Archive for the ‘Ciso series page’ Category

Zero Trust Deployment Guide for devices

May 26th, 2020

The modern enterprise has an incredible diversity of endpoints accessing their data. This creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.

Whether a device is a personally owned BYOD device or a corporate-owned and fully managed device, we want to have visibility into the endpoints accessing our network, and ensure we’re only allowing healthy and compliant devices to access corporate resources. Likewise, we are concerned about the health and trustworthiness of mobile and desktop apps that run on those endpoints. We want to ensure those apps are also healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.

Get visibility into device health and compliance

Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attacks, while mobile devices often go unmonitored and without protections. To help limit risk exposure, we need to monitor every endpoint to ensure it has a trusted identity, has security policies applied, and the risk level for things like malware or data exfiltration has been measured, remediated, or deemed acceptable. For example, if a personal device is jailbroken, we can block access to ensure that enterprise applications are not exposed to known vulnerabilities.

  1. To ensure you have a trusted identity for an endpoint, register your devices with Azure Active Directory (Azure AD). Devices registered in Azure AD can be managed using tools like Microsoft Endpoint Manager, Microsoft Intune, System Center Configuration Manager, Group Policy (hybrid Azure AD join), or other supported third-party tools (using the Intune Compliance API + Intune license). Once you’ve configured your policy, share the following guidance to help users get their devices registered—new Windows 10 devices, existing Windows 10 devices, and personal devices.
  2. Once we have identities for all the devices accessing corporate resources, we want to ensure that they meet the minimum security requirements set by your organization before access is granted. With Microsoft Intune, we can set compliance rules for devices before granting access to corporate resources. We also recommend setting remediation actions for noncompliant devices, such as blocking a noncompliant device or offering the user a grace period to get compliant.

Restricting access from vulnerable and compromised devices

Once we know the health and compliance status of an endpoint through Intune enrollment, we can use Azure AD Conditional Access to enforce more granular, risk-based access policies. For example, we can ensure that no vulnerable devices (like devices with malware) are allowed access until remediated, or ensure logins from unmanaged devices only receive limited access to corporate resources, and so on.

  1. To get started, we recommend only allowing access to your cloud apps from Intune-managed, domain-joined, and/or compliant devices. These are baseline security requirements that every device will have to meet before access is granted.
  2. Next, we can configure device-based Conditional Access policies in Intune to enforce restrictions based on device health and compliance. This will allow us to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite. For example, we might want to exclude certain device platforms from accessing specific apps.
  3. Finally, we want to ensure that your endpoints and apps are protected from malicious threats. This will help ensure your data is better-protected and users are at less risk of getting denied access due to device health and/or compliance issues. We can integrate data from Microsoft Defender Advanced Threat Protection (ATP), or other Mobile Threat Defense (MTD) vendors, as an information source for device compliance policies and device Conditional Access rules. Options below:
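
A way to check the baseline from steps 1 and 2 against a tenant's exported Conditional Access policies, as an added example (not part of the original post and not Microsoft's code). It assumes the policies were exported as JSON in the Microsoft Graph conditionalAccessPolicy shape; the sample policies and the function names are constructed for illustration.

```python
"""Audit exported Conditional Access policies for a device-trust baseline.

Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
resource; the policies in SAMPLE_POLICIES are constructed, not real exports.
"""

# Grant controls that prove the device is Intune-compliant or hybrid Azure AD joined.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def requires_device_trust(grant):
    """True only if every way of satisfying the grant needs a trusted device."""
    grant = grant or {}
    controls = set(grant.get("builtInControls") or [])
    if not controls or "block" in controls:
        return False
    if grant.get("operator", "OR") == "AND":
        # All controls are required, so one device control is enough.
        return bool(controls & DEVICE_CONTROLS)
    # OR: any single control grants access, so each one must be a device control.
    return controls <= DEVICE_CONTROLS


def audit_policy(policy):
    """Return findings for one policy; an empty list means a tenant-wide baseline."""
    findings = []
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    users = cond.get("users") or {}
    platforms = cond.get("platforms") or {}

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, so nothing is enforced")
    if not requires_device_trust(policy.get("grantControls")):
        findings.append("grant controls can be met without a compliant or joined device")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("does not cover all cloud apps")
    if "All" not in (users.get("includeUsers") or []):
        findings.append("does not cover all users")
    included = platforms.get("includePlatforms")
    if included and "all" not in included:
        findings.append("limited to platforms: " + ", ".join(included))
    # Exclusions (emergency accounts, pilot carve-outs) are listed for review.
    for key, section in (("excludeApplications", apps), ("excludeUsers", users),
                         ("excludeGroups", users), ("excludePlatforms", platforms)):
        excluded = section.get(key) or []
        if excluded:
            findings.append(f"{key} carves out: " + ", ".join(excluded))
    return findings


def audit_tenant(policies):
    """Return (baseline_met, {policy name: findings}) for a list of policies."""
    report = {p.get("displayName", p.get("id", "?")): audit_policy(p) for p in policies}
    return any(not f for f in report.values()), report


def _policy(name, state, operator, controls, platforms=None):
    """Build a constructed sample policy scoped to all users and all cloud apps."""
    conditions = {"applications": {"includeApplications": ["All"]},
                  "users": {"includeUsers": ["All"]}}
    if platforms:
        conditions["platforms"] = platforms
    return {"displayName": name, "state": state, "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": controls}}


# Constructed sample data.
SAMPLE_POLICIES = [
    _policy("Require compliant or hybrid joined device", "enabled", "OR",
            ["compliantDevice", "domainJoinedDevice"]),
    # MFA alone satisfies this one, so an unmanaged device still gets in.
    _policy("Compliant device or MFA", "enabled", "OR", ["compliantDevice", "mfa"]),
    _policy("Device baseline pilot", "enabledForReportingButNotEnforced", "AND",
            ["mfa", "compliantDevice"],
            {"includePlatforms": ["all"], "excludePlatforms": ["android", "iOS"]}),
]

if __name__ == "__main__":
    met, report = audit_tenant(SAMPLE_POLICIES)
    print("device-trust baseline enforced:", met)
    for name, findings in report.items():
        print(f"- {name}: {'OK' if not findings else '; '.join(findings)}")
```
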

Enforcing security policies on mobile devices and apps

We have two options for enforcing security policies on mobile devices: Intune Mobile Device Management (MDM) and Intune Mobile Application Management (MAM). In both cases, once data access is granted, we want to control what the user does with the data. For example, if a user accesses a document with a corporate identity, we want to prevent that document from being saved in an unprotected consumer storage location or from being shared with a consumer communication or chat app. With Intune MAM policies in place, they can only transfer or copy data within trusted apps such as Office 365 or Adobe Acrobat Reader, and only save it to trusted locations such as OneDrive or SharePoint.

Intune ensures that the device configuration aspects of the endpoint are centrally managed and controlled. Device management through Intune enables endpoint provisioning, configuration, automatic updates, device wipe, or other remote actions. Device management requires the endpoint to be enrolled with an organizational account and allows for greater control over things like disk encryption, camera usage, network connectivity, certificate deployment, and so on.

Mobile Device Management (MDM)

  1. First, using Intune, let’s apply Microsoft’s recommended security settings to Windows 10 devices to protect corporate data (Windows 10 1809 or later required).
  2. Ensure your devices are patched and up to date using Intune—check out our guidance for Windows 10 and iOS.
  3. Finally, we recommend ensuring your devices are encrypted to protect data at rest. Intune can manage a device’s built-in disk encryption across both macOS and Windows 10.

Meanwhile, Intune MAM is concerned with management of the mobile and desktop apps that run on endpoints. Where user privacy is a higher priority, or the device is not owned by the company, app management makes it possible to apply security controls (such as Intune app protection policies) at the app level on non-enrolled devices. The organization can ensure that only apps that comply with their security controls, and running on approved devices, can be used to access emails or files or browse the web.

With Intune, MAM is possible for both managed and unmanaged devices. For example, a user’s personal phone (which is not MDM-enrolled) may have apps that receive Intune app protection policies to contain and protect corporate data after it has been accessed. Those same app protection policies can be applied to apps on a corporate-owned and enrolled tablet. In that case, the app-level protections complement the device-level protections. If the device is also managed and enrolled with Intune MDM, you can choose not to require a separate app-level PIN if a device-level PIN is set, as part of the Intune MAM policy configuration.

Mobile Application Management (MAM)

  1. To protect your corporate data at the application level, configure Intune MAM policies for corporate apps. MAM policies offer several ways to control access to your organizational data from within apps:
    • Configure data relocation policies like save-as restrictions for saving organization data or restrict actions like cut, copy, and paste outside of organizational apps.
    • Configure access policy settings like requiring simple PIN for access or blocking managed apps from running on jailbroken or rooted devices.
    • Configure automatic selective wipe of corporate data for noncompliant devices using MAM conditional launch actions.
    • If needed, create exceptions to the MAM data transfer policy to and from approved third-party apps.
  2. Next, we want to set up app-based Conditional Access policies to ensure only approved corporate apps access corporate data.
  3. Finally, using app configuration (appconfig) policies, Intune can help eliminate app setup complexity or issues, make it easier for end users to get going, and ensure better consistency in your security policies. Check out our guidance on assigning configuration settings.

Conclusion

We hope the above helps you deploy and successfully incorporate devices into your Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog. For more information on Microsoft Security Solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust Deployment Guide for devices appeared first on Microsoft Security.

Operational resilience in a remote work world

May 18th, 2020

Microsoft CEO Satya Nadella recently said, “We have seen two years’ worth of digital transformation in two months.” This is a result of many organizations having to adapt to the new world of document sharing and video conferencing as they become distributed organizations overnight.

At Microsoft, we understand that while the current health crisis we face together has served as this forcing function, some organizations might not have been ready for this new world of remote work, financially or organizationally. Just last summer, a simple lightning strike caused the U.K.’s National Grid to suffer the biggest blackout in decades. It affected homes across the country, shut down traffic signals, and closed some of the busiest train stations in the middle of the Friday evening rush hour. Trains needed to be manually rebooted causing delays and disruptions. And, when malware shut down the cranes and security gates at Maersk shipping terminals, as well as most of the company’s IT network—from the booking site to systems handling cargo manifests, it took two months to rebuild all the software systems, and three months before all cargo in transit was tracked down—with recovery dependent on a single server having been accidentally offline during the attack due to the power being cut off.

Cybersecurity provides the underpinning for operational resiliency as more organizations adapt to enabling secure remote work options, whether in the short or long term. And, whether the disruption is natural or manmade, the difference between success and struggle comes down to a strategic combination of planning, response, and recovery. To maintain cyber resilience, organizations should regularly evaluate their risk threshold and their ability to operationally execute the processes through a combination of human efforts and technology products and services.

While my advice is often a three-pronged approach of turning on multi-factor authentication (MFA)—100 percent of your employees, 100 percent of the time—using Secure Score to increase an organization’s security posture and having a mature patching program that includes containment and isolation of devices that cannot be patched, we must also understand that not every organization’s cybersecurity team may be as mature as another.

Organizations must now be able to provide their people with the right resources so they are able to securely access data, from anywhere, 100 percent of the time. Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber-resilient mindset. They shouldn’t just adhere to a set of IT security policies around identity-based access control, but they should also be alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Moving to a secure remote work environment without a resilience plan in place that includes cyber resilience increases an organization’s risk.

Before COVID, we knew that while a majority of firms have a disaster recovery plan on paper, nearly a quarter never test that plan, and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

Operational resilience cannot be achieved without a true commitment to, and investment in, cyber resilience. We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

Learn more about our guidance related to COVID-19 here, and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Operational resilience in a remote work world appeared first on Microsoft Security.

CISO stress-busters: post #1 overcoming obstacles

May 11th, 2020

As part of the launch of the U.S. space program’s moon shot, President Kennedy famously said we do these things “not because they are easy, but because they are hard.” The same can be said for the people responsible for security at their organizations; it is not a job one takes because it is easy. But it is critically important to keep our digital lives and work safe. And for the CISOs and leaders of the world, it is a job that is more than worth the hardships.

Recent research from Nominet paints a concerning picture of a few of those hardships. Forty-eight percent of CISO respondents indicated work stress had negatively impacted their mental health; this is almost double the number from last year’s survey. Thirty-one percent reported job stress had negatively impacted their physical health and 40 percent have seen their job stress impacting their personal lives. Add a fairly rapid churn rate (26 months on average) to all that stress and it’s clear CISOs are managing a tremendous amount of stress every day. And when crises hit, from incident response after a breach to a suddenly remote workforce after COVID-19, that stress only shoots higher.

Which is why we’re starting this new blog series called “CISO stress-busters.” In the words of CISOs from around the globe, we’ll be sharing insights, guidance, and support from peers on the front lines of the cyber workforce. Kicking us off—the main challenges that CISOs face and how they turn those obstacles into opportunity. The goal of the series is to be a bit of chicken (or chik’n for those vegans out there) soup for the CISO’s soul.

Today’s post features wisdom from three CISOs/Security Leaders:

  • TM Ching, Security CTO at DXC Technology
  • Jim Eckart, (former) CISO at Coca-Cola
  • Jason Golden, CISO at Mainstay Technologies

Clarifying contribution

Ask five different CEOs what their CISOs do and after the high level “manage security” answer you’ll probably get five very different explanations. This is partly because CISO responsibility can vary widely from company to company. So, it’s no surprise that many of the CISOs we interviewed touched on this point.

TM Ching summed it up this way, “Demonstrating my role to the organization can be a challenge—a role like mine may be perceived as symbolic” or that security is just here to “slow things down.” For Jason, “making sure that business leaders understand the difference between IT Operations, Cybersecurity, and InfoSec” can be difficult because execs “often think all of those disciplines are the same thing” and that since IT Ops has the products and solutions, they own security. Jim also bumped up against confusion about the security role with multiple stakeholders pushing and pulling in different directions like “a CIO who says ‘here is your budget,’ a CFO who says ‘why are you so expensive?’ and a general counsel who says ‘we could be leaking information everywhere.’”

What works:

  • Educate Execs—about the role of a CISO. Helping them “understand that it takes a program, that it’s a discipline.” One inflection point is after a breach, “you may be sitting there with an executive, the insurance company, their attorneys, maybe a forensics company and it always looks the same. The executive is looking down the table at the wide-eyed IT person saying ‘What happened?’” It’s an opportunity to educate, to help “make sure the execs understand the purpose of risk management.”—Jason Golden. To see how to do this, watch Microsoft CISO Series Episode 2 Part 1: Security is everyone’s Business.
  • Show Don’t Tell—“It is important to constantly demonstrate that I am here to help them succeed, and not to impose onerous compliance requirements that stall their projects.”—TM Ching
  • Accountability Awareness—CISOs do a lot, but one thing they shouldn’t do is to make risk decisions for the business in a vacuum. That’s why it’s critical to align “all stakeholders (IT, privacy, legal, financial, security, etc.) around the fact that cybersecurity and compliance are business risk issues and not IT issues. IT motions are (and should be) purely in response to the business’ decision around risk tolerance.”—Jim Eckart

Exerting influence

Fans of Boehm’s curve know that the earlier security can be introduced into a process, the less expensive it is to fix defects and flaws. But it’s not always easy for CISOs to get security a seat at the table whether it’s early in the ideation process for a new customer facing application or during financial negotiations to move critical workloads to the cloud. As TM put it, “Exerting influence to ensure that projects are secured at Day 0. This is possibly the hardest thing to do.” And because “some business owners do not take negative news very well” telling them their new app baby is “security ugly” the day before launch can be a gruesome task. And as Jason pointed out, “it’s one thing to talk hypothetically about things like configuration management and change management and here are the things that you need to do to meet those controls so you can keep your contract. It’s a different thing to get that embedded in operations so that IT and HR all the way through finance are following the rules for change management and configuration management.”

What Works:

  • Negotiate engagement—To avoid the last minute “gotchas” or bolting on security after a project has deployed, get into the conversation as early as possible. This isn’t easy, but as TM explains, it can be done. “It takes a lot of negotiations to convince stakeholders why it will be beneficial for them in the long run to take a pause and put the security controls in place, before continuing with their projects.”
  • Follow frameworks—Well-known frameworks like the NIST Cybersecurity Framework, NIST SP800-53, and SP800-37 can help CISOs “take things from strategy to operations” by providing baselines and best practices for building security into the entire organization and systems lifecycle. And that will pay off in the long run; “when the auditors come calling, they’re looking for evidence that you’re following your security model and embedding that throughout the organization.” —Jason

Cultivating culture

Wouldn’t it be wonderful if every company had a security mindset and understood the benefits of having a mature, well-funded security and risk management program? If every employee understood what a phish looks like and why they should report it? Unfortunately, most companies aren’t laser focused on security, leaving that education work up to the CISO and their team. And having those conversations with stakeholders that sometimes have conflicting agendas requires technical depth and robust communication skills. That’s not easy. As Jim points out, “it’s a daunting scope of topics to be proficient in at all levels.”

What works:

  • Human firewalls—All the tech controls in the world won’t stop 100 percent of attacks; people need to be part of the solution too. “We can address administrative controls, technical controls, physical controls, but you also need to address the culture and human behavior, or the human firewalls. You know you’re only going to be marginally successful if you don’t engage employees too.” —Jason
  • Know your audience—CISOs need to cultivate “depth and breadth. On any given day, I needed to move from board-level conversations (where participants barely understand security) all the way to the depths of zero day vulnerabilities, patching, security architecture.” —Jim

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to me on LinkedIn and let me know what you thought of this article and if you’re interested in being interviewed for one of our upcoming posts.

The post CISO stress-busters: post #1 overcoming obstacles appeared first on Microsoft Security.

Afternoon Cyber Tea: Building operational resilience in a digital world

April 13th, 2020

Operational resiliency is a topic of rising importance in the security community. Unplanned events, much like the one we are facing today, are reminders of how organizations can be prepared to respond to a cyberattack. Ian Coldwell and I explored a variety of options in my episode of Afternoon Cyber Tea with Ann Johnson.

Ian Coldwell is a Kubernetes containers and cloud infrastructure specialist with a background in penetration testing and DevOps. In their role as a consultant, Ian has helped companies bridge the gaps between security and DevOps. It was a real pleasure to discuss what Ian has learned in these roles, and I think you’ll find our discussion valuable.

During our conversation, Ian and I talked about threat modeling and how to best protect your crown jewels. We also explored what it means to bring security into DevOps. Hint: it’s about more than just new tooling. And, we demystified Kubernetes. Do you wonder which projects are a good fit for Kubernetes, and which are not? Are you concerned about how to keep Kubernetes containers secure? Take a listen to Building operational resiliency in a digital work on Afternoon Cyber Tea with Ann Johnson for actionable advice that you can apply to your own SecDevOps organization.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape in these unprecedented times, and explore the risk and promise of systems powered by artificial intelligence (AI), Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Building operational resilience in a digital world appeared first on Microsoft Security.

Turning collaboration and customer engagement up with a strong identity approach

April 6th, 2020

In these challenging times, it’s even more apparent that modern companies are managing a blended workforce that encompasses not only their full-time staff and customers but also their contractors, consultants, subsidiaries, suppliers, partners, and soon-to-be customers. Balancing friction-less collaboration and highly targeted engagement with privacy and security is not easy, but you don’t have to go it alone.

Now more than ever, reusing rather than reinventing is critical. When it comes to connecting to business partners or your customers, consumers, or citizens, you don’t need to create an identity management solution from scratch—you can leverage cloud-based identity and access management (IAM) and customer IAM (CIAM) for better engagement with all of your cohorts.

The new world of work

Even before workers transitioned home in large numbers, IT leaders were facing rapidly transitioning work models fueled by an increase in remote working, freelancer exchanges and platforms, and a geographically-distributed workforce—trends that are only accelerated today by the uncommon circumstances imposed by COVID-19. Concurrently, interconnected and complex supply chains bring partners and suppliers directly into the business, where closer coordination is more important than ever. To get an idea of just how “into the business” that means, according to February 2020 Microsoft research, powered by Pulse, IT executives reported that 55 percent of external users outside their organizations belong to other businesses—for example, commercial customers, partners, and suppliers. And 98 percent of those respondents agreed that deepening collaboration and engagement with customers and business partners is how their company will be successful.

The net is that with all these entities logging into multiple corporate networks and segments, for many CISOs, “insider risk” includes a much broader set of actors than just the full-time workforce. And those CISOs are very concerned about insider risk—with 97 percent recently reporting that as their top concern. That’s why a flexible IAM solution is so important right now, because implemented properly, it allows companies to engage and interact effectively with all cohorts while also keeping organizations and data private and secure. Let’s take a closer look at how.

Turning external collaboration up

There are many benefits of using a trusted CIAM solution; here’s a short list of the ones I’ve heard from CISOs are the most valuable.

  • Persistent identities—Almost everyone already has a digital presence and at least one associated ID from Google, Facebook, or Microsoft. Using persistent IDs means that customers and partners can re-use their existing identity and don’t have to worry about creating an entirely new login and password. This reduces friction and improves security.
  • Data transparency—When people use the same ID across multiple business and organizational systems, both they and the company have a more efficient method for reporting on data use and access. It also means that when a user requests that their history be wiped or corrected, they can easily confirm that appropriate action has been taken.
  • Better audit trails—Using those same IDs also supports compliance reporting, audit trails, and forensic investigations. Rather than having to stitch together multiple IDs to determine the path of an incident, like a data exfiltration event, security professionals can follow activity of a single target ID. This also streamlines compliance reporting activity reducing burdens on already overworked staff.
  • Improved security—Allowing partners and customers to bring their own ID also means that robust, enterprise-ready security can be brought along. Advanced technologies like multi-factor authentication (MFA) and conditional access with step-up authentication can be applied to all users, even those that don’t work for large companies with mature identity programs.
  • Enhanced experience—The best security professionals know that technology that makes users’ lives easier is the most effective. All of the above directly impact security, but if customers and partners aren’t excited about using a solution, they’ll go around it. Make sure low friction end-user experiences are supported across varied experiences from artificial intelligence (AI)-led guidance to new product and service recommendations.

In the coming days, we will share more guidance on how to collaborate securely with your business partners and other external users. Learn more about how security professionals can adapt to the increasing usage of collaboration applications and leverage risk-based Conditional Access for real-time deflection of dynamic attacks today. We hope these recommendations will help you enable uninterrupted operations for your organization in these challenging times. Stay safe and be well.

The post Turning collaboration and customer engagement up with a strong identity approach appeared first on Microsoft Security.

Zero Trust framework to enable remote work

April 2nd, 2020

Zero Trust Assessment tool now live!

With such a large influx of employees working remotely, many of the traditional network-based security controls are unable to protect the organization. For many organizations, there are two options: route all remote traffic through a strained legacy network architecture, resulting in poor performance and user productivity; or relax restrictions and risk losing protection, control, and visibility. Many organizations are turning to a Zero Trust security framework to better support remote work and manage risk.

The Zero Trust security framework helps organizations effectively meet these challenges by gating access to resources individually using granular access policies that take advantage of dynamic user and device risk signals and other telemetry to make more adaptive access decisions.

Support for your Zero Trust journey

Getting started on your Zero Trust journey can be daunting, but we’re here to help. We’ve created the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust journey. Our assessment tool will help you assess your readiness across identities, devices, apps, infrastructure, network and data, and then provide go-dos and deployment guidance to help you reach key milestones.

 

Every company is at a different stage of their Zero Trust journey. Given the current situation with remote work, maybe you are working to unify your identity management to enable single sign-on (SSO), or you are digging into projects like multi-factor authentication (MFA) or desktop virtualization. Maybe identity and device management are your top priorities right now. Every IT leader needs to define the priorities to enable productivity from anywhere across their organization’s workforce depending on the situation. We understand and we’re here to help.

We recently published the Microsoft Zero Trust Maturity Model vision paper detailing the core principles of Zero Trust, along with our maturity model, which breaks down the top-level requirements across each of the six foundational elements.

Upcoming, we’ll be publishing deployment guides for each of the foundational elements. Look out for additional guides in the Microsoft Security blog.

Learn more about Zero Trust and Microsoft Security.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust framework to enable remote work appeared first on Microsoft Security.

Welcoming a more diverse workforce into cybersecurity: expanding the pipeline

March 31st, 2020

Despite much focus on increasing the number of women in cybersecurity, as an industry we are still falling short. For many companies the problem starts with the tech pipeline—there just aren’t enough resumes from qualified female candidates. But I think the real problem is that our definition of qualified is too narrow. It’s so narrow that many women and people from other underrepresented backgrounds don’t identify with cybersecurity. And it limits our ability to evaluate potential defenders. Hiring managers too often reject excellent candidates who don’t check all the boxes. At Fortalice, we do things differently, and as a result nearly 40 percent of our team are women.

During Women in Cybersecurity month, Microsoft is publishing blogs by female cybersecurity leaders who have advice on how to increase the number of women in the field. Last week, Diana Kelley wrote about how to create a culture that helps people of all backgrounds thrive. In this post, I’ll share four tips for recruiting more women.

It starts with commitment

Increasing diversity requires focus and attention. If you sit back and passively wait for the right resumes to land in your inbox, nothing will change. Much of this starts with the executive team making a concerted effort to take a stand and ask themselves and their organization why they don’t have more women on their teams. Diana’s blog does a great job of walking through some of the cultural aspects that make it hard for diversity to thrive. With the right commitment, you can put structures in place to find the people that you want.

With the coronavirus outbreak around the world, pay attention to your commitment to allow flexible schedules and the flexibility to work from home. Your female employee may be a caregiver to a parent or might be working from home while her children are remote schooling.

Expand the criteria

Cybersecurity is noble work. Every day we defend privacy and protect identities. We use creative problem-solving skills to outwit our adversaries and help people. It’s technical and analytical, yes, but it also takes interpersonal skills. Yet this isn’t how the public envisions cybersecurity. Most imagine a young white guy with poor social skills sitting in the dark, surrounded by more of the same—usually all wearing hoodies. It sounds boring, right? Is it any wonder that so many people opt out?

The stereotype discourages more diverse candidates from seeking us out, but we compound the problem with rigid job requirements. Many hiring managers are leaving women and minority candidates on the sidelines by chasing the same resumes, the same degrees, and the same alphabet soup of certifications. While these are some of the indicators of a successful hire, they aren’t the only ones.

Expand your criteria. The best cybersecurity professionals are insatiable learners and highly skilled problem solvers who think about the user while never underestimating the adversary. Take a chance on people outside cybersecurity or who don’t have a college degree and invest in cross training. Some of my team members started out in a different field. Now they are among the best, most well-rounded defenders in the industry.

Start young

I went to high school at Marine Corps Base Quantico, which mandated a class in computer programming. Thanks to that class I discovered that I have an aptitude and passion for technology. I might not have ended up in cybersecurity if it weren’t for that class. I’m so grateful that the U.S. Marine Corps and the Department of Defense saw the value in us learning new technologies and made this non-negotiable. We need to take this lesson and apply it more broadly. Women who don’t start developing technical skills early are at a great disadvantage when they compete against others who learned to code when they were young.

One way to do this is with training programs for kids. I partnered with another cybersecurity female leader from Cisco and members of FBI InfraGard to found the InfraGard CyberCamp in North Carolina. The program provides security training, security tools training, forensic analysis, and other activities and is hosted at Microsoft’s Charlotte campus. To get the diversity we want, we go directly to the organizations that know girls, kids of color, LGBTQ youth, and economically disadvantaged kids and ask them to apply. The extra effort works; each year, the camp graduates 30 kids from all walks of life—male, female, and economically disadvantaged students included. As more security conferences look to create “hackathons” for middle and high school students, as well as scholarship programs for college students, they must deliberately foster diversity.

Provide a platform for your cybersecurity women

Many young women are looking for role models. They want to feel connected with their coworkers. Send women from your organization to recruiting events on college campuses so prospective candidates can get to know your team. Elevate the female leaders at your company with articles or speaking roles at conferences.

As people see more women and other underrepresented groups in cybersecurity, stereotypes will be tested. This will encourage a diverse group of people to apply. We need them! Diversity will make us better at solving the complex problems inherent in cybersecurity.

Learn more

Fortalice started a group called Help a Sister Up on LinkedIn, #hasu. This space is dedicated to advancing women in technology and serves as a rallying point for them and their male advocates. We post job openings, articles, and avenues for discussion. Please join Help a Sister Up.

Theresa Payton is CEO and President of Fortalice—a group of “former White House cyber operatives and national security veterans who have honed our craft protecting people, business, and nations for decades.” Theresa was the first female CIO for the White House and was named One of the 7 Women at the Top of their Game by Meeting Magazines.

The post Welcoming a more diverse workforce into cybersecurity: expanding the pipeline appeared first on Microsoft Security.

Welcoming and retaining diversity in cybersecurity

March 24th, 2020

I doubt I’d be in the role I am now if leaders at one of my first jobs hadn’t taken an interest in my career. Although I taught myself to code when I was young, I graduated from college with a degree in English Literature and began my post-college career in editorial. I worked my way up to Assistant Editor at a math and science college textbook publisher located in Boston, Massachusetts. I was responsible for acquisitions and training on the software that the company distributed with its textbooks. The senior editors sent me to a conference in Florida to train the sales team on how to present the software to professors. This is where I met Jennifer. Jennifer headed up the network and IT support for our California parent company, and because we shared a room at the conference hotel, we got to know each other, and she saw me present. This interaction proved pivotal. When the publisher created a new position to support a network of AS/400s, Jennifer talked me into applying—and yes, she did have to talk me into it! Like a lot of young professionals, I was intimidated to take on such a different role. But I’m so glad she was looking out for me. It was the start of my career in technology, which ultimately led me to Microsoft.

My experience is a great example of how individuals and company culture can influence the trajectory of someone’s career. To celebrate Women in Cybersecurity month, Microsoft is exploring tactics to increase diversity in the tech industry. In the first post in the series, Ann Johnson wrote about mentorship. In this post, I share some ideas for cultivating the diverse talent that already work at your company to build a strong and diverse leadership team.

Retention is as important as recruitment

When we talk about the lack of diversity in tech, much of the conversation focuses around hiring. And it’s true that we need to dramatically increase the number of women, non-binary, and people of color that we recruit. But if we want to create more diverse technology teams, we also need to address the talent drain. Too often smart technologists with nontraditional backgrounds drop out of STEM careers. Studies have shown that up to 52 percent of women leave technology fields. This is nearly double the percentage of men who quit tech. And for those who think it’s because women don’t enjoy technology, 80+ percent of women in STEM say they love their work. The problem often comes down to culture. Which means it’s something we can fix! I’ve worked with and managed many neuro-diverse teams and here’s what I’ve seen work.

People aren’t books

One of the most famous pictures of Einstein shows him with his hair in disarray, sticking his tongue out. If you didn’t know he was one of the greatest thinkers in the world, you might assume he wasn’t the fastest electron in the universe. Or what does it say that many of us didn’t discover Katherine Johnson, another brilliant physicist, until 2017 when the movie “Hidden Figures” was released?

Our collective mental model for what an engineer or scientist is supposed to look and act like doesn’t reflect reality. Some people have purple hair, some like to work in yoga pants, some listen to loud music on headphones all day, or have creative face tattoos. And many are women or LGBTQ or people of color or disabled. People’s race, gender, appearance and work styles have no bearing on whether they are a hard worker or a valuable contributor. We know this, but often we don’t realize we’ve made a judgement based on unconscious biases.

How to address: Don’t judge people by their “covers.” This starts by acknowledging that your biases may not be explicit or intentional, but they still exist. Listen to what people say. Evaluate the work they produce. Observe how they collaborate with others. These are the indicators of the value they bring. And keep in mind that people who’ve been conditioned to believe that technology isn’t for them may not exhibit the level of confidence you expect. It doesn’t mean they can’t do it. They may just need a little more encouragement (thank you, Jennifer!).

Women often leave jobs because they feel stalled in their careers. In one study, 27 percent of U.S. women said they feel stalled and 32 percent were considering quitting in the next year. For a variety of reasons, unconscious bias results in straight white men getting more opportunities on high profile projects, more ideas greenlit, and faster promotions. As a result, women get discouraged, do not feel supported and look for other opportunities. That is why in the previous blog, we focused on mentorship.

How to address: Be a champion for women and other underrepresented groups in your company. My relationship with Jennifer is a great example of this. She took an interest in my career, identified an opportunity and helped me get to the next rung. Our relationship was informal, but you can also create a structured sponsorship program. The goal is to go beyond mentorship and become an advocate for promising women, people of color, and other underrepresented groups. Use your influence to get them the right projects, the right advice, and the right exposure to help them advance their careers.

Nurture unique thinkers

Back when I was a manager at KPMG, we used to try to hire people who “think outside the box.” But the tricky part about hiring out of the box thinkers is that their ideas are, well, outside the box. Organizations often think they want people to shake things up but in practice many are uncomfortable being challenged. This leads them to quickly shut down bold new ideas. When original thinkers don’t feel valued, they take all that innovation and creativity elsewhere.

How to address: Build a culture of inclusion where everyone has a chance to share. Not every idea is great; in my career I’ve had more than my share of bad ones! But you should listen to and consider all opinions—even if they seem a little off the wall. It doesn’t mean you have to move them all forward, but sometimes an idea that sounds outlandish one day starts to make sense after a good night’s sleep. Or take a page from the women in the Obama administration and amplify ideas that have been overlooked.

Respect the hours

Not everyone can commit to a regular eight in the morning to six in the evening work week. Many people care for children, sick spouses, and elderly parents—being a caretaker is a skill in and of itself! In fact, this quality of being a caretaker is something that in most technology roles can be a valued asset. In addition to being a caretaker, others can’t work “regular” weeks because they’re finishing degrees or have other time challenges and commitments.

Varied approaches to time also apply to project milestones. People deal with deadlines differently—some get stressed if the deadline is too close (like me!) and do their work in advance, others need that adrenaline pump and wait until (almost) the last minute to deliver.

How to address: Institute and support flexible work hours, job sharing (two people share the same job, both doing it half-time), or three weeks on/one week off work schedules that enable people to contribute without requiring them to keep the same hours as everyone else. Trust that people can be productive even if they don’t work the same way or at the same time as your typical employee.

To build a diverse, experienced team of leaders, you need an environment that supports and accepts differences of all kinds. Don’t let bias about gender, appearance, or the hours someone can work get in the way of nurturing all those great hires into the next generation of great leaders. Our senior director for our cybersecurity operations team, Kristina, looks for diversity as this helps with managing the diversity of threats. Listen to her thoughts on diversity in our CISO Spotlight Episode 7.

What’s next

For those interested in how to find more diverse talent, next week Theresa Payton will share ideas from her experience recruiting girls, women, and other people with differing backgrounds into technology.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. To learn more about our Security solutions visit our website. Or reach out to me on LinkedIn or Twitter.

The post Welcoming and retaining diversity in cybersecurity appeared first on Microsoft Security.

Welcoming more women into cybersecurity: the power of mentorships

March 19th, 2020

From the way our industry tackles cyber threats, to the language we have developed to describe these attacks, I’ve long been a proponent of challenging traditional schools of thought—traditional cyber-norms—and encouraging our industry to get outside its comfort zones. It’s important to expand our thinking in how we address the evolving threat landscape. That’s why I’m not a big fan of stereotypes; looking at someone and saying they “fit the mold.” Looking at my CV, one would think I wanted to study law, or politics, not become a cybersecurity professional. These biases and unconscious biases shackle our progression. The scale of our industry challenges is too great, and if we don’t push boundaries, we miss out on the insights that differences in race, gender, ethnicity, sexuality, neurology, ability, and degrees can bring.

As we seek to diversify the talent pool, a key focus needs to be on nurturing female talent. Microsoft has hired many women in security, and we will always focus on keeping a diverse workforce. That’s why as we celebrate Women in Cybersecurity Month and International Women’s Day, the security blog will feature a few women cybersecurity leaders who have been implementing some of their great ideas for how to increase the number of women in this critical field. I’ll kick off the series with some thoughts on how we can build strong mentoring relationships and networks that encourage women to pursue careers in cybersecurity.

There are many women at Microsoft who lead our security efforts. I’m incredibly proud to be among these women, like Joy Chik, Corporate Vice President of Identity, who is pushing the boundaries on how the tech industry is thinking about going passwordless, and Valecia Maclin, General Manager of Security Engineering, who is challenging us to think outside the box when it comes to our security solutions. On my own team, I think of the many accomplishments of Ping Look, who co-founded Black Hat and now leads our Detection and Response Team (DART), Sian John, MBE, who was recently recognized as one of the top 50 influencers in cybersecurity in the U.K., and Diana Kelley, Microsoft CTO, who tirelessly travels the globe to share how we are empowering our customers through cybersecurity—just to name a few. It’s important we continue to highlight women like these, including our female cybersecurity professionals at Microsoft who made the Top 100 Cybersecurity list in 2019. The inspiration from their accomplishments goes far beyond our Microsoft campus. These women represent the many Microsoft women in our talented security team. This month, you’ll also hear from some of them in subsequent blog posts on how to keep the diverse talent you already have employed. And to conclude the month, Theresa Payton, CEO at Fortalice Solutions, LLC., and the host of our CISO Spotlight series will share tips from her successful experience recruiting talented women into IT and cybersecurity.

Our cyber teams must be as diverse as the problems we are trying to solve

You’ve heard me say this many times, and I truly believe this: As an industry, we’ve already acknowledged the power of diversity—in artificial intelligence (AI). We have clear evidence that a variety of data across multiple sources and platforms enhances and improves AI and machine learning models. Why wouldn’t we apply that same advantage to our teams? This is one of several reasons why we need to take diversity and inclusion seriously:

  • Diverse teams make better and faster decisions 87 percent of the time compared with all male teams, yet the actual number of women in our field fluctuates between 10 and 20 percent. What ideas have we missed by not including more women?
  • With an estimated shortfall of 3.5 million security professionals by 2021, the current tech talent pipeline needs to expand—urgently.
  • Cyber criminals will continue to exploit the unconscious bias inherent in the industry by understanding and circumventing the homogeneity of our methods. If we are to win the cyber wars through the element of surprise, we need to make our strategy less predictable.

Mentoring networks must start early

Mentorship can be a powerful tool for increasing the number of women in cybersecurity. People select careers that they can imagine themselves doing. This process starts young. Recently a colleague’s pre-teen daughter signed up for an after-school robotics class. When she showed up at the class, only two other girls were in the room. Girls are opting out of STEM before they can (legally) opt into a PG-13 movie. But we can change this. By exposing girls to technology earlier, we can reduce the intimidation factor and get them excited. One group that is doing this is the Security Advisor Alliance. Get involved in organizations like this to reach girls and other underrepresented groups before they decide cybersecurity is not for them.

Building a strong network

Mentoring young people is important, but to solve the diversity challenges, we also need to bring in people who started on a different career path or who don’t have STEM degrees. You simply won’t find the talent you need through the anemic pipeline of college-polished STEM graduates. I recently spoke with Mari Galloway, a senior security architect in the gaming industry and CEO of the Women’s Society of Cyberjutsu (WSC) about this very topic in my podcast. She agreed on the importance of finding a mentor, and being a mentee.

Those seeking to get into cybersecurity need a network that provides the encouragement and constructive feedback that will help them grow. I have mentored several non-technical women who have gone on to have successful roles in cybersecurity. These relationships have been very rewarding for me and my mentees, which is why I advocate that everybody should become a mentor and a mentee.

If you haven’t broken into cybersecurity yet, or if you are in the field and want to grow your career, here are a few tips:

  • Close the skills gap through training and certificate programs offered by organizations like SANS Institute and ISC2. I am especially excited about Girls Go Cyberstart, a program for young people that Microsoft is working on with SANS Institute.
  • Build up your advocate bench with the following types of mentors:
    • Career advocate: Someone who helps you with your career inside your company or the one you want to enter.
    • Coach: Someone outside your organization who brings a different perspective to troubleshooting day-to-day problems.
    • Senior advisor: Someone inside or outside your organization who looks out for the next step in your career.
  • Use social media to engage in online forums, find local events, and reach experts. Several of my mentees use LinkedIn to start the conversation.
  • When you introduce yourself to someone online, be clear that you are interested in their cumulative experience, not just their job status.

For those already in cybersecurity, be open to those from the outside seeking guidance, especially if they don’t align with traditional expectations of who a cybersecurity professional is.

Mentorship relationships that yield results

A mentorship is only going to be effective if the mentee gets valuable feedback and direction from the relationship. This requires courageous conversations. It’s easy to celebrate a mentee’s visible wins. However, those moments are the result of unseen trench work that consists of course correcting and holding each other accountable to agreed upon actions. Be prepared to give and receive constructive, actionable feedback.

Creating inclusive cultures

More women and diverse talent should be hired in security not only because it is the right thing to do, but because gaining the advantage in fighting cybercrime depends on it. Mentorship is one strategy to include girls before they opt out of tech, and to recruit people from non-STEM backgrounds.

What’s next

Watch for Diana Kelley’s blog about how to create a culture that keeps women in the field.

Learn more about Girls Go Cyberstart.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

The post Welcoming more women into cybersecurity: the power of mentorships appeared first on Microsoft Security.

Work remotely, stay secure—guidance for CISOs

March 12th, 2020

With many employees suddenly working from home, there are things an organization and employees can do to help remain productive without increasing cybersecurity risk.

While employees in this new remote work situation will be thinking about how to stay in touch with colleagues and coworkers using chat applications, shared documents, and replacing planned meetings with conference calls, they may not be thinking about cyberattacks. CISOs and admins need to look urgently at new scenarios and new threat vectors as their organizations become distributed overnight, with less time to make detailed plans or run pilots.

Based on our experiences working with customers who have had to pivot to new working environments quickly, I want to share some of those best practices that help ensure the best protection.

What to do in the short—and longer—term

Enabling official chat tools helps employees know where to congregate for work. If you’re taking advantage of the six months of free premium Microsoft Teams or the removed limits on how many users can join a team or schedule video calls using the “freemium” version, follow these steps for supporting remote work with Teams. The Open for Business Hub lists tools from various vendors that are free to small businesses during the outbreak. Whichever software you pick, provision it to users with Azure Active Directory (Azure AD) and set up single-sign-on, and you won’t have to worry about download links getting emailed around, which could lead to users falling for phishing emails.

You can secure access to cloud applications with Azure AD Conditional Access, protecting those sign-ins with security defaults. Remember to look at any policies you have set already, to make sure they don’t block access for users working from home. For secure collaboration with partners and suppliers, look at Azure AD B2B.

Azure AD Application Proxy publishes on-premises apps for remote availability, and if you use a managed gateway, today we support several partner solutions with secure hybrid access for Azure AD.

While many employees have work laptops they use at home, it’s likely organizations will see an increase in the use of personal devices accessing company data. Using Azure AD Conditional Access and Microsoft Intune app protection policies together helps manage and secure corporate data in approved apps on these personal devices, so employees can remain productive.

Intune automatically discovers new devices as users connect with them, prompting them to register the device and sign in with their company credentials. You could manage more device options, like turning on BitLocker or enforcing password length, without interfering with users’ personal data, like family photos; but be sensitive about these changes and make sure there’s a real risk you’re addressing rather than setting policies just because they’re available.

Read more in Tech Community on ways Azure AD can enable remote work.

You’ve heard me say it time and again when it comes to multi-factor authentication (MFA): 100 percent of your employees, 100 percent of the time. The single best thing you can do to improve security for employees working from home is to turn on MFA. If you don’t already have processes in place, treat this as an emergency pilot and make sure you have support folks ready to help employees who get stuck. As you probably can’t distribute hardware security devices, use Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.

Longer term, I recommend security admins consider a program to find and label the most critical data, like Azure Information Protection, so you can track and audit usage when employees work from home. We must not assume that all networks are secure, or that all employees are in fact working from home when working remotely.

Track your Microsoft Secure Score to see how remote working affects your compliance and risk surface. Use Microsoft Defender Advanced Threat Protection (ATP) to look for attackers masquerading as employees working from home, but be aware that access policies looking for changes in user routines may flag legitimate logons from home and coffee shops.

How to help employees

As more organizations adapt to remote work options, supporting employees will require more than just providing tools and enforcing policies. It will be a combination of tools, transparency, and timeliness.

Remote workers have access to data, information, and your network. This increases the temptation for bad actors. Warn your employees to expect more phishing attempts, including targeted spear phishing aimed at high profile credentials. Now is a good time to be diligent, so watch out for urgent requests that break company policy, use emotive language and have details that are slightly wrong—and provide guidance on where to report those suspicious messages.

Establishing a clear communications policy helps employees recognize official messages. For example, video is harder to spoof than email: an official channel like Microsoft Stream could reduce the chance of phishing while making people feel connected. Streaming videos they can view at a convenient time will also help employees juggling personal responsibilities, like school closures or travel schedule changes.

Transparency is key. Some of our most successful customers are also some of our most transparent ones. Employee trust is built on transparency. Providing clear and basic information, including how to protect their devices, will help you and employees stay ahead of threats.

For example, help employees understand why downloading and using consumer or free VPNs is a bad idea. These connections can extract sensitive information from your network without employees realizing. Instead, offer guidance on how to leverage your VPN and how it’s routed through a secure VPN connection.

Employees need a basic understanding of conditional access policies and what their devices need to connect to the corporate network, like up-to-date anti-malware protection. This way employees understand if their access is blocked and how to get the support they need.

Working from home doesn’t mean being isolated. Reassure employees they can be social, stay in touch with colleagues, and still help keep the business secure. Read more about staying productive while working remotely on the Microsoft 365 blog.

The post Work remotely, stay secure—guidance for CISOs appeared first on Microsoft Security.

Threat hunting: Part 1—Why your SOC needs a proactive hunting team

March 10th, 2020

Cybersecurity can often feel like a game of whack-a-mole. As our tools get better at stopping one type of attack, our adversaries innovate new tactics. Sophisticated cybercriminals burrow their way into network caverns, avoiding detection for weeks or even months, as they gather information and escalate privileges. If you wait until these advanced persistent threats (APTs) become visible, it can be costly and time-consuming to address them. It’s crucial to augment reactive approaches to cybersecurity with proactive ones. Human-led threat hunting, supported by machine-learning-powered tools like Azure Sentinel, can help you root out infiltrators before they access sensitive data.

This threat hunting blog series will dig into all aspects of threat hunting, including how to apply these techniques to your security operations center (SOC). Today’s post delves into what threat hunting is, why it’s important, and how Azure Sentinel can support your defenders. Future posts will examine how you can use other Microsoft solutions for proactive hunting.

Assume breach and be proactive

Traditional cybersecurity is reactive. Endpoint detection tools identify potential incidents, blocking some and handing off others to people to investigate and mitigate. This works for many of the routine, automated, and well-known attacks—of which there are many. However, our most sophisticated adversaries understand how these security solutions work and continuously evolve their tactics to get around them. The goal of the attackers is to remain undetected so they can gain access to your most sensitive information. To stop them, first you must find them.

Threat hunting is a proactive approach to cybersecurity, predicated on an “assume breach” mindset. Just because a breach isn’t visible via traditional security tools and detection mechanisms doesn’t mean it hasn’t occurred. Your threat hunting team doesn’t react to a known attack, but rather tries to uncover indications of attack (IOA) that have yet to be detected. Their job is to outthink the attacker.

Invest in people

Because threat hunting is concerned with emerging threats rather than known attack methods, people take the lead. It’s therefore important that they have the time and authority to research and pursue hypotheses. This isn’t possible if they are bogged down with security alerts. Many SOCs, including those at Microsoft, establish a three-tier model to address known and unknown threats. Tier 1 and Tier 2 analysts respond to alerts. Tier 3 analysts conduct research focused on revealing undiscovered adversaries. You can learn more about how Microsoft organizes its SOC in Lessons learned from the Microsoft SOC—Part 2a: Organizing people.

 

Figure 1. SOC using a three-tier approach: Tier 1 addresses high speed remediation, Tier 2 performs deeper analysis and remediation, and Tier 3 conducts proactive hunts.

Develop an informed hypothesis

Threat hunting starts with a hypothesis. Threat hunters may generate a hypothesis based on external information, such as threat reports, blogs, and social media. For example, your team may learn about a new form of malware in an industry blog and hypothesize that an adversary has used that malware in an attack against your organization. Internal data and intelligence from past incidents also inform hypothesis development.

Once the team has a hypothesis, they examine various techniques and tactics to uncover artifacts that were left behind. A great tool for helping with hypothesis development and research is the MITRE ATT&CK™ (adversarial tactics, techniques, and common knowledge) framework. These adversary tactics and techniques are grouped within a matrix and include the following categories:

  • Initial access—Techniques used by the adversary to obtain a foothold within a network, such as targeted spear-phishing, exploiting vulnerabilities or configuration weaknesses in public-facing systems.
  • Execution—Techniques that result in an adversary running their code on a target system. For example, an attacker may run a PowerShell script to download additional attacker tools and/or scan other systems.
  • Persistence—Techniques that allow an adversary to maintain access to a target system, even following reboots and credential changes. An example of a persistence technique would be an attacker creating a scheduled task that runs their code at a specific time or on reboot.
  • Privilege escalation—Techniques leveraged by an adversary to gain higher-level privileges on a system, such as local administrator or root.
  • Defense evasion—Techniques used by attackers to avoid detection. Evasion techniques include hiding malicious code within trusted processes and folders, encrypting or obfuscating adversary code, or disabling security software.
  • Credential access—Techniques deployed on systems and networks to steal usernames and credentials for re-use.
  • Discovery—Techniques used by adversaries to obtain information about systems and networks that they are looking to exploit or use for their tactical advantage.
  • Lateral movement—Techniques that allow an attacker to move from one system to another within a network. Common techniques include “Pass-the-Hash” methods of authenticating users and the abuse of the remote desktop protocol.
  • Collection—Techniques used by an adversary to gather and consolidate the information they were targeting as part of their objectives.
  • Command and control—Techniques leveraged by an attacker to communicate with a system under their control. One example is that an attacker may communicate with a system over an uncommon or high-numbered port to evade detection by security appliances or proxies.
  • Exfiltration—Techniques used to move data from the compromised network to a system or network fully under control of the attacker.
  • Impact—Techniques used by an attacker to impact the availability of systems, networks, and data. Methods in this category would include denial of service attacks and disk- or data-wiping software.

Conduct investigation with Azure Sentinel

Although threat hunting starts with a human-generated hypothesis, threat protection tools, like Azure Sentinel, make investigation faster and easier. Azure Sentinel is a next-generation, cloud-based SIEM that uses machine learning and artificial intelligence (AI) to help security professionals detect previously unknown incidents, investigate suspicious activity and threats, and respond quickly to an incident. It’s an invaluable tool for threat hunting. Azure Sentinel’s built-in hunting queries help teams ask the right questions to find issues in the data already on your network. Within Azure Sentinel, an analyst can create a new query; modify existing queries; bookmark, annotate, and tag interesting findings; and launch a more detailed investigation.

Figure 2: Azure Sentinel Hunting Dashboard: The dashboard includes menus to create new queries, run all queries, and bookmark data. The dashboard also shows the number of hunting queries that exist and a pane that shows the actual Kusto Query Language for each query.

Azure Sentinel ships with built-in hunting queries that have been written and tested by Microsoft security researchers and engineers. The following 16 hunting queries were provided by Microsoft:

  • Anomalous Azure Active Directory apps based on authentication location
  • Base64-encoded Windows executables in process command lines
  • Process executed from binary hidden in Base64-encoded file
  • Enumeration of users and groups
  • Summary of failed user log-ins by reason of failure
  • Host with new log-ins
  • Malware in recycle bin
  • Masquerading files
  • Azure Active Directory sign-ins from new locations
  • New processes observed in last 24 hours
  • Summary of users created using uncommon and undocumented command line switches
  • PowerShell downloads
  • Cscript daily summary breakdown
  • New user agents associated with clientIP for SharePoint uploads and downloads
  • Uncommon processes—bottom 5 percent
  • Summary of user log-ins by log-in type

Threat hunters can also leverage a GitHub repository of hunting queries provided by Microsoft researchers, internal security teams, and partners. Azure Sentinel also makes it easy for your threat hunters to select a MITRE ATT&CK framework tactic that they want to query. Despite the mountains of data your team must parse in their investigation, Azure Sentinel improves the odds they will pursue the right leads.
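The following Python example is added here; it is not the built-in Sentinel query and not code from the original post. It runs the idea behind the “Base64-encoded Windows executables in process command lines” hunt over constructed process-creation events, confirming a PE header where the logged command line is complete and reporting a lower-confidence hit where the log truncated it. The event field names, hosts, accounts and `updater.exe` are assumptions made for the example.

```python
import base64
import binascii
import re
import struct

# A run of base64 alphabet long enough to carry the start of a DOS header.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_prefix(run):
    """Decode the longest whole-quantum prefix of a possibly truncated run."""
    run = run.rstrip("=")
    run = run[: len(run) - len(run) % 4]  # header checks do not need the tail
    try:
        return base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return b""


def classify(blob):
    """Return 'pe', 'mz-truncated' or None for decoded bytes."""
    if blob[:2] != b"MZ":
        return None
    if len(blob) < 0x40:
        return "mz-truncated"  # the e_lfanew field itself was cut off
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 4 > len(blob):
        return "mz-truncated"  # PE signature lies beyond the logged data
    return "pe" if blob[e_lfanew:e_lfanew + 4] == b"PE\0\0" else None


def hunt(events):
    """Return one finding per event whose command line carries an encoded PE."""
    findings = []
    for ev in events:
        for match in B64_RUN.finditer(ev["CommandLine"]):
            verdict = classify(decode_prefix(match.group()))
            if verdict:
                findings.append({
                    "TimeGenerated": ev["TimeGenerated"],
                    "Computer": ev["Computer"],
                    "Account": ev["Account"],
                    "Verdict": verdict,
                    "EncodedLength": len(match.group()),
                })
                break  # one finding per event is enough for triage
    return findings


def summarize(findings):
    """Group findings by (Computer, Account), as a hunting summary would."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(
            (f["Computer"], f["Account"]),
            {"count": 0, "verdicts": set(), "first_seen": f["TimeGenerated"]},
        )
        entry["count"] += 1
        entry["verdicts"].add(f["Verdict"])
        entry["first_seen"] = min(entry["first_seen"], f["TimeGenerated"])
    return summary


def sample_pe_stub():
    """Constructed 88-byte stand-in: DOS header, e_lfanew=0x40, PE signature.
    It has the layout the check looks for but is not a runnable binary."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(20)


_B64_PE = base64.b64encode(sample_pe_stub()).decode()
_B64_BENIGN = base64.b64encode(b"region=westeurope;retries=3;mode=batch").decode()

# Constructed events; field names and values are assumptions for this example.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2020-01-01T09:14:02Z", "Computer": "WS-0142",
     "Account": "CONTOSO\\alice",
     "CommandLine": "updater.exe -blob " + _B64_PE},
    {"TimeGenerated": "2020-01-01T09:20:45Z", "Computer": "WS-0142",
     "Account": "CONTOSO\\alice",
     "CommandLine": "updater.exe -blob " + _B64_PE[:40]},  # truncated by the log
    {"TimeGenerated": "2020-01-01T10:02:11Z", "Computer": "WS-0207",
     "Account": "CONTOSO\\bob",
     "CommandLine": "agent.exe --config " + _B64_BENIGN},
    {"TimeGenerated": "2020-01-01T10:05:30Z", "Computer": "SRV-DB01",
     "Account": "CONTOSO\\svc_backup",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for key, entry in summarize(hunt(SAMPLE_EVENTS)).items():
        print(key, entry["count"], sorted(entry["verdicts"]), entry["first_seen"])
```

A `mz-truncated` verdict means only the `MZ` magic was visible, so it should be weighed with other context on the host before being treated as a confirmed executable.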

Learn more

Effective cybersecurity requires several complementary approaches. You need to be alert to the incidents that your threat detection tools uncover. You also need to proactively hunt for threats that lurk in the shadows. Adding threat hunting capabilities to your SOC can reduce your risk from hidden adversaries. I hope this blog helps you see ways to apply these tactics in your organization. Stay tuned for future posts in this series, where I’ll walk you through practical examples of threat hunting using Azure Sentinel, as well as demonstrate how to use other Microsoft tools for such activities.

In the meantime, learn more about Azure Sentinel. To get the best use out of Azure Sentinel, see Microsoft Azure Sentinel: Planning and implementing Microsoft’s cloud-native SIEM solution (IT Best Practices—Microsoft Press).

Bookmark the Security blog to keep up with our expert coverage on security matters and visit our website at https://www.microsoft.com/security/business. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Threat hunting: Part 1—Why your SOC needs a proactive hunting team appeared first on Microsoft Security.


Azure Sphere—Microsoft’s answer to escalating IoT threats—reaches general availability

February 24th, 2020 No comments

Today Azure Sphere—Microsoft’s integrated security solution for IoT devices and equipment—is widely available for the development and deployment of secure, connected devices. Azure Sphere’s general availability milestone couldn’t be timelier. From consumer device hacking and botnets to nation state driven cyberterrorism, the complexity of the landscape is accelerating. And as we expand our reliance on IoT devices at home, in our businesses and even in the infrastructure that supports transit and utilities, cybersecurity threats are increasingly real to individuals, businesses and society at large.

From its inception in Microsoft Research to general availability today, Azure Sphere is Microsoft’s answer to these escalating IoT threats. Azure Sphere delivers quick and cost-effective device security for OEMs and organizations to protect the products they sell and the critical equipment that they rely on to drive new business value.

To mark today’s general availability milestone, I sat down with Galen Hunt, distinguished engineer and product leader of Azure Sphere to discuss the world of cybersecurity, the threat landscape that businesses and governments are operating in, and how Microsoft and Azure Sphere are helping organizations confidently and securely take advantage of the opportunities enabled by IoT.

 

ANN JOHNSON: Let me start by asking about a comment I once heard you make, where you refer to the internet as “a cauldron of evil.” Can you give us a little insight into what you mean?

GALEN HUNT: Well, I actually quote James Mickens. James is a former colleague at Microsoft Research, and he’s now a professor at Harvard. Those are his words, the idea of the internet being a cauldron of evil. But I love it, because what it really captures is what the internet really is.

The internet is a place of limitless potential, but when you connect a device to the internet, you’re also creating a two-way street; anybody can come in off the internet and try to attack you.

Everything from nation states to petty criminals to organized crime is out there, operating on the internet. As we think about IoT—which is my favorite topic—being aware of the dangers is the first step to being prepared to address them.

ANN JOHNSON: When you’re thinking about folks that are in charge of security organizations, or even folks who have to secure the environment for themselves, what do you view as the biggest threats, and also the biggest opportunities for companies like Microsoft to address those threats?

GALEN HUNT: I think the biggest threat is—and I’m coming at this from the IoT side of things—as we’re able to connect every single device in an enterprise or every single device in a home to the internet, there’s real risk. By compromising those devices, someone can invade our privacy, they can have access to our data, they can manipulate our environment. Those are real risks.

In the traditional internet, the non-Internet-of-Things internet, the damage that could be done was purely digital. But in a connected IoT environment, remote actors are able to affect or monitor not just the digital environment but also the actual physical environment. So that creates all sorts of risks that need to be addressed.

In response, the power that a company like Microsoft can bring is our deep experience in internet security. We’ve been doing it for years. We can help other organizations leverage that experience. That’s a tremendous opportunity we have to help.

ANN JOHNSON: So, with that, walk us through what Azure Sphere is—how do you see our customers and our partners leveraging the technology?

GALEN HUNT: There are four components to Azure Sphere: three of them are powered by technology and one of them is powered by people. Those components combine to form an end-to-end solution that allows any organization that’s building or connecting devices to have the very best of what we know about making internet-connected devices secure.

Let’s talk about the four components.

The first of the three technical components is the certified chips that are built by our silicon partners, they have the hardware root of trust that Microsoft created. These are chips that provide a foundation of security, starting in the silicon itself, and provide connectivity and compute power for these devices.

The second technical component of Azure Sphere is the Azure Sphere operating system. This runs on the chips and creates a secure software environment.

The third technical component is the cloud-based Azure Sphere security service. The security service connects with every single Azure Sphere chip, with every single Azure Sphere operating system, and works with the operating system and the chip to keep the device secured throughout its lifetime.

ANN JOHNSON: So, you’ve got hardware, software, and the cloud, all working together. What about the human component?

GALEN HUNT: The fourth component of Azure Sphere is our people and all their security expertise. Our team provides ongoing security monitoring of Azure Sphere devices and, actually, of the full ecosystem. As we identify new types of attacks and new emerging security vulnerabilities, we will upgrade our operating system and the cloud services to mitigate against those new kinds of attacks. Then we will deploy updates to every Azure Sphere-based device, globally. So, we’re providing ongoing support, and ongoing security improvements for those devices.

ANN JOHNSON: I want to make this real for folks. Walk me through a use case; where would somebody actually implement and use Azure Sphere? How does their infrastructure or architecture fit in?

GALEN HUNT: Okay, let’s start with a device manufacturer. They say, okay we’re going to create a new device, and we want to have that device be an IoT device. We want it to connect to the internet, so it can be integrated into an organization’s digital feedback loop. And so, they will buy a chip, an Azure Sphere-based microcontroller or SoC, which will serve as the primary processing component, and they build that into their device. The Azure Sphere chip provides the compute power and secured connectivity.

Now, of course not everybody is building a brand-new device from scratch. There are a lot of existing devices out there that are very valuable. Sometimes they’re too valuable to take on the risk of connecting them and exposing them to the internet. One of the things we’ve developed during the Azure Sphere preview period is a new class of device that we call a “guardian module.” The guardian module is a very small device—no larger than the size of a deck of cards—built around an Azure Sphere chip. An organization interested in connecting existing devices can connect through the guardian module and pull data from that existing device and securely connect it to the cloud. The guardian modules, powered by Azure Sphere, are a way to add highly secure connectivity—even to existing devices—that’s protected by Microsoft.

ANN JOHNSON: Interesting, it solves a pretty big problem with device security, especially as we continue to see a massive proliferation of devices in our environment, most of which are unmanaged. What do you think is slowing the broad adoption of security related to connected devices?

GALEN HUNT: Well, there are a couple of things. I think the biggest barrier, up until now, has been the lack of an end-to-end solution. For companies that have had aspirations to build or to buy highly secured devices, each device has been a one-off. Customers have had to completely build a unique solution for each device, and that just takes an incredible amount of expertise and hard work.

The other obstacle I’ve found is that organizations realize that they need secure devices, but they just don’t know where to begin. They don’t know what they should be looking for, from a device security perspective. There’s a bit of a temptation to look for a security feature checklist instead of really understanding what’s required to have a device that’s highly secured.

ANN JOHNSON: I know you’ve given this a lot of consideration and your background gives you a deeper view into what it takes to secure devices. You wrote a paper on the seven properties of highly secure devices, based on a lot of research you’ve done on the topic. How did you coalesce on the seven properties and how customers can implement them securely?

GALEN HUNT: Yes, I’m a computer scientist, and for over 15 years I ran operating systems research in Microsoft Research. About five years ago, someone walked into my office with a schematic, or a floor map, of a brand new—actually, still under development—microcontroller. This was actually the very first of a new class of a microcontroller.

A microcontroller, for anybody who is not familiar, is a single-chip computer that has processor, and storage, memory, and IoT capabilities. Microcontrollers are used in everything from toys, to appliances, even industrial equipment. Well, this was the first time I had seen a microcontroller, a programmable microcontroller, with the physical capabilities required to be able to connect to the internet—built in—and at a price point that was just a couple of dollars.

When I looked at this thing, I realized that for the price of a cup of coffee, anything on the planet that had electricity could be turned into an internet device. I realized I was looking at the fifth generation of computing, and that was a terribly exciting thought. But the person who had come into my office was asking, what kind of code should we run on this so that it would be secure if we did want to build internet-connected devices with it?

And what I realized, really quickly, was that even though it had some great security features, it lacked much of what was required to build a secure device from a software perspective, and that set me off on a journey. I imagined this dystopian future where there are nine billion new insecure devices being added to the world’s population, every year.

ANN JOHNSON: Sure, the physical risks of device hacking make nine billion insecure IoT devices a daunting thought.

GALEN HUNT: Well for me, that was a really scary thought. And as a scientist, I said, well we know that Microsoft and our peer companies have built devices that have been out on the internet. They’ve been connected for at least a five-year period and have withstood relentless attacks from hackers and other ne’er-do-wells. The driving question of our next phase of work was: why are some devices highly secure, and what is it that separates them?

And we did a very scientific study of finding these secure devices and trying to figure out the qualities and the properties that they had in common, and this led to our list of these seven properties. We published that paper, which then led to more experiments.

Now, the devices we found that had these seven properties were devices that had hundreds of dollars in electronics in them, and, you know, that’s not going to scale to every device on the planet. You’re not going to be able to add hundreds of dollars of electronics to every device on the planet, like a light bulb, in order to get security.

Then we wondered if we could build a very, very small and a very, very economical solution that contained all seven properties. And that’s what ultimately led us to Azure Sphere. It’s a solution that, really, for just a few dollars, any company can build a device that is highly secured.

ANN JOHNSON: So, the device itself is highly secured; it has all these built-in capabilities, but one of the biggest problems our customers face is fundamentally a talent shortage, right? Is there something that we’re inherently doing here, with Azure Sphere, that could make it easier for customers?

GALEN HUNT: Yes. Fundamentally what we’re trying to do is create a scalable solution, and it is Microsoft talent that helps these companies create these highly secure devices. There’s something like a million-plus openings in the field of security professionals. Globally there’s a huge talent shortage.

With Azure Sphere we allow a company that doesn’t have really deep security expertise to draft off of our security talent. There are a few areas of expertise that one has to have in order to build a highly-secure device with similar capabilities to Azure Sphere.

Sometimes I’ll use the words technology, talent, and tactics. You have to have the technical expertise to actually build a device that has a high degree of security in it. Not just a device with a checklist of features, but with true integration across all components for gap-free security. Then, once the device is built and deployed out into the wild, you need the talent to fight the ongoing security battle. That talent is watching for and detecting emerging security threats and coding up mitigations to address them. And finally, you’ll have to scale out those updates to every device. That’s a really deep set of expertise, talent, and tactics and, for the most part, it’s very much outside of what many companies know how to do.

When building on top of Azure Sphere, instead of staffing or developing all of this expertise outside of their core business, organizations can instead outsource that to Microsoft.

ANN JOHNSON: That’s a really great way to put it. It also gives you that end-to-end security integration, right? Because I would imagine Azure Sphere is going to integrate with all of Microsoft’s infrastructure and services?

GALEN HUNT: In building Azure Sphere, we leveraged pretty deeply a lot of expertise and a lot of talent that we have at Microsoft. Take, for example, the infrastructure that we use to scale out the deployment of new updates. We leveraged the infrastructure that Microsoft created for the Windows update service—and, our operating system is much, much smaller than Windows. So now we have the capability to update billions of devices, globally, per hour. We also have a place where we can tie Azure Sphere into the Azure Security Center for IoT.

We also really drew on all of the expertise around Visual Studios for very scalable software development. We brought that power even to the smaller microcontroller class devices.

And the hardware root of trust that we put inside of every single Azure Sphere chip. That hardware root of trust is not something that we just created, just woke up one day and said, hey, let’s build a hardware root of trust from scratch. We actually built it based on our learning from the Xbox console.

The Xbox console, over 15 years has made three huge generational leaps. Those consoles can live in hostile environments—from a digital security perspective and a physical security perspective. So, we’ve taken everything we’ve learned about how to make those devices highly secured and applied it to building the hardware root of trust inside Azure Sphere. These are some of the ways that we’re really leveraging a lot of Microsoft’s deep expertise.

ANN JOHNSON: Today marks the general availability of Azure Sphere—which I’m super excited about, by the way! But I know you’ve been thinking for a long time about how we solve some of these bigger problems, particularly the explosion of IoT, and how customers are going to have to think about that within the next two, to three, to five, to ten years from now. What are the challenges you see ahead for us, and what are the benefits our customers will be able to realize?

GALEN HUNT: We’re excited as well—it’s a huge milestone for the team. Even at this point, at GA, we’re only at the beginning of our real journey with our customers. One of our immediate next steps is scaling out the silicon ecosystem. MediaTek is our first silicon partner. Their MT3620 chip is available in volume today, and it’s the perfect chip, especially for guardian modules and adding secure connectivity to many, many devices.

With microcontrollers, there are many, many verticals. They range in everything from toys to home appliances, to big industrial equipment. And no single chip scales across that entire ecosystem effectively, so we’ve engaged other silicon partners. In June, NXP, the world’s number one microcontroller manufacturer, announced their timeline for their very first Azure Sphere chip. And that chip will add much larger compute capabilities. For example, they’ll do AI, and vision, and graphics, and more sophisticated user interfaces. And then in October, Qualcomm announced that they’ll build the very first cellular native Azure Sphere chip.

The other place we see ourselves growing is in adding more enterprise readiness features. As we’ve engaged with some of our early partners, for example, Starbucks, and have helped them deploy Azure Sphere across their stores in North America, we’ve realized that there’s a lot we can do to really help integrate Azure Sphere better with existing enterprise systems to make that very, very smooth.

ANN JOHNSON: There’s a lot of noise about tech regulations, certainly about IoT and different device manufacturing procedures. How are we thinking about innovation in the context of balancing it with regulation?

GALEN HUNT: So, let’s talk about innovation and regulation. There are times when you want to step out of the way and just let people innovate as much as possible. And then there are times as an industry, or as a society we want to make sure we establish a baseline.

Take food safety, for example. The science of food safety is very well established. Having regulations makes sure that no one cuts corners on safety for the sake of economic expediency. Most countries have embraced some kind of regulations around food safety.

IoT is another industry where it’s in everybody’s favor that all devices be secure. If consumers and enterprises can know that every device has a strong foundation of security and trustworthiness, then they’ll be more likely to buy devices, and build devices, and deploy devices.

And so I really see it as an opportunity whereby collectively and, with governments encouraging baseline levels of security, agreeing on a strong foundation of security we’ll all feel confident in our environment, and that’s really a positive thing for everybody.

ANN JOHNSON: That’s really a great perspective, and I think that we’ve always been that way at Microsoft, right? We view regulation in a positive way and thinking that it needs to be the right regulation across a wide variety of things that we’re doing, whether it be AI, just making sure that it’s being used for ethical use cases.

Which brings me to that last-wrap question, what’s next, what are your next big plans, what’s your next big security disruption?

GALEN HUNT: We recently announced new chips from NXP and Qualcomm, we’ll continue our focus on expanding our silicon and hardware ecosystem to deliver more choice for our customers. And then beyond that, our next big plan is to take Azure Sphere everywhere. We’ve demonstrated it’s possible, but I think we’re just starting to scratch the surface of secured IoT. There’s so much ability for innovation, and the devices that people are building, and the way that we’re using devices. When we’re really able to close this digital feedback loop and really interact between the digital world and the physical world, it’s just a tremendous opportunity, and so that’s where I’m going.

ANN JOHNSON: Excellent, well, I really appreciate the conversation. Azure Sphere is a great example of the notion that while cybersecurity is complex, it does not have to be complicated. Azure Sphere helps our customers overcome today’s complicated IoT security challenges. Thank you, Galen, for some great insights into the current IoT security landscape and how Microsoft and Azure Sphere are advancing IoT device security with the broad availability of Azure Sphere today.

 

If you are interested in learning more about how Azure Sphere can help you securely fast track your next IoT innovation.

 

About Ann Johnson and Galen Hunt

Ann Johnson is the Corporate Vice President of the Cybersecurity Solutions Group at Microsoft where she oversees the go-to-market strategies of cybersecurity solutions. As part of this charter, she leads and drives the evolution and implementation of Microsoft’s short- and long-term security, compliance, and identity solutions roadmap with alignment across the marketing, engineering, and product teams.

Prior to joining Microsoft, her executive leadership roles included Chief Executive Officer of Boundless Spatial, President and Chief Operating Officer of vulnerability management pioneer Qualys, Inc., and Vice President of World Wide Identity and Fraud Sales at RSA Security, a subsidiary of EMC Corporation.

Dr. Galen Hunt founded and leads the Microsoft team responsible for Azure Sphere. His team’s mission is to ensure that every IoT device on the planet is secure and trustworthy. Previously, Dr. Hunt pioneered technologies ranging from confidential cloud computing to light-weight container virtualization, type-safe operating systems, and video streaming. Dr. Hunt was a member of Microsoft’s founding cloud computing team.

Dr. Hunt holds over 100 patents, a B.S. degree in Physics from University of Utah and Ph.D. and M.S. degrees in Computer Science from the University of Rochester.

The post Azure Sphere—Microsoft’s answer to escalating IoT threats—reaches general availability appeared first on Microsoft Security.

Afternoon Cyber Tea—The State of Cybersecurity: How did we get here? What does it mean?

January 29th, 2020 No comments

Every year the number and scale of cyberattacks grows. Marc Goodman, a global security strategist, futurist, and author of the book, Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It, thinks a lot about how we got here and what it means, which is why he was invited to be the first guest on my podcast series, Afternoon Cyber Tea with Ann Johnson.

Marc has a long history in law enforcement, starting as a police officer in Los Angeles and more recently as a consultant to Interpol, The United Nations, NATO, the U.S. Federal Government, and local U.S. law enforcement. His background and experience give him a shrewd perspective on the threats that governments and businesses face now and in the future.

In our conversation, Marc and I discussed what drives cyberattack numbers to climb every year and why data is a risk factor. We also peered into the future and examined some of the threats that businesses and governments should begin preparing for now. Did you know that today the average household has at least 15 connected devices? That number is expected to rapidly grow to 50. We talked about what a truly connected world means for defenders. I really appreciate the way Marc was able to humanize the risks associated with the Internet of Things (IoT).

Most importantly we identified steps, such as Multi-Factor Authentication (MFA) and passwordless technology, that organizations can take to mitigate these threats. I hope you will take a moment to listen in on our conversation. Listen to the first episode of Afternoon Cyber Tea with Ann Johnson on Apple Podcasts or Podcast One.

What’s next

In this important cyber series, I’ll talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by artificial intelligence (AI), IoT, and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

Also bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea—The State of Cybersecurity: How did we get here? What does it mean? appeared first on Microsoft Security.

How to implement Multi-Factor Authentication (MFA)

January 15th, 2020 No comments

Another day, another data breach. If the regular drumbeat of leaked and phished accounts hasn’t persuaded you to switch to Multi-Factor Authentication (MFA) already, maybe the usual January rush of ‘back to work’ password reset requests is making you reconsider. When such an effective option for protecting accounts is available, why wouldn’t you deploy it straight away?

The problem is that deploying MFA at scale is not always straightforward. There are technical issues that may hold you up, but the people side is where you have to start. The eventual goal of an MFA implementation is to enable it for all your users on all of your systems all of the time, but you won’t be able to do that on day one.

To successfully roll out MFA, start by being clear about what you’re going to protect, decide what MFA technology you’re going to use, and understand what the impact on employees is going to be. Otherwise, your MFA deployment might grind to a halt amid complaints from users who run into problems while trying to get their job done.

Before you start on the technical side, remember that delivering MFA across a business is a job for the entire organization, from the security team to business stakeholders to IT departments to HR and to corporate communications and beyond, because it has to support all the business applications, systems, networks and processes without affecting workflow.

Campaign and train

Treat the transition to MFA like a marketing campaign where you need to sell employees on the idea—as well as provide training opportunities along the way. It’s important for staff to understand that MFA is there to support them and protect their accounts and all their data, because that may not be their first thought when met with changes to the way they sign in to the tools they use every day. If you run an effective internal communications campaign that makes it clear to users what they need to do and, more importantly, why they need to do it, you’ll avoid them seeing MFA as a nuisance or misunderstanding it as ‘big brother’ company tracking.

The key is focusing on awareness: in addition to sending emails, put up posters in the elevator and hang banner ads in your buildings, all explaining why you’re making the transition to MFA. Focus on informing your users, explaining why you’re making this change—making it very clear what they will need to do and where they can find instructions, documentation, and support.

Also, provide FAQs and training videos, along with optional training sessions or opportunities to opt in to an early pilot group (especially if you can offer them early access to a new software version that will give them features they need). Recognize that MFA is more work for them than just using a password, and that they will very likely be inconvenienced. Unless you are able to use biometrics on every device, they will have to get used to carrying a security key or a device with an authenticator app with them all the time, so you need them to understand why MFA is so important.

It’s not surprising that users can be concerned about a move to MFA. After all, MFA has sometimes been done badly in the consumer space. They’ll have seen stories about social networks abusing phone numbers entered for security purposes for marketing or of users locked out of their accounts if they’re travelling and unable to get a text message. You’ll need to reassure users who have had bad experiences with consumer MFA and be open to feedback from employees about the impact of MFA policies. Like all tech rollouts, this is a process.

If you’re part of an international business you have more to do, as you need to account for global operations. That needs wider buy-in and a bigger budget, including language support if you must translate training and support documentation. If you don’t know where to start, Microsoft provides communication templates and user documentation you can customize for your organization.

Start with admin accounts

At a minimum, you want to use MFA for all your admins, so start with privileged users. Administrative accounts are your highest value targets and the most urgent to secure, but you can also treat them as a proof of concept for wider adoption. Review who these users are and what privileges they have—there are probably more accounts than you expect with far more privileges than are really needed.

At the same time, look at key business roles where losing access to email—or having unauthorized emails sent—will have a major security impact. Your CEO, CFO, and other senior leaders need to move to MFA to protect business communications.

Use what you’ve learned from rolling out MFA to high-value groups to plan a pilot deployment—which includes employees from across the business who require different levels of security access—so your final MFA deployment is optimized for mainstream employees without hampering the productivity of those working with more sensitive information, whether that’s the finance team handling payroll or developers with commit rights. Consider how you will cover contractors and partners who need access as well.

Plan for wider deployment

Start by looking at what systems you have that users need to sign in to that you can secure with MFA. Remember that includes on-premises systems—you can incorporate MFA into your existing remote access options, using Active Directory Federation Services (AD FS), or Network Policy Server and use Azure Active Directory (Azure AD) Application Proxy to publish applications for cloud access.

Concentrate on finding any networks or systems where deploying MFA will take more work (for example, if SAML authentication is used) and especially on discovering vulnerable apps that don’t support anything except passwords because they use legacy or basic authentication. This includes older email systems using MAPI, EWS, IMAP4, POP3, SMTP, internal line of business applications, and elderly client applications. Upgrade or update these to support modern authentication and MFA where you can. Where this isn’t possible, you’ll need to restrict them to use on the corporate network until you can replace them, because critical systems that use legacy authentication will block your MFA deployment.

Be prepared to choose which applications to prioritize. As well as an inventory of applications and networks (including remote access options), look at processes like employee onboarding and approval of new applications. Test how applications work with MFA, even when you expect the impact to be minimal. Create a new user without admin access, use that account to sign in with MFA and go through the process of configuring and using the standard set of applications staff will use to see if there are issues. Look at how users will register for MFA and choose which methods and factors to use, and how you will track and audit registrations. You may be able to combine MFA registration with self-service password reset (SSPR) in a ‘one stop shop,’ but it’s important to get users to register quickly so that attackers can’t take over their account by registering for MFA, especially if it’s for a high-value application they don’t use frequently. For new employees, you should make MFA registration part of the onboarding process.

Make MFA easier on employees

MFA is always going to be an extra step, but you can choose MFA options with less friction, like using biometrics in devices or FIDO2 compliant factors such as Feitian or Yubico security keys. Avoid using SMS if possible. Phone-based authentication apps like the Microsoft Authenticator App are an option, and they don’t require a user to hand over control of their personal device. But if you have employees who travel to locations where they may not have connectivity, choose OATH verification codes, which are automatically generated, rather than push notifications, which are usually convenient but require the user to be online. You can even use automated voice calls: letting users press a button on the phone keypad is less intrusive than giving them a passcode to type in on screen.

Offer a choice of alternative factors so people can pick the one that best suits them. Biometrics are extremely convenient, but some employees may be uncomfortable using their fingerprint or face for corporate sign-ins and may prefer receiving an automated voice call.

Make sure that you include mobile devices in your MFA solution, managing them through Mobile Device Management (MDM), so you can use conditional and contextual factors for additional security.

Avoid making MFA onerous; choose when the extra authentication is needed to protect sensitive data and critical systems rather than applying it to every single interaction. Consider using conditional access policies and Azure AD Identity Protection, which allows for triggering two-step verification based on risk detections, as well as pass-through authentication and single-sign-on (SSO).

If MFA means that a user accessing a non-critical file share or calendar on the corporate network from a known device that has all the current OS and antimalware updates sees fewer challenges—and no longer faces the burden of 90-day password resets—then you can actually improve the user experience with MFA.

Have a support plan

Spend some time planning how you will handle failed sign-ins and account lockouts. Even with training, some failed sign-ins will be legitimate users getting it wrong and you need to make it easy for them to get help.

Similarly, have a plan for lost devices. If a security key is lost, the process for reporting that needs to be easy and blame free, so that employees notify you immediately and you can expire their sessions, block the security key, and audit the behavior of their account (going back to before they notified you of the loss). Security keys that use biometrics may be a little more expensive, but if they’re lost or stolen, an attacker can’t use them. If possible, make it a simple, automated workflow, using your service desk tools.

You also need to quickly get them connected another way so they can get back to work. Automatically enrolling employees with a second factor can help. Make that second factor convenient enough that they can still do their job, but not so convenient that they keep using it and don’t report the loss: one easy option is allowing one-time bypasses. Similarly, make sure you’re set up to automatically deprovision entitlements and factors when employees change roles or leave the organization.

Measure and monitor

As you deploy MFA, monitor the rollout to see what impact it has on both security and productivity and be prepared to make changes to policies or invest in better hardware to make it successful. Track security metrics for failed login attempts, credential phishing that gets blocked and privilege escalations that are denied.

Your MFA marketing campaign also needs to continue during and after deployment, actively reaching out to staff and asking them to take part in polls or feedback sessions. Start that with the pilot group and continue it once everyone is using MFA.

Even when you ask for it, don’t rely on user feedback to tell you about problems. Check helpdesk tickets, logs, and audit options to see if it’s taking users longer to get into systems, or if they’re postponing key tasks because they’re finding MFA difficult, or if security devices are failing or breaking more than expected. New applications and new teams in the business will also mean that MFA deployment needs to be ongoing, and you’ll need to test software updates to see if they break MFA; you have to make it part of the regular IT process.

Continue to educate users about the importance of MFA, including running phishing training and phishing your own employees (with more training for those who are tricked into clicking through to fake links).

MFA isn’t a switch you flip; it’s part of a move to continuous security and assessment that will take time and commitment to implement. But if you approach it in the right way, it’s also the single most effective step you can take to improve security.

About the authors

Ann Johnson is the Corporate Vice President for Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures.

Christina Morillo is a Senior Program Manager on the Azure Identity Engineering Product team at Microsoft. She is an information security and technology professional with a background in cloud technologies, enterprise security, and identity and access. Christina advocates and is passionate about making technology less scary and more approachable for the masses. When she is not at work, or spending time with her family, you can find her co-leading Women in Security and Privacy’s NYC chapter and supporting others as an advisor and mentor. She lives in New York City with her husband and children.

Learn more

To find out more about Microsoft’s Cybersecurity Solutions, visit the Microsoft Security site, or follow Microsoft Security on Twitter at Microsoft Security Twitter or Microsoft WDSecurity Twitter.

To learn more about Microsoft Azure Identity Management solutions, visit this Microsoft overview page and follow our Identity blog. You can also follow us @AzureAD on Twitter.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to implement Multi-Factor Authentication (MFA) appeared first on Microsoft Security.

CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life

December 23rd, 2019

The Lessons learned from the Microsoft SOC blog series is designed to share our approach and experience with security operations center (SOC) operations. We share strategies and learnings from our SOC, which protects Microsoft, and our Detection and Response Team (DART), who helps our customers address security incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

For the next two installments in the series, we’ll take you on a virtual shadow session of a SOC analyst, so you can see how we use security technology. You’ll get to virtually experience a day in the life of these professionals and see how Microsoft security tools support the processes and metrics we discussed earlier. We’ll primarily focus on the experience of the Investigation team (Tier 2) as the Triage team (Tier 1) is a streamlined subset of this process. Threat hunting will be covered separately.

General impressions

Newcomers to the facility often remark on how calm and quiet our SOC physical space is. It looks and sounds like a “normal” office with people going about their job in a calm professional manner. This is in sharp contrast to the dramatic moments in TV shows that use operations centers to build tension/drama in a noisy space.

Nature doesn’t have edges

We have learned that the real world is often “messy” and unpredictable, and the SOC tends to reflect that reality. What comes into the SOC doesn’t always fit into the nice neat boxes, but a lot of it follows predictable patterns that have been forged into standard processes, automation, and (in many cases) features of Microsoft tooling.

Routine front door incidents

The most common attack patterns we see are phishing and stolen credentials attacks (or minor variations on them):

  • Phishing email → Host infection → Identity pivot
  • Stolen credentials → Identity pivot → Host infection

While these aren’t the only ways attackers gain access to organizations, they’re the most prevalent methods mastered by most attackers. Just as martial artists start by mastering basic common blocks, punches, and kicks, SOC analysts and teams must build a strong foundation by learning to respond rapidly to these common attack methods.

As we mentioned earlier in the series, it’s been over two years since network-based detection has been the primary method for detecting an attack. We attribute this primarily to investments that improved our ability to rapidly remediate attacks early with host/email/identity detections. There are also fundamental challenges with network-based detections (they are noisy and have limited native context for filtering true vs. false positives).

Analyst investigation process

Once an analyst settles into the analyst pod on the watch floor for their shift, they start checking the queue of our case management system for incidents (not entirely unlike phone support or help desk analysts would).

While anything might show up in the queue, the process for investigating common front door incidents includes:

  1. Alert appears in the queue—After a threat detection tool detects a likely attack, an incident is automatically created in our case management system. The Mean Time to Acknowledge (MTTA) measurement of SOC responsiveness begins with this timestamp. See Part 1: Organization for more information on key SOC metrics.

Basic threat hunting helps keep a queue clean and tidy

Require a 90 percent true positive rate for alert sources (e.g., detection tools and types) before allowing them to generate incidents in the analyst queue. This quality requirement reduces the volume of false positive alerts, which can lead to frustration and wasted time. To implement, you’ll need to measure and refine the quality of alert sources and create a basic threat hunting process. A basic threat hunting process leverages experienced analysts to comb through alert sources that don’t meet this quality bar to identify interesting alerts that are worth investigating. This review (without requiring full investigation of each one) helps ensure that real incident detections are not lost in the high volume of noisy alerts. It can be a simple part time process, but it does require skilled analysts that can apply their experience to the task.

  2. Own and orient—The analyst on shift begins by taking ownership of the case and reading through the information available in the case management tool. The timestamp for this is the end of the MTTA responsiveness measurement and begins the Mean Time to Remediate (MTTR) measurement.

Experience matters

A SOC is dependent on the knowledge, skills, and expertise of the analysts on the team. The attack operators and malware authors you defend against are often adaptable and skilled humans, so no prescriptive textbook or playbook on response will stay current for very long. We work hard to take good care of our people—giving them time to decompress and learn, recruiting them from diverse backgrounds that can bring fresh perspectives, and creating a career path and shadowing programs that encourage them to learn and grow.

  3. Check out the host—Typically, the first priority is to identify affected endpoints so analysts can rapidly get deep insight. Our SOC relies on the Endpoint Detection and Response (EDR) functionality in Microsoft Defender Advanced Threat Protection (ATP) for this.

Why endpoint is important

Our analysts have a strong preference to start with the endpoint because:

  • Endpoints are involved in most attacks—Malware on an endpoint represents the sole delivery vehicle of most commodity attacks, and most attack operators still rely on malware on at least one endpoint to achieve their objective. We’ve also found the EDR capabilities detect advanced attackers that are “living off the land” (using tools deployed by the enterprise to navigate). The EDR functionality in Microsoft Defender ATP provides visibility into normal behavior that helps detect unusual command lines and process creation events.
  • Endpoint offers powerful insights—Malware and its behavior (whether automated or manual actions) on the endpoint often provides rich detailed insight into the attacker’s identity, skills, capabilities, and intentions, so it’s a key element that our analysts always check for.

Identifying the endpoints affected by this incident is easy for alerts raised by the Microsoft Defender ATP EDR, but may take a few pivots on an email or identity sourced alert, which makes integration between these tools crucial.

  4. Scope out and fill in the timeline—The analyst then builds a full picture and timeline of the related chain of events that led to the alert (which may be an adversary’s attack operation or a false positive) by following leads from the first host alert. The analyst travels along the timeline:
    • Backward in time—Track backward to identify the entry point in the environment.
    • Forward in time—Follow leads to any devices/assets an attacker may have accessed (or attempted to access).

Our analysts typically build this picture using the MITRE ATT&CK™ model (though some also adhere to the classic Lockheed Martin Cyber Kill Chain®).

True or false? Art or science?

The process of investigation is partly a science and partly an art. The analyst is ultimately building a storyline of what happened to determine whether this chain of events is the result of a malicious actor (often attempting to mask their actions/nature), a normal business/technical process, an innocent mistake, or something else.

This investigation is a repetitive process. Analysts identify potential leads based on the information in the original report, follow those leads, and evaluate if the results contribute to the investigation.

Analysts often contact users to identify whether they performed an anomalous action intentionally or accidentally, or whether it was not done by them at all.

Running down the leads with automation

Much like analyzing physical evidence in a criminal investigation, cybersecurity investigations involve iteratively digging through potential evidence, which can be tedious work. Another parallel between cybersecurity and traditional forensic investigations is that popular TV and movie depictions are often much more exciting and faster than the real world.

One significant advantage of investigating cyberattacks is that the relevant data is already electronic, making it easier to automate investigation. For many incidents, our SOC takes advantage of security orchestration, automation, and remediation (SOAR) technology to automate investigation (and remediation) of routine incidents. Our SOC relies heavily on the AutoIR functionality in Microsoft Threat Protection tools like Microsoft Defender ATP and Office 365 ATP to reduce analyst workload. In our current configuration, some remediations are fully automatic and some are semi-automatic (where analysts review the automated investigations and propose remediation before approving execution of it).

Document, document, document

As the analyst builds this understanding, they must capture a complete record with their conclusions and reasoning/evidence for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.).

As our analyst develops information on an incident, they capture the common, most relevant details quickly into the case such as:

  • Alert info: Alert links and Alert timeline
  • Machine info: Name and ID
  • User info
  • Event info
  • Detection source
  • Download source
  • File creation info
  • Process creation
  • Installation/Persistence method(s)
  • Network communication
  • Dropped files

Fusion and integration avoid wasting analyst time

Each minute an analyst wastes on manual effort is another minute the attacker has to spread, infect, and do damage during an attack operation. Repetitive manual activity also creates analyst toil, increases frustration, and can drive interest in finding a new job or career.

We learned that several technologies are key to reducing toil (in addition to automation):

  • Fusion—Adversary attack operations frequently trip multiple alerts in multiple tools, and these must be correlated and linked to avoid duplication of effort. Our SOC has found significant value from technologies that automatically find and fuse these alerts together into a single incident. Azure Security Center and Microsoft Threat Protection include these natively.
  • Integration—Few things are more frustrating and time consuming than having to switch consoles and tools to follow a lead (a.k.a., swivel chair analytics). Switching consoles interrupts their thought process and often requires manual tasks to copy/paste information between tools to continue their work. Our analysts are extremely appreciative of the work our engineering teams have done to bring threat intelligence natively into Microsoft’s threat detection tools and link together the consoles for Microsoft Defender ATP, Office 365 ATP, and Azure ATP. They’re also looking forward to (and starting to test) the Microsoft Threat Protection Console and Azure Sentinel updates that will continue to reduce the swivel chair analytics.
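To make the fusion idea concrete, here is an added example (not the algorithm used by Azure Security Center or Microsoft Threat Protection, which the post does not describe). It links alerts from different tools into one incident when they share an entity within a time window, using union-find; the alerts, entity labels, and the four-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)  # assumption: how long a shared entity keeps alerts linked


def _t(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


# Constructed alerts following the phishing -> host infection -> identity pivot pattern.
ALERTS = [
    {"id": "A1", "tool": "email",    "time": _t("2019-12-02T09:00"),
     "entities": {"user:alice", "message:constructed-id-1"}},
    {"id": "A2", "tool": "edr",      "time": _t("2019-12-02T09:05"),
     "entities": {"host:wks-17", "user:alice"}},
    {"id": "A3", "tool": "identity", "time": _t("2019-12-02T09:20"),
     "entities": {"user:alice", "host:srv-03"}},
    {"id": "A4", "tool": "edr",      "time": _t("2019-12-02T09:25"),
     "entities": {"host:srv-03"}},
    {"id": "A5", "tool": "edr",      "time": _t("2019-12-02T16:00"),
     "entities": {"host:wks-42", "user:bob"}},
    {"id": "A6", "tool": "identity", "time": _t("2019-12-03T09:00"),
     "entities": {"user:alice"}},  # same user, but a day later: outside the window
]


def fuse(alerts, window=WINDOW):
    """Group alert ids into incidents: alerts sharing an entity within `window` are linked,
    and links are transitive (A1-A2 via the user, A3-A4 via the host, and so on)."""
    parent = {alert["id"]: alert["id"] for alert in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[max(root_a, root_b)] = min(root_a, root_b)

    last_seen = {}  # entity -> (alert id, time) of the most recent alert mentioning it
    for alert in sorted(alerts, key=lambda a: a["time"]):
        for entity in alert["entities"]:
            previous = last_seen.get(entity)
            if previous and alert["time"] - previous[1] <= window:
                union(alert["id"], previous[0])
            last_seen[entity] = (alert["id"], alert["time"])

    incidents = {}
    for alert in alerts:
        incidents.setdefault(find(alert["id"]), []).append(alert["id"])
    return sorted(sorted(ids) for ids in incidents.values())


def tools_per_incident(alerts, incidents):
    """Which consoles an analyst would otherwise have visited separately for each incident."""
    tool_of = {alert["id"]: alert["tool"] for alert in alerts}
    return [sorted({tool_of[i] for i in ids}) for ids in incidents]


if __name__ == "__main__":
    fused = fuse(ALERTS)
    for ids, tools in zip(fused, tools_per_incident(ALERTS, fused)):
        print(f"incident {ids} <- tools {tools}")
```

Six alerts collapse into three incidents here, and the first one spans three tools, which is exactly the case where an unfused queue would have had three analysts working the same attack.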

Stay tuned for the next segment in the series, where we’ll conclude our investigation, remediate the incident, and take part in some continuous improvement activities.

Learn more

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about SOCs, read previous posts in the Lessons learned from the Microsoft SOC series, including:

Watch the CISO Spotlight Series: Passwordless: What’s It Worth.

Also, see our full CISO series and download our Minutes Matter poster for a visual depiction of our SOC philosophy.

The post CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life appeared first on Microsoft Security.

Spear phishing campaigns—they’re sharper than you think

December 2nd, 2019

Even your most security-savvy users may have difficulty identifying honed spear phishing campaigns. Unlike traditional phishing campaigns that are blasted to a large email list in hopes that just one person will bite, advanced spear phishing campaigns are highly targeted and personal. They are so targeted, in fact, that we sometimes refer to them as “laser” phishing. And because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email. That’s how good they are.

Even though spear phishing campaigns can be highly effective, they aren’t foolproof. If you understand how they work, you can put measures in place to reduce their power. Today, we provide an overview of how these campaigns work and steps you can take to better protect your organization and users.

Figure 1. Percentage of inbound emails associated with phishing on average increased in the past year, according to Microsoft security research (source: Microsoft Security Intelligence Report).

Step 1: Select the victims

To illustrate how clever some of these campaigns are, imagine a busy recruiter who is responsible for filling several IT positions. The IT director is under a deadline and desperate for good candidates. The recruiter posts the open roles on their social networks asking people to refer leads. A few days later they receive an email from a prospective candidate who describes the role in the email. The recruiter opens the attached resume and inadvertently infects their computer with malware. They have just been duped by a spear phisher.

How did it happen?

In a spear phishing campaign, the first thing an attacker needs to do is identify the victims. These are typically individuals who have access to the data the attacker wants. In this instance, the attackers want to infiltrate the human resources department because they want to exfiltrate employee social security numbers. To identify potential candidates they conduct extensive research, such as:

  • Review corporate websites to gain insight into processes, departments, and locations.
  • Use scripts to harvest email addresses.
  • Follow company social media accounts to understand company roles and the relationships between different people and departments.

In our example, the attackers learned by browsing the website that the convention for emails is first.last@company.com. They browsed the website, social media, and other digital sources for human resources professionals and potential hooks. It didn’t take long to notice several job openings. Once the recruiter shared details of jobs online, would-be attackers had everything they needed.

Why it might work: In this instance it would be logical for the victim to open the attachment. One of their job responsibilities is to collect resumes from people they don’t know.

Figure 2. Research and the attack are the first steps in a longer strategy to exfiltrate sensitive data.

Step 2: Identify the credible source

Now let’s consider a new executive who receives an email late at night from their boss, the CEO. The CEO is on a trip to China meeting with a vendor, and in the email, the CEO references the city they’re in and requests that the executive immediately wire $10,000 to pay the vendor. The executive wants to impress the new boss, so they jump on the request right away.

How did it happen?

In spear phishing schemes, the attacker needs to identify a credible source whose emails the victim will open and act on. This could be someone who appears to be internal to the company, a friend, or someone from a partner organization. Research into the victim’s relationships informs this selection. In the first example, we imagined a would-be job seeker that the victim doesn’t know. However, in many spear phishing campaigns, such as with our executive, the credible source is someone the victim knows.

To execute the spear phishing campaign against the executive, the attackers uncovered the following information:

  • Identified senior leaders at the company who have authority to sign off on large sums of money.
  • Selected the CEO as the credible source who is most likely to ask for the money.
  • Discovered details about the CEO’s upcoming trip based on social media posts.

Why it might work: Targeting executives by impersonating the CEO is increasingly common—some refer to it as whale phishing. Executives have more authority and access to information and resources than the average employee. People are inclined to respond quickly when the boss emails—especially if they say it’s urgent. This scenario takes advantage of those human power dynamics.

Figure 3. The more targeted the campaign, the bigger the potential payoff.

Step 3: Victim acts on the request

The final step in the process is for the victim to act on the request. In our first example, the human resources recruiter could have initiated a payload that would take over their computer or provide a tunnel for the attacker to access information. In our second scenario, the victim could have wired large sums of money to a fraudulent actor. If the victim does accidentally open the spear phishing email and respond to the call to action, open a malicious attachment, or visit an infected webpage, the following could happen:

  • The machine could be infected with malware.
  • Confidential information could be shared with an adversary.
  • A fraudulent payment could be made to an adversary.

Catch more phishy emails

Attackers have improved their phishing campaigns to better target your users, but there are steps you can take to reduce the odds that employees will respond to the call to action. We recommend that you do the following:

  • Educate users on how to detect phishing emails—Spear phishing emails do a great job of effectively impersonating a credible source; however, there are often small details that can give them away. Help users identify phish using training tools that simulate a real phish. Here are a few tells that are found in some phish that you can incorporate into your training:
    • An incorrect email address or one that resembles what you expect but is slightly off.
    • A sense of urgency coupled with a request to break company policy. For example, fast tracking payments without the usual checks and procedures.
    • Emotive language to evoke sympathy or fear. For example, the impersonated CEO might say you’re letting them down if you do not make the urgent payment.
    • Inconsistent wording or terminology. Does the business lingo align with company conventions? Does the source typically use those words?

  • Encourage users to communicate potential phishing emails—It’s important that users flag phishing emails to the proper team. This can be done natively within many enterprise email systems. It can also be helpful if users talk with their peers about the phishing emails they receive. Spear phishers typically don’t send blast emails; however, they may select several people from the same department or with business relationships. Talking will alert other users to be on the lookout for phishy emails.

Figure 4. Enhanced anti-phishing capabilities are available in Microsoft Office 365.

  • Deploy technology designed to block phishing emails—If users don’t receive the phishing email, they can’t act on it! Deploy technology that can help you catch phishing emails before they land in someone’s inbox. For instance, Office 365, one of the world’s largest email providers, offers a variety of protection against phishing attacks by default and through additional offerings such as Microsoft Advanced Threat Protection (ATP) anti-phishing. Importantly, Microsoft has both been advancing the anti-phishing capabilities of Office 365 (see Figure 4 above) and improving catch rates of phishing emails.
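
Three of the tells listed above can be checked mechanically before a message reaches a reviewer. The sketch below is an added example, not code from the original post or from any Microsoft product; the trusted domain, the phrase lists and both sample messages are constructed assumptions, and the fourth tell (inconsistent wording) is left to human judgment.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the organization's real mail domain (hypothetical value).
TRUSTED_DOMAINS = {"contoso.example"}

# Hypothetical phrase lists for three of the tells; tune them to your own mail.
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
POLICY_BYPASS = re.compile(
    r"fast[- ]track|\b(skip|bypass|without)\b.{0,40}\b(approvals?|checks?|procedures?)\b",
    re.I,
)
EMOTIVE = re.compile(r"\b(letting me down|disappointed in you|counting on you)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` resembles but does not equal, else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def find_tells(raw_message):
    """Return the tells found in one RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    tells = []
    if lookalike_of(domain):
        tells.append("lookalike_sender")        # address is slightly off
    if URGENCY.search(text) and POLICY_BYPASS.search(text):
        tells.append("urgency_policy_bypass")   # urgency plus a request to skip checks
    if EMOTIVE.search(text):
        tells.append("emotive_language")        # sympathy or fear as pressure
    return tells


# Constructed sample messages (not real mail).
PHISH = (
    "From: Chief Executive <ceo@cont0so.example>\n"
    "To: finance@contoso.example\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "I need you to fast track this payment today without the usual checks.\n"
    "You would be letting me down if it is not sent before noon.\n"
)
LEGIT = (
    "From: Accounts Payable <ap@contoso.example>\n"
    "To: finance@contoso.example\n"
    "Subject: March invoice\n"
    "\n"
    "The March invoice is attached.\n"
    "Please route it through the normal approval process.\n"
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, find_tells(raw))
```

A hit is a reason to route the message for review or to use it in training material, not a verdict on its own.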

Get in touch

Reach out to Diana Kelley on LinkedIn or Twitter or Seema Kathuria on LinkedIn or Twitter and let them know what you’d like to see us cover as they talk about new security products and capabilities.

Also, bookmark the Security blog to keep up with our expert coverage on security matters, and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Spear phishing campaigns—they’re sharper than you think appeared first on Microsoft Security.

Rethinking cyber learning—consider gamification

November 25th, 2019

As promised, I’m back with a follow-up to my recent post, Rethinking how we learn security, on how we need to modernize the learning experience for cybersecurity professionals by gamifying training to make learning fun. Some of you may have attended the recent Microsoft Ignite events in Orlando and Paris. I missed the conferences (ironically, due to attending a cybersecurity certification boot camp) but heard great things about the Microsoft/Circadence joint Into the Breach capture the flag exercise.

If you missed Ignite, we’re planning several additional Microsoft Ignite The Tour events around the world, where you’ll be able to try your hand at this capture the flag experience. Look for me at the Washington, DC event in early February.

In the meantime, due to the great feedback I received from my previous blog—which I do really appreciate, especially if you have ideas for how we should tackle the shortage of cyber professionals—I’ll be digging deeper into the mechanics of learning to understand what it really takes to learn cyber in today’s evolving landscape.

Today, I want to address the important questions of how a new employee could actually ramp up their learning, and how employers can prepare employees for success and track the efficacy of the learning curriculum. Once again, I’m pleased to share this post with Keenan Skelly, chief evangelist at Boulder, Colorado-based Circadence.

Here are some of her recommendations from our Q&A:

Q: Keenan, in our last blog, you discussed Circadence’s “Project Ares” cyber learning platform. How do new cyber practitioners get started on Project Ares?

A: The way that Project Ares is set up allows for a user to acquire a variety of different skill levels when launched. It’s important to understand what kind of work roles you’re looking to learn about as a user as well as what kinds of tools you’re looking to understand better before you get started on Project Ares. For example, if I were to take some of my Girls Who Code or Cyber Patriot students and put them into the platform, I would probably have them start in the Battle School. This is where they’re going to learn about basic cybersecurity fundamentals such as ports and protocols, regular expressions, and the cyber kill chain. Then they can transition into Battle Rooms, where they’ll start to learn about very specific tools, tactics, and procedures or TTPs, for a variety of different work roles. If you’re a much more skilled cyber ninja, however, you can probably go ahead and get right into Missions, but we do recommend that everyone who comes into Project Ares does some work in the Battle Rooms first, specifically if they are trying to learn a tool or a skill for their work role.

Project Ares also has a couple of different routes that an expert or an enterprising cybersecurity professional can come into that’s really focused more on their role. For example, we have an assessments area based entirely on the work role. This aligns to the NIST framework and the NICE cybersecurity work roles. For example, if you’re a network defender, you can come into that assessment pathway and have steps laid out before you to identify your skill level in that role as you see below:

Assessment pathway.

Q: What areas within Project Ares do you recommend for enterprise cyber professionals to train against role-based job functions and prepare for cyber certifications?

A: You might start with something simple like understanding very basic things about your work role through a questionnaire in the Battle School arena as seen in the illustrations below. You may then move into a couple of Battle Rooms that tease out very detailed skills in tools that you would be using for that role. And then eventually you’ll get to go into a mission by yourself, and potentially a mission with your entire team to really certify that you are capable in that work role. All this practice helps prepare professionals to take official cyber certifications and exams.

Battle School questionnaire.

Battle School mission.

Q: Describe some of the gamification elements in Project Ares and share how it enhances cyber learning.

A: One of the best things about Project Ares is gamification. Everyone loves to play games, whether it’s on your phone playing Angry Birds, or on your computer or gaming console. So we really tried to put a lot of gaming elements inside Project Ares. Since everything is scored within Project Ares, everything you do from learning about ports and protocols, to battle rooms and missions, gives you experience points. Experience points add up to skill badges. All these things make learning more fun for the user. For example, if you’re a defender, you might have skill badges in infrastructure, network design, network defense, etc. And the way Project Ares is set up, once you have a certain combination of those skill badges you can earn a work role achievement certificate within Project Ares.

This kind of thing is taken very much from Call of Duty and other types of games where you can really build up your skills by doing a very specific skill-based activity and earn points towards badges. One of the other things that is great about Project Ares is it’s quite immersive. For example, Missions allows a user to come into a specific cyber situation or cyber response situation (e.g., water treatment plant cyberattack) and have multimedia effects that demonstrate what is going on—very much reflective of that cool guy video look. Being able to talk through challenges in the exercises with our in-game advisor, Athena, adds another element to the learning experience as shown in the illustration below.

Athena was inspired by the trends of personal assistants like Cortana and other such AI-bots, which have been integrated into games. So things like chat bots, narrative storylines, and skill badges are super important for really immersing the individual in the process. It’s so much more fun, and easier to learn things in this way, as opposed to sitting through a static presentation or watching someone on a video and trying to learn the skill passively.

Athena—the in-game advisor.

Q: What kinds of insights and reporting capability can Project Ares deliver to cyber team supervisors and C-Suite leaders to help them assess cyber readiness?

A: Project Ares offers a couple great features that are good for managers, all the way up to the C-Suite, who are trying to understand how their cybersecurity team is doing. The first one is called Project Ares Trainer View. This is where a supervisor or manager can jump into the Project Ares environment, with the students or with the enterprise team members, and observe in a couple of different ways.

The instructor or the manager can jump into the environment as Athena, so the user doesn’t know that they are there. They can then provide additional insight or help that is needed to a student. A supervisor or leader can also jump in as the opponent, which gives them the ability to see someone who is just breezing by everything and maybe make it a little more challenging. Or they can just observe and leave comments for the individuals. This piece is really helpful when we’re talking about managers who are looking to understand their team’s skill level in much more detail.

The other piece of this is a product we have coming out soon called Dendrite—an analytics tool that looks at everything that happens at Project Ares. We record all the key strokes and chats a user had with Athena or with any other team members while in a mission or battle room. Cyber team leads can then see what’s going on. Users can see what they’re doing well, and not doing well. This feedback can be provided up to the manager level, the senior manager level, and even to the C-Suite level to demonstrate exactly where that individual is in their particular skill path. It helps the cyber team leads understand what tools are being used appropriately and which tools are not being used appropriately.

For example, if you’re a financial institution and you paid quite a bit of money for Tanium, but upon viewing tool use in Dendrite you find that no one is using it, it might prompt you to rethink your strategy on how to use tools in your organization or look at how you train your folks to use those tools. These types of insights are absolutely critical if you want to understand the best way to grow the individual in cybersecurity and make sure they’re really on top of their game.

The Dendrite assessment and analysis solution.

Q: How can non-technical employees improve their cyber readiness?

A: At Circadence, we don’t just provide learning capabilities for advanced cyber warriors. For mid-range people just coming into the technical side of cybersecurity, we have an entire learning path that starts with a product called inCyt. Now, inCyt is a very fun browser-based game of strategy where players have some hackable devices they must protect—like operating systems and phones. Meanwhile, your opponent has the same objective: protect their devices from attacks. Players continually hack each other by gathering intel on their opponent and then launching different cyberattacks. While they’re doing this, players get a fundamental understanding of the cyber kill chain. They learn things like what reconnaissance means to a hacker, what weaponizing means to a hacker, what deploying that weapon means to a hacker, so they can start to recognize that behavior in their everyday interactions online.

Some people ask why this is important and I always say, “I used to be a bomb technician, and there is no possible way I could defuse an IED or nuclear weapon without understanding how those things are put together.” It’s the same kind of concept.

It’s impossible to assume that someone is going to learn cyber awareness by answering some questions or watching a five-minute phishing tutorial after they have already clicked a link in a suspicious email. Those are very reactive ways of learning cyber. inCyt is very proactive. And we want to teach you in-depth understanding of what to look for, not just for phishing but for all the attacks we’re susceptible to. inCyt is also being used by some of our customers as a preliminary gate track for those who are interested in cybersecurity. So if you demonstrate a very high aptitude within inCyt, we would send you over to our CyberBridge portal where you can start learning some of the basics of cybersecurity to see if it might be the right field for you. Within our CyberBridge access management portal, you can then go into Project Ares Academy, which is just a lighter version of Project Ares.

Professional and Enterprise licenses in Project Ares pave more intricate learning pathways for people to advance in learning, from novice to expert cyber defender. You’ll be able to track all metrics of where you started, how far you came, what kind of skill path you’re on, and what kind of skill path you want to be on. Very crucial items for your own work role pathway.

How to close the cybersecurity talent gap

Keenan’s perspective and the solution offered by Project Ares really help us understand how to train security professionals and give them the hands-on experience they require and want. We’re in interesting times, right? With innovations in machine learning and artificial intelligence (AI), we’re increasingly able to pivot from reactive cyber defense to get more predictive. Still, right now we’re facing a cybersecurity talent gap of up to 4 million people, depending on which analyst group you follow. The only way that we’re going to get folks interested in cybersecurity is to make it exactly what we have been talking about: a career-long opportunity to learn.

Make it something that they can attain, they can grow in, and see themselves going from a novice to a leader in an organization. This is tough right now because there are relatively few cybersecurity operators compared to demand, and the operators on the front lines are subject to burnout. With uncertain and undefined career paths beyond tactical SecOps, what is there to look forward to?

We need to get better as a community in cybersecurity, not only to protect the cybersecurity defenders that we have already, but also to help bring in new cybersecurity defenders and offenders who are really going to push the boundaries of where we’re at today. This is where we have an excellent and transformational opportunity to introduce more immersive and gamified learning to improve the learning experience and put our people in a position to succeed.

Learn more

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligence security solutions, see Achieve an optimal state of Zero Trust.

You can also watch my full interview with Keenan.

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Rethinking cyber learning—consider gamification appeared first on Microsoft Security.

Zero Trust strategy—what good looks like

November 11th, 2019

Zero Trust has managed to both inspire and confuse the cybersecurity industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy (and arguably the first formal strategy, as I recently heard Dr. Chase Cunningham, Principal Analyst at Forrester, aptly point out).

Microsoft believes that the Zero Trust strategy should be woven throughout your organization’s architectures, technology selections, and operational processes, as well as throughout the culture of your organization and the mindset of your people.

Zero Trust will build on many of your existing security investments, so you may already have made progress on this journey. Microsoft is publishing learnings and guidance from many perspectives to help organizations understand, anticipate, and manage the implications of this new strategy. This guidance will continue to grow as we learn more. A few highlights include:

In previous posts of this series, we described Microsoft’s vision for an optimal Zero Trust model and the journey of our own IT organization from classic enterprise security to Zero Trust. Today, we focus on what a good strategy looks like and recommended prioritization (with a bit of history for context).

Zero Trust security continuously validates trustworthiness of each entity in your enterprise (identities, applications and services, devices) starting each with a trust level of zero.

Evolution of security strategy

The central challenge of cybersecurity is that the IT environment we defend is highly complex, leading security departments (often with limited budgets/resources) to find efficient ways to mitigate risk of advanced, intelligent, and continuously evolving attackers.

Most enterprises started with the use of a “trusted enterprise network,” but have since found fundamental limitations of that broad trust approach. This creates a natural pressure to remove the “shortcut” of a trusted enterprise network and do the hard work of measuring and acting on the trustworthiness of each entity.

Network or identity? Both (and more)!

The earliest coherent descriptions of the Zero Trust idea can be traced to proposals in the wake of the major wave of cybersecurity attacks. Beginning in the early 2000s, businesses and IT organizations were rocked by worms like ILOVEYOU, Nimda, and SQL Slammer. While painful, these experiences were a catalyst for positive security initiatives like Microsoft’s Security Development Lifecycle (SDL) and began serious discussions on improving computer security. The strategy discussions during this timeframe formed into two main schools of thought—network and identity:

  • Network—This school of thought doubled down on using network controls for security by creating smaller network segments and measuring trust of devices before network controls allow access to resources. While promising, this approach was highly complex and saw limited uptake outside a few bright spots like Google’s BeyondCorp.
  • Identity—Another approach, advocated by the Jericho Forum, pushed to move away from network security controls entirely with a “de-perimeterisation” approach. This approach was largely beyond the reach of technology available at the time but planted important seeds for the Zero Trust of today.

Microsoft ultimately recommends an approach that includes both schools of thought and leverages the transformation of the cloud to mitigate risk spanning the modern assets and (multiple generations of) legacy technology in most enterprises.

Prioritizing and planning Zero Trust

Microsoft recommends rigorous prioritization of Zero Trust efforts to maximize security return on investment (ROI). This default prioritization is based on learnings from our experience, our customers, and others in the industry.

  1. Align strategies and teams—Your first priority should be to get all the technical teams on the same page and establish a single enterprise segmentation strategy aligned to business needs. We often find that network, identity, and application teams each have different approaches of logically dividing up the enterprise that are incompatible with each other, creating confusion and conflict. See the CISO workshop video, Module 3 Part 3: Strategy and Priorities, for more discussion of this topic.
  2. Build identity-based perimeter—Starting immediately (in parallel to priority #1), your organization should adopt identity controls like Multi-Factor Authentication (MFA) and passwordless to better protect your identities. You should quickly grow this into a phased plan that measures (and enforces) trustworthiness of users and devices accessing resources, and eventually validating trust of each resource being accessed. See the CISO workshop video, Module 3 Part 6: Build an Identity Perimeter, for more information on identity perimeters.
  3. Refine network perimeter—The next priority is to refine your network security strategy. Depending on your current segmentation and security posture, this could include:
    • Basic segmentation/alignment—Adopt a clear enterprise segmentation model (built in #1) from a “flat network” or fragmented/non-aligned segmentation strategy. Implementing this is often a significant undertaking that requires extensive discovery of assets and communication patterns to limit operational downtime. It’s often easier to do this as you migrate to the cloud (which naturally includes this discovery) than it is to retrofit to an existing on-premises environment.
    • Micro-segmenting datacenter—Implement increasingly granular controls on your datacenter network to increase attacker cost. This requires detailed knowledge of applications in the datacenter to avoid operational downtime. Like basic segmentation, this can be added during a cloud migration or a net new cloud deployment more easily than it can be retrofitted to an on-premises datacenter.
    • Internet first clients—A simple but significant shift is when you move client endpoints from being on the internet part-time to full-time (versus sometimes on corporate network and sometimes remote). This is a straightforward concept, but it requires having already established a strong identity perimeter, strong endpoint security and management over the internet, publishing legacy applications to your internet clients, dedicated administrative workstations, and potentially other initiatives before “rolling back” the firewalls from clients.

What good looks like

Zero Trust is a model that will ultimately be infused throughout your enterprise and should inform virtually all access decisions and interactions between systems.

Expanding on the three principles of Zero Trust from the Zero Trust vision paper—Verify Explicitly, Least Privilege Access, and Assume Breach—the hallmarks of a good enterprise Zero Trust strategy include:

  • Continuously measure trust and risk—Ensure all users and devices attempting to access resources are validated as trustworthy enough to access the target resource (based on sensitivity of target resource). As technology becomes available to do it, you should also validate the trustworthiness of the target resources.
  • Enterprise-wide consistency—Ensure that you have a single Zero Trust policy engine to consistently apply your organization’s policy to all of your resources (versus multiple engines whose configuration could diverge). Most organizations shouldn’t expect to cover all resources immediately but should invest in technology that can apply policy to all modern and legacy assets.
  • Enable productivity—For successful adoption and usage, ensure that both security and business productivity goals are appropriately represented in the policy. Make sure to include all relevant business, IT, and security stakeholders in policy design and refine the policy as the needs of the organization and threat landscape evolve. For more information, see Meet Productivity and Security Goals.
  • Maximize signal to increase cost of attack—The more measurements you include in a trust decision—which reflect good/normal behavior—the more difficult/expensive it is for attackers to mimic legitimate sign-ins and activities, deterring or degrading an attacker’s ability to damage your organization.
  • Fail safe—The system operation should always stay in a safe state, even after a failed/incorrect decision (for example, preserve life/safety and business value via confidentiality, integrity, and availability assurances). Consider the possible and likely failures (for example, mobile device unavailable or biometrics unsuccessful) and design fallbacks to safely handle failures for both:
    • Security (for example, detection and response processes).
    • Productivity (remediation mechanisms via helpdesk/support systems).
  • Contain risk of attacker movement into smaller zones—This is particularly important when you’re reliant on legacy/static controls that cannot dynamically measure and enforce trustworthiness of inbound access attempts (for example, static network controls for legacy applications/servers/devices).
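
Several of these hallmarks can be seen together in one access decision: trust starts at zero, each signal that passes adds to it, the bar rises with the sensitivity of the target resource, and a missing signal or an unknown label leads to a safe fallback instead of an implicit allow. The sketch below is an added example, not Microsoft's policy engine or any product API; the signal names, weights, thresholds and remediation strings are hypothetical.

```python
# Hypothetical signal weights: a check that passed adds trust, anything else adds none.
SIGNAL_WEIGHTS = {
    "mfa_passed": 40,
    "device_compliant": 30,
    "low_sign_in_risk": 15,
    "familiar_location": 15,
}

# Hypothetical trust required for each resource sensitivity label.
REQUIRED_TRUST = {"low": 40, "medium": 70, "high": 100}


def decide(signals, sensitivity):
    """Evaluate one access request.

    `signals` maps a signal name to True (passed), False (failed) or
    None / absent (could not be measured, e.g. the phone used for MFA is unavailable).
    """
    trust = 0  # every request starts with a trust level of zero
    missing, failed = [], []
    for name, weight in SIGNAL_WEIGHTS.items():
        value = signals.get(name)
        if value is True:
            trust += weight
        elif value is None:
            missing.append(name)   # unmeasured is never counted as passed
        else:
            failed.append(name)

    # Fail safe: an unknown sensitivity label is held to the strictest bar.
    required = REQUIRED_TRUST.get(sensitivity, max(REQUIRED_TRUST.values()))

    if trust >= required:
        decision, next_step = "allow", None
    elif failed:
        # A check actively failed: block, and route the user to remediation.
        decision, next_step = "deny", "helpdesk remediation for: " + ", ".join(failed)
    else:
        # Nothing failed, signals are just missing: offer a fallback verification.
        decision, next_step = "step_up", "fallback verification for: " + ", ".join(missing)

    # Everything needed by detection and response is returned for logging.
    return {
        "decision": decision,
        "trust": trust,
        "required": required,
        "missing": missing,
        "failed": failed,
        "next_step": next_step,
    }


if __name__ == "__main__":
    # Constructed request: MFA could not be completed, other signals are good.
    request = {
        "mfa_passed": None,
        "device_compliant": True,
        "low_sign_in_risk": True,
        "familiar_location": True,
    }
    for label in ("low", "medium", "high"):
        print(label, decide(request, label))
```

The same request is allowed for a low-sensitivity resource and sent to step-up verification for the others, which is the "trustworthy enough for the target resource" comparison in the first hallmark.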

Into the future

Over time, we expect Zero Trust will become accepted and commonplace where people simply learn it in “Security 101” (much like the least privilege principle today). Zero Trust is expected to evolve as we all become more comfortable with what this new normal entails and have ideas on how to optimize efficiency and address the attackers’ ongoing attempts to find a chink in the new armor.

Learn more

Our next blog will discuss how to make Zero Trust real in your enterprise starting with technology available today, which you may already have deployed or have access to! In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust strategy—what good looks like appeared first on Microsoft Security.

How to balance compliance and security with limited resources

November 5th, 2019

Today, many organizations still struggle to adhere to General Data Protection Regulation (GDPR) mandates even though this landmark regulation took effect nearly two years ago. A key learning for some: being compliant does not always mean you are secure. Shifting privacy regulations, combined with limited resources like budgets and talent shortages, add to today’s business complexities. I hear this concern time and again as I travel around the world meeting with our customers to share how Microsoft can empower organizations successfully through these challenges.

Most recently, I sat down with Emma Smith, Global Security Director at Vodafone Group to talk about their own best practices when navigating the regulatory environment. Vodafone Group is a global company with mobile operations in 24 countries and partnerships that extend to 42 more. The company also operates fixed broadband operations in 19 markets, with about 700 million customers. This global reach means they must protect a significant amount of data while adhering to multiple requirements.

Emma and her team have put a lot of time and effort into the strategies and tactics that keep Vodafone and its customers compliant no matter where they are in the world. They’ve learned a lot in this process, and she shared these learnings with me as we discussed the need for organizations to be both secure and compliant, in order to best serve our customers and maintain their trust. You can watch our conversation and hear more in our CISO Spotlight episode.

Cybersecurity enables privacy compliance

As you work to balance compliance with security, keep in mind that, as Emma said, “There is no privacy without security.” If you have separate teams for privacy and security, it’s important that they’re strategically aligned. People only use technology and services they trust, which is why privacy and security go hand in hand.

Vodafone did a security and privacy assessment across all their big data stores to understand where the high-risk data lives and how to protect it. They were then able to implement the same controls for privacy and security. It’s also important to recognize that you will never be immune from an attack, but you can reduce the damage.

Emma offered three recommendations for balancing security with privacy compliance:

  • Develop a risk framework so you can prioritize your efforts.
  • Communicate regularly with the board and executive team to align on risk appetite.
  • Establish the right security capabilities internally and/or through a mix of partners and third parties.

I couldn’t agree more, as these are also important building blocks for any organization as they work to become operationally resilient.

I also asked Emma for her top five steps for becoming compliant with privacy regulations:

  • Comply with international standards first, then address local rules.
  • Develop a clear, board-approved strategy.
  • Measure progress against your strategy.
  • Develop a prioritized program of work with clear outcomes.
  • Stay abreast of new technologies and new threats.

The simplest way to manage your risk is to minimize the amount of data that you store. Privacy assessments will help you know where the data is and how to protect it. Regional and local laws can provide tools to guide your standards. Protecting online privacy and personal data is a big responsibility, but with a risk management approach, you can go beyond the “letter of the law” to better safeguard data and support online privacy as a human right.

Learn more

Watch my conversation with Emma about balancing security with privacy compliance. To learn more about compliance and GDPR, read Microsoft Cloud safeguards individual privacy.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to balance compliance and security with limited resources appeared first on Microsoft Security.

Microsoft’s 4 principles for an effective security operations center

October 15th, 2019

The Microsoft Cyber Defense Operations Center (CDOC) fields trillions of security signals every day. How do we identify and respond to the right threats? One thing that won’t surprise you: we leverage artificial intelligence (AI), machine learning, and automation to narrow the focus. But technology is not enough. Our people, culture, and process are just as critical.

You may not have trillions of signals to manage, but I bet you will still get a lot of value from a behind-the-scenes look at the CDOC. Even the small companies that I’ve worked with have improved the effectiveness of their security operations centers (SOCs) based on learnings from Microsoft.

Watch the operations episode of the CISO Spotlight Series—The people behind the cloud to get my take and a sneak peek at our team in action. In the video, I walk you through four principles:

  1. It starts with assessment.
  2. Invest in the right technology.
  3. Hire a diverse group of people.
  4. Foster an innovative culture.

It starts with assessment

Before you make any changes, it helps to identify the gaps in your current security system. Take a look at your most recent attacks to see if you have the right detections in place. Offense should drive your defenses. For example:

  • Has your organization been victim to password spray attacks?
  • Have there been brute force attacks against endpoints exposed to the internet?
  • Have you uncovered advanced persistent threats?

Understanding where your organization is vulnerable will help you determine what technology you need. If you need further help, I would suggest using the MITRE ATT&CK Framework.

Invest in the right technology

As you evaluate technology solutions, think of your security operations as a funnel. At the very top are countless threat signals. There is no way your team can address all of them. This leads to employee burnout and puts the organization at risk. Aim for automation to handle 20-25 percent of incoming events. AI and machine learning can correlate signals, enrich them with other data, and resolve known incidents.

Invest in good endpoint detection, network telemetry, a flexible security incident and event management system (SIEM) like Azure Sentinel, and cloud workload protection solutions. The right technology will reduce the volume of signals that filter down to your people, empowering them to focus on the problems that machines can’t solve.

Hire a diverse group of people

The people you hire matter. I attribute much of our success to the fact that we hire people who love to solve problems. You can model this approach in your SOC. Look for computer scientists, security professionals, and data scientists—but also try to find people with nontraditional backgrounds like military intelligence, law enforcement, and liberal arts. People with a different perspective can introduce creative ways of looking at a problem. For example, Microsoft has had a lot of success with veterans from the military.

I also recommend organizing your SOC into specialized, tiered teams. It gives employees a growth path and allows them to focus on areas of expertise. Microsoft uses a three-tiered approach:

  • Tier 1 analysts—These analysts are the front line. They manage the alerts generated by our SIEM and focus on high-speed remediation over a large number of events.
  • Tier 2 analysts—This team tackles alerts that require a deeper level of analysis. Many of these events have been escalated up from Tier 1, but Tier 2 analysts also monitor alerts to identify and triage the complex cases.
  • Tier 3 analysts—These are the threat hunters. They use sophisticated tools to proactively uncover advanced threats and hidden adversaries.

For a more detailed look at how Microsoft has structured our team, read Lessons learned from the Microsoft SOC—Part 2a: Organizing people.

Foster an innovative culture

Culture influences SOC performance by guiding how people treat each other and approach their work. Well-defined career paths and roles are one way to influence your culture. People want to know how their work matters and contributes to the organization. As you build your processes and team, consider how you can encourage innovation, diversity, and teamwork.

Read how the CDOC creates culture in Lessons learned from the Microsoft SOC—Part 1.

Learn more

To learn more about how to run an effective SOC:

The post Microsoft’s 4 principles for an effective security operations center appeared first on Microsoft Security.