Millions of companies around the world depend daily on Microsoft 365, including yours. So to better understand its native security tools, and any gaps within them, we’ve partnered with Enterprise Strategy Group (ESG Global) to produce a new report exploring Microsoft 365’s security environments.
The report covers several topics of Microsoft 365, both E3 and E5, including capabilities and gaps for protecting against ransomware, phishing, accidental data loss and sensitive data exfiltration, as well as architectural challenges to consider. The full report, ESG Whitepaper: Closing Critical Gaps in Microsoft 365 Native Security Tools can be found here.
- Phishing was involved in 43% of breaches in the past year
- Over two-thirds (69%) of respondents to the ESG research survey report that email security has become one of their top 5 cybersecurity priorities
- 18% cite email security as their most important cybersecurity priority
- 62% of organizations are reevaluating all security controls currently available natively
- Ransomware ranks as a top-3 risk concern, with 77% of organizations classifying ransomware as high or medium risk.
- 45% or organizations report that more than 40% of their sensitive data flows through their email application.
- Cloud-delivered email solutions aren’t a panacea. Moving on-prem email solutions to the cloud replaces the operational infrastructure but doesn’t necessarily fully replace security controls.
- Successful credential phishing attacks can lead to email account takeover (ATO), enabling hackers to appear as legitimate insiders, facilitating BEC, data exfiltration, and ransomware.
As the report states, email continues to be the backbone of enterprise communications and is considered the most critical infrastructure to daily operations for most. Cloud-delivered email infrastructure has rapidly become the preferred approach to enable email communications, with over 2.3m companies depending on Microsoft 365.
For many, handing over email infrastructure to a cloud service provider means transferring and trusting email security and resilience to the provider. Yet as phishing, which was involved in 43% of breaches in the past year, continues at epidemic levels, over two-thirds (69%) of respondents to an ESG research survey report say that email security has become one of their top 5 cybersecurity priorities, with 18% citing email security as their most important cybersecurity priority.
While cloud-delivered email providers promise security and resilience, most fall short of what many security and IT teams would consider adequate. Further, adversaries are capitalizing on these homogenous security systems to bypass controls. As a result, ESG research found that 62% of organizations are re-evaluating all security controls currently available natively, with many turning to third-party email security and resilience solutions to supplement native controls.
Organizations that are planning to move or have recently moved to cloud-based email should strongly consider the use of third-party email security solutions to ensure that critical email infrastructure and data are adequately secured against the expanding email threat landscape.
Unpacking Microsoft 365 native security controls in E3 and E5
While Microsoft has invested significantly in strengthening security controls for Microsoft 365 (M365), organizations report continuing gaps in the controls included in both E3 and E5 licensing bundles.
While EOP provides many valuable security features, it is limited in its ability to protect against more sophisticated email attacks, such as social engineering (or “spear-phishing”), business email compromise, account takeover, and many types of ransomware. Detecting these types of more sophisticated attacks requires both behavioral analytics and a contextual understanding of individual communication activities, which don’t exist in EOP. So, while native controls are effective at detecting mass/generic phishing campaigns, they are less effective at detecting highly targeted attacks. For example, EOP uses block lists to detect spam and known malware. Safe Links (available in E5) rewrites URLs and checks them against known lists of malicious URLs before allowing the user to visit the link.
Microsoft 365 E5 bundle includes additional security features by adding the Microsoft 365 Defender endpoint security solution. Additional protection against phishing and ransomware is provided through more advanced malicious URL and attachment protection, including link re-writing and attachment sandboxing. Both approaches, however, can still be vulnerable to new URLs and attacks without “payloads.” Microsoft Defender depends on multiple scan engines to detect malware attachments and malicious URL links, leveraging both signature matching and machine learning to perform behavioral analysis. Because BEC and ATO impersonations often contain no malicious links or attachments, these threats can commonly escape this approach.
Data loss prevention
Minimal data loss protection capabilities are included in the E3 bundle, relying on end-users to manually label documents as sensitive to protect them. Relying on end-users to accurately and consistently classify content puts organizations at risk. On the other hand, applying blanket policies and blocking sensitive information is highly disruptive to users’ productivity and can be an immense burden on security teams.
Further, companies that opt for applying a default classification to all documents and emails end up with the same label being applied to everything, while lacking any new visibility into sensitive data. As a result, organizations most often resort to tracking and post remediation instead of proactive detection and real-time response. Additionally, E3 lacks capabilities natively to detect and manage insider risk (for example, preventing data theft by departing employees). Native controls also often lack the ability to properly classify non-Microsoft data and files, requiring admins to use workarounds to achieve consistent protection.
Data loss prevention is included in the E5 bundle for emails, Teams, and files. Advanced email encryption functionality is also provided, as well as email retention policies. Customer keys for Office 365 are also supported, and some level of insider risk management capabilities is also included.
Context matters in data loss prevention
M365 Email DLP capabilities are, however, not context-aware (meaning that they lack context between parties exchanging email), resulting in an inability to proactively identify wrong recipients or unintended inclusion of attachments. M365 detection instead utilizes a rules-based approach to define DLP policies and classify data (regex pattern matches, proximity of certain keywords to the matching patterns, exact data matching, and fingerprinting). These techniques alone are often unable to detect when email recipients are misaddressed or when wrong attachments are involved.
Additionally, because these capabilities rely on rule-based techniques or trainable classifiers to align specific data types with DLP policies and to label data (using Azure Information Protection), effectively detecting sensitive information in unstructured data can be problematic (legal, mergers and acquisitions, work orders, bidding documents, and other non-Microsoft formatted files), resulting in users exfiltrating sensitive data and additional false positives.
While encryption is often mistakenly perceived as a solution to solve for misdirected emails, recipients included by mistake can still often decrypt emails to gain access to sensitive data. User experience/friction when encrypting emails can also be a barrier to use.
“Detecting misaddressed emails and emails with unintended attachments requires a contextual understanding of the parties exchanging email. Without this context, misaddressed emails and untended attachments are often missed.
Email security has long been focused on inbound filtering and the monitoring of user activities looking for well-known patterns of misuse. Yet email usage patterns are more often unique to individual users, those that they communicate with, what they communicate, and how they communicate. This individual usage context is required to detect and stop many of today’s more sophisticated attacks such as spear phishing, BEC, and ATO.
Much of this personal context can be derived through behavioral analytics of historical email, including the analysis of who, what, and when emails were sent in the past. When individual historical patterns, along with context, can be matched against future activity, modern email threats can be detected and stopped, often with little to no user or administrator involvement.
Microsoft 365, the dominant cloud-delivered email solution adopted today, may lack critical security controls needed for certain organizations, therefore motivating many to add supplemental security solutions to close gaps. Whether in the planning stage, implementation stage, or post-implementation, third-party email security controls should be considered with all cloud-delivered email solutions.
To learn more, download the full report.