In our previous post, we shared some tips on how to better secure your Office 365 deployment. We covered:
- Applying multifactor authentication to your synced Active Directory and cloud passwords
- Addressing common security exposure points we’ve seen in Exchange Online
- Enabling the audit features in Office 365
These are all relatively simple steps that can be taken. We’re going to cover a couple more of the easier actions you can take to further secure Office 365.
Now, let’s walk through the remaining steps:
4. Protect Against Ransomware/Phishing and Spoofing
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are email protection standards that have been around for some time now. However, we still find that many organizations have a poor or non-existent deployment of these email protection methods. Implementing SPF, DKIM and DMARC helps protect your organization from spoofing and phishing attempts that misuse your email domains, and keeps your organization running by preventing your domains from landing on dreaded email blacklists.
SPF is the simplest of these to implement, with a primary purpose of establishing trusted senders for email domains you own. When SPF records are published in DNS, the receiving organization can check them to determine whether a message was sent from an IP address or service that you have listed as a trusted sender. This helps protect your domain reputation and gives the receiving organization an opportunity to reject messages that may be compromised.
DKIM is another method of validating that an email is being sent by a valid sender. DKIM works by adding a digital signature, computed over a hash of the message, to all outbound messages; receiving organizations validate it against a public key published in your DNS to confirm that the email was sent from a user or service that is a trusted sender. While the end result is similar to SPF, DKIM adds security by helping to ensure that a message has not been altered in transit. Exchange Online can sign all outbound messages natively, and with a bit of DNS work DKIM can be enabled quickly and easily.
DMARC is at the top of the email protection pyramid as it depends on a successful implementation of both SPF and DKIM to provide proper protection. DMARC policies tell receiving organizations what to do when they receive a message that fails either SPF or DKIM checks: you can instruct them to quarantine or reject the message.
Additionally, when a DMARC record is published via DNS, DMARC reports will be generated and sent to an account or service you specify. These reports can be reviewed by your organization so that you can get a better picture of exactly what types of email are being sent via your domain, and whether there are parties actively using your domain maliciously.
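To show what reviewing these reports looks like in practice, the added example below (not from the original post) summarizes a DMARC aggregate report per sending IP. The report is a constructed sample using documentation addresses, and the function names are hypothetical.

```python
# Added example: summarize a DMARC aggregate (rua) report per sending IP.
# SAMPLE_REPORT is constructed for illustration; it is not a real report.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>5</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.99</source_ip><count>12</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return {source_ip: message and failure counts} for one report."""
    # Reports come from outside parties: parse real ones with a hardened
    # XML parser (e.g. defusedxml); this sample is trusted.
    root = ET.fromstring(xml_text)
    stats = defaultdict(
        lambda: {"messages": 0, "spf_fail": 0, "dkim_fail": 0, "both_fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip", default="unknown")
        count = int(row.findtext("count", default="0"))
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        entry = stats[ip]
        entry["messages"] += count
        entry["spf_fail"] += 0 if spf_ok else count
        entry["dkim_fail"] += 0 if dkim_ok else count
        entry["both_fail"] += 0 if (spf_ok or dkim_ok) else count
    return dict(stats)

def unauthenticated_sources(xml_text):
    """IPs that sent mail passing neither check, highest volume first."""
    hits = [(ip, s["both_fail"])
            for ip, s in summarize(xml_text).items() if s["both_fail"]]
    return sorted(hits, key=lambda h: h[1], reverse=True)
```

Sources returned by `unauthenticated_sources` are either legitimate senders missing from your SPF and DKIM setup or parties using your domain without authorization, so each one needs to be identified before moving to a quarantine or reject policy.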
While some of this can get a bit complicated, starting with SPF and DKIM should be a simple process that can be enabled quickly. When your organization is ready to implement DMARC, Microsoft has made this process a bit simpler by teaming up with Valimail to offer a free DMARC monitoring service that will allow you to quickly and easily view DMARC reports and keep an eye on how your domain is being used across the globe.
5. Upgrade to E5 Licensing
While upgrading to a new licensing package may not be for every organization because of the costs, it is a simple and easily executable option that organizations can use to increase their security options immediately. While the traditional Enterprise E1 and E3 plans offer some great security capabilities, E5 plans build on these by providing features that are not available in the existing E1 and E3 packages. Some of these advanced security features include:
- Office 365 Advanced Threat Protection
- Customer Lockbox
- Advanced Data Governance
- Office 365 Cloud App Security
- Advanced E-Discovery
If any of these security options are needed, it may make sense to look at the E5 licensing package or consider options for adding these security features as an a la carte add-on to your existing E1 or E3 licensing plan.
The above recommendations are the quick and simple options for beginning to move your organization towards a more robust cybersecurity posture in Office 365. However, these suggestions certainly do not address all the possible attack vectors used by external hackers. These attack vectors are becoming more sophisticated each day, and such attacks are becoming less costly and easier to launch. Making sure your organization is prepared for these attacks and has the proper protections in place takes proper planning, execution, and an understanding of the best ways to close these security holes with the tools at your disposal. As always, CDW is here to help your organization navigate these scenarios and help you make informed decisions.
Until next time — stay safe out there!