Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog: New FastTrack benefit: Deployment support for Co-management on Windows 10 devices.

Microsoft 365 security solutions align to many cybersecurity protection standards. One widely adopted standard is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Developed for the US government, NIST CSF is now also used by governments and enterprises worldwide as a best practice for managing cybersecurity risk. Mapping your Microsoft 365 security solutions to NIST CSF can also help you achieve compliance with many certifications and regulations, such as FedRAMP.

Microsoft 365 security solutions are designed to help you empower your users to do their best work securely, from anywhere and with the tools they love. Our security philosophy is built on four pillars: identity and access management, threat protection, information protection, and security management. Microsoft 365 E5 (see Figure 1.) includes products for each pillar that work together to keep your organization safe.

Figure 1. The Microsoft 365 security solutions

At the heart of NIST CSF is the Cybersecurity Framework Core: a set of Functions and related outcomes for improving cybersecurity (see Figure 2). In this blog, we'll show you examples of how you can assess Microsoft 365 security capabilities using four of the Function areas in the core: Identify, Protect, Detect and Respond.* We'll also provide practical tips on how you can use Microsoft 365 Security to help achieve key outcomes within each function.

Figure 2. The NIST Cybersecurity Framework Core

Identify

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

The purpose of this function is to gain a better understanding of your IT environment and identify exactly which assets are at risk of attack. From there, you can start to align these assets and associated risks to your overall business goals (including regulatory and industry requirements) and prioritize which assets require attention.

For example, the Asset management category is about identifying and managing the data, personnel, devices, and systems that enable an organization to achieve its business purpose, in a way that is consistent with their relative importance to business objectives and the organization's risk strategy.

Microsoft 365 security solutions help identify and manage key assets such as user identities, company data, PCs and mobile devices, and the cloud apps used by company employees. First, provisioning user identities in Microsoft Azure Active Directory (Azure AD) provides fundamental asset and user identity management that includes application access, single sign-on, and device management. Through Azure AD Connect, you can integrate your on-premises directories with Azure AD (see Figure 3). This gives users a common, secure identity for Microsoft Office 365, Azure, and thousands of other Software as a Service (SaaS) applications pre-integrated into Azure AD.

Figure 3. Through Azure AD Connect, you can integrate your on-premises directories with Azure Active Directory

Deployment Tip: Start by managing identities in the cloud with Azure AD to get the benefit of single sign-on for all your employees. Azure AD Connect will help you integrate your on-premises directories with Azure Active Directory.

Protect

Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

The Protect function focuses on policies and procedures to protect data from a potential cybersecurity attack.

Microsoft 365 security solutions support the NIST CSF categories in this function. For example, the Identity management and access control category is about managing access to assets by limiting authorization to devices, activities, and transactions. Your first safeguard against threats or attackers is to maintain strict, reliable, and appropriate access control. Azure Active Directory Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk (see Figure 4). Based on these conditions, you can then set the right level of access control. For access control on your networks.

Figure 4. Azure AD Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk

Deployment Tip: Manage access control by configuring conditional access policies in Azure AD. Use conditional access to apply conditions that grant access depending on a range of factors or conditions, such as location, device compliance, and employee need.

Detect

Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

The Detect function covers systems and procedures that help you monitor your environment and detect a security breach as quickly as possible.

Microsoft 365 security solutions detect and protect against Anomalies and events (a Detect category) in real time. They offer advanced threat protection (see Figure 5), security and audit log management, and application whitelisting to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Microsoft 365 has capabilities to detect attacks across these three key attack vectors:

  • Device-based attacks: Windows Defender Advanced Threat Protection provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristics. The Alerts queue shows a list of alerts that are flagged from machines in your network.
  • Email-based attacks: Office 365 Advanced Threat Protection protects your emails, attachments, online storage, files, and environment through a variety of technology, including Safe Attachments, Exchange Online Protection, and rich reporting and tracking insights.
  • Identity credential attacks: Azure Advanced Threat Protection (Azure ATP) takes information from logs and network events to learn the behavior of users in the organization and build a behavioral profile of them. It then detects suspicious activities, searching for malicious attacks, abnormal behavior, and security issues and risks.

Figure 5. Threat detection integrated across Microsoft 365

Respond

Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.

The Respond Function provides guidelines for effectively containing a cybersecurity incident once it has occurred through development and execution of an effective incident response plan.

Microsoft 365 security solutions directly support the Response Planning category through a variety of visibility reports and insights. Azure AD Access and Usage reports allow you to view and assess the integrity and security of your organization's implementation of Azure AD. With this information, you can better determine where possible security risks may lie and plan adequately to mitigate them. These reports also support the Mitigation category and include anomaly reports, integrated application reports, error reports, user-specific reports, and activity logs that contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days. Supporting the Analysis category, Microsoft offers guidance and education on Windows security and forensics to give organizations the ability to investigate cybercriminal activity and respond to and recover from malware incidents more effectively.

Want to Learn More?

For more information and guidance on assessing Microsoft 365 security solutions using the NIST CSF, check out the whitepaper.

Deployment Tip: For more help with Microsoft 365 security, consider FastTrack for Microsoft 365. Whether you're planning your initial Microsoft 365 Security rollout, need to onboard your product, or want to drive end user adoption, FastTrack is your benefit service and is ready to assist you. Get started at FastTrack for Microsoft 365.

* Although Microsoft offers customers some guidance and tools to help with parts of the fifth function, Recover (data backup, account recovery), Microsoft 365 doesn't specifically address this function. Note also that Microsoft isn't endorsing this NIST framework – there are other standards for cybersecurity protection – but we find it helpful to baseline against commonly used scenarios.



The need and opportunity for adaptive prevention in the cloud

This post is authored by Michael Bargury, Data Scientist, C+E Security.

The need

The cloud introduces new security challenges, which differ from classic ones in diversity and scale. Once a Virtual Machine (VM) is up and running with an open internet port, it is almost instantaneously subject to vulnerability scanning and Brute Force (BF) attacks. These attacks are usually not directed at a specific organization's environment. Instead, they cover a broad range of environments, hoping to infiltrate even a small fraction of them, to be used for their computational power or as part of a botnet.

The agile nature of the cloud allows organizations to build elaborate and highly customized environments. These environments constantly change, as customers utilize the cloud's ability to adapt to variations in computational or network communication demands. Although this agility is one of the cloud's top offerings, it also makes it harder to apply and maintain security best practices. As your environment changes, the security measures needed to protect it might change as well. Moreover, while security experts can manually analyze common environment scenarios and offer security recommendations, the huge diversity in the cloud renders these recommendations useless for many organizations, which require more tailored solutions.

Proper security recommendations have the potential to make a huge impact on an organization's security. They can minimize the attack surface, essentially blocking attacks before they occur.

The opportunity

On the other hand, the cloud provides unique opportunities which are impossible or impractical for most organizations on their own. The broad visibility and the diversity of environments allow statistical models to detect abnormal activities across the cloud. Organizations can anonymously share their security-related data with trusted 3rd parties such as Azure Security Center (ASC), which can leverage this data to provide better detection and security recommendations for all organizations. Essentially, the cloud allows organizations to combine their knowledge in a way that is much larger than the sum of its parts.

Leveraging these cloud-unique opportunities gives birth to a whole new world of customized security recommendations. Instead of a single one-size-fits-all best practice, the cloud allows customized best practices to be generated and updated constantly, as a cloud environment is built and evolves. Imagine an agent which detects a security risk associated with a machine placed under the wrong subnet, or an automatically updating firewall.

Example

Let us dive into a very basic, yet typical scenario. As a developer in a cloud-based organization, I would like to deploy a new SQL-Server on Windows. I deploy a new Windows VM, install SQL-Server and create an inbound rule in my Network Security Group (NSG) to allow for incoming communication in port 1433.

A few months later, the SQL-Server has long been deleted. The VM is being used for something else entirely. The only thing left from my initial deployment is the inbound rule on port 1433, which was forgotten by the individual who deleted the SQL-Server. This leaves an opening for attackers to gain access to my machine, or simply to exhaust its resources by bombarding it with requests. After a while, I get a security alert from ASC. There was a successful BF attack on my machine, and it is now compromised. Looking at the logs, I see that the attack was carried out through port 1433.

A good security recommender system would have identified that port 1433 is no longer in use by SQL Server, and prompted me with a recommendation to close it before the machine was compromised.

Learning scenario

Taking the perspective of a cloud provider, we will now devise a way to detect the scenario above and recommend a mitigation in time.

We can safely assume that most Azure customers use port 1433 for SQL-Server communication, as it is the default port used in SQL-Server software. This reduces our problem to the following goal: find machines with an inbound rule for port 1433, which do not run SQL-Server software.

But wait, how do we know which SQL-Server executables to look for the absence of? We could try to manually compile a list of executables that belong to SQL-Server, but there must be a better way.

Remember, we have assumed that most Azure customers use port 1433 for SQL-Server communication. Utilizing this assumption, we can learn which executable is unusually common in machines with an inbound rule on port 1433, out of the entire population of Azure VMs.

And so, our final goal becomes: find machines with an inbound rule for port 1433, which do not run common executables within this group.

We can try to reach this goal in several ways; here we take a classification approach. We use two weeks of process execution records from 30K Azure machines that run ASC's monitoring agent.

First, we compile a list of distinct executables. Since we are looking for executables of very common software, we can filter the list to executables that run on more than 10 Azure VMs, to reduce noise. This leaves us with 4,361 distinct executables.

We represent each Azure VM as a vector of indicators for the executables run by that VM. For example, consider a VM A that ran only a single executable. That VM would be represented by a zero vector with a single coordinate set to one, corresponding to that executable. Next, we label each VM by whether or not it has port 1433 open for inbound traffic.

We will treat our dataset as a classification problem: given a binary feature vector for each VM, predict whether its port 1433 is open for inbound traffic. Notice that we already know the answer to this question. Therefore, we will be able to measure the accuracy of our model.

We train a Random Forest (RF) model to solve the classification problem. We use an RF for multiple reasons. First, each split considers only a small random subset of features, so the trees end up relying on a small number of executables, which we hope are SQL-Server related. Second, allowing only a few trees in the RF yields a simple classification model that is easy to interpret and understand.

To avoid overfitting, we use a hold-out validation set. We split our dataset 70/30 into training and test sets, train the model on the training set, and measure its performance on the test set.

// Error = (# wrong classifications) / (# samples)

Train error = 0.00095

Test error = 0.00128

The model performs very well, with low classification error both for the train and test sets.

Let's think about what happened here. The model was able to accurately predict whether a VM has an inbound rule for port 1433, using a small list of executables run by that VM. This implies that there is some set of executables which is extremely common among VMs that accept inbound traffic on port 1433. To examine these executables, we can look at the top ten features by importance (significance to the classification) provided by our classifier:

  1. \program files\microsoft sql server\mssql_ver.mssqlserver\mssql\binn\sqlagent.exe

  2. \program files\microsoft sql server iaas agent\bin\ma\agentcore.exe

  3. \packages\plugins\microsoft.compute.vmaccessagent\version\bin\jsonvmaccessextension.exe

  4. \program files\microsoft sql server iaas agent\bin\sqlservice.exe

  5. \program files\microsoft sql server\mssqlmssqlserver\mssql\binn\databasemail.exe

  6. \windows\microsoft.net\framework\version\ngen.exe

  7. \program files (x86)\microsoft sql server\version\tools\binn\sqlexe

  8. \packages\plugins\microsoft.sqlmanagement.sqliaasagent\version\sqliaasextensiondeployer.exe

  9. \packages\plugins\microsoft.enterprisecloud.monitoring.microsoftmonitoringagent\version\mmaextensionheartbeatservice.exe

  10. \program files\microsoft sql server\mssqlmssqlserver\mssql\binn\fdhost.exe

This is excellent. Our model found that the best indicators for port 1433 being open are SQL-Server related executables running on the VM. This validates our assumption that most Azure customers use port 1433 for SQL-Server communication! Otherwise, our model would not have been able to achieve such high accuracy using SQL-Server executables as features.

Returning to our initial goal, we are looking for machines which do not run the executables that are very common within this group. For these machines, there is no way the model can tell that their port 1433 is open by looking at SQL-Server related executables. Hence, these machines should correspond to our model's classification errors! More specifically, we are looking for false negatives (FN, where the model wrongly classifies the VM as having port 1433 closed).

Let's examine one of these VMs. Here is the list of executables it ran:

  1. \windows\softwaredistribution\download\install\: [exe, windows-ver-delta.exe]

  2. \windowsazure\guestagent_ver\collectguestlogs.exe

  3. \program files\microsoft security client\mpcmdrun.exe

  4. \windows\servicing\trustedinstaller.exe

  5. \windows\winsxs\amd64_microsoft-windows-servicingstack_ver\tiworker.exe

  6. \program files\microsoft office 15\clientx64\officec2rclient.exe

  7. \program files\java\: [jre_ver\bin\jp2launcher.exe, 8.0_144\bin\javaws.exe]

  8. \program files (x86)\common files\java\java update\jucheck.exe

  9. \windows\microsoft.net\framework64\ver\: [exe, ngen.exe]

  10. \windows\microsoft.net\framework\ver\: [exe, ngentask.exe]

  11. \windows\system32\inetsrv\w3wp.exe

  12. \windows\system32\wbem\: [exe, wmiprvse.exe]

  13. \windows\system32\: [taskhostex.exe, mrt.exe, schtasks.exe, taskeng.exe, wsqmcons.exe, rundll32.exe, sc.exe, lpremove.exe, mpsigstub.exe, ceipdata.exe, defrag.exe, sppsvc.exe, cmd.exe, conhost.exe, svchost.exe, aitagent.exe, taskhost.exe, mrt-ver.exe, sppextcomobj.exe, wermgr.exe, werfault.exe, tzsync.exe, slui.exe]

Indeed, we don't see SQL-Server here! Actually, it seems like this VM is running mostly Windows/Azure updates. We can issue a recommendation for this VM to remove its inbound rule for port 1433. Looking at past ASC alerts, we can see that this machine was brute forced on six different days, providing valuable attack surface to attackers. Our model can put an end to that!

Overall, we found five machines which might have port 1433 open for no reason (the FNs of the classification model).

Generalization

Now that we have a working model and a nice Proof of Concept, we might consider applying it to similar scenarios. After all, why focus only on port 1433 and SQL-Server, when our model didn't depend on either of these as an assumption?

We can generalize our scenario and solution to the following:

  • Goal: find machines with an inbound rule for port X which do not run the executables that are very common within this group.
  • Method: train an RF to predict whether or not a machine has port X open for inbound traffic, based on the executables it ran. Output the machines the RF misclassifies as having the port closed (its false negatives).
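As an added example (not code from the original post or from the ASC team), here is the pipeline described above, from the binary executable-indicator vectors onward, written in Python over a constructed ten-VM sample rather than the post's 30K-machine telemetry. In place of the random forest's feature importances it ranks executables by lift, P(exe | port open) / P(exe), which is the statistic the post's goal statement describes ("unusually common ... out of the entire population of Azure VMs"); VMs that allow the port inbound but run none of the high-lift executables are the post's false negatives and become "remove this inbound rule" recommendations. The functions take the port as a parameter, so the same code covers the generalized goal and method listed above. The VM names, executables, ports, and the thresholds min_support=2 and min_lift=1.5 are all assumptions made for the sample.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

VmRecord = Tuple[Set[int], Set[str]]  # (inbound ports allowed by NSG rules, executables observed)

# Constructed sample telemetry (not real ASC data): VM name -> (open inbound ports, executables run).
BASE = {"svchost.exe", "conhost.exe", "trustedinstaller.exe"}
SQL = {"sqlservr.exe", "sqlagent.exe"}
SAMPLE_VMS: Dict[str, VmRecord] = {
    "sql-prod-1":   ({1433, 3389}, BASE | SQL),
    "sql-prod-2":   ({1433, 3389}, BASE | SQL),
    "sql-prod-3":   ({1433, 3389}, BASE | SQL),
    "sql-dev-1":    ({1433, 3389}, BASE | SQL),
    # The forgotten rule from the post: SQL Server removed, port 1433 still allowed inbound.
    "web-legacy-1": ({80, 1433},   BASE | {"w3wp.exe", "mpcmdrun.exe"}),
    "web-1":        ({80, 443},    BASE | {"w3wp.exe"}),
    "web-2":        ({80, 443},    BASE | {"w3wp.exe"}),
    "build-1":      ({3389},       BASE | {"javaws.exe"}),
    "build-2":      ({3389},       BASE | {"javaws.exe"}),
    # SQL Server reachable only privately: runs SQL but has no 1433 inbound rule.
    "sql-internal": ({3389},       BASE | SQL),
}


def frequent_executables(vms: Dict[str, VmRecord], min_support: int) -> List[str]:
    """Executables seen on at least min_support VMs; the post keeps those seen on more than 10 of 30K."""
    counts = Counter(exe for _, exes in vms.values() for exe in exes)
    return sorted(exe for exe, n in counts.items() if n >= min_support)


def build_feature_matrix(vms: Dict[str, VmRecord], port: int, min_support: int):
    """Represent each VM as a binary indicator vector over the frequent executables,
    labelled by whether it has an inbound rule for `port` (the post's dataset layout)."""
    columns = frequent_executables(vms, min_support)
    col = {exe: i for i, exe in enumerate(columns)}
    rows: Dict[str, Tuple[List[int], bool]] = {}
    for name, (ports, exes) in vms.items():
        vec = [0] * len(columns)
        for exe in exes & col.keys():
            vec[col[exe]] = 1
        rows[name] = (vec, port in ports)
    return columns, rows


def indicator_executables(vms: Dict[str, VmRecord], port: int,
                          min_support: int = 2, min_lift: float = 1.5) -> Dict[str, float]:
    """Executables 'unusually common' among VMs that allow `port` inbound, scored by
    lift = P(exe | port open) / P(exe over all VMs). This lift score stands in for the
    post's random-forest feature importances (an assumption of this example)."""
    columns, rows = build_feature_matrix(vms, port, min_support)
    open_vecs = [vec for vec, is_open in rows.values() if is_open]
    if not open_vecs:
        return {}
    lifts: Dict[str, float] = {}
    for i, exe in enumerate(columns):
        p_all = sum(vec[i] for vec, _ in rows.values()) / len(rows)
        p_open = sum(vec[i] for vec in open_vecs) / len(open_vecs)
        lift = p_open / p_all if p_all else 0.0
        if lift >= min_lift:
            lifts[exe] = round(lift, 3)
    return lifts


def recommend_closing(vms: Dict[str, VmRecord], port: int,
                      min_support: int = 2, min_lift: float = 1.5) -> List[str]:
    """VMs that allow `port` inbound but run none of the indicator executables: the post's
    false negatives, i.e. candidates for a 'remove this inbound rule' recommendation."""
    indicators = set(indicator_executables(vms, port, min_support, min_lift))
    return sorted(name for name, (ports, exes) in vms.items()
                  if port in ports and not (exes & indicators))


if __name__ == "__main__":
    for p in (1433, 80):
        print(p, indicator_executables(SAMPLE_VMS, p), recommend_closing(SAMPLE_VMS, p))
```

On the sample, port 1433 yields sqlservr.exe and sqlagent.exe as indicators and flags only web-legacy-1; port 80 yields w3wp.exe and flags nothing, since every VM with port 80 open actually runs IIS. The sql-internal VM shows why lift rather than raw frequency is used: SQL executables on a VM with the port closed lower the lift but do not remove the signal.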

Conclusions

The scenario developed above is only the tip of the iceberg. The Azure Security Center (ASC) team is working hard on providing adaptive prevention capabilities, to enable better security for Azure customers. For information about the first adaptive prevention feature in ASC, see How Azure Security Center uses machine learning to enable adaptive application control. To learn about the use of Machine Learning in ASC, see Machine Learning in Azure Security Center.


New FastTrack benefit: Deployment support for Co-management on Windows 10 devices

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog: Getting the most value out of your security deployment.

We are pleased to announce that FastTrack for Microsoft 365 (a benefit of your Microsoft 365 subscription for planning, deployment and adoption) now provides deployment support for Co-management on your Windows 10 devices. I'd like to provide a few highlights on what you can expect.

What is Co-management?

Co-management is the integration between Configuration Manager and Microsoft Intune that enables a Windows 10 device to be managed by Configuration Manager and Intune at the same time. This gives you the opportunity to take remote actions on the device, like a remote factory reset or a selective wipe for lost or stolen devices. Additional advantages include conditional access, which lets you ensure that devices accessing your corporate network are compliant with your company policies and requirements. And on Windows 10 devices you can use Windows AutoPilot, which automatically enrolls new devices in Intune and can lower your provisioning costs by provisioning new Windows 10 devices from the cloud. Co-management empowers you to complement Configuration Manager with Intune and more easily bring all this together where cloud makes sense for your organization, as seen in Figure 1 below.

Figure 1: Co-management architecture

What can you expect

As part of our deployment support, the FastTrack team will provide guidance on the following activities:

  • Enabling Active Directory auto enrollment
  • Enabling hybrid Azure Active Directory
  • Enabling the Cloud Management Gateway
  • Enabling Co-management in Configuration Manager
  • Switching over supported device management capabilities from Configuration Manager to Intune:

    • Device conditional access policies
    • Resource Access profiles
    • Windows Update for Business policies
    • EndPoint Protection policies

  • Setting up Intune to deploy the Configuration Manager agent to new devices

FastTrack for Microsoft 365 benefits

FastTrack continues to invest in bringing you end to end services for planning, onboarding and driving adoption of your eligible subscriptions, and comes at no additional charge. It is our commitment to help you to realize the value of your Microsoft 365 investment with a faster deployment and time to value.

FastTrack lets you engage with our FastTrack specialists and provides best practices, tools and resources to help you quickly and easily enable Microsoft 365 in your environment, now including co-management for Windows 10 devices.

Get started

To request assistance from FastTrack, you can get started by going to our FastTrack website. Click on the Sign In prompt, and enter your company or school ID. Go to the dashboard, and from there follow the prompts to access the Request for Assistance form. Your submission will be reviewed and routed to the appropriate team that will address your specific needs and eligibility.

The FastTrack website also provides you with best practices, tools, and resources from the experts to help make your deployment experience with the Microsoft Cloud a great one.



Updating your cybersecurity strategy to enable and accelerate digital transformation

This post is authored by Cyril Voisin, Chief Security Advisor, Enterprise Cybersecurity Group.

Nowadays every company is becoming a digital company to some extent. Digital transformation changes the way business is done. For example, it puts more control into the hands of employees, who now demand anytime, anywhere connectivity to the solutions and data they need to accomplish their objectives. Adoption of digital technologies takes place at every level of the organization, and shadow IT reminds us that employees may procure their own IT solutions to be more productive. Solutions require careful security considerations before being approved. Therefore, it's important to redefine your strategy to support both security and productivity, based on sound risk management.

Over the last decade, the security landscape has changed dramatically. Therefore, the security approach must be adapted to a new world of constant change and massive digitalization. With dramatic events such as Wannacry or NotPetya, cybersecurity has become a board conversation. Savvy enterprises now consider cybersecurity risks as strategic, the same way they consider financial risks.

Defining a crisp modern security strategy to support business success

A modern security agenda needs to define the purpose of the security team, its vision and mindset. It should also explain the high-level strategies it will employ, and how it will be organized, including the definition of priorities and deadlines and how the results will be measured. The figure below shows an example of a modern security agenda that can be summarized in a single slide for the purpose of sharing with your executive team.

Download the whitepaper on cybersecurity for digital transformation

More detailed information regarding enabling and accelerating digital transformation is available in this whitepaper. It is designed to articulate what a modern security strategy can look like, and is useful for CISOs, CIOs, CDOs, and potentially board members who want to learn more about secure transformation and benchmark their own teams. It was first released as an exclusive distribution in Dubai in October 2017, and now we are making it more broadly available today.

You can download the whitepaper here.

For more information on deployment planning and FastTrack guidance,check out related deployment series blogs.


Getting the most value out of your security deployment

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog: Now that you have a plan, it's time to start deploying.

In our previous blog, we covered some of the tactical issues that you'll want to consider when planning your Microsoft 365 Security deployment. Now we'll move to the third and final step of an effective planning process: Drive Value.

The Drive Value stage is about helping your employees to embrace and adopt the new tools and processes that are a part of your new Microsoft Security infrastructure.

The FastTrack team can help you create and implement an adoption plan that leads you and your team smoothly out of the test phase and into wider user adoption. Drawing from thousands of customer experiences, weve assembled a variety of proven engagement tactics that you can apply directly to your own rollout. Well make sure you have the knowledge, support, and materials you need for success.

Your checklist to Drive Value

The following checklist provides some of the items and actions that our FastTrack team can help you with during the Drive Value step:

Implement the adoption plan

  • Going beyond your test group to a broader population of users can be difficult. Having a plan in place to help your users adopt and embrace change will make this easier. Microsoft FastTrack will help you build a multifaceted adoption plan using best practices.

Hold launch and training events

  • Make it informative and fun using Microsoft FastTrack resources to help you drive end-user adoption. One idea is to set up a booth or a kiosk outside your lunch area or host lunch and learn events for your users. These events serve to support your users with face-to-face questions & answers as well as driving excitement and adoption. They are a great way to distribute resources your users can take with them.

Encourage ongoing engagement

  • As you implement the adoption plan, FastTrack will monitor and assist you at designated points along the way. Together, you'll work with your internal business stakeholders to drive adoption of new technology and work out any productivity issues. Leveraging the Service Management Toolkit and the Admin Learning Center helps you stay informed and effectively manage the new environment.

Keep everyone informed: provide an FAQ and supporting materials

  • Microsoft FastTrack has templates you can send to your users to educate them about specific features, explain deployment within the organization, how they can register and enroll, and more. These tools and guides are specifically geared toward different departments within your organization, including individuals in HR, R&D, finance, legal, IT, and sales. You can also work with your internal communications teams to develop appropriate supporting collateral.

Ready to take the next step? Start your success plan

Our FastTrack Success Plan is an online tool that walks you through each step of the Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack at: https://fasttrack.microsoft.com/

FastTrack provides end to end guidance for planning, onboarding, and driving end user adoption for Microsoft 365 which is comprised of Enterprise Mobility + Security (EMS), Windows 10, and Office 365.



Data classification and protection now available for structured data in SQL

This post is authored by Gilad Mittelman, Senior Program Manager, SQL Data Security.

Data privacy and data security have become one of the most prominent topics in organizations in almost every industry across the globe. New regulations that formalize requirements are emerging around these topics and compel organizations to comply.

The upcoming EU General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, is one of the most noteworthy of these new regulations. It sets a new global bar for privacy rights, security, and compliance, mandating many requirements and obligations on organizations across the globe. Complying with this regulation will necessitate significant investments in data handling and data protection for a very large number of organizations.

GDPR and Microsoft SQL

SQL Information Protection (SQL IP), now in public preview, complements the existing Microsoft Information Protection (MIP) unstructured data classification framework (Azure Information Protection, Microsoft 365) and extends it with new structured data classification capabilities.

Microsoft SQL customers who are subject to the GDPR, whether managing cloud-based or on-premises databases or both, will need to ensure that qualifying data in their database systems is appropriately handled, protected and monitored according to GDPR principles. This means that many customers will need to review or modify their database management and data handling procedures, especially focusing on the security of data processing as stipulated in the GDPR. The first step in this journey to compliance is discovering and tagging where such sensitive data resides within the database environment.

SQL IP introduces advanced capabilities built into Azure SQL Database and SQL Server for discovering, classifying, labeling and protecting the sensitive data in your SQL databases.

Discovering and classifying your most sensitive data (business, financial, healthcare, PII, etc.) can play a pivotal role in your organization's information protection posture. It can serve as infrastructure for:

  • Helping meet data privacy standards and regulatory compliance requirements, such as GDPR.
  • Data-centric security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
  • Controlling access to and hardening the security of databases containing highly-sensitive data.

What is SQL Information Protection?

SQL IP introduces a set of advanced services and new SQL capabilities, forming a new information protection paradigm in SQL aimed at monitoring and protecting the data, not just the database:

  • Discovery and recommendations – A built-in classification engine scans your database and identifies columns containing potentially sensitive data. It then provides an effortless way to review and apply the appropriate classification recommendations via the Azure portal or via SQL Server Management Studio.
  • Labeling – Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL Engine. This metadata can then be used for advanced sensitivity-based auditing and protection scenarios.
  • Monitoring/Auditing – The sensitivity of each query result set is calculated in real time and used for auditing access to sensitive data. Additional logic can then be applied on top of the audit logs to identify and alert on anomalous access to sensitive data, extraction of large volumes of PII, and so on.
  • Visibility – The database classification state can be viewed in a detailed dashboard in the portal, as seen in Figure 1 below. Additionally, you can download a report (in Excel format) for compliance and auditing purposes, as well as other needs.

Figure 1: Data discovery and classification dashboard

SQL Information Protection in action demo video

The following video demonstrates the main SQL Information Protection public preview capabilities for Azure SQL DB and SQL Server:

What’s next?

Additional SQL IP capabilities will continue rolling out throughout the upcoming year, with a focus on scale and automation.

We'll be introducing centralized management via Azure Security Center, enabling organizations to customize the organizational information protection policy with proprietary labels and to enrich the discovery (recommendations) logic. We'll also be introducing centralized dashboards for visibility into the sensitivity state of all resources across the entire database estate.

In addition, various automation capabilities will be exposed, for supporting fully automated classification and labeling of large numbers of databases at scale.

We encourage customers to contact us with any questions or feedback at sqlsecurityfd@microsoft.com.



Partnerships power the future of better security

This post is authored by Jeremy Dallman, Principal Program Manager.

 

Our goal in building the Microsoft Graph Security API is to enable customers to share insights and take action across security solutions to improve protection and speed response. By creating a connected security ecosystem, Microsoft and partners can enable developers to simplify integration and alert correlation, unlock valuable context to aid investigation, and streamline security operations.

Palo Alto Networks shares the vision of enabling better integration to benefit our joint customers. They are a member of Microsoft Intelligent Security Association and as part of the Graph Security API launch at RSA, we showcased an application that demonstrated the power of integration between multiple Microsoft and Palo Alto Networks security offerings. We demonstrated how a Palo Alto Networks provider for the Security Graph can prevent successful cyberattacks by correlating alerts from Microsoft with its threat intelligence, firewall logs, and automated firewall policy changes.

Microsoft Graph Security API proof of concept integration using PowerBI

Our close collaboration continues and this week at the Palo Alto Networks user conference, Ignite 2018, we will unveil the latest joint innovation. Microsoft and Palo Alto Networks have worked to connect the Microsoft Graph Security API and the Palo Alto Networks Application Framework with a provider that brokers interactions between the two platforms. We will also demo a Microsoft PowerBI solution that accesses information from both the Palo Alto Networks Application Framework and the Microsoft Graph Security API giving our customers the ability to query and access all of their security data through a common interface.

For those attending Ignite this week, be sure to join the Wednesday (5/23) 4:00PM session where Jason Wescott and Francesco Vigo will discuss the collaboration between the Microsoft Graph Security API and the Palo Alto Networks Application Framework. If you aren't at Ignite, visit the Graph Security API documentation or sign up to request access to the Palo Alto Networks Application Framework API to start exploring how you can take advantage of this collaboration.


Now that you have a plan, it’s time to start deploying

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, First Things First: Envisioning Your Security Deployment.

In our previous blog post, we covered how FastTrack for Microsoft 365 can help you envision a successful Microsoft 365 security deployment. Now, we'll cover the next phase of our three-phase planning approach: Onboard. This is where you move from strategy and objectives to the practical details of deployment planning.

The Onboard phase is a critical time to remove any blockers you have, clean up any issues that might prevent your preferred deployment approach, and then start setting up services and users that integrate with your environment. The FastTrack team can help coordinate the setup, configuration, and provisioning of many of your Microsoft 365 services.

We will cover how to Drive Value with FastTrack for Microsoft 365 in our next blog. But first...

Your onboard checklist

The following checklist provides some of the items and actions that our FastTrack team can help you work through during the Onboard phase:

Network and Client

  • Identify and prepare DNS, network, and infrastructure needs
  • Configure DNS for eligible services
  • Configure TCP/IP protocols and firewall ports
  • Identify and prepare client needs (Internet browser, client operating system, and services’ needs)
  • Enable eligible services that have been purchased and defined as part of onboarding
  • Establish the timeline for remediation activities
  • Activate your Microsoft online service tenant or subscription
  • Validate connectivity to Microsoft online services

Identity

  • Provision user identity including licensing
  • Configure Azure AD Identity Protection
  • Configure Self Service Password Reset (SSPR)
  • Configure Azure Multi-Factor Authentication
  • Configure Privileged Identity Management
  • Set up Azure AD Conditional Access policies
  • Synchronize Azure AD Connect directory (with password writeback and password hash sync)

Access Management

  • Configure identities to be used by Intune, by either leveraging your on-premises Active Directory or cloud identities (Azure AD)
  • Add users to your Intune subscription, define IT admin roles (Helpdesk operator, admins, etc.), and create user and device groups
  • Configure and deploy Intune app protection policies for each supported platform and prepare line-of-business apps for app protection policies

Mobile Device Management (MDM)

  • Configure your MDM authority and policies and test to validate MDM management policies
  • Configure profiles on devices for supported platforms
  • Enroll devices of each supported platform to Intune or Configuration Manager with Microsoft Intune service

Ready for action? Start with a Success Plan

Our FastTrack Success Plan is an online tool that walks you through each step of the Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value and adoption with users.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack.





Securing the modern workplace with Microsoft 365 threat protection – part 4

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Responding to ransomware in the Modern Workplace

Over the last few weeks, we have shared the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect against and detect a modern ransomware attack. Today, we conclude our blog series by discussing how Microsoft 365 threat protection helps respond to attacks and also helps educate end users and raise their awareness of threats. In our ransomware scenario, once the threat has been detected, Microsoft 365 also helps respond and remediate, with automation playing a key role in making the response more manageable, more accurate, and less time consuming for administrators. The Microsoft 365 threat protection response and remediation services are shown in figure 1 below.

Figure 1 (panel title: Ransomware Detection with Microsoft 365) lists the services: Windows Defender Advanced Threat Protection, Azure Advanced Threat Protection, Microsoft Cloud App Security, Azure Security Center, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence.

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

In our ransomware scenario, Windows Defender Advanced Threat Protection (WDATP) alerts security operations teams about suspicious activities such as programs launching self-replicating copies. If the ransomware does manage to infect multiple devices, WDATP automatically investigates the alerts, applies artificial intelligence to determine whether a threat is real, and then decides what action to take. It then automatically remediates the threat on affected endpoints to stop further damage, as shown in figure 2.

Figure 2. WDATP automation mapping the propagation of a threat

WDATP provides manual machine-level responses, such as isolating a machine to contain the threat. Forensic data is also collected to better understand the attack and the attacker. WDATP also includes file-level response, quarantining or blocking malicious files. Azure Security Center likewise leverages automation, helping orchestrate these common security workflows:

  • Routing alerts to a ticketing system
  • Applying additional security controls
  • Gathering additional information
  • Asking a user to validate an action
  • Blocking a suspicious user account
  • Restricting traffic from an IP address

Azure Security Center employs behavioral analytics to uncover patterns and malicious activity, enabling proactive policies to be put in place to help prevent impact from future attacks. Response times are also improved with expanded signal from Azure Security Center's third-party integrations with firewalls and anti-malware engines. While Azure Security Center enables security operations personnel to respond to threats to the enterprise infrastructure, admins can quickly respond to threats to user identities by creating activity policies in Microsoft Cloud App Security (shown in figure 3) that suspend a user account when predefined conditions are met. In our example, the ransomware propagates by brute-force password guessing, which requires many login attempts, so repeated login failures from a single account are likely; this can be the trigger for Microsoft Cloud App Security to suspend the account. One of the powerful benefits of Microsoft Cloud App Security is that it extends protection beyond the Microsoft ecosystem: even if the login attempts are made against popular enterprise applications that are not Microsoft client apps, Microsoft Cloud App Security enables admins to respond to the anomalous activity.

 

Figure 3. Microsoft Cloud App Security General Dashboard
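As an added illustration, not code from the original post or from Microsoft Cloud App Security itself, the following Python sketch shows the detection logic behind such an activity policy: it counts failed sign-ins per account inside a sliding time window over constructed sign-in events and emits a suspend action once a threshold is reached. The event tuple format, the account names, the threshold and the window are assumptions for the example; Cloud App Security's own event schema, policy engine and governance actions are not modelled here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in events for illustration (not real tenant telemetry):
# (UTC timestamp, account, application, result). Alice is being brute forced
# across a Microsoft app and a third-party SaaS app; Bob mistypes once; Carol
# fails every 12 minutes, which never reaches the threshold inside one window.
SIGN_IN_EVENTS = [
    ("2018-05-10T08:00:01Z", "alice@contoso.example", "Office 365", "Failure"),
    ("2018-05-10T08:00:05Z", "alice@contoso.example", "Office 365", "Failure"),
    ("2018-05-10T08:00:12Z", "alice@contoso.example", "Salesforce", "Failure"),
    ("2018-05-10T08:00:20Z", "alice@contoso.example", "Salesforce", "Failure"),
    ("2018-05-10T08:00:31Z", "alice@contoso.example", "Office 365", "Failure"),
    ("2018-05-10T08:00:45Z", "alice@contoso.example", "Office 365", "Success"),
    ("2018-05-10T09:00:00Z", "bob@contoso.example", "Office 365", "Failure"),
    ("2018-05-10T09:04:00Z", "bob@contoso.example", "Office 365", "Success"),
    ("2018-05-10T10:00:00Z", "carol@contoso.example", "Office 365", "Failure"),
    ("2018-05-10T10:12:00Z", "carol@contoso.example", "Office 365", "Failure"),
    ("2018-05-10T10:24:00Z", "carol@contoso.example", "Office 365", "Failure"),
    ("2018-05-10T10:36:00Z", "carol@contoso.example", "Office 365", "Failure"),
    ("2018-05-10T10:48:00Z", "carol@contoso.example", "Office 365", "Failure"),
]

# Assumed policy parameters: this many failures inside the window trigger the action.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {account: time_of_first_trigger} for every account whose failed
    sign-ins reach `threshold` within any sliding `window`.

    Failures are counted regardless of application, so guesses spread across a
    Microsoft app and a third-party app still add up for the same account.
    """
    recent_failures = defaultdict(deque)  # account -> failure times still in window
    triggered = {}
    for ts_str, account, _app, result in sorted(events):
        if result != "Failure":
            continue
        ts = parse_ts(ts_str)
        window_q = recent_failures[account]
        window_q.append(ts)
        # Drop failures that have aged out of the window.
        while ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and account not in triggered:
            triggered[account] = ts
    return triggered


def suspend_actions(triggered):
    """Translate triggers into the governance action the policy would take."""
    return [
        {"account": account, "action": "suspend_user", "at": ts.isoformat() + "Z"}
        for account, ts in sorted(triggered.items())
    ]


if __name__ == "__main__":
    for action in suspend_actions(detect_brute_force(SIGN_IN_EVENTS)):
        print(action)
```

Only Alice's account is suspended: Bob's single failure and Carol's slow trickle never reach five failures inside ten minutes. One caveat when tuning such a policy: an attacker who knows failed sign-ins lead to suspension can deliberately spray wrong passwords to lock legitimate users out, so thresholds should be high enough to reflect real guessing rates, and the action should be reviewed rather than fully trusted.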

In Microsoft 365, threat response and remediation is offered with Office 365 Threat Intelligence. Using the Threat Explorer feature, security analysts and administrators can search for all instances of potentially malicious emails that may contain ransomware. The back-end is designed for efficient threat investigation and remediation. Emails that are part of a ransomware campaign can easily be discovered using a variety of search filters with the Threat Explorer shown in figure 4. The admin can select all the emails that need to be investigated from a specific sender and choose to take immediate action on potentially malicious emails including: move to junk, move to deleted items, soft delete, hard delete, and move to inbox. Choosing the delete action purges the malicious emails from all tenant mailboxes. There is also the option of creating an incident so that a manager must approve the action.

Figure 4. Office 365 Threat Explorer email remediation actions

Educating end users about ransomware in the modern workplace

We discussed cyber education as an important element of protecting organizations. Having end users who are prepared and informed on spotting potential cyber attacks is a powerful way to prevent attacks from harming an organization. Attack Simulator, shown in figure 5, is a new feature of Office 365 Threat Intelligence currently in public preview. Among several simulations is the Display Name Spear Phishing Attack. Spear phishing is a subset of phishing aimed at a specific group, individual, or organization and, as we discussed before, a method of spreading ransomware. Attack Simulator harnesses signal from Office 365 Threat Intelligence, which provides visibility into an organization's most targeted and potentially most vulnerable users, and enables admins to launch simulated threats against those very same users. This gives the most targeted users training on recognizing phishing emails, including those carrying ransomware, and gives admins visibility into how those users behave during an attack, enabling better-informed policy updates and security protocols.

Figure 5. Attack Simulator UI

Since the attack surface of the modern workplace is complex and broad, Attack Simulator will begin to offer simulated attacks through other attack vectors as it moves from preview to GA. Attack Simulator will help raise user awareness and effectiveness at spotting attacks across all the common attack vectors.

Microsoft 365 threat protection

Microsoft has invested heavily in helping secure our customers for many years by building security into our products from the ground up. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously updating advanced security solutions to protect customers from a wide variety of threats and types of attack. In this ransomware scenario you see an example of our continued focus on security, which provides end users strong protection from modern threats while giving administrators a powerful set of tools to help protect, detect, respond, and even educate against these threats. Threat protection is only one key aspect of Microsoft 365. Learn more about Microsoft 365 and understand how it can help your organization through its digital transformation journey. Additionally, follow the links below to learn more about the Microsoft 365 threat protection services and experience them by starting a trial.


Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the box data leakage prevention feature for Windows 10 that can automatically apply protection for work files and data to prevent accidental data leakage. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built right into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP is a key feature that offers much-needed data protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In today's security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!). Yet companies still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PC and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that works to prevent accidental data leakage for end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways. Elements like File Ownership are displayed and selectable in Explorer and the File Save As dialog. Helpful briefcase icons mark resources when you are in a work context in places like window title bars and Microsoft Edge's navigation bar. Unauthorized applications are blocked from single sign-on with work credentials. WIP also includes the ability to perform a selective wipe of business information while leaving personal data behind.

WIP has three simple policy enforcement modes. They let you choose whether and how the user experience in the clipboard, save dialog, and similar data-sharing cases offers options (overrides) to move work content into a non-work context. You can choose Hide Overrides, Allow Overrides, or Silent mode, which only audits. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can configure less and still benefit from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means that when you or your user unenrolls the work account from a personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (without enrollment) targeting, MDM (with enrollment), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when you're ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You do this by configuring your corporate network boundary: using network isolation policies, you identify your LAN and corporate cloud resources, which Edge and other applications use to recognize work sites and encrypt the data that comes from them. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online to ensure that only managed devices can reach that data.

Additionally, WIP Learning lets you see the applications you didn't know were being used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or in your Windows Analytics portal if you have Azure Log Analytics (formerly Microsoft Operations Management Suite, or OMS). WIP Learning lets you tune your app policy to add legitimate work apps and even detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe control and auditing while tuning your app list for different deployment groups in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data coming to the Windows device, and it also pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP combined with AIP provides application-level access control while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIP's simple business-vs-personal information classification keeps it simple and easy to use.

USB flash drives arent the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to guide users to use Outlook with their corporate email account to send work attachments, and SharePoint or OneDrive for Business to collaborate on work documents. This lets you enhance your overall data protection with Office DLP outbound rules, send email notifications, policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management Intune quick setup, WIP Learning for Apps and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved Recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from third-party apps such as Citrix (ShareFile), Dropbox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.


The final compliance countdown: Are you ready for GDPR?

On May 25, the General Data Protection Regulation (GDPR) will replace the Data Protection Directive as the new standard on data privacy for all organizations that do business with European Union (EU) citizens.[1] When GDPR goes into effect, government agencies and organizations that control, maintain, or process information involving EU citizens will be required to comply with strict new rules regarding the protection of personal customer data.

GDPR's broad scope and holistic interpretation of personal information leaves these agencies and organizations responsible for protecting a wide range of data types, including genetic and biometric data.[2] Leading up to the GDPR rollout, many companies will be reevaluating their current data storage and sharing methods and determining whether they need to implement new strategies. More than ever, this regulatory transition highlights the importance of prioritizing a strong and comprehensive security stance within your organization.

According to a recent GDPR benchmarking survey, although 89 percent of organizations have (or plan to have) a formal GDPR-readiness program, only 45 percent have completed a readiness assessment.[3] Regardless of where your organization and its security protocols are in terms of GDPR readiness, Microsoft can help. Microsoft has been working on GDPR-compliant business and engineering solutions for the better part of a year. Because of our extensive experience developing products with security built in, we've been a leading voice on privacy and GDPR-related issues with EU regulators.

We've turned these conversations and insights into a free, four-part video series. Watch the Countdown: Preparing for GDPR series today to hear from industry experts and learn more about Microsoft's commitment to helping your organization achieve GDPR compliance.

You can also read more about our point of view on this transition as the first hyper-scale cloud vendor to offer GDPR terms and conditions in the enterprise space.

Finally, you are invited to a free May 25th GDPR live webcast, Safeguarding individual privacy rights with the Microsoft Cloud. Youll learn how you can:

  • Use GDPR fundamentals to assess and manage your compliance risk.
  • Help protect your customers' data with our built-in, intelligent security capabilities.
  • Meet your own compliance obligations by streamlining your processes.


[1] https://www.eugdpr.org

[2] https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

[3] https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-nwe-gdpr-benchmarking-survey-november-2017.pdf


Securing the modern workplace with Microsoft 365 threat protection – part 3

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Detecting ransomware in the modern workplace

Over the last two weeks, we have shared with you the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect the modern workplace from ransomware. This week, we discuss how Microsoft 365 threat protection helps detect ransomware in the modern workplace. Detection is critical for any best-in-class security solution, especially when a user does not use Microsoft Edge and so does without its web protection. In our web-based scenario, the user can access the website through another browser, download the "software update," and infect their machine with ransomware. Microsoft 365 offers detection capabilities across all threat vectors, and figure 1 summarizes the services that help detect threats.

Figure 1 (panel title: Ransomware Detection with Microsoft 365) lists the services: Windows Defender Advanced Threat Protection, Azure Advanced Threat Protection, Microsoft Cloud App Security, Azure Security Center, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence.

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

For example, with ransomware downloads from the web, Windows Defender ATP's (WDATP) next-gen antivirus protection does an initial analysis of the file and sends suspicious files to a detonation chamber, where a verdict is quickly determined. If the verdict is malicious, WDATP immediately begins blocking the threat. Today's most sophisticated ransomware is designed to spread laterally across networks, increasing its potential impact. Fortunately, WDATP enables security operations specialists to isolate machines from the network, stopping threats from spreading. WDATP also provides granular visibility into the device ecosystem so that a compromised device can be easily identified. Built-in threat intelligence helps detect the latest threats and provides real-time threat monitoring. As we alluded to, signal sharing via the Intelligent Security Graph is a powerful differentiator of Microsoft 365, enabling threat detection across any threat vector. Once WDATP determines the downloaded files are malicious, it shares this signal with the Intelligent Security Graph, making our other platforms aware of the threat.

The seamless integration, for example, allows admins to pivot directly from the device analysis in WDATP to user profiles in Azure ATP without losing context allowing a detailed investigation of the incident as shown in Figure 2 below.

Figure 2. Signal sharing and event timeline shared between WDATP and Azure ATP

Often, ransomware uses brute-force password guessing to move laterally through a network, which our Azure ATP service is specifically designed to detect. A brute-force attack may attempt many logins until a correct password grants entry to an account. This anomalous behavior would be detected by Azure ATP, and with the signal shared from WDATP, the anomaly can be correlated with the ransomware so that the threat is blocked from spreading to other parts of the network (devices, users, etc.). Azure ATP enables security operations analysts to investigate the types of intrusions and the methods used by attackers to gain privileged access to user identities, and it provides a clear attack and event timeline. While Azure ATP detects anomalies at the network level, Microsoft Cloud App Security can detect abnormal file and user behavior within native Microsoft cloud apps such as Office 365 as well as third-party cloud applications. To detect ransomware attacks, Microsoft Cloud App Security identifies behavioral patterns that reflect ransomware activity, for example a high rate of file uploads or file deletions, coupled with threat intelligence such as the detection of known ransomware extensions. Microsoft Cloud App Security alerts on these abnormalities using anomaly detection policies that provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities, as well as fully customizable activity policies, enabling SecOps to detect these anomalies instantly. Learn more about how Microsoft Cloud App Security and Azure ATP work in tandem to help detect an actual ransomware attack.
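As an added example, not part of the original post and not Cloud App Security's own code, here is Python detection logic in the spirit of the two file-activity patterns just described: a burst of files renamed or uploaded with a known ransomware extension, and a burst of deletions by one user inside a short window. The audit event tuples, the extension list, the thresholds and the window are constructed assumptions for illustration; they are not Cloud App Security's event schema or its actual detection thresholds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext

# Illustrative extensions appended by well-known ransomware families (Locky
# and WannaCry); a production list would be fed from threat intelligence.
RANSOMWARE_EXTENSIONS = {".locky", ".zepto", ".wncry"}

# Assumed thresholds: this many matching events by one user inside WINDOW alert.
EXTENSION_THRESHOLD = 10
DELETE_THRESHOLD = 20
WINDOW = timedelta(minutes=5)


def constructed_events():
    """Constructed cloud-app audit events (not real logs):
    (UTC timestamp, user, operation, file name after the operation)."""
    mallory = "mallory@contoso.example"
    alice = "alice@contoso.example"
    events = []
    # Mallory's session encrypts and renames 12 documents within one minute...
    events += [(f"2018-05-10T11:00:{5 * i:02d}Z", mallory, "FileRenamed", f"report{i}.docx.locky")
               for i in range(12)]
    # ...then deletes the 25 originals in a burst.
    events += [(f"2018-05-10T11:02:{i:02d}Z", mallory, "FileDeleted", f"report{i}.docx")
               for i in range(25)]
    # Alice's ordinary activity: a couple of uploads and two deletions.
    events += [("2018-05-10T11:01:00Z", alice, "FileUploaded", "budget.xlsx"),
               ("2018-05-10T11:01:30Z", alice, "FileUploaded", "notes.docx"),
               ("2018-05-10T11:01:40Z", alice, "FileDeleted", "old.docx"),
               ("2018-05-10T11:01:50Z", alice, "FileDeleted", "older.docx")]
    return events


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_ransomware_activity(events, window=WINDOW,
                               extension_threshold=EXTENSION_THRESHOLD,
                               delete_threshold=DELETE_THRESHOLD):
    """Return a list of alert dicts, one per (user, rule) the first time it fires.

    Rule "known_ransomware_extension": renames/uploads whose extension is in
    RANSOMWARE_EXTENSIONS.  Rule "mass_deletion": FileDeleted events.  Each rule
    keeps a sliding window of event times per user and fires at its threshold.
    """
    counters = defaultdict(deque)  # (user, rule) -> event times still inside window
    fired = set()
    alerts = []
    for ts_str, user, operation, name in sorted(events):
        if operation in ("FileRenamed", "FileUploaded") and \
                splitext(name)[1].lower() in RANSOMWARE_EXTENSIONS:
            rule, threshold = "known_ransomware_extension", extension_threshold
        elif operation == "FileDeleted":
            rule, threshold = "mass_deletion", delete_threshold
        else:
            continue  # other operations are not part of either pattern
        ts = parse_ts(ts_str)
        key = (user, rule)
        window_q = counters[key]
        window_q.append(ts)
        while ts - window_q[0] > window:   # age out events older than the window
            window_q.popleft()
        if len(window_q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"user": user, "rule": rule,
                           "at": ts.isoformat() + "Z", "count": len(window_q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_activity(constructed_events()):
        print(alert)
```

Running it produces two alerts for Mallory, the first when the tenth .locky rename lands and the second at the twentieth deletion, while Alice's handful of normal operations never reaches either threshold. The two rules are kept independent so that a family that encrypts in place without a telltale extension still trips the deletion rule, and a user who renames a few files to a suspicious extension is not flagged on a single event.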

Azure Security Center is also connected with WDATP and provides infrastructure-level alerts, and it even provides an investigation path so admins can fully view the threat propagation details. The service includes threat intelligence that maps the threat source and provides the potential objectives of the threat campaign. What happens if an attacker senses that the web-based attack vector is being blocked and pivots to sending the ransomware via email as an attachment? Microsoft 365 integration is again crucial: WDATP also shares its signal with Office 365, and once our ransomware is identified by WDATP, Office 365 begins blocking the threat too. With Office 365 ATP's real-time reporting and Office 365 Threat Intelligence, admins gain full visibility into all users who receive ransomware via email. Both Office 365 ATP and Office 365 Threat Intelligence also track threats found in SharePoint Online, OneDrive for Business, and Teams, so detection extends to the entire Office 365 suite. With Microsoft 365 threat protection, threats can be easily detected no matter how an attack is launched. Figure 3 shows the new Microsoft 365 Security and Compliance Center, which is the hub from which admins can access information from the different services.

Figure 3. Microsoft 365 Security and Compliance center which connects the Azure, Office 365, and Windows workloads

Next week we conclude our Microsoft 365 threat protection blog series by covering the remediation and education capabilities offered by Microsoft 365 threat protection. We will demonstrate how Microsoft 365 threat protection workloads can help quickly remediate a ransomware attack and also help educate end users on how to behave and react when under attack.



Securing the modern workplace with Microsoft 365 threat protection – part 2

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Protecting the modern workplace against Ransomware

Last week, we shared the roots of Microsoft 365 threat protection. This week, we want to share how Microsoft 365 threat protection services work together to help organizations protect themselves. Figure 1 is a graphical representation of the Microsoft advanced threat protection services which secure the attack surface.

Figure 1. Microsoft 365 advanced threat protection services work together to protect the modern workplace from attacks.

We continue with our ransomware scenario. Ransomware restricts data access by encrypting the user's files or locking computers. Victims are required to pay a ransom to regain access to their machine and/or files. Microsoft closely monitors the threat landscape, and the security intelligence in Figure 2 shows that ransomware remains a prevalent and lethal threat type. All forms of ransomware can be launched at an organization through email, the device ecosystem, or the enterprise infrastructure.

Figure 2. Monthly ransomware and ransomware downloader encounters, July 2016 to June 2017.

With so many different attack vectors, a point service will be unable to mitigate the variety of potential ransomware attacks. Having services that protect specific parts of the attack surface and can also share signals to alert the services protecting other parts of the enterprise is the only way to help ensure full and near real-time security. In many ransomware scenarios, users receive an email suggesting a necessary software update that can be performed by downloading an attachment. The attachment contains a trojan downloader which runs a ransomware payload once opened. Figure 3 shows the Microsoft 365 threat protection services which can help protect the modern workplace from ransomware attacks.

Figure 3. Ransomware protection services for M365 threat protection: Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, and Azure Security Center.

All Microsoft 365 threat protection users have email protected with Office 365 ATP, which helps stop unknown advanced threats sent via email. Office ATP detonates all email attachments, determines whether the file is malicious, and removes the file before final delivery of the email to a user mailbox. Additionally, Office ATP assesses links at time of click, both in the body of an email and embedded in attachments, and detonates them to determine if they point to a malicious website. Since the attack surface is broad, attacks are often made directly against devices. As such, several new enhancements that help prevent ransomware are built into the latest version of Windows 10, leveraging machine learning and behavior-based technologies which lead the evolution of malware prevention. To attack the device directly, imagine that our attacker creates a website hosting exploit kits containing ransomware. Users visiting the site mistakenly download ransomware directly from the website. In such an event, Microsoft Edge leverages Windows Defender ATP's browser protection capability, which determines if a site is malicious and can block access, helping secure the ransomware entry point. Ransomware attacks also target workloads running in the cloud. Azure Security Center helps provide visibility into your cloud infrastructure, leveraging machine learning backed by the Intelligent Security Graph to provide actionable alerts and recommendations on mitigating such threats, as shown in Figure 4. While none of these services alone can protect the entire modern workplace, together as Microsoft 365 threat protection they give organizations confidence that Microsoft helps reduce threats from all vectors. Next week, we'll demonstrate how Microsoft 365 threat protection services help detect ransomware attacks.

Figure 4. The Azure Security Center Dashboard.



First things first: Envisioning your security deployment

This blog post is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 Security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog Accelerate your security deployment with FastTrack for Microsoft 365.

Every successful project begins with a planning phase and planning a successful Microsoft 365 Security deployment is no different. Before digging into how you will roll out your new security infrastructure, start by asking what you want to achieve from both a business and technical standpoint. We will cover how to Onboard with FastTrack for Microsoft 365 in our next blog post.

Do all end users need anytime, anyplace access to data? Do they require access across all devices, or just selected devices? What data do you need to protect? Are different levels of security required for different users or groups? What about compliance considerations and company policies? Do you want your partners and customers to have secure access? This may not even be an option if government regulations restrict what controls you need to put in place.

FastTrack for Microsoft 365 can help you work through these and other critical security planning considerations. FastTrack provides end-to-end guidance for planning, onboarding, and driving end user adoption for Microsoft 365, which comprises Enterprise Mobility + Security (EMS), Windows 10, and Office 365.

Based on thousands of customer experiences, we developed a three-step planning approach: Envision, Onboard, and Drive Value. The Envisioning phase can help you lay the groundwork for an effective security deployment plan.

Envisioning is a systematic way to match Microsoft 365 Security features with relevant company goals. It involves identifying and prioritizing relevant scenarios while learning about the tools and resources available as you plan for your rollout. In many ways, this stage is the most critical part of your journey, as you're setting the business goals you'll measure your success against later.

Your Envisioning Checklist

The following checklist provides a few tips that our FastTrack for Microsoft 365 managers and engineers use to help you get your Envision step underway.

  • Know your goals and scenarios
    Decide what specific products and feature sets you want to enable and why by understanding what they will do for your company and your end users. Here are some examples:

    • Do you plan to secure your cloud resources and force users to provide additional verification to access them? For instance, are you thinking about

      • MFA (Multi-Factor Authentication)
      • Mobile Device Management
      • Azure Active Directory Domain Join
      • App access management

    • Are you considering empowering users to manage their own password resets?
    • Consider how you control admin access to cloud services (like O365), such as permanent rights granted to their account, or requiring MFA for admins.
    • What will be your device management strategy?

      • Which platforms (iOS, Android, Windows, etc.)?
      • Do you have corporate owned devices, will you allow BYOD (Bring Your Own Device), or both?

  • Leverage the resources to build your understanding
    Define the minimum requirements to deploy and determine if those requirements will work on your legacy architecture. You can find product videos, infographics, and demos at Microsoft Docs and FastTrack resources.
  • Map your key stakeholders and influencers
    Determine who will lead your organization's various teams and departments in this transformation, which employees will need special training based on how the new security tools affect their work, and who will own deployment and ongoing operations. FastTrack will use this information to identify the context of your deployment as it maps to your employees.

As you'll discover, Envisioning can quickly add clarity and focus to an otherwise complex security roll-out. Ready to kick off a successful Envisioning process?

Start with a Success Plan

Our FastTrack Success Plan is an online tool that walks you through each step of your Envisioning experience. The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack.



Securing the modern workplace with Microsoft 365 threat protection – part 1

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

The roots of Microsoft 365 threat protection

Over the next few weeks, we'll introduce you to Microsoft 365's threat protection services and demonstrate how Microsoft 365's threat protection leverages strength of signal, integration, machine learning and AI to help secure the modern workplace from a ransomware attack. Previously, we showcased how Office 365 helps mitigate modern phishing attacks. Microsoft 365 threat protection goes even further, providing robust protection, detection, and response capabilities across an organization's entire attack surface. For those not aware, Microsoft 365 was introduced at last year's Microsoft Inspire conference to provide an intelligent, integrated, and secure solution for the modern workplace, combining the benefits of Microsoft's flagship Windows, Office 365, and Enterprise Mobility Suite (EMS) platforms. Figure 1 shows the services which are part of Microsoft 365 threat protection and jointly help secure the modern workplace so organizations can initiate and drive their digital transformation.

Figure 1. The Microsoft 365 threat protection security services

Microsoft is committed to a security first mindset

Microsoft has always been securing products and platforms to protect our customers who rely on our software and cloud services. Our security focus is essential to meet the 24/7 business cycle demands and helps ensure our customers rarely experience downtime from a security event. Microsoft invests $1B+ annually on security, employs 3500+ security professionals, and has built several strong ecosystem partnerships. As the modern workplace grows in complexity, Microsoft continues building and enhancing its security capabilities to help our customers stay ahead of modern threats. Microsoft itself is one of the world's largest enterprises and uses the same security products to protect our organization that we offer our customers.

The Microsoft Intelligent Security Graph

For our teams at Microsoft (both in operations and development), security really begins with the Microsoft Intelligent Security Graph. It is the platform that powers Microsoft security products and services by using advanced analytics to link threat intelligence and security signals from Microsoft and partners to identify and mitigate cyberthreats. Intelligence in the Intelligent Security Graph comes from consumer and commercial services that Microsoft operates on a global scale, such as Windows, Office 365, and Azure, as shown in Figure 2. At Microsoft, we have massive depth and breadth of intelligence. Across our global services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, scan more than 1.2 billion devices for threats, perform nearly 2.6 billion unique file scans, and draw on signal from more than 200 cloud services. Importantly, this data always goes through strict privacy and compliance boundaries before being used for security.

Figure 2. Microsoft's Global Threat Intelligence is one of the largest in the industry

Signal from the graph is analyzed using a combination of Microsoft's industry-leading artificial intelligence and machine learning capabilities, coupled with the expertise of security researchers, analysts, hunters, and engineers across the company, to quickly identify attacks and emerging trends so that we can evolve the immediate detections and capabilities of Microsoft 365. All our security capabilities leverage the graph, including the threat protection services comprised of Windows Defender Advanced Threat Protection (WDATP), Office 365 Advanced Threat Protection (ATP), Office 365 Threat Intelligence, Microsoft Cloud App Security, Azure Security Center, and the newly launched Azure Advanced Threat Protection (Azure ATP).

These threat protection services also share threat signal with each other through the graph, and this signal sharing enables each service to leverage threat data not only from the threats blocked by that service but from threats across the entire threat landscape. While this post uses the example of a sophisticated ransomware attack, customers who leverage the entire Microsoft 365 threat protection stack will have near real-time protection from many types of new and unknown threats (e.g. 0-days, advanced phishing, advanced malware, etc.) for their device ecosystem, Office 365 ecosystem, and cloud, on-premises, or hybrid infrastructures by leveraging the Intelligent Security Graph.

Microsoft 365 threat protection

The modern workplace is exposed to the rapid evolution of cyber threats, from individual threats, to sophisticated organizational breaches, to rapid cyberattacks. With the growing complexity of the modern workplace, the attack surface has rapidly expanded, to a point where no single service can adequately protect an organization. To address this, we focused on developing different services that specialize in the main threat vectors and then integrating them together via the Intelligent Security Graph. The modern workplace is composed of employee identities, enterprise applications and data, devices, and infrastructure. Microsoft 365 threat protection helps mitigate advanced threats from each of these potential threat vectors, providing an end-to-end, holistic solution that secures an organization's entire attack surface and enables:

  • Protection: against advanced threats such as 0-days, targeted phishing, ransomware, and others
  • Detection: when a breach has occurred, who has been breached, and what data has been compromised
  • Response: remediate an attack and return the organization to a no-threat state
  • Education: end users learn how to react or respond to different types of threats

While most security solutions do not include an educational component, we have seen that many of our customers now help educate their end users on how to react and behave in the event of a cyberattack. To help address this important aspect of security, we now offer tools that can help educate end users. While the majority of attacks are still initiated via email, 2017's most destructive attacks, NotPetya and WannaCry, were not email based. One of the benefits of Microsoft 365 threat protection is seamless integration that enables rapid transfer of information across platforms and services to help ensure all attack surfaces are quickly secured no matter where a threat originates. Over the next few weeks, we will cover Microsoft 365 and how to enable (1) Protection, (2) Detection, and (3) Response and Education. Next week, we'll demonstrate how Microsoft 365 threat protection helps organizations protect an enterprise from a ransomware attack.


Connect to the Intelligent Security Graph using a new API

Most organizations deal with high volumes of security data and have dozens of security solutions in their enterprise, making the task of integrating various products and services daunting and complex. The cost, time, and resources necessary to connect systems, enable correlation of alerts, and provide access to contextual data is extremely high. These challenges hinder the ability for organizations to move quickly when detecting and remediating threats in a world of fast-moving, disruptive attacks.

By connecting security data and systems, we can gain an advantage over today's adversaries. At Microsoft, our security products are powered by the Intelligent Security Graph, which synthesizes massive amounts of threat intelligence and security signals from across Microsoft products, services, and partners using advanced analytics to identify and mitigate cyberthreats. This week at the RSA conference, we announced the public preview of a Security API that empowers customers and partners to build on the Intelligent Security Graph. By connecting security solutions and integrating with existing workflows, alerts and contextual information from multiple solutions can be easily consolidated and correlated to inform threat detection, and actions can be taken to streamline incident response. The unified API will make these connections easier by providing a standard interface and uniform schema to integrate and correlate security alerts from multiple sources, enrich investigations with contextual data, and automate security operations for greater efficiency.

The Security API is part of the Microsoft Graph, which is a unified REST API for integrating data and intelligence from Microsoft products and services. Using Microsoft Graph, developers can rapidly build solutions that authenticate once and use a single API call to access or act on security insights from multiple security solutions. Additional value is uncovered when you explore the other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) to tie business context to your security insights.

This public preview supports API access to alerts from Azure Security Center and Azure Active Directory Identity Protection, with Intune and Azure Information Protection coming soon. We are also announcing support for high-volume streaming of alerts to a SIEM through Security API integration with Azure Monitor. This will enable seamless ingestion of alerts from multiple sources directly into a SIEM. Over the coming months, we'll add many more Microsoft and partner security solution integrations as data providers. We will also add new capabilities that unlock new security context through Security Inventory and take actions to automate security operations through the same Security API.

Enabling ecosystem partners

The Security API opens up new possibilities for integration partners to build with the Intelligent Security Graph. Partners can not only consume security insights from the Graph but they can allow their alerts, context, and automation to be enabled in the Graph at peer level with integrated Microsoft products. By forming a connected, extended ecosystem of security technologies, Microsoft and partners can deliver better protections for our customers. Some partners have already onboarded to the Security APIs and many other integrations are in progress:


Anomali integrates with the Security API to correlate alerts from Microsoft Graph with threat intelligence, providing earlier detection and response to cyber threats.

“The Security Graph API allows us to receive not only actionable alert information but allows security analysts to pivot and enrich alerts with asset and user information.”
Colby DeRodeff, Co-founder and Chief Strategy Officer of Anomali


Palo Alto Networks can enrich alerts from Microsoft Graph Security with threat intelligence speeding up detection and prevention of cyberattacks for our shared customers.

“The adoption of public clouds is accelerating, but so is the threat level to the applications and data inside organizations. Today's announcement of the Microsoft Graph Security API sets the stage for expanding the built-in security features we can offer our joint customers and to help organizations safely embrace the cloud.”
Andy Horwitz, Vice President, Business and Corporate Development, Palo Alto Networks


PwC uses alerts and context from Microsoft Graph in its Secure Terrain solution to deliver improved visibility and protection.

“The integration with Secure Terrain offers users a streamlined way to investigate Microsoft Graph alerts in the context of the broader enterprise and perform threat hunting investigations.”
Christopher Morris, Principal at PricewaterhouseCoopers

Building intelligent security applications

Customers, managed service providers, and technology partners, can leverage the Security APIs to build and integrate a variety of applications. Some examples include:

  • Custom security dashboards. Surface rich alerts in your custom Security Operations Center dashboards: streamline alerts and add contextual information about related entities
  • Security operations tools. Manage alerts in your ticketing, security or IT management system: keep alert status and assignments in sync, automate common tasks
  • Threat protection solutions. Correlate alerts and contextual information for improved detections, and take action on threats: block an IP on the firewall or run an AV scan
  • Other applications. Add security functionality to non-security applications: HR, financial, and healthcare apps
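The uniform alert schema described earlier and the "correlate alerts and contextual information" use case in the list above can be illustrated with a small consolidation step a custom SOC dashboard would run over alerts it pulled from the API. This is an added example written for this page, not Microsoft's own sample code: the sample alert records are constructed, the field names (`id`, `severity`, `status`, `vendorInformation.provider`, `userStates[].userPrincipalName`, `hostStates[].fqdn`) follow the Microsoft Graph Security alert resource as I understand it and should be checked against the current API reference, the provider labels are made up, and the `/security/alerts` path and OData filter are the v1.0 form I know rather than the preview endpoint this post announced. No request is sent; the query builder only shows the shape of the call.

```python
"""Consolidate and correlate Graph-style security alerts from several providers.
Added example for this page; alert records and provider names are constructed."""
import json
from collections import defaultdict
from urllib.parse import quote, urlencode

# Alert severity values as used by the Graph Security alert resource (assumed).
SEVERITY_RANK = {"unknown": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"  # assumed current path

# Constructed sample alerts; shape only approximates the real resource.
SAMPLE_ALERTS_JSON = """[
  {"id": "a1", "title": "Suspicious process executed", "severity": "high",
   "status": "newAlert", "createdDateTime": "2018-04-18T09:00:00Z",
   "vendorInformation": {"provider": "Azure Security Center", "vendor": "Microsoft"},
   "hostStates": [{"fqdn": "vm-web01.contoso.example", "privateIpAddress": "10.0.1.4"}],
   "userStates": [{"userPrincipalName": "jdoe@contoso.example", "logonIp": "10.0.1.4"}]},
  {"id": "a2", "title": "Sign-in from anonymous IP address", "severity": "medium",
   "status": "newAlert", "createdDateTime": "2018-04-18T08:55:00Z",
   "vendorInformation": {"provider": "Azure AD Identity Protection", "vendor": "Microsoft"},
   "hostStates": [],
   "userStates": [{"userPrincipalName": "JDoe@contoso.example", "logonIp": "203.0.113.9"}]},
  {"id": "a3", "title": "Failed SSH brute force attempt", "severity": "low",
   "status": "inProgress", "createdDateTime": "2018-04-18T07:10:00Z",
   "vendorInformation": {"provider": "Azure Security Center", "vendor": "Microsoft"},
   "hostStates": [{"fqdn": "vm-db01.contoso.example"}],
   "userStates": [{"userPrincipalName": "asmith@contoso.example"}]}
]"""


def load_sample_alerts():
    """Return the constructed alerts as parsed JSON (what a GET would yield in `value`)."""
    return json.loads(SAMPLE_ALERTS_JSON)


def build_alerts_query(min_severity="medium", top=50):
    """Build the URL and OData parameters for fetching alerts at or above a severity.
    Plain OData syntax; the filterable properties should be confirmed in the API docs."""
    floor = SEVERITY_RANK[min_severity]
    levels = [s for s, r in sorted(SEVERITY_RANK.items(), key=lambda kv: kv[1]) if r >= floor]
    params = {"$filter": " or ".join(f"severity eq '{s}'" for s in levels), "$top": top}
    return f"{GRAPH_ALERTS_URL}?{urlencode(params, quote_via=quote)}", params


def normalize(alert):
    """Flatten one alert to the fields a dashboard keys on, regardless of provider."""
    users = [u["userPrincipalName"].lower() for u in alert.get("userStates", [])
             if u.get("userPrincipalName")]
    hosts = [h["fqdn"].lower() for h in alert.get("hostStates", []) if h.get("fqdn")]
    return {
        "id": alert["id"],
        "provider": alert.get("vendorInformation", {}).get("provider", "unknown"),
        "severity": alert.get("severity", "unknown").lower(),
        "status": alert.get("status", "unknown"),
        "title": alert.get("title", ""),
        "users": users,
        "hosts": hosts,
    }


def correlate_by_user(alerts):
    """Group normalized alerts by user principal name so that alerts about the same
    identity from different providers land in one bucket."""
    groups = defaultdict(list)
    for a in map(normalize, alerts):
        for upn in a["users"]:
            groups[upn].append(a)
    return dict(groups)


def prioritize(groups, min_providers=2):
    """Rank users: corroboration by several providers first, then highest severity,
    then number of alerts."""
    ranked = []
    for upn, items in groups.items():
        providers = sorted({a["provider"] for a in items})
        ranked.append({"user": upn, "providers": providers,
                       "max_severity": max(SEVERITY_RANK.get(a["severity"], 0) for a in items),
                       "alert_ids": [a["id"] for a in items]})
    ranked.sort(key=lambda r: (len(r["providers"]) >= min_providers,
                               r["max_severity"], len(r["alert_ids"])), reverse=True)
    return ranked


if __name__ == "__main__":
    print(build_alerts_query("medium")[0])
    for row in prioritize(correlate_by_user(load_sample_alerts())):
        print(row)
```

The mixed-case `JDoe@contoso.example` in the identity-protection alert only correlates with the Security Center alert because `normalize` lower-cases principal names; without that step the same user would appear as two unrelated entities, which is the sort of mismatch a uniform schema on the client side has to absorb.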

Get started today:

Join us at the Microsoft booth, N3501 in the north expo hall, at RSA Conference 2018 in San Francisco. You'll get the chance to speak to experts and see how our partners are using the API.

To learn more and get started today with using the Microsoft Graph Security API, check out the following resources:


Microsoft to deliver new products and strategies for security innovation at 2018 RSA Conference

At the 2018 RSA Conference, our senior leaders will dissect modern cyber defense strategies, and reveal new products to detect and block cyber attacks when they happen. Our objective is to arm business, government and consumers with deeply integrated intelligence and threat protection capabilities across platforms and products. To this end, we have much to share, joining tech giants and top security leaders and pioneers to expand the frontlines of cyber defense.

The theme of this year's RSA Conference is Now Matters, a nod to the pressure and urgency to protect governments, economies, and the nearly half of the world's population who connect to the Internet. Microsoft President Brad Smith keynotes a valuable session, The Price of Cyber Warfare, detailing the new reality that emerged for people and infrastructure from the WannaCry and NotPetya attacks.

In addition to the keynote, several of our senior leaders will host the following industry leading sessions:

Within these sessions, we will preview our new products and strategies, dive into IoT, and explore commercial scenarios that touch the gig economy.

Join us at booth 3501 in the North Expo, which will be stocked with rich content and product experts to help answer your questions, including anything from our recently released Microsoft Security Intelligence Report. The booth schedule is also loaded with engaging demo stations showcasing identity and access management, information protection, threat protection, security management, GDPR and compliance solutions, and the Intelligent Security Graph. We're also holding a variety of presentations on key topics in our booth, such as:

  • Windows Defender ATP Unified platform for endpoint security
  • Anti-phish Technologies to Protect Your Office 365 Environment
  • Our Journey to a World without Passwords with Windows Hello
  • Secure IaaS Deployments Using Microsoft Azure Security Center
  • Simplify Compliance with Compliance Manager

Stop by our booth 3501 in the North Expo any time to view these demos and presentations, or visit Microsoft.com/rsa to help plan your conference schedule. Be sure to check back on the Microsoft Secure blog to get more information on the Microsoft announcements as they take place and for post-RSA content.


Join Microsoft for a security in a day workshop

Let’s talk about an integrated security experience. Many of our customers are in various stages of cybersecurity maturity:

Initializing

  • Firefighting
  • No formal security program

Developing

  • Point solutions/tools for basic controls
  • Pockets of expertise

Defining

  • Aligned to frameworks
  • Documented controls
  • Begins to integrate signals for faster response

Managing

  • Intelligence driven response and recovery
  • Organization wide emphasis
  • C-suite sponsorship

Optimizing

  • Continuous improvement through innovation
  • Aims to be predictive
  • Trusted intel sharing

But what is the goal at the end of the day as you move up the maturity model? Some people may say “to be secure.” The problem with that is there is no checkbox for “you are secure.” So, the question customers must ask themselves is, am I secure enough? If you look at the security model and say, no, I’m not mature enough, I’m not predictive enough – how can I improve that? Then there is almost a limitless number of investments you can make into security. But how do you know where to invest and what is the real strategy behind those investments?

One of the frameworks you can take up is to switch the question from a defender's dilemma into an attacker's dilemma and ruin the attacker's economic model. There are a few components you can put together to drive that outcome.

Break the known attack playbook

To decide where to make the investments, you can try to be predictive and see what some of the known attack playbooks (e.g. phishing, ransomware) are in use and break them down. Take a look at the opportunities to disrupt those plays. Can you identify what that play is and how to disrupt it? Different plays require different options so that you can proactively take the time to raise the cost to the attacker.

Agile response & recovery

If the attacker gets past the first line of defense, have a next line of defense that's ready. Assume breach as an approach to thinking like the attacker. Start by proactively identifying the targeted asset: what is the threat to your company? What are the attack vectors your company is most vulnerable to? What are the trends you are seeing? You can then start to answer how to set up your response and recovery against those playbooks in an intelligent and holistic way.

Eliminate other attack vectors

This can be done as you’re able to over time or you can pivot very quickly towards future attacks. The better you get at the first two pieces, the more components you have in play to make up the puzzle to get here. Nobody really knows what those other attack vectors may be, but to be very solid in breaking the known attack playbook and agile response and recovery will help set you up for success, because similar components may be used.

Where do I start?

We have a series of Security in a Day Workshops in April and June (schedule for June coming soon) at our local Microsoft Technology Centers where you can spend the day digging into different risk profiles and learn how to strategize your move up the maturity model. Our Microsoft Security partners will cover the why, the how, and strategies to dig into the attack profiles and how to mitigate those risks so that you can build your integrated security experience. Find a local event near you or click on the link down below:

  • Chicago, April 11th, 2018
  • Reston, April 11th, 2018
  • New York, April 12th, 2018
  • Bellevue, April 12th, 2018
  • Philadelphia, April 17th, 2018
  • San Francisco, April 18th, 2018
  • Irvine, April 26th, 2018


Security baselines should underpin efforts to manage cybersecurity risk across sectors

This post is authored by Angela McKay, Director of Cybersecurity Policy, and Amanda Craig, Senior Cybersecurity Strategist, CELA.

Organizations are leveraging technology to transform their operations, products, and services, and governments are increasingly focusing on how to enable such dynamic change while also managing risks to their critical infrastructure, economies, and societies. Across sectors and regions, they're developing, updating, and gathering feedback on cybersecurity policies and legislation, aiming to build resiliency into their nations' approaches to digital transformation.

Industry and governments must collaborate to build a more resilient ecosystem. In sharing lessons learned from operating across diverse environments, global companies can accelerate efforts to protect global infrastructure and technology. Similarly, by leveraging lessons learned through not only their own experiences but also those of industry, governments can ensure their efforts to enhance resiliency are both practicable and effective. This mutual collaboration through public-private partnerships can help to drive meaningful outcomes, which will continue to be critical to improving collective cybersecurity defense and responding to evolving threats.

On March 27, 2018, Microsoft demonstrated its commitment to this mission by joining with five other companies to launch the Coalition to Reduce Cyber Risk (CR2), a global, cross-sector group that will partner with governments to advance cyber risk management. Collaboration with leaders from other sectors and regions will highlight how cybersecurity impacts the global, interdependent economy. It will also provide unique insights as CR2 contributes to governments' efforts.

Today, we are further pursuing this mission by publishing a whitepaper on the role of security baselines, a set of foundational activities through which organizations can advance cyber risk management. We advocate for baselines that engage executives and embed flexibility, enabling organizations' security capabilities and investments to evolve with rapidly changing threats. We also advocate for baselines that are applicable across sectors and regions.

Cross-sector, globally relevant security baselines are increasingly essential because they address the reality that interdependencies between sectors and regions are significant and growing, fuelled by regional and global economic integration and by the horizontal growth of technology across previously unrelated vertical sectors. Today's cybersecurity threats, risk mitigations, and infrastructure operations are unlikely to be confined to just one sector or region, creating a need for interoperability across sectoral approaches and jurisdictions.

There are some existing examples of cross-sector, globally relevant security baselines that engage executives and embed flexibility in risk management. In particular, the recently published ISO/IEC 27103 is relevant across sectors and geographies, based on risk management principles, and grounded in a flexible approach. Specifically, it integrates an outcomes-focused approach with controls-based ISO/IEC references that are supported globally and used by different sectors.

Governments that are cognizant of sectoral and geographic interdependencies while developing or updating security baselines could make progress in managing risk while supporting growth within their domestic infrastructure and economy. In addition, governments that engage technology providers, business leaders, critical infrastructure operators, and civil society organizations while developing or updating baselines will have more seamless implementation of cybersecurity policies.

Through CR2 and in direct engagements, we look forward to the opportunity to continue to partner with governments, others in industry, and other stakeholders to build or update security baselines. In our experience, around the world, cybersecurity policies built through partnerships are likely to operate more consistently and predictably, not only helping cybersecurity but also giving businesses, innovators, and citizens the confidence they need to make the most of technology and innovation.

Take these steps to stay safe from counterfeit software and fraudulent subscriptions

This post is authored by Matt Lundy, Assistant General Counsel, Microsoft.

Software piracy and fraudulent subscriptions are serious, industry-wide problems affecting consumers and organizations around the world.

In 2016, 39 percent of all software installed on computers was not properly licensed, according to a survey conducted by BSA and The Software Alliance. And each year, tens of thousands of people report to Microsoft that they bought software that they later learned was counterfeit.

What can appear to be a too-good-to-be-true deal for a reputable software program can in fact be a counterfeit copy or a fraudulent subscription. In many cases, such illegitimate software downloads may also be riddled with malware, including computer viruses, Trojan horses, spyware, or even botware, designed to damage your computer, destroy your data, compromise your security, or steal your identity. And in the world of cloud computing, where many applications are often delivered as a subscription service, consumers could be unwittingly sending payments to cybercriminals, unaware that cybercriminals selling fraudulent subscriptions will not provide needed administrative support.

Curbing the proliferation of software piracy

Cybercriminals are always looking for ways to trick consumers, and the outcome can be costly. According to a report released by the Ponemon Institute in 2017, the average cost of cybercrime globally climbed to $11.7M per organization, a staggering 62 percent increase over the last five years. And a recent Juniper Research report, Cybercrime & the Internet of Threats 2017, states that "the estimated cost to the global economy as a result of cybercrime is projected to be $8 trillion by 2022."

How do cybercriminals deceive consumers? There are many ways. One common technique is to set up a fake website that falsely claims the software subscriptions or copies offered for sale on the site are legitimate. Sophisticated cybercriminals go to great lengths to make their websites look authentic to trick consumers into buying fraudulent subscriptions or counterfeit software.

For decades, through partnerships with industry, governments, and other agencies, Microsoft has been working to fight software counterfeiting and to protect consumers from the dangers posed by this and other types of cybercrime. Today, Microsoft's Digital Crimes Unit (DCU), a unique group of cybercrime-fighting investigators, analysts, and lawyers, works globally to detect and prevent fraud targeting our customers. Our priority is to protect our customers and help create a secure experience for everyone. One of the key ways we do this is to work with law enforcement and other organizations to bring the perpetrators of cybercrime to justice.

In addition to the innovative technology and legal strategies that the Microsoft DCU uses to combat counterfeit products and fraudulent subscriptions globally, the company also aims to raise awareness of this issue among consumers and help protect them from the risks associated with counterfeit software and fraudulent subscriptions.

Protect yourself from software piracy and fraud

While software companies and law enforcement are working to curb cybercriminals' ability to counterfeit and sell software and services, consumers can help protect themselves by remaining vigilant and only purchasing through legitimate sources. In addition, if you do come across illegitimate sources or you discover you have inadvertently purchased suspect counterfeit Microsoft software, report your experiences to Microsoft.

Here are a few useful Microsoft resources to help you protect yourself from inadvertently purchasing counterfeit software or fraudulent software subscriptions as well as resources in case you think you may have done so:
