Microsoft 365 helps create a secure modern workplace
Microsoft Inside Track blog, published 2018-11-30 (last modified 2023-06-15)
https://www.microsoft.com/insidetrack/blog/microsoft-365-helps-create-a-secure-modern-workplace/

Note: This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.

The significant increase in mobile data usage, cloud adoption, digitization, and personal devices in the enterprise brings new opportunities and security risks. Microsoft uses many Microsoft 365 security technologies to help ensure a productive and secure environment for the company and our customers. Together, these Microsoft 365 security tools enable us to strengthen authentication, employ conditional access, better protect data, and automate threat protection—all while streamlining our security management through a tightly integrated set of tools.

Enterprises in today’s digital world are onboarding more devices and creating, using, and storing more data in cloud-based services than ever. While this shift to the digital realm brings unprecedented opportunities to the business—allowing employees to be more productive—it also carries security risks if not done properly. Cyberthreats are increasing in sophistication, which requires organizations—including Microsoft—to place greater focus on digital security.

At Microsoft, we’re constantly exploring new technologies and processes to help ensure we have the most productive and secure environment for the company and for our customers and partners. Like many large enterprises, we need to ensure that we are implementing security controls that keep pace with the significant increase we’re seeing in mobile data usage, cloud adoption, digitization, and Bring Your Own Devices (BYODs).

This technical case study describes the multifaceted approach that Microsoft is taking to create a secure modern workplace. The key is Microsoft 365, our solution of integrated and intelligent components that includes Office 365, Windows 10, and Enterprise Mobility + Security. We’re using Microsoft 365 to enhance digital security in the following four areas:

We explore how Microsoft Digital is addressing each of these areas in the following sections.

Our approach to security

The Microsoft security team implements Microsoft 365 security technologies to help secure the Microsoft enterprise.

Figure 1 below illustrates the array of security components that are available to enterprise Microsoft 365 subscribers. Although we use many of the technologies listed in the wheel, the larger slices are the focus for this case study. For each security area, we describe some of the challenges and concerns we have had and how we’re implementing specific Microsoft 365 technologies to address those issues, and we highlight the benefits we’re gaining by adopting these technologies.

Emphasizing identity-based protection

As organizations continue to move applications and data to cloud services, the effectiveness of the network boundary as a security control is diminished. Today, identity authentication and authorization have become the primary security control. The verification we used to perform when someone connected to the network must now be done when the user authenticates to a corporate app or service, regardless of the user’s location, network, or device.

In this section, we discuss the challenges and concerns that we’ve had with shifting our authentication strategy to identity protection, and then illustrate how we’re using Microsoft 365 technologies with two-factor authentication and Microsoft Windows Hello to address those issues.

Eliminating passwords and improving productivity with Windows Hello

We’ve been working to eliminate passwords for users who can use alternative authentication methods such as two-factor authentication and Windows Hello. Why is password-based protection such a concern? From a security perspective, attackers are becoming more sophisticated and successful at compromising users’ password-based credentials, primarily through phishing attacks. Industry analysts indicate that 90% of security breaches start from a successful phishing campaign. In addition, the high number of passwords required for daily Internet usage results in a 24% password reuse rate—meaning that one compromised password can provide access to multiple resources.

Windows Hello is one of the key technologies we’ve employed to not only move away from password-based protection but also boost employee productivity. This technology improves identity protection and enables our employees to save time through single sign-on. Windows Hello biometrics and other non-password-based authentication features free employees from having to manage an unwieldy array of passwords. Moreover, Windows Hello utilizes two-factor authentication to generate a strong credential that’s safely stored locally on the PC or device; unlike with passwords, nothing is transmitted across the network.

Expanding two-factor authentication options with Microsoft Authenticator

The transition away from a perimeter mindset requires new methods to ensure that people use strong authentication mechanisms. Microsoft Authenticator is a phone-based authentication tool in Microsoft 365 that we have implemented to increase our employees’ authentication options.

Available on Windows, Android, and iOS devices, Microsoft Authenticator allows employees running non-Windows and Windows systems alike to enroll their devices so that they can reach corporate resources securely. For example, a person working on a Mac OS system could use Microsoft Authenticator on a Windows, Android, or iOS device as their second authentication factor.

Employing conditional access with Azure Active Directory and Microsoft Intune

As BYOD becomes more prevalent, organizations incur the risk that personal devices might bring security vulnerabilities and exploits with them when employees and other users connect to the cloud. When devices aren’t patched with updated antivirus signatures, they might be running malware that can infect the network at the first opportunity.

Our approach to ensuring device health at Microsoft is to utilize Azure Active Directory (Azure AD) in tandem with Microsoft Intune to implement conditional access. Users enroll their devices with Intune (the unified endpoint management solution in Microsoft 365), which applies appropriate policies to ensure that the device is encrypted by using a strong password, is malware free, and is up to date and running the latest security patches. When the user needs to use the device to access a cloud-based corporate resource, Intune communicates the device’s health compliance status to Azure AD as it processes the user’s authentication.

Conditional access enables Microsoft to require a device health certificate when access is requested to company data or applications. This approach helps ensure that access to company data or applications is only granted after Microsoft validates device health and compliance status, in addition to authorized user credentials. By doing so, we prevent compromised or potentially risky systems from gaining access to other devices or company services and spreading viruses or unknowingly granting access to attackers.

This automated approach to ensuring healthy devices has greatly simplified and streamlined our device and identity protection processes. We’re also taking advantage of additional features in Azure AD that enable us to be more proactive with security responses, such as blocking a user ID whose credentials are likely compromised. With devices running Windows 10, we can detect cases where the full system has been compromised—something difficult to detect on earlier versions or third-party platforms.

From a cultural perspective, some employees were concerned about privacy and about allowing Microsoft Digital to apply policies to personal devices. This highlighted the need to provide education and awareness training on why this is a critical aspect of helping protect our people, devices, and data.

Identity-based protection guidelines

Protecting information wherever it goes

At Microsoft, data is the currency of our business. We recognize the critical importance of protecting our data and our customers’ data wherever it resides, all the time. As with many enterprises, the sheer amount of data can make data protection appear to be an insurmountable challenge. In this section, we discuss the challenges and concerns we’ve encountered with information protection, and then illustrate how we’re using Microsoft 365 technologies to address those issues.

Detecting and monitoring sensitive data with Office 365 Data Loss Prevention

Microsoft maintains the world’s largest Office 365 tenant for our employees, and it encompasses multiple petabytes of data, with an additional 350 terabytes of data residing in on-premises systems. The enormous amount of data across this hybrid environment presents a huge challenge for data discovery and protection.

Previously, we relied on a combination of third-party products to try to identify and track sensitive data. Those solutions burdened our security administrators with navigating multiple interfaces and screens, and the different systems frequently produced inconsistent findings. Without a good understanding of the nature of the data, how could we determine the sensitivity of the information in each document? How was the sensitive data being stored? Who was accessing it? Where was it going?

We needed to implement a new, holistic data discovery and protection solution that could seamlessly protect data for Microsoft and our customers, partners, and suppliers. Additionally, the proper protection methods—encryption, permissions, or both—needed to be applied instantly.

Office 365 Data Loss Prevention (DLP) is the tool within Microsoft 365 that we chose for our holistic data protection solution. Instead of having to create multiple classifications in each separate third-party system, classifications in Office 365 DLP can be used everywhere in the cloud—in SharePoint Online, OneDrive for Business, Teams, and more. We can even use the same classifications in our on-premises environment via the Azure Information Protection scanner, another technology available in Microsoft 365. This not only helps secure our data better but also increases our security administrators’ productivity by presenting a single integrated interface.

Office 365 DLP gives us insight into the types of content that are stored, where each data item resides, and how people use and share the data. This information is critical to improving our business practices—for example, we can now identify when sensitive information is being transmitted via insecure email attachments. Our Data Loss Prevention team can immediately notify and raise awareness within the affected department, and then continue monitoring to confirm that the appropriate changes to daily practices that enhance data security have been adopted.

Simplifying and automating data classification with Azure Information Protection

Another key aspect of data protection is establishing a data classification system that detection and monitoring technologies can utilize to determine how a given file should be treated, based on the sensitivity of its content. Classification at Microsoft has traditionally been a manual process in which we relied on each employee to correctly label and classify their own work. With many people interpreting our classification system differently, we saw inconsistencies in labeling, misclassification, or no classification at all.

At Microsoft, we needed to ensure that all documents within the enterprise are properly and consistently classified and labeled—and we needed to automatically tag data as much as possible. One important change we made to improve our data classification was to update our classification taxonomy. We worked with representative stakeholders from numerous departments to achieve consensus on what terminology should be used and what terminology all employees would likely understand and adopt. In addition, we’re implementing unified labels to help us integrate labeling across multiple apps and platforms.

We deployed Azure Information Protection across the enterprise to classify and label employee data. Azure Information Protection is a Microsoft Office 365 plug-in. It is implemented and available within the apps that our employees already use. Word, Excel, and other Office 365 productivity tools feature a new toolbar that visually reminds people to label and protect each document.

We’re seeing Azure Information Protection boost employee productivity by automatically classifying sensitive information and recommending appropriate labels based on the types of data being entered. Additionally, our Data Loss Prevention team benefits from Azure Information Protection by utilizing the labels and document properties that Azure Information Protection places in each file to gauge how sensitive content is used and how it’s shared across the enterprise.

Information protection guidelines

Detecting and responding to attacks more quickly

There are two main areas of threat protection and response: managing events that raise alerts, and using analytics to gain visibility into the underlying data. In this section, we discuss the challenges and concerns we’ve encountered with both of these aspects of threat protection, and then illustrate how we’re using Microsoft 365 technologies to address them.

Automating threat protection with Windows Defender Advanced Threat Protection

It’s becoming all too common to learn that another large enterprise has been victimized by a hacker and that sensitive data has been accessed. The prevalence and scale of these attacks mandate better protection of internal data and customer data—and the ability to respond swiftly to attacks as soon as they occur.

Technologies such as antivirus and antimalware programs are still an important tool, but as attacks increase in complexity, protecting an enterprise from digital security threats requires a more complete toolkit. Although next-generation antivirus solutions like Windows Defender ATP can block clearly malicious PowerShell scripts, such solutions are not designed to block or alert on anomalous or potentially suspicious behaviors. Such a solution might or might not notice that a process has been injected, or that someone accessed passwords by using routine system commands that are available to the operating system. So how can your security operations personnel (SecOps) notice these things—how do you notice a single process doing something suspicious to the system? And how do you scale that capability to support the hundreds of thousands of devices that are part of an enterprise?

At Microsoft, a key technology that we use to protect employees’ systems is Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP is a unified Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) suite for Windows and third-party platforms that brings intelligence to preventative and post-breach protection. Its ability to learn, grow, and adapt through machine learning is enabling our security teams to become more proactive with threat response.

Windows Defender ATP performs automated investigation and response, automatically picking alerts out of the queue and then investigating them. It incriminates all entities related to an identified threat, and then remediates the issue. If Windows Defender ATP identifies that malicious code has been injected into a process, it sends an alert to the Windows Defender Security Center web console. Windows Defender ATP delivers instant, detailed visibility into what’s going on in the system or over the network, providing context about the nature of the event. We use Windows Defender ATP to look at the compromised system, examine incidents, and then work back to see where they came from. The depth of the data that the technology provides increases the speed of our response to the threat at the exact moment when time is of the essence—which can be the difference between quarantining malware or blocking an intrusion immediately rather than giving it the opportunity to spread across the enterprise.

Protecting email from phishing attacks with Office 365 Advanced Threat Protection

One of the most frequent vectors that malware takes into an organization is phishing, in which employees inadvertently reveal sensitive information such as usernames, passwords, or credit card details to a hacker who sends an electronic communication (most commonly email) while masquerading as a trustworthy entity.

At Microsoft, we chose Office 365 Advanced Threat Protection (Office 365 ATP) to programmatically address phishing and other email-based malware. Part of the Microsoft 365 suite of technologies, Office 365 ATP does much more than filter spam into the junk mailbox; it allows us to review a suspect email’s header, determine who received it, find out whether the recipient clicked any links within the message, and determine whether the message was forwarded to others. We can then either send the message to the junk folder or delete it. Essentially, Office 365 ATP enables us to qualify the severity of the message’s malware and act accordingly.

Gaining synergy with Office 365 ATP and Windows Defender ATP

The largest benefit we’re seeing, however, is the synergistic effect of combining Office 365 ATP with Windows Defender ATP. The tight integration of these technologies means that we can move seamlessly back and forth between them during investigations, which significantly improves our overall malware remediation capabilities while simultaneously reducing our response time.

For example, if we receive a report of a phishing incident, we can use Office 365 ATP to both examine an email’s header and determine what actions any users have taken within the email (such as clicking links or forwarding the message). With the click of a button, we can then connect into Windows Defender ATP for the same user who received the email to determine whether the malware wrote a file to the device or led to a network connection to another site.

The synergy between these products enables our team to respond to alerts much more quickly. Instead of sending emails or calling people who might have been impacted by the malware, we now have a greatly simplified means of analyzing a phishing event, determining precisely what happened, and immediately beginning remediation. In this same scenario, we can use Office 365 ATP and Windows Defender ATP to determine, for example, that 60 people received the message, five people opened it, and two people now have malware on their systems. We can delete the phishing message right from the Office 365 ATP console to ensure that people who haven’t seen it never open it. We can then move straight to the users’ infected systems in Windows Defender ATP to quarantine and remove the malware from those systems—all without disrupting the employees’ productivity.

These integrated technologies also work from the opposite direction as the situation merits. If, for example, an alert is first raised in Windows Defender ATP, we can start our investigation by examining the system that generated the alert, determine how any malware got onto the system, and identify the email it came from. Then we can search for instances of that same email file on other systems, and quarantine and repair all infected systems. Next, we can link back to Office 365 ATP to get a broader picture of how many users received the message and the scope of the phishing attack, and then delete the message from any inboxes where it hasn’t been opened.

Using these tools has reduced our response times dramatically. No matter which investigation direction we take—phishing to system, or system to phishing—Office 365 ATP and Windows Defender ATP together give us all the details we need to properly analyze and respond within minutes. This is a significant improvement over processes that previously could take days or weeks to find and respond to the suspicious activity. Having the right information available at our fingertips enables us to respond immediately. We no longer have to contact the owners of the affected systems and then wait for them to respond before we start remediation. Furthermore, our analysts can spend more time investigating true threats instead of sifting through insurmountable mounds of log files in search of suspicious activity.

Threat detection and response guidelines

Building intelligent security management

One of the major security challenges that enterprises face is understanding threats in the context of the organization—and what sort of risk each threat poses. Security teams must be able to work with alerts from multiple siloed products to build a coherent picture of their security landscape. In this section, we illustrate how we’re customizing the Microsoft Graph Security API to bring together all our digital security inputs—both Microsoft and third-party solutions—into a single dashboard, and how we’re promoting intelligent security management by supporting the organizational context.

Bringing security management under one dashboard

Large enterprises commonly use an assemblage of different security products to better protect their infrastructure. Moreover, each product has its own portal, data model, schema, and API. At Microsoft, this combination of Microsoft and third-party products has traditionally been an obstacle to building a holistic view of our security landscape. Although we’ve been using our Intelligent Security Graph to synthesize the threat intelligence and security signals from our Microsoft products, the third-party security tools we used provided no standardized means of integration.

Until recently, we’ve either had to spend significant development resources to custom-code and maintain an interface, or rely on our security analysts to manage without any integration. In the latter case, moving back and forth between the Microsoft and third-party portals made it much more challenging to obtain complete situational awareness. We needed a means to extend our reach into third-party security tools and display their information side by side with our Microsoft technologies.