Preventing a data breach, avoiding the news, and keeping your job
With my dog on one side, my green tea on the end table and my tablet in hand, I sift through my Bing news feed on keywords "Cyber Security" as I do every Sunday morning. I come across a few articles that talk about how a company has been breached and tons of intellectual property has been stolen. Sensitive data pertaining to the "secret sauce" of how a company manufactures its product or its long term roadmap. The articles talk about how it was an insider job, a supplier/vendor that was breached, and how the company is now going through a PR nightmare. Some of the data breaches were stolen identity via social engineering or email phishing while others were more sophisticated. As I read my emotions are a flutter with sympathy and with anger. One thing is clear, the common denominator in these companies is simple, they have something the bad guys want: information. Whether it's intellectual property so an economy abroad can grow, exploitation, or financial fraud – there is a little something for everyone to go around.
The next day I travel to the Microsoft Inspire partner conference where I work the Microsoft security booth on the expo floor and deliver break out sessions to Microsoft's global partner community. While working the booth, it's not uncommon to talk with 500+ people the first few days. Lots of foot traffic walks by where you are standing, and most want to talk with you and see what it is you are representing. The people that stop by span across the partner ecosystem, from IT consulting companies to companies that create custom software that enable other companies to be successful, and they all have a vested interest in Microsoft and in you. As the week goes on, partner after partner I speak with, I start noticing a theme in my conversations. I heard probably a dozen stories around data breaches, how their customers were recently hacked, and now in damage control mode.
A common theme emerges in these conversations, just like I read the day before in the news. Almost all of the attacks tied back to a user's identity being stolen either through email phishing or social engineering.
Nothing is 100% secure – meaning how much money and time does an attacker have to dedicate to the attack. With that said, I believe that most of the stories I read and heard could have have been prevented by implementing some key technologies. This blog is about those technologies and processes and how they can help to lower your risk and increase your security posture within the organization – some technologies you may already own, and not even realize it.
Note: It is important to implement a defense in-depth strategy inclusive of people, process and technology that spans from the human to the client endpoint, to the network, to the data, identity, etc. While I am only going to cover what I consider "low hanging fruit" in this blog – please understand there is a lot more that can be done!
At the end of the day, all roads lead back to identity
It does not matter how encrypted the data is when at-rest or in-transit, how locked down the computer is, the type of security (i.e. antivirus) software and the type of firewall that is deployed. At the end of the day, if I have your identity, in other words your username and password – it's game over. With your credentials, I have keys to the kingdom (so to speak). If you are an IT administrator and I have your credentials, then it's really game over. With those credentials I can traverse the environment, login to virtually every line of business app from finance to customer databases to email mailboxes. The best part - without the proper technologies in place, you may not know it's happening until it's too late.
Let's face it, times have changed and with it means the way we think about IT security must also change. No longer is our sensitive data and intellectual property stored on servers in a company owned data center, or on company owned computers. The data is stored in 3rd party cloud storage services, personal devices, and who knows where else. So how do you secure access and protect the data if you don't know where it lives? Simple: through a security strategy that incorporates: Identity, access management, and information protection. Identity is the new firewall, and data authorization must be tied to the user's identity.
For this to work, you need a unified set of credentials. You need a single identity. This is where Azure Active Directory comes in. Not only is this single set of credentials used to access Office 365, but it's also used to access your Windows PC and can even be used to access 3rd party cloud apps such as G-Suite, Box and Salesforce. As an example, Azure Active Directory can provide Single Sign On and unified identity management for G-Suite, via a Chromebook – here's a video demonstration
Sign-in to online services:
If using an online service such as Office 365, one of the simplest (and low cost) action you can take immediately is to customize the sign on page. The "human firewall" is the first line, and last line of defense. By customizing the page users sign-in to access corporate resources in Office 365 (or other online applications), when the webpage doesn't have the company's logo or background image this can be a red flag to the user and indicate this could be a bad actor impersonating the company. With a little bit of awareness, if an end user sees this, they know not to type in their credentials.
Standard (non-customized) Office 365 sign-in page:
Customized Office 365 sign-in page (can you tell the difference?):
Awareness and education for end users
The more an employee understands cyber security and how to protect themselves and the organization, the better. One effective way is by simulating phishing attacks within the organization and targeting your employees who are at risk with awareness campaigns. After all, email phishing remains the #1 threat vector we see in our research and telemetry. (Read the Microsoft Security Intelligence Report for more information).
This can be achieved using the Office 365 Attack Simulator, where an IT admin can send a simulated phishing email to a targeted set of employees. These emails can be custom crafted to match the business and difficult to spot, if a user clicks on the link and types in their credentials, IT has reporting to then follow up on those users with targeted training programs. Here's Office 365 Attack Simulator in action:
Launch an attack right from within the Office 365 Security & Compliance Center:
The simulated phishing email looks real, complete with targeting an individual user, and disclaimers at the bottom:
If the user clicks on the link, they are presented with an Office 365 sign in page. Notice the domain in the address bar (it's not an official Microsoft sign in page…) Note: You can customize this page.
If the user types in their credentials, they are presented with a page (that you can customize) instructing them this was only a simulation (but they fell for it) and some general information about email phishing:
The IT admin can then review reporting to discover who clicked on the link, and follow up with additional training:
Multi-factor (two step /two factor) authentication:
The next layer in your defense strategy with identity is multi-factor authentication (MFA). If a bad actor compromises your identity and steals your credentials, MFA makes it more expensive for them to succeed with attempting to use your credentials. For example, if you have my username and password and attempt to login to Office 365, if MFA is enabled on my account you must authenticate using a second factor such as a SMS code, one-time passcode, phone call or mobile app authorization. Without this, you cannot proceed.
Note: If MFA is tied to your cell phone number for a phone call or SMS, beware this is not as safe as you think.
Using Azure Multi-Factor authentication, and the smartphone app is a great way to protect your corporate credentials, and an easy way to access Office 365! Here it is in action:
If using a smart watch, I do not need to fumble for my phone to find a SMS message or one-time passcode. I can simply tap "Approve" as the push notification hits my phone and arrives on my watch!
IMPORTANT: Also, using Windows Hello for Business makes signing into your Windows PC much easier with a PIN, facial recognition or fingerprint. For more information watch the following video What is Windows Hello?
Note: When Windows Hello for Business is configured, it is multi-factor authentication by default. Something you know is the PIN, facial recognition or fingerprint and something you have is a key tied to the Trusted Protection Module (TPM) in your PC. For more information see Windows Hello for Business
There is a future of going passwordless. (Personally, I almost never have to type in my password in my day job with the exception of a few legacy applications).
An added benefit of using Windows Hello for Business, is that it is Single Sign On to your applications once you are logged into your PC! See this video for more information.
Access to resources based on a set of conditions
Let's take identity to the next level with access management. A key and unique feature of having your identity in Azure Active Directory is being able to take advantage of conditional access. This is an if/then statement that occurs every time a user logs into a resource using their Azure AD credentials.
As an example, if the user is an administrator we may require MFA and require the user access from a specific location (i.e. the office) or a specific device (such as a Privileged Access Workstation). Another example, could be a business scenario such as denying retail workers to access Microsoft Teams when off the clock. As you can see in the figure below, Conditional Access can even allow access (such as from a kiosk PC) but control the user's session and deny the ability to download any data locally.
One of my favorite conditions is deny access if the user's credentials have been discovered for sale on the public internet, user is coming from a known botnet, or even an impossible travel scenario. More on this in the next section.
For more detailed information on Conditional Access see What is conditional access in Azure Active Directory?
Here's an example of Conditional Access in action, where an end user is attempting to access corporate email on an iPad. Conditional Access kicks in to require the device to be managed before proceeding
Protecting the user's identity
What if the user's credentials are stolen? How do we ensure the attacker cannot use the stolen credentials? One effective method is to leverage Conditional Access as I described above and combine it with Azure Active Directory Identity Protection (AADIP). For more information I recommend watching the following video.
What AADIP enables you to do, is when a user signs in to a resource with their Azure AD credentials, Conditional Access and AADIP will assess the likely hood that user's identity has been stolen and associate it with a risk score of high/medium/low. Based on the score, you can decide if you want to allow access, challenge with MFA or a password reset, block access, or allow limited access. This uses machine learning and behavioral analytics to determine abnormal behavior like travel from infrequent locations or impossible travel. This will even look at the dark web to see if a user's credentials are up for sale (more information here)
AADIP also gives you visibility into users that are high risk, so you can then investigate those users to determine if there is a threat or a false positive. With a tool like this, as an IT Pro I can have confidence that we are protecting our environment even if a user's credentials have been compromised (as a result of them clicking on the link in the phishing email).
Here's AADIP in action:
What about managing administrators and their access?
Remember, if an administrator's identity is stolen, then an attacker has keys to the kingdom. A good IT security practice is to limit how many administrators you have in the environment. That's all good but what if I have a large environment where I need multiple administrators to perform daily operational tasks? This is where Azure Active Directory Privileged Identity Management (AADPIM) comes in.
Using AADPIM, I can limit the number of global administrators to one or two trusted individuals, then when someone needs elevated access to perform a management task they can request access. When access is requested and approved, a policy is in place that limits the permissions the requester has to that specific task (known as just enough access) and the access is time bound to a time window (known as just in time access). This way, you do not need to grant someone full administrator permissions to perform a simple task such as resetting a password or an administrative task in Office 365 or Azure – you just need to give them the proper role. This limits your risk and increases your posture.
A side benefit – is every access request is audited and logged. You now have an audit trail of when someone requested access, when they were approved access and (if enabled, such as auditing in Office 365) specifically how they used those permissions.
Here's AADPIM in action:
Protecting against email-based threats (attachments and links)
Let's take a detour from identity for a moment and revisit email phishing, the #1 threat vector. Phishing emails can be comprised of attachments that appear legitimate but contain malware under the hood that when executed on your PC, grants the attacker direct access to your computer. The email could also contain a link that takes you to a webpage asking you to sign in to Office 365 (but is really stealing your credentials to be used by the attacker). So how do we protect against these threats and help ensure these emails don't make it to the user's inbox? Simple, Office 365 Advanced Threat Protection (ATP).
Office 365 ATP in a nutshell, detonates attachments and links before they are delivered to the user's inbox. This is done through essentially a virtual environment where the attachment is being executed to understand if it is a legitimate document, or contains malicious code. This is referred to as Safe Attachments. For links, they are rewritten in the email. When the user clicks the link, they are redirected to the ATP service and the URL is checked against the Microsoft Intelligent Security Graph. Links that are embedded in Office documents or files on Microsoft Teams or SharePoint can also be protected.
Here's Safe Attachments and Safe Links in action:
Gaining visibility into file, cloud and logon activities
What if an attacker successfully makes it past the barriers we have talked about up to this point? Having visibility into what data is accessed, how it was accessed, and what was done with it can be powerful. Having policy in place to govern what can be done with that data, can be even more powerful.
Leveraging Microsoft Cloud App Security (MCAS), an IT admin has visibility into what is being accessed across the entire Office 365 tenant. Do you also have G-Suite, Box, Dropbox or SalesForce? You can see what's occurring in those cloud services using this tool as well! For more detailed information see What is Microsoft Cloud App Security.
Here's a look at all the activities occurring across my Office 365 tenant:
Specific file level activity:
Various alerts based on configured policy:
Activity occurring across G-Suite and Box:
Protecting the sensitive data – Not just in Office 365!
What about protecting your actual data? In this new world of storing data on multiple devices, and in multiple cloud services, we need to make sure the data itself is encrypted as it travels from device to device and from cloud to cloud. This is where Azure Information Protection comes in. This tool enables IT to classify data (e.g. Secret, Top Secret, Confidential) and govern access to the data based on it's classification (e.g. read only, or can't copy or can't print). It even enables you to send to someone outside the company and revoke access if needed.
Azure Information Protection (AIP) is built on identity. When I open a document that is protected using AIP, it uses my identity to provide authorization to view the document. When the document is closed, it is encrypted. If I send you the document, it leverages Azure Active Directory to see if you are authorized to view the contents. Unless you have my identity or have been granted permissions – you cannot open the document. AIP also allows IT to automatically classify documents based on keywords and apply security policy. So as an example, if I am working on a customer quote that contains a customer's account number or Personally Identifiable Information – the document is classified appropriately and the appropriate permissions and security policy is also applied.
At the end of the day, I can store sensitive company data on any device/any cloud. With AIP, the data is encrypted and protected, and because it is tied to Azure Active Directory I ensure only the proper recipients can gain access to open it.
Lastly, when Azure Information Protection is integrated into Microsoft Cloud App Security (MCAS), this enables me to discover data across my different clouds (such as G-Suite or Box) and then classify and protect that data, all from a single tool. Here's a policy in MCAS on where that is configured:
Here's the other half of the policy and applying governance actions to data that was discovered by the template, keyword or regular expression:
How does this work?
All roads lead to identity:
When a file is protected using Azure Information Protection (AIP), the file is actually encrypted at the file level, and the encryption travels with the file where ever it goes. This encryption is tied to the user's identity in Azure Active Directory (AD). When the file is accessed, they are authenticating to Azure AD, and authorization is checked, the file is de-encrypted and the user can view the file. For more detailed technical information on how this encryption process works see How does Azure RMS work? Under the hood
So, if I give you a super sensitive file that has been protected using AIP, unless you have my identity – or have been granted authorization – you cannot open the file. This is (in my opinion) a game changer, as this means your organization's data can travel from device to device (personal home computer, work computer, mobile devices, USB sticks, etc) and the data will stay encrypted. It doesn't matter if the device is protected or not – because the file is already encrypted. It doesn't matter if I accidently send the file to someone I shouldn't have – because it's already encrypted.
What's required to do this? A few things as outlined in the technical documentation but most importantly: The recipient (inside or outside your organization) needs to have an identity account in Azure Active Directory.
What if the recipient does not have an Azure AD account?
If the file is being sent to someone outside your organization, and that recipient does not have an identity account in Azure Active Directory you have a few options:
- The recipient can signup for "Azure RMS for Individuals" by browsing to this website and going through the wizard. Microsoft will check the email address to see if it's associated with an AIP subscription, or an Office 365 subscription that includes AIP. If it is not found, you can register and essentially an account in Azure Active Directory will be created for you. For more information about this process see: RMS for individuals and Azure Information Protection (Note, this DOES NOT sign your company up for anything, this is tied to a single identity so you can use the viewer or sign into a protected file)
- If you do not want to go with option 1 (although, it's VERY easy!) then your second option is actually pretty interesting. When AIP is used with Exchange Online – and that document is sent using Office 365 Message Encryption, then you can sign in using a Gmail, Hotmail or Microsoft (Live) account! See New Capabilities Available in Office 365 Message Encryption
- The last option, uses the Azure Information Protection client. You can manually specify the recipients who are authorized to access the file (by email address) and their associated permissions using the AIP client:
IMPORTANT: All three options require the user to sign into Office on their device (or use the Azure AIP Viewer) with the identity that is associated with the AIP protected file. So, if I receive a spreadsheet from you sent to email@example.com, I need to sign into Excel on my device as firstname.lastname@example.org.
NOTE: Notice above, there is an option to Expire Access. I can have the file expire after say, 30 days and no one can open it afterwards. This is again another important feature that adds tremendous value (salesperson that wishes to expire a quote after 30 days).
Visibility into your security posture
The last item I want to discuss is around security management, and understanding your all up security posture across Office 365 and your Windows endpoints. Leveraging Microsoft Secure Score I can have such visibility using a scoring system. Immediately upon reviewing I can have a good understanding of my current posture, and an idea of the recommendations and actions I need to perform to raise that posture and lower my risk. I can even see how certain actions will impact my users, and how I compare to my peers in the same industry. This tool enables me to answer the common question "what are the immediately actions I can implement today that are low cost and low impact?'
Here is Secure Score in action:
If using Windows Defender Advanced Threat Protection I have visibility (and control) over my Windows 10 environment, and can see which PCs have security controls enabled and are up to date on security patches and the latest Windows 10 build installed. All critical to help protect me from ransomware.
Using the security tools in Microsoft 365, I am able to significantly increase my security posture and lower my overall cyber security risk using technology that I may already own. This enables me to better secure what matters – my organization's data, and as you can see above, enables end users to be more productive. Are you using Microsoft 365, or any of the items above? Let me know in the comments below!
For a complete deep dive into each one of the Microsoft 365 features I showed below – check out Kevin Martins blog:
Introduction: Email Phishing Protection Guide - Enhancing Your Organization's Security Posture Part 1: Customize the Office 365 Logon Portal Part 2: Training Users with the Office 365 Attack Simulator Part 3: Deploy Multi Factor Authentication (MFA) Part 4: Deploy Windows Hello Part 5: Define Country and Region Logon Restrictions for Office 365 and Azure Services Part 6: Deploy Outlook Plug-in to Report Suspicious Emails Part 7: Deploy ATP Anti-Phishing Policies Part 8: Deploy ATP Safe Link Policies Part 9: Deploy ATP Safe Attachment Policies Part 10: Deploy and Enforce Smart Screen for Microsoft Edge, Microsoft Internet Explorer and Google Chrome Part 11: Monitor Phishing and SPAM Attacks in Office 365