In the previous article, which is aimed at smaller businesses, we discussed the transition to Office 365 cloud services, secure access and device management.
Microsoft 365 and security: what tools does it offer?
In this article, we will discuss the most well-known tools that Microsoft uses for security and protection.
Microsoft calls its entire security suite Advanced Threat Protection (ATP); it includes dozens of smaller and larger security tools. In this article we therefore discuss only the most important ones.
Microsoft Defender for O365
A basic security tool used to protect file-sharing applications such as Outlook, Teams and SharePoint. The tool includes the Microsoft Safe Attachments feature, which automatically checks all files (attachments), whether they come from outside or internally from colleagues.
In practice, an automatic check is performed on every file sent or received. If the tool detects that the file is infected, it will remove it immediately. It then checks to see if other users have also received this file. If so, it will block access to the attachment and quarantine it.
Microsoft Safe Links works on a similar principle. When a user receives a link to a file, O365 checks the link and, if it assesses that the link leads to malicious code, blocks it, preventing an attack on the network. Microsoft 365 ATP also includes anti-phishing and anti-malware protection.
Windows Defender Advanced Threat Protection
This tool protects endpoint devices on which an attacker could execute malicious code. The tool includes Windows Defender SmartScreen, which can prevent access to a dangerous website or block a file download.
Endpoint Protection is used to protect your device if a malicious file has already entered it. If a user or attacker wants to execute an infected file, Endpoint Protection will check the file and block the execution if it detects malicious code.
Endpoint Detection and Response handles situations where a malicious file or application has already started. The tool analyzes the behavior of the file or application, evaluates its danger, takes defined actions and passes the information to other end devices in the company. It uses, among other things, machine learning directly in the Microsoft cloud. Microsoft collects information from all devices registered in Microsoft 365, evaluates the data and can warn other users in time.
What does it look like in practice? The user downloads the file they want to open. The device sends information to the Microsoft cloud, which immediately verifies whether the file or application is malicious code. If Microsoft does not know the code, it informs the device that the code is unknown. The device then performs basic tests using machine learning at the local level and simultaneously sends the code sample to the Microsoft cloud, where it is further examined and tested.
If everything looks OK, the system allows the application to run. The whole process takes seconds; the user does not even know what is happening on their device. However, Microsoft continues to analyse the file, and if it later determines that the file is risky, it informs the device about a possible attack, blocks and isolates the file, and sends an alert to all devices in the company.
Azure Advanced Threat Protection (Azure ATP)
Also called Microsoft Defender for Identity, it can prevent or counter attacks on an internal network if an attacker has already entered the network. This tool profiles users and where they communicate from, or differentiates their permissions to access the internal network. If it detects that a user’s device is making an excessive number of requests, including, for example, requests under a different identity to the domain controller, it will evaluate this behavior as an attempt to crack the password and gain higher privileges.
In practice, an Azure ATP sensor, installed on a domain controller or as a stand-alone solution, collects all the information that comes into the domain controller. By analyzing network traffic, you can see from where and which user is requesting access to a specific application, or requesting access on behalf of another user. This information is used to profile users, including a model of their usual behaviour.
IP Resolution creates a map of devices, including their IP addresses and functions, based on Azure ATP data. You can take advantage of this if, for example, an attacker sends a request to replicate data to a domain controller from the IP address of a personal computer – replication commands are exchanged only between domain controllers and never come from end stations. The system will therefore assess such behaviour as risky and take appropriate action in a timely manner.
All Azure ATP sensor data is processed in the Microsoft cloud and only within your organization. With data processing in the cloud, almost unlimited power is available for analyzing the collected data. The result is real-time processing and reporting of potential threats.
One more example from practice. If the endpoint device on which one user is working starts generating failed authentication requests for other users, the system again evaluates this as an attempt to guess the passwords of other users and a possible attack.
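The two behaviours described above (a replication request coming from an address that is not a domain controller, and a burst of failed logons for many different accounts from a single endpoint) expressed as simplified detection logic over constructed sample events. This is an added example, not Azure ATP's own code; the event format, the domain controller addresses and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Each event is a tuple:
# (source_ip, account, operation, success)
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}  # assumed domain controller addresses

SAMPLE_EVENTS = [
    ("10.0.0.11", "DC02$", "DRS_REPLICATE", True),   # DC-to-DC replication: normal
    ("10.0.5.23", "alice", "DRS_REPLICATE", True),   # replication from a workstation: suspicious
    ("10.0.5.40", "bob",   "LOGON", False),
    ("10.0.5.40", "carol", "LOGON", False),
    ("10.0.5.40", "dave",  "LOGON", False),
    ("10.0.5.40", "erin",  "LOGON", False),          # one host, four accounts failing: guessing
    ("10.0.5.41", "frank", "LOGON", False),
    ("10.0.5.41", "frank", "LOGON", True),           # one typo then success: normal
]


def replication_from_non_dc(events, known_dcs=KNOWN_DCS):
    """Return the source IPs that issued replication requests but are not known DCs.

    Replication traffic is only expected between domain controllers, so any
    other source is reported.
    """
    return sorted({ip for ip, _acct, op, _ok in events
                   if op == "DRS_REPLICATE" and ip not in known_dcs})


def password_guessing_hosts(events, min_accounts=3):
    """Return hosts with failed logons for at least min_accounts distinct accounts.

    A single user mistyping their own password fails for one account; a host
    failing for many different accounts looks like password guessing.
    """
    failed = defaultdict(set)
    for ip, acct, op, ok in events:
        if op == "LOGON" and not ok:
            failed[ip].add(acct)
    return {ip: sorted(accts) for ip, accts in failed.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    print("replication from non-DC:", replication_from_non_dc(SAMPLE_EVENTS))
    print("password guessing hosts:", password_guessing_hosts(SAMPLE_EVENTS))
```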
In addition, you can connect Azure ATP to Windows Defender ATP to get a comprehensive view of a potential attack across the timeline.
Microsoft Cloud App Security
This tool protects other cloud services. It analyses network communications by installing a probe on a firewall or proxy server to detect so-called shadow IT, that is, whether users are using apps that the company's IT does not control, or whether they are sharing data in an unofficial way, such as through Dropbox.
If it finds such an app “in the shadows”, it will allow you to see its rating in the Microsoft cloud App Catalog, which lists approximately 15,000 apps. You can then block the app based on the rating.
The tool can also evaluate abnormal user behavior, such as downloading large amounts of files to a local computer from cloud storage. In this case, you can cut the user off and block their access. It also helps with ransomware protection.
Azure Privileged Identity Management (Azure AD PIM)
Use this tool to set user permissions for access to the corporate network. In particular, it prevents attacks on users with the highest privileges, thereby preventing an attacker from obtaining the highest privileges of the global administrator.
Azure AD PIM can also add permissions just in time. Each user has standard permissions, and only when they need higher permissions do they request them. After a specified period of time, their permissions revert to those of a standard user. Multifactor authentication or approval by another user can also be required when assigning roles and permissions.
Microsoft Identity Protection is also related to identity protection. This tool assesses the risk of users logging into Microsoft 365. For example, if they are logging in from an anonymised network, at a non-standard time or from a non-standard place, or from an IP address from which infected computers normally communicate, the login is blocked or an additional authentication factor is required.
The list of security applications is not exhaustive; it only outlines the options you have when deploying Microsoft 365. Due to the robustness and complexity of the tools, we recommend deploying Microsoft 365 with a certified partner. In the Czech Republic, this is for example the Brno-based company System4u, which as a Microsoft Gold Partner has extensive experience with this topic.