Things from Me
Happy Friday, all!
As you read this, I’ll be prepping to get on an airplane to travel back home from the MMS MOA conference this week. It’s been a wonderful week and I’ll have much more to say during debriefs over the next couple newsletter issues. Feedback is one of my superpowers and my conference collateral. I delivered and helped deliver 5 sessions during the week - so it was definitely a busy one with lots of feedback to take back to our product teams and to help fill out my trip report.
I don’t have a lot more to say this week due to even having to hustle to get the newsletters ready to push out, so expect more later.
However, I am out of the office next week taking some time off to get the house ready for my grandboy’s 2nd birthday party. But I’ll still be around and checking in and the newsletters will still deliver. How does that mantra go?
“Neither snow nor rain nor heat nor gloom of night…”
Talk soon.
-Rod
Things that are Related
Set up Granular Delegated Admin Privileges in Microsoft 365 Lighthouse - In collaboration with MSPs, we’ve developed five support roles in our default recommendations: Account manager, Service desk agent, Specialist, Escalation engineer, and JIT agent. An Account manager, for example, may require customer access occasionally to read licensing and usage information. In contrast, an Escalation engineer may require customer access more regularly to provide hands-on services across Microsoft workloads. MSPs can adopt recommended roles or customize them based on their organization’s needs.
What is a Cloud Adoption Security Review? - The Cloud Adoption Security Review (CASR) is aimed to self-assess an Azure landing zone (ALZ) environment that has achieved baseline security against the Secure Methodology of the Cloud Adoption Framework (CAF).
Things to Watch/Listen To
Microsoft Security Insights Show Episode 151 - Mia Reyes / Olivia Armstrong - Speakers: Mia Reyes - Director - Foundational Security, Cybersecurity @ Microsoft and Olivia Armstrong, Product Marketing | Customer Journey Lead | Microsoft Security
Things in Techcommunity
Secure Registration and TAP with a password-less CA baseline - I've been looking further at password-less in an Azure AD tenant and if it can be set as a baseline CA requirement for access to tenant resources. Access via CA policies appears to work fine with the password-less requirements if an account is already configured. If it's a new account needing to enroll or an account with a lost authenticator, TAP can't provide access to register methods again without seeing "Additional authentication is required to complete the sign-in" bricking the user without excluding them from the CA baseline. How are people getting past this and maintaining a password-less baseline within their environment?
Block downloads in Microsoft 365 clients - I have the following requirement: - Block download files in Microsoft 365 clients (Microsoft Outlook and Teams). For Web Apps is ready. I create Conditional Access policy for use conditional access app control and create Microsoft Defender for Cloud Apps policy for session control file download. Any file in Outlook Web or Teams Web cannot download file. But policy cannot work in clients (Microsoft Outlook client or Teams client). How can I apply the document download block on clients?
Microsoft Security Tech Community Join the other 68,000 members of the Tech Community to ask questions to the product team and get the latest on product updates. The Security Tech Community is free to join and provides the easiest way to get notified when something new is in product, and how you can implement it into your workflows.
Things in the News
What’s new in Windows Autopatch: May 2023 - Not since the introduction of Windows Autopatch have we had a blog so full of impactful news. This is a parade of public previews for powerful new features now available in Windows Autopatch, so keep reading to get a glimpse at the latest additions to the service. The theme of this release is responding to real enterprise needs – all because we've heard from Autopatch customers and would-be customers about what they want from the service. So here they are: new capabilities, controls, and reports, all geared towards helping IT administrators improve security and productivity with less effort.
Forrester names Microsoft a Leader in 2023 Infrastructure-as-a-Service Platform Native Security report - “Microsoft provides strong CSPM and CIEM [cloud security posture management and cloud infrastructure entitlement management] capabilities. It has made significant investments in CSPM and CWP [cloud workload protection]. The vendor sports a strong vision for IPNS offerings, and its execution roadmap and market approach are ahead of the competition.”
Defender for Cloud Things
BLOG: Creating custom recommendations & standards for AWS/GCP workloads with Microsoft Defender for Cloud - Have you ever found yourself in a situation where you wanted to determine which AWS resources are missing a tag? You can accomplish this use case using custom recommendations for AWS workloads in Defender for Cloud. The following steps solve the problem of creating a custom recommendation that identifies which Amazon RDS instances are missing a tag, but they can be applied to other use cases too.
BLOG: Validating Microsoft Defender for APIs Alerts - Microsoft Defender for APIs, a new plan in Defender for Cloud, offers full lifecycle protection, detection, and response coverage for APIs published in Azure API Management. One of the main capabilities is the ability to detect exploits of the OWASP API Top 10 vulnerabilities through runtime observations of anomalies using machine learning-based and rule-based detections.
Defender for Endpoint Things
BLOG: Block C2 communication with Defender for Endpoint - Human-operated ransomware (HumOR) is growing and needs different layers of protection. Microsoft released some new features to protect against C2 communication. Attackers rely heavily on C2 communications for multiple stages, and blocking these direct connections can disrupt or mitigate attacks in the earlier state.
365 Defender Things
BLOG: Automating and Streamlining Vulnerability Management for Your Clients - Security teams are always engaged in a constant battle with vulnerabilities. At present, enterprise groups confront a variety of problems when trying to accomplish effective vulnerability management, such as inadequate IT resources and complexities, resulting in protracted patching periods. Taking into consideration the sped-up manner in which criminals have taken to exploiting vulnerabilities, the potential for data breaches, regulatory fines, and harm to one's reputation, these issues are unlikely to disappear soon. Fortunately, Microsoft Security Services for Incident Response is familiar with this problem and is always helping customers resolve it. This blog will examine approaches to address this issue on your Windows clients (servers will be discussed in a separate blog entry) by automating and optimizing the vulnerability management process using applications like Microsoft Defender for Endpoint, Microsoft Intune, and Azure AD while keeping costs low.
BLOG: Get step-by-step guidance for enabling key features in Microsoft Defender - To get the most value from your Security solutions, you need to understand the business value of the different features they include to decide if, when, and how to go about turning them on. And when you’re ready to enable new features, you need clear guidance to make it happen. This is why we recently published new Microsoft Security solution feature guides on Microsoft Defender for Office 365 and Defender for Endpoint. Each guide briefly highlights five key product features and the value they provide, then points directly to step-by-step enablement instructions.
Microsoft Purview Things
BLOG: Microsoft Purview DevOps policies now includes all the typical permissions for SQL support personnel - IT/DevOps personnel need access to database and system metadata so that they can keep critical database systems healthy, performing to expectations and secure. Microsoft Purview DevOps policies, a subset of Microsoft Purview access policies, are specifically designed to provide IT/DevOps personnel with the access they need so that they perform their crucial job, while at the same time helping reduce the insider threat.
BLOG: Use Microsoft Purview to provide at-scale access to performance data in Azure SQL and SQL Server - In a nutshell, Microsoft Purview DevOps policies are a central, cloud-based experience used to provision access at-scale to IT/DevOps personnel, so that they can monitor the health and performance of SQL systems, but without giving them access to your data's crown jewels. DevOps policies are already available for SQL Server 2022, Azure SQL Database and soon for Azure SQL Managed Instance.
Defender for Office Things
BLOG: Blog Series: Email Protection Basics - Microsoft 365 Defender is a unified enterprise defense suite that provides integrated protection against sophisticated attacks by coordinating detection, prevention, investigation, and response across endpoints, identities, email, and applications. It provides advanced protection against spam, malware, phishing, spoofing, and other malicious attacks.
BLOG: Introducing the release of Attack Simulation Training Write API functionality (available in beta) - Attack Simulation Training is an intelligent social engineering phish risk reduction tool that measures behavior change and automates the deployment of an integrated security awareness training program across an organization. It is available with Microsoft 365 E5 or Microsoft Defender for Office 365 P2 plan, and we also have a special teaser version available with Microsoft 365 E3.
Defender Threat Intelligence Things
BLOG: What’s New: MDTI Interoperability with Microsoft 365 Defender - Microsoft Defender Threat Intelligence (Defender TI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows, aggregating and enriching critical threat information in an easy-to-use interface. At Microsoft Secure, we announced new features, including that Defender TI is now available to licensed customers within the Microsoft 365 Defender (M365 Defender) portal, placing its powerful threat intelligence side-by-side with the advanced XDR functionality of M365 Defender.
Microsoft Entra Things
BLOG: New Microsoft Entra Features Now Available - Microsoft has recently introduced a range of new security tools and features for their Entra product family, aimed at helping organizations to improve their security posture. With the ever-increasing sophistication of cyber-attacks and the increasing use of cloud-based services and the proliferation of mobile devices, it is essential that organizations have effective tools in place to manage their scope of security.
BLOG: How Microsoft can help you go passwordless this World Password Day - For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provides the best security and an excellent return on investment (ROI).
Fun Thing This Week
Being away from home at the conference this week, I’ve been missing my grandson. But isn’t technology great for this? Fortunately, I’ve been supplied with plenty of pictures and videos to help satiate my grandboy addiction. This past week he just figured out how to blow things out.