Headquartered in Kuala Lumpur, Malaysia, edotco Group faced ever-increasing cyberthreats and needed additional security measures to protect its company data. It deployed a variety of Microsoft security products including Azure Active Directory Identity Protection, Office 365 Advanced Threat Protection, Microsoft Cloud App Security, and Microsoft Defender Advanced Threat Protection to detect and remediate threats such as unauthorized access, data leakage, and phishing attempts. Now, edotco plans to deploy Azure Sentinel, a cloud-native security information and event management (SIEM) solution that collects security data for threat hunting and custom use case monitoring.
As the infrastructure arm of the Axiata Group, edotco Group builds and manages telecommunication and power systems infrastructure for telecom companies throughout Asia. The company specializes in end-to-end solutions in the tower services sector with more than 31,820 towers under management. Because it works with critical telecom infrastructure and has employees on sites across eight countries, edotco has a need for strong security measures in its highly mobile and distributed IT environment.
Managing identity from the cloud
To help make its IT environment as secure as possible, edotco has decided to use Microsoft Azure Active Directory (Azure AD) as its identity management solution. “Today more than 90 percent of our infrastructure is authenticated by Azure AD via SAML 2.0,” says Choon Wai Ng, Senior Specialist, Information Security at edotco.
By joining all 1,400 of its endpoints to Azure AD and deploying configuration and security policies to them through Microsoft Endpoint Manager (a unified platform that now includes Microsoft Intune), edotco isolates most applications and devices from the corporate office network.
To further improve security, edotco implemented Azure Multi-Factor Authentication along with Conditional Access policies in Azure AD for all users. “When employees sign into our systems, we look at their device and their location and then determine the verifications required,” says Ng. “Implementing Azure AD Identity Protection and Azure Multi-Factor Authentication has already helped us detect account compromises and prevent unauthorized access.” Additionally, edotco has implemented passwordless authentication, using the Microsoft Authenticator app, for a few privileged accounts and is in the process of planning an organization-wide rollout.
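The device-and-location logic Ng describes is enforced by Conditional Access, but a defender also wants to verify it is working. The query below is an added example (not edotco's or Microsoft's own code) that audits Azure AD sign-in logs for successful sign-ins from devices that were neither managed nor compliant, from outside a list of expected countries, where no multi-factor authentication was required. It assumes sign-in logs are exported to the Sentinel or Log Analytics workspace as the `SigninLogs` table; the `expectedCountries` list is a constructed placeholder.

```kusto
// Added example: find successful sign-ins that slipped past the
// device/location rules without a second factor. An empty result is the
// desired outcome; any row is a policy gap to investigate.
let lookback = 7d;
// Placeholder list (constructed); replace with the countries where staff work.
let expectedCountries = dynamic(["MY"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                       // successful sign-ins only
| extend isManaged   = tobool(DeviceDetail.isManaged),
         isCompliant = tobool(DeviceDetail.isCompliant),
         country     = tostring(LocationDetails.countryOrRegion)
// A device with no management state at all is treated as unmanaged.
| where isManaged != true and isCompliant != true
| where country !in (expectedCountries)
// AuthenticationRequirement records whether MFA was demanded for this sign-in.
| where AuthenticationRequirement != "multiFactorAuthentication"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
          country, ConditionalAccessStatus, AuthenticationRequirement,
          policies = ConditionalAccessPolicies
| order by TimeGenerated desc
```

The `ConditionalAccessPolicies` column is projected so that each gap can be traced to the policy that reported `notApplied` or excluded the user, rather than guessed at.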
Further taking advantage of the Microsoft security platform, edotco uses Microsoft Cloud App Security, a cloud access security broker (CASB) solution, which works with Azure AD to deliver additional visibility into potentially insecure authentication attempts by monitoring for misuse of applications or suspicious data uploads or downloads.
To enhance its Azure AD environment by ensuring user data is accurate, edotco plans to sync employee data directly from its HR system to Azure AD. “We plan to use an off-the-shelf connector to sync our HR system data,” says Ng. “We’ll keep Azure AD up to date and even provision licenses exactly when they are needed.”
Layering on threat protection
Deploying an endpoint detection and response (EDR) solution was the next step to improve detection and response capabilities. After testing a few competing solutions, Microsoft Defender Advanced Threat Protection (ATP) was the clear choice. “We found Microsoft Defender ATP easy to deploy and configure. Once a new device joins our Azure AD domain, we can automatically enroll the EDR solution along with other baseline security configurations,” says Max Chan Wai Kuang, IT Technologist at edotco.
Chan continues, “We immediately benefited from the Microsoft Defender ATP reports on unpatched applications on our systems. We were able to resolve issues with several applications right away.” The Threat Vulnerability Management capability in Microsoft Defender ATP provides updates on application configuration and patching regardless of where the PC is located, which is a critical piece in maintaining the organization’s security posture.
Now, edotco automates investigation and remediation in Microsoft Defender ATP to reduce the number of alerts and tasks generated for IT operations. “We have reduced the workload on IT operations through automated remediation, and Microsoft keeps adding new capabilities, so we have regular reviews of our policies and continue to automate more items,” says Ng. With Microsoft Intune security tasks, threats that aren’t automatically remediated can often be resolved with one click, helping to maintain rapid response times. Some examples of items that can be remediated with Microsoft Intune security tasks include updating a vulnerable app, uninstalling a vulnerable app, updating an operating system, or hardening devices based on Center for Internet Security (CIS) benchmarks.
“We also use the threat intelligence alerts to put the correct protection in place when we learn about specific malware,” Ng adds. The threat analytics capabilities in Microsoft Defender ATP provide accurate information about the threat in addition to potential systems that may be exposed to it. In fact, the team has rapidly improved its response time because of the Microsoft Defender ATP alerts.
The company is in the process of deploying many of the capabilities in Microsoft Defender ATP for desktop protection. It was impressed with the investment Microsoft has made into antivirus capabilities over the past few years. “We rolled out Windows Defender Antivirus a few months back. We replaced our existing product because it was easy to deploy, gave us similar capabilities, and is easy to manage,” says Ng. “Not only did we save money, but we also have a more holistic view into the analytics provided.”
edotco is currently configuring Windows Defender Application Control and Windows Defender Credential Guard. Introduced with Windows 10, Application Control allows organizations to control what drivers and applications can run on their Windows 10 clients. Credential Guard uses virtualization-based security to isolate credentials in memory, effectively preventing attackers from stealing them. “We are testing these capabilities to enhance our desktop security. Microsoft makes them easy to implement, but we need to ensure that the controls are configured in accordance with our business needs,” says Chan.
Protecting email and files
To protect incoming emails and stored files, edotco deployed Office 365 Advanced Threat Protection (ATP). It uses Safe Links, which provides real-time validation of web addresses, and Safe Attachments, which identifies malicious email attachments and takes appropriate action. “We often see sophisticated phishing attacks, and Office 365 ATP helps reduce the chances that our users get phished,” says Ng. “As antivirus filters get better at blocking links, we’ve noticed that hackers are using malicious attachments more often, so we are glad to have Safe Attachments in place.”
edotco also uses Office 365 ATP to analyze files on its SharePoint and OneDrive environments. “That was a quick win for us because when we turned it on, we received a few alerts of malicious files already inside OneDrive and we removed them,” says Chan.
Pulling it all together
As it deployed Microsoft 365 security capabilities, edotco made use of the intelligent suggestions provided by Microsoft Secure Score. edotco uses Secure Score to get a holistic view of its security posture and discover additional security controls that could improve that posture.
After seeing the richness of the data provided by its Microsoft security investments, edotco is now testing Azure Sentinel to get a near-real-time view of security events and have the tools to investigate and respond to incidents quickly. “We leverage that data to improve our intrusion detection capabilities and also prevent data leakage,” says Chan. “When we receive an identity alert, we can now tie it to a user account and then see which services or files were accessed.”
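The pivot Chan describes, from an identity alert to the services and files an account then touched, is a join across two Sentinel tables. The query below is an added example (not edotco's or Microsoft's own code) that uses a medium- or high-risk sign-in recorded by Azure AD Identity Protection as the stand-in for the identity alert and lists the Office 365 workloads and objects the same account accessed in the following 24 hours. It assumes both `SigninLogs` (Azure AD connector) and `OfficeActivity` (Office 365 connector) are ingested into the workspace.

```kusto
// Added example: correlate a risky sign-in with the Office 365 activity
// of the same account over the next 24 hours.
let lookback = 7d;
let window = 24h;
let riskySignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn in ("medium", "high")
    | project RiskTime  = TimeGenerated,
              User      = tolower(UserPrincipalName),   // OfficeActivity.UserId is lower-case
              RiskLevel = RiskLevelDuringSignIn,
              SigninIP  = IPAddress,
              SigninApp = AppDisplayName;
riskySignins
| join kind=inner (
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | project ActivityTime = TimeGenerated,
              User = tolower(UserId),
              OfficeWorkload, Operation, OfficeObjectId, ClientIP
  ) on User
// Keep only activity that happened after the risky sign-in, within the window.
| where ActivityTime between (RiskTime .. (RiskTime + window))
| summarize Operations = count(),
            Workloads  = make_set(OfficeWorkload),
            Objects    = make_set(OfficeObjectId, 50),   // files, sites, mailboxes touched
            ClientIPs  = make_set(ClientIP)
          by User, RiskTime, RiskLevel, SigninIP, SigninApp
| order by RiskTime desc
```

Comparing `ClientIPs` with `SigninIP` is a quick way to separate activity that plausibly belongs to the risky session from the user's normal activity on other networks during the same window.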
Even with a small security team, edotco takes advantage of advanced security capabilities delivered by Microsoft because of their ease of implementation, and it uses them to meet the demands of its leadership to protect against ever-increasing cyberthreats.