This morning, July 9th, 2020, Liam completed and published a document as part of Microsoft 365's community documents. These documents can be found here.
The purpose of the document is to step through the top ten security capabilities and features that should be enabled for every Microsoft 365 tenant.
To view the article, click this link.
Zero Trust is a model that focuses on strict identity verification for any person or device trying to access resources within the corporate network. It does not matter whether the person or device is within the network, sitting at home, or working remotely from anywhere in the world. Zero Trust is not a product that you buy off the shelf and install or configure. It is a mindset that you need to get into by using various technologies and principles.
The most common network security utilized today is summed up in this old phrase, "I am the king of the castle." Most organizations focus on blocking people coming into the network, but users who are already in the network are inherently trusted. In the past, corporate data lived within the local network, in purpose-built server rooms, or even racks of servers located close to the physical locations. The apparent problem with enforcing security this way is that when I am inside the network, I would potentially have access to all the data. Today, however, content is stored locally and in cloud services, which makes it harder to protect. There is no single security control that can protect internal, external, and cloud services alike.
Zero Trust Principles
The philosophy of Zero Trust security assumes that malicious attackers, bad actors, and even hackers are both within and outside the network. With this assumption in mind, no user or device should be automatically trusted. Another fundamental principle of Zero Trust security is least-privilege user access: assigning users only the access they require minimizes each user's exposure to sensitive parts of the network.
Zero Trust requires network segmentation. Dividing the network into smaller micro-segments allows for more granular control and administrative management. Organizations can grant users or devices access to the required segments instead of allowing full access to the entire network. IT administrators can control access to micro-segments much more straightforwardly and be assured that they are better secured.
Another part of Zero Trust is Multi-factor Authentication, which requires more than one piece of authentication evidence during a user authentication process. In addition to the standard password, users who enable two-factor authentication (2FA) either receive a code via text message or use an application designed to validate the authentication request.
The last principle for Zero Trust requires device controls. Of course, this isn't very easy with the Bring-Your-Own-Device (BYOD) methodology. However, there are approaches available, such as "Mobile Application Management," which allows for application protection within a non-trusted device.
Each principle of Zero Trust is about minimizing the ability for users or devices to move throughout the network, which in turn reduces the attack surface.
Microsoft 365 Zero Trust
Organizations can achieve Zero Trust within Microsoft 365 by using the following features:
Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) serves as an endpoint protection platform (EPP) and endpoint detection and response (EDR) technology. In combination with built-in behavioral sensors, machine learning, and security analytics, ATP provides intelligence-driven protection, post-breach detection, investigation, and automatic response capabilities. Organizations can continuously monitor the state of devices and take remedial actions automatically. Windows Defender ATP mitigates breaches by automatically isolating compromised machines and users from additional cloud resource access.
Windows Defender System Guard Runtime Attestation
Windows Defender System Guard not only protects but also maintains the integrity of a system as it boots up as well as during use. Security admins can remotely attest to the security state of a device. The main objective of the Windows Defender System Guard process is to validate that system integrity is not violated.
Azure Active Directory
Azure Active Directory is the central cloud identity and access management platform allowing organizations to manage access to applications and protect user identities within the cloud and on-premises. Azure Active Directory provides the following features:
Conditional access policies are evaluated in real time using these features and enforced for any access request to Azure Active Directory connected applications.
Microsoft Intune can manage mobile devices, PCs, and applications in the organization. Both Microsoft Intune and Azure have management and visibility of device assets and data that is valuable to the organization. Microsoft Intune is responsible for the enrollment, registration, and management of client devices, including mobile devices, laptops, and users' personal or Bring-Your-Own Devices (BYOD).
Intune combines the machine risk level retrieved from Windows Defender ATP with other compliance signals to determine the compliance status of a device. Azure Active Directory leverages the compliance status to block or allow access to corporate or cloud resources.
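The flow just described (an EDR risk level and other signals combine into a compliance status, and a conditional access decision then uses that status together with MFA) can be modelled in a few lines. This is an added illustration, not Microsoft's code: the signal names, risk levels, policy fields and application names are assumptions chosen for the example. The point it makes concrete is that network location is not an input to the decision at all.

```python
from dataclasses import dataclass

# Machine risk levels as an EDR platform might report them, lowest to highest.
# The names and the thresholds below are assumptions made for this illustration.
RISK_ORDER = {"none": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}


@dataclass
class DeviceSignals:
    """Signals an MDM such as Intune would combine into one compliance status."""
    atp_risk_level: str   # machine risk level retrieved from the EDR platform
    managed: bool         # enrolled in and managed by the MDM
    disk_encrypted: bool  # full-disk encryption enabled
    os_patched: bool      # OS at the required update level


@dataclass
class CompliancePolicy:
    """A hypothetical compliance policy as an admin would configure it."""
    max_risk_level: str = "medium"   # risk above this marks the device non-compliant
    require_encryption: bool = True
    require_patched: bool = True


@dataclass
class AccessRequest:
    user: str
    app: str
    device: DeviceSignals
    mfa_completed: bool          # a second factor was presented this session
    on_corporate_network: bool   # carried along, but deliberately never consulted


def device_compliant(device: DeviceSignals, policy: CompliancePolicy) -> bool:
    """Intune-style evaluation: the EDR risk level plus the other signals."""
    if not device.managed:
        return False
    if RISK_ORDER[device.atp_risk_level] > RISK_ORDER[policy.max_risk_level]:
        return False
    if policy.require_encryption and not device.disk_encrypted:
        return False
    if policy.require_patched and not device.os_patched:
        return False
    return True


def evaluate_access(req: AccessRequest, policy: CompliancePolicy,
                    protected_apps: frozenset) -> str:
    """Conditional-access style decision for a protected application.

    Returns "allow", "require_mfa" or "block". A device inside the corporate
    network gets exactly the same treatment as one at home.
    """
    if req.app not in protected_apps:
        return "allow"          # policy is scoped to the protected apps only
    if not device_compliant(req.device, policy):
        return "block"          # non-compliant devices never reach the app
    if not req.mfa_completed:
        return "require_mfa"    # compliant device, but only one factor so far
    return "allow"


if __name__ == "__main__":
    policy = CompliancePolicy()
    protected = frozenset({"SharePoint Online", "Exchange Online"})
    healthy = DeviceSignals("low", managed=True, disk_encrypted=True, os_patched=True)
    risky = DeviceSignals("high", managed=True, disk_encrypted=True, os_patched=True)
    for req in (
        AccessRequest("alice", "SharePoint Online", healthy, True, False),
        AccessRequest("alice", "SharePoint Online", healthy, False, True),
        AccessRequest("bob", "Exchange Online", risky, True, True),
    ):
        print(req.user, req.app, "->", evaluate_access(req, policy, protected))
```

The second request in the demo comes from inside the corporate network on a healthy device and is still challenged for MFA; the third is on the network with MFA done and is still blocked because the device's risk level exceeds the policy threshold.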
What does it mean?
Adopting a Zero Trust mindset is no small task. It requires organizations to adopt new ways of thinking, removing old technology, and preconceived notions of security.
It means that as an organization, you need to adopt the following things:
For Microsoft 365, it means it is time to perform an assessment and review of the current configuration and features, as well as current licensing. It also involves the configuration and deployment of policies that cover all areas of access control, authorization, and device access.
If you need support to validate what you have, what you need, and how to deploy and implement security controls within Microsoft 365, then contact us.
Hopefully, by now you have realized that Microsoft Teams, as a platform, is a lot bigger than either the free "lite" version you may be using or the full-blown paid version provisioned within your organization. Teams as a solution includes a lot of features that most of us will never use. In reality, the most common features used are:
There are, however, much greater capabilities relating to voice calls once your organization includes the Online Phone System (PBX) and starts to assign numbers to conference bridges, devices and users. An area in Teams that is important to me is the ability to define policies to control what happens within any of the core features. Policies can be created for:
However, in this uncertain time, for me, and probably you too, being with my kids full-time made me wonder what technology could help them. Now, the schools where I live all use Google Chromebooks, Google Classroom and a few other ad hoc platforms, and honestly they are not using them at the moment for online / distance learning either. In fact, I am not even sure how they would use them to create a rich online platform for learning. This is where Microsoft Teams Education comes in: a platform built over the top of Office 365 and Teams providing the ability to use all the core features, plus manage classes, assignments, teachers and even after-school clubs.
When creating a Team within the regular Microsoft Teams, you only have a single option, albeit you can set the team to either public or private. However within Microsoft Teams Education you get the following:
This allows you to create a structure of Staff, Class, Learning and Club Teams, where you can then add users into it, as you would a normal team. For example if we select "Class", we get a couple of extra things that we can set.
If you choose to not add Teachers and Students at this point then you can do so later once you are inside the team itself.
Once the team is in place, as the Teacher, you can then perform some basic actions.
To create a Quiz or Assignment, the Teacher navigates into the Team, clicks Assignments, and then create, choosing what to create.
They can then complete the assignment details.
Once the assignment is created and saved, it is listed in the Assignments tab for teachers and students. It is also posted to the General channel as a chat for everyone to see.
When students then log into the Team, they can access the assignment and complete it as needed.
The students can then attach existing files and turn in the assignment.
The Teacher can then review the submitted work and grade it as needed.
As you can see Teams for Education works great for Teachers and Students. There are many more features that can be used as well :-)
This week has been a good week. Liam took the MS-500 Microsoft 365 Security Administration exam and passed, earning him the Microsoft Certification title of "Microsoft 365 Certified: Security Administrator Associate".
Along with this, Liam also found that he has become a "Microsoft Certified Trainer (MCT)".
We can see exciting times ahead :-)
Over the past few years, Microsoft has implemented better Security features into all of its cloud offerings. Microsoft Defender capabilities are now very sophisticated and offer deep inspection into not only cloud services but also on-premises from Windows 10 devices.
The "Microsoft Defender Security Center" is your central entry point to identify potential breach activity, overall security score, and threat analytics.
If you have the required license, you can access the dashboard from here: https://securitycenter.windows.com/dashboard.
Once authenticated, the primary Security operations dashboard loads displaying the following:
Each report allows you to click into further details. For example, clicking on the "Suspicious process injection observed" takes me to all the features needed to investigate further.
Upon clicking further, firstly, you are presented with base details of the overall issue and recommended actions. The actions drop down allows you to drill deeper and see, for example, the "Timeline" of events.
For example, looking deeper into this injection, we can see that an "Anomalous memory allocation" was identified within "PowerShell."
Clicking further into the backdoor reveals the command line used as well as process name, execution time, and process id.
Going back to the specific injection, we can use the "Alert process tree" to see the identified anomalous process.
To get a better view of attacks like this, we can expand the menu item "Automated investigations" and click the first sub menu item.
Clicking into any of the same observed injections will display the "Investigation graph" that identifies any Alerts, Machines, Key findings, Entities, Logs and offers specific Actions.
If we now click on the "Threats found" icon, the "Key findings" are listed.
If we now click on a row, we can then complete the "Approve or Reject" action.
As you can see, the tooling is excellent at traversing an observed anomaly or malicious attack. If we expand the "Threat & Vulnerability Management" menu and click "Dashboard," we get a breakdown of our security posture based on a detailed analysis of the tenant.
You can also see in the bottom table a list of software that either needs patching, is out of date or is vulnerable.
Clicking onto the "Windows 10" row displays further details. If you then click "Open software page," and then click "Update Windows 10", you are presented with a list of the "Exposed machines" and "CVEs" that are addressed by the various patches.
The last thing that is extremely helpful is the "Security recommendations." It provides a simple list of activities for completion that will increase your overall security.
All in all, "Windows Defender ATP" and the other components of the "Microsoft Defender Security Center" are advanced enough to protect all areas of your cloud-connected infrastructure.
I spend most of my time working with organizations who are either considering, migrating, or have already migrated to Azure or Microsoft 365. Most of the conversations that organizations have are related to the cool new features that are available and how the end-users will be empowered to use them. On the flip side, though, I also have many conversations after companies have moved to Office 365, and that conversation is usually around how they can stop access, control sharing, or apply best-practice security capabilities in the service.
One critical area, but not so sexy a topic, is alerting and logging. Honestly, for very few organizations is the first conversation about moving to the cloud "what logging can we get, and I want lots of alerts." It is a boring subject, whether you are still using on-premises, cloud, or hybrid services. No IT or security team enjoys looking at log files or receiving millions of alerts about user activity; however, it is a critical factor in a successful deployment and migration to the cloud.
Will we still be looking at logs in the cloud?
Yes, you will. Everything within the Microsoft 365 cloud platform gets logged and captured. Running within the service itself is the Microsoft telemetry platform, which captures all kinds of information based on different signals. Then you have each application, which logs everything from errors and activities to security issues. On top of that, all of this data is normalized and then made available in various forms, from log tools and web interfaces to the RESTful APIs and Graph endpoints.
Security alerting and the Azure Security Center?
Alerts are the notifications that the Azure Security Center generates when it detects threats on your resources. It prioritizes and lists the alerts along with the information needed for you to investigate the problem quickly. To detect real threats and reduce false positives, the Azure Security Center collects, analyzes, and integrates log data from all Azure resources, the network, and other solutions, such as the firewall and endpoint protection. Azure Security Center analyzes this information, correlating information from multiple sources, to identify threats. If you are using on-premises and hybrid cloud, then the Azure Security Center can monitor those resources.
Security incidents in the Azure Security Center
A security incident is a collection of related alerts, instead of listing each alert individually. The Azure Security Center uses fusion to correlate different alerts and low fidelity signals into security incidents. Using incidents, the Azure Security Center provides you with a single view of an attack campaign and all of the related alerts.
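To make the idea of an incident as "a collection of related alerts" concrete, here is an added example of the kind of correlation that turns individual alerts and weak signals into incidents. It is illustrative code written for this page, not the Azure Security Center's Fusion logic; the alert fields, the grouping rule (same resource, each alert within an hour of the previous one) and the sample alerts are all assumptions and constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Alert:
    id: str
    time: datetime
    resource: str   # the resource the alert was raised on (VM, account, ...)
    title: str
    fidelity: str   # "high" (confident detection) or "low" (weak signal)


DEFAULT_WINDOW = timedelta(hours=1)


def fuse_incidents(alerts: List[Alert], window: timedelta = DEFAULT_WINDOW) -> List[Dict]:
    """Correlate alerts into incidents.

    Alerts on the same resource are chained while each follows the previous one
    within `window`. A chain becomes an incident if it holds a high-fidelity
    alert or at least two alerts of any kind; a lone low-fidelity alert is left
    out, which is the noise reduction the text describes.
    """
    by_resource: Dict[str, List[Alert]] = {}
    for alert in sorted(alerts, key=lambda a: a.time):
        by_resource.setdefault(alert.resource, []).append(alert)

    incidents = []
    for resource, resource_alerts in by_resource.items():
        chain: List[Alert] = []
        for alert in resource_alerts + [None]:   # None flushes the last chain
            if alert is not None and (not chain or alert.time - chain[-1].time <= window):
                chain.append(alert)
                continue
            # chain ended: either a gap larger than the window or no more alerts
            has_high = any(a.fidelity == "high" for a in chain)
            if chain and (len(chain) >= 2 or has_high):
                incidents.append({
                    "resource": resource,
                    "alert_ids": [a.id for a in chain],
                    "start": chain[0].time,
                    "end": chain[-1].time,
                    "severity": "high" if has_high else "medium",
                })
            chain = [alert] if alert is not None else []
    return sorted(incidents, key=lambda i: i["start"])


# Constructed sample alerts for one day; resource names and titles are made up.
_T = datetime(2020, 7, 9)
SAMPLE_ALERTS = [
    Alert("a1", _T.replace(hour=10, minute=0), "vm-web-01", "Failed SSH logon burst", "low"),
    Alert("a2", _T.replace(hour=10, minute=20), "vm-web-01", "New local user created", "low"),
    Alert("a3", _T.replace(hour=10, minute=45), "vm-web-01", "Suspicious process executed", "high"),
    Alert("a4", _T.replace(hour=11, minute=0), "vm-db-02", "Port scan from internal host", "low"),
    Alert("a5", _T.replace(hour=12, minute=0), "vm-app-03", "Malware detected", "high"),
    Alert("a6", _T.replace(hour=15, minute=0), "vm-web-01", "Failed SSH logon burst", "low"),
]


if __name__ == "__main__":
    for inc in fuse_incidents(SAMPLE_ALERTS):
        print(f"{inc['resource']} [{inc['severity']}] {inc['start']:%H:%M}-{inc['end']:%H:%M}: "
              f"{', '.join(inc['alert_ids'])}")
```

On the sample data the three morning alerts on vm-web-01 become a single high-severity incident, the lone malware detection on vm-app-03 is an incident on its own because it is high fidelity, and the two isolated low-fidelity alerts (the port scan and the afternoon logon burst) are dropped rather than surfaced as separate items.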
How can I use the Azure Security Center?
The Azure Security Center is enabled with your Microsoft Azure subscription and accessed from the Azure portal. The Security Center is available in two tiers. The Free tier provides visibility into the security state of your Azure resources, basic security policy, security recommendations, and integration with security products and services from partners. The Standard tier adds advanced threat detection capabilities, including threat intelligence, behavioral analysis, anomaly detection, security incidents, and threat attribution reports.
Want to know how to use the Azure Security Center? We can help, just reach out.
Today Liam Cleary is renewed as a Microsoft Most Valuable Professional (MVP) for "Office Apps and Services" for the 13th year in a row. MVPs are recognized as leaders in their fields and for their work in the technology community. Liam is well known for speaking at conferences, webinars, and content authoring. He has a great passion for helping others be successful with technology. As an author for Pluralsight, Opsgility, and LinkedIn, he spends a lot of his time creating content to help others.
Liam is looking forward to another year in the MVP community and helping others.
A lot of our work is helping organizations to secure either Office 365 or the full Microsoft 365. In all of the work, the most common issue or problem is lack of knowledge of where to start. In fact, during a research project we worked on last year, that was a significant factor in why many organizations had suffered breaches even within Microsoft 365. Microsoft is doing a great job documenting the practical steps for a specific feature, function, or component, but you are often left reading very generic examples that don't quite fit your scenario.
We were asked to help by writing a white-paper that is based around a question-and-answer format. For example, a few common questions we often get are:
Can I be notified of potential user malicious behavior such as mass file downloads?
Can I apply a content security policy to a document no matter where it resides?
How can I ensure that personally identifiable information never leaves the organization?
How can we protect personal devices that connect to Office 365 services?
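The first question above (notification of mass file downloads) is a good case of turning the logging described earlier (audit data exposed through APIs) into an alert. The following is an added example written for this page, not Microsoft's tooling or the white-paper's content. The records are constructed to mimic the field names of the Office 365 Management Activity API common schema (CreationTime, Operation, UserId, Workload, ObjectId, ClientIP); the users, sites, addresses, the threshold and the ten-minute window are all made-up values for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records, one JSON object per line. Field names follow the
# Office 365 Management Activity API common schema; every value is made up.
SAMPLE_AUDIT_RECORDS = """
{"CreationTime": "2020-07-09T08:00:05", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/q2.xlsx", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-07-09T08:00:30", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/q1.xlsx", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-07-09T08:01:02", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/budget.docx", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-07-09T08:01:40", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/payroll.csv", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-07-09T08:02:15", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/vendors.xlsx", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-07-09T08:02:50", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/q2.xlsx", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-07-09T08:03:20", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/forecast.pptx", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-07-09T08:05:00", "Operation": "FileDownloaded", "UserId": "bob@contoso.example", "Workload": "OneDrive", "ObjectId": "https://contoso-my.example/personal/bob/notes.docx", "ClientIP": "198.51.100.7"}
{"CreationTime": "2020-07-09T08:06:00", "Operation": "FileAccessed", "UserId": "bob@contoso.example", "Workload": "OneDrive", "ObjectId": "https://contoso-my.example/personal/bob/plan.docx", "ClientIP": "198.51.100.7"}
{"CreationTime": "2020-07-09T09:30:00", "Operation": "FileDownloaded", "UserId": "bob@contoso.example", "Workload": "OneDrive", "ObjectId": "https://contoso-my.example/personal/bob/plan.docx", "ClientIP": "198.51.100.7"}
"""

# Operations that represent a file leaving the service as a download.
DOWNLOAD_OPERATIONS = ("FileDownloaded", "FileSyncDownloadedFull")


def parse_records(text):
    """Parse newline-delimited JSON audit records; CreationTime becomes a datetime."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def mass_download_alerts(records, threshold=5, window_minutes=10):
    """Flag each user who downloads at least `threshold` distinct files within
    any sliding window of `window_minutes`. Re-downloading one file counts once,
    and non-download operations (FileAccessed etc.) are ignored."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] in DOWNLOAD_OPERATIONS:
            per_user[rec["UserId"]].append(rec)

    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda r: r["CreationTime"])
        best = None   # the window with the most distinct files for this user
        start = 0
        for end in range(len(events)):
            # shrink from the left until the span fits inside the window
            while events[end]["CreationTime"] - events[start]["CreationTime"] > window:
                start += 1
            span = events[start:end + 1]
            distinct = {e["ObjectId"] for e in span}
            if best is None or len(distinct) > best["count"]:
                best = {
                    "user": user,
                    "count": len(distinct),
                    "first": span[0]["CreationTime"],
                    "last": span[-1]["CreationTime"],
                    "client_ips": sorted({e["ClientIP"] for e in span}),
                }
        if best is not None and best["count"] >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in mass_download_alerts(parse_records(SAMPLE_AUDIT_RECORDS)):
        print(f"{alert['user']}: {alert['count']} distinct files between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} "
              f"from {alert['client_ips']}")
```

With the sample data, alice downloads six distinct files in just over three minutes and is flagged (her repeat download of q2.xlsx is counted once), while bob's two downloads sit 85 minutes apart and his FileAccessed event is not a download, so he is not. The threshold and window are the knobs an organization would tune against its own baseline before wiring the output into a notification.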
The purpose of the white-paper we produced is to answer questions rather than outline technical documentation. If you are interested in this, then head over to the link below:
Though the reading is excellent, that may not help you identify issues right now that need resolving. Introducing the Microsoft 365 Secure Score. You can access this for your tenant using this link. As soon as it loads, click 'Improvement actions' to see the list of identified items for improvement, as well as details of what that means.
Clicking into items reveals further details, including the following:
As you can see, this is such a simple thing to review with essential details on why the specific feature or component is critical and needs enabling or configuring. Don't hesitate, head over to the 'Microsoft 365 Secure Score' pages to improve your security posture.