A lot of talk but little action on cyber security

pexels-gezer-amorim-2293558

I attended a recent IT Professionals User Group meeting that featured yet another presentation by yet another ‘security’ vendor. Maybe I’m missing the point of these types of presentations but I didn’t feel it moved the needle in any meaningful way when it comes to cyber security. I wish I could get that time back I’ll be honest.

I’m finding that continual disappointment a lot if I’m honest. There is lots of talk but very little meaningful action when it comes to cyber security. Most of the focus of cyber security seems to be continually placed solely on how bad things are and this is probably more to aid in selling ‘product’ than it is in really providing real meaningful solutions. That, is a bad thing.

It is unfortunate that the whole ‘cybersecurity’ space is now seen as a revenue opportunity rather than a problem to be solved. Fear is probably the cheapest and easiest method of selling something and I see it in full swing where ever I go these days. There is no doubt that fear gets people’s attention, but fear alone does not solve the problem. Fear is an emotion not an action.

Good cyber security doesn’t need more bells, whistles and bright shiny objects, it needs people to implement and adhere to best practices and star using what they have already. Rarely does adding anything ‘more’ solve a problem because typically, more is simply a way to avoid addressing the actual root cause of the problem and making hard choices that need to be made. It is merely a way to be distracted from doing the ‘hard yards’ that implementing and adhering to best practices requires.

The amount of time, money, blood, sweat, PowerPoint slides and tears I see being utterly wasted on inconsequential approaches to cyber security utterly amazes me. Just when I think it can’t get it any worse, it does. It is no co-incidence, I would suggest, that as this wasted effort increases so to does the actual damage that cyber security incidents realise. Co-incidence? I think not! Why? All talk, no action.

Yes, there is no doubt, by any measure there is an issue. However, there isn’t a need to keep telling me this over and over and over again in the vain hope that I’ll buy some quantity of your magic cyber security snake oil remedy that in all honesty will just complicate things and rarely aid in help solve the problem. Work with what you have access to first, then seek to add more. Security starts with simplicity.

If you haven’t worked it out already, people are the problem when it comes to cyber security. Simple. The methodology and the tools to solve the problem are already available. Yet they largely lie under implemented and under utilised because of the human consequence from the lure from the next bright shiny object peddled by those regurgitating familiar statistics but with different slide decks.

Perhaps it’s just the old world engineer in me, out of touch with greater humanity, and that may be true. However, it doesn’t mean I’m wrong!

Stop trying to buy your way to peak cyber security and start doing the work. It is that simple. And guess what? All the stuff you need to improve cyber security is probably already available to you and is laying around neglected. The missing key ingredient is nothing more than effort expenditure. We’ll never solve the cyber security problem without effort and I think this quote from Edison is quite apt here:

Opportunity is missed by most people because it is dressed in overalls and looks like work

I will never claim that cyber security is easy. What I will however claim, is that there is so you much you can and should be doing but you aren’t. Everyone that is. From the business owner to the IT Professional to the government and beyond, let’s focus on solving the problem rather than simply using it as a topic of conversation or a method of sales conversion. Let your actions speak louder than your words when it comes to cyber security.

Checking Microsoft 365 Email Forwarding using PowerShell

A typical tactic after a business email compromise event is the creation of email forwarding rules using any one, or more, of these methods by an attacker:

Use rules in Outlook Web App to automatically forward messages to another account

Client rules

Sweep

It is therefore good practice to regularly check and verify the email forwarding rules inside your Microsoft 365 environment.

I have created a free PowerShell script exactly for this purpose, which you can find here:

Office365/o365-exo-fwd-chk.ps1 at master · directorcia/Office365 · GitHub

and the video:

https://www.youtube.com/watch?v=Oqk_yd6U3bk&t=16s

will provide a walk through of its execution.

The extra value that many have missed with Microsoft Defender for Business

If you haven’t heard, Microsoft has announced a new version of Defender for Endpoint called Defender for Business. Even better, its going to include Defender for Business in Microsoft 365 Business Premium for free:

“Included as part of Microsoft 365 Business Premium”

This is great news, and the feature set is amazing and all for free, BUT I think most people have overlooked what I would consider the best feature of the new Defender for Business.

Most traditional Managed Service Providers (MSPs) manage endpoints (devices) using a Remote Management and Monitoring tool (RMM) that they need to install on devices, typically only on PCs and not mobile devices like iPhones. Such RMM tools, from third parties, have been subject to successful supply chain attacks as well.

What most have over looked with Defender for Business is that the agent it installs on devices (including iOS and Android I will add) acts in many ways like an RMM agent but provide far more functionality.

An example of why is if you have a look at the free data sources for Azure Sentinel you’ll notice the following:

SecurityIncident – Free

SecurityAlert – Free

DeviceEvents- Paid

DeviceFileEvents – Paid

DeviceImageLoadEvents – Paid

DeviceInfo – Paid

DeviceLogonEvents – Paid

DeviceNetworkEvents – Paid

DeviceNetworkInfo – Paid

DeviceProcessEvents – Paid

DeviceRegistryEvents – Paid

DeviceFileCertificateInfo – Paid

The point is not whether they are free or not, the point is that the Defender for Business is capturing all that device information and feeding it into a centralised cloud dashboard (Sentinel).

Remember, that one of the key things about Sentinel is that you can create customised reports and queries based on the data you ingest. In my case, as an example,

image

I’ve created multiple custom dashboards from this data to report things like device CPU usage and disk space (above), much like a third party RMM tool BUT WITHOUT the need for a third party RMM tool!

image

This is because that log data from the device is now available in a centralised location where it can be reported, queried and displayed just about any way you wish!

The Defender for Business agent on devices also makes Microsoft Defender for Cloud Apps (new name for Microsoft Cloud App Security), especially Cloud App Discovery, even more powerful because it now has much greater visibility into the applications and their traffic than before thanks to the Defender for Business agent. Per Set up Cloud Discovery:

  • Microsoft Defender for Endpoint integration: Cloud App Security integrates with Defender for Endpoint natively, to simplify rollout of Cloud Discovery, extend Cloud Discovery capabilities beyond your corporate network, and enable machine-based investigation.

On its own, Cloud App Security collects logs from your endpoints using either logs you upload or by configuring automatic log upload. Native integration enables you to take advantage of the logs Defender for Endpoint’s agent creates when it runs on Windows and monitors network transactions. Use this information for Shadow IT discovery across the Windows devices on your network.

Without doubt, Defender for Business has massively improved the security capabilities for Microsoft 365 Business Premium with its inclusion. However, I would contend that it has achieved just as much with the reporting capabilities now available, especially when combined with Cloud App Discovery (which is included in Microsoft 365 Business as well) and Microsoft Sentinel.

The way I see it, Microsoft has just provided TWICE the capability and value by adding Defender for Business to Microsoft 365 Business Premium, yet I don’t think many appreciate that yet.

All the Defenders–Update 2

knight

This is an update to the last update about Defender products here:

All the Defenders – Updated

To start off with there are products that are considered ‘Window Defender’ products, although I see the Windows and Microsoft brand intermingled regularly. Here is a list of specific ‘Windows Defender’ products, typically tied to Windows 10 devices, and typically only available with Windows 10 Enterprise but not always:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – Automatically applies a number of exploit mitigation techniques to operating system processes and apps.

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Windows Defender Credential Guard –  Uses virtualization-based security to isolate secrets so that only privileged system software can access them.

Windows Defender System Guard – Reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:

  • Protect and maintain the integrity of the system as it starts up
  • Validate that system integrity has truly been maintained through local and remote attestation

In contrast, here are the ‘Microsoft Defender’ products many of which have been re-branded lately:

Microsoft 365 Defender – (over arching service which includes other Defender services) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Microsoft Defender for Office 365 – (previously Office 365 ATP) Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

Microsoft Defender for Identity – (previously Azure ATP) Cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender for Cloud – (previously Azure Defender) Provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more. It includes:

Microsoft Defender for Endpoint – (previously Defender ATP) an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats especially on user devices like desktops, laptops and mobiles.

thumbnail image 3 captioned Comparison between Microsoft Defender for Endpoint P1 and P2 capabilities. Microsoft Threat Experts includes Targeted Attack Notifications (TAN) and Experts on Demand (EOD). Customers must apply for TAN and EOD is available for purchase as an add-on.

thumbnail image 10 captioned Microsoft Defender for Endpoint P1 capabilities are offered as a standalone license or as part of Microsoft 365 E3.

There is a Microsoft for Defender P1 and P2 plan. information on the comparison of the two plans can be found here – Compare Microsoft Defender for Endpoint Plan 1 (preview) to Plan 2.

Microsoft Defender for Business – A new endpoint security solution that’s coming soon in preview. Microsoft Defender for Business is specially built to bring enterprise-grade endpoint security to businesses with up to 300 employees, in a solution that is easy-to-use and cost-effective. See Introducing Microsoft Defender for Business for more information.

Microsoft Defender Smart screen – Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.

Microsoft Defender Browser Protection –  a non Microsoft browser extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

Microsoft Defender for Cloud Apps – (previously Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

So, as you can see, there are quite a lot of ‘Defender’ products out there from Microsoft.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!

Need to Know podcast–Episode 277

In this episode I speak with ex-Microsoftie and now founder of Partner Elevate around the state of the partner channel and the alignment of incentives and campaigns for the modern workplace. I also bring you right up to date on the eve of Microsoft Ignite on exactly what’s the latest with the Microsoft Cloud.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-277-des-russell/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Des Russell – Linkedin, Partner Elevate, Email – desmond@partnerelevate.com

Web version of Visual Studio Code

Microsoft now the most valuable company

Recent Microsoft earnings

What’s new in Teams for October 2021

Web content filtering is now GA

Manage All Your Surface Devices in a Single Portal

Autofill your addresses and payment info with Microsoft Authenticator

NOBELIUM targeting delegated administrative privileges to facilitate broader attacks

CIAOPS Need to Know Microsoft 365 Webinar – November

laptop-eyes-technology-computer

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at working with Microsoft Lists in your environment.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite! Yeah Teams webinars.

You can register for the regular monthly webinar here:

November Webinar Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2111 – into your browser)

The details are:

CIAOPS Need to Know Webinar – November 2021
Friday 19th of November 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.