Yesterday we watched an interview with white-hat hackers and how and why your organization finds itself in the cross-hairs (it’s not you, it’s them, and by “them”, we mean it’s mostly just unattended bots on the Internet). There’s some good stuff in the video, but their key takeaways for ensuring your assets are safe are to:
Ensure strong passwords are in place
Enable multi-factor authentication
Patch your systems
As an adjunct of that last one, one of the panelists stressed the importance of properly inventorying your systems.
We’ve been beating a security drum for the past few months that might sound fairly similar to those salient points: enable multi-factor authentication! protect mailbox users with anti-phishing & credential theft controls! patch patch patch!
It may also sound fairly similar to the center for Internet Security’s top 5 most important security controls (paraphrased):
Inventory your devices
Inventory your software
Secure your configurations
Perform continuous vulnerability assessments
Control use of admin rights
It is absolutely critical for modern connected organizations to understand the current threat landscape, and as we pointed out to attendees at the Microsoft Tech Summit in Atlanta, it’s a heck of a lot easier to get users to compromise your security than it is to brute force through your perimeter defenses. Recent attacks like the Winter Olympics counter-terrorism message and pivoted financial attacks on payroll systems show that attackers are still constantly evolving their methods.
If you haven’t looked at the top 20 CIS controls recently, or need a refresher, here are the other 15 (again, paraphrased):
Maintenance, monitoring, analysis of audit logs
Email & browser protections
Limitation & control of network ports
Data recovery capability
Secure Configurations for network devices
Just enough & just-in-time access
Wireless access control
Account monitoring & control
Security skills assessment & training
Incident response & management
What is interesting here is that, with the exception of configuring the actual network devices, Microsoft 365 actually has a solution for every single control on the list. That’s pretty crazy to think that you can knock out 18 of 20 critical controls with one tool.
And that would be pretty cool even if that were the extent of it, but honestly, it’s not. Take malware defenses & analysis of audit logs: with integrations between Windows Defender ATP, Azure ATP for Users, and Office 365 ATP, we can see an attack across multiple vectors and drill down from one control surface to the next with 1:1 incident correlation. Tack on the recently-announced Office 365 Attack Simulator, and you’re armed with powerful tools to not just respond, but to assess and fill gaps in your security training & configurations.
And if we’re feeling particularly frisky, we can activate Azure Log Analytics and the Azure Security Center (both at free tiers) to monitor for update compliance, best practices, application compatibility, and threat management across our deployments. If you haven’t looked at using Log Analytics to get insights into your Windows 10 deployments, you should consider it. It’s totally 100% free to use, and now deployable without a big cumbersome script.
Before we veer too far off the subject of the CIS, on Tuesday they released their Microsoft Azure Foundations Benchmark. It’s free, and if you are or are considering using Azure, we strongly recommend downloading a copy (free registration required). At 200+ pages, it’s not a quick read, but it gives some great standardized best practices guidelines to secure your Azure environment, with guidance from identity to SQL instances to VM’s to tying it all together with Azure Security Center.
For every recommendation, it provides a description, rationale, remediation, impact, default value, reference(s), and how that setting corresponds to those same 20 guiding controls for system security.
Just like with the Office 365 Secure Score, some of the recommendations just won’t work well with your particular installation. And that’s ok. The goal is to align your security practices with the 20 CIS controls where practical, and meet at least the first 5 controls where possible.