Best Zero Trust sources Microsoft 365 + Azure

Hi! I’ve merged great Microsoft content into one article and provided the best screenshots or links to valuable content. Happy reading! If you have other useful sources, leave a comment.

From vision to execution – How to build your Zero Trust workplace with Microsoft 365

Microsoft’s approach to Zero Trust Networking and supporting Azure technologies

02:19 An overview of Microsoft’s environment
03:28 Cloud networking – by the numbers
06:22 Initiative alignment
09:32 Microsoft enterprise networking 2020
12:25 Elements of Zero Trust networking
15:45 Does Microsoft benchmark against industry models for Zero Trust to stay ahead of the practice?
17:42 Zero Trust networking maturity model
19:27 User-connectivity specialization and standardization
26:20 Device assignment in Zero Trust networks
31:22 Locking down our “open” cloud and datacenter networks
40:29 Future scenario: leveraging native Azure services
44:09 Future scenario: connectivity via Azure virtual WAN
49:31 Future scenario: Infrastructure as Code
53:07 Key takeaways

Slides in PDF: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4pKrV

Zero Trust with Microsoft Services (showcase)

Zero Trust access architecture addresses the modern security challenges that come with cloud migration and a mobile workforce. By implementing Zero Trust, Microsoft takes a layered approach to secure corporate and customer data. Microsoft’s phased implementation of Zero Trust centers on strong user identity, device health verification, validation of application health, and secure, least-privilege access to corporate resources and services.

A diagram that illustrates Microsoft's approach to Zero Trust implementation.

https://www.microsoft.com/en-us/itshowcase/implementing-a-zero-trust-security-model-at-microsoft

Zero Trust business model

Link.

Microsoft Blogs (general information)

How to organize your security team: The evolution of cybersecurity roles and responsibilities

Maturity model.

Chief Information Security Officer (CISO) Workshop Training (5 modules)

  • Module 1: Microsoft Cybersecurity Briefing: This module covers overviews on critical security hygiene, Microsoft cybersecurity reference architecture, cybersecurity resilience, Internet of Things (IoT), and operational tech.
  • Module 2: Security Management: Learn how to increase visibility and control over your hybrid enterprise estate with integrated guidance, automated policy enforcement, and monitoring.
  • Module 3: Identity and Zero Trust User Access: Learn how to advance Zero Trust with your identity and user access strategy to better protect corporate data inside and outside your network perimeter.
  • Module 4a: Threat Protection Strategy, Part I: Explore key learnings about threat protection, security evolution, strategies, and security road maps.
  • Module 4b: Threat Protection Strategy, Part II: This module reviews the evolution and trajectory of the Security Operations Centers (SOC), powered by the trillions of signals in the Microsoft Intelligent Security Graph.
  • Module 5: Information Protection: Learn how to protect sensitive information wherever it goes with automatic classification, persistent encryption across devices, and continuous monitoring of data across mobile devices, cloud services, and other corporate assets.

Vision Paper

Different organizational requirements, existing technology implementations, and security stages all affect how a Zero Trust security model implementation is planned. Using our experience in helping customers to secure their organizations as well as implementing our own Zero Trust model, we’ve developed the following maturity model to help you assess your Zero Trust readiness and build a plan to get to Zero Trust.

Zero Trust: A new era of security Ebook

Microsoft Digital Defense Report

Microsoft 365 + the NIST cybersecurity framework

Zero trust landing page

General: microsoft.com/en-us/security/business/zero-trust
Maturity paper and 10 tips for enabling zero trust security

Azure: Overview of the security pillar

Security topic: Description

Role of security: Security is one of the most important aspects of any architecture. It provides confidentiality, integrity, and availability assurances against deliberate attacks and abuse of your valuable data and systems.

Security design principles: These principles support those three key assurances and describe a securely architected system hosted in cloud or on-premises datacenters (or a combination of both).

Types of attacks to resist: An architecture built on good security practices should be resilient to attacks. It should both resist attacks and recover rapidly from disruption to the security assurances of confidentiality, integrity, and availability.

Regulatory compliance: Governments and other organizations frequently publish standards to help define good security practices (due diligence) so that organizations can avoid being negligent in security.

Reduce organizational risk: Much like physical safety, success in information security is defined more as an ongoing task of applying good security practices, principles and hygiene than as a static absolute state.

Administration: Administration is the practice of monitoring, maintaining, and operating Information Technology (IT) systems to meet the service levels that the business requires. Administration introduces some of the highest-impact security risks because performing these tasks requires privileged access to a very broad set of systems and applications.

Applications and services: Applications and the data associated with them ultimately act as the primary store of business value on a cloud platform.

Governance, risk, and compliance: How is the organization’s security going to be monitored, audited, and reported? What types of risks does the organization face while trying to protect identifiable information, Intellectual Property (IP) and financial information? Are there specific industry, government, or regulatory requirements that dictate or recommend criteria that your organization’s security controls must meet?

Identity and access management: Identity provides the basis of a large percentage of security assurances.

Info protection and storage: Protecting data at rest is required to maintain confidentiality, integrity, and availability assurances across all workloads.

Network security and containment: Network security has been the traditional linchpin of enterprise security efforts. However, cloud computing has increased the requirement for network perimeters to be more porous, and many attackers have mastered the art of attacks on identity system elements (which nearly always bypass network controls).

Security operations: Security operations maintains and restores the security assurances of the system as live adversaries attack it. The tasks of security operations are described well by the NIST Cybersecurity Framework functions of Detect, Respond, and Recover.

Microsoft Zero Trust deployment guide for your applications

https://www.microsoft.com/security/blog/2020/08/27/zero-trust-deployment-guide-microsoft-applications/

Tools to drive your Zero Trust implementation

  1. Strong authentication. Ensure strong multi-factor authentication and session risk detection as the backbone of your access strategy to minimize the risk of identity compromise.
  2. Policy-based adaptive access. Define acceptable access policies for your resources and enforce them with a consistent security policy engine that provides both governance and insight into variances.
  3. Micro-segmentation. Move beyond a simple centralized network-based perimeter to comprehensive and distributed segmentation using software-defined micro-perimeters.
  4. Automation. Invest in automated alerting and remediation to reduce your mean time to respond (MTTR) to attacks.
  5. Intelligence and AI. Utilize cloud intelligence and all available signals to detect and respond to access anomalies in real time.
  6. Data classification and protection. Discover, classify, protect, and monitor sensitive data to minimize exposure from malicious or accidental exfiltration.

Zero Trust Deployment Center

Secure identity with Zero Trust — https://aka.ms/ZTIdentity
Secure endpoints with Zero Trust — https://aka.ms/ZTDevices
Secure applications with Zero Trust — https://aka.ms/ZTApplications
Secure data with Zero Trust — https://aka.ms/ZTData
Secure infrastructure with Zero Trust — https://aka.ms/ZTInfrastructure
Secure networks with Zero Trust — https://aka.ms/ZTNetwork
Visibility, automation, and orchestration with Zero Trust — https://aka.ms/ZTCrossPillars
Zero Trust Deployment Center — https://docs.microsoft.com/en-us/security/zero-trust/

Microsoft 365 for IT Architects

  • Microsoft Teams and related productivity services in Microsoft 365 for IT architects
  • Groups in Microsoft 365 for IT Architects
  • Microsoft 365 information protection and compliance capabilities
  • Security and Information Protection for Multi-Region Organizations
  • Microsoft Defender for Endpoint deployment strategy
  • Identity and device protection for Microsoft 365
  • Advanced eDiscovery architecture in Microsoft 365
  • Microsoft Telephony Solutions

Source: https://docs.microsoft.com/en-us/microsoft-365/solutions/productivity-illustrations?view=o365-worldwide

Thank you for reading my summary of great places to find Zero Trust information. If you have great sources, please put them in the comments.

Jasper

Microsoft is delivering automated Security Operations (SecOps) for any organization

Hi there! I’m happy that you found your way to one of the blogs in my series about Microsoft 365 Security.

Earlier articles will help you understand the scenario in which I want to position this solution. First article: How to build your Zero Trust modern workplace with Microsoft 365. That article focuses on the security discussion that helps you segment and isolate your broader IT landscape. The important thing to keep track of is the foundation of security maturity in Microsoft’s technology landscape: you need a baseline before you can do SecOps. You need to get things fine-tuned and use modern technology so you are sure you have done everything you can to reduce the number of response actions. In the next article I cover the technical high-level building blocks for actually shifting workloads to Microsoft 365 and Azure. Yes, I’m focusing on cloud technology, and the reason why is written in the Zero Trust article.

First, some context on the type of customer this Security Operations strategy is aimed at.

It’s time for change. “I’m not a security specialist, not totally aware of the technological part of it, and my question is: ARE YOU?”

What I mean by this statement is that there are a lot of cyber risks, the understanding is poor and the implementations are very basic. Take SIEM: companies buy a SIEM solution and then do nothing with it, but they have a SIEM. Why do we think we need ten people in a SecOps organization if we don’t have a team now? Why not define standards, fully automate them, and run a SecOps operation differently from the hard-core teams (the early adopters)?

In this article I provide answers on these topics. Feel free to leave a comment! Thank you for reading.

Customer focus

The customers this article focuses on are small and midsize companies that are Microsoft Cloud focused, because their security maturity is relatively low. These companies struggle to get their SecOps in order because it’s too complex, too expensive and the maturity is low. Read on, below.

Framework for security operation

Every security operation needs a plan and a strategy for running the operation. Let’s keep it simple. A security operation uses a methodology (the five functions of the NIST Cybersecurity Framework) which includes:

  1. Identify: Who has access to information or privileged controls? Is it really you?
  2. Protect: Limit access; patch, upgrade and update; keep everything in order.
  3. Detect: Detect malware (antivirus); monitor for anomalies in sign-in and device behaviour.
  4. Respond: Respond fast to mitigate the issue or limit the impact; have a clear incident process.
  5. Recover: Have a plan for when security incidents do happen: backups, cyber insurance and, most important technically, the ability to recover from serious damage.

What is a Security Operation?

SecOps (Security + Operations) is the organization that facilitates and elaborates on security within a company. It has procedures, standards and processes that describe the actions and effort it puts into running the security operation.

SecOps is ‘always running’, with service-level agreements (SLA), possibly 24/7. SecOps is a team of people continuously working on Identify -> Protect -> Detect -> Respond -> Recover.

Is a Security Operation overvalued?

‘Security operations’ is a container concept that does not always mean the same thing to everyone. Like ‘digital transformation’, it has no precise meaning. When some people talk about SecOps they mean their analysts working through their SIEM. Others mean endpoint security, and most of the time (because of the relative impact) we talk about patching and updating systems, or incident response: reactive work.

SecOps is overvalued because there is a double understanding here. On one side you have the top five giant companies, such as Microsoft, doing SecOps for their customers. On the other side you have your own SecOps team doing the actions that have already been ‘segmented’ or ‘made ready for you’. Our security operations team needs to be in charge of incidents when they appear; all other tasks are reactive on the roadmap that Microsoft more or less predefines. It’s the only way: embrace the change.

This provocative title is an invitation to think about security operations in a different way. The world has changed as companies shift their workplace and workloads towards Microsoft 365. It has become super relevant to think about your strategy and about how your organization uses this service and infrastructure. How important are O365, CRM, M365, networking and the applications in your datacenter?

Focus has never been as important as it is today, also for security efforts

If you, as an organisation, work with future-proof collaboration tools and migrate your server infrastructure to Azure, AWS or private datacenters, the focus stays on protecting Microsoft technology. It’s a fact.

How does a security operations work?

High-level overview of how your security operation is running:

Tier 1: Clearing the incident queue – Triage and high-speed response
Tier 2: Investigate and respond – Deeper analysis and remediation
Tier 3: Hunting based on org specific knowledge – Proactive hunting and advanced forensics

Why choose Microsoft?

Choose Microsoft to simplify your IT landscape; it’s already difficult enough. Next to that, Microsoft is leading and investing heavily in cybersecurity, and buying companies that fit future needs.

If you’re building your workplace with 90% Microsoft technology, it’s very strange not to use Microsoft technology to protect that environment. Think about the foundation infrastructure. Technology and workloads are never the goal of a transformation; they are simply facts of the shift. Choose wisely if you’re not willing to go the Microsoft way, and if you choose differently, integrate with Microsoft.

Why Microsoft? Because it’s leading in the security era. Let me be very clear: I do believe there are a lot of security vendors creating great technology for keeping organizations safe. Most of the time the missing part is integration into one ecosystem. That is where fragmentation, segmentation and integration fail. If it’s not integrated well enough:

  • Alerts are coming from everywhere
  • The focus is lost
  • Security standards are lowered
  • The automation is poor
  • The security vision is troubled
  • The impact of changes is difficult to assess

Licensing for Security Operation

I’ve written a popular article about why every company should invest in Microsoft 365 E3 and E5. As the licensing section there shows, Microsoft 365 E5 includes Windows 10 Enterprise E5 and with it advanced endpoint security (Microsoft Defender ATP).

Building blocks of organizations core infrastructure

The fundamental infrastructure

Build your workplace on a layered approach. The high level is described below; the details are in this highlighted article.

Identity: Build your foundation identity management solution as described in this article. Cloud first. Azure AD primary. More options -> more automation.

Protect devices: Windows 10 and mobile devices (iOS, Android). Exclude unsupported devices so it’s super clear what is supported, on paper and technically. Compliance.

Services: Understand the services used by your business or customers. Very few companies know what software they are actually using and running. Ask the DPO to deliver a list of the applications and services currently in use.

Data: Data can live in Microsoft 365. For third-party data you can strategically define that it lands in SharePoint, Teams or OneDrive. Most of the time that’s your 90%.

Network: Just treat it as a public connection. This depends on your migration path to M365 and Azure; when all infrastructure is still running on-premises, it may not (yet) be possible.

There are always exceptions needed for some applications, but this doesn’t mean you cannot do the 90% right!

Why you (don’t) need a 24×7 team

Focus on preventing the important fundamental things, for example identity and devices. Automate all actions in Tier 1 and Tier 2, even if you can’t research and analyze them right away, because you don’t have people working at night. Make smart decisions: isolate risks such as compromised identities and devices. Automate.

This is the most important figure of the whole article.

Practical examples of T1 and T2 response and remediate

Example 1: Identity Protection: require a password change when the user risk is high. Create a process that describes the required actions: call the user, validate the risk, validate the credentials (real person), and so on.

Identity Protection

Example 2: Automatic remediation when suspicious events happen.
If you don’t want to do anything yourself, set remediation to automatic and build a partnership with Microsoft engineers to consult when threats are around the corner. This is a holistic position; you need security specialists to start from scratch.

Example 3: Isolate a machine when a risk is detected. You can use Microsoft Power Automate to run an automated response when events appear. The possibilities built in without any code or development are huge, and their impact and value are undervalued 🙂
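Example 1 as policy instead of clicks: the following is an added example, not code from the original post, showing how the user-risk and sign-in-risk policies can be created as Conditional Access policies with the Microsoft Graph PowerShell SDK. Both start in report-only mode so you can watch the sign-in log before enforcing. It assumes the Microsoft.Graph module is installed and the signed-in admin has the Policy.ReadWrite.ConditionalAccess scope; the break-glass group id is a placeholder for your emergency-access group.

```powershell
# Added example: Identity Protection risk policies as Conditional Access (not from the original post).
# Assumes: Microsoft.Graph PowerShell SDK, an admin with Policy.ReadWrite.ConditionalAccess,
# and a break-glass group that must never be locked out by risk policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

function New-RiskConditionalAccessPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string[]]$UserRiskLevels   = @(),   # low | medium | high (Identity Protection user risk)
        [string[]]$SignInRiskLevels = @(),   # low | medium | high (Identity Protection sign-in risk)
        [Parameter(Mandatory)][string[]]$GrantControls,
        # Report-only first; switch to 'enabled' once the report-only results look right.
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )
    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
            applications     = @{ includeApplications = @('All') }
            userRiskLevels   = $UserRiskLevels
            signInRiskLevels = $SignInRiskLevels
        }
        # AND: every listed control must be satisfied; passwordChange is only valid together with mfa.
        grantControls = @{ operator = 'AND'; builtInControls = $GrantControls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Example 1 from the text: high user risk => MFA, then a password change, which also clears the risk.
New-RiskConditionalAccessPolicy -DisplayName 'ZT - High user risk: require password change' `
    -UserRiskLevels @('high') -GrantControls @('mfa', 'passwordChange')

# Companion policy: medium or high sign-in risk => MFA before the session is issued.
New-RiskConditionalAccessPolicy -DisplayName 'ZT - Medium+ sign-in risk: require MFA' `
    -SignInRiskLevels @('medium', 'high') -GrantControls @('mfa')
```

Two caveats a practitioner will hit: the password-change control only works for cloud-only users or for hybrid users when self-service password reset with password writeback is configured, and the policy must exclude an emergency-access account, otherwise a risk detection on your last admin locks you out of the tenant.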

Identify(1) and Protect(2)

What you can do to identify and protect your organization is work with the Threat & Vulnerability Management dashboard to map actions onto your roadmap. As an example, Microsoft brings you the top 5 security recommendations.

Security recommendations: find the critical gaps and hand them to the operational team. A process needs to be defined.

Software inventory: makes it easy to take the temperature and understand the actions required to make these risks go away. Again, process.

Integrate Azure ATP (now Microsoft Defender for Identity) for on-premises alerts on lateral movement, plain-text passwords and pass-the-ticket/pass-the-hash, so you understand which alerts occur.

Detect (3)

Weaknesses in Security Center: easy to bring into the first process; create processes with service levels to fix these gaps.

Cloud App Security: find anomalies based on sign-in or device-based alerts.

Azure Workbooks for sign-in analysis

Other possibilities: risky sign-ins, Security Center, Log Analytics queries, ...
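The anomaly detection the tools above do for you is worth understanding on its own, so here is an added example (not from the original post) that runs two simple rules over sign-in records offline: two successful sign-ins from different countries within an hour, and a burst of failed sign-ins followed by a success. The field names follow the Azure AD sign-in log schema (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode); the records themselves are constructed for the example, and the thresholds are assumptions you would tune.

```powershell
# Added example: offline sign-in anomaly detection over constructed records (not from the original post).
# Field names mirror the Azure AD sign-in log; the three users and their events are made up.
$signIns = @'
[
 {"userPrincipalName":"alice@contoso.example","createdDateTime":"2020-10-05T08:00:00Z","ipAddress":"203.0.113.10","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}},
 {"userPrincipalName":"alice@contoso.example","createdDateTime":"2020-10-05T08:25:00Z","ipAddress":"198.51.100.7","location":{"countryOrRegion":"BR"},"status":{"errorCode":0}},
 {"userPrincipalName":"bob@contoso.example","createdDateTime":"2020-10-05T09:00:00Z","ipAddress":"192.0.2.5","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}},
 {"userPrincipalName":"bob@contoso.example","createdDateTime":"2020-10-05T09:01:00Z","ipAddress":"192.0.2.5","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}},
 {"userPrincipalName":"bob@contoso.example","createdDateTime":"2020-10-05T09:02:00Z","ipAddress":"192.0.2.5","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}},
 {"userPrincipalName":"bob@contoso.example","createdDateTime":"2020-10-05T09:03:00Z","ipAddress":"192.0.2.5","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}},
 {"userPrincipalName":"bob@contoso.example","createdDateTime":"2020-10-05T09:04:00Z","ipAddress":"192.0.2.5","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}},
 {"userPrincipalName":"bob@contoso.example","createdDateTime":"2020-10-05T09:05:00Z","ipAddress":"192.0.2.5","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}},
 {"userPrincipalName":"carol@contoso.example","createdDateTime":"2020-10-05T09:30:00Z","ipAddress":"203.0.113.44","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

function Find-SignInAnomalies {
    param(
        [Parameter(Mandatory)] $SignIns,
        [int]$TravelWindowMinutes = 60,   # assumption: tune to your workforce
        [int]$FailureThreshold    = 5     # assumption: failures before a success that we consider suspicious
    )
    $findings = @()
    foreach ($group in ($SignIns | Group-Object userPrincipalName)) {
        $events = @($group.Group | Sort-Object { [datetime]::Parse($_.createdDateTime) })

        # Rule 1: impossible travel - two successes from different countries inside the window.
        $success = @($events | Where-Object { $_.status.errorCode -eq 0 })
        for ($i = 1; $i -lt $success.Count; $i++) {
            $prev = $success[$i - 1]; $cur = $success[$i]
            $minutes = ([datetime]::Parse($cur.createdDateTime) - [datetime]::Parse($prev.createdDateTime)).TotalMinutes
            if ($prev.location.countryOrRegion -ne $cur.location.countryOrRegion -and $minutes -le $TravelWindowMinutes) {
                $findings += [pscustomobject]@{
                    User = $group.Name; Rule = 'ImpossibleTravel'
                    Detail = "$($prev.location.countryOrRegion) -> $($cur.location.countryOrRegion) in $([int]$minutes) min"
                }
            }
        }

        # Rule 2: a run of failures (errorCode != 0) followed by a success - a guess or spray that landed.
        $failures = 0
        foreach ($e in $events) {
            if ($e.status.errorCode -ne 0) { $failures++; continue }
            if ($failures -ge $FailureThreshold) {
                $findings += [pscustomobject]@{
                    User = $group.Name; Rule = 'FailuresThenSuccess'
                    Detail = "$failures failures before success from $($e.ipAddress)"
                }
            }
            $failures = 0
        }
    }
    return $findings
}

# With the constructed data: alice is flagged for ImpossibleTravel, bob for FailuresThenSuccess, carol is clean.
Find-SignInAnomalies -SignIns $signIns | Format-Table -AutoSize
```

Both rules are deliberately crude (no geolocation distance, no VPN allow-list) so the logic stays readable; the point is that the finding object (user, rule, detail) is exactly what you would feed into an automated Tier 1 action rather than into an analyst's queue.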

Respond (4)

Responding is actually doing something so that the breached device or identity is taken care of. It means taking an action that prevents other users from being exposed to the same risk: for example, isolate a device while you research it, or lock an account for as long as the risk is valid. Also work with ATP.

Automatic investigation can start with a user reporting a phishing email or a user clicking a malicious link.
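The two containment actions named above, isolating the device and locking the identity, as an added example that is not part of the original post. The device side uses the Microsoft Defender ATP machine-actions API (the isolate endpoint) with an app registration holding the Machine.Isolate application permission; the identity side uses Microsoft Graph PowerShell cmdlets. Tenant id, app id, secret, machine id and user are placeholders.

```powershell
# Added example: Tier 1 containment, device + identity (not from the original post).
# Assumes: an app registration with the Defender ATP API permission Machine.Isolate
# (client-credentials flow) and a Graph sign-in with User.ReadWrite.All and
# IdentityRiskyUser.ReadWrite.All. All ids and secrets below are placeholders.
$tenantId     = '<tenant-id>'
$clientId     = '<app-id>'
$clientSecret = '<app-secret>'   # placeholder: load from a vault, never hard-code in production

function Get-MdeToken {
    # OAuth2 client-credentials token for the Defender ATP API.
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    return $resp.access_token
}

function Invoke-DeviceIsolation {
    param(
        [Parameter(Mandatory)][string]$MachineId,      # Defender ATP machine id, not the hostname
        [string]$Comment = 'T1 auto-containment',
        [ValidateSet('Full', 'Selective')][string]$IsolationType = 'Full'   # Selective keeps Outlook/Teams/Skype reachable
    )
    $headers = @{ Authorization = "Bearer $(Get-MdeToken)" }
    # Returns a machineAction object; its status moves from Pending to Succeeded once the device checks in.
    Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$MachineId/isolate" `
        -Body (@{ Comment = $Comment; IsolationType = $IsolationType } | ConvertTo-Json)
}

function Invoke-IdentityContainment {
    param([Parameter(Mandatory)][string]$UserId)   # object id or UPN
    # 1. Block new sign-ins.
    Update-MgUser -UserId $UserId -AccountEnabled:$false
    # 2. Invalidate refresh tokens so sessions that already exist die at the next token refresh.
    Revoke-MgUserSignInSession -UserId $UserId | Out-Null
    # 3. Tell Identity Protection the account is compromised so the user-risk policies (Example 1) apply on re-enable.
    Confirm-MgRiskyUserCompromised -UserIds @($UserId)
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'IdentityRiskyUser.ReadWrite.All'
$action = Invoke-DeviceIsolation -MachineId '<machine-id>' -Comment 'Credential theft alert, auto-isolated'
Invoke-IdentityContainment -UserId 'alice@contoso.example'
```

Order matters on the identity side: disable first, then revoke, otherwise a still-valid refresh token can mint a new access token between the two calls. Releasing the device is the `unisolate` action on the same API, and re-enabling the user should only happen after the "call user, validate risk, validate credentials" process from Example 1 has run.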

Recover (5)

Ransomware detection and recovery of your files (built in)
SharePoint site restore for site collections and sites (built in)
Backup with Microsoft or third-party technology: Azure Backup, SQL Server backup
Disaster recovery (plan)
Cyber insurance

Conclusions

  • Microsoft understands that automation is the way forward: alert creation and follow-up that relates events to each other. It’s time to shift from complex security operations to understandable solutions with reporting, automation and long-term possibilities.
  • Sensitive document data is found in Office 365 (Exchange, SharePoint, Teams). Core applications such as CRM and the server infrastructure are integrated with Azure AD. The risks are shifting to the modern cloud; focus on these new risks, not on the on-premises Active Directory, not anymore.
  • Focus on T1 and T2 automation. Next to reactive follow-up, work with the benefits of E5 MDATP. If you are able to bring the security baseline to the next level, the standards shift to a less risky environment.
  • SIEM solutions can be integrated, but keep in mind: if the full infrastructure plus Office 365 is shifted, do you still need a different solution on-premises or in Azure?
  • Microsoft 365 E5 includes great security features, at a cost. It’s best to use its full potential.
  • Power Automate skills are important for SecOps and can be used for sysadmin tasks and by other teams in the organization.

And after this journey? Logic Apps with building blocks for quick deployments and standards, reporting, Azure Sentinel workbooks with templates as in this blog, integrations with ticketing tools, prediction and whatever you like...

Thank you so much for reading! If you have feedback, please comment below or reach out on LinkedIn or Twitter.

Technical High-level Modern Workplace implementation with M365

Thanks for reading my blog about the technical implementation of a Microsoft 365 workplace. In this article I describe a high-level approach for implementing and shifting from a more traditional organisation towards a cloud-focused organization. If you’re not totally a ‘fan’ of the cloud idea, please read these articles first: The value of Microsoft 365 E3 and E5, and How to build your Zero Trust modern workplace with Microsoft 365, which cover the why of cloud and modern technology.

This blog describes the high-level technical actions to grow into a Microsoft 365 modern organization. I would love to receive feedback in the comments, on LinkedIn or on Twitter.

1. Start with Identity Management and extending Active Directory to Azure AD

Install Azure AD Connect and sync your users and groups to Azure AD.

You can use directory and password synchronization to bring all identities from your current environment to Azure AD. I prefer the hybrid scenario first and a full cloud scenario later, with ADDS in Azure as the worst case, so that control shifts and the primary directory becomes Azure AD.

Why? Azure AD goes beyond the current ‘legacy’ integration and is a next-gen identity platform. Make it simple: if you don’t need third-party solutions (which always limit new capabilities), don’t go for them. Use native Azure AD. It’s also a big opportunity to leave things behind and smoothly shift to ADDS or Azure AD.

2. Migrate your exchange workload with Exchange Hybrid Wizard

It’s very easy to shift Exchange as the first workload to Office 365.

  • Set up Azure AD Connect and sync all identities.
  • Change the UPNs if required; the same value as the e-mail address is preferred, as it is easier for users.
  • Pre-sync all mailboxes to 95% (the migration batch syncs up to that point and finishes at completion). Migration is throttled by default; raise the maximum in your on-premises Exchange Web Services settings if needed.
  • Under roughly 2,000-5,000 mailboxes, one cut-over in a single shift is best practice; above that, use a phased approach. Approach and instructions here.
  • After the migration over hybrid Exchange, the next step is shifting mail relay directly to O365, or an alternative solution. Make it simple: don’t over-think it and don’t create complexity for hybrid mail flow. You can keep hybrid Exchange for the first phase, with management in AD and Exchange Online.

3. Migrate personal data to OneDrive

Document data is one of the most important things in any workplace, and personal data is crucial to take into account for the migration. It helps support the shift to M365 when it gives people a better collaboration space.

  • Use OneDrive Known Folder Move so that Favorites, Desktop and Documents are discovered automatically and placed in OneDrive. People love this feature. It’s easy to implement and adds value without changing the core.
  • Migrate your home drives to OneDrive with the SharePoint Migration Tool, or with other tools when you need more control. Shifting documents is important to get away from the current system(s).

4. Migrate departments to Teams or SharePoint Online

I’m not going super deep into the details of document migration, but I will give the high-level steps of migrating the workloads.

  • Assess your current environment and understand the needs.
  • Migration of team data could result in Microsoft Teams libraries.
  • Migration of organization data could result in SharePoint Online.
  • Personal data (only touched by one person) can still land in OneDrive.
  • There are great tools on the market to do the assessment. A phased approach is necessary. Standards and building blocks help with the speed of implementation.

5. Voice shift from on-premises to Microsoft 365 or any other cloud integration solution

There are four options for a Microsoft Teams voice solution:

  • Phone System with Microsoft’s Calling Plan
  • Phone System with your own carrier (Direct Routing)
  • Phone System with your own carrier via Skype for Business Server or Cloud Connector Edition
  • Enterprise Voice in Skype for Business with your own carrier

Don’t go for less. Use Microsoft Teams. And if you choose other platforms, think about trust, compliance and adoption. Inclusion, security, segmentation and, most important, the speed of implementation compared to the ease of one platform.

If there are complex needs for voice or a call center, there are solutions on the market to help shift to cloud voice with Teams. And keep in mind that Microsoft shifted its full organization to Teams; they have a complex organization with multiple flavors of requirements and needs.

6. Microsoft EndPoint Manager

  • Implement Microsoft Endpoint Manager for Windows 10 and all mobile devices as described above. The minimum set is written in this article.
  • Onboard all current devices with Hybrid Azure AD Join or full cloud join (Azure AD Join).
  • Onboard all new devices with Windows Autopilot.
  • Implement MAM for mobile at least, and manage all your company-owned devices at least.

7. Increase basic identity Security

  • Multi-Factor Authentication or Azure AD Security Defaults.
  • Conditional Access for easier logins and more security.
  • Connect your devices to Azure AD with Endpoint Manager: Hybrid Join or full cloud join. Connect them.
  • Risky user and sign-in policies. Define some security policies as written here.
  • SSPR, or Self-Service Password Reset. Check this out.
  • Create control over the lifecycle management of identities: expiration, onboarding, offboarding etc.
  • Automatic password reset or disablement of the account when it is breached.
  • Shift to Azure AD as the primary directory, later.

8. Windows Autopilot for enrollment of Windows devices

  • Enroll new devices with Windows Autopilot (staging principle).
  • Onboard current domain-joined devices with a Group Policy as written here.

9. Software Deployment migration

  • Microsoft Office 365 ProPlus (now Microsoft 365 Apps) can be deployed quickly by Endpoint Manager.
  • Windows updates can shift ASAP when using Endpoint Manager. Total control is built in.
  • Microsoft Edge delivers great value when it comes to browser support and can support old ‘sessions’ (IE mode) as well. Azure AD integrated, great new stuff, super modern.
  • Use third-party mechanisms such as PatchMyPC or Chocolatey for ‘simple’ deployable software. Use your own scripts and create packages when necessary.

10. Group-Policy-Objects (GPO) Migration

  • Microsoft is currently working on policy analytics, which will help migrate GPOs to MDM policies with controls. But keep in mind that a lot of policies exist for legacy reasons. I don’t believe in migrating GPOs. I believe in a ‘greenfield’ basic workplace where you build standards for everyone, not for groups, and if you do, for ten groups at most, with 90% the same architecture and flavors. So: don’t migrate unused GPOs. Rethink GPOs -> MDM.
  • ADMX-backed baselines help with smooth and faster configuration. Whenever that’s not possible, use OMA-URIs.
  • Most important: try to be prepared to shift 80% of the authority from GPOs to MDM, and leave the GPOs in your on-premises DCs behind.

11. Windows updates and security improvements

  • Create Windows 10 update rings with peer-to-peer caching (Delivery Optimization) so you don’t kill the internet breakout, VPN etc.
  • Create segmented pre-test groups to validate the update version before production.
  • Use the standard security baselines to implement the Windows 10 MDM baseline and the MDATP configuration. Baselines are great and so easy to use.

12. Shift infrastructure to Azure

Think about: rehost, refactor, rearchitect, rebuild, replace!
If you want to shift infrastructure, follow the next steps. Otherwise, do the assessment, write down all infrastructure and start rearchitecting where possible. When you’re hosting well-known vendor applications, get in touch and ask whether they are planning for SaaS, Azure or other options.

  • Create an Azure Migrate project and add the Server Assessment solution to the project. Tutorial
  • Set up the Azure Migrate appliance and start discovery of your servers. To set up discovery, the server names or IP addresses are required. Each appliance supports discovery of 250 servers; you can set up more than one appliance if required. Prerequisites
  • Once you have successfully set up discovery, create assessments and review the assessment reports.
  • Use the application dependency analysis features to create and refine server groups, so you can phase your migration.
  • Migrate machines as physical servers to Azure.
  • Don’t forget: rehost, refactor, rearchitect, rebuild, replace.

13. Migration of legacy Active Directory Integration

  • Shift applications that use AD groups or AD authentication towards Azure AD, or in the worst case ADDS.
  • Try to isolate all applications, monitor the active usage of AD and find out what you can transform easily.
  • Sometimes there is an old application for billing or accounting used by only a few people. Don’t integrate it: isolate it and shift it with dedicated accounts to Azure IaaS. But write it into the long-term plan and push the vendor for integration, or choose another platform.

14. Build collaboration platforms with Microsoft Teams & SharePoint

I’ve probably missed some ‘crucial’ applications on-premises that are used for 20 years. I’m saying: We need to leave complex legacy behind. Choose SaaS solutions with future-benefits. Don’t wait for phasing these out to go cloud. Do cloud and leave legacy behind. OR migrate and isolate. And more important: Long term strategy.

We are always choosing short-term quick solutions for fixing a problem, integrating on solutions and after 5 years its bombastic. Choose long-term. Don’t choose non compliant solutions that are not ready for the compliance requirements of the future. Security complexity and needs are growing, GDPR, ISO27 is important.

  • Build your new Microsoft Teams Sites for collaboration.
  • Create a SharePoint Hub for all SharePoint sites – create a frame and design of the requirement and visual for your full organization.
  • Build out department and long-term SharePoint collaboration spaces.
  • Migrate the ‘20 years old’ applications to SharePoint lists with PowerApps, and integrate with the Power Platform. I’ve seen simple apps in Lotus Notes that can easily shift their history to SharePoint lists and PowerApps. Power BI can help with transparent reporting.

15. Rethink on-premises

Rehost, Refactor, Rearchitect, rebuild, replace!

Rethink the new needs of on-premises. All collaboration spaces are shifted to Office 365. Your devices are managed with Microsoft 365 Endpoint Manager. Documents are shifted to OneDrive, Teams and SharePoint. Authentication and integration are shifted to Azure AD. Printers move to Universal Print or other solutions such as Printix. Core applications are moved to IaaS and are waiting to become SaaS over time. What else is there?

16. Build security mechanisms that can be automated

Now, and only now, when the shift is completed, is the time to build your SEC-OPS landscape.

Why? It’s easier. Don’t you want to go fast? Don’t you want to have one platform? Don’t you want to integrate with modern technology in Azure AD and M365?

  • Security operations and incident response can be done with MDATP. I know it works in hybrid – that’s the first phase, not the end goal.
  • Build the next level of the modern workplace with Information Protection, which automatically labels classified documents. Use the unified data classification platform.
  • Get a grip on actionable risks on devices and users with MDATP in combination with Cloud App Security to identify and isolate risks, sometimes with automatic remediation.
  • Build on the basis of identity and risk management as shown in step 1 of this article.
  • Start with MAM (Mobile Application Management) to isolate corporate applications from personal applications on BYOD devices.
  • Evaluate regularly which users have access to data, devices and the physical network. (ref 8)
  • Work on Secure Score and Azure Secure Score.

Thank you so much for reading! If you have feedback please comment below or reach out on Linkedin or Twitter.

Modern Workplace security: 5 steps to use Microsoft Teams in a safe way

In this blog I will go through five basic security improvements for organizations that are shifting to Microsoft Teams. Also read my previous article: The Value Of Microsoft 365 E3 and E5.

Security improvements are embedded in Teams, it just needs activation

I’ve met a lot of organizations over the last months implementing Microsoft Teams, and I really love to see the fast deployments, the big activation, simple communication and dedicated onboarding.

  • Did you know that Microsoft Teams is not an addition to Office 365, but an integration of multiple services?
  • Did you know you can integrate the product better in your current workplace than ‘we’ think?
  • And a thousand other possibilities – and that’s the problem, right? We didn’t really know, before.
  • I know I’ve used Microsoft 365 E5 licenses here. You can figure something out without CASB, with Azure AD Premium P1 + Endpoint Manager.

Introduction: Microsoft Teams Architecture

Did you know that Microsoft Teams is part of Office 365 or Microsoft 365 and uses Azure AD, OneDrive, SharePoint, Exchange Online, Yammer, Stream, etc. all out of the box? I suppose your organization will use that deep integration when shifting to Microsoft Teams. Let’s dig into solutions now!

1. Identity Protection: MFA + Azure AD Conditional Access Policies + Risk Policy

The first step is a secure identity. Everything comes down to identity security and authentication – access management in general.

  • It’s still a best practice to activate Multi-Factor Authentication. I’ve written a lot about this in my previous article.
  • Activate Conditional Access so you don’t get the craziness of pop-ups, and deliver a productive workplace.
Azure AD Conditional Access
  • Force a password change when assuming breach, with risk policies, to be sure you harbor safe identities.
User Risk Policy

2. Registration for Windows 10: Device Onboarding

Make your Windows 10 devices known in the organization, so you have them under control and can do smart things once you know them.

Register or enroll your devices into Azure AD to provide an identity-token to the device. This identity is used to authenticate the device when a user signs in and apply conditional access rules that require domain-joined or compliant PCs.

  • Hybrid Azure AD Join: enables devices in Active Directory to register in Azure AD for access management.
  • Go through Autopilot and let new devices join in cloud-only mode, with a hybrid identity. I’m not a fan of doing registration only: it has value, but then you can only do access management. I’ve seen companies go straight to Autopilot, shift to cloud-only modern management and have the devices in Azure AD only. Cloud or hybrid is not a requirement, but it can help with straightforward implementations.
  • Later you can move on to Endpoint Manager: deploy Microsoft Teams and the Office 365 suite to all endpoints.

3. Block downloading of documents on non-trusted devices

If a device is not trusted, accessing corporate data should still be possible (sometimes not, I know), but differently than on a really trusted device.

  • Set simple and transparent Conditional Access policies. Don’t make it too complex.
  • You could use this App Control (preview) to easily block downloading of ANY Office 365 document on a ‘non-trusted’, ‘non-compliant’ device.
  • Keep in mind when using this: if you only select Exchange, it still impacts Teams and SharePoint, as stated in the tip in the first screenshot.

4. Intune App Protection policies for Mobile Devices

You’ve covered your identity, your Windows 10 devices. You’ve covered your non-trusted devices and now your mobile devices.

  • I’d like to get feedback on this one. I’ve done App Protection policies at multiple customers without changing any definition of the standard policy you can create from https://admin.microsoft.com – there is nothing wrong with standards. Better one policy activated than no policies.

Or you can use the App Protection Policy Data Protection Framework. It provides three levels of app data protection configuration. (GitHub)

  • Level 1 enterprise basic data protection – Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device.
  • Level 2 enterprise enhanced data protection – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration is applicable to most mobile users accessing work or school data. Some of the controls may impact user experience.
  • Level 3 enterprise high data protection – Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.

Access requirements: you can find these in Endpoint Manager

  • PIN for access: Require
  • PIN type: Numeric
  • Simple PIN: Allow
  • Select minimum PIN length: 4
  • Touch ID instead of PIN for access (iOS 8+/iPadOS): AllowOverride
  • More details in the 3 screenshots for iOS. I’ve also created a policy for Android.

5. Knowing the risks with Cloud App Security

You’ve covered your identity and your Windows 10 devices. You’ve covered your non-trusted devices and your mobile devices. If something slips in between activations, or something is missing, I suggest using Cloud App Security to see data exfiltration, etc.

  • As you can see in your Cloud App Security portal, the ‘possibility’ to understand the block download policy is there.
  • You can dig deeper to understand what happened. In the demo movie at the top I showed a trusted environment on the left and a non-trusted ‘personal computer’ on the right.
  • You can go further with automation from here, but I will not go deeper into this in this article, because I believe that if you have these 5 steps you have already achieved something.

Next steps?

  • Identity protection (1) – automated remediation and creation of a service-desk ticket to respond to your risky users.
  • Compliance policies (2) – so devices don’t slip through the fingers of the IT department. You need a process to be sure all devices pass through the same process, and are totally blocked if not.
  • Block downloads on non-trusted devices (3) – go further. The implementation above is a great opportunity because of its ease of implementation. Information protection is next, because people can exfiltrate data when e-mailing, syncing or copying on their corporate device and their home device. And that’s a thing that should not be possible anymore.
  • Automate actions with CASB. Label your exfiltration experts. And create processes for when something is wrong, so the right people in the chain of command are informed.
  • The next improvement is a future blog! Thanks for reading.

I hope you enjoyed reading. Please comment below!

The value of Multi-Factor Authentication – Get your story right!

I tried something different last night: writing the story of multi-factor authentication and its relation to the Microsoft eco-system. Everything is connected. I would love a comment, share or reply to see if this content is valuable for you! Thanks, Jasper

Creating the modern workplace! – Vision

  • Increase mobility: people are working from home, from clients and during travel. In regard to collaboration, 98% of information workers collaborate or communicate with someone else at work on a weekly basis.
  • Improve security and compliance. Most of the time there is no control of data compliance in the current on-premises environment. Security systems are complex and static, without growing or proven improvements. Start with a Zero Trust model. Start with protection of your people.
  • Find more topics I’ve written about in my previous article.

What is Multi-Factor Authentication – To know

  • Something you know, typically a password or a pincode.
  • Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key/token.
  • Something you are – biometrics like a fingerprint or face scan.

Cybersecurity Reference Architecture – The Cybersecurity vision to integrate deeply in Microsoft tech

Whoooaww, that’s an extreme reflex for doing our MFA implementation!! IS IT? Dear customers, colleagues: is it? I don’t think so. We need to see and understand that the small parts (micro) are connected to the big parts (macro). Identity & Access Management is crucial. Identity is the first step, the basis, the baseline. We need to invest in the whole Cybersecurity frame, and we need to start with the basics.

Next to the macro view of this Cybersecurity Reference architecture we need to dare to question the identity providers we have integrated in our current environment.

Foundation Infrastructure – The not so interesting part

The only way is up, starting with your foundation:

  1. Networking
  2. Identity is the first investment before you ‘grow‘ to workloads and scenarios.

Identity is a fundamental part of the workplace – The attack surface

As you can see in this figure, all security mechanisms are built on the fundamentals of Identity Management. What can you protect IF you’re not able to enable MFA? There are reasons for this, and there are numbers out there to make you aware of it. We will come to that later in this article.

Cloud Architecture Identity – MFA is part of something

Understanding identity management in the eco-system of Microsoft’s Identity management system is crucial to find the place where Multi-factor authentication (MFA) belongs. User Accounts – Identity management – Azure Active Directory – Azure/Microsoft365

Self-Service Password Reset – To help the people

Give people in your organization something good in return for ‘having’ to do MFA. Self-service password reset will let people in your organization change their own password. It will decrease the IT workload and, more importantly, it will make your customers happy. By the way, it’s very easy to configure: go to Azure AD > Password Reset > Authentication Methods.

Force a password change when assuming breach – To prevent breaches AND decrease IT tickets

Go to Identity Protection in Microsoft Azure. Select your assignment: All users. Under Conditions, select your requirement (the risk level). Then select Require Password Change. This will ask people in the organization to change their password when the risk is at or above the selected level.

Did you know that IT administrators can enable sign-in risk as a condition in multiple Conditional Access policies outside Identity Protection?
In case a user has not enrolled MFA before this ‘risk policy’ kicks in, the account will be locked.
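
The lock-out caveat above is worth checking before the policy goes live. As an added example (not code from the original post), the script below first lists users without MFA registration and then creates the same "require password change" user-risk policy in report-only mode via the Microsoft Graph PowerShell SDK. It assumes that SDK is installed, that the signed-in admin may read reports and write Conditional Access policies, and the break glass account id is a placeholder.

```powershell
# Added example (not the blog's own code). Requires the Microsoft.Graph SDK.
# Scopes assumed from the documented API permissions for registration reports
# and Conditional Access management.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All",
                        "Policy.ReadWrite.ConditionalAccess"

# 1. Pre-check: who would be locked out? A user-risk policy that demands
#    MFA + password change cannot be satisfied by a user without MFA registered.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaRegistered, IsSsprRegistered

Write-Output ("{0} user(s) are not MFA-registered and would be locked out" -f @($notRegistered).Count)
$notRegistered | Export-Csv -Path ".\mfa-not-registered.csv" -NoTypeInformation

# 2. The risk policy itself. Report-only first: the sign-in log then shows
#    who WOULD have been asked to change their password, without enforcing it.
$riskPolicy = @{
    displayName = "CA-UserRisk-Medium+-RequirePasswordChange"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" later
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Placeholder: keep the break glass account out of every policy.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # "Assume breach" threshold: medium and higher get a password change,
        # matching the guidance later in this post.
        userRiskLevels = @("medium","high")
    }
    grantControls = @{
        # Password change is only accepted together with MFA: the user first
        # proves possession of the second factor, then sets a new password,
        # which also remediates the user risk.
        operator        = "AND"
        builtInControls = @("mfa","passwordChange")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
Write-Output ("Created policy '{0}' in state {1}" -f $created.DisplayName, $created.State)
```

Review the report-only results in the Azure AD sign-in log for a few days, get the users from the CSV registered (the combined registration experience described later in this post), and only then flip the state to enabled.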

Azure AD Conditional Access – To make it easier

Conditional Access is a solution used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

  • Keep user accounts safe by requiring strong authentication based on location and risks.
  • Keep data safe by only allowing managed devices.
  • Meet compliance requirements.
  • Create simple policies for everyone – not for groups, departments – make it simple!
  • Your modular dreams

What if MFA fails like it did before? – Probably won’t

  • MFA failed 2 times? Less than 4 hours? Ever? Compared to your on-premise environment?
  • We like to kill MFA implementations because we don’t like it but we still want more security. DO IT. If security is a priority, you can fix this technically. What if that’s the real problem?
  • What if you did not have MFA and are breached? OR leave MFA enabled and still be in control of your data.
  • What if MFA failed and you had your devices and identities connected to your modern workplace because it was not a side-project and part of a strategic decision and were able to work when the service fails for some hours?
  • The reflex should be to prevent: for example, a break glass account in case of a problematic situation.
  • Next to that, write a document that describes the actions required in case of MFA authentication problems. High-risk users will get a unique password, low-risk users may authenticate without a password change. Risky users with medium risk and higher will get a password change.

The standard pitch doesn’t work – So stop telling this

  • 99.9% of compromised accounts did not have MFA.
  • Next to this fact, the 50 accounts per 10,000 people that will be breached according to Microsoft’s numbers become more and more understandable.
  • Your Pa$$word doesn’t matter
  • You can do internal phishing attacks and see that people are entering their passwords. It’s a fact. What’s the point of knowing again if it’s already known? Any fool can know, the point is to understand. Albert E.

These stories are well known but will not trigger changes. Do’s & don’ts are judging. Don’t work on the ‘facts’. Work on the value, support and simplicity of modern technology. GIVE to the people. Don’t take things away.

99,9% compromised accounts did not have MFA

MFA is included in all licenses – This changed a long time ago

Basic MFA is included in all Office 365 and Microsoft 365 licenses. It does not mean conditional access or other related features are included. Reference.

Passwordless authentication – To give to the people

Enabling passwordless authentication activates authentication without a password – isn’t that great? Enabling it in Azure AD is easy: go to Azure Active Directory > Security > Authentication methods > Authentication method policy (Preview) and enable it.

Passwordless authentication is a feature that lets us rethink our current MFA solution IF it’s not running in the cloud or is third-party. As you can see, the integration gets deeper and deeper here.

The MFA Experience – It isn’t bad at all

The mobile experience shows three sign-in codes to validate the sign-in: your code needs to be validated, and you don’t need to enter the password.

Combined MFA and password reset registration – To make the onboarding smooth

Microsoft has announced that the combined security information registration is now generally available (GA). This new experience makes it easy for users to register for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) in a simple step-by-step process.

Adoption and change management – To make everyone happy except the sponsor 😉

Make standards that are understandable for everyone, not only for the IT organization. Communicate MFA announcements and changes before the change – not after. Keep track of the change record. Explain very well how you’re using ‘standards’ in your organization. Put the guidelines in the place where all procedures are located. Communicate over multiple platforms. Make it about the end user. Help end users. It’s all about experience! And you are in control!

Published on #WorldPasswordDay – Stay Safe!

What are your thoughts after reading this article? Comment below! In case you were inspired by this article please share!

The top 10 security recommendations we should consider while working from home!

  • Mobile working is a standard today.
  • Companies are no longer protected by the infrastructure in their corporate environment.
  • Crucial document data is moving away from centralized systems because it’s easier to work on it in our own document systems.
  • The irrelevance of bombastic systems in the corporate environment is holding collaboration down.
  • Does it sound familiar?

The 10 security recommendations we should consider while working from home!

  1. Identity Security / MFA
  2. Install the latest patches and updates
  3. Passwords and management
  4. Build real-time reports of security risks 
  5. Create automated and intelligent alerts 
  6. Install antivirus on all endpoints 
  7. Secure devices and corporate devices (+ personal phones) 
  8. Evaluate regularly which users have access to data, devices and networks 
  9. Track, change and block access for temporary projects and when employees are leaving your company 
  10. Use information protection solutions to protect your data everywhere. 

1. Identity protection

  • Some facts: 1.2 million Office 365 or Microsoft 365 accounts are compromised each month. This represents 0.5% of all accounts in your environment. Source: theregister.co.uk

Multi-factor authentication prevents 99.9% of all attacks.

99,9% compromised accounts did not have MFA

2. Patching & updates

Device Compliance

3. Passwords and management of authentication

4. Create real-time reporting of security vulnerabilities

  • Identity risks exist in every organisation. Don’t think that your chances are low. Check the facts.
  • It is very easy to use ‘risky users‘, ‘risky sign-ins’ and ‘risk detections’ to find out the real risks.
  • Integrate with Microsoft Defender ATP and ATP sensors to have all intelligence in the Microsoft cloud.
Risky Users
Risky Sign-ins
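
The same three Identity Protection views (risky users, risky sign-ins, risk detections) can be pulled into a recurring report instead of being read in the portal. The script below is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK, an Azure AD Premium P2 tenant and an account allowed to read Identity Protection data.

```powershell
# Added example (not the blog's own code). Requires the Microsoft.Graph SDK and
# Identity Protection (Azure AD Premium P2). Scopes assumed from the API docs.
Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All","IdentityRiskEvent.Read.All"

# Look back one week; Graph expects an unquoted ISO 8601 UTC timestamp in filters.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# 1. Risky users whose risk is still open (not remediated, dismissed or confirmed safe).
$riskyUsers = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Sort-Object RiskLastUpdatedDateTime -Descending |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime

# 2. Individual detections of the last 7 days (the events behind risky sign-ins).
$detections = Get-MgRiskDetection -Filter "detectedDateTime ge $since" -All |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, RiskLevel,
                  RiskState, IpAddress, Activity

# 3. A summary a non-specialist can read: which detection types and how many.
$byType = $detections | Group-Object RiskEventType |
    Sort-Object Count -Descending |
    Select-Object @{ n = "RiskEventType"; e = { $_.Name } }, Count

Write-Output ("{0} user(s) currently at risk, {1} detection(s) since {2}" -f
    @($riskyUsers).Count, @($detections).Count, $since)
$byType | Format-Table -AutoSize

# Keep the evidence for the ticket / the weekly review.
$riskyUsers | Export-Csv -Path ".\risky-users.csv"     -NoTypeInformation
$detections | Export-Csv -Path ".\risk-detections.csv" -NoTypeInformation
```

High-risk entries in risky-users.csv are the ones the password-change policy from step 1 should have caught; anything still at risk there is a manual follow-up.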

5. Create automated and intelligent alerts

  • There is only one answer: Microsoft Cloud App Security.
  • Create alerts when, for example, 100 files are deleted or copied to Dropbox.
Cloud App Security Portal

6. Install antivirus on ALL endpoints + go beyond antivirus

  • Microsoft Defender ATP, SentinelOne, Norton, McAfee – it doesn’t really matter, as long as you are able to protect all endpoints.
  • The second factor is to make sure that your antivirus is enabled. Use a single console, OR use MDATP. Set security alerts so you know when you are at risk.
  • Use EDR monitoring to detect and respond to advanced attacks in real time.
Antivirus Windows 10

7. Secure private(personal) devices and corporate devices

  • Workstations and laptops (with Windows 10, for example) are under control in most companies. Mobile devices are left unmanaged because we don’t know the options.
  • With Intune (Endpoint Manager) you can isolate and segment applications without having to manage the device. The corporate applications are under control. The organization’s data is protected. The most important thing is done!
  • Choose a fingerprint or Face ID, and worst case a PIN code, in app protection.
  • Below you may find an example of the Outlook application protected by Mobile Application Management. In case the organisation is not the owner of these devices this is a great option, and simple to implement.
Mobile Application Management

8. Evaluate regularly which users have access to data, devices and physical network

  • Cloud App Security shows you exactly whether data is passing through all endpoints.
  • Document data, lateral movements, usage of applications, global traffic, count of applications in use in your organisation, risk levels, GDPR-proof applications, etc.
  • Bring network devices logging in CASB to have more insights.
Cloud Discovery

9. Track and block access for temporary projects or when employees leave the company

  • Governance without enforcement is just good advice.
  • Create simple written policies, enforce policies.
  • Create retention policies for example in a Microsoft Team that removes the team after 180 days.

10. Use information protection to protect your data everywhere

  • Use Information Protection to protect document data. Even if you lose the document “physically”, there are still options to block it from opening and keep it secure from distribution, opening, editing, etc.
  • Create document data insights from on-premises and cloud solutions with Microsoft Information Protection Policies.
Unified data classification platform
Retention Label

Conclusions

Windows Secure Score
  • Security priorities are difficult. However, I would always start with MFA because this is fundamental identity security. Afterwards, document and device security, because companies are moving to Teams during Covid-19 and you don’t want data leakage during this time.
  • If your identity is not secure, and compromised, there is no point in doing information protection. Because a ‘hacker’ will use your accounts to access your corporate data.
  • Use Microsoft Securescore.microsoft.com as a guidance. Extract your priorities.
  • Let’s do it!

Modern Desktop implementation – Behind the scenes

Introduction & Vision

At Synergics we truly believe in Microsoft’s mission to empower every person and every organization on the planet to achieve more. Every well-implemented project starts with a vision and with goals/milestones.

In the first project we delivered workshops to understand the transformation needs of the organization. We identified the digital outcomes below (the description is basic, I know, but it’s another side track of this implementation).

  • Empower information workers and firstline workers so they can collaborate and communicate.
  • Simplified communication – Communicate through the full organization.
  • Increase agility for the IT-Organization – adaptability.
  • Futureproof design – Technical design, cloud first strategy.

You can read the reference-case in NL or FR! Microsoft Surface with Windows Autopilot ensure efficiency gains and easier IT management for the city of Lokeren. Reference Case.

Evolution to modern management – 100% CLOUD!

  • Less complexity
  • built-in automation
  • brand-new configuration & policies
  • higher security standards
  • self-service possibilities
  • 100% CLOUD!

To achieve more it’s important to give control to the people (empower), update your platform, make roll-outs of new devices easier, etc. (scenario on the right, 100%…)

Traditional Co-Management Modern

New device setup experience with Autopilot

Imaging/cloning/etc. of devices takes a lot of crucial time compared to Autopilot. This isn’t the easiest enabler because there are policies and GPOs in place. With Autopilot we deliver the roll-out of the Windows 10 devices and sync back the device object, so on-premises resources can still be accessed during the transition, with future plans in mind.

Autopilot Microsoft EndPoint Manager
  • Old GPOs can stay for some time.
  • New possibilities of modern management become active.
Autopilot

Microsoft Windows update in waves & delivery optimization

It looks like an easy job, but most of the time it’s an uncontrolled mechanism.

Windows 10 started in 2015 with builds such as 1511, 1607, 1703, 1709, 1803, 1809, 1903 and 1909. As you can see in the screenshot, we are now transforming to 1903, with 1909 starting soon.

Compliance Policy
Device Compliance

Hybrid Identity – and password write-back

I was hoping to write cloud identity, but we still live in a world of on-premises infrastructure waiting to move to the cloud. For now we are creating and maintaining identities on-premises. We enable password write-back so users are able to change their password.

Azure AD connect configuration

Intune mobile device management authority

Office 365 ProPlus distribution based on dynamic collections

It sounds very easy but I’ve seen a lot of customers fighting with licenses and automated processes.

  • When a user lands in an M365 E3 dynamic collection because of its parameters, Office ProPlus is automatically distributed.
  • When a user has no ProPlus access, like an O365 F1 user, Office 365 ProPlus will be removed.
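
The trick that keeps those two bullets from becoming a licensing fight is to let the collection follow the license rather than a maintained list. As an added example (not the project’s own code) the script below creates an Azure AD dynamic group whose rule keys on the ProPlus service plan; it assumes the Microsoft Graph PowerShell SDK, Azure AD Premium P1 (needed for dynamic groups) and rights to read subscriptions and create groups.

```powershell
# Added example (not the blog's own code). Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Organization.Read.All"

# Look the service plan id up in the tenant's own SKUs instead of hard-coding
# a GUID. Microsoft 365 Apps for enterprise (Office 365 ProPlus) still carries
# its legacy service plan name OFFICESUBSCRIPTION.
$plan = Get-MgSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq "OFFICESUBSCRIPTION" } |
    Select-Object -First 1
if (-not $plan) { throw "No subscription in this tenant contains the OFFICESUBSCRIPTION service plan" }
$planId = $plan.ServicePlanId

# Membership rule: the user holds the plan AND it is enabled (a bundle can carry
# the plan with the service switched off). An F1 user never matches; an E3 user
# who loses the license drops out of the group on the next evaluation, so an
# Intune "uninstall" assignment aimed at everyone outside the group cleans up.
$rule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq ""$planId"" " +
        "-and assignedPlan.capabilityStatus -eq ""Enabled"")"

$group = New-MgGroup -DisplayName "DYN-M365Apps-Licensed" `
    -Description "Users licensed for Microsoft 365 Apps; target of the required app assignment" `
    -MailEnabled:$false -MailNickname "dyn-m365apps-licensed" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

Write-Output ("Created dynamic group {0} ({1}) with rule: {2}" -f
    $group.DisplayName, $group.Id, $rule)
```

Assign the Microsoft 365 Apps package in Endpoint Manager as Required to this group and as Uninstall to all users with this group excluded; membership evaluation runs asynchronously, so give a new rule some minutes before checking members.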

Onedrive Known Folder Move (KFM)

There are two primary advantages of moving or redirecting Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll) to OneDrive for Business for the users in your domain:

  • Your users can continue using the folders they’re familiar with. They don’t have to change their daily work habits to save files to OneDrive.
  • Saving files to OneDrive backs up your users’ data in the cloud and gives them access to their files from any device.
  • This has value, value, value. Users can find their documents on their phones because of the automated move. When their workstation crashes, the data is still there.

Microsoft Defender Advanced threat protection

All devices are fully managed under the great MDATP (also see the quadrant).

  • Multi-layered protection: Microsoft Defender ATP provides multi-layered protection (built into the endpoint and cloud-powered) from file-based malware, malicious scripts, memory-based attacks, and other advanced threats
  • Threat Analytics: Contextual threat reports provide SecOps with near real-time visibility on how threats impact their organizations
  • A new approach to Threat and Vulnerability Management: Real-time discovery, prioritization based-on business context and dynamic threat landscape, and built-in remediation process speed up mitigation of vulnerabilities and misconfiguration
  • Built-in, cloud-powered protections: Real-time threat detection and protection with built-in advanced capabilities protect against broad-scale and targeted attacks like phishing and malware campaigns
  • Automated security, SecureScore and +10 more features!
Microsoft Defender ATP

Enterprise state roaming (ESR)

With Windows 10, Azure AD users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8. Additionally, Enterprise State Roaming offers:

  • Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
  • Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
  • Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.
  • Even next to KFM! Even better against data loss, etc.

Future achievements..

  • Everything starts with the value of Microsoft 365 E3 or E5.
  • Analytics and data. My-analytics, Workplace Analytics?
  • Security Operations – Advanced hunting?
  • Proactive services – thousand scenario’s possible..
  • Automation in processes with Power Automate?
  • Deep integration with third-party applications?
Modern Device Management

Office 365 ATP Recommended Configuration Analyzer – Best Practices!

Office 365 Advanced Threat Protection is growing and evolving over time. Writing documentation takes time – automation doesn’t. Automatically export your O365 ATP settings in one HTML file to see the scores and recommendations.

Solution: ORCA! Orca is a report that you can run in your environment which can highlight known configuration issues and improvements which can impact your experience with Office 365 Advanced Threat Protection (ATP).

Start from Exchange Online PowerShell

Start up your Exchange Online PowerShell module from:

PowerShell Module Exchange Online

Installation of ORCA

  • Install-Module ORCA
Install Orca

Run ORCA

  • Get-ORCAReport
OrcaReport

Results

The results are written to a log in your user profile and populated into a really nice HTML overview.

High-level overview of the Office 365 ATP ORCA Report

Configuration Analyzer Report

Recommendation example

Compliant Level
Safe Links

What’s in scope?

  • Configuration in EOP which can impact ATP
  • Safe Links configuration
  • Safe Attachments configuration
  • Antiphish and antispoof policies.

Coming Soon!

  • At an MS Ignite session Microsoft announced a new best-practice portal in the Office 365 admin console. The session can be found here: 79719 (BRK2104)
Best Practice Analyzer

Bring it all together

  • Export and compare multiple customer scenarios. This will help you determine the differences.
  • Modern security mechanisms such as Office 365 ATP are continuously improving and need continuous attention and recurring validation (each month!).
  • In 2018, the percentage of inbound emails that were phishing messages grew 250%. That trend has continued to grow with an increased level of targeting and sophistication! Still super important!
  • Focus on user education and training. In addition to advanced security tools for detection, investigation and response, still 40% is user-related.
  • More and more control and reporting will come to the Office 365 portal!
  • AND NOW, since you have the report in an easy way: ACT and enable the best practices!

Protect apps with Microsoft Cloud App Security Conditional Access App Control

A lot of companies are struggling with data leakage when it comes to their Exchange Online environment. Easy fix! Enable Microsoft Cloud App Security Conditional Access App Control! First, check the 7-second demo: it explains it without the unnecessary words!

Scenario:

  • You have all your devices enrolled in Microsoft Endpoint Manager, aka Intune.
  • You have an inventory of, and control over, your hardware assets (CIS Control 1).
  • You are using Office 365 or Microsoft 365.
  • You don’t want users to download their e-mail attachments on a non-company-owned device (other scenarios are possible!).

It sounds complex, and I strongly believe that perception makes implementations far more complex than they need to be. So here are the two practical steps for the configuration.

Step 1: Choose the cloud application and select the condition

  • Select cloud apps or actions: Office 365 Exchange Online
  • Select a condition: the device is marked as compliant, based on an Intune compliance policy that is able to CHECK whether the device is compliant. Users on compliant devices simply go their way on Exchange Online.
Device state (preview)

Step 2: Select the session control

  • IF the device is not compliant, users are not able to download attachments to their environment: Use Conditional Access App Control, Block downloads. That’s it!
Conditional Access App Control
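The same two steps as a Conditional Access policy created with Microsoft Graph PowerShell, added here as an example that is not part of the original article or of Microsoft's documentation. The "Device state (preview)" condition shown in the screenshot has since been retired; its equivalent today is a device filter that excludes compliant devices, which is what the example uses. The emergency-access group id is an assumption, and the policy is created in report-only mode on purpose so you can read its impact in the sign-in log before enforcing it.

```powershell
# Added example: Exchange Online browser sessions from non-compliant devices get
# routed through Cloud App Security with downloads blocked.
# Assumes the Microsoft.Graph module and the Conditional Access Administrator role.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Assumed: group holding the break-glass accounts, always excluded from CA policies.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'CAAC - Block attachment downloads on non-compliant devices'
    # Report-only first; switch to 'enabled' after checking the report-only results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Step 1: the cloud app. Well-known first-party app id of Office 365 Exchange Online.
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        # App Control proxies browser sessions only; rich clients are not affected.
        clientAppTypes = @('browser')
        # Step 1, the condition: EXCLUDE compliant devices, so the policy applies to
        # every device Intune does not vouch for (non-compliant or unmanaged).
        devices        = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    # Step 2: a session control, not a grant control. Access stays allowed; the
    # session runs through the reverse proxy with file downloads blocked.
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'blockDownloads'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created policy "{0}" ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State

# Check: which policies in the tenant already use the blockDownloads session control?
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.CloudAppSecurity.CloudAppSecurityType -eq 'blockDownloads' } |
    Select-Object DisplayName, State
```

Two details matter in practice: the device filter uses mode 'exclude' because a compliant device must simply pass, and clientAppTypes is limited to 'browser' because the proxy cannot intercept Outlook desktop or mobile traffic. Blocking those clients on unmanaged devices is a separate grant-control policy.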

Through its native integration with Azure AD, any app configured with SAML or OpenID Connect can be self-onboarded.

In addition, the following apps are featured by Cloud App Security and are already onboarded and ready to use in any tenant (more apps: here):

  • Exchange Online
  • OneDrive for Business
  • Power BI
  • SharePoint Online
  • Microsoft Teams

Conclusions

  • Blocking attachment downloads in Exchange or OneDrive from non-company-owned devices doesn’t mean your organization is good to go! This practical example shows how flexibly conditions can be combined to prevent leakage of data through e-mail.
  • Blocking Exchange downloads may make your organization aware that crucial information is still being sent by mail when it should live in Microsoft Teams or SharePoint Online.
  • Microsoft Information Protection could play a big role in this configuration, but this enablement can be a first step in growing security maturity.
  • More options? YES: a notification when someone downloads 10+ documents, leaked credentials, impossible travel, a file shared with an unauthorized domain, a new risky app, …
The multi-factor authentication struggle? AND the solution!

The struggle of a multi-factor authentication implementation is REAL and, most of the time, really frustrating. Some frequently asked questions and answers below! Let’s turn the problem into a solution.

We don’t want to use Multi-factor authentication – it’s too complex!

  • Ask the people in your organization whether they use the same password as their corporate account for Dropbox, Yahoo, Gmail or Facebook. Do they?
  • I know, it’s really bad advice, but type your ‘old’ password into the Pwned Passwords check on haveibeenpwned.com (it only sends the first five characters of the password’s SHA-1 hash). Is it still ‘safe’?
  • Do you have MFA on your Facebook account? Your iCloud account? Your private mail? Is it that bad?

How to tackle the resistance!

  • END-USER AWARENESS: A lot of organizations (including Microsoft) offer great material that can help your organization communicate well. Communicate, make people understand WHY, support them, give them more!
  • MEASURE THE NEED FOR MFA: Measure the impact in your organization and make people understand WHY. You could send out a fake ‘Payroll update’ and measure how many people enter their credentials. Tell the people who did not enter their corporate credentials that they did very well. Don’t punish people who did; help them identify and understand phishing mails. https://protection.office.com/attacksimulator
ATP Phishing demo
Change Password
  • SELF-SERVICE: Give people in the organization some pros in return for ‘having’ to do MFA, for example self-service password reset. It can also reduce the workload of IT teams, because self-service is nearly impossible (insecure) to deliver without a trusted second factor.
  • MODERN MANAGEMENT: Bring all your devices into Azure AD in a state where they are at least Azure AD joined, so users get pros like single sign-on in Microsoft Edge. Other browsers are possible, but require a little more time.
  • CONDITIONAL ACCESS: It’s simple to define a basic set of conditions under which a second factor shouldn’t be required, for example your own work environment. That opens up a lot of possibilities for a better roll-out. Better to have MFA with one exception than no MFA at all.
Passwordless authentication codes
  • PASSWORDLESS AUTHENTICATION: Deliver passwordless authentication. It will help your users to stop struggling with their password. Implementation guide here.
  • MEASURE THE RISK(S): Log in to your Azure AD portal and export the sign-in logs (the portal keeps 30 days; for longer history, export them to Log Analytics first). Filter on SUCCESS and on a country your company is not in (or filter out all locations you are in and work with the left-overs). Successful sign-ins from where you have nobody are a strong sign of leaked credentials. Mostly it’s clear after this simple exercise.
  • MICROSOFT AUTHENTICATOR APP: You could use SMS as a factor, but don’t bother: use the Authenticator app.
Sign-ins Azure AD
  • AZURE ADVANCED THREAT PROTECTION: Run Azure Advanced Threat Protection as a ‘pilot’. The setup will cost you 60 minutes: order a trial license of Microsoft 365 E5, go through the Azure ATP wizard and add your domain controllers as sensors.
Azure Advanced Threat Protection

After 30 days, go to the console and export the reports on passwords exposed in clear text and on lateral movement paths to sensitive accounts. I’m sure you will find something happening without knowing it! This brings insight where you had none before.

ATP Reports Cloud
  • THIRD-PARTY ASSESSMENT: Use third-party tools to measure the security or cyber-security maturity of your organization.
  • CLOUD APP SECURITY: Measure which data is extracted to which machines to understand the needs in your environment. This will prioritize the need for identity protection (and, later, data control).
Cloud Discovery Reports
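The "MEASURE THE RISK(S)" exercise above, done with Microsoft Graph PowerShell instead of a manual portal export, added here as an example that is not part of the original article. It assumes the Microsoft.Graph.Reports module, an account with AuditLog.Read.All (Reports Reader or Security Reader is enough), Azure AD Premium for the 30-day sign-in log retention, and a list of countries where the organization actually has people; that list is a constructed assumption you replace with your own.

```powershell
# Added example: successful sign-ins from countries where the company has no presence,
# grouped per user and country, as a leaked-credential triage list.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Assumed for the example: where your users legitimately are. Everything else is a left-over.
$ExpectedCountries = @('BE', 'NL', 'LU')

# Sign-in logs are retained 30 days with Azure AD Premium; filter server-side so the
# result stays small. status/errorCode eq 0 means the sign-in succeeded.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter  = "createdDateTime ge $since and status/errorCode eq 0"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# Keep only entries with a resolved country that is not on the expected list.
$suspect = $signIns | Where-Object {
    $_.Location.CountryOrRegion -and ($_.Location.CountryOrRegion -notin $ExpectedCountries)
}

# One row per user/country pair, most frequent first, with the source IPs and apps
# needed to talk to the user (or to reset the password and revoke sessions).
$summary = $suspect |
    Group-Object UserPrincipalName, { $_.Location.CountryOrRegion } |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            Country   = $_.Group[0].Location.CountryOrRegion
            SignIns   = $_.Count
            FirstSeen = ($_.Group.CreatedDateTime | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
            IPs       = ($_.Group.IPAddress | Sort-Object -Unique) -join ' '
            Apps      = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object SignIns -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path (Join-Path $HOME 'unexpected-country-signins.csv') -NoTypeInformation
```

Treat every row as a lead, not as proof: travelling users and cloud-hosted VPN egress points produce legitimate hits. What you are looking for is the user who has never left the country but signs in every night from somewhere else, with an IP and app that do not match anything they recognize.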

Advice to IT Administrators

  • Maintain an 8-character minimum length requirement (and longer is not necessarily better)
  • Eliminate character-composition requirements.
  • Eliminate mandatory periodic password resets for user accounts.
  • Ban common passwords, to keep the most vulnerable passwords out of your system.
  • Educate your users not to re-use their password for non-work-related purposes.
  • Enforce registration for multi-factor authentication.
  • Enable risk based multi-factor authentication challenges.

Microsoft’s password guidance hasn’t changed in years. It’s still great!

It isn’t only commercial talk…

Microsoft sees over 10 million username/password pair attacks every day. This gives them a unique vantage point to understand the role of passwords in account takeover. 99.9 percent of attacks on your accounts can be prevented with MFA (and yet it often isn’t turned on).

Side notes