Q&A
Why Intune is Key (and why IT Isn't Using It)
Microsoft MVP Émile Cabot breaks down why Microsoft Intune is essential for endpoint security, and tackles some of our pressing questions on the state of IT security.
The shift to remote and hybrid work environments over the past few years has fundamentally transformed endpoint security for IT professionals. This rapid pivot required organizations to quickly adopt new strategies and technologies, exposing gaps in preparedness and infrastructure.
Émile Cabot, a seasoned Microsoft MVP with a wealth of experience in datacenter and deployment solutions, draws on that experience to describe the varying levels of readiness among IT pros and the critical role of modern security solutions. He also delves into the efficacy of tools like Microsoft Intune in securing remote endpoints and the importance of establishing robust security baselines.
For more insight from Cabot into how IT can fully use the many capabilities of Intune to keep their environments secure, join us during his TechMentor (taking place in Redmond, Wash. Aug. 5-9) presentation, "Locking Down a Modern Desktop with Security Baselines." Register by June 7 to save $400!
Redmond: In your opinion, how prepared were IT pros for how significantly the remote/hybrid work era would change endpoint security?
Cabot: The readiness of IT Pros to handle the security and support challenges created by the sudden shift to remote and hybrid work models varied significantly across organizations. Companies that had previously transitioned to a modern workplace and invested in advanced cybersecurity measures fared extremely well, leveraging the ability to scale up a proven framework. Consequently, organizations with limited off-premises connectivity and legacy systems were overwhelmed with a rapid implementation of cloud-based platforms, zero-trust architectures, vulnerability management and user training. Size and industry were minor factors in an organization's ability to adapt to requirements introduced in 2020; rather, it was a combination of flexibility, modernized infrastructure and organizational innovation that enabled companies to excel when corporate boundaries became less defined.
While this underscored the need for flexible and robust security solutions capable of accommodating these dynamic work environments, it has taken many organizations these past few years to stabilize this framework. Although the rapid implementation of modern solutions was ultimately successful, forced timelines have prevented operational teams from acquiring the necessary training to master these new solutions.
Companies that transitioned to a modern workplace due to technology adoption have been able to use these past years to continually innovate instead of react, focus on modern threat response and avoid budget overruns, effectively enhancing the employee experience and competitive advantage over organizations that did not adequately fund and innovate their workplace before it was required.
How valuable is Intune today for locking down mobile and remote endpoints? Is it as feature-rich as some third-party offerings?
Intune has become increasingly valuable for managing and securing client devices. Systems management solutions, like most enterprise products, required on-premises servers and device agents to operate. Although cloud device management has been a thing for more than 15 years, the adoption rate was slow. With a forced effort to modernize the workplace, an over-reliance on VPN technologies for full functionality of on-premises solutions quickly became obsolete.
For organizations that utilize Microsoft technologies, especially Microsoft 365, Intune and Azure Active Directory (now Entra ID), it allows them to easily transition their workstation environment to cloud-only management, while still utilizing Active Directory, Configuration Manager, etc. to manage user accounts and on-premises workloads.
With security being top-of-mind for most organizations taking their first step into a hybrid workplace, Microsoft's suite of products provided a comprehensive view into the new operating landscape. Integrations between Intune and Entra ID, Purview, Conditional Access, the Defender Suite, as well as on-premises solutions like Active Directory and Configuration Manager, not only provided the tools required to manage and protect a borderless enterprise, but helped organizations with their hybrid transitions through an established community, partner and support framework that organizations were already comfortable with.
"The process an organization undergoes to establish security baselines is determined by the source of truth and systems management capabilities available."
Émile Cabot
Your abstract mentions "security baselines." Can you define what a security baseline is and how an organization should go about establishing them?
A security baseline is a set of minimum security controls that are defined for an application, network or operating environment. These baselines represent the standard level of security that any given system should meet before it is considered compliant and ready for operational deployment.
There are several reasons why baselines are important, though individual requirements vary greatly. The process an organization undergoes to establish security baselines is determined by the source of truth and systems management capabilities available.
Financial, healthcare, government, public and some private sectors all have individual compliance requirements for the protection of sensitive data. Organizations operating in some regions, such as the European Union, have additional requirements that must be followed. While these requirements are strictly defined, they are not always presented in a manner that can be consumed by our systems management solutions. The first step in the baseline journey is to determine what level of compliance is required, and why.
Many organizations are not required to protect their data, but implement baselines as a corporate security measure. These, like the regulated sectors mentioned earlier, turn to industry standard recommendations for security baselines required for protection. ISO/IEC has computing security standards that can be used, as well as the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST) in the United States. Microsoft also provides a list of security recommendations as a baseline. Each of these organizations provides different tools to ease the burden of the implementation process.
CIS, for example, provides three different levels of protection that an organization can choose to implement, and offers its subscription members downloadable files that can be directly imported into Active Directory Group Policy or Microsoft Intune for endpoint configuration. There is also a community-driven product on GitHub that utilizes components of each set of standards to compile a complementary list of protections that are proven to be less-impactful to a production environment.
Unfortunately, due to lax security measures and poor application development practices over the years, enabling these protections is likely to impact a production enterprise in some capacity, and the implementation must be closely managed and tested as an initial baseline is enabled. An organization, any organization, would not deploy unadulterated CIS Level-3 benchmarks to all devices and not experience issues. Depending on the organization, this process can be costly, requiring software updates and application rewrites that were not considered as part of a hardening budget. While individual controls can be omitted from implementation using any benchmark mentioned in this article, this would uncertify the baseline and leave an identified vulnerability exposed in the environment. While risk can be accepted, the question of accountability exists in the event the vulnerability is the cause of a breach. Essentially, when a required control breaks a production system, it's the system that would need to be fixed instead of the control. This is why people tend to adopt Level-1 benchmarks initially, then slowly work towards Level 2 as vulnerabilities in production systems are remediated. Once a level of control is put in place, it becomes the responsibility of project implementations to harden new systems to the appropriate level.
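As an added illustration of the baseline process described in this answer (example code written for this page, not from the interview, Microsoft, CIS or NIST), the following evaluates a device configuration snapshot against a leveled baseline: Level-1 controls are enforced first, Level-2 controls stay out of scope until the target is raised, and an omitted control is recorded as accepted risk with a named owner but still uncertifies the baseline. Every control identifier, setting name and device value is constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    cid: str          # constructed identifier, not a real CIS/NIST control number
    level: int        # 1 = initial rollout, 2 = stricter target adopted later
    setting: str      # configuration key the control constrains
    expected: object  # value the device must report to pass

@dataclass(frozen=True)
class Exemption:
    cid: str
    owner: str        # who accepted the risk, for accountability after a breach
    reason: str

# Constructed baseline with two levels, mirroring the Level-1-then-Level-2 approach
BASELINE = [
    Control("ctrl-01", 1, "password_min_length", 14),
    Control("ctrl-02", 1, "smb1_enabled", False),
    Control("ctrl-03", 1, "bitlocker_enabled", True),
    Control("ctrl-04", 2, "legacy_auth_allowed", False),
    Control("ctrl-05", 2, "local_admin_accounts", 0),
]

def evaluate(device, baseline, target_level, exemptions=()):
    """Return {cid: status} with status in pass / fail / accepted-risk / out-of-scope."""
    accepted = {e.cid for e in exemptions}
    report = {}
    for c in baseline:
        if c.level > target_level:
            report[c.cid] = "out-of-scope"          # not yet adopted at this level
        elif device.get(c.setting) == c.expected:   # a missing setting never passes
            report[c.cid] = "pass"
        elif c.cid in accepted:
            report[c.cid] = "accepted-risk"         # documented, but still a gap
        else:
            report[c.cid] = "fail"
    return report

def is_certified(report):
    """Certified only when every in-scope control passes outright; an accepted-risk
    exemption keeps the device in production but uncertifies the baseline."""
    return all(s in ("pass", "out-of-scope") for s in report.values())

# Constructed device snapshot, as a compliance export might report it
DEVICE = {
    "password_min_length": 14,
    "smb1_enabled": True,          # a legacy application still depends on SMB1
    "bitlocker_enabled": True,
    "legacy_auth_allowed": True,
    "local_admin_accounts": 2,
}
```

Raising `target_level` to 2 on the same snapshot surfaces the two Level-2 failures that would drive the remediation work before that level is adopted.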
What's the biggest misconception or pitfall that IT teams have when it comes to endpoint/desktop security?
One of the biggest misconceptions that IT teams encounter regarding endpoint security is the assumption that traditional security measures, such as antivirus software and firewalls, are sufficient to protect against modern threats. Significant investments have been made in perimeter defenses, and processes were defined to operate behind this protection.
Effectively operating in a bubble, organizations experienced a lack of role-based access control, an over-use of privileged accounts, and a failure to remediate known vulnerabilities across enterprise systems. Breaking the barriers of an on-premises organization to allow a hybrid workforce and datacenter not only enhanced the exposure of these vulnerabilities, but also required a significant effort to remediate these deficiencies in a compressed timeframe, effort that would be better utilized during this stage implementing advanced protections of endpoints and corporate data.
Many modern cyber insurance policies have evolved to address the complexity and sophistication of current cyber threats, and they often require insured entities to demonstrate that they have implemented a broad range of cybersecurity practices beyond just basic antivirus and firewall protection, including behavioral monitoring and patch and vulnerability management. Organizations that fail to meet these requirements may be faced with exponentially increasing deductibles or even an ineligibility to claim.
Given the rapid changes we're seeing in the industry today, especially around AI, how do you see endpoint security strategies changing to adapt to them?
Rapid advancements in AI are reshaping virtually all aspects of technology, and security is no different. Threat protection services are already offering AI-driven security tools that provide predictive and behavioural analytics, while also helping to automate patch management and policy enforcement.
As this new technology continues to proliferate through the cybersecurity landscape, endpoint security strategies must evolve to leverage its strengths while mitigating AI risks. This involves not only implementing new technologies, but also addressing the broader impacts on security architecture, policies and governance. The goal is to create a dynamic, intelligent security environment that can anticipate threats, adapt to changes, and protect endpoints against the increasingly sophisticated attacks towards connected enterprises.