Archive

Archive for the ‘Security strategies’ Category

Managing cybersecurity like a business risks: Part 1—Modeling opportunities and threats

May 28th, 2020 No comments

In recent years, cybersecurity has been elevated to a C-suite and board-level concern. This is appropriate given the stakes. Data breaches can have significant impact on a company’s reputation and profits. But, although businesses now consider cyberattacks a business risk, management of cyber risks is still siloed in technology and often not assessed in terms of other business drivers. To properly manage cybersecurity as a business risk, we need to rethink how we define and report on them.

The blog series, “Managing cybersecurity like a business risk,” will dig into how to update the cybersecurity risk definition, reporting, and management to align with business drivers. In today’s post, I’ll talk about why we need to model both opportunities as well as threats when we evaluate cyber risks. In future blogs, I’ll dig into some reporting tools that businesses can use to keep business leaders informed.

Digital transformation brings both opportunities and threats

Technology innovations such as artificial intelligence (AI), the cloud, and the internet of things (IoT) have disrupted many industries. Much of this disruption has been positive for businesses and consumers alike. Organizations can better tailor products and services to targeted segments of the population, and businesses have seized on these opportunities to create new business categories or reinvent old ones.

These same technologies have also introduced new threats. Legacy companies risk losing loyal customers by exploiting new markets. Digital transformation can result in a financial loss if big bets don’t pay off. And of course, as those of us in cybersecurity know well, cybercriminals and other adversaries have exploited the expanded attack surface and the mountains of data we collect.

The threats and opportunities of technology decisions are intertwined, and increasingly they impact not just operations but the core business. Too often decisions about digital transformation are made without evaluating cyber risks. Security is brought in at the very end to protect assets that are exposed. Cyber risks are typically managed from a standpoint of loss aversion without accounting for the possible gains of new opportunities. This approach can result in companies being either too cautious or not cautious enough. To maximize digital transformation opportunities, companies need good information that helps them take calculated risks.

It starts with a SWOT analysis

Threats and opportunities are external forces that may be factors for a company and all its competitors. One way to determine how your company should respond is by also understanding your weaknesses and strengths, which are internal factors.

  • Strengths: Characteristics or aspects of the organization or product that give it a competitive edge.
  • Weaknesses: Characteristics or aspects of the organization or product that puts it at a disadvantage compared to the competition.
  • Opportunities: Market conditions that could be exploited for benefit.
  • Threats: Market conditions that could cause damage or harm.

To crystallize these concepts, let’s consider a hypothetical brick and mortar retailer in the U.K. that sells stylish maternity clothes at an affordable price. In Europe, online retail is big business. Companies like ASOS and Zalando are disrupting traditional fashion. If we apply a SWOT analysis to them, it might look something like this.

  • Strength: Stylish maternity clothes sold at an affordable price, loyal referral-based clientele.
  • Weakness: Only available through brick and mortar stores, lack technology infrastructure to quickly go online, and lack security controls.
  • Opportunity: There is a market for these clothes beyond the U.K.
  • Threats: Retailers are a target for cyberattacks, customers trends indicate they will shop less frequently at brick and mortar stores in the future.

For this company, there isn’t an obvious choice. The retailer needs to figure out a way to maintain the loyalty of its current customers while preparing for a world where in-person shopping decreases. Ideally the company can use its strengths to overcome its weaknesses and confront threats. For example, the company’s loyal clients that already refer a lot of business could be incented to refer business via online channels to grow business. The company may also recognize that building security controls into an online business from the ground up is critical and take advantage of its steady customer base to buy some time and do it right.

Threat modeling and opportunity modeling paired together can help better define the potential gains and losses of different approaches.

Opportunity and threat modeling

Many cybersecurity professionals are familiar with threat modeling, which essentially poses the following questions, as recommended by the Electronic Frontier Foundation.

  • What do you want to protect?
  • Who do you want to protect it from?
  • How likely is it that you will need to protect it?
  • How bad are the consequences if you fail?
  • How much trouble are you willing to go through in order to try to prevent those?

But once we’ve begun to consider not just the threats but the opportunities available in each business decision, it becomes clear that this approach misses half the equation. Missed opportunity is a risk that isn’t captured in threat modeling. This is where opportunity modeling becomes valuable. Some of my thinking around opportunity modeling was inspired by a talk by John Sherwood at SABSA, and he suggested the following questions to effectively model opportunity:

  • What is the value of the asset you want to protect?
  • What is the potential gain of the opportunity?
  • How likely is it that the opportunity will be realized?
  • How likely is it that a strength be exploited?

This gives us a framework to consider the risk from both a threat and opportunity standpoint. Our hypothetical retailer knows it wants to protect the revenue generated by the current customers and referral model, which is the first question on each model. The other questions help quantify the potential loss if threats materialize and the potential gains of opportunities are realized. The company can use this information to better understand the ratio of risk to reward.

It’s never easy to make big decisions in light of potential risks, but when decisions are informed by considering both the potential gains and potential losses, you can also better define a risk management strategy, including the types of controls you will need to mitigate your risk.

In my next post in the “Managing cybersecurity like a business risk” series, I’ll review some qualitative and quantitative tools you can use to manage risk.

Read more about risk management from SABSA.  To learn more about Microsoft security solutions visit our website. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Managing cybersecurity like a business risks: Part 1—Modeling opportunities and threats appeared first on Microsoft Security.

Protect your accounts with smarter ways to sign in on World Passwordless Day

May 7th, 2020 No comments

As the world continues to grapple with COVID-19, our lives have become increasingly dependent on digital interactions. Operating at home, we’ve had to rely on e-commerce, telehealth, and e-government to manage the everyday business of life. Our daily online usage has increased by over 20 percent. And if we’re fortunate enough to have a job that we can do from home, we’re accessing corporate apps from outside the company firewall.

Whether we’re signing into social media, mobile banking, or our workplace, we’re connecting via online accounts that require a username and password. The more we do online, the more accounts we have. It becomes a hassle to constantly create new passwords and remember them. So, we take shortcuts. According to a Ponemon Institute study, people reuse an average of five total passwords, both business and personal. This is one aspect of human nature that hackers bet on. If they get hold of one password, they know they can use it pry open more of our digital lives. A single compromised password, then, can create a chain reaction of liability.

No matter how strong or complex a password is, it’s useless if a bad actor can socially engineer it away from us or find it on the dark web. Plus, passwords are inconvenient and a drain on productivity. People spend hours each year signing into applications and recovering or resetting forgotten usernames and passwords. This activity doesn’t make things more secure. It only drives up the costs of service desks.

People today are done with passwords

Users want something easier and more convenient. Administrators want something more secure. We don’t think anyone finds passwords a cause to celebrate. That’s why we’re helping organizations find smarter ways to sign in that users will love and hackers will hate. Our hope is that instead of World Password Day, we’ll start celebrating World Passwordless Day.

Passwordless Day Infographic

  • People reuse an average of five passwords across their accounts, both business and personal (Ponemon Institute survey/Yubico).
  • Average person has 90 accounts (Thycotic).
  • Fifty-five percent would prefer a method of protecting accounts that doesn’t involve passwords (Ponemon Institute survey/Yubico).
  • Sixty-seven percent of American consumers surveyed by Visa have used biometric authentication and prefer it to passwords.
  • One-hundred million to 150 million people using a passwordless method each month (Microsoft research, April 2020).

Since an average of one in every 250 corporate accounts is compromised each month, we know that relying on passwords isn’t a good enterprise defense strategy. As companies continue to add more business applications to their portfolios, the cost of passwords only goes up. In fact, companies are dedicating 30 to 60 percent of their support desk calls to password resets. Given how ineffective passwords can be, it’s surprising how many companies haven’t turned on multi-factor authentication (MFA) for their customers or employees.

Passwordless technology is here—and users are adopting it as the best experience for strong authentication. Last November at Microsoft Ignite, we shared that more than 100 million people were already signing in using passwordless methods each month. That number has now reached over 150 million people. According to our recent survey, the use of biometrics

We now have the momentum to push forward initiatives that increase security and reduce cost. New passwordless technologies give users the benefits of MFA in one gesture. To sign in securely with Windows Hello, all you have to do is show your face or press your finger. Microsoft has built support for passwordless authentication into our products and services, including Office, Azure, Xbox, and Github. You don’t even need to create a username anymore—you can use your phone number instead. Administrators can use single sign-on in Azure Active Directory (Azure AD) to enable passwordless authentication for an unlimited number of apps through native functionality in Windows Hello, the phone-as-a-token capabilities in the Microsoft Authenticator app, or security keys built using the FIDO2 open standards.

Of course, we would never advise our customers to try anything we haven’t tried ourselves. We’re always our own first customer. Microsoft’s IT team switched to passwordless authentication and now 90 percent of Microsoft employees sign in without entering a password. As a result, hard and soft costs of supporting passwords fell by 87 percent. We expect other customers will experience similar benefits in employee productivity improvements, lower IT costs, and a stronger security posture. To learn more about our approach, watch the CISO spotlight episode with Bret Arsenault (Microsoft CISO) and myself. By taking this approach 18 months ago, we were better set up for seamless secure remote work during COVID 19.

For many of us, working from home will be a new norm for the foreseeable future. We see many opportunities for using passwordless methods to better secure digital accounts that people rely on every day. Whether you’re protecting an organization or your own digital life, every step towards passwordless is a step towards improving your security posture. Now let’s embrace the world of passwordless!

Related articles

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Protect your accounts with smarter ways to sign in on World Passwordless Day appeared first on Microsoft Security.

How to gain 24/7 detection and response coverage with Microsoft Defender ATP

May 6th, 2020 No comments

This blog post is part of the Microsoft Intelligence Security Association guest blog series. To learn more about MISA, go here.

Whether you’re a security team of one or a dozen, detecting and stopping threats around the clock is a challenge. Security incidents don’t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment.

At Red Canary, we work with security teams of all shapes and sizes to improve detection and response capabilities. Our Security Operations Team investigates threats in customer environments 24/7/365, removes false positives, and delivers confirmed threats with context. We’ve seen teams run into a wide range of issues when trying to establish after-hours coverage on their own, including:

  • For global enterprises, around-the-clock monitoring can significantly increase the pressure on a U.S.–based security team. If you have personnel around the world, a security team in a single time zone isn’t sufficient to cover the times that computing assets are used in those environments.
  • In smaller companies that don’t have global operations, the security team is more likely to be understaffed and unable to handle 24/7 security monitoring without stressful on-call schedules.
  • For the security teams of one, being “out of office” is a foreign concept. You’re always on. And you need to set up some way to monitor the enterprise while you’re away.

Microsoft Defender Advanced Threat Protection (ATP) is an industry leading endpoint security solution that’s built into Windows with extended capabilities to Mac and Linux servers. Red Canary unlocks the telemetry delivered from Microsoft Defender ATP and investigates every alert, enabling you to immediately increase your detection coverage and waste no time with false positives.

Here’s how those who haven’t started with Red Canary yet can answer the question, “How can I support my 24/7 security needs with Microsoft Defender ATP?”

No matter how big your security team is, the most important first step is notifying the right people based on an on-call schedule. In this post, we’ll describe two different ways of getting Microsoft Defender ATP alerts to your team 24×7 and how Red Canary has implemented this for our customers.

Basic 24/7 via email

Microsoft Defender Security Center allows you to send all Microsoft Defender ATP alerts to an email address. You can set up email alerts under Settings → Alert notifications.

MISA1

Email notification settings in Microsoft Defender Security Center.

These emails will be sent to your team and should be monitored for high severity situations after-hours.

If sent to a ticketing system, these emails can trigger tickets or after-hours pages to be created for your security team. We recommend limiting the alerts to medium and high severity so that you won’t be bothered for informational or low alerts.

MISA2

Setting up alert emails in Microsoft Defender ATP to be sent to a ticketing system.

Now any future alerts will create a new ticket in your ticketing system where you can assign security team members to on-call rotations and notify on-call personnel of new alerts (if supported). Once the notification is received by on-call personnel, they would then log into Microsoft Defender’s Security Center for further investigation and triage. 

Enhanced 24/7 via APIs

What if you want to ingest alerts to a system that doesn’t use email? You can do this by using the Microsoft Defender ATP APIs. First, you’ll need to have an authentication token. You can get the token like we do here:

MISA3

API call to retrieve authentication token.

Once you’ve stored the authentication token you can use it to poll the Microsoft Defender ATP API and retrieve alerts from Microsoft Defender ATP. Here’s an example of the code to pull new alerts.

MISA4

API call to retrieve alerts from Microsoft Defender ATP.

The API only returns a subset of the data associated with each alert. Here’s an example of what you might receive.

MISA5

Example of a Microsoft Defender ATP alert returned from the API.

You can then take this data and ingest it into any of your internal tools. You can learn more about how to access Microsoft Defender ATP APIs in the documentation. Please note, the limited information included in an alert email or API response is not enough to triage the behavior. You will still need to log into the Microsoft Defender Security Center to find out what happened and take appropriate action.

24/7 with Red Canary

By enabling Red Canary, you supercharge your Microsoft Defender ATP deployment by adding a proven 24×7 security operations team who are masters at finding and stopping threats, and an automation platform to quickly remediate and get back to business.

Red Canary continuously ingests all of the raw telemetry generated from your instance of Microsoft Defender ATP as the foundation for our service. We also ingest and monitor Microsoft Defender ATP alerts. We then apply thousands of our own proprietary analytics to identify potential threats that are sent 24/7 to a Red Canary detection engineer for review.

Here’s an overview of the process (to go behind the scenes of these operations check out our detection engineering blog series):

MISA6

Managed detection and response with Red Canary.

Red Canary is monitoring your Microsoft Defender ATP telemetry and alerts. If anything is a confirmed threat, our team creates a detection and sends it to you using a built-in automation framework that supports email, SMS, phone, Microsoft Teams/Slack, and more. Below is an example of what one of those detections might look like.

MISA7

Red Canary confirms threats and prioritizes them so you know what to focus on.

At the top of the detection timeline you’ll receive a short description of what happened. The threat has already been examined by a team of detection engineers from Red Canary’s Cyber Incident Response Team (CIRT), so you don’t have to worry about triage or investigation. As you scroll down, you can quickly see the results of the investigation that Red Canary’s senior detection engineers have done on your behalf, including detailed notes that provide context to what’s happening in your environment:

MISA8

Notes from Red Canary senior detection engineers (in light blue) provide valuable context.

You’re only notified of true threats and not false positives. This means you can focus on responding rather than digging through data to figure out what happened.

What if you don’t want to be woken up, you’re truly unavailable, or you just want bad stuff immediately dealt with? Use Red Canary’s automation to handle remediation on the fly. You and your team can create playbooks in your Red Canary portal to respond to threats immediately, even if you’re unavailable.

MISA9

Red Canary automation playbook.

This playbook allows you to isolate the endpoint (using the Machine Action resource type in the Microsoft Defender ATP APIs) if Red Canary identifies suspicious activity. You also have the option to set up Automate playbooks that depend on an hourly schedule. For example, you may want to approve endpoint isolation during normal work hours, but use automatic isolation overnight:

MISA10

Red Canary Automate playbook to automatically remediate a detection.

Getting started with Red Canary

Whether you’ve been using Microsoft Defender ATP since it’s preview releases or if you’re just getting started, Red Canary is the fastest way to accelerate your security operations program. Immediate onboarding, increased detection coverage, and a 24/7 CIRT team are all at your fingertips.

Terence Jackson, CISO at Thycotic and Microsoft Defender ATP user, describes what it’s like working with Red Canary:

“I have a small team that has to protect a pretty large footprint. I know the importance of detecting, preventing, and stopping problems at the entry point, which is typically the endpoint. We have our corporate users but then we also have SaaS customers we have to protect. Currently my team tackles both, so for me it’s simply having a trusted partner that can take the day-to-day hunting/triage/elimination of false positives and only provide actionable alerts/intel, which frees my team up to do other critical stuff.”

Red Canary is the fastest way to enhance your detection coverage from Microsoft Defender ATP so you know exactly when and where to respond.

Contact us to see a demo and learn more.

The post How to gain 24/7 detection and response coverage with Microsoft Defender ATP appeared first on Microsoft Security.

Protecting your organization against password spray attacks

April 23rd, 2020 No comments

When hackers plan an attack, they often engage in a numbers game. They can invest significant time pursing a single, high-value target—someone in the C-suite for example and do “spear phishing.” Or if they just need low-level access to gain a foothold in an organization or do reconnaissance, they target a huge volume of people and spend less time on each one which is called “password spray.” Last December Seema Kathuria and I described an example of the first approach in Spear phishing campaigns—they’re sharper than you think! Today, I want to talk about a high-volume tactic: password spray.

In a password spray attack, adversaries “spray” passwords at a large volume of usernames. When I talk to security professionals in the field, I often compare password spray to a brute force attack. Brute force is targeted. The hacker goes after specific users and cycles through as many passwords as possible using either a full dictionary or one that’s edited to common passwords. An even more targeted password guessing attack is when the hacker selects a person and conducts research to see if they can guess the user’s password—discovering family names through social media posts, for example. And then trying those variants against an account to gain access. Password spray is the opposite. Adversaries acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords. Until they get a hit. This blog describes the steps adversaries use to conduct these attacks and how you can reduce the risk to your organization.

Three steps to a successful password spray attack

Step 1: Acquire a list of usernames

It starts with a list of accounts. This is easier than it sounds. Most organizations have a formal convention for emails, such as firstname.lastname@company.com. This allows adversaries to construct usernames from a list of employees. If the bad actor has already compromised an account, they may try to enumerate usernames against the domain controller. Or, they find or buy usernames online. Data can be compiled from past security breaches, online profiles, etc. The adversary might even get some verified profiles for free!

Step 2: Spray passwords

Finding a list of common passwords is even easier. A Bing search reveals that publications list the most common passwords each year. 123456, password, and qwerty are typically near the top. Wikipedia lists the top 10,000 passwords. There are regional differences that may be harder to discovery, but many people use a favorite sports teams, their state, or company as a password. For example, Seahawks is a popular password choice in the Seattle area. Once hackers do their research, they carefully select a password and try it against the entire list of accounts as shown in Figure 1. If the attack is not successful, they wait 30 minutes to avoid triggering a timeout, and then try the next password.

Protecting your organization against password spray attacks

Figure 1:  Password spray using one password across multiple accounts.

Step 3: Gain access

Eventually one of the passwords works against one of the accounts. And that’s what makes password spray a popular tactic—attackers only need one successful password + username combination. Once they have it, they can access whatever the user has access to, such as cloud resources on OneDrive. Or use the exploited account to do internal reconnaissance on the target network and get deeper into the systems via elevation of privilege.

Even if the vast majority of your employees don’t use popular passwords, there is a risk that hackers will find the ones that do. The trick is to reduce the number of guessable passwords used at your organization.

Configure Azure Active Directory (Azure AD) Password Protection

Azure AD Password Protection allows you to eliminate easily guessed passwords and customize lockout settings for your environment. This capability includes a globally banned password list that Microsoft maintains and updates. You can also block a custom list of passwords that are relevant to your region or company. Once enabled, users won’t be able to choose a password on either of these lists, making it significantly less likely that an adversary can guess a user’s password. You can also use this feature to define how many sign-in attempts will trigger a lockout and how long the lockout will last.

Simulate attacks with Office 365 Advanced Threat Protection (Office 365 ATP)

Attack Simulator in Office 365 ATP lets you run realistic, but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.

Begin your passwordless journey

The best way to reduce your risk of password spray is to eliminate passwords entirely. Solutions like Windows Hello or FIDO2 security keys let users sign in using biometrics and/or a physical key or device. Get started by enabling Multi-Factor Authentication (MFA) across all your accounts. MFA requires that users sign in with at least two authentication factors: something they know (like a password or PIN), something they are (such as biometrics), and/or something they have (such as a trusted device).

Learn more

We make progress in cybersecurity by increasing how much it costs the adversary to conduct the attack. If we make guessing passwords too hard, hackers will reduce their reliance on password spray.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. For more information about our security solutions visit our website. Or reach out to me on LinkedIn or Twitter.

The post Protecting your organization against password spray attacks appeared first on Microsoft Security.

Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry

April 22nd, 2020 No comments

Over the last fifteen years, attacks against critical infrastructure (figure1) have steadily increased in both volume and sophistication. Because of the strategic importance of this industry to national security and economic stability, these organizations are targeted by sophisticated, patient, and well-funded adversaries.  Adversaries often target the utility supply chain to insert malware into devices destined for the power grid. As modern infrastructure becomes more reliant on connected devices, the power industry must continue to come together to improve security at every step of the process.

Aerial view of port and freeways leading to downtown Singapore.

Figure 1: Increased attacks on critical infrastructure

This is the third and final post in the “Defending the power grid against supply chain attacks” series. In the first blog I described the nature of the risk. Last month I outlined how utility suppliers can better secure the devices they manufacture. Today’s advice is directed at the utilities. There are actions you can take as individual companies and as an industry to reduce risk.

Implement operational technology security best practices

According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of hacking-related breaches are the result of weak or compromised passwords. If you haven’t implemented multi-factor authentication (MFA) for all your user accounts, make it a priority. MFA can significantly reduce the likelihood that a user with a stolen password can access your company assets. I also recommend you take these additional steps to protect administrator accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to your administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

 

Image 2

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks. 

  • You also don’t want the occasional security mistake like clicking on a link when administrators are tired or distracted to compromise the workstation that has direct access to these critical systems.  Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

The following security best practices will also reduce your risk:

  • Whitelist approved applications. Define the list of software applications and executables that are approved to be on your networks. Block everything else. Your organization should especially target systems that are internet facing as well as Human-Machine Interface (HMI) systems that play the critical role of managing generation, transmission, or distribution of electricity
  • Regularly patch software and operating systems. Implement a monthly practice to apply security patches to software on all your systems. This includes applications and Operating Systems on servers, desktop computers, mobile devices, network devices (routers, switches, firewalls, etc.), as well as Internet of Thing (IoT) and Industrial Internet of Thing (IIoT) devices. Attackers frequently target known security vulnerabilities.
  • Protect legacy systems. Segment legacy systems that can no longer be patched by using firewalls to filter out unnecessary traffic. Limit access to only those who need it by using Just In Time and Just Enough Access principles and requiring MFA. Once you set up these subnets, firewalls, and firewall rules to protect the isolated systems, you must continually audit and test these controls for inadvertent changes, and validate with penetration testing and red teaming to identify rogue bridging endpoint and design/implementation weaknesses.
  • Segment your networks. If you are attacked, it’s important to limit the damage. By segmenting your network, you make it harder for an attacker to compromise more than one critical site. Maintain your corporate network on its own network with limited to no connection to critical sites like generation and transmission networks. Run each generating site on its own network with no connection to other generating sites. This will ensure that should a generating site become compromised, attackers can’t easily traverse to other sites and have a greater impact.
  • Turn off all unnecessary services. Confirm that none of your software has automatically enabled a service you don’t need. You may also discover that there are services running that you no longer use. If the business doesn’t need a service, turn it off.
  • Deploy threat protection solutions. Services like Microsoft Threat Protection help you automatically detect, respond to, and correlate incidents across domains.
  • Implement an incident response plan: When an attack happens, you need to respond quickly to reduce the damage and get your organization back up and running. Refer to Microsoft’s Incident Response Reference Guide for more details.

Speak with one voice

Power grids are interconnected systems of generating plants, wires, transformers, and substations. Regional electrical companies work together to efficiently balance the supply and demand for electricity across the nation. These same organizations have also come together to protect the grid from attack. As an industry, working through organizations like the Edison Electric Institute (EEI), utilities can define security standards and hold manufacturers accountable to those requirements.

It may also be useful to work with The Federal Energy Regulatory Committee (FERC), The North American Electric Reliability Corporation (NERC), or The United States Nuclear Regulatory Commission (U.S. NRC) to better regulate the security requirements of products manufactured for the electrical grid.

Apply extra scrutiny to IoT devices

As you purchase and deploy IoT devices, prioritize security. Be careful about purchasing products from countries that are motivated to infiltrate critical infrastructure. Conduct penetration tests against all new IoT and IIoT devices before you connect them to the network. When you place sensors on the grid, you’ll need to protect them from both cyberattacks and physical attacks. Make them hard to reach and tamper-proof.

Collaborate on solutions

Reducing the risk of a destabilizing power grid attack will require everyone in the utility industry to play a role. By working with manufacturers, trade organizations, and governments, electricity organizations can lead the effort to improve security across the industry. For utilities in the United States, several public-private programs are in place to enhance the utility industry capabilities to defend its infrastructure and respond to threats:

Read Part 1 in the series: “Defending the power grid against cyberattacks

Read “Defending the power grid against supply chain attacks: Part 2 – Securing hardware and software

Read how Microsoft Threat Protection can help you better secure your endpoints.

Learn how MSRC developed an incident response plan

Bookmark the Security blog to keep up with our expert coverage on security matters. For more information about our security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry appeared first on Microsoft Security.

How companies can prepare for a heightened threat environment

January 20th, 2020 No comments

With high levels of political unrest in various parts of the world, it’s no surprise we’re also in a period of increased cyber threats. In the past, a company’s name, political affiliations, or religious affiliations might push the risk needle higher. However, in the current environment any company could be a potential target for a cyberattack. Companies of all shapes, sizes, and varying security maturity are asking what they could and should be doing to ensure their safeguards are primed and ready. To help answer these questions, I created a list of actions companies can take and controls they can validate in light of the current level of threats—and during any period of heightened risk—through the Microsoft lens:

  • Implement Multi-Factor Authentication (MFA)—It simply cannot be said enough—companies need MFA. The security posture at many companies is hanging by the thread of passwords that are weak, shared across social media, or already for sale. MFA is now the standard authentication baseline and is critical to basic cyber hygiene. If real estate is “location, location, location,” then cybersecurity is “MFA, MFA, MFA.” To learn more, read How to implement Multi-Factor Authentication (MFA).
  • Update patching—Check your current patch status across all environments. Make every attempt to patch all vulnerabilities and focus on those with medium or higher risk if you must prioritize. Patching is critically important as the window between discovery and exploit of vulnerabilities has shortened dramatically. Patching is perhaps your most important defense and one that, for the most part, you control. (Most attacks utilize known vulnerabilities.)
  • Manage your security posture—Check your Secure Score and Compliance Score for Office 365, Microsoft 365, and Azure. Also, take steps to resolve all open recommendations. These scores will help you to quickly assess and manage your configurations. See “Resources and information for detection and mitigation strategies” below for additional information. (Manage your scores over time and use them as a monitoring tool for unexpected consequences from changes in your environment.)
  • Evaluate threat detection and incident response—Increase your threat monitoring and anomaly detection activities. Evaluate your incident response from an attacker’s perspective. For example, attackers often target credentials. Is your team prepared for this type of attack? Are you able to engage left of impact? Consider conducting a tabletop exercise to consider how your organization might be targeted specifically.
  • Resolve testing issues—Review recent penetration test findings and validate that all issues were closed.
  • Validate distributed denial of service (DDoS) protection—Does your organization have the protection you need or stable access to your applications during a DDoS attack? These attacks have continued to grow in frequency, size, sophistication, and impact. They often are utilized as a “cyber smoke screen” to mask infiltration attacks. Your DDoS protection should be always on, automated for network layer mitigation, and capable of near real-time alerting and telemetry.
  • Test your resilience—Validate your backup strategies and plans, ensuring offline copies are available. Review your most recent test results and conduct additional testing if needed. If you’re attacked, your offline backups may be your strongest or only lifeline. (Our incident response teams often find companies are surprised to discover their backup copies were accessible online and were either encrypted or destroyed by the attacker.)
  • Prepare for incident response assistance—Validate you have completed any necessary due diligence and have appropriate plans to secure third-party assistance with responding to an incident/attack. (Do you have a contract ready to be signed? Do you know who to call? Is it clear who will decide help is necessary?)
  • Train your workforce—Provide a new/specific round of training and awareness information for your employees. Make sure they’re vigilant to not click unusual links in emails and messages or go to unusual or risky URLs/websites, and that they have strong passwords. Emphasize protecting your company contributes to the protection of the financial economy and is a matter of national security.
  • Evaluate physical security—Step up validation of physical IDs at entry points. Ensure physical reviews of your external perimeter at key offices and datacenters are being carried out and are alert to unusual indicators of access attempts or physical attacks. (The “see something/say something” rule is critically important.)
  • Coordinate with law enforcement—Verify you have the necessary contact information for your local law enforcement, as well as for your local FBI office/agent (federal law enforcement). (Knowing who to call and how to reach them is a huge help in a crisis.)

The hope, of course, is there will not be any action against any company. Taking the actions noted above is good advice for any threat climate—but particularly in times of increased risk. Consider creating a checklist template you can edit as you learn new ways to lower your risk and tighten your security. Be sure to share your checklist with industry organizations such as FS-ISAC. Finally, if you have any questions, be sure to reach out to your account team at Microsoft.

Resources and information for detection and mitigation strategies

In addition, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

About the author

Lisa Lee is a former U.S. banking regulator who helped financial institutions of all sizes prepare their defenses against cyberattacks and reduce their threat landscape. In her current role with Microsoft, she advises Chief Information Security Officers (CISOs) and other senior executives at large financial services companies on cybersecurity, compliance, and identity. She utilizes her unique background to share insights about preparing for the current cyber threat landscape.

The post How companies can prepare for a heightened threat environment appeared first on Microsoft Security.

How to balance compliance and security with limited resources

November 5th, 2019 No comments

Today, many organizations still struggle to adhere to General Data Protection Regulation (GDPR) mandates even though this landmark regulation took effect nearly two years ago. A key learning for some: being compliant does not always mean you are secure. Shifting privacy regulations, combined with limited resources like budgets and talent shortages, add to today’s business complexities. I hear this concern time and again as I travel around the world meeting with our customers to share how Microsoft can empower organizations successfully through these challenges.

Most recently, I sat down with Emma Smith, Global Security Director at Vodafone Group to talk about their own best practices when navigating the regulatory environment. Vodafone Group is a global company with mobile operations in 24 countries and partnerships that extend to 42 more. The company also operates fixed broadband operations in 19 markets, with about 700 million customers. This global reach means they must protect a significant amount of data while adhering to multiple requirements.

Emma and her team have put a lot of time and effort into the strategies and tactics that keep Vodafone and its customers compliant no matter where they are in the world. They’ve learned a lot in this process, and she shared these learnings with me as we discussed the need for organizations to be both secure and compliant, in order to best serve our customers and maintain their trust. You can watch our conversation and hear more in our CISO Spotlight episode.

Cybersecurity enables privacy compliance

As you work to balance compliance with security keep in mind that, as Emma said, “There is no privacy without security.” If you have separate teams for privacy and security, it’s important that they’re strategically aligned. People only use technology and services they trust, which is why privacy and security go hand in hand.

Vodafone did a security and privacy assessment across all their big data stores to understand where the high-risk data lives and how to protect it. They were then able to implement the same controls for privacy and security. It’s also important to recognize that you will never be immune from an attack, but you can reduce the damage.

Emma offered three recommendations for balancing security with privacy compliance:

  • Develop a risk framework so you can prioritize your efforts.
  • Communicate regularly with the board and executive team to align on risk appetite.
  • Establish the right security capabilities internally and/or through a mix of partners and third parties.

I couldn’t agree more, as these are also important building blocks for any organization as they work to become operationally resilient.

I also asked Emma for her top five steps for becoming compliant with privacy regulations:

  • Comply with international standards first, then address local rules.
  • Develop a clear, board-approved strategy.
  • Measure progress against your strategy.
  • Develop a prioritized program of work with clear outcomes.
  • Stay abreast of new technologies and new threats.

The simplest way to manage your risk is to minimize the amount of data that you store. Privacy assessments will help you know where the data is and how to protect it. Regional and local laws can provide tools to guide your standards. Protecting online privacy and personal data is a big responsibility, but with a risk management approach, you can go beyond the “letter of the law” to better safeguard data and support online privacy as a human right.

Learn more

Watch my conversation with Emma about balancing security with privacy compliance. To learn more about compliance and GDPR, read Microsoft Cloud safeguards individual privacy.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

CISO Spotlight Series

Address cybersecurity challenges head-on with 10-minute video episodes that discuss cybersecurity problems and solutions from AI to Zero Trust.


Watch today

The post How to balance compliance and security with limited resources appeared first on Microsoft Security.