
Modern browsers are closing the door on Java exploits, but some threats remain

September 26th, 2016

Was 2015 the year the industry finally eradicated Java exploitation? Well, not quite, but the good news is we’re getting there.

It should be no surprise that encounters with Java exploits continued to decrease significantly in the second half of 2015: all of the most commonly encountered exploits target vulnerabilities that were addressed with security updates years ago. While Java was once the vehicle of choice for attackers, modern browser technologies have rendered such exploits largely ineffective.

The good news for IT security teams is that they can now concentrate more resources on emerging threats like those that have been targeting Adobe Flash. Despite the positive trend, organizations cannot ignore the threat of Java exploits entirely. As you can see in the graph below, some of the more common Java-based threats are still out there. While they are occurring much less frequently than they were years ago, organizations still need to ensure they are protected.

The fact that these numbers continue to decline is likely due to several important changes in the way web browsers evaluate and execute Java applets. The default web browser in Windows 10 is Microsoft Edge, which does not support Java or other ActiveX plug-ins at all. This in effect eliminates the possibility of Java exploits being delivered within the browser.

Other browsers are also built to eliminate or mitigate exploits:

  • As of September 1, 2015, Google Chrome, citing security concerns, stopped supporting the NPAPI plug-in architecture that many Java applets rely upon. Like Edge, Chrome no longer works with most Java-based plug-ins.
  • Mozilla Firefox currently allows users to disable Java applets by deselecting “Enable JavaScript” under its Content tab, and has announced that it will also discontinue NPAPI support by the end of 2016.
  • Internet Explorer 11 provides a mechanism to validate that a webpage is safe before allowing embedded Java applets. Further updates to Internet Explorer released in 2014 hardened the browser against Java exploitation by reducing use-after-free exploits and blocking out-of-date ActiveX controls.

Persistent threats

The fact that new browsers are flexing muscles in the security space is good news, but the bad news is that some threats still persist. The chart above shows that each of these exploits is in decline, but they are all risks that security teams should be aware of, especially where there are out-of-date Java installations:

  • CVE-2012-1723. This is the most common individual Java exploit we encountered in late 2015, and one we discussed way back in 2012. It works by tricking the Java Runtime Environment (JRE) into treating one type of variable like another type. Oracle confirmed the existence of the vulnerability in June 2012, and addressed it the same month with its June 2012 Critical Patch Update. The vulnerability was observed being exploited in the wild beginning in early July 2012, and has been used in a number of exploit kits.
  • CVE-2010-0840 is a JRE vulnerability that was first disclosed in March 2010 and addressed by Oracle with a security update the same month. The vulnerability was previously exploited by some versions of the Blackhole exploit kit (detected as JS/Blacole), which has been inactive in recent years.
  • CVE-2012-0507 allows an unsigned Java applet to gain elevated permissions and potentially have unrestricted access to a host system outside its sandbox environment. The vulnerability is a logic error that allows attackers to run code with the privileges of the current user, which means that an attacker can use it to perform reliable exploitation on other platforms that support the JRE, including Apple Mac OS X, Linux, VMWare, and others. Oracle released a security update in February 2012 to address the issue.
  • CVE-2013-0422 first appeared in January 2013 as a zero-day vulnerability. It is a package access check vulnerability that allows an untrusted Java applet to access code in a trusted class, which then loads the attacker’s own class with elevated privileges. Oracle published a security update to address the vulnerability on January 13, 2013. More information about CVE-2013-0422 is available here.
  • In addition, Obfuscator is a generic detection for programs that have been modified by malware obfuscation, often in an attempt to avoid detection by security software. Files identified as Java/Obfuscator can represent exploits that target many different Java vulnerabilities.

For a thorough analysis on the state of malware in the latter half of 2015, take a look at our latest Security Intelligence Report. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Hacks for sale: Exploit kits provide easy avenue for unskilled attackers

September 19th, 2016

One of the most common cyber-attack vehicles we’ve seen over the years involves so-called “exploit kits.” These are collections of exploits bundled together and sold as commercial software or as a service.

A typical kit includes a collection of web pages with exploits for several vulnerabilities in popular web browsers, browser add-ons, or other types of software. When an attacker installs the kit on a web server, visitors to the attacker’s malicious webpage who don’t have appropriate security updates installed are at risk of their computers being compromised through drive-by download attacks.

One reason exploit kits are so dangerous to both consumers and businesses is that an attacker needn’t be a skilled hacker to use one. Prospective attackers can buy or rent exploit kits on malicious hacker forums and other outlets. Lower-skilled attackers can use the kits to perform sophisticated attacks, which is one reason they have become so widespread over time. In fact, exploit kits accounted for four of the ten most commonly encountered threats during the second half of 2015 according to our 2016 Trends in Cybersecurity e-book.

What can you do to protect your organization?

To protect your organization, it’s important that your security teams understand which exploits and exploit kits are being used most often by attackers. The graphic below shows the most frequently encountered exploits noted in our latest Security Intelligence Report, and we detail three of the more common exploits, and the kits they are a part of, below.

Most frequently encountered exploits noted in our latest Security Intelligence Report


Exploit Kit: Axpergle
A.K.A.: Angler

Axpergle is the most commonly encountered exploit and is associated with the Angler exploit kit. It targets Internet Explorer, Adobe Flash Player and Java. Exploit kit authors frequently change the exploits included in their kits in an effort to stay ahead of software publishers and security software vendors. Exploits targeting zero-day vulnerabilities — those for which no security update has yet been made available by the vendor — are highly sought after by attackers, and the Axpergle authors added several zero-day Flash Player exploits to the kit in 2015.

Exploit Kit: HTML/Meadgive

Other exploit kits were encountered at much lower levels. Encounters involving the RIG exploit kit (also known as Redkit, Infinity, and Goon, and detected as HTML/Meadgive) more than doubled from summer to fall of 2015, but remained far below those involving Angler.

Exploit Kit: Win32/Anogre
A.K.A.: Sweet Orange

Encounters involving the Sweet Orange kit (detected as Win32/Anogre), the second most commonly encountered exploit kit in the first quarter of 2015, decreased to negligible levels by the end of the year.

Take the first step — Keep software up to date

Keeping your software up to date is one of the most effective defenses against exploit kits and their ever-evolving attacks.

To keep up with all the latest news about exploit kits, as well as viruses, malware and other known threats, make sure to bookmark the Microsoft Malware Protection Center blog for frequent updates. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download the 2016 Trends in Cybersecurity e-book.

Keep Microsoft software up to date — and everything else too

September 14th, 2016

Many of the CIOs and CISOs I talk to have, over time, developed mature vulnerability assessment methodologies and security updating processes. But frequently, I find that the focus of these processes is squarely on keeping Microsoft operating systems and browsers up to date. Of course, vulnerabilities in popular operating systems or browsers have the potential to affect a broad audience. Another reason for this focus is that Microsoft has made updating relatively easy by offering updates via Windows Update, Microsoft Update, and tools like Windows Server Update Services.

But data from our latest Security Intelligence Report suggests that customers need to keep all of their software up-to-date, not just Microsoft software.

In the last half of 2015 there were nearly 3,300 vulnerability disclosures across the industry, of which 305 were in Microsoft products. With more than 90 percent of reported vulnerabilities occurring outside the Microsoft portfolio, organizations need to monitor their entire technology stack to minimize their risk.

Microsoft products accounted for less than 10 percent of industrywide vulnerabilities in the second half of 2015.


This is consistent with previous years as well. The software industry worldwide includes thousands of vendors, and historically, vulnerabilities for Microsoft software have accounted for between three and ten percent of disclosures in any six-month period.

To find out what’s happening in the world of software vulnerabilities across your IT environment, take some time to review our latest Security Intelligence Report and the information available through the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

As strong as your weakest link: A look at application vulnerability

September 6th, 2016

When it comes to patching and updating software vulnerabilities, operating systems and web browsers seem to get all the love.

But in reality, vulnerabilities in those two types of software usually account for a minority of the publicly disclosed vulnerabilities published in the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data.

Where are the rest of the vulnerabilities? The majority are in applications (i.e. software that doesn’t ship as part of operating systems or browsers), and unless you’re spending time protecting those too, your application layer could be a big chink in your IT armor. CIOs, CISOs and their security teams need to focus on assessing and patching known vulnerabilities in all business apps, or they could in fact be missing the bulk of the vulnerabilities that exist in their environments.

Vulnerabilities in applications other than web browsers and operating system applications accounted for 44.2% of all disclosures in the second half of 2015.


But separating core OS applications and web browsers from the rest of the application layer can be a bit murky. Comparing vulnerabilities that affect a computer’s operating system to vulnerabilities that affect other components, such as applications and utilities, requires a determination of whether the affected component is part of an operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems.

For example, some programs (like photo editors) ship by default with operating system software, but can also be downloaded from the software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing.

To help companies navigate this issue and facilitate analysis of operating system and browser vulnerabilities, the Microsoft Security Intelligence Report distinguishes among four different kinds:

  • Core operating system vulnerabilities are those with at least one operating system platform enumeration in the NVD that do not also have any application platform enumerations.
  • Operating system application vulnerabilities are those with at least one OS platform enumeration and at least one application platform enumeration listed in the NVD, except for browsers.
  • Browser vulnerabilities are those that affect components defined as part of a web browser, including web browsers such as Internet Explorer and Apple’s Safari that ship with operating systems, along with third-party browsers such as Mozilla Firefox and Google Chrome.
  • Other application vulnerabilities are those with at least one application platform enumeration in the NVD that do not have any OS enumerations, except for browsers.
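The four-way split above can be applied mechanically to NVD records using the CPE platform enumerations attached to each entry. The following is an added example, not code from the Security Intelligence Report or from NVD; it assumes CPE 2.3 formatted strings (part "o" for an operating system enumeration, "a" for an application enumeration), a hand-maintained browser product list standing in for the report's browser definition, and constructed sample records with placeholder ids.

```python
from collections import Counter

# Hand-maintained (vendor, product) pairs standing in for the report's own
# definition of "components defined as part of a web browser" (assumption).
BROWSER_PRODUCTS = {
    ("microsoft", "internet_explorer"),
    ("microsoft", "edge"),
    ("apple", "safari"),
    ("mozilla", "firefox"),
    ("google", "chrome"),
}


def parse_cpe23(cpe):
    """Return (part, vendor, product) from a CPE 2.3 formatted string.

    Assumes the plain "cpe:2.3:<part>:<vendor>:<product>:..." layout with
    no escaped colons inside the vendor or product fields.
    """
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    part, vendor, product = fields[2], fields[3], fields[4]
    if part not in ("a", "o", "h"):
        raise ValueError(f"unknown CPE part {part!r} in {cpe!r}")
    return part, vendor.lower(), product.lower()


def classify(cpes):
    """Map one vulnerability's platform enumerations to a report category.

    The browser test runs first because both the "operating system
    application" and "other application" definitions exclude browsers.
    """
    has_os = has_app = has_browser = False
    for cpe in cpes:
        part, vendor, product = parse_cpe23(cpe)
        if part == "o":
            has_os = True
        elif part == "a":
            has_app = True
            if (vendor, product) in BROWSER_PRODUCTS:
                has_browser = True
    if has_browser:
        return "browser"
    if has_os and has_app:
        return "os_application"
    if has_os:
        return "core_os"
    if has_app:
        return "other_application"
    return "unclassified"  # hardware-only enumerations or an empty list


def share_by_category(records):
    """Return each category's percentage share (one decimal) of all records."""
    counts = Counter(classify(cpes) for cpes in records.values())
    total = sum(counts.values())
    return {cat: round(100.0 * n / total, 1) for cat, n in counts.items()} if total else {}


# Constructed sample records keyed by placeholder ids (not real NVD data).
SAMPLE_RECORDS = {
    "SAMPLE-01": ["cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*"],
    "SAMPLE-02": ["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],
    "SAMPLE-03": ["cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*"],
    "SAMPLE-04": ["cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"],
    "SAMPLE-05": ["cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:example:photo_editor:*:*:*:*:*:*:*:*"],
    "SAMPLE-06": ["cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*"],
    "SAMPLE-07": ["cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*"],
    "SAMPLE-08": ["cpe:2.3:a:example:accounting_suite:*:*:*:*:*:*:*:*"],
    "SAMPLE-09": ["cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*"],
    "SAMPLE-10": ["cpe:2.3:h:example:router:*:*:*:*:*:*:*:*"],
}

if __name__ == "__main__":
    for vuln_id, cpes in SAMPLE_RECORDS.items():
        print(f"{vuln_id}: {classify(cpes)}")
    print(share_by_category(SAMPLE_RECORDS))
```

Records whose only enumerations are hardware ("h") fall outside the report's four categories, so the classifier reports them separately rather than silently folding them into "other application".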

With those distinctions in mind, the latest SIR reports that disclosures of vulnerabilities in applications decreased in the second half of 2015, but remained the most common type of vulnerability during the period, accounting for 44.2 percent of all disclosures — a big number that any organization’s security team should be paying attention to.

Meanwhile, the other categories are important too. Core operating system vulnerability disclosures increased dramatically from the first half of the year, moving into second place at 24.5 percent. Operating system application disclosures decreased slightly to account for 18.6 percent, while browser disclosures increased by more than a third to account for 12.8 percent.

The key to keeping any organization safe is to stay on top of all disclosures, no matter which part of the stack they belong in. To stay on top of possible vulnerabilities across your software stack, take a look at our latest Security Intelligence Report and the information available through the NVD. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Rise in severe vulnerabilities highlights importance of software updates

August 17th, 2016

In the context of computer security, vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of either the software itself or the system it’s running on. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user’s knowledge. The effects of this can range from the annoying (experiencing unwanted pop-up ads) to the catastrophic (leaking sensitive customer information).

For this reason, disclosing vulnerabilities to the public as they are found is an important part of the software industry. It’s an effort that goes well beyond the software companies who develop the code. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators.

Attackers and the malware they create routinely attempt to use unpatched vulnerabilities to compromise and victimize organizations, so it’s imperative that CIOs, CISOs and the rest of an organization’s security team pay close attention to disclosures as they are announced. Doing so can help the security team understand if their IT environment is at increased risk, and whether putting new mitigations in place is warranted.

Industry-wide vulnerability disclosures each half year into the second half of 2015


This year the importance of tracking disclosures was highlighted as vulnerability disclosures across the industry increased 9.4 percent between the first and second half of 2015, to almost 3,300.

Even more troubling, disclosures of high-severity vulnerabilities increased 41.7 percent across the industry in the second half of 2015, to account for 41.8 percent of the total — the largest share for such vulnerabilities in at least three years.

These are the vulnerabilities that security teams dread as they enable attackers to gain easy access to software, PCs, devices, and servers. For organizations that work with sensitive customer data or that must comply with security regulations to maintain contracts, the results of such an infection are potentially dire.

Vendors with a known vulnerability in their products will generally issue a patch to close the door, so staying abreast of those updates is a critical concern for security professionals. With over 6,000 vulnerabilities publicly disclosed per year across the industry, it’s important that organizations assess all software in their IT environment and ensure that it is updated.

For an analysis of vulnerabilities disclosed in the latter half of 2015, take a look at our latest Security Intelligence Report and the information available through the NVD. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Learn more at Microsoft Secure.


Announcing Azure Information Protection

June 22nd, 2016

For most of the enterprise customers that I have talked with over the years, one of the most challenging aspects of data protection for their organization has been data classification. But the majority of these customers readily agree that data classification is key to effectively protecting their organization’s most important data and enabling their mobile and cloud security strategies.

Microsoft has been working to help customers with this common challenge. Today, a new product that combines Azure Rights Management and capabilities from Microsoft’s recent acquisition of Secure Islands, has been unveiled. It’s called Microsoft Azure Information Protection.

Please check out all the details on the Enterprise Mobility & Security blog.

Tim Rains

Director, Security


What’s Been Happening in the Threat Landscape in the European Union

June 14th, 2016

Recently, I had the opportunity to visit customers in several countries in the European Union (EU). The threat landscape in the EU has been changing rapidly, and in some unpredictable ways. I thought it was time to share some new insights based on data from the latest volume of the Microsoft Security Intelligence Report.

I have written about the threat landscape in the EU many times in the past. If you are interested in reading some of these previously published articles, here’s a partial list:

  • The Latest Picture of the Threat Landscape in the European Union – part 1
  • The Latest Picture of the Threat Landscape in the European Union – part 2
  • The Latest Picture of the Threat Landscape in the European Union – part 3
  • Ransomware is on the Rise, Especially in Europe
  • The Threat Landscape in the European Union at RSA Conference Europe 2013
  • European Union check-up: Locations with Lowest Infection Rates in the EU and What We Can Learn From Them
  • European Union Check-Up: Malicious Websites Hosted in the EU
  • European Union check-up: Romania still tops the list of most infected in the EU
  • Cyber-Threats in the European Union: First Half 2012
  • Cyber-Threats in the European Union
  • The Threat Landscape Shifts Significantly in the European Union – Part 1
  • The Threat Landscape Shifts Significantly in the European Union – Part 2
  • The Threat Landscape Shifts Significantly in the European Union – Part 3

Let’s start by looking at the locations in the EU with the lowest and highest malware encounter rates (ER). ER is the percentage of computers running Microsoft real-time security software that report detecting malware or unwanted software during a given period of time. The worldwide average ER in the fourth quarter of 2015 was 20.8%. As Figure 1 illustrates, the “usual suspects” have the lowest ERs in the EU including Finland (8.6%), Sweden (11.4%), and Denmark (11.7%).

Figure 1: Locations in the EU with the lowest encounter rates in the fourth quarter of 2015 (4Q15)

Figure 2 shows us that the locations with the highest ERs in the EU include Romania (31.3%), Bulgaria (29.8%), and Croatia (27.5%). As high as the ERs for these locations were in the fourth quarter of 2015, they were significantly lower than the countries/regions with the highest ERs in the world during the same period. These locations include Pakistan (63.0%), Indonesia (60.6%), the Palestinian Territories (57.3%), and Bangladesh (57.2%).

Figure 2: Locations in the EU with the highest encounter rates in the fourth quarter of 2015 (4Q15)

You might have noticed the upward ER trend in figures 1 and 2. This upward trend is even more pronounced when looking at the malware infection rates in the region, as seen in figures 3 and 4; these count systems that encountered malware and were successfully infected, a measure called computers cleaned per mille (CCM). The worldwide average infection rate in the fourth quarter of 2015 was 16.9 systems infected with malware for every 1,000 scanned by the Malicious Software Removal Tool (MSRT), or 1.69% of the 600 to 700 million systems the MSRT executes on each month. The worldwide infection rate almost tripled from the same period a year earlier. The average infection rate for the 28 countries/regions in the EU during the same period was a CCM of 21.1, or 2.1%. This is a CCM increase of 15.5 from a year earlier.

Figure 3: Locations in the EU with the lowest malware infection rates (CCM) in the fourth quarter of 2015 (4Q15)

Even locations with consistently low malware infection rates saw large increases between the third and fourth quarters of 2015. As seen in Figure 3, Finland’s CCM, for example, nearly quadrupled in the fourth quarter. Figure 4 illustrates the locations with the highest infection rates in the EU, which include Romania (36.4), Croatia (35.2), and Spain (34.0), while the worldwide average was 16.9. For context, the locations with the highest CCMs in the world during the same period include Mongolia (93.3), Libya (85.3), and the Palestinian Territories (80.0).

Figure 4: Locations in the EU with the highest malware infection rates (CCM) in the fourth quarter of 2015 (4Q15)

You are probably wondering what caused such a rapid increase in infection rates in the EU and worldwide. It would be easy to believe that the threat landscape just got a whole lot worse, but that’s not really the case. Every month, the Microsoft Malware Protection Center typically adds detection capabilities to the MSRT for one or more new families of malware that researchers believe are globally prevalent. Then the MSRT executes on 600 to 700 million systems worldwide. If researchers were correct about the families they added to the MSRT, the MSRT will clean the newly added threats from systems infected with those threats around the world.

Sometimes, as in the fourth quarter of 2015, one of the threats they added detection for is really prevalent and gets cleaned from lots of systems. The worldwide infection rate increased 175.9 percent in the final quarter of 2015, from a CCM of 6.1 in the third quarter to 16.9 in the fourth quarter. Almost all of this increase was due to Win32/Diplugem, a browser modifier that shows extra advertisements as the user browses the web. The CCM for Diplugem alone in 4Q15 was 11.7, nine times as high as the CCM for the next most prevalent family, Win32/Gamarue.

As seen in Figure 5, detection for Win32/Diplugem was added to the MSRT in the fourth quarter, and it was removed from more computers in the EU in 4Q15 than any other family by a significant margin. In the EU, Win32/Diplugem was removed from 15.4 computers for every 1,000 computers the MSRT executed on in the fourth quarter, or 1.54% of systems.

Figure 5: The top 10 families of threats cleaned by the MSRT in the EU during the fourth quarter of 2015

One other threat family I will call your attention to is Win32/CompromisedCert. This is the third threat family listed in the top threats cleaned in the EU, in Figure 5. This is a detection for the Superfish VisualDiscovery advertising program that was preinstalled on some Lenovo laptops sold in 2014 and 2015. It installs a compromised trusted root certificate on the computer, which can be used to conduct man-in-the-middle attacks on the computer. This threat was cleaned consistently on systems in the EU throughout 2015. I was surprised to see Win32/CompromisedCert on the top 4 list of threats cleaned in locations like the UK, Germany and the Netherlands.

Almost everyone I talked to during my recent trip to some locations in the EU was concerned about Ransomware. I wrote an article on Ransomware recently that provides some good context on this type of threat: Ransomware: Understanding the Risk. The data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware.

In the EU, 18 of the 28 countries had Ransomware encounter rates above the worldwide average as Figure 6 illustrates. Systems in Portugal and Italy encountered Ransomware more than any other locations in the EU. This isn’t surprising – I wrote that Ransomware was on the rise, especially in Europe, years ago. The good news is that Ransomware is one of the least encountered threats in the EU as Figure 7 illustrates.

Figure 6: Ransomware Encounter Rates in the EU during the fourth quarter of 2015

Figure 7 shows us which locations in the EU have the highest and lowest encounter rates across different threat categories. The numbers in red are the highest ERs for that threat category, while the numbers in pink are above the worldwide average. The numbers that aren’t shaded are the lowest ERs for that threat category and are below the worldwide average. With this data, I find it especially noteworthy that every location in the EU, with the exception of Finland, had encounter rates for Exploits above the worldwide average, in many cases two or three times higher. A contributing factor is that the Angler exploit kit (JS/Axpergle) was one of the most encountered threats in the EU in 2015, being encountered by more than 1% of systems in the fourth quarter of 2015.

Figure 7: Encounter Rates for Threat Categories in the EU during the fourth quarter of 2015

From drive-by download URL data provided by Bing, Slovakia and Cyprus hosted the highest number of drive-by download pages per 1,000 URLs in the EU, as seen in Figure 8.

Figure 8: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2015, per 1,000 URLs in each country/region

Guidance to Protect Your Organization

Based on the specific threats we see in the EU, let me give you some guidance to help protect your organization.

  • Security Updates: given that most locations in the EU have above-average Exploit encounter rates and that the Angler exploit kit (JS/Axpergle) is a top threat encountered in the region, it’s critical for organizations to keep all software up to date with the latest security updates. This isn’t just your Microsoft software; it includes software from Adobe, Oracle, and every other vendor your organization procures software from. If you have vendors that don’t provide you with security updates, your organization isn’t getting its money’s worth. Data from the new Security Intelligence Report on industry vulnerability disclosures shows us that there were 6,384 vulnerabilities disclosed across the industry in 2015 alone, which is a typical year. Organizations need to patch all of those vulnerabilities in their environment to protect themselves from the high level of exploit activity in the EU. Demand security updates from all of your vendors.
  • Up-to-date Anti-Malware Software: don’t let security experts convince you that anti-virus software is a waste of time. No software or hardware can protect your organization from all current and future threats. But running up-to-date anti-malware software from a trusted vendor will protect your organization from millions of current and future threats. We know from many studies over the years, using data from hundreds of millions of systems around the world, that systems running current anti-malware solutions have significantly lower malware infection rates than those that don’t (as seen in Figure 9).
    Figure 9: Infection rates for protected and unprotected computers in 2015
  • Ransomware: if you are trying to evaluate the risk to your organization that Ransomware poses, keep calm and stay vigilant; this is a low probability, high impact threat where there are numerous mitigations available. The best mitigation is maintaining current offline backups for critical data. Check out these two articles: Ransomware: Understanding the Risk, How to Deal with Ransomware.
  • Malicious Websites: one of the best ways organizations can protect their users from malicious and compromised websites is by mandating the use of web browsers with appropriate protection features built in and by promoting safe browsing practices. For in-depth guidance, see this article.
  • Modern Operating Systems and Browsers: the latest data clearly shows us that using a modern operating system, like Windows 10, and a modern browser, like Microsoft Edge, provides significant protection against the type of modern day threats I discussed in this article. If you haven’t done so yet, evaluate these newer products versus the older products your organization might be using. On older operating systems, like Windows 7, use the Enhanced Mitigation Experience Toolkit (EMET), if possible, to minimize exploitation of vulnerabilities in the software in your environment. See for more information.
  • Regional Security Experts’ Advice: there are six things that security experts in the consistently least infected countries/regions in the world (like Finland) tell us help them. Here’s the list:
    • Strong public – private partnerships that enable proactive and response capabilities
    • CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
    • An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
    • Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region is effective
    • Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
    • Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low

This was a long article, but I hope it was worth the time you spent reading it. You can get more details on every country/region in the EU and almost a hundred more locations, by visiting and clicking on Regional Threat Assessment.

Tim Rains
Director, Security

Dream Team for Moving to the Cloud

June 9th, 2016 No comments

The U.S. men’s basketball team’s defeat at the 1988 Summer Olympics, where it placed third in a tournament the U.S. should unquestionably have dominated, renewed calls to use professional athletes in the games. The following year it was agreed, and U.S. basketball asked the NBA to supply players for the upcoming 1992 games in Barcelona. The Dream Team was assembled. What followed was a phenomenon like no one had anticipated. Of course the team swept the games and earned Olympic gold. The games, and the game of basketball, have never been the same.

What if your organization’s move to the cloud could be just as game-changing? To make it so, you need to assemble your own Dream Team for making the move. Who’s your Michael Jordan or Magic Johnson? Larry Bird? Or your Charles Barkley at the table for moving to the cloud?

Getting a team of the right players together from the outset, to discuss and debate the move all at the same time, can dramatically accelerate the discussion and get your business to the cloud sooner. I have talked to many, many customers over the years about adopting cloud services. Very often these conversations would uncover security blockers that were preventing enterprise customers from adopting the cloud. What I discovered after so many great meetings is exactly who needs to be on the Dream Team:

  • Your chief information security officer (CISO) or highest ranking security role in the organization. This person is responsible for defining the security policy, and signing off on the cloud security plan.
  • The chief information officer is the center on the team. This role helps balance the business realities with all the things the CISO and vice president of infrastructure might be concerned about, as well as ensuring legal sign off.
  • Chief privacy officer, or highest ranking privacy role. This person is responsible for your organization’s privacy policy. Privacy and security are typically two top-of-mind topics when organizations initially evaluate moving to the cloud, as well as two of the main principles of Microsoft’s Trusted Cloud.
  • Your organization’s general counsel, or highest ranking attorney. Because, let’s face it, very little is going to happen if legal doesn’t approve it. The attorneys who ultimately approve an organization’s cloud service contracts need to understand the roles and shared responsibilities between cloud service providers and their organization in order to understand the risks that might be important to the organization.
  • If the IT infrastructure team is separate from any of the teams led by the aforementioned leaders, be sure to include their leader as well because they will likely be part of the deployment. If their questions aren’t addressed up front, early in the evaluation process, the organization might procure a cloud service, but deployment could face lengthy delays.
  • In regulated industries, the highest ranking compliance officer also needs to be included. Ensuring that your organization’s compliance obligations are met by the cloud service(s) you are planning to use typically isn’t optional. Bringing your compliance officer on your cloud evaluation journey will help accelerate the process.

Getting this team into a room together, likely more than once, gets key questions answered quickly. It will also help the evaluation process stay on course if one of the organization’s leaders should change roles or leave the organization.

Magic Johnson famously commented after the 1992 Olympics, “I look to my right, there’s Michael Jordan … I look to my left, there’s Charles Barkley or Larry Bird … I didn’t know who to throw the ball to!” Everyone on your Cloud Dream Team has a key stake in the move. Frankly, many at the table are wondering what the other thinks, so it is best to get it all out in the open. This will eliminate second-guessing and accelerate getting all the answers to key questions. The longer it takes to get the team using the same play book, the harder it will be to start winning.

One factor in conversations about trusting the cloud that often gets overlooked is innovation. Security, privacy and compliance are very important considerations when evaluating cloud services. But, for those organizations already using the cloud, the pace of innovation they see compared with their own datacenters is typically one of the biggest benefits they tell me about. Don’t underestimate the importance of innovation, around security for example, when evaluating cloud services. Check out the number of security-related offerings on Microsoft’s cloud platform road map at any given time and you might be pleasantly surprised. The younger, up-and-coming companies I have talked with aren’t encumbered by an on-premises IT legacy. If you are watching the up-and-comers in your industry and others, like Michael Jordan studied the game tapes of the competition in the 1992 Olympics, you’ll notice that they are not held back by an on-premises past. For them there is no question about the clear advantages of a mobile-first, cloud-first world. These young organizations are far ahead in this regard.

So who’s on your Dream Team? Start assembling them and preparing to take advantage of the benefits of the cloud. To learn more, visit our Trusted Cloud website.

Tim Rains
Director, Security

Categories: Cloud Computing Tags:

#AzureAD a leader in the 2016 Gartner IDaaS MQ!

June 7th, 2016 No comments

Gartner released their Magic Quadrant for Identity and Access Management as a Service (IDaaS) for 2016 and Azure Active Directory was placed in the “Leaders” quadrant.

Microsoft is the only vendor in the Leaders quadrant across Gartner’s Magic Quadrants for IDaaS, Cloud Infrastructure as a Service (IaaS), Server Virtualization, Application Platform as a Service, Cloud Storage Services, and as a leader across the data platform and productivity services.

More details available on the Active Directory Team Blog.

Tim Rains
Director, Security

Categories: Uncategorized Tags:

What do Goldie Hawn, Kobe Bryant, Al Gore, Jessica Alba, Tony Blair, Wayne Gretzky, and Microsoft’s Tim Rains all have in common? The Milken Institute Global Conference 2016

May 20th, 2016 No comments


A couple of weeks ago I was very honored to participate in a panel at the Milken Global Conference. This was an excellent event with a true C-suite audience in attendance. The list of speakers at this event was unbelievable.

The panel I participated on was called “Cyber Resilience: New Line of Defense for Business.” We discussed many topics including the current state of the threat landscape and available security mitigations, communicating effectively with boards of directors on security risks and mitigations, supply chain security challenges, the shortage of security talent across the industry, and others.

You can watch a video of this panel and get details on all the panelists here.

Tim Rains
Director, Security

Categories: cybersecurity Tags:

Protecting Identities in the Cloud: Mitigating Password Attacks

May 5th, 2016 No comments

We just released a new volume of the Microsoft Security Intelligence Report. Included in the report, for the first time, is security data from the Microsoft cloud that reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers.

In November we outlined Microsoft’s new approach to how we Protect, Detect and Respond to security threats. We have been evolving our ability to get real-time insights and predictive intelligence across our network so we can stay a step ahead of the threats and protect customers.

The challenge is to correlate our security data with our threat intelligence data. To do this, we collect trillions of signals from billions of sources to build an intelligent security graph that can learn from one area and apply across the Microsoft platform. The intelligent security graph is powered by inputs we receive across our endpoints, consumer services, commercial services and on-premises technologies.

The new Security Intelligence Report contains many insights from this data and analysis. Here are some examples:

  • From a sensor network made up of hundreds of millions of systems running Microsoft anti-malware software, the data shows us that:
    • The number of systems that encountered malware in 2015 increased in the second half of the year. The worldwide encounter rate increased to 20.5% by the end of 2015, an increase of 5.5 percentage points from six months earlier.
    • The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh, and Nepal which all had encounter rates above 50%.
    • Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015. The Angler exploit kit was the most commonly encountered exploit kit family.
    • Although ransomware had relatively low encounter rates (worldwide ER for ransomware in the first quarter of 2015 was 0.35 percent and 0.16 percent in the second quarter), its use in ransomware-as-a-service kits and targeted attacks is increasing.
  • SmartScreen Filter is a feature in Internet Explorer and Microsoft Edge that offers users protection against phishing sites and sites that host malware. Based on phishing data from the SmartScreen:
    • Phishing sites that targeted online services received the largest share of impressions during the period, and accounted for the largest number of active phishing URLs
    • Sites that targeted financial institutions accounted for the largest number of active phishing attacks during the period

As I mentioned we’ve published cloud service security data in this Security Intelligence Report, for the first time. Let me share some of that data with you and why we are excited about how the cloud is improving the insights from our intelligent security graph.

Mitigating Password Attacks

The massive scale of Microsoft’s cloud enables us to gather an enormous amount of intelligence on malicious behavior, which in turn allows us to prevent the compromise of Microsoft Accounts and Azure Active Directory accounts, and block the use of leaked or stolen credentials.

Azure Active Directory provides single sign-on to thousands of cloud (SaaS) apps such as Office 365, Workday, Box, Google Apps and more, and access to web apps organizations run on-premises, and Microsoft Accounts are used by consumers to sign into services like Bing, OneDrive, Skype, and Xbox LIVE.
The scale of these services provides tremendous insight into attackers’ efforts to compromise the user accounts of consumers and enterprises.
  1. At the end of 2015, Azure Active Directory was being used by 8.24 million tenants with over 550 million users.
  2. Azure Active Directory averaged over 1.3 billion requests per day.
  3. Every day, Microsoft processed over 13 billion logins from hundreds of millions of Microsoft Account users.

To prevent and mitigate attacks on the consumers and organizations using these services, we use a multi-layered system of protection mechanisms. The keystone of these protection systems is machine learning. Every day, our machine learning systems process more than 10 terabytes of data, including information on over 13 billion logins from hundreds of millions of Microsoft Account users.

We combine this with other protection algorithms and data feeds from:

  • The Microsoft Digital Crimes Unit
  • The Microsoft Security Response Center
  • Phishing attack data from and Exchange Online
  • Information acquired by partnering with academia, law enforcement, security researchers, and industry partners around the world

All this data helps us create a comprehensive protection system that helps keep our customers’ accounts safe. The system deflects tens of thousands of location-based attacks per day, and automatically blocks tens of thousands of requests each day that use credentials that have likely been stolen or leaked. Microsoft Accounts that are determined to be compromised are automatically entered into an account recovery process that allows only the rightful owner to regain sole access to the account.

Multiple algorithms look at a wide range of data produced by our systems, working in real time to stop attacks before they succeed and, retroactively, to swiftly remediate accounts where an attack worked and remove the bad actor’s access. Alongside the machine learning models, we also use simpler deterministic controls such as lockout after repeated incorrect passwords and location-based blocking.

The Advantages of Machine Learning

Microsoft’s machine learning systems use various data points to determine when an account login attempt, even with a valid password, is likely fraudulent.

For Microsoft Accounts, these login attempts are blocked until a second factor of authentication is provided. For Azure Active Directory, Identity Protection allows administrators to create policies that do the same, requesting MFA or outright blocking the attempt based on the risk score of the login.

One of the factors the machine learning system uses to block login attempts is whether the location of the login attempt is a familiar location to the legitimate user.
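The post names the three outcomes a risk-based sign-in policy can produce (allow, require a second factor, block) and one of the signals that feeds it (whether the location is familiar to the legitimate user), but not how they fit together. The following is an added illustration, not Microsoft’s code or a description of its models: it learns each user’s familiar countries and networks from past successful sign-ins, adds the leaked-credential signal the post also mentions, and maps a score to an action. The sign-in history, leaked-credential set, weights, and thresholds are all constructed assumptions.

```python
"""Risk-based sign-in policy over constructed sign-in data (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed history of successful sign-ins: (user, country, ASN of the source network)
HISTORY = [
    ("alice", "FI", 1759), ("alice", "FI", 1759), ("alice", "FI", 16086),
    ("alice", "SE", 1257),
    ("bob", "US", 7922), ("bob", "US", 7922), ("bob", "US", 20115),
]

# Constructed (user, password hash) pairs that appeared in a credential dump
LEAKED_CREDENTIALS = {("bob", "5f4dcc3b")}

# Illustrative weights and thresholds (assumptions, not the real system's values)
W_UNFAMILIAR_COUNTRY = 40
W_UNFAMILIAR_ASN = 20
W_LEAKED_CREDENTIAL = 50
W_FAILED_BURST = 40
FAILED_BURST_MIN = 10      # failed attempts on the account in the last hour
MFA_THRESHOLD = 40         # score at which a second factor is demanded
BLOCK_THRESHOLD = 70       # score at which the attempt is refused outright


@dataclass
class Attempt:
    user: str
    country: str
    asn: int
    password_hash: str
    password_valid: bool
    recent_failures: int = 0


def build_profiles(history):
    """Per-user set of countries and ASNs seen on past successful sign-ins."""
    profiles = defaultdict(lambda: {"countries": set(), "asns": set()})
    for user, country, asn in history:
        profiles[user]["countries"].add(country)
        profiles[user]["asns"].add(asn)
    return profiles


def score(attempt, profiles):
    """Additive risk score plus the reasons that contributed to it."""
    prof = profiles.get(attempt.user, {"countries": set(), "asns": set()})
    total, reasons = 0, []
    if attempt.country not in prof["countries"]:
        total += W_UNFAMILIAR_COUNTRY
        reasons.append("unfamiliar_country")
    if attempt.asn not in prof["asns"]:
        total += W_UNFAMILIAR_ASN
        reasons.append("unfamiliar_asn")
    if (attempt.user, attempt.password_hash) in LEAKED_CREDENTIALS:
        total += W_LEAKED_CREDENTIAL
        reasons.append("leaked_credential")
    if attempt.recent_failures >= FAILED_BURST_MIN:
        total += W_FAILED_BURST
        reasons.append("failed_burst")
    return total, reasons


def decide(attempt, profiles):
    """Return (action, score, reasons). A valid password is necessary, never sufficient."""
    if not attempt.password_valid:
        return "deny", 0, ["bad_password"]
    total, reasons = score(attempt, profiles)
    if total >= BLOCK_THRESHOLD:
        return "block", total, reasons
    if total >= MFA_THRESHOLD:
        return "mfa", total, reasons
    return "allow", total, reasons


PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    for a in (Attempt("alice", "FI", 1759, "aaaa", True),
              Attempt("alice", "BR", 28573, "aaaa", True),
              Attempt("bob", "CN", 4134, "5f4dcc3b", True)):
        print(a.user, a.country, decide(a, PROFILES))
```

The point of the split into `score` and `decide` is that a correct password only gets an attempt past the first gate; the familiar-location and leaked-credential signals decide whether it is allowed, challenged, or refused, which is the behaviour the post describes for both Microsoft Accounts and Identity Protection policies.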

New Threat Intelligence Provides Details on Attacks
Here is some of the new data we published in this Security Intelligence Report:

  1. Compromised login attempts were blocked from unfamiliar locations nearly three quarters of the time.
  2. Attackers were located in different parts of the world:
    • 49% in Asia
    • 20% in South America
    • 14% in Europe
    • 13% in North America
    • 4% in Africa

Understanding where attacks are originating from, allows us to recognize attack patterns which we can then use to protect other systems and customers.

From all this data gathering and analysis, each day Microsoft’s account protection systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials. That’s over 4 billion attacks prevented last year alone.

Very few organizations can access this much high quality data, aggregate it, and analyze it, every day, on-premises, and use it to make timely security decisions. Through our machine learning capabilities, the Microsoft cloud protects customers in a highly sophisticated way, faster than most organizations could do on-premises.


In every Security Intelligence Report, we provide some guidance that helps protect people and organizations. There are a few things people can do to protect their accounts and devices from password based attacks:

  • The security of your account is particularly important if your username is an email address, because other services may rely on your email address to verify your identity. If an attacker takes over your account, they may be able to take over your other accounts too (like banking and online shopping) by resetting your passwords by email.
  • Tips for creating a strong and unique password:
    • Don’t use a password that is the same or similar to one you use on any other website. A cybercriminal who can break into that website can steal your password from it and use it to steal your account.
    • Don’t use a single word (e.g. “princess”) or a commonly-used phrase (e.g. “Iloveyou”).
    • Do make your password hard to guess even by those who know a lot about you (such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use).
  • Two-step verification boosts account security by making it more difficult for hackers to sign in—even if they know or guess your password.
  • If you turn on two-step verification and then try to sign in on a device we don’t recognize, we’ll ask you for two things:
    • Your password.
    • An extra security code.
    • We can send a new security code to your phone or your alternate email address, or you can get one through an authenticator app on your smartphone.
  • If your organization hasn’t started leveraging the cloud because you don’t think you can get the visibility or control you need, it’s time to re-evaluate it – the scale, and the threat intelligence and new security capabilities it enables, are likely going to provide higher ROI than you can get on-premises.
  • Organizations should evaluate how the cloud will help them evolve to a “protect, detect, respond” security strategy. Evaluate Azure Active Directory Identity Protection, which is in preview right now.
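The security code an authenticator app produces is a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP). The following is an added example, not Microsoft’s authenticator or server code: it derives the code from a shared secret and the current 30-second time step, and shows the server-side check a practitioner has to get right, a small clock-skew window, a constant-time comparison, and refusal to accept a code for a time step that has already been used, so that a code captured by a phishing page cannot be replayed within its validity window. The secret is the key from the RFC test vectors.

```python
"""TOTP generation and verification (RFC 4226 / RFC 6238), added example."""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # key used in the RFC 4226/6238 test vectors
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time divided into fixed steps."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check for one enrolled secret.

    Accepts the current step or its neighbours (to tolerate clock skew), compares in
    constant time, and never accepts a step at or before the last one that succeeded,
    so a code that was already used, or sniffed, cannot be replayed inside its window.
    """

    def __init__(self, secret: bytes, digits: int = 6, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_accepted = -1  # highest counter value that has verified so far

    def verify(self, code: str, at_time: float) -> bool:
        counter = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted:
                continue  # replay: this step (or an earlier one) was already consumed
            expected = hotp(self.secret, candidate, self.digits).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    v = TotpVerifier(RFC_TEST_SECRET)
    print(code, v.verify(code, now), v.verify(code, now))  # second check is a replay
```

Because `last_accepted` only moves forward, a stolen code is useless once the legitimate user has signed in with it, and the window of one step on either side keeps a phone whose clock drifts by a few seconds from being locked out.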

The new Security Intelligence Report is available at

Tim Rains
Director, Security

Microsoft Security Intelligence Report Volume 20 is now available

May 5th, 2016 No comments

The latest volume of the Microsoft Security Intelligence Report (SIR) is now available for free download at

We’ve been publishing threat intelligence reports for our customers, partners and the industry for 10 years now. During that time, we’ve published over 12,500 pages of threat intelligence, 100+ blog posts, many videos, and delivered thousands of customer briefings all over the world.

This new volume of the report includes threat data from the second half of 2015 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides deep dive threat data for over 100 countries/regions.

There are a couple of new sections in this volume of the SIR that I’m excited to share.

First, the report includes a section called “PLATINUM: Targeted attacks in South and Southeast Asia.” This section provides details on a newly discovered determined adversary group, which Microsoft has code-named PLATINUM. This group has conducted several cyber espionage campaigns since 2009, focusing on targets associated with governments and related organizations in southeast Asia. This information can help you understand mitigations that can significantly reduce the risks that organizations face from such groups.

The other section I’m excited about is called “Protecting Identities in the Cloud: Mitigating Password Attacks.” This section of the report focuses on some of the things that Microsoft does to prevent account compromise inside our cloud services. This is the first time we’ve published data like this in the SIR.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 20 of the Microsoft Security Intelligence Report at

Tim Rains
Director, Security

Ransomware: Understanding the Risk

April 22nd, 2016 No comments

Ransomware is a type of malware that holds computers or files for ransom by encrypting files or locking the desktop or browser on systems that are infected with it, then demanding a ransom in order to regain access. Criminals have used high pressure techniques to get victims to pay the ransom, such as:

  • Make encrypted data unrecoverable after a certain period of time
  • Threaten to post captured (potentially sensitive) data publicly
  • Use fear by claiming to be law enforcement and threaten prosecution
  • Increase the ransom payment amount as time goes on
  • Render the machine unbootable when it overwrites the Master Boot Record and encrypts physical sectors on disk
  • Threaten to erase all data and render all enterprise computers inoperable

Figure 1: An example of a ransomware ransom demand

There is heightened concern across the industry about ransomware because of some high profile cases that illustrate ransomware isn’t just a threat for consumers to worry about, as it is being used in attacks on enterprises as well.

Although we know attackers that leverage ransomware are motivated by profit, the underlying reasons they have attacked specific organizations or industries are not as straight forward. Some attackers might very well be targeting specific industries with ransomware attacks. Other attackers might simply be leveraging their capabilities; i.e. they have developed the capability to exploit specific vulnerabilities in specific platforms or specific line-of-business applications that happen to be primarily used in, or get heavy use by, specific industries.

Ransomware is a topic that I have written about in the past (Ransomware: Ways to Protect Yourself & Your Business, Ransomware is on the Rise, Especially in Europe) and that we have covered extensively in some volumes of the Microsoft Security Intelligence Report. The Microsoft Malware Protection Center has provided extensive information about this category of threats (Ransomware, No mas, Samas: What’s in this ransomware’s modus operandi?, The three heads of the Cerberus-like Cerber ransomware, Locky malware, lucky to avoid it, MSRT October 2015: Tescrypt, MSRT September 2015: Teerac, MSRT July 2015: Crowti, Emerging ransomware: Troldesh, Your Browser is (not) Locked, etc.)

Given the heightened concern in the industry, I thought it was time to examine if the risk associated with this threat category has been increasing. This will help CISOs, security teams, and risk managers understand if they should prioritize this risk differently now than they have in the past. As always, risk is the combination of probability and impact.

Let me start by providing some data and insights that will help organizations understand the probability component associated with the risk of ransomware. Using data from the Microsoft Security Intelligence Report, which includes data based on telemetry from hundreds of millions of systems around the world, we can see that ransomware has been encountered worldwide much less frequently than almost all other types of malware. Figure 2 illustrates the encounter rates for malware categories for each quarter ending in the second quarter of 2015. The encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware or potentially unwanted software during a quarter. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender reporting that they blocked malware from installing on them.

Figure 2: Encounter rates for significant malware categories, third quarter of 2014 (3Q14) – second quarter of 2015 (2Q15)

The worldwide ER for ransomware in the first quarter of 2015 (1Q15) was 0.35 percent and 0.16 percent in the second quarter (2Q15) as seen in Figure 2. While the ER for Trojans was 3.92 percent and 4.45 percent in 1Q15 and 2Q15 respectively. That means the ER for Trojans was 11 times higher than the ransomware ER in 1Q15 and 28 times higher in 2Q15. More recent data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware. The most recent data, from the last month (March 2016), suggests that the worldwide ER for ransomware was 0.2 percent, putting it almost on par with the ER for Trojan Downloaders & Droppers, but still lower than viruses (file infectors) and most other threat categories.

Although the global encounter rate is just a fraction of a percent, some countries/regions have higher ransomware encounter rates, i.e. the probability of encountering ransomware is higher in some locations than others. For example, in 2Q15, when the worldwide ER was 0.16 percent, the ER in Mexico was 5 times higher at 0.8 percent. France and Canada had ransomware encounter rates 4.4 times higher than the worldwide average at 0.7 percent, while the United States, Russia and Turkey all had elevated ransomware encounter rates, 3.75 times higher than the worldwide average, at 0.6 percent.

The locations that had the highest ransomware ERs in the world in 2015 are listed in Figures 3 and 4. Portugal and Italy were among the locations with the highest ransomware ERs in both halves of 2015.

Figure 3 (left): The countries/regions with the highest ransomware encounter rates in the world in the first half of 2015; Figure 4 (right): The countries/regions with the highest ransomware encounter rates in the world in the second half of 2015

Although the ransomware ER in the UAE, for example, in the first half of 2015 was the highest in the world, ransomware is still one of the least encountered categories of threats there as Figure 5 illustrates. A ransomware family does not appear in the top 10 list of threats in the UAE.

Figure 5: Malware encountered in the United Arab Emirates in the second quarter of 2015, by category

The infection rate is typically a fraction of the ER because systems have to encounter malware before they can get infected. Data in several volumes of the Security Intelligence Report suggests that 70 percent to 80 percent of systems that run the MSRT also run up-to-date real time antivirus. This means most systems will be able to block the installation of known commodity ransomware before they can become infected. Thus ER is typically much greater than the actual infection rate.

The malware infection rate, called the Computers Cleaned per Mille (CCM), is measured by the number of computers cleaned for every 1,000 unique computers that run the Windows Malicious Software Removal Tool (MSRT). For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).

Detection for new malware families is typically added to the MSRT every month. The MSRT cleans many of the most prevalent families of ransomware, such as Win32/Crowti, Ransom:Win32/Reveton, and Win32/Samas. Of these, Crowti had the highest CCM in the second half of 2015: 0.04 in 3Q15 and 0.01 in 4Q15. This means that for every 1,000 systems the MSRT executed on in the fourth quarter of 2015, 0.01 were cleaned of Crowti; that’s one thousandth of a percent of the hundreds of millions of systems the MSRT executes on each month.

The ER data I outlined above suggests that ransomware represents a risk that has been lower probability relative to other types of malware in most parts of the world. But the rapid evolution of ransomware suggests that these numbers could rise in the future. Email (spam, spear-phishing, etc), social engineering using Word and Excel macros, drive-by download attacks, and removable storage devices (USB drives) are among the most common ways attackers have distributed ransomware. This has been evolving rapidly.

The ability for less-skilled attackers to mount ransomware campaigns has increased recently, due to the emergence of ransomware-as-a-service (RaaS) offerings on the darkweb. Sarento and Enrume are ransomware families that are examples of this approach. Ransomware is being increasingly paired with exploit kits, such as JS/Axpergle (a.k.a. Angler), and other malware to gain persistence in victims’ environments. More attackers using more distribution points has led to more enterprises encountering ransomware as figures 6 and 7 illustrate. Additionally, ransomware can be distributed to systems via other malware, i.e. existing infections, to increase attacker monetization of the assets they control.

When comparing these figures, notice how the ER for ransomware increased between the first and second halves of 2015 surpassing the ER of Password Stealers & Monitoring Tools. Also notice that the ER for ransomware on domain joined systems surpassed that of non-domain joined systems.

Figure 6: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the first half of 2015, by category

Figure 7: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the second half of 2015, by category

More sophisticated attackers that target enterprises try to encrypt as much of their target’s critical data as possible. To do this, they need to move beyond encrypting data on a single device. They use all the dirty tricks in their toolkits to get a foothold in an organization’s IT environment including exploiting unpatched vulnerabilities, taking advantage of misconfigured systems and weak passwords, and of course social engineering.

The main entry points for these attacks are vulnerable Internet facing servers and user workstations. Once they have compromised a single system, they use tactics similar to “APT” style attacks to traverse the infrastructure looking for more data to encrypt. To do this, they will gather credentials on the initial point of entry, attempt to gain elevated privileges (e.g. domain administrator), use those credentials to map out the organization’s network, then move laterally to new hosts, gathering more credentials that will allow them to encrypt data on as many machines as possible. Attackers will also deny the victim organization access to their backups, if they can, to increase the motivation to pay the ransom.

Once attackers have access to data (.pdf, .xlsx, .docx, etc) they believe is valuable to the victim organization, they encrypt it. As ransomware has evolved, more of this malware has been employing correctly implemented strong encryption algorithms (the Advanced Encryption Standard (AES), for example), which prevents recovery without a valid decryption key or restoring the original files from backup. Without backups, the impact of this type of attack on a business could be severe; the loss of intellectual property, customer data, and financial records could have irreversible consequences for a business.
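The tactics above (one process rewriting documents across many directories, and backups targeted so the victim cannot recover) leave a behavioural footprint that can be caught before much data is lost. The following is an added example, not code from Microsoft or from the Samas analysis: a small detector that consumes file-activity events from an endpoint sensor and raises an alert when a single process replaces many documents in many directories within a short window, or when it touches a planted canary document. The event stream, paths, process names, thresholds and the entropy cut-off are all constructed assumptions; the high-entropy "ciphertext" sample is simply every byte value once.

```python
"""Behavioural ransomware detector over constructed file-activity events (added example)."""
import math
import ntpath
from collections import defaultdict, deque

DOC_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}
CANARY_PATHS = {r"C:\Users\alice\Documents\~canary.docx".lower()}  # planted, never legitimately edited
WINDOW_SECONDS = 10.0   # sliding window per process
MIN_FILES = 5           # distinct documents rewritten inside the window
MIN_DIRS = 3            # spread across this many directories
HIGH_ENTROPY = 7.0      # bits per byte; encrypted or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0 for a single repeated value, 8 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_encrypt_like(ev) -> bool:
    """True if the event looks like a document being replaced by ciphertext."""
    ext = ntpath.splitext(ev["path"])[1].lower()
    if ext not in DOC_EXTENSIONS:
        return False
    if ev["op"] == "rename":  # e.g. report.docx -> report.docx.locked
        return ntpath.splitext(ev["new_path"])[1].lower() not in DOC_EXTENSIONS
    if ev["op"] == "write":   # in-place overwrite with high-entropy content
        return shannon_entropy(ev.get("sample", b"")) >= HIGH_ENTROPY
    return False


class RansomwareDetector:
    def __init__(self):
        self.window = defaultdict(deque)  # pid -> deque of (ts, path) encrypt-like events
        self.alerted = set()              # pids already reported for mass rewriting

    def observe(self, ev):
        """Feed one event; return a list of (ts, pid, image, rule) alerts it triggered."""
        alerts = []
        if ev["path"].lower() in CANARY_PATHS and ev["op"] in ("write", "rename", "delete"):
            alerts.append((ev["ts"], ev["pid"], ev["image"], "canary_touched"))
        if not is_encrypt_like(ev):
            return alerts
        q = self.window[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        files = {p for _, p in q}
        dirs = {ntpath.dirname(p).lower() for p in files}
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS and ev["pid"] not in self.alerted:
            self.alerted.add(ev["pid"])
            alerts.append((ev["ts"], ev["pid"], ev["image"], "mass_rewrite"))
        return alerts


def run(events):
    """Replay events in time order through one detector and collect the alerts."""
    det = RansomwareDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alerts.extend(det.observe(ev))
    return alerts


CIPHERTEXT_LIKE = bytes(range(256))  # constructed stand-in for encrypted content
USER = r"C:\Users\alice"
SAMPLE_EVENTS = [  # constructed; ts in seconds, op in {write, rename, delete}
    {"ts": 100.0, "pid": 1001, "image": "WINWORD.EXE", "op": "write",
     "path": USER + r"\Documents\report.docx",
     "sample": b"Quarterly report, Q3 2015. Revenue grew four percent."},
    {"ts": 100.4, "pid": 4242, "image": "svch0st.exe", "op": "rename",
     "path": USER + r"\Documents\a.docx", "new_path": USER + r"\Documents\a.docx.locked"},
    {"ts": 101.0, "pid": 4242, "image": "svch0st.exe", "op": "rename",
     "path": USER + r"\Documents\b.xlsx", "new_path": USER + r"\Documents\b.xlsx.locked"},
    {"ts": 102.0, "pid": 4242, "image": "svch0st.exe", "op": "rename",
     "path": USER + r"\Desktop\c.pdf", "new_path": USER + r"\Desktop\c.pdf.locked"},
    {"ts": 103.0, "pid": 4242, "image": "svch0st.exe", "op": "rename",
     "path": USER + r"\Desktop\d.pptx", "new_path": USER + r"\Desktop\d.pptx.locked"},
    {"ts": 104.0, "pid": 4242, "image": "svch0st.exe", "op": "rename",
     "path": r"\\fileserver\finance\e.xlsx", "new_path": r"\\fileserver\finance\e.xlsx.locked"},
    {"ts": 105.0, "pid": 4242, "image": "svch0st.exe", "op": "write",
     "path": USER + r"\Documents\~canary.docx", "sample": CIPHERTEXT_LIKE},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The benign save by WINWORD.EXE never enters the window because its content is low-entropy text, while the malicious process trips the mass-rewrite rule on its fifth document (the first one on the file server, which takes it to three directories) and then the canary rule, which fires on a single event and is the cheapest signal to deploy.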

The Samas family (Ransom:MSIL/Samas) of ransomware is a great example of ransomware using some of these tactics. The MMPC has published a great article on this family: No mas, Samas: What’s in this ransomware’s modus operandi?

Detection for Samas was added to the MSRT in April 2016. The infection rate (CCM) for Samas is virtually zero, as it has only been seen used in targeted attacks versus used in broad attacks as commodity ransomware.

Figure 8: Ransom:MSIL/Samas infection chain

Ransomware has been evolving quickly. Last month (March 2016) the top 5 ransomware families encountered included Ransom:Win32/Tescrypt, Ransom:Win32/Locky, Ransom:Win32/Crowti, Ransom:JS/Brolo, Ransom:Win32/Teerac.

Although commodity ransomware has relatively low encounter rates and low infection rates, when determining the probability and impact in ransomware risk calculations it’s important to consider that ransomware is also being used as part of ransomware-as-a-service kits and by determined adversaries in targeted attacks.

The fact that ransomware families aren’t very prevalent at this point is good news. But that doesn’t make it any less painful to the users and organizations that have been victimized. This is why Microsoft is so committed to continually raising the bar on attackers and helping our customers with these threats. There is a plethora of mitigations available for enterprise customers, both on-premises and cloud-based. Windows 10 has numerous advanced security features that can make it much harder for attackers to be successful with ransomware. The Office 365 Security team published an excellent article that provides some great mitigations, a highly recommended read: How to Deal with Ransomware.

Additionally, I asked some of the experts in Microsoft’s Enterprise Cybersecurity Group to provide some guidance based on the work they are doing to help enterprise customers protect, detect and respond to ransomware cases. The Enterprise Cybersecurity Group has unique, industry-leading cybersecurity expertise from client to cloud that I’m excited to tap. They have helped numerous enterprise customers protect, detect and respond to some of the most sophisticated ransomware attacks to date. This experience informs their approach, something partially summarized in the table below.

  • Detect
    • Ingress protections
    • Auto-scale endpoint protections
    • Behavioral and deterministic detections leveraging Deep Packet Inspection
  • Protect
    • Reputational services
    • High Value Asset protection, containment, isolation
  • Respond
    • Response planning
    • Offline backups
    • Regular hunting and validation

We will share more from the Enterprise Cybersecurity Group in the next article in this series on ransomware.

Tim Rains
Director, Security

Cloud Security Alliance Summit 2016: I Survived the Shark Tank

March 21st, 2016 No comments

A few weeks back I had the opportunity to speak at the Cloud Security Alliance Summit 2016 held in San Francisco, California. Microsoft was a Platinum sponsor of the event. I participated in a panel discussion on cloud security that focused on lessons learned from a cloud services provider’s point of view. Google, Dropbox, and Rackspace also participated on the panel.

The panel was moderated by Robert Herjavec, CEO of the Herjavec Group and star of ABC’s Shark Tank. Robert was a gracious and fun moderator to work with and I managed to survive the panel without a shark bite!

Also from Microsoft, Bruce Cowper delivered a keynote titled “Trusted Cloud” in which Bruce discussed the gap between how much people trust their on-premises infrastructure and the enterprise cloud services they consume, and examined reasons for the difference.

Tim Rains
Director, Security

Categories: Cloud Computing

TechNet Virtual Conference 2016: security, patching, vulnerabilities and exploitation

March 8th, 2016 No comments

Last week I participated in the TechNet Virtual Conference 2016. It was a great three-day event with many excellent speakers that discussed a wide range of topics. The sessions were anchored by journalist Mary Jo Foley and Senior Microsoft Evangelist Rick Claus.

If you missed the event last week, the good news is that the videos are available to view on-demand.

There were a couple of sessions that focused on security during the virtual conference including this one on Windows 10: “Day 2: Windows 10 Security – Protection Against Modern Security Threats.”

My ~30-minute session primarily focused on trends in exploitation, but I discussed a bunch of things related to security, the top ways systems get compromised, and security updates.

Day 1: Tim Rains on Security and Patching Vulnerabilities


Tim Rains
Director, Security

Categories: cybersecurity

Progress Report: Enterprise security for our mobile-first, cloud-first world

February 25th, 2016 No comments

Today Microsoft made numerous announcements about new security capabilities, products and features. These are all designed to help our customers accelerate the adoption of a more holistic security posture that helps protect, detect and respond to modern security threats.

All of the details are available in this article: Progress Report: Enterprise security for our mobile-first, cloud-first world.

Tim Rains
Director, Security

Categories: cybersecurity

Five things you should know about cloud security

January 6th, 2016 No comments

Security threats continue to dominate the news cycle today. As more companies move to the cloud, privacy and transparency are also hot topics in the news. The result: organizations are increasingly weighing the benefits of new, cloud-based opportunities against the corresponding risks and mitigation costs.

Microsoft is committed to providing a cloud you can trust. We believe there are five critical areas you need to know about cloud security:

  • Security options and capabilities available in the cloud
  • Maintaining privacy and control of your data
  • Addressing industry compliance rules
  • The need for transparency and visibility into how your data is stored and protected
  • Taking advantage of hybrid options without sacrificing the benefits of the cloud

To help you understand how the cloud offers security and privacy controls that are likely better than those your organization uses on-premises, I’ll be offering a webinar that covers these five critical areas. It offers tools and strategies on everything from encryption considerations, including encryption at rest and in transit, to physical data center security and platform security. I’ll also cover privacy and data control topics, including where your data is physically housed and how long a provider can keep your data after you decide to leave a service, and I’ll address how to work through industry compliance questions, hybrid options (for data you decide not to move to the cloud), and the level of transparency you should expect from your provider. I hope you’ll join me.

The “Cloud security: 5 things you need to know” webinar will be held on January 12, 2016. Registration is now open. Register now!

Categories: Uncategorized

Securing Privileged Access

December 15th, 2015 No comments

We’ve all probably heard the old axiom that a chain is only as strong as its weakest link. In the context of cybersecurity, in many IT environments the weakest link is the workstations that administrators with privileged accounts use to connect to critical infrastructure and applications. If these management workstations aren’t properly secured, high-privilege user credentials can be stolen, and those stolen credentials will be used to compromise more infrastructure, applications and data.

One of the most common questions I get from security professionals who are trying to mitigate credential theft and reuse attacks is how to create a management workstation that secures privileged accounts.

I’d like to highlight some excellent new guidance that colleagues of mine in Microsoft’s new Enterprise Cybersecurity Group recently contributed to:

This new guidance was the result of a collaboration of folks from across Microsoft including contributions from the Enterprise Cybersecurity Group, our internal Microsoft IT security teams, the Microsoft Azure security team, as well as consultants in Microsoft Consulting Services and Premier Field Engineers that deliver these solutions every day, and many others across the company.

While they are pretty busy helping customers defend against cyberattacks, the authors are interested in hearing suggestions on how to improve this guidance. Please send feedback to

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Group

Categories: cybersecurity

Cloud security controls series: Azure Security Center

December 11th, 2015 No comments

The “holy grail” of security capabilities that I’ve heard so many CISOs talk about is one that lets them manage the security of the systems in their organization using a policy-based approach: a single place to monitor which systems meet their security policies and which do not, together with help remediating the issues on non-compliant systems.

Take that policy-based approach a giant step further by augmenting it with cloud-scale security data analytics and credible threat intelligence feeds from Microsoft and trusted third parties, then tightly integrate all of these capabilities with your organization’s identity management strategy and on-premises Security Information and Event Management (SIEM), and it looks a lot like the security nirvana that so many of the CISOs I know have been asking for.

This is essentially what the new Azure Security Center does: it provides integrated security monitoring and policy management for your Azure resources across your organization’s Azure subscriptions. It is a brand new capability in Microsoft Azure that is now in public preview.

The capabilities of the Azure Security Center have been conveniently categorized into prevention, detection, and response capabilities (I have circled these in red in the screen shot below). I describe this as convenient because it aligns well with the “protect, detect, and respond” security strategy that so many of the enterprise customers I talk to are actively using today.

Policy-based Monitoring
Azure Security Center enables organizations to monitor and manage Azure resources such as virtual machines, networking resources, SQL resources, and applications. Setting a security policy on your Azure subscription and enabling data collection (seen in the screenshot below) will define which security expert recommendations you want to see based on the data and analysis of the security configurations and events collected on your Azure resources.

When data collection is enabled, a data collection agent is automatically installed on each virtual machine in the Azure subscription that the policy applies to. This will enable Azure Security Center to provide a data-driven view of what is happening with all of these resources. You decide where (which Azure region) the data collected on your Azure resources resides in order to maintain any data residency policies your organization might have.

More information on security policies in the Azure Security Center is available in this article: Setting security policies in Azure Security Center.

Security Expert Recommendations
The Azure Security Center periodically analyzes the security state of your Azure resources. The data collected from the virtual machines in your Azure subscription enables it to monitor the state of those resources against the policy and provide recommendations for the areas you specified in the policy. When potential security vulnerabilities are identified, recommendations are created that guide you through configuring the security controls that mitigate them. This capability will help countless organizations that don’t have full-time security experts on staff.

In the example screen shot below issues are identified by resource (virtual machines, networking, SQL, applications) and by severity (high, medium, low). From the identified issues, numerous different recommendations are generated and listed.

Here’s a less complicated example. Once I enabled data collection and defined a security policy for my Azure subscription that included “Access Control Lists on endpoints”, a medium severity recommendation appeared in the list of recommendations.

This alerted me to the fact that my virtual machine in Azure had two unprotected endpoints (PowerShell and Remote Desktop) and recommended that Access Control Lists for these ports be implemented (seen in the screen shot below). Clicking on Remote Desktop in the list gave me the opportunity to configure the Access Control List.


More information on security recommendations in the Azure Security Center is available in this article: Implementing security recommendations in Azure Security Center.

Automatically Identifies Threats and Enables Response
A big part of the Azure Security Center’s value proposition is its threat detection and response capabilities. It automatically collects and analyzes log data from Azure resources, network traffic, and partner solutions like firewalls and anti-malware software, and uses this data to detect threats and generate a list of prioritized alerts (seen in the screen shots below).

A closer look at the RDP activity detected in this example reveals the details in the screen shot below. Azure Security Center makes context-aware suggestions on what response actions can help with items in the list. For the suspicious RDP activity this might include actions such as filtering the IP address that is connecting to the system’s RDP port by using a Network ACL or a Network Security Group rule.


Detecting meaningful security events through all the noise generated in a large IT environment is challenging, even in environments that have one or more SIEM systems deployed. Azure Security Center helps security teams cut through the noise to detect threats and material security events that might otherwise look like noise or anomalies in logs that have not been aggregated and analyzed.

Azure Security Center can detect and help remediate many types of attacks. Examples include network-based attacks like Remote Desktop Protocol (RDP) grinding/abuse (seen in the screen shot above) and compromised virtual machines, identified using the large-scale threat intelligence and machine learning capabilities built into Azure Security Center.
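To make the RDP grinding detection and the suggested response concrete, here is an added example; it is not Azure Security Center’s own detection logic and not code from this article. It scores failed RDP logons (Windows Security Event ID 4625, logon type 10) per source address inside a sliding window, raises an alert when a source crosses a threshold, and raises a second, higher-value alert if that same source later succeeds (Event ID 4624). The threshold, the window, the reduced event field names and the property names in the deny rule are assumptions for the example; the event records are constructed.

```python
"""
RDP password guessing ("grinding") detection over Windows Security logon events.

Added example, not Azure Security Center's detection logic. Events are reduced
to the fields the check needs and are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values, not product defaults.
FAILURE_THRESHOLD = 10          # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)
RDP_LOGON_TYPE = 10             # RemoteInteractive


def detect_rdp_grinding(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts in time order.

    Each alert is a dict with "ip", "kind" ("grinding" or
    "success_after_grinding"), "time" and, where relevant, "count"/"user".
    """
    events = sorted(events, key=lambda e: e["time"])
    recent = defaultdict(deque)     # source ip -> timestamps of recent failures
    flagged = set()                 # sources already reported as grinding
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = e["ip"]
        q = recent[ip]
        while q and e["time"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if e["event_id"] == 4625:
            q.append(e["time"])
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"ip": ip, "kind": "grinding",
                               "count": len(q), "time": e["time"]})
        elif e["event_id"] == 4624 and ip in flagged:
            # A success after a burst of failures is the case to act on first.
            alerts.append({"ip": ip, "kind": "success_after_grinding",
                           "user": e["user"], "time": e["time"]})
    return alerts


def nsg_deny_rule(ip, priority=100):
    """Response the article describes: a deny rule for the guessing source.

    Property names follow the Network Security Group rule shape but are an
    assumption here; adapt them to the tooling you deploy rules with.
    """
    return {"name": "deny-rdp-" + ip.replace(".", "-"), "priority": priority,
            "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
            "sourceAddressPrefix": ip + "/32", "destinationPortRange": "3389"}


def sample_events():
    """Constructed events: one guessing source, one admin with two typos."""
    t0 = datetime(2015, 12, 1, 10, 0, 0)
    ev = []
    for i in range(12):  # 12 failed guesses in two minutes from 203.0.113.7
        ev.append({"time": t0 + timedelta(seconds=10 * i), "event_id": 4625,
                   "logon_type": 10, "ip": "203.0.113.7", "user": "guess%d" % i})
    ev.append({"time": t0 + timedelta(minutes=3), "event_id": 4624,
               "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"})
    # 198.51.100.5: two failures then a success, below threshold, no alert
    for secs, eid in ((0, 4625), (30, 4625), (60, 4624)):
        ev.append({"time": t0 + timedelta(seconds=secs), "event_id": eid,
                   "logon_type": 10, "ip": "198.51.100.5", "user": "jdoe"})
    return ev


if __name__ == "__main__":
    for a in detect_rdp_grinding(sample_events()):
        print(a)
        if a["kind"] == "success_after_grinding":
            print("  suggested response:", nsg_deny_rule(a["ip"]))
```

The window is what keeps a user who mistypes a password twice out of the alert list; the success-after-grinding alert is the one to page on, since it means the guessing worked and a deny rule alone is no longer a sufficient response.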

More information on security alerts is available in this article: Managing and responding to security alerts in Azure Security Center.

For those organizations that want to export data from Azure, there’s an API available to help do this. I discussed the API and PowerShell script in a previous article on Azure Active Directory‘s Access and Usage Reports.

I’m just scratching the surface of the capabilities in the brand new Azure Security Center. I am very excited about its set of capabilities because so many security experts and CISOs will benefit from them.

Here are some more resources for you to learn more about the Azure Security Center:

Azure Security Center now available
Getting started with Azure Security Center
New Azure Security Center helps you prevent, detect, and respond to threats (video)
Azure Security Center videos

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Group

Categories: Uncategorized

Tracking Lateral Movement blog series by Jessica Payne

December 10th, 2015 No comments

I’d like to highlight a great new series of articles that a colleague of mine in Microsoft’s new Enterprise Cybersecurity Group, Jessica Payne, has recently started publishing. Lateral movement is a topic that literally every security professional I talk to is interested in these days.

Here’s the first article Jessica has published in the series:

Tracking Lateral Movement Part One – Special Groups and Specific Service Accounts
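The “Securing Privileged Access” post above asks how to keep privileged credentials on secured management workstations, and this series is about tracking where privileged logons actually happen. The following is an added example that serves both; it is not Microsoft’s guidance and not code from the series. It reads Windows Security Event ID 4624 (successful logon) records, reduced to the fields the check needs, and flags any logon by a Tier 0 account that leaves that credential on a lower-trust machine: an interactive logon on a host that is not a Privileged Access Workstation (PAW), an RDP logon whose source is not a PAW, an RDP logon from a PAW to a host that is not Tier 0, or a network logon from a source that is neither a PAW nor a Tier 0 server. The account, PAW and server names and the events themselves are constructed.

```python
"""
Check that Tier 0 accounts only log on from Privileged Access Workstations.

Added example, not Microsoft's PAW guidance. Works from Event ID 4624 records
reduced to the fields used below; names and events are constructed.
"""

TIER0_ACCOUNTS = {"CORP\\da-alice", "CORP\\da-bob"}   # assumed Domain Admin accounts
PAW_HOSTS = {"PAW01", "PAW02"}                        # assumed approved admin workstations
TIER0_SERVERS = {"DC01", "DC02"}                      # assumed Tier 0 servers

INTERACTIVE = {2, 11}     # console logon, cached console logon
NETWORK = 3               # SMB, WinRM, RPC and similar
REMOTE_INTERACTIVE = 10   # RDP


def classify_logon(event):
    """Return None if the 4624 event is acceptable under the PAW model, else a reason."""
    account = "{}\\{}".format(event["TargetDomainName"], event["TargetUserName"])
    if account not in TIER0_ACCOUNTS:
        return None   # only privileged credentials are in scope here
    logon_type = event["LogonType"]
    target = event["Computer"]            # host that recorded the event
    source = event["WorkstationName"]     # originating machine for remote logon types
    trusted_hosts = TIER0_SERVERS | PAW_HOSTS
    if logon_type in INTERACTIVE and target not in PAW_HOSTS:
        return "interactive logon by {} on non-PAW host {}".format(account, target)
    if logon_type == REMOTE_INTERACTIVE:
        if source not in PAW_HOSTS:
            return "RDP by {} from non-PAW source {} to {}".format(account, source, target)
        if target not in trusted_hosts:
            return "RDP by {} from a PAW to lower-tier host {}".format(account, target)
    if logon_type == NETWORK and source not in trusted_hosts:
        return "network logon by {} from non-PAW source {} to {}".format(account, source, target)
    return None


def find_violations(events):
    """Return (Computer, TargetUserName, reason) for every event classify_logon rejects."""
    out = []
    for e in events:
        reason = classify_logon(e)
        if reason:
            out.append((e["Computer"], e["TargetUserName"], reason))
    return out


def sample_events():
    """Constructed 4624 records, reduced to the fields used above."""
    def ev(computer, user, logon_type, workstation, domain="CORP"):
        return {"EventID": 4624, "Computer": computer, "TargetDomainName": domain,
                "TargetUserName": user, "LogonType": logon_type,
                "WorkstationName": workstation}
    return [
        ev("PAW01", "da-alice", 2, "PAW01"),        # admin at the console of her PAW: fine
        ev("DC01", "da-alice", 10, "PAW01"),        # RDP from the PAW to a domain controller: fine
        ev("DC02", "da-alice", 3, "DC01"),          # DC-to-DC network logon: fine
        ev("WKS-HR-12", "jsmith", 2, "WKS-HR-12"),  # ordinary user on an ordinary workstation: fine
        ev("WKS-HR-12", "da-bob", 2, "WKS-HR-12"),  # Domain Admin at the console of an HR workstation
        ev("DC02", "da-bob", 10, "WKS-HR-12"),      # RDP to a DC from that workstation
        ev("FILE01", "da-alice", 10, "PAW02"),      # Tier 0 account used on a Tier 1 file server
    ]


if __name__ == "__main__":
    for computer, user, reason in find_violations(sample_events()):
        print(computer, user, reason)
```

The last three constructed events are the ones the check rejects. The first two of them are the classic credential-theft path the post describes: a Domain Admin credential typed on, or relayed through, an ordinary workstation is available to anyone who already owns that workstation. The third is quieter but equally worth hunting for, since a Tier 0 credential used on a Tier 1 server is exposed to every Tier 1 administrator of that server.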

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Team

Categories: cybersecurity