Maximizing Your Security Investments

Shaun Bertrand
October 29, 2024

Organizations have spent billions on various cybersecurity controls and countermeasures, yet many fail to maximize the potential of these investments to drive the ROI we should demand. One key area where organizations can realize significant value is within the Microsoft security stack. By focusing on core features like multi-factor authentication (MFA), conditional access policies, and automated investigation & response (AIR), organizations can strengthen their security posture without additional spend. It’s all about making the most of what you already have.

Recommendation 1: Multi-Factor Authentication  

I’m not going to spend much time reinforcing the importance of MFA. By now, we should all understand that MFA isn’t an option, it’s a necessity. However, where organizations can ensure they are getting as much value as possible from MFA is in its deployment and configuration. MFA should be applied on as many accounts as possible. Nothing highlights this more than Microsoft’s recent announcement enforcing MFA for Azure sign-in.

While holistic MFA coverage and enforcement are critical, how we configure MFA is equally critical. The short version is that we should avoid using SMS authentication for MFA at all costs:

  • SMS messages can be intercepted through various methods, including SIM swapping and man-in-the-middle attacks.  
  • Users may be tricked into providing their SMS codes through phishing attacks. 
  • SMS depends on mobile networks, which can be unreliable or compromised. 

Organizations should push to use authenticator apps by any means necessary and identify compensating controls and proper alerting mechanisms when certain users cannot use an authenticator app.  
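To find the accounts that need this attention, the sketch below triages an MFA registration export into accounts with no MFA, accounts that depend on SMS alone, and accounts that keep SMS as a fallback next to an authenticator app. It is an added example, not code from the original post: the records are constructed and shaped like Microsoft Graph `userRegistrationDetails` objects, and the method-name strings are assumptions to verify against your own tenant's export.

```python
# Added example (not from the original post). Records are constructed and
# shaped like Microsoft Graph userRegistrationDetails objects.
PHONE_METHODS = {"mobilePhone"}            # SMS / voice call (assumed name)
SSPR_ONLY = {"email", "securityQuestion"}  # password reset only (assumed)

SAMPLE = [
    {"userPrincipalName": "admin.ops@example.test", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "b.lee@example.test", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone", "email"]},
    {"userPrincipalName": "c.diaz@example.test", "isAdmin": False,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "d.khan@example.test", "isAdmin": False,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
    {"userPrincipalName": "e.roth@example.test", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": ["email"]},
    {"userPrincipalName": "svc.admin@example.test", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
]

def classify(rec):
    """Return the MFA bucket for one registration record."""
    if not rec.get("isMfaRegistered"):
        return "no_mfa"
    methods = set(rec.get("methodsRegistered") or []) - SSPR_ONLY
    phone = methods & PHONE_METHODS
    if not phone:
        return "no_sms"
    # Phone as the only factor vs. phone kept as a fallback beside an app.
    return "sms_only" if methods == phone else "sms_fallback"

def triage(records):
    """Group UPNs by bucket, admins first so they are remediated first."""
    buckets = {"no_mfa": [], "sms_only": [], "sms_fallback": [], "no_sms": []}
    ordered = sorted(records, key=lambda r: (not r.get("isAdmin", False),
                                             r["userPrincipalName"]))
    for rec in ordered:
        buckets[classify(rec)].append(rec["userPrincipalName"])
    return buckets

if __name__ == "__main__":
    for bucket, upns in triage(SAMPLE).items():
        print(f"{bucket:13} {upns}")
```

The `sms_only` bucket is the list that needs compensating controls and alerting; `sms_fallback` accounts already have an app and are candidates for having the phone method removed.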

Recommendation 2: Conditional Access Policies  

First, it’s important to know whether you are licensed to use conditional access policies. Microsoft does not make conditional access policies available under every license type. These policies are primarily offered with Microsoft 365 Business Premium, Enterprise E3, and Enterprise E5 licenses. Users with lower-tier licenses, such as Microsoft 365 Business Basic or Microsoft 365 E1, do not have access to conditional access capabilities.

Next, let’s highlight why conditional access policies are so beneficial. Conditional access policies enhance security by enforcing access controls based on specific conditions, such as user location, device health, and risk level. This approach enables organizations to ensure that only authorized users can access sensitive resources, reducing the risk of unauthorized access and data breaches. By dynamically assessing risk and adapting security measures in real time, conditional access helps maintain compliance and protect against evolving threats, thereby strengthening an organization’s overall security posture. 

A lesser-known feature of Microsoft’s conditional access policies is session controls. Beyond just granting or blocking access, conditional access policies can apply session controls through Microsoft’s Cloud App Security (MCAS). For example, you can limit what users can do with their sessions in certain applications, such as preventing file downloads or restricting access based on user risk level.
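A quick way to see whether the policies you already own are doing this work is to review an export of them. The sketch below is an added example, not code from the original post: the three policies are constructed, shaped like Microsoft Graph `conditionalAccessPolicy` objects with placeholder IDs, and the gap rules are illustrative assumptions rather than a Microsoft baseline.

```python
# Added example, not the author's code. Policies are constructed samples shaped
# like Microsoft Graph conditionalAccessPolicy objects; IDs are placeholders.
POLICIES = [
    {"displayName": "Require MFA - all users",
     "state": "enabledForReportingButNotEnforced",  # report-only mode
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["<break-glass-group-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": None},
    {"displayName": "Block downloads - cloud apps",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": None,
     "sessionControls": {"cloudAppSecurity": {
         "isEnabled": True, "cloudAppSecurityType": "blockDownloads"}}},
    {"displayName": "Require MFA - high user risk",
     "state": "enabled",
     "conditions": {"userRiskLevels": ["high"],
                    "users": {"includeGroups": ["<pilot-group-id>"],
                              "excludeUsers": ["<user-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": None},
]

def summarize(policy):
    """Reduce one policy to the facts the review below needs."""
    users = (policy.get("conditions") or {}).get("users") or {}
    grant = policy.get("grantControls") or {}
    mcas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    return {
        "name": policy["displayName"],
        "enforced": policy.get("state") == "enabled",
        "all_users": "All" in users.get("includeUsers", []),
        "exclusions": len(users.get("excludeUsers", []))
                      + len(users.get("excludeGroups", [])),
        "requires_mfa": "mfa" in grant.get("builtInControls", []),
        "session": mcas.get("cloudAppSecurityType") if mcas.get("isEnabled") else None,
    }

def coverage_gaps(policies):
    """List per-policy and tenant-wide gaps (illustrative rules)."""
    rows, gaps = [summarize(p) for p in policies], []
    for r in rows:
        if not r["enforced"]:
            gaps.append(f"{r['name']}: not enforced")
        elif r["exclusions"]:
            gaps.append(f"{r['name']}: {r['exclusions']} exclusion(s) to review")
    if not any(r["enforced"] and r["all_users"] and r["requires_mfa"] for r in rows):
        gaps.append("no enforced policy requires MFA for all users")
    if not any(r["enforced"] and r["session"] for r in rows):
        gaps.append("no enforced policy applies a session control")
    return gaps
```

On the sample data, the tenant-wide MFA policy exists but sits in report-only mode, so the review reports that no enforced policy requires MFA for all users even though a policy with that name is present.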

Recommendation 3: Automated Investigation & Response (AIR) 

Many customers we speak to are unaware of AIR and the value it can provide. It’s important to understand that AIR is not available for all license models. It is primarily included with Microsoft 365 Enterprise E5 and certain Microsoft Defender for Endpoint plans. Users with lower-tier licenses, such as Microsoft 365 Business Basic or E3, do not have access to AIR capabilities.  

Microsoft’s AIR is a feature that leverages artificial intelligence to detect, investigate, and respond to security threats within an organization. It automates the analysis of security incidents, significantly reducing the time and effort required for incident response. By providing detailed insights and suggested actions, AIR enhances an organization’s ability to quickly mitigate threats, improve overall security posture, and reduce the risk of human error in response processes. This efficiency allows security teams to focus on more strategic tasks rather than manual investigations.  

For those without an E5 license, this is a great opportunity to quantify why an investment in E5 is worth it. Organizations leveraging E5’s enhanced security features can achieve an estimated 20-25% improvement in overall security efficiency, translating to reduced costs related to breaches, incident handling, and regulatory compliance. A study by Microsoft noted that automated responses can save up to 40% of the time security teams spend on threat investigations. This time saved translates into significant financial savings.

Conclusion

Optimizing your existing Microsoft security investments can significantly bolster your organization’s defense mechanisms without incurring additional costs. By strategically deploying multi-factor authentication (MFA), harnessing the power of conditional access policies, and utilizing automated investigation & response (AIR), you can achieve a robust security posture. These measures not only enhance security efficiency but also yield substantial financial savings by minimizing the time and resources required for incident response and compliance. Implement these recommendations to fully leverage your Microsoft security stack and realize the ROI your organization deserves.

Is your organization getting the most out of its cybersecurity investments? Don’t leave your security potential untapped. Contact us today to schedule a security assessment and discover how you can fully leverage your existing investments to boost protection, enhance efficiency, and stay ahead of evolving threats. Let’s ensure your cybersecurity is working as hard as you are.

References

https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/TEI-of-Microsoft-365-E5-August-2023.pdf
