Archive for the ‘Azure Security’ Category

Azure Active Directory empowers frontline workers with simplified and secure access

January 13th, 2021

Howdy folks,

The past year has shown us all just how critical frontline workers are to our communities and our economy. They’re the people behind the counter, in the call centers, in hospital ICUs, on the supermarket floor—doing the critical work that makes the difference in feeding our families, caring for the sick, and driving the long-tail economy. Frontline workers account for over 80 percent of the global workforce—two billion people worldwide. Yet because of high scale, rapid turnover, and fragmented processes, frontline workers often lack the tools to make their demanding jobs a little easier.

We believe identity is at the center of digital transformation and the key to democratizing technology for the entire frontline workforce including managers, frontline workers, operations, and IT. This week at the National Retail Federation (NRF) tradeshow, we announced several new features for frontline workers. Building on this announcement, I’m excited to dive into three generally available Azure Active Directory features that empower frontline workers:

1. Streamline common IT tasks with My Staff

Azure Active Directory provides the ability to delegate user management to frontline managers through the My Staff portal, helping save valuable time and reduce security risks. By enabling simplified password resets and phone management directly from the store or factory floor, managers can grant access to employees without routing the request through the helpdesk, IT, or operations.

Figure 1: Delegated user management in the My Staff portal

2. Accelerate onboarding with simplified authentication

My Staff also enables frontline managers to register their team members’ phone numbers for SMS sign-in. In many verticals, frontline workers maintain a local username and password—a cumbersome, expensive, and error-prone solution. When IT enables authentication using SMS sign-in, frontline workers can log in with single sign-on (SSO) for Microsoft Teams and other apps using just their phone number and a one-time passcode (OTP) sent via SMS. This makes signing in for frontline workers simple and secure, delivering quick access to the apps they need most.

Figure 2: SMS sign-in

Additional layers of Conditional Access enable you to control who is signing in using SMS, allowing for a balance of security and ease of use.

3. Improve security for shared devices

Many companies use shared devices so frontline workers can do inventory management and point-of-sale transactions—without the IT burden of provisioning and tracking individual devices. With shared device sign out, it’s easy for a firstline worker to securely sign out of all apps and web browsers on any shared device before handing it back to a hub or passing it off to a teammate on the next shift. You can choose to integrate this capability into all your line-of-business iOS and Android apps using the Microsoft Authentication Library.

Figure 3: Shared device sign-out screen

Additionally, you can use Microsoft Endpoint Manager to set up and customize how frontline workers use shared devices, with three new preview features for provisioning, setting up device-based Conditional Access policies, and customizing the sign-in experience with Managed Home Screen.

Looking ahead

Working in partnership with our customers, we’re committed to bringing you purpose-built frontline capabilities that deliver secure identity and access that is tailored to your needs and environment. We’ll continue to innovate in 2021, adding features that simplify work, bring people together, and help organizations of all sizes achieve more.

To learn more about Microsoft Identity solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on cybersecurity.

The post Azure Active Directory empowers frontline workers with simplified and secure access appeared first on Microsoft Security.

Categories: Azure Security, cybersecurity

Forcepoint and Microsoft: Risk-based access control for the remote workforce

January 4th, 2021

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here.

Adopting cloud-based services as part of an organization’s digital transformation strategy is no longer optional; it’s a necessity. Last year, only 18 percent of the workforce worked remotely full-time. Today, companies have been forced to accelerate their digital transformation efforts to ensure the safety and well-being of employees. At the same time, organizations cannot afford to sacrifice productivity for the sake of security. With the massive move to online experiences and remote working comes a new set of challenges—how do you ensure your data, your network, and your employees stay secure, wherever they are?

Forcepoint has integrated with Azure Active Directory (Azure AD) to enhance existing Conditional Access capabilities by orchestrating change in authentication policies dynamically so that every user authenticates with steps aligned to their risk score. Active sessions can be terminated upon risk score increase so that users must re-authenticate using an enhanced sequence of challenges, and users can be temporarily blocked in the case of high risk. Forcepoint risk scores, combined with Azure AD risk, are calculated based on the user’s context, such as location or IP, to help automatically and accurately prioritize the riskiest users. The joint solution enables administrators to protect critical data and leverage the power of automation to prevent data compromise and exfiltration from occurring. By combining the power of Azure AD with Forcepoint security solutions, organizations can scale a risk-adaptive approach to identity and access management and cloud application access without changing their existing infrastructure.

People are the perimeter

Before COVID-19, in our 2020 Forcepoint Cybersecurity Predictions and Trends report, we detailed the shifting emphasis to a “cloud-first” posture by public and private sector organizations alike. There was, and still is, a clear need for organizations to expand their view of network security and begin to understand that their people are the new perimeter. Today, more than ever, it is imperative for businesses to comprehend and to manage the interaction between their two most valuable assets—their people and their data.

Human-centric cybersecurity is about focusing on not just individuals, but how their behaviors evolve over time. Forcepoint risk scores are designed to continuously calculate the level of risk associated with individual behavior in the past, present, and future. Most organizations today will adopt blanket policies to improve their security posture. Even though policies for individuals may have some level of flexibility, most tend to apply policies to all users within a group—regardless of the individual risk profile. This results in unnecessarily complicated steps for low-risk users accessing common applications, and weak authentication challenges for privileged users logging into critical systems. In short, these implementations are likely frustrating your low-risk users by creating barriers to productivity and allowing high-risk users to fly under the radar.

Forcepoint’s mission is to provide enterprises with the tools needed to understand and quickly assess the risk levels of human behavior across their networks and endpoints and take automated action by implementing risk adaptive protection. We offer a portfolio of security solutions designed to quickly and continuously assess the potential of compromised user risk and automatically apply the appropriate protective measures.

Forcepoint + Azure Active Directory = Better together

Forcepoint has partnered with the Azure Active Directory team on a series of integrations designed to provide remote workers secure access to their cloud and legacy on-premises applications. Together, our integrated solutions combine the risk score calculated by Forcepoint’s Cloud Access Security Broker (CASB) with Azure AD to apply the appropriate Conditional Access policies tailored to each individual user’s risk.

Learn more about the Forcepoint products that integrate with Microsoft Azure, including the technical implementation and demonstrations of how Forcepoint risk adaptive protection influences the conditional access policies of a potentially compromised user:

Give your organization the control it needs to protect critical assets and data by combining Forcepoint with the power of Azure AD today.

About Forcepoint

Forcepoint is a leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with networks, data, and systems. Forcepoint provides secure access solutions without compromising employee productivity. For more information, visit

Forcepoint is a member of the Microsoft Intelligent Security Association.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Forcepoint and Microsoft: Risk-based access control for the remote workforce appeared first on Microsoft Security.

A “quick wins” approach to securing Azure Active Directory and Office 365 and improving your security posture

December 17th, 2020

In the last post, we discussed Office 365 and how enabling certain features without understanding all the components can lead to a false sense of security. We demonstrated how implementing a break glass account, multi-factor authentication (MFA), and the removal of legacy authentication can help secure your users and point your organization’s security posture in the right direction. While implementing those controls is an excellent start to hardening your environment, it is just the beginning. Read that blog here.

Security is critical, and any way that we can expedite threat prevention is highly welcomed. What if there was a way to get into a more secure state quickly? How much time would this give you back to focus your attention on other tasks like actual customers (user base, clients)?

Do you wish there was a quick approach for security configurations in Azure Active Directory (Azure AD) and Office 365? I know I do, and thankfully we have some options here, and they are Secure Score and security defaults. Many of our customers are not aware that these features exist, or if they are aware, they fail to take advantage of using them.

“This blog post will provide an overview of Microsoft Secure Score and security defaults—two features that are easy to utilize and can significantly improve your security in Azure AD and Office 365 configurations.” 

What is Microsoft Secure Score? I am glad you asked

Microsoft Secure Score is a measurement developed to help organizations understand where they are now and the steps needed to improve their security posture. Microsoft Secure Score summarizes the different security features and capabilities currently enabled and provides you with the ability to compare your Score with other companies like yours and identify recommendations for areas of improvement.

Figure 1: Microsoft Secure Score screen image

How does Secure Score help organizations?

Secure Score provides recommendations for protecting your organization from threats. Secure Score will:

  • Objectively measure your identity security posture.
  • Plan for security improvements.
  • Review the success of your improvements.
  • The Score can also reflect third-party solutions that have been implemented and have addressed recommended actions.
  • The Secure Score reflects new services, thus keeping you up to date with new features and security settings that should be reviewed and may require action on your part.

How is the Score determined?

Secure Score compares your organization’s configuration against anonymous data from other organizations with similar features to your organization, such as company size. Each improvement action is worth ten points or less, and most are scored in a binary fashion. If you implement the improvement action, such as requiring MFA for Global Administrators, creating a new policy, or turning on a specific setting, you get 100 percent of the points. For other improvement actions, points are given as a percentage of the total configuration.

For example, an improvement action states you get ten points by protecting all your users with multi-factor authentication. You only have 50 of 100 total users protected, so you would get a partial score of five points.

Additionally, your score will drop if routine security tasks are not completed regularly or when security configurations are changed. It will provide directions to the security team about what has changed and the security implications of those changes.

What are security defaults?

Security defaults, a one-click method for enabling basic identity security in an organization, are pre-configured security settings that help defend organizations against frequent identity-related attacks, such as password spray, replay, and phishing. Some of the critical features of security defaults include:

  • Requiring all users to register for Azure AD Multi-Factor Authentication (MFA) using the Microsoft Authenticator app.
  • Requiring administrators to perform multi-factor authentication.
  • Blocking legacy authentication protocols.
  • Requiring users to perform multi-factor authentication when necessary.
  • Protecting privileged activities like access to the Azure portal.

When should you use security defaults?

Use security defaults in the following cases:

  • If you want to increase the overall security posture and don’t know how or where to start, security defaults are for you.
  • If you are using the free tier of Azure Active Directory licensing, security defaults are for you.

How is the Score determined?

Microsoft Secure Score has recently added improvement actions to support security defaults in Azure Active Directory, making it easier to help protect your organization with pre-configured security settings for frequent attack vectors.

When you turn on security defaults, you will be awarded full points for the following improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access (nine points).
  • Require MFA for administrative roles (ten points).
  • Enable policy to block legacy authentication (seven points).

Get Started with Microsoft Secure Score and security defaults

Microsoft organizes Secure Score improvement actions into groups to help you focus on what you need to address for your organization:

  • Identity (Azure AD accounts and roles).
  • Data (Microsoft Information Protection).
  • Device (Microsoft Defender ATP, known as Configuration score).
  • Application (email and cloud apps, including Office 365 and Microsoft Cloud App Security).
  • Infrastructure (no improvement actions for now).

Secure Score

  • Start by logging into your Secure Score.
  • View your scores and where you need to improve.
  • Export all recommendations for your organization and turn this into an attack plan.
  • Prioritize the recommendations you will implement over the next 30, 60, 90, and 180 days.
  • Pick the tasks that are priorities for your organization and work these into your change control processes.

Security defaults

  • Start by logging in to your Azure portal as a security administrator, Conditional Access administrator, or global administrator.
  • Browse to Azure Active Directory, and then Properties.
  • Select Manage security defaults.
  • Set the Enable security defaults toggle to Yes.
  • Select Save.

Figure 2: Enabling security defaults

Security enhancements keep coming to Microsoft’s Cloud stack, so be sure you check your Secure Score weekly. As the days go by and new security settings appear, your Secure Score will reflect these changes. It is critical to check back often to ensure you are addressing any further recommendations.

Bumps in the road

Microsoft Secure Score and security defaults are straightforward ways to evaluate and improve the security of your Azure AD and Office 365 configurations. Security defaults help implement industry recommended practices, while Microsoft Secure Score creates a hands-on interface that simplifies the ongoing process of security assessment and improvement.

Our upcoming blog will explore the necessary built-in Azure tooling and open-source options that an organization can employ during investigative scenarios.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A “quick wins” approach to securing Azure Active Directory and Office 365 and improving your security posture appeared first on Microsoft Security.

New cloud-native breadth threat protection capabilities in Azure Defender

December 10th, 2020

As the world adapts to working remotely, the threat landscape is constantly evolving, and security teams struggle to protect workloads with multiple solutions that are often not well integrated nor comprehensive enough. This results in serious threats avoiding detection, as well as security teams suffering from alert fatigue.

Azure Defender helps security professionals with an integrated experience to meet your cloud workload protection needs spanning virtual machines, SQL, storage, containers, IoT, Azure network layer, Azure Key Vault, and more.

Today we are excited to announce we are adding two new protections with the preview of Azure Defender for Resource Manager and Azure Defender for DNS, cloud-native breadth threat protection solutions. These new protections continue to improve your resiliency against attacks from bad actors and increase the number of Azure resources protected by Azure Defender significantly.

Azure Defender for Resource Manager

Azure Resource Manager is the deployment and management service for Azure. It enables the creation and updating of all resources in your Azure account, with features like access control, locks, and tags.

The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it is also a potential target for attackers. Consequently, we recommend security operations teams monitor the Resource Manager layer closely.

Azure Defender for Resource Manager will automatically monitor all resource management operations performed in your organization whether they are performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender runs advanced security analytics to detect threats and alert you when suspicious activity occurs.

Figure 1: Azure Defender for Resource Manager monitors resource management operations to protect your Azure environment.

Azure Defender for Resource Manager protects against issues including:

  • Suspicious resource management operations, such as operations from suspicious IP addresses, disabling antimalware and suspicious scripts running in virtual machine extensions.
  • Use of exploitation toolkits like Microburst or PowerZure.
  • Lateral movement from the Azure management layer to the Azure resources data plane.

Learn more about Azure Defender for Resource Manager.

Azure Defender for DNS

Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources and running advanced security analytics to alert you when suspicious activity is detected.

Azure Defender for DNS protects against issues including:

  • Data exfiltration from your Azure resources using DNS tunneling.
  • Malware communicating with a command and control server.
  • Communication with malicious domains, such as those used for phishing and crypto mining.
  • DNS attacks—communication with malicious DNS resolvers.

Learn more about Azure Defender for DNS.

Get started for free today

Protect your entire Azure environment with a few clicks and enable Azure Defender for Resource Manager and Azure Defender for DNS. Both offerings are free during the preview period. Turn Azure Defender on now.

To learn more about Microsoft Security solutions and our Integrated Threat protection solution visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post New cloud-native breadth threat protection capabilities in Azure Defender appeared first on Microsoft Security.

Deliver productive and seamless user experiences with Azure Active Directory

December 7th, 2020

Several months into the COVID-19 pandemic, many of us are still working remotely, and our organizations are still adjusting. Top of mind for every IT leader in this current landscape is meeting users’ needs for seamless access to resources while safeguarding the business from cyber threats. The highest priority for identity decision-makers, according to a recent study commissioned by Microsoft, is enabling highly productive user experiences.

I recently participated in a webcast on this topic with Rob O’Regan, global content director of IDG, and Bob Bragdon, senior vice president and managing director at CSO. We discussed the security perimeter of remote work and how a security strategy with identity at its foundation both reduces risk and improves productivity. You can watch the full webcast here. I’ve summarized my takeaways from the discussion below.

Identity is the foundation for your Zero Trust security strategy

Even before so many people started working from home earlier this year, the traditional corporate network perimeter had disappeared. People were already getting their work done using a variety of devices and software as a service (SaaS) applications. Boundaries hindering digital collaboration were falling away. During this shift, identity became the control plane for security, because it provides effective access control to all digital resources for all users, including users who may be partners, customers, or even devices or bots. Identity solutions also give IT managers visibility into their entire digital estate.

In our interconnected world, relying on the old paradigm of corporate firewalls and VPNs isn’t an effective approach to enabling and securing remote work. That’s why many organizations accelerated their digital transformation plans once COVID hit. For organizations like these, Zero Trust—with identity as the foundation—represents a stronger security strategy, as well as a worldview more in line with current times. It replaces the assumption that everything behind the corporate firewall is safe and trustworthy with three simple principles: verify explicitly, use least-privileged access, and assume breach. A Zero Trust approach validates all touchpoints in a system—identities, devices, and services—before considering them trustworthy.

Seamless access to applications improves employee productivity

A good first step away from traditional perimeter-based defenses and toward an identity-based security framework is connecting all your apps to a single cloud identity solution like Azure Active Directory (Azure AD). This allows your employees to sign in to all their work apps with one set of credentials using single sign-on (SSO). Through centralized experiences like the My Apps portal, they can easily discover and access all the applications they need, including Office 365 apps; SaaS apps, including Adobe, ServiceNow, and Workday; on-premises apps; and even custom-built line-of-business apps.

Getting secure access to apps doesn’t have to be a cumbersome experience that sacrifices workforce productivity. Take passwords, one of the biggest roadblocks to secure and productive access. For years, the security community has told users to create a unique and complex password for each account—and to change their passwords frequently. But, to make their lives easier, people often reuse passwords or choose ones that are easy to remember, which makes them easy for attackers to guess. Passwordless technology is more user friendly and secure than traditional account access models.

Unifying access management with a single cloud identity solution reduces costs

Companies dealing with pandemic-induced budget constraints are seeking efficiencies. A survey we ran earlier this year found that customers have, on average, up to nine identity solutions, all from separate vendors. As you can imagine, running multiple disparate solutions is not only complicated but also expensive.

Earlier this year, we commissioned a study with Forrester to analyze the economic benefits of securing all users, devices, and apps using a single identity solution. The results: customers who secure all their apps with Azure AD can achieve an ROI of 123 percent by retiring on-premises infrastructure, preventing data breaches, and reducing helpdesk costs.

Users also benefit since they no longer have to navigate different identity systems or sign in separately to every application. In fact, Forrester estimated that using a single identity solution saves each employee 10 minutes a week on average, which amounts to almost nine hours a year per employee.

A cloud-based identity solution offers unique security benefits

When you use a cloud-based identity solution, cloud-based intelligence helps protect your users against account compromise. Every day, Microsoft machine learning algorithms work behind the scenes to identify risky activities and compromised users by combing through over 170 terabytes of data, including signals from billions of monthly authentications across Azure AD and Microsoft accounts.

Our Azure AD Identity Protection solution, with real-time continuous detection, can alert you to suspicious sign-in behavior and automatically respond to prevent the abuse of compromised identities. For example, it detects “impossible travel,” which happens when the same user account attempts to sign in from different physical locations in a time period too short to accommodate physical travel from one location to the other. Depending on the policy you set, the system can invoke a password reset or require multifactor authentication, and revoke all existing access tokens. But you can only strengthen your security posture with these detections and automated remediations—especially as the threat landscape evolves—if your identities are in the cloud.
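The "impossible travel" idea can be sketched over sign-in records as follows. This is an added example, not Microsoft's detection logic and not code from the original post; the sign-in records, the 900 km/h speed ceiling, and the 100 km minimum distance are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-ins (not real log data): user, UTC time, latitude, longitude.
SIGN_INS = [
    ("alice@example.com", "2020-12-07T08:00:00", 47.61, -122.33),  # Seattle
    ("alice@example.com", "2020-12-07T09:30:00", 51.51, -0.13),    # London, 90 minutes later
    ("bob@example.com",   "2020-12-07T08:00:00", 40.71, -74.01),   # New York
    ("bob@example.com",   "2020-12-07T20:00:00", 34.05, -118.24),  # Los Angeles, 12 hours later
    ("carol@example.com", "2020-12-07T08:00:00", 47.61, -122.33),  # Seattle
    ("carol@example.com", "2020-12-07T08:00:10", 47.65, -122.30),  # ~5 km away: geolocation jitter
    ("dave@example.com",  "2020-12-07T08:00:00", 35.68, 139.69),   # Tokyo
    ("dave@example.com",  "2020-12-07T08:00:00", -33.87, 151.21),  # Sydney, same instant
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0    # assumed floor: ignore small moves caused by imprecise IP geolocation
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive sign-ins per user whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))

    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])  # compare each sign-in with the previous one in time
        for (t1, lat1, lon1), (t2, lat2, lon2) in zip(rows, rows[1:]):
            km = haversine_km(lat1, lon1, lat2, lon2)
            if km < min_km:
                continue  # too close to be meaningful, whatever the elapsed time
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous sign-ins from distant places imply unbounded speed.
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_kmh:
                findings.append({"user": user, "km": km, "kmh": kmh, "from": t1, "to": t2})
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(SIGN_INS):
        print(f"{f['user']}: {f['km']:.0f} km at {f['kmh']:.0f} km/h "
              f"between {f['from']} and {f['to']}")
```

A finding here is only a signal; in line with the policy options the post lists, the response to it would be a step-up challenge or password reset rather than an automatic verdict, since VPN egress points and mobile carriers can also produce distant locations.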

Watch the full webcast with IDG

To learn more about how an identity-based framework reduces risk and improves productivity, be sure to watch the full webcast, then visit our secure access webpage to get started.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Deliver productive and seamless user experiences with Azure Active Directory appeared first on Microsoft Security.

Azure Sentinel achieves a Leader placement in Forrester Wave, with top ranking in Strategy

December 1st, 2020

I’m thrilled to announce Forrester Research has named Microsoft Azure Sentinel as a “Leader” in The Forrester Wave™: Security Analytics Platform Providers, Q4 2020. When we released Azure Sentinel almost a year ago—the industry’s first cloud-native SIEM on a major public cloud—our goal was to provide a new, innovative approach to help organizations modernize security operations. We’ve been excited and humbled to see enthusiastic adoption across verticals like IT, financial services, e-commerce, big data, and other industries. It’s been particularly fulfilling to work alongside many of you to see the unique ways that Azure Sentinel can improve your security operations.

The Forrester Wave, Security Analytics Platforms

Today—and this year more than ever—security operations centers (SOCs) are being asked to do more with less, all while protecting a decentralized digital estate. We’re honored that in this time of transformative change, Azure Sentinel can help security teams achieve this goal.

The Azure Sentinel vision

We are especially honored to see that Azure Sentinel received the top ranking in the “Strategy” category because one of our core values is to enable SecOps teams to do more with less by offering a different path forward than traditional, on-premises SIEMs. The key lies in Azure Sentinel’s cloud-native nature. For many of our customers, moving to the cloud has been a transformative change. At Avanade, for example, moving to Azure Sentinel enabled the security team to shift their focus from on-premises management and instead spend time on strategic work to make their organization safer. As a cloud-native SIEM, Azure Sentinel makes it easy to deploy, scale, and use. You can collect, correlate, and analyze data across users, devices, applications, and infrastructure at cloud scale—on premises and in multiple clouds. And instead of investing time and money into inflexible infrastructure, you only pay for the resources you need.

Most importantly, by eliminating the infrastructure and maintenance of an on-premises SIEM, you empower your team to focus on what’s most important: protecting your organization.

Azure Sentinel helps you detect and investigate threats more efficiently by harnessing AI. Azure Sentinel uses a technique called Fusion to find threats that fly under the radar by combining low fidelity, “yellow” anomalous activities into high fidelity “red” incidents. Fusion combines data from disparate data sets across both Microsoft and partner data sources, then uses graph-based machine learning and a probabilistic kill chain to produce high-fidelity alerts. This process reduces alert fatigue by 90 percent, ensuring that SecOps teams are only spending time on real, actionable alerts. And with integrated automation, it further optimizes your team’s time by automating responses to common tasks.

With these innovations, we’ve helped our customers protect their organizations more efficiently—like at ASOS, where the SecOps team cut issue resolution times in half, or at ABM Industries, where the security team reduced the number of alerts they analyze by 50 percent.

Our goals are not just limited to transforming the SIEM market. In September, we shared our vision for how organizations can fight threats in today’s complex landscape with integrated SIEM and Extended Detection and Response (XDR) from a single vendor. With this combination, you get the best of both worlds—end-to-end threat visibility across all your resources; correlated, prioritized alerts based on Microsoft’s deep understanding of specific resources with AI that stitches that signal together; and coordinated action across the organization. That’s why we’ve optimized Azure Sentinel for ease of integration across Microsoft products, provide many sources of Microsoft 365 data ingestion for free, and have recently launched a Microsoft 365 data grant benefit to help you realize even more value from integrated security.

Just getting started

We’re constantly working with partners and customers on ways to improve Azure Sentinel—and we’re only just getting started. Here are just a few of the innovations we announced at Microsoft Ignite 2020:

  • User and Entity Behavioral Analytics (UEBA), to pinpoint unknown and insider threats.
  • The ability to build your own ML models.
  • Threat Intelligence improvements, including threat indicator management.
  • Watchlists to eliminate time-consuming manual analysis of external data sources, enabling you to correlate security events with other non-security data sources.
  • Many new connectors to simplify data collection.

We have no plans to slow down. With innovations still to come, the best days of Azure Sentinel are still ahead of us.

In the meantime, Azure Sentinel’s performance in the Forrester Wave is an encouraging sign that we’re on the right track with our journey to streamline and strengthen your security—eliminating the complexity of an on-premises infrastructure, saving costs, and enabling SecOps to be more efficient than ever.

To all our customers, thanks for coming with us on this journey. Keep the feedback coming—Eric

Click here to read a courtesy copy of The Forrester Wave™: Security Analytics Platform Providers, Q4 2020.

If you’re ready to get started with Azure Sentinel, we invite you to sign up for a trial today.

With integrated SIEM and XDR, you get the best of both worlds. To help you take advantage of this integrated security approach, Microsoft is currently running an Azure Sentinel benefit for Microsoft 365 E5 customers.

From November 1, 2020, through May 1, 2021, Microsoft 365 E5 and Microsoft 365 E5 Security customers can get Azure credits for the cost of up to 100MB per user per month of included Microsoft 365 data ingestion into Azure Sentinel. Data sources included in this benefit include:

  • Azure Active Directory (Azure AD) sign-in and audit logs.
  • Microsoft Cloud App Security shadow IT discovery logs.
  • Microsoft Information Protection logs.
  • Microsoft 365 advanced hunting data (including Microsoft Defender for Endpoint logs).

With these credits, a standard 3,500 seat deployment can see estimated savings of up to $1,500 per month. This offer is available to new and existing customers who have Enterprise (EA) or Enterprise Subscription (EAS) Agreements and Enrollments, and you can begin accruing credits in your first month of eligibility. You can learn more about the offer here.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The post Azure Sentinel achieves a Leader placement in Forrester Wave, with top ranking in Strategy appeared first on Microsoft Security.

Go inside the new Azure Defender for IoT including CyberX

November 25th, 2020 No comments

In 2020, the move toward digital transformation and Industry 4.0 took on new urgency with manufacturing and other critical infrastructure sectors under pressure to increase operational efficiency and reduce costs. But the cybersecurity model for operational technology (OT) was already shown to be lacking before the pandemic. A series of major cyberattacks across industries served as a wake-up call that the traditional “air-gapped” model for OT cybersecurity had become outdated in the era of IT/OT convergence and initiatives such as Smart Manufacturing and Smart Buildings. And the IoT and Industrial Internet of Things (IIoT) are only getting bigger. Analysts predict we’ll have billions of IoT devices connected worldwide in a few years, drastically increasing the surface area for attacks.

Company boards and management teams are understandably concerned about increased safety and corporate liability risks as well as the financial impact of crippling downtime posed by IoT/OT breaches. They’re also concerned about losing sensitive IP such as proprietary formulas and product designs, since manufacturers are eight times more likely to be attacked for cyberespionage than other sectors, according to the 2020 Verizon DBIR.1

In my recent Microsoft Ignite presentation, Azure Defender for IoT including CyberX, I was joined by Nir Krumer, Principal PM Manager at Microsoft, to examine how the new Azure Defender for IoT incorporates CyberX’s agentless technology and IoT/OT-aware behavioral analytics, minimizing those risks by providing IT teams with continuous IoT/OT visibility into their industrial and critical infrastructure networks. You’re invited to view the full presentation and review some highlights below.

IT versus OT

Unlike information technology (IT) security, OT security is focused on securing physical processes and assets rather than digital assets like containers and SQL databases. Physical assets include devices like turbines, mixing tanks, HVAC systems in smart buildings and data centers, factory-floor machines, and more. In OT, the top focus is always on safety and availability. Availability means that your production facilities must be resilient and keep operating, because that’s where the revenue comes from. However, the biggest difference from IT security is that most chief information security officers (CISOs) and SOC teams today have little or no visibility into their OT risk, because they don’t have the multiple layers of controls and telemetry that we have in IT environments. And OT risk translates directly into business risk.

As recent history shows, attacks on OT are already underway. The TRITON attack on the safety controllers in a Middle East petrochemical facility was intended to cause major structural damage to the facility and possible loss of life. The attackers got their initial foothold in the IT network but subsequently used living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new ways of compromising unmanaged OT devices, which historically haven’t supported agents and are typically invisible to IT teams.

Figure 1: Purdue Model traversal in TRITON attack.

How Azure Defender for IoT works for you

By incorporating agentless technology from Microsoft’s recent acquisition of CyberX, Azure Defender for IoT enables IT and OT teams to identify critical vulnerabilities and detect threats using IoT/OT-aware behavioral analytics and machine learning—all without impacting availability or performance.

In our Ignite presentation, we broke down five key capabilities provided by the product’s agentless security for unmanaged IoT/OT devices:

  • Asset discovery: Because you cannot protect what you do not know you have, Azure Defender tells you what IoT/OT devices are in your network and how they’re communicating with each other. Also, if you’re implementing a Zero Trust policy, you need to know how these devices are connected so you can segment them onto their own network and manage granular access to them.
  • Risk and vulnerability management: Azure Defender helps you identify vulnerabilities such as unauthorized devices, unpatched systems, unauthorized internet connections, and devices with unused open ports—so you can take a prioritized approach to mitigating IoT/OT risk for your crown jewel assets. These are the critical devices whose compromise would have a major impact on your organization, such as a safety incident, loss of revenue, or theft of sensitive IP.
  • Continuous IoT threat monitoring and response: Azure Defender continuously monitors the OT network using Layer 7 Deep Packet Inspection (DPI), informing you immediately when there has been unusual or unauthorized behavior, and empowering you to mitigate an attack before it causes a production failure or safety incident. It incorporates a deep understanding of all major industrial protocols (including Modbus, DNP3, Siemens S7, Ethernet/IP CIP, GE-SRTP, and Yokogawa) and patented, IoT/OT-aware behavioral analytics to detect threats faster and more accurately, with a far shorter learning period than generic baselining algorithms.
  • Operational efficiency: When you have malfunctioning or misconfigured equipment, you need to quickly figure out what went wrong. By providing deep visibility into what’s going on in the network—such as a misconfigured engineering workstation that’s constantly scanning the network—you can help your IoT/OT engineers quickly identify and address the root cause of those issues.
  • Unified IT/OT security monitoring and governance: Azure Defender for IoT is deeply integrated with Azure Sentinel and also supports third-party tools such as Splunk, IBM QRadar, and ServiceNow. This helps break down silos that slow communication between IT and OT teams, and creates a common language between them to quickly resolve issues. It also enables you to quickly address attacks that cross IT/OT boundaries (like TRITON), as well as leverage the workflows and training you spent years building in your security operations center (SOC)—so you can apply them to IoT and OT security as well.

Deployment Architecture

So, how does this system get deployed? Azure Defender for IoT uses a network sensor to capture a copy of the network traffic through the switch port analyzer (SPAN). It uses a technique called passive monitoring or network traffic analysis (NTA) to identify assets, vulnerabilities, and threats without impacting the performance or reliability of the IoT/OT network. The solution can be 100 percent on-premises, connected to Azure, or a hybrid of the two (for example, by forwarding alerts to Azure Sentinel).

Figure 2: Azure Defender for IoT uses an on-premises network sensor to capture and analyze all IoT/OT traffic. The solution can be deployed fully on-premises, or connected to Azure, or in hybrid environments where the SIEM is cloud-based, as with Azure Sentinel.

Azure Sentinel integration

To enable rapid detection and response for attacks that cross IT/OT boundaries, Azure Defender is deeply integrated with Azure Sentinel—Microsoft’s cloud-native SIEM/SOAR platform. As a SaaS-based solution, Azure Sentinel delivers reduced complexity, built-in scalability, lower total cost of ownership (TCO), and continuous threat intelligence and software updates. It also provides built-in IoT/OT security capabilities, including:

  • Deep integration with Azure Defender for IoT: Azure Sentinel provides rich contextual information about specialized OT devices and behaviors detected by Azure Defender—enabling your SOC teams to correlate and detect modern kill-chains that move laterally across IT/OT boundaries.
  • IoT/OT-specific SOAR playbooks: Sample playbooks enable automated actions to swiftly remediate IoT/OT threats.
  • IoT/OT-specific threat intelligence: In addition to the trillions of signals collected daily, Azure Sentinel now incorporates IoT/OT-specific threat intelligence provided by Section 52, our specialized security research team focused on IoT/OT malware, campaigns, and adversaries.

You are invited to watch our Microsoft Ignite presentation to learn more about Azure Defender for IoT, including a live demo of how deep integration with Azure Sentinel can be used to investigate multistage IT/OT attacks like TRITON.

Visit the Azure Defender for IoT website to learn more and try it for free during Public Preview. You can also learn more about Microsoft Security solutions by visiting our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 2020 Verizon DBIR, pages 36 and 59.

The post Go inside the new Azure Defender for IoT including CyberX appeared first on Microsoft Security.

Microsoft Azure Active Directory again a “Leader” in Gartner Magic Quadrant for Access Management

November 24th, 2020 No comments

Howdy folks,

I’m proud to announce that for the fourth year in a row, Microsoft Azure Active Directory (Azure AD) has been recognized as a “Leader” in Gartner Magic Quadrant for Access Management, Worldwide.

Earlier this year, my boss, Joy Chik, CVP of Identity Engineering, shared Microsoft’s guiding principles of our identity and access management (IAM) strategy, emphasizing our commitment to delivering a secure and scalable identity solution. Azure AD safeguards access to your apps by enforcing strong authentication and adaptive risk-based access policies, providing seamless user access with single sign-on (SSO) and reduced IT costs. We envision Azure AD as the key to embracing a Zero Trust security model, enabling secure application access and greater productivity across users, apps, and devices.

Consistently landing in Gartner Magic Quadrant for the past four years tells us that we’re executing on our vision and making a difference for you, our customers.

We’ve learned from your resilience in adapting to remote work over the past year, and your direct feedback has shaped our advancements in several areas:

  • Adaptive security: Azure AD natively offers comprehensive logging, dashboard, and reporting capabilities, as well as identity analytics with Azure AD Identity Protection.
  • Secure application access: Azure AD supports out-of-the-box single sign-on (SSO) and provisioning connectors to thousands of SaaS apps, as well as authentication for legacy on-premises applications through App Proxy and secure hybrid-access partnerships.
  • Report-only mode: The report-only (or audit-only) mode enables administrators to evaluate the impact of Conditional Access policies before enabling them for users.
  • Web Content Accessibility Guidelines: We’re proud of our commitment to inclusion and accessibility by design, which goes beyond meeting Web Content Accessibility Guidelines (WCAG) compliance to providing a positive experience for all users.
  • API access control: We offer built-in centralized policy management, management of security tokens, token translation, and developer self-service support. In addition, Azure AD offers native integration with the Azure API Management service or with third-party API gateway products for more advanced API security.
  • Open standards: Azure AD offers support for all major identity standards, including SAML 2.0, WS-Fed, OIDC, OAuth 2.0, and password vaulting with JavaScript-based login form filling.

We’re honored to place this well for the fourth time and believe it reflects the energy and passion we’ve put into partnering with our customers to help them successfully digitally transform their businesses. That said, there’s lots more work to do, and we look forward to continuing to partner with you, our customers, to ensure the products we build keep your organizations secure and productive. We’re grateful for your trust, and I look forward to seeing what we can accomplish together in the coming year.

To learn more about Microsoft Identity solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on identity and cybersecurity.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft Azure Active Directory again a “Leader” in Gartner Magic Quadrant for Access Management appeared first on Microsoft Security.

Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services

November 17th, 2020 No comments

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here.

Security teams are struggling to reduce the time to detect and respond to threats due to the complexity and volume of alerts being generated from multiple security technologies.

Migrating more workloads to the cloud adds another perimeter, which requires constant vigilance for early signs of a cyber-attack. New security challenges also emerge from the cloud’s elastic nature and the constant provisioning of new services.

How CyberProof is working with Microsoft to solve these challenges

CyberProof partnered with Microsoft to provide customers with cloud-scalable security monitoring, detection, and response services across the endpoint, network, identities, SaaS applications, and Azure cloud infrastructure.

With the CyberProof Defense Center (CDC) service delivery platform pre-integrated with Microsoft’s cloud-native SIEM, Azure Sentinel, CyberProof’s built-in virtual analyst, SeeMo, automates up to 80 percent of tier one and two activities such as monitoring, enrichment, incident handling, and remediation. This frees up your team to focus on the most critical business issues.

Key Layers to Building a Smarter SOC

We recommend that security operations center (SOC) teams implement the following three key layers of a smarter SOC architecture when looking to generate continuous value from your Azure security stack with managed security services.

Each layer includes the integrations between Microsoft and CyberProof that help facilitate this architecture. For more information, check out our on-demand webinar—which we ran in collaboration with Microsoft’s Chief Security Advisor EMEA, Cyril Voisin.

1. Data collection and integration layer—enrichment of security data from multiple sources

This is particularly useful for enterprise-grade SOCs that collect and parse relevant data from multiple business units before going into a data lake. Organizing and classifying all of this data will save time and money when you start introducing integration and automation technologies, as the information will already be structured in an optimum way. Here’s how log collection, normalization, and analysis work:

  1. Integration: An organization identifies the assets, tools, technologies, and applications that need to be integrated.
  2. Data normalization: Enterprise SOCs need to parse data before it enters the data lake—to tag and filter it—so the right information is being fed into the SOC in the most efficient way.
  3. Data collection and analysis: Using a solution such as Microsoft’s Azure Monitor Log Analytics and scalable storage such as Azure Data Lake, terabytes of data can be ingested in order to query and manage at scale. Machine learning can be used for the identification of anomalies and monitoring whether log sources are operating correctly, as well as to support threat hunting.

At CyberProof, we leverage Azure Monitor Log Analytics and CyberProof Log Collection (CLC) SaaS technology to pull logs from all sources of data. These include a customer’s existing Microsoft investments—including on-premises, SaaS, and Azure assets—and existing Microsoft security controls that generate alerts across identities, endpoints, data, email, and cloud apps.

2. Security analytics layer—generating contextual alerts and minimizing false positives

The traditional on-premises SIEM architecture has limited scalability. For example, infrastructure costs are incurred up front, based on peak requirements, rather than through on-demand provisioning that scales with current demand and growth over time. Also, effectively mapping logs from all ecosystems can be a time-consuming endeavor when having to correlate rules and create clear reporting.

The world of security data collection has evolved. It is no longer a single query or rule that triggers the discovery of an incident. Typically, security monitoring identifies the proverbial “needle in the haystack”—and this type of threat detection requires broad visibility across the enterprise. This requires more processing power and data collection, in order to establish what the baseline really looks like. These attributes are best accomplished by implementing security in the cloud.

That’s where Azure Sentinel comes in, supplying correlation and analytics rules and filtering massive volumes of events to obtain high-context alerts. Azure Sentinel uses machine learning to proactively find anomalies hidden within acceptable user behavior and generate alerts.

Microsoft Azure Sentinel is fully integrated with the CyberProof CDC platform, so customers can work from a single console to manage high-context alerts, carry out investigations, and handle incidents.

3. Orchestration, automation, and collaboration layer—facilitating faster threat detection and response

Forrester’s recent assessment of midsized MSSPs notes that orchestration and security automation play a vital role for overburdened SOC staff.

By automating tier one and two activities like monitoring, enrichment, investigation, and incident handling, our CDC platform takes much of the strain out of the process. Essentially, the CDC platform provides our IP as a service—helping customers avoid the expenditure necessary to develop their own IP for a next-generation SOC.

The CDC platform gives customers a “single pane of glass” view from which to manage high context alerts, incidents, and report generation for stakeholders. It integrates the functionality of Azure Sentinel as well as other security investments.

The CDC platform’s benefits include:

  • Orchestration: Integrates external intelligence sources, enrichment sources, the IT service management system, and more into a single view.
  • Automation: Leverages the CyberProof virtual analyst, SeeMo, who uses our Use Case Factory—a catalog of attack use cases consisting of prevention, detection rules, and response playbooks all aligned to the MITRE ATT&CK framework—to continuously update playbooks.
  • Collaboration: Facilitates real-time communication with our nation-state level analysts to help remediate incidents.
  • Hybrid engagement: Supports collaboration of CyberProof experts with the customer’s team to remediate incidents and upskill the customer’s team.

Customers can start benefiting now

The CyberProof solution, used in tandem with Azure Sentinel, provides 24/7 security monitoring, which frees up SOC teams to focus on critical incidents.

The platform’s use of machine learning and behavioral analysis can reduce alert fatigue and false positives by up to 90 percent. It offers large-scale collection and correlation of data from the endpoint, cloud network, and users—facilitating high-context alerts.

These capabilities, as well as the platform’s high-level collaboration abilities and up-to-date response playbooks, contribute to greater efficiency in threat detection and in responding to validated incidents.

Yet, it doesn’t take a lot of time to transition to the CyberProof solution. CyberProof has a defined onboarding process that’s based on each customer’s requirements.

As a managed service provider, we find that we can help customers get through the transition much more quickly than they would have on their own—accelerating the process and shortening the time needed to start reaping the benefits of the solutions.

Want more information? Check out our Azure Security Services page and the CDC platform from CyberProof. Or contact us to learn more about how we can help you transition to a smarter SOC.

To learn more about the Microsoft Intelligent Security Association (MISA), visit the Microsoft Intelligent Security Association website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services appeared first on Microsoft Security.

Advanced protection for web applications in Azure with Radware’s Microsoft Security integration

October 12th, 2020 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA here.

The state of application security

Companies face a wide range of security challenges, such as Open Web Application Security Project (OWASP) vulnerabilities, advanced BOT threats and the need to manage BOTs, securing APIs, and protecting against volumetric and non-volumetric DDoS attacks. Advanced threats mean that application security solutions must do much more. Organizations require a synchronized attack-mitigation system that provides advanced application protection against all the above threats, across all platforms and environments at all times, providing comprehensive security and a single view of application security events for quick incident response and a minimum impact on business.

Customers are increasingly requesting, if not requiring, a fully managed service option for security elements. Beyond the obvious complexity of managing the positive and negative security model rules, today’s attacks are dynamic and evolving. Teams managing application security are stressed by the rapid pace of new application development and application changes, all of which require vulnerability assessment and remediation in the form of automated continuous and consistent security policies.

Cloud is disrupting technology and security is the biggest challenge for customers around the world. Radware is embracing this shift by focusing on ‘Strength in Security’ with Microsoft Azure and is focused on helping Microsoft Azure customers secure their workloads and applications. Radware works closely with Microsoft’s engineering teams to create new and innovative solutions in Azure that benefit from Microsoft’s unique cloud capabilities and services like Azure DDoS Protection and Microsoft Azure Sentinel to build a more secure digital infrastructure, enabling customers to overcome security challenges. Radware Security for Azure provides local availability and easy deployment capabilities across any Azure region, enabling organizations to move to Azure with the knowledge that their applications, networks, and data will be secure around the world.

The application threat landscape

Application vulnerabilities are now the fastest-growing cybersecurity threat to organizations, according to a year-over-year comparison of Radware’s annual Global Application & Network Security Report. Applications, and the APIs they leverage, must be protected against an expanding variety of attack methods. In addition, DevOps and Agile development practices mean that applications are in a state of constant flux, and security policies must adapt to keep pace. Web application security solutions must be smarter and address a broad spectrum of vulnerability exploitation scenarios and attack types and vectors. On top of protecting the application from these common vulnerabilities, they have to protect APIs and mitigate denial-of-service (DoS) attacks, manage bot traffic, and make a distinction between legitimate bots and malicious bots.

Web applications are a critical part of most modern businesses, but many organizations continue to overlook web application security, despite escalating threats. According to a recent Gartner report, by 2023, more than 30 percent of public-facing web applications will be protected by cloud web application and API protection services that combine DDoS protection, bot mitigation, API protection, and web application firewalls (WAFs).

Cloud web application and API security and integrated BOT and DDoS protection is the evolution of cloud-delivered WAF services. Comprehensive cloud-delivered managed security services are a more complete runtime protection successor to WAF appliances. They are faster to deploy and easier for organizations to maintain. Customers want to consume security products without managing the underlying infrastructure, which is a big benefit that a product like Radware Security for Azure brings to customers in Azure.

Radware Security for Azure is a managed service that provides network and application security protection against everything from small-scale attacks to the most sophisticated large-scale attacks, ensuring applications are protected from malicious DDoS attacks, zero-day web attacks, and common vulnerabilities.

By leveraging the global scale of the Microsoft network and integrating with Azure DDoS Protection, Radware Security for Azure provides enhanced Layer 3 – Layer 7 DDoS mitigation capabilities tuned for applications and resources deployed in virtual networks backed by an industry-leading service level agreement (SLA) and 24/7 incident response team.

Six steps on how to neutralize the application threat

Radware provides advanced protection for web applications in Azure with an integrated application and API security service. Radware Security for Azure provides:

Details on security solutions offered by Radware Security for Azure

To learn more about Radware Security for Azure, visit our listing in the Azure Marketplace or visit Radware.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Advanced protection for web applications in Azure with Radware’s Microsoft Security integration appeared first on Microsoft Security.

Best practices for defending Azure Virtual Machines

October 7th, 2020 No comments

One of the things that our Detection and Response Team (DART) and Customer Service and Support (CSS) security teams see frequently during investigation of customer incidents is attacks on virtual machines from the internet.

This is one area in the cloud security shared responsibility model where customer tenants are responsible for security. Security is a shared responsibility between Microsoft and the customer, and as soon as you put just one virtual machine on Azure or any cloud, you need to ensure you apply the right security controls.

The diagram below illustrates the layers of security responsibilities:

Image of the shared responsibility model showing customer, service, and cloud responsibilities

Fortunately, with Azure, we have a set of best practices that are designed to help protect your workloads including virtual machines to keep them safe from constantly evolving threats. This blog will share the most important security best practices to help protect your virtual machines.

The areas of the shared responsibility model we will touch on in this blog are as follows:

  • Tools
  • Identity and directory infrastructure
  • Applications
  • Network Controls
  • Operating System

We will refer to the Azure Security Top 10 best practices as applicable for each:

Best practices

1. Use Azure Secure Score in Azure Security Center as your guide

Secure Score within Azure Security Center is a numeric view of your security posture. If it is at 100 percent, you are following best practices. Otherwise, work on the highest priority items to improve the current security posture. Many of the recommendations below are included in Azure Secure Score.

2. Isolate management ports on virtual machines from the Internet and open them only when required

The Remote Desktop Protocol (RDP) is a remote access solution that is very popular with Windows administrators. Because of its popularity, it’s a very attractive target for threat actors. Do not be fooled into thinking that changing the default port for RDP serves any real purpose. Attackers are always scanning the entire range of ports, and it is trivial to figure out that you changed from 3389 to 4389, for example.

If you are already allowing RDP access to your Azure VMs from the internet, you should check the configuration of your Network Security Groups. Find any rule that is publishing RDP and look to see if the Source IP Address is a wildcard (*). If that is the case, you should be concerned, and it’s quite possible that the VM could be under brute force attack right now.

It is relatively easy to determine if your VMs are under a brute force attack, and there are at least two methods we will discuss below:

  • Azure Defender (formerly Azure Security Center Standard) will alert you if your VM is under a brute force attack.
  • If you are not using the Security Center Standard tier, open the Windows Event Viewer and find the Windows Security Event Log. Filter for Event ID 4625 (an account failed to log on). If you see many such events occurring in quick succession (seconds or minutes apart), it means you are under a brute force attack.
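The Event ID 4625 check described above can be automated once the Security log is exported. The following is an added example, not code from the original post: it assumes a CSV export with the hypothetical column layout `TimeCreated,EventID,TargetUserName,IpAddress`, and the threshold of five failures per minute is an assumption to tune for your environment.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: Security log events exported to CSV. The column
# layout is an assumption; TargetUserName and IpAddress are fields carried by
# Event ID 4625 (an account failed to log on).
SAMPLE_EVENTS = """TimeCreated,EventID,TargetUserName,IpAddress
2020-10-07T02:14:01,4625,administrator,198.51.100.23
2020-10-07T02:14:03,4625,admin,198.51.100.23
2020-10-07T02:14:04,4625,administrator,198.51.100.23
2020-10-07T02:14:06,4625,backup,198.51.100.23
2020-10-07T02:14:08,4625,sqladmin,198.51.100.23
2020-10-07T02:14:10,4625,administrator,198.51.100.23
2020-10-07T08:30:12,4625,jsmith,203.0.113.7
2020-10-07T08:35:40,4625,jsmith,203.0.113.7
2020-10-07T08:36:02,4624,jsmith,203.0.113.7
"""


def detect_bruteforce(csv_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failed logons (Event ID 4625) inside a sliding `window`."""
    rows = sorted(
        csv.DictReader(io.StringIO(csv_text)),
        key=lambda r: datetime.fromisoformat(r["TimeCreated"]),
    )
    recent = defaultdict(deque)  # source IP -> failures still inside the window
    alerts = {}
    for row in rows:
        if row["EventID"].strip() != "4625":
            continue  # successful logons (4624) and other events are ignored
        when = datetime.fromisoformat(row["TimeCreated"])
        source = row["IpAddress"].strip() or "unknown"
        queue = recent[source]
        queue.append((when, row["TargetUserName"].strip().lower()))
        # Drop failures that have aged out of the window.
        while when - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            alert = alerts.setdefault(
                source,
                {"first_alert": when, "peak_failures": 0, "accounts": set()},
            )
            alert["peak_failures"] = max(alert["peak_failures"], len(queue))
            alert["accounts"].update(user for _, user in queue)
    for alert in alerts.values():
        alert["accounts"] = sorted(alert["accounts"])
    return alerts


if __name__ == "__main__":
    for source, alert in detect_bruteforce(SAMPLE_EVENTS).items():
        print(
            f"{source}: {alert['peak_failures']} failed logons within one minute, "
            f"accounts tried: {', '.join(alert['accounts'])}"
        )
```

A user who mistypes a password twice, five minutes apart, stays below the threshold, while a source cycling through account names seconds apart is reported together with the accounts it tried.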

Other commonly attacked ports include: SSH (22), FTP (21), Telnet (23), HTTP (80), HTTPS (443), SQL (1433), LDAP (389). This is just a partial list of commonly published ports. You should always be cautious about allowing inbound network traffic from unlimited source IP address ranges unless it is necessary for the business needs of that machine.
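The Network Security Group check described above (find inbound rules whose source is a wildcard) can be run over exported rule definitions. The following is an added example, not code from the original post: it assumes JSON shaped like the output of `az network nsg list`, and the sample NSG and its rule names are constructed. It goes slightly beyond RDP by flagging every internet-open inbound allow rule and labelling the commonly attacked ports listed above.

```python
import json

# Ports the article names as commonly attacked (RDP plus the partial list).
COMMON_PORTS = {3389: "RDP", 22: "SSH", 21: "FTP", 23: "Telnet",
                80: "HTTP", 443: "HTTPS", 1433: "SQL", 389: "LDAP"}
# Source values that admit any internet address.
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}

# Constructed sample, shaped like `az network nsg list` output.
SAMPLE_NSG = """
[{"name": "web-vm-nsg", "securityRules": [
  {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "3389", "destinationPortRanges": []},
  {"name": "allow-rdp-moved", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
   "destinationPortRange": "4389", "destinationPortRanges": []},
  {"name": "allow-ssh-office", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "allow-legacy", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": null, "sourceAddressPrefixes": ["0.0.0.0/0"],
   "destinationPortRange": null, "destinationPortRanges": ["20-25", "443"]},
  {"name": "deny-all", "direction": "Inbound", "access": "Deny",
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "*", "destinationPortRanges": []}
]}]
"""


def _as_list(single, many):
    """Merge the singular and plural forms of a rule field into one list."""
    values = list(many or [])
    if single:
        values.append(single)
    return values


def _covers(port_range, port):
    """True if an NSG port expression ('*', '3389' or '20-25') includes port."""
    port_range = port_range.strip()
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = port_range.split("-", 1)
        return int(low) <= port <= int(high)
    return int(port_range) == port


def audit_nsgs(json_text):
    """Return one finding per inbound Allow rule that is open to the internet.

    Rule priority is not evaluated, so a finding still needs a manual check
    for a higher-priority Deny rule that overrides it.
    """
    data = json.loads(json_text)
    findings = []
    for nsg in data if isinstance(data, list) else [data]:
        for rule in nsg.get("securityRules", []):
            if (rule.get("direction") or "").lower() != "inbound":
                continue
            if (rule.get("access") or "").lower() != "allow":
                continue
            sources = _as_list(rule.get("sourceAddressPrefix"),
                               rule.get("sourceAddressPrefixes"))
            if not any(s.lower() in OPEN_SOURCES for s in sources):
                continue
            ranges = _as_list(rule.get("destinationPortRange"),
                              rule.get("destinationPortRanges"))
            services = sorted(name for port, name in COMMON_PORTS.items()
                              if any(_covers(r, port) for r in ranges))
            findings.append({"nsg": nsg.get("name"), "rule": rule.get("name"),
                             "ports": ranges, "services": services})
    return findings


if __name__ == "__main__":
    for f in audit_nsgs(SAMPLE_NSG):
        label = ", ".join(f["services"]) or "non-default port, still exposed"
        print(f"{f['nsg']}/{f['rule']}: open to internet on {f['ports']} ({label})")
```

The `allow-rdp-moved` rule is reported even though its port matches no known service, which is the point made earlier about moving RDP from 3389 to 4389: the exposure is the wildcard source, not the port number.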

A couple of methods for managing inbound access to Azure VMs:

Just-in-time will allow you to reduce your attack surface while also allowing legitimate users to access virtual machines when necessary.

Network security groups contain rules that allow or deny traffic inbound to, or outbound traffic from several types of Azure resources including VMs. There are limits to the number of rules and they can become difficult to manage if many users from various network locations need to access your VMs.

For more information, see this top Azure Security Best Practice:

3. Use complexity for passwords and user account names

If you are required to allow inbound traffic to your VMs for business reasons, this next area is of critical importance. Do you have complete confidence that any user account that would be allowed to access this machine is using a complex username/password combination? What if this VM is also domain joined? It’s one thing to worry about local accounts, but now you must worry about any account in the domain that would have the right to log on to that Virtual Machine.

For more information, see this top Azure Security Best Practice:

4. Keep the operating system patched

Vulnerabilities of the operating system are particularly worrisome when they are also combined with a port and service that is more likely to be published. A good example is the recent vulnerabilities affecting the Remote Desktop Protocol called “BlueKeep.” A consistent patch management strategy will go a long way towards improving your overall security posture.

5. Keep third-party applications current and patched

Applications are another often overlooked area, especially third-party applications installed on your Azure VMs. Whenever possible, use the most current version available and patch for any known vulnerabilities. An example is an IIS Server using a third-party Content Management System (CMS) application with known vulnerabilities. A quick search of the Internet for CMS vulnerabilities will reveal many that are exploitable.

For more information, see this top Azure Security Best Practice:

6. Actively monitor for threats

Utilize the Azure Security Center Standard tier to ensure you are actively monitoring for threats. Security Center uses machine learning to analyze signals across Microsoft systems and services to alert you to threats to your environment. One such example is remote desktop protocol (RDP) brute-force attacks.

For more information, see this top Azure Security Best Practice:

7. Azure Backup Service

In addition to turning on security, it’s always a good idea to have a backup. Mistakes happen, and unless you tell Azure to back up your virtual machine, there isn’t an automatic backup. Fortunately, it’s just a few clicks to turn on.

Next steps

Equipped with the knowledge contained in this article, we believe you will be less likely to experience a compromised VM in Azure. Security is most effective when you use a layered (defense in depth) approach and do not rely on one method to completely protect your environment. Azure has many different solutions available that can help you apply this layered approach.

If you found this information helpful, please drop us a note at

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Best practices for defending Azure Virtual Machines appeared first on Microsoft Security.

Why we invite security researchers to hack Azure Sphere

October 6th, 2020 No comments

Fighting the security battle so our customers don’t have to

IoT devices are becoming more prevalent in almost every aspect of our lives—we will rely on them in our homes, our businesses, as well as our infrastructure. In February, Microsoft announced the general availability of Azure Sphere, an integrated security solution for IoT devices and equipment. General availability means that we are ready to provide OEMs and organizations with quick and cost-effective device security at scale. However, securing those devices does not stop once we put them into the hands of our customers. It is only the start of a continual battle between the attackers and the defenders.

Building a solution that customers can trust requires investments before and after deployment by complementing up-front technical measures with ongoing practices to find and mitigate risks. In April, we highlighted Azure Sphere’s approach to risk management and why securing IoT is not a one-and-done. Products improve over time, but so do hackers, as well as their skills and tools. New security threats continue to evolve, and hackers invent new ways to attack devices. So, what does it take to stay ahead?

As a Microsoft security product team, we believe in finding and fixing vulnerabilities before the bad guys do. While Azure Sphere continuously invests in code improvements, fuzzing, and other processes of quality control, it often requires the creative mindset of an attacker to expose a potential weakness that otherwise might be missed. Better than trying to think like a hacker is working with them. This is why we operate an ongoing program of red team exercises with security researchers and the hacker community: to benefit from their unique expertise and skill set. That includes being able to test our security promise not just against yesterday’s and today’s, but against even tomorrow’s attacks on IoT devices before they become known more broadly. Our recent Azure Sphere Security Research Challenge, which concluded on August 31, is a reflection of this commitment.

Partnering with MSRC to design a unique challenge

Our goal with the three-month Azure Sphere Security Research Challenge was twofold: to drive new high-impact security research, and to validate Azure Sphere’s security promise against the best challengers in their field. To do so, we partnered with the Microsoft Security Response Center (MSRC) and invited some of the world’s best researchers and security vendors to try to break our device by using the same kinds of attacks as any malicious actor might. To make sure participants had everything they needed to be successful, we provided each researcher with a dev kit, a direct line to our OS Security Engineering Team, access to weekly office hours, and email support in addition to our publicly available operating system kernel source code.

Our goal was to focus the research on the highest impact on customer security, which is why we provided six research scenarios with additional rewards of up to 20 percent on top of the Azure Bounty (up to $40,000), as well as $100,000 for two high-priority scenarios proving the ability to execute code in Microsoft Pluton or in Secure World. We received more than 3,500 applications, which is a testament to the strong interest of the research community in securing IoT. More information on the design of the challenge and our collaboration with MSRC can be found here on their blog post.

Researchers identify high impact vulnerabilities before hackers

The quality of submissions from participants in the challenge far exceeded our expectations. Several participants helped us find multiple potentially high impact vulnerabilities in Azure Sphere. The quality is a testament to the expertise, determination, and the diligence of the participants. Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product. Sixteen were bounty-eligible, adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system—something often referred to in the field as “by design.” The high ratio of valid submissions to total submissions speaks to the extremely high quality of the research demonstrated by the participants.

Graph showing the submission breakdown and the total amount of money eligible to be received through the bounty system.

Jewell Seay, Azure Sphere Operating System Platform Security Lead, has shared detailed information of many of the cases in three recent blog posts describing the security improvements delivered in our 20.07, 20.08, and 20.09 releases. Cisco Talos and McAfee Advanced Threat Research (ATR), in particular, found several important vulnerabilities, and one particular attack chain is highlighted in Jewell’s 20.07 blog.

While the described attack required physical access to a device and could not be executed remotely, it exposed potential weaknesses spanning both cloud and device components of our product. The attack included a potential zero-day exploit in the Linux kernel to escape root privileges. The vulnerability was reported to the Linux kernel security team, leading to a fix for the larger open source community which was shared with the Linux community. If you would like to learn more and get an inside view of the challenge from one of our research partners, we highly recommend McAfee ATR’s blog post.

What it takes to provide renewable and improving security

With Azure Sphere, we provide our customers with a robust defense based on the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state—even if it has been compromised. While this is essential, it is not sufficient on its own. An organization must be equipped with the resources, people, and processes that allow for a quick resolution before vulnerabilities impact customers. Azure Sphere customers know that they have the strong commitment of our Azure Sphere Engineering team—that our team is searching for and addressing potential vulnerabilities, even from the most recently invented attack techniques.

We take this commitment to heart, as evidenced by all the fixes that went into our 20.07, 20.08, and 20.09 releases. In less than 30 days of McAfee reporting the attack chain to us, we shipped a fix to all of our customers, without the need for them to take any action due to how Azure Sphere manages updates. Although we received a high number of submissions throughout multiple release cycles, we prioritized analyzing every single report as soon as we received it. The success of our challenge should not just be measured by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product. When it came to fixing the found vulnerabilities, there was no distinction made between the ones that were proven to be exploited or the ones that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.

Our engagement with the security research community

On behalf of the entire team and our customers, we would like to thank all participants for their help in making Azure Sphere more secure! We were genuinely impressed by the quality and number of high impact vulnerabilities that they found. In addition, we would also like to thank the MSRC team for partnering with us on this challenge.

Our goal is to continue to engage with this community on behalf of our customers going forward, and we will continue to review every potential vulnerability report for Azure Sphere for eligibility under the Azure Bounty Program awards.

Our team learned a lot throughout this challenge, and we will explore and announce additional opportunities to collaborate with the security research community in the future. Protecting our platform and the devices our customers build and deploy on it is a key priority for us. Working with the best security researchers in the field, we will continue to invest in finding potential vulnerabilities before the bad guys do—so you don’t have to!

If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:

The post Why we invite security researchers to hack Azure Sphere appeared first on Microsoft Security.

Microsoft Advanced Compliance Solutions in Zero Trust Architecture

September 29th, 2020 No comments

Zero Trust revolves around three key principles:  verify explicitly, use least privileged access, and assume breach.  Microsoft’s Advanced Compliance Solutions are an important part of Zero Trust.

This post applies a Zero Trust lens to protecting an organization’s sensitive data and maintaining compliance with relevant standards. Ultimately, Zero Trust architecture is a modern approach to security that focuses on security and compliance for assets regardless of their physical or network location, which contrasts with classic approaches that attempt to force all assets on a ‘secure’ and compliant network.

A Zero Trust strategy should start with Identity and Access Management.  Microsoft built Azure Active Directory (AAD) to enable rapid Zero Trust adoption:

An image of the workflows and visualizations to manage cases.

Architects focus on applying the Zero Trust principles to protect and monitor six technical pillars of the enterprise including:

  • Identity
  • Devices
  • Applications and APIs
  • Data
  • Infrastructure
  • Networks

In an integrated Microsoft Zero Trust solution, AAD and Microsoft Defender for Identity provide protection, monitoring, and trust insights in the User/Identity Pillar. Microsoft Defender for Endpoints and Intune protect and manage the Device.  Azure Security Center and Azure Sentinel monitor, report and provide automated playbooks to deal with events.

Microsoft’s Advanced Compliance solutions are foundational to Zero Trust as well, particularly when implemented to support Microsoft 365.


Microsoft Information Protection, Insider Risk Management and Microsoft Cloud App Security are all part of a complete Zero Trust architecture.

Advanced Auditing can increase visibility into an insider’s or bad actor’s activities with sensitive data, such as documents and emails, and can extend the period over which audit data is available for review.

Let’s look closer at these solutions:

  • Microsoft Information Protection: Allows policy enforcement at the document level based on AAD identity.  This protection is resident with the document throughout its lifecycle.  It controls the identities, groups or organizations that can access the document, expires access to the document and controls what authorized users can do with the document e.g. view, print, cut and paste as well as other controls like enforced watermarking.  These controls can be mandatory or can support users with suggested protection.  The policy can be informed by machine learning, standard sensitivity data types (like social security numbers), regular expressions, keywords or exact data match.  When users elect to apply different protection than recommended, their actions are tracked for later review.  Documents can thus be protected throughout their lifecycle, wherever they may travel and to whomever they may be transmitted.

Microsoft Information Protection sensitivity labels are fully integrated with our data loss prevention solution, preventing movement of sensitive information at the boundary of the cloud, between Microsoft and third-party clouds, and at the device endpoint (e.g. laptop).

  • Insider Risk Management: Applies machine learning to the signals available from Microsoft O365 tenant logs, integration with Microsoft Defender Advanced Threat Protection and an increasing number of Microsoft and third party relevant signals to alert on insiders such as employees or contractors who are misusing their access. Default policies are provided, and enterprises can customize policies to meet their needs including for specific projects or scoped to users deemed to be at high risk.   These policies allow you to identify risky activities and mitigate these risks.  Current areas of focus for the solution are:
    • Leaks of sensitive data and data spillage
    • Confidentiality violations
    • Intellectual property (IP) theft
    • Fraud
    • Insider trading
    • Regulatory compliance violations

These signals are visualized and actioned by other Microsoft solutions.  Insider Risk Management uses its specialized algorithms and machine learning to correlate signal and expose Insider Risks in context.  It also provides workflows and visualizations to manage cases.


Insider Risk Management is integrated with AAD and acts on signals from Microsoft Information Protection as well as others in the tenant, providing additional security value from the systems already in place.  The alerts generated by the system can be managed with the native case management features or surfaced to Azure Sentinel or third-party systems through the API.

  • Microsoft Cloud App Security: Is a Cloud Access Security Broker that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, granular control over data travel, and sophisticated analytics to identify and combat cyber threats across all Microsoft and third-party cloud services. It controls shadow IT.  It can be used to govern the use of Microsoft and third-party clouds and the sensitive information placed there.

An image of advanced Auditing for M365.

  • Advanced Auditing for M365: Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for a default of one year.  You can retain audit logs for up to ten years.  Crucial events for investigations, such as whether an attacker has accessed a mail message, whether a sensitive document is re-labelled and many other new log data types are part of this solution.  Investigation playbooks will also shortly be part of this solution.

These Advanced Compliance solutions have native visibility into AAD, the Microsoft Tenant, and into each other.  For example, Insider Risk Management has visibility into Microsoft Information Protection sensitivity labels.  Microsoft Cloud App Security has visibility into and can act on sensitivity labels.

This visibility and machine learning run through the Microsoft Security and Advanced Compliance solutions, making them particularly well suited to a holistic Zero Trust architecture.

The post Microsoft Advanced Compliance Solutions in Zero Trust Architecture appeared first on Microsoft Security.

Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training

September 24th, 2020 No comments

Everyone knows about phishing scams, and most of us think we’re too smart to take the bait. Our confidence often reaches superhero levels when we’re logged onto a company network. As Chief Security Advisor for Microsoft, and previously at telco Swisscom, it’s my business to understand how well employees adapt security training into their daily routines. Years of experience have taught me there are commonalities in human behavior that cut across all levels of an organization. Above all, people want to trust the company they work for and the communications they receive. It’s our task to help them understand that yes, their employer is looking out for them, but they also need to be vigilant to protect themselves and their company’s private data.

Tip #1: Make it fun. That means creating training modules that people will actually want to watch. Think of your favorite TV shows. There’s a reason you want to binge every episode. You care about the characters, or you’re at least interested in how their dilemmas work out. A good example is the Fox TV show 24; every episode was one hour in an unfolding storyline with high stakes. Your training program doesn’t need life-or-death consequences, but it should give people a reason to watch beyond just checking a box for compliance.

Tip #2: Make it easy. Your end-user is your customer, so you need them to buy in. When investigating new security solutions, I ask: “Could you explain how this works to my mother in thirty minutes or less?” If not, it’s probably not a user-friendly solution. Asking people to create a password with 20 characters consisting of random symbols, cases, and numbers (that they shouldn’t write down) is not easy. For a better option, try passwordless authentication options for Azure Active Directory. If your organization has Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can employ Attack Simulator in the Security & Compliance Center to run realistic scenarios. These simulated attacks can help you easily identify vulnerable users before a real attacker comes knocking.

Tip #3: Focus on your highest risk. Nearly one in three security breaches starts with a phishing attack costing the affected organization an average of USD1.4 million. Even after security training, employees still click on phishing links at an average rate of 20 – 30 percent. With the rise in people working from home, new forms, such as consent phishing, have cropped up to take advantage of new vulnerabilities. Direct your resources to where the people in your organization can see the risk is real, and you’ll generate positive engagement.

Tip #4: Be transparent about breaches. No organization can claim 100 percent invulnerability. Let people know they are the first line of defense. Communicating with staff when a successful attack occurs will help them remain alert. It’s okay to provide examples as long as you don’t reveal so much information that it’s obvious who clicked on that fake Zoom invitation. Be careful not to treat employees like children. They need to own their own actions, but shaming won’t make your organization safer.

Tip #5: Avoid a compliance-only mindset. Yes, that once-a-year cybersecurity training your people dutifully click through meets the organizational requirement. But gaining employee buy-in means doing more than just checking the box. Schedule a refresher course after a breach, even if the victim happens to be another company. Creating a security program that’s fun and engaging will probably cost more, but ask yourself how high the costs from downtime and lost productivity from a major breach would run. Better to invest those funds in protection upfront.

Tip #6: Communicate and educate continuously. Make security news part of your normal staff communications. Talk to your people about the headline-making hacks that target large corporations and government agencies, as well as the smaller identity theft and payment-app scams we all contend with. Talk about supply chain security and the dangers of using unauthorized devices and shadow IT. Cybersecurity threats can feel overwhelming and scary. Communication helps demystify those threats and makes employees feel empowered to protect themselves and their organizations.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training appeared first on Microsoft Security.

Categories: Azure Security, cybersecurity, phishing

Microsoft delivers unified SIEM and XDR to modernize security operations

September 22nd, 2020 No comments

The threat landscape continues to increase in both complexity and the level of sophistication of the attacks we observe. Attackers target the most vulnerable resources in an organization and then traverse laterally to target high-value assets. No longer can you expect to stay safe by protecting individual areas such as email or endpoints. Extended detection and response (XDR) is a new approach, defined by industry analysts, that is designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get ahead of attackers.

At today’s virtual Ignite conference, Microsoft is announcing a unique approach that empowers security professionals to get ahead of today’s complex threat landscape with integrated SIEM and XDR tools from a single vendor so you get the best of both worlds – end-to-end threat visibility across all of your resources; correlated, prioritized alerts based on the deep understanding Microsoft has of specific resources and AI that stitches that signal together; and coordinated action across the organization. With the combination of SIEM and XDR, defenders are now armed with more context and automation than ever and can leverage the time saved to apply their unique expertise within their own environment to proactively hunt and implement threat preventions.

As part of this announcement, we are unifying all XDR technologies under the Microsoft Defender brand. The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms. With Microsoft Defender we are both rebranding our existing threat protection portfolio and adding new capabilities, including additional multi-cloud (Google Cloud and AWS) and multi-platform (Windows, Mac, Linux, Android, and iOS) support.

Microsoft Defender is delivered in two tailored experiences, Microsoft 365 Defender for end-user environments and Azure Defender for cloud and hybrid infrastructure.

Microsoft 365 Defender

Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents. It uses artificial intelligence to reduce the SOC’s work items, and in a recent test we consolidated 1,000 alerts to just 40 high-priority incidents. Built-in self-healing technology fully automates remediation more than 70% of the time, ensuring defenders can focus on other tasks that better leverage their knowledge and expertise.

Today, we are making the following branding changes to unify the Microsoft 365 Defender technologies:

  • Microsoft 365 Defender (previously Microsoft Threat Protection).
  • Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection).
  • Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection).
  • Microsoft Defender for Identity (previously Azure Advanced Threat Protection).

New features within Microsoft 365 Defender will also be available:

  • Mobile threat defense capabilities in Microsoft Defender for Endpoint extend to iOS (now in Preview), and Android support now moves to GA. As a result, Microsoft now delivers endpoint protection across all major OS platforms. Learn more about the latest in our endpoint security journey.
  • Extension of current macOS support with the addition of threat and vulnerability management. You can learn more here.
  • Priority account protection in Microsoft Defender for Office 365 will help security teams focus on protection from phishing attacks for users who have access to the most critical and privileged information. Customers can customize prioritized account workflows to offer these users an added layer of protection. Learn more here.

An image of the Microsoft 365 Defender dashboard.


Azure Defender

Azure Defender delivers XDR capabilities to protect multi-cloud and hybrid workloads, including virtual machines, databases, containers, IoT, and more. Azure Defender is an evolution of the Azure Security Center threat protection capabilities and is accessed from within Azure Security Center.

Aligned with the Microsoft 365 brand changes, today we are announcing brand changes for these capabilities under Azure Defender, for example:

  • Azure Defender for Servers (previously Azure Security Center Standard Edition).
  • Azure Defender for IoT (previously Azure Security Center for IoT).
  • Azure Defender for SQL (previously Advanced Threat Protection for SQL).

We are also announcing new features that will be available within Azure Defender:

  • To help defenders identify and mitigate unprotected resources we are delivering a new unified experience for Azure Defender that makes it easy to see which resources are protected and which need protection. This updated experience can be accessed here and will be made broadly available later this month.
  • Added protection for SQL servers on-premises and in multi-cloud environments as well as virtual machines in other clouds, and improved protections for containers, including Kubernetes-level policy management and continuous scanning of container images in container registries.
  • Support for operational technology networks with the integration of CyberX into Azure Defender for IoT.

An image of Defender.


Azure Sentinel

The XDR capabilities of Microsoft Defender, delivered through Azure Defender and Microsoft 365 Defender, provide rich insights and prioritized alerts, but to gain visibility across your entire environment and include data from other security solutions such as firewalls and existing security tools, we connect Microsoft Defender to Azure Sentinel, our cloud-native SIEM.

Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

Today, we are announcing new features within Azure Sentinel:

  • The new entity behavior analytics view makes it easier to diagnose compromised accounts or malicious insiders.
  • Simplify management of threat intelligence by including the ability to search, add, and track threat indicators, perform threat intelligence lookups, and create watchlists. To learn more about these in detail, check out the Azure Sentinel blog.

An image of Azure Sentinel.

Azure Sentinel

Modernize your security operations

Some vendors deliver XDR, some deliver SIEM. Microsoft believes that defenders can benefit from using deeply integrated SIEM and XDR for end-to-end visibility and prioritized actionable insights across all your enterprise assets. We are committed to delivering the best-integrated experience with the broadest coverage of resources to help simplify your world.

Thank you for your continued partnership and invaluable input on this journey to deliver the most comprehensive threat protection to our global customers.

Infographic of Microsoft 365 Defender and Azure Defender

YouTube video: Microsoft Defender, Extended Detection and Response (XDR) | Microsoft Ignite 2020

Stay healthy. Stay safe.

-Rob & our entire Microsoft Security Team

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft delivers unified SIEM and XDR to modernize security operations appeared first on Microsoft Security.

Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale

September 15th, 2020 No comments

Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Earlier this year, we announced that we would replace the existing software testing experience known as Microsoft Security and Risk Detection with an automated, open-source tool as the industry moved toward this model. Today, we’re excited to release this new tool called Project OneFuzz, an extensible fuzz testing framework for Azure. Available through GitHub as an open-source tool, the testing framework used by Microsoft Edge, Windows, and teams across Microsoft is now available to developers around the world.

Fuzz testing is a highly effective method for increasing the security and reliability of native code—it is the gold standard for finding and removing costly, exploitable security flaws. Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from. That complexity required dedicated security engineering teams to build and operate fuzz testing capabilities, making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work.

Microsoft’s goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment. The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attacker’s job more difficult.

Recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code. What was once attached—at great expense—can now be baked into continuous build systems through:

  • Crash detection, once attached via tools such as Electric Fence, can be baked in with asan.
  • Coverage tracking, once attached via tools such as iDNA, DynamoRIO, and Pin, can be baked in with sancov.
  • Input harnessing, once accomplished via custom I/O harnesses, can be baked in with libFuzzer’s LLVMFuzzerTestOneInput function prototype.

These advances allow developers to create unit test binaries with a modern fuzzing lab compiled in: highly reliable test invocation, input generation, coverage, and error detection in a single executable. Experimental support for these features is growing in Microsoft’s Visual Studio. Once these test binaries can be built by a compiler, today’s developers are left with the challenge of building them into a CI/CD pipeline and scaling fuzzing workloads in the cloud.
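To make the three "baked in" pieces concrete, here is an added example (not code from the original post or from Project OneFuzz) of a test binary built around the `LLVMFuzzerTestOneInput` prototype. The type/length/value record format, the `parse_records()` target, and the `LIBFUZZER_BUILD` macro are assumptions chosen for illustration.

```c
/* Added example (not OneFuzz or Microsoft code). The record format, the
 * parse_records() target and the LIBFUZZER_BUILD macro are assumptions made
 * for illustration.
 *
 * Fuzzing build: clang -g -O1 -fsanitize=fuzzer,address -DLIBFUZZER_BUILD harness.c
 * Replay build:  cc -g harness.c   (runs the embedded sample inputs once)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VALUE_LEN 64

/* Summary of one parsed buffer of records: [type:1][len:1][value:len]... */
struct parse_stats {
    size_t records;      /* number of well-formed records */
    size_t value_bytes;  /* total payload bytes copied */
    uint8_t checksum;    /* XOR of all payload bytes */
};

/* Code under test. Returns 0 if the whole buffer is well-formed, -1 if a
 * record is truncated or its value exceeds MAX_VALUE_LEN. */
int parse_records(const uint8_t *data, size_t size, struct parse_stats *out)
{
    uint8_t value[MAX_VALUE_LEN];
    size_t off = 0;

    memset(out, 0, sizeof(*out));
    while (off < size) {
        if (size - off < 2)
            return -1;                  /* header truncated */
        size_t len = data[off + 1];
        off += 2;
        if (len > sizeof(value))
            return -1;                  /* would overflow the stack buffer */
        if (len > size - off)
            return -1;                  /* would read past the input */
        /* Dropping either check above turns this copy into a memory-safety
         * bug that an asan-instrumented build reports as a crash. */
        memcpy(value, data + off, len);
        for (size_t i = 0; i < len; i++)
            out->checksum ^= value[i];
        off += len;
        out->records++;
        out->value_bytes += len;
    }
    return 0;
}

/* Input harness: libFuzzer calls this once per generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct parse_stats st;

    /* Logic invariant: accepted input is exactly headers plus payload.
     * abort() makes a violation visible to the fuzzer as a crash. */
    if (parse_records(data, size, &st) == 0 &&
        st.records * 2 + st.value_bytes != size)
        abort();
    return 0;
}

#ifndef LIBFUZZER_BUILD
/* Replay driver for builds without libFuzzer, which supplies its own main().
 * The inputs below are constructed samples. */
int main(void)
{
    static const uint8_t well_formed[] = {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00};
    static const uint8_t truncated[]   = {0x01, 0x05, 'a'};
    struct parse_stats st;

    printf("well_formed -> %d\n", parse_records(well_formed, sizeof(well_formed), &st));
    printf("truncated   -> %d\n", parse_records(truncated, sizeof(truncated), &st));
    LLVMFuzzerTestOneInput(well_formed, sizeof(well_formed));
    LLVMFuzzerTestOneInput(truncated, sizeof(truncated));
    return 0;
}
#endif
```

In the fuzzing build, `-fsanitize=fuzzer` links the input generator and coverage instrumentation and `address` adds the crash detection, so the single executable is the kind of artifact a CI/CD pipeline would hand to a fuzzing service.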

Project OneFuzz has already enabled continuous developer-driven fuzzing of Windows that has allowed Microsoft to proactively harden the Windows platform prior to shipment of the latest OS builds. With a single command line (baked into the build system!) developers can launch fuzz jobs ranging in size from a few virtual machines to thousands of cores. Project OneFuzz enables:

  • Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs.
  • Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
  • Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce.
  • On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.
  • Observable and Debug-able: Transparent design allows introspection into every stage.
  • Fuzz on Windows and Linux OSes: Multi-platform by design. Fuzz using your own OS build, kernel, or nested hypervisor.
  • Crash reporting notification callbacks: Currently supporting Azure DevOps Work Items and Microsoft Teams messages

Project OneFuzz is available now on GitHub under an MIT license. It is updated by contributions from Microsoft Research & Security Groups across Windows and by more teams as we grow our partnership and expand fuzzing coverage across the company to continuously improve the security of all Microsoft platforms and products. Microsoft will continue to maintain and expand Project OneFuzz, releasing updates to the open-source community as they occur. Contributions from the community are welcomed. Share questions, comments, and feedback with us:

The post Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale appeared first on Microsoft Security.

Microsoft Security: Use baseline default tools to accelerate your security career

September 14th, 2020 No comments

I wrote a series of blogs last year on how gamified learning through cyber ranges can create more realistic and impactful cybersecurity learning experiences and help attract tomorrow’s security workforce. With the global talent shortage in this field, we need to work harder to bring people into the field. This blog is for new cyber professionals or perhaps younger aspirants considering getting into cyber. From an employee’s perspective, it can seem daunting to know where to start, especially when you’re entering an organization with established technology investments, priorities, and practices. Having come to this field later in my career than others, I say from experience that we need to do a better job collectively in providing realistic and interesting role-based learning, paths toward the right certifications and endorsements, and more definitive opportunities to advance one’s career.

I’m still a big fan of gamified learning, but if gaming isn’t your thing, then another way to acquire important baseline learning is to look at simpler, more proactive management tools that up-level different tasks and make your work more efficient. Microsoft has recently released two important cloud security posture management tools that can help a newer employee quickly grasp basic yet critically important security concepts AND show immediate value to your employer. They’re intuitive to learn and deserve more attention.  I’m talking about Azure Security Defaults and Microsoft Secure Score (also including Azure Secure Score). While tools like these don’t typically roll off the tongue, and your experience won’t grab you like an immersive gaming UI, their purpose-built capabilities that focus on commonly-accepted cyber hygiene best practices reinforce solid foundational practices that are no less important than SecOps, incident response, or forensics and hunting. Learning how to use these tools can make you a champion and influencer, and we encourage you to learn more below. These capabilities are also built directly into our larger Azure and M365 services, so by using built-in tools, you’ll help your organization maximize its investments in our technologies and help save money and reduce complexity in your environment.

Azure Security Defaults is named for what it does—setting often overlooked defaults. With one click, you automatically enable several foundational security controls that if left unaddressed are convenient and time-tested targets for attackers to go after your organization. One question that I frequently receive is why Microsoft doesn’t simply pre-configure these settings by default and force customers to turn them off. Several large, high-threat customers have asked specifically that we do that. It’s tempting, but until or unless we make such a move, this is a great self-service add-on. As explained in this blog, ASD does the following:

  • Requires all users to register for Azure Multi-Factor Authentication.
  • Requires admins to perform MFA.
  • Blocks legacy authentication protocols.
  • Requires users to perform MFA when necessary.
  • Protects privileged activities to access the Azure Portal.

A recent important addition to ASD is that Microsoft announced on August 12th that ASD is now also available through Azure Security Center. This is an important and beneficial addition in that it adds another opportunity for your IT organization—whether identity and access management, or security operations—to implement the defaults. I’ve noticed on several occasions when briefing or providing a demo on Azure Security Center to a CISO team that a challenge in effectively using this service may come down to organizational issues, specifically, Who OWNS it?  Is ASC a CISO tool? Regardless of who may own the responsibility, we want to provide the capability upfront.

Microsoft Secure Score is a relatively new feature designed to quantify your security posture based on how you configure your Microsoft resources. What’s cool and impactful about it is that it shows, in a convenient top-down menu, how the approach your organization has taken compares (anonymously) with that of your industry segment’s peers (which in many cases have similar reference architectures), and provides clear recommendations for what you can do to improve your score. From a Microsoft perspective, this is what we’d call all carrot and no stick. Although we provide Azure Security Defaults, as covered above, customers are still on point to make a proactive decision to implement controls based on their particular work culture, compliance requirements, priorities, and business needs. Take a look at how it works:

This convenient landing page provides an all-up view into the current state of your organization’s security posture, with specific recommendations to improve certain configuration settings based on an art-of-the-possible. In this demo example, if you were to enable every security control to its highest level, your score would be 124, as opposed to the current score of 32, for a percentage of 25.81. Looking to the right of the screen, you get a sense of comparison against peer organizations. You can further break down your score by categories such as identity, data, device, apps, and infrastructure; this in turn gives a security or compliance team the opportunity to collaborate with hands-on teams that control those specific resources and who might be operating in silos, not necessarily focused on security postures of their counterparts.

An image of Microsoft Secure Score.


Azure Secure Score

You’ll also find Secure Score in the Azure Security Center blade where it provides recommendations front and center, and a color-coded circular graph on important hybrid infrastructure configurations and hygiene.

An image of Secure Score in the Azure Security Center.

Drilling deeper, here we see a variety of recommendations to address specific findings. For example, the top line item is advice to ‘remediate vulnerabilities’, indicating that 35 of 59 resources that ASC is monitoring are in some way not optimized for security.

An image of variety of recommendations to address specific findings.

Going a level further into the ‘secure management ports’ finding, we see a sub-heading list of actions you can take specific to these resources’ settings. Fortunately, in this case, the administrator has addressed previously-discovered findings, leaving just three to-do’s under the third subheading. For added convenience, the red/green color-coding on the far right draws your attention.

An image of the ‘secure management ports’ finding.

Clicking on the third item above shows you a description of what ASC has found, along with remediation steps. You have two options to remediate: more broadly enable and require ‘just in time’ VM access; or, manually enable JIT for each resource. Again, Microsoft wants to incentivize and make it easier for your organization to take more holistic and proactive steps across your resources such as enabling important settings by default; but we in no way penalize you for the security settings that you implement.

An image of a description of what ASC has found, along with remediation steps.

The post Microsoft Security: Use baseline default tools to accelerate your security career appeared first on Microsoft Security.

Accelerate your adoption of SIEM using Azure Sentinel and a new offer from Microsoft

September 8th, 2020 No comments

Take advantage of the efficiency benefits of Cloud-native SIEM using Azure Sentinel

Today, security needs are evolving faster than ever—and the importance of being agile and cost-effective has never been clearer. Security teams need to get more done, faster, with less budget. On-premises security information and event management (SIEM) solutions can’t keep up with these demands and are expensive to maintain. By embracing a cloud-native SIEM like Azure Sentinel, you can save money and enable your security operations team to be more effective.

According to an IDG survey of IT leaders, cloud-based SIEM solutions cost 11 percent less to support than on-premises solutions, since they drastically reduce infrastructure, licensing, and labor costs. Plus, that same survey found that cloud-based SIEM users missed fewer threats—only 43 percent of cloud SIEM users reported concerns about missed threats, compared to 66 percent of traditional SIEM users. This is likely because cloud adopters were twice as likely to utilize automation.

We know that right now, security operations teams need these cost savings and efficiency benefits more than ever. To help accelerate your move to the cloud, we’re pleased to announce an Azure Credit offer from Microsoft. For a limited time, get $25,000 of Azure credits when you ingest an average of 50GB/day into Azure Sentinel for three consecutive months.

This offer allows you to experience the benefits of the cloud firsthand by scaling up your Azure Sentinel deployment or accelerating your migration from an on-premises SIEM. With Azure Sentinel, you can get enterprise-wide intelligent security analytics, eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs – all while reducing IT costs.

Details of the $25,000 Azure Credit Offer

This offer is available for qualified customers starting September 1, for a limited time.

Customers must fulfill all the requirements below to be eligible for inclusion into the program:

  • Must have a Microsoft Enterprise Agreement
  • Must be a new Azure Sentinel customer or an existing customer ingesting less than an average of 5 GB of data per day over the last 6 months
  • Must have access to a minimum of 10 E5 security suite licenses or component licenses. Qualifying products include:
    • Microsoft 365 E5
    • Microsoft 365 E5 security
    • Standalone products including Microsoft Defender Advanced Threat Protection, Office Advanced Threat Protection, Azure Advanced Threat Protection, Microsoft Cloud App Security (MCAS), Azure Active Directory P2, Advanced Threat Protection Plan 1, Advanced Threat Protection Plan 2
    • Other suites that include some of the standalone components above, such as Office 365 E5, Windows E5, Enterprise Mobility and Security E5

In order to qualify for the $25,000 Azure Credit Offer, customers must ingest an average of 50GB per day or more into Azure Sentinel for three consecutive full months (measured out of the previous four months to accommodate billing cycle alignment) following their inclusion into the program. This consumption excludes data consumption from other free offers, such as trials, Azure Pass, Azure Access Sponsorship, or ACO, as well as the free data sources offered in Sentinel.

Once a customer’s eligibility to receive the offer has been verified, the customer will receive the Azure credits within two billing cycles. The Azure credits will be available until either the next enrollment anniversary or the end of the customer’s EA term – whichever comes first.

Get started today

Contact your Microsoft representative to learn more about the qualification criteria and how to take advantage of this offer. Or, if you don’t have a Microsoft representative, reach out to sales to learn more about Azure Sentinel.

Visit our website to learn more about Azure Sentinel or Microsoft Security solutions. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Accelerate your adoption of SIEM using Azure Sentinel and a new offer from Microsoft appeared first on Microsoft Security.

3 ways Microsoft 365 can help you reduce helpdesk costs

September 3rd, 2020 No comments

With more people than ever working remotely, organizations must maximize employee productivity while protecting an ever-growing digital footprint. Many have stitched together specialized security solutions from different vendors to improve their cybersecurity posture, but this approach is expensive and can result in gaps in coverage and a fragmented user experience. With Microsoft’s integrated security solutions, you can enhance security and user productivity more cost-effectively.

Focusing a lens on the helpdesk illuminates how consolidating with Microsoft helps streamline and strengthen your security posture. Your helpdesk plays an important role in enabling employees to be more effective, but it can also reveal organization-wide productivity challenges. Productivity matters because if security controls are too cumbersome, employees will find workarounds. In this blog, I’ll highlight three examples of how Microsoft 365 can help you reduce costs while strengthening cybersecurity.

1. Reduce password reset calls by 75 percent

One of the most common reasons that employees call the helpdesk is to reset their password. These calls result in a loss of productivity for employees who are locked out of their accounts. They also require employees and helpdesk analysts to take time out of their busy days to work through steps to reset the password. With a high volume of calls, the costs add up.

The best way to reduce password reset calls is to eliminate passwords entirely. Microsoft has built support for passwordless authentication methods such as biometrics, FIDO-2 security keys, and PINs into all our products and services. Because they are encrypted and stored locally on your users’ devices, these methods are more secure than passwords and easier for employees—and they can reduce your costs. When Microsoft rolled out passwordless to our employees, the hard and soft costs of supporting passwords fell by 87 percent.

Deploying passwordless is a phased journey and not everyone is ready to start that process now, so it’s important to also improve productivity for password users. Azure Active Directory (Azure AD) is an identity and access management solution that allows users to sign in to all their on-premises and cloud apps with one set of credentials—whether they use passwords or passwordless methods. With single sign-on employees will have far fewer passwords to remember; however, sometimes they may still forget or Azure AD may force them to reset a password if an account appears compromised. In either case, Azure AD self-service password reset lets employees unblock their accounts, on their time, via an online portal.

According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, Azure AD self-service password reset can reduce the number of password reset calls per month by 75 percent. In this commissioned study, Forrester Consulting developed a composite organization based on interviews with four customers in different industries who have used Azure AD for years. Deploying Azure AD self-service password reset resulted in a return on investment of USD 1.7 million over three years.


2. Streamline Windows 10 upgrade path

Twice a year Microsoft releases new features and security capabilities for Windows 10. Typically, users are able to download the new operating system and quickly get back to work—but if you use a non-Microsoft product for endpoint detection or antivirus, it can complicate the process.

When a non-Microsoft vendor’s security product is not compatible with a new version of Windows 10, it prevents users from upgrading. This can be confusing for employees, who call the helpdesk for assistance. In addition to facilitating these calls, your team must also run software compatibility testing once a new version of the security software is released. Meanwhile, your company can’t take advantage of the productivity and security features available in the latest version of Windows 10.

To reduce dependencies without compromising security, turn on Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Microsoft Defender ATP helps you protect, detect, and respond to advanced attacks against all your endpoints. Microsoft Defender Antivirus, a Microsoft Defender ATP capability, uses artificial intelligence and machine learning to find and block malware and other viruses. Both solutions are designed to work together and are integrated with Windows 10, which reduces the likelihood of helpdesk calls during the upgrade process.

An image of Microsoft Defender ATP.

3. Empower users to manage their devices

A third driver of helpdesk calls is device management. Any time an employee needs help with a device, such as when they start a new job or want to use a personal device to access email, a helpdesk analyst is often involved. The analyst sets up devices with the appropriate applications and permissions and troubleshoots challenges with access.

As the way we work has changed, people no longer access corporate resources solely from the office using company-provided devices. Reading emails from a coffee shop on a personal phone or reviewing presentations from a tablet makes working more convenient, but it can also introduce security challenges. Employees may not upgrade their devices or apply security patches in a timely manner. They sometimes, unknowingly, download apps with security flaws. Attackers leverage these vulnerabilities to gain access to sensitive company resources.

An image showing how attackers leverage vulnerabilities to gain access to sensitive company resources.

Microsoft Endpoint Manager makes it easier to provision, update, and manage personal and business laptops and mobile devices with support for Windows, macOS, iOS, and Android Enterprise. Integration with Azure AD enables employees to use Microsoft Intune Portal to enroll both corporate-owned and personal devices without helpdesk intervention. Intune automatically installs appropriate apps, or you can allow employees to choose apps through the portal.

With Microsoft Endpoint Manager, you can also enforce security policies on all enrolled devices. For example, you can require that employees use the most current operating system to access corporate resources. You can define PIN requirements or install threat protection software. If users don’t want to enroll their device, mobile app management capabilities let you isolate organizational data from personal data. These policies are defined globally and automatically applied when users register devices, streamlining the process for everyone.

An image showing how Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IoT devices.

Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IoT devices to detect, block, and elevate threats. Consolidate with Microsoft to strengthen security, simplify the user experience, and reduce helpdesk costs.

The post 3 ways Microsoft 365 can help you reduce helpdesk costs appeared first on Microsoft Security.

New Forrester study shows customers who deploy Microsoft Azure AD benefit from 123% ROI.

August 13th, 2020 No comments

Over the past six months, organizations around the world have accelerated digital transformation efforts to rapidly enable a remote workforce. As more employees than ever access apps via their home networks, the corporate network perimeter has truly disappeared, making identity the control plane for effective and secure access across all users and digital resources.

Businesses have responded to the pandemic by increasing budgets, adding staff, and accelerating deployment of cloud-based security technologies to stay ahead of phishing scams and to enable Zero Trust architectures. But the pressure to reduce costs is also real. Given COVID-19 and uncertain economic conditions, many of you are prioritizing security investments. But how should you allocate them? According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, investing in identity can not only help you accelerate your Zero Trust journey, it can also save you money and deliver more value. In this commissioned study, Forrester Consulting interviewed four customers in different industries who have used Azure AD for years. Forrester used these interviews to develop a composite organization. They found that customers securing apps with Azure AD can benefit from a 123 percent return on investment over three years in a payback period of six months.

An image showing the total economic impact of securing apps with Microsoft Azure AD.

The customers interviewed improved user productivity, reduced costs, and gained IT efficiencies in the following areas[1]:

Increased worker productivity with secure and seamless access to all apps

Employees expect to collaborate on any project from anywhere using any app—especially now, when so many are working from home. But they find signing into multiple applications throughout the day frustrating and time-consuming. When you connect all your apps to Azure AD, employees sign in once using single sign-on (SSO). From there, they can easily access Microsoft apps like Microsoft Teams, software as a service (SaaS) apps like Box, on-premises apps like SAP Hana, and various custom line-of-business apps. Forrester estimates that consolidating to a single identity and access management solution and providing one set of credentials saves each employee 10 minutes a week on average, valued at USD 7.1 million over three years.

“Our CIO really didn’t like that anybody onboarding with our company was receiving—and this is not an exaggeration—two dozen credentials. In the executive branch, they took up to two weeks to get a new hire on their feet.” –Director of workplace technology, Electronics

Reduced costs by reducing the risk of a data breach

A data breach can be incredibly expensive for victims, who must recover not only their environments but also their reputations. Breaches often start with a compromised account, which is why it’s so important to protect your identities.

With Azure AD, you can secure all your applications and make it harder for attackers to acquire and use stolen credentials. You can ban common passwords, block legacy authentication, and protect your privileged identities. You can implement adaptive risk-based policies and enforce multi-factor authentication to ensure that only the right users have the right access. Forrester found that using these Azure AD features can help organizations reduce the risk of a data breach, saving them an estimated USD 2.2 million over a three-year period.

“Conditional Access was non-negotiable as we moved to the cloud. We had to be able to apply policies that scoped applications, users, devices, and risk states. You can’t let a compromised user walk into a cloud app anymore. It’s unacceptable.” –Information security services, manufacturing

Empowered workers to reset their own passwords

If you have a help desk, your employees likely make thousands of password reset requests per month. Locked-out users can’t be productive, and their pleas for help eat up valuable time help desk workers could spend on other priority tasks. One organization told Forrester it costs them between USD 500,000 and USD 700,000 per year just to reset passwords.

With Azure AD Self-Service Password Reset, employees can reset their own passwords without help desk intervention. Forrester estimates that with this feature, customers can decrease the number of password reset calls per month by 75 percent, yielding a three-year adjusted present value of USD 1.7 million.

Unlocked efficiency gains by consolidating their identity infrastructure

Many enterprises use several solutions for identity and access management: an on-premises solution for legacy applications, a SaaS-based solution for modern cloud applications, and Azure AD for Microsoft applications. Maintaining this complex infrastructure requires multiple servers and licenses, not to mention people who understand the various systems. Migrating authentication for all your apps to Azure AD can significantly reduce hardware and licensing fees. Forrester estimates savings at a three-year adjusted present value of USD 1.9 million.

Consolidating your identity infrastructure to Azure AD gives you the benefits of cloud-based identity and access management solutions and frees your team to focus on other priorities. IT and identity teams in the study reduced time and effort spent provisioning/deprovisioning accounts, integrating new applications, and addressing issues related to IAM infrastructure. They also experienced less system downtime. Forrester estimated the value of IT efficiency gains at USD 3.0 million over three years.

Integrating with Azure AD also benefits software vendors

As part of the TEI, Forrester interviewed two Independent Software Vendors (ISVs), Zscaler and Workplace from Facebook. They documented their findings in the spotlight, Software Vendors Boost Adoption by Integrating Their Apps with Microsoft Azure Active Directory. Integrating their applications with Azure AD helped the two ISVs interviewed accelerate their sales cycles, as well as product adoption. Seamless integration with Azure AD helps ISVs reach the more than 200,000 organizations that use Azure AD. ISVs can easily give their customers and prospects single sign-on, automated user provisioning, and enhanced security through the security features built into Azure AD, while focusing their energies on enhancing their own solution.

“There is a shorter sales cycle for our platform. Many of our customers are already AD FS-based users, and our integration with Azure AD makes the case for our services that much more compelling. It also allows us to be more agile in helping customers get things implemented more quickly. Essentially, there’re fewer barriers to entry for customers.” – Vice President, product management, Zscaler

“We have a strong mutual customer base with Microsoft, which is why we’ve built such a great partnership with them over the years. Obviously, Azure AD is widely used by our customers, so it makes sense to leverage it.” – Platform Partnerships Manager, Workplace from Facebook

Learn more

COVID-19 has ushered in a new normal of remote work and conservative budgets, but that doesn’t mean you have to sacrifice security or the user experience. By integrating all your apps with Azure AD you can add value—like giving your employees a more convenient and secure work from home experience—while preserving valuable resources.

Find out how Azure AD can help secure all your apps and read the full Forrester Consulting study, The Total Economic Impact™ of securing apps with Microsoft Azure Active Directory, and the spotlight, Software Vendors Boost Adoption by Integrating Their Apps with Microsoft Azure Active Directory.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Forrester based all savings estimates on the composite organization developed for its TEI study.

The post New Forrester study shows customers who deploy Microsoft Azure AD benefit from 123% ROI. appeared first on Microsoft Security.