01x02_Get-Ignite24Recap.ps1

Topics

  • Chris takes a look at the Intune announcements from Ignite
  • Koos has some thoughts on new capabilities within Defender XDR and some other Security-related updates.



Ignite book of News

  • Ignite ‘24 Book of News
  • The terms ‘Copilot’ and ‘AI’ were used 259 and 392 times respectively 😜
  • Only two product/feature renames! 😳
    • ‘Azure Virtual Desktop for Azure Stack HCI’ has been renamed ‘Azure Virtual Desktop for Azure Local’
    • ‘Microsoft Purview Data Catalog’ has been renamed ‘Microsoft Purview Unified Catalog’.

Intune & Entra

Intune

Microsoft Security Copilot in Intune will expand to more platforms & scenarios

We’ll see integration and start to surface in more places inside Intune and the greater Intune Suite:

  • Intune Advanced Analytics - Natural language help with KQL queries, multi-device queries, etc.
  • Endpoint Privilege Management (EPM) - Copilot insights into apps requesting elevation
  • Policy Management - Easier to setting help, insights into settings in other policies, conflicts etc.
  • Windows Autopatch - Natural language insights into Win 10/ Win 11 updates, issues with updates etc.

Microsoft Intune is expanding its core device hardware inventory capability for Windows to iOS, Android, macOS and Linux devices.

Entra

New capabilities strengthen Microsoft’s Security Service Edge solution

If you recall, earlier this year Microsoft announced it’s SSE solution that consists of:

  • Microsoft Entra Private Access - Helps provide secure access to private resources
  • Microsoft Entra Internet Access - Provides secure access to all internet and SaaS apps

Announced at Ignite, Entra Private Access will have some new features added:

  • Quick access policies, generally available, make it easy to onboard private apps to Microsoft Entra.
  • App Discovery, coming soon to public preview, makes it easy to discover all your private apps.
  • Private DNS, in public preview, makes it easy to configure single label names or hostnames that users can use to access resources seamlessly.
  • Private network connectors available in the Azure, AWS, and Google Cloud marketplaces, in public preview, improve the admin experience and simplify deployment of private network connectors.

Entra Internet Access is also getting some new features:

  • Continuous access evaluation (CAE) support, in public preview, allows network access to be revoked in near real-time when it detects a critical event. It’s like gaining an automatic emergency switch that turns off the Internet until policy conditions are met. Because these controls operate at the network level, they work whether or not the application or client supports modern authentication and CAE natively.
  • TLS inspection, in private preview, provides comprehensive visibility of encrypted traffic and enables enhanced URL web category filtering based on full URLs. 

Microsoft Security Copilot will be embedded directly into Microsoft Entra admin center, bringing the available identity skills from the standalone Security Copilot experience, along with new identity capabilities, directly to identity admin workflows

Defender XDR

Very broad subject of course.

So when we think of “Defender” we might still think about Defender for Endpoint, right?

XDR = Cross Detection & Response

Defender XDR = Defense suite with “all the defenders” like:

  • Microsoft Defender for Endpoint (Defender ATP)
  • Microsoft Defender for Office 365 (Office 365 ATP)
  • Microsoft Defender for Identity (formerly: Azure ATP)
  • Microsoft Defender for Cloud Apps (formerly: Cloud App Security)
  • Microsoft Defender Vulnerability Management
  • Microsoft Defender for Cloud (Azure Defender)
  • Microsoft Entra ID Protection (AAD Identity Protection)
  • Microsoft Purview (Data Loss Prevention)

Unification of portals

Different role for Sentinel.

First Sentinel as orchestrator if you will.

Nowadays all “Defenders” are unified in the “Defender portal” (security.microsoft.com).

Last year rebranded to “Unified Security Operations Platform” where also Sentinel (Azure resource) was added as well.

But there are still some features missing for which you needed to switch back to the Azure Portal.

  • Workbooks are now available
  • Sentinel will now also be available to customers who do not use Defender XDR. Customers will be able to access the embedded Security Copilot experience.

I hope other missing functionality like automation rules and playbooks management will be added soon as well.

Other new integrations

  • Purview Insider Risk Management is now integrated in the incident page

This appears to be a big year for data security. More on this later…

Most notable product now GA

  • Microsoft Security Exposure Management

    Before I explain what it is, it’s good to understand the different ways Attackers and Defender generally operate.

    John Lambert (Microsoft Corporate Vice President Security) once said:

    • Windows Security team since 2000
    • Led the Microsoft Threat Intelligence Center (MSTIC)

    Defenders think in lists, attackers think in graphs. As long as this is true, attackers win.

    Most defenders focus on protecting their assets, prioritizing them, and sorting them by workload and business function. They have plenty of lists of assets in system management services, in asset inventory databases and even in spreadsheets. There’s one problem with all of this. Attackers don’t have a list of assets, they have a graph. Assets are connected to each other by security relationships. Attackers breach a network by landing somewhere in the graph and start hacking their way to the next point, finding vulnerable systems by navigating the graph. Who creates this graph? Well, you do.

    According to Microsoft Security Exposure Management:

    • Helps you to: understand your attack surface
    • Helps you to: think like an attacker
    • Helps you to: prioritize actions to protect most critical assets.

    It does this by consolidating posture data like:

    • Endpoints
    • Cloud
    • Applications
    • Identities
    • Data
    • Vulnerabilities
    • Attack Surface

    From both Microsoft AND third-party solutions:

    • ServiceNow CMDB
    • Qualys VM
    • Rapid7 VM
    • Tenable
    • Wiz (coming soon)
    • Palo Alto (coming soon)

    And present the data with three three key components:

    • Attack Surface Management Visualize these relationships in a graph, that’s what gives you the “attackers perspective” of your organization.
    • Attack Path Analysis Highlights how an attacker could potentially abuse your exposures and security gaps. It will show how they would be able to traverse their way through your organization, to your most critical assets.
    • Unified Exposure Insights Get dynamic metrics and scores for security initiatives like Cloud & Endpoint Security, Ransomware Protection and Zero Trust. This helps you prioritize efforts to close the most important gaps first.

Microsoft Security Exposure Management not only went GA, but it also received a couple of updates during Ignite

  • DACL Support XSPM now includes Discretionary Access Control Lists (DACLs) in attack path analysis.
  • Hybrid Attack Paths now identifies hybrid attack paths, capturing routes that originate on-premises.

Read more details about Microsoft Security Exposure Management going GA here.

Several other notable new additions

  • Defender for Office 365 now provides AI-powered email and collaboration security. Using purpose-built Large Language Models. Initial rollout to select customers shown impressive results of a 99.995% attacker intent detection accuracy and filtering.

  • Defender Cloud Security Posture Management (CSPM) received new additions. CSPM provides detailed visibility into the security state of your Cloud assets and workloads, and provides hardening guidance to improve your security posture. But not only Azure Cloud, AWS and GCP as well.

    • API security posture
      Mapping APIs in Azure API Management’s to back-end to gain full context across the entire app, including compute and storage.
    • Container security posture Azure, AWS and Google Cloud Platform and third party/private registries like Docker Hub and JFrog Artifactory
    • AI security posture Azure OpenAI Service, Azure Machine Learning and Amazon Bedrock
  • Microsoft launched “Zero Day Quest” - A $4 million AI and cloud security bug bounty program. “hacking event will be the largest of its kind”. Started on November 19th and runs until my birthday on January 19th.
  • New capabilities in Purview Data Loss Prevention will prevent oversharing of sensitive information and detect risky AI usage in Copilot.
  • Microsoft Purview Data Security Posture Management (DSPM) (preview). Will provide centralized visibility from across Microsoft Purview data security solutions into one place.
    • Information Protection
    • Insider Risk Management
    • Data Loss Prevention

    Data Security Posture Management will help:

    • identify possible labeling and policy gaps
    • unusual patterns and activities that might indicate potential risks and opportunities.
  • Security Copilot new features:
    • During incident investigations, analysts commonly review details about related evidence entities (like IP, accounts and devices) There already was a ‘Device Summary’ but now there’s also a new ‘Identity Summary’, highlighting behavioral anomalies and potential misconfigurations.
    • MDTI (Threat Intelligence) indicator skills can leverage threat intelligence in MDTI to link any IoC (indicator of compromise) to all related data and content.
  • Security Copilot enhancements:
    • ‘Script and file analysis’ simplifies complex investigations by translating what a script does into natural language and streamlining the analysis of multiple executable files.
    • ‘Incident Report’ compiles all response activities into a detailed report of the security incident. It now comes with third-party integration with ServiceNow
    • ‘Incident Summary’ in Copilot standalone experience is able to retrieve more details like entities and across both Sentinel and Defender
    • ‘Guided Response’ Enables security analysts to easily communicate with end users by dynamically generating text for analysts to use
  • Security Copilot now in more products:
    • Purview
    • Entra
    • Intune
  • 2025 will be the year of Microsoft Purview and Data Security.

Community Project

Entra ID Security Config Analyzer (EIDSCA)

Speaking of Workbooks; Sami 🇫🇮, Thomas 🇩🇪 and Markus 🇫🇮 have created the “Entra ID Security Config Analyzer (EIDSCA)” a while ago. And it contains a lot of great stuff but one of which is a Workbook which will evaluate your Entra ID tenant settings with several best practices.

Check out the project on Github.

Follow us on your favorite podcast platform or check us out on YouTube

01x01_mfa.exe

Topics

  • Chris has some thoughts about MFA usage and deployment,
  • Koos recently ran into some issues with Passkeys and wants to share a couple of do’s and don’t’s and also discuss future roadmap features.



MFA

Its almost 2025 - Is MFA still relevant today? Is MfA an unachievable utopia? The answers are definitely and no!

Seriously though, we’ve been talking about this for over a decade now - but it dawned on me recently that we always say “go enable MFA” and maybe we really should be saying “here’s how you enable MFA”. Believe it or not, I still see organizations that don’t have ANY MFA deployed - this happens for many reasons:

  • Legal/political reasons
  • Device restrictions

Its important to think of this as a process of continuous improvement and not ‘set and forget’ Where should you be? What does a MFA MVP look like? At a bare minimum, MFA should be enabled for all accounts in the tenant. In my opinion, I would go a little further than this - At a bare minimum, MFA should be enabled for all accounts in the tenant and all admin roles should be using phish-resistant MFA.

What do we mean by phish-resistant MFA?

  • FIDO / WebAuth authentication
  • Public key infrastructure (PKI)-based

These are things like FIDO2 tokens (Yubikey/Token2), Windows HfB, Passkeys, etc.

How should you configure MFA? Use Conditional Access - this requires at least Entra ID P1. If you don’t have at least P1, you can still deploy MFA via the ‘security defaults’ in M365, but you will lack granular control. Conditional Access is an important security tool so I’d encourage you to consider this during your next license cycle/true up.

You want to create at least 2 CA policies for MFA:

  • One policy to apply MFA for all users in administrative roles. Scope this policy to the roles, not to users/groups
  • One policy to MFA for all users. Scope this policy to ‘All users’

Once we you have these in place - your next step is to require phish-resistant MFA on the Admin roles. These align with the latest CIS benchmarks. If you’re not using Microsoft Authenticator - I’d strongly recommend moving toward that for as many users as possible. Avoid SMS where possible.

What about break glass accounts? For years we’ve been saying you should break glass accounts from MFA - this guidance in outdated. The recommendation now is to use FIDO2 tokens or similar for these. This also means that you need to consider your processes for using, storing and testing these.

Takeaways

  • If you don’t have MFA deployed - don’t let perfect be the enemy of good. Start now and deploy where you can.
  • Limit exclusions - look are service principals etc
  • It is not all or nothing
  • Security is not ‘set and forget’

CISA - Implementing Phishing-Resistant MFA

Conditional Access authentication strength

Passkeys

AiTM

As more organizations embrace multi-factor authentication (MFA) to block most password-based attacks, threat actors are moving up the cyberattack-chain by bypassing MFA authentication altogether.

Adversary-in-the-middle (AiTM) attacks

  • Involves attackers tricking users into clicking a link and completing MFA on the attacker’s behalf.
  • Token theft is when an attacker steals tokens and makes a copy to get to the users’ resources without needing a username, password, or a successful MFA challenge.

What are passkeys?

A passkey is a strong, phishing-resistant authentication method based on World Wide Web Consortium’s (W3C) WebAuthN standard.

Passkeys solve the issue with phishing attacks because AiTM phishing is done by using a proxy server, which phishes the password and session cookie right after the user performs MFA. Which allows the attacker to use the session cookie for as long as the cookie is valid.

Evilginx is a demonstration of what adept attackers can do. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks.

Passkeys are a pair of cryptography keys generated by your device. And without the private key, the attacker cannot login on the users behalf, because accessing the private key is protected by using a PIN or biometric methods.

Passkeys provide passwordless logon, where each passkey is a unique digital key which cannot be reused. Therefore they cannot be abused in AiTM attacks.

Two types of passkeys

Two types of Passkeys; device-bound and syncable passkeys. Device-bound is more secure because the key is stored and bound to a physical device.

Passkeys popup on Github, Paypal and 1Password. These are examples of syncable passkeys.

Microsoft currently only offers device-bound passkeys. This can be a FIDO2 key, or recently with their Authenticator app on Mobile. At first I thought this was quite odd, because during the process of the latter you need to scan a QR code and open it with the Authenticator app. So how does this prevent an attacker to provide a phishing QR code through a proxy? Well, the authentication device you scan the QR with needs to be in close proximity of the device that generates the QR code. This is also why you need to have Bluetooth enabled on your smartphone for this to work. And since this is still a Passkey authentication where the private key is needed for the authentication, phishing the session cookie has no use for the attacker.

The challenges

The downside to all of this is support. And that’s why I wanted to bring this topic to today’s Podcast.

  • Logging in from a desktop can be a bit awkward due to the QR code scanning process.
  • Bluetooth restrictions may apply in your company?
  • Break-the-Glass Storing physical keys in a safe require additional thoughts about the logistics of it
    • Take a look at OTP based MFA perhaps, but be aware of the additional dependency of “Entra ID MFA services”
  • iOS 17 - only one password manager. –> iOS 18 solves this!
  • Remote Desktop limitations
    • Especially on a Mac! :-( (no WebAuthN redirection)
    • Be careful with RDP from the Windows Store as well!

If you really need tight security where you want to check device compliance and risk status as well, you probably have a Virtual Desktop or equivalent solution setup of for externals. And there’s effectively no way to satisfy a Phishing-resistant MFA strength if they access this from a Mac…

Enable Passkeys for your organization

Build resilience with credential management

Simulate your own AitM attack with Evilginx

Enable passkeys in Microsoft Authenticator (preview)

Microsoft Entra ID FIDO2 provisioning APIs (preview)

Community Project - Maester

What is Maester?

Maester is a PowerShell based test automation framework to help you stay in control of your Microsoft security configuration.

Maester is built on the Pester framework - the team has put in a lot of work to provide an ‘easy button’, but allows you to create your own tests. Maester helps you monitor your Microsoft 365 tenant by running a set of tests to ensure your configuration is in compliance with your security policies.

Currently provides built-in tests:

  • Secure Cloud Business Applications (SCuBA) Security Configuration Baseline - CISA
  • Entra ID Security Config Analyzer (EIDSCA) - mapped to the MITRE ATT&CK framework.
  • Maester community tests (36)

Maester

Introducing Maester

Follow us on your favorite podcast platform or check us out on YouTube

01x00_boot_sequence.bat

Introducing the podcast and getting to know Chris & Koos, our backgrounds, interests etc. We also take a look ahead at our first episode coming soon!

Follow us on your favorite podcast platform or check us out on YouTube



TCA Podcast Episode 94: Clown Car!

It seems everyone is selling AI at the moment - how can we make the most of these technologies in a measured, controlled way without exposing ourselves to data leakage or other unintended consequences? In this episode we’re joined by Saaim Khan as we dive into some of the challenges faced by organizations rushing to adopt AI technologies. Saaim takes us through the role of governance in AI, the importance of a well-thought-out business case, and shares 5 simple questions to help you start taking control of your data governance.

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 93: Things that go bang!

Have you heard the story of malware that targets programmable logic controllers (PLCs) on industrial systems and causing fast-spinning centrifuges to tear themselves apart? How about the disgruntled employee in Australia who tampered with a supervisory control and data acquisition (SCADA) system and released 265,000 gallons (~1M l) of sewage from a waste management plant? In this episode we’re joined by Operational Technology (OT) Security expert Roger Hill as we discuss OT security, the convergence of OT and IT and how we can defend against OT / IOT attacks.

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 92: Dutch!

No language encryption here… In this episode we have the honor of sitting down for a late-night discussion with our Dutch friends Koos, Jeroen and Maarten. We really enjoyed their interesting and unique perspective on the global threat landscape and how the ransomware-as-a-service economy continues to grow. We also talk about cyber warfare, the challenge of attack attribution and share some practical guidance on how keep your organization secure.

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 91: Copilot is like a teenager

In this episode we welcome back a couple of our old friends Stephen Rose and Darrell Webster to talk about Copilot and AI - how useful or useless are these technologies and what does it take to get it to work as advertised. Our guest share some great insight on what is needed to make the most of AI and why so many organizations struggle soon after going all in. We each talk about our own favorite Copilot and how it has changed the way we work - and Warren has a conversation with ChatGPT about living on the moon.

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 90: Storyteller

In this episode we have the honor of being joined by Richard Campbell - an industry veteran and podcast legend who has recorded more than 3,000 episodes. Richard is a professional storyteller and we really enjoyed talking about a variety of things, including .NET, AI and even Windows on ARM.

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 89: Help us, help you!

Another in-person episode! We recorded this one at the MVP Summit in Redmond earlier this year and had a great time talking to Katie and Pablo about community as they introduced us to The Microsoft Security Customer Connection Program (CCP). Katie and Pablo help us understand the value the program provides to both Microsoft and its customers, how they gather feedback and what the requirements are to join the program.

Here are the links mentioned during the episode:

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 88: Data is the new oil!

In this episode we’re once again joined by Philip Miller to continue our AI discussion, and this time we also invited Todd Wright from Progress to discuss data and the importance of data accessibility and connectivity within AI. Generic large language models (LLMs) like ChatGPT are fun and all, but being able to leverage your own organizational data in a secure way to train models is where the real magic happens. AI is a long term program and not just a short term ‘one and done’ project. We discuss some practical guidance on how to make the most of your data and why data quality and governance are so important.

For more information on The Cloud Architects podcast, check us out on SoundCloud