Sep 02 2018 08:41 AM - last edited on Nov 30 2021 02:10 PM by Allen
I was involved in big implementation to Azure ATP, Office 365 and Windows ATP in large enterprise with thousands of users and across 60+ countries across the globe.
I also providing consulting to many enterprises when it comes to cloud security.
I noticed that organizations and businesses do not get the big picture when it comes to all security features available in Azure and Microsoft 365, with all new updates and zero trust network approach.
There are just a lot of services and it is hard to understand how to build and re-imagine a new defense in depth strategy for organizations moving to the cloud.
So, I put this blog post and video, illustrating and showing how to think of security in modern workplace utilizing all security features in Azure AD, Office 365 and EMS E5.
I do not want to sounds like marketing post to my blog post, but I would love to share my thoughts and engage in conversation with the community about this subject.
Please tell me if this makes sense, and let me know if you have further questions.
Sep 05 2018 05:02 PM
I thought it was well written and well intentioned. In fact, I wish I wrote it! Very well done.
There are dozens of things I could compliment you on, but for the purpose of cutting right to some suggestions for improvement (since you asked for feedback), I would suggest these:
1. The statement that "Azure ATP is a threat protection for identities." I suggest adding "on-premises" in front of "identities" because the small businesses that buy M365 E5 and have no on-premises AD are not good candidates for Azure ATP, in fact, they can't use it at all, because Azure ATP is 100% dependent up on on-premises domain controllers and can only detect attacks in on-premises AD. These users should instead of Cloud App Security, which can be used to detect compromised identities in nearly the same way that Azure ATP does for on-premises identities. Therefore, I recommend emphasizing the "on-premises" exclusive focus of Azure ATP when you describe this solution. And be sure that when you describe Cloud App Security, that you do not limit it to just the Application layer security or discovering Shadow IT, be sure to mention that it also has nearly the same (or sometimes better!) identity detection features as Azure ATP.
2. I recommend mentioning that Spoof Intelligence is limited to a maximum of 60 users, as the way it is written now makes it seem as if it protects all users, whereas it was only designed to protect the top officers in "CEO Fraud" or more commonly described today as "Business Email Fraud."
3. When you discuss the benefits and pros of Office ATP, I think it is important to discuss some of the things it cannot do, so that prospective customers go in with eyes wide open. For example, it is unable to scan hyperlinks in PDF documents, and it also cannot scan encrypted or password protected zip files - those get passed through unblocked unless you create an Exchange transport rule to block those.
4. I recommend placing greater emphasis on MFA in general, because attacks usually start with compromised identities. And so if organizations had MFA to begin with, then the spoofed emails containing hyperlinks would be as big of a concern, because if that email gets the user to provide their username and password, the attacker still can't logon. In other words, a failure in ATP can be overcome by an identity protected with MFA.
5. You mentioned the Azure Identity Protection service in passing, but I think it deserves greater justice, because it detects and blocks, TOR web browsers, Impossible Travel, Leaked Credentials, and botnet infected devices. Many of these features (and more) are uniquely why I recommend Azure AD P2 (EMS E5) or M365 E5.
Otherwise a fantastic article and contribution to the community. I could have listed 100 things I loved about the article, but I hope you instead found value in these small 5 items.
Sep 06 2018 11:08 AM
Thanks for your reply and feedback. Taking the time to review the video and giving this feedback is highly appreciated.
If it is up to me, I will do a complete week workshop 8 hours a day, just to cover the basics of Advanced Threat Protection in M365. I realized though, that most businesses DO NOT know what is included in their subscription, or they are sticking to E3 and do not know the value of E5.
In either cases, I wanted to do a quick 20 minutes video, listing all security features inside M365 as a reference so that the listener can have 360 degree on all services, and then he can go and search for Secure Score for example of Azure PIM. At least he knows by know there is something called PIM, and it is part of E5.
I agree with you when it comes to Azure ATP and the need to mention the on-premises piece indeed.
I am planning to have a video for each of those security services by its own to zoom in what are those services, and how they can create business value, and use this video as an introduction and pointing out to the other videos coming later.
Again, thanks for the feedback, please let us connect on twitter @ ammarhasayen