Re: Synopsis of M365 Users' Group and the June Session

[Jeffrey Gilhool <0000027853ccb3b2-dmarc-request () LISTSERV EDUCAUSE EDU>]

On Fri, Jun 18, 2021 at 11:09 AM John Ramsey <
000001cd0b5a1098-dmarc-request () listserv educause edu> wrote:

> Good morning!
>
>
>
> I want to thank those that could attend last week’s M365 user session.  We
> had 109 attendees.  We did record the session and it’s posted in the M365
> Wiki that REN-ISAC set up for us (located at
> https://members.ren-isac.net/display/IG/M365.)  You have to be a member
> of REN-ISAC to access the M365 Wiki though.  If you are not a REN-ISAC
> member, please feel free to email me directlybbm and I’ll provide a
> password protected link to the recording.  There were questions asked
> during the session.  After my signature block are questions with answers.
> If you emailed me separately and I have not responded, please don’t
> hesitate to re-engage.
>
>
>
> If you wish to join the users groups, send a subscription request from a
> .edu email address to m365-sec-join () lists ren-isac net. You don’t have to
> be a member of REN-ISAC to be part of the users’ group.  You just won’t
> have access to the REN-ISAC portal for the Wiki.   You should receive
> notification of your approval within a few days of the request.
>
>
>
> Last note, July 16th is the next M365 users’ group session and we’ll
> discuss how to protect the domain controllers with Microsoft Defender for
> Identity (aka Azure ATP).  This is from 100-300pm EST.
>
>
>
> John
>
>
>
> *John Ramsey*, Chief Information Security Officer
>
> *National Student Clearinghouse *Certified: CISSP, CISM, PMP, CSSLP,
> CRISC, CGEIT
>
> 2300 Dulles Station Blvd., Suite 220
> <https://www.google.com/maps/search/2300+Dulles+Station+Blvd.,+Suite+220+%0D%0AHerndon,+VA+20171?entry=gmail&source=g>
> Herndon, VA 20171
> <https://www.google.com/maps/search/2300+Dulles+Station+Blvd.,+Suite+220+%0D%0AHerndon,+VA+20171?entry=gmail&source=g>
> 703.742.4428 | studentclearinghouse.org
> <http://www.studentclearinghouse.org>
> LinkedIn
> <https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fnational-student-clearinghouse&data=02%7C01%7Cdugan%40studentclearinghouse.org%7Cc37208aebac64fd76e8508d84f636448%7C8cc02fea054043a688b6069d3eac0119%7C0%7C0%7C637346635590166954&sdata=MdT45I1n7Hwbp8Zlkxlm0wEd0LdLnq5Cpr91ybCEjHw%3D&reserved=0>
>  | Twitter
> <https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fnsclearinghouse&data=02%7C01%7Cdugan%40studentclearinghouse.org%7Cc37208aebac64fd76e8508d84f636448%7C8cc02fea054043a688b6069d3eac0119%7C0%7C0%7C637346635590171933&sdata=idMHM8D4VdMRpIa2H1YUTmwMgC4ZU0L2jqL3VjVNs4s%3D&reserved=0>
>  | Facebook
> <https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.facebook.com%2FNSClearinghouse&data=02%7C01%7Cdugan%40studentclearinghouse.org%7Cc37208aebac64fd76e8508d84f636448%7C8cc02fea054043a688b6069d3eac0119%7C0%7C0%7C637346635590176915&sdata=ILW%2BPdv1fgHooOkbQlkP9ei%2BJOsk7YlCMzYNU572flU%3D&reserved=0>
>  | Blog <https://www.studentclearinghouse.org/nscblog/> | Instagram
> <https://www.instagram.com/NSClearinghouse/>
>
> *Serving Education Since 1993*
>
>
>
> This message is proprietary to the National Student Clearinghouse, is
> intended only for the addressee and may contain confidential or privileged
> information. If you receive this message in error, please contact the
> sender and delete all copies.
>
>
>
>
>
> There were a few questions in the M365 Users’ Group chat that I wanted to
> share with the group:
>
>
>
> *Is there a way to automate the soft delete of malicious emails in the
> Microsoft Defender (security.microsoft.com <http://security.microsoft.com>)
> Action Center?*
>
> There is not an automated way that I know.  I have provided feedback to
> Microsoft in their feedback feature that exists on every page.  Of critical
> note, Microsoft does actively look at their feedback.  For those items that
> they receive lots of feedback, I have seen them implement these features
> (quicker than most of us have experienced with Microsoft in other areas.)
>
>
> https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365?view=o365-worldwide
>
>
>
> *Is NSC running EDR in block mode with full automatic remediation on any
> critical servers?*
>
> Yes.  All devices (Windows 10, Windows Servers, Linux Servers) run EDR in
> automated block mode with automatic remediation.  NSC has ran in this
> configuration for over 24 months.  We have not had a single issue where
> something was erroneously blocked or prevented.  NSC is more confident
> having fewer issues on critical servers than user endpoints.  NSC critical
> servers aren’t actively used via the Internet (such as web browsing or
> email) like a user endpoint is.
>
>
>
> *Is “Microsoft Threat Experts-Targeted Attack Notifications” enabled for
> respective tenants?*
>
> Microsoft indicated for tenants larger than 10,000 licenses with the E5/A5
> licensing, this is automatically enabled.  In the next few months, this is
> probably going to expand to include tenants with licenses over 1000 devices
> and then eventually to tenants licensed over 100 tenants.  You can click
> the “Apply” button under Microsoft DefenderàSettingsàEndpointsàAdvanced
> Featuresà .  Scroll to the bottom, turn on “Preview” and then click
> “Apply”.  That at least puts your tenant in the waiting queue if for some
> reason Microsoft doesn’t enable all at once.
>
>
> https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide
>
>
> https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-worldwide#before-you-begin
>
>
>
> *Where does a tenant receive notifications about new vulnerabilities?*
>
> Go to Microsoft DefenderàSettingsàEndpointsàEmail Notificationsà .
>  Select “Vulnerabilities” and then “Add notification rule”.  Then follow
> the Wizard.
>
>
> https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications?view=o365-worldwide
>
>
>
> *How are you using Email & Collaboration section within Microsoft 365
> Defender portal?*
>
> NSC maximizes every feature within Email & Collaboration.  Start by going
> to “Policies & Rules” under “Email & Collaboration”.  Then “Threat
> Policies”.  You have a few options:
>
>    1. Manually configure all the policies.  If you’re worried about your
>    organization, this is the prudent approach.
>    2. Enable “Preset Security Policies”.  Microsoft has the best
>    practices tied to this one setting.  You can enable this and the do the
>    “Configuration Analyzer” too see if you should further fine tune anything
>    based.
>    3. Select “Configuration Analyzer”.  Assess the recommendations and
>    implement.
>
>
>
> As far as NSC, we have everything enabled.  We run Configuration Analyzer
> quarterly to makes sure have not missed any new potential policies or
> recommendations.  One note, any setting that you have that is even more
> secure than the Microsoft setting will also trigger a recommendation.  IE,
> Microsoft recommends a 30 day quarantine period.  We have reduced this to
> 15.  This flags as a recommendation
>
>
>
> https://security.microsoft.com/configurationAnalyzer?viewid=Setting
>
>
> https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
-- 

Jeff Gilhool

Systems Engineer

127000 Sunrise Valley Dr, Suite 310, Reston, VA 20190

jeffrey.gilhool () lookout com | (540)454-8380 | www.lookout.com

Follow us for the latest on integrated endpoint-to-cloud security.

<https://bit.ly/3jqXb9G> <https://twitter.com/lookout>
<http://bit.ly/3tvSsYE>  <https://bit.ly/3pPgzzy>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community