NIST Assessing Security and Privacy Controls: Draft SP 800-53A Revision 5 is Available for Comment

Control assessments are not about checklists, simple pass/fail results, or
generating paperwork to pass inspections or audits. The testing and evaluation
of controls in a system or organization to determine the extent to which the
controls are implemented correctly, operating as intended, and producing the
desired outcome are critical to managing and measuring risk. Additionally,
control assessment results serve as an indication of the quality of the risk
management processes, help identify security and privacy strengths and
weaknesses within systems, and provide a road map to identifying,
prioritizing, and correcting identified deficiencies.

Draft NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and
Privacy Controls in Information Systems and Organizations, provides
organizations with a flexible, scalable, and repeatable assessment methodology
and assessment procedures that correspond with the controls in NIST SP 800-53,
Revision 5.
Like previous revisions of SP 800-53A, the generalized assessment procedures
provide a framework and starting point to assess the enhanced security
requirements and can be tailored to the needs of organizations and assessors.
The assessment procedures can be employed in self-assessments or independent
third-party assessments.

In addition to the update of the assessment procedures to correspond with the
controls in SP 800-53, Revision 5, a new format for assessment procedures in
this revision to SP 800-53A is introduced to:

  • Improve the efficiency of
    conducting control assessments,
  • Provide better traceability
    between assessment procedures and controls, and
  • Better support the use of
    automated tools, continuous monitoring, and ongoing authorization
    programs.

NIST is seeking feedback on the assessment procedures in this publication and
in electronic versions (OSCAL, CSV, and plain text), including the assessment
objectives, determination statements, and potential assessment methods and
objects. We are also interested in the approach taken to incorporate
organization-defined parameters into the determination statements for the
assessment objectives. To facilitate their review and use by a broad range of
stakeholders, the assessment procedures are available for comment and use in
PDF format, as well as comma-separated value (CSV), plain text, and Open
Security Controls Assessment Language (OSCAL) formats.

The comment period is open through October 1, 2021. See the publication
details for a copy of the draft and associated files, and instructions for
submitting comments. We encourage you to submit comments using the comment
template provided.

Please submit inquiries to [email protected].

NIST Cyber-Resilient Systems: Draft SP 800-160 Volume 2 Revision 1 is Available for Comment

Cyber attacks are a reality. Sometimes even with the best protective measures
in place, adversaries can breach perimeter defenses and find their way into
systems.

Draft NIST Special Publication (SP) 800-160, Volume 2, Revision 1, Developing
Cyber-Resilient Systems: A Systems Security Engineering Approach, turns the
traditional perimeter defense strategy on its head and moves organizations
toward a cyber resiliency strategy that facilitates defending systems from the
inside out instead of from the outside in. This guidance helps organizations
anticipate, withstand, recover from, and adapt to adverse conditions, stresses,
or compromises on systems – including hostile and increasingly destructive
cyber attacks from nation states, criminal gangs, and disgruntled individuals.

This major update to NIST’s flagship cyber resiliency publication offers
significant new content and support tools for organizations to defend against
cyber attacks, including ever-growing and destructive ransomware attacks. The
document provides suggestions on how to limit the damage that adversaries can
inflict by impeding their lateral movement, increasing their work factor, and
reducing their time on target.

In particular, the draft publication:

  • Updates the controls that
    support cyber resiliency to be consistent with NIST SP 800-53,
    Revision 5
  • Standardizes a single threat
    taxonomy (i.e., Adversarial Tactics, Techniques, and Common Knowledge
    [ATT&CK] framework)
  • Provides a detailed mapping and
    analysis of cyber resiliency implementation approaches and
    supporting NIST SP 800-53 controls to
    the ATT&CK framework techniques, mitigations, and
    candidate mitigations

The public comment period is open through September 20, 2021. See the
publication details for a copy of the draft and instructions for submitting
comments.

NOTE: A call for patent claims is included on page v of this draft. For
additional information, see the Information Technology Laboratory (ITL) Patent
Policy–Inclusion of Patents in ITL Publications.

Publication details:
https://csrc.nist.gov/publications/detail/sp/800-160/vol-2-rev-1/draft

ITL Patent Policy:
https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications

Microsoft announcing Compliance Ecosystem Expands with New Connectors and Partners

To continue to enable our customers to apply Microsoft Compliance solutions to
their entire data landscape, including non-Microsoft systems, we are constantly
expanding our Compliance ecosystem. Data connectors are built into our
Compliance platform and enable high-fidelity data ingestion. Once data is
ingested, it is available for multiple compliance scenarios including Litigation
hold, eDiscovery, Retention settings, Records management, and Communication
compliance, as well as Insider risk management.


Data connectors growth

Today we are excited to announce the addition of two new partners, 17a-4 and
CellTrust. These two new partners are bringing a wealth of new connectors and
categories of non-Microsoft data sources. Overall, this has helped further
expand our connector catalog from 39 connectors – as announced earlier this
year – to a total of 65 connectors available in our connector gallery.


17a-4 connectors

17a-4 LLC focuses on assisting clients with SEC and FINRA compliance
requirements and the associated rules that govern Business Communications,
Electronic Messaging, and Books and Records.


“DataParser’s integration with Microsoft Compliance solutions further
enhances 17a-4’s partnership with Microsoft,” said Charles Weeden, Managing
Partner 17a-4, LLC. “With DataParser connectors, clients can bring users’ Zoom,
Slack, Webex, Bloomberg, etc. data into Microsoft 365 to benefit from various
compliance solutions including Litigation hold, eDiscovery, Retention, Records
Management and Communication Compliance.”


CellTrust connectors

CellTrust provides compliant and secure mobile communications for regulated
industries. CellTrust SL2™ is a communication platform for voice, text / SMS,
and chat.


“CellTrust is thrilled our flagship SL2™ is now available for use with
Microsoft Compliance solutions,” said Sean Moshir, CEO and Chairman. “SL2 keeps
personal and business mobile communications separate on a single device,
provides a dedicated Mobile Business Number™, and simultaneously captures
business data for various compliance solutions including Litigation hold,
eDiscovery, Retention, Records Management, and Communication Compliance – while
enhancing mobile collaboration and driving productivity within a secure
environment.”


Data connectors in GCC

We have heard from our customers that governing data is critical to adhere
to compliance regulations. In a world where government employees work and
provide public services remotely, information is stored across numerous devices
in multiple disparate locations from on-premises to the cloud. This situation
makes it challenging to secure and govern data and to comply with regulations.
Today we are excited to announce the general availability of the following data
connectors – from our partner TeleMessage – for the Government Community Cloud
(GCC). This will provide government organizations with significantly greater
depth in governing critical data.

  • AT&T SMS/MMS
  • Bell SMS/MMS
  • Enterprise Number Archive
  • O2 Telefónica
  • Telus Text
  • Verizon SMS/MMS
  • Android Archiver

More details on all the available external data sources along with supported
solutions are available here.

DeepSurface integrates with Microsoft’s vulnerability management capabilities

Today, we are excited to announce that the predictive vulnerability management
platform DeepSurface has integrated across our threat and vulnerability
management capabilities in Microsoft Defender for Endpoint. Now, Microsoft
Defender for Endpoint customers can import vulnerability information across
Microsoft, Linux, and macOS hosts directly into the DeepSurface vulnerability
management platform, further strengthening our focus on interoperability.


“As the volume of
vulnerabilities increases, it’s critical that vulnerability management teams
can quickly identify which matter to their domain and filter out any that don’t
pose any risk to their organization. The status quo has been to juggle multiple
platforms and spend hours manually prioritizing vulnerabilities – this
integration between Microsoft and DeepSurface streamlines the number of
platforms for end-users and provides comprehensive, real-time insight into
their threat stance.”
– Tomer Teller, Principal Security PM Lead, Threat & Vulnerability Management
at Microsoft


DeepSurface considers more than 50 different attributes of an environment to
contextualize vulnerabilities – and chains of vulnerabilities – within an
organization’s digital infrastructure to predict where an attacker could cause
the most damage and provides users with actionable intelligence on how to
reduce the most risk, fastest. Now, users of Microsoft Defender for Endpoint
have an integrated solution, easily operationalized in just a few minutes, that
provides them with at-a-glance insight into their threat stance.

 

Image 1 shows DeepSurface’s Risk Insight model. The paretograph shows all the patches on your network and the relative risk they pose to your business, as well as the number of affected hosts and number of vulnerabilities on your network.



DeepSurface integrates with Microsoft Defender for Endpoint APIs to collect
vulnerabilities and identify missing patches, then prioritizes the patches,
hosts and vulnerabilities based on a holistic threat model of your
infrastructure.


Image 2 shows the risk pathways or hacker roadmap of vulnerabilities and chains of vulnerabilities that could be exploited on a network. By visualizing the most exploitable risk paths, DeepSurface can help you identify which paths pose the most risk to your business and prioritize where to patch first.



When viewing a specific patch, DeepSurface can show users which hosts are
affected, and the severity of the risk for each host after taking the holistic
context of your network into account. DeepSurface also provides information
about patch supersedence, and extra steps required to fully mitigate the
vulnerabilities covered by the patch.


Integration is quick and seamless. All you have to do is add your API key to
the DeepSurface console (see screenshot below). Documentation is available for
DeepSurface customers.


Image 3: DeepSurface setup console to configure the Microsoft Defender for
Endpoint integration.


For additional details, you can view the full press release here.


At Microsoft, we believe that when solutions work well together, customers
benefit and can build stronger defenses. That’s why the Microsoft threat and
vulnerability management APIs give partners like DeepSurface, as well as
security full access to the threat and vulnerability management dataset,
allowing them to build integrations or other custom workflows.


More information and feedback

  • The threat and vulnerability management capabilities
    are part of Microsoft Defender for Endpoint and enable
    organizations to effectively identify, assess, and remediate endpoint
    weaknesses to reduce organizational risk.
  • Documentation on how to configure the integration is
    available for DeepSurface customers in the product portal.

The U.S. Government’s One-Stop Location to Stop Ransomware

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

New StopRansomware.gov website – The U.S. Government’s One-Stop Location to
Stop Ransomware

07/15/2021 07:20 AM EDT


Original release date: July 15, 2021

The U.S. Government launched a new website to help public and private
organizations defend against the rise in ransomware cases. StopRansomware.gov is a
whole-of-government approach that gives one central location for ransomware
resources and alerts. We encourage organizations to use this new website to
understand the threat of ransomware, mitigate risk, and in the event of an
attack, know what steps to take next.

The StopRansomware.gov webpage is
an interagency resource that provides our partners and stakeholders with
ransomware protection, detection, and response guidance that they can use on a
single website. This includes ransomware alerts, reports, and resources from
CISA, the FBI, and other federal partners.

We look forward to growing the information and resources on StopRansomware.gov and plan to partner
with additional Federal Agencies who are working to curb the rise in
ransomware.

Kaseya Provides Security Updates for VSA On-Premises Software Vulnerabilities


07/12/2021 03:00 PM EDT


Original release date: July 12, 2021

Kaseya has released VSA version 9.5.7a for their VSA On-Premises software.
This version addresses vulnerabilities that enabled the ransomware attacks on
Kaseya’s customers.

CISA strongly urges Kaseya customers to closely follow the instructions
detailed in the Kaseya security notice and to contact Kaseya should they
require implementation assistance. Note: the Kaseya security notice includes
Startup Runbooks and Hardening and Best Practice Guides for both VSA
On-Premises and VSA SaaS.

Microsoft Releases Out-of-Band Security Updates for PrintNightmare


07/06/2021 07:53 PM EDT


Original release date: July 6, 2021

Microsoft has released out-of-band security updates to address a remote code
execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the
Windows Print Spooler service. According to the CERT Coordination Center
(CERT/CC), “The Microsoft Windows Print Spooler service fails to restrict
access to functionality that allows users to add printers and related drivers,
which can allow a remote authenticated attacker to execute arbitrary code with
SYSTEM privileges on a vulnerable system.”

The updates are cumulative and contain all previous fixes as well as
protections for CVE-2021-1675. The updates do not include Windows 10 version
1607, Windows Server 2012, or Windows Server 2016—Microsoft states updates for
these versions are forthcoming. Note: According to CERT/CC, “the Microsoft
update for CVE-2021-34527 only appears to address the Remote Code Execution
(RCE via SMB and RPC) variants of the PrintNightmare, and not the Local
Privilege Escalation (LPE) variant.” See CERT/CC Vulnerability Note VU #383432
for workarounds for the LPE variant.

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack


07/04/2021 12:29 PM EDT


Original release date: July 4, 2021

CISA and the Federal Bureau of Investigation (FBI) continue to respond to
the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya
VSA software against multiple managed service providers (MSPs) and their
customers. CISA and FBI strongly urge affected MSPs and their customers to
follow the guidance below.

CISA and FBI recommend affected MSPs:

  • Contact Kaseya at [email protected]
    with the subject “Compromise Detection Tool Request” to obtain and run
    Kaseya’s Compromise Detection Tool available to Kaseya VSA customers. The
    tool is designed to help MSPs assess the status of their systems and their
    customers’ systems.
  • Enable and enforce multi-factor authentication (MFA) on
    every single account that is under the control of the organization, and—to
    the maximum extent possible—enable and enforce MFA for customer-facing
    services.
  • Implement allowlisting to limit communication with
    remote monitoring and management (RMM) capabilities to known IP address
    pairs, and/or
  • Place administrative interfaces of RMM behind a virtual
    private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend MSP customers affected by this attack take immediate
action to implement the following cybersecurity best practices. Note: these
actions are especially important for MSP customers who do not currently have
their RMM service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

  • Ensure backups are up to date and stored in an easily
    retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that
    follows vendor remediation guidance, including the installation of new
    patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on key network resource admin accounts.

Resources:

CISA and FBI provide these resources for the reader’s awareness. CISA and FBI
do not endorse any non-governmental entities nor guarantee the accuracy of the
linked resources.

What’s new: ASIM Authentication, Process, Registry and enhanced Network schemas

New Microsoft Blog

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-asim-authentication-process-registry-and-enhanced/ba-p/2502268

Hello everyone,

Continuing our normalization journey, we added the Authentication, Process
Events, and Registry Events schemas alongside the existing Network and DNS
schemas, and delivered normalized content based on them. We also added ARM
template deployment and support for Microsoft Defender for Endpoint to the
Network Schema.

Special thanks to @Yuval Naor, @Yaron Fruchtmann, and @Batami Gold, who made
all this possible.

Why should you care?

  • Cross-source detection: normalized Authentication analytic rules work
    across sources, on-prem and cloud, now detecting attacks such as brute
    force or impossible travel across systems including Okta, AWS, and Azure.
  • Source-agnostic rules: process event analytics support any source that a
    customer may use to bring in the data, including Defender for Endpoint,
    Windows Events, and Sysmon. We are ready to add Sysmon for Linux and WEF
    once released!
  • EDR support: Process, Registry, Network, and Authentication constitute the
    core of EDR event telemetry.
  • Ease of use: the Network Schema introduced last year is now easier to use
    with a single-click ARM template deployment.

Deploy the Authentication, Process Events, Registry Events, or Network Session
parser packs in a single click using ARM templates.

Join us to learn more about the Azure Sentinel information model in two webinars:

  • The Information Model: Understanding Normalization in Azure Sentinel
  • Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content

Why normalization, and what is the Azure Sentinel Information Model?

 Working with various data types and tables together presents a challenge.
You must become familiar with many different data types and schemas, write
and use a unique set of analytics rules, workbooks, and hunting queries for
each, even for those that share commonalities (for example, DNS servers).
Correlation between the different data types necessary for investigation and
hunting is also tricky.

 The Azure Sentinel Information Model (ASIM) provides a seamless experience
for handling various sources in uniform, normalized views. ASIM aligns with
the Open-Source Security Events Metadata (OSSEM) common
information model, promoting vendor agnostic, industry-wide normalization.
ASIM:

  • Allows source-agnostic content and solutions
  • Simplifies analyst use of the data in Sentinel workspaces

The current implementation is based on query-time normalization using KQL
functions and includes the following:

  • Normalized schemas cover standard sets of predictable event types that are
    easy to work with and build unified capabilities on. The schema defines
    which fields should represent an event, a normalized column naming
    convention, and a standard format for the field values.
  • Parsers map existing data to the normalized schemas. Parsers are
    implemented using KQL functions.
  • Content for each normalized schema includes analytics rules, workbooks,
    hunting queries, and additional content. This content works on any
    normalized data without the need to create source-specific content.
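The schema / parser / content split described above, as an added illustration that is not part of the blog post or of the ASIM parser packs (Python stands in for KQL so it runs offline). Two constructed sources each get their own parser onto one Authentication-shaped schema whose column names follow ASIM's naming convention, and a single brute-force rule is written once against that schema; it only fires on the combined view, since either source alone stays below the failure threshold.

```python
"""Query-time normalization in miniature. Added example: the parsers, the
sample events and the rule are constructed here, not taken from ASIM."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events in two unrelated source formats.
WINDOWS_EVENTS = [  # shape loosely modelled on Windows Security log records
    {"TimeGenerated": "2021-07-06T10:00:00Z", "EventID": 4625,
     "TargetUserName": "Alice", "IpAddress": "198.51.100.7"},
    {"TimeGenerated": "2021-07-06T10:00:05Z", "EventID": 4625,
     "TargetUserName": "Alice", "IpAddress": "198.51.100.7"},
    {"TimeGenerated": "2021-07-06T10:00:09Z", "EventID": 4624,
     "TargetUserName": "Bob", "IpAddress": "203.0.113.9"},
    {"TimeGenerated": "2021-07-06T10:00:10Z", "EventID": 4688,
     "TargetUserName": "Bob", "IpAddress": "-"},
]
CLOUD_EVENTS = [  # shape loosely modelled on a cloud identity provider's audit log
    {"time": "2021-07-06T10:00:12Z", "action": "user.session.start",
     "outcome": "FAILURE", "actor": "alice", "client_ip": "198.51.100.7"},
    {"time": "2021-07-06T10:00:20Z", "action": "user.session.start",
     "outcome": "FAILURE", "actor": "alice", "client_ip": "198.51.100.7"},
    {"time": "2021-07-06T10:30:00Z", "action": "user.session.start",
     "outcome": "SUCCESS", "actor": "alice", "client_ip": "198.51.100.7"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_windows(raw):
    """Parser: Windows Security events -> normalized Authentication rows.
    Column names follow the ASIM Authentication naming convention."""
    for e in raw:
        if e["EventID"] not in (4624, 4625):
            continue  # not a logon event: a parser filters as well as renames
        yield {"TimeGenerated": _ts(e["TimeGenerated"]),
               "EventProduct": "Windows Security", "EventType": "Logon",
               "EventResult": "Success" if e["EventID"] == 4624 else "Failure",
               "TargetUsername": e["TargetUserName"].lower(),  # one casing rule
               "SrcIpAddr": e["IpAddress"]}


def parse_cloud_idp(raw):
    """Parser: cloud identity-provider audit log -> the same schema."""
    for e in raw:
        if e["action"] != "user.session.start":
            continue
        yield {"TimeGenerated": _ts(e["time"]),
               "EventProduct": "Cloud IdP", "EventType": "Logon",
               "EventResult": "Success" if e["outcome"] == "SUCCESS" else "Failure",
               "TargetUsername": e["actor"].lower(),
               "SrcIpAddr": e["client_ip"]}


def im_authentication():
    """Unifying view: the union of every parser's output, the role a
    source-agnostic KQL function plays in ASIM."""
    rows = [*parse_windows(WINDOWS_EVENTS), *parse_cloud_idp(CLOUD_EVENTS)]
    return sorted(rows, key=lambda r: r["TimeGenerated"])


def brute_force_then_success(rows, threshold=3, window=timedelta(hours=1)):
    """Rule written once against the schema: at least `threshold` failed
    logons for a (user, source IP) pair within `window`, then a success."""
    failures = defaultdict(list)  # (user, ip) -> [(time, product), ...]
    hits = []
    for r in rows:
        key = (r["TargetUsername"], r["SrcIpAddr"])
        if r["EventResult"] == "Failure":
            failures[key].append((r["TimeGenerated"], r["EventProduct"]))
            continue
        recent = [p for t, p in failures[key] if r["TimeGenerated"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"TargetUsername": key[0], "SrcIpAddr": key[1],
                         "FailureCount": len(recent), "Sources": sorted(set(recent))})
    return hits


if __name__ == "__main__":
    print(brute_force_then_success(im_authentication()))
```

Run per source, each parser's output yields no alert; the same rule over the union reports four failures from two products before the success.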

Use Premium Assessments in Microsoft Compliance Manager to Meet Your Regulatory Compliance Needs

New Microsoft Blog

The pandemic has permanently changed how organizations of all sizes work. A
substantial increase in hybrid and remote work has presented new compliance
challenges, and organizations have responded by growing their compliance
functions. A recent study shows that there were 257 average daily regulatory
alerts across 190 countries in 2020 and keeping up with regulatory changes continues
to be the top compliance challenge[1].


To help organizations simplify compliance and reduce risk,
we built Microsoft Compliance Manager, generally available since September 2020. Compliance
Manager translates complex regulatory requirements into specific recommended
actions and makes them available through premium assessment templates, covering
over 300 regulations and standards. By leveraging the universal mapping of
actions and controls, premium assessment templates allow customers to comply
with several requirements across multiple regulations or standards with one
action, providing an efficient solution to manage overlapping compliance
requirements. Premium assessment templates along with built-in workflows and
continuous compliance updates allow organizations to constantly assess,
monitor, and improve their compliance posture.


To meet customers where they are in their compliance journey, we are excited
to announce that Compliance Manager premium assessment templates will no longer
require a Microsoft 365 E5 or Office 365 E5 license as a prerequisite. This
update enables all enterprise customers to assess compliance with the
regulations most relevant to them and meet their unique compliance needs.
Starting July 1st, 2021, all Enterprise customers, both commercial
and government, can purchase premium assessment templates as long as they have
any Microsoft 365 or Office 365 subscription. Customers who have already
purchased a premium assessment template or are using the default templates
included with their subscription will not experience any disruption or change.
Customers with Microsoft 365 E1/E3 or Office 365 E1/E3 subscriptions will now
be able to see the list of 300+ premium assessment templates in their tenants.
The capability to create a new template, customize an existing template, or add
customized actions to a given template will continue to require a Microsoft 365
E5 or Office 365 E5 subscription.

We look forward to hearing your feedback.

Get Started

Navigate to the Microsoft 365 compliance center or sign up for a Microsoft 365
E5 Compliance trial to get started with Compliance Manager premium assessments
today! Compliance Manager premium assessment SKUs can be purchased in the
Microsoft admin center.

Learn more:

  1. Compliance Manager licensing details.
  2. List of premium assessment templates here.
  3. Learn more about Compliance Manager here.

URL: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/use-premium-assessments-in-microsoft-compliance-manager-to-meet/ba-p/2494789