September 2023 Newsletter
Cyber Insurance and Regulatory News
SEC and NCUA (for credit unions) are mandating 72-hour breach reporting processes. This puts even more importance on cross-company coordination of Incident Response Plans. Check out our Seven Steps for Successful Incident Response Tabletop Exercises.
We’ve heard from customers that their cyber insurer (Corvis) threatened to drop them because they have a Fortinet VPN. We’ve seen others reporting the issue Cyber Insurance Dropped due to Fortigate RAVPN : r/fortinet (reddit.com). See Cyber Insurance and Legal Advice for good preparatory practices.
What’s New in Microsoft?
Since Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements, Intune will end support for Android device management on devices with access to Google Mobile Services (GMS) in August 2024.
Starting this month, Intune will start to report any applications with SDK versions earlier than 17.6.1 on iOS/iPadOS 17 and later as non-compliant with Conditional Access. Organizations using the Conditional Access grant “Require App Protection Policy (APP)” must upgrade their iOS apps to the latest version prior to upgrading to iOS/iPadOS 17 to ensure applications continue to stay secure and maintain access to Conditional Access protected services.
Remote Help (Intune Suite feature) is available in public preview for Android Enterprise Dedicated devices from Zebra and Samsung. With Remote Help, IT pros can remotely view the device screen and take full control in both attended and unattended scenarios, to diagnose and resolve issues.
Group Policy Analytics is now generally available.
Using Proofpoint or Mimecast to send phishing tests? Exchange online protection (EOP)/Defender for Office 365 (MDO) customers who want to send phishing simulation emails need to configure advance delivery policy for optimal behavior. That way, emails that match your conditions are delivered unfiltered to the Inbox and that safe links time of click protection and post-delivery actions are disabled.
Microsoft released their debrief on what happened with the Exchange breach in July. A crash dump file containing a token key was exfiltrated by the attackers.
When September ends, MSFT is making a change to DMARC settings for enterprise customers. The default actions for ‘p=reject’ and ‘p=quarantine’ will be set to ‘reject’ and ‘quarantine,’ respectively. If you prefer to handle DMARC actions differently, you can modify the settings before the specified date.
Beginning in November, the ability to use Exchange DLP-related actions and conditions/exceptions will be removed from the mail flow rule. Use the Get-Transport Rule cmdlet to see if your organization has any existing mail flow rules that use these DLP actions or predicates. If you haven’t migrated to Unified DLP, migrate before mid-November, and then delete the Exchange DLP mail flow rules. To learn more about creating rules in DLP, see Create and Deploy a Data Loss Prevention Policy.
MSFT is introducing a new advanced capability for SharePoint Administrators to restrict SharePoint and OneDrive sites to specified users, using Microsoft 365 group or AAD security groups. Users not added in the specified group(s) will not be able to access the site even if they were previously granted site access.
By mid-September, you should see a new “Who can see this?” option in the file action menu in Microsoft Search in Office.com, SharePoint, and Feed. This will allow users to view and/or manage who has access to a file. Users can only manage file permissions if they are the owner or have permissions.
Users who turn off folder backup (also known as “PC folder backup” and “known folder move”) will have the option to restore the files back to their original location. Note: when a folder contains files stored only in the cloud, those files will not be moved; they will remain in the cloud.
When September ends, the “Create a list from CSV” feature will allow you to import data from a CSV file. To make source and destination lists look identical, use the “Export to CSV with schema” option.
By October, Organizational Leaders will soon see a refreshed Viva Insights homepage with content tailored to them. This update will only apply to organizational leaders who have already been assigned the Group Manager or Insights Business Leader role in Viva Insights (details can be found here).
The Topics app is available as a first-party “Microsoft-built” app. It’s in the app store for your tenant already, no upload or script downloading required. Users in your tenant can either easily ‘add’ the app, like other Microsoft-built or Viva apps, or the admins can pre-install the Topics app for users.
By now, Goals users will have the ability to export their OKRs into PowerPoint slides from the list and explorer views. Click “Export as PowerPoint” in Viva Goals to generate and customize a view of goal progress that generates a PowerPoint presentation for you to share and edit as needed.
Teams Phone (Direct Routing) users: on September 19th (starting at 9AM UTC), Microsoft will perform an additional 24-hour test where all Microsoft SIP endpoints will be switched over to use the new certificates. If your Session Border Controllers (SBCs) are not properly configured with the new Certificate Authority (CA), your Direct Routing incoming and outgoing calls will fail. How to prepare.
MSFT is currently rolling out a preview of a new Microsoft Teams desktop app for Mac to users in the Public Preview and Targeted Release programs.
By now, Teams Phone users who have set up call delegation will be able to see a Shared Line Appearance tab on the calls tab on Teams mobile app. The new UI will allow delegates to easily view the different delegator lines they manage (and their own delegates).
Teams phone users now have an option for a Voice over DECT phone.
Teams Phone users also now have an option for PAY AS YOU GO calling plans in the US. eGroup | Enabling Technologies can sell under CSP. This is a big moment for organizations who need to provide a phone number and people who don’t make very many calls. It’s $3/user/month, plus usage. This could be 50-75% cheaper than other calling plans. See Microsoft Disrupts UCaaS Market for details.
By mid-September, admins will be able to see real-time call analytics of users with Teams Premium licenses. Admins can proactively identify issues related to audio, video, content sharing, and network.
When September ends:
Teams Phone call delegates and delegators will see a refreshed, simplified UI in the Calls app, and the ability for delegates and delegators to join active calls, if permitted.
Two new list templates (Travel Requests with Approvals and Content Scheduler with Approvals) will begin to appear in the Approvals app in Microsoft Teams.
Teams Avatars will require boosted hardware and be turned on in the Teams Admin Center in order to work. Please refer to this guide to enable/disable the Avatars app for your organization.
Teams Panels will support reserving a room using a QR code, allowing users to book a room for meetings now, in the future, or add the room to an existing meeting by scanning a QR code on the scheduling panel and using the Teams app on their Android or iOS mobile phones.
Users will be able to initiate a self-service 60-day trial of Microsoft Teams Premium using their Entra ID credentials with payment information. They will generate usage signals for IT to identify users that would benefit from a paid Teams Premium license.
When users click on a link in a Teams message, Edge will open the web page and keep the Teams chat open in the sidebar (you may have noticed this happening with Outlook messages). To Choose which browser opens, use the Cloud Policy service for Microsoft 365.
Teams Cross Cloud Guest Access (CCGA) will extend existing Guest Access functionality allowing a user to participate in rich collaboration experiences in teams, channels, documents, and Teams meetings between tenants. When combined, tenants can enable trusts between tenants and between Microsoft clouds. Guests can participate in a full collaboration experience with audio/video, screen share, file share, and both 1:1 and 1:many chats. These features are enabled through the Entra ID B2B feature and the newly released Cross Tenant Access Settings.
Teams Cross Cloud Authenticated Meeting join (CCM) will allow a Teams user to join a meeting hosted in another cloud while signed into their account in their home tenant. This meeting can validate the identities of meeting participants without granting those participants any access to the host tenant. Client machines running Windows 10 must have KB5028166 installed.
By mid-October, Teams admins will soon be able to capture and redirect requests for external collaboration in shared channels. This will alert admins when users attempt to add an external member to a shared channel where B2B direct connect cross-tenant trust has not been mutually configured between the two organizations.
By October’s end, users can preview and play Stream videos directly in Teams Chat and Channel without having to open them in a browser and going to Stream.
A new Conditional Access capability is released. When a user registers a Windows 10 or newer device in Entra ID (formerly known as Azure AD), their primary identity can be bound to the device. This means that a policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs), are used by applications when requesting access to a resource.
Generally available as part of Microsoft Entra, accounts on macOS, iOS, and iPadOS can now support Apple’s enterprise single sign-on feature.
More than just Workday and SAP, Entra ID can take info from the HRIS as source of truth, then start to provision accounts into the directory. See more.
This tool provides tenant admins with a historical view of all the settings in the tenant including the change history over the years.
By mid-September, you will have new capabilities at hand to fine-tune whether emails coming in from outside your tenant should not allow reactions, whether all emails in your organization should not allow reactions, and users can decide if an email they are about to send should not allow reactions.
By 2024’s end, the Mail and Calendar apps for Windows will be replaced with the new Outlook for Windows, ending support for the Mail and Calendar apps for Windows.
The existing Workflows app and the Power Automate app will merge, and the Power Automate app will have a change in name… to “Workflows.”
The Guest Reviewer feature which has been in Public Preview is now generally available. Once this feature is turned on, eDiscovery managers will be able to invite a guest user to a specific eDiscovery case through Case settings > Access & Permissions page.
Now in Public Preview, you can provide DLP investigators the option to download the full file from SharePoint and/or OneDrive for Business that resulted in a DLP policy match. To download the file, Navigate to the Alerts details tab in the Purview Compliance portal or Defender portal.
When September ends, when default labeling of files is enabled in Word, Excel, and PowerPoint (365 Apps for Windows), a default sensitivity label is applied to any unlabeled document when it is saved.
When September ends, you’ll notice detection and classifying times for sensitive content shared via Teams. Users will see less latency between detection of policy violations and enforcement of defined policy actions (i.e., delaying or blocking sensitive content).
By mid-October, the Content Explorer Export feature will be improved to allow admins to use a new cmdlet within the Security & Compliance PowerShell, Export-ContentExplorerData, to export all rows of data for the content that are scanned and shown on the Content Explorer.
By October’s end, Optical Character Recognition (OCR) support will extract text from images and help discover and protect sensitive data in images being shared and stored in SharePoint Online, OneDrive for Business, and Windows PCs. OCR support on Exchange online and Teams is still in public preview.
By mid-November, users can access the Microsoft Purview compliance portal to check who has tried accessing their files that have sensitivity labels and/or are encrypted, and revoke access when needed. The Microsoft Purview Information Protection Tracking and Revocation feature will be turned on by default. To disable the feature, use the Disable-AipServiceDocumentTrackingFeature commandlet.
Coming soon to general availability, a Purview Data Loss Prevention (DLP) capability that will show you the exact cause of a flagged DLP policy violation. It will show matched conditions across workloads (Exchange, Teams, SharePoint, OneDrive, Endpoint), rules, and conditions.
The product name is changing from Defender for Office 365 to Defender for Collaboration.
When September ends, subscribers of Defender for Collaboration plan 1 or plan 2 will enjoy the added benefit of Microsoft human analysts reviewing the results of end-user reported messages on the User reported tab of the Submissions page. This will happen when you have configured “Send reported messages to Microsoft only” or to “Microsoft and the reporting mailbox.” Human graders confirm whether messages are malicious, spam, or clean.
When September ends, MSFT will update how tenant and user “allows” are handled in the filtering stack to provide more controls for the admins and ensure that users are better protected. You may see some changes in the ordering and thus items may be junked/quarantine which were previously allowed.
Zero Hour Auto-Purge for Teams is available for internal Teams messages that are identified as malware or high confidence phishing. (Currently, external messages aren’t supported).
When September ends, Defender for Identity reports will be moved to a new location in the Microsoft 365 Defender portal – in the main menu, in the Reports area, under Identities.
Beginning next month, customers of Microsoft 365 E5 can leverage real-time device discovery, continuous monitoring, and vulnerability management capabilities for up to 5 IoT devices per E5 user license. IoT devices like printers, scanners, cameras, Smart TVs, and VoIP phones can be protected.
Microsoft will retire Stream (Classic) on April 15, 2024. End users will be blocked from uploading new videos to Stream (Classic) on September 15, 2023. End users will not be able to access Stream (Classic) at all after October 15, 2023, unless you delay this change in the Stream (Classic) admin center.
Python in Excel will bring the capabilities of Python directly into the Excel grid. In Public Preview, users with access to the Microsoft 365 Insiders program Beta Channel will be able to add Python formulas into their workbooks without any installation required. Formulas will be run by Excel in a secure container on the Microsoft Cloud with enterprise-level security as a compliant M365–connected experience.
To save costs, consider the following:
Keep Microsoft Sentinel data in hot storage for 90 days, using Kusto Query Language (KQL) queries for detections, hunting, and investigation. Use Microsoft Azure Data Explorer for warm storage and Microsoft Azure Data Lake for cold storage and retrieval for up to two years.
Refine detection definitions to include suppression logic when notification isn’t required and aggregation logic to ensure that similar and related events were grouped together and not surfaced as multiple, individual alerts.
Check out other cost-savings ideas at How to Save on Sentinel’s Recurring Costs.
What’s New in the Data Center?
Windows Server customers should heed this information. Updates from November 8, 2022, and later include changes that address security vulnerabilities affecting Windows Server domain controllers (DC). Among the addressed vulnerabilities is a Kerberos security bypass and elevation of privilege scenario involving alteration of Privilege Attribute Certificate (PAC) signatures. Changes to address this issue have been released following a series of phases throughout 2023 and are reaching the final stage of enforcement in October. All domain-joined, machine accounts are affected by these vulnerabilities. For details on configuring these security requirements in your environment see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.
The FBI has recommended that Barracuda customers remove all ESG appliances.
Cohesity released their Fort Knox Vault Service on Azure. Customers can now use the award-winning as-a-service cyber vaulting capabilities of FortKnox to isolate an immutable copy of critical data and applications across multiple clouds in a Cohesity-managed cyber vault in Microsoft Azure. Read more.
Nutanix released its GPT-in-a-Box to address the complexity, scaling, and security challenges that enterprises face when adopting generative AI/ML applications. Nutanix GPT-in-a-Box is a full-stack, software-defined AI-ready platform with services to simplify initiatives from edge to core. See more.
Cisco announced End-of-Sale and End-of-Life Announcements for the HyperFlex Data Platform (HXDP) Software – Cisco. Cisco and Nutanix have partnered to bring Nutanix Hyperconverged Software on Cisco Hardware. You can migrate from the existing HyperFlex solution to Cisco Compute Hyperconverged with Nutanix solution with qualifying M6 hardware.
Contact our team of experts today to see how these updates may impact your workflow or organization!