Microsoft 365 Security and Compliance for Administrators

By: Sasha Kranjac, Omar Kudović

Overview of this book

In today's hostile cyber landscape, securing data and complying with regulations is paramount for individuals, businesses, and organizations alike. Learn how Microsoft 365 Security and Compliance offers powerful tools to protect sensitive data and defend against evolving cyber threats with this comprehensive guide for administrators. Starting with an introduction to Microsoft 365 plans and essential compliance and security features, this book delves into the role of Azure Active Directory in Microsoft 365, laying the groundwork for a robust security framework. You’ll then advance to exploring the complete range of Microsoft 365 Defender security products, their coverage, and unique protection services to combat evolving threats. From threat mitigation strategies to governance and compliance best practices, you’ll gain invaluable insights into classifying and protecting data while mastering crucial data lifecycle capabilities in Microsoft 365. By the end of this book, you’ll be able to elevate the security and compliance posture of your organization significantly.
Table of Contents (17 chapters)

  • Part 1: Introduction to Microsoft 365
  • Part 2: Microsoft 365 Security
  • Part 3: Microsoft 365 Governance and Compliance
  • Chapter 10: Microsoft Purview Information Protection
  • Index

Introduction to Microsoft 365 security

Microsoft 365 is a comprehensive service that spans diverse productivity, collaboration, and communication areas, along with a wide range of identities, devices, and data, all of which need equally comprehensive and diverse protection against malicious actors and increasingly sophisticated attacks. A service that spans so many endpoints, identities, and applications cannot be protected by one product; it requires multiple specialized products and solutions.

Moreover, all these products and components need to communicate and exchange information and signals to provide complete protection across all protected points.

Microsoft 365 Defender is an integrated enterprise collection of solutions and products that provides protection across all of these areas by assessing threat signals from multiple sources or products:

  • Microsoft Defender for Office 365
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender Vulnerability Management
  • Microsoft Entra ID Protection
  • Microsoft Data Loss Prevention
  • Application Governance

Most Microsoft 365 security products and features are managed from one place: the Microsoft 365 Defender portal, available at https://security.microsoft.com. Other security-related products have their own homes, but this portal is increasingly becoming the go-to place for managing and overseeing security in a unified way. For example, Microsoft Defender for Cloud Apps is transitioning from its dedicated portal to the unified Microsoft 365 Defender portal. Other products, such as the Entra family, have their own dedicated portals. The following figure is a screenshot of the Microsoft 365 Defender portal, showing some of the dashboards and menu options available:

Figure 1.1 – Microsoft 365 Defender Portal

Microsoft Defender for Office 365 provides protection to email messages, links (URLs), and attachments across collaboration tools such as Teams, Outlook, and SharePoint. Some important protection features include the following:

  • Threat protection policies: Define policies that establish a suitable level of protection for your organization.
  • Reports: Monitor the performance of Microsoft Defender for Office 365 in real time.
  • Threat investigation and response capabilities: Use advanced tools to investigate, understand, simulate, and proactively prevent threats.
  • Automated investigation and response (AIR) capabilities: Save time and resources when investigating and mitigating threats.

Microsoft Defender for Office 365 is available in two plans. Microsoft Defender for Office 365 Plan 1 includes the following features:

  • Safe Attachments: This checks email attachments and provides protection against malicious content
  • Safe Links: This proactively scans for malicious links in messages and documents, allowing safe links, but blocking malicious links
  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: This identifies and blocks malicious files in team sites and document libraries
  • Anti-phishing protection: This detects and protects against user impersonation attempts
  • Real-time detections: This monitoring capability includes a real-time report that allows you to identify, analyze, and prioritize threats

In addition to all the essential protection features in Plan 1, Microsoft Defender for Office 365 Plan 2 introduces more protection tools:

  • Threat Trackers: This provides intelligence on cybersecurity issues that allows you to take proactive, timely countermeasures before threats occur.
  • Threat Explorer: This is a real-time report that allows users to identify and analyze recent threats.
  • AIR: This enables users to initiate automated investigation processes in response to existing, recognized threats. By automating specific investigation tasks, security operations teams can enhance their efficiency and effectiveness. Remedial actions, such as deleting malicious email messages, can be completed upon approval from a security operations team.
  • Attack simulation training: This enables the execution of authentic attack scenarios within your organization to identify vulnerabilities. These simulations assess the effectiveness of your security policies and practices while also providing training opportunities for security professionals.
  • Advanced hunting: This is a Kusto Query Language (KQL)-based threat hunting tool for proactively hunting for threats.
  • Microsoft 365 Defender integration: This efficiently detects, examines, and responds to incidents and alerts.

Microsoft Defender for Endpoint provides an endpoint platform for threat protection, detection, prevention, automated investigation, and response. The Microsoft Defender for Endpoint P1 Plan includes the following features:

  • Unified security tools and centralized management
  • Next-generation antimalware
  • Attack surface reduction rules
  • Device control (such as USB)
  • Endpoint firewall
  • Network protection
  • Web control / category-based URL blocking
  • Device-based Conditional Access
  • Controlled folder access
  • APIs, SIEM connector, custom threat intelligence
  • Application control

The Microsoft Defender for Endpoint P2 Plan contains all the capabilities in Plan 1, plus these features:

  • Endpoint detection and response
  • Automated investigation and remediation
  • Threat and vulnerability management
  • Threat intelligence (threat analytics)
  • Sandbox (deep analysis)
  • Microsoft Defender Experts

Microsoft Defender for Identity protects on-premises identities using cloud-based intelligence. It monitors and analyzes user behavior and activities to create a baseline for a user, and identifies suspicious identity-related activities, which helps prevent attacks.

Microsoft Defender for Cloud Apps is a cloud access security broker (CASB), a SaaS cloud application protection solution that performs cloud app discovery, discovers and controls the use of shadow IT, protects against anomalous behavior across cloud apps, and assesses cloud apps’ compliance.

Microsoft Defender Vulnerability Management is a solution that identifies, assesses, remediates, and tracks vulnerabilities across critical assets in three main ways:

  • Continuous asset discovery and monitoring: This includes the following features:
    • Security baselines assessment
    • Visibility into software and vulnerabilities
    • Network share assessment
    • Authenticated scan for Windows
    • Threat analytics and event timelines
    • Browser extensions assessment
    • Digital certificates assessment
    • Hardware and firmware assessment
  • Risk-based intelligent prioritization: This emphasizes the following points:
    • Focusing on emerging threats
    • Pinpointing active breaches
    • Protecting high-value assets
  • Remediation and tracking: This consists of the following actions:
    • Remediation requests sent to IT
    • Block vulnerable applications
    • Alternate mitigations
    • Real-time remediation status

Microsoft Entra ID Protection examines and assesses trillions of signals gathered daily from Microsoft Entra ID, Microsoft accounts, and Xbox to detect and remediate identity-based risks, ultimately securing access through policy enforcement.

Application Governance is a Defender for Cloud Apps governance add-on feature that enables you to get visibility into how OAuth-enabled applications and their users handle sensitive data in Microsoft 365.

We have briefly described the main Microsoft 365 security features and products, mainly the ones that we will talk about more deeply and thoroughly in the next chapters. Now is the time to briefly look at Microsoft 365 compliance products and capabilities, primarily the ones that we will discuss in this book.
