Microsoft Edge now alerts you if any of your online passwords are leaked!

Password Dialogue Screen

Let’s face it – all of us re-use our passwords across different systems, and most people use one password for pretty much everything they do online – and whilst these may be secure (and yes, some sites may enforce MFA – that’s something at least), if just one of these sites or companies gets breached, then your password is out there!

Microsoft are trying to help prevent this – well, at least make sure you know so you can do something about it quickly…

Whilst anyone running the Beta or Dev version of Edge has had this for a while, the latest “stable” update to roll out this week has introduced probably one of the most important features to help users (everyone) understand where their password may have been breached or compromised – not just their Office 365 or laptop credentials, but across any (and I mean any) web site or SaaS service they use in Edge.

Introducing Password Monitor in Edge

Microsoft have released a new feature called Password Monitor (which is included in Edge build 88 and later), which notifies users if any of their saved passwords have been found in a third-party breach.

Edge Password Monitor Graphic

This is done using password hash comparison (so Microsoft doesn’t actually learn or store passwords anywhere), meaning users can be assured that neither Microsoft nor any other party can learn the user’s passwords while they are being monitored for breaches.

When you turn on Password Monitor, Edge starts periodically checking (you can force a check too) the passwords you’ve saved in the browser against a huge database of known leaked passwords that is stored in the cloud. If any of your passwords match those in the database, they’ll appear on the Password Monitor page in Microsoft Edge Settings, and you also get a pop-up notification if new ones are found. What this is basically telling you is that “any passwords listed there are no longer safe to use” and you should change them immediately – pretty damn useful advice for anyone!

Why this is so important

Each year, hundreds of millions of usernames and passwords are exposed online when websites or apps become the target of data leaks and, as I mentioned at the start, whilst the public are regularly cautioned against reusing the same username and password combination for more than one online account, it’s a common practice, which leaves them vulnerable on multiple sites when even one password gets leaked. Even if your password is complex, it only takes one site to be leaked and your password and username are out there – it’s like leaving the front door of your house wide open.

Leaked usernames and passwords often end up for sale on the online black market, commonly referred to as the Dark Web. Hackers use automated scripts to try different stolen username and password combinations to hijack people’s accounts. If one of your accounts is taken over, you can be the victim of fraudulent transactions, identity theft, illegal fund transfers, or other illegal activities, and bear in mind that many of these sites allow you to save or store payment information, address information and family information on them – perfect for identity theft!

Password Monitor helps protect your online accounts in Microsoft Edge by informing you when any of your passwords have been compromised, so you can update them. Changing passwords immediately is the best way to prevent your account from being hijacked.

Enabling Password Monitor

This new feature is not enabled by default. In order to activate it, you need to carry out these simple steps:

  1. Sign in to Microsoft Edge using your Microsoft account or your work or school account.
  2. Navigate to Settings and more > Settings > Profiles > Passwords.
  3. Turn on Show alerts when passwords are found in an online leak.
  4. Any unsafe passwords will then be displayed on the Password Monitor page.

Screenshot of settings in Edge

If you are signed in and syncing your passwords, Password Monitor is enabled automatically in your browsers.

When you enable Password Monitor for the first time, all your passwords will be checked to see if any of them have been compromised. If any of your passwords match those in the list of known leaked passwords, a notification appears:

This notification appears only once each time a new password is found to be unsafe. Microsoft give you two options at this point – view the details or dismiss the notification – and it’s OK, you can come back to them later.

Responding to notifications

If Edge informs you that a username / password combination has been breached and is therefore no longer safe, you can go here to learn more:

Settings and more > Settings > Profiles > Passwords > Password Monitor.

Here you will see a list of all the unsafe passwords Microsoft has found, and for each account listed on the page you can be redirected to that site to update and change your password. If an entry in the list of compromised passwords is no longer relevant (you may have deleted your account, for example), you can click ignore – remember though, if just one site is breached and you use that account elsewhere, change it!

Microsoft have provided a nice Q&A and support page for this here: Password Monitor support page.


Read More about how Password Monitor works

Password Monitor will be made available to Edge users on a rolling basis so it will not be immediately visible to everyone.

You can read more about how this works and why it is such a vital step forward for privacy, security and control of your online life here: Password Monitor: Safeguarding passwords in Microsoft Edge – Microsoft Research

Microsoft Defender now unifies SIEM and XDR

Microsoft Security Logo

At #Ignite2020 (September 2020), Microsoft announced a change to their security and threat protection with a new, unique approach designed to “empower security professionals to get ahead of today’s complex threat landscape” with fully integrated SIEM and XDR (eXtended Detection and Response) tools from a single vendor, so you get the best of both worlds. Much of the summary below is taken from the wider Microsoft Blog.

As part of this, Microsoft are unifying their XDR tech under the Microsoft Defender brand.

“The new Microsoft Defender is now the most comprehensive XDR in the market and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms”.

With Microsoft Defender, Microsoft are both rebranding their existing threat protection portfolio and adding new capabilities, including additional multi-cloud (Google Cloud and AWS) and multi-platform (Windows, Mac, Linux, Android, and iOS) support.

Microsoft Defender is delivered in two main areas:

  • Microsoft 365 Defender for end-user environments and
  • Azure Defender for cloud and hybrid infrastructure.

Microsoft 365 Defender

This delivers XDR capabilities for identities, endpoints, cloud apps, email, and documents, using AI to reduce the SOC’s work items. Microsoft claims this can consolidate 1,000 alerts to just 40 high-priority incidents and that built-in self-healing technology fully automates remediation with a success rate of over 70%, ensuring the SOC can focus on “other tasks” that better leverage their knowledge and expertise.

An image of the Microsoft 365 Defender dashboard.

As part of this, the following branding changes have also been made to the Microsoft 365 security services:

  • Microsoft Threat Protection is now Microsoft 365 Defender

  • Microsoft Defender ATP is now Microsoft Defender for Endpoint

  • Office 365 ATP is now Microsoft Defender for Office 365

  • Azure Advanced Threat Protection is now Microsoft Defender for Azure

As well as the name change, several new features are now also available or coming:

  • New mobile support for Apple iOS (now in preview) and Android (now released). As a result, Microsoft now delivers endpoint protection across all major OS platforms.
  • Extension of the current macOS support with addition of threat and vulnerability management.
  • Priority account protection in Microsoft Defender for Office 365 will help security teams focus on protection from phishing attacks for users who have access to the most critical and privileged information. 

Azure Defender

Azure Defender is an evolution of the Azure Security Center threat protection capabilities and is accessed from within Azure Security Center and delivers XDR capabilities to protect multi-cloud and hybrid workloads, including VMs, databases, containers, IoT, and more. 

An image of Defender.

Aligned with the Microsoft 365 brand changes, there are also new names here, as well as some new features, naturally!

  • Azure Security Centre Standard is now Azure Defender for Servers
  • Azure Security Centre for IoT is now Azure Defender for IoT 
  • Advanced Threat Protection for SQL is now Azure Defender for SQL 

Along with the name change, these new features were also announced: 

  • New unified experience for Azure Defender that makes it easy to see which resources are protected and which need protection.
  • Added protection for SQL servers on-premises and in multi-cloud environments
  • Added protection for virtual machines in multi-cloud
  • Improved protections for containers, including Kubernetes-level policy management and continuous scanning of container images in container registries.
  • Support for operational technology networks with the integration of CyberX into Azure Defender for IoT.

The video below from Microsoft shows how it all works

Video from Microsoft Mechanics on the New Microsoft Defender


And finally…. let’s not forget Azure Sentinel

Whilst the XDR capabilities of Microsoft Defender, delivered through Azure Defender and Microsoft 365 Defender, provide rich insights and prioritised alerts, to gain visibility across your entire environment and include data from other security solutions such as firewalls and existing security tools, you connect Microsoft Defender to Azure Sentinel, Microsoft’s cloud-native SIEM.

Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

An image of Azure Sentinel.

You can read the full Microsoft Blog on this here:

“Application Guard” for Office Desktop Apps enters public preview

Image of Office Application Splash Screen

Microsoft has released a new security feature for Microsoft 365 into Public Preview. This new feature, known as “Application Guard”, has been designed to help prevent risky, malicious, or untrusted files from accessing your trusted resources.

This feature is turned off by default, and it’s currently only available to organisations that have Microsoft 365 E5 or Microsoft 365 E5 Security licenses.

The problem it addresses is that files from the internet and other potentially unsafe (not yet scanned or trusted) locations can contain viruses, worms, or other kinds of malware that can attempt to infect or harm users’ devices and data and, in the case of malware, spread to other areas.

With the new Application Guard feature enabled, Office apps will open files from potentially unsafe locations in Application Guard, which is a secure container (in memory) that is isolated and shielded from other applications, device hardware, processes, and system memory through hardware-based virtualisation.

When enabled, users will see a change to the standard Office splash screen on the first launch of an untrusted Office document, indicating that Application Guard for Office has been enabled and that the file is being opened in a secure environment. In addition, the application will also display a visual indicator, such as a callout in the ribbon and the taskbar icon, to inform the user that Application Guard is running.

Screenshot showing Office Application Guard

What is nice about this new feature is that, unlike the previous “protected mode”, which limited editing functions for example and prevented some aspects of the document or Excel macros from running, with Application Guard users do NOT get a compromised experience, meaning they can securely read, edit, print, and save those files without having to re-open them outside the “safe” container.

As I said at the start, this feature is off by default and needs to be enabled by an IT admin using a group policy or a CSP entry in your MDM. Details on how to enable Application Guard are provided by Microsoft here:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide


Cisco Live 2020: “To power an inclusive future for all”

The Cisco Live 2020 keynote yesterday (June 16 2020) followed the same theme as many of the other leading tech vendor events and focussed primarily on the current social and economic climate brought about by the global COVID19 pandemic, before touching on new Cisco Webex and Cisco SecureX features, which were the core focus of announcements on day 1.

Key Priorities Announced

“Possibilities” was the main theme of the keynote on Tuesday 16th June, in which Chuck Robbins summarised the current climate and demand on technology as the need to reimagine applications, secure data, transform traditional network and data centre infrastructure, and “empower” teams through technology, all being more important now than ever. This allowed Cisco to re-introduce and emphasise some of the new core features coming to their Webex and SecureX platforms.

Outside of this, most of the keynote didn’t focus on new announcements, but openly discussed the chaos that #Covid19 has thrown on the world, nicely introducing the keynote’s main theme – simply “Possibilities”.

“2020 has been a difficult and challenging year. We started out with a new decade with hope, and we never imagined that in June we would have experienced what we’ve experienced this year.” – Chuck Robbins, Cisco Live 2020

Chuck Robbins went on to talk about the COVID19 pandemic and the fundamental change to business, employees and how we work, combined with the urgency, rapid change in direction and crazy tasks that every organisation has been faced with in ensuring that technology, people and the business can function from home, which has of course been a challenge for many organisations globally.

“One of those big challenges included shifting office workers to a remote work style. This stark change, on top of all of the exterior issues, has taken a toll – both on the enterprise and individuals.” – Chuck Robbins, Cisco Live 2020

Additions to Webex and SecureX

Javed Khan, VP of collaboration at Cisco, was next on the virtual stage joined by Gee Rittenhouse, senior VP at Cisco, to discuss some of the new features being added to their WebEx and SecureX platforms.

Webex 

With so many people working from home now and for the foreseeable future due to #COVID19, video and web conferencing use has skyrocketed across all major platforms, namely Zoom, Microsoft Teams and of course WebEx.

By April 2020, Cisco said they were seeing more than 25 billion meeting minutes a month (up nearly threefold, which is three times the normal monthly average) and said that “We have the unique opportunity to use our collaboration technology and our amazing people to help power an inclusive future for all.”

We already know the future of Webex (currently in preview) will bring an enhanced experience leveraging what Cisco have called “Cognitive Collaboration” which will deliver insights about upcoming meetings, contacts as well as information about your day to reduce the need to keep flicking between Webex and Outlook.

New WebEx Preview interface

Next, Javed Khan formally announced the addition of the Webex Assistant, a personal digital assistant that can be used within the WebEx platform to enable hands-free operation and even in-meeting administration of WebEx meetings. With the Webex Assistant, users can “ask” Webex to record the meeting, take notes, and even send highlights to attendees when the meeting has finished.

Picture of Cisco WebEx Assistant

Built-in security was another focus of the WebEx improvements, with extended data loss prevention (DLP) retention and Legal Hold tools for chat and content, which are also coming to Webex Meetings. Cisco also announced an expansion of their end-to-end encryption, including AES 256-bit encryption in GCM mode for increased protection of meeting data and resistance against tampering. Security around meetings has of course been very top of mind for many, with Zoom having had their reputation dented over claims and fears of poor security across their platform.

Cisco also announced the Webex Desk Pro – an “AI powered” collaboration device that features a 27-inch 4K display, 71-degree HD camera and digital whiteboarding which looks like a cross between a Surface Studio and a Cisco EX device.

Picture of a Cisco WebEx Desk Pro

Cisco said that they would be “doubling down on AI” and that they would be adding even more intelligence into their contact centre solutions, converting customer support agents into “super agents” to ensure that they always have all the right information at their fingertips to allow them to solve customer issues faster than ever. Javed Khan said that the goal of the Cisco Contact Centre platform is to “improved customer satisfaction and improved customer loyalty.”

It’s also very apparent that Cisco are going to be dropping the “Webex Teams” name and moving to “Webex App” or simply back to just “Webex” as part of their next update. I think this is a good move as, to be honest, customers got confused when Webex Teams was shortened to just Teams, which, let’s face it, everyone assumed meant Microsoft Teams!

SecureX Update

From a security perspective, another huge focus for Cisco, Gee Rittenhouse talked about some of the new optimised features within SecureX, which he called “the most comprehensive cloud native platform in the industry.”

Gee Rittenhouse continued his explanation of the SecureX platform, stating that “In one place, you can see your entire environment, threats and incidents, and resolve policy changes.” 

Cisco SecureX dashboard

This was followed by a quick demo in which Cisco illustrated how Cisco SecureX customers could directly see all the possible security threats across their network through a single view/dashboard. The demo showed a “kill chain” explorer view whereby, upon clicking on a particular detected threat, the system generated a relationship graph so that the SecOps team can see everything related to that single threat, along with the ability to then block it across the organisation with just a couple of clicks. There is also some automation behind this allowing some auto-remediation, as you’d expect.

Cisco said they have a huge and growing number of integration partners, and are sharing intelligence and threat protection details with other leading security vendors including Microsoft, McAfee, and many others.

Summary

As you’d expect from Cisco – a huge focus on collaboration and security, which right now is top of mind as many organisations get ready for a quite different future, for the time being at least.

What did you think? Did you attend the conference? What were your key takeaways and what did I miss?


Revamped alert page now live in Microsoft Defender ATP

Microsoft have released a completely redesigned alert page in the Microsoft Defender Security Center (which is now in public preview).

The new Microsoft Defender ATP alert page is designed to help security admins more effectively triage, investigate, and take effective actions on alerts. Microsoft say that the changes to the page were guided by customer feedback on how to make the experience better and, as a result, the new page constructs a detailed alert story with full context, which provides the following:

  • Improved focus – at the forefront so that analysts have less clicks to get to relevant insights.
  • An investigation-oriented approach – alerts related to the same execution tree will appear on the same page, increasing efficiency, and awareness to the investigation scope.
  • Easier to take actions – with necessary actions built into the workflow, doing what you need just became that much faster.

New Defender ATP alert page

To learn more about the new Microsoft Defender ATP alert page, see the Microsoft Defender ATP alert page documentation.

Microsoft “Authenticator app” now lets users change their passwords directly from the app

The Microsoft Authenticator app on Android has been updated and now lets users change security information and passwords right from within the app. This update also lets users view recent sign-in activity, such as recent login attempts or changes to their account. This feature update brings the Android version up to date with the iOS version, which got this update back in May.

With the updated version, users can tap on the account name in the app, which then opens a full-screen page for that account’s settings. Here it provides the one-time passcode for second-factor authentication, along with other options such as changing the password, updating security information, reviewing recent activity, and removing the account from Authenticator should you wish.

These options are presented directly inside the app in a kind of in-line browser that lets users perform these actions without needing to switch to a browser or make these changes on the web. This works for corporate accounts as well as personal Microsoft accounts such as those with personal Microsoft 365 accounts.

Note: the account management options are not available to Azure AD accounts, as Microsoft want to empower IT admins to choose which options are made available to users from the Authenticator app.

Users can download the Microsoft Authenticator app for Android from the Google Play Store here.

Microsoft announces “Cloud for Healthcare” at #MSBuild2020

As Microsoft’s annual dev conference Build opened today (May 19 2020), Microsoft announced the launch of the Microsoft Cloud for Healthcare – a new Microsoft Industry Cloud solution.

Microsoft said that the solution aims to integrate Microsoft Cloud with an “industry-specific data model,” “cross-cloud connectors,” and APIs to better serve the global healthcare industry.

Global capabilities uniting the healthcare industry

The Microsoft Cloud for Healthcare will bring together capabilities from across Microsoft’s cloud services. This includes Microsoft 365, Dynamics 365, Power Platform and, of course, Azure. This will be powered by a common data model which will allow the sharing of data across various applications to provide better analytics. Microsoft say that this will allow health providers globally to provide better services for patients, clinicians and doctors by making it easier to deploy resources to the needs of all hospital and care units.

Cloud for Healthcare will focus on what Microsoft has identified as important needs for the field, like engaging patients, facilitating health team collaboration and improving operational efficiency, all with strict security measures.

Sample Health App powered services

Of course, an important component of healthcare is aftercare, where medical professionals need to keep in touch with their patients to follow up on their recovery and any post-op treatment. The tools available to do so are generally limited to follow-up phone calls and emails, which are not only tedious but can sometimes fail to meet security standards or provide the best care.

Microsoft’s Healthcare Bot Service will be available as part of this service, which Microsoft say is behind more than 1,500 instances of COVID-19-based bots that have gone live globally since March 2020. These bots can help alleviate the strain on public emergency hotlines and on health providers by addressing common questions that patients might have.

Availability

Microsoft has said that a public preview will be coming in the coming days and will be free for 6 months for evaluation, with general availability arriving late this calendar year.

Microsoft has also said that although the healthcare industry will be “first served” with the solution, more industry-specific cloud solutions will follow.

Thoughts..

What do you think.. Are industry-specific cloud solutions a good next step for Microsoft?

Microsoft’s made Azure Single Sign-On and MFA free*.

Microsoft have announced that any customer using a subscription to their commercial online services (Azure, Dynamics, Office 365 etc.) can connect all their cloud applications to Azure AD for single sign-on (SSO), and protect this access with multi-factor authentication (MFA) as a huge additional security benefit at no extra cost – other than the internal (or partner) resource to configure and test it. Using MFA alone is proven to reduce the attack surface and prevent over 99% of breaches caused by credential theft.

Using SSO reduces the number of sign-in prompts for employees, reduces the number of different user ID and password combinations needed and also enables one-click access to the most used line-of-business applications – and it should make working remotely even easier and more secure, since user access control can be made central and put under the protection and safeguard of Azure AD.

Microsoft has also added several other Azure AD enhancements which will help simplify identity and access management and improve the experiences for all those working remotely – these include the following:

  • Streamlined identity management
  • Improved application configuration and security for Azure AD SSO
  • Seamless and secure collaboration
  • Safeguard identities with industry-leading security
  • App gallery integration

“SMS sign in” for Microsoft Teams* now in public preview.

Another #MicrosoftTeams feature is rolling out (ok so it’s in public preview so pretty much rolled out).

This time it’s a feature aimed more at front line workers, in retail for example, who may only have a mobile phone to access their business apps.

Introducing SMS based user sign-in

With SMS based user sign-in, users can simply sign-in with their phone number and receive a code via SMS, which will then log them in (the number needs to be registered against them in Azure Active Directory).

How it works

Worth noting that this is just in preview and there are still some key features missing (a key one being that this doesn’t yet work with MFA… but it will).

As I mentioned in the introduction, SMS-based authentication lets users sign in without needing to provide, or even know, their username and password. After their account is created by an identity administrator, they can enter their phone number at the sign-in prompt and provide an authentication code that’s sent to them via text message. This authentication method simplifies access to applications and services, especially for front line workers.

Whilst this will work across Office 365, its primary aim is to help front line workers log in to Teams on a mobile device, as the illustration below shows.

Each user enabled for SMS sign-in must have one of the following Azure AD or Microsoft 365 licenses:

  • Azure AD Premium P1 or P2, or
  • Microsoft 365 F1 or F3

Current limitations

Microsoft have clearly detailed a number of limitations which will apply during the public preview, including:

  • SMS-based authentication isn’t currently compatible with Azure Multi-Factor Authentication.
  • With the exception of Teams, SMS-based authentication isn’t currently compatible with native Office applications.
  • SMS-based authentication isn’t recommended for B2B accounts.
  • Federated users won’t authenticate in the home tenant. They only authenticate in the cloud.

To learn more, and for instructions on how to activate and configure SMS sign-in, see the Microsoft supporting information here.

Other Azure AD Passwordless options.

For additional ways to sign in to Azure AD without a password, such as the Microsoft Authenticator App or FIDO2 security keys, you can review the Passwordless authentication options for Azure AD.

Microsoft says their Cloud Usage has jumped 775% due to COVID-19

Microsoft’s Azure Cloud and Office 365\Teams collaboration services have seen a significant, in fact colossal, spike in usage over the past week as companies globally continue to deal with an increase in remote workers due to the ongoing COVID-19 outbreak and lock downs that are being put in place to help control the infection rate and curb the impact on the world’s health services like our incredible NHS.

Microsoft said yesterday that in the last week it has seen a 775% increase in the use of its cloud services in regions where enforced social distancing and lock downs have been put in place such as here in the UK, most of Europe and many States in the US.

Microsoft Teams is seeing more than 900 million meeting and calling minutes per day.

Microsoft had previously stated just last week that they were prioritising traffic for critical front line and public services such as the NHS, as well as tuning and reprioritising services to cope with this unprecedented demand. This includes temporary limits on free offers (outside key workers and the NHS, for example) to prioritise capacity for existing customers, and the downgrading of video in Teams, for example, to help manage traffic. Microsoft has said that these limits are typically isolated to regions/locations that are seeing the most demand and that impacted customers can use alternative regions to get around some of the performance hits while they even out and scale out their services to handle the new demands.

Last week, Microsoft had some issues with adding new services to Azure in some regions, including the UK, which caused them to “drop below the typical 99.99% success rates.” This was caused by the huge surge in new Azure Virtual Desktop services being spun up as organisations looked to quickly enable remote desktop to facilitate home working after the UK mandated work from home as part of the UK Covid19 lockdown measures.

COVID-19 sees huge demand and growth

Microsoft said last week that Teams has “seen a very significant spike” in usage and counted more than 44 million daily users. This week new numbers have revealed that last week they also saw more than 900 million meeting and calling minutes per day.

Windows Virtual Desktop has also seen a 300% increase in the last week with hundreds of thousands of new Desktops being added globally.

It’s not just Microsoft though…

Microsoft of course isn’t the only Web conferencing provider seeing such growth. Other collaboration platforms including Cisco Webex and Zoom have seen similar surges in network traffic tied to the COVID-19 outbreak.

Cisco has also reported large growth and demand and said Webex traffic from China had increased by more than 2,000% since the outbreak began and that more than 30% of its enterprise customers have reached out for help getting their employees set up to work from home.

Since the start of the outbreak, Microsoft, Zoom and Cisco have made their platforms available for free to most businesses affected by COVID-19 and are having to work relentlessly to expand the capacity of their services to ensure as few disruptions as possible… All have had growing pains and, as the lockdowns continue globally, it probably won’t be the last time!

Protect yourself from COVID-19 themed “PHISHING” attacks

Microsoft sent out warnings last week about a rise in phishing attacks and scaremongering related to the coronavirus outbreak, with many cybercriminals playing on people’s fear in order to steal personal data.

Criminal groups have various ways to attack vulnerable people, including malware, but Microsoft have emphasised that “91 percent of all cyberattacks start with email” and almost all are aimed at tricking their targets into handing over their credentials.

Microsoft has a robust set of security and protection services designed to detect and block malicious emails, links and attachments, with Outlook.com, Office 365, Office 365 ATP, Microsoft Exchange and Microsoft Defender all working together to protect users. These services leverage advanced machine learning, heuristics and anomaly analysers to detect malicious behaviour in email, to try to prevent these messages landing in user mailboxes and to protect users should a message get through and they click on the links.

Unfortunately, technology alone will never be 100% foolproof, therefore it’s important for users and for IT to ensure the latest security updates are deployed, that services are enabled (a staggering number of organisations have services like Office 365 Advanced Threat Protection, for example, but don’t use them) and that advanced anti-malware and endpoint protection services, such as Microsoft Defender, are in use.

MFA is Critical to Identity Protection

If you don’t use multi-factor authentication (MFA) on all of your personal and business Office 365 (and other mail products like Gmail etc.), I’d strongly suggest you enable it and use Microsoft’s Authenticator to protect you.

Combined with Password Self Reset and Risk Based Conditional Access, MFA can detect and prevent over 99% of phishing attacks by protecting user identities, since logins are protected by an additional authentication step (just like you need to access your online banking).

Education is still key

It’s still important for users to be vigilant and to educate themselves around what to look for.

Bad spelling and grammar, suspicious links and attachments, and emails that look too good to be true should always raise your suspicions… Even with the extensive protection, if you are suspicious about an email, never click on links or open any attachments, especially those with weird double file extensions such as “pdf.exe” or “txt.hta”.

Cybercriminals (especially now) use urgency and fear as an attack vector. Microsoft warns users about the current trends, which should always trigger an alarm:

  • Threats. These types of emails cause a sense of panic or pressure to get you to respond quickly. For example, they may include a statement like “You must respond by end of day,” or say that you might face financial penalties if you don’t respond.
  • Spoofing. Spoofing emails appear to be connected to legitimate websites or to come from your boss or medical insurer, but take you to phony (often legitimate-looking) scam sites or display legitimate-looking pop-up windows. Always check the website and the URL.
  • Altered web addresses. A form of spoofing where web addresses closely resemble the names of well-known companies but are slightly altered; for example, “www.micorsoft.com” or “www.mircosoft.com”.
  • Incorrect spelling or salutation of your name.
  • Mismatches. The link text and the URL are different from one another; or the sender’s name, signature and URL are different.
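As an added illustration (not part of Microsoft’s guidance or of this post), here is a small PowerShell check for the “Altered web addresses” and “Mismatches” indicators above, run over a constructed HTML mail body; the brand list and the sample message are made up for the example.

```powershell
# Added example: flag links whose visible text names a different host than the
# href ("Mismatches") and hosts that are a couple of typos away from a known
# brand ("Altered web addresses"). Brand list and sample mail are constructed.

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance with a rolling row; enough to catch "micorsoft".
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = New-Object int[] ($B.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($curr[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

function Get-SuspiciousLinks {
    param([string]$HtmlBody, [string[]]$KnownBrands)
    $findings = @()
    # Crude anchor matcher; fine for simple mail bodies, not a full HTML parser.
    $anchor = '<a\s+[^>]*href\s*=\s*"(?<href>[^"]+)"[^>]*>(?<text>.*?)</a>'
    foreach ($m in [regex]::Matches($HtmlBody, $anchor, 'IgnoreCase, Singleline')) {
        $href = $m.Groups['href'].Value
        $text = ($m.Groups['text'].Value -replace '<[^>]+>', '').Trim()
        try { $hrefHost = ([uri]$href).Host.ToLowerInvariant() } catch { continue }
        if (-not $hrefHost) { continue }   # relative links have no host to check

        # Mismatch: the visible text looks like a URL or host but the link goes elsewhere.
        if ($text -match '^(https?://)?(?<host>[a-z0-9.-]+\.[a-z]{2,})') {
            $textHost = $Matches['host'].ToLowerInvariant()
            if ($textHost -ne $hrefHost -and -not $hrefHost.EndsWith(".$textHost")) {
                $findings += "Mismatch: text shows '$textHost' but the link goes to '$hrefHost'"
            }
        }

        # Altered address: second-level label is within two edits of a brand but is not the brand.
        # (Naive split: 'example.co.uk' would yield 'co'; good enough for the illustration.)
        $labels = $hrefHost -split '\.'
        if ($labels.Count -ge 2) {
            $base = $labels[-2]
            foreach ($brand in $KnownBrands) {
                $d = Get-EditDistance $base $brand
                if ($d -ge 1 -and $d -le 2) {
                    $findings += "Altered address: '$hrefHost' is $d edit(s) from '$brand'"
                }
            }
        }
    }
    return $findings
}

# Constructed sample mail body: first link shows one host but points at a look-alike.
$sampleMail = @"
<p>Dear Customer, your account will be suspended by end of day.</p>
<p>Verify now: <a href="http://www.micorsoft.com/login">https://login.microsoft.com</a></p>
<p>Help: <a href="https://www.microsoft.com/support">our support page</a></p>
"@

Get-SuspiciousLinks -HtmlBody $sampleMail -KnownBrands @('microsoft', 'office', 'paypal')
```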

What do I do if I get a suspicious link?

If you think you have encountered a suspicious email or website, speak to your IT team. Microsoft also recommends using the built-in tools in Outlook on the web, in the desktop Outlook app and in the Outlook mobile app to report suspicious messages.

If you’re using Microsoft Edge, you can also report suspicious sites by clicking the More (…) icon > Send feedback > Report Unsafe site.

Final word

“While bad actors are attempting to capitalize on the COVID-19 crisis, they are using the same tactics they always do. You should be especially vigilant now to take steps to protect yourself,” the company said today. You can learn more about Microsoft’s recommendations on their Security blog.

What Microsoft announced at the 2020 RSA Conference.

The annual RSA Conference brings together 50,000 cybersecurity professionals to connect with peers from around the world to uncover new and better ways to keep the digital world safe. Most of the leading security vendors are there, as you’d expect. As is becoming the annual norm, Microsoft used this opportunity to bring more exciting announcements around its ever-expanding offerings and capabilities in security.

Insider Risk Management

Insider Risk Management which has been in preview for a couple of months is now widely available.

The world we work in today, with Internet everywhere, multiple devices being carried by employees and a work-from-anywhere culture, means corporate data is likely to be stored or accessed on laptops, tablets, phones and even watches. Where blocking access is not an option, IT need ways to identify, take action on and prevent insider risks to keep their business data safe.

New Insider Risk Management in Microsoft365

Insider Risk Management (part of Microsoft 365) helps tackle this challenge by gathering signals from across Microsoft 365 and other third-party systems, and then leverages the Intelligent Security Graph and machine learning to identify anomalies in user behaviour and flag high-risk activities, enabling businesses to more effectively protect and govern their data.

Communication Compliance

Communication Compliance, which extends the existing compliance services within Microsoft 365, can be tuned to leverage machine learning to quickly identify and take action on code-of-conduct policy violations across all company communication channels. This has also just been generally released.

Microsoft Threat Protection

Over the past year Microsoft has been busy consolidating and harmonising all the various threat protection services and standardising the signalling, risk profiles and events. In a world where multiple vendor solutions are no longer the recommended approach to providing end-to-end security, Microsoft Threat Protection helps simplify while strengthening protection for the enterprise.

Traditionally, security and IT teams have an endless list of alerts coming in from multiple monitoring systems and across their network, cloud, data centre and devices, making it almost impossible to link those at speed, recognise an attack, prioritise, and act quickly on the most critical threats or risks.

The unification of Microsoft’s Threat Protection services means that security/IT teams can now get a correlated, incident-level view of threats rather than having to manage and investigate multiple individual alerts from multiple systems.

The key capabilities in Microsoft Threat Protection include:

  • Investigating threats, automatically (or semi automatically) responding to them, and restoring affected assets to a secured state automatically, while simplifying hunting across the landscape for other signs of attack.
  • Self-healing compromised user identities, endpoints, and mailboxes, allowing security and IT teams to spend more time focussing on projects and policies by using AI and ML to automate remediation.
  • Sharing critical threat insights in real time to help stop the progression of an attack.
  • Azure Sentinel enhancements which are covered below.

Updates to Azure Sentinel

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) solution which allows businesses of any size to keep pace with the exponential growth in security data, improve security outcomes, and reduce hardware and operational costs.

New enhancements have been announced this week at RSA in San Francisco, designed to deliver instant value and increased efficiency for security operations teams. These include:

  • New community rewards (bounty program) for contributions to develop dashboards, orchestration, playbooks etc
  • New developer guides and APIs along with GitHub code and data collections
  • Ability to import AWS CloudTrail logs at no cost until June 2020
  • New security campaign views which gives security teams an all-encompassing view of email attack campaigns targeted at their organisation
  • New connectors for easier data collection from a wider range of security appliances and services

Security Campaign Views

Campaign views and compromise detection and response have also been made generally available following a short preview.

This feature gives security teams an all-encompassing view of email attack campaigns targeted at their organisation, along with making it easy to spot vulnerable users or configuration issues that enabled the attack or breach to succeed in the first place.

Early detection and response to compromised users is critical to ensuring that attacks are detected and actioned/remediated as early as possible, so that the impact of a breach is minimised.

New Security Awareness Training

Through a partnership with Terranova, a market leader in computer-based training, Microsoft will be including Terranova’s entire phishing-related training set for free for organisations that use or are licensed for Office 365 Advanced Threat Protection Plan 2 (including in Microsoft 365 E5).

This security awareness training, coupled with Microsoft security solutions and risk analytics, will enable and extend Office 365 Advanced Threat Protection to provide a complete solution, encompassing customised user learning paths that enable IT and your compliance teams to create governance around organisational risk and maintain a stronger security posture.

Exchange Online unlimited archiving… What you need to know.

I talk to a lot of customers about Exchange Online and about the need and desire to use 3rd party add-on services like backup, DLP, threat protection and archiving.

Many don’t realise, or are not up to date on, the continuous updates and improvements to Exchange Online in particular, and its unlimited archive feature is just one of the services that could help you save costs and simplify your management. That’s not to say there is never a need for 3rd party complementary services (there is sometimes a use case), but I wanted to highlight the power and extent of this archive feature.

What is “unlimited archiving”?

Exchange Online Archiving is an enterprise-class service that assists these organizations with their archiving, compliance, regulatory, and e-discovery challenges while simplifying their on-premises infrastructure, thereby saving costs and easing the IT management overhead. (source:Microsoft)

In Exchange Online, Microsoft provides archive mailboxes which provide users with additional mailbox storage space. Once a user’s archive mailbox is enabled (it’s not on by default), up to 100 GB of additional storage is made available automatically.

Previously, whilst this feature did exist, it was quite hidden away and the only way to activate it was to contact Microsoft and request additional storage space for an archive mailbox. This is no longer required and the process is fully automated (if enabled).

This “unlimited archiving” feature, called auto-expanding archiving, provides additional storage in archive mailboxes once the storage quota in the primary archive mailbox is reached. Exchange Online then automatically increases the size of the archive, meaning users won’t run out of mailbox storage space and Exchange admins don’t need to trawl through storage alerts, respond to help desk requests or contact Microsoft to request additional storage for archive mailboxes.

How auto-expanding archiving works

Once enabled, Exchange Online periodically checks the size of the user’s archive mailbox. When an archive mailbox gets close to its storage limit, it automatically creates additional storage space for the archive. Should this space also run out (now that’s a lot of mail), more space is automatically added to the user’s mail archive, meaning no additional management of the archive is needed. Here’s how it works.

Image from docs.microsoft.com
  1. Archiving is enabled for a user mailbox or a shared mailbox. An archive mailbox with 100 GB of storage space is created, and the warning quota for the archive mailbox is set to 90 GB.
  2. Exchange Online admin enables auto-expanding archiving for the mailbox.
  3. When the archive mailbox (including the Recoverable Items folder) reaches 90 GB, it’s converted to an auto-expanding archive, and extra storage space is added to the archive.
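The three steps above as an added example (not from this post or Microsoft’s documentation), run from an Exchange Online PowerShell session; it assumes the ExchangeOnlineManagement module is installed and uses a placeholder mailbox address.

```powershell
# Added example: enable an archive, turn on auto-expanding archiving for it,
# and check the quotas described in the steps above. Address is a placeholder.
Connect-ExchangeOnline

$mailbox = 'alex@contoso.example'   # placeholder mailbox

# Step 1: enable the archive mailbox. The service sets the 100 GB quota and
# the 90 GB warning quota itself; they are not parameters you choose here.
Enable-Mailbox -Identity $mailbox -Archive

# Step 2: enable auto-expanding archiving for just this mailbox.
# Set-OrganizationConfig -AutoExpandingArchive would turn it on for every
# mailbox in the tenant instead. Caveat: once enabled it cannot be turned off.
Enable-Mailbox -Identity $mailbox -AutoExpandingArchive

# Check the result: AutoExpandingArchiveEnabled should be True and the quotas
# should show the 100 GB / 90 GB values from the steps above.
Get-Mailbox -Identity $mailbox |
    Format-List ArchiveStatus, ArchiveQuota, ArchiveWarningQuota, AutoExpandingArchiveEnabled

# Step 3 needs no admin action: it happens when the archive (including
# Recoverable Items) reaches 90 GB. Watch the archive size with:
Get-MailboxStatistics -Identity $mailbox -Archive |
    Format-List DisplayName, TotalItemSize, TotalDeletedItemSize

# Once expanded, the extra storage shows up as subfolders named
# "<folder>_yyyy (Created on ...)" under the original folder; list them with:
Get-MailboxFolderStatistics -Identity $mailbox -Archive |
    Where-Object { $_.Name -match '_\d{4} \(Created on ' } |
    Select-Object Name, FolderPath, ItemsInFolder
```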

What gets moved to the archive storage space?

The process is fully automatic. In order to make efficient use of auto-expanding archive storage, folders may get moved as part of the archive move.

What items and folders are moved is determined by Exchange Online whenever additional storage is added to the archive. Sometimes when a folder is moved, one or more subfolders are automatically created and items from the original folder are distributed to these folders to facilitate the moving process.

When viewing the archive portion of the folder list in Outlook or Outlook Online, these subfolders are displayed under the original folder.

The naming convention used to name these subfolders is <folder name>_yyyy (Created on mmm dd, yyyy h_mm), where:

  • yyyy is the year the messages in the folder were received.
  • mmm dd, yyyy h_mm is the date and time that the subfolder was created by Office 365, based on the user’s time zone and regional settings in Outlook.

What about Compliance and Data Governance?

eDiscovery: if your organisation uses Office 365 eDiscovery, such as Content Search or In-Place eDiscovery, the additional storage areas in an auto-expanded archive are also searched.

Retention: When a mailbox is placed “on hold” by using tools such as Litigation Hold in Exchange Online, or by eDiscovery case holds and retention policies in the Office 365 Security & Compliance Center, content located in an auto-expanded archive is also placed on hold.

Messaging records management (MRM): If you use MRM deletion policies in Exchange Online to permanently delete expired mailbox items, expired items located in the auto-expanded archive will also be deleted.

PST Import service: You can use the Office 365 Import service to import PST files to a user’s auto-expanded archive, up to 100 GB of data.

Common Questions

Can I access my archive at any time, or does it need IT input? You can access any folder in the archive mailbox, including ones that were moved to the auto-expanded storage area.

What about search? Can I search items in the archive? Yep.. But the search process is a little different. You can search for items that were moved to these additional storage areas, but only by searching the folder itself. If the archive folder contains subfolders, you have to search each subfolder separately. This is due to performance and speed, since the archive folders are stored on lower-tier disks within Exchange Online (well, it is an archive).

Can I delete items from the mail archive? Yes, you can delete items in a subfolder that points to an auto-expanded storage area, but the folder itself cannot be deleted manually.

Interested to hear how other archiving services compare with Exchange Online Archiving, and whether you still see the need for 3rd parties…?

From Zero to cyber-security Hero. How Microsoft became a Leader in Security.

Microsoft Security. Now a Leader in 5 Gartner Magic Quadrants

Whatever you may have once thought about Microsoft and security (I remember the days when security engineers would say that it’s due to the number of security holes in Microsoft that they have a job), Microsoft is now a global leader in cybersecurity, investing more than $1b annually in security R&D and processing more than 6.5 trillion security and threat signals per day to protect organisations and further enhance and develop their platform and their customers’ businesses.

Gartner has now named Microsoft Security a Leader in five Magic Quadrants, which clearly demonstrates the breadth and depth of their security portfolio and the depth of integration across their platforms. The Leader awards include…

  • Cloud Access Security Broker (CASB)
  • Access Management
  • Enterprise Information Archiving
  • Unified Endpoint Management (UEM)
  • Endpoint Protection Platforms

Gartner places vendors as Leaders who are able to demonstrate balanced progress and effort in all execution and vision categories. This means that Leaders not only have the people and capabilities to deliver strong solutions today, they also understand the market and have a strategy for meeting customer needs in the future.

Given this, Microsoft Security doesn’t just deliver strong security products in five crucial security areas; as you look across the Microsoft 365, Azure and Dynamics platforms, and also across customers’ on-premises and 3rd party cloud environments, they are able to provide a comprehensive set of security solutions that are built to work together, from identity and access management to threat protection to information protection and cloud security.

Their services integrate easily and share intelligence from the 6.5 trillion signals generated daily on the Microsoft Intelligent Security Graph. Customers that are bought in to the wider Microsoft Security approach can monitor and safeguard identity, devices, applications and data across their end-to-end infrastructure and cloud solutions, whether that is Microsoft Azure, Amazon Web Services, Slack, SAP, Citrix, Oracle, Salesforce, Google or many, many others.

The key to this is their ability (like few others) to unify their security tools, bringing end-to-end visibility into their customers’ entire environment, all drawn together with their new SIEM platform, Azure Sentinel.

Where are the gaps?

There are some… Some of the main ones I see are around:

1. Web security and DNS security: the kind of stuff Cisco does really well with Umbrella, for example.

2. Network and LAN segmentation. This is possible in Azure, but other than some relatively “old” Network Access Control services in Windows Server, this is also an area Microsoft don’t really play in.

3. Industry-specific scenarios where long (99 year or so) retention policies and archiving are required. These are areas where solutions like Proofpoint do really well in my experience.

What others do you see? Interested in your views and comments..

How Microsoft is further advancing its Unified Threat Protection

Microsoft Threat Protection now unifies your incident response process by integrating key capabilities across Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP which is powered by the #IntelligentSecurityGraph processing and responding to over 6.5 Trillion threat signals per day!

Learn more about the Intelligent Security Graph

This is just the latest in an ongoing list of updates and features being rolled out across Microsoft 365 and Azure to protect organisations on premises and cloud environment and is a result of their $1billion investment in security each year.

If you have Microsoft 365 E5 you can take a sneak peek at the new public preview (you need to be an admin or security admin, of course)!

This unified experience now adds powerful new features that can be accessed from the Microsoft 365 security Centre #intelligentsecurity #microsoft365

Microsoft is now top right in the Gartner Magic Quadrant in 6 areas, including Cloud Access Security Broker, Unified Endpoint Management, information protection, data archiving and endpoint threat protection.

You can try it out today.. https://security.microsoft.com/hunting

There’s a myth that #Microsoft doesn’t “do” #security… Think again..

The myth that Microsoft isn’t a security vendor continues… led mainly by the traditional security appliance vendors and organisations that are still predominantly on premises and therefore defend their data centre and office perimeters with traditional security blockers.. (sorry, that was a bit of a generalist statement and not meant to offend)!

In reality, nothing could be further from the truth. With more than a billion dollars invested in security each year (excluding acquisitions), Microsoft has been recognised as a leader in multiple security-related Gartner Magic Quadrants, the Forrester Wave for Endpoint Security, and by independent AV testing firms such as AV-TEST, AV-Comparatives and SE Labs in 2019 alone.

Security is built in across everything Microsoft designs, deploys and makes available, and I’m proud to work for and lead a certified and accredited partner in this space with Gold in the Enterprise Mobility and Security competencies.

Check out the latest reports:

Take the time to read the reports and I’d love to hear your experiences thoughts and views on where you think Microsoft has its biggest gaps in this space.

Finally, there are some new announcements this week at Ignite, so be sure to check these out.. The latest today is the announcement of #safedocuments, which adds ATP-type protection to Office desktop apps. Rolling out over the next couple of months, when a user wants to consider a document “trusted”, Safe Documents will automatically check the file against the ATP threat cloud before it releases the document.

Thanks for reading and have a good day..
Rob

Did you know there’s a “Business” version of the Surface Pro X?

With all the news and media about Surface Pro X, it’s easy to miss that Microsoft have also released a dedicated business version called… well, Surface Pro X for Business, which has one core feature aimed at business rather than the consumer.

What’s the Difference

On the surface (ok dad joke) the business version isn’t much different from the consumer version. It’s the same spec, same processor, same pen and battery etc, but where it differs is in its security, which is unique to the new Surface business line up in this latest generation.

The Surface Pro X for Business is what Microsoft are calling a “Secured-core PC.”

What’s a Secured-core PC?

In short, this new technology is powered by Windows Defender System Guard and protects the Surface Pro X from firmware hacking such as LoJax.

With Secured-core, your organisation can now prevent hackers from tampering with or altering the UEFI (or BIOS), which in the future I think will be a prerequisite for IoT-type devices as well as business devices of all types.

There are 3 levels of protection provided by Secured-Core which make the Surface Pro X ultra secure and essentially shields Windows 10 from attacks and unauthorised access which target the device before Windows has booted or during shutdown.

  • Firmware attacks
  • Kernel attacks and
  • System integrity attacks

Who’s Secured-core ideal for?

Microsoft claim that the target market is people who work in the most data-sensitive industries such as government, financial services and healthcare, but really this is suited to any organisation that is ultra concerned with security.

Just Surface?

No… This is by no means limited to just Microsoft devices. Lenovo, Panasonic, Dynabook, Dell, HP etc. are all behind this new approach.

Find out more

  • Microsoft have published the following information about Secured-core here
  • Thurrott have published this information
  • Computing have this to say

What do you think about Secured-core? Needed? Or overkill?

Another critical step to preventing Identity and Information Theft…

One of my earlier posts talked about how enabling Multi-Factor Authentication across your organisation can dramatically reduce your risk of attack/breach or data theft by Identity Compromise however after reading some of the comments and talking to some other IT admins and CSOs, I felt this needed a Part #2.

According to Symantec, 91% of all Cyber Attacks start with a spear phishing email  

Protecting Corporate Email

It’s fair to say that “most” organisations who use Microsoft Exchange Online for their corporate email services use some form of additional security or protection….

Exchange Online Protection

Microsoft provides Exchange Online Protection (EOP) as a standard service with Exchange which essentially is an anti-spam and antivirus service.

Every and any mail security company, Symantec, Proofpoint, Mimecast, you name it, will heavily criticise Microsoft for its “lack” of protection against modern and zero-day threats, and to be honest they are quite right too. But what many people aren’t aware of (and I don’t think Microsoft shout about it loud enough) is that they have some pretty good advanced services you can enable (or buy). Any security officer will tell you that the key to security is defence in depth, and there isn’t a single “master of all” platform or vendor out there that can protect an organisation from attack, regardless of what form it comes in.

Having multiple defences (not necessarily multiple vendors) in place helps because if spam sneaks by the first line, it might be stopped by the second. 

As you’d expect, there are many 3rd party products and services available that complement the standard Exchange Online Protection services, including Proofpoint, Symantec, Mimecast etc., but if your organisation uses Microsoft Exchange Online then, depending on your licensing level, you have some pretty impressive advanced security features which, to be honest, you should be using, especially if you don’t use any 3rd party bolt-ons. This is Office 365 ATP (note that it’s not specifically focused on Exchange).

Hello Office 365 ATP

Microsoft Office 365 Advanced Threat Protection (ATP), which is part of Office 365 E5 (or an add-on), builds on Microsoft EOP and provides two key features aimed at protecting users from phishing attacks, malicious attachments and other advanced threat vectors which typically target users by getting them to click something, fill something in or download something. Again, according to Symantec, 1 in 4 people will click a link in an email without checking the message header or checking it is from who they think it is.

Of course Microsoft claim Office ATP is the best line of defence for their Office 365 customers. As you’d expect, Third-party mail hygiene services beg to differ and say that their solutions offer better protection. Either way, you’re better protected when EOP is not the only line of defence.

So what does Office ATP include?

Office ATP delivers two key security enhancements for Exchange (and Office 365 in general) including ATP Safe Attachments and ATP Safe Links, both features designed to prevent or stop malicious content arriving in user mailboxes and indeed across the other key Office 365 services.

ATP Safe Attachments

The concept behind ATP Safe Attachments is fairly simple: it is designed to protect users against emails that may contain malicious attachments. It does this by intercepting all emails before they hit the user’s inbox and essentially detonating each attachment to make sure it’s safe. ATP Safe Attachments also stops infections caused by malware being uploaded to SharePoint Online and OneDrive for Business sites, including the SharePoint Online sites used by Microsoft Teams (which is enough for Microsoft to claim ATP support for Teams).

There are a couple of configuration options around how Safe Attachments works which are mainly designed to control how attachments get delivered to users.

The options are relatively self explanatory. For avoidance of doubt, I’d strongly recommend using Dynamic Delivery, which means all users receive their email messages (at first) without the attachments (well, they get a place-holder) while those attachments are being scanned by Microsoft to check they are safe.

Safe Attachments doesn’t generally take long to process attachments, and in my experience the delay is usually less than 30 seconds (though that can feel like ages if you are waiting for the scan to complete in order to open your attachment, especially if it’s a sales PO!).

ATP Safe Links

ATP Safe Links, as the name implies, provides “click-time” URL protection to block malicious links by analysing them at arrival time and also each and every time the user clicks on the link, to protect against spear phishing attacks that weaponise a link after an email is delivered.

While links are being checked, users are prevented from getting to the sites. Yes, this can delay mail recipients from being able to get to information, but given the number of bad sites that exist on the internet (and that more than 91% of phishing attacks originate from email), this is a fair compromise, even if users are sometimes frustrated when they can’t immediately reach a site because of a blocked link.

A newish feature in the ATP Safe Links policy allows Office 365 administrators to “delay message delivery” until all links in an email message are scanned (see below). This seems to be “off” by default but is definitely one I think should be enabled. 

Configuring Wait for URL Scanning in an ATP Safe Links policy
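As an added example (not from this post or Microsoft’s documentation), the Dynamic Delivery and “delay message delivery” recommendations above expressed as Safe Attachments and Safe Links policies from an Exchange Online PowerShell session; parameter names are those of the current ExchangeOnlineManagement module, and ‘contoso.example’ is a placeholder recipient domain.

```powershell
# Added example: Safe Attachments with Dynamic Delivery, Safe Links that wait
# for URL scanning before delivery, scoped to one (placeholder) domain.
Connect-ExchangeOnline

$domain = 'contoso.example'   # placeholder recipient domain

# Safe Attachments: Dynamic Delivery sends the message with a placeholder
# attachment while the real file is detonated, then swaps it in if clean.
New-SafeAttachmentPolicy -Name 'Dynamic Delivery' -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name 'Dynamic Delivery' -SafeAttachmentPolicy 'Dynamic Delivery' `
    -RecipientDomainIs $domain

# Extend attachment scanning to SharePoint Online, OneDrive and Teams files.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links: rewrite and check URLs at click time, and hold delivery until the
# arrival-time scan has finished (the "wait for URL scanning" option above).
New-SafeLinksPolicy -Name 'Click-time protection' -EnableSafeLinksForEmail $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true
New-SafeLinksRule -Name 'Click-time protection' -SafeLinksPolicy 'Click-time protection' `
    -RecipientDomainIs $domain

# Confirm the settings took effect.
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action
Get-SafeLinksPolicy | Format-List Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan
```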

What are my other Options?

I’m not going to go into the pros and cons of the other services in this blog (the 3rd party vendors will do this), but depending on your licensing level, your need or desire to use multiple vendors for security, or a wish to standardise your security products across other key strategic vendors, you may choose to explore them. Which is best? It’s hard to say, but if you have nothing, I’d start with Office ATP as it’s most likely included within your licensing plan (and if not, it’s easy to set up a trial with your partner).

Summary

Microsoft and also many 3rd parties provide Advanced Threat Protection services across Exchange Online. At the time of writing, however, Microsoft are the only vendor that extends these services across other Office 365 services, including SharePoint Online, OneDrive for Business and therefore Teams.

How to quickly prevent 99.9% of attacks on your users’ accounts

Cyber-attacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology.

For even the largest, most security-conscious company, all it takes is one compromised credential or one legacy application to cause a data breach.

This underscores how critical it is to ensure password security and strong authentication across your organisation, and whilst there are many, many solutions out there that can protect networks, applications and data, there is one simple thing that organisations can do, regardless of size and sector, that can have a significant impact on protecting against cyber-attacks and breaches through compromised credentials.

Where are organisations most vulnerable?

According to a recent report from the SANS Software Security Institute, the most common vulnerabilities include:

  • Corporate email compromise: Where an attacker (often called a bad actor) gains access to a corporate email account, such as through a phishing or spoofing attack (emails that look like they are from IT or a trusted source that get users to “hand over” their logon credentials), and uses it to exploit the system and steal data or compromise your business. Accounts that are protected with only a user ID and password are easy targets.
  • Legacy protocols: Old email clients and many “stock smartphone email clients” can create a major vulnerability, since applications that use these old basic protocols, such as SMTP, were not designed to leverage or use modern security technologies such as Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, if legacy protocols are enabled, attackers will search for opportunities to use outdated browsers or email applications to force the use of less secure protocols.
  • Password reuse: This is where attacks such as “password spray” and “credential stuffing” come into play. Common passwords and credentials compromised by attackers in public breaches are used against corporate accounts to try to gain access. It is considered that more than 70% of passwords are duplicates also used on other public sites such as shopping or consumer sites; this has been a successful strategy for many attackers for years and it’s easy to do. Most users re-use passwords because many believe that complex passwords (a mix of letters, numbers and symbols) make passwords and accounts secure, but it can actually have the opposite effect, since complex passwords are more likely to be re-used.

What you can do to protect your company

There are loads of simple steps that can and should be undertaken to provide some basic account and security hygiene.

Administrators can quickly help prevent many of these attacks by banning the use of bad passwords (Azure AD can do this natively), blocking legacy authentication, and through basic awareness training for staff on how to spot common phishing attacks.

Whilst all this will help, by far the most effective step you can take as a business is to turn on and require Multi-Factor Authentication (MFA). This extra layer of user account protection creates a very effective barrier that makes it incredibly difficult for attackers to log on or use stolen/compromised credentials, even if a user “hands them over” as a result of a successful phishing attack.

Simply put, MFA can block over 99.9% of account compromise attacks. With MFA, knowing or cracking the password isn’t enough to gain access, since the user will be challenged to enter a code, respond to a text sent to their phone or approve the logon via an app on a device they have in their possession. To learn more, read Your Pa$$word doesn’t matter.

MFA is easy to enable and use

According to the SANS Software Security Institute, there are two primary obstacles to adopting MFA today:

  • Misconception that MFA requires external hardware devices.
  • Concern about potential user disruption or concern over what may break.

When we have these kinds of conversations with customers, the second point is usually the most common: “the owner won’t like it” or “what if it stops person X from logging on and they can’t talk to IT?”

No banking app allows its customers to access its services these days without some form of MFA, and we all simply accept this (as we have to), so why should accessing your company’s data be any different?

Depending on your organisation’s choice of MFA technology and the level of licensing in place, MFA can be used in conjunction with Risk-Based Conditional Access, a feature included within Azure Active Directory.

Risk Based Conditional Access

Risk-Based Conditional Access is essentially adaptive authentication: it looks at a number of different risk factors to determine what a user may access and how. In the MFA example, RBCA can be configured not to require MFA when a user is on a corporate device in the office, but to enforce it whenever users are remote or on a non-corporate or non-encrypted device.

Need some help? The organisation I work for, @cisilion, can help – get in touch via Twitter or visit our website.


Note: Aspects of this information are taken from a blog by Melanie Maynes | Senior Product Marketing Manager | Microsoft Security


Why you should be using Azure Identity Protection

Why?

The move from traditional on-premises IT solutions to cloud services has seen a dramatic change in the way that systems are managed and controlled. Access to services from any location and using any device means that a lot of the traditional management methods are no longer feasible.

Identity (not the firewall) is the modern control plane. Your user identity (and however it is protected) is typically the key to your applications, devices and data within the modern workplace, so keeping it safe should be paramount.

The UK National Security Agency, and indeed any reputable security company or agency, will advise you not to use the same password in multiple places, to make it complex, and not to make it simple like Password123 or Companyname2019, for example.

What is Azure Identity Protection?

As long as your organisation uses Microsoft Azure AD – which it will if you use Office 365 – and has Azure AD Premium P1 or P2, Microsoft provides a nifty service (known as Azure Active Directory Identity Protection) that can go a long way in helping organisations guarantee that their users follow industry (and your own) security guidance and that they aren’t using common passwords or passwords known to be included in recent data breaches.

In addition to the automatic protection provided by Microsoft’s Threat Intelligence, Azure Identity Protection also allows you to manually specify up to 1,000 custom passwords. I’d strongly recommend adding the top 1,000 common passwords list, which is available on GitHub, as a starter, and then adding your own organisation’s name and any common terms used in your company or industry to the list.

If you haven’t used the service before, you can run it in “Audit” mode to review the number of “hits” against the new policy before enforcing it. Once enforced, whenever any user tries to set or reset their password, the password is “scored” based on a combination of risks, including use of known common/custom passwords or known breached credentials.

How are passwords evaluated?

Whenever a user changes or resets their password, the new password is checked for strength and complexity by validating it against both the global banned password list and the custom banned password list (if the latter is configured).

Even if a user’s password contains a banned password, it may still be accepted if the overall password is strong enough otherwise. A newly configured password goes through the following steps to assess its overall strength and determine whether it should be accepted or rejected.

A password reset attempt that scores poorly will be rejected, and the user will receive an error message similar to the one below:

“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”
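To make the “scoring” idea concrete, here is a simplified banned-password checker written for this post (it is not Microsoft’s code). It follows the documented shape of the evaluation as I understand it: normalise the password, match it against the global and custom banned lists, then score it, with one point per banned word found and one point per remaining character, accepting at five points or more. The substitution table, the banned lists and the threshold are constructed assumptions for illustration; fuzzy (one-character-off) matching is left out.

```python
from typing import List, Tuple

# Constructed subset of common character substitutions undone during
# normalisation, so that "P@$$w0rd" is evaluated as "password".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "$": "s", "@": "a"})

# Constructed sample lists. A real deployment uses Microsoft's global list
# plus up to 1,000 custom terms (organisation name, industry jargon, ...).
GLOBAL_BANNED = ["password", "letmein", "welcome", "qwerty"]
CUSTOM_BANNED = ["contoso", "widgets"]

MIN_SCORE = 5  # assumed acceptance threshold, as documented by Microsoft

# The rejection text quoted in the post above.
REJECTION_MESSAGE = (
    "Unfortunately, your password contains a word, phrase, or pattern that "
    "makes your password easily guessable. Please try again with a different password."
)


def normalise(password: str) -> str:
    """Lowercase the password and undo common look-alike substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str) -> Tuple[int, List[str]]:
    """Return (score, banned words found).

    Longest banned words are removed first so that a long custom term is not
    split by a shorter global one. Each match is worth one point, and every
    character left after all matches are stripped is worth one point.
    """
    remaining = normalise(password)
    matched: List[str] = []
    for word in sorted(GLOBAL_BANNED + CUSTOM_BANNED, key=len, reverse=True):
        while word in remaining:
            matched.append(word)
            remaining = remaining.replace(word, "", 1)
    return len(matched) + len(remaining), matched


def evaluate(password: str) -> str:
    """Return an empty string if the password is accepted, else the rejection message."""
    score, _ = score_password(password)
    return "" if score >= MIN_SCORE else REJECTION_MESSAGE


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "Contoso123", "ContosoWelcome2021"):
        print(candidate, score_password(candidate), evaluate(candidate) == "")
```

Running it shows why “Contoso123” fails: after normalisation the banned term counts as a single point and only three characters remain, so the score is four, one short of the threshold.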

Reviewing the effectiveness

As well as users being informed of (and prevented from) setting a password that is “banned”, admins can also see this activity in the Security Logs.

Read more from Microsoft

Microsoft provides a lot more detail and examples on how this works here: