Archive for the ‘Cloud Computing’ Category

Disrupting the kill chain

This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group.

The cyber kill chain describes the typical workflow, including the tactics, techniques, and procedures (TTPs), used by attackers to infiltrate an organization’s networks and systems.  The Microsoft Global Incident Response and Recovery (GIRR) Team and Enterprise Threat Detection Service, Microsoft’s managed cyber threat detection service, identify and respond to thousands of targeted attacks per year.  Based on our experience, the image below illustrates how most targeted cyber intrusions occur today.

[Image: attack kill chain]

The initial attack typically includes the following steps:

  • External recon –  During this stage, the attacker typically searches publicly available sources to identify as much information as possible about their target.  This will include information about the target’s IP address range, business operations and supply chain, employees, executives, and technology utilized.  The goal of this stage is to develop sufficient intelligence to increase the chances of a successful attack. If the attacker has previously penetrated your environment, they may also refer to intelligence gathered during previous incursions.
  • Compromised machine – Attackers continue to use socially engineered attacks to gain an initial foothold on their victim’s network.  Why?  Because these attacks, especially if targeted and based on good intelligence, have an extremely high rate of success.  At this stage, the attacker will send a targeted phishing email to a carefully selected employee within the organization.  The email will either contain a malicious attachment or a link directing the recipient to a watering hole.  Once the user executes the attachment or visits the watering hole, another malicious tool known as a backdoor will be installed on the victim’s computer giving the attacker remote control of the computer.
  • Internal Recon and Lateral Movement – Now that the attacker has a foothold within the organization’s network, he or she will begin gathering information not previously available externally.  This will include performing host discovery scans, mapping internal networks and systems, and attempting to mount network shares.  The attacker will also begin using freely available yet extremely effective tools like Mimikatz and WCE to harvest credentials stored locally on the initially compromised machine, and begin planning the next stage of the attack as shown below.

[Image: high privileges lateral movement cycle]

  • Domain Dominance – At this stage, the attacker will attempt to elevate their level of access to a higher trusted status within the network.  The attacker’s ultimate goal is to access your data, and the privileged credentials of a domain administrator offer them many ways to reach your valuable data stores.  Once this occurs, the attacker will begin to pivot throughout the network, either looking for valuable data or installing ransomware for future extortion attempts, or both.
  • Data Consolidation and Exfiltration – Now that the attacker has access to the valuable data within the organization’s systems, he or she must consolidate it, package it up, and send it out of the network without being detected or blocked.  This is typically accomplished by encrypting the data and transferring it to an external system controlled by the attacker using approved network protocols like DNS, FTP, and SFTP or Internet-based file transfer solutions.

Microsoft Secure and Productive Enterprise

The Microsoft Secure and Productive Enterprise is a suite of product offerings that have been purposely built to disrupt this cyber attack kill chain while still ensuring an organization’s employees remain productive.  Below, I briefly describe how each of these technologies disrupts the kill chain:

  • Office 365 Advanced Threat Protection – This technology is designed to disrupt the “initial compromise” stage and raise the cost of successfully using phishing attacks.
    Most attackers leverage phishing emails containing malicious attachments or links pointing to watering hole sites. Advanced Threat Protection (ATP) in Office 365 provides protection against both known and unknown malware and viruses in email, provides real-time (time-of-click) protection against malicious URLs, as well as enhanced reporting and trace capabilities.  Messages and attachments are not only scanned against signatures powered by multiple antimalware engines and intelligence from Microsoft’s Intelligent Security Graph, but are also routed to a special detonation chamber, run, and the results analyzed with machine learning and advanced analysis techniques for signs of malicious behavior to detect and block threats. Enhanced reporting capabilities also make it possible for security teams to quickly identify and respond to email-based attacks when they occur.
  • Windows 10 –  This technology disrupts the compromised machine and lateral movement stages by raising the difficulty of successfully compromising and retaining control of a user’s PC and by protecting the accounts and credentials stored and used on the device.
    If an attacker still manages to deliver malware to one of the organization’s employees by some other mechanism (e.g., via personal email), Windows 10’s security features are designed both to stop the initial infection and, if the machine is infected, to prevent further lateral movement. Specifically, Windows Defender Application Guard uses new, hardware-based virtualization technology to wrap a protective border around the Edge browser.  Even if malware executes within the browser, it cannot access the underlying operating system and is cleaned from the machine once the browser is closed.  Windows Device Guard provides an extra layer of protection to ensure that only trusted programs are loaded and run, preventing the execution of malicious programs, and Windows Credential Guard uses the same hardware-based virtualization technology discussed earlier to prevent attackers who manage to gain an initial foothold from obtaining other credentials stored on the endpoint.  And finally, Windows Defender Advanced Threat Protection is the DVR for your company’s security team.  It provides a near real-time recording of everything occurring on your endpoints and uses built-in signatures, machine learning, deep file analysis through detonation as a service, and the power of the Microsoft Intelligent Security Graph to detect threats.  It also provides security teams with remote access to critical forensic data needed to investigate complex attacks.
  • Microsoft Advanced Threat Analytics – This technology disrupts the lateral movement phase by detecting lateral movement attack techniques early, allowing for rapid response.
    If an attacker still manages to get through the above defenses, compromise credentials, and move laterally, the Microsoft Advanced Threat Analytics (ATA) solution provides a robust set of capabilities to detect this stage of an attack.  ATA uses both detection of known attack techniques and user-based analytics that learn what is “normal” for your environment so it can spot anomalies that indicate an attack. Microsoft ATA can detect internal recon attempts such as DNS enumeration, use of compromised credentials such as access attempts during abnormal times, lateral movement (Pass-the-Ticket, Pass-the-Hash, etc.), privilege escalation (forged PAC), and domain dominance activities (skeleton key malware, golden tickets, remote execution).
  • Azure Security Center – While Microsoft ATA detects cyber attacks occurring within an organization’s data centers, Azure Security Center extends this level of protection into the cloud.

And now for the best part.  As shown in the image below, each of the above listed technologies is designed to work seamlessly together and provide security teams with visibility across the entire kill chain.

[Image: disrupting the kill chain]

Each of these technologies also leverages the power of the Microsoft Intelligent Security Graph, which includes cyber threat intelligence collected from Microsoft’s products and services, to provide the most comprehensive and accurate detections.

  • Cloud App Security, Intune, Azure Information Protection, and Windows 10 Information Protection – And finally, the Microsoft Secure and Productive Enterprise Suite provides significant capabilities to classify and protect data and prevent its loss.  Among other capabilities, Microsoft Cloud App Security can identify and control the use of unsanctioned cloud applications.  This helps organizations prevent data loss, whether from an attack or rogue employee, via cloud-based applications.  Intune and Windows 10 Information Protection prevent corporate data from being intermingled with personal data or used by unsanctioned applications whether on a Windows 10 device or on iOS or Android based mobile devices.  And finally, Azure Information Protection provides organizations and their employees with the ability to classify and protect data using digital rights management technology.  Organizations can now implement and enforce a need-to-know strategy thereby significantly reducing the amount of unencrypted data available should an attacker gain access to their network.

Finally, Microsoft’s Enterprise Cybersecurity Group (ECG) also offers a range of both proactive and reactive services that leverage the capabilities of the Secure and Productive Enterprise suite in combination with the Intelligent Security Graph to help companies detect, respond to, and recover from attacks.

In the coming weeks, I will be following up with blogs and demos that go deeper into each of the above listed technologies and discuss how companies can most effectively integrate these solutions into their security strategies, operations, and existing technologies.  To learn more about Microsoft technologies, visit Microsoft Secure.

Categories: Cloud Computing, cybersecurity

Securing the new BYOD frontline: Mobile apps and data

With personal smartphones, tablets, and laptops becoming ubiquitous in the workplace, bring your own device (BYOD) strategies and security measures have evolved. The frontlines have shifted from the devices themselves to the apps and data residing on—or accessed through—them.

Mobile devices and cloud-based apps have undeniably transformed the way businesses operate. But they also introduce new security and compliance risks that must be understood and mitigated. When personal and corporate apps are intermingled on the same device, how can organizations remain compliant and protected while giving employees the best productivity experience? And when corporate information is dispersed among disparate, often unmanaged locations, how can organizations make sure sensitive data is always secured?

Traditional perimeter solutions have proved to be inadequate in keeping up with the stream of new apps available to users. And newer point solutions either require multiple vendors or are just too complex and time-consuming for IT teams to implement. Companies need a comprehensive, integrated method for protecting information—regardless of where it is stored, how it is accessed, or with whom it is shared.

Microsoft’s end-to-end information protection solutions can help reconcile the disparity between user productivity and enterprise compliance and protection. Our identity and access management solutions integrate with existing infrastructure systems to protect access to applications and resources across corporate data centers and in the cloud.

The following Microsoft solutions and technologies provide access control on several levels, offering ample coverage that can be up and running with the simple click of a button:

Identity and access management

Simplify user access with identity-based single sign-on (SSO). Azure Active Directory Premium (Azure AD) syncs with existing on-premises directories to simplify access to any application—even those in the cloud—with a secured, unified identity. No more juggling multiple combinations of user names and passwords. Users sign in only once using an authenticated corporate ID, then receive a token enabling access to resources as long as the token is valid. Azure AD comes pre-integrated with thousands of popular SaaS apps and works seamlessly with iOS, Android, Windows, and PC devices to deliver multi-platform access. Not only does unified identity with SSO simplify user access, it can also reduce the overhead costs associated with operating and maintaining multiple user accounts.

Secure and compliant mobile devices

Microsoft Intune manages and protects devices, corporate apps, and data on almost any personal or corporate-owned device. Through Intune mobile device management (MDM) capabilities, IT teams can create and define compliance policies to meet specific business requirements, deploy policies to users or devices, and monitor device and/or user compliance from a single administration console. Intune compliance policies deliver complete visibility into users’ device health, and enable IT to block or restrict access if the device becomes non-compliant. IT administrators also have the option to install device settings that perform remote actions, such as passcode reset, device lock, data encryption, or full wipe of a lost, stolen, or non-compliant device.

Conditional access

Microsoft Intune can also help reinforce access protection by verifying the health of users and devices prior to granting privileges with conditional access policies. Intune policies evaluate user and device health by assessing factors like IP range, the user’s group enrollment, and if the device is managed by Intune and compliant with policies set by administrators. During the policy verification process, Intune blocks the user’s access until the device is encrypted, a passcode is set, and the device is no longer jailbroken or rooted. Intune integrates with cloud services like Office 365 and Exchange to confirm device health and grant access based on health results.
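To make the decision logic above concrete, here is an added example of a conditional access evaluator; it is illustration code written for this page, not Intune’s own code or API. The policy rules, field names, CIDR ranges and the three sample requests are constructed, and the policy simply requires every listed condition (group membership, source address range, MDM enrollment and compliance, encryption, passcode, not jailbroken or rooted) to hold. The evaluator reports every unmet condition rather than stopping at the first, which is what lets a help desk tell the user everything they need to fix before access is granted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Device:
    managed: bool               # enrolled in mobile device management
    compliant: bool             # the MDM service reports the device meets its compliance policy
    encrypted: bool
    passcode_set: bool
    jailbroken_or_rooted: bool


@dataclass
class AccessRequest:
    user: str
    groups: List[str]
    source_ip: str
    device: Device


@dataclass
class Policy:
    required_group: str
    allowed_networks: List[str]   # CIDR ranges the policy accepts (constructed values)


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]            # every unmet condition, so the user can fix them all at once


def in_allowed_range(ip: str, networks: List[str]) -> bool:
    """True when the address parses and falls inside one of the policy's ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False              # an unparseable address never matches a trusted range
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def evaluate(req: AccessRequest, policy: Policy) -> Decision:
    """Apply the constructed conditional access policy and collect all failures."""
    d = req.device
    reasons: List[str] = []
    if policy.required_group not in req.groups:
        reasons.append(f"user is not a member of {policy.required_group}")
    if not in_allowed_range(req.source_ip, policy.allowed_networks):
        reasons.append(f"source address {req.source_ip} is outside the allowed ranges")
    if not d.managed:
        reasons.append("device is not enrolled in MDM")
    elif not d.compliant:
        reasons.append("device is enrolled but reported non-compliant")
    # Access stays blocked until the device is encrypted, has a passcode, and is not rooted.
    if not d.encrypted:
        reasons.append("device storage is not encrypted")
    if not d.passcode_set:
        reasons.append("no device passcode is set")
    if d.jailbroken_or_rooted:
        reasons.append("device is jailbroken or rooted")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample policy and requests for demonstration.
SAMPLE_POLICY = Policy(required_group="mobile-mail-users",
                       allowed_networks=["10.0.0.0/8", "203.0.113.0/24"])

SAMPLE_REQUESTS = {
    "healthy": AccessRequest("jdoe", ["mobile-mail-users"], "10.20.3.7",
                             Device(True, True, True, True, False)),
    "jailbroken_offnet": AccessRequest("asmith", ["mobile-mail-users"], "198.51.100.9",
                                       Device(True, True, True, True, True)),
    "unmanaged": AccessRequest("bnguyen", ["contractors"], "203.0.113.40",
                               Device(False, False, False, False, False)),
}


def run_samples() -> dict:
    """Evaluate every sample request against the sample policy, keyed by name."""
    return {name: evaluate(req, SAMPLE_POLICY) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        verdict = "ALLOW" if decision.allowed else "BLOCK"
        print(f"{name:18} {verdict}  {'; '.join(decision.reasons)}")
```

Running the block prints one line per sample request: the healthy, on-network, managed device is allowed; the jailbroken device connecting from outside the allowed ranges is blocked for two reasons; the unmanaged contractor device is blocked for four. The same structure extends naturally to extra signals such as OS version or sign-in risk, each as one more appended reason.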

Multi-factor authentication

Multi-factor authentication is a feature built into Azure Active Directory that provides an additional layer of authentication to help make sure only the right people have the right access to corporate applications. It prevents unauthorized access to on-premises and cloud apps with additional authentication required, and offers flexible enforcement based on user, device, or app to reduce compliance risks.

To learn more about BYOD security, download the free eBook, Protect Your Data: 7 Ways to Improve Your Security Posture.

Managing cloud security: Four key questions to evaluate your security position

As cloud computing and the Internet of Things (IoT) continue to transform the global economy, businesses recognize that securing enterprise data must be viewed as an ongoing process. Securing the ever-expanding volume, variety, and sources of data is not easy; however, with an adaptive mindset, you can achieve persistent and effective cloud security.

The first step is knowing the key risk areas in cloud computing and IoT processes and assessing whether and where your organization may be exposed to data leaks. File sharing solutions improve the way people collaborate but pose a serious point of vulnerability. Mobile workforces decentralize data storage and dissolve traditional business perimeters.

SaaS solutions turn authentication and user identification into an always-on and always-changing topic. Second, it’s worth developing the habit—if you haven’t already—of reviewing and adapting cloud security strategy as an ongoing capability. To that end, here are eight key questions to revisit regularly, four of which we dive deeper into below.

Is your security budget scaling appropriately?

Security teams routinely manage numerous security solutions on a daily basis and typically monitor thousands of security alerts. At the same time, they need to keep rapid response practices sharp and ready for deployment in case of a breach. Organizations must regularly verify that sufficient funds are allocated to cover day-to-day security operations as well as rapid, ad hoc responses if and when a breach is detected.

Do you have both visibility into and control of critical business data?

With potential revenue loss from a single breach in the tens of millions of dollars, preventing data leaks is a central pillar of cloud security strategy. Regularly review how, when, where, and by whom your business data is being accessed. Monitoring whether permissions are appropriate for a user’s role and responsibilities as well as for different types of data must be constant.

Are you monitoring shadow IT adequately?

Today, the average employee uses 17 cloud apps, and mobile users access company resources from a wide variety of locations and devices. Remote and mobile work coupled with the increasing variety of cloud-based solutions (often free) raises concerns that traditional on-premises security tools and policies may not provide the level of visibility and control you need. Check whether you can identify mobile device and cloud application users on your network, and monitor changes in usage behavior. To mitigate risks of an accidental data breach, teach current and onboarding employees your organization’s best practices for using ad hoc apps and access.

Is your remote access security policy keeping up?

Traditional remote access technologies build a direct channel between external users and your apps, and that makes it risky to publish internal apps to external users. Your organization needs a secure remote access strategy that will help you manage and protect corporate resources as cloud solutions, platforms, and infrastructures evolve. Consider using automated and adaptive policies to reduce time and resources needed to identify and validate risks.

Checklist

These are just a few questions to get you thinking about recursive, adaptive cloud security. Stay on top of your security game by visiting resources on Microsoft Secure.

Categories: Cloud Computing, IoT, SaaS, security

Introducing the Microsoft Secure blog

For the past ten years on this blog we have shared Microsoft’s point of view on security, privacy, reliability, and trust. It has become the place to go for in-depth articles on Microsoft products and services, as well as tips and recommendations for improving security in your organization.

Last November, Microsoft CEO Satya Nadella outlined our new approach to cybersecurity — one that leverages Microsoft’s unique perspective on threat intelligence, informed by trillions of signals from billions of sources. This new approach integrates security into the platform and incorporates solutions from our partners. We invest more than $1 billion in R&D each year to advance our capabilities in all of these areas. The umbrella term we give those investments is Microsoft Secure.

With this fresh perspective, we’ve heard great feedback from our customers—and they’ve asked us to share more. So now is a great time to refresh the blog – with a new look and feel, and a new name: the Microsoft Secure Blog.

We will continue to share information about Microsoft products and services, as well as our perspective on industry trends, from an expanded roster of experts and about an even broader range of topics that we know our readers are interested in.

Categories: Cloud Computing, cybersecurity

New Microsoft Azure Security Capabilities Now Available

In November, Microsoft CEO Satya Nadella outlined a new comprehensive, cross company approach to security for our mobile-first, cloud-first world. To support this approach, Microsoft invests more than a billion dollars in security research and development, every year. Today we are announcing the general availability of key security capabilities in the Microsoft Cloud, which are products of this research and development investment: Azure Security Center, Azure Active Directory Identity Protection, and Azure Active Directory Privileged Identity Management.

These investments strengthen our efforts in three important areas:

  1. To deliver a holistic security platform where our products and services work in concert with each other, and with our partners in the security ecosystem, to protect our customers.
  2. Microsoft’s unique insights into the threat landscape, informed by trillions of signals from billions of sources, create an intelligent security graph that we use to inform how we protect all endpoints, better detect attacks and accelerate our response.
  3. To ensure that when your organization leverages the Microsoft Cloud, it can improve your security posture, versus what you are doing to protect your on-premises IT environment alone.

Azure Security Center is generally available

We are announcing that Azure Security Center is generally available. Azure Security Center provides customers around the world with security management and monitoring capabilities for the millions of resources they run in Microsoft Azure, helping them keep pace with rapidly evolving threats in ways they likely could not achieve in their own datacenters.

Driven by Microsoft’s new approach to security, Azure Security Center is transforming how customers protect their cloud workloads. Powered by advanced analytics and a rich set of protection capabilities built into Azure, Security Center helps customers protect, detect, and respond to threats.

Since the preview launched in December 2015, Azure Security Center has helped protect over 100,000 Azure subscribers and hundreds of thousands of virtual machines – providing our customers with a unified view of the security state of all their cloud workloads, recommending ways to strengthen their security posture in accordance with their company policies, and using behavioral analysis and machine learning to detect threats.

In addition, Azure Security Center integrates with an ecosystem of partners like Barracuda.

“Microsoft is an important partner to Barracuda as we look to help customers improve security for their deployments in Azure. Azure Security Center is just one part of the compelling security agenda we have seen from Microsoft, and we believe the way it integrates Barracuda solutions will be a great benefit to our customers,” said Nicole Napiltonia, VP Strategic Alliances at Barracuda.

In addition to announcing general availability, Azure Security Center includes a number of new features today:

  • Integrated vulnerability assessment from partners like Qualys
  • Options for integrating Security Center recommendations and alerts with existing operations and security information event management (SIEM) solutions
  • Expanded support for Linux and Cloud Services VMs
  • New algorithms which detect lateral movement, internal reconnaissance, outgoing attacks, malicious scripts, and more
  • Alerts are now mapped against cyber kill chain patterns to provide customers with a single view of an attack campaign and all of the related alerts – so they can quickly understand what actions the attacker took and what resources were impacted
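The kill chain view described in this bullet, and the five attack stages laid out in the “Disrupting the kill chain” post above, can be illustrated with a small alert correlator. This is an added example written for this page, not Security Center’s code or its alert taxonomy: the detection names, the stage mapping, the log line format and the seven sample alerts are all constructed. It parses an alert feed, links alerts that share a host or an account into one campaign (union-find over the entities), orders each campaign in time, and reports the furthest kill chain stage reached together with the hosts and accounts involved, which is the single campaign view a responder wants.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# The five stages of the kill chain as the post lays them out.
KILL_CHAIN = [
    "External recon",
    "Compromised machine",
    "Internal recon and lateral movement",
    "Domain dominance",
    "Data consolidation and exfiltration",
]

# Detection name -> stage index. Names are constructed for this example;
# a real product's alert taxonomy would differ.
ALERT_STAGE: Dict[str, int] = {
    "phishing_attachment_detonated": 1,
    "backdoor_beacon": 1,
    "host_discovery_scan": 2,
    "credential_dumping": 2,
    "pass_the_hash": 2,
    "golden_ticket": 3,
    "dns_tunnel_volume": 4,
    "sftp_bulk_upload": 4,
}

# Constructed feed format: "<ISO timestamp> <detection> host=<name> account=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\S+)\s+host=(?P<host>\S+)\s+account=(?P<account>\S+)$")

# Constructed sample alerts, one per line.
SAMPLE_ALERTS = """\
2016-07-20T09:12:00Z phishing_attachment_detonated host=ws-0413 account=jdoe
2016-07-20T09:14:30Z backdoor_beacon host=ws-0413 account=jdoe
2016-07-20T11:05:00Z host_discovery_scan host=ws-0920 account=asmith
2016-07-20T13:40:00Z credential_dumping host=ws-0413 account=jdoe
2016-07-21T02:10:00Z pass_the_hash host=fs-02 account=jdoe
2016-07-21T03:30:00Z golden_ticket host=dc-01 account=jdoe
2016-07-21T04:55:00Z dns_tunnel_volume host=fs-02 account=svc_backup
"""


@dataclass
class Alert:
    ts: str
    kind: str
    host: str
    account: str
    stage: int  # index into KILL_CHAIN


def parse_alerts(text: str) -> List[Alert]:
    """Parse the feed; malformed lines and unmapped detections are skipped, not fatal."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] not in ALERT_STAGE:
            continue
        alerts.append(Alert(m["ts"], m["kind"], m["host"], m["account"], ALERT_STAGE[m["kind"]]))
    return alerts


class DisjointSet:
    """Union-find over entity keys, so alerts sharing a host or account join one campaign."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_campaigns(alerts: List[Alert]) -> List[List[Alert]]:
    """Group alerts into campaigns, each ordered by time, campaigns ordered by first sighting."""
    ds = DisjointSet()
    for a in alerts:
        ds.union("host:" + a.host, "account:" + a.account)
    groups: Dict[str, List[Alert]] = {}
    for a in alerts:
        groups.setdefault(ds.find("host:" + a.host), []).append(a)
    campaigns = [sorted(g, key=lambda x: x.ts) for g in groups.values()]
    return sorted(campaigns, key=lambda c: c[0].ts)


def summarize(campaign: List[Alert]) -> dict:
    """The single campaign view: stages reached, resources impacted, ordered timeline."""
    return {
        "first_seen": campaign[0].ts,
        "furthest_stage": KILL_CHAIN[max(a.stage for a in campaign)],
        "stages_seen": [KILL_CHAIN[i] for i in sorted({a.stage for a in campaign})],
        "hosts": sorted({a.host for a in campaign}),
        "accounts": sorted({a.account for a in campaign}),
        "timeline": [(a.ts, a.kind, KILL_CHAIN[a.stage]) for a in campaign],
    }


def analyze(text: str) -> List[dict]:
    return [summarize(c) for c in build_campaigns(parse_alerts(text))]


if __name__ == "__main__":
    for i, c in enumerate(analyze(SAMPLE_ALERTS)):
        print(f"campaign {i}: reached '{c['furthest_stage']}' on hosts {c['hosts']}")
        for ts, kind, stage in c["timeline"]:
            print(f"  {ts}  {kind:32}  {stage}")
```

On the sample feed the correlator produces two campaigns: the first ties ws-0413, fs-02 and dc-01 together through the jdoe account (and svc_backup through fs-02) and reaches the exfiltration stage, while the lone discovery scan on ws-0920 stays a separate campaign that stops at internal recon. Linking on shared entities is deliberately greedy; in a real deployment a time window on the union step keeps unrelated activity from collapsing into one campaign.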

You can get more details on new security capabilities for Azure customers from the blog post by Sarah Fender, Principal Program Manager, Azure Cybersecurity. The blog provides information on how to quickly get started with Azure Security Center to get better control and protection for your Azure resources.

Azure Active Directory Identity Protection

Another great example of a new Microsoft security investment is Azure Active Directory Identity Protection. Azure Active Directory security capabilities are built on Microsoft’s long experience protecting identities used to access Microsoft’s consumer and enterprise services, and gain tremendous accuracy by analyzing the signal from over 14 billion logins every day to help identify potentially compromised user accounts.

Azure Active Directory Identity Protection builds on these capabilities and detects suspicious activities for end users and privileged identities based on signals like brute force attacks, leaked credentials, logins from unfamiliar locations and infected devices. Based on these suspicious activities, a user risk severity is calculated and risk-based policies can be configured allowing the service to automatically protect the identities of your organization from future threats.

Azure Active Directory Identity Protection will become generally available later in the quarter. Enterprise customers should evaluate the preview of Azure Active Directory Identity Protection now, so that they are ready to use it when it becomes generally available.

Azure Active Directory Privileged Identity Management

Some of the threats that keep Chief Information Security Officers up at night include threats to privileged identities like administrator accounts. Some examples of these threats include:

  • Malicious or rogue administrators
  • Administrator credentials leaked via phishing attacks
  • Administrator credentials cached on compromised systems
  • User accounts that are granted temporary elevated privileges that become permanent

More and more organizations are realizing that they have to strictly manage privileged accounts and monitor their activities because of the risk associated with their misuse. With Azure AD Privileged Identity Management you can manage, control, and monitor access to resources in Azure AD as well as other Microsoft online services like Office 365 or Microsoft Intune.

Azure Active Directory Privileged Identity Management will become generally available later in the quarter. I encourage you to evaluate the preview that became available in May so that you are ready to adopt this great new cloud security capability when it is generally available next month.

More good news is that we’ve made it super easy and cost effective for enterprise customers to get Azure Active Directory Identity Protection and Azure AD Privileged Identity Management by including them in the new Microsoft Enterprise Mobility + Security (EMS) E5 suite. You can get all the details, including all the other mobility and security related products and services included in EMS that were just announced, here. If your security strategy reaches more broadly to include Office 365, Windows 10 Enterprise, and EMS, consider the recently announced offering called Secure Productive Enterprise.

These key cloud security capabilities are a big step forward, and will help our customers protect, detect and respond to threats in a mobile-first, cloud-first world. To learn more about our security strategy and investments, visit the Microsoft Secure website.

Michal Braverman-Blumenstyk
General Manager, Azure Security

Categories: Cloud Computing

Connecting the dots to get ahead of your next security challenge

It is turbulent times we live in. The same technology that provides unprecedented global connections and productivity also provides hackers unprecedented surface area to commit headline-earning crimes. That’s why Microsoft is investing over $1 billion annually in security capabilities and connecting dots across the critical endpoints of today’s cloud and mobile world to help you keep up with security challenges.

Join Ann Johnson and me on June 29th at 10:00 am PST for Top 5 security threats facing your business – and how to respond, where we will discuss our unique approach to security and how to benefit from the insight into the threat landscape that Microsoft derives from trillions of signals from billions of sources.

Change comes fast. It used to be that many organizations would lock down their networks and not even allow external web browsing from within their networks. Today, users need to be connected to people all over the world, using all kinds of social media tools, and other applications, most in the cloud. New devices are coming on the market that have the potential to boost productivity in ways we’ve never seen. To not allow these actions and tools would doom your organization to obscurity. But cybercriminals have become more sophisticated, too. How do you avoid a security breach while still allowing employees to stay ahead of the curve? We’ll cover this balance in our webinar.

Microsoft has taken an end to end look at these issues, and has solutions that cross products, technologies, and platforms.

On the front lines, your employees hold the key to your network’s security every time they log on or open an email. Windows 10, with Microsoft Passport and Windows Hello, and Azure Active Directory, which we will touch on in the webinar, help you go beyond passwords and put authentication in the tough-to-replicate physical world of the user’s machine and biometrics. And Office 365 can help identify and isolate malicious attachments and links in your users’ emails before they harm your network.

Devices too. Your company laptop used to be pretty bare-bones, right? Use it for work, and that’s it. You had your own toys to use for personal stuff, and as time wore on those devices became more and more indispensable to your daily life. People started to connect to email servers from their phones, and the lines started blurring from there. It can create a security nightmare for IT, especially since everyone has a different favorite platform. We created Microsoft Enterprise Mobility Suite to ensure secure interactions with your network no matter what the device or platform. We will also cover ensuring device security while enabling mobile work in our webinar.

And then there’s the cloud. So many questions about security, manageability, control. Well, your employees aren’t waiting for you to figure it out; 80% of employees report using cloud apps that aren’t approved by IT. With Microsoft Cloud App Security, you can discover all the cloud apps in use on your network, and decide which ones to allow or block.

Say yes to rolling with the changes. Boost your organization’s productivity and rest assured that your network is protected because we have connected the dots in today’s cloud and mobile world.

Don’t miss out! Register today and join us on June 29, 2016 at 10:00 PST, for Top 5 security threats facing your business – and how to respond.

Julia White
General Manager, Cloud + Enterprise

Categories: Cloud Computing, cybersecurity

Dream Team for Moving to the Cloud

June 9th, 2016

The U.S. men’s basketball team’s defeat, a third-place finish, at the 1988 Summer Olympics, games the U.S. should unquestionably have dominated, renewed calls to use professional athletes in the games. The following year it was agreed, and U.S. basketball asked the NBA to supply players for the upcoming 1992 games in Barcelona. The Dream Team was assembled. What followed was a phenomenon like no one had anticipated. Of course the team swept the games and earned Olympic gold. The games, and the game of basketball, have never been the same.

What if your organization’s move to the cloud could be just as game-changing? To make it so, you need to assemble your own Dream Team for making the move. Who’s your Michael Jordan or Magic Johnson? Larry Bird? Or your Charles Barkley at the table for moving to the cloud?

Getting a team of the right players together from the onset, to discuss and debate the move all at the same time, can dramatically accelerate the discussion and get your business to the cloud sooner. I have talked to many, many customers over the years about adopting cloud services. Very often these conversations would uncover security blockers that were preventing enterprise customers from adopting the cloud. What I discovered after so many great meetings is exactly who needs to be on the Dream Team:

  • Your chief information security officer (CISO) or highest ranking security role in the organization. This person is responsible for defining the security policy, and signing off on the cloud security plan.
  • The chief information officer is the center on the team. This role helps balance the business realities with all the things the CISO and vice president of infrastructure might be concerned about, as well as ensuring legal sign off.
  • Chief privacy officer, or highest ranking privacy role. This person is responsible for your organization’s privacy policy. Privacy and security are typically two top-of-mind topics when organizations initially evaluate moving to the cloud, as well as two of the main principles of Microsoft’s Trusted Cloud.
  • Your organization’s general counsel, or highest ranking attorney. Because, let’s face it, very little is going to happen if legal doesn’t approve it. Attorneys who ultimately approve an organization’s cloud service contracts need to understand the roles and shared responsibilities between cloud service providers and their organization in order to recognize the risks that matter to the organization.
  • If the IT infrastructure team is separate from any of the teams led by the aforementioned leaders, be sure to include their leader as well because they will likely be part of the deployment. If their questions aren’t addressed up front, early in the evaluation process, the organization might procure a cloud service, but deployment could face lengthy delays.
  • In regulated industries, the highest ranking compliance officer also needs to be included. Ensuring that your organization’s compliance obligations are met by the cloud service(s) you are planning to use typically isn’t optional. Bringing your compliance officer on your cloud evaluation journey will help accelerate the process.

Getting this team into a room together, likely more than once, gets key questions answered quickly. It will also help the evaluation process stay on course if one of the organization’s leaders should change roles or leave the organization.

Magic Johnson famously commented after the 1992 Olympics, “I look to my right, there’s Michael Jordan … I look to my left, there’s Charles Barkley or Larry Bird … I didn’t know who to throw the ball to!” Everyone on your Cloud Dream Team has a key stake in the move. Frankly, many at the table are wondering what the other thinks, so it is best to get it all out in the open. This will eliminate second-guessing and accelerate getting all the answers to key questions. The longer it takes to get the team using the same play book, the harder it will be to start winning.

One factor in conversations about trusting the cloud that often gets overlooked is innovation. Security, privacy and compliance are very important considerations when evaluating cloud services. But, for those organizations already using the cloud, the pace of innovation they see compared with their own datacenters is typically one of the biggest benefits they tell me about. Don’t underestimate the importance of innovation, around security for example, when evaluating cloud services. Check out the number of security-related offerings on Microsoft’s cloud platform road map at any given time and you might be pleasantly surprised. The younger, up-and-coming companies I have talked with aren’t encumbered by an on-premises IT legacy. If you are watching the up-and-comers in your industry and others, like Michael Jordan studied the game tapes of the competition in the 1992 Olympics, you’ll notice that they are not held back by an on-premises past. For them there is no question about the clear advantages of a mobile-first, cloud-first world. These young organizations are far ahead in this regard.

So who’s on your Dream Team? Start assembling them and preparing to take advantage of the benefits of the cloud. To learn more, visit our Trusted Cloud website.

Tim Rains
Director, Security

Categories: Cloud Computing

Microsoft publishes guide for secure and efficient integration of cloud services into government operations

June 1st, 2016

Estimates show that the global cloud computing market grew by 28 percent last year. Cloud is becoming an established technology for conducting and enabling business. Likewise, around the world, public sector cloud adoption is on the rise. The IDC predicts that public sector spending on cloud services will grow to $128 billion by 2018, more than doubling the amount spent in 2014. Governments are no longer determining if they’ll move to the cloud; they are focusing on when and how to integrate cloud services efficiently, effectively, and securely.

While cloud computing is undoubtedly a transformative technology, questions continue to arise about how to best embrace the power and agility of cloud services. Governments are working to determine what role they should play, how to best capitalize on cloud’s potential, and how to ensure that security and resilience requirements are met. Microsoft is committed to supporting governments on this journey and has developed Transforming Government: A cloud assurance program guide, which we are publishing today.

The guide has been designed to help governments as they develop and implement cloud assurance programs. Governments are no strangers to technology, and many have long-established information assurance and IT security programs. In fact, many established programs and practices can be re-used and adapted for a cloud environment. Governments also need to consider different aspects of the cloud experience, including efficiency, cost, and user experience, keeping in mind the all-important balance between security, performance, and innovation. Once there is alignment and a clear understanding of the intended outcomes, governments can begin to establish processes in support of them.

In three distinct phases, our cloud assurance program guide demonstrates the benefits that can be derived from adapting a holistic approach to IT risk management to this new technology revolution. In developing cloud assurance programs, governments may need to realign or create new authorities or processes to build trust between cloud service providers and government cloud users. From there, they should consider working in partnerships with cloud providers, the architects of cloud services, to evolve their risk management approaches in ways that are consistent with cloud operations.

A purposefully structured cloud assurance program—one with clearly outlined objectives tied to risk-based outcomes—can lay a foundation for government innovation. Cloud assurance programs are the portal to accessing a plethora of cloud services and apps with confidence in best-in-class security. However, unlike boxed-products programs (such as Common Criteria) in which certification can take years, the rate of cloud innovation means that cloud assurance programs must be calibrated to match the pace of technology upgrades while still meeting the established security bar.

A mature approach is marked by customer-defined security outcomes (what security objectives governments want to achieve) and CSP-determined security techniques (how to meet those outcomes). It reflects a progressive dialogue that requires collaboration across the cloud assurance stakeholder community. As governments work to continuously improve their cloud assurance programs to this desired end-state, this guide offers interim steps that governments can implement today.

Establishing a cloud assurance program is an investment – but one that pays significant dividends.

Categories: Cloud Computing

Hacking Team Breach: A Cyber Jurassic Park

Paleontology is the scientific study of the life of long-extinct animals. Paleontologists hypothesize about the behavior of the different species of dinosaurs, sometimes based on a few collected fossils and bones. We can only imagine how much more they would be able to learn if they had a chance to observe some living herds of dinosaurs.

Incident Response (IR) is the cyber equivalent of paleontology. In most cases, IR experts are called in long after the breach has occurred. They find themselves searching for tiny forensic cyber “bones” and then trying to glue them together in order to reconstruct the threat actor’s activities in the victim’s environment.

This is what is so unique about the recently published report on the Hacking Team breach, written by the threat actor itself. It is a rare, publicly available, firsthand account of the attacker’s side of a targeted attack. Therefore, this report should be analyzed thoroughly, as it offers an unparalleled learning opportunity for the security community.

Hacking Team Breach in a Nutshell

According to Hacking Team’s own website the company’s mission is to “provide effective, easy-to-use offensive [cyber] technology to the worldwide law enforcement and intelligence communities.”

On July 5, 2015, the Hacking Team’s Twitter account was compromised to publish an announcement of a data breach against Hacking Team’s computer systems. The initial message read, “Since we have nothing to hide, we’re publishing all our e-mails, files, and source code …” and provided links to over 400 gigabytes of data, including alleged internal e-mails, invoices, and source code.

The breach had a great negative impact on Hacking Team’s business, as it exposed highly confidential business information about Hacking Team’s relationships with its customers, along with financial data and sensitive intellectual property such as the zero-day vulnerabilities used by the company to infect its customers’ targets.

The Devil is in the details

The attackers’ report sheds light on their specific Tactics, Techniques and Procedures (TTPs):

  1. External network reconnaissance: The attacker discovered internet-facing network devices, including a vulnerable embedded network device.
  2. Internal network access: The attacker exploited a zero-day vulnerability in an embedded network device to update its firmware. The updated firmware included:
    1. A backdoor that enabled the attacker to access Hacking Team’s internal network without needing to re-use the zero-day vulnerability each time.
    2. Various hacking tools, allowing the attacker to further attack the internal network. Most notably, the inclusion of a SOCKS proxy allowed the attacker to launch internal network attacks from tools hosted on a computer on the internet.
  3. Internal network reconnaissance: Using the Nmap scanner (one of the tools in the updated firmware), the attacker found a network-attached storage (NAS) server that allowed unauthenticated access to its contents.
  4. Compromised credentials: Through the SOCKS proxy, the attacker was able to remotely mount the disk image of the Exchange email server that was backed up on the NAS server. From the safety of an external machine, the attacker analyzed the disk with forensic tools and discovered the password of a domain user who was a local administrator on the Exchange server.
  5. Domain admin credentials compromised: With the compromised local administrator credentials, the attacker was able to log on to the Exchange server and download all emails. Using the Mimikatz tool, the attacker was able to extract additional credentials from the Exchange server’s memory, including the domain admin credentials (depicted below).
    Figure 1: Compromised credentials found on the Exchange server
  6. Domain dominance: Using the domain admin credentials, the attacker was able to extract additional keys from the Active Directory (AD) server, including the powerful KRBTGT key, to gain persistence over the victim’s domain. Additionally, the attacker abused the Group Policy central configuration mechanism, served from the AD server, in order to weaken a specific computer’s firewall configuration.
  7. Lateral movement: With the omnipotent domain admin credentials, the attacker was able to remotely (via the SOCKS proxy) copy all machines’ hard disks.
    However, Hacking Team’s source code resided on a segregated network. Therefore, the attacker needed to move to the computer of the network admin who had access to it. Using the WMI protocol (after disabling restrictive personal firewall settings with a rogue Group Policy update), the attacker gained access to that computer and obtained access to the source code.
  8. Exfiltration: The attacker sent the data out over the internet, as the network admin’s machine was directly connected to the internet.
    Figure 2: Attackers posted screenshots on Hacking Team’s hijacked Twitter account, depicting the network admin’s desktop during exfiltration

Key Take-Aways

  • Assume breach: Once more we are reminded that defenders need to develop an “assume breach” mentality. Perimeter defenses will always fail against a dedicated attacker: every embedded device, server, application, endpoint or user is an attack surface. Eventually one of them will have a vulnerability or be misconfigured.
    Therefore, companies must rebalance their security portfolio to put emphasis on their internal network defense.
  • The attackers’ modus operandi is to use compromised credentials: The attackers used compromised credentials to gain network persistence and to move laterally within the network from the initial infection point to their destination. Therefore, the defensive side needs to focus on protecting the identity of its users and other accounts (computers, services, etc.). Such protection can be applied by detecting anomalous usage of accounts and applying Multi-Factor Authentication (MFA).
  • The attackers’ modus operandi is NOT to use malware: Throughout their report, the attackers emphasize that they refrain from leaving marks on disk. To do so, they:
    • Operate from the memory of rarely rebooted servers to achieve diskless persistence.
    • Install the exploit on an embedded network device that cannot be scanned by traditional anti-malware solutions.
    • Use proxies inside the network so that their tools can stay on internet-hosted machines, away from the reach of anti-malware solutions, and tunnel their attack through the network.
  • Protecting the Identity Management (IDM) system is pivotal: By using compromised domain administrator credentials, the attackers accessed the victim’s IDM system, Active Directory, to obtain additional keys, including the powerful KRBTGT key, to gain persistence over the victim’s domain. With the same compromised credentials, the attackers abused the Group Policy central configuration mechanism, served from the AD server, in order to weaken a specific computer’s configuration. Therefore, the defensive side must not only maintain Active Directory hygiene through regular patching and hardening, but also consider monitoring it. This is prudent guidance for any identity management system, not limited to Active Directory.
  • Cloud migration: Some of the attack avenues exploited by the attacker could have been blocked with proper configuration and patching. However, migrating to a properly managed cloud-based service (SaaS) can relieve IT of such chores, reduce the organization’s attack surface and thus improve its security posture. Accessing the backups and the server infrastructure would have been much more difficult, which would have helped prevent this breach.
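The two takeaways about compromised credentials and about monitoring the identity system can be turned into simple detection logic. The following is an added example written for this post, not code from the original article or from Microsoft: it parses a constructed sample of network-logon records (the log format, account names, host names and the baseline of normal account-to-host pairs are all hypothetical) and raises alerts when an account reaches a host it has no history with, or when a privileged account fans out to many hosts within a short window, the pattern a stolen domain admin credential shows when it is used to reach one machine after another.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline of (account, target host) pairs considered normal for
# this environment; a defender would derive it from weeks of historical logon
# data. All account and host names are hypothetical.
BASELINE = {
    ("CORP\\svc-exch", "EXCH01"),
    ("CORP\\jdoe", "WS-JDOE"),
    ("CORP\\da-ops", "DC01"),
}

# Accounts whose use on many hosts in a short time deserves extra scrutiny
# (a hypothetical domain admin account in this constructed example).
PRIVILEGED_ACCOUNTS = {"CORP\\da-ops"}

# Constructed sample of network-logon records in a key=value line format, as a
# log forwarder might emit them. Not real Hacking Team data.
SAMPLE_LOG = """\
2015-06-01T02:14:05 account=CORP\\svc-exch src=10.0.5.22 dst=EXCH01
2015-06-01T02:15:10 account=CORP\\jdoe src=10.0.9.14 dst=WS-JDOE
2015-06-01T02:20:00 account=CORP\\da-ops src=10.0.7.3 dst=EXCH01
2015-06-01T02:22:30 account=CORP\\da-ops src=10.0.7.3 dst=FS01
2015-06-01T02:25:45 account=CORP\\da-ops src=10.0.7.3 dst=WS-NETADMIN
2015-06-01T02:27:00 account=CORP\\da-ops src=10.0.7.3 dst=DC01
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "account": kv["account"],
        "src": kv["src"],
        "dst": kv["dst"],
    }


def detect_anomalous_logons(lines, baseline=BASELINE,
                            privileged=PRIVILEGED_ACCOUNTS,
                            max_hosts=3, window=timedelta(minutes=15)):
    """Return a list of alert tuples (kind, account, detail, timestamp).

    Two checks are applied to every record:
      * new_target: the account reached a host it has no baseline entry for.
      * privileged_fan_out: a privileged account reached at least `max_hosts`
        distinct hosts within `window` (reported once per account).
    """
    alerts = []
    recent = defaultdict(deque)   # account -> deque of (ts, dst) in window
    fan_out_flagged = set()       # accounts already alerted on fan-out
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        acct, dst, ts = ev["account"], ev["dst"], ev["ts"]

        if (acct, dst) not in baseline:
            alerts.append(("new_target", acct, dst, ts.isoformat()))

        q = recent[acct]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop records that fell out of the window
        distinct_hosts = {d for _, d in q}
        if (acct in privileged and len(distinct_hosts) >= max_hosts
                and acct not in fan_out_flagged):
            fan_out_flagged.add(acct)
            alerts.append(("privileged_fan_out", acct,
                           ",".join(sorted(distinct_hosts)), ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalous_logons(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, the service and user accounts stay inside their baseline and produce nothing, while the domain admin account produces three new_target alerts followed by one privileged_fan_out alert once it has touched three distinct hosts within the window. In a real deployment the baseline would come from the identity system's own logon history, the window and host threshold would be tuned per account tier, and the same per-account, per-window structure extends naturally to Group Policy modification events, which the post singles out as worth monitoring.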
Categories: Cloud Computing, cybersecurity

Estonia leading the way in driving digital continuity for government services

May 24th, 2016

We are at the threshold of unprecedented value creation for industry and society, driven by the accelerating pace of change enabled through digital technology. Whether it is about bringing together patient records so they can be shared quickly for better patient outcomes, or reimagining connectivity and predictive maintenance for cars to meet the expectations of road safety, digital transformation is changing how we work and live.

Called the Fourth Industrial Revolution, this significant disruption of traditional industries is fueled by speed, the falling cost of technology and how quickly companies are growing. There is broad agreement that the economic opportunity from digital transformation could be as high as $100 trillion across all industries over the next decade. But this impact is broader than economics alone. For instance, governments must also consider the unique role they play in communities – literally holding the keys to the city, powering the grids, administering the most critical public systems. And it’s not just about implementing this or that technology to improve services, but building digital resilience to minimize interruption. Estonia is a great example of a government reinventing its systems. Microsoft is a proud partner.

Long considered a member of the Public Sector “Digital Masters,” Estonia continuously demonstrates a transformative vision. From embracing incubation and innovation, to trying out new ideas in a thoughtful, bold and measured way, stuff happens first in Estonia.

After exploring the broad concept of a digital “data embassy” (the focus of a joint Phase I research project), Estonia and Microsoft were interested in advancing strategic Information and Communications Technology (ICT) principles around “digital continuity.” In the face of natural or man-made interference, could cloud capabilities enhance digital resilience of government services? The Estonian Chief Information Officer and Microsoft set the course to find out.

In the process of this joint research project, we chose to evaluate the technical and policy aspects of “failing over” a critical government service in Microsoft Azure in the event of a disruption – part of a core element of meeting the needs of an advanced digital society and innovative government. Microsoft and the Estonian Ministry of Economic Affairs and Communications assessed the Estonia Land Register, the official digital record of land ownership in Estonia. Could the records be migrated to, and hosted on, the Microsoft Azure cloud computing platform? What technical and policy questions needed to be considered? Today, we published a video and our Proof of Concept findings in a Summary Report.

The Summary Report concludes with six recommendations for any government considering cloud computing. We continue to evaluate some of the harder questions about the operational requirements needed to support effective migration to the public cloud and about how to build trust in it.

Microsoft is delighted to participate in, learn from, and co-lead research projects such as this one, with the Estonia CIO and team. Public-private partnerships can advance digital transformation for governments, in turn, helping them better serve their citizens, empower their employees, optimize operations and transform their societies.

Categories: Cloud Computing, cybersecurity

Microsoft Trust Center adds new cloud services and certifications

The Microsoft Trust Center is expanding, and today we’re adding more of our enterprise cloud services—Microsoft Commercial Support, Microsoft Dynamics AX, and Microsoft Power BI. These services join Microsoft Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and Microsoft Office 365 into the Trust Center.

Additionally, we are adding two new compliance attestations, ENS in Spain and FACT in the UK. These two new certifications, added to those announced in March—CS Mark in Japan and MPAA— bring our total to 37—the most comprehensive of any major cloud service provider in the world.

We launched the Trust Center in November 2015 to create a central point of reference for cloud trust resources and to detail our commitments to security, privacy and control, compliance, and transparency. It is here that we document our adherence to international and regional compliance certifications and attestations, and lay out the policies and processes that Microsoft uses to protect your privacy and your data. Here, too, you’ll find descriptions of the security features and functionality in our services as well as the policies that govern the location and transfer of the data you entrust to us.

The new Microsoft compliance certifications and attestations include:

  • ENS. The Esquema Nacional de Seguridad (National Security Framework) in Spain provides ICT security guidance to public administrations and service providers. Microsoft was the first cloud service provider to receive the ENS certification—for Azure and Office 365.
  • FACT. The Federation Against Copyright Theft in the UK developed a certification scheme based on ISO 27001 that focuses on physical and digital security to protect against the theft of intellectual property. Azure was the first multitenant public cloud to achieve FACT certification.
  • MPAA. Azure was the first hyperscale cloud provider to comply with the Motion Picture Association of America guidance and control framework for the security of digital film assets.
  • CS Mark. The Cloud Security Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS Gold Mark for all three service classifications: Azure for IaaS and PaaS, and Office 365 for SaaS.

The Trust Center website reflects the principles that underpin our products and services:

  • Security. Get an overview of how security is built into the Microsoft Cloud from the ground up, with protection at the physical, network, host, application, and data layers so that our online services are resilient to attack.
  • Privacy and control. Get visibility into our datacenter locations worldwide, data access policies, and data retention policies, backed with strong contractual commitments in the Microsoft Online Services Terms.
  • Compliance. Here you’ll find comprehensive information on Microsoft Cloud certifications and attestations such as EU Model Clauses, FedRAMP, HIPAA, ISO/IEC 27001 and 27018, PCI-DSS, and SOC 1 and SOC 2. Each compliance page provides background on the certification, a list of compliant services, and detailed information such as implementation guides and best practices.
  • Transparency. The Microsoft Cloud is built on the premise that for you to control your customer data in the cloud, you need to understand as much as possible about how that data is handled. You’ll find a summary of the policies and procedures here.

Visit the Microsoft Trust Center.

Categories: Cloud Computing

Microsoft Trusted Cloud Security Summit

April 13th, 2016

Earlier this month, Microsoft hosted its third Trusted Cloud Security Summit in Washington DC. The event brought together a wide range of security stakeholders from the different Microsoft cloud offerings and over 100 federal department and agency participants, particularly those looking to adopt the FedRAMP High baseline, such as the Department of Homeland Security, the Federal Bureau of Investigation, the Department of Justice, the State Department, the Treasury and the Food and Drug Administration, amongst others. The interest in the event reflected the broader US government prioritization of cybersecurity, which was underlined by the announcement made by President Obama in February introducing the new Cybersecurity National Action Plan.

Ensuring the security of government agencies using cloud technologies follows a similar vein and has been central to the government since the introduction of the Cloud First policy in 2011. The Federal Risk and Authorization Management Program, better known as FedRAMP, was developed shortly thereafter and has for a number of years served as a process which provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud services. The original process supported migration of low and moderate impact workloads to the cloud and has helped many government agencies make that critical move. However, that has not been the case for some of the more critical services.

The FedRAMP High baseline aims to provide a higher categorization level for confidentiality, integrity and availability of cloud services; i.e. for those considered critical to government operations. While the High baseline addresses only 20% of government information and systems, it comprises over 50% of federal IT spend, reflecting a significant cost savings potential when migrating these workloads to the cloud. The pilot we participated in represented the last step in a year-long effort to develop the High baseline. The draft baseline has already been through two rounds of public comment and review from a Tiger Team from across multiple federal agencies.

Since FedRAMP was established, Microsoft has worked closely with the FedRAMP program management office to ensure our Federal cloud solutions meet or exceed public sector security, privacy and compliance standards. Our March Summit established that this has not changed: it confirmed Microsoft as one of only three cloud service providers included in the FedRAMP High Baseline pilot, and as on track to achieve the appropriate level. Building on the FedRAMP authorization, Azure Government is also on track to achieve the DISA Level 4 authorization shortly, covering unclassified data that requires protection against unauthorized disclosure or other mission-critical data (i.e. controlled unclassified data).

The event itself examined the development process of the FedRAMP High Baseline, as well as its impact on federal cloud adoption. Matt Goodrich, Director for FedRAMP in GSA’s Office of Citizen Services and Innovative Technologies (OCSIT), talked about how the revision of the process will benefit both providers and the government, for example by limiting the certification time and providing more transparency, predictability and risk focus upfront through a focus on core capabilities instead of an exclusively controls-centric approach.

The Summit also served to examine some of Microsoft’s security capabilities that address other federal government cloud security priorities, including DOD’s FedRAMP+ and DHS’s Trusted Internet Connections programs. While both initiatives leverage the original FedRAMP process, they add unique requirements for providers to demonstrate additional levels of assurance and operational visibility, capabilities that Microsoft’s cloud offerings can meet today.

For more on the security announcement made by Azure on the day, take a look at Matt Rathbun’s (Cloud Security Director, Azure) blog here.

Categories: Cloud Computing

What’s The Art of War got to do with cybercrime? Quite a bit, actually.

Sun Tzu wrote that mastery in the art of war is about subduing one’s enemy without having to fight. As the modern world contends with increasingly sophisticated cyberattacks from both criminal and political adversaries, this 2500-year-old cliché is key to enterprise security strategy.

Today, the “bad guys” of the Internet are both professional in their business tactics and entrepreneurial in how they leverage opportunity. They’re well-organized and use a mature supply chain. They’re operating cloud-based services offering bots, exploit kits, and more. Cybercrime as a Service (CaaS) shares many of the features of legitimate enterprises, and cyber warfare has become as much about business as it is about malfeasance.

The variety and frequency of attacks can make defending against cybercrime feel like a Sisyphean effort, but understanding the motivations and socio-economic model of modern cybercrime provides practical insight to protect, detect, and respond to likely attacks.

Know the adversary

There are many sorts of criminals who use the Internet for chaos and profit. The lone “haxx0r” trying his “leet skillz” against the establishment is still a relevant trope, but most of today’s cybercriminals operate in increasingly sophisticated teams.

  • Non-professional hackers. Non-professional hackers tend to use cobbled-together kits and communicate in open forums. Success is often due to luck as much as skill, but it only takes one breach to cause hundreds of millions of dollars in damage to a vulnerable enterprise.
  • Black hat hackers. These are the industrial-grade hackers who combine business expertise with technical prowess to create and use CaaS services. Their customers are other black hats, non-professionals, state-sponsored groups, and some rogue ones. Black hat hackers underpin a multibillion-dollar Dark Web economy that crosses borders and trades in compromised and stolen data.

Motives of malicious hackers can range from theft for barter and profit to professional fame or even a vendetta. Understanding these motives is to your advantage. If you can increase the level of effort required to breach your network and reduce or eliminate the attacker’s potential ROI, then you decrease interest in your system as a target for cybercrime.

Survey the battlefront

The Dark Web is both marketplace and delivery system for cybercrime activities, though to be clear, not everyone using the Dark Web is engaged in commercial/criminal hacking. The appeal of not being tracked lures many to anonymity networks (such as Tor) where activities include peer-to-peer file sharing, black market trafficking, political organizing, and so on. Anonymity and untraceability make the Dark Web the environment of choice to run botnets and buy and sell CaaS services.

Black hat hacking methods might vary based on a region or culture, but globalization is as much a factor in production, labor, and monetization patterns of CaaS as it is for legitimate multinational enterprises.

Recon enemy tactics

From exploit kits to ransomware, the products and services of CaaS are numerous and evolving. Cybercriminals use attack methods that are elusive by default and designed to exploit their target’s specific vulnerabilities. For a deep dive on black hat methodology, read “Understanding Cybercrime,” a Microsoft white paper. Here are some common CaaS services:

  • Exploit kits. Black hats buy and sell kits that target software vulnerabilities to infect PCs and devices with malware.
  • Anti-AV. These are services that allow cybercriminals to distribute malware without fear of being detected by commercial anti-virus products.
  • Breaching services. Black hats buy and sell tools and hacking services for breaching websites and company systems.
  • Compromised account data. Black hats can sell any of the assets they steal, or trade stolen data among second- and third-party cybercrime entities.

Craft a defensive strategy

Another warfare truism is that the attacker only needs to succeed once, while the defender must succeed every time. Therefore, the goal in cybersecurity is not about being able to fight attacks from all comers; instead, it’s about making your enterprise so difficult or costly to attack that cybercriminals prefer to look elsewhere.

  • Examine your company’s business model and infrastructure from an adversary’s point of view. What do you have that might appear valuable to an attacker? Profile the type of person or organization who might have the motive, means, and opportunity to attack your interests.
  • Think through what would happen in the event of a data breach. An “assume breach” strategy emphasizes breach detection, incident response, and effective recovery. “Wargame” potential scenarios to fine-tune your defenses, so you’re able to respond quickly to threats and minimize impact.
  • Remember that people are both your greatest asset and your biggest potential liability. Social engineering (i.e., exploiting human nature) is one common way that black hats attack businesses and individuals. Identify points of vulnerability in regular human processes, such as when people switch between work and personal activities on devices. Train your teams to be smart and empowered defenders.

By the way, you might want to check out a test that Microsoft developed to help assess your defensive stack against attacks in the wild. Find out where your company’s gaps are and where you’re overdefended.

Last but not least, cultivate alliances

Business leaders sometimes worry that moving business processes to the cloud will increase vulnerability to cybercrime threats, but the reverse is actually true. At the risk of stretching the military strategy analogy, businesses defending themselves against cybercrime are more effective when they share intelligence, work together to contain enemy resources, and coordinate countermeasures.

CISOs must consider pros and cons when it comes to outsourcing data defense strategy, but walling in the enterprise is seldom a viable solution. (Military history is full of examples showing how well walls work. Which is not very.) Stay on top of threat intelligence through information security groups such as the Information Sharing and Analysis Center (ISAC) specific to your industry.

And it’s good to have help. At Microsoft, our Trusted Cloud commitment to enterprise customers is founded in 30+ years of studying malicious hacking and developing technology to defend against it. We have end-to-end expertise deploying on-premises and cloud-based networking solutions, infrastructure, and formal processes.

The Microsoft Digital Crimes Unit (DCU), in partnership with international law enforcement and global cybersecurity experts, works to discern patterns across the cloud, across industries, and across borders for comprehensive threat modeling, which enables us to develop predictions about cybercriminal behavior. In addition to disrupting cybercrime, the DCU focuses on child protection and preserving intellectual property rights. Read how the Microsoft DCU fights cybercrime in “Digital Detectives.”

To paraphrase The Art of War, success in battle comes from knowing the enemy’s motivations, means, and methods as well as you know your own.

Categories: Cloud Computing, cybersecurity Tags:

Microsoft Cloud App Security is generally available

Today, we are announcing that Microsoft Cloud App Security is now generally available as the latest addition to the secure platform we are building at Microsoft.

Cloud App Security, based on our Adallom acquisition, is a comprehensive cloud-delivered service built for IT and security teams to help combat one of the top security concerns today: “How can we gain deeper visibility, stronger controls and enhanced protection for cloud apps?”

The solution provides a set of capabilities to help companies design and enforce a process for securing cloud usage, from discovery and investigation capabilities to granular control and protection. It is easy to deploy, set up and use, provides out-of-the-box value immediately, and includes rich tutorials for unlocking advanced capabilities.

Why do you need Cloud App Security?

Cloud applications are in use by most enterprises today, and we will soon reach the time when more corporate data is stored in the cloud than on-premises. Moreover, everyone is using the cloud, and even companies without officially sanctioned SaaS apps have substantial Shadow IT usage of cloud services. We know from past customer surveys that over 80% of employees admitted to using unapproved SaaS apps for corporate purposes.

Let me share some brand new data from Microsoft Cloud App Security that will help put the scope of the Shadow IT challenge that many organizations face into perspective:

  • On average, each employee uses 17 cloud apps, but many organizations don’t know what is in use, or whether these apps meet security, privacy and compliance requirements
  • In 91% of organizations, employees grant their personal accounts access to the organization’s cloud storage
  • 70% of the organizations allow cloud admin activity from non-corporate, unsecured networks
  • 75% of privileged cloud accounts are not in use. These accounts might be eating up the cost of a license, or worse, increasing the attack surface of the organization
  • On average, an organization shares 13% of its files externally, of which 25% are shared publicly

For security teams, it is important to have deep visibility, strong controls and threat protection for cloud apps. That is why we created Cloud App Security: to provide you with an easy and comprehensive solution so you can gain visibility into your cloud app usage and start controlling it via policy.

Why Microsoft?

As the need for visibility and control over cloud apps has increased, the market for cloud app security, the Cloud Access Security Broker (CASB) market, has been one of the most active markets in the security space. Over several years, multiple companies have tried to provide an answer to this growing customer need; however, a comprehensive solution has yet to emerge. Today, customers often use only basic discovery capabilities without really leveraging cloud control capabilities. The crux of the matter is that cloud security is a paradigm shift from classic network-based security to something new, and the market is waiting for a solution that can address the different security issues across identity, device, data and application.

What do you get with Cloud App Security?

  • App Discovery: Cloud App Security identifies all cloud applications in your network—from all devices—and provides risk scoring and ongoing risk assessment and analytics
  • Data Control: With special focus on sanctioned apps, you can set granular controls and policies for data sharing and loss prevention (DLP) leveraging API-based integration. You can use either out-of-the box policies or build and customize your own
  • Threat Protection: Cloud App Security provides threat protection for your cloud applications leveraging user behavioral analytics and anomaly detection

How does the product work?

So let’s get into the details. The product we are announcing today has two main components: discovery of cloud usage in the company using log-based traffic analysis, and granular control for sanctioned apps leveraging API-based integration. Both can be deployed and configured within minutes, so easily that we can do it together in this blog:

Step 1: Upload network logs for analysis

As a first step, you grab network logs from any egress network device (see supported list here) and upload a sample log for immediate visibility. You can also configure an automatic collector at a later stage.

Step 2: Connect your sanctioned apps

Connecting an app is an easy one-click process. Simply click the “Connect an app” button and follow the relevant link (see list of supported apps for API integration here). Once you approve access, an OAuth token is created and Cloud App Security starts scanning the cloud app for users, data and activities.

That’s it! In two simple steps, Cloud App Security is connected and working. You can start handling out-of-the-box alerts or experiment with data control policies (more on this on upcoming blogs).

Without further ado, you are all invited to check it out! Visit our product page at www.cloudappsecurity.com and request a trial. We have detailed technical documentation to help you through the journey!

And of course, we would love to hear any suggestions or feedback you have.

Best Regards,

The Cloud App Security team

Categories: Cloud Computing Tags:

IoT webinar covers security tips for expanding interconnections

Cloud computing. Big data. The Internet of Things (IoT). Today, the continuous connection of smart products is unmatched at improving customer connections and providing opportunities for businesses to differentiate their products and services. You can listen to social buzz, see how people are using products and services in real time, and enhance your customers’ experiences with rolling feature updates.

At the same time, the always-on interconnectedness opens up attractive attack vectors for cybercrime and zombie bots. Securing your network and protecting your customers in the IoT landscape presents new complexities, but the good news is that comprehensive and effective defense is not only possible, it’s actually not that hard to acquire. All you need is a new mindset.

We’ll cover that new mindset, along with practical security tips you can use right away, in our upcoming webinar: Are my robots going to attack me? Tips for a secure IoT strategy. Don’t miss it!

Reserve your webinar seat now.

Helping you stay ahead of threats is one of the ways Microsoft puts our Trusted Cloud principles to work for our customers. Because trust in technology is critical, particularly where zombie robots are concerned.

Visit the Trusted Cloud

Categories: Cloud Computing Tags:

Cloud Security Alliance Summit 2016: I Survived the Shark Tank

March 21st, 2016

A few weeks back I had the opportunity to speak at the Cloud Security Alliance Summit 2016 held in San Francisco, California. Microsoft was a Platinum sponsor of the event. I participated in a panel discussion on cloud security that focused on lessons learned from a cloud services provider’s point of view. Google, Dropbox, and Rackspace also participated on the panel.

The panel was moderated by Robert Herjavec, CEO of the Herjavec Group and star of ABC’s Shark Tank. Robert was a gracious and fun moderator to work with and I managed to survive the panel without a shark bite!

Also from Microsoft, Bruce Cowper delivered a keynote titled “Trusted Cloud” in which Bruce discussed the gap between how much people trust their on-premises infrastructure and the enterprise cloud services they consume, and examined reasons for the difference.

Tim Rains
Director, Security
Microsoft

Categories: Cloud Computing Tags:

The Trusted Cloud: what do privacy and control really mean?

Data is today’s currency. Cloud computing and the Internet of Things are driving a business transformation that measures value in billions of petabytes. The cloud is a powerful game-changer for businesses all over the world, but with that power comes great responsibility. Managing the volume, variety, and disparate sources of data generated through mobile devices and other activities is a global challenge for enterprise.

Unsurprisingly, businesses have many questions about how customer and enterprise data is managed, used, and protected in the cloud. According to a recent Intralinks survey of over 300 IT decision makers, less than half of companies surveyed “monitor user activities and provide alerts to data policy violations,” while only 53 percent “classify information to align with access controls.” And here’s the kicker: a little under half of the surveyed companies have no policies or controls in place to govern access.

Data privacy and access control must be taken together because it’s impossible to meaningfully achieve the one without robustly addressing the other. An organization may set up its cloud with the world’s best security to keep data private, but then fail to use access control policies effectively to prevent data leaks or unauthorized access. From both a technological and a privacy perspective, CIOs and IT leaders must pay attention to how, when, where, and by whom their company’s petabytes may be legitimately accessed. Moreover, they need to manage access control to ensure compliance from legal, risk management, and regulatory standpoints.

The issue has become more urgent since the invalidation of the EU–US Safe Harbor Framework impelled nations as well as businesses and individual citizens to examine the meaning of privacy in data residency regulations around the globe. How government surveillance and law enforcement relate to the access control policies governing private data is a current, evolving concern for enterprise.

This is why we’ve put all of our engineering expertise as well as our industry leadership into the privacy and control commitment that underpins the Microsoft cloud. When you entrust your data to our cloud services, you retain control of the data as well as access to it. Learn how to use access control policies and get technical resources in the Microsoft Trust Center.


What privacy and control mean in the Trusted Cloud

Our Trusted Cloud principles drive our commitment to use customers’ data responsibly, be transparent about our privacy practices, and offer meaningful privacy and control choices to our customers.

You own your data, not us. When you use a Microsoft cloud service, you keep the ability to take your data with you when you terminate an agreement. When a subscription expires or you terminate your contract, Microsoft follows a 90-day retention policy and strict standards for overwriting storage before reuse.

Your data is not used for marketing. Our enterprise business model is not based on exploiting customer data. We do not use your data for purposes such as advertising that are unrelated to providing the cloud service.

We don’t use standing access. We’ve engineered our cloud services so that the majority of operations are fully automated. Only a small set of activities require human involvement; access to your data by Microsoft personnel is granted only when necessary for support or operations, then revoked when no longer needed.

You can choose your datacenter location. Depending on which Microsoft cloud services you have, you may have flexibility in choosing where your data physically resides. Your data may be replicated for redundancy within the geographic area, but not transmitted outside it.

We protect data from government surveillance. Over several years, we’ve expanded encryption across all our services and reinforced legal protections for customer data. And we’ve enhanced transparency so that you can be assured that Microsoft does not build “back doors” into our products and services, nor do we provide any government with direct or unfettered access to customer data.

Law enforcement requests must go through you. Microsoft will not disclose your data to a third party except as you direct or as required by law. We’ll attempt to redirect third parties to request customer data directly from the data owner.

Categories: Cloud Computing Tags:

Headed to RSA? Here’s your event guide for trust in cloud services

February 16th, 2016

RSA Conference 2016 is fast approaching. The conference agenda is packed to cover the rapidly evolving issues in information security, with trust in cloud computing at the forefront. We’ll be there to lead industry discussions about trust in keynotes, deep-dive sessions and the expo hall.

Since planning your itinerary is a must to get the most out of RSA, here’s a preview of where and when Microsoft Security and Trusted Cloud activities are happening.

Preconference at the CSA Summit

Monday, Feb. 29, 2 p.m.

Leap Day, leap event — if you’re attending the ancillary Cloud Security Alliance (CSA) Summit, check out Microsoft GM Doug Hauger’s Trusted Cloud keynote. He’ll share the results of a recent survey on the “trust gap” between on-premises and cloud services, and examine the factors that security leaders weigh when deciding whether to trust a cloud service.

Brad Smith’s keynote

Tuesday, March 1, 8:50 a.m.

Trust in the Cloud in Tumultuous Times

We are living in extraordinary times. While the evolution of cloud computing has transformed the way we work, recent geopolitical events have precipitated debates on the roles that governments and industry should play in defending and securing society, and the appropriate balance between security, privacy and the freedom of expression. Join Microsoft President and Chief Legal Officer Brad Smith as he puts modern events into context and discusses a path forward.

Trusted Cloud in North Expo, booth 3505

Come chat with the Trusted Cloud team at the Microsoft booth in the North Expo. We’ll be there throughout the conference to discuss trust in cloud computing and answer your questions about security, privacy, compliance and transparency.

Microsoft and Trusted Cloud sessions at RSA 2016

Monday, Feb. 29

TCG: Securing the IoT With Trusted Computing 8:30 a.m.–12:30 p.m.

The root of security in the Internet of Things begins with trust, including trusted device identity and secure communications with protection of sensitive information. These foundational elements must come together to provide a more secure IoT solution. In this half-day RSA Conference session, you’ll hear from Microsoft Software Architect Paul England and industry leaders and see demonstrations of IoT security in action.

Tuesday, March 1

Hot Topics in Privacy: A Conversation with Adobe, Google and Microsoft 1:10–2 p.m.

Rapid expansion of social media, mobile devices, sharing culture and the Internet of Things has pushed privacy to the top of consumers’ minds. With a pending European Data Protection Regulation, consumers want control of their data and breaches. There is no end to privacy issues facing society. Join privacy leaders from Google, Adobe and Microsoft as they explore the hot topics facing the industry.

Bringing Cybersecurity to the Boardroom 3:30–4:20 p.m.

As cybersecurity becomes a more pressing issue to the enterprise, security leaders are finding themselves presenting cybersecurity risks and strategies to a new group: the board of directors. Microsoft CVP and CISO Bret Arsenault will share his learnings on working with boards to provide the right level of risk awareness and to drive informed investments for an enterprise-level cybersecurity program.

Wednesday, March 2

Machine Learning and the Cloud: Disrupting Threat Detection and Prevention 10:20–11:10 a.m.

Machine learning with large data sets gives unprecedented insights and anomaly detection capability. Mark Russinovich, chief technology officer for Microsoft Azure, will explain how Microsoft uses the agility and scale of the cloud to protect its infrastructure and customers. Learn about the application of data mining and machine learning algorithms and security domain learnings to the vast amounts of data and telemetry gathered by its many different systems and services.

SaaS Attacks Happen: How Cloud Scale Changes the Security Game 10:20–11:10 a.m.

Gain insights into how cloud security engineering is evolving not only to meet the unique risks of SaaS, but to leverage the advantages that this scale and uniformity can offer. Take a behind-the-scenes look at how Office 365 applies these unique SaaS security principles to protect hosted users and organizations from breach.

Tracking Hackers on Your Network With Sysinternals Sysmon 11:30 a.m.–12:20 p.m.

Sysinternals Sysmon is an advanced system monitoring service that logs file manipulation, process and image loading, and other events that can be used to identify the presence of an attacker. Microsoft Azure CTO Mark Russinovich continues his RSA teaching tour with tips and tricks that will help you get the most out of this powerful hacker hunting tool.

Using Cloud-Scale Intelligence to Address Security Challenges 11:30 a.m.–12:20 p.m.

The rise of the cloud brings a new wave of evolution in security challenges. Microsoft CVP and CISO Bret Arsenault and Julia White, Cloud Platform general manager, will suggest new approaches that users and providers of cloud services can take to secure cloud platforms. They’ll examine Microsoft’s role in the world of cloud security, explain how to use cloud-scale security intelligence to improve protection, and discuss how to work with partners to enable additional security tools.

Thursday, March 3

Managing Complex M&A Security Risks — A Detailed Case Study 9:10–10 a.m.

In this informative talk, Microsoft Director of Information Security & Risk Management Ahmad Mahdi will walk through the step-by-step approach one information security organization took to secure a massive acquisition with a global footprint. The acquisition included thousands of new employees and a myriad of technical, geopolitical and financial considerations.

Deconstructing Identity in Security 9:10–10 a.m.

Identity experts from across the industry — including Kim Cameron, Microsoft chief identity architect and distinguished engineer — will tackle tough questions and offer unique points of view on the role identity plays in security. They will deconstruct what identity means to security by sharing how their companies are building identity into the most popular cloud services in the world, and by showing what can be done to strengthen identity in a borderless world.

Data Classification—Reclaiming Infosec’s Redheaded Stepchild 9:10–10 a.m.

This session will explore the changing role data classification plays in data centric security and why security teams need to own the process.

Cloud Attacks Illustrated: Insights From the Cloud Provider 11:30 a.m.–12:20 p.m.

The past five years has seen remarkable growth in cloud services, and the trend is only growing stronger. As expected, attackers have been fast to respond and adapt attacks to cloud computing trends. Microsoft’s Craig Nelson, Azure security response manager, and Tomer Teller, senior security research PM, will show you the latest attack surfaces, trends, statistics and vectors that Microsoft has gathered from its own public cloud infrastructure.

Cloud Attacks Illustrated: Insights From the Cloud Provider (Focus-On) 2:10–3 p.m.

Continue the Cloud Attacks Illustrated: Insights from the Cloud Provider topic in a smaller group discussion and Q&A with Craig and Tomer. Note that this discussion-based session is limited to 50 attendees and no new slides will be presented. Admission to this session is first come, first served, so make sure to check the RSA program for scheduling details.

Managing Complex M&A Security Risks — A Detailed Case Study (Focus-On) 2:10–3 p.m.

Continue the earlier Managing Complex M&A Security Risks conversation in a smaller group with Q&A with Ahmad Mahdi. As noted in the Focus-On session above, attendance is limited to 50 and no new slides will be presented. Check the RSA program for details about Focus-On sessions.

Managing Complex M&A Security Risks — A Detailed Case Study (Discussion Session) 2:10–3 p.m.

Continue the Managing Complex M&A Security Risks – A Detailed Case Study conversation in a smaller group discussion and Q&A with the presenter. This session will be discussion based—no new slides will be presented. This session is limited to 50 attendees. Adding a session to your Schedule does not guarantee you a seat. Admission to this session is on a first come, first served basis.

Categories: Cloud Computing, cybersecurity Tags:

A Single, Unified Trust Center for the Microsoft Cloud

November 23rd, 2015

Today we’re pleased to announce that we have created a single Microsoft Trust Center at www.microsoft.com/trustcenter, which unifies the trust centers of our enterprise cloud services—Microsoft Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and Microsoft Office 365.

Increasingly, our customers deploy multiple Microsoft cloud services, and many expressed a desire for a single point of reference for cloud trust resources. They have come to rely on the trust centers to document the adherence of our cloud services to international and regional standards, describe privacy and data protection policies and processes, and inform them about data transfer and location policies, as well as security features and functionality.

The Microsoft Trust Center gives everyone a single view into the commitments that we put at the heart of our trusted cloud: security of operations, data protection and privacy, compliance with local requirements, and transparency in how we do business. Now, customers can view a single page documenting which of our services comply with such standards as ISO 27018 or HIPAA, or our data location policies across services.

Information in the Trust Center is organized by our four underlying principles of security, privacy and control, compliance and transparency:

Security: Get an overview of how security is built into the Microsoft Cloud from the ground up, with protection at the physical, network, host, application, and data layers so that our online services are resilient to attack. Sections describe the individual security features of Azure, CRM Online, Office 365, and Intune.

Privacy and Control: Here we outline Microsoft Cloud privacy principles:

  • You own your own data describes Microsoft Cloud policies for data ownership; we will use your customer data only to provide the services we have agreed upon.
  • You are in control of your customer data provides datacenter maps for each service, and policies for data portability, retention, and access.
  • Responding to government and law enforcement requests to access customer data outlines our processes for responding, including our commitment to transparency and limits in what we will disclose.
  • We set and adhere to stringent privacy standards describes how privacy in the Microsoft Cloud is grounded in the Microsoft Privacy Standard and the Microsoft Secure Development Lifecycle, and backed with strong contractual commitments to safeguard customer data in the Microsoft Online Services Terms.

Compliance: Our combined compliance site contains comprehensive information on Microsoft Cloud certifications and attestations such as EU Model Clauses, FedRAMP, HIPAA, ISO/IEC 27001 and 27018, PCI-DSS, and SOC 1 and SOC 2. Each compliance page provides background on the certification, a list of compliant services, and detailed information such as implementation guides and best practices.

Transparency: The Microsoft Cloud is built on the premise that for you to control your customer data in the cloud, you need to understand as much as possible about how that data is handled. You’ll find a summary of the policies and procedures here.

We are committed to providing you the most trusted cloud on the planet through our foundational principles of security, privacy & control, compliance, and transparency.

Visit http://www.microsoft.com/TrustCenter

Doug Hauger
General Manager
National Cloud Programs

Categories: Cloud Computing Tags:

Cloud security controls series: Managing “Shadow IT”

October 26th, 2015

Some of the enterprise customers I have talked to who are in the process of evaluating cloud services for use by their organization have told me that they currently do not use cloud services. Some are adamant that no one within their organization is currently using the cloud, while others speculate that some business groups are undoubtedly using cloud apps unbeknownst to their IT department and without explicit organizational approval to do so. In both of these cases the customers don’t have much data to help them get insight into the “shadow IT” solutions that might be in use within their organizations. This worries CISOs and CIOs alike, as corporate data they have been entrusted to protect could be leaving the organization via unapproved cloud apps that might not meet their organization’s security and privacy standards.

This is where Azure Active Directory Cloud App Discovery can help. Azure AD Cloud App Discovery is included in the Premium edition of Azure Active Directory. You can get information on the different editions of Azure Active Directory here.

Azure Active Directory Cloud App Discovery enables you to:

  • Discover cloud applications in use within your organization. See the specific applications that were detected and track application usage over time.
  • Identify which users in your organization are using cloud applications. See the number of users using a particular application, and the identities of those users.
  • Export the data so that it can be further analyzed in Power BI or offline.
  • Prioritize applications to bring under IT control, with provisioning, single sign-on and conditional access policies.

The Azure Active Directory Cloud App Discovery Endpoint Agent is used to collect data on which cloud apps are being used on the client systems it is installed on. This agent can be installed on Windows 7, Windows 8, Windows 8.1, and Windows 10 based systems. Administrators of the Azure Active Directory tenant can download the agent installation package from the Azure portal. The agent can either be manually installed on client systems or installed across multiple machines in the organization using Group Policy or Microsoft System Center Configuration Manager (SCCM). The administrator has an option to configure privacy notification or user approval of agent installation and data collection (as seen below). I also provide a screen shot of what the user sees above the system tray on their system when the administrator selects the “require user consent” option below.

The agent captures the URLs, headers and metadata for HTTP and HTTPS connections originating from the system it is installed on. This allows the agent to capture requests to all cloud applications accessed over HTTP or HTTPS (using the “Deep Inspection” option seen below), whether the user is using a browser or some other type of application.

If applications use protocols other than HTTP or HTTPS to access cloud services, those apps won’t be discovered by the agent. The agent also captures the username of the user logged onto the system. The agent sends this data to the Azure Cloud App Discovery service over an encrypted channel, where it is stored in Azure blob storage; the data in the service is only visible to admins of the tenant, and each tenant admin can only see the data for their tenant.

More information on the agent, the specific data it collects, and how the data is sent to the service from the clients is available in this article: Cloud App Discovery Security and Privacy Considerations.

Global Administrators or their delegates can decide which cloud apps they want the agent to track usage of. By default, all the apps in the Business apps category will be tracked, but any combination of the 1,465 apps (current count at the writing of this article) in 25 categories can be selected or all apps can be specified.

For each application tracked, administrators will see the username of the user using the application, the machine name the app was used from, how many web requests were sent to the cloud app (multiple requests can be sent per operation, so this number could be large), the volume of data sent out, the volume of data that came in, and the last date and time the app was accessed. A comma separated values (CSV) file with this data can be downloaded from Azure Cloud App Discovery in the Azure portal.
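The per-app report just described, and the log-based traffic analysis behind the “upload network logs” step of the Cloud App Security post earlier on this page, both reduce to the same aggregation: group web requests by cloud app, then roll up users, machines, request counts, bytes in and out, and last-seen time. The script below is an added example of that aggregation; it is not code from Microsoft or from either product. The proxy log format, the sample log lines, the app catalog (`APP_CATALOG`) and the bulk-upload threshold are all constructed assumptions for the example, and hosts missing from the catalog are deliberately reported under their own name rather than dropped, since an unknown destination is exactly what a shadow IT review is looking for.

```python
"""Log-based discovery of cloud app usage (shadow IT).

Added example, not Microsoft's code: it mimics the aggregation that a
network-log upload or an endpoint agent's per-app report performs, so the
columns the page lists (user, machine, requests, bytes out/in, last seen)
can be seen computed from traffic records. The log format, app catalog and
threshold are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample egress-proxy log (not real traffic). Fields:
# timestamp user machine method url bytes_out bytes_in status
SAMPLE_LOG = """\
2016-04-06T08:15:02Z alice WS-ALICE GET https://contoso.sharepoint.com/sites/hr 512 20480 200
2016-04-06T08:16:40Z alice WS-ALICE POST https://contoso.sharepoint.com/_api/upload 1048576 300 200
2016-04-06T09:01:11Z bob WS-BOB GET https://www.dropbox.com/home 420 15000 200
2016-04-06T09:02:05Z bob WS-BOB POST https://dl-web.dropbox.com/upload 5242880 200 200
2016-04-06T09:30:00Z carol LAPTOP-C GET https://mail.google.com/mail/u/0/ 300 40000 200
2016-04-06T10:12:33Z bob WS-BOB GET https://www.dropbox.com/home 410 14900 200
2016-04-06T10:15:00Z dave WS-DAVE GET https://someunknownapp.example/ 200 1000 200
"""

# Hypothetical app catalog: domain suffix -> (app name, sanctioned by IT?).
# Real services ship a catalog of many hundreds of apps with risk scores.
APP_CATALOG: Dict[str, Tuple[str, bool]] = {
    "sharepoint.com": ("SharePoint Online", True),
    "dropbox.com": ("Dropbox", False),
    "google.com": ("Gmail", False),
}


@dataclass
class AppUsage:
    """Per-app aggregate with the columns the page lists for each tracked app."""
    app: str
    sanctioned: bool
    users: Set[str] = field(default_factory=set)
    machines: Set[str] = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0
    bytes_in: int = 0
    last_seen: Optional[datetime] = None


def classify_host(host: str) -> Tuple[str, bool]:
    """Map a hostname to (app, sanctioned) by domain-suffix match.
    Hosts absent from the catalog are reported under their own name and
    treated as unsanctioned, so unknown destinations are never silently dropped."""
    for suffix, (app, sanctioned) in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app, sanctioned
    return host, False


def summarize(log_text: str) -> Dict[str, AppUsage]:
    """Aggregate one request per log line into per-app usage records."""
    usage: Dict[str, AppUsage] = {}
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue  # skip blank lines and comments
        ts, user, machine, _method, url, b_out, b_in, _status = raw.split()
        host = urlsplit(url).hostname or ""
        app, sanctioned = classify_host(host)
        rec = usage.setdefault(app, AppUsage(app, sanctioned))
        rec.users.add(user)
        rec.machines.add(machine)
        rec.requests += 1  # several requests per user operation is normal
        rec.bytes_out += int(b_out)
        rec.bytes_in += int(b_in)
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if rec.last_seen is None or seen > rec.last_seen:
            rec.last_seen = seen
    return usage


def shadow_it_report(usage: Dict[str, AppUsage],
                     bulk_upload_bytes: int = 1_000_000) -> List[Tuple[str, int, bool]]:
    """List unsanctioned apps as (app, bytes_out, bulk_upload_flag), largest
    upload volume first; the flag marks apps that received at least the
    assumed threshold, the case most worth an analyst's attention."""
    rows = [(u.app, u.bytes_out, u.bytes_out >= bulk_upload_bytes)
            for u in usage.values() if not u.sanctioned]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def to_csv(usage: Dict[str, AppUsage]) -> str:
    """Render the same columns the page describes for the downloadable CSV."""
    lines = ["app,sanctioned,users,machines,requests,bytes_out,bytes_in,last_seen"]
    for u in sorted(usage.values(), key=lambda r: r.app):
        lines.append(",".join([
            u.app, str(u.sanctioned).lower(),
            ";".join(sorted(u.users)), ";".join(sorted(u.machines)),
            str(u.requests), str(u.bytes_out), str(u.bytes_in),
            u.last_seen.isoformat() if u.last_seen else "",
        ]))
    return "\n".join(lines)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for app, b_out, flagged in shadow_it_report(report):
        print(f"{'!! ' if flagged else '   '}{app}: {b_out} bytes uploaded")
    print(to_csv(report))
```

Run as-is, the sample log yields three unsanctioned destinations, with Dropbox flagged for roughly 5 MB uploaded by a single user from one workstation; that is the kind of row an administrator would then either bring under control (sanction and connect via API) or block at the egress device.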

Here are some other resources for you:

Cloud App Discovery
Azure Cloud App Discovery GA and our new Privileged Identity Management service
Azure Cloud App Discovery (video)
Cloud App Discovery – Frequently Asked Questions
Cloud App Discovery Group Policy Deployment Guide

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Categories: Cloud Computing, cybersecurity Tags: