Author Archive

A better cloud access security broker: Securing your SaaS cloud apps and services with Microsoft Cloud App Security

March 4th, 2021 No comments

Today’s business uses an average of 1,180 cloud apps¹, with many of those organizations securing their apps through cloud access security brokers (CASB). The organizational need for a CASB has grown alongside the use of cloud apps to enable remote work and greater user productivity. When security responsibilities for cloud apps are shared between you and the cloud application or cloud provider, there’s a chance that some key security practices may be overlooked.

Beyond the areas where your IT team or the platform provider are responsible for security, some SaaS apps and services may fall into an unprotected gray zone. According to the shared responsibility model, IT teams are responsible for securing their organizations’ identity and access management (IAM), network resources, endpoints, devices, passwords, and more. But there’s currently not much clear guidance around SaaS Security Posture Management (SSPM). That’s where the right CASB can make the difference.

How the right CASB can help

A CASB is designed to analyze session traffic to and from the cloud, as well as highlight risks and block inappropriate access. With so many people now working remotely on personal devices, a CASB helps ensure that users accessing your cloud apps (having been properly authenticated by your identity provider) have the rights and permissions to use the selected app—provided it’s from an allowed device, and the session adheres to any other policy conditions defined by your organization.

To accomplish all this, a CASB usually provides three primary services—app discovery and management, secure access to all your apps, data protection, and threat protection. App discovery tells you which cloud apps the employees in your organization are accessing and helps you decide how to manage those apps. Data protection ensures that your people aren’t accessing, using, and sharing sensitive data, and threat protection helps defend against inappropriate use of applications through malware, ransomware, or other threats.

A diagram showing the Microsoft Cloud App Security and its integration with CSAB solutions

For a large healthcare organization such as St. Luke’s, adopting Microsoft Cloud App Security enabled them to allow or block apps based on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and reduce the possibility of leaked patient data.

“One of our challenges prior to deploying Cloud App Security was detecting shadow IT,” said Erin Boris, Information Security Strategic Specialist at SLUHN. “Gaining that visibility through Cloud App Security helps us with software inventory, app rationalization, and most importantly, data loss prevention.”  

Bridging the gap

SaaS Security Posture Management is a solution category that is part of the broader security posture management umbrella of features, specifically protecting SaaS products such as Office 365, Google Workspace, or Salesforce.

Gartner included SaaS Security Posture Management in the 2020 Gartner Hype Cycle for Cloud Security, defining SaaS Security Posture Management as “tools that continuously assess the security risk and manage the security posture of SaaS applications—offering suggestions for improved configuration to reduce risk.”

A CASB should help your team discover all SaaS apps within its purview, then determine which are shadow IT (a potential attack surface and a vector for malware). SaaS Security Posture Management takes it one step further to identify the abuse of these apps, identify misconfigurations, track configuration changes, and deploy automatic remediation to prevent data leakage and damage. SaaS Security Posture Management also covers SaaS storage, file sharing, and collaboration apps, which can be sources of data leakage.

The Microsoft Cloud App Security difference

Microsoft Cloud App Security helps secure all your cloud apps using sophisticated analytics to combat cyber threats across both cloud-native and on-premises apps and services, Microsoft and non-Microsoft alike. Recognized as a Leader in Gartner Magic Quadrant for Cloud Access Security Brokers2, Cloud App Security addressed key features this way:

  • Shadow IT discovery: Discover and manage unauthorized access that can put your security at risk via integration with Microsoft Defender for Endpoint, or also leverage your firewall and secure web gateway, and then choose to sanction or unsanction apps.
  • Information protection: Gain the power to enforce complex information and data loss prevention (DLP) policies across third-party apps through deep integration with Microsoft Information Protection, combined with the reverse proxy capabilities of Microsoft Cloud App Security.
  • Threat protection: Leverage the protection of the independent threat protection capabilities in MCAS, including our own UEBA capabilities as well as the native integration with Microsoft Defender suite, which includes Microsoft Defender for Endpoint, Microsoft Defender for Office, and Microsoft Defender for Identity to provide a unified view into devices, Office apps, and identities across on-premises and cloud resources. Monitor behaviors and blocking nefarious content.
  • Secure access: Connect with Azure Active Directory (Azure AD) to enforce and monitor access and session policies (such as leveraging conditional access from Azure Active Directory) across all managed cloud resources.
  • Security Posture Management: the recommendations and security practices that ensure each organization has intentionally set aside a standard of practices and then receives and implements the practices that help them achieve their goals.
    • CSPM: Cloud Security Posture Management provides multi-cloud security recommendations for the various workloads across IaaS such as AWS, GCP, and Azure.
    • SSPM: SaaS Security Posture Management helps secure multi-app environments and provide discovery for your SaaS apps, helping you identify misconfigurations, as well as track user activity and configuration changes—all to protect your data and to keep you compliant.

According to Forrester’s recent Total Economic Impact (TEI) study, Cloud App Security also helps customers save time and resources—delivering 151% ROI over three years and less than 3-month payback. Other key findings include: 

  • 80 percent reduction in time to monitor, assess, and govern cloud application portfolio risks.
  • 75 percent elimination of threats automatically due to increased visibility and automated threat protection.
  • 40 percent reduction in the likelihood of a data breach, with potential savings of more than $1.6 million over three years.
  • 90 percent reduction in hours required to audit cloud apps.

In all of your efforts to protect your cloud apps, Microsoft Cloud App Security delivers an easy and flexible solution with a basic investment of 15 hours to deploy. You’ll benefit from recommendations for your cloud security posture (based on Center for Internet Security standards), as well as suggestions on risk scoring for apps, connected information protection, labeling and encryption, and granular session controls from start to finish of every session. And Cloud App Security can grow incrementally, enabling the perfect balance between security for your organization and productivity for your users.

Learn more

For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:

Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training.

Go deeper with these interactive guides:

To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security.

Follow us on LinkedIn at #CloudAppSecurity. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter, and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity.

¹Netskope report, 2018

2Gartner Magic Quadrant for Cloud Access Security Brokers, Craig Lawson, Steve Riley, October 28, 2020.

The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post A better cloud access security broker: Securing your SaaS cloud apps and services with Microsoft Cloud App Security appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective

February 24th, 2021 No comments

In part two of this blog series on aligning security with business objectives and risk, we explored the importance of thinking and acting holistically, using the example of human-operated ransomware, which threatens every organization in every industry. As we exited 2020, the Solorigate attack highlighted how attackers are continuously evolving. These nation-state threat actors used an organization’s software supply chain against them, with the attackers compromising legitimate software and applications with malware that installed into target organizations.

In part three of this series, we will further explore what it takes for security leaders to pivot their program from looking at their mission as purely defending against technical attacks to one that focuses on protecting valuable business assets, data, and applications. This pivot will enable business and cybersecurity leaders to remain better aligned and more resilient to a broader spectrum of attack vectors and attacker motivations.

What problem do we face?

First, let’s set a quick baseline on the characteristics of human-operated cyberattacks.

This diagram depicts commonalities and differences between for-profit ransomware and espionage campaigns:

diagram showing commonalities and differences between for-profit ransomware and espionage campaigns

Figure 1: Comparison of human-operated attack campaigns.

Typically, the attackers are:

  • Flexible: Utilize more than one attack vector to gain entry to the network.
  • Objective driven: Achieve a defined purpose from accessing your environment. This could be specific to your people, data, or applications, but you may also just fit a class of targets like “a profitable company that is likely to pay to restore access to their data and systems.”
  • Stealthy: Take precautions to remove evidence or obfuscate their tracks (though at different investment and priority levels, see figure one)
  • Patient: Take time to perform reconnaissance to understand the infrastructure and business environment.
  • Well-resourced and skilled in the technologies they are targeting (though the depth of skill can vary).
  • Experienced: They use established techniques and tools to gain elevated privileges to access or control different aspects of the estate (which grants them the privileges they need to fulfill their objective).

There are variations in the attack style depending on the motivation and objective, but the core methodology is the same. In some ways, this is analogous to the difference between a modern electric car versus a “Mad Max” style vehicle assembled from whatever spare parts were readily and cheaply available.

What to do about it?

Because human attackers are adaptable, a static technology-focused strategy won’t provide the flexibility and agility you need to keep up with (and get ahead of) these attacks. Historically, cybersecurity has tended to focus on the infrastructure, networks, and devices—without necessarily understanding how these technical elements correlate to business objectives and risk.

By understanding the value of information as a business asset, we can take concerted action to prevent compromise and limit risk exposure. Take email, for example, every employee in the company typically uses it, and the majority of communications have limited value to attackers. However, it also contains potentially highly sensitive and legally privileged information (which is why email is often the ultimate target of many sophisticated attacks). Categorizing email through only a technical lens would incorrectly categorize email as either a high-value asset (correct for those few very important items, but impossible to scale) or a low-value asset (correct for most items, but misses the “crown” jewels in email).

Business-centric security.

Figure 2: Business-centric security.

Security leaders must step back from the technical lens, learn what assets and data are important to business leaders, and prioritize how teams spend their time, attention, and budget through the lens of business importance. The technical lens will be re-applied as the security, and IT teams work through solutions, but looking at this only as a technology problem runs a high risk of solving the wrong problems.

It is a journey to fully understand how business value translates to technical assets, but it’s critical to get started and make this a top priority to end the eternal game of ‘whack-a-mole’ that security plays today.

Security leaders should focus on enabling this transformation by:

  1. Aligning the business in a two-way relationship:
  • Communicate in their language: explain security threats in business-friendly language and terminology that helps to quantify the risk and impact to the overall business strategy and mission.
  • Participate in active listening and learning: talk to people across the business to understand the important business services and information and the impact if that were compromised or breached. This will provide clear insight into prioritizing the investment in policies, standards, training, and security controls.
  1. Translating learnings about business priorities and risks into concrete and sustainable actions:
  • Short term focus on dealing with burning priorities:
    • Protecting critical assets and high-value information with appropriate security controls (that increases security while enabling business productivity)
    • Focus on immediate and emerging threats that are most likely to cause business impact.
    • Monitoring changes in business strategies and initiatives to stay in alignment.
  • Long term set direction and priorities to make steady progress over time, to improve overall security posture:
    • Zero Trust: Create a clear vision, strategy, plan, and architecture for reducing risks in your organization aligned to the zero trust principles of assuming breach, least privilege, and explicit verification. Adopting these principles shifts from static controls to more dynamic risk-based decisions that are based on real-time detections of anomalous behavior irrespective of where the threat derived.
    • Burndown technical debt as a consistent strategy by operating security best practices across the organization such as replacing password-based authentication with passwordless and multi-factor authentication (MFA), applying security patches, and retiring (or isolating) legacy systems. Just like paying off a mortgage, you need to make steady payments to realize the full benefit and value of your investments.
    • Apply data classifications, sensitivity labels, and role-based access controls to protect data from loss or compromise throughout its lifecycle. While these can’t completely capture the dynamic nature and richness of business context and insight, they are key enablers to guide information protection and governance, limiting the potential impact of an attack.
  1. Establishing a healthy security culture by explicitly practicing, communicating, and publicly modeling the right behavior. The culture should focus on open collaboration between business, IT, and security colleagues and applying a ‘growth mindset’ of continuous learning. Culture changes should be focused on removing siloes from security, IT, and the larger business organization to achieve greater knowledge sharing and resilience levels.

You can read more on Microsoft’s recommendations for security strategy and culture here.

In the next blog of the series, we will explore the most common attack vectors, how and why they work so effectively, and the strategies to mitigate evolving cybersecurity threats.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective appeared first on Microsoft Security.

Securing Azure datacenters with continuous IoT/OT monitoring

February 22nd, 2021 No comments

Real people. IT professionals build and maintain the LinkedIn server farm which operates on 100% renewable energy. Power is hydro-generated and managed efficiently on-site with minimum new draw from external grid. State-of-the-art facility uses eco-friendly solutions such as using reclaimed water to cool the data center.

Figure 1: Industrial cooling system for datacenters.

As more intelligent devices and machinery become connected to the internet, Operational Technology (OT) and the Internet of Things (IoT) have become part of your enterprise network infrastructure—and a growing security risk. With every new factory sensor, wind turbine monitoring device, or smart building, the attack surface grows. Analysts estimate that there will be 37 billion industrial IoT (IIoT) devices by 2025. Even more alarming for business leaders, Gartner predicts that 75 percent of CEOs will be personally liable for cyber-physical incidents by 2024.

We’ve spent 15 to 20 years adding layers of telemetry and monitoring for IT security. However, most chief information security officers (CISOs) and security operations center (SOC) teams have little or no visibility into their OT risk. It’s clear that a new approach is needed, one that includes IoT and OT-specific incident response and best practices for bringing the two teams together to defend against increasingly sophisticated cyber threats.

A changing threat landscape

In every area of our lives, cyber-physical systems (CPS) go mostly unseen as they quietly monitor building automation, industrial robots, gas pipelines, HVAC systems, turbines, automated warehousing and logistics systems, and other industrial systems. In the past, OT risk was minimized because of “air-gapping” meaning, a physical divide was maintained between OT and IT networks. But digital transformation has disrupted all that. Now devices in the warehouse, refinery, and factory floor are connected directly to corporate IT networks and often to the internet.

Microsoft offers end-to-end IoT security solutions for new, or “greenfield,” IoT deployments, but most of today’s IoT and OT devices are still considered “unmanaged” because they’re not provisioned, tracked in a configuration management database (CMDB), or consistently monitored. These devices typically don’t support agents and lack built-in security such as strong credentials and automated patching—making them soft targets for adversaries looking to pivot deeper into corporate networks.

For OT security, the key priorities are safety and availability. Production facilities need to be up and running to keep generating revenue. However, beyond revenue losses, there’s a risk for catastrophic damage and possible loss of life when OT systems are breached. And like IT attacks, an OT breach also poses a risk for theft of intellectual property (IP). According to the Verizon Data Breach Investigations Report (DBIR), manufacturers are eight times more likely to be breached for theft of IP. OT security translates directly into three main types of business risks:

  • Revenue impact: In 2017, WannaCry malware shut down major automotive manufacturers and affected more than 200,000 computers across 150 countries, with damages ranging into billions of dollars. The same year, NotPetya ransomware nearly shut down the mighty Maersk shipping company and several CPG companies. The attack crippled Merck’s production facilities resulting in losses of $1.3 billion. Last year, LockerGoga shut down the systems of Norwegian aluminum manufacturing company Norsk Hydro and several other plants. In 2020, Ekans (snake spelled backward) ransomware became the latest OT threat by specifically shutting down industrial control systems (ICS).
  • IP theft: IP includes proprietary manufacturing processes, formulas, designs, and more. In one instance, Microsoft Security Response Center (MSRC) discovered hackers were compromising vulnerable IoT devices using their default credentials. Once inside, the hackers scanned the network to see what other systems they could access to get sensitive IP. One in five North American-based corporations reports that they have had IPs stolen within the last year.
  • Safety risks: The Triton attack on a petrochemical facility targeted safety controllers with the intent to cause major structural damage and possible loss of life. The attackers gained a foothold in the IT network then used living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new avenues of attack for compromising unmanaged OT devices.

The U.S. Cybersecurity and Infrastructure Agency (CISA) reports that adversaries are still using many of the tactics seen in the Triton cyberattack to compromise embedded devices in OT systems. CISA has issued three basic recommendations for securing OT:

  1. Create an up-to-date, detailed inventory and map of your OT network.
  2. Use the asset inventory or map to prioritize risks, such as unpatched systems, unauthorized connections between subnets, or unauthorized connections to the internet.
  3. Implement continuous monitoring with anomaly detection.

Azure datacenters—a strategic resource

Through our cloud, Microsoft serves more than a billion customers and more than 20 million businesses across 60 regions worldwide. Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions. Our SOCs process 8 trillion global signals daily. Datacenters are the building blocks of the Cloud, and Microsoft has been building datacenters for more than 30 years. Microsoft datacenters constitute a complex industrial-scale facility sitting at the intersection of operational technologies (OT) and information technologies (IT). This includes industrial control systems managing the climate, power and water, physical security systems, diverse MS and non-MS personnel managing the servers and equipment, various networks including LAN and WAN and WiFi, and diverse software tools. Exclusively leveraging IT security solutions is insufficient to secure datacenters because OT systems have a long lifespan, implement network segregation, rely on proprietary protocols, and patching can disrupt operations leading to safety risks.

Infographic showing details about Microsoft datacenters around the world

Figure 2: Microsoft datacenters.

The biggest risks in securing complex heterogeneous datacenter environments and generations are lack of visibility into the full datacenter stack, and IR plans and playbooks across OT and IT. To address this, we have implemented an end-to-end security monitoring system using Azure Defender for IoT and Azure Sentinel while integrating with Microsoft’s central SOC.

To strengthen its data centers’ operational resiliency worldwide, Microsoft’s Azure data center security team selected CyberX’s purpose-built IoT and OT cybersecurity platform in mid-2019. Microsoft subsequently acquired CyberX in June 2020 and recently released Azure Defender for IoT, which is based on CyberX’s agentless security platform.

Incorporating IoT and OT-aware behavioral analytics and threat intelligence, Azure Defender for IoT delivers continuous IoT and OT asset discovery, vulnerability management, and threat detection. As a Network Detection and Response (NDR) platform that uses passive monitoring and Network Traffic Analysis (NTA), it has zero performance impact on the OT network.

Azure Defender for IoT is now deeply integrated with Azure Sentinel and is available for on-premises, Azure-connected, and hybrid environments. By using both Azure Defender for IoT and Azure Sentinel as a unified, end-to-end IT and OT security solution, the Azure datacenter security team has been able to reduce complexity and prevent gaps that can lead to vulnerabilities.

Microsoft datacenters: Ingestion, detection, and investigation.

Figure 3: Microsoft datacenters: Ingestion, detection, and investigation.

How it works

Azure Sentinel processes alert both from IT and OT, including from Azure Defender for IoT for OT devices such as HMIs, PLCs, biometrics, and badge readers and IT devices such as physical hosts, firewalls, virtual machines, routers, and more. All information is integrated with our incident-response system and our central SOC (including OT and IT playbooks) where machine learning reduces false positives and makes our alerts richer—creating a feedback loop with Azure Sentinel, which further refines and improves our alerting capabilities.

Microsoft datacenter security monitoring and response:

  • Improves the quality of critical environment inventory for risk-based analysis.
  • Correlates significant security events across multiple sources.
  • Advances detections across industrial control system (ICS) networks for known malware, botnet, and command/control traffic.
  • Enables machine learning support for insider threat-detection via user and entity behavior analytics (UEBA).
  • Deploys OT and IT incident-response playbooks using Azure Logic Apps integrated with Microsoft SOC. For example, we implement OT and IT playbooks for scenarios like ransomware or malware, botnet, insider threat, and untracked data-bearing devices.
  • Detects anomalous activity while reducing noise.

In addition, the Microsoft cloud security stack—Microsoft Threat Intel Center (MSTIC) is being expanded with OT capabilities and threat intel.

OT and IT: Bridging the cultural divide

OT and IT have traditionally worked on separate sides of the air gap as laid out in the Purdue Model. But as I mentioned at the top, that physical divide has vanished into the cloud. Thinking in terms of an IT and OT persona that enables both teams to collaborate seamlessly is the security challenge for our time. Here are a few insights that can help bridge the gap:

  • Mature and boost IT security practices for OT: Patching an OT system isn’t the same as updating IT; there can be dangerous repercussions in the form of factory downtime or safety risks. Empathy is important; the liberties enjoyed in the IT world can’t be blindly applied on OT. However, don’t throw away IT security best practices—boost them with OT capabilities.
  • Embrace the security journey: Whether you’re in OT or IT, security improvements move like a dial, not a switch. Agree on your guiding principles and tenants, then constantly improving collaboration between OT and IT teams.
  • Understand the OT persona: IT teams should get to know what a day in the life of an OT person looks like. Our team shadowed OT activity by making site visits, which helped build understanding and establish working relationships.
  • Appreciate the other team’s priorities: When working with OT, this means understanding the importance of safety and availability. What might be a simple system patch in IT could cause downtime or a safety issue in OT. Establish a common vocabulary and metrics to work out issues together.
  • Acknowledge preconceptions: OT often feels like the IT security approach will cause disruptions and downtime, leading to audits, escalations, or worse. For that reason, our approach became: “Hey, we found a problem. Let’s solve it together.”
  • Be proactive versus reactive: Do security assessments together and keep the right people in the loop. Set up two-way trainings, such as joint tabletop or red team exercises, and plan for “worst day” scenarios. Create dedicated websites and SharePoint sites where people can reach out with confidence that their concerns will be addressed.

For more information on securing smart buildings and bridging the IT and OT gap, watch my SANS webinar presentation titled “Securing Building Automation & Data Centers with Continuous OT Security Monitoring.”

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing Azure datacenters with continuous IoT/OT monitoring appeared first on Microsoft Security.

What we like about Microsoft Defender for Endpoint

February 22nd, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA 

It’s no secret that the security industry generally likes Microsoft Defender for Endpoint. After a few months of using and integrating it with our platform here at Expel, we feel the same.

On Expel’s EXE Blog, we regularly share our thought process on how we think about security operations at scale at Expel and the decision support (or additional context) we provide our analysts through automation.

In short, Defender for Endpoint makes it easy for us to achieve our standard of investigative quality and response time, but it doesn’t require a heavy lift from our analysts. And that’s good news both for our customers and for us.

So, what is Microsoft Defender for Endpoint?

Defender for Endpoint is an enterprise endpoint security product that supports Mac, Linux, and Windows operating systems, along with Android and iOS. There are lots of cool things that Defender for Endpoint does at an administrative level (such as attack surface reduction and configurable remediation). However, from our vantage point, we know it best for its detection and response capabilities.

Defender for Endpoint is unique because not only does it combine an Endpoint Detection and Response (EDR) and AV detection engine into the same product, but for Windows 10 hosts, this functionality is built into the operating system, removing the need to install an endpoint agent.

With an appropriate Microsoft license, Defender for Endpoint and Windows 10 provide out-of-the-box protection without the need to mass-deploy software or provision sensors across your fleet.

How EDR tools help us as an XDR vendor

When we integrate with an EDR product like Defender for Endpoint in support of our customers, our goal is to predict the investigative questions that an analyst will ask and then automate the action of getting the necessary data from that tool.

This frees up our analysts to make the decision—versus making them spend time extracting the right data.

We think Defender for Endpoint provides the right toolset that helps us reach that goal—and removes some burden from our analysts—thanks to its APIs.

Thanks to Defender for Endpoint’s robust APIs, we augmented its capability to provide upfront decision support to our analysts. As a result, we’re able to arm them with the answers to the basic investigative questions we ask ourselves with every alert.

To find these answers, there are a few specific capabilities of Defender for Endpoint we use that allow us to pull this information into each alert:

  • Advanced hunting database.
  • Prevalence information.
  • Detailed process logging.
  • AV actions.

This way, our analysts don’t need to worry about fiddling with the tool but instead focus on analyzing the rich data it provides.

Check out a real-life example of how Expel analysts use Defender for Endpoint to triage an alert on behalf of a customer.

Defender for Endpoint helps reduce our alert-to-fix time

The decision support—or additional context about an alert—that Defender for Endpoint enables us to generate is powerful because it allows us to become specialists at analysis rather than specialists of a specific technology.

Defender for Endpoint provides a platform that allows our analysts to quickly and accurately answer important questions during an investigation.

Most importantly, though, having these capabilities emulated in the API allowed us to build on top of the Defender for Endpoint platform to be more efficient in providing high-quality detection and response.

And that’s a win-win for both Expel and our customers.

Learn more

To learn more about Expel, visit our listing on the Azure Marketplace.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post What we like about Microsoft Defender for Endpoint appeared first on Microsoft Security.

Forrester Consulting TEI Study: Azure Security Center delivers 219 percent ROI over 3 years and a payback of less than 6 months

February 18th, 2021 No comments

Azure Security Center is a critical tool to secure our multi-cloud workloads in the new world of remote work we find ourselves in today. We are excited to share that Forrester Consulting has just conducted a commissioned Total Economic Impact™ (TEI) study on behalf of Microsoft, which involved interviewing existing customers to create an accessible framework for organizations to evaluate the financial impact of Azure Security Center. The results are big—Azure Security Center delivers 219 percent return on investment (ROI) over three years and a payback of less than six months; reduces the risk of a cloud security breach by up to 25 percent, reduces time to threat mitigation by 50 percent, and reduces the cost of third-party security tools and services from consolidation by over $200,000 annually.

The Forrester study concluded that Azure Security Center reduces threat protection costs at scale, simplifies security posture management, and improves the efficiency and effectiveness of the Security Operations Center (SOC).

Forrester found that a composite organization experienced benefits of $3.56 million over three years versus costs of $1.1 million. This adds up to an ROI of 219 percent with payback in less than six months.

Cost Savings

Prior to using Azure Security Center, the customers were relying on multiple third-party cloud security tools implemented in different organizational siloes to understand their security posture and defend against potential threats. However, the distributed and disintegrated nature of this approach introduced inefficiencies into security workflows, produced a plethora of false-positive threat alerts, and limited visibility of the organization’s overall security posture, leading to potential security risk.

After the investment in Azure Security Center, the customers’ visibility into the security posture of their Azure workloads increased substantially, reducing the risk of cloud security breaches while also improving the productivity of security teams responsible for threat detection and remediation and security policy and regulatory compliance.

Forrester found that an organization experienced benefits of $3.56 million over three years versus costs of $1.1 million. This adds up to an ROI of 219 percent with payback in less than six months.

“We thought that if we could replace third-party tools with integrated Azure functionality, it might improve visibility. It might catch additional threats. It might ease configuration work, reducing management overhead in the end.”—IT security manager, professional services ¹

Reducing risk factors and time to respond

Forrester interviewed four customers with experience using Azure Security Center and aggregated the experiences of the interviewed customers, and combined the results into a single composite organization. This framework helps identify the cost, benefit, flexibility, and risk factors that affect the investment decision. According to aggregated data, Azure Security Center demonstrated strong benefits such as:

  • Reduced risk of a cloud security breach by up to 25 percent. By improving visibility into an organization’s security posture across all its Azure workloads and decreasing time to threat remediation, interviewed organizations shared that they were able to reduce the risk of cloud security breaches.
  • Reduced time to threat mitigation by 50 percent. Organizations that chose to also deploy Azure Defender within Azure Security Center shared that they were able to decrease their mean time to threat remediation by 50 percent. They were also able to reduce the number of threats needing remediation by 86 percent, thanks to false-positive threat alert reduction. Customers also benefitted from the fact that Microsoft’s scale and telemetry data enables Azure Security Center to update security recommendations and notify of important threats at speed.
  • Reduction in time spent on security policy and compliance management up to 30 percent. Azure Security Center also reduced the amount of time spent on updating security policies and on compliance-related workflows by between 20 percent and 30 percent. This resulted in the improved productivity of security administrators.
  • Reduced cost of third-party security tools and services from consolidation by over $200,000 annually. Customers shared that they reduced their spending and reliance on third-party security tools and services. Customers saved 20 percent to 30 percent on third-party security tools, reduced third-party security services by $180,000, and reduced third-party penetration test services by 50 percent.
  • Reduced risk of non-compliance. Customers improved their compliance posture with the added visibility and accessibility of regulatory compliance status through Azure Security Center. They were also able to make recommended fixes to improve compliance they might have otherwise missed.

“Whenever we got a vulnerability report, we’d have a hard time hunting down who was responsible to make sure they would remediate the issue. With Azure Security Center, our teams have full visibility into vulnerabilities, and the recommendations that are applicable to them.”—Cloud Security Specialist, Retail ¹

Protect your hybrid cloud workloads today

You can start monitoring your security posture for free using Azure Security Center today. Microsoft recommends protecting all your hybrid cloud workloads with Azure Defender. You can try Azure Defender free for 30 days. Then pay as you go for the workload protection you choose.

Download the full Forrester Consulting study, The Total Economic Impact™ of Azure Security Center. Get started and learn more about Azure Security Center and Azure Defender. To develop a proof of concept study, please visit our POC guide.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹ Customer quotes shared in this blog are anonymous as they are part of the Forrester Consulting Total Economic Impact™ of Azure Security Center study.

The post Forrester Consulting TEI Study: Azure Security Center delivers 219 percent ROI over 3 years and a payback of less than 6 months appeared first on Microsoft Security.

Categories: Azure Security, cybersecurity Tags:

Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic

February 16th, 2021 No comments

Cybersecurity professionals find themselves in high demand as organizations worldwide continue to grapple with how to secure millions of remote workers. James Turner is an industry analyst at CISO Lens and served as an adjudicator from 2017 to 2019 for the Australian government’s cyber war games: Operation Tsunami. In this episode of Afternoon Cyber Tea, James and I talk about how the COVID-19 pandemic has accelerated the critical need for cooperation across the cybersecurity industry, as well as the need for strengthening communication between governments and private organizations.

Our discussion really examines how the pandemic has pushed organizations toward greater cost efficiencies and a new mainstreaming of cybersecurity—democratizing the language and tools to make it part of everyone’s “9 to 5” experience.

“Everyone has a plan until they get hit in the face,” as James puts it. “Ransomware is off the hook—one organization just got hit with a 10 million dollar ransom. That’s more than the average Australian or New Zealand organization spends on security in a year.”

If the old saying that every crisis presents an opportunity holds true, James sees the pandemic as a tremendous catalyst for better information sharing amid budget cuts and a fragmented workforce. “The security operating centers at large banks are on speed-dial with each other because the attack against Company A hits Company B the next day. No organization, or even an entire country, can do it all by themselves.”

During our talk, we also touch on how the pandemic has pushed security professionals to look at new ways of optimizing delivery, such as utilizing an integrated security solution rather than an expensive niche product. “It’s given businesses a new appreciation for automatic patching,” James recounts. “My group of CISOs is discussing installing agents on personal devices; the legalities and logistics around that. Budgets are becoming an issue; so, I’m encouraging them to think like startups—get creative.”

James and I also examine how security professionals need to do a better job of evangelizing across the entire IT sector, including developing a ground-level understanding of your own organization’s business units. Cybersecurity will only be truly effective when it’s no longer part of an org chart but simply part of everyone’s job.

To hear my complete conversation with James Turner, listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT, and other emerging tech. In every episode, we’ll look at empowering people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic appeared first on Microsoft Security.

A playbook for modernizing security operations

February 11th, 2021 No comments

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post from our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Dave Kennedy, Founder and Chief Technology Officer at Binary Defense. Dave shares his insights on security operations—what these teams need to work effectively, best practices for maturing the security operations center (SOC), as well as the biggest security challenges in the years to come.

Natalia: What are the standard tools, roles, frameworks, and services for a security operations team? What are the basic elements a SecOps team needs to succeed?

Dave: Your security operations team must have visibility into your infrastructure, both on and off-premises. Visibility is key because many of these attacks start with one compromised asset or one compromised credential. They spread across the network and in many cases, they wreak a lot of damage. Your endpoints, network infrastructure, and cloud environments are where a lot of these issues happen. I recommend starting with high-risk areas like your endpoints.

Then, you need somewhere to ingest that data, such as security information and event management systems like Microsoft Azure Sentinel, and to go through log analysis and determine if anything has been compromised.

Also, frameworks like the MITRE ATT&CK framework are a great baseline of saying, well, here are specific attacks that we’ve seen in the wild that are mapped to specific adversaries that are in our industry vertical. That can help you prioritize those, get better at detection, and make sure you have the right logs coming into your environment to build detections.

Natalia: How can a team operationalize the MITRE ATT&CK framework?

Dave: When people first look at the MITRE ATT&CK framework, they freak out because it’s so big, but it’s a treasure trove of information. Everybody was focused on a castle mentality of being able to protect everything but what happens when an attacker is in your environment? Protection is still very important and you want to have protective mechanisms in place, but protection takes time and requires cultural changes in many cases. If you’re doing something like multifactor authentication, you have to communicate that to users.

The MITRE ATT&CK framework tells you what happens when attackers have gotten around your preventive controls. What happens when they execute code onto a system and take other actions that allow them to either extract additional information or move to different systems through lateral movement or post-exploitation scenarios and get access to the data? The MITRE ATT&CK framework is a way to conceptualize exactly what’s happening from an attacker’s standpoint and to build detections around those attack patterns.

With the damage we see, it’s usually several hours, days, or months that an attacker has had access to an environment. If we can shave that time down and detect them in the first few minutes or the first few hours of an attack and shut them down, we’ve saved our company a substantial amount of damage. It’s a framework to help you understand what’s happening in your environment and when unusual activities are occurring so you can respond much more effectively.

Natalia: How much of the MITRE ATT&CK framework should a security team build into their detections? How much should they rely on existing tools to map the framework?

Dave: Many tools today have already done a lot of mapping to things like the MITRE ATT&CK framework, but it’s not comprehensive. If you have an endpoint detection and response product, it may cover only 20 percent of the MITRE ATT&CK framework. Mapping your existing tools and technology to the MITRE ATT&CK framework is a very common practice. For instance, you may have an email gateway that uses sandboxing virtualization techniques that detonate potential malware to see whether it’s effective. That’s one component of your technology stack that can help cover certain components of the MITRE ATT&CK framework. You might have web content filtering that covers a different component of the framework, and then you have endpoint detection and responses (EDRs) that cover a percentage of the endpoint detection pieces.

Technology products can help you shave away the amount of effort that goes into the MITRE ATT&CK framework. It’s really important, though, that organizations map those out to understand where they have gaps and weaknesses. Maybe they need additional technology for better visibility into their environment. I’m a huge fan of the Windows systems service, System Monitor (Sysmon). If you talk to any incident responder, they’ll tell you that if they have access to Sysmon data logs, that’s a treasure trove of information from a threat hunting and incident response perspective.

It’s also important to look at it from an adversary perspective. Not every single adversary in the world wants to target your organization or business. If you’re in manufacturing, for instance, you’re not going to be a target of all adversaries. Look at what the adversaries do and what type of industry vertical they’re targeting so you don’t have to do everything in the MITRE ATT&CK framework. You can whittle the framework down to what’s important for you and build your detections based on which adversaries are most likely to target your organization.

Natalia: If a team has all the basics down and wants to mature their SecOps practices, what do you suggest?

Dave: Most security operations centers are very reactive. Mature organizations are moving toward more proactive hunting or threat hunting. A good example is if you’re sending all of your logs through Azure Sentinel, you can do things like Kusto Query Language and queries in analysis and data sets to look for unusual activity. These organizations go through command line arguments, service creations, parent-child process relationships, or Markov chaining, where you can look at unusual deviations of parent-child process relationships or unusual network activity.

It’s a continual progression starting off with the basics and becoming more advanced over time as you run through new emulation criteria or simulation criteria through either red teaming or automation tools. They can help you get good baselines of your environment and look for unusual traffic that may indicate a potential compromise. Adversary emulations are where you’re imitating a specific adversary attacker through known techniques discovered through data breaches. For example, we look at what happened with the SolarWinds supply chain attack—and kudos to Microsoft for all the research out there—and we say, here are the techniques these specific actors were using, and let’s build detections off of those so they can’t use them again.

More mature organizations already have that in place, and they’re moving toward what we call adversary simulation, where you take a look at an organization’s threat models and you build your attacks and techniques off of how those adversaries would operate. You don’t do it by using the same type of techniques that have previously been discovered. You’re trying to simulate what an attacker would do in an environment and can a blue team identify those.

Natalia: What are best practices for threat hunting?

Dave: Threat hunting varies based on timing and resources. It doesn’t mean you have to have dedicated resources. Threat hunting can be an exercise you conduct once a week, once a month, or once a quarter. It involves going through your data and looking for unusual activity. Look at all service creations. Look at all your command line arguments that are being passed. A large percentage of the MITRE ATT&CK framework can be covered just by parent-child process relationships and command line auditing in the environment. Look at East to West traffic, not just North to South. Look at all your audit logs. Go through Domain Name System (DNS traffic).

For instance, a user was using Outlook and then clicked on an email that opened an Excel document that triggered a macro that then called PowerShell or CMD EXE. That’s an unusual activity that you wouldn’t expect to see from a normal user so let’s hone in on that and figure out what occurred.

You can also conduct more purple teaming engagements, where you have a red team launch attacks and detection teams look through the logs at the same time to build better detections or see where you might have gaps in visibility. Companies that have threat hunting teams make it very difficult for red teamers to get around the different landmines that they’ve laid across the network.

Natalia: What should an incident response workflow look like?

Dave: An alert or unusual activity during a threat hunting exercise is usually raised to somebody to do an analysis. A SOC analyst typically has between 30 seconds and four minutes per alarm to determine whether the alarm is a false positive or something they need to analyze. Obviously, what stands out are things like obfuscation techniques, such as where you have PowerShell with a bunch of code that looks very unusual and obfuscation to try to evade endpoint protection products. Some of the more confusing ones are things like living off the land, which are attacks that leverage legitimate applications that are code signed by the operating system to download files and execute in the future.

A research phase kicks off to see what’s actually going on. If it’s determined that there is malicious activity, usually that’s when incident response kicks in. How bad is it? Have they moved to other systems? Let’s get this machine off the network and figure out everything that’s happening. Let’s do memory analysis. Let’s figure out who the actual attacker was. Can we combine this with red intelligence and determine the specific adversary? What are their capabilities? You start to build the timeline to ensure that you have all the right data and to determine if it’s a major breach or self-contained to one individual system.

We ran several incident response scenarios for customers that were impacted by the supply chain attacks on SolarWinds and the biggest challenge for the customers was their logs didn’t go back that far so it was very difficult for them to say definitively with evidence, that they know what happened.

Natalia: What does an incident responder need to succeed?

Dave: I’d strongly recommend doing an incident response readiness assessment for your organization. I also recommend centralized logging—whether that’s a security information and event management (SIEM) or a data analytics tool or a data lake—that you can comb through. I’m a huge advocate of Sysmon. You can do power execution, command line auditing, DNS traffic, process injection, and parent-child process relationships. I’d also suggest network logs. If you can do full packet captures, which not a lot of organizations can do, that’s also great. If you can pull data packets coming from a secure sockets layer (SSL) or transport layer security (TLS) and do remote memory acquisition, that’s also really important. Can we retrieve artifacts from systems in a very consistent way?

Tabletop exercises can also get executives and IT on the same page about how to handle incidents and work together. Running through very specific types of scenarios can help you figure out where you have gaps or weaknesses. When I was the Chief Security Officer at Diebold, we would run through three to four tabletop exercises a year and include our senior leadership, like our CEO and CFO, twice a year. It was eye-opening for them because they never really understood what goes into incident response and what can happen from a cyber perspective. We’d run through actual simulations and scenarios of very specific attacks and see how they would respond. Those types of scenarios really help build your team’s understanding and determine where you may need better communication, better tooling, or better ways to respond.

Natalia: What other strategies can security operators implement to try to avoid attacks?

Dave: When you look at layered defense, always improving protection is key. You don’t want to just focus on detection because you’re going to be in firefighting mode all the time. The basics really are a big deal: things like multifactor authentication, patch management, and security architecture.

Reducing the attack surface is important, such as with application control and allowed application lists. Application control is probably one of the most effective ways of shutting down most attacks out there today because you have a good baseline of your organization. That applies very consistently to things like the Zero Trust model. Become more of a service provider for your organization versus providing everything for your organization. Reducing your attack surface will eliminate the noise that incident responders or SOC analysts must deal with and allow them to focus on a lot of the high-fidelity type things that we want to see.

One of the things that I see continuously going into a lot of organizations is that they’re just always in firefighting mode, 90 percent of their alarms are false positives, and they’re in alarm fatigue. Their security operations center isn’t improving on detections. You really need somebody on the strategy side to come in and say: Can we lock our users down in a way that doesn’t hinder the business, but also lowers the attack surface?

Natalia: How does vulnerability assessment strategy fit into a SOC strategy?

Dave: Program vulnerabilities and exposures are key opportunities that attackers will use. When we look at historic data breaches, those that use direct exploitation and not phishing were using common vulnerabilities and exposures (CVE) typically of six months or older that allowed them access to a specific system. That makes it really important to reduce attack surfaces and understand where vulnerabilities are so we can make it a lot more difficult for attackers to get in.

It’s not a zero-day attack that’s hitting companies today. It’s out-of-date systems. It’s not patching appropriately. A lot of companies will do well on the operating system side. They’ll patch their Windows machines, their Linux machines, and Apple. But they fail really hard with the third-party applications and especially the web application tier of the house—middleware, microservices. In almost every case, it comes down to ownership of the application. A lot of times, IT will own the operating system platforms and the infrastructure that it’s on, but business owners typically sponsor those applications and so ownership becomes a very murky area. Is it the business owners that own the updates of the applications or does IT? Make sure you have clear owners in charge of making sure patches go out regularly.

If you’re not going through regular vulnerability assessments and looking for the vulnerabilities in your environment, you’re very predisposed to a data breach that attackers would leverage based on missing patches or missing specific security fixes. The first few stages of an attack are the most critical because that’s where most organizations have built their defenses. In the latter phases of post-exploitation, especially as you get to the exfiltration components, most organizations don’t have good detection capabilities. It’s really important to have those detection mechanisms in place ahead of time and ensure those systems are patched.

Natalia: We often discuss the challenges facing security today. Let’s take a different approach. What gives you hope?

Dave: What gives me hope is the shift in security. Ten years ago, we would go into organizations from a penetration testing perspective and just destroy these companies. And then the next year, we’d go in and we’d destroy these companies again. Their focus was always on the technical vulnerabilities and not on what happens after attackers are in your castle. The industry has really shifted toward the mindset of we have to get better at looking for deviations of patterns of behavior to be able to respond much more effectively. The industry is definitely tracking in the right direction, and that really gives me hope.

Learn how Microsoft Security solutions can help modernize Security Operations.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A playbook for modernizing security operations appeared first on Microsoft Security.

Why threat protection is critical to your Zero Trust security strategy

February 8th, 2021 No comments

The corporate network perimeter has been completely redefined. Many IT leaders are adopting a Zero Trust security model where identities play a critical role in helping act as the foundation of their modern cybersecurity strategy. As a result, cybercriminals have shifted their focus and identities are increasingly under attack.

In this infographic, we explore how this shift is affecting IT leaders and how Microsoft can help apply threat protection to proactively prevent identity compromise and reduce alert fatigue.

  1. There’s been a significant increase in identity-based attacks. As IT leaders rely more heavily on identity in their security strategies, cybercriminals have increased their efforts on this threat vector. And with the shift to remote work in response to COVID-19, we’ve seen a notable number of pandemic-related phishing attacks.
  2. IT leaders need more visibility and protection. With the increase in threats, security professionals and admins are being overwhelmed with alerts. IT leaders are looking for more effective ways to manage alerts and better tools to proactively prevent attackers from being able to compromise accounts.
  3. Preventing identity compromise is more critical than ever. As IT leaders evolve their security strategies, people increasingly working remotely, and the number of identity-based attacks are rising, it’s vital for organizations to implement real-time, AI-based protections that prevent identity compromise.

Check out the infographic for more details.

If you’re interested in how Microsoft can help, see how Azure Active Directory (Azure AD) Identity Protection and Microsoft 365 Defender use real-time, cloud-based AI to proactively prevent identity compromise. Also check out our Security Unlocked podcast with Data Scientist Lead for Microsoft’s Identity Security and Protection team, Maria Peurtas Calvo, to hear how AI is being used to protect identities inside Microsoft products and services.

Visit our Zero Trust page to stay up-to-date on how the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why threat protection is critical to your Zero Trust security strategy appeared first on Microsoft Security.

Automating and operationalizing data protection with Dataguise and Microsoft Information Protection

February 4th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA

In technical literature, the terms data discovery, classification, and tagging are sometimes used interchangeably, but there are real differences in what they actually mean—and each plays a critical role in an enterprise data protection strategy.

Data discovery is the process of reporting information about the sensitivity of a data object. The granularity of reporting typically includes what type of sensitive information is found, exactly where it is found, along with the exact cardinality of sensitive data elements. Data classification is the association of a label, which typically has some business value, to an object (file or a table). Classification is often stored as metadata in a separate system or an external data catalog and enables downstream usage of a data object based on security or privacy policies. Data tagging (labeling) is the application of an actual label (or classification) to the associated object.

The important thing to note here is that data discovery is always foundational to a data protection strategy. Classification and tagging depend on accurate discovery to drive the appropriate method of protection, which will ultimately depend on the consumption or utilization and privacy requirements for the data. The more comprehensive and efficient (automated and integrated) the data discovery, the more effective and cost-effective the data protection.

Dataguise and Microsoft Information Protection: Better together

 Now, you probably know that Microsoft Information Protection is a comprehensive suite of services and features that Microsoft offers for its customers to classify, label, and protect data. Microsoft Information Protection forms the core of many enterprise data protection strategies.

Dataguise is a sensitive data discovery and protection software that now integrates with Microsoft Information Protection. More specifically, it performs context-aware discovery of structured, unstructured, and semi-structured data, and can use the results of that discovery to report on data classification, tag data with Microsoft Information Protection-readable labels, and protect sensitive data either natively—via innumerable methods of masking, encryption, and monitoring—or by integrating with Microsoft Information Protection or a third-party data protection solution. It’s a highly scalable solution that relies on machine learning and other heuristics to allow for efficient, accurate data discovery in multi-petabyte, hybrid environments.

With Dataguise, discovery can be done at several levels to meet various risk, compliance, or data governance goals; but there are two kinds of discovery that are of particular interest here, and it’s important to distinguish them:

  1. Discovery of personal information and other sensitive data: This is the process of finding and reporting data governed by PII, PCI, PHI, and any similar policy, where all sensitive data needs to be discovered but not associated with an individual. Such requirements are typically driven by industry security standards or regulations.
  2. Identity-based data discovery: This is the process of finding and reporting data specifically related to an individual. The contents of the report may or may not be useful for directly identifying the associated individual, but the entirety of a report constitutes the breadth of information that an enterprise possesses about the given data subject. Identity-based discovery is typically driven by recent data privacy laws like GDPR in the EU, CCPA in California, and LGPD in Brazil.

A data protection strategy that takes both types of discovery into account and incorporates technologies to perform them accurately, efficiently, and comprehensively—can add value not only for information security or privacy teams but for risk, compliance, governance, analytics, marketing, and IT operations teams as well. When you think of all the ways an organization collects, uses, shares, and stores data across the enterprise, more granular visibility leads to more precise control and, therefore, greater business flexibility and agility to maximize data value.

Ultimately, Dataguise complements Microsoft Information Protection capabilities, making the combination extremely useful for the customer.

The discovery synergy: Dataguise augments Microsoft Information Protection scanning capabilities

Dataguise’s real strength lies in the fact that it can discover and report sensitive and personal data across relational databases, NoSQL databases, Hadoop, file shares, cloud stores like ADLS, S3, and GCS, and over 200 different cloud-based applications. Therefore, Dataguise primarily can extend Microsoft Information Protection’s scanning coverage to structured and unstructured data stored outside Microsoft products to the ones mentioned above. This is a game-changer, as Microsoft Information Protection can now be used to tag all co-located sensitive and personal data on all co-located platforms.

The protection synergy: Dataguise enhances downstream data protection capabilities for Microsoft Information Protection

 Dataguise uses Microsoft Information Protection’s SDK to seamlessly integrate discovery with Microsoft Information Protection’s tagging capability. Whether the tags power DLP, access control, or encryption and decryption solutions, Dataguise can either natively or by leveraging a third-party solution, team up with Microsoft Information Protection to create an end-to-end data protection strategy and automated implementation.

So how does this all work?

The integration is seamless and starts with defining the tags in Microsoft Information Protection. Then, there is a mapping of these tags to one or a combination of sensitive elements, out-of-the-box or custom in Dataguise. As Dataguise runs its discovery scans, it is using that mapping to report tags corresponding to each file that it has scanned. Now, using the Microsoft Information Protection SDK, these tags are applied to the corresponding file. Dataguise discovery uses context-aware discovery based on machine learning, which benefits Microsoft Information Protection by tagging files accurately and at scale. The figure below shows the flow:

An infographic that shows the flow of context-aware discovery based on machine learning.

Dataguise and Microsoft Information Protection bring a powerful combination of capabilities to any data protection strategy and implementation. The joint value of this integration lies in the fact that Dataguise can cover a broad range of platforms for discovery, and then leverage Microsoft Information Protection labeling to enable downstream data protection. Intelligent and context-aware data discovery is foundational to data protection, and with accurate optics, enterprise-wide implementation of comprehensive and automated data protection policies can be achieved.

For more information about the Dataguise Sensitive Data Discovery and Protection solution, please visit You can also find Dataguise on the Azure Marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Automating and operationalizing data protection with Dataguise and Microsoft Information Protection appeared first on Microsoft Security.

Modernizing your network security strategy

February 4th, 2021 No comments

From the global pandemic to recent cyberattacks, our world has faced many challenges during the past 12 months. Some of these challenges we can’t change. However, I’m pleased about the ones we can, and are changing across the cybersecurity landscape. For example, to facilitate remote work and maintain business continuity, organizations are moving more of their apps to the cloud and delivering SaaS experiences.

We know, however, that cybercriminals are taking advantage of this shift. We have seen them increase DDoS attacks, ransomware, and phishing campaigns. So how do you, as a cybersecurity professional help your organization facilitate remote work while strengthening security, reliability, and performance?

The first step is to examine your organization’s security strategy and adopt a Zero Trust approach.

Join me and Sinead O’Donovan, Director of Program Management for Azure Security, in the next Azure Security Experts Series on February 18, 2021, from 10:00 AM to 11:00 AM Pacific Time, as we’re going to focus on another important aspect of Zero Trust network security.

There, we’ll step through three strategies using the cloud-native network security services like Azure Front Door and Azure Firewall to perform:

  • Segmentation: This includes apps and virtual network segmentation which aims to reduce the attack surface and prevent attackers from moving laterally.
  • Encryption: Enforcing encryption on the communication channel between user-to-app or app-to-app with industry standards like TLS/SSL.
  • Threat protection: Employing threat intelligence to help minimize risk from the most sophisticated attacks like bots and malware.

You’ll have the opportunity to take deep dives and see demos on how to use Azure network security cloud-native services for:

  • Application security and acceleration: Utilize new integrated services like Azure Web Application Firewall and CDN technology to provide app security, scalability, and resiliency.
  • Advanced cloud network threat protection: Apply advanced firewall capabilities for highly sensitive and regulated environments.

In just one hour, you’ll learn new networking strategies, improve your app security and performance, use cutting-edge network threat protection, and stay ahead of a constantly evolving threat landscape.

Register now.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Modernizing your network security strategy appeared first on Microsoft Security.

Afternoon Cyber Tea: Privacy, the pandemic, and protecting our cyber future

February 3rd, 2021 No comments

Much of our everyday life has moved online with the pandemic continuing to play a role in how we work and communicate with others. This migration has meant that security and privacy continue to remain top-of-mind for both security professionals and those who may not have given these cyber issues a second thought once before.

In this episode of Afternoon Cyber Tea, I had a chance to talk about this impact with cybersecurity expert Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed.

In our discussion, we focus on Theresa’s experience with election security, social engineering, and about her book “Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth.” We also look at how the cyber operatives behind misinformation campaigns choose their targets, and how digital empathy and human-centered design can help combat cybercrime.

“Nation-state hackers invade social issues—such as fracking, elections, or vaccinations—all while posing as Americans,” Theresa explains. She recounts how, in researching her book, she found herself speaking to a group of Macedonian hackers who targeted the 2016 election, only to discover the hackers were apolitical. “We’re pro-capitalism,” they told her, explaining how they’d created detailed models that showed how much revenue they could earn by pushing certain candidates rather than others.

“Microsoft was one of the early leaders in offering free tools to help states improve their voting technology. They looked at something that could be a revenue generator, then chose to make it about the public good instead.”—Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed

During our conversation, we talk about how social engineering attacks are often made easier by our own trusting natures, with vacation photos, birthdays, and other personal content providing the raw data hackers rely on. Since privacy settings for social media usually require users to opt-in, many users are unknowingly laying their online life out like a buffet for hackers. And, since many people don’t read the terms of service, they often have no idea what data is being collected, or what it’s being used for. Theresa mentions a study done by MIT researchers that found even anonymized data grabbed from phone records, credit card transactions, and mobile apps can be easily cross-referenced by zip code and gender to narrow the user’s identity to within just five people.

Theresa and I agree that people cannot be expected to be experts on cybersecurity or system designs, which is where digital empathy comes into play. As we get better at building security into systems, employees can be free to do what they were hired to do. “Microsoft has been leading the way in going passwordless,” Theresa says. “I’m excited that technology has finally caught up to our needs. Now we’ll only be limited by our own creative minds.”

Find out how Theresa went from working as a bank manager to handling cybersecurity at the George W. Bush White House and get some tips on how to protect yourself from social engineering schemes—listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT) and other emerging tech. In every episode, we’ll look at how to empower people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe—so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Privacy, the pandemic, and protecting our cyber future appeared first on Microsoft Security.

Recent enhancements for Microsoft Power Platform governance

February 1st, 2021 No comments

An emerging trend in digital transformation efforts has been the rise of low-code development platforms. Of course, these low-code platforms must be grounded in best-of-breed governance capabilities which include security and compliance features. Without strong governance, the full benefits of low-code development cannot be realized. It’s only natural that any low-code platform chosen by an organization must have strong security and compliance capabilities. Microsoft has developed the Power Platform which includes Power Apps, Power Automate, Power Virtual Agents, and Power BI to serve our customer’s needs for a robust low-code development platform that includes app development, automation, chatbots, and rich, detailed data analysis and visualization. We previously reported on the fundamental security and compliance capabilities offered with Microsoft Flow which was renamed Power Automate. In this blog, we’re going to discuss the integrated security and compliance capabilities across the Power Platform and provide an update on the new capabilities we’ve launched.

Foundations of governance

As the number of developers grows, governance becomes a key criterion to ensure digital transformation. As such, IT must create stronger guardrails to ensure the growing numbers of developers and the assets they create all remain compliant and secure. The Power Platform’s governance approach is multi-step with a focus on security, monitoring, administrative management, and application lifecycle management (figure 1). Check out our detailed governance and administration capabilities. The Power Platform also offers a Center of Excellence Starter Kit which organizations can use to evolve and educate employees on governance best practices. The Power Platform comes equipped with features that help reduce the complexity of governing your environment and empowers admins to unlock the greatest benefits from their Power Platform services. We’re reporting some of our newest capabilities to protect your organization’s data with tenant restrictions and blocking email exfiltration. We’re also announcing new analytics reports available for the robotic process automation (RPA) capability recently launched with Power Automate.

The Power Platform multi-step governance strategy

Figure 1: The Power Platform multi-step governance strategy.

Cross-tenant inbound and outbound restrictions using Azure Active Directory

The Power Platform offers access to over 400 connectors to today’s most popular enterprise applications. Connectors are proxies or wrappers around an API that allows the underlying service to ‘talk’ to Power Automate, Power Apps, and Azure Logic Apps. Control and access to these connectors and the data residing in the applications is a crucial aspect of a proactive governance and security approach. To this end, we have recently enhanced the cross-tenant inbound and outbound restrictions for Power Platform connectors. The Power Platform leverages Azure Active Directory (Azure AD) for controlling user authentication and access to data for important connectors such as Microsoft first-party services. While tenant restrictions can be created with Azure AD all up, enabling organizations to control access to software as a service (SaaS) cloud applications and services based on the Azure AD tenant used for single sign-on, they cannot target specific Microsoft services such as Power Platform exclusively. Organizations can opt to isolate the tenant for Azure AD-based connectors exclusively for Power Platform, using Power Platform’s tenant isolation capability. Power Platform tenant isolation works for connectors using Azure AD-based authentication such as Office 365 Outlook or SharePoint. Power Platform’s tenant isolation can be one way or two way depending on the specific use case. Tenant admins can also choose to allow one or more specific tenants in inbound or outbound direction for connection establishment while disallowing all other tenants. Learn more about tenant restrictions and tenant isolation. For now, this capability is available through support and will soon be available for admin self-service using Power Platform admin center.

In addition to leveraging Power Platform tenant isolation’s ability to prevent data exfiltration and infiltration for Azure AD-based connectors, admins can safeguard against connectors using external identity providers such as Microsoft account, Google, and much more—creating a data loss prevention policy that classifies the connector under the Blocked group.

Email exfiltration controls

Digital transformation has opened a variety of new communications channels. However, email remains the foundational method of digital communication and Microsoft Outlook continues as one of the dominant email services for enterprises. Preventing the exfiltration of sensitive data via email is crucial to maintaining enterprise data security. To this end, we have added the ability for Power Platform admins to prevent emails sent through Power Platform to be distributed to external domains. This is done by setting Exchange mail rules based on specific SMTP headers that are inserted in emails sent through Power Automate and Power Apps using the Microsoft 365 Exchange and Outlook connector. The SMTP headers can be used to create appropriate exfiltration (unauthorized transfer of data from one device to another) rules in Microsoft Exchange for outbound emails. For more details on these headers auto-inserted through Microsoft 365 Outlook connector, see SMTP headers. With the new controls, admins can easily block the exfiltration of forwarded emails and exempt specific flows (automated workflow created with Power Automate) or apps from exfiltration blocking. To block the exfiltration of forwarded emails, admins can set up Exchange mail flow rules to monitor or block emails sent by Power Automate and or Power Apps using the Microsoft 365 Outlook connector. Figure 2 is an example SMTP header for an email sent using Power Automate with the reserved word ‘Power Automate’ in the application header type.

Power Platform SMTP email header with reserved word ‘Power Automate’

Figure 2: Power Platform SMTP email header with reserved word ‘Power Automate.’

The SMTP header also includes the operation ID includes the type of email, which in figure 2 is a forwarded email. Exchange admins can use these headers to set up exfiltration blocking rules in the Exchange admin center. As you can see in figure 2, the SMTP header also includes a workflow identifier as the new ‘User-Agent’ header which is equal to the app or flow ID. Admins can exempt some flows (or apps) from the exfiltration due to the business scenario or use the workflow ID as part of the user-agent header to do the same. Learn more about how Power Platform helps admins prevent email exfiltration with these sophisticated new controls.

Powerful analytics for monitoring robotic process automation processes

One of the most exciting new capabilities offered with the Power Platform is Desktop Flows (previously known as UI flows) which provide robotic process automation (RPA)  available through Power Automate. Along with this powerful new feature, we have launched new analytics dashboards to ensure admins have full visibility with new RPA processes. Admins can view the overall status of automation that runs in the organization and monitor the analytics for automation that’s built with RPA automation from the Power Platform admin center. These analytics reports are accessible to users granted environment admin privilege. Admins can access the Power Platform admin center by clicking the Admin Center from the Power Automate portal settings menu. From the admin center, admins can access either Cloud flows (non-RPA automation) or Desktop flows. The Desktop flows page offers three types of reports:

  • Runs: Gives you an overview of daily, weekly, and monthly desktop flows run statics.
  • Usage: Usage of the different RPA processes.
  • Created: Analytics for recently created RPA processes.

Figure 3 shows an example of the new Runs report available in the admin center for Desktop flows. You can get more details on these powerful new analytics capabilities from our Microsoft docs page and our announcement blog. Check them both out.

New analytics ‘Run’ report for Desktop flows in Power Platform Admin Center

Figure 3: New analytics ‘Run’ report for Desktop flows in Power Platform admin center.

Join our community and get started today

Join the growing Power Platform community so you can get the latest updates, join discussions, and get ideas on how the Power Platform can help your organization. You can also learn how the products work from these learning modules available at Microsoft Learn. Be sure to check out some of our great assets which will get you more knowledgeable about the powerful tools available to ensure your organization benefits from low-code development with the Power Platform while adhering to some of the industry’s best compliance and security standards.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Recent enhancements for Microsoft Power Platform governance appeared first on Microsoft Security.

Why operational resilience will be key in 2021, and how this impacts cybersecurity

January 28th, 2021 No comments

The lessons we have learned during the past 12 months have demonstrated that the ability to respond to and bounce back from adversity in general, can impact the short-and long-term success of any organization. It can even dictate the leaders and laggards in any industry.

When we take into consideration that as security threats also become more daunting, with many organizations remaining in a remote work environment, global organizations must reach a state where their core operations and services are not disrupted by unexpected changes.

The key to success in surviving any unforeseen circumstances in 2021, will be operational resiliency. Operational resilience is the ability to sustain business operations during any major event, including a cyberattack. It requires a strategic and holistic view of what could go wrong and how an organization will respond. Consider the risk and response for a utility company, for example, an organization that relies on IoT data, or a manufacturer of medical supplies. While their approach may differ, the impact would be equally as devastating should their operational continuity be halted. In today’s digital world, preparing for cyber threats must be a strategic part of that plan just like any other form of continuity and disaster recovery.

Speaking with customers globally, we know they are not fully prepared to withstand a major cyber event. Whilst many firms have a disaster recovery plan on paper, nearly a quarter have never tested that plan and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

It begins with Zero Trust. Zero Trust is based on three principles, verify explicitly, use least privilege access, and assume breach.

Verify explicitly

Rather than trust users or devices implicitly because they’re on the corporate network or VPN’ed into it, it is critical to assume zero trust and verify each transaction explicitly. This means enabling strong authentication and authorization based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

This starts with strong user authentication. Multi-factor authentication (MFA) is essential, but it’s time to move away from passwords plus SMS and voice calls as authentication factors. Bad actors are getting more sophisticated all the time, and they have found a number of ways to exploit the publicly switched telephone networks (PSTN) that SMS and voice calls use as well as some social engineering methods for getting these codes from users.

For most users on their mobile devices, we believe the right answer is passwordless with app-based authentication, like Microsoft Authenticator, or a hardware key combined with biometrics.

Least privileged access

Least privileged access means that when we do grant access, we grant the minimum level of access the user needs to complete their task, and only for the amount of time they need it. Think about it this way, you can let someone into your building, but only during work hours, and you don’t let them into every lab and office.

Identity Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with the capabilities to ensure that the right people have the right access to the right resources.

Assume breach

Finally, operate with the expectation of a breach, and apply techniques such as micro-segmentation and real-time analytics to detect attacks more quickly.

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as transport layer security (TLS) and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

That’s why having a strong identity is the critical first step to the success of a Zero Trust security approach.

Embracing Zero Trust allows organizations to harden their defenses while providing employees access to critical data, even during a cyber event. That’s because identity is the foundation of any Zero Trust security strategy because it automatically blocks attacks through adaptive security policies; across users and the accounts, devices, apps, and networks they are using. Identity is the only system that connects all security solutions together so we have end-to-end visibility to prevent, detect, and respond to distributed and sophisticated attacks thanks to cloud technology.

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as TLS and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

“Human identities” such as passwords, biometrics, and other MFA are critical to identifying and authenticate humans. Being a Zero Trust organization also means pervasive use of multi-factor authentication—which we know prevents 99 percent of credential theft and other intelligent authentication methods that make accessing apps easier and more secure than traditional passwords.

Identity is both the foundation for Zero Trust and acts as a catalyst for digital transformation. It automatically blocks attacks through adaptive security policies. It lets people work whenever and wherever they want, using their favorite devices and applications.

That’s because Zero Trust security relies heavily on pervasive threat signals and insights. It is essential to connect the dots and provide greater visibility to prevent, detect and respond to distributed and sophisticated attacks.

Future-proofing your security posture

As security threats become more daunting and many organizations remain in a remote work environment, global organizations must reach a state where their core operations and services will not be disrupted by unexpected global changes.

To maintain operational resilience, organizations should be regularly evaluating their risk threshold. When we talk about risk, this should include an evaluation of an organization’s ability to effectively respond to changes in the crypto landscape, such as a CA compromise, algorithm deprecation, or quantum threats on the horizon.

Bottom line: organizations must have the ability to operationally execute the processes through a combination of human efforts and technology products and services. The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event.

Operational resilience guidelines call for demonstrating that concrete measures are in place to deliver resilient services and that both incident management and contingency plans have been tested. Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Operational resilience is the necessary framework we must have in place in order to maintain business continuity during any unforeseen circumstances in the year ahead.

We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why operational resilience will be key in 2021, and how this impacts cybersecurity appeared first on Microsoft Security.

5 identity priorities for 2021—strengthening security for the hybrid work era and beyond

January 28th, 2021 No comments

When I outlined the five identity priorities for 2020, the world was a very different place. Since then, the COVID-19 pandemic has forever changed how organizations run their businesses. It’s also changed the way we work, learn, and collaborate. What hasn’t changed is the critical role identity plays in helping organizations to be secure and productive.

Yesterday, we shared the progress we’ve made with our integrated security, compliance, identity, and management solutions. Identity alone has grown at an unprecedented pace—from 300 million monthly active users (MAU) in March 2020 to 425 million today. Organizations around the world have accelerated the adoption of security and collaboration apps. But behind these numbers are stories of customers like you, working tirelessly to help your organizations stay ahead.

As I prepare for our traditional customer co-innovation week and reflect on our customers’ challenges and business goals, I want to share our five identity priorities for this year. Many of the recommendations I outlined last year still apply. In fact, they’re even more relevant as organizations accept the new normal of flexible work while bad actors continue to master sophisticated cyber attack techniques. Our 2021 recommendations will help you strengthen your identity and security foundations for the long term, so you can be ready for whatever comes next.

1. Trust in Zero Trust

Zero Trust is back this year, but this time it’s at the top of the list. The “assume breach” mentality of Zero Trust has become a business imperative. Organizations need to harden their defenses to give employees the flexibility to work from anywhere, using applications that live outside of traditional corporate network protections. When the pandemic hit last year, we worked side by side with many of you. We noticed that organizations already on their Zero Trust journey had an easier time transitioning to remote work and strengthening their ability to fend off sophisticated attacks.

The good news is that 94 percent of the security leaders we polled last July told us they had already embarked on a Zero Trust journey. Wherever you are on your journey, we recommend making identity the foundation of your approach. You can protect against credentials compromise with essential tools like multifactor authentication (MFA) and benefit from innovations like risk assessment in Identity Protection, continuous access evaluation, Intune app-protection policies, as well as Microsoft Azure Active Directory (Azure AD) Application Proxy and Microsoft Tunnel.

Looking ahead, as more services act like people by running applications (via API calls or automation) and accessing or changing data, secure them using the same principles: make sure they only get access to the data they need, when they need it, and protect their credentials from misuse.

Where to start: Take the Zero Trust assessment and visit our Deployment Center for deployment guidelines.

2. Secure access to all apps

This was our top recommendation last year, and it couldn’t be more critical today. The growth in app usage with Azure AD shows that organizations are connecting more apps to single sign-on. While this provides seamless and secure access to more apps, the best experience will come from connecting all apps to Azure AD so people can complete all work-related tasks from home and stay safer during the pandemic. Connecting all apps to Azure AD also simplifies the identity lifecycle, tightens controls, and minimizes the use of weak passwords. The result is stronger security at a lower cost: Forrester estimates that such a move can save an average enterprise almost USD 2 million over three years.

Azure AD app gallery includes thousands of pre-integrated apps that simplify deployment of single sign-on and user provisioning. If you want to extend MFA and Conditional Access to legacy on-premises apps, including header-based apps, use Azure AD Application Proxy or an integrated solution from one of our secure hybrid access partners. With our migration tools, you can modernize authentication of all apps and retire your ADFS implementation. This will help prevent attacks that are particularly difficult to detect in on-premises identity systems.

It’s also important to limit the number of admins who can manage apps across your organization, to protect privileged accounts with MFA and Conditional Access, and to require just-in-time (JIT) elevation into admin roles with Privileged Identity Management.

Where to start: Learn how to use Azure AD to connect your workforce to all the apps they need.

3. Go passwordless

We’ll keep repeating the mantra “Go passwordless” as long as passwords remain difficult for people to remember and easy for hackers to guess or steal. Since last year we’ve seen great progress: in May, we shared that over 150 million users across Azure AD and Microsoft consumer accounts were using passwordless authentication. By November, passwordless usage in Azure AD alone had grown by more than 50 percent year-over-year across Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys from partners like AuthenTrend, Feitian, or Yubico.

Passwordless authentication can minimize or eliminate many identity attack vectors, including those exploited in the most sophisticated cyberattacks. At a minimum, going passwordless should be non-negotiable for admin-level accounts. Moreover, providing employees with a fast, easy sign-in experience saves time and reduces frustration. Forrester estimates that consolidating to a single identity solution and providing one set of credentials saves each employee 10 minutes a week on average, or more than 40 hours a year. Imagine additional savings from not having to reset passwords or mitigate phishing attacks.

Where to start: Read the Forrester Report, “The Total Economic Impact™ Of Securing Apps With Microsoft Azure Active Directory.”

4. Choose and build secure-by-design apps

Because attacks on applications are growing, it’s important to go a step beyond integrating apps with Azure AD to deploying apps that are secure by design. Build secure authentication into the apps you write yourself using the Microsoft Authentication Library (MSAL). Ideally, apps should go passwordless too, so ensure they’re using strong credentials like certificates. If your apps interact with other Microsoft services, take advantage of the identity APIs in Microsoft Graph. Whenever possible, choose third-party apps from verified publishers. Since publisher verification badges make it easier to determine whether an app comes from an authentic source, encourage your ISV partners to become verified publishers if they haven’t already.

Since most apps ask to access company data, administrators may choose to review consent requests before granting permissions. While neglecting to review requests is a security risk, doing it for every single app used by every single employee takes too much time and costs too much. Fortunately, new features like app consent policies and admin consent workflow help avoid the extreme choices of reviewing all requests or delegating full responsibility to employees. Regularly review your apps portfolio and take action on overprivileged, suspicious, or inactive apps.

Where to start: Update your applications to use Microsoft Authentication Library and Microsoft Graph API, adopt app consent policies and publisher verification practices, and follow identity platform best practices.

5. Break collaboration boundaries

We know that partners, customers, and frontline workers are essential to your business. They, too, need simple and secure access to apps and resources, so they can collaborate and be productive, while administrators need visibility and controls to protect sensitive data.

Simplify collaboration for external users with intuitive self-service sign-up flows and the convenience of using their existing email or social account. For frontline workers, Azure AD offers simple access, through sign-in with a one-time SMS passcode, which eliminates the need to remember new credentials. For frontline managers, the My Staff portal makes it easy to set up SMS sign-in, to reset passwords, and to grant access to resources and shared devices without relying on help desk or IT.

Visibility and control are easier to achieve when managing all identities using a common toolset. You can apply the same Conditional Access policies for fine-grained access control to services, resources, and apps. By setting up access review campaigns, or using automated access reviews for all guest users in Microsoft Teams and Microsoft 365 groups, you can ensure that external guests don’t overstay their welcome and only access resources they need.

Where to start: Learn more about Azure AD External Identities and using Azure AD to empower frontline workers.

Get started on the future now: Explore verifiable credentials

During the pandemic, you’ve had to support not only remote work but also remote recruiting. People usually show up to an interview with documentation in hand that confirms their identity and qualifications. It’s more complicated to vet candidates remotely, especially when hiring needs to happen quickly—for example, in the case of essential workers.

Microsoft and industry-leading ID verification partners are pushing the frontier of identity by transforming existing ID verification practices with open standards for verifiable credentials and decentralized identifiers. Verifiable credentials are the digital equivalent of documents like driver’s licenses, passports, and diplomas. In this paradigm, individuals can verify a credential with an ID verification partner once, then add it to Microsoft Authenticator (and other compatible wallets) and use it everywhere in a trustworthy manner. For example, a gig worker can verify their driver’s license and picture digitally, and then use it to get hired by a ride-sharing service and a food delivery company.

Such an approach can improve verification while protecting privacy across the identity lifecycle: onboarding, activating credentials, securing access to apps and services, and recovering lost or forgotten credentials. We’re piloting this technology with customers like the National Health Service in the UK and MilGears, a program of the United States Department of Defense that helps service members and veterans enroll in higher education and jumpstart their civilian careers.

Where to start: Watch our Microsoft Ignite session on Decentralized Identity and join the Decentralized Identity Foundation.

Whether your top priority is modernizing your infrastructure and apps or implementing a Zero Trust security strategy, we are committed to helping you every step of the way. Please send us your feedback so we know what identity innovations you need to keep moving forward on your digital transformation journey.

The post 5 identity priorities for 2021—strengthening security for the hybrid work era and beyond appeared first on Microsoft Security.

The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 2

January 21st, 2021 No comments

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the first post of our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Jake Williams, Founder of Rendition InfoSec. In part two of this blog, Jake shares his best practices on how to structure and evolve red and blue teaming within your organization.

What are best practices for organizations maturing their blue team?

First and foremost, go in and look at the event logs and turn on all of the logging that you think will be useful. I work with blue teams today up and down the Fortune 500, and I ask, “Where is this in your event logs?” And they say, “I think maybe my endpoint detection and response (EDR) platform may catch that.” Windows catches that. Windows detects the thing we’re talking about if you have it configured. It’s more than 100 event logs, and a lot of them are empty and the ones that are populated are not logging the best things you can log. A lot of the reason for that is logs get big.

The second cybersecurity best practice is to use Group Policy Object (GPO) and increase the size of your event logs dramatically. I think the security event log pegs at 20 megabytes. The way that I explain this to folks is I’ve never been an instant responder and worked the case where I walk in and think, “What am I going to do with all these logs?”

Third, actually walk through the audit policy. I want you to go look at it. If you’re a systems architect or a systems engineer, you have to know what’s even available. Not knowing what’s available from an audit standpoint is almost like going to a restaurant, never reading the menu and saying, “I heard you had a burger so I’m going to have that.” And you have no idea what else could be there that could be way better. Go read the menu. Find out what audit logs are available and increase the size of them dramatically.

We’ve had folks do one but not the other. There was this heartbreaking case a couple of years back where they called, and I ended up being on the flyaway team. When they called, we asked, “What auditing do you have available?” We told them to turn it on and increase the size of the event log, and they did one of those two. And when I got onsite, and I got into that server, there were 18 seconds of security event logs. 18 seconds. It was awesome that they turned some stuff on, but at the same time, I needed the log in general, not 18 seconds of activity. It was just heartbreaking.

What is your guidance to red teamers? What best practices should they consider?

Stop trying to be sexy. Every time there’s a major security conference like a Black Hat or a ShmooCon, I get some red teamers who come back and say, “I just saw this super cool, super awesome technique.” I ask, “Are attackers using that?” and they say, “I’m sure they will be.” When we have credible intelligence that they are, then we’re going to invest that time. Make sure you’re actually providing value back to the organization and understand what that means.

In late 2019, I was at a major insurance company and they have a red team that is about a third of the size of their blue team, which is just wrong. I asked, “Can I see an example of a report?” And the red team leader says, “No.” I said, “You do know I have an NDA with you. We’re physically here at your headquarters.” He said that they only share these reports with management and that executives understand the risks. He said that if they tell the blue team how they’re doing everything, they’ll catch the red team immediately.

The biggest outcome of this exercise became how do we stop doing red team for red team’s sake, such as to be a bunch of cool hackers and go break stuff. How do we turn this around where the red team is providing value to blue team? Security is a service provider to the organization, and red team ultimately should be driven by blue team (their customer). The red team’s goal isn’t to go sneak around and remain undetected for the sake of their egos. The goal is to identify vulnerabilities, missing patches or misconfigurations, or find gaps in coverage for monitoring. The customer for that is blue team. I look at the blue team as tasking the red team and saying, “Here’s what we need from you.” Red team’s hacking, sexy, cool stuff is secondary.

What kind of training would you recommend for red and blue teams?

If I’m a blue teamer, I’m going to be staying on the cutting edge of what’s the latest thing happening with system logs. I’m less about tools than I am about techniques. What do I have available from a detection standpoint? I’m not interested necessarily in my blue teamers going out and trying to figure out how to go through exploits, run exploits. That’s a red team kind of thing.

For a red team, send them to conferences. People don’t like to hear this, but the conferences are going to pay off better than any red team courses for anybody who has got more than a year of red team experience. The reason is the networking. You network, and you start getting put in these private Slack groups or on email lists. Everybody knows everybody. You’re going to hear about those newer techniques. I’m less about formalized training than I am about getting them into networking opportunities.

What do you think red and blue teams will continue to think about even after the pandemic? What changes are going to make long-lasting impacts on the security industry?

This applies to both red and blue teams, and it’s understanding the attack surface. Something that we’ve seen more than any previous year has to be software-as-a-service (SaaS). We shifted to work from home, depending on which part of the country, either over a 24 or a 48-hour period all the way up to maybe a two-week period. By any measure, it’s insanely fast for a lot of folks to do, and so they made a lot of changes to get stuff done without really looking at the long-term security implications.

I’m already discussing with clients how to go back and memorialize what they did as we ran home. In late March, most CISOs I talked to didn’t believe we’d still be at home at the end of the year. They thought this was a one-month or two-month situation so risks we were ready to accept for a month look a whole lot different than risks we’re going to live with in perpetuity.

For the folks rolling into holiday standdown time, now is the time to make some of those changes. On the red team side, another big one is: Know your scope, know your scope, know your scope. Just because I have data in Salesforce doesn’t mean you can go hack Salesforce. Your red team needs to know what they legally can do and what they ethically should do and make sure everyone is aligned there. From a blue team side, you figure out how you want them to evaluate the security of your Salesforce tenant. I think that’s really it, knowing what architecture changes we made as we moved into that fully remote environment, and how many of those need to be revisited. And the answer is a lot of them. I think it’s no secret that a lack of change control drives a lot of breaches.

Any last words of wisdom to help red and blue teams strengthen cybersecurity?

Both red and blue should absolutely be using threat intelligence. That doesn’t mean every org needs a dedicated cyber threat intelligence (CTI) analyst. It doesn’t mean go buy another threat intelligence feed. What I’m looking at is what we need to prioritize not based on what could happen but on what we know is happening. Those are two very different things. When I look at the range of possible bad things that could happen to us, I think: What are we actually seeing in the wild, both in our organizations and in other organizations?

When you learn about a threat that’s targeting a different industry, like healthcare, should you be paying attention to it? The answer is obviously yes, you should be. Just because it’s a big push in one industry doesn’t mean it’s not coming to you. All things equal, I’m going to prioritize more in my vertical, but I have to have an ear to the grindstone for what’s happening in other verticals as well.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity or on LinkedIn for the latest news and updates on cybersecurity.

The post The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 2 appeared first on Microsoft Security.

Using Zero Trust principles to protect against sophisticated attacks like Solorigate

January 19th, 2021 No comments

The Solorigate supply chain attack has captured the focus of the world over the last month. This attack was simultaneously sophisticated and ordinary. The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques, and procedures (TTPs) were individually ordinary.

Companies operating with a Zero Trust mentality across their entire environment are more resilient, consistent, and responsive to new attacks—Solorigate is no different. As threats increase in sophistication, Zero Trust matters more than ever, but gaps in the application of the principles—such as unprotected devices, weak passwords, and gaps in multi-factor authentication (MFA) coverage can be exploited by actors.

Zero Trust Principles

Applying Zero Trust

Zero Trust in practical terms is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual real-time policy enforcement to achieve least privileged access and minimize risks. Automation and Machine Learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.

Zero Trust Policy

Verify explicitly

To verify explicitly means we should examine all pertinent aspects of access requests instead of assuming trust based on a weak assurance like network location. Examine the identity, endpoint, network, and resource then apply threat intelligence and analytics to assess the context of each access request.

When we look at how attackers compromised identity environments with Solorigate, there were three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification.

  • Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network. On-premises identity systems are more vulnerable to these common attacks because they lack cloud-powered protections like password protection, recent advances in password spray detection, or enhanced AI for account compromise prevention.
  • Again, in cases where the actor succeeded, highly privileged vendor accounts lacked protections such as MFA, IP range restrictions, device compliance, or access reviews. In other cases, user accounts designated for use with vendor software were configured without MFA or policy restrictions. Vendor accounts should be configured and managed with the same rigor as used for the accounts which belong to the organization.
  • Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress. The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.

Cloud identity, like Azure Active Directory (Azure AD), is simpler and safer than federating with on-premises identity. Not only is it easier to maintain (fewer moving parts for attackers to exploit), your Zero Trust policy should be informed by cloud intelligence. Our ability to reason over more than eight trillion signals a day across the Microsoft estate coupled with advanced analytics allows for the detection of anomalies that are very subtle and only detectable in very large data sets. User history, organization history, threat intelligence, and real-time observations are an essential mechanism in a modern defense strategy. Enhance this signal with endpoint health and compliance, device compliance policies, app protection policies, session monitoring, and control, and resource sensitivity to get to a Zero Trust verification posture.

For customers that use federation services today, we continue to develop tools to simplify migration to Azure AD. Start by discovering the apps that you have and analyzing migration work using Azure AD Connect health and activity reports.

Least privileged access

Zero Trust: Microsoft Step by Step

Least privileged access helps ensure that permissions are only granted to meet specific business goals from the appropriate environment and on appropriate devices. This minimizes the attacker’s opportunities for lateral movement by granting access in the appropriate security context and after applying the correct controls—including strong authentication, session limitations, or human approvals and processes. The goal is to compartmentalize attacks by limiting how much any compromised resource (user, device, or network) can access others in the environment.

With Solorigate, the attackers took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all. Conversely, customers with good least-privileged access policies such as using Privileged Access Workstations (PAW) devices were able to protect key resources even in the face of initial network access by the attackers.

Assume breach

Our final principle is to Assume Breach, building our processes and systems assuming that a breach has already happened or soon will. This means using redundant security mechanisms, collecting system telemetry, using it to detect anomalies, and wherever possible, connecting that insight to automation to allow you to prevent, respond and remediate in near-real-time.

Sophisticated analysis of anomalies in customer environments was key to detecting this complex attack. Customers that used rich cloud analytics and automation capabilities, such as those provided in Microsoft 365 Defender, were able to rapidly assess attacker behavior and begin their eviction and remediation procedures.

Importantly, organizations such as Microsoft who do not model “security through obscurity” but instead model as though the attacker is already observing them are able to have more confidence that mitigations are already in place because threat models assume attacker intrusions.

Summary and recommendations

It bears repeating that Solorigate is a truly significant and advanced attack. However ultimately, the attacker techniques observed in this incident can be significantly reduced in risk or mitigated by the application of known security best practices. For organizations—including Microsoft—thorough application of a Zero Trust security model provided meaningful protection against even this advanced attacker.

To apply the lessons from the Solorigate attack and the principles of Zero Trust that can help protect and defend, get started with these recommendations:

  1. More than any other single step, enable MFA to reduce account compromise probability by more than 99.9 percent. This is so important, we made Azure AD MFA free for any Microsoft customer using a subscription of a commercial online service.
  2. Configure for Zero Trust using our Zero Trust Deployment Guides.
  3. Look at our Identity workbook for Solorigate.

Stay safe out there.

Alex Weinert

For more information about Microsoft Zero Trust please visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Using Zero Trust principles to protect against sophisticated attacks like Solorigate appeared first on Microsoft Security.

Simplify compliance and manage risk with Microsoft Compliance Manager

January 14th, 2021 No comments

The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant will cost you less compared to business disruptions, loss of revenue, and hefty fines.

Data explosion and regulatory environment

As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.

Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.

Manage compliance challenges

According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.

Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.

  • Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
  • Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
  • Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
  • Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.

Simplify compliance with Microsoft Compliance Manager

Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:

  • Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
  • Workflow functionality to help you efficiently complete risk assessments.
  • Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
  • Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.

Shared responsibility

For organizations running their workloads only on-premises, they are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, such as Microsoft 365, that responsibility becomes shared between your organization and the cloud provider, although is ultimately responsible for the security and compliance of their data.

Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.

shows the Shared responsibility model

Figure 1: Shared responsibility model

Apply a shared responsibility model

Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take the United States National Institute of Standards and Technology’s NIST 800-53 regulation as an example. It is one of the largest and most stringent security and data protection control frameworks used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500 plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that situation with one where your organization was running 100 percent on-premises. In that case, your organization would need to implement and maintain all the NIST 800-53 controls on your own. The time and cost savings managing your IT portfolio under the shared responsibility model can be substantial.

shows the NIST examples of shared responsibilities

Figure 2: NIST examples of shared responsibilities

Assess your compliance with a compliance score

Compliance Manager helps you prioritize which actions to focus on to improve your overall compliance posture by calculating your compliance score. The extent to which an improvement action impacts your compliance score depends on the relative risk it represents. Points are awarded based on whether the action risk level has been identified as a combination of the following action characteristics:

  • Mandatory or discretionary.
  • Preventative, detective, or corrective.

Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.

The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.

Shows the Compliance Score from Microsoft Compliance Manager

Figure 3: Compliance Score from Microsoft Compliance Manager

For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Simplify compliance and manage risk with Microsoft Compliance Manager appeared first on Microsoft Security.

A “quick wins” approach to securing Azure Active Directory and Office 365 and improving your security posture

December 17th, 2020 No comments

In the last post, we discussed Office 365 and how enabling certain features without understanding all the components can lead to a false sense of security. We demonstrated how implementing a break glass account, multi-factor authentication (MFA), and the removal of legacy authentication can help secure your users and point your organization’s security posture in the right direction. While implementing those controls is an excellent start to hardening your environment, it is just the beginning. Read that blog here.

Security is critical, and any way that we can expedite threat prevention is highly welcomed. What if there was a way to get into a more secure state quickly.  How much time would this give you back to focus your attention on other tasks like actual customers (user base, clients)?

Do you wish there was a quick approach for security configurations in Azure Active Directory (Azure AD) and Office 365? I know I do, and thankfully we have some options here, and they are Secure Score and security defaults. Many of our customers are not aware that these features exist, or if they are aware, they fail to take advantage of using them.

“This blog post will provide an overview of Microsoft Secure Score and security defaults—two features that are easy to utilize and can significantly improve your security in Azure AD and Office 365 configurations.” 

What is Microsoft Secure Score? I am glad you asked

Microsoft Secure Score is a measurement developed to help organizations understand where they are now and the steps needed to improve their security posture. Microsoft Secure Score summarizes the different security features and capabilities currently enabled and provides you with the ability to compare your Score with other companies like yours and identify recommendations for areas of improvement.

Microsoft Secure Score screen image

Figure 1: Microsoft Secure Score screen image

How does Secure Score help organizations?

Secure Score provides recommendations for protecting your organization from threats. Secure Score will:

  • Objectively measure your identity security posture.
  • Plan for security improvements.
  • Review the success of your improvements.
  • The Score can also reflect third-party solutions that have been implemented and have addressed recommended actions.
  • The Secure Score reflects new services, thus keeping you up to date with new features and security settings that should be reviewed and if action on your part.

How is the Score determined?

Secure Score compares your organization’s configuration against anonymous data from other organizations with similar features to your organization, such as company size. Each improvement action is worth ten points or less, and most are scored in a binary fashion. If you implement the improvement action, like require MFA for Global Administrators or create a new policy or turn on a specific setting, you get 100 percent of the points. For other improvement actions, points are given as a percentage of the total configuration.

For example, an improvement action states you get ten points by protecting all your users with multi-factor authentication. You only have 50 of 100 total users protected, so that you would get a partial score of five points.

Additionally, your score will drop if routine security tasks are not completed regularly or when security configurations are changed. It will provide directions to the security team about what has changed and the security implications of those changes.

What are security defaults?

Security defaults, a one-click method for enabling basic identity security in an organization, are pre-configured security settings that help defend organizations against frequent identity-related attacks, such as password spray, replay, and phishing. Some of the critical features of Security Defaults include:

  • Requiring all users to register for Azure AD Multi-Factor Authentication (MFA) using the Microsoft Authenticator app.
  • Requiring administrators to perform multi-factor authentication.
  • Blocking legacy authentication protocols.
  • Requiring users to perform multi-factor authentication when necessary.
  • Protecting privileged activities like access to the Azure portal.

When should you use security defaults?

It would be best if you used security defaults in the following cases:

  • If you want to increase the overall security posture and don’t know how or where to start, security defaults are for you.
  • If you are using the free tier of Azure Active Directory licensing, security defaults are for you.

How is the Score determined?

Microsoft Secure Score has recently added improvement actions to support security defaults in Azure Active Directory, making it easier to help protect your organization with pre-configured security settings for frequent attack vectors.

When you turn on security defaults, you will be awarded full points for the following improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access (nine points).
  • Require MFA for administrative roles (ten points).
  • Enable policy to block legacy authentication (seven points).

Get Started with Microsoft Secure Score and security defaults

Microsoft organizes Secure Score improvement actions into groups to help you focus on what you need to address for your organization:

  • Identity (Azure AD accounts and roles).
  • Data (Microsoft Information Protection).
  • Device (Microsoft Defender ATP, known as Configuration score).
  • Application (email and cloud apps, including Office 365 and Microsoft Cloud App Security).
  • Infrastructure (no improvement actions for now).

Secure Score

  • Start by logging into your Secure Score.
  • View your scores and where you need to improve.
  • Export all recommendations for your organization and turn this into an attack plan.
  • Prioritize the recommendations you will implement over the next 30, 60, 90, and 180 days.
  • Pick the tasks that are priorities for your organization and work these into your change control processes.

Security defaults

  • Start by logging in to your  Azure portal as a security administrator, Conditional Access administrator, or global administrator.
  • Browse to Azure Active Directory, and then Properties.
  • Select Manage security defaults.
  • Set the Enable security defaults, then toggle to Yes.
  • Select Save.

Enabling security defaults

Figure 2:  Enabling security defaults

There are many security enhancements that keep coming to Microsoft’s Cloud stack, so be sure you check your secure Score weekly. As the days go by and new security settings appear, your secure Score will reflect these changes. It is critical to check back often to ensure you are addressing any further recommendations.

Bumps in the road

Microsoft Secure Score and security defaults are straight forward ways to evaluate and improve your Azure AD and Office 365 configurations’ security. Security defaults help implement industry recommended practices, while Microsoft Secure Score creates a hands-on interface that simplifies the ongoing process of security assessment and improvement.

Our upcoming blog will explore the necessary built-in Azure tooling and open-source options that an organization can employ during investigative scenarios.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A “quick wins” approach to securing Azure Active Directory and Office 365 and improving your security posture appeared first on Microsoft Security.

A breakthrough year for passwordless technology

December 17th, 2020 No comments

As 2020 draws to a close, most of us are looking forward to putting this year in the rearview mirror. Since we depend even more on getting online for everything in our lives, we’re more than ready to be done with passwords. Passwords are a hassle to use, and they present security risks for users and organizations of all sizes, with an average of one in every 250 corporate accounts compromised each month. According to the Gartner Group, 20 to 50 percent of all help desk calls are for password resets. The World Economic Forum (WEF) estimates that cybercrime costs the global economy $2.9 million every minute, with roughly 80 percent of those attacks directed at passwords.

In November 2019 at Microsoft Ignite, we shared that more than 100 million people were already using Microsoft’s passwordless sign-in each month. In May of 2020, just in time for World Password Day, that number had already grown to more than 150 million people, and the use of biometrics to access work accounts is now almost double what it was then. We’ve drawn strength from our customers’ determination this year and are set to make passwordless access a reality for all our customers in 2021.

2020: A banner year for passwordless technology

Infograph describing the passwordless technology achievements in 2020

February: We announced a preview of Azure Active Directory support for FIDO2 security keys in hybrid environments. The Fast Identity Online (FIDO) Alliance is a “cross-industry consortia providing standards, certifications, and market adoption programs to replace passwords with simpler, stronger authentication.” Following the latest FIDO spec, FIDO2, we enabled users with security keys to access their Hybrid Azure Active Directory (Azure AD) Windows 10 devices with seamless sign-in, providing secure access to on-premises and cloud resources using a strong hardware-backed public and private-key credential. This expansion of Microsoft’s passwordless capabilities followed 2019’s preview of FIDO2 support for Azure Active Directory joined devices and browser sign-ins.

June: I gave a keynote speech at Identiverse Virtual 2020 where I got to talk about how Microsoft’s FIDO2 implementation highlights the importance of industry standards in implementing Zero Trust security and is crucial to enabling secure ongoing remote work across industries. Nitika Gupta, Principal Program Manager of Identity Security in our team, showed how Zero Trust is more important than ever for securing data and resources and provided actionable steps that organizations can take to start their Zero Trust journey.

September: At Microsoft Ignite, the company revealed the new passwordless wizard available through the Microsoft 365 Admin Center. Delivering a streamlined user sign-in experience in Windows 10, Windows Hello for Business replaces passwords by combining strong MFA for an enrolled device with a PIN or user biometric (fingerprint or facial recognition). This approach gives you, our customers, the ability to deliver great user experiences for your employees, customers, and partners without compromising your security posture.

November: Authenticate 2020, “the first conference dedicated to who, what, why and how of user authentication,” featured my boss, Joy Chik, CVP of Identity at Microsoft, as the keynote speaker. Joy talked about how FIDO2 is a critical part of Microsoft’s passwordless vision, and the importance of the whole industry working toward great user experiences, interoperability, and having apps everywhere support passwordless authentication. November also saw Microsoft once again recognized by Gartner as a “Leader” in identity and access management (IAM).

MISA members lead the way

The Microsoft Intelligent Security Association (MISA) is an ecosystem of security partners who have integrated their solutions with Microsoft to better defend against increasingly sophisticated cyber threats. Four MISA members—YubiKey, HID Global, Trustkey, and AuthenTrend—stood out this year for their efforts in driving passwordless technology adoption across industries.

Yubico created the passwordless YubiKey hardware to help businesses achieve the highest level of security at scale.

“We’re providing users with a convenient, simple, authentication solution for Azure Active Directory.”—Derek Hanson, VP of Solutions Architecture and Alliances, Yubico

HID Global engineered the HID Crescendo family of FIDO-enabled smart cards and USB keys to streamline access for IT and physical workspaces—enabling passwordless authentication anywhere.

“Organizations can now secure access to laptops and cloud apps with the same credentials employees use to open the door to their office.”—Julian Lovelock, VP of Global Business Segment Identity and Access Management Solutions, HID

TrustKey provides FIDO2 hardware and software solutions for enterprises who want to deploy passwordless authentication with Azure Active Directory because: “Users often find innovative ways to circumvent difficult policies,” comments Andrew Jun, VP of Product Development at TrustKey, “which inadvertently creates security holes.”

AuthenTrend applied fingerprint-authentication technology to the FIDO2 security key and aspires to replace all passwords with biometrics to help people take back ownership of their credentials.

Next steps for passwordless in 2021

Our team has been working hard this year to join these partners in making passwords a thing of the past. Along with new UX and APIs for managing FIDO2 security keys enabling customers to develop custom solutions and tools, we plan to release a converged registration portal in 2021, where all users can seamlessly manage passwordless credentials via the My Apps portal.

We’re excited about the metrics we tracked in 2020, which show a growing acceptance of passwordless among organizations and users:

  • Passwordless usage in Azure Active Directory is up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.
  • More than 150 million total passwordless users across Azure Active Directory and Microsoft consumer accounts.
  • The number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019.

We’re all hoping the coming year will bring a return to normal and that passwordless access will at least make our online lives a little easier.

Learn more about Microsoft’s passwordless story. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A breakthrough year for passwordless technology appeared first on Microsoft Security.

Becoming resilient by understanding cybersecurity risks: Part 2

December 17th, 2020 No comments

In part one of this blog series, we looked at how being resilient to cybersecurity threats is about understanding and managing the organizational impact from the evolution of human conflict that has existed since the dawn of humanity. In part two of this series, we further explore the imperative of thinking and acting holistically as a single organization working together to a common goal. Building true resilience begins with framing the issue accurately to the problem at hand and continuously (re)prioritizing efforts to match pace with evolving threats.

For this blog, we will use the example of a current cybersecurity threat that spans every organization in every industry as an example of how to put this into practice. The emergence of human-operated ransomware has created an organizational risk at a pace we have not seen before in cybersecurity. In these extortion attacks, attackers are studying target organizations carefully to learn what critical business processes they can stop to force organizations to pay, and what weaknesses in the IT infrastructure they can exploit to do it.


This type of threat enables attackers to stop most or all critical business operations and demand ransom to restore them by combining:

  • A highly lucrative extortion business model.
  • Organization-wide impact utilizing well-establish tools and techniques.

Whilst this may be uncomfortable reading, the ability to pre-empt and respond quickly to these cyberattacks is now an organizational imperative that requires a level of close collaboration and integration throughout your organization (which may not have happened to date).

Because these attacks directly monetize stopping your business operations, you must:

  • Identify and prioritize monitoring and protection for critical business assets and processes.
  • Restore business operations as fast as possible, when attacked.

Applying this in a complex organization requires you to:

  1. Know thyself: The first step towards resilience is identifying your critical business assets and processes and ensuring appropriate team members truly understand them so that appropriate controls can be implemented to protect and rapidly restore them. These controls should include business and technical measures such as ensuring immutable or offline backups (as attackers try to eliminate all viable alternatives to paying the ransom, including anti-tampering mechanisms).
  2. This is not a one-time event: Your business and technical teams need to work together to continuously evaluate your security posture relative to the changing threat landscape. This enables you to refine priorities, build mutual trust and strong relationships, and build organizational muscle memory.
  3. Focus on high-impact users: Just as your executives and senior managers have control and access over massive amounts of sensitive and proprietary information that can damage the organization if exposed; IT administrators also have access and control over the business systems and networks that host that information. Ransomware attackers traverse your network and target IT administrator accounts, making the seizure of privileged access a critical component of their attack success. See Microsoft’s guidance on this topic
  4. Build and sustain good hygiene: As we discussed in our first blog, maintaining and updating software and following good security practices is critical to building resilience to these attacks. Because organizations have a backlog of technical debt, it’s critical to prioritize this work to pay off the most important debt first.
  5. Ruthlessly prioritize: Ruthless prioritization applies a calm but urgent mindset to prioritizing tasks to stay on mission. This practice focuses on the most effective actions with the fastest time to value regardless of whether those efforts fit pre-existing plans, perceptions, and habits.
  6. Look through an attacker’s lens: The best way to prioritize your work is to put yourself in the perspective of an attacker. Establishing what information would be valuable to an attacker (or malicious insider), how they would enter your organization and access it, and how they would extract it will give you invaluable insights into how to prioritize your investments and response. Assess the gaps, weaknesses, and vulnerabilities that could be exploited by attackers across the end-to-end business processes and the backend infrastructure that supports them. By modeling the process and systems and what threats attackers can pose to them, you can take the most effective actions to remove or reduce risk to your organization.
  7. Exercise and stress test: This strategy will be tested by attackers in the real world, so you must proactively stress test to find and fix the weaknesses before the attackers find and exploit them. This stress testing must extend to both business processes and technical systems so that organizations build overall resilience to this major risk. This requires systematically removing assumptions in favor of known facts that can be relied upon in a major incident. This should be prioritized based on scenarios that are high impact and high likelihood like human-operated ransomware.

Whilst it’s tempting for experienced leaders and technical professionals to get caught up in how things have been done before, cybersecurity is a fundamentally disruptive force that requires organizations to work collaboratively and adopt and adapt the practices documented in Microsoft’s guidance.

“We cannot solve our problems with the same thinking we used when we created them.”—Albert Einstein

For all this to be successful, your organization must work together as a single coherent entity, sharing insights and resources from business, technical, and security teams to leverage diverse viewpoints and experiences. This approach will help you plan and execute pragmatically and effectively against evolving threats that impact all parts of your organization.

In our next blog, we will continue to explore how to effectively manage risk from the perspective of business and cybersecurity leaders and the capabilities and information required to stay resilient against cyberattacks.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 2 appeared first on Microsoft Security.