
Microsoft Security Strategy


6 steps to build a holistic security strategy with Microsoft 365

November 2019

Meeting the challenge


Securing data and systems is a top priority for organisations. But meeting this challenge gets more difficult every day as attacks grow more sophisticated, employees use a wider array of devices and applications, and data flows into and out of your business in more ways.

Leaders have to balance these challenges with the need to collaborate, innovate and grow a business. You need a multifaceted security approach that constantly protects all endpoints, detects early signs of a breach and responds before damage occurs. And, no matter how strong your defences are, preventative measures are no longer sufficient – you also need to adopt an “assume breach” posture that includes detection and response measures.

Risk management is now an obligation for many Chief Information Security Officers (CISOs). It includes minimising the potential impact of increasingly sophisticated attacks by more effectively protecting a growing footprint of users, devices, applications, data and infrastructure with fewer people.

Today’s CISOs need agile security frameworks that enable digital transformation, supported by holistic strategies embedded into technologies, processes and training programmes. This eBook shares the strategies and best practices of CISOs who have made security the cornerstone of business success.

Microsoft 365 Enterprise is the world’s productivity cloud, including Office 365, Windows 10 Enterprise and Enterprise Mobility + Security, that empowers everyone to be creative and to work together, securely.

“Every hour of the day, you need to be prepared. And so that means you have to exercise this operational security posture on a continuous basis.”

– Satya Nadella, CEO, Microsoft

Contents

Step 01: Planning for rapid response
Step 02: Protecting identities
Step 03: Defending against threats
Step 04: Protecting information end-to-end
Step 05: Managing cloud use
Step 06: Moving to the cloud securely

Step 01: Planning for rapid response

Threats have evolved from “smash-and-grab” attacks to those that compromise systems in the hope of maintaining a persistent, long-term presence. Attackers now use a variety of vectors and an increasingly advanced array of tools and techniques: stealing credentials, installing malware that erases itself to avoid detection, modifying internal processes, rerouting network data, using social engineering scams and even targeting employee mobile phones and home devices.

Of course, organisations are deploying more and more security tools against this rapidly evolving landscape. While meant to address specific issues, these solutions rarely work together. Many use proprietary dashboards, consoles and logs. Difficulty of integration makes it hard to have an overarching view and prioritise threats quickly, and causes an even greater challenge when dealing with both cloud and on-premises resources. As a result, attacks can go undetected for around 140 days.¹

The average large organisation has 75 security products.²

Best practices

The traditional approach is to correlate information from a variety of tools using Security Information and Event Management (SIEM) solutions. But detection still requires security teams to do out-of-band processing of logs and data, then prioritise and investigate incidents. Data gathering and reconciliation are difficult, and the lack of a unified view complicates response and management. As rapid detection and response become more important, these best practices have emerged:

01 Gain a holistic view of your entire network, including cloud and hybrid environments.

02 Streamline and simplify the ecosystem of security products for better visibility, management and protection.

03 Partner with technology vendors that collaborate and share information across the security industry.

04 Combine data insights with human intelligence from security analysts, researchers and threat hunters to further enhance the ability to quickly assess and prioritise events.

Microsoft’s security management capabilities

To gain visibility and control over your security, Microsoft 365 provides a holistic approach to security, from protecting at the front door to protecting your data anywhere to detecting and remediating attacks. This helps you consolidate tools while ensuring that your security specialist teams have the flexibility and freedom to address their specific workloads.

Key takeaways:

The lack of integration between security products makes it hard for security teams to quickly see and combat threats holistically.

Seek out products designed to integrate with others.

Step 02: Protecting identities

Enterprises know that a data breach can have enormous costs, and they still face the very real challenge of establishing sufficient security controls to gain the visibility they need into threats and attacks. They also have to support consumerised IT, where employees no longer work exclusively on tightly controlled, corporate-issued devices, and expect to work anywhere, on any device or any platform, regardless of whether it has been sanctioned by corporate IT.

In this world, identity-driven security strategies tie access to identity so the organisation can transcend devices and apply controls based on role and need – no matter how the user connects. This focus on authenticating and managing users as they access corporate assets also lets organisations protect their data regardless of where it’s stored, how it’s accessed or with whom it’s shared.

Two other technologies bear mention: identity and access management (IAM) solutions and mobile application management with data loss prevention (DLP) solutions. Both help reduce risk by protecting access to applications and data in corporate resources and in the cloud. IAM can eliminate the need for multiple credentials by giving employees a single identity to access cloud and on-premises resources. Cloud-based IAM systems can also leverage threat intelligence and analysis from the technology provider to better detect abnormal logon behaviour and automatically respond appropriately.

Organisations can protect their data regardless of where it’s stored, how it’s accessed or with whom it’s shared.

Multifactor authentication (MFA) offers another layer of protection by requiring that a user present something they know (their password) and something they have (secondary authentication through a device or fingerprint/facial recognition). Other robust tactics include basing access on user risk, device risk, application risk and even location risk. These capabilities can automatically allow, block or require MFA of a user in real time based on the policies you set, essentially letting organisations increase protection at their own front door.

These modern tools also provide pre-breach endpoint security. The best solutions help encrypt devices at all levels from hardware to application, and provide enterprise-wide visibility into attack dynamics. More advanced tools provide a post-breach layer of protection, including insight into adversary techniques and similarity to known attacks, with built-in tools to quickly block, quarantine or wipe company data.

Microsoft 365 works with existing infrastructure – unifying IT management across users, devices, apps, data and services – so your IT team can consolidate and simplify solutions and save money. It also supports hybrid environments, giving you the flexibility to integrate cloud and on-premises solutions.

Automatically allow, block or require multifactor authentication in real time.

Simplified and intelligent security management helps you gain visibility and control

The key for a CISO’s success is not a single console for everything, but integration where it makes the most sense. Microsoft 365 provides intelligent security management with specialised controls based on your security teams’ needs, visibility where you need it and guidance on how to harden your organisation’s security posture based on unmatched intelligence. This lets you benefit from the flexibility and freedom to easily manage security with built-in controls, plus take advantage of security intelligence and guidance to enhance your security posture and defend against threats.

Understand your security posture: get insight into your security state and the risks across resources in your organisation to deliver effective detection and response.

Define the data protection you need: create and customise consistent security policies and enable controls crucial to intelligent security management.

Keep up to date with security intelligence: use built-in intelligence, recommendations and guidance to elevate your organisation’s security.

Increasing security through identity and access controls

Microsoft’s identity and access management solutions help you protect user identities and control access to valuable resources based on user risk level. Microsoft 365 Enterprise offers protection across identities (Windows Hello, Touch ID, Credential Guard, Conditional Access, Azure Active Directory), apps and data (Office DLP, Azure Information Protection, Cloud App Security) and devices (Device Guard, Intune).

Microsoft’s identity and information protection solutions

Refocus your efforts to protect identities and information. Microsoft’s identity and access management solutions help protect users’ identities and secure access to apps and data, while our information protection solutions help ensure information is protected wherever it is, even in motion.

60% of breaches stem from a compromised endpoint.³

Key takeaways:

Establish identity and access management controls.

An identity-driven security strategy turns focus from tracking an ever-growing number of endpoints to managing users accessing corporate data.

60% of breaches stem from a compromised endpoint.³

More robust endpoint protection provides post-breach insight into adversary techniques.

Step 03: Defending against threats

Identity protection is an important step in securing data. But that’s only a start. In an increasingly connected world, any internet-connected device is an entry point for hackers who are highly motivated to find their way in. Hackers know that every organisation has multiple entry points. They use phishing scams, malware and spyware attacks, browser and software exploits, access through lost and stolen devices, social engineering and other tactics to breach your security. It takes constant vigilance to maintain visibility across the threats you know and to become aware of emerging vulnerabilities.

Some tools can help maintain an always-on security approach, but a broader approach makes more sense. Traditional tools focus on prevention, but that’s no longer sufficient. Organisations must assume that a breach has either already occurred or that one will occur soon, then find ways to significantly reduce the time required to detect and recover from it.

The average large organisation has to sift through 17,000 malware alerts each week.⁴



Many security applications use built-in analytics and machine learning capabilities to produce insights into incidents, and the activities and steps that attackers took. This is still a look at the past that may not speed up reaction and recovery. More security and advanced analytics solutions leverage those insights, automatically acting to prevent and respond to similar breaches, which helps significantly reduce the time to mitigation. Tremendous breadth and depth of signal and intelligence are behind these solutions and, when combined with the experience and knowledge of human experts, these solutions can be powerful tools against fast-moving threat actors.

Security leaders should work with the C-suite and the board to understand and maintain an acceptable level of risk and to balance it with the security budget. There is no one-size-fits-all solution for every organisation, but a risk management approach can help you decide where and how to invest in light of what’s right for your organisation.

Microsoft’s threat protection solutions

Protect against advanced threats and recover quickly when attacked. Microsoft believes threat protection should enable organisations to protect themselves from advanced cyberattacks. It should also provide solutions that can help detect suspicious behaviour within the organisation. Finally, since no security solution is ever 100% effective, there must be processes and tools to quickly respond to threats, enable damage control and limit the effects of an attack.

Microsoft threat protection solutions offer a combination of traditional approaches, such as anti-malware, and new innovations, such as user and entity behaviour analytics (UEBA) and endpoint detection and response (EDR). Microsoft is investing in both the prevention of attacks and post-breach detection and response.

Key takeaways:

Adopt an "assume breach" approach to your security.

Take a risk management approach to security to help decide where to invest.

Choose solutions that reduce the time it takes to detect and recover from a breach.

Step 04: Protecting information end-to-end

Data leaves your control now more than ever as your employees, partners and customers share it. This drives productivity and innovation, but it can have significant consequences if highly sensitive data falls into the wrong hands. Security leaders must manage and secure data stored in multiple locations and shared across international borders. Organisations doing business in the EU must prioritise data protection as a result of General Data Protection Regulation (GDPR) enforcement. GDPR has a significant impact on how companies store and manage customer data, report breaches, communicate policies and invest in internal resources.

Employees will tolerate only so much inconvenience before finding security requirement workarounds. Classifying and encrypting data are the best ways to keep it safe while still allowing productive use and sharing of information. Expecting employees to remember which data needs protecting and how to classify it properly introduces errors and delays, so it’s best to classify and label data as it’s created. You can sidestep human error by automating data classification. Tools can understand the context of data, such as credit card numbers within a file, or the sensitivity of data based on data origination. Once labelled, visual markings like headers, footers and watermarks, and protection like encryption, authentication and use rights, can be automatically applied to sensitive data.

Security teams should also be able to track activity on highly confidential or high-business-impact shared files and revoke access if needed. This persistent protection travels with the data and protects it at all times – regardless of where it’s stored or with whom it’s shared.

Microsoft’s information protection solutions

Protect against data leaks and accidental mishandling by securing information no matter where it is.

Microsoft’s information protection solutions help you protect sensitive data throughout the lifecycle – across devices, apps, cloud services and on-premises locations.

Microsoft’s approach to comprehensive protection of sensitive data throughout the lifecycle – inside and outside the organisation – is to identify, classify, protect and monitor critical data, no matter where it lives or travels. Microsoft 365 provides a more consistent and integrated approach to classification, labelling and protection across our core information protection technologies.

[Figure: Detect, Classify, Protect, Monitor across Devices, Cloud and On-premises]

“We have to reconsider how we’re going to protect data in this mobile-first, cloud-first world. The reality is, nobody has the expertise, the time and the resources to do this on their own.”

– Brad Anderson, Microsoft Corporate Vice President for Enterprise Mobility



Key takeaways:

Security leaders need to focus on security at the data level.

Data classification and encryption are becoming increasingly important. Data classification and labelling should occur at the time of creation, and security teams should be able to monitor activities on files and take rapid action.

Step 05: Managing cloud use



Even if your organisation doesn’t use cloud-based solutions, your employees probably do. This trend, known as shadow IT, is far bigger than most people know. In fact, only 8% of companies know the scope of shadow IT within their organisations, and the number of cloud services used by corporate employees is rapidly outpacing internal IT estimates.⁵

End users often accept terms and conditions without reading them and without fully understanding what they’re granting access to. Traditional network security solutions aren’t designed to protect data in SaaS apps and can’t give IT visibility into how employees are using the cloud. At the same time, blocking shadow IT is a poor solution – employees always find ways around restrictions. Overly rigid control deters innovation, conflicts with unplanned and demanding technology requirements, stifles productivity and can decrease engagement and increase turnover among high-calibre talent.

By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.⁶

– Gartner’s Top 10 Security Predictions 2016

Ultimately, we all have to accept that shadow IT is the new normal. Allowing end
users and teams to use the cloud applications that are best suited for their type
of work helps drive productivity and innovation. Gaining visibility, control and
threat protection of shadow SaaS apps are the first steps in managing risk and
facilitating the digital transformation that has already started at your company.

Find out how employees are using the cloud

Cloud access security brokers (CASBs) provide organisations with a detailed picture of how their employees are using the cloud.

01 Which cloud apps are employees using?

02 What risk do these apps pose to the organisation?

03 How are these applications being accessed?

04 What sort of data is being sent to and shared from these applications?

05 What does the upload/download traffic look like?

06 Are there any anomalies in user behaviour like impossible travel, failed logon attempts or suspicious IPs?

Only 8% of companies know the scope of shadow IT within their organisations.⁶

Better visibility and control over these apps and services lets security leaders develop and enforce reasonable, effective SaaS policies without sacrificing the security and compliance that the organisation demands.

Microsoft’s information protection solutions

Your organisation can use the cloud without putting sensitive data at risk. Microsoft’s information protection solutions can give you visibility and extend your security policies into the cloud. Microsoft Cloud App Security helps you:

Discover and assess risks: identify cloud apps on your network, gain visibility into shadow IT and get risk assessments and ongoing analytics.

Control access in real time: manage and limit cloud app access based on conditions and session context, including user identity, device and location.

Protect your information: get granular control over data and use built-in or custom policies for data sharing and data loss prevention.

Detect and protect against threats: identify high-risk usage and detect unusual user activities with Microsoft behavioural analytics and anomaly detection capabilities.

Users frequently access apps where sensitive business or customer data may be stored. The ability to control what happens after the data is accessed is critical, as is the ability to bring the security of your on-premises systems to the cloud, with deeper visibility, granular data controls and enhanced threat protection.

Our mobile application management (MAM) capabilities and app protection policies can help protect the data at the app level including app-level authentication, copy/paste control and save-as control.

Configurable policies give you fine-grain control over what users can do with the data they access.

You can apply policies to applications to protect data with or without enrolling the device for management, allowing you to protect corporate information without intruding on a user’s personal life.

You can encrypt company data within apps with the highest level of device encryption provided by iOS and Android.

You can also protect your company data by enforcing PIN or credential policies.

Key takeaways:

CASBs can give you a detailed picture of how employees are using the cloud.

Rather than blocking shadow IT, look for solutions that allow you to monitor and assess risk.

With better visibility, you can then set policies that track and control how employees use these apps.

Step 06: Moving to the cloud securely

Every organisation is at a different stage of their journey to the cloud. Compliance requirements, local regulations and other migration challenges mean that not every organisation is ready to move critical workloads to the cloud.

But moving to the cloud doesn’t have to be a departure from your existing systems and processes. In a fully integrated hybrid IT environment, the cloud becomes an extension of your data centre and the policies through which you control it. Hybrid cloud strategies also offer security leaders a measured approach to moving to the cloud, letting them move business functions to the cloud only when they are confident that the service offers the right amount of control.

Cloud service models affect how service providers and customers share responsibilities. This raises issues for CISOs as they navigate the challenges of relinquishing some of the controls of on-premises solutions for the greater security that cloud vendors can provide.

“Public cloud providers offer better security than a small business or even a big enterprise is able to achieve. This is due to the investments that cloud providers are making to build and maintain their cloud infrastructure.”

– Rene Buest, Senior Analyst and Cloud Practice Lead, Crisp Research⁷

Questions to Ask Your Cloud Provider

The rule of thumb for cloud security is that it’s a shared responsibility. Cloud providers need to have state-of-the-art security and encryption, but customers must ensure that the services they purchase are in fact secure, and that they extend required security policies into their new cloud resources.

Look for transparency when planning a cloud migration: vendors should publish detailed information on the security, privacy and compliance of their services. They should also produce audit reports and other materials to help you verify their statements and help you understand where their responsibilities end and yours begin.

Assessing cloud providers isn’t just choosing a service, it’s choosing who to trust with your data. Critical questions about security and access control include:

01 Is my data protected by strong security and state-of-the-art technology?

02 Is privacy by design incorporated to allow control of my data in my enterprise cloud?

03 Are there deep investments in robust and innovative compliance processes to help my organisation meet its compliance needs?

04 Where will my data be stored, who has access to it and why?

05 Does a third party review the cloud service provider annually?

06 What other countries’ compliance and regulatory standards does the cloud service provider adhere to?

The trusted cloud

People only use technology they can trust. You can move to the cloud securely when you’re armed with the knowledge from your cloud provider on their security, privacy, compliance and transparency. Microsoft cloud services are built on these four principles, and the Trusted Cloud Initiative drives a set of guidelines, requirements and processes for delivering rigorous levels of engineering, as well as legal and compliance support for our cloud services.

Realise value faster with Microsoft cloud services and FastTrack

FastTrack has already helped more than 40,000 customers maximise ROI, accelerate deployment and drive adoption.

Migrate email and content to Microsoft 365 services – including assessment and remediation guidance to help prep your infrastructure for the cloud.

Deploy and securely manage devices including Microsoft 365 powered devices.

Enable your business and gain end-user adoption.

Microsoft engineers deliver FastTrack to help you migrate to the cloud at your own pace and to help you get access to qualified partners if you need additional services.

Key takeaways:

Moving to the cloud does not have to mean a departure from existing systems and processes.

When evaluating cloud service providers, ensure that they adhere to international standards.

A hybrid cloud offers a measured approach to cloud migration.

Look for vendors that publish detailed information about how they operate their services and handle data.

The multifaceted nature of cyberthreats means that only solving some of your security challenges is no longer sufficient. Disparate solutions can still protect critical endpoints, detect breaches and limit damage, but the persistent nature of today’s cyberthreats demands equally persistent defences, which in turn demand a more holistic security approach.

Securing data and systems is now a top priority for every organisation. Every company’s security needs are unique, but companies face the same challenges and share the same responsibility to protect their data, people and systems while encouraging innovation and growth. You need agile security frameworks that enable digital transformation, supported by holistic security strategies embedded into technologies, processes and training programmes. Microsoft 365 Enterprise offers a complete, intelligent solution that supports your digital transformation with security and compliance functionality built into every level.

¹ “Threat Landscape: By the Numbers,” FireEye, 2016.
² According to Balaji Yelamanchili, executive vice president and general manager of Enterprise Security Business, Symantec, as quoted in: Symantec. “Symantec Introduces New Era of Advanced Threat Protection,” 27th October, 2015.
³ Johnson, Ann. “Top Five Security Threats Facing Your Business and How to Respond.” Microsoft Secure Blog. 18th October, 2016.
⁴ “The Cost of Malware Containment,” Ponemon Institute (sponsored by Damballa), 2015.
⁵ “Cloud Adoption Practices & Priorities Survey Report,” Cloud Security Alliance, 2015.
⁶ “Gartner’s Top 10 Security Predictions 2016,” Gartner, 2016.
⁷ Rene Buest, quoted in “Top Cloud Security Fears & How The C-Suite Is Tackling Them,” CIO, 2015.


© 2019 Microsoft Corporation. All rights reserved. This document is provided ‘as-is’. Information and views expressed in this document, including URLs and other internet website references, may change
without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your
internal, reference purposes.
