Data investigation capabilities in Office 365 in Public Preview

Data investigation capabilities in Office 365 in Public Preview

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

In talking to our customers, we learned that IT and security operations roles need a more efficient way to contain a data spill by quickly identifying the impacted content and taking immediate action to remediate the risk.

 

Unfortunately, in the past, this process involved several different tools such as content search, audit log search and executing different PowerShell cmdlets.

 

Today, we are excited to share new data investigation capabilities in Office 365 that is available in preview. With these new capabilities in Office 365, you can search for sensitive, malicious, or misplaced data across Office 365, investigate what happened, and take the appropriate actions to remediate the spillage.

 

Read further to understand what data investigation capabilities in Office 365 can do: 

 

Advanced search

 

Target relevant content across Office 365. Quickly identify potential sources of both personal and shared content locations. You can also triage data with conditions, key words and advanced search functionality to cull initial collection to a smaller set. Once evidence is collected to a reasonable data set, you can process and validate the content.

 

Pix 1.png

 

Review and investigate the data

 

Once you are ready to process and validate the impacted content, you can review individual documents and evaluate the data to determine if further action is required.

 

pix 2.png

 

Remediate risk by taking immediate action

 

Finally, you can remediate and mitigate the incident of a data spill and limit damage to the organization by deleting the impacted data to prevent end users from accessing the content. Today this is done through PowerShell but we plan on providing a UI experience at the end of May. 

 

pix 3.png

 

Get started today

 

Review our supporting documentation and try the data investigation capabilities in Office 365 in Preview today.

 

Also, let us know what you think! We want to hear from you. Fill out this short survey for us if you are interested in us reaching out to you.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Announcing Office 365 Advanced Message Encryption

Announcing Office 365 Advanced Message Encryption

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

A year and a half ago, we launched new Office 365 Message Encryption capabilities, and at the heart of these updates, we made it easier for users to collaborate on protected messages with anyone and on any device. These updates included empowering end users to apply encryption and read encrypted emails directly in Outlook, and also making it easier for non-Office 365 recipients to use their Google or Yahoo identities to authenticate and read encrypted messages.

 

Our goal continues to be to protect our customers’ sensitive data, by making it easier to apply and consume encrypted messages, regardless if your recipient is inside or outside your organization. Unfortunately, protecting and controlling sensitive data that’s shared outside your organization is more challenging than if it was shared inside your organization.

 

That’s why we are investing in capabilities that not only enhance encryption, but also provide more control over access to encrypted emails by external recipients.

 

Today, we are excited to share new Office 365 Advanced Message Encryption capabilities that enable admins to apply multiple custom email templates, and to expire and revoke encrypted emails accessed through the Office 365 web portal.

 

Read further to understand what’s available in Advanced Message Encryption.

 

Apply multiple custom email templates

Many organizations require custom email templates that reflect the unique brand, logo or text of the department or region the encrypted email came from. For example, a regional office in France may require that the email template that external recipients receive are in French.

 

With Advanced Message Encryption, customers can apply more than one custom email template. That means you can change, for example, the logo, color, and text of email template. Today, this is done through a PowerShell cmdlet.

 

Once the custom template is created, in the Exchange admin center, you can create a mail flow rule that applies the custom template based on set conditions. For example, if the message contains the key word ‘confidentiel’, for example, the email will be automatically applied with the desired encryption policy and custom template.

 

template.png

 

Expire access to encrypted emails

Another benefit to creating custom branded email templates is the ability to also set an expiration date as an added option to the template.

 

This may be valuable for organizations that have compliance obligations that require you to restrict how long external recipients can access sensitive emails per organizational policies or regulatory requirements.

 

With Office 365 Advanced Message Encryption, you can apply automatic policies that can detect sensitive information types (e.g. PII, Financial or Health IDs) or keywords, then enhance protection by expiring access through the Office 365 web portal to encrypted emails.

 

To enable this, once the custom email template is created in PowerShell with the desired expiration date, in the Exchange admin center, admins can apply the template based on the set conditions.

 

expiration_Health ID.png

 

After the template is applied, the sender can send email normally, and if the email meets the conditions of the policy, the expiration date will be invoked.

 

From the perspective of the recipient, after the message is sent, they would see the branded template with the expiration date. Once the encrypted email has expired, the email will no longer be accessible through the Office 365 web portal.

 

expiration recipient.png

 

Revoke access to encrypted emails

 

For organizations that collaborate and share sensitive emails with external recipients, we are also enabling the ability to revoke encrypted emails accessed through the Office 365 web portal.

 

Whether it’s due to malicious attack, accidental sharing of encrypted emails, or changes in who is authorized to view encrypted emails, admins can now go into the encryption report to find encrypted emails and revoke access through a new UI experience  inside the Office 365 Security and Compliance Center.

Revocation_5_Updated with names.png

 

Once the message is revoked, the external recipient  no longer access the sensitive email through the Office 365 web portal.

 

Revocation_9.png

 

Get started

Advanced Message Encryption is rolling out and will be available in eligible tenants by the end of May. Get started by leveraging the resources such as support documentation and interactive labs provided below. 

 

Note, you must set up Office 365 Message Encryption to leverage Advanced Message Encryption capabilities, which provide added protection on top of encrypted messages shared externally. If you do not have Office 365 Message Encryption learn how to set it up here.

 

Office 365 Advanced Message Encryption requires an Office 365 E5 subscription or an Office 365 E3 subscription with the E5 Compliance add-on or Advanced Compliance add-on. If you don’t have that plan and want to try Advanced Message Encryption, you can sign up for a trial of Office 365 Enterprise E5.

 

Resources

Documentation: 

https://docs.microsoft.com/en-us/office365/securitycompliance/ome-advanced-message-encryption

Interactive guide: Enhance protection with Advanced Message Encryption in Office 365

 

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

ISO 22301 highlights Office 365’s unmatched business continuity & disaster recovery preparedness

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

As part of our commitment to providing our customers with the peace of mind that your applications, and data, are safe and available in Office 365, we are pleased to announce that Microsoft Office 365 has achieved ISO 22301 certification. ISO 22301 is the premium standard for business continuity, and certification demonstrates conformance to rigorous practices to prevent, mitigate, respond to, and recover from disruptive incidents.

 

For years, we’ve heard from organizations about the importance of disaster preparedness and continuous improvement in their operations to ensure their IT systems can survive, and be restored, in the aftermath of major incidents (such as natural disasters, power outages, or cyber-attacks). We were the first major cloud provider to prove our commitment of being fully prepared for all eventualities through this internationally recognized standard for business continuity. 

 

What does this mean for our customers? It gives you the assurance that you can trust Microsoft Office 365 with your mission critical content by providing an extensive independent 3rd party audit of all aspects of Office 365’s business continuity. This includes the following:

  • how backups are validated
  • how recovery is tested
  • documented training for critical staff
  • the level of resources available
  • buy-in by senior management
  • how risks are assessed/mitigated
  • adherence to legal/regularly requirements
  • the process for response to incidents
  • the process for learning from incidents

 

Achieving the ISO 22301 certification demonstrates the seriousness of our commitment to providing you the highest quality of service, and we’ll continue to prioritize our customer data’s continuity and ensure we are handling it responsibly.

 

To learn more about Microsoft Office 365’s ISO 22301 certification and download a copy of the certification, please see the resources below:

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Office 365 Retention, Disposal & Archiving – Frequently Asked Questions (And We’ve Got the Answers!)

Office 365 Retention, Disposal & Archiving – Frequently Asked Questions (And We’ve Got the Answers!)

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

With the introduction of Unified Retention & Retention Labels in the Security and Compliance, many customers have questions on the differences between Unified Retention, Retention Labels and MRM retention, configurable parameters and other common scenarios.

 

Retention or Unified Retention

Retention or Unified Retention is available in Office 365 Security and Compliance portal.

Unified retention policy in Office 365 can help you achieve all these goals. Managing content commonly requires two actions:

  1. Retaining content so that it can’t be permanently deleted before the end of the retention period.
  2. Deleting content permanently at the end of the retention period.

With a retention policy, you can:

  • Decide proactively whether to retain content, delete content, or both – retain and then delete the content.
  • Apply a single policy to the entire organization or just specific locations or users.
  • Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.

SCC Retention provides true retention, you can use a single SCC retention policy to perform both deletion and retention and at the same time a single policy can be applied across different workloads.

For more details, refer Overview of Retention Policies

 

Retention Labels.

Retention Labels is available in Office 365 Security and Compliance portal.

Retention labels in Office 365 can help you take the right actions on the right content. With retention labels, you can classify data across your organization for governance, and enforce retention rules based on that classification.

With retention labels, you can:

  • Enable people in your organization to apply a retention label manually to content in Outlook on the web, Outlook 2010 and later, OneDrive, SharePoint, and Office 365 groups. Users often know best what type of content they’re working with, so they can classify it and have the appropriate policy applied.
  • Apply retention labels to content automatically if it matches specific conditions, such as when the content contains:
    • Specific types of sensitive information.
    • Specific keywords that match a query you create.
    • The ability to apply retention labels to content automatically is important because:
    • You don’t need to train your users on all of your classifications.
    • You don’t need to rely on users to classify all content correctly.
    • Users no longer need to know about data governance policies – they can instead focus on their work.
  • Apply a default retention label to a document libraryin SharePoint and Office 365 group sites, so that all documents in that library get the default retention label.
  • Implement records management across Office 365, including both email and documents. You can use a retention label to classify content as a record. When this happens, the label can’t be changed or removed, and the content can’t be edited or deleted.

Retention setting in Labels and Unified Retention is same. A single retention labels policy to perform both deletion and retention and at the same time a single policy can be applied across different workloads.

 

There are different ways to monitor the usage of Retention Labels using Data Governance Dashboard, Label Activity Explorer (Available with E5 only), Content Search, Audit log

 

For more details, refer Overview of Retention Labels

 

Messaging Records Management (MRM)

Messaging Records Management aka Retention Policy is available in Exchange on-premises as well as in Exchange online and available in Exchange Admin Center (EAC).

 

You can use retention policies to enforce basic message retention for an entire mailbox or for specific default folders. Although there are several strategies for deploying MRM, here are some of the most common:

  • Remove all messages after a specified period.
  • Move messages to archive mailboxes after a specified period.
  • Remove messages based on folder location.
  • Allow users to classify messages.
  • Retain messages for eDiscovery purposes.

When you implement MRM policies that remove messages from mailboxes after a specified period it also retains them in the Recoverable Items folder for In-Place eDiscovery purposes, even if the messages were deleted by the user or another process.

 

In Exchange Server and Exchange Online, MRM is accomplished through the use of retention tags and retention policies.

  • Assigning retention policy tags (RPTs) to default folders, such as the Inbox and Deleted Items.
  • Applying default policy tags (DPTs) to mailboxes to manage the retention of all untagged items.
  • Allowing the user to assign personal tags to custom folders and individual items.

Messaging Record Management policy itself doesn’t perform any retention You need to use a time-based In-Place Hold or Litigation Hold to preserves messages that were deleted for long period of time than the Single Item Recovery period.

 

In this post, we will be referring Messaging Records Management (MRM) as EAC based Retention.

For more details, refer Messaging records Management

 

Next, we will answer some of the frequently asked questions around Retention Policies in the SCC and EAC.

 

Deletion and Retention options for Retention. What do they really do?

While creating Unified Retention policy or Retention Labels, the settings below, may not be as clear for some customers.   Let’s take a deeper look;

SCC Post Image 1.png

 

Option: “Yes, I want to retain” 

This option means retain content in user’s mailbox (mail folders and Recoverable Items folder) wherever they are located for specified x days/months/years. You also get an option to retain them forever. This setting also applies to content in folders in archive mailbox and its Recoverable items folders.

 

Content deleted from user’s mail folders will be moved to Recoverable items folder and content which is already existing in Recoverable items folder (when policy is applied), will be retained for x days/months/years. In short retention will make sure that the content will not be purged completely from the mailbox for specified number of days/months/years

 

What happens to content when the retention period for emails is expired? It depends on what’ option is selected next;

 

“Do you want us to delete it after this time?”

If “Yes” is selected, MFA does the job of cleaning the expired contents from user’s mail folders and from the Recoverable items folders. This also includes expired content in archive mailbox and its recoverable items folders.

 

If “No” is selected, Managed Folder Assistant (MFA) will not clean the expired content (move to recoverable items folder) which exists in user’s mailbox folders. But the expired content in Recoverable items folder older than Single Item recovery period (14 days) will be cleaned, provided there is no other hold applied to this mailbox to retain the content longer.

 

To identify other holds on the mailbox, refer How to identify the type of hold placed on an Exchange Online mailbox

 

Option: “No just delete content that’s older than”

This option indicates delete content in user’s mailbox (users’ mail folders and Recoverable Items folder) which is older than configured x days/months/years, wherever it is located. This also includes content in folders in the archive mailbox and its Recoverable items folder.

 

With this option selected, expired content from user’s mail folders and Recoverable items will be deleted permanently (provided that there is no other hold configured to retain content for longer period.)

 

For more details refer Deleting content that’s older than a specific age

 

Let’s discuss some of the common scenarios.

 

Retain and Delete content in the entire mailbox.

 

If you are planning to use Unified Retention and your requirement is that the mailbox should not hold any content older than 1 year.

 

You can create a SCC Retention as shown below so that any data which is older than 1 year would be deleted from the user’s mail folders and Recoverable items folders.

SCC Post Image 2.png

This option makes sure than there is no content in the mailbox older than 1 year, both in users mail folder and Recoverable items folder, this also includes content in archive mailbox. The expired content is not immediately purged from the mailbox instead it is retained for some more days, it could be because other holds and because of DelayHoldApplied on the mailbox.

 

Retain the deleted content for a longer period.

If you are planning to use SCC Retention and your requirement is that the content from user’s mail folders older than 1 years needs to be deleted and the deleted content need to be retained for 7 years for eDiscovery or recovery.

 

One of the ways to achieved this is by creating two SCC Retention policies, one policy to delete email older than 1 year

 

SCC Post Image 3.png

Another policy to retain data for 7 years

 

SCC Post Image 4.png

 

 

 

How is the retention period specified calculated?

The retention period calculation for different types of items varies and is documented in below article.

For more details How retention age is calculated. This article applies both the EAC based retention and SCC Retention

 

Principles of retention.

A mailbox can have multiple Unified Retention or Retention Labels policies applied either implicitly or explicitly. At times in order to meet your compliance requirement, a given mailbox can be subjected to multiple policies, in such cases it’s important to understand which action take precedence, which is explained nicely using “Principles of retention”

 

For more detail on “Principles of retention” refer Overview of retention policies

 

Should I use the EAC based retention or SCC Retention?

 

It really depends on your retention requirements.

 

With introduction of auto-expanding archive feature, it is important that you move your old emails from primary mailbox to archive mailbox this includes emails from the user’s folders and Recoverable Items folder of primary mailbox, so that Primary mailbox doesn’t exceed the mailbox quota limits.

For auto-expanding archiving feature refer Auto-expanding archiving feature

 

Automate moving emails to the archive.

 

What if you want to automate moving emails older than 2 years from primary to archive, the only option to do this currently is using Default Policy tag or Personal tag in MRM 2.0 as these are the only retention tags which support move to archive action.

 

SCC Retention or even Retention Labels doesn’t provide us the same option of moving emails to archive mailbox. So, in this case EAC based retention is the only option (currently). This is probably the only advantage of using EAC based retention.

 

Does it mean that I can apply EAC based retention and SCC Retention to the same mailbox?

 

Yes, you can.

 

It’s important note that a given mailbox can have only one EAC based retention with multiple tags and at the same mailbox can have multiple SCC Retention policies and Retention labels policies.

I would recommend using EAC based retention to meet your archiving (mailbox) needs and SCC retention for your retention needs.


But what about emails in the Recoverable Items folder in Primary mailbox?

 

As Recoverable items has its own quota, in order to prevent it from being full, you can opt to archive emails from your primary mailbox’s recoverable items to archive mailbox’s recoverable items. There is a special tag called “Recoverable Items tag” in EAC based retention which only support the move to archive action can move emails from Recoverable items folder of Primary mailbox to Recoverable items folder of Archive mailbox.

 

So, if you are planning to use EAC based retention for archiving purpose and SCC retention to meet your retention needs, your sample policies should look as below.

 

SCC Post Image 5.png

 

With above EAC based retention policy in place, emails (as well as other items) older than 180 days in users mail folders will be moved to archive mailbox, at the same time deleted content in Recoverable items of Primary mailbox will be moved to Recoverable items of archive mailbox after 14 days.

 

Also, when you are planning to use SCC retention along with EAC based retention policy it is important to understand how precedence works in EAC based retention like;

  • Default Policy tag (DPT) with move to Archive action always overwrites the Retention Policy tag (RPT) or the Personal tag (PT), when the age limit for retention of DPT is lower than of RPT or PT.
  • Explicitly assign tag wins over an implicit tag

It’s important to plan your policies & test the policies on test mailboxes to understand the behavior.

Organizations share a common goal of having consistent approach to categorize, classify important content from its creation, retention and disposal. In achieving this goal it’s critical that administrators and Information Management teams carefully plan and test their data governance strategy.

Hope this post helps.

 

Big Thanks to Vikas Soundade (Support Escalation Engineer) for authoring this post and Linda Harrell (Supportability PM – Information Protection) & Bhalchandra Atre (Supportability PM – Exchange) for reviewing this post.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Advanced eDiscovery general availability

Advanced eDiscovery general availability

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Today, we are excited to announce that the new and improved Advanced eDiscovery experience in Microsoft 365 is now generally available. Customers told us we need an eDiscovery solution that provides a custodian based approach to holding content, ability to communicate with custodians with hold notices and escalations, a static set of content to work with once a case is established and the ability to review and update content prior to export.

 

With this update, Advanced eDiscovery will now do those things and more.

 

See more about how this experience works in the recent Microsoft Mechanics video

 

 

 

Manage custodians, hold notifications, review sets and review in-place with Advanced eDiscovery

 

With this release of Advanced eDiscovery the product now has more feature functionality to address common work flow requirements, and a significant improvement in platform that surfaces as improved performance, reliability and completeness across the eDiscovery process.

 

Now manage custodians within a case, and place content on hold by custodian owned and shared locations. For example quickly search your address list for related individuals, add their exchange mailbox and OneDrive content to a hold, and then see their membership to shared locations like Teams, and add those locations to the hold as well.

custodian.png

 

Issue and track hold notifications to meet the requirements to inform individuals that they are part of an investigation or litigation. Now define the communication, embed acknowledgement links into the communication – issue, re-issue, escalate – and track the responses from custodians.

hold notice.png

 

Once you have identified your initial set of content, add it to a review set for further processing with advanced analytics and custom tag panel. Iteratively search and refine content within the review set to cull to the most relevant data with native capabilities like themes, email threads, near duplicate detection and more.

review set.png

 

Within the review set you can then start to take action with the integrated review capability. Review the content in native, text or annotate view, and mark that content with redactions, or annotations prior to production. Export has improved too – more options for export including exporting a pdf of the redacted file as part of the export instead of the original.

redaction.png

 

Preview feedback has been strong

 

Over the last few months customers of all sizes have tested out the new experience and provided lots of feedback on the capabilities, performance, user experience and the next set of features they would like to see included in the product.

It has been great to hear some of the candid feedback from customers and analysts who have been following our progress closely. Notable sound bites include:

 

  • This new Advanced eDiscovery experience is “beautiful”
  • This new Advanced eDiscovery experience is a “massive overhaul and very impressive”
  • “This update is an impressive step forward over a relatively short period of time”

 

Get started today

 

Are you ready to get started today? Take a look at our supporting documentation and add or start an E5, Advanced Compliance or E5 Compliance trial today. Need to learn more? Reach out to your Microsoft account rep for a detailed demo and walk thru.

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Manage compliance from one place beyond Microsoft Cloud with Compliance Manager

Manage compliance from one place beyond Microsoft Cloud with Compliance Manager

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Many compliance professionals and risk assessors use manual processes to record and track their day-to-day work. This is time-consuming and labor-intensive, and it inhibits efficient collaboration, especially across teams. Research shows that around 40% of companies spend more than 4 hours a week creating and amending reports[I]. This leaves compliance professionals, risk assessors and privacy professionals with less time to spend on strategic activities. The right tools can help these professionals simplify compliance management processes and increase efficiency and productivity.

 

Since we announced the general availability of Compliance Manager last year, a lot of you asked for the ability to create your own assessments for applications or regulations that weren’t already covered in Compliance Manager. Many of you also asked for automation and integration with other Microsoft solutions.

 

Apropos of that, we are thrilled to announce the public preview of Compliance Manager new experience, which includes the following enhancements:

 

Custom assessment: You can build and import templates that enable you to create assessments for any application or service (including on-premises and non-Microsoft apps and services) against any regulation or standard. You can also customize built-in assessments by adding your own controls and actions. This enables you to use Compliance Manager as your centralized compliance management tool to collaborate with stakeholders, collect evidence and prepare for audit reports in a secure and compliant cloud environment.

 

Assessment Dashboard_vF.pngAdd new templates of risk assessments in Compliance Manager for non-Microsoft apps.

Automatically assess security-oriented controls: Compliance Manager works with Microsoft Secure Score to detect changes to your tenant configuration and automatically record the implementation of security controls once you enable the “continuous Secure Score update” in settings. For example, after you configure multi-factor authentication for admins in your tenant, your Compliance Score and your Secure Score will both increase accordingly. Compliance Manager automatically reflects the updated status and records activity logs. This feature represents our first step toward automated control assessments that enhance the credibility of control testing.

 

Secure Score Implementation_vF.pngMulti-factor authentication control is updated automatically via the signals from Secure Score.Action-based experience: Compliance Manager includes a new action pivot that streamlines the required and recommended activities by allowing you to focus on the necessary tasks instead of each control. This sets the foundation for us to build deeper integration between technical requirements and security and compliance solutions.

 

With these new features, you can manage compliance from one place beyond Microsoft Cloud, reduce the burden of relying on manual processes, and increase your productivity to focus more on the strategic tasks.

 

Access the new Compliance Manager features in the public preview that available on the Service Trust Portal today. The new features are available for all commercial plans as additional values. We would love to hear what you think of the new features during the public preview period. You can learn more about Compliance Manager and how to use the new features in this supporting document.

 

Frequently Asked Questions

How long will Microsoft keep the data in the previous version of Compliance Manager?

We plan to keep the data in the previous version of Compliance Manager for at least 12 months from GA of the new experience to allow organizations to migrate assessments into the new experience.

 

What do organizations need to do before using the new features?

Organizations need to assign permission roles before turning on the “continuous update from Secure Score”, so only people with permission will see the tenant-specific information, such as the status of the security-oriented controls (see these instructions).

 

How often does Compliance Manager receive updates from Secure Score?

Once you turn on the continuous updates from Secure Score, you will receive the signal from Secure Score every 24 hours.

 

Why do organizations need to turn on continuous update from Secure Score for each action, but not doing it with one-time configuration for the whole tenant?

We will introduce a tenant-wide switch to turn the “continuous updates from Secure Score” on and off when the new experience reaches generally available.

 

We provide granular control on a per-action basis in case you use other third-party tools to implement controls and want to mark controls as “alternative implementation”.

 

What are other changes made for Microsoft Compliance Score in the new experience?

In the new experience, you will find that Microsoft Compliance is presented in percentage instead of numeric numbers. Additionally, we now only account for the score from customer-managed actions, not including the actions from Microsoft-managed actions. Therefore, the denominator of the percentage is the total score you can get from all the customer-managed actions. The nominator is the accumulated score from the actions you implemented and marked as passed for the test results.

 

We made the changes to align the presentation of Microsoft Compliance Score with Secure Score, so organizations can interpret both scores in a similar way.

 

Which cloud services are covered by the new Compliance Manager experience?

You can find the list of cloud services and the regulations/standards covered listed below:

  • Office 365: FedRAMP Moderate, NIST 800-53, NIST 800-171, ISO 27001, ISO 27018, FFIEC, HIPAA, NIST CSF, CSA CCM
  • Intune: FFIEC

We are working on adding GDPR assessment soon in a few weeks.  

Note that coverage of regulations and standards in Compliance Manager varies by product. We will keep adding and updating the information in the future and our goal is to provide similar experience of using Compliance Manager for all Microsoft Cloud services. Please keep providing us feedback in the areas you see strong customer demands, so we can give the feedback to the product team for prioritization.

 

What licenses do I need to access Compliance Manager?

Compliance Manager is an additional value within Office 365 for all Business and Enterprise customers in public clouds. GCC customers can access Compliance Manager, however users should evaluate whether to use the document upload feature of compliance manager, as the storage for document upload is compliant with Office 365 Tier C only. Compliance Manager is not yet available in sovereign clouds including DoD, Office 365 Operated by 21 Vianet, and Office 365 Germany.

 

[i] Thomson Reuters – Cost of Compliance 2018

 

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

How Microsoft can help organizations differentiate with the new Ohio Data Protection Act

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Today’s post was written by Alonzo Barber, Senior Attorney – Corporate, External, and Legal Affairs

 

Ohio recently enacted the Ohio Data Protection Act (“ODPA”), the first legislation of its kind in the United States.  The law provides a comprehensive legal incentive for cybersecurity investment and may be a game changer to the technology and legal landscape for Ohio businesses. The Ohio State and Cleveland Marshall Schools of Law published a white paper analysis of the ODPA.  The whitepaper specifically calls out the important role that cloud service providers, like Microsoft, can play to enable businesses to avail themselves of the benefits of the ODPA through a shared responsibility model for protecting data. 

 

This response to the white paper provides an overview of Microsoft’s commitment to compliance, privacy and security of our customer’s data. Also included below are highlights to several tools and resources that Information Technology Professionals can use to build and manage a robust cyber security framework within their organization to allow them to take full advantage of the protections under the ODPA.

 

What is the ODPA

The Ohio Data Protection Act is unique among state laws seeking to improve data security. Instead of setting minimum cybersecurity standards or imposing new penalties, the ODPA provides an incentive for businesses to create, maintain, and comply with a cybersecurity program that conforms to industry best practices.  The law does this by providing an affirmative defense for tort claims arising out of a data breach, brought in an Ohio court or under Ohio law, if that business can show reasonable conformity to one of the ten cyber security frameworks enumerated in the legislation[1].

At a basic level, a company must create, maintain, and demonstrate compliance with a written cybersecurity program that includes administrative, technical, and physical safeguards to protect data.  ODPA offers a company flexibility to select appropriate safeguards by taking into account several factors, including the resources available to the company and the risk level associated with the protected information the company maintains in its systems.

 

Moving your data to the Microsoft Cloud moves your company closer to compliance with ODPA

When businesses trust their enterprise data to cloud service providers, the business and the service provider share responsibility to protect the data.  The business never fully relinquishes ultimate responsibility for the security and protection of the data.  However, when an organization moves workloads to the cloud, the business can take advantage of the service provider’s compliance profile to satisfy many of the compliance obligations required on the ODPA.  Microsoft has a compliance profile that meets or exceeds hundreds of global security and data protection standards and regulations, including all of the security frameworks listed in ODPA[2]

 

Microsoft assists your company with managing your compliance program

Under the ODPA, Ohio businesses must demonstrate adherence to an appropriate data security program within their organization that reasonably confirms with the stated security frameworks set forth in the Act.  Microsoft offers several tools and resources to assist our customers in managing internal controls for protecting their data that our customers can use to demonstrate they adhere to a data security program.

 

Microsoft Trust Center: https://www.microsoft.com/en-us/trustcenter

The Microsoft Trust Center provides a holistic view into how Microsoft addresses privacy, security and compliance across all of its cloud products and services.  The Trust Center is also the repository for various tools and resources to educate consumers on how Microsoft instills trust in our cloud. 

 

Service Trust Portal: https://servicetrust.microsoft.com/

The Microsoft Service Trust Portal provides customers with a variety of content, tools, third-party audit reports, and other resources about Microsoft security, privacy and compliance practices. Microsoft makes available independent third-party audit reports of our online services, and information about how they can help your organization maintain and track compliance with standards, laws, and regulations.

 

Compliance Manager: https://servicetrust.microsoft.com/ComplianceManager

With the free Microsoft Compliance Manager tool, compliance and Information Technology Professionals are able to interactively track the various controls for a specific regulation or security framework and identify which controls Microsoft’s cloud satisfies along with those controls that will be managed by the customer.  Compliance Manager also offers templates for establishing and documenting internal compliance processes.  Customers can also perform their own security risk assessment via Compliance Manager and benchmark results against other businesses. 

 

Enterprise Mobility and Security website: https://www.microsoft.com/en-us/enterprise-mobility-security

Microsoft Enterprise Mobility and Security (EMS) is an intelligent mobility management and security platform. It helps protect and secure your organization and empowers your employees to work in new and flexible ways.  This service also provides a single view into the controls you will use to manage the spectrum of security, including threat management, data governance, and search and investigation. EMS increases the security features of Windows 10 and Office 365 and extends them to your entire environment including third-party investments.

 

[1] NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF); NIST Special Publication 800-171; NIST Special Publications 800-53 and 800-53a; FedRAMP Security Assessment Framework (FedRAMP SAF); Center for Internet Security’s “Critical Security Controls for Effective Cyber Defense” (CIS Controls); ISO/IEC 27000 Family – Information Security Management Systems  (ISO 27000 Family); Health Insurance Portability and Accountability Ace security requirements (HIPAA); Gramm-Leach-Bliley Act Title V (GLBA); Federal Information Security Modernization Act of 2014 (FISMA); and Health Information Technology for Economic and Clinical Health Act (HITECH).

[2] https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Don’t miss the Compliance & Security Virtual Conference on May 14

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

In the present, ever-evolving threat landscape, many organizations find their biggest challenges in digital transformation to be ensuring security, privacy, and compliance. With the number of cybersecurity attacks on the rise, tighter local and global data privacy regulations, and the constant demand to ensure employees productivity, the need for an effective solution has never been greater.

 

The Virtual Conference on Compliance and Security is coming on May 14. We invite you to register for a live event where you’ll learn how to transform your business while remaining secure and compliant in a rapidly evolving world.

 

Event opportunities:

  • Hear perspectives from industry leaders and peers on key changes and regulations affecting personal privacy and controls.
  • Learn about Microsoft’s commitment to compliance across industries in Canada and the United States.
  • Stay up-to-date on how technology solutions can help your organization throughout its journey towards compliance.
  • Obtain next steps for your organization around risk assessment, data protection, and response to regulatory requests.

Visit the registration page to learn more details about the event, including a preview of the agenda and session overviews. Invite your colleagues and register today to reserve your spot. We hope to see you at the Compliance & Security Virtual Conference!

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Office 365 ATP offers unparalleled protection from targeted and zero-day attacks over email and other collaboration vectors. Building over the massive threat intelligence signal available in the Microsoft Intelligent Security Graph and pairing it with sophisticated Machine Learning algorithms, Office 365 ATP offers security teams best-in-class prevention, detection and response capabilities to keep their organizations secure with stellar effectiveness and efficiency. And today we’re extremely excited to announce new Automation capabilities in Office 365 ATP that further amplify the efficiency of security teams as they investigate and respond to threats within their organization.

 

The broad intelligence of the Microsoft Security Graph that supports all of the Advanced Threat Protection products from Microsoft and the deep integration between them forms the backbone of Microsoft Threat Protection that offers security teams amazing capabilities to protect their organizations across their users, devices, email, applications, data and infrastructure. And the automation capabilities we’re announcing today further strengthen the overall automation story of Microsoft Threat Protection.

 

Security Dashboard.pngSecurity Dashboard showing summary of automated investigations

 

Challenges faced by SecOps today

 

To set some context, we continue to hear from customers that dealing with incident response quickly and effectively is a big challenge facing their SecOps teams. One key issue is the lack of available resources and expertise needed to analyze signals and respond to incidents in an efficient way. There are just too many alerts to investigate and signals to correlate. And SecOps teams are constantly struggling with budget and time.

 

A typical Security team member goes through the following cycle of investigation day in and day out.

 

A day in the life.png

 

Every single security alert goes through the above process and with the huge volume of alerts that need to be looked at, it can quickly become challenging for security teams to scale. Intelligent correlation of signals and automatic investigation of alerts can significantly reduce the manual effort and time for incident response.

 

Automation can significantly reduce the time, effort and resources needed for incident response

 

Last year, we shared how Office 365 ATP can help security teams become more effective and efficient in the threat investigation and response process. This research from Forrester also revealed huge cost savings when using our Office 365 Threat Intelligence service.

 

Composite Organization.png

 

The new automation capabilities in Office 365 ATP goes even further in being able to bring more effectiveness and efficiency into SecOps flows.

 

Introducing new security playbooks within Office 365 ATP

 

Security playbooks are the foundation of automated incident response. They are the back-end policies that admins can select to trigger automatic investigation. The playbooks are built off our experience with real-world security scenarios. Based on our visibility and experience into the threat landscape we’ve designed these playbooks which tackle the most frequent threats.

 

Security playbooks.pngSecurity playbooks are the foundation of AIR

 

We’re delighted to announce the public preview of two playbooks that help investigate key threats and alerts within Office 365 with recommended actions for containment and mitigation.

 

  • User reports a phishing email— This alert will trigger an automatic investigation using the User Reported Messages Playbook when users use the “Report Message” button to report a phishing email.
  • User clicks on a malicious link— This alert will trigger an automatic investigation using the Weaponized URL playbook when an Office 365 ATP Safe Links protected URL clicked by a user is determined to be malicious through detonation (change in verdict) or if the user overrides (clicks through) the Office 365 ATP Safe Links warning pages.

 

Over the new few weeks and months we’ll continue to add even more playbooks.

Alert automatically.pngAlert automatically triggers investigation when a user reports an email as phish

Investigation graph.pngInvestigation graph showing a summary of relevant emails and users with threats and recommended actions.

You can learn more about how the SecOps teams can use these playbooks in this article.

Watch below:

to see the playbooks in action.

 

Triggering an automated investigation from the Threat Explorer

 

In addition to these playbooks, we’re also adding the ability to manually trigger automated investigations from the Threat Explorer. The Threat Explorer has become an invaluable tool for many security teams to hunt for and investigate threats within the O365 productivity suite as security teams use it to search for bad actors or IOCs. With the new ability to trigger an automatic investigation from within the Threat Explorer, security teams can leverage the efficiency and effectiveness gains that come with automation as part their hunting/investigation flow. This allows them to gain visibility into any potential threat instantly with relevant recommendations.

 

Triggering automated.pngTriggering automated investigations from the Threat Explorer for All email view

 

We’re only getting started

 

Automation for incident response will become a much more important part of an enterprise-grade security solution.  It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization.  Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.

 

The automation capabilities announced today paired with the automation within the Microsoft Defender Advanced Threat Protection offering form the backbone of the powerful integrated automated protection that comes as part of the  Microsoft Threat Protection stack to enable better

detection, more insightful investigations, and more rapid remediation across multiple vectors such as emails, users and devices.

 

This is just the beginning. We’ll be rolling out more playbooks to address the most common threat scenarios. We invite you to try these playbooks out and provide feedback.

 

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Office 365 ATP offers unparalleled protection from targeted and zero-day attacks over email and other collaboration vectors. Building over the massive threat intelligence signal available in the Microsoft Intelligent Security Graph and pairing it with sophisticated Machine Learning algorithms, Office 365 ATP offers security teams best-in-class prevention, detection and response capabilities to keep their organizations secure with stellar effectiveness and efficiency. And today we’re extremely excited to announce new Automation capabilities in Office 365 ATP that further amplify the efficiency of security teams as they investigate and respond to threats within their organization.

 

The broad intelligence of the Microsoft Security Graph that supports all of the Advanced Threat Protection products from Microsoft and the deep integration between them forms the backbone of Microsoft Threat Protection that offers security teams amazing capabilities to protect their organizations across their users, devices, email, applications, data and infrastructure. And the automation capabilities we’re announcing today further strengthen the overall automation story of Microsoft Threat Protection.

 

Security Dashboard.pngSecurity Dashboard showing summary of automated investigations

 

Challenges faced by SecOps today

 

To set some context, we continue to hear from customers that dealing with incident response quickly and effectively is a big challenge facing their SecOps teams. One key issue is the lack of available resources and expertise needed to analyze signals and respond to incidents in an efficient way. There are just too many alerts to investigate and signals to correlate. And SecOps teams are constantly struggling with budget and time.

 

A typical Security team member goes through the following cycle of investigation day in and day out.

 

A day in the life.png

 

Every single security alert goes through the above process and with the huge volume of alerts that need to be looked at, it can quickly become challenging for security teams to scale. Intelligent correlation of signals and automatic investigation of alerts can significantly reduce the manual effort and time for incident response.

 

Automation can significantly reduce the time, effort and resources needed for incident response

 

Last year, we shared how Office 365 ATP can help security teams become more effective and efficient in the threat investigation and response process. This research from Forrester also revealed huge cost savings when using our Office 365 Threat Intelligence service.

 

Composite Organization.png

 

The new automation capabilities in Office 365 ATP goes even further in being able to bring more effectiveness and efficiency into SecOps flows.

 

Introducing new security playbooks within Office 365 ATP

 

Security playbooks are the foundation of automated incident response. They are the back-end policies that admins can select to trigger automatic investigation. The playbooks are built off our experience with real-world security scenarios. Based on our visibility and experience into the threat landscape we’ve designed these playbooks which tackle the most frequent threats.

 

Security playbooks.pngSecurity playbooks are the foundation of AIR

 

We’re delighted to announce the public preview of two playbooks that help investigate key threats and alerts within Office 365 with recommended actions for containment and mitigation.

 

  • User reports a phishing email— This alert will trigger an automatic investigation using the User Reported Messages Playbook when users use the “Report Message” button to report a phishing email.
  • User clicks on a malicious link— This alert will trigger an automatic investigation using the Weaponized URL playbook when an Office 365 ATP Safe Links protected URL clicked by a user is determined to be malicious through detonation (change in verdict) or if the user overrides (clicks through) the Office 365 ATP Safe Links warning pages.

 

Over the new few weeks and months we’ll continue to add even more playbooks.

Alert automatically.pngAlert automatically triggers investigation when a user reports an email as phish

Investigation graph.pngInvestigation graph showing a summary of relevant emails and users with threats and recommended actions.

You can learn more about how the SecOps teams can use these playbooks in this article.

Watch below:

to see the playbooks in action.

 

Triggering an automated investigation from the Threat Explorer

 

In addition to these playbooks, we’re also adding the ability to manually trigger automated investigations from the Threat Explorer. The Threat Explorer has become an invaluable tool for many security teams to hunt for and investigate threats within the O365 productivity suite as security teams use it to search for bad actors or IOCs. With the new ability to trigger an automatic investigation from within the Threat Explorer, security teams can leverage the efficiency and effectiveness gains that come with automation as part their hunting/investigation flow. This allows them to gain visibility into any potential threat instantly with relevant recommendations.

 

Triggering automated.pngTriggering automated investigations from the Threat Explorer for All email view

 

We’re only getting started

 

Automation for incident response will become a much more important part of an enterprise-grade security solution.  It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization.  Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.

 

The automation capabilities announced today paired with the automation within the Microsoft Defender Advanced Threat Protection offering form the backbone of the powerful integrated automated protection that comes as part of the  Microsoft Threat Protection stack to enable better

detection, more insightful investigations, and more rapid remediation across multiple vectors such as emails, users and devices.

 

This is just the beginning. We’ll be rolling out more playbooks to address the most common threat scenarios. We invite you to try these playbooks out and provide feedback.

 

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Office 365 ATP offers unparalleled protection from targeted and zero-day attacks over email and other collaboration vectors. Building over the massive threat intelligence signal available in the Microsoft Intelligent Security Graph and pairing it with sophisticated Machine Learning algorithms, Office 365 ATP offers security teams best-in-class prevention, detection and response capabilities to keep their organizations secure with stellar effectiveness and efficiency. And today we’re extremely excited to announce new Automation capabilities in Office 365 ATP that further amplify the efficiency of security teams as they investigate and respond to threats within their organization.

 

The broad intelligence of the Microsoft Security Graph that supports all of the Advanced Threat Protection products from Microsoft and the deep integration between them forms the backbone of Microsoft Threat Protection that offers security teams amazing capabilities to protect their organizations across their users, devices, email, applications, data and infrastructure. And the automation capabilities we’re announcing today further strengthen the overall automation story of Microsoft Threat Protection.

 

Security Dashboard.pngSecurity Dashboard showing summary of automated investigations

 

Challenges faced by SecOps today

 

To set some context, we continue to hear from customers that dealing with incident response quickly and effectively is a big challenge facing their SecOps teams. One key issue is the lack of available resources and expertise needed to analyze signals and respond to incidents in an efficient way. There are just too many alerts to investigate and signals to correlate. And SecOps teams are constantly struggling with budget and time.

 

A typical Security team member goes through the following cycle of investigation day in and day out.

 

A day in the life.png

 

Every single security alert goes through the above process and with the huge volume of alerts that need to be looked at, it can quickly become challenging for security teams to scale. Intelligent correlation of signals and automatic investigation of alerts can significantly reduce the manual effort and time for incident response.

 

Automation can significantly reduce the time, effort and resources needed for incident response

 

Last year, we shared how Office 365 ATP can help security teams become more effective and efficient in the threat investigation and response process. This research from Forrester also revealed huge cost savings when using our Office 365 Threat Intelligence service.

 

Composite Organization.png

 

The new automation capabilities in Office 365 ATP goes even further in being able to bring more effectiveness and efficiency into SecOps flows.

 

Introducing new security playbooks within Office 365 ATP

 

Security playbooks are the foundation of automated incident response. They are the back-end policies that admins can select to trigger automatic investigation. The playbooks are built off our experience with real-world security scenarios. Based on our visibility and experience into the threat landscape we’ve designed these playbooks which tackle the most frequent threats.

 

Security playbooks.pngSecurity playbooks are the foundation of AIR

 

We’re delighted to announce the public preview of two playbooks that help investigate key threats and alerts within Office 365 with recommended actions for containment and mitigation.

 

  • User reports a phishing email— This alert will trigger an automatic investigation using the User Reported Messages Playbook when users use the “Report Message” button to report a phishing email.
  • User clicks on a malicious link— This alert will trigger an automatic investigation using the Weaponized URL playbook when an Office 365 ATP Safe Links protected URL clicked by a user is determined to be malicious through detonation (change in verdict) or if the user overrides (clicks through) the Office 365 ATP Safe Links warning pages.

 

Over the new few weeks and months we’ll continue to add even more playbooks.

Alert automatically.pngAlert automatically triggers investigation when a user reports an email as phish

Investigation graph.pngInvestigation graph showing a summary of relevant emails and users with threats and recommended actions.

You can learn more about how the SecOps teams can use these playbooks in this article.

Watch below:

to see the playbooks in action.

 

Triggering an automated investigation from the Threat Explorer

 

In addition to these playbooks, we’re also adding the ability to manually trigger automated investigations from the Threat Explorer. The Threat Explorer has become an invaluable tool for many security teams to hunt for and investigate threats within the O365 productivity suite as security teams use it to search for bad actors or IOCs. With the new ability to trigger an automatic investigation from within the Threat Explorer, security teams can leverage the efficiency and effectiveness gains that come with automation as part their hunting/investigation flow. This allows them to gain visibility into any potential threat instantly with relevant recommendations.

 

Triggering automated.pngTriggering automated investigations from the Threat Explorer for All email view

 

We’re only getting started

 

Automation for incident response will become a much more important part of an enterprise-grade security solution.  It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization.  Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.

 

The automation capabilities announced today paired with the automation within the Microsoft Defender Advanced Threat Protection offering form the backbone of the powerful integrated automated protection that comes as part of the  Microsoft Threat Protection stack to enable better

detection, more insightful investigations, and more rapid remediation across multiple vectors such as emails, users and devices.

 

This is just the beginning. We’ll be rolling out more playbooks to address the most common threat scenarios. We invite you to try these playbooks out and provide feedback.

 

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Office 365 ATP offers unparalleled protection from targeted and zero-day attacks over email and other collaboration vectors. Building over the massive threat intelligence signal available in the Microsoft Intelligent Security Graph and pairing it with sophisticated Machine Learning algorithms, Office 365 ATP offers security teams best-in-class prevention, detection and response capabilities to keep their organizations secure with stellar effectiveness and efficiency. And today we’re extremely excited to announce new Automation capabilities in Office 365 ATP that further amplify the efficiency of security teams as they investigate and respond to threats within their organization.

 

The broad intelligence of the Microsoft Security Graph that supports all of the Advanced Threat Protection products from Microsoft and the deep integration between them forms the backbone of Microsoft Threat Protection that offers security teams amazing capabilities to protect their organizations across their users, devices, email, applications, data and infrastructure. And the automation capabilities we’re announcing today further strengthen the overall automation story of Microsoft Threat Protection.

 

Security Dashboard.pngSecurity Dashboard showing summary of automated investigations

 

Challenges faced by SecOps today

 

To set some context, we continue to hear from customers that dealing with incident response quickly and effectively is a big challenge facing their SecOps teams. One key issue is the lack of available resources and expertise needed to analyze signals and respond to incidents in an efficient way. There are just too many alerts to investigate and signals to correlate. And SecOps teams are constantly struggling with budget and time.

 

A typical Security team member goes through the following cycle of investigation day in and day out.

 

A day in the life.png

 

Every single security alert goes through the above process and with the huge volume of alerts that need to be looked at, it can quickly become challenging for security teams to scale. Intelligent correlation of signals and automatic investigation of alerts can significantly reduce the manual effort and time for incident response.

 

Automation can significantly reduce the time, effort and resources needed for incident response

 

Last year, we shared how Office 365 ATP can help security teams become more effective and efficient in the threat investigation and response process. This research from Forrester also revealed huge cost savings when using our Office 365 Threat Intelligence service.

 

Composite Organization.png

 

The new automation capabilities in Office 365 ATP goes even further in being able to bring more effectiveness and efficiency into SecOps flows.

 

Introducing new security playbooks within Office 365 ATP

 

Security playbooks are the foundation of automated incident response. They are the back-end policies that admins can select to trigger automatic investigation. The playbooks are built off our experience with real-world security scenarios. Based on our visibility and experience into the threat landscape we’ve designed these playbooks which tackle the most frequent threats.

 

Security playbooks.pngSecurity playbooks are the foundation of AIR

 

We’re delighted to announce the public preview of two playbooks that help investigate key threats and alerts within Office 365 with recommended actions for containment and mitigation.

 

  • User reports a phishing email— This alert will trigger an automatic investigation using the User Reported Messages Playbook when users use the “Report Message” button to report a phishing email.
  • User clicks on a malicious link— This alert will trigger an automatic investigation using the Weaponized URL playbook when an Office 365 ATP Safe Links protected URL clicked by a user is determined to be malicious through detonation (change in verdict) or if the user overrides (clicks through) the Office 365 ATP Safe Links warning pages.

 

Over the new few weeks and months we’ll continue to add even more playbooks.

Alert automatically.pngAlert automatically triggers investigation when a user reports an email as phish

Investigation graph.pngInvestigation graph showing a summary of relevant emails and users with threats and recommended actions.

You can learn more about how the SecOps teams can use these playbooks in this article.

Watch below:

to see the playbooks in action.

 

Triggering an automated investigation from the Threat Explorer

 

In addition to these playbooks, we’re also adding the ability to manually trigger automated investigations from the Threat Explorer. The Threat Explorer has become an invaluable tool for many security teams to hunt for and investigate threats within the O365 productivity suite as security teams use it to search for bad actors or IOCs. With the new ability to trigger an automatic investigation from within the Threat Explorer, security teams can leverage the efficiency and effectiveness gains that come with automation as part their hunting/investigation flow. This allows them to gain visibility into any potential threat instantly with relevant recommendations.

 

Triggering automated.pngTriggering automated investigations from the Threat Explorer for All email view

 

We’re only getting started

 

Automation for incident response will become a much more important part of an enterprise-grade security solution.  It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization.  Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.

 

The automation capabilities announced today paired with the automation within the Microsoft Defender Advanced Threat Protection offering form the backbone of the powerful integrated automated protection that comes as part of the  Microsoft Threat Protection stack to enable better

detection, more insightful investigations, and more rapid remediation across multiple vectors such as emails, users and devices.

 

This is just the beginning. We’ll be rolling out more playbooks to address the most common threat scenarios. We invite you to try these playbooks out and provide feedback.

 

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Office 365 ATP offers unparalleled protection from targeted and zero-day attacks over email and other collaboration vectors. Building over the massive threat intelligence signal available in the Microsoft Intelligent Security Graph and pairing it with sophisticated Machine Learning algorithms, Office 365 ATP offers security teams best-in-class prevention, detection and response capabilities to keep their organizations secure with stellar effectiveness and efficiency. And today we’re extremely excited to announce new Automation capabilities in Office 365 ATP that further amplify the efficiency of security teams as they investigate and respond to threats within their organization.

 

The broad intelligence of the Microsoft Security Graph that supports all of the Advanced Threat Protection products from Microsoft and the deep integration between them forms the backbone of Microsoft Threat Protection that offers security teams amazing capabilities to protect their organizations across their users, devices, email, applications, data and infrastructure. And the automation capabilities we’re announcing today further strengthen the overall automation story of Microsoft Threat Protection.

 

Security Dashboard.pngSecurity Dashboard showing summary of automated investigations

 

Challenges faced by SecOps today

 

To set some context, we continue to hear from customers that dealing with incident response quickly and effectively is a big challenge facing their SecOps teams. One key issue is the lack of available resources and expertise needed to analyze signals and respond to incidents in an efficient way. There are just too many alerts to investigate and signals to correlate. And SecOps teams are constantly struggling with budget and time.

 

A typical Security team member goes through the following cycle of investigation day in and day out.

 

A day in the life.png

 

Every single security alert goes through the above process and with the huge volume of alerts that need to be looked at, it can quickly become challenging for security teams to scale. Intelligent correlation of signals and automatic investigation of alerts can significantly reduce the manual effort and time for incident response.

 

Automation can significantly reduce the time, effort and resources needed for incident response

 

Last year, we shared how Office 365 ATP can help security teams become more effective and efficient in the threat investigation and response process. This research from Forrester also revealed huge cost savings when using our Office 365 Threat Intelligence service.

 

Composite Organization.png

 

The new automation capabilities in Office 365 ATP goes even further in being able to bring more effectiveness and efficiency into SecOps flows.

 

Introducing new security playbooks within Office 365 ATP

 

Security playbooks are the foundation of automated incident response. They are the back-end policies that admins can select to trigger automatic investigation. The playbooks are built off our experience with real-world security scenarios. Based on our visibility and experience into the threat landscape we’ve designed these playbooks which tackle the most frequent threats.

 

Security playbooks.pngSecurity playbooks are the foundation of AIR

 

We’re delighted to announce the public preview of two playbooks that help investigate key threats and alerts within Office 365 with recommended actions for containment and mitigation.

 

  • User reports a phishing email— This alert will trigger an automatic investigation using the User Reported Messages Playbook when users use the “Report Message” button to report a phishing email.
  • User clicks on a malicious link— This alert will trigger an automatic investigation using the Weaponized URL playbook when an Office 365 ATP Safe Links protected URL clicked by a user is determined to be malicious through detonation (change in verdict) or if the user overrides (clicks through) the Office 365 ATP Safe Links warning pages.

 

Over the new few weeks and months we’ll continue to add even more playbooks.

Alert automatically.pngAlert automatically triggers investigation when a user reports an email as phish

Investigation graph.pngInvestigation graph showing a summary of relevant emails and users with threats and recommended actions.

You can learn more about how the SecOps teams can use these playbooks in this article.

Watch below:

to see the playbooks in action.

 

Triggering an automated investigation from the Threat Explorer

 

In addition to these playbooks, we’re also adding the ability to manually trigger automated investigations from the Threat Explorer. The Threat Explorer has become an invaluable tool for many security teams to hunt for and investigate threats within the O365 productivity suite as security teams use it to search for bad actors or IOCs. With the new ability to trigger an automatic investigation from within the Threat Explorer, security teams can leverage the efficiency and effectiveness gains that come with automation as part their hunting/investigation flow. This allows them to gain visibility into any potential threat instantly with relevant recommendations.

 

Triggering automated.pngTriggering automated investigations from the Threat Explorer for All email view

 

We’re only getting started

 

Automation for incident response will become a much more important part of an enterprise-grade security solution.  It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization.  Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.

 

The automation capabilities announced today paired with the automation within the Microsoft Defender Advanced Threat Protection offering form the backbone of the powerful integrated automated protection that comes as part of the  Microsoft Threat Protection stack to enable better

detection, more insightful investigations, and more rapid remediation across multiple vectors such as emails, users and devices.

 

This is just the beginning. We’ll be rolling out more playbooks to address the most common threat scenarios. We invite you to try these playbooks out and provide feedback.

 

Exchange Online Mailbox Auditing Enabled By Default

Exchange Mailbox Auditing has now been enabled by default and rolled out worldwide, with the rollout to Unified Audit Log in Security and Compliance Center still in progress. If you are an Office 365 Customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.  

 

As part of this change, we are also introducing the DefaultAuditSet parameter which would help you get back to the default set of verbs. DefaultAuditSet can be used to set the different action sets (Owner, Admin, Delegate) back to the service default audit events on a per-mailbox basis. 

 

As an example, If you want to bring Owner action sets back to default for a mailbox which was on custom events for all action sets, you perform the following operations:  

 

Set-Mailbox [username] -DefaultAuditSet Owner 

 

Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  

 

Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 

Output: 

AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation} 

AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, 

                                UpdateCalendarDelegation} 

AuditDelegate   : {Move} 

 

To remove a mailbox from the default audit set event, you can go ahead, and add custom actions to the mailbox. This would remove it from the default set of actions. However, this would also mean, that any future audit events added to the default set would not be available automatically by default, and would need to be added manually.  

 

Find more information:

Exchange Online Mailbox Auditing Enabled By Default

Exchange Mailbox Auditing has now been enabled by default and rolled out worldwide, with the rollout to Unified Audit Log in Security and Compliance Center still in progress. If you are an Office 365 Customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.  

 

As part of this change, we are also introducing the DefaultAuditSet parameter which would help you get back to the default set of verbs. DefaultAuditSet can be used to set the different action sets (Owner, Admin, Delegate) back to the service default audit events on a per-mailbox basis. 

 

As an example, If you want to bring Owner action sets back to default for a mailbox which was on custom events for all action sets, you perform the following operations:  

 

Set-Mailbox [username] -DefaultAuditSet Owner 

 

Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  

 

Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 

Output: 

AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation} 

AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, 

                                UpdateCalendarDelegation} 

AuditDelegate   : {Move} 

 

To remove a mailbox from the default audit set event, you can go ahead, and add custom actions to the mailbox. This would remove it from the default set of actions. However, this would also mean, that any future audit events added to the default set would not be available automatically by default, and would need to be added manually.  

 

Find more information:

Exchange Online Mailbox Auditing Enabled By Default

Exchange Mailbox Auditing has now been enabled by default and rolled out worldwide, with the rollout to Unified Audit Log in Security and Compliance Center still in progress. If you are an Office 365 Customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.  

 

As part of this change, we are also introducing the DefaultAuditSet parameter which would help you get back to the default set of verbs. DefaultAuditSet can be used to set the different action sets (Owner, Admin, Delegate) back to the service default audit events on a per-mailbox basis. 

 

As an example, If you want to bring Owner action sets back to default for a mailbox which was on custom events for all action sets, you perform the following operations:  

 

Set-Mailbox [username] -DefaultAuditSet Owner 

 

Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  

 

Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 

Output: 

AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation} 

AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, 

                                UpdateCalendarDelegation} 

AuditDelegate   : {Move} 

 

To remove a mailbox from the default audit set event, you can go ahead, and add custom actions to the mailbox. This would remove it from the default set of actions. However, this would also mean, that any future audit events added to the default set would not be available automatically by default, and would need to be added manually.  

 

Find more information:

Exchange Online Mailbox Auditing Enabled By Default

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

Exchange Mailbox Auditing has now been enabled by default and rolled out worldwide, with the rollout to Unified Audit Log in Security and Compliance Center still in progress. If you are an Office 365 Customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.  

 

As part of this change, we are also introducing the DefaultAuditSet parameter which would help you get back to the default set of verbs. DefaultAuditSet can be used to set the different action sets (Owner, Admin, Delegate) back to the service default audit events on a per-mailbox basis. 

 

As an example, If you want to bring Owner action sets back to default for a mailbox which was on custom events for all action sets, you perform the following operations:  

 

Set-Mailbox [username] -DefaultAuditSet Owner 

 

Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  

 

Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 

Output: 

AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation} 

AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, 

                                UpdateCalendarDelegation} 

AuditDelegate   : {Move} 

 

To remove a mailbox from the default audit set event, you can go ahead, and add custom actions to the mailbox. This would remove it from the default set of actions. However, this would also mean, that any future audit events added to the default set would not be available automatically by default, and would need to be added manually.  

 

Find more information:

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

Exchange Online Mailbox Auditing Enabled By Default

Exchange Mailbox Auditing has now been enabled by default and rolled out worldwide, with the rollout to Unified Audit Log in Security and Compliance Center still in progress. If you are an Office 365 Customer, you should be able to search and retrieve your audit data with Search-MailboxAuditLog.  

 

As part of this change, we are also introducing the DefaultAuditSet parameter which would help you get back to the default set of verbs. DefaultAuditSet can be used to set the different action sets (Owner, Admin, Delegate) back to the service default audit events on a per-mailbox basis. 

 

As an example, If you want to bring Owner action sets back to default for a mailbox which was on custom events for all action sets, you perform the following operations:  

 

Set-Mailbox [username] -DefaultAuditSet Owner 

 

Now if you verify this through Get-Mailbox, you will be able to see that AuditOwner is set to the default set of actions:  

 

Get-Mailbox [username] | fl AuditOwner, AuditAdmin, AuditDelegate 

Output: 

AuditOwner      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation} 

AuditAdmin      : {Update, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, 

                                UpdateCalendarDelegation} 

AuditDelegate   : {Move} 

 

To remove a mailbox from the default audit set event, you can go ahead, and add custom actions to the mailbox. This would remove it from the default set of actions. However, this would also mean, that any future audit events added to the default set would not be available automatically by default, and would need to be added manually.  

 

Find more information:

Your specialized compliance workspace – Microsoft 365 compliance center

Your specialized compliance workspace – Microsoft 365 compliance center

With electronic data growing exponentially across the digital estate and the increased number of new privacy regulations emerging, consumers are more aware of their privacy rights now more than ever. Compliance and privacy professionals need more tools to help them safeguard sensitive information and reduce compliance risks. To empower organizations to more effectively and efficiently take control of their data privacy, we introduced the new Microsoft 365 compliance center in January and are excited to announce its general availability today!

 

The new Microsoft 365 compliance center enables you to assess compliance risks and posture, protect and govern your data, and respond to data discovery requests in a timely manner. Here, we highlight several key compliance capabilities in the three scenarios below.

 

Simplify assessment of compliance risks and posture with actionable insights

On the Microsoft 365 compliance center homepage, you can easily find actionable insights in the Assess, Protect, and Respond sections with signals across the Microsoft 365 feature set. The homepage is the go-to dashboard for compliance and privacy teams to examine their organization’s data compliance posture.

 

To help with your regulatory compliance, we’ve brought in score insights from Compliance Manager, a cloud-based tool that helps you perform on-going risk assessments, and provides step-by-step guidance on implementing compliance controls. It also tracks and records your compliance activities to help you prepare for internal and external audits. On the Compliance Manager card, you can find a quick summary of your current compliance posture for regulations and standards including: GDPR, ISO 27001, and NIST 800-53. From here, you can visit Compliance Manager to improve your Microsoft Compliance Score.

 

M365 Compliance Center homepage.png

 

In addition to the score, you can also find insights from Microsoft Cloud App Security (MCAS) including: third-party application usage, application compliance statuses, both the users and files shared most from cloud applications, and shadow IT applications as well. Additionally, with signals from Data Loss Prevention, you can quickly examine your DLP policy matches and create new policies to protect your sensitive data.

 

Integrated protection and governance of sensitive data across devices, apps, and cloud services

To help you better protect your digital estate across devices, apps, and cloud services, we aggregated the signals for risky compliance activities in your organization’s environment, and helped you highlight the high severity ones with details so that you take the appropriate actions to remediate risks.

 

M365 Compliance Center - alerts(2).png

 

Within the new compliance center, you can also classify your most important data with sensitivity and retention labels, and configure protection and governance policies with a unified experience. Additionally, the Label analytics functionality in public preview gives you label insights across your Office 365 and non-Office 365 workloads, helping you analyze and validate your label usage.

 

M365 Compliance Center - label analytics.png

 

Under the solutions area, you can easily access compliance features that help you better govern your data. The disposition review under Data governance helps you review the content when it reaches the end of its retention period, for you to make a final decision about keeping or deleting the data. Additionally, Supervision helps organization meet communication-monitoring requirements to address internal policies or regulatory compliance. You can establish policies with intelligent conditions and identify Teams or users and the related channels or chat messages to be included in the supervision policy. Supervisors can then review content with the new built-in review experience to tag, escalate, and bulk resolve.

 

Supervision in cc screenshots.jpg

 

Intelligently respond to data discovery requests by leveraging AI to find the most relevant data

The cost of compliance has continuously increased in the past few years due to new regulations like GDPR, and the growing amount of electronic data. Organizations need assistance to discover the most relevant data to respond to regulatory requests like the Data Subject Access Requests (DSARs).

In the new Microsoft 365 compliance center, you can access the Data Subject Requests tool to create DSR cases and identify your employees’ personal data with built-in content search capabilities. With Advanced eDiscovery, you can reduce the cost and risk of common eDiscovery processes with custodian management, hold notifications, working sets and review and redact functionality built into Microsoft 365 directly.

 

M365 Compliance Center - DSR.png

 

In addition to data discovery, Microsoft 365 compliance center also provides you with access to data investigations solution in preview, which helps organizations to search for leaked or unprotected sensitive data and take actions like deleting emails or documents to remediate risks.

 

We will keep adding more compliance solutions like audit log search, content search, retention policies, archiving and more in the Microsoft 365 compliance center soon to reach parity with the solutions we provide in Office 365 Security & Compliance Center. Please don’t hesitate to give us feedback from the feedback button in the new center.

 

Get started today

To get the new Microsoft 365 security center and Microsoft 365 compliance center, your organization must have a subscription to Microsoft 365 E3 or E5, or a Volume Licensing equivalent (which consists of Office 365 Enterprise E3 or E5, Enterprise Mobility + Security E3 or E5, and Windows 10 Enterprise E3/E5). We plan to expand access to additional subscriptions and license types later in the year. Users must be assigned the Global Administrator, Compliance Administrator, or Compliance Data Administrator role in Azure Active Directory to access the new Microsoft 365 compliance center.

 

You can start using the Microsoft 365 compliance center today by visiting compliance.microsoft.com or through the Microsoft 365 admin center. Learn more about the new experience in our technical supporting document.

Your specialized compliance workspace – Microsoft 365 compliance center

Your specialized compliance workspace – Microsoft 365 compliance center

With electronic data growing exponentially across the digital estate and the increased number of new privacy regulations emerging, consumers are more aware of their privacy rights now more than ever. Compliance and privacy professionals need more tools to help them safeguard sensitive information and reduce compliance risks. To empower organizations to more effectively and efficiently take control of their data privacy, we introduced the new Microsoft 365 compliance center in January and are excited to announce its general availability today!

 

The new Microsoft 365 compliance center enables you to assess compliance risks and posture, protect and govern your data, and respond to data discovery requests in a timely manner. Here, we highlight several key compliance capabilities in the three scenarios below.

 

Simplify assessment of compliance risks and posture with actionable insights

On the Microsoft 365 compliance center homepage, you can easily find actionable insights in the Assess, Protect, and Respond sections with signals across the Microsoft 365 feature set. The homepage is the go-to dashboard for compliance and privacy teams to examine their organization’s data compliance posture.

 

To help with your regulatory compliance, we’ve brought in score insights from Compliance Manager, a cloud-based tool that helps you perform on-going risk assessments, and provides step-by-step guidance on implementing compliance controls. It also tracks and records your compliance activities to help you prepare for internal and external audits. On the Compliance Manager card, you can find a quick summary of your current compliance posture for regulations and standards including: GDPR, ISO 27001, and NIST 800-53. From here, you can visit Compliance Manager to improve your Microsoft Compliance Score.

 

M365 Compliance Center homepage.png

 

In addition to the score, you can also find insights from Microsoft Cloud App Security (MCAS) including: third-party application usage, application compliance statuses, both the users and files shared most from cloud applications, and shadow IT applications as well. Additionally, with signals from Data Loss Prevention, you can quickly examine your DLP policy matches and create new policies to protect your sensitive data.

 

Integrated protection and governance of sensitive data across devices, apps, and cloud services

To help you better protect your digital estate across devices, apps, and cloud services, we aggregated the signals for risky compliance activities in your organization’s environment, and helped you highlight the high severity ones with details so that you take the appropriate actions to remediate risks.

 

M365 Compliance Center - alerts(2).png

 

Within the new compliance center, you can also classify your most important data with sensitivity and retention labels, and configure protection and governance policies with a unified experience. Additionally, the Label analytics functionality in public preview gives you label insights across your Office 365 and non-Office 365 workloads, helping you analyze and validate your label usage.

 

M365 Compliance Center - label analytics.png

 

Under the solutions area, you can easily access compliance features that help you better govern your data. The disposition review under Data governance helps you review the content when it reaches the end of its retention period, for you to make a final decision about keeping or deleting the data. Additionally, Supervision helps organization meet communication-monitoring requirements to address internal policies or regulatory compliance. You can establish policies with intelligent conditions and identify Teams or users and the related channels or chat messages to be included in the supervision policy. Supervisors can then review content with the new built-in review experience to tag, escalate, and bulk resolve.

 

Supervision in cc screenshots.jpg

 

Intelligently respond to data discovery requests by leveraging AI to find the most relevant data

The cost of compliance has continuously increased in the past few years due to new regulations like GDPR, and the growing amount of electronic data. Organizations need assistance to discover the most relevant data to respond to regulatory requests like the Data Subject Access Requests (DSARs).

In the new Microsoft 365 compliance center, you can access the Data Subject Requests tool to create DSR cases and identify your employees’ personal data with built-in content search capabilities. With Advanced eDiscovery, you can reduce the cost and risk of common eDiscovery processes with custodian management, hold notifications, working sets and review and redact functionality built into Microsoft 365 directly.

 

M365 Compliance Center - DSR.png

 

In addition to data discovery, Microsoft 365 compliance center also provides you with access to data investigations solution in preview, which helps organizations to search for leaked or unprotected sensitive data and take actions like deleting emails or documents to remediate risks.

 

We will keep adding more compliance solutions like audit log search, content search, retention policies, archiving and more in the Microsoft 365 compliance center soon to reach parity with the solutions we provide in Office 365 Security & Compliance Center. Please don’t hesitate to give us feedback from the feedback button in the new center.

 

Get started today

To get the new Microsoft 365 security center and Microsoft 365 compliance center, your organization must have a subscription to Microsoft 365 E3 or E5, or a Volume Licensing equivalent (which consists of Office 365 Enterprise E3 or E5, Enterprise Mobility + Security E3 or E5, and Windows 10 Enterprise E3/E5). We plan to expand access to additional subscriptions and license types later in the year. Users must be assigned the Global Administrator, Compliance Administrator, or Compliance Data Administrator role in Azure Active Directory to access the new Microsoft 365 compliance center.

 

You can start using the Microsoft 365 compliance center today by visiting compliance.microsoft.com or through the Microsoft 365 admin center. Learn more about the new experience in our technical supporting document.