New Microsoft 365 Security Center allows you to more quickly assess threat risk and take action, but you need an E5 license.

I recently spoke with Microsoft’s Rob Lefferts, corporate vice president, program management, M365 security and compliance, about recent updates to Microsoft 365 Defender solutions. Many of you are familiar with Microsoft 365 for Endpoint. If you have the proper licensing (E5), it allows you to drill down into exactly what your workstations are getting into trouble with and what risks they are bringing to your network.

Why is this important?

From SolarWinds, to the Exchange attacks, to the F5 remote attacks, the 2021 security year has been less than ideal. If you aren’t logging information as well as you can, you won’t have the information you need to investigate incidents. Make no mistake, you will have an incident. Plan now for how you will have the necessary information to authoritatively tell your executive team whether an intrusion did or did not occur. Shrugging your shoulders and saying, “Gee, I’m not sure, how about we call the cyber insurance guys and ask them” is not going to cut it. You need information at your fingertips so you can act quickly and take immediate action without calling in outside help.

A portal view: Microsoft 365 Security Center

Microsoft is previewing a portal that brings the view of your entire network, from workstations to servers to cloud email to cloud applications to Azure, into one place, where you can click through to review the risks you have in your organization.

One feature that I’m a fan of is the Threat Analytics portal. From it, you can not only review the latest security attacks and risks that Microsoft is highlighting but also drill down into your network and see whether there are any additional mitigations or configurations you need to apply to protect your network.
The information contained in this portal is so valuable that I strongly recommend purchasing Microsoft 365 E5 licenses for your riskiest users to fully understand the information and receive guidance for these high-risk users. Remember, you can mix and match licensing, though you may need to limit users to certain features to be compliant. These reports give you actionable tasks to remediate and protect your network proactively from the types of attacks discussed in the portal. These threat reports provide you with actionable information that you can roll out to your organization. For example, one action item that I need to roll out to my workstations is additional attack surface reduction rules to better detect and prevent ransomware. The portal identifies those assets and users in my network that need the most protection and what steps are recommended to protect my machines.

[Screenshot: Attack surface reduction rules needed in my organization]

For example, a recent post in the portal, “Qakbot blight lingers, seeds ransomware”, indicated that I needed to take actions to better protect my systems from ransomware. I have Microsoft 365 E5 installed on my home personal computer. Therefore, I have not managed the local administrator password on this laptop. The portal identified that I needed to deploy a Local Administrator Password Solution (LAPS) to ensure that I had randomized local passwords and did not have matching local passwords across the network. The portal recommended that I set the following group policy to the “Enabled” value:

Computer Configuration > Policies > Administrative Templates > LAPS > Enable Local Admin Password Management

This ensures that you have random local administrative passwords that are not shared.
Attackers can’t gain access to one local administrator password and then traverse across the network to additional workstations.

For some suggestions, such as enabling Microsoft Defender Credential Guard, you will need to review both hardware requirements and software requirements. For this protection you will need to have Windows 10 Enterprise installed as well as the mandated hardware.

Monitor Microsoft 365 threat reports

Keep a constant eye on these threat reports. They provide you with actionable information and give you a high-level view of security incidents in the news as well as specific information for your network. You can easily and quickly go from understanding the risk of the security situation to taking preventative actions. This goes beyond the Secure Score portal to provide specific incident information targeted to your firm.

Once you have a user in a full Microsoft 365 E5 configuration, you can then review workstation activity, as well as cloud-based email security reports under Email & collaboration in the portal. Rather than reviewing the content in the Microsoft Defender Security Center and the Office 365 Security & Compliance portal separately, you can now review the information in the single portal. If you have solutions that use the URLs of the older portals, you can continue to use them. When you are ready to move to the integrated URL, you can then adjust the portal redirection links. This helps when you have a phishing email investigation, because you can track the email from the cloud email system through to your desktops. For example, the other day I had a phishing email that was later flagged as phishing and was proactively removed from the cloud email. I was able to track it to ensure that no user had clicked on the email and introduced risk into the network.

I urge you to look at Microsoft 365 Defender’s unified portal. You’ll be able to quickly identify risks to your organization and take action quickly to prevent attacks.
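The three hardening items the threat reports called out above (the LAPS group policy, Credential Guard, and attack surface reduction rules) can all be verified from the endpoint itself before you trust the portal's view of your fleet. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes an elevated session on a Windows 10 endpoint and the legacy Microsoft LAPS (AdmPwd) client, whose policy registry key it reads; Windows LAPS uses different keys. The ASR rule GUIDs are taken from Microsoft's published rule reference and should be checked against the current documentation before you rely on them.

```powershell
# Added example (not from the article or from Microsoft): audit one Windows 10 endpoint
# for legacy LAPS policy, Credential Guard, and selected attack surface reduction (ASR)
# rules, and emit a single posture object you can collect centrally.
# Assumptions: elevated session; legacy LAPS (AdmPwd client-side extension) in use.

# The GPO "Enable local admin password management" writes AdmPwdEnabled=1 under this key.
$LapsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# ASR rule GUIDs as listed in Microsoft's ASR rules reference; verify before relying on them.
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

function Get-LapsPolicyStatus {
    # Missing key means the GPO has never applied; $null length/age means policy defaults.
    $p = Get-ItemProperty -Path $LapsPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled         = [bool]($p -and $p.AdmPwdEnabled -eq 1)
        PasswordLength  = $p.PasswordLength
        PasswordAgeDays = $p.PasswordAgeDays
    }
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning             = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    }
}

function Get-AsrRuleStatus {
    # Get-MpPreference returns parallel arrays: rule ids and their configured actions.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($id in $AsrRules.Keys) {
        $i     = [array]::IndexOf($ids, $id.ToLower())
        $state = 'NotConfigured'
        if ($i -ge 0) {
            $code  = [int]$actions[$i]
            $state = if ($names.ContainsKey($code)) { $names[$code] } else { "Unknown($code)" }
        }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; State = $state }
    }
}

function Enable-AsrRuleAuditMode {
    # Stage a rule in audit mode first: Defender logs what it would have blocked
    # (event ID 1122) so you can review impact before switching it to Enabled.
    # Settings managed by GPO or Intune will override this local change.
    param([Parameter(Mandatory)][string]$RuleId)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

function Get-EndpointPosture {
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Laps            = Get-LapsPolicyStatus
        CredentialGuard = Get-CredentialGuardStatus
        AsrRules        = @(Get-AsrRuleStatus)
    }
}

# Emit JSON so the result can be shipped to a central log or compared across machines.
Get-EndpointPosture | ConvertTo-Json -Depth 4
```

Run it elevated on a single test machine first. A rule reported as NotConfigured is the gap the threat analytics report is pointing at; enabling it in audit mode through Enable-AsrRuleAuditMode and reviewing the 1122 events for a week before blocking avoids breaking line-of-business applications, which is the main reason these rules stay unconfigured in practice.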