FOREWORD
New approaches to cybersecurity are needed more than ever!
The pandemic has led to exponential growth in remote employees, expanding the attack surface for companies
big and small. Security teams struggle to cobble together solutions consisting of technologies from multiple
vendors, many of which were only designed to operate in legacy environments. Integration complexities, a lack
of security resources, and unrelenting attacks from cyber criminals have made securing the organization a
seemingly unattainable goal.
So what is the solution to eliminating this pain while also providing the security your company needs in a
cloud-first world? We believe a cloud-native, fully integrated security solution is what makes the most sense. To
bring our vision to life, we partnered with Microsoft to build consulting, implementation, and managed security
services around their SIEM and XDR tools that deliver the outcomes needed by companies operating in today’s
dangerous, highly interconnected world.
This Mighty Guide, one of three in a series, was written to help you better understand how specific Microsoft
security tools are being used by companies today and help you benefit from the lessons they have learned.
Enjoy the book!
Milan Patel
Global Head of Managed Security Services
BlueVoyant
BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200, and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry-leading analytics and technologies.
Founded in 2017 by Fortune 500 executives and former Government cyber officials and headquartered in New York City, BlueVoyant has offices in Maryland, Tel Aviv, San Francisco, London, and Latin America.
MEET OUR EXPERTS
OSCAR MONGE, Rabobank, Security Solutions Architect, pg. 15
TOM DUGAS, Duquesne University, Assistant Vice President and Chief Information Security Officer, pg. 23
SAJED NASEEM, New Jersey Courts, CISO, pg. 21
JAMES P. COURTNEY II, J&M Human Capital and Cybersecurity Consultants, LLC, CEO/CISO, pg. 6
REBECCA WYNN, Global CISO & Chief Privacy Officer, pg. 18
MAARTEN LEYMAN, delaware BeLux, Senior Security Consultant, pg. 12
LAWK SALIH, Independent Community Bankers of America, Vice President, Technology Systems and Services, pg. 9
“A big advantage of Microsoft 365 Defender is its
breadth of integrated security functions combined with
the fact that you do not need to enable everything in
the suite at once.”
More Integrated Data Delivers a Bigger Security Picture
Microsoft 365 Defender (formerly Microsoft Threat Protection) is a suite made
up of four security tools:
• Microsoft Defender for Endpoint (endpoint and cloud behavioral analytics,
device risk scoring, threat intelligence, and automated investigation and
remediation)
• Microsoft Defender for Office 365 (security for email and collaboration tools)
• Microsoft Defender for Identity
• Microsoft Cloud App Security
Many of the Microsoft 365 Defender security tools work across platforms to
cover non-Windows environments, although Microsoft product integrations
make the tools easier to implement in a purely Microsoft environment. These
security applications are well suited to on-premises infrastructures and hybrid
infrastructures with cloud-based resources and applications.
James P. Courtney II is a Certified Chief Information Security Officer with two decades of diversified experience in cybersecurity. He focuses on FAIR risk management; information systems security; database security; policy; and governance based on NIST, GDPR, FISMA, and FedRAMP, as well as maintaining a high standard for setting benchmarks that promote growth and a mature system security plan to achieve strategic goals.
James P. Courtney II, J&M Human Capital and Cybersecurity Consultants, LLC, CEO/CISO
A big advantage of Microsoft 365 Defender is its breadth of integrated security
functions combined with the fact that you do not need to enable everything in
the suite at once. This flexibility gives you the opportunity to consider your current
security needs while thinking about where you want to be in the next three to five
years. Activating more security functions in the Microsoft 365 Defender suite involves
turning on the licenses for those features—no additional deployment necessary. This
design is a big advantage over piecemeal security solutions that require rolling out
agents on all your systems for each new tool. With Microsoft 365 Defender, you add
security capabilities by turning on features that then tap into the data flow already
being monitored and analyzed.
Some aspects of Microsoft 365 Defender may be challenging for those new to
the product. For instance, the tools use machine learning to analyze activity data,
but they look at more than typical endpoint detection and response features. If the
security team is not used to the way Microsoft 365 Defender receives and delivers
information for analysis and how it integrates that information into its automation
features, the learning curve could be significant because with these tools, analysts
will see information that they may not be used to seeing. As a result, you may need
to develop new policies and procedures on how your team analyzes and responds
to data. For instance, if your team has been conducting risk assessment in a certain
way as part of incident evaluation to support decisions about escalation, having more
information could affect those risk scores. Now, you must adjust that risk-scoring
process because you have access to more data than you had before.
In contrast, from a security perspective, more data is always better. If I’m getting a
view of my email, my endpoints, my identity, my apps and my overall infrastructure,
and I can see more information or more events and better correlate them than I could
before, I can react more quickly to an incident.
Having the ability and bandwidth to process all the data coming in centrally is
an important success factor. A more integrated view of what is happening in the
environment also helps you increase efficiency across the board—for your security
teams; for your security operations center investment; even for your networking
teams, which will have information to more easily spot failings in the network. If
you do not have the resources to use the additional data that the integrated tools
of Microsoft 365 Defender provides, consider working with a managed security
services provider to either gain that support or help you make that transition.
Key Points
1. Activating more security functions in Microsoft 365 Defender involves turning on the licenses for those features—no additional deployment necessary. This is a big advantage over piecemeal security solutions that require rolling out agents on all your systems for each new tool.
2. Microsoft 365 Defender looks at more data than typical endpoint detection and response tools, which may require developing new policies and procedures on how you score risk when evaluating alerts and incidents.
“A big advantage of Microsoft Defender is the amount
of visibility it provides. When an alert comes in, you
want to be able to get to your logs right away to see
what’s going on.”
Consolidation and Visibility Add Real Value
For us, implementing the Microsoft 365 Defender suite was part of a
consolidation strategy. Consolidation was, in turn, part of our digital
transformation strategies. We wanted to improve security, save money, and
reduce management overhead. It was not just about consolidating vendors:
It meant consolidating and centralizing all the logs generated from the
endpoints and infrastructure so that we could go to one dashboard for all of
our security monitoring, detection, and remediation.
When coronavirus disease 2019 (COVID-19) hit, suddenly everyone was taking
laptops home. While our devices had the endpoint protection, we could not
put any kind of protection on the employees’ home routers or those similar
on corporate infrastructure. For example, in the corporate environment we
have access to a 24/7 security operations center, known as a SOC, to monitor
unauthorized activities on the network. We wanted to monitor the exposure
level of the traffic and risk level and set alerts as necessary. Additionally, we
wanted to set controls over what was and was not authorized at the endpoint.
Cloud app and endpoint security tools in Microsoft 365 Defender enabled us
to do that with much detailed analysis into discovered apps, total throughput,
bandwidth-intensive apps, and remediation policies to protect our employees.
Lawk Salih is Vice President of Technology Systems and Services for Independent Community Bankers of America (ICBA). In his role, Lawk leads cloud migration efforts, the cybersecurity program, infrastructure, and customer service support in alignment with the ICBA’s strategic goals. He has more than twenty years of experience in IT, including fifteen years with nonprofit organizations and trade associations.
Lawk Salih, Independent Community Bankers of America, Vice President, Technology Systems and Services
A big advantage of Microsoft Defender is the amount of visibility it provides. When
an alert comes in, you want to be able to get to your logs right away to see what’s
going on. This is what the dashboard does. It is simple to follow and it enables you
to hunt for threats and navigate around IP addresses involved in an incident; where
applicable, the incident also includes the remediation steps for your security analysts.
It’s best to use Microsoft 365 Defender with the latest version of the Windows
operating system on your endpoints, especially your virtual machines. Some of
the remediation capabilities are only available with the latest operating systems.
Some functions, such as auto-remediation, do not work on older Windows versions.
In addition to Microsoft Defender, we use Microsoft Intune for our mobile device
management on all endpoints. Whether on a laptop or a smartphone, Intune assists
us to set compliance policies and profiles to defend against security threats. Intune
can also be used as a deployment configuration tool to push apps to your employees
in an automated fashion. While we continue to work remotely, this feature has been
instrumental to our system administrators. Of course, always test your configurations
with a few machines in your environment before rolling it out across the organization.
Do all your learning at the proof-of-concept stage to avoid service disruptions and to
better manage your deployments.
Some challenges are associated with Microsoft 365 Defender that may be more
significant for smaller organizations. One is cost. There is a lot of value in these
integrated tools, but the cost may be different from what you expect. Start with those
baseline configurations, and scale up the licenses to meet your needs. Another is
learning the system. Microsoft makes a lot of good information available on the tools
it provides, but you need to own this process to understand how best to configure
them for your environment.
Key Points
1. Always test your configurations on a few machines in your environment before rolling them out across the organization. Do all your learning at the proof-of-concept stage to avoid service disruptions and to better manage your deployments.
2. Microsoft has made their security tools simple to learn, deploy, and adopt. However, organizations that do not have the internal skills may find it beneficial to outsource to an MSSP to achieve the greatest value possible.
A key success factor in any security deployment is monitoring the dashboards. You
can never monitor enough. You must continuously monitor and train the ML/AI on
whether the alerts it generates are good alerts or false positives. This is the only way
the system will improve and stay tuned to your environment.
Many organizations outsource their security monitoring and detection controls to
managed security service providers (MSSPs). Some organizations may need help
with the 24/7 monitoring and tuning necessary to keep the system optimized.
Or, they may need expertise in configuration or building playbook remediation
processes. Microsoft has made their security tools very simple to learn, deploy, and
adopt. However, some organizations may not have this skill set internally; therefore,
it may be beneficial for them to outsource to an MSSP to achieve the greatest value
possible. I always recommend building knowledge internally to be effective at using
the security tools.
“When implementing these security tools, I suggest
beginning with those that are easiest to implement.”
When Deploying Microsoft 365 Defender, Start with the
Easiest Tools in the Suite
Microsoft 365 Defender is a set of products that includes Microsoft Defender
for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365,
and Microsoft Cloud App Security. When implementing these security tools, I
suggest beginning with those that are easiest to implement. The easiest of all is
Microsoft Defender for Office 365.
Microsoft Defender for Office 365 uses features such as Safe Attachments, Safe
Links, and anti-phishing policies to protect user emails and files shared through
SharePoint, OneDrive, and Microsoft Teams. For example, when Safe Links is
enabled, Microsoft Defender for Office 365 scans links in emails, files, and email
attachments. If it detects a malicious link, it prevents anyone from opening it.
If someone tries it, Defender for Office 365 displays a message that the link is
unsafe and stops them.
Maarten Leyman is a Senior Security Consultant with experience in the full Microsoft 365 security suite and Azure security. In 2013, he started his career at delaware BeLux, where he performs security assessments and conducts workshops at customer sites to identify security risks. He also helps fine-tune IT architecture and implementations to increase overall security at customer locations and mitigate possible threats.
Maarten Leyman, delaware BeLux, Senior Security Consultant
Microsoft Defender for Office 365 also has an attack simulator that enables
you to target your organization with a phishing campaign using a fake link to
trick users into giving up their passwords. It’s a great tool for creating user
awareness, and it gives you insight into how users in the organization respond
to phishing attacks. In the past, you needed separate tools to run attack simulations.
Those tools are now built into Microsoft 365 Defender.
Microsoft Defender for Office 365 is the easiest tool to start with because as an IT
administrator, you can enable it with just a few clicks. It also has no disruptive impact
on users. The only thing they might notice is that the tool rewrites URLs in emails and
documents.
The next-easiest tool is Microsoft Defender for Identity, which simply involves
installing a sensor on each domain controller. This sensor monitors user activities
and sends that data to the cloud, where the tool looks for unusual behavioral
patterns. Microsoft Defender for Identity also correlates security activity through all
the domain controllers, which you can see in a portal.
Microsoft Defender for Endpoint provides more comprehensive protection of
your entire environment. It is an endpoint detection and response (EDR), threat
and vulnerability management, and attack surface reduction solution with auto
investigation and remediation capabilities. Its implementation is a bit more complex.
It has strong integration capabilities with the other Microsoft 365 Defender features.
Some examples are:
• Integration with Cloud App Security for detection and control of shadow IT.
• Integration with Microsoft Defender for Identity to track, correlate, and map user
behaviors involving multiple machines, making it easier to understand an alert
that is occurring in the environment.
• Integration with Endpoint Manager to easily reduce the attack surface and
vulnerabilities on the devices.
When implementing these tools, begin with a pilot involving a small group of users,
such as a security team, to make sure that everything works as it should. Then,
expand to a workgroup of real users. If everything goes well, you can scale more
widely across the organization.
In addition, use the Microsoft 365 security center. Microsoft 365 Defender solutions
have their own portals, which can become confusing when you are using multiple
tools. The Microsoft 365 security center consolidates data from all the tools into one
view, which makes it much easier to detect a problem and take corrective actions.
You should also evaluate the knowledge and expertise of your security team. When
using these tools together, it can take time to set them up and configure them
properly. They also require continuous monitoring and refinement. Every organization
is different, but many will benefit from having a managed security services provider
(MSSP) involved in deploying, monitoring, and optimizing the tools. MSSPs can speed
time to value through customized deployment templates, and they have expertise in
interpreting all the information coming out of the tools.
Key Points
1. With Microsoft Defender for Identity enabled, you can track, correlate, and map individual behaviors involving multiple machines, making it easier to understand an event that is occurring in the environment.
2. Consider having an MSSP involved in deploying, monitoring, and optimizing Microsoft 365 Defender. MSSPs can speed time to value through customized deployment templates, and they have expertise in interpreting all the information coming out of the tools.
“Microsoft 365 Defender is a suite of individually
licensed products, and you have choices about which
parts of the suite to implement.”
Engage with Experts Who Can Help Optimize Your
Deployment
Whenever you adopt any new technology in an organization, you should first
go through the product documentation and become familiar with all the
features available to you. The organization needs to understand the benefits
and constraints of each license type—and not just the money. It’s about
aligning the features you require with your organization’s needs in a way that
gets you the best return on your investment. That approach is important for
successful adoption of the technology within the organization.
Whether you work with in-house subject matter experts or external
consultants, matching the technology to your requirements should be done
by someone who can act as an evangelist within the organization. This
person does not have to be someone who thinks that a particular product
is the best on the market. Rather, this person should be someone who can
review and understand the documentation, understand how to apply the
technology to meet the organization’s goals, and help roll out the technology
in an optimized manner.
Oscar Monge is a seasoned information security professional with more than seventeen years of experience. He is a Security Solutions Architect at Rabobank, where he helps shape security monitoring direction and technology integration. Oscar is passionate about technology and its alignment to IT business needs.
Oscar Monge, Rabobank, Security Solutions Architect
Microsoft 365 Defender is a suite of individually licensed products, and you
have choices about which parts of the suite to implement. At the end of
the day, product selection must align to the needs of the business, which means
aligning to the organization’s risk appetite, mid- and long-term security strategies,
and technical capabilities.
Microsoft makes it easy to enable and start using the products in Microsoft 365
Defender. The bigger challenge is effectively using the Microsoft 365 Defender
controls to operate the business in a more secure fashion. You must be able to
consume the data and use automation features effectively. Just turning on an
automation does not mean it will magically perform the way you want. Someone
who understands the technology must observe its function to determine if it is
doing what the organization expects or if it must be tuned. Microsoft makes it
easy to communicate with its experts, who can provide insights into problems
you may encounter with the product. It’s a good idea to use that communication
channel.
One of the great advantages of Microsoft 365 Defender is that it so easily
integrates with other Microsoft products. This is an important feature because
from a security standpoint, you typically have only one point of view of an
incident. The level of integration built into these products enables you to
evaluate a single event from different points of view. In the past, Microsoft had
separate dashboards for each security solution. Now, it has consolidated those
dashboards into a single admin center. Multiple data sources in one portal make
it easier to gain a complete picture of an observed activity. Analysts can see the
whole kill chain of an incident more quickly, and then take decisive action.
When implementing Microsoft 365 Defender, I suggest:
• Implementing all out-of-the-box controls and automations that are pertinent
to your organization;
• Monitoring the performance of those automations to make sure that you
are getting the automated responses you need and can step in when more
information and fine-tuning is required; and
• Using product and data integrations as much as possible.
Also, consider using outside expertise to help accelerate and optimize your
implementation.
Key Points
1. You need to understand the benefits and constraints of different license types so that you can align the features you require with your organization’s needs in a way that gets you the best return on your investment.
2. Microsoft makes it easy to enable and start using the products in Microsoft 365 Defender. The bigger challenge is effectively using the tool’s controls to operate the business in a more secure fashion.
“The Microsoft 365 Defender tools provide a holistic
view of what is happening in the environment.”
Intelligent Security Tools Do Not Replace
Knowledgeable Security Administrators
When deciding where to begin with Microsoft 365 Defender, the primary
objective is to reduce risk as quickly and efficiently as possible. There are a
couple of ways to look at that. One is to identify what the greatest impact of
an attack would be, and then protect against that risk first. The other is to
look at where your greatest exposure is and protect that first.
Most organizations think in terms of reducing exposure first, and the best
place to start is with users. The quickest way to reduce user exposure with
the Microsoft 365 Defender tools is to begin with Microsoft Defender for
Office 365. This tool protects Microsoft Outlook email, OneDrive, SharePoint,
and Microsoft Teams—the places where most users are exposed daily.
Implementing this tool is easy, and its cost is based on the number of Office
365 licenses you have.
Dr. Rebecca Wynn received the 2017 Cybersecurity Professional of the Year–Cybersecurity Excellence Award, was Chief Privacy Officer of SC Magazine, is a Global Privacy and Security by Design International Council member, and was 2018 Women in Technology Business Role Model of the Year. She is lauded as a “gifted polymath and game-changer who is ten steps ahead in developing and enforcing cybersecurity and privacy best practices and policies.”
Rebecca Wynn, Global CISO & Chief Privacy Officer
As you prepare to roll out these tools, first review the documentation.
Microsoft does a good job of providing online videos and documentation
about how to use the products. The documents support not only security
and compliance professionals but also administrators. Another important
step is to take a thorough IT asset inventory. You need to understand the types
of systems you have, where they are, and the networking devices in use—all
elements that affect your use of the security tools. Finally, talk to the core
stakeholders in the organization’s IT systems. The success or failure of your
implementation depends on their support.
The Microsoft 365 Defender tools provide a holistic view of what is happening
in the environment. One challenge organizations have is choosing the right
person to be the security system administrator. That person needs to monitor the
dashboards, take actions when appropriate, and fine-tune the tools. This person
must have security analytical skills. The tools are excellent, and they use machine
learning to reveal issues that require action. It’s easy to forget that even if you
need few staff members looking at those dashboards because the tool is now
correlating everything for you, you still have to have people who know how to do
the work of answering difficult questions, taking critical actions, and optimizing
the tools.
An important part of tool optimization is being mindful of the data you collect.
The tools in Microsoft 365 Defender can consume enormous amounts of
data, and that can have costs and create analytical noise. Do you care about
every time in a workday a computer went to sleep and the user pressed the
spacebar to wake it back up? That’s not a mindful event. Why is a user in a
different geolocation suddenly getting locked out of his or her system? That’s an
interesting anomaly.
For some companies, it makes sense to have a managed security services
provider (MSSP) help monitor and administer these tools. Microsoft’s tools are
changing, and you no longer need an army of people staring at screens and
correlating every event. When you think about system administration needs, the
important consideration is not the number of events you are dealing with but the
number of actual items producing alerts of critical, high, or medium risk.
Microsoft 365 Defender is driving greater security process efficiency. For many
companies, the best model is not necessarily a fully managed security operations
center (SOC) but a hybrid model in which the MSSP comes in periodically to
work with the team for greater effectiveness and efficiency. One advantage of a
managed SOC is that the MSSP can typically source talent more quickly than your
in-house security team and, if that talent isn’t quite working for you, quickly make
changes.
Key Points
1. It’s easy to forget that even if you need fewer staff members looking at those dashboards because a tool is now correlating everything for you, you still need people who know how to do the work of answering difficult questions, taking critical actions, and optimizing the tools.
2. When you think about system administration needs, the important consideration is not the number of events you are dealing with but the number of items producing alerts of critical, high, or medium risk.
“If an alert comes in through our security information
and event management tool, we can look at it, isolate
the machine, and check it out with just a few clicks.”
Microsoft 365 Defender Delivers Fast Answers If You
Know How to Interpret the Data
Microsoft 365 Defender is a product that is made up of several tools, all included
in a Microsoft 365 E5 license. The suite has significant functionality in terms
of being able to install sensors and use indicators of compromise. It also has a
networking interface so that if somebody is attacked by a particular virus, you
can easily search the entire organization for all other occurrences of that virus.
You can also access threat intelligence information to see the global extent of a
particular attack you are experiencing.
When a machine is compromised, Microsoft 365 Defender enables you to use
automation to isolate that machine quickly and prevent anyone from signing in
to it. In fact, Microsoft 365 Defender allows a lot of customization in terms of the
functions and actions you can automate.
One tool in the Microsoft 365 Defender suite is Microsoft Cloud App Security, a
cloud-based cloud access security broker that monitors all user activities with
cloud-based apps. The tool looks at IP addresses associated with user activity
and can alert you if things are happening in the network that should not be. For
example, if somebody is signed in to a computer in New York City, and then signs
in again an hour later in San Jose, the system will flag that as something that
should not be happening.
Sajed (Saj) Naseem is Chief Information Security Officer (CISO) of New Jersey Courts, where he focuses on cybersecurity readiness and performance, information governance, and network security. Sajed has more than twenty years of experience and holds master’s degrees from St. John’s University and Columbia University, where he is an adjunct professor.
Sajed Naseem, New Jersey Courts, CISO
An important and powerful feature of Microsoft 365 Defender is its ability to track
activity in great detail. You see detailed activity and timelines for anyone working in the
environment. This information is also searchable, so if you query the system about who
clicked a particular link, that search will encompass the entire organization and provide
a detailed track of that activity. It does this quickly, which speeds alert analysis and
enables you to get fast answers to questions. If an alert comes in through our security
information and event management tool, we can look at it, isolate the machine, and
check it out with just a few clicks.
When installing Microsoft 365 Defender on endpoints, it’s important that all your
server operating systems be up-to-date. Microsoft 365 Defender will not run on older
Windows Server and Windows operating systems. For some organizations, particularly
if you have a large environment with decentralized IT groups, this can be a time-consuming task.
Another important point to keep in mind is that Microsoft 365 Defender is different
from traditional antivirus and other siloed security solutions. Microsoft 365 Defender
integrates many different security functions. To use it effectively, your security team
needs a deeper, more holistic understanding of what is going on in your environment so
that they better interpret the alerts and information the system provides. It is important
that team members have training in these areas; depending on the depth of expertise in
the organization, you may need to consider working with a security service provider to
get the most out of Microsoft 365 Defender.
Key Points
1. Microsoft 365 Defender provides highly searchable information. If you query the system about who clicked a particular link, it will search the entire organization and provide a detailed track of that activity. It does this quickly, which speeds alert analysis and enables you to get fast answers to questions.
2. It is important that the security team be trained to understand what the system is telling them. Depending on the depth of expertise in the organization, you may need to consider working with a security service provider to get the most out of Microsoft 365 Defender.
“One big advantage for us in using Microsoft Defender
for Office 365 is that it seamlessly plugged into our
existing environment.”
Rapidly Reduce Email-Based Attacks
When the Chief Information Officer brought me in to create the first-ever
Information Security Office at Duquesne University, we discovered that we were
getting inundated with email attacks related to phishing, spear phishing, spoofing,
and various scams. We actually had hundreds of compromised accounts every
year, largely because each year we had new students and new faculty who did not
know what to expect. They were unfamiliar with each other and people on campus.
Exploits typically began with email attacks on new students. Stolen student
credentials would then be used to attack faculty and staff.
To find a solution, we created a proof of concept with top vendors. We chose
Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection),
which is part of the Microsoft 365 Defender suite. Implementing that tool reduced
the number of compromised accounts on campus by 95 percent.
Note that when deploying this or any security solution, it’s important to talk to peers
and partners who have done this before and can suggest lessons they learned from
their experiences.
Tom Dugas is Assistant Vice President and
Chief Information Security Officer (CISO) of
Duquesne University, where his responsibilities
include cybersecurity, identity and access
management, and data governance. In 2019,
Tom was recognized as CISO of the Year by
the Pittsburgh Technology Council. Tom is an
alumnus of Robert Morris University, the 2009
EDUCAUSE Leading Change/Frye Leadership
Institute, and the 2006 EDUCAUSE Institute
Leadership Program.
Tom Dugas,
Assistant Vice President and Chief
Information Security Officer
Two essential features are added when you implement Microsoft Defender for Office
365. One is Safe Links, which rewrites familiar links in your emails so that they become
long Safe Links addresses. This behavior enables the tool to check links for malicious
activity and detonate them in a sandbox to make sure there is no malware. The tool also
checks against a safe sender list to make sure that emails are sent from a reputable site.
The second feature is Safe Attachments, which inspects all attachments sent into your
community to determine whether they contain malware. The Microsoft 365 Defender
product line does a great job inspecting attachments and files to make sure that they are
safe to use.
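Safe Links rewriting, as described above, means an analyst reading click logs or quoted messages sees the long wrapper address rather than the destination. The following added example (not from the guide or from Microsoft's tooling) unwraps such links back to their original form for log analysis; the wrapper host pattern is the one Safe Links uses, and the sample log line is constructed.

```python
"""Unwrap Safe Links rewritten URLs so click logs show the real destination.

Added example, not part of the guide. Safe Links rewrites a link as
https://<region>.safelinks.protection.outlook.com/?url=<encoded original>&data=...
so the analyst has to decode the `url` query parameter to see what was clicked.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAFELINKS_HOST_SUFFIX = ".safelinks.protection.outlook.com"


def unwrap_safelink(url: str, max_depth: int = 5) -> str:
    """Return the original URL if `url` is a Safe Links wrapper, else `url` unchanged.

    A rewritten link that is forwarded can be rewritten again, so the wrapper
    is peeled repeatedly, bounded by `max_depth` to stop pathological nesting.
    """
    for _ in range(max_depth):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host.endswith(SAFELINKS_HOST_SUFFIX):
            return url
        inner = parse_qs(parts.query).get("url")
        if not inner:
            return url  # wrapper without a target: leave it as is
        url = inner[0]  # parse_qs already percent-decodes one layer
    return url


# URLs end at whitespace or a quoting character in log lines and message bodies.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_original_links(text: str) -> list:
    """Find every URL in a message body or log line and unwrap Safe Links wrappers."""
    return [unwrap_safelink(m.group(0)) for m in URL_RE.finditer(text)]


# Constructed sample click-log line: one rewritten link and one plain internal link.
SAMPLE_LOG = (
    "2021-03-02T14:05:11Z user=student@example.edu clicked "
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin-portal"
    ".example.net%2Fverify%3Fid%3D42&data=04%7C01%7Cconstructed&reserved=0 "
    "and https://intranet.example.edu/help"
)

if __name__ == "__main__":
    for link in extract_original_links(SAMPLE_LOG):
        print(link)
```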
It is important that you have the ability to decipher logs and respond to issues quickly.
You still need an incident response plan; you need to understand how to respond to
the particular malicious activities that surface; and, most importantly, you need a way
to communicate that risk to the environment in case something is happening. As you
become more comfortable with the suite, you can tune it up or down to optimize it for the
level of risk your organization can tolerate.
One big advantage for us in using Microsoft Defender for Office 365 is that it seamlessly
plugged into our existing environment. That really reduced the time we needed to get it up
and running. We were surprised at how quickly it became productive in our environment
and how much time it saved us because we were no longer chasing down so many email
attacks.
“It is important that you have the ability to decipher logs and respond to issues
quickly. You still need an incident response plan.”
Another nice thing about Microsoft Defender for Office 365 is that it works across
the entire Office 365 stack. Whether you are in OneDrive, Microsoft Outlook, Microsoft
Teams, or another tool, it all seamlessly fits together in that product stack. Although we
do not have all the other products within the Microsoft family yet, I know it will be easy to
layer them in when we are ready.
Key Points
1. Microsoft Defender for Office 365 uses Safe Links to check links in email and documents for malicious activity. It uses Safe Attachments to inspect attachments to make sure they are safe.
2. Even with Microsoft Defender for Office 365 implemented, you need to understand how to respond to the particular malicious activities that surface, and—most importantly—you need a way to communicate that risk to the environment in case something is happening.
Tom Dugas,
Assistant Vice President and Chief
Information Security Officer