Microsoft announces partnership with SANS Institute

by | Nov 3, 2022 | Technology

This article is contributed. See the original author and article here.

Microsoft Defender for Office 365 is pleased to announce a partnership with SANS Institute to deliver a new series of computer-based training (CBT) modules in the Attack Simulation Training service. The modules will focus on IT systems and network administrators. Microsoft is excited to collaborate with a recognized market leader in cyber security training to bring our customers training that can help our customers address a critical challenge in the modern threat landscape: educating and upskilling security professionals.


 


“We salute Microsoft for recognizing the requirement to direct security awareness training towards IT System and Network Administrators since our experience tells us that it is precisely these users who are more frequently targeted because of their privileged access.”


Carl Marrelli, Director of Business Development at the SANS Institute


 


We chose SANS Institute for its long track record of success in technical education and for its focus on an audience that Defender for Office 365 wants to support. Technical education is hard, and cyber security is even more difficult to deliver effectively. SANS Institute’s approach was best-in-class, and we think our customers are going to find this content very valuable for their organizational upskilling.


 


Today our Attack Simulation Training provides a robust catalog of end-user training experiences, soon to be expanding beyond social engineering topics. This partnership with SANS will help us expand our offerings to cover an important and challenging topic area. IT system administrators and network administrators have to acquire and use a broad and deep set of complex cyber security information in order to successfully protect their organizations. It can be difficult to find good training and Microsoft believes that this new set of training modules will help all of our organizations, large and small, upskill their administrative staff. These new courses will be self-paced, short-form, and easily digestible.


 


These new courses will be made available in the coming months through the Attack Simulation Training platform. They will ship alongside the rest of our catalog and can then be assigned through our training campaign workflows. Attack Simulation Training is available to organizations through Microsoft 365 E5 Security or Microsoft Defender for Office 365 Plan 2. The courses will meet all of Microsoft’s standards for accessibility, diversity, and inclusivity.


 


The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cybersecurity events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on technical certifications in cybersecurity. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to manage their “human” cybersecurity risk easily and effectively. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.


 


Want to learn more about Attack Simulation Training?


 


Get started with the available documentation today and check out the blogs for Setting up a New Phish Simulation Program-Part One and Part Two. In addition to these, you can read more details about new features in Attack Simulation Training.

Multiple Yammer networks within single tenants will no longer be supported (1:Many Mode)

Multiple Yammer networks within single tenants will no longer be supported (1:Many Mode)

by | Nov 1, 2022 | Technology

This article is contributed. See the original author and article here.

Yammer is committed to strengthening the alignment of Yammer to Microsoft 365. This means we will no longer support tenants having more than one home Yammer network. This change will ensure Yammer networks have the same organizational boundaries as their corresponding M365 tenants. Integrating Yammer more fully into the Microsoft 365 ecosystem has been a multi-year effort and new networks created since October 2018 have not permitted this 1:Many configuration. Similarly, new Yammer networks provisioned after January 2020 have been created in Native Mode. In September 2022, the enforcement of Native Mode was announced. Automated network consolidation is an important prerequisite to reaching Native Mode and gaining access to broader safety, security, and compliance features. This will start on 5/1/2023 and continue through 5/1/2024.



Start the consolidation process



If you have secondary Yammer networks, you will lose access to all your secondary Yammer networks once you consolidate. Users from your secondary Yammer networks will be migrated to your primary network, but groups (communities) and data will be lost. In advance of this change, we strongly recommend that customers perform a full data export of their networks. You can read more about exporting data from your network here.



It is strongly advised that customers perform this network consolidation themselves. This will allow you to choose the time of the consolidation and allow the administrator to choose which primary domain will be associated with the remaining network.



Customers are encouraged to initiate network consolidation any time before or after 5/1/2023.


 


If you would like to self-initiate your network consolidation:



  •  There is a guide to network consolidation available to walk you through the process. A network administrator can run the network migration tool from within Yammer.



If you would like Microsoft to initiate your network consolidation:



  • You are not required to take any action. Microsoft will notify you via the M365 Message Center of your scheduled consolidation date and default primary network and domain. The network with the highest total message count will be the default primary network.

  • If you would like a different default primary network, contact Microsoft 365 support to log an exception.



If you need to postpone or schedule network consolidation around blackout dates:



  • Contact Microsoft 365 support to log an exception.


 


What happens next?



Post consolidation of the networks into 1:1 alignment with Microsoft 365, they will be upgraded to Native Mode. This provides access to the latest features in Yammer and ensures that customers are covered by the Microsoft 365 compliance features.



You can read more about our plans to ensure alignment to Native Mode here.


 


Need more help?


There are Microsoft partners that can help you migrate data from your secondary networks. Please reach out to your Microsoft Account Team or contact a partner for more information.


 


 



FAQ


Q: We know which network we want to be our primary network. How can we make sure that our networks are automatically consolidated to that specific network?


A: Please contact support to specify your desired primary network and domain.



Q: We do not want our networks consolidated. What can we do?


A: Please contact support to request an exception, which will include sharing business justifications, when the consolidation can proceed, and your plan to unblock it. This is not a permanent exception.


 


Q: We consolidated our networks, but we want to reverse the process so we can have a different primary network. Is that possible?


A: No. Network consolidation is an irreversible process.


 


 


 


 


Step-by-step instructions for network consolidation



  1. As a network admin, visit the Network Migration page within the Yammer network admin settings of the primary network you want to keep. Make sure that all of the domains you wish to consolidate are listed. If they are not listed, you can follow the link to add and verify additional domains.


Picture1.png     


       2. Choose the network you wish to consolidate, and click Next.


 


Picture2.png


 


       3. Validate that you are ready to consolidate the selected network and have performed any desired data export prior to consolidation.


 


Picture3.png


 


       4. Follow the instructions to initiate network consolidation.


 


Picture4.png


 


       5. You can view the status of your network consolidation on the Network Migration page.


 


Picture5.png


 


       6. When the consolidation is complete, the status will update.


 


Picture6.png


 


       7. Repeat this process until you only have one network associated with your tenant. Congratulations! You are now ready to migrate to Native Mode.


 


 

New transactable offers from Rubrik and Standss in Azure Marketplace

New transactable offers from Rubrik and Standss in Azure Marketplace

by | Oct 31, 2022 | Technology

This article is contributed. See the original author and article here.

Microsoft partners like Rubrik and Standss deliver transact-capable offers, which allow you to purchase directly from Azure Marketplace. Learn about these offers below:


 














Rubrik-Logo-1024 copy.png

Rubrik for Microsoft 365: Safeguard your enterprise data from insider threats or ransomware with Rubrik’s air-gapped, immutable, access-controlled backups, while continuously monitoring and remediating data risks. Rubrik Zero Trust Data Security for Microsoft 365 offers unprecedented simplicity and performance for search and restore operations for Microsoft Exchange Online, OneDrive, SharePoint, and Teams.
SendGuard Logo.png

 


 

SendGuard for Outlook (Microsoft 365): Prevent accidental data disclosure and improve your compliance posture with SendGuard for Outlook. The software scans, detects, warns or blocks potentially sensitive, confidential or non-compliant emails and prevents them from reaching unintended recipients. It prompts Microsoft Outlook users to review and confirm both attachments and recipients before an email with confidential information can be sent.
.

 

How monitor PITR restore in Managed Instance

How monitor PITR restore in Managed Instance

by | Oct 29, 2022 | Technology

This article is contributed. See the original author and article here.

When you start a PITR restore in your Managed Instance, is very useful be able to track how it progresses. Azure Portal does not show too many details about it, but we can use Managed Instance logs to track it. 


 


The way to do it, is quite simple. You just need to connect to your MI using your SSMS (SQL Server Management Studio) and open “SQL Server Logs” that you will find under “Management


 


Palomag_MSFT_0-1667062573486.png


 


 After open logs, is the time to filter then to be focus on the recovery process. 


 


Palomag_MSFT_1-1667062707819.png


After applying the filter, you will be able to track restore progression. 


 


Palomag_MSFT_2-1667063239155.png


 


Simple and effective


 


Enjoy. – 


 


Paloma.-

Best practices to harden your AKS environment

by | Oct 29, 2022 | Technology

This article is contributed. See the original author and article here.

Hi,


 


AKS takes more and more space in the Azure landscape, and there are a few best practices that you can follow to harden the environment and make it as secure as possible. As a preamble, remember that containers all share the kernel through system calls, so the level of isolation in the container world is not as strong as with virtual machines, and even more as with physical hosts. Mistakes can quickly lead to security issues.


 


1. Hardening the application itself


This might sound obvious but one of the best ways to defend against malicious attacks, is to use bullet proof code. There is no way you’ll be 100% bullet proof, but a few steps can be taken to maximize the robustness:


 



  • Try to use up-to-date libraries in your code (NuGet, npm, etc.), because as you know, most of your code is actually not yours.

  • Make sure that any input is validated, any memory allocation is well under control, should you not use frameworks with managed memory. Many vulnerabilities are memory-related (Buffer overflow, Use-after-free, etc.).

  • Rely on well-known security standards and do not invent your own stuff.

  • Use SAST tools to perform static code analysis using specialized software such as Snyk, Fortify, etc.

  • Try to integrate security-related tests in your integration tests


 


2. Hardening container images


I’ve seen countless environments where the docker image itself is not hardened properly. I wrote a full blog post about this, so feel free to  to read it https://techcommunity.microsoft.com/t5/azure-developer-community-blog/hardening-an-asp-net-container-running-on-kubernetes/ba-p/2542224. I took an ASP.NET code base as an example, but this is applicable to other languages. I’ll summarize it here, in a nutshell:



  • Do not expose ports below 1024, because this requires extra capabilities

  • Specify another user than root

  • Change ownership of the container’s file system


 


3. Scanning container images


Most of the times, we are using base images to build our own images, and most of the times, these base images have vulnerabilities. Use specialized software such as Snyk, Falco, Cloud Defender for Containers, etc. to identify them.  Once identified, you should:



  • Try to stick to the most up-to-date images as they often include security patches

  • Try to use a different base image. Usually light images such as Alpine-based ones are a good start because they embed less tools and libraries, so are less likely to have vulnerabilities.

  • Make a risk assessment against the remaining vulnerabilities and see if that’s really applicable to your use case. A vulnerability does not automatically mean that you are at risk. You might have some other mitigations in place that would prevent an exploit.


To push the shift left principle to the maximum, you can use Snyk’s docker scan operation, right from the developer’s machine to already identify vulnerabilities. Although Snyk is a paid product, you can scan a few images for free. 


4. Hardening K8s deployments


In the same post as before (https://techcommunity.microsoft.com/t5/azure-developer-community-blog/hardening-an-asp-net-container-running-on-kubernetes/ba-p/2542224), I also explain how to harden the K8s deployment itself. In a nutshell,


 



  • Make sure to drop all capabilities and only add the needed ones if any

  • Do not use privileged containers nor allow privilege escalation (make values explicit)

  • Try to stick to a read only file system whenever possible

  • Specify user/group other than root


 


5. Request – Limits declaration


Although this might not be seen as a potential security issue, not specifying memory requests and limits can lead to an arbitrary eviction of other pods. Malicious users can take advantage of this to spread chaos within your cluster. So, you must always declare memory request and limits. You can optionally declare CPU requests/limits but this is not as important as memory.


 


 


6. Namespace-level logical isolation


K8s is a world where logical isolation takes precedence over physical isolation. So, whatever you do, you should make sure to adhere to the least privilege principle through proper RBAC configuration and proper network policies to control network traffic within the cluster, and potentially going outside (egress). Remember that by default, K8s is totally open, so every pod can talk to any other pod, whatever namespace it is located in. If you can’t live with internal logical isolation only, you can also segregate workloads into different node pools and leverage Azure networking features such as NSGs to control network traffic at another level. I wrote an entire blog post on this: AKS, the elephant in the hub & spoke room, deep dive


 


 


  6.1 RBAC


Role-based access control can be configured for both humans and systems, thanks to Azure AD and K8s RBAC. There are multiple flavors available for AKS. Whichever one you use, you should make sure to:



  • Define groups and grant them permissions using K8s roles

  • Define service accounts and let your applications leverage them

  • Prefer namespace-scoped permissions rather than cluster-scope ones


  6.2 Namespace-scoped & global network policies


Traffic can be controlled using plain K8s network policies or tools such as Calico. Network policies can be used to control pod-level ingress/egress traffic.


 


7. Layer 7 protection


Because defense-in-depth relies on multiple ways to validate whether an ongoing operation is legal or not, you should also use a layer-7 protection, such as a Service Mesh or Dapr, which has some overlapping features with service meshes. The main difference between Dapr and a true Service Mesh is that applications using Dapr must be Dapr-aware while they don’t need to know anything about a service mesh. The purpose of a layer-7 protection is to enable mTLS and fine-grained authorizations, in order to specify who can talk to who (on top of network policies). Most solutions today allow for fine-grained authorizations targeting operation-level scopes, when dealing with APIs. Dapr and Service Meshes come with many more juicy features that make you understand what a true Cloud native environment is.


 


8. Azure Policy


Azure Policy is the corner stone of a tangible governance in Azure in general, and AKS makes no exception. With Azure Policy, you’ll have a continuous assessment of your cluster’s configuration as well as a way to control what can be deployed to the cluster. Azure Policy leverages Gatekeeper to deny non-compliant deployments. You can start smoothly in non-production by setting everything to Audit mode and switch to Deny in production. Azure Policy also allows you to whitelist known registries to make sure images cannot be pulled from everywhere.


 


9. Cloud Defender for Containers


Microsoft recently merged Defender for Registries and Defender for Kubernetes into Defender for Containers. There is a little bit of overlap with Azure Policy, but Defender also deploys DaemonSets that check for real-time threats. All incidents are categorized using the popular MITRE ATT&CK framework. One of the selling point is that Defender can handle any cluster, whether hosted on Azure or not. So, it is a multi-cloud solution. On top of assessing configuration and threats, Defender also ships with a built-in image scanning process leveraging Qualys behind the scenes. Images are scanned upon push operations as well as continuously to detect newer vulnerabilities that came after the push. Of course, there are other third party tools available such as Prisma Cloud, which you might be tempted to use, especially if you already run the Palo Alto NVAs. 


 


10. Private API server


This one is an easy one. Make sure to isolate the API server from internet. You can easily do that using Azure Private Link. If you can’t do it for some reasons, try to at least restrict access to authorized IP address ranges.


 


11. Cluster boundaries


Of course, an AKS cluster is by design inside an Azure Virtual Network. The cluster can expose some workloads outside through the use of an ingress controller, and anything can potentially go outside of the cluster, through an egress controller and/or an appliance controlling the network traffic.


 


  11.1 Ingress


Ingress can either be internet-facing callers or internal callers. A best practice is to isolate the AKS ingress controller (NGINX, Traefik, AGIC, etc.) from internet. You link it to an internal load balancer. Traffic that must be exposed to internet should be exposed through an Application Gateway, Front Door (using Private Link Service) or any other well-known non-Azure solution such as Barracuda, F5 etc.  You should also distinguish pure UI traffic from API traffic. API traffic should also be filtered using an API gateway such as Azure APIM, Kong, Ambassador, etc. For “basic” scenarios, you might also offload JWT token validation to service meshes, but they will not have comparable features. You should for sure consider real API gateways for internet-facing APIs.


 


  11.2 Egress


Pod-level egress traffic can be controlled by network policies or Calico, but also by most Service Meshes. Istio has even a dedicated egress controller, which can act as a proxy. On top of handling egress from within the cluster itself, it is a best practice to have a next-gen firewall waiting outside, such as Azure Firewall or third-party Network Virtual Appliances (NVA).


 


12. Keep consistence across clusters and across data centers


You start with one cluster, then 2, then a hundred. To keep some sort of consistency across cluster configurations, you can leverage Azure Policy. If your clusters are using on-premises or in another cloud, you can also use Azure Arc. Microsoft recently launched Azure Kubernetes Fleet Manager, which I haven’t tried yet but is surely something to keep an eye on.


 


Conclusion


The above tips are by no means exhaustive but if you start with that, you should be in a better position when it comes to handling container security. There are a myriad of tools available on the market to better handle container security. Azure has some built-in capabilities and it is up to you to see if you prefer to use best of breed or best of suite. Note that more and more Azure native tools span beyond Azure itself, so your single pane of glasses could be Azure.