Tag: Security

Need to Know podcast–Episode 224

Our last episode for 2019. Thanks for all your support. Before Brenton speaks with Patrick Gray from the Risky Business podcast, I share my thoughts on technology for 2020. Firstly, I give you my wishes for Microsoft 365 Business. Then, I highlight what I believe is the specific Microsoft Cloud tech you should be paying attention to in 2020. Finally, I talk about some general tech trends to pay attention to and break down for your business for the new year. let us know your thoughts for 2020 via our various feedback options.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-224-patrick-gray/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Risky Business

@riskybusiness

@contactbrenton

@diirectorcia

Need to Know podcast–Episode 222

I’m joined by Stephen Rose, Senior Product Marketing Manager for Microsoft 365, to speak about everything Microsoft 365. Stephen explains what the products is all about, how it can help businesses and the direction that the technology is taking off the back of many announcements from Ignite. Of course, Brenton is also here and we bring you up to date on all the latest Microsoft Cloud news before some of us head off for a Christmas break. Fear not! The episodes will continue even in the face of absenteeism. All the best to all our loyal listeners for the holidays season. We appreciate your support and look forward to providing you more information in 2020.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-222-stephen-rose/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@stephenlrose

@contactbrenton

@directorcia

Stephens’ presentation from Ignite 2019 around adoption

CIAOPS Patron Community

Ignite the Tour Sydney

CIAOPS Techwerks 10

Microsoft Teams now available on Linux

Microsoft Integrated Threat Protection

Campaign views in Office 365 ATP

Windows VM now support Azure AD authentication

Native support for WebAuthn and FIDO for iOS

Preview of Azure spot machines

What’s new in Microsoft Forms

Beazley Breach insights

Blocking macros with Intune

Licensing guidance

Remove known bad emails from tenant

Microsoft has a technology in Exchange Online known as ZAP. It will basically move known malicious emails, even after they may have initially been delivered to a mailbox. You can read more about the the technology here:

Zero-hour auto purge protection against spam and malware

ZAP however, is a ‘reactive’ security technology requiring knowledge of malicious content prior to taking action. There will therefore be cases when malicious content can get delivered to a mailbox, especially if the attack is relative new in the wild, simply because it has not yet been identified.  Hopefully, users have been trained so they can report any suspicious material that they do find, as I have detailed here:

Improved security is a shared responsibility

You can also enable an alert that notifies when someone reports an email. When that happens, you may want to check through all the other mailboxes to see whether that malicious email occurs elsewhere. If the payload is indeed malicious, you may wish to take the pro-active step of deleting that bad email from all users inboxes.

You can achieve this using two steps:

1. Create a content search to locate the suspect item in your tenant

2. Use PowerShell to delete the discovered items

Step one is to login to the Microsoft 365 tenant as an administrator and visit the Security and Compliance Center like so:

image

Select Content Search from under the Search option on the left.

Before you create a new search, you’ll need to find something unique about the item you are searching for.

image

In the case above, with this dodgy email, I’ll do a search based on the senders email but I could as easily do one on the mis-spelled subject ‘Alart’. All you need is something unique.

image

If I look in my inbox I can see this email listed as shown.

image

I create a new Content Search and use the unique criteria in the keywords as shown above.

image

Below this I can limit where the search is conducted. In this case, I will specify messages, as that is what I am looking for. You can get quite granular here if you need to. Just select Modify and specify the location you wish to search. Remember, the more places you search the longer it will take to return results.

image

Once you have crafted your search, select Save & run in the lower left. After a short while, you should see the results. In this case, I have only found the one result, which is the item in my inbox. Make sure you check the items that are returned as it is these items that will be deleted! You may need to adjust your search to get exactly the results you wish.

Next, you’ll need to fire up PowerShell and connect to the Microsoft Security and Compliance Center for you tenant. I have a script that you can use here if you have MFA:

https://github.com/directorcia/Office365/blob/master/o365-connect-mfa-sac.ps1

and if you don’t (shame on you):

https://github.com/directorcia/Office365/blob/master/o365-connect-sac.ps1

Once you have successfully connected you need to run the following line of PowerShell:

New-ComplianceSearchAction -SearchName “<Content search query name>” -Purge -PurgeType SoftDelete

for a ‘soft delete’ of the item (i.e. recoverable). Or

New-ComplianceSearchAction -SearchName “<Content search query name>” -Purge -PurgeType HardDelete

for a ‘hard delete’ (i.e. non-recoverable). You’ll also need to change <Content search query name> to match the name you gave the Content Search when you created it.

image

You should now see a prompt, as shown above, asking you to confirm your actions. Generally, you’ll select Yes to All here.

image

This will kick off the process of deleting the content you have found. Note, this process is not immediate. It may take a little while to work through all the locations.

image

When the process is complete, as shown above, that item no longer appears in mailboxes.

That’s how you run your own ZAP!

CIAOPS Need to Know Microsoft 365 Webinar–December

laptop-eyes-technology-computer

We are going to round off 2019 by taking a deep dive into Microsoft 365 Security. what should you be doing? What should you be checking? What is available and more. Not something you want to miss if you want to ensure you are doing everything possible to secure your information. there will also be the latest updates plus Q and A as well. Still lots happening in the Microsoft Cloud world, so join me for the final webinar of the year.

You can register for the regular monthly webinar here:

December Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – December 2019
Tuesday 24th of December  2019
10.30am – 11.30am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Bad guys keep winning (Part V)

image

The above amazing slide is from the recent Microsoft Ignite 2019 session – SECI20 – Shut the door to cybercrime with identity-driven security.

This means that vast majority of Microsoft Cloud tenants DO NOT have their admin account secured via MFA. You could understand maybe 5 or 10 percentage as ‘break glass’ style accounts but 92%??

Would you not say that in the past year we, as a society, have become MORE dependent on technology? I know many business can’t run a business without technology but not enabling simple protective measure like this is simply amazing! It also makes you wonder at how much else is not secured appropriately? I think saying that 92% of ALL IT installations are not appropriately secured would not be far wrong.

The good news is that, if you take the time to implement things like MFA, you are more secure than 92% of systems out there. Given that bad guys go after the easiest target (law of the jungle), it kinda makes you less susceptible. Sad but true, that there are plenty of victims out there just waiting to happen!

I’m sure there is a lot of finger pointing that can be had as to who is responsible and who needs to do what, however all that is irrelevant as it simply means the bad guys are rubbing their hands together as the 92% vacillates over implementing what really should be mandatory!

Keep calm and Twitter

Generally, the cloud is pretty reliable. However, it is not perfect and there will be downtimes and outages. Just because you move your information to the cloud doesn’t mean that you abdicate your responsibilities for it. Disaster planning is as important in the cloud as it is on prem.

image

The first place to start if you are having issues with what you believe to be related to Microsoft 365 is the Microsoft 365 Service Health page shown above, which can be found at:

https://portal.office.com/adminportal/home#/servicehealth

Of course, if you are unable to access your tenant for any reason, then you’ll have to try another resource.

image

Your next point of call should be the Office 365 status page here and shown above:

https://status.office365.com/

This is fairly generic and also just links back to the Service Health in your own portal. However there maybe information here around any wider scale issues so it is always worthwhile checking.

image

Next, you should follow the @MSFT365Status Twitter account as shown above. Here you’ll find information posted that is on infrastructure outside Microsoft’s. You can also communicate with this account if you need to.

image

You can also find an Azure Status page at:

https://status.azure.com/en-us/status

Given that many Microsoft 365 services are built on Azure, it is another area that may give you some insight.

image

There is also an Azure support Twitter account @azuresupport that will post information concerning issues and something you can also interact with if you need to.

There are also numerous third party services that will track whether a web site active.

Finally, a good approach is also to do a search across Twitter to see whether others are also having similar issues. People tend to be pretty vocal on social media when they are inconvenienced, so that should a source of both good and bad information.

As Noah knows, you prepare for the flood BEFORE it rains. In the event of cloud issues, how will you know the extent of the issues and where will you get good information? For me, that source has typically been Twitter as the major source. You do have to filter those results a tad to get helpful information there, but that is the nature of social media.

In short, you need a plan. Take my advice and start monitoring Twitter to get a better idea of what might be happening beyond your own screen.

Another great security add on for Microsoft 365

Previously, I have spoken about Cloud App Security being a ‘must have’ add on for any Microsoft 365 environment:

A great security add on for Microsoft 365

I now believe that the next ‘must have’ security add on you should integrate with your tenant is Azure Sentinel.

image

In a nutshell, Azure Sentinel will allow you to monitor, alert and report on you all you logs from just about any location, whether on prem or in the cloud.

image

Once you have created the Sentinel service and assigned it a log workspace, the first place to go is to the Connectors option as shown above.

Here you can connect up your services. There is a huge range of options from Office 365, Azure, on prem and third parties like AWS, At a minimum I would suggest you connect up your Azure and Office 365 services.

image

Next, go to the Analytics option, then select Rule templates from those available. These rules are basically queries across your data sources from your connectors. Add in the rules that make the most sense for your environment.

image

As you create these rules you be stepped through a wizard as shown above.

image

The Set rule logic step allows you to define the rule based on the data being received. You will notice there are lots of options. The great thing about using the templates is that this is already done for you but you can certainly modify these or create your own.

image

The real power of Azure Sentinel lies in the Automated response step shown above. Here you define what actions will be taken when a alert is generated by the rule. This means that you can have something automatically execute when an alert happen. This could be a remediation process, advanced alerting and more. This allows the response action to threat to be immediate and customisable.

image

Next, go into the Workbook options as shown and then the Templates area and add all the options that make sense.

image

A workbook is basically an interactive dashboard where you can graphically query and report on data as shown above.

image

When rules are triggered they will appear as Incidents that you investigate as shown above.

image

You’ll be able to explore incidents in greater depth using the graphical explorer as shown above.

image

Good security is about being pro-active and Azure Sentinel gives you this via the Hunting option as shown above. This allows you to run standard queries against the data to discover items that may need further investigation and analysis. Note the option highlighted here that allows you to Run all queries at the touch of button. This is yet another hugely powerful option as you can now ‘hunt’ across all your information so quickly. Show me another tool that can do this for both cloud and on prem?

image

There are lots more features, but by now you are probably wondering what the costs are? As you can see from above, they are based on storage and you can reserve a storage size to suit your needs. However, you can also opt, as I have, for a pay as you go option.

image

This means the Azure Sentinel cost to analyse all my data is AUD$3.99 per GB of data and

image

on the pay as you go plan I also need to factor in data ingestion, which is shown above in AUD$. Note that you get 5GB of data ingestion free per month. After that, I’d be paying AUD$4.586 per GB.

image

As you can see from the above usage figures I am no where near the 5GB ingestion limit, so all I am currently paying for just Azure Sentinel analysis.

The amount of data you ingest and analyse will depend on the services you connect and well as things like data retention periods. All of these can be adjusted to suit your needs. There are also many other Azure pricing tools you can use to control your spend. However, if you are concerned about running up an excessive bill, just connect and few services and scale from there.

In my case, I have logs from Microsoft 365 Cloud services, Azure, on premises machine monitoring, Defender ATP and more all going into Sentinel. Basically, everything I can, is going in there and the costs remain low.

I have always maintained that when you sell Microsoft 365, you should also sell an Azure subscription:

Deploy Office 365 and Azure together

Azure Sentinel is yet further confirmation that you should be doing this to add greater functionality and security to your environment. I will be spending more time deep diving into Azure Sentinel so make sure you stay tuned.