Driving data security is a shared responsibility, here’s how you can protect yourself

June 19th, 2018 No comments

You’re driving a long, dark road on a rainy night. If you’re driving 20 miles over the speed limit and you don’t step on the brakes when the car in front of you comes to a sudden stop, is it your fault or your car manufacturers fault if you rear-end the car that is in front of you?

When we drive, we seamlessly understand that there are some things we depend on the manufacturer to provide (brakes that work, airbags that deploy) and some things we’re responsible for (using the brakes when needed, not turning off the airbag protection).

This is the concept of shared responsibility and was a core topic at this years Cybersecurity Law Institute panel Vendors and Cloud-Based Solutions: How Can All Stakeholders Protect Themselves?

When it comes to cloud computing and data protection, it is a shared responsibility between the cloud service provider (CSP) and the customer that is analogous to the relationship between the car owner and car manufacturer.

While the fundamentals of shared responsibility between drivers and car manufacturers seem relatively straightforward, its not always as clear-cut when analyzing the responsibilities between customers and CSPs for protecting cloud data.

The cloud, as a relatively new architectural model for many organizations, is unique because there are multiple organic models that can shift responsibilities between customers and CSPs. For example, customers can only configure the application layer software in Software as a Service (SaaS) applications. But when moving down the stack to Infrastructure as a Service (IaaS), customers have the responsibility for configuring and managing the servers theyve stood up in the cloud.

While on the Georgetown Law Institute panel in D.C., I explained how Microsoft views the shared responsibility model as a working partnership with customers to ensure they are clear on what we provide and what their responsibilities are across the stack. To be sure, there are some perceptible shifts in responsibility, which is illustrated in the graphic below.

The left-most column shows seven responsibilities that customers should consider when using different cloud service models. The model shows how customers are responsible for ensuring that data and its classification is done correctly and that the solution is compliant with regulatory obligations. Physical security falls to the CSP, and the rest of the responsibilities are shared. Note this a general rule of thumb, and every customer should talk to its CSP to ensure and understand the responsibilities are outlined and meet the organizational needs.

Once a customer has a solid handle on what the CSP is providing, consider the three tips below for managing the shared responsibilities. These could include things like network controls, host infrastructure, end-point protection, application level controls, and access management.

Consult the STARs

The CSA STAR registry consists of three levels of assurance, which cover four unique offerings based on a comprehensive list of cloud control objectives. Here customers can see what controls a provider has attested to. STAR also helps customers assess how different providers are using a harmonized model. Its also important to ask the CSP if it has completed a SOC 2 Type 2. This assessment is based on a mature attest standard, and ensure that evaluation takes place over time rather than at a point in time, among other helpful standards.

(Really!) Read the contracts

Yes, it’s tempting to skip over the long legalese, but the nuances of a contract between a customer and CSP can go a long way in helping each side understand its shared responsibilities. For example, if the contract allows for certain levels of transparency between the two in the form of allowing the customer to see an audit or compliance report. However, you should remember that seeing an overview isnt the same as being able to read every page of the report. A customer should know what level of transparency they’re getting. Customers should be certain there are clear roles and escalation paths that make sense, so if something goes wrong or a decision needs to be made about shutting off a service or reporting a breach, it can be done without hesitation. And don’t forget to engage your own counsel during contact review, no one understands legalese as well as a lawyer.

Follow the guides

To help organizations understand ways to protect their data in the cloud, Microsoft has blueprint guides for use cases like FFIEC and HIPAA regulations. We also have tools to help companies manage and improve their cloud controls, including Compliance manager and Secure score. Compliance manager enables organizations to manage their compliance activities from one place. Secure score is an assessment tool designed to make it easier for organizations to understand their security position in relation to other organizations while also providing advice on what controls they should consider enabling.

Microsoft takes its side of the shared responsibility model seriously and is continually looking for ways to help the customer identify weaknesses and put action plans in place to shore them up. Not unlike how car manufacturers continually iterate to make cars safer, safety enhancements are meant to lessen the burden of driver responsibilities, not remove them entirely. When it comes to protecting data, if you keep your eyes on your data road, well make sure the brakes are working.

For more information on shared responsibilities for cloud computing read this comprehensive white paper.

Categories: Uncategorized Tags:

New FastTrack benefit: Deployment support for Co-management on Windows 10 devices

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog Getting the most value out of your security deployment.

We are pleased to announce that FastTrack for Microsoft 365 (a benefit of your Microsoft 365 subscription for planning, deployment and adoption), now provides deployment support for Co-management on your Windows 10 devices. Id like to provide a few highlights on what you can expect.

What is Co-management?

Co-management is the integration between Configuration Manager and Microsoft Intune that enables a Windows 10 device to be managed by Configuration Manager and Intune at the same time. This provides you with an opportunity to enable remote actions that can be taken on the device, like remote factory reset or selective wipe for lost or stolen devices. Some additional advantages include conditional access, enabling you to ensure devices accessing your corporate network are compliant with your company policies and requirements. And, with your Windows 10 device you have Windows AutoPilot which is automatic enrollment that enrolls devices in Intune. This can let you lower your provisioning costs on new Windows 10 devices from the cloud. Co-management empowers you to complement Configuration Manager with Intune and more easily bring all this together where cloud makes sense for your organization as seen in Figure 1 below.

Figure 1: Co-management architecture

What can you expect

As part of our deployment support, the FastTrack team will provide guidance on the following activities:

  • Enabling Active Directory auto enrollment
  • Enabling hybrid Azure Active Directory
  • Enabling the Cloud Management Gateway
  • Enabling Co-management in Configuration Manager
  • Switch over supported device management capabilities from Configuration Manager to Intune:

    • Device conditional access policies
    • Resource Access profiles
    • Windows Update for Business policies
    • EndPoint Protection policies

  • Setting up Intune to deploy the Configuration Manager agent to new devices

FastTrack for Microsoft 365 benefits

FastTrack continues to invest in bringing you end to end services for planning, onboarding and driving adoption of your eligible subscriptions, and comes at no additional charge. It is our commitment to help you to realize the value of your Microsoft 365 investment with a faster deployment and time to value.

FastTrack lets you engage with our FastTrack specialists and provides best practices, tools and resources to help you quickly and easily enable Microsoft 365 in your environment, now including co-management for Windows 10 devices.

Get started

To request assistance from FastTrack, you can get started by going to our FastTrack website. Click on the Sign In prompt, and enter your company or school ID. Go to the dashboard, and from there follow the prompts to access the Request for Assistance form. Your submission will be reviewed and routed to the appropriate team that will address your specific needs and eligibility.

The FastTrack website also provides you with best practices, tools, and resources from the experts to help make your deployment experience with the Microsoft Cloud a great one.


More blog posts from this series:

Categories: Uncategorized Tags:

Building Zero Trust networks with Microsoft 365

The traditional perimeter-based network defense is obsolete. Perimeter-based networks operate on the assumption that all systems within a network can be trusted. However, todays increasingly mobile workforce, the migration towards public cloud services, and the adoption of Bring Your Own Device (BYOD) model make perimeter security controls irrelevant. Networks that fail to evolve from traditional defenses are vulnerable to breaches: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand foothold across the entire network.

In 2013, a massive credit card data breach hit Target and exposed the credit card information of over 40 million customers. Attackers used malware-laced emails to steal credentials from contractors that had remote access to Targets network. They then used the stolen credentials to gain access to the network, effectively evading the perimeter defense mechanisms that Target had in place. Once inside the network, the attackers installed malware on payment systems used in Target stores across the US and stole customer credit card information.

Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures leverage device and user trust claims to gate access to organizational data and resources. A general Zero Trust network model (Figure 1) typically comprises the following:

  • Identity provider to keep track of users and user-related information
  • Device directory to maintain a list of devices that have access to corporate resources, along with their corresponding device information (e.g., type of device, integrity etc.)
  • Policy evaluation service to determine if a user or device conforms to the policy set forth by security admins
  • Access proxy that utilizes the above signals to grant or deny access to an organizational resource

Figure 1. Basic components of a general Zero Trust network model

Gating access to resources using dynamic trust decisions allows an enterprise to enable access to certain assets from any device while restricting access to high-value assets on enterprise-managed and compliant devices. In targeted and data breach attacks, attackers can compromise a single device within an organization, and then use the “hopping” method to move laterally across the network using stolen credentials. A solution based on Zero Trust network, configured with the right policies around user and device trust, can help prevent stolen network credentials from being used to gain access to a network.

Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the assume breach mindset, but this approach should not be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace using technologies that empower employees to be productive anytime, anywhere, any which way.

Zero Trust networking based on Azure AD conditional access

Today, employees access their organization’s resources from anywhere using a variety of devices and apps. Access control policies that focus only on who can access a resource is not sufficient. To master the balance between security and productivity, security admins also need to factor in how a resource is being accessed.

Microsoft has a story and strategy around Zero Trust networking. Azure Active Directory conditional access is the foundational building block of how customers can implement a Zero Trust network approach. Conditional access and Azure Active Directory Identity Protection make dynamic access control decisions based on user, device, location, and session risk for every resource request. They combine (1) attested runtime signals about the security state of a Windows device and (2) the trustworthiness of the user session and identity to arrive at the strongest possible security posture.

Conditional access provides a set of policies that can be configured to control the circumstances in which users can access corporate resources. Considerations for access include user role, group membership, device health and compliance, mobile applications, location, and sign-in risk. These considerations are used to decide whether to (1) allow access, (2) deny access, or (3) control access with additional authentication challenges (e.g., multi-factor authentication), Terms of Use, or access restrictions. Conditional access works robustly with any application configured for access with Azure Active Directory.

Figure 2. Microsofts high-level approach to realizing Zero Trust networks using conditional access.

To accomplish the Zero Trust model, Microsoft integrates several components and capabilities in Microsoft 365: Windows Defender Advanced Threat Protection, Azure Active Directory, Windows Defender System Guard, and Microsoft Intune.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (ATP) is an endpoint protection platform (EPP) and endpoint detection response (EDR) technology that provides intelligence-driven protection, post-breach detection, investigation, and automatic response capabilities. It combines built-in behavioral sensors, machine learning, and security analytics to continuously monitor the state of devices and take remedial actions if necessary. One of the unique ways Windows Defender ATP mitigates breaches is by automatically isolating compromised machines and users from further cloud resource access.

For example, attackers use the Pass-the-Hash (PtH) and the Pass the ticket for Kerberos techniques to directly extract hashed user credentials from a compromised device. The hashed credentials can then be used to make lateral movement, allowing attackers to leapfrog from one system to another, or even escalate privileges. While Windows Defender Credential Guard prevents these attacks by protecting NTLM hashes and domain credentials, security admins still want to know that such an attack occurred.

Windows Defender ATP exposes attacks like these and generates a risk level for compromised devices. In the context of conditional access, Windows Defender ATP assigns a machine risk level, which is later used to determine whether the client device should get a token required to access corporate resources. Windows Defender ATP uses a broad range of security capabilities and signals, including:

Windows Defender System Guard runtime attestation

Windows Defender System Guard protects and maintains the integrity of a system as it boots up and continues running. In the assume breach mentality, its important for security admins to have the ability to remotely attest the security state of a device. With the Windows 10 April 2018 Update, Windows Defender System Guard runtime attestation contributes to establishing device integrity. It makes hardware-rooted boot-time and runtime assertions about the health of the device. These measurements are consumed by Windows Defender ATP and contribute to the machine risk level assigned to the device.

The single most important goal of Windows Defender System Guard is to validate that the system integrity has not been violated. This hardware-backed high-integrity trusted framework enables customers to request a signed report that can attest (within guarantees specified by the security promises) that no tampering of the devices security state has taken place. Windows Defender ATP customers can view the security state of all their devices using the Windows Defender ATP portal, allowing detection and remediation of any security violation.

Windows Defender System Guard runtime attestation leverages the hardware-rooted security technologies in virtualization-based security (VBS) to detect attacks. On virtual secure mode-enabled devices, Windows Defender System Guard runtime attestation runs in an isolated environment, making it resistant to even a kernel-level adversary.

Windows Defender System Guard runtime attestation continually asserts system security posture at runtime. These assertions are directed at capturing violations of Windows security promises, such as disabling process protection.

Azure Active Directory

Azure Active Directory is a cloud identity and access management solution that businesses use to manage access to applications and protect user identities both in the cloud and on-premises. In addition to its directory and identity management capabilities, as an access control engine Azure AD delivers:

  • Single sign-on experience: Every user has a single identity to access resources across the enterprise to ensure higher productivity. Users can use the same work or school account for single sign-on to cloud services and on-premises web applications. Multi-factor authentication helps provide an additional level of validation of the user.
  • Automatic provisioning of application access: Users access to applications can be automatically provisioned or de-provisioned based on their group memberships, geo-location, and employment status.

As an access management engine, Azure AD makes a well-informed decision about granting access to organizational resources using information about:

  • Group and user permissions
  • App being accessed
  • Device used to sign in (e.g., device compliance info from Intune)
  • Operating system of the device being used to sign in
  • Location or IP ranges of sign-in
  • Client app used to sign in
  • Time of sign-in
  • Sign-in risk, which represents the probability that a given sign-in isnt authorized by the identity owner (calculated by Azure AD Identity Protections multiple machine learning or heuristic detections)
  • User risk, which represents the probability that a bad actor has compromised a given user (calculated by Azure AD Identity Protections advanced machine learning that leverages numerous internal and external sources for label data to continually improve)
  • More factors that we will continually add to this list

Conditional access policies are evaluated in real-time and enforced when a user attempts to access any Azure AD-connected application, for example, SaaS apps, custom apps running in the cloud, or on-premises web apps. When suspicious activity is discovered, Azure AD helps take remediation actions, such as block high-risk users, reset user passwords if credentials are compromised, enforce Terms of Use, and others.

The decision to grant access to a corporate application is given to client devices in the form of an access token. This decision is centered around compliance with the Azure AD conditional access policy. If a request meets the requirements, a token is granted to a client. The policy may require that the request provides limited access (e.g., no download allowed) or even be passed through Microsoft Cloud App Security for in-session monitoring.

Microsoft Intune

Microsoft Intune is used to manage mobile devices, PCs, and applications in an organization. Microsoft Intune and Azure have management and visibility of assets and data valuable to the organization, and have the capability to automatically infer trust requirements based on constructs such as Azure Information Protection, Asset Tagging, or Microsoft Cloud App Security.

Microsoft Intune is responsible for the enrollment, registration, and management of client devices. It supports a wide array of device types: mobile devices (Android and iOS), laptops (Windows and macOS), and employees BYOD devices. Intune combines the machine risk level provided by Windows Defender ATP with other compliance signals to determine the compliance status (isCompliant) of the device. Azure AD leverages this compliance status to block or allow access to corporate resources. Conditional access policies can be configured in Intune in two ways:

  • App-based: Only managed applications can access corporate resources
  • Device-based: Only managed and compliant devices can access corporate resources

More on how to configure risk-based conditional access compliance check in Intune.

Conditional access at work

The value of conditional access can be best demonstrated with an example. (Note: The names used in this section are fictitious, but the example illustrates how conditional access can protect corporate data and resources in different scenarios.)

SurelyMoney is one of the most prestigious financial institutions in the world, helping over a million customers carry out their business transactions seamlessly. The company uses Microsoft 365 E5 suite, and their security enterprise admins have enforced conditional access.

An attacker seeks to steal information about the companys customers and the details of their business transactions. The attacker sends seemingly innocuous e-mails with malware attachments to employees. One employee unwittingly opens the attachment on a corporate device, compromising the device. The attacker can now harvest the employees user credentials and try to access a corporate application.

Windows Defender ATP, which continuously monitors the state of the device, detects the breach and flags the device as compromised. This device information is relayed to Azure AD and Intune, which then denies the access to the application from that device. The compromised device and user credentials are blocked from further access to corporate resources. Once the device is auto-remediated by Windows Defender ATP, access is re-granted for the user on the remediated device.

This illustrates how conditional access and Windows Defender ATP work together to help prevent the lateral movement of malware, provide attack isolation, and ensure protection of corporate resources.

Azure AD applications such as Office 365, Exchange Online, SPO, and others

The executives at SurelyMoney store a lot of high-value confidential documents in Microsoft SharePoint, an Office 365 application. Using a compromised device, the attacker tries to steal these documents. However, conditional access tight coupling with O365 applications prevents this from taking place.

Office 365 applications like Microsoft Word, Microsoft PowerPoint, and Microsoft Excel allow an organizations employees to collaborate and get work done. Different users can have different permissions, depending on the sensitivity or nature of their work, the group they belong to, and other factors. Conditional access facilitates access management in these applications as they are deeply integrated with the conditional access evaluation. Through conditional access, security admins can implement custom policies, enabling the applications to grant partial or full access to requested resources.

Figure 3. Zero Trust network model for Azure AD applications

Line of business applications

SurelyMoney has a custom transaction-tracking application connected to Azure AD. This application keeps records of all transactions carried out by customers. The attacker tries to gain access to this application using the harvested user credentials. However, conditional access prevents this breach from happening.

Every organization has mission-critical and business-specific applications that are tied directly to the success and efficiency of employees. These typically include custom applications related to e-commerce systems, knowledge tracking systems, document management systems, etc. Azure AD will not grant an access token for these applications if they fail to meet the required compliance and risk policy, relying on a binary decision on whether access to resources should be granted or denied.

Figure 4. Zero Trust network model expanded for line of business apps

On-premises web applications

Employees today want to be productive anywhere, any time, and from any device. They want to work on their own devices, whether they be tablets, phones, or laptops. And they expect to be able to access their corporate on-premises applications. Azure AD Application Proxy allows remote access to external applications as a service, enabling conditional access from managed or unmanaged devices.

SurelyMoney has built their own version of a code-signing application, which is a legacy tenant application. It turns out that the user of the compromised device belongs to the code-signing team. The requests to the on-premises legacy application are routed through the Azure AD Application Proxy. The attacker tries to make use of the compromised user credentials to access this application, but conditional access foils this attempt.

Without conditional access, the attacker would be able to create any malicious application he wants, code-sign it, and deploy it through Intune. These apps would then be pushed to every device enrolled in Intune, and the hacker would be able to gain an unprecedented amount of sensitive information. Attacks like these have been observed before, and it is in an enterprises best interests to prevent this from happening.

Figure 5. Zero Trust network model for on-premises web applications

Continuous innovation

At present, conditional access works seamlessly with web applications. Zero Trust, in the strictest sense, requires all network requests to flow through the access control proxy and for all evaluations to be based on the device and user trust model. These network requests can include various legacy communication protocols and access methods like FTP, RDP, SMB, and others.

By leveraging device and user trust claims to gate access to organizational resources, conditional access provides comprehensive but flexible policies that secure corporate data while ensuring user productivity. We will continue to innovate to protect the modern workplace, where user productivity continues to expand beyond the perimeters of the corporate network.

 

 

Sumesh Kumar, Ashwin Baliga, Himanshu Soni, Jairo Cadena
Enterprise & Security

Updating your cybersecurity strategy to enable and accelerate digital transformation

This post is authored by Cyril Voisin, Cheif Security Advisor, Enterprise Cybersecurity Group.

Nowadays every company is becoming a digital company to some extent. Digital transformation changes the way business is done. For example, it puts more control into the hands of employees, who now demand anytime, anywhere connectivity to the solutions and data they need to accomplish their objectives. Adoption of digital technologies takes place at every level of the organization, and shadow IT reminds us that employees may procure their own IT solutions to be more productive. Solutions require careful security considerations before being approved. Therefore, its important to redefine your strategy to support both security and productivity, based on sound risk management.

Over the last decade, the security landscape has changed dramatically. Therefore, the security approach must be adapted to a new world of constant change and massive digitalization. With dramatic events such as Wannacry or NotPetya, cybersecurity has become a board conversation. Savvy enterprises now consider cybersecurity risks as strategic, the same way they consider financial risks.

Defining a crisp modern security strategy to support business success

A modern security agenda needs to define the purpose of the security team, its vision and mindset. It should also explain the high-level strategies it will employ, and how it will be organized, including the definition of priorities and deadlines and how the results will be measured. The figure below shows an example of a modern security agenda that can be summarized in a single slide for the purpose of sharing with your executive team.

Download the whitepaper on cybersecurity for digital transformation

More detailed information regarding enabling and accelerating digital transformation is available in this whitepaper. It is designed to articulate what a modern security strategy can look like, and is useful for CISOs, CIOs, CDOs, and potentially board members who want to learn more about secure transformation and benchmark their own teams. It was first released as an exclusive distribution in Dubai in October 2017, and now we are making it more broadly available today.

You can download the whitepaper here.

For more information on deployment planning and FastTrack guidance,check out related deployment series blogs.

Categories: Uncategorized Tags:

Machine learning vs. social engineering

Machine learning is a key driver in the constant evolution of security technologies at Microsoft. Machine learning allows Microsoft 365 to scale next-gen protection capabilities and enhance cloud-based, real-time blocking of new and unknown threats. Just in the last few months, machine learning has helped us to protect hundreds of thousands of customers against ransomware, banking Trojan, and coin miner malware outbreaks.

But how does machine learning stack up against social engineering attacks?

Social engineering gives cybercriminals a way to get into systems and slip through defenses. Security investments, including the integration of advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security into Microsoft 365, have significantly raised the cost of attacks. The hardening of Windows 10 and Windows 10 in S mode, the advancement of browser security in Microsoft Edge, and the integrated stack of endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) further raise the bar in security. Attackers intent on overcoming these defenses to compromise devices are increasingly reliant on social engineering, banking on the susceptibility of users to open the gate to their devices.

Modern social engineering attacks use non-portable executable (PE) files like malicious scripts and macro-laced documents, typically in combination with social engineering lures. Every month, Windows Defender AV detects non-PE threats on over 10 million machines. These threats may be delivered as email attachments, through drive-by web downloads, removable drives, browser exploits, etc. The most common non-PE threat file types are JavaScript and VBScript.

Figure 1. Ten most prevalent non-PE threat file types encountered by Windows Defender AV

Non-PE threats are typically used as intermediary downloaders designed to deliver more dangerous executable malware payloads. Due to their flexibility, non-PE files are also used in various stages of the attack chain, including lateral movement and establishing fileless persistence. Machine learning allows us to scale protection against these threats in real-time, often protecting the first victim (patient zero).

Catching social engineering campaigns big and small

In mid-May, a small-scale, targeted spam campaign started distributing spear phishing emails that spoofed a landscaping business in Calgary, Canada. The attack was observed targeting less than 100 machines, mostly located in Canada. The spear phishing emails asked target victims to review an attached PDF document.

When opened, the PDF document presents itself as a secure document that requires action a very common social engineering technique used in enterprise phishing attacks. To view the supposed secure document, the target victim is instructed to click a link within the PDF, which opens a malicious website with a sign-in screen that asks for enterprise credentials.

Phished credentials can then be used for further attacks, including CEO fraud, additional spam campaigns, or remote access to the network for data theft or ransomware. Our machine learning blocked the PDF file as malware (Trojan:Script/Cloxer.A!cl) from the get-go, helping prevent the attack from succeeding.

Figure 2. Phishing email campaign with PDF attachment

Beyond targeted credential phishing attacks, we commonly see large-scale malware campaigns that use emails with archive attachments containing malicious VBScript or JavaScript files. These emails typically masquerade as an outstanding invoice, package delivery, or parking ticket, and instruct targets of the attack to refer to the attachment for more details. If the target opens the archive and runs the script, the malware typically downloads and runs further threats like ransomware or coin miners.

Figure 3. Typical social engineering email campaign with an archive attachment containing a malicious script

Malware campaigns like these, whether limited and targeted or large-scale and random, occur frequently. Attackers go to great lengths to avoid detection by heavily obfuscating code and modifying their attack code for each spam wave. Traditional methods of manually writing signatures identifying patterns in malware cannot effectively stop these attacks. The power of machine learning is that it is scalable and can be powerful enough to detect noisy, massive campaigns, but also specific enough to detect targeted attacks with very few signals. This flexibility means that we can stop a wide range of modern attacks automatically at the onset.

Machine learning models zero in on non-executable file types

To fight social engineering attacks, we build and train specialized machine learning models that are designed for specific file types.

Building high-quality specialized models requires good features for describing each file. For each file type, the full contents of hundreds of thousands of files are analyzed using large-scale distributed computing. Using machine learning, the best features that describe the content of each file type are selected. These features are deployed to the Windows Defender AV client to assist in describing the content of each file to machine learning models.

In addition to these ML-learned features, the models leverage expert researcher-created features and other useful file metadata to describe content. Because these ML models are trained for specific file types, they can zone in on the metadata of these file types.

Figure 4. Specialized file type-specific client ML models are paired with heavier cloud ML models to classify and protect against malicious script files in real-time

When the Windows Defender AV client encounters an unknown file, lightweight local ML models search for suspicious characteristics in the files features. Metadata for suspicious files are sent to the cloud protection service, where an array of bigger ML classifiers evaluate the file in real-time.

In both the client and the cloud, specialized file-type ML classifiers add to generic ML models to create multiple layers of classifiers that detect a wide range of malicious behavior. In the backend, deep-learning neural network models identify malicious scripts based on their full file content and behavior during detonation in a controlled sandbox. If a file is determined malicious, it is not allowed to run, preventing infection at the onset.

File type-specific ML classifiers are part of metadata-based ML models in the Windows Defender AV cloud protection service, which can make a verdict on suspicious files within a fraction of a second.

Figure 5. Layered machine learning models in Windows Defender ATP

File type-specific ML classifiers are also leveraged by ensemble models that learn and combine results from the whole array of cloud classifiers. This produces a comprehensive cloud-based machine learning stack that can protect against script-based attacks, including zero-day malware and highly targeted attacks. For example, the targeted phishing attack in mid-May was caught by a specialized PDF client-side machine learning model, as well as several cloud-based machine learning models, protecting customers in real-time.

Microsoft 365 threat protection powered by artificial intelligence and data sharing

Social engineering attacks that use non-portable executable (PE) threats are pervasive in todays threat landscape; the impact of combating these threats through machine learning is far-reaching.

Windows Defender AV combines local machine learning models, behavior-based detection algorithms, generics, and heuristics with a detonation system and powerful ML models in the cloud to provide real-time protection against polymorphic malware. Expert input from researchers, advanced technologies like Antimalware Scan Interface (AMSI), and rich intelligence from the Microsoft Intelligent Security Graph continue to enhance next-generation endpoint protection platform (EPP) capabilities in Windows Defender Advanced Threat Protection.

In addition to antivirus, components of Windows Defender ATPs interconnected security technologies defend against the multiple elements of social engineering attacks. Windows Defender SmartScreen in Microsoft Edge (also now available as a Google Chrome extension) blocks access to malicious URLs, such as those found in social engineering emails and documents. Network protection blocks malicious network communications, including those made by malicious scripts to download payloads. Attack surface reduction rules in Windows Defender Exploit Guard block Office-, script-, and email-based threats used in social engineering attacks. On the other hand, Windows Defender Application Control can block the installation of untrusted applications, including malware payloads of intermediary downloaders. These security solutions protect Windows 10 and Windows 10 in S mode from social engineering attacks.

Further, Windows Defender ATP endpoint detection and response (EDR) uses the power of machine learning and AMSI to unearth script-based attacks that live off the land. Windows Defender ATP allows security operations teams to detect and mitigate breaches and cyberattacks using advanced analytics and a rich detection library. With the April 2018 Update, automated investigation and advance hunting capabilities further enhance Windows Defender ATP. Sign up for a free trial.

Machine learning also powers Office 365 Advanced Threat Protection to detect non-PE attachments in social engineering spam campaigns that distribute malware or steal user credentials. This enhances the Office 365 ATP comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against threats.

These and other technologies power Microsoft 365 threat protection to defend the modern workplace. In Windows 10 April 2018 Update, we enhanced signal sharing across advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph. This integration enables these technologies to automatically update protection and detection and orchestrate remediation across Microsoft 365.

 

Gregory Ellison and Geoff McDonald
Windows Defender Research

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Cybersecurity Reference Architecture: Security for a Hybrid Enterprise

June 6th, 2018 No comments

The Microsoft Cybersecurity Reference Architecture describes Microsofts cybersecurity capabilities and how they integrate with existing security architectures and capabilities. We recently updated this diagram and wanted to share a little bit about the changes and the document itself to help you better utilize it.

How to use it

We have seen this document used for several purposes by our customers and internal teams (beyond a geeky wall decoration to shock and impress your cubicle neighbors).

  • Starting template for a security architecture – The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premise, mobile devices, many clouds, and IoT / Operational Technology.
  • Comparison reference for security capabilities – We know of several organizations that have marked up a printed copy with what capabilities they already own from various Microsoft license suites (many customers don’t know they own quite a bit of this technology), which ones they already have in place (from Microsoft or partner/3rd party), and which ones are new and could fill a need.
  • Learn about Microsoft capabilities – In presentation mode, each capability has a “ScreenTip” with a short description of each capability + a link to documentation on that capability to learn more.

  • Learn about Microsoft’s integration investments – The architecture includes visuals of key integration points with partner capabilities (e.g. SIEM/Log integration, Security Appliances in Azure, DLP integration, and more) and within our own product capabilities among (e.g. Advanced Threat Protection, Conditional Access, and more).
  • Learn about cybersecurity – We have also heard reports of folks new to cybersecurity using this as a learning tool as they prepare for their first career or a career change.

As you can see, Microsoft has been investing heavily in security for many years to secure our products and services as well as provide the capabilities our customers need to secure their assets. In many ways, this diagram reflects Microsoft massive ongoing investment into cybersecurity research and development, currently over $1 billion annually (not including acquisitions).

What has changed in the reference architecture and why

We made quite a few changes in v2 and wanted to share a few highlights on what’s changed as well as the underlying philosophy of how this document was built.

  • New visual style – The most obvious change for those familiar with the first version is the simplified visual style. While some may miss the “visual assault on the senses” effect from the bold colors in v1, we think this format works better for most people.
  • Interactivity instructions – Many people did not notice that each capability on the architecture has a quick description and link to more information, so we added instructions to call that out (and updated the descriptions themselves).
  • Complementary content – Microsoft has invested in creating cybersecurity reference strategies (success criteria, recommended approaches, how our technology maps to them) as well as prescriptive guidance for addressing top customer challenges like Petya/WannaCrypt, Securing Privileged Access, and Securing Office 365. This content is now easier to find with links at the top of the document.
  • Added section headers for each grouping of technology areas to make it easier to navigate, understand, and discuss as a focus area.
  • Added foundational elements – We added descriptions of some core foundational capabilities that are deeply integrated into how we secure our cloud services and build our cybersecurity capabilities that have been added to the bottom. These include:

    • Trust Center – This is where describe how we secure our cloud and includes links to various compliance documents such as 3rd party auditor reports.
    • Compliance Manager is a powerful (new) capability to help you report on your compliance status for Azure, Office 365, and Dynamics 365 for General Data Protection Regulation (GDPR), NIST 800-53 and 800-171, ISO 27001 and 27018, and others.
    • Intelligent Security Graph is Microsoft threat intelligence system that we use to protect our cloud, our IT environment, and our customers. The graph is composed of trillions of signals, advanced analytics, and teams of experts hunting for malicious activities and is integrated into our threat detection and response capabilities.
    • Security Development Lifecycle (SDL) is foundational to how we develop software at Microsoft and has been published to help you secure your applications. Because of our early and deep commitment to secure development, we were able to quickly conform to ISO 27034 after it was released.

  • Moved Devices/Clients together – As device form factors and operating systems continue to expand and evolve, we are seeing security organizations view devices through the lens of trustworthiness/integrity vs. any other attribute.

    • We reorganized the Windows 10 and Windows Defender ATP capabilities around outcomes vs. feature names for clarity.
    • We also reorganized windows security icons and text to reflect that Windows Defender ATP describes all the platform capabilities working together to prevent, detect, and (automatically) respond and recover to attacks. We added icons to show the cross-platform support for Endpoint Detection and Response (EDR) capabilities that now extend across Windows 10, Windows 7/8.1, Windows Server, Mac OS, Linux, iOS, and Android platforms.
    • We faded the intranet border around these devices because of the ongoing success of phishing, watering hole, and other techniques that have weakened the network boundary.

  • Updated SOC section – We moved several capabilities from their previous locations around the architecture into the Security Operations Center (SOC) as this is where they are primarily used. This move enabled us to show a clearer vision of a modern SOC that can monitor and protect the hybrid of everything estate. We also added the Graph Security API (in public preview) as this API is designed to help you integrate existing SOC components and Microsoft capabilities.
  • Simplified server/datacenter view – We simplified the datacenter section to recover the space being taken up by duplicate server icons. We retained the visual of extranets and intranets spanning on-premises datacenters and multiple cloud provider(s). Organizations see Infrastructure as a Service (IaaS) cloud providers as another datacenter for the intranet generation of applications, though they find Azure is much easier to manage and secure than physical datacenters. We also added Azure Stack capability that allows customers to securely operate Azure services in their datacenter.
  • New IoT/OT section – IoT is on the rise on many enterprises due to digital transformation initiatives. While the attacks and defenses for this area are still evolving quickly, Microsoft continues to invest deeply to provide security for existing and new deployments of Internet of Things (IoT) and Operational Technology (OT). Microsoft has announced $5 billion of investment over the next four years for IoT and has also recently announced an end to end certification for a secure IoT platform from MCU to the cloud called Azure Sphere.
  • Updated Azure Security Center – Azure Security Center grew to protect Windows and Linux operating system across Azure, on-premises datacenters, and other IaaS providers. Security Center has also added powerful new features like Just in Time access to VMs and applied machine learning to creating application whitelisting rules and North-South Network Security Group (NSG) network rules.
  • Added Azure capabilities including Azure Policy, Confidential Computing, and the new DDoS protection options.
  • Added Azure AD B2B and B2C – Many Security departments have found these capabilities useful in reducing risk by moving partner and customer accounts out of enterprise identity systems to leverage existing enterprise and consumer identity providers.
  • Added information protection capabilities for Office 365 as well as SQL Information Protection (preview).
  • Updated integration points – Microsoft invests heavily to integrate our capabilities together as well as to ensure use our technology with your existing security capabilities. This is a quick summary of some key integration points depicted in the reference architecture:

    • Conditional Access connecting info protection and threat protection with identity to ensure that authentications are coming from a secure/compliant device before accessing sensitive data.
    • Advanced Threat Protection integration across our SOC capabilities to streamline detection and response processes across Devices, Office 365, Azure, SaaS applications, and on Premises Active Directory.
    • Azure Information Protection discovering and protecting data on SaaS applications via Cloud App Security.
    • Data Loss Protection (DLP) integration with Cloud App Security to leverage existing DLP engines and with Azure Information Protection to consume labels on sensitive data.
    • Alert and Log Integration across Microsoft capabilities to help integrate with existing Security Information and Event Management (SIEM) solution investments.

Feedback

We are always trying to improve everything we do at Microsoft and we need your feedback to do it! You can contact the primary author (Mark Simos) directly on LinkedIn with any feedback on how to improve it or how you use it, how it helps you, or any other thoughts you have.

 

Categories: Uncategorized Tags:

Virtualization-based security (VBS) memory enclaves: Data protection through isolation

The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution capability, resulting in widescale global outbreaks.

Windows 10 remained resilient to these attacks, with Microsoft constantly raising the bar in platform security to stay ahead of threat actors. Virtualization-based security (VBS) hardens Windows 10 against attacks by using the Windows hypervisor to create an environment that isolates a secure region of memory known as secure memory enclaves.

Figure 1. VBS secure memory enclaves

An enclave is an isolated region of memory within the address space of a user-mode process. This region of memory is controlled entirely by the Windows hypervisor. The hypervisor creates a logical separation between the normal world and secure world, designated by Virtual Trust Levels, VTL0 and VT1, respectively. VBS secure memory enclaves create a means for secure, attestable computation in an otherwise untrusted environment.

VBS enclaves in Microsoft SQL Server

A key technology that will leverage VBS secure memory enclaves is Microsoft SQL Server. The upcoming SQL Server secure enclave feature ensures that sensitive data stored in an SQL Server database is only decrypted and processed inside an enclave. SQL Servers use of secure enclaves allows the processing of sensitive data without exposing the data to database administrators or malware. This reduces the risk of unauthorized access and achieves separation between those who own the data (and can view it) and those who manage the data (but should have no access). To learn more about the use of secure enclaves in SQL Server, see the blog post Enabling confidential computing with Always Encrypted using enclaves.

Data protection

One of the major benefits of secure memory enclaves is data protection. Data resident in an enclave is only accessible by code running inside that enclave. This means that there is a security boundary between VTL0 and VTL1. If a process tries to read memory that is within the secure memory enclave, an invalid access exception is thrown. This happens even when a kernel-mode debugger is attached to the normal process the debugger will fail when trying to step into the enclave.

Code integrity

Code integrity is another major benefit provided by enclaves. Code loaded into an enclave is securely signed with a key; therefore, guarantees can be made about the integrity of code running within a secure memory enclave. The code running inside an enclave is incredibly restricted, but a secure memory enclave can still perform meaningful work. This includes performing computations on data that is encrypted outside the enclave but can be decrypted and evaluated in plaintext inside the enclave, without exposing the plaintext to anything other than the enclave itself. A great example of why this is useful in a multi-tenant cloud computing scenario is described in the Azure confidential computing blog post. This move allowed us to continually make significant innovations in platform security.

Attestation

Attestation is also a critical aspect of secure memory enclaves. Sensitive information, such as plaintext data or encryption keys, must only be sent to the intended enclave that must be trusted. VBS enclaves can be put into debug mode for testing but lose memory isolation. This is great for testing, but in production this impacts the security guarantees of the enclave. To ensure that a production secure enclave is never in debug mode, an attestation report is generated to state what mode the enclave is in (among various other configuration and identity parameters). This report is then verified by a trust relationship between the consumer and producer of the report.

To establish this trust, VBS enclaves can expose an enclave attestation report that is fully signed by the VBS-unique key. This can prove the relationship between the enclave and host, as well as the exact configuration of the enclave. This attestation report can be used to establish a secure channel of communication between two enclaves. In Windows this is possible simply by exchanging the report. For remote scenarios, an attestation service can use this report to establish a trust relationship between a remote enclave and a client application.

One feature that relies on secure memory enclave attestation is Windows Defender System Guard runtime attestation, which allows users to measure and attest to all interactions from the enclave to other capabilities, including areas of runtime and boot integrity.

Figure 2. Windows Defender System Guard runtime attestation

Elevating data security

There are many secure memory enclave technologies in the industry today. Each have pros and cons in capabilities. The benefit of using a VBS secure memory enclave is that there are no special hardware requirements, only that the processor supports hypervisor virtualization extensions:

Additionally, VBS enclaves do not have the same memory constraints as a hardware-based enclave, which are usually quite limited.

VBS secure memory enclaves provide hardware-rooted virtualization-based data protection and code integrity. They are leveraged for new data security capabilities, as demonstrated by Azure confidential computing and the Always Encrypted feature of Microsoft SQL Server. These are examples of the rapid innovation happening all throughout Microsoft to elevate security. This isnt the last youll hear of secure memory enclaves. As Microsoft security technologies continue to advance, we can expect secure memory enclaves to stand out in many more protection scenarios.

 

 

Maxwell Renke, Program manager, Windows

Chris Riggs, Principal Program Manager, Microsoft Offensive Security Research

 

Getting the most value out of your security deployment

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog Now that you have a plan, its time to start deploying.

In our previous blog, we covered some of the tactical issues that youll want to consider planning your Microsoft 365 Security deployment. Now well move to the third and final step of an effective planning process: Drive Value.

The Drive Value stage is about helping your employees to embrace and adopt the new tools and processes that are a part of your new Microsoft Security infrastructure.

The FastTrack team can help you create and implement an adoption plan that leads you and your team smoothly out of the test phase and into wider user adoption. Drawing from thousands of customer experiences, weve assembled a variety of proven engagement tactics that you can apply directly to your own rollout. Well make sure you have the knowledge, support, and materials you need for success.

Your checklist to Drive Value

The following checklist provides some of the items and actions that our FastTrack team can help you with you during the Drive Value step:

Implement the adoption plan

  • Going beyond your test group to a broader population of users can be difficult. Having a plan in place to help your users adopt and embrace change will make this easier. Microsoft FastTrack will help you build a multifaceted adoption plan using best practices.

Hold launch and training events

  • Make it informative and fun using Microsoft FastTrack resources to help you drive end-user adoption. One idea is to set up a booth or a kiosk outside your lunch area or host lunch and learn events for your users. These events serve to support your users with face-to-face questions & answers as well as driving excitement and adoption. They are a great way to distribute resources your users can take with them.

Encourage ongoing engagement

  • As you implement the adoption plan, FastTrack will monitor and assist you at designated points along the way. Together, youll work with your internal business stakeholders to drive adoption of new technology and work out any productivity issues. Leveraging the Service Management Toolkit and the Admin Learning Center helps you stay informed and effectively manage the new environment

Keep everyone informed: provide an FAQ and supporting materials

  • Microsoft FastTrack has templates you can send to your users to educate them about specific features, explain deployment within the organization, how they can register and enroll, and more. These tools and guides are specifically geared toward different departments within your organization, including individuals in HR, R&D, finance, legal, IT, and sales. You can also work with your internal communications teams to develop appropriate supporting collateral.

Ready to take the next step? Start your success plan

Our FastTrack Success Plan is an online tool that walks you through each step of Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack at: https://fasttrack.microsoft.com/

FastTrack provides end to end guidance for planning, onboarding, and driving end user adoption for Microsoft 365 which is comprised of Enterprise Mobility + Security (EMS), Windows 10, and Office 365.


More blog posts from this series:

Categories: Uncategorized Tags:

From the ground up to the cloud: Microsoft’s Intelligent Security supporting CISOs’ cloud transformation

May 30th, 2018 No comments

Its no secret that Microsoft has embraced the cloud in a big wayfrom enterprise solutions like Microsoft Azure to Office 365 and Windows. But a recent research report by Forrester focuses on an equally important shift in our approach to securityintegrating workforce and cloud security in ways that make them much easier for enterprise IT leaders to purchase and manage.

As Dark Readings Kelly Sheridan points out, Microsoft is focusing on bringing protections to where people are moving their work: into the cloud. Microsoft, like other cloud providers, is stomping into the security market, ready to shake things up and address the weaknesses they see in todays tools, she adds.

Sheridan cites the Forrester research that includes a focus on Microsofts plan to build security into each part of Azure, Office 365, and Windowsa strategy, which, the researchers say, will be as disruptive to the security space as the cloud has been for the enterprise.

A shifting security challenge

Our emphasis on integration through and into the cloud, mirrors the shifts CISOs have made as their own enterprises have embraced the cloud, requiring them to coordinate cloud and on-premise security solutions.

As summarized succinctly in Sheridans Dark Reading post, Forresters research highlights Microsofts strengths in telemetry and artificial intelligence, which yield unparalleled insights into how attackers interact with not only our products, but also other applications that run on Windows and other Microsoft platforms.

The report also cites Microsofts efforts to target the enterprise market by making security easy to buy and use, Sheridan writes. Microsoft, she adds, bundles technologies and simplifies deployment for security teams, which can use preconfigured security policies for new servers and containers. From C-level execs to Sec-Ops, our customers tell us they are overwhelmed by the rapid pace at which new cyber threats are released in the wild. Microsoft believes there is a need for the industry to shift to this next generation of security defense.

Scale and integration

The Forrester report also notes that embedded solutions address one of the biggest challenges cloud-focused CISOs face: scalability.

Scalability isnt an issue, Sheridan writes. As infrastructure and applications grow, so do cloud platforms. Teams dont need to worry about whether hardware can handle bandwidth upgrades or whether management servers can handle new endpoints.

And we continue to expand the scope of our security offerings. At Aprils RSA Conference 2018, Microsoft made a series of announcements that deepen our commitment to end-to-end security. Azure Sphere brings our security efforts to the connected microcontroller units (MCUs) that make up the Internet of Things (IoT), while a broad suite of technologies that together we call Microsoft 365 Intelligent Security emphasizes our commitment to integration. Intelligent Security offerings announced at RSA include a new API for Microsoft Graph that provides integrated data and alert reporting across security products, our Secure Score and Attack Simulator to help companies assess their security profiles, and additional support for strong authentication and threat prevention capabilities.

Disruption and drive

These shifts, according to Forrester, represent a significant disruption in the security marketplace. For CISOs, they also provide a strong argument for new thinking about security products in the enterprise and significant cost savings for moving to the cloud having security built in from the ground up. Gone are the days when security leaders opted for separate antivirus tools in lieu of Windows Defender, Sheridan writes. Now many question the business choice to buy an endpoint suite when Microsofts services have security built in.

At the same time, Forresters researchers caution against going all in with any single vendor, and we agree. Cybersecurity is a broad and complex space, and no one vendor can do it all. Thats why were working with microcontroller unit manufacturers on our IoT solutions, participating in a cybersecurity technology agreement with nearly 35 companies across the industry, and acquiring best-of-breed technology from innovative companies like Adallom and Aorato to bolster our capabilities in such areas as cloud security and malware detection. And along with the millions of threat indicators identified by the Intelligent Security Graph API, we work with a wide range of organizations to gather and share intelligence on threat attacks in real time. Together, these moves represent our commitment to work with all partners to secure the enterprisea simple but powerful idea that, in the security space, may ultimately become the most disruptive force of all.

Categories: Uncategorized Tags:

Adding transparency and context into industry AV test results

 

Corporate Vice President Brad Anderson recently shared his insights on how Windows Defender Advanced Threat Protection (Windows Defender ATP) evolved to achieve important quality milestones. Our Windows Defender ATP team is committed to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions. In the continued spirit of these principles, we want to share the results of the January-February 2018 test conducted by independent antivirus tester AV-TEST and provide a transparency report that augments the test findings with contextual information to help our customers make informed decisions about Windows Defender ATP adoption.

Download the complete transparency report on January-February 2018 test results

 

At a high-level, the transparency report shows:

Protection: Windows Defender Antivirus (Windows Defender AV) achieved a perfect score in Protection, maintaining consistently high scores in this category.
Usability (false positives): Windows Defender AV achieved an improved Usability score of 5.5/6.0. Per our telemetry, samples that Windows Defender AV incorrectly classified (false positive) had very low prevalence and are not commonly used in business context.
Performance: Windows Defender AV improved this cycle, achieving a 5.5/6.0 Performance score and outperforming the industry in almost all areas. These results reflect the investments we put in optimizing Windows Defender AV performance for high-frequency actions (e.g., application run).

 

While independent tests can help assess a security solutions capabilities and protections, it is important to understand that antivirus tests are only one part of a complete quality assessment. To truly understand the protection quality of an endpoint protection platform (EPP) and endpoint detection and response (EDR) solution like Windows Defender ATP, its entire set of capabilities must be evaluated.

For instance, while Windows Defender ATPs antivirus capability achieved a perfect overall Protection score in the January-February 2018 tests and only missed two out of thousands of samples tested, it performed even better than the results suggest. The Windows Defender Security Intelligence team tested the two missed samples against the entire Windows Defender ATP stack to assess these samples ability to infect machines in real-world enterprise environments. The team was able to confirm that the two missed samples were detected and mitigated by other components of the Windows Defender ATP stack.

 

As threats become more sophisticated, Microsoft and other security platform vendors continue evolving their product capabilities to detect threats across different attack stages. We hope to see independent testers evolve their methodologies as well. Our customers need greater transparency and optics into what an end-to-end solution can accomplish in terms of total preventive protection, including the quality of individual components like antivirus. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on end-to-end security stack testing.

Meanwhile, we continue to focus on improving our next-generation antivirus solution while at the same time delivering new innovative capabilities like attack surface reduction and hardware-based isolation, just to name a few. In the Windows 10 April 2018 Update, you can experience these new and improved capabilities in Windows Defender ATP, which provides a complete endpoint protection platform (EPP) and endpoint detection and response (EDR) solution. To see these capabilities for yourself sign up for a 90-day trial of Windows Defender ATP today, or enable Preview features on existing tenants.

 

 

Zaid Arafeh

Senior Program Manager, Windows Defender Research team

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Want better apps? You need a (agile security) hero!

If weve learned anything from the rise of Marvel Cinematic Universe, its that good things tend to happen when heroes intervene. For securing new applications, this metaphor is a useful one because security isnt always top-of-mind for scrum teams, nor is it always conducive to meeting aggressive deadlines. But in the world of software security these heroes are critical because they are risk-aware, highly skilled developers who understand software design, robust development, and the importance of architecting for resiliency.

During my session at IANS Los Angeles Information Security Forum this week about driving security into DevSecOps, I was reminded how difficult it is for company leaders who are strapped for time and resources to find, train, and integrate these heroes. While I covered topics like how to measure the maturity of a DevSecOps program, and ways to incentivize the development team to work with security, the conversation often came back to finding good people and getting them integrated into existing team processes.

Meanwhile more organizations are moving to a full continuous integration/continuous deployment (CI/CD) model for faster software development as consumer demands evolve faster than ever and expectations rise alongside the rapid deployment of new enhancements and features in the market place. While this model can help improve the speed of new technology to market, the core of its success or failure is how well scrum teams collaborate to address complex design and implementation problems. Communication is another critical component, and can be the difference between a successful launch and an insurmountable gating factor, such as needing to punch a new hole in the firewall to get a service to run. The bottom line is nobody wins when security is compromised to standup a new release.

Scrum teams need a security master to facilitate this communication. But this individual isnt a scrum dictator sent to hijack control. They should be a facilitator who works with the scrum team and product owner to drive security into the development process. This is where these individuals really start to attain hero status because they arent just defining a critical set of security requirements, they are relationship builders fostering new collaborations.

A collaborative DevSecOps security hero guides the team through general security requirements, features, functions, and architectures in an appropriate fashion and cadence that can easily be integrated into existing processes. Its important for this scope of work to be well defined and present to meet the teams Definition of Done (DoD). Specific requirements defined by individual user stories in the working code spring help speed the process by ensuring security is represented properly in the DoD. These user stories are important artifacts that can be utilized by the entire scrum team for better alignment, and ensure there are no lengthy gating gotchas at the end of the process.

For example, a common vulnerability in modern applications revolves around the improper use, or lack of use, of cryptography with encrypting sensitive data. A general requirement could be written to protect data entered in a form cryptographically that ties back to a user story about a phase-locked loop (PLL). Once the data is encrypted it can be sent to a server team with agile security experts. By writing these agile security requirements and by addressing them systematically at all levels of the development process, teams can layer in security to existing user stories more quickly, resulting in apps services, or products with less vulnerabilities.

So where do scrum teams find these heroes? The right person might be closer than you think. Often you dont need to hire an outsider or pilfer resources from the security operations center. Instead, you can evaluate in-house developers with an affinity for security, a code expert in the reverse engineering team, or anyone in the release pipeline really who is interested, engaged, and shows the acumen to be a part of what the organization is looking to accomplish. The key is once youve identified and selected this individual that you nurture them. Provide additional security training, allow them the requisite time to fully understand the current processes in play, and ensure their annual business goals reflect their security work. Remember if someone is only rewarded for speed, security will take a back seat and your apps, services, and products will suffer.

Every organization has unique challenges, so start with one team and learn what works and what doesnt work before making broad, sweeping changes. Once the process is clicking, and new security requirements are flowing into your applications, you can radiate out the agile security hero model to your other internal, and even external (sourced via a third party) teams. Implementing this model doesnt mean your code will be perfectly secure. But having a security minded advocate in the scrum makes it a lot easier to incorporate secure measures and features into new releases.

Categories: cybersecurity Tags:

Data classification and protection now available for structured data in SQL

This post is authored by Gilad Mittelman, Senior Program Manager, SQL Data Security.

Data privacy and data security have become one of the most prominent topics in organizations in almost every industry across the globe. New regulations that formalize requirements are emerging around these topics and compel organizations to comply.

The upcoming EU Global Data Protection Regulation (GDPR), which takes effect on May 25, 2018, is one of the most noteworthy of these new regulations. It sets a new global bar for privacy rights, security, and compliance, mandating many requirements and obligations on organizations across the globe. Complying with this regulation will necessitate significant investments in data handling and data protection for a very large number of organizations.

GDPR and Microsoft SQL

SQL Information Protection (SQL IP), now in public preview, complements the existing Microsoft Information Protection (MIP) unstructured data classification framework (Azure Information Protection, Microsoft 365) and extends it with new structured data classification capabilities.

Microsoft SQL customers who are subject to the GDPR, whether managing cloud-based or on-premises databases or both, will need to ensure that qualifying data in their database systems is aptly handled, protected and monitored according to GDPR principles. This means that many customers will need to review or modify their database management and data handling procedures, especially focusing on the security of data processing as stipulated in the GDPR the first step in this journey to compliance is discovering and tagging where such sensitive data resides within the database environment.

SQL IP introduces advanced capabilities built into Azure SQL Database and SQL Server for discovering, classifying, labeling and protecting the sensitive data in your SQL databases.

Discovering and classifying your most sensitive data (business, financial, healthcare, PII, etc.) can play a pivotal role in your organizational information protection stature. It can serve as infrastructure for:

  • Helping meet data privacy standards and regulatory compliance requirements, such as GDPR.
  • Data-centric security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
  • Controlling access to and hardening the security of databases containing highly-sensitive data.

What is SQL Information Protection?

SQL IP introduces a set of advanced services and new SQL capabilities, forming a new information protection paradigm in SQL aimed at monitoring and protecting the data, not just the database:

  • Discovery and recommendations A built-in classification engine scans your database and identifies columns containing potentially sensitive data. It then provides you an effortless way to review and apply the appropriate classification recommendations via the Azure portal or via SQL Server Management Studio.
  • Labeling Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL Engine. This metadata can then be utilized for advanced sensitivity-based auditing and protection scenarios.
  • Monitoring/Auditing Sensitivity of the query result set is calculated in real time and used for auditing access to sensitive data. Additional logic can then be applied on top of the audit logs, for identifying and alerting on anomalous access to sensitive data, data extraction of large volumes of PII, etc.
  • Visibility – The database classification state can be viewed in a detailed dashboard in the portal as seen in Figure 1 below. Additionally, you can download a report (in Excel format) to be used for compliance & auditing purposes, as well as other needs.

Figure 1: Data discovery and classification dashboard

SQL Information Protection in action demo video

The following video demonstrates the main SQL Information Protection public preview capabilities for Azure SQL DB and SQL Server:

What’s next?

Additional SQL IP capabilities will continue rolling out throughout the upcoming year, with a focus on scale and automation.

Well be introducing centralized management via Azure Security Center, enabling organizations to customize the organizational information protection policy with proprietary labels and discovery (recommendations) logic enrichment. Well also be introducing centralized dashboards for visibility into the sensitivity state of all resources across the entire database estate.

In addition, various automation capabilities will be exposed, for supporting fully automated classification and labeling of large numbers of databases at scale.

We encourage customers to contact us with any questions or feedback at sqlsecurityfd@microsoft.com.

Additional resources on SQL Information Protection

More details on using SQL Information Protection can be found in:

Categories: Uncategorized Tags:

Partnerships power the future of better security

This post is authored by Jeremy Dallman, Principal Program Manager.

 

Our goal in building the Microsoft Graph Security API is to enable customers to share insights and take action across security solutions to improve protection and speed response. By creating a connected security ecosystem, Microsoft and partners can enable developers to simplify integration and alert correlation, unlock valuable context to aid investigation, and streamline security operations.

Palo Alto Networks shares the vision of enabling better integration to benefit our joint customers. They are a member of Microsoft Intelligent Security Association and as part of the Graph Security API launch at RSA, we showcased an application that demonstrated the power of integration between multiple Microsoft and Palo Alto Networks security offerings. We demonstrated how a Palo Alto Networks provider for the Security Graph can prevent successful cyberattacks by correlating alerts from Microsoft with its threat intelligence, firewall logs, and automated firewall policy changes.

Microsoft Graph Security API proof of concept integration using PowerBI

Our close collaboration continues and this week at the Palo Alto Networks user conference, Ignite 2018, we will unveil the latest joint innovation. Microsoft and Palo Alto Networks have worked to connect the Microsoft Graph Security API and the Palo Alto Networks Application Framework with a provider that brokers interactions between the two platforms. We will also demo a Microsoft PowerBI solution that accesses information from both the Palo Alto Networks Application Framework and the Microsoft Graph Security API giving our customers the ability to query and access all of their security data through a common interface.

For those attending Ignite this week, be sure to join the Wednesday (5/23) 4:00PM session where Jason Wescott and Francesco Vigo will discuss the collaboration between Microsoft Graph Security API and the Palo Alto Networks Application Framework. If you arent at Ignite, visit the Graph Security API documentation or sign up to request access to the Palo Alto Networks Application Framework API to start exploring how you can take advantage of this powerful collaboration!

Categories: cybersecurity, Security Development Tags:

Now that you have a plan, it’s time to start deploying

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog First Things First: Envisioning Your Security Deployment.

In our previous blog post, we covered how FastTrack for Microsoft 365 can help you envision a successful Microsoft 365 security deployment. Now, well cover the next phase of our three-phase planning approach: Onboard. This is where you move from strategy and objectives to the practical details of your deployment planning.

The Onboard phase is a critical time to remove any blockers you have, clean up any issues that might prevent your preferred deployment approach, and then start setting up services and users that integrate with your environment. The FastTrack team can help coordinate the setup, configuration, and provisioning of many of your Microsoft 365 services.

We will cover how to Drive Value with FastTrack for Microsoft 365 in our next blog. But first

Your onboard checklist

The following checklist provides some of the items and actions that our FastTrack team can help you work through during the Onboard phase:

Network and Client

  • Identify and prepare DNS, network, and infrastructure needs
  • Configure DNS for eligible services
  • Configure TCP/IP protocols and firewall ports
  • Identify and prepare client needs (Internet browser, client operating system, and services’ needs)
  • Enable eligible services that have been purchased and defined as part of onboarding
  • Establish the timeline for remediation activities
  • Activate your Microsoft online service tenant or subscription
  • Validate connectivity to Microsoft online services

Identity

  • Provision user identity including licensing
  • Configure Azure AD Identity Protection
  • Configure Self Service Password Reset (SSPR)
  • Configure Azure Multi-Factor Authentication
  • Configure Privileged Identity Management
  • Set up Azure AD Conditional Access policies
  • Synchronize Azure AD Connect directory (with password writeback and password hash sync)

Access Management

  • Configure identities to be used by Intune, by either leveraging your on-premises Active Directory or cloud identities (Azure AD)
  • Add users to your Intune subscription, define IT admin roles (Helpdesk operator, admins, etc.), and create user and device groups
  • Configure and deploy Intune app protection policies for each supported platform and prepare line-of-business apps for app protection policies

Mobile Device Management (MDM)

  • Configure your MDM authority and policies and test to validate MDM management policies
  • Configure profiles on devices for supported platforms
  • Enroll devices of each supported platform to Intune or Configuration Manager with Microsoft Intune service

Ready for action? Start with a Success Plan

Our FastTrack Success Plan is an online tool that walks you through each step of Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value and adoption with users.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack.

FastTrack provides end to end guidance for planning, onboarding, and driving end user adoption for Microsoft 365 which is comprised of Enterprise Mobility + Security (EMS), Windows 10, and Office 365.


More blog posts from this series:

Categories: Uncategorized Tags:

Securing the modern workplace with Microsoft 365 threat protection – part 4

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Responding to ransomware in the Modern Workplace

Over the last few weeks, we have shared the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect against and detect a modern ransomware attack. Today, we conclude our blog series by discussing how Microsoft 365 threat protection can help respond to attacks and also helps educate and raise awareness of threats to end users. In our ransomware scenario, once the threat has been detected, Microsoft 365 also helps respond and remediate with automation playing a key role in making the response more manageable, accurate, and less time consuming for administration. Microsoft 365 threat protection response and remediation services are shown in figure 1 below.

Ransomware Detection with Microsoft 365
Windows Defender Advanced Threat Protection
Azure Advanced Threat Protection
Microsoft Cloud App Security
Azure Security Center
Office 365 Advanced Threat Protection
Office 365 Threat Intelligence

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

In our ransomware scenario, Windows Defender Advance Threat Protection (WDATP) alerts security operations teams about suspicious activities such as programs launching self-replicating copies. If the ransomware does manage to infect multiple devices, WDATP automatically investigates alerts, applies artificial intelligence to determine whether a threat is real and then decides what action to take. It then automatically remediates the threat from affected endpoints to stop further damage as shown in figure 2.

Figure 2. WDATP automation mapping the propagation of a threat

WDATP provides manual machine level responses, such as isolating a machine to contain the threat. Further, forensic data is collected to better understand the attack and the attacker. WDATP also includes file level response by quarantining or blocking malicious files. Azure Security Center also leverages automation by helping orchestrate these common security workflows:

  • Routing alerts to a ticketing system
  • Applying additional security controls
  • Gathering additional information
  • Asking a user to validate an action
  • Blocking a suspicious user account
  • Restricting traffic from an IP address

Azure Security Center employs behavioral analytics to uncover patterns and malicious activity to enable proactive policies to be set in place to help prevent impact from future attacks. Response times are also improved with expanded signal from Azure Security Centers 3rd party integrations with firewalls and anti-malware engines. While Azure Security Center enables security operations personnel to respond to threats to the enterprise infrastructure, admins can quickly respond to threats to user identities by creating activity policies with Microsoft Cloud App Security (shown in figure 3) which can take the action of suspending a user account when the predefined conditions are met. In our example, the ransomware propagates using the brute force password technique which requires multiple logins, thus login failures from a unique account are likely and this can be a trigger for Microsoft Cloud App Security to suspend an account. One of the powerful benefits of Microsoft Cloud App Security is that it extends protection beyond the Microsoft ecosystem. Even if login attempts are made from popular enterprise applications that are not Microsoft client apps, Microsoft Cloud App Security enables admins to respond to the anomalous activity.

 

Figure 3. Microsoft Cloud App Security General Dashboard

In Microsoft 365, threat response and remediation is offered with Office 365 Threat Intelligence. Using the Threat Explorer feature, security analysts and administrators can search for all instances of potentially malicious emails that may contain ransomware. The back-end is designed for efficient threat investigation and remediation. Emails that are part of a ransomware campaign can easily be discovered using a variety of search filters with the Threat Explorer shown in figure 4. The admin can select all the emails that need to be investigated from a specific sender and choose to take immediate action on potentially malicious emails including: move to junk, move to deleted items, soft delete, hard delete, and move to inbox. Choosing the delete action purges the malicious emails from all tenant mailboxes. There is also the option of creating an incident so that a manager must approve the action.

Figure 4. Office 365 Threat Explorer email remediation actions

Educating end users about ransomware in the modern workplace

We discussed cyber education as an important element for protecting organizations. Having end users who are prepared and informed on spotting potential cyber attacks is a powerful manner to preventing attacks from harming an organization. Attack Simulator, shown in figure 5, is a new feature of Office 365 Threat Intelligence currently in public preview. Among several simulations is the Display Name Spear Phishing Attack. Spear phishing is a subset of phishing, aimed at a specific group, individual, or organization and as we discussed before, a method of spreading ransomware. Attack Simulator harnesses signal from Office 365 Threat Intelligence which provides visibility into an organizations most targeted and potentially most vulnerable users and enables admins to launch simulated threats targeting those very same users. This provides the most targeted users with training on recognizing phish emails which include ransomware and provides admins visibility on how those users behave during an attack, enabling optimal policy updates and security protocols.

Figure 5. Attack Simulator UI

Since the attack surface of the modern workplace is complex and broad, Attack Simulator will begin to offer simulated attacks made through other attack vectors as it moves from preview to GA. Attack Simulator will help raise user awareness and effectiveness at spotting attacks from all the common attack vectors.

Microsoft 365 threat protection

Microsoft has heavily invested in helping secure our customers for many years by building security in our products from the ground up. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously updating advanced security solutions to protect customers from a wide variety of threats and types of attack. In this ransomware scenario, you see as an example, our continued focus on security which provides end users ultimate protection from modern threats, while giving administrators a powerful set of tools to help protect, detect, respond and even educate against these threats. Threat protection is only one key aspect of Microsoft 365. Learn more about Microsoft 365 and understand how it can help your organization through its digital transformation journey. Additionally, follow the links below to learn more about the Microsoft 365 threat protections services and experience them by starting a trial.

Categories: Uncategorized Tags:

Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the box data leakage prevention feature for Windows 10 that can automatically apply protection for work files and data to prevent accidental data leakage. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built right into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP is a key feature that offers much needed data protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In todays security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!). Yet companies still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PC and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that works to prevent accidental data leakage for end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways. Elements like File Ownership are displayed and selectable in Explorer and File Save As dialog. Helpful briefcase icons mark resources when you are in a work context in places like window title bars, and Microsoft Edges navigation bar. Unauthorized applications are blocked from single sign-in with work credentials. WIP also includes the ability to perform selective wipe of business information, while leaving personal data behind.

WIP has three simple policy enforcement modes. It lets you choose how and whether the user experience in the clipboard, save dialog, and similar data-sharing cases have options (overrides) to move work content to non-work context. You can decide to Hide Overrides, Allow Overrides for your users, or even deploy in Silent mode just for auditing. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can get away with configuring less, yet still benefiting from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means when you or your user decides to unenroll their work account from their personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (without enrollment) targeting, MDM (with enrollment), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when youre ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You can do this by configuring your corporate network boundary. Using network isolation policies, you can identify your LAN and corporate cloud resources, which Edge and other applications will use to recognize work sites and encrypt the data that comes from there. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online to ensure that only managed devices can reach that data.

Additionally, WIP Learning lets you see the applications you didnt know are used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or your Windows Analytics portal, if you have Azure Log Analytics (formerly Microsoft Operations Management Suite or OMS). WIP Learning allows you to tune your app policy to add legitimate work apps and even detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe control and auditing, while tuning your app list for different deployment groups in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data coming to the Windows device, but it also pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP, combined with AIP, provides application-level access control capabilities while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIPs simple business vs personal information classification system ensures simplicity and ease of use.

USB flash drives arent the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to guide users to use Outlook with their corporate email account to send work attachments, and SharePoint or OneDrive for Business to collaborate on work documents. This lets you enhance your overall data protection with Office DLP outbound rules, send email notifications, policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management Intune quick setup, WIP Learning for Apps and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved Recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from 3rd party apps such as from Citrix (ShareFile), DropBox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.

More information on Windows Information Protection (WIP) found in the following resources:

The final compliance countdown: Are you ready for GDPR?

On May 25, the General Data Protection Regulation (GDPR) will replace the Data Protection Directive as the new standard on data privacy for all organizations that do business with European Union (EU) citizens.[1]When GDPR goes into effect, government agencies and organizations that control, maintain, or process information involving EU citizens will be required to comply with strict new rules regarding the protection of personal customer data.

GDPRs broad scope and holistic interpretation of personal information leaves these agencies and organizations responsible for protecting a wide range of data types, including genetic and biometric data.[2]Leading up to the GDPR rollout, many companies will be reevaluating their current data storage and sharing methods, and determining whether they need to implement new strategies. More than ever, this regulatory transition highlights the importance of prioritizing a strong and comprehensive security stance within your organization.

According to a recent GDPR benchmarking survey, although 89 percent of organizations have (or plan to have) a formal GDPR-readiness program, only 45 percent have completed a readiness assessment.[3]Regardless of where your organization and its security protocols are in terms of GDPR-readiness, Microsoft can help. Microsoft has been working on GDPR-compliant business and engineering solutions for the better part of a year. Because of our extensive experience developing products with security built-in, weve been a leading voice on privacy and GDPR-related issues with EU regulators.

Weve turned these conversations and insights into a free, four-part video series. Watch the Countdown: Preparing for GDPR series today to hear from industry experts and learn more about Microsofts commitment to helping your organization achieve GDPR-compliance.

You can also read more about our point of view on this transition as the first hyper-scale cloud vendor to offer GDPR terms and conditions in the enterprise space.

Finally, you are invited to a free May 25th GDPR live webcast, Safeguarding individual privacy rights with the Microsoft Cloud. Youll learn how you can:

  • Use GDPR fundamentals to assess and manage you compliance risk.
  • Help protect your customers’ data with our built-in, intelligent security capabilities.
  • Meet your own compliance obligations by streamlining their processes.


[1] https://www.eugdpr.org

[2] https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

[3] https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-nwe-gdpr-benchmarking-survey-november-2017.pdf

Categories: Uncategorized Tags:

Enhancing Office 365 Advanced Threat Protection with detonation-based heuristics and machine learning

Email, coupled with reliable social engineering techniques, continues to be one of the primary entry points for credential phishing, targeted attacks, and commodity malware like ransomware and, increasingly in the last few months, cryptocurrency miners.

Office 365 Advanced Threat Protection (ATP) uses a comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against a wide range of threats. Machine learning technologies, powered by expert input from security researchers, automated systems, and threat intelligence, enable us to build and scale defenses that protect customers against threats in real-time.

Modern email attacks combine sophisticated social engineering techniques with malicious links or non-portable executable (PE) attachments like HTML or document files to distribute malware or steal user credentials. Attackers use non-PE file formats because these can be easily modified, obfuscated, and made polymorphic. These file types allow attackers to constantly tweak email campaigns to try slipping past security defenses. Every month, Office 365 ATP blocks more than 500,000 email messages that use malicious HTML and document files that open a website with malicious content.

Figure 1. Typical email attack chain

Detonation-based heuristics and machine learning

Attackers employ several techniques to evade file-based detection of attachments and blocking of malicious URLs. These techniques include multiple redirections, large dynamic and obfuscated scripts, HTML for tag manipulation, and others.

Office 365 ATP protects customers from unknown email threats in real-time by using intelligent systems that inspect attachments and links for malicious content. These automated systems include a robust detonation platform, heuristics, and machine learning models.

Detonation in controlled environments exposes thousands of signals about a file, including behaviors like dropped and downloaded files, registry manipulation for persistence and storing stolen information, outbound network connections, etc. The volume of detonated threats translate to millions of signals that need to be inspected. To scale protection, we employ machine learning technologies to sort through this massive amount of information and determine a verdict for analyzed files.

Machine learning models examine detonation artifacts along with various signals from the following:

  • Static code analysis
  • File structure anomaly
  • Phish brand impersonation
  • Threat intelligence
  • Anomaly-based heuristic detections from security researchers

Figure 2. Classifying unknown threats using detonation, heuristics, and machine learning

Our machine learning models are trained to find malicious content using hundreds of thousands of samples. These models use raw signals as features with small modifications to allow for grouping signals even when they occur in slightly different contexts. To further enhance detection, some models are built using three-gram models that use raw signals sorted by timestamps recorded during detonation. The three-gram models tend to be more sparse than raw signals, but they can act as mini-signatures that can then be scored. These types of models fill in some of the gaps, resulting in better coverage, with little impact to false positives.

Machine learning can capture and expose even uncommon threat behavior by using several technologies and dynamic featurization. Features like image similarity matching, domain reputation, web content extraction, and others enable machine learning to effectively separate malicious or suspicious behavior from the benign.

Figure 3. Machine learning expands on traditional detection capabilities

Over time, as our systems automatically process and make a verdict on millions of threats, these machine learning models will continue to improve. In the succeeding sections, well describe some interesting malware and phishing campaigns detected recently by Office 365 ATP machine learning models.

Phishing campaigns: Online banking credentials

One of the most common types of phishing attacks use HTML and document files to steal online banking credentials. Gaining access to online bank accounts is one of the easiest ways that attackers can profit from illicit activities.

The email messages typically mimic official correspondence from banks. Phishers have become very good at crafting phishing emails. They can target global banks but also localize email content for local banks.
The HTML or document attachment are designed to look like legitimate sign-in pages or forms. Online banking credentials and other sensitive information entered into these files or websites are sent to attackers. Office 365s machine learning models detect this behavior, among other signals, to determine that such attachments are malicious and block offending email messages.

Figure 4. Sample HTML files that mimic online banking sign in pages. (Click to enlarge)

Phishing campaigns: Cloud storage accounts

Another popular example of phishing campaigns uses HTML or document attachments to steal cloud storage or email account details. The email messages imply that the recipient has received a document hosted in a cloud storage service. In order to supposedly open the said document, the recipient has to enter the cloud storage or email user name and password.

This type of phishing is very rampant because gaining access to either email or cloud storage opens a lot of opportunities for attackers to access sensitive documents or compromise the victims other accounts.

Figure 5. Sample HTML files that pose as cloud storage sign in pages. (Click to enlarge)

Tax-themed phishing and malware attacks

Tax-themed social engineering attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules. These campaigns use various messages related to tax filing to convincer users to click a link or open an attachment. The social engineering messages may say the recipient is eligible for tax refund, confirm that tax payment has been completed, or declare that payments are overdue, among others.

For example, one campaign intercepted by Office 365 ATP using machine learning implied that the recipient has not completed tax filing and is due for penalty. The campaign targeted taxpayers in Colombia, where tax filing ended in October. The email message aimed to alarm taxpayers by suggesting that they have not filed their taxes.

Figure 6. Tax-themed email campaign targeting taxpayers in Colombia. The subject line translates to: You have been fined for not filing your income tax returns

The attachment is a .rar file containing an HTML file. The HTML file contains the logo of Direccin de Impuestos y Aduanas Nacionales (DIAN), the Colombianes tax and customs organization, and a link to download a file.

Figure 7. Social engineering document with a malicious link

The link points to a shortened URL hxxps://bit[.]ly/2IuYkcv that redirects to hxxp://dianmuiscaingreso[.]com/css/sanci%C3%B3n%20declaracion%20de%20renta.doc, which downloads a malicious document.

Figure 8: Malicious URL information

The malicious document carries a downloader macro code. When opened, Microsoft Word issues a security warning. In the document are instructions to Enable content, which executes the embedded malicious VBA code.

Figure 9: Malicious document with malicious macro code

If the victim falls for this social engineering attack, the macro code downloads and executes a file from hxxp://dianmuiscaingreso.com/css/w.jpg. The downloaded executable file (despite the file name) is a file injector and password-stealing malware detected by Windows Defender AV as Trojan:Win32/Tiggre!rfn.

Because Office 365 ATP machine learning detects the malicious attachment and blocks the email, the rest of the attack chain is stopped, protecting customers at the onset.

Artificial intelligence in Office 365 ATP

As threats rapidly evolve and become increasingly complex, we continuously invest in expanding capabilities in Office 365 Advanced Threat Protection to secure mailboxes from attacks. Using artificial intelligence and machine learning, Office 365 ATP can constantly scale coverage for unknown and emerging threats in-real time.

Office 365 ATPs machine learning models leverage Microsofts wide network of threat intelligence, as well as seasoned threat experts who have deep understanding of malware, cyberattacks, and attacker motivation, to combat a wide range of attacks.

This enhanced protection from Office 365 ATP contributes to and enriches the integrated Microsoft 365 threat protection, which provides intelligent, integrated, and secure solution for the modern workplace. Microsoft 365 combines the benefits and security technologies of Office 365, Windows, and Enterprise Mobility Suite (EMS) platforms.

Office 365 ATP also shares threat signals to the Microsoft Intelligent Security Graph, which uses advanced analytics to link threat intelligence and security signals across Office 365, the Windows Defender ATP stack of defenses, and other sensors. For example, when a malicious file is detected by Office 365 ATP, that threat can also be blocked on endpoints protected by Windows Defender ATP and vice versa. Connecting security data and systems allows Microsoft security technologies like Office 365 ATP to continuously improve threat protection, detection, and response.

 

 

Office 365 Threat Research

Here is Homeland Security, black swans, and thwarted cyberattacks

May 9th, 2018 No comments

Last week, I had the honor of addressing The Homeland Security Training Institute (HSTI) at the College of DuPage as part of the HSTI Live educational series. The event featured other prominent speakers at the forefront of cybersecurity defense, including:

Dave Tyson, CEO of CISO Insights, a global cybersecurity consultant and Nicole Darden Ford, Vice President and Chief Information Security Officer of Baxter Healthcare. Dave broke down complex cybersecurity issues making them relatable to the audience, a skill hes also honed through his other business venture, CEO of cybereasylearning.com. Nicole shared her firsthand experiences dealing with the challenges and the successes of a modern CISO in the healthcare industry. Nicole has global responsibility for information security as well as information technology quality compliance and information governance.

I presented findings from the most recent Microsoft Security Intelligence Report v23, diving into themes and specifics behind old and new malware propagated through massive botnets, and phishing, and ransomware attacks. And, importantly, providing advice and guidance on steps organizations can take to help protect themselves and their critical assets.

It was a great set of talks that spawned a lot of interesting dialogs. After the event, I was stopped by someone who asked me why our cyber defenses arent sophisticated enough to stop all cyberattacks before they penetrate our systems. Its a fair question, especially when you consider the substantial amount of annual investment organizations make in hardware, software, and human capital. For example, its not uncommon for regulated and larger businesses to have teams dedicated to 24/7, 365 surveillance and monitoring of their systems. Yet, the bad guys still get in, plant malware, compromise proprietary information, and reveal sensitive customer data.

As I thought more deeply about the question of why we cant stop all attacks, I was reminded of Nassim Nicholas Talebs seminal book The Black Swan: The Impact of the Highly Improbable. Taleb dives into how some negative events, no matter how improbable they are, can cause massive consequences. This is within cybersecurity also as demonstrated by for example WannaCry. The attack cost organizations across the globe billions of dollars and made headlines for weeks! Yet far fewer people have heard of Bad Rabbit, largely because it was identified and stopped by Windows Defender Anti Virus in 14 minutes before it caused widespread damage. Catching new malware isnt easy, but using layered machine learning from device to cloud and sharing that learning across systems rapidly is helping to find and catch new malware more quickly. With Bad Rabbit, after the first device encounter, the cloud protection service used detonation-based malware classification to block the file and protect subsequent users who downloaded the dangerous file.

Another example of rapid intelligent response spoiling a massive attack comes from March of this year. The malware, named Dofoil was a cryptocurrency miner that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Windows Defender AV picked up on behavior-based signals to identify the infection attempts and block more than 80,000 instances of the attack within milliseconds.

What is often overlooked or unseen in all the headlines, is that most of our cyber defenses are deeply effective, especially when you consider the sheer number of attacks enterprises face every day. Its easy to lose sight of this when a devastating attack occurs and controls the news narrative. Microsoft threat data shared from partners, researchers, and law enforcement worldwide gives a clearer picture of the massive scale of data were regularly protecting. In a month, using the Intelligent Security Graph, were analyzing 400 billion emails, scanning 1.2 billion devices and 18 billion Bing web pages while detecting 5 billion threats. Again, Im not suggesting we catch everything malicious as billions of pieces of data and hardware are scanned. We dont. Some malware inevitably gets through our protective layers. But when you consider the scale of attacks, and the prominence of digital products and tools in enterprises, its important to remember that we as an industry of cybersecurity professionals very often get it right. Users all over the world are accustomed to switching on their devices and safely opening hundreds of emails a day, seeing the correct balance in their mobile banking app, and trusting their GPS to accurately guide them from point A to point B. Our digital lives are deeply intertwined with our personal and work lives, and more often than not, they coexist in harmony.

In sum, its true; the cybersecurity industry cannot claim the ability to stop all cyberattacks. But lets not overlook all of the attacks that are detected and prevented every day. The hardworking cybersecurity professionals, the same ones I shared the stage with at The Homeland Security Training Institute at the College of DuPage, are advancing our capabilities to thwart cybercrimes every day. Yes, weve got work to do, this is an ongoing battle, but the wins and ongoing work deserve to be recognized too.

Categories: Uncategorized Tags:

Securing the modern workplace with Microsoft 365 threat protection – part 3

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Detecting ransomware in the modern workplace

Over the last two weeks, we have shared with you the roots of Microsoft 365 threat protection and how Microsoft 365 threat protect helps protect the modern workplace from ransomware. This week, we discuss how Microsoft 365 threat protection helps detect ransomware in the modern workplace. Detection is critical for any best in class security solution especially when the person does not use Microsoft Edge with the benefits of its web protection. In our web-based scenario, the user can access the website through another browser, download the “software update” and infect their machine with ransomware. Microsoft 365 offers detection capabilities across all threat vectors and figure 1 summarizes the services which help to detect threats.

Ransomware Detection with Microsoft 365
Windows Defender Advanced Threat Protection
Azure Advanced Threat Protection
Microsoft Cloud App Security
Azure Security Center
Office 365 Advanced Threat Protection
Office 365 Threat Intelligence

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

For example, with ransomware downloads from the web, Windows Defender ATPs (WDATP) next-gen antivirus protection does an initial analysis of the file and sends all suspicious files to a detonation chamber. The file verdict is quickly determined. If a malicious verdict is returned, WDATP immediately begins blocking the threat. Todays most sophisticated ransomware is designed to spread laterally across networks increasing its potential impact. Fortunately, WDATP enables security operations specialists to isolate machines from the network, stopping threats from spreading. Also, WDATP provides granular visibility into the device ecosystem so that a compromised device can be easily identified. Built-in threat intelligence is leveraged to help detect the latest threats and provide real-time threat monitoring. As we alluded to, signal sharing via the intelligent security graph is a powerful differentiator of Microsoft 365, enabling threat detection across any threat vector. Once WDATP determines the downloaded files are malicious, it shares this signal with the Intelligent Security Graph enabling our other platforms to become aware of the threat.

The seamless integration, for example, allows admins to pivot directly from the device analysis in WDATP to user profiles in Azure ATP without losing context allowing a detailed investigation of the incident as shown in Figure 2 below.

Figure 2. Signal sharing and event timeline shared between WDATP and Azure ATP

Often, ransomware uses a brute force password method to move laterally through a network which our Azure ATP service is specifically designed to detect. A brute force password attack may attempt multiple logins until a correct password is used to enter an account. This anomalous behavior would be detected by Azure ATP and with signals shared from WDATP, the anomaly would be quickly assigned to the ransomware and blocked from being downloaded onto any part of the network (device, user, etc). Azure ATP enables security operations analysts to investigate the type of intrusions and methods used by attackers to gain privileged access to user identities and provides a clear attack and event timeline. While Azure ATP detects anomalies at the network level, Microsoft Cloud App Security can detect abnormal file and user behavior within native Microsoft cloud apps such as Office 365, as well as third-party cloud applications. To detect ransomware attacks, Microsoft Cloud App Security identifies behavioral patterns that reflect ransomware activity; for example, a high rate of file uploads or file deletion activities, coupled with threat intelligence capabilities, such as the detection of known ransomware extensions. Microsoft Cloud App Security will alert on these abnormalities using anomaly detection policies that provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities, as well as fully customizable activity policies, enabling SecOps to detect these anomalies instantly. Learn more about how Microsoft Cloud App Security and Azure ATP work in tandem to help detect an actual ransomware attack.

Azure Security Center is also connected with WDATP and provides infrastructure level alerts and even provides an investigation path so admins can fully view the threat propagation details. The service includes threat intelligence which maps the threat source and provides the potential objectives of the threat campaign. What happens if an attacker senses that the web-based attack vector is being blocked and pivots to sending the ransomware via email as an attachment download? Microsoft 365 integration is again crucial as WDATP also shares the signal with Office 365 and once our ransomware is identified by WDATP, Office 365 will begin blocking the threat too. With Office 365 ATPs real-time reporting and Office 365 threat intelligence, admins gain full visibility into all users who receive ransomware via email. Both Office ATP and Office threat intelligence services also track threats found in SharePoint Online, OneDrive for Business, and Teams so detection extends to the entire Office 365 suite. With Microsoft 365 threat protection, threats can be easily detected no matter how an attack is launched. Figure 3 shows the new Microsoft 365 Security and Compliance Center which is the hub from where admins can access the information from the different services.

Figure 3. Microsoft 365 Security and Compliance center which connects the Azure, Office 365, and Windows workloads

Next week we conclude our Microsoft 365 threat protection blog series by covering the remediation and education capabilities offered by Microsoft 365 threat protection. We will demonstrate how Microsoft 365 threat protection workloads can help quickly remediate a ransomware attack and also help educate end users on how to behave and react when under attack.


More blog posts from this series:

Categories: Uncategorized Tags: