Watch Quisitive Director of Security and Compliance Solutions and Security Office Leader Ed Higgins, along with Critical Start CTO Randy Watkins, as they discuss 5 priorities for security teams to reduce risk.
In this on-demand webinar, we'll cover:
- Framework Alignment: Achieving seamless alignment with industry-standard security frameworks is essential to fortify your organization's security posture. Yet, it can be an intricate puzzle that demands your attention.
- Simplifying Security Architecture: Complexity can be your worst enemy in the quest for an efficient, adaptive, and effective security infrastructure. Simplification is the key to unlocking its true potential.
- Endpoint Security: With the rapid rise of remote work and a sprawling network of endpoints, securing each device is paramount. Endpoint security is now your front line of defense.
- Vulnerability Management: In a landscape where threats continuously evolve, identifying, prioritizing, and mitigating vulnerabilities is a perpetual endeavor. The success of your strategy hinges on how adeptly you manage this process.
- 24x7 Monitoring Capabilities: The realm of cyber threats knows no downtime. Establishing vigilant 24x7 monitoring capabilities is no longer a luxury but an imperative for early threat detection and rapid response.

In today’s digital landscape, where cyber threats loom larger than ever, preventing cyberattacks is a top priority. Safeguarding your business from data breaches, cyberattacks, and security incidents is paramount. As the guardians of your company’s technology infrastructure, you are responsible for protecting sensitive information, ensuring operational continuity, and maintaining customer trust. That’s where Managed Detection and Response (MDR) services come in.
In this blog post, we’ll explore the benefits MDR services bring to your organization, so you can make informed decisions that improve your cybersecurity posture, aid in cyberattack prevention, and ultimately enhance your business outcomes.
1. Proactive Threat Detection and Rapid Response:
Cybersecurity is constantly evolving. MDR combines automation with human analysts to take an around-the-clock, proactive approach to cyberattack prevention, monitoring your network, endpoints, and cloud infrastructure for signs of suspicious activity or potential threats.
An example of this proactive approach is an immediate alert when a document containing sensitive information is shared, even if the file is stale. Once the automated system detects the behavior, it routes the alert to an analyst, who resolves the matter before any harm occurs. By combining these technologies with threat intelligence, MDR teams can quickly identify and mitigate emerging threats, so that security incidents are contained and neutralized before they cause extensive damage.
2. Around-the-Clock Security Operations:
When clients asked if we could monitor them around the clock, the answer was always “No”, until now. We now offer security operations centers in the US that are fully staffed 24/7, every day, including holidays.
This approach allows us to always have an expert analyst in the chair promptly responding to alerts and threats around the clock. Your information assets are continually monitored for any sign of bad behavior. This means you can rest easy, knowing that there’s always a team of experts diligently watching over your systems and responding promptly to any security events.
3. Access to Cutting-Edge Technologies and Expertise:
Managing cybersecurity internally can be daunting, requiring significant investment in infrastructure, tools, and talent. That is what makes our partnership with Critical Start so valuable. Critical Start has been a leader in advanced security operations since 2015 and is a Microsoft partner, so the service integrates with the Microsoft software you already run.
MDR implements, optimizes, and helps customers get more out of Microsoft investments such as Microsoft 365 E5, Azure Purview (now Microsoft Purview), Azure Sentinel (now Microsoft Sentinel), and Microsoft Security Center, in effect adding an operational layer on top of the licenses you already own. This combination of leading platforms delivers advanced threat detection, threat hunting, incident response best practices, and cyberattack prevention, all without the burden of building and maintaining an in-house security operation.
4. Improved Incident Response and Remediation:
When a security incident occurs, time is of the essence. That’s why our service-level agreement commits to a 1-hour time to detection and resolution within 1 hour. Regardless of when an alert arrives, it gets an expert’s attention within 1 hour, so your digital assets always receive a rapid response to incidents.
On top of this, our clients have full visibility of every alert and activity, giving a comprehensive view of the threats facing the company. You always stay in the loop about your company’s security, and we always respond to cyber threats without delay. These practices minimize the impact on your business operations and reduce downtime.
5. Enhanced Compliance and Regulatory Adherence:
In an era of increasingly stringent data protection regulations, compliance is no longer optional. MDR services can play a pivotal role in helping your organization achieve and maintain compliance with regulations such as GDPR, HIPAA, and PCI DSS. By aligning their processes with regulatory requirements and providing the evidence and documentation auditors expect, MDR providers help you demonstrate your commitment to data security and regulatory adherence.
6. Risk Reduction and Business Continuity:
A successful cyberattack can lead to severe financial losses, reputational damage, and operational disruptions. MDR services offer a proactive defense strategy that significantly reduces your risk profile and aids in cyberattack prevention. By quickly identifying vulnerabilities, implementing preventive measures, and fortifying your security defenses, MDR providers enable you to safeguard your business continuity, protect your critical assets, and ensure uninterrupted service delivery to your customers.
Protect Your Business with Spyglass MDR
With Spyglass MDR we implement, fix, improve, and offer 24/7 monitoring. This is a total solution. Additionally, we can have a client receiving full 24x7x365 monitoring in 7-14 days. Embracing MDR services empowers your business to stay one step ahead of malicious actors, ensuring that your digital infrastructure remains secure, your operations run smoothly, and your customers trust you with their sensitive information. So, make the strategic decision today and unlock the power of MDR services to elevate your cybersecurity posture and achieve greater business success.
Remember, cybersecurity and cyberattack prevention is not just an IT concern; it’s a fundamental business imperative.
Stay secure and vigilant by contacting our security experts today about Spyglass-MDR.
Discover how to make the most from your security investment and protect your data all in one place using your Microsoft technology stack.
Making the Most of Your Security Investment
Quisitive Security and Compliance experts will show you how to leverage powerful tools like Microsoft Defender, which provides a comprehensive suite of threat protection capabilities, as well as Security Information and Event Management (SIEM) with Sentinel. You’ll also learn how to protect your data with features like Azure Active Directory Premium, and how to use Microsoft Purview to better manage and protect your data at scale.
This on-demand webinar covers:
- Consolidation of security tools
- The Microsoft Defender product line for Windows and Endpoints
- Security Information and Event Management (SIEM) with Sentinel
- Data protection with Microsoft Purview
- Azure Active Directory Premium features
Microsoft Defender for Cloud provides recommendations on various items related to Azure resources (and to on-premises resources onboarded via Azure Arc). For example, one recommendation type focuses on vulnerabilities that may exist on virtual machines (VMs). Microsoft provides two built-in vulnerability assessment solutions for VMs.
One is “Microsoft Defender vulnerability management,” and the other is the “integrated vulnerability scanner powered by Qualys” (referred to from here forward as “Qualys”). Microsoft includes both solutions as part of Microsoft Defender for Servers. In addition, Microsoft has made “Microsoft Defender vulnerability management” (referred to from here forward as “Default”) the default vulnerability scanner. These two options are shown below in Figure 1.
Figure 1 : Vulnerability assessment solutions currently available

My recommendation?
I recommend using the Qualys scanner instead of the Default vulnerability scanner. This is because the Qualys scanner looks for more vulnerabilities, resulting in a more complete result.
If you want to go further into the weeds from what I found, feel free to continue reading through the functional comparison, FAQ, and Reference Links sections below.
Functional comparison:
- When comparing a similar system in both scanners, the Qualys scanner identified significantly more vulnerabilities than the Default scanner.
- The Default scanner currently focuses only on missing software updates, whereas the Qualys scanner also flags configuration issues such as null sessions, built-in guest accounts, Windows Explorer AutoPlay, and cached logon credentials.
- In my example, the Qualys scanner found 8x as many vulnerabilities for a similar domain controller compared to the Default scanner.
- Both solutions are included in Microsoft Defender for Servers, so they currently have no cost difference.
FAQ’s:
- Do these scanners identify the same vulnerabilities? There is some overlap, but each scanner appears to draw on its own vulnerability database.
- Can you use both vulnerability scanners on a single system? Unfortunately, only one vulnerability scanner can be installed at a time on a system. However, one vulnerability scanner can be used and then removed and replaced with the other vulnerability scanner. An example of these scanners and what they look like after deployment is shown in Figure 2.
Figure 2 : Two machines with one onboarded to each vulnerability scanner.

- Do the scanners use the same vulnerability identifiers? No. Each uses its own naming convention: Default uses letter codes such as “QXCJCS”, whereas Qualys uses numeric IDs such as “90044”.
- Does using one scanner versus the other impact the secure score? Having either vulnerability scanner is considered acceptable to meet the “Machines should have a vulnerability assessment solution” requirement. However, the various vulnerabilities found by each scanner also need to be resolved to increase the secure score. So the more comprehensive scanner (Qualys) will require more work to remediate the issues identified and improve the secure score.
- Is there a way to see a complete list of what each scanner assesses? Unfortunately, I could not find a way to get a complete list of what each scanner checks. I attempted to find this data through searching with Kusto but was unsuccessful. (Hint: search for securityresources | where type =~ "microsoft.security/assessments/subassessments".)
- When was this assessment performed? I performed this evaluation on the week of 1/23/23.
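The hint in the FAQ points at the right table. The Azure Resource Graph query below, added here as an example and not part of the original post, takes it one step further and counts the open findings each scanner has raised per machine, which is the practical way to reproduce the 8x comparison described above. It lists findings a scanner actually raised on your machines, not every check the scanner is capable of, so it does not answer the "complete list" question. The two assessment keys are an assumption taken from Microsoft's documented vulnerability-findings export query; verify them in your own tenant before relying on them. Note also that Microsoft has since retired the integrated Qualys scanner in Defender for Cloud (2024), so on a current tenant only the Default rows will appear.

```kusto
// Added example (not from the original post). Counts open vulnerability findings
// on each machine, grouped by the scanner that raised them, via Azure Resource Graph.
// ASSUMPTION: the two assessment keys below are the ones Microsoft's documented
// findings-export query uses for the Qualys and Defender Vulnerability Management
// assessments; confirm them in your tenant (the key is the GUID in the assessment ID).
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| extend scanner = case(
      assessmentKey =~ "1195afff-c881-495e-9bc5-1486211ae03f", "Qualys",
      assessmentKey =~ "ffff0522-1e88-47fc-8382-2a80ba848f5d", "Default (MDVM)",
      "Other")
| where scanner != "Other"
| extend resourceId = tostring(properties.resourceDetails.id)
// last path segment of the VM or Arc machine resource ID is the machine name
| extend machine   = extract(@"/([^/]+)$", 1, resourceId)
// finding ID shows the differing conventions: numeric Qualys QIDs vs. MDVM letter codes
| extend findingId = tostring(properties.id)
| extend severity  = tostring(properties.status.severity)
// keep only open findings; Healthy/NotApplicable rows are not work to remediate
| where tostring(properties.status.code) =~ "Unhealthy"
| summarize
      findings       = count(),
      highOrCritical = countif(severity in~ ("High", "Critical")),
      sampleIds      = make_set(findingId, 5)
  by machine, scanner
| order by machine asc, scanner asc
```

Run it in Azure Resource Graph Explorer in the portal, or from PowerShell with Search-AzGraph from the Az.ResourceGraph module; you need Reader access on the subscriptions in scope. Comparing the findings column for a machine before and after swapping scanners gives the per-machine count difference, and the sampleIds column puts the two identifier conventions from the FAQ side by side.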
Reference links:
Qualys usage is included per this article: Defender for Cloud’s integrated vulnerability assessment solution for Azure, hybrid, and multicloud machines | Microsoft Learn
So, what is your experience with these options? Do you have any insights that you can provide? Please feel free to reach out to me with them on LinkedIn or Twitter!
Happy October and Happy Halloween! Since October is Cybersecurity Awareness Month, I made a personal commitment at the beginning of the month to post at least one tweet per day on the topic of security tips, awareness, and/or guidance. I had some fun with this, waking up every morning and thinking, “What helpful thing could I offer today?”
I hope that these little bits of security awareness tips and guidance can help colleagues, friends, customers, and casual passers-by. As you’ll soon see these tips span across the main tenets of information security including Identity, Data, Device, Application, and Access.
Let’s jump into our cybersecurity awareness tips!
#1: Use Passphrases instead of passwords
A passphrase works like a password but is longer, which makes it harder to crack while still easy to remember!
“Apitsaap,bhtc,wetr”! <— Here’s one made from the sentence above!
#2: Multi-Factor Authentication
Does your company use multi-factor authentication (MFA) to protect user accounts? You should!
Microsoft says 99.9% of the account-compromise incidents it has dealt with could have been blocked by MFA. It works!
#3: Don’t reuse passwords
Do you reuse the same password for all of your accounts? Don’t do that!
Create unique, complex passwords for each of your accounts, use a good password management tool (e.g., 1Password, LastPass, or other) to manage them.
#4: Consider password-less authentication
Did you know that password-less authentication greatly improves user experience and security, and eliminates password-based threats? Password theft isn’t possible with password-less authentication because passwords are no longer part of the equation.
#5: Don’t forget to look at where your email is coming from.
When reading or responding to email, slow down! Check the sender’s address and hover over any links in the body to see where they really go before opening attachments. Even then, if an email looks strange (especially one that appears to come from a coworker or boss), call them!
#6: Use PIM and MFA to protect privileged user accounts
Protect privileged accounts by implementing PIM (Privileged Identity Management) and MFA (multi-factor authentication) for all admin accounts, so that admin rights are granted just in time rather than held permanently. It pulls the rug out from under privilege-escalation and lateral-movement attacks, and it’s good practice. Ask us how!
#7: Avoid public USB charging stations
Be careful when charging your phone and devices on public USB charging stations because your data can easily be exploited. It’s called juice jacking. Get a USB data blocker to isolate your data from the charging station.
#8: Use RFID Blocking Sleeves on your cards
Always keep your contactless credit cards in RFID-blocking sleeves or a wallet with blocking built in. Bad guys can read card data just by walking beside you; it’s called RFID skimming. Sleeves and RFID wallets prevent this.
#9: Keep your devices up to date
Keep your devices updated to the latest patch levels. You can set auto updates for your personal devices. Your work may have a different process. The more vulnerabilities you have, the bigger the target you become.
#11: Zero Trust
Did you know that password-less authentication, device management, removal of legacy authentication protocols, and risk-based Conditional Access policies work together to improve user experience, strengthen security posture, and apply Zero Trust principles?
#12: Be wary of unprompted calls from the bank
Picture this: The bank calls and asks you to confirm the 6-digit code in the text message your phone just received. But you didn’t do anything that would have triggered the bank to send the code.
When you receive a call like this, hang up, call the bank back on the number printed on your card, and reset your password immediately. That caller? A bad actor, NOT the bank. Your password was compromised, and the bank’s MFA saved you! #Security
#13: The cloud is more secure than a traditional data center
Your users, data, apps, and IT infra are more secure in a properly configured cloud, like Microsoft 365, Azure, or Dynamics 365, rather than your data center. We can help you envision it, see it, biz-justify it, and execute!
#14: Read closely and stay alert!
Sometimes, lessons are learned from our failures. I clicked! I was caught by a simulated phishing test my company ran. Even we pros fail! The message: a link to an internal SharePoint site, something I see routinely. Be sure to read messages and sender addresses closely for signs of malintent.
Learn to spot phishing emails: Subtle things like a misspelled domain in the sender’s address or link, poor grammar in the body, and aggressive wording to get you to click. The better you spot phishing, the less you’ll fall for it.
#15: You don’t have to answer to anyone you don’t know
Be aware both in and out of work regarding conversations by email, phone, or in-person where you’re asked for detail outside of your area of responsibility. Remember, you DON’T HAVE to answer to anyone you don’t know.
#16: Make sure you’re properly managing your client’s sensitive data
Did you know that an email or file containing credit card details, a spreadsheet of clients’ card numbers, or equivalent data sitting unprotected on your systems violates PCI DSS? Your business can be barred from accepting credit cards as a form of payment.
#17: Be careful with the information you share online.
If you’re a C-level exec who’s traveling, going on vacation, or attending a special VIP event, try not to tweet about it so much! Bad guys use this intel to conduct fraud, fake wire transfers, and impersonation attacks against your company.
#18: We’re all part of the solution! Learn how you can help protect yourself and your company.
I suggest you view this very insightful short video entitled, “Can you recognize the 7 stages of a cyberattack?”
We are all part of the cybersecurity solution! Watch here: http://ow.ly/pYrq50LbOz1
#19: Do your research when choosing a VPN
A VPN is only as trustworthy as whoever runs it. If the bad guys host it, they can see everything you send through it.
Be careful when choosing a personal VPN (free can be costly). Best to use only VPN services provided or approved by your company.
#20: Leave stray USB sticks where you find them!
Find a USB thumb drive on the ground in your workplace parking lot? Don’t plug it into your PC!
Sure, you’re curious to see what’s on it. Exactly what the bad guys want. Plug it in, and presto! The bad guy is in! Like a teleporter for malware.
#21: There are ethical hackers out there that can test your corporate environment
According to a SANS Institute survey, around 40% of ethical hackers (the good guys) say they can break into most, if not all, of the environments they test, and nearly 60% said they need less than 5 hours to break into a corporate environment once they find a weakness.
#22: Know where to find news on data breaches in healthcare
If you’re in healthcare, listen up. Did you know that a breach of unsecured protected health information (PHI) affecting 500 or more individuals must be reported to the US Department of Health and Human Services (HHS) within 60 days of discovery, and lands you on the HHS breach portal, known as the “wall of shame”?
Check it out here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Also, with curiosity to see the patterns, I quickly created a PowerBI report to visualize the entire historical record of HHS reported breaches of all types from 2009 through 2022. Yikes!

#23: Microsoft Sentinel
Great to see the results of Microsoft’s dedication, rigor, investment, veracity, and excellence in cybersecurity pay off. Look where Microsoft Sentinel landed on Gartner’s SIEM Magic Quadrant.

#24: Don’t give out your password or pin – even if it looks like your bank is asking!
Neither your bank nor your IT department should ever ask for your password or PIN. These are “something you know”, meaning only you. Be concerned, and don’t give in, if anyone ever asks for your password or PIN.
#25: Microsoft Purview Information Protection
Did you know that with Microsoft Purview Information Protection, you can automatically tag (classify) and protect (e.g. restrict exfil, encrypt at rest, restrict display, etc.) any sensitive data in your enterprise?

#26: Be aware of non-technical security
Incident Response is more than just technology solutions. That’s one part.
Other parts include non-technical things: who’s your team, who does PR, when to bring in your legal team, do you practice, etc? Ask us!
#27: Use an Incident Response Framework
Here’s a good overview of the two most common Incident Response frameworks, NIST and SANS Institute. We help clients choose a framework that fits best, then implement, test, and learn. Check it out here: 2021 Incident Response Steps for NIST and SANS Framework | AT&T Cybersecurity (att.com)
#28: Check to see if you’ve been subjected to a data breach
Data breaches happen, sadly, much too often. Ever wonder if your email address (commonly User ID) or phone were among the breached data? Well, check this tool out: HaveIBeenPwned.com
This great website helps us all stay alert!
#29: Encrypt your WiFi
Work from home? You may think encrypting your home Wi-Fi is unnecessary. You’ve got nothing to hide, right? Think again! Your home Wi-Fi can be a “bad-guy pipeline” to your work via your home PC. Encrypt your Wi-Fi with WPA2 at a minimum (WPA3 if your router supports it), and use a strong, unique passphrase.
#30: Cybersecurity awareness training
Does your company do cybersecurity awareness training? Does it periodically phish test to see who reports or who clicks? It should! We do at Quisitive. We learn and develop muscle memory to spot these better and faster. Ask us!
#31: Make sure you trust the apps you’re downloading to your phone
Be leery of installing any apps on your smartphone that come from random websites, email links, or Facebook ads rather than the official app store. Bad actors often bury data-stealing malware inside benign-looking utility apps. Be careful!
Bonus: Keep personal information safe
If you must store sensitive personal information (PII, PHI, PCI), then properly protect it: classify, encrypt, limit access, and properly dispose of it when it’s no longer needed.
Bonus: Learn to spot phishing attempts
Worth repeating since 90% of all data breaches have a phishing component. Learn to spot phishing: misspelled domain in sender’s address or link, poor grammar, aggressive wording. Get good at it!
Learn more with this article from the IAPP.
Cybersecurity awareness is incredibly important.
If you need assistance with your business’ security strategy, Quisitive can help. Explore our Security and Compliance services.
Until next time,
Ed
In this case study:
Industry: Professional Services
Products and Services: Spyglass Security and Compliance
Country: USA

Background
An architecture and engineering firm was looking for a way to improve their security posture using the security tools they already owned in their Microsoft tenant. With customers in the public and private sector requesting security compliance assessments and surveys, the firm needed well-defined security procedures to demonstrate a sound and operational security posture.
With Quisitive’s help, the firm’s IT team defined clear security and compliance solutions and procedures aligned with their business needs. Quisitive reduced the number of vulnerabilities and strengthened the firm’s overall security posture, lowering the likelihood of future breaches.
Challenge
The firm’s chief information security officer (CISO) and IT team could not always keep up with customers’ security compliance assessments and surveys, and they lacked the time and resources to audit their own security landscape. Quisitive conducted an Office 365 security assessment, which revealed a number of weaknesses, including impossible-travel sign-ins by VIP-level users, a high volume of phishing attacks against end users, and an excess of admin accounts and shared service accounts. Within one week of Quisitive’s findings, the firm committed to a 3-month Spyglass trial in which the Spyglass team rolled out advanced Microsoft security features.
The firm was then asked to update its board and senior leadership on the status of its security posture, its planned direction, and the steps being taken to improve it. Quisitive helped the CISO build a progress report in nontechnical terms using Microsoft tools and Spyglass dashboards.
Solution
After the Office 365 security assessment and the 3-month Spyglass trial, the firm signed on to Spyglass as a full-time customer. During this time, Quisitive worked with the firm to evaluate its existing security and compliance policies, close security gaps, and adopt NIST Special Publication 800-53 to satisfy customers in the public and private sectors.
Six months after implementing Spyglass, Quisitive helped double the firm’s Microsoft Secure Score, reduce the number of impossible travel events by 50%, reduce the number of unfamiliar login locations by one-third, and automatically remediate over 30,000 phishing attempts.
Quisitive also helped cut global admin and service accounts by 50%, cut sensitive data stored in Office 365 by one-third, cut stale externally shared files by 50%, and reduce the number of files being shared with personal emails to zero. Overall, end-user adoption of new security features increased to over 90%.
When the firm’s chief information security officer was asked to report on the firm’s security posture, he was able to pull key metrics from Microsoft’s Security & Compliance Center and Spyglass dashboards to demonstrate, quarter over quarter, incremental and steady progress and give insight into the near-term risk reduction work that was being done.

Ensuring the security of your environment doesn’t have to be complex to be effective. In a traditional disparate security environment, you have many tools that you have to hook up together to work appropriately. An integrated security environment is much easier to manage.
Download the infographic to compare two different security environments and see which one works for you.
Quisitive is an award-winning Microsoft Solutions Partner


About Quisitive
Quisitive is a premier, global Microsoft Partner that harnesses the Microsoft cloud platform and complementary technologies, including custom solutions and first-party offerings, to generate transformational impact for enterprise customers. Quisitive has consistently been recognized as a leading Microsoft Partner with 16 Specializations and all 6 Solution Partner Designations. Quisitive’s Microsoft awards include the 2023 US Partner of the Year Winner for Health and Life Sciences, 2023 US Partner of the Year Winner for Solutions Assessment and 2023 US Partner of the Year Finalist for the Industrial and Manufacturing vertical.


In this case study:
Client: Dematic
Industry: Manufacturing
Products and Services: Microsoft Azure, Microsoft Defender for Cloud, Azure Firewall, Azure Front Door, Azure DDoS Protection, Azure API Management, Azure Web Application Firewall
Country: USA

About Dematic
Dematic helps keep the world moving. Part of the KION Group, the Atlanta-based company designs, builds, implements, and supports automated system solutions that optimize the supply chain. As it creates these customized solutions to maximize efficiency for customers, Dematic needs a robust, efficient, and flexible security solution to protect sensitive client information and services.
Delivering highly secure supply chain services
Dematic takes pride in its position as a leading supplier of integrated automated technology software and services for warehouses, distribution centers, and production facilities. It has installed more than 6,000 systems of all sizes and levels of complexity, from lower-cost manual options to fully automated systems. It has more than 7,000 employees worldwide and 60 engineering centers in 25 countries.
Since Dematic works with a wide range of customer facilities, from e-commerce and apparel to groceries and healthcare, it constantly creates customized solutions—and the security for those services—to fit customer requirements. The breadth of customization makes it challenging to standardize and scale security services like firewalls, which provide advanced threat protection for sensitive and regulated environments.
Dematic needed a security solution with flexibility, scalability, and cloud-native integration. “We have a responsibility to our customers to protect their data and processes,” says Kevin Boutin, Principal Architect at Dematic. “Trust isn’t something that happens on its own, so Dematic must proactively demonstrate a variety of mitigation efforts we take to increase security. We need the right tools to effectively demonstrate this.”
Many Dematic customers work in sectors such as government and healthcare, which require especially rigorous security to protect sensitive information. As you can see, the security stakes are high in the supply chain. A security incident for a Dematic customer could lead to a mechanical equipment failure that harms people in a warehouse or supply chain delays that cost companies millions of dollars per hour.
Cloud-native security services
Dematic knew early on that it wanted to use Microsoft Azure. Since Dematic already used Microsoft cloud-native services internally, the company wanted a cloud-native approach to security for its customer-facing services.
Microsoft created a proof of concept for Dematic, which successfully met the flexibility and scalability requirements for Dematic to deliver highly secure services to customers.
Dematic ultimately selected the Premium tier of Azure Firewall along with the Premium tier of Azure Front Door, the Standard tier of Azure DDoS Protection, Azure API Management, Azure Web Application Firewall, and Microsoft Defender for Cloud.
Dematic partnered with Catapult Systems, a Microsoft Gold partner with specialty certification in cloud security, to deploy the Azure security products, especially Azure Firewall Premium. Dematic also used Microsoft FastTrack in the early stage of its development cycle.
With Azure Firewall Premium features like an intrusion detection and prevention system (IDPS) and transport layer security (TLS) inspection, Dematic can prevent zero-day threats, malware, and viruses from spreading across networks. Dematic uses Azure Firewall Premium for IDPS, TLS inspection, and URL filtering capabilities.
Dematic uses Azure Front Door, a cloud content delivery network service that delivers high performance, scalability, and more secure user experiences. Specifically, Azure Web Application Firewall (WAF), which is attached to Azure Front Door, protects Dematic’s customer-facing web applications from web-based attacks and malicious bots. It uses Azure DDoS Protection for network protection and rapid response to denial-of-service attacks. With recommendations from Microsoft Defender for Cloud, Dematic continually strengthens the overall security posture of its environment and protects workloads from evolving threats.
“With Defender for Cloud, we can set security policies and automatically generate compliance reports for the standards that we need to meet for customers,” says Brandon Bates, Principal Architect at Dematic. “It gives Dematic and our customers peace of mind when we show that we meet security standards.”
And with Azure API Management, Dematic has a single place from which to manage APIs for security and more.
“We have centralized where our DevOps, Security Ops, and other users would go to troubleshoot anything related to deployment,” Boutin says. “Bringing all these different services into Azure makes our lives easier.”
Scalability for meeting customer needs
With Azure Firewall Premium, Dematic can easily and quickly help protect any new data conduits for customers instead of having to seek out the technical expertise needed to do so. It is just one way that Dematic uses cloud-native tools to make security easier.
“Cloud-native scaling in Azure Firewall Premium is incredibly important to us,” Boutin says. “Not only do we remove single points of failure from our architecture, but we also get high availability and uptime of 99.99 percent, which helps us meet service level agreements with our customers.”
Dematic enjoys on-demand pricing for its security tools, so it only has to pay for what it needs as it creates, tests, and releases products for customers.
“During our production cycles, we offer beta tests for sales groups and decision-makers, but we don’t want to be locked into paying for a certain amount of usage,” Bates says. “With on-demand pricing in the Azure products that we use, we only pay for what we need at any given time.”
Dematic still has the flexibility to use third-party products like Terraform, an open-source infrastructure-as-code tool, for its deployments in Azure. Dematic uses infrastructure as code to deploy and maintain its security solutions, so its teams can test applications in production-like environments early in the development cycle.

A more confident security posture
Dematic is confident that its cloud-native Azure network security solutions work around the clock to help prevent and detect any security issues. Now, Dematic can focus on delivering the best services to customers instead of worrying about its security posture and the detailed day-to-day workings of a firewall.
Dematic can use its strong security posture to show new customers the multiple layers of protection in place to help keep their data more secure.
“Our expertise is in developing applications with really easy-to-use interfaces that bring together data, analytics, AI, and other innovative capabilities,” Bates says. “Understanding the inner workings of a firewall is not our expertise, and with Azure Firewall Premium, it doesn’t have to be. We use Azure Firewall Premium to protect Dematic and our customers around the clock, and we can depend on it.”
While investigating ways to automate adding, modifying, or removing Microsoft Defender for Cloud Apps (MDCA) policies, I could not locate any good Microsoft references. I did discover a blog post discussing how to automate some MDCA rules within certain policy types, which served as a starting point for investigating further automation of MDCA policies. Through trial and error, I also discovered some of the REST API calls used to add, view, or modify MDCA policies, and I used them to create PowerShell functions that implement a consistent set of MDCA policies across our clients. This blog post will serve as a starting point for using the MDCA REST API.
Activate the API
First, activate the API under MDCA’s Security Extensions settings: in the MDCA portal, click the Gear icon and select Security Extensions.

Under API tokens, select the Add token button. Type in a name for the token and select the Generate button. Copy the URL and API token now, as you will not have access to the token again. Select the Close button when you are finished. This token will appear in the API tokens list and can be revoked at any time. If using the Invoke-RestMethod command in PowerShell, include the token in your header as follows:
# Token generated under Security Extensions > API tokens; the value below is a placeholder
$headers = @{
    "Authorization" = "Token abcdefghijklmnopqrstuvwxyz1234567890="
    "Content-Type"  = "application/json"
}
Microsoft also supports other authentication methods that can be used in your automation, so I will link the article here.
Depending on the region, the URL you copied may contain the letters “us2” or “eu2” in the address. Remove them when using the URL in your Invoke-RestMethod PowerShell command, or the script will fail with errors; for example, for the URL https://example.us2.portal.cloudappsecurity.com, use https://example.portal.cloudappsecurity.com instead.
Basic REST API Calls
Let us review the REST API calls:
GET https://<URL>/cas/api/v1/policies/ – This API lists all active policies on the tenant, and their ID, which will be required to get the policy information later. The JSON output will also show the number of active policies.
GET https://<URL>/cas/api/v1/policy/activity/ – This API is the activity log of the tenant’s MDCA. You can test it by adding a policy from a template and then reviewing the API output; your new policy should appear at the bottom of the JSON. You can also review the settings of an edited policy, or check whether a policy has been deleted, via the “deleted” attribute.
JSON Policy Breakdown
Here is an example of one of the policies in the output:
{
    "_id": "627b9de8a0039f63881ce801",
    "ref_policy_id": 308,
    "actions": {
        "0": [],
        "11161": [],
        "11114": [],
        "11770": [],
        "10489": []
    },
    "alertEmailRecipients": [],
    "alertSeverity": "MEDIUM",
    "alertSmsRecipients": [],
    "anomalyDetection": {
        "riskFactors": []
    },
    "bip_created": 1545748144000,
    "consoleFilters": "{}",
    "created": 1652268519991.5312,
    "createdBy": "Builtin Policy",
    "deletable": true,
    "deleted": false,
    "description": "This policy profiles your environment and triggers alerts when users perform multiple file sharing activities in a single session with respect to the baseline learned, which could indicate an attempted breach.",
    "descriptionTemplate": "CONSOLE_POLICIES_BUILT_IN_POLICY_ANUBIS_UNUSUAL_ACTIVITY_SHARE_DESCRIPTION",
    "detectionEngine": 1,
    "editable": true,
    "enableAlerts": true,
    "enabled": true,
    "isHidden": false,
    "lastModified": 1652814616971.3586,
    "lastModifiedBy": "Builtin Policy",
    "name": "Unusual file share activity (by user)",
    "nameTemplate": "CONSOLE_POLICIES_BUILT_IN_POLICY_ANUBIS_UNUSUAL_ACTIVITY_SHARE_NAME",
    "policyId": 3,
    "policyType": "ANOMALY_DETECTION",
    "stories": [
        0
    ],
    "version": {
        "full": "0.227.1",
        "major": "0.227",
        "minor": "1"
    },
    "ref_policy_created": 1545748144000,
    "lastUserModified": 1652814616971.3586,
    "matchesCount": 0,
    "msFlowCheckboxChecked": false,
    "msFlowId": null,
    "perApp": true,
    "readOnly": false,
    "selectedRate": "all",
    "templateId": "default",
    "threshold": 5,
    "windowSizeInMinutes": 30,
    "editMode": true,
    "story": 0
}
This will be the template for adding, editing, or removing the policy “Unusual file share activity (by user).”
All policies are grouped into different Policy Types in the portal and are identified in the JSON output as the policyType attribute:
- ANOMALY_DETECTION – Anomaly detection policy
- ANOMALY_DISCOVERY – Cloud discovery anomaly detection policy
- APP_PERMISSION – OAuth app policy, OAuth app anomaly detection policy
- AUDIT – Activity policy
- FILE – File policy, Malware detection policy
- INLINE – Session Policy
- NEW_SERVICE – App discovery policy
API Call Samples (get policy data)
If we need to retrieve a single Activity policy, use the API call:
GET https://<URL>/cas/api/v1/policy/activity/<ID>/
To retrieve an Anomaly detection policy:
GET https://<URL>/cas/api/v1/policy/anomaly/<ID>/
To retrieve an App discovery policy:
GET https://<URL>/cas/api/v1/policy/discovery/<ID>/
To retrieve a Cloud discovery anomaly detection policy:
GET https://<URL>/cas/api/v1/policy/discovery_anomaly/<ID>/
To retrieve a File or Malware detection policy:
GET https://<URL>/cas/api/v1/policy/file/<ID>/
To retrieve an OAuth app or OAuth app anomaly detection policy:
GET https://<URL>/cas/api/v1/policy/app_permissions/<ID>/
And to retrieve a Session policy:
GET https://<URL>/cas/api/v1/policy/session/<ID>/
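The setup steps and the endpoint list above, wrapped into reusable PowerShell. This is an added example, not the author’s functions: the function names are mine, the token is assumed to live in an environment variable MDCA_TOKEN, and the portal URL and policy _id are the ones used in this article.

```powershell
# Added example, not the author's functions. Assumes the API token is in the
# environment variable MDCA_TOKEN and the portal URL is the one copied from Security Extensions.

function Get-MdcaBaseUrl {
    param([Parameter(Mandatory)][string]$PortalUrl)
    # The copied URL may carry a regional label such as "us2" or "eu2"; calls fail unless it is removed.
    $base = $PortalUrl -replace '\.(us|eu)\d+\.portal\.cloudappsecurity\.com', '.portal.cloudappsecurity.com'
    return $base.TrimEnd('/')
}

function New-MdcaHeaders {
    param([Parameter(Mandatory)][string]$Token)
    # Same header shape as the Invoke-RestMethod snippet under "Activate the API".
    return @{ 'Authorization' = "Token $Token"; 'Content-Type' = 'application/json' }
}

function Get-MdcaPolicyPath {
    # Maps the policyType attribute from the JSON to the path segment of the per-policy endpoints.
    param([Parameter(Mandatory)][string]$PolicyType)
    switch ($PolicyType) {
        'AUDIT'             { return 'activity' }
        'ANOMALY_DETECTION' { return 'anomaly' }
        'NEW_SERVICE'       { return 'discovery' }
        'ANOMALY_DISCOVERY' { return 'discovery_anomaly' }
        'FILE'              { return 'file' }
        'APP_PERMISSION'    { return 'app_permissions' }
        'INLINE'            { return 'session' }
        default             { throw "Unknown policyType '$PolicyType'" }
    }
}

function Get-MdcaPolicies {
    # GET /cas/api/v1/policies/ lists every active policy together with its _id.
    param([string]$BaseUrl, [hashtable]$Headers)
    return Invoke-RestMethod -Method Get -Uri "$BaseUrl/cas/api/v1/policies/" -Headers $Headers
}

function Get-MdcaPolicy {
    # GET /cas/api/v1/policy/<path>/<id>/ returns one policy as the JSON object shown above.
    param([string]$BaseUrl, [hashtable]$Headers, [string]$PolicyType, [string]$Id)
    $path = Get-MdcaPolicyPath -PolicyType $PolicyType
    return Invoke-RestMethod -Method Get -Uri "$BaseUrl/cas/api/v1/policy/$path/$Id/" -Headers $Headers
}

# Usage, with the article's example URL and the _id of "Unusual file share activity (by user)":
$base    = Get-MdcaBaseUrl -PortalUrl 'https://example.us2.portal.cloudappsecurity.com'
$headers = New-MdcaHeaders -Token $env:MDCA_TOKEN
$all     = Get-MdcaPolicies -BaseUrl $base -Headers $headers
$policy  = Get-MdcaPolicy -BaseUrl $base -Headers $headers -PolicyType 'ANOMALY_DETECTION' -Id '627b9de8a0039f63881ce801'
```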
Edit/Delete Policies
To edit individual policies, use the output from the activity log for the body of the API call and modify the required attributes. Then, use PUT instead of GET in your API call. I recommend configuring a test policy, gathering the output, and applying it to your automation. This is a more straightforward method than modifying the attributes manually.
Using our previous JSON output example, we would change the enabled attribute to false to disable the policy, copy the JSON with the changed attribute into the API body, and submit using PUT https://<URL>/cas/api/v1/policy/anomaly/627b9de8a0039f63881ce801/.
    "editable": true,
    "enableAlerts": true,
    "enabled": false,
    "isHidden": false,
    "lastModified": 1652814616971.3586,
After refreshing the browser, the web portal shows the policy as disabled.
To delete a policy, verify that the deletable attribute is true, set the deleted attribute to true, and submit the JSON with PUT in the same way. Not all policies can be deleted: during my testing, the Malicious OAuth app consent policy could only be set to disabled, even though its deletable attribute was true.
Construct the JSON Body to Add a Policy
We will use the JSON output as a template again to add a policy. This time, remove the _id attribute and set the templateId attribute to “default” in place of the numeric value. Change the name attribute to the new name of the policy. This will be the body of the API call.
WARNING! If you do not remove the _id attribute when creating the policy, a second policy is created and both policies are shown in the portal. If you try to delete one of the two, it will be deleted, but the duplicate will remain in the portal. Although the duplicate is not active, you will not be able to delete it, because that _id is already marked as deleted. You will need to contact Microsoft to remove the duplicate.
{
    "ref_policy_id": 308,
    "actions": {
        "0": [],
        "11161": [],
        "11114": [],
        "11770": [],
        "10489": []
    },
    "alertEmailRecipients": [],
    "alertSeverity": "MEDIUM",
    "alertSmsRecipients": [],
    "anomalyDetection": {
        "riskFactors": []
    },
    "bip_created": 1545748144000,
    "consoleFilters": "{}",
    "created": 1652268519991.5312,
    "createdBy": "Builtin Policy",
    "deletable": true,
    "deleted": false,
    "description": "This policy profiles your environment and triggers alerts when users perform multiple file sharing activities in a single session with respect to the baseline learned, which could indicate an attempted breach.",
    "descriptionTemplate": "CONSOLE_POLICIES_BUILT_IN_POLICY_ANUBIS_UNUSUAL_ACTIVITY_SHARE_DESCRIPTION",
    "detectionEngine": 1,
    "editable": true,
    "enableAlerts": true,
    "enabled": true,
    "isHidden": false,
    "lastModified": 1652814616971.3586,
    "lastModifiedBy": "Builtin Policy",
    "name": "Test - Unusual file share activity (by user)",
    "nameTemplate": "CONSOLE_POLICIES_BUILT_IN_POLICY_ANUBIS_UNUSUAL_ACTIVITY_SHARE_NAME",
    "policyId": 3,
    "policyType": "ANOMALY_DETECTION",
    "stories": [
        0
    ],
    "version": {
        "full": "0.227.1",
        "major": "0.227",
        "minor": "1"
    },
    "ref_policy_created": 1545748144000,
    "lastUserModified": 1652814616971.3586,
    "matchesCount": 0,
    "msFlowCheckboxChecked": false,
    "msFlowId": null,
    "perApp": true,
    "readOnly": false,
    "selectedRate": "all",
    "templateId": "default",
    "threshold": 5,
    "windowSizeInMinutes": 30,
    "editMode": true,
    "story": 0
}
API Call Samples (Add a policy)
To add an Activity policy, use the API call:
POST https://<URL>/cas/api/v1/policy/activity/
To add an Anomaly detection policy:
POST https://<URL>/cas/api/v1/policy/anomaly/
To add an App discovery policy:
POST https://<URL>/cas/api/v1/policy/discovery/
To add a Cloud discovery anomaly detection policy:
POST https://<URL>/cas/api/v1/policy/discovery_anomaly/
To add a File or Malware detection policy:
POST https://<URL>/cas/api/v1/policy/file/
To add an OAuth app or OAuth app anomaly detection policy:
POST https://<URL>/cas/api/v1/policy/app_permissions/
And to add a Session policy:
POST https://<URL>/cas/api/v1/policy/session/
To add the policy in our example, we would copy the modified JSON output into the API body and submit it using POST https://<URL>/cas/api/v1/policy/anomaly/.
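The edit, delete and add procedures above (GET the policy, change the attributes, PUT it back; or drop _id, set templateId to “default”, rename, and POST) as PowerShell functions. This is an added example, not the author’s code: function names are mine, the endpoint segment is passed in as -Path (for example 'anomaly' for an ANOMALY_DETECTION policy), the token is assumed to be in the environment variable MDCA_TOKEN, and the base URL and _id are the article’s example values.

```powershell
# Added example, not the author's code. Assumes the token is in $env:MDCA_TOKEN and that
# -Path is the endpoint segment for the policy type ('anomaly', 'activity', 'file', ...).

function Set-MdcaPolicyEnabled {
    # GET the current policy, change only the enabled attribute, and PUT the whole object back.
    param([string]$BaseUrl, [hashtable]$Headers, [string]$Path, [string]$Id, [bool]$Enabled)
    $uri    = "$BaseUrl/cas/api/v1/policy/$Path/$Id/"
    $policy = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    $policy.enabled = $Enabled
    # -Depth matters: the default of 2 would flatten nested attributes such as actions and version.
    $body = $policy | ConvertTo-Json -Depth 20
    return Invoke-RestMethod -Method Put -Uri $uri -Headers $Headers -Body $body
}

function Remove-MdcaPolicy {
    # Deletion is also a PUT: deletable must already be true, and deleted is set to true.
    param([string]$BaseUrl, [hashtable]$Headers, [string]$Path, [string]$Id)
    $uri    = "$BaseUrl/cas/api/v1/policy/$Path/$Id/"
    $policy = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    if (-not $policy.deletable) { throw "Policy $Id is not deletable; disable it instead." }
    $policy.deleted = $true
    return Invoke-RestMethod -Method Put -Uri $uri -Headers $Headers -Body ($policy | ConvertTo-Json -Depth 20)
}

function Copy-MdcaPolicy {
    # Use an existing policy as the template for a new one, then POST to the collection endpoint.
    param([string]$BaseUrl, [hashtable]$Headers, [string]$Path, [string]$TemplateId, [string]$NewName)
    $template = Invoke-RestMethod -Method Get -Uri "$BaseUrl/cas/api/v1/policy/$Path/$TemplateId/" -Headers $Headers
    # Dropping _id is what makes this a new policy; keeping it produces the duplicate described
    # in the WARNING above, which cannot be removed through the API.
    $template.PSObject.Properties.Remove('_id')
    $template.templateId = 'default'
    $template.name       = $NewName
    $body = $template | ConvertTo-Json -Depth 20
    return Invoke-RestMethod -Method Post -Uri "$BaseUrl/cas/api/v1/policy/$Path/" -Headers $Headers -Body $body
}

# Usage with the article's example policy (base URL already stripped of its regional label):
$base    = 'https://example.portal.cloudappsecurity.com'
$headers = @{ 'Authorization' = "Token $env:MDCA_TOKEN"; 'Content-Type' = 'application/json' }
$id      = '627b9de8a0039f63881ce801'
Set-MdcaPolicyEnabled -BaseUrl $base -Headers $headers -Path 'anomaly' -Id $id -Enabled $false
Copy-MdcaPolicy -BaseUrl $base -Headers $headers -Path 'anomaly' -TemplateId $id -NewName 'Test - Unusual file share activity (by user)'
```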
Summary:
Microsoft should create official documentation for automating MDCA policy tasks. Until then, I hope these notes help the community “fill in the blanks” and build some awesome automations!
Reference links:
Automating the MCAS deployment
TORONTO, May 04, 2022 (GLOBE NEWSWIRE) — Quisitive Technology Solutions Inc. (“Quisitive” or the “Company”) (TSXV: QUIS, OTCQX: QUISF), a premier Microsoft solutions and payment solutions provider, has achieved the Microsoft Cloud Security Advanced Specialization, marking the 11th advanced specialization it has received and the final one available in the security solutions area. The Company now holds all four Microsoft Security Solutions Advanced Specializations.
The Cloud Security Advanced Specialization certification is available to Microsoft partners that showcase an organization’s capabilities and proven experience implementing comprehensive protection across customers’ Microsoft Azure, hybrid, and multi-cloud environments. In order to be eligible for this accolade, Microsoft partners must pass a stringent set of requirements which include performance-based accomplishments, in addition to customer references.
Partners who earn an advanced specialization will have a customer-facing label displayed on their Microsoft business profile page, and further differentiate their organizations from companies inside and out of the Microsoft ecosystem. As a holder of all four security certifications, Quisitive displays demonstrable capabilities in managing and implementing Microsoft’s offerings of Cloud Security, Identity Management, Information Protection, and Threat Protection.
“Receiving the Cloud Security Advanced Specialization, our 11th one, is another accomplishment that sets us apart from our competitors and reflects our commitment to further positioning ourselves as a leader in the Microsoft ecosystem,” said Quisitive CEO Mike Reinhart. “As the need for cloud security becomes a growing necessity for organizations, we are poised to enlarge our expanding footprint within this space. On brand with the results shared in our recent earnings call, we remain focused on delivering high organic growth and increasing recurring revenue within the Cloud Solutions segment which will in turn provide lasting value for our shareholders.”
About Quisitive:
Quisitive (TSXV: QUIS, OTCQX: QUISF) is a premier, global Microsoft partner that harnesses the Microsoft platform and complementary technologies, including custom solutions and first-party offerings, to generate transformational impact for enterprise customers. Our Cloud Solutions business focuses on helping enterprises move, operate, and innovate in the three Microsoft clouds. Centering on our LedgerPay product suite, our Payments Solutions business leverages the Microsoft Azure cloud to transform the payment processing industry into an entirely new source of customer engagement and consumer value. Quisitive serves clients globally from seventeen employee hubs across the world. For more information, visit www.Quisitive.com and follow @BeQuisitive.
Quisitive Investor Contact
Matt Glover and John Yi
Gateway Investor Relations
[email protected]
949-574-3860
Tami Anders
Chief of Staff
[email protected]
Cautionary Note Regarding Forward Looking Information
This news release contains certain “forward‐looking information” and “forward‐looking statements” (collectively, “forward‐looking statements”) within the meaning of applicable Canadian securities legislation regarding Quisitive and its business. Any statement that involves discussions with respect to predictions, expectations, beliefs, plans, projections, objectives, assumptions, future events or performance (often but not always using phrases such as “expects”, or “does not expect”, “is expected”, “anticipates” or “does not anticipate”, “plans”, “budget”, “scheduled”, “forecasts”, “estimates”, “believes” or “intends” or variations of such words and phrases or stating that certain actions, events or results “may” or “could”, “would”, “might” or “will” be taken to occur or be achieved) are not statements of historical fact and may be forward‐looking statements. Forward‐looking statements are necessarily based upon a number of estimates and assumptions that, while considered reasonable, are subject to known and unknown risks, uncertainties, and other factors which may cause the actual results and future events to differ materially from those expressed or implied by such forward‐looking statements. These forward-looking statements include, but are not limited to, statements relating to: internal business integrations, onboarding of pilot merchants, completion of additional certifications, expectations regarding go-to-market strategy and future success of the Company’s LedgerPay platform, growth prospects, projected milestones and timelines, and other anticipated benefits and impacts of the Mastercard certification.
The risks and uncertainties that may affect forward-looking statements, or the material factors or assumptions used to develop such forward-looking information, are described under the heading “Risks Factors” in the Company’s annual information form dated April 20, 2021, which are available under the Company’s issuer profile on SEDAR at www.sedar.com. There can be no assurance that forward-looking information, or the material factors or assumptions used to develop such forward-looking information, will prove to be accurate. The Company does not undertake any obligations to release publicly any revisions for updating any voluntary forward-looking statements, except as required by applicable securities law.
Neither the TSX Venture Exchange nor its Regulation Services provider (as that term is defined in the policies of the TSX Venture Exchange) accepts responsibility for the adequacy or accuracy of this release.