Understanding Microsoft 365 Security & Compliance

Microsoft 365 is the cornerstone of business communication worldwide, containing invaluable intellectual property and business-critical applications. It is vital to understand the threats to this landscape and how to mitigate the risks with native security and monitoring tools. In this blog, we will take a deeper look at these challenges, some steps you can take today to ensure these assets are protected, and some of the potential risks accepted by not acting. Lastly, we’ll cover how Veeam’s backup service can help with Microsoft 365 compliance needs.

Understanding the Threat Landscape

Any attack a business faces can generally be divided into three categories: people, processes, and technology. The most devastating attacks a company will face are a combination of these categories.

People

The human element in security is arguably the most complicated control to predict and takes the most effort to protect. The important thing to keep in mind about the human element is that people have a job to do. People will often take the easiest path to do their job to stay efficient and on task. If a policy or procedure is difficult and time-consuming, they will find an easier and likely less secure way to do their job.

Training is a key tool to mitigate this threat. Training needs to go beyond a yearly one-hour video with questions we all click through mindlessly. Information and training need to be provided often and in small, impactful chunks. A monthly security email should not only contain a refresher concept but something that pulls the reader in and makes them feel informed. This can be as simple as a tasteful comic centered around a security topic. The email should use bolded headlines and take no more than five to seven minutes to read.

Process

Policies are vital to consistency and efficiency in a business until they hinder work. If a policy creates so much overhead that an employee cannot get work done, or is not sensitive to their department’s needs, the policy has failed or will fail. To prevent this, take time to understand how business processes flow and what applications a department needs to function. Then start refining the security processes to secure, but not interrupt, this flow.

One of the most overlooked process failures is alert fatigue. If someone receives so many emails about non-business critical errors, it can become very easy to miss when something needs attention. This can be mitigated by tailoring alerts only to be emailed in high-risk cases and sending them to only the necessary stakeholders. Other alerts needing attention on a lower SLA should be sent to a ticket system or group-monitored dashboard.

Technology

Some of the most well-known attacks come from attacking the technology itself: Log4j, WannaCry and Y2K. These attacks are terrifying and get worse when you add in things like zero-day attacks, but we often overlook one of the most devastating technological faults — misconfiguration. This concept of “you don’t know what you don’t know” can leave your company open to an attack. Subsequently, technology can and will fail — have a backup plan. This backup plan can consider things like cloud outages, resilient backup data, and alternative forms of communication.

The perfect example of these threat vectors causing unintentional potential damage is enforcing periodic password reset. Having a policy that enforces password resets on a scheduled basis often leads users to create a system that leads to weaker passwords or to them writing their passwords down, making their accounts more vulnerable. Policies that only require password resets based on risky behavior and a two-way multifactor authentication help users create stronger passwords and lessen the likelihood of breaches.

Microsoft native Security and Compliance tools

When navigating through Microsoft administrative portals, you will find many subsections and features that will help you make your environment more secure. Security should be considered in every aspect of the environment, including software as a service. Both Veeam and Microsoft have signed the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design Pledge to build and deploy more security features into our software by default. Although there are many security features throughout the Microsoft 365 environment, you will find a large chunk of these controls in the Microsoft Defender and Purview portals.

Microsoft Defender

The Microsoft Defender admin portal contains many features and controls for securing and testing your environment. This portal is a key part of the Microsoft Defender XDR solution, which aims to help protect your environment from vulnerabilities and remediate after a breach. This protection plan lets you break up your environment into asset groups like email, endpoints, identity management, and applications.

Microsoft Purview

Many businesses must comply with some government body to secure and monitor the data they produce. The Microsoft Purview admin portal provides many tools to assist with these compliance concerns. Tools like Data Loss Prevention allow you to create tags that can be applied to content like emails or files. These tags can be applied automatically or manually and can prevent emails or files from leaving the company domain or zone. Audit is another tool that can be used to check actions and activities that happen in your tenant.

Security Best Practices

Security is an overwhelming topic, and it can be hard to know where to start. Microsoft Defender and Purview hold many of the tools you will need along the way, but to fully secure the environment, you must familiarize yourself with all the admin portals. Before diving directly into each admin portal, you will want to create a game plan and make some guiding principles. This will help unify your protection across these portals.

Principle of Least Privilege

The principle of least privilege is having enough privileges to do your job: no more, no less. There are a couple of core concepts to help mitigate over-provisioning privileges. Many of these concepts are based on identity and access management (IAM), which refers to who can access what. IAM happens in two processes: authentication and authorization. First, a user authenticates with a dedicated authentication authority. Then, once authenticated, the IAM data is queried to determine what that user is authorized to access. This is generally suitable for everyday users who need access to data and reports to do their job.

Admin accounts

Admin accounts present a unique risk in an organization known as an accepted risk. These accounts can be especially damaging to an organization if compromised. Extra policies and controls should be used to manage these accounts. The first is not to overlap user and admin accounts; if an account is being used to sign into your email, it should not have administrator permissions. Admin accounts should also have alerts configured to department stakeholders whenever they are used to log into a system. A feature offered in Microsoft Entra called Privileged Identity Management (PIM) allows time expirations and approval scopes for activating the administrative privileges on these accounts.

Preparing for an attack

Just like with anything, the more you prepare, the smoother your mitigation and recovery will be in an attack. The attacks businesses face today are much more sophisticated than they were 10 years ago, pivoting through an infrastructure and causing more damage along the way. Even the best-laid plans can fail, but untested plans are likely to fail.

To read more about preparing for a cyberattack, check out “The Cyber Battlefield: A Tactical Guide To Preparing For, Engaging in and Triumphing Over Cyberattacks.”

The Importance of Monitoring

Early detection and rapid response are the keys to ensuring data is protected, and damage is mitigated. It is important to monitor and alert action teams when there is an issue that needs to be corrected. It is equally important not to spam these teams where they get alert fatigue.

Having a tiered approach to issues based on priority can help ensure teams act within the appropriate SLA. For informational alerts, a dashboard for stakeholders keeps everyone up to date without spamming them. Issues that may not need immediate attention but still need to be addressed should be sent to a ticket system from which all stakeholders can work. When something is critical and has the immediate potential to take a system down, it should be sent out as an alert. These alerts, depending on the criticality, could include emails, SMS, and automated phone calls.

Break Glass Account

During a breach, an account might be taken over and locked out from the end user. When this happens to an admin account, it can leave you with no way back into your environment. This is where a “Break Glass Account” comes into play. This account has elevated permissions in the system but is never logged into unless there is a problem with the main accounts. To help secure this account, you can set up alerts to multiple stakeholders if this account is ever used. Additionally, this account may be excluded from conditional access policies so that it does not get locked out.
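The alerting described here and in the Admin accounts section above, as an added example that is not part of the original post or of any Veeam or Microsoft tooling: detection logic in Python over constructed sign-in records, mapping break-glass and admin-account sign-ins to the tiered alert channels the post recommends. The account names, the `adm-` naming prefix, the field names and the routing table are assumptions.

```python
from collections import Counter

# Constructed sample of Entra ID-style sign-in records (made-up values, not tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "breakglass@contoso.example", "status": {"errorCode": 0}, "isInteractive": True},
    {"userPrincipalName": "adm-jdoe@contoso.example", "status": {"errorCode": 0}, "isInteractive": True},
    {"userPrincipalName": "adm-jdoe@contoso.example", "status": {"errorCode": 50126}, "isInteractive": True},
    {"userPrincipalName": "adm-jdoe@contoso.example", "status": {"errorCode": 50126}, "isInteractive": True},
    {"userPrincipalName": "jdoe@contoso.example", "status": {"errorCode": 0}, "isInteractive": True},
]

BREAK_GLASS = {"breakglass@contoso.example"}  # assumption: the tenant's emergency account(s)
ADMIN_PREFIX = "adm-"                         # assumption: naming convention for admin accounts

# Tiered routing from the post: critical -> page people, medium -> ticket queue, info -> dashboard.
ROUTES = {"critical": ["email", "sms", "phone"], "medium": ["ticket"], "info": ["dashboard"]}


def classify(record):
    """Map one sign-in record to an alert tier, or None when no alert is warranted."""
    upn = record["userPrincipalName"].lower()
    succeeded = record["status"]["errorCode"] == 0
    if upn in BREAK_GLASS:
        return "critical"  # any use of the break-glass account, successful or not, pages stakeholders
    if upn.startswith(ADMIN_PREFIX) and record.get("isInteractive", False):
        # A successful admin sign-in is worth a ticket for stakeholders to review;
        # failed attempts go to the dashboard so repeated failures are visible without paging.
        return "medium" if succeeded else "info"
    return None  # everyday user sign-ins are not alerted on


def triage(records):
    """Collapse a batch into one alert per (account, tier) with a count, to limit alert fatigue,
    and attach the delivery channels for that tier."""
    counts = Counter()
    for rec in records:
        tier = classify(rec)
        if tier:
            counts[(rec["userPrincipalName"].lower(), tier)] += 1
    return [
        {"account": upn, "tier": tier, "count": n, "channels": ROUTES[tier]}
        for (upn, tier), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for alert in triage(SAMPLE_SIGNINS):
        print(alert)
```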

How To Stay Microsoft Compliant and How Veeam Can Help

Maintaining compliance within the Microsoft 365 environment is essential for several reasons. Firstly, compliance ensures that organizations adhere to legal and regulatory requirements, reducing the risk of fines, penalties, and legal repercussions. Secondly, compliance helps protect sensitive data from unauthorized access, breaches, and misuse, safeguarding the organization and its stakeholders. Finally, compliance fosters trust and confidence among customers, partners, and stakeholders, enhancing the organization’s reputation and competitive advantage in the market.

Given the critical importance of Microsoft 365 compliance, organizations must prioritize and invest in compliance measures. This includes implementing robust security controls, data protection mechanisms, and governance frameworks within the Microsoft 365 environment. It also involves regularly assessing and monitoring compliance posture, addressing gaps and vulnerabilities, and staying updated with evolving regulatory requirements and industry standards.

Ready to ensure compliance for your Microsoft 365 data? Request a custom demo of Veeam Data Cloud for Microsoft 365 today. Unveil the power of complete access, control, and protection of your data with the simplicity of a backup service! Check out the additional resources below!
