Get Security Done (GSD) - Microsoft Security & M365 Defender - quick wins to improve Security using existing entitlements

Updates - added MDO, MDE & MDCA (was MCAS)...

Ideally this page will be highlighting how to get the best out of your M365 E5 security and compliance entitlements. Yes, there is the ninja training series (full set of links below), but what is the best way to step lightly thru this and gain maximum benefit for the least effort?

Most of the focus here is more on the M365 SaaS Security platform elements, not necessarily on Sentinel or Azure, but there will be plenty of crossover.

Core reference material:

• Microsoft Cybersecurity Reference Architecture – https://aka.ms/MCRA
• Security collateral inc. CISO Workshops, and lots more – https://aka.ms/MarksList?
• Please - if you haven't come across these two links above before now - go and review and come back after, we'll still be here when you're done...
• ASD Essential 8 Security controls - Microsoft Whitepaper - https://aka.ms/e8guides
• Everything regards M365 Features and Licensing - Feature Matrix | M365 Maps - Aaron Dinnage , Microsoft Canberra
• Plan comparison in detail - https://aka.ms/M365EnterprisePlans

For those wanting to keep up with all the latest developments as they become available (or even before then) then we'd strongly suggest you sign up to the Team Channels. Both of these below are covered by your NDA with Microsoft from either a Partner or Customer perspective. This is where you can get early access to the latest features in Private Preview so long as you're prepared to provide feedback as to what works and what doesn't.

• Microsoft Cloud Security Private Community - https://aka.ms/prseccom
• Microsoft 365 Defender Customer Connection Program - https://aka.ms/M365DefenderCCPSignUp

Defender M365 Console:

Evaluate Defender 365: https://learn.microsoft.com/en-gb/microsoft-365/security/defender/eval-overview?view=o365-worldwide a good step by step guide to getting everything turned on - but it is aimed at folks just starting

Test Use Cases: https://learn.microsoft.com/en-gb/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-use-cases?view=o365-worldwide

SOC Maint Tasks: https://learn.microsoft.com/en-gb/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-tasks?view=o365-worldwide

MDI:

• Go to https://portal.atp.azure.com and if you see this, it’s not been installed

• Use Attack Simulations to validate MDI is installed correctly and Alerts are being surfaced accurately: https://learn.microsoft.com/en-us/defender-for-identity/playbooks
• Use Labs for in depth checking: https://learn.microsoft.com/en-us/defender-for-identity/playbook-lab-overview
• Review Security Assessments to validate what potentially needs remediation: https://learn.microsoft.com/en-us/defender-for-identity/security-assessment#assessment-reports
• Full list of the 44 Alerts that are being checked on your behalf when fully deployed: https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview
• If you do not use the local default Administrator account (ideally have it disabled?) then please add it to the Honeytoken account list https://learn.microsoft.com/en-us/defender-for-identity/entity-tags#honeytoken-tags

?Troubleshooting:

• https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues
• https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs

MDCA (was MCAS):

• Settings: https://security.microsoft.com/cloudapps/settings
• Troubleshooting https://learn.microsoft.com/en-us/defender-cloud-apps/troubleshooting-cloud-discovery
• Tune the system https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-suspicious-activity
• Tell it what the Corporate IP address's are https://learn.microsoft.com/en-us/defender-cloud-apps/ip-tags
• Set the IP's in bulk if needed https://learn.microsoft.com/en-us/defender-cloud-apps/api-data-enrichment-manage-script
• Best Practices https://learn.microsoft.com/en-us/defender-cloud-apps/best-practices
• Daily Activities https://learn.microsoft.com/en-us/defender-cloud-apps/daily-activities-to-protect-your-cloud-environment

MDE:

• Demo Features: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide
• Plan Deployment: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deployment-strategy?view=o365-worldwide
• Architecture: https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf
• Deployment Phases: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deployment-phases?view=o365-worldwide
• BTW - Defender for Endpoint is for Endpoints, Servers actually belong in "Defender for Cloud" (MDC)
• https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-worldwide
• Configure Device Discovery: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-device-discovery?view=o365-worldwide
• Check it's working --> Simulated Attacks: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-simulations?view=o365-worldwide
• Automation Levels: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automation-levels?view=o365-worldwide
• Configure AIR capabilities: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation?view=o365-worldwide
• Attack Surface Reduction (ASR) rules: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide
• ASR Rules Deployment: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment?view=o365-worldwide
• Troubleshooting: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide
• Troubleshooting mode for devices: https://jeffreyappel.nl/microsoft-defender-for-endpoint-troubleshooting-mode-how-to-use-it/
• Migration Guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/migration-guides?view=o365-worldwide

MDO:

• Try in Audit mode: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365?view=o365-worldwide
• Enhanced Filters aka Skip Listing: https://learn.microsoft.com/en-us/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors
• Step-by-Step guide: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/step-by-step-guide-overview?view=o365-worldwide
• SecOps Guide: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-sec-ops-guide?view=o365-worldwide
• Features: https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-defender-for-office-365-features
• AIR: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-air?view=o365-worldwide
• How AIR works: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-air?view=o365-worldwide
• Protect against Threats: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/protect-against-threats?view=o365-worldwide
• Recommended Settings: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide
• Config Analyzer: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide

Conditional Access:

The?#Microsoft?content:

• https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-design
• https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture
• https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework
• ?https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-apis
• https://github.com/Azure-Samples/azure-ad-conditional-access-apis/tree/main/03-deploy
• https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access
• https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps
• https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
• https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
• https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadmsconditionalaccesspolicy?view=azureadps-2.0
• https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-does-conditional-access-block-legacy/ba-p/3265345

NOTE: please be aware there is no inherent "BLOCK" by default

You need to make sure you are BLOCKING by default unless explicitly allowing access

Walk through the 14 default Policies to better understand this

To make sure that you are fully covered please use this?PowerBI based tool https://github.com/AzureAD/AzureADAssessment

Here is a great companion for Sentinel: https://danielchronlund.com/2022/04/21/a-powerfull-conditional-access-change-dashboard-for-microsoft-sentinel/

Automation of "CA-as-Code"

• Thomas N. - https://www.cloud-architekt.net/speaking/ The most recent deck – 2022-06-11 Scottish Summit 2022 “Deploying and Managing Conditional Access at Scale” Slides
• Excellent article here that is really worth the time reading as this will highlight how to enable this in detail: https://www.cloud-architekt.net/aadops-conditional-access/

He also points out the others that have done great work in this space:

• Fortigi/ConditionalAccess (github.com)
• AlexFilipin/ConditionalAccess (github.com)
• DanielChronlund/DCToolbox: Tools for Microsoft cloud fans (github.com)

One important point – don’t get caught up trying to manage GUID’s:

• Fortigi has published some build scripts on GitHub?to convert those GUIDs to readable display names.
• This also covers known GUIDs such as AAD Role and Application ID to DisplayName.

Hardening Guidance from ACSC:

• https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-21h1-workstations
• https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-365-office-2021-office-2019-and-office-2016
• https://www.cyber.gov.au/acsc/view-all-content/publications/microsoft-office-macro-security
• https://github.com/microsoft/Intune-ACSC-Windows-Hardening-Guidelines
• Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
• ACSC Windows Hardening Guidelines-Attack Surface Reduction

Ninja Security Training:

• M365 Defender : https://aka.ms/m365dninja
• Microsoft Defender for Endpoint: https://aka.ms/mdeninja
• Microsoft Defender for Identity : https://aka.ms/MDINinja??
• Microsoft Defender for O365 : https://aka.ms/mdoninja
• Microsoft Defender for Cloud Apps: https://aka.ms/mcasninja?(formerly MCAS)
• Microsoft Sentinel : https://aka.ms/sentinelninja
• Microsoft Sentinel for MSSP : https://aka.ms/azsentinelmssp
• Microsoft Defender for Cloud : https://aka.ms/ascninja
• Azure Network Security Ninja : https://aka.ms/aznetsecninja
• Microsoft Defender for IoT: https://aka.ms/d4iotninja
• Microsoft Purview eDiscovery: https://aka.ms/ediscoveryninja
• Microsoft Information Protection: https://aka.ms/mipninja
• Microsoft Purview Insider Risk Management: https://aka.ms/insiderriskninja
• Microsoft Purview Communication Compliance: https://aka.ms/communicationcomplianceninja
• Microsoft Purview Compliance Manager: https://aka.ms/compliancemanagerninja
• Sentinel Automation: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ba-p/3563377
• Sentinel Notebooks: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/becoming-a-microsoft-sentinel-notebooks-ninja-the-series/ba-p/2693491
• Microsoft Threat Intelligence: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/become-a-microsoft-defender-threat-intelligence-ninja-the/ba-p/3656965
• Must Learn KQL: https://github.com/rod-trent/MustLearnKQL
• Kusto Detective Agency: https://detective.kusto.io
• Microsoft Defender for Endpoint Trial: https://aka.ms/mdetrial
• Exam SC-900: https://learn.microsoft.com/en-us/certifications/exams/sc-900
• Exam SC-200: https://learn.microsoft.com/en-us/certifications/exams/sc-200

Inspired by Mark Simos ’s “Mark’s List” and a discussion after an “In to the Breach” training exercise with Dylan J. over a few beers it was discussed that there should be a local ANZ version focused more around “Getting Security Done” (hence the short link to GSD) with a specific focus on the M365 Security platform, but not restricted to just that as we'd like to adopt a very customer centric view point on this. (of course here in Australia we might typically refer to this as "Get Shit Done")

So with that planning got under way to create https://aka.ms/GSD, and of course we could always refer to this as Global Security Deployment?

Please note this will be a mix of both Microsoft & non-Microsoft content, if it is of value and can help you with said mission of GSD for Security in the Microsoft Platform, then we'd like to include it - having said that, please feel free to provide feedback on the good, the bad and the ugly as we'd like to improve this over time.

While this will start off as a LinkedIn Article - it may well transition to either GitHubPages.io or to a hosted Worpress sometime early next year, as Jeff Beckitt keeps telling me - don't let perfect be the enemy of good - please keep that phrase in mind as you review the details below.

Feel free to provide suggestions