Pratum Blog

Jason Popillion, GCommerce, Presents at Secure Iowa Conference

As executives evolve their companies out of mere “compliance mode” toward the development of an active and anticipatory information security culture, the primary challenge they face is in developing an adaptive balance between security, privacy, costs and efficiency.

Jason Popillion of GCommerce (now a part of SPS Commerce) spoke at the 10th Annual Pratum Secure Iowa Conference during one of the breakout sessions to discuss the corporate and technical role of the Chief Information Security Officer (CISO) and the challenges of balancing risk management with nimble strategic information security decision-making.

The security risk environment continues to evolve. According to the IBM Security Cost of a Data Breach Report 2022, the average reported cost of a successful data breach in the United States is $9.4M. 83% of organizations have suffered more than one breach in their history. About 60% of the organizations studied in the report who suffered a breach reported an increase in prices to their products and services as a result of a breach. This means that organizations should no longer justify a failure to invest in security in the name of cost savings. Furthermore, according to Popillion, ransomware attacks have increased in frequency, from one attack every 40 seconds in 2016 to one every 11 seconds in 2021. IBM Security indicates that ransomware attacks are also more expensive than a typical data breach, and that expense excludes the cost of the ransom itself, if paid!

Popillion was quick to point out that approximately 95% of all breaches are due to, or at least involve a component of, human error. Approximately 75% of organizations are not prepared for such a costly risk. In fact, one factor that allows attacks to proliferate is a culture of silence among organizations victimized by ransomware attacks.

In the case of a more traditional data breach, organizations have adapted to the best practices of identifying, responding and reporting it. In the case of ransomware, however, organizations who only suffer a data loss (via encryption or deletion) but not an exposure of personally identifiable client or employee information are more reluctant to broadcast their perceived security failures to the world. Popillion believes this to be a mistake. As the leader of an organization that suffered, and survived, a ransomware event, Popillion says, “I want to be able to say someone attacked me, I fought it off and I’m better for it.”

Companies who develop a security culture are more likely to contribute to the global defense against ransomware, because they are more likely to share their strategic victories and setbacks, contributing to an overall lower-risk business environment.

Most organizations will have some leadership on board with the strategic development of a security culture, but it really takes everyone at the top to be on the same page. It is the job of Information Security leaders in an organization to guide executives through those changes. Popillion identifies two overarching challenges to developing such a culture and strategy.

Challenge 1 – Effectively Communicating Security Demands with Executives and Boards

Every organization needs consensus on security culture and clear information on security initiative costs and benefits. Security leaders must communicate those needs effectively to the rest of the C-Suite in order to foster that consensus.

Popillion identified 5 keys to doing that:

1. Keep it Simple

Security technology and strategy is complex, but if you communicate the complexity of an initiative and include technical details to justify its adoption, you are likely to lose an executive’s interest.

Instead focus on the value of the technology and keep your message simple and direct.

2. Communicate With Numbers

While the security expert may be most persuaded by a qualitative description of an initiative's defensive value, an executive wants to be able to trust security staff and needs measurables in order to adopt recommendations confidently.

Instead of spending time trying to explain how a new technology or initiative works, concentrate more on communicating how its success might be measured and reported. Use hard numbers.

3. Get to The Point in Under 60 Seconds

Brevity may be the soul of wit, but it is also critical to persuasion. Executives suffer numerous long meetings and large chunks of information on a daily basis.

If you can condense important information into a true elevator pitch, you’ll provide leaders with memorable, actionable clarity.

4. Use Visuals

Most people can more deeply recall information that has a visual component. Words and visuals exercise different parts of the brain.

Executives also appreciate seeing something that they could imagine using in their own presentations to justify or advocate important decisions.

5. Do Not Make Assumptions

It is very tempting to waste time and energy hedging against objections to an initiative, instead of advocating for it, simply because a level of knowledge, aptitude or even an attitude is assumed of executives.

Don’t try to change minds or win hearts when you don’t necessarily know the state of those hearts and minds.

Instead advocate the position, justify it quickly, and identify the value.

Here is an example of how Popillion’s keys to communication might be used in order to promote an initiative to an executive:

Perhaps you believe that it is time for your organization to implement some type of XDR and you need a particularly resistant executive to buy in to the idea. You could assume that the executive’s resistance is based on a general ignorance of the technical advantages of XDR and schedule an educational 30-minute presentation on the options, detailing the technical benefits of increased visibility into the corporate network, the various models available (managed or unmanaged) and the potential for significantly reducing the organization’s exposure to risk.

Such a seemingly reasonable and common approach may be much less effective than simply saying something like, “I think we should implement XDR. Even though only 44% of our competition is doing it right now, that figure is growing, and research indicates that organizations implementing any form of XDR will reduce the time spent on a data breach by nearly a full month -- 29 days. On top of that, take a look at these cost savings:”

By keeping it simple, communicating with numbers, getting to the point quickly, using visuals and not making assumptions, the trusted security expert at a company will make cleaner, more persuasive, more efficient advocacy for risk mitigation and network visibility and defense.

Challenge 2 – How do you grow security while managing resources and investment?

Even with leadership support of initiatives, cost management and growth will always be the prime directive driving executive strategy. So, it is important for Information Security to position its goals in some sort of alignment with cost objectives.

Cost Center Mentality

The problem is that most organizations view Information Security as a cost center, and they have been conditioned to associate every new security initiative with a directly proportional increase in expenditure. Popillion recommends a culture-first, investment-second approach to begin to change this view.

In other words, if your organization can develop a security-minded culture first, then demand for innovative security investments will be viewed more correctly as investments in the health and growth of the organization and will be more closely tied to both loss prevention and production cost management. After all, if data breaches are correlated to service and production cost increases, improved security will better prevent runaway costs.

A Security-Minded Culture

Popillion believes it begins with employees. Because the vast majority of successful attacks involve some sort of human error, the employee base is the absolute best environment to shore up. Training and education are critical, but on their own they are not enough to foster a security-minded culture.

Most organizations have policies and procedures, as well as training modules or sessions. In order to foster a culture, an organization should make the safety of its employees, both at work and in their private lives, a major strategic stake. Employees are the hands and feet of an organization. They are far more likely than executives to interact with third parties such as vendors on a daily basis, and their conduct and personal security is what enables the company to perform its core mission. Employees are critical resources in the ongoing promotion of Information Security, and they also provide latent promotion and training for vested outsiders. Vendors are rarely put through an organization's security training process, but a vendor who has a business relationship with a well-educated, security-minded employee is more likely to support, rather than unintentionally thwart, the organization's security culture.

The security relationship between a business and its employees, at its best, is symbiotic: the more the employee is kept safe and encouraged to understand and promote a security-minded culture, the better protected the corporate network becomes…and vice versa.

Tabletop Exercises and Low Cost, High Impact Security Growth

A second component to this challenge lies with the security team itself. No matter how strong the overall security culture at an organization is, Information Security will obviously be the first line of defense. A high-value approach to increasing the efficiency and effectiveness of the security team contributes to the growth of security but doesn't have to cost a lot. Popillion recommends regularly scheduled tabletop exercises, once every month. Executing simulated events using the existing services not only hones the skills of security specialists, but also allows for the introduction of new models, the documentation of findings and regular reviews of remediation without any of the real costs associated with actual attacks and their aftermath. The Roman military writer Vegetius, lamenting the decline in the quality of the army of his day, wrote, “If you want peace, prepare for war.” Tabletop exercises provide effective preparation, and once implemented as a regular part of the work cycle, they provide valuable ongoing improvements to an organization's security without correlated increases in costs.

Jason Popillion, GCommerce

Jason Popillion, Chief Information Officer/Chief Technology Officer at GCommerce, is the two-time recipient of the Technology Association of Iowa Chief Information Officer of the Year award. Prior to GCommerce, Jason architected and developed an EDI and Customer Relationship Management (CRM) system for the State of Iowa that received 8 national awards including CIO's top 100 innovations, Harvard Innovation, and Gartner High Performance Workplace awards. In 2021, Jason earned the Certified Information Systems Security Professional (CISSP) designation. He is also co-founder and co-host of the Cyber Distortion podcast.

CISOs Meg Anderson, Principal, Ben Schmitt, Mary Greeley, James Johnson, John Deere, sit on Panel at Secure Iowa Conference

Leading information security executives gathered at the 10th Annual Pratum Secure Iowa Conference during one of the breakout sessions to discuss the corporate and technical role of the Chief Information Security Officer (CISO) and the challenges of balancing risk management with nimble strategic information security decision-making.

CISO Panel Members:

Meg Anderson, Principal Financial
James Johnson, John Deere
Ben Schmitt, Mary Greeley Medical Center

A CISO’s Role: Fostering a Security Culture

The panel was asked by moderator David Cotton what first steps a new CISO should take in approaching security and business interests, and the panel was quick to point out that the advice is the same, whether a CISO is new to the role, whether the role itself is new or even if the CISO has been in the position for a long time: fostering a security culture is the key.

Anderson noted that corporate security policy was not mature when she first became a CISO, but even as company policies have matured, security culture does not necessarily follow suit. Thus, one of the objectives of any CISO should be to identify and foster a healthy security culture. That means speaking to both the technical and the business sides of the company. Holding ongoing, comprehensive discussions with both helps to identify pain points, opportunities for improvement, and clarifying questions regarding budget.

Johnson emphasized the need to read, understand and act on reports and audits, both ones that precede a new CISO and ones conducted under a CISO’s watch. Knowing how predecessors handled and addressed reports can not only give guidance for current results, but can also provide better understanding to the overall security culture at the company.

Schmitt believes strongly in a CISO building – or building on existing – business and client relationships. As a former product manager, Schmitt gained invaluable insights into the client experience. In his current role as a CISO in healthcare, he takes advantage of a clinical mentor – a person who serves as a bridge connecting him to the patients of the medical center. In order to become an organization’s trusted advisor on security issues, a CISO must first learn the business before making big splash technical changes. A good CISO will master controls, understanding vulnerabilities and operations, but in addition to that, must also be trusted in those areas, and the way to do that is through understanding the business.

Corporate Mistakes to Avoid and Correct

There are a number of mistakes that can be made in Information Security, but there are also a lot of misconceptions that corporations have about security. According to Johnson, it is still not uncommon to find a deeply held belief that “security is security’s problem” in many organizations. He views the CISO as having a unique opportunity to humbly educate engineers and leadership. When an organization begins to understand that the security department should not be the only line of defense and that security begins at the cultural level, it – as an organization – can then be positioned to be active in its own defense and growth.

Anderson concurred. A common frustration the CISO faces is when the Security department or team is treated as the computer police at an organization. “It is not about following Security's rules so they can check a box. It is really about establishing a secure environment for the clients and employees to freely conduct business.”

Schmitt approached the problem from a philosophical angle. “If you can implement ‘guardrails over gates’ you can help your organization and its people go where they want to go with the protection of guardrails with less temptation to circumvent a lot of gates.” Technically this means mastering the basics and implementing them consistently, and not becoming distracted by chasing the latest “shiny object” innovation at the cost of ignoring fundamentals.

Balancing Risk and Building Business

The balance between risk management and business growth is delicate, and according to the entire panel, has no perfect model or silver bullet. All three CISOs agreed: knowing the risks is key and weighing the probability of those risks (especially when they are measurable) needs to be deliberate, consistent, but also fast. As Anderson put it, it is a “continuous dynamic decision process.” Johnson emphasized hiring “great people that you can trust…and then trust them!” Schmitt drilled down into the measurables in some detail and emphasized the importance of trusting those measurements when performing trade-offs.

However, there is ample opportunity to take advantage of fostering a security culture in order to build the business as well. The CISO can engage leadership across departments, learn the business and simultaneously communicate technical opportunities in non-technical ways. Johnson put it this way: despite the technical aspect of security decision-making, there is still a lot of “what does our gut tell us? And how do we approach that experience?” By having trustworthy staff and good relationships across the security culture, the CISO can focus less on persuading for “buy-in” because the non-technical leadership already feels invested and connected. Anderson strongly recommends regularly connecting with leadership outside of security, and communicating wins, losses and opportunities in a non-technical way. She also believes that the security team, not just security leadership, needs to know where the business is going. “From a security team point of view, where is the business going?” she said. “How does that impact the team today? How do we resource those initiatives?” Then, it is the CISO's job to ensure that the alignment with the business goes all the way up through the hierarchy of the organization. Don't assume the organization knows what security is doing and why. Tell them.

So, You Want to Be a CISO?

The panel of CISOs found worthwhile certifications to be those credentials that symbolized passion, interest and curiosity, but saw little value in pursuing a certification unless an employer required it. In fact, one CISO held no certifications, one held many, and yet another had a few. They all said that the far more important attribute of a good CISO was adaptability and an undying curiosity. In fact, Johnson mentioned that it was possible to be overcertified to such a degree that he might question whether or not you even had the time to exercise practical skills in a CISO capacity. A passion-based approach might be better. “Certification can show that you have a desire to be in this space,” he said.

Schmitt said that certifications are useful as long as you actually have an interest in the certified subject, but that the key is to be engaged in the security community, to participate in tabletop exercises and capture-the-flag-style events, and to be an evangelist for security culture. For the CISO who really wants to target a high-value certification, Anderson recommends cloud security certifications, as there is currently a high and growing demand for cloud security expertise, and a certification can distinguish candidates.

Final Thoughts

As the session wrapped up, David asked the panelists to share any last words of wisdom for the working or aspiring CISO:

Schmitt: “Is your team moving the needle and if they are, are they getting positive feedback every day? Make small improvements every day, and ask yourself, are you better every day, just a little bit? And do you know how you measure that?”

Anderson: “Back in 2008, it [Information Security expertise] wasn’t daily news. Today it is. Cybersecurity opens the door. Don’t ask to be invited. Meet with leadership.”

Johnson: “Fundamentals – a business should invest in talent – basic controls, MFA, patching, security should matter when you are buying products of course but what is critical is that you hire trusted advisors.”

Meg Anderson, Principal

Meg Anderson of Principal Financial has been with the company for 35 years. She began her career in the Insurance Division as a COBOL programmer and advanced through the corporate ranks to lead a variety of network architecture, SASS, data warehouse and other data leadership roles. In 2008, she took the opportunity to become Principal's CISO, a move she described as being, at the time, technically a “lateral move.” Driven more by career growth and an interest in learning more about infrastructure than by promotion, she found the new role, which she initially believed would be a relatively short-lived one for her, to be ideally suited to her natural curiosity, technical expertise and interest in fostering culture.

James Johnson, John Deere

James Johnson’s background as IT manager at Pella Windows, pen tester, engineer and CISO at Honeywell provided the path for him to become global CISO at John Deere.

Ben Schmitt, Mary Greeley Medical Center

Ben Schmitt, CISO for Mary Greeley Medical Center, has recently ascended to his position with a diverse background in product management, telecommunications and forensics at TDS Telecom, Danfoss and Dwolla, all of which he believes contributes to his “client-centered” approach to his duties as CISO.

Microsoft Office 365 Security Best Practices and Recommendations

Microsoft continues to up its game, and it’s critical for you to review, configure and tune the appropriate settings within Microsoft 365’s various services to ensure that you’re meeting proper risk tolerance levels.

Microsoft leverages a defense-in-depth approach, adhering to operational best practices to provide physical, logical, and data layer protections. These layers help to protect all Microsoft 365 users, but every organization remains responsible for ensuring that its own tenant is implemented and configured securely.

Pratum highly recommends that you review the following guide and implement its ideas as needed. Remember: the mailbox auditing defaults referenced below apply to new mailboxes. Audit settings should be reviewed for any accounts created prior to January 2019.

The Missing Piece in Your O365 Strategy

Every Office 365 cybersecurity strategy should include extended detection and response (XDR) tools. These next-generation systems combine machine learning and rules created by analysts to monitor suspicious activity across your entire system, including Office 365 elements such as inboxes and software delivered through the cloud. Visit this page for an overview of managed XDR.

Enable and Enforce Multi-Factor Authentication

Pratum highly recommends the use of multi-factor authentication. User accounts are compromised daily, increasing the risk of losing control of key data and information. Business email compromise and credential harvesting attacks are a constant threat to an organization. One of the best security defenses to thwart this loss is requiring users to use multi-factor authentication (MFA) to access key systems, such as email and file sharing. MFA can significantly decrease the success of attacker tactics even when the user's password is compromised, because the attacker would also need to compromise the additional factor. These additional factors can take many forms, such as a hardware token or an application on a smart device. There are multiple methods and solutions for multi-factor authentication in Microsoft 365, and the configuration options vary depending on licensing. Azure, Intune, and Enterprise Mobility + Security plans offer additional capabilities when deploying or enforcing this security feature.

Reference: Enabling Azure Multi-factor Authentication, Requiring MFA for Intune Enrollment

Conditional Access Policies

Administrators can enforce additional restrictions, or relax certain requirements such as multi-factor authentication, when users access resources from a trusted location or a compliant device. Those signals increase the likelihood that the user accessing the resource is who they claim to be, and therefore justify lowering the requirements needed to authorize the user. This feature works very well for finding the right balance between security and convenience. Furthermore, access from locations and devices that employees should never be logging in from can be blocked and alerted on. An Azure AD Premium (P1 or higher) license is required for conditional access policies.

Reference: Configuring Conditional Access Policies, Azure AD License Comparison
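The following is an added example, not code from the Pratum article or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK to build the two kinds of policy described above: one that requires MFA everywhere except trusted named locations, and one (created in report-only mode first) that blocks sign-ins from a named location of countries the business never operates in. The policy names, the country list and the break-glass account object ID are assumptions.

```powershell
# Added example (not from the original article). Requires Azure AD Premium P1 and the
# Microsoft.Graph.Identity.SignIns module. Names, the country codes and the object ID
# of the emergency-access account below are placeholders; adjust before running.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Always exclude a break-glass account so a bad policy cannot lock every admin out.
$breakGlass = @("00000000-0000-0000-0000-000000000001")   # assumption: emergency-access account object ID

# Policy 1: MFA for all users on all apps, relaxed only from trusted named locations
# ("AllTrusted" is the built-in reference to every location marked as trusted).
$mfaPolicy = @{
    displayName = "CA001 - Require MFA except from trusted locations"
    state       = "enabled"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy | Out-Null

# Policy 2: block sign-ins from countries employees should never log in from.
# First create the named location, then a policy in report-only mode so the sign-in
# logs show what it *would* have blocked before it is switched to "enabled".
$blockedCountries = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Disallowed countries"
    countriesAndRegions               = @("XA", "XB")   # assumption: ISO 3166 codes for the real list
    includeUnknownCountriesAndRegions = $true          # unresolvable IPs count as disallowed
}
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $blockedCountries

$blockPolicy = @{
    displayName = "CA002 - Block sign-in from disallowed countries"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy | Out-Null

# Confirm both policies and their states
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the block policy in report-only mode until the Azure AD sign-in logs confirm it only catches traffic you expect; the MFA policy is enabled immediately because it adds a requirement rather than denying access outright.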

Business E-mail Compromise

Phishing causes a considerable share of all breaches and cyber incidents within organizations, especially those with Microsoft 365. Forensic analysis typically reveals the culprit is an e-mail that posed as a shared document hosted in a domain that looks remarkably like OneDrive. When the user clicks the link, they arrive at a sign-in page that mirrors Microsoft’s 365 login page. Unfortunately, the credentials entered within this fake screen go straight to the attacker, who may then have complete access to the user’s e-mails and files. That’s what makes multifactor authentication (MFA) one of the most successful ways of preventing an attacker from gaining access even after they have compromised a password.

It’s also critical that you recognize when a password has been compromised. It becomes even more important if the attacker successfully authenticates to the victim's data. This information is key to investigating what activity was performed or determining whether it triggers breach notification requirements.

To ensure you have sufficient data to detect these threats or perform a proper investigation, you must ensure your Microsoft 365 tenant is auditing all the crucial areas. In January 2019, Microsoft recognized the need for this information and turned mailbox auditing on by default.

Reference: Manage Mailbox Auditing

Verify mailbox auditing is on by default
Get-OrganizationConfig | Format-List AuditDisabled

Enable Audit Logging

Event data containing critical information (user and system activity, changes, authentication details, etc.) is extremely important to have captured in order to detect threats, and especially when performing an investigation. An administrator must manually enable the “Office 365 audit log search.” This feature may record user and admin activity for 90 days; however, it is best to validate which retention settings are configured based on licensing and configuration. This data can, and should, be piped to a security information and event management (SIEM)/XDR solution for additional monitoring and correlation. Note that, at the time of writing, only mailbox audit events for E5 users are available in the audit log searches within the Security & Compliance Center or through the Office 365 Management Activity API.

Reference: Enabling Audit Logging

Use the Security & Compliance Center to turn on audit log search
  • In the Security & Compliance Center, go to Search & investigation > Audit log search.
  • Click Start recording user and admin activities.
Enabling auditing via Powershell
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Validate whether auditing is enabled/disabled via Powershell
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

Enable Mailbox Auditing

In Office 365, administrators should ensure mailbox audit logging is enabled to record mailbox access activity. Mailbox auditing has been on by default since January 2019, but it should still be verified per mailbox: if it is off when a security incident occurs, there may be very little data, if any, regarding an attacker's activity. Once audit logging is enabled, the audit log can be searched for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. It is recommended to enable at a minimum the default logs as well as the actions in the commands referenced below; however, each organization should determine what logging level it needs.

We highly recommend enabling the ‘UpdateInboxRules’ action for all types of users. Attackers commonly set up a forwarding rule that forwards a copy of the user's inbox to a second address such as a Gmail account. This gives them persistent access to the user's e-mail even after the password is changed! We recommend auditing and reviewing these rules. Be prepared to add logic to filter out legitimate, employee-created forwarding rules; we recommend logic that looks for forwarding rules that redirect e-mail outside of the organization or tenant domain. Even if an employee is forwarding e-mail to a personal mailbox, this is a bad practice, as the data is no longer controlled or protected by company policies.

Reference: Enabling Mailbox Auditing, Mailbox Auditing Actions

Enabling auditing via Powershell for all user mailboxes in your organization
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
Increasing audit levels via Powershell for all user mailboxes in your organization
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete","MoveToDeletedItems"}
Validate whether auditing is enabled/disabled via Powershell
A value of True for the AuditEnabled property verifies that mailbox audit logging is enabled.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*
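As an added example (not from the Pratum article), the following script implements the review logic recommended above for external forwarding rules. It sweeps every user mailbox's inbox rules and mailbox-level forwarding for targets outside the tenant's accepted domains, then searches the unified audit log for the rule-creation events that mailbox auditing records. The 30-day window and the Exchange Online connection are assumptions; the address-matching helper is ours, not a Microsoft cmdlet.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module, mailbox auditing, and unified audit log search enabled in the tenant.
Connect-ExchangeOnline

# Every domain the tenant owns; a forwarding target anywhere else is "external".
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    # Inbox rule targets arrive as "Display Name [SMTP:user@example.com]" or as plain
    # SMTP addresses; pull the first address out and compare its domain to our list.
    param([string]$Address)
    if ($Address -match '([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+))') {
        return ($internalDomains -notcontains $Matches[2].ToLower())
    }
    return $false
}

# --- Check 1: current state of every user mailbox (rules + mailbox-level forwarding) ---
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'") {
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding'; Target = "$($mbx.ForwardingSmtpAddress)" }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress "$t") {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = "InboxRule:$($rule.Name)"; Target = "$t" }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# --- Check 2: who created or changed forwarding rules in the last 30 days, and from where ---
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000

$suspicious = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    # Cmdlet-based events carry Parameters[]; Outlook client rule edits (UpdateInboxRules)
    # carry OperationProperties[]. Both are Name/Value pairs, so handle them the same way.
    $props = @($data.Parameters) + @($data.OperationProperties)
    $fwd = $props | Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'RuleActions' }
    foreach ($p in $fwd) {
        if (Test-ExternalAddress "$($p.Value)") {
            [pscustomobject]@{
                When     = $e.CreationDate
                Actor    = $e.UserIds
                Op       = $e.Operations
                ClientIP = $data.ClientIP
                Target   = $p.Value
            }
        }
    }
}
$suspicious | Sort-Object When | Format-Table -AutoSize
```

Check 1 calls Get-InboxRule once per mailbox and is slow in large tenants; run it as a scheduled job rather than interactively. Check 2 is the part worth feeding to a SIEM: an UpdateInboxRules event with an external target from an IP address the user never signs in from is a strong business email compromise indicator, even before any mail is lost.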

Mobile Device Management

Mobile device management (MDM) should be reviewed and understood by each organization, ensuring the proper policies are defined and agreements are in place for employees of the business. Exchange administration can be configured to define policies on which devices and users can communicate with the email servers. Policies that enforce compliance with company requirements such as device encryption should be enabled, along with restrictions on which devices can connect. For additional features and control, plans can be purchased for Microsoft Intune and/or Enterprise Mobility + Security.

Reference: MDM for Office 365 versus Microsoft Intune

Exchange Administration

Configuring Exchange Email Encryption Rule

Users who communicate via email and have an E3 or higher license can leverage Office 365 Message Encryption. An administrator can also define a mail flow rule to encrypt email messages that contain a keyword in the subject. Encryption with rights protection can be leveraged to restrict recipients of encrypted messages from forwarding them to unintended recipients or printing them, and to limit how long they remain accessible.

Reference: Define a Mail Flow Rule to Encrypt Email

Define Spoofing Filter Rule

A rule can be created via the Exchange Admin Center to set the spam confidence level (SCL) to ‘9’ if the message sender's address domain belongs to any of the organization's accepted domains and the message is received from ‘Outside the organization.’ A spoofing filter rule will help limit the number of phishing emails that are delivered with a forged internal sender.

Protecting High Trust Accounts from Spoofing

A very popular vector for malicious actors is spoofing a company's executives or other high-trust individuals. The actor impersonates accounts such as the CEO, HR or IT leader, asking staff to perform actions that can lead to a breach or loss. Examples are as simple as asking staff to purchase gift cards, log in to a web site to approve something, or provide private company information. Organizations licensed for Microsoft Defender for Office 365 can easily remedy this vector: its anti-phishing policies add impersonation protection for named users and for the organization's domains, and they protect your domains from spoofing in a much better way than the old method of transport rules.

Licensing requirements: Microsoft 365 Defender prerequisites
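As an added example (not from the Pratum article), here is the impersonation protection just described, configured with the Exchange Online cmdlets rather than the Defender portal. The executive names and addresses are placeholders; replace them with the real people attackers would impersonate. A Defender for Office 365 Plan 1 or 2 license is assumed.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module and a Defender for Office 365 license. Protected users below are assumptions.
Connect-ExchangeOnline

$policyName = 'Protect executives from impersonation'

# TargetedUsersToProtect entries are "Display Name;smtp address", one per protected person.
$protectedUsers = @(
    'Jane Doe;jane.doe@example.com'     # assumption: CEO
    'John Roe;john.roe@example.com'     # assumption: head of HR
)

if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy -Name $policyName `
        -EnableTargetedUserProtection $true `
        -TargetedUsersToProtect $protectedUsers `
        -TargetedUserProtectionAction Quarantine `
        -EnableOrganizationDomainsProtection $true `
        -TargetedDomainProtectionAction Quarantine `
        -EnableMailboxIntelligence $true `
        -EnableMailboxIntelligenceProtection $true `
        -MailboxIntelligenceProtectionAction MoveToJmf `
        -EnableSimilarUsersSafetyTips $true `
        -EnableSimilarDomainsSafetyTips $true `
        -EnableUnusualCharactersSafetyTips $true `
        -EnableSpoofIntelligence $true `
        -AuthenticationFailAction Quarantine `
        -PhishThresholdLevel 2 | Out-Null
}

# A policy does nothing until a rule assigns it to recipients; scope it to every accepted domain.
if (-not (Get-AntiPhishRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
        -RecipientDomainIs (Get-AcceptedDomain).DomainName | Out-Null
}

# Review the effective settings
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Enable*Protection, TargetedUsersToProtect, *Action, PhishThresholdLevel
```

Mailbox intelligence (learning who each user normally corresponds with) is set to move to Junk rather than quarantine because it produces more false positives than the explicit user and domain lists; tighten it once the first weeks of reports look clean.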

Configure DMARC and SPF Records to Validate Email

Implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) together with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) is recommended for all organizations. These features provide an additional layer of protection against spoofing and phishing emails and help to reduce the risk of business email compromise attacks. The DMARC record tells receiving mail servers what to do with messages sent using the organization's domain that fail SPF or DKIM validation, or whose passing result does not align with the domain shown in the From header.

A DMARC TXT record does not itself list mail servers. It publishes the domain owner's policy (p=none, quarantine or reject) for messages whose From domain fails authentication, and the addresses (rua and ruf tags) to which receivers send aggregate and forensic reports. The receiving server combines that policy with the SPF and DKIM results, checking that the authenticated domain aligns with the visible From domain, to decide whether a message claiming your domain really came from your authorized outbound servers.

An SPF record is a TXT record on the domain that lists the IP addresses and hosts (for Microsoft 365, include:spf.protection.outlook.com) authorized to transmit email for that domain. If an attacker spoofs the organization's domain from an address not on the list, the receiving server can reject or junk the message; end the record with -all (hard fail) rather than ~all (soft fail) once you are confident the list is complete. Note that SPF checks the envelope sender (MAIL FROM), not the header From that users see, which is why DMARC's alignment check is needed to stop spoofing of the visible address.

DKIM should be configured together with SPF, before the DMARC policy is moved beyond p=none. DKIM adds a digital signature to each message's header that the receiver verifies with a public key published in DNS, so a signed message survives forwarding that would break SPF. Start DMARC at p=none to collect reports, then step up to quarantine (optionally on a pct= percentage of mail) and finally reject. DMARC settings should be reviewed and deployed with care so that intended mail flow is not disrupted.

Reference: Define DMARC to Validate Email
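The check a practitioner wants before and after publishing these records is whether they actually resolve and what policy they announce. The following PowerShell is an added example, not code from the original post: it looks up the SPF, DKIM and DMARC TXT records for a domain and summarizes the state of each. It assumes a Windows host with the DnsClient module (Resolve-DnsName) and the Microsoft 365 DKIM selector names selector1 and selector2; contoso.com is a placeholder domain.

```powershell
# Added example, not part of the original post. Reports SPF / DKIM / DMARC status for a domain.
function Get-TxtRecord {
    param([string]$Name)
    try {
        # CNAMEs (as Microsoft 365 uses for DKIM selectors) are followed automatically;
        # keep only the TXT answers and join multi-string records into one value.
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { ($_.Strings -join '') }
    } catch {
        @()   # NXDOMAIN or no answer: treat as "record missing"
    }
}

function Test-MailAuthRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DkimSelectors = @('selector1', 'selector2')   # Microsoft 365 defaults (assumption)
    )
    $findings = [ordered]@{}

    # SPF: exactly one v=spf1 record is allowed; more than one is a permanent error for receivers.
    $spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
    $findings.SPF = switch ($spf.Count) {
        0       { 'MISSING' }
        1       { if ($spf[0] -match '\s-all$') { "OK ($($spf[0]))" }
                  else { "WEAK - does not end in -all ($($spf[0]))" } }
        default { "INVALID - $($spf.Count) v=spf1 records published" }
    }

    # DKIM: each selector must publish a public key (a p= tag).
    foreach ($s in $DkimSelectors) {
        $dkim = @(Get-TxtRecord "$s._domainkey.$Domain" | Where-Object { $_ -match '(^|;)\s*p=' })
        $findings["DKIM:$s"] = if ($dkim.Count -ge 1) { 'OK' } else { 'MISSING' }
    }

    # DMARC: parse the tag=value pairs; p= is the policy applied to mail that fails alignment.
    $dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    if ($dmarc.Count -ne 1) {
        $findings.DMARC = if ($dmarc.Count -eq 0) { 'MISSING' } else { 'INVALID - multiple records' }
    } else {
        $tags = @{}
        foreach ($pair in ($dmarc[0] -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        $policy = $tags['p']
        $pct    = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
        $findings.DMARC = switch ($policy) {
            'none'       { 'MONITOR ONLY (p=none) - receivers take no action on failures' }
            'quarantine' { "QUARANTINE (pct=$pct)" }
            'reject'     { "REJECT (pct=$pct)" }
            default      { "INVALID - p=$policy" }
        }
        $findings.DMARCReports = if ($tags.ContainsKey('rua')) { $tags['rua'] }
                                 else { 'no rua= address - aggregate reports will not arrive' }
    }
    [pscustomobject]$findings
}

# Usage (placeholder domain):
Test-MailAuthRecords -Domain 'contoso.com' | Format-List
```

Run it against every domain the tenant accepts mail for, not just the primary one; parked domains that send no mail should still carry an SPF record of "v=spf1 -all" and a p=reject DMARC policy so they cannot be used for spoofing.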

Define DMARC Failure Rule

After DMARC is published for the organization's domains, create a rule in the Exchange Admin Center that decides where mail failing DMARC validation goes. For example: 'Deliver the message to the hosted quarantine' if the 'Authentication-Results' header contains "dmarc=fail", the sender's address domain belongs to any of the organization's accepted domains, and the message is received from 'Outside the organization.' Under Additional properties, set 'Match sender address in message' to Header so the condition tests the From address users see rather than the envelope sender. Newer anti-phishing policy settings can honour a sender's published DMARC policy directly; the rule remains a useful explicit control for your own domains, and it should be tested against quarantined samples before it is relied on.

Define Data Exfiltration Rule Restrictions

Business email compromise often ends with the attacker configuring a mailbox forwarding rule that sends a copy of every email to an address on a third-party domain, so they keep reading mail even after the password is reset. Employees also set up forwards to personal accounts. Both reduce the organization's overall security. A rule can be created in the Exchange Admin Center to reject such messages with an explanation that client forwarding rules to external domains are not permitted: the message is sent 'outside the organization', the message type is 'auto-forward', and the message is received from 'inside the organization.' It is also worth generating an incident report or alert from the same rule, so that a forwarding attempt triggers a check on whether the account is compromised; the report recipient can be defined while creating the rule. The outbound spam filter policy's automatic forwarding setting (Off) provides the same block at the tenant level, and existing inbox rules and mailbox forwarding addresses should be audited as well, since a transport rule only stops future messages.
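The three mail flow rules described on this page (the spoofing SCL rule, the DMARC failure rule and the external auto-forward block), plus an audit for forwarding that already exists, expressed as an added example in Exchange Online PowerShell rather than the Exchange Admin Center UI. This is not code from the original post. It assumes Connect-ExchangeOnline (ExchangeOnlineManagement module) has already been run, and secops@contoso.com is a placeholder mailbox for incident reports.

```powershell
# Added example, not part of the original post. Assumes an existing Exchange Online session.

# The organisation's own domains, taken from the tenant's accepted domains.
$ownDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

# 1. Spoofing filter: mail arriving from outside the organisation whose header From
#    domain is one of ours is marked SCL 9 (high-confidence spam). Add
#    -ExceptIfSenderIpRanges for third-party services that legitimately send as your domain.
New-TransportRule -Name 'Spoof filter - own domains from outside' `
    -FromScope NotInOrganization `
    -SenderDomainIs $ownDomains `
    -SenderAddressLocation Header `
    -SetSCL 9 `
    -Comments 'Inbound mail claiming to be from our own domains'

# 2. DMARC failure rule: quarantine inbound mail from our own domains whose
#    Authentication-Results header records dmarc=fail.
New-TransportRule -Name 'Quarantine DMARC failures for own domains' `
    -FromScope NotInOrganization `
    -SenderDomainIs $ownDomains `
    -SenderAddressLocation Header `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail' `
    -Quarantine $true

# 3. Exfiltration restriction: reject auto-forwards leaving the organisation and
#    send an incident report so a possibly compromised mailbox gets looked at.
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external domains is not permitted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -GenerateIncidentReport 'secops@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections

# Audit forwarding that was set up before the rule existed: mailbox-level forwarding
# addresses and inbox rules that forward or redirect mail. Review every hit by hand.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = 'MailboxForwarding'
                           Target  = $mbx.ForwardingSmtpAddress }
    }
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ }
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = "InboxRule:$($_.Name)"
                               Target  = ($targets -join '; ') }
        }
} | Format-Table -AutoSize
```

Each New-TransportRule call accepts -WhatIf, which is worth using first in a tenant you are not yet familiar with; rule 1 in particular will junk mail from any unauthenticated service sending as your domain until exceptions are added.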

Configure Connection Filters

The default connection filter policy holds an IP allow list and an IP block list, plus the Microsoft-maintained safe list of trusted senders. Adding the source IP addresses of verified third-party senders used by each of your domains to the allow list keeps their mail from being blocked by spam filtering. Messages from allowed IPs bypass most spam checks, so add only ranges you have confirmed with the vendor, keep the list short, and review it when a vendor changes infrastructure. In PowerShell the same settings are managed with Set-HostedConnectionFilterPolicy -Identity Default.

Reference: Connection Filters

Configure Alert Policies

Alert policies track user and administrator activities, malware threats and data loss incidents within each organization. At a minimum, define alerts for malware incidents, email forwarding and redirect rules, anomaly detection, and suspicious sign-in or administrative activity. It is highly recommended that event data also be forwarded to a SIEM for correlation and long-term retention. If a traditional SIEM is not in use, consider Microsoft's cloud-native SIEM, Microsoft Sentinel, which ingests many Microsoft 365 activity logs free of charge, with 30 days of retention free and 90 days in Sentinel-enabled workspaces. Additional fees typically apply for other data sources and for Log Analytics storage beyond that. Consider a managed service provider such as Pratum to assist with a fully managed environment.

Manage Office 365 Secure Score

Microsoft Secure Score analyzes each organization's Microsoft 365 configuration, reviews administrative activity and security settings, and makes recommendations. A score is computed from those settings and re-evaluated on an ongoing basis. It is a useful tool for understanding how much risk you are offsetting by using the security features across Microsoft 365, and all of its recommendations should be evaluated for your organization. *Note: settings should be reviewed carefully, and exceptions may be needed so that legitimate mail which intentionally uses your domain (sent on your behalf by approved services) is not disrupted. Secure Score is actively developed and now covers multiple areas of the Microsoft 365 cloud beyond email. Review it on a recurring basis; it provides a valuable amount of data and becomes more sophisticated with each release.

Reference: Secure Score Overview

Security & Compliance Features

Microsoft 365 contains a multitude of features, highlighted below, that should be reviewed and configured with appropriate settings in accordance with the business's IT security requirements. The following should also be considered and configured within the Security and Compliance section.

Data Loss Prevention – Policy protection to assist with identifying and protecting sensitive data.

Data Governance – Assists with classifying content, defining retention rules and data destruction.

Classifications – Labels can be applied to email or documents to enforce policies such as retention settings or sensitivity.

Data Privacy – Tools for meeting GDPR requirements, including responding to individuals' requests for access to their personal data.

Threat Management – Threat tracking and attack simulators can be performed to assess risk.

Customer Lockbox

Customer Lockbox lets an organization approve or deny each request by a Microsoft support engineer to access company data when that access is necessary to resolve a support case. It is available with Microsoft 365 E5 or the advanced compliance add-on license. This feature should be enabled if available (in Exchange Online PowerShell: Set-OrganizationConfig -CustomerLockBoxEnabled $true), and the designated approvers should be people who will actually read and act on the requests.

Reference: Enable Customer Lockbox

The Microsoft Platform

Widening the view beyond email, Microsoft offers an expansive set of tools to protect organizations. A well-integrated security program creates efficiencies and helps keep the organization current with today's threats. Organizations should evaluate their current Microsoft licensing and make sure they are using everything they already pay for, then look at whether stepping up a tier or adding individual licenses would improve their security posture. Microsoft Defender for Office 365, for example, includes Safe Links, which rewrites URLs in email and checks them against Microsoft's threat intelligence at the moment the user clicks rather than only at delivery, and Safe Attachments, which detonates attachments in a sandbox before they reach the mailbox. Together these give administrators insight into malicious emails and Office attachments.

Reference: Microsoft 365 Defender

Reference: Microsoft Defender for Office 365

Reference: Microsoft Defender for Cloud

Reference: Microsoft Sentinel

Microsoft has millions of users on Microsoft Office 365 and expected over two thirds of its business customers to be in the cloud by 2019. Microsoft applies a defense-in-depth approach, following operational best practices to provide physical, logical and data-layer protections. Those layers protect everyone who uses Microsoft 365, but under the shared responsibility model it remains each organization's responsibility to ensure its own tenant is implemented and configured securely. Each business must review, configure and tune the settings across the various Microsoft 365 services so that its risk tolerance is actually met.

For assistance with evaluating your organizations risk or cyber security needs, please contact Pratum.

Editor's Note: This post was originally published in July 2018 then updated in November 2020 and has again been updated for accuracy and comprehensiveness.