Is MFA enough to protect your data?

Multi-Factor-Authentication (MFA) is quickly becoming a global standard in identity security, with many platforms enforcing usage by default. Microsoft introduced the concept of “Security Defaults” on all new Microsoft 365 environments, enforcing MFA registration, further enforcing the criticality of this feature. In this blog, we look at this trend and ask if this is enough to secure your organization's data.

Background

It is becoming universally recognized that passwords alone are not a strong enough identity security measure, nearly all guidance now points to using MFA as a standard. Even with MFA implemented, there are still ways you may be exposed. See this blog on the risk of legacy authentication for one of these ways. Organizations are now starting to look at security with a different approach and are moving towards risk-based controls with an end goal of zero trust access to their resources. When referring to zero trust, we assume that there is no traditional perimeter network, and addresses the following guidelines: Continuous verification, limiting exposure/blast radius of attacks and automation of data collection for incident response.

3 Pillar approach

When working with organizations to understand their security architecture, we make use of a 3-pillar approach:

1. Identity: How is the identity protected? MFA is an example control in this pillar.
2. Device: How is the device protected? Controls include EDR (Endpoint Detection and Response) and vulnerability assessments.
3. (Workload) Apps: How are the workloads protected? Controls include CASB (Cloud App Security Broker) and Message Hygiene solutions.

An important question following the analysis of the controls is how do these systems speak to each other? In an ideal scenario, a member of your security team should easily be able to track a threat between each area and understand the impact and blast radius of an attack. Not having the right solution to accomplish this in place might mean missing further compromises or longer downtime to identify the impact.

XDR (Extended detection and response) is a solution that automatically analyzes data from all these sources and makes it easier to understand the attack story should it be successful. An XDR solution leverages AI (Artificial Intelligence) to stop attacks as they happen based on the data collected.

Secure score – a great start

Microsoft Secure Score is a great way for your organization to start understanding gaps in your current configuration as it provides actionable insights and a percentage score-based system to improve on.

Secure Score is broken down into three categories (Device, Identity and Apps), sound familiar? This is one of the main reasons we use this model when speaking with customers. You can see below an example of the interface and the action items associated to the score of my test organization:

As your team works through the Secure Score items, you can track completion which will increase your score percentage overall:

We always recommend Secure Score as a starting point within Microsoft 365, it can quickly bolster your security posture and help ensure that you are getting more value out of your licenses. The historical score changes report can be used as a tool to demonstrate value to the business based on progress made by the relevant teams.

Secure Score however, just like MFA is not enough to cover every scenario. A well-architected identity policy will be far more in-depth than just enforcing MFA for access, which is one of the main score points within Secure Score. When working with customers who have rolled out MFA as an identity security policy we like to dig deeper into individual scenarios:

• What is stopping an employee on a home computer that isn’t protected by your controls from downloading all your data?
• What is stopping an infected machine from accessing your corporate apps and data?
• What happens if the user just accepts every MFA prompt they get because they are so used to them?

There are just a few of the scenarios we go through when speaking with customers about their security strategy, reflecting on each one. In short, MFA alone is not sufficient to prevent a compromise.

Organizations should now be working towards a Zero-Trust architecture, taking into account all the different ways employees should be interacting with corporate systems and the controls needed to make sure this happens securely without affecting productivity.

Not a one-time activity

Many organizations have implemented MFA as a one-time activity and moved on, but as highlighted above, this will not hold up to the challenges we now face in an ever-evolving world of threat actors. The same applies to any other controls put in place. Security should be an on-going and critical function within your organization.

When you implement a solution, it may be the best industry recommended practice at the time, but within six months there are likely to be new and emerging threats that you need to implement controls against. Thankfully, a lot of these solutions include threat and vulnerability management, however this is a function that needs managing.

Organizations must either assign staff to maintain the function or reach out to a trusted partner to manage the service for them. Without this component they will not benefit from the full potential of the solution they have invested in.

MFA is a great step that every organization should be taking, but it simply isn’t enough, even in the identity pillar of security. Organizations must start looking at the bigger picture and ensuring that individual solutions work together to give a single-pane of glass view into their environment.

Implementing a robust workplace security model is more important than ever, but even more important, is having a team who can drive continuous service improvement and rapidly respond to new and emerging threats.