With all of the ransomware news as of late, companies are asking what kind of protection they need, and what to do if that protection fails and they have to recover from a cyber attack. Many of the organizations I interface with already use Microsoft 365 and / or Office 365, so the natural question for them to ask is: how do Microsoft's tools protect our organization against a ransomware attack?
I begin to answer the question by stating that the Microsoft 365 platform is maintained and run by Microsoft in its own cloud infrastructure, which Microsoft monitors constantly, not only within your "tenant" but across the thousands / millions of customers it serves. This is a huge advantage in spotting cyber attacks and bad actors, and it lets Microsoft react, alert and prevent further spread quickly.
The second thing I mention is that although Microsoft has employed robust cloud security measures, the software is not completely ransomware-proof. Because of its popularity and prevalence in business, Microsoft 365 is a primary target for ransomware attacks.
Finally, I state the fact that cybersecurity protection needs to follow a zero-trust, layered approach: continuous monitoring of identities, endpoints, cloud apps and email / documents, which also involves end-user education.
Every Office 365 subscription comes with security capabilities, but the goals and actions you can take depend on the focus of the particular subscription. In Office 365 security there are several security services (or products), and which ones you have is tied to your subscription type.
When I talk about this, I typically break the conversation down by the different Office 365 / Microsoft 365 workloads:
- Windows Security / Windows Defender
- OneDrive for Business
- Email – Exchange Online
- SharePoint / Teams
- Advanced Threat Protection
Windows Security / Windows Defender
Although not ransomware protection as such, one of the first lines of defense is Windows Security / Windows Defender, which is available on Windows devices. Windows Security is built into Windows 10 and includes an antivirus program called Microsoft Defender Antivirus. With Windows Security, your device is actively protected from the moment you start Windows 10: it continually scans for malware (malicious software), viruses and other security threats, and in addition to this real-time protection, definition updates are downloaded automatically to help keep your device safe from new threats.
Further, Microsoft introduced Microsoft 365 Defender (https://security.microsoft.com), which combines protection, detection, investigation and response for email, collaboration, identity and device threats in a central portal. Microsoft 365 Defender brings together functionality from existing Microsoft security portals, such as the Microsoft Defender Security Center and the Office 365 Security & Compliance Center. The security center emphasizes quick access to information, simpler layouts, and bringing related information together for easier use.
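As an added example (my own PowerShell, not code from the original article or from Microsoft), the following script, run from an elevated prompt on a Windows 10 machine with the built-in Defender module, verifies the two properties the paragraph relies on (real-time protection switched on, signatures current) and goes one step beyond the text by turning on Defender's controlled folder access, the feature aimed specifically at ransomware rewriting user documents. The protected folder path is a placeholder.

```powershell
# Added example, not part of the original article. Run elevated on Windows 10.
# Uses only the built-in Defender module (Get-MpComputerStatus, Set-MpPreference, ...).

# 1. Confirm the engine, real-time protection and signatures are in a healthy state.
$status = Get-MpComputerStatus
$status | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                        AntivirusSignatureLastUpdated, AntivirusSignatureAge

if (-not $status.RealTimeProtectionEnabled) {
    # Re-enable real-time monitoring if something (or someone) switched it off.
    Set-MpPreference -DisableRealtimeMonitoring $false
}
if ($status.AntivirusSignatureAge -gt 1) {
    # Signatures older than a day: pull the latest definitions now.
    Update-MpSignature
}

# 2. Controlled folder access: only trusted apps may write to the protected folders,
#    which blocks the bulk file rewrites ransomware performs. Use AuditMode instead of
#    Enabled first if you need to see which apps would be blocked before enforcing.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Finance"   # placeholder path

# 3. Show the resulting configuration and the most recent detections on this machine.
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ProcessName, ThreatID, ActionSuccess
```

Controlled folder access blocks writes from any application not on Defender's trusted list, so line-of-business tools that save into the protected folders need to be added with `Add-MpPreference -ControlledFolderAccessAllowedApplications` or the block will hit them too; that is why an audit period before enforcing is worth it.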
OneDrive for Business
OneDrive has built-in ransomware detection and will alert you when a large number of files change in a short time, allowing you to quickly restore them. When Microsoft 365 detects a ransomware attack, you get a notification on your device and an email from Microsoft 365, and the Files Restore option lets you roll your entire OneDrive back to a point in time (within the last 30 days) before the files were encrypted.
SharePoint / Teams
Versioning helps to protect SharePoint Online lists and SharePoint Online and OneDrive for Business libraries from some, but not all, ransomware attacks: a ransomware that rewrites each file more times than the library's version limit allows, for example, can push the clean version out of the history. Versioning is enabled by default in OneDrive for Business and SharePoint Online. Because versioning is enabled on SharePoint Online lists and libraries, you can look at earlier versions and recover them if necessary, which lets you recover versions of items that pre-date their encryption by the ransomware. Some organizations also retain multiple versions of items in their lists for legal or audit purposes.
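To make the versioning protection described above concrete, here is an added example in PnP PowerShell (my own code, not from the original article or from Microsoft). It raises the version limit on every document library in a site so that the clean copy is less likely to be pushed out, and then shows the post-incident step: picking the last version of a file saved before the attack began and restoring it. The site URL, file path and attack start time are placeholders.

```powershell
# Added example, not part of the original article. Requires the PnP.PowerShell module
# and an account with site owner rights on the target site (placeholder URL below).
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/Finance" -Interactive

# 1. Harden: every visible document library (BaseTemplate 101) keeps versioning on with
#    a generous major-version limit, so an attacker needs many rewrites per file to
#    evict the pre-encryption version.
$minimumVersions = 500
Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden } | ForEach-Object {
    if (-not $_.EnableVersioning -or $_.MajorVersionLimit -lt $minimumVersions) {
        Write-Host "Raising version limit on library '$($_.Title)'"
        Set-PnPList -Identity $_ -EnableVersioning $true -MajorVersions $minimumVersions
    }
}

# 2. Recover: list the version history of one encrypted file and restore the newest
#    version created before the attack started (time taken from your own alerting).
$file        = "Shared Documents/Budget.xlsx"      # placeholder, site-relative path
$attackStart = Get-Date "2021-05-10 09:00"         # placeholder

$versions = Get-PnPFileVersion -Url $file
$versions | Select-Object VersionLabel, Created, Size | Format-Table

$lastGood = $versions |
    Where-Object { $_.Created -lt $attackStart } |
    Sort-Object Created -Descending |
    Select-Object -First 1

if ($null -eq $lastGood) {
    Write-Warning "No version of $file predates the attack; fall back to backup or OneDrive Files Restore."
} else {
    Write-Host "Restoring $file to version $($lastGood.VersionLabel) from $($lastGood.Created)"
    Restore-PnPFileVersion -Url $file -Identity $lastGood.VersionLabel -Force
}
```

The `$null -eq $lastGood` branch is the caveat from the paragraph in code form: if every surviving version was written after the attack started, versioning alone cannot help and you need another recovery path.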
Email – Exchange Online
All email for Exchange Online travels through Exchange Online Protection (EOP), which scans every message and attachment entering and leaving the system in real time for viruses and other malware and quarantines what it detects. Administrators do not need to set up or maintain the filtering technologies; they are enabled by default. However, administrators can make company-specific filtering customizations in the Exchange admin center or with Exchange Online PowerShell.
Advanced Threat Protection
Microsoft Defender Advanced Threat Protection (ATP) is a powerful post-breach solution that provides automated endpoint detection and response. Formerly known as Windows Defender ATP (or WDATP), the product was rebranded to reflect the fact that it is now also available on other operating systems such as macOS, Linux and Android (it has since been renamed again, to Microsoft Defender for Endpoint). However, this article focuses solely on the product from a Microsoft and Windows 10 perspective.
Microsoft Office 365 Advanced Threat Protection (included with A5/E5 licensing, and since renamed Microsoft Defender for Office 365) is a cloud-based filtering service that protects your organization against viruses and other malware, including zero-day attacks (attacks performed with malware that exploits newly found vulnerabilities not yet fixed by patches or updates). It protects Exchange Online and other Microsoft 365 services against the newest viruses and previously unseen, complex threats that cannot yet be recognized by the virus signature databases of most antivirus products, by detonating attachments and links in a sandbox before delivery (Safe Attachments and Safe Links).
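The "company-specific filtering customizations" mentioned under Exchange Online and the Office 365 ATP protection described just above can both be driven from Exchange Online PowerShell. The following is an added example (my own code, not from the original article or from Microsoft) that tightens the default EOP anti-malware policy, reviews what EOP has already quarantined as malware, and, on a tenant licensed for Office 365 ATP / Defender for Office 365, creates a Safe Attachments policy that blocks detonated malware. The admin account, domain and policy names are placeholders.

```powershell
# Added example, not part of the original article. Requires the ExchangeOnlineManagement
# module and an Exchange administrator account (placeholder UPN and domain below).
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com"

# 1. EOP (every tenant): inspect the default anti-malware policy, then turn on the
#    common attachments filter with a list of executable / script types that ransomware
#    droppers typically arrive as. -FileTypes replaces the existing list outright.
Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter, FileTypes, ZapEnabled

Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true `
    -FileTypes @("exe","scr","js","jse","vbs","vbe","wsf","wsh","hta","ps1","bat","cmd","iso","img") `
    -ZapEnabled $true    # zero-hour auto purge: remove malware that was delivered before a signature existed

# 2. EOP: what has been quarantined as malware in the last week? Useful both as a
#    sanity check that filtering is working and as an early warning of a campaign.
Get-QuarantineMessage -Type Malware -StartReceivedDate (Get-Date).AddDays(-7) |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject |
    Format-Table -AutoSize

# 3. Office 365 ATP / Defender for Office 365 (E5/A5 or add-on): detonate attachments
#    in a sandbox and block the message if the attachment misbehaves. The rule scopes
#    the policy to all recipients in the placeholder domain.
$policyName = "Block-Detonated-Malware"   # placeholder name
if (-not (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $policyName -Enable $true -Action Block -Redirect $false
    New-SafeAttachmentRule  -Name $policyName -SafeAttachmentPolicy $policyName -RecipientDomainIs "contoso.com"
}
Get-SafeAttachmentPolicy -Identity $policyName | Select-Object Name, Enable, Action
```

Step 3 will fail on a tenant without the ATP / Defender for Office 365 license, which is the practical meaning of the A5/E5 note above: the EOP settings in steps 1 and 2 are available to everyone, the detonation policy is not.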
Microsoft Docs: Malware and ransomware protection in Microsoft 365
Microsoft Support: Ransomware detection and recovering your files