Author Archive

Azure Backup offers several mechanisms to protect against ransomware

The start of a new year is the perfect time to reassess your security strategy and tactics, especially when looking back at the new levels of ransomware's reach and damage in 2017.

It's no secret that ransomware attacks are increasing. In fact, a business is hit with ransomware every 40 seconds. If ransomware does get a hold of your data, you can pay a large amount of money hoping that you will get your data back. The alternative is to not pay anything and begin your recovery process. Whether you pay the ransom or not, your enterprise loses time and resources dealing with the aftermath. Microsoft invests in several ways to help you mitigate the effects of ransomware.

For example, in the Windows 10 Fall Creators Update, Windows Defender Exploit Guard has a feature that prevents unauthorized access to important files. The feature, controlled folder access, works with Windows Defender Advanced Threat Protection. All applications (any executable file, including .exe, .scr, .dll files and others) are assessed to determine whether they are malicious or safe. If an application is determined to be malicious or suspicious, it will not be allowed to make any changes to any files in a protected folder. In cases of ransomware, this helps protect files from attempted encryption by the malware. As malware becomes increasingly sophisticated, older platforms are much more susceptible to ransomware attacks. Windows 10 has several defenses against ransomware that could help in case of a future attack.

One area to reconsider is your current backup policy and the potential outcomes to your business if your backup data is compromised by ransomware.

With Azure Backup, we are changing the ransomware story. You, not ransomware, are in control of your data. Azure Backup gives you three ways you can proactively protect your data in Azure and on-premises from ransomware. The first step is to back up your data. You need to back up virtual machines running in Azure, on-premises virtual machines, physical servers, and files to Azure. If your on-premises data is compromised, you'll have several copies of your data in Azure. This gives you the flexibility to restore your data back to a specific point in time and keep your business moving forward.

Next, you can set up a six-digit PIN directly from the Azure portal as an additional layer of protection for your Azure Backups. Only users with valid Azure credentials can then generate and receive this security PIN, which must be entered before any backup operation is performed.

Finally, Azure Backup provides just-in-time notifications to alert you to potential ransomware attacks. If a suspicious activity is attempted with your backups, a notification is immediately sent to you to get involved before ransomware has the chance.

If you are an IT professional, you can get started today by creating a free Azure Backup account. For more information on how Azure Backup protects against ransomware, check out our interactive infographic.

Microsoft is committed to helping you protect against and respond to evolving attacks. To learn more about other Microsoft security solutions, visit

  • Kaspersky Security Bulletin 2016

Categories: Uncategorized Tags:

How to disrupt attacks caused by social engineering

This post is authored by Milad Aslaner, Senior Program Manager, Windows & Devices Group.

A decade ago, most cyber-attacks started with a piece of malware or a complex method to directly attack the infrastructure of a company. But this picture has changed, and today all it takes is a sophisticated phishing e-mail that captures an identity.

Figure 1: Trying to identify a loophole in the complex infrastructure

Digitalization is happening and there is no way around it. It's a necessity for all industries and a natural evolutionary step in society. It's not about when or if digital transformation is happening, but how. Our Microsoft security approach is targeted to enable a secure digital transformation. We achieve that by enabling our customers to protect, detect and respond to cybercrime.

The art of social engineering is nothing new in itself and was already present in the age when broadband connections didn't even exist. At that time, we used to call these kinds of threat actors not hackers but con men. Frank Abagnale, Senior Consultant at Abagnale & Associates, once said: "In the old days, a con man would be good looking, suave, well dressed, well-spoken and presented themselves really well. Those days are gone because it's not necessary. The people committing these crimes are doing them from hundreds of miles away."

Threat actor groups such as STRONTIUM are nothing more than a group of modern con men. They follow the same approach as traditional con men, but they do it in the digital world. They prefer this approach because it has become easier to send a sophisticated phishing email than to find a new loophole or vulnerability allowing them to access critical infrastructure directly.

Figure 2: Example of a STRONTIUM phishing email

Keith A. Rhodes, Chief Technologist at the U.S. General Account Office, says: "There's always the technical way to break into a network, but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security."

According to the Verizon data breach investigation report from 2016, 30 percent of phishing emails were opened. It took a recipient an average of only 40 seconds to open the email and an additional 45 seconds to also open the malicious attachment. 89 percent of all phishing emails were sent by organized crime syndicates and 9 percent by state-sponsored threat actors.

Figure 3: Verizon Data Breach Report 2016

The weakest link remains the human. But while some could argue and say the user is to blame, the reality is that many of the targeted phishing emails are so sophisticated that it is impossible for the average user to notice the difference between a malicious and a legitimate email.

Figure 4: Example phishing emails that look legitimate at first look

Preparing a phishing email can take only a few minutes. First, the threat actors crawl social and professional networks and find as much personal information about the victim as possible. This could include organizational charts, sample corporate documents, common email headlines, pictures of the employee badge and more. There are professional tools available that pull much of this information from public or leaked databases. In fact, if needed, the threat actor can purchase the information from the dark web. For example, one million compromised email addresses and passwords can be traded for approximately $25, bank account logins can be traded for $1 per account, and social security numbers cost approximately $3, including birth date verification. Second, the threat actor prepares an e-mail template that will look familiar to the recipient, such as a password reset email, and lastly, they send it to the user.

Social engineering has become a very powerful technique for many threat actors; depending on their objective, they leverage computer-based, mobile-based, or human-based social engineering.

Figure 5: Stages of a phishing attack

  • Phase 1: Threat actor targets employee(s) via phishing campaign
  • Phase 2: An employee opens the attack email which allows the threat actor access to load the malicious payload or compromise the user identity
  • Phase 3: The workstation is compromised, threat actor persists malware, threat actor gathers credentials
  • Phase 4: Threat actors use stolen credentials to move laterally and gain unsolicited access and compromise key infrastructure elements
  • Phase 5: Threat actors exfiltrate PII and other sensitive business data

The built-in functionality of Enterprise Mobility + Security, Windows 10, Office 365, and Microsoft Azure enables organizations to disrupt these attacks. Below is a visualization allowing you to quickly understand which functionality helps in which phase:

Today, the entry level for threat actors to launch a cyber-attack is very low; therefore, it is critical that cybersecurity is a CEO matter. Organizations need to move away from a "we have a firewall, anti-virus, and disk encryption technology, so we are secure" mentality to a "cyber-attacks will happen, therefore we can no longer only focus on building walls but must also become able to detect and respond to breaches quickly" mindset. Assuming breach is key. It doesn't matter how large an organization is or in which industry it operates; every company has data that can be valuable to a threat actor or, in some cases, even a nation-state.

A consistent approach to information security is critical in today's world. It includes having the right incident response processes in place, technologies that help protect against, detect and respond to cyber-attacks, and lastly IT and end-user readiness.

For more information about Microsoft security products and solutions, as well as resources to help you with your security strategy, visit


How Microsoft tools and partners support GDPR compliance

This post is authored by Daniel Grabski, Executive Security Advisor, Microsoft Enterprise Cybersecurity Group.

As an Executive Security Advisor for enterprises in Europe and the Middle East, I regularly engage with Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and Data Protection Officers (DPOs) to discuss their thoughts and concerns regarding the General Data Protection Regulation, or GDPR. In my last post about GDPR, I focused on how GDPR is driving the agenda of CISOs. This post will present resources to address these concerns.

Some common questions are "How can Microsoft help our customers to be compliant with GDPR?" and "Does Microsoft have tools and services to support the GDPR journey?" Another is "How can I engage current investments in Microsoft technology to address GDPR requirements?"

To help answer these, I will address the following:

  • GDPR benchmark assessment tool
  • Microsoft partners & GDPR
  • Microsoft Compliance Manager
  • New features in Azure Information Protection

Tools for CISOs

There are tools available that can ease kick-off activities for CISOs, CIOs, and DPOs. These tools can help them better understand their GDPR compliance, including which areas are most important to be improved.

  • To begin, Microsoft offers a free GDPR benchmark assessment tool which is available online to any business or organization. The assessment questions are designed to help our customers identify technologies and steps that can be implemented to simplify GDPR compliance efforts. It is also a tool allowing increased visibility and understanding of features in Microsoft technologies that may already be available in existing infrastructures. The tool can reveal what already exists and what is not yet addressed to support each GDPR journey. As an outcome of the assessment, a full report is sent, an example of which is shown here.

Image 1: GDPR benchmarking tool

As an example, see below the mapping to the first question in the Assessment. This is based on how Microsoft technology can support requirements about collection, storage, and usage of personal data; it is necessary to first identify the personal data currently held.

  • Azure Data Catalog provides a service in which many common data sources can be registered, tagged, and searched for personal data. Azure Search allows our customers to locate data across user-defined indexes. It is also possible to search for user accounts in Azure Active Directory. For example, CISOs can use the Azure Data Catalog portal to remove preview data from registered data assets and delete data assets from the catalog:

Image 2: Azure Data Catalogue

  • Dynamics 365 provides multiple methods to search for personal data within records such as Advanced Find, Quick Find, Relevance Search, and Filters. These functions each enable the identification of personal data.
  • Office 365 includes powerful tools to identify personal data across Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business environments. Content Search allows queries for personal data using relevant keywords, file properties, or built-in templates. Advanced eDiscovery identifies relevant data faster, and with better precision, than traditional keyword searches by finding near-duplicate files, reconstructing email threads, and identifying key themes and data relationships. Image 3 illustrates the common workflow for managing and using eDiscovery cases in the Security & Compliance Center and Advanced eDiscovery.

Image 3: Security & Compliance Center and Advanced eDiscovery

  • Windows 10 and Windows Server 2016 have tools to locate personal data, including PowerShell, which can find data housed in local and connected storage, as well as search for files and items by file name, properties, and full-text contents for some common file and data types.
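
As an added example (not code from the original post or from Microsoft), the following PowerShell script shows the three kinds of search that bullet describes, by file name, by file properties and by full-text content, combined into one inventory of candidate personal-data files. The root path, extension list, name keywords and regular expressions are assumptions chosen for illustration; replace them with your own classification taxonomy.

```powershell
# Added example, not code from the original post or from Microsoft.
# Inventories files under a root path that look like they hold personal data, using
# only built-in cmdlets: by file name, by file properties (owner, last write time) and
# by full-text content. $Root, the extension list, the name keywords and the regular
# expressions are assumptions for illustration; replace them with your own taxonomy.
param(
    [string]   $Root       = 'D:\Shares\Finance',                        # assumed path
    [string[]] $Extensions = @('*.txt', '*.csv', '*.log', '*.xml', '*.json')
)

# Illustrative content patterns. Real classifiers validate matches (checksums, context)
# to keep false positives down; these regexes only show the mechanism.
$Patterns = @{
    EmailAddress = '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'
    IbanLike     = '\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){3,7}\b'
}
$NameKeywords = 'payroll|employee|customer|passport|birth'

function Get-PersonalDataInventory {
    param([string]$Path, [string[]]$Include, [hashtable]$ContentPatterns, [string]$NamePattern)

    $files = Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $owner = (Get-Acl -Path $f.FullName -ErrorAction SilentlyContinue).Owner

        # 1) Search by name: a suggestive file name is itself an indicator.
        if ($f.Name -match $NamePattern) {
            [pscustomobject]@{ Path = $f.FullName; Indicator = 'FileName'; Hits = 1
                               Owner = $owner; LastWrite = $f.LastWriteTime }
        }

        # 2) Search by full-text contents, one pattern at a time.
        foreach ($entry in $ContentPatterns.GetEnumerator()) {
            $found = Select-String -Path $f.FullName -Pattern $entry.Value -AllMatches -ErrorAction SilentlyContinue
            if ($found) {
                $hits = ($found | ForEach-Object { $_.Matches.Count } | Measure-Object -Sum).Sum
                [pscustomobject]@{ Path = $f.FullName; Indicator = $entry.Key; Hits = $hits
                                   Owner = $owner; LastWrite = $f.LastWriteTime }
            }
        }
    }
}

$inventory = Get-PersonalDataInventory -Path $Root -Include $Extensions `
                                       -ContentPatterns $Patterns -NamePattern $NameKeywords

# Output: which files, where, who owns them and how many indicators each carries,
# sorted so the files with the most hits come first.
$inventory | Sort-Object Hits -Descending | Format-Table -AutoSize
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'personal-data-inventory.csv') -NoTypeInformation
```

The script deliberately emits one row per file and indicator rather than a single verdict, because the follow-up work (is this file still needed, who is its owner, which retention rule applies) is done per finding. Binary formats such as Office documents are skipped by the extension filter; extending it requires a text extractor, which built-in cmdlets do not provide.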

A sample outcome, based on one of the questions regarding GDPR requirements, is shown in Image 4.

Image 4: example of the GDPR requirements mapped with features in the Microsoft platform

Resources for CISOs

Microsoft's approach to GDPR relies heavily on working together with partners. Therefore, we built a broader version of the GDPR benchmarking tool, available to customers through the extensive Microsoft Partner Network. The tool provides an in-depth analysis of an organization's readiness and offers actionable guidance on how to prepare for compliance, including how Microsoft products and features can help simplify the journey.

The Microsoft GDPR Detailed Assessment is intended to be used by Microsoft partners who are assisting customers to assess where they are on their journey to GDPR readiness. The GDPR Detailed Assessment is accompanied by supporting materials to assist our partners in facilitating customer assessments.

In a nutshell, the GDPR Detailed Assessment is a three-step process where Microsoft partners engage with customers to assess their overall GDPR maturity. Image 5 below presents a high-level overview of the steps.

Image 5

The partner engagement is expected to last 3-4 weeks, while the total effort is estimated at 10 to 20 hours, depending on the complexity of the organization and the number of participants, as you can see below.

Image 6: Duration of the engagement

The Microsoft GDPR Detailed Assessment is intended for use by Microsoft partners to assess their customers' overall GDPR maturity. It is not offered as a GDPR compliance attestation. Customers are responsible for ensuring their own GDPR compliance and are advised to consult their legal and compliance teams for guidance. This tool is intended to highlight resources that partners can use to support a customer's journey towards GDPR compliance.

We are all aware that achieving organizational compliance may be challenging. It is hard to stay up-to-date with all the regulations that matter to organizations and to define and implement controls with limited in-house capability.

To address these challenges, Microsoft announced a new compliance solution to help organizations meet data protection and regulatory standards more easily when using Microsoft cloud services: Compliance Manager. The preview program, available today, addresses compliance management challenges and:

  • Enables real-time risk assessment on Microsoft cloud services
  • Provides actionable insights to improve data protection capabilities
  • Simplifies compliance processes through built-in control management and audit-ready reporting tools

Image 7 shows a dashboard summary illustrating a compliance posture against the data protection regulatory requirements that matter when using Microsoft cloud services. The dashboard summarizes Microsoft's and your performance on control implementation for various data protection standards and regulations, including GDPR, ISO 27001, and ISO 27018.

Image 7: Compliance Manager dashboard

Having a holistic view is just the beginning. Use the rich insights available in Compliance Manager to go deeper and understand what should be done and improved. Each Microsoft-managed control shows the implementation and testing details, test date, and results. The tool provides recommended actions with step-by-step guidance. It aids better understanding of how to use Microsoft cloud features to efficiently implement the controls managed by your organization. Image 8 shows an example of the insight provided by the tool.

Image 8: Information to help you improve your data protection capabilities

During the recent Microsoft Ignite conference, Microsoft announced the Azure Information Protection scanner. The feature is now available in public preview. It will help to manage and protect significant on-premises data and help prepare our customers and partners for regulations such as GDPR.

We released Azure Information Protection (AIP) to provide the ability to define a data classification taxonomy and apply those business rules to emails and documents. This feature is critical to protecting the data correctly throughout the lifecycle, regardless of where it is stored or shared.

We receive a lot of questions about how Microsoft can help to discover, label, and protect existing files to ensure all sensitive information is appropriately managed. The AIP scanner can:

  • Discover sensitive data that is stored in existing repositories when planning data-migration projects to cloud storage, to ensure toxic data remains in place
  • Locate data that includes personal data and learn where it is stored, to meet regulatory and compliance needs
  • Leverage existing metadata that was applied to files using other solutions

I encourage you to enroll for the preview version of Azure Information Protection scanner and to continue to grow your knowledge about how Microsoft is addressing GDPR and general security with these helpful resources:

About the author:

Daniel Grabski is a 20-year veteran of the IT industry, currently serving as an Executive Security Advisor for organizations in Europe, the Middle East, and Africa with Microsoft Enterprise Cybersecurity Group. In this role he focuses on enterprises, partners, public sector customers and critical infrastructure stakeholders delivering strategic security expertise, advising on cybersecurity solutions and services needed to build and maintain secure and resilient ICT infrastructure.


Minimize cybersecurity risk with Software Asset Management

This post is authored by Patam Chantaruck, General Manager of Worldwide Software Asset Management & Compliance.

By 2021, worldwide cybercrime damage is expected to reach $6 trillion, double what it cost businesses in 2015. Unapproved apps, unmanaged devices, poor password protection, and other security issues are leaving far too many organizations vulnerable to attack. And as organizations embrace digital transformation, it becomes increasingly urgent for them to increase control over their IT infrastructures and reduce security risks.

The question is: where to start?

Driving greater security through software asset management

Software asset management (SAM) is a set of proven IT practices that unites people, processes, and technology to control and optimize the use of software across an organization. SAM is designed to help you control costs, manage business and legal risks, optimize licensing investments, and align IT investments with business needs.

Effective SAM can identify discrepancies between software licenses owned and deployed, thus providing insights into software usage. These insights are then used to devise upgrade plans for each software release that will optimize license use, ensure worthwhile software investments, save money, reduce security risks associated with software piracy, and promote good corporate governance, including management effectiveness and transparency.

Introducing the Microsoft SAM cybersecurity engagement

At Microsoft, we take SAM a step further with our cybersecurity engagement. This comprehensive analysis of your cybersecurity infrastructure, including your current software deployment, usage, and licensing data, helps to ensure that you have the right processes in place to minimize cyber-risk. Through this engagement we also provide prescriptive cybersecurity guidance and best practices, freeing your organization to focus on innovation instead of protection.

A Microsoft SAM cybersecurity engagement will help you:

  • Minimize data loss, fraud, and employee downtime
  • Save money combatting cyberattacks and increasing efficiencies
  • Securely manage software assets and promote reliable cybersecurity practices
  • Build a resilient IT infrastructure that can quickly respond to threats
  • Ensure that you have a secure and effective defense against attacks

What IDC has to say about SAM

IDC has identified SAM as a key component to securing infrastructure and battling cyberattacks and predicts that an increasing number of organizations will rely on SAM practices to reduce risks. Below is a direct quote from The Business Value of Software Asset Management:

Cyberattacks often take advantage of the high vulnerability of end-of-life (EOL) IT systems and/or software that have ceased to receive product updates and security patches from vendor sources. Understanding risk impact is challenging when there is limited or no understanding of where the assets reside and precisely how the assets support the business. To that end, SAM initiatives enable organizations to quickly discover how many devices and applications are in the environment, along with their location and their warranty status, which can significantly reduce unnecessary cost, waste, and cybersecurity risks. Establishing a comprehensive asset management program provides a common source of record, which enables IT to carry out more timely security patches and identify security threats sooner as well as better respond to software audits. Therefore, asset management should be viewed holistically as an essential component of an effective IT infrastructure, service, and cybersecurity management program.

How SAM helped a sugar manufacturer reduce security risks

Here is one example of how Microsoft SAM for cybersecurity is helping customers around the world.

Ranking as the fourth largest sugar manufacturer in the world, Mitr Phol Group wanted to achieve effective SAM and reduce security risks. They moved away from decentralized IT systems to a more consolidated structure, centralizing the organization's software deployments and management. To further increase the value of their established SAM processes, they became the first company in Thailand to conduct SAM for cybersecurity. As a result, they were able to identify and remediate system vulnerabilities and mitigate security risks and threat impacts while protecting their sensitive data.

SAM should be a key part of your security strategy. And Microsoft can help. To learn more, visit to hear how other customers are benefiting. Find a SAM partner near you to help you establish a Software Asset Management practice.


Defending against ransomware using system design

This post is authored by Michael Melone, Principal Cybersecurity Consultant, Enterprise Cybersecurity Group.

Earlier this year, the world experienced a new and highly destructive type of ransomware. The novel aspect of WannaCry and Petya was not their capability as ransomware, but the combination of commonplace ransomware tactics with worm capability to improve propagation.

WannaCry achieved its saturation primarily by exploiting a publicly disclosed and already patched vulnerability in a common Windows service. The vulnerability (MS17-010) affected the Windows Server service, which enables communication between computers using the SMB protocol. Machines infected by WannaCry propagate by connecting to a nearby unpatched machine, performing the exploit, and executing the malware. Execution of the exploit did not require authentication, thus enabling infection of any unpatched machine.

Petya took this worming functionality one step further and additionally introduced credential theft and impersonation as a form of worming capability. These techniques target single sign-on technologies, such as traditional domain membership. This added capability specifically targeted enterprise environments and enabled the malware to use a single unpatched endpoint to springboard into the network, then use the active sessions on that machine to infect other machines regardless of their patch level. To an enterprise, a single unpatched endpoint paired with poor credential hygiene could enable propagation throughout the environment.

Most impersonation and credential theft attacks are possible only when malware obtains local administrator or equivalent authorization to the operating system. For Petya, this would mean successful exploitation of MS17-010, or running under the context of a user with local administrator authorization.

Measuring the value of a user account

To a hacker, an infected or stolen identity is measurable in two ways: the breadth of computers that trust and grant authorization to the account and the level of authorization granted upon successful authentication. Since encryption can be performed by any user account, ransomware benefits most when it infects an account which can convey write authorization to a large amount of data.

In most cases (thus far), the data sought out by ransomware has been either local files or files accessible over a network-attached share: data which the malware can reach using out-of-the-box operating system interfaces. As such, the data encrypted by most ransomware includes files in the user's profile, home directory, or on shared directories where the user has access and write authorization.
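
The write-authorization point above can be turned into a number. The following PowerShell script is an added example (not code from the original post or from Microsoft) that, run on a file server, lists the SMB shares whose share-level permissions grant Change or Full access to broad principals, and optionally measures how much data sits behind them, that is, the worst-case amount one compromised ordinary user account could encrypt. The principal names are assumptions; add your own all-staff groups.

```powershell
# Added example, not code from the original post or from Microsoft.
# On a file server, measures how much shared data one compromised ordinary user account
# could encrypt: lists non-administrative SMB shares whose share-level permissions grant
# write (Change or Full) to broad principals. The principal names are assumptions; add
# your own all-staff groups. Share permissions are only the upper bound (the NTFS ACL
# below may restrict further), so treat the result as the worst case.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')   # assumed

function Get-ShareWriteExposure {
    param([string[]]$Principals, [switch]$MeasureSize)

    $shares = Get-SmbShare | Where-Object { -not $_.Special }   # skip C$, ADMIN$, IPC$
    foreach ($share in $shares) {
        $writers = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in @('Full', 'Change') }

        # Keep only writers whose account name ends in one of the broad principals
        # ("CONTOSO\Domain Users" matches "Domain Users").
        $broad = $writers | Where-Object {
            $acct = $_.AccountName
            [bool]($Principals | Where-Object { $acct -like "*$_" })
        }
        if (-not $broad) { continue }

        $bytes = $null
        if ($MeasureSize) {
            # Walking the tree can be slow on large shares, so this is opt-in.
            $bytes = (Get-ChildItem -Path $share.Path -Recurse -File -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
        }
        [pscustomobject]@{
            Share        = $share.Name
            Path         = $share.Path
            BroadWriters = ($broad.AccountName -join '; ')
            GBExposed    = $(if ($bytes) { [math]::Round($bytes / 1GB, 2) } else { $null })
        }
    }
}

$exposure = Get-ShareWriteExposure -Principals $BroadPrincipals -MeasureSize
$exposure | Format-Table -AutoSize

# One number for the risk register: data any broadly granted account could overwrite.
$total = ($exposure | Measure-Object -Property GBExposed -Sum).Sum
"Total data writable by broad principals: $total GB across $($exposure.Count) shares"
```

Shares that appear in the output are the ones where the "reduce the authorization level of users" recommendation later in the post pays off most: replacing the broad Change grant with a narrower group shrinks the blast radius of any single account without touching the data itself.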

In the case of WannaCry, the identity used by the ransomware was SYSTEM, an effectively unrestricted account from an authorization perspective. Running as SYSTEM, WannaCry had authorization to encrypt any file on the infected machine.

Petya's encryption mechanism required the ability to overwrite the boot sector of the hard drive. The malware then creates a scheduled task to restart the machine at least 10 minutes later, at which point the encryption is performed. This offline encryption mechanism meant that Petya did not destroy network files.
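
The scheduled restart is something a defender can look for during that window. The PowerShell function below is an added example (not code from the original post or from Microsoft) that sweeps a host's scheduled tasks for any whose action runs shutdown with a restart or shutdown switch, and reports the task together with its next run time. It assumes no task names or paths; it matches on the action itself, so it also surfaces legitimate patch tooling, which is why the output is a review list rather than an automatic response.

```powershell
# Added example, not code from the original post or from Microsoft.
# Hunts for scheduled tasks that reboot the machine, the mechanism the post describes
# Petya using to trigger its offline encryption. Intended for a defender's host sweep:
# it lists candidate tasks with their next run time so a responder can disable them and
# keep the running system available for forensics. No task names are assumed; it
# matches on the action itself.
function Find-RebootScheduledTask {
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue
    foreach ($task in $tasks) {
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            # shutdown(.exe) with /r (restart) or /s (shutdown), with or without a path.
            # Legitimate patch tooling can appear too, so review before acting.
            if ($exe -match '(^|\\)shutdown(\.exe)?$' -and $arguments -match '(^|\s)[/-](r|s)(\s|$)') {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    Command  = "$exe $arguments"
                    State    = $task.State
                    NextRun  = $info.NextRunTime
                }
            }
        }
    }
}

$suspects = Find-RebootScheduledTask
$suspects | Format-Table -AutoSize

# Containment choice during an incident: disabling stops the reboot but keeps the task
# definition as evidence (Unregister-ScheduledTask would remove it). Uncomment to apply.
# $suspects | ForEach-Object { Disable-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName }
```

Disabling rather than deleting is the deliberate choice here: the task's author, creation context and command line are part of the incident record, and the boot-sector damage the post describes is only triggered by the restart, so preventing the reboot buys time for imaging.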

Infected machines and worms

Pivoting our focus to the worm aspect of these ransomware variants, the value of an infected host to a hacker is measurable in two ways: the quantity of newly accessible targets resulting from the infection, and the data that becomes available because of it. Malware with worming capability focuses on widespread propagation, so machines that can reach new targets are highly valuable.

To both WannaCry and Petya, a newly infected system offered a means to access previously inaccessible machines. For WannaCry, any potential new targets needed to be vulnerable to MS17-010. Vulnerability gave both malware variants SYSTEM-level authority, thus enabling successful execution of their payload.

Additionally, in the case of Petya, any machine holding reusable credentials in memory furthered its ability to propagate. Petya searches for active sessions on an infected machine and tries to use those sessions to infect machines that may not have been vulnerable to MS17-010. As a result, a single vulnerable endpoint may expose a reusable administrative credential that can be used to infect any potential target which grants that credential the necessary level of authorization.

Codifying the vulnerability

To defend against a ransomware application with worm capability we need to target the following areas:

  • Ransomware

    • Reduce the authorization level of users relative to the operating system of an infected machine
    • Perform backups or versioning of files to prevent loss of data due to encryption, deletion, or corruption
    • Limit authorization to delete or tamper with the data backups

  • Worms

    • Reduce the ability for an infected host to access a potential infection target
    • Reduce the number of remotely exploitable vulnerabilities that provide remote code execution
    • Reduce exposure of reusable credentials relative to the likelihood of a host to compromise

Resolving Concerns through design

Many of the risks associated with ransomware and worm malware can be alleviated through systems design. Referring to our now codified list of vulnerabilities, we know that our solution must:

  • Limit the number (and value) of potential targets that an infected machine can contact
  • Limit exposure of reusable credentials that grant administrative authorization to potential victim machines
  • Prevent infected identities from damaging or destroying data
  • Limit unnecessary risk exposure to servers housing data

Windows 10, BYOD, and Azure AD Join

Windows 10 offers a new management model that differs significantly from traditional domain-joined machines. Azure Active Directory joined machines can still convey identity to organizational resources; however, the machine itself does not trust domain credentials. This design keeps reusable accounts from being exposed to workstations, thus protecting the confidentiality of the credential. Additionally, it limits the impact of a compromised domain account, since Azure AD joined machines will not trust that identity.

Another benefit of Windows 10 with Azure AD is the ability to move workstations outside of the firewall, thus reducing the number of potential targets once infection occurs. Moving endpoints outside the firewall reduces the impact of any workstation threat by reducing the benefits normally gained by compromising a machine within the corporate firewall. As a result, this design exposes fewer server ports to potentially compromised endpoints, thus limiting the attack surface and reducing the likelihood of worm propagation.

Moving workstations outside of the firewall offers added security for the workstation as well. Migrating to a BYOD architecture can enable a more stringent client firewall policy, which in turn reduces the number of services exposed to other hosts, and thus improves the machine's defense against worms and other inbound attacks.
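
To see what "services exposed to other hosts" means on a concrete workstation, the PowerShell function below is an added example (not code from the original post or from Microsoft). It pairs every TCP port listening on all interfaces with the enabled inbound Allow firewall rules that open it and the profiles those rules apply to; nothing about rule names or ports is assumed, everything is read from the host it runs on (run it elevated).

```powershell
# Added example, not code from the original post or from Microsoft.
# Audits what this workstation exposes to neighbouring hosts, which is what a stricter
# client firewall policy is meant to shrink: every TCP port listening on all interfaces
# is paired with the enabled inbound Allow rules that open it and the profiles they apply
# to. Run elevated; no rule names or ports are assumed, everything comes from the host.
function Get-InboundExposure {
    # Listeners bound to a specific address (127.0.0.1, ::1) are not reachable from the LAN.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
        Select-Object LocalPort, OwningProcess -Unique

    # Resolve each enabled inbound Allow rule to its port filter once; this is the slow step.
    $allowRules  = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    $ruleFilters = foreach ($rule in $allowRules) {
        [pscustomobject]@{ Rule = $rule; Filter = ($rule | Get-NetFirewallPortFilter) }
    }

    foreach ($l in $listeners) {
        $port = "$($l.LocalPort)"
        $opening = foreach ($rf in $ruleFilters) {
            $f = $rf.Filter
            # A rule with Protocol 'Any' also admits TCP. Port ranges such as 5000-5010 are
            # not expanded here, so a listener inside a range is reported as not opened.
            if ($f.Protocol -in @('TCP', 'Any') -and
                ($f.LocalPort -contains 'Any' -or $f.LocalPort -contains $port)) {
                $rf.Rule
            }
        }
        [pscustomobject]@{
            Port     = $l.LocalPort
            Process  = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            OpenedBy = ($opening.DisplayName -join '; ')
            Profiles = (($opening.Profile | Sort-Object -Unique) -join ', ')
        }
    }
}

$exposure = Get-InboundExposure
$exposure | Sort-Object Port | Format-Table -AutoSize

# Rows with an empty OpenedBy column are blocked by the default inbound policy; rows whose
# Profiles include Public are reachable from untrusted networks and deserve a second look.
```

Reading the table the way the post frames it: each row with a non-empty OpenedBy column is a service a worm on a neighbouring machine could talk to, and each such row that also lists the Public profile stays reachable after the workstation is moved outside the corporate firewall. The goal of the stricter client policy is to drive both sets toward empty.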

Additionally, most organizations use many laptops which often connect from untrusted locations outside the firewall. While outside the firewall, these machines can connect to untrusted sources, become infected, and then bring the infection inside the firewall the next time they are able to connect to the internal network. This causes confusion when trying to identify the initial infection during an incident response, and potentially exposes the internal network to unnecessary risk.

Consider migrating file shares to OneDrive or Office 365

Migrating data from traditional file shares into a solution such as SharePoint or OneDrive can limit the impact of a ransomware attack. Data stored in these technologies can be placed under version control, thus potentially simplifying recovery. To further protect this data, limit the number of SharePoint users who have administrative authority over the site, to prevent emptying of the recycle bin.

Ensure resilient backups

When an attack occurs, it is crucial to ensure ransomware cannot destroy data backups. Although convenient, online data backups may be subject to destruction during an attack. Depending on design, an online backup solution may trust a stolen reusable single sign-on credential to enable deletion or encryption of backup data. If this occurs, backups may be rendered unusable during the attack.

To prevent this, consider Azure Cloud Backup, a secure off-site backup solution. Azure Cloud Backup is managed through the Azure Portal, which can be configured to require separate authentication, including multi-factor authentication. Volumes used to store backup data reside in Azure and cannot be initialized or overwritten using on-premises domain credentials.


Windows 10 and a BYOD architecture offer significant defense against a variety of cyberattacks, including worms and ransomware. This article covers only some of the protections that Windows 10 offers against credential theft, bootkits, rootkits, and the other malware techniques employed by this class of highly destructive malware.

To better defend your organization against future malware outbreaks:

Categories: Uncategorized Tags:

Learn from leading cybersecurity experts

More than 170K technology and business leaders from across the world depend on Microsoft's Modern Workplace monthly webcast to shed new light on business challenges related to technology. Over the past four years, Modern Workplace has had the world's leading experts share their advice on technology topics such as security, including CISOs, Chief Privacy Officers, Cyber Intelligence Advisors, and Chief Digital Officers. Just in the past year, Modern Workplace security episodes included:

These episodes include more than just security checklists and basics; they go into depth on the decisions business leaders face every day. In the episode on data privacy, Hillery Nye, Chief Privacy Officer at Glympse, explained how the startup made a very conscious decision not to collect data that it could easily have gathered from its real-time location sharing app. The company collects customer data and uses it for very specific purposes, but it never stores or sells that data. The company may have given up some opportunities to monetize its customer data, but Nye feels that the company gains even more by being a responsible corporate citizen and establishing a reputation for privacy. She discussed how a company's brand is affected by its privacy policies, and how businesses can better align their privacy policies with business strategy for long-term success.

The Modern Workplace series has been nominated for four regional Emmy awards because of its creative presentation of diverse perspectives and insights. To learn more about how technology can help drive your business, check out the Modern Workplace episodes on-demand today!


A 4-point action plan for proactive security

It can be difficult these days to make sense of all the potential ways you could step up your security. But with automated attacks moving faster and faster, many organizations are feeling a real need to change their approach and get more proactive about security.

Should you focus on endpoint detection and response (EDR)? Should you deploy multi-factor authentication (MFA) to control access to all your corporate resources? Or do you need to control your cloud apps and infrastructure more closely with a cloud access security broker (CASB)? Should your first step be deploying data loss prevention (DLP)?

If you're feeling a little confused about where to start, join us for our webinar: A 4-point action plan for proactive security. We'll share how Microsoft approaches security and how you can cut through the confusion to prioritize a few projects that will have real impact on your level of protection.


Event recap: Security at Microsoft Ignite

Microsoft Ignite recently gathered 24,000+ attendees from around the world in Orlando, FL. CEO Satya Nadella kicked off an exciting week with his Vision Keynote by articulating how we enable digital transformation, specifically through empowering employees, engaging customers, optimizing operations, and finally through transforming products.

Commitment to security, privacy, and transparency

At the event, Microsoft reaffirmed its commitment to security, privacy, and transparency to its customers and partners across all four main solution areas: Modern Workplace, Business Applications, Applications & Infrastructure, and Data & Artificial Intelligence. Julia White explained Microsoft's approach to security during her session, Microsoft 365: Step up your protection with intelligent security.

Learnings from our customers and partners

During the event, the Microsoft team had the privilege of engaging in 410,000 unique interactions within the Expo. In addition, 8,000+ labs were consumed, and the program included 54 sessions: two general sessions, 40 breakout sessions across the CE, Windows and Office 365 tracks, and 12 theater sessions. Our top three security takeaways were:

  1. Build awareness of Microsofts commitment to security and privacy
  2. Early and frequent product updates communications
  3. Transparency from Microsoft equates to trust from customers

Key security related sessions to check out

The key security sessions we recommend are based entirely on feedback from the customers and partners who attended them. Please take a moment to watch them and learn new ways to improve the security posture of your organization.

On demand access to content

All breakout sessions and general sessions were recorded for on demand viewing. These recordings are now available at Microsoft Ignite on demand sessions. Please continue to share this link with your customers and partners. Labs will be available for 6 months through MyIgnite.


Microsoft Ignite was a fantastic week for all who attended. We not only shared product visions, but also listened and learned from engagements with customers and partners. With continued advances in our security offerings and better ways for partners to build a more modern, collaborative and secure work environment, it will be an exciting year for security.


Cybersecurity in a modern age

By 2021, worldwide cybercrime damage is expected to reach $6 trillion, double what it cost businesses in 2015. As digital transformation sweeps the globe, the threat of cybercrime grows alongside it. As a result, new techniques in cybersecurity must be developed at a growing rate to keep pace.

Digital-first is the new business frontier, and if we want to keep this landscape a safe space to store and share information, we must be able to quickly identify opportunities to bolster security and adapt to evolving threats. Microsoft's cloud technology offers organizations the tools to advance security, enhance government compliance, improve security education, and enable industry collaboration to shut down new threats. Microsoft is creating a new path toward digital transformation in a secure space.

Through cloud technologies, IT professionals now have advanced tools at their fingertips that provide real-time visibility into cybersecurity and the ability to proactively thwart threats before they become an issue. As more organizations move to the cloud, management of security risks can occur in real time. This real-time action on cyber threats helps create cost efficiency, and allows for frequent and seamless updates without reconfiguration, giving IT leaders the upper hand in staying compliant with regulatory guidelines.

With cloud-based technology come real solutions in data loss prevention. IT professionals are using the cloud to secure employee data in new and highly effective ways. Through improved cloud encryption capabilities, organizations can better help protect sensitive information in motion and at rest. Even if cybercriminals are able to breach your network and bypass the first lines of cyber defense, encryption helps keep organizational data from falling into unauthorized hands. Additionally, advanced measures like multi-factor authentication (MFA) and Single Sign-On (SSO) provide additional layers of security by ensuring only those with the proper credentials are able to gain access to information and company platforms. These solutions and innovations in tech security are just the beginning.

With the advent of new technology and the digitization of how IT experts and professionals communicate, a quicker dissemination of knowledge can occur in a collaborative space. Experts can share and explore new ideas and concepts to quickly improve upon cloud technology and how to best address security concerns. By partnering up, industries are able to break new ground on how to secure information, share information, and revolutionize the way government, private enterprise, education systems, and average people navigate a digitally transforming world.

Ready to discover how Microsoft technology is transforming security for a digital-first, cloud-first world, and participate in interactive sessions led by subject matter experts? Microsoft is hosting a series of Security Forums in cities across the United States to demonstrate how organizations can use the latest technology to update and improve their cybersecurity efforts. We invite you to join your fellow IT professionals alongside Microsoft experts to discuss new ways to address evolving cyber threats. Find out how your business can use the power of the cloud to boost security, and get a firsthand look at what Microsoft has to offer.

For more information, including locations near you and a full event calendar, visit the Microsoft Security Forum events page. Don't delay, as seats are limited. Register now to save your spot!


Microsoft and Progeny Systems enhance security for mobile applications across U.S. Government

In our mobile-first, cloud-first world, security is paramount for organizations of any size. It is especially critical to applications used across the U.S. Government, which is why we are working with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems to enhance mobile application security.

In support of the broader federal initiative to enable access to quality digital government information and services anywhere, anytime, on any device, Progeny will build a mobile application development security framework for iOS, Android and Windows apps that will be used across several US Government agencies, both for public facing and internal enterprise use cases. This framework will broadly enable developers across the United States Government to focus on building mobile apps that provide business value, with the confidence that security is built in.

The cross-platform, native approach using Visual Studio, the open-source .NET framework, and the Xamarin platform will enable developers to build higher quality apps that are fully compliant with the National Information Assurance Partnership (NIAP) mobile app vetting standards, the National Institute of Standards and Technology (NIST) SP 800-163 guidance and the Department of Homeland Security's Mobile Application Playbook. Utilizing Microsoft's leading mobile application development tools, the framework will support mobile apps built to run on-premises and on any cloud platform, including government-only clouds such as Azure Government, which meet critical government regulatory compliance requirements.

"I'd like to congratulate the Department of Homeland Security Science and Technology Directorate for their commitment to addressing the mandates of both security and mobility for their stakeholders," said Greg Myers, Microsoft Vice President of Federal. "We look forward to partnering with DHS and ultimately, by bringing mobile, secure, and compliant technology solutions, helping them fulfil their critical mission."

Microsoft's latest award from the DHS comes on the heels of several related public sector certifications and big data and analytics enhancements to our leading mobile apps and security. It also builds on our current work with the Department of Veterans Affairs and Applied Research Associates, whose Instant Notification System enables the U.S. government's Combating Terrorism and Threat Support Office's Tactical Support Working Group (TSWG) to quickly and effectively notify team members about suspicious packages or events over commercially available networks.

You can read more about our mobile application security work with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems in their news release. For details on Microsofts leadership in mobile application development, visit Gartners Magic Quadrant report.


Easily create securely configured virtual machines

This blog post is authored by Jonathan Trull, Chief Security Advisor, Enterprise Cybersecurity Group.

While a securely configured operating system is essential to repelling today's cyber attacks, the base images provided by vendors do not come pre-hardened and require significant research, expertise, and proper configuration by the customer. To make it easier for Microsoft customers to deploy secured virtual machines out of the box, I am excited to share the recent availability for purchase of hardened virtual machine images within Azure, based on the partnership between Microsoft and the Center for Internet Security (CIS). CIS is a non-profit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks. Hardened images are virtual machine images that have been hardened, or configured, to be more resilient to cyber attacks. These images are available in the Azure Marketplace and can be used by Azure customers to create new, securely configured virtual machines.

Establishing and maintaining the secure configuration of an entity's IT infrastructure continues to be a core tenet of information security. History has shown that the misconfiguration or poor configuration of laptops, servers, and network devices is a common cause of data breaches. Global standards, governments, and regulatory bodies have also highlighted the importance of establishing and maintaining secure configurations, and in many cases have mandated their use because of their effectiveness. I have included a few of the most relevant and wide-ranging examples in the table below.

Source | Control | Reference
Center for Internet Security | Critical Security Controls | CIS Control 3: Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
Australian Signals Directorate | Strategies to Mitigate Cyber Security Incidents | User Application Hardening; Server Application Hardening; Operating System Hardening
US NIST | Cyber Framework | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
Payment Card Industry | | Build and maintain a secure network and systems

Accessing and Deploying CIS Hardened Images

To view the CIS hardened images, log in to the Azure portal and navigate to the Marketplace. You can then search for and filter on Center for Internet Security. As you can see below, there are hardened images for many of the common operating systems, including Windows Server 2012, Oracle Linux, and Windows Server 2016.

From within the Marketplace blade, you can then select the appropriate image and click Create to start the deployment within the portal, or get further details on deploying the image programmatically. Below is an example showing the start of a deployment of a new CIS hardened Windows Server 2016 image.

The hardened images are configured based on the technical specifications established in the related benchmark. These benchmarks are freely available on the CIS website in PDF format.

The CIS benchmarks contain two levels, each with slightly different technical specifications:

  • Level 1: Recommended minimum security settings that should be configured on any system; they should cause little or no interruption of service or reduced functionality.
  • Level 2: Recommended security settings for highly secure environments; they could result in some reduced functionality.

Prior to deploying one of the CIS hardened images, it is important for the administrator to review the benchmark's specifications, ensure they conform to the company's policies, procedures, and standards, and perform sufficient testing before deploying to a production environment.
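The programmatic path mentioned above, as an added example that is not part of the original post: enumerate the CIS offers and SKUs in the Marketplace with the Az PowerShell module, accept the Marketplace terms (a paid third-party image is rejected without them), and build a VM config that carries the plan information. The publisher ID, the offer and SKU names, the resource group, the NIC name and the VM size are assumptions; take the real offer and SKU (Level 1 or Level 2 benchmark) from the output of the first step.

```powershell
# Added example: deploy a CIS hardened image from the Azure Marketplace with Az PowerShell.
# Assumptions: publisher ID for CIS, offer/SKU names, an existing resource group and NIC.
# Requires Connect-AzAccount to have been run first.
$location  = 'eastus'
$publisher = 'center-for-internet-security-inc'   # assumed Marketplace publisher ID for CIS
$rg        = 'rg-hardened'                        # assumed existing resource group

# 1. Discover which CIS offers and SKUs exist in this region (pick one from this list).
$offers = Get-AzVMImageOffer -Location $location -PublisherName $publisher
foreach ($o in $offers) {
    Get-AzVMImageSku -Location $location -PublisherName $publisher -Offer $o.Offer |
        Select-Object Offer, Skus
}

# 2. Resolve the newest version of the chosen offer/SKU (names below are assumptions).
$offer = 'cis-windows-server-2016-v1-0-0'
$sku   = 'cis-ws2016-l1'                          # assumed Level 1 SKU
$image = Get-AzVMImage -Location $location -PublisherName $publisher -Offer $offer -Skus $sku |
         Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1

# 3. Marketplace terms must be accepted once per subscription or the deployment fails.
$terms = Get-AzMarketplaceTerms -Publisher $publisher -Product $offer -Name $sku
if (-not $terms.Accepted) {
    Set-AzMarketplaceTerms -Publisher $publisher -Product $offer -Name $sku -Accept | Out-Null
}

# 4. Build the VM: Set-AzVMPlan is mandatory for third-party images, otherwise ARM rejects the VM.
$cred = Get-Credential -Message 'Local administrator for the new VM'
$nic  = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-cis-ws2016'   # assumed existing NIC

$vm = New-AzVMConfig -VMName 'cis-ws2016-01' -VMSize 'Standard_D2s_v3' |
      Set-AzVMOperatingSystem -Windows -ComputerName 'cis-ws2016-01' -Credential $cred -ProvisionVMAgent -EnableAutoUpdate |
      Set-AzVMSourceImage -PublisherName $publisher -Offer $offer -Skus $sku -Version $image.Version |
      Set-AzVMPlan -Publisher $publisher -Product $offer -Name $sku |
      Add-AzVMNetworkInterface -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm
```

Pinning `-Version` to the value resolved in step 2 rather than `latest` keeps a deployment reproducible and lets the benchmark version that was tested be the one that reaches production.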

CIS is working to release additional, hardened images, so check the Azure Marketplace for new updates.


What Am I Missing? How to see the users you’re denied from seeing

This blog post is authored by Michael Dubinsky, Principal PM Manager, Microsoft ATA / Azure ATP.

Recently Andy (@_wald0) and Will (@harmj0y), who are amazing contributors to the security community, published the whitepaper An ACE Up the Sleeve: Designing Active Directory DACL Backdoors.

In this whitepaper they discuss different methods which can be used by attackers to remain persistent and stealthy in the environment to avoid detection.

In general, this is a very important goal for an attacker and is a big part of a successful mission performed either by a nation state or by a hacker group.

Specifically, in the whitepaper Andy and Will mention the option of setting a Deny ACE on an object created by the attacker. This causes the object to become invisible: it is not returned by LDAP queries to Active Directory, so it is never seen (or monitored) by the service accounts used by monitoring solutions.

This does sound like an issue, as denying permissions to a Domain Admin principal (or the Everyone principal, for that matter) will cause an object to become invisible. A cool idea indeed.

So, this made me think: is there a way we can identify all the objects to which I don't have permissions?

Sounds like a tough task; however, after going through some of the possible resolution APIs together with the ATA security research team, Marina came across this statement in the documentation for LsaLookupSids:

There is no access check that would require the caller to be able to read the SID or account name to perform the mapping.

Now that we've found a method to query a SID and get a result regardless of the ACL, we can verify whether the object exists.

The next step is to determine whether it is a permissions issue. To do so, we compare the result of this API with the result of the LDAP query.

If LsaLookupSids returns a result while the LDAP query fails, that means one thing (after cleaning up several bugs related to SIDHistory): we don't have permissions on the object!

I've made a small PowerShell script to demonstrate this capability. The script enumerates all RIDs in a specific domain and compares the LDAP result to the LsaLookupSids result to see what I am missing.

The script can be found at

This should make discovering ACL hidden objects a little bit easier.
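The comparison described above, as an added example that is not the author's script: walk a RID range, resolve each candidate SID through `SecurityIdentifier.Translate()` (which calls LsaLookupSids and therefore ignores the object's DACL), and report every principal that resolves but that an LDAP search for the same SID does not return. The LDAP filter also matches sIDHistory so that a SID surviving only as history is not misreported as hidden, which is the SIDHistory pitfall the post mentions. The RID bounds are assumptions; run it on a domain-joined host as the account whose view you want to test.

```powershell
# Added example (not the original script): find AD principals hidden from the caller by a Deny ACE.
# Assumptions: RID range below; the domain is the one the host is joined to.
param(
    [int]$StartRid = 1000,   # RIDs below 1000 are well-known/builtin accounts
    [int]$EndRid   = 5000    # assumed upper bound; widen it for large domains
)

# Domain SID, read from the domain root object (readable by any authenticated user).
$domainDn   = ([adsi]'LDAP://RootDSE').defaultNamingContext
$rootSearch = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainDn")
$rootSearch.SearchScope = 'Base'
$rootSearch.Filter = '(objectClass=domain)'
$rootSearch.PropertiesToLoad.Add('objectSid') | Out-Null
$sidBytes  = [byte[]]$rootSearch.FindOne().Properties['objectsid'][0]
$domainSid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value

function Test-LdapVisible {
    # Subject to the object's DACL: with a Deny ACE for the caller, FindOne() returns nothing.
    # sIDHistory is included so a SID that only survives as history is not flagged as hidden.
    param([string]$Sid)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainDn")
    $searcher.Filter = "(|(objectSid=$Sid)(sIDHistory=$Sid))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    return ($null -ne $searcher.FindOne())
}

function Resolve-SidViaLsa {
    # SecurityIdentifier.Translate() goes through LsaLookupSids, which performs no access check.
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null   # no principal owns this RID
    }
}

$hidden = foreach ($rid in $StartRid..$EndRid) {
    $sid  = "${domainSid}-${rid}"
    $name = Resolve-SidViaLsa -Sid $sid
    if ($null -eq $name) { continue }                 # nothing exists with this RID
    if (-not (Test-LdapVisible -Sid $sid)) {
        # Exists according to LSA, invisible over LDAP: the caller is denied read on it.
        New-Object PSObject -Property @{ RID = $rid; SID = $sid; Account = $name }
    }
}

$hidden | Sort-Object RID | Format-Table RID, Account, SID -AutoSize
```

Run it under the same service account your monitoring product uses; anything it lists is an object that product cannot see, which is precisely the attacker's goal in the whitepaper.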


SharePoint and OneDrive: security you can trust, control you can count on

This post is authored by Bill Baer, Senior Product Marketing Manager, SharePoint and OneDrive Team.

In today's complex and regulated environment, businesses need to focus on building more secure solutions that deliver value to their customers, partners, and shareholders, both in the cloud and on-premises.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint and OneDrive more secure for users, by implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

SharePoint and OneDrive are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint and OneDrive. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint and OneDrive allow your organization to go beyond its regular business rhythms and be more nimble in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they're working while sharing and collaborating in real time. And you control and own your data while Microsoft takes care of it. Explore the many options SharePoint and OneDrive provide to secure you and your information, and then read our eBook Securing your content in the new world of work with SharePoint and OneDrive.

For businesses, the time is now to reevaluate security practices. In the modern communications and collaboration landscape, connectivity is ubiquitous and the ability to work remotely has become an ingrained part of work practice. People have come to expect to be able to access email and documents from anywhere on any device, and for that experience to be seamless.

While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today's mobile-first world, where the threat landscape is increasingly complex and sophisticated.

We know that data loss is non-negotiable, and overexposure of information can have legal and compliance implications. SharePoint and OneDrive provide a broad array of features and capabilities designed to keep your sensitive information sensitive, with investments across our security and compliance principles, including compliance tools that span on-premises servers and Office 365, while balancing control with user self-service.

The rapidly changing security landscape means that your organization's content, its knowledge, is being shared more broadly and accessed from more devices and more locations than ever before. We're committed to the security, privacy, and compliance of your data, and we continuously innovate intelligent ways to protect your content and to empower you to govern and manage information. Last month we announced label-based classification for information management policies, which enables more dynamic governance of content across SharePoint, Exchange, Skype, and Microsoft Teams. We're continuously working to ensure that content usage adheres to corporate policy, defending your organization from today's growing and evolving advanced threats.

To learn more about security and compliance with SharePoint and OneDrive:


Announcing support for TLS 1.1 and TLS 1.2 in XP POSReady 2009

This post is authored by Arden White, Senior Program Manager, Windows Servicing and Delivery.

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft, we are announcing that support for TLS 1.1/TLS 1.2 on Windows Embedded POSReady 2009 and Windows Embedded Standard 2009 is available for download as of October 17, 2017. We're offering this support in recognition of our customers' strong demand for these newer protocols in their environments.

This update for Windows Embedded POSReady 2009 and Windows Embedded Standard 2009 includes support for both TLS 1.1 and TLS 1.2. For application compatibility purposes, these protocols are disabled by default, in the same manner that TLS 1.1/TLS 1.2 support was disabled by default in Windows 7 and Windows Server 2008 R2. After downloading and installing the update, these protocols can be enabled by setting the registry keys described in KB4019276.

This update is being made available on the following timeline:

Release Date | Channels | Classification
October 17, 2017 | Microsoft Catalog |
January 16, 2018 | Windows Update/WSUS/Catalog | Optional
February 13, 2018 | Windows Update/WSUS/Catalog | Recommended
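The enable step after the update is installed, as an added example that is not taken from the post or from KB4019276: a script that sets the SCHANNEL protocol keys and reads the effective state back. It assumes the standard SCHANNEL layout (`Protocols\<version>\Client` and `\Server` with `Enabled` and `DisabledByDefault` DWORDs); confirm the exact values against KB4019276 before rolling it out. It is written for PowerShell 2.0, the newest version available on this OS family, must run elevated, and the change takes effect after a reboot.

```powershell
# Added example: enable TLS 1.1/1.2 in SCHANNEL on POSReady 2009 / Embedded Standard 2009
# after installing the update. Key layout is an assumption; verify against KB4019276.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [string]$Protocol,   # e.g. 'TLS 1.2'
        [bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 allows the protocol; DisabledByDefault=0 lets callers use it without opting in.
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enabled)        -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -Type DWord
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side. A null value means the key is absent and the OS default
    # applies; on this platform that default is "off" for TLS 1.1 and TLS 1.2.
    param([string[]]$Protocols)
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $p) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            New-Object PSObject -Property @{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

# Turn the newer protocols on for both the client and server roles.
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Show the full picture, including the legacy protocols you may now want to turn off.
Get-SchannelProtocolState -Protocols 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' |
    Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

Enable first, confirm the applications that matter negotiate TLS 1.2, and only then call `Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false`; disabling the old protocol before the new one is proven working is how a point-of-sale fleet loses connectivity.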


Advanced Threat Analytics security research network technical analysis: NotPetya

This post is authored by Igal Gofman, Security Researcher, Advanced Threat Analytics.

On June 27, 2017, reports of a new variant of the Petya malware (later referred to as NotPetya) began spreading across the globe. The malware's initial infection appears to have been delivered via the update service of "M.E.doc", a Ukrainian finance application. Based on our investigation so far, the propagation steps executed by the malware can be considered sophisticated and well tested. The malware distributes itself as a DLL file, spreading over internal networks using several lateral movement techniques.

This blog post focuses on the network behavior of NotPetya and the techniques it uses to propagate in the network. This is ongoing research, and we'll update with additional findings as they become available.

Malware Propagation Flows

Delivery & Initial execution

The malware is delivered via the “M.E.doc” service to infect the first endpoint.

The malware executes and extracts the relevant components to disk. These include:

  1. PsExec, a remote execution tool.
  2. A credential dumping tool.

More information on these steps can be found at the Windows Security blog.


Discovery: the internal network is probed using multiple methods to identify workstations and domain controllers. These include:

  • The LANMAN NetServerEnum2 API, used to get information about workstations and domain controllers.
  • Probing ports 139 and 445 on other endpoints.
  • If a domain controller is accessible, the malware queries its DHCP service to enumerate the DHCP subnets.
  • If DHCP subnets are discovered, the malware continues its discovery against those subnets as well.

Reconnaissance example – NetServerEnum2

In the screenshot above, we can see the NetServerEnum2 call made by the infected machine. The response includes the domain controller and a list of all known workstations.

Lateral Movement

To spread itself on the network, the malware tries to access the administrative share (ADMIN$) on each target.

  • If the SeDebugPrivilege privilege is obtained (step 2), a credential dumping tool is used to recover additional user credentials from local memory.
  • Our lab tests have shown that, in addition to the current account session, only one additional user is used by the malware to probe remote hosts. The malware appears to ignore dumped users whose sessions were created with new credentials (logon type 9, as produced by runas /netonly). Moreover, only one user (the last one in memory) seems to be used to probe the destination host.
  • Each target endpoint is accessed using multiple authentication protocols, such as NTLM and Kerberos over GSSAPI (SPNEGO). The credentials used for access are:

    • Current user context, under which the malware is running.
    • Successfully dumped credentials (if available).

In the screenshot below, we can see multiple CIFS ticket requests performed by the malware on behalf of the dumped user. Such broad, abnormal access attempts will be detected by Microsoft Advanced Threat Analytics (ATA) abnormal behavior detection. Based on previously learned user behavior, the detection mechanism recognizes and alerts on the abnormal resource access performed by the malware using the compromised credentials.

Multiple TGS-REQ

In the screenshot above, we can see multiple CIFS ticket requests.

Example of abnormal user access – ATA

Remote Execution

If access to the administrative share is obtained, the malware copies itself to the target host and executes it remotely using PsExec and WMIC.

Malware Copy

PSEXEC Service creation

In the screenshot above, the infected host creates the PsExec service (PSEXESVC) on the target.

Exploitation (optional)

If all of the propagation steps above fail, the malware tries one of the SMB exploits patched by MS17-010.

Available SMB Exploits:

  1. EternalBlue (CVE-2017-0144)
  2. EternalRomance (CVE-2017-0145)

The above steps are performed simultaneously, using multiple threads, and run against each target host. For further information regarding SMB exploit mitigation, the malware's encryption steps and the initial infection stage, please refer to the Petya worm capabilities blog post.

The spreading capabilities used by the NotPetya malware introduce a new level of sophistication when executing lateral movement.

Detection and mitigation

Microsoft Advanced Threat Analytics allows customers to detect and investigate a variety of advanced techniques, including the lateral movement technique used by NotPetya.

ATA detects this type of lateral movement as abnormal resource access, given the broad scanning performed by the compromised account as it attempts to reach additional endpoints on the subnet.
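A plain-PowerShell version of that detection, as an added example that is not ATA's logic and not part of the original analysis: on a domain controller each CIFS ticket request the malware makes is recorded as Security event 4769 with a `cifs/<host>` service name, so an account requesting tickets for an unusually large number of distinct hosts inside a short window is the signal. The events below are constructed to mimic the TGS-REQ screenshot (one normal user, one dumped service account fanning out to 40 workstations); the threshold, window and the 4769 property indexes used to read live events are assumptions to verify in your environment.

```powershell
# Added example: flag accounts that request CIFS service tickets for many distinct hosts
# in a short window (the NotPetya lateral-movement pattern). Sample events are constructed.
function Find-CifsTicketBursts {
    param(
        [object[]]$Events,
        [int]$MaxDistinctHosts = 10,   # assumed threshold: tune per environment
        [int]$WindowMinutes    = 5
    )
    $cifs = @($Events | Where-Object { $_.ServiceName -like 'cifs/*' })
    foreach ($group in ($cifs | Group-Object TargetUserName)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window anchored on each request: count distinct target hosts that follow it.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            $hosts = @($inWindow | ForEach-Object { ($_.ServiceName -split '/')[1].ToLower() } | Sort-Object -Unique)
            if ($hosts.Count -gt $MaxDistinctHosts) {
                New-Object PSObject -Property @{
                    Account     = $group.Name
                    SourceIp    = $sorted[$i].IpAddress
                    WindowStart = $start
                    HostCount   = $hosts.Count
                    Hosts       = ($hosts -join ',')
                }
                break   # one alert per account is enough for triage
            }
        }
    }
}

# --- Constructed sample: normal user activity plus a worm-style fan-out ---
$t0 = Get-Date '2017-06-27 10:30:00'
$sample = @()
$sample += New-Object PSObject -Property @{ TimeCreated = $t0;               TargetUserName = 'alice'; ServiceName = 'cifs/fileserver01.contoso.local'; IpAddress = '10.0.0.21' }
$sample += New-Object PSObject -Property @{ TimeCreated = $t0.AddMinutes(3); TargetUserName = 'alice'; ServiceName = 'cifs/fileserver01.contoso.local'; IpAddress = '10.0.0.21' }
foreach ($n in 1..40) {
    # A dumped service account requesting a ticket for a different workstation every 3 seconds.
    $sample += New-Object PSObject -Property @{
        TimeCreated    = $t0.AddSeconds(3 * $n)
        TargetUserName = 'svc-backup'
        ServiceName    = ('cifs/ws{0:D3}.contoso.local' -f $n)
        IpAddress      = '10.0.0.15'
    }
}

Find-CifsTicketBursts -Events $sample | Format-Table Account, SourceIp, HostCount, WindowStart -AutoSize

# On a live domain controller, feed real 4769 events instead (property indexes assumed;
# confirm against one event in Event Viewer before relying on them):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ForEach-Object {
#     New-Object PSObject -Property @{ TimeCreated = $_.TimeCreated; TargetUserName = $_.Properties[0].Value
#                                      ServiceName = $_.Properties[2].Value; IpAddress = $_.Properties[6].Value } }
# Find-CifsTicketBursts -Events $live
```

With the sample data only `svc-backup` is reported (40 hosts from 10.0.0.15); `alice` never exceeds one distinct host. The constant-rate fan-out from a single source IP is the same shape ATA raises as abnormal resource access, and the source IP is the host to isolate first.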

There are several ways customers can detect and prevent NotPetya from impacting their environment.

First, we strongly recommend that customers who have not yet installed security update MS17-010 do so as soon as possible. If applying the patch is not possible, disable SMBv1 on the corporate network.
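The SMBv1 fallback step, as an added example that is not part of the original post: audit whether a host still offers or speaks SMBv1, then turn it off on both the server and client side. The server cmdlets exist from Windows 8 / Server 2012 onward; the registry and sc.exe branches cover Windows 7 / Server 2008 R2 (on Windows 10 / Server 2016 you can alternatively remove the SMB1Protocol optional feature). Run elevated and reboot for the client change to be fully effective.

```powershell
# Added example: check and disable SMBv1 (server and client roles) on a Windows host.
# Which branch applies depends on the OS version; both are assumptions stated in comments.
function Get-Smb1State {
    $server = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: the LanmanServer 'SMB1' value; absent means enabled.
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $server = ($null -eq $p.SMB1 -or $p.SMB1 -ne 0)
    }
    # Client side: SMBv1 is spoken as long as the mrxsmb10 redirector driver is allowed to start.
    $mrx = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $client = ($null -ne $mrx -and $mrx.Start -ne 4)   # 4 = SERVICE_DISABLED
    New-Object PSObject -Property @{ ServerSmb1 = $server; ClientSmb1 = $client }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Value 0 -Type DWord
    }
    # Client: drop mrxsmb10 from the workstation service's dependencies, then disable the driver.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

Write-Host 'Before:'; Get-Smb1State | Format-List
Disable-Smb1
Write-Host 'After:';  Get-Smb1State | Format-List
```

Audit before you disable: `Get-Smb1State` run across the fleet tells you which hosts still depend on SMBv1 (typically old printers, NAS appliances and scanners), and those need a plan before the switch is thrown, since disabling the client side breaks their shares rather than the malware.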

Second, we recommend that you verify good credential hygiene. To learn more, read the following article about protecting high value assets with secure admin workstations.

Additional Resources




New Microsoft 365 features to accelerate GDPR compliance

This post is authored by Alym Rayani, Director Office 365 Security. 

New capabilities in Microsoft 365 help simplify your GDPR compliance journey

Today we made several Microsoft 365 security and compliance announcements and updates as part of the news from the Microsoft Ignite conference. I wanted to share how these new capabilities provide customers with a more complete and protected solution to simplify their journey to compliance with the General Data Protection Regulation (GDPR).

Earlier this year, we brought together Office 365, Enterprise Mobility + Security, and Windows into a single, always-up-to-date solution called Microsoft 365, relieving organizations of much of the cost of multiple, fragmented systems that were not necessarily designed to be compliant with modern standards. These announcements at Ignite add to the extensive capabilities that organizations are already using to secure and manage their data, users, and devices.

A platform you can trust, and verify

We understand that organizations with GDPR responsibilities will have additional needs to demonstrate compliance, and we’re investing in tools to help them achieve those goals.

Microsoft 365 users enjoy built-in security and compliance for the apps, services, and devices that they use every day. Microsoft has a long history of transparency, defense-in-depth, and privacy-by-design that enabled us to be the first enterprise cloud services provider to implement the rigorous controls needed to earn approval for the EU Model Clauses, the first to achieve the ISO 27018 cloud privacy standard, and the first to offer contractual commitments to the GDPR.

Introducing Compliance Manager – We understand that achieving your organizational compliance goals can be very challenging. It’s hard to stay up-to-date with all the regulations that matter to your organization, and to define and implement the controls.

We’re pleased to introduce Compliance Manager, a new compliance solution that helps you to manage your compliance posture from one place. Compliance Manager enables you to conduct real-time risk assessment, providing one intelligent score that reflects your compliance performance against data protection regulatory requirements when using Microsoft cloud services.

You will also be able to use the built-in control management and audit-ready reporting tools to improve and monitor your compliance posture. Read our Tech Community Blog to learn more about Compliance Manager, and sign up for the preview program, which will be available starting in November.

Example of Compliance Manager dashboard

General availability of service encryption with Customer Key – We’re announcing the availability of service encryption with Customer Key, which can help regulated customers demonstrate additional compliance controls by managing the encryption keys for their Office 365 data. Here is an example of how Customer Key works in SharePoint Online:

Simplify how you govern data

Organizations face ever-increasing quantities of complex electronic data. Gaining control over this data overload so that you know what to keep and can find what’s relevant – when you need it – is critical for both security and compliance purposes. Today we are introducing several new features which further enhance the already rich set of capabilities available with Microsoft Information Protection and Advanced Data Governance.

Companies of all sizes and industries need to protect their sensitive data and ensure that it doesn’t get into the wrong hands. Employees are using more SaaS apps, creating more data, and working across multiple devices. While this has enabled people to do more, it has also increased the risk of data loss – it is estimated that 58% of workers have accidentally shared sensitive data with the wrong person.

Microsoft’s Information Protection solutions help you identify, classify, protect and monitor your sensitive data – as it is created, stored, or shared. We made several investments across our information protection solutions – helping provide more comprehensive protection across the data lifecycle. A key part of our vision is to provide a more consistent and integrated classification, labeling, and protection approach across our information protection technologies, enabling persistent protection of your data – everywhere. Microsoft Cloud App Security now deeply integrates with Azure Information Protection to classify and label files that reside in cloud applications.

Advanced Data Governance enhancements, including event-based retention in Office 365 Advanced Data Governance, allow customers to create events which trigger the retention period of data in Office 365, so that retention consistently complies with internal business requirements. Disposing of data in a defensible manner allows organizations to effectively reduce their security and compliance risks. This feature is currently in the standard Office 365 Universal Preview Program and available for you to try.

New Multi-Geo Capabilities in Office 365 enable a single tenant to span multiple Office 365 datacenter geographies (geos) to store data at-rest and on a per-user basis in customer specified geos. Multi-Geo helps customers address organizational, regional, and local data residency requirements and enables modern collaboration experiences for their globally dispersed employees. Learn more about Multi-Geo.

Also, we are announcing the general availability of improvements to Office 365 message encryption, which makes it easier to share protected emails with anybody – inside or outside of your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail,, and

Use intelligent tools to better discover and control your data

Many organizations are evaluating how to find and protect the personal data they collect. With the explosion of data and its increasing value – many organizations cannot adequately manage their assets with traditional manual processes.

Unfortunately, even once you know where all the data is and how it should be managed, you must constantly ensure it is protected from threats. The GDPR requires that organizations take appropriate measures to prevent unauthorized access or disclosure and notify stakeholders in the case of a breach. Today, on average, an attack persists in an environment for over 90 days before it is detected. Microsoft continues to invest in tools that help detect attacks sooner and then remediate, as well as in pre-breach attack prevention tools.

Analysis of non-Office 365 data with Advanced eDiscovery: While the amount of data being generated and stored in Office 365 is growing at an exponential rate, many organizations still have data in legacy file shares and archives. Data is also being generated in other cloud services which may be relevant for an eDiscovery case surrounding a Data Subject Request. Analysis of non-Office 365 data allows organizations to import the case-specific copy of such data into a specifically assigned Azure container and analyze it using Office 365 Advanced eDiscovery. Having one eDiscovery workflow for both Office 365 and non-Office 365 data provides organizations with the consistency they need to make defensible decisions across the entire data set of a case.

This feature is currently in preview and requires an Advanced eDiscovery license for each user whose data is being analyzed. Later this year, in addition to Advanced eDiscovery licenses this feature will require the purchase of the eDiscovery Storage plan for all non-Office 365 data imported into the specifically assigned Azure container for analysis by Advanced eDiscovery. The eDiscovery Storage plan comes in increments of 500GB of storage and is priced at $100 per month.

Example of Advanced eDiscovery

To better protect your users against threats, we also improved our anti-phishing capabilities in Office 365 Advanced Threat Protection, with a focus on mitigating content phishing, domain spoofing, and impersonation campaigns. Office 365 Advanced Threat Protection is also expanded to help secure SharePoint Online, OneDrive for Business, and Teams. In Windows, we added Windows Defender Application Control, which is powered by the Microsoft Intelligent Security Graph to make it less likely that malicious code can run on the endpoint.

On the post-breach detection side, we announced the limited preview of a brand-new service – Azure Advanced Threat Protection for users – that brings our on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Finally, as previously announced earlier in the month, Windows Defender Advanced Threat Protection is integrating Hexadite’s AI technology to automatically investigate new alerts, determine the complexity of a threat, and take the necessary actions to remediate it.

Office 365 security management updates – We have also made a few updates to Advanced Security Management to give you even better visibility and control over Office 365. To help organizations in the EU meet their compliance obligations, starting in October, we will begin hosting Advanced Security Management in our EU datacenter region. We are also giving you additional visibility into the service by adding support for activities from Skype for Business, Yammer and Office 365 Threat Intelligence. The signals from these services will be used to generate activity alerts and be factored into anomaly detection alerts. Lastly, to better align our Microsoft 365 investments, we are renaming Advanced Security Management to Office 365 Cloud App Security.

Taking the next step on your GDPR compliance journey

The GDPR is compelling every organization to consider how they will respond to today’s security and compliance challenges. It may require significant changes to how your business gathers, uses, and governs data.

As a global company with hundreds of millions of customers around the globe, we are subject to many stringent regulations including the GDPR and we understand the challenges you face. As your trusted partner, we are committed to going beyond our minimum responsibilities and always working on behalf of your best interests. To that end, Microsoft is an active participant in a community of compliance experts that can support all aspects of your GDPR journey – such as audit and consulting, cloud migration assistance, as well as delivering specific point solutions.

For more details on these announcements and the other capabilities of Microsoft 365, read the new whitepaper: Accelerate your GDPR compliance journey with Microsoft 365.


Categories: announce

Security at Microsoft Ignite

Microsoft Ignite begins this Sunday, September 24, with pre-day training and registration! The Microsoft Ignite event delivers the largest and most comprehensive perspective on the future of Enterprise technology at one conference. Everyone who attends – IT pros and Enterprise developers – gets inspiration, training, and connections to drive their business forward with Microsoft technology. 26,000+ IT and Enterprise developer customers and prospects come to collaborate and learn how Microsoft technology can help them achieve success.

Top three things to do before you go:

  1. Download the mobile app
    • The mobile apps allow you to easily access My Conference, session details, evaluations, attendee networking, maps, event notifications, partners, and more. Download it now for your device: Windows | iOS | Android
  2. Set up your attendee profile
    • Connect with attendees at the events. Setting up your profile helps attendees discover Microsoft experts and get their questions answered. After your edits are complete, your profile will be updated in the apps and in MyIgnite.
  3. Get ready for a great show
    • Confirm your hotel reservation
    • Familiarize yourself with our event and resources
    • Have fun!

Key security sessions to attend at Ignite

But that’s not all: we have a huge selection of security-related content, 345 sessions to be exact. Sessions have been designed to meet not only your product needs, but also your expertise needs. Find a complete list of security sessions here.

Who is attending from Microsoft

This year we are rolling out a fantastic new tool simply known as Expert Finder. All Microsoft staff will be tagged with their areas of expertise and can easily be located on the expo floor. Work with staff onsite at the Expo to locate the expert(s) that you need to speak with.

The Expert Finder tool can be found here. (Note: not all attendees will have access.)

Where to find Security onsite: In the expo

We have full coverage of security topics in the expo. From getting help desk answers to seeing demos, you are sure to walk away with the information you need.

You’ll find us in the expo during the following times:

  • Monday: 12:30pm – 7:30pm
    • Social hour: 5:30pm – 7:30pm
  • Tuesday: 10:00am – 6:00pm
    • Social hour: 5:30pm – 7:30pm
  • Wednesday: 10:00am – 6:00pm
    • Social hour: 5:30pm – 6:00pm
  • Thursday: 10:00am – 4:00pm

Below you can see where the Security area is located within the Expo, as noted by the red circle.

Networking opportunities

Ignite is not only about talking with the Microsoft experts, it’s also a great time to network with your peers. Here is a list of great opportunities for you to network during the event:

  • Immersion zone
    • Get hands-on: you’ll find labs, workshops, mixed reality experiences, learning experts and more!
  • Visit the security and privacy Microsoft Tech Community
    • Learn and see what other attendees are talking about. Then take the opportunity not only to collaborate virtually, but also to set up time to network face-to-face while at the event.
  • Social hours
    • Wind down the day and enjoy a drink with security-related professionals; social hours are posted above.
  • Celebration event
    • More details to come, but on Thursday we have an amazing celebration event!

In the week following Ignite, we will summarize our lessons learned, product announcements, and customer feedback received from the event.

To learn more about Microsoft security solutions and services, visit

We hope you have a lot of fun, make amazing connections, and walk away with inspiring insights at this year’s Ignite conference. We’re looking forward to seeing you there!

Categories: Uncategorized

3 key tenets to help with security management


This post is authored by Berk Veral, Director, Product Marketing, Enterprise Cybersecurity Group.

Across industries, as attack methods have become more sophisticated and complex, organizations have been responding by deploying more security solutions, which in turn has tremendously increased the complexity of security management.

Today, organizations must manage distributed resources across many environments and, given the constantly evolving threats, this means more attack surfaces that need to be protected.

In some cases, an organization may end up having multiple point solutions even within a single workload to address specific security concerns. However, managing a growing number of individual security controls becomes a true nightmare. You lose visibility into the security state of that workload, let alone the security of the entire organization.

Managing a high number of point solutions and vendors, coupled with increasing ‘noise’ caused by diverse datasets with varying levels of fidelity, adds to the complexity of security management. It becomes harder to gain optimal insight into endpoints and results in even less visibility into the security posture of your entire network.

Often, these point solutions don’t share any information as they are not integrated, which leads to the most dangerous of your challenges: ineffective responses to threats that grow both in number and sophistication in targeting your organization and your customers.

More solutions to deploy and more vendors to manage, with less insight and ineffective threat response, ultimately manifests itself in higher costs of security for CISOs as well.

How can CISOs efficiently manage security?

In today’s connected, technology-driven world, where digital transformation is the only way to survive for any organization, an efficient security management practice becomes the cornerstone of any long-term strategy of CISOs, regardless of their industry.

Whether your assets are deployed in the cloud, on-premises, or across a hybrid environment, your organization’s security has 4 core components for you to manage and secure:

  • Identity
  • Devices or endpoints
  • Apps and data
  • Infrastructure

And across these 4 core components, an effective security management solution should provide 3 key tenets – Visibility, Control, and Guidance:

  • Full visibility that helps you understand the security state and risks across resources;
  • Built-in security controls to help you define consistent security policies;
  • Effective guidance to help elevate your security through actionable intelligence and recommendations.

Vendor consolidation & intelligence is key

An effective security management solution is not about a single console. It is about integration where it counts, but with the freedom of specialized tools for different functions.

Microsoft helps you consolidate from a plethora of specialized functions and tools to a few. Our offerings provide functionality to ensure specialized security teams have the flexibility and freedom to manage around the unique needs of specific areas such as identity, devices, apps or infrastructure. However, the key that makes Microsoft security management consoles much more effective is the vast intelligence that is built into our solutions, which helps your organization maintain a consistent and robust security posture.

Microsoft has a unique perspective: we face the same adversaries our customers do, but because of the scale of technology we build and operate, we capture a massive amount of security-related signal:

  • Nearly 1 billion Windows devices updated worldwide each month, and we operate the largest anti-virus and anti-malware service in the world
  • Over 450 billion authentications processed monthly into our cloud services
  • Over 400 billion emails scanned monthly for spam and malware through Office 365 and
  • More than 18 billion Bing web page scans per month

We build this intelligence into our products and services – harnessing the power of machine learning and processing trillions of pieces of data from billions of devices, we enable our customers to detect relevant threats faster and prioritize response. Our security management solutions are built to work for you. This shared intelligence is leveraged by management consoles across identity, devices, apps, data, and infrastructure – helping security admins and operations center teams to get important insights optimized for their workloads.

The key for a CISO’s success in managing security is not about a single console across everything, but consolidation wherever it makes sense. This gives CISOs the best of all capabilities and allows them the flexibility when they need it.

With single vendor management, built-in controls that come with Microsoft solutions, and the unmatched intelligence, Microsoft becomes your trusted partner in achieving intelligent security management.

Categories: Uncategorized

New IIS functionality to help identify weak TLS usage

This post is authored by Andrew Marshall, Principal Security Program Manager, TwC Security, Yanbing Shi, Software Engineer, Internet Information Services Team, and Sourabh Shirhatti, Program Manager, Internet Information Services Team.

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft, we are announcing new functionality in Windows Server 2012 R2 and Windows Server 2016 to increase your awareness of clients connecting to your services with weak security protocols or cipher suites.

IIS logs can already be used to correlate client IP address, user agent string, and service URI. With the addition of the new custom logging fields detailed below, you will be able to quantify the usage of outdated security protocols and ciphers by clients connecting to your services.

To enable this new functionality, configure the four server variables below as the sources of custom logging fields in the IIS applicationHost.config. Custom logging can be configured at either the server level or the site level. Here is a sample site-level configuration:

 <site name="Default Web Site" id="1" serverAutoStart="true">
   <application path="/">
     <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
   </application>
   <bindings>
     <binding protocol="https" bindingInformation="*:443:" />
   </bindings>
   <!-- custom fields are only written when the log format is W3C -->
   <logFile logFormat="W3C">
     <customFields>
       <clear />
       <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
       <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
       <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
       <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
     </customFields>
   </logFile>
 </site>

Each of the four fields is a hexadecimal number that maps to either a protocol version (CRYPT_PROTOCOL) or a cipher suite algorithm (the cipher, hash, or key exchange algorithm).
For a plain-text HTTP request, all four fields are logged as ‘-’.

A sample log and explanation of the new fields follows:

For more information visit Official Microsoft Documentation for Custom Logging Fields in IIS.
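To turn the new fields into the kind of usage report the post describes, the script below is an added example; it is not code from the original post or from the IIS team. It reads W3C log text that includes the four custom fields defined in the configuration above, decodes each hex value with the SP_PROT_* (schannel.h) and CALG_* (wincrypt.h) constants from the Windows SDK headers, and counts the requests and clients that still negotiate deprecated protocols or ciphers. It assumes the values are written as bare hex digits as the post states (a 0x prefix is also accepted), and the log lines embedded at the bottom are constructed for the example.

```python
"""Quantify weak TLS usage from IIS W3C logs carrying the four crypt-* custom fields."""
from collections import Counter

# CRYPT_PROTOCOL: Schannel server-side protocol flags (schannel.h SP_PROT_*_SERVER).
PROTOCOLS = {
    0x0004: "SSL 2.0", 0x0010: "SSL 3.0", 0x0040: "TLS 1.0",
    0x0100: "TLS 1.1", 0x0400: "TLS 1.2", 0x1000: "TLS 1.3",
}
# CRYPT_CIPHER_ALG_ID / CRYPT_HASH_ALG_ID / CRYPT_KEYEXCHANGE_ALG_ID: CryptoAPI ALG_IDs (wincrypt.h CALG_*).
CIPHERS = {0x6801: "RC4", 0x6603: "3DES", 0x660E: "AES-128", 0x6610: "AES-256"}
HASHES = {0x8004: "SHA-1", 0x800C: "SHA-256", 0x800D: "SHA-384", 0x800E: "SHA-512"}
KEY_EXCHANGE = {0xA400: "RSA", 0xAA02: "DHE", 0xAA05: "ECDH", 0xAE06: "ECDHE"}

# What this report treats as weak: deprecated protocol versions and ciphers (a policy choice).
WEAK_PROTOCOLS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}
WEAK_CIPHERS = {"RC4", "3DES"}


def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; W3C fields never contain literal spaces
        yield dict(zip(fields, values))


def decode(value, table):
    """Map a logged hex value to a name; '-' (plain HTTP) becomes None, unknown codes stay visible."""
    if value == "-":
        return None
    code = int(value, 16)  # bare hex digits as IIS writes them; int(..., 16) also accepts 0x...
    return table.get(code, f"unknown(0x{code:x})")


def classify(row):
    """Decode the four fields of one request; None means the request was plain HTTP."""
    protocol = decode(row["crypt-protocol"], PROTOCOLS)
    if protocol is None:
        return None
    cipher = decode(row["crypt-cipher"], CIPHERS)
    return {
        "protocol": protocol,
        "cipher": cipher,
        "hash": decode(row["crypt-hash"], HASHES),
        "key_exchange": decode(row["crypt-keyexchange"], KEY_EXCHANGE),
        "weak": protocol in WEAK_PROTOCOLS or cipher in WEAK_CIPHERS,
    }


def summarize(text):
    """Count requests per (protocol, cipher) and per client that still negotiates weak settings."""
    by_suite = Counter()
    weak_clients = Counter()
    for row in parse_w3c(text):
        info = classify(row)
        if info is None:
            by_suite["plaintext"] += 1
            continue
        by_suite[(info["protocol"], info["cipher"])] += 1
        if info["weak"]:
            weak_clients[(row.get("c-ip", "-"), row.get("cs(User-Agent)", "-"))] += 1
    return by_suite, weak_clients


# Constructed sample log (not from the original post); client IPs are from a documentation range.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) crypt-protocol crypt-cipher crypt-hash crypt-keyexchange
2017-09-01 10:00:01 203.0.113.10 GET /index.html 200 Mozilla/5.0+(Windows+NT+10.0) 400 6610 800c ae06
2017-09-01 10:00:02 203.0.113.11 GET /api/data 200 LegacyAgent/1.0 40 6603 8004 a400
2017-09-01 10:00:03 203.0.113.12 GET /health 200 Probe/2.1 - - - -
2017-09-01 10:00:04 203.0.113.11 POST /api/data 200 LegacyAgent/1.0 100 6801 8004 a400
"""

if __name__ == "__main__":
    suites, weak = summarize(SAMPLE_LOG)
    for key, n in suites.most_common():
        print(f"{n:6d}  {key}")
    print("clients still using weak protocols or ciphers:")
    for (ip, agent), n in weak.most_common():
        print(f"{n:6d}  {ip}  {agent}")
```

Run against a real log by passing the file contents to summarize(); the per-client counter gives the list of user agents and addresses to chase down before disabling a protocol or cipher server-side, and the two WEAK_* sets are where a deployment's own policy goes.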
Categories: Uncategorized

Microsoft perspective on cyber resilience

This post is authored by Ann Johnson, Vice President, Enterprise Cybersecurity Group.

In the wake of recent ransomware outbreaks, I wanted to understand how impacted firms have evolved their thinking on cyber resilience planning and implementation. I asked the Detection and Response Team at Microsoft, who help our customers proactively and in real time to respond and recover from cyberattacks, to share their experiences. I’ve included below a few anonymized customer scenarios the team shared with me, which point to the acute need for a cyber resilience plan.

What follows is a reference framework of Microsoft capabilities which can help our customers become more agile in the face of modern attacks. In other words, this post is about mapping the road to cyber resilience.

Why cyber resilience matters

Organizations globally are highly dependent on technology to conduct personal and business-related tasks. As of the end of Q1CY2017, there were over 3.7B Internet users worldwide and this population is growing. As Internet adoption grows, the attack surface grows with it. The current cybersecurity threat landscape creates a real risk to people and assets. Therefore, organizations should maintain a balance between allowing access and managing risk. Commonly, enterprise organizations approach cybersecurity by deploying tools, technologies, and personnel for “protection” and “incident response”. While this is important, the root purpose of implementing cybersecurity tools and technologies is business continuity. Enterprise organizations should also be thinking at a strategic level about the “big picture” of how to fortify their critical systems, IT infrastructure, and data centers to stay resilient in the face of human errors and cyberthreats that cause downtime. This is where a cyber resilience strategy comes into play. Organizations need to build a cyber resilience strategy and execute a cyber resilience program specifically tailored to their business needs to ensure business continuity in the event of a security incident.

According to Accenture’s “State of Cybersecurity and Digital Trust”, while 75% of all survey takers say they have high cybersecurity confidence levels, only 37% claim they have confidence in their organization’s ability to monitor for breaches and 36% claim confidence in their ability to minimize disruptions. According to Gartner, the average cost of downtime is USD $5,600 per minute—over USD $300,000 per hour. Human error is the most common contributor to downtime. Some studies conclude that human error accounts for 75% of downtime.

With organizations more reliant on IT than ever before, it is important to acknowledge business continuity and disaster response (BCDR) as a vital component to the entire organization, instead of as an issue that has implications for IT teams only. Every enterprise organization needs to be prepared to handle outages caused by unforeseen events. Downtime of critical applications and services could lead to a stop in productivity and operations, lost revenues, and lower customer confidence in the organization. A strong cyber resilience plan effectively executed can help organizations’ computer systems, IT infrastructure and data centers withstand impact from cyberthreats and human error.

Cyber resilience scenarios

There are many news stories about organizations who have suffered from cyberattacks and/or data breaches. Developing a strategy and taking actions in support of cyber resilience may help reduce the extent and cost of recovery from damage due to such incidents.

Example #1 – Ransomware infecting multiple organizations globally:

Recent ransomware attacks in the first half of 2017 have highlighted the need to be able to access critical IP, systems, and infrastructure even when it’s locked down by ransomware. WannaCry ransomware impacted multiple industries and companies worldwide, including automobile manufacturing plants that had to halt production for some time. Regardless of the motivation of the attack, clearly it resulted in unplanned downtime and recovery costs to impacted companies.

A key takeaway is ransomware can impact any type of organization. Keeping computer systems patched and up-to-date, backing up data regularly, having fully tested disaster recovery plans in place, and providing education on cyberthreats (e.g. phishing and ransomware) to direct employees and contractors can help to at least reduce the extent of damage from such an incident.

Example #2 – Data breaches continue to impact US healthcare industry:

Cyberattacks continue to measurably impact the healthcare industry since cybercriminals who successfully gain access to medical data could use it for conducting fraud or identity theft for lucrative purposes. Also, the personal data often includes information on a patient’s medical history, which may be used in targeted spear-phishing attacks. As of August 9, 2017, the US Department of Health and Human Services’ HIPAA Breach Reporting Tool website – often called the “wall of shame” – showed a total of 2,018 breaches since 2009. The number of individuals affected by health data breaches also has surged in recent years, from 31.5 million as of May 30, 2014, to about 175 million as of August 9, 2017.

There are three key takeaways from these trends and statistics. The first is that healthcare personnel and patients need to be alert to and inform their IT organization of suspicious communications (fraud/phishing emails) and identity theft incidents as much as possible. Another takeaway is that personal health and identification information should not be exposed without an express requirement to share (e.g. for a patient to offer proof of identity for a medical examination or procedure). Further, the use of data classification and information protection solutions can help reduce the impact of exposure by protecting sensitive information across its lifecycle.

Example #3 – Human error led to client information exposure for financial services firm:

Financial services and banking industries, despite putting in place relatively tighter monitoring and controls over their infrastructure and data than other industries, continue to be impacted by data breaches. In early 2017, a financial services firm inadvertently left exposed to the public a database containing sensitive information on thousands of its clients. The company claimed that the incident was due to human error by a 3rd party vendor.

A key takeaway is that it is important for organizations to hold accountable all contractors with access to the organization’s network and data. For instance, this was a major issue that came to light even with the outbreak of the Petya ransomware, in that 3rd party contractors failed to follow organizational cybersecurity policies, which was a root cause of the crisis.

Considerations for a cyber resilience program

To enhance the ability for computer systems, IT infrastructure, and data centers to withstand damages from human error, cyberthreats, and cyberattacks, we suggest enterprise organizations consider a cyber resilience program that leverages the combination of people, processes, and cloud services.

People:

Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber resilient mindset. This includes not only adhering to IT security policies around identity-based access control, but also alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Processes:

Organizations should consider implementing several processes for an effective cyber resilient posture. Some of these can be implemented as IT security policies. Suggested processes include the ones listed in the table below.

Cloud services:

To maintain cyber resilience, the suggested processes should be performed on a regular basis, at a cadence set by the business’s tolerance for risk and its ability to operationally execute the processes through a combination of human effort and technology products and services.

Fortunately, cloud service based architectures can be used to rapidly reconstitute on-premises infrastructure or fail over to a mirrored infrastructure. A key consideration when adopting cloud services is to look at how the provider conducts their assessments and look for 3rd party audits and certifications as examples of how they are performing.

Cloud services such as Microsoft Azure and Office 365 can serve at least as a first step towards helping customers with their cyber resilience needs.



Microsoft Services

Early warning and alerting system Organizations should receive early warning and alerts on suspicious or investigation-worthy electronic information.


Azure Security Center automatically collects, analyzes, and integrates log data from your Azure resources, which can be used for eDiscovery.

Office 365:

eDiscovery in Office 365 can be used to search for content in Exchange Online mailboxes, Office 365 Groups, Microsoft Teams, SharePoint Online and sites, and Skype for Business conversations.

Incorporate cyber incidents into disaster recovery and business continuity planning Incorporate cyber incidents into your existing disaster recovery and business continuity planning, and characterize or assign a higher likelihood to these incidents than to traditional acts of nature.



If you are looking to implement disaster recovery for all your major IT systems—without the expense of secondary infrastructure, Microsoft offers a variety of architectures available to help organizations design and implement secure, highly-available, performant, and resilient solutions on Azure.

Office 365:

Office 365 offerings are delivered by highly resilient systems that help to ensure high levels of service. Service continuity provisions are part of the Office 365 system design. These provisions enable Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or an incident within a Microsoft data center that renders the entire data center inoperable).

Platform hardening Lock down platform against hacking attempts.


From a platform hardening perspective, Microsoft performs our own internal assessments through penetration testing and red teams. Microsoft uses Red Teaming to simulate real-world breaches, conduct continuous security monitoring, and practice security incident response to validate and improve the security of Microsoft Azure and Office 365. We strive to provide a robust cloud platform that customers can depend on for accessing critical applications and data in a secure manner.

Office 365:

Office 365 is a security-hardened service, designed following the Microsoft Security Development Lifecycle. We bring together best practices from two decades of building enterprise software and managing online services to give you an integrated software-as-a-service solution.

Protect against email cyberthreats Implement security policies for detecting and protecting users from opening email based web links and attachments that are suspicious or malicious (e.g. phishing).

Office 365:

Office 365 Advanced Threat Protection helps protect mailboxes against new, sophisticated attacks in real time. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.

Control access Limit access to data and applications, to reduce risk.


Azure Multi-Factor Authentication helps safeguard access to data and applications, and helps to meet customer demand for a simple sign-in process. Get strong authentication with a range of easy verification options—phone call, text message, or mobile app notification—and allow customers to choose the method they prefer.

Office 365:

Multi-Factor Authentication for Office 365 helps secure access to Office 365. It increases the security of user logins for cloud services above and beyond just a password. Users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

Detect and defend against rogue systems Apply conditional access-based security defenses to systems that have gone rogue


Conditional access in Azure Active Directory enables you to enforce controls on the access to apps in your environment based on specific conditions. With controls, you can either tie additional requirements to the access or you can block it. The implementation of conditional access is based on policies. A policy-based approach simplifies your configuration experience because it follows the way you think about your access requirements.

Office 365:

Device Health Attestation (DHA) for Office 365 enables enterprises to raise the security bar of their organization to hardware monitored and attested security, with minimal or no impact on operation cost. You can use DHA to assess device health for:

  • Windows 10 and Windows 10 Mobile devices that support TPM 1.2 or 2.0.
  • On-premises devices that are managed by using Active Directory with Internet access, devices that are managed by using Active Directory without Internet access, devices managed by Azure Active Directory, or a hybrid deployment using both Active Directory and Azure Active Directory.

Vulnerability assessment: Learn about vulnerabilities in order of severity, so that mitigation efforts can focus on those presenting the most risk to the organization.

Azure:

The vulnerability assessment in Azure Security Center is part of the Security Center virtual machine (VM) recommendations. If Security Center doesn’t find a vulnerability assessment solution installed on your VM, it recommends that you install one.

Software updates and patching: Continuously patch vendor software as new updates become available, to reduce the probability of attack or at least limit the damage incurred.

Azure:

Hosting applications in Microsoft Azure not only alleviates system management for companies; it also helps with system updates and keeping servers up to date. As new security vulnerabilities are identified, Microsoft will automatically apply updates to Microsoft Azure roles (if configured to do so). Admins can choose to have Microsoft keep their roles (instances) up to date and apply these updates when they are available, thereby eliminating a tremendous administrative effort for the company.

Office 365:

Microsoft Office 365 ProPlus software can receive updates automatically from the Internet or from an on-premises location (based on the organization’s preference).

Identification-based access control: Protect access to applications and resources end-to-end, across the corporate datacenter and into the cloud.

Azure:
Microsoft identity and management solutions enable you to centrally manage identities across your datacenter and the cloud:

  • Azure Active Directory cloud identity and access management solutions – get single sign-on to thousands of cloud apps and access to web apps that you run on-premises with Azure Active Directory Premium. Built for ease of use, Azure Active Directory management tools enable collaboration and deliver holistic identity protection and adaptive access control.
  • Azure Active Directory B2C – a cloud identity service that allows you to connect to any customer. Governments and enterprises worldwide are using this service to serve their applications to their citizens and customers with fully customizable experiences, while protecting their identities at the same time.

Office 365:

Office 365 uses the Azure Active Directory cloud-based user authentication service to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts:

  • Cloud identity. Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it’s all done in the cloud.
  • Synchronized identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365.
  • Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on.

Regular data backups: Back up data in case your organization is impacted by ransomware or other cyberthreats.

Azure:
Azure Backup enables protection for hybrid backups via prevention, alerting, and recovery features.

Office 365:

OneDrive for Business is an integral part of Office 365, and provides a place in the cloud where you can store, share, and sync work files. It also allows for incremental restoration of files.

Protection of administrative credentials: Secure administrative credentials from compromise and misuse.

Microsoft Cloud Services, including Azure and Office 365, are built on a foundation of trust and security. The following and many other principles apply to our cloud services:

  • Microsoft provides you security controls and capabilities to help you protect your data and applications.
  • You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control.

How Microsoft partners with the ecosystem

Cyber resiliency is not a problem we can address alone. Our commitment is to make sure our products work with technology our customers already use. Microsoft is fostering a vibrant ecosystem of partners who help us raise the bar across the industry. Through our technology partner network, we can offer proactive vulnerability tools as well as more feature-rich solutions, such as application firewalls and threat detection, to customers. We also collaborate extensively with customers and industry standards bodies to help us meet specific customer cyber resiliency needs and industry regulations. Microsoft has been working with the Center for Internet Security (CIS) to demonstrate that our operating systems and, most recently, our cloud platform, Azure, have been hardened against cyberthreats. We are working towards getting Azure to pass the CIS Benchmark requirements. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. Also, Microsoft is actively working to align our offerings with the SANS Critical Security Controls set of recommendations, which organizations use to prepare for the most important actual threats that exist in today’s Internet world.


Developing and executing a cyber resilience program is not trivial – it is a journey, not a destination. It requires organizational focus, commitment, and effort. For additional, detailed guidance on this topic, stay tuned for a white paper to be published later this year.

Ann Johnson, Vice President
Enterprise & Cybersecurity

Ann Johnson leads Enterprise & Cybersecurity at Microsoft. Her organization empowers global enterprises to confidently move to the cloud by modernizing their architectures for maximum business agility and security. Ann is a recognized industry leader with a proven track record for building and leading high-performing global enterprise software go-to-market teams. Ann has a background in cybersecurity, infrastructure and storage and is a frequent speaker on topics of online banking fraud, information security, healthcare security, mobile security, workforce diversity, privacy and compliance. She currently serves on the board of the Security Advisor Alliance and as Board Advisor to the biometric security firm HYPR.
