Why Should You Care About Incident Response for Your Microsoft 365 Solutions

Vanessa Tois · 24:05 · 2024

cloud · incident-response

Vanessa Tois, a Microsoft 365 Solutions architect turned data security advocate, delivers a deep dive into why M365 admins belong in incident response planning. She covers the daily reality of ransomware, critical gaps in Microsoft's native data protection, and how today's backup architecture decisions determine tomorrow's recovery success.

What This Talk Covers

Vanessa Tois brings serious practitioner credibility to this talk. As a former M365 Solutions architect who migrated companies to the cloud and now works at Druva (a data protection company), she has seen firsthand how organizations fail at security during cloud migrations. Her central argument: M365 admins are not prepared for their role in incident response, and the consequences are severe.

Key Insights

The talk opens with a gut-punch anecdote - the sound of a ransomware attack is the shaking of an admin's hands clicking the keyboard during an active incident call. This sets the tone for a talk that is grounded in real operational experience.

Several data points stand out. Only 40-60% of M365 tenants have MFA enabled. Adversary-in-the-middle attacks are up 200%. Microsoft's Digital Defense Report shows 99% of attacks attempt to compromise backups. The figure that encryption dropped 33% while attacks quadrupled is easy to misread: a lower encryption rate applied to roughly four times as many attacks still means more encrypted data overall, not less.

The Architecture Argument

Vanessa makes a compelling case against using SSO for backup systems: if a compromised account has SSO access to your backup platform, the attacker can delete your snapshots, and the backups are gone along with the production data. She challenged Druva's own engineering team to eliminate the Global Admin requirement for the backup console, and Druva now supports conditional access policies and IP restrictions for backup platform access, so the backup control plane is not reachable with the same credential that protects the tenant.
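To make the architecture argument concrete, here is an added example (my own, not code from the talk, from Druva or from Microsoft) that builds two Conditional Access policies in the shape Microsoft Graph expects at POST /identity/conditionalAccess/policies, scoped to the backup console only, and runs sign-ins through a deliberately simplified model of how Entra evaluates them. The app ID, group, break-glass account and named-location ID are placeholders, and the IP ranges are constructed from the TEST-NET documentation blocks:

```python
"""Scoping backup-console sign-ins with Conditional Access.

Added example, not Druva's or Microsoft's code. Builds two policies in the
shape Microsoft Graph expects for POST /identity/conditionalAccess/policies
and runs sign-ins through a simplified model of Entra's evaluation. All
identifiers are placeholders; IP ranges are constructed (TEST-NET-2/3).
"""
import ipaddress

BACKUP_APP_ID = "app-backup-console"          # assumed: enterprise app of the backup console
BACKUP_ADMINS_GROUP = "grp-backup-admins"     # assumed: dedicated group, not Global Admin
BREAK_GLASS_USER = "breakglass@contoso.example"
TRUSTED_LOCATION_ID = "loc-admin-egress"      # assumed: named location for admin egress IPs
NAMED_LOCATIONS = {TRUSTED_LOCATION_ID: [ipaddress.ip_network("203.0.113.0/24")]}


def backup_console_policies():
    """Two policies scoped to the backup console only; the rest of the tenant is untouched."""
    scope = {
        "applications": {"includeApplications": [BACKUP_APP_ID]},
        "users": {"includeGroups": [BACKUP_ADMINS_GROUP],
                  "excludeUsers": [BREAK_GLASS_USER]},   # break-glass stays out of CA
    }
    block_untrusted = {
        "displayName": "Backup console: block outside admin egress IPs",
        "state": "enabled",
        "conditions": {**scope, "locations": {"includeLocations": ["All"],
                                              "excludeLocations": [TRUSTED_LOCATION_ID]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    require_mfa = {
        "displayName": "Backup console: always require MFA",
        "state": "enabled",
        "conditions": {**scope, "locations": {"includeLocations": ["All"],
                                              "excludeLocations": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    return [block_untrusted, require_mfa]


def _in_location(loc_id, addr):
    return loc_id == "All" or any(addr in net for net in NAMED_LOCATIONS.get(loc_id, []))


def _location_applies(loc_cond, ip):
    addr = ipaddress.ip_address(ip)
    included = any(_in_location(l, addr) for l in loc_cond.get("includeLocations", ["All"]))
    excluded = any(_in_location(l, addr) for l in loc_cond.get("excludeLocations", []))
    return included and not excluded


def evaluate(policies, user, groups, app, ip, mfa_done):
    """Simplified CA evaluation: the first applicable policy whose grant control
    is not satisfied decides the outcome. Returns (outcome, policy_name)."""
    for p in policies:
        if p["state"] != "enabled":
            continue
        c = p["conditions"]
        if app not in c["applications"]["includeApplications"]:
            continue
        u = c["users"]
        if user in u.get("excludeUsers", []):
            continue
        if not (user in u.get("includeUsers", []) or set(groups) & set(u.get("includeGroups", []))):
            continue
        if not _location_applies(c["locations"], ip):
            continue
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls:
            return ("block", p["displayName"])
        if "mfa" in controls and not mfa_done:
            return ("mfa_required", p["displayName"])
    return ("allow", None)


if __name__ == "__main__":
    policies = backup_console_policies()
    admin, grp = "alice@contoso.example", [BACKUP_ADMINS_GROUP]
    # Admin at the office, MFA done: allowed.
    print(evaluate(policies, admin, grp, BACKUP_APP_ID, "203.0.113.10", True))
    # Same account's session replayed by an AitM attacker from elsewhere: blocked
    # by the location policy even though the stolen session carries an MFA claim.
    print(evaluate(policies, admin, grp, BACKUP_APP_ID, "198.51.100.7", True))
    # Same attacker against a different app: neither backup policy is in scope
    # (only the two backup policies are modelled here, not the tenant's own).
    print(evaluate(policies, admin, grp, "app-office-365", "198.51.100.7", True))
```

The point of the second scenario is the one the talk makes: an adversary-in-the-middle proxy hands the attacker a session that already satisfies MFA, so the control that actually keeps them off the backup console is the named-location restriction, which is why the backup platform needs its own policy scope rather than inheriting whatever the tenant's SSO grants. The break-glass exclusion is standard practice but it means that account must be protected by other means.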

The concept of Unusual Data Activity (UDA) is the technical highlight. Just as you would notice if someone broke their daily routine at home, deviations in file metadata - size, modification patterns, encryption status - are detection signals. They depend on a baseline built from successive snapshots, which a backup platform has and M365 natively does not: the service holds only the current state of each file, a single point-in-time view, so it cannot compute that baseline itself.
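As an added example (my own code, not Druva's UDA implementation), the following diffs two point-in-time snapshots of file metadata and raises the signals the talk describes: change volume far above the daily baseline, files whose content became high-entropy after modification, and bulk renames to a new extension. The snapshots, thresholds and the ".locked" suffix are constructed for illustration; real ransomware families use many suffixes, and a production detector would learn the baseline per tenant rather than hard-code 2%:

```python
"""Unusual Data Activity (UDA) over successive backup snapshots.

Added example, not Druva's code: diff two point-in-time captures of file
metadata and look for the pattern an encryptor leaves behind. The snapshots
and thresholds below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, replace

BASELINE_DAILY_CHANGE_RATE = 0.02   # assumed: ~2% of files change on a normal day
VOLUME_MULTIPLIER = 10              # flag when the change rate is 10x the baseline
HIGH_ENTROPY = 7.5                  # bits/byte; encrypted content sits near 8.0
MIN_RENAMES = 3                     # bulk extension change threshold


@dataclass(frozen=True)
class FileMeta:
    path: str
    size: int
    mtime: int      # epoch seconds
    entropy: float  # Shannon entropy of a content sample, 0..8 bits/byte


def ext(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def diff_snapshots(previous, current):
    """Return (modified pairs, deleted, added). A deleted 'a.docx' paired with an
    added 'a.docx.<suffix>' is treated as one rename-and-rewrite, the usual trace
    of ransomware, rather than as an unrelated delete plus create."""
    prev = {f.path: f for f in previous}
    cur = {f.path: f for f in current}
    modified = [(prev[p], cur[p]) for p in sorted(prev.keys() & cur.keys()) if prev[p] != cur[p]]
    deleted = {p: prev[p] for p in prev.keys() - cur.keys()}
    added = {p: cur[p] for p in cur.keys() - prev.keys()}
    for new_path in sorted(added):
        for old_path in sorted(deleted):
            if new_path.startswith(old_path + "."):
                modified.append((deleted.pop(old_path), added.pop(new_path)))
                break
    return modified, list(deleted.values()), list(added.values())


def analyze(previous, current):
    """Score one snapshot against the previous one; two or more signals is a UDA verdict."""
    modified, deleted, added = diff_snapshots(previous, current)
    change_rate = (len(modified) + len(deleted) + len(added)) / max(len(previous), 1)
    entropy_jumps = sum(1 for old, new in modified if old.entropy < HIGH_ENTROPY <= new.entropy)
    ext_changes = Counter(ext(new.path) for old, new in modified if ext(old.path) != ext(new.path))
    signals = []
    if change_rate > VOLUME_MULTIPLIER * BASELINE_DAILY_CHANGE_RATE:
        signals.append(f"change rate {change_rate:.0%} vs {BASELINE_DAILY_CHANGE_RATE:.0%} baseline")
    if modified and entropy_jumps / len(modified) >= 0.5:
        signals.append(f"{entropy_jumps}/{len(modified)} modified files became high-entropy")
    if ext_changes and ext_changes.most_common(1)[0][1] >= MIN_RENAMES:
        new_ext, n = ext_changes.most_common(1)[0]
        signals.append(f"{n} files renamed to .{new_ext}")
    return {"change_rate": change_rate, "entropy_jumps": entropy_jumps,
            "extension_changes": dict(ext_changes), "signals": signals,
            "verdict": "UDA" if len(signals) >= 2 else "normal"}


# Constructed sample: 20 office documents as captured on day 0.
DAY0 = [FileMeta(f"Finance/report_{i:02d}.docx", 40_000 + 100 * i, 0, 4.5 + (i % 5) / 10)
        for i in range(20)]

# Normal day: one document edited, one new spreadsheet.
NORMAL_DAY = ([replace(f, size=f.size + 200, mtime=86_400) if f.path.endswith("_03.docx") else f
               for f in DAY0]
              + [FileMeta("Finance/q3_budget.xlsx", 18_000, 86_400, 4.7)])

# Attack day: 18 documents rewritten as high-entropy '.locked' files plus a ransom note.
ATTACK_DAY = (DAY0[:2]
              + [FileMeta(f.path + ".locked", f.size + 16, 172_800, 7.9) for f in DAY0[2:]]
              + [FileMeta("Finance/README_RESTORE.txt", 1_200, 172_800, 4.4)])


if __name__ == "__main__":
    for label, snapshot in (("normal day", NORMAL_DAY), ("attack day", ATTACK_DAY)):
        result = analyze(DAY0, snapshot)
        print(f"{label}: {result['verdict']} {result['signals']}")
```

Nothing here needs content from the files themselves beyond a sampled entropy value, which is why a backup platform can compute it at ingest time; what it does need is the previous snapshot to diff against, which is exactly the history a single live view of the tenant lacks. The same diff also tells the restore team which snapshot is the last clean one.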

Who Should Watch

M365 administrators, cloud security architects, and anyone involved in backup and disaster recovery planning. Also valuable for IR teams who need to understand what M365-specific data they should be collecting before an incident occurs.

Notable Moments

The story about a company that lost its building lease because the only recoverable copy of its encrypted files was a week old, and nobody could remember the contract changes made since, is a perfect illustration of time-sensitive versus sensitive data. The cyber insurance angle, with insurers requiring proof that recovered data is clean, adds a compliance dimension most talks miss.