Assume Breach: Where Microsoft 365 Business misses on Security (and how to fix it)
Alex Fields
Yeah yeah, we’ve all heard the sob story over Azure AD Premium before. I’m told things may be changing here in the near future, but assuming Conditional access falls into place soon, I believe Microsoft 365 Business would remain lacking when it comes to security.
The reason being, even with the mighty Office 365 ATP P1 included, we still only have coverage over the first half of a typical attacker kill chain. The second half is completely ignored. What am I talking about?
I have manipulated this graphic somewhat, but if any of you have been to a security presentation by Microsoft before, then you’ve probably seen some version of this slide. The deck is designed to sell E5, of course, but it illustrates a good point, too.
Where I have inserted a red dotted line in this image is basically at the point of breach. To the left of the dotted line we only attempt to prevent breach. To the right of the line, we are assuming breach–which gives us a much stronger posture and deeper visibility into our apps and data.
Everything I have been harping on you to do with your Office 365 or Microsoft 365 Business subscriptions lately speaks to which of these two models? Let’s review some examples:
- Turn on MFA
- Disable Basic auth
- Dial in the audit log
- Configure Office 365 ATP
- Configure Intune and enroll devices
- Enforce Conditional access policies
- Discover cloud apps and implement SSO
What do all of these have in common? In the words of the NIST framework, these steps will basically help you to Identify and Protect your resources, but they will not provide you with much in terms of Detect, Respond or Recover. So they are only mitigating risks up to the point of breach.
But these days, it is necessary to move beyond mere breach prevention; don’t just “hope” that you are safe. Why do you suppose the average time an attacker goes undetected on a network is still 150 days or more? Therefore, you need to ask the question:
“What if I am breached?”
Assume breach. That is the mantra you need to live by. And that means you want to be alerted when risky or suspicious events happen in the environment. How do you get there? Well, the audit log has data for you, but you are going to need to parse that data and surface the interesting events–the indicators of compromise.
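One way to do that parsing, as an added example that is not code from the original post: the script below reads records shaped like the AuditData JSON that the Exchange Online cmdlet Search-UnifiedAuditLog returns and flags four common indicators of compromise (a successful sign-in right after a run of failures from the same address, inbox rules that forward or delete mail, mailbox forwarding set with Set-Mailbox, and FullAccess delegation). The records, user names, addresses and the failed-sign-in threshold are constructed for the illustration, and the field names are an assumption about the AuditData schema rather than anything the post states.

```python
"""Surface indicators of compromise from Office 365 unified audit log records.

Added illustration, not code from the original post. Each record mirrors the
AuditData JSON column of an exported unified audit log (CreationTime,
Operation, UserId, ClientIP, ResultStatus, Parameters); the field names are an
assumption about that schema, and every record below is a constructed sample.
"""
import json
from collections import defaultdict

# Constructed sample records, serialized as they would appear in the AuditData
# column (not data from any real tenant).
SAMPLE_AUDIT_DATA = [json.dumps(r) for r in [
    {"CreationTime": "2019-06-03T02:11:04", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7", "ResultStatus": "Failed"},
    {"CreationTime": "2019-06-03T02:11:09", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7", "ResultStatus": "Failed"},
    {"CreationTime": "2019-06-03T02:11:15", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7", "ResultStatus": "Failed"},
    {"CreationTime": "2019-06-03T02:11:22", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7", "ResultStatus": "Success"},
    {"CreationTime": "2019-06-03T02:14:40", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7", "ResultStatus": "True",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "ForwardTo", "Value": "mailbox@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-06-03T02:15:02", "Operation": "Set-Mailbox",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7", "ResultStatus": "True",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:mailbox@external.example"}]},
    {"CreationTime": "2019-06-03T02:16:30", "Operation": "Add-MailboxPermission",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7", "ResultStatus": "True",
     "Parameters": [{"Name": "Identity", "Value": "alice"}, {"Name": "User", "Value": "bob"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    # Benign activity that the rules below must not flag.
    {"CreationTime": "2019-06-03T09:05:00", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.20", "ResultStatus": "True",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2019-06-03T09:10:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.20", "ResultStatus": "Success"},
]]

# Inbox-rule parameters that move mail out of the victim's sight (constructed threshold choices).
SUSPICIOUS_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
FAILED_LOGIN_THRESHOLD = 3


def params(record):
    """Flatten the Parameters list of an Exchange admin record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def find_indicators(audit_data_lines):
    """Return a list of findings, each a dict with time, user, rule and detail."""
    records = sorted((json.loads(line) for line in audit_data_lines), key=lambda r: r["CreationTime"])
    findings = []
    failed_runs = defaultdict(int)  # (user, ip) -> consecutive failed sign-ins
    for r in records:
        op, user, ip = r["Operation"], r["UserId"], r.get("ClientIP", "")
        p = params(r)
        if op == "UserLoggedIn":
            key = (user, ip)
            if r.get("ResultStatus") == "Failed":
                failed_runs[key] += 1
                continue
            if failed_runs[key] >= FAILED_LOGIN_THRESHOLD:
                findings.append({"time": r["CreationTime"], "user": user, "rule": "login-after-failures",
                                 "detail": f"success after {failed_runs[key]} failed sign-ins from {ip}"})
            failed_runs[key] = 0
        elif op in ("New-InboxRule", "Set-InboxRule"):
            hits = sorted(SUSPICIOUS_RULE_PARAMS & set(p))
            if hits:
                findings.append({"time": r["CreationTime"], "user": user, "rule": "inbox-rule-exfiltration",
                                 "detail": f"{op} '{p.get('Name', '?')}' sets {', '.join(hits)}"})
        elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
            findings.append({"time": r["CreationTime"], "user": user, "rule": "mailbox-forwarding",
                             "detail": f"forwarding for {p.get('Identity', '?')} -> {p['ForwardingSmtpAddress']}"})
        elif op == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", ""):
            findings.append({"time": r["CreationTime"], "user": user, "rule": "mailbox-delegation",
                             "detail": f"FullAccess on {p.get('Identity', '?')} granted to {p.get('User', '?')}"})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_AUDIT_DATA):
        print(f"{f['time']}  {f['user']:<22} {f['rule']:<24} {f['detail']}")
```

Run against the constructed records, the script reports four findings for bob and nothing for alice's folder rule or clean sign-in. Against a real export the same logic would be fed the AuditData column of Search-UnifiedAuditLog output; the point is that these events sit in the audit log either way, and without something reading them nobody is told.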
You probably won’t do this without the help of a machine (if you happen to be human like me). Microsoft offers several products that will help you out here, but they are almost all trapped up in E5 plans:
- Identity Protection is included in Azure AD Premium P2, and will alert on risky sign-in events, and allow you to automate a response via policy (e.g. challenge MFA or force password resets)
- Advanced Threat Analytics is an on-premises solution used for monitoring and analyzing network traffic from on-premises servers.
- Azure ATP provides a cloud dashboard for identity forensics and highlighting risky user activity from on-premises resources.
- Azure Sentinel – This is a full Security Information & Event Management (SIEM) solution in the cloud with built-in AI; it should take logs from just about anywhere (e.g. supports syslog)
- Microsoft Defender ATP – Endpoint detection & response (EDR)–risky activity on end-user devices can be stopped in its tracks; use Advanced Threat Hunting to follow up on suspicious chains of events
- Office 365 ATP P2 – includes a bunch of advanced alert policies and threat tracking tools which can surface indicators of compromise
- Microsoft Cloud App Security – some of the same alerts that you find in ATP P2 show up here too, but with a ton of other goodies for discovering and securing third-party cloud apps outside of 365
- And there are probably others
As I mentioned, the downside to all of this is… not one of the above is included with Microsoft 365 Business. Even the Enterprise E3 plan is lacking under the “assume breach” model, surprisingly.
Brief review of the various products
Now if Microsoft contacted me tomorrow and offered to fulfill just one wish for the Microsoft 365 Business subscription (besides the Conditional access thing–which was just an egregious oversight, and hopefully will be fixed soon), I would ask them to include Microsoft Cloud App Security.
Why? Because it focuses on security insights related to cloud-based resources, both first and third-party. This, I believe, is where most Small Businesses spend the majority of their time, and therefore provides the coverage we need for indicators of compromise. A lot of the other tools, I think, are unlikely to be leveraged to their fullest extent in the SMB.
ATA, Azure ATP, etc.–Don’t care. Hybrid is on the way out, and just how many dashboards will the SMB admin be willing to watch over, anyway? There are a lot of damn security products from Microsoft these days, but I would suggest that Microsoft Cloud App Security is a bare minimum to get you past that dotted line, and into the “Assume Breach” mentality.
Now I also like MDATP, but I still think that the features most likely to be leveraged by the SMB here will be “prevention-focused” or “hope-based” (e.g. I don’t know how many people will get into the “respond” aspect, or run with Advanced Threat Hunting, etc.–it takes a lot of effort to manage this product at scale). There are other EDR products out there worth comparing this to, especially since it is only officially supported on Windows 10 Enterprise (and now Mac, but sadly not Windows 10 Pro).
I’m interested in Azure Sentinel too, and it is only in public preview at this time. It is possible to connect it to your Office 365 data and try it for free basically, so I’ll have to do that and report back (I know… I’m behind–it’s been a long year for me already).
Licensing combos to consider
Microsoft 365 E5 includes everything you will ever need for Security (and probably some stuff you’ll never use too). It retails for USD 57.00 /user /month. The simplicity of one SKU is the real attraction here–remember that you are also displacing other products e.g. phone system, etc.
Microsoft 365 E3 is priced at USD 32.00 /user /month, and does not include Office 365 ATP P1, which is an additional USD 2.00 (bringing it to USD 34.00); however, to break over into “assume breach” territory you should probably add Microsoft 365 E5 Security (all of the security goodness from Microsoft 365 E5 for USD 12.00 /user /month), which brings the total to USD 44.00.
Microsoft 365 Business + EM+S E5 comes out to 34.80, and includes almost every security goody Microsoft sells except for ATP Plan 2 and MDATP. This is probably my favorite combo for the SMB right now. It is easy to position this solution as a combination of the best in class productivity suite plus top-end enterprise-grade security, all for about the same price as Microsoft 365 Enterprise E3 plan. But look at how much more you get:
- Azure Information Protection Plan 2: Automatic labeling/classification
- Azure AD Premium Plan 2: Identity Protection, Privileged Identity Management, Risk-based Conditional Access
- Microsoft Cloud App Security: broker 3rd party apps, apply conditional access, monitor and alert on suspicious activity inside and outside Office 365
- Azure ATP & more (most SMB’s won’t really get into these is my guess–doesn’t matter since you get enough value out of the above anyway)
Now don’t forget, products can’t keep you safe on their own. Tools can provide insights and surface interesting data for you, but you need to also have your ducks in a row–an incident response plan, the skills and knowledge necessary to kick out the attackers, the wherewithal to work through remediation and so forth. Just a reminder that you can’t buy security in a box and hope you’re good to go. Doesn’t work like that.
Well, that is all I wrote today, folks. I hope all you wonderful people out there are moving past the breach prevention model and thinking about ways to increase your visibility and reduce your response time!