Why a proactive detection and incident response plan is crucial for your organization

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matt Suiche, Director of Research and Development for Memory Analysis and Incident Response for Magnet Forensics. The thoughts below reflect Matt’s views, not the views of Matt’s employer or Microsoft, and are not legal advice. In this blog post, Matt talks about incident response.

Brooke: What are the top threats impacting organizations?

Matt: One of the big threats is business email compromise, with all the phishing happening to organizations and billions of dollars being stolen because invoices are modified after attackers access the mailboxes of key employees.

Another threat is info-stealers. Essentially, ransomware involved criminal groups breaching organizations’ infrastructure, encrypting their files, and asking for ransom. Now, because more organizations are aware of that threat, they have become more proactive, and use backups. This is why criminal groups are switching to info-stealers, where they steal that sensitive information rather than randomly encrypting files. They are more strategic with the data they are stealing, so they can monetize the information. Ransomware actors even buy the credentials of companies on different forums or from other criminal groups.

Brooke: How can organizations reduce the risk of threats?

Matt: Reducing your risk is a continuous process because threats today are different from a few years ago and they are different from what they will be in one to three years.

Organizations must understand that there will never be zero risk. That is why it is important to be proactive when it comes to detection as well as have a strong, quick, and efficient incident response plan in place. We enable our users to proactively hunt for threats not only after breaches but also as a routine exercise as sometimes actors can be present in your network for months before they take any visible actions.

This plan should also include digital forensics—uncovering root causes and working those learnings back into the rest of the organization to remediate vulnerabilities, as well as improve the overall incident response plan, which is another strong way to reduce the risk of attack through similar methods.

Brooke: How do you get leadership buy-in to build an incident response team?

Matt: To get budget, the chief information security officer needs to convince upper management of the need to be prepared for a cyber breach, as it is inevitable. At organizations that understand the security risk, it may be easier to get budget, but then it is about how you deploy that budget. That comes down to the organization and leadership prioritizing what they want to focus on based on the actual threat model of the organization and areas where they know they are weak and want to improve.

The answer is going to differ from one organization to another, but the main thing is to make sure that leadership understands the risk of poor cybersecurity and a lack of preparedness for when a breach occurs. Fortunately, in 2023, there are enough stories in the press, movies, TV shows, and books to do the job for people.

Brooke: How does an organization develop an efficient incident response process?

Matt: First, each organization needs to understand its threat model, because each organization has different risks. The issues of a healthcare company and a financial institution are going to be completely different, and even the people targeting you would have different attack strategies.

Organizations need to focus on both detection and response capabilities. Detection involves being proactive, making sure you have visibility of your network and understand what is happening. If there is a threat, you detect it. The response part is why you have an incident response plan and digital forensics capabilities in place. If something is happening, you need to be able to investigate it immediately and thoroughly.

Organizations also need to understand their threat model and the profile of people that may be going after them. Based on that information, focus on a strategy for detection and a strategy for incident response. Threat intelligence is a component of both.

Everyone also needs to have a backup plan internally whenever they investigate because detection is great but not perfect.

Brooke: What do we need to know about incident response to protect ourselves?

Matt: Unfortunately, a lot of security processes involve humans, so if you are a large organization, automate as much as you can to avoid security people experiencing burnout and so your company can be more efficient.

If you are an organization developing software, make sure you have proper application security people in place. If you are handling data, make sure you have good controls in place. If you are a financial institution, you are going to need all of the above, so it really depends on the profile of the organization. It is about people being logical and not only relying on security products.

Brooke: Why is multifactor authentication so important?

Matt: With identity, we are talking about control. Multifactor authentication is great because it adds a layer to authentication. As long as we depend on passwords for authentication, multifactor authentication is a must because of the issues happening with spear phishing, business email compromise, and databases containing passwords being leaked.

Passwordless is the future of authentication. Until we move toward the direction of passwordless authentication, two-factor authentication is going to be a must.

Brooke: How do you sift through information about a threat effectively without burnout?

Matt: AI is good if you know and understand the data you have, which is not often the case. Information triage is always required. Organizations need to understand their needs properly and not simply be driven by checkbooks or just check boxes because of compliance.

A good first step is what we call a priority intelligence requirement. Data is always about context. You need to understand what type of data you have to categorize it and then that can be efficient. If you have a lot of information, it is good, but if you have data with no context, it is useless. That is why you need to always make sure you have the right context, and that what you are collecting is responding to your intelligence requirements.

Brooke: What is the best way to monitor tenant administrator accounts?

Matt: This goes back to building a proper threat model so organizations can identify potential infection vectors and how administrative accounts are being used. In a lot of cases, you may have administrative accounts that are completely forgotten or hidden somewhere. For example, an employee left, and that account was not disabled.

That is why I like authentication. More organizations are using single sign-on (SSO) technologies in addition to multifactor authentication. Another great way to do this is to avoid multiple accounts and centralize identity and control so it is easier to monitor. It is a difficult exercise because you may have multiple Microsoft Azure Active Directory accounts, multiple cloud providers, different accounts for accounting, or other things not inside the SSO. If you do a threat model, you can list all the ways of authentication that would require monitoring in the first place.

Brooke: What is your advice for incident response teams, whether one person or more?

Matt: Whether one person handles incident response, or you have a team of 10 people, you must understand what you do well but also your limitations. Understanding your limitations is often quite tricky because people do not like the exercise of discovering what is missing or requires improvement.

Sometimes, the security approach is generic and aligned with compliance checkboxes when it should be more practical. The more practical it is, the easier it is to make decisions. Understand your current capabilities and weaknesses, then focus on where you have gaps. Start with creating an incident response plan and aligning your internal stakeholders around it. Ensure it includes steps for what happens during and immediately after the breach and post-incident so that you can learn from the incident and come out stronger. If you just spend your time filtering and doing triage of data and information, it is like running in the sand backward.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Why a proactive detection and incident response plan is crucial for your organization appeared first on Microsoft Security Blog.

Security baseline for Microsoft Edge version 114

June 5th, 2023

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 114!

We have reviewed the settings in Microsoft Edge version 114 and updated our guidance with the removal of two settings. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the new package from the Security Compliance Toolkit.

Microsoft Edge’s Password Manager (Removed)

This release also brings some exciting password management changes that we have been discussing for quite some time.

Previously, the Microsoft Edge security baseline called for disabling the built-in password manager (Enable saving passwords to the password manager). We are now removing that recommendation and moving the setting to Not Configured, based on several new features that change the security tradeoffs of Microsoft Edge's improved Password Manager. Each organization needs to make an informed decision about how it configures the password manager for its specific environment.

By default, Microsoft Edge’s Password Manager is enabled. We will highlight what we feel are compelling reasons for Enterprises to consider leaving the Password Manager enabled and configuring additional settings that increase the security value of the Password Manager.

Note: Enhanced password management features do require connectivity, meaning an Azure Active Directory (AAD) or Microsoft Account (MSA) must be used. Two existing settings, “Browser sign-in settings” and “Force synchronization of browser data and do not show the sync consent prompt”, allow you to control whether users are signed into the browser and able to benefit from improvements to the password manager that require sync.

The Password Monitor (Allow users to be alerted if their passwords are found to be unsafe), introduced in version 88, checks whether users' saved credentials have appeared in known breaches. Note: if your organization supports MSA users and they are allowed to sync data, this feature is enabled automatically. The setting also requires end-user consent, so even when it is set to Enabled, the end user must acknowledge its use before it takes effect.

The Password Generator (Allow users to get a strong password suggestion whenever they are creating an account online), also introduced in Microsoft Edge 88, generates strong passwords on the user's behalf. By default, password generation is available.

The Require Authentication Before Autofill option (Configures a setting that asks users to enter their device password while using password autofill) helps prevent misuse of saved passwords by other people with access to an unlocked PC. When enabled, passwords are not autofilled until the user proves their identity with a fingerprint, facial recognition, PIN, or password. Whether the policy is set to a custom primary password or to the device password, the user is prompted before the first password is filled in each browsing session. This setting is not enabled by default.

Password Reuse Detection (Configure password protection warning trigger) detects when a user enters the password for one site on another site. It has two dependent settings, "Configure the change password URL" and "Configure the list of enterprise login URLs where the password protection service should capture salted hashes of a password", which must be configured for reuse to be identified correctly.

With the introduction of these password manager enhancements, we believe that many organizations will now find that their environments are more secure when the password manager is left enabled.

Lastly, because we know there will be questions about the security trade-offs in using the password manager, we cover the details in the password manager documentation.
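
To make the configuration concrete, here is an added example (not part of the baseline package or Microsoft's documentation) that renders the password-manager policies discussed above into a Windows .reg file for the HKLM\SOFTWARE\Policies\Microsoft\Edge key. The policy value names follow the Microsoft Edge policy reference; the login and change-password URLs are constructed placeholders, and the numeric value chosen for PrimaryPasswordSetting is an assumption to confirm against the policy reference for your Edge version.

```python
"""Render the Microsoft Edge password-manager policies discussed above as a
Windows Registry Editor (.reg) file for a test machine.

Added example; not part of the Microsoft security baseline package. Value
names follow the Microsoft Edge policy reference. The URLs are constructed
placeholders and the PrimaryPasswordSetting enumeration value is an
assumption to confirm against the policy reference for your Edge version.
"""

EDGE_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge"

# Constructed tenant values; replace with your own identity provider pages.
ENTERPRISE_LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://sts.example.com/adfs/ls",      # assumed on-premises ADFS endpoint
]
CHANGE_PASSWORD_URL = "https://account.example.com/change-password"  # assumed


def password_manager_policies(require_device_auth=True):
    """Map Edge policy names to values (int -> REG_DWORD, str, list -> subkey).

    Follows the post: keep the built-in manager on and enable the features
    that raise its security value instead of disabling it outright.
    """
    policies = {
        # The baseline no longer forces this to 0 (disabled); keep it on.
        "PasswordManagerEnabled": 1,
        # Password Monitor: warn when saved credentials appear in breach data.
        # The user still has to consent before it takes effect.
        "PasswordMonitorAllowed": 1,
        # Password Generator: offer strong passwords at account creation.
        "PasswordGeneratorEnabled": 1,
        # Password reuse detection: 1 = warn when an enterprise password is
        # reused on a non-enterprise site; needs the two settings below.
        "PasswordProtectionWarningTrigger": 1,
        "PasswordProtectionChangePasswordURL": CHANGE_PASSWORD_URL,
        "PasswordProtectionLoginURLs": ENTERPRISE_LOGIN_URLS,
        # Monitor and other sync-backed features need a signed-in AAD/MSA profile.
        "BrowserSignin": 2,   # 2 = force users to sign in to the browser
        "ForceSync": 1,       # sync without showing the consent prompt
    }
    if require_device_auth:
        # ASSUMPTION: 2 selects "require the device password (Windows Hello)";
        # verify the enumeration in the policy reference before deploying.
        policies["PrimaryPasswordSetting"] = 2
    return policies


def render_reg(policies, key=EDGE_POLICY_KEY):
    """Serialize a policy map in Windows Registry Editor 5.00 format.

    Chromium-style list policies live in a subkey named after the policy,
    whose string values are named "1", "2", ... in order.
    """
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    list_policies = []
    for name, value in policies.items():
        if isinstance(value, bool):
            raise TypeError(f"{name}: use 0/1 integers for REG_DWORD policies")
        if isinstance(value, int):
            lines.append(f'"{name}"=dword:{value:08x}')
        elif isinstance(value, str):
            lines.append(f'"{name}"="{value}"')
        elif isinstance(value, list):
            list_policies.append((name, value))
        else:
            raise TypeError(f"{name}: unsupported value type {type(value).__name__}")
    for name, items in list_policies:
        lines += ["", f"[{key}\\{name}]"]
        lines += [f'"{index}"="{item}"' for index, item in enumerate(items, 1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_reg(password_manager_policies()), end="")
```

Import the output on a test machine with reg.exe import, then open edge://policy and confirm every value shows as applied and without errors before moving the same settings into a GPO or Intune profile.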

Minimum TLS version enabled (Removed)

This is a cleanup item. In version 98, Microsoft Edge removed the ability for a user to "click through" to an HTTPS page secured by the obsolete TLS 1.0 and 1.1 protocols. Now that support for TLS 1.0 and TLS 1.1 has been removed entirely, the policy is obsolete.

Microsoft Edge version 114 introduces 5 new computer settings and 5 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.

As a friendly reminder, all available settings for Microsoft Edge are documented in the Microsoft Edge policy reference, and all available settings for Microsoft Edge Update in the Microsoft Edge Update policy reference.

Please continue to give us feedback through the Security Baseline Community or in comments on this post.

XDR meets IAM: Comprehensive identity threat detection and response with Microsoft

Identity has become the corporate security perimeter. The average organization used 130 different cloud applications in 2022, up 18 percent from 2021.[1] And as organizations continue to embrace digital transformation and enable remote work, they look to identity and access management solutions to ensure that the right people have access to the files, data, and apps they need to do their job without putting those same resources at risk.

As you might imagine, the more identities become integral to how we work, the more they become a target. With just a single compromised account, attackers can quickly bypass existing security protocols and move laterally to increasingly sensitive accounts or resources. Privilege misuse and credential compromise have been two of the most common and damaging attack vectors organizations face, but identity threats are becoming increasingly sophisticated. Cybercriminals have evolved from brute force and password spray tactics to targeting the underlying identity infrastructure in an effort to slip through even the smallest gaps in protection.

Beyond the complexity of these attacks is their sheer volume. It’s estimated that more than 80 percent of breaches can be attributed to identity-based attacks, and as more and more cybercrime groups join nation-state actors in executing these types of attacks, that number is only going to grow.[2] To counter these ever-growing identity threats, a new security category has emerged: identity threat detection and response (ITDR).

What is ITDR?

At Microsoft, we see ITDR as an integrated partnership between two historically separate, but critically important, disciplines: identity and access management (IAM) and extended detection and response (XDR).

IAM is a foundational element of any organization’s security strategy, providing a baseline for identity security and helping IT departments control what company resources users can and cannot access. By using IAM best practices such as strong authentication, Conditional Access, and identity governance, organizations can reduce their overall attack surface area while also providing the information and context needed to detect breaches.

XDR solutions are designed to deliver a holistic, simplified, and efficient approach to protect organizations against advanced attacks. These solutions correlate identity signals with telemetry from other domains like endpoints, cloud applications, and collaboration tools, giving security operations center (SOC) teams a more complete view of the cyberattack kill chain. With this enhanced visibility, they can more effectively investigate threats and provide automated remediation across multiple domains using vast sets of intelligence and built-in AI.

IAM and XDR each provide immense benefits to organizations, but when working together in concert, they provide a robust and comprehensive ITDR solution.

Diagram showing how the convergence of identity and access management and extended detection and response create identity threat detection and response.

Whether you are just starting on your ITDR journey or are already well on your way, Microsoft can help. In this blog post, we’ll talk through the critical areas of ITDR and bring insights from our leadership in both identity and security.

Prevent identity attacks before they happen with secure adaptive access

The best-case scenario in any attack is that the bad actors are stopped before they can breach your security. When working with customers, we recommend they implement granular Conditional Access policies as a powerful first step in thwarting cybercriminals and keeping their organization safe.

Multifactor authentication, for instance, has been shown to reduce the risk of compromise from identity attacks by 99.9 percent, making it one of the most important steps an organization can take. Attackers are constantly evolving their tactics, looking for the smallest crack they can exploit, whether a human or workload identity they can compromise or misconfigured policies and identity infrastructure that let them gain even more control. That’s why we recommend you also use Conditional Access policies to protect non-human identities, whether applications, services, or containers. It’s critical to create more secure access policies and manage the lifecycles of different workload identities to prevent an attack.

IT and identity practitioners need to analyze relevant risk signals from across their unique landscape and enforce universal Conditional Access policies in real time. The deep integration of our IAM and XDR platforms helps organizations do just that. Leveraging insights from the more than 65 trillion signals daily across Microsoft’s ecosystem, our identity protection capabilities detect things like atypical travel, unfamiliar sign-in properties, and leaked credentials. These capabilities then assign each sign-in attempt a risk score, which in turn can trigger pre-defined remediation efforts or block access entirely until an administrator can review. 

Detect advanced attacks with threat-level intelligence

A robust identity posture is the first step toward identity security, helping to thwart the majority of attacks. Effective breach detection and response completes the story. Ever-evolving attack strategies and the impact of human error from multifactor authentication fatigue or social engineering attacks mean we must always “assume breach.” A recent survey found that 76 percent of businesses expect a successful attack to be executed within the next 12 months, highlighting why it is imperative to detect a breach quickly and accurately.[3] To do this, you need powerful detections both at the identity level and across the entire cyber kill chain.

Our customers benefit from robust identity detections out of the box, each prioritized by potential impact and augmented with additional signals and insights into the latest attack strategies. By ingesting signals from on-premises Active Directory, Microsoft Azure Active Directory, and other third-party identity providers as well as the underlying identity infrastructure, like Active Directory Federation Services and Active Directory Certificate Services, SOC teams gain a comprehensive view of their identity landscape, user activities, and risk.

We help you harness the power of our best-of-breed identity detections by integrating our identity security capabilities directly into our XDR platform, so SOC teams can see identity alerts and data within the context of broader security incidents. By correlating identity data with signals from other security domains, each individual alert becomes more accurate, and analysts gain insight into the entirety of an attack and its progression.

Respond and remediate attacks faster with automatic attack disruption

Detecting a breach and remediating an attack are two very different things. The final piece of a successful ITDR strategy is the ability to stop in-progress attacks and limit lateral movement. At Microsoft, we have infused AI and machine learning into our security capabilities to help empower the SOC with intelligent automation that can disrupt attacks at machine speed.  

Analysts can confidently automate workflows and remediation tactics thanks to the high level of accuracy our correlated incidents provide. This effectively shifts the response time from hours or days to minutes or seconds. When a breach occurs, every second matters, and costs can soar to 80 percent higher when security AI and automation aren’t fully deployed.[4]

Human efficiency is also critical, so we have designed our portals with the needs of each unique persona in mind while enabling a seamless flow of information and workflow processes. By prioritizing everything from alerts to configurations and posture management, users can focus better on what is most important to them.

Get started today

As the sophistication and prevalence of identity-based attacks continue to grow, identity protection and ITDR are becoming increasingly critical to modern cybersecurity. Partner with a proven leader in both identity and security to streamline your identity protection and deploy a successful ITDR strategy.

[1] 2023 State of SaaSOps study, BetterCloud, 2023.
[2] Data Breach Investigations Report, Verizon, 2022.
[3] Cyber Risk Index (CRI), Trend Micro, 2023.
[4] Cost of a Data Breach Report, Ponemon Institute, 2021.

The post XDR meets IAM: Comprehensive identity threat detection and response with Microsoft appeared first on Microsoft Security Blog.

New macOS vulnerability, Migraine, could bypass System Integrity Protection

A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2023-32369, was included in the security updates released by Apple on May 18, 2023.

SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits. The technique uncovered in this blog post was discovered during routine malware hunting and is similar to the one used in the Shrootless vulnerability (CVE-2021-30892) that we published in 2021. By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks.

In this blog post, we share some information about the relationship between SIP and entitlements, and we detail how the “Migraine” vulnerability could be exploited to bypass the SIP security enforcements. We’re sharing this research with the larger security community to emphasize the importance of collaboration in the effort to secure platforms and devices.

SIP and entitlements

As previously covered in our Shrootless vulnerability blog post, System Integrity Protection (SIP), also known as “rootless”, was first introduced by Apple in OS X El Capitan (10.11). SIP essentially locks down the system from root by leveraging the Apple sandbox to protect the entire platform, conceptually similar to how SELinux protects Linux systems. One of the most prominent features of SIP is its filesystem restriction capability, which protects entire files and directories from being overwritten. The files and directories protected by SIP by default are commonly ones related to the system’s integrity.

There is no way to turn off SIP on a live system—the user must use the recovery OS, which requires physical access to the device. A SIP bypass is a vulnerability that bypasses SIP restrictions, for example, bypassing restrictions to write to SIP-protected directories or create a SIP-protected file.

Another important macOS concept is entitlements. According to Apple’s documentation, “an entitlement is a right or privilege that grants an executable particular capabilities”. Because entitlements are embedded in the code signature, there is no legitimate way of forging them. Apple uses entitlements extensively to enforce security on macOS and grants internal (private) entitlements only to very specific processes. In particular, certain processes are assigned entitlements that allow them to bypass System Integrity Protection checks by design. One particularly interesting entitlement is com.apple.rootless.install.heritable, which allows the process and the entire process tree rooted under it to bypass filesystem-based SIP enforcement.

Discovering a SIP bypass by design

Our research team regularly looks for malware and suspicious activity. During a routine malware hunt, we discovered the execution of a binary called drop_sip using the below advanced hunting query in Microsoft 365 Defender:

DeviceProcessEvents
| where FileName =~ "drop_sip"
| project InitiatingProcessFileName, ProcessCommandLine, SHA256

We initially suspected an exploit in the wild, but the binary turned out to be Apple-signed and to ship natively at /System/Library/PrivateFrameworks/SystemMigrationUtils.framework/Resources/Tools/drop_sip.

Upon analysis, the file invokes the csops system call (undocumented, but declared in XNU’s bsd/sys/codesign.h) and then starts a child process. The operation flag passed to csops is 12 (CS_OPS_CLEARINSTALLER), which re-enables SIP checks for the calling process by clearing code signing flags, specifically the CS_EXEC_INHERIT_SIP flag:

Figure 1. drop_sip’s functionality is to change the code signing flags and execute a child process
Figure 2. Modification of the p_csflags member as a result of the csops system call, which re-enables SIP

This behavior implies that drop_sip expects to be running with SIP already bypassed. Since drop_sip itself carries no SIP-bypassing entitlement, it must inherit that capability from its parent. Its parent turned out to be systemmigrationd, a daemon that handles migration scenarios and, most importantly, holds the com.apple.rootless.install.heritable entitlement, so its child processes bypass SIP security checks:

Figure 3. systemmigrationd is entitled with SIP-bypassing capabilities

Developing a “Migraine”

After discovering the parent process of drop_sip, we wondered if there are any other child processes of systemmigrationd. Just as before, we used the below advanced hunting query in Microsoft 365 Defender:

DeviceProcessEvents
| where InitiatingProcessFileName =~ "systemmigrationd"
| summarize Hits=count(), Cmdline=any(ProcessCommandLine) by FileName

We found two interesting child processes of systemmigrationd:

FileName   Hits   Cmdline
bash       498    /bin/bash /System/Library/PrivateFrameworks/SystemMigration.framework/Resources/MigrationData/Scripts/firstbootDirectoryServer
perl       171    /usr/bin/perl /usr/libexec/migrateLocalKDC --source "/Volumes/REDACTED/Backups.backupdb/REDACTED/Macintosh HD - Data" --source-REDACTED

The bash and perl binaries are interesting because they are both interpreters. Similar to how we tampered with the zsh codeflow back in 2021, we found similar ways to tamper with the code flow of bash and perl:

Figure 4. The bash manual page documents BASH_ENV as a way to run arbitrary commands in bash instances
Figure 5. The perlrun manual page documents PERL5OPT as a way to run arbitrary commands in perl instances

Assuming an attacker first gains code execution as root, setting environment variables that systemmigrationd passes on to its child processes is straightforward with the launchctl utility, because launchctl setenv changes the environment that launchd hands to the daemons it subsequently spawns. For instance, to make perl run our arbitrary code at /private/tmp/migraine.sh, we use:

launchctl setenv PERL5OPT '-Mwarnings;system("/private/tmp/migraine.sh")'

And indeed, after triggering systemmigrationd to run perl, we were able to bypass SIP:

Figure 6. Creating an undeletable file thanks to its SIP protection
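
As a defender-side complement, here is an added example (not from the Microsoft write-up and not an Apple tool) that audits launchd's global environment for the interpreter-hijacking variables this technique relies on, PERL5OPT and BASH_ENV among them. On macOS it queries the live values with launchctl getenv when run with --live; otherwise it runs against a constructed sample environment that mirrors the payload above. The variable list and the PERL5OPT pattern are this example's own heuristics, not a published detection rule.

```python
"""Audit launchd's global environment for the interpreter-hijacking variables
that Migraine-style attacks rely on (PERL5OPT, BASH_ENV, ...).

Added example; not part of the Microsoft write-up and not an Apple tool. With
--live it reads values through `launchctl getenv` (macOS only); otherwise it
audits SAMPLE_ENV, a constructed environment mirroring the payload above.
"""
import re
import shutil
import subprocess
import sys

# Variables that make a freshly spawned interpreter execute attacker-supplied
# code. None of them has a legitimate reason to be set in launchd's global
# environment on macOS; the descriptions are this example's own heuristics.
HIJACK_VARS = {
    "BASH_ENV": "bash sources this file when started non-interactively",
    "ENV": "sh/ksh-style shells source this file on start-up",
    "PERL5DB": "perl -d compiles this string as the debugger",
    "PERL5OPT": "perl prepends these switches to every invocation",
    "PERL5LIB": "perl module search path; enables module shadowing",
    "PERLLIB": "perl module search path; enables module shadowing",
}

# perlrun restricts PERL5OPT to -[CDIMTUWdmtw] switches, but -M/-m take a
# module name and everything after ';' is compiled as code, which is exactly
# what '-Mwarnings;system("...")' exploits.
PERL5OPT_CODE = re.compile(r"-[Mm][^;\s]*;")

# Constructed sample, not captured from a host.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin:/usr/sbin:/sbin",
    "PERL5OPT": '-Mwarnings;system("/private/tmp/migraine.sh")',
    "BASH_ENV": "/private/tmp/migraine.sh",
}


def read_launchd_env(names):
    """Return {name: value} for the names set in launchd's global env."""
    env = {}
    if shutil.which("launchctl") is None:      # not running on macOS
        return env
    for name in names:
        proc = subprocess.run(["launchctl", "getenv", name],
                              capture_output=True, text=True)
        value = proc.stdout.strip()            # empty line when unset
        if value:
            env[name] = value
    return env


def audit_env(env):
    """Return sorted (severity, variable, reason) findings for an env mapping."""
    findings = []
    for name, value in env.items():
        if name not in HIJACK_VARS:
            continue
        severity, reason = "medium", HIJACK_VARS[name]
        if name == "PERL5OPT" and PERL5OPT_CODE.search(value):
            severity = "high"
            reason = "PERL5OPT smuggles code after a -M/-m module switch"
        elif name in ("BASH_ENV", "ENV", "PERL5DB"):
            severity = "high"   # any value is a direct code-execution primitive
        findings.append((severity, name, reason))
    return sorted(findings)


def main(argv):
    env = read_launchd_env(HIJACK_VARS) if "--live" in argv else SAMPLE_ENV
    findings = audit_env(env)
    for severity, name, reason in findings:
        print(f"[{severity}] {name}={env[name]!r}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A hit on PERL5OPT or BASH_ENV at the launchd level is worth treating as an incident rather than a misconfiguration: launchctl unsetenv removes the variable, but whoever set it already had root, and the SIP-protected artifacts it may have created need separate cleanup from the recovery OS.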

Exploitation approach

Triggering migration normally requires using the Migration Assistant utility, which involves a complete sign-out from the system. While this works well for attackers with physical access (hands-on-keyboard), we wished to demonstrate that remote attackers can achieve a SIP bypass using this exploit. Therefore, we decided to research the migration flow and the interplay between the Migration Assistant and systemmigrationd.

Migration is a complicated procedure that involves several components. Here is the flow of key events:

  1. Migration Assistant uses a utility called Setup Assistant to help start migration. However, it does so indirectly by using XPC between itself and another process called MBSystemAdministration. It also signs out by invoking a method named SACLOStartLogoutWithOptions.
  2. The MBSystemAdministration utility proxies requests from Migration Assistant to Setup Assistant and also verifies that the caller (Migration Assistant) has the com.apple.private.mbsystemadministration entitlement. Otherwise, it refuses to serve migration requests. Additionally, MBSystemAdministration runs as the hidden user _mbsetupuser, which allows migration to perform GUI interactions after sign-out.
  3. Setup Assistant gets requests through MBSystemAdministration and performs XPC to several Mach services that are served by the launch daemon systemmigrationd. The systemmigrationd daemon enforces that the caller (Setup Assistant) has the com.apple.private.systemmigration.daemonclient entitlement. Otherwise, it refuses to serve migration requests. The systemmigrationd daemon uses the private framework SystemMigration.framework and listens for new migration requests by invoking a method called startListeningForConnections. Interestingly, the daemon examines the contents of the directory /Library/SystemMigration/Queue (which is protected by SIP)—requests appear as files in that directory. Once a file is dropped, systemmigrationd renames the file to “In-Flight” and serves it, including running required scripts, which can cause perl or bash to run.

This complex flow can be illustrated with the following schematic:

Figure 7. Flow diagram of the macOS migration
Figure 8. systemmigrationd using the private SystemMigration framework to listen to incoming connections

Our first attempt at automating the exploit focused on patching Migration Assistant to prevent user sign-out:

Figure 9. Reverse engineering the Migration Assistant reveals the SACLOStartLogoutWithOptions function, which signs out

Simply patching Migration Assistant does not work due to a code-signing failure. Stripping the binary of its signing information results in an error (Figure 10) due to a kernel feature related to Pointer Authentication Codes (PAC) that is available on the latest Apple Silicon architecture. If an arm64e binary with pointer authentication is not a code-signed platform binary, the kernel prevents execution, as shown in Figure 9. Extracting, stripping, and patching the x64 portion of the multi-architecture binary avoids the arm64e issue, but the result is not functional because it loses the required entitlement (com.apple.private.mbsystemadministration).

Figure 10. Pointer Authentication Code requirements
Figure 11. Attempting to patch and run the Migration Assistant fails

After reaching an impasse with patching Migration Assistant, we wondered if we could initiate later stages in the flow diagram, thus avoiding user sign-out. We continued to map and reverse-engineer the system behavior, including with an in-house research tool that leverages the Endpoint Security framework to log all relevant process and file events during migration, inspired by Patrick Wardle’s FileMonitor and ProcessMonitor tools for investigating system behaviors.

While mapping the sequence of events for Migration Assistant, MBSystemAdministration, Setup Assistant, and systemmigrationd, we noticed xpcproxy executing Setup Assistant with the argument -MiniBuddyYes.

Running Setup Assistant with that argument had no effect on the UI layout or its functionality, but it did highlight the usage of arguments within Setup Assistant. Closely examining Setup Assistant, we discovered other interesting command-line arguments:

Figure 12. Setup Assistant’s usage of -MiniBuddyYes within useDebugParameters

Additionally, we discovered a function called useDebugParameters that parses an interesting command-line parameter, -MBDebug.

Figure 13. Setup Assistant -MBDebug

Running the Setup Assistant with the -MBDebug parameter results in a successful migration with no sign-out. We further used the -ResumeBuddyYes parameter in conjunction with -MBDebug to automatically skip a few welcome screens.

Figure 14. Running a migration without signing out

Since performing migration requires UI interaction, but no sign-out, we used AppleScript to automate the exploit.

Our final exploit does the following:

  1. Prepares a small 1GB Time Machine backup and attaches it with hdiutil.
  2. Prepares an arbitrary payload that is designed to run without SIP filesystem restrictions.
  3. Sets the environment variable PERL5OPT using launchctl to run the payload once perl starts.
  4. Runs Setup Assistant with the -MBDebug and -ResumeBuddyYes command-line flags.
  5. Uses AppleScript to automate the Setup Assistant screens to migrate “From a Mac, Time Machine backup or Startup disk”, followed by automatically clicking “continue”.

Implications of arbitrary SIP bypasses

The implications of arbitrary SIP bypasses are serious, as the potential for malware authors is significant. Code that maliciously bypasses SIP could have considerable consequences, such as:

  1. Create undeletable malware: The most straightforward implication of a SIP bypass is that, by assigning files the com.apple.rootless extended attribute (or overriding existing ones), an attacker can create files that are protected by SIP and therefore undeletable by ordinary means. This is quite important for security solutions, such as Microsoft Defender for Endpoint, that are required to quarantine malware but cannot quarantine files protected by SIP.
  2. Expand the attack surface for userland and kernel attacker techniques: As pointed out by Mickey Jin’s blog post on a different SIP bypass, it’s possible for attackers to gain arbitrary kernel code execution. As Apple slowly disallows third party kernel extensions and transitions the Mac ecosystem towards their Endpoint Security framework, security solutions will no longer be able to monitor the kernel for malicious activity, including malicious code executions.
  3. Tamper with the integrity of the system, effectively enabling rootkits: This is a derivation of arbitrary kernel code execution—once kernel code execution is established by an attacker, certain rootkit techniques are possible, such as hiding processes or files from all monitoring tools. These techniques might also include bypassing tamper protection, which is important for Microsoft Defender for Endpoint to protect against threats.
  4. Full TCC bypass: As pointed out by Mickey Jin’s blog post on a different SIP bypass, attackers could replace databases that control Transparency, Consent, and Control (TCC) policies (TCC.db), effectively granting arbitrary applications access to private data and peripherals. For further explanation about the implications, we’ve demonstrated a TCC bypass in the past called “Powerdir”.

Hardening device security through collaboration and research-driven protection

Attackers continue to seek new footholds into increasingly secure devices and networks, oftentimes by leveraging unpatched vulnerabilities and misconfigurations to access valuable systems and data. Gaining the ability to bypass SIP and similar security technology in macOS devices can be an attractive and even necessary capability for adversaries. Given SIP’s position as both a device’s built-in baseline protection and the last line of defense against malware and other threats, bypassing SIP can have considerable consequences for users. As such, it’s crucial that we strive to enrich our protection technologies across platforms against such issues through research-driven protection and collaboration with partners, customers, and industry experts.

This case displays how collaborative research and responsible vulnerability disclosure informs our comprehensive protection capabilities across platforms to provide organizations a complete picture of their security posture. Microsoft Defender Vulnerability Management quickly discovers and remediates such vulnerabilities while Microsoft Defender for Endpoint detects and alerts on anomalous device activities, including setting perl and bash environment variables through the launchctl utility, as shown below in Figure 15. Additionally, Defender for Endpoint has similar detections for sensitive file access, including system launch daemons, various sensitive configuration files, and many more.

Figure 15. Microsoft Defender for Endpoint detecting the PERL5OPT environment variable being suspiciously set
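The launchctl and interpreter-hijack pattern described above, expressed as detection logic over constructed macOS process-exec events. This is an added example, not code from the post or from Microsoft; the event fields (including a captured environment), the parent-name matching, and the sample values are assumptions.

```python
"""Added example: flag the BASH_ENV/PERL5OPT hijack pattern from the post in a
stream of macOS process-exec events. Event shape, field names and sample
values are assumptions; a real Endpoint Security exec feed would be mapped
onto them."""
from dataclasses import dataclass, field

# Variables the post identifies as code-flow hijack vectors for the two interpreters.
HIJACK_VARS = {"BASH_ENV", "PERL5OPT"}
INTERPRETERS = {"/bin/bash", "/usr/bin/perl"}
MIGRATION_DAEMON = "systemmigrationd"


@dataclass
class ExecEvent:
    pid: int
    path: str                # executable that was exec'd
    argv: list               # full argument vector
    parent_name: str         # short name of the parent process (assumed available)
    env: dict = field(default_factory=dict)   # environment at exec time (assumed captured)


def check_launchctl_setenv(ev):
    """Signal 1: `launchctl setenv <VAR> <value>` for a hijack variable.
    This is the step the post shows Defender for Endpoint alerting on (Figure 15)."""
    if ev.path != "/bin/launchctl" or len(ev.argv) < 3:
        return None
    if ev.argv[1] == "setenv" and ev.argv[2] in HIJACK_VARS:
        return f"pid {ev.pid}: launchctl setenv {ev.argv[2]}"
    return None


def check_interpreter_under_migration(ev):
    """Signal 2: bash or perl spawned by systemmigrationd while a hijack variable is
    present in its environment. A normal migration runs these interpreters without
    such variables (compare the process listing earlier in the post)."""
    if ev.path not in INTERPRETERS or ev.parent_name != MIGRATION_DAEMON:
        return None
    present = sorted(v for v in HIJACK_VARS if v in ev.env)
    if not present:
        return None
    return f"pid {ev.pid}: {ev.path} under {MIGRATION_DAEMON} with {', '.join(present)} set"


CHECKS = (check_launchctl_setenv, check_interpreter_under_migration)


def scan(events):
    """Run every check over every event and return the finding strings in order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample stream modelled on the sequence the post describes.
SAMPLE_EVENTS = [
    # poisoning PERL5OPT system-wide (value is a placeholder in this sample): flagged
    ExecEvent(101, "/bin/launchctl", ["launchctl", "setenv", "PERL5OPT", "<placeholder>"], "zsh"),
    # ordinary use of launchctl setenv: not flagged
    ExecEvent(102, "/bin/launchctl", ["launchctl", "setenv", "PATH", "/usr/local/bin:/usr/bin"], "zsh"),
    # legitimate migration child with a clean environment: not flagged
    ExecEvent(171, "/usr/bin/perl", ["/usr/bin/perl", "/usr/libexec/migrateLocalKDC"], MIGRATION_DAEMON),
    # migration child carrying the poisoned environment: flagged
    ExecEvent(172, "/usr/bin/perl", ["/usr/bin/perl", "/usr/libexec/migrateLocalKDC"], MIGRATION_DAEMON,
              env={"PERL5OPT": "<placeholder>", "HOME": "/var/root"}),
    # a user's own BASH_ENV in an interactive shell is not this pattern: not flagged
    ExecEvent(203, "/bin/bash", ["bash", "-c", "ls"], "Terminal", env={"BASH_ENV": "/Users/u/.bashenv"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```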

This case further emphasizes the need for responsible vulnerability disclosures and expert cross-platform collaboration to mitigate issues such as CVE-2023-32369, regardless of the vulnerable device or platform in use. We wish to thank the Apple product security team again for their efforts and responsiveness in addressing the issue.

Defending against the evolving threat landscape requires the ability to protect and secure users’ computing experiences, whatever the platform. As cross-platform threats continue to grow, we will continue to share vulnerability discoveries and threat intelligence in addition to working with the security community to improve upon solutions that protect users and organizations each day.

Jonathan Bar Or, Michael Pearse, Anurag Bohra

Microsoft Threat Intelligence Community


The post New macOS vulnerability, Migraine, could bypass System Integrity Protection appeared first on Microsoft Security Blog.


Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.

To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.

In this blog post, we share information on Volt Typhoon, their campaign targeting critical infrastructure providers, and their tactics for achieving and maintaining unauthorized access to target networks. Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. At the end of this blog post, we share more mitigation steps and best practices, as well as provide details on how Microsoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy attacks. The National Security Agency (NSA) has also published a Cybersecurity Advisory [PDF] which contains a hunting guide for the tactics, techniques, and procedures (TTPs) discussed in this blog.

As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. To learn about Microsoft’s approach to threat actor tracking, read Microsoft shifts to a new threat actor naming taxonomy.

Figure 1. Volt Typhoon attack diagram

Initial access

Volt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices. Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices.

The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.

Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.

Post-compromise activity

Once Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via the command line. Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times.

Volt Typhoon rarely uses malware in their post-compromise activity. Instead, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data. We describe their activities in the following sections, including the most impactful actions that relate to credential access.

Credential access

If the account that Volt Typhoon compromises from the Fortinet device has privileged access, they use that account to perform the following credential access activities.

Microsoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority Subsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating system (OS) credentials.

Figure 2. Volt Typhoon command to dump LSASS process memory, encoded in Base64
Figure 3. Decoded Base64 of Volt Typhoon command to dump LSASS process memory

Volt Typhoon also frequently attempts to use the command-line tool Ntdsutil.exe to create installation media from domain controllers, either remotely or locally. These media are intended to be used in the installation of new domain controllers. The files in the installation media contain usernames and password hashes that the threat actors can crack offline, giving them valid domain account credentials that they could use to regain access to a compromised organization if they lose access.

Figure 4. Volt Typhoon command to remotely create domain controller installation media
Figure 5. Volt Typhoon command to locally create domain controller installation media

Discovery

Microsoft has observed Volt Typhoon discovering system information, including file system types; drive names, size, and free space; running processes; and open networks. They also attempt to discover other systems on the compromised network using PowerShell, Windows Management Instrumentation Command-line (WMIC), and the ping command. In a small number of cases, the threat actors run system checks to determine if they are operating within a virtualized environment.

Collection

In addition to operating system and domain credentials, Volt Typhoon dumps information from local web browser applications. Microsoft has also observed the threat actors staging collected data in password-protected archives.

Command and control

In most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way authorized users do. However, in a small number of cases, Microsoft has observed Volt Typhoon operators creating proxies on compromised systems to facilitate access. They accomplish this with the built-in netsh portproxy command.

Figure 6. Volt Typhoon commands creating and later deleting a port proxy on a compromised system

In rare cases, they also use custom versions of open-source tools Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel over proxy.

Compromised organizations will observe C2 access in the form of successful sign-ins from unusual IP addresses. The same user account used for these sign-ins may be linked to command-line activity conducting further credential access. Microsoft will continue to monitor Volt Typhoon and track changes in their activity and tooling.

Mitigation and protection guidance

Mitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries (LOLBins) is particularly challenging. Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts.

What to do now if you’re affected

  • Close or change credentials for all compromised accounts. Depending on the level of collection activity, many accounts may be affected. Identify LSASS dumping and domain controller installation media creation to identify affected accounts.
  • Examine the activity of compromised accounts for any malicious actions or exposed data.

Defending against this campaign

  • Mitigate the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.
  • Reduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to block or audit some observed activity associated with this threat:
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe).
    • Block process creations originating from PSExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.
  • Harden the LSASS process by enabling Protected Process Light (PPL) for LSASS on Windows 11 devices. New, enterprise-joined Windows 11 (22H2 update) installs have this feature enabled by default. In addition, enable Windows Defender Credential Guard, which is also turned on by default for organizations using the Enterprise edition of Windows 11.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors such as those exhibited by Volt Typhoon.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.

Detection details and hunting queries

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects attempted post-compromise activity. Note, however, that these alerts can also be triggered by threat activity unrelated to Volt Typhoon. Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block most new and unknown threats.

  • Behavior:Win32/SuspNtdsUtilUsage.A
  • Behavior:Win32/SuspPowershellExec.E
  • Behavior:Win32/SuspRemoteCmdCommandParent.A
  • Behavior:Win32/UNCFilePathOperation
  • Behavior:Win32/VSSAmsiCaller.A
  • Behavior:Win32/WinrsCommand.A
  • Behavior:Win32/WmiSuspProcExec.J!se
  • Behavior:Win32/WmicRemote.A
  • Behavior:Win32/WmiprvseRemoteProc.B

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint alerts with the following titles can indicate possible presence of Volt Typhoon activity.

  • Volt Typhoon threat actor detected

The following alerts may also be associated with Volt Typhoon activity. Note, however, that these alerts can also be triggered by threat activity unrelated to Volt Typhoon.

  • A machine was configured to forward traffic to a non-local address
  • Ntdsutil collecting Active Directory information
  • Password hashes dumped from LSASS memory
  • Suspicious use of wmic.exe to execute code
  • Impacket toolkit

Hunting queries

Microsoft 365 Defender

Volt Typhoon’s post-compromise activity usually includes distinctive commands. Searching for these can help to determine the scope and impact of an incident.

Find commands creating domain controller installation media

This query can identify domain controller installation media creation commands similar to those used by Volt Typhoon.

DeviceProcessEvents
| where ProcessCommandLine has_all ("ntdsutil", "create full", "pro")

Find commands establishing internal proxies

This query can identify commands that establish internal proxies similar to those used by Volt Typhoon.

DeviceProcessEvents
| where ProcessCommandLine has_all ("portproxy", "netsh", "wmic", "process call create", "v4tov4")
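Both hunting predicates above re-implemented in Python, as an added example that is not part of the post or of Microsoft's tooling, so they can be run over exported process events. It also decodes PowerShell -EncodedCommand arguments (Base64 of UTF-16LE) before matching, since Figures 2 and 3 show the LSASS-related command arriving encoded. Field names follow DeviceProcessEvents, the sample command lines are constructed, and the case-insensitive substring matching is a looser stand-in for KQL's term-based has_all.

```python
"""Added example: the post's two hunting queries plus encoded-command decoding,
applied to constructed DeviceProcessEvents-style records."""
import base64
import re

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (longest alternative first).
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

RULES = {
    # Straight from the post's hunting queries.
    "dc_install_media": ("ntdsutil", "create full", "pro"),
    "internal_portproxy": ("portproxy", "netsh", "wmic", "process call create", "v4tov4"),
    # Added: the post describes LSASS credential dumping but shows the command only
    # as a screenshot; an encoded command that names lsass is worth an analyst's look.
    "encoded_lsass_reference": ("lsass",),
}


def has_all(text, terms):
    """Substring version of KQL has_all: every term occurs, case-insensitively.
    KQL matches whole terms, so this version can fire on more strings (e.g. 'pro' in 'process')."""
    low = text.lower()
    return all(t.lower() in low for t in terms)


def decode_encoded_command(cmdline):
    """Return the plaintext script of a PowerShell encoded-command argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_event(cmdline):
    """Names of the rules that fire on one command line (raw and, if present, decoded)."""
    decoded = decode_encoded_command(cmdline)
    hits = []
    for name, terms in RULES.items():
        if name == "encoded_lsass_reference":
            # Only meaningful on decoded payloads; plain references are too noisy here.
            if decoded is not None and has_all(decoded, terms):
                hits.append(name)
            continue
        if has_all(cmdline, terms) or (decoded is not None and has_all(decoded, terms)):
            hits.append(name)
    return hits


def hunt(events):
    """events: iterable of dicts with DeviceName and ProcessCommandLine."""
    return [(ev["DeviceName"], hit) for ev in events for hit in match_event(ev["ProcessCommandLine"])]


def _encoded(ps_script):
    """Build an encoded-command argument the way PowerShell expects it (UTF-16LE, Base64)."""
    return base64.b64encode(ps_script.encode("utf-16-le")).decode("ascii")


# Constructed sample records; values are placeholders, not observed indicators.
SAMPLE_EVENTS = [
    {"DeviceName": "dc01", "ProcessCommandLine": r'ntdsutil.exe "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"DeviceName": "ws07", "ProcessCommandLine":
        'wmic process call create "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443"'},
    {"DeviceName": "ws12", "ProcessCommandLine":
        "powershell.exe -NoP -enc " + _encoded(r"Get-Process lsass | Out-File C:\Windows\Temp\p.txt")},
    {"DeviceName": "ws03", "ProcessCommandLine": "netsh interface show interface"},          # benign
    {"DeviceName": "ws03", "ProcessCommandLine": "powershell.exe -enc " + _encoded("Get-Date")},  # benign, encoded
]

if __name__ == "__main__":
    for device, rule in hunt(SAMPLE_EVENTS):
        print(f"{device}: {rule}")
```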

Find detections of custom FRP executables

This query can identify alerts on files that match the SHA-256 hashes of known Volt Typhoon custom FRP binaries.

AlertEvidence
| where SHA256 in 
('baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c', 
'b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74', 
'4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349', 
'c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d', 
'd6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af', 
'9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a', 
'450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267', 
'93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066', 
'7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5', 
'389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61', 
'c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b', 
'e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95', 
'6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff', 
'cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984', 
'17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4', 
'8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2', 
'd17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295', 
'472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d', 
'3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642')

Microsoft Sentinel

Below are some suggested queries to assist Microsoft Sentinel customers in identifying Volt Typhoon activity in their environment:

Microsoft customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious hash indicators (related to the custom Fast Reverse Proxy binaries) mentioned in this blog post. These analytics are part of the Threat Intelligence solution and can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Indicators of compromise (IOCs)

The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protection to identify past related activity and prevent future attacks against their systems.

Volt Typhoon custom FRP executable (SHA-256):


The post Volt Typhoon targets US critical infrastructure with living-off-the-land techniques appeared first on Microsoft Security Blog.


Microsoft Build 2023: Announcing new identity, compliance, and security features from Microsoft Security

May 23rd, 2023

At Microsoft Build 2023—an event for developers by developers—we’re going to announce exciting new features and technologies, share ideas, and help everyone boost their skills so we can all build a more secure future together. This year’s Microsoft Build offers a full program, both online and in-person, to suit every attendee, whether you’re a professional developer, data pro, or a brand-new coder. Not only is Microsoft Build a great opportunity to gain new knowledge and skills, but it’s also the place to meet and learn from other developers. If you haven’t registered yet, I invite you to visit the Microsoft Build event page.


Below is a quick tour of a few security-related sessions and the new features and technologies they highlight.

New identity and access features in Microsoft Entra

Graphic showing how Microsoft Entra External ID helps personalize and secure access to any application for customers and partners with a complete customer identity and access management solution.

Welcome to modern identity and access management with Microsoft Entra

Developers are in the business of building app features and capabilities. Most developers are not—and don’t want to be—identity security experts.

At Microsoft Build, we’re announcing the next generation customer identity access management platform: Microsoft Entra External ID, now in preview. Microsoft Entra External ID was purpose-built to personalize and secure access to applications while protecting any external identity and effectively controlling which resources they can access. It delivers a flexible, unified identity platform, personalized customer experiences, adaptive access policies, and built-in identity governance. In the session “Explore CIAM capabilities with External Identities in Microsoft Entra,” Yoel Horvitz, Senior Program Manager, Microsoft Azure Active Directory (Azure AD), and Namita Singh, Senior Software Engineer at Cloud Data Center Cybersecurity, Microsoft, will explore how easily you can create branded sign-up and sign-in app experiences. No more trade-offs between great security and great customer experiences. You’ll see how quickly you can add a strong sign-up or sign-in experience plus comprehensive onboarding flows that capture and validate customer information.

Partner identity scenarios (B2B Collaboration) remain in the same location on the Microsoft Entra admin portal within the Workforce tenant. Please note that there is no action for our current Azure AD business-to-consumer (B2C) customers required at this time as the next generation platform is currently in early preview only. We remain fully committed to support the current Azure AD B2C solution, and there are no requirements for B2C customers to migrate at this time and no plans to discontinue the current B2C service.

This next-generation expanded solution for customer and partner identities marks the next chapter in our customer identity solution, addressing critical customer feedback and building on top of our existing capabilities.

External ID now combines familiar B2B collaboration functionality in Microsoft Entra (generally available) with evolved and unified customer identity (CIAM) capabilities, targeting customer-facing applications, now in preview. Help us shape the future of this new platform with your participation in our preview.

Microsoft Entra Verified ID digital wallet SDK

Microsoft Entra Verified ID is an open standards-based verifiable credentials service that customers can use to automate the identity validation process while enabling privacy-protected interactions between organizations and users. You can integrate the upcoming release of the Verified ID Wallet Library into your mobile apps to store and share digital Verified ID cards. This allows you to issue verifiable credentials for dozens of use cases, such as reducing the risk for fraud and account takeovers, streamlining app sign-ins, creating self-service account recovery and helpdesk flows, and enabling rich partner rewards ecosystems. Be sure to check out the “Reduce fraud and improve engagement using Digital Wallets” session by Christer Ljung, Principal Program Manager, Microsoft, and Sydney Morton, Software Engineer, Microsoft, to learn more about Verified ID’s open source digital wallet SDK.

New capabilities for compliance and data automation in Microsoft Purview

General availability of machine learning-enabled source code classifier

Microsoft Purview Information Protection helps organizations automate data classification, labeling, and protection across multiple platforms. More than 35 pre-trained classifiers help quickly identify and protect some of the most sensitive data, such as intellectual property and trade secrets, material non-public information, sensitive health and medical files, business sensitive financial information, and personally identifiable information for General Data Protection Regulation (GDPR) compliance. Plus, an improved ready-to-use source code classifier that supports more than 70 file extensions and 23 programming languages can detect embedded and partial source code.  

New APIs available to help automate compliance workflows

You can take advantage of new Microsoft Graph APIs built specifically for Microsoft Purview eDiscovery and compliance scenarios to help organizations automate their litigation and investigation workflows. Join us for “Streamline eDiscovery with new innovations, including Microsoft Graph APIs,” a sequel to Microsoft Senior Product Marketing Manager Caitlin Fitzgerald’s Microsoft Build 2022 session, which will share recent examples of using APIs to ensure repeatable and predictable management of time-sensitive compliance processes.

Explore built-in security features in these Microsoft Build sessions

Unlocking the Power of Azure Security: Conversations with Experts, Q&A

In this Q&A session, Richard Diver, Technical Story Design Lead, Microsoft, will moderate a panel of experts who help secure the software supply chain within Microsoft Azure and other platforms. The session is based on a four-part blog series that includes Microsoft Azure’s defense-in-depth approach to cloud vulnerabilities and Cloud Variant Hunting. The panel will share Microsoft security best practices and how we’re enhancing our response process, extending our internal security research, and continually improving how we secure multitenant services.

Next-Level DevSecOps: Secure Supply Chain Consumption Framework, Q&A

The Secure Software Supply Chain Framework (S2C2F) is designed from the ground up to protect developers from accidentally consuming malicious and compromised packages. In this Q&A session, Mia Reyes, Director, Foundational Security—Cybersecurity, Microsoft, will moderate a panel of leads from our Secure Software Supply Chain team, including Adrian Diglio, Principal Product Marketing Manager, Microsoft, and Jasmine Wang, Product Manager, Microsoft, as they share the Secure Supply Chain Consumption Framework S2C2F. Learn how to patch your vulnerable components faster to prevent consumption of malicious or compromised packages. Download the Secure Supply Chain Consumption Framework Simplified Requirements guide to learn how you can improve your open source software (OSS) consumption practices.

According to Sonatype’s 2022 State of the Software Supply Chain report, supply chain attacks targeting OSS have increased by an average of 742 percent each year for the past three years.1

Microsoft Build 2023

Join us in Seattle for Microsoft Build from May 23 to 25, 2023. We’ll stream online sessions May 23 and 24, 2023 during Pacific Time hours. Register now to reserve your spot and visit the Microsoft Build 2023 website to explore the session catalog and plan your experience. We look forward to connecting with you!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. 18th Annual State of the Software Supply Chain Report, Sonatype.

The post Microsoft Build 2023: Announcing new identity, compliance, and security features from Microsoft Security appeared first on Microsoft Security Blog.


Cyber Signals: Shifting tactics fuel surge in business email compromise

May 19th, 2023

Today we released the fourth edition of Cyber Signals highlighting a surge in cybercriminal activity around business email compromise (BEC). Microsoft has observed a 38 percent increase in cybercrime as a service (CaaS) targeting business email between 2019 and 2022.1

Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI’s Recovery Asset Team (RAT) initiated the Financial Fraud Kill Chain (FFKC) on 2,838 BEC complaints involving domestic transactions with potential losses of more than USD590 million.2  

BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts with an adjusted average of 156,000 attempts daily. 

Cyber Signals

Microsoft’s Digital Crimes Unit has observed a 38 percent increase in cybercrime as a service targeting business email between 2019 and 2022.


Common BEC tactics

Threat actors’ BEC attempts can take many forms—including via phone calls, text messages, emails, or social media. Spoofing authentication request messages and impersonating individuals and companies are also common tactics. 

Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking direct action like unknowingly sending funds to money mule accounts that help criminals perform fraudulent money transfers.  

Unlike a “noisy” ransomware attack featuring disruptive extortion messages, BEC operators play a quiet confidence game using contrived deadlines and urgency to spur recipients who may be distracted or accustomed to these types of urgent requests. Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and in-box success rate of malicious messages. 

Microsoft observes a significant trend in attackers’ use of platforms like BulletProftLink, a popular service for creating industrial-scale malicious mail campaigns, which sells an end-to-end service including templates, hosting, and automated services for BEC. Adversaries using this CaaS are also provided with IP addresses to help guide BEC targeting.   

BulletProftLink’s decentralized gateway design, which includes Internet Computer blockchain nodes to host phishing and BEC sites, creates an even more sophisticated decentralized web offering that’s much harder to disrupt. Distributing these sites’ infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex.  

While there have been several high-profile attacks that take advantage of residential IP addresses, Microsoft shares law enforcement and other organizations’ concern that this trend can be rapidly scaled, making it difficult to detect activity with traditional alarms or notifications.  

Although threat actors have created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting C-suite leaders, accounts payable leads, and other specific roles, there are methods that enterprises can employ to preempt attacks and mitigate risk.

BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance, and cyber risk officers at the table alongside executives and leaders, finance employees, human resource managers, and others with access to employee records like social security numbers, tax statements, contact information, and schedules.   

Recommendations to combat BEC

  • Use a secure email solution: Today’s cloud platforms for email use AI capabilities like machine learning to enhance defenses, adding advanced phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also offer the advantages of continuous, automatic software updates and centralized management of security policies.  
  • Secure Identities to prohibit lateral movement: Protecting identities is a key pillar to combating BEC. Control access to apps and data with Zero Trust and automated identity governance.  
  • Adopt a secure payment platform: Consider switching from emailed invoices to a system specifically designed to authenticate payments.  

Learn more

Read the fourth edition of Cyber Signals today.

For more threat intelligence insights and guidance, including past issues of Cyber Signals, visit Security Insider.



End notes

1. Cyber Signals, Microsoft.

2. Internet Crime Complaint Center Releases 2022 Statistics, FBI.

The post Cyber Signals: Shifting tactics fuel surge in business email compromise appeared first on Microsoft Security Blog.

Announcing The BlueHat Podcast: Listen and Subscribe Now!

Available today on all major podcast platforms is The BlueHat Podcast, a new series of security-research-focused conversations, continuing the themes from the BlueHat 2023 conference (session recordings available to watch here).
Since 2005, BlueHat has been where the security research community, and Microsoft, come together as peers: to debate, discuss, share, challenge, celebrate and learn.


Microsoft Security highlights from RSA Conference 2023

May 15th, 2023

The RSA Conference (RSAC) gave us an incredible opportunity to meet with security professionals from around the world, learn about exciting advances in the world of cybersecurity, and share our own security innovations. Defenders everywhere serve an important mission of protecting our world, and RSAC is a special time to connect with the defender community and support each other in our collective mission.

I had the honor of representing Microsoft at our RSA keynote, “Defending at Machine Speed: Technology’s New Frontier.” AI is having a profound impact in our world, and I believe security is going to be one of AI’s most important use cases. During this session, I shared how AI is causing a paradigm shift, augmenting the essential power of human intuition and expertise and reshaping the future of cybersecurity. For details, watch the full keynote here (video courtesy of RSA Conference).

RSAC is the largest and most important cybersecurity conference in the industry—we value every opportunity to learn directly from our customers, partners, and community, and share how Microsoft Security is empowering our customers to protect everything.

Let’s walk through some of the most memorable moments from RSAC.

Vasu Jakkal, Corporate Vice President, Microsoft Security, speaking at RSAC 2023.

Pre-Day with Microsoft

Microsoft Security opened RSAC with the Pre-Day event and reception on Sunday, April 23. Pre-Day was an expansion of our presence at RSAC and amplification of the announcements we made at Microsoft Secure. The presentations helped attendees gain a deeper understanding of what an AI-powered future means for cybersecurity. They also shared comprehensive strategies to help organizations protect everything, highlighted the latest announcements in Threat Intelligence, which is critical to defending against an evolving threat landscape, and gave customers a chance to interact with Microsoft Security business and engineering leaders, as well as network with their peers during an evening reception. I was very pleased to share the stage with Charlie Bell, Executive Vice President, Microsoft Security; Bret Arsenault, CVP, Microsoft Security and Chief Information Security Officer; Kelly Bissell, CVP, Microsoft Security; Andy Elder, CVP, Microsoft Security Solution Area; Jeremy Dallman, Principal Research Director, Microsoft Threat Intelligence; Holly Stewart, Principal Research Director, Microsoft Threat Intelligence; and engineering leaders.

From left to right, Vasu Jakkal, Bret Arsenault, Andy Elder, and Charlie Bell speaking at the Pre-Day with Microsoft event.

Major product announcements

Microsoft Security Copilot, Microsoft’s new generative AI solution, garnered plenty of buzz during the conference. First announced at Microsoft Secure, Security Copilot combines the latest OpenAI large language model with Microsoft’s unique security-specific model powered by 65 trillion signals, human intelligence, and cyberskills to help defenders move at the speed and scale of AI. It was wonderful to see the interest from our customers and partners for Security Copilot.

Now in private preview, this groundbreaking technology serves as a true copilot to defenders. It augments a security analyst’s work, continually learning from users and letting them provide feedback and inform future interactions. The AI capabilities you gain include ongoing access to the most advanced OpenAI models, integration with Microsoft’s end-to-end security portfolio, and visibility and evergreen threat intelligence powered by your organization’s security products and the 65 trillion threat signals received by Microsoft every day. Importantly, Security Copilot is built with privacy at its heart. This means your data remains your data, and it is not used to train or enrich foundation AI models. Further, Security Copilot runs on our security and privacy-compliant Azure Cloud hyperscale infrastructure, enabling organizations to truly defend at machine speed.

In other threat intelligence news, Microsoft Defender Threat Intelligence is now available to licensed customers directly within Microsoft 365 Defender. It’s already integrated with Microsoft Sentinel and now has an application programming interface (API) to help enrich incidents, automate incident response, and work with a broad ecosystem of security tools. With this advancement, you get one of the world’s best threat intelligence, integrated with the tools you use every day.

Specific capabilities available as part of a Microsoft Sentinel solutions package—generally available beginning in July—are:

  • Microsoft Defender Threat Intelligence enrichment playbooks: Defender Threat Intelligence integrates with any security information and event management (SIEM) platform via an API, but playbooks in the Microsoft Sentinel Content hub are available to enrich incidents with reputation data to add context and triage them automatically.  
  • Microsoft Defender Threat Intelligence data connector: Microsoft threat researchers add indicators of compromise (IOCs) from finished intelligence to the threat intelligence (TI) blade, adding critical context for Microsoft Sentinel users and enhancing detections and investigations.  
  • Microsoft Defender Threat Intelligence analytics rules: This built-in rule takes URLs, domains, and IP addresses from a customer environment via log data and checks them against known-bad IOCs from Defender Threat Intelligence, creating incidents when there’s a match.
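The matching step the analytics rule above describes, written out as an added Python example (not Microsoft’s or Sentinel’s code): indicators are extracted from log lines, normalized, and compared against a feed, with one incident per hit. The feed entries, log lines and names such as KNOWN_BAD, SAMPLE_LOGS and run_rule are constructed placeholders, and the example goes one step beyond the text by also matching a parent domain in the feed against subdomains seen in logs.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed threat-intelligence feed. These are placeholder values drawn from
# reserved documentation ranges, not real indicators from any Microsoft feed.
KNOWN_BAD = {
    "domain": {"bad-invoice-portal.example", "login-verify.example"},
    "ip": {"203.0.113.45"},
    "url": {"http://login-verify.example/auth"},
}

# Constructed log lines standing in for proxy, DNS and firewall telemetry.
SAMPLE_LOGS = [
    "2023-05-15T10:01:02Z proxy allow user=alice dst=https://intranet.example/reports",
    "2023-05-15T10:03:44Z proxy allow user=bob dst=http://LOGIN-VERIFY.example/auth",
    "2023-05-15T10:05:10Z dns query name=mail.bad-invoice-portal.example. type=A",
    "2023-05-15T10:07:31Z firewall deny src=10.0.0.8 dst=203.0.113.45 dport=443",
    "2023-05-15T10:09:00Z firewall allow src=10.0.0.9 dst=198.51.100.7 dport=443",
]

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # IPv6 is out of scope here
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Incident:
    indicator_type: str   # "url", "domain" or "ip"
    indicator: str        # the feed entry that matched
    log_line: str         # the raw line that triggered the match


def normalize_domain(name):
    # Case-fold and drop a trailing root dot so DNS-style names compare equal.
    return name.lower().rstrip(".")


def extract_indicators(line):
    """Pull every candidate URL, domain and IPv4 address out of one log line."""
    found = set()
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)").lower()
        found.add(("url", url))
        host = urlparse(url).hostname
        if host:
            found.add(("domain", normalize_domain(host)))
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)   # rejects octets above 255
        except ValueError:
            continue
        found.add(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        found.add(("domain", normalize_domain(dom)))
    return found


def match_indicators(indicators, feed=KNOWN_BAD):
    """Return the (type, feed_value) pairs that match known-bad feed entries.

    Domains match on the exact name or on any parent domain, so a feed entry
    for bad-invoice-portal.example also catches mail.bad-invoice-portal.example.
    """
    hits = set()
    for kind, value in indicators:
        if kind == "domain":
            labels = value.split(".")
            for i in range(len(labels) - 1):
                parent = ".".join(labels[i:])
                if parent in feed.get("domain", ()):
                    hits.add((kind, parent))
                    break
        elif value in feed.get(kind, ()):
            hits.add((kind, value))
    return hits


def run_rule(log_lines, feed=KNOWN_BAD):
    """Apply the rule to each line; one Incident per distinct indicator hit."""
    incidents = []
    for line in log_lines:
        for kind, value in sorted(match_indicators(extract_indicators(line), feed)):
            incidents.append(Incident(kind, value, line))
    return incidents


if __name__ == "__main__":
    for inc in run_rule(SAMPLE_LOGS):
        print(f"[{inc.indicator_type}] {inc.indicator} <- {inc.log_line}")
```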

At RSAC, we also had several other major product announcements.

Security researchers and customers are confronted with an overwhelming amount of threat intelligence data—and we want to help by giving them better clarity. Our new threat actor naming taxonomy will offer a more organized, articulate, and easy way to reference adversary groups so that organizations can better prioritize threats and protect against attacks. Microsoft Security also is rolling out a new icon system to make it even easier to identify and remember threat actors. Each icon represents a unique family name and will accompany the threat actor names as a visual aid. 

To demonstrate these changes, we showcased the Microsoft Threat Intelligence Interactive Experience at our booth and Microsoft Security Hub.

Microsoft Defender for API is a new offering focused on threat protection for APIs. It gives organizations cross-organizational visibility of their Azure API Management inventory, data classification, and coverage to detect exploitation of API risks. Classify and understand the API security posture based on cloud security insights and sensitive data exposure. Harden API configuration and prioritize API risk remediation by monitoring for security best practices in a full lifecycle approach, across infrastructure as code templates and runtime environments. Detect and respond to active runtime threats within minutes, using machine learning powered detections of anomalous and suspicious API usage.

Microsoft Defender External Attack Surface Management (MDEASM)—Data Connector provides automated export of attack surface details, updates, and findings to Kusto or Microsoft Sentinel Log Analytics, giving customers the ability to analyze, report, and correlate attack surface information against other data sources and use additional tooling such as Power BI to customize analysis to their organization’s needs. 

Now in general availability as part of the Microsoft Intune Suite and as a standalone add-on, Microsoft Intune Endpoint Privilege Management is a feature that enables admins to set policies that allow standard users to perform tasks normally reserved for an administrator. The feature supports automatic and user-confirmed workflows for elevation as well as insights and reporting. 

RSA Conference highlights

Highlights of our sessions included:

Microsoft Security Hub sessions and activities


Living up to its name, the Microsoft Security Hub was a hubbub of activity throughout RSA Conference. Held at the Ecosystem Coworking Space, the private and semi-private meeting rooms provided a fantastic opportunity for us to meet with customers and partners, and there were multiple learning opportunities and networking events.

Microsoft sessions and experiences

  • During our session “AI: Shaping Security Today and Into the Future”, Microsoft’s Scott Woodgate discussed how AI is an integral part of Microsoft’s security strategy, helping drive security operations center efficiency with Microsoft Sentinel and Microsoft 365 Defender and now taking it to the next level with Microsoft Security Copilot.
  • The Microsoft Threat Intelligence Interactive Experience wowed attendees throughout the conference. The experience invited hundreds of people to explore our unparalleled, 360-degree view of the threat landscape. The 3D-touchscreen globe was unlike anything found at the conference. Customers explored the new threat actor taxonomy with stunning visuals, an interactive quiz to test their cybersecurity knowledge, and attack chain case studies to explore the tactics, techniques, and procedures (TTPs) of threat actors. The experience wowed customers, “This is something only Microsoft would do, this is amazing,” and was moving to others, “This just means a lot being able to see the stuff I work with every day visualized like this.”
  • Another popular event was our Threat Intelligence Happy Hour, hosted by Microsoft Security Experts, on April 25. This networking event allowed customers and partners to connect with the many, varied experts from Microsoft Security to talk shop, score swag, and learn more about the new threat actor taxonomy in a casual setting that included drinks aligned to the new weather-themed taxonomy.  
  • We kicked off the first day of RSAC with the Diversity Executive Women’s Lunch, where I joined Aarti Borkar, Ann Johnson, Tanya Janca, and Lynn Dohm to discuss what industry, academia, government, and not-for-profits can do together as a community to nurture more women into successful careers in cybersecurity. With an audience of security leaders, not-for-profit representatives, community college students, and educators, this session welcomed an inspiring reflection on the importance of diversity for building a strong workforce, provided calls to action to make a real difference, and enabled a great networking moment.
Celebrating women in cybersecurity with presenters (pictured from left to right): Ann Johnson, CVP, Microsoft Security, Lynn Dohm, Executive Director, Women in Cybersecurity, Vasu Jakkal, Tanya Janca, Founder and Chief Executive Officer, We Hack Purple, and Aarti Borkar, Vice President, Customer Success, Microsoft Security.

RSA Conference ancillary events


Microsoft Intelligent Security Association (MISA) members gathered on April 24 at The Fairmont Hotel to honor award winners in 11 security categories at the Microsoft Security Excellence Awards. The fourth annual awards give us an opportunity to recognize outstanding contributions of partners in our MISA organization. MISA is a coalition of Microsoft leaders and subject matter experts, independent software vendors, and managed security service providers working together to defend organizations around the world from increasing threats. Watch the awards yourself to see all the excitement!

Two nights later, Microsoft sponsored the 13th Annual Executive Dinner, hosted by Forgepoint Capital and PwC. The event’s theme was “Working Together in the New Era of Transparency and Resilience.” Guests enjoyed dinner, cocktails, and conversation about cybersecurity.

If you attended RSAC and engaged with Microsoft, please take a few minutes to respond to our RSAC 2023 survey so we can continue to improve your experience. My thanks to everyone who attended, and we’ll see you next year!   

Join us for Microsoft Build

We relish any opportunity to connect with customers and partners and hear your stories of how you’re innovating with technology. Thankfully, we don’t have long to wait. Join us in Seattle for Microsoft Build, including pre-day workshops on May 22, 2023, and keynotes, Expert Meet-ups, sessions, demos, and skill labs May 23 to 25, 2023. If you can’t attend in-person, consider attending virtually May 23 to 24, 2023. Register today to reserve your spot.


The post Microsoft Security highlights from RSA Conference 2023 appeared first on Microsoft Security Blog.


Microsoft Security highlights from RSA Conference 2023

May 15th, 2023 No comments

The RSA Conference (RSAC) gave us an incredible opportunity to meet with security professionals from around the world, learn about exciting advances in the world of cybersecurity, and share our own security innovations. Defenders everywhere serve an important mission of protecting our world, and RSAC is a special time to connect with the defender community and support each other in our collective mission.

I had the honor of representing Microsoft at our RSA keynote, “Defending at Machine Speed: Technology’s New Frontier.” AI is having a profound impact in our world, and I believe security is going to be one of AI’s most important use cases. During this session, I shared how AI is causing a paradigm shift, augmenting the essential power of human intuition and expertise and reshaping the future of cybersecurity. For details, watch the full keynote here (video courtesy of RSA Conference).

RSAC is the largest and most important cybersecurity conference in the industry—we value every opportunity to learn directly from our customers, partners, and community, and share how Microsoft Security is empowering our customers to protect everything.

Let’s walk through some of the most memorable moments from RSAC.

Vasu Jakkal, Corporate Vice President, Microsoft Security, speaking at RSAC 2023.

Pre-Day with Microsoft

Microsoft Security opened RSAC with the Pre-Day event and reception on Sunday, April 23. Pre-Day was an expansion of our presence at RSAC and amplification of the announcements we made at Microsoft Secure. The presentations helped attendees gain a deeper understanding of what an AI-powered future means for cybersecurity. They also shared comprehensive strategies to help organizations protect everything, highlighted the latest announcements in Threat Intelligence, which is critical to defending against an evolving threat landscape, and gave customers a chance to interact with Microsoft Security business and engineering leaders, as well as network with their peers during an evening reception. I was very pleased to share the stage with Charlie Bell, Executive Vice President, Microsoft Security; Bret Arsenault, CVP, Microsoft Security and Chief Information Security Officer; Kelly Bissell, CVP, Microsoft Security; Andy Elder, CVP, Microsoft Security Solution Area; Jeremy Dallman, Principal Research Director, Microsoft Threat Intelligence; Holly Stewart, Principal Research Director, Microsoft Threat Intelligence; and engineering leaders.

From left to right, Vasu Jakkal, Bret Arsenault, Any Elder, and Charlie Bell speaking at Pre-Day with Microsoft event.

Major product announcements

Microsoft Security Copilot, Microsoft’s new generative AI solution, garnered plenty of buzz during the conference. First announced at Microsoft Secure, Security Copilot combines the latest Open AI large language model with Microsoft’s unique security specific model powered by 65 trillion signals, human intelligence, and cyberskills to help defenders move at the speed and scale of AI. It was wonderful to see the interest from our customers and partners for Security Copilot.

Now in private preview, this groundbreaking technology serves as a true copilot to defenders. It augments a security analyst’s work, continually learning from users and letting them provide feedback and inform future interactions. The AI capabilities you gain include ongoing access to the most advanced OpenAI models, integration with Microsoft’s end-to-end security portfolio, and visibility and evergreen threat intelligence powered by your organization’s security products and the 65 trillion threat signals received by Microsoft every day. Importantly, Security Copilot is built with privacy at its heart. This means your data remains your data, and it is not used to train or enrich foundation AI models. Further, Security Copilot runs on our security and privacy-compliant Azure Cloud hyperscale infrastructure, enabling organizations to truly defend at machine speed.

In other threat intelligence news, Microsoft Defender Threat Intelligence is now available to licensed customers directly within Microsoft 365 Defender. It’s already integrated with Microsoft Sentinel and now has an application programming interface (API) to help enrich incidents, automate incident response, and work with a broad ecosystem of security tools. With this advancement, you get one of the world’s best threat intelligence, integrated with the tools you use every day.

Specific capabilities available as part of a Microsoft Sentinel solutions package—generally available beginning in July—are:

  • Microsoft Defender Threat Intelligence enrichment playbooks: Defender Threat Intelligence integrates with all security information and event management (SIEMS) via an API, but playbooks in the Microsoft Sentinel Content hub are available to enrich incidents with reputation data to add context and triage them automatically.
  • Microsoft Defender Threat Intelligence data connector: Microsoft threat researchers add indicators of compromise (IOCs) from finished intelligence to the threat intelligence (TI) blade to add massive value to Microsoft Sentinel users by adding critical context and enhancing detections and investigations.
  • Microsoft Defender Threat Intelligence analytics rules: This built-in rule takes URLs, domains, and internet protocols (IPs) from a customer environment via log data and checks them against known bad IOCs from Defender Threat Intelligence, creating incidents when there’s a match.

At RSAC, we also had several other major product announcements.

Security researchers and customers are confronted with an overwhelming amount of threat intelligence data—and we want to help by giving them better clarity. Our new threat actor naming taxonomy will offer a more organized, articulate, and easy way to reference adversary groups so that organizations can better prioritize threats and protect against attacks. Microsoft Security also is rolling out a new icon system to make it even easier to identify and remember threat actors. Each icon represents a unique family name and will accompany the threat actor names as a visual aid. 

A person touching a globe.
To demonstrate these changes, we showcased the Microsoft Threat Intelligence Interactive Experience at our booth and Microsoft Security Hub.

Microsoft Defender for API is a new offering focused on threat protection for APIs—built for organizations that provide cross-organizational visibility of the Azure API Management inventory, data classification, and coverage to detect exploits of API risks. Classify and understand the API security posture based on cloud security insights and sensitive data exposure. Harden API configuration and prioritize API risk remediation by monitoring for security best practices in a full lifecycle approach, across infrastructure as code templates and runtime environments. Detect and respond to active runtime threats within minutes—using machine learning powered anomalous and suspicious API usage detections. 

Microsoft Defender External Attack Surface Management (MDEASM)—Data Connector provides automated export of attack surface details, updates, and findings to Kusto or Microsoft Sentinel Log Analytics, giving customers the ability to analyze, report, and correlate attack surface information against other data sources and use additional tooling such as Power BI to customize analysis to their organization’s needs. 

Now in general availability as part of the Microsoft Intune Suite and as a standalone add-on, Microsoft Intune Endpoint Privilege Management is a feature that enables admins to set policies that allow standard users to perform tasks normally reserved for an administrator. The feature supports automatic and user-confirmed workflows for elevation as well as insights and reporting. 

RSA Conference highlights

Highlights of our sessions included:

Microsoft Security Hub sessions and activities

A room full of people communicating.

Living up to its name, the Microsoft Security Hub was a hubbub of activity throughout RSA Conference. Held at the Ecosystem Coworking Space, the private and semi-private meeting rooms provided fantastic opportunity for us to meet with customers and partners, and there were multiple learning opportunities and networking events.

Microsoft sessions and experiences

People speaking around a globe.
Two people smiling
  • During our session “AI: Shaping Security Today and Into the Future”, Microsoft’s Scott Woodgate discussed how AI is an integral part of Microsoft’s security strategy, helping drive security operations center efficiency with Microsoft Sentinel and Microsoft 365 Defender and now taking it to the next level with Microsoft Security Copilot.
  • The Microsoft Threat Intelligence Interactive Experience wowed attendees throughout the conference. The experience invited hundreds of people to explore our unparalleled, 360-degree view of the threat landscape. The 3D-touchscreen globe was unlike anything found at the conference. Customers explored the new threat actor taxonomy with stunning visuals, an interactive quiz to test their cybersecurity knowledge, and attack chain case studies to explore the tactics, techniques, and procedures (TTPs) of threat actors. The experience wowed customers, “This is something only Microsoft would do, this is amazing,” and was moving to others, “This just means a lot being able to see the stuff I work with every day visualized like this.”
  • Another popular event was our Threat Intelligence Happy Hour, hosted by Microsoft Security Experts, on April 25. This networking event allowed customers and partners to connect with the many, varied experts from Microsoft Security to talk shop, score swag, and learn more about the new threat actor taxonomy in a casual setting that included drinks aligned to the new weather-themed taxonomy.  
  • We kicked off the first day of RSAC with the Diversity Executive Women’s Lunch, where I joined Aarti Borkar, Ann Johnson, Tanya Janca, and Lynn Dohm to discuss what industry, academia, government, and not-for-profits can do together as a community to nurture more women into successful careers in cybersecurity. With an audience of security leaders, not-for-profit representatives, community college students, and educators, this session welcomed an inspiring reflection on the importance of diversity for building a strong workforce, provided calls to action to make real difference, and enabled a great networking moment.
Celebrating women in cybersecurity with presenters (pictured from left to right): Ann Johnson, CVP, Microsoft Security; Lynn Dohm, Executive Director, Women in Cybersecurity; Vasu Jakkal; Tanya Janca, Founder and Chief Executive Officer, We Hack Purple; and Aarti Borkar, Vice President, Customer Success, Microsoft Security.

RSA Conference ancillary events


Members of the Microsoft Intelligent Security Association (MISA) gathered on April 24 at The Fairmont Hotel to honor award winners in 11 security categories at the Microsoft Security Excellence Awards. The fourth annual awards give us an opportunity to recognize outstanding contributions of partners in our MISA organization. MISA is a coalition of Microsoft leaders and subject matter experts, independent software vendors, and managed security service providers working together to defend organizations around the world from increasing threats. Watch the awards yourself to see all the excitement!

Two nights later, Microsoft sponsored the 13th Annual Executive Dinner, hosted by Forgepoint Capital and PwC. The event’s theme was “Working Together in the New Era of Transparency and Resilience.” Guests enjoyed dinner, cocktails, and conversation about cybersecurity.

Join us for Microsoft Build

We relish any opportunity to connect with customers and partners and hear your stories of how you’re innovating with technology. Thankfully, we don’t have long to wait. Join us in Seattle for Microsoft Build, including pre-day workshops on May 22 and keynotes, Expert Meet-ups, sessions, demos, and skill labs May 23 to 25. If you can’t attend in person, consider attending virtually May 23 to 24. Register today to reserve your spot.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


Guidance on Secure Boot Manager changes related to CVE-2023-24932

This blog is an abridged translation of Guidance related to Secure Boot Manager changes associated with CVE-2023-24932. Refer to the original for the latest information.

Summary


May 2023 security updates (monthly)


Guidance related to Secure Boot Manager changes associated with CVE-2023-24932

Summary

Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability.
This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.


Security baseline for Microsoft Edge version 113

May 6th, 2023

We are pleased to announce the security review for Microsoft Edge, version 113!

We have reviewed the new settings in Microsoft Edge version 113 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 112 security baseline continues to be our recommended configuration, which can be downloaded from the Microsoft Security Compliance Toolkit.

Microsoft Edge version 113 introduced 3 new computer settings and 3 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baselines Discussion site or this post.


How Microsoft can help you go passwordless this World Password Day

May 4th, 2023

It’s that time of year again. World Password Day is May 4, 2023.[1] There’s a reason it’s still going strong 10 years after being created by cybersecurity professionals. A recent study that analyzed more than 15 billion passwords found that the top 10 most popular passwords still include easy-to-crack combinations like “123456” and “qwerty.”[2] With that level of security, many organizations are essentially leaving the front door open. Sharing your password for a streaming service may seem harmless (their accountants might disagree), but this behavior sometimes bleeds into the workplace, where weak or shared employee passwords often become one of the largest security threat vectors that companies face.

In 2022, Microsoft tracked 1,287 password attacks every second (more than 111 million per day).[3] Phishing is an increasingly favored attack method, up 61 percent from 2021 to 2022.[4] And our data for 2023 shows that this trend is continuing. Passwords should play no part in a future-looking credential strategy. That’s why you don’t need a password for Microsoft Accounts—hundreds of thousands of people have deleted their passwords completely.[5]

For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provide the best security and an excellent return on investment (ROI).

Go passwordless for simplicity, security, and savings

If you’ve read my blog on why no passwords are good passwords, you know my feelings on this subject. To quote myself: “Your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or reused.” As Microsoft Chief Information Security Officer Bret Arsenault likes to say, “Hackers don’t break in—they log in.”

Passwords alone are simply not sufficient protection. Old-fashioned multifactor authentication bolts a second factor onto a password to add a layer of protection, but the most popular of these—telephony—is also the most problematic (see my blog about hanging up on phone transports to understand why telephony is a poor option for multifactor authentication). Even with strong methods, like using Microsoft Authenticator to augment a password, you still have the vulnerability of the password itself. The best password is no password—and you can get there today with Windows Hello, security keys, or, my favorite, Microsoft Authenticator.

Figure 1. Identity protection methods are not made equal; certain protections are far more secure than others (the graphic ranks methods from bad to best).

In 2022, Microsoft committed to the next step of making passwords a thing of the past by joining with the FIDO Alliance and other major platforms in supporting passkeys as a common passwordless sign-in method. Passkeys aim to replace passwords with something that is not only more cryptographically sound but also as easy and intuitive to use as a password. Passwordless technology based on the Fast Identity Online (FIDO) standards, such as Windows Hello, strengthens security by doing the verification on the device rather than passing user credentials through an (often vulnerable) online connection. It also provides a simplified user experience, which can help boost productivity as well.
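To make concrete what "verification on the device" means, here is an added example (written for this page, not Microsoft's or the FIDO Alliance's code) of the challenge-response at the heart of a FIDO-style credential. The relying-party identifier `rpID`, the `Authenticator` and `Credential` types, and the use of Ed25519 are assumptions that simplify WebAuthn: the private key is generated on the device and never leaves it, the server stores only the public key, and every signature covers both a fresh server challenge and the origin the browser reports, which is why a replayed assertion or one requested by a look-alike phishing origin does not verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is a stand-in for the device-side key store (a TPM or secure
// enclave in practice). The private key never leaves it; callers get signatures.
// This is an illustrative simplification of a WebAuthn authenticator, not
// Microsoft's or any vendor's implementation.
type Authenticator struct {
	rpID string // the relying party this credential was registered for (assumed name)
	priv ed25519.PrivateKey
}

// Credential is all the relying party (server) stores after registration:
// the public key, which is useless to a thief on its own.
type Credential struct {
	rpID string
	pub  ed25519.PublicKey
}

// Register creates a key pair bound to rpID and hands the server the public half.
func Register(rpID string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, Credential{rpID: rpID, pub: pub}, nil
}

// signedData binds the server's challenge to the origin being authenticated,
// mirroring how WebAuthn signs over the rpIdHash and the client data.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs the challenge for the origin the browser says it is talking to.
// A phishing page has a different origin, so no credential matches and the
// user cannot be tricked into handing over anything reusable.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, errors.New("no credential registered for this origin")
	}
	return ed25519.Sign(a.priv, signedData(origin, challenge)), nil
}

// NewChallenge is the server side: 32 random bytes, used once, so a captured
// assertion cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks that the assertion was produced by the registered key over
// this exact challenge and this relying party. No secret crossed the wire.
func Verify(cred Credential, challenge, assertion []byte) bool {
	return ed25519.Verify(cred.pub, signedData(cred.rpID, challenge), assertion)
}

func main() {
	auth, cred, err := Register("login.example.com")
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	assertion, _ := auth.Assert("login.example.com", challenge)
	fmt.Println("genuine sign-in verifies:", Verify(cred, challenge, assertion))

	replay, _ := NewChallenge()
	fmt.Println("replayed assertion verifies:", Verify(cred, replay, assertion))

	_, err = auth.Assert("login.example.com.evil.test", challenge)
	fmt.Println("phishing origin gets a signature:", err == nil)
}
```

The three checks in `main` are the properties the paragraph claims: the genuine flow verifies, a captured assertion does not survive a new challenge, and a look-alike origin cannot obtain a signature at all because the credential is scoped to the registered relying party.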

That was the goal when longtime Microsoft collaborator Accenture decided to simplify their user experience by removing the requirement for password authentication. With 738,000 employees spread across 49 countries, the company decided it was in its best interest to make their identity and access management (IAM) automated and easy. Accenture chose the Microsoft Authenticator app, Windows Hello for Business, and FIDO2 security keys as its passwordless authentication solutions. As described in their case study, the results are already being felt: “The adoption of passwordless has led to faster login times, more reliable experience, fewer failed authentications, and improved overall security posture.”[6]

Whether you’re part of a global organization like Accenture or a small startup, the authentication methods policy in Microsoft Azure Active Directory (Azure AD)—now part of Microsoft Entra—allows your IAM team to easily manage passwordless authentication for all users from a single pane of glass. Even better, a recent Forrester Consulting study found that a composite organization based on interviewed customers securing its business apps with Azure AD benefited from a three-year 240 percent ROI (a net present value of USD8.5 million over three years) while reducing the number of password reset requests to its help desk by a significant 75 percent annually.[7]

Multifactor authentication can’t do it all

A 2021 report by the Ponemon Institute found that phishing attacks were costing large United States-based companies an average of USD14.8 million annually.[8] That’s way up from 2015’s figure of USD3.8 million. Microsoft alone blocked 70 billion email and identity attacks in 2022. But on the positive side, multifactor authentication has been shown to reduce the risk of compromise by 99.9 percent for identity attacks.[9] That’s a pretty stellar statistic, but it’s not bulletproof, especially when considering that SMS is 40 percent less effective than stronger authentication methods.[10] Attackers are always learning and improvising, as shown in the rise of multifactor authentication fatigue attacks. In this type of cyberattack:

  1. The threat actor uses compromised credentials (often obtained through a phishing attack) to initiate an access attempt to a user’s account.
  2. The attempt triggers a multifactor authentication push notification to the user’s device, such as “Did you just try to sign in? Yes or no.”
  3. If the targeted person doesn’t accept, the attacker keeps at it—flooding the target with repeated prompts.
  4. The victim becomes so overwhelmed or distracted, they finally click “yes.” Sometimes the attacker will also use social engineering, contacting the target through email, messaging, or phone pretending to be a member of the IT team.

One widely publicized multifactor authentication fatigue attack happened in September 2022, when an 18-year-old hacker used the compromised credentials of a contractor to gain access to a major rideshare company’s internal networks. Once inside, he was able to access tokens for the company’s cloud infrastructure and critical IAM service. Our research was ahead of this type of attack back in 2021 when we built multifactor authentication defenses into the Authenticator app, including number matching and additional context. To learn more, be sure to read my blog post: Defend your users from multifactor authentication fatigue attacks.
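The four-step pattern above leaves a distinctive trace in sign-in telemetry: a burst of push prompts for one account, most of them denied, sometimes ending in an approval. The following is an added example (written for this page, not Microsoft's or any product's detection logic) that runs that check over a constructed sign-in log. The log format, the event names `push_sent`, `push_denied` and `push_approved`, and the thresholds are assumptions; real identity providers export richer records, but the sliding-window logic is the same. The `Approved` flag marks the case that needs an immediate response (revoke sessions, reset the credential) rather than just a ticket, because it means the "finally clicks yes" outcome probably happened.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed test data, not real telemetry.
// Fields: RFC3339 timestamp, user, event (push_sent | push_denied | push_approved).
const sampleLog = `
2023-05-04T09:00:00Z alice push_sent
2023-05-04T09:00:04Z alice push_denied
2023-05-04T09:00:30Z alice push_sent
2023-05-04T09:00:33Z alice push_denied
2023-05-04T09:01:00Z alice push_sent
2023-05-04T09:01:02Z alice push_denied
2023-05-04T09:01:30Z alice push_sent
2023-05-04T09:01:35Z alice push_denied
2023-05-04T09:02:00Z alice push_sent
2023-05-04T09:02:01Z alice push_denied
2023-05-04T09:02:30Z alice push_sent
2023-05-04T09:02:40Z alice push_approved
2023-05-04T09:05:00Z bob push_sent
2023-05-04T09:05:06Z bob push_approved
2023-05-04T08:00:00Z carol push_sent
2023-05-04T08:00:09Z carol push_approved
2023-05-04T10:00:00Z carol push_sent
2023-05-04T10:00:07Z carol push_approved
`

type event struct {
	at   time.Time
	user string
	kind string
}

// Finding describes one account whose prompt volume looks like MFA fatigue.
type Finding struct {
	User     string
	Prompts  int  // prompts in the densest window
	Denials  int  // denials inside that window
	Approved bool // an approval landed inside the burst: treat as probable compromise
}

func parseLog(raw string) ([]event, error) {
	var evs []event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		evs = append(evs, event{at: at, user: f[1], kind: f[2]})
	}
	return evs, sc.Err()
}

// DetectMFAFatigue flags users that received at least minPrompts push prompts
// within any window of the given length, and reports what happened inside
// the densest such window. Results are sorted by user for stable output.
func DetectMFAFatigue(raw string, window time.Duration, minPrompts int) ([]Finding, error) {
	evs, err := parseLog(raw)
	if err != nil {
		return nil, err
	}
	byUser := map[string][]event{}
	for _, e := range evs {
		byUser[e.user] = append(byUser[e.user], e)
	}
	var findings []Finding
	for user, ues := range byUser {
		sort.Slice(ues, func(i, j int) bool { return ues[i].at.Before(ues[j].at) })
		var prompts []time.Time
		for _, e := range ues {
			if e.kind == "push_sent" {
				prompts = append(prompts, e.at)
			}
		}
		// Sliding window: find the start time with the most prompts within `window`.
		best, bestStart := 0, time.Time{}
		for i := range prompts {
			j := i
			for j < len(prompts) && prompts[j].Sub(prompts[i]) <= window {
				j++
			}
			if j-i > best {
				best, bestStart = j-i, prompts[i]
			}
		}
		if best < minPrompts {
			continue
		}
		f := Finding{User: user, Prompts: best}
		end := bestStart.Add(window)
		for _, e := range ues {
			if e.at.Before(bestStart) || e.at.After(end) {
				continue
			}
			switch e.kind {
			case "push_denied":
				f.Denials++
			case "push_approved":
				f.Approved = true
			}
		}
		findings = append(findings, f)
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].User < findings[j].User })
	return findings, nil
}

func main() {
	findings, err := DetectMFAFatigue(sampleLog, 10*time.Minute, 5)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %d prompts, %d denials, approved=%v\n", f.User, f.Prompts, f.Denials, f.Approved)
	}
}
```

On the constructed log only alice is flagged (6 prompts and 5 denials inside a 10-minute window, followed by an approval); bob and carol show the ordinary one-prompt-one-approval shape. Number matching, mentioned in the paragraph above, reduces the approval step's false positives at the source; this detection covers the accounts and clients that are still on simple approve/deny prompts.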

All identity protection rests on Zero Trust

Zero Trust is just another way of describing proactive security, meaning the measures you should take before bad things happen, and it’s based on one simple principle: “Never trust; always verify.” In today’s decentralized, bring-your-own-device (BYOD), hybrid and remote workplace, Zero Trust provides a strong foundation for security based on three pillars:

  • Verify explicitly: Authenticate every user based on all available data points—identity, location, device health, service or workload, data classification, and anomalies.
  • Use least-privilege access: This means limiting access according to the user’s specific role and task. You should also apply risk-based policies and adaptive protection to help secure your data without hindering productivity.
  • Assume breach: This allows your security team to minimize the blast radius and prevent lateral movement if a breach occurs. Maintaining end-to-end encryption and using analytics will also strengthen threat detection and improve your defenses.

And when it comes to “verify explicitly” as part of Zero Trust, no investment in the field of credentials is better than a passwordless journey; it literally moves the goalposts on the attackers.

May the Fourth be with you all!

Security year round

At Microsoft Security, we believe security is about people. Empowering users with strong, streamlined access from anywhere, anytime, on any device is part of that mission. Learn more about Microsoft passwordless authentication and how it can help your organization eliminate vulnerabilities while providing fast, safe access across your entire enterprise.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] World Password Day, National Day Calendar.

[2] Most common passwords: latest 2023 statistics, Paulius Masiliauskas. April 20, 2023.

[3] Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

[4] Over 255m phishing attacks in 2022 so far, Security Magazine. October 26, 2022.

[5] The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

[6] A passwordless enterprise journey, Accenture.

[7] The Total Economic Impact™ of Microsoft Entra, a commissioned study conducted by Forrester Consulting. March 2023.

[8] New Ponemon Institute Study Reveals Average Phishing Costs Soar to $14.8M Annually, Nearly Quadrupling Since 2015, GlobeNewswire. August 17, 2021.

[9] 17 Essential multi-factor authentication (MFA) statistics [2023], Jack Flynn. February 6, 2023.

[10] How effective is multifactor authentication at deterring cyberattacks? Lucas Meyer, et al. May 1, 2023.



Forrester names Microsoft a Leader in 2023 Infrastructure-as-a-Service Platform Native Security report

May 3rd, 2023

As we continue to drive toward making the world safer and more productive for all, it is vital we empower our customers to secure every aspect of their organization. Each day we are seeing more advanced security threats as bad actors develop new tactics that aim to take advantage of businesses as they digitally transform and adopt a multicloud infrastructure. At Microsoft, we understand cloud security is a problem you manage, not a problem you solve, so we are constantly working to use data, intelligence, AI, and automation to provide a comprehensive solution that helps us all respond faster and even stay one step ahead of bad actors and events.

Core to this approach is our ability to help customers do more with the security of Microsoft Azure that’s built-in, embedded, and out of the box, and extending that protection to multicloud infrastructures. We are honored to be recognized as a Leader in The Forrester Wave™: Infrastructure-as-a-Service Platform Native Security (IPNS), Q2 2023 report. The IPNS category compares public clouds and highlights the native security provided to customers on public cloud platforms. This includes capabilities for storage and data security, identity and access management (IAM), network security, and hardware and hypervisor security. In the report, it is great to see Forrester recognize the continued progress we have made, noting “Microsoft provides strong CSPM and CIEM [cloud security posture management and cloud infrastructure entitlement management] capabilities. It has made significant investments in CSPM and CWP [cloud workload protection]. The vendor sports a strong vision for IPNS offerings, and its execution roadmap and market approach are ahead of the competition.”

Graphic of the Forrester Wave results showing Microsoft as a leader in infrastructure-as-a-service platform native security.

Additionally, Microsoft received a top score from Forrester in the current IPNS offering category and had the highest possible score in the data centers, security certifications, roadmap, market approach, innovation, and seven other criteria. The report states, “Microsoft offers strong admin IAM management, above-par CSPM and CIEM capabilities, and broad coverage guest OS [operating system] security. Network security capabilities and multicloud support are ahead of others evaluated as well.”

Microsoft is committed to continual innovation and investment in cloud security. In Azure, our security approach focuses on defense in depth, with layers of protection built throughout all phases of design, development, and deployment of our platforms and technologies.

In a constantly changing world, we work hard to release features that help our customers strengthen their security posture, accelerate protection against modern threats, and reduce risk throughout the cloud application lifecycle. Microsoft Defender for Cloud is a critical component of that strategy. Natively available in Azure, it helps protect multicloud and hybrid environments end-to-end, from development to runtime as a comprehensive cloud-native application protection platform (CNAPP). Our multicloud approach means customers get the protection they expect from Microsoft—not only in Azure—but also by centralizing and unifying their security needs on other public clouds as well.

Customers like VECOZO choose integrated security from Microsoft across Defender for Cloud, network security, and identity to combine their various security layers and functionalities into an easy-to-deploy, easy-to-manage, highly secure environment. Igor van Haren, Lead Architect, VECOZO, said “There’s always security work to be done, but with Azure, we’ve gained improved visibility, removed some of the most tedious work from our administrators’ agendas, and adopted a number of solutions that aid our Zero Trust security approach.” Read more about VECOZO’s experience in their customer story.

Over the last several months we have also announced new feature releases across Defender for Cloud, network security, and other services that continue to build on our vision for a comprehensive, intelligent cloud platform. These include:

Microsoft Defender Cloud Security Posture Management is now generally available to help organizations get an end-to-end view of risks and prioritize remediation across their multicloud environments with contextual cloud security. And now, new integrated data-aware security posture capabilities allow teams to automatically discover their data estate, assess threats to their most critical assets and sensitive data, and proactively prevent breaches along potential attack paths.

Microsoft Defender for Storage now offers sensitive data discovery and malware scanning to address threats to critical storage resources in the cloud. New scanning capabilities prevent infiltration attempts with near real-time detection of metamorphic and polymorphic malware across cloud data.

Microsoft Defender for APIs is in preview. A new offering as part of Defender for Cloud, Defender for APIs helps organizations gain visibility into business-critical Azure APIs, understand their security posture, prioritize vulnerability fixes, and detect and respond to active runtime threats within minutes. For more information on future Defender for Cloud releases, our roadmap showcases a comprehensive list of information about new features.

Microsoft Azure Firewall Basic, a new SKU of Azure Firewall, delivers an enterprise-grade network firewall to small and medium businesses (SMBs) at an affordable price point. You get essential network firewall capabilities, like filtering of east-west and north-south traffic with built-in threat intelligence to block malicious traffic. As a cloud-native service, Azure Firewall is easy to set up, configure, and manage, and requires zero maintenance.

Microsoft Azure DDoS IP Protection, a new SKU of Azure DDoS Protection, is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection. You can defend against the most sophisticated DDoS attacks with always-on monitoring and adaptive threat intelligence that is tuned to your normal traffic volume. Customers have the flexibility to apply protection on individual public IP resources.

These innovations highlight how Microsoft is committed to solving some of the toughest security challenges we all face today. By continually improving the platform, tools, and intelligence our customers need, we can help drive meaningful change in how we protect the world around us.

We invite you to read the full Forrester report here.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.



Microsoft is committed to continual innovation and investment in cloud security. In Azure, our security approach focuses on defense in depth, with layers of protection built throughout all phases of design, development, and deployment of our platforms and technologies.

In a constantly changing world, we work hard to release features that help our customers strengthen their security posture, accelerate protection against modern threats, and reduce risk throughout the cloud application lifecycle. Microsoft Defender for Cloud is a critical component of that strategy. Natively available in Azure, it helps protect multicloud and hybrid environments end-to-end, from development to runtime as a comprehensive cloud-native application protection platform (CNAPP). Our multicloud approach means customers get the protection they expect from Microsoft—not only in Azure—but also by centralizing and unifying their security needs on other public clouds as well.

Customers like VECOZO choose integrated security from Microsoft across Defender for Cloud, network security, and identity to combine their various security layers and functionalities into an easy-to-deploy, easy-to-manage, highly secure environment. Igor van Haren, Lead Architect, VECOZO, said “There’s always security work to be done, but with Azure, we’ve gained improved visibility, removed some of the most tedious work from our administrators’ agendas, and adopted a number of solutions that aid our Zero Trust security approach.” Read more about VECOZO’s experience in their customer story.

Over the last several months we have also announced new feature releases across Defender for Cloud, network security, and other services that continue to build on our vision for a comprehensive, intelligent cloud platform. These include:

Microsoft Defender Cloud Security Posture Management is now generally available to help organizations get an end-to-end view of risks and prioritize remediation across their multicloud environments with contextual cloud security. And now, new integrated data-aware security posture capabilities allow teams to automatically discover their data estate, assess threats to their most critical assets and sensitive data, and proactively prevent breaches along potential attack paths.

Microsoft Defender for Storage now offers sensitive data discovery and malware scanning to address threats to critical storage resources in the cloud. New scanning capabilities prevent infiltration attempts with near real-time detection of metamorphic and polymorphic malware across cloud data.

Microsoft Defender for APIs is in preview. A new offering as part of Defender for Cloud, Defender for APIs helps organizations gain visibility into business-critical Azure APIs, understand their security posture, prioritize vulnerability fixes, and detect and respond to active runtime threats within minutes. For more information on future Defender for Cloud releases, our roadmap showcases a comprehensive list of information about new features.

Microsoft Azure Firewall Basic, a new SKU of Azure Firewall, delivers an enterprise-grade network firewall to small and medium businesses (SMBs) at an affordable price point. You get essential network firewall capabilities, like filtering of east-west and north-south traffic with built-in threat intelligence to block malicious traffic. As a cloud-native service, Azure Firewall is easy to set up, configure, and manage, and requires zero maintenance.

Microsoft Azure DDoS IP Protection, a new SKU of Azure DDoS Protection, is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection. You can defend against the most sophisticated DDoS attacks with always-on monitoring and adaptive threat intelligence that is tuned to your normal traffic volume. Customers have the flexibility to apply protection on individual public IP resources.

These innovations highlight how Microsoft is committed to solving some of the toughest security challenges we all face today. By continually improving the platform, tools, and intelligence our customers need, we can help drive meaningful change in how we protect the world around us.

We invite you to read the full Forrester report here.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Forrester names Microsoft a Leader in 2023 Infrastructure-as-a-Service Platform Native Security report appeared first on Microsoft Security Blog.


Why you should practice rollbacks to prevent data loss in a ransomware attack

April 27th, 2023

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Tanya Janca, Founder and Chief Executive Officer (CEO) of We Hack Purple, who is known as SheHacksPurple and is the best-selling author of Alice and Bob Learn Application Security. The thoughts below reflect Tanya’s views, not the views of Tanya’s employer or Microsoft, and are not legal advice. In this blog post, Tanya talks about how to address ransomware attacks and the importance of security in development.

Brooke: You are known as SheHacksPurple. How did you become interested in hacking?

Tanya: I started coding as a teenager. Both of my aunts and three of my uncles are computer scientists, so learning to code did not seem out of place. I thought, “Every woman codes. Isn’t that the way?”

At college, I studied computer science and then was a software developer until around 2015, when I switched full time to security. I became more obsessed with security and software during my last two years in software development. I wanted to fix the bug and work with the penetration tester. I hustled my security team where I worked and after a year, one of them said, “We are posting a job for a security person and the job is for you. It was never for anyone else.” I joined that team.

I started speaking at conferences because you get in free, and when working for the federal government, they did not have a ton of money to fly me to another country for some cool training as part of a conference. I started getting plane tickets sent from all around the world and I flew everywhere.

Microsoft reached out and said, “We want to hire a developer advocate who understands security,” and I said, “Is this a prank call? Come on, that’s not a real job. You don’t get paid to do my hobby.” And they are like, “Yes, you do.”

Brooke: How valuable are information security certifications or any other certifications?

Tanya: Certifications have value depending on where you are in your career and the types of jobs you are looking for. There are not many application security certifications. There is one from my company, We Hack Purple. It is not widely recognized.

If you want a specific type of job, studying for a certification will teach you a lot. If you are new in your career, it shows evidence that you know something. One of the problems when you get a job in information security is that there is no clear career path and the people hiring you do not have the technical expertise to know what to ask you.

I have no certifications except for the ones from We Hack Purple. I have a college diploma and I took courses from the University of Maryland. The work I got was based on experience and mentors vouching for me. When people ask “Should I get one?” I say that if you have an active GitHub where you find bugs and fix all of them, that is evidence of skill. Sometimes, a certification helps with that, but they are not all created equal, and it costs a lot of money.

Brooke: What can companies do to protect themselves from ransomware attacks?

Tanya: Every IT department, even if you are not afraid of ransomware, should do backups and practice rollbacks. I worked somewhere once, and we had a glitch where 2,000 people lost all their work for the day. We still had copies of everything from the day before on our local machines, but a backup had not been done the night before. The backup team said it would take a month to replace that one day of work. And they said, “We don’t even know if it will work and it will copy over everything you have done in the meantime, so let’s not bother.”

I said to my boss, “We are going to save so much money because clearly we do not need them. They never practice the backup. Think of how many more developers we can hire.” Doing backups is good, but even better is practicing rollbacks so you can roll back in a reasonable amount of time and roll back more than just files. We need to roll back everything.

At We Hack Purple, we back up my machine in a special backup that no one else is in because I’m the CEO and I create most of the content. We also have a backup in the cloud and another physical backup in a different location that we do every week. If ransomware happens, I have everything backed up. There are companies that get hit with ransomware and just think, “Go away” and then they just roll everything back in an hour.

It is important to ensure that your backups are not attached to your network. Everyone has their fancy backup drive still connected to their computer and the ransomware is like “Excellent. I shall now encrypt your backup.”

About 60 percent of small businesses go out of business in the month after a cyberattack.[1] Because we are such a small company, if we lose one of our people, that is a huge enough risk. But imagine we lose all their work. That is even worse.
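
The rehearsal Tanya describes above (take a backup, then actually restore it and check that everything comes back within a reasonable time) as an added example in Python. This is not code from the original post, We Hack Purple, or Microsoft; the sample files, the archive name backup.tar.gz, the manifest file, and the helper names (create_backup, restore, verify, run_drill) are all constructed for illustration.

```python
"""Restore drill for a backup: archive a directory tree with a SHA-256 manifest,
restore it into a scratch location, and verify every file byte-for-byte while
timing the restore.

Added example, not code from the original post or from We Hack Purple or
Microsoft. The sample files and helper names below are constructed."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under `root` (POSIX relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    """The manifest lives next to the archive: backup.tar.gz.manifest.json."""
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of `source` plus a manifest recording what it must contain."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, target: Path) -> float:
    """Extract `archive` into `target`; return the wall-clock seconds it took."""
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12, backported to maintenance releases)
            # rejects absolute paths, ".." traversal and device files in the archive.
            tar.extractall(str(target), filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(str(target))
    return time.monotonic() - start


def verify(archive: Path, target: Path) -> dict:
    """Compare the restored tree against the manifest written at backup time."""
    expected = json.loads(manifest_path(archive).read_text())
    actual = build_manifest(target)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }


def run_drill(simulate_bad_restore: bool = False) -> dict:
    """Full rehearsal on a constructed sample tree: back up, restore, verify, time it.

    With simulate_bad_restore=True one restored file is overwritten before
    verification, standing in for the partial or silently broken restore that
    a drill exists to catch before a real incident does."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source, target, archive = work / "source", work / "restored", work / "backup.tar.gz"
        (source / "docs").mkdir(parents=True)
        # Constructed sample data standing in for a day's work.
        (source / "docs" / "invoice-0421.txt").write_text("Amount due: 1,250.00\n")
        (source / "notes.md").write_text("# Release notes\nRoll back everything, not just files.\n")
        target.mkdir()

        create_backup(source, archive)
        elapsed = restore(archive, target)
        if simulate_bad_restore:
            (target / "notes.md").write_text("truncated")
        report = verify(archive, target)
        report["elapsed_s"] = elapsed
        report["files"] = len(json.loads(manifest_path(archive).read_text()))
        return report


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(simulate_bad_restore=True))
```

To rehearse against a real directory, point create_backup and restore at it and keep the report: elapsed_s is the figure to compare with the recovery time the business can tolerate, and any entry under missing or corrupted means the backup cannot be relied on. Keep the archive and its manifest on media that is not mounted on the machine being backed up, which is the point of Tanya's remark about backup drives left connected.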

Brooke: How can tech leaders limit the frequency and severity of a ransomware attack?

Tanya: Get training for your company on what ransomware looks like and how to defend yourselves. For instance, do not save to your local computer. Save to the cloud like everyone else. You can download local copies to your machine but emphasize what it is like to lose your work and how bad it would be.

I am getting everyone to turn on multifactor authentication because it is extra defense and could block an attack from being successful. I am a huge fan of password managers. At my company, everyone must use a password manager. They make up unique, long, and random passwords that human beings would never guess, and that computers have trouble guessing.

Helping employees protect themselves in their private life gives them even more practice using the password manager.

Brooke: At what part of a development cycle does security come in?

Tanya: We used to bring security in at the end and they would do a penetration test and it would be like shooting fish in a barrel. They would tell you all the things you have done wrong, but because it is close to go-time, they would fix one or two things, put a big bandage on it, and send it out the door.

For a long time, I would give conference talks, write blog articles, and say, “We need to shift security left,” and by left, I mean earlier in the system development lifecycle. It is cheaper, faster, and easier to fix security problems there, whether it be a design flaw or a security bug. But marketing teams got a hold of that and there are all sorts of products that have the word “shift” in the name. What they meant is buy our product, put it in your continuous integration/continuous deployment (CI/CD) pipeline, and all your dreams will come true. The term got co-opted.

Brooke: If you could impact one thing in security, what would it be and why?

Tanya: On a professional level, it would be that more universities and colleges start teaching secure coding. If they are going to work in information security, one of the classes should be about application security. I wrote my book “Alice and Bob Learn Application Security” hoping universities would teach it and they only want to teach it in cybersecurity programs. I am happy about that, but 100 percent of them refused to teach it to the computer science students and I said, “But they are the ones making all the bad code.”

On a personal level, I want information security to be inclusive of everyone. I want all the LGBTQIA people to show up. I want all the women to show up. I want people of every race and religion to show up. I want disabled people to show up. Everyone can contribute effectively, but there must be space for them.

Learn more

If you’re attending the RSA Conference, do not miss Tanya’s sessions: “Adding SAST to CI/CD, without losing any friends” on April 26, 2023, “DevSecOps worst practices” on April 27, 2023, and “Creating a great DevSecOps culture” on April 27, 2023. And to learn more about Microsoft’s DevSecOps and shift left security solutions, visit the DevSecOps tools and DevSecOps services and Microsoft Defender for DevOps pages.


160 Percent of Companies Fail in 6 Months Because of This (It’s Not What You Think), Thomas Koulopoulos. May 11, 2017.

The post Why you should practice rollbacks to prevent data loss in a ransomware attack appeared first on Microsoft Security Blog.
