Cybersecurity Best Practices

Microsoft Defender for Office 365: Security Guide - Tech Heads Inc.

Written by Landy Kindle | Oct 12, 2021 7:58:20 AM

In our modern technology-driven era, it’s critical for organizations of all shapes and sizes to seriously embrace cybersecurity. One of the most fundamental aspects of a robust security infrastructure is designing and maintaining high levels of security across an organization’s most important systems. 

For many organizations, there’s no tool more central to the way they do business than Microsoft Office 365: tools like Outlook and Excel are foundational to day-to-day business activities. Unfortunately however, the popularity of Office 365 has rendered it an attractive target for cyber criminals, and consequently, organizations need to prioritize securing their Office 365 environments against attacks. 

Microsoft Defender is an antivirus software program that is included with Windows 10 enterprise subscriptions. It features a range of antivirus features, and helps organizations to better protect themselves from attacks across their Office 365 suite. In addition to basic features, there are a number of options for organizations looking to upgrade their overall security posture.

In this guide, we’ll explore Microsoft Defender for Office 365 in detail, unpacking the various features and sharing how you can deploy them to improve the overall security of your organization. 

What is Microsoft Defender?

Microsoft Defender is an anti-malware cloud-based software that comes with Office 365 subscriptions. The software enables security operations teams to better detect, investigate, and respond to security incidents in their Office 365 environment. 

Every Office 365 subscription comes with Exchange Online Protection (EOP) by default. It’s possible to upgrade to more sophisticated levels of protection, that include email and malware protection, as well as post-breach investigation and response capabilities. By adding these additional capabilities, organizations can layer on additional levels of security to their Office 365 environments.

For many, the primary use case for Defender for Office 365 is to safeguard their organization from threats present in emails, links, or other collaboration platforms including Teams, SharePoint, and OneDrive. The solutions available span threat protection policies, real-time performance reports, and cutting-edge threat investigation and response tools

In all, Microsoft Defender for Office 365 provides a powerful range of tools and policies that offer comprehensive protection of an organization’s entire Office 365 environment. 

How Does Microsoft Defender for Office 365 Work?

Microsoft Defender for Office 365 is part of the wider Microsoft 365 Defender product suite, which also includes Defender for Endpoint and Extended Detection and Response solutions. Altogether, Microsoft Defender 365 combines a variety of protection, detection, investigation and response capabilities in one central portal. 

Defender for Office 365 protects and secures an organization’s Office 365 environment by detecting threats present in email and collaboration tools. The three distinct components to Defender for Office 365 each provide unique features, which can be summarized as follows: 

Exchange Online Protection (EOP): prevents known, high-volume attacks. 

Microsoft Defender for Office 365 Plan 1: protects against zero-day malware, phishing attacks, and email compromise.

Microsoft Defender for Office 365 Plan 2: provides post-breach tools for investigation, hunting, and response. Also comes with simulation tools for training purposes.  

All Office 365 accounts (E3 or below), come with EOP, and the option to upgrade to Microsoft Defender for Office 365 Plan 1. Office 365 E5 accounts come with Defender for Office 365 Plan 2. 

Defender for Office 365: Choosing the Right Option

One of the key benefits of Defender for Office 365 is the comprehensive, native approach the software brings to managing a broad threat landscape. It’s easier for security teams to manage one unified system than coordinate a range of different tools. In addition, Defender for Office 365 offers industry leading technology, with sophisticated capabilities across the entire threat protection landscape, from prevention to response and remediation. 

There are three different tiers of Defender for Office 365. Unless you’re a cybersecurity expert, choosing the right level of protection for your organization can be a tough task. To help you get started, we’ve broken down the key use cases and capabilities of each level of protection.

Exchange Online Protection (EOP)

EOP ships included with all Office 365 enterprise packages, and primarily serves to protect Exchange Online mailboxes from broad, volume-based attacks by filtering incoming mail. The majority of the technologies included in EOP are geared towards attack prevention and detection.

When an email is received, EOP passes it through a series of filters before delivering it to the recipient’s mailbox. These include:

  1. Connection Filters: check sender reputation, eliminating the majority of spam.
  1. Malware Filters: inspect the message for malware and quarantine any suspicious messages. 
  1. Policy Filters: mail is passed through filters specific to your organization’s security policies, known as mail flow rules. Messages which fail to pass this filter are routed to the recipient’s Junk Mail folder.
  1. Content Filters: these anti-spam and anti-spoofing filters identify incoming mail as spam or phishing. Organizations can specify their own policies as to how they want these emails to be treated i.e. moved to quarantine, or sent to Junk Mail folders.  

Only once an email has successfully passed all of these filters is it delivered to the recipient’s mailbox. Organizations can configure many of these filters to best suit their own needs, but for many, particularly Small and Medium Enterprises (SMBs), it makes most sense to stick with the default filters enabled by Microsoft. 

Microsoft Defender for Office 365 Plan 1

Organizations who decide to upgrade their security stack to Microsoft Defender for Office 365 Plan 1 get all the features included in EOP, in addition to a range of other tools which help them to better prevent, detect and investigate attacks which make it past their EOP security protocols. 

Some of the additional features included in Microsoft Defender for Office 365 Plan 1 include:

  • Scanning technology to establish the safety of links and attachments sent in emails
  • Protection for other Office 365 applications, including SharePoint, Teams, and OneDrive
  • Tools to detect user and domain impersonation
  • Real-time detections and alerts to enable threat hunting
  • SIEM integration API

For end-users, both EOP and Defender for Office 365 Plan 1 focus on boosting awareness, enabling users to report suspicious messages to their security teams for analysis. All told, these tools serve to enable security teams to be much more proactive in how they protect their Office 365 environment. 

Microsoft Defender for Office 365 Plan 2

Defender for Office Plan 2 offers organizations the highest level of protection for their Office 365 environments, featuring all of the security features in EOP and Plan 1, as well as an expanded suite of investigation and response tools. From a prevention and detection perspective, there are no added features, but there are a range of features that aid with the automation of complex tasks as well as end-user education. 

Some of the most important features that are only available in Defender for Office 365 Plan 2 include:

  • Threat Trackers: these trackers act as a threat intelligence tool, providing organizations with the most up-to-date intelligence on the latest cybersecurity threats. Security teams can review these to ensure that their organization is adequately protected.
  • Threat Explorer: real-time threat detection and reporting tool that enables security teams to identify and analyze any threats present in their systems. 
  • Training & Simulation Tools: security teams can conduct a variety of simulated attacks to perform vulnerability assessments and identify employees that would benefit from security awareness training. A selection of common attacks are available, from spear phishing to brute force password attacks. 
  • Automated Investigation & Response (AIR): this relatively new tool enables security teams to respond more quickly to potential breaches by deploying a range of security policies automatically as an attack is detected. 
  • Campaign Views: phishing attacks tend to be part of a larger campaign against many organizations. Campaign views enable security teams to see the bigger picture, build a better understanding of the attack, and respond in a more effective way. 

These more sophisticated tools combine to enable organizations to respond to threats far more effectively, therefore significantly strengthening the overall security posture of the organization. 

Managed Microsoft 365 Security Services

Microsoft Office 365 is foundational to the way that many organizations operate today, housing everything from communication tools to critical documents. It’s important for firms of all sizes to ensure that their Microsoft 365 environment is optimally configured. 

For many SMBs, the best way to do this is to partner with a Managed Security Service Provider like TechHeads. At TechHeads, we’ve partnered with Microsoft to identify the highest leverage security controls available for Office 365. 

When you join forces with our team, you can select from three distinct service levels, all of which feature Microsoft Defender for Office 365 Plan 2, as well as a wide range of additional security protocols and software. With a 25 year track record and a deep bench of experts across the entire Microsoft Security tool suite, our team is ready to help design, implement, and maintain a strong security infrastructure. 

If you’re interested in learning more about how to best secure your Microsoft 365 environment, schedule a consultation with our experts today