Tag: Cloud App Security

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

Microsoft is delivering automated Security Operations (SecOps) for any organization

Microsoft is delivering automated Security Operations (SecOps) for any organization

Hi There! I’m happy that you find your way to one of the series of blogs about Microsoft 365 Security.

You may find earlier articles that will help to understand the scenario where I wanted to position this solution in. First Article: How to build your Zero Trust modern workplace with Microsoft 365. This articles is focusing on relevant security discussion that can help segment and isolate your broader IT landscape. Important to keep on track is the foundation of security maturity in Microsofts technological landscape. I mean, you need a baseline for doing sec-ops. You need to get things finetuned, get modern technology to be sure you’ve done all you can to decrease the respond actions. In the next article I’ve answered the technical high-level blocks to actual shift workloads to Microsoft 365 and Azure. Yes, I’m focusing cloud technology. And the reason why is written in this Zero Trust article.

At first it will be useful to get some context of the type of customers where I wanted to touch-base this Security Operation strategy.

It’s time for change. “I’m not a Security specialist. Not totally aware of the technological part of it and my question is: ARE YOU?”

What I mean by this statement is that there is a lot cyber risks. The understanding is poor. The implementations are very basic. For example a SIEM solutions, companies are buying SIEM solutions and are doing nothing with it. But they have a SIEM. — Why do we think we need 10 people in a SecOps organizations if we don’t have a team now? — Why not make standards, fully automated. And run a SecOps operation different than hard-core teams (early adoptors)

In this article I’m providing answers on these topics. Feel free to give a reaction in the comment! Thank you for reading.

Customer focus

The customer focus of this article are small and midsize companies. Microsoft Cloud focused. Because their security maturity is relative low. Companies struggling with the fact that they cannot get their SecOps in order because: it’s too complex, too expensive, the maturity is low.. read on, below.

Framework for security operation

Every security operation need a plan and strategy when it comes to running the operation. Let’s make this simple. A Security Operation is using mythology which include:

  1. Identify: Who has access to information or privileged controls. Is it really you?
  2. Protect: Limit access, patch, upgrade, update, keep everything in order.
  3. Detect: Detect malware (Antivirus), monitor for anomalies for sign-in and device behavior
  4. Respond: Fast response for mitigation of the issue, or limit the impact. Clear Incident process
  5. Recover: Have a plan for disaster when security incidents are appeared. Backups, cyber insurance, and more technical important be able to recover from difficult damages done.

What is a Security Operation?

SecOps (Security + Operation) is the organization to facilitate and elaborate with focus on security in a organization. It has procedures, standards, process which describes the actions and effort it will put in running this Security operation.

SecOps is ‘always running’, with service-level agreements (SLA), possibly 24/7. SecOps is a team of people continuous working on Identify -> Protect -> Detect -> Respond..

Is a Security Operation overvalued?

‘Security operation” is a container concept. Which doesn’t always make the same understanding. It has no real meaning like ‘digital transformation’. When people talk about SecOps they talk about their analyst running trough their SIEM. Others are talking about endpoint security, and most of the time (because of the relative impact) we talk about patching and updating of systems or incident response. — reactive.

SecOps is overvalued because there is a double understanding here. We have the top 5 giant companies as Microsoft doing SecOps for their customers. And you have your own SecOps team doing the already ‘segmented’ of ‘made ready for you’ actions. Our Security Operation teams needs to be in charge of the incidents when appearing. And all other tasks reactive on the somewhat predefined roadmap of Microsoft. It’s the only way – embrace the change.

This shocking title is an invitation for you — to think about security operations in a different way. The world has changed since companies are shifting their workplace and workloads towards Microsoft 365. It became super relevant to think about the strategy and the usage in your organization of this service and infrastructure. How important is O365, CRM, M365, Networking, Applications in your datacenter.

Focus has never been so important then today, also on security efforts

If you, as an organisation work with future proof collaboration tools and migrate your server infrastructure to Azure or AWS or private datacenters the focus stays at protection Microsoft technology. It’s a fact.

How does a security operations work?

High-level overview of how your security operation is running:

Tier 1: Clearing the incident queue – Triage and high-speed response
Tier 2: Investigate and respond – Deeper analysis and remediation
Tier 3: Hunting based on org specific knowledge – Proactive hunting and advanced forensics

Why choose Microsoft?

Choose Microsoft for simplifying your IT Landscape. It’s already difficult enough. Next to that: Microsoft is leading and heavily investing in Cybersecurity. And buying companies that fit in the future needs.

If you’re building your workplace with 90% Microsoft Technology It’s super strange not to take Microsoft Technology to protect this environment. Think about the foundation infrastructure. Technology and workloads are never the goal of transformation but they are just facts when shifting. Choose wisely if you’re not willing to go the Microsoft way. And if you choose different, integrate with Microsoft.

Why Microsoft? Because it’s leading in the Security era. Let me put this very clear. I do believe there are a lot of security vendors creating great great technology for keeping organizations save. Most of the time the missing part is integration in one ecosystem. That is were the fragmentation and segmentation and integration fails. If it’s not integrated well enough:

  • Alerts are coming from everywhere
  • The focus is lost
  • Security standards are lowered
  • The automation is poor
  • The security vision is troubled
  • The Impact on changes are difficult

Licensing for Security Operation

I’ve written a popular article about why should each company invest in Microsoft 365 E3 and E5. As you can see in the licensing part in Microsoft 365 E5 Windows 10 Enterprise E5 + Advanced EndPoint Security is included.

Building blocks of organizations core infrastructure

The fundamental infrastructureBuild your workplace based on a layered approach. The high-level is written below the details in this highlighted article.

Identity: Building your foundation identity management solution as described in this article. Cloud first. Azure AD primary. More options -> more automation.

Protect Devices: Windows 10, Mobiles, iOS, Android. Exclude non supported devices so it’s super clear what is supported. On paper + technical. Compliance.

Services: Understand the services used by your business or customer. 5% of all companies do know what software they are using and running. Ask the DPO to deliver a list of current used applications and services..

Data: Data can be in Microsoft 365. Third-party can be strategic defined that it lands in SharePoint, Teams or OneDrive. Most of the time that’s your 90%.

Network: Just treat it as an public connection. Depending on the migration path to M365 and Azure. When all infrastructure is still running on-premises. It could be that it’s not (yet) possible.

There are always exceptions needed for some applications – but this doesn’t mean you cannot do the 90% right!

Why you (don’t) need a 24×7 team

Focus on the prevention of important fundamental things as for example: Identity & Devices. Automate all actions in Tier 1 + Tier 2 even if you don’t to research and analyses right away. Because you don’t have people working in the night. Make smart decisions. Isolate risks as compromised identities, devices etc.. Automate.

This is the most important figure of the whole article.

Practical examples of T1 and T2 response and remediate

Example 1: Identity protection: Require Password Change when the risk is high. Create process that describes the action required as: Call user – validate risk – validate credentials (real person) ..

Identity Protection
Identity Protection

Example 2: Automatic Remediation when suspicious events are happening.
If you don’t want to do anything set remediation to automatically and build a partnership with Microsoft Engineers to consult when threats are around the corner. This is a holistic position. You need Security specialists to start from scratch.

Example 3: Isolate a machine when risk is detected. You can use Microsoft PowerAutomate to do automated response when events appear. The possibilities built-in without any code and development are huge. The impact and value is undervalued 🙂

Identify(1) and Protect(2)

What you could do to Identify and protect your organization is work with the: Threat & Vulnerability Management dashboard to map actions on your roadmap to implement. 5 top Security recommendations are brought by Microsoft, as example.

Security Recommendations: Find the critical gaps. Put them towards the operational team. Process needs to be defined.

Software inventory: Easiness of understanding the temperature and the required actions to make these risks go away. Again process..

Integrate ATP for on-premises alerts from lateral movements, plain text passwords, pass-the-ticket/hash to understand which alerts occur.

Detect (3)

Weaknesses in SecurityCenter: Easy to bring these in the first process and create processes with service levels to fix these gaps.

Cloud App Security: Find anomalies based on Alerts of sign in or device based.

Azure Workbooks for sign-in analyses

Other possibilities: Risky Sign-ins, Security center, Log Analytics queries,..

Respond (4)

Responding is actually doing something to prevent that the breached device or identity is being taking care of. It’s doing an action to prevent different users from having the same risk. As for example isolate a device when doing to research. Or locking an account as long as the risks is valid. Also work with ATP.

Automatic investigation can start with: User-reporting a phishing emails or
a user clicks a malicious link.

Recover (5)

Ransomware detection and recovering your files. (built-in)
SharePoint Site-restore for collections and sites. (built-in)
Backup with Microsoft technology of third-party. Azure Back-up, SQL Service backup.
Disaster recovery (Plan)
Cyber insurance

Conclusions

  • Microsoft understand that automation is the way forward. Alerts creation, follow-up to have relations in events. It’s time to shift from complex Security Operation to understandable solutions with reporting, automation and long-term possibilities.
  • Sensitive document data can be found in Office 365. (Exchange, SharePoint, Teams). Core-application as CRM and Server Infrastructure are integrated in Azure AD. The risks are shifting to the modern cloud. Focus on these new risks. Not the on-premises Active directory, not anymore.
  • Focus on T1 and T2 automation. Next to reactive follow-up, work with the benefits of E5 MDATP. If you’re able to get the security baseline to a next level the standards will shift to a less risky environment.
  • SIEM solutions can be integrated but keep in mind: If the full infrastructure + Office 365 is shifted. Do you still need an different solution on-premises or in Azure?
  • Microsoft 365 E5 includes great security features with a cost. It’s best to use the full potential.
  • Power Automate skills are important for SecOps and can be used for different Sysadmin tasks and other teams in the organization.

And after this journey? Logic Apps with building blocks for quick deployments and standards, reporting, Azure Sentinel workbooks with templates as in this blog, Integrations with ticket tools, prediction and whatever you like…

Thank you so much for reading! If you have feedback please comment below or reach out on Linkedin or Twitter.

how to build your Zero Trust modern workplace with Microsoft 365

how to build your Zero Trust modern workplace with Microsoft 365

Thank you so much for reading my blog about: How to build your modern workplace with Microsoft 365. In this article I’ve written an high-level approach of an implementation and shift from a more traditional organization towards a cloud focused organization. I would love to receive feedback in in the comment, on Linkedin or Twitter. Also read: The value of Microsoft 365 E3 and E5.

This blog is describing the strategic, high-level possibilities how Microsoft 365 can help you, as an organization to be ready for a modern future.

Strategy and vision

Welcome in 2021. The world has changed since Covid-19…

Organizations are struggling to anticipate better on their workforce to help and achieve their ultimate goals.

To collaborate better, to get in contact different than before a more modern approach is necessary – change is required. I don’t want to go to deep in the fact that it is becoming a huge challenge for CIO’s and IT Manager since the world has shifted into a new era. Working different has become a new standard. And the change driver is from the outside towards inside. It is happening — there is no way not to accept the signals and facts. There is no way, not to change.

When mapping these challenges on the technological needs of today I’ve summed up some topics that will come back in my article, later. The main challenges are:

  • To connect people to collaborate in a different way with new technical possibilities – Keeping in mind that the experience needs to be great. It should be simple. Transparent. Team driven, no individuality.
  • To use proven standards that do work – because they are used in multiple organizations. The slowness of not believing these standards and references and going the own way is killing organizations from within. This results in slow implementation speed – lack of confidence and trust which results in over thinking. And conclusion: failing.
  • To provide the right tools that do work for organizations – In a modern world – without the fence of physical locations and more important with the same security level as in the early on-premise days.
  • To be fast enough and accelerate your business goals. Timing = everything — Lack of speed = lack of relevance.
  • To get you security maturity in order, better, safer, to grow to a technical safer workplace – this is more important than ever. If you see the cyber Risk trends growing, somethings needs to change.

Companies are working different than before. And I trully believe that the one that is most adaptable to change do survive.

It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.

The traditional corporate infrastructure is isolated of the outside world

As you can see in this picture that’s is brought by Microsoft in the zero-trust concept organization did build great solutions in their datacenters on their premises. In their decentralized redundant datacenters with everything in place to have their DRP and failover working great. I’m not bashing on smart people which did a great job fixing these massive complex integration to keep everything running 24/7, in their de-central service centers / data centers.

The problem is, the solution is… As I’ve mentioned in my last point. Organizations did a great job, on their premises to get everything working as it should.

Disruptive of cloud organizations as Microsoft, Amazon and Google came with scalable and relative quick-deployable solutions. Solutions that didn’t require the technical need of the on-premise or ‘self-owned’ of Infrastructure on premises. Software-as-a-Service (SaaS) solutions that were isolated from these corporate environments with plug and play capabilities to most important leverage solutions for these organizations – and this is the most important aspect of it all. Solutions for organizations, to achieve more. The get to the ultimate goals of these organizations. Non technical driven scenario’s, business case and business scenario’s. I think we are somewhat naïf not understanding why disruptive came. It is mainly because we were not able to adapt on changes required to make our organizations more modern. With high speed implementation. Image a new Office 365 customer in a cloud scenario. With: Exchange, Sharepoint, Teams, mobile device management. They can start after some hours of implementation. Image this setup on- premises. How long will it take? Perspective = everything.

A new concept of layered approach which kills the fish tank within corporate infrastructure

In the picture below you will see the corporate datacenter with all servers running in virtualized state, segmented with additional security solutions. Segmentation on networking storage and many more services. It’s so extreme complex. One mistake could impact everything. next to mistakes: Ransomware, targeted-attacks, phishing attacks,.. and all other bad-actors took this opportunity to infiltrate and bring this infrastructure down. Sell data. Bottom-line: it became so complex to react on all aspect of just only the core infrastructure where your servers and services are.

Microsoft didn’t invented the layered approach when it comes to: Identity, Devices, Services, Data and Network. It’s no new model nor real solution that fixes any problem. No, it’s a way of understanding and integration of your assets to bring them in a layered solution where it cannot touch the asset next to it. And isolation was always the biggest problem of own infrastructure. Even when your organization is huge it’s still extremely hard to take everything under control and secured. The right conclusion: Layered approach.

Building your foundation identity management solution

Almost every organization did start with Microsoft Active Directory Servers/services with Windows 2000 or Windows Server 2003. Upgraded to more future-proof versions to integrate better. More features, more integration capabilities, more security. Newer versions.

Cloud solutions came disruptive like BPOS, Office 365 and we did integrated our current infrastructure with Identity federation solutions as Microsoft FIM to provision our on-premise active-directory ‘accounts’ towards Azure Active Directory. Later the process was well optimized to bring all on-premises identities in sync with Azure AD connect. A modern tool that helps extending your current on-premise Active directory to Azure Active Directory. But we didn’t thought Office 365 was the most important part of our core organization.

Azure Active Directory is different than Active Directory On-premise. Is has more features and a more security baselines than a Active Directory server. I’m not saying that Azure AD is by design more secure. I’m saying the options are there to start with a better secure platform. Building blocks. Easier for activations as for example: Azure AD Security Defaults. Maximum value, less complexity faster implementation speed.

Enterprise hybrid cloud solution to extend to Office 365 and Azure

Before 2020 a lot of organizations shifted workloads from their on-premises systems infrastructure to Office 365. The most common workload was Exchange On-premise to Exchange Online. Later these workloads did shifted in the Office 365 landscape. For example:

  • Fileservers became -> OneDrive, SharePoint or Microsoft Teams
  • SharePoint on-premise -> Hybrid -> SharePoint Online
  • Mail/Exchange on-premises -> Exchange Online
  • Voice/Skype tot hybrid Skype -> Skype Online -> now Microsoft Teams with PSTN, Direct routing and all voice capabilities.

As you see I’ve migrated the biggest workloads on paper and there is nothing left except application servers, other e-mail systems, voice solutions and other solutions. (See Apps & Scenario’s)

As you all know sometimes small infrastructures or some applications are slipping in the architectural designs – I don’t think we need to overvalue the fact that in every change some things needs to change! Old legacy, phase it out, migrate to different solutions. Focus long-term.

Endpoint devices and future-proof device management

Devices as Windows XP, Vista, 7, 8, 8,1, Windows 10 (since 2015) 1703, 1706, 1709, 1803, 1806, 1809, 1903, 1909. Were staged by System-Center Configuration Manager in a on-premise solution. And are now brought in a hybrid deployment with Microsoft EndPoint Manager.

Microsoft EndPoint manager is a combination of SCCM + Intune. To get the best of both worlds. Manage workloads from cloud and on-premises. Example: You could implement, during Covid-19 the change of update mechanisms from SCCM towards Endpoint Manager.

In this great overview you see on the left the integration of the current Active-Directory environment towards Azure Active Directory. In the right you see future state building blocks that needs to be active on your endpoint devices, to be prepared for the non-phish tank approach. Because most of the time: you already chose Microsoft, Windows 10 and Office 365. The possible scenario’s of managing your endpoint devices:

  • SCCM only or third-party solutions
  • SCCM CO-Management with EndPoint Manager
  • EndPoint manager only

How to choose what’s right for your organization? What is the right path for modern management? Which products would you need to choose to be ready for a future state workplace?

I’m total fan of going for EndPoint manager in the cloud only world. Because if your new to modern management you have the opportunity to use your hybrid Identity (from on-premises) and your cloud-only joined Azure AD Windows 10 workstation.

Why? Because different than before speed became a huge factor of implementation. And focusing on only the deployment and core Windows 10 enrollment has became less important compared to security implementations and improvements.

  • The first reason: The configuration and implementation is easy. Not because I’m lazy to implement more complex solutions but the create simplified standard solutions to manage your Windows 10 Devices is just so important. It’s great to have standard sets in Intune that are on or off. It helps the dialogue and the complex discussions and integration in high-speed.
  • Second reason is: Mobile devices, mobile device management with basis functionality is very easy and transparent with Endpoint Manager. And as we all know: You need to have some scenario’s for: BYOD, CYOD, COPE and COBE. BYOD is Bring Your Own Device; CYOD is Choose Your Own Device; COPE is Company Owned/Personally Enabled; and COBO is Company Owned/Business Only. Are you thinking this is the bla bla cool term discussion? Let’s get that sorted out: Are you able to securely work on your mobile applications and protection your companies IP. Do you know where your company data is located?
  • Third Reason: The security maturity and implementation effort has pro’s: Bitlocker activation, Windows Hello For Business working great full-cloud, easy activation. I believe segmentation of this device layer is important to not have lateral movement with domain joined devices connected on-premises. It’s not even technical possible if the device is not trusted. (zero-trust)
  • Fourth reason: No hybrid complexity, easier staging with Windows Autopilot. Staging from anywhere. Not possible in hybrid scenario’s, at the moment. It’s announced will be possible soon.
  • Fifth reason: Go Cloud. If you have no on-premises infrastructure left and are able to go without ‘traditional’ domain controllers to Azure AD or ADDS. The baseline is the most important real touchable factor. There are more capabilities easier to implement. Long-term is the real reason.

Why should you choose for CO-Management and what are decision points?

  • When you are not in a hurry moving to full-cloud. And for example defined you will shift in 2025. And still will keep your on-premises core-environment intact until then.
  • When you have big task-sequence and big deployment of software that is not possible to bring to Endpoint Manager. But more important is strategy. It will be strange if you keep SCCM without any other workload on-premise. Choose strategic, long term.
  • If strategy of full-cloud is defined. Don’t invest in co-management. For example: No business critical application service is running on-premises, shift to EndPoint Manager. Its better to make the invest in modern tools compared to well know configuration manager.
  • When you have 20 language packs and custom scripts. Sometimes hard decisions needs to be made to be more flexible in a later stadium. Again, Strategic decision.

Services, servers and infrastructure

It’s al about responsibility, complexity, standards, governance, way of stabilizing your businesses critical systems.

Responsibility and Security: As you can see in this matrix thanks to the shift of On-premise servers, appliances, services running Windows Server or different operations systems the ownership is in the organizations hands.

The downside in general is security. It’s difficult to segment, patch, upgrade, update and keep track of risks in the attack chain. Servers are integration with active-directory. Next to Security TCO is important. Did you know that we spend a lot of our time doing core-infrastructure task to keep everything running. It’s so critical infrastructure. Do we really want to keep on working and supporting this infrastructure when there are other options? It’s illusion to think organizations can keep up evolving and transforming when the focus is not shifted and the battle of cloud focus is not yet won.

The next diagram shows the responsibilities – import for knowing the opportunity for engineers, architects and the impact on these people. Next to the workload and impact the technology is probably more important.

“Rehost, Refractor, Rearchitect, rebuild, replace” – IF you want to shift to a modern approach redesign to Software as a service, wen possible is very important.

Example: Azure FileServer, Azure SQL. No Windows server 2016 running SQL instance(s). Just a SaaS solution. Easier for technical workers.

Data (documents)

Data maturity. automatic processing. Automation,. You get the point. (document)data is crucial and needs protection. Data is the core of every organization. And still we are sending documents over e-mail, sharing over third-party solutions that are not trusted etc.. We need a consolidated approach to fix document data ‘problem’ and discovery of security risks, compliance. We need to take back control of corporate data. It’s sometimes difficult to understand that companies are building data warehouses with high-end security and leave the door open of information documents / management. We are building super complex systems with machine learning, intelligent architectures for modern needs. With super smart people – but we leave the “core workplace behind” maybe because we are having less smart people really understanding what we are doing.

  • Trust / Platform / Decide -> Choose Microsoft. If you chose Office 365 to collaborate better and you don’t trust the environment you made the wrong choice. I mean, use the technology to make your environment more secure. Don’t use it if it’s just for mail. The tech goes beyond the tool itself.
  • Migrate personal documents to OneDrive, Organizational document to SharePoint of Teams and other application data to Azure Fileserver or different solutions.
  • The main reason is data control. When fileservers, and local copies are gone Microsoft 365 cloud can deliver automated labeling an classification or at least insights on confidential data. We lack data-control. Not even ‘understanding’ of document movement in our organizations.
  • Cloud App Security. Cloud App Security can help you remediate and take actions when necessary, discover document flows and help to set rules on document when the risk of data-leakage is valid. Cloud App Security will not fix the ‘complex’ solutions when we made them complex. There is nothing easier to manage than Office 365: Teams, SharePoint, Yammer, Exchange when this is the only platform used.
  • Security and governance in Microsoft 365 is hard. But it’s even harder if you also have on-premises resources and non-controlled instances. The pro’s of only O365 is you can deliver actionable insights.

Network

I’m not a network specialist. I don’t know a thing of networking. But what I do now is that because of this ‘gap’ of IT-Pro’s to opportunity of hackers will rise. Because of the unknown facts. If you are able to shift all workloads to Microsoft 365 the network part, and the network-security will become less important. When it comes to information breaches, and core-infrastructure is gone on the on-premises. Every organization needs stable network, shaping, priorities and all other things to regulate network infrastructure. It is super important. But, we need to stop trusting our own networks as much as we did, before. Because the silo walls are gone. The crucial organization data did shifted to somewhere else.

Why should we even make a more trusted inside network than outside over VPN or private connections?

Strategic modern workplace decisions

Strategic long-term definitions are important to set milestones to grow to a real modern workplace. Most of the time we are delivering workplace optimizations for 20% of the workplace – of the possibilities and the needs. Only modern management for example.

  • Shifting al or our traditional infrastructure to Azure, Microsoft 365 is crucial for the long-term. For future-proof architecture.
  • Modern Management is a part of a workplace. For just only managing your assets, devices, updates, applications and deployment. But we are making this the import part. It’s the easy part. maybe in the near future Microsoft will deliver end-to-end solutions for deployment and management of devices. I hope they will. Probably we will complain of Microsoft taking over. And we are not willing to see the opportunity of the broad workplace.
  • Security baselines became important to get easier packages with a big value, low-cost, maximum impact. Building blocks to implement to get your organization on a high(er) security level.
  • Consolidation and migration to Microsoft 365 gives control to start with Unified Classification of documents and rich integration with for example PowerPlatfrom. It’s a tremendous opportunity to see how data is moving thought your workplace. And it creates insights to get things in order.
  • Real communication and collaboration is possible from anywhere if you brought all services from on-premises to Microsoft 365. Example: Using Teams with an on-premise exchange? What’s the strategy for that? And this brings me to the start of the article.
  • Mindset. Things have changed in the last decade. In the early days we have build IT-systems that were not able to change fast and may ‘never break’ -> Time has changed with superspeed — mindset should change. To old ‘system’ lacks modern need. This topic is deeply written in the CISO workshop 1 of Microsoft.

There is no room for traditional workloads when your strategy is to work and invest in Security optimizations. There is no room for traditional Exchange, SharePoint and fileservers when you want to be a flexible and cloud company.

We have seen the world changing the last 3 months. Maybe we will turn back to where we were. The choice now is:

  • Would you be the company that is prepared for next trends of working from anywhere – with a future proof ready architecture. to build on. To grow security, data maturity and easiness of future integration and implementations?
  • Would you go back, and use the old-tech? Until your organization is irrelevant because someone will change faster someday.

It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.

Thank you so much for reading! In my post of next week you will read 15 technical high-level implementations and the next steps of a modern secured workplace. If you have feedback please comment below or reach out on Linkedin or Twitter.

Jasper

Modern Workplace security: 5 steps to use Microsoft Teams in a safe way

Modern Workplace security: 5 steps to use Microsoft Teams in a safe way

In this blog I will go through 5 basic security improvement for organization that are shifting to Microsoft Teams. Also read my previous article: The Value Of Microsoft 365 E3 and E5.

Security improvements are embedded in Teams, it just needs activation

I’ve met a lot of organizations over the last months implementing Microsoft Teams, and I really love to see the fast-deployments, the big-activation, simple communication, dedicated onboarding.

  • Did you know that Microsoft Teams is not an addition to Office 365, but an integration of multiple services?
  • Did you know you can integrate the product better in your current workplace than ‘we’ think?
  • And thousand other possibilities – now that’s the problem, right? We do not really knew, before..
  • I know I’ve used Microsoft 365 E5 licenses. You can figure something out without CASB and with Azure Premium P1 + EndPoint Manager.

Introduction: Microsoft Teams Architecture

Did you know that Microsoft Teams is part of Office 365 or Microsoft 365 and is using: Azure AD, OneDrive, SharePoint, Exchange Online, SharePoint, Yammer, Stream, etc all out of the box. I mean, I suppose your organization will use deep integration when shifting to Microsoft Teams. Let’s dig into solutions now!

1. Identity Protection: MFA + Azure AD Conditional Access Policies + Risk Policy

The first step is to have a security-identity. Everything comes to Identity security and authentication – access management in general.

  • It’s still a best practice to activate Multi-Factor Authentication. I’ve written a lot about this in my previous article.
  • Activate Conditional Access to not get craziness of pop-ups and deliver a productive workplace.
Azure AD Conditional Access
  • Force a password change when assuming breach, risk-policies to be sure you can harbor save identities.
User Risk Policy

2. Registration for Windows 10: Device Onboarding

Make your Windows 10 devices known in the organization. So you have them in control, and you can do smart things with knowing.

Register or enroll your devices into Azure AD to provide an identity-token to the device. This identity is used to authenticate the device when a user signs in and apply conditional access rules that require domain-joined or compliant PCs.

  • Hybrid Azure AD Join: Enables devices in Active Directory to register in Azure AD For Access Management.
  • Go through Autopilot and let new devices join in Cloud-Only modus. With an Hybrid Identity. I’m not fan of doing registration only. It has value, but you can give than only Access Management. I’ve seen companies being able to go direct with Autopilot and shift to only Cloud Modern Management and have the devices in Azure AD only. It’s not a requirement Cloud or Hybrid. But it can help with straight-forward implementations.
  • Later you can do EndPoint Manager. Deploy Microsoft Teams, and the Office 365 suite to all endpoints.

3. Block downloading of document on non-trusted devices

If your device is not trusted. Accessing corporates data should be possibly (sometimes not, I know) but different than a real trusted device.

  • Set simple and transparent conditional access policies. Don’t make it to complex.
  • You could use this App Control (preview) to easily block downloading of ANY Office 365 document on a ‘non-trusted’, ‘non-compliant’ device.
  • Keep in mind, when using this. If you only select Exchange, it still impacts Teams, SharePoint as stated in the tip in the first screenshot.

4. Intune App Protection policies for Mobile Devices

You’ve covered your identity, your Windows 10 devices. You’ve covered your non-trusted devices and now your mobile devices.

  • I like to get feedback on this one. I’ve done App Protection policies on multiple customers without changing any definition of the standard policy you can create from: https://admin.microsoft.com – there is nothing wrong with standards. Better a policy activated than no policies.

Or you can use the App Protection Policy Data Protection Framework. It provides 3 levels op App data protection configuration. (github)

  • Level 1 enterprise basic data protection – Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device.
  • Level 2 enterprise enhanced data protection – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration is applicable to most mobile users accessing work or school data. Some of the controls may impact user experience.
  • Level 3 enterprise high data protection – Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.

Access requirements: You can find this in: EndPoint Manager

  • PIN for access: Require
  • PIN type: Numeric
  • Simple PIN Allow
  • Select minimum PIN length 4
  • Touch ID instead of PIN for access (iOS 8+/iPadOS): AllowOverride
  • More details in the 3 screenshots for iOS. I’ve also created a policy for Android.

5. Knowing the risks with Cloud App Security

You’ve covered your identity, your Windows 10 devices. You’ve covered your non-trusted devices and your mobile devices. If there is something slipping in between activation or something is missing. I suggest to use Cloud App Security to see data exfiltration, etc..

  • As you can see in your Cloud App Security portal the ‘possibility’ to understand the block download policy is there.
  • You can dig deeper to understand what happened. In the demo movie on the top I’ve showed left a trusted environment, on the right a non-trusted ‘personal computer’.
  • You can go further with automation from here. But I will not go deeper into this in this article. Because I believe that if you have these 5 steps you have already achieved somethings.

Next steps?

  • Identity protection(1) – automated remediation and creation of service-desk ticket to respond to your risky users.
  • Compliance policies(2) – to not let devices slip under the fingers of IT-departments. You need a process to be sure all devices are passing the same process. And are totally blocked if not.
  • Block downloads on non-trusted devices. (3) Go further, this implementation above is a great opportunity because of the easiness of implementation. Information protection is next. Because people can exfiltrate data when e-mailing, syncing, copying on their corp device, and their home device. And that’s a thing that should not be possible, anymore.
  • Automate actions with CASB. Label your exfiltration expert. And create processes IF there is something wrong. The right people in the chain of command are informed.
  • Next improvement is a future blog! Thanks for reading.

I hope you enjoyed reading. Please comment below!

When and why should you start with Microsoft 365 business Premium

When and why should you start with Microsoft 365 business Premium

Earlier I’ve brought the article: The value of Microsoft 365 E3 and E5. Due the request I’ve written this article about Business Premium. To respect the content of the previous article the creating the modern workplace is crucial to read before reading this one. Global value of the Microsoft 365 stack will be the same.

The value of Microsoft 365 Business Premium

1. High-level

  • Cloud strategy to become a modern organization that will tackle the on-premises complexity and grow to a modern cloud-first organization.
  • Some Microsoft 365 E3 or E5 features are included to enable and empower the people to reset their own password. Some are part of AD premium P1 features: Others are: Cloud App Discovery, Office 365 ATP, Application Proxy, Dynamic Groups, Passwordless authentication.
  • WHY? This product is made for companies under 300 people. And has more value because of this specific offering in the market. The price is lower. It has features of Microsoft 365 E3/E5, but there are constraints because the cloud-only focus. This will push the investment to consolidate on-premises workloads to M365 Business Premium. You will read the details below.

2. Defend against threats

  • Office 365 Advanced Threat protection to be protected with Safe Links, Safe Attachments, Anti-phishing intelligence.
  • Advanced multi-factor authentication. You can choose to bypass MFA from trusted locations.
  • You can enforce Microsoft Defender on your Windows 10 PCs with enhanced protection against ransomware and malware.

3. Protect business data

  • Data Loss Prevention: Microsoft 365 Business Premium can automatically detect when an email you’re about to send includes sensitive data like credit card info, social security numbers, and dozens of other confidential data types. If you’re just conducting normal business. But, if you’re about to do something dumb, it’s a welcome safety net. There are even templates that can conform to geographic or industry-specific regulatory requirements.
  • Encryption of email and documents: If you need to send sensitive data to a partner or customer outside your organization you can encrypt that email with just one click. This ensures that only the intended recipient with the right credentials can open the email.
  • Information protection: You can use this function to control who has access to company information. Whether it’s in an email or a document. By applying restriction that prevents people form forwarding, copying and printing.
  • Archiving: This is another function that’s been made simple for when you need to preserve email and documents for legal reasons, or if you need to access an employee’s email/files after they leave the company

4. Easily secure and manage your devices

  • MAM: Mobile Application Mangement is typically used for devices that aren’t owned by your employees, like personal phones or laptops. This type of management gives you control of company-owned email and files—but personal “data,” like pictures and texts, are not controlled with MAM. With MAM, your workers can use their personal devices to do their job without worrying that IT is controlling it. If a MAM device is ever lost or stolen, it’s simple to wipe all the corporate data from it.
  • MDM: Mobile Device Management: is the best option if your organization issues company-owned devices to your employees for work use. With MDM, you can centrally manage everything on the device, install apps on it, restrict the functions or usage, block recreational usage (kind of a buzzkill, but ok), just to name a few options. As with MAM, if an MDM device is ever stolen, wiping the corporate data or doing a full factory reset is easy.
  • You are able to set a minimum of security requirements needed for a modern midsize organisation.

The Microsoft 365 Business Premium strategy

Microsoft 365 business Premium is created to help midsize organization with their challenging ambition to be more productive and secure. It’s a known fact that not all small business have the possibly to provide a M365 E5 license for everyone.

  • Office apps and services
  • Advanced security + management
  • for 1-300 employees! Hard requirement!
Microsoft 365 Business Premium

Which features of E5 are included in Microsoft 365 Business Premium

Don’t choose Microsoft 365 Business Premium if…

  • I’ve met a lot of people who don’t dare to advice Microsoft 365 Business Premium because for a long time there were less features than today. And they don’t follow the evolution.
  • It is still difficult to grow to cloud-only. so take a good look to the things below that are not included.
  • It is important to know that Microsoft 365 Business Premium is focusing on a cloud-strategy. When you have a mid-size organization who is willing to shift to modern cloud solutions they will be able to shift if they make the commitment to remove these integrations. This product is created to work for cloud scenario’s. Are you able to decommission all of these workloads?
  • It looks difficult but the most services are replaced in cloud variants today. So it’s outdated technology with a high TCO.
  • Exchange Server, SharePoint Server, and Skype for Business Server Client Access License (CAL) equivalency is not included/licensed.
  • Windows Server, RMS, and Microsoft Identity Management CAL equivalency is not included/licensed.
  • System Center Configuration Manager and System Center Endpoint Protection Management License (ML) equivalencyis is not included/licensed.
  • Full overview here.

Microsoft 365 Business will include Azure AD Premium P1

Brad Anderson, Microsoft 365 Vice-President is referring to this blog: aka.ms/aadp1smbblog

High-level decisions to be made

  • Are you ready and able to stop investing heavily in your on-premises infrastructure?
  • Do you want to stop using, Exchange, SharePoint, Skype for business on premises?
  • Are you willing to shift your System center infrastructure to EndPoint Manager?
  • And at least, most important: Are you able to stop thinking Hybrid AND on-premises? Than GO, DO IT! Good luck! I’ve helped almost 5 customers to grow to full cloud. with no footprint in their local-AD. they are super exited and happy! Simplicity = key to grow.

New product names

The new product names go into effect on April 21, 2020. This is a change to the product name only, and there are no pricing or feature changes at this time. Maybe later.

Enable Microsoft 365 Security – Example from Microsoft

Set up tenant:Recommend settings – normal scenarioRecommended settings – high risk scenario
Decide between hybrid & cloud-only identityHybrid, Azure AD ConnectHybrid, Azure AD Connect
Azure AD Connect – sign-in methodPassword Hash SyncPassword Hash Sync
Azure AD Connect – single sign-onEnabledEnabled
Azure AD Connect – On-premises attribute for Azure AD usernameuserPrincipalNameuserPrincipalName
Azure AD Connect – Password writebackEnabledEnabled
Decide on email migration strategyHybrid AgentHybrid Agent
Configure DNS domainsSituationalSituational

Configure identity protection – example from Microsoft

Configure identity protection:Recommend settings – normal scenarioRecommended settings – high risk scenario
Plan for administrative accessRequiredRequired
Configure dedicated admin accountsRecommendedRecommended
Multi-factor authentication (MFA) for adminsSecurity defaultsRequired, Conditional Access
Multi-factor authentication (MFA) for usersSecurity defaultsRequired, Conditional Access
Self-service password reset (SSPR)Enabled-AllEnabled-All
Combined security information registrationEnabled-AllEnabled-All

Practical guide to securing remote work using Microsoft 365 Business Premium

This guide summarizes Microsoft’s recommendations for enabling employees at small and medium-sized businesses to securely work from home, using the features included in Microsoft 365 Business Premium is written above. Read the Microsoft Guide: Here with deep insights and knowledge of medium-sized business. Guide

Creating a security culture

Use the Chief Security Officer (CSO)

Succes Stories Microsoft 365 Business Premium

Something missing? Please leave a reply!

The value of Microsoft 365 E3 or E5

The value of Microsoft 365 E3 or E5

Creating the modern workplace!

  • Digital business transformation. Every company has a digital transformation initiative. Microsoft 365 drives this digital transformation.
  • Increasing agility. The ability to respond to and drive market change quickly is the fundamental measure of business agility.
  • Empower information workers and firstline workers so they can collaborate and communicate better. Internally as with customers.
  • Support different working styles for millennial’s, Gen Z, Gen X, Baby boomers.
  • Generate better intelligence and analytics with a single view into your company information!
  • Increase mobility. people are working from home. From clients and during travel. In regard to collaboration, 98% of information workers collaborate or communicate with someone else at work on a weekly basis.
  • Improve security and compliance. Most of the time there is no control of data compliance in the current on-premise environment. Security systems are complex and static without growing or proven improvements. Start with a Zero Trust model.

Microsoft 365 E3 OR E5?

  • Decision making is crucial. Also simplicity. Make IT-system simple to move faster and support your business better. 2-3 Flavors of license scenario’s or strategies will be great. Don’t mess with addons id you will not use or active them..build trust, choose platform, choose Microsoft.
  • Start with activating basic security mechanisms. Start support of what you are using. grow. Don’t buy E5 when you are not mature enough, yet. Buy E5 and enable CASB to understand shadow IT or act when people extract crucial organization data… etc..
  • Don’t think it’s complex. Even when your company size is 50 people. You could start using Microsoft Business, full cloud. With real value and benefits as in Microsoft 365 E3. You could even use M365 E5 for small business when data control and cloud security is required.
Microsoft 365 E3 license overview
Micrososoft 365 E5 License overview
Micrososoft 365 E5 License overview

Office 365 – standard set

  • Every company is using e-mail, calendar, contacts move to exchange Online. it’s a proven standard.
  • Voice, Video, Meetings. Microsoft Teams. It’s used by 500.000 organization and became a standard. Shift to Microsoft Teams for better collaboration.
  • Office ProPlus: Everyone is using rich office clients: Word, Excel, PowerPoint. It’s there for decades and became a standard.
  • Planner, Yammer, OneDrive, SharePoint,.. it isn’t always a standard but we currently have tools to Plan tasks, Share thoughts, Share Documents and colleborate in our organization. Proven standard

Office 365 – advanced

  • ‘Built-in’ Analytics – did you know there are free/default/built-in dashboards for a lot of Microsoft 365 Services. I know. These are not organizational related. So they can give rich insights of usability of Office 365 tools.
  • Workplace Analytics for example: Measure progress toward transformation goals or Evaluate effectiveness of change efforts. Measure meeting hours, Discover inefficient processes, Identify hurdles to innovation, Gaps in learning, Identify Influencers,..
Workplace Analytics Microsoft
  • MyAnalytics: It’s not to control – it’s to to help to find out how work is done. People in your organization can find out their own habits because of their Analytic-insights.
MyAnalytics Workplace

The bigger picture – Why?

To bring value of Microsoft 365 E3 or E5 it’s important to understand the bigger picture. In the underlaying topics I’ve brought as much features in the eco-system of the E5 license. The main question is what are the benefits for a organization to shift to cloud solutions?

Why shift to Microsoft 365 E5

1. Protection across the attack kill chain

This slide shows the real value of Microsoft 365 E5. A lot of customers al laughing with MDATP because they think this is a isolated product. And are going deep in the license compare strategy of their current antivirus. Have a separated anti-spam solution, NO Azure AD Protection, NO cloud App Security..

2. Microsoft 365 E5 license includes

O365 ATP, Windows Defender ATP, Azure ATP + Cloud App Security. Detailed descriptions can be found on the website of Microsoft.

3. Cloud App Security

Cloud App Security shows you exactly whether data is passing on all endpoints. Document data, lateral movements, usage of applications, global traffic, count of applications in use in your organisation. Risk levels, GDPR proof applications. Bring network devices logging in CASB to have more insights.

Cloud App Security

4. Security & Compliance

I’ve seen that there a not enough organizations aware of the richness of the Security & Compliance possibilities in Microsoft 365. Because of shifting to Microsoft 365 the compliance will be in control of your organization. Even if you leave some file-servers and SharePoint services on-premise.

Unified data classification platform

5. Identity & Access management

Because of simplified Identity management organizations are able to work with Security perimeters to protect their users and organization. Because of these simplified configuration users will be able to reset their own password, control their own devices, or configure additional security components. (ZERO-IT)

Azure Active Directory

6. Self-Service Password Reset (SSPR)

The SSPR possibility Is an Azure Active Directory (AD) feature that enables users to reset their passwords without contacting IT staff for help. People can unblock themselves and continue working no matter where they are.

7. Managed Mobile Device

Cloud intelligence drives management. Use Autopilot to roll-out new devices and Increase productivity, reduce help-desk costs and Provide the best employee experience. Manage you Windows 10 devices and your mobile devices. Stop allowing personal devices without taking control of organization data. Use MAM and be diplomatic for end-users.

8. Microsoft Defender Security Center Security operations dashboard

The Security operations dashboard is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. USE your built-in possibility for SECOPS reporting. You HAVE IT.

EndPoint manager admin center

9. Identity driven Security

Because of the use of a single identity in Azure. Or hybrid synced from your local Active Directory services organizations will be able to protect and automatically act when necessary. request for update your password if breached. Ask MFA when your device is not trusted. etc.. let your users update their password from home. Increase productivity.

Microsoft Secure Score

10. Risky Sign-ins

This great feature will bring based on cloud intelligence insights to understand the RISK of a user. for example unfamiliar location, anonymous IP addresses, leaked credentials.. (more info here)

Risky Sign ins Azure AD
risky users
Risky Sing ins overview
Risky Sing ins overview

11. Information Protection

To start with classification and labeling of document choose your battles. Define 1-2-3 labels for example: “High-Confidential Internal Only”, “Public” and “Internal Only”. It’s a good start without auto-labeling documents so people can learn how to protect their confidential data. In a later phase you can enable auto-labeling when a document is highly confidential because of there are credit-card numbers, personal information etc in this document. The activation of Information Protection could come from the fact that 1 million files are shared with external people. Or that you want to stop third-party applications so company data stays safe in the environment.

Microsoft 365 Compliance

12. Advanced Threat Protection

Work with Microsoft Defender Security Center (previous WDATP) it will give you insights for Applications, OS, Network, Accounts, Security Controls + Give insights for Software patching, Top vulnerable software, Top exposed machines. Most reports are built-in and seamless integration is done in the Eco-system of Microsoft 365 E5.

Threat & Vulnerability management dashboard
Detection sources

13. Windows 10 Enterprise with modern approach

Windows 10: My personal favorite. I really love customers which did their homework and started using Windows 10 without policies, governance, Intune (for example), management solutions and now they are stuck in the patching & management of these systems. This is wrong!

Microsoft Windows 10: Windows 10 has been released to insiders in 2015. version. 1507 afterwards 1511, 1607, 1703,1709, 1803,1809,1903,1909. Microsoft did understand the pain of shifting from Windows XP to Windows 7, Windows 8 to 8.1 and Windows 10. And now they want you to work on this NEW versions in a different way.

Microsoft’s Windows 10 Enterprise: comes in the flavor of continues improvement. And needs to be implemented in a service-model with automatic updates, roll-outs, deployment, patching, updating, software requests (self-service) and even more!

Set compliance policies: Because of deep integrations you will be able to work on the compliance of the devices and grow to a recurrent update-model.

Device Compliance

14. Desktop Analytics 

Thanks to desktop analytics you will be able to evaluate the changes during updates as software distribution and compatibility issues. You can bring your organization to a next level. In case you were afraid that automation took your job, think again. These things need huge attention!

Dekstop Analytics

15. Native PowerBI Integration

Because of the rich Eco-system within Microsoft 365 everything can be measured. This report is default/standard without any manipulation of Power-bi. I know it sounds stupid, but without insights that can grow fast. You have nothing. Features/services are changing every year. Be prepared. Start consolidation and start using standards to built on.

Native PowerBI Integrations

Action Plan

  • Create a STRATEGY to bring value for Microsoft 365 E3 or E5. Do you want to: increase agility, empower information workers create intelligence increase mobility short: Drive transformation. AND invest in your SECURITY MATURITY -> than you should start with a STRATEGY. Non of all these things are technical. Even if we think it’s technical. DECIDE.
  • PLAN: Everything starts with a plan. PLAN to start a Microsoft Teams pilot, to evaluate, to pick-up the finding. and plan to go further. Most important PLAN to write a ROADMAP which describes the road ahead.
  • READINESS CHECK: Are you technically READY to start with a Microsoft Teams Roll-out? Is your company READY to start? Are the people READY to start? Is everyone involved? Are you READY?
  • IMPLEMENTATION: This is the easy part. Implement Microsoft Teams. Enable the features, check the boxes. Activate the subscriptions, copy the templates. Start the Pilot. Ask experts to deliver the technical requirements.
  • NEW WAY OF WORK: Microsoft Teams as used in this example as ‘new tech’, think about the groups we had in the top of the article. millennial’s, Gen Z, Gen X, Baby boomers. Do you think you should make some scenario’s? training and standard adoption programs to help them work as they never did before? YES!
  • TRANSFORM(ATION): Real transformation is successful when you KNOW/MEASURE it went well. Wen you see the activation/usage ratio in numbers. When you know the people are confident and happy to use new technology. When nobody is complaining and the organization has grown to a higher level of collaboration. And even when it fails or needs more improvements start over with this S-P-R-I-N-T.

Thank you for reading!

Jasper

The top 10 security recommendations to consider while working from home!

The top 10 security recommendations to consider while working from home!

  • Mobile working is a standard, today.
  • Companies are not longer protected by their infrastructure in their corp-environment.
  • Crucial document data is moving away from centralized systems because it’s easier to work on them on our own document systems.
  • The irrelevance of bombastic systems in corporate environment is holding collaboration down.
  • Does it sounds familiar?

the 10 security recommendations we should consider while working from home!

  1. Identity Security / MFA
  2. Install the latest patches and updates
  3. Passwords and management
  4. Build real-time reports of security risks 
  5. Create automated and intelligent alerts 
  6. Install antivirus on all endpoints 
  7. Secure devices and corporate devices (+ personal phones) 
  8. Evaluate regularly which users have access to data, devices and networks 
  9. Track, change and block access for temporary projects and when employees are leaving your company 
  10. Use information protection solutions to protect your data everywhere. 

1. Identity protection

  • Some facts: 1.2 million of all Office 365 or Microsoft 365 accounts (each month) are compromised. This represents 0.5% of all accounts in your environment. Source: theregister-co-uk

Multi-factor authentication prevents 99.9% of all attacks.

99,9% compromised accounts did not have MFA

2. Patching & updates

Device Compliance

3. Passwords and management of authentication

4. Create real-time reporting of security vulnerabilities

  • Identity risks are in every organisation. Don’t think that your changes are low. Check the facts.
  • It is very easy to use ‘risky users‘, ‘risky-sign’ ins and ‘risk detection’ to find out real risks.
  • Integrate with Microsoft Defender ATP and ATP Sensors to have all intelligence in the Microsoft cloud.
Risky Users
Risky Sign-ins

5. Create automated and intelligent alerts

  • There is only 1 answer. Microsoft Cloud App Security.
  • Create alerts when 100 files are deleted. Copied to Dropbox for example.
Cloud App Security Portal

6. Install antivirus on ALL endpoints + go beyond antivirus

  • Microsoft Defender ATP, sentinel-one, Norton, McAfee, it doesn’t really matter. As long as you are able to protect all endpoints.
  • The second factor is to make sure that your antivirus is enabled. Use a single console. OR use MDATP. Set security alerts so you know when you are at risk.
  • Use EDR monitors to detect and respond to advanced attacks in real time.
Antivirus Windows 10

7. Secure private(personal) devices and corporate devices

  • workstations and portables (With W10 for example) are in control in most of the companies. Mobile devices are left unmanaged because we don’t know the options.
  • With Intune (EndPoint Manager) you can isolate and segment applications without having to manage the device. The corp. applications is under control. The organization’s data is protected. The most important thing is done!
  • Choose a fingerprint, faceID worst-case pincode in app protection.
  • Below you may find an example of the Outlook application which is protected by Mobile Application Management. In case organisations are not the owner of these devices this is a great option. And simple to implement.
Mobile Application Management

8) Evaluate regularly which users have access to data, devices and physical network

  • Cloud App Security shows you exactly whether data is passing on all endpoints.
  • Document data, lateral movements, usage of applications, global traffic, count of applications in use in your organisation. Risk levels, GDPR proof applications..
  • Bring network devices logging in CASB to have more insights.
Cloud Discovery
Cloud Discovery

9. Track and block access for temporary projects or employees leave the company

  • governance without enforcement is just good advice.
  • Create simple written policies, enforce policies.
  • Create retention policies for example in a Microsoft Team that removes the team after 180 days.

10. Use information protection to protect your data everywhere

  • Use Information protection to protect document data. Even if you lose the document “physically”. There are still options to block this from opening and keep in secure from distribution, opening, editing,..
  • Create document data insights from on-premises and cloud solutions with Microsoft Information Protection Policies.
Unified data classification platform
Retention Label

Conclusions

Windows Secure Score
  • Security priorities are difficult. However, I would always start with MFA becasue this is fundamental identity security. Afterwards document and device security. Because companies are moving to Teams during Covid-19. And you don’t want data leakage during this time.
  • If your identity is not secure, and compromised, there is no point in doing information protection. Because a ‘hacker’ will use your accounts to access your corporate data.
  • Use Microsoft Securescore.microsoft.com as a guidance. Extract your priorities.
  • Let’s do it!
Protect apps with Microsoft Cloud App Security Conditional Access App Control

Protect apps with Microsoft Cloud App Security Conditional Access App Control

A lot of companies are struggling with data leakage when it comes to their exchange online environment. Easy fix! Enable: Microsoft Cloud App Security Conditional Access App Control! First, check the 7 seconds demo. It explains the unnecessary words!

Scenario:

  • You have all your devices enabled in Microsoft’s endpoint manager aka Intune
  • You are able to have an inventory and control of your hardware assets (CIS Control 1)
  • You are using Office 365 or Microsoft 365.
  • You don’t want users to download their e-mail attachments on a non-company owned device. (other scenario’s possible!)

Protect apps with Microsoft Cloud App Security Conditional Access App Control

It sounds so complex and i strongly believe this is making the implementations way to complex. So now the 2 Practical steps for the configuration.

Step 1: Choose the cloud application – select the condition!

  • Select cloud apps or actions: Microsoft Exchange
  • Select a condition – IF your device is marked as compliant. Based on a intune policy that is able to CHECK if the device is compliant. Users are able to just go their way on Exchange Online.
device State Preview

Step 2: select the Access Controls

  • IF not they are not able to download attachments to their environment. Block downloads. That’s it!
Conditional Access App Control

By natively integrating with Azure AD, any app that is configured with SAML or Open ID Connect can be self-onboarded.

In addition, the following apps are featured by Cloud App Security and are already onboarded and ready to use in any tenant: More apps: Here

  • Exchange Online
  • OneDrive for Business
  • Power BI
  • SharePoint Online
  • Microsoft Teams

Conclusions

  • It’s not because you block attachment downloads in Exchange or OneDrive from non-company owned devices that your organization is good to go! This practical example shows the flexibility to get conditions in your organizations which can prevent leakage of data in e-mail systems.
  • Blocking exchange download could shift that your organization will become aware they are still sending crucial information by mail which should be found in Microsoft Teams or SharePoint Online.
  • Microsoft Information protection could play a big role in this configuration but this enablement can be a first step in security maturity growth.
  • More options? YES: Notification when someone is downloading +10 documents, leaked credentials, impossible travel, File shared with unauthorized domain, New risky app, …
The Multi-factor-authentication struggle? AND the solution!

The Multi-factor-authentication struggle? AND the solution!

The struggle for a Multi-factor authentication implementation is REAL and most of the time, really frustrating? Some frequently asked questions and answers below! Let’s change problem into a solution.

We don’t want to use Multi-factor authentication – it’s too complex!

  • Ask the people in your organization if they use the same password as their corporate account for: Dropbox, Yahoo, Gmail, Facebook. Do they?
  • I know, it’s really bad advice. But type your ‘old’ password in Haveibeenpwned.com Is it still ‘safe’?
  • Do you have MFA on your Facebook account? Your iCloud account, You’re private mail? Is it that bad?

How to tackle the resistance!

  • END-USER AWARENESS: There are a lot of organizations helping with a great case which can help your organization (including Microsoft) to communicate well. Communicate – make people understand WHY – support them – give them more!
  • MEASURE THE NEED FOR MFA: Measure the impact in your organization. And make people understand WHY. You could send out a ‘false Payroll update’ and measure how many people are entering their credentials. Make them aware that they did very good not entering their corporate credentials. Don’t punish people because they did. Help them to identify and understand phishing mails. https://protection.office.com/attacksimulator
ATP Phishing demo
Change Password
  • SELF-SERVICE: Give people in the organization the ability to get some pro’s because they ‘need’ to do MFA. For example: self service reset password possibilities. It could also mean that the workload of IT-teams will decrease because of self-service mechanisms. It’s nearly impossible (insecure) to deliver self-service without a trusted-second factor.
  • MODERN MANAGEMENT: Bring all your devices in a Azure AD in a state where they are at least Azure AD Joined so users will have pro’s like Single-Sign-On in Microsoft Edge. Other browsers are possible, but requires a little bit more time.
  • CONDITIONAL ACCESS: It’s simple to define a basic set of conditions where there shouldn’t be an second factor required. For example your work-environment. It creates a huge way of possibilities to have a better roll-out. Better have MFA with one condition then having no MFA at all.
Passwordless authentication codes
  • PASSWORDLESS AUTHENTICATION: Deliver passwordless authentication. It will help your users to not struggle with their password. Implementation guide here.
  • MEASURE THE RISK(S): Login to your Azure AD portal and export all sign-in logs of the last 3 month. Filter on SUCCESS and filter on a country which your company is not in. (or filter out all locations you are in and work with the left-overs) You have leaked credentials. Mostly it’s clear after this simple exercise.
  • MICROSOFT AUTHENTICATOR APP: You could just use SMS as a factor but don’t bother and use the Authenticator App
Sign-ins Azure AD
  • AZURE ADVANCED THREAT PROTECTION: Work with Azure Advanced Threat Protection in a ‘Pilot’. This setup will cost you 60 minutes. Order a trial license of Microsoft 365 E5, go through the wizard of Azure ATP and add your domain controllers as a sensor.
Azure Advanced Threat Protection

After 30 days go to the console and export: Passwords exposed in clear text, lateral movement paths to sensitive accounts. I’m sure you can find something happening without knowing! This will bring insights where you had none before.

ATP Reports Cloud
  • THIRD PARTY ASSESSMENT: Work with third-party tools to measure the security or cyber-security maturity of your organization.
  • CLOUD APP SECURITY: Measure that data is extracted to machines to understand the needs in your environment. This will prioritize the need of identity-protection (later data-control)
Cloud Discovery Reports

Advice to IT Administrators

  • Maintain an 8-character minimum length requirement (and longer is not necessarily better)
  • Eliminate character-composition requirements.
  • Eliminate mandatory periodic password resets for user accounts.
  • Ban common passwords, to keep the most vulnerable passwords out of your system.
  • Educate your users not to re-use their password for non-work-related purposes.
  • Enforce registration for multi-factor authentication.
  • Enable risk based multi-factor authentication challenges.

Microsoft Password guidance didn’t changed in years. It’s still great!

It isn’t only commercial talk..

Microsoft sees over 10 million username/password pair attacks every day. This gives them a unique vantage point to understand the role of passwords in account takeover. 99.9 percent of attacks on your accounts can be prevented. (and it is not)

Side nodes