365 Total Protection for Microsoft 365

Introduction

Over the past few years, an increasing number of organisations have chosen to implement cloud computing, distributed system architectures, and as-a-service or subscription based operating models throughout their IT environments. The most popular example is Microsoft 365 (M365); providing SaaS (Software-as-a-Service) based versions of Microsoft’s productivity suite, which is embedded into the processes and technology stack of many businesses.

Due to the internet-hosted nature of the service, and its global popularity spanning nearly all sectors, Microsoft 365 is a common target for cyber security attacks. Email has long been the easiest and most successful attack vector for cyber criminals, using phishing attacks to either deploy malware and ransomware, or steal login credentials. Once attackers have penetrated corporate networks or resources using these methods, they can steal sensitive data, carry out malicious activities, impersonate people and systems, or simply monitor traffic and behavioural patterns over time to plan out a longer, sustained attack.

Securing a company from such attacks generally comes down to implementing layers of security, without restricting employees or users in such a way that they take measures to bypass security processes. Third-party tools can play a positive role in an organisation’s overall security posture.

365 Total Protection by Hornetsecurity is specifically designed for Microsoft 365, protecting your business from malicious emails and files before they reach the users mailbox. 365 Total Protection integrates seamlessly with M365 by connecting directly into the service in just 30 seconds. You select the security policies and protection to apply, without having to install and manage agents, servers, or other components.

365 Total Protection comes in two editions to enhance the security of your M365 accounts, and the wider organisation:

  • 365 Total Protection Business is a comprehensive security package providing email and data security for M365 accounts.
  • 365 Total Protection Enterprise builds on the functionality above, by adding AI-based advanced forensic analysis and intelligence, along with business continuity and legally compliant email archiving.  

365 Total Protection Business

When a user’s mailbox is secured by 365 Total Protection Business, they have a full overview of all emails for which they are the intended recipient. With real-time mail flow analysis, and Email Live Tracking, the user has at their fingertips an extensive list of filters and self-service actions to secure their email and data, without impacting productivity.

365 Total Protection is built upon a multi-stage, in-depth Threat Intelligence system, that analyses and filters new attacks or threats before they reach the users mailbox. Hornetsecurity’s Threat Blocking system will statistically block 99% of attempts to deliver spam, with the Threat Intelligence feature guaranteeing a detection rate of 99.99% for spam, and 99.9% for viruses. In both cases emails blocked or quarantined will not reach the users mailbox. The spam and malware protection systems are constantly learning and improving, through Hornetsecurity’s Security Lab and AI/ML based algorithms.

Integration of Hosted Spam Filtering and Malware Protection into the Email Management System

Emails quarantined as potentially unwanted can be released by the user, who can also manage their own safe and blocked sender lists, and crucially, see comprehensive detail on the status of each email communication. This helps a user to understand how a mail has been classified, for example spam, and the reason for the classification. Daily reports can help collate and stop marketing or info mails, with the user able to whitelist those relevant to them. Of course, the level of flexibility afforded to the user is defined by the company directive and policies configured.

Administrators can configure compliance filters and content control, for example to remove unwanted or unauthorised file attachments depending on the file type, content, or recipient. Outgoing emails can be encrypted, with granular control over the encryption method, and automated certificate management, protecting email communication from being viewed or changed by anybody other than the intended recipient. Where specific recipients are unable to provide email encryption the Websafe mailbox delivers a way of securely communicating with those external parties.

Finally, the implementation of a global mail security solution such as 365 Total Protection Business enables standardisation and enforcement of email signatures and company disclaimers. If desired, intelligent ads and social media buttons can also be embedded for external corporate communication.

Email Live Tracking from 365 Total Protection Features

365 Total Protection Enterprise

365 Total Protection Enterprise builds on the features outlined above, including further Forensic Analyses mechanisms to review and detect malicious behavioural patterns, fraud, spoofing attempts, targeted attacks, and identification of spy-out attacks and feign facts or click-bait. URL Malware control checks and secures all internet links and downloads, to protect against blended attacks, while the Advanced Threat Protection (ATP) Sandbox Engine adds a safe, sandpit environment to analyse suspect files. All activities can be monitored in real-time using the Real Time Threat Report.

Integration of Advanced Threat Protection into the Email Management System

In addition to ATP and the advanced threat capabilities, 365 Total Protection Enterprise provides GDPR-compliant email archiving, with a retention period up to 10-years. The email archive can be accessed by auditors on-demand using the web based front-end, taking advantage of the eDiscovery service for fast, complex queries or search filters.

As mentioned earlier, 365 Total Protection has a guaranteed spam detection rate of 99.9% and virus detection rate of 99.99%, with a false positive rate of only 0.00015. However, as cyber security professionals will attest, additional layers should act as a failsafe to mitigate risk as much as possible. 365 Total Protection Enterprise also caters for malware ex post alert and deletion, so that if a malicious mail has already been delivered then the threat can be quickly contained.

In the event of a Microsoft 365 service outage, 365 Total Protection Enterprise also enables users to carry on working with its Email Continuity Service, as a stand-by system. Furthermore, where 365 Total Protection Enterprise is in place, users can uplift to 365 Total Protection Enterprise Backup. This bolsters business continuity by adding automated backup and recovery, for user M365 mailboxes, Teams, OneDrive, SharePoint data, and Windows-based endpoints.

Summary

In summary, the advanced threat analysis and detection capabilities of 365 Total Protection make it a worthy addition to any security tool kit, with the logging, reporting, and business continuity capabilities affording extra peace of mind.

Whilst securing mailboxes and data, above all 365 Total Protection provides improved user experience with self-service flexibility. This dynamic approach means that the implementation is more likely to be successful in its aim to secure the organisation. As threats and attackers grow over time, the Security Labs and Threat Intelligence algorithms continue to adapt for future trends and attack vectors. The best way to see if 365 Total Protection adds value to your business is to get hands on and try it out yourself using the free trial.

What is VMware Cloud on Dell EMC?

VMware Cloud on Dell EMC is a fully managed Infrastructure-as-a-Service (IaaS) local-cloud deployment. A dedicated rack with all supporting hardware and equipment is wheeled into the customer site where it is maintained directly by VMware Site Reliability Engineering (SRE). The customer provides the physical location for the rack to sit, the power source, and the existing network for the data plane switches to plug into.

VMware Cloud on Dell EMC delivers a fully integrated software and hardware stack, jointly engineered by VMware and Dell EMC. The VMware Software Defined Data Centre (SDDC) overlay, and hardware underlay comprises of:

  • VMware vSphere and vCenter for compute virtualisation and management
  • VMware vSAN for storage virtualisation
  • VMware NSX-T for network virtualisation
  • VMware HCX for live migration of virtual machines with stretched Layer 2 capabilities.
  • 3-26 Dell VxRail Hyper-Converged Infrastructure (HCI) nodes per full-height rack
  • 1 non-chargeable standby VxRail node per rack for service continuity
  • Redundant Power Distribution Units (PDUs)
  • Uninterruptible Power Supply (UPS) for half-height rack configurations
  • Redundant Top of Rack data plane switches
  • Redundant VMware SD-WAN appliances for remote management

All of this is delivered in a dedicated rack, as a fully managed service, with a single point of support directly with VMware. VMware SRE will take care of updating and maintaining all components of the software overlay, firmware updates, and management or repair of the underlying hardware. The customer maintains responsibility for the virtual machines they run on the infrastructure, plus configuration like network and storage policies. You can find out more from the VMware Cloud on Dell EMC product page, or the VMware Cloud on Dell EMC Solution Overview Brief.

VMware Cloud on Dell EMC

Why VMware Cloud on Dell EMC?

You’ll see me advocate public cloud on this blog, but on-premises infrastructure often has its use cases. Data sovereignty, regulatory and compliance, workload to data proximity, latency requirements, local control, and existing investments all spring to mind. Running infrastructure at the edge is also becoming more prominent and overlaps with some of these use cases. As systems are more distributed, and consumers have more choice, there are many benefits in creating a consistent application, infrastructure, and operating experience across private cloud, public cloud, and edge locations.

VMware Cloud on Dell EMC benefits from a cloud operating and delivery model, whilst being classed as an on-premises service. This means that regulatory and data sovereignty requirements can be satisfied as all customer data is held on the local hardware. The VMware SD-WAN appliances and VMware Cloud portal are only used for management, without any further access into the customers network. VI admins continue to use vCenter Server as normal to manage virtual machines, however they no longer need to worry about maintaining the underlying infrastructure. IT teams now benefit from a managed service operating model with a predictable subscription-based monthly or annual outgoing, without the hardware ownership depreciation and management overhead.

VMware Cloud on Dell EMC Use Cases

A great use case for VMware Cloud on Dell EMC is VDI. Whether or not you have data or app proximity requirements, the node sizes and HCI configuration fit exceptionally well with virtual desktops utilising hyper-threading and instant clone technology. The SDDC can be built as a brand new pod, or used to extend an existing pod within the customers environment. At the time of writing Horizon perpetual licenses can be used to run virtual desktops on VMware Cloud on Dell EMC, along with existing Microsoft licensing. A common consideration of moving VDI to the cloud is around Microsoft license mobility, and Horizon perpetual to Horizon Universal flip. The implementation of a cloud-like service on-premises is able to offer the best of both worlds. You can read more about the VDI use case in the VMware Horizon Deployed on VMware Cloud on Dell EMC technical overview.

As well as VDI, other popular use cases for VMware Cloud on Dell EMC include data centre modernisation, a change in IT funding model, application modernisation, and services with low latency, sensitive data, or data sovereignty requirements. VMware Cloud on Dell EMC integrates seamlessly with existing on-premises environments, with continuity of third party tools and processes already in place, such as backups, monitoring, and security. Hybrid Linked Mode allows single pane of glass management of vCenter Servers across IaaS and self-managed infrastructure. You can find out more about the benefits of VMware Cloud on Dell EMC, including Total Cost of Ownership (TCO) improvements, in the VMware Cloud Economics data sheet.

Getting Started with VMware Cloud on Dell EMC

VMware Cloud on Dell EMC can be ordered, customised, and scaled through the VMware Cloud portal. Delivery and installation takes place in 4-6 weeks including a site survey. At the time of writing there are 6 different node sizes from a range of Dell VxRail models with flexible configurations from extra small through extra large. Full specifications for the nodes and racks can be found in the VMware Cloud on Dell EMC Service Data Sheet.

When ordering the service, the customer can select the rack type, with full details of the host capacity, network bandwidth, height in rack units, and power configuration. The customer will be asked to confirm that the site location meets the rack requirements, including rack dimensions, power source, and environmental variables such as temperature and humidity.

VMware Cloud on Dell EMC Example Requirements

Next the customer will be asked to select the host type and the number of hosts, and provide the networking settings. A CIDR block is needed for the management subnets, including rack out-of-band management, SDDC management, and the VMware SD-WAN appliances. Ports TCP 443 and UDP 2426 will need to be open outbound to connect to VMware Cloud. The term commitment is also selected during the order process, and the term begins when the SDDC is deployed and activated from the VMware Cloud console. You can track the status of the order at any time from the portal.

VMware Cloud on Dell EMC Example SDDC Order

When the rack arrives on-site it is fully cabled and ready to be connected to the customer environment. The ToR switches are physically connected to the existing upstream network using customer provided SFP adapters and copper or fibre cables. Dynamic routing can be configured using eBGP, facilitating fast routing failover in the event of a ToR switch failure or upstream switch failure. Static routing can also be used but is less optimal.

Once the SDDC is deployed the L3 ECMP uplink connectivity between the ToR switches and the existing upstream network can be configured from the VMware Cloud console. After setup is complete the service maintains operational consistency with existing VMware environments; for example virtual machines are managed using vCenter Server, and new networks are created using NSX-T. For more information on VMware Cloud on Dell EMC review the Technical FAQ. You can also test drive the ordering process with uplink configuration in the VMware Cloud on Dell EMC – Lightning Hands-on Lab.

VMware Cloud on Dell EMC Example SDDC Summary

Dell APEX and VMware Cloud on Dell EMC

One of the new announcements at VMworld 2021 was the availability of Dell Technologies APEX Cloud Services with VMware Cloud. So what’s the difference between Dell APEX with VMware Cloud, and VMware Cloud on Dell EMC? Put simply, not much. Dell’s APEX as-a-Service portfolio provides access to scalable, managed, subscription-based consumption of their popular technologies. The APEX portal consolidates ordering and management into a single service catalogue with a flexible range of financing options, aligning with many of the benefits of cloud computing. When you order VMware Cloud through Dell APEX, you’re buying from Dell, and all support and maintenance is carried out by Dell. When you buy direct from VMware, the service is delivered, supported, and maintained by VMware.

Since the solutions are provided by different companies, there may be some differences around service level agreements, time and delivery details. However under the hood the hardware and software stack is the same VMware Cloud on Dell EMC infrastructure. This gives the customer the flexibility to utilise their preferred partner or take advantage of existing commercial arrangements.

vRealize Operations Capacity Shows 100% Cluster Utilisation

Recently we were examining a vSphere cluster where vRealize Operations Manager was showing 100% CPU utilisation, with zero capacity remaining. However, the usage of all resources in the cluster was generally low. We know that the cluster capacity is based on demand rather than usage. CPU demand is the amount of CPU resources a virtual machine would use if there were no CPU contention or limit. Sometimes, this can cause a little confusion when we look at the utilisation metrics of the cluster.

This type of behaviour is actually expected because of how vRealize Operations interprets the data. When virtual machines have latency sensitivity set to high, all of the CPU is requested by the virtual machine in order to reserve it. Since vRealize Operations Manager cannot differentiate between latency sensitivity reservations and legitimate CPU requests, we see CPU and/or memory contention alerts. More information can be found in the KB article Virtual Machine(s) Workload badge reports constant 100+ score in VMware vRealize Operations Manager (2145552). The KB article suggests that if latency sensitivity cannot be set back to normal, then a custom group can be created to disable the alerts.

This scenario is well documented. However what if latency sensitivity is not enabled or configured beyond the default setting, but the symptoms are the same? In this case, the cluster is dedicated to running SQL workloads.

From using the metrics view of the cluster under the environment tab, we can see high peaks for the CPU co-stop and CPU ready values every night. The discrepency seems to be caused by the behaviour of the virtual machines in claiming all available CPU resource at a specific time. Whilst this might sound environmentally specific, there are a number of scenarios where this could be the case and a workaround is needed.

Beyond changing the behaviour of the virtual machines, some available options are as follows:

  • Action the rightsize recommendations to ensure we are not over allocating CPU resources
  • Follow the steps outlined in the KB article above to ignore/disable the alerts
  • Follow the steps outlined below to set a maintenance schedule, disregarding metrics where the peak is at a consistent time every day or night
  • In the capacity policy change the setting of the time remaining calculations

Updating how the time remaining is calculated may be a last resort, but can provide a slightly different interpretation of the data. You can see the description of each setting, and how the associated projection graph changes in the screenshots below. The default policy uses conservative capacity planning which takes the higher values, whereas aggressive uses the averages values of resource utilisation.

To update this setting either change the default policy, or create a new policy to assign to specific objects like a cluster. Follow the policy based steps outlined below, disregarding the maintenance schedule. You can find out more information on how remaining time is calculated in the blog Rightsizing VMs with vRealize Operations.

vRealize Operations Conservative Capacity Policy
vRealize Operations Aggressive Capacity Policy

Setting a Maintenance Schedule

The following steps will walk through creating a maintenance schedule with associated capacity policy. You can also change the time remaining calculations from the capacity policy, with or without a maintenance schedule. The screenshots are from vROps 8.6, but previous versions of 8.x should be a similar process.

  • First, create the maintenance schedule. From the left hand navigation pane, expand Configure and select Maintenance Schedules.
  • Click Add. Enter the name, time zone, and time configuration of the schedule. Click Save.
  • Next, we need to create a policy. From the Configure menu again, select Policies.
  • Click Add. Enter the name, and select a policy to clone. Click Create Policy.
  • Select the policy from the list, and click Edit Policy.
  • Select the Capacity block, and then choose the object type.
vRealize Operations Capacity Policy

Here if required you can change the policy for time remaining calculations, mentioned above, as well as manually change the alert thresholds. When considering the time remaining calculations, the default conservative policy will take the highest resource utilisation to project the time remaining before this crosses the usable capacity threshold. The aggressive policy will use the mean average resource utilisation to project the time remaining before this average crosses the usable capacity threshold. Both policies are of use, aggressive may be better suited to smaller organisations wanting to sweat hardware assets.

  • Make any desired changes to the policy per the description above. Scroll down to Maintenance Schedule and select the schedule created earlier. Click Save.
  • Next, select Groups and Objects. Choose a custom group or object to apply the policy to, and click Save.
vRealize Operations Assigned Policy
  • Now that the policy is configured and assigned to an object, it is active and in use.
vRealize Operations Active Policy
  • When we check back on the maintenance schedule we can now see the linked policy.
vRealize Operations Maintenance Schedule

There are additional ways of setting maintenance schedules, the example above is relevant to the described use case to disregard metrics during a certain time interval. You can also manually enter maintenance through both the vROps UI and API, see Maintenance Mode for vRealize Operations Objects, Part 1 by Thomas Kopton, or create dynamic groups containing hosts in maintenance mode, see Maintenance Mode for vRealize Operations Objects, Part 2.