Things from Me
Happy Friday everyone!
So, what’s on tap for the weekend? For me, I plan to try my best to do nothing. It’s been a busy week. And I didn’t really realize just how busy it was or how much I accomplished until I sat down to finish out this newsletter. There are some interesting and cool things I’m working on that will all come to fruition soon and I’ll share them when ready. And only some of it is AI related.
It seems folks have lost their marbles around AI. Everything is AI. Every discussion, every net-new project. Everything.
And that worries me a bit. There’s some value in AI and applying AI models in certain circumstances and I believe we’ll learn more and more as time progresses. But it’s like the security automation discussion. Just like not everything needs to be automated, and some automation is detrimental, AI falls right into the same design.
And believe me — AI is soaked and baked into all discussions at Microsoft right now, too. But fortunately, from what I’ve seen, a very measured, logical approach is in play here. If that changes, I’ll let you know.
So, yeah. Because AI is everything - a weekend of nothing sounds just about right.
…
Microsoft Secure is our new event that kicks off on March 28th. Of interest to this community, there is a Learn Live event called: Manage insider risk in Microsoft Purview
This Learn Live will take you through the module Manage insider risk in Microsoft Purview. You’ll learn about insider risk management and how Microsoft technologies can help you detect, investigate, and take action on risky activities in your organization.
Presenters: Beau Faull, Technical Specialist, and Lou Mercuri, Sr. Technical Specialist, Microsoft Purview
Date and time: Tuesday, March 28, 2023, 12:30 pm – 1:30 pm PDT
Be sure to register for Secure to attend the sessions.
…
That’s it for me for this week.
Talk soon.
-Rod
Things to Attend
EVENT SERIES: April is RSA/MISA Month on the Microsoft Security Insights Show - To help bolster and show our support for this awesome program, we are dedicating the month of April to some of the MISA members who - if you are attending RSA - will also be in attendance in a big way. And, if you’re not attending RSA this year, this is still a great chance to get to know some of the stellar partners in the MISA program. Schedule:
April 5th (Wed), 5pm EST - Microsoft Security Insights Show Episode 147 - Difenda
April 12th (Wed), 5pm EST - Microsoft Security Insights Show Episode 148 - Drew Perry, Chief Innovation Officer at Ontinue
April 19th (Wed), 5pm EST - Microsoft Security Insights Show Episode 149 - Mark Shavlik, Co-Founder, Senserva
April 26th (Wed), 5pm EST - Microsoft Security Insights Show Episode 150 - Mona Ghadiri, Dir of Product Management, BlueVoyant
EVENT: How to migrate from Azure AD Connect to Azure AD Cloud Sync
Are you interested in learning more about the future of Sync? In this event, we will cover the following:
- The difference between Azure AD Connect and Cloud Sync
- What is coming to Cloud Sync
- Perform a pilot by running Azure AD Connect and Cloud Sync in coexistence
- Migration from Azure AD Connect to Azure AD Cloud Sync
Azure AD Cloud Sync offers faster sync times, lightweight agent-based deployment, greater ease of use, disconnected AAD forest support, and an easy migration path.
Please join us for this event on March 28, 2023, 8:00-9:00 AM PDT.
Registration link: https://rodtrent.com/3df
Women in Cybersecurity Month 2023 is in full swing. Here are the remaining shows for the month:
March 8th (Wed), 5pm EST - Microsoft Security Insights Show Episode 143 - Vasu Jakkal, CVP Microsoft SCI
March 14th (Tues), 1pm EST - Microsoft Security Insights Show Episode 144 - Ann Johnson, CVP SCI
March 22nd (Wed), 5pm EST - Microsoft Security Insights Show Episode 145 - Future Kortor / Lara Goldstein, Cloud Security PMs
March 29th (Wed), 5pm EST - Microsoft Security Insights Show Episode 146 - Elizabeth Stephens, Dir of DC Cyber Risk Intelligence
Things that are Related
The dotted lines between Threat Hunting and Detection Engineering - There's no way out: the practices of Detection Engineering and Threat Hunting are becoming critically important within a cybersecurity program. How do you define boundaries and establish ownership of the processes involved? Where's the overlap? Read along for some insights from the field.
SEC cyber risk management rule—a security and compliance opportunity - In my practice as a Microsoft Global Black Belt, I focus on the technical and business enablement aspects of protecting organizations from cyber threats with tools like Microsoft 365 Defender, Microsoft Purview and Microsoft Sentinel. In my role as a board member for another publicly traded company, the conversation is about creating value for our shareholders and managing risks in alignment with our business goals. Compliance is an important risk. Shifting gears and having the right conversations with the right stakeholders is critical to being effective, whatever your role.
Detecting AD CS subjectAltName (SAN) Abuse Using KQL - Over the past few weeks, we’ve been experimenting with detection of Active Directory Certificate Services abuse using native logging rather than relying on EDR telemetry, specifically with regard to the identification, issuance and use of certificates with subject alternative names (SANs). Further details of the attack specifics can be found in the excellent research provided by Will Schroeder and Lee Christensen of SpecterOps; in this article we’re specifically hunting for the abuse of certificate templates that allow a subjectAltName (SAN) to be supplied by the requester.
How AI will impact the future of security - The speed of innovation has rapidly accelerated since we became a digitized society, and some innovations have fundamentally changed the way we live — the internet, the smartphone, social media, cloud computing.
Things to Watch/Listen To
Stories from DART: Taking the ware out of ransomware - Folks from Microsoft’s Detection and Response Team (DART) share some simple things that anyone can do in their environment to minimize exposure to ransomware. These scary stories from DART customer engagements are sure to thrill and educate at the same time. In this session, learn how DART operates through investigation, mitigation and remediation, and how these same principles can be applied across the depth and breadth of the entire organization.
Microsoft Security Insights Show Episode 142 - Maria Thomson, MISA Lead - It's Women in Cybersecurity Month 2023! To kick off this event, we visit with Maria Thomson, Microsoft Intelligent Security Association lead. Hear how Maria went from dance instructor to the lead of Microsoft's partner association.
Things in Techcommunity
ATP Sensor service is continuously trying to start but stops itself - I've installed ATP Sensor across multiple DCs and it was completed successfully. However, the service is continuously trying to start and stop itself on every machine it's been installed on, with the following error message appearing in the Microsoft.Tri.Sensor-Errors log...
MCAS session policy with Conditional Access is blocking access in external shares - I have a strange behavior between a test tenant and qualification tenant.
Which Microsoft community is right for me? - In the last five years, Microsoft has increased the emphasis on community programs – specifically within the security, compliance, and management space. These communities fall into two categories: Public and Private (or NDA only). In this blog, we will share a breakdown of each community and how to join.
Microsoft Security Tech Community - Join the other 67,000 members of the Tech Community to ask questions of the product team and get the latest on product updates. The Security Tech Community is free to join and provides the easiest way to get notified when something new is in the product and how you can implement it in your workflows.
Things to Have
Email-ThreatHunting-URL.yaml - Hunting for a specific URL in email activities.
Things in the News
The Microsoft Intune Suite fuels cyber safety and IT efficiency - Today marks a significant shift in endpoint management and security. We’re launching the Microsoft Intune Suite, which unifies mission-critical advanced endpoint management and security solutions into one simple bundle. The new Intune Suite can simplify our customers’ endpoint management experience, improve their security posture, and keep people at the center with exceptional user experiences. Microsoft Security and Microsoft 365 deeply integrated with the Intune Suite will empower IT and security teams with data science and AI to increase automation, helping them move simply and quickly from reactive to proactive in addressing endpoint management and other security challenges.
Defender for Cloud Things
BLOG: Leveraging Defender for Containers to simplify policy management in your Kubernetes Clusters - A key part of Kubernetes security includes making sure the cluster is configured to industry and company best practices. This entails controlling what users can do on the cluster and blocking actions that don’t comply with pre-defined best practices.
DOCS: UPDATED - Select a Defender for Servers plan - This article helps you select the Microsoft Defender for Servers plan that's right for your organization. Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud.
Defender for Endpoint Things
NEWS: Microsoft is named a Leader in the 2022 Gartner Magic Quadrant for Endpoint Protection Platforms - Today, I am pleased to announce that Gartner has recognized Microsoft as a Leader in the 2022 Gartner Magic Quadrant for Endpoint Protection Platforms, positioned highest on the Ability to Execute. Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering endpoint protection, endpoint detection and response, mobile threat defense, and integrated vulnerability management.
BLOG: Defender for Endpoint (MDE): Integrate with Compliance & Conditional Access Policy - In this post, we discuss how to integrate Defender for Endpoint (MDE), compliance policy, and conditional access policy to protect company resources, devices, and data by enforcing security and compliance requirements. We use Microsoft Endpoint Manager admin center (Intune) for compliance policy and Azure Active Directory for conditional access policy and both will automatically sync with MDE.
Defender for IoT Things
VIDEO: OT/IoT Enabled SOC with Microsoft Sentinel and Microsoft Defender for IoT - Cyber-attacks on OT and IoT are on the rise, making it harder for SOC organizations to quickly and efficiently respond to emerging threats. In this webinar, we will explore the security challenges of attacks on OT and IoT and how it impacts managing security operations in today’s modern SOC.
365 Defender Things
BLOG: Total Identity Compromise: DART lessons on securing Active Directory - When the Microsoft Detection and Response Team (DART) is engaged during an incident, almost all environments include an on-premises Active Directory component. In most of these engagements, threat actors have taken full control of Active Directory, i.e., total domain compromise.
Microsoft Purview Things
BLOG: Microsoft Purview Secures Your Most Important Asset: Your Data - Did you know that the Microsoft 365 admin center includes advanced deployment guides to help you deploy Microsoft Purview products? You can’t innovate without knowing where your data is. Gain visibility, manage data securely, and go beyond compliance with Microsoft Purview. Safeguard all your data across platforms, apps, and clouds with comprehensive solutions for information protection, data governance, risk management, and compliance.
BLOG: Inexpensive solution for managing access to SQL health, performance and security information - In this article, I will detail how you can use DevOps policies as an inexpensive solution to provision access at-scale for IT/DevOps personnel tasked with monitoring and auditing SQL system health, performance, and security.
DOCS: Learn about insider risk management forensic evidence (preview) - Having visual context is crucial for security teams during forensic investigations to get better insights into potentially risky security-related user activities. With customizable event triggers and built-in user privacy protection controls, forensic evidence enables customizable visual activity capturing across devices to help your organization better mitigate, understand, and respond to potential data risks like unauthorized data exfiltration of sensitive data. You set the right policies for your organization, including what risky events are the highest priority for capturing forensic evidence, what data is most sensitive, and whether users are notified when forensic capturing is activated. Forensic evidence capturing is off by default and policy creation requires dual authorization.
CODE: Microsoft Purview Advanced Rich Reports (MPARR) Collector - This solution collects the information available in the Microsoft 365 services and provides the capability to present it to different business units, giving C-level users access to business metrics related to compliance.
Defender Vulnerability Management
BLOG: Mitigate risks with application block in Defender Vulnerability Management - Remediating vulnerabilities in organizations takes time, so it's essential to have effective risk management strategies in place. We know that addressing software vulnerabilities can be challenging due to a variety of factors. To help with risk mitigation, Microsoft Defender Vulnerability Management (MDVM) users can leverage the application block feature to take immediate action and block all currently known vulnerable versions of applications. With this feature, unique to Defender Vulnerability Management, you can block vulnerable app versions for designated device groups, provide users with custom warning messages, and provide links to your organization’s internal sites where you can give more information on the policy. This premium capability is available to Defender Vulnerability Management add-on and standalone users.
NEWS: Premium capabilities in Microsoft Defender Vulnerability Management are now generally available - Misconfiguration exploits, a growing volume of vulnerabilities, lack of visibility and a flood of duplicative recommendations continue to challenge security teams while exposing organizations to significant risks. Last year we shared our strategy for Microsoft Defender Vulnerability Management to help mitigate risks proactively at scale and bolster your threat prevention strategy. Today, we are thrilled to announce the general availability of premium capabilities in Microsoft Defender Vulnerability Management, a comprehensive solution that enables organizations to identify, assess, prioritize, and remediate their biggest risks across critical assets.
Microsoft Entra Things
BLOG: Identity Innovation for a More Secure Nation - With more than 1000 identity attacks occurring each second[1], government agencies are tasked with serving the public amidst the most challenging cybersecurity environment in history. Protecting the freedom of citizens makes them a prime target for bad actors across the cyberthreat ecosystem, from nation-state attacks on our infrastructure to identity compromise. Expanding security threats put federal agencies and their most critical data at risk. With recent innovations like phishing-resistant multifactor authentication (MFA) from Azure Active Directory - part of Microsoft Entra - government customers can deliver on their policy objectives while adhering to cybersecurity guidelines and regulatory compliance.