Meta Review: Microsoft 365’s Enterprise Security Features
- COVID-19 encouraged digitalisation in organisations all around the world. On one hand, this digitalisation has made internal business processes more efficient. But on the other, it also increased the attack surface and introduced new threats that need to be tackled.
- Microsoft 365 Enterprise is one of the many remote collaboration solutions available on the market. Among other things, it offers a wide array of security features to help you protect your IT environment.
What Is Microsoft 365?
Microsoft 365 (building on the Office 365 suite) is Microsoft’s cloud collaboration suite intended to facilitate and streamline enterprise IT workflows. The suite is available to consumers, SMBs and large organisations, as well as educational institutions.
Along with your Windows operating system, Microsoft 365 Enterprise plans include the following apps and solutions:
- Office 365 apps such as PowerPoint, Word, Excel, OneNote, Publisher, and Access.
- Email and calendar apps such as Outlook, Exchange, and Bookings.
- Remote collaboration and video conferencing with Microsoft Teams.
- File sharing and social interaction apps such as SharePoint, Yammer, and OneDrive.
- Work management apps such as Planner, Power Apps, and Power Automate.
- Advanced analytics with MyAnalytics and Power BI Pro.
- Device and app management with Windows Enterprise, Microsoft 365 Admin Centre, Microsoft Intune, and others.
- Identity and access management with Windows Hello, Direct Access, Credential Guard, and others.
- Threat protection with Microsoft Advanced Threat Analytics and Microsoft 365 Defender, among other solutions.
- Information protection and data loss prevention with Azure Information Protection, Windows Information Protection, BitLocker, and others.
Microsoft 365 Enterprise receives updates on an ongoing basis, so it could well be the last security system you’ll have to implement – Microsoft will no longer have step-change releases.
The purpose of this Meta-Review
The goal of this meta-review is to introduce you to Microsoft 365 – specifically its E3 and E5 versions – set proper expectations, and help you bring your IT security to a whole new level in 2021 and onward.
We are going to examine the main features offered by this platform. Additionally, we will highlight a number of Microsoft 365 security reviews to help you get a well-rounded idea of the solution.
Microsoft 365 Enterprise Security Features
Microsoft 365 Enterprise has a rich feature set when it comes to security.
Note that feature availability varies between Microsoft 365 Enterprise plans. E5 is the most full-featured plan of them all – as for E3 and F3, check out the comparison page to find out what’s missing in them.
The security system of Microsoft 365 Enterprise is quite complex, and your IT team will need to read hundreds of documentation webpages to obtain a full grasp of its capabilities. Below, we’ll provide you with a simplified overview of Microsoft’s security platform.
Device and app management
Microsoft 365 Enterprise offers the following security solutions for device and app management:
- Windows Enterprise. Compared to its Home and Pro counterparts, Windows Enterprise offers more advanced security features, including but not limited to:
- AI-powered threat detection and response against phishing attacks, ransomware, or IoT threats (e.g. weak passwords, insecure interfaces, or poor device management);
- Integration with BitLocker encryption. BitLocker encrypts data to protect it in case it is stolen or left on an unprotected device, among other things. With BitLocker, you may also lock the normal startup process on your device until a PIN is provided.
- Resilient File System (ReFS) to handle data corruption. ReFS proactively scans data to identify errors or corruption. Upon detecting issues, ReFS restores the data (from a backup copy) or removes it to ensure an unimpeded data flow.
- Microsoft 365 Admin Centre. The Admin Centre allows you to manage users, groups, existing domains, turn on multifactor authentication (MFA), and view service health.
- Microsoft Intune. Intune simplifies device management, including company-owned and bring-your-own (BYO) devices. Among many other things, you may create security policies that define access levels for each employee (and their devices) in the company.
Identity and access management
For identity and user access management, Microsoft 365 Enterprise offers the following features:
- Windows Hello for Business. A part of Windows Enterprise, Windows Hello for Business replaces passwords with more secure multifactor authentication (MFA). This MFA is based on certificate or asymmetric key pair authentication and employs biometric data (fingerprint or face recognition) and a PIN for added security.
- Credential Guard. Windows Defender Credential Guard is designed to protect employee credentials from theft by isolating them in a virtual environment.
- DirectAccess. DirectAccess allows employees to connect to your corporate network remotely without using a traditional VPN (Virtual Private Network). DirectAccess ensures a constant connection to your organisation, and it also allows IT admins to manage DirectAccess client computers.
- Azure Active Directory. Azure Active Directory helps you manage employee access to internal resources – such as your corporate network – and external resources, such as the Azure portal or Microsoft 365.
Threat protection
The threat protection of Microsoft 365 Enterprise is based on Microsoft 365 Defender. This security tool can monitor the behaviour of entities (such as users or processes with access to sensitive data), identify suspicious activity, and provide clear incident reports.
Defender features a number of sub-apps that protect specific parts of your network – more below.
- Microsoft Defender for Identity. Formerly Azure Advanced Threat Protection (ATP), Defender for Identity is aimed at protecting your network by monitoring user and entity behaviour, detecting malicious insider activity, and identifying compromised user identities and credentials through atypical behaviour.
- Microsoft Defender for Endpoint. Defender for Endpoint ensures cloud-based protection from threats like malware, ransomware, or phishing on endpoints (such as servers or mobile devices, including non-Windows ones), with a particular focus on email attachments. This solution can also help you reduce your attack surface and perform automatic investigation and remediation.
- Microsoft Defender for Office 365. Defender for Office 365 strengthens your defences around email and document security. Features like Safe Links and Safe Attachments allow you to open and analyse attachments in a secure environment where malicious files can do no harm.
- Microsoft Defender Antivirus and Device Guard. Microsoft Defender Antivirus and Device Guard are Windows tools intended to protect the device they are on from malware, spyware, and other threats across apps, the web, the cloud, and email. Protection is based on behaviour monitoring and a perpetually updated database of known threats.
Note that the availability of these features varies between Enterprise plans.
Also, as of this meta-review’s writing, all plans had a component called Microsoft Advanced Threat Analytics (ATA). It was designed to protect networks from external and internal threats.
ATA was succeeded by Azure Advanced Threat Protection (Azure ATP), now known as Microsoft Defender for Identity. Mainstream support for ATA ended on January 12, 2021, while extended support is set to continue until January 2026.
Information protection
For information protection, Microsoft 365 Enterprise offers the following features:
- Microsoft 365 data loss prevention. The data loss prevention capabilities of Microsoft 365 allow you to prevent the accidental sharing of information, monitor sensitive data, and help employees stay compliant with your DLP (Data Loss Prevention) policies. Among other things, DLP lets you reduce the risk of the inadvertent disclosure of sensitive data like financial records or personally identifiable information.
- Windows Information Protection and BitLocker. Windows Information Protection (WIP) is there to help you prevent accidental data leaks through personal devices, personal email, social media, or other channels that are beyond your enterprise’s control. At the same time, BitLocker gives you another layer of protection via data encryption.
- Azure Information Protection. Azure Information Protection has been engineered to help you discover, classify, and protect sensitive documents and emails.
- Cloud App Security. Microsoft Cloud App Security connects with Microsoft and third-party cloud apps to deliver better control over data flows, better visibility, and advanced analytics to allow you to catch and neutralise threats.
Security management
Microsoft 365 Enterprise security management features help you assess the performance of your security measures. To this end, it offers two solutions:
- Microsoft Secure Score. The Secure Score assigns points based on how many recommended security features you’ve implemented, whether or not you perform security-related tasks, and whether you’ve configured proper security for third-party apps. This score gives your team solid insight into the state of your system.
- Security & Compliance Centre. The Security & Compliance Centre is a management tool that enables you to control your policies in one place and ensure compliance with them across your organisation.
Advanced compliance management
Microsoft 365 Enterprise offers tools for compliance management as well. These tools allow you to protect sensitive data, monitor compliance in your organisation, respond to regulatory requirements, and identify security risks.
Among the compliance and risk management solutions provided by Microsoft 365 Enterprise are:
- Advanced eDiscovery. Advanced eDiscovery allows you to preserve, collect, review, and analyse data that is relevant to internal and external investigations. This solution also allows legal teams to manage the entire legal hold notification workflow.
- Customer Lockbox. Customer Lockbox allows you to ensure that Microsoft cannot access protected content without your explicit approval.
- Service Encryption with Customer Key. Service Encryption with Customer Key works with BitLocker and Distributed Key Manager to ensure that content at rest is encrypted at the service layer. The service layer, if you didn’t know, mediates communication between an app (or process) and its data sources.
- Privileged Access Management. Among other things, Privileged Access Management allows you to reduce the risk of privileged account credentials being stolen and to isolate and re-establish control over a compromised environment by keeping groups with significant privileges in a separate bastion environment.
What Others Think of Microsoft 365 Security
The security of Microsoft 365 Enterprise has been reviewed in depth by many respectable sources, so you can find a large amount of information if you aren’t quite sure about its security capabilities.
The security reports we’ll have a look at below have investigated different aspects of Microsoft’s security platform, which together provide a more objective, well-rounded view of its capabilities.
Forrester Q1 Enterprise Detection and Response Report
In March 2020, Forrester published a report on enterprise detection and response platforms. Forrester named Microsoft as one of the leading providers of enterprise security and highly praised the following aspects of the company’s offering:
- Endpoint telemetry (which encompasses event monitoring, reporting, alerts, and data collection).
- Security analytics.
- Threat hunting.
- ATT&CK (adversarial tactics, techniques, and common knowledge) mapping. ATT&CK mapping allows organisations to define which defensive techniques should be applied based on the nature of the attack (e.g. exfiltration or data collection).
- Response capabilities.
- Planned enhancements.
MITRE Engenuity APT29 Evaluation
In the 2020 APT29 evaluations by MITRE Engenuity, the response of multiple security solution vendors to a simulated APT29 attack was measured. Also known as Cozy Bear, APT29 is a hacker group thought to be associated with Russian intelligence agencies. The group allegedly steals data from pharmaceutical and academic institutions.
The evaluation was designed to determine how each of the reviewed security platforms responded to the successive steps of the attack. MITRE Engenuity counted actions such as misses, alerts, telemetry detections, or Managed Security Service Provider (MSSP) requests.
Microsoft Threat Protection (MTP) performed excellently. According to Microsoft’s own analysis of the report, Microsoft was one of only three vendors that made no modifications to ensure security and had no delays during the test.
Aside from that, MTP had the fewest misses among the competing solutions. MTP also covered 95% of the techniques used during the APT29 simulation, putting the solution in the number 3 spot after the Trend Micro and SentinelOne platforms.
AV-Test Defender Antivirus Overview
The September/October 2020 AV-Test Product Review and Certification Report evaluated the capabilities of a number of endpoint protection products, among them Defender Antivirus. Defender Antivirus is part of Microsoft 365 security, as pointed out earlier.
Defender Antivirus achieved the following results:
- Protected against 100% of the newest (0-day) malware attacks (97.9% industry average). Remarkably, Defender Antivirus has had a 100% protection rate against 0-day attacks since April 2020. Before that, protection reached as low as 95.4% in March and 96.7% in January.
- Detected 100% of prevalent and widespread malware discovered within 4 weeks prior to testing (100% industry average).
When it comes to security, the capabilities of Defender Antivirus appear to be substantially better than the industry average. Not only that, but this security solution has shown dramatic and consistent improvement since early 2020.
Additionally, Defender Antivirus had no false detections of malware during a system scan, whereas the industry average was 12 (as of September and October 2020).
Defender Antivirus also has a remarkably low performance impact (for standard and high-end PCs respectively):
- Performance slowdown of 7% and 6% when launching popular websites (19% and 14% industry average).
- Download slowdown of 0% (for both standard and high-end PCs, 1% industry average).
- Application launch slowdown of 8% and 9% (13% and 11% industry average).
- Application installation slowdown of 27% and 20% (26% and 20% industry average).
- File copying slowdown of 1% for both standard and high-end devices (6% and 10% industry average).
Defender Antivirus negatively impacted application installation speed on standard PCs compared to its peers, but otherwise, its performance impact has been impressively low.
Netwrix Microsoft 365 Security Overview
Microsoft’s security solutions aren’t infallible, unfortunately. Netwrix, a California-based IT security software developer, highlighted the following security concerns about Microsoft 365:
- Unauthorised file sharing outside of an organisation. However, we should note that this can be prevented with careful security configuration. DLP (Data Loss Prevention) can be set up to keep sensitive information from being shared outside your enterprise. BitLocker encrypts data for an added layer of protection as well.
- Privilege configuration for individual business or country units can be tricky. Granular granting of admin rights to perform specific functions, e.g. resetting user passwords, is challenging as well.
- Global admin accounts can be devastating if they become compromised.
- Audit logs are disabled by default.
- Short log retention time – from 90 days to a year.
With that said, Netwrix points out that correct setup (e.g. enabling ATP Safe Links or Safe Attachments) and the use of third-party software can solve these issues.
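Two of the Netwrix concerns above (audit logs disabled by default, short retention) are things you can check from the Exchange Online PowerShell module rather than clicking through the admin centre. The script below is an added example, not code from the article or from Netwrix; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an audit-capable Exchange Online role, and that `admin@example.onmicrosoft.com` is a placeholder for your own admin account.

```powershell
# Added example: verify that unified audit logging is switched on in the tenant,
# enable it if it is not, and confirm that events are actually being recorded.
# Assumes the ExchangeOnlineManagement module; the UPN below is a placeholder.

Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName admin@example.onmicrosoft.com

$config = Get-AdminAuditLogConfig

if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF - enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # The change can take up to an hour to apply; re-run Get-AdminAuditLogConfig later to confirm.
} else {
    Write-Host "Unified audit log ingestion is already enabled."
}

# Confirm events are flowing by pulling the last week of directory (Azure AD) audit
# records and keeping only role-membership changes, which are the high-value ones
# for spotting an unexpected new global admin.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory -ResultSize 500 |
    Where-Object { $_.Operations -like 'Add member to role*' }

if ($events) {
    $events | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
} else {
    Write-Host "No role-membership changes recorded in the last 7 days."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Enabling ingestion only starts the log; retention is a separate setting. The default retention depends on the plan, and longer windows (for example twelve months) are configured with `New-UnifiedAuditLogRetentionPolicy` in Security & Compliance PowerShell (`Connect-IPPSSession`), which is the lever for the "90 days to a year" point above. A zero result from the search is not by itself proof that logging is broken: it can also mean no role changes happened in the window, so choose an operation you know occurred recently when validating.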
Microsoft 365 Enterprise Is Extremely Secure – If Implemented Right
During the early COVID-19 months, neglect of best practices led to millions of Microsoft business accounts being compromised.
According to Microsoft, enabling MFA would have prevented the vast majority of the breaches. Only 11% of enterprise users had MFA enabled!
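The 11% figure is a tenant-wide statistic; what a defender needs is the list of their own accounts that could not complete MFA today. The script below is an added example, not code from the article; it uses the Microsoft Graph PowerShell SDK to find enabled member accounts whose only registered authentication method is a password. It assumes the Microsoft.Graph modules are installed and that the signed-in account can consent to the `User.Read.All` and `UserAuthenticationMethod.Read.All` scopes.

```powershell
# Added example: report enabled member accounts that have no second factor registered.
# Assumes the Microsoft.Graph PowerShell SDK (Users and Identity.SignIns modules).

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Member accounts only; guests and service principals are out of scope for this check.
$users = Get-MgUser -All -Filter "userType eq 'Member'" -Property Id, UserPrincipalName, AccountEnabled |
         Where-Object { $_.AccountEnabled }

$passwordOnly = foreach ($u in $users) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    # Each registered method reports its concrete type in @odata.type; anything other
    # than the password method (authenticator app, FIDO2 key, phone, Windows Hello) counts
    # as a second factor for this report.
    $types  = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $strong = $types | Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }
    if (-not $strong) { $u.UserPrincipalName }
}

$total = $users.Count
$weak  = $passwordOnly.Count
$pct   = if ($total) { [math]::Round(100 * $weak / $total, 1) } else { 0 }

Write-Host ("{0} of {1} enabled member accounts ({2}%) have no second factor registered." -f $weak, $total, $pct)
$passwordOnly | Sort-Object | Out-File -FilePath .\users-without-mfa.txt

Disconnect-MgGraph
```

A registered second factor is not the same as an enforced one: enforcement comes from Conditional Access policies or security defaults, so pair this report with a review of those policies. Treat the output file as sensitive, since it is effectively a list of the accounts most exposed to password-only attacks.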
Out of the box, Microsoft 365 Enterprise Security offers great protection against advanced threats, but it requires careful configuration and perhaps third-party solutions to cover some drawbacks.
Still, if you want little to no fuss and flawless integration with your Microsoft workflow, Microsoft 365 Enterprise Security is likely the right solution. It deserves the accolades, and it’s hard for us to find too much to fault considering the value the Microsoft 365 stack offers.