THE GREEK PHILOSOPHER Heraclitus said, “The only constant in life is change.”
Flying to my first ASCII event of 2021, I am considering much of what has changed this past year. Writing this on an airline tray feels like a slow return to normal. Wearing my KN95 mask feels a bit less so. In many ways, what has changed the most is the ubiquity of our new Microsoft 365-centric workforce and the high-profile target it has become. This has been the biggest impact we have felt from the plague year, which many of us will look back upon with “2020 vision.”
Now in 2021, with its new reality of distributed work, even our most premise-centric clients are really engaging with M365, including OneDrive, SharePoint, Teams, and more. This reality has brought a great shift in focus by miscreants of the web, especially the “more professional” bad actors. M365 has become the target of choice, with impersonation, admin hijacks, and other compromises the wave of the future. M365 has effectively become a new “endpoint” and must be protected just as you protect your desktops and laptops.
While calling M365 an endpoint may sound like a stretch, it is susceptible to compromise, hijack, and data loss—just like a traditional endpoint. That means we must armor M365 as we would any endpoint. Even though nearly every mailbox today is protected by anti-spam software, whether M365 native or third-party products like Mailprotector, Proofpoint, or others, most of those products fall short when it comes to targeted attacks like spear phishing. That’s why so many of us also layer anti-phishing products such as those from Avanan or others and engage a security operations center (SOC) to monitor M365 logs. We bundle complete, frequent backups with every M365 seat as well, as so much data lives there now.
Mail Filtering and Anti-Phishing
Until just last year, I was convinced that mail filtering alone was sufficient to stop both “traditional” spam and email-borne malware attempts, including just about any sort of phishing attempt. And then I came a few keystrokes away from falling for a particularly well-crafted spear-phishing attempt that employed impersonation and some data that had most likely been culled from a colleague’s social media posting(s). I realized that dedicated anti-phishing was the only answer. To be effective, an anti-phishing solution must do more than scan mail headers; it must deal effectively with impersonation, verify links are safe, and more. That is quite a tall order and one that we have now filled with Avanan, provided through Solutions Granted.
The next step is to attach active monitoring and alerting to your M365 endpoints, much like the endpoint detection and response (EDR) protection for your traditional endpoints. There are many clearly malicious actions that can easily be flagged here. For example, logins to the same mailbox from geographically disparate locations close in time (aka “impossible logins”) are a red flag. But the creation of global admins, rules that copy or redirect messages to outside addresses, and lateral movement within M365 (to SharePoint, for example), should be noted and alerted as well. And of course, any actions that clear logs are also highly suspect. Having a live set of eyes on your M365 endpoints is critical, and here again, we chose to work with Solutions Granted.
As we began our transition from premise to hosted solutions such as M365, one of my first concerns was how we were going to back up all this newly “clouded” data. As a traditional MSP, we had developed significant expertise with managing Exchange servers but had always struggled with SharePoint backup, not to mention identifying and securing remote storage. The good news here is that this is far easier in M365, as all this data is effectively in one place. We shopped the market across several vendors and ended up working with Vault America to deploy Dropsuite. It provides frequent data snapshots that cover all the backup bases (OneDrive, Outlook, SharePoint, and Teams), and allows for genuinely easy, highly granular restores.
Some of you may note that we are weaving together offerings from several different vendors and adding significant costs to our M365 delivery. You might also argue that you can replicate a lot of this by delivering more advanced versions of M365 with advanced threat protection and email archiving, for example. Those are valid points and worth considering. But I would point out that our stack is just three vendors (Microsoft, Solutions Granted, and Vault America) and costs me under $6 per M365 “endpoint” in total, far less than moving “up stack” in M365. This means you can deliver all of this with M365 Business Standard at $20 or so per mailbox or price the bundle at $10 and attach it to any version of M365. While you do have more to manage, I have found the functionality of third-party options to be superior.