The client, a Fortune 500 enterprise technology company, adopted Microsoft E5 in 2017 and had relied on the default settings supplied at implementation ever since. When offered a license upgrade in 2020, the client, concerned about the overwhelming volume of security alerts generated by Defender for Cloud Apps, wanted more visibility into how users interacted with cloud applications within Active Directory (API) before making a decision.
Microsoft turned to Collective Insights for its expertise with E5 implementations to assess the client’s concerns and develop a solution, and supporting initiatives, that would let the company manage threat analysis more effectively and reduce the risk posed by non-secure cloud applications.
The client’s most immediate challenge was the sheer volume of security alerts arriving in real time, many of which proved to be irrelevant, duplicates of alerts raised elsewhere, or both. Monitoring so many potential threats and trying to identify which were credible had become more trouble than it was worth; as a result, the client had been ignoring the alerts and did not know where to start.
Our team also needed to consider the broader operational impact of blocking unsecured cloud applications as a way to reduce alert volume. The client would need established workflows for sanctioning apps, as well as a protocol for handling requests to use unsanctioned ones. A successful solution would have to pinpoint, and remedy, the impact on day-to-day operations across several departments, backed by clear governance and communication protocols.
Key considerations and concerns included:
- Should there be a weekly executive summary report for risky apps, new popular apps, new high-volume apps?
- What is the escalation path when a user identifies a legitimate business use for an unsanctioned app?
- Will the client provide end users with alternative business approved apps when blocking unsanctioned apps?
- Should backend automation permissions be used to block anything net new at a certain risk level?
At the core of all these challenges was the need to strike a balance between strengthening security and preserving enough usability to keep everyday users productive.
“By delivering an operational process and policies for dealing with risky business applications, we helped the security team not only get comfortable using Defender but also manage the expectations and requests of various departments moving forward. As a result, they were able to prepare the broader organization and help them anticipate and understand changes that would ultimately strengthen the company’s security posture and operating system as a whole.”
– Chris Garber, Solution Architect
Solutions & Approach
The first goal was to reduce the volume of intelligence security personnel had to sort through each day to a specific, core set of alerts relevant to the organization. The solution would deliver each alert once, from its original source, rather than repeating it across multiple areas.
Our team launched a shadow IT discovery: first identifying which apps were in use, then labeling the risk associated with each app based on 70+ risk factors spanning security, use cases, and industry and legal regulations. We then evaluated which apps complied with industry standards, along with overall user-based patterns and high-volume, high-risk users. With that analysis complete, we began decommissioning risky apps while establishing continuous monitoring that would raise automated alerts whenever new, risky or high-volume apps surfaced in the environment.
Throughout this process, we encouraged the security team to engage the other departments that would need a role in removing risky apps. Facilitating this discovery let us establish a decision tree to help the team manage and optimize the exception process: it helped them determine whether or not to accept a given risk and then identify the appropriate controls to activate.
We also worked with the security team to create a communications toolkit, including email templates and helpdesk training, to explain sanctioning procedures to users, build security awareness across the organization, and handle direct responses when users visited unsanctioned apps.
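The discovery-and-decision workflow above (score each discovered app, auto-block below a risk threshold, alert on net-new or high-volume apps, and route accepted risks through an exception list) can be expressed as a small decision-tree pass over discovery records. The following is an added example written for this page; it is not Collective Insights' or Microsoft's code, and it does not use the Defender for Cloud Apps API. All records are constructed, and the field names (`app`, `user`, `risk_score`, `upload_bytes`), the thresholds, and the 0..10 risk scale (10 = lowest risk, following the app catalog's convention) are assumptions. It also shows the de-duplication point from the first paragraph of this section: one alert per app and reason, rather than one per user event.

```python
# Added example for this case study (not the original page's or the vendor's code).
# Decision-tree evaluation of shadow-IT discovery records: sanction / exception /
# unsanction / review / monitor, with alerts de-duplicated per app and reason.
# All data is constructed. Field names, thresholds and the 0..10 risk scale
# (10 = lowest risk) are assumptions, not the Defender for Cloud Apps schema.

# One record per (app, user) per day, as a daily discovery report might aggregate them.
EVENTS = [
    {"app": "ContosoShare",  "user": "a.jones", "risk_score": 2, "upload_bytes": 5_000_000_000},
    {"app": "ContosoShare",  "user": "b.smith", "risk_score": 2, "upload_bytes": 1_200_000_000},
    {"app": "OneDrive",      "user": "a.jones", "risk_score": 9, "upload_bytes": 20_000_000_000},
    {"app": "PasteBinClone", "user": "c.lee",   "risk_score": 4, "upload_bytes": 800_000},
    {"app": "NewNoteApp",    "user": "d.kim",   "risk_score": 7, "upload_bytes": 9_000_000_000},
    {"app": "NewNoteApp",    "user": "e.park",  "risk_score": 7, "upload_bytes": 3_000_000_000},
    {"app": "LegacyCRM",     "user": "f.chen",  "risk_score": 3, "upload_bytes": 50_000_000},
]

BASELINE_APPS = {"ContosoShare", "OneDrive", "PasteBinClone", "LegacyCRM"}  # seen in earlier runs
SANCTIONED = {"OneDrive"}                    # business-approved alternative
EXCEPTIONS = {"LegacyCRM": "finance-owner"}  # risk accepted via the exception process (assumed owner)
BLOCK_BELOW = 4                              # auto-unsanction unreviewed apps scoring under this
HIGH_VOLUME_BYTES = 10 * 1024 ** 3           # 10 GiB/day across all users


def aggregate(events):
    """Collapse per-user records into one summary per app."""
    apps = {}
    for e in events:
        s = apps.setdefault(e["app"], {"users": set(), "upload_bytes": 0, "risk_score": e["risk_score"]})
        s["users"].add(e["user"])
        s["upload_bytes"] += e["upload_bytes"]
        s["risk_score"] = min(s["risk_score"], e["risk_score"])  # be conservative if scores disagree
    return apps


def decide(apps, baseline=BASELINE_APPS, sanctioned=SANCTIONED, exceptions=EXCEPTIONS):
    """Apply the decision tree. Returns (decisions, alerts).

    decisions: app -> sanctioned | exception | unsanction | review | monitor
    alerts:    (app, reason) tuples, at most one per app and reason, so the
               analyst sees each finding once rather than once per user.
    """
    decisions, alerts = {}, []
    for app, s in sorted(apps.items()):
        is_new = app not in baseline
        high_volume = s["upload_bytes"] >= HIGH_VOLUME_BYTES
        if app in sanctioned:
            decisions[app] = "sanctioned"
            continue
        if app in exceptions:
            decisions[app] = "exception"   # owner on record, risk accepted: no alert
            continue
        if s["risk_score"] < BLOCK_BELOW:
            decisions[app] = "unsanction"  # candidate for blocking; one alert for the app
            alerts.append((app, "risk_below_threshold"))
            continue
        if is_new:
            alerts.append((app, "new_app"))
        if high_volume:
            alerts.append((app, "high_volume"))
        decisions[app] = "review" if (is_new and high_volume) else "monitor"
    return decisions, alerts


def naive_alert_count(events, baseline=BASELINE_APPS, sanctioned=SANCTIONED):
    """Alerts a per-event rule with no exception list would raise: the noisy 'before'."""
    n = 0
    for e in events:
        if e["app"] in sanctioned:
            continue
        if e["risk_score"] < BLOCK_BELOW:
            n += 1
        if e["app"] not in baseline:
            n += 1
    return n


if __name__ == "__main__":
    decisions, alerts = decide(aggregate(EVENTS))
    for app, d in decisions.items():
        print(f"{app:14} {d}")
    print("de-duplicated alerts:", alerts)
    print("per-event alerts a naive rule would raise:", naive_alert_count(EVENTS))
```

On this constructed data the per-app pass yields three alerts where a per-event rule would raise five, and the one app that is both net-new and high-volume lands in "review" rather than being blocked outright, which is the escalation path the considerations list asks for. The exception check runs before the risk threshold deliberately: an app whose risk a named owner has accepted should not be re-blocked by automation on every run.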
Results & Lessons Learned
By taking a holistic approach, we reduced the number of security alerts the client received from Defender while setting the security team up for long-term success with clear workflows, governance policies and communication tools. At the end of the five-month engagement, the client had integrated Defender into its SecOps procedures and chose to upgrade its existing E5 license. The security team became comfortable with the tool and recently requested help leveraging a new feature in preview.
Based on our work for this project, Collective Insights was later named a finalist for the Microsoft Security 20/20 Azure Security Deployment Partner of the Year award. We continue to assist Fortune 100 companies in successfully implementing and activating Microsoft E5 using a tailored approach bolstered by best practices and technology expertise.