Archive for February, 2017

What’s new in Microsoft’s SDL

This post is authored by Andrew Marshall, Principal Security Program Manager, Security Engineering.

For well over a decade, Microsoft has been committed to designing, developing, and testing software in a secure and trustworthy manner and sharing the Security Development Lifecyle (SDL) methodology and resources with the software development community. We are continuing to make investments into the evolution of the SDL and resources we provide to enable the ecosystem to adapt to new technology and the ever-changing threat landscape.

Today, we’re announcing an important new round of updates and technical content additions to the SDL website. These updates are rolled out to provide up to date guidance and best practices that evolve with the Security Development Lifecycle. We’ve made updates to security tooling guidance, compiler and cryptographic recommendations, and the SDL Developer Starter Kit.

The SDL represents our strategic investment in improving security across the ecosystem and over the next few months we will make additional changes to the Security Development Lifecycle website. Check back for new content detailing how you can implement SDL in the world of Continuous Release/Continuous Development and Dev Ops.

Categories: Uncategorized Tags:

MS16-155 – Important: Security Update for .NET Framework (3205640) – Version: 2.1

Severity Rating: Important
Revision Note: V2.1 (February 23, 2017): Revised bulletin to announce a detection logic change to Monthly Rollup Release KB3205403 and Monthly Rollup Release KB3205404. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a vulnerability in Microsoft .NET 4.6.2 Framework’s Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature.


MS17-FEB – Microsoft Security Bulletin Summary for February 2017 – Version: 1.0

MS17-005 – Critical: Security Update for Adobe Flash Player (4010250) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (February 21, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.


How to create an effective cyber hygiene program

This post is authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group.

As noted in the 2016 Verizon Data Breach Incident Report, 63% of confirmed breaches involved leveraging weak, default or stolen passwords, 30% of phishing messages were opened in 2015, and 12% of targets clicked on the malicious attachment or link. Given this, organizations of all types can make significant gains in their security posture by educating their user base on best practices for digital engagement and cyber hygiene.

Yet, headlines like this recent story in Dark Reading, The Sorry State Of Cybersecurity Awareness Training, speak to the reality that user education is one of the most under-invested and under-appreciated aspects of cybersecurity. Many organizations require an annual online training program to meet compliance requirements, but rarely invest in broad, robust, ongoing training that contemplates the changing threat landscape and the vastly differing roles of end users.

I’ve seen these same organizations invest heavily in tools to defend and detect within their environment, all the while overlooking the most vulnerable part of the security infrastructure – the end user. Forbes reported “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years according to a 2015 analysis of numbers from the Bureau of Labor Statistics by Peninsula Press” (January, 2016). Therefore, organizations cannot rely solely on technology or security professionals to keep their data and infrastructure safe and secure. Threats are evolving, spear phishing is increasing, and users are being specifically targeted. It is incumbent upon the industry to also change the way we approach user education.

There are several aspects to consider to educate users:

  • Where do you focus your efforts?
  • What is the risk profile of your user population? Have you classified your users much like you do your data?
  • Is your directory up to date? Are your privileges appropriate?
  • Who is the population, i.e. are they computer literate?
  • What is the user accessing, i.e. classified, sensitive or confidential data?
  • What systems are they using, i.e. company issued, BYOD, managed, unmanaged?
  • How does your team learn best and how do you reinforce learnings?
  • How do you make complex security concepts consumable?

Create an effective cyber hygiene awareness program

  1. Lead by example
    Creating a program takes focus, effort, and commitment at the executive level to take cybersecurity education seriously. Internal stakeholders can cite numerous studies and use the wide range of industry data points to provide a business case and justification for the training. The average cost of each lost or stolen record containing sensitive information has reached $158 USD according to the Ponemon Institute, and this figure does not include loss of business and customer loyalty from damage to the brand. Justifying the benefits of cybersecurity awareness is straightforward. Getting support and buy-in at the highest levels of an organization, though more challenging, is key for setting the tone both for adherence to the effort and for continued investment in it.
  2. Keep it top of mind
    An annual program may be a good start, but the lessons learned are too soon forgotten and are not likely to turn into good habits. To truly create a sustainable program, training needs to be ongoing, not just annual. It must be flexible enough to accommodate learnings from new security events and attack types. Outside of the standard red/blue teaming efforts, web-based training, employee awareness posters, and scenario drills for the average user are all good methods for staying at the forefront of end users’ minds and practice. In addition, put in place an outspoken executive sponsor for security awareness. It takes someone with enough credibility to foster trust and ongoing dialogue with the CISO as well as employees on the impact of best practices. Taking it a step further for larger organizations, I recommend creating cyber security champions at the department level to maintain the culture throughout the company’s end user populations and geolocations. If you want to start small, something as simple as requiring privacy screens for anyone handling sensitive data is a good way to raise awareness and encourage employees to educate one another on best practices.
  3. Make it compulsory, not perfunctory
    For many employees, online training is a time investment not well spent that takes away from bigger priorities. However, the task of completing frequent security training needs to become a vital job requirement, and viewed as critically important. This can potentially be accomplished by communicating broadly on the number of persons trained and sharing metrics about the security posture of each department, month to month, as well as reporting your security program’s relative standing compared to other training programs in the organization.
  4. Keep it simple
    If a full-blown program is not within reach right away, you can still make significant gains with awareness of the top three security risks. Weak passwords, phishing and thoughtless clicking on attachments, against better judgement, are still the primary ways in for attackers. Remind users of best practices to avoid becoming a victim, and explore ways to automate enforcement so that you can limit the risk to others from infected devices.

There is no silver bullet for addressing rapidly increasing threats. The combination of risk-based policies, technology controls, solid audits, and user education can go a long way toward mitigating your organization’s risk.

Sharing Microsoft learnings from major cybersecurity incidents

This post is authored by Mark Simos, Director of Business Development and Strategy, Enterprise Cybersecurity Group

Microsoft has assisted customers with investigation of, and recovery from, cybersecurity attacks for well over a decade. This effort began informally when our IT department and product groups came to the aid of customers encountering attacks in their environment. Since those early days, the volume and complexity of incidents have required Microsoft to scale up its efforts to include full-time professional investigation and recovery teams. These teams are typically engaged on one or more major investigations in any given week throughout the year. If you are experiencing a targeted attack, you can rapidly engage our Global Incident Response and Recovery teams through Microsoft Premier Support.

Incident Response Reference Guide

Because the challenges that our customers face during incident response and recovery are both technical and non-technical, we recently embarked upon an effort with partner organizations to provide our customers comprehensive incident management guidance.

The results of this effort have been compiled into an Incident Response Reference Guide. It is available for download, and we are distributing a printed version at the Microsoft booth during the RSA conference in San Francisco this week.

This guidance describes the learnings and recommendations that our organizations have made along the technical, operations, legal, and communications dimensions. It is designed to help you prepare for and meet critical needs during a major cybersecurity incident, as well as to avoid common errors.

The recommendations in this guide can help organizations prepare for and address security incidents of many severities, though it is primarily focused on major incidents where administrative access has been compromised.

This guidance is designed to enable you to:

  1. Prepare for a crisis by reducing risk to your organization
  2. Better manage a crisis, whether or not you have made prior preparations

The tips and guidance in this document are designed to provide insights to organizations facing their first incident, as well as seasoned professionals that manage persistent adversary operations regularly. It is based on our collective experiences across a wide range of Fortune 1000® companies and government agencies. We would love to hear your feedback on how this document helped you and how to improve it. You can reach us at CyberDocFeedback@microsoft.com.

Beyond the Guide

As our teams travel the globe helping customers and fighting cybercrime, the learnings from this work continuously influence Microsoft products, public guidance, and how we help future customers. Several key pieces of guidance we published have been informed by this experience, including Versions 1 and 2 of Mitigating Pass-the-Hash and Other Credential Theft, Best Practices for Securing Active Directory, and a new type of guidance that outlines a prioritized security strategy for these attacks, the Securing Privileged Access (SPA) roadmap (online SPA training available here). Microsoft has also contributed to efforts like the NIST 800-184 Guide for Cybersecurity Event Recovery to share our lessons learned.

Additionally, many of our products and features have been directly influenced by our incident response and recovery experience. These include Windows Defender Advanced Threat Protection (ATP), Advanced Threat Analytics (ATA), Windows Server 2016 Shielded VMs, Virtualization Based Security (VBS) in Windows 10 that includes Credential Guard, Microsoft Identity Manager’s Privileged Access Management Capability (MIM-PAM), and many others.

The measure of what causes an incident to have a major impact on an organization varies, depending on the business or mission. However, we have found that most major incidents involve the compromise of administrative access to most or all enterprise IT systems (as happens in the targeted attacks frequently reported in the press). Based on the prevalence of credential theft techniques that lead to compromise of administrative rights, Microsoft has open-sourced the instructions for building the privileged access workstations (PAWs) that our cybersecurity professional services personnel deliver. This architecture is based on learnings from attacks on our customers as well as experience deploying secure access workstations internally for administrators of our own IT systems.

Learn from over a decade of experience helping our customers recover from major incidents by downloading the Incident Response Reference Guide today.

Upgraded Microsoft Trust Center adds rich new content

This post is authored by David Burt, Senior Product Manager, Cloud Platform Marketing

A little over a year ago, we launched the Microsoft Trust Center at www.microsoft.com/trustcenter, which unified trust-related resources across our enterprise cloud services. This week, we launched a completely redesigned and greatly expanded site with new content including EU General Data Protection Regulation (GDPR) guidance, audit reports, and security assessments.

The Trust Center is an important part of the Microsoft Trusted Cloud initiative and provides support and resources for information professionals, as well as the legal and compliance community. The Trust Center offers a rich set of resources, including in-depth information about security, privacy, and compliance offerings, policies, features, and practices across our cloud products, including Azure, Dynamics 365, Office 365, Power BI, Visual Studio Team Services, and Windows Server 2016. Each content area is supplemented by a curated collection of hundreds of the most applicable and widely-used resources for each topic.

New enhancements to the Trust Center include:

We are committed to providing you with guidance, documentation, and support you need to meet your security, privacy, and compliance goals. We will continuously improve the Trust Center to help make your job easier.

Visit http://www.microsoft.com/TrustCenter

Detecting Cyber Threats

This post is authored by Joe Faulhaber, Senior Consultant, ECG.

In today’s cyber threat landscape, it’s not a question of if an attack will occur, but who will attack and when. To keep enterprise data safe against global threats that include attackers as technically sophisticated as any defender, enterprises need to have world-class cyber defenses. This requires strong execution of security fundamentals, in-depth knowledge of the enterprise environment, and working with experts to be ready to detect attacks when they occur.

World-class attackers, your enterprise

Protecting the modern enterprise is challenging because it’s an incredibly dynamic problem. Configurations are in constant flux, hardware is being cycled, software is updating, workloads are moving to the cloud, and users are bringing devices in and out of the network. At the same time, random attacks are entering the system, and there is danger of well-funded, determined external attackers trying to steal valuable data from enterprises as well. Even insiders can be threats, and what an attack looks like can change every day. Cybersecurity is an arms race, with attackers and defenders responding to each other constantly.

Detection in Depth

Protection in depth is the best enterprise defense, because defending just at the host, the network edge, or the cloud isn’t sufficient. Similarly, threats that cause damage or pose danger need to be detected in depth as well. When threats or attacks are detected, an appropriate and effective response is required. The three pillars of security, Protect, Detect, and Respond, are key to a secure enterprise.

Detection in depth means taking a layered approach to find threats all over the enterprise with redundant detection mechanisms, even where there are no protective defenses. It also means verifying the output of detective sensors to build trust in signals.

Some threats are not complicated to detect. Out-of-date software, missing or stale anti-malware protection, and misconfigured policies are all threats that can lead to successful attacks. These threats can be detected easily and are among the fundamental requirements to stay secure.
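As an added example, not code from the post or from Microsoft, the following PowerShell script checks a Windows 10 host for the three fundamental conditions named above: stale or disabled anti-malware protection, out-of-date software, and a misconfigured policy. It uses the Defender module’s Get-MpComputerStatus, Get-HotFix, and two well-known policy registry values (EnableLUA and DisableAntiSpyware). The thresholds (7 days for signature age, 45 days since the last installed update) and the choice of which policy values count as “misconfigured” are assumptions for illustration; adjust them to your own baseline.

```powershell
# Added example (not from the post): basic hygiene check for a Windows 10 host.
# Assumed thresholds: signatures older than 7 days, no update installed in 45 days.
function Get-HygieneFindings {
    param(
        [int]$MaxSignatureAgeDays = 7,
        [int]$MaxDaysSinceLastUpdate = 45
    )
    $findings = @()

    # 1. Anti-malware state: engine on, real-time protection on, signatures fresh.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings += 'Windows Defender status unavailable (module missing or another AV product in use)'
    } else {
        if (-not $mp.AntivirusEnabled)         { $findings += 'Antivirus engine disabled' }
        if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
        }
    }

    # 2. Out-of-date software: how long since the most recent hotfix was installed.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        $findings += 'No installed updates with a recorded install date'
    } elseif (((Get-Date) - $latest.InstalledOn).Days -gt $MaxDaysSinceLastUpdate) {
        $findings += "Last update ($($latest.HotFixID)) installed $($latest.InstalledOn.ToShortDateString()), more than $MaxDaysSinceLastUpdate days ago"
    }

    # 3. Misconfigured policy: two illustrative checks (which values matter is an
    #    assumption about your estate). Both registry values are standard Windows ones.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name EnableLUA -ErrorAction SilentlyContinue
    if ($uac -and $uac.EnableLUA -eq 0) { $findings += 'User Account Control disabled by policy' }

    $dp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
        -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($dp -and $dp.DisableAntiSpyware -eq 1) { $findings += 'Windows Defender disabled by Group Policy' }

    return ,$findings
}

$result = Get-HygieneFindings
if ($result.Count -eq 0) {
    'No hygiene findings'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated session so Get-HotFix and the policy keys are readable; each finding is a plain string so the output can be written to a central log or fed to whatever collector your detection pipeline already uses, which is the point of the passage: these signals are cheap to gather and should be watched continuously rather than only at audit time.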

Other threats are tougher to detect, such as attacks against network infrastructure or insider attacks, and detection often depends on collecting numerous logs and performing analysis. Software supply chain attacks may be particularly successful, especially if users go looking for software on the Internet on their own, and require different detection methods. Knowing your environment well makes it much easier to know if something is out of place or missing.

Even in a well-protected network, there will be successful attacks. Some of them are quite easy to identify – a new variant of an existing and common commodity malware evading anti-malware detection isn’t that hard to find if you know where to look. Even if you’re not familiar with an attack, being curious and knowledgeable enough to think “that’s weird” is often the start of detecting something new. Another key to good detection and analysis is the knowledge and resources to understand the tactics, techniques, and procedures used in today’s attacks. Even the biggest organizations need help to see parts of attacks that happen beyond systems in their control.

Determined Human Adversaries

The most dangerous attacks are targeted and perpetrated by determined human adversaries. These have been called “Advanced Persistent Attacks”, though they may not be particularly advanced or even well targeted. But they are especially perilous because they attack the enterprise, not an individual or computer, and are driven by humans who may have incredible determination and goals only known to the attackers. The adversary may come after what they think an enterprise has, not what it possesses.

Differentiating between a targeted attack and a random commodity attack can be quite difficult, since what works to compromise an organization does not depend on the attacker’s motivations. An expected penetration test and a real attack can look the same or completely different when it comes to detection. Different attacks may use similar methods and a seemingly random attack may turn out to be a determined adversary. This makes knowing previous adversary behavior incredibly important. The first encounter with a new threat can be very confusing, with time wasted chasing irrelevant details or false leads. This confusion is often compounded by the human impact of being targeted, which can bring the emotional impact of a physical attack.

In the worst case of having a determined human adversary attacking your enterprise for the first time, it is essential to have help from those who have detected these types of threats before, and a response plan on how to deal with the attacker.

Becoming World-Class

Detecting cyber threats can seem overwhelming when new threats are constantly making news and older threats are still capable of causing big problems. However, identifying threats can be made much easier by implementing protection and detection in depth. Executing the fundamentals of security daily, knowing what is normal for your enterprise environment, and having expert help in identifying the latest attack methods are key. Solid protection and rapid response capability are tied together by detection and intelligence, and the Microsoft Enterprise Threat Detection (ETD) service enables detection in depth with cybersecurity experts and global intelligence for your enterprise.

Read more at Microsoft Enterprise Threat Detection blog.

Join us at RSA Conference. Here’s your event guide for connecting with Microsoft

The RSA Conference is fast approaching and the agenda is packed with the latest technology, trends, and people that help protect our digital data. We’ll be there sharing our unique perspective through keynotes, deep-dive sessions, and on the expo floor.

Since planning your itinerary is a must to get the most out of RSA, here’s a preview of where and when you can learn about how Microsoft can help you be more secure.

Keynote Address by Brad Smith

Protecting and defending against cyber threats in uncertain times | Tuesday, February 14th, 8:35 a.m.
While many cyber attacks are the work of criminals seeking financial gain, new threats continue to emerge targeting civilians, businesses and governments. Microsoft President Brad Smith will share our perspective on what’s needed to protect and defend this critical infrastructure.

Microsoft in North Expo Hall, booth 3501

Come chat with the Microsoft Secure team in the North Expo. We’ll be there throughout the conference to show you how our $1 billion annual investment in security R&D helps organizations secure their environment and protect their customers.

Microsoft sessions at RSA Conference 2017

Tuesday, February 14th

A Vision for Shared, Central Intelligence to Ebb the Growing Torrent of Alerts | 1:15 p.m.– 2:00 p.m.
Despite the positive advancements in machine learning and intelligence, security professionals remain overwhelmed. How is it that we keep wasting time and energy on analyzing and assembling the information presented by our supposedly “intelligent” solutions? This session will explore a conjoint approach that would help our industry climb out of the sea of data that is most certainly going to drown us.

How to Go from Responding to Hunting with Sysinternals Sysmon | 1:15 p.m.–2:00 p.m.
Sysinternals Sysmon can help you precisely detect and track an attacker’s movement inside your Windows networks, but only if you know how to use it effectively. Get a deep dive from Sysmon’s author on its design, capabilities, latest enhancements, and guidance for collecting and alerting on its rich forensic data with popular log analytics services.

Advances in Cloud-Scale Machine Learning for Cyber-Defense | 3:45 p.m.–4:30 p.m.
Picking an attacker’s signals out of billions of log events in near real time from petabyte-scale storage is a daunting task, but Microsoft has been using security data science at cloud scale to successfully disrupt attackers. This session presents the latest frameworks, techniques, and the unconventional machine learning algorithms that Microsoft uses to protect its infrastructure and customers.

Wednesday, February 15th

Learnings from the Cloud: What to Watch When Watching for a Breach | 2:45 p.m.–3:30 p.m.
Protecting against account breach and misuse when using a cloud service can be challenging, as the cloud service decides what tooling is available, and control may be limited. This session will share learnings and best practices from the Office 365 engineering team: from the patterns observed, what are best practices to protect against account breach?

Securing the Making of the Next Hollywood Blockbuster | 1:30 p.m.–2:15 p.m.
Get a look behind the scenes at New Regency, the company that produced the Oscar-winning movie The Revenant, to hear how employees collaborate and keep production secrets safe.

Friday, February 17th

Critical Hygiene for Preventing Major Breaches | 10:15 a.m.–11:00 a.m.
Microsoft’s Incident Response teams investigate major breaches week after week and almost always see the exact same pattern of attacks and customer vulnerabilities. Microsoft and the Center for Internet Security (CIS) will share step-by-step recommendations to defend against these attacks, including information on cybersecurity solutions that Microsoft has open-sourced to protect our customers.

Choose from nearly 40 theater sessions

Attend one of the 20-minute theater sessions in the Expo hall to learn more about a variety of topics including NextGen SOC, Risk Based Identity Protection, Office 365 Threat Intelligence, Detecting Threats from Enterprise Telemetry, Taking Ransomware to Task with Windows 10, and Security in Industrial IoT. Stop by booth #N3501.

Explore more about our unique approach to security at Microsoft Secure.

Stopping Cyberthreats in a new era

The explosive growth in the scale and sophistication of cyberthreats is remaking the security landscape. Today, it’s not a matter of if your organization’s data will be compromised, but a matter of when. Having a proactive protection strategy that includes pre- and post-breach components is critical to addressing advanced attacks.

Fortunately, Windows 10 has comprehensive pre-breach solutions, and with Windows Defender Advanced Threat Protection (ATP) we added a post-breach layer to the Windows security stack. And the best part? Windows Defender ATP is built into Windows 10 and designed to provide the best performance experience on your machine. It doesn’t require any additional software deployment or management.

So do you want the good news or the bad news?

Well, here’s the outcome: New hacking techniques are multiplying exponentially and old pre-breach detection techniques can’t keep up. The numbers are alarming—on average it takes an attacker minutes to get in, and security teams more than 140 days to discover it.

With the release of Windows 10 Anniversary Update, Microsoft offers Windows Defender ATP to complement the existing endpoint security stack of Windows Defender, SmartScreen, and various OS hardening features. The new service, purposely built to detect and respond to advanced attacks, leverages a deep behavioral sensor integrated into Windows 10 combined with a powerful security analytics cloud back end to enable enterprises to detect, investigate, and respond to targeted and sophisticated advanced attacks on their networks.

Next-level protection: Post-breach detection and response

Windows Defender ATP goes wide and deep, working to cover all your bases, with a focus on post-breach challenges. It’s like having a black belt team of security defense experts supporting every machine running Windows 10.

Advanced attack detection. Microsoft makes the most of its strong security analytics and rich intelligence capabilities to provide visibility into anomalies and threats from a broad base of sources. We also leverage the Microsoft Security Intelligence Graph to cull data from Windows updates and search engine results that index billions of URLs to generate potential hack alerts immediately.

Investigation and response. The portal gives SecOps tools and capabilities to investigate and respond to threats on their endpoints. You can also proactively explore your network for signs of attacks, perform forensics on specific machines, track attacker actions across machines in your network, get a detailed file footprint across your organization, submit a file for deep analysis, and with the Creators Update isolate machines, kill processes, or ban files from your network.

Threat intelligence. Get internal and external reports and indicators for known attackers and of prominent attacks (Strontium, for example), validated and enriched by an internal team of security black belts and third-party feeds. With the Creators Update, you can add your own TI to define alerts unique to your environment within Windows Defender ATP, based on IOCs.

Windows 10 and Windows Defender ATP help give you the best defense and offense when it comes to potential and actual data breaches. Learn more by downloading the ebook now.

Discover more about how this new strategic approach can make a real difference at Microsoft Secure.