Broadcom ESG User guide

This ESG Guide was commissioned by Symantec and is distributed under license from ESG.
© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Beyond Microsoft Office 365 Basics
In the past, IT knew exactly what they had to protect. They provided users with a standard operating system
image and standard apps—the environment was predictable. Applications, users, and devices were protected by
a traditional security stack (Firewall, IPS, etc.) behind a defined network perimeter. However, they do not have
this luxury today since the end-user environment has become unpredictable due to changing user behavior,
BYOD programs, and the reality of new devices and cloud/mobile applications. Through all of this, IT attempts to
maintain control and offer an adequate means of protection in a multi-cloud environment. IT has made some
changes to make sure that they keep control of support for smartphones, tablets, and alternative workstyles, but
in other cases, businesses are being forced to adopt alternative cloud consumption models. Microsoft Office 365
(O365) is one such example, which triggers security concerns and potential new opportunities. O365 adoption
has triggered companies to think of how they can replicate their cloud strategy and security posture across
multiple clouds and an entire suite of business applications they need to support and protect.
O365 Business, Employee, and IT Benefits
The number of applications delivered via cloud software services
has risen over the last five years, despite the fact that companies
remain apprehensive about storing sensitive data in the cloud.
Software-as-a-service provides a service-based, offsite
alternative to the traditional process of internally hosting
applications and delivering them to users.
74% of organizations are already using software-as-a-
service in some capacity.
A Guide to Protecting Microsoft Office 365 from
Security Threats
Date: August 2018 Author: Mark Bowker, ESG Senior Analyst
Abstract:
It’s no secret that cybersecurity permeates the mindsets and priorities of key business executives all the way
up to the CEO level. At the same time, IT has to manage a balanced corporate security posture that provides a
frictionless approach to protecting employees and the business in the midst of device proliferation, cloud consumption
initiatives, and changes in where work is getting done.
What Symantec Customers Are Saying
"What Microsoft doesn't tell you about all their security features is that you really need to be on the latest and greatest of everything that they have in order to take full advantage of its security solutions."
- Director of Information Security/Financial Services
In 2013, 61% of SaaS users delivered no more than 20% of their applications via SaaS. Today, nearly two-thirds (63%) report that SaaS currently accounts for more than one out of five of their business applications.[1]
More than one-third of all organizations surveyed in 2017 said that they currently used cloud-based email (39%) and/or office productivity software (37%).[2]
Microsoft is aggressively migrating companies to O365—inclusive of Exchange email, OneDrive (file sharing and
storage), and SharePoint/Sites/Teams/Groups/Yammer (collaboration)—and also transforming the way IT
services (inclusive of security) are delivered. As a result, businesses are finding themselves investigating ways to
embrace and protect O365 along with a plethora of other cloud-based applications and data. For instance, O365
users are enrolled in Azure Active Directory, which provides identity and access management for cloud services.
While some may see this move as a simple way to authenticate O365, others will choose to integrate third-party
authentication or single sign-on solutions for all their SaaS choices, including O365, and, a lesser-recognized
benefit, the ability to sign on to cloud applications from Windows, Mac, Android, and iOS devices.
As companies (willingly or not) adopt cloud-based applications, they need to consider their broad ecosystem of
applications and cloud providers as well as the implications of O365. Businesses that have embraced O365 or are
in the midst of the decision to migrate to O365 are recognizing its many benefits, including:
Cost savings: Primarily driven by a shift toward OpEx consumption models and a consolidation of IT tools.
Simplified IT management: Simplified application of patches and updates, automation of tasks, and proactive recognition of suspicious behavior.
Data security and control: Leveraging the intelligence of the cloud to detect sophisticated threats, malware, and user credentials theft, as well as adhere to compliance mandates.
Productivity and availability: Secure, safe, and consistent access across devices, independent of end-user location.
Threats Can Strike Any Time, Any Place…
As companies migrate to Microsoft O365 and other cloud applications, they are not always aware of potential
threats, policies with limited effectiveness, and vulnerabilities resulting from accidental configuration. Businesses
are still responsible for monitoring and controlling how applications are used, content is monitored, and data is
secured. As a result, they may find themselves at risk without fully understanding where they are truly
vulnerable.
To secure this range of cloud applications—some sanctioned and supported by the IT organization, and other
shadow IT constituents bending the rules based on application preference without the knowledge or support of
IT—some organizations have initially recognized the need for cloud access security broker (CASB) solutions to
provide user behavior analytics (UBA) to determine anomalous user patterns, data protection status, threat
detection/prevention strength, and breadth of overall security coverage across a variety of cloud applications
(O365 and beyond). In fact, 57% of respondents identified O365 as one of the (top five) applications most in
need of the user access and data loss prevention controls and policies that CASB products provide.
[1] Source: ESG Master Survey Results, 2018 IT Spending Intentions Survey, December 2017.
[2] Source: ESG Research Report, 2017 Public Cloud Computing Trends, April 2017.
ESG research further discovered that the top types of cloud applications survey participants cited as being most
in need of security controls and monitoring oversight are enterprise file sync and share (48%) and email (38%).[3]
Email continues to be a top attack vector for malicious attacks and data breaches. The challenges are nonstop
for IT and security professionals, as email phishing has become a common attack vector and a method for
cyber criminals to introduce malware when launching and distributing threats. Phishing attacks, via a link or an
opened attachment, were the top attack variety found in over 90% of both incidents and breaches. Email requires
this oversight due to the pervasiveness of successful phishing attacks (7.3% of users were successfully phished
over the course of a year).
66% of malware is installed via malicious email attachments.
90% of incidents and breaches included a phishing element.
21% of ransomware involved social actions, such as phishing.
43% of all breaches included social tactics.
93% of social attacks were phishing related.
28% of phishing attacks were targeted.[4]
There is also a rise in file-less malware (i.e., weaponized content) and, according to the 2018 Verizon data breach
incident report (VDBIR), 68% of breaches took months or longer to discover.[5]
Security threats and attack sophistication have also evolved:
Advanced attacks: Advanced and zero-day threats are much more difficult to detect and stop than traditional malware.
Email phishing: Today’s attacks use spear phishing and business email compromise (BEC) scams.
Downloaders: Cyber criminals rely on first-stage downloaders to install the final payload of Office documents containing malicious macros and Java scripts.
As a result, businesses are looking to IMPROVE in these areas:[6]
Data security
Aligning existing IT security policies, processes, and technologies with cloud computing
Deploying a CASB product coincident with a sanctioned IT application
Shadow IT monitoring, blocking, etc. via the use of a CASB product
With these considerations:
[3] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.
[4] Source: Verizon, 2017 Data Breach Investigations Report, 2017.
[5] Source: Verizon, 2018 Data Breach Investigations Report, 2018.
[6] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.
Data security controls such as encryption, and data loss prevention
The sensitivity of data associated with the application
The cloud application provider's security reputation, policies, certifications, procedures, and credentials
Regulatory compliance requirements associated with data privacy
The type of user(s) that needs access and the level of access they should be granted
Auditability of user access and behavior (i.e., data accessed, modified, etc.)
The geographic location where users reside
… and Vulnerabilities Can be Left Exposed
A security breach is not merely inconvenient. It can be costly,
stressful, and even damaging. Businesses must consider how to
provide visibility, control, access governance, data security, and
threat protection for Office 365 along with other SaaS apps and
infrastructure services. Too often, businesses embrace O365
without considering all the security implications across the
organization or the potential external vulnerabilities. Adoption
of Office 365 moves key information outside of corporate
control and creates risk to intellectual property and compliance-sensitive information.
As a result, IT organizations, security teams, and business executives are currently dealing with the following
concerns:
Multiple new security requirements have arisen with the shift to cloud consumption models that potentially
put confidential data at risk.
Lack of visibility, monitoring, and control across all applications and data.
Fragmented vendor base promises built-in security and overlapping bolt-on toolsets.
IT organizations and business units are moving quickly to adopt many cloud applications (not just O365).
Regulatory compliance risk is increasing, especially with the adoption of new regulations such as GDPR.
Organizations don’t have enough qualified IT security experts on staff.
51% of ESG research respondents cited cybersecurity as an area in which they continue to have a shortfall of
skills.
The lack of cybersecurity skills threatens the ability of organizations to execute on the implementation of
budgeted cybersecurity projects such that some cybersecurity initiatives will likely be funded but not resourced.
With no indication that such a problematic shortage of cybersecurity skills will abate, organizations will need to
consider investing in developing skills, using managed security services, and seeking products that improve
operational efficiency.
What Symantec Customers Are Saying
"My concerns with O365 come down to the proliferation of sensitive information and PCI compliance."
- Director of Information Security/Financial Services
Common considerations include:
Guard against new and emerging multi-vector attacks (web, email, endpoint, and collaboration apps).
Protect SaaS applications, inclusive of O365 and other business SaaS apps.
Gain control of content: tracking, access, email, sharing…across all business applications.
Keep key information under corporate control for consistency and visibility.
Goals to Guide Safe O365 Migration
ESG has witnessed some common goals that have helped
organizations to address the known and unknown challenges
that they face as they scale O365 implementations and prepare
for further O365 migrations:
Secure accounts for sanctioned and unsanctioned
applications.
Create a cohesive strategy to secure the movement to
cloud.
Embrace high-efficacy threat protection.
Maintain compliance and protect sensitive information within O365, existing business applications, and
existing data across on-premises and cloud consumption models.
Reduce security operational costs with a solution that supports Office 365, other cloud apps, and hybrid
cloud environments.
Improve security processes by using solutions that embrace automation and integration across all business
applications to help reduce administrative overhead.
Consider the value of artificial intelligence (AI)-driven user and entity behavioral analytics (UEBA),
automated data classification, and automated policy responses.
Consider the value of advanced machine learning and threat isolation technologies to address sophisticated
and evolving malicious threats.
Are You Prepared to Embrace and Secure O365?
As you prepare for your O365 implementation, this checklist will serve as a guide to assist you through the
multiple dimensions of an O365 migration and the selection of your solution for securing it.
What Symantec Customers Are Saying
"During a recent acquisition and IT integration project I was able to displace 12 other vendors and get them out of my hair and get my users on Symantec."
- Director of Information Security/Financial Services
Contextual Visibility
✓ Continuously scan Office 365 content, emails, and transactions to remediate and prevent the proliferation of ransomware, advanced persistent threats (APTs), and other malware.
✓ Strive to achieve a single console for visibility and policy controls, including access governance, data security, threat protection, account hijacking, and compliance reporting across SaaS apps and infrastructure services. These services might include file sharing, data storage, email, messaging, collaboration, and other business enablement services.
✓ Activate advanced threat analytics, inclusive of indicators of compromise (IoCs), for efficient discovery and remediation.
Alerts
✓ Create passive mode alerting to test existing policies to reduce triggering false positives that could introduce friction to employees.
✓ Categorize alerts based on severity (low, moderate, or high) in an effort to begin to see where automation opportunities may exist.
✓ Report and communicate anomalies across all applications, data sources, and clouds to internal teams and executive champions.
Policies
✓ Create access controls and authentication methods that protect the front doors into business systems, inclusive of policies that trigger additional means of authentication based on behavior.
✓ Enforce usage controls and authorization policies based on location, device type, user group, and user behavioral risk level. Ideally, create a single policy that encompasses email, file sharing, collaboration, Office 365, and other cloud apps.
✓ Reduce operational complexity in a multi-cloud world with consistent policy controls and directory integration.
Protection
✓ Embrace data loss prevention (DLP) in the cloud that automatically classifies and tracks structured, unstructured, and interactive content in OneDrive, email, SharePoint sites, Teams and Groups, and Yammer.
✓ Implement one solution to protect across all cloud services while triggering encryption of sensitive data.
✓ Test for detection efficacy and false positive rates.
Detection
✓ Continuously analyze external and internal email content, activity in apps, transactions with apps, and content in motion and at rest in Office 365 to detect, block, or quarantine threats.
✓ Utilize machine learning, email threat isolation, impersonation controls, link protection, cloud sandboxing, user behavior analytics, and threat analytics.
✓ Be prepared for sophisticated attacks that cannot be stopped or detected with single point security tools.
Automation
✓ Create security and access controls over data-in-motion and data-at-rest end-to-end from the user to the cloud for your Office 365 and other SaaS and IaaS accounts.
✓ Automatically identify high risk user accounts, compromised accounts, and insider threats with data science-driven user behavior analytics and adaptive authentication that forces policies based on user behavior.
✓ Leverage artificial intelligence (AI) built into the cloud that provides visibility into external and internal vulnerabilities and helps to remediate issues without manual intervention.
Symantec: Protect Information and Protect against Advanced Threats in Email and Apps in Office 365
and Beyond
Security, Compliance, and Threat Protection for Office 365 with CloudSOC CASB and Email Security
Symantec is helping businesses achieve their O365 migration goals through a set of security and information
compliance controls that protect Office 365 and provide:
Security for Office 365 Exchange email, OneDrive, SharePoint sites, Teams, Groups, Yammer, online Office apps, and Dynamics, which also extends to other non-Microsoft cloud SaaS apps, as well as AWS and Azure apps. This security solution encompasses visibility, data security, threat protection, and policy controls.
Threat protection against malicious files and URLs in email and other O365 apps and services.
UEBA to automatically detect and mitigate insider threats, compromised accounts, and other attacks.
Email threat protection against phishing attacks such as credential theft, malicious file downloads, and business email compromise.
DLP that automatically classifies and protects key intellectual property and compliance-sensitive information and tightly controls access to sensitive data, with an option to integrate with your enterprise-wide DLP solution.
Tracking of inactive O365 user accounts and risk analysis of third-party cloud apps integrated with O365.
Integrated phishing assessment tools allowing for the testing and education of the user base.
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group
(ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change. This publication is copyrighted by
The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to
persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an
action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
www.esg-global.com
contact@esg-global.com
P. 508.482.0188