Educause Security Discussion mailing list archives

Synopsis of M365 Users' Group and the June Session


From: John Ramsey <000001cd0b5a1098-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Fri, 18 Jun 2021 15:09:48 +0000

Good morning!

I want to thank those that could attend last week’s M365 user session.  We had 109 attendees.  We did record the 
session and it’s posted in the M365 Wiki that REN-ISAC set up for us (located at 
https://members.ren-isac.net/display/IG/M365.)  You have to be a member of REN-ISAC to access the M365 Wiki though.  If 
you are not a REN-ISAC member, please feel free to email me directly and I’ll provide a password protected link to the 
recording.  There were questions asked during the session.  After my signature block are questions with answers.  If 
you emailed me separately and I have not responded, please don’t hesitate to re-engage.

If you wish to join the users groups, send a subscription request from a .edu email address to m365-sec-join () lists 
ren-isac net<mailto:m365-sec-join () lists ren-isac net>. You don’t have to be a member of REN-ISAC to be part of the 
users’ group.  You just won’t have access to the REN-ISAC portal for the Wiki.   You should receive notification of 
your approval within a few days of the request.

Last note, July 16th is the next M365 users’ group session and we’ll discuss how to protect the domain controllers with 
Microsoft Defender for Identity (aka Azure ATP).  This is from 1:00-3:00 PM EST.

John

John Ramsey, Chief Information Security Officer
National Student Clearinghouse
Certified: CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220
Herndon, VA 20171
703.742.4428 | studentclearinghouse.org<http://www.studentclearinghouse.org>
LinkedIn<http://www.linkedin.com/company/national-student-clearinghouse> | Twitter<https://twitter.com/nsclearinghouse> | 
Facebook<http://www.facebook.com/NSClearinghouse> | Blog<https://www.studentclearinghouse.org/nscblog/> | 
Instagram<https://www.instagram.com/NSClearinghouse/>

Serving Education Since 1993

This message is proprietary to the National Student Clearinghouse, is intended only for the addressee and may contain 
confidential or privileged information. If you receive this message in error, please contact the sender and delete all 
copies.


There were a few questions in the M365 Users’ Group chat that I wanted to share with the group:

Is there a way to automate the soft delete of malicious emails in the Microsoft Defender (security.microsoft.com) 
Action Center?
There is not an automated way that I know.  I have provided feedback to Microsoft in their feedback feature that exists 
on every page.  Of critical note, Microsoft does actively look at their feedback.  For those items that they receive 
lots of feedback, I have seen them implement these features (quicker than most of us have experienced with Microsoft in 
other areas.)
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365?view=o365-worldwide

Is NSC running EDR in block mode with full automatic remediation on any critical servers?
Yes.  All devices (Windows 10, Windows Servers, Linux Servers) run EDR in automated block mode with automatic 
remediation.  NSC has run in this configuration for over 24 months.  We have not had a single issue where something was 
erroneously blocked or prevented.  NSC is more confident of having fewer issues on critical servers than on user 
endpoints.  NSC critical servers aren’t actively used via the Internet (such as web browsing or email) like a user 
endpoint is.

Is “Microsoft Threat Experts-Targeted Attack Notifications” enabled for respective tenants?
Microsoft indicated for tenants larger than 10,000 licenses with the E5/A5 licensing, this is automatically enabled.  
In the next few months, this is probably going to expand to include tenants with licenses over 1000 devices and then 
eventually to tenants licensed over 100 tenants.  You can click the “Apply” button under Microsoft 
Defender-->Settings-->Endpoints-->Advanced Features.  Scroll to the bottom, turn on “Preview” and then click 
“Apply”.  That at least puts your tenant in the waiting queue if for some reason Microsoft doesn’t enable all at once.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-worldwide#before-you-begin

Where does a tenant receive notifications about new vulnerabilities?
Go to Microsoft Defender-->Settings-->Endpoints-->Email Notifications.  Select “Vulnerabilities” and then “Add 
notification rule”.  Then follow the wizard.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications?view=o365-worldwide

How are you using Email & Collaboration section within Microsoft 365 Defender portal?
NSC maximizes every feature within Email & Collaboration.  Start by going to “Policies & Rules” under “Email & 
Collaboration”.  Then “Threat Policies”.  You have a few options:

  1.  Manually configure all the policies.  If you’re worried about your organization, this is the prudent approach.
  2.  Enable “Preset Security Policies”.  Microsoft has the best practices tied to this one setting.  You can enable 
this and then run the “Configuration Analyzer” to see if you should further fine-tune anything.
  3.  Select “Configuration Analyzer”.  Assess the recommendations and implement.

As far as NSC, we have everything enabled.  We run Configuration Analyzer quarterly to make sure we have not missed any 
new potential policies or recommendations.  One note, any setting that you have that is even more secure than the 
Microsoft setting will also trigger a recommendation.  I.e., Microsoft recommends a 30 day quarantine period.  We have 
reduced this to 15.  This flags as a recommendation.

https://security.microsoft.com/configurationAnalyzer?viewid=Setting
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide
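An added example, not part of John's message or of Microsoft's documentation: the two Email & Collaboration checks discussed above (are the preset security policies turned on, and is anti-spam quarantine retention at the tenant's own target rather than the 30-day baseline) expressed as an Exchange Online PowerShell audit, so the quarterly Configuration Analyzer pass can also run on a schedule. Assumptions: the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange or Security admin role; the 15-day retention target is NSC's figure from the message, not a Microsoft recommendation; the `-Fix` switch is this script's own and only changes retention, never the preset rules. The rule names "Standard Preset Security Policy" and "Strict Preset Security Policy" are the built-in identities, and they exist only after a preset has been turned on at least once.

```powershell
<#
 Added example (not from the original message). Audits preset security policies and
 anti-spam quarantine retention from Exchange Online PowerShell.
 Assumes: ExchangeOnlineManagement module, an Exchange/Security admin account,
 and that 15 days is the organisation's own retention target (NSC's value in the message).
#>
param(
    [ValidateRange(1, 30)] [int] $QuarantineDays = 15,   # Microsoft's baseline is 30; lower is stricter
    [switch] $Fix                                        # without -Fix the script only reports
)

Import-Module ExchangeOnlineManagement
# Interactive sign-in; for unattended runs use -AppId/-CertificateThumbprint/-Organization instead.
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Object, [string]$Value, [string]$Finding) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Value = $Value; Finding = $Finding })
}

# --- 1. Preset security policies -------------------------------------------------------
# EOP rules exist in any tenant with Exchange Online Protection; ATP rules need
# Defender for Office 365 P1/P2, so that call is allowed to come back empty.
$eopRules = @(Get-EOPProtectionPolicyRule -ErrorAction SilentlyContinue)
$atpRules = @(Get-ATPProtectionPolicyRule -ErrorAction SilentlyContinue)

if (-not $eopRules) {
    # The rules are created the first time a preset is turned on, so "nothing returned"
    # means neither Standard nor Strict has ever been enabled in this tenant.
    Add-Finding 'Preset policies' '(none)' 'never enabled' 'Turn on Standard or Strict once in the portal'
}
foreach ($rule in ($eopRules + $atpRules)) {
    $state = $rule.State
    Add-Finding 'Preset policies' $rule.Name $state $(if ($state -eq 'Enabled') { 'OK' } else { 'Disabled; review' })
}

# --- 2. Quarantine retention on the anti-spam policies you own --------------------------
# Policies created by the presets are locked, so they are skipped rather than edited.
$spamPolicies = Get-HostedContentFilterPolicy | Where-Object { $_.Name -notlike '*Preset Security Policy*' }
foreach ($p in $spamPolicies) {
    $days = $p.QuarantineRetentionPeriod
    $ok   = $days -le $QuarantineDays
    Add-Finding 'Quarantine retention' $p.Name "$days days" $(if ($ok) { 'OK' } else { "Above $QuarantineDays-day target" })
    if ($Fix -and -not $ok) {
        # QuarantineRetentionPeriod accepts 1-30 days; this is the only change -Fix makes.
        Set-HostedContentFilterPolicy -Identity $p.Identity -QuarantineRetentionPeriod $QuarantineDays
    }
}

$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Fix` and read the table before letting it change anything. As the message notes, a retention period shorter than Microsoft's 30-day baseline will still show up as a Configuration Analyzer recommendation, so a local target like this script's `$QuarantineDays` is the value to compare against, not the analyzer's. If you want the analyzer itself in script form, the community ORCA module (`Get-ORCAReport`) produces a comparable report, but that is a third-party tool, not the portal feature the message describes.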



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
