sbradley
Contributing Writer

Microsoft 365 Defender updates bring a single portal view

Feature
Mar 31, 2021 | 5 mins
Endpoint Protection | Network Security | Windows Security

New Microsoft 365 Security Center allows you to more quickly assess threat risk and take action, but you need an E5 license.

I recently spoke with Microsoft’s Rob Lefferts, corporate vice president, program management, M365 security and compliance, about recent updates to Microsoft 365 Defender solutions. Many of you are familiar with Microsoft 365 for Endpoint. If you have the proper licensing (E5), it allows you to drill down into exactly what your workstations are getting into trouble with and what risks they are bringing to your network.

Why is this important? From SolarWinds, to the Exchange attacks to F5 remote attacks, the 2021 security year has been less than ideal. If you aren’t logging information as best as you can, you won’t have the information you need to investigate incidents. Make no mistake, you will have an incident. Plan now for how you will have the necessary information to authoritatively tell your executive team that an intrusion did or did not occur. Shrugging your shoulders and saying, “Gee, I’m not sure, how about we call the cyber insurance guys and ask them” is not going to cut it. You need information at your fingertips so you can act quickly and take immediate action without calling in outside help.

A portal view: Microsoft 365 Security Center

Microsoft is previewing a portal that brings the view of your entire network, from workstations to servers to cloud email to cloud applications to Azure, into one place, where you can click through to review the risks you have in your organization.

One feature that I’m a fan of is the Threat Analytics portal. From it, you can not only review the latest security attacks and risks that Microsoft is highlighting but also drill down to your network and see if there are any additional mitigations or configurations you need to apply to protect your network. The information contained in this portal is so valuable that I strongly recommend purchasing Microsoft 365 E5 licenses for your riskiest users to fully understand the information and receive guidance for these high-risk users. Remember, you can mix and match licensing, though you may need to limit users to certain features to be compliant. These reports give you actionable tasks to remediate and protect your network proactively from the types of attacks discussed in the portal.

These threat reports provide you with actionable information that you can roll out to your organization. For example, one action item that I need to roll out to my workstations is additional attack surface reduction rules to better detect and prevent ransomware. The portal identifies those assets and users in my network that need the most protection and what steps are recommended to protect my machines.

[Image: Microsoft 365 Defender portal showing the attack surface reduction rules needed in my organization. Credit: Susan Bradley]

For example, a recent post in the portal, “Qakbot blight lingers, seeds ransomware”, indicated that I needed to take action to better protect my systems from ransomware. I have Microsoft 365 E5 installed on my home personal computer. Therefore, I have not managed the local administrator password on this laptop. The portal identified that I needed to deploy the Local Administrator Password Solution (LAPS) to ensure that I had randomized local passwords and did not have matching local passwords across the network.

The portal recommended that I set the following group policy to the “Enable” value:

Computer Configuration \ Policies \ Administrative Templates \ LAPS \ Enable Local Admin Password Management

This ensures that you have random local administrative passwords that are not shared. Attackers can’t gain access to one local administrator password and then traverse across the network to additional workstations.

For some suggestions, such as enabling Microsoft Defender Credential Guard, you will need to review both the hardware and the software requirements. For this protection you will need to have Windows 10 Enterprise installed as well as hardware that meets the mandated requirements.
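As an added example (not code from the article or from Microsoft), the following read-only PowerShell audit checks the three controls the Threat Analytics reports above point at on a Windows 10 client: the legacy LAPS group policy state (read from the AdmPwd policy registry key that the GPO writes), the configured attack surface reduction rules and their modes, and whether Credential Guard is actually running. The rule GUID is the published ID of the “Use advanced protection against ransomware” ASR rule; run from an elevated PowerShell session.

```powershell
# Added example: local read-only audit of LAPS policy, ASR rules and Credential Guard.

function Get-LapsPolicyState {
    # Legacy (Microsoft) LAPS stores the GPO setting here; AdmPwdEnabled = 1 means
    # "Enable local admin password management" is set to Enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $val = Get-ItemProperty -Path $key -Name AdmPwdEnabled -ErrorAction SilentlyContinue
    if ($null -ne $val -and $val.AdmPwdEnabled -eq 1) { return 'Enabled' }
    return 'Not configured or disabled'
}

function Get-AsrRuleState {
    # Defender exposes ASR rules as two parallel arrays: rule GUIDs and action codes.
    $actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref = Get-MpPreference
    $result = @()
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $result += [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = if ($actions.ContainsKey($code)) { $actions[$code] } else { "Unknown($code)" }
        }
    }
    return $result
}

function Get-CredentialGuardState {
    # SecurityServicesRunning contains 1 when Credential Guard is running (2 is HVCI).
    # Requires Windows 10 Enterprise plus the virtualization-based security hardware.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if ($dg.SecurityServicesRunning -contains 1) { return 'Running' }
    return 'Not running'
}

# Published rule ID for "Use advanced protection against ransomware".
$ransomwareRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
$asr = Get-AsrRuleState
$ransomwareState = ($asr | Where-Object RuleId -eq $ransomwareRule).Action
if (-not $ransomwareState) { $ransomwareState = 'Not configured' }

# Summary a defender can compare against the portal's recommendations.
[pscustomobject]@{
    LapsPolicy        = Get-LapsPolicyState
    AsrRulesInBlock   = ($asr | Where-Object Action -eq 'Block').Count
    RansomwareAsrRule = $ransomwareState
    CredentialGuard   = Get-CredentialGuardState
} | Format-List
```

A rule reported as Audit rather than Block only logs the behavior; the portal's remediation guidance assumes Block mode.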

Monitor Microsoft 365 threat reports

Keep a constant eye on these threat reports. They provide you with actionable information and give you a high-level view of security incidents in the news as well as specific information for your network. You can easily and quickly go from understanding the risk of the security situation to taking preventative actions. This goes beyond the secure score portal to provide specific incident information targeted to your firm.

Once you have a user in a full Microsoft 365 E5 configuration, you can then review workstation activity, as well as cloud-based email security related reports under email and collaboration in the portal. Rather than reviewing the content in the Microsoft Defender Security Center and the Office 365 Security & Compliance portal, you can now review the information in the single portal. If you have solutions that use the URLs of the older portals, you can continue to use them. When you are ready to move to the integrated URL, you can then adjust the portal redirection links.

This helps when you have a phishing email investigation, because you can track the email from the cloud email system through to your desktops. For example, the other day I had a phishing email that was later flagged as phishing and was proactively removed from the cloud email. I was able to track it to ensure that no user had clicked on the email and introduced risk into the network.

I urge you to look at Microsoft 365 Defender’s unified portal. You’ll be able to quickly identify risks to your organization and take action quickly to prevent attacks.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
