Migrating Business Operations into an M365 Essential Eight Maturity Level 3 Environment

Chamonix’s customer had a legacy on-premise environment that was nearing end of life. The environment had been compromised and while there were no signs of data exfiltration or continued infection, we proposed the replacement of the environment with a cloud native M365 environment. This presented: 

• A shorter time to alignment with ACSC Essential 8 Maturity Level 3
• A significant reduction in complexity of their operating environment
• An opportunity to enable significant productivity improvements for mobile workers

Our customer had an existing in-house infrastructure team and were looking for Chamonix to provide guidance, oversight and increased capacity. Chamonix was engaged to:

• Design the future state
• Lead a hybrid team through the implementation of the future state
• Migrate data, identity and email into the M365 cloud environment, leveraging SharePoint and Teams to replace the legacy SAN
• Up-skill our customer’s in-house team to enable handover for on-going management

Our customer’s in house team had already provisioned a base M365 environment and were migrating data into this environment. Chamonix’s cyber security team was engaged to review and identify the necessary cybersecurity controls and processes to meet suggested mitigation strategies for alignment with Essential Eight Maturity Level 3 and to subsequently develop an appropriate model to maintain the implemented cyber posture uplift. These services included developing processes for investigation of log data in the event of an incident, enabling a robust post-incident investigation process, and stakeholder reporting. The hybrid team led by Chamonix then assembled a program of work to deliver our customer’s cybersecurity uplift to ML3 within a 3-month period. This included: 

Application Control
Enforcing control of executables to an approved set across all work units, maintaining a list of approved applications including drivers, enabling control solution in logging mode to identify any rules blocking legitimate applications or software, implementation of Microsoft’s recommended ‘block rules’ and the centralised logging of application control events for incident interrogation and administrative reporting.

Third-Party Application Patching Strategy
For compatible applications, automatic updates within 48 hours of release were configured to ensure that our customer was operating with the most recent patch levels upon release of an update, providing automation as a response to published vulnerabilities. Where not supported or patching may not have been an option to address a critical vulnerability, a mitigation strategy was developed and utilised.

Restriction of Administrative Privileges
Review of administrative roles and redesign of administrative structure was performed, to ensure that internal resources with elevated permissions were operating only with the permissions required to complete their role.

Chamonix provisioned a dedicated administration workstation for all management traffic in our customer’s environment. This added a defence-in-depth control for all administration of SaaS platforms utilised by our customer. 

Patch Operating Systems
Central configuration and management of Operating System patching was deployed using the Microsoft Endpoint Manager platform, to ensure that the latest security updates were applied to all our customer’s Windows endpoints.

Configuration of Microsoft Office Macro setting and central logging of blocked macros
Where possible, Microsoft Office macros were disabled across the entire organisation. Where macros were required by specific users, additional security was applied to prevent execution of non-organisation approved macro content. For organisation approved macros, a process for signing macro content was developed. This meant that if a malicious actor attempted to replace the macro with malicious content, it would not execute.

User Application Hardening
Legacy or unused functionality in business productivity applications was removed or disabled, to prevent common attack vectors. This included enforcement of common exploitable Microsoft Office security settings, removal of unused operating system components, and a restricted set of web browser extensions.

Establish Multifactor Authentication, leveraging Azure AD
A registration campaign was established to uplift users to make use of the recommended multi-factor authentication method of a software token rather than an SMS or phone-based authentication method. Where possible, additional SaaS applications were onboarded to utilise the central AzureAD identity, improving the user experience and providing centralised control of multi-factor authentication. As a result of this improvements to identity management, the procurement process of SaaS applications was improved to consider the use of applications that only support modern authentication methods.

Regular backups and Recovery
By primarily leveraging the service offerings and capabilities of the Microsoft 365 platform, our customer’s resilience and capability to recovery from a cyber incident was drastically improved. Retention policies, and granular control over administrators that hold the backup administrator function were enforced.

Toolsets and Licensing Recommendation
The uplift in Microsoft 365 licensing capability for administrative accounts helped to improve identity and access management, while improved licensing capabilities for frontline staff enabled better use of the Microsoft 365 platform for productivity and collaboration as a modern workforce.