Register now for the Compliance pre-day at Microsoft Ignite on 11/3/2019

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Come join us for the Compliance pre-day event at Microsoft Ignite in Orlando, Florida on 11/3/2019! This interactive pre-day event will bring you together with leading industry peers, analysts, and partners who will share their views and best practices for protecting and governing sensitive data, handling internal risks, and responding to data compliance requests.

Agenda:

Click here to register for the “Compliance requirements: A practical guide to leveraging the capabilities in Microsoft 365” now.* We hope to see you there!

*Please note that you will have to register for Ignite prior to registering for the pre-day.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Introducing the new Microsoft Graph Security API add-on for Splunk!

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

A new add-on from Microsoft enables customers to easily integrate security alerts and insights from its security products, services, and partners in Splunk Enterprise. The new Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.

This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from the following Microsoft and partner solutions into Splunk using a single add-on and common schema, enabling easier correlation of data across these products:

1. Azure Security Center
2. Azure Active Directory Identity Protection
3. Microsoft Cloud App Security
4. Microsoft Defender Advanced Threat Protection
5. Azure Advanced Threat Protection
6. Office 365 Advanced Threat Protection
7. Azure Information Protection (preview)
8. Azure Sentinel (preview)
9. Palo Alto Networks

Note: Security products are continuously onboarded; Refer to the Microsoft Graph Security alerts providers table for the latest product list.

Since the new add-on extends support across a broader set of security products, it will replace the Azure Monitor add-on for Splunk as the preferred method for integrating with the Microsoft Graph Security API.

Getting Started

Follow these steps to install and configure the app. Refer to the documentation for more details.

1. Register your application for this Splunk add-on on Azure portal.
2. Configure permissions and be sure to add the SecurityEvents.Read.All permission to your application. Get your Azure AD tenant administrator to grant tenant administrator consent to your application. This is a one-time activity unless permissions change for the application.
3. Copy and save your registered Application ID and Directory ID from the Overview page. You will need them later to complete the add-on configuration process as illustrated below. Application registration
4. Generate an application secret by going to Certificates & secrets Save the generated secret as well for add-on configuration purposes.
5. In Splunk, click on Splunk Apps to browse more apps.
6. Search for ‘Microsoft Graph Security’ and install Microsoft Graph Security API add-on for Splunk
7. If Splunk Enterprise prompts you to restart, do so.
8. Verify that the add-on appears in the list of apps and add-ons as shown in the diagram below.  Microsoft Graph Security add-on for Splunk
9. Configure Microsoft Graph Security data inputs illustrated in the diagram below as per the detailed guidance in the installation documentation for this add-on. This add-on provides the capability to pre-filter your data by specific alert providers or by alert category or severity, etc. by specifying the OData Filter field as shown in the diagram below.  Add-on input configuration

10. Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.

11. If you have Splunk and relevant add-ons running behind a proxy server, follow the additional steps for Splunk behind a Proxy Server in the installation documentation for this add-on.

What’s Next?

We are working to enable support for this add-on on Splunk Cloud. We would love to hear your feedback on this add-on so that we can factor that before making it available on Splunk Cloud. Please share your feedback by filing a GitHub issue. 

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

New Exact Data Match (EDM) classification helps you better detect and protect sensitive information

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Office 365 Data Loss Prevention (DLP) enables you to create policies to help prevent the inadvertent or inappropriate sharing of documents and emails containing sensitive information. DLP policies can leverage a broad range of over 90 built-in sensitive information types to detect common data types, such as financial data, PII and health-related information. Organizations can also choose to create custom sensitive information types to detect information specific to their organization’s needs – based on patterns, supporting evidence (keywords such as employee, badge, ID, and so on), character proximity (how close evidence is to characters in a particular pattern), and confidence levels.

Exact Data Match (EDM) is a new capability that enhances custom sensitive information types to help accurately target detection of your exact and unique sensitive content. Exact Data Match (EDM) sensitive information types is designed to:

• be dynamic and refreshable
• be more scalable
• result in fewer false-positives
• work with structured sensitive data
• handle sensitive information more securely
• be used with several Microsoft cloud services

Example use cases

Example 1: A healthcare provider needs to prevent or block the sharing of medical records that contains patient information – especially to ensure that this information isn’t sent to external users. The organization configures an Exact Data Match (EDM) based sensitive information type to do exact match lookup based on their patient records.

A patient EDM sensitive information type is configured to detect content which matches patient SSN or Patient ID or medical record number, along with patient information (e.g. name, date of birth, phone number). Office 365 DLP policies are configured to block external sending of email if a patient EDM sensitive information type is found.

Example 2: A banking institution needs to prevent customer account numbers from being sharing outside of the organization’s boundary. They configure an Exact Data Match (EDM) based sensitive information type to do exact match lookup based on customer bank account records.

A customer account EDM sensitive information type is configured to detect account number, type of account and customer information (name, email address, phone number). Office 365 and Microsoft Cloud App Security DLP policies are configured to detect and block sharing of content that contains the customer account EDM sensitive information type.

Configure Exact Data Match

Exact data match configuration involves three key steps:

• Define the schema for Exact lookup data
• Update sensitive content used for Exact Lookup
• Create Exact Data Match sensitive type

We provide an EDM Upload Agent to enable indexing and secure upload of sensitive content, which supports:

• Authorization to ensure that only users with right permission can execute EDM lookup.
• to ensure that sensitive content used for lookup never exits the customer’s boundary.
• Uploads indexed file right Microsoft service instance.

Detailed steps to create Exact Data Match sensitive information types is located here.

Start using Exact Data Match

To start, Office 365 DLP for Exchange Online (email), OneDrive for Business (files), Microsoft Teams (conversations) and Microsoft Cloud App Security policies supports EDM sensitive information types.

EDM sensitive information types for the following are currently in development, but not yet available for  Office 365 DLP for SharePoint (files) and auto-classification of content for the purpose of applying sensitivity labels and retention labels.

For end-users, Office 365 DLP policy tips are useful to provide notifications that sensitive information has been detected and DLP policies are being applied. While this has been widely available on Office apps for DLP policies, support for EDM policy tips will start in Outlook for the web, and we intend to support policy tips in other Office apps in the future.

A policy tip in Outlook for the web notifies the user that a patient record was detected.

Getting started

As an advanced classification capability, Exact Data Match is included as an entitlement in the following subscriptions:

• Office 365 E5
• Microsoft 365 E5
• Microsoft 365 Compliance
• Office 365 Advanced Compliance

You must be a global admin, compliance administrator, or Exchange Online administrator to perform the tasks described in . To learn more about DLP permissions, see Permissions.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Check out the Microsoft Graph Security sample application!

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

It’s easy to build rich security applications using the Microsoft Graph Security API. We built one to help demo the capabilities and have shared the sample code on GitHub so you can use it to kick start development of your own security app!

The sample app is designed to showcase some of the key scenarios enabled by the Microsoft Graph Security API. As you’ll see, data from across the organization is surfaced – from both Microsoft and third-party security solutions, in one simple dashboard. Users can easily drill down into specific alerts to get additional information and context, update alert status and add tags, pivot to view related alerts for a specific user or device, view detailed information about security recommendations, and much more.

Check out the video to see the sample app in action and what additional capabilities are available in the Microsoft Graph Security API.

Getting Started

Follow the steps below to get access to this sample app and try it on your Azure Active Directory (Azure AD). Refer to the sample app documentation for further details on the steps summarized below.

1. Ensure prerequisites are set up before you download the sample code and build the app.
2. Register this app in your Azure AD to meet Microsoft Graph auth requirements.
3. Gain consent from your Azure AD administrator to view security data.
4. Build and run the sample.
5. Deploy the app to Azure.

Download the sample app from our GitHub repository and be sure to check out the documentation to get started today! Check out additional samples for more options to connect with the Microsoft Graph Security API. Please share your feedback by filing a GitHub issue.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Maximizing Your Security Posture with Azure ATP

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Our customers spend a lot of time and money on security solutions and very few of them are taking full advantage of the solutions they’ve deployed. Even fewer of them are deploying or maintaining these solutions correctly. Based on this it’s not surprising to see stats like “93% of all breaches could have been avoided if basic cyber hygiene had been in place” (Online Trust Alliance).

From my view the industry and even our customers have been overly focused on finding technological solutions with the hope they’ll will address the people and process issues that are the root cause of so many incidents. Here at Microsoft we recognize that technology alone can’t solve the problem and so we’re increasingly focusing on delivering solutions that provide integrated capabilities on all three fronts.

Microsoft Secure Score is a perfect example of this. With it we can help you take full advantage of the Microsoft 365 security solutions you’ve deployed while at the same time helping you validate that they’ve been configured correctly.

Using Microsoft Secure Score to Amp Your Security Posture for Identity

As you’re probably aware of, when an organization suffers from a cyber-attack one of the first things attacks will target are user identities. By brute forcing passwords and then using lateral movement techniques to move across an organization, attackers can achieve their targeted goals. This is where Azure ATP comes in.

Azure ATP constantly monitors your domain controllers for identity-based threats, attacks and security posture issues by capturing and parsing network traffic and leveraging Windows events. From here it then analyzes the data utilizing profiling, deterministic detection, machine learning and behavioral algorithms that enable it to learn your network, detect anomalies and warn you of suspicious activities.

To maximize Azure ATP’s potential to catch anomalous identity related activities and to lower your time-to-resolve them we need to ensure that Azure ATP is fully configured and to do this you can use Microsoft Secure Score to surface a series of configuration checks.

Top 5 Most Impactful Improvement Actions to Prioritize

To maximize Azure ATP’s impact on your overall identity security posture, here are five improvement actions that many will find they can get done in a single day:

1. Install Azure ATP Sensor on all Domain Controllers
2. Set a honeytoken account
3. Configure VPN integration
4. Configure Microsoft Defender ATP Integration
5. Fix Advanced Audit Policy issues

Install Azure ATP Sensor on all Domain Controllers

It may seem trivial, but our telemetry shows that in complex environments IT sometimes struggle to verify that all of their domain controllers are monitored by Azure ATP. This improvement action leverages Azure ATP’s knowledge of your network to pinpoint the domain controllers that you may have missed or were added after Azure ATP’s initial setup. Make this the first Improvement Action to improve your security posture with Azure ATP.

Set a honeytoken account

Setting a honeytoken account(s) is a great way to help expose malicious actors . A honeytoken account, like one temptingly named “SuperAdmin”, is a real account that is used as bait to lure attackers into exposing their presence and activities. Any authentication attempts associated with these accounts will trigger an Azure ATP security alert enabling you to catch attackers in the act.

Configure VPN integration

A user’s VPN related activity can prove interesting for investigation purposes and once the “Configure VPN integration” improvement action has been implemented your SecOps team will be armed with information that will help them expedite their incident response activities. Once configured Azure ATP will start collecting VPN connection data (e.g.: IP addresses and locations where connections originated) which will be exposed in user profile pages within the Azure ATP  .

Configure Microsoft Defender ATP Integration

Azure ATP easily integrates with Microsoft Defender ATP to help provide a more end to end threat protection solution. Azure ATP monitors the traffic on your domain controllers, Microsoft Defender ATP monitors your endpoints – together they provide an integrated experience to completely protect your  . For example, Azure ATP will alert on remote execution of malicious code targeting domain controllers from a compromised device. From here an analyst can pivot to detailed device level information from Microsoft Defender ATP that enables the analyst to determine where it the malicious code came from, how it executed, etc.

Fix Advanced Audit Policy issues

Azure ATP detection relies on specific Windows Event Logs for visibility into a variety of scenarios, such as NTLM logons and security group modifications. To enable Azure ATP to monitor these events on your domain controllers the “success” and “failure” audit event options should be enabled in the Audit Credential Validation and Audit Security Group Management policies. These policies can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

Wrapping It Up

So, there you have it – a quick tour of the top improvement actions for Azure ATP. As you can likely tell from the list, implementing them will have no negative impact on your users and each of them can be quickly enabled. Start using Microsoft Secure Score today to see how you maximize your security posture and squeak each and every ounce of capability out of your Microsoft 365 security solutions. More information on Azure ATP and Microsoft Secure Score can be found at Microsoft Docs (Azure ATP and Microsoft Secure Score).

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Microsoft Secure Score at Inspire: Partner Opportunities

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Last week was an exciting time in Las Vegas where we hosted our largest annual partner networking event for thousands of Microsoft Partners from more than 130 countries. This was particularly true for Microsoft Secure Score where we spoke to an audience of well over 100 partners to demonstrate how it can help them grow their businesses.

At Microsoft Inspire 2018, Microsoft Secure Score was a relatively new feature and many partners at the event were learning about it for the first time. Since then much has changed. Customer and Microsoft Partner awareness has reached critical mass and adoption and usage has ramped significantly.

New Microsoft Secure Score Location and Layout

Much of this occurred when Microsoft 365 security center reached general availability and became the new centralized experience for security administrators. This new console also became the new home for Microsoft Security Score which dramatically enhanced its discoverability. Prior to this change, the Microsoft Secure Score experience was several clicks deep in the Office 365 Security & Compliance portal. Below is a view of the new Microsoft 365 Security Center which is where Microsoft Score is now located.

In addition, we released a completely revamped user experience in March 2019 to improve usability and create a more action oriented experience for users. With these changes we saw utilization of Microsoft Security Score triple by the end of April and it’s continued to rise from there.

In the image below you’ll see the new Microsoft Secure Score interface. The product-based donut scores from before have been removed and we aligned its organization around the Microsoft Threat Protection model which includes five pillars: Identity, Data, Devices, Apps, and Infrastructure. This change was based on feedback from our customers and partners who wanted to see a more category-based approach instead of scores for each product (Office 365, Windows, etc.). In addition, summary views for History and Improvement Actions have been added to the main Overview page and then if you drill down into either of them you’ll find more significant changes to help you work more efficiently.

The Microsoft Partner Opportunity

From a Microsoft Partner perspective, 2019 has been the year of adoption with many introducing Microsoft Secure Score into their programs, offerings, and tools. Some of these partners are listed below. One partner told us that they’ve used Secure Score to successfully drive cold call related lead quotes from 3% to 15% – a whopping 5X increase for them. Other partners have reported tremendous opportunities in security services work as a result of offering low cost Microsoft Secure Score assessments. As a result, often clients request to raise their secure score leading to additional licensing and services work to implement items such as data protection and smart phone management using product suites such as Microsoft 365.

While your mileage may vary, what we know for certain is that customers are exhausted by the news and articles describing the latest cyber-security breaches. And while organizations eagerly continue their hunt for better preventative and incident response technologies they’re increasingly searching for new solutions after coming to terms with the fact that 93% of cyber security breaches are the result of failures in basic cyber hygiene (Online Trust Alliance). Based on this statistic, they are also looking for solutions that provide active insights and expert guidance to help them maintain cyber-hygiene and maximize their security posture.

Microsoft Secure Score is just such a tool and when a Microsoft Partner shows their clients how Microsoft Secure Score provides them with a methodical approach to help them achieve basic cyber hygiene it is a real eye opener for them. Clients are amazed to learn about the simple things they can do to immediately increase their security posture and avoid becoming tomorrow’s next news story.

Partner Enablement

Microsoft Secure Score provides a unique ability for those using the Microsoft Cloud to review, understand, and improve their own security posture. But there are many organizations who are unaware or who do not have the technical expertise to translate that knowledge into action. Many organizations are focused 100% on running their businesses and if their services seem to be working, they assume everything is fine.

This operational reality provides a large services opportunity for Microsoft Partners. By positioning Microsoft Secure Score as part of a low-cost security assessment, Microsoft Partners can advertise this as a service. As displayed in the Microsoft Secure Score portal, on average most organizations have a very low score and a long list of important recommendations they should prioritize. Based on this knowledge, a partner like you can engage with almost any customer knowing what the assessment will surface to the customer (i.e.: low score needing significant improvement). From here the value add you can offer customers is to provide them with deeper level of explanation and knowledge, plans on how to address the top recommendations, and of course services to implement them. Through this engagement process, Microsoft partners are in a unique position to learn much more about the client environment which will often lead to additional opportunities.

While Microsoft Partners have the option to develop a Microsoft Secure Score Assessment as a stand-alone offer, some partners already have an established Security Assessment offering using a variety of utilities and report generators. For partners like these we’ve seen them add Microsoft Secure Score to their existing assessments which has enabled them to surface additional opportunities for improvement. Others have utilized the Microsoft Secure Score API to extend the capabilities of their scanning utilities. Some Microsoft Managed Services Providers (MSP) now export their client Microsoft Secure Score and review it during normal quarterly meetings. These types of reviews open up doors for many opportunities, not to mention it becomes a strong reminder of how a client’s previously low score is now trending much better because of the Microsoft Partners efforts.

To assist Microsoft Partners with the design and marketing of a Microsoft Secure Score Assessment offer, we have designed a marketing template as a place to start and generate ideas. This marketing template is only an example and we highly encourage Microsoft Partners to customize it by adding their own differentiators. The marketing template is available here: aka.ms/SecureScoreOfferTemplate

In addition to developing and marketing a Microsoft Secure Score Assessment, we recommend that Microsoft Partners first evaluate their own Microsoft Secure Score. Consider the improvement actions you’d recommend implementing in your own environment. Understand why you’d implement some but not others. Finally, assess the impact of implementing each improvement action on your environment, your users and business? This will help you generate a personal story that will help you assert why YOU’RE the best partner to provide this type of assessment service.

Partner Innovation

We’ve talked to a lot of partners about integrating Microsoft Secure Score into their offerings and we’ve been excited to see them using the Graph API to go beyond what we’ve offered natively.

QualityHosting is perfect example of partner that is using the Graph API to take make it an even better solution and it impressed us enough that we invited them to speak about it on stage at Inspire. When QualityHosting first saw Microsoft Secure Score they saw its potential, but they also quickly noticed that its user experience was designed for customers rather than partners. The specific challenge they noticed was is that it didn’t enable them to monitor scores and implement improvements across more than one customer tenant at a time. With Quality Hosting’s Managed Security 365 multi-tenant service they solved this challenge for themselves and then they productized the capability for other partners to take advantage of. More information on it can be found in the product video which can be found on their YouTube channel.

Quality Hosting’s Managed 365 Service

Enabling Technologies has incorporated a Microsoft Secure Score evaluation into its already well established and very successful SPARC security engagement program. This is their custom end-to-end security solution that focuses on Strategy, Policy, Awareness, Response, and Compliance with their clients. Discussions about their client’s Microsoft Secure Score has led many to request services to improve their security posture in the following areas just to name a few: securing iOS and Android devices with Intune, enabling multi-factor authentication on privileged accounts, etc. All have increased licenses sold, increased implementation services work, and further protected their clients from cyber risks.

Secure Score makes it easy for Agile IT to communicate the need, value, and impacts of its AgileSecurity program. Agile IT’s automation toolkit, combined with the Microsoft Graph API allows them to reach time-to-value and time-to-security faster, but it is Secure Score that tells the story with their clients. Simple visualizations help spur conversations with non-IT business decision makers, while its recommendations help them build prioritized roadmaps with IT leadership. The best part is that Secure Score provides impartial guidance since it is neither an Agile IT nor customer standard.

Upcoming Features

In addition to covering partner momentum, opportunities and new resources at our Inspire session we also offered a sneak-peak at some upcoming improvements that we will be releasing later this year. While the details are still being developed, the list below represents some of the key features Microsoft Partners and customers can look forward to:

• Improved scoring system
• Metrics and trends
• Improved history and comparisons
• Near real-time status
• More action oriented Ux
• and much more…

Below is a screen capture of one of the latest Microsoft Secure Score builds which, if you look closely, reveals a bit more than I mentioned above. The Microsoft Secure Score team will publish new blogs about the improvements as they reach General Availability (GA).

Wrapping it up

So, there you have it – a quick recap of Microsoft Secure Score session at Inspire.

If you are a partner that is new to Microsoft Secure Score now is the time to learn more and start planning how to take advantage of it. Consider developing a Microsoft Secure Score offer using these resources, educate your sellers, integrate a secure score evaluation into your customer meetings.

If you are a partner who has already integrated Microsoft Secure Score we thank you for the support and feedback, all of which has helped shape the latest release and features coming in the future. Be sure you are fully capitalizing on the business opportunity, make sure you have updated your offering and sellers with the latest changes released in March 2019, and then consider using the Graph API to provide innovative and differentiated offerings to your customers.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Empower security teams to easily report suspicious emails & content and receive instant feedback

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

One of the frequent requests we hear from Office 365 customers is the ability for security teams to easily report suspicious email messages or content to Microsoft and get feedback. Today I’m super excited to announce that we’re rolling out this capability to customers world-wide. This builds on a powerful capability Office 365 already supports – the ability for end users to report suspicious emails to their security teams and Microsoft. With the feature set we’re announcing today, security teams that want to defer reporting issues to Microsoft until after they have reviewed the messages themselves can now do so. What’s more – security teams can get immediate feedback on these submissions within the Office 365 Security and Compliance Center, dramatically reducing the time to investigate and response to issues and take corrective actions.

One of Microsoft Threat Protection‘s most important elements is the ability to secure emails and collaboration services with Office 365 Advanced Threat Protection (ATP). Office 365 ATP’s strength of signal offers comprehensive and best-in-class protection against sophisticated, targeted and zero-day phishing and malware attacks. To give you a sense of the scale that we deal with, in the course of 1 year in 2018, Office 365 ATP blocked 5 billion phish emails and analyzed 300k phish campaigns, protecting 4 million unique users from advanced threats. Analyzing such a huge amount of data helps continuously improve the machine learning algorithms, leading to the highest accuracy and effectiveness in the industry.

Phish email statistics from Office 365 from January 2018 to September 2018.

The impact to end users in 2018 from the enhanced anti-phish capabilities in Office 365

As proud as we are about the effectiveness offered by Office 365 ATP, we also know that no solution is 100% effective. For this reason, we also offer powerful feedback loops through which suspicious emails can be reported by end users to Microsoft to feed into the overall intelligence and continually improve the service to better protect customers.

End users can report suspicious messages they see in their inbox to Microsoft using the  Report Message plug-in in Outlook and Outlook Web Access. Organizations’ security teams can also review these user-reported messages in the Office 365 Security and Compliance Center to better understand the attacks users are seeing and update their security policies.

Real-time report showing all user-submitted emails

From the SecOps perspective, these submissions form an important source of intelligence and can trigger investigation and remediation workflows to significantly reduce the time to detect and respond to an attack and therefore limit the scope of impact of an attack within the organization.

The Report Message plug-in is therefore an invaluable tool for users to flag suspicious content to not only their security teams, but directly to Microsoft as well. But some organizations don’t want their users to submit emails directly to Microsoft, as they may contain sensitive information. They want these submissions to first be reviewed by their security teams before being submitted to Microsoft.

Today we’re excited to announce that the email submission experience will now be available to security teams and admins from the same place where they review user-reported messages within the Office 365 Security and Compliance Center.

With this new capability, admins can easily submit emails and content, provide more details, and receive immediate feedback. The feedback provided by Microsoft will also offers valuable insights into configurations that may have caused a false positive or a false negative, reducing the time to investigate issues and improving the overall effectiveness.

With this new submission process, admins can: 

• Submit suspicious emails, files, and URLs to Microsoft for analysis
• Receive immediate feedback on their submissions
• Find and remove rules allowing malicious content into the tenant 
• Find and remove rules blocking good content into the tenant 

Here’s a quick run through of the experience. You can also learn more about it in our technical docs.

Step 1 – Log in to the Security and Compliance Center or the M365 Admin Center as Global Admin, Security Admin, or Security Reader. Click on the ‘Submissions’ node under ‘Threat Management’. You will see all the end user reported messages here. Under the ‘User Reported’ tab. To create a new admin submission from the portal, click the ‘New Admin Submission’ on the top left.

Step 2 – Enter all the details related to the submission such as submission type, recipients, reason for submission and submit.

Step 3 – Review the status of your submission. You can see the progress of the submission after it is submitted. You can also drill down into specific submissions and see what was submitted, what it was submitted as, and reason for submission, as well as what verdict was issued.

Step 4 – Take actions to fix the suggested configuration.

This can be a great tool to manage false positives and help fix configurations issues that may result in EOP/Office 365 ATP not performing optimally. In the future we’ll not only present the config-related issues but also automatically fix them.

To whom is it available?

All Office 365 customers will be able to use this feature. However, customers using Office 365 ATP will benefit most from it. Customers using third-party reporting tools can also use this capability.

As you look to implement this solution, it’s important to know it provides valuable data for more than Office 365 ATP. Microsoft Threat Protection services in general can leverage it to fine tune the machine learning algorithms and better protect, detect, and respond to threats across different threat vectors. Get started with an MTP trial if you want to experience the comprehensive and integrated protection Microsoft Threat Protection provides. Learn more about Microsoft Threat Protection by following our monthly blog series.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Announcing Security Policy Advisor Preview for Office 365 ProPlus

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Today we are pleased to announce the preview of Security Policy Advisor, a new service that can help enterprises improve the security of Office 365 ProPlus clients in their organization.

Office provides a rich set of security policies that allow administrators to customize the security of their Office applications to help meet their enterprise’s security needs.  Administrators have traditionally relied on published guidance like security baselines or their own analysis to come up with a set of security policies they need to enforce. In such instances, the burden falls to the administrator to determine if a security policy is right for their enterprise and will not adversely affect user productivity. 

Security Policy Advisor enables IT admins who have deployed Office 365 ProPlus, to manage the security of their Office applications with confidence by providing the following capabilities:

• Tailored recommendations for specific security policies that can provide a high value in helping to raise the overall security posture of an enterprise and helping to protect against contemporary attacks.
• Rich data insights on security and productivity impact of applying a policy recommendation that can help admins weigh the benefit vs. risk of applying a policy and make a data-informed decision.

• One-click deployment of policies to end users through the recently released Office cloud policy service that enables admins to enforce Office policies straight from the cloud to any Office 365 ProPlus client without requiring on-premises infrastructure or MDM services.
• Monitoring and reporting on policy impact that allows an admin to have visibility into how a security policy recommendation is affecting users without having to wait to hear from them.

This service is now available as a preview in English (en-us) and will be available in additional locales in the coming weeks. If you are an administrator of an organization that has deployed Office 365 ProPlus, you can start using this service by signing into the Office client management portal, turning on Security Policy Advisor and creating Office cloud policy configurations.  For each policy configuration you create and assign to a group of users, Security Policy Advisor will generate recommendations with supporting data that you can review and deploy to users as a policy. Once you have applied a policy, you can continue to monitor its ongoing impact on users through the management portal.

For additional documentation on how to use this new policy service and its capabilities please refer to this document: Overview of the Security Policy Advisor (Preview) for Office 365 ProPlus.

As you evaluate this preview, please provide feedback using the feedback button (in the upper right corner) to help us improve Security Policy Advisor. We look forward to hearing from you!

FAQ:

Note:  Please refer to our documentation for the most up to date information.

What are the pre-requisites to start using Security Policy Advisor?

To start using Security Policy Advisor, your enterprise must have the following pre-requisites

1. Must be using the Office cloud policy service and meet all the requirements for that service
2. Office 365 ProPlus apps on the latest Monthly (1904) channel release deployed and being used by users in your organization.
3. To create the recommendations and insights, Security Policy Advisor relies on necessary service data from Office 365 ProPlus. For more information, see Necessary service data for Office.
4. Office 365 ProPlus clients can communicate back to Microsoft. Specifically, the following Office 365 URLs and IP Addresses for all Office 365 services and clients published here: Office 365 URLs and IP address ranges.

Note: If you are creating a brand new enterprise subscription in Office 365, please wait atleast 24 hours for the service to detect your subscription before trying to use Security Policy Advisor.

How does this relate to a security baseline?

Security baselines are a great starting point for enterprises to configure their applications for security. Office has a published baseline for Office 2016 and Office 365 ProPlus applications.

A security baseline is generic best practice guidance that ultimately needs to be consumed and customized for your enterprise to balance your security and productivity goals. You can use Office cloud policy service to apply the user level policies recommended in the Office security baseline.  Security Policy Advisor complements a security baseline by providing custom recommendations for specific policies that are tailored to your enterprise, helping you to choose the most secure policy that has the least impact on productivity for your organization.

How are the recommendations, productivity and security impact insights generated?

Security Policy Advisor uses the following data to generate recommendations and associated data insights on productivity and security impact:

1. To create the recommendations and productivity insights, Security Policy Advisor relies on necessary service data from Office 365 ProPlus . For more information, see Necessary service data for Office.
2. If your organization has Office 365 Advanced Threat Protection Plan 2, then Security Policy Advisor can use data from this service to provide insights on recommended policies. These insights will be based on threats that have been detected and stopped by Advanced Threat Protection. For more details on Office 365 Advanced Threat Protection, see Office 365 threat investigation and response.

 For more details, please refer to our documentation.

What happens when I turn off Security Policy Advisor?

When you turn off Security Policy Advisor, usage and threat data from your organization are no longer analyzed and no recommendations or insights will be generated. 

Admins can control the data collected from their clients using the new privacy controls supported by Office apps. More details are available here: Overview of privacy controls for Office 365 ProPlus.

What happens if I do not have Office 365 Threat Investigation and Response (via ATP Plan 2)?

If your organization has Office Threat Investigation and Response (via ATP Plan 2), Security Policy Advisor can use data from this service to provide you with information on threats detected and stopped by ATP that the recommended policy can help protect against. This can be great to quantify the actual risk to your organization when you consider applying a recommendation.

If your organization does not have ATP Plan 2, no problem, Security Policy Advisor will still show you information on the productivity impact that is helpful in assessing and monitoring impact to end users when applying recommendations. 

Which admin roles are allowed to view recommendations and configure policies?

Only the Global Admin, Security Admin or Desktop Analytics Admin (private preview) roles are allowed access to create or view policy configurations.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

How we’re helping our ecosystem build more connected security solutions

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Microsoft offers a number of solutions for developers to build connected security applications. We know that figuring out how to get started using these tools can be challenging. To make it easier for developers, we recently published a developer’s guide to help!

If you’re a developer, architect, or tool smith at a large enterprise, independent software vendor (ISV), managed security services provider (MSSP), or a system integrator (SI), check out the new developer guide to building connected security solutions.

This guide provides an introduction to the Microsoft APIs, services, and communities available to security developers. In addition, the guide offers detailed guidance on when and how to use each – what technology and integration option best aligns with your desired scenario and application type with links to different types of samples.

Download the free guide today! Share your feedback by filing a GitHub issue in the SecurityDev repo.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Announcing Attack Surface Analyzer 2.0

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Overview

Attack Surface Analyzer has been a valuable asset to software developers and IT security personnel for years in helping detect key system changes that may occur from software installations.  We’re pleased to announce the release of Attack Surface Analyzer 2.0 earlier this month, which is a new .NET Core and Electron rewrite of the classic 2012 version of the tool, and is one of several tools recommended from Microsoft SDL Practices which can help improve customer trust in software.

Attack Surface Analyzer 2.0 helps identify potential security risks introduced by new or untrusted software by detecting changes to key areas of the system security configuration including: 

• File System
• User Accounts
• System Services
• Network Ports (listeners)
• System Certificate Store
• Windows Registry

It includes static change detection between snapshots of these key areas and a real-time file change monitoring option as well as an export feature of analysis data which is stored in a local SQLite database file.   Additional collection types and improvements are planned to be released later this year. 

It also includes both a scriptable command line interface (CLI) and an Electron option and even allows for your own custom front end to call the underlying core components programmatically to create an entirely different or white label client experience.  The entire codebase has been released as an Open Source project on GitHub allowing developers to further extend the tool features themselves and contribute them to the community.  A key improvement over the classic version is the application now comes with cross-platform support for Windows, Linux and macOS.

Usage

Attack Surface Analyzer allows you to create “snapshots” before and after you install the target software under consideration.  A clean initial system with minimal additional software is ideal, but not required though it does require administrator user privileges to use fully .

Let’s say you want to detect system changes made from the installation of a software application e.g. Firefox. After downloading Attack Surface Analyzer, you can use the Electron GUI option and select Start or Scan to create a baseline initial snapshot labeling it “Before Install” or “Clean System” for example and allowing the scan to complete.

Next, install your software and run a new scan labeling it “After Install” for example and selecting the same collector types used in the initial scan.

Note: you can also run additional scans to capture changes made while using the software beyond just the installation.

Then use the Analyze Results feature selecting both the initial and post install scans that were previously saved to analyze for changes or selecting any two scans for comparison.  Finally, choose a desired filter to view any unexpected and potentially security impactful changes that were made.

Alternatively, use the CLI interface which comes with command line help and the same level of functionality or greater in some cases, and which can be scripted into your build or other processes.

Software Development Lifecycle Role

Attack Surface Analyzer contributes as an important software development best practice helping ensure the use of least privilege in your own software products for minimizing unwanted attack surface changes to your customers systems.  The output options can provide evidence for release management and security auditors that your product does only what it claims in addition to scanning for 3rd party software installation changes to your system.

As maintaining customer trust is key, including Attack Surface Analyzer 2.0 in your development processes or toolchain is a great idea.   Future releases of the tool will also include security guidance help for identified changes that may warrant additional scrutiny.

Getting Started

To get started, visit the project site on Github at https://github.com/Microsoft/AttackSurfaceAnalyzer and download the latest release.  We value your feedback, bug reports, and ideas and are excited by the release of this valuable tool for contributing to security compliance needs.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Introducing Microsoft Graph Security API Recognition Program and New Samples!

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

We are pleased to announce a Recognition program as part of building the Microsoft Graph Security API community. With this program, contributors will be highlighted in the Microsoft Graph Security solutions GitHub contributors page for increased visibility and easy discovery of contributions. Furthermore, contributions for the month will be promoted via Blogs and Tweets. Contributions can be in the form of code in any language of your choice, scripts, playbooks, dashboards, notebooks and queries using the Microsoft Graph Security API.

We have expanded our existing list of samples to publish a set of curated sample queries that you can leverage in any Microsoft Graph Security integrated solution for richer context. We have also added more Jupyter/Azure notebooks and sample playbooks to the repo as well. Review the list of this and all Microsoft Graph Security samples in the GitHub repo.

The Microsoft Graph Security API connects multiple security solutions to enable easier correlation of alerts, provide access to rich contextual information, and simplify automation. This empowers organizations to quickly gain insights and take actions across their security products, while reducing the cost and complexity of building and maintaining multiple integrations. For further details on integrating with the Microsoft Graph Security API, learn about the API and access the schema.

Getting Started

You can start contributing sample code, scripts, playbooks, etc. using Microsoft Graph Security API now using the following guidelines. Refer to the Microsoft Graph Security API contribution workflow for more information.

1. Create a new issue or reuse an existing issue to track the work.
2. If you are contributing to an existing sample or plan to add a new sample, mention that in the issue and assign the issue to yourself.
3. Create a personal fork of the GitHub repo. Some of the code samples are on separate GitHub repos and links to these are consolidated in the solutions GitHub repo.
4. Create a branch off master.
5. Make and commit your changes.
6. If it’s a code sample, build the sample with your changes and ensure build is clean and sample works as expected.
7. Create a pull request (PR) against the upstream repository’s master branch.

Microsoft team and community members will provide feedback on your changes and Microsoft team will merge your change.

What types of samples can I contribute?

Microsoft Graph Security API supports different integration options as illustrated below. Samples are available to support each of these integration formats and you can contribute more samples to build out a richer set for the community.

Microsoft Graph Security API Integration Options

You can contribute the following types of samples leveraging these integration options. Check out existing samples linked below to learn and contribute.

• Write code using SDKs – Contribute code samples in C#, Java, NodeJS, and more
• Connect using scripts using PowerShell module – Contribute PowerShell samples
• Drag and drop into workflows and playbooks using Microsoft Graph Security connectors for Azure Logic Apps, Microsoft Flow, and PowerApps – Contribute sample playbooks with the connector
• Get data into reports and dashboards using the Microsoft Graph Security connector for Power BI – Contribute sample dashboards
• Connect using Azure / Jupyter notebooks – Contribute notebook samples
• Contribute queries to use in different Microsoft Graph Security API integrated solutions

What’s next? We really look forward to seeing you in the contributor’s list! Please share your feedback by filing a GitHub issue.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

New Records Management solution and machine learning updates come to Microsoft 365 Compliance

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Organizations today are looking for ways to harness digital transformation, while meeting complex regulatory or internal requirements and expectations that have not always evolved at the same pace as the modern workplace. Organizations seeking to simplify their compliance archive infrastructure, and regulatory solutions requirements are adopting Microsoft 365 to meet their enterprise information archive and compliance solutions requirements in place.

With today’s updates, organizations can now use Microsoft 365 for more of their data, use new solutions to meet regulatory requirements and benefit from intelligence to triage content for compliance or policy related purposes.

Now archive more data with new native connectors to third-party data

Use the new native connectors functionality to import non-Microsoft 365 data such as Facebook and Twitter into the Microsoft cloud for archival purposes. The first set of connectors enable social data, next business app data connectors will be available to connect to sources like Bloomberg and other business applications. Once the connector is established and social data is archived into Microsoft 365 it is then available to be utilized in common compliance scenarios.

Now natively import third-party data for archival and compliance purposes.

Read more about how to take advantage of the connectors here

Streamline processes with new Records Management solution

Organizations of many types are required to identify, classify and maintain business records for certain regulatory requirements and or internal policy guidance. Public institutions and regulated entities often maintain vast archives of business records for years to meet strict requirements.

Now organizations can utilize a specific solution for Records Management requirements in the security and compliance center. Migrate and manage complex retention hierarchies across SharePoint, OneDrive for Business, Teams, Exchange and more with the file plan, establish event-based triggers and utilize the disposition review for deletion and export of the list of disposed items. Easily set tailored permissions to give access to the right people across business units for specific activities within the compliance center. Learn more about this solution here

Migrate and manage hierarchical retention with file plan.

Disposition review provides options for bulk disposition, retention extensions, or re-classifications. Review disposed items and export a list to provide proof of disposal.

Defensibly dispose of content with disposition review.

Support continuous collaboration with New Advanced Records Versioning feature

In addition to the solution for Records Management, the public preview of the new advanced record versioning feature is now available. This feature enables continuous record declaration on selected versions of a single document, with one click a user creates a record and auto-stores record versions in a records repository, providing assurance that critical record versions are retained. This new capability brings together compliance and productivity to help organizations meet both sets of requirements.

Enable collaboration and compliance with advanced record versioning.

Harness intelligence to identify content of interest with out of the box classifiers

Now you can put the machine learned data model for offensive language to work for your organization. This is the first out of the box classifier available to help manage the scale, volume and complexity of the data in your organization for specific compliance scenarios. Organizations are already setting up organization-wide policies to monitor offensive language in the workplace with machine learning that can detect the context and meaning behind common words and phrases.

Take a look at how this new technology works in the new Mechanics show on Supervision in Microsoft 365.

Offensive language is the first classifier coming to the Microsoft 365 compliance center, and we plan to release additional out of the box classifiers soon including attorney client privilege, resume and source code, and a classification assistant to enable organizations to create, train and establish their own intelligent classifiers for compliance outcomes.

Organizations are asking more of Microsoft 365 every day. Building these new capabilities into existing solutions helps organizations simplify their compliance processes and infrastructure with integrated and intelligent capabilities that span communications and collaboration technologies.

Learn more about how this works today, start an E5 trial or navigate to the Microsoft 365 Compliance Center to get started.

Thank you to Shilpa Ranganathan, Principal PM Lead, Microsoft 365 Compliance for delivering today’s post

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

A new home and an all-new look for Microsoft Secure Score

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Introduction

Last month we announced that Microsoft 365 Security Center had reached general availability and we provided our readers with a quick end to end tour of the top experiences. Since then it’s been exciting to see the number of new customers using Microsoft Secure Score for the very first time almost tripling while the blog became one of the top viewed items for the month of March. In this month’s blog we’d like to provide additional details on Microsoft Secure Scores’ redesign and new capabilities.

You asked, so we delivered

For this release your feedback on suggested we should focus on following four priorities and that’s exactly what we decided to do:

1. Integrating it within Microsoft 365 security center instead of having it be a stand-alone console
2. Organizing the experience around the Microsoft Threat Protection pillars
3. Improving usability and decreasing decision-making time
4. Enriched the API so it has complete access to all Microsoft Secure Score data 

A New Home

The first and most obvious difference customers will notice is that Microsoft Secure Score is no longer hosted on its own website (securescore.microsoft.com) as shown in the image below.  

Instead its functionality has been fully integrated into our new Microsoft 365 security center (https://security.microsoft.com) which consolidates Microsoft Secure Score and many of our other security administration experiences into a single integrated experience.

The previous Microsoft Secure Score website (securescore.microsoft.com) will remain available through May, at which point all traffic to the previous website will be redirected to the new experience shown above. At this point the previous website will be retired and taken offline. For existing customers, no action is required. However, we recommend customers update any links they’ve saved to go to the new location within Microsoft 365 security center ( https://security.microsoft.com/securescore ).  

Microsoft 365 security center home page

Customers will also notice right on the Home page of Microsoft 365 security center, there is a quick overview card called Microsoft Secure Score which exposes one of the more substantial changes that we’ve made for the release. Based upon customer feedback, we moved away from a product-based way of organizing scores (e.g. Windows, Office) to one that maps to the Microsoft Threat Protection entities. This means scores are now organized around the concepts of Identity, Devices, Data, Apps, and Infrastructure rather than the underlying products and technologies. This will help the many companies that organize their security administration efforts around these domains.

Microsoft Secure Score work space

When you drill into the overview card from the Home page you will land in the Microsoft Secure Score work space. Here you can view a higher fidelity version of the quick overview card. It includes a section to overview Your secure score, a History section to show your status over time and finally a list of key Improvement actions and overall status.

Improvement action changes

If you drill into the Improvement actions section, you’ll find several usability improvements. First you will notice that the improvement actions list now has much more space, which has enabled us to surface new columns and data. With this change you can now sort the list by User Impact, Implementation Cost, Category, and Source making it far easier to identify the right improvement actions to focus on and prioritize.

Another way we enhanced the user experience is by moving the improvement action details into a fly-out that appears from the right hands side of the page. Now you can quickly navigate from one item to the next without losing access to the list. Previously, the list would be obscured or pushed out of view when an improvement action’s detailed view was opened. Far fewer clicks and scrolling!

Next, we’ve improved the Filters capability to make it easier to find the right improvement actions to focus on. Imagine you’re the security administrator for Identity and you’re looking to score some quick points to keep your boss happy. Now you can Filter by Identity, low cost, and low user impact to find the improvement actions that you can complete with minimal effort and within the shortest possible time.

This new more advanced filtering capability replaces the Target Score capability shown below which looked nice in demos, but really didn’t pan out on the usability side. With the new advanced filtering capability, you’ll get more control, better slicing and dicing capabilities, and be able to get to the answers you need faster than before.

History and Score Comparison Changes

The last set of changes we will tell you about today are related to the Score Analyzer and Score Comparison experiences. In this release we’ve combined these experiences into one that is now called History.

The previous Score Comparison capabilities which enabled you to compare your score vs. the global average and customers who have a similar profiles to your own (i.e.: same industry and seat count) is still there, but it is much improved. We now provide comparison history data over time as opposed the previous experience which just enabled you to compare yourself vs. others based on the latest status information.

One additional improvement we added is a filter option which enables security administrators to filter history by domain (e.g. Identity, Device, etc.)

What about API’s?

Last September at Ignite we announced Microsoft Graph Security API support for Microsoft Secure Score and launched our public preview. We are pleased to announce that the API has now reached general availability and is ready for production use. The API provides full access to all the data we are using in our own Microsoft Secure Score user experience along with significant performance and localization improvements. Learn more about the Microsoft Graph Security API  and how to use it.

Wrapping it up

So, there you have it – a quick tour of our newly redesigned Microsoft Secure Score experiences. We encourage customers to start taking advantage of it in its brand new home and for those that aren’t we would love to see you begin trialing one of the many Microsoft 365 security products that will give you access. More information on Microsoft Secure Score can be found at Microsoft Docs.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Introducing My Library on the Service Trust Portal —a new service for Microsoft users

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

We are excited to announce some great new functionality to the Service Trust Portal (STP)!

To support our effort to be transparent in how we manage customer data, we make available several resources. One of those resources is the Service Trust Portal, where we host tools such as Compliance Manager and a robust set of documents. These documents are updated frequently, and before now customers had to manually search within STP to find the most current versions of documents.

After signing in, our customers are now able to save documents that are of particular relevance to them in one single place called My Library, and receive notifications when these documents are updated.

Below you will find information on how to take advantage of this great new feature.

To add a document to your library, click the … menu to the right of a document and then select Save to library. 

You can also add multiple documents to your library by clicking the checkbox next to one or more documents, then selecting Save to library at the top of the list.

Additionally, the notifications feature lets you configure your Library so that anytime a document that you’ve selected has been updated, you’ll be notified.

To set up notifications, go to your My Library and click Notification Settings. You can choose the frequency of notifications and specify an email address in your organization to send notifications to. Email notifications include links to the documents that have been updated and a brief description of the update. 

NOTE: We will automatically identify any documents in your My Library that have been updated within the last 30 days, regardless of whether or not you turn on email notifications.

We strive to be transparent in how we manage your data, and STP provides a bevy of resources to support that effort. It’s important to us that you know we manage your data in a secure, private, and compliant way.

If you would like to learn more about STP and other related topics, please see the resources below.

• How to use STP
• How Microsoft manages customer data
• Microsoft 365: our complete, intelligent solution that empowers everyone to be creative and work together, securely

The above was provided from Microsoft Security and Compliance blogs at TechCommunity