Archive for November, 2019

Gartner Names Microsoft a Leader in the 2019 Enterprise Information Archiving (EIA) Magic Quadrant

November 26th, 2019

We often hear from customers about the explosion of data, and the challenge this presents for organizations in remaining compliant and protecting their information. We’ve invested in capabilities across the landscape of information protection and information governance, inclusive of archiving, retention, eDiscovery and communications supervision. In Gartner’s annual Magic Quadrant for Enterprise Information Archiving (EIA), Microsoft was named a Leader again in 2019.

According to Gartner, “Leaders have the highest combined measures of Ability to Execute and Completeness of Vision. They may have the most comprehensive and scalable products. In terms of vision, they are perceived to be thought leaders, with well-articulated plans for ease of use, product breadth and how to address scalability.” We believe this recognition represents our ability to provide best-in-class protection and deliver on innovations that keep pace with today’s compliance needs.

This recognition comes at a great point in our product journey. We are continuing to invest in solutions that are integrated into Office 365 and address information protection and information governance needs of customers. Earlier this month, at our Ignite 2019 conference, we announced updates to our compliance portfolio including new data connectors, machine learning powered governance, retention, discovery and supervision – and innovative capabilities such as threading Microsoft Teams or Yammer messages into conversations, allowing you to efficiently review and export complete dialogues with context, not just individual messages. In customer conversations, many of them say these are the types of advancements that are helping them be more efficient with their compliance requirements, without impacting end-user productivity.

Learn more

Read the complimentary report for the analysis behind Microsoft’s position as a Leader.

For more information about our Information Archiving solution, visit our website and stay up to date with our blog.

Gartner Magic Quadrant for Enterprise Information Archiving, Julian Tirsu, Michael Hoeck, 20 November 2019.

*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

The post Gartner Names Microsoft a Leader in the 2019 Enterprise Information Archiving (EIA) Magic Quadrant appeared first on Microsoft Security.


Insights from one year of tracking a polymorphic threat

November 26th, 2019

A little over a year ago, in October 2018, our polymorphic outbreak monitoring system detected a large surge in reports, indicating that a large-scale campaign was unfolding. We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices. We gave the threat the name “Dexphot,” based on certain characteristics of the malware code.

The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.

In the months that followed, we closely tracked the threat and witnessed the attackers upgrade the malware, target new processes, and work around defensive measures:

Timeline of evolution of Dexphot malware

While Microsoft Defender Advanced Threat Protection’s pre-execution detection engines blocked Dexphot in most cases, behavior-based machine learning models provided protection for cases where the threat slipped through. Given the threat’s persistence mechanisms, polymorphism, and use of fileless techniques, behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors.

Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign. Over time, Dexphot-related malicious behavior reports dropped to a low hum, as the threat lost steam.

Number of machines that encountered Dexphot over time

Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat. More importantly, one year’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot’s authors, but of cybercriminals in general.

Complex attack chain

The early stages of a Dexphot infection involve numerous files and processes. During the execution stage, Dexphot writes five key files to disk:

  1. An installer with two URLs
  2. An MSI package file downloaded from one of the URLs
  3. A password-protected ZIP archive
  4. A loader DLL, which is extracted from the archive
  5. An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing

Except for the installer, the other processes that run during execution are legitimate system processes. This can make detection and remediation more difficult. These legitimate system processes include msiexec.exe (for installing MSI packages), unzip.exe (for extracting files from the password-protected ZIP archive), rundll32.exe (for loading the loader DLL), schtasks.exe (for scheduled tasks), powershell.exe (for forced updates). In later stages, Dexphot targets a few other system processes for process hollowing: svchost.exe, tracert.exe, and setup.exe.

Dexphot attack chain

Multiple layers of security evasion

Based on Microsoft Defender ATP signals, SoftwareBundler:Win32/ICLoader and its variants are primarily used to drop and run the Dexphot installer. The installer uses two URLs to download malicious payloads. These are the same two URLs that Dexphot uses later to establish persistence, update the malware, and re-infect the device.

The installer downloads an MSI package from one of the two URLs, and then launches msiexec.exe to perform a silent install. This is the first of several instances of Dexphot employing living-off-the-land techniques, the use of legitimate system processes for nefarious purposes.

Dexphot’s package often contains an obfuscated batch script. If the package contains this file, the script is the first thing that msiexec.exe runs when it begins the installation process. This obfuscated script is designed to check for antivirus products; Dexphot halts the infection process immediately if an antivirus product is found running.

When we first began our research, the batch script only checked for antivirus products from Avast and AVG. Later, Windows Defender Antivirus was added to the checklist.

If the process is not halted, Dexphot decompresses the password-protected ZIP archive from the MSI package. The password to this archive is within the MSI package. Along with the password, the malware’s authors also include a clean copy of unzip.exe so that they don’t have to rely on the target system having a ZIP utility. That copy of unzip.exe is usually renamed, for example to z.exe or ex.exe, to avoid scrutiny.

The ZIP archive usually contains three files: the loader DLL, an encrypted data file (usually named bin.dat), and, often, one clean unrelated DLL, which is likely included to mislead detection.

Dexphot usually extracts the decompressed files to the target system’s Favorites folder. The files are given new, random names, which are generated by concatenating words and numbers based on the time of execution (for example, C:\Users\<user>\Favorites\\Res.Center.ponse\<numbers>). The commands to generate the new names are also obfuscated, for example:

Msiexec.exe next calls rundll32.exe, specifying the loader DLL (urlmon.7z in the example above) in order to decrypt the data file. The decryption process involves ADD and XOR operations, using a key hardcoded in the binary.

The decrypted data contains three executables. Unlike the files described earlier, these executables are never written to the filesystem. Instead, they exist only in memory, and Dexphot runs them by loading them into other system processes via process hollowing.

Stealthy execution through fileless techniques

Process hollowing is a technique that can hide malware within a legitimate system process. It replaces the contents of the legitimate process with malicious code. Detecting malicious code hidden using this method is not trivial, so process hollowing has become a prevalent technique used by malware today.

This method has the additional benefit of being fileless: the code can be run without actually being saved on the file system. Not only is it harder to detect the malicious code while it’s running, it’s harder to find useful forensics after the process has stopped.

To initiate process hollowing, the loader DLL targets two legitimate system processes, for example svchost.exe or nslookup.exe, and spawns them in a suspended state. The loader DLL replaces the contents of these processes with the first and second decrypted executables. These executables are monitoring services for maintaining Dexphot’s components. The now-malicious processes are released from suspension and run.

Next, the loader DLL targets the setup.exe file in SysWoW64. It removes setup.exe’s contents and replaces them with the third decrypted executable, a cryptocurrency miner. Although Dexphot always uses a cryptocurrency miner of some kind, it’s not always the same miner. It used different programs like XMRig and JCE Miner over the course of our research.

Persistence through regularly scheduled malware updates

The two monitoring services simultaneously check the status of all three malicious processes. Having dual monitoring services provides redundancy in case one of the monitoring processes is halted. If any of the processes are terminated, the monitors immediately identify the situation, terminate all remaining malicious processes, and re-infect the device. This forced update/re-infection process is started by a PowerShell command similar to the one below:

The monitoring components also detect freshly launched cmd.exe processes and terminate them promptly. As a final fail-safe, Dexphot uses schtasks.exe to create scheduled tasks, with the command below.

This persistence technique is interesting because it employs two distinct MITRE ATT&CK techniques: Scheduled Task (T1053) and Signed Binary Proxy Execution (T1218).

The scheduled tasks call msiexec.exe as a proxy to run the malicious code, much like how msiexec.exe was used during installation. Using msiexec.exe, a legitimate system process, can make it harder to trace the source of malicious activity.

Furthermore, the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run. They automatically update all of Dexphot’s components, both upon system reboot as well as every 90 or 110 minutes while the system is running.

Dexphot also generates the names for the tasks at runtime, which means a simple block list of hardcoded task names will not be effective in preventing them from running. The names are usually in a GUID format, although after we released our first round of Dexphot-blocking protections, the threat authors began to use random strings.

The threat authors have one more evasion technique for these scheduled tasks: some Dexphot variants copy msiexec.exe to an arbitrary location and give it a random name, such as %AppData%\<random>.exe. This makes the system process running malicious code a literal moving target.
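The hunting logic a defender would run against this persistence pattern, as an added example that is not part of the original post: it scores scheduled-task records against the traits described above (msiexec.exe, or a renamed copy of it in a user-writable directory, silently installing an MSI from a URL; a GUID-formatted task name outside the \Microsoft\ folder; a boot trigger plus a 60-120 minute repeat) and flags a task only when two or more traits coincide. The task records, names, paths and URLs are constructed for the example; on a live host they would come from `schtasks /query /fo CSV /v` or Get-ScheduledTask.

```python
import re

# Constructed scheduled-task records, shaped like the fields that
# `schtasks /query /fo CSV /v` or Get-ScheduledTask expose on a live host.
# Every name, path and URL below is invented for this example; none is a Dexphot IoC.
SAMPLE_TASKS = [
    {   # benign: Microsoft task under the \Microsoft\ folder
        "name": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Cache Maintenance",
        "exe": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
        "args": "-IdleTask -TaskName WdCacheMaintenance",
        "interval_minutes": None, "on_boot": False,
    },
    {   # benign: a vendor updater that installs a local MSI once a day
        "name": "\\ExampleVendorUpdater",
        "exe": "C:\\Windows\\System32\\msiexec.exe",
        "args": "/i \"C:\\ProgramData\\ExampleVendor\\update.msi\" /qn",
        "interval_minutes": 1440, "on_boot": False,
    },
    {   # Dexphot-style: GUID name, system msiexec pulling an MSI over HTTPS at boot and every 90 min
        "name": "{3F2A9C1E-7B4D-4E08-9A61-2C5D8E0F1B27}",
        "exe": "C:\\Windows\\System32\\msiexec.exe",
        "args": "/i https://payload.example.invalid/qwhfuiwe.oqx /q",
        "interval_minutes": 90, "on_boot": True,
    },
    {   # Dexphot-style variant: msiexec copied to %AppData% under a random name, random task name
        "name": "qpoewurhzx",
        "exe": "C:\\Users\\alice\\AppData\\Roaming\\kjwehfq.exe",
        "args": "/i https://payload.example.invalid/zxmcnvbi.pdi /q",
        "interval_minutes": 110, "on_boot": True,
    },
]

URL_RE = re.compile(r"\bhttps?://\S+", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
MSI_INSTALL_RE = re.compile(r"(?:^|\s)/i\s+", re.I)          # msiexec /i <package>
MSI_QUIET_RE = re.compile(r"(?:^|\s)/q[nb]?(?:\s|$)", re.I)   # msiexec /q, /qn, /qb
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def task_indicators(task):
    """Return the Dexphot-style indicators that one scheduled-task record trips."""
    exe = task["exe"].strip('"').lower()
    exe_name = exe.rsplit("\\", 1)[-1]
    args = task["args"]
    has_url = bool(URL_RE.search(args))
    msi_style = bool(MSI_INSTALL_RE.search(args)) and bool(MSI_QUIET_RE.search(args))
    hits = []
    if exe_name == "msiexec.exe" and has_url:
        hits.append("msiexec.exe installs a package fetched from a URL")
    if exe_name == "msiexec.exe" and not exe.startswith(SYSTEM_DIRS):
        hits.append("msiexec.exe runs from outside System32/SysWOW64")
    if exe_name != "msiexec.exe" and msi_style and has_url:
        hits.append("msiexec-style '/i <url> /q' arguments given to a non-msiexec binary")
    if any(d in exe for d in USER_WRITABLE):
        hits.append("task action lives in a user-writable directory")
    leaf = task["name"].rsplit("\\", 1)[-1]
    if GUID_RE.match(leaf) and not task["name"].lower().startswith("\\microsoft\\"):
        hits.append("GUID-formatted task name outside the \\Microsoft\\ folder")
    interval = task["interval_minutes"]
    if task["on_boot"] and interval is not None and 60 <= interval <= 120:
        hits.append("runs at boot and again every 60-120 minutes")
    return hits


def hunt(tasks, min_hits=2):
    """Map task name -> indicators for every task tripping at least min_hits indicators."""
    flagged = {}
    for task in tasks:
        hits = task_indicators(task)
        if len(hits) >= min_hits:
            flagged[task["name"]] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_TASKS).items():
        print(name)
        for hit in hits:
            print("   -", hit)
```

The two-indicator threshold is deliberate: a lone GUID-named task or a lone msiexec task installing from a URL is common enough in enterprise fleets to be noise, but a renamed binary taking msiexec arguments, or msiexec fetching from the web on a boot-plus-hourly schedule, is the combination the text describes and is worth pulling the task XML and the downloaded MSI for.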

Polymorphism

Dexphot exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI package used in the campaign contains different files from one sample to the next, as shown in the table below. The MSI packages generally include a clean copy of unzip.exe, a password-protected ZIP file, and a batch file that checks for currently installed antivirus products. However, the batch file is not always present, and the names of the ZIP files and loader DLLs, as well as the password for extracting the ZIP file, all change from one package to the next.

In addition, the contents of each loader DLL differ from package to package, as does the encrypted data included in the ZIP file. This leads to the generation of a different ZIP archive and, in turn, a unique MSI package, each time the attacker bundles the files together. Because of these carefully designed layers of polymorphism, a traditional file-hash detection approach wouldn’t be effective against Dexphot.


MSI package ID | Unzip.exe name | ZIP file name   | Batch file name | ZIP password     | Loader DLL file name | Encrypted data name
MSI-1          | ex.exe         | webUI.r0_       | f.bat           | kjfhwehjkf       | IECache.dll          | bin.dat
MSI-2          | ex.exe         | analog.tv       | f.bat           | ZvDagW           | kernel32.bin         | bin.dat
MSI-3          | z.exe          | yandex.zip      | f.bat           | jeremy           | SetupUi.dll          | bin.dat
MSI-4          | unzip.exe      | ERDNT.LOC.zip   | -               | iso100           | ERDNT.LOC            | data.bin
MSI-5          | pck.exe        | mse.zip         | -               | kika             | _steam.dll           | bin.dat
MSI-6          | z.exe          | msi.zip         | -               | arima            | ic64.dll             | bin.dat
MSI-7          | z.exe          | mse.zip         | f.bat           | kika             | _steam.dll           | bin.dat
MSI-8          | z.exe          | mse.zip         | -               | kika             | _steam.dll           | bin.dat
MSI-9          | z.exe          | yandex.zip      | f.bat           | jeremy           | SetupUi.dll          | bin.dat
MSI-10         | hf.exe         | update.dat      | f.bat           | namr             | x32Frame.dll         | data.bin
MSI-11         | z.exe          | yandex.zip      | f.bat           | jeremy           | SetupUi.dll          | bin.dat
MSI-12         | unzip.exe      | PkgMgr.iso.zip  | -               | pack             | PkgMgr.iso           | data.bin
MSI-13         | ex.exe         | analog.tv       | f.bat           | kjfhwefkjwehjkf  | urlmon.7z            | bin.dat
MSI-14         | ex.exe         | icon.ico        | f.bat           | ZDADW            | default.ocx          | bin.dat
MSI-15         | hf.exe         | update.dat      | -               | namr             | AvastFileRep.dll     | data.bin
MSI-16         | pck.exe        | mse.zip         | f.bat           | kika             | _steam.dll           | bin.dat
MSI-17         | z.exe          | mse.zip         | f.bat           | joft             | win2k.wim            | bin.dat
MSI-18         | ex.exe         | plugin.cx       | f.bat           | ZDW              | _setup.ini           | bin.dat
MSI-19         | hf.exe         | update.dat      | -               | namr             | AvastFileRep.dll     | data.bin
MSI-20         | ex.exe         | installers.msu  | f.bat           | 000cehjkf        | MSE.Engine.dll       | bin.dat
MSI-21         | z.exe          | msi.zip         | f.bat           | arima            | ic64.dll             | bin.dat
MSI-22         | z.exe          | archive00.x     | f.bat           | 00Jmsjeh20       | chrome_watcher.dll   | bin.dat

(The Unzip.exe, ZIP and batch file columns are the MSI package contents; the loader DLL and encrypted data columns are the contents of the encrypted ZIP. A dash in the batch file column means that package shipped no antivirus-check script.)

A multitude of payload hosts

Besides tracking the files and processes that Dexphot uses to execute an attack, we have also been monitoring the domains used to host malicious payloads. The URLs used for hosting all follow a similar pattern. The domain address usually ends in a .info or .net TLD, while the file name for the actual payload consists of random characters, similar to the randomness previously seen being used to generate file names and scheduled tasks. Some examples from our research are shown in the table below.


Scheduled task name                    | Download URL
hboavboja                              | https://supe********709.info/xoslqzu.pdi
{C0B15B19-AB02-0A10-259B-1789B8BD78D6} | https://fa*****r.com/jz5jmdouv4js.uoe
ytiazuceqeif                           | https://supe********709.info/spkfuvjwadou.bbo
beoxlwayou                             | https://rb*****.info/xgvylniu.feo
{F1B4C720-5A8B-8E97-8949-696A113E8BA5} | https://emp*******winc.com/f85kr64p1s5k.naj
gxcxhbvlkie                            | https://gu*****me.net/ssitocdfsiu.pef
{BE7FFC87-6635-429F-9F2D-CD3FD0E6DA51} | https://sy*****.info/pasuuy/xqeilinooyesejou.oew
{0575F553-1277-FB0F-AF67-EB649EE04B39} | https://sumb*******on.info/gbzycb.kiz
gposiiobhkwz                           | https://gu*****me.net/uyuvmueie.hui
{EAABDEAC-2258-1340-6375-5D5C1B7CEA7F} | https://refr*******r711.info/3WIfUntot.1Mb
zsayuuec                               | https://gu*****me.net/dexaeuioiexpyva.dil
njibqhcq                               | https://supe********709.info/aodoweuvmnamugu.fux
{22D36F35-F5C2-29D3-1CF1-C51AC19564A4} | https://pr*****.info/ppaorpbafeualuwfx/hix.ayk
qeubpmnu                               | https://gu*****me.net/ddssaizauuaxvt.cup
adeuuelv                               | https://supe********709.info/tpneevqlqziee.okn
{0B44027E-7514-5EC6-CE79-26EB87434AEF} | https://sy*****.info/huauroxaxhlvyyhp/xho.eqx
{5A29AFD9-63FD-9F5E-F249-5EC1F2238023} | https://refr*******r711rb.info/s28ZXoDH4.78y
{C5C1D86D-44BB-8EAA-5CDC-26B37F92E411} | https://fa*****r.com/rbvelfbflyvf.rws

Many of the URLs listed were in use for an extended period. However, the MSI packages hosted at each URL are frequently changed or updated. In addition, every few days more domains are generated to host more payloads. After a few months of monitoring, we were able to identify around 200 unique Dexphot domains.
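A log-side counterpart to the host indicators, as an added example that is not part of the original post: it scores proxy-log URLs against the hosting pattern described above (a .info or .net top-level domain, a random-looking file name, an unrecognised short extension) and flags a request only when two or more traits coincide, so ordinary .net CDNs and .info sites with human-readable paths pass. The log lines, hosts and paths are constructed for the example; the redacted hosts in the table are not reproduced, and the "random-looking" test is a heuristic (consonant runs, mixed letters and digits, odd vowel ratio), not a classifier.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
# Hosts and paths are invented for this example; they are not Dexphot indicators.
SAMPLE_LOG = """\
2019-11-20T10:01:07Z 10.0.0.15 GET https://www.microsoft.com/en-us/download/details.aspx?id=12345 200
2019-11-20T10:01:09Z 10.0.0.15 GET https://cdn.example.net/static/app.min.js 200
2019-11-20T10:02:41Z 10.0.0.23 GET https://superfastdl709.info/xoslqzu.pdi 200
2019-11-20T11:32:44Z 10.0.0.23 GET https://gumblrme.net/ddssaizauuaxvt.cup 200
2019-11-20T11:33:01Z 10.0.0.40 GET https://reports.example.info/2019/q4-summary.pdf 200
2019-11-20T13:12:58Z 10.0.0.23 GET https://refreshr711.info/3WIfUntot.1Mb 200
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SUSPECT_TLDS = {"info", "net"}
# Extensions a proxy sees constantly; anything short and alphanumeric outside this set is unusual.
KNOWN_EXT = {"html", "htm", "js", "css", "png", "jpg", "jpeg", "gif", "svg", "ico", "woff",
             "woff2", "pdf", "zip", "msi", "msu", "cab", "exe", "dll", "json", "xml", "txt",
             "aspx", "php", "asp", "jsp", "mp4", "webp", "map"}
VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic for machine-generated file names: 6+ letters/digits only, and either
    letters mixed with digits, a run of 4+ consonants, or an unusual vowel ratio."""
    if not re.fullmatch(r"[A-Za-z0-9]{6,}", name):
        return False
    lower = name.lower()
    mixed = any(c.isdigit() for c in lower) and any(c.isalpha() for c in lower)
    consonant_run = max(len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", lower) or [""])
    letters = [c for c in lower if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return mixed or consonant_run >= 4 or not 0.25 <= vowel_ratio <= 0.55


def url_indicators(url):
    """Return the Dexphot-hosting traits a single URL exhibits."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1]
    fname = parts.path.rsplit("/", 1)[-1]
    if "." in fname:
        base, _, ext = fname.rpartition(".")
    else:
        base, ext = fname, ""
    hits = []
    if tld in SUSPECT_TLDS:
        hits.append(f".{tld} top-level domain")
    if ext and ext.lower() not in KNOWN_EXT and re.fullmatch(r"[A-Za-z0-9]{2,4}", ext):
        hits.append(f"unrecognised short extension .{ext}")
    if looks_random(base):
        hits.append("random-looking file name")
    return hits


def hunt_log(text, min_hits=2):
    """Map URL -> indicators for every log line whose URL trips at least min_hits traits."""
    flagged = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = m.group(4)
        hits = url_indicators(url)
        if len(hits) >= min_hits:
            flagged[url] = hits
    return flagged


if __name__ == "__main__":
    for url, hits in hunt_log(SAMPLE_LOG).items():
        print(url, "->", "; ".join(hits))
```

The point of scoring rather than matching is exactly the one the text makes about the domains: with new hosts appearing every few days, a block list of the 200 known domains lags the campaign, whereas the shape of the URL (odd TLD, random base name, three-letter nonsense extension) persisted across all of them and survives the next rotation. Flagged URLs are leads for pulling the downloaded MSI, not verdicts.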

Conclusion: Dynamic, comprehensive protection against increasingly complex everyday threats

Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.

To combat threats, several next-generation protection engines in Microsoft Defender Advanced Threat Protection’s antivirus component detect and stop malicious techniques at multiple points along the attack chain. For Dexphot, machine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe, stopping the attack chain in its early stages. Memory scans detect and terminate the loading of malicious code hidden by process hollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands.

Behavioral blocking and containment capabilities are especially effective in defeating Dexphot’s fileless techniques, detection evasion, and persistence mechanisms, including the periodic and boot-time attempts to update the malware via scheduled tasks. Given the complexity of the attack chain and of Dexphot’s persistence methods, we also released a remediation solution that prevents re-infection by removing the malware’s artifacts.

Microsoft Defender ATP solutions for Dexphot attack

The detection, blocking, and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center, where Microsoft Defender ATP’s rich capabilities like endpoint detection and response, automated investigation and remediation, and others enable security operations teams to investigate and remediate attacks in enterprise environments. With these capabilities, Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day.


Sample indicators of compromise (IoCs)

Installer (SHA-256):
72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f

MSI files (SHA-256):
22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3
65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a
ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88

Loader DLLs  (SHA-256):
537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e
504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5
aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152


Hazel Kim

Microsoft Defender ATP Research Team



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.


The post Insights from one year of tracking a polymorphic threat appeared first on Microsoft Security.

Going in-depth on the Windows 10 random number generation infrastructure

November 25th, 2019

Throughout the years, we’ve had ongoing conversations with researchers, developers, and customers around our implementation of certain security features within the Windows operating system. Most recently, we have open-sourced our cryptography libraries as a way to contribute and show our continued support to the security community.

For our most recent contribution, we have decided to go in-depth on our implementation of pseudo-random number generation in Windows 10.

We are happy to release to the public The Windows 10 random number generation infrastructure white paper.

This whitepaper explores details about the Windows 10 pseudo-random number generator (PRNG) infrastructure, and lists the primary RNG APIs. The whitepaper also explains how the entropy system works, what the entropy sources are, and how initial seeding works.

We expect academic and security researchers, as well as operating system developers and people with an in-depth understanding of random number generation, to get the most value out of this whitepaper. Note: Some of the terminology used in this whitepaper assumes prior knowledge of random number generators and entropy collection terms.

We welcome and look forward to your feedback on this whitepaper and the technologies it describes in the comments below. We also appreciate any reports of security vulnerabilities that you may find in our implementation.


The post Going in-depth on the Windows 10 random number generation infrastructure appeared first on Microsoft Security.

Rethinking cyber learning—consider gamification

November 25th, 2019

As promised, I’m back with a follow-up to my recent post, Rethinking how we learn security, on how we need to modernize the learning experience for cybersecurity professionals by gamifying training to make learning fun. Some of you may have attended the recent Microsoft Ignite events in Orlando and Paris. I missed the conferences (ironically, due to attending a cybersecurity certification boot camp) but heard great things about the Microsoft/Circadence joint Into the Breach capture the flag exercise.

If you missed Ignite, we’re planning several additional Microsoft Ignite The Tour events around the world, where you’ll be able to try your hand at this capture the flag experience. Look for me at the Washington, DC event in early February.

In the meantime, due to the great feedback I received from my previous blog—which I do really appreciate, especially if you have ideas for how we should tackle the shortage of cyber professionals—I’ll be digging deeper into the mechanics of learning to understand what it really takes to learn cyber in today’s evolving landscape.

Today, I want to address the important questions of how a new employee could actually ramp up their learning, and how employers can prepare employees for success and track the efficacy of the learning curriculum. Once again, I’m pleased to share this post with Keenan Skelly, chief evangelist at Boulder, Colorado-based Circadence.

Here are some of her recommendations from our Q&A:

Q: Keenan, in our last blog, you discussed Circadence’s “Project Ares” cyber learning platform. How do new cyber practitioners get started on Project Ares?

A: The way that Project Ares is set up allows for a user to acquire a variety of different skill levels when launched. It’s important to understand what kind of work roles you’re looking to learn about as a user as well as what kinds of tools you’re looking to understand better before you get started on Project Ares. For example, if I were to take some of my Girls Who Code or Cyber Patriot students and put them into the platform, I would probably have them start in the Battle School. This is where they’re going to learn about basic cybersecurity fundamentals such as ports and protocols, regular expressions, and the cyber kill chain. Then they can transition into Battle Rooms, where they’ll start to learn about very specific tools, tactics, and procedures or TTPs, for a variety of different work roles. If you’re a much more skilled cyber ninja, however, you can probably go ahead and get right into Missions, but we do recommend that everyone who comes into Project Ares does some work in the Battle Rooms first, specifically if they are trying to learn a tool or a skill for their work role.

Project Ares also has a couple of different routes that an expert or an enterprising cybersecurity professional can come into that’s really focused more on their role. For example, we have an assessments area based entirely on the work role. This aligns to the NIST framework and the NICE cybersecurity work roles. For example, if you’re a network defender, you can come into that assessment pathway and have steps laid out before you to identify your skill level in that role as you see below:

Assessment pathway.

Q: What areas within Project Ares do you recommend for enterprise cyber professionals to train against role-based job functions and prepare for cyber certifications?

A: You might start with something simple like understanding very basic things about your work role through a questionnaire in the Battle School arena as seen in the illustrations below. You may then move into a couple of Battle Rooms that tease out very detailed skills in tools that you would be using for that role. And then eventually you’ll get to go into a mission by yourself, and potentially a mission with your entire team to really certify that you are capable in that work role. All this practice helps prepare professionals to take official cyber certifications and exams.

Battle School questionnaire.

Battle School mission.

Q: Describe some of the gamification elements in Project Ares and share how it enhances cyber learning.

A: One of the best things about Project Ares is gamification. Everyone loves to play games, whether it’s on your phone playing Angry Birds, or on your computer or gaming console. So we really tried to put a lot of gaming elements inside Project Ares. Since everything is scored within Project Ares, everything you do from learning about ports and protocols, to battle rooms and missions, gives you experience points. Experience points add up to skill badges. All these things make learning more fun for the user. For example, if you’re a defender, you might have skill badges in infrastructure, network design, network defense, etc. And the way Project Ares is set up, once you have a certain combination of those skill badges you can earn a work role achievement certificate within Project Ares.

This kind of thing is taken very much from Call of Duty and other types of games where you can really build up your skills by doing a very specific skill-based activity and earn points towards badges. One of the other things that is great about Project Ares is it’s quite immersive. For example, Missions allows a user to come into a specific cyber situation or cyber response situation (e.g., water treatment plant cyberattack) and have multimedia effects that demonstrate what is going on, very much reflective of that cool-guy video look. Being able to talk through challenges in the exercises with our in-game advisor, Athena, adds another element to the learning experience as shown in the illustration below.

Athena was inspired by the trends of personal assistants like Cortana and other such AI-bots, which have been integrated into games. So things like chat bots, narrative storylines, and skill badges are super important for really immersing the individual in the process. It’s so much more fun, and easier to learn things in this way, as opposed to sitting through a static presentation or watching someone on a video and trying to learn the skill passively.

Athena—the in-game advisor.

Q: What kinds of insights and reporting capability can Project Ares deliver to cyber team supervisors and C-Suite leaders to help them assess cyber readiness?

A: Project Ares offers a couple great features that are good for managers, all the way up to the C-Suite, who are trying to understand how their cybersecurity team is doing. The first one is called Project Ares Trainer View. This is where a supervisor or manager can jump into the Project Ares environment, with the students or with the enterprise team members, and observe in a couple of different ways.

The instructor or the manager can jump into the environment as Athena, so the user doesn’t know that they are there. They can then provide additional insight or help that is needed to a student. A supervisor or leader can also jump in as the opponent, which gives them the ability to see someone who is just breezing by everything and maybe make it a little more challenging. Or they can just observe and leave comments for the individuals. This piece is really helpful when we’re talking about managers who are looking to understand their team’s skill level in much more detail.

The other piece of this is a product we have coming out soon called Dendrite, an analytics tool that looks at everything that happens in Project Ares. We record all the keystrokes and chats a user had with Athena or with any other team members while in a mission or battle room. Cyber team leads can then see what’s going on. Users can see what they’re doing well, and not doing well. This feedback can be provided up to the manager level, the senior manager level, and even to the C-Suite level to demonstrate exactly where that individual is in their particular skill path. It helps the cyber team leads understand what tools are being used appropriately and which tools are not being used appropriately.

For example, if you’re a financial institution and you paid quite a bit of money for Tanium, but upon viewing tool use in Dendrite you find that no one is using it, that might prompt you to rethink your strategy on how to use tools in your organization or look at how you train your folks to use those tools. These types of insights are absolutely critical if you want to understand the best way to grow the individual in cybersecurity and make sure they’re really on top of their game.

The Dendrite assessment and analysis solution.

Q: How can non-technical employees improve their cyber readiness?

A: At Circadence, we don’t just provide learning capabilities for advanced cyber warriors. For mid-range people just coming into the technical side of cybersecurity, we have an entire learning path that starts with a product called inCyt. Now, inCyt is a very fun browser-based game of strategy where players have some hackable devices they must protect—like operating systems and phones. Meanwhile, your opponent has the same objective: protect their devices from attacks. Players continually hack each other by gathering intel on their opponent and then launching different cyberattacks. While they’re doing this, players get a fundamental understanding of the cyber kill chain. They learn things like what reconnaissance means to a hacker, what weaponizing means to a hacker, what deploying that weapon means to a hacker, so they can start to recognize that behavior in their everyday interactions online.

Some people ask why this is important and I always say, “I used to be a bomb technician, and there is no possible way I could defuse an IED or nuclear weapon without understanding how those things are put together.” It’s the same kind of concept.

It’s impossible to assume that someone is going to learn cyber awareness by answering some questions or watching a five-minute phishing tutorial after they have already clicked a link in a suspicious email. Those are very reactive ways of learning cyber. inCyt is very proactive. And we want to teach you in-depth understanding of what to look for, not just for phishing but for all the attacks we’re susceptible to. inCyt is also being used by some of our customers as a preliminary gate track for those who are interested in cybersecurity. So if you demonstrate a very high aptitude within inCyt, we would send you over to our CyberBridge portal where you can start learning some of the basics of cybersecurity to see if it might be the right field for you. Within our CyberBridge access management portal, you can then go into Project Ares Academy, which is just a lighter version of Project Ares.

Professional and Enterprise licenses in Project Ares pave more intricate learning pathways for people to advance in learning, from novice to expert cyber defender. You’ll be able to track all metrics of where you started, how far you came, what kind of skill path you’re on, and what kind of skill path you want to be on. Very crucial items for your own work role pathway.

How to close the cybersecurity talent gap

Keenan’s perspective and the solution offered by Project Ares really help us understand how to train security professionals and give them the hands-on experience they require and want. We’re in interesting times, right? With innovations in machine learning and artificial intelligence (AI), we’re increasingly able to pivot from reactive cyber defense to get more predictive. Still, right now we’re facing a cybersecurity talent gap of up to 4 million people, depending on which analyst group you follow. The only way that we’re going to get folks interested in cybersecurity is to make it exactly what we have been talking about: a career-long opportunity to learn.

Make it something that they can attain, they can grow in, and see themselves going from a novice to a leader in an organization. This is tough right now because there are relatively few cybersecurity operators compared to demand, and the operators on the front lines are subject to burnout. With uncertain and undefined career paths beyond tactical SecOps, what is there to look forward to?

We need to get better as a community in cybersecurity, not only protect the cybersecurity defenders that we have already, but also help to bring in new cybersecurity defenders and offenders who are really going to push the boundaries of where we’re at today. This is where we have an excellent and transformational opportunity to introduce more immersive and gamified learning to improve the learning experience and put our people in a position to succeed.

Learn more

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligence security solutions, see Achieve an optimal state of Zero Trust.

You can also watch my full interview with Keenan.

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Rethinking cyber learning—consider gamification appeared first on Microsoft Security.

Customer Guidance for the Dopplepaymer Ransomware

November 20th, 2019 No comments

Microsoft has been investigating recent attacks by malicious actors using the Dopplepaymer ransomware. There is misleading information circulating about Microsoft Teams, along with references to RDP (BlueKeep), as ways in which this malware spreads. Our security research teams have investigated and found no evidence to support these claims. In our investigations we found that the …

The post Customer Guidance for the Dopplepaymer Ransomware appeared first on Microsoft Security Response Center.

Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909

November 20th, 2019 No comments

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1909 (a.k.a., “19H2”), and for Windows Server version 1909. Note that Windows Server version 1909 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option.

Download the content from the Microsoft Security Compliance Toolkit (click Download and select “Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip”).

This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. None of them meet the criteria for inclusion in the baseline (which are reiterated below), but customers interested in controlling the use of USB drives and other devices should be interested in the new and very granular device installation restrictions. More about that later in this post.

The few changes we are making in the baseline since the September update to the version 1903 baselines are to remove a few settings that we have reevaluated: the restrictions on Thunderbolt devices in the BitLocker GPO, the enforcement of the default machine account password expiration for domain-joined systems, and the removal of the previously-recommended Exploit Protection settings.

Baseline criteria

To reiterate, we follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially this:

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks it mitigates.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

For further illustration, see the “Why aren’t we enforcing more defaults?” section in this blog post.

Thunderbolt devices

First published in 2011, Microsoft Knowledge Base article 2516445 describes device installation restrictions for certain types of devices to mitigate DMA threats to BitLocker, including Thunderbolt devices. The BitLocker GPOs in our baselines have included these restrictions. Because Thunderbolt is popular, and newer computers can now mitigate that threat with kernel DMA protection – also in our baseline – we are removing the Thunderbolt restriction from our baseline. Customers on platforms that do not support kernel DMA protection can choose to continue blocking Thunderbolt, but we are no longer including it in our broad recommendations for all customers. For more information, see the KB article linked above and the articles to which it links.

Machine account password expiration

In Active Directory, each domain-joined computer has an Active Directory account with a strong, randomly-generated password. By default, these machine account passwords have a 30-day expiration, and computers automatically change their own passwords without any user involvement. Our baselines have always enforced these defaults. Note that reducing the expiration period will result in additional replication traffic. Also note that unlike with user account passwords, AD doesn’t actually enforce password expiration for computer accounts. Password expiration and change is driven entirely by client systems. The password remains valid until it gets changed, irrespective of how “Domain member: Maximum machine account password age” is configured.

A problem that occasionally crops up is that when a domain-joined virtual machine is reverted to a state prior to its most recent password change, the domain controller no longer recognizes the older password, the computer has no way to authenticate to the domain, and it thus loses domain trust. Domain accounts cannot authenticate to it remotely, and interactive logon with a domain account works only if the computer has a cached credential verifier for the account and the person logging in remembers which password was used when its verifier was cached. Typically when this happens, a LAPS-managed local account cannot be used either, as the local account password will also have been reverted and will not match the newer one stored in Active Directory.

Non-persistent VDI implementations and devices with write filters that disallow permanent changes to the OS volume are also examples of scenarios where machine account password expiration is problematic. When such systems change their passwords in Active Directory and then revert to their previous passwords, they can no longer authenticate.

In the absence of issues such as these, we recommend leaving the default 30-day expiration in place. But following the baseline criteria stated above, we are removing the explicit enforcement of those defaults from our baselines. Situations that necessitate disabling machine account password expiration can now be handled without being out of compliance with our baselines.

The risks of turning off machine account password expiration are relatively low. To steal a computer account password, you must first have already gained full administrative control of the computer. Having a computer account’s password gives you only the ability to act as that computer on the network from other systems. For example, if Mary gets administrative control of CONTOSO\COMPUTER_ONE and extracts its domain account password (which is stored as an LSA secret), she can then connect to domain resources from CONTOSO\COMPUTER_TEN but pretending to be CONTOSO\COMPUTER_ONE. Default password expiration policy would limit her ability to do so to a maximum of 30 days. However, given that she had full control of COMPUTER_ONE, she could presumably go back in and retrieve its new password, or have applied nefarious techniques to disable password change, keeping the password valid indefinitely.
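As an added example (not part of the baseline package or its Scripts folder), the following PowerShell reads the two Netlogon values behind the “Domain member” machine account password settings on a domain member, checks whether the secure channel to the domain is still intact, and, where the ActiveDirectory module is present, lists computer accounts that have not rotated their password within the configured age. It assumes an elevated session on a domain-joined host with RSAT installed for the domain-wide part; nothing is modified.

```powershell
# Added example: audit machine account password rotation (read-only).
# Assumes: elevated PowerShell on a domain-joined host; RSAT ActiveDirectory
# module installed for the domain-wide part (skipped when absent).

# The two "Domain member" policies live under the Netlogon service parameters:
#   Disable machine account password changes -> DisablePasswordChange (DWORD)
#   Maximum machine account password age     -> MaximumPasswordAge   (DWORD, days)
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$netlogon    = Get-ItemProperty -Path $netlogonKey

$changeDisabled = [bool][int]$netlogon.DisablePasswordChange      # absent -> 0 -> $false
$maxAgeDays     = if ($null -ne $netlogon.MaximumPasswordAge) {
                      [int]$netlogon.MaximumPasswordAge
                  } else { 30 }                                   # OS default when unset

# Test-ComputerSecureChannel returns $false when this host's stored password no
# longer matches what the domain controller holds: the reverted-VM symptom above.
$localReport = [pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    DisablePasswordChange  = $changeDisabled
    MaximumPasswordAgeDays = $maxAgeDays
    MatchesBaselineDefault = (-not $changeDisabled) -and ($maxAgeDays -eq 30)
    SecureChannelOk        = Test-ComputerSecureChannel
}
$localReport | Format-List

# Domain-wide view: AD does not expire computer passwords itself, so a stale
# PasswordLastSet means the client is not rotating (change disabled, long
# offline, or decommissioned). A reverted VM looks current here; its problem
# shows up only on the client as SecureChannelOk = False.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$maxAgeDays)

    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, OperatingSystem |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, OperatingSystem, PasswordLastSet,
            @{ Name = 'DaysSinceChange'
               Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordLastSet |
        Format-Table -AutoSize
}
else {
    Write-Warning 'ActiveDirectory module not found; skipping the domain-wide check.'
}
```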


 


Exploit Protection

Because of reported compatibility issues with the Exploit Protection settings that we began incorporating with the Windows 10 v1709 baselines, we have elected to remove the settings from the baseline and to provide a script for removing the settings from machines that have had those settings applied. (See Remove-EPBaselineSettings.ps1 in the download package’s Scripts folder.)

New device installation restrictions available

For many years, Windows has enabled administrators to allow or block devices such as external USB drives based on attributes such as vendor and product IDs. Windows now also enables control at a far more granular level: device instance IDs. For example, you could have ten identical thumb drives of the same brand, model, and capacity, pick two of them, and create a policy that allows just those to be mounted; the others would be blocked.

Because the way these settings would be configured is always specific to each customer’s situation, we don’t configure them in our baselines. But we wanted to highlight their availability as a major improvement in Windows’ device control.

You can configure the new “Allow installation of devices that match any of these device instance IDs” and “Prevent installation of devices that match any of these device instance IDs” Group Policy settings in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. For more information, also see How to control USB devices and other removable media using Microsoft Defender ATP.
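As an added example (not part of the baseline package), this PowerShell enumerates the device instance IDs of the USB storage devices currently present, compares them with an allow list, and reports which drives the instance ID policy above would block once enforced. Two things are assumptions: the allow-list entries are constructed placeholder values, not real devices, and the registry path is where the Device Installation Restrictions ADMX is taken to write the allow list; verify both in your environment.

```powershell
# Added example: inventory USB storage device instance IDs against an allow list.
# Assumes: Windows 10 v1909 or later with the PnpDevice cmdlets; read-only.

# Draft allow list. These are constructed placeholder values, not real devices.
# The serial-number part of an instance ID is what lets the policy target two
# specific drives rather than every drive of the same make and model.
$draftAllowList = @(
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_DRIVE&REV_1.00\SERIAL0001&0',
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_DRIVE&REV_1.00\SERIAL0002&0'
)

# Where the Device Installation Restrictions ADMX is assumed to store the
# "Allow installation of devices that match any of these device instance IDs"
# entries (values named 1, 2, 3, ...). Verify against DeviceInstallation.admx.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceInstanceIDs'
$configured = @()
if (Test-Path $policyKey) {
    $configured = @((Get-ItemProperty -Path $policyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value })
}
# Prefer what Group Policy has actually applied; fall back to the draft list.
$allowList = if ($configured.Count -gt 0) { $configured } else { $draftAllowList }

# Present USB mass-storage disks. Get-PnpDevice exposes the same instance ID
# string that the policy matches on.
$usbDisks = Get-PnpDevice -PresentOnly -Class DiskDrive |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' }

$report = foreach ($dev in $usbDisks) {
    [pscustomobject]@{
        FriendlyName = $dev.FriendlyName
        InstanceId   = $dev.InstanceId
        Status       = $dev.Status
        InAllowList  = $allowList -contains $dev.InstanceId
        Source       = if ($configured.Count -gt 0) { 'GroupPolicy' } else { 'Draft' }
    }
}

$report | Format-Table -AutoSize

# Instance IDs seen now but missing from the list: these are the drives the
# policy would block. Review them before enforcing.
$report | Where-Object { -not $_.InAllowList } | Select-Object -ExpandProperty InstanceId
```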

Changing security incident response by utilizing the power of the cloud—DART tools, techniques, and procedures: part 1

November 14th, 2019 No comments

This is the first in a blog series discussing the tools, techniques, and procedures that the Microsoft Detection and Response Team (DART) uses to investigate cybersecurity incidents at our customer organizations. Today, we introduce the team and give a brief overview of each of the tools that utilize the power of the cloud. In upcoming posts, we’ll cover each tool in-depth and elaborate on techniques and procedures used by the team.

Key lessons learned from DART’s investigation evolution

DART’s investigation procedures and technology have evolved over 14 years of assisting our customers during some of the worst hack attacks on record. Tools have evolved from primarily bespoke (custom) tools into a blend of commercially available Microsoft detection solutions plus bespoke tools, most of which extend the core Microsoft detection capabilities. The team contributes knowledge and technology back to the product groups, who build that experience into our products, so our customers can benefit from the (hard-won) lessons learned during our investigations.

This experience means that DART’s tooling and communication requirements during incident investigations tend to be a bit more demanding than most in-house teams, given we’re often working with complex global environments. It’s not uncommon that an organization’s ability to detect and respond to security incidents is inadequate to cope with skilled attackers who will spend days and weeks profiling the organization and its employees. Consequently, we help organizations across many different industry verticals and from those experiences we have collated some key lessons:

  • Detection is critical (and weak)—One of the first priorities when the team engages to assist with an incident investigation at a customer site is to increase the detection capability of that organization. Over the years, we’ve seen that industry-wide detection has stayed the weakest of the Protect, Detect, Respond triad. While the average dwell time numbers are trending downward, it’s still measured in days (usually double digit numbers) and days of access to your systems is plenty of time to do massive damage.
  • Inadequate auditing—More often than not, DART finds that organizations don’t turn on auditing or have misconfigured auditing with the result that there is not a full record of attacker activities. See auditing best practices for Active Directory and Office 365. In addition, given the current prolific use of weaponized PowerShell scripts by attackers, we strongly recommend implementing PowerShell auditing.
  • Static plus active containment—Static containment (protection) controls can never be 100 percent successful against skilled human attackers, so we need to add in an active containment component that can detect and contain those attackers at the edge and as they move around the environment. This second part is crucial—as they move around the environment—we need to move away from the traditional mindset of “Time to Detect” and implement a “Time to Remediate” approach with active containment procedures to disrupt attackers’ abilities to realize their objective once in the environment. Of course, attackers that have been in the organization for a very long time require more involved investigation and planning for an eviction event to be successful and lessen any potential impact to the organization.
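As an added example (not DART tooling), this PowerShell checks whether the PowerShell auditing recommended in the second lesson is actually configured on a host and summarizes the script block events it produces over the last day. It assumes an elevated session on Windows PowerShell 5.1 or later and changes nothing.

```powershell
# Added example: verify PowerShell auditing configuration and read its output.
# Assumes: elevated session; Windows PowerShell 5.1 or later. Read-only.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Read a value under the PowerShell policy tree; $null means "not configured",
# which for all three auditing features is the same as off.
function Get-PSPolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { return $null }
    return (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$Name
}

# Module logging only records modules that are listed; '*' covers everything.
$moduleNamesKey = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
$providerProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$moduleNames = if (Test-Path $moduleNamesKey) {
    @((Get-ItemProperty -Path $moduleNamesKey).PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps } |
        ForEach-Object { $_.Name })
} else { @() }

$config = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    ScriptBlockLogging  = (Get-PSPolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
    ModuleLogging       = (Get-PSPolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
    ModuleNames         = ($moduleNames -join ', ')
    Transcription       = (Get-PSPolicyValue 'Transcription' 'EnableTranscripting') -eq 1
    TranscriptDirectory = Get-PSPolicyValue 'Transcription' 'OutputDirectory'
}
$config | Format-List

# Script block logging writes event 4104 to the PowerShell operational log.
# Blocks the engine itself considers suspicious are logged at Warning (level 3);
# everything else at Verbose (level 5). No events at all usually means logging
# is off, not that nothing ran.
$logName = 'Microsoft-Windows-PowerShell/Operational'
$since   = (Get-Date).AddHours(-24)
$events  = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue)

# EventData layout for 4104: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
[pscustomobject]@{
    ScriptBlockEventsLast24h = $events.Count
    FlaggedByEngine          = @($events | Where-Object { $_.Level -eq 3 }).Count
    DistinctScriptBlocks     = @($events | ForEach-Object { $_.Properties[3].Value } | Sort-Object -Unique).Count
} | Format-List
```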

These lessons have significantly influenced the methodology and toolsets we use in DART as we engage with our customers. In this blog series, we’ll share lessons learned and best practices of organizations and incident responders to help ensure readiness.

Observe-Orient-Decide-Act (OODA) framework

Before we can act in any meaningful way, we need to observe attacker activities, so we can orient ourselves and decide what to do. Orientation is the most critical step in the Observe-Orient-Decide-Act (OODA) framework developed by John Boyd and summarized in this OODA article. Wherever possible, the team will light up several tools in the organization, installing the Microsoft Management Agent (MMA) and trial versions of the Microsoft Threat Protection suite, which includes Microsoft Defender ATP, Azure ATP, Office 365 ATP, and Microsoft Cloud App Security (our Cloud Access Security Broker (CASB) solution), as illustrated in Figure 1. Why? Because these technologies were developed specifically to form an end-to-end picture across the attacker cyber kill-chain framework (reference Lockheed Martin) and together work swiftly to gather the indicators of anomaly, attack, and compromise necessary to block the attacker.

The Microsoft ATP platform of tools is used extensively by the Microsoft Corporate IT security operations center (SOC) in our Cyber Defense Operations Center (CDOC), whose slogan is “Minutes Matter.” Using these technologies, the CDOC has dropped its time to remediate incidents from hours to minutes—a game changer we’ve replicated at many of our customers.

Microsoft Threat Protection

The Microsoft Threat Protection platform includes Microsoft Defender ATP, Azure ATP, Office 365 ATP, as well as additional services that strengthen security for specific attack vectors, while adding security for attack vectors that would not be covered by the ATP solutions alone. Read Announcing Microsoft Threat Protection for more information. In this blog, we focus on the tools that give DART a high return on investment in terms of speed to implement versus visibility gained.

Infographic showing maximum detection during attack stages, with Office 365 ATP, Azure AD Identity Protection, and Cloud App Security.

Figure 1. Microsoft Threat Protection and the cyber kill-chain.

Although the blog series discusses Microsoft technologies preferentially, the intent here is not to replicate data or signals—the team uses what the customer has—but to close gaps where the organization might be missing signal. With that in mind, let’s move on to a brief discussion of the tools.

Horizontal tools: Visibility across the cyber kill-chain

Horizontal tools include Azure Sentinel and Azure Security Center:

  • Azure Sentinel—New to DART’s arsenal is Azure Sentinel—the first cloud-native SIEM (security information and event management). Over the past few months, DART has deployed Azure Sentinel as a mechanism to combine the different signal sets in what we refer to as SIEM and SOAR as a service. SOAR, which stands for security orchestration, automation, and response, is indispensable in its capability to respond to attacker actions with speed and accuracy. Our intention is not to replicate a customer SIEM but to use the power of the cloud and machine learning to quickly combine alerts across the cyber kill-chain in a fusion model to lessen the time it takes an investigator to understand what the attacker is doing.

Importantly, machine learning gives DART the ability to aggregate diverse signals and get an end-to-end picture of what is going on quickly and to act on that information. In this way, information important to the investigation can be forwarded to the existing SIEM, allowing for efficient and speedy analysis utilizing the power of the cloud.

  • Azure Security Center—DART also onboards the organization into Azure Security Center, if not already enabled for the organization. This tool significantly adds to our ability to investigate and pivot across the infrastructure, especially given the fact that many organizations don’t yet have Windows 10 devices deployed throughout. Security Center also does much more with machine learning for next-generation detection and simplifying security management across clouds and platforms (Windows/Linux).

DART’s focus for the tool is primarily on the log analytics capabilities that allow us to pivot our investigation and, furthermore, utilize the recommended hardening suggestions during our rapid recovery work. We also recommend the implementation of Security Center proactively, as it gives clear security recommendations that an organization can implement to secure their on-premises and cloud infrastructures. See Azure Security Center FAQs for more information.

Vertical tools: Depth visibility in designated areas of the cyber kill-chain

Vertical tools include Azure ATP, Office 365 ATP, Microsoft Defender ATP, Cloud App Security, and custom tooling:

  • Azure ATP—The Verizon Data Breach Report of 2018 reported that 81 percent of breaches are caused by compromised credentials. Every incident that DART has responded to over the last few years has had some component of credential theft; consequently Azure ATP is one of the first tools we implement when we get to a site—before, if possible—to get insight into what users and entities are doing in the environment. This allows us to use built-in detections to identify suspicious behaviour, such as suspicious changes to identity metadata and user privileges.
  • Office 365 ATP—With approximately 90 percent of all attacks starting with a phishing email, having ways to detect when a phishing email makes it past email perimeter defences is critical. DART investigators always want to know which mechanism the attacker used to compromise the environment—simply so we can be sure to block that vector. We use Office 365 ATP capabilities—such as security playbooks and investigation graphs—to investigate and remediate attacks faster.
  • Microsoft Defender ATP—If the organization has Windows 10 devices, we can implement Microsoft Defender ATP (previously Windows Defender ATP)—a cloud-based solution that leverages a built-in agent in Windows 10. Otherwise, we’ll utilize MMA to gather information from older versions of Windows and Linux machines and pull that information into our investigation. This makes it possible to detect attacker activities, aggregate this information, and prioritize the investigation of detected activity.
  • Cloud App Security—Cloud App Security is a multi-mode cloud access security broker that natively integrates with the other tools DART deploys, giving access to sophisticated analytics to identify and combat cyberthreats across the organization. This allows us to detect any malicious activity using cloud resources that the attacker might be undertaking. Cloud App Security, combined with Azure ATP, allows us to see if the attacker is exfiltrating data from the organization, and also allows organizations to proactively determine and assess any shadow IT they may be unaware of.
  • Custom tooling—Bespoke custom tooling is deployed depending on attacker activities and the software present in the organization. Examples include infrastructure health-check tools, which allow us to check for any modification of Microsoft technologies—such as Active Directory, Microsoft’s public key infrastructure (PKI), and Exchange health (where Office 365 is not in use) as well as tools designed to detect use of specific specialist attack vectors and persistence mechanisms. Where machines are in frame for a deeper investigation, we normally utilize a tool that runs against a live machine to acquire more information about that machine, or even run a full disk acquisition forensic tool, depending on legal requirements.

Together, the vertical tools give us an unparalleled view into what is happening in the organization. These signals can be collated and aggregated into both Security Center and Azure Sentinel, where we can pull in other data sources as available to the organization’s SOC.

Figure 2 represents how we correlate the signal and utilize machine learning to quickly identify compromised entities inside the organization.

Infographic showing combined signals: Identity, Cloud Apps, Data, and Devices.

Figure 2. Combining signals to identify compromised users and devices.

This gives us a very swift way to bubble up anomalous activity and allows us to rapidly orient ourselves against attacker activity. In many cases, we can then use automated playbooks to block attacker activity once we understand the attacker’s tools, techniques, and procedures; but that will be the subject of another post.

Next up—how Azure Sentinel helps DART

Today, in Part 1 of our blog series, we introduced the suite of tools used by DART and the Microsoft CDOC to rapidly detect attacker activity and actions—because in the case of cyber incident investigations, minutes matter. In our next blog we’ll drill down into Azure Sentinel capabilities to highlight how it helps DART; stay posted!

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

BlueHat Seattle videos are online!

November 13th, 2019 No comments

Were you unable to attend BlueHat Seattle, or wanted to see a session again? We have good news. If you have been waiting for the videos from BlueHat Seattle last month, the wait is over. All videos which the presenter authorized to be recorded are now online and available to anyone. We are also happy …

November 2019 security updates are available!

November 12th, 2019 No comments

We have released the November security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. As a reminder, Windows 7 and Windows Server 2008 R2 will be out of …


Zero Trust strategy—what good looks like

November 11th, 2019 No comments

Zero Trust has managed to both inspire and confuse the cybersecurity industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy (and arguably the first formal strategy, as I recently heard Dr. Chase Cunningham, Principal Analyst at Forrester, aptly point out).

Microsoft believes that the Zero Trust strategy should be woven throughout your organization’s architectures, technology selections, and operational processes, as well as throughout the culture of your organization and the mindset of your people.

Zero Trust will build on many of your existing security investments, so you may already have made progress on this journey. Microsoft is publishing learnings and guidance from many perspectives to help organizations understand, anticipate, and manage the implications of this new strategy. This guidance will continue to grow as we learn more. A few highlights include:

In previous posts of this series, we described Microsoft’s vision for an optimal Zero Trust model and the journey of our own IT organization from a classic enterprise security to Zero Trust. Today, we focus on what a good strategy looks like and recommended prioritization (with a bit of history for context).

Zero Trust security continuously validates trustworthiness of each entity in your enterprise (identities, applications and services, devices) starting each with a trust level of zero.

Evolution of security strategy

The central challenge of cybersecurity is that the IT environment we defend is highly complex, leading security departments (often with limited budgets/resources) to find efficient ways to mitigate risk of advanced, intelligent, and continuously evolving attackers.

Most enterprises started with the use of a “trusted enterprise network,” but have since found fundamental limitations of that broad trust approach. This creates a natural pressure to remove the “shortcut” of a trusted enterprise network and do the hard work of measuring and acting on the trustworthiness of each entity.

Network or identity? Both (and more)!

The earliest coherent descriptions of the Zero Trust idea can be traced to proposals in the wake of the major wave of cybersecurity attacks. Beginning in the early 2000s, businesses and IT organizations were rocked by worms like ILOVEYOU, Nimda, and SQL Slammer. While painful, these experiences were a catalyst for positive security initiatives like Microsoft’s Security Development Lifecycle (SDL) and began serious discussions on improving computer security. The strategy discussions during this timeframe formed into two main schools of thought—network and identity:

  • Network—This school of thought doubled down on using network controls for security by creating smaller network segments and measuring trust of devices before network controls allow access to resources. While promising, this approach was highly complex and saw limited uptake outside a few bright spots like Google’s BeyondCorp.
  • Identity—Another approach, advocated by the Jericho Forum, pushed to move away from network security controls entirely with a “de-perimeterisation” approach. This approach was largely beyond the reach of technology available at the time but planted important seeds for the Zero Trust of today.

Microsoft ultimately recommends an approach that includes both schools of thought and leverages the transformation of the cloud to mitigate risk spanning the modern assets and (multiple generations of) legacy technology in most enterprises.

Prioritizing and planning Zero Trust

Microsoft recommends rigorous prioritization of Zero Trust efforts to maximize security return on investment (ROI). This default prioritization is based on learnings from our experience, our customers, and others in the industry.

  1. Align strategies and teams—Your first priority should be to get all the technical teams on the same page and establish a single enterprise segmentation strategy aligned to business needs. We often find that network, identity, and application teams each have different approaches of logically dividing up the enterprise that are incompatible with each other, creating confusion and conflict. See the CISO workshop video, Module 3 Part 3: Strategy and Priorities, for more discussion of this topic.
  2. Build identity-based perimeter—Starting immediately (in parallel to priority #1), your organization should adopt identity controls like Multi-Factor Authentication (MFA) and passwordless to better protect your identities. You should quickly grow this into a phased plan that measures (and enforces) trustworthiness of users and devices accessing resources, and eventually validating trust of each resource being accessed. See the CISO workshop video, Module 3 Part 6: Build an Identity Perimeter, for more information on identity perimeters.
  3. Refine network perimeter—The next priority is to refine your network security strategy. Depending on your current segmentation and security posture, this could include:
    • Basic segmentation/alignment—Adopt a clear enterprise segmentation model (built in #1) from a “flat network” or fragmented/non-aligned segmentation strategy. Implementing this is often a significant undertaking that requires extensive discovery of assets and communication patterns to limit operational downtime. It’s often easier to do this as you migrate to the cloud (which naturally includes this discovery) than it is to retrofit to an existing on-premises environment.
    • Micro-segmenting datacenter—Implement increasingly granular controls on your datacenter network to increase attacker cost. This requires detailed knowledge of applications in the datacenter to avoid operational downtime. Like basic segmentation, this can be added during a cloud migration or a net new cloud deployment easier than retrofitting to an on-premises datacenter.
    • Internet first clients—A simple but significant shift is when you move client endpoints from being on the internet part-time to full-time (versus sometimes on corporate network and sometimes remote). This is a straightforward concept, but it requires having already established a strong identity perimeter, strong endpoint security and management over the internet, publishing legacy applications to your internet clients, dedicated administrative workstations, and potentially other initiatives before “rolling back” the firewalls from clients.

What good looks like

Zero Trust is a model that will ultimately be infused throughout your enterprise and should inform virtually all access decisions and interactions between systems.

Expanding on the three principles of Zero Trust from the Zero Trust vision paper—Verify Explicitly, Least Privilege Access, and Assume Breach—the hallmarks of a good enterprise Zero Trust strategy include:

  • Continuously measure trust and risk—Ensure all users and devices attempting to access resources are validated as trustworthy enough to access the target resource (based on sensitivity of target resource). As technology becomes available to do it, you should also validate the trustworthiness of the target resources.
  • Enterprise-wide consistency—Ensure that you have a single Zero Trust policy engine to consistently apply your organization’s policy to all of your resources (versus multiple engines whose configuration could diverge). Most organizations shouldn’t expect to cover all resources immediately but should invest in technology that can apply policy to all modern and legacy assets.
  • Enable productivity—For successful adoption and usage, ensure that both security and business productivity goals are appropriately represented in the policy. Make sure to include all relevant business, IT, and security stakeholders in policy design and refine the policy as the needs of the organization and threat landscape evolve. For more information, see Meet Productivity and Security Goals.
  • Maximize signal to increase cost of attack—The more measurements you include in a trust decision—which reflect good/normal behavior—the more difficult/expensive it is for attackers to mimic legitimate sign-ins and activities, deterring or degrading an attacker’s ability to damage your organization.
  • Fail safe—The system operation should always stay in a safe state, even after a failed/incorrect decision (for example, preserve life/safety and business value via confidentiality, integrity, and availability assurances). Consider the possible and likely failures (for example, mobile device unavailable or biometrics unsuccessful) and design fallbacks to safely handle failures for both:
    • Security (for example, detection and response processes).
    • Productivity (remediation mechanisms via helpdesk/support systems).
  • Contain risk of attacker movement into smaller zones—This is particularly important when you’re reliant on legacy/static controls that cannot dynamically measure and enforce trustworthiness of inbound access attempts (for example, static network controls for legacy applications/servers/devices).
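As an added example (not from the original post) of the “continuously measure trust”, “enterprise-wide consistency” and “fail safe” hallmarks, here is a minimal policy engine in Python: it grades each request against the sensitivity of the target resource, routes a request whose trust signal is missing (for example, an unavailable MFA device) to remediation rather than failing open or hard-failing, and applies the same decision to a modern app and to a legacy app that sits behind a static network control. The tier names, the 0..3 user trust score and the thresholds are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Resource sensitivity tiers and the trust each tier demands. The tier names,
# the 0..3 user trust score and the thresholds are assumptions for this example.
TIER_REQUIREMENTS = {
    "low":    {"min_user_score": 1, "require_mfa": False, "require_compliant_device": False},
    "medium": {"min_user_score": 2, "require_mfa": True,  "require_compliant_device": False},
    "high":   {"min_user_score": 3, "require_mfa": True,  "require_compliant_device": True},
}


@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: str                   # key into TIER_REQUIREMENTS
    user_score: Optional[int]          # risk-derived trust score; None = signal unavailable
    mfa_satisfied: Optional[bool]      # None = factor could not be evaluated (e.g. phone unavailable)
    device_compliant: Optional[bool]   # None = device unknown / unmanaged
    legacy: bool = False               # resource sits behind a static network control


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is ALLOW, DENY or REMEDIATE.

    Fail safe: a signal that is missing is never treated as trusted. Instead of
    erroring out or silently allowing, the request is routed to remediation
    (helpdesk / step-up flow), which keeps both security and productivity intact.
    """
    reqs = TIER_REQUIREMENTS[req.sensitivity]
    needed = [req.user_score]
    if reqs["require_mfa"]:
        needed.append(req.mfa_satisfied)
    if reqs["require_compliant_device"]:
        needed.append(req.device_compliant)
    if any(signal is None for signal in needed):
        return "REMEDIATE", "a required trust signal is unavailable"

    if req.user_score < reqs["min_user_score"]:
        return "DENY", (f"user trust {req.user_score} is below the {reqs['min_user_score']} "
                        f"required for a {req.sensitivity}-sensitivity resource")
    if reqs["require_mfa"] and not req.mfa_satisfied:
        return "REMEDIATE", "MFA required but not satisfied; prompt for step-up"
    if reqs["require_compliant_device"] and not req.device_compliant:
        return "DENY", "non-compliant device may not reach a high-sensitivity resource"
    return "ALLOW", "all trust requirements met for this sensitivity tier"


def enforce(req: AccessRequest) -> dict:
    """One policy engine for modern and legacy assets: the same decision is
    translated into the enforcement action each kind of resource understands."""
    decision, reason = decide(req)
    if req.legacy:
        # Legacy app: the only available lever is a static network rule into its segment.
        action = {"ALLOW": "open-segment-rule", "DENY": "block-segment-rule",
                  "REMEDIATE": "block-segment-rule+notify-helpdesk"}[decision]
    else:
        action = {"ALLOW": "issue-token", "DENY": "refuse-token",
                  "REMEDIATE": "redirect-to-remediation"}[decision]
    return {"user": req.user, "resource": req.resource,
            "decision": decision, "action": action, "reason": reason}


if __name__ == "__main__":
    # Constructed requests: a phone-less user hitting payroll is sent to remediation,
    # not denied outright and not let through.
    for r in (AccessRequest("alice", "payroll", "high", 3, None, True),
              AccessRequest("alice", "wiki", "low", 3, None, None),
              AccessRequest("carol", "legacy-erp", "high", 3, None, True, legacy=True)):
        print(enforce(r))
```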

Into the future

Over time, we expect Zero Trust will become accepted and commonplace where people simply learn it in “Security 101” (much like the least privilege principle today). Zero Trust is expected to evolve as we all become more comfortable with what this new normal entails and have ideas on how to optimize efficiency and address the attackers’ ongoing attempts to find a chink in the new armor.

Learn more

Our next blog will discuss how to make Zero Trust real in your enterprise starting with technology available today, which you may already have deployed or have access to! In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust strategy—what good looks like appeared first on Microsoft Security.

The new CVE-2019-0708 RDP exploit attacks, explained

November 7th, 2019

On November 2, 2019, security researcher Kevin Beaumont reported that his BlueKeep honeypot experienced crashes and was likely being exploited. Microsoft security researchers collaborated with Beaumont as well as another researcher, Marcus Hutchins, to investigate and analyze the crashes and confirm that they were caused by a BlueKeep exploit module for the Metasploit penetration testing framework.

BlueKeep is what researchers and the media call CVE-2019-0708, an unauthenticated remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft released a security fix for the vulnerability on May 14, 2019.

While similar vulnerabilities have been abused by worm malware in the past, initial attempts at exploiting this vulnerability involved human operators aiming to penetrate networks via exposed RDP services.

Microsoft had already deployed a behavioral detection for the BlueKeep Metasploit module in early September, so Microsoft Defender ATP customers had protection from this Metasploit module by the time it was used against Beaumont’s honeypot. The module, which appears to be unstable as evidenced by numerous RDP-related crashes observed on the honeypot, triggered the behavioral detection in Microsoft Defender ATP, resulting in the collection of critical signals used during the investigation.

Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines. We saw:

  • An increase in RDP service crashes from 10 to 100 daily starting on September 6, 2019, when the Metasploit module was released
  • A similar increase in memory corruption crashes starting on October 9, 2019
  • Crashes on external researcher honeypots starting on October 23, 2019

Figure 1. Increase in RDP-related service crashes when the Metasploit module was released

Coin miner campaign using BlueKeep exploit

After extracting indicators of compromise and pivoting to various related signal intelligence, Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner. This indicated that the same attackers were likely responsible for both coin mining campaigns—they have been actively staging coin miner attacks and eventually incorporated the BlueKeep exploit into their arsenal.

Our machine learning models flagged the presence of the coin miner payload used in these attacks on machines in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries.

Figure 2. Geographic distribution of coin miner encounters

These attacks were likely initiated as port scans for machines with vulnerable internet-facing RDP services. Once attackers found such machines, they used the BlueKeep Metasploit module to run a PowerShell script that eventually downloaded and launched several other encoded PowerShell scripts.

Figure 3. Techniques and components used in initial attempts to exploit BlueKeep

We pieced together the behaviors of the PowerShell scripts using mostly memory dumps. The following script activities have also been discussed in external researcher blogs:

  1. Initial script downloaded another encoded PowerShell script from an attacker-controlled remote server (5.135.199.19) hosted somewhere in France via port 443.
  2. The succeeding script downloaded and launched a series of three to four other encoded PowerShell scripts.
  3. The final script eventually downloaded the coin miner payload from another attacker-controlled server (109.176.117.11) hosted in Great Britain.
  4. Apart from downloading the payload, the final script also created a scheduled task to ensure the coin miner stayed persistent.

Figure 4. Memory dump of a PowerShell script used in the attacks

The final script saved the coin miner as the following file:

C:\Windows\System32\spool\svchost.exe

The coin miner connected to command-and-control infrastructure at 5.100.251.106 hosted in Israel. Other coin miners deployed in earlier campaigns that did not exploit BlueKeep also connected to this same IP address.
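As an added example (not part of the original post and not Microsoft’s hunting queries), the detection logic below checks normalized endpoint telemetry in Python for the components of the chain described above: Remote Desktop Services crashes, PowerShell started in encoded-command mode, a scheduled task persisting an svchost.exe outside its genuine directories (such as the System32\spool location named above), and outbound connections to the addresses quoted in the post. The event record shape and the sample events are constructed for this example; the three IP addresses and the file path are the ones stated above.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Indicators quoted in the post above; these are the only page-specific values used.
C2_ADDRESSES = {"5.135.199.19", "109.176.117.11", "5.100.251.106"}

# The genuine svchost.exe lives only in these directories. The comparison is on
# the exact parent directory, so System32\spool (used by the miner) does not pass.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# -e, -ec, -en, -enc and -EncodedCommand all select PowerShell's encoded-command mode.
ENCODED_FLAG = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s", re.IGNORECASE)


def _suspicious_svchost(path: str) -> bool:
    """True when the file is named svchost.exe but sits outside its legitimate directories."""
    path = path.lower()
    return ntpath.basename(path) == "svchost.exe" and ntpath.dirname(path) not in LEGIT_SVCHOST_DIRS


def findings_for(event: Dict[str, str]) -> List[str]:
    """Apply the detection rules to one normalized telemetry record.

    Record shape (constructed for this example, not a vendor schema):
    'event' in {process_create, scheduled_task, network_connect, service_crash},
    plus 'image', 'command_line', 'task_action', 'dest_ip' or 'service' as applicable.
    """
    hits: List[str] = []
    kind = event.get("event", "")
    image = event.get("image", "")

    if kind == "process_create":
        if _suspicious_svchost(image):
            hits.append(f"svchost.exe launched from a non-standard path: {image}")
        if ntpath.basename(image.lower()) == "powershell.exe" and \
                ENCODED_FLAG.search(event.get("command_line", "")):
            hits.append("PowerShell started with an encoded command")
    elif kind == "scheduled_task":
        if _suspicious_svchost(event.get("task_action", "")):
            hits.append(f"scheduled task persists a non-standard svchost.exe: {event['task_action']}")
    elif kind == "network_connect":
        if event.get("dest_ip") in C2_ADDRESSES:
            hits.append(f"outbound connection to known C2 address {event['dest_ip']} by {image}")
    elif kind == "service_crash":
        # TermService hosts Remote Desktop Services; a burst of its crashes matches
        # the unstable exploit module behaviour described in the post.
        if event.get("service") == "TermService":
            hits.append("Remote Desktop Services (TermService) crash")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event_index, finding) pairs in input order so the output reads as a timeline."""
    return [(i, f) for i, ev in enumerate(events) for f in findings_for(ev)]


# Constructed sample telemetry from one host, modelled on the chain described above.
# The encoded payload is a placeholder string, not a real command.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event": "service_crash", "service": "TermService"},
    {"event": "process_create", "image": PS,
     "command_line": "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64=="},
    {"event": "network_connect", "image": PS, "dest_ip": "5.135.199.19", "dest_port": "443"},
    {"event": "scheduled_task", "task_action": r"C:\Windows\System32\spool\svchost.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\spool\svchost.exe",
     "command_line": "svchost.exe"},
    {"event": "network_connect", "image": r"C:\Windows\System32\spool\svchost.exe",
     "dest_ip": "5.100.251.106"},
    # Benign: the real service host and an ordinary outbound connection.
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"event": "network_connect", "image": r"C:\Windows\System32\svchost.exe", "dest_ip": "203.0.113.9"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```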

Defending enterprises against BlueKeep

Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.

The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.

To this end, Microsoft customers can use the rich capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to gain visibility on exploit activities and defend networks against attacks. On top of the behavior-based antivirus and endpoint detection and response (EDR) detections, we released a threat analytics report to help security operations teams to conduct investigations specific to this threat. We also wrote advanced hunting queries that customers can use to search for multiple components of the attack.


The post The new CVE-2019-0708 RDP exploit attacks, explained appeared first on Microsoft Security.

Using Rust in Windows

November 7th, 2019

This Saturday 9th of November, there will be a keynote from Microsoft engineers Ryan Levick and Sebastian Fernandez at RustFest Barcelona. They will be talking about why Microsoft is exploring Rust adoption, some of the challenges we’ve faced in this process, and the future of Rust adoption in Microsoft. If you want to talk with …


The post Using Rust in Windows appeared first on Microsoft Security Response Center.

Vulnerability hunting with Semmle QL: DOM XSS

November 6th, 2019

In two previous blog posts (part 1 and part 2), we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of the …


The post Vulnerability hunting with Semmle QL: DOM XSS appeared first on Microsoft Security Response Center.

Microsoft Cloud Security solutions provide comprehensive cross-cloud protection

November 6th, 2019

The infrastructure, data, and apps built and run in the cloud are the foundational building blocks for a modern business. No matter where you are in your cloud journey, you likely utilize every layer of the cloud—from infrastructure as a service (IaaS) to platform as a service (PaaS) to software as a service (SaaS). You also may take advantage of services from several cloud and app providers. Many organizations operate a cross-cloud environment, but it can complicate security. A fragmented view of your cloud environment limits opportunities to holistically improve your security posture. It can also lead to missed threats and SecOps burnout.

To address these challenges, we provide a set of comprehensive Cloud Security solutions to protect every layer of the cloud—from Amazon Web Services (AWS) to Microsoft Azure (Azure) to Google Cloud Platform (GCP)—from Slack to Salesforce to your line of business apps.

Microsoft is in a unique position as a cloud provider and security vendor. We leverage global cloud-scale, trillions of signals and deep expertise to build industry-leading security solutions to protect cloud resources.

Our Cloud Security solutions can help you:

  • Realize integrated visibility and protection across clouds with Cloud Security Posture Management and Cloud Workload Protection Platform solutions.
  • Develop and secure your custom apps in the cloud with our Application Security services.
  • Monitor and control user activities and data across all your apps with our leading Cloud Access Security Broker (CASB).

Realize integrated visibility and protection across clouds

No matter which cloud services and apps you use, you need an all-inclusive view across all of them to protect your intellectual property and assets. You also need tools to help you block and mitigate threats. Cloud Security Posture Management and Cloud Workload Protection Platform are solutions that give you the visibility and capabilities to understand your cross-cloud environment and better secure it.

Cloud Security Posture Management

Azure Security Center continuously monitors your cross-cloud resources such as virtual machines, networks, applications, and data services. You can quickly assess your security posture with Secure Score, a feature of Security Center. Secure Score provides a numerical value for your current state and recommends actions. This scoring system offers best-practice guidance that can help prevent common misconfigurations—such as exposure of sensitive resources to the internet, lack of encryption, uninstalled updates, or a missing firewall for your cloud workloads.

Key benefits include:

  • A bird’s-eye security posture view.
  • Ability to continuously monitor and protect all your cross-cloud resources.
  • Best practice recommendations.
  • Visibility into the compliance state of your Azure environment.

Cloud Workload Protection Platform

Security Center doesn’t just evaluate your security posture, it also provides tools to help you reduce your attack surface. Using machine learning to process trillions of signals from around the globe, Security Center alerts you to threats to your environments, such as remote desktop protocol (RDP) brute-force attacks and SQL injections.

Protect Windows and Linux servers, cloud-native applications, data services, and your Azure IoT solutions from malicious threats. For every attack attempted or carried out, you receive a detailed report and recommendations for remediation.

Key benefits include the ability to:

  • Detect and block advanced malware and threats from Linux and Windows Servers on any cloud.
  • Protect cloud-native services from threats.
  • Protect data services against malicious attacks.
  • Protect your Azure IoT solution with near real-time monitoring.

Develop and secure your custom apps in the cloud

Application Security services

By uniting the previously siloed roles of development, operations, security, and testing, DevOps has enabled faster application development. When you’re moving fast, it can be easy to miss a step that could make your apps vulnerable. Microsoft Application Security services offer operations and development tools that help you identify potential threats before you put your application in production. Best-practices documentation and the Secure DevOps toolkit help you build security into your apps.

Our Application Security services also help you secure your open source apps. GitHub can help you secure your software supply chain and integrate security into your code-to-cloud workflows.

Key benefits include the ability to:

  • Build secure applications faster.
  • Protect every layer of your application.
  • Receive guidance to help you succeed.
  • Understand and secure your open source software supply chain.
  • Integrate security into your open source code-to-cloud workflows.

Monitor and control user activities and data across all your apps

Cloud Access Security Broker

Our internal data shows that in the average enterprise, users leverage more than 1,000 cloud apps and services, half of which go unmonitored by IT. The increasing number of apps—and the different ways users can access them—challenge IT departments to ensure secure access and protect the flow of critical data. Cloud Access Security Broker services are a new generation of solutions that give IT departments the tools to address these challenges.

Our leading Cloud Access Security Broker solution, Microsoft Cloud App Security, provides rich visibility into your shadow IT, enables you to identify and remediate cloud-native attacks, and allows you to control how your data travels across all of your cloud apps—whether they’re from Microsoft or third-party applications. The solution integrates natively with other leading Security and Identity solutions from the broader Microsoft portfolio to provide a simple deployment along with powerful threat intelligence and User and Entity Behavior Analytics (UEBA) to help you address the most modern attacks.

Key benefits include:

  • Centralized monitoring and control for all apps:
    • Discover and control shadow IT.
    • Identify and remediate cloud-native attacks.
    • Protect your information in real time with powerful inline controls.
  • Built for a seamless admin and user experience:
    • Customizable automation capabilities.
    • Native integrations.
    • Optimized for a global workforce.

Learn more

Our Cloud Security solutions enable you to safeguard your cross-cloud resources.

The post Microsoft Cloud Security solutions provide comprehensive cross-cloud protection appeared first on Microsoft Security.

How to balance compliance and security with limited resources

November 5th, 2019

Today, many organizations still struggle to adhere to General Data Protection Regulation (GDPR) mandates even though this landmark regulation took effect nearly two years ago. A key learning for some: being compliant does not always mean you are secure. Shifting privacy regulations, combined with limited resources like budgets and talent shortages, add to today’s business complexities. I hear this concern time and again as I travel around the world meeting with our customers to share how Microsoft can help organizations succeed through these challenges.

Most recently, I sat down with Emma Smith, Global Security Director at Vodafone Group, to talk about their own best practices when navigating the regulatory environment. Vodafone Group is a global company with mobile operations in 24 countries and partnerships that extend to 42 more. The company also operates fixed broadband operations in 19 markets, with about 700 million customers. This global reach means they must protect a significant amount of data while adhering to multiple requirements.

Emma and her team have put a lot of time and effort into the strategies and tactics that keep Vodafone and its customers compliant no matter where they are in the world. They’ve learned a lot in this process, and she shared these learnings with me as we discussed the need for organizations to be both secure and compliant, in order to best serve our customers and maintain their trust. You can watch our conversation and hear more in our CISO Spotlight episode.

Cybersecurity enables privacy compliance

As you work to balance compliance with security keep in mind that, as Emma said, “There is no privacy without security.” If you have separate teams for privacy and security, it’s important that they’re strategically aligned. People only use technology and services they trust, which is why privacy and security go hand in hand.

Vodafone did a security and privacy assessment across all their big data stores to understand where the high-risk data lives and how to protect it. They were then able to implement the same controls for privacy and security. It’s also important to recognize that you will never be immune from an attack, but you can reduce the damage.

Emma offered three recommendations for balancing security with privacy compliance:

  • Develop a risk framework so you can prioritize your efforts.
  • Communicate regularly with the board and executive team to align on risk appetite.
  • Establish the right security capabilities internally and/or through a mix of partners and third parties.

I couldn’t agree more, as these are also important building blocks for any organization as they work to become operationally resilient.

I also asked Emma for her top five steps for becoming compliant with privacy regulations:

  • Comply with international standards first, then address local rules.
  • Develop a clear, board-approved strategy.
  • Measure progress against your strategy.
  • Develop a prioritized program of work with clear outcomes.
  • Stay abreast of new technologies and new threats.

The simplest way to manage your risk is to minimize the amount of data that you store. Privacy assessments will help you know where the data is and how to protect it. Regional and local laws can provide tools to guide your standards. Protecting online privacy and personal data is a big responsibility, but with a risk management approach, you can go beyond the “letter of the law” to better safeguard data and support online privacy as a human right.

Learn more

Watch my conversation with Emma about balancing security with privacy compliance. To learn more about compliance and GDPR, read Microsoft Cloud safeguards individual privacy.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to balance compliance and security with limited resources appeared first on Microsoft Security.

Azure Sentinel updates: Improve your security operations with innovations from a cloud-native SIEM

November 5th, 2019

Just a month ago, I communicated the details about Azure Sentinel reaching general availability. Since then, many customers have shared how Azure Sentinel has empowered their teams to be nimble and more efficient. ASOS, one of the largest online fashion retailers, is an excellent example of this. Using Azure Sentinel, ASOS has created a bird’s-eye view of everything it needs to spot threats early, allowing it to safeguard its business and its customers proactively. As a result, it has cut issue resolution times in half.

“Sentinel has helped improve the efficiency of our security operations by allowing us to quickly consolidate a large number of disparate security and contextual data sources.”
—George Mudie, Chief Information Security Officer, ASOS

Learn more about how ASOS has benefitted from Azure Sentinel.

I am thrilled to come back and share new features available in preview starting this week. These new features highlight continued innovation and progress towards our goal of empowering defenders to do more.

Collect data from more sources with built-in connectors

Azure Sentinel enables you to collect security data across different sources, including Azure, on-premises solutions, and across clouds. Many built-in connectors are available to simplify integration, and new ones are being added continually. Connectors recently introduced by Zscaler, F5, Barracuda, Citrix, ExtraHop, One Identity, and Trend Micro make it easy to collect relevant data and use built-in workbooks and queries to gain insight into data from these solutions. Read more information on the Connect data sources page.

Screenshot showing Azure Sentinel data connectors.

Accelerate threat hunting with new capabilities

The work of threat hunters gets much easier with the addition of built-in hunting queries for Linux and network events. These queries, developed by Microsoft security researchers and community experts, provide a starting point to look for suspicious activity. You can customize hunting queries with the help of IntelliSense and bookmark interesting results for further investigation or sharing with fellow analysts. View the bookmarks alongside alerts in the Investigation graph and make them part of an incident.

You can now receive an Azure notification when there are new results on a query using the hunting livestream. Promote the livestream query to an Analytic rule if you want to make it part of your incident response workflow.

Image showing an Azure Sentinel threat hunting dash.

In addition, you can now launch Azure Notebooks directly from Azure Sentinel, making it easy to create and execute Jupyter notebooks to analyze your data. Notebooks combine live code, graphics, visualizations, and text, making them a valuable tool for threat hunters. Choose from a built-in gallery of notebooks developed by Microsoft security researchers or import others from GitHub to get started. These notebooks are the same professional-strength hunting solutions Microsoft’s threat hunters use every day.

Image showing Azure Sentinel notebooks, now in preview.

Connect threat intelligence sources using STIX/TAXII

The existing Threat Intelligence Platforms data connector allows you to integrate threat indicators from a variety of sources for use with Azure Sentinel analytics, hunting, and workbooks. A new Threat Intelligence TAXII connector will add support for threat indicator feeds from open source threat intelligence (OSINT) and threat intelligence platforms supporting this standard protocol and STIX data format. Once your threat intelligence sources are connected, you can:

  • Use built-in analytics or create your own rules to generate alerts and incidents when events match your threat indicators.
  • Track the health of your threat intelligence pipeline and gain insights into alerts generated with threat intelligence using built-in threat intelligence workbooks.
  • Correlate threat intelligence with event data via hunting queries to add contextual insights to your investigations.
  • Investigate anomalies and hunt for malicious behaviors in Azure Notebooks.

Screenshot showing Azure Sentinel data connectors.

Tap into Microsoft threat intelligence

Microsoft has an unparalleled view of the evolving threat landscape informed by analyzing trillions of signals from its cloud customers, services, and infrastructure. And now, Azure Sentinel customers can begin to leverage this intelligence to detect threats in their data. The first of these built-in detections matches Microsoft URL threat intelligence with new CEF logs (for example, from Palo Alto Networks or Zscaler). Retrospective lookbacks that match URL threat intelligence with historical event data will also be coming soon.

When a match is found, an alert is generated and an incident is created to enable further investigation. The matched indicator is also added to the Threat Intelligence Indicator table, which can be used just like any other indicator. Sign up for the Microsoft Cloud + AI Security Preview Program to enable these detections today, and keep an eye out for new matches coming soon.
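As an added example (not Azure Sentinel’s implementation and not code from the original post), the Python below does what the two paragraphs above describe at the smallest scale: it parses CEF records, normalizes the URL in the `request` extension field, matches it against a set of URL indicators, raises an alert per match, and records the matched indicator in an indicator table. The CEF lines and the indicator feed are constructed for this example using reserved example domains; the parser assumes no escaped pipes appear in the CEF header.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

CEF_HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '=' at the start of
# the extension or after whitespace; values themselves may contain spaces.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one CEF record into (header, extension).
    Assumption for this example: header fields contain no escaped pipes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line.split("|", 7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    header = dict(zip(CEF_HEADER_FIELDS, parts[1:7]))
    header["cef_version"] = parts[0][len("CEF:"):]
    ext_text = parts[7]
    keys = list(EXT_KEY.finditer(ext_text))
    extension: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext_text)
        extension[m.group(1)] = ext_text[m.end():end].strip().replace("\\=", "=")
    return header, extension


def normalize_url(url: str) -> str:
    """Canonical form applied to both indicators and events, so letter case or
    an explicit default port in the log does not defeat the match."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    netloc = p.netloc.lower()
    if (scheme == "http" and netloc.endswith(":80")) or (scheme == "https" and netloc.endswith(":443")):
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))


def match_url_indicators(cef_lines: List[str], indicators: Dict[str, str]):
    """Match the CEF 'request' field against URL indicators.

    Returns (alerts, indicator_table): one alert per matching event, and a table
    that records each matched indicator's hit count, mirroring the behaviour
    described above where a matched indicator is written to the indicator table.
    """
    table = {url: {"source": src, "matches": 0} for url, src in indicators.items()}
    alerts = []
    for line in cef_lines:
        header, ext = parse_cef(line)
        url = ext.get("request")
        if not url:
            continue
        norm = normalize_url(url)
        if norm in table:
            table[norm]["matches"] += 1
            alerts.append({"device": header["device_vendor"], "rule": header["name"],
                           "src": ext.get("src"), "url": url, "indicator": norm,
                           "source": table[norm]["source"]})
    return alerts, table


# Constructed indicator feed and CEF lines (reserved example domains, not real IoCs).
URL_INDICATORS = {normalize_url(u): "constructed-feed" for u in (
    "http://malicious.example/login", "https://phish.example.net/update")}
SAMPLE_CEF = [
    "CEF:0|Palo Alto Networks|PAN-OS|9.0|url|THREAT|3|rt=Nov 05 2019 10:02:11 src=10.0.0.5 "
    "dst=198.51.100.7 request=http://MALICIOUS.example:80/login msg=URL filtering",
    "CEF:0|Zscaler|NSSWeblog|1.0|web|Allowed URL|1|src=10.0.0.8 request=https://docs.example.org/guide act=Allowed",
    "CEF:0|Zscaler|NSSWeblog|1.0|web|Allowed URL|1|src=10.0.0.9 request=https://phish.example.net:443/update act=Allowed",
]

if __name__ == "__main__":
    found, indicator_table = match_url_indicators(SAMPLE_CEF, URL_INDICATORS)
    for a in found:
        print(f"ALERT {a['device']}: {a['src']} -> {a['url']} matched {a['indicator']}")
    print(indicator_table)
```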

Image showing phishing threats detected by Azure Sentinel.

Automatically detonate URLs to speed investigation

Azure Sentinel customers can now use the power of URL detonation to enrich alerts and discover threats related to malicious URLs. When creating scheduled alerts, any URL data in the query results can map to a new URL entity type. Whenever an alert containing a URL entity is generated, the mapped URL is automatically detonated, and the investigation graph is immediately enriched with the detonation results. A verdict, final URL, and screenshot (especially useful for identifying phishing) can be used to quickly assess a potential threat. As a quick tip, when ingesting data from an IDS or IPS, enable threat logging to log URL data. You can try this feature during the preview at no cost.

Image showing an investigation conducted using a Palo Alto Alert Rule.

Integrate with ticketing and security management solutions

New Microsoft Graph Security API integrations enable you to sync alerts from Azure Sentinel, as well as other Microsoft solutions, with ticketing and security management solutions such as ServiceNow. You can learn more by reading the Microsoft Graph Security API overview page.

Get started with Azure Sentinel and the new features

It’s easy to get started. You can access the latest public preview features in the Azure Sentinel dashboard today. If you’re not using Azure Sentinel, we welcome you to start a trial.

We collaborated with strategic partners to help you quickly design, implement, and operationalize your security operations using Azure Sentinel.

Partners including Accenture, Avanade, Ascent, DXC Technology, EY Global, KPMG, Infosys, Insight, Optiv, PwC, Trustwave, and Wipro are now offering a variety of services from architecture, deployment, and consultancy to a fully managed security service.

We have a lot of information available to help you, from great documentation to connecting with us via Yammer and email.

Visit us at Microsoft Ignite 2019

I will be joining many of our team members at Microsoft Ignite. Please stop by the Azure Sentinel booth. We would love to meet you.

You can also get more information on SIEM strategies and Azure Sentinel in many of the sessions at Ignite:

Looking forward to meeting you all at Ignite!

The post Azure Sentinel updates: Improve your security operations with innovations from a cloud-native SIEM appeared first on Microsoft Security.

Microsoft Intelligent Security Association grows to more than 80 members

November 5th, 2019

Sometimes an idea sparks, and it feels so natural, so organic, that it takes on a life of its own and surprises you by how fast it grows. The Microsoft Intelligent Security Association (MISA) was one of these ideas.

It was born out of a desire to be easy to do business with and be a better partner to our security peers—providing a single contact for all products in MISA, which reduces administrative work and serves as a central place for introductions to other engineering teams when you’re ready to build more integrations with Microsoft Security. In the spring of 2018, MISA launched with 26 founding partners, which included pivotal companies like Check Point, Zscaler, and F5. Just a year later, we had more than doubled in size, and as we head into Ignite 2019, the association has grown to 81 members—including new members RSA, eWBM, and ExtraHop.

“RSA is helping organizations secure their digital transformation journeys, addressing the growing number of threats, new digital risks and increasing sophistication of identity attacks in a hyper-connected world. The Microsoft Intelligent Security Association is an extension of our strategic partnership with Microsoft driving the common goal of better, more secure solutions for our customers and partners to enable organizations across the globe to secure their most critical assets.” —Jim Ducharme, Vice President of RSA Identity, Fraud & Risk Intelligence

MISA product updates

Three new products were added to the MISA product integration portfolio: Azure Sentinel, Azure Security Center (ASC), and ASC for IoT Security. The 11 product teams that make up the MISA product portfolio are announcing many product enhancements and partner integrations at Ignite 2019. Here are a few highlights:

Azure Sentinel

Enterprises worldwide can now keep pace with the exponential growth in security data, improve security outcomes and modernize their security operations with Azure Sentinel. As a cloud-native SIEM, Azure Sentinel helps security teams focus on the most important security events and removes the need to invest in infrastructure setup and maintenance. With analytics powered by built-in machine learning and automated playbooks, security teams can quickly detect and respond to previously unknown threats.

Azure Sentinel collects and analyzes security data from all sources across your enterprise—in Azure, on-premises and even other clouds. Azure Sentinel has built-in integrations with a growing list of MISA partners, including new integrations from Zscaler, F5, Barracuda, Citrix, ExtraHop, One Identity, and Trend Micro. These built-in connectors let SecOps teams collect and analyze security data while integrating with existing tools and threat intelligence.

Azure Security Center (ASC)

Azure Security Center (ASC) is extending its coverage with a new platform for community and partners to support Security Center’s fast growth in the marketplace and meet our customers’ demands around threat protection, cloud security posture, and enterprise-scale deployment and automation. We’re introducing new import and export APIs that allow partners to share their recommendations into ASC and pull ASC recommendations into their own product consoles. Our customers can use Security Center to receive recommendations from Microsoft and from partner solutions such as Check Point, Tenable, and CyberArk.

ASC’s simple onboarding flow can connect our customers’ existing solutions, enabling them to view their security posture recommendations in a single place, run unified reports and leverage all of ASC’s capabilities against both built-in and partner recommendations. Our customers can also export ASC recommendations to partner products.

Furthermore, ASC is opening its gates for the security community to contribute and improve the policies and configurations used in Security Center. You can now use the ASC community menu, the central hub of information for additional scripts, content, and community resources.

Azure Active Directory (Azure AD)

To help customers secure their entire application environment, we partnered with network security vendors—such as Akamai, Citrix, F5 Networks and Zscaler—making it simple to connect and protect your legacy-auth based applications. Integrating with these partners makes it possible for you to seamlessly connect with Azure AD without rewriting your applications that use protocols like header-based and Kerberos authentication.

Over the past few years, Microsoft has worked closely with our identity hardware partners to help drive the future of passwordless login by building integrations with the full suite of FIDO2-enabled Microsoft products including Windows 10 with Azure AD and Microsoft Edge with Microsoft Accounts. Today, MISA member Yubico announced the preview of the YubiKey Bio, which brings strong Windows passwordless login using biometrics for Azure AD users. With support for both biometric and PIN-based logins, the YubiKey Bio will leverage the full range of multi-factor authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications.

Microsoft Information Protection (MIP)

Last year at Ignite, we released the Microsoft Information Protection (MIP) SDK, which lets our ecosystem of partners build integrations in a truly cross-platform way. Since then, many members of MISA have released in-market solutions that add to the MIP value proposition.

Now, you can use Adobe Acrobat DC and Acrobat Reader DC on the Windows and macOS desktop to open files protected with MIP solutions, including Azure Information Protection (AIP) and Information Protection using Office 365. Acrobat Reader DC and Acrobat DC auto-detect a MIP-protected file and prompt you to download the corresponding plugin. Once you download and install the plugin, the protected files open like any other PDF in Acrobat or Reader after authentication. You can also see the label information applied to a PDF using Acrobat Reader DC and Acrobat DC. Download the MIP plugin from this Adobe page.

To learn more about the above announcements, check out these Ignite announcement blogs:

MISA at Ignite

As security becomes more mainstream, it’s reflected in the content you will see at Ignite. MISA hosted its first members pre-day in conjunction with the inaugural cybersecurity pre-day for Microsoft customers. As part of this event, MISA members shared expert insights and best practices on a range of security topics:

  • Forcepoint—Unify Data Protection in a Hybrid IT World
  • Morphisec—An ATT&CK Tactic Approach to Measuring Security and Risk
  • Palo Alto—SOAR to the Clouds: Tackling Cloud Security in Your SOC
  • Lookout—Mobile Threat Landscape in 2019
  • Feitian—Go Passwordless with Fingerprint Biometrics for More Security

Microsoft Ignite

Join us online November 4–8, 2019 to livestream keynotes, watch selected sessions on-demand, and more.


Learn more

Learn more

To learn more about MISA, watch this two-minute video or visit the MISA webpage. To learn more about association members, visit the member catalog, or view the integration video playlist.

The post Microsoft Intelligent Security Association grows to more than 80 members appeared first on Microsoft Security.

Further enhancing security from Microsoft, not just for Microsoft

November 4th, 2019 No comments

Legacy infrastructure. Bolted-on security solutions. Application sprawl. Multi-cloud environments. Company data stored across devices and apps. IT and security resource constraints. Uncertainty of where and when the next attack or leak will come, including from the inside. These are just a few of the things that keep our customers up at night.

When security is only as strong as your weakest link and your environments continue to expand, there’s little room for error. The challenge is real: in this incredibly complex world, you must prevent every attack, every time. Attackers must only land their exploit once. They have the upper hand. To get that control back, we must pair the power of your defenders and human intuition with artificial intelligence (AI) and machine learning that help cut through the noise, prioritize the work, and help you protect, detect, and respond smarter and faster.

Microsoft Threat Protection brings this level of control and security to the modern workplace by analyzing signal intelligence across identities, endpoints, data, cloud applications, and infrastructure.

Today, at the Microsoft Ignite Conference in Orlando, Florida, I’m thrilled to share the significant progress we’re making on delivering endpoint security from Microsoft, not just for Microsoft. The Microsoft Intelligent Security Association (MISA), formed just last year, has already grown to more than 80 members and climbing! These partnerships along with the invaluable feedback we get from our customers have positioned us as leaders in recent analyst reports, including Gartner’s Endpoint Protection Platform Magic Quadrant, Gartner’s Cloud Access Security Broker (CASB) Magic Quadrant and Forrester’s Endpoint Security Suites Wave and more.

As we continue to focus on delivering security innovation for our customers, we are:

  • Reducing the noise with Azure Sentinel—Generally available now, our cloud-native SIEM, Azure Sentinel, enables customers to proactively hunt for threats using the latest queries, see connections between threats with the investigation graph, and automate incident remediation with playbooks.
  • Discovering and controlling Shadow IT with Microsoft Cloud App Security and Microsoft Defender Advanced Threat Protection (ATP)—With a single click, you can discover cloud apps, detect and block risky apps, and coach users.
  • Enhancing hardware security with our partners—We worked across our partner ecosystem to offer stronger protections built into hardware with Secured-core PCs, available now and this holiday season.
  • Offering Application Guard container protection, coming to Office 365—In limited preview now, we will extend the same protections available in Edge today to Office 365.
  • Building automation into Office 365 Advanced Threat Protection for more proactive protection and increased visibility into the email attacker kill chain—New enhanced compromise detection and response in Office 365 ATP, in public preview now, gives SecOps teams increased visibility into the attacker kill chain so they can stop the spread of attacks sooner. Later this year, we’re adding campaign views that let security teams see the full phish campaign and derive key insights for further protection and hunting.
  • Getting a little help from your friends—Sometimes you need another set of eyes, sometimes you need more advanced investigators. Available now, with the new experts on demand service, you can extend the capabilities of your security operations center (SOC) with additional help through Microsoft Defender ATP.
  • Improving your Secure Score—Back up the strength of your team with numbers. New enhancements in Secure Score will make it easier for you to understand, benchmark, and track your progress. We also added new planning capabilities that help you set goals and predict score improvements, and new CISO Metrics & Trends reports that show the impact your work is having on the health of your organization in real time.
  • Taking another step in cross-platform protection—This month, we’re expanding our promise to offer protections beyond Windows with Enterprise Detection and Response for Apple Macs and Threat and Vulnerability Management for servers.

Infographic showing the Microsoft Intelligent Security Graph: unique insights, informed by trillions of signals from Outlook, OneDrive, Windows, Bing, Xbox Live, Azure, and Microsoft accounts.

There’s no way one person, or even one team, no matter how large, could tackle this volume of alerts on a daily basis. The Microsoft Intelligent Security Graph, the foundation for our security solutions, processes 8.2 trillion signals every day. We ground our solutions in this intelligence and build in protections through automation that’s delivered through our cloud-powered solutions, evolving as the threat landscape does. Only this combination will enable us to take back control and deliver on a Zero Trust network with more intelligent proactive protection.

Here’s a bit more about some of the solutions shared above:

Discovering and controlling cloud apps natively on your endpoints

As the volume of cloud applications continues to grow, security and IT departments need more visibility and control to prevent Shadow IT. At last year’s Ignite, we announced the native integration of Microsoft Cloud App Security and Microsoft Defender ATP, which enables our Cloud Access Security Broker (CASB) to leverage the traffic information collected by the endpoint, regardless of the network from which users are accessing their cloud apps. This seamless integration gives security admins a complete view of cloud application and services usage in their organization.

At this year’s Ignite, we’re extending this capability, now in preview, with native access controls based on Microsoft Defender ATP network protection that allow you to block access to risky and non-compliant cloud apps. We also added the ability to coach users who attempt to access restricted apps and provide guidance on how to use cloud apps securely.

Building stronger protections starting with hardware

As we continue to build in stronger protections at the operating system level, we’ve seen attackers shift their techniques to focus on firmware—a near 5x increase in the last three years. That’s why we worked across our vast silicon and first- and third-party PC manufacturing partner ecosystem to build in stronger protections at the hardware level in what we call Secured-core PCs to protect against this kind of targeted attack. Secured-core PCs combine identity, virtualization, operating system, hardware, and firmware protection to add another layer of security underneath the operating system.

Application Guard container protections coming to Office 365

Secured-core PCs deliver on the Zero Trust model, and we want to further build on those concepts of isolation and minimizing trust. That’s why I’m thrilled to share that the same hardware-level containerization we brought to the browser with Application Guard integrated with Microsoft Edge will be available for Office 365.

This year at Ignite, we are providing an early view of Application Guard capabilities integrated with Office 365 ProPlus. You will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. View, print, edit, and save changes to untrusted Office documents—all while benefiting from that same hardware-level security. If the untrusted file is malicious, the attack is contained and the host machine untouched. A new container is created every time you log in, providing a clean start as well as peace of mind.

When you want to consider the document “trusted,” files are automatically checked against the Microsoft Defender ATP threat cloud before they’re released. This integration with Microsoft Defender ATP provides admins with advanced visibility and response capabilities—providing alerts, logs, confirmation the attack was contained, and visibility into similar threats across the enterprise. To learn more or participate, see the Limited Preview Sign Up.

Automation and impact analysis reinvent Threat and Vulnerability Management

More than two billion vulnerabilities are detected every day by Microsoft Defender ATP and the included Threat and Vulnerability Management capabilities, and we’re adding even more capabilities to this solution.

Going into public preview this month, we have several enhancements, including: vulnerability assessment support for Windows Server 2008 R2 and above; integration with ServiceNow to further improve communication across IT and security teams; role-based access controls; advanced hunting across vulnerability data; and automated user impact analysis to give you the ability to simulate and test how a configuration change will impact users.

Automation in Office 365 ATP blocked 13.5 billion malicious emails this year

In September, we announced the general availability of Automated Incident Response, a new capability in Office 365 ATP that enables security teams to efficiently detect, investigate, and respond to security alerts. We’re building on that announcement, using the breadth of signals from the Intelligent Security Graph to amplify your ability to detect breaches through new enhanced compromised-user detection and response capabilities in Office 365 ATP.

Now in public preview, the solution leverages the insights from mail flow patterns and Office 365 activities to detect impacted users and alert security teams. Automated playbooks then investigate those alerts, look for possible sources of compromise, assess impact, and make recommendations for remediation.

Campaign detections coming to Office 365 ATP

Attackers think in terms of campaigns. They continuously morph their email attacks by changing attributes like sending domains and IP addresses, payloads (URLs and attachments), and email templates, attempting to evade detection. With campaign views in Office 365 ATP, you’ll be able to see the entire scope of the campaign targeted at your organization. This includes deep insights into how the protection stack held up against the attack—including where portions of the campaign might have gotten through due to tenant overrides, thereby exposing users. This view helps you quickly identify configuration flaws, targeted users, and potentially compromised users so you can take corrective action and identify training opportunities. Security researchers will be able to use the full list of indicators of compromise involved in the campaign to hunt further. This capability will be in preview by the end of the year.
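The correlation idea behind a campaign view, as an added illustration (this is not Office 365 ATP code and the linking heuristic is an assumption): individual messages rotate sender domain, IP, payload and template, but rarely all at once, so messages that share a template or a payload, or share both sender domain and IP, can be tied together with a union-find pass. The summary then reports what the page describes: blocked versus delivered counts, which deliveries were forced by a tenant override, which users were exposed, and the IOC set left over for hunting. The sample messages and the `allow-sender-domain` override name are constructed for the example.

```python
"""Group morphing phishing emails into campaigns by shared indicators.

Added example, not Microsoft code. Two messages are placed in the same
campaign when they share a body-template hash, share a payload (URL or
attachment hash), or share both sender domain and sender IP. That rule is
an assumed heuristic chosen so that rotating one attribute does not break
the chain.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender_domain: str
    sender_ip: str
    payload: str            # phishing URL or attachment hash
    template_hash: str      # hash of the normalized message body
    recipient: str
    verdict: str            # "blocked" or "delivered"
    override: Optional[str] = None  # tenant allow rule that forced delivery


class _UnionFind:
    def __init__(self, n: int) -> None:
        self.parent = list(range(n))

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _link_keys(m: Message):
    """Indicators strong enough on their own to tie two messages together.
    Domain and IP are weak individually (shared hosting, rotated senders),
    so they only link when both match (assumption)."""
    return (
        ("template", m.template_hash),
        ("payload", m.payload),
        ("infra", m.sender_domain, m.sender_ip),
    )


def cluster_campaigns(messages):
    """Return campaigns (lists of Message) largest first."""
    uf = _UnionFind(len(messages))
    first_seen = {}
    for i, m in enumerate(messages):
        for key in _link_keys(m):
            if key in first_seen:
                uf.union(first_seen[key], i)
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, m in enumerate(messages):
        groups[uf.find(i)].append(m)
    return sorted(groups.values(), key=len, reverse=True)


def summarize(campaign):
    """Protection-stack outcome, exposed users and IOCs for one campaign."""
    delivered = [m for m in campaign if m.verdict == "delivered"]
    return {
        "messages": len(campaign),
        "blocked": len(campaign) - len(delivered),
        "delivered": len(delivered),
        "delivered_by_override": sorted({m.override for m in delivered if m.override}),
        "exposed_users": sorted({m.recipient for m in delivered}),
        "iocs": {
            "domains": sorted({m.sender_domain for m in campaign}),
            "ips": sorted({m.sender_ip for m in campaign}),
            "payloads": sorted({m.payload for m in campaign}),
        },
    }


# Constructed sample, not real telemetry: one phish run that rotates domain,
# IP and URL while reusing the template (and later only the URL), plus one
# unrelated newsletter. m3 got through because of a tenant allow rule.
SAMPLE = [
    Message("m1", "invoice-portal.example", "203.0.113.10",
            "https://invoice-portal.example/login", "t-a1", "alice@corp.example", "blocked"),
    Message("m2", "secure-invoices.example", "203.0.113.11",
            "https://invoice-portal.example/login", "t-a1", "bob@corp.example", "blocked"),
    Message("m3", "secure-invoices.example", "203.0.113.11",
            "https://pay-now.example/v", "t-a1", "carol@corp.example", "delivered",
            override="allow-sender-domain"),
    Message("m4", "billing-alerts.example", "198.51.100.7",
            "https://pay-now.example/v", "t-a2", "dave@corp.example", "delivered"),
    Message("m5", "newsletter.example", "192.0.2.50",
            "https://newsletter.example/oct", "t-z9", "alice@corp.example", "delivered"),
]

if __name__ == "__main__":
    for campaign in cluster_campaigns(SAMPLE):
        print([m.msg_id for m in campaign], summarize(campaign))
```

Running it groups m1 through m4 into one campaign even though no two of them share every attribute, and leaves m5 on its own; the summary for the first campaign shows two blocked, two delivered, one of the deliveries caused by the `allow-sender-domain` override, and three sender domains plus two payload URLs to hunt on.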

Protection across platforms: enterprise detection and response (EDR) for Mac

Work doesn’t happen in just one place. We know that people use a variety of devices and apps from various locations throughout the day, taking business data with them along the way. That means more complexity and a larger attack surface to protect. Microsoft’s Intelligent Security Graph detects five billion threats on devices every month. To strengthen enterprise detection and response (EDR) capabilities for endpoints, we’re adding EDR capabilities to Microsoft Defender ATP for Mac, entering public preview this week. Moving forward, we plan to offer Microsoft Defender ATP for Linux servers, providing additional protection for our customers’ heterogeneous networks.

We understand the pressure defenders are under to keep pace with these evolving threats. We are grateful for the trust you’re putting in Microsoft to help ease the burdens on your teams and help focus your priority work.

The post Further enhancing security from Microsoft, not just for Microsoft appeared first on Microsoft Security.

Microsoft announces new innovations in security, compliance, and identity at Ignite

November 4th, 2019 No comments

Today, at the Microsoft Ignite Conference, we’re announcing new innovations designed to help customers across their security, compliance, and identity needs. With so much going on at Ignite this week, I want to highlight the top 10 announcements:

  1. Azure Sentinel—We’re introducing new connectors in Azure Sentinel to help security analysts collect data from a variety of sources, including Zscaler, Barracuda, and Citrix. In addition, we’re releasing new hunting queries and machine learning-based detections to assist analysts in prioritizing the most important events.
  2. Insider Risk Management in Microsoft 365—We’re announcing a new insider risk management solution in Microsoft 365 to help identify and remediate threats stemming from within an organization. Now in private preview, this new solution leverages the Microsoft Graph along with third-party signals, like HR systems, to identify hidden patterns that traditional methods would likely miss.
  3. Microsoft Authenticator—We’re making Microsoft Authenticator available to customers as part of the Azure Active Directory (Azure AD) free plan. Deploying Multi-Factor Authentication (MFA) reduces the risk of phishing and other identity-based attacks by 99.9 percent.
  4. New value in Azure AD—Previewing at the end of November, Azure AD Connect cloud provisioning is a new lightweight agent to move identities from disconnected Active Directory (AD) forests to the cloud. Additionally, we’re announcing secure hybrid access partnerships with F5 Networks, Zscaler, Citrix, and Akamai to simplify access to legacy-auth based applications. Lastly, we’re introducing a re-imagined MyApps portal to help make apps more discoverable for end-users.
  5. Microsoft Defender Advanced Threat Protection (ATP)—We’re extending our endpoint detection and response capability in Microsoft Defender ATP to include macOS, now in preview. We’re also planning to add support for Linux servers.
  6. Azure Security Center—We’re announcing new capabilities to find misconfigurations and threats for containers and SQL in IaaS while providing rich vulnerability assessment for virtual machines. Azure Security Center also provides integration with security alerts from partners and quick fixes for fast remediation.
  7. Microsoft information protection and governance—The compliance center in Microsoft 365 now provides the ability to view data classifications categorized by sensitive information types or associated with industry regulations. Machine learning also allows you to use your existing data to train classifiers that are unique to your organization, such as customer records, HR data, and contracts.
  8. Microsoft Compliance Score—Now in public preview, Microsoft Compliance Score helps simplify regulatory complexity and reduce risk. It maps your Microsoft 365 configuration settings to common regulations and standards, providing continuous monitoring and recommended actions to improve your compliance posture. We’re also introducing a new assessment for the California Consumer Privacy Act (CCPA).
  9. Application Guard for Office—Now available in preview, Application Guard for Office provides hardware-level and container-based protection against potentially malicious Word, Excel, and PowerPoint files. It utilizes Microsoft Defender ATP to establish whether a document is either malicious or trusted.
  10. Azure Firewall Manager—Now in public preview, customers can manage multiple firewall instances from a single pane of glass with Azure Firewall Manager. We’re also creating support for new firewall deployment topologies.

It’s a big week of announcements! More information will follow this blog in the next few days, and we’ll update this post with new content as the week progresses.

You can see all of our Microsoft Ignite sessions (live streaming or on-demand) and connect with experts on the Microsoft Tech Community.

The post Microsoft announces new innovations in security, compliance, and identity at Ignite appeared first on Microsoft Security.