Things from Me
Happy Friday everyone!
This week has been busy for me. I’m in final preparations for my sessions at the MMS MOA conference next week which means I’m hustling to get all the demos and slide talk angles completed. I’m prepping for an upcoming Microsoft Build session on Azure Open AI and somewhere in there attempting to squeeze in a much needed week off. At one point during the week, I put a “do not disturb” notice in Microsoft Teams in hopes of deterring would-be calls for help. I think that worked as I was interrupted a lot less than normal.
Next week will be great and I’m really looking forward to being at another in-person event. The weather in Minneapolis is shaping up nicely so I should be able to enjoy some outside runs throughout the week, too. I’ve been to this conference and this area many times, so I know some great places to run. For those that I’ll see next week, I hope you stop by one or many of my 5 sessions.
As incentive, I have several signed copies of the Must Learn KQL paperback book to give away as session SWAG.
For those interested in this conference and not attending this time, I’ll be posting pictures and commentary on Twitter and LinkedIn next week. Also, there’s a Miami Beach version later this year. More information about MMS Miami Beach here: https://rodtrent.com/iws
…
CANCELLED: May 3 - Better Together: Microsoft Defender Vulnerability Management & Microsoft Defender for Servers
The webinar on Better Together: Microsoft Defender Vulnerability Management & Microsoft Defender for Servers scheduled for May 3, 2023, has been canceled. Our apologies for the inconvenience. Please remove the May 3 reminder from your calendar.
…
Just a heads-up for those interested in Azure Open AI. I posted a survey recently (https://rodtrent.com/wag) and the results show a very large number of people want more Azure Open AI content. So, to help with exposing this content and the growing community there is now a new Azure Open AI LinkedIn group: https://rodtrent.com/o02
This group will be managed like the other successful LinkedIn groups I maintain.
…
That’s it from me for this week.
Talk soon.
-Rod
Things to Attend
Announcing our Attack Disruption in Microsoft 365 Defender AMA on May 3rd! Join us on Wednesday 5/3 at 9:00AM PST for an AMA (Ask Microsoft Anything) with the Attack Disruption team! This will be a text-based live hour of answering all your questions relating to the product.
Note: If you are unable to attend the live hour, you can ask your question at any time on the event page below and the team will get to it during the event.
Join here: aka.ms/AttackDisruptionAMA
Things that are Related
What is a Cloud Adoption Security Review? - Security is an ongoing journey of incremental progress and maturity, and not a static destination. The Cloud Adoption Framework provides security guidance for this journey by providing clarity for the processes and best practices. This guidance is based on real world experiences of our customers, of Microsoft's own security journey and lessons learned, and the work with other organizations like NIST or CIS.
Why you should practice rollbacks to prevent data loss in a ransomware attack - The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Tanya Janca, Founder and Chief Executive Officer (CEO) of We Hack Purple, who is known as SheHacksPurple and is the best-selling author of Alice and Bob Learn Application Security.
Things to Watch/Listen To
Microsoft's Role in Cybersecurity - This video is for aspiring cybersecurity board members, CISOs and founders who should understand the breadth of Microsoft's influence on the cybersecurity ecosystem. Ron discusses a variety of issues and opportunities executives face implementing a cybersecurity program with Microsoft technology and solutions.
Microsoft Security Insights Show Episode 150 - Mona Ghadiri, BlueVoyant - It’s MISA Month and this is our last episode of an amazing series. Just off winning MISA award “MSSP Partner of the Year,” Mona ‘Excellence’ Ghadiri with BlueVoyant joins us for an amazing discussion.
Defending at Machine Speed: Technology’s New Frontier - In security, it’s not about what technology can do, but what people can do when empowered by technology. Human expertise is a precious resource, and with the sophistication of cyberattacks increasing, breakthroughs in technology can help close the security gap. Vasu Jakkal, CVP of Security at Microsoft, will examine key technologies that are reshaping the future of cybersecurity.
Things in Techcommunity
MDE Onboard syslog/cef collectors. Possible? - Can you onboard syslog/cef collectors running either the legacy agent or the new AMA to MDE without affecting the log collector capability?
Suspected brute-force attack and None of the passwords attempted were previously used passwords - This makes me wonder. It knows it is a password that was not used before. But did the account try to login 100x times with this password or did it do 100x times a try with 100 passwords that were not used before.
Microsoft Security Tech Community - Join the other 68,000 members of the Tech Community to ask questions to the product team and get the latest on product updates. The Security Tech Community is free to join and provides the easiest way to get notified when something new is in product, and how you can implement it into your workflows.
Things in the News
RSA News: Taking XDR for SaaS apps to the next level - App Governance is now included in E5 Security - Because we are seeing a continued rise in app-based attacks, we believe this is a foundational capability for customers. That’s why today, we are excited to announce that going forward the App Governance add-on will be included in Defender for Cloud Apps at no additional cost. On June 1, 2023, new and existing customers will be able to start the opt-in process to begin using these capabilities. This means that all customers with a standalone, E5 Security, or Microsoft 365 E5, or any other license that includes Defender for Cloud Apps, will have access to App Governance, at no additional cost.
Microsoft announces the 2023 Microsoft Security Excellence Awards winners - Both technology and people are essential for creating a secure future, and we were thrilled to recognize some of the top companies and individuals in the field across 11 award categories that reflect the diverse and valuable contributions of MISA members. We were impressed by the hundreds of award nominations we received. The panel diligently reviewed each one and shortlisted five nominees for each category. Winners were then decided by the votes of Microsoft and MISA members. We are proud to announce the finalists and winners in each category.
Defender for Cloud Things
NEW: Microsoft bolsters cloud-native security in Defender for Cloud with new API security capabilities - To combat API security threats, we are thrilled to announce the public preview of Defender for APIs, a new offering as part of Microsoft Defender for Cloud – a cloud-native application protection platform. CTOs rely on Microsoft’s industry-leading Azure API Management platform to manage their most critical APIs. Now through the integration of Defender for APIs with Azure API Management, security teams can use the Defender for Cloud portal to gain visibility into these business-critical Azure APIs, understand their security posture, prioritize vulnerability fixes, and detect and respond to active runtime threats within minutes – using machine-learning powered anomalous and suspicious API usage detections.
BLOG: Manage DevOps Security Posture & Governance through single pane of glass with Defender for DevOps - Defender for DevOps helps unify and strengthen insights to prioritize remediation and manage DevOps security posture across multi-pipeline environments, such as GitHub and Azure DevOps.
New DOCS: About Microsoft Defender for APIs - Microsoft Defender for APIs is a plan provided by Microsoft Defender for Cloud that offers full lifecycle protection, detection, and response coverage for APIs.
Microsoft Defender for Cloud Lab Module: Defender for APIs - In this exercise, you will learn how to enable Defender for API with Azure API Management, and leverage Defender for API capabilities.
BLOG: Price Alert: Defender for CSPM - Hey all, just a heads up in case you hadn’t seen or heard: Defender for CSPM has gone GA, and where this plan is enabled on Azure Subscriptions or AWS Connectors it will begin charging in Azure on May 1st.
365 Defender Things
Password Spray Attack Detection with New Microsoft 365 Defender Alert - Microsoft continues updating its tools and features to deliver customers the utmost security it can. As part of this, a new alert for ‘password spray attack originating from single ISP’ has been added to the Microsoft 365 Defender portal. Threat actors use various techniques to identify account passwords. One of them is a password spray attack, which guesses correct passwords for many accounts with a limited set of commonly used passwords. In addition, attackers may create several virtual machines or containers to launch password spray attacks, abusing legitimate cloud services. Boo! How threatening! With this new password spray attack detection alert, admins can defend against such attacks by monitoring several suspicious events happening in the organization. Let’s dive deeply into it.
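To make the shape of that alert concrete, here is an added example (my own illustration, not code from Microsoft or from the blog above) that runs the "many accounts, few attempts each, one ISP" heuristic over constructed sign-in events; the event fields, ISP names and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample events (isp, source_ip, account, result); not real telemetry.
SPRAY_ISP = "CloudHost-ASN-1"     # assumed hosting-provider ISP name
SPRAYED = ["alice", "bob", "carol", "dan", "eve", "frank"]
# A spray: one failure per account, spread over two IPs at the same ISP.
EVENTS = [(SPRAY_ISP, f"203.0.113.{10 + i % 2}", acct, "failed")
          for i, acct in enumerate(SPRAYED)]
# One account hammered from one ISP: a brute force, not a spray.
EVENTS += [("HomeISP-ASN-2", "198.51.100.7", "grace", "failed")] * 10
# Benign noise: a single typo from the office, then a successful sign-in.
EVENTS += [("OfficeISP-ASN-3", "192.0.2.5", "heidi", "failed"),
           ("OfficeISP-ASN-3", "192.0.2.5", "heidi", "success")]


def detect_spray(events, min_accounts=5, max_per_account=3):
    """Return {isp: summary} for ISPs whose failed sign-ins fan out across
    at least min_accounts distinct accounts with at most max_per_account
    failures each: the low-and-slow profile of a spray from a single ISP,
    which a per-account lockout threshold alone would never trip."""
    failures = defaultdict(lambda: defaultdict(int))  # isp -> account -> count
    ips = defaultdict(set)                             # isp -> source IPs seen
    for isp, ip, account, result in events:
        if result != "failed":
            continue
        failures[isp][account] += 1
        ips[isp].add(ip)
    flagged = {}
    for isp, per_account in failures.items():
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= max_per_account):
            flagged[isp] = {
                "accounts": len(per_account),
                "source_ips": len(ips[isp]),
                "failed_attempts": sum(per_account.values()),
            }
    return flagged


if __name__ == "__main__":
    for isp, info in detect_spray(EVENTS).items():
        print(f"Possible password spray from {isp}: {info}")
```

Only the hosting-provider ISP is flagged; the ten failures against "grace" fail the per-account ceiling, which is the brute-force case the page contrasts with spraying.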
Microsoft Purview Things
BLOG: Microsoft Purview in the Real World (April 21, 2023) - Sensitivity Labels and SharePoint Sites - The purpose of this document (and series) is to provide insights into various user cases, announcements, customer driven questions, etc.
BLOG: Can security be automatic for your files and data? - Detect data loss, exfiltration, and data theft with intelligent automation solutions in Microsoft Purview. Data lives across apps, databases, and in file sharing locations inside and outside your infrastructure. It can be stored on devices and removable media, and it travels with each interaction. Secure data with a scalable and automated approach — discover and understand the growing volume of sensitive data, apply protections that follow data wherever it lives or travels, take preventative action when there’s a risk of data loss, and elevate or lower data protections based on individual users to balance productivity with data security.
BLOG: Microsoft Purview data catalog now supports tags - We are announcing the tags feature in Microsoft Purview Data Catalog. Tags are a form of metadata that can be added to assets in order to label or categorize them. Similar to social media hashtags, tags are free-text words that can be used to associate multiple pieces of information with a single asset. Users can utilize tags to easily locate and retrieve data assets as needed, providing valuable context for anyone who needs to access them. Examples of tags include project names, cost centers, or other relevant keywords that help to organize and differentiate data assets.
Defender EASM Things
BLOG: Part 2: Uncovering Trackers Using the Defender EASM API - Thanks for joining me for the second installment on leveraging Trackers in Microsoft Defender External Attack Surface Management (Defender EASM) to find and manage risk in your organization. This blog post is part two of this series, building on the concepts introduced in part one about discovering your attack surface and applying this valuable inventory data to inform your security efforts at scale. As a quick refresher, in part one, we defined Trackers in Defender EASM and learned how to search for them in the User Interface (UI). This blog post will closely examine the Defender EASM Application Program Interface (API).
Windows Defender Things
NEW: New settings in Microsoft Intune to enhance Windows Defender Firewall management - We're pleased to highlight some of the new additions made to the Microsoft Intune admin center to configure settings related to Windows Defender Firewall. Admins can take advantage of these capabilities to enhance security and ease Defender Firewall management. The properties come directly from the Firewall configuration service provider (CSP) and apply to the Windows platform.
Microsoft Entra Things
NEW: Introducing Windows Local Administrator Password Solution with Microsoft Entra (Azure AD) - Today we have some news I know many of you will be excited about! As part of our vision to give you comprehensive security solutions, we’ve joined forces with the Windows and Microsoft Intune teams to release a public preview of Windows Local Administrator Password Solution (LAPS) for Azure AD (which is now part of Microsoft Entra).
NEWS: Building Stronger Identity Solutions with New Microsoft Entra Integrations - I’m excited by this year’s RSA theme of “Stronger Together.” In the Identity and Network Access Division, we believe that everyone must work together to make the world a safer place for all. Leading up to RSA this year, the team has been hard at work collaborating with a wide range of technology vendors to extend our Microsoft Entra capabilities and help our customers move forward in their Zero Trust journeys. By integrating our products together, we make better security solutions for all. Below you’ll find some highlights from the last six months of our work creating integrated solutions to add more value for our customers.
Fun Thing This Week
Earlier this past week, I built a web-based chatbot that utilizes the API connection to Azure Open AI ChatGPT. I built it to showcase security intelligence as part of my demos at MMS MOA next week. I’ve been training my AI deployments for KQL and cyber operations. My 15-year-old daughter wants to be a “coder” and was interested in what I’ve been doing, so I showed it to her. She was impressed with my meager developer ability, but her first question to my chatbot?
Ah…to be 15 again.