Building your Security Practice with Microsoft Threat Protection and Azure Sentinel
I have some exciting news today. I have a new publication available covering Microsoft 365 E5 Security and Microsoft Threat Protection, with a bonus section at the end featuring Azure Sentinel (which is a separate product, not included with Microsoft 365). The document is available here if you want to check it out, with a downloadable copy available for purchase at GumRoad.
My aim in writing this guide was twofold. One, to help introduce newcomers to Microsoft 365’s amazing security-related products and features. But more importantly, I would like to impress upon my co-workers at large (as I call my fellow consultants and MSP’s) the growing importance of having a fully developed security practice.
A Wake-up Call to the Managed Services Industry
Managed Services Providers are being targeted now more than ever, and you don’t have to go searching far to find numerous examples of these businesses being hacked. After all, MSP’s have privileged access to customer environments, so attackers can enjoy one-stop-shopping and load up on several breaches all in one go! This has been in the news so much lately, that I think it is only a matter of time before MSP’s become a highly regulated industry.
And to be clear, the point I am making is not specific to Microsoft 365, per se. Yes, the material covers Microsoft tools, but the point I want to get across is simply that you need to up your security game, in a big way, and soon. And that means either partnering up with a security provider to outsource it, or building your own Security Operations Center (a.k.a. the SOC–which you can also extend to your customers as another managed service). This is a completely different set of skills than your typical IT generalist of yore. There is a whole Info Sec field out there, and it goes deep–so it may mean making new hires or making some investments to grow your security talent in-house.
Whether you ultimately end up building your security practice using Microsoft tools specifically does not so much matter–but what does matter is that you start working on your strategy, because stuff is getting real out there. Hopefully the guide does its job and opens some eyes, and demonstrates that these are not the kind of tools you can just set on autopilot.
So what are the tools?
The products I am covering in this guide are everything that is included with the add-on bundle called Microsoft 365 E5 Security (which has all of the pieces of Microsoft Threat Protection), plus Azure Sentinel.
Now I know I am going to get this question: “Can I add Microsoft 365 E5 Security to Microsoft 365 Business Premium?”
This is still a bit muddy, and I have not found any clear statements from Microsoft suggesting this is an approved license combo (yet). The E5 Security add-on was originally developed as an upgrade to Microsoft 365 E3 specifically, and there is still literature out there that suggests this is the case.
However, now that Microsoft Defender ATP is available standalone, and supported for use with Windows 10 Pro, and the Business Premium SKU contains Azure AD Premium P1, in my mind this should remove the barriers we had with this SKU historically. After all, you can add any or all of the products as standalone, so why not just get them via this bundle, instead? Here is what it includes:
- Azure AD Premium P2 – Advanced identity-based protections and alerting in the cloud
- Azure ATP – Visibility into on-premises Active Directory identity attacks and incidents
- Office 365 ATP P2 – Adds Threat Intelligence, with some additional reporting and other tools, to the policies and protections you may already be familiar with in the P1 plan
- Microsoft Cloud App Security – CASB solution that sucks in and analyzes data from cloud apps (Microsoft and several popular third-party apps are supported), as well as a bunch of other cool capabilities like enforcing policies and governance actions in real time
- Microsoft Defender ATP – Full featured EDR for Data analysis and insights from the Defender-protected endpoints in the environment
But even if the majority of your customers are in the small business market segment, and forgo the Microsoft Threat Protection stuff, as a service provider you can still build a security practice which includes Azure Sentinel, Microsoft’s cloud-native SIEM/SOAR product. Note: You can ingest data from Microsoft Threat Protection products at no charge, similar to Office 365. And so I included some detail about Sentinel in the guide, as well.
E5 = Post-Breach
What all of these tools have in common, besides being part of the E5 SKU, is that they are heavily geared toward post-breach detection and response, not necessarily protection or prevention strategies. Sadly, most IT providers out there have not yet broken over into detection & response. But developing this is critical. You can leverage these tools to limit your exposure in the event of a breach, and also to contain and remove attackers as quickly as possible, before they are able to carry out more malicious actions like data exfiltration, domain takeover and persistence, ransom and so on.
While the guide is basically a quick tour through Microsoft’s security products, on the journey I explain that the tools do not equal security, either. Indeed, the entire point is to highlight that these products require someone to drive them. When you read the marketing for Microsoft Threat Protection it can sound like the magic bullet that everyone’s been waiting for: Let the fancy AI do security for you, because IT IS MAGIC!
But that’s not how it actually works (shocker–I know). Yes–these tools will save security analysts time and allow you to more effectively scale your services, but you cannot just turn a few dials and then walk away assuming you are covered. You still need talented people who understand how to work with these tools, and with capacity dedicated to reviewing alerts and improving detections and processes.
So the point is not the tools, as I have said, but rather getting an introductory look at them to understand how they are used. This in turn should get your gears turning about your own security posture and the types of protections you are currently offering to your customers (hint: you might want to think about upgrading your own ground game first).
Obtaining the guide
If you have already purchased my “Whole kit and caboodle” package on GumRoad, then you already have access to the downloadable copy today (it is also available as a standalone purchase if you just want this one document).
Later this year, I plan to have a separate product available, designed to teach MSP’s how to build a security practice (not necessarily focused on Microsoft products). I am debating about the format for delivering this information–it might not be written, or it may not contain only written components. I will plan to have a poll out shortly to collect ideas from the audience; I am interested in what you think would be most helpful. More on that soon. I hope you enjoy the reading; I am very grateful to be able to write to an audience who has been so receptive of my message, and so engaged with the content. Cheers!
Comments (6)
Hi Alex,
Really appreciate this resource and plan on purchasing a copy very soon also. As far as teaching how to build an MSP/MSSP practice I would be all in. Perhaps you could do something on Udemy? Someone already has: https://www.udemy.com/course/start-and-run-a-successful-it-support-company/ or maybe LinkedIn Learning.
Just from a personal perspective, I would prefer something with a Microsoft focus as I am starting my MSP/MSSP journey focusing on the Microsoft platform and I think they have a very well developed security platform now for both Azure and M365.
Perhaps you could teach through some of their books like: https://www.microsoftpressstore.com/store/microsoft-azure-sentinel-planning-and-implementing-9780136485452
or https://www.microsoftpressstore.com/store/microsoft-azure-security-center-9780135752036
Also, I recently participated in Microsoft’s 3 day Virtual Security Bootcamp and a lot of good ideas there:
https://aka.ms/SecurityBootcamp
(and no, I don’t work for Microsoft)
Thanks again for all the great resources, they have really helped me a lot in securing the M365 environments I’m currently managing.
Thank you this is very valuable feedback as I think about this project.
We have implemented the whole comprehensive suite of Microsoft 365 security products including Azure Sentinel. We have also given every employee instruction about avoiding phishing links and have implemented a host of policies for blocking them from coming into the company in the first place. Our infrastructure is cloud only with no hybrid. Question, has anyone determined a way to sensibly block the use of Powershell through the Endpoint Manager except for the one or two users in our company who require it? We have already removed it from the Windows Powershell 2.0 which was enabled by default in Windows Features, users still have Powershell functions available through the application residing at \Windows\System32\WindowsPowerShell\. I know how this can be done through a group policy in a hybrid environment, but am not sure how to configure this in Intune.
A friend of mine, Rudy, discovered a neat way of accomplishing this. I haven’t tried it out myself; if you test it with a pilot device let us know how it goes!
https://call4cloud.nl/2020/06/blocking-administrative-apps-like-the-command-prompt-in-intune/
After some experimentation I finally got this working. I wrote a brief blog post about how to do it here:
https://www.ufcinc.com/how-to-block-the-use-of-powershell-in-windows-10-by-implementing-an-applocker-policy-through-microsoft-endpoint-manager/
I included a link to your site. Thanks for much for all of your excellent contributions.
Thanks Alex, I am going to try that neat solution. Thanks for your excellent articles.