
Extension of Microsoft 365 E3 and E5

Upgrade established technology platform to an integrated operating model for IT security with RIEDEL Enterprise Defense [R.E.D.]

Microsoft 365 E3 and E5 are among the most widely used enterprise platforms, but they fulfill different roles in the context of IT security. While E3 creates a solid foundation that primarily controls access and provides basic protection mechanisms, E5 extends this foundation significantly in the direction of threat detection and analysis. Functions such as Identity Protection, Endpoint Detection and Response (EDR) and XDR enable a much deeper view of potential attacks.

Despite these differences, both license models share a common structural characteristic: they are primarily technology platforms, not fully integrated operating models for IT security. Events are detected, risks are assessed, but continuous monitoring, correlation and response to incidents are not automatically part of the overall system.

This is exactly where RIEDEL Enterprise Defense [R.E.D.] comes in. The platform supplements existing Microsoft environments with an operational security layer that combines SIEM, XDR, UEBA and SOAR with a round-the-clock Security Operations Center. This shifts the focus from pure technology to an actively operated security model.

Microsoft E3: Access control without in-depth detection

The standard version of Microsoft E3 focuses on controlling access and enforcing basic security policies. Identities are managed via Entra ID P1, with conditional access and multi-factor authentication defining the conditions under which resources may be accessed. Endpoint protection is available, but remains primarily preventive and does not offer comprehensive EDR functionality. Email security is likewise designed mainly to filter known threats.

This model is suitable for ensuring a basic level of security, but reaches its limits as soon as attacks go beyond the preventive protection mechanisms. It lacks the ability to correlate events across the board, detect behavioral anomalies and respond to security incidents in a structured manner.

The integration of RIEDEL Enterprise Defense [R.E.D.] fundamentally changes this initial situation. By introducing a central SIEM, log data from endpoints, network components, cloud services and applications are brought together and analyzed in context. UEBA supplements this view with a behavioral perspective so that deviations from normal user or system behavior can be detected.

At endpoint level, EDR+ significantly expands detection capabilities. A Wazuh-based XDR agent and Cisco Secure Endpoint together deliver detailed telemetry, advanced threat detection and automated response capabilities. This approach corresponds to established architectures in the MDR environment, but remains transparent in its technical composition.

A key difference lies in the operational side. Security events are no longer simply logged, but are continuously analyzed, prioritized and processed by a Security Operations Center (SOC). Automated responses, controlled by SOAR, ensure that incidents are handled consistently and promptly.
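The chain described in the paragraphs above (SIEM collects events from several sources, UEBA compares them against learned behavior, SOAR turns the result into a standardized response that the SOC reviews) can be illustrated in miniature. The following is an added example written for this page; it is not code from RIEDEL, Wazuh or Cisco, and the event format, the three correlation rules, the thresholds and the action names are all assumptions made for the illustration. It runs on a constructed batch of identity-provider and endpoint-agent events and shows why a sign-in that looks unremarkable in one log becomes a high-severity finding once the sources are correlated.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, as a SIEM would ingest it from an identity
# provider and an endpoint agent. Field names and values are assumptions made
# for this illustration, not the format of any real product.
SAMPLE_EVENTS = [
    # Baseline history: alice and bob normally sign in from DE in office hours.
    {"ts": "2024-05-06T08:05:00", "src": "identity", "user": "alice", "type": "signin", "result": "success", "country": "DE", "host": "WS-ALICE"},
    {"ts": "2024-05-07T08:10:00", "src": "identity", "user": "alice", "type": "signin", "result": "success", "country": "DE", "host": "WS-ALICE"},
    {"ts": "2024-05-08T09:02:00", "src": "identity", "user": "bob",   "type": "signin", "result": "success", "country": "DE", "host": "WS-BOB"},
    # Day under analysis: repeated failures for alice, then a success from an
    # unseen country, then the endpoint agent reports a privilege change.
    {"ts": "2024-05-09T02:10:00", "src": "identity", "user": "alice", "type": "signin", "result": "failure", "country": "XX", "host": "WS-ALICE"},
    {"ts": "2024-05-09T02:10:20", "src": "identity", "user": "alice", "type": "signin", "result": "failure", "country": "XX", "host": "WS-ALICE"},
    {"ts": "2024-05-09T02:10:40", "src": "identity", "user": "alice", "type": "signin", "result": "failure", "country": "XX", "host": "WS-ALICE"},
    {"ts": "2024-05-09T02:11:00", "src": "identity", "user": "alice", "type": "signin", "result": "success", "country": "XX", "host": "WS-ALICE"},
    {"ts": "2024-05-09T02:14:00", "src": "endpoint", "user": "alice", "type": "local_admin_added", "host": "WS-ALICE"},
    # bob: one mistyped password, then a normal sign-in from his usual country.
    {"ts": "2024-05-09T09:00:00", "src": "identity", "user": "bob",   "type": "signin", "result": "failure", "country": "DE", "host": "WS-BOB"},
    {"ts": "2024-05-09T09:00:30", "src": "identity", "user": "bob",   "type": "signin", "result": "success", "country": "DE", "host": "WS-BOB"},
]

# Everything before this point is treated as history for the UEBA baseline.
CUTOFF = datetime(2024, 5, 9)


def ts(event):
    return datetime.fromisoformat(event["ts"])


def build_baseline(events, cutoff):
    """UEBA baseline: the countries each user successfully signed in from before cutoff."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["src"] == "identity" and ev["result"] == "success" and ts(ev) < cutoff:
            baseline[ev["user"]].add(ev["country"])
    return baseline


def severity(signals):
    """More independent signals around one sign-in means higher confidence."""
    return {0: "none", 1: "low", 2: "medium"}.get(len(signals), "high")


def correlate(events, cutoff, fail_threshold=3, window=timedelta(minutes=10)):
    """SIEM-style correlation: evaluate three rules around each successful sign-in."""
    baseline = build_baseline(events, cutoff)
    recent = sorted((e for e in events if ts(e) >= cutoff), key=ts)
    findings = []
    for ev in recent:
        if not (ev["src"] == "identity" and ev["type"] == "signin" and ev["result"] == "success"):
            continue
        t, user, host = ts(ev), ev["user"], ev["host"]
        # Rule 1: a burst of failures for the same user just before the success.
        fails = [e for e in recent
                 if e["src"] == "identity" and e["user"] == user
                 and e["result"] == "failure" and t - window <= ts(e) < t]
        # Rule 2 (UEBA): the sign-in country is not in the user's learned baseline.
        unseen_country = user in baseline and ev["country"] not in baseline[user]
        # Rule 3: the endpoint agent reports a privilege change on that host shortly after.
        followup = [e for e in recent
                    if e["src"] == "endpoint" and e["host"] == host
                    and t <= ts(e) <= t + window]
        signals = []
        if len(fails) >= fail_threshold:
            signals.append("failed_signins_before_success")
        if unseen_country:
            signals.append("signin_from_unseen_country")
        if followup:
            signals.append("privilege_change_on_host")
        if signals:
            findings.append({"user": user, "host": host, "ts": ev["ts"],
                             "signals": signals, "severity": severity(signals)})
    return findings


def playbook(finding):
    """SOAR-style decision table: returns the response steps an orchestrator
    would run and the SOC would review. Action names are assumptions."""
    sev = finding["severity"]
    if sev == "high":
        return ["isolate_host", "revoke_user_sessions", "page_soc_analyst"]
    if sev == "medium":
        return ["require_mfa_reauth", "open_ticket"]
    return ["open_ticket"]


def run_demo(events=SAMPLE_EVENTS, cutoff=CUTOFF):
    """Correlate the sample batch and attach the playbook decision to each finding."""
    return [dict(f, actions=playbook(f)) for f in correlate(events, cutoff)]


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run stand-alone, the script reports exactly one finding: alice's 02:11 sign-in carries all three signals and is rated high, so the playbook returns the containment steps, while bob's single failed attempt from his usual country produces nothing. The point of the design is that none of the three rules is convincing on its own (a few failed logins, an unusual country, a local admin change each happen legitimately); the severity comes from the correlation across identity and endpoint sources, which is what the SIEM and UEBA layer adds on top of the individual products.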

In combination with [R.E.D.], E3 becomes a security architecture that not only has a preventive effect, but also actively detects and responds.

Image: RIEDEL SOC employees at desks in a room with large wall monitors showing world maps, security data and dashboards.

Microsoft E5: Advanced detection without operational anchoring

Microsoft E5 significantly expands the security functions. With Entra ID P2, identity becomes a dynamic risk factor that is continuously evaluated. Functions such as risk-based authentication and privileged identity management increase control over critical access.

At the same time, Defender for Endpoint Plan 2 and Defender for Office 365 Plan 2 provide significantly deeper telemetry and advanced detection mechanisms. Microsoft Defender XDR links these signals together and places them in a common context.

Nevertheless, E5 is still dependent on how effectively this information is used. The platform detects suspicious activity and generates high-quality alerts, but does not automatically ensure that these are analyzed in real time or translated into coordinated action.

RIEDEL Enterprise Defense [R.E.D.] therefore complements E5 not primarily on the detection level, but on the operational side. The SIEM extends visibility beyond the Microsoft ecosystem and integrates additional data sources such as network devices, servers and third-party applications. UEBA strengthens the analysis by correlating behavior patterns across different systems.

SOAR takes over the orchestration of responses and ensures that measures are implemented in a standardized way across systems. While Microsoft already offers automation approaches, [R.E.D.] goes one step further here by coordinating processes across different technologies.

Continuous operation by the SOC is also crucial here. Security events are not only made visible, but are actively evaluated, investigated and, where necessary, escalated or contained. As a result, E5 evolves from a powerful detection platform into a fully operational security solution.

Positioning of RIEDEL Enterprise Defense [R.E.D.] in the Microsoft context

The interaction between Microsoft licenses and [R.E.D.] can best be described as a clear division of tasks. Microsoft provides the technological basis for detection and access control. RIEDEL Enterprise Defense [R.E.D.] ensures that these technologies are continuously monitored, meaningfully correlated and effectively used.

In an E3 environment, this means a fundamental development towards a complete detection and response architecture. In an E5 environment, the added value lies primarily in operationalizing the existing capabilities and extending them beyond the Microsoft world.

Conclusion

Microsoft E3 and E5 both offer powerful security functions within their intended framework. E3 focuses on control and basic protection, while E5 significantly expands detection and analysis. However, both approaches remain incomplete without an operational security layer.

RIEDEL Enterprise Defense [R.E.D.] fills this gap by combining technology with continuous operations. It creates transparency across system boundaries, interprets security events in context and ensures that incidents are responded to in a structured and timely manner.

For organizations with E3, this means a significant maturity gain in the security architecture. For organizations with E5, it ensures that the available options are used consistently and transferred into an effective security operation. In both cases, the result is a more robust, responsive and holistic security strategy.

The relationship between Microsoft licensing and [R.E.D.] can be summarized as follows:

E3 → Security foundation
E5 → Advanced detection platform
[R.E.D.] → Security operations level

This results in two different value propositions:

E3 + [R.E.D.]
transforms a basic security environment into a complete MDR solution.

E5 + [R.E.D.]
adds full operational capabilities and cross-domain visibility to an advanced platform.

Functional comparison E3 & RIEDEL Enterprise Defense [R.E.D.]

[R.E.D.] effectively raises E3 to a level that is comparable to E5 from an operational perspective and even surpasses it in some areas.

Capability               E3 alone     E3 and [R.E.D.]
Endpoint detection       Basic AV     Extended EDR (Wazuh + Cisco)
Identity monitoring      Restricted   SIEM + UEBA correlation
E-mail threat analysis   Basic        SOC-controlled examination
Incident response        Manual       Automated + SOC
Security operations      None         Fully managed

Functional comparison E5 & RIEDEL Enterprise Defense [R.E.D.]

[R.E.D.] does not replace E5, but unlocks its full added value through additional operational capabilities and broader visibility.

Capability          E5 alone              E5 and [R.E.D.]
Detection           Extended (XDR)        Improved (multiple data sources)
Correlation         Microsoft-centered    Entire infrastructure
Response            Partially automated   SOAR + SOC
Operations          Not included          Fully managed
Threat visibility   High                  Comprehensive