Tag: Microsoft365

S for Security in EMS – Advanced Threat Analytics

So in this fourth blog post in my series S for Security in EMS we will go deeper into Advanced Threat Analytics, which is included within EMS.

So what is Advanced Threat Analytics?

Well, it's an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.

Why is this an important toolset to have in your hybrid environment?

Well, since you have a hybrid environment you are lacking a system to detect abnormal behaviour like password sharing, lateral movement and so on, as well as malicious attacks like Pass-the-Ticket, Pass-the-Hash and several other attack vectors.

Advanced Threat Analytics uses machine learning and user behaviour analytics to discover abnormal and suspicious activities.

Within Advanced Threat Analytics we can also get insights on security issues and risks within our on-premises environment, like broken trust between machines and domain controllers, weak protocols used by our users and systems, and much more!

All these actions and insights can be viewed from the Advanced Threat Analytics Dashboard.

This is just a small insight into what ATA can do for you!

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Change to Opt-In in MyAnalytics

Since MyAnalytics is an “Opt-Out” feature in Office 365, some companies want to change this behaviour for their users, meaning that each user should enable this feature themselves instead of the service being automatically enabled when users are created.

Changing settings in Office 365 to change this behaviour:

Remove the three ticks on the MyAnalytics service window to change the default behaviour for new users. Removing these ticks will ensure that users need to “opt-in” themselves by accessing “myanalytics.microsoft.com” and changing the settings there.

Each user can customize their own MyAnalytics settings by opting in or out in the dashboard at “myanalytics.microsoft.com”.

Remove the service from each existing user, forcing the users to enable the service themselves:

#Connect to Exchange Online with MFA
#The CreateExoPSSession.ps1 module is installed from the Exchange Online Admin Center under "hybrid" (use IE for the ClickOnce install).
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse ).FullName | Select-Object -Last 1)
#Connect to Exchange Online
Connect-EXOPSSession -UserPrincipalName julian.rasmussen@xxxxxxxxxx.no
#Setting this global variable makes the session reuse the existing token when it needs to reauthenticate after 1 hour, so you don't have to type the password again
$global:UserPrincipalName="julian.rasmussen@xxxxxxxxxx.no"

#Check what state the user is in today
Get-UserAnalyticsConfig -Identity julian.rasmussen@xxxxxxxxxx.no

#Opt-out from service - users can opt-in again at https://myanalytics.microsoft.com/
Set-UserAnalyticsConfig -Identity julian.rasmussen@xxxxxxxxxx.no -PrivacyMode Opt-out

#Multiple opt-out: apply the same setting to every mailbox in the tenant
$privacyMode = "Opt-Out"

#-ResultSize Unlimited is needed, otherwise Get-Mailbox only returns the first 1000 mailboxes
$users = Get-Mailbox -ResultSize Unlimited
ForEach ($user in $users)
{
    #Print the UPN so you can follow the progress
    $user.UserPrincipalName
    $upn = $user.UserPrincipalName

    Set-UserAnalyticsConfig -Identity $upn -PrivacyMode $privacyMode
    #Read the setting back to confirm the change
    Get-UserAnalyticsConfig -Identity $upn
}
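As an added example (not from the original post), here is the check I would run after the bulk opt-out: it reads the privacy mode back for every user mailbox, lists the ones that are still opted in or could not be read, and writes a CSV report. It assumes the Exchange Online session from the script above is still open and that Get-UserAnalyticsConfig returns a PrivacyMode property; the report path is an arbitrary choice.

```powershell
# Added example (not from the original post): verify the bulk opt-out and report
# any mailbox whose MyAnalytics privacy mode is not "Opt-out".
# Assumes an Exchange Online session is already open (Connect-EXOPSSession above)
# and that Get-UserAnalyticsConfig returns Identity and PrivacyMode properties.

$expectedMode = "Opt-out"
$reportPath   = Join-Path $env:TEMP "myanalytics-privacy-report.csv"   # arbitrary output location

# -ResultSize Unlimited so tenants with more than 1000 mailboxes are fully covered;
# only user mailboxes matter here, shared/resource mailboxes have no MyAnalytics
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$results = foreach ($mbx in $mailboxes) {
    try {
        $cfg = Get-UserAnalyticsConfig -Identity $mbx.UserPrincipalName -ErrorAction Stop
        [pscustomobject]@{
            UserPrincipalName = $mbx.UserPrincipalName
            PrivacyMode       = $cfg.PrivacyMode
            Compliant         = ($cfg.PrivacyMode -eq $expectedMode)   # -eq is case-insensitive for strings
            Error             = $null
        }
    }
    catch {
        # Keep going on a per-mailbox failure (e.g. unlicensed user) and record the reason
        [pscustomobject]@{
            UserPrincipalName = $mbx.UserPrincipalName
            PrivacyMode       = $null
            Compliant         = $false
            Error             = $_.Exception.Message
        }
    }
}

$results | Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8

# Anything not compliant is either still opted in or could not be read; both need a look
$stillOptedIn = @($results | Where-Object { -not $_.Compliant })
"Mailboxes checked: $(@($results).Count)"
"Not opted out (or failed to read): $($stillOptedIn.Count)"
$stillOptedIn | Format-Table UserPrincipalName, PrivacyMode, Error -AutoSize
"Report written to $reportPath"
```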

S for Security in EMS – AAD Premium

Let's start off with the EMS E3 package, which gives you access and user rights to use the Azure AD Premium P1 features.

So do you need it?

Well, Azure AD Premium P1 gives your hybrid users the capabilities to access both on-prem and cloud resources. The synchronization also provides write-back capabilities, so self-service password reset for on-prem users can be achieved. Along with that come advanced features such as dynamic groups, self-service group management and “Microsoft Identity Manager” (on-prem identity and access management).

And one more important feature, which is one of the most powerful for securing your cloud services, is “Conditional Access”. Yes, we have “Security Defaults”, which is a free service, but if you need to make some exclusions you need to upgrade to Azure AD Premium P1 to gain the “Conditional Access” features.

Over to EMS E5, which gives you several additions to the P1 license with all the Azure AD P2 features.

Those features are, at the time of writing, “Azure Identity Protection” and “Privileged Identity Management”.

When going to P2 I would say that PIM is the feature you want to configure right away, as this takes access management to a whole new level. Users who have been given additional roles within your Azure AD do not have the role active at all times, lowering the attack surface for those users. When users need to use their privileged roles they have to activate them, and by adding a second factor to the activation your privileged roles are more secure! Hey, you can also add approvers to roles so that a second person needs to approve the request.

Many options in this part, as you see!

As this blog post is one in a series of several posts, please stay tuned for the next service within EMS in this blog post series “S for Security in EMS”.


Using the new Sensitivity labels in Teams and SharePoint

These days the preview of Sensitivity labels in Microsoft Teams and SharePoint is rolling out, and I got the new feature up and running in my tenant already!

If you have been waiting for this feature you may have noticed that the rollout comes in stages and is taking some time.

After opting in to the preview feature by following the guidelines from docs.microsoft.com, you can start creating your new Sensitivity labels tailored for Office 365 groups, SharePoint sites and Microsoft Teams.

Head into the Compliance center, create a new label and set the settings you want to test! In my case I created two new labels (the naming is for testing and to make it easy for me to divide these two :))

Basically you can now finally block untrusted devices from gaining access to highly confidential information stored within SharePoint or Teams, AND also prevent guests from being invited into the site.

For this to work you need to be using Intune as well, so that company devices such as computers, laptops and mobile devices can be marked as compliant devices.

Another useful scenario is when you only allow limited, web-only access to a site or team: then you block downloads from untrusted devices such as kiosks, home computers etc.

What do you think of this new feature?

I can't wait to go to production with this!

Automated Investigation & Response

The Automated Investigation & Response feature under Threat management in the Security & Compliance admin portal is a pretty new and amazing feature in Office 365.

To use this feature you need to have “Office 365 Advanced Threat Protection Plan 2” licenses, which you can purchase standalone or get included in the Office 365 E5 license, and yes, you need to be a “Global Administrator” or “Security Administrator” to configure the service. Once configured you can also use “Security Reader” or “Security Operator” to see what's happening.

Have a look here to see all capabilities within “Advanced Threat Protection”.

So over to Automated Investigation & Response (AIR); have a look at this screenshot.

As we see here we have two detections on-going which are waiting on user action. The first one in the picture was found automatically by the system and the second one is an email which I reported through the “Message Report” add-in for Outlook, which is deployed to all users (both Outlook and Outlook Web).

In the overview of the case (the one I reported) we see what's going on with the message: the trigger alert, which threats were found, how many emails are “infected” and which users have the infected email in their mailbox (could be a mass-phishing attack).

When we navigate to the Email tab we see which section of the email was found malicious, and in this case Advanced Threat Protection has matched the URL to a known malicious URL.

Moving to the Action tab, we are given a big tool belt, meaning that we can do a soft delete from the users' mailboxes (in this case only one user, but if this malicious email was delivered to 100 users we can remove the email from all their mailboxes in one click) and block the URL in Safe Links.

So this was a very short look at how easily you can use AIR in your tenant if you have the right license.

© 2020 IdefixWiki
