Mar 25, 2026
The Hidden Work
No one outside of a military base can comply with all the STIGs, because there are specific things related to military bases in there. It is, however, so in depth that it can show some holes that other security audits have missed throughout the years. And once we got our results, we got to work fixing as many issues as we could, behind the scenes.
First off, we decided to come up with a new set of security baselines for all our clients, not just this one. Each MSP is free to decide how much security it wants to enforce for a client, and most of the time the clients have very little understanding of what that requires. Because we use the Microsoft SMB Platform exclusively, we have some tools at our disposal that most MSPs don’t necessarily have. Our clients’ data is primarily stored in SharePoint and Exchange, so we can enforce retention policies for them through Purview, which ensures that needed information is kept for regulatory compliance.
We can also enforce Attack Surface Reduction policies on devices, only allowing programs to interact with system services as needed and expected. We use Microsoft Defender and Microsoft Intune for this. The result is that processes like Microsoft Office can’t launch other programs, system tools like Java can’t be impersonated, and ransomware executables are blocked before they can run.
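As an added example (not code from this post or from the MSP’s Intune configuration), the PowerShell below stages two of the ASR rules just described on a single test device: audit first, check the log, then enforce. It assumes Microsoft Defender Antivirus is the active antivirus and the session is elevated.

```powershell
# Added example, not from the original post. Stages two ASR rules locally
# for testing; production deployment is done through Intune as the post says.
# Assumes Defender Antivirus is active and PowerShell is running elevated.

# Rule GUIDs as documented by Microsoft for these two rules.
$Ids = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',  # Block all Office applications from creating child processes
    'c1db55ab-c21a-4637-bb3f-a12568109d35'   # Use advanced protection against ransomware
)

# 1. Audit mode first: hits are logged but nothing is blocked, so a
#    line-of-business add-in that spawns a helper process shows up in the
#    log instead of breaking for the user. One action per rule ID.
Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                 -AttackSurfaceReductionRules_Actions AuditMode, AuditMode

# 2. Verify what the device now holds. Ids and Actions are parallel arrays:
#    0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 3. After a soak period, review what audit mode recorded. Defender writes
#    ASR hits to its Operational log: event 1122 = audited, 1121 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Once the audit log shows only hits you are happy to block, switch the
#    same rules to enforcement.
Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                 -AttackSurfaceReductionRules_Actions Enabled, Enabled
```

On an Intune-managed device the MDM policy wins over these local settings, so run this on an unmanaged test machine or expect the values to be overwritten at the next policy sync.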
We are also in the process of deploying 802.1x and WPA3-Enterprise authentication across the board for all devices that connect to the network. We are still testing this internally, but feel like it can be a game changer, pushing anonymous devices to a guest VLAN while awaiting authentication to get into the Private VLAN. We start with Microsoft NPS for RADIUS and then utilize the authentication options in HP’s Instant On devices. This eliminates one of the biggest issues with WPA-Personal, sharing the password with guests.
We’re also leveraging Microsoft EDR with Lighthouse, Defender, and Intune to ensure that we’re notified as soon as possible if one of our clients has an issue. We’re enforcing disk encryption across all devices, not just laptops and mobile devices. We’re developing application controls to specify what programs are allowed on the devices. And once this is all done, we’ll turn on compliance rules to disallow access to resources if anything is awry with the setup. Finally, we’re going to be sending all of this into Microsoft’s SIEM platform along with server logs and anything else we can get access to.
In a recent meeting with our client, he asked, “How much will all of this cost me?” I replied, “It’s all included.” That answer surprised him. He could tell that we were putting a lot of time and effort into all these things, but until it was all laid out in front of him, he never realized to what extent we were working in the background to ensure his data’s safety and compliance. And the fact that a single $22 per month subscription from Microsoft can do all of this is just amazing. Most MSPs use several products that are loosely tied together, if at all, to provide similar protection at a much higher cost.
-Nate