Author Archive

Accelerate your security deployment with FastTrack for Microsoft 365

This blog is part of a series that responds to common questions we receive from customers about Microsoft 365 Security and Enterprise Mobility + Security. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. In part one of this series, we outlined Tips for getting started on your security deployment.

Microsoft has a service designed specifically to help you deploy and drive adoption of Microsoft Security across your organization: FastTrack for Microsoft 365.

FastTrack is included with your subscription and gives you access to Microsoft engineers and managers in 13 different languages to support your deployments. With more than 40,000 new customers deployed, FastTrack has experience and best practices that can really help make your deployment smoother, as our customer success stories can attest. FastTrack follows a proven and highly recommended model, comprised of stages for envisioning, deploying, and driving adoption, that can be applied to any point of your deployment journey.

FastTrack also has a track record of success with customers:

  • 38 percent reduction in time to onboard
  • 3.5x increase in active usage
  • 67 percent increase in satisfaction

We saw what Microsoft was putting into Intune and saw that it could protect our data while helping us remain productive, and that it would grow with our future needs. And the other thing was the magnitude of positive experience and support from the FastTrack Center.
– Willem Bagchus: Messaging and Collaboration Specialist, United Bank


We’re thrilled with what we are hearing from customers and learning through FastTrack. Here’s a sampling of some of the best practices FastTrack has developed for driving a successful deployment of Microsoft Security:

  1. Take time at the outset to envision your success: Know your goals and the key scenarios you want to enable, familiarize yourself with the products, map key stakeholders and influencers, tackle quick wins, build a communications plan, and remember the end user.
  2. Deploy and realize your vision thoughtfully: Test and pilot thoroughly, have a migration strategy, and get experts to help with the tough questions.
  3. Drive adoption across your organization with great communications: Hold launch events, provide trainings, encourage ongoing engagement and thoroughly communicate the changes (and how users can get started) through assets like an FAQ, posters, brown bags, etc.

Of course, there are far too many tips, nuances, and best practices to list here; you'll get far more when you reach out to the FastTrack team directly.

To recap, Microsoft 365 Security, including Office 365, Windows 10 and EMS, is a critical part of your organizational security strategy and FastTrack for Microsoft 365 provides the optimum deployment and adoption support. Get started on your journey today with a request for assistance from the FastTrack security page.


Microsoft Security Intelligence Report volume 23 is now available

As security incidents and events keep making headlines, Microsoft is committed to helping our customers and the rest of the security community make sense of the risks and to offering recommendations. Old and new malware continues to be propagated through massive botnets, attackers are increasing their focus on easier attack methods such as phishing, and ransomware attacks have evolved to be more rapid and destructive. The latest Microsoft Security Intelligence Report, which is now available for download, dives deep into each of these key themes and offers insight into additional threat intelligence.

The report, which is based on Microsoft's analysis of on-premises systems and cloud services, focuses on threat trends since February 2017. Anonymous data sources for the report come from consumer and commercial on-premises systems and cloud services that Microsoft operates on a global scale, such as Windows, Bing, Office 365, and Azure. At Microsoft, we have massive depth and breadth of intelligence. Across these services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, and scan more than 1.2 billion devices for threats.

Here are three key themes from the report:

Botnets continue to impact millions of computers globally.
In November 2017, as part of a public/private global partnership, Microsoft disrupted the command-and-control infrastructure of one of the largest malware operations in the world, the Gamarue botnet. Microsoft analyzed over 44,000 malware samples, which uncovered the botnet's sprawling infrastructure, and discovered that Gamarue distributed over 80 different malware families. The top three malware classes distributed by the Gamarue botnet were ransomware, trojans, and backdoors. The disruption resulted in a 30% drop in infected devices in just a three-month period.

Easy marks: methods like phishing are commonly used by cybercriminals.
As software vendors incorporate stronger security measures into their products, it is becoming more expensive for hackers to successfully penetrate software. By contrast, it is easier and less costly to trick a user into clicking a malicious link or opening a phishing email. In 2017 we saw low-hanging-fruit methods such as phishing being used to trick users into handing over credentials and other sensitive information. In fact, phishing was the top threat vector for Office 365-based threats during the second half of 2017. Other low-hanging fruit for attackers are poorly secured cloud apps. In our research, we found that 79% of SaaS storage apps and 86% of SaaS collaboration apps do not encrypt data both at rest and in transit.

Ransomware remains a force to be reckoned with.
Money is ultimately what drives cybercriminals, so extorting cryptocurrency and other payments by threatening potential victims with the loss of their data remains an attractive strategy. During 2017, three global ransomware outbreaks (WannaCrypt, Petya/NotPetya, and BadRabbit) affected corporate networks and impacted hospitals, transportation, and traffic systems. We found that the region with the greatest number of ransomware encounters was Asia. The ransomware attacks observed last year were very destructive and moved at an incredibly rapid pace. Because of their automated propagation techniques, they infected computers faster than any human could respond, and they left most victims without access to their files indefinitely.

A key insight in the report is that these threats are interrelated. For example, ransomware was one of the most prominent types of malware distributed by the Gamarue botnet. Another example is that cybercriminals are attempting to take advantage of legitimate platform features to attach a ‘weaponized’ document (for example, a Microsoft Office document) containing ransomware in a phishing email.

What can be done in the enterprise? Following standard information security practices, such as keeping software and security solutions up-to-date, is important. The proliferation of low-cost attack methods such as social engineering is a reminder of the importance of security awareness training for employees to keep them apprised of latest phishing techniques. The report covers more detailed recommendations.

Research and engineering teams from Windows Defender, Office, Azure, Bing, the Microsoft Digital Crimes Unit, and others generously contributed their findings and insights to this Security Intelligence Report. You can download it today at

Finally, tune into our webcast on April 10, 2018 at 10am PDT: Microsoft Security Intelligence Report Volume 23: Breaking Botnets and Wrestling Ransomware, where we'll do a deep dive on the insights from the Security Intelligence Report and discuss recommendations on how to protect your organization. Register today.

For our perspectives on additional trending threats and topics, check out the Microsoft Secure Blog, and the Microsoft Security site to learn about Microsoft’s enterprise cybersecurity solutions.


How Office 365 protects your organization from modern phishing campaigns

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

We often allude to the benefits of having an integrated threat protection stack in Office 365. Today we wanted to take the opportunity to walk you through how the combined features and services in the Office 365 threat management stack help your organization protect, detect, and respond to a potential phishing attack. Phishing is the term for socially engineered attacks designed to harvest credentials or personally identifiable information (PII). Attackers use a variety of strategies to make the recipient believe the email is coming from a legitimate source. Phish emails often convey a sense of urgency to the recipient to take an action described in the email. We see phishing emails come in a variety of forms including:

  • Spoofing: where the sending domain matches a legitimate business
  • Impersonation: of users, domain, and brands (where emails are crafted to look like they are coming from specific users, domains and brands)
  • Content Based Attacks: emails contain malicious links or attachments

In this post, we'll review how Office 365 threat protection services provide holistic end-to-end protection against today's most sophisticated phishing campaigns.

End to end security focus

The Office 365 threat protection stack combines a rich set of features designed to prevent phishing attacks, as well as capabilities offered to security teams that more effectively and efficiently enable detection and response to phishing attacks. Our services help:

  1. Protect: set up and configure Office 365's security services to keep end users secure.
  2. Detect: determine if a threat has entered the tenant and who or what was impacted.
  3. Respond: remediate a threat or attack to return your tenant to a safe, no-threat state.


Our protection investments begin with a view to eliminating attacks before they impact your organization. Office 365 offers a rich, robust, comprehensive, and multi-layered solution to address phish attacks. Figure 1 shows the Anti-Phish stack leveraged by Office 365. During the mail-flow protection stage, all emails must pass our authentication, which includes explicit anti-spoof frameworks including SPF, DKIM, and DMARC. Emails must also pass implicit authentication built on additional machine learning models which determine email authenticity. Additionally, our newly launched anti-impersonation features are designed to flag highly targeted and advanced spear-phishing emails. Content in the form of attachments, links, and images is examined. Further, attachments and links are detonated and examined for malicious content. Soon we will launch internal Safe Links, enabling protection from compromised user accounts.
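To make the explicit-authentication step concrete, here is an added example (not Office 365 code, and not how Microsoft implements it) of how a receiving mail system combines SPF and DKIM results with the sender's published DMARC policy. SPF and DKIM each yield a pass/fail plus the domain they actually authenticated; DMARC then asks whether either passing result *aligns* with the domain in the visible From: header and, if not, what disposition the domain owner requested. The record parsing and alignment rules follow RFC 7489; the message samples, domains and record are constructed for illustration.

```python
"""Toy DMARC evaluator: SPF/DKIM results + From-domain alignment + policy."""
from dataclasses import dataclass
from typing import Dict, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s".
    Defaults: relaxed alignment for both SPF and DKIM."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    A production implementation consults the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment ("s") needs an exact domain match; relaxed ("r")
    accepts the same organizational domain (mail.contoso.com vs contoso.com)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible RFC5322.From header
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate_dmarc(msg: AuthResults, record: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    DMARC passes when SPF *or* DKIM passed AND the authenticated domain aligns
    with the From domain. On failure the disposition is the p= policy action
    ("none", "quarantine" or "reject") the domain owner asked receivers to apply.
    """
    tags = parse_dmarc_record(record)
    spf_ok = msg.spf_result == "pass" and aligned(msg.from_domain, msg.spf_domain, tags["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.from_domain, msg.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed samples (hypothetical domains): a legitimate message, a bulk
# sender whose own domain passes SPF but is unrelated to the From domain, a
# plain spoof, and a DKIM pass from a subdomain (only aligns under relaxed mode).
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"
SAMPLES = {
    "legit": AuthResults("contoso.com", "pass", "bounce.contoso.com", "pass", "contoso.com"),
    "unaligned": AuthResults("contoso.com", "pass", "mailer.example.net", "none", ""),
    "spoof": AuthResults("contoso.com", "fail", "attacker.example", "fail", "attacker.example"),
    "subdomain_dkim": AuthResults("contoso.com", "fail", "contoso.com", "pass", "mail.contoso.com"),
}


def evaluate_all(record: str = RECORD) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample against one record; handy for comparing policies."""
    return {name: evaluate_dmarc(msg, record) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:15s} -> result={verdict[0]:4s} disposition={verdict[1]}")
```

The "unaligned" sample is the case that a bare SPF check misses: the message authenticates fine for the domain in the envelope, but that domain has nothing to do with what the recipient sees in the From: header, which is exactly the gap DMARC alignment closes. Note also how the same "subdomain_dkim" message fails under the strict record above but passes against a record that leaves adkim at its relaxed default.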

Figure 1. Office 365 threat protection anti-phish stack

Office 365 threat protection also offers organizations the ability to train users to be more vigilant against the variety of threat scenarios that impact organizations. Attack Simulator is a new feature in public preview, offered to Office 365 Threat Intelligence customers. One of the initial threat simulations available in Attack Simulator is a Display Name Spear Phishing Attack. Spear phishing is a subset of phishing attacks which is targeted, often aimed at a specific group, individual, or organization. These attacks are customized and tend to leverage a sender name or common domain that creates trust with the recipient. Attack Simulator harnesses signal from Office 365 Threat Intelligence, which provides visibility into an organization's most targeted and potentially most vulnerable users, and enables admins to launch simulated threats targeting those very same users. This provides the most targeted users with training on how to recognize phish emails and provides admins visibility on how those users behave during an attack, enabling optimal policy updates and security protocols. Figure 2 shows an example of a simulated phish email created with Attack Simulator.

Figure 2. Example spear phishing email created with Attack Simulator

We believe customers will benefit from Attack Simulator and the ability to help train end users to spot malicious emails. One key aspect of that training is to inspect the URL behind the hyperlink. With the Native Link Rendering feature launching later this year, end users can hover over hyperlinks in their email and view where the link is pointing to. This is useful since the actual destination of a link can provide important indicators of whether the link is trustworthy or linking to a malicious site. Figure 3 demonstrates how native link rendering allows the user to inspect a link in the body of an email.
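The check that native link rendering lets a user perform by hand (does the visible link text match where the href actually goes?) can also be automated by a mail filter or a security team's triage script. The following is an added example, not part of the original post and not Office 365 code: it parses the anchors in an HTML email body with the standard library, recovers the real destination host, and flags the two patterns most worth a second look, display text that names one host while the href points at another, and an href whose host is a bare IP address. The HTML sample and its domains are constructed.

```python
"""Flag hyperlinks whose visible text disagrees with their real destination."""
import ipaddress
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value: str) -> str:
    """Lowercase host of a URL or bare domain, with a leading 'www.' removed."""
    text = value.strip()
    if "://" not in text:
        text = "http://" + text                 # let urlparse see a host
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text: str) -> bool:
    """Does the visible anchor text itself look like a URL or domain?"""
    return "://" in text or ("." in text and " " not in text and "@" not in text)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_links(html: str) -> List[dict]:
    """One record per link: visible text, actual href host, and a verdict
    ("mismatch", "ip-literal" or "ok")."""
    parser = LinkCollector()
    parser.feed(html)
    records = []
    for text, href in parser.links:
        actual = host_of(href)
        shown = host_of(text) if looks_like_url(text) else ""
        if shown and shown != actual:
            verdict = "mismatch"       # text advertises one host, link goes elsewhere
        elif is_ip_literal(actual):
            verdict = "ip-literal"     # legitimate mail rarely links to raw IPs
        else:
            verdict = "ok"
        records.append({"text": text, "href_host": actual, "shown_host": shown, "verdict": verdict})
    return records


# Constructed sample body using documentation/example domains and test-net IPs.
SAMPLE_HTML = """
<p>Your mailbox is almost full.
<a href="http://contoso-login.example.net/reset">https://www.contoso.com/reset</a></p>
<p>Or visit <a href="https://contoso.com/help">our help center</a>.</p>
<p>Legacy portal: <a href="http://203.0.113.7/portal">contoso.com/portal</a></p>
<p><a href="http://198.51.100.9/">Open attachment</a></p>
"""

if __name__ == "__main__":
    for rec in inspect_links(SAMPLE_HTML):
        print(f"{rec['verdict']:10s} text={rec['text']!r} -> {rec['href_host']}")
```

The first link is the textbook case: the user sees a contoso.com address, but the href resolves to a look-alike host. The third shows why comparing hosts rather than whole strings matters; the displayed "contoso.com/portal" and the real IP destination share no host at all.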

Figure 3. Native Link Rendering


If an Office 365 Advanced Threat Protection (ATP) user does click on a malicious link, they will be protected by ATP Safe Links at the time of click. This is part of the post-delivery protection layer shown in Figure 1. Time-of-click protection offered by ATP Safe Links is important because many of today's advanced threats leverage some form of link morphing. The email initially includes a benign link and passes through basic security filters undetected. Once past these filters, the link morphs and points to a malicious site. Therefore, time-of-click protection is essential for protecting users from these threats.
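The following added example (not Office 365 code, and not Microsoft's implementation of Safe Links) illustrates why a check at click time catches what a check at delivery time cannot. Links are rewritten at delivery to point at a checking redirector that carries the original URL as a parameter; the verdict is computed only when the user clicks, against whatever reputation data exists at that moment. The redirector host, the reputation feed and the URLs are all hypothetical and constructed.

```python
"""Delivery-time rewrite plus click-time verdict, as a minimal simulation."""
from typing import Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical redirector; a real service would also authenticate the wrapper
# (e.g. with a MAC over the parameters) so it cannot be forged or replayed.
REDIRECTOR = "https://safelinks.example.invalid/check"


def wrap_link(url: str) -> str:
    """Rewrite a URL at delivery time so every click passes the redirector."""
    return REDIRECTOR + "?" + urlencode({"url": url})


def unwrap_link(wrapped: str) -> str:
    """Recover the original destination from a wrapped link."""
    params = parse_qs(urlparse(wrapped).query)
    return params["url"][0]


class ReputationFeed:
    """Stand-in for threat intelligence whose verdicts change over time."""

    def __init__(self) -> None:
        self._bad_hosts: Set[str] = set()

    def mark_malicious(self, host: str) -> None:
        self._bad_hosts.add(host.lower())

    def is_malicious(self, url: str) -> bool:
        return (urlparse(url).hostname or "").lower() in self._bad_hosts


def on_click(wrapped: str, feed: ReputationFeed) -> Tuple[str, str]:
    """Verdict at click time: ("block", target) or ("allow", target)."""
    target = unwrap_link(wrapped)
    return ("block" if feed.is_malicious(target) else "allow"), target


def simulate_morphing_link() -> Tuple[str, str]:
    """Return (verdict_at_delivery, verdict_at_click) for a link that is
    benign when scanned but whose host is later identified as malicious."""
    feed = ReputationFeed()
    url = "http://updates.example.net/invoice"        # constructed
    delivery_verdict = "block" if feed.is_malicious(url) else "allow"
    wrapped = wrap_link(url)                           # mail is delivered with this
    feed.mark_malicious("updates.example.net")         # intel arrives after delivery
    click_verdict, _ = on_click(wrapped, feed)
    return delivery_verdict, click_verdict


if __name__ == "__main__":
    print("delivery/click verdicts:", simulate_morphing_link())
```

A scanner that only looks at delivery time records "allow" and never gets a second chance; the wrapped link gives the defender that second chance on every click, which is the whole point of the post-delivery layer.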

In the event an end user believes a link might be malicious, they can submit the email directly to Microsoft for analysis. Admins should enable the Report Message (Figure 4) add-in which end users can use to submit suspicious emails directly to Microsoft. Our 3500+ security engineering team will review the email and determine if it is actually malicious. If Microsoft classifies the email as malicious, new instances of the email are flagged and blocked across all Office 365 tenants.

Figure 4. Report Message Button

Giving end users the ability to report messages directly enables Microsoft to quickly expand its telemetry and depth of the threat landscape and broaden protection for all our customers. In fact, customers using the Exchange Online Protection (EOP) secure email gateway service, which is available with every Office 365 license, also benefit from our powerful integration and signal sharing across the Microsoft ecosystem.

Another key post-delivery anti-phishing feature is Zero-hour Auto Purge (ZAP), which moves all instances of malicious emails that Microsoft discovers to the junk mail folder – even after it has landed in a user inbox. This process happens quickly and emails that are not initially classified malicious but flagged by Office 365 ATP (or even services from our Windows platform such as Windows Defender Advanced Threat Protection) will be ZAPed to the junk mail folder. This new threat telemetry integrates with the Microsoft Intelligent Security Graph so that future instances of the newly classified malicious email will be blocked across the entire Microsoft ecosystem. We can evolve and stay ahead of the changing threat landscape by leveraging the direct threat telemetry from end users, continuously, and rapidly enhancing our protection for all our customers.

Figure 5. EOP ZAP Protection


With the newly released real-time ATP reports, customers have visibility into all malicious emails that targeted the tenant and were blocked by Office 365. Administrators that use ATP can also see all emails that have been flagged and submitted by their end users as potential threats. With the User-reported threats view (Figure 6), admins can identify the sender of the email, the number of instances of the email, and the number of users who received the email. The ability to view emails submitted by end users is an extremely valuable tool because it empowers organizations' security teams to identify malicious emails and trigger investigations on potential threats and impacts. The combination of these reports provides administrators and security teams a comprehensive view into the breadth and depth of different phishing campaigns targeting their organization. The User-reported submissions are also sent to Microsoft for further analysis.

Figure 6. User submissions report


We have demonstrated how Office 365 protects organizations from phishing campaigns using a multi-layered approach. Office 365 Threat Intelligence completes the threat protection stack by allowing organizations to more effectively and efficiently investigate, respond to, and remediate attacks on the organization. In fact, since Microsoft IT began leveraging Office 365 Threat Intelligence, average time to resolution for social engineering incidents has been reduced by 80 percent, and case throughput has increased 37 percent per month. Many enterprises have security operations teams whose goal is to assess the impact of threats to an organization. Using the Threat Explorer feature in the Security and Compliance Center, security analysts and administrators can search for all instances of potentially malicious emails. Thanks to a back end designed specifically for efficient threat investigation and remediation, malicious emails can be quickly and easily identified with Threat Explorer. As shown in Figure 7, Threat Explorer provides many filtering and search options, such as sender, recipient, subject, and several more, to find the malicious emails. From the User-reported threats view, admins gain visibility into the sender of the email. This is critical since emails that are part of a phishing campaign often come from a unique sender address. Threat Explorer allows admins to filter by sender to find all emails sent from a specific email address. Once this filter has been applied, all emails sent from the unique address will be displayed in Threat Explorer. The admin can then select all the emails that need to be investigated from a specific sender from the message list at the bottom of Threat Explorer.

Figure 7. Threat Explorer

After selecting the emails to investigate, admins can choose a variety of actions that can be taken on the messages including: move to junk, move to deleted items, soft delete, hard delete, and move to inbox as shown in Figure 8. Analysts can easily trigger the action to purge the malicious email campaign from all mailboxes in the organization or queue the incident for a manager to approve the action.

Figure 8. Triggering an action

There are common security issues admins may need to check over time for phish or other problems. Whether just reviewing events, getting alerts, or determining threat trends and reporting, Office 365's Threat Intelligence Threat Tracker enables ongoing supervision of your security tasks. The Tracker Saved Query feature shown in Figure 9 allows you to save frequent searches, so admins can navigate quickly to a consistent set of events in Explorer. If you need ongoing monitoring, you can set up tracking on the queries to get trending information on phish, malware, or other security events.

Figure 9. Saving an Explorer query in Office 365 Threat Intelligence

Office 365 Threat Protection

Microsoft has heavily invested in helping secure our customers for several years. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously enhancing advanced security solutions to protect customers from a wide variety of threats and types of attack. In this phishing scenario, you see a part of this continued focus on engineering security services giving end users ultimate protection from modern threats, while giving administrators a powerful set of tools with maximum control and flexibility for their security requirements. To begin experiencing best of breed protection for all your Office 365 users, we invite you to sign up for an Office 365 E5 trial today. Make sure to provide us your feedback so we can continue delivering the features and enhancements needed to keep your organization secure.


Tips for getting started on your security deployment

This blog is part of a series that responds to common questions we receive from customers about how to most effectively deploy Microsoft 365 Security. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization.

This past year, we've been listening to our customers' questions about how to deploy and drive adoption around the full suite of Microsoft 365 Security products. The questions we get most often include:

  • In what order should I deploy security features?
  • How do I deploy quickly and with minimal business disruption?
  • How do I as an IT Pro get buy-in from my business decision makers?
  • How do I get my users to actually use the solution?
  • How will this impact my end users?

This blog series will provide you with our best answers to these and related questions and offer tips from our security deployment experts.

The good news is that Microsoft 365 customers already have a powerful security solution to address security challenges. Together with Enterprise Mobility + Security, Windows 10, and Office 365, our Microsoft 365 Security products deliver on today's most pressing security needs.

The security capabilities in Microsoft 365 integrate where it counts and offer specialized tools for different functions. The result is a comprehensive security solution across your identity, devices, apps, and infrastructure.

One of the most common questions we receive is "Where do I begin?" Microsoft has provided a sampling of the most common security scenarios customers like you may be wanting to accomplish. To help you envision your plan, we provide the optimum combination of Microsoft 365 products and features you need to bring your scenarios to life with Microsoft Security, such as:

  • Work securely from anywhere, anytime
  • Detect and protect against external threats
  • Protect your data on files, apps, and devices
  • Protect your users and their accounts

How do I get started?

The first step to any effective security strategy is careful planning. Here are a few best practices to get you started:

  • Know your goals and tackle quick wins first. Trying to address every security challenge that comes along can quickly become overwhelming. Get very specific about what you are hoping to gain from a solution. And don't let the search for the perfect setup stand in the way of getting started with quick wins today. For example, setting up self-service password resets or getting company apps securely behind your cloud firewall can quickly show business value.
  • Map your key stakeholders and influencers. In addition to key influencers (CTO, CSO, CEO, business development managers, etc.), make sure to involve department managers and explore how the new security will impact people, processes, and data internally as well as externally with customers and partners.
  • Build a good communications plan. Quick user adoption starts with early user communication. Prepare your end users for the changes in advance so that there are no surprises. Communicate every step of the way during pilot and deployment phases. Don't just provide technical details, but try to capture also what they care about: how the new scenarios will help them do their job better, how to get started with the new software, where to go for more training, etc.

We'll explore these and other planning best practices in future blog posts. Then we'll move on to key deployment and adoption considerations as well as specific security scenarios. Check back in a few weeks for our next blog post, when we drill into FastTrack for Microsoft 365 Security.

Need help getting started? FastTrack provides you with a set of best practices, tools, resources, and experts committed to making your experience with the Microsoft Cloud a great one. Get started on your journey today with a request for assistance from the FastTrack security page.



Cyber resilience for the modern enterprise

Many organizations are undergoing a digital transformation that leverages a mix of cloud and on-premises assets to increase business efficiency and growth. While increased dependence on technology is necessary for this transformation, and to position the business for success, it does pose risks from security threats. An organization cannot afford to wait until after users and systems have been compromised; it must be proactive.

It is impossible to be 100 percent secure. It can take less than 48 hours for attackers to gain complete control of a network,[1] and the median time to discover a breach is 99 days.[2] With incidents costing an average of $141 per lost or stolen record[3] and some cybersecurity events such as Petya costing $200-310 million,[4] organizations must develop comprehensive risk management plans. These plans must keep a hybrid infrastructure resilient to a range of cyber threats encompassing both established and emerging threats. In addition, plans must help to manage the risk of emerging vulnerabilities, such as the recently disclosed processor vulnerabilities named Spectre and Meltdown.

Microsoft helps multiple global enterprises mitigate business impact by offering prescriptive guidance, as well as partnering with them to build a cyber resiliency plan and roadmap.

To learn more about how Microsoft views the importance of cyber resilience for the modern enterprise, get prescriptive guidance on building a cyber resiliency plan and roadmap, and find out what Microsoft is doing to help enterprises rapidly become resilient to commonly encountered attacks and vulnerabilities, check out these resources:

  1. Microsoft as a Trusted Advisor and Partner on Cyber Resilience white paper co-authored by members of Microsoft Enterprise Cybersecurity Group
  2. Cyber Resilience for the Modern Enterprise webinar featuring Diana Kelley (Field Chief Technology Officer) and Shawn Anderson (Executive Security Advisor) from the Microsoft Enterprise Cybersecurity Group
  3. Securing Azure customers from CPU vulnerability blog from the Microsoft Azure team

[1] Anatomy of a Breach. 2016. Microsoft.

[2] M-Trends 2016. 2016. Mandiant Consulting.

[3] 2017 Cost of a Data Breach Study: Global Overview. 2017. Ponemon Institute.

[4] NotPetya ransomware cost Merck more than $310 million.


Overview of rapid cyberattacks

Rapid cyberattacks like Petya and WannaCrypt have reset our expectations on the speed and scope of damage that a cyberattack can inflict. The Microsoft Enterprise Cybersecurity Group Detection and Response team worked extensively to help customers respond to and recover from these kinds of attacks. In 2017, among the global enterprise customers that we worked with, these rapid cyberattacks took down most or all IT systems in just about one hour, resulting in $200M – 300M USD of damage at several customers. [1]

Attackers assembled several existing techniques into a new form of attack that was both:

  • Fast – Took about an hour to spread throughout the enterprise
  • Disruptive – Created very significant business disruption at global enterprises

What is a rapid cyberattack?

Rapid cyberattacks are fast, automated, and disruptive, setting them apart from the targeted data theft attacks and various commodity attacks, including commodity ransomware, that security programs typically encounter:

Figure 1: Characteristics of rapid cyberattacks

  • Rapid and Automated – Much like the worms of decades past (remember Nimda? SQL Slammer?), these attacks happen very rapidly because self-propagation is fully automated once the malware is launched.
  • Disruptive – Rapid cyberattacks are designed to be disruptive to business and IT operations by encrypting data and rebooting systems.

What are the technical and business impacts of a rapid cyberattack?

From a technical perspective, this represents the near-worst case technical risk, and resulting business risk, from a cybersecurity attack. While many of us in cybersecurity have grown accustomed to and jaded with sales presentations describing doomsday scenario tactics, these attacks indisputably represent real world cases of mass business impact on organizations.

For many of the Petya victims, most or all their computers were taken down in about one hour (~62,000 servers and workstations in a global network, in one case). In these customer environments where our incident response teams were engaged, many critical business operations came to a full stop while the IT team recovered systems.

From a business perspective, some organizations suffered losses in the range of $200M – 300M USD and had to change the operating results they reported to shareholders. Note that the actual level of business impact can vary by industry, organization size, existing risk management controls, and other factors. However, it's clear that the monetary and resource impacts from rapid attacks can be significant.

What makes rapid cyberattacks different from other attacks?

Petya differed from several accepted attack norms, taking many defenders by surprise. Here are four of the ways it did so:

Figure 2: What made Petya different

  1. Supply chain – One of the more unusual aspects of the Petya attack is that it used a supply chain attack to enter target environments instead of phishing or browsing, which are vastly more prevalent methods used by threat actors for most attacks. While we are seeing an emerging trend of supply chain attacks, particularly in IT supply chain components like the MEDoc application, it is still a small minority of attack volume vs. the usual phishing/browsing attack methods.
  2. Multi-technique – While Petya wasn't the first malware to automate propagation or use multiple propagation techniques, its implementation was an extremely effective combination of exploiting a powerful software vulnerability and using impersonation techniques.
  3. Fast – The propagation speed of Petya cannot be overstated. Before AV signatures were available, it left very little time for defenders to react (detect + manually respond, or detect + write automatic response rules), leaving defenders completely reliant on preventive controls (the Protect function in the NIST cybersecurity framework) and recovery processes.
  4. Destructive – Petya rebooted the system and encrypted the master file table (MFT) of the filesystem. This made it more difficult to recover individual machines, but also spared many enterprises an even worse impact because it didn't encrypt storage that wasn't accessible after this reboot (e.g. Petya's boot code didn't have SAN drivers and couldn't reach that storage).

More information

To learn more about rapid cyber attacks and how to protect against them, watch the on-demand webinar: Protect Against Rapid Cyberattacks (Petya [aka NotPetya], WannaCrypt, and similar).

Look out for the next blog post of a 3-part series to learn how Petya works and key takeaways.



Azure Backup offers several mechanisms to protect against ransomware

The start of a new year is the perfect time to reassess your security strategy and tactics, especially when looking back at the new levels of ransomware's reach and damage in 2017.

It's no secret that ransomware attacks are increasing. In fact, a business is hit with ransomware every 40 seconds. If ransomware does get hold of your data, you can pay a large amount of money hoping that you will get your data back. The alternative is to not pay anything and begin your recovery process. Whether you pay the ransom or not, your enterprise loses time and resources dealing with the aftermath. Microsoft invests in several ways to help you mitigate the effects of ransomware.

For example, in the Windows 10 Fall Creators Update, Windows Defender Exploit Guard has a feature that prevents unauthorized access to important files. The feature, controlled folder access, works with Windows Defender Advanced Threat Protection. All applications (any executable file, including .exe, .scr, .dll files and others) are assessed and determined to be malicious or safe. If an application is determined to be malicious or suspicious, it is not allowed to make any changes to any files in a protected folder. In the case of ransomware, this helps protect files from attempted encryption by the malware. As malware becomes increasingly sophisticated, older platforms are much more susceptible to ransomware attacks. Windows 10 has several defenses against ransomware that could help in case of a future attack.
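The following is an added example, not code from the original post: it rolls controlled folder access out the way an administrator would, starting in audit mode, adding a folder and an allowed application, then reading the audit events to see which applications would have been blocked before switching to enforcement. The folder and application paths are constructed placeholders; the script assumes Windows 10 1709 or later and an elevated session.

```powershell
# Added example (not from the original post): stage Windows Defender controlled
# folder access in audit mode, protect an extra folder, allow one known-good
# app, then review the audit events before switching to block mode.
# Assumes Windows 10 1709+ and an elevated PowerShell session.

# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
$before = (Get-MpPreference).EnableControlledFolderAccess
Write-Host "Controlled folder access state before: $before"

# Audit mode blocks nothing but logs every write that *would* have been blocked,
# which is how you find line-of-business apps that need allow-listing first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a location beyond the default user folders (constructed path).
$protectedFolder = 'D:\Finance\Reports'
if (Test-Path $protectedFolder) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolder
}

# Allow a known-good app by full path (constructed path). Anything not on this
# list and not trusted by Defender is treated as suspicious in a protected folder.
$lobApp = 'C:\Program Files\Contoso\ReportWriter\ReportWriter.exe'
if (Test-Path $lobApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $lobApp
}

# Review what the rule saw. In the Defender operational log:
#   1124 = write to a protected folder that would have been blocked (audit mode)
#   1123 = write to a protected folder that was blocked (enforce mode)
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# The first message line names the process and the target path; grouping on it
# shows which applications keep tripping the rule and need review.
$events |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Detail  = ($_.Message -split "`r?`n")[0]
        }
    } |
    Group-Object Detail |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Once the audit events show only expected blocks, enforce the rule:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```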

One area to reconsider is your current backup policy and the potential outcomes to your business if your backup data is compromised by ransomware.

With Azure Backup, we are changing the ransomware story. You, not ransomware, are in control of your data. Azure Backup gives you three ways to proactively protect your data in Azure and on-premises from ransomware. The first step is to back up your data. You need to back up virtual machines running in Azure, on-premises virtual machines, physical servers, and files to Azure. If your on-premises data is compromised, you'll have several copies of your data in Azure. This gives you the flexibility to restore your data to a specific point in time and keep your business moving forward.

Next, you can set up a six-digit PIN directly from the Azure portal as an additional layer of protection for your Azure Backups. Only users with valid Azure credentials can then create and receive this security PIN, which must be entered before any backup operation is performed.

Finally, Azure Backup provides just-in-time notifications to alert you to potential ransomware attacks. If a suspicious activity is attempted with your backups, a notification is immediately sent to you to get involved before ransomware has the chance.

If you are an IT professional, you can get started today by creating a free Azure Backup account. For more information on how Azure Backup protects against ransomware, check out our interactive infographic.

Microsoft is committed to helping you protect against and respond to evolving attacks. To learn more about other Microsoft security solutions, visit

  • Kaspersky Security Bulletin 2016


How to disrupt attacks caused by social engineering

This post is authored by Milad Aslaner, Senior Program Manager, Windows & Devices Group.

A decade ago, most cyber-attacks started with a piece of malware or a complex method to directly attack the infrastructure of a company. But this picture has changed and today all it takes is a sophisticated e-mail phishing for an identity.

Figure 1: Trying to identify a loophole in the complex infrastructure

Digitalization is happening and there is no way around it. It's a necessity for all industries and a natural evolutionary step in society. It's not about when or if digital transformation is happening, but how. Our Microsoft security approach is targeted at enabling a secure digital transformation. We achieve that by enabling our customers to protect against, detect and respond to cybercrime.

The art of social engineering is nothing new in itself and was already present in the age when broadband connections didn't even exist. At that time, we used to call these kinds of threat actors not hackers but con men. Frank Abagnale, Senior Consultant at Abagnale & Associates, once said: "In the old days, a con man would be good looking, suave, well dressed, well-spoken and presented themselves really well. Those days are gone because it's not necessary. The people committing these crimes are doing them from hundreds of miles away."

Threat actor groups such as STRONTIUM are nothing other than a group of modern con men. They follow the same approach as traditional con men, but they do it in the digital world. They prefer this approach because it has become easier to send a sophisticated phishing email than to find a new loophole or vulnerability that would let them access critical infrastructure directly.

Figure 2: Example of a STRONTIUM phishing email

Keith A. Rhodes, Chief Technologist at the U.S. General Accounting Office, says: "There's always the technical way to break into a network but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security."

According to the Verizon data breach investigation report from 2016, 30 percent of phishing emails were opened. It took a recipient an average of only 40 seconds to open the email and an additional 45 seconds to also open the malicious attachment. 89 percent of all phishing emails were sent by organized crime syndicates and 9 percent by state-sponsored threat actors.

Figure 3: Verizon Data Breach Report 2016

The weakest link remains the human. But while some could argue and say the user is to blame, the reality is that many of the targeted phishing emails are so sophisticated that it is impossible for the average user to notice the difference between a malicious and a legitimate email.

Figure 4: Example phishing emails that look legitimate at first look

Preparing a phishing email can take only a few minutes. First, the threat actors crawl social and professional networks and find as much personal information about the victim as possible. This could include organizational charts, sample corporate documents, common email headlines, pictures of the employee badge and more. There are professional tools available that pull much of this information from public or leaked databases. In fact, if needed, the threat actor can purchase the information from the dark web. For example, one million compromised emails and passwords can be traded for approximately $25, bank account logins can be traded for $1 per account, and social security numbers cost approximately $3, including birth date verification. Second, the threat actor prepares an e-mail template that will look familiar to the recipient, such as a password reset email, and lastly, they send it to the user.

Social engineering has become a very powerful tool for many threat actors, and depending on their objective they leverage computer-based, mobile-based, or human-based social engineering.

Figure 5: Stages of a phishing attack

  • Phase 1: Threat actor targets employee(s) via a phishing campaign
  • Phase 2: An employee opens the attack email, which allows the threat actor to load the malicious payload or compromise the user identity
  • Phase 3: The workstation is compromised; the threat actor persists malware and gathers credentials
  • Phase 4: Threat actors use stolen credentials to move laterally, gain unauthorized access and compromise key infrastructure elements
  • Phase 5: Threat actors exfiltrate PII and other sensitive business data

The built-in functionality of Enterprise Mobility + Security, Windows 10, Office 365, and Microsoft Azure enables organizations to disrupt these attacks. Below is a visualization allowing you to quickly understand which functionality helps in which phase:

Today, the entry level for threat actors to launch a cyber-attack is very low, therefore it is critical that cybersecurity is a CEO matter. Organizations need to move away from a "We have a firewall, anti-virus, and disk encryption technology, so we are secure" mentality to a "cyber-attacks will happen, therefore we can no longer focus only on building walls but must also become able to detect and respond to breaches quickly" mindset. Assuming breach is key. It doesn't matter how large an organization is or which industry it is in; every company has data that can be valuable to a threat actor or, in some cases, even a nation-state.

A consistent approach to information security is critical in today's world. It includes having the right incident response processes in place, technologies that help protect against, detect and respond to cyber-attacks, and lastly IT and end-user readiness.

For more information about Microsoft security products and solutions, as well as resources to help you with your security strategy, visit


How Microsoft tools and partners support GDPR compliance

This post is authored by Daniel Grabski, Executive Security Advisor, Microsoft Enterprise Cybersecurity Group.

As an Executive Security Advisor for enterprises in Europe and the Middle East, I regularly engage with Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and Data Protection Officers (DPOs) to discuss their thoughts and concerns regarding the General Data Protection Regulation, or GDPR. In my last post about GDPR, I focused on how GDPR is driving the agenda of CISOs. This post will present resources to address these concerns.

Some common questions are "How can Microsoft help our customers to be compliant with GDPR?" and "Does Microsoft have tools and services to support the GDPR journey?" Another is "How can I use current investments in Microsoft technology to address GDPR requirements?"

To help answer these, I will address the following:

  • GDPR benchmark assessment tool
  • Microsoft partners & GDPR
  • Microsoft Compliance Manager
  • New features in Azure Information Protection

Tools for CISOs

There are tools available that can ease kick-off activities for CISOs, CIOs, and DPOs. These tools can help them better understand their GDPR compliance, including which areas are most important to be improved.

  • To begin, Microsoft offers a free GDPR benchmark assessment tool which is available online to any business or organization. The assessment questions are designed to help our customers identify technologies and steps that can be implemented to simplify GDPR compliance efforts. It is also a tool that increases visibility and understanding of features in Microsoft technologies that may already be available in existing infrastructures. The tool can reveal what already exists and what is not yet addressed to support each GDPR journey. As an outcome of the assessment, a full report is sent, an example of which is shown here.

Image 1: GDPR benchmarking tool

As an example, see below the mapping to the first question in the Assessment. This is based on how Microsoft technology can support requirements about collection, storage, and usage of personal data; it is necessary to first identify the personal data currently held.

  • Azure Data Catalog provides a service in which many common data sources can be registered, tagged, and searched for personal data. Azure Search allows our customers to locate data across user-defined indexes. It is also possible to search for user accounts in Azure Active Directory. For example, CISOs can use the Azure Data Catalog portal to remove preview data from registered data assets and delete data assets from the catalog:

Image 2: Azure Data Catalogue

  • Dynamics 365 provides multiple methods to search for personal data within records such as Advanced Find, Quick Find, Relevance Search, and Filters. These functions each enable the identification of personal data.
  • Office 365 includes powerful tools to identify personal data across Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business environments. Content Search allows queries for personal data using relevant keywords, file properties, or built-in templates. Advanced eDiscovery identifies relevant data faster, and with better precision, than traditional keyword searches by finding near-duplicate files, reconstructing email threads, and identifying key themes and data relationships. Image 3 illustrates the common workflow for managing and using eDiscovery cases in the Security & Compliance Center and Advanced eDiscovery.

Image 3: Security & Compliance Center and Advanced eDiscovery

  • Windows 10 and Windows Server 2016 have tools to locate personal data, including PowerShell, which can find data housed in local and connected storage, as well as search for files and items by file name, properties, and full-text contents for some common file and data types.

A sample outcome, based on one of the questions regarding GDPR requirements, is shown in Image 4.

Image 4: example of the GDPR requirements mapped with features in the Microsoft platform

Resources for CISOs

Microsoft's approach to GDPR relies heavily on working together with partners. Therefore, we built a broader version of the GDPR benchmarking tool, available to customers through the extensive Microsoft Partner Network. The tool provides an in-depth analysis of an organization's readiness and offers actionable guidance on how to prepare for compliance, including how Microsoft products and features can help simplify the journey.

The Microsoft GDPR Detailed Assessment is intended to be used by Microsoft partners who are assisting customers to assess where they are on their journey to GDPR readiness. The GDPR Detailed Assessment is accompanied by supporting materials to assist our partners in facilitating customer assessments.

In a nutshell, the GDPR Detailed Assessment is a three-step process where Microsoft partners engage with customers to assess their overall GDPR maturity. Image 5 below presents a high-level overview of the steps.

Image 5

The duration for the partner engagement is expected to last 3-4 weeks, while the total effort is estimated to be 10 to 20 hours, depending on the complexity of the organization and the number of participants as you can see below.

Image 6: Duration of the engagement

The Microsoft GDPR Detailed Assessment is intended for use by Microsoft partners to assess their customers' overall GDPR maturity. It is not offered as a GDPR compliance attestation. Customers are responsible for ensuring their own GDPR compliance and are advised to consult their legal and compliance teams for guidance. This tool is intended to highlight resources that partners can use to support a customer's journey towards GDPR compliance.

We are all aware that achieving organizational compliance may be challenging. It is hard to stay up-to-date with all the regulations that matter to organizations and to define and implement controls with limited in-house capability.

To address these challenges, Microsoft announced a new compliance solution to help organizations meet data protection and regulatory standards more easily when using Microsoft cloud services: Compliance Manager. The preview program, available today, addresses compliance management challenges and:

  • Enables real-time risk assessment on Microsoft cloud services
  • Provides actionable insights to improve data protection capabilities
  • Simplifies compliance processes through built-in control management and audit-ready reporting tools

Image 7 shows a dashboard summary illustrating a compliance posture against the data protection regulatory requirements that matter when using Microsoft cloud services. The dashboard summarizes Microsoft's and your performance on control implementation for various data protection standards and regulations, including GDPR, ISO 27001, and ISO 27018.

Image 7: Compliance Manager dashboard

Having a holistic view is just the beginning. Use the rich insights available in Compliance Manager to go deeper and understand what should be done and improved. Each Microsoft-managed control shows the implementation and testing details, test date, and results. The tool provides recommended actions with step-by-step guidance. It aids a better understanding of how to use Microsoft cloud features to efficiently implement the controls managed by your organization. Image 8 shows an example of the insight provided by the tool.

Image 8: Information to help you improve your data protection capabilities

During the recent Microsoft Ignite conference, Microsoft announced the Azure Information Protection scanner. The feature is now available in public preview. It will help to manage and protect significant on-premises data and help prepare our customers and partners for regulations such as GDPR.

We released Azure Information Protection (AIP) to provide the ability to define a data classification taxonomy and apply those business rules to emails and documents. This feature is critical to protecting the data correctly throughout the lifecycle, regardless of where it is stored or shared.

We receive a lot of questions about how Microsoft can help to discover, label, and protect existing files to ensure all sensitive information is appropriately managed. The AIP scanner can:

  • Discover sensitive data that is stored in existing repositories when planning data-migration projects to cloud storage, to ensure toxic data remains in place.
  • Locate data that includes personal data and learn where it is stored to meet regulatory and compliance needs
  • Leverage existing metadata that was applied to files using other solutions

I encourage you to enroll for the preview version of Azure Information Protection scanner and to continue to grow your knowledge about how Microsoft is addressing GDPR and general security with these helpful resources:

About the author:

Daniel Grabski is a 20-year veteran of the IT industry, currently serving as an Executive Security Advisor for organizations in Europe, the Middle East, and Africa with Microsoft Enterprise Cybersecurity Group. In this role he focuses on enterprises, partners, public sector customers and critical infrastructure stakeholders delivering strategic security expertise, advising on cybersecurity solutions and services needed to build and maintain secure and resilient ICT infrastructure.


Minimize cybersecurity risk with Software Asset Management

This post is authored by Patam Chantaruck, General Manager of Worldwide Software Asset Management & Compliance.

By 2021, worldwide cybercrime damage is expected to reach $6 trillion, double what it cost businesses in 2015. Unapproved apps, unmanaged devices, poor password protection, and other security issues are leaving far too many organizations vulnerable to attack. And as organizations embrace digital transformation, it becomes increasingly urgent for them to increase control over their IT infrastructures and reduce security risks.

The question is: where to start?

Driving greater security through software asset management

Software asset management (SAM) is a set of proven IT practices that unites people, processes, and technology to control and optimize the use of software across an organization. SAM is designed to help you control costs, manage business and legal risks, optimize licensing investments, and align IT investments with business needs.

Effective SAM can identify discrepancies between software licenses owned and deployed, thus providing insights into software usage. These insights are then used to devise upgrade plans for each software release that will optimize license use, ensure worthwhile software investments, save money, reduce security risks associated with software piracy, and promote good corporate governance, including management effectiveness and transparency.

Introducing the Microsoft SAM cybersecurity engagement

At Microsoft, we take SAM a step further with our cybersecurity engagement. This comprehensive analysis of your cybersecurity infrastructure, including your current software deployment, usage, and licensing data, helps to ensure that you have the right processes in place to minimize cyber-risk. Through this engagement we also provide prescriptive cybersecurity guidance and best practices, freeing your organization to focus on innovation instead of protection.

A Microsoft SAM cybersecurity engagement will help you:

  • Minimize data loss, fraud, and employee downtime
  • Save money combatting cyberattacks and increasing efficiencies
  • Securely manage software assets and promote reliable cybersecurity practices
  • Build a resilient IT infrastructure that can quickly respond to threats
  • Ensure that you have a secure and effective defense against attacks

What IDC has to say about SAM

IDC has identified SAM as a key component to securing infrastructure and battling cyberattacks and predicts that an increasing number of organizations will rely on SAM practices to reduce risks. Below is a direct quote from The Business Value of Software Asset Management:

Cyberattacks often take advantage of the high vulnerability of end-of-life (EOL) IT systems and/or software that have ceased to receive product updates and security patches from vendor sources. Understanding risk impact is challenging when there is limited or no understanding of where the assets reside and precisely how the assets support the business. To that end, SAM initiatives enable organizations to quickly discover how many devices and applications are in the environment, along with their location and their warranty status, which can significantly reduce unnecessary cost, waste, and cybersecurity risks. Establishing a comprehensive asset management program provides a common source of record, which enables IT to carry out more timely security patches and identify security threats sooner as well as better respond to software audits. Therefore, asset management should be viewed holistically as an essential component of an effective IT infrastructure, service, and cybersecurity management program.

How SAM helped a sugar manufacturer reduce security risks

Here is one example of how Microsoft SAM for cybersecurity is helping customers around the world.

Ranking as the fourth largest sugar manufacturer in the world, Mitr Phol Group wanted to achieve effective SAM and reduce security risks. They moved away from decentralized IT systems to a more consolidated structure, centralizing the organization's software deployments and management. To further increase the value of their established SAM processes, they became the first company in Thailand to conduct SAM for cybersecurity. As a result, they were able to identify and remediate system vulnerabilities and mitigate security risks and threat impacts while protecting their sensitive data.

SAM should be a key part of your security strategy. And Microsoft can help. To learn more, visit to hear how other customers are benefiting. Find a SAM partner near you to help you establish a Software Asset Management practice.


Defending against ransomware using system design

This post is authored by Michael Melone, Principal Cybersecurity Consultant, Enterprise Cybersecurity Group.

Earlier this year, the world experienced a new and highly destructive type of ransomware. The novel aspects of WannaCry and Petya were not their capabilities as ransomware, but the combination of commonplace ransomware tactics with worm capability to improve propagation.

WannaCry achieved its saturation primarily through exploiting a discovered and patched vulnerability in a common Windows service. The vulnerability (MS17-010) impacted the Windows Server service which enables communication between computers using the SMB protocol. Machines infected by WannaCry propagate by connecting to a nearby unpatched machine, performing the exploit, and executing the malware. Execution of the exploit did not require authentication, thus enabling infection of any unpatched machine.

Petya took this worming functionality one step further and additionally introduced credential theft and impersonation as a form of worming capability. These techniques target single sign-on technologies, such as traditional domain membership. This added capability specifically targeted enterprise environments and enabled the malware to use a single unpatched endpoint to springboard into the network, then use active sessions on that machine to infect other machines regardless of patch level. To an enterprise, a single unpatched endpoint paired with poor credential hygiene could enable propagation throughout the enterprise.

Most impersonation and credential theft attacks are possible only when malware obtains local administrator or equivalent authorization to the operating system. For Petya, this would mean successful exploitation of MS17-010, or running under the context of a user with local administrator authorization.

Measuring the value of a user account

To a hacker, an infected or stolen identity is measurable in two ways: the breadth of computers that trust and grant authorization to the account and the level of authorization granted upon successful authentication. Since encryption can be performed by any user account, ransomware benefits most when it infects an account which can convey write authorization to a large amount of data.

In most cases (thus far), the data sought out by ransomware has been either local files or those accessible over a network-attached share: data which the malware can reach using out-of-the-box operating system interfaces. As such, the data encrypted by most ransomware includes files in the user's profile, home directory, or on shared directories where the user has access and write authorization.

In the case of WannaCry, the identity used by the ransomware was SYSTEM, an effectively unrestricted account from an authorization perspective. Running as SYSTEM, WannaCry had authorization to encrypt any file on the infected machine.

Petya's encryption mechanism required the ability to overwrite the boot sector of the hard drive. The malware then creates a scheduled task to restart the machine at least 10 minutes later, at which point the encryption is performed. Because it encrypts offline, this mechanism prevented Petya from destroying network files.

Infected machines and worms

Pivoting our focus to the worm aspect of these ransomware variants, the value of an infected host to a hacker is measurable in two ways: the quantity of newly accessible targets resulting from infection and the data which now becomes available because of the infection. Malware with worming capability focuses on widespread propagation, thus machines which can access new targets are highly valuable.

To both WannaCry and Petya, a newly infected system offered a means to access previously inaccessible machines. For WannaCry, any potential new targets needed to be vulnerable to MS17-010. Vulnerability gave both malware variants SYSTEM-level authority, thus enabling successful execution of their payload.

Additionally, in the case of Petya, any machine having reusable credentials in memory furthered its ability to propagate. Petya searches for active sessions on an infected machine and tries to use the session to infect machines which may not have been vulnerable to MS17-010. As a result, a single vulnerable endpoint may expose a reusable administrative credential usable to infect potential targets which grant that credential a necessary level of authorization.

Codifying the vulnerability

To defend against a ransomware application with worm capability we need to target the following areas:

  • Ransomware

    • Reduce the authorization level of users relative to the operating system of an infected machine
    • Perform backups or versioning of files to prevent loss of data due to encryption, deletion, or corruption
    • Limit authorization to delete or tamper with the data backups

  • Worms

    • Reduce the ability for an infected host to access a potential infection target
    • Reduce the number of remotely exploitable vulnerabilities that provide remote code execution
    • Reduce exposure of reusable credentials relative to the likelihood of a host being compromised

Resolving Concerns through design

Many of the risks associated with ransomware and worm malware can be alleviated through systems design. Referring to our now codified list of vulnerabilities, we know that our solution must:

  • Limit the number (and value) of potential targets that an infected machine can contact
  • Limit exposure of reusable credentials that grant administrative authorization to potential victim machines
  • Prevent infected identities from damaging or destroying data
  • Limit unnecessary risk exposure to servers housing data

Windows 10, BYOD, and Azure AD Join

Windows 10 offers a new management model that differs significantly from traditional domain joined machines. Azure Active Directory joined machines can still convey identity to organizational resources; however, the machine itself does not trust domain credentials. This design prevents reusable accounts from exposure to workstations, thus protecting the confidentiality of the credential. Additionally, this limits the impact of a compromised domain account since Azure AD joined machines will not trust the identity.

Another benefit of Windows 10 with Azure AD is the ability to move workstations outside of the firewall, thus reducing the number of potential targets once infection occurs. Moving endpoints outside the firewall reduces the impact of any workstation threat by reducing the benefits normally gained by compromising a machine within the corporate firewall. As a result, this design exposes fewer server ports to potentially compromised endpoints, thus limiting the attack surface and reducing the likelihood of worm propagation.

Moving workstations outside of the firewall offers added security for the workstation as well. Migrating to a BYOD architecture can enable a more stringent client firewall policy, which in turn reduces the number of services exposed to other hosts, and thus improves the machine's defense against worms and other inbound attacks.

Additionally, most organizations use many laptops, which often connect from untrusted locations outside the firewall. While outside of the firewall, these machines can connect to untrusted sources, become infected, then bring the infection inside the firewall the next time they connect to the internal network. This causes confusion when trying to identify the initial infection during an incident response, and potentially exposes the internal network to unnecessary risk.
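As an added example (not code from the original post), the following read-only check tests a Windows 10 endpoint against the design goals above: whether it still trusts domain credentials (not Azure AD joined, or AD domain joined), whether every firewall profile blocks inbound by default, whether the SMBv1 server path fixed by MS17-010 is still enabled, and how many identities hold local administrator authorization. It assumes an elevated session and the dsregcmd, NetSecurity, SmbShare and LocalAccounts cmdlets that ship with Windows 10.

```powershell
# Added example (not from the original post): read-only posture check of the
# worm-exposure controls described in this section on a Windows 10 endpoint.
# Assumes an elevated PowerShell session on Windows 10.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Join state. dsregcmd prints lines such as "AzureAdJoined : YES" and
#    "DomainJoined : NO". An AD domain joined machine trusts reusable domain
#    credentials, which is exactly the exposure Azure AD join removes.
$dsreg = dsregcmd /status
$azureAdJoined = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES')
if ($domainJoined) {
    $findings.Add('Machine is AD domain joined: domain credentials are trusted locally')
}
if (-not $azureAdJoined) {
    $findings.Add('Machine is not Azure AD joined')
}

# 2. Inbound firewall. Every profile should be enabled with a default inbound
#    action of Block so an infected peer cannot reach local services.
foreach ($p in Get-NetFirewallProfile) {
    $inbound = $p.DefaultInboundAction.ToString()
    if (-not $p.Enabled -or $inbound -ne 'Block') {
        $findings.Add("Firewall profile $($p.Name): Enabled=$($p.Enabled), DefaultInboundAction=$inbound")
    }
}

# 3. SMBv1. WannaCry and Petya exploited the SMBv1 path patched by MS17-010;
#    disabling the protocol removes that entry point even on a patched host.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is enabled')
}

# 4. Local administrators. Fewer accounts with local admin authorization means
#    fewer identities whose compromise grants the credential-theft capability
#    Petya relied on; domain principals in this group are the worst case.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
$domainAdmins = @($admins | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })
if ($domainAdmins.Count -gt 0) {
    $findings.Add("Domain principals in local Administrators: $($domainAdmins.Name -join ', ')")
}
if ($admins.Count -gt 2) {
    $findings.Add("Local Administrators has $($admins.Count) members: $($admins.Name -join ', ')")
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings: endpoint matches the Azure AD join / BYOD design.'
} else {
    Write-Host "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```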

Consider migrating file shares to OneDrive or Office 365

Migrating data from traditional file shares into a solution such as SharePoint or OneDrive can limit the impact of a ransomware attack. Data stored in these technologies can enforce version control, thus potentially simplifying recovery. To further protect this data, limit the number of SharePoint users who have administrative authority over the site, to prevent emptying of the recycle bin.

Ensure resilient backups

When an attack occurs, it is crucial to ensure ransomware cannot destroy data backups. Although convenient, online data backups may be subject to destruction during an attack. Depending on design, an online backup solution may trust a stolen reusable single sign-on credential to enable deletion or encryption of backup data. If this occurs, backups may be rendered unusable during the attack.

To prevent this, consider Azure Cloud Backup, a secure off-site backup solution. Azure Cloud Backup is managed through the Azure Portal, which can be configured to require separate authentication, including multi-factor authentication. Volumes used to store backup data reside in Azure and cannot be initialized or overwritten using on-premises domain credentials.

Windows 10 and BYOD architecture offer significant defense against a variety of cyberattacks, including worms and ransomware. This article covers only some of the protections that Windows 10 offers against credential theft, bootkits, rootkits, and other malware techniques employed by this class of highly destructive malware.

To better defend your organization against future malware outbreaks:


Learn from leading cybersecurity experts

More than 170K technology and business leaders from across the world depend on Microsoft's Modern Workplace monthly webcast to shed new light on business challenges related to technology. Over the past four years, Modern Workplace has had the world's leading experts share their advice on technology topics such as security, including CISOs, Chief Privacy Officers, Cyber Intelligence Advisors, and Chief Digital Officers. Just in the past year, Modern Workplace security episodes included:

These episodes include more than just security checklists and basics; they go into depth around the decisions business leaders are faced with every day. In the episode on data privacy, Hillery Nye, Chief Privacy Officer at Glympse, explained how the startup company made a very conscious decision not to collect data that it could have easily gathered from its real-time location sharing app. The company collects customer data and uses it for very specific purposes, but it never stores or sells that data. The company may have given up some opportunities to monetize its customer data, but Nye feels that the company gains even more by being a responsible corporate citizen and establishing a reputation for privacy. She discussed how a company's brand is affected by its privacy policies, and how businesses can better align their privacy policies with business strategy for long-term success.

The Modern Workplace series has been nominated for four regional Emmy awards because of its creative presentation of diverse perspectives and insights. To learn more about how technology can help drive your business, check out the Modern Workplace episodes on-demand today!


A 4-point action plan for proactive security

It can be difficult these days to make sense of all the potential ways you could step up your security. But with automated attacks moving faster and faster, many organizations are feeling a real need to change their approach and get more proactive about security.

Should you focus on endpoint detection and response (EDR)? Should you deploy multi-factor authentication (MFA) to control access to all your corporate resources? Or do you need to control your cloud apps and infrastructure more closely with a cloud access security broker (CASB)? Should your first step be deploying data loss prevention (DLP)?

If you're feeling a little confused about where to start, join us for our webinar: A 4-point action plan for proactive security. We'll share how Microsoft approaches security and how you can cut through all the confusion to prioritize a few projects that will have real impact on your level of protection.


Event recap: Security at Microsoft Ignite

Microsoft Ignite recently gathered 24,000+ attendees from around the world in Orlando, FL. CEO Satya Nadella kicked off an exciting week with his Vision Keynote by articulating how we enable digital transformation, specifically through empowering employees, engaging customers, optimizing operations, and finally through transforming products.

Commitment to security, privacy, and transparency

At the event, Microsoft reaffirmed its commitment to security, privacy, and transparency to its customers and partners through all four main solution areas: Modern Workplace, Business Applications, Applications & Infrastructure, and Data & Artificial Intelligence. Julia White explained Microsoft's approach to security during her session, Microsoft 365: Step up your protection with intelligent security.

Learnings from our customers and partners

During the event, the Microsoft team had the privilege of engaging in 410,000 unique interactions within the Expo. In addition, 8,000+ labs were consumed, along with 54 sessions: two general sessions, 40 breakout sessions across the CE, Windows and Office 365 tracks, and 12 theater sessions. Our top three security takeaways were:

  1. Build awareness of Microsoft's commitment to security and privacy
  2. Communicate product updates early and frequently
  3. Transparency from Microsoft equates to trust from customers

Key security related sessions to check out

Key security sessions we recommend you check out are based entirely upon feedback from our customers and partners who attended the sessions. Please take a moment to watch them and learn about new ways you can improve the security posture of your organization.

On demand access to content

All breakout sessions and general sessions were recorded for on demand viewing. These recordings are now available at Microsoft Ignite on demand sessions. Please continue to share this link with your customers and partners. Labs will be available for 6 months through MyIgnite.


Microsoft Ignite was a fantastic week for all who attended. We not only shared product visions, but also listened and learned from engagements with customers and partners. With continued advances in our security offerings and development of better ways for partners to build a more modern, collaborative and secure work environment, it will be an exciting year for security.


Cybersecurity in a modern age

By 2021, worldwide cybercrime damage is expected to reach $6 trillion, double what it cost businesses in 2015. As digital transformation sweeps the globe, the imminent threat of cybercrime grows alongside it. As a result, new techniques in cybersecurity must be developed at a growing rate to keep pace.

Digital-first is the new business frontier, and if we want to keep this landscape a safe space to store and share information, we must be able to quickly identify opportunities to bolster security and adapt to evolving threats. Microsoft's cloud technology offers organizations the tools to advance security, enhance government compliance, improve security education, and enable industry collaboration to shut down new threats. Microsoft is creating a new path toward digital transformation in a secure space.

Through cloud technologies, IT professionals now have advanced tools at their fingertips that provide real-time visibility into cybersecurity and the ability to proactively thwart threats before they become an issue. As more organizations move to the cloud, management of security risks can occur in real time. This real-time action on cyber threats helps create cost efficiency, and allows for frequent and seamless updates without reconfiguration, giving IT leaders the upper hand in staying compliant with regulatory guidelines.

With cloud-based technology come real solutions in data loss prevention. IT professionals are using the cloud to secure employee data in new and highly effective ways. Through improved cloud encryption capabilities, organizations can better help protect sensitive information in motion and at rest. Even if cybercriminals are able to breach your network and bypass the first lines of cyber defense, encryption helps keep organizational data from falling into unauthorized hands. Additionally, advanced measures like multi-factor authentication (MFA) and Single Sign-On (SSO) provide additional layers of security by ensuring only those with the proper credentials are able to gain access to information and company platforms. These solutions and innovations in tech security are just the beginning.

With the advent of new technology and the digitization of how IT experts and professionals communicate, a quicker dissemination of knowledge can occur in a collaborative space. Experts can share and explore new ideas and concepts to quickly improve upon cloud technology and how to best address security concerns. By partnering up, industries are able to break new ground on how to secure information, share information, and revolutionize the way government, private enterprise, education systems, and average people navigate a digitally transforming world.

Ready to discover how Microsoft technology is transforming security for a digital-first, cloud-first world, and participate in interactive sessions led by subject matter experts? Microsoft is hosting a series of Security Forums in cities across the United States to demonstrate how organizations can use the latest technology to update and improve their cybersecurity efforts. We invite you to join your fellow IT professionals alongside Microsoft experts to discuss new ways to address evolving cyber threats. Find out how your business can use the power of the cloud to boost security, and get a firsthand look at what Microsoft has to offer.

For more information, including locations near you and a full event calendar, visit the Microsoft Security Forum events page. Don't delay, as seats are limited. Register now to save your spot!


Microsoft and Progeny Systems enhance security for mobile applications across U.S. Government

In our mobile-first, cloud-first world, security is paramount for organizations of any size. It is especially critical to applications used across the U.S. Government, which is why we are working with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems to enhance mobile application security.

In support of the broader federal initiative to enable access to quality digital government information and services anywhere, anytime, on any device, Progeny will build a mobile application development security framework for iOS, Android and Windows apps that will be used across several US Government agencies, both for public facing and internal enterprise use cases. This framework will broadly enable developers across the United States Government to focus on building mobile apps that provide business value, with the confidence that security is built in.

The cross-platform, native approach using Visual Studio, the open-source .NET framework, and the Xamarin platform will enable developers to build higher quality apps that are fully compliant with the National Information Assurance Partnership (NIAP) mobile app vetting standards, the National Institute of Standards and Technology (NIST) 800-163 guidance and the Department of Homeland Security's Mobile Application Playbook. Utilizing Microsoft's leading mobile application development tools, the framework will support mobile apps built to run on-premises and on any cloud platform, including government-only clouds such as Azure Government, which meet critical government regulatory compliance requirements.

"I'd like to congratulate the Department of Homeland Security Science and Technology Directorate for their commitment to addressing the mandates of both security and mobility for their stakeholders," said Greg Myers, Microsoft Vice President of Federal. "We look forward to partnering with DHS and ultimately, by bringing mobile, secure, and compliant technology solutions, helping them fulfil their critical mission."

Microsoft's latest award from the DHS comes on the heels of several related public sector certifications and big data and analytics enhancements to our leading mobile apps and security. It also builds on our current work with the Department of Veterans Affairs and Applied Research Associates, whose Instant Notification System enables the U.S. government's Combating Terrorism and Threat Support Office's Tactical Support Working Group (TSWG) to quickly and effectively notify team members about suspicious packages or events over commercially available networks.

You can read more about our mobile application security work with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems in their news release. For details on Microsoft's leadership in mobile application development, visit Gartner's Magic Quadrant report.


Easily create securely configured virtual machines

This blog post is authored by Jonathan Trull, Chief Security Advisor, Enterprise Cybersecurity Group.

While a securely configured operating system is essential to repelling today's cyber attacks, the base images provided by vendors do not come pre-hardened and require significant research, expertise, and proper configuration by the customer. To make it easier for Microsoft customers to deploy secured virtual machines out of the box, I am excited to share the recent availability for purchase of hardened virtual machine images within Azure, based on the partnership between Microsoft and the Center for Internet Security (CIS). CIS is a non-profit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks. Hardened images are virtual machine images that have been hardened, or configured, to be more resilient to cyber attacks. These images are available in the Azure Marketplace and can be used by Azure customers to create new, securely configured virtual machines.

Establishing and maintaining the secure configuration of an entity's IT infrastructure continues to be a core tenet of information security. History has shown that the misconfiguration or poor configuration of laptops, servers, and network devices is a common cause of data breaches. Global standards, governments, and regulatory bodies have also highlighted the importance of establishing and maintaining secure configurations, and in many cases have mandated their use due to their effectiveness. I have included a few of the most relevant and wide-ranging examples in the table below.

Source                          Control                                           Reference
Center for Internet Security    Critical Security Controls                        CIS Control 3: Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
Australian Signals Directorate  Strategies to Mitigate Cyber Security Incidents   User Application Hardening; Server Application Hardening; Operating System Hardening
US NIST                         Cyber Framework                                   PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
Payment Card Industry                                                             Build and maintain a secure network and systems

Accessing and Deploying CIS Hardened Images

To view the CIS hardened images, log in to the Azure portal and navigate to the Marketplace. You can then search for and filter on the Center for Internet Security. As you can see below, there are hardened images for many of the common operating systems, including Windows Server 2012, Oracle Linux, and Windows Server 2016.

From within the Marketplace blade, you can then select the appropriate image and select the Create button to start the deployment journey within the portal, or gain further details on deploying the image programmatically. Below is an example showing the start of the deployment of a new CIS hardened Windows Server 2016 image.

The hardened images are configured based on the technical specifications established in the related benchmark. These benchmarks are freely available on the CIS website in PDF format.

The CIS benchmarks contain two levels, each with slightly different technical specifications:

  • Level 1: Recommended minimum security settings that should be configured on any system; they should cause little or no interruption of service or reduced functionality.
  • Level 2: Recommended security settings for highly secure environments; they could result in some reduced functionality.

Prior to deploying one of the CIS hardened images, it is important for the administrator to review the benchmark's specifications, ensure they conform to the company's policies, procedures, and standards, and perform sufficient testing before deploying to a production environment.
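The portal walkthrough above has a programmatic equivalent. The following Az PowerShell script is an added example, not code from this post or from CIS: it lists the CIS offers and SKUs available in a region, accepts the Marketplace terms once for the subscription, and builds a VM from the chosen image. The Marketplace publisher ID, region, resource group, virtual network name and VM names are assumptions; replace the offer and SKU placeholders with values from the listing step. The Set-AzVMPlan call is the part people usually forget: third-party Marketplace images carry a purchase plan, and a deployment without it is rejected.

```powershell
# Added example (not the post's or CIS's code). Requires the Az module and an
# account with rights to create resources in the target resource group.
$location  = "eastus"                            # assumption: deployment region
$publisher = "center-for-internet-security-inc"  # assumption: CIS Marketplace publisher ID
$rg        = "rg-cis-demo"                       # assumption: existing resource group
$vnetName  = "vnet-demo"                         # assumption: existing virtual network
$vmName    = "vm-cis-2016"

Connect-AzAccount | Out-Null

# 1) Discover what the publisher offers in this region (Windows Server, Oracle Linux, ...).
Get-AzVMImageOffer -Location $location -PublisherName $publisher | ForEach-Object {
    Get-AzVMImageSku -Location $location -PublisherName $publisher -Offer $_.Offer
} | Format-Table PublisherName, Offer, Skus -AutoSize

# 2) Pick an offer/SKU from the listing and accept its Marketplace terms
#    (a one-time action per subscription; deployments fail until this is done).
$offer = "<offer-from-listing>"   # placeholder
$sku   = "<sku-from-listing>"     # placeholder
Get-AzMarketplaceTerms -Publisher $publisher -Product $offer -Name $sku |
    Set-AzMarketplaceTerms -Accept | Out-Null

# 3) Attach the VM to an existing subnet; no public IP is created here on purpose.
#    The benchmark hardens the guest OS, not the network path to it.
$subnet = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName).Subnets[0]
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $location `
                              -Name "$vmName-nic" -SubnetId $subnet.Id

# 4) Build the VM configuration. Set-AzVMPlan records the Marketplace purchase
#    plan that third-party images require; Set-AzVMSourceImage selects the image.
$cred = Get-Credential -Message "Local administrator for $vmName"
$vm = New-AzVMConfig -VMName $vmName -VMSize "Standard_B2s" |
    Set-AzVMPlan -Publisher $publisher -Product $offer -Name $sku |
    Set-AzVMSourceImage -PublisherName $publisher -Offer $offer -Skus $sku -Version "latest" |
    Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Set-AzVMOSDisk -CreateOption FromImage

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm
```

Run the listing step alone first and confirm the offer and SKU match the benchmark document you reviewed; the "latest" version tag means a later image revision may apply benchmark changes you have not yet tested against your policy.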

CIS is working to release additional, hardened images, so check the Azure Marketplace for new updates.


What Am I Missing? How to see the users you’re denied from seeing

This blog post is authored by Michael Dubinsky, Principal PM Manager, Microsoft ATA / Azure ATP.

Recently Andy (@_wald0) and Will (@harmj0y), who are amazing contributors to the security community, published the whitepaper An ACE Up the Sleeve: Designing Active Directory DACL Backdoors.

In this whitepaper they discuss different methods which can be used by attackers to remain persistent and stealthy in the environment to avoid detection.

In general, this is a very important goal for an attacker and is a big part of a successful mission performed either by a nation state or by a hacker group.

Specifically, in the whitepaper Andy and Will mention the option to set up a Deny ACE on an object created by the attacker. This causes the object in question to become invisible (it is not returned in LDAP queries against Active Directory), which prevents the object from being seen (and monitored) by any service account used by monitoring solutions.

This does sound like an issue, as denying permissions to a Domain Admin principal (or the Everyone principal, for that matter) causes an object to become invisible. A cool idea indeed.

So, this made me think: is there a way we can identify all the objects to which I don't have permissions?

Sounds like a tough task; however, after going through some of the possible resolution APIs together with the ATA security research team, Marina came across this statement in the documentation for LsaLookupSids:

"There is no access check that would require the caller to be able to read the SID or account name to perform the mapping."

Now that we've found a method to query a SID and get a result regardless of the ACL, we can verify whether the object exists or not.

The next step is to identify whether it's a permissions issue. To validate that, we can compare the results of this API with the LDAP query results.

If LsaLookupSids returns a result while the LDAP query for the same SID returns nothing, this means one thing (after cleaning up several bugs related to SidHistory): we don't have permissions on the object!

I've made a small PowerShell script to demonstrate this capability. The script enumerates all RIDs in a specific domain and compares the LDAP result to the LsaLookupSids result to see what I am missing.

The script can be found at

This should make discovering ACL hidden objects a little bit easier.
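The comparison described above, as an added example that is not the author's script: on Windows, SecurityIdentifier.Translate() resolves a SID through the LSA lookup path (LsaLookupSids), so it answers "does this RID belong to a real account?" without an ACL check, while a DirectorySearcher query runs with the caller's permissions. A RID that resolves through LSA but is not found through LDAP by either objectSid or sIDHistory is an object the caller is denied from reading. The RID range, the assumption that the host is domain-joined, and the function name are mine; SIDs migrated into another object's history are searched for via sIDHistory so they are not reported as hidden, which is the SidHistory pitfall the post mentions.

```powershell
# Added example (not the post's script): list domain objects that LSA can resolve
# but the current user cannot see through LDAP. Assumption: domain-joined host.
function Find-HiddenDomainObject {
    param(
        [int]$MinRid = 500,    # 500 = built-in Administrator; lower RIDs are well-known
        [int]$MaxRid = 5000    # assumption: raise for larger domains (check the RID pool)
    )

    $rootDse   = [ADSI]"LDAP://RootDSE"
    $domain    = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $sidBytes  = [byte[]]$domain.Properties["objectSid"].Value
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null

    for ($rid = $MinRid; $rid -le $MaxRid; $rid++) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier("$domainSid-$rid")

        # LSA side: Translate() uses LsaLookupSids, which performs no access check
        # on the object being resolved. An unmapped RID throws and is skipped.
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            continue
        }

        # LDAP side: the filter needs the binary SID as \xx-escaped bytes.
        $raw = New-Object byte[] $sid.BinaryLength
        $sid.GetBinaryForm($raw, 0)
        $escaped = ($raw | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

        # Match on sIDHistory too, so a SID that now lives in another object's
        # history (after a migration) is not reported as hidden.
        $searcher.Filter = "(|(objectSid=$escaped)(sIDHistory=$escaped))"
        if ($null -eq $searcher.FindOne()) {
            New-Object PSObject -Property @{
                Sid     = $sid.Value
                Account = $account
                Note    = "resolved by LSA, not returned by LDAP for this caller"
            }
        }
    }
}

# Run as the monitoring or service account whose view you want to check.
$hidden = @(Find-HiddenDomainObject)
if ($hidden.Count -eq 0) { "No LSA-resolvable objects are hidden from this account." }
else { $hidden | Format-Table Sid, Account, Note -AutoSize }
```

Run it under the same account your monitoring solution uses, since that is the view that matters; a non-empty result is a list of SIDs to investigate with a Domain Admin account, starting with the ACE that denies the caller. A RID that LSA resolves but the searcher cannot find because of replication latency or a RID outside the range you scanned will not appear, so treat an empty result as "nothing found in this range", not as proof.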


SharePoint and OneDrive: security you can trust, control you can count on

This post is authored by Bill Baer, Senior Product Marketing Manager, SharePoint and OneDrive Team.

In today's complex and regulated environment, businesses need to focus on building more secure solutions that deliver value to their customers, partners, and shareholders, both in the cloud and on-premises.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint and OneDrive more secure for users, by implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

SharePoint and OneDrive are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint and OneDrive. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint and OneDrive allow your organization to go beyond its regular business rhythms and be nimbler in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they’re doing work while sharing and collaborating in real-time. And you control and own your data while Microsoft takes care of it. Explore the many options SharePoint and OneDrive provide to secure you and your information and then read our eBook Securing your content in the new world of work with SharePoint and OneDrive.

For businesses, the time is now to reevaluate security practices. In the modern communications and collaboration landscape, connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device, and for that experience to be seamless.

While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today's mobile-first world, where the threat landscape is increasingly complex and sophisticated.

We know that data loss is non-negotiable, and overexposure of information can have legal and compliance implications. SharePoint and OneDrive provide a broad array of features and capabilities designed to make certain that your sensitive information remains sensitive, with investments across our security and compliance principles, including compliance tools that span on-premises servers and Office 365, while balancing protection against enabling user self-service.

The rapidly changing security landscape means that your organization's content, its knowledge, is being shared more broadly, and accessed from more devices and more locations, than ever before. We're committed to the security, privacy, and compliance of your data, and we continuously innovate intelligent ways to protect your content and to empower you to govern and manage information. Last month we announced label-based classification for information management policies, which enables more dynamic governance of content across SharePoint, Exchange, Skype, and Microsoft Teams. We're continuously working to ensure content usage adheres to corporate policy, defending your organization from today's growing and evolving advanced threats.

To learn more about security and compliance with SharePoint and OneDrive:


Announcing support for TLS 1.1 and TLS 1.2 in XP POSReady 2009

This post is authored by Arden White, Senior Program Manager, Windows Servicing and Delivery.

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft, we are announcing that support for TLS 1.1/TLS 1.2 on Windows Embedded POSReady 2009 and Windows Embedded Standard 2009 is now available for download as of October 17th, 2017. We're offering this support in recognition that our customers have a strong demand for support for these newer protocols in their environment.

This update for Windows Embedded POSReady 2009 and Windows Embedded Standard 2009 includes support for both TLS 1.1 and TLS 1.2. For application compatibility purposes, these protocols are disabled by default, in the same way that TLS 1.1/TLS 1.2 support was disabled by default in Windows 7 and Windows Server 2008 R2. After downloading and installing the update, these protocols can be enabled by setting the registry keys described in KB4019276.
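Because the protocols ship disabled, the practical follow-up is to verify the state on each device and flip the switch deliberately. The script below is an added example, not part of the announcement or of KB4019276: it reads and sets the per-protocol SCHANNEL values (Enabled and DisabledByDefault under the Client and Server subkeys), which is the registry layout that KB4019276 describes for enabling these protocols. It avoids syntax newer than PowerShell 2.0 since the target is an XP-era OS, and the audit function is separate from the change so it can be run alone against a fleet before anything is modified.

```powershell
# Added example (not from the post or the KB). Run in an elevated shell on a
# device that already has the TLS 1.1/1.2 update installed.
$base      = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$protocols = "TLS 1.1", "TLS 1.2"
$sides     = "Client", "Server"

function Get-SchannelProtocolState {
    # Reports each protocol/side as Enabled, Disabled, NotConfigured (OS default,
    # which on these systems means off) or DisabledByDefault (present but not
    # offered unless an application asks for it explicitly).
    foreach ($p in $protocols) {
        foreach ($s in $sides) {
            $path  = Join-Path $base "$p\$s"
            $state = "NotConfigured"
            if (Test-Path $path) {
                $props = Get-ItemProperty -Path $path
                if ($props.Enabled -eq 0) {
                    $state = "Disabled"
                } elseif ($props.DisabledByDefault -eq 1) {
                    $state = "DisabledByDefault"
                } elseif ($props.Enabled -ne $null -and $props.DisabledByDefault -eq 0) {
                    $state = "Enabled"
                }
            }
            New-Object PSObject -Property @{ Protocol = $p; Side = $s; State = $state }
        }
    }
}

function Enable-SchannelProtocol {
    # Creates the keys if they are missing and sets both DWORDs.
    # Enabled = 1 turns the protocol on; DisabledByDefault = 0 lets SCHANNEL
    # offer it without each application opting in.
    foreach ($p in $protocols) {
        foreach ($s in $sides) {
            $path = Join-Path $base "$p\$s"
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name "Enabled"           -Value 1 -Type DWord
            Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 0 -Type DWord
        }
    }
}

"Before:"
Get-SchannelProtocolState | Format-Table Protocol, Side, State -AutoSize
Enable-SchannelProtocol
"After (effective after a restart):"
Get-SchannelProtocolState | Format-Table Protocol, Side, State -AutoSize
```

Enable the Client side first on a pilot device and confirm the point-of-sale application still reaches its back end, since an application that pins an older protocol will not benefit from the change and may need its own update; SCHANNEL reads these values at startup, so the new state is effective after a restart.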

This update is being made available on the following timeline:

Release Date        Channels                       Classification
October 17, 2017    Microsoft Catalog
January 16, 2018    Windows Update/WSUS/Catalog    Optional
February 13, 2018   Windows Update/WSUS/Catalog    Recommended
