Microsoft Security Matter Newsletter – June 2019

As Microsoft wraps up its fiscal year this past week, here's the latest newsletter for Microsoft Security.  There's a lot of good content in this edition; the items that should be prioritized are called out in italics.

General News

Microsoft 365 Security (All Up News)

Identity & Data Protection (Azure AD, Intune, AIP, MCAS)

Threat Protection (Office ATP, Windows Defender ATP, Azure ATP/ATA)

How to Get Started Resources for Securing Office 365

As I have mentioned in previous posts, I get the opportunity to meet with enterprises on a regular basis around security.  These organizations run the spectrum on their adoption of O365 and other cloud-related services.  Specific to O365, there are extreme early adopters who moved before there were means to secure the service, ones that are just now considering it, and others that are in the middle of the process.  The commonality between all these customers, no matter their stage of adoption, is the question "what are the best practices for securing O365?".  So let's take a look at the best-practice resources from Microsoft.

Note:  In most cases, the guidance below assumes the customer is licensed for a minimum of EMS E3 for their environment; additional licensing for advanced security features is typically called out in the documentation.

O365 30, 60, and Beyond

This is a baseline resource to help establish a foundation of security for companies as they begin to adopt their first O365 workload which is typically Exchange or OneDrive.  It focuses on quick wins around basic admin and identity protections along with key service logging.

Identity 5 Easy Steps

The roadmap above calls for implementing advanced protection in its 90-day timeframe.  The 5 Easy Steps guide focuses on those advanced steps for protecting identities within an organization:

  1. Strengthen your credentials.
  2. Reduce your attack surface area.
  3. Automate threat response.
  4. Increase your awareness of auditing and monitoring.
  5. Enable more predictable and complete end-user security with self-help.

Azure AD Break Glass

While this guide repeats several of the recommendations from the 5 Easy Steps above, it adds a few items that every organization should put in its own O365 security roadmap, chief among them emergency access ("break glass") accounts that let administrators get back in when a Conditional Access or MFA policy locks everyone else out.

Microsoft 365 Golden Config

As I mentioned in the note above, the guidance assumes the customer has licensed a minimum of M365 E3/EMS E3 to protect O365.  However, if your organization has licensed M365 E5/EMS E5, you will want to use this guide, as it walks through the policies needed to establish a zero-trust posture when accessing O365 resources.

Deployment Guides

While the sections above provide links to get started with key security components, customers often ask whether there are deployment guides for the individual security components that protect O365.  Provided below are such guides, which can be handed to the IT architecture group or PMO to develop an implementation plan.

Fast Track Resources

As part of licensing M365 services, customers have the option to leverage a "FREE" (yes, free) service from Microsoft called FastTrack.  This group can be engaged through your Account Team or Customer Success Manager to assist with guidance and adoption of M365 services.  As you can see in the graphic from the original post, they can also assist and provide resources to help implement all the security components discussed above.

Microsoft Secure Score

As organizations implement the above guidelines and services, they can refer to Microsoft Secure Score.  This is a checklist of items that can be used as a checkpoint to make sure the best practices are actually being implemented in their environment.

Check Back for Updates

Keep this link bookmarked in your browser favorites and check back periodically as I will update this as new guidance is released from Microsoft.  Best of luck in securing your O365 investment.

Troy Hunt's (@troyhunt) "Have I Been Pwned" is for Sale and Microsoft Should Acquire It

Early this morning, Security Researcher Troy Hunt posted on his blog (Project Svalbard: The Future of Have I Been Pwned) that he’s taking steps to have his data breach service be acquired.  If you are not familiar with “Have I Been Pwned” I suggest reading the post from Troy linked above as he goes into details about this great service that he has been providing since 2013.

Ok, now for the reasons Microsoft should acquire this service from Troy:

  1. Microsoft has established itself as a security vendor over the past several years, with similar technologies being provided to enterprise customers.  Adding "Have I Been Pwned" to its existing services could enhance the offering for enterprise customers.  For example, Troy's service allows IT admins to search for email addresses from their company's domain to see whether they have appeared in any data breach.
  2. "Have I Been Pwned" also allows everyday consumers to sign up to be alerted when their personal email address shows up in a data breach.  Acquiring this service would allow Microsoft to expand its consumer-facing security services.
  3. "Have I Been Pwned" is a stellar example of an Azure-based solution that Microsoft can showcase to customers from an app-dev perspective.  As the service continues to grow (and, as we all know, breaches aren't slowing down), it shows how the Azure platform can handle that growth and how new platform features can be put to use in the service.

Note:  The above is just my 2 cents on this major announcement from Troy and not that of my employer.

Just Do the Basics to Protect the EndPoint

Over the past few years, as part of my current role, I have had the pleasure of engaging in security conversations with customers.  These discussions have ranged from protecting the identity to securing the endpoint and sensitive data in the enterprise.  What has been consistent in these conversations is that individuals and organizations are chasing the next shiny object to solve their security problem.

While the latest and greatest security technologies are amazing and should be explored to help protect a company's assets, the reality is that most enterprises aren't even doing the basics when it comes to endpoint security.

That is the point Jessica Payne makes in the tweet quoted in the original post, and it is guidance that everyone in enterprise IT operations and security should be following.  In most cases, a few tools that are either free or already licensed by most enterprises can improve the security posture overnight once implemented.

So let’s take a look at the basics the enterprises should be leveraging in their environment.

Implement LAPS Yesterday, It's Been Free Since 2015

Microsoft LAPS (Local Administrator Password Solution) is a free tool from Microsoft that sets a random local administrator password on each domain-joined workstation and server, stores it in a protected attribute of the computer object in Active Directory, and rotates it on a schedule.  Because every machine ends up with a unique password, an attacker who dumps one local admin credential can no longer reuse it to move laterally across the rest of the fleet.
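Deploying LAPS is only half the job; the two questions that follow are "which machines are not actually managed?" and "who can read the passwords?".  The following script is an added example (not from the original post or from the LAPS documentation) that answers both with the AdmPwd.PS module that ships with LAPS.  The OU distinguished name is a hypothetical placeholder, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: audit LAPS coverage and password-read permissions.
# Assumes: RSAT ActiveDirectory + AdmPwd.PS modules installed, and that the
# clients live under the (hypothetical) OU below.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = 'OU=Workstations,DC=corp,DC=example'   # placeholder, adjust to your domain

$computers = Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true' `
    -Properties 'ms-Mcs-AdmPwdExpirationTime'

# 1. A computer whose ms-Mcs-AdmPwdExpirationTime is empty has never had the
#    LAPS client set a password: the CSE is missing or the GPO never applied.
$unmanaged = @($computers | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' })
"$($unmanaged.Count) enabled computers in $ou are not managed by LAPS:"
$unmanaged | Select-Object -ExpandProperty Name

# 2. An expiration time in the past means the password should have rotated and
#    did not; usually the machine has not talked to a DC for a while.
$nowUtc = (Get-Date).ToUniversalTime()
$computers |
    Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' } |
    ForEach-Object {
        $expires = [DateTime]::FromFileTimeUtc([Int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        if ($expires -lt $nowUtc) {
            '{0}: password expired {1:u} but has not rotated' -f $_.Name, $expires
        }
    }

# 3. Who can read the clear-text password?  Only the groups you intended
#    (help desk, workstation admins) should appear.  "Everyone" or
#    "Authenticated Users" here means any domain account can read it.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN, ExtendedRightHolders
```

Run it from an admin workstation after the GPO has had a chance to apply; a non-empty "unmanaged" list a day after rollout is the thing to chase first, because those are exactly the hosts still sharing the old image's password.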

Do Not Turn Off Windows Firewall….Yes, this is still occurring in 2019

Most IT professionals know that the Windows Firewall comes as part of the Windows OS, yet some enterprises turn it off because they believe it is impacting applications in their environment.  Instead of turning it completely off, take the time to tune it to your needs (a rule for the specific program, port and source subnet the application actually uses) and keep the workstation protected.  To better understand how the Windows Firewall works, please take a look at Jessica Payne's session "Demystifying the Windows Firewall".
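What "tune it instead of turning it off" looks like in practice, as an added example that is not from the original post: re-enable the profiles, keep the inbound default at block, log drops so the application owner can see which flows are missing, and add one narrow rule.  The line-of-business application path, port and server subnet are hypothetical.

```powershell
# Added example: keep Windows Firewall on and carve out only what an app needs.
# Assumes a hypothetical LOB app at C:\Apps\LobApp\LobApp.exe listening on
# TCP 8443 that is only reached from the server subnet 10.10.20.0/24.

# Before: any profile with Enabled=False or DefaultInboundAction=Allow is the
# "turned it off" condition the post warns about.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked

# Turn all three profiles on, block inbound by default, and log dropped packets.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# One narrow rule: this program, this port, this source, domain profile only.
$ruleName = 'LobApp inbound 8443'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Program 'C:\Apps\LobApp\LobApp.exe' -Protocol TCP -LocalPort 8443 `
        -RemoteAddress 10.10.20.0/24 -Profile Domain
}

# Review: enabled inbound allow rules with no port and no source restriction.
# These are usually what a "just turn it off" decision was standing in for.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($port.LocalPort -eq 'Any' -and $addr.RemoteAddress -eq 'Any') {
            [PSCustomObject]@{
                Rule    = $_.DisplayName
                Profile = $_.Profile
                Program = ($_ | Get-NetFirewallApplicationFilter).Program
            }
        }
    } | Format-Table -AutoSize
```

The drop log is the negotiating tool: when an application team says "the firewall breaks it", the blocked entries in pfirewall.log tell you the exact port and peer to allow, which is a far smaller change than disabling the profile.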

It’s Not 1990….Turn Off SMB1

SMB (Server Message Block) is the remote file protocol used by Windows clients and servers.  SMB1 dates back to the 1980s and was heavily used by enterprise applications in the 1990s.  In the 25-30 years since, attacks against it have become commonplace: it lacks the pre-authentication integrity and encryption of SMB3, which makes man-in-the-middle attacks practical, and most recently the 2017 Petya (NotPetya) outbreak that hit systems worldwide spread through an SMB1 exploit.

Newer versions of Windows no longer install SMB1 by default (Windows 10 stopped installing it on clean installs with version 1709), yet enterprises keep enabling it so that legacy applications and devices continue to work.  Please work with those vendors to move to SMB2 or SMB3 to minimize the risk to your organization.  Ned Pyle at Microsoft maintains a list (link below) of products that still require SMB1; review it to see whether any of them are in use in your organization, and audit SMB1 access on your file servers before disabling it so you also catch the devices the list does not know about.
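The safe order of operations on a file server is audit first, disable second.  The following is an added example (not from the original post) that turns on SMB1 access auditing, summarizes which client addresses showed up, and leaves the actual removal commented out until the list is empty.  The regular expression for the client address assumes the event message wording contains "Client Address:"; check one event on your own server before relying on it.

```powershell
# Added example: find out who still speaks SMB1 before turning it off.
# SMB1 audit events are written to Microsoft-Windows-SMBServer/Audit as ID 3000.
# Run elevated on the file server.

# Is SMB1 present and enabled on this host?
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

# Step 1: audit, do not block.  Leave this on for a few weeks so month-end
# jobs and seldom-used scanners/MFPs get a chance to show up.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Step 2: summarize SMB1 clients seen so far.  The client IP is only in the
# message text, so it is pulled out with a regex (message wording assumed).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

$events |
    ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(?<ip>[0-9A-Fa-f\.:]+)') { $Matches.ip }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count

# Step 3: once the table above is empty (or every entry has been migrated to
# SMB2/3), disable SMB1 on the server side and remove the optional feature.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Each address in the output is a device or application that will break the day SMB1 goes away; resolve them to owners now rather than discovering them through help-desk tickets later.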

Get Started on the right foot…with Windows 10 Security Baselines

Historically, enterprises, especially regulated ones, have leveraged DISA STIGs (Security Technical Implementation Guides) to deploy a set of recommended security policies on Windows workstations.

Beginning with Windows 10, Microsoft publishes a security baseline for each semi-annual build, delivered through the Security Compliance Toolkit.  Each baseline is a set of recommended Group Policy settings that should be reviewed and implemented as enterprises deploy Windows 10; the toolkit's Policy Analyzer can compare your current GPOs against the baseline and show exactly where you deviate.

Windows 10 SmartScreen

SmartScreen is yet another free tool within Windows 10 that helps protect the endpoint.  It determines whether a site is potentially malicious by:

  • Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
  • Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.

SmartScreen determines whether a downloaded app or app installer is potentially malicious by:

  • Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
  • Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn’t on that list, SmartScreen shows a warning, advising caution.

Leverage Cloud-Based AV…Consider Windows Defender

Given today's threat landscape, enterprises should be running an anti-virus (AV) solution on the endpoint that uses the cloud to analyze unknown files at first sight, rather than waiting for traditional signature definitions to be delivered.

In addition, as AV becomes more of a commodity for today's IT operations, companies should consider the Windows Defender Antivirus that comes with Windows 10.  It consistently achieves top scores in the industry-accepted AV tests.
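Cloud-delivered protection in Defender is a handful of preferences rather than a separate product.  As an added example (not from the original post), this turns the relevant settings on and reads back the status a practitioner would check; it needs an elevated prompt on a Windows 10 device where Defender is the active AV.

```powershell
# Added example: enable Defender's cloud-delivered protection and verify it.
# Requires an elevated prompt; settings may be overridden by Group Policy/Intune.

Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples `
                 -CloudBlockLevel High `
                 -CloudExtendedTimeout 50 `
                 -DisableBlockAtFirstSeen $false

# Verify the engine is on and signatures are fresh.  The cloud lookup is what
# covers the gap between signature updates, so AntivirusSignatureAge should
# be a small number of days and the cloud settings should read back as set.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureAge, AntivirusSignatureLastUpdated, AMEngineVersion

Get-MpPreference |
    Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel,
                  CloudExtendedTimeout, DisableBlockAtFirstSeen
```

CloudBlockLevel High and the 50-second extended timeout are the two settings that change behaviour on a never-before-seen executable: Defender holds the file while the cloud renders a verdict instead of letting it run on a "no signature match" basis.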

Windows BitLocker

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.  This native Windows solution does not require an additional agent, which makes OS upgrades for the enterprise a whole lot less complex than with a third-party full-disk encryption tool.  Pair it with a TPM protector, and escrow the recovery keys (to Active Directory, Azure AD, or MBAM) before you turn it on.
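The order matters: a recovery password that exists and is escrowed before encryption starts is what separates a protected laptop from a bricked one after a firmware update changes the TPM measurements.  The following is an added example (not from the original post) for a TPM-equipped, domain-joined Windows 10 device; it assumes the domain policy "Store BitLocker recovery information in Active Directory Domain Services" is enabled, otherwise the escrow step fails and the script stops before encrypting.

```powershell
# Added example: enable BitLocker on the OS drive with TPM protector, with the
# recovery password created and escrowed to AD first.  Run elevated.
$drive = 'C:'
$vol = Get-BitLockerVolume -MountPoint $drive

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 1. Recovery password first.  Without it, a TPM measurement change
    #    (firmware update, board swap) locks the user out permanently.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # 2. Escrow it to the computer object in AD.  This throws if the domain
    #    policy is not in place, which is the right time to find that out.
    #    (Azure AD joined devices use BackupToAAD-BitLockerKeyProtector instead.)
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop

    # 3. Only now encrypt.  UsedSpaceOnly is fine for a freshly imaged drive;
    #    drop it for a drive that already held data so free space is wiped too.
    Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}

# Report: every OS volume should show ProtectionStatus On and both a Tpm and
# a RecoveryPassword protector.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

The final report is also the compliance query: a volume with a Tpm protector but no RecoveryPassword, or ProtectionStatus Off, is a device whose data is not actually protected regardless of what the deployment dashboard says.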

Let’s Say it 3 Times…Patch, Patch, Patch

Per NIST guidance, and in an ideal world, enterprises would patch vulnerable systems as soon as updates are released.  For most organizations this poses a challenge, as they need to test the impact the updates will have on their environment.  The real issue is that a lot of companies either have no formal patching process or pick and choose patches (example below), neither of which is good for the overall security posture.

A quick example of a Windows patching cadence for enterprises to consider:

  • Microsoft releases Patch Tuesday updates on the second Tuesday of the month.  IT tests them on its own devices first; if no issues appear, they go to a pilot group of workstations that is a representative sample of production, where they soak for the next 5-10 business days before rolling out to the rest of production.
  • The exception is an out-of-band update, or one severe enough that the vendor recommends patching immediately because of its potential impact; those skip the soak period.
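The three-stage flow above maps directly onto Windows Update for Business deferral rings.  The following is an added example (not from the original post) that writes the same registry values the "Select when Quality Updates are received" Group Policy writes; the ring names, day counts and the KB placeholder are the example's own choices, and in production you would set these through GPO or Intune rather than on each machine.

```powershell
# Added example: express the Patch Tuesday flow (IT test -> pilot -> broad)
# as Windows Update for Business quality-update deferrals.  Run elevated.
param(
    [ValidateSet('Test', 'Pilot', 'Broad')]
    [string]$Ring = 'Broad'
)

# Days to hold back monthly quality updates after release, per ring.
# 10 business days for Broad is roughly the soak period described above.
$deferDays = @{ Test = 0; Pilot = 2; Broad = 14 }[$Ring]

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

Set-ItemProperty -Path $key -Name DeferQualityUpdates -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name DeferQualityUpdatesPeriodInDays -Value $deferDays -Type DWord

# A paused ring silently stops patching; make sure no pause is lingering.
Remove-ItemProperty -Path $key -Name PauseQualityUpdatesStartTime -ErrorAction SilentlyContinue

"Ring $Ring configured: quality updates deferred $deferDays day(s)."

# For the out-of-band case: confirm a specific update is actually installed
# on this host instead of trusting the deployment console.
function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)   # format 'KBnnnnnnn'; placeholder, no real ID implied
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}
# Example call: Test-KbInstalled -Kb 'KBnnnnnnn'
```

The useful property of deferrals over a manual "approve per KB" process is that the default is to install: a patch nobody looked at still goes out after the ring's delay, which is the opposite of the pick-and-choose failure mode.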

Too Much to Sift Through

Most large organizations have adopted a SIEM to collect event logs, but the reality is that this leaves their SOC analysts drinking from a firehose and then trying to find a needle in a haystack.

Customers should consider keeping it simple by leveraging "Weffles" (https://aka.ms/weffles), Jessica Payne's Windows Event Forwarding setup, or otherwise streamlining the event logs collected from Windows endpoints to the following:

  • Security event log cleared (1102)
  • New local user created (4720)
  • High-value groups, e.g. Domain Admins, being changed (4728)
  • Local Administrators group being changed (4732)
  • New service installed, particularly on domain controllers (4697)
  • Scheduled task registered or action started (106/200, from the Task Scheduler operational log rather than the Security log)
  • Successful logon (4624)
  • Unsuccessful logon (4625)
  • Logon attempted with explicit credentials (4648)
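Pulling exactly this list from an endpoint or a WEF collector is a two-query job, because the Task Scheduler IDs live in a different log.  The following is an added example (not from the original post or from Weffles) that does that, uses a filter hashtable so the filtering happens inside the event log service rather than in the pipeline, and trims the one noisy ID on the list.  The logon-type filter and the one-day window are the example's own choices.

```powershell
# Added example: collect the short list of event IDs above and summarize them.
# Run elevated on the endpoint or the WEF collector (ForwardedEvents).
$since = (Get-Date).AddDays(-1)

# Security-log IDs, filtered server-side.
$sec = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 1102, 4720, 4728, 4732, 4697, 4624, 4625, 4648
    StartTime = $since
} -ErrorAction SilentlyContinue)

# Task Scheduler IDs come from the operational log, not Security.
$task = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
    Id        = 106, 200
    StartTime = $since
} -ErrorAction SilentlyContinue)

$meaning = @{
    1102 = 'Security log cleared';       4720 = 'Local user created'
    4728 = 'Member added to global group'; 4732 = 'Member added to local group'
    4697 = 'Service installed';          4624 = 'Logon success'
    4625 = 'Logon failure';              4648 = 'Logon with explicit credentials'
    106  = 'Scheduled task registered';  200  = 'Scheduled task action started'
}

# Noise control: network (type 3) logons from service accounts dominate 4624.
# Keep interactive (2), batch (4), service (5) and RDP (10).  Logon type is
# the 9th field (index 8) of a 4624 event's Properties.
$filtered = $sec | Where-Object {
    $_.Id -ne 4624 -or ($_.Properties[8].Value -in 2, 4, 5, 10)
}

@($filtered) + $task |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id,
        @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } },
        MachineName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# These four are rare enough that every occurrence deserves a look.
$sec | Where-Object { $_.Id -in 1102, 4697, 4728, 4732 } |
    Format-List TimeCreated, Id, MachineName, Message
```

The same hashtable filters translate directly into a WEF subscription's XPath query, so once the list is tuned here it can be pushed to the collector instead of being run host by host.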

AppLocker

  • Windows Version:  Pro & Enterprise

AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.  It’s ideal to use AppLocker in the following scenarios:

  • Your organization’s security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
  • An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
  • The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
  • The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
  • A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
  • Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
  • A single user or small group of users needs to use a specific app that is denied for all others.
  • Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
  • In addition to other measures, you need to control the access to sensitive data through app usage.
  • Additional AppLocker details:  https://aka.ms/applicationlocker

Aaron Margosis at Microsoft recently released a solution called "AaronLocker" that makes it easier for enterprises to build and maintain AppLocker rule sets.  Details on this solution can be found in the following links.
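Whichever tooling builds the rules, the rollout pattern that avoids breaking the business is the same: generate rules from a clean reference machine, run in audit-only mode, read the "would have been blocked" events, and only then enforce.  The following is an added example of that pattern in the built-in AppLocker cmdlets; it is not from the original post and does far less than AaronLocker.  The output path and the unapproved tool path are hypothetical.

```powershell
# Added example: build an AppLocker policy from a reference build, switch it
# to AuditOnly, test a file against it, and apply it locally.  Run elevated.
$policyPath = 'C:\Temp\AppLocker-Audit.xml'            # hypothetical location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# Gather publisher/hash info for what is installed on the reference machine.
# (Recursing C:\Windows takes a while; run this once on a clean image.)
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$files = @()
foreach ($d in $dirs) {
    $files += Get-AppLockerFileInformation -Directory $d -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
}

# Publisher rules where files are signed, hash rules otherwise, for Everyone,
# with redundant rules collapsed.
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# New-AppLockerPolicy leaves EnforcementMode NotConfigured.  Force every rule
# collection to AuditOnly so the first rollout only logs (event 8003/8006).
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xml = $xml -replace '(<RuleCollection Type="[^"]+")(>)', '$1 EnforcementMode="AuditOnly"$2'
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# Dry run: PolicyDecision is Allowed, Denied or DeniedByDefaultRule.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Users\Public\Downloads\tool.exe', 'C:\Windows\System32\notepad.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply locally in audit mode (merge keeps any existing rules).  Nothing is
# evaluated unless the Application Identity service is running; set its
# startup type to Automatic via Group Policy, not Set-Service.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service -Name AppIDSvc

# After a soak period, review what would have been blocked before enforcing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue |
    Select-Object -First 50 TimeCreated, @{ n = 'File'; e = { ($_.Message -split ' was allowed')[0] } }
```

Every 8003 event is either a missing rule or a program you are about to stop, and deciding which is the whole job; moving the collections from AuditOnly to Enabled is a one-attribute change once that list is empty.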

This Will Be a Living Guide

My hope is to keep this a living guide that will get updates as new recommended best practices or technologies come out about for Windows endpoints.  If there are other items that you feel need to be included or have general comments please let me know.

In addition, there will be a Part 2 to this post called “Up Your Game” so stay tuned for that coming out in the near future.

Microsoft Security Matters Newsletter – May 2019

While there were several product updates over the past month (listed below), there was a pretty significant vulnerability that was patched by Microsoft.  If you read nothing else in this edition of the newsletter, please read the following:  A Reminder to Update Your Systems to Prevent a Worm.

General News

Microsoft 365 Security (All Up News)

Identity & Data Protection (Azure AD, Intune, AIP, MCAS)

Threat Protection (Office ATP, Windows Defender ATP, Azure ATP/ATA)

PSA: Azure AD Customer Training Webinars Started Back Up this Week

The week’s half over and you may have missed out on the first few webinars this week but it’s not too late to join in and catch these great sessions on Azure Active Directory.

Topics of the Webinars

  • Getting Ready for Azure AD
  • Secure Your Identities with Azure Multi-Factor Authentication
  • Intro to Azure AD B2C: Make it easy for your customers to securely Sign In and Sign Up to Your Applications
  • Hybrid Azure AD Join
  • The Basics of Governing your Azure AD and Office 365 Deployment
  • Choosing the Right Authentication Method for Azure AD
  • Manage Your Enterprise Applications with Azure AD

The following link will get you to the resources to register for the webinars.

https://aka.ms/aadwebinars

Microsoft Continues Its Azure ATP Webinar Series

Back in April, Microsoft ran a series of webinars for its security products, with one of the tracks focused on Azure Advanced Threat Protection (AATP).  They are following up those sessions with two additional ones announced today.

The next session will be on June 19th, at 8:00 AM PT / 11:00 AM ET / 15:00 UTC. It will discuss the new Unified SecOps Experience for Identities, which brings together Azure Advanced Threat Protection, Microsoft Cloud App Security, and Azure AD Identity Protection in a single console.

Part 2 of our Azure Advanced Threat Protection Detections Webinar coming on July 10th, at 8:00 AM PT / 11:00 AM ET / 15:00 UTC. The Azure ATP engineering team is hosting a second webinar to help demystify Azure ATP detections.

If interested you can register for these webinars at https://aka.ms/aatpwebinar.