You are the corporate information security officer (CISO), responsible for managing activities in the United States and in the European Union. As part of your role, you are the data protection officer (DPO) under GDPR, and you are also the Compliance Manager under your corporate responsibilities. Your company has made the strategic decision to purchase Office 365 and integrate the on-site Active Directory into Office 365 and Azure services. The problem is where to begin. You have spoken with a number of Microsoft partners, and they point to two areas: Azure security services and Microsoft Secure Score. You are worried about phishing attacks and the next generation of worms that are AI based. You are using an older version of antivirus that is signature based. Your security tools are out of date, and you need to look at the problem from a new perspective. What do you do next? The answer is simple: deploy Microsoft Secure Score!
Ninety-five percent of penetration attacks begin with a phishing attack. The bad actors data mine LinkedIn and other social media sites to find information about a target using an approach that is no different than what most companies use for marketing programs. The bad actors start to develop a relationship and become trusted. How does a bad actor become trusted? They start to imitate your friends and contacts through phishing and spoof attacks and then breach your network.
As I’ve said repeatedly, security is a landscape in flux. As attacks become more vicious, we as custodians for our company information need to change our policies and approaches. Traditionally, IT has been a service and support organization. Because of data threats, support organizations need to change and adopt new policies for audit and security management. One trend that we are seeing is the addition of a security operations center (SOC) to the help desk. Typically, IT services do not include all three branches: the help desk, the network operations center (NOC), and the security operations center (SOC). Today, SOCs enlist predictive tools to spot and analyze trends, and include machine learning, behavior analysis of users, and deep learning.
Deep learning is one of the latest tools added to security suites and involves the analysis of large data sets. It is likened to a neural network resembling the human mind, and is capable of analyzing all sets of data. To be a successful CISO, you need to deploy the tools that will provide the necessary protection and analysis of the threats your company is facing.
Note
Deep learning is used to develop neural networks, which are a key component in next-generation AI tools. Deep learning software is self-learning and is used to drive automobiles, analyze legal cases, and power threat detection/remediation software. If you look at Windows Advanced Threat Protection (part of the Windows 10 E5 solution), you will see an implementation of a neural network or deep learning model.
The third step is to analyze the data, draw conclusions, and provide a set of recommendations with a timeframe for implementation. The tools are constantly changing, with more options for configuration and analysis. As compliance becomes more a part of our business activities, we need to deal with the risk of devices, users' access, and identity management. The question we ask ourselves is how can we configure the environment and set up the components we require to be successful in our deployment? Where do we start, and how do we proceed?
Secure Score is a feature in the Office 365 Security & Compliance Center and is available to all users who have an Office 365 subscription. The purpose of Microsoft Secure Score is to get you headed in the correct direction, with a measurement that you can use to see whether you have improved your security posture. Microsoft Secure Score is designed so you can measure your deployment and then improve upon it.
There is a lot of work required to set up your 365 tenants to be monitored and analyzed under Microsoft Secure Score. Each of the Security Centers has a different function associated with it. After you set up the security scoring, the next step is to configure Mobile Device Management and Mobile Application Management for Office 365 (see Chapter 5). Once you complete the MDM/MAM setup, you have a secure environment. The setup order is important, though. Each Security Center feeds on the previous one to provide you with a 360-degree view of the security process.
The goal of this chapter is to provide you with the tools necessary to manage your Office 365 tenant in a secure way. At the end of this chapter, you will have Secure Score and Compliance Manager configured and set up to record information for your security process. As part of this process, you want to record your security score at the start so you can see the impact of the changes that you make to your Office 365 account. When this book was published, the Microsoft Secure Score was composed of two scores: the Office 365 Secure Score and the Windows Secure Score. Let's get started in building out our Microsoft Secure Score and enabling the security implementation tracking.
Note
Before you proceed, you will want to purchase the following Office 365 subscriptions for your account: Microsoft 365 E5 and an Azure $100 CSP subscription. To fully understand the concepts in this book, you must have these subscriptions deployed on your administrator account. You can deploy these subscriptions from your current Microsoft partner. If you are worried about the long-term commitment of Office 365, check out www.kamind.com/csp for the different subscription offerings.
Security & Compliance Center
Note
The IT support industry is changing. There are three types of outsourced IT organizations in the United States: break fix (you call them and they fix things for you), Managed Service Provider (MSP) (these are companies that provide you with a managed services plan and have a limited scope of work to do), and Managed IT Department (MID). The vendor that supplies you MID services becomes the vendor that helps your business move to the next level. The MID organization is your strategic advisor. This is very much like they are in your office and they take care of issues and problems associated with the activities of the IT organization.
At this point you may be wondering why we are scoring our configuration; this has to do with Office 365 security. The Microsoft Secure Score contains baseline configuration data of companies in the same market segment. In essence, we are measuring ourselves against our competitors. The objective is to set up a baseline measurement that we can use to compare our Office 365/Azure tenant implementation to other organizations. As new threats emerge, the security posture changes and our baseline number will change. We can see the impact of changes and take appropriate actions to improve our security posture. This is why Microsoft Secure Score is important to us and our company. A low score means higher risk; a higher score implies lower risk. Our discussion on compliance (later in this chapter) will also look at the Microsoft Compliance Score to see how we are doing in compliance and where we need to improve. The security and compliance scores provide us with meaningful metrics to assist us in managing our business in the Microsoft Intelligent cloud.
The security score is critical to managing our cloud security posture. To access the Microsoft Secure Score, in the “Security admin” area, select Office 365 Secure Score. This will redirect you to the Microsoft Secure Score dashboard (which includes Office 365 Secure Score and Windows Secure Score, see Figure 3-8). We will be looking at both security score settings in this chapter. Keep in mind that the secure score settings are a comparison of the different configurations of Office 365 combined with the threat intelligence from the Microsoft security graph. The score is a weighted value based on the importance of the security control and the impact of the control to various threats. If an Office 365 tenant is attacked by a bad actor and the attack is thwarted by a control setting, then this control setting will have a higher value than a different control.
Note
The Microsoft Secure Score is only a number that gives you a probability of penetration. This does not mean you should set the number to be the maximum value. On the contrary, you need to look at the controls and determine what makes business sense for your organization. Typically smaller companies will have a lower score and larger companies with a security department will have a higher score. In all cases, you need to continuously monitor the events and take actions as necessary.
Secure Score Overview
Secure Score is composed of two parts: Office 365 Secure Score and the Windows Secure Score from the Windows Security Center (https://securitycenter.windows.com). Before you can start using the Microsoft Secure Score, you will need to deploy Windows Security Center Advanced Threat Protection (part of Windows 10 E5).
Deploying the Windows Security Center
The subscriptions that we have deployed in our test organization are the Microsoft 365 E5 and Azure CSP subscriptions. One of the components in Microsoft 365 E5 is the Advanced Threat Protection upgrade for Windows Defender. This is the next-generation end-client threat protection agent. The agent is linked to the larger Microsoft threat brain (called the threat intelligence graph) and is able to protect against endpoint threats (servers, desktops, and non-Microsoft endpoints). The desktop agents are AI-based and deploy the deep learning methodologies that you find in neural networks.
The Microsoft 365 E5 subscription includes the Windows 10 E5 subscription, which is a digital license upgrade of Windows 10 Pro systems to Windows 10 Enterprise (no code changes are required to upgrade subscriptions). This upgrade includes the next-generation Advanced Threat Protection. This software is a key threat protection tool that defends the endpoint from attacks and is crucial in defending your network against bad actors. The following steps will configure the Windows Security Center to be used by your Office 365 tenant. The account you are using must be configured with this subscription as a global administrator and cannot be configured with partner-delegated admin rights.
Installing Windows Advanced Threat Protection
1. Make sure your account is provisioned with a Microsoft 365 E5 subscription.
2. Log in with a global admin account (and not a delegated admin) to Office 365.
3. Log into https://securitycenter.windows.com and follow the steps outlined next.
The detailed steps to set up Windows 10 ATP are outlined next. There is additional software that you will need to deploy to the desktop to enable Windows analytics and to collect data for Azure security services. The Azure security deployment and the Windows 10 analytics are used to address security issues on clients and the actions of bad actors. We deployed the Azure Security Center (in the previous chapter) first so we could enable the additional security monitoring of the Windows Security Center and the Azure security monitoring services. If you have not configured your Azure security services (described in Chapter 2), please return to that chapter and configure them now.
Note
To access a free trial of Windows Defender Advanced Threat Protection, go to https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp. Before you start the free trial, make sure you are logged into the Office 365 tenant as a global admin. The free trial will be added to your 365 tenant.
Microsoft requests that you log in a second time to verify your account. The other way to use Windows 10 ATP is to use a Microsoft 365 E5 subscription.
Step 1: Log In to securitycenter.windows.com
Step 2: Set Up the Data Repository
Step 3: Set Up Data Retention Preferences
Step 4: Set Up the Organization’s Data Size
Step 5: Identify the Organization Type
Step 6: Click Preview and Set Up the Cloud Instance
Step 7: Download the Client Software
Step 8: Download the Client Software for Azure Log Analytics
You can also download the same agent for all Windows and non-Windows devices. Data collection for analyzing threats is key to deploying Office 365. If you do not install the data collection agents, you will not have visibility into the threats against your systems. As an example, you now have the ability to look at systems' configuration and performance and take appropriate actions. One of the new threats that is emerging is crypto-jacking, which takes over a system's computing resources (typically to mine cryptocurrency for the attacker). If your systems have been operating slowly for no apparent reason, deploy the monitoring agents to see what is happening in your systems through the Log Analytics dashboard.
Note
The Log Analytics monitoring agent supports Windows and non-Windows devices. If you have not looked at the connected services, take the time now to examine what needs to be done to connect the rest of your monitoring services to Office 365 and Azure. To manage your cloud-based services, you will need to install the monitoring agents.
After you have downloaded and installed the agent, move on to step 9 and configure the Windows 10 analytics environment with the commercial ID.
Step 9: Configure the Windows 10 Environment
1. In the Azure portal (portal.azure.com), select Favorites (the option under Create a resource on the left-hand menu).
2. Scroll down to the Intune service.
3. Select the Intune service and click the star so it turns yellow. This adds Intune to the favorites on the left-hand menu.
4. Select Intune (it will be at the bottom of the list, unless already added).
Once you have the Commercial ID, there are three ways to deploy it: Group Policy, Local Policy, or EMS deployment (version 1803 or later). If you want to configure the Commercial ID data collection on the local systems, see "Deploying the Commercial ID on Windows 10 Using Local Policy" later in this chapter. In the following steps, we will configure the Commercial ID deployment via the MDM wizard (MDM is covered in detail in Chapter 5).
Name: Windows 10 Systems – Telemetry
Description: Enable Commercial ID
OMA-URI: ./Vendor/MSFT/Policy/Config/System/AllowTelemetry
Data Type: Integer
Value: 1
The last step is to make sure you have assigned this deployment to a security group for deployment to the Windows 10 devices (see Figure 3-22). Once you have configured any MDM feature, you will need to assign the deployment to the different groups. In our case, we assign this to a test group for deployment (more in Chapter 5 about this configuration).
Step 10: Verify the Windows 10 ATP Deployment
Confirm that each of the following components is present on the devices:
- ATP agent for Security Center
- Microsoft Monitoring Agent for data collection
- Commercial ID for detailed systems analysis
Reviewing Windows Security Center Settings
To configure the Application Guard feature, we use the same methods that we used earlier. We configure the OMA-URI for the Application Guard deployment (see https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp). Once this is deployed, our Windows Secure Score will increase with the new policy. Later in this chapter, you will examine how you configure the OMA-URI settings to push notifications to your managed clients. In Chapter 5, I will discuss these settings and others in more detail when talking about the MDM/MAM configuration.
So far, we have configured the Windows Secure Score; the other half of the problem is the Office 365 Secure Score. Let’s move to the Office 365 Secure Score and configure the services so we can review the security positioning of our Office 365 environment.
Note
There are many different philosophies on what to configure or not to configure. My best advice is to look at each feature and independently make a decision to deploy or not to deploy. If you leave the defaults without understanding why they are in place, your configuration may not be as secure as needed, and you may have drastically affected the end user experience in a negative way.
Office 365 Secure Score
The Office 365 Secure Score is easy to configure; there is little setup required to collect the information. The Office 365 information is collected in your tenant based on your configuration of the different Office 365 services. There are three components that make up the security score. These are your Office 365 configuration, your organization size, and your market segment. Keep in mind that the security score values are recommendations. You will need to look at each of the recommendations to see the impact on your business. In some cases, there is no impact. In other cases, there could be a significant impact on the organization productivity. The goal of Microsoft Secure Score is to set up a configuration that meets your security needs. Do not try to max out the configuration. You want to select the configuration that makes sense for your business.
Comparison Score
What is the comparison score? I have had many discussions with Microsoft over the years on the features of the Microsoft Secure Score. The comparison provides a look into your target market and your company size and the typical configuration of the 365 tenants. This gives you an idea of what you are doing and what your fellow competitors are doing. This is important because bad actors look to target certain industries with different types of attacks. If your industry is banking, it is common that the attack will take on a form that is recognized by your fellow workers as a valid e-mail. In this case, the score gives you a metric to show that you need to be better to reduce your risk. Microsoft has extended the Microsoft Secure Score with threat intelligence, so if you are in a targeted industry that is exposed to certain types of threats and you turn the defenses off, your Microsoft Secure Score will be impacted.
Note
Secure Score is nothing more than the gamification of security. We all are competitive in one way or another. What we are doing here is getting a target so we can improve. Remember, what is measured can be improved, and what is tracked exponentially improves. In our case, we want to raise our security score.
Microsoft Secure Score Target
Once you set the target, all that is needed is to look at the actions necessary to adjust the score. In our case, there are 22 actions that we need to complete. The filter on the actions is extremely useful to separate the easy configuration changes from the more difficult configuration changes. Many of the changes will require you to use PowerShell (see Chapter 7 for an overview) to configure your Microsoft Secure Score.
- Enable MFA for global admins
- Enable audit data recording
- Review sign-ins after multiple failures report weekly
- Set outbound spam notification
- Enable mailbox auditing for all users
- Review role changes weekly
- Enable information rights management
- User audit data
- Do not use transport rules to external domains
In the list of tasks that we need to complete, some require reviewing reports and others require configuring a specific function. If you expand the action items and add up the points, they would add about 15 points to our score, which would place us at a score of 295, less than 120 points away from our target of 407.
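The chapter asks you to record the score at the start, compare it with your peer group, and track the gap to the target you set. The following script, an added example that is not code from the book or from Microsoft, does that bookkeeping over two snapshots. The snapshot layout is an assumption modelled on the Microsoft Graph `secureScore` resource (`currentScore`, `maxScore`, `averageComparativeScores`, `controlScores`); both snapshots are constructed for illustration and are not real tenant data.

```python
"""Record a Secure Score baseline and measure the effect of changes.

Added example; it is not code from the book or from Microsoft. The snapshot
layout is an ASSUMPTION modelled on the Microsoft Graph `secureScore`
resource (currentScore, maxScore, averageComparativeScores, controlScores);
both snapshots below are constructed for illustration, not real tenant data.
"""
import json

# Constructed "day one" snapshot, taken before any configuration changes.
BASELINE_JSON = """{
  "createdDateTime": "2019-03-01T00:00:00Z",
  "currentScore": 280, "maxScore": 550,
  "averageComparativeScores": [
    {"basis": "AllTenants", "averageScore": 250},
    {"basis": "TotalSeats", "averageScore": 300},
    {"basis": "IndustryTypes", "averageScore": 330}
  ],
  "controlScores": [
    {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 0},
    {"controlName": "MailboxAuditing", "controlCategory": "Data", "score": 0},
    {"controlName": "SPFRecord", "controlCategory": "Apps", "score": 10}
  ]
}"""

# Constructed snapshot after enabling MFA for admins and mailbox auditing.
AFTER_JSON = """{
  "createdDateTime": "2019-03-08T00:00:00Z",
  "currentScore": 295, "maxScore": 550,
  "averageComparativeScores": [
    {"basis": "AllTenants", "averageScore": 250},
    {"basis": "TotalSeats", "averageScore": 300},
    {"basis": "IndustryTypes", "averageScore": 330}
  ],
  "controlScores": [
    {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 10},
    {"controlName": "MailboxAuditing", "controlCategory": "Data", "score": 5},
    {"controlName": "SPFRecord", "controlCategory": "Apps", "score": 10}
  ]
}"""


def load_snapshot(text: str) -> dict:
    """Parse one snapshot and index the control scores by control name."""
    snap = json.loads(text)
    snap["controls"] = {c["controlName"]: c["score"] for c in snap["controlScores"]}
    return snap


def diff_controls(before: dict, after: dict) -> list:
    """Controls whose score changed between two snapshots, as (name, old, new)."""
    names = sorted(set(before["controls"]) | set(after["controls"]))
    return [(n, before["controls"].get(n, 0), after["controls"].get(n, 0))
            for n in names
            if before["controls"].get(n, 0) != after["controls"].get(n, 0)]


def gap_to_target(snap: dict, target: int) -> int:
    """Points still needed to reach the target you set (0 once reached)."""
    return max(0, target - snap["currentScore"])


def comparison_report(snap: dict) -> dict:
    """Our score minus each peer average; a negative value means we trail that group."""
    return {c["basis"]: snap["currentScore"] - c["averageScore"]
            for c in snap["averageComparativeScores"]}


if __name__ == "__main__":
    base, now = load_snapshot(BASELINE_JSON), load_snapshot(AFTER_JSON)
    print("score change:", base["currentScore"], "->", now["currentScore"])
    for name, old, new in diff_controls(base, now):
        print(f"  {name}: {old} -> {new}")
    print("points to target 407:", gap_to_target(now, 407))
    print("versus peers:", comparison_report(now))
```

Keeping dated snapshots like these alongside your change log is what lets you attribute a score movement to a specific control change rather than to Microsoft re-weighting a control, which the chapter notes happens as new threats emerge.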
Increasing the Microsoft Secure Score
After you configure the MFA function to increase the score, walk through the remaining options to configure the services. The benefit is that your Office 365 tenant will have a secured configuration. Will this block all bad actors? We hope so! What Microsoft Secure Score does is make your data more difficult to compromise, so the bad actors will be blocked the majority of the time. MFA raises the bar and forces the bad actors to look elsewhere. This is no different from homes that are well-lit and have barking dogs versus homes that are quiet and not well-lit. Bad actors will go for the homes that look easy to break into. You need to think of your Office 365 tenant in the same manner. Raise the security level and direct the bad actors to other homes.
Score Analyzer and Next Steps
Microsoft Secure Score is designed to constantly evaluate the configuration of your Office 365 tenant. The evaluation happens at least once a day. The best practice is to make changes first in the areas where there is the least impact on your users. In the areas where there is user impact, such as setting up MFA or configuring the application ID, the changes need to be rolled out more slowly.
Note
Microsoft Secure Score is a set of baseline numbers that give you a recommendation on how your Office 365 tenant should be configured. As a CISO, you need to look at the reports generated in the Security Center and evaluate your business risk. Microsoft Secure Score is a tool that dynamically adjusts your score based on your Office 365 and Windows configuration and compares this to the risk associated with your business in a specific target market. The Microsoft Secure Score is designed to assist you in building a solution that has fewer vulnerabilities. However, if a bad actor has targeted the organization, there is still a high probability of penetration by the bad actor.
Compliance Manager
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 1
The difference between Secure Score and Compliance Manager is technical implementation versus business process implementation. Compliance Manager is about the business processes being compliant with the different governmental entities. The score that is used in Compliance Manager is a relative weight of the importance of the activity when you look at the overall requirements. In the case of the GDPR, we are looking at changes in how we store and manage information. When you are audited by a governmental agency, the audit looks at who is responsible for the implementation of the various regulations in your business.
So far, we just looked at the EU GDPR requirements. Let’s look at the NIST 800-53 requirements. These are the requirements for U.S. federal contractors. If your business receives federal funds, you are required to be compliant with the NIST-800-53 standard.
When an auditor approaches an organization, the organization must show that it has implemented the necessary processes and controls and that it has the necessary documentation and checklist assigned to complete the activity. If the organization does not show the necessary controls and documents to support the audit request, the organization is fined.
Note
Compliance Manager supports the EU regulation GDPR and NIST 800-53 for federal contractors. The next change we will see is the implementation of the California Consumer Privacy Act (CCPA). CCPA also includes fines.
The fines for noncompliance can be large and even close businesses. In the case of the European Union, the fines start at 20 million euros. In the United States, it depends on the agency, but it is not uncommon to have fines of $10,000 per incident with forfeiture of the government contracts.
This is why Compliance Manager is extremely important to your business. If you are subject to any state, federal, or international regulation, you must manage the information from a legal standpoint. For all other businesses, you need to look at the regulations (GDPR and NIST 800-53) and use the same process to manage your internal activity. When the CCPA becomes more widespread, this is the tool you will use to ensure that your organization is compliant.
Compliance is a big topic. My objective here was to introduce you to the service trust center and the configuration necessary to manage your Office 365 tenant. Compliance is all about business processes and changes. Just like with Secure Score, we have a compliance score.
Next Steps
We use Compliance Manager as a checklist when we audit a customer for GDPR compliance and NIST 800-53 compliance. This is the checklist that your organization needs to implement. All companies should do what is necessary to be NIST 800-53 compliant. If we add in the changes under California's CCPA, our businesses will fundamentally change. What are the steps that you need to follow to implement the necessary changes in your organization? I have outlined some typical questions that you need to ask.
Step 1: Review Your Business
- GDPR
  - Do you have customers from the European Union?
  - Do you supply products or services to EU entities (people and/or businesses)?
- NIST
  - Do you have a federally funded contract for products or services?
  - Do you supply products or services to a vendor that is a government contractor?
- CCPA (use the NIST compliance tool)
  - Do you have customers in California?
  - Do you supply products or services to vendors in California?
  - Is your state passing a law similar to CCPA?
Step 2: Engage with a Licensing/Compliance Partner
Compliance Manager does a good job of helping you with the requirements of compliance. However, you may need a facilitator to provide you with accountability to make sure you are doing the work correctly. Compliance is about record-keeping and inventory assessment. Assign owners to the various regulations, and manage the activity like you would any other project. Set start dates and define a timeline for implementation.
The goal of this type of engagement is to identify the compliance gap and who owns the gaps. Bear in mind that everything needs an owner, and everything must be tracked to make progress.
Once you have completed the compliance management process, Compliance Manager can assist you to make sure the data is kept up-to-date. This will help an organization meet the compliance needs. However, this is not a one-time action. It is a continuous process.
Step 3: Complete the Assessment
There is no way to get around this; you will need to complete the assessment and generate your business compliance score. The deliverable in the compliance score is the detailed process document that your organization needs to execute against for the different areas.
Other Configurations
Microsoft Secure Score is a powerful way to build out your Office 365 configuration and Azure configuration. This section contains some miscellaneous helpful hints on where to find and configure certain information required in Microsoft Secure Score. The techniques to deploy the configurations to the desktops are covered in the Mobile Device Management (Chapter 5).
Retrieving the Commercial ID for Windows 10 Devices
The Commercial ID is used to collect information from Windows 10 desktop devices and supply the information to Microsoft. In this way, Microsoft can advise on upgrade readiness. The second use of the Commercial ID is to collect information that we can use in our security analysis of the workstation and of the external threats from bad actors.
What we are doing from a security perspective is adding the Windows information from the desktops (and servers) and linking the information with the Active Directory and Office 365 information to build a full, 360-degree view of the security profile of the user. When we add Windows 10 Advanced Threat Protection, we are also linking information so we can see different threats to the environment that we are mitigating. To retrieve the Commercial ID, follow the steps outlined next.
Note
To retrieve the Commercial ID, you need to have completed the Azure Log Analytics setup described in Chapter 2. If you have not completed those steps, please return to Chapter 2 and configure Log Analytics so you can add data analysis to your environment. Security defense requires that data is collected from the different endpoints and analyzed together with the data from the cloud services.
Step 1: Select Log Analytics and Update Management
Step 2: Copy the Commercial ID from the Update Compliance Blade
Deploying the Commercial ID on Windows 10 Using Local Policy
There are three ways to deploy the Commercial ID: Group Policy, Local Policy, or EMS deployment (version 1803 or later). In the following steps, we will show how to use Local Policy to configure the Commercial ID. In this case, we will use the Local Group Policy editor to configure the necessary entries for data recording.
Step 1: Edit the Group Policy by Using the MMC Component
Step 2: Expand Data Collection and Preview Builds
Step 3: Expand Telemetry
Step 4: Enter the Commercial ID and Enable Upload
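After the four Local Policy steps above, it is worth verifying on the device that the policy actually took effect, since a device with no Commercial ID or with too low a telemetry level will never show up in the Update Compliance blade. The script below is an added example, not code from the book: it evaluates the registry values behind the "Data Collection and Preview Builds" policy (`HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`, values `CommercialId` and `AllowTelemetry`; the chapter itself does not list these locations, they are taken from the Windows policy documentation). The sample values are constructed and the all-zeros GUID is a placeholder, not a real Commercial ID.

```python
"""Check that a Windows 10 device carries the Commercial ID and a telemetry
level that allows upload to Update Compliance / Log Analytics.

Added example, not from the book. The registry location is the one behind the
"Data Collection and Preview Builds" Group Policy settings
(HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection, values
CommercialId and AllowTelemetry); the chapter itself does not list it. The
sample values are constructed; the all-zeros GUID is a placeholder.
"""
import re

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\DataCollection"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# AllowTelemetry levels. Update Compliance needs at least Basic (1), which is
# the level the chapter's OMA-URI setting (Value: 1) selects via MDM.
LEVELS = {0: "Security", 1: "Basic", 2: "Enhanced", 3: "Full"}


def evaluate_policy(values: dict) -> dict:
    """Judge a dict of registry values (name -> data) read from POLICY_KEY."""
    findings = []
    commercial_id = values.get("CommercialId")
    if not commercial_id:
        findings.append("CommercialId missing: device will not report to Update Compliance")
    elif not GUID_RE.match(str(commercial_id)):
        findings.append("CommercialId is not a GUID: check the value copied from the blade")
    level = values.get("AllowTelemetry")
    if level is None:
        findings.append("AllowTelemetry not set by policy: the local user setting decides")
    elif level not in LEVELS:
        findings.append(f"AllowTelemetry={level!r} is not a valid level (0-3)")
    elif level < 1:
        findings.append("AllowTelemetry=0 (Security): too low, Basic (1) or higher is required")
    return {"ok": not findings, "level": LEVELS.get(level, "unknown"), "findings": findings}


def read_policy_from_registry() -> dict:
    """Windows only: read the two policy values from HKLM (reading needs no admin rights)."""
    import winreg  # standard library, present on Windows only
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name in ("CommercialId", "AllowTelemetry"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set by policy; evaluate_policy reports it
    return values


# Constructed samples: a correctly configured device and two misconfigured ones.
SAMPLE_GOOD = {"CommercialId": "00000000-0000-0000-0000-000000000000", "AllowTelemetry": 1}
SAMPLE_NO_ID = {"AllowTelemetry": 1}
SAMPLE_TOO_LOW = {"CommercialId": "00000000-0000-0000-0000-000000000000", "AllowTelemetry": 0}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("no id", SAMPLE_NO_ID), ("level 0", SAMPLE_TOO_LOW)):
        print(label, evaluate_policy(sample))
```

On a managed device you would call `evaluate_policy(read_policy_from_registry())`; the pure `evaluate_policy` function is kept separate so the same checks can run against values collected centrally (for example, exported from an inventory tool) without touching each machine.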
Setting Custom OMA-URI Settings for Microsoft Intune
Name: Windows 10 Account Management – Holographic Delete policy
Description: Set Account Delete Policy
OMA-URI: ./Vendor/MSFT/AccountManagement/UserProfileManagement
Data Type: Integer
Value: 2
Deploying DMARC/DKIM
How does DMARC work? Simply put, it checks that the visible From address (the RFC 5322 header) is aligned with the address the mail was actually sent from (the RFC 5321 MAIL FROM envelope address) or with the domain that signed it. The deployment of DMARC/DKIM prevents spoofing. As an example, look at the simple mail transaction in Figure 3-50. Normal SPF checks will allow an e-mail to go through the message filters, but a DMARC/DKIM deployment will detect the phishing address and force a DMARC failure.
DMARC/DKIM simply forces the domain validation of the e-mail. In the example, DMARC validates that the e-mail address comes from a valid domain. This approach validates the sender e-mail; you can still be phished, but it minimizes the phishing from fake e-mail domains. The configuration of DMARC involves the following steps.
Step 1: Configure SPF Records
Office 365 has a default DKIM configuration that uses the onmicrosoft.com domain. Once you have verified your custom domain, you need to create the DKIM records that correspond to the verified domains.
Step 2: Publish Two CNAME Records in Your Custom Domain
Step 3: Enable DKIM in Office 365
Step 4: Deploy the DMARC Identifier in Office 365
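The alignment check that makes DMARC catch the spoof in Figure 3-50, and the shape of the two CNAMEs from Step 2, are easier to reason about in code. The block below is an added example, not code from the book or from Microsoft. It implements the identifier alignment rules of RFC 7489 (relaxed versus strict, SPF and DKIM) on constructed messages; the DNS lookups, SPF check and DKIM signature verification are assumed inputs rather than performed, because a real verifier queries DNS. The `o365_dkim_cnames` helper follows the usual Office 365 naming pattern (`selector1-contoso-com._domainkey.contoso.onmicrosoft.com` for contoso.com), which is an assumption about a tenant's initial domain and not page data; `contoso.com` and `example.com` are placeholder domains.

```python
"""DMARC identifier alignment and Office 365 DKIM CNAME names.

Added example, not from the book. It implements the alignment rules of
RFC 7489 (section 3.1): a message passes DMARC when SPF passes for an
RFC 5321 MAIL FROM domain aligned with the RFC 5322 From domain, or a DKIM
signature verifies for an aligned d= domain. DNS lookups, the SPF check and
DKIM verification are ASSUMED inputs here; the messages are constructed and
the domains are placeholders.
"""
import re


def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; aspf=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # policy for failing mail: none, quarantine, reject
    tags.setdefault("adkim", "r")   # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")    # SPF alignment mode, relaxed by default
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels
    (a real implementation consults the public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def address_domain(addr: str) -> str:
    """Domain part of 'Name <user@domain>' or 'user@domain'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr)
    if not match:
        raise ValueError(f"no domain in {addr!r}")
    return match.group(1).lower()


def evaluate_dmarc(header_from, mail_from, spf_result, dkim_results, dmarc_txt):
    """Return (dmarc_result, disposition). dkim_results is a list of (d= domain, result)."""
    policy = parse_dmarc(dmarc_txt)
    from_domain = address_domain(header_from)
    spf_ok = spf_result == "pass" and aligned(address_domain(mail_from), from_domain, policy["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, policy["adkim"]) for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


def o365_dkim_cnames(custom_domain: str, initial_domain: str) -> list:
    """The two CNAMEs Office 365 asks you to publish (assumed naming pattern):
    selectorN._domainkey.<custom> -> selectorN-<custom-with-dashes>._domainkey.<initial>."""
    dashed = custom_domain.lower().replace(".", "-")
    return [(f"selector{n}._domainkey.{custom_domain}",
             f"selector{n}-{dashed}._domainkey.{initial_domain}") for n in (1, 2)]


# Constructed scenario from the chapter: SPF passes for the attacker's own bounce
# domain, but the visible From is our domain, so DMARC fails and p=reject applies.
SPOOF = dict(header_from="CEO <ceo@example.com>", mail_from="bounce@evil-example.net",
             spf_result="pass", dkim_results=[], dmarc_txt="v=DMARC1; p=reject")
# Legitimate mail from a sending subdomain: relaxed alignment (and DKIM) lets it pass.
LEGIT = dict(header_from="ceo@example.com", mail_from="bounce@mail.example.com",
             spf_result="pass", dkim_results=[("example.com", "pass")],
             dmarc_txt="v=DMARC1; p=reject; aspf=r")

if __name__ == "__main__":
    print("spoof:", evaluate_dmarc(**SPOOF))
    print("legit:", evaluate_dmarc(**LEGIT))
    for name, target in o365_dkim_cnames("contoso.com", "contoso.onmicrosoft.com"):
        print(f"{name} CNAME {target}")
```

The spoof case is exactly why SPF alone is not enough: the attacker controls `evil-example.net`, so its SPF record legitimately passes, and only the alignment requirement ties the authenticated domain back to the From address the recipient sees. Publish with `p=none` first and read the aggregate reports before moving to `quarantine` or `reject`, otherwise a subdomain or third-party sender you forgot about will fail alignment and be dropped.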
Using Azure Advisor
Summary
At this point you have expanded the type of data being collected in the Azure Security Center. You enabled the Commercial ID for Windows devices (Server 2019 and Windows 10) and started to collect more data about your enterprise environment. We can now see alerts in our enterprise and drill down on those alerts to remediate issues. One of your other accomplishments is the integration with Microsoft Secure Score, and you started to build a road map of the features you need to implement to secure the environment. We are on the path to success.
Next Steps
Now that our base logging configuration is completed and the logs are collecting data, we move on to the next step. The next step in this case is to continue the build-out of the Enterprise Mobility and Security applications. These are not true applications; rather, they are Azure extensions targeted to complete specific functions, all revolving around identity protection and information protection. Once we have completed the integration of the EMS services, we can move forward with mobile application and device management.
Reference Links
There is a lot of information about Office 365 on the Web—the issue is finding the right site. The information contained in this chapter is a combination of my experience doing deployments and of support information that has been published by third parties.