Microsoft Information Protection & Compliance Preview Programs

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Welcome to the MIP and Compliance previews page!

Here you will find details of the various preview programs being managed by the MIP&C CXE team, including each program's status. This page won’t include upcoming preview programs, so if you are interested in working with us on new features as they get close to release, make sure you register your interest:

We will be updating this page regularly with new webinars and resources, so check back often!

Preview Programs

MIP: Trainable classifier auto-labeling with sensitivity labels
  Brief description: Create sensitivity labels and corresponding automatic or recommended labeling policies in Office apps using built-in classifiers.
  More details: Blog
  Preview status: Private

MIP: O365 service-based auto-labeling for EXO (data in transit) and SPO/OD (data at rest)
  Brief description: Auto classification for sensitivity labels in OneDrive, SharePoint, and Exchange helps you automatically label or tag content as sensitive to ensure the configured protections are applied.
  More details: Blog
  Preview status: Private

MIP: Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites
  Brief description: When you create sensitivity labels in the M365 compliance center, you can now apply them to the following containers: Microsoft Teams sites, Office 365 groups, and SharePoint sites. This provides additional policy settings that can be applied.
  More details: Webinar, Docs
  Preview status: Public

MIP: Office client support for sensitivity labels with user-defined permissions
  Brief description: Sensitivity labels that are configured to let users assign permissions now appear in the Sensitivity picker in Office on Windows and Mac.
  More details: Docs, Docs
  Preview status: Public (Office Insiders) and rolling out to Monthly Channel

MIP: Office client support for automatic & recommended labeling
  Brief description: Office apps on Windows and web support recommending or automatically applying a sensitivity label based on sensitive terms contained in the content. Word on Windows can also highlight and list the sensitive terms it detected in the canvas when a recommendation is shown.
  More details: Docs, Docs
  Preview status: Office on Windows: Public (Office Insiders); Office Online: Public (opt-in)

MIP: Enable sensitivity labels for Office files in SharePoint and OneDrive
  Brief description: Ability to apply sensitivity labels that include encryption to Office files stored in SharePoint and OneDrive, and to let the SharePoint Online service process the content of these files for coauthoring, eDiscovery, Data Loss Prevention, search, etc. This also enables sensitivity labeling in the Office Online apps (Word, Excel, PowerPoint Online).
  More details: Docs
  Preview status: Public

MIP: Understand Data Classification
  Brief description: After you apply your retention labels and sensitivity labels, you’ll want to see how the labels are being used across your tenant and what is being done with those items.
  More details: Blog
  Preview status: Public

Thanks to those of you who have participated in our sessions so far. If you haven’t already, don’t forget to check out our resources available on the Tech Community.

 

Thanks!

@Adam Bell on behalf of the MIP and Compliance CXE team

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Microsoft Information Protection and Compliance Webinar Page

Welcome to the MIP and Compliance webinar page!

Here you will find details of our upcoming webinars as well as resources for past webinars. We will be updating this page regularly with new webinars and resources so check back often!

Upcoming Public Webinars:

Compliance: Compliance score how-to
  EMEA: Apr. 15, 2020 16:00 GMT (Calendar: ICS; Attendee link: Event)
  NA: Apr. 15, 2020 12:00 PST (Calendar: ICS; Attendee link: Event)

MIP: Exact Data Match (EDM) classification (What is EDM?)
  EMEA: Apr. 22, 2020 16:00 GMT (Calendar: ICS; Attendee link: Event)
  NA: Apr. 22, 2020 12:00 PST (Calendar: ICS; Attendee link: Event)


Recordings of Past Webinars:

Mar. 17, 2020: MIP: Trainable classifiers
  Recording: Video; Resources: Deck/FAQ
Mar. 10, 2020: Compliance: Insider Risk Management & Communications Compliance
  Recording: Video; Resources: Deck/FAQ
Mar. 5, 2020: MIP: Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites
  Recording: Video; Resources: Deck/FAQ
Feb. 11, 2020: MIP: Know Your Data
  Recording: Video; Resources: Deck/FAQ
Jan. 22, 2020: MIP: Introduction to SharePoint & OneDrive Auto-labeling
  Recording: Video; Resources: N/A
Jan. 15, 2020: MIP: Moving to unified labeling
  Recording: YouTube; Resources: Deck/FAQ


Thanks to those of you who participated in our sessions so far. If you haven’t already, don’t forget to check out our resources available on the Tech Community.

 

Thanks!

@Adam Bell on behalf of the MIP and Compliance CXE team

Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites

With the ability to label a SharePoint Online site, Teams site or O365 Group, we are introduced to the first capabilities for applying sensitivity labels to “containers”. Check out the webinar to understand how this works and how to use it in your organization.

This webinar was presented on Thu Mar 5th 2020, and the recording can be found here.


Attached to this post are:

  1. The FAQ document that summarizes the questions and answers that came up over the course of both Webinars; and
  2. A PDF copy of the presentation.

Thanks to those of you who participated during the two sessions, and if you haven’t already, don’t forget to check out our resources available on the Tech Community.


Thanks!

@Adam Bell on behalf of the MIP and Compliance CXE team

Announcing automatic labeling in Office Apps using built-in classifiers – Limited Preview

I’m thrilled to announce the limited preview of automatic sensitivity labeling in Office apps using built-in classifiers. As part of this preview, the Microsoft 365 Compliance Center will allow you to create sensitivity labels and corresponding automatic or recommended labeling policies in Office apps using built-in classifiers.

The six built-in classifiers that are available as part of this preview are:

  • Resume: detects written accounts of an applicant’s personal, educational, and professional qualifications and experience
  • Source code: detects a set of instructions and statements written in the top 25 computer programming languages of GitHub
  • Offensive language: detects text items that contain profanities, slurs, taunts, and disguised expressions (expressions that have the same meaning as more offensive terms)
  • Threat: detects a specific category of offensive language related to threat to commit violence or do physical harm/damage to a person/property.
  • Harassment: detects a specific category of offensive language related to offensive conduct targeting one or multiple individuals regarding race, color, religion, national origin, gender, sexual orientation, age, disability and genetic information.
  • Profanity: detects a specific category of offensive language that contains swear words or vulgar language.

The Office apps which will support automatic sensitivity labeling using the above classifiers include the following:

  1. Win32 apps (You need to be a part of the Office Insider Program)
    1. Word
    2. Excel Win32
    3. PowerPoint Win32
  2. Office Online Apps (Opt-in to this preview required)
    1. Word Online 
    2. Excel Online 
    3. PowerPoint Online 
    4. Outlook Web 

The subscription and license requirements for this preview are similar to what is needed to enable automatic sensitivity labels in Office apps. You need one of Microsoft 365 E5, Office 365 E5, or Azure Information Protection Premium P2. For more details, see the subscription and licensing requirements for sensitivity labels.

 

Prerequisites to start with built-in classifier-based auto-labeling

For the tenant in which you want to enable built-in-classifier-backed sensitivity labeling in Office apps, you should have the following prerequisites in place:

  1. Office Online apps: to enable this in Office Online apps, you will need to opt in to this preview.
  2. Win32 apps: to enable this in Office Win32 apps, you will need to opt in to the Office Insider program. You have the option to opt in as an individual, a set of individuals, or a group to the Insider channel for testing.
  3. Once you have at least one of the above prerequisites completed, you’ll need to define at least one label for your tenant and a corresponding label policy to detect an out-of-box or custom sensitive information type.
  4. Follow the procedure described in the section “How to Opt-in to this Preview” below to express interest in this feature.

How to Opt-in to this Preview

To express interest in this preview, please fill out this form with your details and we’ll enable it for your tenant within 3 working days.

 

Testing asks

Testing of built-in classifiers

  1. Built-in classifiers that are already published may be tested through the flow of creating an auto-apply sensitivity label policy; please refer to the section “Creating auto-label policies” below for details on how to create a sensitivity label and a label policy.
  2. Feedback: We’d love to hear your feedback on how this feature is helping you with your use cases. We have put together a form that you can fill out for feedback.

Creating auto-label policies

Follow these steps to create an auto-label policy that uses any of the built-in classifiers:

  1. Make sure that at least one sensitivity label and a corresponding label policy already exist in your tenant to detect an out-of-box or custom sensitive information type.
  2. Go to the Microsoft 365 compliance center, click Information Protection in the left navigation menu, and then click “Create a label”.
  3. Enter the name, tooltip, and description for the label and then click Next.
  4. You can then associate a built-in classifier with the label by adding a classifier.
  5. Choose which classifier to associate with the label. In this example we will use “Resume”.
  6. Choose whether you want to auto-apply or just recommend this label, and provide an optional policy tip.
     TIP: For the purpose of testing, use recommended labeling. Once you are satisfied with how the policies are working you can choose the auto-labeling option.
  7. You should then see your label in the list of labels. Click Label policies to create one as the next step.
  8. Go to Label policies and click Publish labels.
  9. Choose the sensitivity label to be associated with the policy.
  10. While testing, scope the policy to certain users or user groups.
     TIP: For the purpose of testing, restrict the scope to a limited set of users, which can be expanded later.
  11. Choose your policy settings and give a name and description to your label policy.
  12. You should now see your label policy in the list of label policies.
  13. Depending on the label settings, you will now see file detections as files are matched by the trainable classifiers, where a policy tip appears. Please note that it takes up to 24 hours for the policy to be synced across all the apps after policy creation.

Helpful Feedback

Throughout the process of testing built-in classifiers and label application across Office apps, your feedback on the following would be helpful:

  • Usability feedback
    • Feedback on the experience all-up
  • Feedback on using these classifiers in the auto-apply or recommended label policy
    • Are labels being applied/recommended to documents that match the category of the classifier (resume, source code, etc.)?
    • Is label recommendation/auto-application accurate and quick?

We have published a form that you can fill to send us your valuable feedback.

 

For more information on Microsoft security solutions visit our website at https://www.microsoft.com/en-us/security/business/solutions or visit our security blog https://www.microsoft.com/security/blog/

 

Threat hunting simplified with Microsoft Threat Protection

While well-funded and highly organized security operations teams often have the most sophisticated detection mechanisms in place, these teams still need experts that can run guided investigations to locate and stop certain threats. For example, sophisticated attackers often live off the land, taking advantage of normal system functionality that leaves almost no identifiable traces. While behavior-based detection algorithms powered by machine learning and AI can learn and respond quickly, human experts remain extremely valuable, especially if they know the network and are familiar with how attacks might play out.

 

What is threat hunting?

Cyberthreat hunting or simply threat hunting is a proactive cybersecurity activity that aims to find threats that are either buried under massive quantities of security signals and alert data or are simply not flagged by security products. It is generally a manual process, although great tools that we will describe in this article can make the process much less tedious and time-consuming.

 

During threat hunting, SecOps practitioners apply threat intelligence takeaways, whether from their own internal research or external research, and devise ingenious ways to determine the existence of an otherwise undetected threat. To do that, they need efficient access to comprehensive data about events and entities in their network as well as a good, quantifiable understanding of normal states or baselines.

 

Threat hunting lets analysts work with established baselines and highlight behavior that might be interesting. With the right tools, analysts can tailor their threat hunting activities to their environments and the threats that they will likely encounter. For instance, they can hunt for unusual behavior—like unexpected network connections—that might indicate that an in-house app or an account has been compromised.

 

The process of establishing the baselines themselves can also be part of threat hunting. To be able to do this, analysts need tools that can look backwards and forwards in time quickly, providing data that is sufficiently granular for defining normal states.

 

Effective threat hunting relies on:

  • Comprehensive, well-structured, and retrievable event and system data
  • Threat intelligence: knowledge about threat actors or actor infrastructure, methodologies, and indicators
  • Granular baseline information that represents normal activity and states
 

Threat hunting example

 

Let’s look at what Jessica, our fictional but awesome SecOps person, might go through:

 

  1. Jessica, who works for Contoso Health Services, finds out about a new vulnerability that affects one of the product suites in her environment. In this case, the attacks are against a known web content management system (CMS).
  2. After doing some more research online, she determines that, because the release of this vulnerability is so recent, it is unclear how attackers might be able to leverage it in her environment. She also knows that a patch to remedy the issue is not yet available.
  3. She creates a query for behaviors tied to the processes involved in this vulnerability to determine existing baseline and normal behavior. She then modifies queries to return only what would not be expected.
  4. Jessica also creates rules so that the queries run regularly and send her notifications whenever there are matches.
  5. Because Jessica did her research and constructed her queries very well—carefully considering the possibility that some unaffected machines might exhibit threat-like behavior—each match to her query constitutes a viable threat-hunting find. These matches include unusual process activity that might very well be actual attempts to abuse the vulnerable CMS.

Clearly, Jessica’s finds can benefit Contoso Health Services by proactively locating exploitation attempts against an unpatched vulnerability. Likewise, her ability to efficiently design and deploy proactive defenses highlights her own capabilities as a defender.

 

Data is key

With cloud-based storage and compute solutions, we can now easily collect massive quantities of data. But as we store larger data sets, there is a growing need to be able to efficiently manipulate and make sense of them.

 

Microsoft Threat Protection itself is made possible by the power of the Azure cloud coupled with insights from the Intelligent Security Graph. In the background, massive amounts of threat intelligence and security data from across Microsoft’s portfolio are crunched and matched against indicators, expert human rules, and machine learning (ML) algorithms in Microsoft AI. This process generates meaningful alerts, identifying threat components and activities that automated investigation and response (AIR) capabilities remediate.

 

For example, Microsoft Threat Protection distinguishes between malicious and normal attempts to write to the registry by looking at millions of examples of registry writes and their contexts: the files or processes involved, file pedigrees, whatever was written to the registry, the time the writes were performed, and so on. With this much baseline info, the AI can confidently raise alerts and start performing remediation activities, rapidly placing harmful registry modifications and associated files in quarantine.

 

While AI and other automated systems are particularly effective at finding threats, human intuition and flexibility can still beat them when dealing with highly specialized or unusual scenarios. What human analysts need, however, are tools that let them:

 

  • Effectively access and handle large sets of data — while the interface is easy-to-use, the tool also needs to be responsive and must label and organize data well. At the same time, log storage must be as straightforward as any competitive cloud-based storage and compute solution that can be deployed and scaled without professional system integrators and other specialists.
  • Automate monitoring of interesting matches to new data — going back to Jessica’s fictional investigation, the tools should let her monitor new activities for matches to the attack activities she has modeled. Without this automation, Jessica will be tied to her chair, constantly looking for matches as new data comes in.

 

Cross-product advanced hunting with Microsoft Threat Protection

With advanced hunting in Microsoft Threat Protection—available in the Microsoft 365 security center with a valid license (go here to get started)—you can deep dive and hunt across data from various workspaces in your Microsoft 365 environment. Advanced hunting initially covers both your endpoints and your Office 365 email. By the end of March 2020, we will expand the schema to cover identity- and app-related signals from Azure ATP and Microsoft Cloud App Security.

 

You can work with Kusto queries, plus you have the convenience of switching to richer views made possible by the various integrated solutions. For example, you can drill down from a query to dedicated pages with comprehensive contextual information about specific alerts, devices, users, domains, IP addresses, and even software vulnerabilities.

 

The specialized data set is organized in a manageable schema covering security-sensitive event and entity information, such as device info, network configuration info, process events, registry events, logon events, file events, and email events.

 

Microsoft will continually incorporate more information into this schema. Here are a few examples of the sophisticated threat hunting activities you can perform with the current coverage.

 

Identify vulnerable devices

With advanced hunting, you can access software inventory information from Threat & Vulnerability Management. Imagine being able to write queries that check for possible exploitation behavior on devices running vulnerable software.

 

The following sample query locates machines affected by the RDP vulnerability CVE-2019-0708—popularly known as “BlueKeep”—and checks for actual RDP connections initiated by unexpected executables:

 

let BlueKeepVulnerableMachines = DeviceTvmSoftwareInventoryVulnerabilities
| where CveId == "CVE-2019-0708"
| distinct DeviceId;
// Find unusual processes on Windows 7 or Windows Server 2008 machines with
// outbound connections to TCP port 3389
let listMachines = DeviceInfo
| where OSVersion == "6.1" // Win7 and Srv2008
| distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (BlueKeepVulnerableMachines)
| where RemotePort == 3389
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
// Remove expected RDP clients, scanners and agents (!in~ compares case-insensitively)
| where InitiatingProcessFileName !in~
    ("mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
    "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe",
    "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe",
    "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
    "microsoftedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe", "", "RetinaEngine.exe",
    "AuvikService.exe", "AuvikAgentService.exe", "CollectGuestLogs.exe",
    "NetworkWatcherAgent.exe", "MobaRTE.exe", "java.exe", "mscorsvw.exe", "MultiDesk.exe",
    "Microsoft Remote Desktop", "javaw.exe", "ASGRD.exe", "MultiDesk64.exe", "Passwordstate.exe")
// kind=inner keeps every matching network event; the default join kind (innerunique)
// keeps only one left-side row per DeviceId and would skew the daily counts below
| join kind=inner listMachines on DeviceId
| project Timestamp, DeviceId, DeviceName, RemoteIP, InitiatingProcessFileName,
    InitiatingProcessFolderPath, InitiatingProcessSHA1
| summarize conn=count() by DeviceId, InitiatingProcessFileName, bin(Timestamp, 1d)

 

Hunt for threats that land by email and impact devices

You can also run queries that track threats that might have arrived through email and then traversed your endpoints. For example, this simple query checks for files from a known malicious email sender:

 

// Get prevalence of files sent by a malicious sender in your organization
EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com" // =~ is case-insensitive
| where isnotempty(SHA256)
| join (
    DeviceFileEvents
    | project FileName, SHA256
) on SHA256

Read more about hunting on devices and email
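
The same email-to-endpoint pivot, written in Python as an added example (not the post's own KQL and not Microsoft's code) over constructed rows standing in for EmailAttachmentInfo and DeviceFileEvents. The sender address is the one from the query; the attachment names, hashes and device names are made up. It goes one step beyond the inner join in the query: hashes from the sender that never appear on any endpoint are reported with empty lists, so the analyst can see which attachments were blocked or never opened as well as which ones landed.

```python
"""Offline re-implementation of the email attachment prevalence pivot (added example).
Rows are constructed to stand in for EmailAttachmentInfo and DeviceFileEvents."""
from collections import defaultdict

MALICIOUS_SENDER = "MaliciousSender@example.com"   # sender used in the page's query

# Constructed stand-in for EmailAttachmentInfo
EMAIL_ATTACHMENTS = [
    {"SenderFromAddress": "maliciousSENDER@example.com", "FileName": "invoice.doc",
     "SHA256": "a" * 64},                        # case differs; =~ still matches
    {"SenderFromAddress": "MaliciousSender@example.com", "FileName": "quote.xlsm",
     "SHA256": "b" * 64},                        # never seen on an endpoint
    {"SenderFromAddress": "MaliciousSender@example.com", "FileName": "image.png",
     "SHA256": ""},                              # no hash computed; isnotempty() drops it
    {"SenderFromAddress": "colleague@contoso.example", "FileName": "notes.docx",
     "SHA256": "c" * 64},                        # different sender; out of scope
]
# Constructed stand-in for DeviceFileEvents
DEVICE_FILE_EVENTS = [
    {"DeviceName": "ws-finance-01", "FileName": "invoice.doc", "SHA256": "a" * 64},
    {"DeviceName": "ws-hr-03", "FileName": "invoice (1).doc", "SHA256": "a" * 64},
    {"DeviceName": "ws-finance-01", "FileName": "invoice.doc", "SHA256": "a" * 64},
    {"DeviceName": "srv-app-02", "FileName": "notes.docx", "SHA256": "c" * 64},
]


def attachment_prevalence(attachments, file_events, sender):
    """Return {SHA256: {"email_name", "devices", "observed_names"}} for every hashed
    attachment from `sender` (matched case-insensitively, like KQL's =~), listing the
    devices and on-disk names under which the same hash was later seen."""
    wanted = {}                                   # SHA256 -> name as attached in email
    for a in attachments:
        if a["SenderFromAddress"].lower() != sender.lower():
            continue
        if not a["SHA256"]:                       # mirrors `where isnotempty(SHA256)`
            continue
        wanted.setdefault(a["SHA256"], a["FileName"])
    devices, names = defaultdict(set), defaultdict(set)
    for ev in file_events:                        # the `join ... on SHA256` step
        if ev["SHA256"] in wanted:
            devices[ev["SHA256"]].add(ev["DeviceName"])
            names[ev["SHA256"]].add(ev["FileName"])
    return {h: {"email_name": n,
                "devices": sorted(devices[h]),
                "observed_names": sorted(names[h])}
            for h, n in wanted.items()}


if __name__ == "__main__":
    for sha, info in attachment_prevalence(EMAIL_ATTACHMENTS, DEVICE_FILE_EVENTS,
                                           MALICIOUS_SENDER).items():
        print(sha[:12], info)
```

Pivoting on the hash rather than the file name is the point of the exercise: the second endpoint above holds the same content under a renamed file, and a name-based search would miss it. Collecting distinct device names, rather than counting raw file events, also keeps repeated events on one machine from inflating the prevalence figure.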

 

Start simple, learn fast

There’s no need to get intimidated by the query interface as the Kusto Query Language is straightforward. It has very powerful data manipulation capabilities that can be learned with more experience, but it takes only a few minutes to begin running simple queries, like locating a file SHA mentioned in the Twitter feed of your favorite security researcher.

 

Once you are there, you can easily look deeper into an instance of the SHA on a specific device or grab a list of all the devices with that SHA and look for commonalities between those devices. Again, it does not hurt that you have other Microsoft Threat Protection features, such as file and machine profile pages, at your disposal.

 

Advanced hunting is backed by a strong community of experienced security practitioners and Kusto Query Language users who are ready to share expertise so that you can easily learn a new syntax. You will find many blog posts in the Microsoft Defender ATP Tech Community discussing various query techniques. You could also explore the Microsoft Threat Protection repository or the Microsoft Defender ATP repository for queries covering various known threat campaigns and techniques.

Soon enough, you’ll be creating custom detection rules—available by the end of March 2020 with Microsoft Threat Protection—from your hunting queries. These detection rules automatically check for and respond to various events and system states, including suspected breach activity and misconfigured machines.

 

Try it yourself

It’s time to try advanced hunting for yourself! If you believe PowerShell download activity in your network is likely suspicious, give the query below a try.

 

// Finds PowerShell execution events that could involve a download
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
// Pivoting on PowerShell processes
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
// Suspicious commands
| where ProcessCommandLine has_any("WebClient",
"DownloadFile",
"DownloadData",
"DownloadString",
"WebRequest",
"Shellcode",
"http",
"https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp

 

Want to explore this query further and understand how it might catch malicious activity? Learn how this query works

 

Hunt across your entire environment with Azure Sentinel

The advanced hunting capabilities in Microsoft Threat Protection enable you to find threats across your users, endpoints, email and productivity tools, and apps. You can integrate the data from Microsoft Threat Protection into Azure Sentinel and then expand that dataset to include data from Azure Security Center and third-party security products to find threats that span your entire environment.

 

Azure Sentinel provides cloud-native SIEM capabilities, including AI that fuses multiple alerts to a complete attack chain. For example, it can take an alert from Microsoft Threat Protection and combine that with an alert from a third-party firewall. You can then visualize that attack chain or use Kusto Query Language to query across the full set of security data and then remediate the issue and put in place an automated solution with Azure Logic Apps.

 

Louie Mayor & Justin Carroll

Microsoft Threat Protection team

Microsoft Partners with Terranova Security for Security Awareness Training

Microsoft is pleased to announce a strategic partnership with Terranova Security to provide world-class security training to end users. Through this partnership, we will address our customers’ most significant risk vectors – phishing driving risky end user behaviors. After a multi-month search across the industry, we chose to team up with Terranova Security because we believe that our partnership will enable us to deliver unique and highly differentiated value to our customers.

 

Users falling prey to phishing is one of the most common, impactful risks facing our customers today. Microsoft’s partnership with Terranova Security enables us to deliver an industry-leading solution with differentiated phishing simulation and human-centric training.

Rob Lefferts, Corporate Vice President, Microsoft 365 Security

 

Microsoft’s technology and platform enriches us with intelligent insights to develop security awareness training on the most recent and relevant risks. This partnership empowers Terranova Security to provide human-centric security training at maximum scale and efficacy.

Lise Lapointe, CEO, Terranova Security

 

We chose Terranova Security for their human-centric approach, which draws on principles of behavioral science to create training content that demonstrably changes user behavior; their comprehensive content catalog, which will allow customers to customize training based on context and behavior patterns; and their demonstrated commitment to diverse and inclusive practices.

Started in 2001, Terranova Security brings together technology and education, twin passions of the founder, to create a unique interdisciplinary approach to security awareness training. The emergent need for user training that sparked the journey has since evolved. Today, the market looks to Terranova Security’s leadership and CEO Lise Lapointe’s book is the go-to text for designing effective security awareness programs.  The pedagogical consistency of Terranova Security’s content will empower our customers to deliver effective, engaging phish training to all their users as well as measure its efficacy.

 

Terranova Security’s catalog impresses not only in its intellectual quality and engaging experience, but also in its comprehensive breadth. It provides the most enterprise-ready library of content in the marketplace, featuring trainings of every duration, covering all the social engineering variants across the spectrum. This allows Microsoft to leverage insights from our email threat protection solution, Office 365 Advanced Threat Protection (Office 365 ATP) to personalize phish training—delivering the right training to the right users at the right time for maximum efficacy. The automation and integration built into Office 365 Advanced Threat Protection will leverage and target phish training content to deliver a seamless, context-aware and engaging user experience for all our customers. Insights generated will flow into analytics and recommendations that will help our customers customize and differentiate phish training for maximum effect within their organizations. The market has outgrown one-size-fits-all solutions, and end users expect interactive, engaging content that adapts to their learning needs. Terranova Security meets this.

 

Finally, both Terranova Security and Microsoft share a commitment to diverse and inclusive practices. Terranova Security builds inclusion into their boardroom, their content and their products and services. Terranova Security’s content library is available in 40 different languages, enabling training across geographies. Further, Terranova Security’s content will meet Level A Success Criteria of the Web Content Accessibility Guidelines Version 2.1, the highest bar of accessible content available. All of this means that any organization in the world will be able to benefit from this security awareness training content. Microsoft strives to serve customers from all over the world, with different perspectives and needs. Terranova Security’s focus on diversity and inclusion bolsters our ability to deliver industry-leading experiences for all our customers.

 

We believe that this partnership will enable us to address our customer’s most significant and impactful risk vectors: phishing driving risky end user behaviors.  The combination of Microsoft technology to target the right training at the right coupled with Terranova Security’s human-centric approach will deliver an industry-leading phishing simulation and training experience. The solution will raise the efficacy bar for phishing training to new heights and will shift your users from being part of the problem to the solution.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Announcing GA of O365 ATP Campaign Views and Compromised User Detection and Response

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Today, I’m thrilled to announce the general availability of two extremely popular and valuable features in the Office 365 Advanced Threat Protection offering: Campaign Views and Advanced Compromised user detection and response. These features together greatly amplify the protection of organizations by helping security teams detect compromised users sooner, identify configuration weaknesses faster and improve security posture. And they also help reduce the scope of impact of breaches by giving security teams the tools to respond quickly.

 

Campaign views:

When we released Campaign Views into public preview a few months ago, we already knew it was an extremely popular and useful capability for security teams, based on the overwhelmingly positive feedback from our close design customer partners. Campaign views offer security teams the full story of how attackers targeted the organization and its users and how their defenses held up (or not).

Security teams can quickly:

  • See summary details about the campaign, including when the campaign started, the sending pattern and timeline, how big the campaign was and how many users fell prey to it.
  • See the list of IP addresses and senders used to orchestrate the attack.
  • Assess which messages were blocked, ZAPped, delivered to junk or quarantine, or allowed into the inbox.
  • See all the URLs that appeared in the attack.
  • Learn if there are users that have fallen prey to any attacks and clicked on the phish URL.

Armed with the information above, security teams can more effectively and efficiently:

  1. Remediate compromised/vulnerable users
  2. Improve security posture by eliminating the configuration flaws seen
  3. Investigate related campaigns that use the same indicators of compromise
  4. Hunt and track threats that use the same indicators of compromise


Amazing feedback:

Over the past few months, in public preview we’ve had extremely positive feedback on the feature.

“Being able to piece together the big picture of phishing attacks spread out over multiple days and with subtle changes in tactics of the campaigns, is extremely powerful”

“I’ve now started using this as one of the starting points for my hunting and investigation. And I keep coming back every few days to see what’s new and what I need to focus on”

Comments like the above are music to our ears and we’ve been hearing it from many customers that have been using Campaign Views in preview.


Tangible value:

It is no wonder that customers love this feature. Just consider the following stories.

For one large customer, visibility into the complexity of a small number of recurring, detected campaigns helped them identify and understand a set of persistent, targeted attacks against a specific R&D department.

Another tenant prioritized a full review of their decade-old configuration settings after they saw a campaign that completely bypassed filtering and allowed message delivery into their organization. It turns out that the campaign was allowed by a previously unknown and unrecognized Exchange mail flow rule (also known as a transport rule or ETR).

As we engage with customers, we continue to hear stories like this that make using campaign views as part of the SecOps workflows extremely compelling.


Additional improvements:

As part of the GA release we’ve also made additional improvements to Campaign views.

Improved discoverability: Campaign views are a separate node in the left navigation panel of the O365 Security and Compliance portal under ‘Threat Management’.

Expanded search and investigation capabilities: We’ve made it easier to search across campaigns. For example, you can search for all campaigns that targeted a specific recipient (for example, your company’s CEO) or campaigns related to a particular email (search for subject keywords or the specific messageID).

More campaign details: For each campaign, more information is now presented.

  • Click-rate: As a way to measure the effectiveness of the campaign (from an attacker’s perspective), or in other words the impact of the campaign on the organization, we now show a click-rate. Click-rate shows the percentage of Inbox’ed messages (messages delivered to the Inbox) that received a click from the recipient. This is an indirect measurement of how effective and convincing the social engineering aspect of the campaign was.

  • Authentication details: Within the Campaign view, we show expanded authentication details for all email authentication protocols (SPF for sending IPs, DKIM and DMARC for senders). Authentication failures identify attackers that are spoofing senders. Passing these authentication checks indicates that legitimate email sending infrastructure is being used for these attacks (for example, compromised or abused accounts, which require different action plans).
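As an added example (not code from the original post or from Office 365 ATP), the following Python computes the two campaign details just described, the click-rate over Inbox’ed messages and the per-sender authentication breakdown, from a handful of constructed message records. The `Message` fields, the verdict names and the TEST-NET sender IPs are assumptions made for this example, not the product’s schema.

```python
"""Campaign triage over a constructed batch of message records.

Added example; it is not code from the original post or from Office 365 ATP.
The Message fields are an assumed shape, not the product schema, and the IPs
are TEST-NET addresses, not real indicators.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Message:
    sender_ip: str
    verdict: str   # one of: blocked, zapped, junk, quarantine, inbox
    spf: str       # pass / fail / none
    dkim: str
    dmarc: str
    clicked: bool  # recipient clicked the phish URL


# Constructed sample: a spoofed wave from 203.0.113.5 that failed
# authentication, and a wave from 198.51.100.9 that passed every check.
SAMPLE: List[Message] = [
    Message("203.0.113.5", "blocked", "fail", "none", "fail", False),
    Message("203.0.113.5", "blocked", "fail", "none", "fail", False),
    Message("203.0.113.5", "junk", "fail", "none", "fail", False),
    Message("203.0.113.5", "inbox", "fail", "none", "fail", True),
    Message("198.51.100.9", "zapped", "pass", "pass", "pass", False),
    Message("198.51.100.9", "inbox", "pass", "pass", "pass", True),
    Message("198.51.100.9", "inbox", "pass", "pass", "pass", False),
    Message("198.51.100.9", "inbox", "pass", "pass", "pass", False),
]


def verdict_counts(messages: List[Message]) -> Dict[str, int]:
    """How the filtering stack handled the campaign: blocked, ZAPped, junk, quarantine, inbox."""
    return dict(Counter(m.verdict for m in messages))


def click_rate(messages: List[Message]) -> Optional[float]:
    """Percentage of Inbox'ed messages that received a click.

    Only messages that actually reached an Inbox count in the denominator; a
    campaign that was fully blocked has no click-rate, so None is returned
    rather than a misleading 0.0.
    """
    inboxed = [m for m in messages if m.verdict == "inbox"]
    if not inboxed:
        return None
    return 100.0 * sum(1 for m in inboxed if m.clicked) / len(inboxed)


def authentication_triage(messages: List[Message]) -> Dict[str, str]:
    """Label each sending IP from its SPF/DKIM/DMARC results.

    Failures point at sender spoofing; a clean pass on every message means
    legitimate sending infrastructure is in play (a compromised or abused
    account), which needs a different response than blocking a spoofer.
    """
    by_ip: Dict[str, List[Message]] = {}
    for m in messages:
        by_ip.setdefault(m.sender_ip, []).append(m)

    labels: Dict[str, str] = {}
    for ip, msgs in by_ip.items():
        if all(m.spf == "pass" and m.dkim == "pass" and m.dmarc == "pass" for m in msgs):
            labels[ip] = "authenticated-infrastructure"
        elif any("fail" in (m.spf, m.dkim, m.dmarc) for m in msgs):
            labels[ip] = "spoofed-sender"
        else:
            labels[ip] = "no-authentication-result"
    return labels


def campaign_summary(messages: List[Message]) -> dict:
    """Everything an analyst reads off the campaign page, in one dict."""
    return {
        "messages": len(messages),
        "verdicts": verdict_counts(messages),
        "click_rate_percent": click_rate(messages),
        "sender_ips": authentication_triage(messages),
        "clicked_recipients": sum(1 for m in messages if m.clicked),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(campaign_summary(SAMPLE), indent=2))
```

The denominator choice matters: dividing clicks by all messages sent would reward the filtering stack for blocking mail and understate how convincing the lure was, which is why the post defines click-rate over Inbox’ed messages only.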

Campaign Views is GA!

Campaign Views will be immediately available to all customers with Office 365 ATP P2 and Office 365 E5 subscriptions. We encourage you to start using this powerful new set of capabilities to understand, mitigate and remediate phishing attacks. To learn more, see Campaign Views in Office 365 ATP.

Advanced Compromised user detection and response:

User accounts continue to have immense value for attackers. By compromising an account the attacker gains a foothold into the organization, using which they look to proliferate the attack, build avenues for the delivery of additional spam and phish campaigns, target additional users within the organization, steal sensitive data, or hold the organization to ransom.

This is why organizations need a sound protection strategy that focuses not only on prevention, but also early detection and response of account compromise and breaches.

The attacker’s activities when using a compromised account are often atypical or anomalous relative to the user’s regular behavior. For instance, there is no good reason for trusted users to be sending any phish or spam emails to other recipients. Being able to detect anomalies in user activity is therefore a key signal source for detection.

A few months ago, we released several features to detect anomalies in user activity to expand on our detection of user compromise. And we also released into preview a compelling automated playbook to automatically investigate such threats to help security teams more effectively and comprehensively detect the source and impact of the compromise and take remediation actions.


Amazing impact:

The power of these new capabilities has been immediately apparent. In the past few months, we’ve seen a 5x increase in the number of user compromises detected and responded to by customers using this feature.

If you consider the average cost of a data breach to organizations (~$4M globally, per some studies), with estimates being higher in certain geographies (some estimates reaching as high as $10M in regions like the US), any time security teams can detect and respond to compromised users faster and prevent costly data-breaches, is a critical win for the organization, their employees, their partners and customers.


Continuous stream of improvements:

As a lead-up to GA, we’ve also been working to continually expand and tune our detections to more accurately detect compromise, highlight exfiltration of data and improve the efficiency of SecOps teams. While this GA announcement marks a compelling checkpoint to leverage this feature more confidently, we’ll continue to expand the types of detections and SecOps capabilities we introduce into this feature.


Compromise user detection and response is GA!

The compromise detections and alerts are available to all customers. The advanced automated playbooks for automatic investigation and response to compromised users, which give a more effective and efficient analysis of the cause and impact of the compromise, are generally available today to all customers with Office 365 ATP P2 and Office 365 E5 subscriptions. We encourage you to start using this powerful new set of capabilities to stop attack kill-chains early and reduce the impact and scope of breaches. To learn more, see the documentation related to compromised user response.

Try it for yourself!

If you’ve not checked out these capabilities yet, I strongly encourage you to do so. The combination of campaign views and compromise user detection and response helps reduce the scope of impact of breaches by giving security teams the tools to detect compromised users sooner, identify configuration weaknesses easily, respond faster and more effectively and improve security posture. Go on, give it a try. We’d love to hear what you think.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Power faster and more effective forensic and compliance investigations

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

We are pleased to share that Advanced Audit for Microsoft 365 is now rolling out. The new set of capabilities is aimed at powering faster and more effective forensic and compliance investigations.


These updates include:

  • Extending the preservation of a user’s audit activities from 90 days to 1 year
  • Increasing bandwidth access to the Management Activity API
  • Access to crucial events for investigations

Longer-term retention

Currently, audit logs are retained for 90 days by default. With Advanced Audit you are now able to retain audit logs for more than 90 days and up to 1 year for eligible users.


To apply the custom retention policy, within the audit log search, you can create a new retention policy and choose the appropriate duration within the UI or through cmdlets. You can also add more policies or customize existing ones. More details are available here.

[Image: Add a new retention policy for an individual user’s audit log activities for up to 1 year]

Faster access to data

In the past, customers consuming logs through the Office 365 Management Activity API were limited by throttling limits at the publisher level, which means that for a publisher pulling data on behalf of multiple customers, the limit was shared by all those customers.


With this release, we are moving from publisher-based to tenant-based limits so each tenant will get their fully allocated bandwidth quota to access their auditing data. The bandwidth will be determined by a combination of factors including the number of seats in the tenant and their license subscription.


All tenants will start with a baseline of 2,000 requests per minute and will go up depending on their seat count, and E5 customers with Advanced Audit will get more bandwidth than non-E5 customers to provide faster access to data. Note that there will also be an upper cap for bandwidth to protect the health of the service. You can learn more from our documentation here.


Access crucial events for investigations

With Advanced Audit, one of the first events we are releasing is MailItemsAccessed. With this new event, access to data over mail protocols and clients will be audited to help investigators better understand the scope of a compromise.


The new MailItemsAccessed action is exposed as a part of Exchange Mailbox Auditing and is enabled by default. You can learn more from our documentation here.
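An added example (not code from the original post or from Microsoft) of how an investigator can use MailItemsAccessed records to scope a compromise: it parses a few constructed audit records shaped like Management Activity API events, learns which clients a user normally reads mail from before a suspected compromise window, and lists the message IDs that unfamiliar clients read inside that window. The field names are assumed to follow the published MailItemsAccessed schema; every value, address and date below is made up.

```python
"""Scoping a mailbox compromise from MailItemsAccessed audit records.

Added example, not code from the original post or from Microsoft.  The records
below are constructed; their field names are assumed to follow the published
MailItemsAccessed schema (CreationTime, UserId, ClientIPAddress,
ClientInfoString, MailAccessType, OperationCount, IsThrottled, Folders).
"""
import json
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed records: 192.0.2.10 / OWA is alice's usual client; the
# 198.51.100.77 / REST client appears only inside the suspected window.
AUDIT_RECORDS: List[str] = [
    json.dumps({
        "CreationTime": "2020-02-01T09:12:00", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "ClientIPAddress": "192.0.2.10",
        "ClientInfoString": "Client=OWA;Action=ViaProxy", "MailAccessType": "Bind",
        "OperationCount": 1, "IsThrottled": False,
        "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<a1@example.com>"}]}],
    }),
    json.dumps({
        "CreationTime": "2020-02-10T02:30:00", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "ClientIPAddress": "198.51.100.77",
        "ClientInfoString": "Client=REST;Client=RESTSystem", "MailAccessType": "Bind",
        "OperationCount": 3, "IsThrottled": True,
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<b1@example.com>"}, {"InternetMessageId": "<b2@example.com>"},
            {"InternetMessageId": "<b3@example.com>"}]}],
    }),
    json.dumps({
        "CreationTime": "2020-02-10T08:05:00", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "ClientIPAddress": "192.0.2.10",
        "ClientInfoString": "Client=OWA;Action=ViaProxy", "MailAccessType": "Bind",
        "OperationCount": 1, "IsThrottled": False,
        "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<c1@example.com>"}]}],
    }),
]


def parse_records(raw: List[str]) -> List[dict]:
    """Decode the AuditData JSON and keep only MailItemsAccessed events."""
    events = [json.loads(r) for r in raw]
    return [e for e in events if e.get("Operation") == "MailItemsAccessed"]


def client_key(event: dict) -> Tuple[str, str]:
    """A client is identified by its source IP plus the client string it presented."""
    return (event["ClientIPAddress"], event["ClientInfoString"])


def message_ids(event: dict) -> List[str]:
    """Bind records itemise what was read; Sync records usually carry folders only, so this may be empty."""
    return [item["InternetMessageId"]
            for folder in event.get("Folders", [])
            for item in folder.get("FolderItems", [])]


def scope_compromise(events: List[dict], user: str, window_start: str, window_end: str) -> dict:
    """Baseline = clients seen for `user` before the window; report what other clients read inside it."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    mine = [(datetime.fromisoformat(e["CreationTime"]), e) for e in events if e["UserId"] == user]
    baseline = {client_key(e) for when, e in mine if when < start}

    unfamiliar: Dict[Tuple[str, str], List[str]] = {}
    incomplete = False
    for when, e in mine:
        if start <= when <= end and client_key(e) not in baseline:
            unfamiliar.setdefault(client_key(e), []).extend(message_ids(e))
            # A throttled record did not log every item: the list is a floor, not the full scope.
            incomplete = incomplete or bool(e.get("IsThrottled"))

    return {
        "user": user,
        "baseline_clients": sorted(baseline),
        "unfamiliar_clients": {f"{ip} {info}": ids for (ip, info), ids in unfamiliar.items()},
        "accessed_message_ids": sorted(i for ids in unfamiliar.values() for i in ids),
        "item_list_incomplete": incomplete,
    }


def demo_report() -> dict:
    """The constructed records scoped against a 9-11 Feb 2020 suspected-compromise window."""
    return scope_compromise(parse_records(AUDIT_RECORDS), "alice@example.com",
                            "2020-02-09T00:00:00", "2020-02-11T00:00:00")


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

The `item_list_incomplete` flag is the part worth keeping in a real workflow: when a record is throttled, the message list tells you which items were certainly read, not that nothing else was.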


[Image: Users can now see audit activity such as the MailItemsAccessed event]

Get Started

For Microsoft 365 E5 customers, Advanced Audit is rolling out over the next few weeks. You can also sign up for a trial or navigate to the Microsoft 365 compliance center to get started today. 


Learn more about what’s new with Advanced Audit and how to configure policies in your tenant in this supporting documentation. We look forward to hearing your feedback.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

[UPDATED] Introducing remote deployment guidance for Microsoft Defender ATP and Office 365 ATP

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

In today’s heterogeneous environments, security is becoming more and more complex. Customers are facing a growing attack surface and need help speeding up deployment of their protection tools at scale. To help security teams address these complexities and better protect, detect and respond to threats faster, we are excited to announce Microsoft FastTrack remote deployment guidance for Microsoft Defender Advanced Threat Protection (ATP), our unified endpoint security platform for proactive threat protection, post-breach detection, automated investigation, and response. We are also announcing an expanded FastTrack scope for Office 365 Advanced Threat Protection, which protects customers against sophisticated threats like phishing and malware with automated investigation and remediation.


Microsoft Defender ATP and Office 365 ATP are two critical components of the suite of Microsoft security products that work seamlessly together to provide protection across the entire attack kill chain, using built-in intelligence from the Microsoft Intelligent Security Graph to protect identities, email, applications, endpoints, and data from evolving threats.


At Microsoft, we are fully committed to helping customers realize the value of our Microsoft 365 security solutions by deploying them more quickly to address their business needs. FastTrack is responsible for making this commitment a reality by advising and supporting customers during the deployment of their technologies. We are now expanding the support we already provide for securing identities to email and endpoints with remote deployment guidance for customers that want to leverage advanced tools to secure their email and endpoints. Together, identity, email and endpoints represent the three most common entry points for attackers.


Microsoft FastTrack enables customers to deploy Microsoft 365 security solutions at no additional cost for eligible subscriptions in North America. FastTrack has an engagement model built on learnings and expertise gained through engineering work with more than 60,000 customers since 2014. We use and share these best practices as part of a deployment process that enables customers to onboard to new services quickly and reliably.


The FastTrack team provides remote guidance, engaging directly with customers or partners. This is an ongoing benefit throughout the life of the subscription, delivered by Microsoft and approved partners.


To request assistance, visit www.microsoft.com/FastTrack.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

How to prevent and expose “unknown unknown” threats

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Check out the joint Microsoft and Morphisec webinar next Tuesday, November 19, at 10am EST, where two rockstar women in cybersecurity will show you how to prevent and expose “unknown unknown” threats through an integration of Morphisec’s Moving Target Defense with Microsoft Defender ATP.


To register and learn more, click here


Looking forward to seeing you next week!

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Speed up time to detect and respond to user compromise and limit breach scope with Office 365 ATP

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Attackers are driven by the desire to cause damage or build their brand. They focus on gaining access to sensitive data to expose it, use it, sell it or hold it for ransom. Or they focus on impacting critical infrastructure – whatever will increase their bottom line, be it financial gain or notoriety. Regardless of their goals, attackers often look to achieve them by first gaining a foothold in the organization through a compromised user, device, or application, and then working through a variety of steps in the ‘kill-chain’ of their attack to achieve their intent.

A compromised entity in an organization can therefore have serious repercussions. And the longer a compromise goes undetected, the larger the potential for widespread impact and cost to the organization, their customers, and partners. Early detection and remediation of compromise is therefore critical to limit the scope of a breach.

To speed up that time to detection, limit the scope of the breach and help security teams more effectively and efficiently detect and respond to compromised users, I’m excited to announce the preview of new enhanced compromised user detection and response capabilities in Office 365 ATP.

Let me give you a quick look at what these enhanced detections look like, the alerts we raise in the Office 365 Security Center and the insights and powerful automation we offer security teams to investigate and respond to end-user compromise to limit the spread of the attack across the organization.


Figure 1: Office 365 ATP auto-investigation into user suspected of being compromised


Improving detections across the kill chain

In the past few years, attacks targeting users, whether identity-based attacks like password spray or social engineering attacks like phishing, to try and compromise credentials have become increasingly common and sophisticated. For instance, over the past year across Office 365 we’ve seen a 60 percent increase in phishing attacks.

Attackers target users to land their exploit and then look to expand their attack scope. They compromise users and then leverage the victim’s contacts, accessible resources, applications they use, and more, to launch a variety of internal attacks to spread across the organization. These can include internal phishing campaigns orchestrated through emails and other collaboration tools to target other users, systems and data repositories inside the organization or in partner organizations.


Internal detections of such attacks are therefore a key piece of an organization’s protection and detection strategy. Paired with advanced investigation and response mechanisms, this can help ensure that compromised entities are detected quickly, and the breach does not prove too costly.

The attacker’s activities when using a compromised account are often atypical or anomalous relative to the user’s regular behavior. For instance, there is no good reason for trusted users to be sending any phish or spam emails to other recipients. Being able to detect anomalies in user activity is therefore a key signal source for detection. Office 365 ATP is able to detect these anomalies in email patterns and collaboration activity within Office 365.


The attacker may or may not trigger a suspicious login. And often suspicious login alerts, when viewed in isolation, can be noisy. However, by pairing these O365 detections with other identity- and endpoint-related suspicious signals, we can greatly enhance the speed and accuracy of compromise detection.

We’ve also built in automation to investigate the source of the breach, determine whether there are other potentially impacted users, and analyze the impact of the compromise. Further recommendations are then provided to security teams to remediate and ultimately reduce their attack surface.


Alerting security teams to potential compromise

A common attack technique is to use a compromised account to ‘spray’ a phishing campaign and target other users. The compromised mailbox is used to send phishing messages to a large number of users inside and outside the organization with the intent of compromising these other recipients.

When Office 365 detects suspicious email or anomalous activity patterns it will raise an alert to call out the suspicious activity. For example, figure 2 below shows an alert that was raised because of suspicious sending patterns of a user.


Figure 2: Office 365 alert raised when suspicious email sending patterns were observed for a user

Office 365 also allows security teams to define sending limits for users in advance to limit the scope of a possible breach. As shown in Figure 3 below, the admin can set hourly and daily sending limits for users and also specify the action to take if those limits are hit. When these thresholds are breached, admins are alerted.


Figure 3: Office 365 policy for internal and outbound email sending thresholds configuration with notification options
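As an added example (not code from the original post or from Office 365), the following Python models the kind of policy Figure 3 describes, hourly limits for internal and external recipients, a daily limit, and an action once a limit is hit, and evaluates it over a constructed send log so the threshold logic can be seen end to end. The log format, the `SendingPolicy` fields and the action names are assumptions made for this example.

```python
"""Outbound-sending thresholds applied to a constructed send log.

Added example, not code from the original post or from Office 365.  The log
format, the SendingPolicy field names and the action names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class SendingPolicy:
    external_per_hour: int
    internal_per_hour: int
    recipients_per_day: int
    action: str  # assumed names: "Alert", "BlockUser" or "BlockUserForToday"


DEFAULT_POLICY = SendingPolicy(external_per_hour=5, internal_per_hour=10,
                               recipients_per_day=10, action="BlockUser")

# Constructed log: timestamp,sender,recipient,scope.  alice behaves normally;
# mallory's mailbox bursts external mail in the 09:00 hour and again at 10:00.
SEND_LOG = """\
2019-10-01T08:05:00,alice@example.com,bob@example.com,internal
2019-10-01T08:40:00,alice@example.com,carol@example.com,internal
2019-10-01T13:10:00,alice@example.com,partner@example.net,external
2019-10-01T09:01:00,mallory@example.com,t1@example.net,external
2019-10-01T09:02:00,mallory@example.com,t2@example.net,external
2019-10-01T09:02:30,mallory@example.com,t3@example.net,external
2019-10-01T09:03:00,mallory@example.com,t4@example.net,external
2019-10-01T09:03:30,mallory@example.com,t5@example.net,external
2019-10-01T09:04:00,mallory@example.com,t6@example.net,external
2019-10-01T10:15:00,mallory@example.com,t7@example.net,external
2019-10-01T10:16:00,mallory@example.com,t8@example.net,external
2019-10-01T10:17:00,mallory@example.com,t9@example.net,external
2019-10-01T10:18:00,mallory@example.com,t10@example.net,external
2019-10-01T10:19:00,mallory@example.com,t11@example.net,external
"""


def evaluate(log_text: str, policy: SendingPolicy) -> List[dict]:
    """Return one violation record per (user, window, limit) that was exceeded."""
    hourly = defaultdict(int)   # (user, hour bucket, scope) -> recipients
    daily = defaultdict(int)    # (user, date) -> recipients
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, sender, _recipient, scope = line.split(",")
        ts = datetime.fromisoformat(ts_text)
        hourly[(sender, ts.strftime("%Y-%m-%dT%H"), scope)] += 1
        daily[(sender, ts.date().isoformat())] += 1

    violations = []
    for (user, hour, scope), count in sorted(hourly.items()):
        limit = policy.external_per_hour if scope == "external" else policy.internal_per_hour
        if count > limit:
            violations.append({"user": user, "window": hour, "limit": f"{scope}_per_hour",
                               "count": count, "threshold": limit})
    for (user, day), count in sorted(daily.items()):
        if count > policy.recipients_per_day:
            violations.append({"user": user, "window": day, "limit": "recipients_per_day",
                               "count": count, "threshold": policy.recipients_per_day})
    return violations


def decide_actions(violations: List[dict], policy: SendingPolicy) -> Dict[str, str]:
    """Map each offending user to the policy action; every hit would also raise an admin alert."""
    return {v["user"]: policy.action for v in violations}


if __name__ == "__main__":
    found = evaluate(SEND_LOG, DEFAULT_POLICY)
    for v in found:
        print(v)
    print(decide_actions(found, DEFAULT_POLICY))
```

Note how the 10:00 hour, with exactly five external recipients, does not trip the hourly limit on its own but still pushes the day total over the daily cap; layering a daily limit on top of hourly ones is what catches a sender who paces a burst just under the hourly threshold.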


In some cases, as shown in figure 4 below, Office 365 will automatically restrict the user from sending any more emails and raise the alert below. 


Figure 4: Office 365 alert when a user is restricted from sending email after compromise is detected


These alerts are meant to raise the awareness of security teams so they can quickly contain and investigate the issues.


Containing and investigating the threat

As called out above, there are cases where Office 365 will automatically block the user’s ability to send further emails to contain the impact. While an alert is raised, the user is also put on a “restricted” user list, as shown in figure 5 below. Admins can then unblock the user’s ability after investigating the user and assessing impact of the compromise.


Figure 5: Users suspected of compromise and therefore restricted from sending email


O365 also offers recommendations to guide security teams through the process of unblocking a user manually. As shown in figure 6 below, specific recommendations are offered to check relevant user settings and activity logs to assess the potential impact of the breach. And specific remediation steps are recommended to ensure that the user is secured before re-enabling mail flow. O365 ATP P2 customers get the benefit of automation (covered in the next section), where these investigation steps are automatically carried out by the system.


Figure 6: Admin workflow for mitigating and containing compromised users detected by Office 365


Automating investigation and response

Office 365 ATP P2 customers get the added benefit of automation to help with quick investigation and response. When any of the above alerts are raised, they are automatically investigated using detailed, built-in playbooks to determine the scope, impact and cause of the attack. The playbook intersects signals from identity sources, mail flow, DLP and mailbox settings and other O365 events to investigate and analyze the alert.


Doing the analysis above quickly and comprehensively is critical to reducing the cost of breach to the organization and preventing data theft or exfiltration. And automating the process achieves this.


Figure 7: Office 365 ATP auto-investigation into user suspected of being compromised


Figure 7 above shows the automatic investigation results summary. The other tabs in the investigation offer more details. The ‘Alerts’ tab includes the other alerts aggregated into the investigation. The ‘Email’ tab includes details of how the automation looked for other emails matching the suspicious emails sent, to see if other users were impacted. The analysis also includes looking for the source of the compromise. The ‘Users’ tab highlights other user activity anomalies detected. All the detailed steps of the playbook are captured in the ‘Log’ tab.

These details capture a comprehensive analysis of the alert to determine cause, scope and impact. And offer ways for security teams to verify the investigation steps and results should they choose to. Best of all, because it is the system doing this analysis, it can save security teams a lot of time and effort.


The ‘Actions’ tab, shown in figure 8, captures the list of recommended actions for the security teams to take based on the investigation results. This gives security teams the opportunity to review the recommendations prior to taking action.


Figure 8: Office 365 ATP recommended response actions as a result of the investigation.


Try it for yourself!

These new updates are available in preview worldwide. If you’re not signed up for Office 365 Advanced Threat Protection, check it out here to experience the full security benefits and built-in protection, detection, response and automation capabilities of Office365 ATP.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Simplify compliance and reduce risk with Microsoft Compliance Score

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

More than half of risk management decision makers state that IT and cybersecurity risks are their biggest concern[1]. Amid all the challenges in risk management, identifying and assessing risks continue to be the most time-consuming tasks[2]. Many companies rely on manual and point-in-time assessments like annual auditing, which can quickly go out of date and expose companies to unidentified risks between audits. It’s more important than ever to equip IT professionals with the knowledge and tools to work across compliance and risk teams to effectively assess and monitor risks.


We are excited to announce the public preview of Microsoft Compliance Score, which helps you simplify compliance and reduce risks. Even if you are not an expert in complex regulations like GDPR, you can still quickly learn the actions recommended to help you progress toward compliance.

[Image: Microsoft Compliance Score helps demystify compliance and provides recommended actions that help reduce risk.]

With Microsoft Compliance Score, you can now continuously assess and monitor data protection controls, get recommendations on how to reduce compliance risks, and leverage the built-in control mapping to scale your compliance effort across global, industrial, and regional regulations and standards.


Continuously assess and monitor controls with a risk-based score

Microsoft Compliance Score can scan through your Microsoft 365 environments and detect your system settings, continuously and automatically updating your technical control status[3]. For example, if you configured a compliance policy for Windows devices in the Azure AD portal, Microsoft Compliance Score can detect the setting and reflect that in the control details. Conversely, if you have not created the policy, Microsoft Compliance Score can flag that as a recommended action for you to take. With the ongoing control assessment, you can now proactively maintain compliance, instead of reactively fixing settings following an audit.


[Image: Automated assessments help you continuously monitor your data protection controls.]

Improve your score with recommended actions and solutions

Microsoft Compliance Score provides you with improvement actions in different areas, such as information protection, information governance, device management, and more. This allows you to easily understand the contribution you are making towards organizational compliance by category. Each recommended action has a different impact on your score, depending on the potential risk involved, so you can prioritize important actions accordingly.


[Image: Score breakdown by category helps you identify categories that need more immediate attention.]

Risk managers and compliance professionals can assess controls using the assessments view, which shows you the scores of GDPR, ISO 27001, ISO 27018, NIST CSF, NIST 800-53, HIPAA, FFIEC, and more. To help you better prepare for new waves of privacy regulations coming in 2020, we have released the new California Consumer Privacy Act (CCPA) assessment. Microsoft Compliance Score helps make connections between each regulatory requirement and the solutions that can help you enhance your controls, thus increasing your overall score.

[Image: Microsoft Compliance Score provides more than 10 out-of-box assessments across global, regional, and industrial regulations and standards.]

Scale your compliance effort with built-in control mapping

With more than 220 updates every day from 1,000 regulatory bodies around the world, it’s overwhelming for organizations to keep up to date with the evolving compliance landscape. At Microsoft, we have a team of subject matter experts building out and maintaining a common control framework to scale our compliance effort. We are sharing this knowledge by building it into Microsoft 365 so you can scale your compliance program across global, industrial, and regional regulations and standards. With the built-in control mapping in Microsoft Compliance Score, when you implement one common control, the status and the evidence of the control will be automatically synchronized to the same control in other assessments, helping you reduce duplicate work.

[Image: Built-in control mapping helps you scale your compliance effort.]

Get started today

Microsoft Compliance Score is available to all Microsoft 365 and Office 365 enterprise licenses. You can sign up for a trial or navigate to the Microsoft 365 compliance center (compliance.microsoft.com) to get started today. You can learn more about Microsoft Compliance Score in this supporting document.


Compliance Score is a risk-based score that helps you simplify and automate risk assessments and provides recommendations to help you address risks. It does not express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls which can reduce the risks to personal data and individual privacy. Compliance Score should not be interpreted as a guarantee in any way.


[1] Integrated Risk Management (IRM) market landscape web survey, Gartner, May 2019 (n=500, buyers and influencers of IRM solutions, 1000+ employees)

[2] Deloitte’s 2019 survey of risk management

[3] Note that this functionality is currently available for a subset of the technical actions. Over the next few months, we will continue integrating more solutions to automate additional control assessments.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Leveraging AI and automation to quickly identify and investigate insider risks

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

I spent several years in the Microsoft internal digital security and risk organization helping to develop various programs to identify insider risks, threats and code of conduct policy violations in collaboration with our human resources (HR) and legal teams. The ability to identify these risks and policy violations and then take action to minimize the negative impact is a priority for organizations worldwide.
 
Modern workplaces offer innovative technology that employees love, empowering them to communicate, collaborate, and produce with agility. Trusting your employees is the key to creating a dynamic, inclusive workplace and increasing productivity. But, with trust also comes risk. In fact, a survey by Crowd Research Partners indicated that 90% of organizations feel vulnerable to insider risks and 53% confirmed insider risks against their organization in the previous 12 months.
We know from our own experience that it’s hard to maintain trust without the right visibility, processes and control. However, the effort required to identify these risks and violations is not trivial. Think about the number of people accessing resources and communicating with each other, as well as the natural cycle of people entering and leaving the company. How do you quickly determine what is an intentional risk vs. an unintentional one at scale? And how do you achieve this level of visibility, while aligning to the cultural, legal and privacy requirements in which you operate? For example, truly malicious insiders do things such as intentionally stealing your intellectual property, turning off security controls or harassing others at work. But there are many more situations in which an insider might not even know they are causing a risk to the organization or violating your policies, like when they’re excited about something new they’re working on and send files or photos to tell others about it.
 
Ultimately, it’s important to see the activities and communications that occurred in the context of intent, in order to take the right course of action. The only way to do this efficiently and at scale is by leveraging intelligence and machine learning, as human driven processes can’t keep up and aren’t always that accurate. Furthermore, a holistic solution to this problem requires effective collaboration across security, HR and legal, as well as a balanced approach across privacy and risk management.
 
Today I am excited to announce two new Microsoft 365 solutions, Insider Risk Management and Communication Compliance.  These solutions can help you and your organization to leverage intelligence to identify and remediate insider risks and code of conduct policy violations, while meeting regulatory requirements. 

 

Insider Risk Management
Insider Risk Management leverages the Microsoft Graph, security services and connectors to human resources (HR) systems like SAP, to obtain real-time native signals such as file activity, communications sentiment, abnormal user behaviors and resignation date.

 


 

A set of configurable playbooks tailored specifically for risks – such as digital IP theft, confidentiality breach, and HR violations – use machine learning and intelligence to correlate these signals to identify hidden patterns and risks that traditional or manual methods might miss. Using intelligence allows the solution to focus on actual suspicious activities, so you don’t get overloaded with alerts. Furthermore, display names for risky users can be pseudonymized by default to maintain privacy and prevent bias.
 
A comprehensive 360° view provides a curated and easy-to-understand visual summary of individual risks within your organization. This view includes a historical timeline of relevant in-scope activities and trends associated with each identified user. For example, you could see that a user submitted their resignation, downloaded some files and copied some of them to a USB device. The system also evaluates whether any of those files carried classification labels and whether they contained sensitive information. With the right permission, the files accessed from Microsoft cloud resources like SharePoint Online can also be made available for the investigator to view, which further helps with the risk determination. Having all this information at your fingertips allows you to quickly decide whether the risk warrants further investigation, saving you considerable time.

 


 

Finally, end-to-end integrated workflows ensure that the right people across security, HR, legal and compliance are involved to quickly investigate and take action once a risk has been identified. For example, if the risk was determined to be unintentional, you could send an email saying this is a violation of company policy with a link to training or the policy handbook. If the risk was determined to be malicious, you could open an investigation that would collate and preserve all the evidence collected, including the documents, and create a case for legal and HR to take appropriate actions.
 
Insider Risk Management is available as part of the Microsoft 365 E5 suite and is currently in limited private preview. You can sign up for an opportunity to participate here.

 

Communication Compliance
Communication Compliance is a brand-new solution that helps all organizations address code-of-conduct policy violations in company communications, while also helping organizations in regulated industries meet specific supervisory compliance requirements. Communication Compliance supports a number of company communications channels, including Exchange email, Teams, Skype for Business Online, Twitter, Facebook and Bloomberg instant messages.

 

Organizations need to be able to investigate potential violations efficiently and take remediation action that is adequate under local regulations. To go beyond matching specific words and phrases, we provide three out-of-the-box machine learning models that identify physical violence, harassment and profanity. You can also build your own trainable classifiers that understand meaning and context unique to your organization's needs, such as insider trading or unethical practices, freeing you from a sea of false positives.

 

Once a violation has been flagged and the designated supervisor is alerted, it is important that the review process enables them to efficiently act on violations. Communication Compliance includes features such as historical user context on past violations, conversation threading and keyword highlighting, which together allow the supervisor to quickly triage the violation and take the appropriate remediation actions.

 


 

The interactive dashboard provides an effective way to manage the growing volume of communications risks and ensure violations aren't missed. Proactive intelligent alerts on policy violations requiring immediate attention allow the supervisor to prioritize and focus on the most critical violations first. In addition, violations, actions and trends by policy provide a quick view of the effectiveness of your program.

 


 

The Financial Industry Regulatory Authority (FINRA) Rule 3110 is a good example of a requirement for regulated organizations to have solutions in place to detect violations in communications. For example, safeguarding against potential money-laundering, insider trading, collusion or bribery activities between broker-dealers is a critical priority. For organizations in regulated industries, Communication Compliance provides a full audit of review activities and tracking of policy implementation to help you meet the regulatory requirements you may be subject to.

 

Communication Compliance is available today as part of the Microsoft 365 E5 suite, and you can sign up for a trial or navigate to the Microsoft 365 Compliance Center to get started today. 

 

We encourage customers who are currently using Supervision in Office 365 to use the new Communication Compliance solution to address your regulatory requirements with a much richer set of intelligent capabilities.

 

Thank you,

Talhah Mir, Principal Program Manager, Microsoft 365 Security and Compliance Engineering

Integrated and intelligent data governance with Microsoft 365

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Organizations are rapidly embracing digital transformation, and as a result the amount of data generated is growing exponentially across environments and endpoints. As data continues to grow, organizations are challenged with the lack of information protection and governance solutions across on-premises, cloud and hybrid environments. According to Gartner, approximately 80% of the data in organizations is unstructured, not classified, protected, or governed, with little visibility into what is happening with their sensitive and business critical data. As a result, organizations are forced to use traditional and fragmented information protection and governance solutions that work in silos and are not designed to be scalable. This makes it challenging to not only protect and govern data efficiently, but also to navigate through the ever changing compliance requirements.

 

The Information Governance capabilities from Microsoft 365 help you in this journey by providing a unified solution that integrates data from heterogeneous environments, intelligently classifies data with machine learning capabilities, provides remediation and enables records management to meet regulations. This helps users and organizations to intelligently govern data across their environment to reduce risk, thereby easing the path towards meeting compliance needs.

 


 

Automation at scale

Not all information is created equal and every organization on the planet has data that is unique to them, whether these are contracts, invoices, or customer records. Organizations need to review, classify and assign policies in a way that is automated and scalable. Today, we are excited to announce the public preview of trainable classifiers that will harness the power of machine learning capabilities to help you detect and classify data in your organization. We have ‘built-in’ classifiers to detect resumes, offensive language, or source code. You can also create your own classifiers by providing sample data to look for information that is unique to your organization, such as customer records, HR data, contracts, etc.

 


 

At preview, these trainable classifiers can be used with retention labels to help you automatically apply the associated retention or deletion policy. Let us know what you would like to see next in this exciting space through UserVoice.

 


 

Integrated with data within and beyond Microsoft 365

Having your information where it can be easily discovered, retained and purged is critical to meeting your compliance needs and reducing risk. Microsoft 365 compliance center provides streamlined capabilities that allow you to set policies across services.

 


 

Today, you already have options for bringing your data into Microsoft 365 through both PST email import and the SharePoint migration tool. This year, we have further broadened the data ingestion capabilities by introducing native connectors to third-party systems. This set of connectors lets you import relevant information from corporate accounts on social media, instant messaging and document collaboration platforms into the Microsoft cloud to meet numerous compliance requirements.

 


 

Today, we are announcing the public preview of the native connectors gallery within the Microsoft 365 compliance center to discover and manage data from Instant Bloomberg, LinkedIn, Twitter and Facebook. These data connectors benefit Microsoft Information Governance, and a broad set of other solutions from Information Protection to eDiscovery, and we will continue to enhance their scope to include more categories of data outside of Microsoft 365.

 

Meet legal and regulatory requirements with Records Management

For business critical or sensitive data, your organization requires specific workflows to manage regulatory and legal record-keeping compliance. Records Management in Microsoft 365 gives you the ability to manage your complex records retention and disposition workflow efficiently.

 


 

The Records Management solution is currently in public preview. It lets you onboard and manage complex retention schedules, declare items as immutable records and automate retention based on events. Today, we are excited to announce the public preview of trainable classifiers integrated into Records Management to help categorize your records.

 

Today, we are also rolling out new records versioning capabilities for SharePoint Online which enables continuous record declaration on selected versions of a single document. This capability unlocks collaboration on records while maintaining the necessary immutability required by policies and regulations.

 


 

The new capabilities in Information Governance and Records Management enhance the already rich set of features available in Microsoft 365, including auto-expanding email archive, retention policies, retention labels, disposition review and more. 

 

Information Governance and Records Management solutions are part of the broader set of capabilities in Microsoft Information Protection and Governance. Get access to the new features with the Microsoft 365 E5 trial at https://aka.ms/M365E5ComplianceTrial or navigate to the Microsoft 365 Compliance Center to get started.

Manage eDiscovery for Teams – Announcing conversation reconstruction and more

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Reconstruct conversations to provide context for chats

We are excited to announce that the new conversation reconstruction capability is now generally available in Microsoft 365 Advanced eDiscovery. This capability threads Microsoft Teams messages into conversations, allowing you to efficiently review and export complete dialogues with context, not just individual messages.

 

Automatically identify and preserve chat content based on people of interest

Today, when you add people of interest (custodians) in Microsoft Advanced eDiscovery, the system can automatically identify these people’s Exchange mailboxes, OneDrive for Business accounts, SharePoint sites, and Teams in which they are members. Through this, you can easily identify the locations where the relevant Teams content may be stored and place a legal hold on it.

 


 

Review chat content with context

With our new built-in conversation reconstruction capability, you can identify relevant chats by using targeted queries and include contextual messages in your collection. You will no longer need to run multiple searches to understand the context surrounding your search results.

 


 

Messages in conversations are processed individually but displayed in a conversation view. You can annotate, tag, and redact messages inside a chat conversation, instead of in individual messages. This makes the review process much more intuitive.

 

Export conversations, not just individual messages

Chats can be exported as threaded conversations or as individual messages. You can choose the format that integrates better with your downstream processes. Regardless of your export format, your export will include all the metadata unique to each message such as sender, time sent, etc. You also have the option to export all your case work on the content, including tags and redactions.

 


Smart tag to intelligently detect attorney client privileged communications

A major and costly aspect of the eDiscovery process is reviewing documents to identify privileged content. We are thrilled to announce the smart tag feature to make this process more intelligent and efficient.

 

The new smart tag capability leverages a pre-trained machine learning model to identify attorney client privileged communications. Once enabled, Advanced eDiscovery will analyze your documents and let you instantly search, identify, and tag potentially privileged documents.


 

eDiscovery for Yammer to broaden services coverage

We are excited to let you know that eDiscovery for Yammer is coming soon! We will support hold, search, review and export of Yammer content natively in Advanced eDiscovery by the end of calendar year 2019.

Get started today

If you have the Microsoft 365 E5 suite, you have access to all features in this announcement. Simply navigate to the Microsoft 365 Compliance Center to get started.

If you do not have the Microsoft 365 E5 suite yet, sign up today for a trial!

Visit the following resources to learn more about eDiscovery in Microsoft 365

 

Misha Desai, Program Manager 2, Microsoft 365 Security and Compliance Engineering 

 

 

Introducing remote deployment guidance for Microsoft Defender ATP and Office 365 ATP

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Microsoft Defender ATP and Office 365 ATP are two critical components of the suite of Microsoft security products that work seamlessly together to provide protection across the entire attack kill chain, using built-in intelligence from the Microsoft Intelligent Security Graph to protect identities, email, applications, endpoints, and data from evolving threats.

 


 

At Microsoft, we are fully committed to helping customers realize the value of our Microsoft 365 security solutions by deploying them more quickly to address their business needs. FastTrack is responsible for making this commitment a reality by advising and supporting customers during the deployment of their technologies. We are now expanding the support we already provide for securing identities to email and endpoints with remote deployment guidance for customers that want to leverage advanced tools to secure their email and endpoints. Together, identity, email and endpoints represent the three most common entry points for attackers.

 

Microsoft FastTrack enables customers to deploy Microsoft 365 security solutions at no additional cost for eligible subscriptions in North America. FastTrack has an engagement model built on learnings and expertise gained through engineering work with more than 60,000 customers since 2014. We use and share these best practices as part of a deployment process that enables customers to onboard to new services quickly and reliably.

 

The FastTrack team provides remote guidance, engaging directly with customers or partners. This is an ongoing benefit throughout the life of the subscription, delivered by Microsoft and approved partners.

 

This service is initially available in English only. Worldwide availability and additional language support is scheduled for early 2020.

 

To request assistance, visit www.microsoft.com/FastTrack.

Introducing new videos on security and risk fundamentals of the Microsoft cloud environment

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

We are excited to announce some great new videos to help you familiarize yourself with the Microsoft Cloud security, privacy and risk practices!

If you are performing risk and security assessments you could benefit from these videos to learn how Microsoft is managing risks appropriately to ensure your customer data is secure and protected.

A Cloud Adoption Risk Assessment requires a thorough understanding of your Cloud Service Provider (CSP)’s security, privacy, and risk practices. These videos are designed to help you understand how Microsoft deploys a “defense in depth” strategy to secure hardware, software, and processes to safeguard customer data. 

Every business has different needs along their journey to the cloud and these videos are a great way to easily get information regarding the fundamentals of our cloud environment.

We have six videos in all, and they can be found on Microsoft Office 365 YouTube Channel:

 

[Screenshot: YouTube playlist]

•           Microsoft Online Services Incident Management – This video will walk you through how Online Services investigates, manages, and responds to security concerns so that customers’ data is secure and protected.

•           Microsoft Online Services Continuity Management – This video will walk you through how Online Services anticipates, plans for, and addresses failures at the hardware, network, and datacenter levels.

•           Office 365 Security Development and Operation – This video will walk you through how Online Services combines holistic and practical approaches, including the Security Development Lifecycle (SDL), to reduce the number and severity of vulnerabilities.

•           Office 365 Access Controls – This video will walk you through how Online Services operates under the principle of Zero Standing Access, meaning our personnel, by default, never have standing access to customer data; learn the ins-and-outs of access, including the varying types of customer accounts and the limits to access.

•           Office 365 Vulnerability Management – This video will walk you through how Online Services employs vast resources to stop attackers from compromising the integrity, availability, or confidentiality of services.

•           Office 365 Audit Logging and Monitoring – This video will walk you through how Online Services provides many capabilities to evaluate and strengthen the security posture of customer-managed environments; learn about services and features such as security auditing, logging, and reporting.

 

More resources can be found on Service Trust Portal.

Announcing ServiceNow, Microsoft Teams and Planner integration with Microsoft Secure Score

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

It seems like just yesterday it was July and we were at Microsoft Inspire talking to partners about Microsoft Secure Score. Like years past they had a ton of ideas to share but one request was nearly universal between them. That request was the ability for security administrators to more easily assign secure score related Improvement Actions to co-workers for investigation, implementation, and remediation.

 

This is a scenario that partners and customers alike have asked about for some time, so we’re excited to announce the general availability of Microsoft Secure Score integration with ServiceNow, Microsoft Teams and Microsoft Planner. With it, security administrators can create tickets and tasks, and send messages, directly from the Microsoft Secure Score experience.

 

Introducing the new Share experience

Microsoft Secure Score is all about improving your security posture by implementing recommendations and best practices that we call Improvement Actions (e.g. Do not allow the use of email forwarding rules to external domains). The more Improvement Actions an organization implements, the better its score and the more resistant it will be to attacks.

 

[Screenshot: Microsoft Secure Score]

 

In the previous version of the Microsoft Secure Score experience, as administrators identified interesting Improvement Actions they would need to switch to another application if they wanted to create a ticket and assign it for follow-up. Now with ServiceNow, Microsoft Planner and Microsoft Teams integration into Microsoft Secure Score this experience has been streamlined and automated.
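The two paragraphs above treat Improvement Actions as the unit of work: each is worth points toward the score, and the Share experience hands one to a co-worker as a ticket. The following script is an added example, not code from the original post or from Microsoft. It joins a Secure Score snapshot to the control profiles to find the actions with points still to gain, checks that the per-control gaps reconcile with the overall score (so the ranking is not built on a stale profile list), and drafts the fields for a ServiceNow incident. Field names follow the Microsoft Graph secureScore and secureScoreControlProfile resources; the two JSON payloads are constructed samples with illustrative control names, the share link is a placeholder, and the gap-to-priority mapping is this example's own convention.

```python
"""Rank Secure Score improvement actions by points still to gain and draft
the fields to hand one off as a ServiceNow ticket.

Added example, not code from the original post. Field names follow the Graph
secureScore (currentScore, maxScore, controlScores[].controlName/score/
controlCategory) and secureScoreControlProfile (id, title, maxScore,
implementationCost, userImpact) resources; both payloads below are
constructed samples and the gap-to-priority mapping is this example's own.
"""
import json

# Constructed sample of the most recent GET /security/secureScores entry.
SECURE_SCORE_JSON = """
{
  "currentScore": 18.0,
  "maxScore": 40.0,
  "controlScores": [
    {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 10.0},
    {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity", "score": 0.0},
    {"controlName": "MailboxForwardingRules", "controlCategory": "Apps", "score": 8.0}
  ]
}
"""

# Constructed sample of GET /security/secureScoreControlProfiles (trimmed).
CONTROL_PROFILES_JSON = """
{
  "value": [
    {"id": "AdminMFAV2", "title": "Require MFA for administrative roles",
     "maxScore": 10.0, "implementationCost": "Low", "userImpact": "Moderate"},
    {"id": "BlockLegacyAuthentication", "title": "Block legacy authentication",
     "maxScore": 20.0, "implementationCost": "Moderate", "userImpact": "Moderate"},
    {"id": "MailboxForwardingRules",
     "title": "Do not allow the use of email forwarding rules to external domains",
     "maxScore": 10.0, "implementationCost": "Low", "userImpact": "Low"}
  ]
}
"""


def unrealized_actions(score_json, profiles_json):
    """Join the score snapshot to the control profiles.
    Returns (actions with a positive gap, largest first) and the names of
    controls that were scored but have no profile, so nothing is dropped silently."""
    score = json.loads(score_json)
    profiles = {p["id"]: p for p in json.loads(profiles_json)["value"]}
    actions, unknown = [], []
    for control in score["controlScores"]:
        profile = profiles.get(control["controlName"])
        if profile is None:
            unknown.append(control["controlName"])
            continue
        gap = profile["maxScore"] - control["score"]
        if gap > 0:
            actions.append({
                "control": control["controlName"], "title": profile["title"],
                "category": control["controlCategory"], "score": control["score"],
                "max_score": profile["maxScore"], "gap": gap,
                "implementation_cost": profile["implementationCost"],
                "user_impact": profile["userImpact"],
            })
    actions.sort(key=lambda a: (-a["gap"], a["title"]))
    return actions, unknown


def reconcile(score_json, actions):
    """Check that the per-control gaps add up to maxScore - currentScore.
    A mismatch means the profile list and the snapshot are out of step
    (a control missing a profile, or a profile the snapshot never scored)."""
    score = json.loads(score_json)
    expected = score["maxScore"] - score["currentScore"]
    total = sum(a["gap"] for a in actions)
    return {"sum_of_gaps": total, "expected": expected,
            "consistent": abs(total - expected) < 1e-6}


def ticket_fields(action, share_link):
    """Draft a ServiceNow incident: short_description, description, priority
    and category are standard incident columns (1 = Critical ... 5 = Planning).
    Deriving priority from the gap is this example's convention."""
    priority = 2 if action["gap"] >= 10 else 3 if action["gap"] >= 5 else 4
    description = (
        f"Control {action['control']} ({action['category']}) is worth "
        f"{action['gap']:g} more points (currently {action['score']:g} of "
        f"{action['max_score']:g}). Implementation cost: "
        f"{action['implementation_cost']}; user impact: {action['user_impact']}.\n"
        f"Improvement action: {share_link}"
    )
    return {"short_description": f"Secure Score: {action['title']}",
            "description": description, "priority": priority, "category": "Security"}


if __name__ == "__main__":
    actions, unknown = unrealized_actions(SECURE_SCORE_JSON, CONTROL_PROFILES_JSON)
    print(reconcile(SECURE_SCORE_JSON, actions), "unsized controls:", unknown)
    for action in actions:  # the link would be the action's Copy Link URL; placeholder here
        print(json.dumps(ticket_fields(action, "https://example.invalid/improvement-action"), indent=2))
```

Run the script as is to see the ranked list and the drafted tickets. Against a real tenant, replace the two constants with the most recent entry from GET /security/secureScores and the full response of GET /security/secureScoreControlProfiles on Microsoft Graph (both need the SecurityEvents.Read.All permission). Keep the reconcile() check: if the profile list and the snapshot disagree, the ranking is built on stale data and should not be handed out as tickets.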

 

“From the very beginning, ServiceNow’s Now Platform was built to help digitize workflows and make work, work better for people,” said Matt Schvimmer, Vice President and General Manager of IT Service Management (ITSM) at ServiceNow. “The integration of ServiceNow’s ITSM capabilities with Microsoft Secure Score helps customers address one of the biggest challenges they face, which is maintaining and maximizing their security posture.”

 

To take advantage of the new functionality you will use the new Share button which has been added to the upper right hand side of the Improvement Action’s details page.

 

[Screenshot: Share button on the Improvement Action details page]

 

When the administrator selects the Share button, they are given several options: Copy Link, Email, Microsoft Teams, Microsoft Planner and ServiceNow.

 

[Screenshot: Share menu options]

 

The ServiceNow option is the first example of Microsoft 365 security center integrating with a third-party product, and it makes creating tickets in ServiceNow very easy. Most of the fields are completed automatically, and you can edit fields such as priority and due date before submitting the ticket.

 

[Screenshot: ServiceNow ticket form]

 

Of course, once a Microsoft Secure Score related ServiceNow ticket has been created, security administrators will want to track its status directly from Microsoft 365 security center. To address this need, we’ve added a card that lets you view a Microsoft Secure Score scoped list of ServiceNow tickets.

 

[Screenshot: ServiceNow tickets card]

 

Creating tasks in Microsoft Planner and sending messages to a team in Microsoft Teams is just as easy. To create a task in Microsoft Planner just select the Microsoft Planner option from the Share menu, update any fields as necessary, and then select the Create Planner Task button to create it.

 

[Screenshot: Create Planner task]

 

To post a message to a team in Microsoft Teams, use the same process after selecting the Microsoft Teams option from the Share menu.

 

[Screenshot: Post to Microsoft Teams]

 

In addition to the options just mentioned we also added a Copy Link option that administrators can use to copy a link to an Improvement Action’s details page directly into the clipboard. From here it can be pasted in documents and other resources.

 

[Screenshot: Copy Link]

 

Finally, there is the Email option which enables administrators to automate the process of adding a link to a specific Improvement Action to a draft email.

 

[Screenshot: Email option]

 

How to Integrate Microsoft Planner and Microsoft Teams with Microsoft Secure Score

One of the beauties of using cloud-based Microsoft products is that much of the integration happens automatically in the background. In the case of Microsoft Planner and Microsoft Teams there is nothing for you to set up.

 

How to Integrate ServiceNow with Microsoft Secure Score

For ServiceNow there is a series of steps that must be completed before Microsoft 365 Security Center and ServiceNow can communicate with one another.

 

The first thing you need to do is install the Security and Compliance Connector for Microsoft 365 from the ServiceNow Store. You can find it by searching for “365”. From here choose the Install button to enable the connector within your ServiceNow instance.

 

[Screenshot: ServiceNow Store search for the connector]

 

Once installed, the connector must be configured so that it can communicate with Microsoft 365 services. To locate the configuration experience for the connector type “365” in ServiceNow’s Filter navigator which can be found on the left-hand side of its navigation experience. From here select Microsoft 365 Connector and then the Installation Checklist option in the navigation.

 

[Screenshot: Installation Checklist menu]

 

Once the Installation Checklist option has been selected you will be asked to complete a series of steps. The first step is to Create an OAuth Endpoint. To complete this step, copy the redirect URLs shown in the ServiceNow user interface to your clipboard (see the image below for an example of the text you need to copy). Next select the Create OAuth Endpoint button.

 

[Screenshot: Create OAuth Endpoint step with redirect URLs]

 

Next you will complete the OAuth Endpoint form to define the connection to your Microsoft 365 services. The Name, Client ID and Client Secret fields are completed automatically. To simplify things later, change the Name field to “Microsoft 365 Connector”. Then paste the redirect URLs you copied in the previous step into the Redirect URL field.

 

[Screenshot: OAuth Endpoint form]

 

Next choose the Submit button to complete the OAuth Endpoint form and Step 1 of the process. Once it has been successfully submitted, the Microsoft 365 Installation checklist will indicate that it is complete, as shown in the image below.

 

[Screenshot: Installation checklist with Step 1 complete]

 

For Step 2 you will create a user account in ServiceNow called an ‘Integration user’. This is the account that Microsoft 365 security center will use to connect to your ServiceNow instance. This account is created with the minimum set of privileges necessary for Microsoft 365 security center to create and manage the tickets it adds to ServiceNow. Enter a username and a strong, unique password in the Username and Password fields; you will need them again in a later step, and since this is a service credential rather than a person’s login, store it in your secrets vault rather than reusing an existing password.

 

[Screenshot: Integration user step]

 

Next choose the Create user button to complete Step 2. Once the account has been successfully created, the Microsoft 365 Installation checklist will indicate so, as shown in the image below.

 

[Screenshot: Installation checklist with Step 2 complete]

 

For Step 3 you will authorize Microsoft 365 security center to connect to ServiceNow using the Microsoft 365 Security and Compliance Connector.

 

To do this, type “OAuth” in ServiceNow’s Filter navigator on the left-hand side. Next click the Application Registry option in the menu. From there select the name of the OAuth Endpoint you created in Step 1 to open its details page; if you renamed it as instructed, it will be “Microsoft 365 Connector”.

 

[Screenshot: Application Registry list]

 

From the details page take note of the Client ID and Client Secret, as you will need them in a later step to configure Microsoft 365 security center to communicate with ServiceNow. Treat the client secret as a credential: together with the integration user it grants ticket-creation access to your instance, so keep it in a password manager or secrets vault rather than in notes or email.

 

[Screenshot: OAuth Endpoint details with Client ID and Client Secret]

 

Next log out of ServiceNow and log back in with the Integration user account created during Step 2 to confirm that it works.

 

Now that the ServiceNow side is configured, it’s time to set things up on the Microsoft 365 security center side. Log on to Microsoft 365 security center and scroll down the page until you see the ServiceNow card. Next select the Connect to ServiceNow button.

 

[Image: ServiceNow card in Microsoft 365 security center]

 

Once on the Provisioning ServiceNow page you will find that you have already completed Steps 1-3 so you can skip down to Step 4. All you need to do at this point is input the values for Client ID and Client Secret that we asked you to take note of during Step 3. From here enter the URL for your ServiceNow tenant into the Instance Name field. Next select Authorize to allow Microsoft 365 Security center to connect to your ServiceNow instance.

 

[Image: Provisioning ServiceNow page]

 

Once authorization is complete you will be prompted to log in to ServiceNow. Please use your Integration user login and password here.

 

[Image: ServiceNow login screen]

 

Once completed you will be brought to a ServiceNow screen where you will click Allow.

 

[Image: ServiceNow Allow screen]

 

Once Allow has been selected you will be brought to a Permissions requested page to accept permissions.

 

[Image: Permissions requested page]

 

Once you Accept the permissions request, you will be brought back to the Provisioning ServiceNow page where you will have the option of mapping Microsoft 365 Security center ticket states to those from ServiceNow. For instance, for the Select which states represent completed change requests option, select the options that make the most sense for your organization. Do the same for the Select which states represent completed incidents option.

 

[Image: Connect to ServiceNow state mapping]

 

Once done select the Save button and you’ll be ready to start creating Microsoft Secure Score related tickets directly in ServiceNow.

 

Wrapping it up

So, there you have it – a quick introduction to our new Microsoft Secure Score integration with ServiceNow, Microsoft Planner and Microsoft Teams, along with the step-by-step instructions you’ll need to get everything operational within your environment.

 

We encourage you to start taking advantage of this new functionality at the earliest opportunity, and we look forward to hearing your feedback. More information on Microsoft Secure Score and ServiceNow integration can be found at Microsoft Docs and Managing tickets through ServiceNow respectively.


The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Improve your Cloud Security posture with Microsoft Secure Score

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Microsoft Secure Score provides you with a prioritized list of the key controls you can enable to improve the security posture of your environment. The recommendations and best practices it suggests include those from across Microsoft 365 Security and Azure. Microsoft Cloud App Security is a Cloud Access Security Broker (CASB), a new generation of security solution that is essential to any modern security strategy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across cloud, on-premises and custom apps.

To ensure that customers enable key use cases to detect cloud-native attacks and protect against risky apps in their environment with Microsoft Cloud App Security, we will explore the top 5 most impactful Cloud App Security related Improvement Actions that Microsoft Secure Score has to offer. These will allow you to get the most out of your CASB investment and up-level the security for all your cloud apps, whether they’re Microsoft or 3rd party apps.

 

Get started with these top 5 Improvement Actions for Microsoft Cloud App Security

To maximize Microsoft Cloud App Security’s impact on your overall security posture, here are five of the top improvement actions you should start with:

  1. Use Cloud App Security to detect anomalous behavior
  2. Create a custom activity policy to discover suspicious usage patterns
  3. Discover Shadow IT and application usage
  4. Set automated notifications for new and trending cloud applications in your organization
  5. Review permissions & block risky OAuth applications connected to your environment

 

Use Cloud App Security to detect anomalous behavior

Designed with security professionals in mind, Microsoft Cloud App Security makes it easy to get started. It’s designed for simple deployment, centralized management, and innovative automation capabilities. When you turn on the Cloud App Security console you can easily connect your apps and instantly leverage numerous built-in threat detection policies. They enable you to detect insider threats, compromised accounts and brute force attempts. In addition, Microsoft Cloud App Security provides risk scores for all of the users in your organization, which enables the Security Operations team to prioritize their investigations.

 


 

Create a custom activity policy to discover suspicious usage patterns

Activity policies enable you to monitor suspicious user activities and be alerted on policy violations such as downloading a large number of files in a short period of time or sharing sensitive files with external users. Microsoft Cloud App Security also allows you to take manual remediation actions or set up automatic remediation to lighten the workload on your SecOps team.

 

Discover Shadow IT and application usage

In today’s modern enterprises, apps run the workplace. While we see an average of 129 IT-managed applications, our CASB discovery data shows that the total number of apps accessed by employees in large organizations exceeds 1,000. In Microsoft Cloud App Security, you have several options to activate the discovery of Shadow IT: single-click enablement via Microsoft Defender Advanced Threat Protection, leveraging logs from your firewall, or using an existing Secure Web Gateway. Once discovered, Microsoft Cloud App Security assesses all apps against more than 90 risk and compliance factors and allows you to manage future access.

 


Set automated notifications for new and trending cloud applications in your organization

The initial discovery and assessment of the apps in your organization can be time-consuming depending on how many apps are in use. To ensure you can stay on top of the Shadow IT in your organization, it is recommended to implement continuous monitoring. Microsoft Cloud App Security allows you to set up policies to be alerted when new, risky or high-volume apps are discovered in your environment, so you can immediately evaluate and manage them according to the requirements of your organization.

 


 

Review permissions & block risky OAuth applications connected to your environment

OAuth is a web-based industry standard protocol that enables users to grant web apps access to their accounts and data without sharing their credentials. The use of OAuth in enterprises is increasing as a result of the continued adoption of cloud-based solutions. While extremely convenient, OAuth introduces a new threat vector to the security of organizations and enables potential back doors into corporate environments when malicious apps are authorized.

Microsoft Cloud App Security enables you to identify all OAuth apps that have been authorized against your corporate apps such as Office 365, G Suite and Salesforce, evaluate their risk and ban them if necessary. You can find additional details in this blog post.

 


Wrapping It Up

So, there you have it – a quick tour of the top Microsoft Secure Score related Improvement Actions in Microsoft Cloud App Security. Start using Microsoft Cloud App Security today to get better visibility into your cloud environment and take control of all your cloud apps. More information on Microsoft Cloud App Security and Microsoft Secure Score can be found at Microsoft Docs (Microsoft Cloud App Security and Microsoft Secure Score).

 

More info and feedback

  • Haven’t tried Microsoft Cloud App Security yet? Start a free trial today.
  • As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
  • For more resources and information on Microsoft Cloud App Security go to our website.


The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Sensitivity labeling now built into Office apps for Windows to help protect sensitive information

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Microsoft Information Protection solutions help you better protect your sensitive information, wherever it lives or travels – across devices, apps, cloud services and on-premises. Our goal is to provide a consistent and comprehensive approach to discovering, classifying, labeling and protecting sensitive data.

 

Earlier this year we released built-in sensitivity labeling in Office apps for Mac, iOS and Android. These capabilities enable users to easily apply sensitivity labels to documents and emails – based on the policies defined by your organization. The built-in labeling experiences are integrated directly into Office apps – there’s no need for any special plugins or add-ons.

 

We’re expanding to additional Office apps, and now sensitivity labeling is available in Office apps for Windows. With this release, end-user driven sensitivity labeling is now available in:

  • New! Office for Windows: Word, PowerPoint, Excel & Outlook
  • Office for Mac: Word, PowerPoint, Excel & Outlook
  • Office mobile apps for iOS: Word, PowerPoint & Excel (Outlook coming soon)
  • Office mobile apps for Android: Word, PowerPoint & Excel (Outlook coming soon)

The labeling experience in Office apps for Windows is similar to the labeling experience on other platforms – making it easy and familiar for your end-users. Once you define and configure your sensitivity labels and policies, the same labels are published out and made available across the supported Office apps.

 

The screenshots below show examples of the end-user experience in Office apps for Windows. Users select the Sensitivity drop-down menu to view the available labels and select the appropriate label. The experience is similar across Word, PowerPoint, Excel and Outlook.

[Image] Apply sensitivity labels in Office apps for Windows – your label policy will apply the configured protection actions, such as encryption, rights restrictions or visual markings.

 

[Image] Applying sensitivity labels in Outlook for Windows is a similar experience.

 

[Image] An email labeled “Highly Confidential” in Outlook for Windows gets encrypted, and headers & footers are applied.

Getting started

Similar to publishing labels for use in other Office apps, you need to first configure your organization’s sensitivity labels in the Office 365 Security & Compliance Center or the Microsoft 365 Compliance center. If your organization has sensitivity labels configured in the Azure portal for Azure Information Protection, you will first need to migrate your labels to the Microsoft 365 Compliance center, and then the labels can be used by the supported Office apps. You can find more information on migration steps here.

 

You can also learn more about sensitivity labels in our documentation, and additional details on supported Office apps are included in this article. Sensitivity labeling in Office apps for Windows is rolling out now to customers who have Office 365 E3 or E5 (built-in sensitivity labeling is supported on the Office 365 ProPlus version of Office), and the rollout is expected to be completed by the end of September or October, 2019.

    

We’re excited to expand sensitivity labeling to Office for Windows, enabling more comprehensive protection of sensitive information across your environment. We plan to release sensitivity labeling in the Office apps for the Web and Outlook mobile soon. Please check the Microsoft 365 roadmap for the latest information.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity