Step 4. Set conditional access policies: top 10 actions to secure your environment

January 30th, 2019

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 4. Set conditional access policies, you'll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.

In today's workplace, users can work from anywhere, on any device. Whether using a company-provided laptop at the office, working from home, traveling for business, or using a personal mobile phone, employees expect to seamlessly access what they need to get work done. While the need for productivity may not change with circumstances, the level of risk of each sign-in does. Not all devices, apps, or networks are equally secure, and hackers will exploit any vulnerability that will give them access to your users and resources. It is critical to safeguard your identities, but it is not enough. You also need flexible security policies that are responsive to conditions.

Set up Azure Active Directory (Azure AD) conditional access policies

Azure AD conditional access lets you apply security policies that are triggered automatically when certain conditions are met. You can block access if the data suggests the user has been compromised or if it's highly unlikely that the user would sign in under those conditions. You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see "Sign-in risk" below).

We recommend that you apply policies that are appropriate for your organization for the following conditions:

  • Users and user groups: To reduce the risk that sensitive data is leaked, define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data.
  • Sign-in risk: Azure AD machine learning algorithms evaluate every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in. Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
  • Location: A location can be risky if it's in a country with limited security policies or if the wireless network is unsecure or simply because it's not a location where the organization typically does business. You can modify access requirements for sign-ins from locations that are not on an IP safe list or that are risky for other reasons. Users accessing a service when they're off the corporate network should be required to use MFA.
  • Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
  • Device state: Use this condition to define policies for unmanaged devices.
  • Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
  • Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an unmanaged device.

When a condition is met, you can choose what policy Azure AD will enforce:

  • Require MFA to prove identity.
  • Change the actions the user can take in cloud apps.
  • Restrict access to sensitive data (for example: limit downloads or sharing functionality).
  • Require a password reset.
  • Block access.

Once set, these policies will apply automatically without any manual intervention (Figure 1).

Figure 1. Azure AD automatically applies the policies you set based on condition.

Block legacy authentication and control access to highly privileged accounts

Old apps that use a legacy authentication method, such as POP3, IMAP4, or SMTP clients, can increase your risk because they prevent Azure AD from doing an advanced security assessment and don't allow more modern forms of authentication, such as MFA. We recommend you use client application conditional access rules (Figure 2) to block these apps entirely.

Figure 2. Apply conditional access rules to block client apps using legacy authentication methods.

You can also use conditional access rules to reduce the risk that highly privileged accounts or service accounts are compromised. For example, if your HR system uses a service account to access the email account, you can make sure it can only run against the service from a specific IP at the appropriate time of day.

Enhance conditional access with Intune and Microsoft Cloud App Security

Azure AD integrates with Intune, so that conditional access policies can consider the Intune device state as part of the policy, letting you set access controls for devices that have old operating systems or other security vulnerabilities. You can also use conditional access in Intune to make sure that only apps managed by Intune can access corporate email or other Office 365 services. Azure AD will enforce these rules.

Cloud App Security Conditional Access App Control extends conditional access to your SaaS apps. You can block downloads from apps, limit activities in the app, monitor risky users, or block access to the app entirely.

Once you have policies in place, we recommend that you use the Azure AD What If tool to simulate possible sign-in scenarios that your users may confront. The What If tool allows you to select a user, the app that user is trying to access, and the conditions of that sign-in to see which policies will apply (Figure 3). This step will give you a better sense of how your policies will affect your users. You can also check which policies do not apply to a specific scenario.

One final precaution: Be sure to set up an exception group for each conditional access policy, so you don't lock yourself out.

Figure 3. The Azure AD What If tool gives you a better sense of how your policies will impact your users.
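The conditions and controls listed above, the legacy-authentication block, the service-account lockdown and the exception-group precaution all come down to one evaluation: match each policy's conditions against a sign-in, then combine the controls of every policy that applied, with a block winning over everything else. The Python model below is an added example, not Microsoft's code and not the Azure AD engine. The policy names, the exception group `break-glass-admins`, the IP addresses (RFC 5737 documentation ranges), the app names other than Workday, and the sign-in records are all constructed for illustration, and the time-of-day restriction on the service account is modelled the same way as a location condition ("any location except trusted"), which is an assumption rather than a documented Azure AD feature. Running it prints a What If style report for each constructed sign-in, including how many policies did not apply.

```python
"""Toy model of Azure AD conditional access evaluation (added example, not Microsoft code).
Policies whose conditions match a sign-in all apply; their controls combine and "block" wins."""
from dataclasses import dataclass, field
from typing import Optional

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
LEGACY_CLIENTS = {"pop3", "imap4", "smtp"}   # legacy protocols named in the post
CORP_IPS = {"203.0.113.5", "203.0.113.10"}   # constructed "IP safe list"
BREAK_GLASS = "break-glass-admins"           # constructed exception group name
EXCEPT = {BREAK_GLASS}                       # excluded from every tenant-wide policy


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    client: str          # "browser", "mobile", "desktop" or a legacy protocol
    risk: str            # "low" | "medium" | "high", as scored by Identity Protection
    ip: str
    managed_device: bool
    hour: int            # local hour of the sign-in, 0-23


@dataclass
class Policy:
    name: str
    controls: set                                     # {"block"} or e.g. {"mfa"}
    users: Optional[set] = None                       # None = all users
    exclude_groups: set = field(default_factory=set)  # exception group: never subject to this policy
    apps: Optional[set] = None                        # None = all cloud apps
    clients: Optional[set] = None                     # client app condition
    min_risk: Optional[str] = None                    # sign-in risk at or above this level
    unmanaged_only: bool = False                      # device state condition
    trusted_ips: Optional[set] = None                 # location: applies only OUTSIDE these IPs
    allowed_hours: Optional[range] = None             # assumed: applies only OUTSIDE this window

    def applies(self, s: SignIn) -> bool:
        """A policy applies when every configured condition matches the sign-in."""
        if self.exclude_groups & s.groups:            # the exception group is checked first
            return False
        return all([
            self.users is None or s.user in self.users,
            self.apps is None or s.app in self.apps,
            self.clients is None or s.client in self.clients,
            self.min_risk is None or RISK_ORDER[s.risk] >= RISK_ORDER[self.min_risk],
            not self.unmanaged_only or not s.managed_device,
            # location and time are "any location except trusted": only a sign-in
            # from outside the trusted IPs or outside the window triggers the policy
            self.trusted_ips is None or s.ip not in self.trusted_ips,
            self.allowed_hours is None or s.hour not in self.allowed_hours,
        ])


def evaluate(policies, s):
    """Return (decision, required controls, applied policy names, non-applied names)."""
    applied = [p for p in policies if p.applies(s)]
    skipped = [p.name for p in policies if not p.applies(s)]
    controls = set().union(*(p.controls for p in applied))
    decision = "block" if "block" in controls else "allow"
    return decision, controls - {"block"}, [p.name for p in applied], skipped


# Constructed policy set following the post's recommendations.
POLICIES = [
    Policy("Block legacy authentication", {"block"}, clients=LEGACY_CLIENTS, exclude_groups=EXCEPT),
    Policy("MFA on medium sign-in risk", {"mfa"}, min_risk="medium", exclude_groups=EXCEPT),
    Policy("Block high sign-in risk", {"block"}, min_risk="high", exclude_groups=EXCEPT),
    Policy("MFA off the corporate network", {"mfa"}, trusted_ips=CORP_IPS, exclude_groups=EXCEPT),
    Policy("Workday: block unmanaged devices", {"block"}, apps={"Workday"}, unmanaged_only=True,
           exclude_groups=EXCEPT),
    # Service-account lockdown as two single-condition policies, so a sign-in
    # outside EITHER the HR server IP or the nightly window is blocked.
    Policy("svc-hr: only from the HR server", {"block"}, users={"svc-hr"}, trusted_ips={"203.0.113.10"}),
    Policy("svc-hr: only during the nightly sync", {"block"}, users={"svc-hr"}, allowed_hours=range(1, 4)),
]


def demo():
    """Run constructed sign-ins through the policy set, What If style, and return the outcomes."""
    cases = {
        "alice in the office": SignIn("alice", {"staff"}, "SharePoint", "browser", "low", "203.0.113.5", True, 10),
        "alice from home": SignIn("alice", {"staff"}, "SharePoint", "browser", "low", "198.51.100.7", True, 10),
        "bob over IMAP": SignIn("bob", {"staff"}, "Exchange", "imap4", "low", "203.0.113.5", True, 9),
        "carol, Workday, unmanaged": SignIn("carol", {"staff"}, "Workday", "browser", "low", "198.51.100.9", False, 11),
        "alice, high risk": SignIn("alice", {"staff"}, "SharePoint", "mobile", "high", "198.51.100.7", True, 3),
        "svc-hr nightly sync": SignIn("svc-hr", set(), "Exchange", "desktop", "low", "203.0.113.10", True, 2),
        "svc-hr at midday": SignIn("svc-hr", set(), "Exchange", "desktop", "low", "203.0.113.10", True, 12),
        "break-glass, high risk": SignIn("admin-bg", EXCEPT, "Azure portal", "browser", "high", "198.51.100.7", False, 4),
    }
    results = {}
    for label, s in cases.items():
        decision, controls, applied, skipped = evaluate(POLICIES, s)
        results[label] = (decision, sorted(controls), applied)
        print(f"{label:26} -> {decision:5} {sorted(controls)} via {applied}; {len(skipped)} policies did not apply")
    return results


if __name__ == "__main__":
    demo()
```

Two design points carry over to a real tenant. Controls from several matching policies accumulate rather than replace one another, so a sign-in from home on an unmanaged device to Workday both requires MFA and is blocked, and the block is what the user sees. And because the exception group is checked before any other condition, the break-glass account signs in even at high risk: that is exactly the lockout safeguard the post asks for, which is why such accounts need separate monitoring rather than policy coverage.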

Learn more

Check back in a few weeks for our next blog post, Step 5. Set up mobile device management, where we'll dive into how to plan your Intune deployment and set up mobile device management as part of your Unified Endpoint Management strategy.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 4. Set conditional access policies: top 10 actions to secure your environment appeared first on Microsoft Secure.

Voice of the Customer: Azure AD helps lululemon enable productivity and security all at once for its employees

January 23rd, 2019

Today's post was written by Sue Bohn, Director of Program Management at Microsoft, and Simon Cheng, who is responsible for Identity and Access Management at lululemon.

Happy New Year and welcome to the next installment of the Voice of the Customer blog series. My name is Sue Bohn and I am the director of Program Management for Identity and Access Management. I'm really excited about our next blog in this series. Last time, we featured The Walsh Group. Today, I am sharing a story from lululemon, who really inspired me to think more broadly about what you can achieve when you step back and look at where you want to go.

Simon Cheng, responsible for Identity and Access Management at lululemon, is today a strong believer that every step towards cloud Identity and Access Management makes you more secure, but that wasn't always the case. Read on to learn more about lululemon's experience implementing Azure Active Directory (Azure AD).

Too many apps, too many passwords

At lululemon, our journey to Azure AD began with two overarching business requirements: 1. Secure all our apps and 2. Simplify user access. We knew, based on the typical behavior we've seen in the past, that most of our users were likely using the same corporate password across all the apps they use, including the ones we don't manage. This meant that if even just one of these apps had security vulnerabilities, a hacker could exploit the vulnerability to get into our corporate resources. And we would have no idea! Our security is only as strong as the weakest app being accessed, and so if you can imagine the challenge was that we had over 300+ applications! To protect our corporate resources, we needed to ensure that the authentication process for each app was secure.

Our shadow IT environment wasn't just a security challenge, it also frustrated our users. Over and over we heard there are too many portals and too many passwords. This sentiment drove our second business requirement, which we boiled down to an overriding principle: Not another portal, not another password. So, our solution needed to address security and simplify user access without reducing business flexibility. The obvious answer was to consolidate identities, and this quickly led us to Azure AD and Microsoft Enterprise Mobility + Security (EMS). As an Office 365 customer, our users were comfortable and familiar with the Office 365 sign-in experience, and so it was an easy decision. Once we had chosen a solution, our next big task was rolling it out without disrupting our users, which is really where my concern was: would our users embrace it?

Single Sign On (SSO) sells itself

When we began the rollout of Azure AD, our top concern was whether our employees would comply. As it turns out I completely underestimated our users, and my concerns were really nothing. Within three months of the Azure AD rollout, our users loved the SSO experience so much that the business units came to us requesting that additional apps get rolled on. Even risk-based Multi-Factor Authentication (MFA) enforced by Azure AD conditional access policy feature went smoother than I expected. We hardly heard any complaints and even fewer calls on how to set it up. For highly sensitive apps, such as our financial and HR apps, we followed a recommended approach to enforce MFA at every sign-in. For several other less sensitive apps, we were able to prioritize user experience and protect them with risk-based conditional access rules.

In 2013, we had two apps onboarded: ServiceNow and Workday; now we have over 200! And every single one of our 18,000 users is protected by conditional access and MFA. I am really proud of this accomplishment as it has enabled higher productivity for our organization while maintaining stronger security because our employees are using it! This experience taught me not to underestimate our users, and I think this is because they are familiar with security measures, having already learned to do so through consumer services such as social media. Had I known this when we started, I would have deployed Azure AD much sooner.

The cloud allowed us to implement more security features faster than we ever could on-premises

Once we had Azure AD deployed, our next project was to implement Azure AD Privileged Identity Management (PIM). Azure AD PIM allows us to enable just in time administrative access, which significantly reduces the possibility that our administrative accounts will get compromised. Launching PIM was an eye-opening experience! This is a capability that is very labor intensive and time consuming to operate typically.

I am constantly delighted with how fast I can deploy services in the cloud, Azure AD PIM being a prime example. More often than not, the trap I've seen organizations fall into is that they plan based on capabilities that exist within solutions rather than what's needed to secure their users. This is exactly where Azure AD and cloud wins over on-premises solutions. My takeaway has been that it is better to step back and plan what needs to be done for my organization and then just let the cloud services roll in almost automagically. Of course, where there are gaps, I work directly with the Azure AD engineering team!

Just in the last year, we have deployed, from pilot to production:

  1. Azure AD Connect implementation and Self Service Password Reset (SSPR) migration from the old tool (6 weeks)
  2. MFA registration, Azure AD conditional access, and Azure AD Identity Protection (7 weeks)
  3. Microsoft Advanced Threat Analytics (3 weeks)
  4. Group-based licensing (3 days)
  5. Azure Information Protection (8 weeks)
  6. Azure AD Privileged Identity Management (3 days!)
  7. Countless apps (each in a matter of hours!)

Learnings from lululemon

A big thanks to Simon! It is always great to learn from our customers' deployments. In lululemon's case, the need to take a step back and develop a plan based on the security goals, rather than a set of capabilities, really hits home. We can always plan something in the confines of what we currently have, but the fact is that new features get rolled out at cloud speed. It is great to see customers like lululemon deploy services in the cloud so quickly and benefit from them. Come back to our Secure blog to check in on our next customer blog and also read some other articles around Identity and Access Management and Zero Trust Networks.

The post Voice of the Customer: Azure AD helps lululemon enable productivity and security all at once for its employees appeared first on Microsoft Secure.

Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices

Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud are fading. Sensitive data constantly travels between different locations and is often shared with others both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.

Additionally, the threat landscape is evolving. External adversaries and insider threats are becoming more sophisticated and dangerous. Data breaches are at an all-time high in terms of both the number of breaches and the overall severity and business impact. As a result, governments and regulators are instituting stricter regulations with unprecedented fines for not properly protecting and governing sensitive information.

Traditional solutions that put walls around your network perimeter do not suffice. You are at risk of over-protecting where you shouldn't, degrading employee productivity by interrupting legitimate workflows, and under-protecting where you should when sensitive data is being exfiltrated.

Consider the following principles when shaping your information protection strategy:

  1. Visibility: You can't protect what you can't see. Strive to achieve complete visibility into sensitive data across all repositories.
  2. Data-centric protection: Protect your data, not your perimeter. Apply information protection capabilities that are content-aware to improve protection coverage and reduce end-user friction due to unnecessary interruptions. Make sure sensitive data stays protected wherever it goes; this is especially important in a modern workplace, where data is constantly on the move.
  3. Assume breach: Sophisticated attackers, external adversaries, or insider threats will find a way around any wall you put in front of them. Implement post-breach techniques that constantly monitor sensitive data usage in your organization, correlate this data to other suspicious behaviors, and allow you to respond and mitigate risks.

The endpoint is a key point of control when implementing an effective information protection strategy based on these principles. Endpoints are often the entry for sophisticated attacks conducted by an external adversary or an insider threat. Combine it with the fact that endpoints are usually the darkest spot in the enterprise for security and compliance teams, and you end up with a critical weakness in the enterprise information security posture.

Windows Defender Advanced Threat Protection (Windows Defender ATP), Microsoft's endpoint protection platform, addresses this challenge by integrating with Azure Information Protection, Microsoft's data classification, labeling, and protection solution. This integration empowers Windows to natively understand Azure Information Protection sensitivity labels, to provide visibility into sensitive data on endpoints, to protect sensitive data based on its content, and to detect and respond to post-breach malicious activity that involves or affects sensitive data.

Windows Defender ATP is built into the OS, removing the need for deployment and agent maintenance, ensuring that end-user experience is not impacted when performing legitimate business workflows. No on-premises infrastructure or endpoint agents are required. The seamless integration with Azure Information Protection reporting and management experience ensures that data administrators can continue to leverage their existing Azure Information Protection experience to manage these new capabilities.

Discover sensitive documents on Windows devices

Windows Defender ATP's built-in sensors discover labeled data on every device monitored by the Windows Defender ATP service. The Azure Information Protection reporting experience is then enriched with the labeled documents discovered on Windows devices, so existing Azure Information Protection customers get immediate visibility into sensitive data on devices from the same dashboard and analytics tools they use today.

Figure 1. Azure Information Protection Data discovery dashboard shows data discovered by both Windows Defender ATP and Azure Information Protection

It doesn't end there. Being an endpoint protection suite, Windows Defender ATP also monitors and calculates a device risk level, an aggregated indicator of the active security threats on each device. This risk level is shared with Azure Information Protection reports, so data administrators can see whether sensitive corporate data resides on any compromised device. To understand why a device is flagged, a single click in the Azure Information Protection dashboard opens that device's record in Windows Defender ATP, where the administrator can investigate and mitigate the detected threats.

Figure 2. Azure Information Protection Data discovery dashboard shows device risk calculation

Turning on this integration is a matter of a single flip of a switch in the advanced features settings page in Windows Defender Security Center. Windows endpoints will start discovering labeled documents immediately.

Figure 3. Windows Defender Security Center Settings page

Prevent sensitive data leaks from Windows devices

Windows Defender ATP can further protect sensitive data by providing data loss prevention (DLP) functionality. Built on the combination of Windows Defender ATP's native OS sensors and its cloud-based analytics, Windows Defender ATP helps detect and mitigate data leak risks ranging from accidental end-user mistakes to sophisticated malicious attacks.

It all starts in the Office 365 Security and Compliance Center (SCC), Microsoft's unified management console for information protection, where you manage the information protection settings that apply to Windows devices. As part of a label policy, you define whether files carrying a specific label are protected by Windows Defender ATP.

Figure 4. Office Security & Compliance Center Endpoint data loss prevention configuration page

Once that policy is in place, Windows Defender ATP starts protecting documents with a matching label. Protection is applied by automatically enabling Windows Information Protection, which prevents client apps, cloud apps, and network locations that are not on the allowed list from accessing protected files and their content, reducing the risk of a data leak.

In addition, Windows Defender ATP brings sensitive data awareness into Windows Defender Security Center. Each incident or alert raised in Windows Defender Security Center carries a data sensitivity attribute, generated by aggregating the sensitivity of all labeled files discovered on the devices affected by the incident. Security analysts can therefore prioritize incident response by data sensitivity, and can use that context throughout an investigation: from the incident dashboard, through the sensitive data exposure of specific machines, all the way to Advanced hunting.

Figure 5. Windows Defender Security Center Incident queue, sorted by data sensitivity
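The two questions the dashboards above answer (which devices are at high risk, and which labeled files sit on them) can also be asked from a script. The following is an added example, not code from the original post or from Microsoft; it calls the Defender for Endpoint API, which is the current name of the Windows Defender ATP service API, and uses the current Advanced hunting table name DeviceFileEvents (this post predates that naming). It assumes an Azure AD app registration with the Machine.Read.All and AdvancedQuery.Read.All application permissions; the tenant ID, app ID and secret are placeholders.

```powershell
# Added example (not from the original post): list high-risk devices and the
# labeled files observed on them through the Defender for Endpoint API.
# Assumes an app registration with Machine.Read.All and AdvancedQuery.Read.All.
$tenantId  = "<tenant-id>"      # placeholder
$appId     = "<app-id>"         # placeholder
$appSecret = "<app-secret>"     # placeholder; read from a vault in real use

# Client-credentials token for the Defender for Endpoint resource.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $appId
        client_secret = $appSecret
        scope         = "https://api.securitycenter.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# 1. Devices whose aggregated risk score is High: the "device risk level"
#    that the Azure Information Protection dashboard surfaces.
$riskyDevices = (Invoke-RestMethod -Headers $headers `
    -Uri "https://api.securitycenter.microsoft.com/api/machines?`$filter=riskScore eq 'High'").value

if (-not $riskyDevices) { Write-Host "No high-risk devices."; return }

# 2. Advanced hunting: labeled files seen on those devices in the last 7 days.
$deviceIdList = ($riskyDevices.id | ForEach-Object { "'$_'" }) -join ","
$query = @"
DeviceFileEvents
| where Timestamp > ago(7d)
| where DeviceId in ($deviceIdList)
| where isnotempty(SensitivityLabel)
| summarize LabeledFiles = dcount(SHA1), Labels = make_set(SensitivityLabel) by DeviceId, DeviceName
| order by LabeledFiles desc
"@

$result = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
    -Uri "https://api.securitycenter.microsoft.com/api/advancedqueries/run" `
    -Body (@{ Query = $query } | ConvertTo-Json)

# Devices that are both compromised and holding sensitive data come first.
$result.Results | Format-Table DeviceName, LabeledFiles, Labels
```

The risk filter is applied server-side and the hunting query is scoped to the returned device IDs, so the output is exactly the intersection the post describes: sensitive data on devices that currently have active threats. The 7-day window and the High-only filter are choices for the example, not fixed by the service.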

Conclusion

Protecting sensitive data requires a comprehensive approach. Sensitive data stored on devices that are constantly on the move presents its own unique challenges. Windows Defender ATP and Azure Information Protection work together to effectively reduce the possibility of losing sensitive data. Together, these solutions provide discovery and protection capabilities required to govern and protect sensitive data, enforce compliance, and proactively mitigate risks.

These are just the first few steps we've taken to enhance the information protection capabilities. Stay tuned for more upcoming features built into Windows 10.

Start here to learn how you can take advantage of this capability.

Omri Amdursky
Windows Defender ATP team

The post Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices appeared first on Microsoft Secure.

Step 3. Protect your identities: top 10 actions to secure your environment

January 16th, 2019 No comments

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 3. Protect your identities, you'll learn how to define security policies to protect individual user identities against account compromise and protect your administrative accounts.

Whether or not you have experienced a security incident in the past, you probably know that it's not a matter of if an attacker will successfully compromise your corporate resources, but when. This is what is meant by an "assume breach" mindset. Preventative measures are critical, but in an "assume breach" world, so are detection and rapid response. Azure Active Directory (Azure AD) Identity Protection can help you rapidly uncover anomalies or suspicious incidents and configure policies that automate a response. With Azure AD Privileged Identity Management (PIM), you can protect your administrative accounts. The faster you discover an attacker and take back control, the less damage that attacker can do, saving you time, money, and reputation.

Reduce the time an attacker has access to your network

Most breaches begin with stolen or guessed user credentials. Once attackers gain access, they attempt to escalate those privileges, or they exploit their access to discover and target administrative users with access to valuable data. Rapid detection of a compromised account, no matter its access level, is critical. This can be challenging in a large enterprise with thousands of users.

Azure AD uses machine learning to analyze every sign-in to uncover anomalies or suspicious incidents. It then assigns a risk level of low, medium, or high to indicate how likely it is that the sign-in was not performed by the user. This is called a risk event. Azure AD also analyzes risk events for each user and calculates a risk level of low, medium, or high to indicate how likely it is that a user has been compromised. Azure AD Identity Protection uses this data to generate reports and alerts that can be viewed from a dashboard (Figure 1) in the Azure portal or by enabling daily or weekly emails.

Figure 1. Azure AD Identity Protection reports users who are likely compromised.

Automate response with Azure AD risk-based conditional access policies

In addition to reporting, Azure AD Identity Protection also lets you configure policies to automate a response based on conditions you define. A sign-in risk policy is a conditional access policy that you configure based on the risk level assigned to a sign-in (Figure 2). A user risk policy is a conditional access policy that you configure based on the likelihood that a user has been compromised. For example, we recommend that you create a sign-in risk policy that forces all medium-risk sign-ins to use Multi-Factor Authentication (MFA). We also recommend that users with a high risk level be required to safely change their password after verifying their identity using MFA. In both instances, these policies are enforced automatically without any intervention by an administrator. (We'll go into more detail about Azure AD conditional access policies in our next blog.)

Figure 2. Apply a policy that blocks or flags risky sign-ins.
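The two policies recommended above, expressed as Azure AD conditional access policies created through Microsoft Graph. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell module, an account that can consent to Policy.ReadWrite.ConditionalAccess, and an existing emergency-access (break-glass) group whose object ID is a placeholder below.

```powershell
# Added example (not from the original post): create the sign-in risk and
# user risk policies as conditional access policies via Microsoft Graph.
# Assumes the Microsoft.Graph module; the break-glass group ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Emergency-access accounts are excluded so that a risk false positive, or an
# outage of the risk engine, can never lock every administrator out.
$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder

# Policy 1: medium or high sign-in risk must pass MFA.
$signInRiskPolicy = @{
    displayName   = "Risk: require MFA for medium and high sign-in risk"
    state         = "enabledForReportingButNotEnforced"  # report-only first; set to "enabled" after review
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: a high-risk user must verify with MFA and then change the password.
# The AND operator is what makes MFA a precondition of the password change.
$userRiskPolicy = @{
    displayName   = "Risk: secure password change for high user risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
}
```

Both policies start in report-only mode so the sign-in logs show who would have been challenged or forced to change a password before anything is enforced. The passwordChange control only works for users who are registered for self-service password reset, so check that registration is in place before switching the second policy to enabled.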

Protect your administrative accounts with Azure AD PIM

Even with good detection and response tools, there is still a chance that an attacker will make it through your defenses. In those instances, you need to minimize the likelihood that a compromised account can operate with a privileged role. Azure AD PIM gives you visibility into the users assigned to administrative roles and allows you to establish rules and policies that govern those accounts. Once you've identified the users, you can remove those who don't need privileged access and change the remaining users' assignments from permanent to eligible (Figure 3). A user who is eligible for administrative access must request access every time they wish to perform a privileged task. We recommend that you enable MFA for all privileged roles, so you can verify their identity. We also recommend that you establish time limits for administrator access. Users should only have access long enough to complete the privileged task. These steps will make it much more difficult for an attacker to gain access to your most valuable data and resources.

Figure 3. Protect administrative roles by setting users to “Eligible.”
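The permanent-to-eligible move described above, scripted against the Microsoft Graph PIM endpoints for the Global Administrator role. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell module, an Azure AD Premium P2 tenant, consent to RoleManagement.ReadWrite.Directory, and a list of break-glass account object IDs (placeholder below) that must stay permanently assigned.

```powershell
# Added example (not from the original post): replace permanent Global
# Administrator assignments with time-bound PIM-eligible ones via Microsoft Graph.
# Assumes the Microsoft.Graph module; the break-glass IDs are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$graph            = "https://graph.microsoft.com/v1.0"
$roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator built-in template ID
$breakGlassIds    = @("<break-glass-user-object-id>")         # placeholder; these stay permanent

# 1. Current active assignments of the role. assignmentType is "Assigned" for
#    permanent assignments and "Activated" for PIM activations in progress.
$instances = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/roleManagement/directory/roleAssignmentScheduleInstances?`$filter=roleDefinitionId eq '$roleDefinitionId'").value

foreach ($instance in $instances) {
    if ($instance.assignmentType -ne "Assigned") { continue }    # leave in-flight activations alone
    if ($instance.memberType -ne "Direct") { continue }          # group-inherited assignments are handled on the group
    if ($breakGlassIds -contains $instance.principalId) { continue }

    $principalId = $instance.principalId

    # 2. Create the eligible assignment first, limited to 180 days so it comes up for review.
    $eligible = @{
        action           = "adminAssign"
        justification    = "Move permanent Global Administrator assignment to PIM-eligible"
        roleDefinitionId = $roleDefinitionId
        directoryScopeId = "/"
        principalId      = $principalId
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = "P180D" }
        }
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/roleManagement/directory/roleEligibilityScheduleRequests" -Body $eligible | Out-Null

    # 3. Only once eligibility exists, remove the permanent assignment.
    $remove = @{
        action           = "adminRemove"
        justification    = "Permanent assignment replaced by PIM eligibility"
        roleDefinitionId = $roleDefinitionId
        directoryScopeId = "/"
        principalId      = $principalId
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests" -Body $remove | Out-Null

    Write-Host "$principalId is now eligible for, not permanently assigned to, Global Administrator"
}
```

The ordering matters: the eligible assignment is created before the permanent one is removed, so an administrator is never left without a path back to the role. Requiring MFA on activation and capping the activation duration, the two other recommendations above, are role settings (the role management policy for the role) rather than properties of the assignment, and are configured separately from this script.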

Learn more

Check back in a few weeks for our next blog post, Step 4. Set conditional access policies, where we'll dive into additional conditional access policies you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 3. Protect your identities: top 10 actions to secure your environment appeared first on Microsoft Secure.

The evolution of Microsoft Threat Protection, January update

January 16th, 2019 No comments

As the new year begins, progress with Microsoft Threat Protection continues. It remains one of the only solutions available in the market providing comprehensive, end-to-end security for the modern workplace. Microsoft Threat Protection helps users gain optimal security from the moment they sign in to their laptops or mobile devices, check their email or begin work on their documents, or use the many cloud applications common in the modern workplace. IT administrators benefit from minimal complexity in staying ahead of the threat landscape, gaining visibility and control over the expanding attack surface, and reducing the time, cost, and effort needed to understand and act on the trillions of threat signals observed from their IT environment.

In previous posts, we provided examples of how Microsoft Threat Protection helps secure across identities, endpoints, email and data, apps, and infrastructure. We also highlighted how Microsoft Threat Protection quickly and efficiently handled the Tropic Trooper attack campaign. Today, we highlight examples of automation and seamless integration which are core differentiators for Microsoft Threat Protection. We first discuss new automation capabilities that improve security for your apps ecosystem. Next, we share results from the MITRE evaluation that exemplifies how signal sharing across integrated security services helps provide impressive threat detection capabilities for endpoints.

Simplifying the life of SecOps with automated security workflows

Automation is a key attribute of Microsoft Threat Protection. While it comes in many forms, the intent is always to help reduce the burden on security teams tasked with handling the myriad and frequent threats modern organizations deal with. Automation can address basic security needs, enabling security teams to focus on the more challenging security problems. This ultimately helps make organizations less susceptible to threats.

The following example demonstrates how our automation capabilities can simplify the oversight for cloud apps and services. Microsoft Threat Protection helps secure cloud apps and services with Microsoft Cloud App Security, a premier Cloud Access Security Broker (CASB) service. It gives visibility into cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and enables control over data travel. Leading organizations such as Accenture leverage the monitoring capabilities of Cloud App Security to detect anomalous behavior in their SaaS and cloud apps. Now imagine adding the benefit of automated workflows to this already powerful service. We have heard feedback in countless discussions with Security Operations (SecOps) professionals that solutions enabling automated processes would help significantly by reducing the number of incidents requiring direct oversight.

To serve this customer need, we're excited to announce the integration of Microsoft Flow with Cloud App Security (Figure 1). This new integration supports a series of powerful use cases for centralized alert automation and orchestration, using out-of-the-box and custom workflow playbooks that work with the systems of your choice. Microsoft Flow draws on an ecosystem of connectors to over 100 third-party services, including ServiceNow, Jira, and SAP. The combination of Cloud App Security and Microsoft Flow lets security specialists create playbooks that work with the systems of their choice, fit existing in-house processes, and automate the triage of alerts. Learn more about the detailed use cases and capabilities this integration facilitates.

Figure 1. Microsoft Cloud App Security + Microsoft Flow integration schematic.

Demonstrating industry leading optics and detection for endpoint security

The Microsoft Intelligent Security Graph is the foundational element of Microsoft Threat Protection powering every service in the solution, providing a blend of deep and broad threat signals, and leveraging machine learning for intelligent signal correlation. The Intelligent Security Graph seamlessly integrates all Microsoft Threat Protection services, enabling each to share signal.

For example, Windows Defender Advanced Threat Protection (ATP) correlates signals across endpoints and identities by using signal from Azure ATP (identity security). MITRE recently evaluated Windows Defender ATP's ability to detect techniques used by the attack group APT3 (also known as Boron or UPS). Windows Defender ATP's capabilities registered the best optics and top detection coverage across the attacker kill chain. Seamless integration is a tenet of Microsoft Threat Protection, and the results from the MITRE evaluation provide another example of how integration across different security services leads to security gains.

It is important to note that MITRE evaluates detection capabilities only. Windows Defender ATP also provides protection and response to threats. In a customer environment, Windows Defender ATP would have blocked many of the attack techniques at onset by leveraging attack surface reduction and next-gen protection capabilities. In addition, investigation and hunting features enable security operations personnel to correlate alerts and incidents, enabling holistic response actions.

To learn more about Microsoft's MITRE results, read Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP and visit the MITRE website. Please reach out to your Microsoft rep to walk through the full details of the results.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection and read our previous monthly updates. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities.

Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, January update appeared first on Microsoft Secure.

Categories: cybersecurity Tags:


Microsoft gains strong customer and analyst momentum in the Cloud Access Security Brokers (CASB) market

January 15th, 2019 No comments

After a strong year of product updates and innovations, we're excited to see that Microsoft jumped into the Challenger position in Gartner's 2018 Magic Quadrant for Cloud Access Security Brokers (CASB) and solidified its leadership position in KuppingerCole's 2018 Leadership Compass in the same product category, backed by strong customer adoption rates.

CASBs give organizations the ability to securely embrace the possibilities of their cloud apps and services, and they can be crucial in driving a successful cloud security strategy.

While the market for CASB is still relatively young, analyst firm Gartner, Inc. predicts that 60 percent of large enterprises will be using CASB technologies by 2020, with independent forecasts expecting a total addressable market of $7.5 billion in the same timeframe.

We have seen a steep increase in the adoption of Microsoft Cloud App Security across all customer segments, ranging from large enterprises such as global energy leader BP, to smaller organizations such as Affinity Workforce. Our internal estimates show that Microsoft Cloud App Security has a current market share of more than 30 percent in the CASB space. This provides us with insights from billions of signals every day, and direct input from the many organizations that we work with, allowing us to continuously improve the product and react to what we're seeing in the market.

By integrating with leading security, identity, and productivity solutions across Microsoft 365, Microsoft Cloud App Security is uniquely positioned to drive innovation in the CASB space. Recent additions include our native integration with Windows Defender Advanced Threat Protection and our consistent labeling experience via Azure Information Protection. Among many others, these help organizations gain visibility into their cloud apps and services, provide sophisticated analytics to identify and combat cyber threats, and control the travel of sensitive information, equally supporting Microsoft's native cloud services and numerous third-party cloud apps and services, such as Dropbox, Salesforce, and others.

Microsoft Cloud App Security's portfolio of native product integrations.

2018 analyst momentum

In Gartner's 2018 report, we significantly improved our positioning and moved along both axes, Completeness of Vision and Ability to Execute, up from Niche Player to Challenger. We see the substantial improvement as a testament to our strong ability to execute against our feature roadmap and the momentum we are gaining with customers.

Magic Quadrant for CASB. Source: Gartner (October 2018)*

In its 2018 report, analyst firm KuppingerCole positions Microsoft as a Leader for the second year in a row. This further emphasizes the strength of our native integrations across Microsoft 365, including Azure Active Directory (Azure AD), Office 365, and Azure Security Center, and the significant customer base of Microsoft Cloud App Security.

Leadership Compass for CASB. Source: KuppingerCole (October 2018)

This year's results confirm Microsoft's strong commitment and rapid progress in this space, and with the progress of the overall market, the importance for organizations to start considering the use of a CASB continues to increase.

Learn more

We have made both 2018 analyst reports available for review. Download the Gartner Magic Quadrant 2018 for CASBs report and the KuppingerCole Leadership Compass 2018 report.

If you're not using Microsoft Cloud App Security, start a free trial today and learn how to get started with our detailed technical documentation.

If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

To stay up to date with our latest product innovations, follow our product blog.

*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft gains strong customer and analyst momentum in the Cloud Access Security Brokers (CASB) market appeared first on Microsoft Secure.



Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available

We're excited to announce the availability of the Center for Internet Security's (CIS) Microsoft 365 Foundations Benchmark, developed by CIS in partnership with Microsoft, to provide prescriptive guidance for establishing a secure baseline configuration for Microsoft 365. CIS is a nonprofit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.

Microsoft 365 provides powerful online cloud services that enable collaboration, security and compliance, mobility, intelligence, and analytics. Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer responsible for others, depending on the service delivery model chosen. To ensure that a customer's cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings.

The CIS Microsoft 365 Foundations Benchmark is designed to assist organizations in establishing the foundation level of security for anyone adopting Microsoft 365. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.

The CIS benchmark contains two levels, each with slightly different technical specifications:

  • Level 1: Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2: Recommended security settings for highly secure environments that could result in some reduced functionality.

The CIS Microsoft 365 Security Benchmark is divided into the following sections:

Section                           Description                                                                                     Recommended controls
Account/Authentication policies   Recommendations related to setting the appropriate account and authentication policies.        8
Application permissions           Recommendations related to the configuration of application permissions within Microsoft 365.  4
Data management                   Recommendations for setting data management policies.                                           6
Email security/Exchange Online    Recommendations related to the configuration of Exchange Online and email security.             13
Auditing policies                 Recommendations for setting auditing policies on your Microsoft 365 tenant.                     14
Storage policies                  Recommendations for securely configuring storage policies.                                      2
Mobile device management          Recommendations for managing devices connecting to Microsoft 365.                               13
Total recommendations                                                                                                             60

Each recommendation contains several sections, including a recommendation identification number, title, and description; level or profile applicability; rationale; instructions for auditing the control; remediation steps; impact of implementing the control; default value; and references. For example, the first control contained in the benchmark is under the Account/Authentication policies section and is titled: 1.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles (Scored).

A control is marked as Scored or Not Scored based on whether it can be programmatically tested. In this case, recommendation 1.1 can be audited using Microsoft Graph and PowerShell cmdlets. The specific steps for auditing the control are contained in the Audit section for this recommendation. This recommendation is listed as a Level 1 control because it applies only to Microsoft 365 administrative users and would not have a company-wide impact or reduce functionality for users. The rationale for recommendation 1.1 is that Microsoft 365 administrative accounts need to be protected because of their powerful privileges; with multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk to the Azure tenant.
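As an added example of what auditing recommendation 1.1 can look like in practice (this is neither the benchmark's own Audit procedure nor Microsoft code), the following PowerShell uses the MSOnline module to list members of Azure AD administrative roles whose per-user MFA state is neither Enabled nor Enforced. It assumes the MSOnline module is installed and that Connect-MsolService has already been run with an account that can read roles and users; the function name and its RoleNamePattern parameter are this example's own.

```powershell
# Added example, not part of the CIS benchmark or of Microsoft's documentation.
# Lists users holding Azure AD administrative roles whose per-user MFA state
# is neither 'Enabled' nor 'Enforced' (CIS Microsoft 365 Foundations 1.1).
# Assumes: MSOnline module installed and Connect-MsolService already run.
# Caveat: StrongAuthenticationRequirements reflects per-user MFA only. MFA
# required through conditional access policies is not visible here, so the
# output is a list of accounts to verify, not a confirmed finding.

function Get-AdminsWithoutPerUserMfa {
    [CmdletBinding()]
    param(
        # Limit the check to role names matching this wildcard pattern.
        # The default covers every role the tenant exposes. (Example's own parameter.)
        [string]$RoleNamePattern = '*'
    )

    $results = @()
    $seen    = @{}   # users already checked; a user can hold several roles

    foreach ($role in Get-MsolRole | Where-Object { $_.Name -like $RoleNamePattern }) {
        # Groups and service principals can also be role members; only users
        # have a per-user MFA state, so keep those.
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object { $_.RoleMemberType -eq 'User' }

        foreach ($member in $members) {
            if ($seen.ContainsKey($member.ObjectId)) { continue }
            $seen[$member.ObjectId] = $true

            $user  = Get-MsolUser -ObjectId $member.ObjectId
            # Empty collection means per-user MFA was never turned on for this account.
            $state = $user.StrongAuthenticationRequirements |
                Select-Object -First 1 -ExpandProperty State

            if ($state -ne 'Enabled' -and $state -ne 'Enforced') {
                $results += [pscustomobject]@{
                    UserPrincipalName = $user.UserPrincipalName
                    DisplayName       = $user.DisplayName
                    Role              = $role.Name   # first role found for this user
                    PerUserMfaState   = $(if ($state) { $state } else { 'Disabled' })
                }
            }
        }
    }
    return $results
}

# Usage: review the table, then apply the benchmark's remediation steps to any
# account that is not covered by a conditional access policy requiring MFA.
Get-AdminsWithoutPerUserMfa | Format-Table -AutoSize
```

Because the check reads the legacy per-user MFA setting, an administrator who is required to use MFA by a conditional access policy will still appear in the output; cross-check each listed account against those policies before recording it as a failed control.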

Download the benchmark and provide your feedback

The CIS Microsoft 365 Security Benchmark is freely available for download in PDF format on the CIS website. In keeping with CIS's mission, feedback from those who use and implement the benchmarks gives us the opportunity to continuously improve our products. Feedback can be made visible to CIS by creating a discussion thread or ticket in the CIS Microsoft 365 Foundations Benchmark community. In addition, Microsoft has developed a set of Office 365 security guidelines and best practices for our customers to follow. These guides can be found in the Office 365 Security and Compliance documentation.

The post Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available appeared first on Microsoft Secure.



Visual Studio Code Updates for Java Developers: Rename, Logpoints, TestNG and More

December 14th, 2018 No comments

As we seek to continually improve the Visual Studio Code experience for Java developers, we'd like to share a couple of new features we've just released. Thanks to your great feedback over the year, we're heading into the holidays with great new features we hope you'll love. Here's to a great 2019!

Rename

With the new release of the Eclipse JDT Language Server, we’re removing the friction some developers experienced in ensuring renamed Java classes perpetuate into the underlying file in Visual Studio Code. With the update, when a symbol is renamed the corresponding source file on disk is automatically renamed, along with all the references.

Debugger

VS Code Logpoints is now supported in the Java Debugger. Logpoints allow you to inspect the state and send output to debug console without changing the source code and explicitly adding logging statements. Unlike breakpoints, logpoints don’t stop the execution flow of your application.

To make debugging even easier, you can now skip editing the “launch.json” file by either clicking the CodeLens on top of the “main” function or using the F5 shortcut to debug the current file in Visual Studio Code.

TestNG support

TestNG support was added to the newest version of the Java Test Runner. With the new release, we’ve also updated the UI’s of the test explorer and the test report. See how you can work with TestNG in Visual Studio Code.

We’ve also enhanced our JUnit 5 support with new annotations, such as @DisplayName and @ParameterizedTest.

Another notable improvement in the Test Runner is that we're no longer loading all test cases during startup. Instead, the loading now only happens when necessary, e.g. when you expand a project to see the test classes in the Test viewlet. This should reduce the resources needed in your environment and enhance the overall performance of the tool.

Updated Java Language Pack

We’ve included the recently released Java Dependency Viewer to the Java Extension Pack as more and more developers are asking for the package view, dependency management and project creation capability provided by this extension. The viewer also provides a hierarchy view of the package structure.

Additional language support – Chinese

As the user base of Java developers using Visual Studio Code is expanding around the world, we decided to make our tool even easier to use for our users internationally by offering translated UI elements. Chinese localization is now available for Maven and the Debugger, and it will soon be available for other extensions as well. We'd also like to welcome contributions from the community for localization.

IntelliCode and Live Share

During last week’s Microsoft Connect() event, we shared updates on the popular Visual Studio Live Share and Visual Studio IntelliCode features. The new IDE capabilities – all of which support Java – provide you with even better productivity with enhanced collaboration and coding experience that you can try now in Visual Studio Code.

Just download the extensions for Live Share and IntelliCode to experience those new features with your friends and co-workers. Happy coding and happy collaborating!

Attach missing sources

When you navigate to a class in some libraries without source code, you can now attach the missing source zip/jar using the context menu “Attach Source”.

We love your feedback

Your feedback and suggestions are especially important to us and will help shape our products in the future. Please help us by taking this survey to share your thoughts!

Try it out

Please don’t hesitate to try Visual Studio Code for your Java development and let us know your thoughts! Visual Studio Code is a lightweight and performant code editor and our goal is to make it great for the entire Java community.

Xiaokai He, Program Manager, @XiaokaiHe
Xiaokai is a program manager working on Java tools and services. He's currently focusing on making Visual Studio Code great for Java developers, as well as supporting Java in various Azure services.

Get to code: How we designed the new Visual Studio start window

December 13th, 2018 No comments

By now, many of you may have noticed a very prominent change to the launch of Visual Studio in Visual Studio 2019 Preview 1. Our goal with this new experience is to provide rapid access to the most common ways that developers get to their code: whether it’s cloning from an online repository or opening an existing project.

New start window in Visual Studio 2019

A month ago, we shared a sneak peek of the experience (in the blog post A preview of UX and UI changes) and mentioned the research and observation that we used as input into the design and development. This is the story about how we got there.

How & why we began this journey

Two years ago, we reinvented the Visual Studio installation experience to offer developers the ability to install exactly what they need and reduce the installation footprint of Visual Studio. We broke Visual Studio down into smaller packages and components and then grouped them together into development-focused workloads (which are bundles of packages and components). We quickly realized that the installation was just one piece of the journey our users take when they are getting started with Visual Studio.

We began to think more broadly – beyond just the installation of the bits, to explore the developer journey of getting to code. This journey starts from the moment you think about that great idea for an app all the way to writing your first lines of code, and integrating Visual Studio into your daily routine. To help us understand what developers were doing throughout their first launch, we built a data informed model of the customer journey.

Our Visual Studio Customer Journey

These insights helped improve installation success rates and address common failures, but they could not answer questions such as why some users drop off from one step to the next, and how we make sure Visual Studio meets the needs of millions of developers. Some of you may even be trying to better understand how to make your own consumer or business customers more successful with your products.

So, from there we turned to existing mechanisms like surveys, interviews, social media (blogs), and A/B experimentation to help us understand where and how to improve these experiences. The surveys received an overwhelming number of responses (thank you to those of you who contributed!) and provided us with a foundation of anecdotes that helped us understand our individual users even more. They helped us recognize the different types of users coming into our “front door”, which is to say the first place they learn about Visual Studio and decide to download it. Through early cohort analysis, we identified that almost half (50%) of users downloading were brand new to Visual Studio (but not necessarily new to coding), and only some of those users came back to Visual Studio a second time. This was a surprising moment for us, as we had no idea why this was happening!

Going beyond the data

We knew we needed deeper insights into how we could help new users be successful with their first time in Visual Studio and assist them in making the best choices along their journey. Fundamentally, we wanted to identify what the “Magic Moment” would be for them in Visual Studio. The “Magic Moment” is a phrase commonly used by product teams that maps a set of events or an experience a user has with a product that transforms them from a casual user trying something out to an avid, loyal user who finds success and even promotes the product. This moment is at the very core of identifying patterns to indicate users who will integrate a product or tool into their daily routine. We didn’t know what our Magic Moment was just yet, but we had a lot of ideas on what we believed it might be, so we asked ourselves:

Is there something new Visual Studio users do in the IDE that indicates they will return or abandon after 5 minutes?

We set out to answer this question by:

  1. Observing developers, both brand new to Visual Studio and seasoned, as they find, download, and configure Visual Studio and start writing code.
  2. Identifying the problems that they encountered throughout their journey to code.
  3. Building hypotheses and concepts around getting to a “Magic Moment.”
  4. Validating the hypotheses and concepts via an iterative process of weekly testing and experimentation.

Our iterative process from interns to external users

We started by asking our summer interns to install and use Visual Studio for the first time in our user experience (UX) lab and document their journey. We were surprised at how long and difficult the journey from download to writing and running code was for them. We also gained insights into their expectations for Visual Studio based on other editors and IDEs they had previous experience with.

Our first step was simple: we gave participants a clean virtual machine with only Windows 10 installed and asked them to find, install, and use Visual Studio, and to “do whatever is natural to you to get started.”

We then just watched…

One of our participants in the User Experience lab

Turns out even students think the 40-year-old concept of writing a “hello world” app is a great starting place. What also became extremely clear to us was the moment when users were writing and running code: we saw them become more engaged with Visual Studio and having fun. We saw an emotional change when they wrote their own code, compiled it, fixed some things, and ran it. We had a strong inkling that we were even closer to the “Magic Moment.”

We then scaled up our research to bring in more new and experienced developers every week. We tested out many ideas using low-fidelity mockups built in PowerPoint and eventually moved to higher-fidelity prototypes. We tried variations of tasks and UIs as we tested our assumptions. There were multiple problems to solve, but one of the most significant became clear when we saw new Visual Studio developers struggle when trying to open code or create a new project. The first view of Visual Studio was overwhelming, with no clear guidance on what they should do first. So, we set out to focus on that stage of the journey in our designs and storyboards for Visual Studio 2019. The design process looked a little something like this:

Visualizing the friction points in the customer journey

Evolution of our start window designs

Bringing all our insights into Visual Studio 2019

From all the design explorations, experiments, and observations evolved the idea of a start window that would offer a focused experience to quickly get you to writing those first lines of code. Given our insights, we wanted to ensure users, especially those new to Visual Studio (some of whom are already experienced in other development tools), could quickly experience that “Magic Moment” of writing their first lines of code and running them successfully each and every time.

The start window would support new Visual Studio users by:

  1. Highlighting the choices they must make during the early, crucial steps of getting started with Visual Studio.
  2. Removing distractions and providing suggestions for the best path forward.
  3. Enabling a search and filter focused experience for creating a new project.
  4. Promoting a streamlined online repository-first workflow.

Developers who are already well-versed and experienced with Visual Studio might be wondering what’s in it for them. What we’ve heard from experienced developers is that onboarding junior developers is very challenging, so we believe the new start window is a step towards ensuring they are more successful in getting to their code each time they open the IDE. We will also continue to preserve and enable existing workflows in the start window to support the muscle memory that experienced users have established with Visual Studio. Lastly, seasoned developers in the user experience lab were delighted by the new “Clone and check out code” experience which brings your online repositories right to your fingertips on launch.

Anatomy of the start window

We know the list of recent projects and solutions is one of the most common ways developers open code, so it was very important that we maintain this list in the most prominent part of the start window. We also knew it was VERY important to not break existing flows where developers open projects/solutions from the desktop (by double-clicking) – so the start window will never show in this flow, as your code will always take priority and open immediately.

Bringing a more focused, source-first experience of cloning and checking out code (like the Start Page had) to the forefront of Visual Studio was an opportunity not only to show new users the power of source providers like GitHub and Azure DevOps, but also to reflect what we have heard from our research with developers: that this action is a prominent part of their daily workflow.

Opening a project or solution brings forward the concept of Visual Studio project and solution files that you can click on to open your entire codebase if you have an MSBuild-based solution. But if you use a non-MSBuild build system, such as CMake, then we would recommend opening a local folder instead. We’ve been investing in support to allow you to browse, edit, build, and debug any code without a .sln or project file. You can learn more about Open Folder, including how to configure a different build system to work with it, in our documentation. In addition, if you want to browse loose files in Visual Studio, you can just open the containing folder and pick up the file from the folder view of Solution Explorer.

Creating a new project is a big part of getting to your code in Visual Studio, even when it’s prototyping some throwaway code in a simple template (like the Console App) or trying out the capabilities of a new platform or language for the first time. Based on the workloads you install, you’ll always see the most commonly used templates first. We’ve observed that developers first think about the kind of application they want to build (a mobile app, a website, etc.) and not the language, so we removed the language-centric tree hierarchy and have improved searching and filtering to help you get to the right template more quickly. You’ll also find a more prominent list of recently used templates so you can quickly get back to your favorite template with a single click.

Lastly, continue without code offers developers a one-time escape from the window for the times when a different action is needed to start work (like joining a Live Share collaboration session, or attaching to a process). Alternatively, hitting the ESC key will also dismiss the window and immediately bring up the IDE. If there are other scenarios that you perform frequently and think should have a home on the start window (like for example attaching to a debugger), please upvote or create a suggestion in our Developer Community.

What’s next for this experience

In just a week after releasing Visual Studio 2019 Preview 1, we’ve heard developers tell us the start window provides a “focused way to get to the most common things.” We’re already working on some of your feedback, such as support for Team Foundation Version Control and better scannability in the recent solutions/projects list.

The start window experience is just one part of the journey we’re on to continue to streamline the onboarding experience to Visual Studio. Our longer-term vision includes improvements like reducing the number of choices required to download and install and offering relevant samples and tutorials to assist when learning a new language or platform.

Tell us what you think

As you can tell from the journey we’ve taken to get here, your feedback is essential to making this experience better. We’d love to have you try it out for a few hours in your everyday work. If it still doesn’t jibe with you, then you can revert to the previous Visual Studio ‘start’ behavior. Go to Tools > Options and search for ‘Preview Features’, which will allow you to configure this setting along with a few other preview features. Alternatively, you can find the option in Tools > Options | Environment | Startup.

Tools | Options settings for Preview Features

After you’ve experienced Visual Studio 2019 Preview 1, please help us make this the best Visual Studio yet by letting us know what you like or tell us what is not working well for you. And of course, if you run into any issues, please let us know by using the Report a Problem tool in Visual Studio. You can also head over to the Visual Studio Developer Community to track your issue or, even better, suggest a feature, ask questions, and find answers from other developers.

Cathy Sullivan, Principal Program Manager, Visual Studio Platform
@cathysull

Cathy Sullivan is a Principal Program Manager on the Visual Studio Acquisition team focused on ensuring developers have a smooth onboarding experience for the first time and every time with Visual Studio. She has worked on many Visual Studio Platform teams building C#/VB language features, core UI/Shell features such as Solution Explorer and designed the beloved dark theme used by many developers.

Categories: Visual Studio, Visual Studio 2019

New Azure DevOps Work Item Experience in Visual Studio 2019

December 12th, 2018

In previous versions of Visual Studio, the work item experience was centered around queries, which need to be created and managed to find the right work items. In Visual Studio 2019, we have removed queries and added a new view for work items centered on the developer. This allows the developer to quickly find the work they need and associate it with their pending changes, removing the need for queries.

For those users who use Visual Studio for work item planning and triage, we encourage you to do so from Azure Boards. Azure Boards is the central place to manage your backlog, triage work, and plan your sprints.

Be sure to read the full documentation on how to use the new Azure Boards work item experience in Visual Studio 2019.

Work Items Hub

The Work Items Hub in Visual Studio 2019 has many of the same views found in the Work Items Hub in Azure Boards. It is where developers can quickly find the work items that are important to them. Filters and views can provide specific lists of work items such as Assigned to Me, Following, Mentioned, and My Activity. From any of these views you can do quick inline edits, assign work, create branches, and associate work to pending changes.

Create branches and relate work

Create a branch directly from a work item. This will automatically associate that work item with any current changes. Alternatively, you can relate a work item to a set of changes already in progress. You can associate as many work items with a commit as you would like.

#Mention in commit message

Search and select work items directly from the commit message. Associate as many work items to the commit as you would like.

We need your help

We want to make the best experience for developers who use Azure Boards in Visual Studio. Please provide your feedback by sending us bugs and suggestions. You can contact us on Twitter at @danhellem or @AzureDevOps.

Dan Hellem, Program Manager, Azure DevOps
@danhellem

Dan is a Program Manager with Microsoft’s Azure DevOps on the Azure Boards team. Before coming to Microsoft in 2012, Dan spent his career building applications using Microsoft technologies and assembling Agile teams centered on delivering high quality software to users.

A Year of Q#

December 11th, 2018

The Quantum Architecture and Computation group launched Q#, our quantum computing programming language, a year ago on December 11th, 2017.

Q# 0.1 was the result of a lot of hard work from a small, dedicated team of developers, researchers, and program managers. We had made the decision to build a domain-specific language for quantum computing about six months before we launched, so we were on a very tight schedule. We were lucky to have a great team of people who all pitched in and did what needed to be done so that we could meet our extremely aggressive timetable.

Start!

Inside the team, we speculated on what level of interest Q# would attract. We hoped that we might receive a few hundred downloads, but we were blown away when we crossed 1,000 users within about 9 hours of launch. That said, with so many users installing the Quantum Development Kit and trying to write simple programs in it, bugs started popping up. In order to deliver the best experience for our users, we released a patch in January that addressed issues like floating-point literals being handled incorrectly in certain locales, and allowed the simulator to run on older machines without vector instruction support.

We also addressed portability feature requests in our 0.2 release in February 2018, which saw us move from the .NET Framework to the open-source, cross-platform .NET Core. This allowed us to easily support macOS and Linux as well as Windows for building and running Q# code. We also added support for VS Code on all platforms (the 0.1 release was limited to Visual Studio on Windows). As part of the 0.2 release, we were able to make the majority of our libraries and samples available under an MIT license.

Long Hot Summer

We decided to take advantage of one of our team members’ expertise in organizing coding competitions and run a Q# coding competition to engage non-quantum developers with Q# and quantum computing. After a couple of months of preparation, we ran the Q# Coding Contest in early July. Again, the results exceeded our expectations: 514 participants in the warmup round, and 389 in the actual contest. 100 participants solved all the problems, and a lot of them even asked for more challenging ones!

To help make Q# and quantum computing more accessible to the public, we also launched self-paced programming tutorials: the Quantum Katas. We’re up to 10 katas already, and more are coming!

Spring, Summer, Autumn

We started planning the next major release in the spring of 2018, after shipping our 0.2 release: we wanted to rebuild our compiler to work as a language server, to give Q# developers the same interactive error checking and IntelliSense features they’re used to for languages like C# and F#. We knew this would be a huge amount of work and would require a significant re-architecture of the compiler in order to work incrementally. We didn’t want to wait longer to do this work, though, because we wanted to give our users the kind of modern programming environment they’re used to.

We spent the spring and summer re-architecting and rewriting the Q# compiler and shipped the new Q# compiler as our 0.3 release at the end of October.

The 0.3 release also includes a new, open source quantum chemistry library. This library integrates with NWChem, a powerful and popular open source computational chemistry package. The integration is based on the open source Broombridge schema.

Whatever Next

What’s next for Q#? No spoilers (yet!).

The last blog post of the calendar, scheduled for December 24th, will look at some of the things we’re considering for Q# in the coming year.

Until then, enjoy the holidays!

Congratulations to everyone who can figure out what the section titles have in common…

Alan Geller, Software Architect, Quantum Software and Applications
@ageller

Alan Geller is a software architect in the Quantum Architectures and Computation group at Microsoft. He is responsible for the overall software architecture for Q# and the Microsoft Quantum Development Kit, as well as other aspects of the Microsoft Quantum software program.

Categories: Q#, Quantum, Visual Studio

New Benefits in Visual Studio Subscriptions

December 11th, 2018

Last week at Microsoft Connect();, we announced two new benefits to assist cloud migration for our users who have Visual Studio Subscriptions. If you missed the event or want to watch the on-demand trainings, check out the Connect(); event page. If you’re a current Visual Studio subscriber, activate your new benefits to get started right away. To learn more about our developer subscriptions and programs visit the Visual Studio website.

Here are more details on the two new benefits:

CAST Highlight

Developers need critical insights on their software when migrating to the cloud. With CAST Highlight, Visual Studio Enterprise subscribers can rapidly scan their application source code to identify the cloud readiness of their applications for migration to Microsoft Azure and monitor progress of their app both during and after a migration. Check out this video from CAST to see it in action.

Visual Studio Enterprise subscribers can get a free, full-featured one-month subscription to CAST Highlight for up to five apps per subscriber.

UnifyCloud’s CloudPilot

Developers also need solutions that enable quick and easy app migration to the cloud. CloudPilot helps move apps to Microsoft Azure in a few easy steps, including identifying all required changes down to the line of code for successful migration to containers, virtual machines, App Service, Azure SQL, and SQL Managed Instance. See this video from UnifyCloud to learn more about CloudPilot.

Visual Studio Enterprise subscribers are eligible for two 90-day free licenses to the full-featured CloudPilot, while Visual Studio Professional subscribers can take advantage of one 30-day license to scan apps and databases of millions of lines of code in minutes.

Log into the Visual Studio Subscriptions portal at https://my.visualstudio.com today to get your new benefits.

Let us know what you want to see with the Visual Studio Subscriptions by sharing your feedback, suggestions, thoughts, and ideas in the comments below!

Lan Kaim, Director of Product Marketing

Lan is a Director on the Azure marketing team where she is responsible for the developer subscription business.

New Preview label for Visual Studio extensions

December 7th, 2018

Visual Studio extensions can now be marked with a Preview label, which is shown very clearly on the Visual Studio Marketplace. This sets clear expectations for your customers that this version could contain issues while you are actively developing new features. You can get feedback from your users earlier, test out new code changes to improve your extension, and continue to provide a stable version for the users who require it.

Determining the quality of an extension is today an exercise left to the extension user. If an extension isn’t recommended by a friend, coworker or other trusted person, all we can do is to look at the number of downloads, the star rating, and reviews to determine if we perceive the quality to be high enough for us to try out the extension.

The new preview label explicitly communicates some important details to the consumer about what to expect from the extension. It helps them understand that the extension may not be feature complete and may contain bugs. It can also communicate that feedback is welcome to improve the extension before its final release, when the preview label is removed.

If the version of your extension is less than one (e.g. v0.5), then it will likely benefit from adding the preview label.

Add the preview label

In your extension’s .vsixmanifest file, add the new <Preview> element to the <Metadata> node.

<Metadata>
  <Identity Id="[guid]" Version="0.8" Language="en-US" Publisher="My name" />
  <DisplayName>Extension name</DisplayName>
  <Description>Extension description.</Description>
  <Icon>Resources\Icon.png</Icon>
  <Preview>true</Preview>
</Metadata>

Now upload your extension to the Visual Studio Marketplace to see the new preview label show up. If your extension isn’t uploaded but referenced by a link, then there is a checkbox you can check to add the preview label when you edit your linked extension on the Marketplace.

It’s important to note that the extension will not change behavior in any way due to the addition of the preview label.
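A small check that a build pipeline can run over a .vsixmanifest before publishing, to confirm that a pre-1.0 extension carries the preview label described above. This is an added example and not code from the post, the VSSDK, or the Marketplace; the sample manifest is constructed for the example, the namespace URI on the root element is assumed to be the one used by PackageManifest 2.0.0 files, and matching is done on local element names so the check does not depend on that assumption.

```python
"""Inspect a VSIX manifest for the <Preview> label (added example, not VSSDK code)."""
import xml.etree.ElementTree as ET

# Constructed sample manifest with the same <Metadata> shape as the snippet in the post.
# The xmlns value is an assumption about PackageManifest 2.0.0 files; the code below
# ignores namespaces and compares local element names only.
SAMPLE_MANIFEST = """<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">
  <Metadata>
    <Identity Id="example-guid-placeholder" Version="0.8" Language="en-US" Publisher="My name" />
    <DisplayName>Extension name</DisplayName>
    <Description>Extension description.</Description>
    <Icon>Resources\\Icon.png</Icon>
    <Preview>true</Preview>
  </Metadata>
</PackageManifest>
"""


def _local_name(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """Return the first direct child whose local name matches, or None."""
    for child in elem:
        if _local_name(child.tag) == name:
            return child
    return None


def parse_manifest(xml_text):
    """Return the Identity version and whether <Preview> is set to true."""
    root = ET.fromstring(xml_text)
    metadata = _child(root, "Metadata")
    if metadata is None:
        raise ValueError("manifest has no <Metadata> element")
    identity = _child(metadata, "Identity")
    if identity is None:
        raise ValueError("<Metadata> has no <Identity> element")
    preview_elem = _child(metadata, "Preview")
    preview = preview_elem is not None and (preview_elem.text or "").strip().lower() == "true"
    return {"version": identity.get("Version", ""), "preview": preview}


def major_version(version):
    """First numeric component of a dotted version string; 0 if it cannot be parsed."""
    head = version.split(".", 1)[0]
    return int(head) if head.isdigit() else 0


def preview_advice(xml_text):
    """'labelled' if Preview is set, 'recommend-preview' for an unlabelled pre-1.0 version, else 'ok'."""
    info = parse_manifest(xml_text)
    if info["preview"]:
        return "labelled"
    if major_version(info["version"]) < 1:
        return "recommend-preview"
    return "ok"


if __name__ == "__main__":
    # Run against the constructed sample; swap in open("source.extension.vsixmanifest").read()
    # to check a real manifest.
    print(preview_advice(SAMPLE_MANIFEST))
```

Because the label does not change the extension's behavior, this kind of check belongs at publish time rather than in the extension itself; wiring `preview_advice` into a pre-publish step lets a team fail the build when a 0.x version is about to ship without the label.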

Try it out

If you have any applicable extensions, then use the preview label to better communicate the right expectations to your users and get a better chance at higher ratings.

Mads Kristensen, Senior Program Manager
@mkristensen

Mads Kristensen is a senior program manager on the Visual Studio Extensibility team. He is passionate about extension authoring, and over the years, he’s written some of the most popular ones with millions of downloads.