I've written some advice that almost every organization can take to decrease the risk of being attacked by malicious actors. Awareness is rising due to the fact that multiple organizations are being breached at this moment.

In this article I'm focusing on Cloud Security technology which is quickly deployable and delivers instant insights and metrics on which to base 'security' decisions. I'm always pushing for quick enrollment and activation because the threat is out there. If you don't believe it — don't activate anything and only watch the insights. You will gain the confidence and control to make impactful security decisions.

A How to decrease the risk of an attack on your users

In this chapter the infrastructure steps are tied directly to user risk. Accounts protected only by a password are a big risk, which can be lowered by activating the steps below. This activation can be done in 4 hours.

1. Extend Active Directory to Azure AD for better insight into user risk

Install Azure AD Connect and sync your users to Azure AD. Use directory synchronization with password hash synchronization to bring all identities from your current environment into Azure AD.

If you are a Microsoft 365 customer your identities are already synced to Azure AD — proceed to step 2.
[Figure: Azure AD Connect — syncing on-premises identities to Azure AD]

2. Prevent all Azure AD accounts from being phished by activating Multi-Factor Authentication

First of all, accept the fact that every password in your organization has been leaked. Read: Your Pa$$word doesn't matter — Microsoft Tech Community.

Security defaults will enforce MFA for every account and will block legacy authentication protocols, which cannot complete an MFA challenge. Also don't forget to activate MFA for every company service.

To enable security defaults in your directory:

1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
2. Browse to Azure Active Directory → Properties.
3. Select Manage security defaults.
4. Set the Enable security defaults toggle to Yes.
5. Select Save.

[Figure: Azure Active Directory → Properties → Enable security defaults toggle]
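Before flipping the toggle it pays to know which accounts still sign in over legacy protocols or without a second factor, because those are the sign-ins security defaults will block or challenge. The script below is an added example, not code from the original article or from Microsoft: it scans sign-in records shaped like the Microsoft Graph signIn resource (clientAppUsed, authenticationRequirement, userPrincipalName, appDisplayName) and lists the users to fix first. The records in SAMPLE_SIGNINS are constructed for the demonstration, not exported data.

```python
"""Find sign-ins that security defaults will block or tighten.

Added example, not code from the original article. Records mimic the Microsoft
Graph signIn resource (clientAppUsed, authenticationRequirement,
userPrincipalName, appDisplayName); SAMPLE_SIGNINS is constructed sample data."""
from collections import defaultdict

# Values Graph reports for modern authentication clients. Any other clientAppUsed
# value (IMAP4, POP3, SMTP, Authenticated SMTP, Exchange ActiveSync, Other
# clients, ...) is legacy authentication, which security defaults block outright.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_SIGNINS = [  # constructed sample, not real sign-in data
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "carol@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online"},
]


def is_legacy_auth(signin):
    """True when the client protocol cannot satisfy an MFA challenge."""
    return signin.get("clientAppUsed") not in MODERN_CLIENTS


def is_single_factor(signin):
    """True when the sign-in completed with a password alone."""
    return signin.get("authenticationRequirement") == "singleFactorAuthentication"


def summarize(signins):
    """Group problem sign-ins per user: legacy count, single-factor count and the
    legacy client types seen. Users whose every sign-in is modern and MFA-backed
    are left out of the result."""
    summary = defaultdict(lambda: {"legacy": 0, "single_factor": 0, "clients": set()})
    for s in signins:
        legacy, single = is_legacy_auth(s), is_single_factor(s)
        if not (legacy or single):
            continue
        entry = summary[s["userPrincipalName"]]
        entry["legacy"] += int(legacy)
        entry["single_factor"] += int(single)
        if legacy:
            entry["clients"].add(s["clientAppUsed"])
    return dict(summary)


def report(summary):
    """One line per affected user, sorted by UPN, ready to hand to the helpdesk."""
    return [
        f"{upn}: {e['legacy']} legacy, {e['single_factor']} single-factor, "
        f"legacy clients={sorted(e['clients'])}"
        for upn, e in sorted(summary.items())
    ]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_SIGNINS))))
```

Run it against a real export (Azure AD sign-in logs exported as JSON carry the same field names) and work through the listed users and service accounts before enabling security defaults, so that blocking legacy authentication does not silently break a scanner or a shared mailbox client.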

3. Understand the user and credential risks in your local domain

To understand the identity risk it's best to consolidate the risks from multiple fronts. Applications authenticate against AD or Azure AD, so those sign-ins give insight into an attack attempt. If you create a Defender for Identity instance, all user sign-ins are brought to the Cloud for analysis.

[Figure: Microsoft Defender for Identity — consolidated identity risk insights]

4. Activate a trial of Office 365 E5 to see identity risk consolidated from multiple fronts

When you have the capabilities to understand the identity risks and see what is going on in your organization, you are better able to act and make decisions on additional levels — for example: creating an additional conditional access policy.

Activate a free 30-day E5 license first: Set up your Microsoft 365 Defender trial lab or pilot environment.

Then activate Cloud App Security (Defender for Cloud Apps).
Navigate to portal.cloudappsecurity.com and see the open alerts.
[Figure: Microsoft Defender for Cloud Apps — open alerts overview]

B How to protect your organization from software exploits

Software can contain vulnerabilities or malicious packages which let an attacker take over computers. Badly patched computers increase the risk of being attacked from within.

If you have activated a demo E5 license you can see the risk of badly patched software from one portal. This activation is more complex and requires more attention and follow-up, but it's doable in some hours. Working on the risks is another thing — but start doing it and be pragmatic.

1. First of all, onboard all your devices in Endpoint Manager. Hybrid or Cloud join doesn't matter for the sake of security. (It matters for the future — I know.)
2. Afterwards activate Defender for Endpoint to get insight into the pane shown below.
3. Work on the Vulnerability Management tab → go to Recommendations and start working on the most critical advice. Patch Windows, patch third-party apps.

[Figure: Microsoft Defender for Endpoint — Vulnerability Management → Security Recommendations]

C Protect your organization from targeted phishing attacks

Phishing attacks are the number one way attackers try to get control of your organizational infrastructure. Don't let actors in because of one stupid e-mail.

1. Activate DKIM in your organization so that recipients can verify mail really came from your domain, which keeps your domain from being used by malicious actors.
2. Enable SPF for your domains. Read: How to Build Your SPF Record in 5 Simple Steps.
3. Activate Defender for Office 365, on top of Exchange Online Protection, to have more control and better phishing avoidance.

[Figure: Microsoft Defender for Office 365 — anti-phishing and DKIM configuration]
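A published SPF or DKIM record only helps when it is well-formed: an SPF record ending in +all, or one that needs more than ten DNS lookups, is treated as a permanent error by receivers, and a DKIM selector with an empty p= tag means the key is revoked. The checker below is an added example, not code from the original article or from Microsoft; it validates the two record types as they come back from DNS (the TXT strings). The sample records are constructed: SPF_M365 is the record Microsoft documents for Exchange Online, the others are deliberately broken to show what the checks catch, and the DKIM key material is a placeholder, not a real key.

```python
"""Sanity checks for SPF and DKIM TXT records.

Added example, not code from the original article. Feed it the TXT strings
you get back from DNS for yourdomain and selector._domainkey.yourdomain."""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10


def check_spf(record):
    """Return a list of findings for one SPF TXT record; empty list means OK."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism name is everything before ':', '/' or '=' (include:x, a/24, redirect=x)
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' lets any host on the internet send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: spoofed mail is neither passed nor failed")
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of "
                        f"{MAX_DNS_LOOKUPS}: receivers return permerror")
    return findings


def check_dkim(record):
    """Return a list of findings for one DKIM selector TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(f"unknown key type k={tags['k']}")
    if not tags.get("p"):
        findings.append("empty p= tag: key is revoked, all signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: receivers ignore signature failures")
    return findings


# Constructed sample records (not live DNS answers).
SPF_M365 = "v=spf1 include:spf.protection.outlook.com -all"
SPF_BROKEN = ("v=spf1 a mx include:a.example include:b.example include:c.example "
              "include:d.example include:e.example include:f.example include:g.example "
              "include:h.example include:i.example ptr +all")
DKIM_OK = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC_PLACEHOLDER_KEY"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for label, rec, fn in (("SPF_M365", SPF_M365, check_spf),
                           ("SPF_BROKEN", SPF_BROKEN, check_spf),
                           ("DKIM_OK", DKIM_OK, check_dkim),
                           ("DKIM_REVOKED", DKIM_REVOKED, check_dkim)):
        print(label, "->", fn(rec) or "OK")
```

The lookup count is only the direct count; each include target has its own record that also counts against the same limit of ten, so follow the includes recursively (or use a dedicated SPF tool) when a record hovers near the limit.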

D Don't make exceptions and take insights seriously

If you have activated some Microsoft 365 E5 capabilities you can now work on 2 portals to understand what is going on in your environment:

security.microsoft.com  ·  portal.cloudappsecurity.com

Take care and stay safe.
[Figure: Microsoft 365 Security portal — security.microsoft.com overview]