Let’s Talk About Office 365 Advanced Threat Protection: Part Two

Last time, we reviewed Office 365 Advanced Threat Protection (ATP), an enhancement to Exchange Online Protection focused on protecting end-users from two categories of email delivered threats: zero day compromised attachments and malicious URLs.

Specifically, we discussed ATP’s safe attachments policies, its reporting capabilities and the labor-intensive workflow required to confirm that what ATP is telling you is, in fact, accurate (i.e., that the attachment really is malware).

This time, we’ll review ATP’s safe links, which analyzes URLs before you click through, and the PowerShell cmdlets associated with Advanced Threat Protection.

To configure ATP’s safe links, you can go to the Office 365 ECP:

https://outlook.office365.com/ecp

From the menu on the left-hand side of the Exchange admin center interface, choose “advanced threats” –

Exchange-admin-advanced-threats

From the ATP sub-menu, choose “safe links” –

ATP-Safelinks

In our example, we’re using the default Safe Links Policy; to edit its properties, click the pencil icon (a common design theme in the Office 365 admin interface):

ATP-safelinks-3

The first setting option is “general” –

Safelinks-general-setting

Note that both the Name and Description fields are labels and can be changed.

The real action starts with “settings” –

Safelinks-settings-detail

Let’s walk through the options you see above.

Configuration Options

  • On or Off are self-explanatory.
  • When the setting is On, potentially malicious URLs in the message are rewritten to a link of the form https://na01.safelinks.protection.outlook.com/?url=<original URL>, so that the original URL is analyzed when the user clicks, before they are passed through to it.
  • If “Do not track user clicks” is selected, ATP will not record user click-through attempts (which means no reporting data on this action).
  • If “Do not allow users to click through to original URL” is selected, end-users will not be able to reach the original URL via the link embedded within their email.
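As an added example (not code from the original post), here is a small Python helper that recognizes a Safe Links rewritten URL and recovers the original URL from its url query parameter, which is handy when you are reading rewritten links out of message headers or reports rather than clicking them. The na01/eur01 hosts in the samples and the data parameter values are constructed placeholders; the rewrite host suffix and the url parameter are the ones a rewritten link carries.

```python
from urllib.parse import urlparse, parse_qs, quote

# Every Safe Links rewrite host is a subdomain of this suffix (na01, eur01, ...).
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def is_safelinks_url(link: str) -> bool:
    """True only for an https link whose host is a Safe Links rewrite host.

    The check is anchored on the parsed hostname, so a lookalike such as
    safelinks.protection.outlook.com.evil.example is not mistaken for one.
    """
    parsed = urlparse(link)
    host = (parsed.hostname or "").lower()
    return parsed.scheme == "https" and host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelink(link: str, max_depth: int = 5) -> str:
    """Recover the original URL carried in the url= parameter of a rewrite.

    A link that is not a rewrite is returned unchanged. A rewritten link can
    itself be wrapped again (e.g. when forwarded through another protected
    tenant), so unwrapping repeats until a non-rewrite link is reached.
    """
    current = link
    for _ in range(max_depth):
        if not is_safelinks_url(current):
            return current
        targets = parse_qs(urlparse(current).query).get("url")
        if not targets:
            raise ValueError("Safe Links URL without a url parameter: " + current)
        current = targets[0]
    raise ValueError("Safe Links rewrite nested deeper than %d levels" % max_depth)


# Constructed samples (not from a real tenant): a rewrite of
# https://example.com/login?id=7 and the same rewrite wrapped a second time.
ORIGINAL_URL = "https://example.com/login?id=7"
SAMPLE_REWRITTEN = (
    "https://na01.safelinks.protection.outlook.com/?url="
    + quote(ORIGINAL_URL, safe="") + "&data=placeholder&reserved=0"
)
SAMPLE_DOUBLE_WRAPPED = (
    "https://eur01.safelinks.protection.outlook.com/?url="
    + quote(SAMPLE_REWRITTEN, safe="") + "&reserved=0"
)

if __name__ == "__main__":
    for link in (SAMPLE_REWRITTEN, SAMPLE_DOUBLE_WRAPPED):
        print(unwrap_safelink(link), "<-", link[:60] + "...")
```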

Above I mentioned that if the “Do not track user clicks” option is selected, ATP won’t gather reporting data. But what if it is not selected?

Reporting

To access safe links reporting, choose the “mail flow” option from the Exchange Admin Center interface:

safe-links-reporting

This works the same as the other Office 365 mail flow reporting widgets. As you can see, you can choose the date and time range for your output. You can also search for an individual’s results by using the ‘recipient’ option (not shown, but on the page towards the bottom). It is also possible to search for a specific URL.

safelinks-search-by-person-or-url

To demonstrate a search, let’s click “search” (not shown in the screenshot but at the bottom of the interface, as usual) and gather a broad report:

safelinks-link-listing

The recipient addresses have been obscured for obvious reasons.

By clicking on one of the line items, it’s possible to view greater detail:

safelinks-detail

This gives you the ability to analyze safe links’ actions more closely for a particular user.

I know that I mentioned PowerShell cmdlets at the top; we’ll tackle that in the next post.

The Cloud Era Demands More (and different) Things from IT Professionals

If you’re like me, an IT professional of ‘a certain age’ (and, come to think of it, even if you’re younger but toiling in an enterprise still struggling with legacy practices), you know what it’s like to work in a siloed IT environment.

I’m sure you know what I mean by “siloed”: the database team works separately from the SharePoint team, who speak imperfectly with the various dev teams, and so on, and so on.

This approach to enterprise IT, which fosters an emphasis on individual technical prowess over solutions, and a tendency towards isolation from the concerns and pain points of end-users and business units, is losing whatever charms it once held as cloud technologies and methodologies become standard practice.

Here’s a concrete example…

For many companies, messaging, in the form of Exchange Online, is the entry point to SaaS as represented by Office 365. Typically, the goal is to reduce server footprint, licensing costs and operational complexity by moving the email function to the cloud.

And just as typically, the messaging person, long accustomed to fulfilling that role more or less in isolation from other IT roles (with interaction, as needed, with teams who need messaging services), expects to continue along that track.

But the movement of this workload to the cloud makes that nearly impossible.

Cloud services, such as Office 365, operate on a scale not achievable for most enterprises and take advantage of computing fabrics (in the case of Office 365, the Microsoft Graph) that turn discrete technologies, such as SharePoint, messaging and cloud storage, into aspects of a unified collaboration framework.

This represents a powerful change to the IT function which alters the demands placed on IT professionals:

  • Solutions: a focus on solutions over pure technical prowess
  • Flexibility: a willingness to cross technology boundaries that follow the data flow throughout your cloud platform
  • Communication: assuming an ‘evangelist’ role in your organization, promoting workflow modernization via cloud services

You find solutions by listening, seeking to mate technology to an organization’s needs instead of trying to bend people and their work process to the constraints of a technology. In the cloud era, failure to do this leads to ‘shadow’ and ‘credit card’ IT, as teams work around central IT obstacles by adopting cloud technologies independently of company strategy.

You achieve flexibility by leaving your silo (dev, operations, messaging, database, etc.) and developing a broad, cross-functional body of expertise that is built on an understanding of a platform, thinking of the service in utility terms.

You develop an effective communication strategy by understanding that a key part of your responsibility during this moment of transition, from exclusively on-premises technology methods to hybrid or all-in cloud adoption, is to explain the benefits and provide guidance.

These skills have always been important, but in the cloud era they have taken on a critical importance not seen for quite some time. As an IT professional, your success will be measured more and more by your strength in these areas, even above your (surely solid) technical chops.