Microsoft Defender for Office 365 vs Mimecast: Evaluate and migrate

Email is the primary attack vector for most cyber attacks so, as a result, deploying a comprehensive, best-in-breed email protection solution remains one of the very first (and most critical) security investments organisations make.

Considering its importance, it’s vital you have the best tools for the job – but changing email protection solutions can seem like a really big deal.

I can understand the reluctance to change:

• Don’t all vendors offer pretty much the same thing? With so many solutions offering seemingly similar capabilities.
• Migrations to alternate solutions feel too risky, all-encompassing and insurmountable.
• And lastly, there’s no easy way to ‘try before you buy’ when considering a switch.

This blog will dispel the most common questions and challenges I typically see when it comes to choosing a new email protection tool.

I’ll outline the key advantages of Microsoft Defender for Office 365 compared with Mimecast (and other vendors). I’ll also show you a new method to test and evaluate a potential switch, and explain how to migrate in a way that causes minimal disruption to your organisation.

Microsoft Defender for Office 365 vs Mimecast

At a high level, Mimecast’s Secure Email Gateway and Microsoft Defender for Office 365 may seem similar. Both offer the protection features you would expect: Anti-phishing, Anti-malware, Anti-spam, URL and attachment protection and so forth.

It’s only when you look beyond the headline features that you begin to realise the additional capability and value Defender for Office 365 delivers over its competitors.

There are some unique threat protection advantages that shouldn’t be ignored when it comes to integration between Office 365 and Microsoft Defender.

For example, there are no additional infrastructure components or connectors to configure, protection for URLs within Word, Excel and PowerPoint are natively integrated into the application, and protection of internal mail requires no additional complex journaling to achieve.

These are capabilities no third party vendor can provide currently.

Here’s a useful list of Defender for Office 365 key features and advantages you don’t get with Mimecast (or other email protection tools):

Email protection features unique to Defender for Office 365

• Native time-of-click URL protection integration in Word, Excel, PowerPoint and Office Online.
• Native hover-over experience shows original URLs for wrapped links.
• Native URL protection for internal email, on all licences (with no journaling set-up or product add-ons).
• Enhanced spoof protection beyond DMARC checks.
• Malware protection for files in SharePoint, OneDrive and Microsoft Teams.
• Compromise detection and response, based on anomalous patterns and Office 365 activities.
• Powerful and feature-rich Attack Simulator with integrated training modules.
• Built-in Best Practice Configuration Analyzer.

Microsoft cross-platform integration advantages

• Integrated admin portals between endpoint, identity and application protection tools.
• Native alert correlation and incident creation across endpoint, identity, email and application.
• One-click integration with Azure Sentinel Cloud SIEM.
• No additional infrastructure components or deployments required (assuming you already have M365).

Whilst these features are impressive, they are not the only advantages. To understand the greater value provided by Defender for Office 365 it’s vital to look beyond email protection in isolation and understand the part it plays in the wider Microsoft 365 Defender platform.

Holistic security advantages

With the current threat landscape necessitating a shift in thinking toward a “Zero Trust” mindset and “assume breach” security posture, Kocho is increasingly seeing organisations coming up against the limitations and integration challenges posed by security strategies with multi-vendor point solutions.

With Microsoft Defender for Office 365, not only do you have a cutting-edge standalone solution, but you also have a key component of Microsoft 365 Defender, the unified pre- and post-breach enterprise defence suite from Microsoft.

With the complete Microsoft 365 Defender suite, your organisation can natively coordinate detection, prevention, investigation, and response across all endpoints, identities, email, and applications – providing integrated protection against sophisticated attacks all from within a single common interface.

By automatically analysing and correlating signals across endpoints, email, applications and identity, Microsoft 365 Defender automatically creates incidents based on multi-platform signals, automating the manual “joining of the dot” type activities that consume valuable analyst time in poorly integrated multi-vendor environments.

This cross-product integration facilitates huge increases in response and remediation capability, as well as the operational efficiency of your security teams. As the integration is native to the platform, configuration requires little effort to allow you to realise an almost immediate return on investment.

Leverage threat intelligence on a never-before-seen scale

Up until a few years ago, this was perhaps a more difficult case to argue. The initial feature set offered by Office 365 Advanced Threat Protection (as it was named at the time) struggled to compete against the established and dominant vendors (such as Mimecast) in the email protection space.

This situation has changed dramatically over the last few years. Microsoft has annually invested over $1 billion in security R&D and continued to leverage its unique market position, scale and native integration capabilities.

When we talk about scale the numbers are truly astronomical, with over 470 billion emails analysed per month and 8 trillion threat signals a day. In 2019, Microsoft protected more mailboxes with Defender for Office 365 than ALL of their competitors combined (and more than three times that of their nearest competitor).

This volume and scale allows Microsoft to have an unparalleled view of global email traffic, which they then leverage using their advanced machine learning (ML) and artificial intelligence (AI) models to provide industry-leading protection to their clients.

The constant innovation and enhancement across all Microsoft security products shows no signs of slowing, and with a team of over 3,500 cyber security engineers, this capability already exceeds the total revenue and headcount of many of their competitors. So, Microsoft has the scale and innovation but how does that translate to protection?

How can I evaluate email security tools before I switch?

Historically, accurate evaluation of email protection solutions has been difficult to perform – for a test to be truly effective there is no substitute for real email traffic from real senders sent to real recipients.

As organisations are understandably reluctant to risk changing their email routing and protection platform to support an evaluation, vendors have resorted to using journaling or PST ingestion-based evaluations.

Evaluations of this nature bypass key indicators and detection components of mail protection solutions and provide an inaccurate picture of capability which often leads to an organisation’s evaluation and production deployment experience being significantly different.

To facilitate an accurate evaluation based on real email data, Microsoft has recently released “Evaluation Mode” – a new 30-day evaluation capability for Microsoft Defender for Office 365 into Public Preview.

This unique capability doesn’t require any MX record configuration changes to email routing, yet still allows Microsoft Defender for Office 365 to accurately filter email by preserving IP address and sender information, which are ordinarily lost when email passes through an upstream email security solution such as Mimecast.

Once configured, Evaluation Mode provides administrators with reports highlighting messages that would have been blocked if Microsoft Defender for Office 365 policies were implemented. As no action will be taken on email analysed by Defender for Office 365 in evaluation mode, there is no risk of end-user impact.

It’s a nifty little tool that’s well worth a look.

How to migrate from Mimecast to Microsoft Defender for Office 365

At Kocho, we have a tried and tested, collaborative approach to Microsoft Defender for Office 365 migrations. Typically, the process of migration would involve an organisation and all key stakeholders working through a phased approach.

Here’s a very high-level outline of the phases and typical activities involved in a migration.

Conclusion

The Microsoft Defender for Office 365 (and wider security offering) has come on leaps and bounds in the last two years to a point where it can truly offer you the ‘best-in-breed’ product for email protection, whilst still integrating perfectly into a holistic cloud-native security strategy.

If you’re interested in trialling Microsoft Defender for Office 365 then speak to us. We have experience in migrating protection of many thousands of client mailboxes from Mimecast (and other email protection solutions) to Defender for Office 365 and we understand that migration to a new platform can be a daunting prospect.

Engaging Kocho to assist your organisation with a Mimecast migration reduces your risk and ensures your Microsoft Defender for Office 365 implementation provides the highest levels of protection and ROI.

Key takeaways