Archive for the ‘MISA’ Category

Automating and operationalizing data protection with Dataguise and Microsoft Information Protection

February 4th, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

In technical literature, the terms data discovery, classification, and tagging are sometimes used interchangeably, but there are real differences in what they actually mean—and each plays a critical role in an enterprise data protection strategy.

Data discovery is the process of reporting information about the sensitivity of a data object. The granularity of reporting typically includes what type of sensitive information is found, exactly where it is found, along with the exact cardinality of sensitive data elements. Data classification is the association of a label, which typically has some business value, to an object (file or a table). Classification is often stored as metadata in a separate system or an external data catalog and enables downstream usage of a data object based on security or privacy policies. Data tagging (labeling) is the application of an actual label (or classification) to the associated object.

The important thing to note here is that data discovery is always foundational to a data protection strategy. Classification and tagging depend on accurate discovery to drive the appropriate method of protection, which will ultimately depend on the consumption or utilization and privacy requirements for the data. The more comprehensive and efficient (automated and integrated) the data discovery, the more effective and cost-effective the data protection.

Dataguise and Microsoft Information Protection: Better together

Now, you probably know that Microsoft Information Protection is a comprehensive suite of services and features that Microsoft offers for its customers to classify, label, and protect data. Microsoft Information Protection forms the core of many enterprise data protection strategies.

Dataguise is a sensitive data discovery and protection software that now integrates with Microsoft Information Protection. More specifically, it performs context-aware discovery of structured, unstructured, and semi-structured data, and can use the results of that discovery to report on data classification, tag data with Microsoft Information Protection-readable labels, and protect sensitive data either natively—via innumerable methods of masking, encryption, and monitoring—or by integrating with Microsoft Information Protection or a third-party data protection solution. It’s a highly scalable solution that relies on machine learning and other heuristics to allow for efficient, accurate data discovery in multi-petabyte, hybrid environments.

With Dataguise, discovery can be done at several levels to meet various risk, compliance, or data governance goals; but there are two kinds of discovery that are of particular interest here, and it’s important to distinguish them:

  1. Discovery of personal information and other sensitive data: This is the process of finding and reporting data governed by PII, PCI, PHI, and any similar policy, where all sensitive data needs to be discovered but not associated with an individual. Such requirements are typically driven by industry security standards or regulations.
  2. Identity-based data discovery: This is the process of finding and reporting data specifically related to an individual. The contents of the report may or may not be useful for directly identifying the associated individual, but the entirety of a report constitutes the breadth of information that an enterprise possesses about the given data subject. Identity-based discovery is typically driven by recent data privacy laws like GDPR in the EU, CCPA in California, and LGPD in Brazil.

A data protection strategy that takes both types of discovery into account and incorporates technologies to perform them accurately, efficiently, and comprehensively—can add value not only for information security or privacy teams but for risk, compliance, governance, analytics, marketing, and IT operations teams as well. When you think of all the ways an organization collects, uses, shares, and stores data across the enterprise, more granular visibility leads to more precise control and, therefore, greater business flexibility and agility to maximize data value.

Ultimately, Dataguise complements Microsoft Information Protection capabilities, making the combination extremely useful for the customer.

The discovery synergy: Dataguise augments Microsoft Information Protection scanning capabilities

Dataguise’s real strength lies in the fact that it can discover and report sensitive and personal data across relational databases, NoSQL databases, Hadoop, file shares, cloud stores like ADLS, S3, and GCS, and over 200 different cloud-based applications. Dataguise can therefore extend Microsoft Information Protection’s scanning coverage to structured and unstructured data stored outside Microsoft products, on the platforms listed above. This is a game-changer, as Microsoft Information Protection can now be used to tag all co-located sensitive and personal data on all of those platforms.

The protection synergy: Dataguise enhances downstream data protection capabilities for Microsoft Information Protection

Dataguise uses Microsoft Information Protection’s SDK to seamlessly integrate discovery with Microsoft Information Protection’s tagging capability. Whether the tags power DLP, access control, or encryption and decryption solutions, Dataguise can team up with Microsoft Information Protection, either natively or by leveraging a third-party solution, to create an end-to-end data protection strategy and automated implementation.

So how does this all work?

The integration is seamless and starts with defining the tags in Microsoft Information Protection. Next, these tags are mapped to one sensitive element or a combination of them, out-of-the-box or custom, in Dataguise. As Dataguise runs its discovery scans, it uses that mapping to report the tags corresponding to each file it has scanned. Then, using the Microsoft Information Protection SDK, those tags are applied to the corresponding files. Dataguise performs context-aware discovery based on machine learning, which benefits Microsoft Information Protection by tagging files accurately and at scale. The figure below shows the flow:

An infographic that shows the flow of context-aware discovery based on machine learning.
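As an added illustration (not Dataguise or Microsoft code, and it does not call the Microsoft Information Protection SDK), the following sketch separates the three steps this post distinguishes: discovery reports each sensitive element with its exact position and count, classification maps the discovered elements to a label through an ordered rule table like the mapping described above, and the label in each report is the value the tagging step would hand to the SDK. The detectors, label names, mapping rules and sample files are all constructed.

```python
"""Discovery -> classification -> label, following the flow described above.
Added example, not Dataguise or Microsoft code: detectors, label names,
mapping rules and sample files are constructed for illustration."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a context check that rejects random 13-16 digit runs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Constructed detectors: (element type, pattern, optional validator for the match text).
DETECTORS = [
    ("CREDIT_CARD", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda s: luhn_ok(re.sub(r"\D", "", s))),
    ("US_SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("PHONE", re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), None),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), None),
]

# Constructed label mapping: a label applies when every element in its set was
# found. Rules run from most to least restrictive; the first satisfied one wins.
LABEL_RULES = [
    ("Highly Confidential", frozenset({"CREDIT_CARD"})),
    ("Highly Confidential", frozenset({"US_SSN"})),
    ("Confidential", frozenset({"EMAIL", "PHONE"})),  # combination of elements
    ("Internal", frozenset({"EMAIL"})),
    ("Internal", frozenset({"PHONE"})),
]
DEFAULT_LABEL = "General"

@dataclass
class Finding:
    element: str
    line: int
    start: int
    end: int

@dataclass
class Report:
    path: str
    counts: dict[str, int]   # discovery: which element types, and how many of each
    findings: list[Finding]  # discovery: exactly where each one sits
    label: str               # classification: the tag that would be passed to the SDK

def discover(text: str) -> list[Finding]:
    """Discovery step: report every sensitive element with its exact location."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for element, pattern, validate in DETECTORS:
            for m in pattern.finditer(line):
                if validate is None or validate(m.group()):
                    findings.append(Finding(element, lineno, m.start(), m.end()))
    return findings

def classify(findings: list[Finding]) -> str:
    """Classification step: map the set of discovered element types to one label."""
    present = {f.element for f in findings}
    for label, required in LABEL_RULES:
        if required <= present:
            return label
    return DEFAULT_LABEL

def scan_file(path: str, text: str) -> Report:
    findings = discover(text)
    return Report(path, dict(Counter(f.element for f in findings)), findings, classify(findings))

def scan_all(files: dict[str, str]) -> dict[str, Report]:
    return {path: scan_file(path, text) for path, text in files.items()}

# Constructed sample files; the second card number in refunds.csv fails the Luhn check.
SAMPLE_FILES = {
    "hr/payroll-notes.txt": "Employee: Jane Doe\nSSN: 123-45-6789\nContact: jane.doe@example.com\n",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "ops/oncall.txt": "Pager: 555-123-4567\nEmail: oncall@example.com\n",
    "docs/readme.txt": "Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for report in scan_all(SAMPLE_FILES).values():
        print(f"{report.path}: {report.counts} -> {report.label}")
```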

Dataguise and Microsoft Information Protection bring a powerful combination of capabilities to any data protection strategy and implementation. The joint value of this integration lies in the fact that Dataguise can cover a broad range of platforms for discovery, and then leverage Microsoft Information Protection labeling to enable downstream data protection. Intelligent and context-aware data discovery is foundational to data protection, and with accurate optics, enterprise-wide implementation of comprehensive and automated data protection policies can be achieved.

For more information about the Dataguise Sensitive Data Discovery and Protection solution, please visit www.dataguise.com. You can also find Dataguise on the Azure Marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Automating and operationalizing data protection with Dataguise and Microsoft Information Protection appeared first on Microsoft Security.

Blue Cedar partners with Microsoft to combat BYOD issues

January 21st, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.  

Bring Your Own Device (BYOD) has been a divisive topic within corporations for years. Employees wanted the convenience of working on their own smart devices, and business decision-makers recognized the cost and productivity benefits. IT teams knew unmanaged devices would result in more work and security holes. 

As you know, the business side won out. The line-of-business (LOB) mobile app market exploded, and BYOD became the rule rather than the exception. Today, corporate IT teams manage hundreds of mobile LOBs ranging from apps developed in house to Microsoft 365, with more on the horizon. There is one thing that everyone can agree on, however: Employers should not manage their employees’ personal devices. 

Establishing data boundaries

IT teams constantly struggle to walk the delicate line of managing corporate data without impinging on personal data. The Microsoft Intune and Microsoft Office 365 teams set out to solve the problem together. The teams worked together to develop app protection policies (APPs) for what would become Microsoft Endpoint Manager (MEM). The APP places restrictions on how Office 365 data can be used on a completely managed or completely unmanaged device. Specifically:  

  • Data can only be shared between managed Office 365 apps. 
  • Users cannot forward it or save it to a non-Office 365 resource. 

Blue Cedar’s solution for Microsoft

IT and security teams have been searching for a solution to accommodate BYOD that won’t compromise network security. The Blue Cedar Platform is a no-code integration service that enables new capabilities to be added to mobile apps post-build without requiring a developer. With a couple of clicks, you can add Intune MAM, Azure Active Directory authentication, and other SDKs into your compiled mobile app. The platform works with native apps or apps written using a mobile framework and integrates into your existing app delivery workflow. Built-in integrations with GitHub and the Intune cloud allow you to build seamless workflows that add new app capabilities and skip manual operations.

Feature highlights: 

  • Add Microsoft Endpoint Manager App Protection Policy capabilities.
  • Add new app authentication flows, including the use of the Microsoft Authenticator app.
  • Keep corporate data separate from personal data.
  • Allow users to BYOD without creating security vulnerabilities.
  • Maintain end-user privacy.

Secure VPN connections to on-premises resources

There is one last thing I’d like to tell you about today—and it’s a potential gamechanger for many organizations. Many companies still maintain critical data on-prem, meaning employees can’t easily access it from their mobile devices. Utilizing our patented no-code integration technology, VPN capabilities can be added to mobile apps, allowing them to attach to the corporate network.

Our in-app VPN functionality enables users to automatically connect to on-premises and in-cloud networks without requiring device management or complex VPN configuration. Our VPN connectivity is transparent and secured via multi-factor authentication backed by Azure AD.

Infographic showing Secure VPN connections to on-premises resources using Blue Cedar

Secure VPN feature highlights: 

  • Extends network availability to on-prem networks. 
  • Permits login with Azure AD credentials. 
  • Separates corporate data from personal data.
  • Improves productivity. 

The Blue Cedar platform is also the only way to securely connect Intune-enabled apps to both cloud and on-premises databases for a single sign-on (SSO) experience without bringing the devices under management. 

Better BYOD for your organization

BYOD is here to stay; the Blue Cedar collaboration with Microsoft will save you time, resources, and budget while providing secure mobile access to your on-prem or cloud-based resources.  

To learn more about Blue Cedar Platform, visit the Blue Cedar listing in the Azure Marketplace or visit our web page about Blue Cedar’s no-code integration service. 

Forcepoint and Microsoft: Risk-based access control for the remote workforce

January 4th, 2021

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here.

Adopting cloud-based services as part of an organization’s digital transformation strategy is no longer optional; it is a necessity. Last year, only 18 percent of the workforce worked remotely full-time. Today, companies have been forced to accelerate their digital transformation efforts to ensure the safety and well-being of employees. At the same time, organizations cannot afford to sacrifice productivity for the sake of security. With the massive move to online experiences and remote working comes a new set of challenges: how do you ensure your data, your network, and your employees stay secure, wherever they are?

Forcepoint has integrated with Azure Active Directory (Azure AD) to enhance existing Conditional Access capabilities by orchestrating change in authentication policies dynamically so that every user authenticates with steps aligned to their risk score. Active sessions can be terminated upon risk score increase so that users must re-authenticate using an enhanced sequence of challenges, and users can be temporarily blocked in the case of high risk. Forcepoint risk scores, combined with Azure AD risk, are calculated based on the user’s context, such as location or IP, to help automatically and accurately prioritize the riskiest users. The joint solution enables administrators to protect critical data and leverage the power of automation to prevent data compromise and exfiltration from occurring. By combining the power of Azure AD with Forcepoint security solutions, organizations can scale a risk-adaptive approach to identity and access management and cloud application access without changing their existing infrastructure.

People are the perimeter

Before COVID-19, in our 2020 Forcepoint Cybersecurity Predictions and Trends report, we detailed the shifting emphasis to a “cloud-first” posture by public and private sector organizations alike. There was, and still is, a clear need for organizations to expand their view of network security and begin to understand that their people are the new perimeter. Today, more than ever, it is imperative for businesses to comprehend and to manage the interaction between their two most valuable assets—their people and their data.

Human-centric cybersecurity is about focusing on not just individuals, but how their behaviors evolve over time. Forcepoint risk scores are designed to continuously calculate the level of risk associated with individual behavior in the past, present, and future. Most organizations today will adopt blanket policies to improve their security posture. Even though policies for individuals may have some level of flexibility, most tend to apply policies to all users within a group—regardless of the individual risk profile. This results in unnecessarily complicated steps for low-risk users accessing common applications, and weak authentication challenges for privileged users logging into critical systems. In short, these implementations are likely frustrating your low-risk users by creating barriers to productivity and allowing high-risk users to fly under the radar.

Forcepoint’s mission is to provide enterprises with the tools needed to understand and quickly assess the risk levels of human behavior across their networks and endpoints and take automated action by implementing risk adaptive protection. We offer a portfolio of security solutions designed to quickly and continuously assess the potential of compromised user risk and automatically apply the appropriate protective measures.

Forcepoint + Azure Active Directory = Better together

Forcepoint has partnered with the Azure Active Directory team on a series of integrations designed to provide remote workers secure access to their cloud and legacy on-premises applications. Together, our integrated solutions combine the risk score calculated by Forcepoint’s Cloud Access Security Broker (CASB) with Azure AD to apply the appropriate Conditional Access policies tailored to each individual user’s risk.
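The risk-adaptive behaviour this post describes, as an added illustration that is not Forcepoint or Microsoft code: a combined score selects a tier, a rise in tier terminates active sessions and demands a longer challenge sequence, and the top tier imposes a temporary block that outlasts a subsequent drop in score. The 0-100 score scale, the mapping of Azure AD risk levels onto it, the tier thresholds, the challenge sequences and the 30-minute block are constructed assumptions.

```python
"""Risk-adaptive access decisions in the style described above.
Added example, not Forcepoint or Microsoft code: the score scale, risk-level
mapping, tier thresholds, challenge sequences and block duration are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Azure AD reports user risk as a level; map it onto the constructed 0-100
# scale used for the Forcepoint score so the two sources can be combined.
AAD_RISK_LEVELS = {"none": 0, "low": 25, "medium": 60, "high": 90}

# Constructed tiers as (lower bound, name); the highest bound reached applies.
TIERS = [(0, "low"), (40, "medium"), (70, "elevated"), (85, "high")]
RANK = {name: i for i, (_, name) in enumerate(TIERS)}

# Constructed challenge sequences: the higher the tier, the longer the sequence.
CHALLENGES = {
    "low": ["password"],
    "medium": ["password", "authenticator_push"],
    "elevated": ["password", "authenticator_push", "fido2_key"],
}
BLOCK_MINUTES = 30  # constructed duration of a temporary block at "high"

@dataclass
class Decision:
    user: str
    score: int
    tier: str
    action: str                # "allow", "step_up" or "block"
    challenges: list[str]      # sequence a new sign-in must complete
    revoke_sessions: bool      # True when active sessions are terminated
    blocked_until: int | None  # minute timestamp, set only for "block"

@dataclass
class PolicyEngine:
    last_tier: dict[str, str] = field(default_factory=dict)
    blocked_until: dict[str, int] = field(default_factory=dict)

    @staticmethod
    def combine(forcepoint_score: int, aad_risk: str) -> int:
        # Either source alone is enough to raise risk, so take the higher one.
        return max(forcepoint_score, AAD_RISK_LEVELS[aad_risk])

    @staticmethod
    def tier_for(score: int) -> str:
        return max((t for t in TIERS if score >= t[0]), key=lambda t: t[0])[1]

    def evaluate(self, user: str, forcepoint_score: int, aad_risk: str, now: int) -> Decision:
        score = self.combine(forcepoint_score, aad_risk)
        tier = self.tier_for(score)
        # A temporary block still in force wins over any new, lower score.
        until = self.blocked_until.get(user)
        if until is not None and now < until:
            return Decision(user, score, tier, "block", [], False, until)
        previous = self.last_tier.get(user, "low")
        self.last_tier[user] = tier
        if tier == "high":
            until = now + BLOCK_MINUTES
            self.blocked_until[user] = until
            return Decision(user, score, tier, "block", [], True, until)
        # Risk rose by at least one tier: terminate sessions so the user must
        # re-authenticate with the stronger sequence. Otherwise current sessions
        # stand and new sign-ins simply use the tier's challenges.
        escalated = RANK[tier] > RANK[previous]
        action = "step_up" if escalated else "allow"
        return Decision(user, score, tier, action, CHALLENGES[tier], escalated, None)

def sample_run() -> list[Decision]:
    """Constructed sequence of (forcepoint_score, aad_risk, minute) events for one user."""
    engine = PolicyEngine()
    events = [(10, "none", 1000), (30, "medium", 1005), (55, "low", 1010),
              (75, "low", 1015), (92, "low", 1020), (5, "none", 1030), (5, "none", 1060)]
    return [engine.evaluate("alice", fp, aad, t) for fp, aad, t in events]

if __name__ == "__main__":
    for d in sample_run():
        print(d.score, d.tier, d.action, d.challenges, d.revoke_sessions, d.blocked_until)
```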

Learn more about the Forcepoint products that integrate with Microsoft Azure, including the technical implementation and demonstrations of how Forcepoint risk adaptive protection influences the conditional access policies of a potentially compromised user:

Give your organization the control it needs to protect critical assets and data by combining Forcepoint with the power of Azure AD today.

About Forcepoint

Forcepoint is a leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with networks, data, and systems. Forcepoint provides secure access solutions without compromising employee productivity. For more information, visit forcepoint.com.

Forcepoint is a member of the Microsoft Intelligent Security Association.

A breakthrough year for passwordless technology

December 17th, 2020

As 2020 draws to a close, most of us are looking forward to putting this year in the rearview mirror. Since we depend even more on getting online for everything in our lives, we’re more than ready to be done with passwords. Passwords are a hassle to use, and they present security risks for users and organizations of all sizes, with an average of one in every 250 corporate accounts compromised each month. According to the Gartner Group, 20 to 50 percent of all help desk calls are for password resets. The World Economic Forum (WEF) estimates that cybercrime costs the global economy $2.9 million every minute, with roughly 80 percent of those attacks directed at passwords.

In November 2019 at Microsoft Ignite, we shared that more than 100 million people were already using Microsoft’s passwordless sign-in each month. In May of 2020, just in time for World Password Day, that number had already grown to more than 150 million people, and the use of biometrics to access work accounts is now almost double what it was then. We’ve drawn strength from our customers’ determination this year and are set to make passwordless access a reality for all our customers in 2021.

2020: A banner year for passwordless technology

Infographic describing the passwordless technology achievements in 2020

February: We announced a preview of Azure Active Directory support for FIDO2 security keys in hybrid environments. The Fast Identity Online (FIDO) Alliance is a “cross-industry consortia providing standards, certifications, and market adoption programs to replace passwords with simpler, stronger authentication.” Following the latest FIDO spec, FIDO2, we enabled users with security keys to access their Hybrid Azure Active Directory (Azure AD) Windows 10 devices with seamless sign-in, providing secure access to on-premises and cloud resources using a strong hardware-backed public and private-key credential. This expansion of Microsoft’s passwordless capabilities followed 2019’s preview of FIDO2 support for Azure Active Directory joined devices and browser sign-ins.

June: I gave a keynote speech at Identiverse Virtual 2020 where I got to talk about how Microsoft’s FIDO2 implementation highlights the importance of industry standards in implementing Zero Trust security and is crucial to enabling secure ongoing remote work across industries. Nitika Gupta, Principal Program Manager of Identity Security in our team, showed how Zero Trust is more important than ever for securing data and resources and provided actionable steps that organizations can take to start their Zero Trust journey.

September: At Microsoft Ignite, the company revealed the new passwordless wizard available through the Microsoft 365 Admin Center. Delivering a streamlined user sign-in experience in Windows 10, Windows Hello for Business replaces passwords by combining strong MFA for an enrolled device with a PIN or user biometric (fingerprint or facial recognition). This approach gives you, our customers, the ability to deliver great user experiences for your employees, customers, and partners without compromising your security posture.

November: Authenticate 2020, “the first conference dedicated to who, what, why and how of user authentication,” featured my boss, Joy Chik, CVP of Identity at Microsoft, as the keynote speaker. Joy talked about how FIDO2 is a critical part of Microsoft’s passwordless vision, and the importance of the whole industry working toward great user experiences, interoperability, and having apps everywhere support passwordless authentication. November also saw Microsoft once again recognized by Gartner as a “Leader” in identity and access management (IAM).

MISA members lead the way

The Microsoft Intelligent Security Association (MISA) is an ecosystem of security partners who have integrated their solutions with Microsoft to better defend against increasingly sophisticated cyber threats. Four MISA members—YubiKey, HID Global, TrustKey, and AuthenTrend—stood out this year for their efforts in driving passwordless technology adoption across industries.

Yubico created the passwordless YubiKey hardware to help businesses achieve the highest level of security at scale.

“We’re providing users with a convenient, simple, authentication solution for Azure Active Directory.”—Derek Hanson, VP of Solutions Architecture and Alliances, Yubico

HID Global engineered the HID Crescendo family of FIDO-enabled smart cards and USB keys to streamline access for IT and physical workspaces—enabling passwordless authentication anywhere.

“Organizations can now secure access to laptops and cloud apps with the same credentials employees use to open the door to their office.”—Julian Lovelock, VP of Global Business Segment Identity and Access Management Solutions, HID

TrustKey provides FIDO2 hardware and software solutions for enterprises who want to deploy passwordless authentication with Azure Active Directory because: “Users often find innovative ways to circumvent difficult policies,” comments Andrew Jun, VP of Product Development at TrustKey, “which inadvertently creates security holes.”

AuthenTrend applied fingerprint-authentication technology to the FIDO2 security key and aspires to replace all passwords with biometrics to help people take back ownership of their credentials.

Next steps for passwordless in 2021

Our team has been working hard this year to join these partners in making passwords a thing of the past. Along with new UX and APIs for managing FIDO2 security keys, enabling customers to develop custom solutions and tools, we plan to release a converged registration portal in 2021, where all users can seamlessly manage passwordless credentials via the My Apps portal.

We’re excited about the metrics we tracked in 2020, which show a growing acceptance of passwordless among organizations and users:

  • Passwordless usage in Azure Active Directory is up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.
  • More than 150 million total passwordless users across Azure Active Directory and Microsoft consumer accounts.
  • The number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019.

We’re all hoping the coming year will bring a return to normal and that passwordless access will at least make our online lives a little easier.

Learn more about Microsoft’s passwordless story. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Digital Defense integrates with Microsoft to detect attacks missed by traditional endpoint security

December 8th, 2020

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. You can learn more about MISA here.

Cybercriminals have ramped up their initial compromises through phishing and pharming attacks using a variety of tools and tactics that, while numerous, are simple and often go undetected. One technique that attackers continue to leverage to obfuscate their activity and remain undetected is dwell time.

Dwell is the time between the initial compromise and the point when the attack campaign is identified. While industry reports offer differing averages for dwell time, I have yet to see reporting that presents an average below the 50 to 60-day range. Read more about advanced endpoint protection and dwell time.

While dwell times have slightly decreased as attackers become less patient, they are still long enough to evade the plethora of security tools that exist today. The challenge with these tools is their inability to piece together attacker activity over long periods. By the time enough indicators of compromise (IoCs) reveal themselves to be detected, it is often too late to prevent a breach. Most monitoring solutions look for attacker activity to identify a potential indicator of compromise. However, the best way to combat dwell time is to identify and eradicate dormant or nascent malware that stays well hidden until it periodically activates.

A layered solution

Frontline Active Threat Sweep™ (Frontline ATS™), integrated with Microsoft Defender for Endpoint, identifies malware designed to actively evade EDR solutions. Frontline ATS™ is part of the Digital Defense Frontline.Cloud platform providing on-demand agentless threat detection that proactively analyzes assets for indications of a malware infection before other agent-based security tools can be deployed. When integrated, Frontline ATS augments Defender for Endpoint’s capabilities by identifying hidden IoCs without adding agents.

The ability to stay undetected for long periods of time is one of the most common and challenging tactics that attackers use to execute a successful breach. In addition, even when a security team using monitoring tools or an incident response (IR) service is able to detect a threat and clean up an infection, it is common to see it repeatedly resurface. This is because, even after all active indicators of the threat have been investigated and addressed, the initial and often inactive malware installation can go undiscovered precisely because it is inactive, and it can later be re-activated to re-spark the infection. With Frontline ATS and Defender for Endpoint, security teams can find any source, artifact, or inactive remnant of malware that could restart the attack campaign. Together, Defender for Endpoint and Frontline ATS provide comprehensive and unobtrusive advanced endpoint detection, protection, and response, drastically improving the security operations team’s effectiveness at preventing breaches.

To learn about the Digital Defense Frontline ATS integration with Microsoft Defender for Endpoint, please visit our listing in the Microsoft Azure Marketplace or visit Digital Defense to learn more.

Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services

November 17th, 2020

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here.

Security teams are struggling to reduce the time to detect and respond to threats due to the complexity and volume of alerts being generated from multiple security technologies.

Migrating more workloads to the cloud adds another perimeter, which requires constant vigilance for early signs of a cyber-attack. New security challenges also emerge from the cloud’s elastic nature and the constant provisioning of new services.

How CyberProof is working with Microsoft to solve these challenges

CyberProof partnered with Microsoft to provide customers with cloud-scalable security monitoring, detection, and response services across the endpoint, network, identities, SaaS applications, and Azure cloud infrastructure.

With the CyberProof Defense Center (CDC) service delivery platform pre-integrated with Microsoft’s cloud-native SIEM, Azure Sentinel, CyberProof’s built-in virtual analyst, SeeMo, automates up to 80 percent of tier one and two activities such as monitoring, enrichment, incident handling, and remediation. This frees up your team to focus on the most critical business issues.

Key Layers to Building a Smarter SOC

We recommend that security operations center (SOC) teams implement the following three key layers of a smarter SOC architecture when looking to generate continuous value from their Azure security stack with managed security services.

Each layer includes the integrations between Microsoft and CyberProof that help facilitate this architecture. For more information, check out our on-demand webinar—which we ran in collaboration with Microsoft’s Chief Security Advisor EMEA, Cyril Voisin.

1. Data collection and integration layer—enrichment of security data from multiple sources

This is particularly useful for enterprise-grade SOCs that collect and parse relevant data from multiple business units before going into a data lake. Organizing and classifying all of this data will save time and money when you start introducing integration and automation technologies, as the information will already be structured in an optimum way. Here’s how log collection, normalization, and analysis work:

  1. Integration: An organization identifies the assets, tools, technologies, and applications that need to be integrated.
  2. Data normalization: Enterprise SOCs need to parse data before it enters the data lake—to tag and filter it—so the right information is being fed into the SOC in the most efficient way.
  3. Data collection and analysis: Using a solution such as Microsoft’s Azure Monitor Log Analytics and scalable storage such as Azure Data Lake, terabytes of data can be ingested in order to query and manage at scale. Machine learning can be used for the identification of anomalies and monitoring whether log sources are operating correctly, as well as to support threat hunting.

At CyberProof, we leverage Azure Monitor Log Analytics and CyberProof Log Collection (CLC) SaaS technology to pull logs from all sources of data. These include a customer’s existing Microsoft investments—including on-premises, SaaS, and Azure assets—and existing Microsoft security controls that generate alerts across identities, endpoints, data, email, and cloud apps.

2. Security analytics layer—generating contextual alerts and minimizing false positives

The traditional on-premises SIEM architecture has limited scalability: for example, infrastructure costs are incurred up front, based on peak requirements, rather than through on-demand provisioning that scales with current demand and growth over time. Effectively mapping logs from all ecosystems can also be a time-consuming endeavor when correlation rules and clear reporting have to be created.

The world of security data collection has evolved. It is no longer a single query or rule that triggers the discovery of an incident. Typically, security monitoring has to find the proverbial “needle in the haystack,” and that type of threat detection requires broad visibility across the enterprise. It also requires more processing power and data collection in order to establish what the baseline really looks like. These requirements are best met by implementing security in the cloud.

That’s where Azure Sentinel comes in, supplying correlation and analytics rules and filtering massive volumes of events to obtain high-context alerts. Azure Sentinel uses machine learning to proactively find anomalies hidden within acceptable user behavior and generate alerts.

Microsoft Azure Sentinel is fully integrated with the CyberProof CDC platform, so customers can work from a single console to manage high-context alerts, carry out investigations, and handle incidents.

3. Orchestration, automation, and collaboration layer—facilitating faster threat detection and response

Forrester’s recent assessment of midsized MSSPs notes that orchestration and security automation plays a vital role for overburdened SOC staff.

By automating tier one and two activities like monitoring, enrichment, investigation, and incident handling, our CDC platform takes much of the strain out of the process. Essentially, the CDC platform provides our IP as a service—helping customers avoid the expenditure necessary to develop their own IP for a next-generation SOC.

The CDC platform gives customers a “single pane of glass” view from which to manage high context alerts, incidents, and report generation for stakeholders. It integrates the functionality of Azure Sentinel as well as other security investments.

The CDC platform’s benefits include:

  • Orchestration: Integrates external intelligence sources, enrichment sources, the IT service management system, and more into a single view.
  • Automation: Leverages CyberProof’s virtual analyst, SeeMo, who uses our Use Case Factory—a catalog of attack use cases consisting of prevention, detection rules, and response playbooks, all aligned to the MITRE ATT&CK framework—to continuously update playbooks.
  • Collaboration: Facilitates real-time communication with our nation-state level analysts to help remediate incidents.
  • Hybrid engagement: Supports collaboration of CyberProof experts with the customer’s team to remediate incidents and upskill the customer’s team.

Customers can start benefiting now

The CyberProof solution, used in tandem with Azure Sentinel, provides 24/7 security monitoring, which frees up SOC teams to focus on critical incidents.

The platform’s use of machine learning and behavioral analysis can reduce alert fatigue and false positives by up to 90 percent. It offers large-scale collection and correlation of data from the endpoint, cloud network, and users—facilitating high-context alerts.

These capabilities, as well as the platform’s high-level collaboration abilities and up-to-date response playbooks, contribute to greater efficiency in threat detection and in responding to validated incidents.

And it doesn’t take a lot of time to transition to the CyberProof solution: CyberProof has a defined onboarding process that’s based on each customer’s requirements.

As a managed service provider, we find that we can help customers get through the transition much more quickly than they would have on their own—accelerating the process and shortening the time needed to start reaping the benefits of the solutions.

Want more information? Check out our Azure Security Services page and the CDC platform from CyberProof. Or contact us to learn more about how we can help you transition to a smarter SOC.

To learn more about the Microsoft Intelligent Security Association (MISA), visit the Microsoft Intelligent Security Association website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services appeared first on Microsoft Security.

Advanced protection for web applications in Azure with Radware’s Microsoft Security integration

October 12th, 2020 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA here.

The state of application security

Companies face a wide range of security challenges, such as Open Web Application Security Project (OWASP) vulnerabilities, advanced bot threats and the need to manage bots, securing APIs, and protecting against volumetric and non-volumetric DDoS attacks. Advanced threats mean that application security solutions must do much more. Organizations require a synchronized attack-mitigation system that provides advanced application protection against all the above threats, across all platforms and environments at all times, providing comprehensive security and a single view of application security events for quick incident response and minimum impact on the business.

Customers are increasingly requesting, if not requiring, a fully managed service option for security elements. Beyond the obvious complexity of managing the positive and negative security model rules, today’s attacks are dynamic and evolving. Teams managing application security are stressed by the rapid pace of new application development and application changes, all of which require vulnerability assessment and remediation in the form of automated continuous and consistent security policies.

Cloud is disrupting technology and security is the biggest challenge for customers around the world. Radware is embracing this shift by focusing on ‘Strength in Security’ with Microsoft Azure and is focused on helping Microsoft Azure customers secure their workloads and applications. Radware works closely with Microsoft’s engineering teams to create new and innovative solutions in Azure that benefit from Microsoft’s unique cloud capabilities and services like Azure DDoS Protection and Microsoft Azure Sentinel to build a more secure digital infrastructure, enabling customers to overcome security challenges. Radware Security for Azure provides local availability and easy deployment capabilities across any Azure region, enabling organizations to move to Azure with the knowledge that their applications, networks, and data will be secure around the world.

The application threat landscape

Application vulnerabilities are now the fastest-growing cybersecurity threat to organizations, according to a year-over-year comparison of Radware’s annual Global Application & Network Security Report. Applications, and the APIs they leverage, must be protected against an expanding variety of attack methods. In addition, DevOps and Agile development practices mean that applications are in a state of constant flux, and security policies must adapt to keep pace. Web application security solutions must be smarter and address a broad spectrum of vulnerability exploitation scenarios and attack types and vectors. On top of protecting the application from these common vulnerabilities, they have to protect APIs and mitigate denial-of-service (DoS) attacks, manage bot traffic, and make a distinction between legitimate bots and malicious bots.

Web applications are a critical part of most modern businesses, but many organizations continue to overlook web application security, despite escalating threats. According to a recent Gartner report, by 2023, more than 30 percent of public-facing web applications will be protected by cloud web application and API protection services that combine DDoS protection, bot mitigation, API protection, and web application firewalls (WAFs).

Cloud web application and API security with integrated bot and DDoS protection is the evolution of cloud-delivered WAF services. Comprehensive cloud-delivered managed security services are the runtime-protection successor to WAF appliances: faster to deploy and easier for organizations to maintain. Customers want to consume security products without managing the underlying infrastructure, which is a big benefit that a product like Radware Security for Azure brings to customers in Azure.

Radware Security for Azure is a managed service that provides network and application security protection against everything from small-scale attacks to the most sophisticated large-scale attacks, ensuring applications are protected from DDoS attacks, zero-day web attacks, and common vulnerabilities.

By leveraging the global scale of the Microsoft network and integrating with Azure DDoS Protection, Radware Security for Azure provides enhanced Layer 3 – Layer 7 DDoS mitigation capabilities tuned for applications and resources deployed in virtual networks backed by an industry-leading service level agreement (SLA) and 24/7 incident response team.

Six steps on how to neutralize the application threat

Radware provides advanced protection for web applications in Azure with an integrated application and API security service. Radware Security for Azure provides:

Details on security solutions offered by Radware Security for Azure

To learn more about Radware Security for Azure, visit our listing in the Azure Marketplace or visit Radware.

The post Advanced protection for web applications in Azure with Radware’s Microsoft Security integration appeared first on Microsoft Security.

Vectra and Microsoft join forces to step up detection and response

September 21st, 2020 No comments

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Click here to learn more about MISA.

Traditional security operations center (SOC) processes typically involve a wide variety of disparate event notification tools that force overworked analysts to battle massive amounts of inbound alerts. This often leads to missed signals and incorrect alert prioritization.

The move to cloud, hybrid environments, and IoT further exacerbates the situation as the attack surface is distributed, boundless, and ever-changing. Perimeter defenses, although necessary, are insufficient.

To address these challenges, SOCs today are focusing on continuous real-time detection and response capabilities that are based on three tightly integrated vantage points and solutions – network detection and response (NDR), endpoint detection and response (EDR), and security information and event management (SIEM).

Gartner calls this approach the SOC visibility triad. It combines the widespread visibility of NDR with the deep process-level insight of EDR, and couples them together with log and security analytics from a variety of sources in the SIEM.

Using these three components in a deeply integrated solution gives security professionals the tools and visibility into modern networking environments and allows them to detect and stop attacks that evade perimeter defenses.

The Cognito® platform from Vectra® delivers high-fidelity NDR by keeping a watchful eye on hidden attacker behaviors in workloads in the cloud and hybrid cloud as well as on-premises enterprise networks.

By combining security research with data science, Vectra AI-derived machine learning algorithms automatically detect and prioritize the highest-risk attacker behaviors in cloud/SaaS and data center workloads as well as user and IoT devices.

As a result, Vectra enables security professionals to reduce the SOC workload, instantly get deep insights and context about every attack, and respond faster to encroaching threats with surgical precision.

An image of the SOC Vectra Triad.

The deep native integrations between Vectra (NDR), Microsoft Defender ATP (EDR) and Microsoft Azure Sentinel (SIEM) make the SOC triad fully operational for customers, enabling them to use tools they are already familiar with.

This SOC triad brings together context from each data source, creating an extraordinary solution that is greater than the sum of its parts.

In addition to enriching Vectra detections with contextual endpoint data from Microsoft Defender ATP, this solution automatically shows attacker detections in the Microsoft Azure Sentinel dashboard, where SOC teams can conduct conclusive investigations.

The SOC visibility triad further helps drive integrated enforcement actions like disabling compromised accounts and isolating hosts that an attacker is using. This allows SOCs to deliver well-coordinated responses, enhance efficiency, and reduce attacker dwell-times.

The Host Lockdown feature from Vectra is a perfect example of this. When a high-risk attack is detected by the Cognito platform, SOC teams can respond quickly and accurately to lock down Microsoft Defender ATP hosts from the Cognito dashboard.

This can be performed manually with a button-click or configured for automated enforcement that triggers when host threat, certainty, and observed-privilege scores exceed SOC-defined thresholds.

In summary, together with Microsoft Defender ATP, Vectra enables SOC teams to:

  • Combine the Vectra 360-degree aerial view of interactions on cloud and data center workloads with the in-depth ground-level view from Microsoft Defender ATP.
  • Enrich high-fidelity Vectra detections with deep process-level host-context from Microsoft Defender ATP.
  • Take precise and immediate enforcement actions from Vectra closer to the source using Microsoft Defender ATP.

And together with Microsoft Azure Sentinel, Vectra enables SOCs to:

  • Bring Vectra high-certainty behavior-based detections straight to Microsoft Azure Sentinel workbooks for immediate attention.
  • Automate incidents in Microsoft Azure Sentinel based on configurable threat and certainty score thresholds from Vectra.
  • Perform forensic analysis on incidents to identify involved devices, accounts, and attackers.

With these deep integrations between NDR, EDR, and SIEM that Vectra and Microsoft have collaborated on, we are able to realize the SOC visibility triad, ultimately allowing customers to elevate SOC visibility and prevent attackers from establishing footholds across cloud, data center, IoT, and enterprise networks.

For more details, check out the Cognito platform from Vectra and our integration with Microsoft Defender ATP and Microsoft Azure Sentinel.

The post Vectra and Microsoft join forces to step up detection and response appeared first on Microsoft Security.

Microsoft and Corrata integrate to extend cloud app security to mobile endpoints

August 24th, 2020 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. To learn more about MISA, go here.

The growth of mobile and remote work and the emergence of the “post-perimeter” world has made keeping track of shadow IT a huge challenge for enterprise IT teams. What makes this problem particularly difficult for infosec teams is a parallel development: not only are your apps leaving the data center, but your employees are leaving the building. In the good old days, you might have used firewalls or secure web gateways to give you visibility. On top of that, risky or unsanctioned apps could be blocked with a firewall script or added to a blacklist.

But with employees working from home, the network perimeter has disappeared. In this new world, how can you have any idea what’s going on, let alone impose control?

The growth of SaaS

The rapid adoption of SaaS services has driven cloud computing and digital transformation for many organizations. File storage, CRM, and ERP systems are now commonly delivered on a SaaS basis. Services based on the SaaS model offer fantastic advantages. For a start, they do not require in-house infrastructure. In addition, they have rich out of the box feature sets and deliver across both web and mobile platforms. Finally, their low upfront commitment and automatic version updates make them easy to adopt. Their advantages are endless…

…and of Shadow IT

Research by Microsoft shows that on average enterprises use more than 1,000 SaaS applications and that IT are unaware of more than 60% of these applications (so-called ‘shadow IT’). As a result, corporate data can easily slip beyond the control of the company’s ‘gatekeeper’. Once your CRM is in the cloud, your visibility is limited – it’s more challenging to see when a soon to depart salesperson has downloaded the contact details of your entire customer base. Or, imagine that highly- sensitive network diagrams are leaked online leaving your company vulnerable to spoofing or Man-in-the-Middle attacks.

Discovery and control

It is because of these trends that the ability to discover and control cloud app usage across organizations has become critical. New SaaS apps need to be quickly identified and risk assessed. Approved apps can be integrated with existing identity and security processes, while risky and unsanctioned apps can be blocked. Robust mechanisms for discovering cloud app usage and blocking unapproved apps are important. Remote and mobile work scenarios present particular challenges because they are beyond the network perimeter. For instance, mobile app usage has doubled since organizations migrated to remote working. As a result, companies have no way of knowing what SaaS services their employees are engaging with. For example, an employee might use unsanctioned cloud storage apps for uploading client data or use unapproved marketing automation tools. This is why cloud app security and visibility is critical.

Why endpoint makes sense

The answer to this is what the industry calls “endpoint cloud application discovery and control”. What does this clunky phrase refer to, you ask? It refers to the use of endpoint security solutions, such as Corrata or Microsoft Defender ATP, to identify cloud app usage and to block risky or unsanctioned apps.

The endpoint security solution collects traffic information to discover what apps are in use, uploading this information to a cloud access security broker (CASB) solution such as Microsoft Cloud App Security. The IT admin uses the CASB portal to specify which apps are to be blocked. The CASB then automatically forwards these instructions to the endpoint security solution which enforces the block on the endpoint.

At Ignite 2019, Microsoft Cloud App Security announced an integration with Microsoft Defender ATP to bring endpoint-based cloud discovery and control to Windows devices. Now Corrata’s integration with Microsoft Cloud App Security means that Microsoft customers can extend the same discovery and control to phones and tablets. This means that you can automatically detect the cloud apps your employees are using on mobile devices and take the appropriate security actions. In effect, Corrata acts as a firewall on your unmanaged phones and tablets.

How does it work?

Corrata and Microsoft have worked together to ensure that the integration of the Corrata solution with Microsoft Cloud App Security is simple and easy to implement.

A graphic showing how Corrata and Microsoft have worked together to ensure that the integration of the Corrata solution with Microsoft Cloud App Security is simple and easy to implement.

Traffic information from smartphones and tablets running Corrata is uploaded for analysis to Microsoft Cloud App Security on a continuous basis. Cloud app usage information collected by Corrata is visible to admins via the Microsoft Cloud App Security console. This provides an integrated view of an organization’s cloud app usage and one-click enforcement of app usage policies across iOS, Android, and Windows devices.

Apps designated as risky or unsanctioned within the Cloud App Security portal are automatically blocked by Corrata on the mobile endpoint. This capability is delivered using Corrata’s patented SafePathML technology, which uses machine learning to assess the probability of a domain being unsafe. With SafePathML, Corrata can block threats even before the wider cyber security community has identified them.

If you’re an existing or prospective Corrata or Microsoft Cloud App Security customer, you can learn more here about how to harness the advantages of endpoint-based discovery and control for cloud apps.

Corrata is a member of the Microsoft Intelligent Security Association.

Find the Corrata Microsoft Cloud App Security Solution on the Azure Marketplace here.

The post Microsoft and Corrata integrate to extend cloud app security to mobile endpoints appeared first on Microsoft Security.

How to gain 24/7 detection and response coverage with Microsoft Defender ATP

May 6th, 2020 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. To learn more about MISA, go here.

Whether you’re a security team of one or a dozen, detecting and stopping threats around the clock is a challenge. Security incidents don’t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment.

At Red Canary, we work with security teams of all shapes and sizes to improve detection and response capabilities. Our Security Operations Team investigates threats in customer environments 24/7/365, removes false positives, and delivers confirmed threats with context. We’ve seen teams run into a wide range of issues when trying to establish after-hours coverage on their own, including:

  • For global enterprises, around-the-clock monitoring can significantly increase the pressure on a U.S.–based security team. If you have personnel around the world, a security team in a single time zone isn’t sufficient to cover the times that computing assets are used in those environments.
  • In smaller companies that don’t have global operations, the security team is more likely to be understaffed and unable to handle 24/7 security monitoring without stressful on-call schedules.
  • For the security teams of one, being “out of office” is a foreign concept. You’re always on. And you need to set up some way to monitor the enterprise while you’re away.

Microsoft Defender Advanced Threat Protection (ATP) is an industry-leading endpoint security solution that’s built into Windows, with capabilities extended to macOS and Linux servers. Red Canary unlocks the telemetry delivered from Microsoft Defender ATP and investigates every alert, enabling you to immediately increase your detection coverage and waste no time on false positives.

Here’s how those who haven’t started with Red Canary yet can answer the question, “How can I support my 24/7 security needs with Microsoft Defender ATP?”

No matter how big your security team is, the most important first step is notifying the right people based on an on-call schedule. In this post, we’ll describe two different ways of getting Microsoft Defender ATP alerts to your team 24×7 and how Red Canary has implemented this for our customers.

Basic 24/7 via email

Microsoft Defender Security Center allows you to send all Microsoft Defender ATP alerts to an email address. You can set up email alerts under Settings → Alert notifications.

Email notification settings in Microsoft Defender Security Center.

These emails will be sent to your team and should be monitored for high severity situations after-hours.

If sent to a ticketing system, these emails can trigger tickets or after-hours pages to be created for your security team. We recommend limiting the alerts to medium and high severity so that you won’t be bothered for informational or low alerts.

Setting up alert emails in Microsoft Defender ATP to be sent to a ticketing system.

Now any future alerts will create a new ticket in your ticketing system, where you can assign security team members to on-call rotations and notify on-call personnel of new alerts (if supported). Once the notification is received by on-call personnel, they would then log into Microsoft Defender Security Center for further investigation and triage.

Enhanced 24/7 via APIs

What if you want to ingest alerts to a system that doesn’t use email? You can do this by using the Microsoft Defender ATP APIs. First, you’ll need to have an authentication token. You can get the token like we do here:

API call to retrieve authentication token.

Once you’ve stored the authentication token you can use it to poll the Microsoft Defender ATP API and retrieve alerts from Microsoft Defender ATP. Here’s an example of the code to pull new alerts.

API call to retrieve alerts from Microsoft Defender ATP.

The API only returns a subset of the data associated with each alert. Here’s an example of what you might receive.

Example of a Microsoft Defender ATP alert returned from the API.

You can then take this data and ingest it into any of your internal tools. You can learn more about how to access Microsoft Defender ATP APIs in the documentation. Please note, the limited information included in an alert email or API response is not enough to triage the behavior. You will still need to log into the Microsoft Defender Security Center to find out what happened and take appropriate action.
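As an added example (not code from the Red Canary post or from Microsoft's documentation), the following Python script does what the screenshots above describe: it builds the client-credentials token request, builds the alerts request for alerts created since a given time, and reduces a page of alerts to the Medium and High ones that are still New, dropping any already handed to the on-call engineer. The token endpoint, scope, alerts URL and the `alertCreationTime`, `severity` and `status` properties are the documented Defender ATP API ones; the tenant, client ID and secret are placeholders read from environment variables, and the alert page is constructed sample data, not output from a real tenant.

```python
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Documented Microsoft Defender ATP API endpoints: Azure AD v2.0 token endpoint
# (client-credentials flow) and the alerts resource.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_SCOPE = "https://api.securitycenter.microsoft.com/.default"
ALERTS_URL = "https://api.securitycenter.microsoft.com/api/alerts"

# Only page for these, per the post's advice to skip Informational and Low alerts.
PAGE_SEVERITIES = {"Medium", "High"}
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the client-credentials token call."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": API_SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def build_alert_request(token, since):
    """Return a GET request for alerts created at or after the tz-aware `since`."""
    if since.tzinfo is None:
        raise ValueError("since must be timezone-aware")
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # OData filter on the documented alertCreationTime property.
    query = urllib.parse.quote(f"alertCreationTime ge {stamp}")
    return urllib.request.Request(
        f"{ALERTS_URL}?$filter={query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def fetch_json(request):
    """Send a request and decode the JSON reply (network call; unused in the offline run)."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


def get_token(tenant_id, client_id, client_secret):
    """Exchange the app credentials for a bearer token (network call)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    return fetch_json(urllib.request.Request(url, data=body, method="POST"))["access_token"]


def triage(alert_page, seen_ids=frozenset()):
    """Reduce one page of alerts to the ones worth paging the on-call engineer for.

    Keeps Medium/High alerts whose status is still New and whose id has not been
    paged before; returns compact records, High first, then oldest first.
    """
    picked = []
    for alert in alert_page.get("value", []):
        if alert.get("id") in seen_ids or alert.get("status") != "New":
            continue
        if alert.get("severity") not in PAGE_SEVERITIES:
            continue
        picked.append({
            "id": alert["id"],
            "severity": alert["severity"],
            "title": alert.get("title", ""),
            "machineId": alert.get("machineId"),
            "created": alert.get("alertCreationTime", ""),
        })
    picked.sort(key=lambda a: (SEVERITY_RANK.get(a["severity"], 9), a["created"]))
    return picked


def poll_once(token, since, seen_ids):
    """One polling cycle against the live API: fetch a page and triage it."""
    return triage(fetch_json(build_alert_request(token, since)), seen_ids)


# Constructed sample page in the shape the alerts endpoint returns; not real tenant data.
SAMPLE_SINCE = datetime(2020, 5, 1, tzinfo=timezone.utc)
SAMPLE_ALERT_PAGE = {"value": [
    {"id": "da637000000000000001_1", "severity": "Medium", "status": "New",
     "title": "Suspicious PowerShell command line", "machineId": "m1",
     "alertCreationTime": "2020-05-01T01:10:00Z"},
    {"id": "da637000000000000002_1", "severity": "Informational", "status": "New",
     "title": "Sensor health issue", "machineId": "m2",
     "alertCreationTime": "2020-05-01T01:12:00Z"},
    {"id": "da637000000000000003_1", "severity": "High", "status": "New",
     "title": "Credential theft tool detected", "machineId": "m3",
     "alertCreationTime": "2020-05-01T02:30:00Z"},
    {"id": "da637000000000000004_1", "severity": "High", "status": "Resolved",
     "title": "Malware was blocked", "machineId": "m4",
     "alertCreationTime": "2020-05-01T00:05:00Z"},
]}

if __name__ == "__main__":
    tenant = os.environ.get("MDATP_TENANT")  # placeholder names, set by the operator
    if tenant:
        token = get_token(tenant, os.environ["MDATP_CLIENT_ID"], os.environ["MDATP_CLIENT_SECRET"])
        results = poll_once(token, datetime.now(timezone.utc) - timedelta(hours=1), set())
    else:
        results = triage(SAMPLE_ALERT_PAGE)  # offline run over the constructed page
    for alert in results:
        print(f"[{alert['severity']}] {alert['created']} {alert['machineId']} {alert['title']}")
```

Run with `MDATP_TENANT`, `MDATP_CLIENT_ID` and `MDATP_CLIENT_SECRET` set to poll a real tenant; without them it triages the embedded sample page. In production, hold the client secret in a vault or use a managed identity rather than an environment variable, and persist `seen_ids` between runs so the same alert is not paged twice.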

24/7 with Red Canary

By enabling Red Canary, you supercharge your Microsoft Defender ATP deployment by adding a proven 24×7 security operations team who are masters at finding and stopping threats, and an automation platform to quickly remediate and get back to business.

Red Canary continuously ingests all of the raw telemetry generated from your instance of Microsoft Defender ATP as the foundation for our service. We also ingest and monitor Microsoft Defender ATP alerts. We then apply thousands of our own proprietary analytics to identify potential threats that are sent 24/7 to a Red Canary detection engineer for review.

Here’s an overview of the process (to go behind the scenes of these operations check out our detection engineering blog series):

Managed detection and response with Red Canary.

Red Canary is monitoring your Microsoft Defender ATP telemetry and alerts. If anything is a confirmed threat, our team creates a detection and sends it to you using a built-in automation framework that supports email, SMS, phone, Microsoft Teams/Slack, and more. Below is an example of what one of those detections might look like.

Red Canary confirms threats and prioritizes them so you know what to focus on.

At the top of the detection timeline you’ll receive a short description of what happened. The threat has already been examined by a team of detection engineers from Red Canary’s Cyber Incident Response Team (CIRT), so you don’t have to worry about triage or investigation. As you scroll down, you can quickly see the results of the investigation that Red Canary’s senior detection engineers have done on your behalf, including detailed notes that provide context to what’s happening in your environment:

Notes from Red Canary senior detection engineers (in light blue) provide valuable context.

You’re only notified of true threats and not false positives. This means you can focus on responding rather than digging through data to figure out what happened.

What if you don’t want to be woken up, you’re truly unavailable, or you just want bad stuff immediately dealt with? Use Red Canary’s automation to handle remediation on the fly. You and your team can create playbooks in your Red Canary portal to respond to threats immediately, even if you’re unavailable.

Red Canary automation playbook.

This playbook allows you to isolate the endpoint (using the Machine Action resource type in the Microsoft Defender ATP APIs) if Red Canary identifies suspicious activity. You also have the option to set up Automate playbooks that depend on an hourly schedule. For example, you may want to approve endpoint isolation during normal work hours, but use automatic isolation overnight:

Red Canary Automate playbook to automatically remediate a detection.
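The schedule-dependent isolation described above, as an added example that is not Red Canary's playbook code: a small decision function that auto-isolates only for High alerts raised outside business hours and otherwise waits for a human, plus a builder for the Machine Action request such a playbook would send to the Defender ATP API. The 08:00 to 18:00 weekday window is a hypothetical policy, not a Red Canary or Microsoft default. The isolate endpoint and its `Comment`/`IsolationType` body are the documented ones; the machine ID, token and sample timestamps are constructed.

```python
import json
import urllib.request
from datetime import datetime, time

# Documented Defender ATP Machine Action endpoint for network isolation.
ISOLATE_URL = "https://api.securitycenter.microsoft.com/api/machines/{machine_id}/isolate"

# Hypothetical policy (an assumption): humans approve isolation on weekdays
# 08:00-18:00 local time; outside that window automation isolates on its own.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
AUTO_ISOLATE_SEVERITIES = {"High"}


def in_business_hours(now):
    """True on Monday-Friday between BUSINESS_START and BUSINESS_END."""
    return now.weekday() < 5 and BUSINESS_START <= now.time() < BUSINESS_END


def decide_action(alert, now):
    """Return 'isolate', 'approve' (wait for a human) or 'ignore' for one alert."""
    if alert.get("severity") not in AUTO_ISOLATE_SEVERITIES:
        return "ignore"
    if alert.get("status") == "Resolved":  # nothing left to contain
        return "ignore"
    return "approve" if in_business_hours(now) else "isolate"


def build_isolate_request(token, machine_id, comment, isolation_type="Full"):
    """Build the POST that isolates a machine; IsolationType is 'Full' or 'Selective'."""
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("isolation_type must be 'Full' or 'Selective'")
    body = json.dumps({"Comment": comment, "IsolationType": isolation_type}).encode()
    return urllib.request.Request(
        ISOLATE_URL.format(machine_id=machine_id),
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def plan(alert, now, token="<token>"):
    """Return (decision, request-or-None) without sending anything."""
    action = decide_action(alert, now)
    if action != "isolate":
        return action, None
    comment = f"Auto-isolated by after-hours playbook for alert {alert['id']}: {alert['title']}"
    return action, build_isolate_request(token, alert["machineId"], comment)


# Constructed sample alert and timestamps (May 6, 2020 is a Wednesday; May 9 a Saturday).
SAMPLE_ALERT = {"id": "da637000000000000003_1", "severity": "High", "status": "New",
                "machineId": "m3", "title": "Credential theft tool detected"}
SAMPLE_TIMES = {
    "weekday_night": datetime(2020, 5, 6, 3, 0),
    "weekday_day": datetime(2020, 5, 6, 10, 0),
    "weekend_day": datetime(2020, 5, 9, 10, 0),
}


def run_samples():
    """Decision for the constructed alert at each sample time."""
    return {name: decide_action(SAMPLE_ALERT, when) for name, when in SAMPLE_TIMES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name}: {action}")
    action, req = plan(SAMPLE_ALERT, SAMPLE_TIMES["weekday_night"])
    print(action, req.get_method(), req.full_url, req.data.decode())
    # Sending req with urllib.request.urlopen(req) would isolate machine m3.
```

The request is returned rather than sent so the decision logic can be tested without touching a tenant; a real playbook would also record the machine action ID from the response so the host can be released with the matching unisolate action once the incident is closed.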

Getting started with Red Canary

Whether you’ve been using Microsoft Defender ATP since its preview releases or you’re just getting started, Red Canary is the fastest way to accelerate your security operations program. Immediate onboarding, increased detection coverage, and a 24/7 CIRT team are all at your fingertips.

Terence Jackson, CISO at Thycotic and Microsoft Defender ATP user, describes what it’s like working with Red Canary:

“I have a small team that has to protect a pretty large footprint. I know the importance of detecting, preventing, and stopping problems at the entry point, which is typically the endpoint. We have our corporate users but then we also have SaaS customers we have to protect. Currently my team tackles both, so for me it’s simply having a trusted partner that can take the day-to-day hunting/triage/elimination of false positives and only provide actionable alerts/intel, which frees my team up to do other critical stuff.”

Red Canary is the fastest way to enhance your detection coverage from Microsoft Defender ATP so you know exactly when and where to respond.

Contact us to see a demo and learn more.

The post How to gain 24/7 detection and response coverage with Microsoft Defender ATP appeared first on Microsoft Security.