Author Archive

Compliance joins Microsoft Intelligent Security Association (MISA)

March 3rd, 2021

Like many of you, I’m thrilled to have my 2020 calendar safely in the recycling pile. During that time though, you too might have noticed how, perhaps unknowingly, you were able to turn some of last year’s lemons into lemonade. Maybe you developed a deeper appreciation for everyday moments and the people in your life, gaining a new perspective on what matters most.

For my team, seeing the Microsoft Intelligent Security Association (MISA) grow to 190 partner companies has been a bright spot in a dark year. To date, MISA members have created 215 product integrations, and I’m pleased to announce that our pilot program for adding managed security service providers (MSSPs) has formally transitioned. MISA now includes 39 MSSP members who have created 76 MSSP offers since the beginning of the fiscal year.

“Microsoft Security integrates with a broad ecosystem of platforms and cloud providers, so they work with the things you already have in your environment; whether those things are from Microsoft, or not. Our partners are key to helping facilitate this integration.”—Vasu Jakkal, CVP, Security, Compliance and Identity

“Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection—reducing the day-to-day involvement of in-house security teams. It’s another important step in strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”—Shawn O’Grady, Senior Vice President and General Manager, Cloud + Data Center Transformation at Insight

Because Microsoft’s footprint extends across many technologies, we have an advantage in creating holistic solutions that encompass the full breadth of security, compliance, and identity. In keeping with that end-to-end approach, we’ve expanded MISA to include 5 new compliance products, growing the MISA product portfolio to 18.

“The explosion of data from digital transformation and remote work make the integration of security and compliance tools across internal and external ecosystems more critical than ever. Together with the deep expertise of our MISA members, we can help our customers address their complex, evolving security and compliance needs.”—Alym Rayani, General Manager, Microsoft Compliance

Compliance comes to MISA

Microsoft compliance products help our customers assess their compliance risk, protect their sensitive data, and govern it according to regulatory requirements. Through MISA, members get support in building managed services and integrations that:

  1. Protect and govern data wherever it lives.
  2. Identify and take actions on critical insider risks.
  3. Simplify compliance and reduce risk.
  4. Investigate and respond with relevant data.

“TeleMessage is excited to bring our Mobile Communication Archiving products to be a part of Microsoft’s security solutions. Being a MISA member allows us to work closely with the Microsoft teams and allows us to provide seamless, secure, and compliant integrations delivering all popular forms of mobile communication.”—Guy Levit, CEO at TeleMessage

Microsoft Information Protection has been part of MISA since the association began in 2018, providing broad coverage across devices, apps, cloud services, and on-premises systems. This year, we’re continuing to develop our holistic partner community across security, compliance, and identity by adding five additional Microsoft compliance products to our portfolio:

  • Microsoft Information Governance: Keep what you need and delete what you don’t. Apply compliance solutions and a deletion workflow for email, documents, instant messages, social media, document collaboration platforms, and more.
  • Microsoft Data Loss Prevention: Help users stay compliant without interrupting their workflow—prevent the accidental sharing of sensitive information across Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and desktop versions of Excel, PowerPoint, and Microsoft Word.
  • Microsoft 365 Insider Risk Management: Identify critical insider risks and take the appropriate action. With built-in privacy controls, use native and third-party signals to identify, investigate, and remediate malicious and inadvertent activities in your organization.
  • Microsoft Advanced eDiscovery: Gain an end-to-end workflow to collect, analyze, preserve, and export content that’s responsive to your organization’s internal and external investigations. Identify persons of interest and their data sources, then manage the legal-hold communication process.
  • Microsoft Compliance Manager: Get help throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

“Joining MISA enhances our relationship with Microsoft and our commitment to being an information governance and compliance leader providing solutions for organizations to bring third-party data into Microsoft 365 archive,” said Charles Weeden, Managing Partner of 17a-4, LLC. “DataParser’s connectors will allow Microsoft 365 Compliance users to ingest content from various sources, such as Bloomberg, Slack, Symphony, Webex Teams and many others.”

Connectors and APIs to extend compliance capabilities

Organizations today face an intimidating amount of data to protect across disparate systems, both on-premises and in the cloud. That’s why Microsoft compliance solutions span information protection and governance, data-loss prevention, insider risk, eDiscovery, audit, and compliance management—including your non-Microsoft data.

Microsoft 365 compliance enables organizations to extend, integrate, accelerate, and support their compliance solutions with three key building blocks:

All of these new capabilities exist within Microsoft’s integrated compliance platform. This means customers only need to set compliance policies once, regardless of the data source.

“The Veritas Merge1 connector platform integration with M365 allows our joint customers to configure, connect, and capture a vast number of data sources from within the M365 compliance center. The integration makes it easy to quickly identify which data sources need to be captured, to configure connectivity to those data sources and to pull data into M365 all from within the Azure infrastructure. Our development teams have worked closely together for over 12 months to make sure the workflow is simple and the capabilities are robust. With the increase in global regulations over the past several years, our goal is to simplify compliance, and we believe we have achieved that by working together with Microsoft.”—David Scott, Sr. Director, Digital Compliance at Veritas Technologies

Microsoft Security lights the way

As the global pandemic forced millions into remote work last year, hackers took advantage and upped their game, as seen with the recent Solorigate attack. Many organizations saw their sensitive data created, viewed, and distributed across multiple fragmented platforms, which increased the potential attack surface. Because we view security as part of the common good, we chose to take a proactive approach, shifting cybersecurity away from the shadows and into a place of innovation and empowerment.

“MISA has helped us promote successful integrations with Azure Security Graph API and Azure Active Directory, both now deeply embedded in Barracuda security solutions.”—Tim Jefferson, SVP Data, Networking, and Applications, Barracuda Networks

During Microsoft Ignite, March 2-4, 2021, you’ll see added investment in our security, compliance, and identity portfolio as we continue to innovate and create holistic solutions that support cultures of security for our customers and partners, based on four basic principles:

  • Protect everything: Safeguard your entire organization with integrated security, compliance, and identity solutions built to work across platforms and cloud environments.
  • Simplify the complex: Prioritize risks with unified management tools and strategic guidance created to maximize the human expertise inside your company.
  • Catch what others miss: Enable AI, automation, and human expertise to help you detect threats quickly, respond effectively, and fortify your security posture.
  • Grow your future: Gain the peace of mind that comes with a comprehensive security solution, empowering you to grow, create, and innovate across your business.

To learn more about upcoming big announcements at Microsoft Ignite this week, visit our latest blog posts:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Compliance joins Microsoft Intelligent Security Association (MISA) appeared first on Microsoft Security.

Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work

March 2nd, 2021

We’re now a year into our new reality, and two trends stand out. First, people need even more flexibility as we work, learn, and collaborate in a world without perimeters. And second, bad actors are getting even more sophisticated. They’re adding new attack vectors and combining them in new, creative ways, as we just saw with Solorigate.

In January, I shared our top five identity priorities for 2021 to help you strengthen security and accelerate your transition to the new hybrid work era. More than ever, organizations need to strengthen their defenses to give employees, partners, and customers the flexibility to work from anywhere using apps that live inside and outside the traditional corporate network perimeter. That’s why Zero Trust, a security strategy that combines maximum flexibility with maximum security, is so crucial.

For IT pros and security professionals, the implementation of Zero Trust should be simple and straightforward. For users, it should never get in the way, and it should fit into familiar workflows and habits. This week, on the virtual Microsoft Ignite stage, I’m announcing several Azure Active Directory (Azure AD) innovations that will help make life easier for you and your employees now—and help you stay prepared for whatever comes next.

Give your employees a secure and seamless user experience

As part of our commitment to making security as seamless as possible, passwordless authentication is now generally available for organizations to deploy at scale. Your IT admins, employees, and partners can benefit from increased security and simplicity. We’ve made it easy to roll out passwordless at scale with expanded policies that define which authentication methods specific users or groups can use. New reporting capabilities allow you to see the usage and adoption of passwordless authentication methods across your organization. To help you simplify and secure remote access, we’ve also released the preview of Temporary Access Pass, a time-limited code used to set up and recover a passwordless credential.

Azure AD Temporary Access Pass

Microsoft already has more than 200 million passwordless users across our consumer and enterprise services. We’re excited to see even more customers adopting passwordless each day. Axiata Group is the first company in Southeast Asia to eliminate passwords for their employees. They went passwordless using Windows Hello for Business and the Microsoft Authenticator app. Abid Adam, group chief risk and compliance officer at Axiata Group said, “Rather than make their lives miserable with long passwords that create risk for the organization, we turned to biometrics. Now with Windows Hello, security is baked into our ecosystem, and we have better access to information with greater barriers to bad actors. It’s a win-win for our security team, our employees, and the company.” Similarly, in Europe, Umeå municipality wanted to strengthen security and eliminate the use of passwords. With help from Onevinn and Yubico partners, they were able to roll out their first passwordless deployment in less than 10 days. Watch my interview on Microsoft Mechanics to see passwordless in action.

Going passwordless not only simplifies the user experience but also strengthens your security posture. And thanks to Azure AD Conditional Access, you no longer need to request multifactor authentication every time someone accesses an app that touches sensitive data. Instead, you can step up authentication based on what the user is trying to do within the app—for example, downloading a highly confidential document. With Azure AD Conditional Access authentication context, now in preview, you can move away from one-size-fits-all security and adopt more granular policies that protect resources with the right level of controls based on user actions or the data they are trying to access.

Azure AD Conditional Access authentication context


  • General availability of passwordless authentication.
  • Preview of Temporary Access Pass.
  • Preview of Azure AD Conditional Access authentication context.

Secure access to all apps

Most of you manage multi-cloud environments. Your developers are building apps that are distributed across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform. They need to sign in to each cloud with only one set of credentials. So that you can quickly configure single sign-on (SSO) and user provisioning, we’re constantly expanding the Azure AD app gallery with as many pre-integrations as possible—even with our competitors.

AWS Single Sign-On app is now pre-integrated with Azure AD and available in the app gallery. This integration lets you connect Azure AD to AWS SSO, a cloud-based service that simplifies SSO access across multiple AWS accounts and resources. You can centralize management of user access to AWS, while your employees can gain access using their Azure AD credentials.

AWS SSO pre-integrated with Azure AD

During the past year, many organizations have relied on our Azure AD App Proxy service to help employees secure remote access to on-premises apps. Usage grew more than 100 percent last year, helping organizations move away from VPN solutions. Today, we’re adding two new features to help you get the most out of App Proxy. First, native support for header-based authentication with App Proxy is now generally available. Second, traffic optimization by region for App Proxy is now in preview. This feature lets you designate which region your App Proxy connector group should use, so you can select the same region as your apps, which helps reduce latency and improve performance.

Azure AD App Proxy support for header-based authentication apps

To protect your legacy, on-premises applications, we’re expanding the list of our secure hybrid access partnerships to include Datawiza, Perimeter 81, Silverfort, and Strata. In addition to connecting your on-premises apps, partners like Datawiza, Strata, and Silverfort can help you discover and prioritize apps and resources to migrate to Azure AD. “Silverfort is thrilled to be able to collaborate with Azure AD to enable unified secure access to legacy, on-premises apps, and resources,” said Ron Rasin, vice president of product and strategic alliances at Silverfort. “Identity has become the primary security control plane making it critical that organizations can discover, prioritize, and migrate the apps and resources to a central identity solution like Azure AD.”

Solorigate taught us that in many cases, cloud environments are more secure than on-premises. To strengthen your defenses, it’s critical to minimize your on-premises footprint and manage all your apps from the cloud. The process of discovering applications across different environments and prioritizing them for cloud modernization can be daunting, however. To make it easier, we’re announcing the general availability of Active Directory Federation Services (AD FS) activity and insights report. This report assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and provides guidance on preparing individual applications for migration to Azure AD.

AD FS activity and insights report


  • AWS Single Sign-On now available in Azure AD app gallery.
  • General availability of AD FS activity and insights report.
  • New secure hybrid access partnerships with Datawiza, Perimeter 81, Silverfort, and Strata.
  • General availability of Azure AD App Proxy support for header-based authentication apps.
  • Preview of Azure AD App Proxy support for traffic optimization by region.

Secure your customers and partners

A strong Zero Trust approach requires that we treat access requests from customers, partners, and vendors just like requests from employees: verify every request, allow users to access the data they need only when they need it, and don’t let guests overstay their welcome. With Azure AD, you can apply consistent access policies to all types of external users.

Generally available starting this month, Azure AD External Identities is a set of capabilities for securing and managing identity and access for customers and partners. Self-service sign-up user flows in Azure AD apps make it easy to create, manage, and customize onboarding experiences for external users, with little to no application code. You can integrate support for sign-in using Google and Facebook IDs and extend the flow with powerful API connectors. Using Azure AD Identity Protection, you can protect your business-to-business (B2B) and business-to-consumer (B2C) apps and users with adaptive, machine learning–driven security.

Azure AD External Identities admin portal and user experience

With automated guest access reviews for Microsoft Teams and Microsoft 365 groups, now generally available, Azure AD will prompt you to review and update access permissions for all guests added to new or existing Teams or groups on a regular schedule. The process of cleaning up access to sensitive resources that your guest users no longer need will become less manual—and less neglected.


  • General availability of Azure AD External Identities.
  • General availability of Azure AD access reviews for all guests in Teams and Microsoft 365 groups.

The future of identity is bright

While 2020 was a challenging year, we have much to look forward to in 2021, with innovations that will deliver more security, transparency, and privacy for users. Last Microsoft Ignite, I talked about verifiable credentials and our commitment to empowering every person to own their own identity thanks to decentralized identifiers. I’m happy to share that Azure AD verifiable credentials is entering preview in just a few weeks. Developers will get an SDK, with quick-start guides, for building apps that request and verify credentials, just like they do with usernames and passwords. I’m also excited to announce that we are partnering with some of the leading ID verification partners—Acuant, Au10tix, Idemia, Jumio, Socure, Onfido, Vu Security—to improve verifiability and secure information exchange.

Verifiable credentials let organizations confirm information about someone—like their education and professional certifications—without collecting and storing their personal data. This will revolutionize the way we grant permissions to access our information. Organizations will be able to issue digital versions of a variety of credentials such as physical badges, loyalty cards, and government-issued paper documents based on open standards. Because the digital information is verified by a known party, it’s more trustworthy, and verification will only take minutes instead of days or weeks.

Azure AD verifiable credentials

Individuals get more control over what information they share with whom, and they can restrict access to that shared information at any time. They only have to verify a credential once to use it everywhere. To manage their credentials, they can use the Microsoft Authenticator app and other wallet apps that support open standards, such as the pilot application built by Keio University for their students.


  • Preview of Azure AD verifiable credentials.

And finally, I’m happy to share that we’re releasing a new Microsoft Identity and Access Administrator Certification, which you can find at the Microsoft Security Resources portal. This training helps admins design, implement, and operate Azure AD as the organization’s security control plane.


  • Release of the Microsoft Identity and Access Administrator Certification.

The new features announced at Microsoft Ignite will make it easier to provide seamless user experiences in the hybrid workplace and to strengthen your defenses against attacks that are increasingly sophisticated. As you try these new tools, please send us your feedback so we can continue to build advancements that help you keep your employees secure, connected, and productive.

Let’s make 2021 the Year of Passwordless!

To see these features in action when I take the Microsoft Ignite stage tomorrow, register for free at Microsoft Ignite and watch my session starting at 5 PM Pacific Time. Follow Microsoft Identity at @AzureAD on Twitter for more news and best practices.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security Blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work appeared first on Microsoft Security.

Microsoft brings advanced hardware security to Server and Edge with Secured-core

March 2nd, 2021

A cursory look at recent headlines reveals two clear trends. First, organizations around the world are embracing digital transformation using technologies across cloud and edge computing to better serve their customers and thrive in fast-paced environments. Second, attackers are constantly innovating new attacks as technology changes and targeting these organizations’ high-value infrastructure with advanced technical capabilities connected to both cybercrime and espionage.

The MagBo marketplace, which sells access to more than 43,000 hacked servers, exemplifies the ever-expanding cybercrime threat. Compromised servers are being exploited to mine cryptocurrency and are being hit with ransomware attacks. Meanwhile, IoT vulnerabilities are on the rise, with more than half of IoT devices deemed susceptible to attack. In addition to these risks, companies often struggle with a lack of expertise and familiarity with security standards as well as complex regulations like the IoT Cybersecurity Improvement Act of 2020.

Given these factors, continuing to raise the security bar for critical infrastructure against attackers, while also making it easy for organizations to hit that higher bar, is a clear priority for both customers and Microsoft. As systems like the Xbox show, successfully protecting systems requires a holistic approach that builds security from the chip to the cloud across hardware, firmware, and the operating system. Using our learnings from the Secured-core PC initiative, Microsoft is collaborating with partners to expand Secured-core to Windows Server, Azure Stack HCI, and Azure-certified IoT devices, and to bring the Secured-core values of advanced hardware-based protection and simpler security enablement to the server and IoT ecosystem.

Powerful protection with Secured-core Server and Edge Secured-core

Following Secured-core PC, we are introducing Secured-core Server, which is built on three key pillars: simplified security, advanced protection, and preventative defense. Secured-core Servers come with the assurance that manufacturing partners have built hardware and firmware that satisfy the requirements of the operating system (OS) security features. Like Secured-core PC and Secured-core Server, Edge Secured-core advances built-in security for IoT devices running a full OS. Edge Secured-core also expands Secured-core coverage to Linux, in addition to Windows platforms.

Simplified security

New functionality in the Windows Admin Center makes it easy for customers to configure the OS security features of Secured-core for Windows Server and Azure Stack HCI systems. The new Windows Admin Center security functionality will allow enabling advanced security with the click of a button from a web browser anywhere in the world. With integrated Azure Stack HCI systems, manufacturing partners can also enable OS features, further simplifying the configuration experience for customers so that Microsoft’s best server security is available right out of the box. For Windows Server and validated Azure Stack HCI solutions, customers can look for Secured-core certified systems to simplify acquiring secure hardware platforms.

The Windows Admin Center will allow easy management of Secured-core functionality from any browser

The Azure Certified Device program already helps customers find the right edge and IoT solutions for their needs. We are adding the Edge Secured-core public preview to the Azure Certified Device program. Edge Secured-core devices meet extra security requirements around device identity, secure boot, OS hardening, device updates, data protection, and vulnerability disclosures, and they will be uniquely identifiable in the Azure Certified Device catalog.

Advanced protection

Secured-core Servers maximize hardware, firmware, and OS capabilities to help protect against current and future threats. These safeguards create a platform with added security for critical applications and data used on the server. Secured-core functionality spans the following areas:

  • Hardware root-of-trust: Trusted Platform Module 2.0 (TPM 2.0) comes standard with Secured-core Servers, providing a protected store for sensitive keys and data, such as measurements of the components loaded during boot. Being able to verify that the firmware that runs during boot is validly signed by the expected author and has not been tampered with helps improve supply chain security. This hardware root-of-trust elevates the protection provided by capabilities like BitLocker, which uses the TPM 2.0, and it facilitates the creation of attestation-based workflows that can be incorporated into zero-trust security strategies.
  • Firmware protection: In the last few years, there has been a significant uptick in firmware vulnerabilities, in large part due to the high level of privilege at which firmware runs, combined with limited visibility into firmware by traditional anti-virus solutions. Using processor support for Dynamic Root of Trust for Measurement (DRTM) technology, Secured-core systems put firmware in a hardware-based sandbox, helping to limit the impact of vulnerabilities in millions of lines of highly privileged firmware code.
  • Virtualization-based security (VBS): Secured-core Servers support VBS and hypervisor-based code integrity (HVCI). The cryptocurrency mining attack mentioned earlier leveraged the EternalBlue exploit. VBS and HVCI help protect against this entire class of vulnerabilities by isolating privileged parts of the OS, like the kernel, from the rest of the system. This helps to ensure that servers remain devoted to running critical workloads and helps protect related applications and data from attack and exfiltration.
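The hardware root-of-trust bullet above talks about the TPM holding measurements of boot components and enabling attestation-based workflows. As an added illustration (not Microsoft's code, and not the Secured-core implementation), here is the check a verifier performs: replay the boot event log through TPM-style PCR extends and compare the result with the quoted PCR value and with a known-good ("golden") chain. The extend rule (new PCR = SHA-256(old PCR || digest)) matches TPM 2.0 semantics; the component names and images are constructed sample data, and the verifier itself is a simplified model.

```python
"""Replay a boot measurement log against a TPM-style PCR (SHA-256 bank).

Added example for illustration; the boot images below are constructed, not
real firmware, and the verifier is a simplified model of an attestation check.
"""
import hashlib
from typing import List, Tuple

Event = Tuple[str, bytes]  # (boot component name, component image bytes)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM2_PCR_Extend: a PCR can only be extended, never written directly,
    # so an earlier measurement cannot be removed or reordered afterwards.
    return sha256(pcr + digest)


def replay_log(events: List[Event]) -> bytes:
    """Fold every component measurement into the PCR, in boot order."""
    pcr = bytes(32)  # SHA-256 bank PCRs are all-zero after reset
    for _name, image in events:
        pcr = pcr_extend(pcr, sha256(image))
    return pcr


def first_divergence(events: List[Event], golden: List[Event]) -> int:
    """Index of the first component whose name or measurement differs from
    the golden chain; -1 when both logs match measurement for measurement."""
    for i, ((name, image), (gname, gimage)) in enumerate(zip(events, golden)):
        if name != gname or sha256(image) != sha256(gimage):
            return i
    if len(events) != len(golden):
        return min(len(events), len(golden))  # first extra or missing entry
    return -1


def attest(quoted_pcr: bytes, events: List[Event], golden: List[Event]) -> Tuple[bool, str]:
    """Two checks a verifier runs on a TPM quote plus its event log:
    1. log integrity: the log must replay exactly to the quoted PCR value;
    2. policy: that value must equal the replay of the golden chain."""
    if replay_log(events) != quoted_pcr:
        return False, "event log does not replay to the quoted PCR value"
    if quoted_pcr != replay_log(golden):
        idx = first_divergence(events, golden)
        name = events[idx][0] if 0 <= idx < len(events) else "<missing component>"
        return False, f"unexpected measurement at boot component {idx} ({name})"
    return True, "boot chain matches golden measurements"


# Constructed sample boot chains (placeholders, not real images).
GOLDEN_BOOT: List[Event] = [
    ("uefi-firmware", b"FIRMWARE v1.2 signed-by-oem"),
    ("bootloader", b"BOOTMGR 10.0"),
    ("kernel", b"NTOSKRNL 10.0 hvci=on"),
]
TAMPERED_BOOT: List[Event] = [
    ("uefi-firmware", b"FIRMWARE v1.2 unsigned-build"),  # modified firmware
    ("bootloader", b"BOOTMGR 10.0"),
    ("kernel", b"NTOSKRNL 10.0 hvci=on"),
]

if __name__ == "__main__":
    healthy_quote = replay_log(GOLDEN_BOOT)  # what an untampered server quotes
    print(attest(healthy_quote, GOLDEN_BOOT, GOLDEN_BOOT))
    # Modified firmware changes PCR[0] and every later extend; the verifier
    # can point at the first component that differs from the golden chain.
    print(attest(replay_log(TAMPERED_BOOT), TAMPERED_BOOT, GOLDEN_BOOT))
    # A log edited after the fact no longer replays to the quoted value.
    print(attest(healthy_quote, TAMPERED_BOOT, GOLDEN_BOOT))
```

Because the PCR is a hash chain, reordering the same components also yields a different value, which is why the verifier compares whole chains rather than individual digests.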

Edge Secured-core devices come with a built-in security agent, a zero-trust attestation model, and security by default, delivering on the following security features:

  • Hardware-based device identity.
  • Capable of enforcing system integrity.
  • Stays up to date and is remotely manageable.
  • Provides protection for data at rest and data in transit.
  • Built-in security agent and hardening.

Edge Secured-core brings security from the edge to the cloud by leveraging devices, platforms, and services

Preventative defense

Secured-core Servers and Edge Secured-core have security mitigations built into the hardware and OS platform to help thwart common attack vectors. Secured-core functionality helps proactively close the door on the many paths that attackers may try to exploit, and it allows IT and SecOps teams to optimize their time across other priorities.

Coming soon, with the support of the ecosystem

Secured-core Servers across Windows Server 2022 and Azure Stack HCI will help customers stay ahead of attackers and help protect their infrastructure across hardware, firmware, and operating systems. Supported hardware will be available in future product generations from Intel, AMD, and our vibrant OEM ecosystem.

“Continuing the rich tradition of innovation in hardware security, AMD is excited to partner with Microsoft to enable Secured-core Server with its future EPYC processors,” said Akash Malhotra, AMD director, security product management. “With attacks on firmware increasing, a tight integration between AMD hardware security features and the Windows Server operating system will benefit users across the ecosystem.”

“Today’s distributed world demands a new era of security. Intel and Microsoft are working together to provide innovative levels of security controls that provide customers with unified, integrated protection,” said Jeremy Rader, General Manager, Intel Cloud and Enterprise Group. “We’re combining the power of Secured-core Server with our 3rd Gen Intel Xeon Scalable processors (code-named Ice Lake) that creates a chain of trust across all layers of compute, from the hardware, to the firmware to the OS. Customers get a seamless root of trust that combines the most advanced security with management ease.”

You can learn more about Secured-core Servers and Windows Server 2022 security in the related blog.

To get started with Edge Secured-core certification, browse the following resources:

To learn more about Secured-core Servers and Edge Secured-core, be sure to join us during Microsoft Ignite from March 2-4, 2021.

The post Microsoft brings advanced hardware security to Server and Edge with Secured-core appeared first on Microsoft Security.

4 ways Microsoft is delivering security for all in a Zero Trust world

March 2nd, 2021

If there’s one thing the dawning of 2021 has shown, it’s that security isn’t getting any easier. Recent high-profile breach activity has underscored the growing sophistication of today’s threat actors and the complexity of managing business risk in an increasingly connected world. It’s a struggle for organizations of every size and for the public and private sector alike. As we move into this next phase of digital transformation, with technology increasingly woven into our most basic human activities, the questions that we as security defenders must ask ourselves are these: How do we help people to have confidence in the security of their devices, their data, and their actions online? How do we protect people, so they have peace of mind and are empowered to innovate and grow their future? How do we foster trust in a Zero Trust world?

As defenders ourselves, we are passionate proponents of a Zero Trust mindset, encompassing all types of threats—both outside in and inside out. We believe the right approach is to address security, compliance, identity, and device management as an interdependent whole and to extend protection to all data, devices, identities, platforms, and clouds—whether those things are from Microsoft or not.

You may have heard us talk about our commitment to security for all, and that’s at the heart of it. We are deeply inspired to empower people everywhere to do the important work of defending their communities and their organizations in an ever-evolving threat landscape.

With that approach in mind, today I’m excited to share several additional innovations across four key areas with you—identity, security, compliance, and skilling—to give you the holistic security protection you need to meet today’s most challenging security demands.

1. Identity: The starting point of a Zero Trust approach

Adopting a Zero Trust strategy is a journey. Every single step you take will make you more secure. In today’s world, with disappearing corporate network perimeters, identity is your first line of defense. While your Zero Trust journey will be unique, if you are wondering where to start, our recommendation is to start with a strong cloud identity foundation. The most fundamental steps like strong authentication, protecting user credentials, and protecting devices are the most essential.

Today we are announcing new ways that Azure Active Directory (Azure AD), the cloud identity solution of choice for more than 425 million users, can help you on your Zero Trust journey:

  • Passwordless authentication, which eliminates one of the weakest links in security today, is now generally available for cloud and hybrid environments. Now you can create end-to-end experiences for all employees, so they no longer need passwords to sign in to the network. Instead, Azure AD now lets them sign in with biometrics or a tap using Windows Hello for Business, the Microsoft Authenticator app, or a compatible FIDO2 security key from Microsoft Intelligent Security Association partners such as Yubico, Feitian, and AuthenTrend. With Temporary Access Pass, now in preview, you can generate a time-limited code to set up or recover a passwordless credential.
  • Azure AD Conditional Access, the policy engine at the heart of our Zero Trust solution, now uses authentication context to enforce even more granular policies based on user actions within the app they are using or sensitivity of data they are trying to access. This helps you appropriately protect important information without unduly restricting access to less sensitive content.
  • Azure AD verifiable credentials is entering preview in just a few weeks. Verifiable credentials let organizations confirm information—like their education or the professional certifications someone provides—without collecting and storing their personal data, thereby improving security and privacy. In addition, new partnerships integrating Azure AD verifiable credentials with leading identity verification providers like Onfido, Socure, and others will improve verifiability and secure information exchange. Customers such as Keio University, the government of Flanders, and the National Health Service in the UK are already piloting verifiable credentials.

Learn more about our Azure AD announcements in today’s blog post by Joy Chik.

2. Security: Simplifying the “assume breach” toolset

In today’s landscape, your security approach should start with the key Zero Trust principle of assume breach. But too often, complexity and fragmentation stand in the way. It is our commitment to helping you solve this, as we build security for all, delivered from the cloud.

This begins with integrated solutions that let you focus on what matters and deliver visibility across all your platforms and all your clouds. Some vendors deliver endpoint or email protection, while others deliver Security Information and Event Management (SIEM) tools, and integrating those pieces together can be a time-consuming challenge. Microsoft takes a holistic approach that combines best-of-breed SIEM and extended detection and response (XDR) tools built from the ground up in the cloud to improve your posture, protection, and response. This gives you the best-of-breed combined with the best-of-integration so you don’t have to compromise.

Today we are making the following announcements to simplify the experience for defenders with modern and integrated capabilities:

  • Microsoft Defender for Endpoint and Defender for Office 365 customers can now investigate and remediate threats from the Microsoft 365 Defender portal. It provides unified alerts, user and investigation pages for deep, automated analysis and simple visualization, and a new Learning Hub where customers can leverage instructional resources with best practices and how-tos.
  • Incidents, schema, and user experiences are now common between Microsoft 365 Defender and Azure Sentinel. We also continue to expand connectors for Azure Sentinel and work to simplify data ingestion and automation.
  • The new Threat Analytics provides a set of reports from expert Microsoft security researchers that help you understand, prevent, and mitigate active threats, like the Solorigate attacks, directly within Microsoft 365 Defender.
  • We are bringing Secured-core to Windows Server and edge devices to help minimize risk from firmware vulnerabilities and advanced malware in IoT and hybrid cloud environments.

Learn more about our threat protection announcements in today’s blog post by Rob Lefferts and Eric Doerr. Learn more about our Secured-core announcements in today’s blog post by David Weston. You can also learn more about new security features in Microsoft Teams in today’s blog post by Jared Spataro.

Today’s announcements continue, and strengthen, our commitment to deliver best-of-breed protection, detection, and response for all clouds and all platforms with solutions like Defender for Endpoint—a leader in the Gartner Magic Quadrant, available for Android, iOS, macOS, Linux, and Windows; and Azure Sentinel—which looks across your multi-cloud environments, including AWS, Google Cloud Platform, Salesforce service cloud, VMware, and Cisco Umbrella.

3. Compliance: Protection from the inside out

At Microsoft, we think of Zero Trust as not only the practice of protecting against outside-in threats, but also protecting from the inside out. For us, addressing the area of compliance includes managing risks related to data.

And that isn’t just the data stored in the Microsoft cloud, but across the breadth of clouds and platforms you use. We’ve invested in creating that inside-out protection by extending our capabilities to third parties to help you reduce risk across your entire digital estate.

Today we are announcing these new innovations in compliance:

  • Co-authoring of documents protected with Microsoft Information Protection. This enables multiple users to work simultaneously on protected documents while taking advantage of the intelligent, unified, and extensible protection for documents and emails across Microsoft 365 apps.
  • Microsoft 365 Insider Risk Management Analytics, which can identify potential insider risk activity within an organization and help inform policy configurations. With one click, customers can have the system run a daily scan of their tenant audit logs, including historical activity, and leverage Microsoft 365’s Insider Risk Management machine learning engine to identify potential risky activity with privacy built-in by design.
  • Microsoft 365 now offers data loss prevention (DLP) for Chrome browsers and on-premises server-based environments such as file shares and SharePoint Server.
  • Azure Purview is integrated with Microsoft Information Protection, enabling you to apply the same sensitivity labels defined in Microsoft 365 Compliance Center to data residing in other clouds or on-premises. With Azure Purview, a unified data governance solution for on-premises, multi-cloud, and software as a service (SaaS) data, you can scan and classify data residing in AWS Simple Storage Services (S3), SAP ECC, SAP S4/HANA, and Oracle Database.

Learn more about our compliance announcements in today’s blog post by Alym Rayani.

4. Skilling: Power your future through security skilling

We know that many of you continue to struggle to fill the security skills gap with an estimated shortfall of 3.5 million security professionals by 2021. That’s why we strive to ensure you have the skilling and learning resources you need to keep up in our world of complex cybersecurity attacks. We are excited to announce two different ways Microsoft is supporting skilling cybersecurity professionals.

First, Microsoft has four new security, compliance, and identity certifications tailored to your roles and needs, regardless of where you are in your skilling journey. To learn more about these new certifications, please visit our resource page for Microsoft Certifications.

  • Security, Compliance, and Identity Fundamentals certification will help individuals get familiar with the fundamentals of security, compliance, and identity across cloud-based and related Microsoft services.
  • Information Protection Administrator Associate certification focuses on planning and implementing controls that meet organizational compliance needs.
  • Security Operations Analyst Associate certification helps security operational professionals design threat protection and response systems.
  • Identity and Access Administrator Associate certification helps individuals design, implement, and operate an organization’s identity and access management systems by using Azure Active Directory.

We also recognize that the world we live in is complex, but growing your skills shouldn’t be. The Microsoft Security Technical Content Library will help you find content relevant to your needs. Use it to access content based on your own needs today.

You can also learn more on today’s Tech Community blog post.

Security for all

We at Microsoft Security are committed to helping build a safer world for all. Every day, we are inspired by the work of our defenders and we are focused on delivering innovations, expertise, and resources that tip the scale in favor of defenders everywhere because the work you do matters. Security is a team sport, and we’re all in this together.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 4 ways Microsoft is delivering security for all in a Zero Trust world appeared first on Microsoft Security.

Categories: cybersecurity, Zero Trust

Microsoft unifies SIEM and XDR to help stop advanced attacks

March 2nd, 2021 No comments

For all of us in security, the last twelve months have been an incredible series of challenges—from balancing remote work with family priorities, to helping build resilient businesses, and protecting against the latest attacks. 2020 showed us that while we have made great progress, there is still a lot we can do as individuals, organizations, and as a community to keep secure. Here at Microsoft, we’re committed to applying these learnings to help create a stronger, more unified approach to security for all—no matter what platform you’re on, device you’re trying to protect, or cloud your data is in.

To help protect against advanced attacks, last September at Microsoft Ignite we shared our vision to create the most complete approach to securing your digital landscape, all under a single umbrella. We combined the breadth of Azure Sentinel, our cloud-native SIEM (security information and event management) with the depth of Microsoft 365 Defender and Azure Defender, our XDR (extended detection and response) tools, to help fight against attacks that take advantage of today’s diverse, distributed, and complex environments.

Today we are taking the next step in unifying these experiences and delivering enhanced tools and intelligence to stop modern threats.

Unified experiences

Most SIEMs on the market today simply take logs from multiple sources. Azure Sentinel accepts logs across your environment with many third-party security products and can go a step further with Azure Defender and Microsoft 365 Defender. Starting today, incidents, schema, and alerts are shared between Azure Sentinel and Microsoft 365 Defender. This means you get a unified view in Azure Sentinel, then can seamlessly drill down into an incident for more context in Microsoft 365 Defender.

For example: Start in Azure Sentinel for your bird’s eye view to understand an overarching incident, then move directly into Microsoft 365 Defender to investigate an asset or a user in more detail. You can even remediate and close the incident directly within Microsoft 365 Defender, all while maintaining bi-directional syncing with Azure Sentinel. This is next level SIEM integration you won’t find anywhere else.

On the Microsoft 365 Defender side, we are working to reduce the number of portal experiences. The goal is to have a single unified XDR experience for securing end-user environments, rather than a suite of products. Today marks a significant milestone in that effort as we integrate the capabilities of Microsoft Defender for Endpoint and Defender for Office 365 together into the unified Microsoft 365 Defender portal. These changes simplify tasks that would require multiple experiences across comparable products in the market. We have also taken the opportunity to significantly enhance the email entity page with a new 360-degree view of email alerts with relevant context and email alert capabilities.

Enhanced tools and intelligence to stop advanced attacks

As well as unifying the capabilities of Microsoft Defender for Endpoint and Defender for Office 365 into Microsoft 365 Defender, we have also created new enhanced experiences including:

  • Threat Analytics, now in preview, provides detailed threat intelligence reports from expert Microsoft security researchers that help you understand, prevent, and mitigate active threats.
  • Learning Hub where you can use instructional resources with best practices and how-tos.
  • Attack Simulation Training in Microsoft Defender for Office 365 which helps you detect, prioritize, and remediate phishing risks. It uses neutralized versions of real attacks to simulate the continually changing attacker landscape, enabling highly accurate and up-to-date detection of risky behavior, with rich reporting and analytics to help customers measure their progress.

With Azure Sentinel, we’re focused on giving you a richer organization-wide view with expanded data collection and helping you to respond faster with new incident response and automation capabilities. Today we are announcing more than 30 new connectors to simplify data collection across your entire environment, including multi-cloud environments. These new connectors include Salesforce service cloud, VMware, Cisco Umbrella, and Microsoft Dynamics.

New automation rules in Azure Sentinel

We’re also expanding Azure Sentinel’s SOAR capabilities. Today we’re introducing automation rules (a new and simple framework for automating common tasks), and new automation connectors with additional built-in SOAR playbooks. These new playbooks enable automation workflows such as blocking a suspicious IP address with Azure Firewall, isolating endpoint devices with Microsoft Intune, or updating the risk state of a user with Azure Active Directory Identity Protection. You can learn more about these Azure Sentinel innovations on the Azure Sentinel Microsoft Ignite 2021 announcement blog.

Finally, Azure Defender now provides improved alerts features, including improved triaging experience with better performance for larger alert lists, alerts from Azure Resource Graph, sample creation feature for Azure Defender alerts, and alignment with Azure Sentinel’s incident experience. To learn more about these and other Azure Security Center announcements, please read the Azure Security Center Microsoft Ignite 2021 announcement blog.

Integrated threat protection from Microsoft comprises Azure Sentinel, a cloud-native SIEM, Microsoft 365 Defender that provides XDR capabilities for end-user environments, and Azure Defender that provides XDR capabilities for infrastructure and cloud platforms.

Looking ahead

We’ve been on a long journey to figure out how to understand and help you protect against advanced attacks. We’re only just getting started on our mission and will continue to unify tools and add intelligence to help keep your environment healthy and secure.

Be sure to check out our Microsoft Ignite session, and learn more about our SIEM + XDR offering.

As always, thank you for your continued partnership on this journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

-Rob, Eric, and our entire Microsoft Security Team

The post Microsoft unifies SIEM and XDR to help stop advanced attacks appeared first on Microsoft Security.

Securing and governing data in a new hybrid work reality

March 2nd, 2021 No comments

The past year has led to an evolution in not only how we think about work, but more importantly, where work gets done. Arguably, gone are the days that your organization’s data is limited to the protected confines of your corporate network as your people continue to work remotely, return in some capacity to the office, or even adopt some hybrid of the two. With your people working across networks, devices, clouds, and apps, how do you ensure your data remains not only secure but compliant?

A culture of security starts by securing data where people get work done. We have been investing in innovation to make this easier, and I’m sharing with you some additional capabilities that extend data protection and governance across apps, clouds, endpoints, and on-premises file repositories, keeping your people collaborative and productive while ensuring your most valuable asset—your data—remains secure and compliant wherever it lives.

Co-authoring of Microsoft Information Protection-protected documents now available in preview

With the shift to remote work, people are creating, storing, and sharing data in new ways. Collaboration and productivity are critical to getting work done, but you still need to ensure that the data remains safe wherever it is. Data classification in Microsoft Information Protection protects your business-critical data so your people can collaborate securely without having to sacrifice productivity.

Today we are announcing the ability for multiple users to simultaneously edit a Microsoft Office document that has been encrypted using Microsoft Information Protection, now in preview. In the past, you had to choose between encrypting sensitive content and collaborating on it. If you encrypted the content, only one person could edit at a time. Everyone else would be locked out, and AutoSave would be disabled to preserve the encryption. With this new unique capability, multiple people can now be co-authors on a Word, Excel, or PowerPoint document simultaneously, frictionlessly, with auto-save, while maintaining the sensitivity labeling and document protections.

Learn more on Tech Community and Microsoft docs.

Microsoft 365 data loss prevention now available in preview for Chrome and on-premises

Enabling a comprehensive and flexible approach to data loss prevention solutions is one of the most important ways to protect your data. We have been investing heavily in this area, and our unified Data Loss Prevention (DLP) solution—a key part of Microsoft Information Protection—understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, and Outlook), services (including Microsoft Teams, SharePoint, and Exchange), third-party software as a service (SaaS) applications, and more—on-premises or in the cloud. Microsoft’s unified data loss prevention approach provides simplicity, enabling you to set a DLP policy once and have it enforced across services, endpoints, and first- and third-party apps.

A few months ago, we announced Endpoint DLP, which provides built-in data loss prevention into Windows 10 and Microsoft Edge. Today we’re announcing that we are extending Microsoft’s unified DLP capabilities natively to Chrome browsers and on-premises file shares and SharePoint Server.

You can learn more about this preview on Tech Community.

Microsoft Azure Purview provides new multi-cloud support

In December 2020, we announced Azure Purview, a unified data governance service that facilitates the mapping and control of organizational data no matter where it resides. Azure Purview is integrated with Microsoft Information Protection, which means you can apply the same sensitivity labels defined in Microsoft 365 Compliance Center to your data in Azure.

Today we’re sharing that we are extending Azure Purview’s ability to automatically scan and classify data to other platforms, such as AWS Simple Storage Services (S3), SAP ECC, SAP S4/HANA, and Oracle Database. Available now in preview, you can now automatically scan and classify data residing within various on-premises data stores using the Azure Purview Data Map.

We are also expanding the insight available within Azure Purview. Available now in preview, Azure Purview can now scan Azure Synapse Analytics workspaces, which enables you to discover and govern data across your serverless and dedicated SQL pools. This expands on Azure Purview’s existing tools enabling customers to scan data across various sources via out-of-the-box connectors in the Data Map.

You can learn more in the Azure Purview blog.

Microsoft 365 Insider Risk Management Analytics available in preview

Another important component of securing your data as people work in new and different ways is effectively managing insider risk. Balancing the ability to quickly identify and manage insider risks while maintaining a dynamic culture of trust and collaboration is a priority for security leaders.

With privacy built-in, pseudonymization on by default, and strong role-based access controls, Insider Risk Management in Microsoft 365 is used by businesses worldwide to quickly get started using machine learning to identify insider risks and take action with integrated collaboration workflows.

Today we’re announcing Microsoft 365 Insider Risk Management Analytics, which can identify potential insider risk activity within an organization and help inform policy configurations. With one click, customers can have the system run a daily scan of their tenant audit logs, including historical activity, and leverage Microsoft 365’s Insider Risk Management Machine Learning engine to identify potential risky activity with privacy built-in by design. Insider Risk Management Analytics will start rolling out to tenants in public preview in mid-March 2021.

For more information, check out the Tech Community blog.

Continued investments to help you address compliance and risk

We’ve been hard at work across our entire portfolio to ensure you have the capabilities you need to protect and govern your data while addressing regulatory compliance and eDiscovery. Here are a few more announcements we’re making today:

  • Additional assessment templates and enhanced capabilities in Compliance Manager to increase regulation visibility, further enrich the user experience, and save you valuable time.
  • Further guidance to get started with Advanced Audit to support your forensic investigations when you suspect a data breach.

In addition, our partner ecosystem plays a critical role in helping you to address your compliance and risk management needs. I’m announcing today that we are expanding the Microsoft Intelligent Security Association (MISA) to include risk management and compliance partners to enable greater scale and customization.

We will continue to innovate and work closely alongside you, our partners, and the industry to improve compliance and security for everyone. We’re on this journey together.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing and governing data in a new hybrid work reality appeared first on Microsoft Security.

Microsoft listed as a Representative Vendor in 2020 Gartner Market Guide for Insider Risk Management Solutions

February 23rd, 2021 No comments

While organizations have long prioritized external cybersecurity risks, many have not paid enough attention to the risks posed by trusted insiders in their organizations. This is a mistake. Insiders often already have access to sensitive data, and the risks, whether malicious or inadvertent, can potentially cause greater damage than external cybersecurity risks.

Two years ago, after a conversation with our Chief Information Security Officer (CISO), Bret Arsenault, we embarked upon an incredible journey developing Insider Risk Management in Microsoft 365, which organizations could use to identify and manage insider risks.

In recognition of these investments, I am announcing that Gartner has listed Microsoft as a Representative Vendor in the 2020 Market Guide for Insider Risk Management Solutions. To us, this recognition reinforces our leadership in delivering an innovative solution that allows organizations to quickly identify and collaboratively manage insider risks while maintaining employee privacy.

According to Gartner, “security and risk management leaders need an insider threat mitigation program that is composed of people, processes and technology.”

A few learnings from the report:

  • The number of incidents has increased by a staggering 47 percent in just two years, from 3,200 in 2018 to 4,700 in 2020.
  • Organizations impacted by insider threats spent an average of $11.45 million in 2020—up 31 percent from $8.76 million in 2018.
  • More than 60 percent of reported insider threat incidents were the result of a careless employee or contractor, and 23 percent were caused by malicious insiders.

We continue to work closely with our customers to gather feedback to help us build better products. Your input provides critical insights as we strive to enrich our Insider Risk Management solution to help you on your journey in identifying and managing insider risks.

For more details about our information archiving solution, visit our website. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Gartner, Market Guide for Insider Risk Management Solutions, 29 December 2020, Jonathan Care, Brent Predovich, Paul Furtado.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft listed as a Representative Vendor in 2020 Gartner Market Guide for Insider Risk Management Solutions appeared first on Microsoft Security.

Categories: cybersecurity

Turning the page on Solorigate and opening the next chapter for the security community

February 18th, 2021 No comments

The recent SolarWinds attack is a moment of reckoning. Today, as we close our own internal investigation of the incident, we continue to see an urgent opportunity for defenders everywhere to unify and protect the world in a more concerted way. We also see an opportunity for every company to adopt a Zero Trust plan to help defend against future attacks.

The Microsoft Security Response Center (MSRC), which has shared learnings and guidance throughout the Solorigate incident, confirmed today that following the completion of our internal investigation we’ve seen no evidence that Microsoft systems were used to attack others. There was also no evidence of access to our production services or customer data.

However, a concerning aspect of this attack is that security companies were a clear target. Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target. 

But while this highly sophisticated nation-state actor was able to breach the gate, they were met by a unified team of human and digital defenders. There are several reasons why we were able to limit the scope and impact of this incident for our company, customers, and partners, but ultimately, they all boil down to a few fundamental ways we approach security.

We believe these approaches represent an opportunity for all IT and security teams as we collectively navigate a rapidly evolving and sophisticated threat landscape.

Adopt a Zero Trust mindset

A key action is implementing a Zero Trust architecture. In this approach, companies must assume all activity—even by trusted users—could be an attempt to breach systems, and everything a company does should be designed around that assumption.

To guard against these pervasive threats, it’s recommended that organizations deploy zero-trust architecture and defense-in-depth protections, installing defenses like a layer cake across code, coding tools, email, cloud apps, endpoints, identities, the developer community, defender products, everything.

Zero Trust is a proactive mindset. When every employee at a company assumes attackers are going to land at some point, they model threats and implement mitigations to ensure that any potential exploit can’t expand. The value of defense-in-depth is that security is built into key areas an actor might try to break, beginning at the code level and extending to all systems in an end-to-end way.  

Customer Guidance: As companies think about deploying a zero-trust posture and making a transition from implicit trust to explicit verification, the first step to consider is protecting identities, especially privileged user accounts. Gaps in protecting identities (or user credentials), like weak passwords or lack of multifactor authentication, are opportunities for an actor to find their way into a system, elevate their status, and move laterally across the environment, targeting email, source code, critical databases, and more. We witnessed this in Solorigate when abandoned app accounts with no multifactor authentication were used to access cloud administrative settings with high privilege. To explore protecting privileged identity and access, companies should review our post on Securing privileged access overview | Microsoft Docs.
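As an added illustration of the identity gap this guidance describes (example code, not Microsoft's or the post's own), the following Python audit runs over constructed sign-in records and flags the three conditions a defender would want to see: a privileged account authenticating without MFA, an account that reappears after a long dormant period, and an enabled privileged account with no recent sign-in at all. The record layout, the role names, the domain and the 90-day threshold are assumptions for the example, not the real Azure AD sign-in export format.

```python
from datetime import datetime, timedelta, timezone

# Roles treated as high privilege. Constructed list for the example;
# a real tenant has many more directory roles worth including.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
}


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_signins(accounts, signins, now, dormant_days=90):
    """Return findings as (check, account, detail) tuples.

    accounts: {upn: {"roles": set of role names, "enabled": bool}}
    signins:  list of {"user", "time" (ISO 8601), "mfa" (bool), "success" (bool)}
    now:      aware datetime the audit is evaluated against
    """
    window = timedelta(days=dormant_days)
    findings = []

    # Group sign-ins per account, oldest first, so gaps can be measured.
    by_user = {}
    for event in sorted(signins, key=lambda e: parse_ts(e["time"])):
        by_user.setdefault(event["user"], []).append(event)

    for upn, acct in accounts.items():
        privileged = bool(acct["roles"] & PRIVILEGED_ROLES)
        last_success = None
        for event in by_user.get(upn, []):
            if not event["success"]:
                continue  # failed attempts do not change dormancy state
            when = parse_ts(event["time"])
            # Check 1: a privileged account authenticated without MFA.
            if privileged and not event["mfa"]:
                findings.append(("privileged_signin_without_mfa", upn, event["time"]))
            # Check 2: a long-silent account suddenly signs in again.
            if last_success is not None and when - last_success > window:
                findings.append(("dormant_account_reactivated", upn, event["time"]))
            last_success = when
        # Check 3: an enabled privileged account nobody has used recently
        # (or ever) is an abandoned credential waiting to be picked up.
        if privileged and acct["enabled"] and (
            last_success is None or now - last_success > window
        ):
            detail = last_success.isoformat() if last_success else "never"
            findings.append(("dormant_privileged_account", upn, detail))
    return findings


# Constructed sample tenant: one healthy admin, one legacy service account
# with admin rights and no MFA, one forgotten admin, one ordinary user.
NOW = datetime(2021, 2, 18, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = {
    "admin@contoso.example": {"roles": {"Global Administrator"}, "enabled": True},
    "svc-legacy@contoso.example": {"roles": {"Application Administrator"}, "enabled": True},
    "old-admin@contoso.example": {"roles": {"Privileged Role Administrator"}, "enabled": True},
    "alice@contoso.example": {"roles": {"User"}, "enabled": True},
}
SAMPLE_SIGNINS = [
    {"user": "admin@contoso.example", "time": "2021-02-17T09:00:00Z", "mfa": True, "success": True},
    {"user": "svc-legacy@contoso.example", "time": "2020-06-01T08:00:00Z", "mfa": False, "success": True},
    {"user": "svc-legacy@contoso.example", "time": "2021-02-10T03:12:00Z", "mfa": False, "success": True},
    {"user": "old-admin@contoso.example", "time": "2020-10-01T12:00:00Z", "mfa": True, "success": True},
    {"user": "alice@contoso.example", "time": "2021-02-16T10:00:00Z", "mfa": False, "success": True},
    {"user": "alice@contoso.example", "time": "2021-02-16T10:05:00Z", "mfa": False, "success": False},
]


if __name__ == "__main__":
    for check, account, detail in audit_signins(SAMPLE_ACCOUNTS, SAMPLE_SIGNINS, NOW):
        print(f"{check:32} {account:28} {detail}")
```

The ordinary user signing in without MFA is deliberately not reported here; the point of the check is the privileged set, where the post's guidance says the gap matters most.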

Embrace the cloud

We were also reminded of the importance of cloud technology over on-premises software. Cloud technologies like Microsoft 365, Azure, and the additional premium layers of services available as part of these solutions, improve a defender’s ability to protect their own environment.  

Baseline layers of protection are not enough for today’s sophisticated threats. Defense strategies must match up to these increasingly sophisticated attacks while factoring in the complexities of securing a remote workforce. If you are not thinking about advanced layers of protection that can detect, alert, prevent, and respond to attacks across identities, email, cloud apps, and endpoints, you may be locking a door while leaving the window open. From Microsoft, consider technologies like Azure Active Directory and Microsoft 365 Defender.

One of the most important pieces of guidance for any security posture that we can share right now is to layer up, no matter who your security vendors are. 

In addition, with the Microsoft cloud, customers benefit from industry-leading threat intelligence, powerful AI, machine learning, and defense-in-depth capabilities that most companies simply could not develop on their own. Our platform and services assess over eight trillion security signals every day, enabling Microsoft to take more of the work off a defender’s plate. Our technology can surface and correlate security alerts that could represent a larger issue or remediate issues on demand with our own threat experts. As an example, in 2020 over 30 billion email threats were blocked by Microsoft cloud technology. 

Customer Guidance: One of the things our customers should consider is managing identity and access from the cloud. When you rely on on-premises services, like an authentication server, it is up to the customer to protect their identity infrastructure. With a cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud. Our cloud-scale machine learning systems reason over trillions of signals in real time, so we can detect and remediate attacks that nobody else can see. 

Strengthen the community of defenders

Finally, we know that we all have an important role to play in strengthening and empowering the defender community at large. It was great to see this sharing in action in December when FireEye first alerted the community of a “global intrusion campaign.”  

At Microsoft, communicating and collaborating with our customers and partners is a top priority. Over the past several weeks, security teams across Microsoft (Microsoft Threat Intelligence Center/MSTIC, Microsoft Detection and Response Team/DART, Microsoft Cyber Defense Operations Center/CDOC and Microsoft Security Response Center/MSRC) met daily and directly collaborated with customers and partners to share information and respond. We shared the latest threat intelligence, indicators of compromise (IOC), published more than 15 blogs with technical guidance and best practices, and notified customers of potentially related activity. We also offered security trials across our end-to-end product portfolio to give organizations the tools needed to combat this threat.  

This sharing is invaluable to the entire community.  

Customer Guidance: We encourage every company, of every size, to work with the community to share information, strengthen defenses and respond to attacks. Join our Microsoft Security and Compliance Tech Community to start or participate in a variety of community discussions. 

Security is a journey of progress over perfection, and with these three approaches working in unison, we can all help to make the world more safe and secure. 

The post Turning the page on Solorigate and opening the next chapter for the security community appeared first on Microsoft Security.


6 strategies to reduce cybersecurity alert fatigue in your SOC

February 17th, 2021

Today, organizations are faced with the increasingly difficult task of trying to protect their expanding digital estate from sophisticated cybersecurity threats. Migration to the cloud and a mobile workforce has dissolved the network boundary and projected the digital estate beyond its traditional confines. Data, users, and systems are everywhere. Additionally, these systems are increasingly domiciled in the cloud and generating a considerable amount of security data. To add to this, on average, companies with over 1,000 employees maintain about 70 security products from 35 different vendors, according to a recent report by CCS Insight. The end result? A vast amount of alerts that security operations center (SOC) teams have to contend with. Unsurprisingly, according to an ESG¹ study, 44 percent of these alerts go uninvestigated due to a combination of talent scarcity and the multiplicity of security solutions generating a huge volume of alerts.

To help our customers address alert fatigue while still maintaining detection efficacy, Microsoft is leveraging the power of Threat Intelligence, native solution integration, AI, and automation to deliver a unique SIEM and XDR approach. But first things first—what exactly are alerts, events, and incidents in the context of security operations? Below is a graphic that will help answer this question before we delve deeper into how Microsoft technology is helping SOC teams sift through high volumes of alerts and narrow down to manageable high-fidelity incidents.

Diagram distinguishing between events, alerts and incidents

Let us now look at the six strategies that Microsoft employs to help our customers deal with the alert fatigue problem:

1. Threat intelligence

To combat cyberthreats, Microsoft amalgamates trillions of daily signals, across all clouds and all platforms, for a holistic view of the global security ecosystem. Using the latest in machine learning and artificial intelligence techniques—plus the power of smart humans—we put these signals to work on behalf of our customers taking automated actions when threats are detected, and providing actionable intelligence to security teams when further contextual analysis is required.

2. Native integration

Microsoft leverages the tight integration across its threat protection solution stack to help customers connect the dots between disparate threat signals and develop incidents by grouping quality alerts from different parts of their environment and stitching together the elements of a threat. First-party security solutions within the Microsoft 365 Defender offering enable our customers to benefit from real-time interactions amongst the tools, backed by insights from the Intelligent Security Graph. As a result, the quality of alerts is improved, false positives are significantly reduced at source, and in some cases, automatic remediation is completed at the threat protection level. Additionally, this can be combined with log data drawn from third-party solutions such as network firewalls and other Microsoft solutions to deliver an end-to-end investigation and remediation experience, as depicted in the image below.

Image showing integration of Microsoft's XDR offering

3. Machine learning

The third strategy that we employ is the ingestion of billions of signals into our security information and event management (SIEM) solution (Azure Sentinel) then passing those signals through proven machine learning models. Machine Learning is at the heart of what makes Azure Sentinel a game-changer in the SOC, especially in terms of alert fatigue reduction. With Azure Sentinel we are focusing on three machine learning pillars: Fusion, Built-in Machine Learning, and “Bring your own machine learning.” Our Fusion technology uses state-of-the-art scalable learning algorithms to correlate millions of lower fidelity anomalous activities into tens of high fidelity incidents. With Fusion, Azure Sentinel can automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill-chain.

On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be difficult to catch. Secondly, with built-in machine learning, we pair years of experience securing Microsoft and other large enterprises with advanced capabilities around techniques such as transferred learning to bring machine learning to the reach of our customers, allowing them to quickly identify threats that would be difficult to find using traditional methods. Thirdly, for organizations with in-house capabilities to build machine learning models, we allow them to bring those into Azure Sentinel to achieve the same end-goal of alert noise reduction in the SOC. Below is a real-life depiction captured within a certain month where machine learning in Azure Sentinel was used effectively to reduce signal noise.

4. Watchlists

Watchlists ensure that alerts with the listed entities are promoted, either by assigning them a higher severity or by alerting only on the entities defined in the watchlist. Among other use-cases, Azure Sentinel leverages Watchlists as a high-fidelity data source that can be used to reduce alert fatigue. For example, this is achieved by creating “allow” lists to suppress alerts from a group of users or devices that perform tasks that would normally trigger the alert, thereby preventing benign events from becoming alerts.
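As an added example (not code from the original post), the KQL below is the shape of an Azure Sentinel scheduled analytics rule that uses both watchlist patterns described above on Azure AD sign-in logs. It assumes two watchlists exist, `ServiceAccounts` (an allow list of accounts whose sign-in failures are expected noise) and `PrivilegedUsers` (accounts whose alerts should be promoted), both keyed on the user principal name; the aliases and the failure threshold are assumptions.

```kql
// Added example: failed-sign-in burst detection with watchlist-based suppression and promotion.
// Assumed watchlists (aliases are assumptions, not from the post):
//   'ServiceAccounts' - UPNs of automation accounts that legitimately fail often (allow list)
//   'PrivilegedUsers' - UPNs of admin accounts whose alerts should be promoted
// Both watchlists use the user principal name as their SearchKey column.
let allowListed = _GetWatchlist('ServiceAccounts') | project SearchKey;
let privileged  = _GetWatchlist('PrivilegedUsers') | project SearchKey;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                      // a non-zero ResultType is a failed sign-in
| where UserPrincipalName !in~ (allowListed)   // allow list: known-benign accounts never become alerts
| summarize Failures  = count(),
            SourceIPs = make_set(IPAddress, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by UserPrincipalName, AppDisplayName
| where Failures >= 10                         // constructed threshold; tune to the tenant's baseline
| extend IsPrivileged = UserPrincipalName in~ (privileged)
// Severity column for the rule's alert-details override: listed privileged users are promoted to High.
| extend Severity = iff(IsPrivileged, "High", "Medium")
| project LastSeen, FirstSeen, UserPrincipalName, AppDisplayName, Failures, SourceIPs, IsPrivileged, Severity
```

Mapping the rule's alert severity to the `Severity` column (via the rule's alert details settings) is what turns the watchlist membership into the promotion the paragraph describes; the allow list removes the benign rows before the threshold is even evaluated.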

5. User and entity behavior analytics

User and entity behavior analytics (UEBA) is natively built into Azure Sentinel targeting use-cases such as abuse of privileged identities, compromised entities, data exfiltration, and insider threat detection. Azure Sentinel collects logs and alerts from all of its connected data sources, then analyzes them and builds baseline behavioral profiles of your organization’s entities (users, hosts, IP addresses, applications, and more) across peer groups and time horizons. With the UEBA capability, SOC analysts are now empowered to reduce not just false positives but also false negatives. UEBA achieves this by automatically leveraging contextual and behavioral information from peers and the organization that typical alert rules tend to lack. The image below depicts how UEBA in Azure Sentinel narrows down to only the security-relevant data to improve detection efficiency:

image showing UEBA efficiency funnel

6. Automation

The lower tiers of a SOC are typically tasked with triaging alerts, and this is where the critical decisions need to be made as to whether alerts are worth investigating further or not. It is also at this point that automation of well-known tasks that do not require human judgment can have the most significant impact in terms of alert noise reduction. Azure Sentinel leverages Logic Apps native to Azure to build playbooks that automate tasks of varying complexity. Using real-time automation, response teams can significantly reduce their workload by fully automating routine responses to recurring types of alerts, allowing SOC teams to concentrate more on unique alerts, analyzing patterns, or threat hunting. Below is an example of a security playbook that will open a ticket in ServiceNow and send a message to an approver. With a click of a button, if they confirm activity from a malicious IP as a true positive, then automatically that IP is blocked at the firewall level, and the user’s ID is disabled in Azure Active Directory.

cross-vendor security remediation playbook


We have looked at 6 effective strategies that organizations can use to minimize alert fatigue and false positives in the SOC. When they are combined across a unified ecosystem, including Threat Intelligence, the Microsoft Security suite, UEBA, and automation and orchestration capabilities tightly integrated with the Azure platform and Azure Sentinel, alert noise can be significantly reduced. Additionally, Azure Sentinel offers capabilities such as alert grouping and the intuitive Investigation Graph, which automatically surfaces prioritized alerts for investigation and also provides automated expert guidance when investigating incidents. To significantly increase your detection rates and reduce false positives while simplifying your security infrastructure, consider including our unique SIEM and XDR solution, comprising Azure Sentinel and Microsoft Defender capabilities, in your threat defense and response strategy.

Unified security ecosystem funnel

Additional resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Special thanks to Sarah Young, Chi Nguyen, Ofer Shezaf, and Rafik Gerges for their input. 

¹ESG: Security Analytics and Operations: Industry Trends in the Era of Cloud Computing 2019.


Sophisticated cybersecurity threats demand collaborative, global response

February 4th, 2021

Microsoft’s response to Solorigate

Since December, the United States, its government, and other critical institutions including security firms have been addressing the world’s latest serious nation-state cyberattack, sometimes referred to as ‘Solorigate’ or ‘SUNBURST.’ As we shared earlier, this is a moment of reckoning for our industry and needs a unified response of defenders across public and private sectors. Microsoft is committed to protecting our customers and safeguarding our communities, and we are proud to partner with industry partners to respond to this attack and strengthen our collective defenses. We believe transparency and clarity are important for strong cybersecurity and, in that spirit, we are sharing information about some commonly asked questions. We look forward to serving and protecting our customers and communities.

Question: What has Microsoft’s role been in the Solorigate incident?


As Brad Smith wrote on December 17, 2020, Solorigate is a moment of reckoning for security. We believe the Solorigate incident is an opportunity for the industry to work together to share information, strengthen defenses, and respond to attacks. We are proud to be part of the collaborative work being done to empower the defender community. Over the past two months, there have been several disclosures related to the Solorigate actor and Microsoft has had a unique perspective from several angles:

  • Helping investigate with FireEye.
  • Using indicators to find unusual activity and notifying customers and partners.
  • Helping with customer investigations.
  • Investigating our own environment.

In all of our investigations to date, data hosted in Microsoft services (including email) was sometimes a target in the incidents, but the attacker had gained privileged credentials in some other way.

Find the latest findings and guidance on Solorigate here.

Question: With your broad engagement, you’ve been criticized for not disclosing details as soon as you knew about them. How do you respond?


We believe the Solorigate incident is an opportunity for the industry to work together to share information, strengthen defenses, and respond to attacks.

We have a very talented and experienced cybersecurity response team. In those situations where we provide investigative support to other organizations, we are restricted from sharing details. In these engagements, as well as when we notify organizations, those organizations have control in deciding what details they disclose and when they disclose them.

Additionally, investigations sometimes discover early indicators that require further research before they are actionable. Taking the time to thoroughly investigate incidents is necessary in order to provide the best guidance to the broader security community, our customers, and our partners.

We share actionable information regularly on our Solorigate resource center, and we are committed to providing additional updates if and when we discover new information to help inform and enable the community.

Question: The Cybersecurity & Infrastructure Security Agency (CISA) says other attack vectors have been discovered apart from SolarWinds. Has Microsoft in any way been an initial entry point for the Solorigate actor?


No. In our investigations to date, data hosted in Microsoft services (including email) was sometimes a target in the incidents, but the attacker had gained privileged credentials in some other way.

From the beginning, we have said that we believe this is a sophisticated actor that has many tools in its toolkit, so it is not a surprise that a sophisticated actor would also use other methods to gain access to targets. In our investigations and through collaboration with our industry peers, we have confirmed several additional compromise techniques leveraged by the actor, including password spraying, spearphishing, use of a webshell through a web server, and delegated credentials.

As we learn more from our engagements, we will continue to improve our security products and share learnings with the community. For the most up-to-date information and guidance, please visit our resource center.

Question: What should we know about the Microsoft notifications to customers? Does that mean you detected a compromise in Microsoft services?


No, it means our telemetry indicated unusual activity in authorized accounts.

As part of the investigative team working with FireEye, we were able to analyze the attacker’s behavior with a forensic investigation and identify unusual technical indicators that would not be associated with normal user interactions. We then used our telemetry to search for those indicators and identify organizations where credentials had likely been compromised by the Solorigate actor.

Microsoft directly notifies the affected customers to provide the indicators they need to investigate the observed behavior with their organizational knowledge and within their specific context.

Question: Some have interpreted the wording in the SolarWinds 8K to mean that they were made aware of or were investigating an attack vector related to Microsoft Office 365. Has that been investigated?

The 8K wording is, “SolarWinds uses Microsoft Office 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the Company’s emails and may have provided access to other data contained in the Company’s office productivity tools.”


We have investigated thoroughly and have found no evidence they were attacked via Office 365. The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation. SolarWinds has confirmed these findings in their blog on February 3, 2021.

Question: Reuters broke news on December 17, 2020, alleging that “Microsoft’s own products were then used to further the attacks” and saying it was not immediately clear “how many Microsoft users were affected by the tainted products.” Is that article accurate?


No, it is not accurate. As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others. Data hosted in Microsoft services (including email) was sometimes a post-compromise target of attack, but only after an attacker had gained privileged credentials in some other way.

Question: Some companies say the hackers entered their systems via Microsoft products. Do you dispute this?


We’ve investigated each situation as we became aware of it and, in each case, data hosted in Microsoft services (including email) was a target in the incident, but the attacker had gained privileged credentials in another way.

Question: When did Microsoft know about being attacked by the Solorigate actor?


Our security teams work continually to protect users, devices, and data from ongoing threats to our environment, but the investigations specifically focused on the Solorigate actor began when we became aware of the malicious SolarWinds applications.

We published a Microsoft Internal Solorigate Investigation Update on December 31, 2020, and will provide another update soon.

Question: Given how serious Solorigate is, what can be done? What is the big takeaway?


The cybersecurity industry has long been aware that sophisticated and well-funded actors were theoretically capable of advanced techniques, patience, and operating below the radar, but this incident has proven that it isn’t just theoretical.

We believe the Solorigate incident has proven the benefit of the industry working together to share information, strengthen defenses, and respond to attacks.

Additionally, the attacks have reinforced two key points that the industry has been advocating for a while now—defense-in-depth protections and embracing a zero trust mindset.

Defense-in-depth protections and best practices are really important because each layer of defense provides an extra opportunity to detect an attack and take action before they get closer to valuable assets. We saw this ourselves in our internal investigation, where we found evidence of attempted activities that were thwarted by defense-in-depth protections. So, we again want to reiterate the value of industry best practices such as outlined here, and implementing Privileged Access Workstations (PAW) as part of a strategy to protect privileged accounts.

A zero trust, “assume breach” philosophy is an important approach to defense. Many of the techniques we’ve observed are post-compromise techniques, so security companies and Microsoft are looking for ways to improve detections and provide protection even when an attacker gains unauthorized access.



The state of apps by Microsoft identity: Azure AD app gallery apps that made the most impact in 2020

January 27th, 2021

2020 was an unprecedented year, to say the least. The COVID-19 global pandemic drastically changed how we work, learn, and collaborate. Organizations had to find new ways to connect and maintain productivity while providing secure access to critical apps and resources. Our own Microsoft services, like Teams, served as the lifeline for remote and hybrid work and learning during the pandemic—growing rapidly from 44 million daily active users in March 2020 to 115 million daily active users this past October. But we know that businesses need many tools and apps to succeed, and our commitment is to ensure that solutions work seamlessly and securely across platforms and extend to all clouds and apps.

Recently, we analyzed enterprise cloud app usage and took a deeper look at how and what applications organizations are securing with Azure Active Directory (Azure AD). In our analysis, we looked at organizations’ application usage within our Azure AD app gallery, excluding Microsoft applications such as Azure, Dynamics 365, Office 365, and Teams. Our Azure AD app gallery enables organizations to quickly secure and manage apps of all types and includes thousands of pre-integrated apps. We’re seeing customers of all sizes integrate all their apps with Azure AD to give their workforce a more convenient and secure experience. Read on for insights into how app usage shifted in 2020 compared to the years prior.

The rise of security and collaboration apps to enable remote work

The challenges of 2020 forced leaders to rethink their priorities to ensure their teams can securely access apps from anywhere, anytime. The statistics reflect this. For example, the number of monthly active users of Azure AD app gallery apps has increased 109 percent year-over-year. And last year, when Microsoft surveyed 800 business leaders about their views of the pandemic threat landscape, they listed “Providing secure remote access to resources, apps, and data” as their number one challenge.

Line graph showing Azure AD app gallery monthly active users has grown over 109% year-over-year.

It’s no surprise, then, that apps and services that help ensure secure, remote access to on-premises, and cloud resources grew tremendously last year. Organizations have recognized that remote access to all apps including legacy, on-premises apps have become critically important in the new way of work. Security tools like Citrix ADC, Palo Alto Networks Prisma Access, and Zscaler Private Access, which help employees securely access any app regardless of location, have become business-critical, making them some of the fastest-growing applications in our app gallery this past year.

In addition to increasing investments in the security space, communication, and collaboration apps have been instrumental to ensure business continuity. We recognize that securing any app is a team effort, so we work closely with app providers of all types to integrate with Azure AD, even Microsoft competitors. Apps like Cisco Webex, Google Cloud / Google Workspace, Workplace from Facebook, and Zoom are some of the top apps Azure AD secures to help organizations maintain productivity while helping people feel more connected.

We’ve also continued to see a few apps consistently in our most popular apps list. Human Resource apps like SAP SuccessFactors and Workday and IT Service Management apps like ServiceNow continue to see widespread usage among our customers in 2020.

The top apps of 2020

The global pandemic clearly had an impact on which apps were used the most. Companies shifting to remote work improved productivity with apps that strengthened communication, collaboration, and security.

For the first time, security apps like Palo Alto Networks Prisma Access and Zscaler Private Access made their way to the top 15 apps by monthly active users. Other newcomers to the top 15 apps list include collaboration and communication apps; Workplace from Facebook and Zoom. Zoom not only made its 2020 debut within the top 15 on this list, it catapulted to number 5.

Table showing the top 15 applications in the Azure AD app gallery by monthly active users in 2020, 2019 and 2018.

ServiceNow continues to lead in monthly active users for the third year in a row. Google Cloud / Google Workspace, SAP SuccessFactors, and Workday have maintained their leading ranks through the years, as organizations of all sizes need HR, IT Service Management, and general productivity applications.

From Q1 2020 to Q2 2020, as the global pandemic hit, many of these top apps accelerated in usage to help provide secure remote access for users and to help manage their digital workflows.

Line graph that shows monthly active users of the top 15 applications by monthly active users graphed from Q3 2018 to Q4 2020.

We also noticed some subtle differences when comparing the most popular apps by monthly active users with the most popular apps by the number of organizations. Popularity by the number of organizations looks at the apps most used among our customers. With organizations relying more heavily on video conferencing, Zoom made the jump from number 10 in 2018 to number 1 in 2020, pushing list leaders like Google Cloud / Google Workspace, and Salesforce from the top two spots.

In addition to Zoom, KnowBe4 Security Awareness made its way to the top 5 apps in 2020. It rose from number 12 in 2018 to number 8 in 2019, increasing steadily in usage from the beginning of quarter two 2020 to the end of the year, stressing the importance of security training and awareness within the workforce.

Table showing the top 15 applications in the Azure AD app gallery by number of organizations in 2020, 2019, 2018.

Cisco Webex, DocuSign, Mimecast Personal Portal, and Palo Alto Networks Prisma Access made their first appearance on this list in 2020, reinforcing the shifts we’ve seen throughout our analysis.

Unlike the security and collaboration apps that topped the list, apps like SAP Concur, a travel and expense management service, dropped off the top 15 list. Due to travel restrictions, those used to traveling regularly for work have swapped out face-to-face meetings for virtual calls from home.

Line graph that shows number of organizations of the top 15 applications by number of organizations graphed from Q3 2018 to Q4 2020.

The most popular apps by organization size

When we analyzed the most popular apps used based on organization size, we found several apps commonly deployed in organizations of all sizes: Google Cloud / Google Workspace, Salesforce, and Zoom.

In contrast, deployment of HR and IT service management apps, necessary to ensure business continuity during the pandemic, differ based on the organization size. These apps have not only helped enable remote onboarding and offboarding, but they’ve also helped IT teams fulfill employee requests for applications, devices, or services.

While enterprise and mid-market organizations use HR apps such as SAP SuccessFactors and Workday, small businesses commonly use BambooHR. And HR apps like UltiPro and Cornerstone OnDemand are used more by mid-market businesses.

Enterprise and mid-market organizations regularly deploy the IT service management app ServiceNow, while small businesses predominantly use Freshservice.

The top 10 most popular apps in the Azure AD app gallery based on organization size. Organization size based on enterprise (5000+ monthly active users), mid-market (250-4999 monthly active users) and small business (<250 monthly active users).

The most popular apps by industry

The same broad trends and app usage apply to the most popular apps by industry. Apps like Google Cloud / Google Workspace, Salesforce, ServiceNow, Workday, and Zoom are popular across all industries. Security, collaboration, and workflow management were priorities this past year despite the differences between each industry.

One industry, education, had a distinct set of popular apps, with apps like Brightspace, Canvas, and Clever ranking in the top five. These learning management systems helped schools and institutions adapt to remote learning and became central hubs for digital instruction this past year.

For shift-based industries that rely on frontline workers, like Retail and Healthcare, Kronos is a popular app to help with workforce management activities like employee scheduling.

The top 5 most popular apps in the Azure AD app gallery based on industry. Industries include travel, telecom, retail, professional services, manufacturing, healthcare, government, financial services, education, consumer goods, automotive, and energy.

The most popular apps by category

This year, we also analyzed the most popular apps across app categories based on monthly active users. We looked at the top five apps across 10 app categories, ranging from education apps to security apps to IT service management apps, as summarized in the table below.

The top 5 most popular apps in the Azure AD app gallery based on application category. Categories include, education, human resources, security, IT service management, data services, travel and expenses, CRM, communication and collaboration, content management, project management.

2020’s fastest-growing apps

Apps that help employees with secure remote work are not only some of the most popular but also among the fastest-growing. Half of the top 10 fastest growing apps in 2020 were security-focused. Apps from our secure hybrid access partnerships—Citrix ADC, Palo Alto Networks Prisma Access, and Zscaler Private Access—which enable customers to access legacy and on-premises apps, have also grown quickly. Other security apps include Cisco Umbrella, the fastest growing app this past year, and BeyondTrust Remote Support.

Zoom saw extraordinary growth in 2020. Its place as the third fastest-growing app this past year is particularly impressive given it was already popular and widely used. Data management and analytics solutions grew quickly this year too. Snowflake and SAP Analytics Cloud became the eighth and ninth fastest-growing apps, respectively.

This past year also saw Amazon Business become one of the fastest-growing apps. Amazon Business is a marketplace that simplifies the purchasing process and helps get products into the hands of organizations. The pandemic accelerated online shopping for consumers and it’s no different for businesses. Businesses have shifted their purchasing and procurement to online with Amazon Business becoming the fifth fastest growing app in 2020.

Bar chart showing the fastest growing apps by year-over-year percentage growth by monthly active users in the Azure AD app gallery in 2020.

Secure digital transformation

Whether we look at the most popular apps by monthly active users, the number of organizations, industries, or customer type, or we look at the fastest growing apps of 2020, investment in security is an undeniable trend. The pandemic has both accelerated digital transformation timelines and increased the need for advanced security that organizations can rely on to provide secure access to their users wherever they may be working.

We’ve seen more users turn on security capabilities like multi-factor authentication (MFA)—the number of monthly active users utilizing MFA with Azure AD has grown 150 percent year-over-year. Passwordless technology also experienced a breakthrough year. Passwordless usage in Azure AD went up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.

Our own Azure AD App Proxy service, which helps organizations with remote access to critical on-premises apps, also experienced huge growth this past year. From February to March, the number of monthly active users spiked by roughly 60 percent as the global pandemic started to take hold. Since then, the number of monthly active users has continued to rise, increasing by roughly 100 percent year-over-year. Thanks to Azure AD App Proxy, organizations have been able to quickly provide secure, remote access to mission-critical apps that reside on-premises or use legacy authentication protocols like HTTP or header-based.

Line graph showing Azure AD app proxy monthly active users has grown over 100% year-over-year.

That’s a wrap on 2020

Users, organizations, and industries alike are investing in improving security and collaboration. Cloud-based apps that provide secure access and reliable communication have become a vital part of organizations’ day-to-day operations.

App adoption is growing, and the changing digital landscape has changed the way people work. From security apps like Palo Alto Networks Prisma Access to education apps like Blackboard Learn and communication apps like Zoom or Teams, people are relying more heavily on cloud apps to get their work done. We expect these trends to continue past 2020 as security remains a top priority and remote work continues to require advanced communication and collaboration capabilities. In the wake of 2020, companies will continue to evaluate the cultural and business impact of the shift to remote work and to try to understand where that shift will take them in 2021.

Connecting all of your apps to Azure AD can help safeguard and streamline access while simplifying management and reducing costs. In fact, Forrester estimates that customers can gain a 123 percent return on investment by securing all apps with Azure AD. To learn how to help your employees working from home remain productive, visit our secure remote work resources or read the Top 5 ways Azure AD can help you enable remote work. We hope you’ve enjoyed this year’s app trends data report, which you can also download here, and we look forward to seeing you next year.


Microsoft takes privacy seriously. We remove all personal data and organization-identifying data, such as company name, from the data before using it to produce reports. We never use customer content such as information within an email, chat, document, or meeting to produce reports. Application usage and trend data in this report was analyzed based on applications available in the Azure AD app gallery. We excluded Microsoft owned applications from the data such as Office 365, Teams, Azure, Dynamics, LinkedIn, GitHub, and other Microsoft applications from this report. The report includes data from December 31, 2018, to December 31, 2020.

The post The state of apps by Microsoft identity: Azure AD app gallery apps that made the most impact in 2020 appeared first on Microsoft Security.

Announcing the general availability of Azure Defender for IoT

January 27th, 2021

As businesses increasingly rely on connected devices to optimize their operations, the number of IoT and Operational Technology (OT) endpoints is growing dramatically—industry analysts have estimated that CISOs will soon be responsible for an attack surface multiple times larger than just a few years ago.

Today we are announcing that Azure Defender for IoT is now generally available.

Defender for IoT adds a critical layer of security for this expanding endpoint ecosystem. In contrast to user devices (laptops and phones) and server infrastructure, many IoT and OT devices do not support the installation of agents and are currently unmanaged and therefore invisible to IT and security teams. Without this visibility, it is extremely challenging to detect if your IoT and OT infrastructure has been compromised. Further increasing risk, many of these devices were not designed with security in mind and lack modern controls such as strong credentials and automated patching.

As a result, there is understandable concern about Cyber-Physical System (CPS) risk in OT and industrial control system (ICS) environments such as electricity, water, transportation, data centers, smart buildings, food, pharmaceuticals, chemicals, oil and gas, and other critical manufactured products. Compared to traditional IT risk, the business risk associated with IoT and OT is distinct and significant:

  • Production downtime, resulting in revenue impact and critical shortages.
  • Theft of proprietary formulas and other sensitive intellectual property, causing loss of competitive advantage.
  • Safety and environmental incidents, leading to brand impact and corporate liability.

Traditional security tools developed for IT networks are unable to address these risks because they lack awareness of specialized industrial protocols such as Modbus, DNP3, and BACnet, and of the different class of equipment from manufacturers like Rockwell Automation, Schneider Electric, Emerson, Siemens, and Yokogawa.

Proactive IoT and OT security monitoring and risk visibility

With Defender for IoT, industrial and critical infrastructure organizations can now proactively and continuously detect, investigate, and hunt for threats in their IoT and OT environments. Incorporating specialized IoT and OT aware behavioral analytics and threat intelligence from our recent acquisition of CyberX, Azure Defender for IoT is an agentless security solution for:

  • Auto-discovery of IoT and OT assets.
  • Identification of vulnerabilities and prioritization of mitigations.
  • Continuous monitoring for IoT and OT threats, anomalies, and unauthorized devices.
  • Unified IT and OT security monitoring and governance. This is achieved via deep integration with Azure Sentinel, Microsoft’s cloud-native SIEM and SOAR platform, for sharing rich contextual information about IoT and OT assets and threats related to incidents. Support is also provided for other SOC workflows and security stacks including Splunk, IBM QRadar, and ServiceNow.

Azure Defender for IoT provides comprehensive IoT and OT security including asset discovery, vulnerability management, and continuous threat detection, combined with deep Azure Sentinel integration.

Fast and flexible deployment options

Defender for IoT is agentless, has deeply embedded knowledge of diverse industrial protocols, and makes extensive use of machine learning and automation, eliminating the need to manually configure any rules or signatures or have any prior knowledge of the environment.

This means that Defender for IoT can typically be rapidly deployed (often in less than a day), making it an ideal solution for organizations with tight deadlines and short plant maintenance windows. Plus, it uses passive, non-invasive monitoring via an on-premises edge sensor which analyzes a copy of the network traffic from a SPAN port or TAP—so there’s zero impact on IoT and OT network performance or reliability.

To provide customers flexibility and choice, Defender for IoT offers multiple deployment options:

  • On-premises for highly regulated or sensitive environments.
  • Azure-connected for organizations looking to benefit from the scalability, simplicity, and continuous threat intelligence updates of a cloud-based service, plus integration with the Azure Defender XDR.
  • Hybrid where security monitoring is performed on-premises but selected alerts are forwarded to a cloud-based SIEM like Azure Sentinel.
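The passive sensor described above works on a copy of the traffic, so everything it knows comes from parsing the industrial protocols on the wire. The following is an added illustrative example, not Defender for IoT code: a minimal Modbus/TCP parser that builds an asset inventory from captured frames and raises alerts for write commands from hosts outside a learned baseline, for unknown function codes, and for malformed frames. The IP addresses, the baseline, and the captured frames are constructed for the example.

```python
"""
Passive Modbus/TCP monitoring, added as an illustrative example (not Defender
for IoT code). It parses frames copied from a SPAN port or TAP, builds an
asset inventory, and flags write commands from hosts outside a learned
baseline. Frames, addresses and the baseline below are constructed.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification)
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
OTHER_FUNCTIONS = {7, 8, 11, 12, 17, 20, 21, 22, 23, 24, 43}  # diagnostics, file, FIFO, MEI


@dataclass
class ModbusRequest:
    src: str       # source IP of the captured packet
    unit_id: int   # addressed PLC / slave unit
    function: int
    data: bytes


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code + data)."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol id {proto_id}")
    # The MBAP length field counts the unit id byte plus the PDU that follows it
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, unit_id, payload[7], payload[8:])


def analyze(frames, baseline_writers):
    """Return (inventory, alerts). inventory maps each client host to the unit
    ids it addressed; alerts lists writes from non-baseline hosts, unknown
    function codes and malformed frames."""
    inventory = {}
    alerts = []
    for src, payload in frames:
        try:
            req = parse_modbus_tcp(src, payload)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus frame ({exc})")
            continue
        inventory.setdefault(src, set()).add(req.unit_id)
        if req.function in WRITE_FUNCTIONS:
            if src not in baseline_writers:
                addr = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
                alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} to unit "
                              f"{req.unit_id} address {addr} from a host outside the write baseline")
        elif req.function not in READ_FUNCTIONS and req.function not in OTHER_FUNCTIONS:
            alerts.append(f"{src}: unknown function code {req.function} to unit {req.unit_id}")
    return inventory, alerts


# Constructed capture: (source IP, raw TCP payload of one Modbus/TCP request)
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("000100000006010600100001")),   # engineering station writes register 0x0010 := 1
    ("10.0.0.7", bytes.fromhex("00020000000601030000000a")),   # HMI reads 10 holding registers (normal polling)
    ("10.0.0.99", bytes.fromhex("00030000000601050005ff00")),  # unknown host forces coil 5 ON
    ("10.0.0.99", bytes.fromhex("000400000003015a00")),        # unknown host sends function code 0x5a
    ("10.0.0.99", bytes.fromhex("0005000000090103")),          # truncated frame, MBAP length mismatch
]
BASELINE_WRITERS = {"10.0.0.5"}  # hosts observed writing during the learning period (constructed)


def run_sample():
    return analyze(SAMPLE_FRAMES, BASELINE_WRITERS)


if __name__ == "__main__":
    inventory, alerts = run_sample()
    print("inventory:", inventory)
    for alert in alerts:
        print("ALERT:", alert)
```

The baseline here is a static set; a real sensor learns it during an initial observation window and keeps refining it, and it would also carry the Modbus transaction id through to match requests with responses.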

Onboarding the network sensor to connect to Azure Sentinel via Azure IoT Hub (optional).

Proven in some of the world’s most complex and diverse environments

The technology delivered with Defender for IoT has been deployed in some of the world’s largest and most complex environments, including:

  • Three of the top 10 U.S. energy utilities, plus energy utilities in Canada, EMEA, and APAC.
  • Three of the top 10 global pharmaceutical companies.
  • Global 2000 firms in manufacturing, chemicals, oil and gas, and life sciences.
  • One of the world’s largest regional water utilities.
  • Building management systems (BMS) for data centers and smart buildings worldwide, including in Microsoft’s own Azure data centers.
  • Multiple government agencies.

Getting started with Azure Defender for IoT

You can try Defender for IoT for free for the first 30 days and for up to 1,000 devices. After that, you pay on a per-device basis in increments of a thousand devices. Visit the product page and getting started pages to learn more.

For more detailed product information:

  • Read our blog post describing the product architecture and capabilities in more detail, titled “Go inside the new Azure Defender for IoT.”
  • Watch our 30-minute Ignite session with a demo showing how integration with Azure Sentinel and IoT and OT-specific SOAR playbooks enable faster detection and response to multistage attacks that cross IT and OT boundaries, using the TRITON attack on a petrochemical facility as an example.
  • If you’re currently using Azure Defender for IoT, read our article about updating it with the latest threat intelligence package for detecting threats related to the compromise of the SolarWinds Orion product and theft of FireEye’s Red Team tools.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Protecting multi-cloud environments with Azure Security Center

January 27th, 2021

We’ve heard from many of you that multi-cloud adoption is becoming a standard operating model for your organization and that it’s challenging to have the right security controls and posture across your environment. Historically, security teams have not had effective tools to secure multi-cloud infrastructure, and often they needed to address the problem by adding more people.

This is why in September we introduced multi-cloud security support in public preview, and today we are excited to announce the general availability of these capabilities. Now you can onboard multi-cloud resources to Azure Security Center, such as Google Cloud Platform (GCP) and Amazon Web Services (AWS), you can protect your servers with Azure Defender for Servers based on Azure Arc, and we’ve added multi-cloud support to Azure Secure Score, making it easier to focus on the most important things to improve your overall security posture.


“Now that Microsoft supports multi-cloud environments—Amazon Web Services and Google Cloud Platform—there’s no reason for us to look at any other vendor. We get everything we need with Azure Defender.”—Terence Jackson, Chief Information Security and Privacy Officer, Thycotic

Learn more about the Thycotic case study.


When we started developing Azure Security Center, our charter was clear—be the best solution to protect Azure Resources. As we listened to customers, we clearly heard the need to protect resources in multiple clouds, and the desire to simplify tools to manage multi-cloud. We have grown to support these broader needs. Azure Security Center now protects not only hybrid but also multi-cloud resources, including AWS and GCP. The following functionality is now generally available to our customers:

  • Customers can connect their AWS or GCP accounts to ASC to get a unified multi-cloud view of security posture. Specifically, misconfigurations and findings detected by AWS Security Hub and GCP Security Command Center are now included in our Secure Score model and regulatory compliance experience.
  • Azure Defender for Servers leverages Azure Arc to simplify the on-boarding and security of virtual machines running in AWS, GCP, and hybrid clouds. This includes automatic agent provisioning, policy management, vulnerability management, embedded EDR, and more.
  • These new features complement the multi-cloud support for Azure Defender for SQL that was released in December.

In addition to new multi-cloud support, Azure Security Center continues to be one of the best-of-breed solutions to protect Azure resources. Today we are improving the richness of security recommendations in Azure by turning on Azure Security Benchmark as the default security policy for Azure Security Center. As a result, Azure Secure Score now reflects a much broader set of recommendations and spans a broader set of Azure resources.

Also, the full control set layout of the Azure Security Benchmark in the compliance dashboard is now available to all Azure Security Center customers, including Azure Security Center free tier as well as the existing Azure Defender customers. Customers can now view their compliance relative to the benchmark controls in compliance view while viewing the detailed impact on their Secure Score. By prioritizing remediation of security recommendations using Secure Score metrics, customers can achieve a higher Secure Score and attain their compliance goals, all at the same time.

Finally, in response to your feedback, we have added the ability to exempt resources from the Secure Score both at a subscription level and now at a management group level. This is most useful in cases where you have a third-party technology in place to address a recommendation, such as turning on multi-factor authentication (MFA).

Multi-cloud is going to be a big area of focus for you—and for us—going forward. We are committed to supporting your broad security needs, by continuing to expand our multi-cloud and hybrid support, as well as continuing to provide best of breed solutions to secure Azure. For more information, please visit the Azure Security Center and the Azure Security Center documentation. We are here to listen and build great products that help you thrive—keep the feedback coming.



How companies are securing devices with Zero Trust practices

January 25th, 2021

Organizations are seeing a substantial increase in the diversity of devices accessing their networks. With employees using personal devices and accessing corporate resources from new locations in record numbers, IT leaders are seeing an increase in their attack surface area. They’re turning to Zero Trust security models to ensure they have the visibility they need and that their data is protected as it’s accessed from outside the corporate network using a wider variety of devices.

We surveyed IT leaders around the world to determine how they’re using Zero Trust practices to protect their devices and enable access to the corporate network from unsecured devices.


  1. More personal devices are accessing corporate resources than ever. In response to the substantial shift to remote work, IT leaders report seeing more of their employees using personal devices to access their networks. As a result, they’re prioritizing device management solutions to improve security and control on personal devices.
  2. Devices accessing the network are monitored but often left out of access decisions. While most IT leaders report that they’re monitoring device health and compliance, the majority aren’t currently using that status in their access decision making. Preventing unauthorized and risky devices is critical to protecting corporate data in a modern environment.
  3. Personal devices are widely agreed to increase risk exposure. Over 92 percent of IT leaders agree that a proliferation of personal devices is increasing their attack surface area. However, far fewer say they’re prepared for managing access from unsecured devices.
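Finding two above, that device health is monitored but not used in access decisions, is the gap a Zero Trust policy closes. The following is an added illustrative example, not Microsoft code: a small policy evaluator in which device management and compliance status, together with MFA, decide whether a sign-in is allowed, challenged, or blocked. The sensitivity labels, device records, and users are constructed; one edge case is built in, namely that a compliance report older than a configurable age is treated as unverifiable and therefore not trusted.

```python
"""
Device-aware access decision, added as an illustrative example (not Microsoft
code): device health and compliance signals feed the access decision instead
of only being monitored. All device and request values below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


@dataclass
class DeviceSignal:
    device_id: str
    managed: bool          # enrolled in device management
    compliant: bool        # last compliance evaluation passed
    report_age_hours: int  # hours since the device last reported its health


@dataclass
class AccessRequest:
    user: str
    app_sensitivity: str   # "low", "medium" or "high" (constructed labels)
    mfa_satisfied: bool
    device: DeviceSignal


def device_trusted(device: DeviceSignal, max_report_age_hours: int = 24) -> bool:
    """A device counts as trusted only if it is managed, compliant, and its
    health report is fresh; a stale report cannot be verified, so it is rejected."""
    return (device.managed and device.compliant
            and device.report_age_hours <= max_report_age_hours)


def evaluate(req: AccessRequest) -> tuple:
    """Return (Decision, reason). The reason string is meant for the audit log."""
    trusted = device_trusted(req.device)
    if req.app_sensitivity == "high":
        if not trusted:
            return Decision.BLOCK, "high-sensitivity app requires a trusted device"
        if not req.mfa_satisfied:
            return Decision.REQUIRE_MFA, "high-sensitivity app requires MFA"
        return Decision.ALLOW, "trusted device and MFA satisfied"
    if req.app_sensitivity == "medium":
        if trusted or req.mfa_satisfied:
            return Decision.ALLOW, "trusted device or MFA satisfied"
        return Decision.REQUIRE_MFA, "untrusted device needs MFA for a medium-sensitivity app"
    if req.app_sensitivity == "low":
        return Decision.ALLOW, "low-sensitivity app"
    # Unknown label: fail closed rather than guess a default
    return Decision.BLOCK, f"unknown sensitivity label {req.app_sensitivity!r}"


# Constructed device records
CORP_LAPTOP = DeviceSignal("lap-001", managed=True, compliant=True, report_age_hours=2)
STALE_LAPTOP = DeviceSignal("lap-002", managed=True, compliant=True, report_age_hours=72)
PERSONAL_PHONE = DeviceSignal("byod-17", managed=False, compliant=False, report_age_hours=0)


def sample_decisions() -> dict:
    """Evaluate a set of constructed sign-in requests; returns name -> Decision."""
    cases = {
        "corp_high_mfa": AccessRequest("alice", "high", True, CORP_LAPTOP),
        "corp_high_nomfa": AccessRequest("alice", "high", False, CORP_LAPTOP),
        "stale_high_mfa": AccessRequest("bob", "high", True, STALE_LAPTOP),
        "byod_medium_nomfa": AccessRequest("carol", "medium", False, PERSONAL_PHONE),
        "byod_medium_mfa": AccessRequest("carol", "medium", True, PERSONAL_PHONE),
        "byod_low": AccessRequest("carol", "low", False, PERSONAL_PHONE),
    }
    return {name: evaluate(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name}: {decision.value}")
```

The reason string returned alongside each decision is what makes the policy auditable: when a user is blocked, the log records which signal was missing rather than only that access was denied.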

Check out the infographic for more details.

If you’re looking at how to help prevent devices from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for endpoints.



Identity governance: The power of “Why not?”

January 25th, 2021

Innovation requires the courage to take risks and the leadership skills to show others that risks are worth taking. That’s why I love working with people like Joe Dadzie, a partner group program manager in identity governance. Joe has a long history of championing disruptive technology breakthroughs and delivering for our customers. He’s never shied away from pushing boundaries or breaking free from “the way we’ve always done things” to build better solutions. By his example, he inspires fearlessness in his team and in those he mentors. Joe’s achievements remind all of us in identity that when we focus on the needs of our customers, everyone wins. I hope you enjoy his remarkable story. 

The power of “Why not?” 

A profile headshot of Joe Dadzie, wearing a grey shirt against a cream-colored wall.

The first time Joe Dadzie traveled outside his native Ghana, in 1991, he flew to Boston on a one-way ticket. “I had no freaking clue what the U.S. was like,” he laughs. Inspired by a U.S. State Department advisor whose husband was the first Ghanaian ever to attend Dartmouth, Joe was heading to the New Hampshire-based college to study engineering. “I didn’t know anything about computers,” he admits. “And I had no idea New Hampshire would be so cold!” 

Thirty years later, Joe works in a warmer climate, designing governance technologies in the identity division at Microsoft. “Organizations have security and compliance requirements,” he explains. “They need to reduce the risk of data loss or leakage, and if they’re in regulated industries, they have to pass audits. At the same time, they need to empower their employees to work effectively, with the fewest possible constraints. My team designs tools to help them.” 

Every project Joe’s ever worked on started the same way—with some customer challenge he became fixated on solving. “I’m never going to be a computer science dude,” the twenty-five-year software industry veteran confesses. He finds “super hard problems” infinitely more fascinating than technology. “Utility is more interesting to me because when I look at the groundbreaking technologies I’ve worked on over the years, they rose up, and now some of them are gone.”  

The successive extinctions of technology paradigms in favor of the “hottest new thing” form the mile markers of Joe’s career: from floppies to CDs, from the FAT file system to NTFS, from shrink-wrapped software to cloud-based services. He not only takes change in stride, he pushes it, leading more than one manager to question his sanity. 

“When we proposed Windows Update, the whole notion that you could install things over the Internet didn’t exist,” he recalls. People worried about the optics of taking control of people’s machines for automatic updates. “Are you guys crazy? Nobody wants that!” he remembers his colleagues shrieking. 

“When we did that first Windows service pack, 250 megabytes over the internet, that was revolutionary,” Joe asserts. “Were we going to bring the internet down? We didn’t. And now, Windows Update is baked in for securing users around the world. It just happens.” Software updates that once started with tearing the plastic off the latest release and inserting a disk happen today whenever someone launches a program. Twenty years after Windows Update first started patching PCs, the whole world goes “crazy” every day. 

The “try it” spirit 

Joe is not, in fact, crazy. He’s simply incurably optimistic, responding to each no-one-has-done-this-before challenge with an unassuming “Why not?”  

He’s greeted challenges this way since an early age. “Where I grew up, nobody applied to the top high schools,” Joe says. “I thought it was weird. Why does the teacher say that nobody from our elementary school should apply to this high school? Why not? I think I’m smart enough.” Joe did apply, and he ended up at a top high school in Ghana, where he became a top student—one of the few who achieved a perfect score on the national Ordinary Level General Certificate of Education exam. 

He credits his parents with instilling in him the “you should be able to try stuff” spirit that got him where he is today. “Both of them actually left Ghana to study,” Joe says. “They took this leap of going to England to try something new, did okay, and came back.” Following their lead, Joe applied to colleges in the United States with support from local mentors. The U.S. State Department advisor reassured him that scholarships would cover the tuition he couldn’t afford. An eye surgeon and Stanford University professor who worked with his mom, a nurse, covered his SAT test and college application fees.  

“I got into Dartmouth and told myself to take the leap of faith,” Joe recalls. “Try this. I may not know where it goes, but what’s the worst that could happen? I would go back to Ghana.” 

Maximizing opportunity 

Before matriculating at Dartmouth, Joe had never used computers. He was stunned to learn that the engineering department required all students to buy one—a Mac. “I was like, what the heck is this thing?” he jokes. While other students arrived already knowing how to code, Joe started with basic computer science classes, his sense of obligation fueling his work ethic. 

“I was conscious of not wasting the opportunity that I had,” Joe says. He literally did the math, calculating how much a skipped class would cost in scholarship dollars—a lot of money when converted to Ghanaian currency. “Look,” he reasons, “if you’ve got into someplace through the help of others, maximize it and focus on performance.” 

At first, Joe had no interest in the software industry. “I did a project with a physics professor that ended up being a computer project,” he says. That project, listed on Joe’s resume, caught the eye of a recruiter who encouraged him to attend an info session about Microsoft’s summer internship program. Intrigued by the prospect of visiting the American West Coast, he applied. “Hey, I may not get it because I’m not a computer science guy, but why not try it out?” he told himself. He flew to Redmond, did the interview, and got an offer. 

His summer project—figuring out how to make the software setup process easier for customers—established the tone for the rest of his career. “That internship was fun,” he reminisces. “I got to learn new things, didn’t have to dress up for work, and got to play soccer every lunchtime.” By the end of the internship, Joe was sold on a career in software. He turned down higher-paying offers from consulting and Wall Street firms to return to Microsoft, casual attire, and lunchtime scrimmages.  

Advocating for customers 

In 2000, after working on Windows Update for several months, Joe proposed a corporate version in a paper he submitted for Bill Gates’ ThinkWeek. “Enterprise customers were telling us that they wanted a way to manage updates themselves. I got an email about ThinkWeek that said anybody can submit an idea. I said, ‘Okay, let’s submit something.’ I didn’t know if anyone would read it, but I wanted to respond to customer feedback, and the ThinkWeek paper seemed like an opportunity to do that.”

Reviewers, including Gates, liked the idea of what became the Software Update Service (SUS). Within six months, Joe and his small team of “one other program manager and two or three developers” shipped a beta. Customers responded to SUS with a request that Microsoft extend it to help them manage updates to devices for remote employees and road warriors. Thus, Intune was born. Joe proudly recalls the “awesome customer feedback” they received when Intune shipped. “They wanted to use it!” he enthuses. 

A decade later, Joe returned to Ghana for his sabbatical. “It was 2011. When I talked to people, I realized that I was way too Microsoft-insular.” He noticed, for example, that much of the technology others now used had no Microsoft bits in them. When he returned to work, he struggled to reconcile what customers were telling him they wanted with the strategy his leaders wanted to follow. His father’s death in February 2012 forced him to reassess his priorities, and after seventeen years at Microsoft, he left. 

With no clear plans on what to do next, Joe spent the next two years on a soccer field, training with his pre-teen son, and “learning the non-Microsoft stack” by developing an app for managing soccer teams. For about a year, he also worked on the loyalty platform for a major retailer. 

Then serendipity struck again. 

A new mission 

A Facebook post from a Microsoft friend that said, “When your CEO asks you to take on a new job, you can’t say no,” piqued Joe’s curiosity. “I had been hearing people say that Satya was changing the Microsoft culture,” he says. “So, I reached out.” After talking with several Microsoft managers about potential roles, he decided to take another leap of faith: rejoining the company. 

Although he had an offer from one of his previous teams, Joe liked the identity division’s customer-centric culture and the allure of the unfamiliar. He missed the thrill of seeing a new product area come to life. “All of my previous successes had come from listening to customers, and I liked the idea of taking an unknown thing, then pulling in disparate data to figure it out, plan, and just go solve it.”  

When Joe joined the identity effort, he inherited a single program manager and an on-premises governance tool, Microsoft Identity Manager (MIM). The first thing he did was to resurrect the process that had served him so well in the past: listen to customers, spot the trend, and propose big bold solutions to address it.  

“I knew nothing about identity, so I was like, okay, go on a listening tour,” Joe muses. “What issues did people have with this tool that I own? All the customers were saying, ‘It requires a bunch of consultants. The UI is complicated,’ et cetera.” Microsoft partners told Joe they didn’t use any of the governance capabilities in MIM because they were too complex and not fully integrated. “But even though people complained about MIM, almost every large company had deployed it in some critical area,” Joe reveals. “We concluded that making governance tools easier to use and more integrated would probably solve their problems.” 

An integrated approach  

When Joe embarked on his new mission, the industry had been treating identity governance as separate from access management. Joe doesn’t feel an obligation to preserve their dictionary definitions by insisting the two functions stay separate. “If you focus on the customer problem that governance is a means to help reduce access risk in an organization,” he contends, “then all the things you need in access management and governance have to form a continuum. It cannot be two separate things. 

“The customer is trying to solve a problem that these tools will come together to solve,” he insists. “It’s an end-to-end problem that’s not just about compliance. We also have to enable productivity.” This means simplifying the process of granting people access to resources when they need them and removing access when they don’t while ensuring that IT managers have a complete history they can easily report to regulators.  

“In the governance space, we are trying to help organizations answer four basic questions,” Joe says. “Who has or should have access to resources? What can they do with their access? Should they continue to have that access? And how do you prove that?”

Customers, whether end-users or IT managers, shouldn’t have to “worry,” Joe emphasizes. The system should provide answers automatically. “If there’s a regulatory need to insist that people get approval before accessing a particular resource, then we’ll provide those tools,” he says. “We make it easy for employees to go to the resource, request access, and get that access quickly. Then we automatically remove access when the project ends.” 

Embracing serendipity 

Joe’s Microsoft career has been a series of challenges, choices, and serendipitous opportunities to work on pioneering projects: CD boot, unattended install, common installers, patch updates, Microsoft Intune, and now identity governance. He’s tackled them all with the same aplomb that got him into the high school his teachers had said wasn’t meant for students like him.  

“If you focus on the customer problem, most of the time you get it right,” he offers. “And if things get screwed up, you can fix it and move forward. So why panic and get all riled up?” 

Reflecting back on his career path, he says, “Sometimes it’s about not being afraid of serendipitous opportunities to go learn something new and experience the good things that come out of it.”  

He shares his own story to encourage others to take on new challenges. “My experiences may help other people do more than they think they’re capable of,” he says. Recalling his first flight out of Ghana, when he was a teenager heading to college in a strange land, he asks his mentees, “What’s the worst that could happen? You may fail and have to start over. Or maybe you will change the world. So…Why not?” 

To learn more about Microsoft Identity solutions, visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on cybersecurity. 


Blue Cedar partners with Microsoft to combat BYOD issues

January 21st, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.  

Bring Your Own Device (BYOD) has been a divisive topic within corporations for years. Employees wanted the convenience of working on their own smart devices, and business decision-makers recognized the cost and productivity benefits. IT teams knew unmanaged devices would result in more work and security holes. 

As you know, the business side won out. The line-of-business (LOB) mobile app market exploded, and BYOD became the rule rather than the exception. Today, corporate IT teams manage hundreds of mobile LOBs ranging from apps developed in house to Microsoft 365, with more on the horizon. There is one thing that everyone can agree on, however: Employers should not manage their employees’ personal devices. 

Establishing data boundaries

IT teams constantly struggle to walk the delicate line of managing corporate data without impinging on personal data. The Microsoft Intune and Microsoft Office 365 teams set out to solve the problem together. The teams worked together to develop app protection policies (APPs) for what would become Microsoft Endpoint Manager (MEM). The APP places restrictions on how Office 365 data can be used on a completely managed or completely unmanaged device. Specifically:  

  • Data can only be shared between managed Office 365 apps. 
  • Users cannot forward it or save it to a non-Office 365 resource. 
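The two boundaries above can be checked mechanically against a policy object before it is assigned. The following is an added example (not Blue Cedar or Microsoft code): a small Python linter that compares a permissive app protection policy with a corrected one. The property names follow the Microsoft Graph managedAppProtection resource as I understand it and should be treated as an assumption to verify against current documentation; both policies are constructed samples.

```python
"""Check an Intune app protection policy for the BYOD data boundaries.

Added example. Property names follow the Microsoft Graph managedAppProtection
resource as the author understands it (an assumption to verify against current
docs); the two policies below are constructed samples, not real tenant data.
"""
from __future__ import annotations

# Constructed: a permissive policy that does not enforce the boundaries.
WEAK_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "BYOD - permissive (constructed sample)",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "saveAsBlocked": False,
    "dataBackupBlocked": False,
}

# Constructed: the corrected policy that keeps data inside managed apps.
HARDENED_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "BYOD - corporate data boundary (constructed sample)",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
}

# Each check: (property, acceptable values, finding text).
# The first two enforce "data only moves between managed apps"; the last two
# enforce "users cannot save it to a non-Office 365 resource".
CHECKS = [
    ("allowedOutboundDataTransferDestinations", {"managedApps", "none"},
     "outbound data transfer must be limited to managed apps"),
    ("allowedInboundDataTransferSources", {"managedApps", "none"},
     "inbound data transfer must be limited to managed apps"),
    ("saveAsBlocked", {True},
     "'Save As' to unmanaged locations must be blocked"),
    ("dataBackupBlocked", {True},
     "backup of app data to unmanaged cloud services must be blocked"),
]


def check_app_policy(policy: dict) -> list[str]:
    """Return one finding per boundary the policy fails to enforce.

    A missing property is treated as a failure, so a policy created with
    defaults that were never reviewed is reported rather than silently passed.
    """
    findings = []
    for key, allowed, message in CHECKS:
        value = policy.get(key)
        if value not in allowed:
            findings.append(f"{key}={value!r}: {message}")
    return findings


if __name__ == "__main__":
    for policy in (WEAK_POLICY, HARDENED_POLICY):
        print(policy["displayName"])
        for finding in check_app_policy(policy) or ["  no findings"]:
            print("  " + finding)
```

Running the script lists four findings for the permissive policy and none for the corrected one; wiring `check_app_policy` into a pipeline that pulls policies over Graph is the natural next step but is outside this example.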

Blue Cedar’s solution for Microsoft

IT and security teams have been searching for a solution to accommodate BYOD that won’t compromise network security. The Blue Cedar Platform is a no-code integration service that enables new capabilities to be added to mobile apps post-build without requiring a developer. With a couple of clicks, you can add Intune MAM, Azure Active Directory authentication, and other SDKs into your compiled mobile app. The platform works with native apps or apps written using a mobile framework and integrates into your existing app delivery workflow. Built-in integrations with GitHub and the Intune cloud allow you to build seamless workflows that add new app capabilities and skip manual operations.

Feature highlights: 

  • Add Microsoft Endpoint Manager App Protection Policy capabilities.
  • Add new app authentication flows, including use of the Microsoft Authenticator app.
  • Keep corporate data separate from personal data.
  • Allow users to BYOD without creating security vulnerabilities.
  • Maintain end-user privacy.

Secure VPN connections to on-premises resources

There is one last thing I’d like to tell you about today—and it’s a potential gamechanger for many organizations. Many companies still maintain critical data on-prem, meaning employees can’t easily access it from their mobile devices. Using our patented no-code integration technology, VPN capabilities can be added to mobile apps that allow them to attach to the corporate network.

Our in-app VPN functionality enables users to automatically connect to on-premises and in-cloud networks without requiring device management or complex VPN configuration. The VPN connectivity is transparent to the user and secured via multi-factor authentication backed by Azure AD.

Infographic showing Secure VPN connections to on-premises resources using Blue Cedar

Secure VPN feature highlights: 

  • Extends network availability to on-prem networks. 
  • Permits login with Azure AD credentials. 
  • Separates corporate data from personal data.
  • Improves productivity. 

The Blue Cedar platform is also the only way to securely connect Intune-enabled apps to both cloud and on-premises databases for a single sign-on (SSO) experience without bringing the devices under management. 

Better BYOD for your organization

BYOD is here to stay; the Blue Cedar collaboration with Microsoft will save you time, resources, and budget while providing secure mobile access to your on-prem or cloud-based resources.  

To learn more about the Blue Cedar Platform, visit the Blue Cedar listing in the Azure Marketplace or visit our web page about Blue Cedar’s no-code integration service.

To learn more about the Microsoft Intelligent Security Association (MISA), visit the MISA website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.  

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.  

The post Blue Cedar partners with Microsoft to combat BYOD issues appeared first on Microsoft Security.

How IT leaders are securing identities with Zero Trust

January 19th, 2021 No comments

The past twelve months have been a remarkable time of digital transformation as organizations, and especially digital security teams, adapt to working remotely and shifting business operations. IT leaders everywhere turned to Zero Trust approaches to alleviate the challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.

Infographic: clickable link to the full PDF infographic of the Zero Trust whitepaper

  1. Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices into their identity and access solution, only a minority have moved on to more advanced controls that use automation and AI-based threat analysis.
  2. Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
  3. Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. However, surprisingly, the majority of IT leaders do not rate identities as the most mature component in their Zero Trust strategy.
  4. Zero Trust is still in its infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.

Read the full report for more details.

If you’re looking for how to help prevent endpoints from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How IT leaders are securing identities with Zero Trust appeared first on Microsoft Security.

Azure Active Directory empowers frontline workers with simplified and secure access

January 13th, 2021 No comments

Howdy folks,

The past year has shown us all just how critical frontline workers are to our communities and our economy. They’re the people behind the counter, in the call centers, in hospital ICUs, on the supermarket floor—doing the critical work that makes the difference in feeding our families, caring for the sick, and driving the long-tail economy. Frontline workers account for over 80 percent of the global workforce—two billion people worldwide. Yet because of high scale, rapid turnover, and fragmented processes, frontline workers often lack the tools to make their demanding jobs a little easier.

We believe identity is at the center of digital transformation and the key to democratizing technology for the entire frontline workforce including managers, frontline workers, operations, and IT. This week at the National Retail Federation (NRF) tradeshow, we announced several new features for frontline workers. Building on this announcement, I’m excited to dive into three generally available Azure Active Directory features that empower frontline workers:

1. Streamline common IT tasks with My Staff

Azure Active Directory provides the ability to delegate user management to frontline managers through the My Staff portal, helping save valuable time and reduce security risks. By enabling simplified password resets and phone management directly from the store or factory floor, managers can grant access to employees without routing the request through the helpdesk, IT, or operations.

Figure 1: Delegated user management in the My Staff portal

2. Accelerate onboarding with simplified authentication

My Staff also enables frontline managers to register their team members’ phone numbers for SMS sign-in. In many verticals, frontline workers maintain a local username and password—a cumbersome, expensive, and error-prone solution. When IT enables authentication using SMS sign-in, frontline workers can log in with single sign-on (SSO) for Microsoft Teams and other apps using just their phone number and a one-time passcode (OTP) sent via SMS. This makes signing in for frontline workers simple and secure, delivering quick access to the apps they need most.

Figure 2: SMS sign-in, shown on two devices

Additional layers of Conditional Access enable you to control who is signing in using SMS, allowing for a balance of security and ease of use.

3. Improve security for shared devices

Many companies use shared devices so frontline workers can do inventory management and point-of-sale transactions—without the IT burden of provisioning and tracking individual devices. With shared device sign out, it’s easy for a frontline worker to securely sign out of all apps and web browsers on any shared device before handing it back to a hub or passing it off to a teammate on the next shift. You can choose to integrate this capability into all your line-of-business iOS and Android apps using the Microsoft Authentication Library.

Figure 3: Shared device sign-out screen

Additionally, you can use Microsoft Endpoint Manager to set up and customize how frontline workers use shared devices, with three new preview features for provisioning, setting up device-based Conditional Access policies, and customizing the sign-in experience with Managed Home Screen.

Looking ahead

Working in partnership with our customers, we’re committed to bringing you purpose-built frontline capabilities that deliver secure identity and access that is tailored to your needs and environment. We’ll continue to innovate in 2021, adding features that simplify work, bring people together, and help organizations of all sizes achieve more.

To learn more about Microsoft Identity solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on cybersecurity.

The post Azure Active Directory empowers frontline workers with simplified and secure access appeared first on Microsoft Security.


Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact

January 6th, 2021 No comments

GDPR, HIPAA, GLBA, all 50 U.S. States, and many countries have privacy breach reporting requirements. If an organization experiences a breach of customer or employee personal information, they must report it within the required time frame. The size and scope of this reporting effort can be massive. Using Microsoft 365 Advanced Audit and Advanced eDiscovery to better understand the scope of the breach can minimize the burden on customers as well as the financial and reputational cost to the organization.

A changing privacy landscape

In 2005 ChoicePoint, a Georgia-based financial data aggregator, had a data breach affecting 145,000 of its customers. There were multiple security lapses and resulting penalties, but initially, only ChoicePoint’s California-based customers were required to be notified because, at the time, California, with California Senate Bill 1386, was the only state that had a mandatory privacy breach notification law.

Since that time, all 50 U.S. States have put in place mandatory privacy breach notification laws. Countries in the Americas, the Middle East, Europe, and Asia have adopted privacy standards including mandatory breach notification. Broader regulations that address this issue include California Consumer Privacy Act, China’s Personal Information Security Specification, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), and the European General Data Protection Regulation (GDPR). Given how often these laws are added or updated, it’s challenging for any organization to keep up. As one solution, Microsoft 365 Compliance Manager provides a set of continually updated assessments (174 and growing) to assist our customers with these standards.

A board-level business risk

The reputational and financial risk to a company from a privacy breach can be massive. For example, under California Civil Code 1798.80, which deals with the breach of personal health information, there is a penalty of up to $25,000 per patient record breached. For many standards, there are not only regulatory penalties imposed, but also the right of private action by those whose records have been breached (that is, those whose records have been breached can sue for damages, creating financial liability for a company beyond the regulatory penalties).

There are timeframes under which notification must be made. The California Code requires notification to the regulator within 15 days after unauthorized disclosure is detected. Article 33 of GDPR requires notification to the regulator within 72 hours after the organization becomes aware of the breach.

According to a list compiled by the Infosec Institute, the average cost of a data breach in 2019 was $3.9 million but can range as high as $2 billion in cases like the Equifax breach of 2017.

The reputational damage associated with a breach of customer, employee, or other stakeholders’ personal or business information can substantially reduce a company’s value.

The scope of notification (if any is needed at all) and remediation depends on understanding the scope of the breach in a timely fashion. In the absence of reliable information, companies need to make worst-case assumptions that may result in larger notifications, higher costs, and unnecessary hardship for customers and other stakeholders.

Preparation for breach

As security and compliance professionals, our priority is to avoid breaches with a defense in depth strategy including Zero Trust architecture.

Microsoft has comprehensive security solutions for Microsoft 365, as well as compliance and risk management solutions that enable our compliance pillar framework:

But we also must prepare for breaches even as we defend against them. Part of that preparation is putting our organization in a position to scope a breach and limit its impact. This means ensuring we have the data governance and signal in place before the breach happens. Security professionals know that they have to deploy solutions like Data Loss Prevention, firewalls, and encryption to defend against attacks, but they may not focus as much on having the right audit data available and retained, and visualizations and playbooks in place beforehand to scope a future breach.

Use Microsoft 365 Advanced Audit and Advanced eDiscovery to investigate compromised accounts

The Microsoft 365 Advanced Audit solution makes a range of data available that is focused on what will be useful to respond to crucial events and forensic investigations. It retains this data for one year (rather than the standard 90-day retention), with an option to extend the retention to ten years. This keeps the audit logs available to long-running investigations and to respond to regulatory and legal obligations.

These crucial events can help you investigate possible breaches and determine the scope of compromise. Advanced Audit provides the following crucial events:

There are built-in default alert policies that use the Advanced Audit data to provide situational awareness either through Microsoft 365’s own security and compliance portal, through Microsoft’s Azure Sentinel cloud-native SIEM, or through a customer’s third-party SIEM. A customer can create customized alerts to use the audit data as well.

Let’s look at how a customer might use Advanced Audit to investigate a compromised account and scope the extent of a data breach:

In an account takeover, an attacker uses a compromised user account to gain access and operate as a user. The attacker may or may not have intended to access the user’s email. If they intend to access the user’s email, they may or may not have had the chance to do so. This is especially true if the defense in-depth and situational awareness discussed above is in place. The attack may have been detected, password changed, account locked, and more.

If the user’s email has confidential information of customers or other stakeholders, we need to know if this email was accessed. We need to separate legitimate access by the mailbox owner during the account takeover from access by the attacker.

With Advanced Audit, we have this ability. Without it, a customer will have to assume all information in the user’s mailbox is now in the hands of the attacker and proceed with reporting and remediation on this basis.

The MailItemsAccessed audit record indicates whether a mailbox item has been accessed by a mail protocol. It covers mail accessed by both sync and bind. In the case of sync access, the mail was accessed by a desktop version of the Outlook client for Windows or Mac. In the case of bind access, the InternetMessageId of the individual message is recorded in the audit record.

We have the ability to forensically analyze mail access via a desktop client or via Outlook Web Access.

We also need to differentiate between the mailbox owner’s legitimate access to a mail item during the attack time period and access by the attacker. We can do this by examining the audit records to see the context of the access, including the session ID and IP address used for access. We match these with other audit records and known good access by the user.

Advanced Audit retains other events like Teams Joins, File Accessed, Messages Sent, Search Queries, and many others that can support a breach analysis.

When we’ve properly scoped the data that the attacker has had access to, we want to deep dive and inspect the content.

With Advanced eDiscovery we can collect all emails, documents, Microsoft Teams, and Yammer interactions of the account that was taken over. We can search for confidential information and metadata to identify the material in question:

There is metadata for each item which, for emails, includes InternetMessageID as well as many other items such as from, to, and when it was sent, and any Microsoft Information Protection sensitivity label.
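The two steps described above, separating the attacker’s mail access from the owner’s using session ID and IP address, and then joining the resulting InternetMessageIds against the collected content metadata, can be expressed as a small script. The following is an added example, not Microsoft’s code: the audit records and eDiscovery metadata are constructed samples in a simplified imitation of the MailItemsAccessed record shape (the real export has many more fields), the user and IP addresses are hypothetical, and the "known good" baseline is assumed to come from the owner’s sign-in activity before the attack window.

```python
"""Scope a compromised mailbox from MailItemsAccessed audit records.

Added example. The record shape is a simplified, constructed imitation of
Exchange mailbox audit entries, not a real Advanced Audit export; the user,
session ids and IP addresses (RFC 5737 ranges) are hypothetical.
"""
from __future__ import annotations

# Constructed sample audit records for one mailbox during the attack window.
AUDIT_RECORDS = [
    {   # Owner opening one message from the known corporate egress address.
        "Operation": "MailItemsAccessed", "UserId": "owner@contoso.example",
        "SessionId": "sess-owner-1", "ClientIPAddress": "203.0.113.10",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
        "Folders": [{"Path": "Inbox", "FolderItems": [
            {"InternetMessageId": "<m1@contoso.example>"}]}],
    },
    {   # Unknown session and IP opening two messages individually (bind).
        "Operation": "MailItemsAccessed", "UserId": "owner@contoso.example",
        "SessionId": "sess-x9", "ClientIPAddress": "198.51.100.77",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
        "Folders": [{"Path": "Inbox", "FolderItems": [
            {"InternetMessageId": "<m2@contoso.example>"},
            {"InternetMessageId": "<m3@contoso.example>"}]}],
    },
    {   # Same unknown session syncing a whole folder; sync logs no item ids.
        "Operation": "MailItemsAccessed", "UserId": "owner@contoso.example",
        "SessionId": "sess-x9", "ClientIPAddress": "198.51.100.77",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
        "Folders": [{"Path": "Sent Items", "FolderItems": []}],
    },
    {   # Unrelated operation in the same log; must be ignored.
        "Operation": "FileAccessed", "UserId": "owner@contoso.example",
        "SessionId": "sess-owner-1", "ClientIPAddress": "203.0.113.10",
    },
]

# Constructed eDiscovery-style metadata for the collected mailbox content.
COLLECTED_ITEMS = [
    {"InternetMessageId": "<m1@contoso.example>", "From": "hr@contoso.example",
     "SensitivityLabel": "General"},
    {"InternetMessageId": "<m2@contoso.example>", "From": "legal@contoso.example",
     "SensitivityLabel": "Confidential"},
    {"InternetMessageId": "<m3@contoso.example>", "From": "finance@contoso.example",
     "SensitivityLabel": "Highly Confidential"},
    {"InternetMessageId": "<m4@contoso.example>", "From": "it@contoso.example",
     "SensitivityLabel": "Confidential"},
]

# Assumed baseline of the owner's legitimate activity (e.g. from sign-in logs
# before the attack window). Both session and IP must match to count as owner
# access; a known session id from an unknown address is still treated as suspect.
KNOWN_GOOD_SESSIONS = {"sess-owner-1"}
KNOWN_GOOD_IPS = {"203.0.113.10"}


def access_type(record: dict) -> str:
    """Read MailAccessType (Bind or Sync) out of OperationProperties."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value", "Unknown")
    return "Unknown"


def message_ids(record: dict) -> list[str]:
    """Collect every InternetMessageId recorded in the record's folders."""
    return [item["InternetMessageId"]
            for folder in record.get("Folders", [])
            for item in folder.get("FolderItems", [])]


def classify_access(records, known_good_sessions, known_good_ips) -> dict:
    """Split MailItemsAccessed records into owner access and suspect access."""
    result = {"owner_message_ids": set(), "suspect_message_ids": set(),
              "suspect_sync_sessions": set()}
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        legitimate = (rec.get("SessionId") in known_good_sessions
                      and rec.get("ClientIPAddress") in known_good_ips)
        if legitimate:
            result["owner_message_ids"].update(message_ids(rec))
            continue
        kind = access_type(rec)
        if kind == "Bind":
            result["suspect_message_ids"].update(message_ids(rec))
        elif kind == "Sync":
            # A sync copies whole folders, so every item in them must be
            # assumed exposed; record the session and folders for follow-up.
            folders = tuple(f["Path"] for f in rec.get("Folders", []))
            result["suspect_sync_sessions"].add((rec.get("SessionId"), folders))
    return result


def items_to_review(suspect_ids, collected_items) -> list[tuple[str, str]]:
    """Join suspect message ids against collected content metadata."""
    return sorted((it["InternetMessageId"], it["SensitivityLabel"])
                  for it in collected_items
                  if it["InternetMessageId"] in suspect_ids)


def scope_compromise() -> dict:
    """Run both steps over the constructed samples and return the findings."""
    result = classify_access(AUDIT_RECORDS, KNOWN_GOOD_SESSIONS, KNOWN_GOOD_IPS)
    result["review"] = items_to_review(result["suspect_message_ids"], COLLECTED_ITEMS)
    return result


if __name__ == "__main__":
    for key, value in scope_compromise().items():
        print(f"{key}: {value}")
```

On the sample data the bind records from the unknown session yield two message IDs, which the join narrows to two labelled items for content review, while the sync record surfaces a folder that has to be scoped as a whole; the owner’s own access during the window is kept out of the notification scope.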

Advanced Audit and Advanced eDiscovery are an important part of an effective security risk and compliance strategy. These Microsoft 365 native tools allow our customers to understand the true scope of a breach. They have the potential to substantially reduce or eliminate the reporting requirements stemming from a compromised account. Advanced Audit can reduce the financial and reputational damage to a company, its customers, employees, partners, and other stakeholders.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.

The post Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact appeared first on Microsoft Security.

The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 1

January 5th, 2021 No comments

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the first post of our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Jake Williams, Founder of Rendition Infosec. In part one of this blog, Jake shares his insights on the 2020 threat landscape—who to watch for and why—and how to think about red and blue teaming within your organization.

Looking back at the threat landscape of 2020, what stands out?  

The biggest thing that stands out has to be the continued ransomware advances. With IANS, I actually coined the term ransomware 2.0 in early 2019. We were trying to differentiate between the drive-by ransomware attacks and what I call the more APT-style ransomware attacks, where they’re doing lateral movement and actively targeting backups before encryption. Disaster recovery (DR) plans work for the former but really not the latter because the latter cases are actively targeting disaster recovery infrastructure. What I saw this year was just a lot of advancement in attacks.

The second thing is that the number of different groups that are using that commodity malware has definitely gone up. They’re using that commodity malware to get back into orbit for initial access into a network. We’re seeing a lot more of that, like TrickBot. Cybersecurity professionals I’m talking to say, “the TrickBot takedown” but it was an interruption, not a takedown, unlike other malware and botnets in the past that have been wiped out. DNSChanger is a good example. DNSChanger was cut off at the knees but not TrickBot. This is a flesh wound.

We’re seeing a lot more of this commodity malware being used as an entryway. This is the stuff that a lot of folks, myself included, have been talking about for years. This is always a risk. You can’t just say, “Don’t worry, Microsoft Defender Antivirus caught and quarantined it so we’re good now.” From maybe mid-September on, it’s been even more viral than the rest of the year put together. It’s really accelerating, too.

What critical threat groups should security teams be actively monitoring? 

The week before last, I was in a dark web forum and an account that I and a number of other folks in the intel community assess with moderate confidence to be associated with Ryuk was advertising for help with their ransomware operations. They’re looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you’re getting an average $400,000 payout. They haven’t asked for help in the past. They have more work than they can handle. That gives you an idea of scope, and I think it comes from the commodity malware. Before now, I haven’t seen large, established ransomware groups advertising for help with their operations. If they thought those accesses were going to last forever, they wouldn’t worry about recruiting others right now.

There’s definitely a place for dark web monitoring but most organizations don’t have the maturity level where they’re getting a good return on that investment. Because even if I tell you that cybercrime groups are recruiting, how do I take that and turn that into something actionable that will help with detection and prevention? I don’t know how much any guidance I provide will help if you’re not patching domain controllers.

From a cybercrime standpoint, we’re seeing a lot more lateral movement being critical to cybercriminals’ attacks. We’re not seeing as many point attacks where they land a phishing email and bam, they’ve extracted a bunch of data and gone. It sounds almost like a cop-out but focus on lateral movement because it kills two birds with one stone. Nation-state groups have to do a lateral movement. So do cybercrime groups to get maximum payouts. Once they’ve had a bite of that big apple, how do they ever go back? I think you’re seeing more groups spending in some cases up to six weeks in a network before they’re doing data extraction and playing a little bit of a longer game versus that immediate gratification.

Cybersecurity mixes both defensive and offensive practices to combat cybercrime. How should organizations think about red and blue teaming in their organization? Do organizations need both, and why?  

A huge majority of people who get into cybersecurity these days want to be red team. I get it. It’s sexy. Bottom line, if you’re thinking of red team as those folks who are actually attempting to penetrate your internal network, I think the number is 1 to 20, 1 to 25, or something like that compared to blue team. You need a lot less red team focus. I’m not saying that organizations where red team is similarly sized to blue don’t provide value. They definitely do, but it’s a question of could you take those same resources and plug them elsewhere and get more value? I think generally, I need a lot more defense than I need offense.

In way too many organizations that have much more balanced red and blue teams, I see a lot of red teams identifying problems that the blue team simply can’t fix from a resourcing standpoint. I also am working with organizations that have very large red teams but haven’t yet moved into hunt teaming. In those situations, I don’t know whether you put hunt under red or blue. I’m ambivalent there but the bottom line is I do need the red team, but I need them for a lot less than a lot of people use them for. I say that as an ex-government hacker; and I still do red team occasionally, but it’s just not where most organizations are going to get the most significant return on investment. I’m not trying to say red team isn’t important but generally, we need to structure significantly more blue team people than red team, and that’s just an unpopular thing for a lot of people to hear.

If you don’t have a solid blue team and have holes today in your defenses, you shouldn’t have a red team. When people say, “We need our own internal red team,” my question is, “Have you had an external red team come in and do a red team evaluation? And if you have, have you actioned those findings?” Not one of them but all of them. If the answer is no, we need to step back and figure out what we need to do. Let’s make sure that you’ve got a blue team that is functioning today and ready to roll forward with the recommendations from the red team. Separate from pragmatism, there’s also a legality issue. Knowing about something and not doing anything about it puts you in a more legally compromising position than not knowing about it at all.

That’s what we find a lot of folks with internal red teams end up with. They’ve got this red team that is basically pushing identified risks into a funnel. How much are we stuffing that funnel? How much do we need defense versus offense?

How does an organization know when to hire an internal red team? What’s the breaking point?

A lot of that depends on the reaction. How quickly are you actioning those findings? If you’re in a spot where you fix all the findings from the annual red team in two months, that’s when I would say, “Yes, without a shadow of a doubt, let’s go hire a red team.” Because that’s going to give me more of that constant churn of findings. On the other hand, if it takes you nine months to get through those findings, you’re going to have another external red team likely in a month anyway. Where’s our value there? If it takes you somewhere in the middle, a lot of it is going to depend on how much risk do we accept.

When we’re documenting where we have gaps and where we don’t, it comes down to where can I get the best return on my investment for our organization? If I still have a lot of blue team gaps, investing in red team would be throwing more gaps at blue team, which causes huge morale issues.

Keep an eye out for the second part of the interview, in which Jake Williams shares best practices on how to structure and evolve red and blue teaming within your organization.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity or on LinkedIn for the latest news and updates on cybersecurity.

The post The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 1 appeared first on Microsoft Security.