The Essential 8 in a Microsoft 365 World

2 August, 2024

Good security is hard to define across desktops, cloud services, on-premises systems and mobile devices. Robert Crane, Director at CIAOPS, put it this way in a recent webinar: good security means reducing risk through consistent, repeatable processes, such as patching operating systems, using firewalls and enforcing MFA. Studies show that MFA blocks more than 99% of account-compromise attacks, yet over 50% of applications still lack it.

Effective security relies on dependable mechanisms that let people work securely without getting in their way. Applying a framework is crucial: it provides standardised guidelines, tools and best practices, which in turn enables automation and reduces the labour and time spent managing environments. Microsoft 365 offers a consistent base level of services, which makes standardised security measures easier to apply, and tools like PowerShell and Power Automate can automate much of the remaining work.

Security frameworks are vital for measuring and demonstrating security improvements to stakeholders, including boards of directors and insurance companies. As businesses sign cybersecurity policies, adherence to recognised frameworks becomes essential. Competitors offering Essential 8-style services highlight the need for implementing such frameworks to maintain credibility.

In Australia, the Essential 8 framework, published by the Australian Cyber Security Centre (ACSC), is a set of baseline mitigation strategies to reduce risk and prevent unauthorised access. It includes:

  1. Patch applications
  2. Patch operating systems
  3. Multi-factor authentication
  4. Restrict admin privileges
  5. Application control
  6. Restrict Microsoft Office macros
  7. User application hardening
  8. Regular backups

The Essential 8 defines maturity levels (0 to 3) to gauge progress, but the definitions leave room for interpretation. It was written for Windows-based networks and does not directly address cloud environments, mobile devices or the diverse needs of SMBs. It is a framework, not a certifiable standard, and requires continuous review and maintenance as both the controls and the environment change.

For MSPs, maintaining the Essential 8 can offer ongoing revenue opportunities. However, the framework does not address emerging technologies such as AI, which introduce new risks. Key limitations include:

  1. Designed for Windows devices only
  2. Does not address mobile devices
  3. Not designed for the cloud
  4. Not aimed at SMBs
  5. It’s a framework, not a standard
  6. Requires continuous updates and reviews
  7. Does not address emerging technologies like AI

Despite these limitations, the Essential 8 provides a valuable starting point for enhancing security in a Microsoft 365 environment.

Achieving the Essential 8 in the Microsoft Cloud

To align with the Essential 8 in a Microsoft Cloud environment, several standard Microsoft tools are necessary:

  1. Identity Management: Use Microsoft Entra ID (formerly Azure AD) for managing identities and sign-ins. You can synchronise on-premises AD with Entra Connect, but new capabilities land in Entra ID first.
  2. Device Management: Intune is essential for managing Windows 10/11 devices as well as iOS, Android and macOS. Group Policy only reaches domain-joined Windows machines and does not cover mobile devices.
  3. Endpoint Security: Use Defender for Endpoint or another EDR/XDR tool for threat detection, policy enforcement and the telemetry behind monitoring and logging. Defender integrates tightly with Entra ID, Intune and the rest of the Microsoft stack.
  4. Centralised Logging: Microsoft Sentinel (formerly Azure Sentinel) provides SIEM and SOAR capabilities, threat intelligence and extended log retention, which is crucial for centralised logging and monitoring.
  5. Compliance: Purview covers data loss prevention, information protection and retention policies.
  6. Microsoft 365 Business Premium: This is the minimum starting point. It bundles Defender for Business, Intune, Entra ID P1 (which provides Conditional Access) and Exchange Online Archiving with Litigation Hold for indefinite email retention.

Tips to achieve the Essential 8:

  1. Patching Applications and Tools: Use WinGet, available on Windows 10 and 11 through App Installer, for managing application updates. Intune can deploy and update applications, and its Enterprise App Catalog (a licensed Intune add-on) streamlines keeping third-party apps current.
  2. Defender for Endpoint: Its vulnerability management shows missing KBs and known vulnerabilities and maintains a software inventory across operating systems, but it does not install updates. Use Windows Update for Business, WinGet or Intune for that.
  3. Multi-factor Authentication (MFA): Entra ID offers various MFA methods. Microsoft Authenticator (with number matching, or passwordless sign-in) is recommended for the best integration and the strongest protection against phishing.
  4. Conditional Access: Enforces MFA, authentication strength, device compliance and approved-app requirements. It needs Entra ID P1, included with Business Premium and above, and evaluates conditions at each sign-in so policy is applied dynamically.
  5. Application Control:
    • AppLocker: Available on Windows Enterprise and Education, and on Pro when the policy is delivered through Intune (the AppLocker CSP). Blocks unauthorised applications by path, publisher or file hash.
    • Intune App Control for Business: Built-in policies that trust Microsoft-signed apps and apps with a good reputation in the Intelligent Security Graph, without hand-writing a policy.
    • Windows Defender Application Control (WDAC): App Control for Business is the current name for WDAC. The WDAC Wizard builds custom policy XML that defines exactly which publishers and files may run; it is stricter than AppLocker and harder to bypass.
  6. Office Macros and ASR: Block macros in files downloaded from the internet (and all unsigned macros where the business allows it) and enable Attack Surface Reduction (ASR) rules. Both can be set through Intune, Group Policy, the registry or PowerShell (Set-MpPreference for ASR). Deploy ASR rules in audit mode first and review what they would have blocked before enforcing.
  7. User Application Hardening: Intune settings can disable legacy components and protocols that attackers rely on, for example basic authentication and remote shell access.
  8. Backup Strategy: Discuss the best approach with your customer. Microsoft Cloud environments offer built-in retention policies for Exchange, OneDrive and SharePoint, and third-party backup products add coverage such as point-in-time restore and off-platform copies.
  9. Data Retention and Logging: Extend OneDrive for Business retention for deleted users from the default 30 days to up to 10 years at no extra cost. Use auditpol (for example auditpol /get /category:*) to confirm which Windows audit policies are actually enabled on endpoints, and send logs to Microsoft Sentinel for long-term retention and risk analysis.
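The macro, ASR and audit-policy tips above are usually pushed from Intune; the script below, an added example that is not part of the webinar or this article, applies the same configuration locally to a single Windows 10/11 endpoint so you can see what the Intune settings actually change and how to verify them. The rule GUIDs are Microsoft's published ASR rule IDs (check them against the current Defender documentation before deploying); the function names and the choice of rules are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the webinar): Essential 8 "restrict Office macros" and
# "user application hardening" on one endpoint via Defender ASR rules and Office
# policy keys, followed by the checks a practitioner would run afterwards.

# Microsoft's published ASR rule GUIDs (verify against current docs). Selection is this example's.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-5D30-466E-B7A6-D90DD5DE5A6E' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRules {
    param([ValidateSet('AuditMode', 'Enabled', 'Warn')][string]$Mode = 'AuditMode')
    # Add-MpPreference merges with rules already configured; Set-MpPreference would replace them.
    $ids = @($asrRules.Keys)
    $actions = @($ids | ForEach-Object { $Mode })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrState {
    # Current rule-to-action mapping, as Defender reports it (not what we think we set).
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        [pscustomobject]@{
            RuleId = $id
            Name   = $asrRules[$id]
            Action = $actionNames[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Set-OfficeMacroPolicy {
    # Office 2016+ per-user policy keys; Intune's Settings Catalog writes the same values.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        # 1 = block macros in files carrying the Mark of the Web (downloaded from the internet)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # 4 = disable all macros without notification; use 3 (signed macros only) if trusted signed macros are needed
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # Event 1121 = blocked, 1122 = audited (would have been blocked). Review the 1122s before enforcing.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $guid = [regex]::Match($_.Message, '[0-9A-Fa-f]{8}-[0-9A-Fa-f-]{27}').Value.ToUpper()
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            Rule   = $asrRules[$guid]
            Detail = ($_.Message -split "`n")[0]
        }
    }
}

# Roll out in audit mode first; promote to Enabled once the audited events are understood.
Set-AsrRules -Mode AuditMode
Set-OfficeMacroPolicy
Get-AsrState  | Format-Table -AutoSize
Get-AsrEvents | Format-Table -AutoSize
# Confirm the Windows audit policy that feeds Sentinel is actually switched on.
auditpol /get /category:*
```

The point of Get-AsrEvents is the gap between "configured" and "enforced": an endpoint that has been in audit mode for a week with no 1122 events is safe to move to Enabled, while one full of 1122s for the child-process rule usually means a line-of-business add-in that needs an exclusion (Add-MpPreference -AttackSurfaceReductionOnlyExclusions) before you flip the switch.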

So, where do we start? Here are some initial steps:

  1. Conduct a Risk Assessment.
  2. Use Secure Score for a straightforward evaluation of security posture.
  3. Maintain a Hardware and Software Inventory.
  4. Enable auditing, including the unified audit log and Exchange mailbox auditing.
  5. Implement Sentinel for log shipping and threat monitoring.
  6. Utilise Conditional Access for robust policy enforcement.
  7. Apply Intune's security baselines, which align with Microsoft best practice and map onto Essential 8 requirements.
  8. Implement Attack Surface Reduction (ASR).
Additional Notes:
    • ASR rules are cost-effective: they run with Defender Antivirus on Windows 10/11 Pro and Enterprise without a Defender for Endpoint licence, which only adds the central reporting.
    • Consider the ASD Blueprint for Secure Cloud (AU), CISA's SCuBA (US) and the NIST frameworks (US) for more comprehensive coverage. The US-based frameworks tend to focus more on compliance reporting than the Essential 8 does.
    • Modern device management should keep critical data in the cloud rather than on the device, so that a compromised or lost device does not mean lost or exposed data.
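Steps 2, 4 and 6 above (Secure Score, auditing and Conditional Access) can be checked from PowerShell before anything is changed. The script below is an added example, not from the webinar or this article, using the Microsoft Graph PowerShell SDK; it assumes Install-Module Microsoft.Graph has been run and that the signed-in account can consent to the read-only scopes listed. The function names are this example's own.

```powershell
# Added example (not from the webinar): tenant posture snapshot for the Essential 8
# MFA control and the "where do we start" steps, read-only via Microsoft Graph.
# Assumes: Install-Module Microsoft.Graph; an account able to consent to these scopes.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All', 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

function Get-SecureScoreSummary {
    # Latest Secure Score, plus the controls currently earning no points at all.
    $score = Get-MgSecuritySecureScore -Top 1 | Select-Object -First 1
    [pscustomobject]@{
        Date         = $score.CreatedDateTime
        Current      = $score.CurrentScore
        Max          = $score.MaxScore
        Percent      = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
        ZeroControls = @($score.ControlScores | Where-Object { $_.Score -eq 0 } |
                         Select-Object -First 10 -ExpandProperty ControlName)
    }
}

function Get-ConditionalAccessGaps {
    # Essential 8 MFA: is there an *enabled* policy that requires MFA (or an authentication
    # strength) for all users on all apps? Report-only policies enforce nothing.
    Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.DisplayName
            State           = $_.State   # enabled / disabled / enabledForReportingButNotEnforced
            AllUsers        = $_.Conditions.Users.IncludeUsers -contains 'All'
            AllApps         = $_.Conditions.Applications.IncludeApplications -contains 'All'
            RequiresMfa     = ($_.GrantControls.BuiltInControls -contains 'mfa') -or
                              ($null -ne $_.GrantControls.AuthenticationStrength.Id)
            CompliantDevice = $_.GrantControls.BuiltInControls -contains 'compliantDevice'
        }
    }
}

function Test-TenantWideMfaPolicy {
    # True only if at least one enabled policy covers all users and all apps and requires MFA.
    $hit = Get-ConditionalAccessGaps | Where-Object {
        $_.State -eq 'enabled' -and $_.AllUsers -and $_.AllApps -and $_.RequiresMfa
    }
    return [bool]$hit
}

function Get-MfaRegistrationGaps {
    # Users with no MFA method registered yet; admins in this list are the first to fix.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
        Sort-Object IsAdmin -Descending
}

Get-SecureScoreSummary
"Tenant-wide MFA policy present: $(Test-TenantWideMfaPolicy)"
Get-ConditionalAccessGaps | Format-Table -AutoSize
Get-MfaRegistrationGaps   | Format-Table -AutoSize
```

Two things this surfaces that the portals make easy to miss: a Conditional Access policy left in report-only mode after a pilot (State shows enabledForReportingButNotEnforced, so Test-TenantWideMfaPolicy returns False), and admin accounts that have never registered an MFA method. For step 4, the equivalent Exchange check is (Get-OrganizationConfig).AuditDisabled from the ExchangeOnlineManagement module, which should be False.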

Pro-tip: Start with some form of security, whether that is the Essential 8 or a framework of your own.

For further assistance in implementing a security framework, please contact our CSP team at 📩csp@au.synnex-grp.com.

Source and credit: Some content in this article is extracted from the ‘The Essential 8 and how we can align it in the Microsoft 365 World’ webinar hosted by Synnex on 25 August 2024 and presented by Robert Crane, Director at CIAOPS.