7 Ways to Harden and Secure Microsoft 365
1. Enable Secure Access for Users with Azure Active Directory MFA
2. Identify compromised identities or malicious insiders with Microsoft Defender for Identity
3. Protect and Encrypt Sensitive Data with Microsoft Information Protection
4. Manage and Protect Devices with Secure Score for Devices
5. Prevent Unauthorized Access and Sharing with Cloud App security
6. Secure your Email and Files with Microsoft 365 Rights Management Policies and Defender for Microsoft 365
7. Use Intelligent Insights and Guidance to Strengthen Your Organizational security posture with Microsoft Secure Score
Sponsored by CoreView
“How do we operate as a multi-tenant environment while, from Microsoft’s perspective, on a single tenant? CoreView brought all of that to the table with the V-tenant capabilities. We can slice and dice administration into functional areas. We can have user managers, Teams managers, Teams administrators, or security administrators. All of those functions and feature sets are critical to the solution we have today”
2. Agenda
• Zero Trust Model
• Understanding Microsoft Security Tools
• Harden Microsoft 365 & introduction to Secure Score
• Identity
• Devices
• Data
• Workloads
• Networks
• Even more with Partners
• CoreView Simplified Administration
3. Zero Trust – Security Strategy
There is no impermeable perimeter. It’s not a matter of if, but when…
ASSUME BREACH!
The Zero Trust framework is the pragmatic model for today’s hostile reality that includes a mindset, operating model, and architecture tuned to the threat.
• Explicit Verification of User & Device
• Least Privileged Access
• Automation & Intelligence
Credit: Forrester – Zero Trust Framework
"Every service request made by a user or machine is properly authenticated, authorized, and encrypted end-to-end."
4. Microsoft 365: A Path to Zero Trust and Secure Cloud Services
Microsoft has identified 12 key tasks to help security teams implement the most important security capabilities as quickly as possible with remote work in mind.
1. Enable Azure multi-factor authentication (MFA)
2. Protect against threats in Office 365
3. Configure Office 365 advanced threat protection
4. Configure Azure advanced threat protection
5. Turn on Microsoft Advanced Threat Protection
6. Configure Intune mobile app protection for phones and tablets
7. Configure MFA and conditional access for guests, including Intune mobile app protection
8. Enroll PCs into Device Management and require compliant PCs
9. Optimize your network for cloud connectivity
10. Train Users
11. Get started with Microsoft cloud app security
12. Monitor for threats and take action
6. Zero Trust pillars (diagram, based on the Forrester – Zero Trust Framework): Data (Files & Content); Identity (Accounts, Access, Authentication and Beyond); Workloads (SaaS, PaaS, and IaaS Clouds & Datacenters); Networks (From the Client to the Edge to the Service); Devices (Laptops, Desktops, Phones, everything in between); Insights & Automation (Visibility & Analytics).
8. MS Security Defender Decoder Ring
Old name -> New name (portal)
(no old name) -> Microsoft Secure Score (securescore.Microsoft.com)
Microsoft Threat Protection -> Microsoft Defender Security Center (security.microsoft.com)
Microsoft Defender Advanced Threat Protection -> Microsoft Defender for Endpoint (securitycenter.microsoft.com)
Office 365 Advanced Threat Protection -> Microsoft Defender for Office 365 (protection.microsoft.com)
Azure Advanced Threat Protection -> Microsoft Defender for Identity
Azure Security Center Standard Edition -> Azure Defender for Servers
Azure Security Center for IoT -> Azure Defender for IoT
Advanced Threat Protection for SQL -> Azure Defender for SQL
(no old name) -> Azure Sentinel (new)
(no old name) -> Compliance Center (compliance.Microsoft.com)
11. Identity
Secure access with MFA
Strong Passwords
Block legacy Auth
Password recommendations for Admins
• Maintain an 8-character minimum length requirement (longer isn't necessarily better)
• Don't require character composition requirements. For example, *&(^%$
• Don't require mandatory periodic password resets for user accounts
• Ban common passwords, to keep the most vulnerable passwords out of your system
• Enforce registration for multi-factor authentication
• Enable risk-based multi-factor authentication challenges
Recommendations for Users
• Avoid a password that is the same as or similar to one you use elsewhere
• Don't use a single word or common phrase
• Make passwords hard to guess: avoid names, birthdays of family, favorite bands, and phrases you like
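As an added example (not from the deck and not Microsoft's or CoreView's own material), the slide's "Secure access with MFA" and "Block legacy Auth" items expressed as two Conditional Access policies created with the Microsoft Graph PowerShell SDK. The break-glass account object ID is a placeholder, and both policies start in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: Conditional Access policies for the Identity slide.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account holds a role that can write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access account excluded from both policies
# so a misconfigured policy cannot lock every administrator out.
$breakGlassId = "<break-glass-account-object-id>"

# Policy 1: block legacy authentication. Exchange ActiveSync and "other" client
# app types cannot complete MFA, so leaving them allowed lets MFA be bypassed.
$blockLegacy = @{
    displayName   = "Block legacy authentication (added example)"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: require MFA for all users on all cloud apps from modern clients.
$requireMfa = @{
    displayName   = "Require MFA for all users (added example)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Check: list every Conditional Access policy with its current state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```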
15. Microsoft Information Protection: Protect your sensitive information—anytime, anywhere
https://azure.microsoft.com/en-us/services/information-protection/
20. Zero Trust pillars (diagram, based on the Forrester – Zero Trust Framework), here with Workloads shown as Exchange, Teams, SharePoint, OneDrive; the other pillars are unchanged: Data (Files & Content); Identity (Accounts, Access, Authentication and Beyond); Networks (From the Client to the Edge to the Service); Devices (Laptops, Desktops, Phones, everything in between); Insights & Automation (Visibility & Analytics).
21. Security & Compliance Capabilities Available Today
Capability: Description
Archive: Any content stored in any Teams-related workload needs to be preserved immutably.
Compliance Content search: Any content stored in any workload can be searched through rich filtering capabilities and exported to a specific container for compliance and litigation support.
eDiscovery – Messaging/Files: Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk.
Legal hold: When any team or individual is put on In-Place Hold or litigation hold, the hold is placed on both the primary and the archive messages (no edits or deletes).
Auditing and reporting: All Teams activities and business events must be captured and available for customer search and export.
Conditional Access and Intune MAM: Ensure that access to Microsoft Teams is restricted to devices that are compliant with IT Admin or Corporate Organization set policies and security rules, both for the Teams apps and the services it uses under the hood. Includes Mac support for Conditional Access as well.
Moderator support: The ability to have a moderator (owner of team) of a Team delete data from any user in the team that is inappropriate and mute users in a team/channel.
Windows Information Protection: Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps like MS Teams.
Allowed List of Apps: An Admin can control the list of 3P apps (bots, connectors, tabs) that can be used by end users within a tenant.
Retention / Preservation: Help organizations reduce the liabilities associated with messaging. The Customer can configure their tenant to retain data for a fixed period of time or retain it with unlimited storage for different Teams workloads.
eDiscovery – Calling/Meetings: Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk.
Data loss prevention (DLP): Identify any sensitive data stored or being transferred within or outside of the Customer Organization in Teams to intercept and prevent leakage for Files and Chat/Channel Messages.
Advanced Threat Protection: Support for safe files and safe links in Microsoft Teams to protect your organization from malicious attacks with the power of Office 365 Advanced Threat Protection.
Business Information Barriers: Prevent exchanges or communication that could lead to conflicts of interest (a.k.a. ethical walls).
Conversation/Chat Supervision: Supervision policies in Office 365 allow you to capture employee communications for examination by designated reviewers. You can define specific policies that capture internal and external email, Microsoft Teams, or 3rd-party communications in your organization.
22. Protect Against Messenger Threats In Office 365
All Office 365 / Microsoft 365 plans include a variety of threat protection features.
• Anti-malware protection
• Anti-phishing protection
• Anti-spam protection
• Safe links
• Safe attachments
• Threat Trackers
• Threat Explorers
• Attack Simulators
• Real Time Attack detection
Office 365 Message Encryption (OME) is an online service that's built on Microsoft Azure Rights Management.
BitLocker and Distributed Key Manager (DKM) for Encryption
Protect against threats in Office 365
Office 365 includes a variety of threat protection features. Here's a quick-start guide you can use as a checklist to make sure your threat protection features are set up for your organization.
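An added example, not from the deck: an Exchange Online PowerShell check that walks the tenant's Safe Links and Safe Attachments policies (two of the features listed above) and reports settings that leave a gap. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 license, and a check-only approach is my choice rather than anything the slide prescribes.

```powershell
# Added example: audit Safe Links / Safe Attachments policy settings.
# Assumes Connect-ExchangeOnline succeeds with an account that can read
# Defender for Office 365 policies (ExchangeOnlineManagement module).
Connect-ExchangeOnline

function Get-SafeLinksFindings {
    # A Safe Links policy should scan mail, Teams and Office clients, rewrite and
    # check URLs at click time, and not let users click through a warning page.
    Get-SafeLinksPolicy | ForEach-Object {
        $weak = @()
        if (-not $_.EnableSafeLinksForEmail)  { $weak += "email scanning off" }
        if (-not $_.EnableSafeLinksForTeams)  { $weak += "Teams scanning off" }
        if (-not $_.EnableSafeLinksForOffice) { $weak += "Office client scanning off" }
        if (-not $_.ScanUrls)                 { $weak += "real-time URL scan off" }
        if ($_.AllowClickThrough)             { $weak += "users may click through warnings" }
        [pscustomobject]@{ Policy = $_.Name; Findings = ($weak -join "; ") }
    }
}

function Get-SafeAttachmentFindings {
    # A Safe Attachments policy should be enabled and block (or dynamically deliver)
    # rather than merely monitor ("Allow") or "Replace" detonated malware.
    Get-SafeAttachmentPolicy | ForEach-Object {
        $weak = @()
        if (-not $_.Enable) { $weak += "policy disabled" }
        if ($_.Action -notin @("Block", "DynamicDelivery")) {
            $weak += "action is $($_.Action), not Block"
        }
        [pscustomobject]@{ Policy = $_.Name; Findings = ($weak -join "; ") }
    }
}

# A tenant with no policy at all is the most common gap: report that explicitly.
$links = @(Get-SafeLinksFindings)
$attach = @(Get-SafeAttachmentFindings)
if ($links.Count -eq 0)  { Write-Warning "No Safe Links policy exists in this tenant." }
if ($attach.Count -eq 0) { Write-Warning "No Safe Attachments policy exists in this tenant." }
$links  | Where-Object { $_.Findings } | Format-Table -AutoSize
$attach | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Policies that print no findings already match the slide's checklist; a policy is only effective for recipients covered by its rule, so confirm scope with Get-SafeLinksRule and Get-SafeAttachmentRule as well.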
27. Security Capabilities & Licensing
Utilizing our enterprise plans, Microsoft recommends you complete the tasks listed in the following table that apply to your service plan.
If, instead of purchasing a Microsoft 365 enterprise plan, you are combining subscriptions, note the following:
• Microsoft 365 E3 includes Enterprise Mobility + Security (EMS) E3 and Azure AD P1
• Microsoft 365 E5 includes EMS E5 and Azure AD P2
Microsoft’s 12 Steps for Zero Trust, by plan (All Office 365 Enterprise Plans, Microsoft 365 E3, Microsoft 365 E5):
1. Enable Azure Multi-factor Authentication (MFA)
2. Protect Against Workload Threats In Office 365
3. Configure Defender for Office 365 (Advanced Threat Protection)
4. Configure Defender for Azure (Advanced Threat Protection) (ATP)
5. Enable Notifications for Microsoft Defender Security Center
6. Configure Endpoint with Intune Mobile App Protection For Phones And Tablets
7. Configure MFA And Conditional Access For Guests, Including Intune Mobile App Protection
8. Enroll PCs Into Device Management And Require Compliant PCs
9. Optimize Your Network For Cloud Connectivity
10. Train Users
11. Get Started With Microsoft Cloud App Security
12. Monitor For Threats And Take Action
28. Harden Microsoft 365 and Azure
Networks and Infrastructure (Azure Defender): Azure Resource Protection (Azure Defender for Servers); Extended Detection Response (IoT, Multi-cloud, SQL); Secure Hybrid Workloads
Workloads (Microsoft Defender for Office 365): Threat Protection; Safe links, Safe Documents, Safe Attachments; Anti-spam, Anti-malware & Anti-phishing
Apps (Cloud App Security): API & App Log collection; Reverse proxy, Control & Visibility; Identify and combat cyberthreats
Devices (Microsoft Defender for Endpoint): Endpoint behavioral sensors; Cloud security analytics; Threat intelligence
Data (Microsoft Information Protection): Identify & Classify; Apply & Monitor Policies; Encrypt Sensitive Data
Identity (Azure Active Directory, Microsoft Defender for Identity): Secure access with MFA; Strong Passwords; Block legacy Auth
Microsoft 365 Defender (includes Exchange Online Protection and ATP 1 & 2), Azure Active Directory, Microsoft Defender for Endpoint (includes Intune & Secure Score for Devices), Microsoft Information Protection, Microsoft Defender for Identity, and Cloud App Security, Azure Defender, Azure Sentinel
Microsoft Defender Portal (Microsoft 365 Defender): Advanced Hunting; Incident Correlation; Rule Based Detection
29. Resources:
Microsoft 365 includes several ways to monitor status and take appropriate actions. Your best starting point is the Microsoft 365 Security Center, where you can view your organization's Microsoft Secure Score, and any alerts or entities that require your attention.
Get Started:
• Get Started With The Microsoft 365 Security Center
• Monitor And View Reports
• See The Security Portals In Microsoft 365
Get Started With Cloud App Security Now:
• QuickStart: Get started with Cloud App Security
• Get instantaneous behavioral analytics and anomaly detection
• Learn more about Microsoft Cloud App Security
• Review new features and capabilities
• See basic setup instructions
31. Are you getting everything you need from Microsoft in Security & Administration?
• No, I’m evaluating Security tools
• No, I’m evaluating Admin/Management tools
• I’m overwhelmed. Too much! Wish I had a tool to simplify all this
• Yes
33. SaaS, Mastered
CoreView is a SaaS management platform that protects, manages, and optimizes Microsoft 365 and other SaaS environments by augmenting and extending Microsoft Admin Center.
Protect | Manage | Optimize
35. SaaS, Mastered: Protect
• Limits Admin scope and delegates appropriate functions for M365 least privilege access
• Enriches and retains audit data, enhancing e-discovery
• Enforces identity and access configurations based on security recommendations
• Automates workflows, including deprovisioning of access
• Classifies and tags sensitive info
36. SaaS, Mastered: Manage
• Allows delegation of appropriate M365 Admin functions
• Automates workflows, including Hybrid agent to synchronize on-prem AD and Exchange with Azure AD and Exchange Online
• Controls M365 and other SaaS with actionable analytics
37. SaaS, Mastered: Optimize
• Manages M365 licenses and SaaS usage/payments intelligently
• Responsibly manages license costs with knowledge of Microsoft and SaaS services actually being used
• Drives adoption of desired applications with knowledge of what is actually being used, and then performs targeted email campaigns to encourage adoption and drive users to context-sensitive How-To video instruction
40. SaaS, Mastered
Office 365 Health Check
It’s Easy to Get Started:
• Login to Microsoft and consent to CoreView utilizing the Microsoft API to review your tenant
• (While there, we suggest reviewing who else has access!)
• CoreView will review your O365 account data against recommendations
• No passwords required
• No requirement to remove MFA
Complimentary checkup on your security settings compared to general recommendations
https://www.coreview.com/office-365-health-check-report/
41. Thank you!
Protect: Least privilege access to M365 and other SaaS; Enhanced e-discovery with enriched data; Security policies; Automated workflows; Document classification
Manage: Delegated administration for segregation of duties; Automated workflows; Actionable analytics
Optimize: License management and chargebacks; License consumption optimization; Workload adoption and proficiency
42. Next Steps!
• Find more on CoreView.com bit.ly/hardeninginfographic
• Download slides at slideshare.net/joeloleson
• Join us for the next webinar in this series in January!
• Join CoreView tomorrow for “8 Ways People are Your Biggest Threats to Office 365 Security” bit.ly/coreviewwebinar
Joel Oleson
Joel@joel365.com
Linkedin.com/in/joeloleson
Editor's Notes
All Office 365 plans include a variety of threat protection features. Bumping up protection for these features takes just a few minutes.
Anti-malware protection
Protection from malicious URLs and files
Anti-phishing protection
Anti-spam protection
See Protect against threats in Office 365 for guidance you can use as a starting point.
Microsoft Teams is a powerful hub for teamwork, whether you’re working at the office, on the road, or from home. It enables your team to work seamlessly together, integrating chat, calling, meetings, business process, task management and file collaboration.
Communities, on the other hand, connect with people across teams, and across the organization, to share knowledge and experience. In the past, Yammer and Teams were separate experiences, adding friction by requiring people to bounce back and forth between applications.
Today, you can add an important Yammer community to your team. Click “+” to add a tab, pick Yammer, and configure the community you want to display. For example, you can add a crisis response tab to your team, allowing you to follow and engage with conversations in the community without leaving your hub for teamwork.
Very soon, Microsoft will be releasing the new Yammer app for Teams, which will bring the new Yammer experience, in full fidelity, into Teams. This will give Teams customers a more powerful hub for teamwork that integrates their investments in Yammer. Stay tuned for more as we near the release of the Yammer app for Teams.
https://techcommunity.microsoft.com/t5/yammer-blog/keeping-employees-informed-and-engaged-during-difficult-times/ba-p/1216032
Thanks for meeting today, really appreciate you taking the time.
Let's talk a little bit about what CoreView is, and then get into seeing if it's a fit to help solve your problems.
Turning to what we actually do, here’s how to think about CoreView.
We’re a SaaS management platform that extends and augments Microsoft Admin Center, and other SaaS admin consoles, and we add value on top of them.
We certainly make it easier to manage things.
The big thing is, we add new functionality to do things you just can’t do in any other way, so you can solve really thorny, persistent problems.
And that’s across 3 areas: protecting your environment, managing it much more effectively on a day-to-day basis, and optimizing customer’s investment in M365 & SaaS. Thus, it means both getting people to use the right stuff, so you get the maximum value out of what you’ve already paid for, and not paying for stuff you don’t use.
So the first question you have is, well, how does it actually work?
This picture shows you the key functional elements of the CoreView system, and how they interact with your M365 tenant. And it works not just in the Azure cloud, but also in a hybrid environment, like yours, by synchronizing on-premises AD and Exchange.
As you can see, CoreView collects data from many sources. Then we process it, enrich it, store it, present it, and most importantly, allow you to act on it. That means you don't get just the hundreds of detailed reports to SEE what's going on, but also get to FIX everything that might be wrong.
There is common functionality that works across each of those Protect, Manage and Optimize wheelhouses.
First, with virtual tenants, you split your environment up into logical segments.
With role-based access control, operators are only allowed to do a very small set of actions on users and objects that fall within their scope of responsibility, which is tied to those virtual tenants. You can control to a very fine level who can do what limited set of actions on a limited set of items.
That action can be manual or automated with workflows.
We collect and enrich a ton of data, that is otherwise really time-consuming – and brittle – if you do it on your own. We have the tools to show you what matters about that data. So you see the most important things. And then you can take action on them.
And then knowing what users are using what, we can help you increase adoption of desired tools with adoption campaigns to only the users that need the help, not all users.
So we will get into those elements, but the most important thing isn’t the underlying technology, it’s what people DO with it. Let’s look at that next.
Starting with the goal of protecting your environment from security issues, there are 5 really popular ways that customers use CoreView.
Limiting what some admins can do, so you can delegate those limited rights to selected people, is a huge one.
And it is so much better than what Microsoft can do, because Microsoft groups various rights and permissions into predefined roles.
That's clumsy and limited.
But CoreView lets you select VERY granular rights and permissions on a per-user basis, so it's elegant, easy to use, and much more powerful.
CoreView takes data from many sources and enriches it with attributes from AD – so you have a name and a device tied to an action, not just an IP address, for example.
You'll see many customized recommendations to secure your environment, based on frameworks from CIS – the Center for Internet Security – and NIST. We can profile identity and access management configurations
And what good is all that configuration work if the wrong people still have access, like after they leave the organization? Why not automate the deprovisioning process, to ensure former employees, contractors, etc., no longer have access?
Another very powerful thing you can do is point CoreView at your content, and have it automatically classify and tag what info is in there – in office docs, emails, any repository! – so you comply with regulations and policies.
Now let's turn to another area.
Management of M365 environments has become more complex:
More employees, contractors, partners – now all remote with lots of personal devices
More applications and restful APIs between them
No longer behind the corporate firewall on the corporate network, now that perimeters have disappeared
And obviously the explosion of traffic, including video impacting the volume of traffic, and logs!
CoreView enables you to separate and divide and then simplify the administration of M365 environments, as it allows you to slice & dice the Global Admin role.
First by the *scope* of what can be administered, using virtual tenants.
And second by using RBAC to delegate the functions you want your operators to have – at a very granular level.
And then automate the workflows – like provisioning and deprovisioning users and processes – and synchronize those changes across hybrid environments – Azure AD as well as AD and Exchange on-prem.
Finally, the reporting is just amazing. It's extensive, and unlike home-grown stuff driven by PowerShell and PowerBI, it works at scale, and it works all the time.
And now, on to the third area.
Since you're spending a lot on your M365 and SaaS tools, why not get the most out of your investment? That's what we mean by optimize.
CoreView allows you to manage M365 & SaaS licenses – identify what's in use and set up license pools to allocate them by department, geo, whatever. That allows you to view allocations and all expenses per license pool, which is great for chargebacks.
And you’ll want to manage license costs, based on knowing what is actually being used, like which services of E3 and E5 licenses are being used versus what license is currently assigned. CoreView makes it extremely easy to get a handle on what you're using, and what you should be paying.
Once you know what people are using, there's bound to be software that is not the company standard. So you can set up Adoption campaigns – which are email campaigns specifically for the users who aren’t using the desired tools. That way they will start using them. And the emails can even point to a library of How-To videos that show the users exactly how to do what they need to do in each application. They're quick snippets of useful info – without pushing them to YouTube, where searching for help might result in a long, unrelated video that then rolls into a series of distractions like cat videos!
To start a Health Check, and see a detailed report of your settings compared against recommended settings, all you need to do is:
Log into Microsoft.com with your tenant admin account and consent to CoreView being able to use the Microsoft API
CoreView will then review your account data against recommendations.
As I said, no need to provide CoreView any login credentials, or for you to remove any MFA requirements.
When you go in to do this, this message is displayed:
In order to request your Office 365 Health Check, you will need to login as Tenant Admin on Microsoft side and grant consent to CoreView. We will never ask for your password; the authentication process is performed by Microsoft.
Fill out the request form below, we will immediately begin ingesting your Office 365 account data, and we will notify you when the report is ready.
Again, thanks for your time.
We are really looking forward to following up with _______ and _______, and seeing what the Health Check turns up!