Office 365 – Alert Policy – Detected Malware in File – OneDrive or SharePoint

In the Office 365 Security & Compliance Center you can create alert policies.

Today's challenge was to set up an Alert Policy so an admin is notified if a user adds a file containing malware to OneDrive or SharePoint.

Start in “Office 365 Security & Compliance > Alerts Dashboard > New Alert Policy”.

I started by creating an alert, selecting Threat Management and High Severity.

Set the trigger to “Detected malware in file”.

Select the admins to be notified. I set a daily notification limit of 5 so I don't get overloaded with the same alert.

Then click “Finish”; you have the option to turn the policy on or off.

View “Alert policies” to confirm the new policy is listed.
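The same policy can be created from Security & Compliance PowerShell instead of the portal. This is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module is installed, Connect-IPPSSession has already been run, the admin addresses are constructed placeholders, and that the ThreatType Malware filter alone corresponds to the portal's “Detected malware in file” trigger (check the created policy in the Alert policies view).

```powershell
# Added example: create the "Detected malware in file" alert policy from
# Security & Compliance PowerShell. Assumes Connect-IPPSSession has been run
# as a Security Administrator. Recipient addresses are constructed placeholders.
$notify = @('secadmin1@contoso.example', 'secadmin2@contoso.example')

# Throttle: at most 5 notifications per 1440 minutes (one day), matching the
# daily limit of 5 chosen in the portal walkthrough above.
New-ProtectionAlert -Name 'Detected malware in file - OneDrive/SharePoint' `
    -Category ThreatManagement `
    -Severity High `
    -ThreatType Malware `
    -NotifyUser $notify `
    -NotifyUserThrottleThreshold 5 `
    -NotifyUserThrottleWindow 1440 `
    -Description 'Notify admins when malware is detected in a file stored in OneDrive or SharePoint.'

# Verify the policy exists, is enabled and carries the expected settings.
Get-ProtectionAlert -Identity 'Detected malware in file - OneDrive/SharePoint' |
    Format-List Name, Category, Severity, ThreatType, NotifyUser, Disabled

# To pause the policy without deleting it (the portal's on/off toggle):
# Set-ProtectionAlert -Identity 'Detected malware in file - OneDrive/SharePoint' -Disabled $true
```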

Office 365 How To Configure External Collaboration Settings with Domain Restrictions

In Office 365, how do you configure external collaboration settings but restrict certain domains from collaboration?

This is all configured under Azure Active Directory Admin Center.

A few clicks and you're configured.

User settings > External Collaboration Settings > set the level of restrictions and Save. This example restricts collaboration with the *.outlook.com and *.hotmail.com domains.

Or, if security is a higher priority than flexibility, disable member and guest invites and set “Allow invitations only to the specified domains”. Example:
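The domain allow/block list behind these portal settings can also be set with the AzureAD PowerShell module. This is an added example, not code from the original post; it assumes Connect-AzureAD has been run as a Global Administrator, uses the two domains from the post as the block list, and assumes the tenant accepts either an allow list or a block list but not both at once.

```powershell
# Added example: set the B2B invitation domain list from PowerShell.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
# Mirrors the portal setting "Deny invitations to the specified domains".
$blocked = @('outlook.com', 'hotmail.com')   # domains named in the post

# Build the policy definition. To switch to the stricter
# "Allow invitations only to the specified domains" variant, replace
# BlockedDomains with AllowedDomains (only one of the two may be set).
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            BlockedDomains = $blocked
        }
    }
} | ConvertTo-Json -Depth 5

# Only one B2BManagementPolicy may exist per tenant: update it if present,
# otherwise create it as the organisation default.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
} else {
    New-AzureADPolicy -DisplayName 'B2BManagementPolicy' -Type 'B2BManagementPolicy' `
        -Definition @($definition) -IsOrganizationDefault $true
}

# Read the stored definition back to confirm the domains were applied.
Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' } |
    Select-Object -ExpandProperty Definition
```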

How To Configure Office 365 Email Supervision

To allow another user to supervise a user's outbound email, you will need to create a new policy under “Supervision”.

Start by opening the “Security” center from the Microsoft Admin Center.

Click “Supervision” and then “Create”.

Name your policy and click Next.

Add the users or groups. You also have the option to select Teams chats; untick it if not required and click Next.

Select which mail to review: Inbound, Outbound or Internal.

Select the percentage of messages to review.

Add the reviewers (supervisors).

Review the settings and click Finish.

Optimising and Securing VMware Environments with Runecast Analyzer

Overview of Runecast Analyzer

A brief overview of a product which helps reduce troubleshooting time, identify issues and make your vSphere system compliant. The biggest issue I see in vSphere environments is maintaining security and hardware compatibility with the HCL. The features of Runecast certainly appear to help resolve these issues. Below are the key features as I see them in this product (not an exhaustive list).

Key Features (from my perspective)

  • Config KB checks
  • Best Practice
  • Security reports
  • Hardware compatibility checks
  • Logs and KBs Discovered
  • Plugin Runecast for vSphere Client
  • vRealize Orchestrator – Remediation options

Requirements

  • Base appliance minimum spec: 2 vCPU, 4 GB RAM

Runecast Dashboard (example)

A simple, clear dashboard, also available via a plugin for the vSphere Client.

  • Config KB checks

A headache in my life resolved: configuration issues are identified and highlighted.

What a useful feature: it pulls the information from the VMware Knowledge Base and shows the resolution.

  • Best Practice

Check best practice (run a scan; it only takes 1 or 2 minutes).

NTP example

SSH example (SSH enabled)

  • Security reports

Security and compliance

Analyse against a compliance standard: example report and recommendations

Example of PCI DSS (target specific PCI clusters if required)

  • Hardware compatibility checks

Hardware compatibility checks are all too often overlooked when updates and upgrades happen. Then, boom, things go wrong, and how do you start troubleshooting the unknown? So this feature looks good for helping keep you on track.

Drill down to see the issue (example)

  • Logs and KBs Discovered

Logs being reviewed, another nice feature.

  • Plugin Runecast for vSphere Client (The plugin mentioned at the start)
  • vRealize Orchestrator – (Remediation options with Runecast example)

This is just a brief overview of a product that helps save your IT resources time and effort in managing and maintaining the vSphere environment. It seems useful to me.

VMware Carbon Black Cloud – Next Generation Security

VMware Carbon Black Cloud

Carbon Black, an interesting company acquired by VMware on Oct 08, 2019, led me to watch the live demos and presentations at VMworld 2019. This product is possibly a game changer (opinions are my own) in the VMware security space.

With my background in VMware vSphere, Qualys, McAfee, Trend Micro, Symantec and ethical hacking, this product jumps out at me. I started looking in more detail at what this new integration could do.

Image from “VMWCB-VMware-Carbon-Black-Cloud-1.pdf”

Could these features, now built into vCenter or available as a plugin for it, replace many other security products?

Components

  • Next-Generation Antivirus and EDR
  • Managed Alert Monitoring
  • Real-time device assessment
  • Inbuilt and Proactive Threat intelligence

Benefits

  • One Console – Provides One Platform for your Security
  • One Agent – Reduce the endpoint security agents required
  • Reduce CPU usage

For more information or a demo, visit the Carbon Black site.

Secure Connectivity to Azure


05.03.2020 – Stephen Hackers attended the North East Azure User Group 14th Meetup, hosted by Frank Recruitment Group.

The core presentation was on Secure Connectivity to Azure by Matthew Bradley, Chief Engineer (Azure) at ClearCloud.

The session covered:

VPN offerings, Service Endpoints, VNet Peering and Private Link.

The presentation was focused on educating and sharing experiences in securing connectivity into Azure.

A key point: securing connectivity to Azure is required, and it doesn't need to come at great expense to the business. Build it into your solution from day 1.

Presentation Notes

VPN offerings:

  • Basic options start at roughly £20 a month (06.03.2020)
  • Bandwidth is the key difference between levels
  • The number of S2S tunnels is limited to 30 on most levels, but 10 on Basic

Service Endpoints:

  • No additional cost for VNet Service Endpoints
  • VNet ACLs are not supported across AD tenants
  • Service Endpoints add a system route which takes precedence over other routes

VNet Peering:

  • Traffic between resources is private/isolated, but not encrypted
  • Network address spaces must not overlap
  • VNet peering doesn't impose bandwidth limits

Private Link

  • Connect to Azure services without a public IP address
  • Private endpoints mapped to an instance of a PaaS service (in preview)
  • Private Link works a bit like NAT: the Private Link endpoint is given a private IP in the VNet of the source
  • IP ranges can overlap

Summary

A small event: around 45 technical, Azure-focused people attended. The event was kept simple with one good presentation. There is a great community bunch attending this up-and-coming North East Azure User Group. Thanks to Frank Recruitment Group for hosting the event and the essential beer and pizza. Having a recruitment company host with minimal sales pitch was a double win. We did discuss careers a little too at the end (in the optional pub nearby).

Looking forward to the next event. For anyone wishing to attend: https://www.meetup.com/North-East-Azure-User-Group/

Security, LinkedIn, Enable Two-Step Verification and FaceID

#Security #LinkedIn Turn on #2FA. It's really straightforward, and I would suggest it's a “must” to protect yourself and your LinkedIn account. Rather than reinvent the wheel, I found this useful link where someone has done the hard work of explaining how to enable 2FA. The setup/enable process should take less than 1-2 minutes to complete. https://www.howtogeek.com/448273/how-to-turn-on-two-factor-authentication-for-linkedin/amp/

Example shown below where the options are set:

  1. Two-Step verification option to enable


If you're concerned about losing your phone, enable additional security with FaceID when opening the LinkedIn app. If FaceID is already set up on the phone, just enable it in settings.

  1. App Lock using FaceID option to enable



#cyberattack
#cybercrime
#infosec
#cybersecurity
#informationsecurity
#cloudsecurity
#datasecurity
#mfa

Office 365, Legacy Applications and MFA

Some legacy applications don't support MFA. This is a solution to enable those apps to continue to function when MFA is enabled for a user in Office 365.

How to create an “Additional Security Verification” app password

Browse to https://portal.office.com/account/

Click “Security & Privacy”, then click “Manage Security and Privacy”.

Expand / click on “Additional Security Verification”.

Click “Create and manage app passwords”.

Click “Create”.

Enter a name, for example “Diary Sync”, and click “Next”.

Click “copy password to clipboard” (YOU NEED THIS PASSWORD).

(password above example only)

Some might get this error. Copy the password anyway (shortcut: Ctrl+A, then Ctrl+C).

(password above example only)

Click “Close”.

You now have an app password which you can use with your legacy application without MFA causing any integration problems.

Office 365 – Security (Part 1)

Have you set up MS Office 365? Did you start with security in mind?

Have you reviewed your security and privacy settings? Nothing is configured out of the box. When implementing Office 365, start treating the platform as if you were securing your on-prem infrastructure.

Start with the basics:

  • Password Policies
  • Privacy Statements

Can you add additional security to users?

Have you enabled and enrolled users to use MFA? Is MFA enforced?

Has access been restricted?

https://docs.microsoft.com/en-us/sharepoint/control-access-based-on-network-location

Mobile Device Management: are you applying any controls to apps accessing OneDrive?

Has logging been enabled for the Office 365 Security and Compliance reports and statistics?