Information Barriers are an effective way to ensure that the wrong information isn’t used by Microsoft Copilot for Microsoft 365. Copilot only surfaces organizational data that users have minimum view permissions on. This is why it's important to use the permission models available in Microsoft 365 services and Purview technology, such as Information Barriers, to completely block access between certain user groups. This helps ensure that the right user groups have the correct access to the appropriate content within your organization when using Copilot.

Imagine another scenario where you want to prevent communication between different schools. This helps to protect their privacy and ensures that their personal information is not exposed to potential threats or unauthorized individuals. By using this technology, schools can demonstrate their commitment to protecting student information and providing a secure learning environment for all. With the rise of privacy concerns and the need to protect student information, it becomes necessary to implement Information Barriers to prevent these younger students from being searchable or visible in the school's system. By utilizing this solution, the school district can ensure that only authorized personnel can access student email addresses.

Creating a secure environment with Information Barriers

By implementing Purview Information Barriers, organizations can get a balance between technology-driven collaboration, privacy, and security. These barriers not only protect sensitive information but also foster a safe and secure environment for the users.

Understanding Information Barriers

It is crucial to understand the concepts underlying information barriers (IBs) to be able to use this solution in an effective and functional way. In short, information barriers are policies that block communication and sharing between what are called segments in an organization.
Segments are defined on user attributes, for example the Entra ID attributes “Department”, “Job title” or “City”. The policy blocking is supported in these workloads: Teams, SharePoint, and OneDrive. Information Barriers policies can block these kinds of actions between segments: IB uses policies to determine communication limits or restrictions between the segments. When defining IB policies, you can create two kinds of policies:

One-way blocking: For users defined in the “HR Segment”, the users and information in the “Day Trader Segment” won't be visible. But the users in the “Day Trader Segment” will see users and information in the “HR Segment”.

Two-way blocking: For users defined in the “Marketing Segment” and the “Day Trader Segment”, the users and information in each segment won't be visible to users included in the opposite segment.

Non-block: There is simply no IB policy block, and the users can communicate freely between the departments.

When IB policies are configured as above, this will be the outcome in Teams when searching for a user in a segment that is blocked.
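The three outcomes described above (one-way, two-way and non-block) can be modelled and reviewed before any policy is applied. The following Python model is an added example, not code from the article or from Microsoft: the users, the “Trading” and “Facilities” department values and all function names are constructed for illustration, and it follows the article's description of the rules rather than calling any Purview API.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Segment:
    name: str
    attribute: str  # directory attribute the segment filters on
    value: str

    def contains(self, user):
        return user.get(self.attribute) == self.value

# Constructed sample data, mirroring the segments named in the article.
SEGMENTS = [
    Segment("HR", "Department", "HR"),
    Segment("Day Trader", "Department", "Trading"),
    Segment("Marketing", "Department", "Marketing"),
]
# Assigned segment -> segments whose users and content it must not see.
BLOCKS = {
    "HR": {"Day Trader"},         # one-way: Day Trader has no policy against HR
    "Marketing": {"Day Trader"},  # two-way, together with the next entry
    "Day Trader": {"Marketing"},
}
USERS = [
    {"upn": "anna@example.test", "Department": "HR"},
    {"upn": "dev@example.test", "Department": "Trading"},
    {"upn": "mia@example.test", "Department": "Marketing"},
    {"upn": "temp@example.test", "Department": "Facilities"},  # in no segment
]

def segments_of(user):
    """Names of every segment whose attribute filter matches the user."""
    return [s.name for s in SEGMENTS if s.contains(user)]

def can_see(viewer, target):
    """False when a policy on one of the viewer's segments blocks the target's."""
    target_segments = set(segments_of(target))
    return not any(BLOCKS.get(v, set()) & target_segments for v in segments_of(viewer))

def relation(a, b):
    """Classify a segment pair as 'two-way', 'one-way' or 'non-block'."""
    ab, ba = b in BLOCKS.get(a, set()), a in BLOCKS.get(b, set())
    if ab and ba:
        return "two-way"
    return "one-way" if ab or ba else "non-block"

def audit():
    """Points to review: asymmetric blocks and users not in exactly one segment."""
    findings = []
    for a, b in combinations([s.name for s in SEGMENTS], 2):
        if relation(a, b) == "one-way":
            findings.append(f"one-way block between {a} and {b}")
    for u in USERS:
        n = len(segments_of(u))
        if n != 1:
            findings.append(f"{u['upn']} matches {n} segments")
    return findings

if __name__ == "__main__":
    by_upn = {u["upn"]: u for u in USERS}
    print(can_see(by_upn["anna@example.test"], by_upn["dev@example.test"]))
    print(audit())
```

In this model a user who matches no segment is covered by no policy, which is why the audit lists such users alongside asymmetric blocks.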
As the world becomes more digital, cyber-attacks are becoming increasingly common. Phishing attacks are a major concern for organizations. According to studies, phishing is the most common attack on many continents, and stolen credentials are the most common cause of data breaches. To make matters even worse, phishing attempts are the most expensive breach cause and can cost an organization $47 million. In fact, there were 323,972 users that fell victim to phishing attacks globally in 2021, and there are 3.4 billion spam emails sent every day.

So, how can organizations protect their employees from phishing attacks? One strategy is to implement the classic security features, and another is to test awareness and educate employees about the dangers of phishing emails. Organizations can lower their vulnerability to this form of attack by up to 70%, according to researchers. By doing so, you can also prevent the related expenses that come with phishing attacks.

Phishing training customized for your needs, using “Microsoft Defender for Office 365: Attack Simulation Training”, is a useful tool for training and educating employees on how to identify and report phishing emails. This training can be customized to suit the individual requirements of each company by using intelligent simulations that can be based on real-world phishing attacks. It has several features that are intended to make the training process as efficient as possible.

About Attack Simulation Training's features

The scheduling and automation features enable businesses to plan when to execute the phishing simulation and training. This is a useful tool for arranging regular activities, as simulations and awareness training are constantly required to train the company against phishing. Another important aspect is the ability to track results. Organizations can see how effective training is by tracking simulation and training results, and can customize future training accordingly.
It can also recognize repeat offenders and individuals who are more susceptible to phishing. With this solution your organization can train the awareness of these risky users with integrated nano or microlearning and interactive training courses. You can also add your organization's own training content. Microsoft provides analysis and reporting based on the results of simulations and training courses. This information keeps you aware of how your users' risk awareness is progressing and gives you a hint of the next actions to better prepare them for real attacks. Another crucial feature is the ability to import or customize genuine phishing emails and Microsoft Teams phishing chats for the payloads. This allows employees to be trained with the authentic look of phishing emails or chats used in the real world or discovered in their organization.

How to use Attack Simulation Training?

First and foremost, it is crucial to inform all necessary departments within the organization that a phishing simulation will be taking place. This includes the Security Operations Center (SOC), support department, and any other relevant teams. This allows these departments to prepare themselves and avoid unnecessary panic or confusion during the simulation.

Payload

There are some widely used terms in AST that we will cover here. We start with the term "payload", which refers to the link or attachment in a simulated phishing email that is presented to users. While the feature provides pre-built payloads that use various social engineering techniques, it is possible to create customized payloads that are better suited to your organization's unique requirements. This is how to create a payload in the MDO Attack Simulation Training: Click on the Create a payload icon to start the new payload wizard, select the payload type and choose the appropriate technique for your payload. On the Configure payload page, customize the settings based on the technique you choose.
This includes the sender details, attachment details (if applicable), phishing link, and common settings for all techniques, such as a suitable customized theme and type that fits your organization. You build the payload theme and type with HTML and CSS code. You can see a default payload example brought by AST itself on the next image. Because the default payloads tend to be of poor quality, creating your own customized payload is highly recommended.

Landing page

Landing pages are the web pages users see when they click the payload in a simulation. Landing pages are available in the Content Library: the Global tab has built-in landing page templates, while the Tenant tab has custom landing pages created by users. When creating a landing page you can build it with HTML and CSS using a code editor. There are also dynamic tags that allow you to insert user and payload details in the landing page and to provide information about the simulation and end-user training. See the green mark in the image below for a dynamic tag example. This dynamic tag will show the payload that is used in the simulation.

End-user notifications

Several end-user notifications can be used. Simulation notifications inform the user that they were participating in a phishing simulation. Positive reinforcement notifications are intended to inform and reward users for successfully reporting a phishing email. These notifications can take the form of badges or congratulatory messages and are aimed at motivating users to keep engaging in the simulations. There are also Training assignment and Training reminder notifications, two types of end-user notifications used to encourage and remind users to participate in the training courses. Start the Create new end-user notification wizard. On the Define details page, you can configure the Select notification type, Name, and Description settings.
Creating the notification works the same way as with the payload and landing page: you use HTML and CSS.

In conclusion, Attack Simulation Training is a crucial component of any organization's security solutions. It enables organizations to identify risky users and potential flaws in their processes, while also educating employees on how to recognize and respond to real-life attacks. Ultimately, investing in Attack Simulation Training can save organizations both time and money in the long run, while also ensuring the safety and security of their valuable data and assets.
If you're looking for a way to keep your organization's data organized and secure, you should definitely check out the Microsoft Purview Compliance: Data Lifecycle Management (DLM) solution. The DLM (formerly Microsoft Information Governance) solution offers a range of tools and features that provide the capability to manage regulatory, legal, and business-critical records, as well as disposition reviews and proof of disposition, for the legal and regulatory demands that exist, such as GDPR. By managing your content in this way, you can ensure that you are effectively meeting your business needs while also adhering to industry standards and requirements, and you will no longer need to manually ensure that the information is deleted on time. This post will show how to get started so you can keep your data safe and deleted in time.

Why is Data Lifecycle Management important?

It is important to remember that businesses of all sizes are vulnerable to security breaches and threats. Bad actors simply want to harm your business. As a business owner, it is your responsibility to protect the important data of your customers, employees, and stakeholders. By demonstrating good planning for information governance with DLM, you can show that you are a responsible business owner who cares about all parties involved in your business operations.
Retention Labels

Retention labels allow you to specify whether data should be retained forever or for a specific period if it is edited or deleted by users. Alternatively, you can configure the label to delete the content automatically and permanently after a specified period if it has not already been deleted. You can also retain an email or file for one year and then delete it, or use the Disposition Review function, where an admin needs to review all files that are ready to be deleted. The Disposition Review is recommended for the most critical information, to keep track of it and of when it should be deleted or relabelled. Retained means that the content is “in hold”, which prevents permanent deletion: if a user deletes a retained file, it will still remain available for eDiscovery. The majority of the time, users don’t even need to be aware that their data has retention settings. The retain setting is useful for content such as invoices and contracts that must remain for a certain time.

Retention Label Policy

Retention label policies play a crucial role in managing the lifecycle of data. These policies determine the scope in which your retention labels take effect and can be used for Microsoft 365 workloads such as Exchange, SharePoint, OneDrive, Teams, and Yammer. When setting up a retention label policy, you have the option to target all instances within your organization (e.g., all mailboxes and all SharePoint sites) or specific instances, for example only the mailboxes for certain departments or regions, or specific SharePoint sites.
Requirements before you start

Licensing:
M365 A5/A5 Compliance
M365 E5/E5 Compliance
M365 F5 Security+Compliance/F5 Compliance
O365 E5

For more detailed licensing info see: Microsoft Purview Data Lifecycle Management Licensing - Microsoft Learn

You must have the Data Lifecycle Management permissions when using this solution. Auditing must be enabled in order to manage disposition reviews and verify that records have been deleted. Before implementing this technical solution you need to make sure that you have a framework in place for how it should be managed, who owns which information, who will handle the disposition reviews, etc.

How to use Data Lifecycle Management

I will provide a simple example of how you can implement the DLM: Microsoft 365 solution in your company. The example will show a retention label with settings to automatically retain the files with the specific label and remove them after a specified amount of time has passed since the file was created. I have also added a disposition reviewer (DR) who will review each file that is scheduled for deletion. So, the label configuration will be as follows. This is just one example; in your organization, you must specify how your data should be managed.

In this stage, we choose the label settings that will allow labelled files to be retained for the amount of time that we set in the next step. Here, we select the retention period. As you can see, there are several settings available that you can use to customize the labels to fit your organization's needs during the configuration stage. The last step in the label configuration is to set a disposition reviewer who will handle all labelled files that are scheduled for deletion.

The following step is configuring the retention label policy, which will specify the scope of our label or labels. Here, we'll go with static, but you could also choose adaptive if you wish to base the scope on organizational attributes.
When we are using the static setting, we basically define the scope from Microsoft 365 locations and not from attributes as in the adaptive setting. The outcome of this configuration will be that all files in SharePoint marked with our retention label will now be retained for seven years from when they were created. They are then sent to the Disposition Reviewer, who will decide whether the data needs to be removed at that point. While using the static setting, a recommendation is to label the parent directory so that all files inside will be labelled automatically.
You will never have to manually manage and remove your data again if you use this solution. You can relax and let the DLM solution effectively manage everything in time. Feel free to contact me for more information!

Hardening - what is it and why should we take it seriously?

Let us begin with the basics: what is hardening, and why should we harden our systems? Hardening is the practice of improving a system's security by limiting vulnerabilities and minimizing its attack surface. The purpose of hardening is to lower the risk of security breaches and raise the Linux system's resistance to attacks. If your organization has systems that manage sensitive data, manage vital infrastructure, or are accessible via the public internet, you should pay special attention to this.

The hardening process

I would like to begin by stating the scope of this article series. I will be working on a Debian system, and I will skip the fundamentals of hardening and instead focus on a few specific in-depth hardening methods. The reason I chose to skip the fundamentals is simple: I prefer in-depth hardening, and there are numerous writings on the subject already available. I like to define the hardening process I use as being based on industry and federal standard baselines, as well as documentation from various community projects conducted by carefully selected competent individuals in this field. Here are some examples of general steps for hardening a Debian system:
What we will learn about here are some of the more in-depth steps to secure the Debian system:
According to this list, a blog article would be far too long to cover everything I want to include. As a result, I will divide the posts based on the in-depth points I made. That is why I call this article Part 0. Why do I begin with Linux Kernel Hardening as Part 1? Simply because it's one of my favorites. So, keep your eyes out for the Linux Kernel Hardening - Part 1 article, which will be published soon.

The biggest fear for the modern organization is that its data leaks and that its sensitive data gets stolen. Many organizations are struggling with how to manage their data because they don’t have a full understanding of the huge risks of managing the data incorrectly. Most data leaks are caused by human mistakes. An example of that is data exfiltration when users decide to use their own solutions instead of the solutions provided by the organization, and it can go on for a long time until it's noticed. Microsoft 365 Purview includes a tool to help organizations with this problem: Insider Risk Management. It helps organizations identify and minimize their insider risks.

Imagine your organization in this scenario: a disgruntled user downloads confidential or secret files from SharePoint or the local network and then leaks them to a competing organization or, even worse, to the public. The user had been planning the leak for months, used personal USB devices without authorization, and copied or mailed files to private spaces. This could be a disaster, but organizations can mitigate these risks. Insider Risk Manager can help you identify and prevent these types of malicious activity in quite an easy way.

How it works

Insider Risk Management allows you to easily analyze, detect and investigate user activities, and also helps identify malicious activities, potential risk areas, and the type and scope of Insider Risk Management policies you may want to configure.
(Figure 1)

Most policies work best if your organization is using sensitivity labels properly. You can also use Data Connectors to import user and log data from 3rd-party systems that help alert indicators in Insider Risk Management policies. One example is to import human resources (HR) data related to a change in a user's job, which is then used to generate risk indicators. Data Loss Prevention (DLP) policies are also supported to help identify exposure of sensitive information and are important for getting full risk management coverage in your organization. You can run an analytics scan to search across recent user activity in Microsoft 365 locations. It will show you potential risks and risk scores, and help you select a useful policy template such as “Data leak”, “Data Theft” or “Security policy violations” that can be configured to fit your organization’s tracking needs. You can choose what specific activities you want to analyze with Triggering events. Here are some examples:
Then it’s time to select the indicators that you want to use to analyze and what apps and devices to analyze. Some of these indicators are:
The results will be shown in an easy-to-use overview that allows analysts and investigators to dig into the collected data and start a case, review the cases, or review the individual alerts, which are ranked in severity levels: Low, Medium and High. (Figure 2)

Risk analysts can easily act on and escalate cases in Microsoft eDiscovery. To help meet privacy standards, all usernames are anonymized by default (Figure 3). This can be turned off in settings by some roles and is always logged in the Audit section.

How to get started
When you are going to use Insider Risk Manager, you need to have an existing Microsoft 365 Enterprise E5 subscription and use the role “Insider Risk Management Admin”. If you are later going to start an investigation in eDiscovery, you need the “Insider Risk Management” role. Everything is done from the Microsoft Purview Compliance portal. When a policy is being created, you define the conditions and indicators that should be used. To mitigate the scenario above, you can choose “Data leaks” and then specify users/groups, SharePoint sites, “Sensitive info” types and “Sensitive labels” to analyze. Triggers for policies can be specified by yourself, or you can use a “Data Loss Prevention” (DLP) policy.