The U.S. Government’s One-Stop Location to Stop Ransomware

 Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

New
StopRansomware.gov website – The U.S. Government’s One-Stop Location to Stop
Ransomware

07/15/2021 07:20 AM EDT

 

Original
release date: July 15, 2021

The U.S. Government launched a new website to help public and private
organizations defend against the rise in ransomware cases. StopRansomware.gov is a
whole-of-government approach that gives one central location for ransomware
resources and alerts. We encourage organizations to use this new website to
understand the threat of ransomware, mitigate risk, and in the event of an
attack, know what steps to take next.

The StopRansomware.gov webpage is
an interagency resource that provides our partners and stakeholders with
ransomware protection, detection, and response guidance that they can use on a
single website. This includes ransomware alerts, reports, and resources from
CISA, the FBI, and other federal partners.

We look forward to growing the information and resources on StopRansomware.gov and plan to partner
with additional Federal Agencies who are working to curb the rise in
ransomware.

Kaseya Provides Security Updates for VSA On-Premises Software Vulnerabilities

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

Kaseya
Provides Security Updates for VSA On-Premises Software Vulnerabilities

07/12/2021 03:00 PM EDT

 

Original
release date: July 12, 2021

Kaseya has released VSA version 9.5.7a for their VSA On-Premises software.
This version addresses vulnerabilities that enabled the ransomware attacks on
Kaseya’s customers.

CISA strongly urges Kaseya customers closely follow the instructions
detailed in the Kaseya
security notice
 and contact Kaseya should they require implementation
assistance. Note:
the Kaseya security notice includes Startup Runbooks and Hardening and Best
Practice Guides for both VSA On-Premises and VSA SaaS.

Microsoft Releases Out-of-Band Security Updates for PrintNightmare

 

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

Microsoft
Releases Out-of-Band Security Updates for PrintNightmare

07/06/2021 07:53 PM EDT

 

Original
release date: July 6, 2021

Microsoft has released out-of-band
security updates
to address a remote code execution (RCE)
vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print
spooler service. According to the CERT Coordination Center (CERT/CC), “The
Microsoft Windows Print Spooler service fails to restrict access to
functionality that allows users to add printers and related drivers, which can
allow a remote authenticated attacker to execute arbitrary code with SYSTEM
privileges on a vulnerable system.”

The updates are cumulative and contain all previous fixes as well as
protections for CVE-2021-1675. The updates do not include Windows 10 version
1607, Windows Server 2012, or Windows Server 2016—Microsoft states updates for
these versions are forthcoming. Note: According to CERT/CC, “the Microsoft
update for CVE-2021-34527 only appears to address the Remote Code Execution
(RCE via SMB and RPC) variants of the PrintNightmare, and not the Local
Privilege Escalation (LPE) variant.” See CERT/CC Vulnerability Note VU
#383432
for workarounds for the LPE variant.

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

 

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

CISA-FBI
Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain
Ransomware Attack

07/04/2021 12:29 PM EDT

 

Original
release date: July 4, 2021

CISA and the Federal Bureau of Investigation (FBI) continue to respond to
the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya
VSA software against multiple managed service providers (MSPs) and their
customers. CISA and FBI strongly urge affected MSPs and their customers to
follow the guidance below.

CISA and FBI recommend affected MSPs:

  • Contact Kaseya at support@kaseya.com
    with the subject “Compromise Detection Tool Request” to obtain and run
    Kaseya’s Compromise Detection Tool available to Kaseya VSA customers. The
    tool is designed to help MSPs assess the status of their systems and their
    customers’ systems.
  • Enable and enforce multi-factor authentication (MFA) on
    every single account that is under the control of the organization, and—to
    the maximum extent possible—enable and enforce MFA for customer-facing
    services.
  • Implement allowlisting to limit communication with
    remote monitoring and management (RMM) capabilities to known IP address
    pairs, and/or
  • Place administrative interfaces of RMM behind a virtual
    private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend MSP customers affected by this attack take immediate
action to implement the following cybersecurity best practices. Note: these actions
are especially important for MSP customer who do not currently have their RMM
service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

  • Ensure backups are up to date and stored in an easily
    retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that
    follows vendor remediation guidance, including the installation of new
    patches as soon as they become available;
  • Implement:
    • Multi-factor
      authentication; and
    • Principle of least
      privilege on key network resources admin accounts.

Resources:

CISA and FBI provide these resources for the reader’s awareness.  CISA
and FBI do not endorse any non-governmental entities nor guarantee the accuracy
of the linked resources.

What’s new: ASIM Authentication, Process, Registry and enhanced Network schemas

 New Microsoft Blog

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-asim-authentication-process-registry-and-enhanced/ba-p/2502268

Hello everyone,

 Continuing our normalization journey, we added to the networking and DNS schemas the Authentication, Process
Events
, and Registry Events schemas and delivered normalized
content based on the two. We also added ARM template deployment and support
for Microsoft Defender for Endpoints to the Network
Schema
.

 Special thanks to @Yuval Naor , @Yaron
Fruchtmann , and @Batami Gold , who made all this possible.

 Why should you
care?

 Cross
source detection:
Normalized Authentication analytic rules work across
sources, on-prem and cloud, now detecting attacks such as brute force or
impossible travel across systems including Okta, AWS, and Azure.

  • Source
    agnostic rules
    :
    process event analytics support any source that a customer may use to
    bring in the data, including Defender for Endpoint, Windows Events, and
    Sysmon. We are ready to add Sysmon for Linux and WEF once released!
  • EDR support: Process,
    Registry, Network, and Authentication consist the core of EDR event
    telemetry.
  • Ease
    of use
    :
    The Network Schema introduced last year is now
    easier to use with a single-click ARM template deployment.

 Deploy the AuthenticationProcess Events,
Registry
Events
, or Network Session parser packs in a single click using
ARM templates. 

 Jon us to learn more about the Azure Sentinel information model in two webinars:

  • The
    Information Model: Understanding Normalization in Azure Sentinel
  • Deep Dive into Azure Sentinel Normalizing
    Parsers and Normalized Content

Why normalization, and what is the Azure Sentinel
Information Model?

 Working with various data types and tables together presents a challenge.
You must become familiar with many different data types and schemas, write
and use a unique set of analytics rules, workbooks, and hunting queries for
each, even for those that share commonalities (for example, DNS servers).
Correlation between the different data types necessary for investigation and
hunting is also tricky.

 The Azure Sentinel Information Model (ASIM) provides a seamless experience
for handling various sources in uniform, normalized views. ASIM aligns with
the Open-Source Security Events Metadata (OSSEM) common
information model, promoting vendor agnostic, industry-wide normalization.
ASIM:

  • Allows source agnostic
    content and solutions
  • Simplifies analyst use
    of the data in sentinel workspaces

 The current implementation is based on query time normalization using KQL
functions. And includes the following:

  • Normalized
    schemas
     cover
    standard sets of predictable event types that are easy to work with and
    build unified capabilities. The schema defines which fields should
    represent an event, a normalized column naming convention, and a standard
    format for the field values.
  • Parsers map existing data
    to the normalized schemas. Parsers are implemented using KQL functions.
  • Content
    for each normalized schema
     includes analytics rules, workbooks, hunting
    queries, and additional content. This content works on any normalized data
    without the need to create source-specific content.

Use Premium Assessments in Microsoft Compliance Manager to Meet Your Regulatory Compliance Needs

 New Microsoft Blog

The pandemic has permanently changed how organizations of all sizes work. A
substantial increase in hybrid and remote work has presented new compliance
challenges, and organizations have responded by growing their compliance
functions. A recent study shows that there were 257 average daily regulatory
alerts across 190 countries in 2020 and keeping up with regulatory changes continues
to be the top compliance challenge[1].

 

To help organizations simplify compliance and reduce risk,
we built Microsoft Compliance Manager, generally available since September 2020. Compliance
Manager translates complex regulatory requirements into specific recommended
actions and makes them available through premium assessment templates, covering
over 300 regulations and standards. By leveraging the universal mapping of
actions and controls, premium assessment templates allow customers to comply
with several requirements across multiple regulations or standards with one
action, providing an efficient solution to manage overlapping compliance
requirements. Premium assessment templates along with built-in workflows and
continuous compliance updates allow organizations to constantly assess,
monitor, and improve their compliance posture.

 

To meet customers where they are in their compliance journey, we are excited
to announce that Compliance Manager premium assessment templates will no longer
require a Microsoft 365 E5 or Office 365 E5 license as a prerequisite. This
update enables all enterprise customers to assess compliance with the
regulations most relevant to them and meet their unique compliance needs.
Starting July 1st, 2021, all Enterprise customers, both commercial
and government, can purchase premium assessment templates as long as they have
any Microsoft 365 or Office 365 subscription. Customers who have already
purchased a premium assessment template or are using the default templates
included with their subscription will not experience any disruption or change.
Customers with Microsoft 365 E1/E3 or Office 365 E1/E3 subscriptions will now
be able to see the list of 300+ premium assessment templates in their tenants.
The capability to create a new template, customize an existing template, or add
customized actions to a given template will continue to require a Microsoft 365
E5 or Office 365 E5 subscription.

 We look forward to hearing your feedback.

 Get Started

Navigate to the Microsoft 365 compliance center or sign up for a
Microsoft 365 E5 Compliance trial to get started with Compliance Manager premium
assessments today! Compliance Manager premium assessment SKUs can be
purchased in Microsoft
admin center
.

 Learn more:

  1. Compliance Manager licensing details.
  2. List of premium assessment templates here.
  3. Learn more about Compliance Manager here.

URL: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/use-premium-assessments-in-microsoft-compliance-manager-to-meet/ba-p/2494789