Category: Azure

CIAOPS Need to Know Microsoft 365 Webinar – December

laptop-eyes-technology-computer

Join me for the free monthly CIAOPS Need to Know webinar and the last for 2021. Along with all the Microsoft Cloud news we’ll be taking a look at working with Microsoft Azure in your environment.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite! Yeah Teams webinars.

You can register for the regular monthly webinar here:

December Webinar Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2112 – into your browser)

The details are:

CIAOPS Need to Know Webinar – December 2021
Friday 24th of December 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Basic Azure Virtual Desktop (AVD) – Remote App setup

In a recent video I set up an Azure Virtual Desktop (AVD) environment. That showed how to create an Application Desktop. The above video now shows you how to extend that environment to include a Remote App into the same user Workspace. The Remote App capability allows you to publish just a hosted application for users rather that a whole desktop. This makes it easy to host virtual applications for additional security and cost reduction.

A direct link to the video can be found here:

Basic Azure Virtual Desktop (AVD) – Remote App setup – YouTube

All the Defenders–Update 2

knight

This is an update to the last update about Defender products here:

All the Defenders – Updated

To start off with there are products that are considered ‘Window Defender’ products, although I see the Windows and Microsoft brand intermingled regularly. Here is a list of specific ‘Windows Defender’ products, typically tied to Windows 10 devices, and typically only available with Windows 10 Enterprise but not always:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – Automatically applies a number of exploit mitigation techniques to operating system processes and apps.

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Windows Defender Credential Guard –  Uses virtualization-based security to isolate secrets so that only privileged system software can access them.

Windows Defender System Guard – Reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:

  • Protect and maintain the integrity of the system as it starts up
  • Validate that system integrity has truly been maintained through local and remote attestation

In contrast, here are the ‘Microsoft Defender’ products many of which have been re-branded lately:

Microsoft 365 Defender – (over arching service which includes other Defender services) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Microsoft Defender for Office 365 – (previously Office 365 ATP) Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

Microsoft Defender for Identity – (previously Azure ATP) Cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender for Cloud – (previously Azure Defender) Provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more. It includes:

Microsoft Defender for Endpoint – (previously Defender ATP) an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats especially on user devices like desktops, laptops and mobiles.

thumbnail image 3 captioned Comparison between Microsoft Defender for Endpoint P1 and P2 capabilities. Microsoft Threat Experts includes Targeted Attack Notifications (TAN) and Experts on Demand (EOD). Customers must apply for TAN and EOD is available for purchase as an add-on.

thumbnail image 10 captioned Microsoft Defender for Endpoint P1 capabilities are offered as a standalone license or as part of Microsoft 365 E3.

There is a Microsoft for Defender P1 and P2 plan. information on the comparison of the two plans can be found here – Compare Microsoft Defender for Endpoint Plan 1 (preview) to Plan 2.

Microsoft Defender for Business – A new endpoint security solution that’s coming soon in preview. Microsoft Defender for Business is specially built to bring enterprise-grade endpoint security to businesses with up to 300 employees, in a solution that is easy-to-use and cost-effective. See Introducing Microsoft Defender for Business for more information.

Microsoft Defender Smart screen – Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.

Microsoft Defender Browser Protection –  a non Microsoft browser extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

Microsoft Defender for Cloud Apps – (previously Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

So, as you can see, there are quite a lot of ‘Defender’ products out there from Microsoft.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!

Need to Know podcast–Episode 275

Join for an episode with MVP Rory Braybrook where we learn more about modern identities, especially Azure including B2B and B2C. Identity is so critical to everything we do in IT these days it is important to have a refresher to understand what’s what and how it can be used effectively. I’ll also bring you the latest news and updates from the Microsoft cloud world so listen in and share your feedback.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-275-rory-braybrook/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Rory Braybrook – LinkedIn, Authory

Windows 11: A new era for the PC begins today

Welcome to the new Whiteboard

Mailbox storage limits

Microsoft Ignite

How cyberattacks are changing according to new Microsoft Digital Defense Report

Microsoft Digital Defense Report

Defending Windows Server 2012 R2 and 2016

Add TAXII threat intelligence feeds to Azure Sentinel

image

There a public threat intelligence feeds available that Azure Sentinel can take advantage of. Think of these as providing information around entities that represent threats such as compromised IP addresses, botnet domains and so on. Typically, these feeds will support the TAXII connector inside Azure Sentinel.

Select the Data connectors option from the Azure Sentinel menu on the left. Next search for TAXII. Finally, select Threat Intelligence as shown above, then the Open connector page in the lower right.

image

On the right hand side of the page, you see the Configuration area as shown above. Here you’ll require information on the following items:

– API root URL

– Collection ID

– Username

– Password

If you have a look at the bottom of this article:

Connect Azure Sentinel to STIX/TAXII threat intelligence feeds

you’ll find the details for the free Anomali Limo threat feed, which is:

– API root URL = https://limo.anomali.com/api/v1/taxii2/feeds/

– Collection ID = see list in article (i.e. 107, 135, 136, etc)

For the username and password of all these feeds use:

guest

image

Complete the details for each Collection ID, like what is shown above. When you have completed each feed select the Add button.

image

The feed will be validated and if successful, an alert will confirm this at the top of the page as shown above.

image

The entered feed will appear in a list at the bottom of the page. At this point, feed information will start flowing into your environment depending on the Polling Frequency you selected for the feed.

image

Once the feed has started to import data select the Threat intelligence from the main Sentinel menu as shown above. You should see a range of entries. These entries can now be utilised throughout your Sentinel environment. This is detailed here:

Work with threat indicators in Azure Sentinel

image

This data is stored in a table called ThreatIntelligenceIndicator as shown above, which can be used directly in hunting queries.

Keep in mind that any threat indicator data incurs an ingestion and data storage cost. However, this is not a great amount and the value they provide is well worth that minor cost. You can track threat indicator costs using workbooks that Sentinel provides. You can add more feeds if you wish and details about what is available can be found at:

Threat intelligence integration in Azure Sentinel

Having additional threat data provides more signal information for Sentinel when it examines your environment. If information from these threat indicators is detected in your environment, then alerts will be generated. For a small ingest and storage cost having these threat indicators flow into your Sentinel environment provided a huge amount of value and increase your security.

Testing for CVE-2021-40444 vulnerability

There are current concerns around:

Microsoft MSHTML Remote Code Execution Vulnerability

which is yet to have a patch made available.

I found this excellent article:

CLICK ME IF YOU CAN, OFFICE SOCIAL ENGINEERING WITH EMBEDDED OBJECTS

which provide some PowerShell scripts to create Word documents that can be used to test for the vulnerability.

I have run these scripts to create the actual Word documents and uploaded them for you here:

Office365/example at master · directorcia/Office365 (github.com)

2021-09-11_10-21-14

In both cases, when you open these documents, you should NOT be able to get CALC.EXE to execute on your system unlike what you see above and below.

test2-screen

I have also added these tests to my security testing script which you can download from my GitHub repo here:

Office365/sec-test.ps1 at master · directorcia/Office365 (github.com)

image

When I opened these documents in my production environment, the vulnerability was largely blocked thanks to Windows ASR which I have detailed previously:

Attack surface reduction for Windows 10

You can use the follow KQL query as I did above to view the result of this blocking if you are using something like Azure Sentinel like I am:

Another great security add on for Microsoft 365

KQL:

DeviceEvents
| where ActionType startswith ‘Asr’

Cybercrime reporting poll

pexels-donald-tong-143580

I’ve created an anonymous public poll asking the question:

Are you reporting cybercrime incidents, like ransomware, to government or police authorities?

which is here:

https://forms.office.com/r/mENdwmaXRj

as the results rolling you can see the summary here:

http://bit.ly/ciapoll01

I’m interested to see what people are doing when it comes to reporting incidents to authorities?