Protect against phishing and other cyberthreats with Microsoft 365 Business | THR3082
All. Right welcome everybody, today we're gonna talk about phishing. And threat protection in Microsoft 365. Business. Before. We start just quick show, of hands who in this audience with classes classify, themselves as a cyber security Pro. Like this is the, primary function of your role okay. A couple folks in the room good so this session is I think will be interesting to you but it's not for you we're, gonna kind of address everybody else because we're not gonna make a bunch of cyber experts in 20 minutes right so all, right let's get started I just want. To kind of cover though you know the why Microsoft, pitch, you. Know why so why, Microsoft, is credible for cyber. We. Have some of the best signal. Or we have the best signal in the industry you. Know we analyze, law you know billions. Of logins every single day we have six point five, trillion, signals, per day where we can detect what's happening, in our environment. Across. The world to, help protect our customers and, this is where we get met, much of this cyber insight, from that you, know derives into our protection, for individual users. So. Here are some of my favorite, stories about cyber threats. That hit SMBs. Folks. On the top you, know didn't do they're you know they're they're the lucky ones you know Barry and Barry's firmly got ransomware but it didn't spread to all the machines you. Know Dave. David, paid his rent. You. Know but he was fished from, his landlord and you know they changed, his instructions, and he fight you got a past-due notice on his rent only to find out that his rent was going to someone. It wasn't supposed to go to the. Folks in the bottom ones weren't so lucky you know someone you. Know and Diane's sisters company they lost 40 40, grand in days company. Owes one point nine million dollars lost and in this case use it a user's credentials are compromised the, attackers, had lurked in the environment for quite some time, skin, reading everyone's emails figuring, out how the business operated, they waited until a supplier payment, was due 1.9. Million was lost it. Was sent to a farmer. In Idaho where then that farmer was also tricked into transferring it to Vietnam and you. Know these criminals were pretty smart, this company actually tried to get the FBI involved to get their money back didn't. Work the FBI initially. Refused to get involved for, anything less than two million dollars. I think. That what still pending so. What do we do about this so this is a 20-minute session there's a lot of security value in Microsoft 365, business we're not going to touch it all but if you remember two things today it's.
These Two things everybody. Needs to turn on their MFA for. Everyone. Right, and turn, on ATP, these are easy to do. Relatively. Straightforward. And there's a couple ways to do each one and we're going to talk about it on the MFA side we. Can simply turn on security, defaults and, let Microsoft, handle it for you the, other thing we can do is use conditional, access all, right we're not going to talk conditional, access is not difficult we're, not going to cover that in a 20-minute session though if anybody's interested in CA come, talk to me I'll tell you how to do it and. Then turning on ATP is is pretty straightforward we have base protection, turned on in the tenant but it's we've made it very very easy to turn. On your policies for advanced threat protection to, protect from the phishing and the viruses that come in so two easy things to do we're gonna show them today and, talk a little bit more about it. So. I'll also try to demo with one. Hand here. So. I'm. Signed. Into the admin Center on my Microsoft 365, business, tenant I haven't done much with this particular, tenant but. Let's do a quick drive through on how to turn this stuff on. So. If I go in my tenant and I go to setup you're. Going to see our brand-new admin, experience here. I go into setup I've, got a number of things to work on the, first is turn, on multi-factor, authentication, so. Literally, getting MFA turned on is. As simple as pressing the get started button. It's. Gonna ask us what kind of policies, do we want to apply you can turn it on for admins can, turn it on for users within, 14, days of, people people have the opportunity, to just skip this and put, it off for a while but within 14 days users, will have to complete the process how. Many here have not completed. MFA. And Microsoft, 365, yet, a couple. Okay it's easy I sometimes, you know my job is often. Involves working with partners I highly. Recommend you try it out even if in a demo tenant so you can understand, the experience, one, caveat here you don't want to turn on in buffet for the users before, they're ready the users do need to be aware this is coming they did need to know what to do it is fairly, straightforward for them to enroll themselves an MFA.
Doesn't. Require an admin to help them but if they don't if they're not expecting, it they may get confused the. Admins should have MFA, most admins can understand. What they're you, know what this setup is, by. Clicking on create policy, I will have turned, on the baseline policies, for, multi-factor. Authentication. It's. Always a good idea to exclude, at least one user from these policies it's, your break class account we sort of say if you, MFA. Has a problem or you. Know you. Make a mistake it's always a good idea to have a backup so you don't have to call support to have this undone for you this, is way number one this is the easy way to turn on my MFA across your org there's. Another, way that I want to show you this worth mentioning, it's a little bit more advanced, and, the reason I'm mentioning and mentioning, this is there's like, with everything at Microsoft, there sometimes, more. Than one good way to do it so I showed you baseline policies. Baseline. Policies are going away in four, months, this wizard will get updated to reflect that but if you want to get ahead of the curve not. Rely on baseline, policies, which are getting turned off there is a little bit slightly more advanced way to turn on these defaults, and that's to just do it in Azure ID directly, I click. Front to them into my add azure, ad admin, Center. Gonna. Wait for it to load. Or. Take this shortcut here. When. I'm in Azure ad so every Microsoft, 365, tenant is backed by add your Active Directory I. Can. Click into the properties, of my directory. We. Have this new functionality, you may not have seen before and it's managed security defaults, I. Can. Just simply turn it on this, does four things turns. On MFA for the admins turns, on my MFA for the users disables. Legacy authentication. Across the tenant across the board right, and it also requires MFA, for privilege actions in an ad. This. Is getting turned on by default it's. Not on by default yet, but this is a view into what's coming, in Microsoft 365, so. For last. Five, years or so or we, haven't had MFA on by default it will be on default these security, defaults will be turned on at, some point in the future so I just wanted to make you guys aware of this that, it's exists, and we'll turn it on here. Just. To show what it looks like this is the easy button for MFA priority. Number one. All, right the other thing we must do and all tenants need to have their ATP policies, turned on so from the same setup. Experience. I. Have. Another option for. Advanced. Protection. So. This gives another a guided experience, to help customers. And partners get ATP, turned on, without. Necessarily, having to be experts. So. Click get started. All. Right it's gonna ask me if I want to create my policies, so. In this case I'm going to protect links and attachments in, email this will turn on safe links and safe attachments, will, also scan the files and onedrive, teams in SharePoint will. Scan links inside the desktop apps. Okay, and that's all we have to do there's. More that can be done but if you do do these two things you, know you can basically envision. Yourself with. Seatbelt and. Airbags. On in the car I will say there's a little bit of tunnel vision this isn't all that should be done but these are the two most important, thing the third important, thing we won't cover today is enable device management do, I like to think about it is if.
You If you have your ATP you know if a turned on you have your seat belt the airbags on in the car but you can only see directly what's ahead of you because. You're allowing devices, to attach the environment, that you can't see you you have no visibility, into the security problems and I guarantee you there are security problems, on the devices you can't see or you don't manage so this kind of third tenet here is to use. These same Wizards to enable ma'am and MDM policies, to get some control either over the devices, the company owns or the, applications, that are used on the devices they don't own the people's personal devices so. We don't have time to click into that but it's super super important, that folks do that and. Then. Let's now let's we'll talk a little bit about what. We just did. Okay. So we turned on our security of faults. Let's. Kind. Of go into what, was done here. So. Part, of our IT we're delivering Microsoft, 365, business is their enterprise enterprise-grade. ATP, super, powerful very. Effective, ATP. Today, is more effective, than our competitors in, the same. You. Know Gartner Magic Quadrant we. Have it in to that you, know, you. Know so our our. Our attach. Or our detection and, Prevention rate in ATP is, industry-leading. It's comprehensive, it's, easy to turn on and we, you know you don't have to buy something else to if you have Microsoft 365, business this is included there's, three main things we do within ATP. One. Is we protect from spoofing, office. 365, has base level spoofing detection. So we use DCAM and SPF and other technologies, to make sure you know to detect, when, people are spoofing domains but, in M 365 business we have advanced spoofing protection. To protect from, you know we actually look in the body the email and look for known turns looking, you know we can detect when someone is asking, for something it's a very you know leading indicator of a potential, fish for, example if my boss asked, me for something that's pretty normal the service knows that he's always asking for you for something, but if Satya Nadella asks, me for something that's actually, raises the risk of a fish because that's not normal you, know I'm quite a bit below Satya, and he doesn't normally ask me for things same, thing for emails coming in from the outside, in, addition to spoofing we you know we have advanced protection from a person is a ssin and there's a whole stack of content. Analysis, and detonation this is what we're looking for patterns of malware, we're looking for the ransomware, not, based on a signature, in a file which is the old way of doing it well detonate the content, in a safe sandbox, and look at it look what it's doing on the network well look what it's doing on the Box well look and see if it's trying to evade our detection, to, see you know if this if it's looking to try to determine like if it's in our data center and other suspicious activities, like that. So. On our anti poofing stack where you know we're relying that this for advanced fish attack. Mitigations, we're, protecting, the customers, internal, domains and we give you the ability to protect external, domains what we mean by that so, at Microsoft, I often work with our, partners so, I can add my partner's domains to help protect someone from spoofing, like partner email pretending to be my partners that I actually don't own in control right.
And, The anti-spoofing. Stack, we're gonna we're working to mitigate phishing, attacks it's, always on it's not only on for the emails is on for office 365 documents. As well, right. And it's, the external domains is on for for, Microsoft, 365, business by, default. On. The content, analysis, side we, have safe, attachments, so every attachment with executable, content whether it's a dot exe or, a macro enabled. Office. Document, will get sent off into the sandbox the. Content. Is detonated in. A virtual environment and its behavior is analyzed to see if this is safe. Or not it supports dynamic delivery so we can deliver the email to the user before, the, analysis. Is finished. We. Allow them to preview the document in a safe way, so that the any executable. Sherman is still being apart the executable, portions are being scanned like say a macro we can still show them a preview of what's in the document, for folks who are impatient. With. Safe lengths every link inside of an email or an office document, or a PDF is, is also, protected, at point, of click every, time someone's clicked clicks on it it's checked, I'll. Talk a little bit about that so on the safe attachments side. You. Know someone, will receive an email the. Attachment, is pulled, from the email it sent off her desk detonation. Where we're looking at the behavior, looking. At the network traffic associated. With the machine looking. For any downloaded, files command and control we're, also looking for evasive techniques, office gated code a whole bunch of other stuff and it's really, mail, with dynamic, delivery turned on so that the user gets a preview to the email while, this is happening right. We're, trying to preserve user productivity so we can tell them what's going on they, look at their attachment, they'll see that the scan is in progress, we're. Really proud to announce is that our average scan time is now down to 45 seconds, working. With our partners one of the number-one kind, of points, of pushback is that sometimes, a scanning takes a long time so, that's you, know I will not we don't have an SLA we'll say it will never take a long time but I can't say with certainty the average, it's 45 seconds which. Is really really good. And. Safe, links, you know here I have an email with a link you know D hi Emily someone forwarded me to this site that, link is rewritten so the user doesn't see it but it has been rewritten so that every time they click on it it's checked. All. Right when they click on it its, redirected, to our service every. Time they click on it we're checking to see if it is safe for is still safe and, then. They're passed through if the, content, has turned malicious, they'll get this message. Okay. So. The safe links we have time to click protection, both across email as well, as office. 365 documents. And. One of the things that, this is fairly new is we also have the ability to apply. Or unup life link, sand messages inside of the organization, it's, generally a good idea but if it's causing problems for line of business apps you can you can turn it off. So. URLs, are also detonated, so URLs, to, executable. Content again will actually pull the content down analyze. It in our sandbox environment, in much the same way we would in actual attachment, this allows folks you know it's this helps protect. Users. When the malicious.
Actors Are actually trying to bypass, document. Scanning and then attachments. By pointing, a link to some kind of other downloadable content, and tricking, them into downloading, and doing something to it. It's. Only the impersonation. Side right, this is the advanced, anti in person nation so I mentioned we have every. Office 365, has basic anti, spoof anti, fish embedded, you don't have to turn it on to get the basic level of protection Microsoft. 365 business, includes advanced threat protection so. We're looking for user impersonation. Domain. And person is a ssin so you know contoso with a base64. Character, instead of an O branded. Personation, for that particular, customers, tenant or their, particular brand, names, fairly. Easy to configure this again we can turn this on via the wizard I showed you right. And. Here you know here's here's an example, of my kind of my common, anti spoof. You. Know when I spoof Satya, I get an you know I get the message that you know this the sender of this message is different from, a normal sender, so even though like I went through the trouble of spoofing you know to make it hard to detect, normally, service, picks it up. And. Quite a bit of this is driven by mailbox, intelligence, so one of the you know more advanced features we have is the machine learning algorithms. That drive ATP. Continuously. Learn for the based, on the customers email patterns. So, this is what I was getting to you know if for if by chance you. Know I was you. Know sakis admitting, he did routinely ask me for stuff the system would learn that that's fairly normal pattern but if an email came in like a different route than normal or it was it appeared different in some way from the normal pattern of our communications, that's, likely to trip the impersonation. Filters, or the personation protection. Last. I wanted to close on you know we have, a complete story with Microsoft, 365, business, they, have protection, in files, on SharePoint Online the onedrive and teams, all. Of this has analyzed in real time for collaboration signals. We're looking for all. Kinds, of things that you know might. Need protection, we have tons of threat feeds coming in I. Have. Watchlist, this, really, drives, our. Ability, to put apply smart heuristics, through a customer's. Tenant whether its first and third party, reputation, so our reputation in is our own detections as well as third parties we contract, we, have our own AV engines, monitoring, this stuff as well as third-party AV.
Engines We don't disclose which, ones for a reason because it changes, and we don't want to give thread actors a heads up like on exactly what we're using, right. And as I mentioned we have sandboxing, in detection. Which. Really it ends, up with a operating. Environment, that uses, secure files and emails. And. We can protect our desktop clients, affect our emails we practice brawlers, it's. All you, know so one of the reasons why we created Microsoft, 365 business is to give small, businesses, those under 300. Seats an easy, way to get, secure stay secure and not have to comb through a, bunch, of different products trying to pick out you know individual. Solutions, for the protection stack. So. I want to direct you guys I will take some time for Q&A but a couple things I think are really cool is we just launched a new CSO, site is, kind of a mix of cybersecurity and humor where. You, know we kind of democratize. And make cyber you, know a little bit you know a little kind of funny but, also we have some very real like steps, recommendations. Next, steps and actions you can take so, you can watch the videos on the new CSO I think they're really really good but, more importantly we have notes on you know what to do and how to do it in, a context. That's very. Digestible, by your typical IT Pro IT admin, or partner admin. Also. If you're not if you haven't checked out the new secure score I recommend, taking a look and, for, those of you who want like direct answers on how to do something how to configure something I personally. Monitor, our SMB tech community so you can get there at a kms. /sm. BTC. This. Is also monitored, and managed by the product group it's also monitored, by product marketing so this is you. Know some of the stuff I showed you or talk to you today is often driven by this site so for example a lot of folks felt very strongly that we needed conditional, access in the SMB product line it's, one of the ways we got it done by collaborating, with IT pros and partners who had kind of the justification, the reason. Being. Able to show that to product, engineering and product marketing, was pivotal and making you know driving, product, improvements, so.
With That I'll take some q and A's if anybody would like at least till we run out of time and then I can do one-on-one Q&A. So. We're making the journey to office, 365 with. ATP is. There any metrics, that I can find and how you compare. How. Well ATP. Is doing and detecting, as compared. To ironport, so. Is any, so. We do have metrics. For. Ironport Proofpoint, etc specifically, we keep them internally, our. Anti-trust. Internal. Guidance prevents, or prohibits, like me specifically, like going, like public with a stat, against a competitor so what, we do have is we do have the competitors unnamed, where you know we do, have testing, that shows we, surpass, all of the. In our space like in the quadrant by a factor, of over. Ten to one on what we can detect and what they can't detect but we won't do is go stiffly, up against at least publicly against a specific competitor. But if you're a partner you can get that information under NDA so it. Is it is real it's just you know the we, don't we. Have legal. Prohibition. Prohibitions, from, disclosing like those type of stats externally. Yeah. In fact after the session I'll show you the I can show you the the slide that shows graphically. Like where we stack currently. Against all of our major competitors, oh. Yeah. We have had Poland here from SMB, product group he, does have a. Actually. Let him speak to it. Thanks, ivory when Fred pullin so, we're, starting a new SMB. Community. Around, security, so. We would love if you if you're a partner who works with small to medium sized businesses or your small and medium-sized business yourself we're defining this as one two three, hundred employees we. Would love to get you engaged and, get your feedback and, give you an opportunity to talk with other customers. And partners so. If you want you can come get a card for me or for mavs there and, we're. Happy to work with you. There's. A slide it, shows us like I can't name the vendor, one two and three but these aren't made-up graphs. Either internally. We can disclose it to partners. Does. The anti-spoofing, is, it usable, if you have middleware, if you do have an iron port or something but you still want to pass it to you. Know once, it passes to office. 365 you want to check to see if it's spoofed is that problematic because it's coming from that. So. The question is do we create problems, with ATP's ability to detect something if we put like a some kind of bastion, hose or to filter in front and it's, absolutely it is true it you're gonna take, our ability, to weigh to get as much signal, because all the mails appears to come from one host doesn't, mean it won't know you you can still use anti spoof the effectiveness, goes down when there's something in front of office 365 so. The best way, you know we get the best signal, when, the stuff is coming directly you know hitting us first. Do. It false-positives, as in. Okay. So you, can can you know if you are using like a you know you're gonna use something in front of us you can just configure, that is you, know a real, a host or smart coast and trust. The mail coming from it but you you you doesn't, mean you disabled all of our detection but you do you know we're. More effective when we're the specially, when it's you, know it is spoof it is especially. Part of a campaign because, we tie the signal from customer a with every single other customer, so if you're receiving the same malware, campaign, ransomware campaign fish campaign, and it's coming in a different like through your smart host we're. Not you know we're not gonna be as effective, to protect you but it doesn't mean your protection is off by any chance so, yeah. So. Am. I ever gonna be able to buy a defender. ATP. As like a separate license and attach it to my. So. The question is can we can you buy defender ATP so number one I recommend you talk to this man right here because, he's the way to make that happen technically you can buy today if you buy Enterprise, e5 you're, gonna get a defender, ATP, in there we, write you know I our group does recognize this is something that SMBs, would like it just there's some stuff to figure out and I actually recommend. Fred's, design, community is the place to have this conversation because. There's a lot of interest in doing this we're just trying to figure out like the what in the how to. Get it done and like what would make sense for for, SMB, I don't think it's going to be included in Microsoft, 365 business but we have we're, forming, a consensus, see art if it's an add-on what should that add-on look like like and he's, the one to make that happen.
2020-01-19 07:54
