What’s included in Microsoft 365 E5 Security?
The following plans and technologies are included in the Microsoft 365 E5 Security SKU:
Azure AD Premium Plan 2
As part of E5 Security, you’ll get access to Azure AD Premium Plan 2 (AADP2), which contains some effective identity management features:
- Access reviews: Manage group memberships, access to applications, and review user access privileges. Helps ensure the right users have the access they need to be productive – but also enables you to remove access as people leave or move throughout your organisation.
- Azure AD Identity Protection: Draws on Microsoft’s security telemetry to automate the detection and remediation of identity-based risks.
- Privileged identity management (PIM): Control and monitor access to sensitive resources. Limit elevated access privileges to only those who need them with just-in-time access – and remove it when the task is completed.
- Entitlement management: An identity governance feature, entitlement management helps you manage your identity lifecycles at scale. Automate the provision and removal of access to users within your environment as well as those in external partners and suppliers.
Microsoft Defender for Office 365
One of three ‘Defender’ suites included in E5 Security, you’ll get both Plan 1 and Plan 2 versions of Defender for Office 365.
Plan 1 includes:
- Anti-phishing: With phishing attacks accounting for 91% of large organisation breaches (UK Gov, 2021), it’s important to have robust anti-phishing capabilities in place. Defender for Office 365 provides everything you need to identify, isolate, and nullify attempts to phish your users.
- Real-time detections: Using the Threat Explorer function, detect and respond to phishing attacks as they happen. See who was targeted and when, then preview the phishing emails and identify what action was taken.
- Safe attachments: Safe attachments uses a virtual environment to check email attachments before they’re delivered to a recipient. Scanned in a secure detonation chamber, URLs and links are validated before the document is approved for delivery.
- Safe links: Safe links covers URLs found within emails, Microsoft Teams, and Office 365 apps. Links are rewritten, scanned, and compared against a list of known malicious destinations.
Plan 2 includes:
- Attack simulation training: Run a variety of realistic phishing attack scenarios in your environment to help identify vulnerable users before a real attack does. Then provide relevant training to educate and improve your security.
- Automated investigation and response (AIR): Takes the legwork out of identifying and responding to threats. Potential dangers are flagged with prepared remediation actions – simply awaiting approval from your security team.
- Threat explorer: See all detected malware and phishing activity and launch investigation and remediation activity from one location.
- Compromised user detection: Quickly locate compromised accounts through suspicious activity, such as spam emails coming from a verified user.
Microsoft Defender for Endpoint Plan 2
In a case of ‘doing what it says on the tin’, Defender for Endpoint helps protect endpoint user devices and access.
Using a combination of embedded behavioural sensors in Windows 11, Microsoft threat intelligence and cloud security analytics, Defender for Endpoint will help you identify compromised devices and activity – shutting down lateral movement attacks, fast.
Some of Defender for Endpoint’s features will be available in E3 under Plan 1 in 2022, but as part of Plan 2, you’ll get access to the following:
- Advanced hunting: Explore up to 30 days of raw data with query-based threat hunting to identify both known and unknown threats. Create custom detection rules to automatically check for suspicious activity.
- Evaluation lab: Run simulations and configuration tests to see how Defender for Endpoint would perform in your environment before applying it. Use lab results to refine and target vulnerable areas for improvement.
- Automated investigation and response (AIR): Prioritising and investigating alerts is time-consuming. Defender for Endpoint’s AIR acts like a virtual analyst working 24/7 to determine if a threat requires action, what action to take, applying that action, and then investigating the alert further.
- Threat and vulnerability management: Find and focus on endpoint weaknesses that pose the most risk based on threat landscape intelligence, detections in your environments, sensitive device data, and more.
- Endpoint detection and response: Detect attacks in near real-time and take effective action in response. Defender for Endpoint organises and categorises attacks for easy investigation, storing behavioural data for 6 months for in-depth analysis.
- Device discovery: Mapping all the devices in use in your network can be a challenge, particularly when it comes to unmanaged devices. Device discovery helps you identify laptops and mobiles not yet onboarded as well as other devices such as routers, printers and cameras.
Microsoft Defender for Identity
With 61% of breaches attributed to leveraged credentials (Verizon, Data Breach Investigations Report, 2021), monitoring and reacting to compromised identities is key to securing your environment – which is exactly what Defender for Identity was designed to do.
Defender for Identity utilises your on-premises Active Directory to detect and investigate suspicious user behaviour. Identity-based attacks typically target low-privileged users and then move laterally through your network to gain access to sensitive data and privileged accounts.
Defender for Identity helps you build a timeline of suspicious activity, identifying not only where the original breach occurred but the attacker’s direction of travel through your environment.
Microsoft Defender for Cloud Apps
Defender for Cloud Apps (previously called Cloud App Security) is a cloud access security broker, providing controlled access to cloud-based apps and services.
It does this by analysing things like device/user location and security configuration – this helps identify the use of any shadow IT devices and protects against suspicious access attempts.
It also helps you to identify any unapproved applications in use and keep sensitive data in the Cloud secure.
By employing Defender for Cloud Apps, managing the security and compliance of your cloud apps and resources becomes much easier.
What is Microsoft 365 E5 Compliance?
The second sub-set of Microsoft’s E5 licence allows you to add Microsoft’s top-tier compliance technologies to your E3 licence.
As legislation and data protection laws only increase in their importance, these technologies will become essential for enterprises that possess large amounts of sensitive data that needs to be identified, managed, and secured.
This will help show compliance at audit, offering detailed reports of what you have, where, and the proven ability to keep it safe.
What’s included in Microsoft 365 E5 Compliance?
The below are all available as individual licences, but as part of the E5 Compliance add-on, you’ll get access to:
Advanced eDiscovery and audit
Designed to help you respond to legal investigations or requests, Advanced eDiscovery enables you to easily identify persons of interest, associated data sources, and apply legal holds to that data.
Advanced eDiscovery identifies in-place data from across Teams, Yammer, SharePoint Online, OneDrive for Business, and Exchange Online. This functionality can also be extended to third-party sources via data connectors.
Adhering to the Electronic Discovery Reference Model, Advanced eDiscovery allows you to perform the following steps to reduce and manage relevant data on a case-by-case basis:
- Identification – Add persons of interest as custodians to a case.
- Preservation – Place a legal hold on data sources associated with custodians.
- Collection – Search and collect live data relevant to the case.
- Processing – Gain a static view of data in an Azure-based review set.
- Review – View, tag, and annotate specific documents.
- Analysis – Use integrated tools to cull irrelevant data quickly and accurately.
- Production and Presentation – Export documents for review either in their native format or formatted for use by third-party software.
Insider risk management
When it comes to cyber security, the focus is typically on those trying to get in rather than those already inside.
But internal users can also pose a significant threat – whether by accident or deliberate action.
Insider risk management helps prevent various illegal, unauthorised, inappropriate, or unethical behaviour within your organisation. Using pre-defined policy templates and conditions, you can easily define what actions trigger an alert and what preventative or precautionary measures are implemented as a result.
When an alert has been triggered, your analysts can then create cases to investigate suspicious activity in greater detail and take any appropriate action required.
Utilising insider risk management can help you guard against:
- Sensitive data leaks
- Confidentiality violations
- Intellectual property theft
- Fraud
- Insider trading
- Regulatory compliance violations
Key features of the insider risk management suite are:
- Communication compliance: Isolate and identify communications or messages containing profanity, threats, abuse, or sensitive information both inside and outside your organisation.
- Customer Lockbox: Grant Microsoft support access to data in Exchange Online, SharePoint Online, and OneDrive for Business. Access must be approved by you and all action taken is logged for audit to ensure sensitive information stays secure.
- Information barriers: Supported in Teams, SharePoint, and OneDrive, information barriers can be established to block communications between groups of users and prevent the sharing of confidential information.
- Privileged Access Management: Reduce standing access to sensitive data and documents. Implement just-in-time access rules so users only have approved access for the task required – and that access is removed upon completion.
Information protection and governance
Microsoft’s information protection and governance suite is designed to help you achieve four things: know what data you have, protect that data, prevent data loss, and effectively govern it.
Having the ability to locate and protect data wherever it travels is key to remaining compliant with increasingly stringent data protection regulations.
Microsoft’s governance technologies will be especially important to highly regulated organisations such as those operating in financial services, healthcare, legal services, etc.
Key features of the information protection and governance suite are:
- Endpoint data loss prevention (DLP): Classify certain data and documents as sensitive and use DLP to monitor the actions taken on them, whether they’re moved, copied, printed, or renamed.
- Trainable classifiers: Auto-label sensitive information based on keywords or previously identified information such as credit card numbers. Use classifiers to apply protections based on item types by providing examples to speed up identification and security.
- Customer Key: You provide and control the encryption of your Microsoft 365 data. Similar to Customer Lockbox, visibility of data and documents can only be granted to services approved by you.
- Information governance: Keep on top of your data with processes that automatically keep what you need and delete what you don’t. Set retention policies and archive data for easy audit and compliance proof.
- Records management: Place restrictions on items by labelling them as a ‘Record’, preventing them from being edited, deleted, or copied to ensure records are preserved and cannot be tampered with.
Microsoft 365 E5 Security and Compliance add-on pricing
The Microsoft 365 E5 Security and Compliance add-ons are available if you already have any of the following licences:
- Enterprise Mobility + Security E3
- Office E3
- Microsoft 365 E3
Primarily used as add-ons for Microsoft 365 E3 licence holders, it should be noted that individual licensing plans are also available for Defender for Office 365, Defender for Endpoint, and Azure AD Premium, as well as the three licences that make up the Microsoft 365 E5 Compliance SKU.
Each complete E5 add-on will cost you around £9 per user/per month. If you were to purchase both the Security and Compliance add-ons you would have access to nearly all the E5-level technologies (barring audio conferencing, a phone system, and Power BI Pro).
But if that’s something you may be considering, then simply upgrading to a full E5 licence would be the recommended option – both to simplify your licensing costs and to ensure you get the full benefits.
Naturally, prices are subject to change, but E5 has remained fairly constant in recent times. So, it’s worth looking into what your preferred licensing combination could cost you per user/per month as you may be paying close to, or even more than, an E5 licence.
Are the Microsoft 365 E5 Security and Compliance add-ons worth it?
In 2021, Microsoft, the Government Digital Service, and the National Cyber Security Centre updated their security and compliance guidance for UK public sector organisations using Microsoft 365.
Based on a tiered approach of ‘Good’, ‘Better’, and ‘Best’, the advice is that most organisations need to be hitting the ‘Better’ standard.
To do that, you’ll need access to the E5 level security technologies at least; to hit the ‘Best’ level you would need both add-ons or an E5 licence.
The ability to prove you have effective security and compliance capabilities in place will put your organisation in good stead for future threats and data legislation.
Whether it’s one add-on, both, or a full E5 licence, the security and compliance technologies included in Microsoft 365 E5 are becoming crucial to the success of modern enterprises – so it’s well worth putting some thought into what combination or solution works best for you.
Can I trial the Microsoft 365 E5 Security and Compliance add-ons?
It’s possible to trial some of the individual technologies included in E5 Security and Compliance, but not as an entire licence. Our recommendation is to use a Microsoft Partner to help you identify the best course of action, as they can support you through the entire process from selecting a solution to design and deployment.
Using a Partner will also enable you to take advantage of Microsoft’s FastTrack programme, giving you access to resources and specialist expertise to get you up and running much sooner.