
Are you maximising your Microsoft tooling for security?

This is a question we encounter frequently, most recently prompted by the CrowdStrike outage and by reports of nation-state actors compromising Microsoft itself. It is a complex topic, so this article gives a high-level overview of what Microsoft's security offerings include at each licensing tier, and of the situations in which a third-party product is worth considering.

Microsoft licensing is complex

To begin, this article is not a comprehensive guide to Microsoft licensing. Such a guide would need to go into far more detail than a summary can usefully carry.


There is also a Frontline worker (F) licensing tier that works much like Enterprise licensing: the security capabilities are raised by adding a Security, or Security and Compliance, add-on, which takes the subscription to F5 level.

Business licenses come as Basic, Standard, and Premium, while Enterprise licenses come as E1, E3, and E5. The same Security, or Security and Compliance, add-ons can be applied to E3 to obtain the advanced security features without moving to E5.

What follows applies primarily to Microsoft 365 Business Premium, E5, and E3 with the Security add-on. There are nuances and distinctions between these, which I address below.

P1 and P2

Microsoft uses a fairly consistent naming convention across its security products, distinguishing between Plan 1 (P1) and Plan 2 (P2). Some products exist only as Plan 1, and some capabilities are sold under a different name, such as the Defender Vulnerability Management add-on.

Typically, P1 carries the core features that most organisations need, while P2 adds the capabilities more commonly required by larger organisations or those with more complex cyber security needs.

A noteworthy case is the EDR (Endpoint Detection and Response) product included with Microsoft 365 Business Premium: Microsoft Defender for Business. It goes beyond Defender for Endpoint P1 without including everything in P2. In my view it is one of the most cost-effective options available, and it is a recommendation we make frequently. It is also available as an add-on for Business Basic and Business Standard subscriptions.

What is Microsoft Defender?

A frequent source of confusion is what "Microsoft Defender" actually refers to. The suite formerly called Microsoft 365 Defender has been renamed Microsoft Defender XDR, and the rename reflects that it is no longer just an endpoint protection product but a broader set of security capabilities.

At a high level, Microsoft Defender XDR comprises the components listed below, although the list is not exhaustive. Some product areas also have cut-down versions, and Information Protection (part of Microsoft Purview) sits outside Defender XDR altogether.

  • Microsoft Defender for Endpoint (confusingly, there is also Microsoft Defender for Endpoint for Servers, and Microsoft Defender for Cloud has a server element of its own that is licensed differently)
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Defender for Cloud
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for IoT
  • Microsoft Defender Vulnerability Management

The core products, Defender for Endpoint, Defender for Office 365, and Defender for Cloud Apps, are included in various licenses, most fully in E5 and Business Premium. Some lower tiers, such as E3 and Business Standard, include P1 versions of some of these.

Defender for Cloud and Defender for IoT have distinct licensing models. Defender for Cloud is licensed per asset, with the foundational CSPM (Cloud Security Posture Management) tier included free. Defender for IoT has a limited allowance under E5 and is otherwise licensed separately.

What do I have included in my 365 license?

I will cover the two scenarios we encounter most often: Business Premium and E5.

Microsoft 365 Business Premium includes Defender for Business, the endpoint protection and EDR product described above. It also includes Defender for Office 365 P1, which protects email and collaboration tools such as Microsoft Teams; the more advanced P2 is available separately, but P1 is usually sufficient for most small businesses. Defender for Cloud Apps is included only in its "Discovery" form, which lets you see which cloud apps are in use but does not include the control features. Cloud App Discovery is technically part of Entra ID P1, which is itself included in Business Premium.

E5 raises Defender for Endpoint to P2, which adds advanced hunting, richer incident handling, and access to Microsoft Threat Experts. It also includes Defender for Identity, which analyses user behaviour for signs of malicious activity; Entra ID P1/P2 provides some identity controls, but Defender for Identity extends that coverage considerably. Defender for Office 365 moves from P1 to P2, which adds automated investigation and response and attack simulation training (phishing simulations). Finally, E5 includes the full Defender for Cloud Apps, which lets you audit and block cloud application usage, although its protection coverage still has some limitations.
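The quickest way to settle the "what do I actually have?" question is to read the service plans inside your tenant's subscribed SKUs rather than guessing from the SKU name. The script below is an added example, not part of the original post or of any Microsoft tool: it maps service plan identifiers to the Defender products discussed above. The identifier-to-product table is an assumption taken from Microsoft's published "Product names and service plan identifiers for licensing" reference and should be re-checked against the current list, since Microsoft adds and renames plans; the `SPB` SKU part number for Business Premium and the sample data are likewise assumed and constructed so the script runs offline.

```powershell
# Added example: map service plans in subscribed SKUs to Defender products.
# The table below is an assumption based on Microsoft's service plan reference;
# verify it against the current published list before relying on it.
$DefenderPlans = @{
    'MDE_SMB'              = 'Defender for Business'
    'MDE_LITE'             = 'Defender for Endpoint P1'
    'WINDEFATP'            = 'Defender for Endpoint P2'
    'ATP_ENTERPRISE'       = 'Defender for Office 365 P1'
    'THREAT_INTELLIGENCE'  = 'Defender for Office 365 P2'
    'ATA'                  = 'Defender for Identity'
    'ADALLOM_S_STANDALONE' = 'Defender for Cloud Apps'
    'ADALLOM_S_DISCOVERY'  = 'Cloud App Discovery (Entra ID P1)'
    'TVM_PREMIUM_1'        = 'Defender Vulnerability Management add-on'
}

function Get-DefenderEntitlement {
    # Accepts objects shaped like Get-MgSubscribedSku output and emits one row
    # per Defender-related service plan, including its provisioning status.
    param(
        [Parameter(Mandatory)] $SubscribedSkus
    )
    foreach ($sku in $SubscribedSkus) {
        foreach ($plan in $sku.ServicePlans) {
            if ($DefenderPlans.ContainsKey($plan.ServicePlanName)) {
                [pscustomobject]@{
                    Sku     = $sku.SkuPartNumber
                    Product = $DefenderPlans[$plan.ServicePlanName]
                    PlanId  = $plan.ServicePlanName
                    Status  = $plan.ProvisioningStatus
                }
            }
        }
    }
}

# Against a live tenant (needs the Microsoft.Graph PowerShell SDK and the
# Organization.Read.All permission), replace the sample below with:
#   Connect-MgGraph -Scopes 'Organization.Read.All'
#   $skus = Get-MgSubscribedSku

# Constructed sample shaped like Get-MgSubscribedSku output (assumed values),
# representing a Business Premium tenant, so the script runs offline.
$skus = @(
    [pscustomobject]@{
        SkuPartNumber = 'SPB'   # assumed SKU part number for Business Premium
        ServicePlans  = @(
            [pscustomobject]@{ ServicePlanName = 'MDE_SMB';             ProvisioningStatus = 'Success' }
            [pscustomobject]@{ ServicePlanName = 'ATP_ENTERPRISE';      ProvisioningStatus = 'Success' }
            [pscustomobject]@{ ServicePlanName = 'ADALLOM_S_DISCOVERY'; ProvisioningStatus = 'Success' }
            [pscustomobject]@{ ServicePlanName = 'EXCHANGE_S_STANDARD'; ProvisioningStatus = 'Success' }
        )
    }
)

Get-DefenderEntitlement -SubscribedSkus $skus | Format-Table -AutoSize
```

On the sample this reports Defender for Business, Defender for Office 365 P1 and Cloud App Discovery, and nothing for Defender for Identity or Defender for Cloud Apps proper, which matches the Business Premium picture above. Note that a plan being present in a SKU does not mean it is assigned to a given user: `Get-MgUserLicenseDetail -UserId <upn>` returns the same `ServicePlans` shape per user and can be fed to the same function, and a plan with a `ProvisioningStatus` other than `Success` (for example `Disabled`) has been switched off at assignment time even though the tenant owns it.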

Is Microsoft Defender enough?

Choosing an XDR solution can be daunting. There are many good products on the market, each with its own strengths. Microsoft, for instance, draws on the telemetry from its vast installed base to enrich detections for its customers, while Trend Micro's Zero Day Initiative gives it an early view of vulnerabilities and correspondingly fast protection against zero-day threats.

Comparing these tools is hard because real attacks vary so much. A useful resource is MITRE's ATT&CK Evaluations, which test EDR/XDR products against emulations of named Advanced Persistent Threat groups and publish the results.

In those evaluations, Microsoft Defender consistently ranks alongside top-tier products such as CrowdStrike and Trend Micro. Specific tools may still hold an advantage in particular areas, such as non-Microsoft operating systems, where a third-party product can offer better detection and response coverage.

Microsoft Defender is a reliable product, although it has its drawbacks. The management interface draws frequent complaints, but its detection capabilities are generally strong, across both endpoint and identity, the latter provided you use Microsoft's Active Directory or Entra ID. Third-party options are worth considering, especially for estates that are not predominantly Microsoft, but the evidence suggests Defender is a solid choice for Microsoft 365 customers.

Closing thoughts

Whether a Microsoft customer needs third-party security tools is a common question, particularly after the CrowdStrike outage and the nation-state attacks on Microsoft. Microsoft's licensing is complex and its security offerings are easy to misunderstand. In summary, Microsoft Defender is a strong contender for comprehensive security within Microsoft 365 environments, while organisations with diverse needs or mixed IT estates may gain additional protection from third-party solutions. The best approach is a tailored one, aligned with your specific security posture and organisational goals.

I genuinely love working in an industry where technology and business intersect, always believing that doing better with real-world Cyber Security can benefit everyone. I consider it a privilege to have been able to deliver Cyber Security advice and guidance to some of the greatest organisations with some of the most brilliant people around, and I look forward to continuing in what is certainly an exciting and dynamic future for technology.
