Microsoft’s cybersecurity focus is founded on delivering security operations that work for you, providing enterprise-class technology, and driving partnerships for a heterogeneous world. These themes feature heavily in new advanced automation capabilities for threat detection, investigation, and response for Office 365 E5 announced at Microsoft Ignite. The features help strengthen our customers’ SecOps teams and are powered by the Microsoft Intelligent Security Graph, which provides unparalleled visibility into the threat landscape (analyzing 6.5 trillion daily signals from email alone), integration across Microsoft’s security services, and powerful intelligence from our sophisticated machine learning (ML) algorithms and team of 3500 in-house security professionals.



Figure 1. The Microsoft Intelligent Security Graph



Solving Customer Pain Points

Last year, we added Office 365 Threat Intelligence to the set of Office 365 threat protection services. Threat Intelligence helps security teams address threats post-delivery through rapid detection and effective response. As figure 2 shows, the Office 365 threat protection solution offers a powerful set of features, from the triggering of alerts to effective response, reducing threat detection and resolution times.



Figure 2. Office 365 threat protection capabilities currently available to Office 365 E5 customers


Since last year, numerous conversations with customers have suggested a critical need for deeper investigation and remediation capabilities powered by automation. Most security teams we speak with must secure organizations from:


  • Compromise
  • Known attackers
  • Targeted attacks
  • Volume-based attacks
  • Data leakage or exfiltration
  • Configuration flaws
  • Insider threats
  • Reputation/Brand Damage


However, most teams have limited time, budget, and human resources. We realized organizations require solutions that address the evolving threat landscape within these constraints. Office 365’s new automated detection, investigation, response, and remediation capabilities were designed with customer needs in mind and with the intent of filling the gaps stemming from limited time, budget, and human resources.


New Detection, Investigation, and Response Features in Office 365

Our customer conversations and our own experience led us to focus our investments on several new automation features that enhance each aspect of the detection, investigation, and response path for threats, as shown in figure 3.


Figure 3. New automated hunting, investigation, and remediation capabilities for Office 365 E5 customers launching sequentially later this fiscal year



Leveraging the signal sharing offered by the Intelligent Security Graph, signals from Azure Active Directory, Windows Defender ATP, and Microsoft Cloud App Security will also surface in Office 365. With these capabilities, Office 365 E5 offers a level of SecOps features that continues to elevate the Office 365 threat protection services over competitors. As we mentioned, automation is a key theme in many of the new capabilities, helping improve overall security and directly addressing our customers’ critical needs. Automation is not limited to remediation; it also includes playbooks that automate investigations and are triggered by pre-defined alerts. These playbooks are powerful tools that help reduce detection and remediation times, which currently can take many hours or even days. The automated functionality surfaces in a user-friendly, detailed interface that outlines the investigation graph, showing the different aspects of the investigation (figure 4).


Figure 4. Interface showing the summary Investigation graph of a weaponized URL alert from Office 365 Advanced Threat Protection


Forrester Total Economic Impact Study Results

The new automated capabilities will address customer limitations on time, budget, and human resources. However, the quantitative benefits of tools are frequently difficult to measure before implementation. In the last quarter, Microsoft commissioned Forrester Research to conduct a Total Economic Impact (TEI) study on the current Office 365 Threat Intelligence (The Total Economic Impact of Microsoft Office 365 Threat Intelligence, September 2018), before any of the new automated features go live. Through customer interviews and an industry-wide survey, Forrester discovered most customers felt Office 365 Threat Intelligence helped admins better understand risks and take actions to protect end users (figure 5).

Figure 5. Forrester customer interview and industry survey results on Office 365 Threat Intelligence.



Forrester also did a rigorous quantitative analysis of Threat Intelligence, simulating the benefits vs. costs of the service at a composite enterprise with 6,000 mailboxes. The analysis demonstrated significant risk-adjusted benefits from improved consolidation, better remediation, reduced downtime, and lower business impact. The study results showed nearly 3x greater present value (PV) for benefits versus costs. Forrester was able to summarize the study by calculating an ROI, NPV, and time to payback for Office 365 Threat Intelligence (figure 6). It is important to remember that this study covers the value of Office 365 Threat Intelligence for customers already using Office 365 E5 or standalone Threat Intelligence, which does not include the new automated investigation and hunting capabilities described in this blog and announced at Microsoft Ignite. We are excited that the new capabilities will add even greater customer value to Office 365 E5.


Figure 6. Forrester Office 365 Threat Intelligence TEI results from cost/benefit analysis



Learn More and Begin a Trial

To learn more, please see our session from Microsoft Ignite. Your feedback is one of the most important drivers of our innovation, so please let us know what you think. If you are not already benefiting from the security of Office 365 E5 threat protection services, begin your Office E5 trial today. 




1 Comment

In Automated Investigations, the sorting of the column thread count is incorrect (it's alphabetical instead of numerical):