Speed up time to detect and respond to user compromise and limit breach scope with Office 365 ATP

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Attackers are driven by the desire to cause damage or build their brand. They focus on gaining access to sensitive data to expose it, use it, sell it or hold it for ransom. Or they focus on impacting critical infrastructure – whatever will increase their bottom line, be it financial gain or notoriety. Regardless of their goals, attackers often look to achieve them by first gaining a foothold in the organization through a compromised user, device, or application, and then exercising a variety of steps in the ‘kill-chain’ of their attack to achieve their intent.

A compromised entity in an organization can therefore have serious repercussions. And the longer a compromise goes undetected, the larger the potential for widespread impact and cost to the organization, their customers, and partners. Early detection and remediation of compromise is therefore critical to limit the scope of a breach.

To speed up that time to detection, limit the scope of the breach and help security teams more effectively and efficiently detect and respond to compromised users, I’m excited to announce the preview of new enhanced compromised user detection and response capabilities in Office 365 ATP.

Let me give you a quick look at what these enhanced detections look like, the alerts we raise in the Office 365 Security Center and the insights and powerful automation we offer security teams to investigate and respond to end-user compromise to limit the spread of the attack across the organization.

Figure 1: Office 365 ATP auto-investigation into user suspected of being compromised

Improving detections across the kill chain

In the past few years, attacks that target users to compromise their credentials, whether identity-based attacks like password spray or social engineering attacks like phishing, have become increasingly common and sophisticated. For instance, over the past year across Office 365 we’ve seen a 60 percent increase in phishing attacks.

Attackers target users to land their exploit and then look to expand their attack scope. They compromise users and then leverage the victim’s contacts, accessible resources, applications they use, and more, to launch a variety of internal attacks to spread across the organization. These can include internal phishing campaigns orchestrated through emails and other collaboration tools to target other users, systems and data repositories inside the organization or in partner organizations.

Internal detections of such attacks are therefore a key piece of an organization’s protection and detection strategy. Paired with advanced investigation and response mechanisms, this can help ensure that compromised entities are detected quickly, and the breach does not prove too costly.

The attacker’s activities when using a compromised account are often atypical or anomalous relative to the user’s regular behavior. For instance, there is no good reason for trusted users to be sending any phish or spam emails to other recipients. Being able to detect anomalies in user activity is therefore a key signal source for detection. Office 365 ATP is able to detect these anomalies in email patterns and collaboration activity within Office 365.

The attacker may or may not trigger a suspicious login, and suspicious login alerts, when viewed in isolation, are often noisy. However, by pairing these O365 detections with other identity and endpoint-related suspicious signals we can greatly enhance the speed and accuracy of compromise detection.

We’ve also built in automation to investigate the source of the breach, determine if there are other potentially impacted users, and analyze the impact of the compromise. Further recommendations are then provided to the security teams to remediate and ultimately reduce their attack surface.

Alerting security teams to potential compromise

A common attack technique is to use a compromised account to ‘spray’ a phishing campaign and target other users. The compromised mailbox is used to send phishing messages to a large number of users inside and outside the organization with the intent of compromising these other recipients.

When Office 365 detects suspicious email or anomalous activity patterns it will raise an alert to call out the suspicious activity. For example, figure 2 below shows an alert that was raised because of suspicious sending patterns of a user.

Figure 2: Office 365 alert raised when suspicious email sending patterns were observed for a user

Office 365 also allows security teams to define sending limits for users in advance to limit the scope of a possible breach. As shown in Figure 3 below, the admin can set hourly and daily sending limits for users and also specify the action to take if those limits are hit. And when these thresholds are breached, admins are alerted.

Figure 3: Office 365 policy for internal and outbound email sending thresholds configuration with notification options

In some cases, as shown in figure 4 below, Office 365 will automatically restrict the user from sending any more emails and raise an alert.

Figure 4: Office 365 alert when a user is restricted from sending email after compromise is detected

These alerts are meant to raise the awareness of security teams so they can quickly contain and investigate the issues.

Containing and investigating the threat

As called out above, there are cases where Office 365 will automatically block the user’s ability to send further emails to contain the impact. While an alert is raised, the user is also put on a “restricted” user list, as shown in figure 5 below. Admins can then unblock the user’s ability after investigating the user and assessing impact of the compromise.

Figure 5: Users suspected of compromise and therefore restricted from sending email

O365 also offers recommendations to guide security teams through the process of unblocking a user manually. As shown in figure 6 below, specific recommendations are offered to check relevant user settings and activity logs to assess the potential impact of the breach, and specific remediation steps are recommended to ensure that the user is secured before re-enabling mail flow. O365 ATP P2 customers get the benefit of automation (covered in the next section), where these investigation steps are automatically carried out by the system.
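The sending thresholds of figure 3 and the restricted-senders list of figure 5 can also be managed from Exchange Online PowerShell. This is an added example, not code from the post; the ExchangeOnlineManagement module, the threshold values, the notification address and the user address are assumptions.

```powershell
# Added example (not from the post). Assumes the ExchangeOnlineManagement module
# is installed and the signed-in account holds an Exchange administrator role.
# The recipient limits, notification address and user address are placeholders.
Connect-ExchangeOnline

# 1. Set the hourly and daily recipient thresholds in advance (figure 3) and
#    have the service block the sender automatically when a threshold is crossed.
#    A RecipientLimit* value of 0 means "use the service default"; 1-10000 sets a cap.
#    ActionWhenThresholdReached accepts Alert, BlockUser or BlockUserForToday.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 800 `
    -ActionWhenThresholdReached BlockUser `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients "secops@contoso.example"

# Read the policy back to confirm the limits and the notification target took effect.
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Format-List RecipientLimit*, ActionWhenThresholdReached, NotifyOutboundSpam*

# 2. List the users currently on the restricted-senders list (figure 5) together
#    with the reason they were blocked, so investigations can be prioritised.
Get-BlockedSenderAddress | Format-List SenderAddress, Reason

# 3. Re-enable mail flow for one user only after the investigation and remediation
#    steps the post describes have been completed for that account.
Remove-BlockedSenderAddress -SenderAddress "alice@contoso.example"
```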

Figure 6: Admin workflow for mitigating and containing compromised users detected by Office 365

Automating investigation and response

Office 365 ATP P2 customers get the added benefit of automation to help with quick investigation and response. When any of the above alerts are raised, they are automatically investigated using detailed, built-in playbooks to determine the scope, impact and cause of the attack. The playbook intersects signals from identity sources, mail flow, DLP and mailbox settings and other O365 events to investigate and analyze the alert.

Doing the analysis above quickly and comprehensively is critical to reducing the cost of breach to the organization and preventing data theft or exfiltration. And automating the process achieves this.

Figure 7: Office 365 ATP auto-investigation into user suspected of being compromised

Figure 7 shows the automatic investigation results summary. The other tabs in the investigation offer up more details. The ‘Alerts’ tab includes the other alerts aggregated into the investigation. The ‘Email’ tab includes details of how the automation looked for other emails matching the suspicious emails sent, to see if other users were impacted. The analysis also includes looking for the source of the compromise. The ‘Users’ tab highlights other user activity anomalies detected. All the detailed steps of the playbook are captured in the ‘Log’ tab.

These details capture a comprehensive analysis of the alert to determine cause, scope and impact, and offer ways for security teams to verify the investigation steps and results should they choose to. Best of all, because it is the system doing this analysis, it can save security teams a lot of time and effort.

The ‘Actions’ tab, shown in figure 8, captures the list of recommended actions for the security teams to take based on the investigation results. This gives security teams the opportunity to review the recommendations prior to taking action.

Figure 8: Office 365 ATP recommended response actions as a result of the investigation.

Try it for yourself!

These new updates are available in preview worldwide. If you’re not signed up for Office 365 Advanced Threat Protection, check it out here to experience the full security benefits and built-in protection, detection, response and automation capabilities of Office 365 ATP.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Simplify compliance and reduce risk with Microsoft Compliance Score

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

More than half of risk management decision makers state that IT and cybersecurity risks are their biggest concern[1]. Amid all the challenges in risk management, identifying and assessing risks continue to be the most time-consuming tasks[2]. Many companies rely on manual and point-in-time assessments like annual auditing, which can quickly go out of date and expose companies to unidentified risks between audits. It’s more important than ever to equip IT professionals with the knowledge and tools to work across compliance and risk teams to effectively assess and monitor risks.

We are excited to announce the public preview of Microsoft Compliance Score, which helps you simplify compliance and reduce risks. Even if you are not an expert in complex regulations like GDPR, you can still quickly learn the actions recommended to help you progress toward compliance.

Microsoft Compliance Score helps demystify compliance and provides recommended actions that help reduce risk.

With Microsoft Compliance Score, you can now continuously assess and monitor data protection controls, get recommendations on how to reduce compliance risks, and leverage the built-in control mapping to scale your compliance effort across global, industrial, and regional regulations and standards.

Continuously assess and monitor controls with a risk-based score

Microsoft Compliance Score can scan through your Microsoft 365 environments and detect your system settings, continuously and automatically updating your technical control status[3]. For example, if you configured a compliance policy for Windows devices in the Azure AD portal, Microsoft Compliance Score can detect the setting and reflect that in the control details. Conversely, if you have not created the policy, Microsoft Compliance Score can flag that as a recommended action for you to take. With the ongoing control assessment, you can now proactively maintain compliance, instead of reactively fixing settings following an audit.

Automated assessments help you continuously monitor your data protection controls.

Improve your score with recommended actions and solutions

Microsoft Compliance Score provides you with improvement actions in different areas, such as information protection, information governance, device management, and more. This allows you to easily understand the contribution you are making towards organizational compliance by category. Each recommended action has a different impact on your score, depending on the potential risk involved, so you can prioritize important actions accordingly.

Score breakdown by category helps you identify categories that need more immediate attention.

Risk managers and compliance professionals can assess controls using the assessments view, which shows you the scores of GDPR, ISO 27001, ISO 27018, NIST CSF, NIST 800-53, HIPAA, FFIEC, and more. To help you better prepare for new waves of privacy regulations coming in 2020, we have released the new California Consumer Privacy Act (CCPA) assessment. Microsoft Compliance Score helps make connections between each regulatory requirement and the solutions that can help you enhance your controls, thus increasing your overall score.

Microsoft Compliance Score provides more than 10 out-of-box assessments across global, regional, and industrial regulations and standards.

Scale your compliance effort with built-in control mapping

With more than 220 updates every day from 1,000 regulatory bodies around the world, it’s overwhelming for organizations to keep up to date with the evolving compliance landscape. At Microsoft, we have a team of subject matter experts building out and maintaining a common control framework to scale our compliance effort. We are sharing this knowledge by building it into Microsoft 365 so you can scale your compliance program across global, industrial, and regional regulations and standards. With the built-in control mapping in Microsoft Compliance Score, when you implement one common control, the status and the evidence of the control will be automatically synchronized to the same control in other assessments, helping you reduce duplicate work.

Built-in control mapping helps you scale your compliance effort.

Get started today

Microsoft Compliance Score is available to all Microsoft 365 and Office 365 enterprise licenses. You can sign up for a trial or navigate to the Microsoft 365 compliance center (compliance.microsoft.com) to get started today. You can learn more about Microsoft Compliance Score in this supporting document.

Compliance Score is a risk-based score that helps you simplify and automate risk assessments and provides recommendations to help you address risks. It does not express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls which can reduce the risks to personal data and individual privacy. Compliance Score should not be interpreted as a guarantee in any way.

[1] Integrated Risk Management (IRM) market landscape web survey, Gartner, May 2019 (n=500, buyers and influencers of IRM solutions, 1000+ employees)

[2] Deloitte’s 2019 survey of risk management

[3] Note that this functionality is currently available for only a subset of the technical actions. Over the next few months, we will continue integrating more solutions to automate additional control assessments.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Integrated and intelligent data governance with Microsoft 365

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Organizations are rapidly embracing digital transformation, and as a result the amount of data generated is growing exponentially across environments and endpoints. As data continues to grow, organizations are challenged with the lack of information protection and governance solutions across on-premises, cloud and hybrid environments. According to Gartner, approximately 80% of the data in organizations is unstructured, not classified, protected, or governed, with little visibility into what is happening with their sensitive and business critical data. As a result, organizations are forced to use traditional and fragmented information protection and governance solutions that work in silos and are not designed to be scalable. This makes it challenging to not only protect and govern data efficiently, but also to navigate through the ever changing compliance requirements.

The Information Governance capabilities from Microsoft 365 help you in this journey by providing a unified solution that integrates data from heterogeneous environments, intelligently classifies data with machine learning capabilities, provides remediation and enables records management to meet regulations. This helps users and organizations to intelligently govern data across their environment to reduce risk, thereby easing the path towards meeting compliance needs.

Automation at scale

Not all information is created equal and every organization on the planet has data that is unique to them, whether these are contracts, invoices, or customer records. Organizations need to review, classify and assign policies in a way that is automated and scalable. Today, we are excited to announce the public preview of trainable classifiers that will harness the power of machine learning capabilities to help you detect and classify data in your organization. We have ‘built-in’ classifiers to detect resumes, offensive language, or source code. You can also create your own classifiers by providing sample data to look for information that is unique to your organization, such as customer records, HR data, contracts, etc.

At preview, these trainable classifiers can be used with retention labels to help you automatically apply the associated retention or deletion policy. Let us know what you would like to see next in this exciting space through UserVoice.

Integrated with data within and beyond Microsoft 365

Having your information where it can be easily discovered, retained and purged is critical to meeting your compliance needs and reducing risk. Microsoft 365 compliance center provides streamlined capabilities that allow you to set policies across services.

Today, you already have available options for bringing your data into Microsoft 365 through both our PST email import and the SharePoint migration tool. This year, we have further broadened the data ingestion capabilities by introducing native connectors to third-party systems. This set of connectors allows you to import relevant information from corporate accounts on social media, instant messaging, and document collaboration platforms into the Microsoft cloud to meet numerous compliance requirements.

Today, we are announcing the public preview of the native connectors gallery within the Microsoft 365 compliance center to discover and manage data from Instant Bloomberg, LinkedIn, Twitter and Facebook. These data connectors benefit Microsoft Information Governance, and a broad set of other solutions from Information Protection to eDiscovery, and we will continue to enhance their scope to include more categories of data outside of Microsoft 365.

Meet legal and regulatory requirements with Records Management

For business critical or sensitive data, your organization requires specific workflows to manage regulatory and legal record-keeping compliance. Records Management in Microsoft 365 gives you the ability to manage your complex records retention and disposition workflow efficiently.

The Records Management solution is currently in public preview. This solution lets you easily onboard and manage complex retention schedules, declare items as immutable records, and automate retention based on events. Today, we are excited to announce the public preview of trainable classifiers integrated into Records Management to help categorize your records.

Today, we are also rolling out new records versioning capabilities for SharePoint Online which enables continuous record declaration on selected versions of a single document. This capability unlocks collaboration on records while maintaining the necessary immutability required by policies and regulations.

The new capabilities in Information Governance and Records Management enhance the already rich set of features available in Microsoft 365, including auto-expanding email archives, retention policies, retention labels, disposition review and more.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Manage eDiscovery for Teams – Announcing conversation reconstruction and more

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Reconstruct conversations to provide context for chats

We are excited to announce that the new conversation reconstruction capability is now generally available in the Microsoft 365 Advanced eDiscovery. This capability threads the Microsoft Teams messages into conversations, allowing you to efficiently review and export complete dialogues with context, not just individual messages.

Automatically identify and preserve chat content based on people of interest

Today, when you add people of interest (custodians) in Microsoft Advanced eDiscovery, the system can automatically identify these people’s Exchange mailboxes, OneDrive for Business accounts, SharePoint sites, and Teams in which they are members. Through this, you can easily identify the locations where the relevant Teams content may be stored and place a legal hold on it.

Review chat content with context

With our new built-in conversation reconstruction capability, you can identify relevant chats by using targeted queries and include contextual messages in your collection. You will no longer need to run multiple searches to understand the context surrounding your search results.

Messages in conversations are processed individually but displayed in a conversation view. You can annotate, tag, and redact messages inside a chat conversation, instead of in individual messages. This makes the review process much more intuitive.

Export conversations, not just individual messages

Chats can be exported as threaded conversations or as individual messages. You can choose the format that integrates better with your downstream processes. Regardless of your export format, your export will include all the metadata unique to each message such as sender, time sent, etc. You also have the option to export all your case work on the content, including tags and redactions.

Smart tag to intelligently detect attorney client privileged communications

A major and costly aspect of the eDiscovery process is reviewing documents to identify privileged content. We are thrilled to announce the smart tag feature to make this process more intelligent and efficient.

The new smart tag capability leverages a pre-trained machine learning model to identify attorney client privileged communications. Once enabled, Advanced eDiscovery will analyze your documents and let you instantly search, identify, and tag potentially privileged documents.

eDiscovery for Yammer to broaden services coverage

We are excited to let you know that eDiscovery for Yammer is coming soon! We will support hold, search, review and export of Yammer content natively in Advanced eDiscovery by the end of calendar year 2019.

Get started today

If you have the Microsoft E5 suite, you have access to all features in this announcement. Simply navigate to the Microsoft 365 Compliance Center to get started.

If you have not had the Microsoft E5 suite yet, sign up today for a trial!

Visit the following resources to learn more about eDiscovery in Microsoft 365

Misha Desai, Program Manager 2, Microsoft 365 Security and Compliance Engineering

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Leveraging AI and automation to quickly identify and investigate insider risks

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

I spent several years in the Microsoft internal digital security and risk organization helping to develop various programs to identify insider risks, threats and code of conduct policy violations in collaboration with our human resources (HR) and legal teams. The ability to identify these risks and policy violations and then take action to minimize the negative impact is a priority for organizations worldwide.

Modern workplaces offer innovative technology that employees love, empowering them to communicate, collaborate, and produce with agility. Trusting your employees is the key to creating a dynamic, inclusive workplace and increasing productivity. But, with trust also comes risk. In fact, a survey by Crowd Research Partners indicated that 90% of organizations feel vulnerable to insider risks and 53% confirmed insider risks against their organization in the previous 12 months.

We know from our own experience that it’s hard to maintain trust without the right visibility, processes and control. However, the effort required to identify these risks and violations is not trivial. Think about the number of people accessing resources and communicating with each other, as well as the natural cycle of people entering and leaving the company. How do you quickly determine what is an intentional risk vs. an unintentional one at scale? And how do you achieve this level of visibility, while aligning to the cultural, legal and privacy requirements in which you operate? For example, truly malicious insiders do things such as intentionally stealing your intellectual property, turning off security controls or harassing others at work. But there are many more situations in which an insider might not even know they are causing a risk to the organization or violating your policies, like when they’re excited about something new they’re working on and send files or photos to tell others about it.

Ultimately, it’s important to see the activities and communications that occurred in the context of intent, in order to take the right course of action. The only way to do this efficiently and at scale is by leveraging intelligence and machine learning, as human driven processes can’t keep up and aren’t always that accurate. Furthermore, a holistic solution to this problem requires effective collaboration across security, HR and legal, as well as a balanced approach across privacy and risk management.

Today I am excited to announce two new Microsoft 365 solutions, Insider Risk Management and Communication Compliance. These solutions can help you and your organization to leverage intelligence to identify and remediate insider risks and code of conduct policy violations, while meeting regulatory requirements.

Insider Risk Management

Insider Risk Management leverages the Microsoft Graph, security services and connectors to human resources (HR) systems like SAP, to obtain real-time native signals such as file activity, communications sentiment, abnormal user behaviors and resignation date.

A set of configurable playbooks tailored specifically for risks – such as digital IP theft, confidentiality breach, and HR violations – use machine learning and intelligence to correlate these signals to identify hidden patterns and risks that traditional or manual methods might miss. Using intelligence allows the solution to focus on actual suspicious activities, so you don’t get overloaded with alerts. Furthermore, display names for risky users can be pseudonymized by default to maintain privacy and prevent bias.

A comprehensive 360° view provides a curated and easy-to-understand visual summary of individual risks within your organization. This view includes a historical timeline of relevant in-scope activities and trends associated with each identified user. For example, you could see if a user submitted their resignation, downloaded some files and copied some of them to a USB device. The system also evaluates whether any of those files had classification labels on them and whether they contained sensitive information. With the right permission, the files accessed from Microsoft cloud resources like SharePoint Online can also be made available for the investigator to view, which further helps with the risk determination. Having all this information at your fingertips allows you to quickly decide whether this risk is one that warrants further investigation, saving you considerable time.

Finally, end-to-end integrated workflows ensure that the right people across security, HR, legal and compliance are involved to quickly investigate and take action once a risk has been identified. For example, if the risk was determined to be unintentional, you could send an email saying this is a violation of company policy with a link to training or the policy handbook. If the risk was determined to be malicious, you could open an investigation that would collate and preserve all the evidence collected, including the documents, and create a case for legal and HR to take appropriate actions.

Insider Risk Management is available as part of the Microsoft 365 E5 suite and is currently in limited private preview. You can sign up for an opportunity to participate here.

Communication Compliance

Communication Compliance is a brand-new solution that helps all organizations address code-of-conduct policy violations in company communications, while also helping organizations in regulated industries meet specific supervisory compliance requirements. Communication Compliance supports a number of company communications channels, including Exchange email, Teams, Skype for Business Online, Twitter, Facebook and Bloomberg instant messages.

Organizations need to be able to investigate potential violations more effectively and to take adequate remediation action based on local regulations. To provide granularity in identifying specific words and phrases, we have three out-of-box machine learning models to identify physical violence, harassment, and profanities. You can also build your own trainable classifiers that understand meaning and context unique to your organization’s needs, such as insider trading or unethical practices, freeing you from a sea of false positives.

Once a violation has been flagged and the designated supervisor is alerted, it is important that the review process enables them to efficiently act on violations. Communication Compliance includes features such as historical user context on past violations, conversation threading and keyword highlighting, which together allow the supervisor to quickly triage the violation and take the appropriate remediation actions.

The interactive dashboard provides an effective way to manage the growing volume of communications risks to ensure violations aren’t missed. Proactive intelligent alerts on policy violations requiring immediate attention allow the supervisor to prioritize and focus on the most critical violations first. In addition, violations, actions and trends by policy provide a quick view of the effectiveness of your program.

The Financial Industry Regulatory Authority (FINRA) Rule 3110 is a good example of a requirement for regulated organizations to have solutions in place to detect violations in communications. For example, safeguarding against potential money-laundering, insider trading, collusion, or bribery activities between broker-dealers is a critical priority. For organizations in regulated industries, Communication Compliance provides a full audit of review activities and tracking of policy implementation to help you meet the regulatory requirements you may be subject to.

 

Communication Compliance is available today as part of the Microsoft 365 E5 suite, and you can sign up for a trial or navigate to the Microsoft 365 Compliance Center to get started today. 

 

We encourage customers who are currently using Supervision in Office 365 to use the new Communication Compliance solution to address your regulatory requirements with a much richer set of intelligent capabilities.

 

Thank you,

Talhah Mir, Principal Program Manager, Microsoft 365 Security and Compliance Engineering

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Introducing remote deployment guidance for Microsoft Defender ATP and Office 365 ATP


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Microsoft Defender ATP and Office 365 ATP are two critical components of the suite of Microsoft security products that work seamlessly together to provide protection across the entire attack kill chain, using built-in intelligence from the Microsoft Intelligent Security Graph to protect identities, email, applications, endpoints, and data from evolving threats.

 


 

At Microsoft, we are fully committed to helping customers realize the value of our Microsoft 365 security solutions by deploying them more quickly to address their business needs. FastTrack is responsible for making this commitment a reality by advising and supporting customers during the deployment of their technologies. We are now expanding the support we already provide for securing identities to email and endpoints with remote deployment guidance for customers that want to leverage advanced tools to secure their email and endpoints. Together, identity, email and endpoints represent the three most common entry points for attackers.

 

Microsoft FastTrack enables customers to deploy Microsoft 365 security solutions at no additional cost for eligible subscriptions in North America. FastTrack has an engagement model built on learnings and expertise gained through engineering work with more than 60,000 customers since 2014. We use and share these best practices as part of a deployment process that enables customers to onboard to new services quickly and reliably.

 

The FastTrack team provides remote guidance, engaging directly with customers or partners. This is an ongoing benefit throughout the life of the subscription, delivered by Microsoft and approved partners.

 

This service is initially available in English only. Worldwide availability and additional language support is scheduled for early 2020.

 

To request assistance, visit www.microsoft.com/FastTrack.


Introducing new videos on security and risk fundamentals of the Microsoft cloud environment


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

We are excited to announce some great new videos to help you familiarize yourself with the Microsoft Cloud security, privacy and risk practices!

If you perform risk and security assessments, these videos show how Microsoft manages risk to keep customer data secure and protected.

A Cloud Adoption Risk Assessment requires a thorough understanding of your Cloud Service Provider (CSP)’s security, privacy, and risk practices. These videos are designed to help you understand how Microsoft deploys a “defense in depth” strategy to secure hardware, software, and processes to safeguard customer data. 

Every business has different needs along their journey to the cloud and these videos are a great way to easily get information regarding the fundamentals of our cloud environment.

We have six videos in all, and they can be found on the Microsoft Office 365 YouTube channel:

 

(Screenshot: the six videos as a YouTube playlist)

  • Microsoft Online Services Incident Management – This video will walk you through how Online Services investigates, manages, and responds to security concerns so that customers’ data is secure and protected.
  • Microsoft Online Services Continuity Management – This video will walk you through how Online Services anticipates, plans for, and addresses failures at the hardware, network, and datacenter levels.
  • Office 365 Security Development and Operation – This video will walk you through how Online Services combines holistic and practical approaches to reduce the number and severity of vulnerabilities, and the Security Development Lifecycle (SDL).
  • Office 365 Access Controls – This video will walk you through how Online Services operates under the principle of Zero Standing Access, meaning our personnel, by default, never have standing access to customer data; learn the ins and outs of access, including the varying types of customer accounts and the limits to access.
  • Office 365 Vulnerability Management – This video will walk you through how Online Services employs vast resources to stop attackers from compromising the integrity, availability, or confidentiality of services.
  • Office 365 Audit Logging and Monitoring – This video will walk you through how Online Services provides many capabilities to evaluate and strengthen the security posture of customer-managed environments; learn about services and features such as security auditing, logging, and reporting.

 

More resources can be found on the Service Trust Portal.


Announcing ServiceNow, Microsoft Teams and Planner integration with Microsoft Secure Score


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

It seems like just yesterday it was July and we were at Microsoft Inspire talking to partners about Microsoft Secure Score. Like years past they had a ton of ideas to share but one request was nearly universal between them. That request was the ability for security administrators to more easily assign secure score related Improvement Actions to co-workers for investigation, implementation, and remediation.

 

This is a scenario that partners and customers alike have asked about for some time, and so we’re excited to announce the general availability of Microsoft Secure Score integration with ServiceNow, Microsoft Teams and Microsoft Planner. With it, security administrators can create tickets and tasks, and send messages, directly from the Microsoft Secure Score experience.

 

Introducing the new Share experience

Microsoft Secure Score is all about improving your security posture by implementing recommendations and best practices that we call Improvement Actions (e.g.: Do not allow the use of email forwarding rules to external domains). The more Improvement Actions an organization implements, the better its score and the more resistant it will be to attacks.
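The forwarding-rule action named above is worth checking for yourself, because auto-forwarding to an outside domain is a common way an attacker keeps reading a mailbox after the password is reset. The following is an added example, not code from Microsoft Secure Score or from this post: it flags inbox rules and mailbox-level forwarding that deliver mail outside the tenant. The rule records use the shape of the Microsoft Graph messageRule resource (actions.forwardTo, redirectTo and forwardAsAttachmentTo); the mailbox record layout, the forwardingSmtpAddress field name and the accepted-domain list are assumptions, and all sample data is constructed.

```python
# Added example (not Secure Score or Microsoft code): detect inbox rules and
# mailbox settings that auto-forward mail to domains outside the tenant.
# Rule objects follow the Microsoft Graph messageRule shape; everything else
# (mailbox record layout, forwardingSmtpAddress, ACCEPTED_DOMAINS) is assumed.

# Domains the tenant owns; anything else counts as external (assumed values).
ACCEPTED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# messageRule action names that deliver a copy of the message to another recipient.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def domain_of(address):
    """'smtp:bob@example.com' or 'bob@example.com' -> 'example.com'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address, accepted=ACCEPTED_DOMAINS):
    return domain_of(address) not in accepted


def external_targets(rule, accepted=ACCEPTED_DOMAINS):
    """All (action, address) pairs in one inbox rule that leave the tenant."""
    hits = []
    actions = rule.get("actions") or {}
    for action in FORWARDING_ACTIONS:
        for recipient in actions.get(action) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "")
            if address and is_external(address, accepted):
                hits.append((action, address))
    return hits


def audit_mailbox(mailbox, accepted=ACCEPTED_DOMAINS):
    """Findings for one mailbox: per-rule forwarding plus mailbox-level forwarding."""
    findings = []
    for rule in mailbox.get("rules", []):
        for action, address in external_targets(rule, accepted):
            findings.append({
                "mailbox": mailbox["user"], "kind": "inbox_rule",
                "rule": rule.get("displayName"), "enabled": rule.get("isEnabled", True),
                "action": action, "target": address,
            })
    # Mailbox-level forwarding (Exchange ForwardingSmtpAddress, 'smtp:' prefixed).
    forward = mailbox.get("forwardingSmtpAddress")
    if forward and is_external(forward, accepted):
        findings.append({
            "mailbox": mailbox["user"], "kind": "mailbox_forwarding", "rule": None,
            "enabled": True, "action": "ForwardingSmtpAddress", "target": forward,
        })
    return findings


def audit_all(mailboxes, accepted=ACCEPTED_DOMAINS):
    return [f for m in mailboxes for f in audit_mailbox(m, accepted)]


# Constructed sample data: one benign rule, one external forward, one internal
# redirect, and one mailbox-level forward to an outside domain.
SAMPLE_MAILBOXES = [
    {"user": "alice@contoso.com", "rules": [
        {"displayName": "Archive newsletters", "isEnabled": True,
         "actions": {"moveToFolder": "Archive"}},
        {"displayName": "Copy to home", "isEnabled": True,
         "actions": {"forwardTo": [{"emailAddress": {"address": "alice.home@gmail.com"}}]}},
    ]},
    {"user": "bob@contoso.com", "rules": [
        {"displayName": "Delegate", "isEnabled": True,
         "actions": {"redirectTo": [{"emailAddress": {"address": "carol@contoso.com"}}]}},
    ], "forwardingSmtpAddress": "smtp:bob@attacker.example"},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_MAILBOXES):
        print(finding)
```

In practice the input comes from Get-InboxRule and Get-Mailbox in Exchange Online PowerShell or from the Graph messageRules endpoint. The Improvement Action itself is satisfied by blocking auto-forwarding at the tenant level (for example the Default remote domain’s AutoForwardEnabled setting or a transport rule); running a check like this first tells you which users and rules that change will affect.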

 

(Screenshot: Microsoft Secure Score)

 

In the previous version of the Microsoft Secure Score experience, as administrators identified interesting Improvement Actions they would need to switch to another application if they wanted to create a ticket and assign it for follow-up. Now with ServiceNow, Microsoft Planner and Microsoft Teams integration into Microsoft Secure Score this experience has been streamlined and automated.

 

“From the very beginning, ServiceNow’s Now Platform was built to help digitize workflows and make work, work better for people,” said Matt Schvimmer, Vice President and General Manager of IT Service Management (ITSM) at ServiceNow. “The integration of ServiceNow’s ITSM capabilities with Microsoft Secure Score helps customers address one of the biggest challenges they face, which is maintaining and maximizing their security posture.”

 

To take advantage of the new functionality you will use the new Share button which has been added to the upper right hand side of the Improvement Action’s details page.

 

(Screenshot: the Share button on an Improvement Action’s details page)

 

When the administrator selects the Share button, they will be given several options, which include Copy Link, Email, Microsoft Teams, Microsoft Planner and ServiceNow.

 

(Screenshot: the Share menu options)

 

The ServiceNow option is the first example of the Microsoft 365 security center integrating with a 3rd party product, and it makes creating tickets in ServiceNow very easy. Most of the fields will be completed for you automatically, and you can edit fields, like priority and due date, before submitting the ticket.

 

(Screenshot: creating a ServiceNow ticket from the Share menu)

 

Of course, once a Microsoft Secure Score related ServiceNow ticket has been created, security administrators will want to track its status directly from the Microsoft 365 security center. To address this need, we’ve added a card that lets you view a Microsoft Secure Score scoped list of ServiceNow tickets.

 

(Screenshot: the ServiceNow tickets card)

 

Creating tasks in Microsoft Planner and sending messages to a team in Microsoft Teams is just as easy. To create a task in Microsoft Planner just select the Microsoft Planner option from the Share menu, update any fields as necessary, and then select the Create Planner Task button to create it.

 

(Screenshot: creating a Microsoft Planner task)

 

To post a message to a team in Microsoft Teams, use the same process after selecting the Microsoft Teams option from the Share menu.

 

(Screenshot: sending a message to Microsoft Teams)

 

In addition to the options just mentioned we also added a Copy Link option that administrators can use to copy a link to an Improvement Action’s details page directly into the clipboard. From here it can be pasted in documents and other resources.

 

(Screenshot: the Copy Link option)

 

Finally, there is the Email option which enables administrators to automate the process of adding a link to a specific Improvement Action to a draft email.

 

(Screenshot: the Email option)

 

How to Integrate Microsoft Planner and Microsoft Teams with Microsoft Secure Score

One of the beauties of using cloud-based Microsoft products is that a lot of auto-magic can happen in the background to get them talking to each other. In the case of Microsoft Planner and Microsoft Teams there is nothing for you to set up.

 

How to Integrate ServiceNow with Microsoft Secure Score

For ServiceNow there is a series of steps that must be completed before Microsoft 365 Security Center and ServiceNow can communicate with one another.

 

The first thing you need to do is install the Security and Compliance Connector for Microsoft 365 from the ServiceNow Store. You can find it by searching for “365”. From here choose the Install button to enable the connector within your ServiceNow instance.

 

(Screenshot: searching the ServiceNow Store for the connector)

 

Once installed, the connector must be configured so that it can communicate with Microsoft 365 services. To locate the configuration experience for the connector type “365” in ServiceNow’s Filter navigator which can be found on the left-hand side of its navigation experience. From here select Microsoft 365 Connector and then the Installation Checklist option in the navigation.

 

(Screenshot: the Installation Checklist menu)

 

Once the Installation Checklist option has been selected you will be asked to complete a series of steps. The first step is to Create an OAuth Endpoint. To complete this step, copy the redirect URLs shown in the ServiceNow user experience to your clipboard; see the image below for an example of the text you’ll need to copy. Next select the Create OAuth Endpoint button.

 

(Screenshot: the Create OAuth Endpoint step with the redirect URLs)

 

Next you will complete the OAuth Endpoint form to define the connection information for your Microsoft 365 services. The Name, Client ID and Client Secret fields will be completed for you automatically. To simplify things later, change the Name field to “Microsoft 365 Connector”. Then paste the redirect URLs you copied in the previous step into the Redirect URL field.

 

(Screenshot: the OAuth Endpoint form)

 

Next choose the Submit button to complete the OAuth Endpoint form and Step 1 of the process. Once it has been successfully submitted, the Microsoft 365 Installation checklist will indicate that it’s complete, as shown in the image below.

 

(Screenshot: the checklist showing Step 1 complete)

 

For Step 2 you will create a user account in ServiceNow called an ‘Integration user’. This is the account that the Microsoft 365 security center will use to connect to your ServiceNow instance. Note that this account is created with the minimum set of privileges necessary for the Microsoft 365 security center to create and manage the tickets it adds to ServiceNow. Enter a username and an appropriate password in the Username and Password fields. You will need them again in one of the subsequent steps, so store them as you would any other service credential.

 

(Screenshot: the Integration user step)

 

Next choose the Create user button to complete Step 2. Once the account has been successfully created, the Microsoft 365 Installation checklist will indicate so, as shown in the image below.

 

(Screenshot: the checklist showing Step 2 complete)

 

For Step 3 you will need to authorize the Microsoft 365 security center to connect to ServiceNow using the Microsoft 365 Security and Compliance Connector.

 

To do this, type “OAuth” in ServiceNow’s filter navigator on the left-hand side. Next click the Application Registry option in the menu. From here select the name of the OAuth Endpoint that you created in Step 1 to open its details page; if you renamed it as instructed, it will be called “Microsoft 365 Connector”.

 

(Screenshot: the Application Registry list)

 

From the details page take note of the Client ID and Client Secret values, as you will need them in subsequent steps to configure the Microsoft 365 security center to communicate with ServiceNow. Treat the Client Secret as a credential.

 

(Screenshot: the OAuth endpoint details page with Client ID and Client Secret)

 

Next log out of ServiceNow and log back in with the Integration user account created in Step 2 to confirm that it is accessible.

 

Now that the ServiceNow side is configured, it’s time to set things up on the Microsoft 365 security center side. Log on to the Microsoft 365 security center and scroll down the page until you see the ServiceNow card. Next select the Connect to ServiceNow button.

 

(Screenshot: the ServiceNow card in the Microsoft 365 security center)

 

Once on the Provisioning ServiceNow page you will find that you have already completed Steps 1-3, so you can skip down to Step 4. All you need to do at this point is enter the Client ID and Client Secret values that you noted during Step 3. Then enter the URL of your ServiceNow instance in the Instance Name field. Next select Authorize to allow the Microsoft 365 security center to connect to your ServiceNow instance.

 

(Screenshot: the Provisioning ServiceNow page)

 

Once authorization is complete you will be prompted to log in to ServiceNow. Use the Integration user’s username and password here.

 

(Screenshot: the ServiceNow login prompt)

 

Once completed, you will be brought to a ServiceNow screen where you click Allow.

 

(Screenshot: the ServiceNow Allow prompt)

 

Once Allow has been selected you will be brought to a Permissions requested page to accept permissions.

 

(Screenshot: the Permissions requested page)

 

Once you accept the permissions request you will be brought back to the Provisioning ServiceNow page, where you will have the option of mapping Microsoft 365 security center ticket states to those from ServiceNow. For instance, for the Select which states represent completed change requests option, select the states that make the most sense for your organization. Do the same for the Select which states represent completed incidents option.

 

(Screenshot: state mapping on the Provisioning ServiceNow page)

 

Once done, select the Save button and you’ll be ready to start creating Microsoft Secure Score related tickets directly in ServiceNow.

 

Wrapping it up

So, there you have it – a quick introduction of our new Microsoft Secure Score integration with ServiceNow, Microsoft Planner and Microsoft Teams along with the step by step instructions you’ll need to get everything operational within your environment.

 

We encourage you to start taking advantage of this new functionality at the earliest opportunity and we look forward to hearing your feedback. More information on Microsoft Secure Score and on the ServiceNow integration can be found at Microsoft Docs and Managing tickets through ServiceNow respectively.

 

 

 

 


Improve your Cloud Security posture with Microsoft Secure Score


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Microsoft Secure Score provides you with a prioritized list of the key controls you can enable to improve the security posture of your environment. The recommendations and best practices it suggests include those from across Microsoft 365 Security and from Microsoft Cloud App Security, a Cloud Access Security Broker (CASB), a new generation of security solution that is essential to any modern security strategy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across cloud, on-premises and custom apps.

To ensure that customers enable key use cases to detect cloud-native attacks and protect against risky apps in their environment with Microsoft Cloud App Security, we will explore the top 5 most impactful Cloud App Security related Improvement Actions that Microsoft Secure Score has to offer. These will allow you to get the most out of your CASB investment and up-level the security for all your cloud apps, whether they’re Microsoft or 3rd party apps.

 

Get started with these top 5 Improvement Actions for Microsoft Cloud App Security

To maximize Microsoft Cloud App Security’s impact on your overall security posture, here are five of the top improvement actions you should start with:

  1. Use Cloud App Security to detect anomalous behavior
  2. Create a custom activity policy to discover suspicious usage patterns
  3. Discover Shadow IT and application usage
  4. Set automated notifications for new and trending cloud applications in your organization
  5. Review permissions & block risky OAuth applications connected to your environment

 

Use Cloud App Security to detect anomalous behavior

Designed with security professionals in mind, Microsoft Cloud App Security makes it easy to get started. It’s designed for simple deployment, centralized management, and innovative automation capabilities. When you turn on the Cloud App Security console you can easily connect your apps and instantly leverage numerous built-in threat detection policies. They enable you to detect insider threats, compromised accounts and brute force attempts. In addition, Microsoft Cloud App Security provides risk scores for all of the users in your organization, which enables the Security Operations team to prioritize their investigations.

 


 

Create a custom activity policy to discover suspicious usage patterns

Activity policies enable you to monitor suspicious user activities and be alerted on policy violations such as downloading a large number of files in a short period of time or sharing sensitive files with external users. Microsoft Cloud App Security also allows you to take manual remediation actions or setup automatic remediation to lighten the workload on your SecOps team.
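What such a policy evaluates is a count of one activity type per user inside a time window. As an added example, not Microsoft Cloud App Security code, here is that detection run over a handful of constructed activity log lines; the line format, the activity names, the threshold and the window are assumptions chosen to resemble the Office 365 audit events a CASB consumes.

```python
# Added example (not Cloud App Security code): sliding-window detection of
# "N file downloads by one user within T minutes". Log format is assumed:
# "<ISO-8601 UTC timestamp> <user> <activity> <object>". Sample lines are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice pulls six files in 90 seconds (two lines deliberately
# out of order), bob downloads three files spread over an hour.
SAMPLE_LOG = """\
2019-10-01T09:00:05Z alice@contoso.com FileDownloaded Q3-forecast.xlsx
2019-10-01T09:00:07Z alice@contoso.com FileDownloaded board-deck.pptx
2019-10-01T09:00:09Z bob@contoso.com FileDownloaded handbook.pdf
2019-10-01T09:00:12Z alice@contoso.com FileAccessed payroll.xlsx
2019-10-01T09:00:15Z alice@contoso.com FileDownloaded payroll.xlsx
2019-10-01T09:00:20Z alice@contoso.com FileDownloaded customers.csv
2019-10-01T09:01:30Z alice@contoso.com FileDownloaded m-and-a.docx
2019-10-01T09:01:02Z alice@contoso.com FileDownloaded contracts.zip
2019-10-01T09:30:00Z bob@contoso.com FileDownloaded expenses.xlsx
2019-10-01T10:05:00Z bob@contoso.com FileDownloaded travel.pdf
"""


def parse_line(line):
    """Split one log line into (timestamp, user, activity, object)."""
    ts, user, activity, obj = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, activity, obj


def detect_mass_download(lines, threshold=5, window=timedelta(minutes=2),
                         activity="FileDownloaded"):
    """Return one alert per user the first time `threshold` events of `activity`
    fall inside a `window`-long sliding window. Lines may arrive out of order."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    recent = defaultdict(deque)   # user -> (timestamp, object) pairs inside the window
    alerted, alerts = set(), []
    for ts, user, act, obj in events:
        if act != activity:
            continue
        q = recent[user]
        q.append((ts, obj))
        while q and ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "count": len(q), "start": q[0][0],
                           "end": ts, "files": [o for _, o in q]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_download(SAMPLE_LOG.splitlines()):
        print(f"{alert['user']}: {alert['count']} downloads between "
              f"{alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}: {alert['files']}")
```

The window is evaluated per event rather than per fixed bucket, so a burst that straddles a minute boundary is still caught; the one-alert-per-user set is what keeps a single burst from raising an alert on every subsequent download.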

 

Discover Shadow IT and application usage

In today’s modern enterprises, apps run the workplace. While we see an average of 129 IT-managed applications, our CASB discovery data shows that the total number of apps accessed by employees in large organizations exceeds 1,000. In Microsoft Cloud App Security you have several options to activate the discovery of Shadow IT: single-click enablement via Microsoft Defender Advanced Threat Protection, uploading logs from your firewall, or using an existing Secure Web Gateway. Once discovered, Microsoft Cloud App Security assesses all apps against more than 90 risk and compliance factors and allows you to manage future access.

 


 

 

 

Set automated notifications for new and trending cloud applications in your organization

The initial discovery and assessment of the apps in your organization can be time consuming depending on how many apps are in use. To ensure you can stay on top of Shadow IT in your organization, it is recommended to implement continuous monitoring. Microsoft Cloud App Security allows you to set up policies to be alerted when new, risky or high-volume apps are discovered in your environment, so you can immediately evaluate and manage them according to the requirements of your organization.

 


 

Review permissions & block risky OAuth applications connected to your environment

OAuth is a web-based industry standard protocol that enables users to grant web apps access to their accounts and data without sharing their credentials. The use of OAuth in enterprises is increasing as a result of the continued adoption of cloud-based solutions. While extremely convenient, OAuth introduces a new threat vector to the security of organizations and enables potential back doors into corporate environments when malicious apps are authorized.

Microsoft Cloud App Security enables you to identify all OAuth apps that have been authorized against your corporate apps such as Office 365, G Suite and Salesforce, evaluate their risk and ban them if necessary. You can find additional details in this blog post.
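The risk of a consented app is mostly a function of what it can do with the token it holds, how long it keeps it, and who is behind it. The following is an added example, not Cloud App Security code, that ranks app grants on those factors: the scope names are Microsoft Graph delegated permissions, but the grant record layout, the weights and the review/ban thresholds are assumptions, and the grants are constructed.

```python
# Added example (not Cloud App Security code): triage of OAuth app grants by the
# permissions they hold. Scope names are Microsoft Graph delegated permissions;
# the grant record layout, weights and thresholds are assumed. Data is constructed.

# Weight per scope: higher means more damage if the app (or its token) is abused.
SCOPE_WEIGHTS = {
    "Directory.ReadWrite.All": 4,
    "Mail.ReadWrite": 3, "Mail.Send": 3, "Files.ReadWrite.All": 3, "Sites.ReadWrite.All": 3,
    "Mail.Read": 2, "Files.Read.All": 2, "Calendars.ReadWrite": 2, "Contacts.ReadWrite": 2,
}
REVIEW_AT, BAN_AT = 3, 7   # assumed thresholds


def score_grant(grant):
    """Return (score, reasons) for one app grant."""
    reasons, score = [], 0
    data_scopes = [s for s in grant["scopes"] if s in SCOPE_WEIGHTS]
    for scope in data_scopes:
        score += SCOPE_WEIGHTS[scope]
        reasons.append(f"scope {scope}")
    # offline_access only matters together with a data scope: it yields a refresh
    # token, so access outlives the user's session and survives a password reset.
    if "offline_access" in grant["scopes"] and data_scopes:
        score += 2
        reasons.append("persistent access via offline_access")
    if not grant.get("publisher_verified", False):
        score += 3
        reasons.append("unverified publisher")
    if grant.get("user_count", 0) < 5:
        score += 1
        reasons.append("consented by very few users")
    return score, reasons


def classify(grant):
    score, reasons = score_grant(grant)
    verdict = "ban" if score >= BAN_AT else "review" if score >= REVIEW_AT else "allow"
    return {"app": grant["app"], "score": score, "verdict": verdict, "reasons": reasons}


def triage(grants):
    """Highest-risk apps first."""
    return sorted((classify(g) for g in grants), key=lambda r: -r["score"])


# Constructed grants: a verified low-privilege bot, an unverified app holding
# mail and file write access with a refresh token, and a verified calendar tool.
SAMPLE_GRANTS = [
    {"app": "Contoso Expense Bot", "publisher_verified": True, "user_count": 320,
     "scopes": ["User.Read", "offline_access"]},
    {"app": "Free PDF Converter", "publisher_verified": False, "user_count": 2,
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
    {"app": "Calendar Sync", "publisher_verified": True, "user_count": 40,
     "scopes": ["Calendars.ReadWrite", "offline_access"]},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_GRANTS):
        print(result["verdict"].upper(), result["app"], result["score"], result["reasons"])
```

Banning an app in a CASB revokes the grant, but the point of the offline_access weighting is that until you do, the app keeps working with a refresh token even after the consenting user changes their password; that is what makes a consented malicious app a back door rather than a one-time leak.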

 


 

 

Wrapping It Up

So, there you have it – a quick tour of the top Microsoft Secure Score related Improvement Actions in Microsoft Cloud App Security. Start using Microsoft Cloud App Security today to get better visibility into your cloud environment and take control of all your cloud apps. More information on Microsoft Cloud App Security and Microsoft Secure Score can be found at Microsoft Docs.

 

More info and feedback

  • Haven’t tried Microsoft Cloud App Security yet? Start a free trial today.
  • As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
  • For more resources and information on Microsoft Cloud App Security go to our website.

 

 

 

 


Sensitivity labeling now built into Office apps for Windows to help protect sensitive information


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Microsoft Information Protection solutions help you better protect your sensitive information, wherever it lives or travels – across devices, apps, cloud services and on-premises. Our goal is to provide a consistent and comprehensive approach to discovering, classifying, labeling and protecting sensitive data.

 

Earlier this year we released built-in sensitivity labeling in Office apps for Mac, iOS and Android. These capabilities enable users to easily apply sensitivity labels to documents and emails – based on the policies defined by your organization. The built-in labeling experiences are integrated directly into Office apps – there’s no need for any special plugins or add-ons.

 

We’re expanding to additional Office apps, and now sensitivity labeling is available in Office apps for Windows. With this release, end-user driven sensitivity labeling is now available in:

  • New! Office for Windows: Word, PowerPoint, Excel & Outlook
  • Office for Mac: Word, PowerPoint, Excel & Outlook
  • Office mobile apps for iOS: Word, PowerPoint & Excel (Outlook coming soon)
  • Office mobile apps for Android: Word, PowerPoint & Excel (Outlook coming soon)

The labeling experience in Office apps for Windows is similar to the labeling experience on other platforms – making it easy and familiar for your end-users. Once you define and configure your sensitivity labels and policies, the same labels are published out and made available across the supported Office apps.

 

The screenshots below show examples of the end-user experience in Office apps for Windows. Users select the Sensitivity drop-down menu to view the available labels and select the appropriate label. The experience is similar across Word, PowerPoint, Excel and Outlook.

(Screenshot) Apply sensitivity labels in Office apps for Windows – your label policy will apply the configured protection actions, such as encryption, rights restrictions or visual markings.

 

(Screenshot) Applying sensitivity labels in Outlook for Windows is a similar experience.

 

(Screenshot) An email labeled “Highly Confidential” in Outlook for Windows gets encrypted, and headers and footers are applied.

Getting started

Similar to publishing labels for use in other Office apps, you need to first configure your organization’s sensitivity labels in the Office 365 Security & Compliance Center or the Microsoft 365 Compliance center. If your organization has sensitivity labels configured in the Azure portal for Azure Information Protection, you will first need to migrate your labels to the Microsoft 365 Compliance center, and then the labels can be used by the supported Office apps. You can find more information on migration steps here.

 

You can also learn more about sensitivity labels in our documentation, and additional details on supported Office apps are included in this article. Sensitivity labeling in Office apps for Windows is rolling out now to customers who have Office 365 E3 or E5 (built-in sensitivity labeling is supported on the Office 365 ProPlus version of Office), and the rollout is expected to be completed by the end of September or October 2019.

    

We’re excited to expand sensitivity labeling to Office for Windows, enabling more comprehensive protection of sensitive information across your environment. We plan to release sensitivity labeling in the Office apps for the Web and Outlook mobile soon. Please check the Microsoft 365 roadmap for the latest information.


Security Policy Advisor for Office 365 ProPlus is now Generally Available!


The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Hello everyone,

Today we are pleased to announce the general availability of Security Policy Advisor, a new service that can help enterprises improve the security of Office 365 ProPlus clients in their organization.

 

Security Policy Advisor has been in preview for the past few months and we wanted to first thank all our previewers who have evaluated this service and provided us with feedback that has helped us improve the service.

 

Security Policy Advisor enables IT admins who have deployed Office 365 ProPlus to manage the security of their Office applications with confidence by providing the following capabilities:

  • Tailored recommendations for specific security policies that can provide a high value in helping raise the overall security posture of an enterprise and protect against contemporary attacks.
  • Rich data insights about the security and productivity impact of applying a policy recommendation. These insights can help admins weigh the benefits and costs of applying a policy and make a data-informed decision.
  • One-click deployment of policies to end users through the recently released Office cloud policy service that enables admins to enforce Office policies for Office 365 ProPlus clients directly from the cloud. No on-premises infrastructure or MDM services are required.
  • Monitoring and reporting on policy impact, which allows an admin to have visibility into how a security policy is affecting users without having to wait to hear from them.


 

 

This service is now generally available and supported for customers with Office 365 ProPlus.

 

Get started today by visiting and signing into the Office client management portal, turning on Security Policy Advisor, and creating Office cloud policy configurations.  For each policy configuration you create and assign to a group of users, Security Policy Advisor will generate recommendations with supporting data that you can review and deploy to users as a policy. Once you have applied a policy, you can continue to monitor its ongoing impact on users through the management portal.

For additional documentation on how to use this new policy service and its capabilities, see Security Policy Advisor for Office 365 ProPlus.

 

This service is just one of many new services which the Office team will be releasing over the next 12+ months.  These services, which shape the foundation of the Office serviceability SDK, are designed to work with 1st and 3rd party management solutions to help administrators simplify and streamline Office deployment and management.

 

As always, please provide feedback using the feedback button to help us improve the service. We look forward to hearing from you and to continuing to improve this service.

 

Thank you! 

 

FAQ:

Note:  Please refer to our documentation for the most up to date information.

 

What are the prerequisites to start using Security Policy Advisor?

For prerequisites, see Requirements for using Security Policy Advisor.

 

How does this relate to a security baseline?

Security baselines are a great starting point for enterprises to configure their applications for security. A new draft of the security baseline for Office 365 ProPlus applications is available here.

 

A security baseline is generic best practice guidance that ultimately needs to be consumed and customized for your enterprise to balance your security and productivity goals. You can use Office cloud policy service to apply the user level policies recommended in the Office security baseline.  Security Policy Advisor complements a security baseline by providing custom recommendations for specific policies that are tailored to your enterprise, helping you to choose a security policy that has the least impact on productivity for your organization.

 

How are the recommendations, productivity and security impact insights generated?

Security Policy Advisor uses the following data to generate recommendations and associated data insights on productivity and security impact:

  1. To create the recommendations and productivity insights, Security Policy Advisor relies on required service data from Office 365 ProPlus. For more information, see Required service data for Office.
  2. If your organization has Office 365 Advanced Threat Protection Plan 2, then Security Policy Advisor can use data from this service to provide insights on recommended policies. These insights will be based on threats that have been detected and stopped by Advanced Threat Protection. For more details on Office 365 Advanced Threat Protection, see Office 365 threat investigation and response.

For more details, see How Security Policy Advisor creates recommendations.

 

What happens when I turn off Security Policy Advisor?

When you turn off Security Policy Advisor, usage and threat data from your organization are no longer analyzed and no recommendations or insights will be generated.

Admins can control the data collected from their clients using the new privacy controls supported by Office apps. More details are available at Overview of privacy controls for Office 365 ProPlus.

 

What happens if I do not have Office 365 Threat Investigation and Response (via ATP Plan 2)?

If your organization has Office Threat Investigation and Response (via ATP Plan 2), Security Policy Advisor can use data from this service to provide you with information on threats detected and stopped by ATP that the recommended policy can help protect against. This helps quantify the actual risk to your organization when you consider applying a recommendation.

If your organization does not have ATP Plan 2, Security Policy Advisor will still show you information on the productivity impact that is helpful in assessing and monitoring impact to end users when applying recommendations.

 

Which admin roles can view recommendations and configure policies?

Only the Global Admin, Security Admin or Desktop Analytics Admin roles are allowed access to create or view policy configurations.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Register now for the Compliance pre-day at Microsoft Ignite on 11/3/2019

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Come join us for the Compliance pre-day event at Microsoft Ignite in Orlando, Florida on 11/3/2019! This interactive pre-day event will bring you together with leading industry peers, analysts, and partners who will share their views and best practices for protecting and governing sensitive data, handling internal risks, and responding to data compliance requests.

 

Agenda:

9:00AM – 10:00AM: Exclusive keynote with Microsoft’s CISO
In this keynote Bret Arsenault, CVP and CISO, shares his strategy for security and compliance in Microsoft’s complex enterprise, details about some of our accomplishments, problems we’re endeavoring to solve, and what we’ve learned along the way.

10:30AM – 12:00PM: Analyst-Facilitated Customer Panel
Hear from industry leaders about challenges, opportunities, and what’s next for compliance. Participate during our interactive panel.

1:00PM – 2:45PM: Chalk Talk with Microsoft’s Compliance Professionals
Join Microsoft compliance professionals to discuss real-world challenges and best practices around insider risk, information protection, and data subject requests.

3:00PM – 3:45PM: Why Microsoft is in the business of compliance: our investment in innovation
Hear Microsoft engineering explain how and why we’re invested in the business of compliance.

3:45PM – 4:30PM: Partner Panel Discussion
Lessons from partners on how to effectively define and implement a compliance strategy with your key stakeholders.

6:00PM – 9:00PM: Community building
Wrap up the day by joining us for a special dinner and enjoy connecting with peers and partners.

 

Click here to register for the “Compliance requirements: A practical guide to leveraging the capabilities in Microsoft 365” now.* We hope to see you there!

 

*Please note that you will have to register for Ignite prior to registering for the pre-day.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Introducing the new Microsoft Graph Security API add-on for Splunk!

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

A new add-on from Microsoft enables customers to easily integrate security alerts and insights from its security products, services, and partners in Splunk Enterprise. The new Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.

 

This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from the following Microsoft and partner solutions into Splunk using a single add-on and common schema, enabling easier correlation of data across these products:

  1. Azure Security Center
  2. Azure Active Directory Identity Protection
  3. Microsoft Cloud App Security
  4. Microsoft Defender Advanced Threat Protection
  5. Azure Advanced Threat Protection
  6. Office 365 Advanced Threat Protection
  7. Azure Information Protection (preview)
  8. Azure Sentinel (preview)
  9. Palo Alto Networks

Note: Security products are continuously onboarded; refer to the Microsoft Graph Security alerts providers table for the latest product list.

 

Since the new add-on extends support across a broader set of security products, it will replace the Azure Monitor add-on for Splunk as the preferred method for integrating with the Microsoft Graph Security API.

Getting Started

Follow these steps to install and configure the app. Refer to the documentation for more details.

  1. Register your application for this Splunk add-on on the Azure portal.
  2. Configure permissions and be sure to add the SecurityEvents.Read.All permission to your application. Get your Azure AD tenant administrator to grant tenant administrator consent to your application. This is a one-time activity unless permissions change for the application.
  3. Copy and save your registered Application ID and Directory ID from the Overview page. You will need them later to complete the add-on configuration process as illustrated below. (Figure: Application registration)
  4. Generate an application secret by going to Certificates & secrets. Save the generated secret as well for add-on configuration purposes.
  5. In Splunk, click on Splunk Apps to browse more apps.
  6. Search for ‘Microsoft Graph Security’ and install the Microsoft Graph Security API add-on for Splunk.
  7. If Splunk Enterprise prompts you to restart, do so.
  8. Verify that the add-on appears in the list of apps and add-ons as shown in the diagram below. (Figure: Microsoft Graph Security add-on for Splunk)
  9. Configure Microsoft Graph Security data inputs illustrated in the diagram below as per the detailed guidance in the installation documentation for this add-on. This add-on lets you pre-filter your data by specific alert providers, alert category, severity, etc. by specifying the OData Filter field as shown in the diagram below. (Figure: Add-on input configuration)
  10. Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.
  11. If you have Splunk and relevant add-ons running behind a proxy server, follow the additional steps for Splunk behind a Proxy Server in the installation documentation for this add-on.

What’s Next?

We are working to enable support for this add-on on Splunk Cloud. We would love to hear your feedback on this add-on so that we can factor it in before making it available on Splunk Cloud. Please share your feedback by filing a GitHub issue.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

New Exact Data Match (EDM) classification helps you better detect and protect sensitive information

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Office 365 Data Loss Prevention (DLP) enables you to create policies to help prevent the inadvertent or inappropriate sharing of documents and emails containing sensitive information. DLP policies can leverage a broad range of over 90 built-in sensitive information types to detect common data types, such as financial data, PII and health-related information. Organizations can also choose to create custom sensitive information types to detect information specific to their organization’s needs – based on patterns, supporting evidence (keywords such as employeebadgeID, and so on), character proximity (how close evidence is to characters in a particular pattern), and confidence levels.

 

Exact Data Match (EDM) is a new capability that enhances custom sensitive information types to help accurately target detection of your exact and unique sensitive content. EDM sensitive information types are designed to:

  • be dynamic and refreshable
  • be more scalable
  • result in fewer false-positives
  • work with structured sensitive data
  • handle sensitive information more securely
  • be used with several Microsoft cloud services

 

Example use cases

 

Example 1: A healthcare provider needs to prevent or block the sharing of medical records that contain patient information – especially to ensure that this information isn’t sent to external users. The organization configures an Exact Data Match (EDM) based sensitive information type to do exact match lookup based on their patient records.

 

A patient EDM sensitive information type is configured to detect content which matches patient SSN or Patient ID or medical record number, along with patient information (e.g. name, date of birth, phone number). Office 365 DLP policies are configured to block external sending of email if a patient EDM sensitive information type is found.

 

Example 2: A banking institution needs to prevent customer account numbers from being shared outside of the organization’s boundary. They configure an Exact Data Match (EDM) based sensitive information type to do exact match lookup based on customer bank account records.

 

A customer account EDM sensitive information type is configured to detect account number, type of account and customer information (name, email address, phone number). Office 365 and Microsoft Cloud App Security DLP policies are configured to detect and block sharing of content that contains the customer account EDM sensitive information type.

 

 

Configure Exact Data Match

 

Exact data match configuration involves three key steps:

  • Define the schema for Exact lookup data
  • Update sensitive content used for Exact Lookup
  • Create Exact Data Match sensitive type

 

We provide an EDM Upload Agent to enable indexing and secure upload of sensitive content, which supports:

  • Authorization, to ensure that only users with the right permission can execute EDM lookup.
  • Ensuring that sensitive content used for lookup never exits the customer’s boundary.
  • Uploading the indexed file to the right Microsoft service instance.

 

Detailed steps to create Exact Data Match sensitive information types are located here.
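To make the three configuration steps concrete (define a schema, upload hashed lookup data, match against it), here is an added, deliberately simplified illustration of exact-match lookup over hashed structured data. It is example code written for this page, not Microsoft’s EDM implementation or the EDM Upload Agent. It assumes a constructed two-row patient table, a hypothetical per-tenant salt and a made-up patient-ID format; what it shows is that the uploaded index holds only keyed hashes (so the plaintext records never leave the customer’s boundary) and that a hit on the primary field is only reported when supporting fields from the same record also appear in the content.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample records standing in for the customer's structured
# lookup data (e.g. an export of patient records). Not real people.
SAMPLE_RECORDS = [
    {"PatientID": "A1234567", "Name": "Ada Lovelace", "DOB": "1815-12-10"},
    {"PatientID": "B7654321", "Name": "Alan Turing", "DOB": "1912-06-23"},
]

# Hypothetical per-tenant secret that salts every hash (constructed value).
TENANT_SALT = b"constructed-tenant-salt-do-not-reuse"

# Constructed primary-field format: one letter followed by seven digits.
PRIMARY_PATTERN = re.compile(r"\b[A-Z]\d{7}\b")


def normalize(value: str) -> str:
    """Canonicalise a field value so 'a123 4567' and 'A1234567' hash alike."""
    return re.sub(r"\s+", "", value).upper()


def field_hash(value: str) -> str:
    """Keyed hash of a normalised value; only these hashes leave the boundary."""
    return hmac.new(TENANT_SALT, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records: List[Dict[str, str]], primary: str = "PatientID") -> Dict[str, Dict[str, str]]:
    """What the upload step conceptually ships: hash(primary) -> {field: hash(value)}."""
    return {
        field_hash(rec[primary]): {k: field_hash(v) for k, v in rec.items() if k != primary}
        for rec in records
    }


@dataclass
class Match:
    token: str        # the primary-field value found in the content
    supporting: int   # how many other fields of the same record were also present


def _ngram_hashes(text: str, max_words: int = 3) -> Set[str]:
    """Hashes of every 1..max_words word span in the text (the lookup side)."""
    words = re.findall(r"[A-Za-z0-9-]+", text)
    return {
        field_hash(" ".join(words[i:i + n]))
        for n in range(1, max_words + 1)
        for i in range(len(words) - n + 1)
    }


def detect(text: str, index: Dict[str, Dict[str, str]], min_supporting: int = 1) -> List[Match]:
    """Exact-match lookup: candidate tokens are hashed and looked up in the
    index; a hit counts only if >= min_supporting other fields of that record
    also appear, which is what keeps a pattern-only match from firing."""
    grams = _ngram_hashes(text)
    matches = []
    for token in sorted(set(PRIMARY_PATTERN.findall(text.upper()))):
        hashed = field_hash(token)
        if hashed not in index:
            continue  # looks like an ID but is not one of our records
        supporting = sum(1 for h in index[hashed].values() if h in grams)
        if supporting >= min_supporting:
            matches.append(Match(token, supporting))
    return matches


if __name__ == "__main__":
    idx = build_index(SAMPLE_RECORDS)
    print(detect("Forwarding results for Ada Lovelace (patient A1234567, DOB 1815-12-10).", idx))
```

The `min_supporting` threshold plays the role of the supporting evidence a custom sensitive information type requires: an ID-shaped token that is not in the index, or that appears without any of its record’s other fields, produces no match, which is where the lower false-positive rate comes from.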

 

Start using Exact Data Match

To start, Office 365 DLP for Exchange Online (email), OneDrive for Business (files), Microsoft Teams (conversations) and Microsoft Cloud App Security policies support EDM sensitive information types.

 

EDM sensitive information types are currently in development, but not yet available, for Office 365 DLP for SharePoint (files) and for auto-classification of content for the purpose of applying sensitivity labels and retention labels.

 

For end-users, Office 365 DLP policy tips are useful to provide notifications that sensitive information has been detected and DLP policies are being applied. While this has been widely available on Office apps for DLP policies, support for EDM policy tips will start in Outlook for the web, and we intend to support policy tips in other Office apps in the future.

 

Figure: A policy tip in Outlook for the web notifies the user that a patient record was detected.

 

Getting started

As an advanced classification capability, Exact Data Match is included as an entitlement in the following subscriptions:

  • Office 365 E5
  • Microsoft 365 E5
  • Microsoft 365 Compliance
  • Office 365 Advanced Compliance

You must be a global admin, compliance administrator, or Exchange Online administrator to perform the tasks described in . To learn more about DLP permissions, see Permissions.

 

 

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Check out the Microsoft Graph Security sample application!

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

It’s easy to build rich security applications using the Microsoft Graph Security API. We built one to help demo the capabilities and have shared the sample code on GitHub so you can use it to kick start development of your own security app!

 

The sample app is designed to showcase some of the key scenarios enabled by the Microsoft Graph Security API. As you’ll see, data from across the organization is surfaced – from both Microsoft and third-party security solutions, in one simple dashboard. Users can easily drill down into specific alerts to get additional information and context, update alert status and add tags, pivot to view related alerts for a specific user or device, view detailed information about security recommendations, and much more.

 

Check out the video to see the sample app in action and what additional capabilities are available in the Microsoft Graph Security API.

 

 

Getting Started

Follow the steps below to get access to this sample app and try it on your Azure Active Directory (Azure AD). Refer to the sample app documentation for further details on the steps summarized below.

  1. Ensure prerequisites are set up before you download the sample code and build the app.
  2. Register this app in your Azure AD to meet Microsoft Graph auth requirements.
  3. Gain consent from your Azure AD administrator to view security data.
  4. Build and run the sample.
  5. Deploy the app to Azure.

 

Download the sample app from our GitHub repository and be sure to check out the documentation to get started today! Check out additional samples for more options to connect with the Microsoft Graph Security API. Please share your feedback by filing a GitHub issue.
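Both the Splunk add-on setup above (app registration, the SecurityEvents.Read.All application permission, the OData Filter input) and the sample app’s Graph auth requirements come down to the same exchange: a client-credentials token from Azure AD, then a filtered GET on the alerts collection. The following added Python example shows that exchange and a small roll-up over the common alert schema. It is not code from the add-on or the sample app; the tenant ID, Application ID and secret are placeholders you supply from your own registration, and SAMPLE_PAGE is a constructed alerts page used to exercise the summary logic offline.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Dict, List, Optional

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_alerts_url(odata_filter: Optional[str] = None, top: int = 50) -> str:
    """Same kind of pre-filter the add-on's OData Filter field takes,
    e.g. "severity eq 'high'" or "vendorInformation/provider eq 'ASC'"."""
    params = {"$top": str(top)}
    if odata_filter:
        params["$filter"] = odata_filter
    return GRAPH_ALERTS + "?" + urllib.parse.urlencode(params)


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow. The app registration needs the
    SecurityEvents.Read.All application permission with admin consent."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_alerts(token: str, odata_filter: Optional[str] = None, top: int = 50) -> List[Dict]:
    """GET the alerts collection, following @odata.nextLink until exhausted."""
    url = build_alerts_url(odata_filter, top)
    alerts: List[Dict] = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def summarize_alerts(alerts: List[Dict]) -> Dict:
    """Roll-up over the common alert schema: counts per provider and
    severity, plus the ids still in 'newAlert' status (not yet triaged)."""
    by_provider = Counter(a.get("vendorInformation", {}).get("provider", "unknown") for a in alerts)
    by_severity = Counter(a.get("severity", "unknown") for a in alerts)
    untriaged = [a["id"] for a in alerts if a.get("status") == "newAlert"]
    return {"by_provider": dict(by_provider), "by_severity": dict(by_severity), "untriaged": untriaged}


# Constructed page shaped like the Graph alerts collection; not real alerts.
SAMPLE_PAGE = {
    "value": [
        {"id": "alert-0001", "title": "Unfamiliar sign-in properties", "severity": "medium",
         "status": "newAlert", "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}},
        {"id": "alert-0002", "title": "Suspicious process executed", "severity": "high",
         "status": "inProgress", "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"}},
        {"id": "alert-0003", "title": "Malware download blocked", "severity": "high",
         "status": "newAlert", "vendorInformation": {"provider": "Palo Alto Networks", "vendor": "Palo Alto Networks"}},
    ]
}


if __name__ == "__main__":
    # Placeholders: the Directory (tenant) ID, Application ID and secret saved during registration.
    TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<tenant-id>", "<application-id>", "<client-secret>"
    print(build_alerts_url("severity eq 'high'"))
    print(summarize_alerts(SAMPLE_PAGE["value"]))  # offline run over the constructed page
    # live = summarize_alerts(fetch_alerts(get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET), "severity eq 'high'"))
```

Keep the client secret out of source control (the add-on stores it in Splunk’s configuration for the same reason), and prefer a `$filter` that narrows by severity or provider on the server side rather than pulling every alert and filtering in Splunk.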

 

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Maximizing Your Security Posture with Azure ATP

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Our customers spend a lot of time and money on security solutions and very few of them are taking full advantage of the solutions they’ve deployed. Even fewer of them are deploying or maintaining these solutions correctly. Based on this it’s not surprising to see stats like “93% of all breaches could have been avoided if basic cyber hygiene had been in place” (Online Trust Alliance).

 

From my view, the industry and even our customers have been overly focused on finding technological solutions in the hope that they will address the people and process issues that are the root cause of so many incidents. Here at Microsoft we recognize that technology alone can’t solve the problem, so we’re increasingly focusing on delivering solutions that provide integrated capabilities on all three fronts.

 

Figure: Technology, People, Process

Microsoft Secure Score is a perfect example of this. With it we can help you take full advantage of the Microsoft 365 security solutions you’ve deployed while at the same time helping you validate that they’ve been configured correctly.

 

Using Microsoft Secure Score to Amp Your Security Posture for Identity

As you’re probably aware, when an organization suffers a cyber-attack, one of the first things attackers target is user identities. By brute forcing passwords and then using lateral movement techniques to move across an organization, attackers can achieve their targeted goals. This is where Azure ATP comes in.

 

Azure ATP constantly monitors your domain controllers for identity-based threats, attacks and security posture issues by capturing and parsing network traffic and leveraging Windows events. From here it then analyzes the data utilizing profiling, deterministic detection, machine learning and behavioral algorithms that enable it to learn your network, detect anomalies and warn you of suspicious activities.

 

To maximize Azure ATP’s potential to catch anomalous identity-related activities, and to lower your time to resolve them, Azure ATP must be fully configured. Microsoft Secure Score helps you verify this by surfacing a series of configuration checks.

 

Top 5 Most Impactful Improvement Actions to Prioritize

To maximize Azure ATP’s impact on your overall identity security posture, here are five improvement actions that many will find they can get done in a single day:

 

  1. Install Azure ATP Sensor on all Domain Controllers
  2. Set a honeytoken account
  3. Configure VPN integration
  4. Configure Microsoft Defender ATP Integration
  5. Fix Advanced Audit Policy issues

 

Install Azure ATP Sensor on all Domain Controllers

It may seem trivial, but our telemetry shows that in complex environments IT teams sometimes struggle to verify that all of their domain controllers are monitored by Azure ATP. This improvement action leverages Azure ATP’s knowledge of your network to pinpoint the domain controllers that you may have missed or that were added after Azure ATP’s initial setup. Make this the first Improvement Action to improve your security posture with Azure ATP.

Figure: Improvement action “Install Azure ATP Sensor on all Domain Controllers” in Microsoft Secure Score

 

Set a honeytoken account

Setting up one or more honeytoken accounts is a great way to help expose malicious actors. A honeytoken account, like one temptingly named “SuperAdmin”, is a real account that is used as bait to lure attackers into exposing their presence and activities. Any authentication attempt associated with these accounts will trigger an Azure ATP security alert, enabling you to catch attackers in the act.

Figure: Improvement action “Set a honeytoken account” in Microsoft Secure Score

 

Configure VPN integration

A user’s VPN-related activity can prove interesting for investigation purposes, and once the “Configure VPN integration” improvement action has been implemented your SecOps team will be armed with information that helps them expedite their incident response activities. Once configured, Azure ATP will start collecting VPN connection data (e.g. IP addresses and locations where connections originated), which is exposed in user profile pages within Azure ATP.

Figure: Improvement action “Configure VPN integration” in Microsoft Secure Score

 

Configure Microsoft Defender ATP Integration

Azure ATP integrates easily with Microsoft Defender ATP to provide a more end-to-end threat protection solution. Azure ATP monitors the traffic on your domain controllers, Microsoft Defender ATP monitors your endpoints, and together they provide an integrated protection experience. For example, Azure ATP will alert on remote execution of malicious code targeting domain controllers from a compromised device. From there an analyst can pivot to detailed device-level information from Microsoft Defender ATP that enables the analyst to determine where the malicious code came from, how it executed, etc.

Figure: Improvement action “Configure Microsoft Defender ATP Integration” in Microsoft Secure Score

 

Fix Advanced Audit Policy issues

Azure ATP detection relies on specific Windows Event Logs for visibility into a variety of scenarios, such as NTLM logons and security group modifications. To enable Azure ATP to monitor these events on your domain controllers the “success” and “failure” audit event options should be enabled in the Audit Credential Validation and Audit Security Group Management policies. These policies can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

 

Figure: Improvement action “Fix Advanced Audit Policy issues” in Microsoft Secure Score
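As an added check (not part of the original post and not Azure ATP’s own tooling), the following Python script parses the CSV that `auditpol /get /category:* /r` prints on a domain controller and reports which of the two subcategories named above still lack Success or Failure auditing, together with the `auditpol /set` commands that would close the gap on that host. SAMPLE_CSV is a constructed excerpt used to run it offline; `check_local_machine()` runs the real command on Windows.

```python
import csv
import io
import subprocess
import sys
from typing import Dict, List, Set

# The two Advanced Audit Policy subcategories the post calls out; Azure ATP
# wants both Success and Failure auditing on every domain controller.
REQUIRED: Dict[str, Set[str]] = {
    "Credential Validation": {"Success", "Failure"},
    "Security Group Management": {"Success", "Failure"},
}


def parse_auditpol_csv(text: str) -> Dict[str, Set[str]]:
    """Parse `auditpol /get /category:* /r` (CSV) into {subcategory: enabled settings}.
    The 'Inclusion Setting' column reads 'Success', 'Failure',
    'Success and Failure' or 'No Auditing'."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff").strip()))
    policy: Dict[str, Set[str]] = {}
    for row in reader:
        sub = (row.get("Subcategory") or "").strip()
        setting = (row.get("Inclusion Setting") or "").strip()
        if not sub:
            continue
        policy[sub] = {s for s in ("Success", "Failure") if s in setting}
    return policy


def find_gaps(policy: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {subcategory: settings still missing} for the required subcategories.
    A subcategory absent from the output counts as fully missing."""
    return {sub: needed - policy.get(sub, set())
            for sub, needed in REQUIRED.items()
            if needed - policy.get(sub, set())}


def remediation_commands(gaps: Dict[str, Set[str]]) -> List[str]:
    """auditpol commands that enable both settings for each gapped subcategory."""
    return [f'auditpol /set /subcategory:"{sub}" /success:enable /failure:enable'
            for sub in sorted(gaps)]


def check_local_machine() -> Dict[str, Set[str]]:
    """Run auditpol on this host (Windows only, elevated prompt) and report gaps."""
    if sys.platform != "win32":
        raise RuntimeError("auditpol.exe is only available on Windows")
    out = subprocess.run(["auditpol", "/get", "/category:*", "/r"],
                         capture_output=True, text=True, check=True).stdout
    return find_gaps(parse_auditpol_csv(out))


# Constructed excerpt of auditpol output for a DC with two gaps (not real output).
SAMPLE_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success,
DC01,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},No Auditing,
DC01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
"""


if __name__ == "__main__":
    gaps = find_gaps(parse_auditpol_csv(SAMPLE_CSV))
    for cmd in remediation_commands(gaps):
        print(cmd)
```

In a domain the durable fix is the Group Policy path the post names (Advanced Audit Policy Configuration on the domain controllers’ GPO); a local `auditpol /set` is overwritten at the next policy refresh, so treat the printed commands as a quick verification on one host and put the real change in the GPO.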

 

Wrapping It Up

So, there you have it – a quick tour of the top improvement actions for Azure ATP. As you can likely tell from the list, implementing them will have no negative impact on your users and each of them can be quickly enabled. Start using Microsoft Secure Score today to see how you can maximize your security posture and squeeze each and every ounce of capability out of your Microsoft 365 security solutions. More information on Azure ATP and Microsoft Secure Score can be found at Microsoft Docs (Azure ATP and Microsoft Secure Score).

 

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Microsoft Secure Score at Inspire: Partner Opportunities

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Last week was an exciting time in Las Vegas where we hosted our largest annual partner networking event for thousands of Microsoft Partners from more than 130 countries. This was particularly true for Microsoft Secure Score where we spoke to an audience of well over 100 partners to demonstrate how it can help them grow their businesses.

 

At Microsoft Inspire 2018, Microsoft Secure Score was a relatively new feature and many partners at the event were learning about it for the first time. Since then much has changed. Customer and Microsoft Partner awareness has reached critical mass and adoption and usage has ramped significantly.

 

New Microsoft Secure Score Location and Layout

Much of this occurred when Microsoft 365 security center reached general availability and became the new centralized experience for security administrators. This new console also became the new home for Microsoft Secure Score, which dramatically enhanced its discoverability. Prior to this change, the Microsoft Secure Score experience was several clicks deep in the Office 365 Security & Compliance portal. Below is a view of the new Microsoft 365 Security Center, which is where Microsoft Secure Score is now located.

 

Figure: Microsoft 365 Security Center

In addition, we released a completely revamped user experience in March 2019 to improve usability and create a more action-oriented experience for users. With these changes we saw utilization of Microsoft Secure Score triple by the end of April, and it’s continued to rise from there.

 

In the image below you’ll see the new Microsoft Secure Score interface. The product-based donut scores from before have been removed and we aligned its organization around the Microsoft Threat Protection model which includes five pillars: Identity, Data, Devices, Apps, and Infrastructure. This change was based on feedback from our customers and partners who wanted to see a more category-based approach instead of scores for each product (Office 365, Windows, etc.). In addition, summary views for History and Improvement Actions have been added to the main Overview page and then if you drill down into either of them you’ll find more significant changes to help you work more efficiently.

 

Figure: Microsoft Secure Score overview

 

The Microsoft Partner Opportunity

From a Microsoft Partner perspective, 2019 has been the year of adoption with many introducing Microsoft Secure Score into their programs, offerings, and tools. Some of these partners are listed below. One partner told us that they’ve used Secure Score to successfully drive cold call related lead quotes from 3% to 15% – a whopping 5X increase for them. Other partners have reported tremendous opportunities in security services work as a result of offering low cost Microsoft Secure Score assessments. As a result, often clients request to raise their secure score leading to additional licensing and services work to implement items such as data protection and smart phone management using product suites such as Microsoft 365.

 

Figure: Partners that have adopted Microsoft Secure Score

While your mileage may vary, what we know for certain is that customers are exhausted by the news and articles describing the latest cyber-security breaches. And while organizations eagerly continue their hunt for better preventative and incident response technologies they’re increasingly searching for new solutions after coming to terms with the fact that 93% of cyber security breaches are the result of failures in basic cyber hygiene (Online Trust Alliance). Based on this statistic, they are also looking for solutions that provide active insights and expert guidance to help them maintain cyber-hygiene and maximize their security posture.

 

Microsoft Secure Score is just such a tool and when a Microsoft Partner shows their clients how Microsoft Secure Score provides them with a methodical approach to help them achieve basic cyber hygiene it is a real eye opener for them. Clients are amazed to learn about the simple things they can do to immediately increase their security posture and avoid becoming tomorrow’s next news story.

 

Partner Enablement

Microsoft Secure Score provides a unique ability for those using the Microsoft Cloud to review, understand, and improve their own security posture. But there are many organizations who are unaware or who do not have the technical expertise to translate that knowledge into action. Many organizations are focused 100% on running their businesses and if their services seem to be working, they assume everything is fine.

 

This operational reality provides a large services opportunity for Microsoft Partners. By positioning Microsoft Secure Score as part of a low-cost security assessment, Microsoft Partners can advertise this as a service. As displayed in the Microsoft Secure Score portal, on average most organizations have a very low score and a long list of important recommendations they should prioritize. Based on this knowledge, a partner like you can engage with almost any customer knowing what the assessment will surface to the customer (i.e. a low score needing significant improvement). From here the value add you can offer customers is to provide them with a deeper level of explanation and knowledge, plans on how to address the top recommendations, and of course services to implement them. Through this engagement process, Microsoft partners are in a unique position to learn much more about the client environment, which will often lead to additional opportunities.

 

While Microsoft Partners have the option to develop a Microsoft Secure Score Assessment as a stand-alone offer, some partners already have an established Security Assessment offering using a variety of utilities and report generators. For partners like these we’ve seen them add Microsoft Secure Score to their existing assessments which has enabled them to surface additional opportunities for improvement. Others have utilized the Microsoft Secure Score API to extend the capabilities of their scanning utilities. Some Microsoft Managed Services Providers (MSP) now export their client Microsoft Secure Score and review it during normal quarterly meetings. These types of reviews open up doors for many opportunities, not to mention it becomes a strong reminder of how a client’s previously low score is now trending much better because of the Microsoft Partners efforts.

 

To assist Microsoft Partners with the design and marketing of a Microsoft Secure Score Assessment offer, we have designed a marketing template as a place to start and generate ideas. This marketing template is only an example and we highly encourage Microsoft Partners to customize it by adding their own differentiators. The marketing template is available here: aka.ms/SecureScoreOfferTemplate

 

In addition to developing and marketing a Microsoft Secure Score Assessment, we recommend that Microsoft Partners first evaluate their own Microsoft Secure Score. Consider the improvement actions you’d recommend implementing in your own environment. Understand why you’d implement some but not others. Finally, assess the impact of implementing each improvement action on your environment, your users and your business. This will help you generate a personal story that will help you assert why YOU’RE the best partner to provide this type of assessment service.

 

Partner Innovation

We’ve talked to a lot of partners about integrating Microsoft Secure Score into their offerings and we’ve been excited to see them using the Graph API to go beyond what we’ve offered natively.

 

QualityHosting is a perfect example of a partner that is using the Graph API to make it an even better solution, and it impressed us enough that we invited them to speak about it on stage at Inspire. When QualityHosting first saw Microsoft Secure Score they saw its potential, but they also quickly noticed that its user experience was designed for customers rather than partners. The specific challenge they noticed was that it didn’t enable them to monitor scores and implement improvements across more than one customer tenant at a time. With Quality Hosting’s Managed Security 365 multi-tenant service they solved this challenge for themselves and then productized the capability for other partners to take advantage of. More information on it can be found in the product video on their YouTube channel.

 

 

Figure: Quality Hosting’s Managed 365 Service

Enabling Technologies has incorporated a Microsoft Secure Score evaluation into its already well established and very successful SPARC security engagement program. This is their custom end-to-end security solution that focuses on Strategy, Policy, Awareness, Response, and Compliance with their clients. Discussions about their client’s Microsoft Secure Score has led many to request services to improve their security posture in the following areas just to name a few: securing iOS and Android devices with Intune, enabling multi-factor authentication on privileged accounts, etc. All have increased licenses sold, increased implementation services work, and further protected their clients from cyber risks.

 

Secure Score makes it easy for Agile IT to communicate the need, value, and impacts of its AgileSecurity program. Agile IT’s automation toolkit, combined with the Microsoft Graph API allows them to reach time-to-value and time-to-security faster, but it is Secure Score that tells the story with their clients. Simple visualizations help spur conversations with non-IT business decision makers, while its recommendations help them build prioritized roadmaps with IT leadership. The best part is that Secure Score provides impartial guidance since it is neither an Agile IT nor customer standard.

 

Upcoming Features

In addition to covering partner momentum, opportunities and new resources at our Inspire session, we also offered a sneak peek at some upcoming improvements that we will be releasing later this year. While the details are still being developed, the list below represents some of the key features Microsoft Partners and customers can look forward to:
  • Improved scoring system
  • Metrics and trends
  • Improved history and comparisons
  • Near real-time status
  • More action-oriented UX
  • and much more…
Below is a screen capture of one of the latest Microsoft Secure Score builds which, if you look closely, reveals a bit more than I mentioned above. The Microsoft Secure Score team will publish new blogs about the improvements as they reach General Availability (GA).

Figure: Screen capture of an upcoming Microsoft Secure Score build

Wrapping it up

So, there you have it – a quick recap of the Microsoft Secure Score session at Inspire.
If you are a partner that is new to Microsoft Secure Score, now is the time to learn more and start planning how to take advantage of it. Consider developing a Microsoft Secure Score offer using these resources, educating your sellers, and integrating a Secure Score evaluation into your customer meetings.
If you are a partner who has already integrated Microsoft Secure Score, we thank you for the support and feedback, all of which has helped shape the latest release and the features coming in the future. Be sure you are fully capitalizing on the business opportunity: make sure you have updated your offering and sellers with the latest changes released in March 2019, and then consider using the Graph API to provide innovative and differentiated offerings to your customers.
The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Empower security teams to easily report suspicious emails & content and receive instant feedback

One of the frequent requests we hear from Office 365 customers is the ability for security teams to easily report suspicious email messages or content to Microsoft and get feedback. Today I’m super excited to announce that we’re rolling out this capability to customers world-wide. This builds on a powerful capability Office 365 already supports – the ability for end users to report suspicious emails to their security teams and Microsoft. With the feature set we’re announcing today, security teams that want to defer reporting issues to Microsoft until after they have reviewed the messages themselves can now do so. What’s more – security teams can get immediate feedback on these submissions within the Office 365 Security and Compliance Center, dramatically reducing the time to investigate and respond to issues and take corrective actions.
One of Microsoft Threat Protection’s most important elements is the ability to secure email and collaboration services with Office 365 Advanced Threat Protection (ATP). Office 365 ATP’s strength of signal offers comprehensive and best-in-class protection against sophisticated, targeted and zero-day phishing and malware attacks. To give you a sense of the scale that we deal with, over the course of one year (2018) Office 365 ATP blocked 5 billion phish emails and analyzed 300k phish campaigns, protecting 4 million unique users from advanced threats. Analyzing such a huge amount of data helps continuously improve the machine learning algorithms, leading to the highest accuracy and effectiveness in the industry.

Figure: Phish email statistics from Office 365 from January 2018 to September 2018.

Figure: The impact to end users in 2018 from the enhanced anti-phish capabilities in Office 365

As proud as we are about the effectiveness offered by Office 365 ATP, we also know that no solution is 100% effective. For this reason, we also offer powerful feedback loops through which suspicious emails can be reported by end users to Microsoft to feed into the overall intelligence and continually improve the service to better protect customers.
End users can report suspicious messages they see in their inbox to Microsoft using the Report Message plug-in in Outlook and Outlook Web Access. Organizations’ security teams can also review these user-reported messages in the Office 365 Security and Compliance Center to better understand the attacks users are seeing and update their security policies.

Figure: Real-time report showing all user-submitted emails

From the SecOps perspective, these submissions form an important source of intelligence and can trigger investigation and remediation workflows to significantly reduce the time to detect and respond to an attack and therefore limit the scope of impact of an attack within the organization.
The Report Message plug-in is therefore an invaluable tool for users to flag suspicious content to not only their security teams, but directly to Microsoft as well. But some organizations don’t want their users to submit emails directly to Microsoft, as they may contain sensitive information. They want these submissions to first be reviewed by their security teams before being submitted to Microsoft.
Today we’re excited to announce that the email submission experience will now be available to security teams and admins from the same place where they review user-reported messages within the Office 365 Security and Compliance Center.
With this new capability, admins can easily submit emails and content, provide more details, and receive immediate feedback. The feedback provided by Microsoft also offers valuable insights into configurations that may have caused a false positive or a false negative, reducing the time to investigate issues and improving overall effectiveness.
With this new submission process, admins can:

  • Submit suspicious emails, files, and URLs to Microsoft for analysis
  • Receive immediate feedback on their submissions
  • Find and remove rules allowing malicious content into the tenant
  • Find and remove rules blocking good content from reaching the tenant

Here’s a quick run through of the experience. You can also learn more about it in our technical docs.
Step 1 – Log in to the Security and Compliance Center or the M365 Admin Center as a Global Admin, Security Admin, or Security Reader. Click on the ‘Submissions’ node under ‘Threat Management’. You will see all the end-user reported messages here under the ‘User Reported’ tab. To create a new admin submission from the portal, click the ‘New Admin Submission’ button on the top left.
Step 2 – Enter all the details related to the submission, such as submission type, recipients and reason for submission, and then submit.
Step 3 – Review the status of your submission. You can see the progress of the submission after it is submitted. You can also drill down into specific submissions and see what was submitted, what it was submitted as and the reason for submission, as well as what verdict was issued.
Step 4 – Take actions to fix the suggested configuration.
This can be a great tool to manage false positives and help fix configuration issues that may result in EOP/Office 365 ATP not performing optimally. In the future we’ll not only present the configuration-related issues but also automatically fix them.
To whom is it available?
All Office 365 customers will be able to use this feature. However, customers using Office 365 ATP will benefit most from it. Customers using third-party reporting tools can also use this capability.
As you look to implement this solution, it’s important to know it provides valuable data for more than Office 365 ATP. Microsoft Threat Protection services in general can leverage it to fine tune the machine learning algorithms and better protect, detect, and respond to threats across different threat vectors. Get started with an MTP trial if you want to experience the comprehensive and integrated protection Microsoft Threat Protection provides. Learn more about Microsoft Threat Protection by following our monthly blog series.

Announcing Security Policy Advisor Preview for Office 365 ProPlus

Today we are pleased to announce the preview of Security Policy Advisor, a new service that can help enterprises improve the security of Office 365 ProPlus clients in their organization.
Office provides a rich set of security policies that allow administrators to customize the security of their Office applications to help meet their enterprise’s security needs. Administrators have traditionally relied on published guidance like security baselines or their own analysis to come up with the set of security policies they need to enforce. In such instances, the burden falls on the administrator to determine whether a security policy is right for their enterprise and will not adversely affect user productivity.
Security Policy Advisor enables IT admins who have deployed Office 365 ProPlus to manage the security of their Office applications with confidence by providing the following capabilities:
  • Tailored recommendations for specific security policies that can provide a high value in helping to raise the overall security posture of an enterprise and helping to protect against contemporary attacks.
  • Rich data insights on security and productivity impact of applying a policy recommendation that can help admins weigh the benefit vs. risk of applying a policy and make a data-informed decision.
  • One-click deployment of policies to end users through the recently released Office cloud policy service that enables admins to enforce Office policies straight from the cloud to any Office 365 ProPlus client without requiring on-premises infrastructure or MDM services.
  • Monitoring and reporting on policy impact that allows an admin to have visibility into how a security policy recommendation is affecting users without having to wait to hear from them.
This service is now available as a preview in English (en-us) and will be available in additional locales in the coming weeks. If you are an administrator of an organization that has deployed Office 365 ProPlus, you can start using this service by signing into the Office client management portal, turning on Security Policy Advisor and creating Office cloud policy configurations.  For each policy configuration you create and assign to a group of users, Security Policy Advisor will generate recommendations with supporting data that you can review and deploy to users as a policy. Once you have applied a policy, you can continue to monitor its ongoing impact on users through the management portal.
For additional documentation on how to use this new policy service and its capabilities please refer to this document: Overview of the Security Policy Advisor (Preview) for Office 365 ProPlus.
As you evaluate this preview, please provide feedback using the feedback button (in the upper right corner) to help us improve Security Policy Advisor. We look forward to hearing from you!
FAQ:
Note:  Please refer to our documentation for the most up to date information.
What are the prerequisites to start using Security Policy Advisor?

To start using Security Policy Advisor, your enterprise must meet the following prerequisites:

  1. Must be using the Office cloud policy service and meet all the requirements for that service
  2. Office 365 ProPlus apps on the latest Monthly (1904) channel release deployed and being used by users in your organization.
  3. To create the recommendations and insights, Security Policy Advisor relies on necessary service data from Office 365 ProPlus. For more information, see Necessary service data for Office.
  4. Office 365 ProPlus clients must be able to communicate back to Microsoft. Specifically, they need access to the Office 365 URLs and IP addresses for all Office 365 services and clients published here: Office 365 URLs and IP address ranges.

Note: If you are creating a brand new enterprise subscription in Office 365, please wait at least 24 hours for the service to detect your subscription before trying to use Security Policy Advisor.
How does this relate to a security baseline?

Security baselines are a great starting point for enterprises to configure their applications for security. Office has a published baseline for Office 2016 and Office 365 ProPlus applications.
A security baseline is generic best practice guidance that ultimately needs to be consumed and customized for your enterprise to balance your security and productivity goals. You can use Office cloud policy service to apply the user level policies recommended in the Office security baseline.  Security Policy Advisor complements a security baseline by providing custom recommendations for specific policies that are tailored to your enterprise, helping you to choose the most secure policy that has the least impact on productivity for your organization.
How are the recommendations, productivity and security impact insights generated?

Security Policy Advisor uses the following data to generate recommendations and associated data insights on productivity and security impact:

  1. To create the recommendations and productivity insights, Security Policy Advisor relies on necessary service data from Office 365 ProPlus. For more information, see Necessary service data for Office.
  2. If your organization has Office 365 Advanced Threat Protection Plan 2, then Security Policy Advisor can use data from this service to provide insights on recommended policies. These insights will be based on threats that have been detected and stopped by Advanced Threat Protection. For more details on Office 365 Advanced Threat Protection, see Office 365 threat investigation and response.

For more details, please refer to our documentation.
What happens when I turn off Security Policy Advisor?

When you turn off Security Policy Advisor, usage and threat data from your organization are no longer analyzed and no recommendations or insights will be generated. 
Admins can control the data collected from their clients using the new privacy controls supported by Office apps. More details are available here: Overview of privacy controls for Office 365 ProPlus.
What happens if I do not have Office 365 Threat Investigation and Response (via ATP Plan 2)?

If your organization has Office Threat Investigation and Response (via ATP Plan 2), Security Policy Advisor can use data from this service to provide you with information on threats detected and stopped by ATP that the recommended policy can help protect against. This is a great way to quantify the actual risk to your organization when you consider applying a recommendation.
If your organization does not have ATP Plan 2, no problem: Security Policy Advisor will still show you information on the productivity impact, which is helpful in assessing and monitoring the impact on end users when applying recommendations.
Which admin roles are allowed to view recommendations and configure policies?

Only the Global Admin, Security Admin or Desktop Analytics Admin (private preview) roles are allowed access to create or view policy configurations.

How we’re helping our ecosystem build more connected security solutions

Microsoft offers a number of solutions for developers to build connected security applications. We know that figuring out how to get started using these tools can be challenging. To make it easier for developers, we recently published a developer’s guide to help!
If you’re a developer, architect, or tool smith at a large enterprise, independent software vendor (ISV), managed security services provider (MSSP), or a system integrator (SI), check out the new developer guide to building connected security solutions.
This guide provides an introduction to the Microsoft APIs, services, and communities available to security developers. In addition, the guide offers detailed guidance on when and how to use each – what technology and integration option best aligns with your desired scenario and application type with links to different types of samples.
Download the free guide today! Share your feedback by filing a GitHub issue in the SecurityDev repo.
