Securing Enterprise Mailboxes with Hornetsecurity

Introduction

In 2020 Microsoft reported over 258 million monthly commercial users of its Office 365 productivity suite. For decades Microsoft has been powering business with software like Outlook, Word, and Excel. As technology and connectivity have improved, so has functionality and user requirements. Now, over 75 million people use Microsoft Teams every month for virtual meeting experiences. Consumers of Microsoft technology have moved away from self-managed instances of services like Microsoft Exchange for email communication, and instead shifted to Software-as-a-Service (SaaS) hosted directly through Microsoft’s cloud services.

Adoption of such services has accelerated through the shift to remote working and migration to the cloud. As such, data centre and network architectures have changed to accommodate both distributed users and systems. Cyber criminals are more advanced than ever, and organisations' security posture is now a priority at every board level. Financial and reputational damage from security breaches can be a huge uphill task to recover from, and defence-in-depth security systems are often built in layers to protect digital corporate assets like data. The challenge with security has always been that, despite an abundance of technical solutions and investment, there are often weaknesses in the chain disguised as legitimate day-to-day work requirements. Email is one such example.

Email is perhaps the most widely used tool across companies, both internally and externally. It's also the easiest and most common penetration point for multiple attack vectors. A quick internet search demonstrates eye-watering statistics around the number of companies suffering security breaches, email breaches, and Office or Microsoft 365 breaches. Microsoft recorded a 250% increase in cyber-attacks on Microsoft 365 users in the last two years, with 57% of SMBs falling victim to phishing emails in the last year. Even extensive security hardening and configuration can be completely bypassed by the actions of a user acting upon what they believe to be a genuine email.

365 Threat Monitor

Hornetsecurity has released a brand-new free mobile app, available from the iOS and Android app stores. In just a few steps, 365 Threat Monitor can be enabled on Office or Microsoft 365 enterprise mailboxes, adding monitoring and alerting for malicious or suspicious emails that have made it through the built-in standard defences. This additional layer of email security helps provide protection against malware (ransomware, viruses, spyware), phishing, spoofed senders and content, targeted attacks on specific data or people, and spam or unwanted advertisements.

The 365 Threat Monitor app is based on key areas of Hornetsecurity's proprietary technologies. Threat Defense and Forensic Analyses detect attacks through real-time scanning for harmful content, heuristic filtering, and authenticity and integrity verification. In Threat Monitor, customer administrators gain transparency through a detailed UI, including statistics, about the types of threats their users and the organisation as a whole are facing. From within the app itself, administrators can immediately delete malicious emails upon detection, deflecting or containing harmful content.

To set up 365 Threat Monitor, sign up to receive a link to the free app, or download the app from the app store and sign up during the process. Once the app is installed, follow the on-screen steps to connect your Microsoft 365 administrator account. You're then up and running: when 365 Threat Monitor detects a suspicious email, an alert is sent directly to your phone. Information is provided on the mailbox and the context of the threat detected, with the option to delete in just one click. The great thing about this process is that 365 administrators can try out the functionality, examine the number of threats detected and the need for a solution, carry out end-to-end testing, and then scale out the product if required.

The mobile app presents information in a clear and concise format, with a clean and colourful interface. IT administrators are generally part of an on-call team to protect the organisation from security threats and outages 24/7. Providing advanced email security functionality through a mobile app is another option in the IT team’s toolkit to respond quickly and easily, without needing to open a laptop or log into a company VPN.

Customers may decide, after successfully implementing 365 Threat Monitor across their enterprise mailboxes, to upgrade or activate the 14-day free trial for 365 Total Protection Enterprise. 365 Total Protection Enterprise can block threats even before they reach end user mailboxes, and adds further features like attachment content control, allow and deny lists, a compliance filter rule engine, and email archiving with up to 10-year retention. Equally, customers may decide that the 365 Threat Monitor app, which stays completely free forever with manual and limited deletions, offers sufficient protection and visibility into their Microsoft 365 mailboxes. Either way, whether it's a precursor to a wider security rollout or an enhancement on the default Exchange Online security, the 365 Threat Monitor app is worth running to cover potential blind spots in security within your user mailboxes and behaviours.

Summary

In summary, the 365 Threat Monitor mobile app is a welcome addition for Microsoft 365 administrators concerned with protecting valuable company assets like data and information, much of which either resides in, or is accessible from, corporate mailboxes. Common threats we see day to day in the news, like ransomware and targeted phishing attacks on high-risk roles such as C-level, HR, or finance, all keep security professionals up at night. 365 Threat Monitor delivers validation that the sender of an email is who they say they are, and that the content or links you click on are not using underhand tactics to divert you elsewhere. The ease and speed of initial setup means that even just trying this software out is time well spent. Straight away you're protected with real-time scanning, and you will see your overall and individual threat levels, delivering some welcome peace of mind for many! The 365 Threat Monitor can be downloaded directly from Hornetsecurity here.

Multi-Cloud Management with vRealize Operations

This post will take a look at how vRealize Operations (vROps) can provide a single monitoring and visibility tool into your on-premises data centre, native public cloud services, and hybrid cloud platforms like VMware Cloud on AWS, or Azure VMware Solution. vRealize Operations provides VMware customers with monitoring and alerting, troubleshooting and remediation, dashboards and reporting, performance and capacity management, cost visibility and comparison, and security compliance.

vROps for Cloud-First

The vRealize Operations Manager instance itself can either be self-hosted (on-premises), where the customer is responsible for lifecycle management, hosting and availability, or consumed as Software-as-a-Service (SaaS). When using SaaS, vRealize Operations Cloud is hosted and maintained by VMware, and consumed as a service by the customer. Whilst the self-managed vRealize Operations is packaged into Standard, Advanced, and Enterprise editions, vROps Cloud comes in one edition only, which has feature parity with Enterprise plus some additional capabilities like near-real-time 20-second monitoring. You can compare features between the Standard, Advanced, Enterprise, and Cloud editions in the vRealize Operations Solution Brief.

In the UK, the closest locality for vROps Cloud is currently Frankfurt; you can review compliance and data processing information in the VMware Cloud Trust Centre. When looking at public cloud or hybrid cloud, including SaaS options, you may also want to review VMware's award-winning sustainability initiatives, including a commitment to net zero carbon emissions by 2030 across VMware global operations, all VMware Cloud solutions and VMware Cloud Provider Partners.

vROps also now integrates with CloudHealth, providing advanced financial management and optimisation recommendations for native cloud resources in Azure, AWS, Google Cloud Platform, and Oracle Cloud Platform. As well as overall cost savings, finance teams can use CloudHealth with resource tagging to bill individual departments for the exact capacity they have used. This empowers service or application owners to look after their digital assets and only use resources or hold data that they really need. The power of CloudHealth can be brought into vROps using the new management pack.

Hybrid Cloud Examples

The example below shows a customer with a hybrid cloud setup. In this scenario they may choose to host big data services in the Microsoft Azure cloud, and VMware workloads across on-premises and Azure VMware Solution. The hyperscaler is interchangeable and could be AWS, Google Cloud, Oracle Cloud, or a combination of cloud providers. Using vRealize Operations we are able to provide a consistent operating model across platforms from a single SaaS-based UI.

When onboarding with vRealize Operations Cloud, the primary contact on the account will receive an activation email to enable the subscription. A Cloud Customer Success Manager will carry out the activation steps with you. Once onboarded, rolling updates for new features are carried out automatically. You can also take a look at the vRealize Operations Cloud Solution Overview.

vRealize Operations with Azure

The cloud proxy is an OVF appliance deployed to the vCenter Server. This proxy forms an HTTPS tunnel to send data to the SaaS-based control plane. The appliance requires outbound HTTPS access to a set of URLs, which can be found in the vRealize Operations Cloud Documentation.

The same cloud proxy model can be used for Azure VMware Solution. There are some points to be aware of with Azure VMware Solution, such as limited visibility into management VMs (as these are part of the managed service). Nothing problematic, but they are listed in the Known Limitations section of the documentation. If you are running an 'on-premises' or self-managed version of vRealize Operations, instead of the SaaS version, then at this time the vRealize Operations Manager appliance cannot run directly on Azure VMware Solution.

Native Azure services can be added using an Azure AD app registration with a service principal and client secret. Instructions can be found in the Configuring Microsoft Azure section of the documentation, where you can also find a list of Supported Azure Services for vROps. Again, this doesn't have to be Microsoft Azure; it could be AWS.

AWS works slightly differently in that, when configuring VMware Cloud on AWS for use with vRealize Operations Cloud, the integration happens through an API token, since both solutions are native to the VMware Cloud Services Portal (CSP); see Configuring VMC on AWS in vROps Cloud.

Native AWS services can be added using an IAM-generated access key and secret. Instructions can be found in the VMware documentation under Add a Cloud Account for AWS, where you can also find a list of Supported AWS Services for vROps.

vRealize Operations with AWS

Additional Resources

VMware Hands-on-Labs are a fantastic free resource giving access to sandpit environments with step-by-step instructions for nearly all VMware solutions. Some example Hands-on-Labs for vROps are listed below, along with further video and written documentation.

  • HOL-2101-91-CMP – Getting Started with vRealize Operations – Lightning Lab
  • HOL-2101-06-CMP – vRealize Operations Advanced Topics
  • HOL-2101-04-CMP – vRealize Operations – Optimize and Plan vSphere Capacity and Costs

vRealize Operations Troubleshooting Workbench

The following sessions are available at VMworld 2021, and if you’re reading this after the event the sessions will also be made available on-demand.

  • A Big Update on vRealize Operations [MCL1277] Technical level 100
  • vROps Dashboarding 101 and Beyond [VMTN2843] Technical level 200
  • Manage Public Cloud with CloudHealth and vRealize [MCL1247] Technical level 100
  • An End-to-End Demo of Taming Public Clouds with CloudHealth and vRealize [MCL1439] Technical level 300 (Tech+ pass)
  • Track Sustainability Goals in Datacenter with vRealize Operations [VMTN2802] Technical level 200
  • Accelerate Your VDI Management with vRealize Operations [MCL1899] Business level 100
  • Next-Gen Infra and Apps Operations Management with vROps – Design Studio [UX2539]
  • Consistent Cloud Operations with vCenter and vRealize Operations [MCL2611] Technical level 100
  • An End-to-End Demo – Operationalizing VMware Cloud Foundation with vRealize [MCL1442] Technical level 300 (Tech+ pass)
  • A Cloud Management Journey from Monolith to Modern Apps with vRealize Suite [GWS-HOL-2201-08-CMP] Technical level 200 (Tech+ pass)
  • Design Principles: Cloud Architecture Design and Operations [MCL2151] Technical level 200
  • Get Close to 100% Automation to Get to True Cloud Operations at Scale [MCL2023] Technical level 300 (Tech+ pass)

vRealize Operations ESXi Configuration Dashboard

Why Bother With VMworld 2021?

VMworld is VMware’s flagship event, typically attracting 20,000+ people in the US (San Francisco) and 13,000+ in EMEA (Barcelona). As with 2020, VMworld 2021 is virtual and online. The annual conference is in its 18th year, currently focused on accelerating business innovation by delivering and securing modern applications, managing multiple clouds, and seamlessly supporting an anywhere workspace.

This year at VMworld 2021 the content catalogue is a reflection of how fast technology and society have moved as events unfolded over the past 12-18 months. There is an increase in sessions focused on enabling the anywhere workforce with Secure Access Service Edge (SASE), as well as breakout sessions and customer stories on responding to the global pandemic. There are also noticeable additions around sustainable data centres and operating carbon-neutral businesses and IT. Modern applications and multi-cloud continue to grow, whilst there are a lot of new topics and trends coming out of the security business unit across all of VMware's solutions. Finally, Raghu Raghuram will lead the VMworld 2021 keynote in the first flagship event since Pat Gelsinger made the switch to Intel.

The general pass for the event is completely free, which opens the content up to more people who previously could not get funding or could not take time out to travel. A Tech+ pass is also available for certain sessions. I've been fortunate enough to attend VMworld in person in 2018 as a customer, and 2019 as a partner and speaker. In essence the benefits of VMworld haven't been taken away. Technical content ranges from levels 100 through to 300, delivered in breakout sessions, panel discussions, meet-the-expert roundtables, design studios, and tutorials, ensuring there is something for everyone. Expert-led Hands-on-Labs provide sandpit environments for you to test and break, with someone on hand when you need assistance. For someone like me who learns by 'doing', these types of sessions have always been more beneficial than reading a textbook or completing a training course.

The entertainment elements of the event are still there, although this time you can bring family along too. Clearly what's missing are mass social gatherings with peers to build relationships and talk tech over a drink. But there are no hangovers, no hefty bar tab, no sore feet, and no queueing. All in all, whilst I'm looking forward to VMworld in person again one day, the virtual event is absolutely worth the effort: for training, certification, and development, for industry announcements on the latest tech, for career progression, and just for taking some time out of meetings and emails! I've picked out some of the sessions I'm looking forward to below; you can register now and view the content catalogue at vmworld.com.

Starting with application modernisation, these 3 sessions look like they’ll give a great overview on deploying VMware’s Kubernetes runtime across platforms, first by enabling it in vSphere, and then at the edge with VMware Cloud Foundation. EDG1294 in particular will include a customer story around supporting the Ministry of Health in the midst of a pandemic.

  • Cloud Infrastructure Transformation with VMware Tanzu Basic and Tanzu Standard [APP2454] Technical level 100
  • Deploying VMs and Kubernetes with VMware Cloud Foundation at the Edge [EDG1294] Technical level 100
  • Get Started with vSphere with Tanzu [MCL1648] Technical level 200

Onto security, and I think it’s worth looking at how far NSX has come since the Distributed Firewall, with Network Detection and Response, Distributed IDS/IPS, and Layer 7 firewall capabilities, and another customer example from William Hill. The final session I’ve picked demonstrates the implementation of security guard rails across AWS accounts and Azure subscriptions using CloudHealth Secure State.

  • The Last Line at VMware – The Security AI in Our Pocket [SEC2103] Technical level 200
  • NSX IDS/IPS – Design Studio [UX2555] Design studio
  • Get Connected Rapidly with Airtight Security, Featuring William Hill [SEC2087] Business level 200
  • Detection to Response: Operationalizing Cloud Security Posture Management [SEC1397] Technical level 200

Now for my 3 wildcards, and I've gone with the completely unglamorous Oracle and SQL licensing on VMware, because this is actually useful to customers. Project Monterey is certainly worth checking out if you're interested in data centre hardware and how ESXi will run on SmartNICs. Then finally, one of a number of sessions around SASE and SD-WAN, this one focusing on how both a distributed workforce and distributed systems can be joined together and secured.

  • Licensing Oracle and SQL Server on the VMware Hybrid Cloud [MCL1997] Technical level 200
  • 10 Things You Need to Know About Project Monterey [MCL1833] Technical level 200
  • Cloud First: Secure SD-WAN & SASE – Complete & Secure Onramp to Multi-Cloud [EDG2813S] Technical level 200

All of the sessions above are included in the free general pass. I also picked out an additional 4 deep dive sessions that look great but are open to Tech+ pass holders only:

  • Architecting Multi-Cloud Horizon [EUS1547] Technical level 300
  • Azure VMware Solution: Deployment Deep Dive [MCL2036] Technical level 300
  • Detecting and Preventing Threats with NSX Advanced Threat Prevention [SEC2208] Technical level 300
  • Using Contextual Search and the MITRE ATT&CK Framework to improve Public Cloud Security [SEC1518] Technical level 300

In summary, for VMware customers or anybody interested in the industry, this is a great opportunity for technical teams to get up to speed on the latest technology innovations and the capabilities of solutions they either already manage or are looking to deploy. If you're working towards being VMware certified then this really is a no-brainer! There are over 800 sessions listed in the content catalogue as it stands, and I expect more entertainment sessions to be added over the coming weeks.

VMworld Online 2021