Defense in Depth for Microsoft 365

Do you need a defense-in-depth strategy for Microsoft 365?

MS 365, the new name for Office 365, Microsoft’s cloud-based office productivity suite, serves more than three-quarters of the business email users in the U.S., according to analysts,[1] and with more employees telecommuting and conducting business from home due to the COVID-19 pandemic, corporate reliance on email is only going to grow.

It is this ubiquity, however, that also makes email the most frequent target for malicious actors and the starting point for 94 percent of all cyber attacks.[2] Not coincidentally, Microsoft is the no. 1 spoofed brand.[3]

Keenly aware of all this, Microsoft provides a robust set security tools for MS 365. So why should you consider investing in additional third-party tools to build out a defense-in-depth strategy for the office suite? The answer has to do with the inevitable gaps in Microsoft’s sprawling native defense system. I’ll describe some of those here—and you can find out more about MS 365 security gaps and how to close them at Mimecast’s Cyber Resilience Summit, which takes place online June 23-24, 2020. Register here.

Extensive Native Security

The security mechanisms built into MS 365 are extensive. In some cases, they exceed the security controls found at many companies on-premises data centers. Native threat protection for Microsoft Outlook, for instance, goes beyond spam, viruses and malware to include:

• A feature called Safe Attachments, which uses sandboxing to provide protection against previously unidentified threats.
• Real-time protection that identifies and blocks malicious URLS.
• Robust URL tracking and reporting that lets organizations identify who in their ranks is being targeted by malware, which emails have been blocked due to a potential threat and the source of any malicious URLs.

Microsoft also helps businesses thwart man-in-the-middle attacks, wiretaps and other types of data interception by letting their users send and receive encrypted data. To limit the actions that users can perform when sharing company data, corporate security professionals can apply custom policies to the encryption. They do this via Microsoft Azure’s Rights Management Service (RMS), which is included with MS 365.

The potential snag here is that in order to use the cloud-oriented Azure RMS, Microsoft’s on-premises Active Directory RMS first needs to be migrated to Azure. This can be a roadblock for large enterprises that work with a lot of business partners, since in order to share encrypted files with these organizations, they must also migrate to Azure.

There are other limitations to MS Office’s security features that expose business users to a variety of different risks. Some of the more important ones include:

Limited app discovery and risk assessment. End-users tend to blindly grant permissions when prompted by third-party applications, without regard to the potential risk. Although Microsoft’s Cloud App Security function keeps tabs on and assesses the security risks associated with over 16,000 cloud apps, the version included in MS 365 only tracks around 750 of these.[4] Corporate IT remains blind to how users are utilizing and what data they’re sharing with any cloud apps that fall outside this relatively small assortment.

Limited DLP capabilities. Protecting customer data is a top priority at most businesses today. MS 365’s data-loss prevention solution, however, is only available to businesses with an E3 subscription and above. This leaves those—mostly smaller—businesses that have opted for a more affordable MS 365 subscription without data leak protection.

Limited threat and anomaly detection. In a similar vein, Microsoft only provides its advanced threat management services to MS 365 customers with an E5 subscription. Those with lower subscription levels only receive basic mail filtering and anti-malware tools.

Limited backup and recovery. Using OneDrive for Business, MS 365 customers can restore damaged files, but only for up to 30 days and only for files that were stored on OneDrive. Other MS 365 services are not covered by even this limited recovery capability.

Defense in Depth

Which brings us to defense in depth, a layered approach to cyber security that, when used in conjunction with MS 365’s already robust native security components, can plug holes and compensate (to a degree) for end-user negligence when conducting business via email.

Under a DiD strategy, if one defense fails, another is used to fill the breach. By integrating different protective mechanisms from different vendors, the DiD model eliminates security gaps that threats can fall through.

Some of the more important elements of a defense in depth strategy include:

Network security controls are the first line of defense when securing a network is analyzing its traffic. Firewalls block access based on a set of security rules derived in part from this analysis. Intrusion protection systems can work in tandem with a firewall to identify potential threats, also based on this analysis.

Anti-malware guards against viruses and other forms of malware. The best of these programs go beyond signature-based detection and include heuristic features that scan for suspicious patterns and activity.

Data integrity analysis software uses a file’s checksum to verify its source and frequency of use, in order to spot any discrepancies. Incoming files that are completely unique to the system can be flagged as suspicious. Likewise, data integrity solutions can also check the source IP address to ensure that it is both known and trusted.

Behavioral analysis software is the belt to the DiD suspenders. When the firewall or intrusion protection solutions have failed, behavioral analysis picks up the slack and can either send alerts or execute automatic controls to halt a breach in progress. But for behavioral analysis to work effectively, organizations need to establish a baseline for "normal" behavior.

The Bottom Line

MS 365 offers businesses a powerful set of productivity apps, including a user-friendly email platform with some good security features. Businesses, however, should be aware of the gaps in the security coverage provided by Microsoft and compensate accordingly. A comprehensive way to do this is by adopting a defense-in-depth security strategy and employing a range of trusted third-party security solutions.

[1] “Understanding Office 365 Security Concerns,” Osterman Research

[2] “2019 Data Breach Investigations Report,” Verizon

[3] “Phishing Activity Trends Report,” AntiPhishing Working Group

[4] “What are the differences between Microsoft Cloud App Security and Office 365 Cloud App Security?,” Microsoft