Managed Security Services

Harrby reviews the current security posture, covering identity, endpoint protection maturity, email security configuration, cloud security posture, existing tooling, alert volumes, response capability, and Essential Eight maturity. Gaps, risks, and critical exposures are documented.

Harrby defines the security operating model, covering detection scope, alert triage process, response playbooks, escalation paths, identity protection design, endpoint security policy, and integration between Microsoft Defender products and Sentinel where applicable.

Harrby implements and tunes security controls, configures and validates Defender policies, establishes identity protection rules, hardens email security, documents response playbooks, and transitions the environment to a monitored baseline.

Harrby provides ongoing alert monitoring, triage, and response. Identity risk reviews, endpoint security oversight, threat intelligence integration, incident management, and structured security reporting with defined response times and escalation paths for incidents of varying severity.

Harrby conducts regular security posture reviews, assesses the threat landscape and Microsoft release waves, tunes policy, and drives Essential Eight maturity progression aligned to the organisation's risk profile.

Microsoft Defender is enabled, alerts are being generated, and nobody is systematically reviewing them. The security stack exists but provides no active coverage.

A compromised account, a phishing campaign that got through, a ransomware attempt, or a notifiable data breach. Incidents reveal gaps that were previously invisible — and the most common response is to prevent a second one.

Insurers and auditors are asking harder questions about security posture, detection capability, and incident response readiness. The answers need to be backed by an operating model, not just a tooling list.

Stale accounts, unreviewed guest access, administrative privilege creep, MFA gaps, and weak conditional access coverage are among the most common attack vectors in Microsoft environments. Identity security requires active management.

Security operations require dedicated attention. An IT team that is also managing endpoints, supporting users, and handling service requests cannot give security alerts the consistent, timely triage they require.

Notifiable data breach obligations, Essential Eight reporting requirements, government panel supplier standards, or sector-specific regulatory requirements are creating accountability that needs an operational security model to support.

Leadership is asking for evidence of security posture, incident response capability, and compliance alignment — not just reassurance. A managed security service provides reporting, metrics, and documented processes that support that assurance.

Azure workloads, Microsoft 365 data, and identity-based access models are expanding the attack surface beyond what traditional perimeter security was designed to protect.

Identity, endpoints, email, cloud posture, and collaboration security operated as a connected security model.

Defender for Endpoint, Defender for Identity, Defender for Office 365, Entra ID Protection, and Sentinel integrated into one operational service.

All eight ASD Essential Eight mitigation strategies tracked, mapped, and progressively improved as part of the managed security service.

Alert monitoring, triage, response, posture review, and improvement, operating continuously.

Identity is the most commonly exploited attack vector in Microsoft environments. Harrby applies identity risk policies, reviews risky sign-ins, manages conditional access coverage, and ensures MFA is enforced consistently — so compromised credentials are detected and contained faster.

Alerts from Defender for Endpoint, Defender for Identity, Defender for Office 365, and Sentinel are reviewed and correlated — giving a more complete picture of security events across identity, endpoints, email, and cloud.

Defined playbooks, documented escalation paths, and clear responsibilities mean incidents are handled consistently rather than improvised. Response time is measured. Actions are recorded. Post-incident review happens.

Security baselines, endpoint hardening, email security tuning, identity protection rules, and cloud security posture management reduce the opportunities for attack.

Harrby maps security controls to the Australian Government's Essential Eight framework and tracks maturity progression over time — providing the documentation and evidence needed for assessments, audits, and reporting.

Regular reporting on security posture, incident activity, identity risk trends, and maturity progress gives boards, executives, and risk committees the visibility they need without requiring technical interpretation.

Entra ID Protection risk policy management, risky user and sign-in review, MFA enforcement oversight, conditional access architecture review, privileged identity management, and stale identity remediation. Managed actively and continuously.

Endpoint security policy management, threat and vulnerability management oversight, EDR alert triage, incident investigation support, and attack surface reduction rule management via Microsoft Defender for Endpoint. Alerts are reviewed, triaged, and actioned.

Anti-phishing, anti-malware, safe links, safe attachments, impersonation protection, and email security configuration management via Defender for Office 365. Email is the primary attack delivery channel. Harrby treats it that way.

Microsoft Defender for Cloud posture management, secure score tracking, misconfiguration identification, and cloud workload protection alignment for Azure environments where in scope. Cloud adoption without cloud security visibility is a compounding risk.

Sentinel workspace management, analytics rule management, incident triage, watchlist maintenance, and integration with Microsoft Defender data connectors where Sentinel is included in scope. Sentinel provides cross-product correlation across the Microsoft security stack.

Microsoft security baseline implementation and maintenance across Microsoft 365, Intune, and Azure. Configuration hardening aligned to CIS benchmarks, Microsoft best practices, and Essential Eight technical controls. A hardened baseline is cheaper than remediating a breach.

Control mapping across all eight mitigation strategies, maturity level tracking, gap identification, and improvement roadmap support. Documentation suitable for assessment, audit, and reporting purposes.

Monthly security posture reporting, incident summaries, identity risk trends, maturity progress, and security change records. Reporting designed for both technical teams and non-technical leadership.

Commonwealth and State agencies, local government, and government-adjacent organisations where Essential Eight maturity, PROTECTED data handling, ISM alignment, and supplier security standards create specific and accountable security obligations.

Law firms, accounting practices, financial advisers, and consulting businesses handling sensitive client information — where a data breach carries both regulatory consequences and severe reputational damage.

Healthcare providers, aged care organisations, and community services where My Health Record obligations, patient data handling requirements, and sector-specific privacy frameworks demand active security management.

Superannuation funds, mortgage brokers, insurance providers, and financial planning businesses operating under APRA CPS 234 and ASIC cyber obligations — where security posture is increasingly a regulatory accountability.

Universities, TAFEs, and schools managing large identity estates, student data, research IP, and federated access — environments targeted specifically because of their combination of valuable data and historically lower security maturity.

Growing businesses where cyber risk is a board-level concern and a managed service provides specialist coverage without requiring a full internal security operations function.

Essential Eight uplift for a government-adjacent organisation

A state government service delivery organisation needed to demonstrate Essential Eight maturity Level 2 compliance for a government panel tender. An internal review had identified significant gaps across patch management, MFA coverage, administrative privilege controls, and application control. The IT team had the Microsoft tooling in place but lacked the operational security depth to drive the uplift and produce defensible documentation.

Harrby conducted a structured Essential Eight gap assessment against the current Microsoft 365, Intune, and Azure environment. A remediation roadmap was agreed against each of the eight strategies. Controls were implemented — including MFA enforcement, privileged identity management, application control through Intune, and patch policy hardening — then documented and established as ongoing maturity tracking under the managed security service.

The organisation achieved Level 2 maturity across all eight strategies within the required timeframe, successfully qualified for the government panel, and retained Harrby to maintain and improve posture on an ongoing basis.

Incident response and post-incident managed security

A mid-market professional services firm experienced a business email compromise incident. An executive account was used to send fraudulent payment redirection emails to clients. The incident was detected by a client, not by the firm's internal IT team. No security monitoring was in place for identity risk events, and no incident response process existed.

Harrby was engaged for incident containment — revoking active sessions, securing the compromised account, auditing other identities for similar exposure, reviewing email forwarding rules and delegations, and implementing emergency conditional access controls. Following containment, Harrby conducted a post-incident review presented to the board. The firm then engaged Harrby for ongoing managed security covering identity protection, email security, endpoint security, and monthly reporting.

The incident was contained within hours of Harrby engagement. Three additional high-risk accounts with similar exposure were identified and remediated before exploitation.

Co-managed security for an internal IT team

A 500-person enterprise had an internal IT team managing infrastructure, endpoints, and service desk. The team had Microsoft Defender deployed across endpoints and Microsoft 365 but no dedicated security operations capability — alerts were reviewed sporadically, and nobody owned the response process. The CISO needed to demonstrate to the board that security events were being actively managed.

Harrby established a co-managed security model. Harrby took ownership of daily alert triage across Defender for Endpoint and Defender for Office 365, managed identity risk reviews in Entra ID Protection, and produced monthly security reporting for the CISO. The internal team retained service desk, endpoint lifecycle, and escalation involvement for confirmed incidents. Microsoft Sentinel was introduced to provide cross-product correlation.

Alert review became systematic. Three medium-severity identity incidents were identified and remediated in the first 90 days that would not have been caught under the previous model. The CISO had a monthly report with metrics and trends to present to the board.