Maximising security and compliance features from Microsoft 365 E5 license - 22 November 2022

Tips on maximising existing cyber security features from our free webinar with Microsoft on Tuesday 22 November 2022. Chaired by Geoff Connell, Director of IMT & Chief Digital Officer at Norfolk County Council.


Arron Kerai: Hi everyone, good morning, thanks for your time this morning, much appreciated. So, again, as Geoff mentioned, by way of introduction, I'm Arron Kerai. I'm a cyber security specialist in Microsoft and I'm joined by Chris today, also a cyber security specialist on the technical side. So, he'll be running the, the majority of the session today. So, I mean, Chris and I have been working in local, regional government for, for many years and we've seen that many organisations adopt the Microsoft portfolio, the technology portfolio to help with things like transformation and with the digital initiatives. But what we've seen recently is that we've launched a, a campaign out there. That's about doing more with less, and, you know, it doesn't necessarily mean, you know, doing more with, with, the, you know, working harder with less time. But it's actually on the technology (mw 00.38), using the Microsoft platform to make the most of your existing investment as we continually add extra value, extra capabilities. All that sort of stuff in, inside what you've bought. So, it's using what you've got and using the new stuff that comes out of that to more effective us. And again, you know, having all that capability is good, but it's about how do you keep up with that. You know, what's new, how do you see how it can improve your processes and how can it also mature your security.

 Right? So, that's all about the session today, we want to make sure you can use what you've got and make the benefit out of that. So, the idea is we'll focus on the E5 security and compliance technologies within, within E5. Again, as Geoff mentioned we've broken it down into four different pillars. Identity, end point, threat protection and compliance and governance. And you know, we can spend a lot of time on each of these things, it could be several days, but we've broken it down into what we think is the most relevant for local regional government, an LRG. So, we want to make sure it's useful for your time today. WE do have time for Q&A at the end of each one as well, as Geoff mentioned, which will be good. And again, if you can hit the thumbs up on any questions that you have in the chat, we can prioritise them in the time that we have for the Q&A, so we can really make the most of your time today. So, before we dive in, just a quick level set on 356, Microsoft 365 and the E5 side of things. So, as you can obviously gather, we covered E3 last week and the E5 builds on top of that capability. And it focuses on these four areas, security, compliance, voice, analytics. And of course, today will just be around security compliance. To kind of ensure that you know what you have as part of this licence stack. Or, at least what you'll gain if you decide to move to E5, it's these features.

 It's also worth noting at this point that each of these things can be procured individually, if you have those individual use cases. Or, you know, many customers have realised that actually procuring all of them as, as kind of the full E5 suite, results in, in a lot of extra savings in that, sort of, vein. So, worth knowing these before we start. So, with that in mind, I'll pass over to Chris and we can crack off with the bulk of the session.

Chris Howlett: Okay, thank you very much. I've just turned my camera off, just because I'm sharing lots of monitors, lots of screens, so I don't want anything to go wrong, basically, while, while presenting. So I'm just going to dive straight in, as I said, to identity. We're going to build upon some of the stuff that we, we spoke about last week, so the two recordings should hopefully go quite well together in a two slide deck. We will be focusing, as I said, almost entirely on E5 today and around that functionality. Just want to put this point in there for those who weren't on the last, on the last call. For the love of God, turn on MFA if you haven't done so already, just wanted to put that out there. Yes, it's E3, but please turn it on, it is so important. Okay? So, the bit I want to start actually focusing on when getting into, into E5 is actually talking about Defender for Identity. So, this is a-, to protect your on-premise infrastructure. But it's actually using cloud-based services to be able to do that, effectively. So, Defender for Identity, effectively has an agent that installs onto each one of your domain controllers. I appreciate guidance always says never put anything on domain controllers but we need to gather that information. We do proxy the information out, so nothing sits, you know, your domain controllers aren't talking directly to the internet or anything along those kind of lines.

 But what we're effectively doing here is what's called user entity and behaviour analytics. So, we're picking up on what's actually happening inside your directory and there's an attacker, effectively, snooping around in your directory. And making sure that we can basically batten down the hatches, or most importantly eject them before, you know, the, the worst happens basically. So, here's just the anatomy of a, you know, the, a cloud, an-, well hybrid attack basically to both on-prem and the cloud as well. So, we have the attacker gets in and they'll get hold of credentials somehow and they get inside the organisation. We've put here they may be a user that's not on an MFA account. It could also be somebody on the back end of a VPN, so they're on a trusted device, or whatever else as well and they've come across the VPN. And they're getting into your network. And what the attacker actually does, is it doesn't necessarily go, 'Right, what's actually happening.' And just snoop around and just, you know, try and encrypt things or whatever else, straight away. They need to know where to turn the thumb screws, etc, as well. So, there'll be lots of activity going on to say, 'Well, actually where? Who, who are the admins? Where does this data actually reside? Where does it actually go?'

 And there may be users going, 'Well, I, I'm going to try as a standard user, try and access a bunch of finance shares which I may not actually do.' I might try and enumerate the directory, so I go, 'Who are my global admins?' And things along those kind of lines. And of course, as an attacker, I'll be doing a lot more, such as actually trying to inject malware or inspect hashes of credentials or do, do any kind of lateral movement. As much as I can do on that device, or across your network, to try and get that domain dominance, you know, turn the thumb screws, encrypt it. You know, launch ransom ware, whatever the attack might actually be. And that could include actually getting to exchange on line or SharePoint on line and trying to steal a load of data from that side. We'd be looking at Defender for Identity, so, so as your identity protection, to see what's happening in the cloud. But from the on-prem's pieces, we can start taking a look and having these controls that are going-, see what's happening in your local active directory. So, the analogy always used to show the importance of Defender for Identity and why we've started with Defender for Identity as well. Is that it's as much of the analogy, is that you're driving a car, okay? Your car is your endpoint, your estate, whatever it is, as well.

 So, you've got your airbags and all that kind of good stuff and all the advance warning systems and things like that as well. To basically say, 'Right, you know, you've been hit we need to absorb as much of that as possible. And mitigate as much damage so you don't get hurt.' So, the driver is effectively, be your data, effectively and you don't want the data getting hurt or stolen or damaged or whatever else it might be. Defender for Identity in all of this, is effectively going, 'Well rather than actually having something in the car to protect and mitigate damage. It's like turning your high beams on.' You can now see what's coming down the road and you can swerve around it. So, before any of your other security is actually required to actually mitigate the threat, you can see what's happening and see what's coming down the road. This is why we put it first and if anyone has been in any of my sessions, done anything with me around dark to deployed, whatever else as well. I always say this is the most important security to put in. Because it's there before any other security is required, it is your early warning system. So, you, this is covered under your E5 licencing and as I said, you have an agent you have to put on each domain controller, the agent is very thirsty.

 So you run a sizing tool, to say, 'Well how much RAM and CPU does it actually require and it then bases it on the, how active that domain controller actually is. And you record that over time to then make a-, make a fair assessment. So, again, just putting that in perspective, Defender for Identity is not just about that detection piece as well. It can also do a lot of preventative measures, so there are lots of bits and pieces we can put in place, to actually harden your active directory and do an assessment of your directory, and make recommendations to say, 'You should turn this off, you still have legacy protocols in place.' Now, like, you might have, yes, the old NTLM protocols in place, like LAN Man 4 or something along those, kind of, lines. So, to actually make suggestions on how you can harden your environment. I appreciate there is also legacy apps that might still require that side of things. But hopefully the majority of you, if not all of you have actually gone into at least 2012 R2 and above on your domain controllers, and a lot of that legacy stuff is no longer required. So, fingers crossed, so we can pick out on that and do, do some assessments there. As I said, we do do that detection, so there's all that remediation and that side of things as well. Defender for Identity, will also integrate into, as your identity protection as well, so we can actually create a hybrid view of the user.

 And we actually, surfaces via defender for cloud ups, and that actually lets us know and gives a timeline and a risk score, and all the rest, against the users. If we have some time towards the end we'll actually show that off and show what that can look like. If not, we can follow up in a much deeper dive session, should people want to know more about this as well. But again, from us, for me, the most important thing-, and of course, the last, so the most important technology. Of course, the last part of this as well, is you have the ability to respond. So, it's not just a case of knowing something is going wrong, it's having those links to go, 'Okay, this is what we need to stop. This is what we need to get in place.' You know, how do we actually stop it and give that one button response, or whatever else that might be? And of course, that's then tying into Sentinel, or whatever else you're using, to actually create that, to have that feed from that user end-to-end behaviour analytics. So, we can have that really informed response, okay, so we're going to put that, Defender for Identity, is the first piece to put in there. If you haven't turned that on already, I cannot recommend enough to actually get that put in place. As a final point of this, we live in a world of human operated ransomware. That's a, a sad fact and a, a sad reality unfortunately.  

So, this is going to be, if somebody is actually in your environment, we, we've had a, a council that basically put this in, probably about two years ago. And they found that there had actually been an admin breach, they put in around December-, December, January time. And there had been an admin breach since the previous July and those attackers had access to build servers, so imaging servers and things along those kind of lines. Which made it very hard to ascertain how far that attack had then gone. But it was effectively, you know, quite late in the day of a ransomware attack and it could've been-, the attack could've been launched literally any day after that. Because they were that far into the environment and knew what to do etc, as well. Again, Defender for Identity picked up on all of this and was able to stop it before the worst basically happened. Okay. Okay, so the next one is a bit about conditionally access. Of course, everyone knows about conditional access and hopefully everybody is actually using that as well. But the first area I want to, sort of, focus on, as you come into the E5 side of things, is this session risk, or the risk effectively that's associated with the authentication. So, under E5, we have this vast amount of data and that number is probably even higher, of what we have to look at at any given time of the amount of feeds and signals and all the rest that we've actually got.

 To say, 'Right, what's good, bad or otherwise?' And is this authentication actually good? So, it could be that the user has again, patterns of behaviour. You know, they regularly log in from home and we can pick up from the, the block of IP addresses, the ISP users, all that kind of good stuff as well. So, we know the user, we know the device, we know the location, we know the resources they access, all that kind of good stuff as well. No one can see this apart from the machine learning, so it's not viewable by anyone in Microsoft, or anyone else elsewhere. But we can make that assessment to say well actually they never work in the office. But if they have come into the office that one time, they'll say, 'Well, that's out of pattern behaviour.' So, that time we're going to challenge them for MFA, or we'll challenge them for something else. Or, something is out of pattern to say, 'Right, actually validate that you are who you say you are.' And this then works in linen with that zero trust model. So, effectively, what we're saying is, you know, if the user is consistently working in these patterns and behaviours and there's a number of locations that they can work from. We don't disclose how many of those locations they are, and we have over 200 indicators of compromise to say, or potential indicators of compromise, to say, 'Right, is this account potentially compromised?'

 And then we evaluate that as risk, as low, medium, or high. So, if it's low risk, we want to stop it, medium risk, maybe settle for self servers password reset. High risk, enforce a block. Could be they're accessing a really secure service like Mosaic of Liquid Logic, or something like that as well. You'd say, if it's low risk, just block it, because we'd rather inconvenience the user, than have any of that kind of really sensitive data actually be leaked. The other aspect of this is then going to that BYD piece, is to actually say, 'Well, we can take that, that evaluation of the point of authentication. But we also want to be continue evaluating that risk during the session itself.' So, so, it's a jumping change or something the user do something, it could be their machine is compromised. It could be they start accessing resources they don't normally access, whatever else that might be, we can evaluate that risk. So, what that then means is, is to put that as a, you know, quick little walk through. So, we can say the user risk is low or whatever else as well, medium, depending on what you want to accept. Is that they can view and print and do what they need to do on that side of things. The risk is then elevated and as they elevate the risk you say, 'Well, actually no, you can only view the file now.'

 And we can do this based on the sensitivity of information and we can basically look at the context of what the users are actually accessing and take action upon that as well. And we can automate that whole response, so yes we can-, we might inconvenience the user. Again, I'd rather have a user slightly inconvenienced, than have a breach. And have something potentially what is a compromised account, actually do some damage at that point as well. So, I just want to put that whole bit in perspective and what the end user experience effectively going to be is, as I say, 'Well, actually this action is blocked.' So they may see it, they, they can carry on and do what they need to do until they do something that crosses that line. And you determine where that line actually is in your policies. So, you can say, 'Well, actually no, you're not allowed to download data.' You can view and interact with it and you can edit it and save it in place, but you cannot download it. You cannot take copies of it, you can't take print screens of it. You can ex-, exultate data or whatever else as well. Okay? So, just to put those, those kind of bits and pieces in place there. So, if you pull all of that together, we've kind of got this feedback loop that we have for identity. So, you know, something bad happens, we pick an incident, whatever else that might be.

 So, that would probably be hit by your security teams or something like that as well. Security investigates that and says, 'Yeah, that is definitely compromised.' It's not the user has just gone on holiday, so you may-, might, eject that, reject that as a reason somebody is logging in from Eastern Europe or whatever else it might be. It's because they might legitimately be on holiday there. So, we can say that, is that a compromise and we can, you know, not compromise and we can just say, 'Yeah, we accept that risk.' Or, it's actually compromised, it is actually a stolen credential or something along those kind of lines. So, at that point we understand what has actually caused it, you know, is it a leak or whatever else as well. Whatever-, you know, where do those credentials potentially leak out, etc, as well, and we've got all the tools to investigate that. So, you then tweak your conditional access policies and say, 'Right, no you're just not allowed to log in from that location.' Or, you're not allowed to do X, Y, Z. And just have a little tweak to actually, to be able to deal with it. And then, you know, if that incident occurs again, it's just automatically blocked by conditional access. So, great controls and great bits and pieces we can put in place. But I also really want to emphasise the point, there is a lot of automation in here, but there isn't total automation.

 You know, you guys still need to be at the helm, you still need to be keeping an eye on what's actually happening in your environment. We can reduce a lot of that noise and give you actionable intelligence, but you still need to act upon it, okay? Next bit and just the last bit around identity and just keeping things focused, etc, as well. Is we want to tackle that joiners, movers, leavers process head on. I talk to a lot of my customers about this, because this is something that I'm really, you know, quite passionate about actually. Is understanding that process of when a user, a user then joins the environment and what they actually get access to and how that's actually managed, etc, as well. So, probably a scenario that's probably relatable to most people, is you've got, you know, Jan, a fictitious person Jan, has joined finance. She's been in finance for a couple of years, she then moves on into HR or something like that as well. A couple of years later, someone comes to a HR query with Jan and, something, complaining about their pay or whatever else as well. And Jan goes, 'Yeah, sure, that's not a problem, I'll just check your, I'll check your payslip. Because I've still got access to all the finance systems and things along those kind of lines.' Next user comes in to join HR as well and goes, 'Oh yeah, we know Jan works in HR.

 So, we'll just copy Jan's account we're going to set up and she's now got all the-, the new user now has all of Jan's existing permissions. And then all the finance permissions and things along those kind of lines. And whatever else has actually happened in that environment. Again, you see, try and automate as much as you can do and then you go, 'Well, I'll tell you what Jan has left HR. Left finance, and joining HR, so we'll strip out her finance bit.' and Jan goes, 'No, no, no, I'm still doing a handover, please can I-, I need access for the next couple of months on both as I hand off one and train up on the other.' And as I, as I change roles so I might actually remain in both roles, there may actually be a, a situation for that. So, that automation piece and that lot starts to drop out and becomes very, very difficult. When 90% of your users, or your use cases are probably exceptions rather than the rule. So, it's really hard to deal with, so what we want to be able to say is actually, we want IT to have full control, but we put that day-to-day running, that bureaucracy and most importantly that accountability out to the business about who should be able to access what. Because they're the ones that actually know about their department and the people who live and work there. It shouldn't be IT's responsibility and that's actually very hard to do.

 So, what we do is, we take a step and say, 'Right okay, so let's integrate into HR systems as much as we can do to start off with.' And say, 'Who should be in the directory? What apps should they have, should have access to in the first place?' And we'd be able to automate that through provisioning. To say, 'Okay, they joined this and then we, we say they get a member of this group or whatever else as well.' Then they can be automatically provisioned into a CRM system, or into a HR system, or whatever else it might be. And they're automated with the right level of controls as well, should that service actually support that. And we can actually do provisioning back to on premise now as well. We have-, Sequel needs to be involved in it and some, a little bit of understanding. But we can say actually by adding someone to a group and to Azure AD, they can be added to an application in, in, on-prem. In the same way they can be added into Teams sites and SharePoint libraries and all that kind of good stuff as well, online. And we can even go so far now as to add groups, we can do roles in Azure AD. We can also-, we're just adding in, it's in preview at the moment, to be able to add in Power BI controls as well. Or, so, Power Platforms I should say. So, you can add somebody to a Power page or somebody to a Power BI dashboard.

 Add them to a Power app or whatever else that might be. We can then provisional of that, and make it into a self service request, but we give that, that auditing, the recertification and accountability of who should agree to that person having access to a finance resource, or a HR resource. Or, you know, maybe welfare or whatever else it might be, obviously there are hundreds of departments. So, let's actually work out what that is and give that accountability to them. They can simply say, 'I approve that.' Or whatever else as well, so then they can also say, 'Well, actually every week, ever month, every quarter, half yearly or yearly.' You can say, actually should these people still have access to these resources. So, let's say Bob is owned finance as an example and say, well, Bob will go-, 'No, no Jane still needs access to finance for the next month, I'll keep her access in there.' The next what we call access review comes around and says, acutely a month later, Jan has finished her handover, so we'll now take Jan out of finance, but keep her in the HR pieces. In the same way Jane would've gone to the person in HR and gone, I'm coming to HR. I need access to the HR resources. Then you've got a whole audit trail and accountability, help-desk hasn't been involved. It's all very simply set up, IT have the control over this, and determine what resources people see.

 But all the approvals and justifications go out to the business. And let's be honest, if there's a help-desk request that comes in, the first thing you're going to do is go to somebody in that department and go, 'Is this right that somebody has access to this?' There's really great controls, you've got this built into Azure AD Premium PT and with that provisioning component we've just brought in to the on-prem side of things. This really starts to extend this, what is a cloud based control, back on Prem. Okay, so really important piece here. So, it's-, what this should really mean is, is that, that joiners process becomes a lot easier. The leavers process then becomes a lot easier on that side of things as well. Because you can just strip out their privileges as well, but most importantly that really complex bit of the movers process and the amount of caps that people wear and all the rest as well, becomes very easy to manage. This isn't an all or nothing thing, this is something you can put out to the business, you know, for one app at a time. You can do it for entire, entire departments at a time, you can do it a big bang, whatever you want. Okay, but to get this set up. So, I just really wanted to put that bit out there. And of course, we have this whole lifecycle that goes around that and all the auditing, reporting, etc, that goes, that goes on top of that as well.

 So, just as a really quick demo, just to show through this, around that lifecycle piece. You know, identity governance piece as well, the first bit I wanted to talk about was connected organisations. So, this is a new way of working and a new bit that we've actually put in that ties in to these entitlement packages. And I've got my, my organisation that I set up here earlier on, which happens to be a, my personal one I've just set up for demo purposes. But what I've effectively done in this governance is says, right, me as my demo tenant here, trusts this other tenant called How it Works. And what that means is, is those access packages that I create that contain those SharePoint sites, Teams, applications, you know, privileged or whatever else I need to have in there. Whatever you choose to put into that access package, I can make it here and present it out to the other tenant. To the one that I've set up as a connected organisation. So, all my guest membership and group membership and all the rest as well, that is automatically managed. I can save from this connected organisation, I can take what's called the claim of their MFA and their trusted device that they've set up in their tenant. That they trusted it and they've given MFA and their tenant and it's an enrolled device in their tenant. We can take that trust and say, 'Yes, they're allowed to access data in our tenant.'

 And you set that up for very specific organisation. So, for all of those, dropping into ICS's. You know, so you're working very closely with the NHS, this could help remove a lot of that friction of working with them. And providing access to those resources as well. Again, a one time set up to actually set up the collaboration and then you're looking to, just to manage your access packages and what you want to present out. So, a really great control, great pieces that we can put in place there. There is lots and lots of other stuff we can show, but I just want to make sure we stay on track. So, with that, is there any questions or anything else that has come up? So, I'm just going to take a quick look through the chat as well. And I've got, we have a shared on-premise AD, with two other authorities and that AID connect just syncs ROU from the domain, can the Defender agent be installed and work in this scenario? Yes it can. Currently we can work with up to 30 individual forests at the moment-, or 50 individual forests at the moment, and we're looking-, courtesy of the NHS, we're looking to actually break that barrier. Because they've got 24,000 separate organisations. So, but currently we can work with 50 separate forests. You can manage all of those in a single defender for identity tenant (ph 22.21), basically. So hopefully, Andrew, that answers your question. And ideally, they should hopefully have individual domain names. If they don't have individual domain names, i.e. they're both called, like, domain.local or something ridiculous like that, then you can tag them and make sure you've got that information. You can easily identify them, as well. Okay. And, next one, just checking. Yeah, in the deeper dive sessions-, we're definitely happy to follow up on those deeper dive sessions. Just checking, is there any other questions or anything else before we move into the end point side of things and just stay on track? And, yes, after end point there will be a quick comfort break for people if they wanna grab a coffee, whatever else as well, just for 5 minutes. But if I can't see in there, so-,

Moderator: Chris, Ben's got a question at the end of the chat, that I-,

Chris Howlett: Yep, yeah, I just scrolled down. There does seem to be a case of so many portals, when often large amounts of overlapping information, so Defender, Sentinel, Entara, Emcaz (ph 23.19), Endpoints, et cetera, I'm sure I've missed one. So, just as a quick one on that side, I happen to have the main portals actually open here. So what we'd have is the security console, so Emcaz (ph 23.31) and all the rest as well, as you'll see, it's Cloud apps is now come into that security console. So, effectively, we're managing security and we call that, 'Defender.' That's in one console. We then have, sorry, Entara, so, this is Purview, sorry. So Purview is going to be all our compliance and governance pieces, and bits and pieces to go with that. So information protection, record management, data classification, all that kinda good stuff goes into that portal. We will then have the Entara portal to go on that side. So the Entara portal is then managing identity, and finally we have the Endpoints portal. So, yes, we have listened, and there has been a lot of portals in the past, so we're now pulling those together. And the S Defender for Cloud's in the final one of Azure for the infrastructure pieces. Ultimately, what it should really be focussing on, is hopefully there'd be six portals in total. So, there-, because, obviously, Microsoft-, the Microsoft stack covers so many solution areas as well. So we have security in the Defender piece, we have that cloud-, you have the infrastructure and deeper security in that side of things, that goes into the Azure portal. We have data protection, which we now call Purview, and that side of things sits in the Purview portal. So compliance and governance in one. So basically, users, devices, apps, data, basically. That's, kind of, the portals that we've got there. Or most importantly, identity, end points, compliance and governance and threat protection are the four portals. The final two that sit at the top of that, as I said, are the Azure portal, because this is your infrastructure piece and, yes, server security will sit in there but that will bleed into the security portal if you want to have it all in one place. And the final one's the Office 365 app in portal. And that's just to manage your licensing and users and, you know, the general day to day stuff around office 365. So yes there's still-, six is quite a lot, but that makes it-, you know, it's better than, like, the fifteen or the sixteen that we had previously. And hopefully make them a lot better. Yeah, I love the data protection and functional names. We are an American company so we're gonna have some funky names that go around it because, you know, that's what an American company does. So, so Defender for Cloud Apps, it is-, was re-badged from Microsoft Cloud App Security. So I appreciate there's been lots of confusion around the re-naming and things along those, kind of, lines. But the idea being is we now have these four, really distinct areas. So, again, Threat Protection, Defender, Identity Entara, Endpoints-, Endpoints, obviously, In Tune Endpoints, and then the-, you know, Compliance and Governance under Purview. So if you see-, if it's Purview something, you know it's related to Compliance and Governance. If it's Defender, you now it's related to security. So all the re-badge and renaming has done that so it's very clear solution areas. And obviously, you know, we're huge. We cover so many areas. Hopefully that makes a little bit more sense. Hopefully that's helpful for people.

Moderator: That's great, Chris

Chris Howlett: Cool, can I now jump onto the next section?

Moderator: Yes, absolutely. And just to let people know that there's going to be a five minute break between the next section and the one after so, right. Back over to you, Chris. Go for it.

Chris Howlett: Yeah, at the end of this section there'll be a quick break, yeah. Cool. So, so the first bit's going to take you through a quick bit-, a quick walk through. These are slightly old slides but the-, the view is pretty much the same. It's just got some, sort of, old portals, I couldn't find the updated ones, of how Defender and Intune actually work together, okay. So here we have an attack, when something arrives on the Endpoint, basically. So somebody's plugged in a USB drive, whatever else that might be. And something's being detonated all over us as well. So we pick that up in the Defender portal, so sorry for the old views, it's just-, just laid out really well. So we pick up on that. At that point we-, we raise a high-, a high security alert et cetera as well. At that point Defender for Endpoints has picked up what's actually happening, it knows that the machine holds sensitive data, et cetera, as well, and we can have the authentication context, it comes from-, from Azure AD that actually has that information as well as what's picked up on scans and things like that as well. So it then holds-, it applies this proactive defence policy and actually it raises the machine risk level to high. And when the machine risk level is high, it basically then changes the device to not compliant from an Intune perspective. So, and when a device is not compliant, it means that any conditional access policy that says, 'You must be on a compliant device to access this data,' is now-, will no longer work because this machine is currently under threat and it's being dealt with. So the user goes to authenticate and it goes, 'No, no. You can't do that because the device is out of compliance.' Basically, your device is not ready or whatever else as well. The viewer can go off and look at their kitten videos or whatever else as well, you know, they're not blocked from doing any of their other work, they just can't get to anything that's protected by Azure AD compliance policy, so CA policy, rather, I should say, that says, you must be on a compliant device.

 Okay, so that can include other apps, it doesn't have to be SharePoint or OneDrive, it can be other places as well. That includes accessing it via the apps and things along those, kind of, lines as well. Now the automation kicks in, deals with the incidents and whatever else as well, investigates and remediates it. Might require that being an intervention or whatever else that might be, but that's then-, that's then dealt with. And at that point the user can then go back in, although they can't access sensitive information while the remediation's, sort of, kicking in at that point. Threats are remediated, the risk is now-, the risk is removed and the officer can now sign back or the user can now sign back in and do what they need to do. So we've automated that entire process. So in the case of an attack, or whatever else, as well, we've inconvenienced the user, but we've stopped the attacker being able to get hold of any data or get hold of anything sensitive on that device. And that includes any data that's being stored locally that might have been tagged as sensitive, as well. Okay, so, a great control. Again, entirely automated, and this is literally a single button click to get that turned on and I'll show you where that sits in just a moment as well. Then, of course, you can review the incident and all the rest as well and make sure that it's all okay, there hasn't been any further lateral movement or whatever else as well. But from the end user's perspective, their device is now safe, and they can get on and they can carry on working, and now the admins got all the logs they can pore over to find out what actually happened and has it got any further. Okay, and we can go through those various different portals.  

So the other aspect of what we'll have on the Endpoint side of things, is the threat and vulnerability management piece. Now this is becoming a bigger and bigger thing, I know it's a big thing for most cancels (ph 29.47) as well. We see a lot of people either using-, directly using the threat and vulnerability management capability, built into Defender for Endpoints. Or we see people using things like Nessus or Tenable or something along those kind of lines, or potentially Qualys or something, to be able to get those bits and pieces out. But for those who haven't turned this kind of functionality on, I cannot recommend it enough. As I said, you have all these, kind of, like, risky vulnerabilities and all those, kind of, bits and pieces that go with that as well. So it could be-, as an example, we'd have the Log4j. That was obviously one of the last big ones that went out as well. There will be another big one. That is the nature of the beast and what we actually do. But effectively, what we can do is we pick up on these, kind of, threats and what's actually happening in the environment, is we can start tagging machines and let you know that, actually, this is everywhere that's got that vulnerability. And I'll you through the console in just a moment on how that can effectively help you. We have a console that looks a little bit like this. But effectively what we can do is real time discovery. I say real time, under the E5 banner, we're-, typically it's about 24 hours or so to update on some vulnerabilities. More critical ones will come through sooner but typically we run the scan, like, every 24 hours or so. And then we can then do all that prioritisation, et cetera, as well.

 There is a new add on coming. You might have seen actually just land in your portals as a preview, and you-, you've been given a licence for, effectively, the next five or six months, that's added a bunch of extra functionality around the defender-, the threat and vulnerability management. So those updates on the newer add in, is actually genuine, real time protection of what we actually put in place. The updated one, Ben has just put in the chat, it is faster. It is real time, effectively. So taking a look at a quick demo of what we actually have on that side of things, if I actually go into my vulnerability management on the side here, I've got a dashboard. This is my own environment so I do have a limited number of machines in here, but I've still got, you know, something to show at least, anyway. So what I can see happening in my environment, is I've got an overall exposure score. So this is the kind of portal, maybe, my CSA wants to take a look at or CIO, or something like that, and just say, 'Well, how bad is my environment,' or, 'How good is my environment?' For that matter as well. And what I have is these few extra bits and pieces I could put in place. So the recommendations will all be covered under E5 and what I'm going to have is, basically, these are controls and configurations et cetera that I need to turn on and get configured, and put in place, et cetera, as well, to actually improve my-, improve what I can do. That will also feed into your secure score as well. So you have threat and vulnerability management turned on, that will have, initially, a negative impact on your secure score, as you start closing off these vulnerabilities in your environment, updating software, putting proper configuration out, things along those kind of lines, your secure score will improve. But obviously that becomes more of a truer representation of what's actually in your environment as well.  

From a remediation perspective, if I take a look at this, I can take a look, oh I know I've got some Windows 11 machines that need to be updated. What I can do, is I can take a look to see, you know, which machines are actually affected, again, very limited demo environment here, which devices haven't had it installed on, and the associated CVEs. So tying back to that MITRE ATT&CK framework, you know, what-, what is it actually closing off? What's actually affected here? What's the number of devices that are explicitly exposed to this et cetera, as well. And what I can then do, is then create a remediation request. So I can say, 'I want to update the software, add an installer, whatever else as well,' and say, 'This is going to be an updated one.' For my AAD domain join devices directly, I can throw that across directly to Intune. I should be able to throw it into Intune anyway. And I say, 'I want this to be updated by, you know, in the next week.' You know, obviously be a bit more reasonable or (inaudible 33.33) what's on that. And I want that as a high priority, maybe a medium priority to get my updates done. You know, get those rolled out, go through my update rings et cetera as well. And what I'm now going to have is this software update and I can request that in my Endpoint manager. So if I go, now, across to Endpoint, and my Endpoint security, I will actually have-, as soon as this loads, hopefully the demo gods will be with me, I'll have these security tasks that I come across to update software. So I've just got this, 'Update Windows 11,' one, so this has just come in. It's a pending one that's come in. One impacted device that I put in-, literally just put through. So what I've basically done is bridged a gap between security and infrastructure, although that-, there's typically the same people in LRG depending on the size of your organisation, there's typically very little to actually say, 'Left hand talk to the right.' Across, when I escalated this and put it across, I've put it into Intune and have that tied directly.  

You might also put it into your ITSM tool like ServiceNow or something like that as well, and have that pushed across and have a ticket raised in there as well. But the idea being, is you can ave security actually talk to infrastructure and close off that gap, and have-, say, 'Right, actually, this is critical, this needs to be done.' If you're then doing things like co-configuration, for those who still have SCCM or something else in place, you can say, 'Well, actually, this packaging I can actually leave with security so-, and this security update or whatever else as well, I want security to be able to take care of that.' So in my co-configuration, so co-management, I say all my security update goes across to Intune, Intune will now take care of all these updates and all the rest as well and it may be down to security to manage that if you want to divide up responsibility and then the end user compute teams can still be involved or they can just focus on apps and a general day-to-day running and, you know, all the image building and all that kind of good stuff that goes with it as well. So, again, you know, left hand talking to the right. And going back to the threat and vulnerability management side of things as well, some extra bits and pieces that we've put in is that we have these inventories that we've put in. So, we can inventory software. So, this is, again, building upon the functionality that we had in, in threat and vulnerability management to say, you know, what software's actually installed in all the machines and all the rest as well, you'll be able to-, you should be able to see it, it's under E5 but what we can now put in is browser extensions. So, I only have the one in my demo (ph 35.49) environment and yes, the purview one is seen as critical because it does ask for lots of permissions and things like that as well. Obviously, we can trust this and close off the risk for it but we can still see all the browser extensions and that lot that have been installed in our environment. For me, probably the most important one and while this is still free to you guys, if you don't-, if you're not actually going to pay for it, I, I can't suggest enough how important it is to basically take a look at your certificates and actually get these sorted out in your environment so I can see what's-, even in my very limited environment here, which has probably only got about five or ten machines in, you know, I've still got a bunch of expired certificates, some that are going to expire soon, a whole bunch of self-assign (ph 36.24) certificates. Ones with short keys and ones with weak algorithms. So, these certificates are going to be a big area of attack. There's, there's an ever-growing area of attack. We've also brought in certificate-based authentication to, to conditional access, which greatly eases the burden on MFA and things along those kinds of lines and we've recently just-, even though we just added it in, we improved the workflows for the end users based on feedback, so it makes it easier for them to choose the right certificates and things along those kinds of lines.

 So, it's going to become ever more important that you make sure your certificates are, you know-, I mean, they should do it any way, are secure and managed and up-to-date as well. What you might have seen, as we turned on this additional Microsoft Defender vulnerability management, as we're calling it, that your secure score might have dropped because we would have picked up on lots of extra things that are happening in your environment. So, very important there. The last bit as well, just to go with this, is that we've got your-, these, these new baseline assessments that we put in. So, you can create some profiles and configurations that are based on benchmarks or whatever else as well, so you can just give this, again, just as a, a demo. So, just type into that-, sorry, just put that demo as an example. I can then choose how I want this to rate against. So, I want to take a look at all my maybe slightly older Windows 10 machines that I haven't quite updated yet. I then have the base marks-, the benchmarks that I can test them against, basically. And so I can say I want to test against the CIS controls and the latest implementation of that. I can then choose what level I want to take that to as well. So, I can say I just want that as a level one, basically, the general use one or whatever else it might be and I can then actually assess my environment and see, well, I'm actually conforming to that assessment. I won't have time to actually run this assessment during the demo but you get the ideas that you can then build this up and, you know, you can put additional configuration in place. You know, choose what objects you want to scan and you can now tweak that-, the, the, the template that we originally put in of what you actually want to search against and what you actually want to be compliant against as well. You can then push this out to a specific set of devices. So, although I've chosen those Windows 10 devices, I can say, do my entire estate and just look at that or I can say, I just want to focus on this device group, you know, and perhaps my execs or perhaps the, the front-line workers or whatever else it might be. So, just, just as an example of what you can do around these kinds of assessments. Okay?

 So, also, just going to say while I'm in the portal, that bit I showed between In Tune and Defender for Endpoints earlier on, just having that integration and automatically blocking based on threats and things like that as well, all I had to do was go into my settings, into Endpoints, into my-, then when it loads up into my advanced-, my advanced features and I've literally got a tick box that says 'Integrate with In Tune' somewhere down the list, if it's not automatically there. Somewhere. I think it may even be automatic configuration now. So-, dare I say, it looks like we actually-, we've done it automatically now. No, so, it is there. So, I was right there. So, we literally have that one button to turn that on. That's it, job done. You don't have to do anything else. So, if you haven't turned it on already, I would highly recommend getting that integration turned on because you can stop threats before they start, basically. Cool, right. Appreciate we're whizzing through lots of things. As I said, lots to cover. Is-, just going to go onto-, to question time now and see what's come up in the chat. Yes, so, the, the bit around the TVM piece, the, the extra money's on that. Obviously, I can't really comment so much on our corporate policies and things along those kinds of lines. As it is with all these things, with cloud services, what you're effectively doing is paying for more compute, more understanding, more analysis which basically requires more energy, more CPU's, more RAM, more, more, more, basically and not-, that's not always free. So, obviously, from the E5 piece, we give as much as we can do and then extra bits and pieces, we do have to pay on top. Then it, it may-, things might start to merge together in rolling down. I don't know if that's going to happen, it does happen occasionally, so, hopefully that'll be the case but yes, I'm sorry it's, it's something else but hopefully, that extra functionality, the actual error scanning, all those assessments and the actions as well will go there. So, with-, is there a risk in getting this turned on? Is-, yes, so, if you have-, just-, hopefully, it, it will actually be mitigating risks rather than actually stopping risks or anything along-, rather than creating risks because if anybody is affected by this, as you turn that on, it means their devices are actually under risk.  

As in, there's a threat on those devices or something along those kind of lines. So, yes, you actually want it to take action at that point and yes, sorry, I'd just make, make your help desks aware that you are going to be turning this on so if somebody can't complain, not only does the help desk need to be aware but security definitely needs to be aware as well if, if somebody should be affected by that, basically. Is it possible to get a report on update times as this can prevent updates being installed in good-, as this can prevent updates from being installed in good time. So, that, you'll be using Windows Update for Business to manage that side of things. The threat and vulnerability management can report on devices that are non-compliant and just pick up which devices you might need to go back to but you should have all of this covered in your update ranks. So, what you might need to do is say, okay, well, these are my immediate update rings, so, these are my early adopters, so to speak, and they get it on day one. This is my second update ring that might get it on week two, the start of week two and then these are the, the rest of the organisation that might get it at the start of week three or whatever else as well. So, the threat and vulnerability management might be showing that weakness for some weeks until you've actually rolled out the changes. Oh no, uptime of devices. Sorry. So, where would we report on that? That, that-, I think that may be reported in the interim portal itself, actually, on devices and how long a device has actually been turned on or not or when it was last seen. Do bear with me. I've, I've been poking around the consoles myself. So, I'm just checking the security console to start off with. So, if I've got my Windows 11 machine. I'll just see if it's got uptime or anything along those kinds of lines in there.

 I've got first seen and last seen. Sorry, that's probably just where it got turned on, so, that doesn't really help on that side. You could probably create an advancing hunting query or something like that, that runs on a regular basis, that just picks out the machine. It's not a direct way of doing it, there must be an easier way of doing it. I, I may have to take that one offline to find where that would be but just checking on the devices. And if I check my-, may not have renamed it, I think it's still got the old domain here. This is our Hyper-V (ph 43.15) machine I've got running in the background. Might have to get back to you on that one, just to find out where that data actually is in the last uptime. We'll only have the check-in time. I'll get back to you on that one to find out where that is. I'm sure we've got it somewhere. Right. Just checking. We can feed back on that as a standard report. I can't guarantee that will get made but we can feed back to the product group and say can we just have uptime. The one thing I will say about that is the MDM agent doesn't continuously check-in. It checks in-, once the machine is up and running, it will check in every six hours, unless you purposely do a push out to the device or something along those kinds of lines. So, the uptime may not be truly accurate on that side of things, just, just as a heads up. There might be a, you know, a, a drift of a couple of hours in there or something like that as well but at least you'll be able to pick up the machines that have been running for days and days and days and days at least anyway, okay? But we will get back to you, see if there's a lot of people who actually want that, we'll take that as an action follow-up on that side. Is-, just checking, is there any other questions that people can see that I might have missed in the chat?

Moderator: I think you've covered it, Chris, and so, in that case, I think we'll, we'll take a five minute break now, five minute comfort break, come back at 10:55 and then we'll kick straight into the next two sessions and then just a reminder, we'll have ten minutes or so of, of, of further Q&A and follow-ups at the end. Right, Chris, back over to you to carry on into the next session.

Chris Howlett: Okay. So, next bit, we'll be going onto the big one, old threat protection, talking about Microsoft Defender. So, yes, big, big slide, lots of things going on on this side of things. Obviously, we talk about the kill chain, so to speak, with the, the extent of what we call the extended detect and response. That's a, a, a Gartner term that's been thrown out. Really important thing here is that we can protect across the entire kill chain, from the point that something's actually entering your environment, something going wrong to you being able to detect it, then being able to remediate it and eject it from your environment, basically, and actually, you'll be able to deal with that side of things. I don't want to go through this kill chain. If you've been in any of our meetings, you've probably been through this and had the history of it and all that, kind of-, all those kinds of bits and pieces that go with that. The bit that I really want to call out here is to really highlight that integrated nature of, of basically, the Microsoft 365 suite, or the, the Defender suite, basically. For me, I looked across other councils and got lots of other products in place, like up-streamed secure mail gateways, things along those kinds of lines as well, is the most important thing here is that integration. And if I was to take a look at all my security, no matter what it is, no matter who I'm doing it for, no matter who I'm working for and everyone else as well, if I was in charge of security or had an influence in security, the two primary metrics I'd be measuring myself against would be mean time to detection and mean time to remediation. So, i.e. how do you know-, how quickly can you find out something's actually in your environment and then how quickly can you actually deal with that as well? What we find through lots of disparate tools is that that can start to separate and that that mean time to remediation, and to detection, starts becoming longer and longer and longer and longer. So, what we have here is that ability to, to actually then deal with the threats but most importantly, our products naturally and natively talk to each other. So, to take this as a new thing to put into-, we just put into place to really show you how that works and I apologise for the quality of this GIF on the-, on the next slide here. Sorry about clicking on the link, sorry. The, the GIF I have on the next slide here, bit pixelated but effectively, what we've got is the real-time events of a ransomware invading environment, basically, and what we can actually do and what we can detect and how we can deal with this.

 So, basically, as an attack is, is hitting the environment, we can disrupt that attack at machine speed meaning that how fast we detected it, alerted it and then you guys respond on that, as in, we'd done it. We'd, we'd dealt with it. So, in this case, ransomware hitting environment, it started hitting the machine, we can see what happened, we can see which user is doing that, we block that account and we've isolated that machine as an automated response and we've done that in a matter of seconds of that machine actually starting to behave like it's got ransomware on there. Basically i.e. their files start to be encrypted, whatever else as well on that device. So, we've picked up on it, stopped it straightaway. So, again, in the world of human operated ransomware, we've pulled identity together, we've pulled what's happening on the endpoints together, in this case with a specific ransomware attack and isolated it, dealt with it then and there on the spot. You've then got all the information, all the forensics and everything else you need to do to understand what actually happened, what got there, how, how did the attacker get there in the first place, all that kind of good stuff as well and then being able to go back and do that investigation and find out so you can then basically batten down the hatches and stop that happening again as well. So, then we do this-, we, obviously, we have levels of confidence on what we can do, so, we're looking for a high level of confidence that this is definitely going to attack rather than just quarantining it or whatever else as well, we want to stop that attack then and there and we'll do that for high levels of attack. So, again, a very new feature that we've put in place but for me, this is probably one of the most important features that we can basically put into-, if I just have my Teams up on the side here-, have, have the meeting setup on the side, this is probably the most important feature that we can basically put in for LRG (ph 48.31). We've all seen the unfortunate aftermath of a number of attacks-, of, of ransomware attacks across public sector, so, we just really want to highlight this feature. For those of you with E5, this will just come in and we've basically got this alert story, if you-, it should be in your environments already and if you haven't seen it and if you haven't got it, it will be in the process of rolling out at the moment and in the demos, I'll show you what that could actually look like.  

I don't have an actual ransomware attack that's just happened in my environment but I can show you how, how you can use this alert story to see what's happened but this will build out in real-time as what's actually happening on the machine, okay? So, we can deal with it, again, then and there on the spot, basically. So, anybody wants anymore questions or wants to go deeper on that, I will try and do a little bit more in the demo-, in the demo, just to show you the kind of things that you can investigate and see what's happening but yes, if not, yes, I'll move onto the next section. Okay, right. So, next bit that we call out and seems to be, again, quite a hot topic across what we see across a lot of our councils is the use of upstream proxies versus the use of Defender for Office 365 and as people are coming into the Microsoft 365 environment and into E5 specifically, there's a lot of due diligence and, and rightfully done, of what should be done, should I be removing my existing third party service such as Mimecast or Trend or whatever else it might be and replacing that with Defender for Office 365. So, just as a first bit, just to run the kind of controls that we can put in place and I'll just actually build this out, the level of controls that we have right from the edge, right into that post delivery detection. You know, post delivery remediation, I should say, to see what's actually happening now. So, as I said, from that Edge protection actually coming into the exchange environment, do we actually block it straight (inaudible 50.21) as well. Can we then block it based on known bad quantities? Does URL or the IP address have a low-, a low reputation known for using bad-, being bot networks and things along those kinds of lines. Then we get that sender intelligence that comes in as part of that as well. So, does the DMARC, DKIM, all that kind of good stuff come in. If you do happen to have an upstream proxy, so, something like Mimecast or, or Secure Email Gateway, I should say, if you have something like that in place, we can't always act upon what we see from a DMARC and DKIM place and the way how we would act upon that is actually using custom transport rules and web content filtering and things along those kinds of lines to say, well, actually, based on what we've seen here and the response that we've had, so, have we had a, a positive or a negative response from, from DMARC or DKIM or whatever else it might be.

 You know, hopefully you have a neutral response, so how do we actually deal with that as well and what response can we put in place so you can then put the transport rules in place. You can say, well, if, if we've had a neutral response, then I want a transport rule to say, raise the spam confidence level up to six or seven, not a full nine and it's blatantly spam but, but maybe put that to a six or seven which will then force it through the, the, the spam filter, basically, as part of exchange online protection to say, well, actually, is it spam or is it actually good email. So, you can put these kinds of controls in place so you can control what email does. So, if it's been using-, if you've got an upstream-, an upstream secure email gateway in place, we won't be able to get that kind of information and be able to take the appropriate response, basically, so, just something to be aware of there. Now, what we also have then is part-, going back to that centre intelligence piece is we would have things like mailbox intelligence. So, the mailbox intelligence and things like domain impersonation-, obviously, we have domain impersonation, I should say, the mailbox intelligence would be able to do the user impersonation. So, yes, we have that for the key users and we'll have 350 'key users' that you can put in i.e. these are the ones you really want to be careful of and we want extra scrutiny put around those accounts. So, things like the CFO and things like that, anyone who is likely to be impersonated and can actually then do damage in that side, especially if they're impersonated. But as I said, the mailbox intelligence will pick up on everything else. So, still do user impersonation accounts briefing, all that kind of good stuff as well, so, we'll deal with that and we'll understand again patterns of behaviour and we take care of it. So, this is why we only have 350 users that we can configure here but we actually cover every single mail that's coming into your mailbox and then we have that deeper level of impersonation across, across domains and across specific users etc, as well. Then, of course, as we then go into the content filtering, so, we're now actually understanding, we're starting to analyse, we know where it's come from so we now trust it or not, as the case may be, as it's coming into the environment so we now need to take a look at the content and make sure that what we've got there has actually-, it is protected and safe and good and all the rest as well and this is where we start doing detonation and URL rewrites, all that kind of good stuff as well to say, right, is the-, is the actual attachment and the content of the email actually good.

 Then we'll actually then have that post delivery detection. So, let's say, in the content filtering, a, a link came in that was completely safe, totally legitimate, completely inert, you know, totally fine. So, it's going to breeze through security because it is all legitimate. If that URL is then later weaponised, you know, the attacker's done what's called a watering hole attack or something along those kinds of lines, that email is now sat in someone's mailbox, so it's not going to be going through a filter to say, right, actually, is it safe or not? So, we test it at the point of click and, and the time of a-, and the time and all the rest as well that goes with that and we can see, well, actually, this URL is now unsafe. So, not only we will say, alright, the point of click, is it safe or not, we'll then go back and actually say, well, it's not safe, here's all the emails that are actually responsible for that, so we then go back and actually purge all those emails and get rid of it, basically, and just do that on the fly. You know, we do what we call a zero hour auto purge and take care of all that and then that will update all the intelligence and all that kind of stuff that goes with it, so the next mails won't even reach the environment. So, it might come through as we're building it up. We say, right, okay, actually, now we're marking it as spam, actually we're now marking it as malicious, now we're blocking it. Yes, those kind of controls, as we build that reputation and build those controls but we've always got that zero hour auto purge should it actually reach the end users mailbox and go, actually, later proven to be malicious, based on those kinds of controls. The most important part of all of this though is it doesn't just apply to email. This can also apply to One Drive, SharePoint and Teams and that's the beauty. It's, it's Defender for Office 365, it's not Defender for Exchange and because it's our internal system so, yes, it's-, I appreciate it's the eggs in one basket. For me, the eggs in one basket all talk together and all behave very nicely. Eggs that grew up in their own baskets don't behave well with other eggs. You know, they don't talk to other people, it's very difficult communication. They speak different languages, things along those kinds of lines. So, actually, having it all together means that we can see what's actually happening inside the basket. Not just what's coming into it or going out of it, we can also see what's happening inside of it as well. So, that means that we-, you know, if, if somebody is compromised, again, let's say an endpoint is compromised and some-, an attacker has access to a VPN, you know, or they just managed to get hold of your VPN, they're coming in and being trusted or, or whatever else as well, we've now got that pattern of behaviour that we can pick up on that and if they then actually get into someone's email or whatever else as well before I compromise credentials and they start doing all of that internally, we can still pick up on that threat, the internal phishing, all that, kind of, good stuff, that escalation etc, as well.

 Again, you know, other providers simply cannot do that. You know, there's, there's only so much an API can actually give you access to when you're actually looking at it in the transport and actually, as mail is going from A to B and all the rest of it and she's stopping it at that point. So, again, fantastic controls and things we can put in place. So, the next bits that I always get asked, the questions in there, it's just some good practice, is how do we really get started with this? So, the two starting points are put in is, the first one, for those, those who've actually got exchange online protection, if you haven't configured your phishing threshold-, so, I go into my email here, I go into my-, I go into my policies and rules, threat policies and then my anti-phishing policy and I've just edited my anti-phishing policy and I've got this, this phishing threshold and it basically gives you a level of one, standard, two, aggressive, three, more aggressive and four, most aggressive and that is effectively the level of confidence that we have that something is phishing. So, a zero basically-, or a one, I should say, means it categorically, without a doubt, has to be phishing. Very, very high confidence, basically, and as we start increasing this aggression, we lower that confidence. If you leave it on standard, that is effectively the same level of protection that we give you in E3, basically, and what you've got out of the box of E3. So, I-, it only has to be very high confidence phish to do that. If you set it to at least two, if you haven't done this already, I cannot stress enough because we now start bringing in the AI and machine learning and all these other good pieces I've just spoken about and say, right, is this actually phishing? And if you suspect that you're actually under attack and you're being sprayed with phish and all the rest as well, please dial up this confidence level. I, again, if I was in your boots as security, I would much rather deal with getting-, you know, the help desk requests and getting people getting things out of quarantine, rather than actually having phishing or something else and the worst actually happening in our environment. You know, an attack actually being launched and, and becoming successful. So, something very, very important for myself on that side, okay? The other bit that we have in here as well, again it's that phishing threshold, is the configuration analyser. So, the configuration analyser, again, is reasonably new. Probably a, a fair few months old but, you know, so, still reasonably new, is you can go into this and actually, you have levels of-, a level of control.

 So, we've got the standard or a strict or your own custom one. Sorry, custom-, so, we've got standard, standard or strict. So, this is, you know, reasonable, reasonable controls and what should be good for most environments. Stripped environments is if you are a little bit more paranoid or, you know, you, you will be impacting the end user at this point as you start applying stricter controls but then you can start taking a look at your analysis and history of that. I don't have any data to show a tenant (ph 58.22) on this unfortunately but you can start to see, as you've changed your settings and things along those kind of lines, as to what-, you know, how well you're actually conforming to this configuration but this should hopefully make things a lot easier for you guys. There is also some baseline configurations that we can put in place as well and just turn things on for you. Personally, given the size of your organisations and the fact you're not-, you're, you're not SMB or something like that, you do have security teams, is to start looking at least a standard configuration and making sure you've got a good configuration in place and then if you see fit, if you're not happy with that level of control, then start looking at the strict recommendations as well. But again, you've got lots of tick boxes and natural configuration on what to do to actually get that going. The next bit is then, okay, well, email might still be getting into the environment. We've still got these kinds of things going on, so how can we then actually train users to actually do simulations and things along those kinds of lines. So, the, the-, you've got the-, so, first off, we have the, the attack simulator. So, this attack simulator allows you to launch internal campaigns. You can govern what, what the payload i.e. what, what you're actually targeting users with, what that actually looks like. You can also use what we call automations and we've got a payload automation in there and what we can do is, as phishing email is actually hitting your environment, yes, it will be blocked by the filters, is that we can actually say that we actually put automations-, so, we put-, we, we can start harvesting that phishing email and then use that to create a payload that you launch as part of a phishing attack. So, rather than being the best efforts that we've got to create a phishing email or the best efforts that you guys could put in place to create a phishing email, you can actually target with actual phishing email and of course, replace it with safe links and training links and things along those kinds of lines as well. And the result of that basically means that the, the end user will get a response and depending on the level of action that they actually take, so, did they click a link, did they then enter credentials in the link, whatever else as well. So, how far did the compromise go, you can then determine the actual level of training and all the rest that actually goes with them at that point as well.  

So, you can say, you know, everybody gets this training. So, you know, the phishing email goes out, end of the campaign, everybody gets this training. You know, if somebody clicked the link, they'll get this additional training. If somebody followed right through to compromise, would then get even more training to go on top of that and then what we provide are, are videos of anything from, like, a minute to seven minutes, so, it's all bite-size chunks, so to speak. And we can then pick up on repeat offenders and then-, you're then able to very effectively target who you actually want to put phishing emails out to. So, I'd recommend doing, like, a, a wide campaign across the board, so, perhaps to, like, three emails in four months or something along those kinds of lines, randomise that across your organisation, build some data so you know who, who are the repeat offenders, what's actually happening, who responds well to it and all the rest as well. So, we do do things, if somebody does say, actually, this is phishing and they've used the 'Report it now' button, we can give them that kudos, like, you know, well done, here's a biscuit, kind of thing. You know, you've, you've done-, congrats, you've done the right thing. And in the same way, if people don't respond to the training, you can start, you know, just harassing them via automation of basically, complete your training and get that done and you can report on non-compliance and all that kind of good stuff as well and so, we've got all those kinds of reports to go in there, who completed it, who didn't etc that goes with all that side of things as well. So, again, very, very important side, you know, you've got this built in as part of Defender for Office 365. Plan two, that is. We have had a number of cancels. So, we use things like Meta Compliance and other third party products and they say, basically, this is as good, if not better, than the third party products that are actually out there. Those who use the, the, the simulation probably, you know, two or three years ago were probably very disappointed with it and I'd be inclined to agree with that as well but since we've gone into this V2 of the simulators, what we've got now, it is a highly competitive product and it should really, really help you guys as well. But yes, so, just lots of good stuff that we can put in there as well. And of course, the other bits and pieces, again, since you were using Exchange online, you can integrate into the services and we can start putting notifications directly into the user interface. So, not only notifications of, you know, you've, you've done phishing or whatever else as well or been susceptible to phishing or use a report it now, but, like, you know, is this that you don't get emailed from these people that often or this has come from external, you can have that big external tag that, that appears on there as well.

 So, if it's saying-, I, I email Jane internally all the time and then suddenly, Jane's one's got an external tag on there, is that one-, is that somebody trying to spoof Jane? You know, or something along those kinds of lines, you know, if you haven't got those filters turned on or something along those kinds of lines, you know, and just make sure you can actually handle all of this. And of course, you've got the actual hover over of the URL to make sure it's actually a legitimate URL and things along those kinds of lines, okay? Yes, so, just, just hopefully some handy bits and pieces on that side. Yes, so, I just highlight those there. So, just going into some quick demos, again, so, just going across back to-, sorry, let me get the right, right one set up here. So, in, in my security console, in my incidence & alerts here, the incidents I've got, like, don't know, a handful of things in my environment but I could take a look at this and what I have is this new bit, I've got this alert story that's actually built out on what's actually happening at the time. You know, what's actually going on in my environment and all of this-, all of this is under E3 and so I can expand this out and so, I can view these fourteen processes and see what's actually involved. So, what's actually happened here and I can-, I can still go into the level of detail as I have before and all the alerts and etc, what's going into that and the different entities etc. So, I can really build into this. That, that safe links bit, by the way, we, we are updating that so it's not a, you know, a really obscure URL. As you hover over it, it is actually a legitimate URL, not the safe links URL, to get that sorted out. Yes, so, I, I can drill into any one of these as well and as I say, if I ungroup my nodes of what's actually happening in this environment, I can really drill out, you know, everything that's happening. I get quite a detailed exploded view of what's happening and I can click into any aspect of this and actually drill down, understand the process etc., as well. So, when I'm doing my forensics in that post-breach detection and things along those kinds of lines, I have lots and lots and lots of information I can put into and of course, I've got-, and it might be some automated investigations and alerts and things like that, that might go into it. You know, just to pick up on that side of things.  

And again, just to reiterate, just as a final bit on here, those policies and rules under my email and collaboration and again, collaboration being SharePoint, One Drive, Teams etc, as well, I've got my threat policies and then I've got my anti-phishing policy and then finally, I've got the, the phishing threshold that I can set in the side of it here. Basically, I can make sure I can dial it up or dial that down. Please make sure that's at least two, just to make sure you've got an adequate level of protection or at least a bare minimum level of protection in your environment for those who have actually gone E5 as well, okay? Just pulling a few, few quick pieces together. So, just one other thing that's probably worth calling out as well. Under your safe attachments policy, for those who haven't seen this and then under your global settings-, sorry, this, this, this page always takes forever to load. I've got the ability to turn on safe documents. So, safe attachments is when we're doing the, the, the sandboxing of the file as it comes into the environment. Safe documents is we're effectively isolating the entirety of the office session on the local computer. So, if I've downloaded a file that's come from email or may have just randomly downloaded from the Internet and not come from a trusted source, at that point, I can say I want it to isolate on my machine and the user has to remove that from there-, to remove the protection to then be able to collaborate on the document. But it basically means, if that file contains any ransomware or something like that, you know, or some, some kind of malicious macro, whatever else it might be, it will detonate in what we call an application guard environment, simply close, close Office and it hasn't touched the rest of the machine. And if they want it to touch the rest of the machine and collaborate etc, and all the rest as well, simply go to remove protection, it does a deep scan of the document and then you can choose to say, actually, if the scan fails, still allow people to remove protection or, you know, the scan fails, you know, raise a help desk ticket or whatever else it might be. You know, stop people doing that. It depends on what level of impact you want to have on, on collaboration etc, as well. So, just a really handy feature to call out there. So, with that, I'll pass across to any questions. So, going back, 'Agree about the phishing level but when you're reliant on notifications of those emails being stopped and whether users can access their own quarantine to release the email, as I understand, it's not possible for some high confidence spam phish malware emails?'.

 Yes, that's right. For, for things that are high confidence phish, we do not allow releasing of that email for high confidence phish, from an end user perspective. So, you can choose the, the thresholds at what level that gets sorted but high confidence phish, we simply do not allow you to release that. You know, for what I hope is obvious reasons. You know, if somebody has sent an email that's looking like phishing and then not receiving it, maybe have, have, have a chat with the-, with the sender, we'll get the recipient to say that, 'Could you reformat your email for us please?' Or something along those kind of lines but again, that, that's a real safeguard that you can put in space and from a speed dial perspective, Sam, you know, fortunately, you'll talk to someone like Aaron or whoever else as well, you know, and see if you can get hold of my time. I am happy to provide time to anybody in LRG, as long as it's actually, you know, it's, it's appropriate and I can actually squeeze you in on that side. My, my diary is very, very full, so, I do apologise about that. We've also seen a direct correlation between turning on-, you, you don't often get email type of banners and a permanent drop in number of successful user phishes. So, that, there you go, it speaks for itself, basically. That, that is, you know, turn it on, put that visibility in front of the end users, that is just fantastic and thank you for that feedback as well, that, that is amazing to hear. Yes, cool, right. Just checking if there's anything else. And yes, and I'm happy to, to see anybody be sprayed with phish. Well, hopefully nobody gets sprayed with phish. Nobody wants that, so-, it just, just, just sounds disgusting. Cool, any other questions before I drop in? Before I move on to compliance and governance and this, this one's obviously, I, I appreciate is going to be a hot topic and probably carry on a little bit as well. Right. Next question. Right, so, the first thing around information protection and that side of things as well. Again, this is-, for, for me, there is varying degrees of maturity across the entire environment-, sorry, not across the entire environment, across, across LRG.

 We have some, some of our customers who are very mature in this space and some people that haven't even started the journey and it's, it's a, you know, really difficult journey for a lot of people to undertake and those who have undertaken it can probably attest to just how difficult that journey actually was but the idea of sensitivity labelling is not just around encryption and that side of things, it's about getting your data into a known state and that's the most important thing. What data is more important than the next bit of data? To really give you an analogy and to help you really understand, you know, sensitive information types etc, as well-, sorry, sensitivity labelling, is I, I-, my customers who have already been with me will probably understand or know this before. Imagine I got a bit of paper and on that bit of paper, I have a child's name, I have their home address, I have their school address. I could even have a photo of the child and their date of birth. So, basically, with that bit of paper, I can very, very easily identify that child, okay, so, and given the normal routines a child are in i.e. leaving school, coming home again, all the rest as well, I can probably identify where that child's going to be at a reasonable-, to a reasonably high degree of certainty. So, it's a really really dangerous bit of paper. So, who are you going to hold-, who are you going to let hold that bit of paper? Or even show that bit of paper for that matter, or, like, hold that bit of paper. Who are you going to let walk out the room with that bit of paper. Now, if I now change that so it's only got the school address on there, so, same information, completely different context. Every bit of information's the same, but the context around it, is completely different. With public information, anybody can walk out the room with it. So, how would-, this is where the sensitivity labelling comes in, to say, okay, well, what's on that bit of paper that you only want to let people-, you only want to show people?

 What else can go on that paper, now people-, someone can actually hold it and you know, it can be emailed out of the environment and whatever else as well. What can you say? People can walk out the room? I.e. it has minimal level of protections or controls around it. So, what's actually there? And this is where the sensitivity labelling comes in and what we have to underpin that is what we call a Sensitive Information Type and the Sensitive Information Type is basically, it's like the pattern of information that we're looking for. So, the one we always call out would be the-, well, in fact, I can use that bit of paper now for, like, the built in ones we've got. So, the child's name, we can have full names as a Sensitive Information Type. Their home address and the school address, we can have full addresses as those Sensitive Information Types. As well, to actually put in that side and understand, you know, you can have a combination of these. The date of birth we can have as a Sensitive Information Type.

 We can then have as a trainable classifier, which is another form of Sensitive Information Type, portraits of people, i.e. photos of people's-, someone's face or something like that as well. So, if it's got all of those combined, that can increase the sensitivity of the document. If it's only got a home address on there, you know, a physical address on there, i.e. like, one, two, three, some street somewhere. Yes, you know, if that only appears once, how sensitive is that? If there's multiple addresses appearing on there, then there's probably going to be more sensitive. So, we can put these kind of controls in place and with E5, we can then automate that, and say, 'Right, where does this information reside? Go and protect it.' And the result you have of this protections is then your data loss prevention controls, or DLP controls, so we can now say, 'Okay, well, you know, this is we're saying, who can show? Who can hold? Who can walk out the room?' Basically. And that's the level of control that we can put in with a DLP. And the DLP itself you know, with your E5 we can extend across, obviously share point and exchange, basically E3 controls.  

We can then bring in Teams chat and channel data, we can bring the E5 controls in there. We can bring in the endpoint as well, so people copying things to USP drives or Bluetooth or copying to off the endpoint directly to a cloud share or something along those kind of lines. Or to an untrusted location or whatever else it might be, we can put all those kind of controls in place. If you have the unified labelling scanner, and please see the E3 presentation for around that side of things, we can then actually put in what we call on premise DLP and we have more-, rather than the reactive one of all these other services, i.e. somebody's doing something wrong, stop them, we can have a more pro-active DLP for your on-premise file shares and say, 'Well, what files are overly permissive? What are people accessing that they shouldn't be accessing?' And that's actually, quite a better control. So, we'd lock it down via protection-, by a protection label that we put in place to say that only these people can access it. Or, we might alter the ACLs so if it's say, you've got blocked inheritance on that file, we can re-enable inheritance and remove the extra people off that file. We can quarantine it etc as well, so lots of good controls we can put in place and then, of course, we can then alert on what's actually happening.  

So, you can have your DLP as you start off with, just put it in audit, so you're not actually enforcing anything until you know, what is the actual state of play in my environment? And rather, before anything's actually labelled, you can base this all on Sensitive Information Types. So, you can say, 'Well actually, if someone is emailing credit card numbers or whatever else as well, stop them doing it, or just notify that people are actually doing this and alert on that side.' And a really cool new feature we just put in, it's just a really obvious one, but it should be really helpful for a lot of compliance administrators or any security people who are involved investigation, is that we now take a version at the point of the DLP, of that document, at the point of the DLP infringement. So, if somebody shares a document, we will take a version of that document and attach it to the DLP alert, so all the link to that version will be in the DLP alert, so rather than saying, like, 'This file was shared.' And that file's the been later modified before somebody's had chance to investigate it, we get this is what's happened at that point. In the same way, those versions will also surface in the discovery investigations as well so you can start taking a look again at the point of infringement or the point of the policy violation. You know, what actually happened? What are they actually sharing? I.e. did they share a bunch of sensitive information, then remove that sensitive information later on, to try and make themselves look innocent? Whatever else that might be. So, lots of controls and things like that we can put in place.

 Okay? So, the next bit that then obviously naturally leads from that as well. So, actually one other bit to put into place here. One thing you have is an E3 control that is specifically for data loss prevention, Sensitive Information Type you can create, is what's called a document finger print. So, if I was to take an invoice template or something like that, or, you know, a form that even someone else fills in. What you can do, is that I take that form and I present the form as a finger print or a document finger print. So, if somebody then creates some data and attempts to share some data that's been built on that form, regardless of whatever content has been put into it, you know, it could be totally non-sensitive information or highly sensitive information, you say, basically if it's been built on that form, we recognise that that's a DLP violation or we want to protect it in this way. You know, so that's a really great thing and they use Power Show and we can send you some links afterwards etc as well, but you use Power Shell to actually create those forms, also to create that document fingerprint. There isn't-, there currently isn't a GUI to put that into the console and they can only be used for DLP. We can't use that for, like, the on-prem file scan or for labelling or anything as it currently stands. My understanding is we are working on that but I have no ideas on a timeline and if we don't have a timeline, it generally means it's months, it's not years down the line.

 Okay? So-, so, the next progression, coming off from that sensitive information type and understanding the nature of our data, is then obviously protecting it from a retention perspective. Now, I could probably go so far as to say that at least 80% of the data that your guys have got on prem is just completely worthless, as in people are just hoarding it and people are afraid of the delete button, just in case kind of thing. And then, that DSAR or Freedom of Information request comes along and you go, 'Well, one, I've just made my life a lot harder to do that Freedom of Information request because I've got a shed load more data to sift through and understand but worst yet, I know all of the data that I'm surfacing if going to start becoming toxic, as in, why am I holding this data on somebody fifteen years later, when at most, I should have held it for, seven years. Whatever else as well, because there's that just in case bit. Okay, so, we end up on the other side as people pull that and we can start to identify that data and we can use, like, the unified labelling scanner and things like that to find it.  

I can then pull this data into the cloud, we can then start doing more better analysis of what's actually happening because you're going into a document management system and the kind of stuff you just don't get in on prem file shares, basically. So, the kind of controls you don't see. And we can then start bringing in data from elsewhere as well. So, not just the, you know, data we've got sat in Microsoft 365, we can start brining in non-Microsoft data as well and there is only a handful of convectors we've got here in relative terms, but we can still start bringing in other information. So, for example, for those who might use WhatsApp or whatever else as well on a corporate phone, you can have a WhatsApp archive where you can pull that WhatsApp archive up, the data from that into your retention and then, in turn, into eDiscovery and things along those kind of lines as well. So again, really powerful stuff to go with that. Another thing that I just want to call out and something that I see across LRG, is a lot of people who are, you know, politely put, immature on this journey, as in they're just starting a journey on that side, we see a lot of things of blanket retention, i.e. just retain everything for seven years. So, you see in some places it go into decades, in multiple decades to actually retain data. That is not the best approach and that can actually have far-reaching consequences, you may not have seen to start off with, you know, in the way how we actually manage that data and you know, how much data you're storing etc, as well and then how much data you've got to sift through etc as well.  

So, if you are going to put blanket retention in place whatever else as well, I'd try to keep that to as short a period as possible, maybe six months or a year, two years tops, whatever else as well. That's down to you as an organisation and then, start looking at that individual retention based on the Sensitive Information Type. So, we know this data is for archive, has been marked for archive, you know, somebody has put a-, you know, associated a label with that or whatever else as well, so we're now going to retain that for 99 years. Now this is mental health data, we're going to retain that for 50 years. This is financial data, we're going to retain that for seven years and all the rest as well. Now, one of the things I'd like to see and one of the follow-ups we've got from this is about the LRG Champion's Community and one of the things-, I've tried to start this and it's been a bit of a false start each time and it would be great to get the community behind it, is how can we start setting standards for LRG? So, you know, a common set of policies, a common set of labels, a common set of initial access policies, retention labels, whatever else it might be. There's loads that we can do and have that all peer reviewed by you guys.  

Of course, you're going to have your exceptions and the bits and pieces you need to do for your own organisations as well, but the majority-, you're all doing the same thing in the same-, largely in the same way, so can we actually work together to create something to help protect LRG? With our connections that we have with the Home Office and things along those kind of lines, we can be a facilitator and say, 'We've created this guidance. We've done this. It's been peer reviewed. Will the Home Office or whoever else actually sign this off and turn this into policy?' Or things along kind of lines. So, it would be great to work with you guys and that will be, obviously, an ongoing thing with a big forum. I'll be looking at people like Jeff and things like that as well, who manages these central forums to actually get things sorted out and move forward on that side. Cool. Just as a separate note, I just wanted to highlight that. Another quick one just around Purview and eDiscovery pieces and the bits to go with that as well. So, eDiscovery from us is-, eDiscovery premium as we now call it. We have standard and premium. This is actually one of the reasons some councils have actually got E5, because they can actually see the true value in simplifying the process around data discovery and retention and things along those kind of lines. So, eDiscovery standard I would go so far as to say is literally a data gathering tool for eDiscovery premium and as we go into premium, we can then start doing detection so if we have a thread to say, you know, between Bill and Jane earlier on, or Bob and Jane earlier on, so, Bob and Joan start talking to each other, not Jane, not Jane, Joan even. Bob and Jane they-, Bob emails Jane, Jan emails Bob, Bob emails Jan etc. etc. it goes back and forth. On the standard eDiscovery, each one of those emails will surface up.  

On the eDiscovery premium and near duplicate protection, we say, well, actually that's one thread. That's one thing. So a conversation going back and forth so we can immediately start pulling that down and we then start going, 'Okay, well let's actually start taking a look at the themes within the data as well.' So, is there any kind of commonality and this is the kind of thing where machine learning excels. If you try and get a human to do this, it has to be one human or a group of humans that are working really really really well together and really understand what they're doing to say, 'Okay, well what themes are there in the document? What's the commonality? What's the thread that keeps appearing between all this data that I've chosen to investigate?' And what we can do, is say, ' Well, actually let's highlight these common bits.' So, eDiscovery's great, like, if you're doing a DSAR or Freedom of Information Request or something when you kind of know what you're looking for or you're looking for a very specific thing. eDiscovery premium and this theming and all the rest as well is great when you don't know what you're looking for. Is somebody being bullied? Is someone-, you know, whatever else it might be, all those kind of bits and pieces.

 So, we can start pulling all that together and start say, rather than trying to-, so try to find a needle in a haystack, is we can make that haystack a hell of a lot smaller and go, yes, there's the needle. That was really easy to find now. Because we've taken from, like, the five million items we had to start off with, we pulled that down to 50,000, done a search and pulled that down to maybe a thousand items. Gone through standardly discovering how to sift through all those thousand items individually and just, you know, pull your hair our at that point. Flip a table, whatever else as well, especially when you keep going back to ask for more information and as we then do this into the premium bit, we say, we take that thousand and let's actually pull it down to 300. Now, actually let's understand the theme on that and prioritise it and you know, actually understand the relevance of that data and say, of that 300, actually these are probably the ten or fifteen ones that you're actually looking for and here's the rest of the priority order. You know, and then we can, you know, redact it and export it appropriately and all that kind of good stuff as well and make sure that we're defensible from one end to the other and we've managed all the custodians, we've done all the communications, we've kept people on hold appropriately, we've taken people off hold etc. as well.  

So, again, really powerful. For those who are not using eDiscovery premium yet, please reach out either to your CSAM to see if you can get any kind of training via Unified Support. If not, we are more than happy to arrange a deep dive and just do some generic training so to speak and the overall view for, for people like yourself and just do a deep dive session on that. But we would really really help-, it would help you guys and we fully respect that those who's generally sit in your IG Teams just because the nature of what a council is and the amount of people that have-, you know you have to serve etc. as well, the IG Teams are always overwhelmed. They're always in a constant fire fight in trying to respond to these DSARs, these Freedom of Information requests and when you have an investigation, they need to do. So all this tooling and that lot that we spoke about previously, is about understanding your data, being able to rationalise it, being able to find it very quickly, so when these investigations do come up, it's not a seven week, you know, trial by fire, it's like maybe a week long, you know, relative terms. It's like week long, easy bit. This is what we've got, confirmed, out the door, basically.  

And we've kept that very simple. Lots of controls in place. Again, we can go there in a deeper dive in a later one. But the result of this, as you put it all in is like, well, let's understand my data, you know, on a sheet. You know, and where I actually got things. So, that's just of the overview of the Data Classification we can say, 'Okay, well this is what you've got in the environment at a very high level, what's come from prem? What's been retained? What's not being retained? What's been labelled? Etc,' As well and we can then go into that as well, into the activity explorer and understand how that data is then being used. So, we can see in the environment, you know, what's been printed, what's been copied, what's not and all the rest as well. I don't have a screen for it, but I can share it later on so we can go into the content explorer and then that's your drill down and what we can do is view all the data, literally, as a massive list to say, right, here it all is by the sensitive information type i.e you know, it contains full addresses, it contains whatever else the sensitive information type might be.  

It then contains sensitivity labels. What's been retained? And what matches labels and what matches retention labels and things along those kind of lines? And you can then drill down into that to understand your data and this is one of those pieces because we get lots of questions asked of, you know, do I clear up all my data before I migrate to Microsoft 365, or do I just lift and shift and then sort it out later on? And there is no right answer. There's a right answer for you on that side. My perspective as a technical person on it is to say, well, on prem, I don't have the tools to sift through that data. I don't have the tools to effectively do that. The only thing I can do is use the unified labelling scanner and find everything that matches sensitive information types, i.e. data that's in important to me and then down to how well can I identify that data? How well can I articulate what is important to me and translate that into technology?

 So, I can then go and hunt all of that, sift thought the mud, find the gold, so to speak and then the rest of the data I can choose to just put into archive, or I can pull it up into a separate location and let all this tooling work out how it's actually being used. What's the relevance of-, what's the relevancy of it? And all the rest as well, when was it last accessed? All that kind of good stuff as well and say, actually, I can just disappear off the archive for a year or whatever else as well and I can go and ask for it in a year, because you know we've highlighted and retained everything we need to keep. The rest of it can go in the garbage, you know, and be afraid of it and actually go with a high degree of certainty that it can go in the garbage. You can even if you wanted to, put it though a whole bunch of disposition reviews and say, 'No longer serves a purpose. No longer serves a purpose. No longer serves a purpose.' And defensively delete the whole lot of it. So, yes, you know, and you can put in place there. So, really great controls and great things to do, and that for me is how I would be using this tool to manage my migration of data from on prem into the cloud, but that's my approach and it has to be the right approach for you guys.  

Okay, so, as a quick demo and something to go on there, I can go onto some other bits and pieces. I'm actually going to go through a click through demo on something we haven't spoken about yet, which is something called Communications Compliance and for me, I see this as a very valuable tool for local regional governments basically. And I'll go through it-, I'm going to explain as we go through, what's actually happening etc. as well. So, I've gone into the Compliance Centre and I'm going into my Communication Compliance and under my Communications Compliance, I've got all these separate bits and pieces and policies and all that kind of good stuff as well. And as I scroll down here and see what's happening, and so I can take a look so I close that off and take a look at a specific key work or highlighting test as has been put into this environment as well and I can take this and I can just say, 'I want to create a policy on the back end of this,' So I'm going to create a custom policy, put that in place.  

I can add the relevant users that I want to be the reviewers so I just add those people in. I'd get rid of the extra language-, phrases I don't want have and just will investigate this in Teams and with this, I can then add some conditions to say, right, well what is it I'm looking for? So, I go to my classifiers and the first thing I add is a trainable classifier, so just as a quick note around trainable classifiers versus those other sensitive information types, so the first sensitive information types I was talking about are great when you know exactly what it is you're looking for. So, I go, here's an invoice, yes, great it's got an invoice number on there or it's built on a form or a template or something like that as well, so it's very easy to identify. If I then go, here's a contract. Here's six contracts next to each other. Find the commonality between those contracts.  

Well, that's an employment contract, that's a vendor contract, that's another one but for a completely different job role or whatever else as well as an employment contract. So, there's no real quantifiable pieces that may sit between those. So, what we then have-, so what we then have is the ability to-, to use AI machine learning to identify what's actually in there. The patterns of data. How what relates to each other and what actually makes up a contract. So, there's lots of stuff that we have built in. So, we've got things like harassment, profanity. We have financial data and contracts actually built into these trainable classifiers to have some out the box to say, right, well, actually, there's no direct information but it's built like a contract, so therefore, we'll identify it as a contract and you can train these classifiers to be very specific. And you train them by basically throwing samples at them. You create what's called a feedback loop. You throw samples at them and in that sample you say, 'Yes-,' as an example, we had this fictitious IP called project Jupiter, which is about a motherboard design, obviously we do deal with enterprise organisations as well, or commercialised organisations I should say, so we can then say,' Okay, if anywhere Project Jupiter appears and you've got the words Project Jupiter together and you've got this motherboard design, there's a picture and you've got other words and other phrases and all other bits and pieces and there's document structures as well, we can say that's Project Jupiter.' If we now throw in, in our trainable, in a trainable classifiers, a project to go to Jupiter, yes, I appreciate it's a bit ridiculous, but at the same time, it's now going to say, 'Well, actually that doesn't match our requirement,' because it now starts to understand the relationship of the words to say, actually if project and Jupiter appear separately or there's a gap between them or whatever else as well that doesn't need my classification.  

So, you can train it to be really bespoke or really broad, depending on how you want it to be and what you want it to look for and you can always go back and retrain it rather than recreating it as well and refining it. So, in this case, I want to pick off a whole load of bits and pieces from my communications compliance and how people are actually communicating inside my organisation. So, are people using harassment? Are they swearing at each other, are they threatening each other? You know, is somebody getting quite abusive or whatever else as well so we can pick up on that side of things, and of course we can then-, we've got discrimination coming in so they're using offensive terms, things along those kind of lines or discriminatory terms, we can pick up on that and of course we've then got images that we can put in there as well. So we've got adult images, racy images so it's not quite adult, and then gory images. We can also have things like credit card numbers-, credit cards or other financial information, or something along those kinds of lines. So I can add those in and decide, 'Right, this is the information I want to see.' I can then add other conditions in as well and just add another sensitive information type, in this case I want to look for words that you don't want to have in your environment so maybe words that are taboo to you guys, whatever else as well and I can just-, that'll just be a key word list that we want to put in basically. So there's no context in how those words are being used so it's more how-, you know, just that these words are being used full stop basically, and then I can extract printed or handwritten texts from images as well. So somebody writes this or whatever else it would be, I can write that out and say, 'I want to be 100% certain of what people have actually written and things like that as well.' I also want to scan every single document so it estimates compute time and it might slow my investigation but it makes sure it doesn't miss anything at the same time as well, and as I go through this, yes, I just review and create that policy and what I then have is I can view where these policies are starting to be used. So I can say for the-, who's going to supervise it, who's going to manage it, who's going to do X, Y, Z with it as well, so this is a conflict of interest policy and I want the legal team to be the supervisor and followed-up by the finance team, and then Adel as a fictitious user of my environment who's then going to manage all of this as well, so I'm going to create that policy.

 So when the user signs in, they go through the communication compliance-, maybe it's Adel going into the portal now to see what's actually happening. She sees, right, she's responsible for this so she's going to take a look at the offensive language and see where offensive language is actually being used and whatever else as well. So most importantly, Adel is not a full administrator or whatever else as well, or maybe not the full reviewer, so who's involved has been anonymised so they don't know who they're investigating. This should never be a case of, 'Big Brother is watching you,' this should be a case of, 'You know, we as an organisation need to behave appropriately and we need to be accountable to our own actions.' Not, 'Big Brother is watching you.' So we can take into that so we anonymise etc. as well and we can then say, 'Yes, there's been some policy matches on whatever else as well,' and we can escalate that and say, 'This person's a repeat offender,' so yeah, never trust the administrator of course, you know, that side of things. So we can escalate that, just create a case so that's then sent it out so here's the investigation etc. as well. So now the people we've elevated that to go into the communications compliance and they take a look at the offensive messages here, and they take a look at the pending investigations exceptions as well. So one we can see, you know, people are using languages whatever else in-, are using different languages, doesn't necessarily have to be English, here's where we can do the on the fly translation and we can see some, you know, some language that may not be appropriate to use inside your environment exception as well.

 So lots of good places we can put in there as well and then as we go into this as well, we can look to other investigations or other things that might be going on as well. As we take a look at this so like, 'Why do you keep asking me?' Might be seen as harassment to start off with, it might just be a legitimate question so we can say, 'Actually, report that as misclassified,' but we can still keep a note of it just in case, it might lead to something else but right now, you know, we can ignore that so we don't have to take everything as if this is really bad or whatever else as well. We can also take a look obviously what's happening in images and things like that as well, and say, 'Right, do we actually want to report on that? Is that something just that Cat's putting it? Is it something about related to wearing of masks, or anything along those kind of lines?' What's your company policy around that, or what was your company policy around that? Something along those kind of lines. We can also then pick down what's happening in conversations as well and then look at the user histories and things along those kind of lines, so we can see, you know, things-, where things have now been highlighted, or communications, or whatever else as well, repeat offending items, whatever else that might be. We can then go across and take a look at that individual user, and take a look at their user history and see what they've actually been up to etc (ph 01.34.07) as well. So we then have the option to then actually go through and say, 'Right, we've got the evidence, we've gathered it all in. We know where there's been a policy violation, this might be a case for HR, it might be something else as well,' depends on how you guys want to operate and again you're looking against those-, those sensitive information types that you've defined. So this is about data that you're concerned with and your policy exception as well, so we can then remove those messages and actually tidy those up so we can actually retrospectively go back to that.

 So from an End-User's perspective, they can say, 'Right, actually they can see that.' The actions now been blocked and removed so we've got this really, you know-, something's maybe a bit funny, maybe a bit offensive but, you know, it's acceptable-ish. This, you know, is unacceptable, you know, actual threat for physical harm or something like that as well, so in that case we will remove that message and you can choose to do that on time and all the rest as well but of course you've gathered all that information, and images, etc, to go-, to deal with that. What you can now do is tie this into Power Automate and say, 'Actually, I want to automatically create a workflow to notify someone's manager when this has actually happened,' this is just an example of a workflow you can put in place. So we've put all these kind of controls etc we need to do, just scroll down on there. We add who we want to email, get their messages and all the rest as well, and just create a note-, a notification to say, 'Yep, I want to do this. Run the flow,' so we-, that will then automatically happen for the users. So I go into the reports here, I can see what's happening, I can see that there's been policy matches, how that's worked, and hopefully something that's worthwhile and you guys can then use on that side of things. And then follow that through, view more details, view activities etc as well and drill into that, customise the columns, understand what we want to see, where those item matches, so you can have some really in-depth understanding of what's actually happening in your environment. So I'm just whizzing through this, and then you can do items per location etc, so who's really effecting this, who's-, which areas of the business are the worst offenders, which ones might you just want to 'ignore on profanity' or something like that because that's just how they communicate. Things along those kind of lines, so lots and lots of good stuff that we can put in place there. So whizzing through and hopefully, like, three minutes ahead of schedule and just in time for some more questions, so sorry for the whistle-stop tour there.

 So let's go back to see what questions have actually come up on that side. Oh jeez, right. 'Final section is great to-', no, no, that's just the one-, 'Can you tell me more about the WhatsApp archives?' So that would be a third-party system on the WhatsApp archives, something like TeleMessage or something like that, and that's basically just a-, an App or something you install on corporate devices, obviously definitely don't do personal devices. Obviously, notify people that you will do that so that-, because it basically means it stops the Shadow IT bit, because a lot of people may just communicate on WhatsApp rather than using Teams or something like that as well and then maybe lots of sensitive information that just disappears into the ether, people think it's all okay because WhatsApp is encrypted and things like that as well but obviously it's completely out of your environment, you know, and out of control-, out of your control, so this is a way of bringing it back in and at least notifying it, and having that kind of information to go with it as well. 'What's the best learning resource course to get started on DLP retention and how do you get it right from the start?' For the first bit of getting it right from the start is, I'll politely put, would be partner. If you want to get this done quickly and turned on efficiently etc as well, our partners do this all day, every day. They live and breath this and they've done it for your-, for your peers across LRG. Please do use the LRG Champions or whatever else as well to pick up on that side of things and we'll show you-, give some more information on that in a moment on how you can follow through, and with partners and work on that side of things, and create your own policies, and get best practices from other people as well.

 If not, we-, there's lots of information we have online. In the-, in the presentation I've got, I've got some extra bits around data lifecycle management and that side of things, so understanding your data but again, it'd be great to have the actual conversation of, 'What do you guys actually want to do in as a LRG as a whole?' So yes, you-, what you have to do individually, is there any common policies or anything else that we can define and just simplify this for all you guys basically? Don't worry, I mean, it's never going to be simple but let's make it easier and give you a, 'Do this, do this, do this,' you know, and then anything else you want to do is your call basically so along those kind of lines. If not, if you want to look-, if you want to go really deep dive into it and start your learning, if you look up the SC-300 exam-, so Microsoft SC-300, I just put that in the chat, that is the Information Protection and Compliance basically-, is it 300? No, 400 sorry. SC-400, I do apologise. 300 is Identity, the SC-400 is Compliance and Governance. There would be a learning path that goes with that so lots and lots-, so if I just bring this up on another screen.

Arron Kerai: Yes, Chris-, Chris, if you go to the next slide we can talk about how that can be possible.

Chris Howlett: Okay, right. Cool. Ah yes, of course. You've got the ESI. Sorry, yes. Arron, do you want to cover that one off actually?

Arron Kerai: Yes, yes. No worries, thanks Chris. So yes, just on the SC-400, there's a lot of stuff you can do that's-, that's provided by Microsoft. So one of those things is what we call the Virtual Training Days so again, it's free resources, a free workshop where you can sign up, you can have a look, you can-, you can listen to all the resources that they described there and really break it down for you so if you want more information on that, I'll send the links in the chat afterwards. The other really good one is the Enterprise Skills Initiative. Now that offers all the virtual classes, all the Microsoft Learning materials, and also the certifications, a way for you to learn anything that you want to learn more deeply. So, you know, mentioned before were things like Defender but absolutely things like DLP and compliance, you know, all of that is in there, that should be your point to go to. It's the Enterprise Skills Initiative. Again, I'll put the link in the chat in a minute and then that's, kind of, the-, kind of, the learning element. On the FastTrack side, that moment-, that bit underneath there, that'll be held to help you deploy some of this tech for your organisation, right? So that's a Microsoft service, you have access to it today with your existing licensing and it helps you to deploy certain things that you might want to know a bit about  basically. So again, something to look into as you move forward. The middle one there-, again, really, really clear. I highly recommend this, is the Microsoft hosted Local Regional Government Champions group and that's based on teams, it's a Teams channel. The point is basically to connect all of you guys together, right, and it's basically to promote advice, and share ideas, and that kind of thing. There is a rule there, there is strictly no selling or no partners allowed either so it's purely peer to peer.  

Of course, any questions and concerns that you might have in terms of how to implement stuff, we can advise on how to do that but there is no selling or partners in that group. There's almost actually 2,000 members in that group today so, again, worth doing and if you want to continue some of the discussion that you've had today, feel free to do that on that channel and we can get to that as we go throughout the couple of weeks and that kind of thing. And then lastly, just on some third-party best practice on the NCSC, that's worth checking out too so there's the Good, Better, Best Guidance around Office 365. That includes things like security compliance, where E5 fit into that as well so you can see all that kind of stuff in their feedback there and then just lastly to finish off, any feedback you've got on how you found this session today would be really appreciated. You know, we're happy to run more sessions like this in the future so for example, we could do one based on Azure cloud security alone, things like that for example so, you know, please let us know what you want to see from us and we're happy to follow-up and run that in the future. So that's it from me, I'll hang back to Jeff to close off.

Moderator: Brilliant. Thanks, Arron, and thanks so much Chris. I think a round of virtual applause would be-, would be appropriate at this point and I've got to say, what a wealth of information you gave us there. Hopefully everybody's picked up some useful learning there and there's some-, certainly some great tips. Chris, it might be worth thinking about distilling those top tips, things to prioritise, things you'd do first, that you'd put in.

Chris Howlett: To, to aid with that actually, can I add to that and just something else to add in, something we'll be putting out more next month as well. I have run this for a number of councils already but this is an exercise we want to be able to escalate so you guys can actually run it yourself. So there's probably a lot of councils on here that probably recognise this DaRT Deployed, it's forever a work-in-progress, so what I've done is taken all the security compliance technologies and then broken that down to products and features, and then configurations of those as well, aligned that to the NCSC Good, Better, Best practices etc as well and then broken that down into the high-level prereqs identity endpoints Threat Detection, Compliance, and Governance. The RAG status is basically a finger in the air of the amount of time and effort it takes to get these things deployed, as well as the level of user impact and things along those kind of lines as well, so what level impact they have there. What I've recently added in to really help you guys is to basically-, is that, kind of, soft saving of why you'd want to turn this on as well as that  business justification. So I've written all that out as to what's what and, you know, not just the hard saving of replacing, you know, product data  with Microsoft, it's also, 'Why would you want to actually put these configurations in place as well?' Okay? Yeah, so lots and lots to put in there as well. So the DaRT Deployed from a licensing perspective, as we did speak about last time, we can filter it down based on license so you can filter out the E5 side of things as well which is exactly why I've put these lines in, so you can then say, 'Yes, I just want to look at E3,' or, ' I just want to look at E5,' or just as your-, or whatever else I might be. So basically, yes, you would have to probably do a custom filter and just say, 'Anything that contains E3,' and then filter down on that side.  

What I'm also building to go with that, and this is very much a work-in-progress and I'm hoping to have it done by the end of next month-, if you can just bear with me for one moment, just opening up on another screen-, is I want to share this out with you guys as well so-, it's very simple but the idea is hopefully it'll be very-, very effective, is this companion guide will go out with it and this companion guide, again very much a work-in-progress, is basically each slide number refers to the row number and DaRT Deployed so what is it, what problem does it solve? So you can then hopefully understand what that is. In addition to that, the DaRT Deployed will also highlight, you know, via the links you've got in here, it's not necessarily just what it is, it'd be how do you actually turn it on as well. So if I click on the link here and open it up so it's just on another monitor, that will then say how do you actually implement this and get this turned on so you should have all the information you need to really maximise your E5 investment, or your Microsoft investment full stop for that matter. Okay? I just want to put that out so next month we've got a bit of a-, bit more security stuff coming up but we will basically share that out, basically.

Moderator: Chris, that looks like a fantastic resource, that DaRT Deployed. How do people find that? Chris, I'm saying,

Chris Howlett: Is there anyone on the call that I've actually run this for as well?

Moderator: I'm just saying, how do people find it, Chris?

Chris Howlett: The general feedback that I get is it's really helpful. As I said, it's a very full-on session as, you know, as that's all I seem to do but it is a very full-on session but for most people, it really understands what's in the box and the whole thing is about prioritisation. So what have you done, where are you at, you know, where do you want to go to next basically? Because it's such a big thing to do, how do you prioritise it and there's lots of bits and pieces in there that some people just don't know about. You know, just little features that we call out that are just, you know-, that you're paying for already and you may be paying for another product so the example I always give is a thing like the Unified Write Filter, something built into Windows 10 and does exactly what Deep Freeze does. You know, and that's been built into Windows since 8.1 in fact actually and it's built into 10 and 11, but it's things along those kind of lines. So the DaRT Deployed stuff, we're showing information, we'll-, we'll create a proper bit in the LRG website and things like that as well once the companion guide is complete and we'll share that out via the LRG Champions and our own website that we have, a LRG SharePoint site that you guys can access.

Moderator: Excellent. Well certainly at Norfolk County Council, we're busy trying to deploy all the E3 and E5 capabilities and great to see the whole thing together in one place today. Huge amount to take in but, as I say, the recording will be out in a couple of weeks time. Lots of links that people can follow as well, huge amount of resources. Do join the LRG Champions group and also there are other groups where-, where we'll be holding the assets, any reusable components that will be shareable so-, the other thing I would pick up on is don't retain everything forever. I know it's a lot of work but another project we've got on the go at Norfolk is just deleting everything that we shouldn't be holding anymore or that doesn't have value, and then shifting everything's that's left into 365 so you can, you know, reduce what you need on Prem (ph 01.46.57) so you can manage that data more effectively. So yes, as I say, I hope you found that really useful, I certainly have. Do we have any following-, any final questions before we close? And great to see we've still got 100 people on the call by the way. I should also mention that this-, this session's been brought to you by the LGA Cyber, Digital, and Tech Programme and, Iman, can you put a link to the LGA Hub in the chat, please? So people can follow up on that.

Chris Howlett: Sorry, just now about the sharing as-, sorry, Jeff, do you want to put out the sharing of the chat, if you want to mention that. There's just a quick question that's come in, the sharing of the recording.

Moderator: Yes, so the recording will-, the E3 one will go out next week and the E5 one will go out the week after. That will come from Neil Jay (ph 01.47.52). Here's the LRG group, Microsoft Teams, so Teams group with the significant number of people in already.

Chris Howlett: Again, to stress the LRG Champions group, it's very strict. No selling, no partners. This should be an open forum where you can talk to your peers and yes, we wade in with, you know, technical suggestions or whatever else as well but it's not a place to sell. It's there purely to help you guys.

Moderator: Yes. Yes, absolutely. I've been part of that for a long while now and it's definitely useful. Okay, really keen to get feedback so please do let us know in the chat or by follow-up email how you found this, and if you want to see any particular follow-ups. Do you want a deep dive on specific areas? Do you wanna, you know-, a manager's version? You know, whatever's useful. We want to maximise the deployment of these capabilities. You've paid for it, let's make the best use we can. I know it takes a lot of time but we can go on that journey together hopefully, of continuing to deploy these capabilities. Also don't forgot the National Cyber Security Centres ACD, Advanced-, sorry, Active Cyber Defence capabilities, they're all free as well, they're all complimentary and keep an eye on what the LGA's doing in this space because there's lots of great content being developed. So two packed hours, huge amount of content, hope you enjoyed it, I hope you learned from it. Thanks for your time, everybody.