Archive for the ‘CISO’ Category

Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic

February 16th, 2021

Cybersecurity professionals find themselves in high demand as organizations worldwide continue to grapple with how to secure millions of remote workers. James Turner is an industry analyst at CISO Lens and served as an adjudicator from 2017 to 2019 for the Australian government’s cyber war games: Operation Tsunami. In this episode of Afternoon Cyber Tea, James and I talk about how the COVID-19 pandemic has accelerated the critical need for cooperation across the cybersecurity industry, as well as the need for strengthening communication between governments and private organizations.

Our discussion really examines how the pandemic has pushed organizations toward greater cost efficiencies and a new mainstreaming of cybersecurity—democratizing the language and tools to make it part of everyone’s “9 to 5” experience.

“Everyone has a plan until they get hit in the face,” as James puts it. “Ransomware is off the hook—one organization just got hit with a 10 million dollar ransom. That’s more than the average Australian or New Zealand organization spends on security in a year.”

If the old saying that every crisis presents an opportunity holds true, James sees the pandemic as a tremendous catalyst for better information sharing amid budget cuts and a fragmented workforce. “The security operating centers at large banks are on speed-dial with each other because the attack against Company A hits Company B the next day. No organization, or even an entire country, can do it all by themselves.”

During our talk, we also touch on how the pandemic has pushed security professionals to look at new ways of optimizing delivery, such as utilizing an integrated security solution rather than an expensive niche product. “It’s given businesses a new appreciation for automatic patching,” James recounts. “My group of CISOs is discussing installing agents on personal devices; the legalities and logistics around that. Budgets are becoming an issue; so, I’m encouraging them to think like startups—get creative.”

James and I also examine how security professionals need to do a better job of evangelizing across the entire IT sector, including developing a ground-level understanding of your own organization’s business units. Cybersecurity will only be truly effective when it’s no longer part of an org chart but simply part of everyone’s job.

To hear my complete conversation with James Turner, listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT, and other emerging tech. In every episode, we’ll look at empowering people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic appeared first on Microsoft Security.

Why threat protection is critical to your Zero Trust security strategy

February 8th, 2021

The corporate network perimeter has been completely redefined. Many IT leaders are adopting a Zero Trust security model where identities play a critical role in helping act as the foundation of their modern cybersecurity strategy. As a result, cybercriminals have shifted their focus and identities are increasingly under attack.

In this infographic, we explore how this shift is affecting IT leaders and how Microsoft can help apply threat protection to proactively prevent identity compromise and reduce alert fatigue.

  1. There’s been a significant increase in identity-based attacks. As IT leaders rely more heavily on identity in their security strategies, cybercriminals have increased their efforts on this threat vector. And with the shift to remote work in response to COVID-19, we’ve seen a notable number of pandemic-related phishing attacks.
  2. IT leaders need more visibility and protection. With the increase in threats, security professionals and admins are being overwhelmed with alerts. IT leaders are looking for more effective ways to manage alerts and better tools to proactively prevent attackers from being able to compromise accounts.
  3. Preventing identity compromise is more critical than ever. As IT leaders evolve their security strategies, people increasingly work remotely, and the number of identity-based attacks rises, it’s vital for organizations to implement real-time, AI-based protections that prevent identity compromise.

Check out the infographic for more details.

If you’re interested in how Microsoft can help, see how Azure Active Directory (Azure AD) Identity Protection and Microsoft 365 Defender use real-time, cloud-based AI to proactively prevent identity compromise. Also check out our Security Unlocked podcast with Data Scientist Lead for Microsoft’s Identity Security and Protection team, Maria Puertas Calvo, to hear how AI is being used to protect identities inside Microsoft products and services.

Visit our Zero Trust page to stay up to date on the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why threat protection is critical to your Zero Trust security strategy appeared first on Microsoft Security.

Afternoon Cyber Tea: Privacy, the pandemic, and protecting our cyber future

February 3rd, 2021

Much of our everyday life has moved online with the pandemic continuing to play a role in how we work and communicate with others. This migration has meant that security and privacy remain top-of-mind both for security professionals and for those who may not have given these cyber issues a second thought before.

In this episode of Afternoon Cyber Tea, I had a chance to talk about this impact with cybersecurity expert Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed.

In our discussion, we focus on Theresa’s experience with election security and social engineering, and on her book “Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth.” We also look at how the cyber operatives behind misinformation campaigns choose their targets, and how digital empathy and human-centered design can help combat cybercrime.

“Nation-state hackers invade social issues—such as fracking, elections, or vaccinations—all while posing as Americans,” Theresa explains. She recounts how, in researching her book, she found herself speaking to a group of Macedonian hackers who targeted the 2016 election, only to discover the hackers were apolitical. “We’re pro-capitalism,” they told her, explaining how they’d created detailed models that showed how much revenue they could earn by pushing certain candidates rather than others.

“Microsoft was one of the early leaders in offering free tools to help states improve their voting technology. They looked at something that could be a revenue generator, then chose to make it about the public good instead.”—Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed

During our conversation, we talk about how social engineering attacks are often made easier by our own trusting natures, with vacation photos, birthdays, and other personal content providing the raw data hackers rely on. Since privacy settings for social media usually require users to opt-in, many users are unknowingly laying their online life out like a buffet for hackers. And, since many people don’t read the terms of service, they often have no idea what data is being collected, or what it’s being used for. Theresa mentions a study done by MIT researchers that found even anonymized data grabbed from phone records, credit card transactions, and mobile apps can be easily cross-referenced by zip code and gender to narrow the user’s identity to within just five people.

Theresa and I agree that people cannot be expected to be experts on cybersecurity or system designs, which is where digital empathy comes into play. As we get better at building security into systems, employees can be free to do what they were hired to do. “Microsoft has been leading the way in going passwordless,” Theresa says. “I’m excited that technology has finally caught up to our needs. Now we’ll only be limited by our own creative minds.”

Find out how Theresa went from working as a bank manager to handling cybersecurity at the George W. Bush White House and get some tips on how to protect yourself from social engineering schemes—listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT, and other emerging tech. In every episode, we’ll look at how to empower people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe—so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Privacy, the pandemic, and protecting our cyber future appeared first on Microsoft Security.

Why operational resilience will be key in 2021, and how this impacts cybersecurity

January 28th, 2021

The lessons we have learned during the past 12 months have demonstrated that the ability to respond to and bounce back from adversity in general can impact the short- and long-term success of any organization. It can even dictate the leaders and laggards in any industry.

As security threats also become more daunting, with many organizations remaining in a remote work environment, global organizations must reach a state where their core operations and services are not disrupted by unexpected changes.

The key to success in surviving any unforeseen circumstances in 2021 will be operational resiliency. Operational resilience is the ability to sustain business operations during any major event, including a cyberattack. It requires a strategic and holistic view of what could go wrong and how an organization will respond. Consider the risk and response for a utility company, for example, an organization that relies on IoT data, or a manufacturer of medical supplies. While their approach may differ, the impact would be equally devastating should their operational continuity be halted. In today’s digital world, preparing for cyber threats must be a strategic part of that plan, just like any other form of continuity and disaster recovery.

Speaking with customers globally, we know they are not fully prepared to withstand a major cyber event. Whilst many firms have a disaster recovery plan on paper, nearly a quarter have never tested that plan and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

It begins with Zero Trust. Zero Trust is based on three principles: verify explicitly, use least privilege access, and assume breach.

Verify explicitly

Rather than trust users or devices implicitly because they’re on the corporate network or VPN’ed into it, it is critical to assume zero trust and verify each transaction explicitly. This means enabling strong authentication and authorization based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

This starts with strong user authentication. Multi-factor authentication (MFA) is essential, but it’s time to move away from passwords plus SMS and voice calls as authentication factors. Bad actors are getting more sophisticated all the time, and they have found a number of ways to exploit the public switched telephone networks (PSTN) that SMS and voice calls use, as well as some social engineering methods for getting these codes from users.

For most users on their mobile devices, we believe the right answer is passwordless with app-based authentication, like Microsoft Authenticator, or a hardware key combined with biometrics.

Least privileged access

Least privileged access means that when we do grant access, we grant the minimum level of access the user needs to complete their task, and only for the amount of time they need it. Think about it this way: you can let someone into your building, but only during work hours, and you don’t let them into every lab and office.

Identity Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with the capabilities to ensure that the right people have the right access to the right resources.

Assume breach

Finally, operate with the expectation of a breach, and apply techniques such as micro-segmentation and real-time analytics to detect attacks more quickly.

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as transport layer security (TLS) and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

That’s why having a strong identity is the critical first step to the success of a Zero Trust security approach.

Embracing Zero Trust allows organizations to harden their defenses while providing employees access to critical data, even during a cyber event. That’s because identity, the foundation of any Zero Trust security strategy, automatically blocks attacks through adaptive security policies across users and the accounts, devices, apps, and networks they are using. Identity is the only system that connects all security solutions together so we have end-to-end visibility to prevent, detect, and respond to distributed and sophisticated attacks thanks to cloud technology.

“Human identities” such as passwords, biometrics, and other MFA are critical to identifying and authenticating humans. Being a Zero Trust organization also means pervasive use of multi-factor authentication, which we know prevents 99 percent of credential theft, and other intelligent authentication methods that make accessing apps easier and more secure than traditional passwords.

Identity is both the foundation for Zero Trust and a catalyst for digital transformation. It automatically blocks attacks through adaptive security policies. It lets people work whenever and wherever they want, using their favorite devices and applications.

That’s because Zero Trust security relies heavily on pervasive threat signals and insights. It is essential to connect the dots and provide greater visibility to prevent, detect and respond to distributed and sophisticated attacks.

Future-proofing your security posture

As security threats become more daunting and many organizations remain in a remote work environment, global organizations must reach a state where their core operations and services will not be disrupted by unexpected global changes.

To maintain operational resilience, organizations should be regularly evaluating their risk threshold. When we talk about risk, this should include an evaluation of an organization’s ability to effectively respond to changes in the crypto landscape, such as a CA compromise, algorithm deprecation, or quantum threats on the horizon.

Bottom line: organizations must have the ability to operationally execute the processes through a combination of human efforts and technology products and services. The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event.

Operational resilience guidelines call for demonstrating that concrete measures are in place to deliver resilient services and that both incident management and contingency plans have been tested. Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Operational resilience is the necessary framework we must have in place in order to maintain business continuity during any unforeseen circumstances in the year ahead.

We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

The post Why operational resilience will be key in 2021, and how this impacts cybersecurity appeared first on Microsoft Security.

Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth

January 27th, 2021

I joined Microsoft a little more than six months ago—amid a global pandemic and a new norm of remote work, as well as one of the most rapidly evolving threat landscapes in history. We’ve witnessed more sophisticated attacks, like the recent SolarWinds incident, as well as an increase in attack surfaces as devices and online experiences have become more central to the way we work, learn, and live.

In solving these complex challenges alongside our customers and partners, Microsoft takes cybersecurity out of a place of fear and makes it about innovation and empowerment. Every single day, I am inspired by the team here, by their great wisdom, resilience, expertise, and by their commitment to living the mission we espouse.

Yesterday, Satya shared an important milestone for our security business: $10 billion in revenue in the past 12 months, representing more than 40 percent year-over-year growth. That number is inclusive of our security, compliance, identity, and management businesses, and is a testament to the trust our customers have placed in us.

What drives us now is creating a true Zero Trust mindset, which we believe is the cornerstone of effective protection, the foundation for organizational resilience, and the future of security. As part of that, I want to explain more about the work we do to help keep our customers secure, what makes us unique, and some of our latest innovations.

What makes us different

Our approach to security is unique in the industry. Microsoft has two security superpowers—an integrated approach and our incredible AI and automation. We tackle security from all angles—inside-out and outside-in. It’s why we combine security, compliance, identity, and management as an interdependent whole. In security, a silo is an opportunity for an exploit. No one else brings these critical parts of risk management together, not as a suite but as an approach that solves problems for customers on their terms across clouds and platforms.

Given Microsoft’s footprint across so many technologies, we’ve been in a unique position to think holistically about the core aspects of security: stretching from identity and access management; through endpoint, email, and application security; to data loss prevention and into cloud security and SIEM. We have an approach that is truly end-to-end, and it is notable in how deeply this is embedded in our culture. Microsoft’s security organization is an intense, massive collaboration that drives services, intelligence, technologies, and people—all coming together as one humming machine with a singular mission.

Next, consider the tremendous number of signals we take in across our platforms and services, over eight trillion security signals every 24 hours. Using the latest in machine learning and artificial intelligence techniques—plus the power of smart humans—we put these signals to work on behalf of our customers. In 2020 alone, almost six billion malware threats were blocked on endpoints protected by Microsoft Defender.

Infographic that describes how Microsoft protects devices, secures identities, ensures compliance, and detects threats.

Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions.

Protecting our customers

Today’s world of security is really a cat and mouse game. You have to know what the adversaries and threat actors are up to every single day. However, a cyber-attack is ultimately about safety, a fundamental human need. We’ve seen what happens to people as they’re going through attacks, and it’s not pleasant. So, when we’re talking to customers around the world, our mission is really to give them peace of mind.

We can secure our customers best when we invest in these areas:

  • All clouds, all platforms: We believe that anything less than comprehensive security is no security at all. That’s why our security, compliance, identity, and management solutions work seamlessly across platforms and we strive to extend to all clouds and all apps, whether or not Microsoft is being used throughout the computing environment. A great example of this is Azure Sentinel, our cloud-based SIEM, which, in less than a year, is now helping over 9,000 customers protect their cloud workloads. Our commitment to comprehensive security is so absolute that we are empowering our customers to protect their cloud workloads wherever they are hosted, including Amazon Web Services and Google Cloud Platform. And likewise, Microsoft Defender now protects iOS, Android, macOS, and Linux.
  • Simplicity in the face of complexity: In my first customer meeting at Microsoft, on which Satya joined me, a customer told me she just wanted a simple button that would make everything work—could Microsoft help? That really stuck with me. Our customers want to be enablers of innovation in their organizations, and they know that effective security is critical to that work. We must make it easier for them. We hear from our global user community that they want best-in-breed combined with best-in-integration. When faced with complexity, they want greater simplicity. It’s our mission to deliver that and help our customers adapt quickly to a changing world.
  • A vibrant ecosystem: Microsoft welcomes and encourages an industry of strong competition that makes us all better. The Microsoft Intelligent Security Association is a community of more than 175 partner companies who have created over 250 integrations with Microsoft products and services, helping organizations close the gaps between fragmented security solutions and minimize risk. In addition, we delivered an industry record of $13.7 million in bug bounty awards to 327 researchers from more than 55 countries in fiscal year 2020, to help find and address potential vulnerabilities in our products and services before they can be weaponized by malicious actors.

Some new multi-cloud, multi-platform solutions and a look ahead

In addition to our financial news, today we are pleased to share a bit of product news.

Azure Security Center multi-cloud support is now available, including a unified view of security alerts from Amazon Web Services and Google Cloud, as well as enhancements to Azure Defender to protect multi-cloud virtual machines. Today, we are also announcing the availability of Azure Defender for IoT, which adds a critical layer of agentless security for Operational Technology (OT) networks in industrial and critical infrastructure organizations; as well as Application Guard for Office, which opens documents in a container to protect users from malicious content. These new solutions help protect users and businesses across devices, platforms, and clouds.

According to the Microsoft identity 2020 app trends report, out today, providing secure remote access to resources, apps, and data became the top challenge for business leaders in the past year. With Azure Active Directory (Azure AD), our cloud identity solution that provides secure and seamless access to 425 million users, organizations can choose from thousands of pre-integrated apps within the Azure AD app gallery, or bring their own apps. Microsoft Cloud App Security (MCAS) helps protect users, ensuring apps like Salesforce, Workday, and ServiceNow can be quickly adopted and safely managed. The enthusiasm we are seeing for both Azure AD and MCAS truly shows the importance our customers are placing on secured third-party applications.

Our work to make the world more secure for all really does extend to all—from the largest Fortune 100 companies and world governments to individuals. Last week we began rolling out new security features for Microsoft Edge including password generator and Password Monitor, as well as easier to understand options for managing data collection and privacy. We continue to invest in building solutions to help consumers stay more secure and look forward to sharing more in the future.

The milestones and announcements we have today give us an opportunity to celebrate the work of defenders around the world.

As we look to meet the challenges of the future, we’ll continue to invest in a vibrant ecosystem of partners and in building a competitive and cooperative industry that makes us all better. And we are laser-focused on delivering simplicity in the face of complexity, so everything works, and our defender community is empowered to do more.

Ultimately security is about people, protecting people, bringing people together, sharing knowledge and tools to collectively strengthen our defenses. We look forward to sharing more in the coming months about new areas of focus and investment as we continue our commitment to serve this community. We are for defenders, with defenders, and we are defenders ourselves. The fundamental ethos of our efforts is to make the world a safer place for all.

To learn more about Microsoft Security solutions visit our website and watch our webcast to learn how to streamline and strengthen your security.

Bookmark the Security blog to keep up with expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth appeared first on Microsoft Security.

How companies are securing devices with Zero Trust practices

January 25th, 2021

Organizations are seeing a substantial increase in the diversity of devices accessing their networks. With employees using personal devices and accessing corporate resources from new locations in record numbers, IT leaders are seeing an increase in their attack surface area. They’re turning to Zero Trust security models to ensure they have the visibility they need and their data is protected as it’s accessed from outside the corporate network using a wider variety of devices.

We surveyed IT leaders around the world to determine how they’re using Zero Trust practices to protect their devices and enable access to the corporate network from unsecured devices.

  1. More personal devices are accessing corporate resources than ever. In response to the substantial shift to remote work, IT leaders report seeing more of their employees using personal devices to access their networks. As a result, they’re prioritizing device management solutions to improve security and control on personal devices.
  2. Devices accessing the network are monitored but often left out of access decisions. While most IT leaders report that they’re monitoring device health and compliance, the majority aren’t currently using that status in their access decision making. Preventing unauthorized and risky devices is critical to protecting corporate data in a modern environment.
  3. Personal devices are widely agreed to increase risk exposure. Over 92 percent of IT leaders agree that a proliferation of personal devices is increasing their attack surface area. However, far fewer say they’re prepared for managing access from unsecured devices.

Check out the infographic for more details.

If you’re looking at how to help prevent devices from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for endpoints.

The post How companies are securing devices with Zero Trust practices appeared first on Microsoft Security.

How IT leaders are securing identities with Zero Trust

January 19th, 2021

The past twelve months have been a remarkable time of digital transformation as organizations, and especially digital security teams, adapt to working remotely and shifting business operations. IT leaders everywhere turned to Zero Trust approaches to alleviate the challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.

  1. Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices into their identity and access solution, only a minority have moved on to more advanced controls that utilize automation and AI-based threat analysis.
  2. Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
  3. Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. However, surprisingly, the majority of IT leaders do not rate identities as the most mature component in their Zero Trust strategy.
  4. Zero Trust is still in infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.

Read the full report for more details.

If you’re looking for how to help prevent endpoints from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How IT leaders are securing identities with Zero Trust appeared first on Microsoft Security.

Simplify compliance and manage risk with Microsoft Compliance Manager

January 14th, 2021 No comments

The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant will cost you less compared to business disruptions, loss of revenue, and hefty fines.

Data explosion and regulatory environment

As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.

Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.

Manage compliance challenges

According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.

Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.

  • Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
  • Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
  • Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
  • Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.

Simplify compliance with Microsoft Compliance Manager

Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:

  • Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
  • Workflow functionality to help you efficiently complete risk assessments.
  • Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
  • Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.

Shared responsibility

Organizations running their workloads only on-premises are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, such as Microsoft 365, that responsibility becomes shared between your organization and the cloud provider, although your organization is ultimately responsible for the security and compliance of its data.

Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.

Figure 1: Shared responsibility model

Apply a shared responsibility model

Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take the United States National Institute of Standards and Technology’s NIST 800-53 regulation as an example. It is one of the largest and most stringent security and data protection control frameworks used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500 plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that situation with one where your organization was running 100 percent on-premises. In that case, your organization would need to implement and maintain all the NIST 800-53 controls on your own. The time and cost savings managing your IT portfolio under the shared responsibility model can be substantial.

Figure 2: NIST examples of shared responsibilities

Assess your compliance with a compliance score

Compliance Manager helps you prioritize which actions to focus on to improve your overall compliance posture by calculating your compliance score. The extent to which an improvement action impacts your compliance score depends on the relative risk it represents. Points are awarded based on whether the action risk level has been identified as a combination of the following action characteristics:

  • Mandatory or discretionary.
  • Preventative, detective, or corrective.

Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.

The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.

Figure 3: Compliance Score from Microsoft Compliance Manager

For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Simplify compliance and manage risk with Microsoft Compliance Manager appeared first on Microsoft Security.

Siemens USA CISO: 3 essentials to look for in a cloud provider

December 14th, 2020 No comments

In the latest episode of my series, The Shiproom, I spoke with Kurt John, Chief Cybersecurity Officer (CISO) at Siemens USA. Kurt is listed in Security Magazine’s Top 10 most influential cybersecurity leaders, and he also serves on a special cybersecurity committee organized by the Under-Secretary-General of the United Nations.

As CISO for Siemens USA, Kurt describes his job as “leveraging cybersecurity through our value chain to protect the trust society has in us to solve the world’s most complex problems.” Siemens has embraced industry 4.0 and IoT, leading the way in automation for operational technology (OT). The company has been operating in the United States for 160 years and today has 50,000 employees. The responsibility to protect all the people, devices, and intellectual property (IP) rests on Kurt’s shoulders.

“I think movement to the cloud is inevitable,” Kurt tells me in our discussion. “It’s just way too cost-effective. You can scale quickly. But not all cloud providers are created equal.” According to Kurt, a good cloud provider should deliver three things: flexibility, control, and visibility. “You need to have your eyes on everything happening in the cloud. Whether it’s changing business conditions or a threat from an adversary; you need to be able to adjust.”

At one point, a scientist from the future interrupts our conversation (you had to be there) to ask Kurt about the challenges of balancing on-premises data vs. cloud storage: “You want the relationship between the cloud and the enterprise to be as seamless as possible,” Kurt replies. “What’s most important—how well does the cloud provider deploy security controls? I need to be able to wrap my hands around any incident through good protection and detective mechanisms, and good reporting.”

We also touched on how a diverse security team offers better protection against today’s diverse cyber threats. “Diversity in the team immediately skyrockets creativity. With a team that’s physically and cognitively diverse, it’s a wonder what we can accomplish together.”

Talking about building a strong security team led to how mentorship can play a role; Kurt himself mentors college students who are considering a career in tech. “There’s a myth that working in cybersecurity requires you to be incredibly technical. That’s just not the case. Cybersecurity is as big as you make it.”

Watch the whole discussion on The Shiproom: Siemens USA.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Siemens USA CISO: 3 essentials to look for in a cloud provider appeared first on Microsoft Security.

Understanding influences shaping the cybersecurity landscape, enabling digital transformation, and helping to protect our planet

December 3rd, 2020 No comments

The accelerated rate of digital transformation we have seen this past year presents both challenges and endless opportunities for individuals, organizations, businesses, and governments around the world. Cybersecurity is the underpinning of helping protect these opportunities. By examining the influences that are shaping the cyber landscape, and hearing from security experts, industry thought leaders, our customers, and partners—we help strengthen how Microsoft can protect these opportunities.

This month we wrapped season three of Afternoon Cyber Tea with Ann Johnson, where Sandra Joyce, a threat intelligence expert, joined me for the concluding episode to talk about election security and protecting ourselves against misinformation. Our discussion was incredibly illuminating, and it is a perfect example of the ground we continue to cover in these thoughtful conversations.

Each episode has surfaced perspectives on how our collective approach to cybersecurity ties directly to some of society’s most pressing issues, including the need for more diverse voices in the industry, the impact of a global health emergency, and the urgent need to reframe how we think about security.

The impact of a pandemic on global operations

James Turner, an industry analyst who works to support chief information security officers (CISOs) and strengthen the resilience of the economies for Australia and New Zealand, shared his insights in this season’s first episode. He reminded us that cybersecurity is everyone’s business, using the banking industry to emphasize collaboration between organizations on matters of security, even if those organizations are competitors. “The security operating centers at large banks are on speed dial with each other all the time because the attack against Company A hits Company B the next day.”

Even during a global pandemic, which James has seen as a tremendous catalyst for information-sharing amid budget cuts and workforce impact, he says simply reaching out to peers remains critical to understanding and preventing threats.

For Microsoft’s Chief Information Security Officer, Bret Arsenault, the pandemic has also reinforced the importance of planning and testing emergency scenarios to combat bad actors who attempt to exploit human vulnerabilities and new realities of life and work online.

“We’ve seen a really big increase in ransomware and a lot of activity against Remote Desktop Protocol because so many people are remoting in. When you see broad usage, you will see broad bad actor campaigns against those things.”—Microsoft’s Chief Information Security Officer, Bret Arsenault, Microsoft

So as companies advance their digital transformation, the best way to enable a productive workforce is to secure it with a solid strategy to mitigate opportunism. And while a little digital empathy goes a long way, getting employees to think responsibly about their own security can help remote workforces avoid risk, too.

Reframing cybersecurity as a business imperative

The human side of cybersecurity remains one of the trickiest but most critical areas to tackle in the industry. Many guests said it’s integral to how they advise organizations on threat prevention and mitigation.

Jules Okafor, CEO and founder of RevolutionCyber, built her entire company on the premise of transforming institutional cyber mindset to drive behavior change among employees after seeing too many organizations focused on selling security products instead of solving problems.

“That’s not a cyber mindset. It’s more about how do you surround people with cybersecurity in a way that helps them understand it will make them do their jobs better? Cybersecurity has to be better at aligning with the way people think.”—Jules Okafor, CEO and founder, RevolutionCyber

And I think all of my guests would agree cybersecurity should be prioritized throughout all levels and departments of an organization. Some companies are innovating how they do just that.

“Honestly, some of the most successful cybersecurity internal departments I’ve seen have reported out of risk or finance, not technology.”—Tarah Wheeler, Security Researcher and Fulbright Scholar

Defining cybersecurity as one of the pillars of a business, Tarah says, demonstrates that it is critical to your success and more than just an afterthought.

This prioritization reflects a level of understanding that Sandra, my most recent guest, said has become paramount in today’s threat landscape.

As the head of Mandiant Intelligence at FireEye, Sandra discourages a prevention-only mindset. Instead, she advises organizations to assume attacks will happen and to conduct threat profiles that help them strategize how to mitigate the damage when breaches occur.

“If you can understand where you sit in the ecosystem, you can prioritize more and, at the very least, get more efficient,” she says. “Don’t just look at the initial intrusion. Don’t let the first day of an attack be the day you determine how to manage it.”

But these steps are not limited to organizations. Theresa Payton, CEO of Fortalice Solutions, and author of Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, also offered individuals advice on how to guard against the influence of misinformation campaigns. Our conversation touched on the personal data collected by our devices, too, and what we trade for convenience and insights about the patterns of our lives.

“That ubiquitous nature of technology in our lives right now really does have an implication on both privacy but also the risk-versus-reward tradeoff when that data could be really helpful,” she said.

While AI-enabled voice assistants, intelligent appliances, and more can benefit users—think, for example, of discovering an underlying health condition revealed by data collected by your smartwatch—Theresa cautioned against the innumerable unknowns about how that data could be used. And she called on organizations and governing bodies to build security into design and guardrails that prevent helpful technology from hurting us.

The pressing need for more diverse voices in cybersecurity

I am grateful for the chance to talk with guests of unique backgrounds and experiences to hear what inspires them and how they are shaking up the white, male-dominated cybersecurity industry. It became clear that promoting diverse voices goes beyond tapping into a cultural moment—it’s about strengthening the entire industry.

Camille Stewart, head of security policy and election integrity for Android and Google Play, may have put it best when she said, “Racism is inherently a cybersecurity issue because people are at the core of how security controls are adopted and how technology is used. If we do not address issues of systemic racism, the processes and institutions that we are building security into are inherently vulnerable.”

In other words, diversity is threat mitigation, in and of itself.

That is why Camille’s collaboration with Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs is so compelling. Together, they launched the #ShareTheMicInCyber campaign to amplify diverse, expert voices in cybersecurity and share insights to help organizations identify blind spots.

It is an important reminder that the cybersecurity industry is a community and that our ability to protect against threats is only as strong as our ability to identify them—together.

This is something I have so valued this season. The diversity of expertise, experiences, and backgrounds reflected in these episodes are, on a grander scale, helping to shape and improve our collective understanding of cybersecurity. I hope you will find useful takeaways from these leaders who are at the fore of securing and strengthening our industry.

Thank you to all who listened to season three of Afternoon Cyber Tea. All episodes are available to stream and download on PodcastOne, Spotify, and Apple Podcasts.

To learn more about Microsoft Security solutions visit our website. To learn more about CISO topics and solutions, watch the Microsoft CISO Spotlight Series with our host Theresa Payton. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Understanding influences shaping the cybersecurity landscape, enabling digital transformation, and helping to protect our planet appeared first on Microsoft Security.

Becoming resilient by understanding cybersecurity risks: Part 1

October 13th, 2020 No comments

All risks have to be viewed through the lens of the business or organization. While information on cybersecurity risks is plentiful, you can’t prioritize or manage any risk until the impact (and likelihood) to your organization is understood and quantified.

This rule of thumb on who should be accountable for risk helps illustrate this relationship:

The person who owns (and accepts) the risk is the one who will stand in front of the news cameras and explain to the world why the worst case scenario happened.

This is the first in a series of blogs exploring how to manage challenges associated with keeping an organization resilient against cyberattacks and data breaches. This series will examine both the business and security perspectives and then look at the powerful trends shaping the future.

This blog series is unabashedly trying to help you build a stronger bridge between cybersecurity and your organizational leadership.

A visualization of how to manage organizational risk through leadership

Organizations face two major trends driving both opportunity and risk:

  • Digital disruption: We are living through the fourth industrial revolution, characterized by the fusion of the physical, biological, and digital worlds. This is having a profound impact on all of us as much as the use of steam and electricity changed the lives of farmers and factory owners during early industrialization.
    Tech-disruptors like Netflix and Uber are obvious examples of using the digital revolution to disrupt existing industries, which spurred many industries to adopt digital innovation strategies of their own to stay relevant. Most organizations are rethinking their products, customer engagement, and business processes to stay current with a changing market.
  • Cybersecurity: Organizations face a constant threat to revenue and reputation from organized crime, rogue nations, and freelance attackers who all have their eyes on your organization’s technology and data, which is being compounded by an evolving set of insider risks.

Organizations that understand and manage risk without constraining their digital transformation will gain a competitive edge over their industry peers.

Cybersecurity is both old and new

As your organization pulls cybersecurity into your existing risk framework and portfolio, it is critical to keep in mind that:

  • Cybersecurity is still relatively new: Unlike responding to natural disasters or economic downturns with decades of historical data and analysis, cybersecurity is an emerging and rapidly evolving discipline. Our understanding of the risks and how to manage them must evolve with every innovation in technology and every shift in attacker techniques.
  • Cybersecurity is about human conflict: While managing cyber threats may be relatively new, human conflict has been around as long as there have been humans. Much can be learned by adapting existing knowledge on war, crime, economics, psychology, and sociology. Cybersecurity is also tied to the global economic, social, and political environments and can’t be separated from those.
  • Cybersecurity evolves fast (and has no boundaries): Once a technology infrastructure is in place, there are few limits on the velocity of scaling an idea or software into a global presence (whether helpful or malicious), mirroring the history of rail and road infrastructures. While infrastructure enables commerce and productivity, it also enables criminal or malicious elements to leverage the same scale and speed in their actions. These bad actors don’t face the many constraints of legitimate usage, including regulations, legality, or morality in the pursuit of their illicit goals. These low barriers to entry on the internet help to increase the volume, speed, and sophistication of cyberattack techniques soon after they are conceived and proven. This puts us in the position of continuously playing catch up to their latest ideas.
  • Cybersecurity requires asset maintenance: The most important and overlooked aspect of cybersecurity is the need to invest in ‘hygiene’ tasks to ensure consistent application of critically important practices.
    One aspect that surprises many people is that software ‘ages’ differently than other assets and equipment, silently accumulating security issues with time. Like a brittle metal, these silent issues suddenly become massive failures when attackers find them. This makes it critical for business leadership to proactively support ongoing technology maintenance (despite no previous visible signs of failure).

Stay pragmatic

In an interconnected world, a certain amount of playing catch-up is inevitable, but we should minimize the impact and probabilities of business impact events with a proactive stance.

Organizations should build and adapt their risk and resilience strategy, including:

  1. Keeping threats in perspective: Ensuring stakeholders are thinking holistically in the context of business priorities, realistic threat scenarios, and reasonable evaluation of potential impact.
  2. Building trust and relationships: We’ve learned that the most important cybersecurity approach for organizations is to think and act symbiotically—working in unison with a shared vision and goal.
    Like any other critical resource, trust and relationships can be strained in a crisis. It’s critical to invest in building strong and collaborative relationships between security and business stakeholders who have to make difficult decisions in a complex environment with incomplete information that is continuously changing.
  3. Modernizing security to protect business operations wherever they are: This approach is often referred to as Zero Trust and helps security enable the business, particularly digital transformation initiatives (including remote work during COVID-19) versus the traditional role as an inflexible quality function.

One organization, one vision

As organizations become digital, they effectively become technology companies and inherit both the natural advantages (customer engagement, rapid scale) and difficulties (maintenance and patching, cyberattack). We must accept this and learn to manage this risk as a team, sharing the challenges and adapting to the continuous evolution.

In the coming blogs, we will explore these topics from the perspective of business leaders and from cybersecurity leaders, sharing lessons learned on framing, prioritizing, and managing risk to stay resilient against cyberattacks.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 1 appeared first on Microsoft Security.

Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance

September 22nd, 2020 No comments

As we talk with a broad range of customers in the current environment, we hear some consistent challenges businesses are facing. With so many remote workers, people are creating, sharing, and storing data in new ways, which fosters productivity, but can also introduce new risks. A recent Microsoft poll of Chief Information Security Officers (CISOs) revealed that providing secure remote access to resources, apps, and data is their top concern.

To help companies better protect their data, mitigate risk, and address compliance regulations, especially in this time of flexible work, we are announcing several new capabilities across Microsoft Compliance, including:

  • General availability of Microsoft Compliance Manager to address industry regulations and custom requirements.
  • New connectors and APIs to help you to extend Microsoft compliance capabilities to third-party apps.
  • Ability to protect native and third-party cloud apps through unified data loss prevention (DLP), now extended to Microsoft Cloud App Security (MCAS) in public preview.
  • Expanded security and compliance capabilities built directly into Microsoft Teams.

Read on to learn more about these and additional features beginning to roll out today in Microsoft 365 Compliance. You can also check out what Jeff Teper, Corporate Vice President for Microsoft 365, has to say about Microsoft Compliance.

Addressing the complexity of data regulations with Microsoft Compliance Manager

In addition to the talent shortage and complexity of compliance management, customers also face the need to comply with an increased volume and frequency of regulations, with hundreds of updates a day globally to thousands of industry and regional regulations. Additionally, the complexity of regulations makes it challenging for organizations to know specific actions to take and their impact.

Compliance Manager offers a vast library of assessments for expanded regulatory coverage, built-in automation to detect tenant settings, and step-by-step guidance to help you manage risk. Compliance Manager translates complex regulatory requirements to specific technical controls, and through compliance score, provides a quantifiable measure of risk assessment. Generally available today, Compliance Manager brings together the existing Compliance Manager and Compliance Score solutions in the Microsoft 365 compliance center.

Now, with more than 150 out-of-the-box and scalable assessments in Compliance Manager, you can address industry- and region-specific requirements, while also meeting multiple requirements through a single action.

The flexibility of custom assessments also allows you to extend compliance and risk management beyond Microsoft 365 to meet your specific business needs. For example, if you are currently tracking compliance of your SAP data in an Excel file, you can bring that into Compliance Manager.

You can learn more about Compliance Manager on Tech Community. Check out Frost Bank’s experience with Compliance Manager on the Microsoft Customer site.

Extending compliance capabilities to manage data risk beyond Microsoft 365

To provide greater visibility into your data, wherever it lives, we are making new connectors available that can pull data from other apps into Microsoft Compliance (including Microsoft Information Protection, Insider Risk Management, Communication Compliance, and eDiscovery) to help you to reason over, protect, and govern that data. These new connectors – available in partnership with Globanet and Telemessage – include SMS/text connectors for various telecom operators (e.g., AT&T, Verizon, T-Mobile, etc.), WhatsApp, Zoom, and Slack.

A key ask from our partners and customers is the ability to access Microsoft Compliance solutions and integrate them with existing applications and services that are part of broader compliance, security, and operations (SecOps) ecosystems, including Symantec, McAfee, and Relativity.

To help, we are announcing new APIs, which are part of the broader Microsoft Graph ecosystem:

  • Teams Data Loss Prevention (DLP) API: Allows third-party products to integrate and enable data loss prevention capabilities for Microsoft Teams.
  • eDiscovery API: Allows the automation of Advanced eDiscovery processes, including case creation and the entire legal hold notification workflow to communicate with custodians involved in a case.
  • Teams Export API: Allows the export of Teams Messages (1:1 and group chat) along with attachments (file links and sticker), emojis, GIFs, and user @Mentions. This API supports polling daily Teams messages and allows archiving of deleted messages up to 30 days.

An image showing the Microsoft 365 Compliance ecosystem.

Figure 1: Extending compliance beyond Microsoft 365 — We have partnered with Globanet and Telemessage to deliver ready-to-use connectors. All Microsoft and third-party built connectors are now available in a single catalog.

You can learn more in the Tech Community blog.

Extending unified data loss prevention to Microsoft Cloud App Security (MCAS)

Having the right data protection and governance approach is critical to not only addressing regulatory compliance but also to mitigating risks around data leakage.

Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. In July, we announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which builds on the labeling and classification in Microsoft Information Protection. Endpoint DLP extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on devices by restricting what data apps can access. Endpoint DLP is also natively integrated with the new Microsoft Edge browser, providing additional policy options to restrict the flow of data when accessing web sites.

Today we announce the extension of Microsoft data loss prevention solutions to Microsoft Cloud App Security. This new capability, now in public preview, extends the integration for DLP policy-based content inspection across connected applications such as Dropbox, Box, Google Drive, Webex, OneDrive, SharePoint, and others. This extension of Microsoft data loss prevention solutions to MCAS helps users remain continuously compliant when using popular native and third-party cloud apps and helps to ensure sensitive content is not accidentally or inappropriately shared. MCAS uses the same policy framework and more than 150 sensitive information types that are common across all Microsoft data loss prevention solutions, to provide a familiar, consistent, and seamless experience.

You can learn more about our unified approach to data loss prevention on Tech Community.

Additional security and compliance features, including Advanced eDiscovery, being added to Microsoft Teams

As Microsoft Teams usage has grown with the shift to remote work, organizations are looking for seamless integration in order to keep their data and employees secure and compliant.

With the volume of business conversations happening now in Microsoft Teams, we are also adding additional security and compliance features, including:

  • Advanced eDiscovery now supports live documents and links shared in Microsoft Teams. Advanced eDiscovery automatically collects documents from a storage location, such as SharePoint or OneDrive, to pull the content into an eDiscovery case. The attachments are collected, reviewed, and exported along with the Teams conversations so customers don’t need to manually find and collect the documents one by one.
  • Auto-apply retention policies for Microsoft Teams meeting recordings allow you to retain and delete recordings with in-place governance, which means the retention policies apply wherever the recordings are saved without the need to export elsewhere. When the rollout for this begins in October, we will provide guidance on how you can leverage Keyword Query Language to create retention policies for Teams meeting recordings.
  • We now include Teams-specific actions in Compliance Manager, which provide guidance around improvement and implementation of actions you can take to help to align with protection regulations and standards.
  • We are also announcing Customer Key support for Teams. Microsoft helps keep Teams data safe by encrypting it while at rest in Microsoft datacenters. Now we are extending this capability to enable customers to add a layer of encryption using their own keys for Teams, similar to Exchange Online, SharePoint Online, and OneDrive.  
  • Insider Risk Management now offers native integration with Microsoft Teams to securely coordinate, collaborate, and communicate on a case with relevant stakeholders in the organization. When an Insider Risk Management case is created, a private Microsoft Teams team will also be created and bound to the case for its duration. This Microsoft Teams team will, by default, include insider risk management analysts and investigators, and additional contributors, such as HR and Legal, can be added as appropriate. With Teams integration, stakeholders can:
    • Use channel conversations to coordinate and track review/response activities.
    • Share, store, and review relevant files and associate evidence. 

Additional new capabilities coming to Microsoft Compliance

While I’ve discussed some of the biggest areas of investment for us in Microsoft Compliance, there are many additional new capabilities we’re excited to bring to you today:

  • Microsoft Information Protection now includes more than 150 sensitive data types, improvements to Exact Data Match, the general availability of automatic labeling in Office apps, and more.
  • Microsoft Information Governance and Records Management include new in-place retention and deletion policies for Yammer messages (rolling out now in public preview), as well as integration with the new SharePoint Syntex.
  • Insider Risk Management now integrates with Power Automate, provides a richer investigation experience, and includes expanded signal visibility to badging systems for building security.
  • Communication Compliance now provides enhanced visibility across a variety of communication channels and integration with Power Automate.
  • Advanced eDiscovery now has improved workflows, support for linked content in emails or chat messages, and enhanced collection experience.
  • Advanced Audit now includes two new audit events to help with forensic investigations and the ability to add 10-year audit log retention.

Remote and hybrid work scenarios have demonstrated that there has never been a more important time to invest in security and compliance. Get started today with Microsoft 365. To learn more about Microsoft Compliance and gain more technical training, visit the Virtual Hub today.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance appeared first on Microsoft Security.

Microsoft Security: Use baseline default tools to accelerate your security career

September 14th, 2020

I wrote a series of blogs last year on how gamified learning through cyber ranges can create more realistic and impactful cybersecurity learning experiences and help attract tomorrow’s security workforce. With the global talent shortage in this field, we need to work harder to bring people into the field. This blog is for new cyber professionals or perhaps younger aspirants considering getting into cyber. From an employee’s perspective, it can seem daunting to know where to start, especially when you’re entering an organization with established technology investments, priorities, and practices. Having come to this field later in my career than others, I say from experience that we need to do a better job collectively in providing realistic and interesting role-based learning, paths toward the right certifications and endorsements, and more definitive opportunities to advance one’s career.

I’m still a big fan of gamified learning, but if gaming isn’t your thing, then another way to acquire important baseline learning is to look at simpler, more proactive management tools that up-level different tasks and make your work more efficient. Microsoft has recently released two important cloud security posture management tools that can help a newer employee quickly grasp basic yet critically important security concepts AND show immediate value to your employer. They’re intuitive to learn and deserve more attention.  I’m talking about Azure Security Defaults and Microsoft Secure Score (also including Azure Secure Score). While tools like these don’t typically roll off the tongue, and your experience won’t grab you like an immersive gaming UI, their purpose-built capabilities that focus on commonly-accepted cyber hygiene best practices reinforce solid foundational practices that are no less important than SecOps, incident response, or forensics and hunting. Learning how to use these tools can make you a champion and influencer, and we encourage you to learn more below. These capabilities are also built directly into our larger Azure and M365 services, so by using built-in tools, you’ll help your organization maximize its investments in our technologies and help save money and reduce complexity in your environment.

Azure Security Defaults is named for what it does—setting often overlooked defaults. With one click, you automatically enable several foundational security controls that if left unaddressed are convenient and time-tested targets for attackers to go after your organization. One question that I frequently receive is why Microsoft doesn’t simply pre-configure these settings by default and force customers to turn them off. Several large, high-threat customers have asked specifically that we do that. It’s tempting, but until or unless we make such a move, this is a great self-service add-on. As explained in this blog, ASD does the following:

  • Requires all users to register for Azure Multi-Factor Authentication.
  • Requires admins to perform MFA.
  • Blocks legacy authentication protocols.
  • Requires users to perform MFA when necessary.
  • Protects privileged activities to access the Azure Portal.
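An added example (not from the original post or from Microsoft): before Security Defaults is switched on, a sign-in log export can show which accounts still depend on the legacy protocols that will be blocked and which admins currently sign in with a single factor. It assumes records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `clientAppUsed`, `authenticationRequirement`, `status.errorCode`); the sample lines, the `contoso.example` accounts, and the admin list are constructed.

```python
import json
from collections import defaultdict

# `clientAppUsed` values that Azure AD reports for legacy authentication clients.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Other clients",
}

# Constructed sample export: one JSON sign-in record per line (last line is truncated on purpose).
SAMPLE_SIGNINS = """\
{"createdDateTime":"2020-09-01T08:02:11Z","userPrincipalName":"alice@contoso.example","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2020-09-01T08:05:40Z","userPrincipalName":"bob@contoso.example","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2020-09-01T08:06:02Z","userPrincipalName":"bob@contoso.example","clientAppUsed":"POP3","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2020-09-01T08:10:19Z","userPrincipalName":"Carol@contoso.example","clientAppUsed":"Browser","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2020-09-01T08:12:55Z","userPrincipalName":"dave@contoso.example","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2020-09-01T09:00:00Z","userPrincipalName":
"""

# Hypothetical list of accounts holding admin roles (constructed for the example).
ADMIN_UPNS = ["carol@contoso.example", "dave@contoso.example"]


def parse_signins(text):
    """Parse JSON-lines sign-in records; return (records, number_of_skipped_lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(record, dict):
            records.append(record)
        else:
            skipped += 1
    return records, skipped


def audit_signins(records, admin_upns):
    """Summarise what blocking legacy auth and requiring admin MFA would affect."""
    admins = {upn.lower() for upn in admin_upns}
    legacy_users = defaultdict(set)      # UPN -> legacy protocols with successful sign-ins
    failed_legacy = defaultdict(int)     # UPN -> failed legacy attempts
    admins_single_factor = set()

    for record in records:
        upn = (record.get("userPrincipalName") or "").lower()
        if not upn:
            continue
        succeeded = (record.get("status") or {}).get("errorCode") == 0
        is_legacy = record.get("clientAppUsed") in LEGACY_CLIENT_APPS

        if is_legacy and succeeded:
            # A working dependency that will stop once legacy auth is blocked.
            legacy_users[upn].add(record["clientAppUsed"])
        elif is_legacy:
            # Failed legacy attempts are traffic the block removes entirely.
            failed_legacy[upn] += 1

        single = record.get("authenticationRequirement") == "singleFactorAuthentication"
        if succeeded and single and upn in admins:
            admins_single_factor.add(upn)

    return {
        "legacy_auth_users": {u: sorted(p) for u, p in sorted(legacy_users.items())},
        "failed_legacy_attempts": dict(sorted(failed_legacy.items())),
        "admins_single_factor": sorted(admins_single_factor),
    }


if __name__ == "__main__":
    parsed, bad_lines = parse_signins(SAMPLE_SIGNINS)
    print(json.dumps(audit_signins(parsed, ADMIN_UPNS), indent=2))
    print(f"skipped {bad_lines} malformed line(s)")
```

Accounts listed under `legacy_auth_users` need a modern-authentication client before the defaults are enabled, and admins listed under `admins_single_factor` should register for MFA first.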

A recent important addition to ASD is that Microsoft announced on August 12th that ASD is now also available through Azure Security Center. This is an important and beneficial addition in that it adds another opportunity for your IT organization—whether identity and access management, or security operations—to implement the defaults. I’ve noticed on several occasions when briefing or providing a demo on Azure Security Center to a CISO team that a challenge in effectively using this service may come down to organizational issues, specifically, Who OWNS it?  Is ASC a CISO tool? Regardless of who may own the responsibility, we want to provide the capability upfront.

Microsoft Secure Score is a relatively new feature designed to quantify your security posture based on how you configure your Microsoft resources. What’s cool and impactful about it is that it shows, in a convenient top-down menu, how your organization’s approach compares (anonymously) with that of your industry segment’s peers (which in many cases have similar reference architectures), and provides clear recommendations for what you can do to improve your score. From a Microsoft perspective, this is what we’d call all carrot and no stick. Although, as covered above, we provide Azure Security Defaults, customers are still on point to make a proactive decision to implement controls based on their particular work culture, compliance requirements, priorities, and business needs. Take a look at how it works:

This convenient landing page provides an all-up view into the current state of your organization’s security posture, with specific recommendations to improve certain configuration settings based on an art-of-the-possible. In this demo example, if you were to enable every security control to its highest level, your score would be 124, as opposed to the current score of 32, for a percentage of 25.81. Looking to the right of the screen, you get a sense of comparison against peer organizations. You can further break down your score by categories such as identity, data, device, apps, and infrastructure; this in turn gives a security or compliance team the opportunity to collaborate with hands-on teams that control those specific resources and who might be operating in silos, not necessarily focused on security postures of their counterparts.

An image of Microsoft Secure Score.

Azure Secure Score

You’ll also find Secure Score in the Azure Security Center blade where it provides recommendations front and center, and a color-coded circular graph on important hybrid infrastructure configurations and hygiene.

An image of Secure Score in the Azure Security Center.

Drilling deeper, here we see a variety of recommendations to address specific findings. For example, the top line item is advice to ‘remediate vulnerabilities’, indicating that 35 of 59 resources that ASC is monitoring are in some way not optimized for security.

An image of variety of recommendations to address specific findings.

Going a level further into the ‘secure management ports’ finding, we see a sub-heading list of actions you can take specific to these resources’ settings. Fortunately, in this case, the administrator has addressed previously-discovered findings, leaving just three to-do’s under the third subheading. For added convenience, the red/green color-coding on the far right draws your attention.

An image of the ‘secure management ports’ finding.

Clicking on the third item above shows you a description of what ASC has found, along with remediation steps. You have two options to remediate: more broadly enable and require ‘just in time’ VM access; or, manually enable JIT for each resource. Again, Microsoft wants to incentivize and make it easier for your organization to take more holistic and proactive steps across your resources such as enabling important settings by default; but we in no way penalize you for the security settings that you implement.

An image of a description of what ASC has found, along with remediation steps.

The post Microsoft Security: Use baseline default tools to accelerate your security career appeared first on Microsoft Security.

3 ways Microsoft 365 can help you reduce helpdesk costs

September 3rd, 2020

With more people than ever working remotely, organizations must maximize employee productivity while protecting an ever-growing digital footprint. Many have stitched together specialized security solutions from different vendors to improve their cybersecurity posture, but this approach is expensive and can result in gaps in coverage and a fragmented user experience. With Microsoft’s integrated security solutions, you can enhance security and user productivity more cost-effectively.

Focusing a lens on the helpdesk illuminates how consolidating with Microsoft helps streamline and strengthen your security posture. Your helpdesk plays an important role in enabling employees to be more effective, but it can also reveal organization-wide productivity challenges. Productivity matters because if security controls are too cumbersome, employees will find workarounds. In this blog, I’ll highlight three examples of how Microsoft 365 can help you reduce costs while strengthening cybersecurity.

1. Reduce password reset calls by 75 percent

One of the most common reasons that employees call the helpdesk is to reset their password. These calls result in a loss of productivity for employees who are locked out of their accounts. They also require employees and helpdesk analysts to take time out of their busy days to work through steps to reset the password. With a high volume of calls, the costs add up.

The best way to reduce password reset calls is to eliminate passwords entirely. Microsoft has built support for passwordless authentication methods such as biometrics, FIDO2 security keys, and PINs into all our products and services. Because they are encrypted and stored locally on your users’ devices, these methods are more secure than passwords and easier for employees—and they can reduce your costs. When Microsoft rolled out passwordless to our employees, the hard and soft costs of supporting passwords fell by 87 percent.

Deploying passwordless is a phased journey and not everyone is ready to start that process now, so it’s important to also improve productivity for password users. Azure Active Directory (Azure AD) is an identity and access management solution that allows users to sign in to all their on-premises and cloud apps with one set of credentials—whether they use passwords or passwordless methods. With single sign-on, employees will have far fewer passwords to remember; however, sometimes they may still forget, or Azure AD may force them to reset a password if an account appears compromised. In either case, Azure AD self-service password reset lets employees unblock their accounts, on their time, via an online portal.

According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, Azure AD self-service password reset can reduce the number of password reset calls per month by 75 percent. In this commissioned study, Forrester Consulting developed a composite organization based on interviews with four customers in different industries who have used Azure AD for years. Deploying Azure AD self-service password reset resulted in a return on investment of USD 1.7 million over three years.

2. Streamline Windows 10 upgrade path

Twice a year Microsoft releases new features and security capabilities for Windows 10. Typically, users are able to download the new operating system and quickly get back to work—but if you use a non-Microsoft product for endpoint detection or antivirus, it can complicate the process.

When a non-Microsoft vendor’s security product is not compatible with a new version of Windows 10, it prevents users from upgrading. This can be confusing for employees, who call the helpdesk for assistance. In addition to facilitating these calls, your team must also run software compatibility testing once a new version of the security software is released. Meanwhile, your company can’t take advantage of the productivity and security features available in the latest version of Windows 10.

To reduce dependencies without compromising security, turn on Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Microsoft Defender ATP helps you protect, detect, and respond to advanced attacks against all your endpoints. Microsoft Defender Antivirus, a Microsoft Defender ATP capability, uses artificial intelligence and machine learning to find and block malware and other viruses. Both solutions are designed to work together and are integrated with Windows 10, which reduces the likelihood of helpdesk calls during the upgrade process.

An image of Microsoft Defender ATP.

3. Empower users to manage their devices

A third driver of helpdesk calls is device management. Any time an employee needs help with a device, such as when they start a new job or want to use a personal device to access email, a helpdesk analyst is often involved. The analyst sets up devices with the appropriate applications and permissions and troubleshoots challenges with access.

As the way we work has changed, people no longer access corporate resources solely from the office using company-provided devices. Reading emails from a coffee shop on a personal phone or reviewing presentations from a tablet makes working more convenient, but it can also introduce security challenges. Employees may not upgrade their devices or apply security patches in a timely manner. They sometimes, unknowingly, download apps with security flaws. Attackers leverage these vulnerabilities to gain access to sensitive company resources.

An image showing how attackers leverage vulnerabilities to gain access to sensitive company resources.

Microsoft Endpoint Manager makes it easier to provision, update, and manage personal and business laptops and mobile devices with support for Windows, macOS, iOS, and Android Enterprise. Integration with Azure AD enables employees to use Microsoft Intune Portal to enroll both corporate-owned and personal devices without helpdesk intervention. Intune automatically installs appropriate apps, or you can allow employees to choose apps through the portal.

With Microsoft Endpoint Manager, you can also enforce security policies on all enrolled devices. For example, you can require that employees use the most current operating system to access corporate resources. You can define PIN requirements or install threat protection software. If users don’t want to enroll their device, mobile app management capabilities let you isolate organizational data from personal data. These policies are defined globally and automatically applied when users register devices, streamlining the process for everyone.

An image showing how Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IoT devices.

Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IoT devices to detect, block, and elevate threats. Consolidate with Microsoft to strengthen security, simplify the user experience, and reduce helpdesk costs.

The post 3 ways Microsoft 365 can help you reduce helpdesk costs appeared first on Microsoft Security.

Microsoft Security: How to cultivate a diverse cybersecurity team

August 31st, 2020

Boost creative problem solving with a diverse cybersecurity team

In cybersecurity, whether we are talking about cryptocurrency mining, supply chain attacks, attacks against IoT, or COVID-19-related phishing lures, we know that gaining the advantage over our adversaries requires greater diversity of data to improve our threat intelligence. If we are to future-proof against bias in tech, however, our teams must also be as diverse as the problems we are trying to solve.

Unfortunately, our cybersecurity teams don’t reflect this reality. A 2019 report by (ISC)2 found that less than 25 percent of cybersecurity professionals are women. People of color and women aren’t paid as well as white men and are underrepresented in management. Time and again, studies have found that gender-diverse teams make better business decisions 73 percent of the time. What’s more, teams that are also diverse in age and geographic location make better decisions 87 percent of the time. With a talent shortfall estimated between 1.5 million and 3.5 million, we must recruit, train, and retain cyber talent from a wide variety of backgrounds in order to maintain our advantage.

Diversity fuels innovation

You can see the evidence that diversity drives innovation when you look at artificial intelligence (AI) and machine learning. The AI capabilities built into Microsoft Security solutions are trained on 8 trillion daily threat signals from a wide variety of products, services, and feeds from around the globe (see Figure 1). Because the data is diverse, AI and machine learning algorithms can detect threats in milliseconds.

A graph showing Microsoft Intelligent Security.

Figure 1: Trillions of signals from around the globe allow Microsoft Security solutions to rapidly detect and respond to threats.

Just last year, the World Economic Forum compiled several studies that provide further evidence that diversity sparks innovation. Cities with large immigrant populations tend to have higher economic performance. Businesses with more diverse management teams have higher revenues. A C-suite with more women is likely to be more profitable. When people with different backgrounds and experiences collaborate, unique ideas can flourish. What’s more, if you want to build technology solutions that are inclusive of everyone, diverse teams help avoid bias and develop features that meet the needs of more people.

So how do you increase the diversity of your team? Expand the pipeline. Invest in your team. And create an inclusive culture.

Expand the pipeline

To recruit the very best people from all backgrounds, start by prioritizing unique perspectives. Machine learning, artificial intelligence, and quantum computing hold promise for addressing cyber threats; however, technology is not enough. Some problems can only be solved by people. You need teams that can anticipate what’s next and respond quickly in high-stress situations.

If everybody on the team has similar skills and backgrounds, you risk groupthink and a lack of creativity. It’s why diverse teams make better decisions than individuals 87 percent of the time (all-male teams only make better decisions than individuals 58 percent of the time).

To attract the diverse talent you need, expand your criteria. Look beyond the typical degrees, experience level, and certifications that you typically recruit for. Leverage training programs that help people acquire the technical skills you need. For example, BlackHoodie is a reverse engineering program for women. Consider people without college degrees, veterans, and people looking to switch careers. Work with colleges and other groups that represent disadvantaged communities, such as historically black colleges and universities.

Invest in your team

Cybersecurity teams around the globe are understaffed, while the amount of work continues to grow. Security operation center (SOC) analysts suffer from alert fatigue because they must monitor thousands of alerts—many of them false positives. Stress levels are high, and individuals work long hours. These work conditions can lead to burnout, which makes people less effective.

Reduce routine tasks with AI, machine learning, and automation. AI, machine learning, and automation can empower your team by reducing the noise, so people can focus on challenging threats that are, frankly, more fun. Azure Sentinel is a cloud-native SIEM that uses state-of-the-art, scalable machine learning algorithms to correlate millions of low-fidelity anomalies to present a few high-fidelity security incidents to analysts. Our research has shown that customers who use Azure Sentinel achieved a 90 percent reduction in alert fatigue.

Figure 2: Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud.

Provide growth opportunities and training. The threat landscape changes rapidly, requiring security professionals to continuously upgrade their skills. Human beings also need new challenges to stay engaged. Provide opportunities for everyone to use creative problem-solving skills. Encourage individuals to learn from each other, such as through an apprenticeship program. Offer regular training for people at all levels of your organization. The Microsoft SOC focuses its training programs on three key areas:

  • Technical tools/capabilities.
  • Our organization (mission and assets being protected).
  • Attackers (motivations, tools, techniques, habits, etc.).

Take care of employees’ mental health. Stress is driving too many people to leave cybersecurity. In fact, stress has motivated 66 percent of IT professionals to look for a new job. Fifty-one percent would be willing to take a pay cut for less stress. Late nights and high-pressure incident response take a toll on employees. In these circumstances, it’s important to respect time off. People should be able to enjoy their days off without worrying about work. A collaborative culture that is forgiving of mistakes can also reduce the pressure. Ask your team how they are doing and really listen when they tell you. Their answers may trigger a great idea for alleviating stress.

Create an inclusive culture

People go where they are invited, but they stay where they are welcome. As you bring new people into your security organization, foster an environment where everybody feels accepted. All ideas should be listened to and considered. People who express ideas that challenge old methods can lead to breakthroughs and creativity. Here are a few ideas for making sure everyone feels included:

  • Solicit input from everybody, so you don’t just hear from those that are comfortable speaking up.
  • Provide mentorship and sponsorship programs for women and other underrepresented groups to help prepare them for advancement.
  • Expand your definition of diversity to include neuroatypical, nonbinary, LGBTQ, religious affiliation, and education level in addition to race and gender.
  • Make a conscious effort to evaluate performance, not communication or presentation style.
  • Hold leadership and vendors accountable for diversity metrics.

As we look past the COVID-19 pandemic, we can expect that cybersecurity challenges will continue to evolve. AI, machine learning, and quantum computing will shape our response, but technology will not be enough. We need creative people to build our products, design our security programs, and respond to threats. We need teams that are as diverse as the problems we face.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security: How to cultivate a diverse cybersecurity team appeared first on Microsoft Security.

Microsoft Security: What cybersecurity skills do I need to become a CISO?

August 31st, 2020 No comments

Build the business skills you need to advance to Chief Information Security Officer

For many cybersecurity professionals, the ultimate career goal is to land a chief information security officer (CISO) job. A CISO is an executive-level position responsible for cyber risk management and operations. But cybersecurity is transforming. Today, a good CISO also must have strong communication skills and a deep understanding of the business. To gain the necessary experience to be considered for a CISO job, you need to understand how the role is evolving and the skills required to excel.

Long before I became a Security Advisor at Microsoft, I started my career as an IT System Administrator. Over time I learned security and worked my way up to CISO, and I have served as a CISO in a variety of companies and industries. I’ve mentored several people interested in accelerating their careers in cybersecurity, and one of the biggest mistakes that you can make in your career in IT and Security is ignoring businesspeople. The more you advance, the more you will need to understand and work with the business. In this blog, I’ll provide tips for helping you get more comfortable in that role.

From technologist and guardian to strategist and advisor

As organizations digitize their products, services, and operations to take advantage of the cloud, their ability to effectively leverage technology has become integral to their success. It has also created more opportunities for cybercriminals. Companies of all sizes have been forced to pay fines, suffered reputational harm, and expended significant resources recovering from an attack. A cyber incident isn’t just a technology risk; it’s a business risk. When making decisions, boards and executive teams now need to evaluate the likelihood of a data breach in addition to financial loss or operational risks. A good CISO helps them do this.

According to research by Deloitte, there are four facets of a CISO: the technologist, the guardian, the strategist, and the advisor. You are probably already familiar with the technologist and guardian roles. As a technologist, the CISO is responsible for guiding the deployment and management of security technology and standards. In the guardian role, the CISO monitors and adjusts programs and controls to continuously improve security.

But technical controls and standards will not eliminate cyberattacks and the CISO does not have control over all the decisions that increase the likelihood of a breach. Therefore the roles of strategist and advisor have taken on greater importance. As a strategist, the CISO needs to align security with business strategy to determine how security investments can bring value to the organization. As an advisor, the CISO helps business owners and the executive team understand cybersecurity risks so that they can make informed decisions. To excel at these roles, it’s important to get knowledgeable about the business, understand risk management, and improve your communication skills.

A graphic showing how to understand risk management, and improve your communication skills.

Acquiring the skills to become a good strategist and advisor

If you are already in the cybersecurity profession and interested in growing into a CISO role, you are probably most comfortable with the technologist and guardian roles. You can elevate your technical skills by trying to get experience and certifications in a variety of areas, so that you understand threat analysis, threat hunting, compliance, ethical hacking, and system auditing, but also find time to work on the following leadership skills.

  • Understand the business: The most important step you can take to prepare yourself for an executive-level role is to learn to think like a businessperson. Who are your customers? What are the big opportunities and challenges in your industry? What makes your company unique? What are its weaknesses? What business strategies drive your organization? Pay attention to corporate communications and annual reports to discover what leadership prioritizes and why they have made certain decisions. Read articles about your industry to get a broader perspective about the business environment and how your company fits in. This research will help you make smarter decisions about how to allocate limited resources to protect company assets. It will also help you frame your arguments in a way the business can hear. For example, if you want to convince your organization to upgrade the firewall, they will be more convinced if you can explain how a security incident will affect the company’s relationship with customers or investors.
  • Learn risk management: Smart companies routinely take strategic risks to advance their goals. Businesses seize opportunities to launch new products or acquire a competitor that will make them more valuable in the market. But these decisions can result in failure or huge losses. They can also put the company at risk of a cyberattack. Risk management is a discipline that seeks to understand the upsides and downsides of action and eliminate or mitigate risks if possible. By comparing the likelihood of various options, the return on investment if the venture is successful, and the potential loss if it fails, managers can make informed decisions. CISOs help identify and quantify the cybersecurity risks that should be considered alongside financial and operational risks.
  • Improve your communication skills: To be a good advisor and strategist, you will need to communicate effectively with people with a variety of agendas and backgrounds. One day you’ll need to coach a very technical member of your team, the next you may need to participate in a business decision at the executive level or even be asked to present to the board of directors. A communication plan can help you refine your messages for your audience. To begin practicing these skills now, try to understand the goals of the people you talk to on a regular basis. What are their obstacles? Can you frame security communications in terms that will help them overcome those challenges? Take a moment to put yourself in someone else’s shoes before meetings, hallway conversations, emails, and chats. It can make a real difference!

A good communication plan delivers targeted security messages: A chart showing a good communication plan.

In recent years, the role of the CISO has been elevated to that of a senior executive whom the board counts on for strategic security advice. In fact, we should rename the position Chief Influencer Security Officer! Building leadership skills like risk management and communication will help you step into this increasingly important role.

As you embark on the career journey to CISO, it is always good to get a perspective from other CISOs in the industry and hear the lessons they have learned. Please feel free to listen to the podcast on my journey from System Administrator to CISO and watch our CISO spotlight episodes, where our Microsoft CISO talks about how to present to the board of directors along with other tips and lessons learned.

 

The post Microsoft Security: What cybersecurity skills do I need to become a CISO? appeared first on Microsoft Security.

Rethinking IoT/OT Security to Mitigate Cyberthreats

August 26th, 2020 No comments

We live in an exciting time. We’re in the midst of the fourth industrial revolution—first steam, followed by electricity, then computers, and, now, the Internet of Things.

A few years ago, IoT seemed like a futuristic concept that was on the distant horizon. The idea that your fridge would be connected to the internet, constantly uploading and downloading data and ordering things on its own, like new filters or groceries, seemed laughable. Why would anyone want or need such a thing?

Now, IoT and other embedded and operational technologies (OT) are far more pervasive in our lives than anyone could have imagined. Robotics, chemical and pharmaceutical production, power generation, oil production, transportation, mining, healthcare devices, building management systems, and seemingly everything else is becoming part of a smart, interconnected, machine-learning powered system. Machines can now monitor themselves, diagnose problems, and then reconfigure and improve based on the data.

The threat is real

It’s an exciting time, but it’s also an alarming time, especially for CISOs (Chief Information Security Officers) working diligently to employ risk mitigation and keep their companies secure from cyberthreats. Billions of new IoT devices go online each year, and as these environments become more connected with digitization initiatives, their attack surfaces grow.

From consumer goods to manufacturing systems to municipal operations like the power grid, it all needs data protection. The threat is very real. Take the Mirai botnet hack, for example: 150,000 cameras were hacked and turned into a botnet that blocked internet access for large portions of the US. We have also seen destructive and rapidly spreading ransomware attacks, like NotPetya, cripple manufacturing and port operations around the globe. However, existing IT security solutions cannot solve those problems due to the lack of standardized network protocols for such devices and the inability to certify device-specific products and deploy them without impacting critical operations. So, what exactly is the solution? What do people need to do to resolve the IoT security problem?

Working to solve this problem is why Microsoft has joined industry partners to create the Open Source Security Foundation as well as acquired IoT/OT security leader CyberX. This integration between CyberX’s IoT/OT-aware behavioral analytics platform and Azure unlocks the potential of unified security across converged IT and industrial networks. And, as a complement to the embedded, proactive IoT device security of Microsoft Azure Sphere, CyberX IoT/OT provides monitoring and threat detection for devices that have not yet upgraded to Azure Sphere security. Used together, CyberX and Azure Sphere can give you visibility to what’s happening in your environment while actively preventing exploitation of your connected equipment. The goal is to achieve the mission of securing every unmanaged device to help protect critical operations.

Both Microsoft and CyberX have managed to help protect a large number of enterprises around the world—including leading organizations in manufacturing, pharmaceuticals and healthcare, power utilities, oil and gas companies, data centers, and more, at a global scale.

This success is due to taking a completely different approach: an innovative solution that prioritizes ease of deployment and use and is custom-built for OT and industrial control systems. So, what do you need to do that?

Let’s sit in a plant. Imagine that the process keeps on running, so from an operational perspective, all is fine. But even if operations are moving smoothly, you don’t know if someone is trying to hack your systems, steal your IP, or disrupt your day-to-day processes—you wouldn’t know that until the processes are disrupted, and by then, it’s too late.

To catch these threats, you need to understand what you have, understand the process interaction, validate access to the resources, and understand root cause analysis from other breaches. From a technology perspective, to gain this level of understanding, you need automated and intelligent asset visibility, behavioral analytics capable of understanding OT/IoT behavior, vulnerability management, and threat hunting. To defend against these threats, you will want to deploy an IoT device security solution that implements critical security properties, including defense in depth, error reporting, and renewable security, that will help keep your connected devices and equipment protected over time.

Where to go from here

For any business looking to learn more about IoT/OT security, a good place to start is by downloading CyberX’s global IoT/ICS risk report. This free report provides a data-driven analysis of vulnerabilities in our Internet of Things (IoT) and industrial control systems (ICS) infrastructure.

Based on data collected in the past 12 months from 1,821 production IoT/ICS networks—across a diverse mix of industries worldwide—the analysis was performed using passive, agentless monitoring with patented deep packet inspection (DPI) and Network Traffic Analysis (NTA). The data shows that IoT/ICS environments continue to be soft targets for adversaries, with security gaps in key areas such as:

  • Outdated operating systems
  • Unencrypted passwords
  • Remotely accessible devices
  • Unseen indicators of threats
  • Direct internet connections

To learn more about protecting your critical equipment and devices with layered and renewable security, we recommend reading The seven properties of highly secured devices. To understand how these properties are implemented in Azure Sphere, you can download The 19 best practices for Azure Sphere.

These are key resources for any businesses looking to increase their IoT security and help mitigate cyberthreats to their organization’s systems and data.

Learn more

Tackling the IoT security threat is a big, daunting project, but Microsoft is committed to helping solve it through innovation and development efforts that empower businesses across the globe to operate more safely and securely.

To learn more about protecting your critical equipment and devices with layered and renewable security, reach out to your Microsoft account team. We also recommend reading The seven properties of highly secured devices.

The post Rethinking IoT/OT Security to Mitigate Cyberthreats appeared first on Microsoft Security.

How do I implement a Zero Trust security model for my Microsoft remote workforce?

August 24th, 2020 No comments

Digital empathy should guide your Zero Trust implementation

Zero Trust has always been key to maintaining business continuity. And now, during the COVID-19 pandemic, it’s become even more important for helping enable the largest remote workforce in history. While organizations are empowering people to work securely when, where, and how they want, we have found the most successful are the ones who are also empathetic to the end-user experience. At Microsoft, we refer to this approach as digital empathy. As you take steps to protect a mobile workforce, a Zero Trust strategy grounded in digital empathy will help enhance cybersecurity, along with productivity and collaboration too.

This was one of a few important topics that I recently discussed during a cybersecurity fireside chat with industry thought leader, Kelly Bissell, Global Managing Director of Security Accenture. Accenture, one of Microsoft’s most strategic partners, helps clients use Microsoft 365 to implement a Zero Trust strategy that is inclusive of everyone. “How do we make working from home both convenient and secure for employees during this time of constant change and disruption,” has become a common question both Kelly and I hear from organizations as we discuss the challenges of maintaining business continuity while adapting to this new world—and beyond. I encourage everyone to explore these points more deeply by watching my entire conversation with Kelly.

Our long-term Microsoft-Accenture security relationship helps customers navigate the current environment and emerge even stronger as we look past the pandemic. The following are some of the key steps shared during our conversation that you can take to begin applying digital empathy and Zero Trust to your organization.

Protect your identities with Azure Active Directory

Zero Trust is an “assume breach” security posture that treats each request for access as a unique risk to be evaluated and verified. This starts with strong identity authentication. Azure Active Directory (Azure AD) is an identity and secure access management (IAM) solution that you can connect to all your apps including Microsoft apps, non-Microsoft cloud apps, and on-premises apps. Employees sign in once using a single set of credentials, simplifying access. To make it even easier for users, deploy Azure AD solutions like passwordless authentication, which eliminates the need for users to memorize passwords. Multi-factor authentication (MFA) is one of the most important things you can do to help secure employee accounts, so implement MFA for 100 percent of your users, 100 percent of the time.

According to a new Forrester report, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, customers who secure apps with Microsoft Azure Active Directory can improve user productivity, reduce costs, and gain IT efficiencies to generate a 123 percent return on investment.

Secure employee devices

Devices present another opportunity for bad actors to infiltrate your organization. Employees may run old operating systems or download vulnerable apps on their personal devices. With Microsoft Endpoint Manager, you can guide employees to keep their devices updated. Conditional Access policies allow you to limit or block access to devices that are unknown or don’t comply with your security policies.

An endpoint detection and response (EDR) solution like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you detect attacks and automatically block sophisticated malware. Each Microsoft Defender ATP license covers up to five devices per user.

Discover and manage cloud apps

Cloud apps have proliferated in today’s workplace. They are so easy to use that IT departments are often not aware of which cloud apps their employees access. Microsoft Cloud App Security is a cloud app security broker (CASB) that allows you to discover all the apps used in your network. Cloud App Security’s risk catalog includes over 16,000 apps that are assessed using over 80 risk factors. Once you understand the risk profile of the apps in your network, you can decide for each app whether to allow access, block access, or onboard it to Azure AD.

Employees are busy in the best of times. Today, with many working from home for the first time—often in a full house—their stress may be compounded. By simplifying the sign-in process and protecting data on apps and devices, Microsoft 365 security solutions like Azure AD, Microsoft Defender ATP, and Cloud App Security make it easier for employees to work remotely while improving security for the organization.

Digital empathy and Zero Trust are also two of the five security paradigm shifts that will lead to more inclusive user experiences. Next month, I will provide more details about two additional paradigm shifts: the diversity of data and integrated security solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow Ann Johnson @ajohnsocyber for Microsoft’s latest cybersecurity investments and @MSFTSecurity for the latest news and updates on cybersecurity.

The post How do I implement a Zero Trust security model for my Microsoft remote workforce? appeared first on Microsoft Security.
