TagM365

S for Security in EMS – Cloud App Security

Last but not least in my blog post series “S for Security in EMS” is about Microsoft Cloud App Security!

Microsoft Cloud App Security is a CASB (Cloud access security broker) service delivered by Microsoft that will give you several features to protect your data, users and cloud services. MCAS is giving you a great insight on

  • Shadow IT visibility
  • Cloud applications usage
  • Notifications when users take advantage of new Cloud applications
  • Dive into specific applications, users or ip addresses

Microsot Cloud App Security comes in two editions – Microsoft Cloud App Security and Office 365 Cloud App Security

To see differences in features have a look at docs.microsoft.com here

With both editions you can easily upload your firewall logs to MCAS and get a analysis on what users are using of Cloud applications from your office network or you can configure reverse proxy features with Conditional Access and MCAS giving you great insight on what applications users are using with Azure AD integration and files shared across other services outside of Office 365.

When creating a new snapshot report (aka firewall log upload) the data goes through several steps like file parsing, data analysis and then the report is created.

This is a sample on how the report could look like and what can be discovered.

Note that here you see Open Alerts on Cloud applications users are using, how many GB of data is being uploaded to what applications and much more!

Next up you also get som pritty nice alerting out of the box.

There is 26 enabled policies that will govern your environment looking for leaked credentials, multiple failed logons, imposible travel and much more

Take a look here at some alerts on imposible travel

The alert gives us rich information on IP addresses, country, what service is used and witch user are affected. A great tool to investigate a account breach!

Some of the policies available

That in mind!

Microsoft Cloud App Security or Office 365 Cloud App Security is a greate tool to use within your organization!

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

S for Security in EMS – AAD Premium

Let`s start off with the EMS E3 package and that will give you access and user rights to use Azure AD Premium P1 features.

So do you need it?

Well, Azure AD Premium P1 gives you capabilities for your hybrid users to access both on-prem and cloud resources. The synchronization also provides write-back capabilities so self-service password reset for on-prem users can be achieved. Along with advanced features as Dynamic groups, self-service group management and “Microsoft Identity Manager” (on-prem identity and access management).

And one more important feature which is one of the most powerfull regarding securing your cloud services is “Conditional Access”. Yes we have “Security Defaults” witch is a free service but if you need to do some exclutions you need to upgrade to Azure AD Premium P1 to gain “Conditional Access” features.

Over to EMS E5 – that gives you several additions to the P1 license with all the Azure AD P2 features.

Those features are at the time “Azure Identity Protection” and “Priviledged Identity Management”

When going to P2 i will say that PIM is the feature you want to configure right the way as this gives you access management in a whole new level. Users who have been givven additional roles within your AzureAD does not have the role active at all time lowering the attack vector for users. When users need to use their priviledge roles they have to activate it and by adding a second factor to the activation your priviledge roles are more secure! Hey, you can also add approvers to roles so that a second person need to approve the request.

Many options on this part as you see!

As this blogg post is in a series of several posts please stay tuned for the next service within EMS and this blog post series “S for security in EMS”

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Using the new Sensitivity labels in Teams and SharePoint

These days the preview of Sensitivity labels in Microsoft Teams and SharePoint is rolling out, and I got the new feature up and running in my tenant allready!

If you have been waiting on this feature you may have noticed that the rollout came in stages and is taking some time to be rolled out.

After opt-in to the preview feature by following the guide lines from docs.microsoft.com. You can start creating your new Sensitivity labels tailord for Office 365 groups, SharePoint sites and Microsoft Teams.

Head into Compliance center and create a new label and set the settings you want to test! In my case i created two new labels (naming is for test and to make it easy for me to divided these two :))

Basicly now you finally can block untrusted devices to gain access to higly confidential information stored within SharePoint or Teams – AND also prevent guests to be invited into the site.

For this to be working you need to be using Intune aswell so that company devices such as computers, laptops and mobile devices can be marked as compliant devices.

A usefull scenario also for this is when you only allow Limited, web only access to site or team then you block downloads from untrusted devices such as kiosk, home computers etc.

What do you think of this new feature?

I can`t wait to be going production with this!

How do I know all my users are enabled for and using MFA?

More and more organizations is taking advantage of using MFA for their users and there is no reason for them not to since it`s free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?

You may have seen at the Secure Score that not all users are registred for MFA, and if you do so you have users with no MFA! So these users may be victims for bruteforce attacks so it`s super important to remediate all users to see how everything is configured! Some of the users with no MFA maybe legit and should not have it.

So let`s dig into the materials for a second or two.

First thing is that there is a “Secure Score” check for MFA registered users that will show you how many of your users which are not registered (if any)

If you have any users in that list it would not show who the users are so we need to go deeper in the material to retreive this status.

So to get the list of users who don`t have setup MFA you need to run this PowerShell command with the AzureAD PowerShell module loaded.

Connect-MsolService

Get-MSOLUser -all | where {$_.StrongAuthenticationMethods.methodtype -eq $null} | Select Displayname,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType |Out-GridView

And now that we have found all users we can check them out why they don`t use MFA and make sure that they use it 🙂

Further on we can check what method users are using when authenticating with MFA. For this I use this script located in Technet PowerShell archives HERE

If you have deployed MFA the Conditional Access way (recommended) you will see that the MFA status on all user are set to “Disabled” but the method is set to what the user are using.

Have checking status on your users! 🙂

Automated Investigation & Response

The Automated Investigation & Response feature under Threat management in Security & Compliance admin portal is a pritty new and amazing feature in Office 365.

To use this feature you need to have “Office 365 Advanced Threat Protection Plan 2” licenses witch you can purchase standalone or it`s included in the Office 365 E5 license and yes – you need to be a “Global Administrator” or “Security Administrator” to configure the service. Once configured you can also use “Security Reader” or “Security Operator” to see whats happening.

Have a look here to see all capabilities within “Advanced threat protections”.

So over to Automated Investigation & Response (AIR) – have a look at this screenshot

As we see her we have two detection on-going which waiting on user action. The first one in the picture is automatically found by the system and the second one is a email which I reported through the “Message Report” add-in for Outlook which are deployed to all users (Both Outlook and Outlook Web).

In the overview of the case (the one i reported) we see what`s going on with the message, the Trigger alert, what threats  who where found, how many emails are “infected” and which users that have the infected email in their mailbox (could be a mass-phishing attack)

When we navigate to the Email tab we see what section of the email that are found malicious and in this case the Advanced Threat Protection has matched the URL to a malicious URL

Moving to the Action tab – we are given several a big tool belt meaning that we can do a soft delete from the users mailboxes (in this case only one user, but if this malicious email was delivered to 100 users we can in one click remove the email from the users mailboxes) and block the URL in Safe Links.

So this was very short on how to easily use AIR in your tenant if you have the right license.

© 2020 IdefixWiki

Theme by Anders NorénUp ↑