Educause Security Discussion mailing list archives
Re: Synopsis of M365 Users' Group and the June Session
From: Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Date: Thu, 16 Sep 2021 18:12:38 +0000
John,

My institution is not part of REN-ISAC. Could I get the link to the recording please? I looked for your direct email and I could not find it.

Curt Kappenman
Anderson University
Anderson, SC

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of John Ramsey
Sent: Friday, June 18, 2021 11:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Synopsis of M365 Users' Group and the June Session

Good morning!

I want to thank those that could attend last week’s M365 user session. We had 109 attendees. We did record the session and it’s posted in the M365 Wiki that REN-ISAC set up for us (located at https://members.ren-isac.net/display/IG/M365). You have to be a member of REN-ISAC to access the M365 Wiki though. If you are not a REN-ISAC member, please feel free to email me directly and I’ll provide a password protected link to the recording.

There were questions asked during the session. After my signature block are questions with answers. If you emailed me separately and I have not responded, please don’t hesitate to re-engage.

If you wish to join the users’ group, send a subscription request from a .edu email address to m365-sec-join () lists ren-isac net. You don’t have to be a member of REN-ISAC to be part of the users’ group. You just won’t have access to the REN-ISAC portal for the Wiki. You should receive notification of your approval within a few days of the request.

Last note, July 16th is the next M365 users’ group session and we’ll discuss how to protect the domain controllers with Microsoft Defender for Identity (aka Azure ATP). This is from 100-300pm EST.

John

John Ramsey, Chief Information Security Officer
National Student Clearinghouse
Certified: CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220
Herndon, VA 20171
703.742.4428 | studentclearinghouse.org<http://www.studentclearinghouse.org>
LinkedIn<http://www.linkedin.com/company/national-student-clearinghouse> | Twitter<https://twitter.com/nsclearinghouse> | Facebook<http://www.facebook.com/NSClearinghouse> | Blog<https://www.studentclearinghouse.org/nscblog/> | Instagram<https://www.instagram.com/NSClearinghouse/>
Serving Education Since 1993

This message is proprietary to the National Student Clearinghouse, is intended only for the addressee and may contain confidential or privileged information. If you receive this message in error, please contact the sender and delete all copies.

There were a few questions in the M365 Users’ Group chat that I wanted to share with the group:

Is there a way to automate the soft delete of malicious emails in the Microsoft Defender (security.microsoft.com) Action Center?

There is not an automated way that I know. I have provided feedback to Microsoft in their feedback feature that exists on every page.
Of critical note, Microsoft does actively look at their feedback. For those items that they receive lots of feedback, I have seen them implement these features (quicker than most of us have experienced with Microsoft in other areas).
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365?view=o365-worldwide

Is NSC running EDR in block mode with full automatic remediation on any critical servers?

Yes. All devices (Windows 10, Windows Servers, Linux Servers) run EDR in automated block mode with automatic remediation. NSC has run in this configuration for over 24 months. We have not had a single issue where something was erroneously blocked or prevented. NSC is more confident having fewer issues on critical servers than user endpoints. NSC critical servers aren’t actively used via the Internet (such as web browsing or email) like a user endpoint is.

Is “Microsoft Threat Experts-Targeted Attack Notifications” enabled for respective tenants?

Microsoft indicated for tenants larger than 10,000 licenses with the E5/A5 licensing, this is automatically enabled. In the next few months, this is probably going to expand to include tenants with licenses over 1000 devices and then eventually to tenants licensed over 100 tenants. You can click the “Apply” button under Microsoft Defender-->Settings-->Endpoints-->Advanced Features--> . Scroll to the bottom, turn on “Preview” and then click “Apply”. That at least puts your tenant in the waiting queue if for some reason Microsoft doesn’t enable all at once.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-worldwide#before-you-begin

Where does a tenant receive notifications about new vulnerabilities?

Go to Microsoft Defender-->Settings-->Endpoints-->Email Notifications--> .
Select “Vulnerabilities” and then “Add notification rule”. Then follow the Wizard.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications?view=o365-worldwide

How are you using Email & Collaboration section within Microsoft 365 Defender portal?

NSC maximizes every feature within Email & Collaboration. Start by going to “Policies & Rules” under “Email & Collaboration”. Then “Threat Policies”. You have a few options:

1. Manually configure all the policies. If you’re worried about your organization, this is the prudent approach.
2. Enable “Preset Security Policies”. Microsoft has the best practices tied to this one setting. You can enable this and then do the “Configuration Analyzer” to see if you should further fine tune anything based.
3. Select “Configuration Analyzer”. Assess the recommendations and implement.

As far as NSC, we have everything enabled. We run Configuration Analyzer quarterly to make sure we have not missed any new potential policies or recommendations. One note, any setting that you have that is even more secure than the Microsoft setting will also trigger a recommendation. I.e., Microsoft recommends a 30 day quarantine period. We have reduced this to 15. This flags as a recommendation.
https://security.microsoft.com/configurationAnalyzer?viewid=Setting
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community