Jul 2024
Top Five E5 Security features you aren’t using
We see a lot of organisations move to M365 E5 for the extra security features, but they stop after Defender for Endpoint, Defender for Office 365, and the extra identity security in Entra ID. E5 comes with a swathe of security features that can greatly enhance your security posture, but these often go unused because many businesses simply don’t realise they have access to them.
Lead Solutions Architect: Security
That’s where we come in; here are the five E5 security features we regularly see go unused.
Microsoft Defender for Cloud Apps (MDCA)
MDCA is a ‘Cloud Access Security Broker’ (CASB), a Swiss-Army-knife of cloud security tools. Almost everything online today is part of the cloud, so where a web filter or secure web gateway controls what users can access in the cloud, a CASB focuses more on ‘how’ users interact with it (though it can control some of the ‘what’ as well).
MDCA has five main jobs:
- Shadow IT discovery and protection for the cloud: monitoring connections to non-work-related services and pairing this data with Defender for Endpoint to block access or apps that are outside your risk appetite.
- SaaS SSPM (Security Posture Management): connecting to other cloud apps to give greater visibility of configuration and use, as well as providing insight into what’s happening inside your M365 tenant by pulling data through the audit log to give security teams a quicker and clearer picture of any situation.
- Adaptive access control and threat protection: because MDCA can see what’s happening in M365 and all your connected cloud apps, you can use it to respond to threats or unwanted activity both statically and dynamically.
- Information protection: MDCA integrates with M365 Purview to extend your DLP capabilities. It can scan for sensitive files in connected SaaS apps and adds extra controls, such as blocking downloads of data or even stopping copy/paste of text from inside company documents when a personal device is in use.
- App governance: Users can grant apps access to their M365 account to improve productivity, enable task automation and generally make their lives easier. This can be as simple as choosing to use a work account to sign into a service, or it can be more advanced like connecting your Outlook to a project management tool that can manage appointments for you.
In a world of increased ‘as-a-service’ technology, Defender for Cloud Apps fills a critical niche. With so many features, it can seem overwhelming, but MDCA can be initially deployed in a monitoring mode, letting you collect the data you need to decide which policies and controls are right for you.
Licensing options: Also available as a standalone add-on license, billed per user.
Microsoft Defender for Identity
Many organisations still use Microsoft Active Directory (AD) as their on-premises directory service. AD is responsible for tracking and granting user access to resources across the environment, making it a critical component of their IT operations that needs to be protected as such. But, as a legacy solution, it doesn’t come with any capabilities for monitoring suspicious or malicious user activity, creating a significant security gap for organisations that still rely on AD.
Microsoft Defender for Identity (MDI) fills this gap by extending the user analytics and monitoring capabilities in Azure and M365 into AD. Agents are deployed to each of your Domain Controllers and monitor the event logs, network traffic and user authentications to look for suspicious or unusual patterns. Additionally, MDI looks for known threats to Active Directory such as Kerberoasting and credential replay attacks, providing additional insights that are tricky to detect without dedicated technology like SIEM tools.
Deploying MDI is a phased process. First you size up the environment to make sure your Domain Controllers have the right configuration and enough resources to support MDI. After making any necessary adjustments, you configure the service and deploy the agents. MDI then sits in a ‘learning period’ for 30 days so it can figure out what ‘normal’ authentication activity looks like for your environment before switching on its alerting. This can be customised, and some threats will be alerted on immediately, but it’s worth leaving it to learn for the month so you get fewer false positives when it’s ready to go. After that, simply leave it to do its job. Because MDI is part of the wider Microsoft Defender suite, the user activity from AD feeds back into the other tools, so a risky user in AD becomes a risky user in M365, and your other controls and tools can kick in to take action.
It’s worth noting that MDI replaces an older on-premises solution named Microsoft Advanced Threat Analytics (ATA) which is in extended support and will officially reach end of life in January 2026. MDI does all of the same things as ATA, plus adds in all of the power of cloud analytics and extra data from the Defender suite, so if you’re still running ATA, now is the time to move to MDI!
Licensing options: Also available as a standalone add-on license, billed per user.
Attack Simulation
Phishing attacks account for a substantial number of breaches because they target people, bypassing technical controls. Spam filters get better every day, but it’s a constant arms race between the good technology and the bad actors, so malicious mail can, and does, slip through. This is why end-user training is so important: training your users on how to spot and report phishing attempts is a key component of any defence-in-depth strategy. But how do you know your training is working?
E5 licences include Attack Simulation Training, allowing you to create your own phishing campaigns to test user awareness. You can choose the type of simulation (adverts for discounts, financial emails, etc.), the users to test (some departments and personnel are at higher risk of being phished than others), and the type of attack (link to malware, credential harvesting). Once it’s ready, you run the simulation to start sending emails to users, and you’ll be able to see the exact types of attacks your users handle well, and where there are gaps.
You can also link your phishing simulation to actual training material, whether that’s Microsoft-provided training courses, or your own custom in-house training material if available. Users can even be directed to the training immediately upon falling for the simulation, enabling near real-time education of the risks. This can all be automated, meaning you receive ongoing feedback over the course of your subscription, ensuring a standard level of vigilance across the organisation.
The results of your simulation and the training are all captured in the Security dashboard, giving you actionable metrics to work off. If you run multiple campaigns over time then it can also show you trends, so you can refine your training material and measure its effect.
Regular phishing simulations educate employees and create a culture of security awareness, which is crucial for long-term organisational resilience against social engineering attacks. Regular usage does require someone to keep an eye on the campaign outcomes, respond to the feedback, and ensure training is available (and followed), so this tool is best paired with a dedicated security function that can keep on top of it. But even if used just for a one-off campaign now and then, Defender’s Attack Simulation provides a simple, cost-effective way of making sure you stay secure beyond just your technical controls.
Licensing options: Also available under the Defender for Office 365 P2 license, billed per user.
Microsoft Purview Insider Risk Management
The solutions so far have focused on external threats: attackers compromising user accounts through phishing emails and malicious apps. But risks are also introduced internally, through inappropriate, unauthorised, or unethical behaviour and actions by users in your organisation. These behaviours cover a broad range of internal risks from users:
- Leaks of sensitive data and data spillage
- Confidentiality violations
- Intellectual property (IP) theft
- Fraud
- Insider trading
- Regulatory compliance violations
The tools that stop bad actors getting in aren’t effective in dealing with these sorts of threats. Microsoft Purview Insider Risk Management seeks to solve this problem by monitoring user behaviours across M365 and assigning an insider risk score (which you can tune for your organisation) that you can then configure policies to act against. You can also create situational policies, such as data leak protection that activates for departing users.
More recently, Insider Risk Management introduced adaptive protection, which will dynamically enforce controls in addition to any static policies you may have defined, providing automated protection alongside manual controls. For extra visibility, Purview can even be connected directly to well-known HR systems, meaning your security policies can be enacted by HR workflows, without the team ever needing to be directly involved. Insider Risk Management itself can be deployed in an audit mode too, where it can give you its impressions on your insider risk level, without taking any action.
Of particular note is the ‘Forensic Evidence’ feature, which requires an agent installed on endpoints but allows recordings of device activity to be captured. This can provide additional context when investigating an insider threat, helping validate whether a threat is truly present.
At the risk of being too Orwellian, Purview does balance organisational risk with user privacy, as user information in the system is pseudonymised by default. This means identifiable information like username or email address is replaced with non-personal identifiers like “ANON2340” when looking in the Purview dashboard. The true user information can be accessed, but only following pre-defined approval procedures and being granted the necessary permissions. Similar controls are in place for the Forensic Evidence feature, which requires dual authorisation before a policy can be implemented, so no individual can abuse the system.
Adopting something like Insider Risk Management may seem daunting given the privacy considerations. But, by implementing it correctly, user privacy can be protected, and you will get valuable insights and forewarning about threats to your environment that few other tools can deliver.
Licensing options: Also available under the M365 E5 Compliance Suite add-on, billed per user.
Microsoft Purview AI Hub
Microsoft brings out new things all the time, and the ‘AI Hub’ is one of those things. We’re cheating the title of this article slightly, as right now this feature should be accessible to E3 and E5 users. However, AI Hub is still in preview at the moment, meaning licensing could change in the future. Should licensing change, E5 tends to keep more of the features, so there’s a bit more assurance there.
The AI Hub is intended as a central location from which you can proactively monitor AI usage and quickly secure data for/from AI apps like Copilot, ChatGPT, Google Bard and many more. A full list is maintained here: https://learn.microsoft.com/en-gb/purview/ai-microsoft-purview-supported-sites. It takes a bit of configuring, requiring the deployment of a browser extension and the Purview endpoint agent to collect the required data, but once this is done you can start auditing AI usage across the environment. The data here can be fed back into other M365 security tools, such as Insider Risk Management and DLP policies, so not only do you get visibility, but you can implement or extend your security policies to prevent misuse of AI services and wrap your existing governance around the use of AI LLMs. Purview even has native support for Microsoft Copilot, allowing you to apply controls like data classification and communication compliance policies to users’ interactions.
AI is a particularly hot topic at the moment, and its usage is outpacing the security controls applied to it. Organisations have to balance the need to be innovative with the need to be safe and responsible, and the AI Hub provides a means of doing this.
Are you maximising the security (and other) features in your 365 environment? It can be difficult to know where to start, but our experts can help you understand your current position, carry out gap analysis and configure the right solution for you. Get in touch at dan.morrison@waterstons.com to find out how.
If you want ongoing insight into Microsoft 365, the changes within it and how you can make the most of the tools available, join our Couch to 365 Community here: Couch To 365