Debbie Seres, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics. Feed last updated Tue, 16 May 2023 06:10:06 +0000.

Step 10. Detect and investigate security incidents: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2019/06/04/step-10-detect-investigate-security-incidents-top-10-actions-secure-your-environment/
Tue, 04 Jun 2019 16:00:35 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 10. Detect and investigate security incidents,” you’ll learn how to set up Azure Advanced Threat Protection to uncover threats against your organization.

The post Step 10. Detect and investigate security incidents: top 10 actions to secure your environment appeared first on Microsoft Security Blog.

“Step 10. Detect and investigate security incidents” is the final installment in the Top 10 actions to secure your environment blog series. Here we walk you through how to set up Azure Advanced Threat Protection (Azure ATP) to secure identities in the cloud and on-premises.

Azure ATP is a service in the Microsoft Threat Protection solution, which integrates with Azure Identity Protection and Microsoft Cloud App Security and leverages your on-premises Active Directory signals to identify suspicious user and device activity with both known-technique detection and behavioral analytics. It protects user identities and credentials stored in Active Directory and allows you to view clear attack information on a simple timeline for fast triage. Integration with Windows Defender Advanced Threat Protection (Windows Defender ATP) provides a single interface to monitor multiple entry points.

Azure ATP works by analyzing data sent by Azure ATP sensors that parse network traffic from domain controllers (Figure 1). In this blog, we share resources and advice that will help you install and configure the Azure ATP sensors following these steps:

  • Plan your Azure ATP capacity.
  • Install the Azure ATP sensor package.
  • Configure Azure ATP sensor.
  • Detect alerts.


Figure 1: Azure ATP sensors parse network traffic from domain controllers and send it to Azure ATP for analysis.

Plan your Azure ATP capacity

Before you begin your Azure ATP deployment, you’ll need to determine what resources are required to support your Azure ATP sensors. An Azure ATP sensor analyzes network traffic and reads events locally on the domain controller, without the need to purchase and maintain additional hardware or port-mirroring configurations. The Azure ATP sensor also consumes Event Tracing for Windows (ETW), which supplies the data for several detections. ETW-based detections include suspected DCShadow attacks, which abuse domain controller replication requests and domain controller promotion to push changes into Active Directory.

The recommended and simplest way to determine capacity for your Azure ATP deployment is to use the Azure ATP sizing tool. Once you download and run the tool, the details in the “Busy Packets/sec” field will help you determine the resources required for your sensors.

Next, you create your Azure Advanced Threat Protection instance and connect it to your Active Directory forest. You’ll need an Azure Active Directory (Azure AD) tenant with at least one user who holds the global administrator or security administrator role. Each Azure ATP instance supports multiple Active Directory forests and a Forest Functional Level (FFL) of Windows 2003 or later.

Install the Azure ATP sensor package

Once Azure ATP is connected to Active Directory, you can download the sensor package. Click Download from the Azure ATP portal to begin the process. Copy the access key shown on the same page; you need it when you install the sensor (Figure 2).


Figure 2: The access key is used in installation.

Next, verify the domain controller(s) on which you intend to install Azure ATP sensors have internet connectivity to the Azure ATP Cloud Service. These URLs automatically map to the correct service location for your Azure ATP instance:

  • For console connectivity: <your-instance-name>.atp.azure.com (For example, “Contoso-corp.atp.azure.com”)
  • For sensors connectivity: <your-instance-name>sensorapi.atp.azure.com (For example, “contoso-corpsensorapi.atp.azure.com”)

Note: There is no “.” between <your-instance-name> and “sensorapi”.

Extract the files from the ZIP and run the Azure ATP sensor setup.exe, which initiates the installation wizard. When you get to the Configure the Sensor screen, enter the access key you copied during the download.

Every domain controller in your environment should be covered by an Azure ATP sensor; authentication traffic handled by a domain controller without a sensor is invisible to Azure ATP. The Azure ATP sensor supports the use of a proxy.

For more information on proxy configuration, see Configuring a proxy for Azure ATP.
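The checks above (the host is a domain controller, the two endpoints are reachable on TCP 443 or the proxy is reachable, the access key is supplied at install time) can be scripted. The following is an added example, not code from the original post or from Microsoft. The setup file name, the silent-install switches (/quiet, NetFrameworkCommandLineArguments, AccessKey, ProxyUrl) and the service name AATPSensor are the documented values as I recall them and are assumptions here; verify them against the package you downloaded.

```powershell
# Added example (not from the original post): pre-flight checks and an unattended
# install of the Azure ATP sensor on one domain controller. Run elevated on the DC itself.
# Assumptions (not from the post): setup file name, silent-install switches, service name.

param(
    [Parameter(Mandatory)] [string] $InstanceName,   # e.g. contoso-corp (the part before .atp.azure.com)
    [Parameter(Mandatory)] [string] $AccessKey,      # paste at run time; never store it in the script
    [string] $SetupPath = '.\Azure ATP sensor Setup.exe',
    [string] $ProxyUrl                               # e.g. http://proxy.contoso.local:8080 (optional)
)

# The two cloud endpoints. Note: no "." between the instance name and "sensorapi".
$ConsoleHost = "${InstanceName}.atp.azure.com"
$SensorHost  = "${InstanceName}sensorapi.atp.azure.com"

function Assert-DomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -notin 4, 5) {
        throw "This host is not a domain controller (DomainRole=$role); the sensor must run on a DC."
    }
}

function Assert-CloudReachable {
    # Sensors talk HTTPS only, so a TCP 443 handshake is the right pre-flight test.
    # With a proxy, the DC only needs to reach the proxy; the proxy reaches *.atp.azure.com.
    if ($ProxyUrl) {
        $u = [uri] $ProxyUrl
        $t = Test-NetConnection -ComputerName $u.Host -Port $u.Port -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) { throw "Cannot reach proxy $($u.Host):$($u.Port)" }
        return
    }
    foreach ($h in $ConsoleHost, $SensorHost) {
        $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) {
            throw "Cannot reach $h on TCP 443 (check DNS, firewall egress, or configure a proxy)"
        }
    }
}

function Install-AtpSensor {
    if (-not (Test-Path $SetupPath)) {
        throw "Sensor package not found at $SetupPath (extract the ZIP downloaded from the portal)"
    }
    # Silent install; the access key is passed on the command line exactly once, never logged.
    $setupArgs = @('/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=`"$AccessKey`"")
    if ($ProxyUrl) { $setupArgs += "ProxyUrl=`"$ProxyUrl`"" }
    $p = Start-Process -FilePath $SetupPath -ArgumentList $setupArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Sensor setup exited with code $($p.ExitCode)" }
}

function Test-SensorService {
    # After install the sensor service should be running; it then registers with your instance
    # and appears on the Sensors page of the portal.
    $svc = Get-Service -Name AATPSensor -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'Missing' }
    [pscustomobject]@{ Service = 'AATPSensor'; Present = [bool]$svc; Status = $status }
}

Assert-DomainController
Assert-CloudReachable
Install-AtpSensor
Test-SensorService
```

Run it once per domain controller; the connectivity check is the piece most often worth keeping on its own, because a sensor that installs cleanly but cannot reach the sensorapi endpoint simply never reports.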

Configure the Azure ATP sensor

The domain synchronizer is responsible for synchronization between Azure ATP and your Active Directory domain. Depending on the size of the domain, the initial synchronization may take time and is resource intensive. We recommend setting at least one domain controller as the domain synchronizer candidate per domain. This ensures Azure ATP is actively scanning your network at all times. By default, Azure ATP sensors aren’t domain synchronizer candidates. To manually set an Azure ATP sensor as a domain synchronizer candidate, switch the domain synchronizer candidate toggle option to ON in the configuration screen (Figure 3).


Figure 3: The domain synchronizer candidate toggle option set to ON in the configuration screen.

Next, manually tag groups or accounts as sensitive to enhance detections. Built-in privileged groups such as Domain Admins are treated as sensitive automatically, but your own high-privilege groups, service accounts, and executives are not. This matters because some Azure ATP detections, such as sensitive group modification detection and lateral movement paths, rely on sensitive groups and accounts.

We also recommend that you integrate Azure ATP with Windows Defender ATP. Windows Defender ATP monitors your endpoints and the integration provides a single interface to monitor and protect your environment. It is easy to turn on the integration from the Azure ATP portal (Figure 4).


Figure 4: A simple toggle enables integration with Windows Defender ATP.

You can also integrate with your VPN solution to collect additional user information, such as the IP addresses and locations where connections originated. This complements the investigation process by providing additional information on user activity as well as a new detection for abnormal VPN connections.

Detect alerts

After you set up Azure ATP, we recommend that you build the Azure ATP security alert lab to help you understand the alerts that may be generated in your environment. The lab includes a reconnaissance playbook that shows how Azure ATP identifies and detects suspicious activities from potential attacks. The lateral movement playbook lets you see lateral movement path detections and the security alerts Azure ATP raises for them. In the domain dominance playbook, you’ll simulate some common domain dominance methods. For best results, set up your lab as close as possible to the instructions in the tutorial.

When Azure ATP is configured, you will be able to manage security alerts in the Security Alerts Timeline of the Azure ATP portal. Azure ATP security alerts provide tools to discover which suspicious activities were identified on your network and the actors and computers involved in the threats. Alerts are organized by threat phase, graded for severity, and color-coded to make them easy to visually filter.

Learn more

This completes our series, “Top 10 actions to secure your environment.” Review the entire series for advice on setting up other Microsoft 365 security products, such as Azure AD or Microsoft Cloud App Security.



Step 9. Protect your OS: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2019/05/21/step-9-protect-your-os-top-10-actions-secure-your-environment/
Tue, 21 May 2019 16:00:43 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 9. Protect your OS,” you’ll learn how to configure Microsoft Defender Advanced Threat Protection to prevent, detect, investigate, and respond to advanced threats.


In “Step 9. Protect your OS” of the Top 10 actions to secure your environment blog series, we provide resources to help you configure Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to defend your Windows, macOS, Linux, iOS, and Android devices from advanced threats.

In an advanced threat, hackers and cybercriminals infiltrate your network through compromised users or vulnerable endpoints and can stay undetected for weeks—or even months—while they attempt to exfiltrate data and move laterally to gain more privileges. Microsoft Defender ATP helps you detect these threats early and take action immediately.

Enabling Microsoft Defender ATP and related products will help you:

  • Mitigate vulnerabilities.
  • Reduce your attack surface.
  • Enable next generation protection from the most advanced attacks.
  • Detect endpoint attacks in real-time and respond immediately.
  • Automate investigation and remediation.

Threat & Vulnerability Management

Threat & Vulnerability Management is a new component of Microsoft Defender ATP that provides:

  • Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
  • Linked machine vulnerability and security configuration assessment data in the context of exposure discovery.
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

To use Threat & Vulnerability Management, you’ll need to turn on the Microsoft Defender ATP preview features.

Attack surface reduction

Attack surface reduction limits the number of attack vectors that a malicious actor can use to gain entry. You can configure attack surface reduction through the following:

  • Microsoft Intune
  • System Center Configuration Manager
  • Group Policy
  • PowerShell cmdlets

Enable these capabilities to reduce your attack surface:

  • Hardware-based isolation: Configure Microsoft Defender Application Guard to protect your company while your employees browse the internet. You define which websites, cloud resources, and internal networks are trusted; everything not on your list is treated as untrusted and opened in an isolated container.
  • Application control: Restrict the applications that your users can run and require that applications earn trust in order to run.
  • Device control: Configure Windows 10 hardware and software to “lock down” Windows systems so they operate with many of the properties of mobile devices. Use configurable code integrity to restrict devices to running only authorized apps.
  • Exploit protection: Configure Microsoft Defender Exploit Guard to manage and reduce the attack surface of apps used by your employees.
  • Network protection: Prevent employees from using an application to access dangerous domains that may host phishing scams, exploits, and other malicious content.
  • Controlled folder access: Prevent apps that Microsoft Defender Antivirus determines are malicious or suspicious from making changes to files in protected folders.
  • Network firewall: Block unauthorized network traffic from flowing into or out of the local device.
  • Attack surface reduction rules: Prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
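Of the four configuration channels listed above, the PowerShell cmdlets are the quickest way to pilot these controls on a handful of machines before pushing them through Intune or Group Policy. The following is an added example, not code from the original post or from Microsoft, showing a staged rollout: everything starts in audit mode, the audit events are reviewed, and only then are the rules switched to block. The rule GUIDs are the published identifiers for the rules named beside them; the protected folder path and the seven-day review window are assumptions.

```powershell
# Added example (not from the original post): staged rollout of attack surface reduction
# rules, network protection and controlled folder access with the Defender cmdlets.
# Run elevated on Windows 10 where Microsoft Defender Antivirus is the active AV.
# Assumptions: the 'D:\Finance' folder and the 7-day review window are placeholders.

# A starter set that covers the common phishing -> Office macro -> script -> payload chain.
$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
}

function Set-AsrPhase {
    # Audit first: the rules log what they *would* have blocked without breaking anything.
    # Enforce once the audit events have been reviewed against business-critical apps.
    param([Parameter(Mandatory)][ValidateSet('Audit', 'Enforce', 'Off')] [string] $Phase)
    $action = @{ Audit = 'AuditMode'; Enforce = 'Enabled'; Off = 'Disabled' }[$Phase]
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    }
    # Network protection and controlled folder access accept the same three states.
    Set-MpPreference -EnableNetworkProtection $action
    Set-MpPreference -EnableControlledFolderAccess $action
    if ($Phase -ne 'Off') {
        # Controlled folder access protects user profile folders by default; add business data too.
        Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # assumed path
    }
}

function Get-AsrStatus {
    # Read back what is actually in effect: Group Policy or Intune can override local settings.
    $p = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i]
        $name = if ($AsrRules.Contains($id)) { $AsrRules[$id] } else { '(not in starter set)' }
        [pscustomobject]@{ Rule = $name; Id = $id; Action = $names[[int]$p.AttackSurfaceReductionRules_Actions[$i]] }
    }
    [pscustomobject]@{ Rule = 'Network protection';       Id = '-'; Action = $names[[int]$p.EnableNetworkProtection] }
    [pscustomobject]@{ Rule = 'Controlled folder access'; Id = '-'; Action = $names[[int]$p.EnableControlledFolderAccess] }
}

function Get-AsrAuditEvents {
    # Defender operational log event IDs: 1121/1122 = ASR block/audit,
    # 1123/1124 = controlled folder access block/audit, 1125/1126 = network protection block/audit.
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

Set-AsrPhase -Phase Audit              # day 0 on the pilot group
Get-AsrStatus | Format-Table -AutoSize
Get-AsrAuditEvents                     # review after the pilot window, then:
# Set-AsrPhase -Phase Enforce
```

The audit events (1122, 1124, 1126) name the process and file that would have been blocked, which is what you need to decide whether a rule needs an exclusion before it is enforced; enforcing without that review is how the LSASS and Office child-process rules end up disabled again a week later.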

Next generation protection

The Intelligent Security Graph powers the antivirus capabilities of Microsoft Defender Antivirus, which works with Microsoft Defender ATP to protect desktops, laptops, and servers from the most advanced ransomware, fileless malware, and other types of attacks.

Configure Microsoft Defender Antivirus capabilities to:

  • Enable cloud-delivered protection: Leverage artificial intelligence (AI) and machine learning algorithms to analyze the billions of signals on the Intelligent Security Graph and identify and block attacks within seconds.
  • Specify the cloud-delivered protection level: Define the amount of information to be shared with the cloud and how aggressively new files are blocked.
  • Configure and validate network connections for Microsoft Defender Antivirus: Configure firewall or network filtering rules to allow the required URLs, and verify that the client can reach the cloud service.
  • Configure the block at first sight feature: Block new malware within seconds of its first appearance, before a signature exists for it.
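The four settings above map directly onto Set-MpPreference parameters, and the connection check is a built-in switch of the Defender command-line client. The following is an added example, not code from the original post or from Microsoft, that applies them and then reads back the effective state. The path to MpCmdRun.exe under Program Files is an assumption (the platform-update copy under ProgramData behaves the same way).

```powershell
# Added example (not from the original post): cloud-delivered protection, protection level
# and block at first sight via the Defender cmdlets, plus the client-side connectivity test.
# Run elevated. Assumption: MpCmdRun.exe at its default Program Files location.

function Set-CloudProtection {
    param(
        # Default < Moderate < High < HighPlus < ZeroTolerance: higher blocks more unknown
        # files and produces more false positives. Pilot High before going further.
        [ValidateSet('Default', 'Moderate', 'High', 'HighPlus', 'ZeroTolerance')] [string] $BlockLevel = 'High',
        # Extra seconds (max 50) the client holds a file for a cloud verdict beyond the default 10.
        [ValidateRange(0, 50)] [int] $ExtendedTimeout = 50
    )
    # 1. Cloud-delivered protection (MAPS) and sample submission. SendAllSamples is what lets
    #    block at first sight upload an unknown executable for a verdict; SendSafeSamples
    #    withholds documents and scripts that may contain personal data.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    # 2. Cloud protection level and how long to wait for the verdict.
    Set-MpPreference -CloudBlockLevel $BlockLevel
    Set-MpPreference -CloudExtendedTimeout $ExtendedTimeout
    # 3. Block at first sight depends on MAPS, sample submission, real-time and download (IOAV) scanning.
    Set-MpPreference -DisableBlockAtFirstSeen $false
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -DisableIOAVProtection $false
}

function Get-CloudProtectionStatus {
    # Read back both the preference and the live engine state; a policy can set one without the other.
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        MAPSReporting     = $p.MAPSReporting          # 2 = Advanced
        SubmitSamples     = $p.SubmitSamplesConsent   # 3 = SendAllSamples
        CloudBlockLevel   = $p.CloudBlockLevel        # 2 = High
        ExtendedTimeout   = $p.CloudExtendedTimeout
        BlockAtFirstSight = -not $p.DisableBlockAtFirstSeen
        RealTimeOn        = $s.RealTimeProtectionEnabled
        DownloadScanOn    = $s.IoavProtectionEnabled
    }
}

function Test-CloudConnection {
    # 4. Validate that the required URLs are reachable through your firewall/proxy rules.
    $exe = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $output = & $exe -ValidateMapsConnection 2>&1
    [pscustomobject]@{ Connected = ($LASTEXITCODE -eq 0); Detail = ($output -join [Environment]::NewLine) }
}

Set-CloudProtection -BlockLevel High
Get-CloudProtectionStatus
Test-CloudConnection
```

If Test-CloudConnection reports a failure, block at first sight silently degrades to local signatures only, so this check belongs in the same monitoring that watches signature age.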

Endpoint detection and response

Microsoft Defender ATP endpoint detection and response capabilities detect advanced attacks in real-time and give you the power to respond immediately. Microsoft Defender ATP correlates alerts and aggregates them into an incident, so you can understand cross-entity attacks (Figure 1).

Alerts are grouped into an incident based on these criteria:

  • Automated investigation triggered the linked alert while investigating the original alert.
  • File characteristics associated with the alert are similar.
  • Manual association by a user to link the alerts.
  • Alerts triggered on the same machine fall within a certain time frame of each other.
  • Same file is associated with different alerts.


Figure 1. Microsoft Defender ATP correlates alerts and aggregates them into incidents.

Review your alerts and incidents on the security operations dashboard. You can customize and filter the incident queue to help you focus on what matters most to your organization (Figure 2). You can also customize the alert queue view and the machine alerts view to make it easier for you to manage.


Figure 2. Default incident queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list.

Once you detect an attack that requires remediation, you can take the following actions:

Auto investigation and remediation

Microsoft Defender ATP can be configured to automatically investigate and remediate alerts (Figure 3), which will reduce the number of alerts your Security Operations team will need to investigate manually.


Figure 3. You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.

Create and manage machine groups in Microsoft Defender ATP to define automation levels:

  • Not protected: Machines will not get any automated investigations run on them.
  • Semi – require approval for any remediation: This is the default automation level. An approval is needed for any remediation action.
  • Semi – require approval for non-temp folders remediation: An approval is required on files or executables that are not in temporary folders. Files or executables in temporary folders, such as the user’s download folder or the user’s temp folder, will automatically be remediated if needed.
  • Semi – require approval for core folders remediation: An approval is required on files or executables that are in operating system directories, such as the Windows folder and the Program Files folder. Files or executables in all other folders will automatically be remediated if needed.
  • Full – remediate threats automatically: All remediation actions will be performed automatically.

Microsoft Threat Experts

Microsoft Threat Experts is a new, managed threat hunting service that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately with two capabilities:

  1. Targeted attack notifications—Alerts that are tailored to organizations provide as much information as can be quickly delivered to bring attention to critical network threats, including the timeline, scope of breach, and the methods of intrusion.
  2. Experts on demand—When a threat exceeds your SOC’s capability to investigate, or when more actionable information is needed, security experts provide technical consultation on relevant detections and adversaries. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response services is available.

Microsoft Defender ATP customers can register for Microsoft Threat Experts and we will reach out to notify you via email when you’ve been selected.

Learn more

Check back in a few weeks for our final blog post in the series, “Step 10. Detect and investigate security incidents,” which will give you tips to deploy Azure Advanced Threat Protection to detect suspicious activity in real time.



Step 8. Protect your documents and email: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2019/04/09/step-8-protect-documents-email-top-10-actions-secure-environment/
Tue, 09 Apr 2019 16:00:24 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 8. Protect your documents and email,” you’ll learn how to deploy Azure Information Protection and use Office 365 Advanced Threat Protection (ATP) and Exchange Online Protection to help secure your documents and emails.



There are two types of risks to plan for when it comes to documents and emails. The first risk is that sensitive information will be distributed, often unintentionally, to others that should not have access to it inside or outside of your company. The second is that users in your organization will click links in phishing emails that trick them into giving up their credentials or open attachments that unleash malware. This blog will address ways to protect your company against both.

Azure Information Protection, which is part of Microsoft Information Protection, helps protect your sensitive information wherever it lives or travels. To set up Azure Information Protection, you need to discover where your sensitive information resides, classify and label the information based on its sensitivity, apply policy-based protection settings to control information access and sharing, and continuously monitor your sensitive data landscape. Then Office 365 Advanced Threat Protection (ATP) and Exchange Online Protection can help you protect your mailboxes, files, online storage, and applications against sophisticated attacks in real-time by setting up anti-phishing policies, enabling Safe Links, and setting up Safe Attachments.

Deploy Azure Information Protection to protect your sensitive documents and emails

You may have hundreds or thousands of users creating and sharing documents and sending emails every day. Many files may not contain sensitive information, but the ones that hold personally identifiable information, financial data, health-related information, or confidential company information could cause you serious reputational, financial, or legal harm if they get into the wrong hands.

You can protect your critical documents and emails by implementing the right policies and controls across the information protection lifecycle:

  • Discover: Identify sensitive data in apps and repositories.
  • Classify and label: Classify data and apply labels based on sensitivity level.
  • Protect: Apply policy-based protection actions including encryption and access restrictions.
  • Monitor and remediate: Receive alerts flagging potential issues or risky behavior and take action.

You can download the Azure Information Protection—Deployment Acceleration Guide for a deeper overview of these phases and learnings from our engineering team. Read on for a high-level overview of the core concepts and resources.

Discover

The first phase in the approach is the discovery phase. In the discovery process, you gain visibility into the data that currently exists across your environment. To discover data in your on-premises file servers, run the Azure Information Protection scanner in discover mode. It will generate a report that catalogs data that has already been labeled, and the sensitive information types that Azure Information Protection has detected (Figure 1).


Figure 1. Azure Information Protection scanner report allows you to view overall volume and distribution of labeled files, and the types of sensitive data detected.

As discussed in Step 7. Discover shadow IT and take control of your cloud apps, you can use Microsoft Cloud App Security to scan files in cloud repositories to discover sensitive information. Once you’ve inspected data across your cloud repositories and on-premises repositories, you will move on to the classify and label phase.

Classify and label

Classification is determining the sensitivity of a document or email based on its content, and labeling is the application (either automatically or manually) of a sensitivity label, such as “Highly Confidential.” Azure Information Protection provides a recommended default label taxonomy in new tenants that can be modified for use by your organization. We also provide an online example of our current taxonomy that was developed by Microsoft over years of testing. We recommend using this taxonomy if your organization does not already have one established. If your organization has its own taxonomy or you plan to create one, the default label names in Azure Information Protection are easy to change or modify. It’s important not to overcomplicate your taxonomy, so review the Azure Information Protection—Deployment Acceleration Guide for guidance on how to develop your taxonomy.

Labels persist with files even when the files are shared or moved, ensuring that protection travels with the document. There are four options for applying labels:

  • Apply manually by users.
  • Apply a default label automatically to all new documents.
  • Recommend labels based on the data detected.
  • Apply labels automatically based on pre-defined classification and policies.

If you want users to apply labels manually, you can make it easy for them by automatically applying a default label to all new documents. In our default taxonomy, this would be the “General” label. A default label of “General,” which doesn’t apply encryption, allows anyone to view and edit the document, which may be a reasonable baseline for many documents in your organization. Users will need to think about applying a higher sensitivity label, such as “Confidential,” when they’re dealing with more sensitive data. We recommend that you enable the Azure Information Protection policy setting, which requires users to justify and explain why they lowered a classification level or removed a label (Figure 2).


Figure 2. You can require that users supply a justification if they lower the classification label.

Enable recommended labels in Azure Information Protection to provide guidance for users on how to label a document based on its content (Figure 3). This recommendation is based on the conditions that you define. For example, if Azure Information Protection detects credit card numbers in a document, you could define policies that recommend that the user label it as “Confidential.”

Figure 3. Azure Information Protection can be configured to recommend labels based on the information detected in the document.

You can also define conditions that, if matched, will apply the corresponding label automatically with no user involvement, and you can configure the Azure Information Protection scanner and Microsoft Cloud App Security to scan, classify, and label documents already saved on-premises and in cloud repositories, respectively.
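The credit card condition mentioned above is a useful one to look at closely, because a bare digit-pattern match over-reports and a labeling policy that fires on invoice or order numbers trains users to dismiss recommendations. The following is an added example, not code from the original post and not Azure Information Protection’s own classifier: a plain PowerShell version of that condition (pattern match plus Luhn checksum, then a count threshold that separates “recommend” from “apply automatically”) run over constructed sample text. The “Confidential” label name and the thresholds are assumptions.

```powershell
# Added example (not from the original post): the logic behind a "credit card number
# detected" label condition, written out so its false-positive behaviour can be inspected.
# Illustration only, not AIP's implementation. Label name and thresholds are assumptions.

function Test-Luhn {
    param([Parameter(Mandatory)][string] $Digits)
    # Luhn checksum: double every second digit from the right, subtract 9 from any result
    # over 9, and a real card number sums to a multiple of 10.
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CreditCardNumbers {
    param([Parameter(Mandatory)][string] $Text)
    # 13 to 16 digits, optionally grouped by spaces or dashes. The checksum filters out
    # order numbers and other digit runs that the regex alone would flag.
    $pattern = '\b(?:\d[ -]?){12,15}\d\b'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if ($digits.Length -ge 13 -and $digits.Length -le 16 -and (Test-Luhn -Digits $digits)) {
            $m.Value
        }
    }
}

function Get-LabelDecision {
    # Mirrors the two policy modes above: recommend at a low count, auto-apply at a higher one.
    param(
        [Parameter(Mandatory)][string] $Text,
        [int] $RecommendAt = 1,
        [int] $AutoApplyAt = 3
    )
    $hits = @(Find-CreditCardNumbers -Text $Text)
    $action = if ($hits.Count -ge $AutoApplyAt)  { 'Apply "Confidential" automatically' }
              elseif ($hits.Count -ge $RecommendAt) { 'Recommend "Confidential" to the user' }
              else { 'No label change' }
    [pscustomobject]@{ Matches = $hits.Count; Found = $hits; Action = $action }
}

# Constructed sample (not real data): two well-known test card numbers that pass the Luhn
# check, one 16-digit reference number that does not, and short digit runs that never match.
$sample = @'
Invoice 2024-0017 for order 4539 1488 0343 6467 was paid by the card ending 6467.
Backup card: 5500-0000-0000-0004. Reference number 1234567890123456 is not a card.
'@

Get-LabelDecision -Text $sample
```

On the sample the two Luhn-valid numbers are counted and the 16-digit reference number is ignored, so the decision is a recommendation rather than an automatic label. The same shape (pattern, validator, minimum count) is what you tune when a condition either misses data or fires on the wrong documents.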

Protect

Several protection actions can be applied to documents and emails based on sensitivity label, including applying encryption, rights restrictions, or visual markings (such as headers or footers). To encrypt files based on classification label, you will need to set up usage rights based on role. Azure Information Protection includes the following predefined roles:

  • Viewer: Allows users to view the data and nothing else.
  • Reviewer: Allows users to edit the data but NOT copy information out or change the protection applied.
  • Co-Author: Allows users to edit the data AND copy information out but NOT change the protection applied.
  • Co-Owner: Allows users to have Full Control that also allows users to copy and change/remove protection and change the Azure Information Protection label.

You’ll need to determine the type of protection that will be applied and the users that can access specific types of content. We recommend using sub-labels to define the audience of the content and the usage rights available to that audience. The Azure Information Protection—Deployment Acceleration Guide describes this concept in more detail with tips on how to apply it to your organization.

Monitor and remediate

Azure Information Protection Analytics gives you tools to view the state of your sensitive information, including the volume of labeled and protected files and emails, the application used to apply the label, the location of sensitive files, and the type of data that was detected (Figure 4). We recommend using the Azure Information Protection Analytics dashboards to see detailed information on information protection activities. They provide rich usage and activity data, but the underlying log storage runs on an Azure subscription and incurs an additional cost based on usage.

Figure 4: The Data discovery dashboard provides information on the location of sensitive data within your organization.

Reporting data can help you refine the policies that you’ve established for labeling and protecting documents and identify potentially risky behavior or over-sharing. Plan to regularly revisit your Azure Information Protection policies to optimize for your users and data needs.

Deploying Office 365 ATP

Bad actors continue to use email as a primary method for gaining initial access to your organization. Phishing and malware campaigns have increased in sophistication, increasing the chances that one or more of your users will accidentally provide their credentials or open an attachment that gives attackers access. Set up Office 365 ATP to protect against advanced attacks such as phishing and zero-day malware.

To get started, you’ll need to set up policies for the following:

  • Anti-phishing
  • Safe Links
  • Safe Attachments

Anti-phishing policies

When you enable anti-phishing in Office 365 ATP, machine learning models trained to detect phishing messages are applied to every incoming message. Anti-phishing policies are designed to protect against email spoofing, impersonation, and compromised email accounts. Additionally, Office 365 ATP learns how each individual user communicates with other users inside and outside the organization and builds a map of these relationships. This map allows Office 365 ATP to tell a legitimate correspondent from an impersonation attempt that mimics one. Anti-phishing policies can be added, edited, and deleted in the Office 365 Security & Compliance Center. Each organization in Office 365 has a default anti-phishing policy that applies to all users. You can create custom anti-phishing policies that you can scope to specific users, groups, or domains within your organization.

Safe Links policies

When a user clicks a link in an email or document, Office 365 ATP Safe Links scans the website or the reputation of the link and determines if it is safe or malicious. Based on the ATP Safe Links policies configured, users will either be able to open the link, receive a warning, or be blocked from accessing it.

Safe Attachments policies

Office 365 ATP Safe Attachments scans email attachments and files in SharePoint Online, OneDrive for Business, and Microsoft Teams to determine if they are malicious. Once a file is identified as malicious, it is blocked, replaced, or delivered according to the ATP Safe Attachments policies configured.

ATP Safe Attachments policies can be configured to:

  • Block emails with malicious attachments from proceeding.
  • Deliver messages immediately while the attachment is scanned in the background.
  • Remove detected malware from emails and notify the user.
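The three policies can be created in the Security & Compliance Center as described above, or from Exchange Online PowerShell, which has the advantage that the settings live in a script you can review and reapply. The following is an added example, not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module, an account allowed to manage ATP policies, and placeholder values for the domain, the executives protected against impersonation, the partner domain, and the security mailbox. The Safe Attachments policy uses dynamic delivery, which is the second option in the list above.

```powershell
# Added example (not from the original post): the anti-phishing, Safe Links and Safe
# Attachments policies created from Exchange Online PowerShell, then read back for review.
# Assumptions: contoso.com, the named executives, contoso-partner.com and secops@ are placeholders.

Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for unattended runs

$Domain          = 'contoso.com'
$SecurityMailbox = "secops@$Domain"

# --- Anti-phishing: spoof intelligence, impersonation and mailbox intelligence, scoped to the tenant domain.
New-AntiPhishPolicy -Name 'Contoso Anti-Phish' `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @('contoso-partner.com') `
    -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Doe;ceo@$Domain", "John Smith;cfo@$Domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2    # 1 = standard, 2 = aggressive; raise on a pilot group first and watch false positives
New-AntiPhishRule -Name 'Contoso Anti-Phish' -AntiPhishPolicy 'Contoso Anti-Phish' -RecipientDomainIs $Domain

# --- Safe Links: rewrite and scan at click time, including internal mail; users cannot click through a block.
New-SafeLinksPolicy -Name 'Contoso Safe Links' -IsEnabled $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true -DoNotAllowClickThrough $true -TrackClicks $true
New-SafeLinksRule -Name 'Contoso Safe Links' -SafeLinksPolicy 'Contoso Safe Links' -RecipientDomainIs $Domain

# --- Safe Attachments. -Action maps to the three options in the post:
#     Block = hold the message, DynamicDelivery = deliver now and attach once scanned,
#     Replace = strip the malicious attachment and deliver the rest. Detonated malware goes to the security mailbox.
New-SafeAttachmentPolicy -Name 'Contoso Safe Attachments' -Enable $true `
    -Action DynamicDelivery -Redirect $true -RedirectAddress $SecurityMailbox -ActionOnError $true
New-SafeAttachmentRule -Name 'Contoso Safe Attachments' -SafeAttachmentPolicy 'Contoso Safe Attachments' -RecipientDomainIs $Domain

# --- Files in SharePoint Online, OneDrive and Teams are covered by a tenant-wide switch, not a per-policy one.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeLinksForO365Clients $true

# --- Read back the effective set so the review sees what Exchange actually stored.
Get-AntiPhishPolicy      | Select-Object Name, Enabled, PhishThresholdLevel, EnableMailboxIntelligenceProtection
Get-SafeLinksPolicy      | Select-Object Name, IsEnabled, ScanUrls, EnableForInternalSenders, DoNotAllowClickThrough
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect, RedirectAddress
```

Policies do nothing until a rule scopes them to recipients, which is why each New-*Policy is paired with a New-*Rule; a policy without a rule is the most common reason a “configured” Safe Links deployment is still delivering raw URLs.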

Take a look at our best practices for configuring Exchange Online Protection for more tips on blocking unwanted emails from reaching your users.

Learn more

Check back in a few weeks for our next blog post, “Step 9: Protect your OS,” which will give you tips for configuring Windows Defender Advanced Threat Protection to block new and emerging threats on Windows 10.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.



Step 7. Discover shadow IT and take control of your cloud apps: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2019/03/26/step-7-discover-shadow-it-and-take-control-of-your-cloud-apps-top-10-actions-to-secure-your-environment/
Tue, 26 Mar 2019 16:00:08 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 7. Discover shadow IT and take control of cloud apps,” you’ll learn how to set up Microsoft Cloud App Security (MCAS) to identify, assess, and manage the cloud applications used by your organization.



Cloud-based services have significantly increased productivity for today’s workforce, prompting users to adopt new cloud apps and services and making it a challenge for you to keep up. Microsoft Cloud App Security (MCAS), a cloud access security broker (CASB), helps you gain control over shadow IT with tools that give you visibility into the cloud apps and services used in your organization, assess them for risk, and provide sophisticated analytics. You can then make an informed decision about whether you want to sanction the apps you discover or block them from being accessed.

Your users are in the cloud—even if you aren’t

Whether or not your organization has started its move to the cloud, your workforce probably has. Users in large enterprises use an average of 1,181 cloud applications—of those services, 60 percent go undetected by IT. MCAS can help you discover those apps and services and enable you to establish a lifecycle management approach for your cloud services (Figure 1).

We’ll show you how to set up continuous reporting, which can help you maintain vigilance over the cloud-based services accessed from your network and create workflows for automatic management of unsanctioned or newly discovered apps. Then we’ll explain how you can extend your monitoring capabilities on managed Windows 10 PCs beyond the corporate network by walking through the integration with Windows Defender Advanced Threat Protection (ATP), now Microsoft Defender ATP.

We recommend three actions to enable discovery with Microsoft Cloud App Security (Figure 1):

  • Deploy a log collector.
  • Extend discovery beyond your network by enabling Windows Defender ATP integration.
  • Create a workflow to automatically block unsanctioned apps.

Infographic showing a Shadow IT discovery lifecycle. Phase one: discover and identify. Phase two: evaluate and analyze. Phase three: manage and continuous monitoring.

Figure 1. Shadow IT discovery management lifecycle.

Deploy a log collector for continuous monitoring

Before you enable cloud discovery, you’ll need to set up your Microsoft Cloud App Security portal. A log collector provides ongoing visibility from MCAS with continuous monitoring and reporting. This capability lets you monitor cloud app usage within your network. As new cloud apps and services are introduced, or gain greater usage in your organization, MCAS provides alerts so you can take immediate action. To enable these capabilities, deploy a log collector on your network endpoints and configure automated, continuous log uploads to MCAS.

If your organization uses Zscaler or iboss as its Secure Web Gateway (SWG), you can integrate these with MCAS and eliminate the need to install log collectors on your network endpoints. These standalone SWGs integrate with MCAS to monitor your organization’s traffic and enable you to block apps inline. The SWG block capabilities are automatically applied to apps you tag as unsanctioned in the MCAS portal. Learn how to integrate Zscaler with MCAS.

Extend discovery beyond your network with Windows Defender ATP

MCAS uniquely integrates with Windows Defender ATP, giving you powerful tools to discover cloud apps accessed from managed Windows 10 machines on any network. The integration is enabled with a single click in the Windows Defender Security Center. Once enabled, Windows Defender ATP immediately starts sending log data to MCAS and adds a powerful machine-centric view of the discovery data. If you detect suspicious traffic from a machine, you can pivot easily between the services and continue an in-depth machine investigation in the Windows Security Center. We recommend that you enable log collectors and Windows Defender ATP integration to get the most complete view of the cloud applications used by your organization.

Watch the following video on how Cloud App Security integrates with Windows Defender ATP:

Create a workflow to automatically block unsanctioned apps

MCAS integrates with Microsoft Flow to provide centralized alert automation and orchestration of custom workflows. It lets you use the ecosystem of connectors in Microsoft Flow to create playbooks that work with the systems of your choice, and it enables automated alert triage. The discovery capabilities of Microsoft Cloud App Security can identify apps that do not meet the guidelines established by your organization, with the intent of blocking future access to them. When MCAS generates a discovery alert for such an application, your organization can create a playbook that automatically blocks the unwanted application domains on the firewall.

For example, in Figure 2, we use the HTTP connector and custom code with the firewall API:


Figure 2. Create a custom workflow to automatically block unsanctioned apps on your firewall.
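The Flow step in Figure 2 hands the alert to a firewall API. The domain handling that playbook should do before it makes that call is shown below as an added example; this is not Microsoft’s, Microsoft Flow’s, or the blog’s own code. The alert payload and its field names, the sanctioned-domain list, and the shape of the firewall request body are all assumptions, and the sample alert is constructed for the example. The point it makes is a defensive one: an automated block list must normalize and de-duplicate hosts, refuse wildcards and IP literals (which could blackhole far more than one app), and never block a service the organization has sanctioned, even if the alert lists it.

```python
"""Added example (not Microsoft's, Flow's, or the blog's code): the domain
handling a "block unsanctioned app" playbook should do before it calls a
firewall API. The alert payload, the field names and the firewall request
shape are assumptions; the sample alert is constructed for this example."""
import ipaddress
import re

SAMPLE_ALERT = {  # constructed; real MCAS alert schemas differ
    "alertType": "DISCOVERY_NEW_APP",
    "app": {
        "name": "ExampleShare",
        "tag": "Unsanctioned",
        "domains": [
            "exampleshare.example", "CDN.ExampleShare.example",
            "exampleshare.example",       # duplicate entry
            "*.tracking.example",         # wildcard: too broad to push to a firewall
            "10.0.0.5",                   # IP literal: could blackhole internal traffic
            "onedrive.live.com",          # sanctioned service mistakenly listed
        ],
    },
}

# Services your organization has sanctioned; automation must never block these.
SANCTIONED_DOMAINS = {"onedrive.live.com", "sharepoint.com", "office.com"}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """Accept plain hostnames only: no wildcards, no IP literals, valid DNS labels."""
    if "*" in name or len(name) > 253:
        return False
    try:
        ipaddress.ip_address(name)
        return False            # an IP literal is not a hostname
    except ValueError:
        pass
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_sanctioned(host, sanctioned):
    """True if host is a sanctioned domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in sanctioned)


def domains_to_block(alert, sanctioned=SANCTIONED_DOMAINS):
    """Return the normalized, de-duplicated hosts that are safe to hand to the firewall."""
    app = alert.get("app", {})
    if app.get("tag") != "Unsanctioned":
        return []               # only unsanctioned apps are blocked automatically
    out = set()
    for raw in app.get("domains", []):
        host = raw.strip().lower().rstrip(".")
        if is_fqdn(host) and not is_sanctioned(host, sanctioned):
            out.add(host)
    return sorted(out)


def build_firewall_request(alert):
    """Body for a hypothetical firewall 'block domains' API call (assumed shape)."""
    hosts = domains_to_block(alert)
    if not hosts:
        return None
    return {
        "action": "block",
        "domains": hosts,
        "comment": f"MCAS discovery alert: {alert['app']['name']} tagged Unsanctioned",
    }


if __name__ == "__main__":
    print(build_firewall_request(SAMPLE_ALERT))
```

In the playbook this would sit between the MCAS alert trigger and the HTTP connector call; returning `None` for an alert that yields no blockable hosts means the HTTP step is skipped rather than sent with an empty list.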

Use the Cloud Discovery data

Once you set up MCAS to collect data, you can view that data in the Cloud Discovery dashboard. The Cloud Discovery dashboard provides an at-a-glance overview of the apps being used, their risk levels, and your open alerts (Figure 3). You can configure the dashboard to meet the needs of your organization, such as identifying top users or excluding noisy apps.


Figure 3. The Cloud Discovery dashboard provides an at-a-glance overview of the apps being used, their risk levels, and your open alerts.

From here, you can also drill down into discovered apps, IP addresses, users, and machines to help you understand which apps are being used in your organization and leverage the data and risk analysis to decide which apps you want to allow in your organization and which ones you may want to block (Figure 4).


Figure 4. Usage deep dive, providing in-depth overview of the usage and risk factors of an app.

Learn more

Check back in a few weeks for our next blog post, “Step 8. Protect your documents and email,” where we will discuss how to discover, classify, and label information with Azure Information Protection, and how to protect mailboxes, online storage, and apps with Office 365 Advanced Threat Protection.

Step 6. Manage mobile apps: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2019/03/12/step-6-manage-mobile-apps-top-10-actions-to-secure-your-environment/
Tue, 12 Mar 2019 16:00:35 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 6. Manage mobile apps,” you’ll learn how to complete your Unified Endpoint Management (UEM) strategy by using Microsoft Intune Mobile Application Management (MAM).

In our last blog, Step 5. Set up mobile device management, we introduced ContosoCars to illustrate the journey of implementing Intune as part of your UEM strategy. We continue their story to demonstrate how you can enhance endpoint security by managing mobile apps and tracking the deployment.

You will recall from our last post that ContosoCars already defined their scenarios and requirements, set their mobile device management (MDM) authority to Intune, and set up configuration policies to enroll their Windows 10 and other mobile devices (Figure 1).

Figure 1. ContosoCars defined Intune use case scenarios and requirements.

Protect sensitive data within apps

ContosoCars corporate and sales employees use their personal phones and tablets, which creates a risk of data leakage.

To protect company data that is accessed from devices that are not managed by the company, ContosoCars will use Intune app protection policies, which can apply to apps even if the devices are not managed by Intune. ContosoCars can create and assign app protection policies to policy-managed apps, which include a piece of Intune code, to enforce data protection policies (Figure 2).

Figure 2. Data protection with app protection policies.

For example, an app protection policy can ensure that corporate data can only be saved to OneDrive for Business and SharePoint, and not to local storage. This prevents data leakage to unsecured, consumer cloud storage services, and the data remains encrypted in the event of device loss (Figure 3).

Figure 3. App protection policy restricting cut, copy, and paste.

Protect customer data on unmanaged devices

Unlike the employee devices, ContosoCars does not enroll or manage the devices used by their franchisee technicians. To deliver the best customer experience, the technicians need real-time customer data on their tablets when they are working on the shop floor. Intune app protection policies work even if the devices are not enrolled in Intune.

ContosoCars can use Intune’s MAM to deliver and manage approved corporate apps on the technicians’ tablets, apply required app protection policies to protect the data, and selectively wipe the data if required so only the “managed apps and data” are removed, keeping the franchisee’s other data intact on the devices. They can also restrict data movement to apps that aren’t protected by app protection policies, while allowing data to be easily shared within policy-managed apps.

ContosoCars can enforce an app-level PIN and configure the app to launch only if the device health meets the access requirements. Since they cannot ensure the tablets are kept in a secure location and cannot control OS upgrades and security updates to the device, they can ensure that the customer data is only available when authorized users enter the PIN. Access will be blocked after multiple failed attempts, and the PIN will be required again after a certain period of inactivity. This allows ContosoCars to maintain their high customer service standards at their franchise showrooms (Figure 4).

Figure 4. Customers can use an app-level PIN to restrict access to a specific app.
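The behaviour just described (PIN required before data is shown, access blocked after repeated wrong attempts, PIN required again after inactivity) is the shape of any app-level PIN gate. The following is an added example of such a gate, not Intune’s or the blog’s code; the attempt limit, the inactivity window, and the injectable clock are assumptions so the behaviour can be exercised offline. It also shows two details a practitioner would want: the PIN is stored only as a salted hash and compared in constant time, and the lockout is sticky, so the app has to be reset by an administrator (or selectively wiped) to recover.

```python
"""Added example (not Microsoft's or Intune's code): a minimal app-level PIN
gate with the behaviour the post describes. Limits and the clock are assumptions."""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5              # assumed lockout threshold
INACTIVITY_TIMEOUT = 5 * 60   # assumed: seconds of inactivity before the PIN is required again


class AppPinGate:
    def __init__(self, pin, now):
        self._now = now                     # injectable clock returning seconds
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)      # the PIN itself is never stored
        self._failed = 0
        self._unlocked_at = None
        self.blocked = False

    def _hash(self, pin):
        # Salted PBKDF2 so an extracted app store does not reveal the PIN outright.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def unlock(self, pin):
        """Verify the PIN. Returns True on success; False when wrong or blocked."""
        if self.blocked:
            return False
        if hmac.compare_digest(self._hash(pin), self._digest):   # constant-time compare
            self._failed = 0
            self._unlocked_at = self._now()
            return True
        self._failed += 1
        if self._failed >= MAX_ATTEMPTS:
            self.blocked = True             # sticky: needs admin reset / selective wipe
        return False

    def data_available(self):
        """True only while unlocked and within the inactivity window."""
        if self.blocked or self._unlocked_at is None:
            return False
        if self._now() - self._unlocked_at > INACTIVITY_TIMEOUT:
            self._unlocked_at = None        # session expired: re-prompt for the PIN
            return False
        return True

    def touch(self):
        """Call on user activity to extend the session."""
        if self.data_available():
            self._unlocked_at = self._now()
```

Because the clock is passed in, the same class runs unchanged in the app (pass `time.monotonic`) and in a test that advances a fake clock past the inactivity window.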

Strengthen Intune security with Microsoft 365 integration

Using Microsoft 365, ContosoCars benefits from security beyond device and app management. Intune integration with Azure Information Protection ensures that if franchise sales staff share sensitive data with users outside the company, unauthorized users will be blocked from accessing it. Azure Active Directory conditional access policies allow only policy-managed apps access to Exchange Online and other Office 365 services. This can prevent an unsecure email app on a mobile device from being exploited by a malicious attacker to gain access to the entire network.

Track and monitor your Intune deployment

Intune provides several ways that you can monitor your deployment. User group views, built-in reports, and in-console alerts allow you to track how many users have enrolled devices after each phase of your rollout, so that you can:

  • Evaluate the effectiveness of your communication plan.
  • Estimate the impact of enforcing conditional access policies.

Learn more

Check back in a few weeks for our next blog post, “Step 7. Set up cloud discovery,” where we’ll discuss how you can discover apps in use, assess risk from those apps, and identify vulnerabilities.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Step 5. Set up mobile device management: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2019/02/14/step-5-set-up-mobile-device-management-top-10-actions-to-secure-your-environment/
Thu, 14 Feb 2019 17:00:35 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 5. Set up mobile device management,” you’ll learn how to plan your Microsoft Intune deployment and set up Mobile Device Management (MDM) as part of your unified endpoint management (UEM) strategy.

In Steps 1-4 of the series, we provided tips for securing identities with Azure Active Directory (Azure AD). In the next two posts (Step 5 and Step 6), we introduce you to ContosoCars to illustrate how you can deploy Microsoft Intune as part of your UEM strategy for securing company data on devices and applications.

ContosoCars is an automotive company with 1,000 employees that work in the corporate headquarters, and 4,000 that work in several branches across the U.S. Another 2,000 service centers are owned by franchises. To stay competitive, IT needs to support a fleet of cloud-connected devices for secure, remote access to Office 365 and SaaS apps and sensitive customer data. With their expanding business, franchise sales staff need access to ContosoCars customer data as well, but ContosoCars does not own those devices.

They have defined the following goals: 

  • Deliver the best Windows 10 experience for all their corporate PCs.
  • Allow employees to use personal devices and mobile phones at work.
  • Protect the network from unknown or compromised users and devices.
  • Secure data on tablet devices shared by several shop floor workers that are often left in public areas of the shop.
  • Prevent employees from accessing or retaining corporate data after they leave the company.

Plan your Intune deployment

Once ContosoCars defines their goals, they can begin to set up use-case scenarios to align their goals with user types and user groups (Figure 1). ContosoCars wants to provide corporate devices for their employees at headquarters and branches. They will not supply devices to their franchise sales staff, but they need to make sure staff-owned tablets can use Office 365 apps to securely access company data.

Graph showing ContosoCars locations, device ownership, groups, platforms, and requirements. All part of their use-case management plan.

Figure 1. ContosoCars’ defined Intune use-case scenarios and requirements.

You can find more information on setting goals, use-case scenarios, and requirements in the Intune deployment planning, design, and implementation guide. The guide also includes recommendations for a design plan that integrates well with existing systems, a communication plan that takes into account the different channels your audience uses to receive information, a rollout plan, and a support plan.

Set up Mobile Device Management (MDM)

Once planning is complete, ContosoCars can move on to implementing their Intune plan. ContosoCars uses Azure AD to fully leverage Office 365 cloud services and get the benefits of identity-driven security (see Step 1. Identify users). Before employees can enroll their devices to be managed by Intune, IT admins will need to set the MDM authority to Intune in the Azure portal.

In order to manage the devices, ContosoCars can add and deploy configuration policies to enable and disable settings and features such as software delivery, endpoint protection, identity protection, and email. ContosoCars can also use configuration policies to deploy Windows Defender Advanced Threat Protection (ATP), which provides instant detection and blocking of advanced threats. Once IT admins set up Intune, users can enroll devices by signing in with their work or school account to automatically receive the right configuration profiles for their device.

ContosoCars can configure devices to meet business requirements and enable security features, such as Windows Hello, which allows users to sign in to their computer using a combination of biometrics and a PIN.

Manage personal devices  

Next on the rollout plan are the personal iPhones and Android phones used by the staff to keep up with work email and data. Following the enrollment requirements guidance, ContosoCars will manage these devices by requiring employees to enroll them with Intune before allowing access to work apps, company data, or email. ContosoCars can set up configuration policies for these devices just as they did for the Windows 10 PCs, and they can add further security controls by setting up device compliance policies. Using Azure AD, you can allow or block users in real time if their compliance state changes. These policies ensure only known and healthy devices enter the network.

Some examples include:

  • Require users to set a password to access devices; password must be of certain complexity.
  • Require users to set a PIN to encrypt the device; PIN must be of certain complexity.
  • Deny access to jailbroken or rooted devices, as they may have unknown apps installed.
  • Require a minimum OS version to ensure security patch level is met.
  • Require the device to be at, or under, the acceptable device-risk level.

With Windows 10, conditional access policies are integrated with Windows Defender ATP. Microsoft works with leading mobile threat defense technology partners to provide comprehensive device-risk assessment on all platforms.
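The compliance rules listed above are the kind of checks a compliance policy evaluates on each device record, and the resulting state is what Azure AD uses to allow or block access. The evaluator below is an added example of that logic, not Intune’s or the blog’s code. The device fields, the per-platform minimum OS versions, the password threshold, and the sample devices are assumptions chosen for illustration. Two edge cases it handles deliberately: OS versions are compared numerically rather than as strings (so "9.0" is correctly below "10.0"), and an unknown platform or an unknown threat level fails closed rather than being treated as compliant.

```python
"""Added example (not Microsoft's or Intune's code): a toy evaluator for the
kinds of Intune device compliance rules listed in the post. Field names,
thresholds and the sample device records are assumptions."""
from dataclasses import dataclass


@dataclass
class Device:
    platform: str            # "ios" | "android" | "windows"
    os_version: str          # e.g. "12.4.1"
    password_length: int     # 0 when no device password is set
    password_complex: bool   # letters plus digits or symbols
    encrypted: bool          # storage encryption enabled (PIN/passcode set)
    jailbroken: bool         # jailbroken / rooted
    threat_level: str        # low | medium | high, reported by mobile threat defense


# Constructed policy: per-platform minimum OS and a global acceptable risk level.
MIN_OS = {"ios": "12.0", "android": "9.0", "windows": "10.0.17763"}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
MAX_RISK = "low"
MIN_PASSWORD_LENGTH = 6


def version_tuple(v):
    """Parse "12.4.1" into a padded numeric tuple so comparisons are not lexical."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def evaluate_compliance(d):
    """Return the names of the rules the device fails; an empty list means compliant."""
    failures = []
    if d.password_length < MIN_PASSWORD_LENGTH or not d.password_complex:
        failures.append("password")
    if not d.encrypted:
        failures.append("encryption")
    if d.jailbroken:
        failures.append("jailbroken_or_rooted")
    minimum = MIN_OS.get(d.platform)
    # Unknown platform: fail closed, we cannot assert a patch level for it.
    if minimum is None or version_tuple(d.os_version) < version_tuple(minimum):
        failures.append("minimum_os_version")
    # Unknown threat level also fails closed (treated as high).
    if RISK_ORDER.get(d.threat_level, 2) > RISK_ORDER[MAX_RISK]:
        failures.append("device_risk_level")
    return failures


def access_decision(d):
    """What the conditional access gate does with the compliance state."""
    return "allow" if not evaluate_compliance(d) else "block"


if __name__ == "__main__":
    phone = Device("android", "8.1", 4, False, True, True, "medium")
    print(access_decision(phone), evaluate_compliance(phone))
```

Returning the full list of failed rules rather than a single boolean is what makes the in-console reporting mentioned later useful: the admin sees why a device was blocked, and the user can be told what to fix.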

Learn more 

Check back in a few weeks for our next blog post, “Step 6. Manage mobile apps,” where we explore the use of Intune app protection policies to allow only approved applications to access work email and data. We will also learn how ContosoCars keeps sensitive customer data secure on shared franchise devices on the shop floor.

Get deployment help now 

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Step 4. Set conditional access policies: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2019/01/30/step-4-set-conditional-access-policies-top-10-actions-to-secure-your-environment/
Wed, 30 Jan 2019 17:00:12 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 4. Set conditional access policies,” you’ll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.

In today’s workplace, users can work from anywhere, on any device. Whether using a company-provided laptop at the office, working from home, traveling for business, or using a personal mobile phone, employees expect to seamlessly access what they need to get work done. While the need for productivity may not change with circumstances, the level of risk of each sign-in does. Not all devices, apps, or networks are equally secure, and hackers will exploit any vulnerability that will give them access to your users and resources. It is critical to safeguard your identities, but it is not enough. You also need flexible security policies that are responsive to conditions.

Set up Azure Active Directory (Azure AD) conditional access policies

Azure AD conditional access lets you apply security policies that are triggered automatically when certain conditions are met. You can block access if the data suggests the user has been compromised or if it’s highly unlikely that the user would sign in under those conditions. You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see “Sign-in risk” below).

We recommend that you apply policies that are appropriate for your organization for the following conditions:

  • Users and user groups: To reduce the risk that sensitive data is leaked, define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data.
  • Sign-in risk: Azure AD machine learning algorithms evaluate every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in. Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
  • Location: A location can be risky if it’s in a country with limited security policies or if the wireless network is unsecure or simply because it’s not a location where the organization typically does business. You can modify access requirements for sign-ins from locations that are not on an IP safe list or that are risky for other reasons. Users accessing a service when they’re off the corporate network should be required to use MFA.
  • Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
  • Device state: Use this condition to define policies for unmanaged devices.
  • Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
  • Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an unmanaged device.

When a condition is met, you can choose what policy Azure AD will enforce:

  • Require MFA to prove identity.
  • Change the actions the user can take in cloud apps.
  • Restrict access to sensitive data (for example: limit downloads or sharing functionality).
  • Require a password reset.
  • Block access.

Once set, these policies will apply automatically without any manual intervention (Figure 1).


Figure 1. Azure AD automatically applies the policies you set based on conditions.

Block legacy authentication and control access to highly privileged accounts

Old apps that use a legacy authentication method, such as POP3, IMAP4, or SMTP clients, can increase your risk because they prevent Azure AD from doing an advanced security assessment and don’t allow more modern forms of authentication, such as MFA. We recommend you use client application conditional access rules (Figure 2) to block these apps entirely.


Figure 2. Apply conditional access rules to block client apps using legacy authentication methods.

You can also use conditional access rules to reduce the risk that highly privileged accounts or service accounts are compromised. For example, if your HR system uses a service account to access the email account, you can make sure it can only run against the service from a specific IP at the appropriate time of day.

Enhance conditional access with Intune and Microsoft Cloud App Security

Azure AD integrates with Intune, so that conditional access policies can consider the Intune device state as part of the policy, letting you set access controls for devices that have old operating systems or other security vulnerabilities. You can also use conditional access in Intune to make sure that only apps managed by Intune can access corporate email or other Office 365 services. Azure AD will enforce these rules.

Cloud App Security Conditional Access App Control extends conditional access to your SaaS apps. You can block downloads from apps, limit activities in the app, monitor risky users, or block access to the app entirely.

Once you have policies in place, we recommend that you use the Azure AD What If tool to simulate possible sign-in scenarios that your users may confront. The What If tool allows you to select a user, the app that user is trying to access, and the conditions of that sign-in to see which policies will apply (Figure 3). This step will give you a better sense of how your policies will impact your users. You can also check which policies do not apply to a specific scenario.

One final precaution: Be sure to set up an exception group for each conditional access policy, so you don’t lock yourself out.


Figure 3. The Azure AD What If tool gives you a better sense of how your policies will impact your users.

Learn more

Check back in a few weeks for our next blog post, “Step 5. Set up mobile device management,” where we’ll dive into how to plan your Intune deployment and set up mobile device management as part of your Unified Endpoint Management strategy.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Step 3. Protect your identities: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2019/01/16/step-3-protect-your-identities-top-10-actions-to-secure-your-environment/
Wed, 16 Jan 2019 17:00:18 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 3. Protect your identities,” you’ll learn how to define security policies to protect individual user identities against account compromise and protect your administrative accounts.

Whether or not you have experienced a security incident in the past, you probably know that it’s not a matter of if an attacker will successfully compromise your corporate resources, but when. This is what is meant by an “assume breach” mindset. Preventative measures are critical, but in an “assume breach” world, so are detection and rapid response. Azure Active Directory (Azure AD) Identity Protection can help you rapidly uncover anomalies or suspicious incidents and configure policies that will automate a response. With Azure AD Privileged Identity Management (PIM), you can protect your administrative accounts. The faster you discover a hacker and take back control, the less damage that attacker can do, saving you time, money, and reputation.

Reduce the time an attacker has access to your network

Most breaches begin with stolen or guessed user credentials. Once hackers gain access, they attempt to escalate those privileges, or they exploit their access to discover and target administrative users with access to valuable data. Rapid detection of a compromised account—no matter its access level—is critical. This can be challenging in a large enterprise with thousands of users.

Azure AD uses machine learning to analyze every sign-in to uncover anomalies or suspicious incidents. It then assigns a risk level of low, medium, or high to indicate how likely it is that the sign-in was not performed by the user. This is called a risk event. Azure AD also analyzes risk events for each user and calculates a risk level of low, medium, or high to indicate how likely it is that a user has been compromised. Azure AD Identity Protection uses this data to generate reports and alerts that can be viewed from a dashboard (Figure 1) in the Azure portal or by enabling daily or weekly emails.

Figure 1. Azure AD Identity Protection reports users who are likely compromised.

Automate response with Azure AD risk-based conditional access policies

In addition to reporting, Azure AD Identity Protection also lets you configure policies to automate a response based on conditions you define. A sign-in risk policy is a conditional access policy that you can configure based on the risk level assigned to a sign-in (Figure 2). A user risk policy is a conditional access policy that you can configure based on the likelihood that a user has been compromised. For example, we recommend that you create a sign-in risk policy that forces all medium-risk sign-ins to use Multi-Factor Authentication (MFA). We also recommend users with a high-risk level be required to safely change their password after verifying their identity using MFA. In both instances, these policies will be enforced automatically without any intervention by an administrator. (We’ll go into more details about Azure AD conditional access policies in our next blog.)

Figure 2. Apply a policy that blocks or flags risky sign-ins.
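The sign-in risk and user risk policies described here, and the conditional access conditions and controls from Step 4 (users and groups, sign-in risk, location, device state, client apps, cloud apps, with controls of MFA, password reset, or block), are one policy engine seen from two sides. The evaluator below is an added example that puts both together; it is not Azure AD’s or the blog’s code, and it simplifies the real service, which evaluates every applicable policy and combines their controls. The sign-in fields, the policy order, the trusted IP range, the exclusion group name, and the sensitive app list are assumptions. It encodes the recommendations the two posts make: block legacy authentication clients, block high-risk sign-ins, require MFA then a password change for a high-risk user, require MFA for medium-risk and off-network sign-ins, and keep sensitive apps on managed devices, with an exception group so you cannot lock yourself out.

```python
"""Added example (not Microsoft's or the blog's code): a toy evaluator that
applies the conditional access conditions and controls from Step 4 and the
risk-based policies from Step 3 to a single sign-in. Field names, policy
order and the sample sign-ins are assumptions for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass
class SignIn:
    user: str
    groups: frozenset = frozenset()
    sign_in_risk: str = "low"        # low | medium | high, from Identity Protection
    user_risk: str = "low"           # low | medium | high
    source_ip: str = "203.0.113.10"  # constructed default: not on the corporate network
    device_platform: str = "windows"
    device_compliant: bool = False   # Intune compliance state
    client_app: str = "browser"      # browser | mobile | legacy (POP3/IMAP4/SMTP)
    cloud_app: str = "Exchange Online"


# Constructed policy inputs.
EXCLUSION_GROUP = "CA-Exclusions"                          # break-glass accounts, never locked out
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # named location / IP safe list
SENSITIVE_APPS = {"Workday"}                               # managed device only, no risky sign-ins


def on_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(s):
    """Return (control, reason); control is allow | mfa | mfa_and_password_reset | block."""
    if EXCLUSION_GROUP in s.groups:
        return "allow", "member of exclusion group"
    # Legacy clients cannot do MFA or risk evaluation, so block them outright.
    if s.client_app == "legacy":
        return "block", "legacy authentication client"
    # Sign-in risk: high -> block.
    if s.sign_in_risk == "high":
        return "block", "high sign-in risk"
    # User risk: likely compromised -> verify with MFA, then force a password change.
    if s.user_risk == "high":
        return "mfa_and_password_reset", "high user risk"
    # Cloud app condition: sensitive apps need a compliant device and a clean sign-in.
    if s.cloud_app in SENSITIVE_APPS:
        if not s.device_compliant:
            return "block", "sensitive app from unmanaged device"
        if s.sign_in_risk != "low":
            return "block", "sensitive app with risky sign-in"
    # Sign-in risk: medium -> MFA.
    if s.sign_in_risk == "medium":
        return "mfa", "medium sign-in risk"
    # Location condition: off the corporate network -> MFA.
    if not on_trusted_network(s.source_ip):
        return "mfa", "outside trusted locations"
    return "allow", "all policies satisfied"


if __name__ == "__main__":
    for attempt in (
        SignIn("alice", source_ip="198.51.100.7", device_compliant=True),
        SignIn("bob", client_app="legacy"),
        SignIn("carol", sign_in_risk="medium"),
        SignIn("dave", user_risk="high"),
        SignIn("erin", cloud_app="Workday"),
    ):
        print(attempt.user, *evaluate(attempt))
```

The ordering matters and is itself a design choice: the exclusion check comes first so a break-glass account is never blocked by a later rule, and the legacy-client block comes before any risk logic because those clients cannot satisfy an MFA challenge anyway. Running a table of sample sign-ins through a function like this is the offline equivalent of the What If tool mentioned in Step 4.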

Protect your administrative accounts with Azure AD PIM

Even with good detection and response tools, there is still a chance that a hacker will make it through your defenses. In those instances, you need to minimize the likelihood that a compromised account can operate with a privileged role. Azure AD PIM gives you visibility into the users assigned to administrative roles and allows you to establish rules and policies that govern those accounts. Once you’ve identified the users, you can remove users who don’t need privileged access and change the remaining users’ role assignments from permanent to eligible (Figure 3). A user who is eligible for administrative access must request access every time they wish to perform a privileged task. We recommend that you enable MFA for all privileged roles, so you can verify their identity. We also recommend that you establish time limits for administrator access. Users should only have access long enough to complete the privileged task. These steps will make it much more difficult for a hacker to gain access to your most valuable data and resources.

Figure 3. Protect administrative roles by setting users to “Eligible.”
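Converting one user’s standing Global Administrator assignment into a PIM eligible assignment, as an added example using the Microsoft Graph PowerShell SDK (not code from the original post). The user principal name, the one-year eligibility expiry and the justification text are assumptions; the activation time limit and the MFA-on-activation requirement live in the role’s PIM settings and are not set here.

```powershell
# Added example (not from the original post): replace a permanent (active)
# Global Administrator assignment with a PIM "eligible" assignment.
# Assumes the tenant is licensed for PIM and the signed-in account may manage
# directory role assignments.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$userUpn = "admin.user@contoso.example"   # placeholder principal

$user = Get-MgUser -UserId $userUpn
$role = Get-MgRoleManagementDirectoryRoleDefinition `
            -Filter "displayName eq 'Global Administrator'"

# 1. Find the user's permanent (active) assignment for this role, if any.
$active = Get-MgRoleManagementDirectoryRoleAssignment `
            -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"

# 2. Create the eligible assignment first, so the user is never left without
#    a path to the role. Eligibility itself expires after one year and must be
#    renewed, which gives you a natural point to re-check that it is still needed.
$request = @{
    action           = "adminAssign"
    justification    = "Convert standing Global Administrator to eligible"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
$eligibility = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
"Eligibility request {0}: {1}" -f $eligibility.Id, $eligibility.Status

# 3. Remove the standing assignment. From now on the user activates the role
#    per task; activation duration and MFA on activation are configured in the
#    role's PIM settings (not shown here).
foreach ($a in $active) {
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
    "Removed permanent assignment $($a.Id)"
}
```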

Learn more

Check back in a few weeks for our next blog post, “Step 4. Set conditional access policies,” where we’ll dive into additional conditional access policies you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 3. Protect your identities: top 10 actions to secure your environment appeared first on Microsoft Security Blog.

Step 2. Manage authentication and safeguard access: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2018/12/17/step-2-manage-authentication-and-safeguard-access-top-10-actions-to-secure-your-environment/
Mon, 17 Dec 2018 17:00:23 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. We will provide advice on activities such as setting up identity management through active directory, malware protection, and more. In this post, we explain how to enable single sign-on (SSO) in Azure Active Directory (Azure AD) to manage authentication across devices, cloud apps, and on-premises apps, and then how to set up Multi-Factor Authentication (MFA) to authenticate user sign-ins through a mobile app, phone call, or SMS.

Balancing employee productivity needs with enterprise security begins with protecting identities. Gone are the days when users accessed corporate resources behind a firewall using corporate-issued devices. Your employees and partners use multiple devices and apps for work. They share documents with other users via cloud productivity apps and email, and they switch between personal and work-related apps and devices throughout the day. This has created a world of opportunity for sophisticated cybercriminals.

Hackers know that users often use the same weak password for all their accounts. Sophisticated cybercriminals employ several tactics to take advantage of these vulnerabilities. Password spray is a method of trying common passwords against known account lists. In a breach replay, a malicious actor steals a password from one organization and then uses the password to try to access other networks. Phishing campaigns trick users into handing over the password directly to the hacker. Azure AD provides several features to reduce the likelihood of all three of these attack methods.

Access credentials in the form of email addresses and passwords are the two most compromised data types, at 44.3 percent and 40 percent, respectively.
Source: Dark Reading, November 2017

Simplify user access with Azure AD single sign-on

Most enterprise security breaches begin with a compromised user account, which makes protecting those accounts a critical priority. If you manage a hybrid environment, the first step is to create a single common identity for all your users. We recommend password hash sync as your primary authentication method if possible. If you use federation services to authenticate users, be sure to enable extranet lockout. You can read about these and other hybrid identity security recommendations in the first blog in this series: Step 1. Identify users: top 10 actions to secure your environment.

One huge advantage of a hybrid deployment is that you can set up SSO. Users already sign in to on-premises resources using a username and password they know. Azure AD SSO lets them use the same set of credentials to access on-premises resources plus Office 365 apps. You can then increase productivity further by extending SSO to include more cloud SaaS and on-premises apps through AppProxy. Cloud-only customers gain the same productivity benefits by setting up SSO across Azure AD, Office 365, and Azure AD-connected cloud applications.

You can use the SSO deployment plan as a step-by-step guide to walk you through the implementation process of adding more apps to your SSO solution.

Strengthen your credentials

Given the frequency with which credentials are stolen, guessed, or phished, both cloud and hybrid customers should enable Azure MFA to add another layer of security to their accounts (Figure 1). MFA protects everything under the SSO identity system, including cloud SaaS and on-premises apps published with AppProxy, significantly decreasing the odds that a compromised identity will result in a security breach.

MFA works by requiring two or more of the following authentication methods:

  • Something you know (typically a password).
  • Something you have (a trusted device that is not easily duplicated, like a phone).
  • Something you are (biometrics).

You can use the MFA deployment plan as a step-by-step guide to walk you through the implementation process.

One of the reasons users select weak or common passwords is that lengthy passwords that require numbers, letters, and special characters are difficult to remember, especially if they must be changed every few months. Microsoft recommends that you disable these rules and instead prohibit users from choosing common passwords. If you are a hybrid customer, you will need to deploy Azure AD password protection agents on-premises to enable this feature. Azure AD password protection blocks users from choosing common passwords and any custom banned passwords that you configure. If you implement password hash synchronization as a primary or backup authentication method, you will have access to a leaked user credentials report, which lists username and password pairs that have been leaked to the dark web.

Better yet, move away from passwords entirely. One of the reasons passwords are frequently stolen is that they work from anywhere. Windows Hello allows users to set up device authentication using either a PIN or biometrics, such as a fingerprint scanner or face recognition. This form of authentication is easier for users because they don’t have to remember complex passwords, but it is also safer because the authentication method is tied to the device. A hacker would have to gain possession of the device and the biometrics or PIN to compromise your network.

Enable productivity with self-service

The Azure self-service portal allows you to turn over common tasks to your users, saving your help desk time without increasing your risks. Azure AD self-service password reset (SSPR) offers a simple means for users to reset their passwords or unlock accounts without administrator intervention. You can also give users the ability to manage groups using Azure AD security groups and Office 365 groups. Known as self-service group management, this feature allows group owners who are not assigned an administrative role to create and manage groups without relying on administrators to handle their requests. Letting users reset their own passwords and manage groups gets them back to productive work quickly while reducing your tech support costs.

You can use the SSPR deployment plan as a step-by-step guide to walk you through the implementation process.

In future blog posts, we will provide additional Azure AD configuration recommendations to help secure your identities. We will then touch on the recommended security best practices to protect your apps, devices, and infrastructure.

Learn more

Check back in a few weeks for our next blog post: “Step 3. Protect your identities.” In this post, we’ll dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 2. Manage authentication and safeguard access: top 10 actions to secure your environment appeared first on Microsoft Security Blog.

Step 1. Identify users: top 10 actions to secure your environment
http://approjects.co.za/?big=en-us/security/blog/2018/12/05/step-1-identify-users-top-10-actions-to-secure-your-environment/
Wed, 05 Dec 2018 17:00:44 +0000

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. We’ll provide advice on activities such as setting up identity management through active directory, malware protection, and more. In this post, we explain how to create a single common identity across on-premises and cloud with hybrid authentication.

Establishing a single, common identity for each user is the foundational step of your cybersecurity strategy. If you currently have an on-premises footprint, this means connecting your Azure Active Directory (Azure AD) to your on-premises resources. Various requirements and circumstances will influence the hybrid identity and authentication method that you choose, but whether you choose federation or cloud authentication, each has important security implications that you should consider. This blog walks you through our recommended security best practices for each hybrid identity method.

Set up password hash synchronization as your primary authentication method when possible

Azure AD Connect allows your users to access on-premises resources including Azure, Office 365, and Azure AD-integrated SaaS apps using one identity. It uses your on-premises Active Directory as the authority, so you can use your own password policy, and Azure AD Connect gives you visibility into the types of apps and identities that are accessing your company resources. If you choose Azure AD Connect, Microsoft recommends that you enable password hash synchronization (Figure 1) as your primary authentication method. Password hash synchronization synchronizes the password hash in your on-premises Active Directory to Azure AD. It authenticates in the cloud with no on-premises dependency, simplifying your deployment process. It also allows you to take advantage of Azure AD Identity Protection, which will alert you if any of the usernames and passwords in your organization have been sold on the dark web.

Figure 1. Password hash sync synchronizes the password hash in your on-premises Active Directory to Azure AD.

Enable password hash synchronization as a backup during on-premises outages

If your authentication requirements are not natively supported by password hash synchronization, another option available through Azure AD Connect is pass-through authentication (Figure 2). Pass-through authentication provides simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. Since pass-through authentication relies on your on-premises infrastructure, your users could lose access to both Active Directory-connected cloud resources and on-premises resources if your on-premises environment goes down. To limit user downtime and loss of productivity, we recommend that you configure password hash synchronization as a backup. This allows your users to sign in and access cloud resources during an on-premises outage. It also gives you access to advanced security features, like Azure AD Identity Protection.

Figure 2. Pass-through authentication provides a simple password validation for Azure AD authentication services.

Whether you implement password hash synchronization as your primary authentication method or as a backup during on-premises outages, you can use the Active Directory Federation Services (AD FS) to password hash sync deployment plan as a step-by-step guide to walk you through the implementation process.

Implement extranet lockout if you use AD FS

AD FS may be the right choice if your organization requires on-premises authentication or if you are already invested in federation services (Figure 3). Federation services authenticate users and connect to the cloud using an on-premises footprint that may require several servers. To ensure your users and data are as secure as possible, we recommend two additional steps.

First, enable password hash synchronization as a backup authentication method to get access to Azure AD Identity Protection and minimize interruptions if an outage should occur. Second, we recommend you implement extranet lockout. Extranet lockout protects against brute force attacks that target AD FS, while preventing users from being locked out of Active Directory. If you are using AD FS running on Windows Server 2016, set up extranet smart lockout. For AD FS running on Windows Server 2012 R2, you’ll need to turn on extranet lockout protection.

Figure 3. Federation services authenticate users and connect to the cloud using an on-premises footprint.
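Enabling extranet lockout on the AD FS primary server, as an added example that is not part of the original post. It branches on the server version as the text describes (smart lockout on Windows Server 2016, classic extranet lockout on 2012 R2) and first checks that the AD FS threshold is below the domain’s own lockout threshold; the threshold and window values, and the presence of the RSAT Active Directory module on the AD FS server, are assumptions.

```powershell
# Added example (not from the original post): turn on AD FS extranet lockout.
# Run on the primary AD FS server as an AD FS administrator; the threshold and
# window below are illustrative values, not a recommendation from the post.
Import-Module ADFS
Import-Module ActiveDirectory   # assumes RSAT AD PowerShell is installed here

$adfsThreshold     = 15                        # failed attempts before AD FS stops forwarding to AD
$observationWindow = New-TimeSpan -Minutes 30  # how long AD FS refuses further attempts

# Safety check: the AD FS threshold must stay below the domain lockout
# threshold. Otherwise AD locks the account first, and a password spray
# arriving through AD FS still locks internal users out of Active Directory.
$adThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
if ($adThreshold -ne 0 -and $adfsThreshold -ge $adThreshold) {
    throw "AD FS threshold ($adfsThreshold) must be lower than the AD lockout threshold ($adThreshold)."
}

$osVersion = [Environment]::OSVersion.Version
if ($osVersion.Major -ge 10) {
    # Windows Server 2016 or later: extranet *smart* lockout. Start in
    # log-only mode so familiar locations are learned before enforcing.
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $adfsThreshold `
                       -ExtranetObservationWindow $observationWindow `
                       -ExtranetLockoutMode ADFSSmartLockoutLogOnly
    Restart-Service adfssrv   # the mode change takes effect after a service restart
    # Once the log-only period shows no false positives, switch to enforcement:
    # Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce; Restart-Service adfssrv
} else {
    # Windows Server 2012 R2: classic extranet lockout protection.
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $adfsThreshold `
                       -ExtranetObservationWindow $observationWindow
}

# Verify the resulting settings (ExtranetLockoutMode is empty on 2012 R2).
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
                                   ExtranetObservationWindow, ExtranetLockoutMode
```

Apply the same settings on every node of the farm if the configuration is not shared, and review the AD FS security audit log during the log-only period before enforcing.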

You can use the AD FS to pass-through authentication deployment plan as a step-by-step guide to walk you through the implementation process.

Learn more

Check back in a few weeks for our next blog post, “Step 2. Manage authentication and safeguard access.” In this post we’ll dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 1. Identify users: top 10 actions to secure your environment appeared first on Microsoft Security Blog.
