Author Archive

Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios

March 26th, 2020 No comments

With the bulk of end users now working remotely, legacy network architectures that route all remote traffic through a central corporate network are suddenly under enormous strain. The result can be poorer performance, productivity, and user experience. Many organizations are now rethinking their network infrastructure design to address these issues, especially for applications like Microsoft Teams and Office 365. At Microsoft, for example, we adopted split tunneling as part of our VPN strategy. Our customers have asked us for guidance on how to manage security in this changing environment.

An architecture that routes all remote traffic back to the corporate network was originally intended to provide the security team with the following:

  • Prevention of unauthorized access
  • Control of authorized user access
  • Network protections such as Intrusion Detection/Prevention (IDS/IPS) and Distributed Denial of Service (DDoS) mitigation
  • Data loss prevention (DLP)

In this post, we’ll address alternative ways of achieving modern security controls, so security teams can manage risk in a more direct-to-internet network architecture.

Prevention of unauthorized access

Multi-factor authentication (MFA) helps increase authentication assurance. We recommend requiring it for all users. If you are not ready to deploy to all users, consider entering an emergency pilot for higher risk or more targeted users. Learn more about how to use Azure Active Directory (Azure AD) Conditional Access to enforce MFA. You will also want to block legacy authentication protocols that allow users to bypass MFA requirements.

Control of authorized user access

Ensure only registered devices that comply with your organization’s security policies can access your environment, to reduce the risk that would be posed by resident malware or intruders. Learn more about how to use Azure AD Conditional Access to enforce device health requirements. To further increase your level of assurance, you can evaluate user and sign-on risk to block or restrict risky user access. You may also want to prevent your users from accessing other organizations’ instances of the Office 365 applications. If you do this with Azure AD tenant restrictions, only logon traffic needs to traverse the VPN.

Network protections

Some of the protections that you may have traditionally provided by routing traffic back through your corporate network can now be provided by the cloud apps your users are accessing. Office 365, for example, is globally distributed and designed to allow the customer network to route user requests to the closest Office 365 service entry point. Learn more about Office 365 network connectivity principles. We build resiliency into Office 365 to minimize potential disruption. We protect Office 365 and Azure from network attacks like DDoS on behalf of our customers.

With the above controls in place, you may be ready to route remote users’ traffic directly to Office 365. If you still require a VPN link for access to other applications, you can greatly improve your performance and user experience by implementing split tunneling.

We strongly recommend that you review VPN and VPS infrastructure for updates, as attackers are actively tailoring exploits to take advantage of remote workers. Microsoft Threat Intelligence teams have observed multiple nation state and cybercrime actors targeting unpatched VPN systems for many months. In October 2019, both the National Security Agency and National Cyber Security Centre issued alerts on these attacks. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Department of Commerce National Institute of Standards and Technology (NIST) have published useful guidance on securing VPN/VPS infrastructure.


To help you prevent the accidental disclosure of sensitive information, Office 365 has a rich set of built-in tools. You can use the built-in DLP capabilities of Teams and SharePoint to detect inappropriately stored or shared sensitive information. If part of your remote work strategy involves a bring-your-own-device (BYOD) policy, you can use Conditional Access App Control to prevent sensitive data from being downloaded to users’ personal devices.

Malware detection

By default, SharePoint Online automatically scans file uploads for known malware. Enable Exchange Online Protection to scan email messages for malware. If your Office 365 subscription includes Office 365 Advanced Threat Protection (ATP), enable it to provide advanced protection against malware. If your organization uses Microsoft Defender ATP for endpoint protection, remember that each user is licensed for up to five company-managed devices.

Additional resources

The post Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios appeared first on Microsoft Security.

Welcoming and retaining diversity in cybersecurity

March 24th, 2020 No comments

I doubt I’d be in the role I am now if leaders at one of my first jobs hadn’t taken an interest in my career. Although I taught myself to code when I was young, I graduated from college with a degree in English Literature and began my post-college career in editorial. I worked my way up to Assistant Editor at a math and science college textbook publisher located in Boston, Massachusetts. I was responsible for acquisitions and training on the software that that the company distributed with its textbooks. The senior editors sent me to a conference in Florida to train the sales team on how to present the software to professors. This is where I met Jennifer. Jennifer headed up the network and IT support for our California parent company, and because we shared a room at the conference hotel, we got to know each other, and she saw me present. This interaction proved pivotal. When the publisher created a new position to support a network of AS/400s, Jennifer talked me into applying—and yes, she did have to talk me into it! Like a lot of young professionals, I was intimidated to take on such a different role. But I’m so glad she was looking out for me. It was the start of my career in technology, which ultimately led me to Microsoft.

My experience is a great example of how individuals and company culture can influence the trajectory of someone’s career. To celebrate Women in Cybersecurity month, Microsoft is exploring tactics to increase diversity in the tech industry. In the first post in the series, Ann Johnson wrote about mentorship. In this post, I share some ideas for cultivating the diverse talent that already work at your company to build a strong and diverse leadership team.

Retention is as important as recruitment

When we talk about the lack of diversity in tech, much of the conversation focuses around hiring. And it’s true that we need to dramatically increase the number of women, non-binary, and people of color that we recruit. But if we want to create more diverse technology teams, we also need to address the talent drain. Too often smart technologists with nontraditional backgrounds drop out of STEM careers. Studies have shown that up to 52 percent of women leave technology fields. This is nearly double the percentage of men who quit tech. And for those who think it’s because women don’t enjoy technology, 80+ percent of women in STEM say they love their work. The problem often comes down to culture. Which means it’s something we can fix! I’ve worked with and managed many neuro-diverse teams and here’s what I’ve seen work.

People aren’t books

One of the most famous pictures of Einstein shows him with his hair in disarray, sticking his tongue out. If you didn’t know he was one of the greatest thinkers in the world, you might assume he wasn’t the fastest electron in the universe. Or what does it say that many of us didn’t discover Katharine Johnson, another brilliant physicist, until 2017 when the movie “Hidden Figures” was released.

Our collective mental model for what an engineer or scientist is supposed to look and act like doesn’t reflect reality. Some people have purple hair, some like to work in yoga pants, some listen to loud music on headphones all day, or have creative face tattoos. And many are women or LGBTQ or people of color or disabled. People’s race, gender, appearance and work styles have no bearing on whether they are a hard worker or a valuable contributor. We know this, but often we don’t realize we’ve made a judgement based on unconscious biases.

How to address: Don’t judge people by their “covers.” This starts by acknowledging that your biases may not be explicit or intentional, but they still exist. Listen to what people say. Evaluate the work they produce. Observe how they collaborate with others. These are the indicators of the value they bring. And keep in mind that people who’ve been conditioned to believe that technology isn’t for them, may not exhibit the level of confidence you expect. It doesn’t mean they can’t do it. They may just need a little more encouragement (thank you, Jennifer!).

Women often leave jobs because they feel stalled in their careers. In one study, 27 percent of U.S. women said they feel stalled and 32 percent were considering quitting in the next year. For a variety of reasons, unconscious bias results in straight white men getting more opportunities on high profile projects, more ideas greenlit, and faster promotions. As a result, women get discouraged, do not feel supported and look for other opportunities. That is why in the previous blog, we focused on mentorship.

How to address: Be a champion for women and other underrepresented groups in your company. My relationship with Jennifer is a great example of this. She took an interest in my career, identified an opportunity and helped me get to the next rung. Our relationship was informal, but you can also create a structured sponsorship program. The goal is to go beyond mentorship and become an advocate for promising women, people of color, and other underrepresented groups. Use your influence to get them the right projects, the right advice, and the right exposure to help them advance their careers.

Nurture unique thinkers

Back when I was a manager at KPMG, we used to try to hire people who “think outside the box.” But the tricky part about hiring out of the box thinkers is that their ideas are, well, outside the box. Organizations often think they want people to shake things up but in practice many are uncomfortable being challenged. This leads them to quickly shut down bold new ideas. When original thinkers don’t feel valued, they take all that innovation and creativity elsewhere.

How to address: Build a culture of inclusion where everyone has a chance to share. Not every idea is great; in my career I’ve had more than my share of bad ones! But you should listen to and consider all opinions—even if they seem a little off the wall. It doesn’t mean you have to move them all forward, but sometimes an idea that sounds outlandish one day starts to make sense after a good night’s sleep. Or take a page from the women in the Obama administration and amplify ideas that have been overlooked.

Respect the hours

Not everyone can commit to a regular eight in the morning to six in the evening work week. Many people care for children, sick spouses, and elderly parents—being a caretaker is a skill in and of itself! In fact, this quality of being a caretaker is something that in most technology roles can be a valued asset. In addition to being a caretaker, others can’t work “regular” weeks because they’re finishing degrees or have other time challenges and commitments.

Varied approaches to time also apply to project milestones. People deal with deadlines differently—some get stressed if the deadline is too close (like me!) and do their work in advance, others need that adrenaline pump and wait until (almost) the last minute to deliver.

How to address: Institute and support flexible work hours, job sharing (two people share the same job, both doing it half-time), or three weeks on/one week off work schedules that enable people to contribute without requiring them to keep the same hours as everyone else. Trust that people can be productive even if they don’t work the same way or at the same time as your typical employee.

To build a diverse, experienced team of leaders, you need an environment that supports and accepts differences of all kinds. Don’t let bias about gender, appearance, or the hours someone can work get in the way of nurturing all those great hires into the next generation of great leaders. Our senior director for our cybersecurity operations team, Kristina, looks for diversity as this helps with managing the diversity of threats. Listen to her thoughts on diversity in our CISO Spotlight Episode 7.

What’s next

For those interested in how to find more diverse talent, next week Theresa Payton will share ideas from her experience recruiting girls, women, and other people with differing backgrounds into technology.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. To learn more about our Security solutions visit our website. Or reach out to me on LinkedIn or Twitter.

The post Welcoming and retaining diversity in cybersecurity appeared first on Microsoft Security.

Defending the power grid against supply chain attacks—Part 2: Securing hardware and software

March 23rd, 2020 No comments

Artificial intelligence (AI) and connected devices have fueled digital transformation in the utilities industry. These technological advances promise to reduce costs and increase the efficiency of energy generation, transmission, and distribution. They’ve also created new vulnerabilities. Cybercriminals, nation state actors, and hackers have demonstrated that they are capable of attacking a nation’s power grid through internet-connected devices. As utilities and their suppliers race to modernize our infrastructure, it’s critical that cybersecurity measures are prioritized.

In the first blog in the “Defending the power grid against cyberattacks” series, I walked through how the accelerated adoption of the Internet of Things (IoT) puts utilities and citizens at risk of attack from nation state actors. In this post, I’ll provide guidance for how utilities manufacturers can better protect the connected devices that are deployed in the energy industry.

Protect identities

If your organization supplies the energy industry, you may be targeted by adversaries who want to disrupt the power supply. One way they will try to access your company resources is by stealing or guessing user credentials with tactics like password spray or phishing. According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of breaches are the result of weak or compromised passwords. Attackers target multiple people at a time, but they only need to succeed once to gain access.

Securing your company starts with safeguarding your identities. At the bare minimum, you should apply multi-factor authentication (MFA) to your administrative accounts. A better option is to require all users to authenticate using MFA. MFA requires that users sign in with more than just a password. The second form of authentication can be a one-time code from a mobile device, biometrics, or a secure FIDO2 key, among other options. MFA reduces your risk significantly because it’s much harder for an attacker to compromise two or more authentication factors.

Figure 1: You can use Conditional Access policies to define when someone is promoted to sign in with MFA.

Secure privileged access

In a supply chain attack, adversaries attack your organization to gain access to data and applications that will allow them to tamper with your product or service before it reaches its intended destination. Bad actors want to infiltrate your build environment or the servers that you use to push software updates. To accomplish this, they often target administrator accounts. Securing your administrative accounts is critical to protect your company resources. Here are a few steps you can take to safeguard these accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to you administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks.

  • Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

Safeguard your build and update environment

Bad actors don’t just target user accounts. They also exploit vulnerabilities in software. Many attacks take advantage of known vulnerabilities for which there are available patches. Keep software and operating systems up-to-date and patched to reduce your risk. Retire any technology that is no longer supported by the publisher and implement mandatory integrity controls to ensure only trusted tools run.

You also need to protect the software that your team writes. A proven and robust Secure Development Lifecycle (SDL) will guide your developers to build software that includes fewer vulnerabilities. Microsoft’s SDL includes 12 practices. For example, Microsoft SDL recommends that security and privacy requirements be defined at the beginning of every project. The guidelines also provide tips for managing the security risk of third-party software, performing threat modeling, and penetration testing, among other recommendations. By building security into the entire software process, the software you release will be more secure and less vulnerable to attack.

Assume breach

My recommendations will reduce your risk, but they won’t eliminate it entirely. To protect your company and customers, you’ll need to adopt an assume breach mindset. It’s not a matter of if you’ll be breached but when. Once you’ve accepted that you can’t prevent all attacks, put processes and tools in place that enable you to detect and respond to an incident as quickly as possible.

Endpoint detection and response solutions, like Microsoft Threat Protection, leverage AI to automate detection and response and correlate threats across domains. When incidents are detected, you will need an appropriate response. The National Institute of Standards and Technology (NIST) provides an incident response guide. You can also learn from Microsoft’s Security Response Center (MSRC), which shared how it developed an incident response plan.

Figure 3: An overview of an incident in Microsoft Threat Protection.

A good communication plan is an important component of a response plan. You will need to let customers know there was an incident and how you plan to address it. As the MSRC notes, “Clear, accurate communication builds confidence in the incident response process, maintains trust with customers, protects your brand, and is essential for fast effective response.”

Centralized IoT device management

In addition to operating a number of generation plants, utilities operate a network of thousands of substations and hundreds of thousands of miles of transmission and distribution lines. This requires them to deploy a large number of IoT devices to safely and efficiently deliver electricity to their customers. To effectively manage this network of IoT devices, suppliers should provide their customers with centralized IoT device management to update firmware, install security updates, and manage accounts and passwords.

Build trust

Protecting critical infrastructure from a destabilizing attack will require collaboration among utilities and suppliers in the industry. Device manufacturers and software publishers have a vital role to play in protecting critical infrastructure. By instituting and maintaining the security practices that I’ve recommended, you can dramatically reduce the risk to your organization and to the power grid.

Stay tuned for the final post in this series, “Part 3: Risk management strategies for the utilities industry,” where I’ll provide recommendations specifically for utilities.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks—Part 2: Securing hardware and software appeared first on Microsoft Security.

Protecting against coronavirus themed phishing attacks

March 20th, 2020 No comments

The world has changed in unprecedented ways in the last several weeks due to the coronavirus pandemic. While it has brought out the best in humanity in many ways, as with any crisis it can also attract the worst in some. Cybercriminals use people’s fear and need for information in phishing attacks to steal sensitive information or spread malware for profit. Even as some criminal groups claim they’ll stop attacking healthcare and nursing homes, the reality is they can’t fully control how malware spreads.

While phishing and other email attacks are indeed happening, the volume of malicious emails mentioning the coronavirus is very small. Still, customers are asking us what Microsoft is doing to help protect them from these types of attacks, and what they can do to better protect themselves. We thought this would be a useful time to recap how our automated detection and signal-sharing works to protect customers (with a specific recent example) as well as share some best practices you can use personally to stay safe from phishing attempts.

What Microsoft is doing

First, 91 percent of all cyberattacks start with email. That’s why the first line of defense is doing everything we can to block malicious emails from reaching you in the first place. A multi-layered defense system that includes machine learning, detonation, and signal-sharing is key in our ability to quickly find and shut down email attacks.

If any of these mechanisms detect a malicious email, URL, or attachment, the message is blocked and does not make its way to your inbox. All attachments and links are detonated (opened in isolated virtual machines). Machine learning, anomaly analyzers, and heuristics are used to detect malicious behavior. Human security analysts continuously evaluate user-submitted reports of suspicious mail to provide additional insights and train machine learning models.

Once a file or URL is identified as malicious, the information is shared with other services such as Microsoft Defender Advanced Threat Protection (ATP) to ensure endpoint detection benefits from email detection, and vice versa.

An interesting example of this in action occurred earlier this month, when an attacker launched a spear-phishing campaign that lasted less than 30 minutes.

Attackers crafted an email designed to look like a legitimate supply chain risk report for food coloring additives with an update based on disruptions due to coronavirus. The attachment, however, was malicious and delivered a sophisticated, multi-layer payload based on the Lokibot trojan (Trojan:Win32/Lokibot.GJ!MTB).

Screenshot of a phishing email about a coronavirus update.

Had this payload been successfully deployed, hackers could have used it to steal credentials for other systems—in this case FTP accounts and passwords—which could then be used for further attacks.

Only 135 customer tenants were targeted, with a spray of 2,047 malicious messages, but no customers were impacted by the attack. The Office 365 ATP detonation service, signal-sharing across services, and human analysts worked together to stop it.

And thanks to signal sharing across services, customers not using a Microsoft email service like Office 365, hosted Exchange, or, but using a Windows PC with Microsoft Defender enabled, were fully protected. When a user attempted to open the malicious attachment from their non-Microsoft email service, Microsoft Defender kicked in, querying its cloud-based machine learning models and found that the attachment was blocked based on a previous Office 365 ATP cloud detection. The attachment was prevented from executing on the PC and the customer was protected.

What you can do

While bad actors are attempting to capitalize on the COVID-19 crisis, they are using the same tactics they always do. You should be especially vigilant now to take steps to protect yourself.

Make sure your devices have the latest security updates installed and an antivirus or anti-malware service. For Windows 10 devices, Microsoft Defender Antivirus is a free built-in service enabled through Settings. Turn on cloud-delivered protection and automatic sample submission to enable artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.

Enable the protection features of your email service. If you have Office 365, you can learn about Exchange Online Protection here and Office 365 ATP here.

Use multi-factor authentication (MFA) on all your accounts. Most online services now provide a way to use your mobile device or other methods to protect your accounts in this way. Here’s information on how to use Microsoft Authenticator and other guidance on this approach.

MFA support is available as part of the Azure Active Directory (Azure AD) Free offering. Learn more here.

Educate yourself, friends, and colleagues on how to recognize phishing attempts and report suspected encounters. Here are some of the tell-tale signs.

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have an editorial staff to ensure customers get high-quality, professional content. If an email message is fraught with errors, it is likely to be a scam.
  • Suspicious links. If you suspect that an email message is a scam, do not click on any links. One method of testing the legitimacy of a link is to rest your mouse—but not click—over the link to see if the address matches what was typed in the message. In the following example, resting the mouse on the link reveals the real web address in the box with the yellow background. Note that the string of IP address numbers looks nothing like the company’s web address.

  • Suspicious attachments. If you receive an email with an attachment from someone you don’t know, or an email from someone you do know but with an attachment you weren’t expecting, it may be a phishing attempt, so we recommend you do not open any attachments until you have verified their authenticity. Attackers use multiple techniques to try and trick recipients into trusting that an attached file is legitimate.
    • Do not trust the icon of the attachment.
    • Be wary of multiple file extensions, such as “pdf.exe” or “rar.exe” or “txt.hta”.
    • If in doubt, contact the person who sent you the message and ask them to confirm that the email and attachment are legitimate.
  • Threats. These types of emails cause a sense of panic or pressure to get you to respond quickly. For example, it may include a statement like “You must respond by end of day.” Or saying that you might face financial penalties if you don’t respond.
  • Spoofing. Spoofing emails appear to be connected to legitimate websites or companies but take you to phony scam sites or display legitimate-looking pop-up windows.
  • Altered web addresses. A form of spoofing where web addresses that closely resemble the names of well-known companies, but are slightly altered; for example, “” or “”.
  • Incorrect salutation of your name.
  • Mismatches. The link text and the URL are different from one another; or the sender’s name, signature, and URL are different.

If you think you’ve received a phishing email or followed a link in an email that has taken you to a suspicious website, there are few ways to report what you’ve found.

If you think the mail you’ve received is suspicious:

  • If you receive a suspicious email message that asks for personal information, select the checkbox next to the message in your Outlook inbox. Select the arrow next to Junk, and then point to Phishing scam.
  • Microsoft Office Outlook 2016 and 2019 and Microsoft Office 365. While in the suspicious message, select Report message in the Protection tab on the ribbon, and then select Phishing.

If you’re on a suspicious website:

  • Microsoft Edge. While you’re on a suspicious site, select the More (…) icon > Send feedback > Report Unsafe site. Follow the instructions on the web page that displays to report the website.
  • Internet Explorer. While you’re on a suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the web page that displays to report the website.

If you think you have a suspicious file:

  • Submit the file for analysis.

This is just one area where our security teams at Microsoft are working to protect customers and we’ll share more in the coming weeks. For additional information and best practices for staying safe and productive through remote work, community support and education during these challenging times, visit Microsoft’s COVID-19 resources page for the latest information.

The post Protecting against coronavirus themed phishing attacks appeared first on Microsoft Security.

Welcoming more women into cybersecurity: the power of mentorships

March 19th, 2020 No comments

From the way our industry tackles cyber threats, to the language we have developed to describe these attacks, I’ve long been a proponent to challenging traditional schools of thought—traditional cyber-norms—and encouraging our industry to get outside its comfort zones. It’s important to expand our thinking in how we address the evolving threat landscape. That’s why I’m not a big fan of stereotypes; looking at someone and saying they “fit the mold.” Looking at my CV, one would think I wanted to study law, or politics, not become a cybersecurity professional. These biases and unconscious biases shackle our progression. The scale of our industry challenges is too great, and if we don’t push boundaries, we miss out on the insights that differences in race, gender, ethnicity, sexuality, neurology, ability, and degrees can bring.

As we seek to diversify the talent pool, a key focus needs to be on nurturing female talent. Microsoft has hired many women in security, and we will always focus on keeping a diverse workforce. That’s why as we celebrate Women in Cybersecurity Month and International Women’s Day, the security blog will feature a few women cybersecurity leaders who have been implementing some of their great ideas for how to increase the number of women in this critical field. I’ll kick it off the series with some thoughts on how we can build strong mentoring relationships and networks that encourage women to pursue careers in cybersecurity.

There are many women at Microsoft who lead our security efforts. I’m incredibly proud to be among these women, like Joy Chik, Corporate Vice President of Identity, who is pushing the boundaries on how the tech industry is thinking about going passwordless, and Valecia Maclin, General Manager of Security Engineering, who is challenging us to think outside the box when it comes to our security solutions. On my own team, I think of the many accomplishments of  Ping Look, who co-founded Black Hat and now leads our Detection and Response Team (DART), Sian John, MBE, who was recently recognized as one of the top 50 influencers in cybersecurity in the U.K., and Diana Kelley, Microsoft CTO, who tirelessly travels to the globe to share how we are empowering our customers through cybersecurity—just to name a few. It’s important we continue to highlight women like these, including our female cybersecurity professionals at Microsoft who made the Top 100 Cybersecurity list in 2019. The inspiration from their accomplishments goes far beyond our Microsoft campus. These women represent the many Microsoft women in our talented security team. This month, you’ll also hear from some of them in subsequent blog posts on how to keep the diverse talent you already have employed. And to conclude the month, Theresa Payton, CEO at Fortalice Solutions, LLC., and the host of our CISO Spotlight series will share tips from her successful experience recruiting talented women into IT and cybersecurity.

Our cyber teams must be as diverse as the problems we are trying to solve

You’ve heard me say this many times, and I truly believe this: As an industry, we’ve already acknowledged the power of diversity—in artificial intelligence (AI). We have clear evidence that a variety of data across multiple sources and platforms enhances and improves AI and machine learning models. Why wouldn’t we apply that same advantage to our teams? This is one of several reasons why we need to take diversity and inclusion seriously:

  • Diverse teams make better and faster decisions 87 percent of the time compared with all male teams, yet the actual number of women in our field fluctuates between 10 and 20 percent. What ideas have we missed by not including more women?
  • With an estimated shortfall of 3.5 million security professionals by 2021, the current tech talent pipeline needs to expand—urgently.
  • Cyber criminals will continue to exploit the unconscious bias inherent in the industry by understanding and circumventing the homogeneity of our methods. If we are to win the cyber wars through the element of surprise, we need to make our strategy less predictable.

Mentoring networks must start early

Mentorship can be a powerful tool for increasing the number of women in cybersecurity. People select careers that they can imagine themselves doing. This process starts young. Recently a colleague’s pre-teen daughter signed up for an after-school robotics class. When she showed up at the class, only two other girls were in the room. Girls are opting out of STEM before they can (legally) opt into a PG-13 movie. But we can change this. By exposing girls to technology earlier, we can reduce the intimidation factor and get them excited. One group that is doing this is the Security Advisor Alliance. Get involved in organizations like this to reach girls and other underrepresented groups before they decide cybersecurity is not for them.

Building a strong network

Mentoring young people is important, but to solve the diversity challenges, we also need to bring in people who started on a different career path or who don’t have STEM degrees. You simply won’t find the talent you need through the anemic pipeline of college-polished STEM graduates. I recently spoke with Mari Galloway, a senior security architect in the gaming industry and CEO of the Women’s Society of Cyberjutsu (WSC) about this very topic in my podcast. She agreed on the importance of finding a mentor, and being a mentee.

Those seeking to get into cybersecurity need a network that provides the encouragement and constructive feedback that will help them grow. I have mentored several non-technical women who have gone on to have successful roles in cybersecurity. These relationships have been very rewarding for me and my mentees, which is why I advocate that everybody should become a mentor and a mentee.

If you haven’t broken into cybersecurity yet, or if you are in the field and want to grow your career, here are a few tips:

  • Close the skills gap through training and certificate programs offered by organizations like Sans Institute and ISC2. I am especially excited about Girls Go Cyberstart, a program for young people that Microsoft is working on with Sans Institute.
  • Build up your advocate bench with the following types of mentors:
    • Career advocate: Someone who helps you with your career inside your company or the one you want to enter.
    • Coach: Someone outside your organization who brings a different perspective to troubleshooting day-to-day problems.
    • Senior advisor: Someone inside or outside your organization who looks out for the next step in your career.
  • Use social media to engage in online forums, find local events, and reach experts. Several of my mentees use LinkedIn to start the conversation.
  • When you introduce yourself to someone online be clear that you are interested in their cumulative experience not just their job status.

For those already in cybersecurity, be open to those from the outside seeking guidance, especially if they don’t align with traditional expectations of who a cybersecurity professional is.

Mentorship relationships that yield results

A mentorship is only going to be effective if the mentee gets valuable feedback and direction from the relationship. This requires courageous conversations. It’s easy to celebrate a mentee’s visible wins. However, those moments are the result of unseen trench work that consists of course correcting and holding each other accountable to agreed upon actions. Be prepared to give and receive constructive, actionable feedback.

Creating inclusive cultures

More women and diverse talent should be hired in security not only because it is the right thing to do, but because gaining the advantage in fighting cybercrime depends on it. ​Mentorship is one strategy to include girls before they opt out of tech, and to recruit people from non-STEM backgrounds.

What’s next

Watch for Diana Kelley’s blog about how to create a culture that keeps women in the field.

Learn more about Girls Go Cyberstart.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

The post Welcoming more women into cybersecurity: the power of mentorships appeared first on Microsoft Security.

Forrester names Microsoft a Leader in 2020 Enterprise Detection and Response Wave

March 18th, 2020 No comments

I’m proud to announce that Microsoft is positioned as a Leader in The Forrester Wave™: Enterprise Detection and Response, Q1 2020. Among the Leaders in the report, Microsoft received the highest score in the current offering category. Microsoft also received the highest score of all participating vendors in the extended capabilities criteria. We believe Microsoft’s position as a Leader in this Forrester Enterprise Detection and Response Wave is not only a recognition of the value we deliver with our endpoint detection and response capabilities through Microsoft Defender Advanced Threat Protection (ATP), but recognition for our customers for their help in defining a market-leading product they really need and love using.

Microsoft Defender ATP, our endpoint protection solution, received the highest score possible (5 out of 5) in the endpoint telemetry, security analytics, threat hunting, ATT&CK mapping, and response capabilities criteria, as well in the Performance and Planned Enhancements criteria. The endpoint detection and response capabilities built into Microsoft Defender ATP empower defenders to achieve more and focus on remediating the threats that will have the biggest impact to their organization. Our broad and deep optics into the threat landscape and our built-in approach to security make our offerings unique.

The recently announced Microsoft Threat Protection, a solution that expands Microsoft Defender ATP from endpoint detection and response (EDR) to an extended detection and response (XDR) solution by combining our endpoint protection with protection for email and productivity tools (Office ATP), identity (Azure ATP), and cloud applications (Microsoft Cloud App Security), received the highest score of all participating vendors for its extended capabilities. As customers face cross-domain attacks, such as email phishing that leads to endpoint and identity compromise, Microsoft Threat Protection looks across these domains to understand the entire chain of events, identifies affected assets, like users, endpoints, mailboxes, and applications, and auto-heals them back to a safe state.

Microsoft is dedicated to protecting companies from real cyberattacks. We are focused on product excellence, innovation, and cutting-edge technology. The success of our customers is our highest priority, which is why we put such a strong emphasis on product excellence to translate the more than $1 billion a year investment, collaboration with over 100 Microsoft Intelligent Security Association (MISA) partners, and more than 3,500 security professionals into real, cloud-delivered protection for our customers. These partnerships, investments, and continuous innovation have led us to secure this leading spot as a provider that “matters most.”

For us, this latest recognition is a testament to our research and product teams’ ongoing commitment to provide our customers with an effective and comprehensive security solution and adds to a growing list of industry recognition of Microsoft Defender ATP.

This is our first time participating in this Forrester Enterprise Detection and Response Wave and we are truly excited to have been recognized as a Leader. It’s another proud milestone in our endpoint security journey with Microsoft Defender ATP and Microsoft Threat Protection to building an industry-leading endpoint and XDR solution that customers love.

Download this complimentary full report and read the analysis behind Microsoft’s positioning as a Leader.

For more information on our endpoint security platform, or to sign up for a trial, visit our Microsoft Defender ATP page.


The Forrester Wave™: Enterprise Endpoint Detection and Response, Q1 2020, Josh Zelonis, March 18, 2020.
This graphic was published by Forrester Research as part of a larger research document and should be evaluated in the context of the entire document. The Forrester document is available upon request from

The post Forrester names Microsoft a Leader in 2020 Enterprise Detection and Response Wave appeared first on Microsoft Security.

Work remotely, stay secure—guidance for CISOs

March 12th, 2020 No comments

With many employees suddenly working from home, there are things an organization and employees can do to help remain productive without increasing cybersecurity risk.

While employees in this new remote work situation will be thinking about how to stay in touch with colleagues and coworkers using chat applications, shared documents, and replacing planned meetings with conference calls, they may not be thinking about cyberattacks. CISOs and admins need to look urgently at new scenarios and new threat vectors as their organizations become a distributed organization overnight, with less time to make detailed plans or run pilots.

Based on our experiences working with customers who have had to pivot to new working environments quickly, I want to share some of those best practices that help ensure the best protection.

What to do in the short—and longer—term

Enabling official chat tools helps employees know where to congregate for work. If you’re taking advantage of the six months of free premium Microsoft Teams or the removed limits on how many users can join a team or schedule video calls using the “freemium” version, follow these steps for supporting remote work with Teams. The Open for Business Hub lists tools from various vendors that are free to small businesses during the outbreak. Whichever software you pick, provision it to users with Azure Active Directory (Azure AD) and set up single-sign-on, and you won’t have to worry about download links getting emailed around, which could lead to users falling for phishing emails.

You can secure access to cloud applications with Azure AD Conditional Access, protecting those sign-ins with security defaults. Remember to look at any policies you have set already, to make sure they don’t block access for users working from home. For secure collaboration with partners and suppliers, look at Azure AD B2B.

Azure AD Application Proxy publishes on-premises apps for remote availability, and if you use a managed gateway, today we support several partner solutions with secure hybrid access for Azure AD.

While many employees have work laptops they use at home, it’s likely organizations will see an increase in the use of personal devices accessing company data. Using Azure AD Conditional Access and Microsoft Intune app protection policies together helps manage and secure corporate data in approved apps on these personal devices, so employees can remain productive.

Intune automatically discovers new devices as users connect with them, prompting them to register the device and sign in with their company credentials. You could manage more device options, like turning on BitLocker or enforcing password length, without interfering with users’ personal data, like family photos; but be sensitive about these changes and make sure there’s a real risk you’re addressing rather than setting policies just because they’re available.

Read more in Tech Community on ways Azure AD can enable remote work.

You’ve heard me say it time and again when it comes to multi-factor authentication (MFA): 100 percent of your employees, 100 percent of the time. The single best thing you can do to improve security for employees working from home is to turn on MFA. If you don’t already have processes in place, treat this as an emergency pilot and make sure you have support folks ready to help employees who get stuck. As you probably can’t distribute hardware security devices, use Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.

Longer term, I recommend security admins consider a program to find and label the most critical data, like Azure Information Protection, so you can track and audit usage when employees work from home. We must not assume that all networks are secure, or that all employees are in fact working from home when working remotely.

Track your Microsoft Secure Score to see how remote working affects your compliance and risk surface. Use Microsoft Defender Advanced Threat Protection (ATP) to look for attackers masquerading as employees working from home, but be aware that access policies looking for changes in user routines may flag legitimate logons from home and coffee shops.

How to help employees

As more organizations adapt to remote work options, supporting employees will require more than just providing tools and enforcing policies. It will be a combination of tools, transparency, and timeliness.

Remote workers have access to data, information, and your network. This increases the temptation for bad actors. Warn your employees to expect more phishing attempts, including targeted spear phishing aimed at high profile credentials. Now is a good time to be diligent, so watch out for urgent requests that break company policy, use emotive language and have details that are slightly wrong—and provide guidance on where to report those suspicious messages.

Establishing a clear communications policy helps employees recognize official messages. For example, video is harder to spoof than email: an official channel like Microsoft Stream could reduce the chance of phishing while making people feel connected. Streaming videos they can view at a convenient time will also help employees juggling personal responsibilities, like school closures or travel schedule changes.

Transparency is key. Some of our most successful customers are also some of our most transparent ones. Employee trust is built on transparency. By providing clear and basic information, including how to protect their devices, will help you and employees stay ahead of threats.

For example, help employees understand why downloading and using consumer or free VPNs is a bad idea. These connections can extract sensitive information from your network without employees realizing. Instead, offer guidance on how to leverage your VPN and how it’s routed through a secure VPN connection.

Employees need a basic understanding of conditional access policies and what their devices need to connect to the corporate network, like up-to-date anti-malware protection. This way employees understand if their access is blocked and how to get the support they need.

Working from home doesn’t mean being isolated. Reassure employees they can be social, stay in touch with colleagues, and still help keep the business secure. Read more about staying productive while working remotely on the Microsoft 365 blog.

The post Work remotely, stay secure—guidance for CISOs appeared first on Microsoft Security.

Empower Firstline Workers with Azure AD and YubiKey passwordless authentication

March 12th, 2020 No comments

At the end of February, Microsoft announced the FIDO2 passwordless support for hybrid environments. The integration of FIDO2-based YubiKeys and Azure Active Directory (Azure AD) is a game changer. It combines the ubiquity of Azure AD, the usability of YubiKey, and the security of both solutions to put us on the path to eliminate passwords in the enterprise. Think about that for a moment. Imagine never being asked to change your password again, no more password spreadsheets or vault apps. No more phishing and password spray! Would it be too much to compare it to the moon landing? Probably. But it’s at least as monumental to security as the introduction of passwords themselves. Now think about how much passwordless authentication will improve everyday work for Firstline Workers. Today I’ll share why usability and user experience are so important and how you can modernize work (and security) while reducing costs for Firstline Workers. I’ll also provide advice on transitioning your hybrid environment to passwordless.

User experience matters

Do you want to know why attackers have been so successful? Because they’ve paid attention to user experience. The tools they use to trick users to hand over passwords have been carefully updated to feel legitimate to users. One tool even has a Help Desk, if you can believe that! And it’s working. Many users don’t even realize they’ve given up their password. Bad actors can focus on usability because the economics of hacking are cheap. They don’t have to be present to interrupt a sign-in, and they only need one password to gain access and move laterally to increase privileges. They don’t need a high success rate to achieve a good payoff, which allows them to take the time to get it right. They use that time to research companies for good targets and improving the user experience of their phishing attempts.

Yubico understands the importance of usability and makes security tools accessible and easy to use. Our flagship product, YubiKey, was designed with these principles in mind. The YubiKey is a hardware token with a cryptographic element that supports FIDO2 standards. It is not a password storage device, nor does it contain any personal information. With traditional passwords, the server requests a password, and if the user hands over the password, the server has no way to validate if that user should have that password. With a YubiKey, the server sends a challenge to the user. The user plugs the key in and touches it to sign the challenge. It requires the user to be physically present, so it eliminates remote takeovers of accounts. The ability to work from anywhere in the world is what enables cybercrime.


Equally important is its simplicity. Users don’t need to find a code on a separate device or remember complicated passwords or a PIN. The same key can be used across all their devices and accounts, and you can attach it to a keychain. (Take a look at this video to see it in action.)

Transform the Firstline Worker experience, securely

The biggest opportunity for the Azure AD and YubiKey integration to make a real difference is with Firstline Workers. Firstline Workers are more than 2 billion people worldwide who work in service- or task-oriented roles across industries such as retail, hospitality, travel, and manufacturing. They are often mobile, and many serve as the first touchpoint with your customers. Incredibly important to your business, they have been underserved by the cloud revolution. Firstline Workers typically aren’t issued a computer, and the computers they do use may not have a lot of connectivity. This makes it difficult to stay connected to corporate communications or interact digitally with coworkers. It can also prevent them from efficiently doing their jobs. For example, it can be challenging to serve customers if an employee needs to sign into an available computer to answer a question.

One call center reduced the steps to sign in from 13 steps to six—that’s a 60 percent reduction.

There are a lot of hidden costs to password resets. To reduce this time, Firstline Worker passwords often never change. They have developed the same familiar bad habits as office workers: they write down passwords or reuse the same one across multiple sites. Lurking in the wings are the bad actors who just need one password to infiltrate your organization.

YubiKey reduces that risk and empowers your Firstline Workers. With a YubiKey users can easily move from device to device. This can dramatically improve the work experience. It also drives better business outcomes. One call center that implemented YubiKey authentication cut its sign-in process from 13 steps to six—that’s a 60 percent reduction. Reducing time spent signing in can drive huge costs reductions.

The Azure AD and YubiKey integration can support your digital transformation goals in the field. Firstline Workers will easily access the information they need whether that is for customer service or building new products—with significantly less risk of an account takeover.

Transition your hybrid environment to passwordless

YubiKey is a good fit for companies who are invested in Microsoft technology because the device includes several generations of solutions. It works with legacy applications (we can protect anything from Windows XP on up) and cloud solutions like Azure and Office 365. It can support one-time passwords (OTP) with Active Directory or smart card capabilities. If you use Active Directory Federation Services to authenticate, there is a plugin that integrates with on-premises. It’s also compatible with cloud-based authentication, and we are working with Microsoft on integration with Azure Active Directory. Our latest YubiKey 5 Series supports the following authentication technologies:

  • FIDO2
  • U2F
  • PIV
  • Yubico OTP

As a first step towards passwordless, no matter your environment, start by implementing multi-factor authentication (MFA) everywhere, using the YubiKey as a hardware-based backup to a username and password.

Learn more

Yubico is committed to developing new technology to help users trust what they are doing online. We are working with Microsoft to build the latest and greatest into Azure AD. Join us at one of our co-hosted workshops with Microsoft where we will walk you through how you can plan your journey towards eliminating passwords.

Read Alex Simons’ blog announcement about Azure Active Directory support for FIDO2 security keys.   For more information on Microsoft Security solutions, visit

The post Empower Firstline Workers with Azure AD and YubiKey passwordless authentication appeared first on Microsoft Security.

Guarding against supply chain attacks—Part 3: How software becomes compromised

March 11th, 2020 No comments

Do you know all the software your company uses? The software supply chain can be complex and opaque. It’s comprised of software that businesses use to run operations, such as customer relationship management (CRM), enterprise resource planning (ERP), and project management. It also includes the third-party components, libraries, and frameworks that software engineers use to build applications and products. All this software can be difficult to track and can be vulnerable to attack if not known and/or not managed properly.

In the U.S. Department of Defense’s Defense Federal Acquisition Regulation Supplement, a supply chain risk is defined as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”

If you rely on a web of software providers, it’s important that you understand and mitigate your risk. This Part 3 of our five-part blog series entitled “Guarding against supply chain attacks” illustrates how software supply chain attacks are executed and offers best practices for improving the quality of the software that undergirds your applications and business.

Examples of software supply chain attacks with global reach

Starting in 2012 the industry began to see a marked increase in the number of attacks targeted at software supply chains each year. Like other hacking incidents, a well-executed software supply chain attack can spread rapidly. The following examples weaponized automatic software updates to infect computers in large and small companies in countries all over the world and highlight how they have evolved over time.

  • The Flame malware of 2012 was a nation-state attack that tricked a small number of machines in the Middle East into thinking that a signed update had come from Microsoft’s trusted Windows Update mechanism, when in fact it had not. Flame had 20 modules that could perform a variety of functions. It could turn on your computer’s internal microphone and webcam to record conversations or take screenshots of instant messaging and email. It could also serve as a Bluetooth beacon and tap into other devices in the area to steal info. Believed to come from a nation state, Flame sparked years of copycats. While Flame was a supply chain “emulation” (it only pretended to be trusted), the tactic was studied and adopted by both nation states and criminals, and included noted update attacks like Petya/NotPetya (2017), another nation-state attack, which hit enterprises in over 20 countries. It included the ability to self-propagate (like worms) by building a list of IP addresses to spread to local area networks (LANS) and remote IPs.
  • CCleaner affected 2.3 million computers in 2018, some for more than a month. Nation-state actors replaced original software versions with malware that had been used to modify the CCleaner installation file used by customers worldwide. Access was gained through the Piriform network, a company that was acquired by Avast before the attack was launched on CCleaner users. As Avast says in a blog on the subject, “Attackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them. Companies need to increase their attention and investment in keeping the supply chain secure.”
  • In May 2017, Operation WilySupply compromised a text editor’s software updater to install a backdoor on target organizations in the financial and IT sectors. Microsoft Defender Advanced Threat Protection (ATP) discovered the attack early and Microsoft worked with the vendor to contain the attack and mitigate the risk.

Implanting malware

There are three primary ways that malicious actors infect the software supply chain:

  • Compromise internet accessible software update servers. Cybercrooks hack into the servers that companies use to distribute their software updates. Once they gain access, they replace legitimate files with malware. If an application auto-updates, the number of infections can proliferate quickly.
  • Gain access to the software infrastructure. Hackers use social engineering techniques to infiltrate the development infrastructure. After they’ve tricked users into sharing sign-in credentials, the attackers move laterally within the company until they are able to target the build environment and servers. This gives them the access needed to inject malicious code into software before it has been complied and shipped to customers. Once the software is signed with the digital signature it’s extremely difficult to detect that something is wrong.
  • Attack third-party code libraries. Malware is also delivered through third-party code, such as libraries, software development kits, and frameworks that developers use in their applications.

Safeguarding your software supply chain

There are several steps you can take to reduce the vulnerabilities in your software. (We’ll address the vulnerabilities and mitigation strategies related to people and processes in our next post.):

  • Much like the hardware supply chain, it’s important to inventory your software suppliers. Do your due diligence to confirm there are no red flags. The NIST Cyber Supply Chain Best Practices provide sample questions that you can use to screen your software suppliers, such as what malware protection and detection are performed and what access controls—both cyber and physical—are in place.
  • Set a high standard of software assurance with partners and suppliers. Governmental organizations such as the Department of Homeland Security, SafeCODE, the OWASP SAMM, and the U.K. National Cyber Security Centre’s Commercial Product Assurance (CPA) provide a model. You can also refer to Microsoft’s secure development lifecycle (SDL). The SDL defines 12 best practices that Microsoft developers and partners utilize to reduce vulnerabilities. Use the SDL to guide a software assurance program for your engineers, partners, and suppliers.
  • Manage security risks in third-party components. Commercial and open-source libraries and frameworks are invaluable for improving efficiency. Engineers shouldn’t create a component from scratch if a good one exists already; however, third-party libraries are often targeted by bad actors. Microsoft’s open source best practices can help you manage this risk with four steps:
    1. Understand what components are in use and where.
    2. Perform security analysis to confirm that none of your components contain vulnerabilities
    3. Keep components up to date. Security fixes are often fixed without explicit notification.
    4. Establish an incident response plan, so you have a strategy when a vulnerability is reported.

Learn more

“Guarding against supply chain attacks” is a five-part blog series that decodes supply chain threats and provides concrete actions you can take to better safeguard your organization. Previous posts include an overview of supply chain risks and an examination of vulnerabilities in the hardware supply chain.

We also recommend you explore NIST Cybersecurity Supply Chain Risk Management.

Stay tuned for these upcoming posts as we wrap up our five-part series:

  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. For more information about Microsoft Security solutions, visit our website: Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Guarding against supply chain attacks—Part 3: How software becomes compromised appeared first on Microsoft Security.

Threat hunting: Part 1—Why your SOC needs a proactive hunting team

March 10th, 2020 No comments

Cybersecurity can often feel like a game of whack-a-mole. As our tools get better at stopping one type of attack, our adversaries innovate new tactics. Sophisticated cybercriminals burrow their way into network caverns, avoiding detection for weeks or even months, as they gather information and escalate privileges. If you wait until these advanced persistent threats (APT) become visible, it can be costly and time-consuming to address. It’s crucial to augment reactive approaches to cybersecurity with proactive ones. Human-led threat hunting, supported by machine-learning-powered tools like Azure Sentinel, can help you root out infiltrators before they access sensitive data.

This threat hunting blog series will dig into all aspects of threat hunting, including how to apply these techniques to your security operations center (SOC). Today’s post delves into what threat hunting is, why it’s important, and how Azure Sentinel can support your defenders. Future posts will examine how you can use other Microsoft solutions for proactive hunting.

Assume breach and be proactive

Traditional cybersecurity is reactive. Endpoint detection tools identify potential incidents, blocking some and handing off others to people to investigate and mitigate. This works for many of the routine, automated, and well-known attacks—of which there are many. However, our most sophisticated adversaries understand how these security solutions work and continuously evolve their tactics to get around them. The goal of the attackers is to remain undetected so they can gain access to your most sensitive information. To stop them, first you must find them.

Threat hunting is a proactive approach to cybersecurity, predicated on an “assume breach” mindset. Just because a breach isn’t visible via traditional security tools and detection mechanisms doesn’t mean it hasn’t occurred. Your threat hunting team doesn’t react to a known attack, but rather tries to uncover indications of attack (IOA) that have yet to be detected. Their job is to outthink the attacker.

Invest in people

Because threat hunting is concerned with emerging threats rather than known attack methods, people take the lead. It’s therefore important that they have the time and authority to research and pursue hypotheses. This isn’t possible if they are bogged down with security alerts. Many SOCs, including those at Microsoft, establish a three-tier model to address known and unknown threats. Tier 1 and Tier 2 analysts respond to alerts. Tier 3 analysts conduct research focused on revealing undiscovered adversaries. You can learn more about how Microsoft organizes its SOC in Lessons learned from the Microsoft SOC—Part 2a: Organizing people.


Figure 1. SOC using a three-tier approach: Tier 1 addresses high speed remediation, Tier 2 performs deeper analysis and remediation, and Tier 3 conducts proactive hunts.

Develop an informed hypothesis

Threat hunting starts with a hypothesis. Threat hunters may generate a hypothesis based on external information, such as threat reports, blogs, and social media. For example, your team may learn about a new form of malware in an industry blog and hypothesize that an adversary has used that malware in an attack against your organization. Internal data and intelligence from past incidents also inform hypothesis development.

Once the team has a hypothesis, they examine various techniques and tactics to uncover artifacts that were left behind. A great tool for helping with hypothesis development and research is the MITRE ATT&CK™ (adversarial tactics, techniques, and common knowledge) framework. These adversary tactics and techniques are grouped within a matrix and include the following categories:

  • Initial access—Techniques used by the adversary to obtain a foothold within a network, such as targeted spear-phishing, exploiting vulnerabilities or configuration weaknesses in public-facing systems.
  • Execution—Techniques that result in an adversary running their code on a target system. For example, an attacker may run a PowerShell script to download additional attacker tools and/or scan other systems.
  • Persistence—Techniques that allow an adversary to maintain access to a target system, even following reboots and credential changes. An example of a persistence technique would be an attacker creating a scheduled task that runs their code at a specific time or on reboot.
  • Privilege escalation—Techniques leveraged by an adversary to gain higher-level privileges on a system, such as local administrator or root.
  • Defense evasion—Techniques used by attackers to avoid detection. Evasion techniques include hiding malicious code within trusted processes and folders, encrypting or obfuscating adversary code, or disabling security software.
  • Credential access—Techniques deployed on systems and networks to steal usernames and credentials for re-use.
  • Discovery—Techniques used by adversaries to obtain information about systems and networks that they are looking to exploit or use for their tactical advantage.
  • Lateral movement—Techniques that allow an attacker to move from one system to another within a network. Common techniques include “Pass-the-Hash” methods of authenticating users and the abuse of the remote desktop protocol.
  • Collection—Techniques used by an adversary to gather and consolidate the information they were targeting as part of their objectives.
  • Command and control—Techniques leveraged by an attacker to communicate with a system under their control. One example is that an attacker may communicate with a system over an uncommon or high-numbered port to evade detection by security appliances or proxies.
  • Exfiltration—Techniques used to move data from the compromised network to a system or network fully under control of the attacker.
  • Impact—Techniques used by an attacker to impact the availability of systems, networks, and data. Methods in this category would include denial of service attacks and disk- or data-wiping software.

Conduct investigation with Azure Sentinel

Although threat hunting starts with a human generated hypothesis, threat protection tools, like Azure Sentinel, make investigation faster and easier. Azure Sentinel is a next-generation, cloud-based SIEM that uses machine learning and artificial intelligence (AI) to help security professionals detect previously unknown incidents, investigate suspicious activity and threats, and respond quickly to an incident. It’s an invaluable tool for threat hunting. Azure Sentinel’s built-in hunting queries help teams ask the right questions to find issues in the data already on your network. Within Azure Sentinel, an analyst can create a new query; modify existing queries; bookmark, annotate, and tag interesting findings; and launch a more detailed investigation.

Figure 2: Azure Sentinel Hunting Dashboard: The dashboard includes menus to create new queries, run all queries, and bookmark data. The dashboard also shows the number of hunting queries that exist and a pane that shows the actual Kusto Query Language for each query.

Azure Sentinel ships with built-in hunting queries that have been written and tested by Microsoft security researchers and engineers. The following 16 hunting queries were provided by Microsoft:

  • Anomalous Azure Active Directory apps based on authentication location
  • Base64-encoded Windows executables in process command lines
  • Process executed from binary hidden in Base64-encoded file
  • Enumeration of users and groups
  • Summary of failed user log-ins by reason of failure
  • Host with new log-ins
  • Malware in recycle bin
  • Masquerading files
  • Azure Active Directory sign-ins from new locations
  • New processes observed in last 24 hours
  • Summary of users created using uncommon and undocumented command line switches
  • Powershell downloads
  • Cscript daily summary breakdown
  • New user agents associated with clientIP for SharePoint uploads and downloads
  • Uncommon processes—bottom 5 percent
  • Summary of user log-ins by log-in type

Threat hunters can also leverage a Github repository of hunting queries provided by Microsoft researchers, internal security teams, and partners. Azure Sentinel also makes it easy for your threat hunters to select a MITRE ATT&CK framework tactic that they want to query. Despite the mountains of data your team must parse in their investigation, Azure Sentinel improves the odds they will pursue the right leads.

Learn more

Effective cybersecurity requires several complementary approaches. You need to be alert to the incidents that your threat detection tools uncover. You also need to proactively hunt for threats that lurk in the shadows. Adding threat hunting capabilities to your SOC can reduce your risk from hidden adversaries. I hope this blog helps you see ways to apply these tactics in your organization. Stay tuned for future posts in this series, where I’ll walk you through practical examples of threat hunting using Azure Sentinel, as well as demonstrate how to use other Microsoft tools for such activities.

In the meantime, learn more about Azure Sentinel. For getting the best use out of Azure Sentinel, see Microsoft Azure Sentinel: Planning and implementing Microsofts cloud-native SIEM solution (IT Best Practices—Microsoft Press).

Bookmark the Security blog to keep up with our expert coverage on security matters and visit our website at Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Threat hunting: Part 1—Why your SOC needs a proactive hunting team appeared first on Microsoft Security.

Categories: CISO series, Ciso series page Tags:

Real-life cybercrime stories from DART, the Microsoft Detection and Response Team

March 9th, 2020 No comments

When we published our first blog about the Microsoft Detection and Response Team (DART) in March of 2019, we described our mission as responding to compromises and helping our customers become cyber-resilient. In pursuit of this mission we had already been providing onsite reactive incident response and remote proactive investigations to our customers long before our blog. And our response expertise has been leveraged many times by government and commercial entities around the world to help secure their most sensitive, critical environments.

When our team works on the frontlines of cybersecurity, chasing adversaries in many different digital estates on a daily basis, our experiences become valuable lessons on attacker methods as well as security best practices. And because of this, our colleagues and customers have been asking for case studies, reports, and even anecdotes from DART engagements.

Finally, we can respond to these inquiries by publishing our first DART Case Report 001: …And Then There Were Six. Case Report 001 is a story of cybercrime when DART was called in to help identify and evict an attacker, only to discover there were already 5 more adversaries in the same environment. Read the full report for the details.

In the DART Case Reports, you will find unique stories from our team’s engagements around the globe; details on the attacker(s) methods, a diagram of how they progressed in the environment, how DART was able to identify and evict them, as well as best practices to avoid similar incidents.

What you won’t find is any information about our customers, or their defenses, because in our reports we will focus solely on the attacker Tactics, Techniques, and Procedures (TTP) and how to defend against them. Read our first report, reach out to your Microsoft account manager or Premier Support contact if you need more information on DART services—and stay tuned for more DART Case Reports.


DART leverages Microsoft’s strategic partnerships with security organizations around the world and with internal Microsoft product groups to provide the most complete and thorough investigation possible.

The post Real-life cybercrime stories from DART, the Microsoft Detection and Response Team appeared first on Microsoft Security.

Real-life cybercrime stories from DART, the Microsoft Detection and Response Team

March 9th, 2020 No comments

When we published our first blog about the Microsoft Detection and Response Team (DART) in March of 2019, we described our mission as responding to compromises and helping our customers become cyber-resilient. In pursuit of this mission we had already been providing onsite reactive incident response and remote proactive investigations to our customers long before our blog. And our response expertise has been leveraged many times by government and commercial entities around the world to help secure their most sensitive, critical environments.

When our team works on the frontlines of cybersecurity, chasing adversaries in many different digital estates on a daily basis, our experiences become valuable lessons on attacker methods as well as security best practices. And because of this, our colleagues and customers have been asking for case studies, reports, and even anecdotes from DART engagements.

Finally, we can respond to these inquiries by publishing our first DART Case Report 001: …And Then There Were Six. Case Report 001 is a story of cybercrime when DART was called in to help identify and evict an attacker, only to discover there were already 5 more adversaries in the same environment. Read the full report for the details.

In the DART Case Reports, you will find unique stories from our team’s engagements around the globe; details on the attacker(s) methods, a diagram of how they progressed in the environment, how DART was able to identify and evict them, as well as best practices to avoid similar incidents.

What you won’t find is any information about our customers, or their defenses, because in our reports we will focus solely on the attacker Tactics, Techniques, and Procedures (TTP) and how to defend against them. Read our first report, reach out to your Microsoft account manager or Premier Support contact if you need more information on DART services—and stay tuned for more DART Case Reports.


DART leverages Microsoft’s strategic partnerships with security organizations around the world and with internal Microsoft product groups to provide the most complete and thorough investigation possible.

The post Real-life cybercrime stories from DART, the Microsoft Detection and Response Team appeared first on Microsoft Security.

IT executives prioritize Multi-Factor Authentication in 2020

March 5th, 2020 No comments

In 2020, many IT executives will roll out or expand their implementation of Multi-Factor Authentication (MFA) to better safeguard identities. This is one of the key findings of a survey conducted by Pulse Q&A for Microsoft in October 2019.1 Specifically, 59 percent of executives will implement or expand MFA within three to six months. Another 26 percent will do so within 12 months. These executives are initiating these projects because they believe that MFA provides better security preparedness. They’re right. MFA, which requires that users authenticate with at least two factors, can reduce the risk of identity compromise by as much as 99.9 percent over passwords alone.

Protecting identities is vital to cybersecurity. Bad actors use compromised identities to gain a foothold in an organization, avoiding detection for an average of 100 days.2 Historically, organizations have relied on passwords to safeguard identities, but passwords alone aren’t enough. Eighty percent of hacking related breaches can be attributed to weak or compromised passwords, according to Verizon’s 2019 Data Breach Investigations Report. MFA reduces risk because it’s significantly harder to compromise two or more authentication factors.

Beyond passwords, there are several different authentication factors that organizations can implement to better protect their identities. Basic MFA augments passwords with SMS, one-time passwords (OTP), and codes generated by a mobile device. Strong MFA utilizes high assurance factors such as FIDO security keys and smart cards to authenticate users. Fingerprint scans, facial scans, and other biometrics are secure authentication methods that can simplify sign-in for users. Sixty-four percent of the executives in the survey use basic MFA. Forty-three percent use strong MFA. Biometrics was cited by 11 percent of respondents.

But things are changing fast. Ninety-one percent of executives plan to evolve their MFA implementation in the coming year. Twenty-two percent want to move to strong MFA. Another 13 percent will migrate toward biometrics. Better security is the primary driver of these changes.

2020 is the year to prioritize MFA. You can significantly reduce your risk of identity compromise by augmenting or replacing passwords with other authentication factors. Learn how organizations are using MFA.


1Pulse Q&A Inc. conducted research for Microsoft in October 2019 with 100 Security and IT executives in North America representing 17 industry sectors.

2The median number of days an organization is compromised before discovering a breach in 2017 is 101 days in comparison to 99 in 2016. Source: FireEye M-Trends 2018 Report

The post IT executives prioritize Multi-Factor Authentication in 2020 appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Quick wins—single sign-on (SSO) and Multi-Factor Authentication (MFA)

March 3rd, 2020 No comments

With Multi-Factor Authentication (MFA) and single sign-on (SSO) being a few of the most effective countermeasures against modern threats, organizations should consider a Cloud Identity as a Service (IDaaS), and MFA solution, like Azure Active Directory (AD).

Here are seven benefits:

  1. Azure AD is simple to set up and works with almost everything, meaning once identity is in the cloud. It may be accessed by any entity that requires access and used for all on-premises and cloud applications. Azure AD MFA—using the Microsoft Authenticator app—is one the easiest MFA solutions for users to adopt and one of the fastest ways to take a passwordless approach.

To learn more, read Microsoft Recommending Non-Expiring Passwords to Office 365 Customers.

  1. SSO reduces the threat of untimely termination/identity decommissioning by decreasing “identity sprawl,” so you can have one identity in multiple applications per user.

To learn more, read Azure AD Seamless Single Sign-on.

  1. A single, unified MFA reduces the success of phishing attacks due to password reuse or social engineering with the enforcement of MFA.

To learn more, read Email Phishing Protection Guide—Part 3: Enable Multi Factor Authentication (MFA).

  1. The SSO/IDaaS approach paves the way for eliminating basic authentication and password spray attacks.

To learn more, read Your Pa$$word doesn’t matter.

  1. MFA and SSO increases user satisfaction—making the CISO a business enabler rather than a productivity and collaboration roadblock.

To learn more, read Go passwordless to strengthen security and reduce costs.

  1. Azure AD is more available than on-premises AD FS and other IDaaS. Microsoft guarantees 99.9 percent uptime—a difficult SLA to achieve on-premises.

For details, see SLA for Azure Active Directory.

  1. Azure AD Conditional Access enforces the Zero Trust model for all authentications.

To learn more, visit Achieve Zero Trust with Azure AD conditional access.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Quick wins—single sign-on (SSO) and Multi-Factor Authentication (MFA) appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Microsoft identity acronyms—what do they mean and how do they relate to each other?

March 2nd, 2020 No comments

As a security advisor working with one to three Chief Information Security Officers (CISOs) each week, the topic of identity comes up often. These are smart people who have often been in industry for decades. They have their own vocabulary of acronyms that only security professionals know such as DDoS, CEH, CERT, RAT, and 0-Day (if you don’t know one or several of these terms, I encourage you to look them up to build your vocabulary), but they often find themselves confused by Microsoft’s own set of acronyms.

This is the first in a blog series that aims to lessen some confusion around identity by sharing with you some of the terms used at Microsoft. Terms like MFA, PIM, PAM, MIM, MAM, MDM, and a few others. What do they mean and how do they relate to each other?

Multi-Factor Authentication or MFA

Let’s start with what identity means to Microsoft. Identity is the ability to clearly and without doubt ensure the identification of a person, device, location, or application. This is done by establishing trust verification and identity verification using what Microsoft calls Multi-Factor Authentication or MFA. This is a combination of capabilities that allow the entity to establish trust and verify who or what they are.

MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: something the user and only the user knows (such as a password or PIN), something the user and only the user has (such as a mobile device or FIDO key), and something the user and only the user is (a biometric such as a fingerprint or iris scan).

Microsoft does this with technologies such as Azure Active Directory (Azure AD) in the cloud combined with Windows Hello. Azure AD is Microsoft’s identity and access management solution. Windows Hello is a Windows capability that allows a user to verify who they are with an image, a pin, or other biometric. The person’s identity is stored via an encrypted hash in the cloud, so it’s never shared in the clear (unencrypted). A cryptographic hash is a checksum that allows someone to proof that they know the original input (e.g., a password) and that the input (e.g., a document) has not been modified.

Privileged Identity Management or PIM

What is Privileged Identity Management or PIM? Organizations use PIM to assign, activate, and approve privileged identities in Azure AD. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to sensitive resources.

Key features of PIM include:

  • Just-in-time privileged access to Azure AD and Azure resources.
  • Time-bound access to resources.
  • An approval process to activate privileged roles.
  • MFA enforcement.
  • Justification to understand why users activate.
  • Notifications when roles are activated.
  • Access reviews and internal and external audit history.

Privileged Access Management or PAM

What is Privileged Access Management or PAM? Often confused with PIM, PAM is a capability to help organizations manage identities for existing on-premises Active Directory environments. PAM is an instance of PIM that is accessed using Microsoft Identity Manager or MIM. Confused? Let me explain.

PAM helps organizations solve a few problems including:

  • Making it harder for attackers to penetrate a network and obtain privileged account access.
  • Adding protection to privileged groups that control access to domain-joined computers and the applications on those computers.
  • Providing monitoring, visibility, and fine-grained controls so organizations can see who their privileged admins are and what they are doing.

PAM gives organizations more insight into how admin accounts are being used in the environment.

Microsoft Identity Manager or MIM

But I also mentioned MIM… What is this? Microsoft Identity Manager or MIM helps organizations manage the users, credentials, policies, and access within their organizations and hybrid environments. With MIM, organizations can simplify identity lifecycle management with automated workflows, business rules, and easy integration with heterogenous platforms across the datacenter. MIM enables Active Directory to have the right users and access rights for on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Office 365 and cloud-hosted apps.

OK, so now we know that:

  • PIM is a capability to help companies manage identities in Azure AD.
  • PAM is an on-premises capability to manage identities in Active Directory.
  • MIM helps organizations manage users, credentials, policies, and on-premises access.

Mobile Application Management or MAM

What’s left… Oh yes: Mobile Application Management or MAM. MAM is important because if organizations can only manage identities—but not the apps then they miss a key aspect of protecting data. MAM is connected to a Microsoft capability called Microsoft Intune and is a suite of management features to publish, push, configure, secure, monitor, and update mobile apps for users.

MAM works with or without enrollment of the device, which means organizations can protect sensitive data on almost any device using MAM-WE (without enrollment). If organizations enable MFA, they can verify the user on the device. MAM also helps manage that apps the trusted user or entity can access. If you add in the Mobile Device Management or MDM feature of Intune, you can force enrollment of devices and then use MAM to manage the apps.

It’s well known that Microsoft has a lot of acronyms. This is the first in a series of blog posts aimed to assist you in navigating the acronym forest created by companies and industry. The Microsoft Platform includes a powerful set of capabilities to help encourage users to make the right decisions and gives security leadership, like you, the ability to manage and monitor identities and control access to critical files and network assets.

The post Microsoft identity acronyms—what do they mean and how do they relate to each other? appeared first on Microsoft Security.

MISA expands with new members and new product additions

February 24th, 2020 No comments

Another RSA Conference (RSAC) and another big year for the Microsoft Intelligent Security Association (MISA). MISA was launched at RSAC 2018 with 26 members and a year later we had doubled in size to 53 members. Today, I am excited to share that the association has again doubled in size to 102 members.

New members expand the portfolio of MISA integrations

Our new members include a number of ecosystem partners, like RSA, ServiceNow, and Net Motion, which have developed critical integrations that benefit our shared customers and we look forward to deepening our relationship through MISA engagement.

New MISA member RSA is now using Azure Active Directory’s risky user data and other Microsoft security signals to enrich their risk score engine. Additionally, RSA also leverages the Graph Security API to feed their SIEM solution, RSA NetWitness with alerts from the entire suite of Microsoft Security solutions.

 “RSA is excited to showcase the RSA SecurID and RSA NetWitness integrations with Microsoft Security products. Our integrations with Microsoft Defender ATP, Microsoft Graph Security API, Azure AD, and Microsoft Azure Sentinel, help us to better secure access to our mutual customer’s applications, and detect threats and attacks. We’re excited to formalize the long-standing relationship through RSA Ready and MISA to better defend our customers against a world of increasing threats.”
—Anna Sarnek, Head of Strategic Business Development, Cloud and Identity for RSA

The ServiceNow Security Operations integration with Microsoft Graph Security API enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats generated by all Microsoft Security Solutions and custom alerts from Azure Sentinel.

“ServiceNow is pleased to join the Microsoft Intelligent Security Alliance to accelerate security incident response for our shared customers. The ServiceNow Security Operations integration with Azure Sentinel, via the graph security API, enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats.”
—Lou Fiorello, Head of Security Products for ServiceNow

Microsoft is pleased to welcome NetMotion, a connectivity and security solutions company for the world’s growing mobile workforce, into the security partner program. Using NetMotion’s class-leading VPN, customers not only gain uncompromised connectivity and feature parity, they benefit from a VPN that is compatible with Windows, MacOS, Android and iOS devices. For IT teams, NetMotion delivers visibility and control over the entire connection from endpoint to endpoint, over any network, through integration with Microsoft Endpoint Manager (Microsoft Intune).

“NetMotion is designed from the ground up to protect and enhance the user experience of any mobile device. By delivering plug-and-play integration with Microsoft Endpoint Manager, the mobile workforce can maximize productivity and impact without any disruption to their workflow from day one. For organizations already using or considering Microsoft, the addition of NetMotion’s VPN is an absolute no-brainer.”
—Christopher Kenessey, CEO of NetMotion Software

Expanded partner strategy for Microsoft Defender Advanced Threat Protection (ATP)

The Microsoft Defender ATP team worked with our ecosystem partners to take their rich and complete set of APIs a step further to extend the power of our combined platforms. This helps customers strengthen their network and endpoint security posture, add continuous security validation and attack simulation testing, orchestrate and automate incident correlation and remediation, and add threat intelligence and web content filtering capabilities. Read Extending Microsoft Defender ATP network of partners to learn more about their partner strategy expansion and their open framework philosophy.

New product teams join the association

In addition to growing our membership, MISA expanded to cover 12 of Microsoft’s security solutions, including our latest additions: Azure Security Center for IoT Security and Azure DDoS.

Azure Security Center for IoT Security announces five flagship integration partners

The simple onboarding flow for Azure Security Center for IoT enables you to protect your managed and unmanaged IoT devices, view all security alerts, reduce your attack surface with security posture recommendations, and run unified reports in a single pane of glass.

Through partnering with members like Attivo Networks, CyberMDX, CyberX, Firedome, and SecuriThings, Microsoft is able to leverage their vast knowledge pool to help customers defend against a world of increasing IoT threats in enterprise. These solutions protect managed and unmanaged IoT devices in manufacturing, energy, building management systems, healthcare, transportation, smart cities, smart homes, and more. Read more about IoT security and how these five integration partners are changing IoT security in this blog.

Azure DDoS Protection available to partners to combat DDoS attacks

The first DDoS attack occurred way back on July 22, 1999, when a network of 114 computers infected with a malicious script called Trin00 attacked a computer at the University of Minnesota, according to MIT Technology Review. Even after 20 years DDoS continues to be an ever-growing problem, with the number of DDoS attacks doubling in the last year alone and the types of attacks getting increasingly sophisticated with the explosion of IoT devices.

Azure DDoS Protection provides countermeasures against the most sophisticated DDoS threats. The service provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Technology partners can now protect their customers’ resources natively with Azure DDoS Protection Standard to address the availability and reliability concerns due to DDoS attacks.

“Extending Azure DDoS Protection capabilities to Microsoft Intelligent Security Association will help our shared customers to succeed by leveraging the global scale of Azure Networking to protect their workloads against DDoS attacks”
—Anupam Vij, Principal Product Manager, Azure Networking

Learn more

To see MISA members in action, visit the Microsoft booth at RSA where we have a number of our security partners presenting and demoing throughout the week. To learn more about the Microsoft Intelligent Security Association, visit our webpage or the video playlist of member integrations. For more information on Microsoft security solutions, visit our website.

The post MISA expands with new members and new product additions appeared first on Microsoft Security.

Azure Sphere—Microsoft’s answer to escalating IoT threats—reaches general availability

February 24th, 2020 No comments

Today Azure Sphere—Microsoft’s integrated security solution for IoT devices and equipment—is widely available for the development and deployment of secure, connected devices. Azure Sphere’s general availability milestone couldn’t be timelier. From consumer device hacking and botnets to nation state driven cyberterrorism, the complexity of the landscape is accelerating. And as we expand our reliance on IoT devices at home, in our businesses and even in the infrastructure that supports transit and utilities, cybersecurity threats are increasingly real to individuals, businesses and society at large.

From its inception in Microsoft Research to general availability today, Azure Sphere is Microsoft’s answer to these escalating IoT threats. Azure Sphere delivers quick and cost-effective device security for OEMs and organizations to protect the products they sell and the critical equipment that they rely on to drive new business value.

To mark today’s general availability milestone, I sat down with Galen Hunt, distinguished engineer and product leader of Azure Sphere to discuss the world of cybersecurity, the threat landscape that businesses and governments are operating in, and how Microsoft and Azure Sphere are helping organizations confidently and securely take advantage of the opportunities enabled by IoT.


ANN JOHNSON: Let me start by asking about a comment I once heard you make, where you refer to the internet as “a cauldron of evil.” Can you give us a little insight into what you mean?

GALEN HUNT: Well, I actually quote James Mickens. James is a former colleague at Microsoft Research, and he’s now a professor at Harvard. Those are his words, the idea of the internet being a cauldron of evil. But I love it, because what it really captures is what the internet really is.

The internet is a place of limitless potential, but when you connect a device to the internet, you’re also creating a two-way street; anybody can come in off the internet and try to attack you.

Everything from nation states to petty criminals to organized crime is out there, operating on the internet. As we think about IoT—which is my favorite topic—being aware of the dangers is the first step to being prepared to address them.

ANN JOHNSON: When you’re thinking about folks that are in charge of security organizations, or even folks who have to secure the environment for themselves, what do you view as the biggest threats, and also the biggest opportunities for companies like Microsoft to address those threats?

GALEN HUNT: I think the biggest threat is—and I’m coming at this from the IoT side of things—as we’re able to connect every single device in an enterprise or every single device in a home to the internet, there’s real risk. By compromising those devices, someone can invade our privacy, they can have access to our data, they can manipulate our environment. Those are real risks.

In the traditional internet, the non-Internet-of-Things internet, the damage that could be done was purely digital. But in a connected IoT environment, remote actors are able to affect or monitor not just the digital environment but also the actual physical environment. So that creates all sorts of risks that need to be addressed.

In response, the power that a company like Microsoft can bring is our deep experience in internet security. We’ve been doing it for years. We can help other organizations leverage that experience. That’s a tremendous opportunity we have to help.

ANN JOHNSON: So, with that, walk us through what Azure Sphere is—how do you see our customers and our partners leveraging the technology?

GALEN HUNT: There are four components to Azure Sphere: three of them are powered by technology and one of them is powered by people. Those components combine to form an end-to-end solution that allows any organization that’s building or connecting devices to have the very best of what we know about making internet-connected devices secure.

Let’s talk about the four components.

The first of the three technical components is the certified chips that are built by our silicon partners, they have the hardware root of trust that Microsoft created. These are chips that provide a foundation of security, starting in the silicon itself, and provide connectivity and compute power for these devices.

The second technical component of Azure Sphere is the Azure Sphere operating system. This runs on the chips and creates a secure software environment.

The third technical component is the cloud-based Azure Sphere security service. The security service connects with every single Azure Sphere chip, with every single Azure Sphere operating system, and works with the operating system and the chip to keep the device secured throughout its lifetime.

ANN JOHNSON: So, you’ve got hardware, software, and the cloud, all working together. What about the human component?

GALEN HUNT: The fourth component of Azure Sphere is our people and all their security expertise. Our team provides ongoing security monitoring of Azure Sphere devices and, actually, of the full ecosystem. As we identify new types of attacks and new emerging security vulnerabilities, we will upgrade our operating system and the cloud services to mitigate against those new kinds of attacks. Then we will deploy updates to every Azure Sphere-based device, globally. So, we’re providing ongoing support, and ongoing security improvements for those devices.

ANN JOHNSON: I want to make this real for folks. Walk me through a use case; where would somebody actually implement and use Azure Sphere? How does their infrastructure or architecture fit in?

GALEN HUNT: Okay, let’s start with a device manufacturer. They say, okay we’re going to create a new device, and we want to have that device be an IoT device. We want it to connect to the internet, so it can be integrated into an organization’s digital feedback loop. And so, they will buy a chip, an Azure Sphere-based microcontroller or SoC, which will serve as the primary processing component, and they build that into their device. The Azure Sphere chip provides the compute power and secured connectivity.

Now, of course not everybody is building a brand-new device from scratch. There are a lot of existing devices out there that are very valuable. Sometimes they’re too valuable to take on the risk of connecting them and exposing them to the internet. One of the things we’ve developed during the Azure Sphere preview period is a new class of device that we call a “guardian module.” The guardian module is a very small device—no larger than the size of a deck of cards—built around an Azure Sphere chip. An organization interested in connecting existing devices can connect through the guardian module and pull data from that existing device and securely connect it to the cloud. The guardian modules, powered by Azure Sphere, are a way to add highly secure connectivity—even to existing devices—that’s protected by Microsoft.

ANN JOHNSON: Interesting, it solves a pretty big problem with device security, especially as we continue to see a massive proliferation of devices in our environment, most of which are unmanaged. What do you think is slowing the broad adoption of security related to connected devices?

GALEN HUNT: Well, there are a couple of things. I think the biggest barrier, up until now, has been the lack of an end-to-end solution. For companies that have had aspirations to build or to buy highly secured devices, each device has been a one-off. Customers have had to completely build a unique solution for each device, and that just takes an incredible amount of expertise and hard work.

The other obstacle I’ve found is that organizations realize that they need secure devices, but they just don’t know where to begin. They don’t know what they should be looking for, from a device security perspective. There’s a bit of a temptation to look for a security feature checklist instead of really understanding what’s required to have a device that’s highly secured.

ANN JOHNSON: I know you’ve given this a lot of consideration and your background gives you a deeper view into what it takes to secure devices. You wrote a paper on the seven properties of highly secure devices, based on a lot of research you’ve done on the topic. How did you coalesce on the seven properties and how customers can implement them securely?

GALEN HUNT: Yes, I’m a computer scientist, and for over 15 years I ran operating systems research in Microsoft Research. About five years ago, someone walked into my office with a schematic, or a floor map, of a brand new—actually, still under development—microcontroller. This was actually the very first of a new class of a microcontroller.

A microcontroller, for anybody who is not familiar, is a single-chip computer that has processer, and storage, memory, and IoT capabilities. Microcontrollers are used in everything from toys, to appliances, even industrial equipment. Well, this was the first time I had seen a microcontroller, a programmable microcontroller, with the physical capabilities required to be able to connect to the internet—built in—and at a price point that was just a couple of dollars.

When I looked at this thing, I realized that for the price of a cup of coffee, anything on the planet that had electricity could be turned into an internet device. I realized I was looking at the fifth generation of computing, and that was a terribly exciting thought. But the person who had come into my office was asking, what kind of code should we run on this so that it would be secure if we did want to build internet-connected devices with it?

And what I realized, really quickly, was that even though it had some great security features, it lacked much of what was required to build a secure device from a software perspective, and that set me off on journey. I imagined this dystopian future where there are nine billion new insecure devices being added to the world’s population, every year.

ANN JOHNSON: Sure, the physical risks of device hacking make nine billion insecure IoT devices a daunting thought.

GALEN HUNT: Well for me, that was a really scary thought. And as a scientist, I said, well we know that Microsoft and our peer companies have built devices that have been out on the internet. They’ve been connected for at least a five-year period and have withstood relentless attacks from hackers and other ne’er-do-wells. The driving question of our next phase of work was: why are some devices highly secure, and what is it that separates them?

And we did a very scientific study of finding these secure devices and trying to figure out the qualities and the properties that they had in common, and this led to our list of these seven properties. We published that paper, which then led to more experiments.

Now, the devices we found that had these seven properties were devices that had hundreds of dollars in electronics in them, and, you know, that’s not going to scale to every device on the planet. You’re not going to be able to add hundreds of dollars of electronics to every device on the planet, like a light bulb, in order to get security.

Then we wondered if we could build a very, very small and a very, very economical solution that contained all seven properties. And that’s what ultimately led us to Azure Sphere. It’s a solution that, really, for just a few dollars, any company can build a device that is highly secured.

ANN JOHNSON: So, the device itself is highly secured; it has all these built-in capabilities, but one of the biggest problems our customers face is fundamentally a talent shortage, right? Is there something that we’re inherently doing here, with Azure Sphere, that could make it easier for customers?

GALEN HUNT: Yes. Fundamentally what we’re trying to do is create a scalable solution, and it is Microsoft talent that helps these companies create these highly secure devices. There’s something like a million-plus openings in the field of security professionals. Globally there’s a huge talent shortage.

With Azure Sphere we allow a company that doesn’t have really deep security expertise to draft off of our security talent. There are a few areas of expertise that one has to have in order to build a highly-secure device with similar capabilities to Azure Sphere.

Sometimes I’ll use the words technology, talent, and tactics. You have to have the technical expertise to actually build a device that has a high degree of security in it. Not just a device with a checklist of features, but with true integration across all components for gap-free security. Then, once the device is built and deployed out into the wild, you need the talent to fight the ongoing security battle. That talent is watching for and detecting emerging security threats and coding up mitigations to address them. And finally, you’ll have to scale out those updates to every device. That’s a really deep set of expertise, talent, and tactics and, for the most part, it’s very much outside of what many companies know how to do.

When building on top of Azure Sphere, instead of staffing or developing all of this expertise outside of their core business, organizations can instead outsource that to Microsoft.

ANN JOHNSON: That’s a really great way to put it. It also gives you that end-to-end security integration, right? Because I would imagine Azure Sphere is going to integrate with all of Microsoft’s infrastructure and services?

GALEN HUNT: In building Azure Sphere, we leveraged pretty deeply a lot of expertise and a lot of talent that we have at Microsoft. Take, for example, the infrastructure that we use to scale out the deployment of new updates. We leveraged the infrastructure that Microsoft created for the Windows update service—and, our operating system is much, much smaller than Windows. So now we have the capability to update billions of devices, globally, per hour. We also have a place where we can tie Azure Sphere into the Azure Security Center for IoT.

We also really drew on all of the expertise around Visual Studios for very scalable software development. We brought that power even to the smaller microcontroller class devices.

And the hardware root of trust that we put inside of every single Azure Sphere chip. That hardware root of trust is not something that we just created, just woke up one day and said, hey, let’s build a hardware root of trust from scratch. We actually built it based on our learning from the Xbox console.

The Xbox console, over 15 years has made three huge generational leaps. Those consoles can live in hostile environments—from a digital security perspective and a physical security perspective. So, we’ve taken everything we’ve learned about how to make those devices highly secured and applied it to building the hardware root of trust inside Azure Sphere. These are some of the ways that we’re really leveraging a lot of Microsoft’s deep expertise.

ANN JOHNSON: Today, marks the general availability of Azure Sphere—which I’m super excited about, by the way! But I know you’ve been thinking for a long time about how we solve some of these bigger problems, particularly the explosion of IoT, and how customers are going to have to think about that within the next two, to three, to five, to ten years from now. What are the challenges you see ahead for us, and what are the benefits our customers will be able to realize?

GALEN HUNT: We’re excited as well—it’s a huge milestone for the team. Even at this point, at GA, we’re only at the beginning of our real journey with our customers. One of our immediate next steps is scaling out the silicon ecosystem. MediaTek is our first silicon partner. Their MT3620 chip is available in volume today, and it’s the perfect chip, especially for guardian modules and adding secure connectivity to many, many devices.

With microcontrollers, there are many, many verticals. They range in everything from toys to home appliances, to big industrial equipment. And no single chip scales across that entire ecosystem effectively, so we’ve engaged other silicon partners. In June, NXP, the world’s number one microcontroller manufacturer, announced their timeline for their very first Azure Sphere chip. And that chip will add much larger compute capabilities. For example, they’ll do AI, and vision, and graphics, and more sophisticated user interfaces. And then in October, Qualcomm announced that they’ll build the very first cellular native Azure Sphere chip.

The other place we see ourselves growing is in adding more enterprise readiness features. As we’ve engaged with some of our early partners, for example, Starbucks, and have helped them deploy Azure Sphere across their stores in North America, we’ve realized that there’s a lot we can do to really help integrate Azure Sphere better with existing enterprise systems to make that very, very smooth.

ANN JOHNSON: There’s a lot of noise about tech regulations, certainly about IoT and different device manufacturing procedures. How are we thinking about innovation in the context of balancing it with regulation?

GALEN HUNT: So, let’s talk about innovation and regulation. There are times when you want to step out of the way and just let people innovate as much as possible. And then there are times as an industry, or as a society we want to make sure we establish a baseline.

Take food safety, for example. The science of food safety is very well established. Having regulations makes sure that no one cuts corners on safety for the sake of economic expediency. Most countries have embraced some kind of regulations around food safety.

IoT is another industry where it’s in everybody’s favor that all devices be secure. If consumers and enterprises can know that every device has a strong foundation of security and trustworthiness, then they’ll be more likely to buy devices, and build devices, and deploy devices.

And so I really see it as an opportunity whereby collectively and, with governments encouraging baseline levels of security, agreeing on a strong foundation of security we’ll all feel confident in our environment, and that’s really a positive thing for everybody.

ANN JOHNSON: That’s really a great perspective, and I think that we’ve always been that way at Microsoft, right? We view regulation in a positive way and thinking that it needs to be the right regulation across a wide variety of things that we’re doing, whether it be AI, just making sure that it’s being used for ethical use cases.

Which brings me to that last-wrap question, what’s next, what are your next big plans, what’s your next big security disruption?

GALEN HUNT: We recently announced new chips from NXP and Qualcomm, we’ll continue our focus on expanding our silicon and hardware ecosystem to deliver more choice for our customers. And then beyond that, our next big plan is to take Azure Sphere everywhere. We’ve demonstrated it’s possible, but I think we’re just starting to scratch the surface of secured IoT. There’s so much ability for innovation, and the devices that people are building, and the way that we’re using devices. When we’re really able to close this digital feedback loop and really interact between the digital world and the physical world, it’s just a tremendous opportunity, and so that’s where I’m going.

ANN JOHNSON: Excellent, well, I really appreciate the conversation. Azure Sphere is a great example of the notion that while cybersecurity is complex, it does not have to be complicated. Azure Sphere helps our customers overcome today’s complicated IoT security challenges. Thank you, Galen, for some great insights into the current IoT security landscape and how Microsoft and Azure Sphere are advancing IoT device security with the broad availability of Azure Sphere today.


If you are interested in learning more about how Azure Sphere can help you securely fast track your next IoT innovation.


About Ann Johnson and Galen Hunt

Ann Johnson is the Corporate Vice President of the Cybersecurity Solutions Group at Microsoft where she oversees the go-to-market strategies of cybersecurity solutions. As part of this charter, she leads and drives the evolution and implementation of Microsoft’s short- and long-term security, compliance, and identity solutions roadmap with alignment across the marketing, engineering, and product teams.

Prior to joining Microsoft, her executive leadership roles included Chief Executive Officer of Boundless Spatial, President and Chief Operating Officer of vulnerability management pioneer Qualys, Inc., and Vice President of World Wide Identity and Fraud Sales at RSA Security, a subsidiary of EMC Corporation.

Dr. Galen Hunt founded and leads the Microsoft team responsible for Azure Sphere. His team’s mission is to ensure that every IoT device on the planet is secure and trustworthy. Previously, Dr. Hunt pioneered technologies ranging from confidential cloud computing to light-weight container virtualization, type-safe operating systems, and video streaming. Dr. Hunt was a member of Microsoft’s founding cloud computing team.

Dr. Hunt holds over 100 patents, a B.S. degree in Physics from University of Utah and Ph.D. and M.S. degrees in Computer Science from the University of Rochester.

The post Azure Sphere—Microsoft’s answer to escalating IoT threats—reaches general availability appeared first on Microsoft Security.

Microsoft Insider Risk Management and Communication Compliance in Microsoft 365 now generally available

February 20th, 2020 No comments

Microsoft Insider Risk Management and Communication Compliance in Microsoft 365—now generally available—help organizations address internal risks, such as IP theft or code of conduct policy violations. The new Microsoft Insider Risk Management solution helps to quickly identify, detect, and act on insider threats. The solution leverages Microsoft Graph and other services to analyze real-time native signals across Microsoft 365 and third-party applications—including file activity, communications sentiment, abnormal user behaviors, and HR events. Communication Compliance in Microsoft 365 leverages machine learning to quickly identify and help you act on code of conduct policy violations in company communications channels, while also helping regulated organizations meet specific supervisory compliance requirements.

To learn more, read Leverage AI and machine learning to address insider risks.

The post Microsoft Insider Risk Management and Communication Compliance in Microsoft 365 now generally available appeared first on Microsoft Security.

Categories: Microsoft 365 Tags:

Free import of AWS CloudTrail logs through June 2020 and other exciting Azure Sentinel updates

February 20th, 2020 No comments

SecOps teams are increasingly challenged to protect assets across distributed environments, analyze the growing volume of security data, and prioritize response to real threats.

As a cloud-native SIEM solution (security information and event management), Azure Sentinel uses artificial intelligence (AI) and automation to help address these challenges. Azure Sentinel empowers SecOps teams to be more efficient and effective at responding to threats in the cloud, on-premises, and beyond.

Azure Sentinel

Intelligent security analytics for your entire enterprise.

Learn more

Our innovation continues, and we have some exciting news to share for the RSA 2020 conference including the ability to import AWS CloudTrail data for free through June 2020, opportunities to win up to $1,000 for community contributions, and many other product updates.

Enable unified response across multiple clouds—now with free import of AWS CloudTrail data through June 2020

More than 60 percent of enterprises have a hybrid cloud strategy—a combination of private and multi-cloud deployments. We’re committed to help SecOps teams defend the entire stack, not just Microsoft workloads. That’s why Azure Sentinel includes built-in connectors to bring together data from Microsoft solutions with data from other cloud platforms and security solutions.

You can already ingest data from Azure activity logs, Office 365 audit logs, and alerts from Microsoft 365 security solutions at no additional cost. To further help our customers secure their entire multi-cloud estate, today we’re announcing the ability to import your AWS CloudTrail logs into Azure Sentinel at no additional cost from February 24, 2020 until June 30, 2020.

New and existing customers of Azure Sentinel can take advantage of this offer by using the built-in connector for AWS CloudTrail logs. Data retention charges after 90 days period and other related charges are applicable during this time as per Azure Sentinel terms. Learn more about Azure Sentinel pricing.

Image of AWS CloudTrail logs.

Once connected to your AWS CloudTrail logs, you can visualize and get relevant insights using built-in workbooks. You can even customize these dashboards and combine insights from other sources to meet your needs:

Image of AWS network activities.

Detections and hunting queries developed by Microsoft Security experts will make it easier to identify and respond to potential threats in your AWS environment:

Image showing credential abuse in AWS CloudTrail.

Gain visibility into threats targeting IoT

With the exponential growth in connected devices creating an uptick in attacks targeting IoT, it is critical for enterprise SecOps teams to include IoT data in their scope. A new Azure Security Center for IoT connector makes it easy for customers to onboard data from Azure IoT Hub-managed deployments into Azure Sentinel. Customers can now monitor alerts across all IoT Hub deployments along with other related alerts in Azure Sentinel, inspect and triage IoT incidents, and run investigations to track an attacker’s lateral movement within their enterprise.

With this announcement Azure Sentinel is the first SIEM with native IoT support, allowing SecOps and analysts to identify threats in these complex converged environments.

In addition, Upstream Security, a cloud-based automotive cybersecurity detection and response company, is launching integration with Azure Sentinel. This will enable customers to send threats detected by Upstream Security’s C4 platform to Azure Sentinel for further investigation.

Collect data from additional data sources

We’re continually adding new data connectors from leading security solutions and partners. Each of these data connectors have sample queries and dashboards to help you start working with the data immediately in Azure Sentinel:

  • Forcepoint—Three new connectors enable customers to bring in data from Forcepoint NextGen Firewall logs (NGFW), Cloud Access Security Broker (CASB) logs and events, and Data Loss Prevention (DLP) incident data in Azure Sentinel.
  • Zimperium—Customers can use the Zimperium Mobile Threat Defense (MTP) connector to get Zimperium threat logs in Azure Sentinel.
  • Squadra technologies—Customers can get their Squadra secRMM (security removable media manager) event data for the USB removable devices in Azure Sentinel.

Bring SIGMA detections to Azure Sentinel

The SOC Prime Threat Detection Marketplace—which includes 950+ rules mapped to MITRE ATT&CK to address over 180 attacker techniques—now supports Azure Sentinel analytics rules. The SOC Prime marketplace provides unprecedented access to the latest threat detection content from the SIGMA community, SOC Prime team, and its Threat Bounty Program members. New detection rules are continuously created and updated by security researchers and published daily at the SOC Prime marketplace, helping companies to detect latest threats, vulnerability exploitation attempts and enable TTP-based threat hunting. Once the rules are published, using the Azure Sentinel integration you can instantly deploy them from within TDM to your Azure Sentinel instance with just one click.

Use ReversingLabs threat intelligence to inform threat response

ReversingLabs brings two new integrations to Azure Sentinel, enabling customers to leverage rich ReversingLabs threat intelligence for hunting and investigation in Azure Sentinel. The first integration features an Azure Sentinel Notebooks sample that connects to the Reversing Labs API to enable hunting scenarios that include ReversingLabs threat intelligence data. In addition, a new ReversingLabs TitaniumCloud connector for Azure Logic Apps and sample playbook enable security incident responders to automatically identify key information about file-based threats to rapidly triage incoming alerts.

Detect threats with greater confidence using new machine learning models

Azure Sentinel uses AI-based Fusion technology to stitch together huge volumes of low and medium fidelity alerts across different sources and then elevates the combined incidents to a high priority alert that security professionals can investigate. Learn how Azure Sentinel evaluated nearly 50 million suspicious signals for Microsoft in a single month to create just 23 high confidence incidents for our SecOps team to investigate.

In addition to the existing machine learning detections that look for multi-stage attacks, we are introducing several new scenarios in public preview using Microsoft Defender Advanced Threat Protection (ATP) and Palo Alto logs. These new detections will help SecOps teams to identify attacks that may otherwise be missed and reduce the mean time to remediate threats.

Manage incidents across multiple tenants and workspaces

Managed security service providers and large enterprises often need a central place to manage security incidents across multiple workspaces and tenants. Integration of Azure Sentinel with Azure Lighthouse now lets you view and investigate incidents from different tenants and workspaces in a central pane. This will also help enterprises who need to keep separate workspaces in different regions to meet regulatory requirements while managing incidents in a central place.

Join the Azure Sentinel private preview in Azure Government

Azure Sentinel is now available in private preview in Azure Government, starting with US Gov Virginia region. To join the preview please contact us at

Azure Sentinel is currently going through the FedRAMP-High certification process, and Microsoft anticipates achieving compliance by the summer of 2020.

Get rewarded up to $1,000 for your contributions to the Azure Sentinel community

Cybersecurity is a community-driven effort with defenders helping each other to scale against sophisticated, rapidly evolving threats. Azure Sentinel has a thriving community of threat hunters that share hunting, detection and investigation queries, automated workflows, visualizations, and much more in the Azure Sentinel GitHub repository.

We’re announcing a special program for our threat hunter community, featuring:

Review the Recognition and Rewards documentation and see our newly redesigned GitHub experience.

Try Azure Sentinel and visit us at the RSA Conference 2020

Since the general availability of Azure Sentinel last September, there are many examples of how Azure Sentinel helps customers like ASOS, Avanade, University of Phoenix, SWC Technology Partners, and RapidDeploy improve their security across diverse environments while reducing costs.

It’s easy to get started. You can access the new features in Azure Sentinel today. If you are not using Azure Sentinel, we welcome you to start a trial.

Our team will be showcasing Azure Sentinel at the RSA Conference next week. Take a look at all the featured sessions, theater sessions and other activities planned across Microsoft Security technologies. We hope to meet you all there.

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Free import of AWS CloudTrail logs through June 2020 and other exciting Azure Sentinel updates appeared first on Microsoft Security.

Azure Sentinel uncovers the real threats hidden in billions of low fidelity signals

February 20th, 2020 No comments

Cybercrime is as much a people problem as it is a technology problem. To respond effectively, the defender community must harness machine learning to compliment the strengths of people. This is the philosophy that undergirds Azure Sentinel. Azure Sentinel is a cloud-native SIEM that exploits machine learning techniques to empower security analysts, data scientists, and engineers to focus on the threats that matter. You may have heard of similar solutions from other vendors, but the Fusion technology that powers Azure Sentinel sets this SIEM apart for three reasons:

  1. Fusion finds threats that fly under the radar, by combining low fidelity, “yellow” anomalous activities into high fidelity “red” incidents.
  2. Fusion does this by using machine learning to combine disparate data—network, identity, SaaS, endpoint—from both Microsoft and Partner data sources.
  3. Fusion incorporates graph-based machine learning and a probabilistic kill chain to reduce alert fatigue by 90 percent.

Azure Sentinel

Intelligent security analytics for your entire enterprise.

Learn more

You can get a sense of how powerful Fusion is by looking at data from December 2019. During that month, billions of events flowed into Azure Sentinel from thousands of Azure Sentinel customers. Nearly 50 billion anomalous alerts were identified and graphed. After Fusion applied the probabilistic kill chain, the graph was reduced to 110 sub graphs. A second level of machine learning reduced it further to just 25 actionable incidents. This is how Azure Sentinel reduces alert fatigue by 90 percent.

Infographic showing alerts to high-fidelity incidents.

New Fusion scenarios—Microsoft Defender ATP + Palo Alto firewalls

There are currently 35 multi-stage attack scenarios generally available through Fusion machine learning technology in Azure Sentinel. Today, Microsoft has introduced several additional scenarios—in public preview—using Microsoft Defender Advanced Threat Protection (ATP) and Palo Alto logs. This way, you can leverage the power of Sentinel and Microsoft Threat Protection as complementary technologies for the best customer protection.

  • Detect otherwise missed attacks—By stitching together disparate datasets using Bayesian methods, Fusion helps to detect attacks that could have been missed.
  • Reduce mean time to remediate—Microsoft Threat Protection provides a best in class investigation experience when addressing alerts from Microsoft products. For non-Microsoft datasets, you can leverage hunting and investigation tools in Azure Sentinel.

Here are a few examples:

An endpoint connects to TOR network followed by suspicious activity on the Internal network—Microsoft Defender ATP detects that a user inside the network made a request to a TOR anonymization service. On its own this incident would be a low-level fidelity. It’s suspicious but doesn’t rise to the level of a high-level threat. Palo Alto firewalls registers anomalous activity from the same IP address, but it isn’t risky enough to block. Separately neither of these alerts get elevated, but together they indicate a multi-stage attack. Fusion makes the connection and promotes it to a high-fidelity incident.

Infographic of the Palo Alto firewall detecting threats.

A PowerShell program on an endpoint connects to a suspicious IP address, followed by suspicious activity on the Internal network—Microsoft Defender ATP generates an alert when a PowerShell program makes a suspicious network connection. If Palo Alto allows traffic from that IP address back into the network, Fusion ties the two incidents together to create a high-fidelity incident

An endpoint connects to a suspicious IP followed by anomalous activity on the Internal network—If Microsoft Defender ATP detects an outbound connection to an IP with a history of unauthorized access and Palo Alto firewalls allows an inbound request from that same IP address, it’s elevated by Fusion.

How Fusion works

  1. Construct graph

The process starts by collecting data from several data sources, such as Microsoft products, Microsoft security partner products, and other cloud providers. Each of those security products output anomalous activity, which together can number in the billions or trillions. Fusion gathers all the low and medium level alerts detected in a 30-day window and creates a graph. The graph is hyperconnected and consists of billions of vertices and edges. Each entity is represented by a vertex (or node). For example, a vertex could be a user, an IP address, a virtual machine (VM), or any other entity within the network. The edges (or links) represent all the activities. If a user accesses company resources with a mobile device, both the device and the user are represented as vertices connected by an edge.

Image of an AAD Detect graph.

Once the graph is built there are still billions of alerts—far too many for any security operations team to make sense of. However, within those connected alerts there may be a pattern that indicates something more serious. The human brain is just not equipped to quickly remove it. This is where machine learning can make a real difference.

  1. Apply probabilistic kill chain

Fusion applies a probabilistic kill chain which acts as a regularizer to the graph. The statistical analysis is based on how real people—Microsoft security experts, vendors, and customers—triage alerts. For example, defenders prioritize kill chains that are time bound. If a kill chain is executed within a day, it will take precedence over one that is enacted over a few days. An even higher priority kill chain is one in which all steps have been completed. This intelligence is encoded into the Fusion machine learning statistical model. Once the probabilistic kill chain is applied, Fusion outputs a smaller number of sub graphs, reducing the number of threats from billions to hundreds.

  1. Score the attack

To reduce the noise further, Fusion uses machine learning to apply a final round of scoring. If labeled data exists, Fusion uses random forests. Labeled data for attacks is generated from the extensive Azure red team that execute these scenarios. If labeled data doesn’t exist Fusion uses spectral clustering.

Some of the criteria used to elevate threats include the number of high impact activity in the graph and whether the subgraph connects to another subgraph.

The output of this machine learning process is tens of threats. These are extremely high priority alerts that require immediate action. Without Fusion, these alerts would likely remain hidden from view, since they can only be seen after two or more low level threats are stitched together to shine a light on stealth activities. AI-generated alerts can now be handed off to people who will determine how to respond.

The great promise of AI in cybersecurity is its ability to enable your cybersecurity people to stay one step ahead of the humans on the other side. AI-backed Fusion is just one example of the innovative potential of partnering technology and people to take on the threats of today and tomorrow.

Learn more

Read more about Azure Sentinel and dig into all the Azure Sentinel detection scenarios.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Azure Sentinel uncovers the real threats hidden in billions of low fidelity signals appeared first on Microsoft Security.