Empowering Small IT Teams with Big Security Superpowers

•  “Our priorities are defined but we don’t have the bandwidth to meet them all” 
• “Too much time putting out fires; not enough time to plan ahead” 
• “We’re new to Microsoft 365 and don’t know how to use all our security tools to their full advantage” 

Sound familiar?  If so, you’re not alone!   Many institutions are eager to improve their security capabilities but just don’t know where or how to start.  Forsyte assigns a dedicated engineer and Client Success account manager to every Guardian 365 customer, which ensures each client has a clear plan, current best practices, proper guidance, and the technical expertise to meet and overcome their unique security challenges.  

Recently, Forsyte delivered our Guardian 365 Managed Security Service to a higher education client with a security team that was new to the Microsoft security stack. Their small IT team was struggling with investigating a large amount of alert activity in their environment; juggling Help Desk tickets for thousands of users; and managing the burden of ongoing infrastructure improvements across multiple disparate systems.  Further, they asked for assistance in monitoring their environment for threats and sharing guidance on which alerts needed immediate attention for their team. 

The Forsyte team performed a thorough assessment of their current tenant configuration, led the deployment of best-practice Microsoft 365 and Defender security recommendations, learned which alerts could be automatically resolved and which deserved additional escalation to the on-site security team, and continues to provide 24x7x365 threat monitoring and remediation. 

HERE’s HOW WE DID IT!

Focusing on Assessments 

When first meeting with an organization, we conduct a thorough security assessment with technology leaders and security admins to better understand the services that exist in their environment.  This understanding allows us to build a customer-specific plan to augment security protections. 

Cybersecurity is ever evolving, and staying up to date is a constant challenge! When having access to a wide array of security solutions available to protect the enterprise, it can be overwhelming to understand where to look for actionable information. Our consultation during the assessment phase highlights where IT staff can view user and device activity, allowing us to highlight the areas of the institution’s environment that are in good standing while suggesting areas of improvement to ward off attackers using new techniques. 

For our recent customers, even before beginning configuration work, they appreciated the guidance Forsyte provided in how the IT team should navigate the security portals available to them. Knowing where to search for information and how to effectively respond to alerts was critically important. Bringing this clarity allowed their IT team to create processes for student activity validation and empowered them to make improvements to their existing security policies as they believed necessary. 

Best Practice Technology Deployments 

Our deployment process walks through the various Defender portals systematically, highlighting areas where we can improve an institution’s ability to detect threats and minimize vulnerabilities. Areas we were able to aid this institution included: 

• Auditing administrative roles granted to staff members in the organization. Adhering to the principles of Least Privilege Access and Just-In-Time Access, Forsyte recommends giving users the least number of privileges needed to perform their duties to reduce access to attackers in the event of a compromise. There were dozens of dormant accounts still in the environment, and dozens more where administrators were over permissioned for their day-to-day duties. Performing this audit helped reduce the likelihood an attacker could create serious disruption in case of an account compromise. 
• Making improvements to anti-spam and anti-malware policies to help protect the institution and its users from phishing, malware and ransomware campaigns. Augmenting these policies improves automated remediation capabilities and generates alerts for potentially malicious activity so IT staff can act quickly to potential threats. With the academic year ending, it is an opportune time for attackers to create targeted campaigns about financial aid, graduation ceremonies and job fairs. Improving email security and hygiene reduced the number of support tickets given to the IT team while protecting their end users from data exfiltration during a popular time of year for email attacks. 
• Running quarterly Attack Simulation Training campaigns to build end-user awareness around common tactics used by malicious actors to exfiltrate data. Phishing attacks have become increasingly prevalent in higher education, and the onset of generative AI tools has allowed attackers to create more sophisticated campaigns. Running quarterly attack simulations increases user awareness and helps the institution lower the risk of account compromise. 
• Configuration of custom branding in Entra ID including the institution’s logo and colors. It’s important for the end-user experience to remain consistent to help students and faculty discern legitimate communications from potentially malicious ones. Creating custom branding helps reduce the likelihood a user enters sensitive information in a malicious web portal. 
• Deploying recommended Attack Surface Reduction rules. We worked with technology leadership to help protect endpoint devices in their environment by deploying policies meant to detect behaviors that malware typically uses to infect computers. With thousands of devices found in the environment throughout the state, these Attack Surface Reduction help catch potential threats early in the attack process so IT staff can quickly act to address the threat. 

Constant Vigilance and Ongoing Engagement  

Cybersecurity infrastructure requires consistent nurturing and development to support protection against evolving threats. At Forsyte, we look to make things easier on a small IT team by providing 24x7x365 monitoring of their technology environment. 

In our recent example, the institution receives over 400 alerts a week, which can be difficult for smaller teams to investigate. Forsyte’s SOC team reduces that burden by having analysts investigate each alert generated in the environment and informing IT leadership when remediation actions are taken.  In just the past month, we’ve been able to: 

• Reduce the frequency of alerts generated by sign-ins from unfamiliar locations. This institution has hundreds of students attending classes remotely, and the IT team simply did not have the bandwidth to verify each login from outside their county. Our analyst team, aided by the policies Forsyte helped deploy, filters out the signal from the noise so the IT team can focus on activities requiring immediate attention. 
• Help remove intrusive software from user devices that opens the institution to vulnerabilities. When a USB drive was inserted into a managed device, the Forsyte SOC team was able to at once isolate the device and quarantine suspicious files.  
• Stop two separate phishing campaigns from leaving users at risk by removing malicious emails and blocking senders the moment the threats were discovered. When potentially malicious emails are left to linger in inboxes, unaware users can click links or access files that could lead to account compromise. Our enhanced detection capabilities thwarted these campaigns before they had a chance to gain any sensitive information. 

To help the organization’s environment remain protected from emerging threats, we meet regularly to help simplify the enormous amount of data available in the Microsoft security portals. We methodically revisit security policies and fine tune them as needed to filter out noise and ensure the most pertinent alerts are surfaced to IT leadership. The institution is appreciative of how Forsyte helps distill the large volume of alert information into actionable items for the IT team, empowering the IT Team to ask targeted questions and seek security improvements pertinent to their organization.  

Forsyte also looks to help by reviewing recommended Microsoft Secure Score items that can help close vulnerabilities still persistent in the environment. We often hear thoughts like “Everything is red, and we don’t know where to start!” The guidance Forsyte engineers provide during these monthly meetings helps our self’s and the institution set up a plan for continual improvement to help keep the environment protected against increasingly sophisticated threats.