Moving from an E3 to an E5 license for Microsoft 365 (M365) services can be an expensive proposition, both in time and money. This piece outlines the key decision points organizations
should consider when evaluating M365 licensing options (vs. third-party security platforms) for email hygiene, endpoint protection and eDiscovery/compliance.
Microsoft frames the E5 license either as a way to get the increased security benefits of using Microsoft-provided security monitoring and response services, or to gain additional business and data analytics services such as Power BI, Teams Phone System
PBX capabilities or compliance tools for eDiscovery, audit and data retention.
From a purely security perspective, however, the cost to upgrade to E5 should be assessed against both the potential cost savings realized by eliminating third-party email hygiene or endpoint detection and response (EDR) platforms and the need for increased
M365 security training when moving away from third-party security tools and to an all-Microsoft setup.
Microsoft says the upgrade from E3 to E5 represents a list price increase of 75 percent. For M365 customers with thousands of users, this can be a significant cost that requires reallocation of resources across IT. It’s not uncommon that the security
team is tasked with eliminating third-party security tools to help recover the costs and apply those dollars toward the E5 license costs.
While Microsoft has significantly improved the security services available as part of the E5 license, there may still be real benefits to using third-party-provided services for your particular organization.
In the case of email hygiene, incumbent platforms have more granular controls. They can also provide a separation-of-duties of sorts that you may not have with Microsoft-native tools.
For example, consider the case of an attacker using a combination of a browser exploit and an MFA bypass attack to compromise an Exchange administrator account. The attacker then uses those admin privileges to disable key email hygiene functions for high-value
executive users, and then proceeds to run targeted spear-phishing attacks against those executives. Such an attack would likely be more difficult to coordinate with a diverse email hygiene supply chain (because it would require multiple sets of credentials
Another perspective to consider, though, is the fact that Exchange Online Protection (EOP) does a much better job of reducing the risk of email-delivered ransomware for intra-company attacks. For example, if one user is compromised with a ransomware dropper,
and the attacker uses that compromised email account as a distribution point for the ransomware executables, third-party email hygiene products would not be able to look as closely at that attack situation as would the native M365 Office Defender
and EOP controls in an E5 licensing scenario. In cases where companies are using an email hygiene platform that only scans inbound emails from third parties, that email scan would not catch an internal ransomware delivery attempt.
The Microsoft Defender for Endpoint (MDE) platform has gone through a significant transformation over the last 24 months, with feature improvements and capabilities enhancements that in some cases exceed those of competitors (at least for fully updated
Windows 10 endpoints). However, organizations with diverse endpoints (Mac, Linux, etc.) will see less value and greater operational burdens.
A justifiable situation for leveraging an E5 license is one where the organization has a fully modernized endpoint fleet, uses Microsoft Endpoint Manager as the configuration management platform and updates all systems within three weeks of release of
If third-party tools are used for configuration management and a full-featured EDR is in place across a highly diverse set of endpoints, the value of MDE is very difficult to realize.
In addition to email and endpoint security, organizations often have significant investments in the eDiscovery realm that could potentially be redirected toward paying the cost of an E5 license. However, at the time of this writing, Microsoft’s
compliance solutions are more focused on organizations with fewer than 10,000 users.
An enterprise with under 10,000 users could conceivably rely on the E5 license to replace the costs of another compliance platform, but it will be important to make that changeover after a full evaluation of Microsoft’s capabilities.
Relying on security tools provided via Microsoft’s E5 M365 licensing can provide an acceptable level of cybersecurity risk management for some organizations. Before that decision is made, however, security teams should perform a thorough risk analysis
of the Microsoft services and capabilities versus third-party-provided services. Important areas to focus on include:
May 19, 2022
By IANS Faculty