Archive for the ‘cybersecurity’ Category

Recommendations for deploying the latest Attack surface reduction rules for maximum impact

The keystone to good security hygiene is limiting your attack surface. Attack surface reduction is a technique to remove or constrain exploitable behaviors in your systems. In this blog, we discuss the two attack surface reduction rules introduced in the most recent release of Windows and cover suggested deployment methods and best practices.

Software applications may use known, insecure methods, or methods later identified as useful for malware exploits. For example, macros are an old and powerful tool for task automation. However, macros can spawn child processes, invoke the Windows API, and perform other tasks which render them exploitable by malware.

Windows Defender Advanced Threat Protection (Windows Defender ATP) enables you to take advantage of attack surface reduction rules that allow you to control exploitable threat vectors in a simple and customizable manner. In previous releases of Windows we launched rules that let customers disallow remote process creation through WMI or PSExec and block Office applications from creating executable content. Other rules include the ability to disable scripts from creating executable content or blocking file executions unless age and prevalence criteria are met.

The latest attack surface reduction rules in Windows Defender ATP are based on system and application vulnerabilities uncovered by Microsoft and other security companies. Below we describe what these rules do. More importantly, we outline recommendations for deploying these rules in enterprise environments.

Block Office communication apps from creating child processes

The Block Office Communication Applications from Creating Child Processes rule protects against attacks that attempt to abuse the Outlook email client. For example, in late 2017 Sensepost demonstrated the DDEAUTO attack, which was later discovered to be applicable to Outlook as well. In this case, the attack surface reduction rule disables the creation of another process from Outlook. This means that DDE still works and data can be exchanged by two running applications, but new processes cannot be created. It is important to note that DDE and DDEAUTO are legacy inter-process communication features available since 1987. Many line-of-business applications rely on this capability. If DDE is not used in your organization, or if you want to restrict DDE to already running processes, this can be configured by using the AllowDDE registry key for Office.

While rare, if your organization's applications create child processes from within Office communication applications, this attack surface reduction rule still provides protection: the legitimate processes are allowed through exclusions. By limiting the child processes that Outlook can launch to only those with well-defined functionality, the rule confines a potential exploit or a social engineering threat from further infecting or compromising the system.

Block Adobe Reader from creating child processes

The second rule we've introduced, Block Adobe Reader from Creating Child Processes, limits the ability of a threat in a malicious PDF file to launch additional payloads, either embedded in the PDF file or downloaded by the threat, irrespective of how the malicious code in the PDF gained code execution, whether by social engineering or by exploiting an unknown vulnerability.

While there may be legitimate business reasons for a business PDF file to create a child process through scripting, this is a behavior that should be discouraged as it is prone to misuse. Our data indicates few legitimate applications utilize this technique. The Block Adobe Reader from Creating Child Processes rule disables child process creation in PDF content except for those files excluded by the IT administrator.

Recommendations on exclusions and deployment

Attack surface reduction rules close frequently used and exploitable behaviors in the operating system and in apps. However, legitimate line-of-business and commercial applications have been written utilizing these same behaviors. To enable non-malicious applications critical to your business, exclusions can be used if they are flagged as violating an attack surface reduction rule. Core Microsoft components, such as operating system files or Office applications, reside in a global exclusion list maintained as part of Defender. These do not need exclusions.

Exclusions, when applied, are honored by other Windows Defender ATP exploit mitigation features including Controlled folder access and Network protection, in addition to attack surface reduction rules. This simplifies exclusion management and standardizes application behavior.

Attack surface reduction rules have three settings: off, audit, and block. Our recommended practice to deploy attack surface reduction rules is to first implement the rule in audit mode.

Audit mode will identify use of exploitable behavior but will not block the behavior. With audit, if you have a line-of-business application utilizing a behavior that is exploitable, the invoking application can be identified and an exclusion added.

Rules can be enabled in audit with Group Policy, SCCM, or PowerShell. You can review the audited events with Advanced hunting and Alert investigation in Windows Defender Security Center; by creating a custom view in Windows Event Viewer; or using automated log aggregation tools like SIEM.

When audit telemetry reveals that line-of-business applications are no longer being impacted by the attack surface reduction rule, the attack surface reduction rule setting can be switched to block. This will protect against malware exploitation of the behavior.

For larger enterprises, Microsoft recommends deploying attack surface reduction rules in rings. Rings are groups of machines radiating outward like non-overlapping tree rings. When the inner ring is successfully deployed with required exclusions, the next ring can be deployed. One of the ways you can create a ring process is by creating specific groups of users or devices in Intune or with a Group Policy management tool.
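The audit, exclude, then block sequence above, expressed as an added PowerShell example that is not part of the original post or of Microsoft's published tooling. It uses the Windows Defender cmdlets the post refers to (Add-MpPreference, Get-MpPreference). The rule GUIDs are the identifiers Microsoft documents for these two rules and should be verified against current documentation before use; the excluded executable path is a constructed placeholder.

```powershell
# Added example (not from the original post): stage the two rules discussed above
# through audit -> exclusion -> block on a single machine or a pilot ring.
# The rule GUIDs are the ones Microsoft documents for these rules; verify them
# against current documentation. The exclusion path is a constructed placeholder.

# Block Office communication applications from creating child processes
$OfficeCommsRule = '26190899-1602-49e8-8b27-eb1d0a1ce869'
# Block Adobe Reader from creating child processes
$AdobeReaderRule = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
$NewRules        = @($OfficeCommsRule, $AdobeReaderRule)

# Get-MpPreference exposes the configured rules as two parallel arrays
# (GUIDs and numeric actions); this pairs them into readable rows.
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $mode = switch ($actions[$i]) { 0 { 'Off' } 1 { 'Block' } 2 { 'Audit' } default { "Unknown($_)" } }
        [pscustomobject]@{ RuleId = $ids[$i]; Mode = $mode }
    }
}

# Stage 1: audit mode. Add-MpPreference appends to (or updates) the existing
# rule list; Set-MpPreference would replace every rule already configured.
function Enable-AsrAudit {
    param([string[]]$RuleIds)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions ($RuleIds | ForEach-Object { 'AuditMode' })
}

# Stage 2: after reviewing the audit events, exclude the line-of-business binary
# that legitimately spawns children. Exclusions are honored by Controlled folder
# access and Network protection as well, so keep them as narrow as possible.
function Add-AsrExclusion {
    param([string]$Path)
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

# Stage 3: once audit telemetry is clean for the ring, switch the same rule IDs
# to block. Re-adding an ID with a new action updates its mode in place.
function Enable-AsrBlock {
    param([string[]]$RuleIds)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions ($RuleIds | ForEach-Object { 'Enabled' })
}

# Run only the stage that matches where the ring is in its rollout, for example:
Enable-AsrAudit -RuleIds $NewRules
# Add-AsrExclusion -Path 'C:\Program Files\ExampleLOB\lobhelper.exe'   # placeholder path
# Enable-AsrBlock -RuleIds $NewRules
Get-AsrRuleState | Format-Table -AutoSize
```

Each stage is a separate function because they run days or weeks apart: audit first, exclusions once the audit log has been reviewed, and block only after the ring's telemetry is clean. Get-AsrRuleState after each stage confirms that the machine is in the mode the rollout plan expects.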

Monitor attack surface reduction event telemetry

Once a rule is deployed in block mode, it is important to monitor the corresponding event telemetry. This data contains important information. For example, an application update may now require an exclusion, or multiple alerts from a user clicking on email executable attachments can indicate that additional training is required. Attack surface reduction rule events may come from a single, random malware breach, or your organization may be the object of a new, persistent attack that attempts to utilize a vector covered by attack surface reduction rules; such an attack suddenly produces a large increase in related block events.
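The monitoring the post calls for, as an added PowerShell example that is not part of the original post or of Microsoft's tooling. It reads the local Defender operational log and produces the two views an administrator needs: which parent applications are tripping which rule (exclusion candidates during audit) and whether block events have spiked against the recent baseline. Event ID 1121 (rule fired in block mode) and 1122 (rule fired in audit mode) are the IDs Microsoft documents for these events; the EventData field names 'ID', 'Path' and 'Process Name' are assumptions taken from observed events and should be checked against an event on your own machines.

```powershell
# Added example (not from the original post): triage attack surface reduction
# telemetry from the local Defender operational log. Event ID 1121 = rule fired
# in block mode, 1122 = rule fired in audit mode (documented Defender event IDs).
# The EventData field names below ('ID', 'Path', 'Process Name') are assumptions
# based on observed events; verify them against an event on your own machines.

function Get-AsrEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the <EventData><Data Name="..."> elements into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId = $data['ID']            # GUID of the rule that fired
            Parent = $data['Process Name']  # application that attempted the behavior
            Target = $data['Path']          # file or process the rule acted on
        }
    }
}

# Audit-mode view: which parent applications trip which rule, most frequent first.
# Each row is a candidate for either an exclusion or a conversation with the app owner.
function Get-AsrExclusionCandidates {
    param([object[]]$Events)
    $Events | Where-Object Mode -eq 'Audit' |
        Group-Object RuleId, Parent |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'RuleId'; e = { $_.Group[0].RuleId } },
                      @{ n = 'Parent'; e = { $_.Group[0].Parent } }
}

# Block-mode view: compare the most recent day's block count against the middle
# value of the preceding days. A factor of 3 is an arbitrary starting threshold;
# tune it to the ring's normal noise level.
function Test-AsrBlockSpike {
    param([object[]]$Events, [double]$Factor = 3)
    $daily = @($Events | Where-Object Mode -eq 'Block' |
        Group-Object { $_.Time.Date } |
        Sort-Object { $_.Group[0].Time.Date })
    if ($daily.Count -lt 2) { return $false }   # no baseline to compare against
    $history = @($daily[0..($daily.Count - 2)] | ForEach-Object Count | Sort-Object)
    $median  = $history[[int][math]::Floor($history.Count / 2)]
    $today   = $daily[-1].Count
    if ($median -eq 0) { return $today -gt 0 }
    return $today -ge ($Factor * $median)
}

$events = @(Get-AsrEvents -Days 7)
Get-AsrExclusionCandidates -Events $events | Format-Table -AutoSize
if (Test-AsrBlockSpike -Events $events) {
    Write-Warning 'Block events today are well above the recent baseline; investigate before assuming a stray detection.'
}
```

Run against one machine this reads the local log; pointed at a central collector (Advanced hunting, a SIEM export) the same grouping and spike check apply, only Get-AsrEvents changes. The grouping by parent process rather than by target file is deliberate: exclusions are scoped to the invoking application, so that is the column an administrator has to decide on.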

Where to get more information and support

If you haven't deployed any attack surface reduction rules, take a look at our documentation and discover how you can better protect your enterprise.

Minimizing your attack surface can yield large paybacks in decreased threat vulnerability and in allowing the security operations team to focus on other threat vectors.

As with all security features, enable attack surface reduction rules in a methodical, controlled manner that allows legitimate business applications to be excluded from analysis.

Peter Thayer and Iaan DSouza-Wiltshire (@IaanMSFT)
Windows Defender ATP

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


The post Recommendations for deploying the latest Attack surface reduction rules for maximum impact appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Lessons learned from the Microsoft SOC—Part 1: Organization

We're frequently asked how we operate our Security Operations Center (SOC) at Microsoft (particularly as organizations are integrating cloud into their enterprise estate). This is the first in a three-part blog series designed to share our approach and experience, so you can use what we learned to improve your SOC.

In Part 1: Organization, we start with the critical organizational aspects (organizational purpose, culture, and metrics). In Part 2: People, we cover how we manage our most valuable resource: human talent. Finally, Part 3: Technology covers the technology that enables these people to accomplish their mission.

Overall SOC model

Microsoft has multiple security operations teams that each have specialized knowledge to protect the different technical environments at Microsoft. We use a “fusion center” model with a shared operating floor, which we call our Cyber Defense Operations Center (CDOC), to increase collaboration and facilitate rapid communication among these teams. Each team manages to the specific needs of their environment.

In this three-part series, we focus on the operation of our corporate IT SOC team, as they most closely reflect the challenges and approaches of our customers: many users and endpoints, email attack vectors, and a hybrid of on-premises and cloud assets. In addition, we include a few lessons learned from the other SOCs and our Detection and Response Team (DART), which helps our customers respond to major incidents.

This SOC operates with three tiers of analysts plus automation, as seen in Figure 1 below. (We'll provide more details in Part 2: People.)

Figure 1. SOC analyst tiers plus automation.

The tooling in the SOC (Figure 2) is a mixture of centralized breadth capabilities and specialized tools to enable high quality alerts and an end-to-end investigation and remediation experience. (Part 3: Technology will provide more details.)

Figure 2. SOC tooling.

Like all things in security, our SOC has evolved considerably over the years to its current state and will continue to evolve. We recently noticed that our SOC had sustained a 100+ percent growth in incidents handled over the past three years with a nearly flat staffing level. While we don't know if we can expect this astounding trend to continue in the future, it validates that we are on the right track and should share our learnings.

SOC organizational purpose

The first element we cover is the value of the SOC in the context of the overall mission and risk of the organization. Like the traditional incarnations of crime and espionage, we don't expect there will be a straightforward solution to cyberattacks. A SOC is often a crucial risk mitigation investment for an enterprise, as it is core to limiting how much time and access attackers have in the organization. This ultimately increases the attacker's cost and decreases the benefit, which damages their return on investment (ROI) and motivation for attacking your organization. Everything in the SOC should be oriented toward limiting the time and access attackers can gain to the organization's assets in an attack, to mitigate business risk.

At Microsoft, our SOCs bear not just the responsibility of reducing risk to our employees and investors, but also the weight of the trust that millions of customers accessing our cloud services and products put in us.

We've learned that the SOC has four primary functional integration points with the business:

  • Business context (to the SOC): The SOC needs to understand what is most important to the organization so the team can apply that context to fluid real-time security situations. What would have the most negative impact on the business? Downtime of critical systems? A loss of reputation and customer trust? Disclosure of sensitive data? Tampering with critical data or systems? We've learned it's critical that key leaders and staff in the SOC understand this context as they wade through the continuous flood of information, triage incidents, and prioritize their time, attention, and effort.
  • Joint practice exercises (with the SOC): Business leaders should regularly join the SOC in practicing response to major incidents. This builds the muscle memory and relationships that are critical to fast and effective decision making in the high pressure of real incidents, reducing organizational risk. This practice also reduces risk by exposing gaps and assumptions in the process that can be fixed prior to a real incident.
  • Major incident updates (from the SOC): The SOC should provide updates to business stakeholders for major incidents as they happen. This allows business leaders to understand their risk and take both proactive and reactive steps to manage that risk. For more learnings on major incidents from our DART team, see the incident response reference guide.
  • Business intelligence (from the SOC): Sometimes the SOC finds that adversaries are targeting a system or data set that isn't expected. As the SOC discovers the targets of attacks, they should share these with business leaders, as these signals may trigger insight for business leaders (outside awareness of a secret business initiative, relative value of an overlooked data set, etc.).

SOC culture

If you take one thing away from this post, it's that the SOC culture is just as important as the individuals you hire and the tools you use. Culture guides countless decisions each day by establishing what the right answer looks and feels like in ambiguous situations, which are plentiful in a SOC.

Our cultural elements are very much focused on people, teamwork, and continuous learning and include these learnings:

  • Use your human talent wisely: Our people are the most valuable asset we have in the SOC, and we can't afford to waste their time on repetitive, thoughtless tasks that can be automated. To combat the human threats we face, we need knowledgeable and well-equipped humans who can apply expertise, judgement, and creative thinking. This human factor affects almost every aspect of SOC operations, including the role of tools and automation in empowering humans to do more (versus replacing them) and in reducing toil on our analysts. (More on this topic in Part 2: People.)
  • Teamwork: We've learned that we can't tolerate the lone hero mindset in the SOC; nobody is as smart as all of us together. Teamwork makes a high-pressure working environment like the SOC much more fun, enjoyable, and productive when everyone knows they're on the same team and everyone has each other's back. We design our processes and tools to divide up tasks into specialties and to encourage people to share insights, coordinate and check each other's work, and constantly learn from each other.
  • Shift left mindset: To get and stay ahead of cybercriminals and hackers who constantly evolve their techniques, we must continuously improve and shift our activities left in the attack timeline. We focus on speed and efficiency to try to get faster than the speed of attack by looking at ways we could have detected attacks earlier and responded more quickly. This principle is effectively an application of a continuous learning growth mindset that keeps the team laser focused on reducing risk for our organization and our customers.

SOC metrics

The final organizational element is how we measure success, a critical element to get right. Metrics translate culture into clear, measurable objectives and have a powerful influence on shaping people's behavior. We've learned that it's critical to consider both what you measure and the way that you focus on and enforce those metrics. We measure several indicators of success in the SOC, but we always recognize that the SOC's job is to manage significant variables that are out of our direct control (attacks, attackers, etc.). We view deviations primarily as a learning opportunity for process or tool improvement rather than a failing on the part of the SOC to meet a goal.

These are the metrics we track, trend, and report on:

  • Time to acknowledge (TTA): Responsiveness is one of the few elements the SOC has direct control over. We measure the time between an alert being raised (light starts to blink) and when an analyst acknowledges that alert and begins the investigation. Improving this responsiveness requires that analysts don't waste time investigating false positives while another true positive alert sits waiting. We achieve this with ruthless prioritization. Any alert that requires an analyst response must have a track record of 90 percent true positive. We'll talk more about the technology we use in Part 3: Technology and will describe our use of cold path activities like proactive hunting to supplement the hot path of alerts in Part 2: People.
  • Time to remediate (TTR): Much like many SOCs, we track the time to remediate an incident to ensure we're limiting the time attackers have access to our environment, which drives effectiveness and efficiencies in our SOC processes and tools.
  • Incidents remediated (manually/with automation): We measure how many incidents are remediated manually and how many are resolved with automation. This ensures our staffing levels are appropriate and measures the effectiveness of our automation technology.
  • Escalations between each tier: We track how many incidents escalate between tiers to ensure we accurately capture the workload for each tier. For example, we need to ensure that Tier 1 work on an escalated incident isn't fully attributed to Tier 2.

Get started

Our biggest recommendation for the SOC organization is to define the culture you want to inculcate. This will shape your team and attract the talent you want. In the coming weeks, we'll share our philosophy on managing people, career paths, skills, and readiness, and what tools we use to enable our people to accomplish their mission. In the meantime, head over to the CISO series to learn more.

The post Lessons learned from the Microsoft SOC—Part 1: Organization appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Lessons learned from the Microsoft SOC—Part 1: Organization

Were frequently asked how we operate our Security Operations Center (SOC) at Microsoft (particularly as organizations are integrating cloud into their enterprise estate). This is the first in a three part blog series designed to share our approach and experience, so you can use what we learned to improve your SOC.

In Part 1: Organization, we start with the critical organizational aspects (organizational purpose, culture, and metrics). In Part 2: People, we cover how we manage our most valuable resourcehuman talent. And finally Part 3: Technology, covers the technology that enables these people to accomplish their mission.

Overall SOC model

Microsoft has multiple security operations teams that each have specialized knowledge to protect the different technical environments at Microsoft. We use a “fusion center” model with a shared operating floor, which we call our Cyber Defense Operations Center (CDOC), to increase collaboration and facilitate rapid communication among these teams. Each team manages to the specific needs of their environment.

In this three part series, we focus on the operation of our corporate IT SOC team as they most closely reflect the challenges and approaches of our customershaving many users and endpoints, email attack vectors, and a hybrid of on-premises and cloud assets. In addition, we include a few lessons learned from the other SOCs and our Detection and Response Team (DART) that helps our customers respond to major incidents.

This SOC operates with three tiers of analysts plus automation as seen in Figure 1 below. (Well provide more details in Part 2: People.)

Figure 1. SOC analyst tiers plus automation.

Figure 1. SOC analyst tiers plus automation.

The tooling in the SOC (Figure 2) is a mixture of centralized breadth capabilities and specialized tools to enable high quality alerts and an end-to-end investigation and remediation experience. (Part 3: Technology will provide more details.)

Figure 2. SOC tooling.

Figure 2. SOC tooling.

Like all things in security, our SOC has evolved considerably over the years to its current state and will continue to evolve. We recently noticed that our SOC had sustained a 100+ percent growth in incidents handled over the past three years with a nearly flat staffing level. While we dont know if we can expect this astounding trend to continue in the future, it validates that we are on the right track and should share our learnings.

SOC organizational purpose

The first element we cover is the value of the SOC in the context of the overall mission and risk of the organization. Like the traditional incarnations of crime and espionage, we dont expect there will be a straightforward solution to cyberattacks. A SOC is often a crucial risk mitigation investment for an enterprise as it is core to limiting how much time and access attackers have in the organization. This ultimately increases the attackers cost and decreases the benefit, which damages their return on investment (ROI) and motivation for attacking your organization. Everything in the SOC should be oriented toward limiting the time and access attackers can gain to the organizations assets in an attack to mitigate business risk.

At Microsoft, our SOCs bear not just the responsibility of reducing risk to our employees and investors, but also the weight of the trust that millions of customers accessing our cloud services and products put in us.

Weve learned that the SOC has four primary functional integration points with the business:

  • Business context (to the SOC)The SOC needs to understand what is most important to the organization so the team can apply that context to fluid real-time security situations. What would have the most negative impact on the business? Downtime of critical systems? A loss of reputation and customer trust? Disclosure of sensitive data? Tampering with critical data or systems? Weve learned its critical that key leaders and staff in the SOC understand this context as they wade through the continuous flood of information and triage incidents and prioritize their time, attention, and effort.
  • Joint practice exercises (with the SOC)Business leaders should regularly join the SOC in practicing response to major incidents. This builds the muscle memory and relationships that are critical to fast and effective decision making in the high pressure of real incidents, reducing organizational risk. This practice also reduces risk by exposing gaps and assumptions in the process that can be fixed prior to a real incident.
  • Major incidents updates (from the SOC)The SOC should provide updates to business stakeholders for major incidents as they happen. This allows business leaders to understand their risk and take both proactive and reactive steps to manage that risk. For more learnings on major incidents by our DART team, see the incident response reference guide.
  • Business intelligence (from the SOC)Sometimes the SOC finds that adversaries are targeting a system or data set that isnt expected. As the SOC discovers the targets of attacks, they should share these with business leaders as these signals may trigger insight for business leaders (outside awareness of a secret business initiative, relative value of an overlooked data set, etc.).

SOC culture

If you take one thing away from this post, its that the SOC culture is just as important as the individuals you hire and the tools you use. Culture guides countless decisions each day by establishing what the right answer looks and feels like in ambiguous situations, which are plentiful in a SOC.

Our cultural elements are very much focused on people, teamwork, and continuous learning and include these learnings:

  • Use your human talent wisely: Our people are the most valuable asset we have in the SOC and we can't afford to waste their time on repetitive, thoughtless tasks that can be automated. To combat the human threats we face, we need knowledgeable and well-equipped humans who can apply expertise, judgement, and creative thinking. This human factor affects almost every aspect of SOC operations, including the role of tools and automation in empowering humans to do more (versus replacing them) and in reducing toil on our analysts. (More on this topic in Part 2: People.)
  • Teamwork: We've learned that we can't tolerate the lone hero mindset in the SOC; nobody is as smart as all of us together. Teamwork makes a high-pressure working environment like the SOC much more fun, enjoyable, and productive when everyone knows they're on the same team and everyone has each other's back. We design our processes and tools to divide up tasks into specialties and to encourage people to share insights, coordinate and check each other's work, and constantly learn from each other.
  • Shift left mindset: To get and stay ahead of cybercriminals and hackers who constantly evolve their techniques, we must continuously improve and shift our activities left in the attack timeline. We focus on speed and efficiency to try to get faster than the speed of attack, looking at ways we could have detected attacks earlier and responded more quickly. This principle is effectively an application of a continuous-learning growth mindset that keeps the team laser-focused on reducing risk for our organization and our customers.

SOC metrics

The final organizational element is how we measure success, a critical element to get right. Metrics translate culture into clear, measurable objectives and have a powerful influence on shaping people's behavior. We've learned that it's critical to consider both what you measure and the way you focus on and enforce those metrics. We measure several indicators of success in the SOC, but we always recognize that the SOC's job is to manage significant variables that are out of our direct control (attacks, attackers, etc.). We view deviations primarily as a learning opportunity for process or tool improvement rather than a failing on the part of the SOC to meet a goal.

These are the metrics we track, trend, and report on:

  • Time to acknowledge (TTA): Responsiveness is one of the few elements the SOC has direct control over. We measure the time between an alert being raised (the light starts to blink) and an analyst acknowledging that alert and beginning the investigation. Improving this responsiveness requires that analysts don't waste time investigating false positives while another true positive alert sits waiting. We achieve this with ruthless prioritization: any alert that requires an analyst response must have a track record of 90 percent true positives. We'll talk more about the technology we use in Part 3: Technology and will describe our use of cold path activities like proactive hunting to supplement the hot path of alerts in Part 2: People.
  • Time to remediate (TTR): Much like many SOCs, we track the time to remediate an incident to ensure we're limiting the time attackers have access to our environment, which drives effectiveness and efficiency in our SOC processes and tools.
  • Incidents remediated (manually/with automation): We measure how many incidents are remediated manually and how many are resolved with automation. This ensures our staffing levels are appropriate and measures the effectiveness of our automation technology.
  • Escalations between each tier: We track how many incidents are escalated between tiers to ensure we accurately capture the workload for each tier. For example, we need to ensure that Tier 1 work on an escalated incident isn't fully attributed to Tier 2.
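The four metrics above, together with the 90 percent true-positive bar from the TTA bullet, computed over a constructed set of alert records. This is an added example, not code from the Microsoft SOC post; the Incident schema, the per-tier work log and the sample data are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    """One alert and what happened to it (constructed schema, not the SOC's)."""
    alert_type: str
    raised: datetime                   # when the light started to blink
    acknowledged: Optional[datetime]   # None when automation resolved it
    remediated: Optional[datetime]     # None while still open
    true_positive: bool
    automated: bool                    # resolved without an analyst
    # (tier, minutes of analyst work) in handling order, so an escalated
    # incident keeps its Tier 1 effort instead of charging it all to Tier 2
    tier_work: List[Tuple[int, int]] = field(default_factory=list)


def median_tta_minutes(incidents: List[Incident]) -> float:
    """Time to acknowledge: alert raised -> analyst picks it up (manual only)."""
    waits = [(i.acknowledged - i.raised).total_seconds() / 60
             for i in incidents if i.acknowledged]
    return median(waits) if waits else 0.0


def median_ttr_minutes(incidents: List[Incident]) -> float:
    """Time to remediate: alert raised -> attacker access removed."""
    spans = [(i.remediated - i.raised).total_seconds() / 60
             for i in incidents if i.remediated]
    return median(spans) if spans else 0.0


def remediation_split(incidents: List[Incident]) -> Dict[str, int]:
    """Incidents remediated manually vs. by automation."""
    done = [i for i in incidents if i.remediated]
    auto = sum(1 for i in done if i.automated)
    return {"automation": auto, "manual": len(done) - auto}


def true_positive_rate(incidents: List[Incident]) -> Dict[str, float]:
    """Per alert type, the share of alerts that turned out to be real attacks."""
    totals: Dict[str, Tuple[int, int]] = {}
    for i in incidents:
        tp, n = totals.get(i.alert_type, (0, 0))
        totals[i.alert_type] = (tp + int(i.true_positive), n + 1)
    return {k: tp / n for k, (tp, n) in totals.items()}


def alert_types_to_tune(incidents: List[Incident], threshold: float = 0.9) -> List[str]:
    """Alert types below the 90 percent true-positive bar: these should stop
    paging analysts until the detection is tuned."""
    return sorted(k for k, r in true_positive_rate(incidents).items() if r < threshold)


def escalations(incidents: List[Incident]) -> Dict[Tuple[int, int], int]:
    """Hand-offs between tiers, keyed (from_tier, to_tier)."""
    counts: Dict[Tuple[int, int], int] = {}
    for i in incidents:
        tiers = [tier for tier, _ in i.tier_work]
        for src, dst in zip(tiers, tiers[1:]):
            counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts


def minutes_by_tier(incidents: List[Incident]) -> Dict[int, int]:
    """Analyst minutes per tier; each tier is credited its own work on escalated incidents."""
    out: Dict[int, int] = {}
    for i in incidents:
        for tier, mins in i.tier_work:
            out[tier] = out.get(tier, 0) + mins
    return out


# Constructed sample: nine alerts from one morning, timestamps as minutes past T0.
T0 = datetime(2019, 2, 1, 9, 0)
def _m(n: int) -> datetime:
    return T0 + timedelta(minutes=n)

SAMPLE = [
    Incident("cred_theft",    _m(0),   _m(5),   _m(65),  True,  False, [(1, 20), (2, 40)]),
    Incident("cred_theft",    _m(60),  _m(70),  _m(100), True,  False, [(1, 30)]),
    Incident("cred_theft",    _m(120), _m(123), _m(190), True,  False, [(1, 10), (2, 57)]),
    Incident("usb_insert",    _m(30),  _m(45),  _m(50),  False, False, [(1, 5)]),   # noise
    Incident("usb_insert",    _m(90),  _m(110), _m(115), False, False, [(1, 5)]),   # noise
    Incident("usb_insert",    _m(150), _m(160), _m(170), True,  False, [(1, 10)]),
    Incident("known_malware", _m(10),  None,    _m(11),  True,  True,  []),  # auto-remediated
    Incident("known_malware", _m(20),  None,    _m(21),  True,  True,  []),
    Incident("lateral_move",  _m(200), _m(202), _m(320), True,  False, [(1, 15), (2, 45), (3, 58)]),
]

if __name__ == "__main__":
    for fn in (median_tta_minutes, median_ttr_minutes, remediation_split,
               alert_types_to_tune, escalations, minutes_by_tier):
        print(f"{fn.__name__}: {fn(SAMPLE)}")
```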

Get started

Our biggest recommendation for the SOC organization is to define the culture you want to inculcate. This will shape your team and attract the talent you want. In the coming weeks, we'll share our philosophy on managing people, career paths, skills, and readiness, and what tools we use to enable our people to accomplish their mission. In the meantime, head over to the CISO series to learn more.

The post Lessons learned from the Microsoft SOC—Part 1: Organization appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Why the Pipeline Cybersecurity Initiative is a critical step

February 21st, 2019

It's well known by now that pipeline attacks, and attacks on utilities of all kinds, have been an unfortunately well-trodden path for cyber-adversaries in numerous countries for a few years now. These types of attacks are not theoretical, and the damage done to date, as well as the potential damage, is significant.

With this backdrop, it was encouraging to see a few months ago that the U.S. Government was working across agencies to push for a more coordinated effort around pipeline security. As part of the annual Cybersecurity Awareness Month each October, the U.S. Department of Energy (DOE) and Department of Homeland Security (DHS) met with the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) to discuss ongoing threats having to do with pipeline security, resulting in the Pipeline Cybersecurity Initiative.

According to Hunton Andrews Kurth, the Pipeline Cybersecurity Initiative will harness DHS's cybersecurity resources, DOE's energy sector expertise, and the Transportation Security Administration's (TSA) assessment of pipeline security to provide intelligence to natural gas companies and support ONG SCC's efforts.

And even though the Pipeline Cybersecurity Initiative is in its earliest stages, it's worth discussing the key items that it relates to and how it might improve cybersecurity hygiene going forward across the industry as a whole:

  • Timing: The timing for this initiative is important. No longer can industry observers and experts claim that pipeline, energy, and utility security is not an issue. As indicated above, this is a genuine problem that has real-world implications. Moreover, we know that this issue has occurred in a number of different countries.
  • Industrial Internet of Things (IIoT): IIoT is a topic that continues to be raised in meetings with customers and partners around the world. Some of those customers are in financial services (think ATMs) while others are in healthcare (think imaging machines) and yet others are of course in energy (think pipelines, pumping stations, etc.). My point is that across unrelated industries, this topic is a very real area that companies are increasingly taking seriously. Utility Dive summarizes this well: "With the prevalence of automation and digital sensors, pipelines moving a physical commodity, like oil or natural gas, are vulnerable to cyber-intrusions, just as a transmission line or power plant."
  • Public-private partnership: The public-private nature of this partnership makes good sense and is great to see. For instance, it was important to see this mentioned so openly by the TSA in one of the accompanying statements, a clear indication that this is a complex issue that requires broader coordination and partnership. "The TSA is committed to the mission of securing the nation's natural gas and oil pipelines, and values longstanding relationships with pipeline operators across this great nation," said TSA Administrator David Pekoske. This also builds on the past few years of efforts in this realm in the U.S. specifically.
  • An international issue: Beyond the U.S., other countries working on similar initiatives should be mentioned. While not a comprehensive list, it would be remiss not to mention other parts of the world that also either suffer from or worry about this issue, including the U.K., Denmark, and Australia.

To those of us in the cybersecurity world, energy security as it relates to cyberthreats has been a concern for a while. The known attacks have been disconcerting and people beyond the energy industry have recognized this. Practitioners and defenders have been doing fabulous work, and the Pipeline Cybersecurity Initiative will help ensure that additional resources, information-sharing, and coordination will help mitigate additional cyber-related risks against the U.S. energy industry in the coming years. For more information on infrastructure security, read Defending critical infrastructure is imperative and listen to the Cybersecurity Tech Accord web seminar, Cyberattacks on infrastructure.

The post Why the Pipeline Cybersecurity Initiative is a critical step appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Step 5. Set up mobile device management: top 10 actions to secure your environment

February 14th, 2019

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 5. Set up mobile device management, you'll learn how to plan your Microsoft Intune deployment and set up Mobile Device Management (MDM) as part of your unified endpoint management (UEM) strategy.

In Steps 1-4 of the series, we provided tips for securing identities with Azure Active Directory (Azure AD). In the next two posts (Step 5 and Step 6), we introduce you to ContosoCars to illustrate how you can deploy Microsoft Intune as part of your UEM strategy for securing company data on devices and applications.

ContosoCars is an automotive company with 1,000 employees that work in the corporate headquarters, and 4,000 that work in several branches across the U.S. Another 2,000 service centers are owned by franchises. To stay competitive, IT needs to support a fleet of cloud-connected devices for secure, remote access to Office 365 and SaaS apps and sensitive customer data. With their expanding business, franchise sales staff need access to ContosoCars customer data as well, but ContosoCars does not own those devices.

They have defined the following goals:

  • Deliver the best Windows 10 experience for all their corporate PCs.
  • Allow employees to use personal devices and mobile phones at work.
  • Protect the network from unknown or compromised users and devices.
  • Secure data on tablet devices shared by several shop floor workers that are often left in public areas of the shop.
  • Prevent employees from accessing and maintaining corporate data if they leave the company.

Plan your Intune deployment

Once ContosoCars defines their goals, they can begin to set up use-case scenarios to align their goals with user types and user groups (Figure 1). ContosoCars wants to provide corporate devices for their employees at headquarters and branches. They will not supply devices to their franchise sales staff, but they need to make sure staff-owned tablets can use Office 365 apps to securely access company data.

Graph showing ContosoCars locations, device ownership, groups, platforms, and requirements. All part of their use-case management plan.

Figure 1. ContosoCars’ defined Intune use-case scenarios and requirements.

You can find more information on setting goals, use-case scenarios, and requirements in the Intune deployment planning, design, and implementation guide. The guide also includes recommendations for a design plan that integrates well with existing systems, a communication plan that takes into account the different channels your audience uses to receive information, a rollout plan, and a support plan.

Set up Mobile Device Management (MDM)

Once planning is complete, ContosoCars can move on to implementing their Intune plan. ContosoCars uses Azure AD to fully leverage Office 365 cloud services and get the benefits of identity-driven security (see Step 1. Identify users). Before employees can enroll their devices to be managed by Intune, IT admins will need to set the MDM authority to Intune in the Azure portal.

In order to manage the devices, ContosoCars can add and deploy configuration policies to enable and disable settings and features such as software delivery, endpoint protection, identity protection, and email. ContosoCars can also use configuration policies to deploy Windows Defender Advanced Threat Protection (ATP), which provides instant detection and blocking of advanced threats. Once IT admins set up Intune, users can enroll devices by signing in with their work or school account to automatically receive the right configuration profiles for their device.

ContosoCars can configure devices to meet business requirements and enable security features, such as Windows Hello, which allows users to sign in to their computer using a combination of biometrics and a PIN.

Manage personal devices

Next on the rollout plan are the personal iPhones and Android phones used by the staff to keep up with work email and data. ContosoCars will manage these devices by requiring employees to enroll their devices with Intune before allowing access to work apps, company data, or email, following the enrollment requirements guidance. ContosoCars can set up configuration policies for these devices just as they did for the Windows 10 PCs, and they can add additional security controls by setting up device compliance policies. Using Azure AD, you can allow or block users in real time if their compliance state changes. These policies ensure only known and healthy devices enter the network.

Some examples include:

  • Require users to set a password to access devices; password must be of certain complexity.
  • Require users to set a PIN to encrypt the device; PIN must be of certain complexity.
  • Deny access to jail-broken or rooted devices, as they may have unknown apps installed.
  • Require a minimum OS version to ensure security patch level is met.
  • Require the device to be at, or under, the acceptable device-risk level.

With Windows 10, conditional access policies are integrated with Windows Defender ATP. Microsoft works with leading mobile threat defense technology partners to provide comprehensive device-risk assessment on all platforms.
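The five example compliance rules and the allow/block decision they feed, modelled in an added example that is not Intune code: the policy and device-report fields, the rule names and the four-level risk scale are assumptions made for the illustration, not Intune's or Microsoft Graph's schema.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed risk scale, lowest to highest; a real mobile threat defense partner reports its own.
RISK_LEVELS = ["secured", "low", "medium", "high"]


@dataclass
class CompliancePolicy:
    """Local model of the five example rules (not Intune's policy schema)."""
    min_password_length: int = 8
    password_needs_letters_and_digits: bool = True
    require_encryption: bool = True
    block_jailbroken_or_rooted: bool = True
    min_os_version: Dict[str, str] = field(
        default_factory=lambda: {"iOS": "12.1", "Android": "8.1"})
    max_device_risk: str = "low"


@dataclass
class DeviceReport:
    """What MDM and the mobile threat defense partner report about one phone."""
    name: str
    platform: str
    os_version: str
    password_length: int               # 0 when no device password/PIN is set
    password_has_letters_and_digits: bool
    storage_encrypted: bool
    jailbroken_or_rooted: bool
    device_risk: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.1.4' -> (12, 1, 4); non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(have: str, want: str) -> bool:
    """Pad to equal length so '12.1.4' >= '12.1' and '8.0' < '8.1'."""
    a, b = parse_version(have), parse_version(want)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def evaluate(policy: CompliancePolicy, dev: DeviceReport) -> List[str]:
    """Names of the rules the device fails; an empty list means compliant."""
    failures = []
    weak_pin = dev.password_length < policy.min_password_length
    if weak_pin or (policy.password_needs_letters_and_digits
                    and not dev.password_has_letters_and_digits):
        failures.append("password_complexity")
    if policy.require_encryption and not dev.storage_encrypted:
        failures.append("encryption")
    if policy.block_jailbroken_or_rooted and dev.jailbroken_or_rooted:
        failures.append("jailbroken_or_rooted")
    minimum = policy.min_os_version.get(dev.platform)
    if minimum is None or not version_at_least(dev.os_version, minimum):
        failures.append("os_version")      # unknown platform fails closed
    if (dev.device_risk not in RISK_LEVELS
            or RISK_LEVELS.index(dev.device_risk) > RISK_LEVELS.index(policy.max_device_risk)):
        failures.append("device_risk")     # unknown risk state fails closed
    return failures


def conditional_access(policy: CompliancePolicy, devices: List[DeviceReport]) -> Dict[str, str]:
    """Allow only known, healthy devices; everything else is blocked."""
    return {d.name: ("allow" if not evaluate(policy, d) else "block") for d in devices}


# Constructed device reports for the ContosoCars rollout.
POLICY = CompliancePolicy()
DEVICES = [
    DeviceReport("iphone-branch-12", "iOS", "12.1.4", 8, True, True, False, "low"),
    DeviceReport("android-franchise-03", "Android", "9.0", 10, True, True, True, "low"),
    DeviceReport("android-branch-07", "Android", "8.0", 8, True, True, False, "secured"),
    DeviceReport("iphone-hq-01", "iOS", "12.1", 4, False, True, False, "high"),
    DeviceReport("android-shop-22", "Android", "8.1.0", 8, True, False, False, "unknown"),
]

if __name__ == "__main__":
    decisions = conditional_access(POLICY, DEVICES)
    for dev in DEVICES:
        print(f"{dev.name}: {decisions[dev.name]} {evaluate(POLICY, dev)}")
```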

Learn more

Check back in a few weeks for our next blog post, Step 6. Manage mobile apps, where we explore the use of Intune app protection policies to allow only approved applications to access work email and data. We will also learn how ContosoCars keeps sensitive customer data secure on shared franchise devices on the shop floor.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 5. Set up mobile device management: top 10 actions to secure your environment appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

The evolution of Microsoft Threat Protection, February update

February 13th, 2019

February is an exciting month of enhancements for Microsoft Threat Protection. For those who have followed our monthly updates (November, December, and January), you're aware that Microsoft Threat Protection helps provide users optimal security from the moment they sign in, use email, work on documents, or utilize cloud applications. IT administrators benefit from minimal complexity while staying ahead of threats to their organization. Microsoft Threat Protection is one of the few available services helping provide comprehensive security across multiple attack vectors. This month, we share enhancements to identity protection, the launch of the Microsoft 365 security center, and another example of Microsoft Threat Protection mitigating a real-world attack.

Enhancing identity protection

Currently, 81 percent of all cyberattacks are due to weak or compromised credentials. Weak identity protection exposes all other attack surfaces to cyberthreats. With this in mind, Microsoft has invested heavily in identity protection, ensuring it continues as one of our fundamental strengths and differentiators. Microsoft Threat Protection leverages Azure Active Directory (Azure AD) Identity Protection to provide comprehensive, industry-leading identity protection for hundreds of millions of users. This month, we're excited to announce enhancements to our identity protection capabilities with the following updates to Azure AD Identity Protection:

  • An intuitive and integrated UX for Azure AD Identity Protection, including security insights, recommendations, sign-ins report integration, and the ability to filter, sort, and perform bulk operations (Figure 1).
  • Powerful APIs that allow you to integrate all levels of risk data with ticketing or SIEM systems.
  • Improved risk assessment based on continuously tuning our heuristic and machine learning systems to bring you even more accurate risk analysis to drive your prevention and remediation strategy.
  • Service-wide alignment across risky users and risky sign-ins.

Screenshot of the new Azure AD Identity Protection Security Overview dashboard.

Figure 1. The new Azure AD Identity Protection Security – Overview dashboard.

Each of these updates is based on customer feedback and our deep domain expertise. With these updates, we continue to improve and build on securing identities for thousands of customers. In fact, several customers such as The Walsh Group, Abtis, Identity Experts, and BDO Netherlands have already experienced the benefits of these new enhancements. We hope you try the refreshed Azure AD Identity Protection. Get the full details of these updates in our blog post and please share your thoughts via the in-product prompts.

Reducing complexity with the Microsoft 365 security center

Microsoft Threat Protection is built on the Microsoft Intelligent Security Graph, which provides a deep and broad threat signal and leverages machine learning for intelligent signal correlation. Many of our customers have often asked us to provide a “single pane of glass” that provides a centralized experience across their Microsoft security services and helps correlate signals from disparate sources, to provide richer insights that lead to intelligent security decisions.

To address this critical customer ask, we recently launched the Microsoft 365 security center (Figure 2), which surfaces many of these correlated signals in a detailed and elegant user interface, helping reduce the complexity of an organization's security environment. The new Microsoft 365 security center (which can be accessed at security.microsoft.com) gives security administrators (SecAdmins) a centralized hub and specialized workspace to manage and take full advantage of most Microsoft Threat Protection services. Admins gain the visibility, control, and guidance necessary to understand and act on the threats currently impacting their organization, as well as information on past and future threats.

Screenshot of the new Microsoft 365 security center.

Figure 2. The new Microsoft 365 security center (security.microsoft.com).

The Microsoft 365 security center also provides experiences for security operators (SecOps) through the integration of incident response capabilities such as a centralized alert view and powerful hunting capabilities enabling ad-hoc investigations. Well be making continuous enhancements to the Microsoft 365 security center and providing updates on its progress.

Microsoft Threat Protection secures think tanks, non-profits, and the public sector from unidentified attackers

While our updates on new features and enhancements hopefully convey our focus and investment in providing best-in-class security, Microsoft Threat Protection's ability to stop real-world threats is ultimately the truest test. Recently, Microsoft Threat Protection helped secure several public sector institutions and non-governmental organizations, including think tanks, research centers, educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries, from a very aggressive cyberattack. Some third-party security researchers have attributed the attack to CozyBear, though Microsoft does not believe there is yet enough evidence to attribute the attack to CozyBear. Figure 3 shows the full attack chain.

Graph of the attack chain of a recent threat to public sector and other non-government agencies by unidentified attacker.

Figure 3. Attack chain of recent threat to public sector and other non-government agencies by unidentified attacker.

Customers using the complete Microsoft Threat Protection solution were secured from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages. Office 365 Advanced Threat Protection detected and blocked emails with malicious URLs, including samples which had never been seen before. Meanwhile, numerous alerts in Windows Defender Advanced Threat Protection (ATP) exposed the attacker techniques across the attack chain.

Due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the added step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate in Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from cybersecurity threats. Learn about the full analysis in our recent blog.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit Integrated and automated security. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities.

Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, February update appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Solving the TLS 1.0 problem

February 11th, 2019

The use of Transport Layer Security (TLS) encryption for data in transit is a common way to help ensure the confidentiality and integrity of data transmitted between devices, such as a web server and a computer. However, in recent years older versions of the protocol have been shown to have vulnerabilities, and therefore their use should be deprecated.

We have been recommending the use of TLS 1.2 and above for some time. To help provide guidance, we are pleased to announce the release of the Solving the TLS 1.0 Problem, 2nd Edition white paper. The goal of this document is to provide the latest recommendations that can help remove technical blockers to disabling TLS 1.0 while at the same time increasing visibility into the impact of this change to your own customers. Completing such investigations can help reduce the business impact of the next security vulnerability in TLS 1.0.

In the second edition update we added the following:

  • Updates covering all of the new products and features Microsoft has shipped since the first version of the white paper, including IIS custom logging fields for weak TLS detection, TLS 1.2 backports to legacy OSes, and more.
  • Introduction of the Office 365 Secure Score Customer Reporting Portal to help Office 365 tenant admins quantify their customers' own weak TLS usage.
  • Much more detail on .NET recommendations and best practices to ensure the usage of TLS 1.2+.
  • Pointers to DevSkim rules for detection and prevention of TLS hardcoding.
  • Tips for using PowerShell with TLS 1.2.
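
The "visibility" half of the problem is knowing which clients still negotiate TLS 1.0 or 1.1 before you turn them off. The following is an added example, not code from the white paper: it summarizes an IIS W3C log that carries a custom logging field for the Schannel CRYPT_PROTOCOL server variable. The custom field name `crypt-protocol`, the log lines, and the client addresses are all constructed for the example.

```python
"""Summarize negotiated TLS versions from an IIS W3C log with a custom
CRYPT_PROTOCOL field, so weak-TLS clients can be found before TLS 1.0 is
disabled. Added example; field name and log content are constructed."""
from collections import Counter, defaultdict

# Schannel SP_PROT_*_SERVER bits (schannel.h). A server-side log only ever
# records the *_SERVER bit of the protocol that was negotiated.
SP_PROT_SERVER = {
    0x4:   "SSL 2.0",
    0x10:  "SSL 3.0",
    0x40:  "TLS 1.0",
    0x100: "TLS 1.1",
    0x400: "TLS 1.2",
}
WEAK_PROTOCOLS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}

# Constructed sample log: a W3C header followed by requests over several
# protocol versions plus one plaintext HTTP request ("-" means no value).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) crypt-protocol
2019-02-11 10:00:01 10.0.0.5 GET /api/orders 200 Mozilla/5.0+(Windows+NT+10.0) 0x400
2019-02-11 10:00:02 10.0.0.7 GET /legacy/export 200 LegacyAgent/1.0 0x40
2019-02-11 10:00:03 10.0.0.7 POST /legacy/export 200 LegacyAgent/1.0 64
2019-02-11 10:00:04 10.0.0.9 GET / 200 Mozilla/4.0+(compatible;+MSIE+7.0) 0x100
2019-02-11 10:00:05 10.0.0.5 GET /health 200 Probe/2.1 -
"""


def decode_protocol(raw):
    """Map a logged CRYPT_PROTOCOL value (hex '0x40' or decimal '64') to a name."""
    if raw in ("", "-"):
        return "plaintext"  # IIS writes '-' when the server variable is unset
    value = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    for bit, name in SP_PROT_SERVER.items():
        if value & bit:
            return name
    return f"unknown({raw})"


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def analyze(text, field="crypt-protocol"):
    """Return (requests per protocol, weak protocol -> client -> request count)."""
    per_protocol = Counter()
    weak_clients = defaultdict(Counter)
    for rec in parse_w3c(text):
        proto = decode_protocol(rec.get(field, "-"))
        per_protocol[proto] += 1
        if proto in WEAK_PROTOCOLS:
            client = f'{rec.get("c-ip", "?")} {rec.get("cs(User-Agent)", "?")}'
            weak_clients[proto][client] += 1
    return per_protocol, weak_clients


if __name__ == "__main__":
    totals, weak = analyze(SAMPLE_LOG)
    for proto, count in sorted(totals.items()):
        print(f"{proto:10} {count}")
    for proto, clients in weak.items():
        for client, count in clients.most_common():
            print(f"still using {proto}: {client} ({count} requests)")
```

Point it at real logs after enabling the custom field on the site, and the weak-protocol list becomes the to-do list of clients to fix or exempt before disabling TLS 1.0.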

Read the Solving the TLS 1.0 Problem, 2nd Edition white paper to learn more.

The post Solving the TLS 1.0 problem appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Securing the future of AI and machine learning at Microsoft

February 7th, 2019

Artificial intelligence (AI) and machine learning are making a big impact on how people work, socialize, and live their lives. As consumption of products and services built around AI and machine learning increases, specialized actions must be undertaken to safeguard not only your customers and their data, but also to protect your AI and algorithms from abuse, trolling, and extraction.

We are pleased to announce the release of a research paper, Securing the Future of Artificial Intelligence and Machine Learning at Microsoft, focused on net-new security engineering challenges in the AI and machine learning space, with a strong focus on protecting algorithms, data, and services. This content was developed in partnership with Microsoft's AI and Research group. It's referenced in The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum, as well as cited in the Responsible bots: 10 guidelines for developers of conversational AI.

This document focuses entirely on security engineering issues unique to the AI and machine learning space, but due to the expansive nature of the InfoSec domain, it's understood that issues and findings discussed here will overlap to a degree with the domains of privacy and ethics. As this document highlights challenges of strategic importance to the tech industry, the target audience for this document is security engineering leadership industry-wide.

Our early findings suggest that:

  1. Secure development and operations foundations must incorporate the concepts of Resilience and Discretion when protecting AI and the data under its control.

  • AI-specific pivots are required in many traditional security domains such as Authentication, Authorization, Input Validation, and Denial of Service mitigation.
  • Without investments in these areas, AI/machine learning services will continue to fight an uphill battle against adversaries of all skill levels.

  2. Machine learning models are largely unable to discern between malicious input and benign anomalous data. A significant source of training data is derived from un-curated, unmoderated public datasets that may be open to third-party contributions.

  • Attackers don't need to compromise datasets when they are free to contribute to them. Such dataset poisoning attacks can go unnoticed while model performance inexplicably degrades.
  • Over time, low-confidence malicious data becomes high-confidence trusted data, provided that the data structure/formatting remains correct and the quantity of malicious data points is sufficiently high.

  3. Given the great number of layers of hidden classifiers/neurons that can be leveraged in a deep learning model, too much trust is placed on the output of AI/machine learning decision-making processes and algorithms without a critical understanding of how these decisions were reached.

  • AI/machine learning is increasingly used in support of high-value decision-making processes in medicine and other industries where the wrong decision may result in serious injury or death.
  • AI must have built-in forensic capabilities. This enables enterprises to provide customers with transparency and accountability of their AI, ensuring its actions are not only verifiably correct but also legally defensible.
  • When combined with data provenance/lineage tools, these capabilities can also function as an early form of AI intrusion detection, allowing engineers to determine the exact point in time that a decision was made by a classifier, what data influenced it, and whether or not that data was trustworthy.

Our goal is to bring awareness and energy to the issues highlighted in this paper while driving new research investigations and product security investments across Microsoft. Read the Securing the Future of Artificial Intelligence and Machine Learning at Microsoft paper to learn more.

The post Securing the future of AI and machine learning at Microsoft appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Announcing the new Security Engineering website

February 4th, 2019

To meet users' expectations for security when using a product or cloud service, security must be an integral part of all aspects of the lifecycle. We all know this, and yet time has proven that this is far easier said than done because there is no single approach nor silver bullet that works in every situation. However, Microsoft's long commitment to security has demonstrated that there are a number of security practices that have survived the passage of time, and when applied flexibly in harmony with many approaches, will improve the security of products or cloud services.

We are sharing the results of our experiences through our new Security Engineering website, which includes updated Microsoft Security Development Lifecycle (SDL) practices that focus on development teams and what we believe to be the basic minimum steps for addressing security concerns when using open source. Additionally, we've included more specific Operational Security Assurance (OSA) practices, aligned with the operational lifecycle of cloud services, and we touch on how these can be brought together to deliver Secure DevOps.

There are four main sections to the new site:

Security Development Lifecycle (SDL)

The new Security Development Lifecycle (SDL) site offers updated practices that should be used during the development process to build more secure software by reducing the number and severity of vulnerabilities accidentally introduced into software. The practices cover a broad range of topics, from training and threat modeling, to managing the security risk of using third-party components, and security testing.

Operational Security Assurance (OSA)

The Operational Security Assurance (OSA) section outlines aligned practices to apply during the operational lifecycle of cloud services, making them more resilient to attack from real and potential cybersecurity threats. These include elements such as using Multi-Factor Authentication (MFA), protecting secrets, protecting against DDoS attacks, and penetration testing.

Secure DevOps

The Secure DevOps model provides a great foundation to improve security. SDL and OSA practices aligned with automation, monitoring, collaboration, and fast and early feedback provide a great opportunity to improve security. Practices outlined here include tooling and automation and continuous learning and monitoring.

Open Source Security

The Open Source Security section outlines the minimum steps necessary to begin to address security concerns when using open source components. The practices here cover topics such as inventorying open source, updating components, and aligning security response processes, and they align with the SDL practice of managing the security risk of using third-party components.

Throughout the site you will find useful references and resources to help. There are even consulting services offerings if you need them. See our Security documentation, where many of these resources can be found along with other useful security research papers, guides, and references. We hope you find the new Security Engineering site useful and encourage you to explore and share with your development and operations teams.

The post Announcing the new Security Engineering website appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Defending critical infrastructure is imperative

February 1st, 2019

The Cybersecurity Tech Accord's upcoming webinar and the importance of public-private partnership

Today, cyberattacks from increasingly sophisticated actors threaten organizations across every sector, and whether a Fortune 500 company or a local bakery, organizations of all sizes need to take steps to limit the dangers posed by these threats. This is the core of cybersecurity risk management: understanding potential threats and actively working to mitigate them. But while organizations large and small should protect themselves against such threats, the owners and operators of critical infrastructure have a unique additional obligation to understand risks and improve their cyber resilience in the interests of the communities, and even whole societies, that rely on their industries.

Critical infrastructure refers to the industries and institutions whose continued operation is necessary for the security and stability of a society. Energy, water, and healthcare sectors are often deemed critical infrastructure, as are essential government organizations, transportation sectors, and even entire election systems. The organizations that own and operate this infrastructure have a responsibility to keep it up and running in the face of any challenge, and so require even more careful attention to security, particularly cybersecurity.

It is with this responsibility in mind that we are excited for the upcoming webinar from the senior malware researcher at the IT security firm, ESET, on the latest and most potent cyberthreats to critical infrastructure. The webinar is free to attend and will be hosted by the Cybersecurity Tech Accord on February 4, 2019.

As a signatory to the Cybersecurity Tech Accord, Microsoft is glad to see this diverse coalition of technology companies taking time to address this important issue and highlight the most significant cyberthreats to critical infrastructure. These are the types of challenges that the tech industry should be working collaboratively to address. In fact, Microsoft recently published a white paper titled Risk Management for Cybersecurity: Security Baselines on how policies can improve critical infrastructure protection by establishing outcome-focused security baselines. Such policies mandate how secure critical infrastructure systems must be while allowing industry to innovate and evolve their approaches as necessary to achieve those goals.

Critical infrastructure protection requires cooperation between the public and private sectors because, while the resilience of these sectors is a national security priority, the critical infrastructure itself is most often owned and operated by private industry and dependent on the technologies that are developed and maintained by private companies. In this dynamic, governments play an indispensable role in identifying security needs and standards for success, while industry understands its own technology and how to best meet security objectives.

The benefits of this collaboration are highlighted in the recently published report by the Organization of American States (OAS), developed in partnership with Microsoft, Critical Infrastructure Protection in Latin America and the Caribbean 2018. The report is a tremendous resource for policymakers in the region, as OAS was able to acutely identify the cybersecurity priorities and challenges of its Latin American and the Caribbean member states, while Microsoft was able to provide technical insights on how to best enable critical infrastructure owners and operators to protect their systems based on those priorities.

The upcoming webinar from ESET will doubtlessly shed additional light on the ever-changing nature of cybersecurity threats, especially as they relate to critical infrastructure, further underscoring the importance of cooperative relationships between sectors moving forward. We invite you to attend the live event; and for those who cannot attend on February 4, 2019, the webinar will be recorded and made available on the Cybersecurity Tech Accord website in the days that follow.

For a full list of upcoming webinars, and to access previous sessions on demand, visit the Cybersecurity Tech Accord website.

The post Defending critical infrastructure is imperative appeared first on Microsoft Secure.

Categories: cybersecurity Tags:


CISO series: Talking cybersecurity with the board of directors

January 31st, 2019 No comments

In today's threat landscape, boards of directors are more interested than ever before in their company's cybersecurity strategy. If you want to maintain a board's confidence, you can't wait until after an attack to start talking to them about how you are securing the enterprise. You need to engage them in your strategy early and often, with the right level of technical detail, packaged in a way that gives the board exactly what they need to know, when they need to know it.

Cyberattacks have increased in frequency and size over the years, making cybersecurity as fundamental to the overall health of the business as financial and operational controls. Today's boards of directors know this, and they are asking their executive teams to provide more transparency on how their company manages cybersecurity risks. If you are a technology leader responsible for security, achieving your goals often includes building alignment with the board.

Bret Arsenault, corporate vice president and chief information security officer (CISO) for Microsoft, was a recent guest on our CISO Spotlight Series, where he shared several of his learnings on building a relationship with the board of directors. We've distilled them down to the following three best practices:

  • Use the board's time effectively.
  • Keep the board educated on the state of cybersecurity.
  • Speak to the board's top concerns.

Use the board's time effectively

Members of your board come from a variety of different backgrounds, and they are responsible for all aspects of risk management for the business, not just security. Some board members may track the latest trends in security, but many won't. When it's time to share your security update, you need to cut through all the other distractions and land your message. This means you will want to think almost as much about how you are going to share your information as about what you are going to share, keeping in mind the following tips:

  • Be concise.
  • Avoid technical jargon.
  • Provide regular updates.

This doesn't mean you should dumb down your report or avoid important technical information. It means you need to prepare adequately. It may take several weeks to analyze internal security data, understand key trends, and distill it down to a 10-page report that can be presented in 30 to 60 minutes. Quarterly updates will help you learn what should be included in those 10 pages, and they will give you the opportunity to build on prior reports as the board gets more familiar with your strategy. No matter what, adequate planning can make a big difference in how your report is received.

Keep the board educated on the state of cybersecurity

Stories about security breaches get a lot of attention, and your board may hope you can prevent an attack from ever happening. A key aspect of your role is educating them on the reasons why no company will ever be 100 percent secure. The real differentiation is how effectively a company responds to and recovers from an inevitable incident.

You can also help your board understand the security landscape better with analysis of the latest security incidents and updates on cybersecurity regulations and legislation. Understanding these trends will help you align resources to best protect the company and stay compliant with regional security laws.

Speak to the board's top concerns

As you develop your content, keep in mind that the best way to get the board's attention is by aligning your messages to their top concerns. Many boards are focused on the following key questions:

  • How well is the company managing its risk posture?
  • What is the governance structure?
  • How is the company preparing for the future?

To address these questions, Bret sticks to the following talking points:

  • Technical debt: An ongoing analysis of legacy systems and technologies and their security vulnerabilities.
  • Governance: An accounting of how security practices and tools measure up against the security model the company is benchmarked against.
  • Accrued liability: A strategy to future-proof the company to avoid additional debts and deficits.

When it comes to effectively working with the board and other executives across your organization, a CISO should focus on four primary functions: manage risk, oversee technical architecture, implement operational efficiency, and most importantly, enable the business. In the past, CISOs were completely focused on technical architecture. Good CISOs today, and those who want to be successful in the future, understand that they need to balance all four responsibilities.

Learn more

Be sure to check out the interview with Bret in Part 1 of the CISO Spotlight Series, Security is Everyone's Business, to hear firsthand his recommendations for talking to the board. And in Part 2, Bret walks through how to talk about security attacks and risk management with the board.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great reference if you are searching for a benchmark model.

To read more blogs from the series, visit the CISO series page.

The post CISO series: Talking cybersecurity with the board of directors appeared first on Microsoft Secure.

Categories: cybersecurity Tags:
