers, Impossible Travel, Leaked Credentials, and botnet infected devices. Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your organization’s identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other conditional access controls provided by Azure Active Directory and EMS, can either automatically block or initiate adaptive remediation actions including password resets and multi-factor authentication enforcement.
Azure MFA (multi-factor authentication) is one of the highly recommended security measure to consider when planning your overall security solutions. You can combine MFA with Azure Conditional Access to set conditions to control when an MFA is required. For example, you can say that if someone is trying to access corporate email from outside corporate network, then MFA should be performed. This highly helped mitigate the risk if phishing emails trick users to click on suspicious hyperlinks. Azure MFA is by far one of the important measures that you should consider during the process.
Next we have the device the user is using. Here we have many management and security solutions like System Center Configuration Manager, Microsoft Intune MDM and MAM policies, and even an hybrid management model where a Windows device can be managed using SCCM and Intune at the same time. Windows 10 devices can now be joined to Azure AD and managed by Microsoft Intune, which provides a new security and management offering from Microsoft along with Windows Hello for Business for stronger authentication. And finally Windows Defender ATP can be used to protect the endpoint as explained earlier.
Now that we have a user who is using a device to access your applications, if these applications are using Azure AD for single sign-on, then you can use Azure AD conditional Access as your first identity based cloud firewall. Here you can specify conditions like : who are the users trying to connect, and what applications they want to access. What is the compliance state of the devices they are connecting from, are they connecting from inside your corporate network? And what is the risk score for that user? All those conditions can help you decide whether you want to allow access, deny access, require the user to do MFA, or event limit access to the application. A good example could be the ability to prevent users to download documents from SharePoint online if they are connecting from a non domain joined device.
Azure AD can do more here, as it can help you to do SSO with many SaaS applications, and it helps you deploy an effective Self Service Password Reset capability to your users, so that they can reset their own passwords, and do group management and register for MFA.
Another layer of security here is Microsoft Cloud App Security or CAS, which helps you detect shadow IT inside your organization, and apply policies for data control when accessing SaaS applications. Microsoft CAS is your application layer security and there are a lot to say about CAS that I urge you to consider when planning your security.
At the data layer, we have DLP for Office 365, mobile app policies with Intune, Azure Information Protection for labeling, classifying and protection documents and files, so that even if the document got leaked, it is already protected and encrypted with Azure Information Protection.
I also urge you to look at Office 365 Secure Score , which will help you tune the configuration of your office 365 deployment to enhance you security score. Office 365 Threat Explorer is also something worth looking at, as it cluster attacks into campaigns and gives security administrators the ability to do actions right from within the threat explorer console.
Download the PowerPoint
I am making the PowerPoint slides available at SlideShare here. The slides contains FULL narration (script) so that you can use it do your own presentation very quickly. Remember that the slides are subject to “Creative Commons Attribution-NonCommercial-ShareAlike” license.
In this webinar, I will introduce you to Microsoft 365’s threat protection services and demonstrate how Microsoft 365’s threat protection leverages strength of signal, integration, machine learning and AI to help secure modern workplace from a advanced persistent threats or APT.