2. Our expertise + Microsoft 365 Business
We can manage your security operations
remotely so you don’t have to…
Supporting point #1
Supporting point #2
Supporting point #3
We can help you integrate your…
Supporting point #1
Supporting point #2
Supporting point #3
We’re the expert in cloud deployment…
Supporting point #1
Supporting point #2
Supporting point #3
3. Introductions
Project Overview and Scope
Approach and Scope
Timeline
Engagement Process
Technology Overview
Microsoft 365 Business Overview
Windows Defender Exploit Guard
Office 365 Advanced Threat Protection (ATP)
Office 365 Data Loss Prevention (DLP)
Device Management Policies
Azure Information Protection (AIP)
Closing
Questions & Answers
Next Steps
4. Workflow and Schedule
Two weeks ago: Pre-Engagement meeting
Last week: Secure executive sponsor and align resources to complete the offer
Now: Complete the Microsoft 365 Business Secure Deployment offer
One week from now: Present the findings, discuss remediation and next steps. Deliver prioritized roadmap
5. Microsoft 365 Business Secure Deployment Agenda
Columns: Workshop | Description | Outcome | Customer attendees | Time | Scheduled time, room
Day 1
Engagement Kickoff | Provides an overview of the offer goals as well as an opportunity to cover Q&A and project governance. | Agreed plan and schedule for the 2-day on-site assessment. Confirm schedule and logistics. | All project team | 2 hours | <Time>, <Room>
Start Assessment & Remediation | Answer the questions from the offline assessment and examine Office 365 Secure Score if applicable. | Remediation Checklist | Selected customer responders | 6 hours | <Time>, <Room>
Day 2
Day 1 Review | Review progress from day one, discuss any open items and identified issues. | Ready to move on with completion of the Microsoft GDPR Detailed Assessment. | All project team | 0.5 hours | <Time>, <Room>
Complete Deployment Workshop | - | Microsoft 365 Business Deployment Plan | Selected customer responders | 1.5 hours | <Time>, <Room>
Deployment, outcome analysis & Write-Up | - | Microsoft 365 Business Deployed | IT Team | 6 hours | <Time>, <Room>
6. Microsoft 365 Business Secure Deployment Agenda (continued)
Columns: Workshop | Description | Outcome | Customer attendees | Time | Scheduled time, room
Day 3
Day 2 Review | Review progress from day two, discuss any open items and identified issues. | Ready to move on with completion of Security Workshop | All project team | 30 minutes | <Time>, <Room>
Start Security Workshop | - | Security Plan | Selected customer responders | 1.5 hours | <Time>, <Room>
Deployment, outcome analysis & Write-Up | - | Security features implemented | IT Team | 6 hours | <Time>, <Room>
Day 4
Day 3 Review | Review progress from day three, discuss any open items and identified issues. | Ready to move on with completion of Sensitive Data Workshop | All project team | 0.5 hours | <Time>, <Room>
Complete Sensitive Data Workshop | - | Data Governance Plan | Selected customer responders | 1.5 hours | <Time>, <Room>
Deployment, outcome analysis & Write-Up | - | Data governance features implemented | IT Team | 6 hours | <Time>, <Room>
7. Microsoft 365 Business Secure Deployment Agenda (continued)
Columns: Workshop | Description | Outcome | Customer attendees | Time | Scheduled time, room
Day 5
Day 4 Review | Review progress from day four, discuss any open items and identified issues. | Ready to move on with completion of Migration Workshop | All project team | 30 minutes | <Time>, <Room>
Start Migration Workshop | - | Migration Plan | Selected customer responders | 1.5 hours | <Time>, <Room>
Migration, outcome analysis & Write-Up | - | Migration started | IT Team | 6 hours | <Time>, <Room>
Days 6-10
Daily Review | Review progress from the prior day, discuss any open items and identified issues. | Ready to continue with migration | All project team | 0.5 hours | <Time>, <Room>
Migration | - | Email and files migrated to Office 365 Business | Selected customer responders | 6.5 hours | <Time>, <Room>
Outcome analysis & Write-Up | - | Status report & project close on final day | IT Team | 1 hour | <Time>, <Room>
8. Customer Team - Workshop Attendees
Role Description Title Contact information
Project Executive Sponsor
• Executive sponsor who is responsible for driving the strategic vision for the
organization & making key decisions
• Ultimate authority and accountability for the project and delivery on project
objectives
• Helps resolve issues escalated by project team
• Provides guidance and clarity regarding overall security strategy, standards
and policies for the organization
Project Manager
• Coordinates partner and working teams engaged in the project
• Schedules all meetings with appropriate resources
• Is the central point for dissemination of the engagement deliverables
• Records and manages project issues, including escalations
• Liaises with, and provides updates to, project executive sponsors
• Ensures that the on-site requirements are met in time for the on-site
workshops
IT Administrator(s) and Security team
• Responsible for IT security strategy defined by the organization
• Analyses and chooses products for the organization that meet business goals
• Accountable for creating and maintaining the infrastructure
• Provides insights into current and planned IT & security guidelines, requirements and standards for the organization
9. Partner Team - Workshop Attendees
Role Description Title Contact information
Project / Engagement Manager
• Develops and maintains project timeline
• Coordinates partner and working teams engaged in the project
• Manages project deliverables
• Records and manages project issues, including escalations
• Liaises with, and provides updates to, customer Project Manager
Delivery Architects / Consultants
• Prepares the workshop materials and delivers the workshops
• Performs deployment, configuration, and migration tasks
• Accountable for creating the engagement deliverables
10. Team Introductions
Please share your name and where you are from
Please share your role in the company
Please share your expectations of the session
12. Assist with the deployment of:
Microsoft 365 Business
Intune Device Management
Office 365 Advanced Threat Protection (ATP)
Data Loss Prevention (DLP)
Azure Information Protection (AIP)
13. We will utilize the Online Services Lifecycle methodology (OSL) to complete this project:
Phases: Initiation, Assess, Remediate, Enable, Migrate
14. OSL phase: Initiation
Initiate team formation and
communicate expectations.
Conduct a detailed walk-
through of the SOW.
Complete the project
initiation and launch
prerequisites.
15. OSL phase: Assess
Conduct the assessment
workshop.
Complete the Secure Score
assessment
Document the remediation
checklist.
16. OSL phase: Remediate
Provide the customer up to
½ day of remediation
activity assistance.
Update and finalize the
remediation checklist based
on Customer Name’s
feedback.
Customer to perform
remaining remediation
activities, resolving or
mitigating all items in the
remediation checklist.
17. OSL phase: Enable
Conduct the deployment
workshop.
Update the deployment
plan based on Customer
input.
Assist with the deployment
of the products in scope.
Assist with the functional
testing of the deployed
solution.
18. OSL phase: Migrate (optional)
Plan for migration of email
Plan for migration of files
Execute migration
19. The following items are considered out of scope for this engagement:
For Office 365 ATP:
Deployment or configuration of non-Microsoft message hygiene solutions.
Migration of email block/allow lists.
Configuration of Domain Name System records required for DomainKeys Identified Mail.
SIEM integration.
Creation of custom reports, dashboards, or delivery schedules.
Integration of Office 365 Advanced Threat Protection with other email antivirus or antimalware solutions, whether on-premises or cloud-based.
20. The primary risks to the success of the engagement are:
Delays in necessary changes to DNS for Office 365 custom domains.
Unknown/insecure mail flow ingress (bypassing EOP/ATP).
22. Complexity
Initial setup, fine-tuning, creating rules, policies, thresholds, and
baselines can take a long time.
Prone to false positives
You receive too many reports in a day with several false
positives that require valuable time you don’t have.
Designed to protect the perimeter
When attackers successfully compromise a user, your current
defenses provide limited detection and protection.
28. What’s new?
We’ve recently added advanced security features to Microsoft 365 Business to help businesses
protect against cyberthreats and safeguard sensitive information.
Cyber Threats
1. Office 365 Advanced Threat Protection: attachment scanning and ML detection to catch suspicious attachments; link scanning/checking to prevent users from clicking suspicious links.
2. Windows Exploit Guard Enforcement: protects devices from ransomware and malicious websites at the device endpoint.
Safeguard Sensitive Information
1. Data Loss Prevention: performs deep content analysis to easily identify, monitor, and protect sensitive information from leaving the organization.
2. Azure Information Protection: controls and manages how sensitive content is accessed.
3. Intune Availability: protects data across devices with end-to-end device and app management.
4. Exchange Online Archiving: 100GB archiving and preservation policies to recover data or remain compliant.
5. BitLocker Enforcement: encrypts data on devices to protect it if the device is lost or stolen.
29. Comparison of Microsoft 365 Business and Office 365 E3
Features (new features were highlighted in blue on the original slide); columns: Office 365 E3 | Microsoft 365 Business
Estimated retail price per user per month, $USD (with annual commitment): $20 | $20
Maximum number of users: unlimited | 300
Office Apps (install Office on up to 5 PCs/Macs + 5 tablets + 5 smartphones per user: Word, Excel, PowerPoint, OneNote, Access; Office Online): ProPlus | Business
Email & Calendar (Outlook, Exchange Online): 100GB | 50GB
Chat-based Workspace, Meetings: Microsoft Teams, Skype for Business
File Storage (OneDrive for Business): Unlimited | 1 TB
Social, Video, Sites: Stream, Yammer, Planner, SharePoint Online [1], Power Apps [1], Flow [1]
Business Apps: Scheduling Apps (Bookings, StaffHub); Business Apps (Outlook Customer Manager, MileIQ [1], Business center [2], Listings [2], Connections [2], Invoicing [2])
Threat Protection: Office 365 Advanced Threat Protection; Windows Exploit Guard Enforcement
Identity & Access Management: Azure Active Directory - SSPR Cloud Identities, MFA, SSO >10 Apps
Device & App Management: Office 365 MDM; Microsoft Intune, Windows AutoPilot, Windows Pro Management; upgrade rights to Windows 10 Pro for Win 7/8/8.1 Pro licenses
Information Protection: 100 GB Exchange Archiving, Office 365 Data Loss Prevention [4]; Azure Information Protection Plan 1, BitLocker Enforcement
On-Prem CAL Rights: ECAL Suite (Exchange, SharePoint, Skype)
Compliance: Litigation Hold, eDiscovery, Compliance Manager, Data Subject Requests
[1] Indicates Office 365 has Plan 2 and Microsoft 365 Business has Plan 1 of the functionality
[2] Available in US, UK, Canada
[3] Currently in public preview in US, UK, Canada
[4] Data Loss Prevention features will be available summer 2018
30. Safeguard your data
Protect your company against external threats and data leaks: protection from threats, protection from data leaks, control data access
31. Safeguard your data:
Protection from threats
AI-powered attachment scanning
detects malware previously not seen
Links are checked in real time to warn
you if the destination is a malicious site
Windows devices are monitored for
suspicious processes like ransomware
32. Safeguard your data:
Protection from data leaks
Apply data loss prevention policies to
help keep sensitive information from
falling into the wrong hands*
Enforce BitLocker device encryption to
protect data if a computer is lost or
stolen
Manage all your devices—PCs, Mac, iOS,
and Android—with full-featured Intune
management
33. Safeguard your data:
Control data access
Apply encryption and restrictions like
do not forward to emails and
documents
Remotely wipe business data without
affecting personal information
Require PIN or fingerprint to access
business documents and data
34. Security that travels with you
Protect your data and devices against malware, malicious
attacks, and device loss or theft. BitLocker, BitLocker to
Go, and Windows Information Protection help protect
business data on mobile devices by ensuring all business
data is encrypted and accessible only by authorized users.
Further protect Windows 10 devices from unauthorized
access using Windows Hello multi-factor authentication
to strengthen your users’ device credentials.
Perform a remote Selective Wipe of company data easily
on lost or stolen devices.
35. Reduce your security risk
Centralize control of your company data on
personal devices.
Reduce your risk profile with security features
for SMB customers.
Apply a consistent security configuration
profile, across managed devices.
Establish a baseline of security policies across
managed devices.
Configure devices consistently to help ensure
that your data and devices are protected from
malware and external threats.
36. Help protect your devices, data, and people
Know that lost or stolen devices are protected with Windows 10 built-in encryption
capabilities like BitLocker and BitLocker to Go.
Help prevent accidental data leaks by securely separating business information from
personal information with Windows Information Protection, and perform a remote
Selective Wipe of business data on demand while leaving personal data untouched.
Make sure employees always have access to files while confining company
information to Office apps, using App Protection for Office mobile apps capabilities
for personal iOS, and Android devices.
Make accessing Windows 10 devices more convenient, simple, and secure by using
Windows Hello biometric authentication to unlock devices with a look or a touch.
Help make sure that devices boot securely and that only trusted software can run
during start-up with Windows Trusted Boot used in combination with the PC industry
hardware standard, UEFI Secure Boot.
Enforce Windows Defender to always be on from within the admin console.
38. Windows Defender Exploit Guard
Antivirus/antimalware detection and protection enhanced by cloud-
based analysis and insights.
Office 365 Advanced Threat Protection
Detection of—and protection against—malware and malicious links for
your Office 365 email and productivity apps.
Data Loss Prevention
Identify and protect sensitive information
Device Management Policies
Protect & secure devices and the business data access by and stored
on devices
Azure Information Protection
Classify, label, and protect files no matter where they are or where they go
42. Apply policies that provide pre-breach threat resistance in Windows 10,
reducing the attack and exploit surface area of Windows and your
applications.
Automatically applies a number of exploit mitigation techniques on both the
operating system processes and on individual apps.
• Attack surface reduction
• Controlled folder access
• Network Protection
43. Targets specific behaviors that are typically used by malware and malicious
apps to infect machines, such as:
• Malware included as executable files and scripts in Office apps or email.
• Scripts that are obfuscated or otherwise suspicious.
• App behaviors that are not usually initiated during normal day-to-day work.
44. Protect company data from modification by suspicious or malicious apps,
such as ransomware. These types of apps are blocked from making changes
in protected folders.
Executable files (.exe, .scr, .dll files and others) are assessed to determine whether
the app is malicious or safe. If the app is determined to be malicious or
suspicious, it will not be allowed to make changes to any files in any
protected folder.
45. Network protection
Helps reduce the attack surface of your devices from Internet-based events.
Prevents employees from using any application to access dangerous domains
that may host:
• Phishing scams
• Exploits
• Other malicious content
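Slides 42 to 45 describe the three Exploit Guard controls but not how they are switched on or checked. The script below is an added example, not the deck's or Microsoft's own code: it enables attack surface reduction rules matching the slide 43 behaviours, controlled folder access and network protection on a Windows 10 device, starting in audit mode so the Defender event log shows what would be blocked before enforcement. It assumes an elevated session with the built-in Defender module (Get-/Set-/Add-MpPreference); the protected folder path is a placeholder.

```powershell
# Added example (not from the deck). Requires an elevated PowerShell on Windows 10
# with the Defender module. Start in AuditMode, review events, then switch to Enabled.

# ASR rules that map to the behaviours on slide 43 (executables from email/Office,
# obfuscated scripts, unusual app behaviour). GUIDs are Microsoft's published rule IDs.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

function Set-ExploitGuardBaseline {
    [CmdletBinding()]
    param(
        # AuditMode only logs; Enabled actually blocks.
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode',
        # Additional folders for controlled folder access (placeholder path, adjust per customer).
        [string[]]$ProtectedFolders = @('D:\Finance')
    )

    # Slide 43: attack surface reduction
    foreach ($id in $AsrRules.Keys) {
        Write-Verbose ("ASR {0} ({1}) -> {2}" -f $id, $AsrRules[$id], $Mode)
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
    }

    # Slide 44: controlled folder access (untrusted apps cannot modify protected folders)
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($folder in $ProtectedFolders) {
        if (Test-Path $folder) {
            Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        }
    }

    # Slide 45: network protection (any process reaching a low-reputation domain)
    Set-MpPreference -EnableNetworkProtection $Mode
}

function Get-ExploitGuardStatus {
    # Numeric values from Get-MpPreference: 0 = disabled, 1 = enabled/block, 2 = audit
    $p = Get-MpPreference
    [pscustomobject]@{
        AsrRuleIds             = $p.AttackSurfaceReductionRules_Ids
        AsrRuleActions         = $p.AttackSurfaceReductionRules_Actions
        ControlledFolderAccess = $p.EnableControlledFolderAccess
        NetworkProtection      = $p.EnableNetworkProtection
        ProtectedFolders       = $p.ControlledFolderAccessProtectedFolders
    }
}

function Get-ExploitGuardEvents {
    param([int]$Days = 7)
    # Defender operational log: 1121/1122 ASR block/audit, 1123/1124 controlled
    # folder access block/audit, 1125/1126 network protection block/audit.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-ExploitGuardBaseline -Mode AuditMode -Verbose
Get-ExploitGuardStatus
Get-ExploitGuardEvents -Days 7
```

Once a week of audit events shows no legitimate business application being flagged, rerun with `-Mode Enabled` to enforce.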
48. Advanced threat protection: Time-of-click protection for malicious links.
1. URLs are rewritten to redirect to a web server.
2. A user clicking the URL is taken to EOP web servers for the latest check at the "time-of-click".
3. The web servers perform the latest URL reputation check.
51. Our systems continuously update and enhance: updating known "malware" after discovery of an unknown file hash.
Email with attachment: signature-based AV blocks known threats.
53. With DLP, you can:
• Identify sensitive information across many locations.
• Prevent accidental sharing of sensitive information.
• Help users learn how to stay compliant without interrupting their workflow.
• View DLP reports showing content that matches your organization’s DLP
policies.
55. You may scope a policy to specific locations or all locations
All locations includes:
• SharePoint Online
• OneDrive for Business accounts
• Exchange mailboxes
56. • Over 80 built-in sensitive item types
• Custom sensitive item types
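Slides 55 and 56 describe policy scope and sensitive item types without showing a policy. This added example, not the deck's or Microsoft's own code, creates one DLP policy scoped to all three locations named on slide 55 with a rule built on two built-in sensitive information types, starting in test mode so matches are reported before anything is blocked. It assumes the ExchangeOnlineManagement module, a Compliance Administrator account and the Security & Compliance session opened by Connect-IPPSSession; the policy and rule names are placeholders.

```powershell
# Added example (not from the deck). Run from Security & Compliance PowerShell.
Connect-IPPSSession

# Placeholder names; rename to match the customer's naming convention.
$PolicyName = 'Sensitive data - all locations'
$RuleName   = 'Block external sharing of SSN and card numbers'

function Get-BuiltInSensitiveTypes {
    # Slide 56: the built-in sensitive item types available in the tenant. Rule
    # definitions below must use names that appear in this list.
    Get-DlpSensitiveInformationType | Select-Object Name
}

function New-SensitiveDataPolicy {
    param(
        # TestWithNotifications reports and notifies without blocking; Enable enforces.
        [ValidateSet('TestWithNotifications', 'Enable')]
        [string]$Mode = 'TestWithNotifications'
    )

    # Slide 55: scope to all locations (Exchange mailboxes, SharePoint Online,
    # OneDrive for Business accounts).
    New-DlpCompliancePolicy -Name $PolicyName `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Comment 'Added example policy for SSN and card numbers' `
        -Mode $Mode

    # Rule: SSN or credit card number shared with people outside the organisation
    # is blocked, the owner is told why, and an incident report goes to the site admin.
    New-DlpComplianceRule -Name $RuleName -Policy $PolicyName `
        -ContentContainsSensitiveInformation @(
            @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
            @{ Name = 'Credit Card Number';                minCount = '1' }
        ) `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -NotifyUser Owner `
        -GenerateIncidentReport SiteAdmin `
        -IncidentReportContent All
}

function Get-SensitiveDataPolicyStatus {
    # Verify scope and mode, then the rule's block/notify settings.
    Get-DlpCompliancePolicy -Identity $PolicyName |
        Select-Object Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
    Get-DlpComplianceRule -Policy $PolicyName |
        Select-Object Name, BlockAccess, AccessScope, NotifyUser
}

Get-BuiltInSensitiveTypes | Sort-Object Name | Select-Object -First 10
New-SensitiveDataPolicy -Mode TestWithNotifications
Get-SensitiveDataPolicyStatus
```

After the test period, `Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable` turns the same policy into an enforcing one.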
58. BitLocker is a data protection feature that encrypts drives on your computer
to help prevent data theft or exposure.
Simple setting to enforce BitLocker device encryption on all Windows devices
to help protect against data theft or exposure if a protected device is lost or
stolen
61. Settings that automatically protect a device that is lost or stolen
• Delete work files from an inactive device
• Save all work files to OneDrive for Business
• Encrypt work files
62. Settings that control how users access Office files on mobile devices
• Require a PIN or fingerprint to access Office apps
• Reset PIN when logins fail
• Require users to sign in again after Office apps have been idle
• Deny access to work files on jailbroken or rooted devices
• Don't allow users to copy content from Office apps into personal apps
63. Files used by these apps can be protected:
iOS / Android: Word Mobile, Excel Mobile, PowerPoint Mobile, Outlook Mobile, OneDrive, OneNote, Skype for Business, Teams
Windows 10: Office Desktop, OneDrive, OneNote, Mail and Calendar, Skype for Business, Microsoft Edge, Internet Explorer
64. Windows 10 devices have additional protection options:
• Prevent copying of company data
• Enable recovery of personal data
• Protection for additional company cloud locations
67. Challenges with the complex environment
People: employees, business partners, customers
Assets: apps, devices, data, users
Risks: data leaks, lost device, compromised identity, stolen credentials
68. The problem is ubiquitous
Intellectual property theft has increased: 56% rise in data theft
Accidental or malicious breaches due to lack of internal controls: 88% of organizations are losing control of data
Saving files to non-approved cloud storage apps is common: 80% of employees admit to using non-approved SaaS apps
Organizations no longer confident in their ability to detect and prevent threats: 91% of breaches could have been avoided
Sources:
72. Classify data based on sensitivity
Label levels: PERSONAL, NOT RESTRICTED, INTERNAL, CONFIDENTIAL, SECRET
IT admin sets policies, templates, and rules
Start with the data that is most sensitive
IT can set automatic rules; users can complement them
Associate actions such as visual markings and protection
73. Policies for specific
groups/departments
Can be viewed and applied only
by the members of that group
Customization options for
labels, sub-labels, and settings
like mandatory labeling, default
label, and justifications
76. Reclassification
You can override a
classification and
optionally be required
to provide a justification
Recommended
Based on the content you’re
working on, you can be
prompted with suggested
classification
User set
Users can choose to apply a
sensitivity label to the email
or file they are working on
with a single click
77. Label and protect any file through the Windows shell (Explorer)
Select either one file, multiple files
or a folder and apply a label
78. Query for file labels and protection
attributes
Set a label and/or protection for
documents stored locally or on file
shares
79. Scenario: a document classified as Microsoft Confidential (label INTERNAL), owned by a user with Role: Finance, Group: Contoso Finance, Office: London, UK, is uploaded to a public share.
Azure Information Protection identifies the document tagged INTERNAL being shared publicly.
Cloud App Security portal: the file is moved to quarantine and restricted to the owner, and the admin is notified about the problem.
80. Persistent labels that travel with the document (example label: FINANCE CONFIDENTIAL)
Labels are metadata written to documents
Labels are in clear text so that other systems such as a DLP engine can read them
81. Protect data needing protection by:
Encrypting data
Including an authentication requirement and a definition of use rights (permissions) to the data
Providing protection that is persistent and travels with the data
(Diagram: a protected FILE sent as an email attachment; use rights VIEW, EDIT, COPY, PASTE are enforced in corporate apps, not in personal apps.)
83. Use rights + encrypted content, with local processing on PCs/devices
Azure RMS never sees the file content, only the license
Apps protected with RMS enforce rights
SDK: apps use the SDK to communicate with the RMS service/servers
File content is never sent to the RMS server/service
84. Authentication & collaboration, BYO Key
RMS connector
Authorization requests go to a federation service (AAD Connect, ADFS)
Data protection for organizations at different stages of cloud adoption
Ensures security because sensitive data is never sent to the RMS server
Integration with on-premises assets with minimal effort
85. Authentication & collaboration, BYO Key (as slide 84), adding: hold your key on premises (roadmap), HYO Key
86. Share internally, with business partners, and customers
Users Bob, Jane and Sue (internal user, external user) on any device/any platform
Sources: file share, SharePoint, email, LoB
87. Leverage ad-hoc end user controls or automatic policies
Protect: mitigates risk of unintended disclosure through encryption and rights protection
Control: leverage automatic policies or ad hoc end-user controls, for emails shared with anyone
Compliance: meet obligations that require encrypting data
Recipients can read protected messages using consumer identities
Easily read protected emails on any device
88. Azure Active Directory: using Azure AD for authentication
On-premises organizations doing full sync
On-premises organizations doing partial sync
Organizations completely in cloud
Organizations created through ad-hoc signup
ADFS
...and all of these organizations can interact with each other.
89. Monitor use, control and block abuse
Map view of access by users Sue, Bob and Jane: Joe blocked in North America; Jane accessed from India; Bob accessed from South America; Jane blocked in Africa; Jane, Competitors: Jane's access is revoked.
90. WHY AZURE INFORMATION PROTECTION? Persistent protection, safe sharing, intuitive experience, greater control.
91. Best Practice - Start small, do it now, and move quickly
1. Classify: take simple steps, it generates high impact quickly (i.e. 'Do Not Forward' for HR and Legal)
2. Label: test, phase the roll out, and learn; IT can't know it all
3. Protect: control sensitive internal email flow across all PCs/devices
4. Monitor: 'Share Protected' files with business partners (B2B)
5. Respond: teach and enable users to revoke access
This deck is frequently updated with new insights and feedback from the field. Please keep version history up to date.
[Note: This customizable slide is for talking about your company and its value. You can fill it out with your own information and add your company logo.]
The timeline provided is indicative and needs to be tailored to the customer's requirements and availability.
The pre-engagement meeting is there to set things in motion and to start the process of identifying the right people and take care of logistics. This usually takes a week.
The actual on-site engagement will start after the online pre-engagement meeting and will take 1-2 weeks.
After completion a close out meeting will be conducted in which the outcomes will be presented.
Customize to match your assessment timeframe.
Update team member titles and names during the workshop.
Update team member titles and names prior to the workshop.
Ask everyone on the meeting to present themselves.
Note takers should capture this information in the provided template.
Limit to 30 seconds per person.
It is important to understand the role of the attendees, this will help in identifying the right responders for the questionnaire.
Adapt this slide based on the scope of the project
Instructions: Please remove items that are not in scope for your delivery. You may consider keeping the red text. If you choose to do so, please change the font to match the blue text.
Instructions: Update the timeframe for your scope and remove items that are out of scope for your delivery.
Customize this slide for your customer’s situation
Users face multiple threats—from credential theft (like Mimikatz, password spray, or breach harvesting) to malware (viruses, ransomware, and the like), to phishing (gaining access to a user’s computer and credentials) and infrastructure attacks (including improperly-secured virtual machines and resources in Azure).
Highlight the challenges with traditional tools, and remind them that most companies (including, most likely, their own) have deployed numerous solutions from different vendors to address different threat vectors.
Emphasize that while attackers have had advantages in the past, defenders now have a number of advantages as well. Encourage them to think of technological shifts as “force multipliers”, capabilities which greatly enhance an organization’s ability to defend its own assets.
Deliver this section if customer will benefit from a primer on Microsoft 365 Business. We will touch on the major security components again so this section may be unnecessary for customers that already have a solid grasp on Microsoft 365 Business features & functionality.
In designing Microsoft 365 Business, we wanted to address the day to day technology challenges SMBs are facing.
Keeping your technology current: as an SMB it is hard to keep up with the changes in technology and update your current systems. Any tech refresh is time consuming and possibly business disrupting; what you need is technology that keeps up with your needs and is agile with no down time.
Mobile distributed workforce: add to these the challenges of a mobile distributed workforce. According to a YouGov survey, 71% of employees in small and midsized businesses admit to accessing work content on their personal mobile devices. The technology demands of catering to a mobile, distributed workforce require strong collaboration capabilities that transcend devices.
Protecting sensitive data: 53% of SMBs collect sensitive information like Social Security Numbers and 1 in 5 SMBs collect bank account details. Given this and the rise in data breaches, it is important to have technology that protects against the intentional or unintentional transmission of sensitive data that could put you out of compliance or cause business-threatening downtime.
Cyber threats and phishing schemes: 72% of SMBs believe that their company is very vulnerable to becoming a victim of a cyber-attack. Having technology in place that helps prevent you and your employees from becoming victims of phishing attacks and socially engineered ransomware attacks is paramount given the current climate.
What is Microsoft 365 Business?
Microsoft 365 Business is a complete integrated solution powered by Office 365 and Windows 10, designed to help you securely run and grow your business.
It brings together the best-in-class productivity capabilities of Office 365 that enable you and your employees to create, connect and co-author from anywhere, on any device while also providing you peace of mind through sophisticated security features to safeguard your business information from threats.
Microsoft 365 Business also helps you build your business through specific tools that help you interact with and find new customers
With Microsoft 365 Business you have one subscription that enables collaboration, has tools that help you grow your business while providing you peace of mind by safe guarding your business information.
Now before we begin, let us take a minute to see what we’re going to cover today in Microsoft 365 Business:
You’re going to Learn how you can get more done with Intelligent tools built into the Office you love along with enterprise grade email and file storage
We’ll show you how you can work better together with the new Microsoft Teams and how you can collaborate as a group with your co-workers, customers and suppliers.
Microsoft 365 Business also includes specific business apps designed to help build the business Like Bookings and Outlook customer Manager for Example. These help you Get more customers and improve the efficiency of your business operations
We’ll also show how Microsoft 365 Business safeguards your data by Helping protect your company against external threats like phishing and malicious emails. It also includes features to help you protect sensitive information like Social security numbers, Credit card information etc from leaving the organization
Finally, we’ll show you how you can easily enable all of these features along with simplifying device setup so you can unlock the value of your Microsoft 365 Business subscription faster
let’s take a deeper dive in to what you get with your Microsoft 365 Business Subscription
Today, no matter what your small business does, data has never been more valuable. Your business contacts. Your SOWs and invoices. Your accounts information. Your methods and processes. Your templates. Your email.
Technology gives you the ability to access these things, to carry them around on a laptop or a mobile phone, but all of that access exposes them to risk. Employees who don’t understand how to create secure passwords or take precautions, or who forget a device, need guidance. That’s where simplified device management empowers you to take advantage of the enterprise-level security features of Windows 10 Pro.
In addition to Enabling all of these amazing productivity and collaboration features, M365 B gives you peace of mind by Safeguarding your business. It helps protect your company against external threats and data leaks of sensitive business information
And it does this by taking a layered approach to security:
First, you get Protection from sophisticated threats hidden in email attachments and links, and get cutting-edge defenses against zero-day threats, ransomware, and other advanced malware attempts.
Second, you get Protection from data leaks helping you prevent sensitive information like SSNs and customer credit card numbers from being shared outside your business
Third, you get to control and manage access to information. With M365 B, you can control who has access to company information by applying restrictions like Do Not Copy and Do Not Forward. You can enjoy peace of mind by remotely wiping business data on lost or stolen devices without affecting personal information.
The top layer focuses on protecting your business from external threats by giving you the same enterprise-grade service and protection, without the need for an enterprise-sized IT department.
Our threat protection tools keep your business free of hazards such as spam, malware, viruses, phishing attempts and malicious links, while helping to protect against sophisticated threats disguised as email attachments or links, zero-day ransomware, and other advanced attack techniques.
These capabilities come from built-in malware protection that not only helps you prevent threats, but also alerts you if a breach has taken place and notifies you when additional actions are required, and from full-disk encryption of company devices with BitLocker.
Unfortunately, virus and malware attacks are now a common occurrence. When successful, these attacks can cause several problems for a company, from loss of customer trust to financial losses resulting from business-threatening downtime. Office 365 ATP helps protect your business from sophisticated phishing attacks, unsafe attachments, suspicious links, ransomware, and other advanced malware.
The threat protection features in Microsoft 365 Business scan each attachment that comes in via email. Safe Attachments detonates the file in a sandbox and performs a real-time analysis of its behavior to determine whether it is benign or malicious, which gives better protection against unsafe attachments, the usual starting point for phishing schemes and ransomware infections.
Today’s “bad actors” are more clever than ever. Even staff who understand that they shouldn’t click on hyperlinks sent from people they don’t know could be fooled by today’s sophisticated phishing schemes. These features remove the guesswork by doing the check for you: a link is checked at the time of click, and the user is either passed through to the original site or taken to a warning page instead of the malicious one.
These threat protection capabilities also extend to device endpoints, helping prevent users from interacting with ransomware and malicious web locations.
The second layer helps you protect your business data, and sensitive customer or employee information, from accidental leaks by using Data Loss Prevention capabilities and mobile device management across both iOS and Android devices, which protects sensitive data from being accessed from unauthorized locations or through unauthorized applications.
What you really get, in other words, is peace of mind that a file isn’t going to be lost or corrupted. The threat of information loss is what keeps you up at night, but with your files backed up in the cloud, and accessible only by you or your employees, even in the event of a lost or damaged device, you won’t lie awake worrying about the security of your data again.
Small businesses deal with a variety of sensitive information: customer credit card numbers, SSNs, dates of birth, or intellectual property that is core to running the business. Keeping this information safe is a challenge, because expecting employees to manually check every email or document they share for sensitive information is not realistic. The Data Loss Prevention policies in Microsoft 365 Business help businesses identify, monitor, and protect sensitive information through deep content analysis.
They include preconfigured templates that can detect specific types of sensitive information being communicated, such as credit card numbers, SSNs, dates of birth, or locale-specific personally identifiable information (PII).
They also provide policy tips, which educate end users and help prevent accidental sharing of sensitive information by displaying a tip in Outlook before the message is sent.
Enforce device encryption with BitLocker to help protect against data theft or exposure if a computer is lost or stolen. Get end-to-end Intune device management across all your devices (PCs, Macs, and mobile devices) to protect sensitive information from leaking.
Controlling and managing who has access to content is the third layer of your security strategy. A challenge small businesses have is controlling and managing who has access to the company’s sensitive information, and enabling these controls without hindering productivity is also hard. Information Protection policies in Microsoft 365 Business provide capabilities to control and manage how information is accessed, making sure that only the right people have access to the right data.
Enjoy peace of mind with features such as:
The ability to communicate and collaborate securely while controlling access to sensitive information with controls like “Do Not Forward” and “Do Not Copy”.
The ability to classify sensitive information, for example as “Confidential”, and enable specific restrictions on how classified content can be shared inside and outside the business.
The ability to securely share sensitive content with authorized external parties through easy-to-enable encryption controls.
Instructions: Update this slide to match the scope of your delivery. Remove items that are not in scope or change the items in red to match the font used for the others.
The slide contents are relatively straightforward; highlight one or two capabilities based on your customer’s profile/history (for example, customers in the health care industry have been hugely impacted by ransomware, so that would be an excellent capability to discuss in more detail).
To tell this story more effectively, consider using content from the MSRC blog on recent success stories involving Windows Defender (for example, https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/ or https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses/).
Attack Surface Reduction = Use rules that reduce the attack surface of devices (for example, block Office applications from creating child processes or executable content)
Controlled folder access = Protect folders from threats such as ransomware by allowing only trusted applications to modify files in them
Network protection = Prevent network access to potentially malicious content on the Internet
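If the customer asks how these three features are switched on outside the Microsoft 365 Business setup wizard, the following is an added example for one Windows 10 device (not part of the deck or of Microsoft’s own deployment scripts). It assumes an elevated PowerShell session, a selection of three ASR rules whose GUIDs should be verified against Microsoft’s published ASR rule list before rollout, and placeholder paths for an extra protected folder and a trusted line-of-business app. Everything starts in audit mode so nothing is blocked until the events have been reviewed.

```powershell
# Added example, not from the deck: enable the three Exploit Guard features
# above on one Windows 10 device from an elevated PowerShell session.
# The GUIDs are Microsoft's published ASR rule IDs; verify them against the
# current ASR rule reference before rollout. AuditMode only logs; switch to
# Enabled after reviewing the events.

# Attack Surface Reduction (assumed selection of three rules):
$asrIds = @(
    # Block all Office applications from creating child processes
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',
    # Block executable content from email client and webmail
    'BE9BA2D9-53EA-4CDD-84E5-9B1EECC1BD2A',
    # Block Office applications from creating executable content
    '3B576869-A4EC-4529-8536-B80A7769E899'
)
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrIds `
                 -AttackSurfaceReductionRules_Actions AuditMode, AuditMode, AuditMode

# Controlled folder access: only trusted apps may write to protected folders.
# Default user folders are protected automatically; add others as needed.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'                   # assumed extra folder
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LOB\app.exe'  # assumed trusted app

# Network protection: block outbound connections to low-reputation hosts.
Set-MpPreference -EnableNetworkProtection Enabled

# Check 1: what is actually in effect on the device.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    EnableControlledFolderAccess, EnableNetworkProtection

# Check 2: what has fired so far, from the Defender operational log.
# 1121/1122 = ASR block/audit, 1123/1124 = CFA block/audit,
# 1125/1126 = network protection audit/block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124, 1125, 1126
} -MaxEvents 50 | Format-Table TimeCreated, Id, Message -AutoSize
```

Run the audit phase for a week or two of normal business, add any legitimate applications that show up in the 1124 events to the allowed list, then replace AuditMode with Enabled. For a fleet, the same settings go into the Intune device configuration profile rather than being run per machine.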
Safe Links provides real-time, time-of-click protection against malicious URLs in email by rewriting links so that they are checked against a list of known malicious sites, which is updated every 20 minutes. When users click a rewritten URL, Safe Links redirects them, based on the verdict from inspection, either to the original webpage or to a page that warns the user that the site has been determined to be malicious.
Safe Links also provides URL trace capabilities that let you track which individual malicious links in messages have been clicked, to support faster remediation.
Safe Attachments helps protect against zero-day malware in email attachments by blocking messages that could be malicious. It is designed to detect malicious attachments even before antivirus signatures are available.
After passing through Office 365’s normal protection of three anti-virus engines and multiple spam filters provided by Exchange Online Protection, email with a suspicious attachment enters the Safe Attachments sandbox, where multiple hypervisor environments are spun up, each running various versions of Windows, Office and common third-party applications. Attachments are not released until a behavior analysis has been performed and the attachment is determined to be safe.
Safe Attachments analyzes attachment types that are common carriers of malicious content, such as Office documents, PDFs, executables and Flash files. The administrator can create separate Safe Attachments policies, each applied to a specific set of users, distribution groups or domains, so each group of users can have custom settings. The administrator can also configure a policy to send an email notification when an unsafe attachment is identified.
In the Safe Links policy settings, turn on “Use Safe Attachments to scan downloadable content” to enable the URL detonation feature.
URL detonation provides deeper protection against malicious URLs. Not only is the list of malicious URLs checked when a user clicks a link, Office 365 ATP also performs real-time behavioral malware analysis in a sandbox against files found at the destination URL. For example, if an email includes a link to a Word document on a web server, the document is downloaded into the sandbox and detonated as if it were an attachment.
The administrator can create separate Safe Links policies, each applied to a specific set of users, distribution groups, or domains, so each group of users can have custom settings. When a user clicks an unsafe link, they see a warning page from Office 365.
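For the IT team, the policies described above can be created from Exchange Online PowerShell instead of the admin center. The following is an added example, not taken from the deck or from Microsoft’s documentation; it assumes contoso.com as the tenant domain and secops@contoso.com as the mailbox that receives copies of blocked messages, and it scopes both policies to that one domain.

```powershell
# Added example, not from the deck: Safe Attachments + Safe Links policies
# via Exchange Online PowerShell. Assumed domain contoso.com and security
# mailbox secops@contoso.com.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Safe Attachments: detonate, block the message if malicious, and send a
# copy of blocked messages to the security mailbox (the "email notification").
$saPolicy = @{
    Name            = 'Contoso Safe Attachments'
    Enable          = $true
    Action          = 'Block'          # alternatives: Replace, DynamicDelivery
    Redirect        = $true
    RedirectAddress = 'secops@contoso.com'
    ActionOnError   = $true            # still block if the scan itself times out
}
New-SafeAttachmentPolicy @saPolicy
New-SafeAttachmentRule -Name 'Contoso Safe Attachments' `
    -SafeAttachmentPolicy 'Contoso Safe Attachments' `
    -RecipientDomainIs 'contoso.com'

# Safe Links: rewrite and check at click time; ScanUrls is the setting the
# slide calls "Use Safe Attachments to scan downloadable content" (URL detonation).
$slPolicy = @{
    Name                     = 'Contoso Safe Links'
    IsEnabled                = $true
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true   # hold delivery until detonation finishes
    EnableForInternalSenders = $true   # internal mail can carry phishing links too
    TrackClicks              = $true   # needed for URL trace
    DoNotAllowClickThrough   = $true   # warning page has no "continue anyway"
}
New-SafeLinksPolicy @slPolicy
New-SafeLinksRule -Name 'Contoso Safe Links' `
    -SafeLinksPolicy 'Contoso Safe Links' `
    -RecipientDomainIs 'contoso.com'

# Checks: both policies enabled and scoped as intended.
Get-SafeAttachmentPolicy 'Contoso Safe Attachments' |
    Format-List Enable, Action, Redirect, RedirectAddress, ActionOnError
Get-SafeLinksPolicy 'Contoso Safe Links' |
    Format-List IsEnabled, ScanUrls, TrackClicks, DoNotAllowClickThrough
@(Get-SafeAttachmentRule) + @(Get-SafeLinksRule) |
    Format-Table Name, State, RecipientDomainIs -AutoSize

# Remediation: the URL trace for the last 7 days (who clicked which link).
Get-UrlTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Format-Table -AutoSize
```

DynamicDelivery is worth mentioning to customers who complain about delivery delay: the message body is delivered immediately with a placeholder attachment, which is replaced once the scan completes. The Get-UrlTrace output is what backs the URL trace report mentioned above; its columns vary by service version, so the example prints whatever is returned.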
Our services use Microsoft’s machine learning capabilities to continuously update and enhance the basic filters. In the example shown here, an email arrives with an attachment that initially gets past the basic filters. With the additional protection offered by Advanced Threat Protection, the attachment is detonated in a sandbox and found to be malicious. All filters across the service are then updated, so the file hash goes from unknown to known, and the next email carrying that attachment is blocked. That is how the system improves itself with each new piece of malware it detects.
This illustration shows the options for creating a DLP policy:
Choose the protection to apply. Protection can include:
Policy tips for users
Email report for admins
Prevent sharing externally, internally, or both
Choose the criteria for applying the protection. Apply the protection to documents with this type of content: you can configure the policy to use sensitive information types and/or labels.
Built-in sensitive information types include things such as credit card numbers, SWIFT codes, personal identifiers, etc.
Custom sensitive information types can be defined using regular expressions, keywords, built-in functions, additional patterns such as dates or addresses, and different combinations of evidence.
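The options on this slide map directly onto one policy and one rule in Security & Compliance PowerShell. The following is an added example that is not from the deck; it assumes contoso.com, a secops@contoso.com report mailbox, and two of the built-in sensitive information types (credit card number and U.S. SSN). It starts in test mode so policy tips and admin reports appear before any sharing is blocked.

```powershell
# Added example, not from the deck: a DLP policy built from the slide's
# options (policy tips, admin report, block external sharing) using
# Security & Compliance PowerShell. Assumed domain and mailbox names.
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. The policy: where it applies. TestWithNotifications shows policy tips
#    and generates reports but does not block anything yet.
$policy = @{
    Name               = 'Contoso PCI and PII'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# 2. The rule: which content triggers it and what protection applies.
$rule = @{
    Name   = 'Block external sharing of card or SSN data'
    Policy = 'Contoso PCI and PII'
    ContentContainsSensitiveInformation = @(
        @{ Name = 'Credit Card Number';                minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    )
    AccessScope              = 'NotInOrganization'   # only when shared outside the business
    BlockAccess              = $true                 # stop the share / reject the mail
    NotifyUser               = 'LastModifier', 'Owner'   # policy tip in Outlook + notification mail
    NotifyPolicyTipCustomText = 'This item contains card or SSN data and cannot be shared outside Contoso.'
    GenerateIncidentReport   = 'secops@contoso.com'  # email report for admins
    IncidentReportContent    = 'Title', 'DocumentAuthor', 'Detections', 'Severity'
    ReportSeverityLevel      = 'High'
}
New-DlpComplianceRule @rule

# 3. Check the effective settings before going live.
Get-DlpComplianceRule -Policy 'Contoso PCI and PII' |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, GenerateIncidentReport, Disabled

# 4. After reviewing a week or two of test-mode reports, enforce:
# Set-DlpCompliancePolicy -Identity 'Contoso PCI and PII' -Mode Enable
```

A custom sensitive information type (for example a regular expression for the customer’s own account-number format) is created separately and then referenced in ContentContainsSensitiveInformation by its name, exactly like the built-in types above.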
We recommend you accept the default values during setup to create application policies for Android, iOS, and Windows 10 that apply to all users. You can create more policies after setup completes.
By default, work files on Windows 10 devices are encrypted by Windows Information Protection using a key that is stored on the device and associated with the user's profile. Only that user can open and decrypt the file. However, if a device is lost or a user is removed, a file can be stuck in an encrypted state. A Data Recovery Agent (DRA) certificate, configured in the policy, lets an admin act as a sort of master key to decrypt the file.
You may specify additional domains or SharePoint locations to make sure those files are protected too.
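The DRA is the step small-business customers most often skip, and without it a departed employee’s files are unrecoverable. The following is an added example of creating the DRA certificate and checking that a protected file lists it; it is not from the deck. It assumes an admin profile path for the certificate files and a sample work file path, and the .pfx must be kept offline because it can decrypt every protected file in the business.

```powershell
# Added example, not from the deck: create the Data Recovery Agent certificate
# the WIP policy needs, then verify a protected file lists it.
# Run as the admin who will hold the recovery key, not as an end user.
# Assumed paths; keep the .pfx offline, it decrypts every protected file.
$dra = Join-Path $env:USERPROFILE 'Contoso-WIP-DRA'   # produces Contoso-WIP-DRA.cer and .pfx
cipher.exe /r:$dra
# Upload the .cer to the policy ("Data recovery" in the WIP / app protection
# settings) and store the .pfx in a vault. Do not leave it in the profile.

# Later, on a device where the policy has applied: is the work file actually
# encrypted, and is the DRA listed as a recovery agent for it?
$workFile = 'C:\Users\alice\Documents\Q3-invoices.xlsx'   # assumed work file
$isEncrypted = [bool]((Get-Item $workFile).Attributes -band [IO.FileAttributes]::Encrypted)
"Encrypted by WIP: $isEncrypted"
cipher.exe /c $workFile   # shows the user who can decrypt and the recovery certificates

# Recovery when the user is gone: import the .pfx into the admin's personal
# store on that device, then decrypt the file (or folder) with cipher.
# certutil -user -p <pfx-password> -importPFX "$dra.pfx"
# cipher.exe /d $workFile
```

If the cipher /c output shows no recovery certificate, the policy reached the device before the DRA was added and the file was encrypted under the user’s key only; re-applying the policy updates the key material for files encrypted afterwards, so add the DRA before the first rollout.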
You have these entities: users, devices, apps and data
Data is being shared with employees, customers and business partners
You have to manage the complexity of protecting your users’ identities, and the data stored on their devices and in their apps
You need to prepare to mitigate the risks of giving your employees freedom and space
You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats, all while giving workers a better and more productive experience
The cloud is here to stay
The ‘cloud accepting’ population is growing… VERY rapidly
Your managers (CxO) are changing their minds… or soon will… or are being replaced
Microsoft is meeting organizations ‘in the middle’: abilities like lockbox, ‘going local’, etc.
Your competition will use the cloud to their advantage
You can’t compete with cloud vendors on substrate services (time, cost, innovation)
You can’t lay the substrate and do value-add at the same rate as your cloud peers
There will be breaches… both in the cloud and on-premises
Cloud vendors, with billions invested and far better ‘signals’, will act/evolve far quicker
We heard from you..
And you are not alone
You had control over your data when it resided within your boundaries
Now that boundary has expanded with managed devices and cloud assets. MDM solutions help but not when data moves outside of your controlled environment
Once shared outside your environment, you lose control over your data.
1. For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement
2. We added tracking and revocation capabilities for greater control over shared data
3. Now we also have classification and labeling capabilities, so that you can identify what data needs protection and protect only the data that needs it
Data is born protected,
Using companies’ criteria
Enforced by IT
Enforced on any device
<keep personal data.... Personal>
Scoped Policies allow you to build sets of labels that are only visible and usable to specific employees and groups of employees such as teams, business units or projects.
In all instances, a global set of policies is made available to all users. The new scoped policies are layered over this global set, available to just users in the specified security group membership. It is important to note that scoped policies are an admin concept, users will not be aware as they just see a combined set of labels they are assigned.
Each set of scoped policies allows for customization, including labels, sub-labels, and settings like mandatory labeling, default label, and justifications. The scoping model is consistent with Azure RMS template scoping, in that it is based on Azure Active Directory users and groups.
A few important notes on scoped policies:
Scopes are optional, you don’t have to define a set or group for a policy. If not set, the policy has global scope for everyone in the tenant.
Policies are ordered by administrators. This order defines which scopes are considered higher than others. Policies are combined into an effective policy, which is given to the client.
Flexibility for users to reclassify because policies won’t get it right all the time. But everything is logged so IT can audit in case of violation
Users also have the option to label if they deem necessary, even when not automatically classified
With the new, unified AIP client, classification, labeling and protection support now extends beyond ‘just’ Office files. We have brought together the existing AIP client and the RMS Sharing App features to provide a more complete information protection experience in AIP. With this client installed, you can classify, label and protect files through Office applications, through the Windows Explorer shell extension, and through PowerShell commands.
A user can label and protect any file through the Windows Explorer shell extension: select one file, multiple files or a folder and apply a label. (Note: some file types cannot carry persistent metadata; for these file types you can only label when also protecting.)
The RMS PowerShell commands have been updated to support label and protection actions based on Azure Information Protection policies. Administrators and data owners can label and protect files in bulk on file shares, or query a file’s status. The PowerShell cmdlets, installed as part of the new unified client, are now generally available and let customers:
Query a file’s label and protection attributes
Set a Label and/or Protection for documents stored locally or on file servers and network shares that are accessible through SMB/CIFS (e.g. \\server\finance\)
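For the finance-share scenario just mentioned, the two cmdlets combine into a short bulk-labeling run. The following is an added example, not from the deck or from Microsoft’s AIP documentation; it assumes the \\server\finance share, a placeholder GUID for a “Confidential” label (the real ID comes from the label’s properties in the Azure portal), and that the AIP client is installed on the machine running it.

```powershell
# Added example, not from the deck: inventory and bulk-label a file share
# with the AIP client cmdlets. Assumed share; placeholder label GUID.
$share   = '\\server\finance'
$labelId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with the "Confidential" label ID

# 1. Inventory: how many files are unlabeled, and how many are already RMS-protected?
$status = Get-AIPFileStatus -Path $share
$status | Group-Object IsLabeled, IsRMSProtected | Format-Table Count, Name -AutoSize

# 2. Label everything that has no label yet. If the label carries protection
#    in the AIP policy, Set-AIPFileLabel also applies RMS protection.
$unlabeled = $status | Where-Object { -not $_.IsLabeled }
$results = foreach ($f in $unlabeled) {
    Set-AIPFileLabel -Path $f.FileName -LabelId $labelId `
        -JustificationMessage 'Initial classification of the finance share'
}
$results | Group-Object Status | Format-Table Count, Name -AutoSize   # Success / Skipped / Failed
$results | Where-Object { $_.Status -ne 'Success' } | Format-List FileName, Status, Comment

# 3. Verify. Files whose type cannot hold label metadata stay IsLabeled=false
#    unless the label also protects them (then IsRMSProtected is true); anything
#    still matching this filter needs a second look.
Get-AIPFileStatus -Path $share |
    Where-Object { -not $_.IsLabeled -and -not $_.IsRMSProtected } |
    Select-Object FileName, MainLabelName
```

For a scheduled, unattended run, authenticate the client once with Set-AIPAuthentication under a service account that is excluded from user prompts; otherwise the first Set-AIPFileLabel call opens an interactive sign-in.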
In this example, sensitive data is protected even as it is uploaded to a cloud app.
This has become a very common scenario, as workers store and share data across potentially several cloud storage services and SaaS apps.
When a user creates a document that contains sensitive data, such as credit card information or confidential project information, Azure Information Protection labels the document as “INTERNAL”, which means it shouldn’t be shared with others.
If the user then tries to upload this document to a cloud storage location such as Box, this is detected by Microsoft Cloud App Security.
MCAS understands the INTERNAL label and enforces policy: it moves the file to quarantine and then restricts access to only the file owner.
Labels stay with the data to enforce the policies and classification
Extra protection is available for sensitive data
Not just encryption, but rights of who can access it and what they can do with the data
Context: Email is also the main way information is shared, so email is prone to unintended disclosure. Encryption is typically too difficult to use; for many organizations one of the biggest hurdles is making it easy enough that users adopt the technology and collaborate securely.
At Ignite we announced new capabilities in Office 365 Message Encryption that protect and control your sensitive emails. These enhancements are aimed squarely at helping you better safeguard your sensitive email communications without hampering the ability of your users to be productive and to easily collaborate with those inside or outside of your organization.
PROTECT: Mitigate the risk of unintended disclosure of emails to anyone inside or outside your organization, so that only the intended recipient with the right identity can read the encrypted message. Recipients outside of the organization can use their own email provider. OME provides an added layer of encryption at the content level. OME also enables organizations to rights-protect the email so that only people with the right identity can read the message, and attached Office documents inherit the protections applied to the email.
Ex. Greg from Big Bank needs to send a sensitive message to his client with his recommended stock picks, but does not want the client to forward it.
CONTROL: Admins can apply automatic policies, and end users can be empowered to apply ad hoc policies, that encrypt and rights-protect messages sent inside and outside the organization. Additionally, recipients can easily read protected messages using their consumer identities such as Google, Yahoo or Microsoft accounts, or use a one-time passcode.
Ex. Secret acquisition: the company wishes to encrypt all messages to the external company. The admin applies a mail flow rule.
Ex. A doctor wants to communicate with patients who use Gmail. The patient can authenticate using their Google identity to read and reply to the protected message.
COMPLIANCE: We’re also providing more enterprise-grade capabilities. For regulated customers, Office 365 Message Encryption will enable you to provide and manage your own tenant encryption keys (BYOK) with Azure Information Protection for Exchange Online.
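The acquisition and the stock-picks examples above are each one mail flow rule. The following is an added example in Exchange Online PowerShell, not from the deck; it assumes contoso.com as the customer and fabrikam.com as the other party, and a subject tag “[Restricted]” as the sender’s signal for Do Not Forward. Both template names are the built-in OME templates.

```powershell
# Added example, not from the deck: the two CONTROL scenarios above as mail
# flow (transport) rules. Assumed domains contoso.com and fabrikam.com.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Prerequisite: Azure RMS must be enabled for Exchange Online.
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled
# If it reports $false:  Set-IRMConfiguration -AzureRMSLicensingEnabled $true

# The templates a rule can apply; "Encrypt" and "Do Not Forward" are built in.
Get-RMSTemplate | Select-Object Name, Description

# Scenario 1, confidential acquisition: encrypt every message to the other
# party. External recipients sign in with their own identity or a one-time
# passcode; the content stays encrypted in their mailbox.
New-TransportRule -Name 'Encrypt all mail to Fabrikam' `
    -RecipientDomainIs 'fabrikam.com' `
    -ApplyRightsProtectionTemplate 'Encrypt'

# Scenario 2, advice the client must not forward: the sender tags the subject
# with "[Restricted]" and the rule applies Do Not Forward (no forward, copy
# or print; attached Office files inherit the restriction).
New-TransportRule -Name 'Do Not Forward on [Restricted]' `
    -SubjectContainsWords '[Restricted]' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Check: rules enabled, in the expected order, with the right template.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Priority, Name, State, ApplyRightsProtectionTemplate -AutoSize
```

Rules are evaluated in priority order, so if the customer also has a rule that routes or modifies external mail, confirm with Get-TransportRule that the encryption rule sits where they expect. Test each rule with a message to an external consumer mailbox before announcing it to users.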
Only use this slide for customers that have obligations with regard to the GDPR
Summary of the key benefits
Protect all data with the right level
Help share
Easy to use with great IT control