Archive

Author Archive

Kicking off the Microsoft Graph Security Hackathon

December 3rd, 2018 No comments

Cybersecurity is one of the hottest sectors in tech with Gartner predicting worldwide information security spending to reach $124 billion by the end of 2019. New startups and security solutions are coming onto the market while attackers continue to find new ways to breach systems. The security solutions market has grown at a rapid pace as a result. Our customers face immense challenges in integrating all these different solutions, tools, and intelligence. Oftentimes, the number of disconnected solutions make it more difficultrather than easierto defend and recover from attacks.

We invite you to participate in the Microsoft Graph Security Hackathon for a chance to help solve this pressing challenge and win a piece of the $15,000 cash prize pool.* This online hackathon runs from December 1, 2018 to March 1, 2019 and is open to individuals, teams, and organizations globally.

The Microsoft Graph Security API offers a unified REST endpoint that makes it easy for developers to bring security solutions together to streamline security operations and improve cyber defenses and response. Tap into other Microsoft Graph APIs as well as mash up data and APIs from other sources to extend or enrich your scenarios.

Prizes

In addition to learning more about the Microsoft Graph and the security API, the hackathon offers these awesome prizes for the top projects:

  • $10,000 cash prize for the first-place solution, plus a speaking opportunity at Build 2019.
  • $3,000 cash prize for the runner up solution.
  • $2,000 cash prize for the popular choice solution, chosen via public voting.

In addition, all three winning projects, and the individuals or teams in the categories above, will be widely promoted on Microsoft blog channelsgiving you the opportunity for your creative solutions to be known to the masses. The criteria for the judging will consist of the quality of the idea, value to the enterprise, and technical implementation. You can find all the details you need on the Microsoft Graph Security Hackathon website.

Judging panel

Once the hackathon ends on March 1, 2019, judging commences immediately after by our amazing judges. Well announce the winners on or before April 1, 2019. The hackathon will be judged by a panel of Microsoft and non-Microsoft experts and influencers in the developer community and in cybersecurity, including:

  • Ann Johnson, Corporate Vice President for Cybersecurity Solutions Group for Microsoft
  • Scott Hanselman, Partner Program Manager for Microsoft
  • Mark Russinovich, CTO Azure for Microsoft
  • Rick Howard, Chief Security Officer Palo Alto Networks

We will announce more judges in the coming weeks!

Next steps

Let the #graphsecurityhackathon begin

*No purchase necessary. Open only to new and existing Devpost users who are the age of majority in their country. Game ends March 1, 2019 at 5:00 PM Eastern Time. For details, see the official rules.

The post Kicking off the Microsoft Graph Security Hackathon appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Secure your privileged administrative accounts with a phased roadmap

November 29th, 2018 No comments

In my role, I often meet with CISOs and security architects who are updating their security strategy to meet the challenges of continuously evolving attacker techniques and cloud platforms. A frequent topic is prioritizing security for their highest value assets, both the assets that have the most business value today as well as the initiatives that the organization is banking on for the future. This typically includes intellectual property, customer data, key new digital initiatives, and other data that, if leaked, would do the greatest reputational and financial damage. Once weve identified the highest value assets, it inevitably leads to a conversation about all the privileged accounts that have administrative rights over these assets. Most of our customers recognize that you can no longer protect the enterprise just by securing the network edge; the cloud and mobile devices have permanently changed that. Identities represent the critically important new security perimeter in a dual perimeter strategy while legacy architectures are slowly phased out.

Regardless of perimeter and architecture, there are few things more important to a secure posture than protecting admins. This is because a compromised admin account would cause a much greater impact on the organization than a compromised non-privileged user account.

If you are working on initiatives to secure your privileged accounts (and I hope you are ), this post is designed to help. Ive shared some of the principles and tools that Microsoft has used to guide and enhance our own security posture, including some prescriptive roadmaps to help you plan your own initiatives.

Protect the privileged access lifecycle

Once you start cataloging all the high-value assets and who can impact them, it quickly becomes clear that we arent just talking about traditional IT admins when we talk about privileged accounts. There are people who manage social media accounts rich with customer data, cloud services admins, and those that manage directories or financial data. All of these user accounts need to be secured (though most organizations start with IT admins first and then progress to others, prioritized based on risk or the ability to secure the account quickly).

Protecting the privileged access lifecycle is also more than just vaulting the credentials. Organizations need to take a complete and thoughtful approach to isolate the organizations systems from risks. It requires changes to:

  • Processes, habits, administrative practices, and knowledge management.
  • Technical components such as host defenses, account protections, and identity management.

Principles of securing privileged access

Securing all aspects of the privileged lifecycle really comes down to the following principles:

  • Strengthen authentication:

    • Move beyond relying solely on passwords that are too often weak, or easily guessed and move to a password-less, Multi-Factor Authentication (MFA) solution that uses at least two forms of authentication, such as a PIN, biometrics, and/or a code generated by a device.
    • Make sure you detect and remediate leaked credentials.

  • Reduce the attack surface:

    • Remove legacy/insecure protocols.
    • Remove duplicate/weak passwords.
    • Reduce dependencies.

  • Increase monitoring and detection.
  • Automate threat response.
  • Ensure usability for administrators.

To illustrate the importance we place on privileged access controls, Ive included a diagram that shows how Microsoft protects itself. Youll see we have instituted traditional defenses for securing the network, as well as made extensive investments into development security, continuous monitoring, and processes to ensure we are looking at our systems with an attackers eye. You can also see how we place a very high priority on security for privileged users, with extensive training, rigorous processes, separate workstations, as well as strong authentication.

Prioritize quick, high-value changes first using our roadmap

To help our customers get the most protection for their investment of time/resources, we have created prescriptive roadmaps to kickstart your planning. These will help you plan out your initiatives in phases, so you can knock out quick wins first and then incrementally increase your security over time.

Check out the Azure Active Directory (Azure AD) roadmap to plan out protections for the administration of this critical system. We also have an on-premises roadmap focused on Active Directory admins, which Ive included below. Since many organizations run hybrid networks, we will soon merge these two roadmaps.

On-premises privileged identity roadmap

There are three stages to secure privileged access for an on-premises AD.

Stage 1 (30 days)

Stage 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse.

1. Separate accounts: This is the first step to mitigate the risk of an internet attack (phishing attacks, web browsing) from impacting administrative privileges.

2 and 3. Unique passwords for workstations and servers: This is a critical containment step to protect against adversaries stealing and re-using password hashes for local admin accounts to gain access to other computers.

4. Privileged access workstations (PAW) stage 1: This reduces internet risks by ensuring that the workstations admins use every day are protected at a very high level.

5. Identity attack detection: Ensures that security operations have visibility into well-known attack techniques on admins.

Stage 2 (90 days)

These capabilities build on the mitigations from the 30-day plan and provide a broader spectrum of mitigations, including increased visibility and control of administrative rights.

1. Require Windows Hello for business: Replace hard-to-remember and easy-to-hack passwords with strong, easy-to-use authentication for your admins.

2. PAW stage 2: Requiring separate admin workstations significantly increases the security of the accounts your admins use to do their work. This makes it extremely difficult for adversaries to get access to your admins and is modeled on the systems we use to protect Azure and other sensitive systems at Microsoft (described earlier).

3. Just in time privileges: Lowers the exposure of privileges and increases visibility into privilege use by providing them to admins as they need it. This same principle is applied rigorously to admins of our cloud.

4. Enable credential guard on Windows 10 workstations: This isolates secrets for legacy authentication protocols like Kerberos and NTLM on all Windows 10 user workstations to make it more difficult for attackers to operate there and reach the admins.

5. Leaked credentials 1: This enables you to detect a risk of a leaked password by synchronizing password hashes to Azure AD where it can compare them to known leaked credentials.

6. Lateral movement vulnerability detection: Discover which sensitive accounts in your network are exposed because of their connection to non-sensitive accounts, groups, and machines.

Stage 3: Proactively secure posture

These capabilities build on the mitigations from previous phases and move your defenses into a proactive posture. While there will never be perfect security, this represents the strongest protections against privilege attacks currently known and available today.

1. Review role-based access control: Protect identity and management systems using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.

2. PAW stage 3: Expands your protection by separating internet risks (phishing attacks, web browsing) from all administrative privileges, not just AD admins.

3. Lowers the attack surface of domain and domain controller: This hardens these sensitive assets to make it difficult for attackers to compromise them with classic attacks like unpatched vulnerabilities and exploiting configuration weaknesses.

4. Leaked credentials 2: This steps up the protection of admin accounts against leaked credentials by forcing a reset of passwords using conditional access and self-service password reset (versus requiring someone to review the leaked credentials reports and manually take action).

Securing your administrative accounts will reduce your risk significantly. Stay tuned for the hybrid roadmap, which will be completed in early 2019.

The post Secure your privileged administrative accounts with a phased roadmap appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

How to help maintain security compliance

November 26th, 2018 No comments

This is the last post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Image taken at the Microsoft Ignite Conference.

Your employees need to access, generate, and share organizational information ranging from extremely confidential to informal; you must ensure that all information and the movement of that information comply with industry standards without inhibiting workflow. Microsoft 365 security solutions can help you know whats happening with your data, set permissions and classifications, and discover and help prevent leaks.

How can I make it easier to manage compliance processes?

To better manage compliance processes, the first thing youll want to do is distribute the work out to compliance specialists across your organization. The Microsoft 365 Security & Compliance Center (Figure 1) makes this easy by providing a central location to assign people to specific compliance tasks, such as data loss prevention, eDiscovery, and data governance.

Figure 1: The Microsoft 365 Security & Compliance Center Dashboard.

Next, youll need to decide on your policies and data classifications that will allow you to take actions on data. To streamline this compliance task, Microsoft Advanced Data Governance offers automatic data classification and proactive policy recommendationssuch as retention and deletion policiesthroughout the data lifecycle. You can enable default system alerts to identify data governance risks, for example, detecting an employee deleting a large volume of files. You can also create custom alerts by specifying alert-matching conditions, thresholds, or other activities that require admin attention.

How do I assess data protection controls in an ever-changing compliance landscape?

The Microsoft Security Compliance Manager (Figure 2) provides tools to proactively manage evolving data privacy regulations. You can perform ongoing risk assessments on security, compliance, and privacy controls across 11 assessments, including these standards:

  • ISO 27001
  • ISO 27018
  • NIST 800-53
  • NIST CSF
  • CSA CCM

Plus, regional standards and regulations, including:

  • GDPR

As well as industry standards and regulations, such as:

  • HIPAA/HITECH
  • FFIEC
  • NIST 800-171
  • FedRAMP Moderate
  • FedRAMP High

Additionally, the Compliance Manager provides you with step-by-step guidance of how to implement controls to enhance your compliance posture and keep you updated with the current compliance landscape. In addition, built-in collaboration tools to help you assign, track, and record compliance activities to prepare for internal or external audits.

Figure 2: Compliance Manager provides tools to proactively manage evolving data privacy regulations.

How can I protect my data no matter where it lives or travels?

With employees, partners, and other users sharing your data over cloud services, mobile devices, and apps, you need solutions that understand what data is sensitive and automatically protect and govern that data. The unified labeling experience for Microsoft 365 in the Security & Compliance Center provides a tool that allows you to configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location (Figure 3). You can create and customize labels that define the sensitivity of the datafor example, a label of General means the file doesnt contain sensitive information, while Highly Confidential means the file contains very sensitive information. For each label, you can configure protection settings, such as adding encryption and access restrictions, or adding visual markings such as watermarks or headers/footers. To support data governance compliance, you can set policies for data retention, deletion, and disposition, and then automatically apply or publish these labels to users.

Figure 3: Configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location.

There are over 85 built-in sensitive information types that you can use to automatically detect common sensitive data types that may be subject to compliance requirements, such as credit card information, bank account information, passport IDs, and other personal data types. You can also create your own custom sensitive information types (such as employee ID numbers) or upload your own dictionary of terms that you want to automatically detect in documents and emails.

How can I help protect privileged accounts from compromise?

Controlling privileged access can reduce the risk of data compromise and help meet compliance obligations regarding access to sensitive data. Privileged access management (PAM) in Office 365 (Figure 4), available in the Microsoft 365 Admin Center, allows you to enforce zero standing access for your privileged administrative accounts. Zero standing access means users dont have privileges by default. When permissions are provided, its at the bare minimum with just enough access to perform the specific task. Users who need to perform a high-risk task must request permissions for access, and once received all activities are logged and auditable. Its the same principle that defines how Microsoft gives access to its datacenters and reduces the likelihood that a bad actor can gain access to your privileged accounts.

Figure 4: Privileged access management allows you to enforce zero standing access for your privileged administrative accounts.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started with FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Maintain compliance with controls and visibility that adhere to global standards. You can find additional security resources on Microsoft.com.

Coming Soon! Stay tuned for our new series: Top 10 actions you can take with Microsoft 365 Security.

More blog posts from the deploying intelligent security scenario series:

Other blog posts from the security deployment series:

The post How to help maintain security compliance appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

CISO series: Lessons learned—4 priorities to achieve the largest security improvements

November 13th, 2018 No comments

In my past life as CISO, Ive worked for small companies, state governments, and large enterprises, and one thing that has been true at all of them is that there is an infinite number of security initiatives in each organization you could implement, yet the resources to accomplish those tasks are finite. To be an effective CISO, I had to learn to appropriate the resources under my control toward the solutions that confront the greatest risk to the most valuable parts of the business. I also had to learn how to extend my own resource pool by persuading every individual at the company that they had a role to play in protecting the organization. In short, I learned to aggressively prioritize resources, quantify risk, and influence others.

In this blog, Ill share the methods Ive used to prioritize where and how I spend my resources. There really are just four priorities to achieve the largest security improvements:

  1. Identify what is under your control.
  2. Formulate a security strategy.
  3. Implement good cybersecurity hygiene.
  4. Disrupt the cyber kill chain.

Identify the business you are charged with protecting

Before you can begin to allocate your resources, you first need to identify what is under your control. What are the capital and operating budgets available for security, and who are the people responsible for security? You may manage security professionals both inside and outside the company, and you need to know who they are and their strengths and weaknesses. When it comes time to assign people and budgets to your priorities, this knowledge will prove crucial.

You must also know the business. Get clear about which products, services, and lines of business are the biggest drivers of the organizations success. Once you understand what drives the business and the resources you control, you will need to formulate a strategy.

Formulate a security strategy

Understanding the most critical business drivers will help you formulate a security strategy,which Ive written about in more detailin a previous post. When you have your security strategy, youre ready to establish a strong cybersecurity hygiene.

Implement good cybersecurity hygiene

One example of how Ive prioritized security initiatives as a CISO comes from my time at the State of Colorado. When I first stepped into the CISO role in Colorado state government, I needed to modernize their security approach and address vulnerabilities across the enterprise with a very limited budget. I wanted to show results quickly, so I chose to focus on the small things that could be implemented easily and would drive the greatest reduction in risk.

This approachoften referred to as cybersecurity hygieneconcentrates on hardening systems by leveraging secure configurations, putting in place processes and tools to ensure data, devices, and the network are protected against vulnerabilities, and maintaining the patch levels of critical systems

Before you move on to more complex initiatives, be sure youve walked through each of the following steps:

Inventory your network: The first step is to identify every inch of your network, because you cant protect what you cant see. You must know what type of equipment is on your network and whether it is part of internal networks, hosted on the internet, or part of a cloud platform. Once you know what you have, you need to maintain a continuously updated inventory of the hardware and software thats authorized to be on your network.

Scan and patch: When youve identified all the devices and applications on your network, you should scan them from a central point on a regular basis and patch and deactivate themremotelyas necessary. For larger organizations, the scale of this operation is the challenge, especially with limited maintenance windows, a proliferation of web apps and devices, and architectural complexities. Flexible and scalable security scanning services are therefore becoming increasingly necessary.

Continuously look for vulnerabilities: The frequency and complexity of attacks continue to increase, so it is no longer an option to scan your network on a semi-regular basis. You should try to constantly monitor for threats, and quickly address them within your network.

To help you with this process, you can read more details on cybersecurity hygiene. You should also leverage the cloud as it helps you to quickly modernize and sunset legacy and vulnerable systems, provides more automation, and allows you to inherit and extend your security team by gaining from the expertise of the cloud security provider.

Once your systems are hardened and you have a process and tools to continuously monitor your network, you should next focus on interrupting the most common methods hackers use to enter your network, what we refer to as the cyber kill chain.

Understand and disrupt the cyber kill chain

The kill chain is a workflow that cybercriminals deploy to infiltrate a company. Attackers of all sizes have had great success with this approach, so it is worth understanding and then implementing solutions to circumvent it.

External recon: Most hackers begin their attack by gathering intelligence on your company. They collect data on employees, executives, technologies, and supply chain to increase the odds of a successful attack.

Solution: Enable Multi-Factor Authentication to require that users sign in with two forms of verification, reducing the likelihood that theyll be compromised.

Compromised machine: At this stage, the attacker targets a carefully selected employee with a phishing campaign. This campaign is designed to trick the user into executing an attachment or visiting a site that will install a backdoor on the employees computer, giving them the ability to control the computer.

Solution: Implement Office 365 Advanced Threat Protection to protect against malicious files.

Internal recon: Once an attacker has compromised a machine, theyll begin to gather intelligence that is newly available, such as credentials stored locally on the machine. Theyll also map internal networks and systems. This new information will allow them to plan their next move.

Solution: Use Windows 10s security features designed to both stop the initial infection and, if infected, prevent further lateral movement.

Domain dominance: The attacker will try to elevate their access within the network to gain access to a privileged account and your company data.

Solution: Use Microsoft Advanced Threat Analytics to provide a robust set of capabilities to detect this stage of an attack.

Data consolidation and exfiltration: If an attacker gains access to your data, the final step would be to package it up and move it out of the organization without detection, in a process called “data consolidation and exfiltration.” Paying close attention to the first phases of an attack will hopefully prevent an attacker from getting this far.

Focus on what matters most to the business

Even the largest enterprise is faced with tough choices when allocating security resources. If you are smart about how you appropriate them, you can make choices that have the greatest chance of protecting your organization. It starts with understanding your current state, both your resources and the most critical business drivers, formulating a solid strategy, implementing good cybersecurity maintenance, and finally, disrupting the cybersecurity kill chain.

In the coming weeks, I will share lessons Ive learned to evaluate risks quantitatively. And following this, I will talk about how Ive learned to influence others to take their role in protecting the organization very seriously.

To read more blogs from the series, visit the CISO series page.

The post CISO series: Lessons learned—4 priorities to achieve the largest security improvements appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

CISO series: Build in security from the ground up with Azure enterprise

November 1st, 2018 No comments

As an executive security advisor at Microsoft and a former CISO, I meet with other CISOs every week to discuss cybersecurity, cloud architecture, and sometimes everything under the sun regarding technology. During these discussions with CISOs and other senior security executives of large enterpriseswho are in the beginning stages of a cloud migrationI find theyre excited about the increased flexibility of Microsoft Azure services and the consumption-based model it offers their business units. Regardless of where they are in the journey, they also have some concerns. For example, they need to figure out how to enforce security policies when IT no longer serves as the hub for services and applications.

Specifically, they come to me with the following three questions:

  1. We are interested in Microsoft and already have many of your security solutions. How do these tools translate to a hybrid-cloud solution and where do we start?
  2. Security impacts many parts of the organization outside of the security team. Who do we need to bring to the table across the organization for this to be a successful migration to a secure cloud?
  3. Can we create a roadmap or strategy to guide our journey to the cloud?

It really comes down to balancing agility with governance. Many of my customers have found that the Azure enterprise scaffold and Azure Blueprints (now in preview) can help them balance these two critical priorities. I hope my suggestions and insight help you to understand how to use these tools to smooth your cloud migration.

Establish a flexible hierarchy as the baseline for governance

Scaffolding and blueprints are concepts borrowed from the construction industry. When a construction crew builds a large, complex, and time-consuming project they refer to blueprints and erect scaffolding. Together these tools simplify the process and provide guardrails to guide the builder. You can think of the Azure enterprise scaffold and Azure Blueprints in the same way.

  • Scaffolding is a flexible framework that applies structure and anchors for services and workloads built on Azure. It is a layered process designed to ensure workloads meet the minimum governance requirements of your organization while enabling business groups and developers to quickly meet their own goals.
  • Blueprints are common cloud architecture examples that you can customize for your needs.

Customers find the Azure enterprise scaffold valuable because it can be personalized to the needs of the company for billing, resource management, and resource access. It is grounded in a hierarchy that gives you a structure for subdividing the environment into up to four nested layers to match your organization’s structure:

Enterprise enrollmentThe biggest unit of the hierarchy. Enterprise enrollment defines the specifics of your contracted cloud services.

DepartmentsWithin the enterprise agreement are departments, which can be broken down according to what works best for your organization. Three of the most popular patterns are by function (human resources, information technology, marketing), by business unit (auto, aerospace), and by geography (North America, Europe).

SubscriptionsWithin departments are accounts and then subscriptions. Subscriptions can represent an application, the lifecycle of a service (such as production and non-production), or the departments in your organization.

Resource groupsNested in subscriptions are resource groups, which allow you to put resources into meaningful groups for management, billing, or natural affinity. This hierarchy serves as the foundation for security policies and processes that you will layer on next.

Safeguard your identities and privileged access

When I talk with security executives about implementing security policies, we always start our discussion with identity. You can do the same by identifying who and what systems should have access to what resourcesand how you want to control this access. Once you connect your Azure Active Directory (Azure AD) to your on-premises Active Directory (AD)using the AD Connect toolyou can use role-based access control (RBAC) to assign users to roles, such as owner, contributor, or others that you create. Dont forget to set up Multi-Factor Authentication (MFA) and adhere to the principle of granting the least privilege required to do the work. See Azure identity management best practices for more resources and security tips.

With your hierarchy established and resources assigned, you can use Azure Policy and Initiatives to define policies and apply them to subscriptions.

A couple examples of popular policies include:

  • Restrict specific resources to a geographical region to comply with country or region-specific regulations.
  • Prohibit certain resources, such as servers or data, from being deployed publicly.

Policies are a powerful tool that let you give business units access to the resources they need without exposing the enterprise to additional risk.

You will also need a plan for securing privileged accounts. I recommend creating a privileged access workstation when you start building out your security forest for administrators. Privileged access workstations provide a dedicated operating system for sensitive tasks that separates them from daily workstations and provide additional protection from phishing attacks and other vulnerabilities. With a good identity and access policy in place you have started down the path of trust but verify or building a zero-trust environment.

Gain greater visibility into the security of your entire environment

One big advantage of moving to the cloud is how much more visibility you get into the security of your environment versus on-premises. Azure offers several additional capabilities that allow you to protect your resources and detect threats. TheAzure Security Centerprovides a unified view of the security status of resources across your environment. It includes advanced threat protection that uses artificial intelligence (AI) to detect incoming attacks and sends alerts in a way thats easy to digest. Security DevOps toolkits are a collection of scripts, tools, and automations that allow you to integrate security into native DevOps workflows. Azure update management ensures all your servers are patched with the latest updates.

Get started with Azure Blueprints

Using the scaffolding and blueprints framework can help you establish a secure foundation for your Azure environment by safeguarding identities, resources, networks, and data. Ive touched on a few of the components, and you can dig into the nitty gritty in this article. When youre ready to get started, Azure Blueprintsare available in preview. This capability will allow you to deploy the Azure enterprise scaffold model to your organization. Numerous organizations have used the blueprints and followed the scaffolding approach to successfully roll out their cloud strategy securely and faster than they expected.

As a final note of consideration as you work through your organizations cloud/security strategymake sure you have all the stakeholders in the room. Many times, there are other parts of the organization who own security controls but are outside of the security organization. These might include operations, legal, human resources, information technology, and others. These stakeholders should be brought into the scaffolding and blueprint discussions, so they understand their roles and responsibilities as well as provide input.

If you want to discuss this further or need assistance, please reach out to your Microsoft account team.

The post CISO series: Build in security from the ground up with Azure enterprise appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

How to share content easily and securely

October 31st, 2018 No comments

This is the seventh post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Image taken at the Microsoft Ignite Conference.

Cumbersome restrictions and limitations on mobile devices, apps, and remote access can be taxing from an IT perspective and frustrating for your employees. Your users need to be able to create, access, and share files from anywhere, and IT needs to ensure that these actions wont compromise your companys security.

Microsoft 365 offers security solutions that help secure your collaboration and productivity apps. That way your employees can connect and communicate wherever they are, using tools they are familiar with, as securely as if they were right at their desks.

How can I securely share documents outside my organization?

Classify documents based on content sensitivity

First, classify documents using Azure Information Protection (AIP). With AIP, you can configure policies to classify, label, and protect data based on its sensitivity. Data can be classified according to standards you define for content, context, and source. These classifications can then be applied automatically or manually, or you can prompt your employees to decide what classification to apply with in-product suggestions.

To classify documents using AIP, you must first configure your companys classification policy. Configure the policy by signing in to the Azure portal as an administrator and then select Azure Information Protection in the apps list. All AIP users start with a default policy that you can configure to suit your needs. Once you have created the policy that works best, publish your changes to deploy the policy to all managed apps and devices.

Use email to share files

Your employees can use email file attachments in Microsoft Outlook to share files. With Outlook, users can take files from their business or personal device, attach files to an email, and access a dedicated library where all group files are stored. If your employees need to send a sensitive message to external users, they can increase security by encrypting the message using Office 365 Message Encryption and the message recipient will decrypt the message using the Office 365 Message Encryption viewer.

Enable users to collaborate

To ensure that shared documents are only viewed by the right person, your users can share files with internal or external partners through OneDrive for Business and apply security features such as password protection and Multi-Factor Authentication.

Microsoft Teamsa chat-based workspaceenables teams to be more productive by giving them a single and secure location that brings together everything a team needs all in one hub, including chats, meetings, calls, files, and tools. Azure Active Directory (Azure AD) conditional access policies can be configured to secure the data in Teams. You can deploy Teams through Microsoft System Center Configuration Manager (ConfigMgr) or Microsoft Intune.

Yammer helps your users improve engagement with everyone in your organization through social networking. Use the security features in Yammer to help protect sensitive organizational data. Yammer supports Azure AD single sign-on authentication, allows admins to set password policies, and provides admins with session management tools that let you see the devices users are signed in to. You can manage access and permissions in Yammer by setting up the Yammer network to comply with your organizations standards.

Identify risky applications and shadow IT

Microsoft Cloud App Security allows you to more securely share documents via third-party applications by identifying the cloud apps on your network. By gaining visibility into shadow IT, you can help protect your information using policies for data sharing and data loss prevention.

How can I work on documents across devices securely?

To work more securely across different devices you will need to manage your mobile devices and set app protection policies. You can use Intune to manage your users mobile devices. To help prevent data loss, you will want to protect company data that is accessed from devices that you dont manage. You can apply Intune app protection policies that restrict access to company resources and avoid company and personal data from getting intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. App protection policies can be used to prevent company data from saving to the local storage of an unmanaged device or moving the data to other apps that aren’t protected by app protection policies.

Deployment tips from our experts

Enable security features in Office 365 appsOffice 365 apps like Outlook, OneDrive, Teams, and Yammer all come with built-in features that enable users to more securely share files and be productive. A few simple things you can do include:

Classify and share documents securelyClassify documents in AIP to track and control how information is used. Then share documents securely via third-party applications using Microsoft Cloud App Security to protect your information.

Prevent data loss on mobile devicesManage mobile devices with Intune and through mobile device management. Then implement app-level controls with Intune app protection policies to help prevent data loss.

Plan for success with Microsoft FastTrackFastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Store and share files inside and outside your organization to work securely across organizational boundaries. You can find additional security resources on Microsoft.com.

Coming Soon! Using controls for security compliance will be the last installment of our Deploying intelligent scenarios series. In November, we will kick off a new series: Top 10 security deployment actions with Microsoft 365 Security.

More blog posts from this series:

The post How to share content easily and securely appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

CISO series: Partnering with the C-Suite on cybersecurity

October 24th, 2018 No comments

In my last blog, we looked at five communication techniques that can help engage business managers in the work of cybersecurity. This week, well look at how to use those techniques to bring the C-Suite into the conversation.

Not too long ago, I was speaking with the CIO of a large company (some details have been changed to protect the innocent) about one of my favorite topics: how to define security policies that balance user productivity and business risk. Before long, the CIO said, Trust me, I know all about that. I stopped talking and started listening. He proceeded to tell me about an incident from a previous November. Apparently, during a small window between meetings, he decided to take advantage of the free time to do some online holiday shopping. Were all crushed for time, he knew exactly what he wanted, it took just a few minutes, and then he was off to his meeting. Only he didnt make it very far before the head of security approached to report a security policy violation. Can you believe it? The CIO said. My online shopping was flagged! I had a feeling I knew where this story was going. I got flagged for violating my own policy! he said.

The CIO then explained, It was the middle of summer, and we had just had a small security scare. At the time, the only thing I cared about was doing everything in our power to prevent a bigger incident from happening. By the time the holidays rolled around, Id forgotten all about it. To balance employee productivity, satisfaction, and corporate risk the company decided to allow access to a few selected shopping sites during November and December.

His story got me thinking. Could the company have established a more flexible policy back in the summer if the policy team had properly explained the pros and cons of the restrictive no shopping ever policy? Maybe. There is no way to know definitively. One things for sure: the experience itself clearly made an impression on the CIO. Im a big believer in learning through experience, but since we cant learn every lesson by living through it, there are opportunities to have productive conversations with executives that can increase engagement and mitigate these sorts of issues.

Five communication strategies for engaging executives and the C-Suite with security

Using the same proven communication strategies to frame up security for business managers that we shared in the last blog, Ill show how you can apply those techniques to your conversations with executives and the C-Suite. Heres a hint: it all starts with the same underlying concept. No matter how high up in the organization she or he is, or how many people or responsibilities they have, your CIO is humanand so is your entire executive team. If you apply communication strategies that have been proven to work outside of cybersecurity, you can get your CIO and other executives more involved in security decision-making.

  • FeelOne thing that my conversation with the CIO demonstrates is the role that emotions play. The original policy to lock down all ecommerce on company devices and networks was driven by fear. Emotions are understandable, but they can also drive us to make rash decisions that we regret later. You can diffuse an emotional situation by listening first. Try to understand where the CIO is coming from before you respond to his or her emotions. And above all, resist the temptation to scare an executive into taking security seriously by throwing scary statistics at them. That will only backfire.
  • FocusCIOs and other executives are bombarded with decisions and issues all day long. It can be challenging to get them to focus on your agenda, but its important if you want them to make smart security decisions. Set a meeting for a quiet period in their calendar or have a planning meeting set aside where its agreed cell phones are off and brains are fully engaged. Its amazing what we can accomplish when were not distracted.
  • Slow downThis goes hand in hand with Focus. The timing of and the amount of time for the discussion can also dictate the outcome. Allow space for questions and thoughtfulness. Ive led Executive Introduction to Threat Modeling classes using implantable medical devices (IMDs) and fitness wearables as examples. In the first five minutes most of the class leans toward thinking the IMDs pose all the risk. But once theyve taken the time to threat model both devices for themselves, they realize fitness wearables can be on-trivial threat vectors.
  • SimplifyTailor your conversation for your audience. Tech speak may resonate with a CIO, but other executives will get lost if you get too techy. And no matter who you are speaking with, its important that you speak in the language of business goals. How do your proposals and ideas best advance the goals of the executive that you are speaking with? And dont be afraid to engage the C-Suite in the activity of simplifying. If you ask the executives to think about how theyd explain ransomware or phishing to a very non-tech savvy relative, theyll be able to connect more closely with the technical risks and also, hopefully, have a bit more empathy for you, the security geek, whos tasked with explaining tough security risks to them.
  • SparkTap into the incredible power of why. Why does your company do what it does? Make sure your security pitch aligns to this overall mission. Explain how your security efforts get the company closer to achieving its vision. Go back to your corporate vision statement and ask the execs if a proposed policy or control ultimately supports that mission. When a CEO participating in an incident response simulation opts to report an incident, not because its legally required, but because our corporate values mean radical transparency with our customers, youve sparked real connection between technical risk management and the business.

Experience is one of our great teachers. As the CIO in this story learned, some security rules look good until they get in the way of executives. And some security measures may seem costly and unnecessary, but when weighed against massive reputational damage or material financial loss, those investments calibrate as frugal and wise. You don’t have to make your CIO a cyber ninja to have a productive conversation. To effect real change, engage executives as human beings in the cybersecurity policy and strategy decision-making process.

The post CISO series: Partnering with the C-Suite on cybersecurity appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Top 10 security steps in Microsoft 365 that political campaigns can take today

October 23rd, 2018 No comments

The increasing frequency of cyberattacks make clear that more must be done to protect key democratic institutions from cyber-enabled interference. Withjust a fewweeks left before theU.S.midtermelections and early voting under way,campaignsmust stay vigilant in protecting against cyberattacks to their online collaboration tools, including email.Microsoft recommendstaking action today to protect against phishing, malware,account compromise, and other threatsseeTop 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats.These recommendations are tailored for small to mid-sized political campaigns and election-focused stakeholders usingOffice 365or Microsoft 365. Any organizationespecially those without full-time IT security staffcan benefit fromtaking these actions.

This guidanceprovidesstep-by-step instructions forusing10 high-impact securitycapabilities.Theseactions help you implement many of the best practicesrecommended intheCybersecurity Campaign Playbook,created by the Defending Digital Democracy program at Harvard Kennedy SchoolsBelferCenter for Science and International Affairs.

Top 10cybersecurityrecommendations:

  1. Setuptwo-stepverification forall staff.
  2. Traincampaign staff to quickly identify phishing attacks.
  3. Use dedicated accountsfor administration.
  4. Raise the level of malware protection in mail.
  5. Protect against ransomware.
  6. Preventemailsauto-forwardingoutside of the campaign.
  7. Increase encryptionfor sensitive emails.
  8. Protect your email from phishing attacks.
  9. Protect against malicious attachments in email.
  10. Protect against phishing attacksthat includemalicious website links in email or other files.

Read Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreatsfor details on how to implement each action.

These recommendations are provided as part of Microsofts ongoing commitment to theDefending Democracy Program. Qualifying organizations using Office 365 can also take advantage ofMicrosoftAccountGuardfor additional protectionto leverageMicrosoftsstate-of-the-artthreatdetectionand notification in case of targeted nation-state cyberattacks.

The post Top 10 security steps in Microsoft 365 that political campaigns can take today appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

CISO series: Building a security-minded culture starts with talking to business managers

October 18th, 2018 No comments

Cybersecurity is everyones business; protecting the company and its users against data leaks is no longer just the responsibility of IT and security operations. Everyone from the board to Firstline Workers has an important role to play. A culture that encourages individuals to believe they have a part in defending the company against malicious behavior requires that each person is aware of the day-to-day risks and knows how their actions and choices can mitigate, or increase, those risks. This is why we will be writing a new series of blog posts for senior security experts and executives called the CISO series to help further discussions from within the organization to the boardroom to the customer and help establish that security culture and mindset.

If you are like many of your peers, one of the initiatives that youve put in place to create a culture where everyone in your organization takes security seriously is a required, annual security training for all employees. And, hopefully, it seems to be working. Feedback from security training indicates that employees have a better understanding of their role in cybersecurity. Even more important, many of your users have begun to take steps to improve their security posture, such as by reporting suspicious emails rather than clicking the links.

There’s just one problem. Today, one of your security operations managers brings to your attention a report showing that the sales division consistently gets low scores on the training. The sales team promotes your business products throughout the worldin Asia, Europe, North America, and South Americaoften accessing company data from overseas via unsecured wireless. If anyone needs to ace this training, its this team. Youre tempted to get on the phone immediately and provide the VP of Sales a litany of scary statistics that prove how critical this training is. But, fortunately, you stop yourself. If you have any hope of increasing compliance, you need this manager engaged in the solution and on your side. Whats more, if you handle the discussion properly, the VP of Sales could give you insights to help you craft a program that his team will embrace more enthusiastically.

Turn business managers into security evangelists

If you have any hope of turning the VP of Sales into an advocate you need to frame security in the language of the business by quantifying business impacts. Youve heard this before, but what does it mean in practice? What if we start with an even more basic truth: The most important thing to remember about the VP of Sales is that he/she is a human being. And so is everyone on the team. In other words, tried and true communication strategies that have been proven to work outside of cybersecurity also work with humans who happen to be business managers.

Five communication strategies proven to work

Take a look at the following communication strategies and see how they can be customized for your conversation with your own VP of Sales:

  • FeelYou probably have a list of statistics that could scare the VP of Sales into compliance, but they also might backfire, causing them to shut down. A more effective approach is to dial down the emotional undercurrent of the conversation and start by listening. You may think you know why the sales team has low training compliance, then again, maybe you dont. The very first step is understanding their side. Dont move on to solutions until you both are confident that you understand why the team has not prioritized the training.
  • FocusEveryone is trying to do 10 things at once, but continuous partial attention means we cant focus on whats important. Once you understand why the sales team has not been scoring high marks on the training, you can engage the business manager (VP of Sales) in a conversation that is laser-focused on their team needs, making it more likely that you both will put your full attention on the issue.
  • Slow downTime limits make us think less strategically. If you need time to gather the data that will support your case, consider calling for a pause, so you can do your due diligence. And make sure you time your conversation with the VP during a quiet time in the quarter. Year end is a hectic time for sales, and the worst time to try and squeeze in a cyber awareness discussion.
  • SimplifyRemember that tech speak is not the right language for this audience. Give some thought to how your security training supports the goals of the sales team. Access to reliable customer data like escalations and licenses is critical to a successful mobile data force. Cybersecurity is about ensuring the sales team has confidential access to that data wherever and whenever they need it. The VP will more likely understand your priorities if they understand how theyre aligned to their priorities.
  • SparkTap into the incredible power of why by explaining why your company needs security compliance. Make sure your security pitch and training align to this overall mission. Explain how your security efforts get the company closer to achieving its vision.

Creating a culture where everyone takes accountability for defending the enterprise against cybercrime will require that we get everyone engaged from the board and C-Suite executive to business managers and Firstline Workers. As you embark on this effort, keep in mind that how you say it is as important as what you say. You can create a path to success if you understand the motivations and goals of the business, and if you dont forget one core truth: Were all human. Please stay tuned for our next blog in this series where I will give you tips for engaging your C-Suite executive team in the cybersecurity conversation.

The post CISO series: Building a security-minded culture starts with talking to business managers appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

How Office 365 learned to reel in phish

October 17th, 2018 No comments

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Jason Rogers, Principal Group Program Manager at Microsoft.

We recently reported how we measure catch rates of malicious emails for Office 365 Exchange Online Protection (EOP) (available with any Office 365 subscription) and Advanced Threat Protection (ATP) (available as a standalone service or with Office 365 E5).

Today, we’re sharing the results from the enhancements we made to anti-phish capabilities for Office 365 to address impersonation, spoof, and phish content and internal phish emails sent from compromised accounts. Over the last year, Microsofts threat analysts discovered threat actors pivoting from malware to sophisticated, often targeted phishing campaigns. The scale of these attacks and how quickly users click through on malicious links is shown in Figure 1.

Figure 1. Phish email statistics from Office 365 from January 2018 to September 2018.

Understanding the phish landscape

To develop solutions mitigating these modern phishing campaigns, our engineers rigorously analyzed phish emails in Office 365, uncovering a general pattern of phish campaigns following the path shown in Figure 2.

Figure 2. Phish email campaign pathway from initial reconnaissance to data exfiltration.

Additionally, since Office 365 is one of the worlds largest email service providers, Microsoft gains visibility and experience across mostif not alltypes of cyber threats. Every day, Microsoft analyzes 6.5 trillion signals, and each month we analyze 400 billion emails, while detonating 1 billion items in our sandbox. This telemetry helps us understand the full spectrum of phish attacks and the sophisticated and varied methods used by attackers, summarized in Figure 3. With this understanding of the phish landscape, our engineers not only designed new capabilities, but also enhanced existing capabilities to address the phishing emails being launched at customers.

Figure 3. Phish emails attack spectrum and variety of attack methods.

Understanding the situation

When we began our journey of enhancing our anti-phish capabilities, we admittedly were not best of breed at mitigating phish. As we alluded to previously, transparency with customers is a core priority at Microsoft. Figure 4 shows the number of phish emails that Microsoft (Office 365) missed in comparison to several other vendors also protecting email for customers within Office 365.

From November 2017 to January 2018, you see that Office 365 (orange bar in Figure 4) was not the best solution at phish catch. (We previously discussed how we measure phish catch.) The values are based on normalized email volume. As the inset plot shows, the scale of mail volume in Office 365 far exceeds the mail volume of third-party vendors. Fundamentally, this scale is one our differentiators and strengths as it offers us much greater depth and breadth into the threat landscape.

Figure 4. Normalized phish email miss from November 2017 to January 2018 in Office 365 email traffic. Inset shows actual mail flow volume.

Solving the problem with our technology, operations, and partnerships

Leveraging our signal from mail flow, the expertise of 3,500 in-house security professionals, and our annual $1 billion investment in cybersecurity, we strategically addressed the growing wave of phishing campaigns. Our engineers determined four categories of phish emails and designed capabilities addressing each type. Figure 5 summarizes the enhancements made to the anti-phish capabilities in Office 365.

Figure 5. Phish email categories and anti-phish enhancements made in Office 365 to address the categories.

Details on all the anti-phish updates for Office 365 are available in the following posts:

While the enhancements are interesting, ultimately, catch rate is the parameter that counts, and it is important to remember that no solution can ever stop all threats. Sometimes misses occur, and the most effective solution will miss the least. To this end, we are very excited to share our phish miss rate from May 1, 2018 to September 16, 2018. As you can see in Figure 6, today, when compared to the same set of vendors that we compared ourselves to in November to January, we exhibit the lowest miss rate of phish emails in Office 365. Figure 6 is the culmination of the incredible focus, drive, and expertise of Microsoft researchers and engineers working together to push the boundaries of threat research, machine learning, and development of algorithms that together provide customers the most impressive and effective protection against phish emails available for Office 365 today.

Figure 6. Normalized Phish Email Miss Rate in Office 365 from May 1, 2018 to September 16, 2018. Inset is a blowup of the graph from August 1, 2018 to September 16, 2018.

While the graph in Figure 6 is illuminating, we also want to share statistics from Office 365 EOP/ATP related to phish mitigation. Figure 7 is a summary of the remarkable impact these powerful new anti-phish capabilities across EOP/ATP have had with helping secure Office 365 users, and further showcases our tremendous depth and scale into the threat landscape. For those unfamiliar with Office 365 ATP, Safe Links provides time of click protection from malicious links in email where the click triggers several different protection technologies, including URL reputation checks, machine learning capabilities, and link detonation as needed. Recently, Safe Links expanded its capabilities to intra-org emails, making Office 365 ATP the only service to offer this type of protection while ensuring the internal emails remain within the compliance boundary of Office 365. We hope you agree at that the anti-phish capabilities have evolved at a remarkable pace and with amazing results.

Figure 7. The impact to end users from the enhanced anti-phish capabilities in Office 365.

Learn more

We hope this post provides a good overview on how we are helping customers with modern phishing campaigns. Please be sure to check out the Ignite session, Secure enterprise productivity with Office 365 threat protection services including EOP, ATP, and Threat Intelligence, where we give more details. Your feedback enables us to continue improving and adding features that will continue to make ATP the premiere advanced security service for Office 365. If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 trial today and start securing your organization from the modern threat landscape.

The post How Office 365 learned to reel in phish appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Secure file storage

October 16th, 2018 No comments

Image taken at the Microsoft Ignite Conference.

This is a blog series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Collaborate Securely, the fifth blog in our eight-blog series on deploying intelligent security scenarios.

Employees are often tasked with preparing documents that require them to gather expertise from various people, often both internal and external to their organization. This common practice can expose your company data at unsecured points along the way. To mitigate risk, Microsoft 365 has simplified and secured the process of sharing files so that employees can easily gather data, expert opinions, edits, and responsesfrom only the right people in a single document.

 

How can I centrally store information, so its discoverable by colleagues but not anyone else?

To answer this question, lets start with storage first, then move to search.

Store securely

To help your employees easily discover relevant data for their projects and keep that data internal and secure, you can build a team site in SharePoint Online. If your employees need to make their notes or informal insights discoverable, but keep the information secure, deploy OneNote and have employees password-protect their notes.

You can deploy OneNote through Microsoft Intune to your Intune-managed employee devices, or have your employees sign in with their Microsoft Azureprovisioned ID and download OneNote to their devices. The owner of the SharePoint library, list, or survey can change permissions to let the right people access the data they need while restricting others. You can also empower your employees to build and maintain their own SharePoint Online team with security safeguards that you have established.

Search securely

Once youve set up your team site, SharePoint Intelligent Search and Discovery allows both you and your employees to discover and organize relevant information from other employees work files across Microsoft 365. It keeps your organizations documents discoverable only within your protected cloud, according to each users permission settings. You can also set permissions, so your employees will see only documents that you have already given them access to.

 

How do I make use of automation to ensure that employees have the correct permissions?

By enabling a dynamic group in Azure Active Directory (Azure AD), you will ensure that users can be automatically assigned to groups according to attributes that you define. For example, if users move to a new department, when their department name changes in Azure AD, rules will automatically assign them to new security groups defined for their new department. By using these Azure ADbased advanced rules that enable complex, attribute-based, dynamic memberships for groups, you can protect organizational data on several levels.

 

Deployment tips from our experts

  • Make information discoverable and secure. Help your employees easily discover relevant data for their projects. Start by building a team site in SharePoint Online. Store notes securely in Microsoft OneNote and ensure they discover relevant information across Office 365 with SharePoint Intelligent Search and Discovery.
  • Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

 

Want to learn more?

For more information and guidance on this topic, check out the white paper Empower people to discover, share, and edit files and information securely. You can find additional security resources on Microsoft.com.

Coming Soon! Share files easily and securely is the seventh installment of our Deploying Intelligent Scenarios” series. In November, we will kick off a new series: “Top 10 Security Deployment Actions with Microsoft 365 Security.”

 

More blog posts from this series

The post Secure file storage appeared first on Microsoft Secure.

Categories: Cloud Computing Tags:

Making it real—harnessing data gravity to build the next gen SOC

October 15th, 2018 No comments

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, andSin John,EMEA Chief Security Advisor, Cybersecurity Solutions Group.

In our first blog, Diana and I talked about the concept of data gravity and how it could, conceptually, help organizations take a more cloud-ready approach to security operations and monitoring. In this post we address the question: How do we make this a reality in the security operations center (SOC) while we are under increased and constant pressure from motivated threat actors?

The answer lies in a new approach to monitoring called Security Orchestration, Automation and Response (SOAR), which is founded upon addressing the challenge of connecting and investigating issues across multiple security platforms. SOAR addresses the challenges of evolving security operations beyond the traditional security information and event management (SIEM) model into one that allows correlation across all the data gravity wells. Core to this is being able to take an event from one system (for example an endpoint like a laptop) and in real-time correlate that across different systemssuch as a mail hygiene gatewayin order to build evidence and apply context needed for a fast and efficient investigation. This is something that analysts have historically done manually to investigate an issue: look across multiple different evidence points to find the information behind an event to determine if its a false positive or if needs further investigation. Historically deciding what incidents need investigation was left to the SIEM model, but as we discussed in the last blog both the difficulties with false positives and the rules of data gravity make this more difficult to achieve.

Lets discuss how this can be achieved using Microsoft as an example.

We have a number of significant areas of data gravity within the technology that Microsoft customers use. These are Office 365, Windows, and Azure, each with a different focus and level of protection, but is what we need bring to together to share insights and events across these technical areas. This is where the Intelligent Security Graph comes into play for us. This is a subset of the Microsoft Graph focused specifically on sharing security information and insights that we see across our infrastructure:

Each of the areas of security products we have integrated with the graph allow us to share insights across different areas and build orchestration capability, context, and automation across systems without necessarily having to pull them all into one single aggregated log store. Analysis is done, as and when required, often driven by the machine learning and behavioral techniques that help to determine what information is needed.

The next step is to make this information available to others and why we released the graph security API. This is an open and free API that allows customers to interrogate Microsoft data in real-time for alerts and context that the Office 365, Windows, and Azure security systems hold. This allows organizations to integrate alerts into their own SOC or build automated playbooks and investigations built across the platform. This isnt just about orchestrating across Microsoft. The law of data gravity says that we must integrate with others and many leading security vendors have also integrated into the API to provide information into our platform for integration, and also to allow them to real-time query Microsoft to provide context in their own platforms.

When insights across multiple data gravity wells can be accessed and correlated in near real-time, the SOC analyst can spend far less time writing SIEM rules and more time tuning orchestration and automation that is focused on improving insight, reducing false positives, and investigating the important information. The capability that SOC vendors should be focusing on is building a real-time investigation platform that enables analysts to investigate security event signal across multiple vendors and investigate in real-time, by respecting the laws of data gravity. Meaningful insights and reducing mean time to identify (MTTI) and mean time to remediate (MTTR) are far better measures of SOC effectiveness than how many events per second (EPS) are processed.

To make the SOC of tomorrow a reality, the question you ask your security vendors needs to change. Instead of asking Can you send all your logs into my SIEM? ask these questions instead:

  • How do you orchestrate events across your own platform?
  • Do you provide APIs for me to query in real-time?
  • How do you integrate with other vendors?
  • What partnerships, orchestration, and automation capabilities do you have?

The SOC of tomorrow must look across multiple data sources, gravity wells, and hybrid clouds to provide a complete look at a company’s security posture. Look for vendors that understand this new architectural approach and are building cloud-aware solutions for tomorrow, not ones that are locked into an on-premises-centric past.

The post Making it real—harnessing data gravity to build the next gen SOC appeared first on Microsoft Secure.

Categories: cybersecurity, Security Response Tags:

Collaborate securely

October 1st, 2018 No comments

This is a blog series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Protecting user identities, the fourth blog in our eight-blog series on deploying Intelligent Security Scenarios.

Image taken at the Microsoft Ignite Conference.

Your users can create, edit, and share a single document securely, even when working with multiple stakeholders, both inside and outside of your company. With Microsoft security solutions, users can identify, classify, track, and protect documents to prevent leaks and block access by unauthorized readers. These security measures travel with the document, making it easy and much less risky for stakeholders to download files.

How can I make it easier for groups of people to securely work on the same document?

Provide a common, secure identity for your employees, by first importing their user identities into Azure Active Directory (Azure AD). Then integrate your on-premises directories with Azure AD using Azure AD Connect, which allows you to create a common, secure identity for your users for Microsoft Office 365, Azure, and thousands of other software as a service (SaaS) applications that are integrated with Azure AD.

To make it easy for your employees to work securely with users from other organizations, enable Azure AD B2B collaboration capabilities. Now you can provide access to documents, resources, and applications to your partners while maintaining complete control over your own corporate data (see Figure 1). For your customers, Azure AD B2C lets you build identities on Windows, Android, and iOS devices, or for the web, and allow your customers’ users to sign in with their existing social accounts or personal emails.

Infographic detailing Azure Active Directory security.

Figure 1. Azure AD B2B collaboration enables organizations using Azure AD to work securely with users from other organizations while maintaining control over their own corporate data.

How can I protect organizational data when my users view, edit, and share documents?

Azure Information Protection enables you to configure policies and label a document to control who can see, edit, or share it. For example, a user could apply a Confidential label to a sensitive document that would then prevent it from being shared externally. You can also track who opened a document and where, and then determine what that person can do with the document after its opened.

With Microsoft Data Loss Prevention (DLP) in Microsoft Exchange, you can take your information protection one step further and create rules that automatically identify sensitive content and apply the appropriate policy. For example, you can identify any document containing a credit card number thats stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

In addition to DLP, OneDrive for Business offers its own set of options for protecting and controlling the flow of organizational information. For example, you can block file syncing on unmanaged devices, audit actions on OneDrive for Business files, and use mobile device management policies to manage any device that connects to your organizations OneDrive for Business account. You can control as much or as little of your employee permissions as you need to.

How can I protect email?

The same Microsoft DLP capabilities above can be applied to email on Exchange Online to better control data in email and prevent accidental data leaks. Use Office 365 Message Encryption for email sent via Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps you make sure that only intended recipients can view message content. Office 365 administrators can define message flow rules to determine the conditions for encryption. For example, a rule can require the encryption of all messages addressed to a specific recipient.

Deployment tips from our experts

Start by provisioning employee identities in Azure AD. Identity is the foundation for secure collaboration. Your first step is to import employee identities into Azure AD and then integrate your on-premises directories with Azure Active Directory using Azure AD Connect.

Collaborate securely with other organizations. With Azure AD B2B and Azure AD B2C capabilities, you can work securely with customers and partners.

Protect documents and emails. Help protect information through access control, classification, and labeling that extend to shared documents and external stakeholders with Azure Information Protection. Then define message flow rules in Office 365 Message Encryption to determine the conditions for email encryption.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Collaborate and share documents securely in real-time. You can find additional security resources on Microsoft.com.

Coming soon! Productive and Secure, the sixth installment of our Deploying Intelligent Scenarios series. In November, we will kick off a new series, Top 10 Security Deployment Actions with Microsoft 365 Security.

More blog posts from this series

The post Collaborate securely appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Delivering security innovation that puts Microsoft’s experience to work for you

September 24th, 2018 No comments

Cybersecurity is the central challenge of our digital age. Without it, everything from our personal email accounts and privacy to the way we do business, and all types of critical infrastructure, are under threat. As attackers evolve, staying ahead of these threats is getting harder.

Microsoft can help. We focus on three areas: running security operations that work for you, building enterprise-class technology, and driving partnerships for a heterogeneous world. We can tip the scales in favor of the good guys and make the world a safer place.

Security operations that work for you

Every day, we practice security operations at a global scale to protect our customers, in the process analyzing more than 6.5 trillion signals. This is the most recent chapter in a journey down the experience curve that we have been on for more than a decade. Beginning with securing the operating system platform, our Microsoft Threat Intelligence Center (MSTIC) learned to build multi-dimensional telemetry to support security use cases, and to spot that rogue exploit in a distant crash dump bucket. Today, more than 3,500 full-time security professionals work to secure datacenters, run our Cyber Defense Operations Center, hack our own defenses, and hunt down attackers. We block more than 5 billion distinct malware threats per month. Just one recent example shows the power of the cloud. Microsofts cloud-based machine learning models detected a stealthy and highly targeted attack on small businesses across the U.S. with only 200 discrete targets called Ursnif and neutralized the threat. We surface this operational experience and the insights we derived in the security technology we build.

Building enterprise-class technology

It is the cloud that enables us to take all this signal, intelligence, and operational experience and use it to help our customers be more secure, with enterprise-class security technology. For example, we use the insights from processing hundreds of billions of authentications to cloud services a month to deliver risk-based conditional access for customers in Azure Active Directory (AD).

The end of the password era

We are not only protecting the Microsoft platform though. Our security helps protect hundreds of thousands of line-of-business and SaaS apps as they connect to Azure AD. We are delivering new support for password-less sign-in to Azure AD-connected apps via Microsoft Authenticator. The Authenticator app replaces your password with a more secure multi-factor sign-in that combines your phone and your fingerprint, face, or PIN. Using a multi-factor sign-in method, you can reduce compromise by 99.9 percent, and you can make the user experience simpler by eliminating passwords. No company lets enterprises eliminate more passwords than Microsoft. Today, we are declaring an end to the era of passwords.

Improving your security posture with a report card

Microsoft Secure Score is the only enterprise-class dynamic report card for cybersecurity. By using it, organizations get assessments and recommendations that typically reduce their chance of a breach by 30-fold. It guides you to take steps like securing admin accounts with Multi-Factor Authentication (MFA), securing user accounts with MFA, and turning off client-side email forwarding rules. Starting today, were expanding Secure Score to cover all of Microsoft 365. We are also introducing Secure Score for your hybrid cloud workloads in the Azure Security Center, so you have full visibility across your estate.

Putting cloud intelligence in your hands with Microsoft Threat Protection

By connecting our cloud intelligence to our threat protection solutions, we can stem a mass outbreak or find a needle in a haystack. A recent highly localized malware campaign, for example, targeted just under 200 home users and small businesses in a few U.S. cities. It was designed to fly under the radar, but Windows Defenders cloud-based machine learning models detected the malicious behavior and stopped it cold.

To help security operations professionals benefit from our experience, we created a community where our researchers and others from the industry can share advanced queries to hunt attackers and new threats, giving us all more insight and better protection.

Today, were announcing Microsoft Threat Protection, an integrated experience for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure in the Microsoft 365 admin console. This will let analysts save thousands of hours as they automate the more mundane security tasks.

Protecting data wherever it goes

Cloud workloads are often targeted by cybercriminals because they operate on some of the most sensitive data an organization has. We made Azure the first cloud platform to offer confidentiality and integrity of data while in useadding to the protections already in place to encrypt data in transit and at rest. Azure confidential computing benefits will be available soon on a new DC series of virtual machines in Azure, enabling trusted execution environments using Intel SGX chipsets to protect data while it is computed on.

Sensitive data isnt only in databases and cloud workloads. A huge amount of the information we share in email and documents is private or sensitive too. To effectively protect your most important data, you need intelligent solutions that enable you to automatically discover, classify, label, protect, and monitor itno matter where it lives or travels. The Microsoft Information Protection solutions we announced last year help to do just that. Today, we are rolling out a unified labeling experience in the Security & Compliance center, which gives you a single, integrated approach to creating data sensitivity and data retention labels. We are also previewing labeling capabilities that are built right into Office apps across all major platforms, and extending labeling and protection capabilities to include PDF documents. The Microsoft Information Protection SDK, now generally available, enables other software creators to enhance and build their own applications that understand, apply, and act on Microsofts sensitivity labels.

Driving partnerships for a heterogenous world

To address a challenge as big as cybersecurity, we do more than only drive technological innovation. We invest in a broad set of technology and policy partnership initiatives.

We work across the industry to advance the state of the art and to lead on standards through organizations like the FIDO alliance, and to tackle emerging new ecosystem challenges like security for MCU-powered devices with innovations such as Azure Sphere, now available for preview.

We also work with our fellow security vendors to integrate the variety of security tools that our mutual customers use through our Microsoft Intelligent Security Association. Specifically, the Microsoft Graph Security API, generally available starting today, helps our partners work with us and each other to give you better threat detection and faster incident response. It connects a broad heterogeneous ecosystem of security solutions via a standard interface to help integrate security alerts, unlock contextual information, and simplify security automation.

Microsoft is working with tech companies, policymakers, and institutionscritical to the democratic processon strategies to protect our midterm elections. The Defending Democracy program is working to protect political campaigns from hacking, increase security of the electoral process, defend against disinformation, and bring greater transparency to political advertising online. Part of this program is the AccountGuard initiative that provides state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state, and local level, as well as think tanks and political organizations. Weve had strong interest in AccountGuard and in the first month onboarded more than 30 organizations. Weve focused on onboarding large national party operations first and have successfully done so for committees representing both major U.S. parties as well as high profile campaigns and think tanks, and we are working to onboard additional groups each week. Microsoft is developing plans to extend our Defending Democracy program to democracies around the world.

Since participating in the establishment of the Cybersecurity Tech Accord, an agreement to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation states, we have seen that group nearly double in size with 27 new organizations joining from around the globe, including Panasonic, Salesforce, Swisscom, and Rockwell Automation to name a few, bringing total signatories to 61. Our Digital Crimes Unit has worked with global law enforcement agencies to bring criminals to justice: to date, taking down 18 criminal bot-nets and rescuing nearly 500 million devices from secret bot-net control. In partnership with security teams across the company, the Digital Crimes Unit has also combatted nation-state hackers, using innovative legal approaches 12 times in two years to shut down 84 fake websites, often used in phishing attacks and set up by a group known as Strontium that is widely associated with the Russian government.

Our unique leadership and unmatched breadth of impact in security comes with a unique responsibility to make the world a safer place. We embrace it, and I am optimistic about what we can do. Together with our customers, we are turning the tide in cybersecurity.

Ill be talking about these announcements and more today in my session at Ignite. If youre not in Orlando, you can live stream it. To learn more about Microsofts security offerings, visit Microsoft.com/security.

The post Delivering security innovation that puts Microsoft’s experience to work for you appeared first on Microsoft Secure.

Categories: cybersecurity, Featured Tags:

Practical application of artificial intelligence that can transform cybersecurity

September 5th, 2018 No comments

As I write this blog post, Im sitting by the beach on my computer in a sunny destination while my family plays in the water. Were on vacation, but we all have our own definition of fun. For me its writing blogs on the beachreally! The headspace is outstanding for uninterrupted thinking time and focus. However, my employer may not find my vacation destination to be the safest place to access certain applications and data. They want me to strongly authenticate, and they want to understand the health of the systems and devices I am using, as well as the network and geolocation. But thanks to the power of machine learning and conditional access I am able to write this blog when and where I want. My employer is able to enforce all-encompassing security measures to ensure my device, location, and network are safe and confirm its really me trying to sign in.

The ability for my organization to reason over all of the data, including location, device health, sign-in, and app health, is just one example of the way artificial intelligence (AI) is helping us evolve the tools we use to fight cybercrime. In this post Ill focus on two practical use cases for deploying AI in the cybercrime battlefield. In the first example, I explain how layering AI onto on-premises Security Information and Event Management (SIEM) solutions can give you better insights and predictive capabilities. The second use case is the one I just hinted at, which is how we can take AI even further to protect user access. By the end I hope Ive proven to you that there is tremendous opportunity to use AIparticularly machine learningto improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.

If you are skeptical, I understand. I often tell a story about how for many years at the annual RSA Conference, vendors and customers rallied around themes such as the year of the smart card, the year of biometrics, “the year of machine learning, the year of blockchain. Some of these technologies never lived up to their promise, and many are still nascent and immature in their application, architecture, and use cases. But I think there are practical applications of AI that will meet our expectations, especially when it comes to cybersecurity. If one reflects on broad based attacks like WannaCry and NotPetya and critical vulnerabilities like Spectre and Meltdown, it only stands to reason that the attack surface is rapidly growing, the bad actors are becoming more sophisticated, and the need for tool evolution is compelling. AI is the path to that evolution. As an industry, we need to be cautious in how we position and explain machine learning and AI, avoiding confusion, conflating capabilities, and overpromising results. There is definitely a place for both, and they are highly complementary. AI has the power to deliver on some of the legacy promise of machine learning, but only if it is trained, architected, and implemented properly.

Like all technologies, there is a risk that AI will be misused or poorly used. For the purpose of this blog, I ask you to make the assumption that the tech is being used ethically, the engines are properly trained in a non-biased manner, and the user understands the full capability of the technology they are deploying. Am I asking you to suspend reality? No, I am simply asking you to imagine the potential if we fully harness AI to further improve our cybersecurity defenses and recognize the threat of bad actors who will also embrace AI now and in the future. Please also read The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum for a broader vision on AI and its role in society.

Using AI to gain powerful insights

There are several use cases where AI is interesting for cybersecurity applications but lets first start with what is possibly the most obvious use casemaking sense of signal and intelligence. Collective sigh readers before continuing. I understand the consternation related to legacy SIEM solutions, and your visceral response. SIEM solutions were purpose-built to collect logs and data from a wide range of sources, largely for compliance, and they do this particularly well. They also enable users to effectively produce reporting specific to a use case. They do not, however, work well in detecting real-time attacks and allowing an organization to automate and/or orchestrate defenses that will minimize damage to the organization.

Take a moment to think about how powerful it would be to apply the machine learning algorithms that exist today to the data and logs that SIEM collects. AI could reason over the data at global scale in near real-time using the cloud and produce attack scenarios, which you could then tie to a security operations tool that automates the response and defenses based on the outcome of the AI reasoning. With a large volume of globally sourced data, you could use AI to look at anomalies in the behavior patterns of humans, devices, data, and applications at scale and make accurate predictions of the threats to your enterpriseallowing you to deploy defenses well in advance of a specific attack. AI, when trained and deployed properly, has the ability to allow your enterprise to be this effective. You can continue to gain value from the on-premise SIEM infrastructure you built and use the data you gathered for historical context. The cloud provides a true value in this use case in its ability to analyze the data at a global scale. And finally, AI will become predictive as it learns what is normal and what isnt normal. You can then automate responses via tooling that will allow your admins to focus only on the highest value tasks.AI will reduce the workload of security administrators in the short term, reducing duplication and increasing efficacy of signal.

Intelligently secure conditional access

My ability to write this blog from the beach is evidence that todays systems for conditional access are good and getting better. The ability to provide access control based on the authentication of the user, device, data, application, and known geo-location provide us a certain level of confidence. The tools that exist can potentially maintain state, have the potential to be quite granular, and are powered by global cloud networks. They often use machine learning to detect anomalous behavior, but todays tooling suffers from a dependence on legacy architecture, technical debt, dependence on the integration of disparate authentication systems, and hybrid systems. The tooling is often built for just one environment, one use case, or one system of record. In most large, complex enterprises, security admins dont have the luxury of using the most up-to-date tools for a single environment or use case. Their environments are complex, the attack surface is large, and their users are often unaware of sophisticated security risks. I encounter this in my own home when I explain to family members the inherent risks of free, public Wi-Fi, as an example.

AI for conditional access use cases is not only practical, its necessary. We have long lived with an employee base that is working from a large variety of personal and company-issued devices and working from a wide range of locations including corporate owned office space, shared work facilities, coffee houses, hotel rooms, conference facilities, and other global locations. There is also still a gap in the security industry related to the percentage of the population that owns and successfully deploys Multi-Factor Authentication (MFA) tooling. Biometrics HAS actually made MFA more ubiquitous by reducing the friction and expense of purchasing and deploying authentication systems, but organizations are still not investing in MFA across 100 percent of their enterprises. Cybersecurity, like many fields, operates on a risk model. High risk applications and users equal higher security profiles and tools. Now, imagine if we can reduce the risk while also reducing the friction of rolling out tools? AI is dependent on data and good architects and developers to truly live up to its promise, but it is systems agnostic. The data you supply from your mainframe is not ranked higher in priority than the data you supply from the cloud, unless you create a scenario where you desire specific data types to be higher priority or ordinal in ranking.

Conditional accesspowered by AI reasoning over the behavior of the user, device, data, application, network, location, etc.has the ability to create much safer data access for companies and reduce the overall risk. Imagine a dynamic, real-time, global environment whereregardless of where your users choose to workyou can determine their precise level of access and change their level of access in real-time without human intervention. Did something change that causes concern, and would you like your user to reauthenticate? Do you want to block access to some or all systems? Do you want to block access to certain data sets or require some level of encryption? The AI enginelinked with automated toolingwill give you this ability and provide the logging and reporting needed to support the automated actions or human intervention. Your ability to integrate with current tooling to enforce the actions will be the highest bar to full usage in your environment.

There are no silver bullets when it comes to technology and, particularly, cybersecurity. I have talked about two use cases where I believe AI can improve cybersecurity, but there are others a well, such as AI’s ability to allow more robust device-related IoT detection, sophisticated malware detection, and improvements in vulnerability management. The bad actors will continue to innovate and create weapons that can be deployed for large scale attacks. The attack surface is growing with the proliferation of IoT devices on corporate networks on control systems. As an industry, we have a moral responsibility and imperative to continue improving processes, training, and technology to meet new and yet to be developed threats. Artificial intelligence is one weapon in our tool bag. It must be used prudently. And when used effectively, it can truly be a change agent for the industry. Check out my blog, Application fuzzing in the era of Machine Learning and AI, where I wrote about application fuzzing and AI.

Check back in a month when I will blog about how we can use AI to improve device-related IoT detection. In the meantime, I invite you to follow me at @ajohnsocyber.

Categories: cybersecurity Tags:

Protecting user identities

September 4th, 2018 No comments

Image of four hands collaborating over a drawing of a lightbulb.

This is a blog series that responds to common questions we receive from customers about the deployment of Microsoft 365 security solutions. In this series, youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Cybersecurity threats: How to discover, remediate, and mitigate, the third blog in our eight-part series on deploying Intelligent Security scenarios.

Its not just a problem for consumers. Identity theft in the workplace is also on the riseand with good reason. Stealing employee credentials is an easy path to bypassing security around sensitive data, making unauthorized purchases, and many other cybercrimes.

Microsoft 365 security solutions help you protect users and corporate accounts. By making identity the control plane, Microsoft 365 offerings manage identities as the first step to providing access to corporate resources and restricting users who are high risk. Tools like single sign-on (SSO), Multi-Factor Authentication (MFA), and Windows 10 Hello for Business help you secure access. Additionally, there are actions you can take if an identity is compromised and ways to lock down or wipe devices to protect sensitive data in case of loss or theft.

How do I provide secure access for my users?

Managing identities is the first step in protecting your environment. You can provision user identities through Azure Active Directory (Azure AD) and then connect to your on-premises Active Directory, allowing you to centralize identities for each user. Then you can set conditional access policies in Azure AD (Figure 1) for users in your organization. Conditional access policies allow you to control how users access cloud apps. You can set conditions that restrict access based on sign-in risk, user location, or client app, as well as only allowing access to managed devices. Start by implementing recommended identity access policies.

Managing user access is your next step. Azure AD SSO lets you manage authentication across devices, cloud apps, and on-premises apps with one user sign-in. Once you enable SSO, your employees can access resources in real-time on any device in addition to confidential or sensitive work documents away from the office. Next, deploy MFA in Azure AD to reauthenticate high-risk users, and take automated action to secure your network.

Figure 1. Set user policies using Azure AD conditional access.

Finally, encourage your employees to use Windows Hello for Business. Its a security feature that allows users unlock their device using their PCs camera, PIN, or their fingerprint.

How do I ensure that my employees credentials are not compromised?

Whats needed is a multi-layered approach to identity protection that goes beyond passwords and starts to identify risk even before a password is entered.

Early and active monitoring of potential threats is essential. With Azure AD Identity Protection, you get an overview of risk and vulnerabilities that may be affecting your organizations identities. You can then set up risk-based conditional access policies to automatically mitigate threats. Risk-based conditional access uses machine learning to identify high-risk users. For example, a user may be flagged based on unfamiliar locations or failed sign-ins from the same IP address. Once flagged, a user can be required to use MFA in Azure AD or be blocked altogether (Figure 1).

Another useful monitoring tool is Azure AD Privileged Identity Management (PIM). With Azure AD PIM, you can monitor admin access to resources and minimize the number of people who have access to them. By continuously monitoring these high access points, you limit vulnerabilities. You can configure Azure AD PIM in the Azure portal to generate alerts when theres suspicious or unsafe activity in your environment and then recommend mitigation strategies.

Along with monitoring, Microsoft 365 security solutions offer tools to better protect a users credentials. Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them, thus helping prevent unauthorized access to these secrets which can lead to credential theft attacks.

Deployment tips from the experts

Start by managing user identities as your control plane. Provision your user identities through Azure AD and use Azure AD Connect to integrate identities across Azure AD and your on-premises AD. Enable MFA for all administrators, set conditional access policies, and initiate SSO.

Manage your devices from the cloud. Managing employee devices remotely engenders productivity and bolsters security. Deploy Microsoft Intune as your mobile device manager for company- and employee-owned devices.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the Protect your users and their identity white paper. You can find additional security resources on Microsoft.com.

More blog posts from this series:

Categories: cybersecurity Tags:

Building the security operations center of tomorrow—harnessing the law of data gravity

August 30th, 2018 No comments

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and , EMEA Chief Security Advisor, Cybersecurity Solutions Group.

Youve got a big dinner planned and your dishwasher goes on the fritz. You call the repair company and are lucky enough to get an appointment for that afternoon. The repairperson shows up and says, Yes, its broken, but to figure out why I will need to run some tests. They start to remove your dishwasher from the outlet. What are you doing? you ask. Im taking it back to our repair shop for analysis and then repair, they reply. At this point, youre annoyed. You have a big party in three hours, and taking the dishwasher all the way back to the shop for analysis means someone will be washing dishes by hand after your partywhy not test it right here and right now so it can be fixed on the spot?

Now, imagine the dishwasher is critical business data located throughout your organization. Sending all that data to a centralized location for analysis will give you insights, eventually, but not when you really need it, which is now. In cases where the data is extremely large, you may not be able to move it at all. Instead it makes more sense to bring services and applications to your data. This at the heart of a concept called data gravity, described by Dave McCrory back in 2010. Much like a planet, your data has mass, and the bigger that mass, the greater its gravitational pull, or gravity well, and the more likely that apps and services are drawn to it. Gravitational movement is accelerated when bandwidth and latency are at a premium, because the closer you are to something the faster you can process and act on it. This is the big driver of the intelligent cloud/intelligent edge. We bring analytics and compute to connected devices to make use of all the data they collect in near real-time.

But what might not be so obvious is what, if anything, does data gravity have to do with cybersecurity and the security operations center (SOC) of tomorrow. To have that discussion, lets step back and look at the traditional SOCs, built on security information and event management (SIEM) solutions developed at the turn of the century. The very first SIEM solutions were predominantly focused on log aggregation. Log information from core security tools like firewalls, intrusion detection systems, and anti-virus/malware tools were collected from all over a company and moved to a single repository for processing.

That may not sound super exciting from our current vantage point of 2018, but back in 2000 it was groundbreaking. Admins were struggling with an increasing number of security tools, and the ever-expanding logs from those tools. Early SIEM solutions gave them a way to collect all that data and apply security intelligence and analytics to it. The hope was that if we could gather all relevant security log and reporting data into one place, we could apply rules and quickly gather insights about threats to our systems and security situational awareness. In a way this was antidata gravity, where data moved to the applications and services rather than vice versa.

After the initial hype for SIEM solutions, SOC managers realized a few of their limitations. Trying to write rules for security analytics proved to be quite hard. A minor error in a rule led to high false positives that ate into analyst investigative time. Many companies were unable to get all the critical log data into the SIEM, leading to false negatives and expensive blind spots. And one of the biggest concerns with traditional SIEM was the latency. SIEM solutions were marketed as real-time analytics, but once an action was written to a log, collected, sent to the SIEM, and then parsed through the SIEM analytics engine, quite a bit of latency was introduced. When it comes to responding to fast moving cyberthreats, latency is a distinct disadvantage.

Now think about these challenges and add the explosive amounts of data generated today by the cloud and millions of connected devices. In this environment its not uncommon that threat campaigns go unnoticed by an overloaded SIEM analytics engine. And many of the signals that do get through are not investigated because the security analysts are overworked. Which brings us back to data gravity.

What was one of the forcing factors for data gravity? Low tolerance for latency. What was the other? Building applications by applying insights and machine learning to data. So how can we build the SOC of tomorrow? By respecting the law of data gravity. If we can perform security analytics close to where the data already is, we can increase the speed of response. This doesnt mean the end of aggregation. Tomorrows SOC will employ a hybrid approach by performing analytics as close to the data mass as possible, and then rolling up insights, as needed, to a larger central SOC repository for additional analysis and insight across different gravity wells.

Does this sound like an intriguing idea? We think so. Being practitioners, though, we most appreciate when great theories can be turned into real-world implementations. Please stay tuned for part 2 of this blog series, where we take the concept of tomorrows SOC and data gravity into practice for today.

Finding the signal of community in all the noise at Black Hat

August 16th, 2018 No comments

I dont know about you, but I find large conferences overwhelming. Dont get me wrong, nothing beats the innovative potential of bringing a diverse group of brilliant people together to hash through thorny issues and share insights. But there are so many speakers, booths, and people, it can be a challenge to find the signal in all the noisedid I mention conferences are also really loud?

So last week when I stepped into the first of multiple showrooms at the Mandalay Hotel in Las Vegas for the Black Hat Briefing, I have to admit I felt a little nostalgia for the very first Black Hat Conference. It was 1997 at the old Aladdin Casino in Las Vegas. A casino with a long and colorful history, slated to close a few months after the conference ended. 1997: That was before Facebook and the iPhone, before the cloud. At the time, the RSA Conference was still mostly focused on cryptography, and those of us concerned about security vulnerabilities and how they impacted practitioners day in and day out had few opportunities to just get together and talk. The first Black Hat Briefing was very special. If my memory serves, there were only a couple hundred of us in attendancecompared to thousands todayand through those connections we built a community and an industry.

Building a community was key to creating the information security industry that exists today, and I believe that building community is just as critical now as we face down the new security threats of a cloud-and-edge world, an IoT world. We need the whole defender communitywhite hat hackers, industry, and governmentworking together to protect the security of our customers.

The security research community plays a fundamental role in community-based defense

Over the last few years, Microsoft has been expanding and redefining what makes up our security communityone of the many positive evolutions since that first Black Hat. Like most tech companies, we once believed that any hacker outside of the organization posed a risk, but as weve gotten to know each other through many years of hard-earned trust and collaboration, we, and the security research community, have learned that our values arent so different. Sometimes the only way to make something stronger is to break it. We know we cant on our own find all the gaps and errors in code that lead to vulnerabilities that criminals exploit to steal money and data. We need great minds both inside and outside our organization. Many of those great minds in the security research community collaborate with us through the Microsoft Security Response Center, and Black Hat was the perfect place to announce the subset of those researchers that made our annual Top 100 Security Researchers List.

Image of the Top 100 sign at the Black Hat Conference.

 

We really appreciate the ongoing support from the community and encourage new researchers to report vulnerabilities to the Microsoft Security Response Center and participate in the Microsoft Bounty Program.

It takes a community to protect the security of our customers

As much as Microsoft values the relationship we have with researchers, we also attended Black Hat as industry partners. We want to help educate our peers on notable vulnerabilities and exploits, and share knowledge following major security events. As an example, one of our sessions focused on how Spectre and Meltdown are a wake-up call on multiple dimensions: how we engineer, how we partner, how we react when we find new security vulnerabilities, and how we need to become more coordinated. When I think about what was so exciting about that first conference, this is what comes to mind: those moments when we hear what our partners have learned, share what we know, and build on those insights to strengthen our collective response. The tech industry is increasingly interdependent. Its going to take all of us working together to protect the safety and security of our customers devices and data.

Image of the Black Hat Conference in Las Vegas.

 

But the meeting of the minds at annual security conferences, while important, is not enough. Microsoft also believes that we need a more structured approach to our collaboration. Cybersecurity is not just about threats from hackers and criminal groups; it has increasingly become a situation where we’re facing a cyberweapons arms race with governments attacking users around the world. We know this is a challenge we must pursue with our partners and customers, with a sense of shared responsibility and a focus on constantly making it easier for everyone to benefit from the latest in security advances. Microsoft has been working to help organize the industry in pursuit of this goal.

This past April during the RSA Conference, we came together as initially 34 companies, now 44 companies, and agreed to a new Cybersecurity Tech Accord. In this accord, we all pledge to help protect every customer, regardless of nationality, and will refrain from helping governments attack innocent civilians. It’s a foundationon which we are buildingto take coordinated action and to work with all our partners and many others to strengthen the resilience of the ecosystem for all our customers.

I admit it, I do sometimes miss attending those small, tightly knit conferences of old. But Im even more inspired about the possibilities that I see as we continue to build on these collaborative models. Weve seen a lot of progress recently working with our partners and the security research community. If you listen closely, I think you can hear the signal breaking through.

How Microsoft 365 Security integrates with your broader IT ecosystem—part 3

August 14th, 2018 No comments

Todays post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

Customer satisfaction is one of the most important goals for Microsoft 365 Security. In part 1 of this series, we discussed Microsofts overall security strategy for connecting with the broader security community, and in part 2, we looked at how Microsoft services help secure non-Microsoft services of an organizations IT environment.

In the final part of this blog series, we highlight how Microsoft 365 Security solutions work together to help customers secure their IT environments. The benefits of Microsoft 365 Security services are universal, as demonstrated by the fact that our customers are large and small, and focused on different industry verticals across the globe.

Helping enable a mobile workforce at a healthcare network

Sutter Health is a not-for-profit network of healthcare professionals and hospitals serving Northern California. CTO Wes Wrights main goal is to provide IT and software solutions that allow employees to maximize their time spent on patient and family care. Sutter Healths network employs nearly 52,000 people, supporting 24 acute care hospitals and care centers, serving more than 100 communities. Sutter has an ecosystem of 65,000 mobile devices and modernizing IT was not trivial for them. They deployed Microsoft Intune to help manage and support an internal app store called the Sutter Intune Store. Intune also helps ensure Sutters clinical and business partners can access and use Sutter Health authorized apps from anywhere, at any time. Their Intune-powered solution is designed to:

  • Manage and secure any mobile device used by the workforce to access company data.
  • Manage and secure the mobile apps used by their workforce.
  • Protect company information even after it is accessed.
  • Ensure devices and apps are compliant with company security policies.

With services like Intune (Figure 1), simplifying security management and reducing IT complexity, Sutter Health can support the latest devices, embrace modern apps, leverage a distributed workforce, and deliver the highest quality patient care.

Figure 1. The Intune architecture diagram.

Enhancing productivity through security at a power company

Wrtsil is a Finnish company manufacturing and servicing power sources and other equipment for the marine and energy markets. Joachim Kjellman, solutions manager at Wrtsil was looking for a solution with conditional access and multifactor authentication (MFA) capabilities. He selected Azure Active Directory (Azure AD), which enables single sign-on capability for all company resources anywhere with internet access, removing the need of unreliable VPN connections. Additionally, with Conditional Access, Wrtsil can provide remote access to apps that can be secured with MFA and managed when originating from unmanaged devices.Azure AD (Figure 2) is designed to help organizations:

  • Provide seamless access.
  • Facilitate collaboration.
  • Unlock IT efficiencies.
  • Enhance security and compliance.

Figure 2. Azure AD overview.

Azure AD also supports seamless collaboration (even on large-scale, complex projects) between Wrtsil and its contractors and partners. Azure AD B2B collaboration features ensure that access to shared resources is heavily protected. Azure AD has helped Wrtsil IT staffers save time and money, enabling Wrtsil to remain focused on serving their global customer base.

Securing an entire IT environment at a transportation firm

Throughout this series, we have discussed how Microsoft 365 Security services integrate well with the myriad IT solutions our customers utilize. However, some of our customers chose Microsoft 365 Security services to help secure their entire environment. HS1 Limited operates and maintains infrastructure for the high-speed railway connecting St. Pancras International Station in London and the Channel Tunnel, joining international high-speed routes between London, Paris, and Brussels, along with several domestic routes. The 50-person firm works with hundreds of counterparts and vendors, so security and collaboration are high priorities. Shawn Marcellin, IT and facilities manager at HS1 Limited needed a highly secure, collaborative solution without investing in a full datacenter and turned to Microsoft 365 E5. Marcellin adopted Microsoft 365 E5 for its advanced security features, including Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence. Identity management through Microsoft Azure Active Directory Premium P2 was another advantage of his choosing Microsoft 365 E5protecting data with Microsoft Cloud App Security and Office 365 Advanced Threat Protection. Marcellin is confident that the move to a total cloud-based, secure solution will continue to benefit HS1 Limited.

Figure 3. The entire Microsoft 365 Security reference architecture.

To learn more about how Microsoft security solutions fit together, read Cybersecurity Reference Architecture: Security for a Hybrid Enterprise.

Digging deeper

These are only a few examples of organizations using Microsoft 365 Security services to secure their extended or entire IT ecosystem. We encourage you to visit the Microsoft Secure site and learn more about the full scope of Microsoft 365 Security capabilities. Also, check out more customer stories to learn how organizations leverage Microsoft 365 Security.

To get started envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance Form.

Thanks for reading this series. We hope you will try the services discussed in this blog to start benefitting from their capabilities, which include:

Categories: cybersecurity Tags:

Cybersecurity threats: How to discover, remediate, and mitigate

August 13th, 2018 No comments

Image of four hands collaborating over a drawing of a lightbulb.

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Protect your data in files, apps, and devices.

Constantly evolving threats to your company data can cause even the most conscientious employee to unknowingly open infected files or click on malicious web links. Security breaches are inevitable. You need to discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches.

Many common types of threats target attack vectors such as email, network endpoints, and user credentials. In this blog, we explain how Microsoft 365 threat protection solutions interoperate threat detection across these attack vectors (Figure 1).

Figure 1. Threat detection interoperates across Microsoft 365.

Protect identities: Azure Active Directory (Azure AD) and Azure Advanced Threat Protection (Azure ATP)

Azure ATP provides end-to-end network security by protecting user identities and credentials in stored in Azure Active Directory. To prevent identity credential attacks, Azure AD conditional access detects risk events, such as users with leaked credentials, sign-ins from anonymous IP addresses, impossible travel to atypical locations, infected devices, and IP addresses with suspicious activity or unfamiliar locations.

Azure ATP detects suspicious activities across the network attack surface, such as:

  • Reconnaissance work, during which attackers gather information on how the environment is built, what the different assets are, and which entities exist.
  • Lateral movement cycles, during which attackers invest time and effort in spreading their attack deeper inside your network.
  • Domain dominance (persistence), during which attackers capture the information, allowing them to resume their campaign using various sets of entry points, credentials, and techniques.

These services that protect specific parts of the attack surface can also share signals to alert services protecting other surfaces of the enterprise.

Azure ATP detects these suspicious activities and surfaces the information, including a clear view of who, what, when, and how, in the Azure ATP workspace portal, which can be accessed by signing in to your Azure AD user account.

Protect email: Microsoft Office 365 Advanced Threat Protection (Office 365 ATP)

Threat protection for Office 365 begins with Microsoft Exchange Online Protection, which provides protection against all known malicious links and malware. Office 365 ATP builds on this protection by offering holistic and ongoing protection across your Office 365 environment, including email and business apps, by securing user mailboxes, business-critical files, and online storage against malware campaigns in real-time.

Office 365 ATP Safe Links helps protect your environment by offering time-of-click protection from malicious links. If a link is unsafe, the user is warned not to visit the site or informed that the site has been blocked. Office 365 ATP and Exchange Online Protection can be configured in the Office 365 admin center.

Protect endpoints: Windows Defender Advanced Threat Protection (Windows Defender ATP)

For endpoint attacks, Windows Defender ATP provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristic solutions. These endpoint sensors collect and process behavioral signals from the operating system, which are then translated into insights, detections, and recommended responses to advanced threats. Windows Defender ATP offers dedicated protection updates based on machine learning, human and automated big-data analyses, and in-depth threat resistance research to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.

Microsoft Device Guard is a feature of Windows 10 that provides increased security against malware and zero-day attacks by blocking anything other than trusted apps. Device Guard is managed in Microsoft System Center Configuration Manager (ConfigMgr).

Deployment tips from the experts

Now that you know more about how Microsoft 365 security solutions can protect your data, here are several proven tips to put it all into action.

Consider the key attack vectors. Devices, email, network, and identity credentials are the most common areas for cybersecurity attacks. To help secure these vectors:

Plan for success with FastTrack. This valuable service comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches coming soon!

More blog posts from this series:

Categories: cybersecurity Tags: