Advanced is the new Standard - Part 1

Darren Bennett, Cloud Technical Lead

Nothing New

Cybersecurity and reduction of associated risks have been topping every CIO, CISO and CEO survey I have read this year, and that is no surprise given the quantity and severity of some of the recent attacks both globally and within Australia and New Zealand.

The ASD’s Australian Cyber Security Centre received 76,000 reports of cybercrime in the 2021-22 fiscal year, or an average of one every seven minutes. There has been a 25 per cent increase in the number of publicly reported software vulnerabilities.

As cliché as it feels to repeat this message, the exponential increase in remote working has created both significant challenges and opportunities for our partners, as well as new attack vectors for our adversaries.

With work patterns forever changed, regulation has consequently had to move as well. In the last 2 years we’ve seen Notifiable Data Breach legislation come into effect, the Australian Cyber Security Centre (ACSC) and the Essential 8 gain more awareness, and cyber security insurance and security auditing become top of mind for many of the MSPs we speak to every day.


Our partners know security is critical; however, the rate at which threats are evolving and becoming more sophisticated is unfortunately outpacing skills across everyday businesses. Due to this knowledge gap, we often see customers so focused on basic security that they become complacent and feel secure from all threats once standard security controls are implemented, only to be breached.

So, how do we stay on top of this moving target? Cultivating cyber security through rigor in people is a good place to start, for example through education, awareness training and principles throughout the business.

Over the following 2 blogs, I’ll explore a few ways partners can meet the growing level of sophistication we are seeing in the cyber threat landscape with Microsoft for their SMB customers.

Zero Trust

Zero Trust is now a widely followed approach that asks us to Verify Explicitly, Use Least Privilege Access and, most importantly, Assume Breach. Unfortunately, I can speak to many instances that I have witnessed where this principle has not been followed, and a breach has occurred as a result.

Gone are the days where we can rely on simply protecting the identity and running antivirus on an endpoint; this level of security cannot protect against modern threats.

I cannot stress this enough - it is time to stop simply talking about Zero Trust principles; we must adopt these principles; we must assume breach and protect and monitor all assets.

In November 2021, Microsoft released Defender for Business, the SMB edition of the flagship Defender for Endpoint solution, and it was a particularly timely move. Tailored to businesses up to 300 users, Defender for Business has built-in enterprise grade technology to help SMBs proactively protect their devices, be informed about trending threats, and have systems automatically respond to security incidents.

This advanced Endpoint Security solution must form part of the new standard offering for all Microsoft partners servicing the SMB market.

Think Laterally

Assuming a breach occurs, how are we defending against lateral movement?

Previously called Microsoft Defender Advanced Threat Protection (MDATP), Defender for Business provides advanced endpoint security including:

  • Threat and Vulnerability Management
  • Next Generation cloud driven protection
  • Automated Investigation and Response
  • Endpoint Detection and Response

 

If any of you have joined my M365 Security Labs sessions over the last year or so, you will have heard me recommend using Defender for Business (and Defender for Endpoint) as a way of uplifting endpoint security via Threat and Vulnerability Management recommendations.

I often demonstrate how Defender for Business seamlessly integrates with Microsoft’s Mobile Device Management (MDM) solution, Endpoint Manager, and provides step-by-step guides on how to deploy best practice endpoint security. Microsoft could not have done a better job at this; it leaves nothing to the imagination when it comes to securing endpoints including Windows, macOS, iOS, Android, Google Chrome OS, and Linux.

From a lateral perspective, remote workers are exposed in several key areas:

  • Identity
  • Device
  • Applications

 

With Azure Active Directory, we can implement Multi-Factor Authentication, Conditional Access, and Privileged Identity Management. Defender for Business can then help protect the device and the applications installed on the device. We can also add Defender for Cloud Apps to help protect businesses when using web and SaaS applications – Microsoft has extensive capabilities and is a leader in all the key security solutions.

Defender for Business key capabilities covering device and applications:

Attack Surface Reduction

  • Attack Surface Reduction (ASR) Rules
  • Controlled folder access
  • Device control
  • Exploit protection
  • Network protection
  • Web protection
  • Ransomware protection
  • Application control (Essential 8)
  • Hardware-based isolation
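As an added example (not code from the original post, and not Microsoft's own), the PowerShell below shows how a partner could stage several of the Attack Surface Reduction controls listed above on a single Windows endpoint: audit mode first, then enforcement once the audit events have been reviewed, so that a line-of-business application that would be blocked is discovered before users are affected. It uses the built-in Defender cmdlets Set-MpPreference and Get-MpPreference. The rule GUIDs are Microsoft's published ASR rule identifiers as I know them and should be confirmed against current documentation before use. In a Defender for Business deployment these settings would normally be pushed through an Endpoint Manager policy rather than per device; the cmdlets simply make the effect of each setting easy to see and verify.

```powershell
# Added example: staged rollout of ASR rules, controlled folder access and
# network protection on one Windows endpoint. Run in an elevated session.
# Rule GUIDs are assumed from Microsoft documentation; verify before use.

# Rule name -> GUID (assumed mapping from Microsoft's ASR documentation)
$asrRules = [ordered]@{
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'  = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block credential stealing from LSASS'                        = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Use advanced protection against ransomware'                  = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
}

# Stage 1: audit mode. Each rule that *would* have fired writes Event ID 1122 to the
# Windows Defender operational log, which tells you which apps need an exclusion.
$ids     = @($asrRules.Values)
$actions = $ids | ForEach-Object { 'AuditMode' }
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Stage 2 (after reviewing the audit events): enforce. Uncomment to switch to block mode.
# $actions = $ids | ForEach-Object { 'Enabled' }
# Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Controlled folder access (ransomware protection) and network protection, audit first.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -EnableNetworkProtection      AuditMode

# Verify the resulting configuration (actions are reported numerically: 0 off, 1 block, 2 audit).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
'Controlled folder access: {0}' -f $pref.EnableControlledFolderAccess
'Network protection:       {0}' -f $pref.EnableNetworkProtection

# Review what the rules observed in the last day (1122 = audited, 1121 = blocked).
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The point of the two stages is the caveat that tends to catch SMB rollouts: the Office and email rules in particular will stop legitimate macros and installers, so a week of audit events gives you the exclusion list before anything is blocked.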

 

Additional Defender Protections 

  • Windows Defender Credential Guard
  • Microsoft Defender SmartScreen
  • Windows Defender Firewall

Protect Identity

Identity protection still forms a significant aspect of my day-to-day conversations with partners, and quite rightly so, as it is still the number one attack vector. Yes, multi-factor and passwordless authentication should be used for standard users. More importantly, FIDO2/certificate-based authentication along with Identity Protection capabilities should be used for privileged users, without exception!

For example, Microsoft’s Azure Active Directory Premium Plan 2 includes:

  • Privileged Identity Management
  • Entitlement Management
  • User Risk
  • Sign-in Risk
  • Risk Based Conditional Access
  • Access Reviews

 

All this capability must be used for any privileged identity being used today, it is critical to reducing risk and protecting both your own business and your customers’ business.   
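The Conditional Access and privileged identity controls mentioned above (in the Think Laterally section and again here) come together in one policy: require phishing-resistant authentication for anyone holding a privileged directory role. As an added example (not code from the original post, and not Microsoft's own), the Microsoft Graph PowerShell SDK script below creates such a policy in report-only mode so its impact can be reviewed in the sign-in logs before it is enforced. The role template IDs and the built-in "Phishing-resistant MFA" authentication-strength ID are Microsoft's published values as I know them; the break-glass account object ID is a placeholder you must replace with your own emergency-access account.

```powershell
# Added example: Conditional Access policy requiring phishing-resistant MFA
# (FIDO2 / certificate-based) for privileged roles, created in report-only mode.
# Requires the Microsoft.Graph PowerShell module (Install-Module Microsoft.Graph).
# Role template IDs and the authentication-strength ID are assumed from Microsoft
# documentation; the break-glass object ID below is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Built-in directory role template IDs (assumed from Microsoft documentation).
$privilegedRoles = @(
    '62e90394-69f5-4237-9190-012177145e10',  # Global Administrator
    'e8611ab8-c189-46e8-94e1-60213ab1f814',  # Privileged Role Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d',  # Security Administrator
    '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3'   # Application Administrator
)

# Built-in "Phishing-resistant MFA" authentication strength (assumed published ID).
$phishingResistantMfa = '00000000-0000-0000-0000-000000000004'

$policy = @{
    displayName = 'Require phishing-resistant MFA for privileged roles'
    state       = 'enabledForReportingButNotEnforced'   # report-only; set to 'enabled' after review
    conditions  = @{
        users = @{
            includeRoles = $privilegedRoles
            # Always exclude an emergency-access account so a policy mistake cannot lock out every admin.
            excludeUsers = @('<BREAK-GLASS-ACCOUNT-OBJECT-ID>')   # placeholder, replace before running
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantMfa }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created policy "{0}" ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State

# Check: which policies already target directory roles with an authentication strength?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Users.IncludeRoles -and $_.GrantControls.AuthenticationStrength.Id } |
    Select-Object DisplayName, State,
        @{ n = 'Roles';    e = { $_.Conditions.Users.IncludeRoles -join ',' } },
        @{ n = 'Strength'; e = { $_.GrantControls.AuthenticationStrength.Id } }
```

An authentication strength, rather than the plain "require MFA" grant, is what closes the gap the next section describes: a session established with a phishable method such as SMS or push does not satisfy the policy, so a privileged sign-in has to present a FIDO2 key or certificate.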

 

At Dicker Data, we hear about breaches that have included AiTM (Adversary in The Middle) attacks, whereby the MFA token is hijacked and used to authenticate as a privileged identity. This highlights why these Identity Protection capabilities are no longer considered advanced; they must be the new standard for Microsoft Partners and their customers.

 

Keen to learn more about Microsoft Defender for Business?

Stay tuned for the second instalment of the blog series, where I’ll further explain the concept of ‘Advanced is the new Standard’ for defending your SMBs from cyberattacks, and dissect some of the specific features you can be turning on right now in Defender for Business.

If you would like to see a killer demonstration of Defender for Business, please contact us via microsoft.presales@dickerdata.com.au and we will be in touch to arrange a meeting.
