System4u helps its customers in the Digital Workspace area. Proper interconnection of technologies is a guarantee of a well-functioning and secure IT environment for companies.
The advanced attack protection provided by Microsoft 365 – Advanced Threat Protection (ATP) – contains 3 basic parts, which will be the subject of today’s article.
The first part we will talk about is Microsoft Defender for O365. It protects the core Microsoft collaboration and file sharing tools, i.e. email, Microsoft Teams and SharePoint. Microsoft Safe Attachments protects files (attachments) that a user receives from outside or from colleagues.
In practice, an automatic check is performed on every sent or received file. If the file is found to be infected, it is removed automatically, and a further check is made to see whether the same file has already been delivered to other users in the company. If so, Microsoft Defender blocks access to the attachment for those users as well and places it in quarantine.
Another tool, Microsoft Safe Links, works on a similar principle. If a user receives a link to a file, O365 can check the link and, if it assesses that the target contains malicious code, block the file and prevent an attack on the network. Microsoft 365 ATP also includes anti-phishing and anti-malware protection of the kind also known from other providers’ solutions.
The second part is Windows Defender Advanced Threat Protection. This additional security tool from Microsoft protects the endpoint devices themselves, on which an attacker can run malicious code. Here again there are several components, such as Windows Defender SmartScreen, a technology that can block access to a dangerous website from the device or block a file from being downloaded locally to the device.
Endpoint Protection, another part of Microsoft Defender, is used to protect your device if a malicious file has already entered it. The user or attacker wants to run the infected file on the device, and Endpoint Protection will scan the file or application and block the process if it detects malicious code.
Endpoint Detection and Response covers the next step, when a dangerous downloaded file or application is already running on the device. This tool can retroactively analyze the behavior of such a file or application, evaluate the malicious code, take action on the device and pass the information to the other endpoint devices in the company. It uses machine learning that runs in the Microsoft cloud: Microsoft collects information from all devices enrolled in Microsoft 365, evaluates the data and prevents potential attacks.
How is endpoint protection done in practice? The user downloads the file they want to open to the device. The device sends information to the Microsoft cloud, which immediately verifies whether the file or application is known malicious code. If Microsoft knows nothing about the code, it tells the device that the code is unknown. The device then performs basic tests using machine learning locally, and at the same time a sample of the code is sent to the Microsoft cloud for further examination and testing. If the application is not detected as malicious at this stage either, it is allowed to run. The whole process takes seconds, and the user is virtually unaware of what is happening on their device. On the Microsoft side the analysis continues and the code sample is examined further. If a risk is found, information about the possible attack is sent back to the device, the file is completely blocked and isolated, and the information is sent to all other devices in the company.
Azure Advanced Threat Protection (Azure ATP) or Microsoft Defender for Identity can prevent and counter attacks on the internal network if an attacker has already entered the network. This tool profiles users and where they communicate from, distinguishing their permissions to access the internal network. If it detects that many different requests are coming from a user’s device, including e.g. requests under a different identity to the domain controller, it might evaluate this behavior as an attempt to crack the password and gain elevated privileges within the organization.
Again, the way this works in practice is that the Azure ATP sensor, installed on the domain controller or as a standalone solution, collects all the information that arrives at the domain controller. The network communication is analyzed at L7 (the application layer), which lets us see directly into the Kerberos tickets, for example. We know from where and which user is requesting access to a particular application, or whether they are requesting access on behalf of another user. This information is used to profile users, including a model of their usual behaviour.
The IP Resolution function creates a map of devices including their IP address and function based on ATP data. This is used, for example, if an attacker sends a request to replicate data to a domain controller from the IP address of a personal computer – replication commands are exchanged only between domain controllers and never come from end stations. Such behaviour can again be assessed as risky and a possible attempt to obtain information about the customer’s network.
All data from the Azure ATP sensor is processed in the Microsoft cloud and only within your tenant. With data processing in the cloud, almost unlimited power is available for analyzing the collected data. The result is real-time processing and reporting of potential threats.
In the previous steps we have obtained the necessary information and profiled the users, so we can now monitor their abnormal behaviour. If, for example, failed authentication requests for other users start coming from the end device on which one user is working, we again see an attempt to guess the passwords of other users in the network and a possible attack.
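The two Azure ATP detections described above (replication requests arriving from a non-domain-controller address, and failed authentications for other users' accounts coming from one workstation) can be illustrated with a small detection routine over constructed domain-controller events. This is an added example, not Microsoft's or System4u's code; the device map, the owner profile, the event format and all addresses and names are hypothetical values constructed for the example.

```python
from collections import defaultdict

# Constructed stand-in for the IP Resolution device map: source IP -> (name, role).
DEVICE_MAP = {
    "10.0.0.5": ("DC01", "domain_controller"),
    "10.0.0.6": ("DC02", "domain_controller"),
    "10.0.2.17": ("WS-ALICE", "workstation"),
    "10.0.2.40": ("WS-BOB", "workstation"),
}

# Constructed user profile: which account normally works from which device.
OWNER_OF = {"10.0.2.17": "alice", "10.0.2.40": "bob"}

# Constructed DC events in the shape "src_ip,event,account,result" (not a real log format).
EVENTS = """\
10.0.0.6,DRS_REPLICATE,DC02$,success
10.0.2.17,DRS_REPLICATE,alice,success
10.0.2.40,KERBEROS_AS_REQ,bob,success
10.0.2.40,KERBEROS_AS_REQ,carol,failure
10.0.2.40,KERBEROS_AS_REQ,dave,failure
10.0.2.40,KERBEROS_AS_REQ,erin,failure
10.0.2.40,KERBEROS_AS_REQ,frank,failure
10.0.2.17,KERBEROS_AS_REQ,alice,success
"""

def parse_events(text):
    rows = []
    for line in text.splitlines():
        src, event, account, result = line.split(",")
        rows.append({"src": src, "event": event, "account": account, "result": result})
    return rows

def replication_from_non_dc(events, device_map):
    """Replication is only exchanged between domain controllers; flag any other source."""
    alerts = []
    for e in events:
        if e["event"] != "DRS_REPLICATE":
            continue
        name, role = device_map.get(e["src"], ("unknown", "unknown"))
        if role != "domain_controller":
            alerts.append((e["src"], name, e["account"]))
    return alerts

def failed_auth_for_other_accounts(events, owner_of, threshold=3):
    """Flag devices with failed authentications for >= threshold accounts other than the owner's."""
    failures = defaultdict(set)
    for e in events:
        if e["event"] == "KERBEROS_AS_REQ" and e["result"] == "failure":
            if e["account"] != owner_of.get(e["src"]):
                failures[e["src"]].add(e["account"])
    return {src: sorted(accts) for src, accts in failures.items() if len(accts) >= threshold}
```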
Of course, it is possible to generate alerts for suspicious activity on the network and view details in the admin console. It is also possible to connect Azure ATP to Windows Defender ATP to get a comprehensive view of a potential attack across the timeline.
Another service is Microsoft Cloud App Security. This tool can protect other cloud services. It analyzes network communication by installing a probe on the firewall or proxy server to detect so-called Shadow IT, i.e. whether users are using applications that are not under IT’s control or exchanging data in an unofficial way, e.g. via Dropbox or other means.
You can view the ratings of the discovered apps in the Microsoft Cloud App Catalog, a list of apps compiled by Microsoft (currently about 15,000 apps). Applications can then be blocked on the basis of a negative rating.
It is also possible to evaluate abnormal user behavior, for example when a large number of files are downloaded from cloud storage to the local computer. In this case the user can be cut off and their access blocked. This also helps with ransomware protection.
Another tool, this time for identity protection, is Azure AD Privileged Identity Management (Azure AD PIM). This tool is used to set the amount of permissions a user has for access to the corporate network. The aim is to prevent attacks on users with the highest privileges and thus prevent an attacker from obtaining e.g. global administrator privileges. Azure AD PIM can add permissions “just in time”: each user has standard permissions, and when they need higher permissions they request them only at that moment; after a set period of time the permissions automatically revert to those of a standard user. For example, multifactor authentication or approval by another user may be required when assigning roles and permissions.
Another tool related to identity protection is Microsoft Identity Protection. This tool assesses the risk of users signing in to Microsoft 365 services. For example, if they are signing in from an anonymized network, a non-standard geographic area, at an unusual time, or from an IP address from which infected computers are communicating, the sign-in is blocked or an additional authentication factor is enforced.
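The risk-based decision just described can be sketched as a small policy: build each user's baseline of usual countries and sign-in hours from history, then score a new sign-in against that baseline and against lists of anonymizer and malware-linked addresses. This is an added example, not Microsoft Identity Protection's own scoring; the history, the two IP lists, the 2-hour tolerance and the decision rules are assumptions constructed for the example.

```python
# Constructed sign-in history, "user,country,hour,ip" (hypothetical values, not a real log format).
HISTORY = """\
alice,CZ,8,10.1.1.1
alice,CZ,9,10.1.1.1
alice,CZ,17,10.1.1.2
alice,DE,10,10.1.1.3
"""
ANONYMIZER_IPS = {"185.220.100.1"}     # constructed: address of an anonymizing network
MALWARE_LINKED_IPS = {"203.0.113.9"}   # constructed: address infected hosts were seen talking from
HIGH_RISK = {"ip_linked_to_infected_hosts", "anonymized_network"}

def build_baseline(history_text):
    """Per-user set of countries and hours seen in past sign-ins."""
    baseline = {}
    for line in history_text.splitlines():
        user, country, hour, _ip = line.split(",")
        b = baseline.setdefault(user, {"countries": set(), "hours": set()})
        b["countries"].add(country)
        b["hours"].add(int(hour))
    return baseline

def hour_distance(a, b):
    """Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 hours apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def assess_signin(user, country, hour, ip, baseline, tolerance=2):
    """Return (decision, reasons) where decision is 'allow', 'mfa' or 'block'."""
    reasons = []
    if ip in MALWARE_LINKED_IPS:
        reasons.append("ip_linked_to_infected_hosts")
    if ip in ANONYMIZER_IPS:
        reasons.append("anonymized_network")
    b = baseline.get(user)
    if b is None:
        reasons.append("no_baseline")
    else:
        if country not in b["countries"]:
            reasons.append("unfamiliar_country")
        if all(hour_distance(hour, h) > tolerance for h in b["hours"]):
            reasons.append("unusual_time")
    # One high-risk signal, or two or more medium signals, blocks; one medium signal steps up to MFA.
    if any(r in HIGH_RISK for r in reasons) or len(reasons) >= 2:
        return "block", reasons
    if reasons:
        return "mfa", reasons
    return "allow", reasons
```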
Microsoft 365 and Windows 10 management
If the company uses Microsoft 365 services, it is recommended to use Microsoft Intune for bulk management of mobile devices. If a company uses SCCM (Configuration Manager) for Windows device management and has hundreds or thousands of devices, it is difficult to transition quickly to Intune management. To make this transition smooth, seamless and gradual, all you need to do is connect Intune and SCCM. This connection activates co-management, and company devices are then managed from both systems at the same time, without conflicts between them.
Thanks to co-management, you can gradually migrate individual management areas from SCCM to Intune. A prerequisite for co-management is synchronization and registration of the devices in Azure AD. The devices are then activated automatically in Microsoft Intune, where in the first phase they can simply be audited before the gradual migration of management areas; the enrolled devices can also be used in Conditional Access policies that govern access to MS365 services.
The main reason to switch to Microsoft Intune is that it lives in the cloud and is accessible at any time and from anywhere. This ensures that the configuration and security of Windows 10 devices are always up to date.
In terms of co-management licensing, you need Microsoft Azure AD Premium P1 and Microsoft Intune licenses, both of which are included in Microsoft Enterprise and Security or can be purchased separately.
Another reason to manage Windows 10 devices with Microsoft 365 tools is the easy and automatic first-time configuration of new devices with Microsoft Autopilot. This tool ensures that when the device is first started it is activated for management in MS Intune, which then delivers the necessary configurations and applications to the device. The result is a ready-to-use device within minutes, without any initial configuration by IT support.
Authors of the paper:
Roman Přikryl, System Architect