Microsoft Security Saturday – 11/13/2021

The hunt for NOBELIUM, the most sophisticated nation-state attack in history
This is the second in a four-part blog series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft's four-part video series "Decoding NOBELIUM" pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this second post, we'll explore the investigation in the second episode of the docuseries.

Introducing the Microsoft Defender for Office 365 Migration Guide
Today, we're pleased to announce the release of the Microsoft Defender for Office 365 Migration Guide. If you're thinking of switching your MX record from another filtering service or on-premises Secure Email Gateway, then we hope you'll find this helpful. Our goal with this guide is to help our customers have a better experience when migrating.

Protecting Federal Information Systems with the Microsoft Insider Risk Management Solution
Insider risk management remains at the forefront of priorities in protecting federal information systems. Federal requirements such as Executive Order 13587 and the National Industrial Security Program Operating Manual (NISPOM) provide respective guidance and requirements for defending against insider risk scenarios. Recent work trend indexes demonstrate shifts between on-premises and remote work during the pandemic.

Microsoft 365 Compliance audit log activities via O365 Management API – Part 1
Auditing and reporting play important roles in the security and compliance strategy for many organizations. With the continued expansion of the technology landscape, with its ever-increasing number of systems, endpoints, operations, and regulations, it becomes even more important to have a comprehensive logging and reporting solution in place.

APIs and Best Security Practices for Microsoft Defender for Cloud Apps update: November 2021
It's important to know how to utilize APIs in order to work with a CASB like Microsoft Defender for Cloud Apps. Let's explore authentication, authorization, and utilization of the Defender for Cloud Apps API to streamline and customize your cloud security experience.
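As an added illustration of the authentication and paging pattern the post covers (this is not code from the linked post or from Microsoft), the script below lists open Defender for Cloud Apps alerts through the REST API. It assumes a placeholder portal host ($Portal, the value shown under Settings > About in your tenant) and a placeholder token ($Token): either a legacy API token, sent with the "Token" scheme, or an Azure AD access token for an app registration that holds the investigation.read application permission, sent with the "Bearer" scheme. The filter value (resolutionStatus 0 = open) and the hasNext paging field are taken from the API documentation and are marked as assumptions in the code.

```powershell
# Added example, not from the linked post. Placeholders: $Portal, $Token.
param(
    [Parameter(Mandatory)] [string] $Portal,            # e.g. contoso.us3.portal.cloudappsecurity.com
    [Parameter(Mandatory)] [string] $Token,             # legacy API token or Azure AD access token
    [ValidateSet('Token', 'Bearer')] [string] $Scheme = 'Bearer',
    [int] $PageSize = 100
)

$headers = @{
    Authorization  = "$Scheme $Token"                 # "Token <key>" (legacy) or "Bearer <jwt>" (Azure AD app)
    'Content-Type' = 'application/json'
}

function Get-MdcaAlerts {
    # Alerts are listed with a POST to /api/v1/alerts/ and paged with skip/limit.
    # resolutionStatus 0 = open, 1 = dismissed, 2 = resolved (assumption from the API docs).
    $skip = 0
    $all  = @()
    do {
        $body = @{
            filters = @{ resolutionStatus = @{ eq = @(0) } }
            skip    = $skip
            limit   = $PageSize
        } | ConvertTo-Json -Depth 5

        $resp = Invoke-RestMethod -Method Post -Uri "https://$Portal/api/v1/alerts/" `
                                  -Headers $headers -Body $body
        $all  += $resp.data
        $skip += $PageSize
    } while ($resp.hasNext)      # hasNext is the API's "more pages" flag (assumption from the docs)
    return $all
}

Get-MdcaAlerts |
    Select-Object _id, title, severity, timestamp |
    Format-Table -AutoSize
```

Prefer the Bearer form in automation: an app registration can be limited to investigation.read and its credential rotated independently, whereas a legacy API token carries the rights of the user who minted it. Keep the token out of the script itself (pass it in from a secret store) and restrict the app's permissions to the API areas the job actually needs.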

Microsoft Defender for Cloud – Use cases
The way we look at threats and the mechanisms we implement to protect, detect, and respond to them has changed drastically. It is no longer a cat-and-mouse game between us and the attackers. Technology advancements and sophistication have given threat actors a multitude of options to defeat the mindset and mechanisms we have been carrying over for years.

Azure Security Center: General availability updates for October 2021

What's new: Microsoft Sentinel Deception Solution
Among the most successful and well-used techniques in the adversary's toolbox is an attack that involves some form of deception, which exploits the human vulnerability and the ease with which it can be manipulated. Whether it's social engineering or spear phishing, deception plays a major part in most cyberattacks impacting our customers today. But deception is a two-way street, and defenders can use it to their advantage. By planting decoy resources in strategic locations and with heightened monitoring, defenders can lure an attacker in, forcing them to reveal their presence when they would otherwise remain undetected.

Learn how Microsoft strengthens IoT and OT security with Zero Trust
As cyber threats grow more sophisticated and relentless, the need for Cybersecurity Awareness Month becomes more urgent every year. As part of our year-round commitment to security for all, Microsoft continues to track numerous incidents targeting both digital and physical operations for many organizations. Beyond the usual espionage and data-theft attacks aimed at IT systems, threat actors have increasingly turned their attention toward IoT devices and operational technology (OT) equipment, everything from oil pipelines to medical devices.

Hunt with MITRE ATT&CK techniques using refreshed hunting dashboard
Now in GA, a refreshed hunting query experience helps you find undetected threats more quickly and with more precision. Hunting queries are now mapped to MITRE ATT&CK techniques and sub-techniques. This helps you identify which behaviors are present and your overall MITRE coverage for hunting. You can run all your queries at once, then filter on MITRE techniques and queries that had significant changes in the last 24 to 48 hours. This makes it much easier to zero in on the most promising leads for hunting.

Upcoming Microsoft Information Governance Webinars: Adaptive Policy Scopes Webinar Series
In our previous webinar "Deep Dive on Adaptive Scopes" we introduced the public preview release of Adaptive Policy Scopes, which can be used to dynamically assign Microsoft 365 retention-based policies to users, groups, and sites based on attributes and properties. In this two-part webinar series, we will take a deeper look at using the advanced query builder to populate scopes for more complex scenarios, as well as discuss best practices and common mistakes and how to avoid them.

It's not all about the data! Protecting Your Users in Teams with Communications Compliance
As administrators, if we don't have line of sight of the apps our users are using, have no idea whether malicious actors are already inside our network, and cannot protect our own data from insider threats, it begs the question: what else are we missing? Are we aware of, or do we have any control over, our users' devices? Do we drive their servicing to ensure they are current and have the latest protection? Are we thinking about concepts such as Zero Trust, Conditional Access, or AI-driven security? Investing in passwordless? Do we know what a SIEM is? What MITRE ATT&CK is? And do we have any oversight of regulatory or code-of-conduct violations in the apps we use, like Exchange, Yammer, and Microsoft Teams?

Use sensitivity labels in your Microsoft Teams
Bringing data classification into Microsoft Teams helps you add security and compliance to your collaboration environment. Controlling strictly confidential content, protecting trade secrets, and blocking guest access to specific teams are all possible with Microsoft Unified Labeling.

Upcoming permissions changes for Microsoft Defender for Endpoint running Android 11 or later
We posted MC291890 in the Message Center a month ago (message below). Implementation of this change will start rolling out on November 11, 2021. To help you be more aware of this change, we're sharing the Message Center post and including screenshots so you can see the experience.

Using a gMSA account in Microsoft Defender for Identity in multi-domain forests
As explained in the MDI documentation (Microsoft Defender for Identity prerequisites), Microsoft recommends using a gMSA account. There is a soft cap of up to 30 accounts, intended to map to up to 30 AD forests within a single MDI instance, and even this soft cap can be raised by opening a support ticket.
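The following is an added example (not from the linked post or from the MDI documentation) of creating a single gMSA that sensors in more than one domain of a forest can use as their Directory Service Account. All names are placeholders: the forest root contoso.local, the group MDI-Sensors, the gMSA mdiSvc01, and the sensor hosts DC01, DC02 and CHILD-DC01 (the last assumed to sit in a child domain). Run it from a host with the ActiveDirectory module, as an account allowed to create groups and service accounts in the root domain.

```powershell
# Added example, not from the linked post. All names below are placeholders.
Import-Module ActiveDirectory

$Domain    = 'contoso.local'                        # forest root where the gMSA is created
$GroupName = 'MDI-Sensors'                          # computers allowed to retrieve the gMSA password
$GmsaName  = 'mdiSvc01'
$Sensors   = @('DC01', 'DC02', 'CHILD-DC01')        # CHILD-DC01 is assumed to live in a child domain

# 1. A forest needs a KDS root key before any gMSA can be created (one-time step).
#    -EffectiveImmediately still honours the 10-hour replication safety window, so in a
#    real forest create the key well before you need the account.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Hold the sensor computer accounts in a *universal* security group. Global groups cannot
#    contain members from other domains, so a global group would silently exclude CHILD-DC01.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                -Description 'Sensor hosts allowed to retrieve the MDI gMSA password'
}
foreach ($name in $Sensors) {
    # Query the global catalog (port 3268) so computers from child domains resolve too.
    $computer = Get-ADComputer -Filter "Name -eq '$name'" -Server "$($Domain):3268"
    if ($null -eq $computer) { throw "Sensor host '$name' not found in the forest" }
    Add-ADGroupMember -Identity $GroupName -Members $computer
}

# 3. Create the gMSA. Only members of $GroupName may retrieve its password; MDI does not
#    log the account on interactively, so no SPN or extra rights are granted here.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$Domain" `
                         -PrincipalsAllowedToRetrieveManagedPassword $GroupName
}

# 4. Verify on each sensor host. Group membership only lands in the computer's token after
#    a reboot (or a ticket purge), so run this there once the host has restarted:
#    Test-ADServiceAccount -Identity 'mdiSvc01'     # expected: True
```

Register the account in the MDI portal as contoso\mdiSvc01$ (note the trailing $) with the gMSA option ticked. A single gMSA is enough as long as it can read every domain in the forest; the prerequisites also call for it to be able to read the Deleted Objects container in each domain, which default ACLs do not grant, so check that separately rather than adding one DSA per domain and burning through the 30-entry cap.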

Sharing the latest Microsoft Teams security and compliance innovations
We hope you had the chance to join us virtually at Microsoft Ignite to learn about all the latest innovations and product announcements. If you couldn't join, Microsoft Ignite content will remain on-demand on our Microsoft Tech Community!