Microsoft Security Saturday – 1/23/2021

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop – More than a month into the discovery of Solorigate, investigations continue to unearth new details that show it is one of the most sophisticated and protracted intrusion campaigns of the decade. Our continued analysis of threat data shows that the attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence.

Using Zero Trust principles to protect against sophisticated attacks like Solorigate – Companies operating with a Zero Trust mentality across their entire environment are more resilient, consistent, and responsive to new attacks, and Solorigate is no different. As threats increase in sophistication, Zero Trust matters more than ever, but gaps in applying the principles, such as unprotected devices, weak passwords, and incomplete multi-factor authentication (MFA) coverage, can be exploited by attackers.

Microsoft 365 Information Protection and Compliance Deployment Acceleration Guides – Each guide can be used independently, but we recommend using all the solutions together for your deployment needs. We are not recommending that one solution be implemented before another, but each guide includes information that ties the solutions together, with features to consider during your implementation. The guides cover the features released as of today and will be updated as additional features progress from beta or private preview to general availability.

Microsoft Defender for Endpoint: Automation defaults are changing – We are excited to announce that we are about to increase our customers' protection by upgrading the default automation level for Microsoft Defender for Endpoint customers who have opted into public previews from "Semi - require approval for any remediation" to "Full - remediate threats automatically".

MDATP: How to use tagging effectively (Part 3) – The Microsoft Defender for Endpoint APIs let you do many things through scripting, both querying and changing elements within your Microsoft Defender for Endpoint instance. As part of this blog series on tagging, we wanted to cover how you can use scripting to apply tags to machines directly through the API.
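The tagging-by-API flow the post describes, as an added example (this is not code from the MDATP blog series or from Microsoft): acquire an app token, look up the machine by name, post the tag, and confirm the tag is reflected in the returned machine object. The endpoint paths and request body follow the public MDE API ("Add or remove machine tags"; POST /api/machines/{id}/tags with {"Value": ..., "Action": "Add"|"Remove"}). The tenant ID, app ID, secret, hostname and the tag name are placeholders read from environment variables; the sample List-machines response used by the test is constructed. The app registration behind this needs only the Machine.ReadWrite.All application permission; keep the secret in a vault rather than in the script.

```python
"""Add a machine tag in Microsoft Defender for Endpoint through its REST API.

Added example, not code from the original post. Endpoints and body shape
follow the public MDE API ("Add or remove machine tags"):
  POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags
  body {"Value": "<tag>", "Action": "Add" | "Remove"}
The app registration needs the Machine.ReadWrite.All application permission.
Tenant/app IDs, the secret, the hostname and the tag are placeholders taken
from environment variables.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request; the resource must be the MDE API URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": MDE_API,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def build_machine_lookup(hostname, token):
    """GET /api/machines filtered on computerDnsName with an OData $filter."""
    if "'" in hostname:
        raise ValueError("hostname must not contain quotes")  # keeps the filter expression intact
    expr = urllib.parse.quote(f"computerDnsName eq '{hostname}'")
    return f"{MDE_API}/api/machines?$filter={expr}", {"Authorization": f"Bearer {token}"}


def select_machine(list_response, hostname):
    """Pick the machine id for hostname from a List-machines response ({"value": [...]})."""
    matches = [m for m in list_response.get("value", [])
               if m.get("computerDnsName", "").lower() == hostname.lower()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one machine named {hostname}, got {len(matches)}")
    return matches[0]["id"]


def build_tag_request(machine_id, tag, token, action="Add"):
    """Return (url, headers, body) for the add/remove tag call, validating inputs first."""
    if action not in ("Add", "Remove"):
        raise ValueError("action must be 'Add' or 'Remove'")
    if not machine_id.isalnum():
        # ids returned by the API are alphanumeric; anything else could alter the URL path
        raise ValueError("unexpected machine id")
    if not tag.strip():
        raise ValueError("tag must not be empty")
    url = f"{MDE_API}/api/machines/{machine_id}/tags"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"Value": tag, "Action": action}).encode()
    return url, headers, body


def _call(url, headers=None, body=None, method=None):
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def main():
    tenant, app, secret, hostname = (os.environ.get(k) for k in
                                     ("MDE_TENANT_ID", "MDE_APP_ID", "MDE_APP_SECRET", "MDE_HOSTNAME"))
    tag = os.environ.get("MDE_TAG", "Example-Tag")  # placeholder tag name
    if not all((tenant, app, secret, hostname)):
        sys.exit("set MDE_TENANT_ID, MDE_APP_ID, MDE_APP_SECRET and MDE_HOSTNAME")
    token_url, token_body = build_token_request(tenant, app, secret)
    token = _call(token_url, body=token_body, method="POST")["access_token"]
    url, headers = build_machine_lookup(hostname, token)
    machine_id = select_machine(_call(url, headers), hostname)
    url, headers, body = build_tag_request(machine_id, tag, token)
    machine = _call(url, headers, body, method="POST")  # the API returns the updated machine object
    if tag not in machine.get("machineTags", []):
        sys.exit("tag was accepted but is not reflected in the returned machine object")
    print(f"tagged {hostname} ({machine_id}) with {tag!r}")


if __name__ == "__main__":
    main()
```

The request builders are separated from the network calls so the script can be dry-run, and the post-check on machineTags catches the case where the call succeeds but the tag did not land (for example, a typo in the action). Because the API lookup is by display name, the script refuses to proceed unless exactly one machine matches, rather than tagging the first of several duplicates.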

Microsoft Cloud App Security User Interface Updates – In the coming months, Cloud App Security will be updating its UI to provide a more consistent experience across Microsoft 365 security portals. Use this blog to learn about the changes as they unfold.

Password Monitor: Safeguarding passwords in Microsoft Edge – One of the biggest pillars for Microsoft Edge is trust. Today, to further bolster that trust while keeping our customers safe, we introduce a new feature called Password Monitor. The feature notifies users if any of their saved passwords have been found in a third-party breach.

Microsoft Edge 88 Privacy and Security Updates – A year ago, we made a promise to protect our users, respect their choices, and always provide them transparency and control. Today, we reaffirm that commitment in a time where peace of mind is needed most and are excited to share some updates and improvements to Microsoft Edge 88.

What's new: Dedicated clusters for Azure Sentinel – If you ingest over 1 TB per day into your Azure Sentinel workspace and/or have multiple Azure Sentinel workspaces in your Azure enrollment, you may want to consider migrating to a dedicated cluster, a recent addition to the deployment options for Azure Sentinel.

What's new: Managed Identity for Azure Sentinel Logic Apps connector – The Azure Sentinel Logic Apps connector is the bridge between Sentinel and playbooks, serving as the basis for incident automation scenarios. The connector requires an identity on whose behalf it operates on Azure Sentinel.

Security Control: Enable audit and logging – As part of our recent Azure Security Center (ASC) blog series, we are diving into the different controls within ASC's Secure Score. In this post we discuss the control Enable audit and logging.

Bring Threat Intelligence from IntSights Using TAXII Data Connector – One way to bring threat intelligence into Azure Sentinel is the Threat Intelligence - TAXII data connector. This connector uses the TAXII protocol for sharing data in STIX format and enables a built-in TAXII client in Azure Sentinel to import threat intelligence from TAXII 2.x servers.
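What a TAXII 2.x client actually imports, as an added example (this is not code from the post, from IntSights or from the Sentinel connector): a GET on a collection's objects endpoint returns STIX objects, and the indicators among them carry a pattern such as [ipv4-addr:value = '...'] that has to be turned into matchable observables. The block builds the TAXII 2.1 request (the path and Accept media type follow the TAXII 2.1 specification; the server URL and collection ID are placeholders), then extracts observables from a constructed envelope while skipping revoked, expired and non-STIX-pattern indicators. It also accepts a TAXII 2.0-style bundle, since both carry the same objects list.

```python
"""Pull observables out of the STIX 2.x indicators a TAXII 2.x server returns.

Added example, not code from the original post or from the Sentinel connector.
The envelope below is constructed sample data; the server URL and collection
id in the main block are placeholders.
"""
import re
from datetime import datetime, timezone

# One comparison inside a STIX pattern: <object-path> = '<value>'.
# Deliberately ignores '!=', 'IN', 'LIKE' and friends, which are not plain match-on-value IOCs.
_COMPARISON = re.compile(r"([a-z0-9_-]+:[A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def taxii_objects_request(api_root, collection_id, added_after=None):
    """URL and headers for GET {api-root}/collections/{id}/objects/ (TAXII 2.1 media type)."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    if added_after:
        url += f"?added_after={added_after}"  # incremental poll instead of re-importing the collection
    return url, {"Accept": "application/taxii+json;version=2.1"}


def _parse_ts(value):
    # STIX timestamps end in 'Z'; datetime.fromisoformat wants an explicit offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_indicators(payload, now=None):
    """Return [(object_path, value), ...] for live, non-revoked STIX-pattern indicators.

    payload is the parsed JSON from the server: a TAXII 2.1 envelope
    ({"more": false, "objects": [...]}) or a TAXII 2.0 / STIX bundle
    ({"type": "bundle", "objects": [...]}). `now` may be a datetime or a STIX timestamp string.
    """
    if isinstance(now, str):
        now = _parse_ts(now)
    now = now or datetime.now(timezone.utc)
    observables = []
    for obj in payload.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # yara / snort / sigma patterns carry no single observable value
        valid_until = obj.get("valid_until")
        if valid_until and _parse_ts(valid_until) <= now:
            continue  # expired indicator: stop matching on it
        for path, value in _COMPARISON.findall(obj.get("pattern", "")):
            observables.append((path.replace("'", ""), value))  # file:hashes.'SHA-256' -> file:hashes.SHA-256
    return observables


def _indicator(suffix, pattern, **extra):
    """Build a constructed STIX 2.1 indicator object for the sample envelope."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-0000000000{suffix}",
           "created": "2021-01-10T00:00:00.000Z", "modified": "2021-01-10T00:00:00.000Z",
           "valid_from": "2021-01-10T00:00:00.000Z", "pattern_type": "stix", "pattern": pattern}
    obj.update(extra)
    return obj


# Constructed sample of what GET .../objects/ returns (TAXII 2.1 envelope); not real feed data.
SAMPLE_ENVELOPE = {"more": False, "objects": [
    _indicator("01", "[ipv4-addr:value = '198.51.100.7']"),
    _indicator("02", "[domain-name:value = 'login.example.invalid' OR domain-name:value = 'cdn.example.invalid']",
               valid_until="2022-01-01T00:00:00.000Z"),
    _indicator("03", "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"),
    _indicator("04", "[ipv4-addr:value = '203.0.113.9']", valid_until="2020-12-01T00:00:00.000Z"),  # expired
    _indicator("05", "[url:value = 'http://example.invalid/x']", revoked=True),                      # withdrawn
    _indicator("06", "rule demo { condition: true }", pattern_type="yara"),                           # not a value IOC
    {"type": "identity", "spec_version": "2.1", "id": "identity--00000000-0000-4000-8000-000000000099",
     "name": "Constructed Feed", "identity_class": "organization"},
]}


if __name__ == "__main__":
    url, headers = taxii_objects_request("https://taxii.example.invalid/api1", "collection-id-placeholder",
                                         added_after="2021-01-01T00:00:00.000Z")
    print("would GET", url, headers)
    for path, value in extract_indicators(SAMPLE_ENVELOPE, now="2021-01-23T00:00:00.000Z"):
        print(f"{path:22} {value}")
```

Two details matter in practice: honouring valid_until and revoked keeps stale indicators from generating alerts long after the feed has withdrawn them, and polling with added_after keeps each import incremental rather than re-reading the whole collection.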