Not too long ago, we wrote an article on why we believe Microsoft’s Advanced Threat Protection is rendering equivalent 3rd-party solutions for Office 365 users obsolete. This opinion raised some fascinating debates amongst both colleagues and clients, so we decided to revisit the topic with a head-to-head comparison of what some of the biggest players in the space actually offer.
After a fair amount of digging, we discovered that the actual threat protection functionality that you get from top-tier providers differs very little on their premium products. Even their SLAs are identical: >99% spam effectiveness and 100% detection and blocking of known viruses.
So how do we recommend organisations go about choosing which threat protection solution to use?
In our opinion, it all boils down to these, five questions:
Whose SLA do I trust the most?
Every threat protection solution provider in our comparison made the same promises regarding efficacy, and yet not a single one of them has a 100% track record for email hygiene.
It’s a fact of life that there will always be some attacks that escape detection. Where one solution misses one threat, a different solution will miss another. Trying to figure out whose record is cleanest is a futile exercise at best.
The only real differentiator when it comes to performance is how much you trust the promises your solution provider makes. Years of working with their products has given us firm faith in Microsoft, but your experience and preferences may differ.
Do I want to “spread my bets” across multiple service providers?
Trust is also a factor in deciding whether to put all your eggs in one basket (i.e. use the same provider for your SaaS solution and your threat protection), or to spread your bets by adding a trusted external vendor to the mix. Again, there is no right answer to this question – it all depends on your corporate policies and preferences, and your environment’s requirements and risks.
Just keep in mind that if you’re operating in Office 365, you’re going to be using Microsoft’s base-level protection regardless of what other solutions you add to the mix. This can make it more difficult to justify the additional cost of third-party solutions, particularly since they won’t tie into the broader Office 365 environment and play nicely with your data loss protection rules and rights management, for example.
Do I need more than just email security?
Most modern workplaces (particularly those using Office 365) seldom share files and content via email anymore. Instead, most content is created and shared using apps like Teams, OneDrive for Business, SharePoint and the Office client itself. All of these are currently impossible for third-party threat protection solutions to protect.
Depending on your environment, this can leave a gaping hole through which threats can penetrate your security protocol. Unless, of course, you choose Microsoft’s Office 365 Advanced Threat Protection (ATP).
Microsoft ATP P1 and ATP P2 are literally the only solutions available on the market that can detect, prevent and remediate threats in SharePoint, OneDrive for Business, Office and Teams.
How important is integration into my broader Office 365 environment?
Threat protection is only one aspect of information protection in the corporate environment. Things like data loss protection and mobile device management strategies are equally important. If you’re using Microsoft solutions, these all integrate very neatly with each other and the Office 365 environment, creating a conveniently cohesive position from which to manage your entire security stance.
If, on the other hand, you choose to address each aspect individually using third-party providers, management can become a more complex proposition. This may or may not be an issue for you, depending on your use case and environment.
How experienced is my deployment/configuration partner?
Configuration is one area in which Microsoft sometimes struggles to compete. As a solution, Office 365 has extraordinary flexibility and customisation potential, but it needs expert configuration to perform optimally within a specific environment.
Both Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) only provide base-level protection straight out the box. With the right setup, this protection increases exponentially, but that usually takes an experienced security partner to get right. Without this kind of expertise on hand, organisations risk creating misconfiguration gaps which could let the occasional, well-disguised threat slip through.
Don’t forget to secure your identities!
The majority of malicious attacks these days are identity attacks. These take more than just good threat protection to guard against.
We always recommend implementing the following controls, regardless of which threat protection solution you use.
- Enforce strong, 12-character length passwords.
- Implement Conditional Access (CA) policies to enforce multifactor authentication from untrusted locations, apps and devices.
- Implement CA policies to block legacy authentication (single-factor authentication protocols that cannot enforce a second factor as part of the flow).
- Put processes in place to detect and respond to leaked credentials and risky logons.
- Start planning for passwordless authentication in Windows 10 and Azure AD.
Today’s organisations are literally spoilt for choice when it comes to threat protection solutions. As long as you choose a trusted vendor with a large footprint and proven track record (and configure your system correctly), you should be safe from the majority of threats.
That said, when it comes to Office 365, there is no solution that can provide the same broad-spectrum protection and integration capabilities as Microsoft’s Office 365 ATP packages. Few third-party solutions can match the size and collective expertise within Microsoft’s security division either, not to mention their annual spend on security and current and future security-related acquisitions.
As such, we remain firmly of the belief that there is no need for organisations to look outside of the Microsoft stable for threat protection, unless they have specific concerns about risk management and trust.
These reasons may well be enough to keep third-party vendors in business for some time to come, but we fully expect to see Microsoft-only solutions becoming the norm for most businesses in the near future.