Archive for October, 2018

How to share content easily and securely

October 31st, 2018

This is the seventh post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Image taken at the Microsoft Ignite Conference.

Cumbersome restrictions and limitations on mobile devices, apps, and remote access can be taxing from an IT perspective and frustrating for your employees. Your users need to be able to create, access, and share files from anywhere, and IT needs to ensure that these actions won't compromise your company's security.

Microsoft 365 offers security solutions that help secure your collaboration and productivity apps. That way your employees can connect and communicate wherever they are, using tools they are familiar with, as securely as if they were right at their desks.

How can I securely share documents outside my organization?

Classify documents based on content sensitivity

First, classify documents using Azure Information Protection (AIP). With AIP, you can configure policies to classify, label, and protect data based on its sensitivity. Data can be classified according to standards you define for content, context, and source. These classifications can then be applied automatically or manually, or you can prompt your employees to decide what classification to apply with in-product suggestions.

To classify documents using AIP, you must first configure your company's classification policy. Configure the policy by signing in to the Azure portal as an administrator and then selecting Azure Information Protection in the apps list. All AIP users start with a default policy that you can configure to suit your needs. Once you have created the policy that works best, publish your changes to deploy the policy to all managed apps and devices.

Use email to share files

Your employees can use email file attachments in Microsoft Outlook to share files. With Outlook, users can take files from their business or personal device, attach files to an email, and access a dedicated library where all group files are stored. If your employees need to send a sensitive message to external users, they can increase security by encrypting the message using Office 365 Message Encryption, and the recipient decrypts it using the Office 365 Message Encryption viewer.

Enable users to collaborate

To ensure that shared documents are only viewed by the right person, your users can share files with internal or external partners through OneDrive for Business and apply security features such as password protection and Multi-Factor Authentication.

Microsoft Teams, a chat-based workspace, enables teams to be more productive by giving them a single, secure location that brings together everything a team needs in one hub, including chats, meetings, calls, files, and tools. Azure Active Directory (Azure AD) conditional access policies can be configured to secure the data in Teams. You can deploy Teams through Microsoft System Center Configuration Manager (ConfigMgr) or Microsoft Intune.

Yammer helps your users improve engagement with everyone in your organization through social networking. Use the security features in Yammer to help protect sensitive organizational data. Yammer supports Azure AD single sign-on authentication, allows admins to set password policies, and provides admins with session management tools that let you see the devices users are signed in to. You can manage access and permissions in Yammer by setting up the Yammer network to comply with your organization's standards.

Identify risky applications and shadow IT

Microsoft Cloud App Security allows you to more securely share documents via third-party applications by identifying the cloud apps on your network. By gaining visibility into shadow IT, you can help protect your information using policies for data sharing and data loss prevention.

How can I work on documents across devices securely?

To work more securely across different devices, you will need to manage your mobile devices and set app protection policies. You can use Intune to manage your users' mobile devices. To help prevent data loss, you will want to protect company data that is accessed from devices that you don't manage. You can apply Intune app protection policies that restrict access to company resources and keep company and personal data from getting intermingled. Company data can end up in personal storage or be transferred to apps beyond your purview, resulting in data loss. App protection policies can be used to prevent company data from being saved to the local storage of an unmanaged device or moved to other apps that aren't protected by app protection policies.

Deployment tips from our experts

Enable security features in Office 365 apps: Office 365 apps like Outlook, OneDrive, Teams, and Yammer all come with built-in features that enable users to more securely share files and be productive. A few simple things you can do include:

Classify and share documents securely: Classify documents in AIP to track and control how information is used. Then share documents securely via third-party applications using Microsoft Cloud App Security to protect your information.

Prevent data loss on mobile devices: Manage mobile devices with Intune and through mobile device management. Then implement app-level controls with Intune app protection policies to help prevent data loss.

Plan for success with Microsoft FastTrack: FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Store and share files inside and outside your organization to work securely across organizational boundaries. You can find additional security resources on

Coming Soon! Using controls for security compliance will be the last installment of our Deploying intelligent scenarios series. In November, we will kick off a new series: Top 10 security deployment actions with Microsoft 365 Security.

More blog posts from this series:

The post How to share content easily and securely appeared first on Microsoft Secure.


Windows Defender Antivirus can now run in a sandbox

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.

Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.

While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.

Why sandbox? Why now?

From the beginning, we designed and built Windows Defender Antivirus to be resistant to attacks. In order to inspect the whole system for malicious content and artifacts, it runs with high privileges. This makes it a candidate for attacks.

Security researchers, both inside and outside of Microsoft, have previously identified ways that an attacker could take advantage of vulnerabilities in Windows Defender Antivirus's content parsers to achieve arbitrary code execution. While we haven't seen in-the-wild attacks actively targeting Windows Defender Antivirus, we take these reports seriously. We immediately fixed potential problems and ramped up our own research and testing to uncover and resolve other possible issues.

At the same time, we continued hardening Windows 10 in general against attacks. Hardware-based isolation, network protection, controlled folder access, exploit protection, and other technologies reduce the attack surface and increase attacker costs. Notably, escalation of privilege from a sandbox is much more difficult on the latest versions of Windows 10. Furthermore, the integration of Windows Defender Antivirus and other Windows security technologies into Windows Defender ATP's unified endpoint security platform allows signal-sharing and orchestration of threat detection and remediation across components.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsoft's continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. It's more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldn't come at a better time.

Implementing a sandbox for Windows Defender Antivirus

Modern antimalware products are required to inspect many inputs, for example, files on disk, streams of data in memory, and behavioral events in real time. Many of these capabilities require full access to the resources in question. The first major sandboxing effort was to split Windows Defender Antivirus's inspection capabilities into the components that absolutely must run with full privileges and the components that can be sandboxed. The goal for the sandboxed components was to ensure that they encompassed the highest-risk functionality, like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost.

The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when sandboxing is enabled. This means that the entire content scanning logic must work both in-proc and out-of-proc, and it can't make any assumptions about running with high privileges.

Performance is often the main concern raised around sandboxing, especially given that antimalware products sit in many critical paths, like synchronously inspecting file operations and processing, aggregating, or matching large numbers of runtime events. To ensure that performance doesn't degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time only perform these interactions at key moments where their cost would not be significant, for example, when IO is already being performed.

Windows Defender Antivirus makes an orchestrated effort to avoid unnecessary IO. For example, minimizing the amount of data read for every inspected file is paramount to maintaining good performance, especially on older hardware (rotational disks, remote resources). Thus, it was crucial to maintain a model where the sandbox can request data for inspection as needed, instead of being passed the entire content. An important note: passing handles to the sandbox (to avoid the cost of passing the actual content) isn't an option, because in many scenarios, such as real-time inspection, AMSI, etc., there's no sharable handle that the sandbox could use without being granted significant privileges, which would decrease security.

Resource usage is another problem that required significant investment: both the privileged process and the sandbox process need access to signatures and other detection and remediation metadata. To avoid duplication and preserve strong security guarantees (that is, to avoid unsafe ways of sharing state or the significant runtime cost of passing data between the processes), we used a model where most protection data is hosted in memory-mapped files that are read-only at runtime. This means protection data can be mapped into multiple processes without any overhead.

Another significant concern around sandboxing is the inter-process communication mechanism, which must avoid potential problems like deadlocks and priority inversions. The communication should not introduce any potential bottlenecks, either by throttling the caller or by limiting the number of concurrent requests that can be processed. Moreover, the sandbox process shouldn't trigger inspection operations by itself. All inspections should happen without triggering additional scans. This requires fully controlling the capabilities of the sandbox and ensuring that no unexpected operations can be triggered. Low-privilege AppContainers are the perfect way to implement strong guarantees, because the capabilities-based model allows fine-grained control over what the sandbox process can do.

Lastly, a significant challenge from the security perspective is related to content remediation or disinfection. Given the sensitive nature of the action (it attempts to restore a binary to the original pre-infection content), we needed to ensure this happens with high privileges in order to mitigate cases in which the content process (sandbox) could be compromised and disinfection could be used to modify the detected binary in unexpected ways.

Once sandboxing is enabled, customers will see a content process, MsMpEngCP.exe, running alongside the antimalware service, MsMpEng.exe.

The content processes, which run with low privileges, also aggressively leverage all available mitigation policies to reduce the attack surface. They enable, and prevent runtime changes to, modern exploit mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG). They also disable Win32k system calls and all extensibility points, and enforce that only signed and trusted code is loaded. More mitigation policies will be introduced in the future, alongside other techniques that aim to reduce the risk of compromise even further, such as multiple sandbox processes with random assignment, more aggressive recycling of sandbox processes without a predictable schedule, runtime analysis of the sandbox behavior, and others.

How to enable sandboxing for Windows Defender Antivirus today

We’re in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation.

Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.
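A PowerShell check, added here as an illustration and not part of the original post, that verifies the state described above on a Windows 10 machine: whether the machine-wide MP_FORCE_USE_SANDBOX variable is set, whether the MsMpEngCP.exe content process is running alongside MsMpEng.exe, and which of the mitigations named earlier (DEP, ASLR, CFG, Win32k system call filtering, extension points, signed-code enforcement) are active on each content process. It assumes an elevated session and the ProcessMitigations module (Get-ProcessMitigation, shipped with Windows 10 version 1709 and later); the property names read from its output are those of that module's per-process object.

```powershell
# Added verification script (not part of the original post).
# Reports whether Windows Defender Antivirus sandboxing is forced on and active,
# and which exploit mitigations the content process MsMpEngCP.exe runs with.
# Assumes: Windows 10 1709+ (ProcessMitigations module) and an elevated session.

function Get-DefenderSandboxStatus {
    [CmdletBinding()]
    param()

    # 1. The machine-wide override from the post: setx /M MP_FORCE_USE_SANDBOX 1
    #    (takes effect only after a restart, so check the process list too).
    $forced = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    # 2. The privileged antimalware service and the low-privilege content process(es).
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    $status = [ordered]@{
        ForcedByEnvironmentVariable = ($forced -eq '1')
        AntimalwareServiceRunning   = [bool]$engine
        ContentProcessRunning       = [bool]$content
        ContentProcessCount         = @($content).Count
        Mitigations                 = @()
    }

    # 3. Per-process mitigation policy of each running content process, as reported
    #    by Get-ProcessMitigation -Id (values are ON / OFF / NOTSET).
    $haveCmdlet = Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue
    if ($content -and $haveCmdlet) {
        foreach ($p in $content) {
            $m = Get-ProcessMitigation -Id $p.Id
            $status.Mitigations += [pscustomobject]@{
                Pid                 = $p.Id
                DEP                 = $m.DEP.Enable
                ASLR_BottomUp       = $m.ASLR.BottomUp
                CFG                 = $m.CFG.Enable
                Win32kCallsDisabled = $m.SystemCall.DisableWin32kSystemCalls
                ExtensionPointsOff  = $m.ExtensionPoint.DisableExtensionPoints
                MicrosoftSignedOnly = $m.BinarySignature.MicrosoftSignedOnly
            }
        }
    }

    [pscustomobject]$status
}

# Usage: print the summary; expand the Mitigations table for each content process.
$result = Get-DefenderSandboxStatus
$result | Select-Object -Property * -ExcludeProperty Mitigations | Format-List
$result.Mitigations | Format-Table -AutoSize
```

A machine where ForcedByEnvironmentVariable is true but ContentProcessRunning is false has either not been restarted since the variable was set or is running a build older than Windows 10, version 1703.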

Looking ahead: Broader availability and continuous innovation

To implement sandboxing for Windows Defender Antivirus, we took a lot of inputs from the feedback, suggestions, and research from our peers in the industry. From the beginning, we saw this undertaking as the security industry and the research community coming together to elevate security. We now call on researchers to follow through, as we did, and give us feedback on the implementation.

Windows Defender Antivirus is on a path of continuous innovation. Our next-gen antivirus solution, which is powered by artificial intelligence and machine learning and delivered in real time via the cloud, is affirmed by independent testers, adoption in the enterprise, and customers protected every day from malware campaigns big and small. We're excited to roll out this latest enhancement to the rest of our customers.

And we are committed to continue innovating. We're already working on new anti-tampering defenses for Windows Defender Antivirus. These will further harden our antivirus solution against adversaries. You'll hear about these new efforts soon. Windows Defender Antivirus and the rest of Windows Defender Advanced Threat Protection will continue to advance and keep on leading the industry in raising the bar for security.



Mady Marinescu
Windows Defender Engineering team
with Eric Avena
Content Experience team



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Windows Defender Antivirus can now run in a sandbox appeared first on Microsoft Secure.

CISO series: Partnering with the C-Suite on cybersecurity

October 24th, 2018

In my last blog, we looked at five communication techniques that can help engage business managers in the work of cybersecurity. This week, we'll look at how to use those techniques to bring the C-Suite into the conversation.

Not too long ago, I was speaking with the CIO of a large company (some details have been changed to protect the innocent) about one of my favorite topics: how to define security policies that balance user productivity and business risk. Before long, the CIO said, "Trust me, I know all about that." I stopped talking and started listening. He proceeded to tell me about an incident from a previous November. Apparently, during a small window between meetings, he decided to take advantage of the free time to do some online holiday shopping. We're all crushed for time; he knew exactly what he wanted, it took just a few minutes, and then he was off to his meeting. Only he didn't make it very far before the head of security approached to report a security policy violation. "Can you believe it?" the CIO said. "My online shopping was flagged!" I had a feeling I knew where this story was going. "I got flagged for violating my own policy!" he said.

The CIO then explained, "It was the middle of summer, and we had just had a small security scare. At the time, the only thing I cared about was doing everything in our power to prevent a bigger incident from happening. By the time the holidays rolled around, I'd forgotten all about it." To balance employee productivity, satisfaction, and corporate risk, the company decided to allow access to a few selected shopping sites during November and December.

His story got me thinking. Could the company have established a more flexible policy back in the summer if the policy team had properly explained the pros and cons of the restrictive "no shopping ever" policy? Maybe. There is no way to know definitively. One thing's for sure: the experience itself clearly made an impression on the CIO. I'm a big believer in learning through experience, but since we can't learn every lesson by living through it, there are opportunities to have productive conversations with executives that can increase engagement and mitigate these sorts of issues.

Five communication strategies for engaging executives and the C-Suite with security

Using the same proven communication strategies for framing security for business managers that we shared in the last blog, I'll show how you can apply those techniques to your conversations with executives and the C-Suite. Here's a hint: it all starts with the same underlying concept. No matter how high up in the organization she or he is, or how many people or responsibilities they have, your CIO is human, and so is your entire executive team. If you apply communication strategies that have been proven to work outside of cybersecurity, you can get your CIO and other executives more involved in security decision-making.

  • Feel: One thing that my conversation with the CIO demonstrates is the role that emotions play. The original policy to lock down all ecommerce on company devices and networks was driven by fear. Emotions are understandable, but they can also drive us to make rash decisions that we regret later. You can defuse an emotional situation by listening first. Try to understand where the CIO is coming from before you respond to his or her emotions. And above all, resist the temptation to scare an executive into taking security seriously by throwing scary statistics at them. That will only backfire.
  • Focus: CIOs and other executives are bombarded with decisions and issues all day long. It can be challenging to get them to focus on your agenda, but it's important if you want them to make smart security decisions. Set a meeting for a quiet period in their calendar, or have a planning meeting set aside where it's agreed that cell phones are off and brains are fully engaged. It's amazing what we can accomplish when we're not distracted.
  • Slow down: This goes hand in hand with Focus. The timing of, and the amount of time for, the discussion can also dictate the outcome. Allow space for questions and thoughtfulness. I've led Executive Introduction to Threat Modeling classes using implantable medical devices (IMDs) and fitness wearables as examples. In the first five minutes, most of the class leans toward thinking the IMDs pose all the risk. But once they've taken the time to threat model both devices for themselves, they realize fitness wearables can be non-trivial threat vectors.
  • Simplify: Tailor your conversation for your audience. Tech speak may resonate with a CIO, but other executives will get lost if you get too techy. And no matter who you are speaking with, it's important that you speak in the language of business goals. How do your proposals and ideas best advance the goals of the executive that you are speaking with? And don't be afraid to engage the C-Suite in the activity of simplifying. If you ask the executives to think about how they'd explain ransomware or phishing to a very non-tech-savvy relative, they'll be able to connect more closely with the technical risks and also, hopefully, have a bit more empathy for you, the security geek, who's tasked with explaining tough security risks to them.
  • Spark: Tap into the incredible power of "why." Why does your company do what it does? Make sure your security pitch aligns to this overall mission. Explain how your security efforts get the company closer to achieving its vision. Go back to your corporate vision statement and ask the execs if a proposed policy or control ultimately supports that mission. When a CEO participating in an incident response simulation opts to report an incident, not because it's legally required, but because "our corporate values mean radical transparency with our customers," you've sparked a real connection between technical risk management and the business.

Experience is one of our great teachers. As the CIO in this story learned, some security rules look good until they get in the way of executives. And some security measures may seem costly and unnecessary, but when weighed against massive reputational damage or material financial loss, those investments calibrate as frugal and wise. You don’t have to make your CIO a cyber ninja to have a productive conversation. To effect real change, engage executives as human beings in the cybersecurity policy and strategy decision-making process.

The post CISO series: Partnering with the C-Suite on cybersecurity appeared first on Microsoft Secure.


Top 10 security steps in Microsoft 365 that political campaigns can take today

October 23rd, 2018

The increasing frequency of cyberattacks makes clear that more must be done to protect key democratic institutions from cyber-enabled interference. With just a few weeks left before the U.S. midterm elections and early voting under way, campaigns must stay vigilant in protecting against cyberattacks on their online collaboration tools, including email. Microsoft recommends taking action today to protect against phishing, malware, account compromise, and other threats; see Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats. These recommendations are tailored for small to mid-sized political campaigns and election-focused stakeholders using Office 365 or Microsoft 365. Any organization, especially those without full-time IT security staff, can benefit from taking these actions.

This guidance provides step-by-step instructions for using 10 high-impact security capabilities. These actions help you implement many of the best practices recommended in the Cybersecurity Campaign Playbook, created by the Defending Digital Democracy program at Harvard Kennedy School's Belfer Center for Science and International Affairs.

Top 10 cybersecurity recommendations:

  1. Set up two-step verification for all staff.
  2. Train campaign staff to quickly identify phishing attacks.
  3. Use dedicated accounts for administration.
  4. Raise the level of malware protection in mail.
  5. Protect against ransomware.
  6. Prevent emails auto-forwarding outside of the campaign.
  7. Increase encryption for sensitive emails.
  8. Protect your email from phishing attacks.
  9. Protect against malicious attachments in email.
  10. Protect against phishing attacks that include malicious website links in email or other files.

Read Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats for details on how to implement each action.

These recommendations are provided as part of Microsoft's ongoing commitment to the Defending Democracy Program. Qualifying organizations using Office 365 can also take advantage of Microsoft AccountGuard for additional protection, leveraging Microsoft's state-of-the-art threat detection and notification in case of targeted nation-state cyberattacks.

The post Top 10 security steps in Microsoft 365 that political campaigns can take today appeared first on Microsoft Secure.


Take steps to secure your business and users with our security business assessment

Businesses can no longer afford to take cybersecurity for granted. You can't read the news without seeing a splashy headline about a successful hack or data breach at a well-known company. However, this isn't just a problem for large enterprises; increasingly, small and medium-sized businesses are becoming targets of cybercriminals and need to take steps to improve their security.

Yet it can be hard for small and medium-sized businesses to right-size a security strategy for their unique business. We believe a good place to start is by answering these four questions:

  • How secure are your users and accounts?
  • How protected are you from threats?
  • How safe is your data?
  • How effectively are you managing security?

The Microsoft Security Assessment can help you discover where you are vulnerable and provide personalized recommendations to improve your security posture. Keep reading for a peek at some of our key learnings from the assessment.

How secure are your users and accounts?

In today's modern workplace, employees work from anywhere on any number of devices. This has been great for personal productivity, but it has also created more possible points of entry for hackers to break in. One of the biggest challenges is to make it easy for your users to connect to the resources they need, from the devices they prefer, while balancing security for your company and its assets.

There are many ways to protect your accounts, but make sure you include Multi-Factor Authentication (MFA), as no password is foolproof. MFA is safer because it requires two forms of authentication to gain access. For example, you can require that users sign in with a password plus either a code generated by an application or a biometric, like fingerprints or facial recognition. Products such as Microsoft 365 Business make it easy to enable MFA for your email, file storage, and productivity apps, adding another layer of defense to your organization’s assets.

How protected are you from threats?

The latest figures show that cybercriminals are increasingly targeting small and medium-sized businesses alongside big ones. Forty-one percent of businesses with fewer than 250 employees reported an attack in the last 12 months. Fortunately, there are practical things you can do to reduce your vulnerability, and every step makes a huge difference.

Two recommendations that are low cost, or even free, are maintaining software upgrade cycles and conducting regular employee training. If you don't require that employees keep software updated and patched, consider starting. Whether it is for the operating system, servers, devices, applications, plug-ins, or any other technology, updates will reduce security vulnerabilities. You can also improve your security posture through regular employee security training. The onboarding process is a good opportunity to share cybersecurity practices, but don't stop there. Consider putting a regular security training program in place to remind employees how to detect and report suspicious links, attachments, and emails; avoid malicious websites; and download only verified applications.

How safe is your data?

One of your most valuable assets is your data. Data includes everything from a private document, to personally identifiable information, to sales projections, and more. In all cases, it will be damaging to individuals and your business if it gets into the wrong hands. You need to protect sensitive data where it lives and while it travels.

One way to safeguard critical documents is with encrypted access. Document-level protection helps guarantee that only authorized users can read and inspect privileged data, even when it is sent outside of your organization. This level of protection is available in certain products, such as Microsoft 365 Business, which also includes the ability to notify and educate users when they are working with sensitive data.

How effectively are you managing security?

A strong defense is more than just a set of tools and practices. You need a thoughtful approach to how you manage security. Effective security management will give you visibility into vulnerabilities across all your resources, and it will encourage consistency across your security policies. With a strategic approach you will better understand your current risks and be able to identify opportunities to increase your protection.

A critical component of security management is periodic review of user access to data, devices, and networks. People, roles, and responsibilities change over time, which is why it's good to know which roles have access to which resources. You can use this review to make sure that users have the right level of access, for the right time period, based on their role. For example, someone in HR might need to access the financial services database during a specific project. You can also make sure that those who have left your organization or changed roles have been de-provisioned, and you can investigate any suspicious activity that is detected.

Evaluate how well your business is protected

Unfortunately, it is not just the big brands that must combat cyberattacks. Small and medium-sized businesses are also at risk. We've given you a sampling of our recommended security best practices, but there is still more you may want to consider. The security assessment can help you evaluate holistically how strong your current defenses are and provide specific, actionable recommendations that you can put in place to increase your confidence and reduce your vulnerabilities.

Take the Microsoft Security Assessment and bookmark the Microsoft Secure blog to read up on the latest steps or deployment tips to keep your business safer.



The post Take steps to secure your business and users with our security business assessment appeared first on Microsoft Secure.


Voice of the Customer: Walmart embraces the cloud with Azure Active Directory

October 22nd, 2018

Today's post was written by Sue Bohn, partner director of Program Management, and Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart.


I'm Sue Bohn, partner director of Program Management at Microsoft. I'm an insatiable, lifelong learner and I lead the Customer & Partner Success team for the Identity Division. I'm jazzed to introduce the Voice of the Customer blog series. In this series, the best of our customers will present their deployment stories to help you learn how you can get the most out of Azure Active Directory (Azure AD). Today we'll hear from Walmart. I love the convenience of Walmart; where else can you buy tires, socks, and orange juice in one trip?

Walmart teamed up with Microsoft to digitally transform its operations, empower associates with easy-to-use technology, and make shopping faster and easier for millions of customers around the world. But this strategic partnership didn't just happen overnight. In the beginning, Walmart's cybersecurity team was skeptical about the security of the public cloud and Azure AD. Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart, share their team's journey working with Microsoft to embrace the cloud with Azure AD:

Working closely with our Microsoft account team convinced us we could safely write back to on-premises and enable password hash synch

In the beginning, we were willing to feed to the cloud but at that time not comfortable allowing the syncing of passwords to the cloud or write back to on-premises from cloud. We were skeptical of the security controls. We involved Microsoft in the strategy and planning phases of our initiatives and made slow but steady progress. As we worked with the Microsoft team, representatives were eager to get any and all feedback and to provide it to their product groups. This led to our critical Azure AD enhancement requests being received and solutions being delivered. When we ran into bugs, we were able to troubleshoot issues with the very people who wrote the application code. Our Microsoft account team was right there with us, in the trenches, and they were committed to making sure we were confident in Azure AD's capabilities. Over time, as we learned more about Azure AD and the new security features we were enabling, our trust in Microsoft's Azure AD security capabilities grew and many of our security concerns were alleviated.

Given our scale, validating and verifying the security capabilities of Azure AD was key to empowering our users while still protecting the enterprise. Walmart currently has over 2.5 million Azure AD users enrolled, and with that many users we need very granular controls to adequately protect our assets. The entire team, including Microsoft, rolled up our sleeves to figure out how to make it work, and together we've enabled several features that let us apply custom security policies. Azure Information Protection (AIP), an amazing solution that is only possible with Azure AD, allows us to classify and label documents and emails to better protect our data. Azure AD Privileged Identity Management (PIM) gives us more visibility and control over admins. Azure AD dynamic groups let us automatically enable app access for our users. This is a huge time saver in an environment with over half a million groups. With all of the work we did with Microsoft and our internal security team, we were able to turn on the two features we previously did not think we would be able to: password hash synch and write back from cloud to on-premises. This was critical to our journey as we had never allowed a cloud solution to feed back into our core environment in this manner.

Driving down help desk calls with self-service password reset

One example that shows how much we trust the security of Azure AD and the cloud is self-service password reset (SSPR). The biggest driver of help desk calls at Walmart is people who get locked out of their accounts because of a forgotten password. It wastes a tremendous amount of our help desk's time and frustrates associates who lose time sitting on the phone. We believed that letting users reset their passwords and unlock their accounts without help desk involvement would go a long way and improve productivity, but we had always been nervous about giving people who weren't on Walmart PCs that kind of access. Another hurdle was ensuring that our hourly associates were only able to utilize this service while they were clocked in for work. Microsoft helped us solve this with the implementation of custom controls.

Our Microsoft team supported us the entire way, and we're proud to say that SSPR is being rolled out. When we started this journey, we would never have believed that we would allow people to reset their passwords from a public interface, but here we are, and the user experience is great!

Engage Microsoft early

If there is one thing we would have done differently, it would be to engage Microsoft at a deeper level earlier on in the process. Our public cloud adoption didn't really take off until we brought them in and spent time with their backend product engineering teams. Microsoft's commitment to improving security and the cloud is clear. Their work to safeguard data has continuously improved, and while we work more closely with them, they also continue to incorporate our feedback into future feature releases. It is the relationship that has allowed us to securely implement Azure AD at our scale.

We look forward to sharing our next big success: implementation of Azure AD B2B.

Voice of the Customer: looking ahead

Many thanks to Ben and Gerald for sharing their journey from on-premises to Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers' security and implementation insights more broadly. Bookmark the Microsoft Secure blog so you don't miss part 2 in this series. Our next customer will speak to how Azure AD and implementing cloud Identity and Access Management makes them more secure.

The post Voice of the Customer: Walmart embraces the cloud with Azure Active Directory appeared first on Microsoft Secure.


CISO series: Building a security-minded culture starts with talking to business managers

October 18th, 2018

Cybersecurity is everyone's business; protecting the company and its users against data leaks is no longer just the responsibility of IT and security operations. Everyone from the board to Firstline Workers has an important role to play. A culture that encourages individuals to believe they have a part in defending the company against malicious behavior requires that each person is aware of the day-to-day risks and knows how their actions and choices can mitigate, or increase, those risks. This is why we will be writing a new series of blog posts for senior security experts and executives called the CISO series, to help further discussions from within the organization to the boardroom to the customer and help establish that security culture and mindset.

If you are like many of your peers, one of the initiatives that you've put in place to create a culture where everyone in your organization takes security seriously is a required, annual security training for all employees. And, hopefully, it seems to be working. Feedback from security training indicates that employees have a better understanding of their role in cybersecurity. Even more important, many of your users have begun to take steps to improve their security posture, such as by reporting suspicious emails rather than clicking the links.

There's just one problem. Today, one of your security operations managers brings to your attention a report showing that the sales division consistently gets low scores on the training. The sales team promotes your business products throughout the world, in Asia, Europe, North America, and South America, often accessing company data from overseas via unsecured wireless. If anyone needs to ace this training, it's this team. You're tempted to get on the phone immediately and give the VP of Sales a litany of scary statistics that prove how critical this training is. But, fortunately, you stop yourself. If you have any hope of increasing compliance, you need this manager engaged in the solution and on your side. What's more, if you handle the discussion properly, the VP of Sales could give you insights to help you craft a program that his team will embrace more enthusiastically.

Turn business managers into security evangelists

If you have any hope of turning the VP of Sales into an advocate, you need to frame security in the language of the business by quantifying business impacts. You've heard this before, but what does it mean in practice? What if we start with an even more basic truth: the most important thing to remember about the VP of Sales is that he or she is a human being. And so is everyone on the team. In other words, tried and true communication strategies that have been proven to work outside of cybersecurity also work with humans who happen to be business managers.

Five communication strategies proven to work

Take a look at the following communication strategies and see how they can be customized for your conversation with your own VP of Sales:

  • Feel. You probably have a list of statistics that could scare the VP of Sales into compliance, but they also might backfire, causing them to shut down. A more effective approach is to dial down the emotional undercurrent of the conversation and start by listening. You may think you know why the sales team has low training compliance; then again, maybe you don't. The very first step is understanding their side. Don't move on to solutions until you both are confident that you understand why the team has not prioritized the training.
  • Focus. Everyone is trying to do 10 things at once, but continuous partial attention means we can't focus on what's important. Once you understand why the sales team has not been scoring high marks on the training, you can engage the business manager (VP of Sales) in a conversation that is laser-focused on their team's needs, making it more likely that you both will put your full attention on the issue.
  • Slow down. Time limits make us think less strategically. If you need time to gather the data that will support your case, consider calling for a pause so you can do your due diligence. And make sure you time your conversation with the VP during a quiet time in the quarter. Year end is a hectic time for sales, and the worst time to try to squeeze in a cyber awareness discussion.
  • Simplify. Remember that tech speak is not the right language for this audience. Give some thought to how your security training supports the goals of the sales team. Access to reliable customer data like escalations and licenses is critical to a successful mobile data force. Cybersecurity is about ensuring the sales team has confidential access to that data wherever and whenever they need it. The VP will more likely understand your priorities if they understand how they're aligned to their priorities.
  • Spark. Tap into the incredible power of why by explaining why your company needs security compliance. Make sure your security pitch and training align to this overall mission. Explain how your security efforts get the company closer to achieving its vision.

Creating a culture where everyone takes accountability for defending the enterprise against cybercrime will require that we get everyone engaged, from the board and C-Suite executives to business managers and Firstline Workers. As you embark on this effort, keep in mind that how you say it is as important as what you say. You can create a path to success if you understand the motivations and goals of the business, and if you don't forget one core truth: we're all human. Please stay tuned for our next blog in this series, where I will give you tips for engaging your C-Suite executive team in the cybersecurity conversation.

The post CISO series: Building a security-minded culture starts with talking to business managers appeared first on Microsoft Secure.


How Office 365 learned to reel in phish

October 17th, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Jason Rogers, Principal Group Program Manager at Microsoft.

We recently reported how we measure catch rates of malicious emails for Office 365 Exchange Online Protection (EOP) (available with any Office 365 subscription) and Advanced Threat Protection (ATP) (available as a standalone service or with Office 365 E5).

Today, we're sharing the results from the enhancements we made to anti-phish capabilities for Office 365 to address impersonation, spoof, and phish content, as well as internal phish emails sent from compromised accounts. Over the last year, Microsoft's threat analysts discovered threat actors pivoting from malware to sophisticated, often targeted phishing campaigns. The scale of these attacks and how quickly users click through on malicious links is shown in Figure 1.

Figure 1. Phish email statistics from Office 365 from January 2018 to September 2018.

Understanding the phish landscape

To develop solutions mitigating these modern phishing campaigns, our engineers rigorously analyzed phish emails in Office 365, uncovering a general pattern of phish campaigns following the path shown in Figure 2.

Figure 2. Phish email campaign pathway from initial reconnaissance to data exfiltration.

Additionally, since Office 365 is one of the world's largest email service providers, Microsoft gains visibility and experience across most, if not all, types of cyber threats. Every day, Microsoft analyzes 6.5 trillion signals, and each month we analyze 400 billion emails, while detonating 1 billion items in our sandbox. This telemetry helps us understand the full spectrum of phish attacks and the sophisticated and varied methods used by attackers, summarized in Figure 3. With this understanding of the phish landscape, our engineers not only designed new capabilities, but also enhanced existing capabilities to address the phishing emails being launched at customers.

Figure 3. Phish emails attack spectrum and variety of attack methods.

Understanding the situation

When we began our journey of enhancing our anti-phish capabilities, we admittedly were not best of breed at mitigating phish. As we alluded to previously, transparency with customers is a core priority at Microsoft. Figure 4 shows the number of phish emails that Microsoft (Office 365) missed in comparison to several other vendors also protecting email for customers within Office 365.

From November 2017 to January 2018, you see that Office 365 (orange bar in Figure 4) was not the best solution at phish catch. (We previously discussed how we measure phish catch.) The values are based on normalized email volume. As the inset plot shows, the scale of mail volume in Office 365 far exceeds the mail volume of third-party vendors. Fundamentally, this scale is one of our differentiators and strengths, as it offers us much greater depth and breadth into the threat landscape.

Figure 4. Normalized phish email miss from November 2017 to January 2018 in Office 365 email traffic. Inset shows actual mail flow volume.

Solving the problem with our technology, operations, and partnerships

Leveraging our signal from mail flow, the expertise of 3,500 in-house security professionals, and our annual $1 billion investment in cybersecurity, we strategically addressed the growing wave of phishing campaigns. Our engineers determined four categories of phish emails and designed capabilities addressing each type. Figure 5 summarizes the enhancements made to the anti-phish capabilities in Office 365.

Figure 5. Phish email categories and anti-phish enhancements made in Office 365 to address the categories.

Details on all the anti-phish updates for Office 365 are available in the following posts:

While the enhancements are interesting, ultimately, catch rate is the parameter that counts, and it is important to remember that no solution can ever stop all threats. Sometimes misses occur, and the most effective solution will miss the least. To this end, we are very excited to share our phish miss rate from May 1, 2018 to September 16, 2018. As you can see in Figure 6, today, when compared to the same set of vendors that we compared ourselves to in November to January, we exhibit the lowest miss rate of phish emails in Office 365. Figure 6 is the culmination of the incredible focus, drive, and expertise of Microsoft researchers and engineers working together to push the boundaries of threat research, machine learning, and development of algorithms that together provide customers the most impressive and effective protection against phish emails available for Office 365 today.

Figure 6. Normalized Phish Email Miss Rate in Office 365 from May 1, 2018 to September 16, 2018. Inset is a blowup of the graph from August 1, 2018 to September 16, 2018.

While the graph in Figure 6 is illuminating, we also want to share statistics from Office 365 EOP/ATP related to phish mitigation. Figure 7 is a summary of the remarkable impact these powerful new anti-phish capabilities across EOP/ATP have had in helping secure Office 365 users, and further showcases our tremendous depth and scale into the threat landscape. For those unfamiliar with Office 365 ATP, Safe Links provides time-of-click protection from malicious links in email, where the click triggers several different protection technologies, including URL reputation checks, machine learning capabilities, and link detonation as needed. Recently, Safe Links expanded its capabilities to intra-org emails, making Office 365 ATP the only service to offer this type of protection while ensuring the internal emails remain within the compliance boundary of Office 365. We hope you agree that the anti-phish capabilities have evolved at a remarkable pace and with amazing results.

Figure 7. The impact to end users from the enhanced anti-phish capabilities in Office 365.

Learn more

We hope this post provides a good overview on how we are helping customers with modern phishing campaigns. Please be sure to check out the Ignite session, Secure enterprise productivity with Office 365 threat protection services including EOP, ATP, and Threat Intelligence, where we give more details. Your feedback enables us to continue improving and adding features that will continue to make ATP the premiere advanced security service for Office 365. If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 trial today and start securing your organization from the modern threat landscape.

The post How Office 365 learned to reel in phish appeared first on Microsoft Secure.


Secure file storage

October 16th, 2018

Image taken at the Microsoft Ignite Conference.

This is a blog series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Collaborate Securely, the fifth blog in our eight-blog series on deploying intelligent security scenarios.

Employees are often tasked with preparing documents that require them to gather expertise from various people, often both internal and external to their organization. This common practice can expose your company data at unsecured points along the way. To mitigate risk, Microsoft 365 has simplified and secured the process of sharing files so that employees can easily gather data, expert opinions, edits, and responses, from only the right people, in a single document.


How can I centrally store information, so it's discoverable by colleagues but not anyone else?

To answer this question, let's start with storage first, then move to search.

Store securely

To help your employees easily discover relevant data for their projects and keep that data internal and secure, you can build a team site in SharePoint Online. If your employees need to make their notes or informal insights discoverable, but keep the information secure, deploy OneNote and have employees password-protect their notes.

You can deploy OneNote through Microsoft Intune to your Intune-managed employee devices, or have your employees sign in with their Microsoft Azure-provisioned ID and download OneNote to their devices. The owner of the SharePoint library, list, or survey can change permissions to let the right people access the data they need while restricting others. You can also empower your employees to build and maintain their own SharePoint Online team with security safeguards that you have established.

Search securely

Once you've set up your team site, SharePoint Intelligent Search and Discovery allows both you and your employees to discover and organize relevant information from other employees' work files across Microsoft 365. It keeps your organization's documents discoverable only within your protected cloud, according to each user's permission settings. You can also set permissions so your employees will see only documents that you have already given them access to.


How do I make use of automation to ensure that employees have the correct permissions?

By enabling a dynamic group in Azure Active Directory (Azure AD), you ensure that users are automatically assigned to groups according to attributes that you define. For example, if a user moves to a new department, then when their department name changes in Azure AD, the rules automatically place them in the security groups defined for the new department (and drop them from the old ones, since membership is derived from attributes rather than assigned by hand). By using these Azure AD-based advanced rules that enable complex, attribute-based, dynamic memberships for groups, you can protect organizational data on several levels.
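As an added illustration (not code from this post or from Microsoft), here is a small Python evaluator for a subset of the Azure AD dynamic-membership rule syntax, showing how a department change moves a user between groups without anyone editing memberships. The group names, rules and user records are constructed, only -eq/-ne/-startsWith/-contains on string attributes are supported, and the toy binds -and tighter than -or, which is this example's convention rather than a statement about the product.

```python
import copy
import re

# Constructed rules in the Azure AD dynamic-membership syntax (examples, not from any tenant).
GROUP_RULES = {
    "Finance-Staff": '(user.department -eq "Finance")',
    "Finance-Managers": '(user.department -eq "Finance") -and (user.jobTitle -contains "Manager")',
    "EMEA-Sales": '(user.department -eq "Sales") -and ((user.country -eq "DE") -or (user.country -eq "FR"))',
}

# Constructed user objects carrying the attributes the rules reference.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.test", "department": "Finance", "jobTitle": "Finance Manager", "country": "US"},
    {"userPrincipalName": "bob@example.test", "department": "Sales", "jobTitle": "Account Executive", "country": "DE"},
    {"userPrincipalName": "carol@example.test", "department": "Sales", "jobTitle": "Account Executive", "country": "US"},
]

# Supported subset: user.<property> <op> "<string>", joined by -and / -or, with parentheses.
_TOKEN = re.compile(
    r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<bool>-and|-or)\b'
    r'|user\.(?P<prop>\w+)\s+(?P<op>-\w+)\s+"(?P<val>[^"]*)")',
    re.IGNORECASE,
)


def tokenize(rule):
    """Split a rule into ('(', None), (')', None), ('bool', '-and'/'-or'), ('cmp', (prop, op, val))."""
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse rule at offset {pos}: {rule[pos:]!r}")
        pos = m.end()
        if m.group("lp"):
            tokens.append(("(", None))
        elif m.group("rp"):
            tokens.append((")", None))
        elif m.group("bool"):
            tokens.append(("bool", m.group("bool").lower()))
        else:
            tokens.append(("cmp", (m.group("prop"), m.group("op").lower(), m.group("val"))))
    return tokens


def compare(user, prop, op, val):
    """One comparison; strings are matched exactly (a simplification of the product's semantics)."""
    actual = user.get(prop)  # an attribute the user lacks behaves like null
    if op == "-eq":
        return actual == val
    if op == "-ne":
        return actual != val
    if actual is None:
        return False
    if op == "-startswith":
        return actual.startswith(val)
    if op == "-contains":
        return val in actual
    raise ValueError(f"unsupported operator {op}")


class _Parser:
    """Recursive descent: expr := term (-or term)* ; term := factor (-and factor)* ; factor := '(' expr ')' | cmp."""
    def __init__(self, tokens, user):
        self.toks, self.i, self.user = tokens, 0, user
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def expr(self):
        value = self.term()
        while self.peek() == ("bool", "-or"):
            self.take()
            value = self.term() or value   # both operands always evaluated so tokens are consumed
        return value
    def term(self):
        value = self.factor()
        while self.peek() == ("bool", "-and"):
            self.take()
            value = self.factor() and value
        return value
    def factor(self):
        kind, payload = self.take()
        if kind == "(":
            value = self.expr()
            if self.take() != (")", None):
                raise ValueError("missing ')' in rule")
            return value
        if kind == "cmp":
            return compare(self.user, *payload)
        raise ValueError(f"unexpected token {kind!r} in rule")


def evaluate_rule(rule, user):
    parser = _Parser(tokenize(rule), user)
    result = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError("trailing tokens in rule")
    return result


def compute_memberships(rules, users):
    """Return {group: sorted UPNs}; membership is derived from attributes, never assigned."""
    return {g: sorted(u["userPrincipalName"] for u in users if evaluate_rule(r, u)) for g, r in rules.items()}


def demo_department_change():
    """Alice moves from Finance (US) to Sales (FR): her Finance access disappears with the attribute change."""
    before = compute_memberships(GROUP_RULES, SAMPLE_USERS)
    moved = copy.deepcopy(SAMPLE_USERS)
    moved[0].update({"department": "Sales", "jobTitle": "Sales Manager", "country": "FR"})
    return before, compute_memberships(GROUP_RULES, moved)


if __name__ == "__main__":
    for label, groups in zip(("before", "after"), demo_department_change()):
        print(label, groups)
```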


Deployment tips from our experts

  • Make information discoverable and secure. Help your employees easily discover relevant data for their projects. Start by building a team site in SharePoint Online. Store notes securely in Microsoft OneNote and ensure they discover relevant information across Office 365 with SharePoint Intelligent Search and Discovery.
  • Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.


Want to learn more?

For more information and guidance on this topic, check out the white paper Empower people to discover, share, and edit files and information securely. You can find additional security resources on

Coming Soon! "Share files easily and securely" is the seventh installment of our "Deploying Intelligent Scenarios" series. In November, we will kick off a new series: "Top 10 Security Deployment Actions with Microsoft 365 Security."


More blog posts from this series

The post Secure file storage appeared first on Microsoft Secure.


Making it real—harnessing data gravity to build the next gen SOC

October 15th, 2018

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and Siân John, EMEA Chief Security Advisor, Cybersecurity Solutions Group.

In our first blog, Diana and I talked about the concept of data gravity and how it could, conceptually, help organizations take a more cloud-ready approach to security operations and monitoring. In this post we address the question: How do we make this a reality in the security operations center (SOC) while we are under increased and constant pressure from motivated threat actors?

The answer lies in a new approach to monitoring called Security Orchestration, Automation and Response (SOAR), which is founded upon addressing the challenge of connecting and investigating issues across multiple security platforms. SOAR addresses the challenges of evolving security operations beyond the traditional security information and event management (SIEM) model into one that allows correlation across all the data gravity wells. Core to this is being able to take an event from one system (for example an endpoint like a laptop) and in real time correlate that across different systems, such as a mail hygiene gateway, in order to build evidence and apply the context needed for a fast and efficient investigation. This is something that analysts have historically done manually to investigate an issue: look across multiple different evidence points to find the information behind an event to determine if it's a false positive or if it needs further investigation. Historically, deciding what incidents need investigation was left to the SIEM model, but as we discussed in the last blog, both the difficulties with false positives and the rules of data gravity make this more difficult to achieve.

Let's discuss how this can be achieved using Microsoft as an example.

We have a number of significant areas of data gravity within the technology that Microsoft customers use. These are Office 365, Windows, and Azure, each with a different focus and level of protection, and these are what we need to bring together to share insights and events across these technical areas. This is where the Intelligent Security Graph comes into play for us. This is a subset of the Microsoft Graph focused specifically on sharing security information and insights that we see across our infrastructure:

Each of the areas of security products we have integrated with the graph allows us to share insights across different areas and build orchestration capability, context, and automation across systems without necessarily having to pull them all into one single aggregated log store. Analysis is done as and when required, often driven by the machine learning and behavioral techniques that help to determine what information is needed.

The next step is to make this information available to others, which is why we released the Graph Security API. This is an open and free API that allows customers to interrogate Microsoft data in real time for alerts and context that the Office 365, Windows, and Azure security systems hold. This allows organizations to integrate alerts into their own SOC or build automated playbooks and investigations across the platform. This isn't just about orchestrating across Microsoft. The law of data gravity says that we must integrate with others, and many leading security vendors have also integrated with the API, both to provide information into our platform for integration and to query Microsoft in real time to provide context in their own platforms.

When insights across multiple data gravity wells can be accessed and correlated in near real-time, the SOC analyst can spend far less time writing SIEM rules and more time tuning orchestration and automation that is focused on improving insight, reducing false positives, and investigating the important information. The capability that SOC vendors should be focusing on is building a real-time investigation platform that enables analysts to investigate security event signal across multiple vendors and investigate in real-time, by respecting the laws of data gravity. Meaningful insights and reducing mean time to identify (MTTI) and mean time to remediate (MTTR) are far better measures of SOC effectiveness than how many events per second (EPS) are processed.

To make the SOC of tomorrow a reality, the question you ask your security vendors needs to change. Instead of asking "Can you send all your logs into my SIEM?" ask these questions instead:

  • How do you orchestrate events across your own platform?
  • Do you provide APIs for me to query in real-time?
  • How do you integrate with other vendors?
  • What partnerships, orchestration, and automation capabilities do you have?

The SOC of tomorrow must look across multiple data sources, gravity wells, and hybrid clouds to provide a complete look at a company’s security posture. Look for vendors that understand this new architectural approach and are building cloud-aware solutions for tomorrow, not ones that are locked into an on-premises-centric past.

The post Making it real—harnessing data gravity to build the next gen SOC appeared first on Microsoft Secure.


Microsoft partners with DigiCert to begin deprecating Symantec TLS certificates

Starting in September 2018, Microsoft began deprecating the SSL/TLS capability of Symantec root certificates due to compliance issues. Google, Mozilla, and Apple have also announced deprecation plans related to Symantec SSL/TLS certificates. Symantec cryptographic certificates are used in critical environments across multiple industries. In 2017, DigiCert acquired Symantec's web security business, which included their certificate authority business.

Since the compliance issues were identified, Microsoft has been engaged with Symantec and DigiCert to uphold industry-wide compliance expectations and maintain customer trust. DigiCert created the deprecation schedule below in partnership with Microsoft to maintain trust in the industry while minimizing impact to our mutual customers.

During certificate renewal, customers must now replace their current certificate with one signed by a non-Symantec root. Based on the schedule below, Microsoft Edge and Internet Explorer running on Windows 10/Windows Server 2016 will no longer trust certificates signed by the associated root certificate if issued after the TLS NotBefore Date. Any certificates issued prior to this date will continue to be trusted until the certificate's natural expiration. Internet Explorer running on legacy Windows versions will not be impacted.

Customers with questions about their certificates or this deprecation schedule are encouraged to contact DigiCert by visiting SSL Certificate Support.

Name | Thumbprint (SHA-1) | Planned TLS NotBefore Date
Symantec Class 3 Public Primary Certification Authority-G6 | 26A16C235A2472229B23628025BC8097C88524A1 | 9/30/2018
thawte Primary Root CA-G2 | AADBBC22238FC401A127BB38DDF41DDB089EF012 | 9/30/2018
GeoTrust Universal CA | E621F3354379059A4B68309D8A2F74221587EC79 | 9/30/2018
Symantec Class 3 Public Primary Certification Authority-G4 | 58D52DB93301A4FD291A8C9645A08FEE7F529282 | 1/31/2019
VeriSign Class 3 Public Primary Certification Authority-G4 | 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A | 1/31/2019
GeoTrust Primary Certification Authority-G2 | 8D1784D537F3037DEC70FE578B519A99E610D7B0 | 4/30/2019
VeriSign Universal Root Certification Authority | 3679CA35668772304D30A5FB873B0FA77BB70D54 | 4/30/2019
thawte Primary Root CA-G3 | F18B538D1BE903B6A6F056435B171589CAF36BF2 | 4/30/2019
GeoTrust Primary Certification Authority-G3 | 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD | 4/30/2019
GeoTrust | 323C118E1BF7B8B65254E2E2100DD6029037F096 | 4/30/2019
thawte | 91C6D6EE3E8AC86384E548C299295C756C817B81 | 4/30/2019
VeriSign | 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | 4/30/2019
GeoTrust Global CA | DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 | 4/30/2019
VeriSign | 132D0D45534B6997CDB2D5C339E25576609B5CC6 | 4/30/2019
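An added example (not code from this post, Microsoft or DigiCert) that turns the schedule above into an inventory check: for each server certificate you record the SHA-1 thumbprint of the root it chains to and its NotBefore date, and the check applies the stated rule that leaves issued after the root's planned date are distrusted while earlier ones stay trusted until they expire and must be renewed from a non-Symantec root. The hostnames, dates and the all-zero thumbprint in the sample inventory are constructed placeholders.

```python
from datetime import date

# Deprecation schedule from the post: SHA-1 thumbprint of each root -> (name as listed,
# planned TLS NotBefore date). Edge/IE on Windows 10 and Windows Server 2016 stop trusting
# leaf certificates that chain to one of these roots if the leaf was issued after that date.
DISTRUST_SCHEDULE = {
    "26A16C235A2472229B23628025BC8097C88524A1": ("Symantec Class 3 Public Primary Certification Authority-G6", date(2018, 9, 30)),
    "AADBBC22238FC401A127BB38DDF41DDB089EF012": ("thawte Primary Root CA-G2", date(2018, 9, 30)),
    "E621F3354379059A4B68309D8A2F74221587EC79": ("GeoTrust Universal CA", date(2018, 9, 30)),
    "58D52DB93301A4FD291A8C9645A08FEE7F529282": ("Symantec Class 3 Public Primary Certification Authority-G4", date(2019, 1, 31)),
    "22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A": ("VeriSign Class 3 Public Primary Certification Authority-G4", date(2019, 1, 31)),
    "8D1784D537F3037DEC70FE578B519A99E610D7B0": ("GeoTrust Primary Certification Authority-G2", date(2019, 4, 30)),
    "3679CA35668772304D30A5FB873B0FA77BB70D54": ("VeriSign Universal Root Certification Authority", date(2019, 4, 30)),
    "F18B538D1BE903B6A6F056435B171589CAF36BF2": ("thawte Primary Root CA-G3", date(2019, 4, 30)),
    "039EEDB80BE7A03C6953893B20D2D9323A4C2AFD": ("GeoTrust Primary Certification Authority-G3", date(2019, 4, 30)),
    "323C118E1BF7B8B65254E2E2100DD6029037F096": ("GeoTrust", date(2019, 4, 30)),
    "91C6D6EE3E8AC86384E548C299295C756C817B81": ("thawte", date(2019, 4, 30)),
    "4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5": ("VeriSign", date(2019, 4, 30)),
    "DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212": ("GeoTrust Global CA", date(2019, 4, 30)),
    "132D0D45534B6997CDB2D5C339E25576609B5CC6": ("VeriSign", date(2019, 4, 30)),
}


def normalize_thumbprint(thumbprint):
    """Accept the forms certificate viewers emit ('de 28 f4 ...' or 'DE:28:F4:...') and
    return 40 uppercase hex characters; reject anything that is not a SHA-1 thumbprint."""
    cleaned = thumbprint.replace(" ", "").replace(":", "").upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {thumbprint!r}")
    return cleaned


def classify(root_thumbprint, leaf_not_before):
    """Apply the rule from the post: a leaf chaining to a scheduled root is distrusted only if its
    NotBefore is later than the root's planned date; earlier leaves stay trusted until expiry but
    must be renewed from a non-Symantec root. Returns (status, reason)."""
    entry = DISTRUST_SCHEDULE.get(normalize_thumbprint(root_thumbprint))
    if entry is None:
        return "trusted", "root is not on the Symantec deprecation schedule"
    root_name, cutoff = entry
    if leaf_not_before > cutoff:
        return "distrusted", f"issued {leaf_not_before}, after the {cutoff} cutoff for {root_name}"
    return "trusted-until-expiry", f"issued {leaf_not_before} under {root_name}; renew from a non-Symantec root"


def audit(inventory):
    """inventory: list of dicts with host, root_thumbprint, not_before, not_after.
    Returns only the entries needing action, most urgent first (deadline None = replace now)."""
    findings = []
    for cert in inventory:
        status, reason = classify(cert["root_thumbprint"], cert["not_before"])
        if status == "trusted":
            continue
        deadline = None if status == "distrusted" else cert["not_after"]
        findings.append({"host": cert["host"], "status": status, "deadline": deadline, "reason": reason})
    findings.sort(key=lambda f: (f["deadline"] is not None, f["deadline"] or date.min))
    return findings


# Constructed inventory for demonstration (hosts and dates are made up).
SAMPLE_INVENTORY = [
    {"host": "www.example.test", "root_thumbprint": "aa db bc 22 23 8f c4 01 a1 27 bb 38 dd f4 1d db 08 9e f0 12",
     "not_before": date(2018, 10, 15), "not_after": date(2020, 10, 15)},
    {"host": "mail.example.test", "root_thumbprint": "DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12",
     "not_before": date(2018, 6, 1), "not_after": date(2019, 6, 1)},
    {"host": "intranet.example.test", "root_thumbprint": "0" * 40,  # placeholder for a root not on the schedule
     "not_before": date(2018, 10, 15), "not_after": date(2020, 10, 15)},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['status']} (deadline {f['deadline'] or 'now'}) - {f['reason']}")
```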


The post Microsoft partners with DigiCert to begin deprecating Symantec TLS certificates appeared first on Microsoft Secure.


Ignite 2018 highlights: passwordless sign-in, confidential computing, new threat protection, and more

What a week it was in Orlando! Ignite is always a biggie, and this one was no exception. For all of us here at Microsoft who get to work on security, spending time with customers to learn how you are using our security products today and to share new innovations to come is a highlight. At this year’s event we put even greater emphasis on providing attendees with access to engineering experts throughout more than one hundred focused sessions, workshops, and hands-on immersion experiences for the latest technologies in security. I was chuffed to see that our security booths at the center of the expo hall were chock-a-block for the whole event. Thank you to everyone who stopped by, attended our social and community events, and connected with our engineers and product managers.

After their security blanket work at the RSA Conference earlier this year, our social team once again took a shot at peak swag. Our Security SOCs were the result, lovingly designed and then crafted from the finest combed cotton, bringing fashion together with a six-month Enterprise Mobility + Security trial: quite the combination.

Show us your own fashion moment through social media with #askmeaboutmySOC #showmeyourSOC.

More seriously, if you weren’t able to join us this year, or found yourself trading off between sessions or workshops at the show, don’t worry, our breakout sessions on security are available on-demand. At Ignite 2018, we also brought a deep lineup of new security innovations that I have summarized below, along with some top session recommendations:

Identity and access management

We really don't like passwords, so together we want to help you eliminate their use through simpler, more secure alternatives. New support for passwordless sign-in to Azure Active Directory (Azure AD) connected apps, both cloud and on-premises, through the Microsoft Authenticator app can help you replace passwords with a more secure, multi-factor sign-in that can reduce compromise by 99.9 percent and significantly simplify the user experience. Watch the Ignite session: Getting to a world without passwords.

We also announced two powerful new features in our set of identity governance capabilities for Azure AD to help automate the process of granting access to employees and partners: Entitlement Management and My Access. Watch the Ignite session: Govern access to your resources with Azure AD identity governance. And read more about identity and access management announcements.

Information protection

As you move more of your workloads to the cloud, meeting information security and compliance standards needs a new approach. Azure is the first cloud platform to offer confidentiality and integrity of data while in use, adding to the protections already in place that help keep your data secure in transit and at rest. Azure confidential computing benefits are available soon on a new DC series of virtual machines in Azure, enabling trusted execution environments using Intel SGX chipsets to protect data while it's being computed. Watch the Ignite session: Protection by design: Intel SGX and Azure Confidential Computing.

We've also rolled out a new unified labeling experience in the Security & Compliance Center in Microsoft 365 that delivers a single, integrated approach to creating data sensitivity and data retention labels. You can preview new labeling capabilities that are built into Office apps across all major platforms and new extensions of labeling and protection capabilities to include PDFs. The Microsoft Information Protection SDK, now generally available, enables other software creators to enhance and build applications that understand, apply, and act on Microsoft sensitivity labels so you can have more cohesive information protection. Read more about the information protection announcements and watch the Ignite session.

Threat protection

Microsoft Threat Protection, announced at Ignite last week, is an integrated experience for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure. This new integration in the Microsoft 365 admin console combines signal across all of Office 365 Advanced Threat Protection (ATP), Windows Defender ATP, Microsoft Cloud App Security, Azure AD Identity Protection, and the Azure Security Center to help you secure across your digital estate. The portal not only provides alerts and monitoring of threats, but also gives you the ability to make real-time policy changes to help your security strategy stay ahead of changing threats. Read more about Microsoft Threat Protection or watch the Ignite session.

Microsoft Cloud App Security can now leverage the traffic information collected by Windows Defender Advanced Threat Protection about the cloud apps and services being accessed from IT-managed Windows 10 devices. This native integration provides admins a more complete view of cloud usage in their organization and easier investigative work. Read more about this integration or watch the Ignite session.

Security management

To help you strengthen your security posture, you'll want to understand your current position and where to go from there. Microsoft Secure Score is the only dynamic report card for cybersecurity. Organizations that use the Secure Score assessments and recommendations typically reduce their chance of a breach by 30-fold. Microsoft Secure Score provides guidance to improve your security posture. For example, Secure Score can recommend taking steps to secure your admin accounts with Multi-Factor Authentication (MFA), secure users' accounts with MFA, and turn off client-side email forwarding rules. Starting today, we're expanding Secure Score to cover all of Microsoft 365. We are also introducing Secure Score for hybrid cloud workloads in the Azure Security Center, so you can have full visibility across your organization's entire estate. Read more about Microsoft Secure Score or watch the Ignite session.

Unified endpoint management

Customers using System Center Configuration Manager and Microsoft Intune to manage their existing infrastructure benefit immediately from the scale, reliability, and security of the cloud. We announced new capabilities for unified endpoint management (UEM) at Ignite to empower IT to secure your data across a variety of devices and platforms, and to help you deliver intuitive and native user experiences for Windows 10, iOS, and Android devices. Read more about all the UEM advancements or watch the Ignite session.

Looking ahead

Working closely with customers is at the center of our ability to innovate and evolve our security technologies. Ignite is a top-notch opportunity to build security community. It doesn't stop there though. We are always interested in your feedback as we roll out new capabilities, so do join us and have your voice heard via the Tech Community.

The post Ignite 2018 highlights: passwordless sign-in, confidential computing, new threat protection, and more appeared first on Microsoft Secure.

Categories: cybersecurity

Collaborate securely

October 1st, 2018 No comments

This is a blog series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Protecting user identities, the fourth blog in our eight-blog series on deploying Intelligent Security Scenarios.

Image taken at the Microsoft Ignite Conference.

Your users can create, edit, and share a single document securely, even when working with multiple stakeholders, both inside and outside of your company. With Microsoft security solutions, users can identify, classify, track, and protect documents to prevent leaks and block access by unauthorized readers. These security measures travel with the document, making it easy and much less risky for stakeholders to download files.

How can I make it easier for groups of people to securely work on the same document?

Provide a common, secure identity for your employees, by first importing their user identities into Azure Active Directory (Azure AD). Then integrate your on-premises directories with Azure AD using Azure AD Connect, which allows you to create a common, secure identity for your users for Microsoft Office 365, Azure, and thousands of other software as a service (SaaS) applications that are integrated with Azure AD.

To make it easy for your employees to work securely with users from other organizations, enable Azure AD B2B collaboration capabilities. Now you can provide access to documents, resources, and applications to your partners while maintaining complete control over your own corporate data (see Figure 1). For your customers, Azure AD B2C lets you build identities on Windows, Android, and iOS devices, or for the web, and allow your customers’ users to sign in with their existing social accounts or personal emails.

Infographic detailing Azure Active Directory security.

Figure 1. Azure AD B2B collaboration enables organizations using Azure AD to work securely with users from other organizations while maintaining control over their own corporate data.

How can I protect organizational data when my users view, edit, and share documents?

Azure Information Protection enables you to configure policies and label a document to control who can see, edit, or share it. For example, a user could apply a Confidential label to a sensitive document that would then prevent it from being shared externally. You can also track who opened a document and where, and then determine what that person can do with the document after it's opened.

With Microsoft Data Loss Prevention (DLP) in Microsoft Exchange, you can take your information protection one step further and create rules that automatically identify sensitive content and apply the appropriate policy. For example, you can identify any document containing a credit card number that's stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

In addition to DLP, OneDrive for Business offers its own set of options for protecting and controlling the flow of organizational information. For example, you can block file syncing on unmanaged devices, audit actions on OneDrive for Business files, and use mobile device management policies to manage any device that connects to your organization's OneDrive for Business account. You can control as much or as little of your employee permissions as you need to.

How can I protect email?

The same Microsoft DLP capabilities above can be applied to email on Exchange Online to better control data in email and prevent accidental data leaks. Use Office 365 Message Encryption for email sent via Yahoo!, Gmail, and other email services. Email message encryption helps you make sure that only intended recipients can view message content. Office 365 administrators can define message flow rules to determine the conditions for encryption. For example, a rule can require the encryption of all messages addressed to a specific recipient.
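The two examples given above, a DLP rule that finds credit card numbers in the OneDrive for Business sites of specific people and a message flow rule that encrypts every message addressed to one recipient, expressed in PowerShell as an added example that is not from the post. It assumes a Security & Compliance PowerShell session and an Exchange Online PowerShell session are already connected; the site URLs, mailbox addresses and rule names are placeholders.

```powershell
# Added example, not Microsoft's own deployment script.
# Assumes Connect-IPPSSession and Connect-ExchangeOnline have already been run.

# 1. DLP scoped to two users' OneDrive for Business sites (placeholder URLs).
#    Start in test mode so matches are reported before any access is blocked.
$oneDriveSites = @(
    "https://contoso-my.sharepoint.com/personal/alice_contoso_com",
    "https://contoso-my.sharepoint.com/personal/bob_contoso_com"
)

New-DlpCompliancePolicy -Name "OneDrive credit card audit" `
    -OneDriveLocation $oneDriveSites `
    -Mode TestWithoutNotifications

# Built-in sensitive information type "Credit Card Number"; one match is enough.
New-DlpComplianceRule -Name "Credit card number in OneDrive" `
    -Policy "OneDrive credit card audit" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -GenerateIncidentReport "secops@contoso.example" `
    -ReportSeverityLevel Medium

# 2. Message flow rule: every message sent to this external recipient
#    (placeholder address) is encrypted with the built-in "Encrypt" template.
New-TransportRule -Name "Encrypt mail to partner auditor" `
    -SentTo "auditor@partner.example" `
    -ApplyRightsProtectionTemplate "Encrypt"
```

Switch the policy to -Mode Enable only after reviewing the incident reports from the test period.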

Deployment tips from our experts

Start by provisioning employee identities in Azure AD. Identity is the foundation for secure collaboration. Your first step is to import employee identities into Azure AD and then integrate your on-premises directories with Azure Active Directory using Azure AD Connect.

Collaborate securely with other organizations. With Azure AD B2B and Azure AD B2C capabilities, you can work securely with customers and partners.

Protect documents and emails. Help protect information through access control, classification, and labeling that extend to shared documents and external stakeholders with Azure Information Protection. Then define message flow rules in Office 365 Message Encryption to determine the conditions for email encryption.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Collaborate and share documents securely in real-time. You can find additional security resources on

Coming soon! Productive and Secure, the sixth installment of our Deploying Intelligent Scenarios series. In November, we will kick off a new series, Top 10 Security Deployment Actions with Microsoft 365 Security.

More blog posts from this series

The post Collaborate securely appeared first on Microsoft Secure.

Categories: cybersecurity