Archive

Archive for the ‘Zero Trust’ Category

Microsoft and NIST collaborate on EO to drive Zero Trust adoption

August 17th, 2021

2020’s Nobelium attack sent shock waves through both government and private sectors. 2021 has already seen large-scale nation-state attacks such as Hafnium [1] alongside major ransomware attacks [2] on critical infrastructure. The breadth and boldness of these attacks show that, far from being deterred, bad actors are becoming more brazen and sophisticated. To help protect US national security, the White House on May 12, 2021, issued Presidential Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity [3]. This EO mandates “significant investments” to help protect against malicious cyber threats:

“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid…security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”

Executive Order 14028 also states the “private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

Section 3 of the EO required federal agencies to develop a plan to adopt a Zero Trust Architecture. This blog post will discuss how Microsoft is continuing to help with the implementation of Zero Trust to fulfill these directives.

How is Microsoft helping to implement EO 14028?

The National Institute of Standards and Technology (NIST) is one of the agencies chartered with creating the cybersecurity standards and requirements outlined in Executive Order 14028. Microsoft is working with NIST’s National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture Project to develop practical, interoperable approaches to designing and building Zero Trust architectures that align with the tenets and principles documented in NIST SP 800-207, Zero Trust Architecture. The NCCoE public-private partnership applies standards and best practices to develop modular, easily adaptable examples of cybersecurity solutions by using commercially available technology.

Much of the technology required to execute the roadmap is already in place at many agencies—they simply need to activate and fine-tune existing capabilities. To this end, Microsoft has identified five of the most impactful scenarios agencies should build towards EO 14028. These reference architectures are mapped against key NIST requirements for Zero Trust while including other EO priorities, such as endpoint detection and response (EDR), multifactor authentication, and continuous monitoring.

  • Scenario 1: Cloud-ready authentication apps: Many agencies are already on their way toward secure baselines for software as a service (SaaS) using best-practice approaches around ID configuration for Office 365, implementing strong multifactor authentication, and enforcing requirements with Conditional Access policies. This work can be easily extended to other SaaS applications and custom claims-based applications.
  • Scenario 2: Web apps with legacy authentication: For applications that can’t be easily rewritten for modern authentication, agencies can use the Azure Active Directory (Azure AD) Application Proxy. This architecture builds on the Azure AD foundation to extend Zero Trust to legacy systems. Application Proxy also provides outbound-only connectivity and much more restrictive access than a VPN solution.
  • Scenario 3: Remote server administration: Simplify secure remote administration by layering with a strongly authenticated administrator account and privileged-access workstation. This reduces the attack surface area, preventing unsanctioned server-to-server management by requiring multifactor authentication and allow-listed admin devices for server administration via Azure AD Conditional Access. The result is a high level of assurance for multi-cloud and hybrid server administration.
  • Scenario 4: Segment cloud administration: This design pattern allows agencies to administer Microsoft and non-Microsoft workloads from isolated, dedicated, and segmented administrator accounts. Once this pattern is implemented, auditing controls should also be introduced to ensure that privilege segmentation remains in effect.
  • Scenario 5: Network micro-segmentation: Agencies must establish multiple levels of segmentation to achieve both secure control and data planes. Azure native capabilities allow agencies to apply a consistent micro-segmentation strategy to protect against threats, implement defense in-depth, and achieve policy-enforced continuous monitoring at a granular level.

What is Zero Trust’s role in EO 14028?

Vasu Jakkal, Microsoft’s Corporate Vice President of Security, Compliance, and Identity, recently outlined The critical role of Zero Trust in securing our world. In her blog post, she mentions Section 3 of EO 14028 calling for “decisive steps” for the federal government “to modernize its approach to cybersecurity” by accelerating the move to secure cloud services and Zero Trust implementation—including a mandate of multifactor authentication and end-to-end encryption of data.

Section 3(b)(ii) of EO 14028 outlines that agencies should “develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.”

Microsoft applauds this recognition of the Zero Trust strategy as a cybersecurity best practice, as well as the White House encouragement of the private sector to take “ambitious measures” in the same direction as the EO guidelines.

What can we expect from NCCoE?

“The telework tidal wave and increasing cybersecurity breaches and ransomware attacks have made implementing a Zero Trust architecture a federal mandate and a business imperative. We look forward to working with our project collaborators, such as Microsoft, to deliver timely, informed technical ‘how-to’ guidance and example implementations of Zero Trust architectures to assist federal agencies and other industry sectors with their Zero Trust journeys.”—Kevin Stine, Chief of the Applied Cybersecurity Division in the National Institute of Standards and Technology’s Information Technology Laboratory (ITL)

The proposed example solutions will integrate commercial and open-source products to showcase the robust security features of Zero Trust architecture when applied to common enterprise IT use cases.* The goal of this NCCoE project is to build several examples of a Zero Trust architecture—applied to a conventional, general-purpose enterprise IT infrastructure—that are designed and deployed using commercially available technology, and that are aligned with the concepts and tenets documented in NIST SP 800-207, Zero Trust Architecture.

The example solutions will be shared publicly in a NIST Special Publication (SP) 1800 series document. Each SP 1800 series publication generally serves as a “how-to” guide to implement and apply standards-based cybersecurity technologies in the real world. The guides are designed to help organizations gain efficiencies in implementing cybersecurity technologies while saving them research and proof-of-concept costs.

This SP 1800 series of publications will provide:

  • Detailed example solutions and capabilities.
  • Demonstrated how-to approaches using multiple products to achieve the same end result.
  • Modular guidance on the implementation of capabilities to organizations of all sizes.
  • All necessary components, along with installation, configuration, and integration information, so organizations can easily replicate solutions.

Additional resources

As part of our continuing support for federal agencies, Microsoft’s Chief Technology Officer, Jason Payne, has outlined recommended next steps for federal agencies. We also provide a downloadable PDF of key Zero Trust Scenario Architectures mapped to NIST standards, as well as a downloadable PDF Zero Trust Rapid Modernization Plan. These resources provide concrete steps to help agencies meet aggressive EO timelines, as well as improve their baseline cybersecurity posture. For a quick overview of the NCCoE Zero Trust architecture project, organizations can download the Implementing a Zero Trust Architecture Project Factsheet.

Other Microsoft resources include:

  • Downloadable Zero Trust Maturity Model: details how Microsoft defines Zero Trust and breaks down solutions across identities, endpoints, applications, networks, infrastructure, and data.
  • Zero Trust Assessment tool: helps evaluate your organization’s progress in the Zero Trust journey and offers suggestions for next steps.
  • Zero Trust Guidance Center: offers step-by-step guidance on implementing Zero Trust principles, as well as technical guidance on deployment, integration, and development.

Watch for ongoing updates from Microsoft on EO 14028. Follow @NIST and @NISTCyber on Twitter and LinkedIn.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


[1] New nation-state cyberattacks, Tom Burt, Microsoft Security, 2 March 2021.

[2] Turning Up The Heat: A Ransomware Attack on Critical Infrastructure Is a Nightmare Scenario, Richard Tracy, Forbes Technology Council, Forbes, 20 July 2021.

[3] President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, The White House, 12 May 2021.

*NIST does not evaluate commercial products under this consortium and does not endorse any product or service used. Additional information on this consortium can be found here.

The post Microsoft and NIST collaborate on EO to drive Zero Trust adoption appeared first on Microsoft Security Blog.

Categories: cybersecurity, Zero Trust

Zero Trust Adoption Report: How does your organization compare?

July 28th, 2021

From the wide adoption of cloud-based services to the proliferation of mobile devices, and from the emergence of advanced new cyberthreats to the recent sudden shift to remote work, the last decade has been full of disruptions that have required organizations to adapt and accelerate their security transformation. And as we look forward to the next major disruption—the move to hybrid work—one thing is clear: the pace of change isn’t slowing down.

In the face of this rapid change, Zero Trust has risen as a guiding cybersecurity strategy for organizations around the globe. A Zero Trust security model assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual real-time policy enforcement to achieve least privileged access and minimize risks. Automation and machine learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.

Early adopters are seeing the benefits—organizations operating with a Zero Trust mindset across their environments are more resilient, responsive, and protected than those with traditional perimeter-based security models.

Zero Trust adoption is accelerating

Today, we are publishing our Zero Trust Adoption Report 2021. In this report, we surveyed or interviewed more than 1,200 security decision-makers over a 12-month timeframe about their Zero Trust adoption journey. Highlights from our research include:


  1. Zero Trust is now the top security priority. 96 percent of security decision-makers state that Zero Trust is critical to their organization’s success. Now that it’s been proven, the future of security firmly includes an emphasis on Zero Trust. When asked for their top reasons for adopting Zero Trust, organizations cite increased security and compliance agility, speed of threat detection and remediation, and simplicity and availability of security analytics.
  2. Familiarity and adoption are growing rapidly. 90 percent of the security decision-makers we surveyed are familiar with Zero Trust and 76 percent are in the process of implementation—an increase from the last year of 20 percent and 6 percent, respectively.
  3. Hybrid work is driving adoption. The shift to hybrid work, accelerated by COVID-19, is also driving the move towards broader adoption of Zero Trust with 81 percent of organizations having already begun the move toward a hybrid workplace. Zero Trust will be critical to help maintain security amid the IT complexity that comes with hybrid work.
  4. More than half believe they’re ahead of their peers. 52 percent say that they are ahead of where they planned to be in their Zero Trust adoption, and 57 percent believe they are ahead of other organizations. It’s clear that the last 18 months have had a significant impact on adoption and organizations are getting more confident and efficient in their efforts.
  5. Zero Trust will remain a top priority with additional budget expected. More than half of respondents expect the relative importance of their Zero Trust strategy to increase by 2023. And not surprisingly, 73 percent expect their Zero Trust budget to increase. As organizations realize the additional benefits of Zero Trust and leaders continue to pull ahead, we expect to see an increase in these numbers.

This report showcases the Zero Trust adoption progress for organizations across diverse markets and industries. We hope that this research can help you accelerate your own Zero Trust adoption strategy, uncover the collective progress and prioritizations of your peers, and gain insights into the future state of this rapidly evolving space.

Read the full Microsoft Zero Trust Adoption Report for full details.

Additional resources

For an in-depth look at our latest updates that will help accelerate your Zero Trust journey, check out Vasu Jakkal’s blog, How to secure your hybrid work world with a Zero Trust approach, from earlier this month.

For technical guidance, visit our Zero Trust Guidance Center, a repository of information that provides specific guidance on implementing Zero Trust principles across identities, endpoints, data, applications, networks, and infrastructure.

Check out the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust implementation journey and offer action items to help reach key milestones.

For more information about Microsoft Zero Trust, please visit our website, and check out our deployment guides for step-by-step technical guidance.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust Adoption Report: How does your organization compare? appeared first on Microsoft Security Blog.

Categories: cybersecurity, Zero Trust

How Microsoft Security empowers partners to build customer trust

July 14th, 2021

As I reflect on my first year at Microsoft, it was both challenging and exceptional: from my remote onboarding in the middle of a pandemic to dramatic changes in the cyber landscape, to Microsoft’s critical role as a frontline responder in some of the most sophisticated cyberattacks in history and leading the security industry.

Our world is changing, and Microsoft Security is rising to the challenges of a new normal. I am thrilled and humbled by the milestones we achieved this past year. We surpassed $10 billion in security business revenue, representing more than 40 percent year-over-year growth, and were recognized as a leader in five Gartner Magic Quadrants and seven Forrester Waves. This not only demonstrates our commitment to providing best-in-class security solutions but also underscores the trust our customers have placed in Microsoft and our partners.

We believe in times of uncertainty, customer trust is more important than ever. Today, I want to share more about how we are empowering our partners to be successful in building trust with customers and enabling business growth.

Significant partner opportunity expansion

Our partner community plays an essential role in our own growth strategy, and we are dedicated to empowering your success. Recently, we commissioned Forrester Consulting to investigate the partner opportunity around Microsoft Security and found that for 2021, partners reported up to 130 percent increase in business year-over-year (YoY) when selling Microsoft Security solutions. We believe the significant growth in partner revenue opportunity speaks to the comprehensive Microsoft Security portfolio and what it can do to transform your business and help secure your customers. Learn more in the Forrester Total Economic Impact study.

In addition to product portfolio investments, we continue to make investments to help partners better capture new revenue streams. We have heard from our partners about the challenges in managing customers’ environments as the number of customers increases. Today, we are excited to announce Microsoft 365 Lighthouse Preview. Microsoft 365 Lighthouse is currently available as a public preview and provides managed service providers with one central location and standard security configuration templates to secure devices, data, and users for small and medium business customers using Microsoft Business Premium. Specifically, Microsoft 365 Lighthouse empowers partners to quickly identify and act on threats, anomalous sign-in, and device compliance alerts. Reducing management complexity as our partners scale and driving standardization across customers will allow partners to proactively manage risks and improve the security posture for the customers. Learn more about Microsoft 365 Lighthouse in today’s blog post and on the Microsoft 365 Lighthouse website.

Additionally, this year, we are making an unprecedented 400 percent increase in our partner program funding to help you succeed, including expansion of the Microsoft Intelligent Security Association (MISA) and more skilling resources such as security workshops, practice playbooks, and a new advanced specialization for security.

Zero Trust principles help to shape the journey

We believe Zero Trust is the cornerstone of effective security. The key principles behind a Zero Trust framework—verify explicitly, grant least privileged access, and assume breach—are relevant to every organization, even if your customers use a different framework for their security strategy. Partners who help their customers embrace Zero Trust can count on Microsoft to deliver solutions across six pillars: identity, endpoints, data, applications, network, and infrastructure.

Identity and endpoints

Identity and endpoints are the foundation for building a strong security posture and partners can play a critical role in helping customers ensure identities are verified and endpoints are healthy and protected before granting further access.

  • We are excited to extend the scope of protection of Microsoft Azure Active Directory B2C (Azure AD B2C) to include fraudulent activities by integrating Dynamics 365 Fraud Protection with Azure AD B2C. By combining the power of Azure AD Identity Protection and Dynamics Fraud Protection’s account protection capabilities, customers can help protect end customers from account abuse, thus protecting their own business. Read the blog Fraud trends part 4: balancing identity authentication with user experience to learn more.
  • The pandemic and growth in hybrid work means that an increasingly diverse portfolio of devices is in use by employees. We continue to expand Microsoft Defender for Endpoint’s unique capabilities to additional platforms to strengthen customers’ abilities to monitor and improve their security posture.
    • Recently, we announced that threat and vulnerability management capabilities are now generally available for Linux operating systems, in addition to existing support for macOS and Windows. Read the announcement.
    • We also made Microsoft Tunnel VPN support on Android devices generally available, enabling organizations to deliver both mobile threat defense and access to on-premises resources within a unified experience in a single security app. Read the announcement.

Data and applications

Data is one of the most important assets of any organization, and applications shape the way people interact with data. Partners can help customers govern application access based on users and the devices they are on as well as protect sensitive data both in transit and at rest.

  • The growing number of cloud apps makes it challenging to gain deeper insights across all apps. To help solve this problem, we have built the app governance add-on feature to Microsoft Cloud App Security, now available as a public preview today. App governance can be used to monitor, protect, and govern Microsoft 365 apps and quickly identify, alert, and prevent risky app behaviors. Learn more in the recent app governance blog post.
  • A comprehensive security approach is not just about defending against external attacks but also about addressing insider risks. Previously, we introduced the capability to identify risk activities for users with critical positions. Today, we are extending the priority user group capability in Insider Risk Management to include fine-grained role-based access control (RBAC), now available as a public preview. It adds permissions to priority user groups to further limit alerts and cases to specific individuals instead of the whole group. Learn more in today’s insider risk blog post.
  • Compliance Manager simplifies compliance and helps reduce risks by enabling organizations to assess, monitor, and improve their compliance posture for their Microsoft 365 data. Today, we are releasing universal regulatory assessment templates for non-Microsoft clouds, such as Salesforce and SAP, in Compliance Manager. There are more than 300 templates available now for managing customers’ compliance posture across different clouds and apps. Learn more in today’s Compliance Manager blog post.

Network and infrastructure

Within network and infrastructure, cloud security is the number one planned priority for investment for chief information security officers (CISOs) in the next 12 months. Earlier this week we announced the intention to acquire RiskIQ, a leader in global threat intelligence and attack surface management, to further accelerate cloud security. RiskIQ helps customers discover and assess the security of their entire enterprise attack surface—in Microsoft Cloud, AWS and other clouds, on-premises, and from their supply chain. Learn more from our announcement blog.

Earlier this year, we announced the general availability of multi-cloud support for both Azure Security Center and Azure Defender, further enabling partners to support customers’ multi-cloud digital transformation strategy and simplify the tools needed to manage multi-cloud. Azure Security Center and Azure Defender enable partners to strengthen a customer’s cloud security posture and provide extended detection and response across their hybrid cloud workloads. Read the blog Protecting multi-cloud environments with Azure Security Center to learn more.

Holistic protection

With the acceleration of digital transformation and the increase in volume and sophistication of threats, customers are increasingly looking for better solutions to protect themselves and their ecosystem. Microsoft is the only security company to deliver both cloud-native SIEM (Azure Sentinel) and integrated XDR (Microsoft Defender). Our partners around the world have responded by building managed detection and response offerings using these tools. Only SIEM and XDR together deliver true end-to-end visibility with clear prioritization. Earlier this year, we went further with incident sharing between our SIEM and XDR to deliver a significant productivity benefit over legacy tools. At RSA Conference 2021, we introduced new customizable anomaly rules based on machine learning for Azure Sentinel and more third-party connectors to take us to over 150 new connectors this year alone. We also announced the public preview of Azure Sentinel solutions, including an SAP threat monitoring solution. The release of solutions makes it easier than ever for customers to immediately benefit from integrations with our technology partners and provides discoverability through the new solutions blade in the Azure Sentinel interface. Learn more about how partners can leverage Azure Sentinel solutions in today’s blog post.

Closing the security skills gap

Customers rely on partners’ security expertise and skills to secure their digital transformation. With the increasing security demand from customers, the shortfall in security professionals means partners’ ability to develop and retain talent will become a competitive advantage. We strive to ensure partners have the skilling and training resources needed to be successful. I hope you had a chance to explore the four new security, compliance, and identity certifications we announced in May 2021. In addition, I would also like to encourage you to explore the Microsoft Security Technical Content Library, a one-stop-shop offering Microsoft Security learning paths, interactive guides, and video resources to build and grow your skills. Use it to access content that best suits your needs today.

Enabling digital sovereignty

Data is the lifeblood of any organization, and it is growing exponentially as more organizations take a cloud-first posture. Our customers are now challenged to properly contextualize their data and make the best use of it. We want to empower our partners to help customers build sovereignty over their data to further enhance customer trust. At Microsoft, we are committed to building solutions that help customers to extract maximum insights so their data can be their competitive advantage.

Our mission, together

We often say that security is a team sport, and Microsoft has never been more committed to working with our partners to protect customers and create a more secure world for all.

I am grateful to be on this journey with you, our partner community, and I am inspired by the work you do every day. Through this mission, we have the power to shape the world in positive and profound ways, with customer trust at the heart of everything we do.

Together, we can build technologies that enable a more inclusive, equitable, and sustainable world. I encourage you to tune in to our Inspire 2021 sessions to learn more about partner opportunities and how we can collectively create a safer and better future for all. Learn more from our Microsoft Partner blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How Microsoft Security empowers partners to build customer trust appeared first on Microsoft Security Blog.

Categories: cybersecurity, Zero Trust

The critical role of Zero Trust in securing our world

June 30th, 2021

We are operating in the most complex cybersecurity landscape that we’ve ever seen. While our current ability to detect and respond to attacks has matured incredibly quickly in recent years, bad actors haven’t been standing still. Large-scale attacks like those pursued by Nobelium [1] and Hafnium, alongside ransomware attacks on critical infrastructure, indicate that attackers have become increasingly sophisticated and coordinated. It is abundantly clear that the work of cybersecurity and IT departments is critical to our national and global security.

Microsoft has a unique level of access to data on cyber threats and attacks globally, and we are committed to sharing this information and insights for the greater good. As illustrated by recent attacks, we collaborate across the public and private sectors, as well as with our industry peers and partners, to create a stronger, more intelligent cybersecurity community for the protection of all.

This collaborative relationship includes the United States government, and we celebrate the fast-approaching milestones of the US Cybersecurity Executive Order [2] (EO). The EO specifies concrete actions to strengthen national cybersecurity and address increasingly sophisticated threats across federal agencies and the entire digital ecosystem. This order directs agencies and their suppliers to improve capabilities and coordination on information sharing, incident detection, incident response, software supply chain security, and IT modernization, which we support wholeheartedly.

With these national actions set in motion and a call for all businesses to enhance cybersecurity postures, Microsoft and our extensive partner ecosystem stand ready to help protect our world. The modern framework for protecting critical infrastructure, minimizing future incidents, and creating a safer world already exists: Zero Trust. We have helped many public and private organizations to establish and implement a Zero Trust approach, especially in the wake of the remote and hybrid work tidal wave of 2020-2021. And Microsoft remains committed to delivering comprehensive, integrated security solutions at scale and supporting customers on every step of their security journey, including detailed guidance for Zero Trust deployment.

Zero Trust’s critical role in helping secure our world

The evidence is clear—the old security paradigm of building an impenetrable fortress around your resources and data is simply not viable against today’s challenges. Remote and hybrid work realities mean people move fluidly between work and personal lives, across multiple devices, and with increased collaboration both inside and outside of organizational boundaries. Entry points for attacks—identities, devices, apps, networks, infrastructure, and data—live outside the protections of traditional perimeters. The modern digital estate is distributed, diverse, and complex.

This new reality requires a Zero Trust approach.

Section 3 of the EO calls for “decisive steps” for the federal government “to modernize its approach to cybersecurity” by accelerating the move to secure cloud services and Zero Trust implementation, including a mandate of multifactor authentication and end-to-end encryption of data. We applaud this recognition of the Zero Trust strategy as a cybersecurity best practice, as well as the White House encouragement of the private sector to take “ambitious measures” in the same direction as the EO guidelines.

Per Section 3, federal standards and guidance for Zero Trust are developed by the National Institute of Standards and Technology (NIST) of the US Department of Commerce, similar to other industry and scientific innovation measurements. NIST has defined Zero Trust in terms of several basic tenets:

  • All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  • Trust in the requester is evaluated before access is granted. Access should also be granted with the least privileges needed to complete the task.
  • Assets should always act as if an attacker is present on the enterprise network.

At Microsoft, we have distilled these Zero Trust tenets into three principles: verify explicitly, use least privileged access, and assume breach. We use these principles for our strategic guidance to customers, software development, and global security posture.

Microsoft Security's three Zero Trust principles: verify explicitly, use least privileged access, and assume breach.

Organizations that operate with a Zero Trust mentality are more resilient, consistent, and responsive to new attacks. A true end-to-end Zero Trust strategy not only makes it harder for attackers to get into the network but also minimizes potential blast radius by preventing lateral movement.

While preventing bad actors from gaining access is critical, it’s only part of the Zero Trust equation. Being able to detect a sophisticated actor inside your environment is key to minimizing the impact of a breach. Sophisticated threat intelligence and analytics are critical for a rapid assessment of an attacker’s behavior, eviction, and remediation.

Resources for strengthening national security in the public and private sectors

We believe President Biden’s EO is a timely call-to-action, not only for government agencies but as a model for all businesses looking to become resilient in the face of cyber threats. The heightened focus on incident response, data handling, collaboration, and implementation of Zero Trust should be a call-to-action for every organization—public and private—in the mission to better secure our global supply chain, infrastructure resources, information, and progress towards a better future.

Microsoft is committed to supporting federal agencies in answering the nation’s call to strengthen inter- and intra-agency capabilities and unlock the government’s full cyber capabilities. My colleague Jason Payne, Chief Technology Officer of Microsoft Federal, has outlined recommended next steps for federal agencies. As part of this responsibility, we have provided federal agencies with key Zero Trust Scenario Architectures mapped to NIST standards, as well as a Zero Trust Rapid Modernization Plan.

Microsoft is also committed to supporting customers in staying up to date with the latest security trends and developing the next generation of security professionals. We have developed a set of skilling resources to train teams on the capabilities identified in the EO and be ready to build a more secure, agile environment that supports every mission.

In addition to EO resources for federal government agencies, we are continuing to publish guidance, share learnings, develop resources, and invest in new capabilities to help organizations accelerate their Zero Trust adoption and meet their cybersecurity requirements.

Here are our top recommended Zero Trust resources:

  • For details on how Microsoft defines Zero Trust and breaks down solutions across identities, endpoints, apps, networks, infrastructure, and data, download the Zero Trust Maturity Model.
  • To assess your organization’s progress in the Zero Trust journey and receive suggestions for technical next steps, use our Zero Trust Assessment tool.
  • For technical guidance on deployment, integration, and development, visit our Zero Trust Guidance Center for step-by-step guidance on implementing Zero Trust principles.
  • If you’d like to learn from our own Zero Trust deployment journey at Microsoft, our Chief Information Security Officer Bret Arsenault and team share their stories at Microsoft Digital Inside Track.

Tackling sophisticated cyber threats together

The EO is an opportunity for all organizations to improve cybersecurity postures and act rapidly to implement Zero Trust, including multifactor authentication and end-to-end encryption. The White House has provided clear direction on what is required, and the Zero Trust framework can also be used as a model for private sector businesses, state and local governments, and organizations around the world.

We can only win as a team against these malicious attackers and significant challenges. Every step your organization takes in advancing a Zero Trust architecture not only secures your assets but also contributes to a safer world for all. We applaud organizations of every size for embracing Zero Trust, and we stand committed to partnering with you all on this journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1. Nobelium Resource Center, Microsoft Security Response Center, 04 March 2021.

2. President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, The White House, 12 May 2021.


Resources for accelerating your Zero Trust journey

May 24th, 2021

For many organizations, 2020 was the year that finally saw remote work become a reality on a global scale. As many people begin transitioning back to the office, many organizations are thinking about how they can transition from a remote workforce to a more permanent hybrid workplace. We recently conducted a study with over 900 chief information security officers (CISOs) on the state of Zero Trust and found that 81 percent say their organization has started or currently has a hybrid work environment in place and that 91 percent plan for their organization to be fully transitioned to hybrid work within the next five years. The era of hybrid work is here to stay. Learn more about our perspective and security efforts in Vasu Jakkal’s blog, Securing a new world of hybrid work: What to know and what to do, posted earlier this month.

However, as recent events have shown us, the cybersecurity landscape continues to evolve. Bad actors are getting more sophisticated and the need for a stronger security model has never been more important. Zero Trust is no longer an option, it’s now imperative for organizations that want to protect themselves while providing employees the flexibility they need to be productive.

Accelerating your hybrid work readiness with Zero Trust

Implementing a Zero Trust model means transitioning from implicit trust—where everything inside a corporate network is assumed to be safe—to a model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signal and data. A contextual, real-time policy helps enforce least-privileged access principles and minimize risks. Zero Trust not only strengthens security but also enables the transformation needed to embrace hybrid work.

Screenshot of Microsoft's Zero Trust Maturity model whitepaper

I often hear from customers that implementing a Zero Trust security framework can be daunting and that they’re looking for help in creating a roadmap with the right prioritized milestones to maximize investments and positively impact their users. In this post, I’d like to provide an overview of the resources available to help accelerate your Zero Trust readiness and provide actionable guidance.

If you haven’t already, I suggest starting with our Zero Trust Maturity Model whitepaper, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper provides a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements.

My colleague, Mark Simos, also posted a blog, Zero Trust Strategy—what good looks like, based on his experience helping customers transform their security strategies that expands on many of the concepts in the maturity model.

Assess your Zero Trust maturity and plan the next steps in your journey with the updated assessment tool

We created the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust implementation journey and provide to-dos and deployment guidance to help reach key milestones. This month, we released an updated version that provides more targeted guidance and a curated list of resources to help you better prioritize milestones based on your current progress. Now, when a gap is identified in your Zero Trust readiness, you’ll see which specific capabilities you need, the Microsoft products and services that can provide those and step-by-step guidance on implementation.

Screenshot: the Zero Trust Assessment tool gives you specific instructions for next steps in your Zero Trust adoption.

Get up to speed on the essentials of Zero Trust

This month, we’re kicking off our new Microsoft Mechanics video series focused on Zero Trust. In this series, Jeremy Chapman, Director of Microsoft 365, provides a breakdown of how you can adopt a Zero Trust approach across the six layers of defense—identities, endpoints, apps, networks, infrastructure, and data. This series will share tips and provide hands-on demonstrations of the tools for implementing the Zero Trust security model.

Our first two videos are out now:

Screen grab: Microsoft Mechanics video series featuring Jeremy Chapman, Director of Microsoft 365. Watch the series, starting with Microsoft Mechanics Zero Trust Essentials.

Other resources

Here are some of the other resources we’ve put together as a result of our efforts helping customers, managing our own Zero Trust deployment, and listening to all of you:

  • For an in-depth look at our latest updates that will help accelerate your Zero Trust journey, check out Vasu Jakkal’s blog, How to secure your hybrid work world with a Zero Trust approach, from earlier this month.
  • For technical guidance, visit our Zero Trust Resource Center, a repository of information that provides specific guidance on implementing Zero Trust principles across your identities, endpoints, data, applications, networks, and infrastructure.
  • If you’d like to learn from our own Zero Trust deployment journey at Microsoft, our CISO Bret Arsenault and team share their stories at Microsoft Digital Inside Track.
  • To hear from leaders who sponsored, guided, and oversaw the adoption of Zero Trust within organizations, check out the Zero Trust Business Plan.
  • Learn how to get buy-in for Zero Trust in a recent webcast with Microsoft Corporate Vice President, Microsoft Identity, Alex Simons.
  • If you’re into podcasts, please check out Episode 3 of the Strengthen and Streamline Your Security podcast to hear discussion on the steps leading organizations are taking and get recommendations to reduce your risk and enable employee productivity.
  • Lastly, Examining Zero Trust is an executive roundtable discussion with 10 security leaders sharing their own experiences and real-life examples of adopting the fundamentals of Zero Trust.

Learn more

For more information about Microsoft Zero Trust, please visit our website and keep up-to-date with product announcements, technical guidance, planning resources, and more in our Zero Trust blogs.


How to secure your hybrid work world with a Zero Trust approach

May 12th, 2021

We are operating in the most complex cybersecurity landscape we’ve ever seen. Sophisticated and determined attackers are the norm. And we all are preparing for the next great disruption—hybrid work.

Security has never been more important, and as I shared in another Security blog today, it’s clearer than ever that a Zero Trust approach, which basically means you have to assume breach, will be critical to success. We’ve been listening and working closely with our customers around the world and rapidly innovating to help you to secure and protect your organizations. Today, I’d like to share some of our latest updates across security, compliance, identity, and management in response to that feedback to help you in your Zero Trust journey.

Strengthening your Zero Trust approach across your environment

The hybrid work environment, with some users working remotely and others in group office settings, introduces more digital attack surfaces, complexity, and risk as perimeters are now increasingly fluid. As such, a Zero Trust strategy will be top of mind for many organizations because its principles—verify explicitly, grant least privileged access, and assume breach—help maintain security amid the IT complexity that comes with hybrid work.

Verify explicitly

One of the most important first steps in a Zero Trust journey is to establish strong authentication. As Bret Arsenault, Microsoft’s CISO, would say, “Hackers don’t break in. They log in.” Regardless of length or complexity, passwords alone won’t protect your account in the majority of attacks. Monitoring logins for suspicious activity and limiting or blocking access until additional proof of identity is presented drastically reduces the chances of a breach. Modern multifactor authentication (MFA) doesn’t have to be complicated for the user. We recently announced passwordless authentication and Temporary Access Pass in Azure Active Directory (Azure AD), our cloud identity solution, to help customers strengthen their access controls and simplify the user experience.

Verifying explicitly requires the ability to make real-time access decisions based on all available information for any user trying to access any resource. For us, Azure AD Conditional Access is this real-time access policy engine: it looks at all the data and signals related to the user gaining access. Today we’re announcing powerful new features that give admins more granular access controls while making it easier to manage a growing list of policies. GPS-based named locations and filters for devices enable a new set of scenarios, such as restricting access from specific countries or regions based on GPS location and securing the use of devices from Surface Hubs to privileged access workstations.

Additionally, to empower security for all, you need to be able to verify explicitly for all. We are expanding granular adaptive access controls to all users with the general availability of Azure AD Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. And we’ve made it easier to manage all your new policies with new search, sort, and filter capabilities, as well as enhanced audit logs to track recent policy changes. You can learn more on the Azure Active Directory Identity blog.

We also believe that for comprehensive protection through Zero Trust, we need to have end-to-end integration across device management and identity. New today, we are announcing the preview of filters for devices in Microsoft Endpoint Manager. These unique integrated capabilities between Microsoft Endpoint Manager (which brings together Configuration Manager and Intune) and Azure AD Conditional Access create even more granular controls. With device filters, administrators can target policies and applications to users on specific devices. For example, you can assign a filter so that a policy restriction is only applied to Surface Pro devices. You can learn more in today’s Tech Community blog.

Healthy devices and unified device management across platforms continue to be anchors of Zero Trust. To help protect data from potential leakage on mobile devices, we are introducing new conditional launch settings with App Protection Policies in Microsoft Endpoint Manager. These controls can block access or wipe data based on conditions such as a maximum OS version or a jailbroken or rooted device, or can require Android devices to pass SafetyNet attestation.

In addition, we are making it easier for you to manage your devices, regardless of the operating system. First, you can configure Android Enterprise-enrolled devices with Azure AD shared device mode in Microsoft Endpoint Manager. This new capability is now generally available and provides a simplified and more secure experience on devices shared across multiple users. With single sign-in, single sign-out, and data clearing across applications, shared device mode increases privacy between users and reduces the number of steps a frontline worker needs to take to access their work apps.

Then, to make it easier to manage and secure your Apple devices, we recently released a Microsoft Endpoint Manager preview of the Setup Assistant for iOS, iPadOS, and macOS automated device enrollment. Based on customer feedback, you can now allow users to start using their iPadOS device immediately after enrollment without waiting for the Company Portal to install on a locked-down device. You can also configure a Conditional Access policy to require multifactor authentication either during enrollment in the Setup Assistant or upon authentication in the Company Portal. Learn more about the administrator and user experiences for shared devices and the Setup Assistant in this Tech Community blog.

Finally, we continue to invest in BitLocker, which helps you to protect data at rest. BitLocker now has several enhancements, such as comprehensive modern management with Microsoft Endpoint Manager, role-based access controls for BitLocker recovery passwords, recovery password search, and recovery password auditing. Check out our BitLocker series that explains how to manage BitLocker in Microsoft Endpoint Manager, such as enabling silent encryption.

Grant least privileged access

As we have entered new hybrid work environments, businesses need to think about how they will proactively protect their organizations from the influx of new or “bring your own” (BYO) connected devices, and even from new apps that have helped people work in new ways. This new normal has exposed the most challenging cybersecurity landscape we’ve ever encountered, and least privileged access ensures that only what must be shared is shared.

To help, we recently added the ability to discover and secure unmanaged endpoints and network devices to Microsoft Defender for Endpoint. Once network devices are discovered, security administrators will receive the latest security recommendations and vulnerabilities for them. Discovered endpoints (such as workstations, servers, and mobile devices) can be onboarded to Microsoft Defender for Endpoint, enabling all of its protection capabilities. You can learn more in the Microsoft Security blog, Secure unmanaged devices with Microsoft Defender for Endpoint now.

The early detection of vulnerabilities and misconfigurations is critical to an organization’s overall security posture and to preventing those weaknesses from being exploited. With our commitment to supporting multiple platforms, the threat and vulnerability management capabilities in Microsoft Defender for Endpoint now also support Linux, giving organizations the ability to view discovered vulnerabilities, assess the latest security recommendations, and issue remediation tasks for Linux devices. With the addition of Linux, threat and vulnerability management now covers all major platforms, including Windows and macOS.

Assume breach

Comprehensive security that is multi-platform and multi-cloud, with simplification front and center, is going to be important for the “assume breach” approach. With that in mind, today we are announcing the general availability of the converged portal for Microsoft 365 Defender, which unifies and simplifies XDR capabilities for endpoints, email, and collaboration. For Azure Sentinel, we are announcing solutions, a simplified means to deploy connectors, detections, playbooks, and workloads for both first- and third-party integrations, all together as one package. To simplify team communications in the Security Operations Center, we now have built-in integration of Microsoft Teams into Azure Sentinel, so you can create a Teams call directly from an incident.

With threats continuing to get more sophisticated, it is important to have the latest AI and machine learning capabilities at hand to separate important incidents from noise. Customers using Azure Sentinel consistently tell us how useful it is when incidents we raise are closed directly in the product. This quarter, more than 92 percent of incidents produced by Azure Sentinel’s AI were reported as useful by security professionals, which is dramatically higher than industry standards and enables you to focus on what’s important. Today we are adding new anomaly detections, including User and Entity Behavioral Analytics (UEBA) to Azure Sentinel that are powered by configurable machine learning. These anomalies can be used to provide additional context while hunting or fused with incidents. What’s powerful is that you can configure the variables for the machine learning driven anomalies with just a few clicks to customize for your specific environment.

Today’s hybrid work environment spans multiple platforms, multiple clouds, and on-premises. We recently extended the multi-cloud support in Azure Defender to include not just servers and SQL but also Kubernetes, all using Azure Arc. Azure Security Center remains the only security portal from a cloud vendor with multi-cloud support, including Azure, Amazon Web Services, and Google Cloud Platform. Today we are announcing that we are extending protection to the application level with the preview of the SAP threat monitoring solution for Azure Sentinel. This supports SAP running in any cloud or on-premises and includes continuous monitoring of SAP with built-in detections and can be customized to your specific SAP environment. You can learn more about this and the rest of Azure Sentinel’s announcements in the Tech Community blog post.

Enabling a secure way to access cloud apps while protecting your resources in this hybrid work environment is critical. New enhancements to Microsoft Cloud App Security will help protect against recent cloud-based attack types by detecting suspicious app activity and data exfiltration attempts from cloud services. Over the next few weeks, the general availability of the integration between Microsoft Information Protection and Cloud App Security will also be available. This integrated information protection policy management from the Cloud App Security portal enables greater visibility, control, and protection for your sensitive data in the cloud.

With over 90 percent of threats surfacing through email, it’s critical that organizations can configure security tools in a way that works for their environment. Over time, settings can age, new attack scenarios develop, and new security controls become available, necessitating regular review, upkeep, modification, and even removal of old configurations. We’ve been on a journey to make it easier for customers to understand configuration gaps in their environment with recently launched features like preset security policies, Configuration Analyzer, and override alerts in Microsoft Defender for Office 365. We also recently announced our Secure by Default capabilities, which eliminate the risks posed by legacy configurations: essentially, when Microsoft is confident that an email contains malicious content, we will not deliver the message to users, regardless of tenant configuration. You can learn more in today’s Tech Community blog post.

But “assuming breach” isn’t just about external threats—you also have to be thoughtful about protecting your organization from the inside out. We released new capabilities today in our Insider Risk Management solution to help you to address insider risk in a holistic, collaborative way. Today’s Tech Community blog has more details.

For investigations, eDiscovery is critical. Today we’re announcing that eDiscovery support for Microsoft Graph connectors will be available in Summer 2021 as a developer preview. With Microsoft Graph connectors, investigators can query across more than 130 systems, directly from Microsoft 365 and our partners. The same eDiscovery tools in Microsoft 365 that search for content in Microsoft 365 apps and services can then be used to search for content in third-party systems connected to Microsoft Search. You can learn more in today’s Tech Community blog post.

Your Zero Trust journey

In a risk landscape as complex as today’s, your adoption of a Zero Trust approach won’t happen overnight. It’s important to value progress over perfection and to enlist help when you need it. Microsoft and its partners are committed to helping you on this journey. Whether you are charting your path or assessing your progress, enable your remote workforce by embracing Zero Trust security.

Thank you for being part of our community and doing your part to build a safer world.

Learn more about Microsoft Security


How to apply a Zero Trust approach to your IoT solutions

May 5th, 2021

For many, 2020 was a year of survival as they rapidly transformed their businesses in response to a new normal. From enabling new remote and hybrid work models to implementing new technology to help optimize operations, the last year has seen a significant uptick in the proliferation and role of IoT devices. Many organizations have suddenly found themselves facing an expanded attack surface area with new security challenges they were not fully prepared for.

IoT solutions need to be secured end-to-end, all the way from the device to the cloud or hybrid service that the data is processed in. Securing IoT devices presents a couple of additional layers of complexity because of the incredible diversity in design, hardware, operating systems, deployment locations, and more. For example, many are “user-less” and run automated workloads, presenting challenges when integrating into existing identity and access management tools. Many IoT devices have also been deployed using infrastructure and equipment not originally designed for a connected world or have limited capabilities and connectivity, making them challenging to secure. And because IoT devices are typically deployed in diverse environments—ranging from inside factories or office buildings to remote worksites or critical infrastructure—they’re exposed in unique ways and can offer high-value targets to attackers.

Figure 1: Technical characteristics of IoT and their challenges (including running automated workloads, aging infrastructure, and limited connectivity).

Embracing Zero Trust for your IoT solutions

As organizations continue to drive their digital transformation efforts, especially through the increased deployment of IoT solutions, it quickly becomes clear that the current approach to securing and managing these devices needs to be adapted to the reality of their environment. Enter Zero Trust, the security model that assumes breach and treats every access attempt as if it originates from an open network.

In October 2019, we published a whitepaper with our official guidance on implementing a Zero Trust security model, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper provides a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements. If you haven’t read it, we highly recommend starting there as everything we discuss from here on will build on the requirements in that model.

A practical approach for implementing Zero Trust for IoT

Securing IoT solutions with a Zero Trust security model starts with requirements that are not specific to IoT: ensuring you have implemented the basics of securing identities and their devices and of limiting their access. These include explicitly verifying users, having visibility into the devices they’re bringing onto the network, and being able to make dynamic access decisions using real-time risk detections. This helps limit the potential blast radius of users gaining unauthorized access to IoT services and data in the cloud or on-premises, which can lead to both mass information disclosure (like leaked production data of a factory) and potential elevation of privilege for command and control of cyber-physical systems (like stopping a factory production line).

Once those requirements are met, we can shift our focus to the specific Zero Trust requirements for IoT solutions:

  • Strong identity to authenticate devices. Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure you can trust the device’s identity before making decisions.
  • Least privileged access to mitigate blast radius. Implement device and workload access control to limit any potential blast radius from authenticated identities that may have been compromised or may be running unapproved workloads.
  • Device health to gate access or flag devices for remediation. Check security configuration, assess for vulnerabilities and insecure passwords, and monitor for active threats and anomalous behavioral alerts to build ongoing risk profiles.
  • Continual updates to keep devices healthy. Utilize a centralized configuration and compliance management solution and a robust update mechanism to ensure devices are up to date and in a healthy state.
  • Security monitoring and response to detect and respond to emerging threats. Employ proactive monitoring to rapidly identify unauthorized or compromised devices.
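
The tenets and requirements above (NIST’s dynamic, strictly enforced authorization and least privilege; Microsoft’s verify explicitly, least privileged access and assume breach; risk-based login monitoring with MFA step-up as in the hybrid-work post; and the IoT list just above) all reduce to one policy decision point that evaluates every request against identity, device and permission signals. The block below is an added example, not Microsoft’s or NIST’s code and not an Azure AD or Defender API: the role map, device records, risk levels and fixed clock are constructed for illustration, and the policy mirrors the text (deny by default, block or step up on sign-in risk, reject expired or unattested device credentials, gate on device health, and grant only the exact resource/action a role allows). It generalizes the IoT case slightly by treating a privileged cyber-physical action as always requiring MFA.

```python
"""Minimal Zero Trust policy decision point (added example; not Microsoft's,
NIST's or any product's code). Every request is evaluated dynamically against
identity, device and least-privilege signals. All records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed clock so the sample evaluations are reproducible (assumption).
NOW = datetime(2021, 5, 5, 12, 0, tzinfo=timezone.utc)

# Least-privilege map (constructed): role -> set of (resource, action) allowed.
ROLE_PERMISSIONS = {
    "telemetry-reader": {("telemetry", "read")},
    "line-operator": {("telemetry", "read"), ("production-line", "read")},
    "line-admin": {("telemetry", "read"), ("production-line", "read"),
                   ("production-line", "stop")},
}
# Actions with cyber-physical impact always require MFA, whatever the risk level.
PRIVILEGED_ACTIONS = {"stop"}


@dataclass(frozen=True)
class Identity:
    name: str
    authenticated: bool
    mfa_satisfied: bool
    sign_in_risk: str        # "low", "medium" or "high", e.g. from login monitoring
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    registered: bool
    credential_expires: datetime  # renewable device credential, not a password
    attested: bool                # hardware root-of-trust attestation passed
    compliant: bool               # configuration / patch baseline met
    threats_active: bool          # monitoring has flagged the device


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: str
    action: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def evaluate(req: Request, now: datetime = NOW) -> Decision:
    """Deny by default: every check must pass on every request."""
    reasons = []
    ident, dev = req.identity, req.device

    # Verify explicitly (requester): authentication plus risk-based step-up.
    if not ident.authenticated:
        reasons.append("identity not authenticated")
    elif ident.sign_in_risk == "high":
        reasons.append("high sign-in risk: access blocked")
    elif ident.sign_in_risk == "medium" and not ident.mfa_satisfied:
        reasons.append("medium sign-in risk: MFA step-up required")
    if req.action in PRIVILEGED_ACTIONS and not ident.mfa_satisfied:
        reasons.append("privileged action requires MFA")

    # Verify explicitly (device): registered, unexpired, hardware-backed identity.
    if not dev.registered:
        reasons.append("device not registered")
    if dev.credential_expires <= now:
        reasons.append("device credential expired: renew before access")
    if not dev.attested:
        reasons.append("device attestation failed")

    # Device health gates access; unhealthy devices are flagged for remediation.
    if not dev.compliant:
        reasons.append("device non-compliant: remediation required")
    if dev.threats_active:
        reasons.append("active threat detected on device")

    # Least privilege: some role must grant exactly this (resource, action).
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in ident.roles))
    if (req.resource, req.action) not in granted:
        reasons.append(f"no role grants '{req.action}' on '{req.resource}'")

    return Decision(allow=not reasons, reasons=reasons)


def sample_decisions() -> dict:
    """Constructed scenarios; returns scenario name -> Decision."""
    healthy = Device("plc-gw-01", True, NOW + timedelta(days=7), True, True, False)
    expired = Device("plc-gw-02", True, NOW - timedelta(hours=1), True, True, False)
    infected = Device("plc-gw-03", True, NOW + timedelta(days=7), True, False, True)
    operator = Identity("op1", True, False, "low", frozenset({"line-operator"}))
    operator_risky = Identity("op1", True, False, "medium", frozenset({"line-operator"}))
    admin_mfa = Identity("adm1", True, True, "low", frozenset({"line-admin"}))
    admin_nomfa = Identity("adm1", True, False, "low", frozenset({"line-admin"}))
    return {
        "operator_reads_telemetry": evaluate(Request(operator, healthy, "telemetry", "read")),
        "risky_signin_needs_mfa": evaluate(Request(operator_risky, healthy, "telemetry", "read")),
        "operator_cannot_stop_line": evaluate(Request(operator, healthy, "production-line", "stop")),
        "admin_stop_without_mfa": evaluate(Request(admin_nomfa, healthy, "production-line", "stop")),
        "admin_stop_with_mfa": evaluate(Request(admin_mfa, healthy, "production-line", "stop")),
        "expired_device_credential": evaluate(Request(admin_mfa, expired, "telemetry", "read")),
        "infected_device_blocked": evaluate(Request(operator, infected, "telemetry", "read")),
    }


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name}: {'ALLOW' if d.allow else 'DENY'} {d.reasons}")
```

The design point is that `evaluate` collects every failing check rather than stopping at the first one, so a denied request carries the full remediation list (renew the credential, bring the device into compliance, step up authentication), which is what an operator or an automated remediation workflow needs; a real engine would replace the constructed role map and device records with data from the identity provider, device registry and endpoint monitoring.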

Cover preview of the new Zero Trust Cybersecurity for the Internet of Things whitepaper.

Today, we’re publishing a new whitepaper on how to apply a Zero Trust approach to your IoT solutions based on our experience helping other customers and securing our own environment. In this whitepaper, we break down the requirements above in more detail as well as provide guidance on applying Zero Trust to your existing IoT infrastructure. Finally, we’ve also included criteria to help select IoT devices and services for a Zero Trust environment.

Read the Zero Trust Cybersecurity for the Internet of Things whitepaper for full details.

Additional resources:

Watch The IoT Show: Zero Trust for IoT for a Channel9 interview where I explain the key capabilities of Zero Trust for IoT and how Microsoft solutions enable your journey.

Watch the playback of this week’s Azure IoT Security Summit for an overview of our IoT Security solutions and guidance on how to prevent security breaches, address weak spots, and monitor the health of your IoT devices in near real-time to find and eliminate threats.

For more information about Microsoft Zero Trust, please visit our website. Check out our deployment guides for step-by-step technical guidance.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to apply a Zero Trust approach to your IoT solutions appeared first on Microsoft Security.

Categories: cybersecurity, IoT, Zero Trust

Protect your business from email phishing with multi-factor authentication

April 5th, 2021 No comments

Cybersecurity has been in the news far more often in the past 12 months than in previous years, as cybercriminals escalated their activity during the COVID-19 pandemic quarantine. The seismic shift of hundreds of millions of people connecting and working from home every day presented cybercriminals with greater opportunities to attack and new threat vectors to exploit, as was detailed in the Microsoft 2020 Digital Defense Report.

Cybercrime is a large and flourishing enterprise, unfortunately. Like in any business, innovation fuels success and profit.

Business email compromise is on the rise

Even the oldest tricks of cybercriminals keep evolving to extract more revenue from their victims. Email phishing, in which an individual or organization receives a fraudulent email encouraging them to click a link that gives the attacker access to a device or to personal information, has become a dominant vector for attacking enterprise digital estates. In the variant known as business email compromise (BEC), cybercriminals have responded to advances in detection by developing fast-moving scams that can victimize even the savviest professionals.

BEC criminals know that email is today’s de facto method of communication. People have been encouraged to “go paperless” by companies, and most feel confident they can spot a spam email. But they also inherently trust those they work with and are more likely to respond to requests from their company’s executives, as well as their trusted suppliers and business partners. A real but compromised account anywhere in the communication stream can lead to disastrous results.

Cybercriminals bank, quite literally, on these human, socially reinforced patterns. And it’s not surprising that cybercriminals succeed with schemes that appear, at least in retrospect, unbelievably primitive and transparent. In fact, one quite well-known BEC scam that used keylogger malware to fine-tune email access—and operated without detection for six months in 2015—redirected invoice payments totaling $75 million to cybercriminal bank accounts. In hindsight, one might expect that someone would notice, given the vast amount of money involved. But no one did.

As severe as the consequences of BEC can be, they are unfortunately also quite frequent. Since 2009, 17 percent of the cyber incidents reported to Chubb have stemmed from social engineering. And the risk is only increasing—the scale and threat of email phishing attacks are growing.

Take action: Reduce email phishing attacks with MFA

Enabling multi-factor authentication (MFA) is one of the quickest and most impactful ways to protect user identities, and an effective means to reduce the threat and potential impact of BEC: a phished or keylogged password on its own no longer gets the attacker into the mailbox. It does not stop a scam that only spoofs a supplier's domain and never touches your tenant, so pair it with out-of-band verification of any change to payment details. MFA has been available to all Microsoft Office 365 users since 2014, yet many small- to mid-sized business system administrators have not enabled it for their users.

In a joint white paper co-written by Microsoft and Chubb, the world’s largest publicly traded insurance provider, we explain how multi-factor authentication foils fraud, and how implementing MFA may be much easier and painless for your users than you may think. It’s a simple yet effective means to reduce the threat and potential impact of BEC.

The paper is available for download on Chubb’s website.

Embrace Zero Trust to protect your complex digital estate

Beyond the benefits of multi-factor authentication, the move toward Zero Trust security can enable and secure your remote workforce, increase the speed of threat detection and remediation, mitigate the impact of potential breaches, and make it harder for cybercriminals to make money.

The business of cybercrime will continue to grow. However, by increasing the complexity and cost of perpetrating that crime, businesses can disincentivize the criminals to the point where they move on toward easier targets.

Learn more

To learn more about email phishing and how to protect your organization, read these blogs:

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Protect your business from email phishing with multi-factor authentication appeared first on Microsoft Security.

Zero Trust: 7 adoption strategies from security leaders

March 31st, 2021 No comments

Microsoft considers Zero Trust an essential component of any organization’s security plan. We have partnered with Cloud Security Alliance, a not-for-profit organization that promotes cloud computing best practices, to bring together executive security leaders to discuss and share insights about their Zero Trust journeys.

In our first discussion, we sat down with 10 executive security leaders from prominent energy, finance, insurance, and manufacturing companies in a virtual roundtable, to understand what has worked and discover where they needed to adjust their Zero Trust security model. Our collective goal was to learn from one another and then share what we’ve learned with other organizations. Discussions like these give us valuable opportunities to grow and led us to publish an eBook to share those conversations with other cybersecurity professionals.

Today, we are publishing the “Examining Zero Trust: An executive roundtable discussion” eBook as a result of those conversations. The eBook describes how the Zero Trust security model involves thinking beyond perimeter security and moving to a more holistic security approach. The eBook complements other resources we have published to help organizations expedite their journeys in this critical area, such as the Microsoft Zero Trust Maturity Model and adoption guidance in the Zero Trust Deployment Center. Zero Trust assumes breach and verifies each request as if it originates from an uncontrolled network. If Zero Trust had a motto, it would be: never trust, always verify. That means never trusting anyone or anything—inside or outside the firewall, on the endpoint, on the server, or in the cloud.

Zero Trust strategies

Introducing Zero Trust into your organization requires implementing controls and technologies across all foundational elements: identities, devices, applications, data, infrastructure, and networks. Roundtable participants offered successful Zero Trust strategies that respect the value of each of these foundational elements.

Strategy #1 – Use identities to control access

Identities—representing people, services, and IoT devices—are the common denominator across networks, endpoints, and applications. In a Zero Trust security model, they function as a powerful, flexible, and granular way to control access to data. Or, as one participant explained it, “The new perimeter is identity, and you need a strong identity that is validated.”

When any identity attempts to access any resource, security controls should verify the identity with strong authentication, ensure access is compliant and typical for that identity, and confirm that the identity follows least privilege access principles.

Strategy #2 – Elevate authentication

Incorporating multifactor authentication or continuous authentication into your identity management strategy can substantially improve your organization’s information security posture. One roundtable participant shared that by extending identity management with continuous authentication capabilities, their organization can now validate identity when a user’s IP address or routine behavior pattern changes.

“Zero Trust will only work if it is transparent to the end-user,” said a participant. “You have to make it easy and transparent. If you want to authenticate every five minutes or every second, that’s fine, as long as the end-user doesn’t have to do anything—as long as you can validate through other methods. For example, the endpoint can be one of the factors for multifactor authentication.”

Strategy #3 – Incorporate passwordless authentication

Passwordless authentication replaces the traditional password with a cryptographic key pair combined with something the user has or is. At registration, the device generates a public and private key; the public key is registered with the identity provider, while the private key never leaves the device (ideally a TPM or a hardware security key). The private key can be unlocked only with a local gesture, such as a PIN or biometric authentication (fingerprint scan, facial recognition, or iris recognition), and that gesture is verified on the device rather than sent over the network. Sign-in then consists of signing a challenge with the private key, so there is no shared secret for a phishing site to capture or a breached database to leak.
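The registration and sign-in flow described above, as an added Go example that is not code from the roundtable post, from Microsoft, or from any FIDO2 library: the device generates an Ed25519 key pair, keeps the private key behind a local PIN check, and signs a random, short-lived, single-use challenge that the identity provider verifies against the stored public key. The Authenticator and Server types, the two-minute challenge lifetime, the PIN "1234", and the user "alice" are illustrative assumptions; a real deployment uses the WebAuthn/FIDO2 protocol rather than this simplified exchange.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Authenticator models the user's device: the private key never leaves it and
// is released only after a local gesture (a PIN here; real hardware verifies a
// PIN or biometric inside a TPM or security key).
type Authenticator struct {
	pinHash [32]byte
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey // the only part the identity provider ever stores
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{pinHash: sha256.Sum256([]byte(pin)), priv: priv, Pub: pub}, nil
}

// Sign produces a signature over the server's challenge, but only when the
// local gesture succeeds; the PIN itself is never transmitted.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		return nil, errors.New("local verification failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

type pending struct {
	nonce   []byte
	expires time.Time
}

// Server is the identity provider. It holds public keys and short-lived,
// single-use challenges; there is no password hash to steal or phish.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string]pending
	now        func() time.Time // injectable clock so expiry is testable
}

func NewServer(now func() time.Time) *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string]pending{}, now: now}
}

// Register binds the device's public key to the user (in production this step
// itself runs inside an authenticated session or a Temporary Access Pass flow).
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for an enrolled user.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("no passwordless credential enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = pending{nonce: nonce, expires: s.now().Add(2 * time.Minute)}
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce. The nonce is removed
// before any check, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.challenges[user]
	delete(s.challenges, user)
	switch {
	case !ok:
		return errors.New("no outstanding challenge")
	case s.now().After(c.expires):
		return errors.New("challenge expired")
	case !ed25519.Verify(s.keys[user], c.nonce, sig):
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

func main() {
	srv := NewServer(time.Now)
	dev, _ := NewAuthenticator("1234")
	srv.Register("alice", dev.Pub)
	nonce, _ := srv.Challenge("alice")
	sig, _ := dev.Sign("1234", nonce)
	fmt.Println("sign-in:", srv.Verify("alice", sig))
	fmt.Println("replay: ", srv.Verify("alice", sig))
}
```

The server never holds anything an attacker could phish or crack: the PIN is checked on the device, and a signature captured off the wire is useless because its challenge is consumed on first use and expires after two minutes.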

Strategy #4 – Segment your corporate network

Network segmentation can be a pain point for business IT: firewalls were the earliest form of segmentation, and every new boundary can complicate development and testing. As a result, IT teams come to rely more on security teams to fix network connectivity and access issues.

However, segmenting networks and conducting deeper in-network micro-segmentation is important for Zero Trust because in a mobile- and cloud-first world, all business-critical data is accessed over network infrastructure. Networking controls provide critical functionality to enhance visibility and help prevent attackers from moving laterally across the network.

Strategy #5 – Secure your devices

With the Zero Trust model, the same security policies are applied whether the device is corporately owned or a personally owned phone or tablet, also called a “bring your own device” (BYOD). Corporate, contractor, partner, and guest devices are treated the same whether the device is fully managed by IT or only the apps and data are secured. And this is true whether these endpoints—PC, Mac, smartphone, tablet, wearable, or IoT device—are connected using the secure corporate network, home broadband, or public internet.

“In a BYOD world, the device is the explosive piece,” said one participant. “If you allow unpatched devices to connect to your network, it is, in essence, walking into your base with live ordnance, and it can go bad quickly. Why wouldn’t you test outside to begin with?”

Strategy #6 – Segment your applications

Benefitting fully from cloud apps and services requires finding the right balance between providing access and maintaining control to ensure that apps, and the data they contain, are protected. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, restrict user actions, and validate secure configuration options.

“It is becoming easier and more achievable to have segmentation between the applications,” said a participant. “Being able to provide excessive privileges/role-based access is becoming part of the policy engine. The application piece of the puzzle seems to be solving itself more intelligently as time goes on. This approach gets validated every time I hear an end-user is able to dial in on the problem.”

Strategy #7 – Define roles and access controls

With the rapid rise in remote work, organizations must consider alternative ways of achieving modern security controls. It’s useful to operationalize roles and tie them to policy as part of authorization, single sign-on, passwordless access, and segmentation. However, each role you define must be managed now and in the future, so be selective about how many roles you create to avoid management challenges later.

“If you create a thousand roles in your organization to be that granular, you will have problems with management down the road,” said a participant. “You’re going to end up with massive amounts of accounts that are not updated, and that’s where you have breaches.”

The journey toward Zero Trust

The foundational focus of organizations varies as they start their Zero Trust journey. Some of the organizations represented by roundtable participants began with user identity and access management, while others started with network macro- and micro-segmentation or on the application side. These leaders agreed that developing a holistic Zero Trust strategy is critical and that you should start small and build confidence before rolling out Zero Trust across your organization.

That usually means taking a phased approach that targets specific areas based on the organization’s Zero Trust maturity, available resources, and priorities. For example, you could start with a new greenfield project in the cloud or experiment in a developer and test environment. Once you’ve built confidence, we recommend extending the Zero Trust model throughout the entire digital estate, while embracing it as an integrated security philosophy and end-to-end strategy moving forward. You’re not alone in this journey. Successful organizations have walked this path, and Microsoft is happy to be with you every step of the way.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust: 7 adoption strategies from security leaders appeared first on Microsoft Security.

Categories: CISO, cybersecurity, Zero Trust

Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work

March 2nd, 2021 No comments

We’re now a year into our new reality, and two trends stand out. First, people need even more flexibility as we work, learn, and collaborate in a world without perimeters. And second, bad actors are getting even more sophisticated. They’re adding new attack vectors and combining them in new creative ways, as we just saw with Solorigate.

In January, I shared our top five identity priorities for 2021 to help you strengthen security and accelerate your transition to the new hybrid work era. More than ever, organizations need to strengthen their defenses to give employees, partners, and customers the flexibility to work from anywhere using apps that live inside and outside the traditional corporate network perimeter. That’s why Zero Trust, a security strategy that combines maximum flexibility with maximum security, is so crucial.

For IT pros and security professionals, the implementation of Zero Trust should be simple and straightforward. For users, it should never get in the way, and it should fit into familiar workflows and habits. This week, on the virtual Microsoft Ignite stage, I’m announcing several Azure Active Directory (Azure AD) innovations that will help make life easier for you and your employees now—and help you stay prepared for whatever comes next.

Give your employees a secure and seamless user experience

As part of our commitment to making security as seamless as possible, passwordless authentication is now generally available for organizations to deploy at scale. Your IT admins, employees, and partners can benefit from increased security and simplicity. We’ve made it easy to roll out passwordless at scale with expanded policies that define which authentication methods specific users or groups can use. New reporting capabilities allow you to see the usage and adoption of passwordless authentication methods across your organization. To help you simplify and secure remote access, we’ve also released the preview of Temporary Access Pass, a time-limited code used to set up and recover a passwordless credential.

Azure AD Temporary Access Pass

Microsoft already has more than 200 million passwordless users across our consumer and enterprise services. We’re excited to see even more customers adopting passwordless each day. Axiata Group is the first company in Southeast Asia to eliminate passwords for their employees. They went passwordless using Windows Hello for Business and the Microsoft Authenticator app. Abid Adam, group chief risk and compliance officer at Axiata Group said, “Rather than make their lives miserable with long passwords that create risk for the organization, we turned to biometrics. Now with Windows Hello, security is baked into our ecosystem, and we have better access to information with greater barriers to bad actors. It’s a win-win for our security team, our employees, and the company.” Similarly, in Europe, Umeå municipality wanted to strengthen security and eliminate the use of passwords. With help from Onevinn and Yubico partners, they were able to roll out their first passwordless deployment in less than 10 days. Watch my interview on Microsoft Mechanics to see passwordless in action.

Going passwordless not only simplifies the user experience but also strengthens your security posture. And thanks to Azure AD Conditional Access, you no longer need to request multifactor authentication every time someone accesses an app that touches sensitive data. Instead, you can step up authentication based on what the user is trying to do within the app—for example, downloading a highly confidential document. With Azure AD Conditional Access authentication context, now in preview, you can move away from one-size-fits-all security and adopt more granular policies that protect resources with the right level of controls based on user actions or the data they are trying to access.

Azure AD Conditional Access authentication context
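Authentication context as described here, and Strategies #1, #2, and #7 in the roundtable post above (verify identity strength, re-verify when the user's network changes, and keep roles to least privilege), all come down to one policy decision per request. The following Go program is an added example, not code from either post or from Azure AD Conditional Access; it evaluates a request against a constructed sample policy and returns Allow, Deny, or StepUp (re-authenticate at the required strength). The roles, actions, IP addresses, and strength levels are illustrative assumptions.

```go
package main

import "fmt"

// AuthStrength ranks how a session was authenticated, weakest first.
type AuthStrength int

const (
	PasswordOnly AuthStrength = iota
	MFA
	Passwordless // phishing-resistant: FIDO2 key, Windows Hello, Authenticator
)

// Decision is the policy engine's verdict for one request.
type Decision int

const (
	Deny   Decision = iota
	StepUp // allowed once the user re-authenticates at the required strength
	Allow
)

func (d Decision) String() string { return [...]string{"Deny", "StepUp", "Allow"}[d] }

// Request carries the signals evaluated on every access, not just at sign-in.
type Request struct {
	User, Role, IP, Action string
	Auth                   AuthStrength
	DeviceCompliant        bool // managed, patched and healthy according to MDM
}

// Engine holds the policy: per-role permissions (least privilege), the
// authentication strength each action demands (authentication context), and
// the last network each user was seen on (continuous authentication).
type Engine struct {
	rolePerms  map[string]map[string]bool
	actionAuth map[string]AuthStrength
	lastIP     map[string]string
}

// NewEngine loads a constructed sample policy; a real engine reads it from
// the identity provider's policy store.
func NewEngine() *Engine {
	return &Engine{
		rolePerms: map[string]map[string]bool{
			"analyst": {"read": true, "download-confidential": true},
			"guest":   {"read": true},
		},
		actionAuth: map[string]AuthStrength{
			"read":                  PasswordOnly,
			"download-confidential": MFA,
		},
		lastIP: map[string]string{},
	}
}

// Evaluate runs the checks in order: least privilege first (stepping up can
// never grant an action the role lacks), then device health, then the
// strength the action requires, then re-verification when the network changed.
func (e *Engine) Evaluate(r Request) (Decision, string) {
	perms, ok := e.rolePerms[r.Role]
	if !ok || !perms[r.Action] {
		return Deny, fmt.Sprintf("role %q may not %s", r.Role, r.Action)
	}
	if !r.DeviceCompliant {
		return Deny, "device is not compliant"
	}
	if need := e.actionAuth[r.Action]; r.Auth < need {
		return StepUp, fmt.Sprintf("%s needs strength %d, session has %d", r.Action, need, r.Auth)
	}
	if prev, seen := e.lastIP[r.User]; seen && prev != r.IP && r.Auth < MFA {
		return StepUp, "network changed since last verification: " + prev + " -> " + r.IP
	}
	e.lastIP[r.User] = r.IP
	return Allow, "all checks passed"
}

func main() {
	eng := NewEngine()
	requests := []Request{
		{User: "alice", Role: "analyst", IP: "10.0.0.5", Action: "read", Auth: PasswordOnly, DeviceCompliant: true},
		{User: "alice", Role: "analyst", IP: "10.0.0.5", Action: "download-confidential", Auth: PasswordOnly, DeviceCompliant: true},
		{User: "alice", Role: "analyst", IP: "203.0.113.9", Action: "read", Auth: PasswordOnly, DeviceCompliant: true},
		{User: "alice", Role: "analyst", IP: "203.0.113.9", Action: "read", Auth: PasswordOnly, DeviceCompliant: false},
		{User: "bob", Role: "guest", IP: "10.0.0.7", Action: "download-confidential", Auth: Passwordless, DeviceCompliant: true},
	}
	for _, r := range requests {
		d, why := eng.Evaluate(r)
		fmt.Printf("%-5s %-22s %-6s %s\n", r.User, r.Action, d, why)
	}
}
```

Order matters: the least-privilege check comes first so that no amount of re-authentication grants an action the role does not have, and the device check precedes the step-up so that a prompt is never sent to an unhealthy device.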

Announcements:

  • General availability of passwordless authentication.
  • Preview of Temporary Access Pass.
  • Preview of Azure AD Conditional Access authentication context.

Secure access to all apps

Most of you manage multi-cloud environments. Your developers are building apps that are distributed across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform. They need to sign in to each cloud with only one set of credentials. So that you can quickly configure single-sign-on (SSO) and user provisioning, we’re constantly expanding the Azure AD app gallery with as many pre-integrations as possible—even with our competitors.

AWS Single Sign-On app is now pre-integrated with Azure AD and available in the app gallery. This integration lets you connect Azure AD to AWS SSO, a cloud-based service that simplifies SSO access across multiple AWS accounts and resources. You can centralize management of user access to AWS, while your employees can gain access using their Azure AD credentials.

AWS SSO pre-integrated with Azure AD

During the past year, many organizations have relied on our Azure AD App Proxy service to give employees secure remote access to on-premises apps. Usage grew more than 100 percent last year, helping organizations move away from VPN solutions. Today, we’re adding two new features to help you get the most out of App Proxy. First, native support for header-based authentication with App Proxy is now generally available. Because such an app trusts the identity headers the proxy injects, make sure it is reachable only through App Proxy, with no direct network path, so those headers cannot be forged. Second, traffic optimization by region for App Proxy is now in preview. This feature lets you designate which region your App Proxy connector group should use and select the same region as your apps, which reduces latency and improves performance.

Azure AD App Proxy support for header-based authentication apps

To protect your legacy, on-premises applications, we’re expanding the list of our secure hybrid access partnerships to include Datawiza, Perimeter 81, Silverfort, and Strata. In addition to connecting your on-premises apps, partners like Datawiza, Strata, and Silverfort can help you discover and prioritize apps and resources to migrate to Azure AD. “Silverfort is thrilled to be able to collaborate with Azure AD to enable unified secure access to legacy, on-premises apps, and resources,” said Ron Rasin, vice president of product and strategic alliances at Silverfort. “Identity has become the primary security control plane making it critical that organizations can discover, prioritize, and migrate the apps and resources to a central identity solution like Azure AD.”

Solorigate taught us that in many cases, cloud environments are more secure than on-premises. To strengthen your defenses, it’s critical to minimize your on-premises footprint and manage all your apps from the cloud. The process of discovering applications across different environments and prioritizing them for cloud modernization can be daunting, however. To make it easier, we’re announcing the general availability of Active Directory Federation Services (AD FS) activity and insights report. This report assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and provides guidance on preparing individual applications for migration to Azure AD.

AD FS activity and insights report

Announcements:

  • AWS Single Sign-On now available in Azure AD app gallery.
  • General availability of AD FS activity and insights report.
  • New secure hybrid access partnerships with Datawiza, Perimeter 81, Silverfort, and Strata.
  • General availability of Azure AD App Proxy support for header-based authentication apps.
  • Preview of Azure AD App Proxy support for traffic optimization by region.

Secure your customers and partners

A strong Zero Trust approach requires that we treat access requests from customers, partners, and vendors just like requests from employees: verify every request, allow users to access the data they need only when they need it, and don’t let guests overstay their welcome. With Azure AD, you can apply consistent access policies to all types of external users.

Generally available starting this month, Azure AD External Identities is a set of capabilities for securing and managing identity and access for customers and partners. Self-service sign-up user flows in Azure AD apps make it easy to create, manage, and customize onboarding experiences for external users, with little to no application code. You can integrate support for sign-in using Google and Facebook IDs and extend the flow with powerful API connectors. Using Azure AD Identity Protection, you can protect your business-to-business (B2B) and business-to-consumer (B2C) apps and users with adaptive, machine learning–driven security.

Azure AD External Identities admin portal and user experience

With automated guest access reviews for Microsoft Teams and Microsoft 365 groups, now generally available, Azure AD will prompt you to review and update access permissions for all guests added to new or existing Teams or groups on a regular schedule. The process of cleaning up access to sensitive resources that your guest users no longer need will become less manual—and less neglected.

Announcements:

  • General availability of Azure AD External Identities.
  • General availability of Azure AD access reviews for all guests in Teams and Microsoft 365 groups.

The future of identity is bright

While 2020 was a challenging year, we have much to look forward to in 2021, with innovations that will deliver more security, transparency, and privacy for users. Last Microsoft Ignite, I talked about verifiable credentials and our commitment to empowering every person to own their own identity thanks to decentralized identifiers. I’m happy to share that Azure AD verifiable credentials is entering preview in just a few weeks. Developers will get an SDK, with quick-start guides, for building apps that request and verify credentials, just like they do with usernames and passwords. I’m also excited to announce that we are partnering with some of the leading ID verification partners—Acuant, Au10tix, Idemia, Jumio, Socure, Onfido, Vu Security—to improve verifiability and secure information exchange.

Verifiable credentials let organizations confirm information about someone—like their education and professional certifications—without collecting and storing their personal data. This will revolutionize the way we grant permissions to access our information. Organizations will be able to issue digital versions of a variety of credentials such as physical badges, loyalty cards, and government-issued paper documents based on open standards. Because the digital information is verified by a known party, it’s more trustworthy, and verification will only take minutes instead of days or weeks.

Azure AD verifiable credentials

Individuals get more control over what information they share with whom, and they can restrict access to that shared information at any time. They only have to verify a credential once to use it everywhere. To manage their credentials, they can use the Microsoft Authenticator app and other wallet apps that support open standards, such as the pilot application built by Keio University for their students.
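The exchange described above, as an added Go example that is not code from the post or from Azure AD verifiable credentials: the issuer signs salted digests of the holder's claims and binds them to the holder's public key; the holder discloses only the claims a verifier asks for and signs the verifier's nonce; the verifier checks everything with just the issuer's public key, never contacting the issuer or seeing the undisclosed claims. The claim names and values, the verifier nonce, and the use of Ed25519 with SHA-256 digests are illustrative assumptions; the open standards Azure AD implements are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// GenKey returns a fresh Ed25519 key pair; issuer and holder each make one.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return pub, priv
}

// Claim is one attribute about the holder; the salt stops a verifier from
// recovering an undisclosed value by hashing likely candidates.
type Claim struct {
	Name, Value string
	Salt        []byte
}

func (c Claim) digest() string {
	return fmt.Sprintf("%x", sha256.Sum256(append([]byte(c.Name+"="+c.Value+"|"), c.Salt...)))
}

// Credential is what the issuer gives the holder: the holder's public key,
// digests of every claim, and the issuer's signature over both.
type Credential struct {
	Holder    ed25519.PublicKey
	Digests   []string // sorted so the signed payload is canonical
	IssuerSig []byte
}

func (c Credential) payload() []byte {
	return []byte(fmt.Sprintf("%x|%s", c.Holder, c.Digests))
}

// Issue signs salted digests, so the raw values never appear in the signed object.
func Issue(issuer ed25519.PrivateKey, holder ed25519.PublicKey, attrs map[string]string) (Credential, []Claim) {
	var claims []Claim
	var digests []string
	for name, value := range attrs {
		c := Claim{Name: name, Value: value, Salt: make([]byte, 16)}
		if _, err := rand.Read(c.Salt); err != nil {
			panic(err) // no entropy: refuse to issue anything
		}
		claims = append(claims, c)
		digests = append(digests, c.digest())
	}
	sort.Strings(digests)
	cred := Credential{Holder: holder, Digests: digests}
	cred.IssuerSig = ed25519.Sign(issuer, cred.payload())
	return cred, claims
}

// Presentation is what the holder shows a verifier: the credential, only the
// claims the holder chooses to reveal, and a signature over the verifier's nonce.
type Presentation struct {
	Cred      Credential
	Disclosed []Claim
	Nonce     []byte
	HolderSig []byte
}

func Present(holder ed25519.PrivateKey, cred Credential, claims []Claim, reveal map[string]bool, nonce []byte) Presentation {
	var disclosed []Claim
	for _, c := range claims {
		if reveal[c.Name] {
			disclosed = append(disclosed, c)
		}
	}
	sig := ed25519.Sign(holder, append(cred.payload(), nonce...))
	return Presentation{Cred: cred, Disclosed: disclosed, Nonce: nonce, HolderSig: sig}
}

// Verify needs only the issuer's public key and the nonce it issued: it never
// contacts the issuer and never sees claims the holder did not disclose.
func Verify(issuerPub ed25519.PublicKey, nonce []byte, p Presentation) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, p.Cred.payload(), p.Cred.IssuerSig) {
		return nil, errors.New("credential is not signed by a trusted issuer")
	}
	if string(p.Nonce) != string(nonce) {
		return nil, errors.New("nonce mismatch: stale or replayed presentation")
	}
	if !ed25519.Verify(p.Cred.Holder, append(p.Cred.payload(), p.Nonce...), p.HolderSig) {
		return nil, errors.New("presentation is not signed by the credential holder")
	}
	out := map[string]string{}
	for _, c := range p.Disclosed {
		if i := sort.SearchStrings(p.Cred.Digests, c.digest()); i == len(p.Cred.Digests) || p.Cred.Digests[i] != c.digest() {
			return nil, errors.New("disclosed claim " + c.Name + " was not issued")
		}
		out[c.Name] = c.Value
	}
	return out, nil
}

func main() {
	issuerPub, issuerPriv := GenKey()
	holderPub, holderPriv := GenKey()
	cred, claims := Issue(issuerPriv, holderPub, map[string]string{"degree": "BSc Computer Science", "dob": "1990-01-01"}) // constructed sample
	nonce := []byte("verifier-session-7f3a") // a verifier generates a fresh one per request
	fmt.Println(Verify(issuerPub, nonce, Present(holderPriv, cred, claims, map[string]bool{"degree": true}, nonce)))
}
```

The verifier learns the degree and nothing else: the date of birth stays with the holder, and the issuer never learns where the credential was presented.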

Announcement:

  • Preview of Azure AD verifiable credentials.

And finally, I’m happy to share that we’re releasing a new Microsoft Identity and Access Administrator Certification, which you can find at the Microsoft Security Resources portal. This training helps admins design, implement, and operate Azure AD as the organization’s security control plane.

Announcement:

  • Release of the Microsoft Identity and Access Administrator Certification.

The new features announced at Microsoft Ignite will make it easier to provide seamless user experiences in the hybrid workplace and to strengthen your defenses against attacks that are increasingly sophisticated. As you try these new tools, please send us your feedback so we can continue to build advancements that help you keep your employees secure, connected, and productive.

Let’s make 2021 the Year of Passwordless!

To see these features in action when I take the Microsoft Ignite stage tomorrow, register for free at Microsoft Ignite and watch my session starting at 5 PM Pacific Time. Follow Microsoft Identity at @AzureAD on Twitter for more news and best practices.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security Blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work appeared first on Microsoft Security.

4 ways Microsoft is delivering security for all in a Zero Trust world

March 2nd, 2021 No comments

If there’s one thing the dawning of 2021 has shown, it’s that security isn’t getting any easier. Recent high-profile breach activity has underscored the growing sophistication of today’s threat actors and the complexity of managing business risk in an increasingly connected world. It’s a struggle for organizations of every size and for the public and private sector alike. As we move into this next phase of digital transformation, with technology increasingly woven into our most basic human activities, the questions that we as security defenders must ask ourselves are these: How do we help people to have confidence in the security of their devices, their data, and their actions online? How do we protect people, so they have peace of mind and are empowered to innovate and grow their future? How do we foster trust in a Zero Trust world?

As defenders ourselves, we are passionate proponents of a Zero Trust mindset, encompassing all types of threats—both outside in and inside out. We believe the right approach is to address security, compliance, identity, and device management as an interdependent whole and to extend protection to all data, devices, identities, platforms, and clouds—whether those things are from Microsoft or not.

You may have heard us talk about our commitment to security for all, and that’s at the heart of it. We are deeply inspired to empower people everywhere to do the important work of defending their communities and their organizations in an ever-evolving threat landscape.

With that approach in mind, today I’m excited to share several additional innovations across four key areas with you—identity, security, compliance, and skilling—to give you the holistic security protection you need to meet today’s most challenging security demands.

1. Identity: The starting point of a Zero Trust approach

Adopting a Zero Trust strategy is a journey. Every single step you take will make you more secure. In today’s world, with disappearing corporate network perimeters, identity is your first line of defense. While your Zero Trust journey will be unique, if you are wondering where to start, our recommendation is to start with a strong cloud identity foundation. The most fundamental steps like strong authentication, protecting user credentials, and protecting devices are the most essential.

Today we are announcing new ways that Azure Active Directory (Azure AD), the cloud identity solution of choice for more than 425 million users, can help you on your Zero Trust journey:

  • Passwordless authentication, which eliminates one of the weakest links in security today, is now generally available for cloud and hybrid environments. Now you can create end-to-end experiences for all employees, so they no longer need passwords to sign in to the network. Instead, Azure AD now lets them sign in with biometrics or a tap using Windows Hello for Business, the Microsoft Authenticator app, or a compatible FIDO2 security key from Microsoft Intelligent Security Association partners such as Yubico, Feitian, and AuthenTrend. With Temporary Access Pass, now in preview, you can generate a time-limited code to set up or recover a passwordless credential.
  • Azure AD Conditional Access, the policy engine at the heart of our Zero Trust solution, now uses authentication context to enforce even more granular policies based on user actions within the app they are using or sensitivity of data they are trying to access. This helps you appropriately protect important information without unduly restricting access to less sensitive content.
  • Azure AD verifiable credentials is entering preview in just a few weeks. Verifiable credentials let organizations confirm information someone provides, such as their education or professional certifications, without collecting and storing their personal data, improving both security and privacy. In addition, new partnerships integrating Azure AD verifiable credentials with leading identity verification providers like Onfido, Socure, and others will improve verifiability and secure information exchange. Customers such as Keio University, the government of Flanders, and the National Health Service in the UK are already piloting verifiable credentials.

Learn more about our Azure AD announcements in today’s blog post by Joy Chik.

2. Security: Simplifying the “assume breach” toolset

In today’s landscape, your security approach should start with the key Zero Trust principle of assume breach. But too often, complexity and fragmentation stand in the way. It is our commitment to helping you solve this, as we build security for all, delivered from the cloud.

This begins with integrated solutions that let you focus on what matters and deliver visibility across all your platforms and all your clouds. Some vendors deliver endpoint or email protection, while others deliver Security Information and Event Management (SIEM) tools, and integrating those pieces together can be a time-consuming challenge. Microsoft takes a holistic approach that combines best-of-breed SIEM and extended detection and response (XDR) tools built from the ground up in the cloud to improve your posture, protection, and response. This gives you the best-of-breed combined with the best-of-integration so you don’t have to compromise.

Today we are making the following announcements to simplify the experience for defenders with modern and integrated capabilities:

  • Microsoft Defender for Endpoint and Defender for Office 365 customers can now investigate and remediate threats from the Microsoft 365 Defender portal. It provides unified alerts, user and investigation pages for deep, automated analysis and simple visualization, and a new Learning Hub where customers can leverage instructional resources with best practices and how-tos.
  • Incidents, schema, and user experiences are now common between Microsoft 365 Defender and Azure Sentinel. We also continue to expand connectors for Azure Sentinel and work to simplify data ingestion and automation.
  • The new Threat Analytics provides a set of reports from expert Microsoft security researchers that help you understand, prevent, and mitigate active threats, like the Solorigate attacks, directly within Microsoft 365 Defender.
  • We are bringing Secured-core to Windows Server and edge devices to help minimize risk from firmware vulnerabilities and advanced malware in IoT and hybrid cloud environments.

Learn more about our threat protection announcements in today’s blog post by Rob Lefferts and Eric Doerr. Learn more about our Secured-core announcements in today’s blog post by David Weston. You can also learn more about new security features in Microsoft Teams in today’s blog post by Jared Spataro.

Today’s announcements continue, and strengthen, our commitment to deliver best-of-breed protection, detection, and response for all clouds and all platforms with solutions like Defender for Endpoint—a leader in the Gartner Magic Quadrant, available for Android, iOS, macOS, Linux, and Windows; and Azure Sentinel—which looks across your multi-cloud environments, including AWS, Google Cloud Platform, Salesforce service cloud, VMware, and Cisco Umbrella.

3. Compliance: Protection from the inside out

At Microsoft, we think of Zero Trust as not only the practice of protecting against outside-in threats, but also protecting from the inside out. For us, addressing the area of compliance includes managing risks related to data.

And that isn’t just the data stored in the Microsoft cloud, but across the breadth of clouds and platforms you use. We’ve invested in creating that inside-out protection by extending our capabilities to third parties to help you reduce risk across your entire digital estate.

Today we are announcing these new innovations in compliance:

  • Co-authoring of documents protected with Microsoft Information Protection. This enables multiple users to work simultaneously on protected documents while taking advantage of the intelligent, unified, and extensible protection for documents and emails across Microsoft 365 apps.
  • Microsoft 365 Insider Risk Management Analytics, which can identify potential insider risk activity within an organization and help inform policy configurations. With one click, customers can have the system run a daily scan of their tenant audit logs, including historical activity, and leverage Microsoft 365’s Insider Risk Management machine learning engine to identify potentially risky activity with privacy built in by design.
  • Microsoft 365 now offers data loss prevention (DLP) for Chrome browsers and on-premises server-based environments such as file shares and SharePoint Server.
  • Azure Purview is integrated with Microsoft Information Protection, enabling you to apply the same sensitivity labels defined in Microsoft 365 Compliance Center to data residing in other clouds or on-premises. With Azure Purview, a unified data governance solution for on-premises, multi-cloud, and software as a service (SaaS) data, you can scan and classify data residing in AWS Simple Storage Service (S3), SAP ECC, SAP S4/HANA, and Oracle Database.

Learn more about our compliance announcements in today’s blog post by Alym Rayani.

4. Skilling: Power your future through security skilling

We know that many of you continue to struggle to fill the security skills gap with an estimated shortfall of 3.5 million security professionals by 2021. That’s why we strive to ensure you have the skilling and learning resources you need to keep up in our world of complex cybersecurity attacks. We are excited to announce two different ways Microsoft is supporting skilling cybersecurity professionals.

First, Microsoft has four new security, compliance, and identity certifications tailored to your roles and needs, regardless of where you are in your skilling journey. To learn more about these new certifications, please visit our resource page for Microsoft Certifications.

  • Security, Compliance, and Identity Fundamentals certification will help individuals get familiar with the fundamentals of security, compliance, and identity across cloud-based and related Microsoft services.
  • Information Protection Administrator Associate certification focuses on planning and implementing controls that meet organizational compliance needs.
  • Security Operations Analyst Associate certification helps security operational professionals design threat protection and response systems.
  • Identity and Access Administrator Associate certification helps individuals design, implement, and operate an organization’s identity and access management systems by using Azure Active Directory.

We also recognize that the world we live in is complex but growing your skills shouldn’t be. The Microsoft Security Technical Content Library will help you find content relevant to your needs. Use it to access content based on your own needs today.

You can also learn more on today’s Tech Community blog post.

Security for all

We at Microsoft Security are committed to helping build a safer world for all. Every day, we are inspired by the work of our defenders and we are focused on delivering innovations, expertise, and resources that tip the scale in favor of defenders everywhere because the work you do matters. Security is a team sport, and we’re all in this together.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 4 ways Microsoft is delivering security for all in a Zero Trust world appeared first on Microsoft Security.


Why threat protection is critical to your Zero Trust security strategy

February 8th, 2021

The corporate network perimeter has been completely redefined. Many IT leaders are adopting a Zero Trust security model in which identities serve as the foundation of their modern cybersecurity strategy. As a result, cybercriminals have shifted their focus, and identities are increasingly under attack.

In this infographic, we explore how this shift is affecting IT leaders and how Microsoft can help apply threat protection to proactively prevent identity compromise and reduce alert fatigue.

  1. There’s been a significant increase in identity-based attacks. As IT leaders rely more heavily on identity in their security strategies, cybercriminals have increased their efforts on this threat vector. And with the shift to remote work in response to COVID-19, we’ve seen a notable number of pandemic-related phishing attacks.
  2. IT leaders need more visibility and protection. With the increase in threats, security professionals and admins are being overwhelmed with alerts. IT leaders are looking for more effective ways to manage alerts and better tools to proactively prevent attackers from being able to compromise accounts.
  3. Preventing identity compromise is more critical than ever. As IT leaders evolve their security strategies, more people work remotely, and the number of identity-based attacks rises, it’s vital for organizations to implement real-time, AI-based protections that prevent identity compromise.

Check out the infographic for more details.

If you’re interested in how Microsoft can help, see how Azure Active Directory (Azure AD) Identity Protection and Microsoft 365 Defender use real-time, cloud-based AI to proactively prevent identity compromise. Also check out our Security Unlocked podcast with Data Scientist Lead for Microsoft’s Identity Security and Protection team, Maria Puertas Calvo, to hear how AI is being used to protect identities inside Microsoft products and services.

Visit our Zero Trust page to stay up to date on the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why threat protection is critical to your Zero Trust security strategy appeared first on Microsoft Security.

Modernizing your network security strategy

February 4th, 2021

From the global pandemic to recent cyberattacks, our world has faced many challenges during the past 12 months. Some of these challenges we can’t change. However, I’m pleased about the ones we can, and are changing across the cybersecurity landscape. For example, to facilitate remote work and maintain business continuity, organizations are moving more of their apps to the cloud and delivering SaaS experiences.

We know, however, that cybercriminals are taking advantage of this shift. We have seen them increase DDoS attacks, ransomware, and phishing campaigns. So how do you, as a cybersecurity professional, help your organization facilitate remote work while strengthening security, reliability, and performance?

The first step is to examine your organization’s security strategy and adopt a Zero Trust approach.

Join me and Sinead O’Donovan, Director of Program Management for Azure Security, in the next Azure Security Experts Series on February 18, 2021, from 10:00 AM to 11:00 AM Pacific Time, as we’re going to focus on another important aspect of Zero Trust network security.

There, we’ll step through three strategies using cloud-native network security services such as Azure Front Door and Azure Firewall to perform:

  • Segmentation: This includes app and virtual network segmentation, which aims to reduce the attack surface and prevent attackers from moving laterally.
  • Encryption: Enforcing encryption on the communication channel for user-to-app and app-to-app traffic with industry standards like TLS/SSL.
  • Threat protection: Employing threat intelligence to help minimize risk from the most sophisticated attacks, like bots and malware.

You’ll have the opportunity to take deep dives and see demos on how to use Azure network security cloud-native services for:

  • Application security and acceleration: Utilize new integrated services like Azure Web Application Firewall and CDN technology to provide app security, scalability, and resiliency.
  • Advanced cloud network threat protection: Apply advanced firewall capabilities for highly sensitive and regulated environments.

In just one hour, you’ll learn new networking strategies, improve your app security and performance, use cutting-edge network threat protection, and stay ahead of a constantly evolving threat landscape.

Register now.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Modernizing your network security strategy appeared first on Microsoft Security.

Why operational resilience will be key in 2021, and how this impacts cybersecurity

January 28th, 2021

The lessons we have learned during the past 12 months have demonstrated that the ability to respond to and bounce back from adversity can impact the short- and long-term success of any organization. It can even dictate the leaders and laggards in any industry.

As security threats become more daunting, with many organizations remaining in a remote work environment, global organizations must reach a state where their core operations and services are not disrupted by unexpected changes.

The key to success in surviving any unforeseen circumstances in 2021 will be operational resiliency. Operational resilience is the ability to sustain business operations during any major event, including a cyberattack. It requires a strategic and holistic view of what could go wrong and how an organization will respond. Consider the risk and response for a utility company, for example, an organization that relies on IoT data, or a manufacturer of medical supplies. While their approaches may differ, the impact would be equally devastating should their operational continuity be halted. In today’s digital world, preparing for cyber threats must be a strategic part of that plan, just like any other form of continuity and disaster recovery.

Speaking with customers globally, we know they are not fully prepared to withstand a major cyber event. Whilst many firms have a disaster recovery plan on paper, nearly a quarter have never tested that plan and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

It begins with Zero Trust. Zero Trust is based on three principles: verify explicitly, use least privilege access, and assume breach.

Verify explicitly

Rather than trust users or devices implicitly because they’re on the corporate network or VPN’ed into it, it is critical to assume zero trust and verify each transaction explicitly. This means enabling strong authentication and authorization based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

This starts with strong user authentication. Multi-factor authentication (MFA) is essential, but it’s time to move away from passwords plus SMS and voice calls as authentication factors. Bad actors are getting more sophisticated all the time, and they have found a number of ways to exploit the public switched telephone network (PSTN) that SMS and voice calls use, as well as social engineering methods for getting these codes from users.

For most users on their mobile devices, we believe the right answer is passwordless with app-based authentication, like Microsoft Authenticator, or a hardware key combined with biometrics.

Least privileged access

Least privileged access means that when we do grant access, we grant the minimum level of access the user needs to complete their task, and only for the amount of time they need it. Think about it this way, you can let someone into your building, but only during work hours, and you don’t let them into every lab and office.

Identity Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with the capabilities to ensure that the right people have the right access to the right resources.

Assume breach

Finally, operate with the expectation of a breach, and apply techniques such as micro-segmentation and real-time analytics to detect attacks more quickly.
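The three principles above describe an access decision made from signals rather than from network location. The following is an added example, not code from the post or from any Microsoft product, showing one way such a policy evaluator can be structured: it ranks authentication methods (with SMS and voice ranked no higher than a password, as the post recommends), treats device health as a hard requirement even from a trusted location, grants only the intersection of requested and permitted scopes for a bounded time, and cuts off anomalous sessions. The scope sets, tiers, time limits, and every request in `demo()` are constructed values for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # continue only after stronger authentication
    DENY = "deny"


@dataclass(frozen=True)
class Signals:
    """The data points a request is judged on (all values constructed for the demo)."""
    user: str
    auth_methods: FrozenSet[str]     # e.g. {"password", "sms"} or {"fido2"}
    device_compliant: bool           # device health as reported by device management
    location_trusted: bool           # on the corporate network / VPN: informational only
    anomaly_score: float             # 0.0 normal .. 1.0 highly anomalous sign-in
    requested_scopes: FrozenSet[str]
    data_classification: str         # "public" | "internal" | "confidential"


@dataclass(frozen=True)
class Grant:
    decision: Decision
    scopes: FrozenSet[str]
    expires_at: Optional[datetime]
    reason: str


# Authentication strength tiers (constructed). SMS and voice codes are ranked no
# higher than a password alone, matching the advice to move away from PSTN factors.
PHISHING_RESISTANT = {"fido2", "windows_hello", "certificate"}
APP_BASED = {"authenticator"}


def auth_strength(methods: FrozenSet[str]) -> int:
    if methods & PHISHING_RESISTANT:
        return 3
    if methods & APP_BASED:
        return 2
    if "password" in methods:
        return 1          # password alone, or password plus an SMS/voice code
    return 0


# Least privilege per classification (constructed): scopes that may ever be granted,
# minimum auth strength required, and how long a grant lives before re-evaluation.
CLASSIFICATION_POLICY = {
    "public":       (frozenset({"read"}),                   1, timedelta(hours=8)),
    "internal":     (frozenset({"read", "write"}),          2, timedelta(hours=1)),
    "confidential": (frozenset({"read", "write", "share"}), 3, timedelta(minutes=15)),
}


def evaluate(s: Signals, now: datetime, anomaly_threshold: float = 0.7) -> Grant:
    """Decide a request from its signals; network location alone never grants access."""
    policy = CLASSIFICATION_POLICY.get(s.data_classification)
    if policy is None:
        return Grant(Decision.DENY, frozenset(), None, "unknown data classification")
    allowed_scopes, min_strength, ttl = policy

    # Assume breach: an anomalous session is cut off regardless of its credentials.
    if s.anomaly_score >= anomaly_threshold:
        return Grant(Decision.DENY, frozenset(), None, "anomalous sign-in")
    # Verify explicitly: device health is required even from a trusted location.
    if not s.device_compliant:
        return Grant(Decision.DENY, frozenset(), None, "device not compliant")
    # Authentication below the tier the data needs is a step-up, not a silent allow.
    if auth_strength(s.auth_methods) < min_strength:
        return Grant(Decision.STEP_UP, frozenset(), None,
                     f"{s.data_classification} data needs auth strength {min_strength}")

    # Least privilege: only the intersection of requested and permitted scopes,
    # and only for the bounded time the classification permits.
    scopes = s.requested_scopes & allowed_scopes
    if not scopes:
        return Grant(Decision.DENY, frozenset(), None, "no permitted scope requested")
    return Grant(Decision.ALLOW, scopes, now + ttl, "all checks passed")


def demo():
    """Run the evaluator over constructed requests; returns name -> Grant."""
    now = datetime(2021, 1, 28, 9, 0, tzinfo=timezone.utc)
    conf = dict(user="alice", device_compliant=True, location_trusted=True,
                anomaly_score=0.1, requested_scopes=frozenset({"read", "share"}),
                data_classification="confidential")
    cases = {
        "fido2":        Signals(auth_methods=frozenset({"fido2"}), **conf),
        "password+sms": Signals(auth_methods=frozenset({"password", "sms"}), **conf),
        "noncompliant": Signals(auth_methods=frozenset({"fido2"}),
                                **{**conf, "device_compliant": False}),
        "anomalous":    Signals(auth_methods=frozenset({"fido2"}),
                                **{**conf, "anomaly_score": 0.95}),
        "overasking":   Signals(user="bob", auth_methods=frozenset({"password", "authenticator"}),
                                device_compliant=True, location_trusted=False, anomaly_score=0.0,
                                requested_scopes=frozenset({"read", "write", "delete"}),
                                data_classification="internal"),
    }
    return {name: evaluate(sig, now) for name, sig in cases.items()}


if __name__ == "__main__":
    for name, grant in demo().items():
        print(f"{name:13s} -> {grant.decision.value:8s} {sorted(grant.scopes)}  {grant.reason}")
```

Note that `location_trusted` is carried in the signals but never consulted by `evaluate`: the point of the design is that being on the corporate network or VPN changes nothing about the decision, while the short `expires_at` forces the session to be re-evaluated against fresh signals.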

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as transport layer security (TLS) and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

That’s why having a strong identity is the critical first step to the success of a Zero Trust security approach.

Embracing Zero Trust allows organizations to harden their defenses while providing employees access to critical data, even during a cyber event. That’s because identity is the foundation of any Zero Trust security strategy: it automatically blocks attacks through adaptive security policies across users and the accounts, devices, apps, and networks they are using. Identity is the only system that connects all security solutions together, giving us end-to-end visibility to prevent, detect, and respond to distributed and sophisticated attacks, thanks to cloud technology.

“Human identities” such as passwords, biometrics, and other MFA factors are critical to identifying and authenticating humans. Being a Zero Trust organization also means pervasive use of multi-factor authentication, which we know prevents 99 percent of credential theft, and of other intelligent authentication methods that make accessing apps easier and more secure than traditional passwords.

Identity is both the foundation for Zero Trust and acts as a catalyst for digital transformation. It automatically blocks attacks through adaptive security policies. It lets people work whenever and wherever they want, using their favorite devices and applications.

That’s because Zero Trust security relies heavily on pervasive threat signals and insights. It is essential to connect the dots and provide greater visibility to prevent, detect, and respond to distributed and sophisticated attacks.

Future-proofing your security posture

As security threats become more daunting and many organizations remain in a remote work environment, global organizations must reach a state where their core operations and services will not be disrupted by unexpected global changes.

To maintain operational resilience, organizations should be regularly evaluating their risk threshold. When we talk about risk, this should include an evaluation of an organization’s ability to effectively respond to changes in the crypto landscape, such as a CA compromise, algorithm deprecation, or quantum threats on the horizon.

Bottom line: organizations must have the ability to operationally execute the processes through a combination of human efforts and technology products and services. The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event.

Operational resilience guidelines call for demonstrating that concrete measures are in place to deliver resilient services and that both incident management and contingency plans have been tested. Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Operational resilience is the necessary framework we must have in place in order to maintain business continuity during any unforeseen circumstances in the year ahead.

We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why operational resilience will be key in 2021, and how this impacts cybersecurity appeared first on Microsoft Security.

5 identity priorities for 2021—strengthening security for the hybrid work era and beyond

January 28th, 2021

When I outlined the five identity priorities for 2020, the world was a very different place. Since then, the COVID-19 pandemic has forever changed how organizations run their businesses. It’s also changed the way we work, learn, and collaborate. What hasn’t changed is the critical role identity plays in helping organizations to be secure and productive.

Yesterday, we shared the progress we’ve made with our integrated security, compliance, identity, and management solutions. Identity alone has grown at an unprecedented pace—from 300 million monthly active users (MAU) in March 2020 to 425 million today. Organizations around the world have accelerated the adoption of security and collaboration apps. But behind these numbers are stories of customers like you, working tirelessly to help your organizations stay ahead.

As I prepare for our traditional customer co-innovation week and reflect on our customers’ challenges and business goals, I want to share our five identity priorities for this year. Many of the recommendations I outlined last year still apply. In fact, they’re even more relevant as organizations accept the new normal of flexible work while bad actors continue to master sophisticated cyber attack techniques. Our 2021 recommendations will help you strengthen your identity and security foundations for the long term, so you can be ready for whatever comes next.

1. Trust in Zero Trust

Zero Trust is back this year, but this time it’s at the top of the list. The “assume breach” mentality of Zero Trust has become a business imperative. Organizations need to harden their defenses to give employees the flexibility to work from anywhere, using applications that live outside of traditional corporate network protections. When the pandemic hit last year, we worked side by side with many of you. We noticed that organizations already on their Zero Trust journey had an easier time transitioning to remote work and strengthening their ability to fend off sophisticated attacks.

The good news is that 94 percent of the security leaders we polled last July told us they had already embarked on a Zero Trust journey. Wherever you are on your journey, we recommend making identity the foundation of your approach. You can protect against credentials compromise with essential tools like multifactor authentication (MFA) and benefit from innovations like risk assessment in Identity Protection, continuous access evaluation, Intune app-protection policies, as well as Microsoft Azure Active Directory (Azure AD) Application Proxy and Microsoft Tunnel.

Looking ahead, as more services act like people by running applications (via API calls or automation) and accessing or changing data, secure them using the same principles: make sure they only get access to the data they need, when they need it, and protect their credentials from misuse.

Where to start: Take the Zero Trust assessment and visit our Deployment Center for deployment guidelines.

2. Secure access to all apps

This was our top recommendation last year, and it couldn’t be more critical today. The growth in app usage with Azure AD shows that organizations are connecting more apps to single sign-on. While this provides seamless and secure access to more apps, the best experience will come from connecting all apps to Azure AD so people can complete all work-related tasks from home and stay safer during the pandemic. Connecting all apps to Azure AD also simplifies the identity lifecycle, tightens controls, and minimizes the use of weak passwords. The result is stronger security at a lower cost: Forrester estimates that such a move can save an average enterprise almost USD 2 million over three years.

Azure AD app gallery includes thousands of pre-integrated apps that simplify deployment of single sign-on and user provisioning. If you want to extend MFA and Conditional Access to legacy on-premises apps, including header-based apps, use Azure AD Application Proxy or an integrated solution from one of our secure hybrid access partners. With our migration tools, you can modernize authentication of all apps and retire your ADFS implementation. This will help prevent attacks that are particularly difficult to detect in on-premises identity systems.

It’s also important to limit the number of admins who can manage apps across your organization, to protect privileged accounts with MFA and Conditional Access, and to require just-in-time (JIT) elevation into admin roles with Privileged Identity Management.

Where to start: Learn how to use Azure AD to connect your workforce to all the apps they need.

3. Go passwordless

We’ll keep repeating the mantra “Go passwordless” as long as passwords remain difficult for people to remember and easy for hackers to guess or steal. Since last year we’ve seen great progress: in May, we shared that over 150 million users across Azure AD and Microsoft consumer accounts were using passwordless authentication. By November, passwordless usage in Azure AD alone had grown by more than 50 percent year-over-year across Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys from partners like AuthenTrend, Feitian, or Yubico.

Passwordless authentication can minimize or eliminate many identity attack vectors, including those exploited in the most sophisticated cyberattacks. At a minimum, going passwordless should be non-negotiable for admin-level accounts. Moreover, providing employees with a fast, easy sign-in experience saves time and reduces frustration. Forrester estimates that consolidating to a single identity solution and providing one set of credentials saves each employee 10 minutes a week on average, or more than 40 hours a year. Imagine additional savings from not having to reset passwords or mitigate phishing attacks.

Where to start: Read the Forrester Report, “The Total Economic Impact™ Of Securing Apps With Microsoft Azure Active Directory.”

4. Choose and build secure-by-design apps

Because attacks on applications are growing, it’s important to go a step beyond integrating apps with Azure AD to deploying apps that are secure by design. Build secure authentication into the apps you write yourself using the Microsoft Authentication Library (MSAL). Ideally, apps should go passwordless too, so ensure they’re using strong credentials like certificates. If your apps interact with other Microsoft services, take advantage of the identity APIs in Microsoft Graph. Whenever possible, choose third-party apps from verified publishers. Since publisher verification badges make it easier to determine whether an app comes from an authentic source, encourage your ISV partners to become verified publishers if they haven’t already.

Since most apps ask to access company data, administrators may choose to review consent requests before granting permissions. While neglecting to review requests is a security risk, doing it for every single app used by every single employee takes too much time and costs too much. Fortunately, new features like app consent policies and admin consent workflow help avoid the extreme choices of reviewing all requests or delegating full responsibility to employees. Regularly review your apps portfolio and take action on overprivileged, suspicious, or inactive apps.

Where to start: Update your applications to use Microsoft Authentication Library and Microsoft Graph API, adopt app consent policies and publisher verification practices, and follow identity platform best practices.

5. Break collaboration boundaries

We know that partners, customers, and frontline workers are essential to your business. They, too, need simple and secure access to apps and resources, so they can collaborate and be productive, while administrators need visibility and controls to protect sensitive data.

Simplify collaboration for external users with intuitive self-service sign-up flows and the convenience of using their existing email or social account. For frontline workers, Azure AD offers simple access, through sign-in with a one-time SMS passcode, which eliminates the need to remember new credentials. For frontline managers, the My Staff portal makes it easy to set up SMS sign-in, to reset passwords, and to grant access to resources and shared devices without relying on help desk or IT.

Visibility and control are easier to achieve when managing all identities using a common toolset. You can apply the same Conditional Access policies for fine-grained access control to services, resources, and apps. By setting up access review campaigns, or using automated access reviews for all guest users in Microsoft Teams and Microsoft 365 groups, you can ensure that external guests don’t overstay their welcome and only access resources they need.

Where to start: Learn more about Azure AD External Identities and using Azure AD to empower frontline workers.

Get started on the future now: Explore verifiable credentials

During the pandemic, you’ve had to support not only remote work but also remote recruiting. People usually show up to an interview with documentation in hand that confirms their identity and qualifications. It’s more complicated to vet candidates remotely, especially when hiring needs to happen quickly—for example, in the case of essential workers.

Microsoft and industry-leading ID verification partners are pushing the frontier of identity by transforming existing ID verification practices with open standards for verifiable credentials and decentralized identifiers. Verifiable credentials are the digital equivalent of documents like driver’s licenses, passports, and diplomas. In this paradigm, individuals can verify a credential with an ID verification partner once, then add it to Microsoft Authenticator (and other compatible wallets) and use it everywhere in a trustworthy manner. For example, a gig worker can verify their driver’s license and picture digitally, and then use it to get hired by a ride-sharing service and a food delivery company.

Such an approach can improve verification while protecting privacy across the identity lifecycle: onboarding, activating credentials, securing access to apps and services, and recovering lost or forgotten credentials. We’re piloting this technology with customers like the National Health Service in the UK and MilGears, a program of the United States Department of Defense that helps service members and veterans enroll in higher education and jumpstart their civilian careers.

Where to start: Watch our Microsoft Ignite session on Decentralized Identity and join the Decentralized Identity Foundation.

Whether your top priority is modernizing your infrastructure and apps or implementing a Zero Trust security strategy, we are committed to helping you every step of the way. Please send us your feedback so we know what identity innovations you need to keep moving forward on your digital transformation journey.

The post 5 identity priorities for 2021—strengthening security for the hybrid work era and beyond appeared first on Microsoft Security.

Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth

January 27th, 2021

I joined Microsoft a little more than six months ago—amid a global pandemic and a new norm of remote work, as well as one of the most rapidly evolving threat landscapes in history. We’ve witnessed more sophisticated attacks, like the recent SolarWinds incident, as well as an increase in attack surfaces as devices and online experiences have become more central to the way we work, learn, and live.

In solving these complex challenges alongside our customers and partners, Microsoft takes cybersecurity out of a place of fear and makes it about innovation and empowerment. Every single day, I am inspired by the team here, by their great wisdom, resilience, expertise, and by their commitment to living the mission we espouse.

Yesterday, Satya shared an important milestone for our security business: $10 billion in revenue in the past 12 months, representing more than 40 percent year-over-year growth. That number includes our security, compliance, identity, and management businesses, and it is a testament to the trust our customers have placed in us.

What drives us now is creating a true Zero Trust mindset, which we believe is the cornerstone of effective protection, the foundation for organizational resilience, and the future of security. As part of that, I want to explain more about the work we do to help keep our customers secure, what makes us unique, and a look at some of our latest innovations.

What makes us different

Our approach to security is unique in the industry. Microsoft has two security superpowers—an integrated approach and our incredible AI and automation. We tackle security from all angles—inside-out and outside-in. It’s why we combine security, compliance, identity, and management as an interdependent whole. In security, a silo is an opportunity for an exploit. No one else brings these critical parts of risk management together, not as a suite but as an approach that solves problems for customers on their terms across clouds and platforms.

Given Microsoft’s footprint across so many technologies, we’ve been in a unique position to think holistically about the core aspects of security: stretching from identity and access management; through endpoint, email, and application security; to data loss prevention and into cloud security and SIEM. We have an approach that is truly end-to-end, and it is notable in how deeply this is embedded in our culture. Microsoft’s security organization is an intense, massive collaboration that drives services, intelligence, technologies, and people—all coming together as one humming machine with a singular mission.

Next, consider the tremendous number of signals we take in across our platforms and services, over eight trillion security signals every 24 hours. Using the latest in machine learning and artificial intelligence techniques—plus the power of smart humans—we put these signals to work on behalf of our customers. In 2020 alone, almost six billion malware threats were blocked on endpoints protected by Microsoft Defender.

Infographic that describes how Microsoft protects devices, secures identities, ensures compliance, and detects threats.

Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions.

Protecting our customers

Today’s world of security is really a cat and mouse game. You have to know what the adversaries and threat actors are up to every single day. However, a cyber-attack is ultimately about safety, a fundamental human need. We’ve seen what happens to people as they’re going through attacks, and it’s not pleasant. So, when we’re talking to customers around the world, our mission is really to give them peace of mind.

We can secure our customers best when we invest in these areas:

  • All clouds, all platforms: We believe that anything less than comprehensive security is no security at all. That’s why our security, compliance, identity, and management solutions work seamlessly across platforms and we strive to extend to all clouds and all apps, whether or not Microsoft is being used throughout the computing environment. A great example of this is Azure Sentinel, our cloud-based SIEM, which in less than a year is now helping over 9,000 customers protect their cloud workloads. Our commitment to comprehensive security is so absolute that we are empowering our customers to protect their cloud workloads wherever they are hosted, including Amazon Web Services and Google Cloud Platform. Likewise, Microsoft Defender now protects iOS, Android, macOS, and Linux.
  • Simplicity in the face of complexity: In my first customer meeting at Microsoft, on which Satya joined me, a customer told me she just wanted a simple button that would make everything work—could Microsoft help? That really stuck with me. Our customers want to be enablers of innovation in their organizations, and they know that effective security is critical to that work. We must make it easier for them. We hear from our global user community that they want best-in-breed combined with best-in-integration. When faced with complexity, they want greater simplicity. It’s our mission to deliver that and help our customers adapt quickly to a changing world.
  • A vibrant ecosystem: Microsoft welcomes and encourages an industry of strong competition that makes us all better. The Microsoft Intelligent Security Association is a community of more than 175 partner companies who have created over 250 integrations with Microsoft products and services, helping organizations close the gaps between fragmented security solutions and minimize risk. In addition, we delivered an industry record of $13.7 million in bug bounty awards to 327 researchers from more than 55 countries in fiscal year 2020, to help find and address potential vulnerabilities in our products and services before they can be weaponized by malicious actors.

Some new multi-cloud, multi-platform solutions and a look ahead

In addition to our financial news, today we are pleased to share a bit of product news.

Azure Security Center multi-cloud support is now available, including a unified view of security alerts from Amazon Web Services and Google Cloud, as well as enhancements to Azure Defender to protect multi-cloud virtual machines. Today, we are also announcing the availability of Azure Defender for IoT, which adds a critical layer of agentless security for Operational Technology (OT) networks in industrial and critical infrastructure organizations; as well as Application Guard for Office, which opens documents in a container to protect users from malicious content. These new solutions help protect users and businesses across devices, platforms, and clouds.

According to the Microsoft identity 2020 app trends report, out today, providing secure remote access to resources, apps, and data became the top challenge for business leaders in the past year. With Azure Active Directory (Azure AD), our cloud identity solution that provides secure and seamless access to 425 million users, organizations can choose from thousands of pre-integrated apps within the Azure AD app gallery, or bring their own apps. Microsoft Cloud App Security helps protect users, ensuring apps like Salesforce, Workday, and ServiceNow can be quickly adopted and safely managed. The enthusiasm we are seeing for both Azure AD and MCAS truly shows the importance our customers are placing on securing third-party applications.

Our work to make the world more secure for all really does extend to all—from the largest Fortune 100 companies and world governments to individuals. Last week we began rolling out new security features for Microsoft Edge including password generator and Password Monitor, as well as easier to understand options for managing data collection and privacy. We continue to invest in building solutions to help consumers stay more secure and look forward to sharing more in the future.

The milestones and announcements we have today give us an opportunity to celebrate the work of defenders around the world.

As we look to meet the challenges of the future, we’ll continue to invest in a vibrant ecosystem of partners and in building a competitive and cooperative industry that makes us all better. And we are laser-focused on delivering simplicity in the face of complexity, so everything works, and our defender community is empowered to do more.

Ultimately security is about people: protecting people, bringing people together, sharing knowledge and tools to collectively strengthen our defenses. We look forward to sharing more in the coming months about new areas of focus and investment as we continue our commitment to serve this community. We are for defenders, with defenders, and we are defenders ourselves. The fundamental ethos of our efforts is to make the world a safer place for all.

To learn more about Microsoft Security solutions visit our website and watch our webcast to learn how to streamline and strengthen your security.

Bookmark the Security blog to keep up with expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth appeared first on Microsoft Security.

How companies are securing devices with Zero Trust practices

January 25th, 2021

Organizations are seeing a substantial increase in the diversity of devices accessing their networks. With employees using personal devices and accessing corporate resources from new locations in record numbers, IT leaders are seeing an increase in their attack surface area. They’re turning to Zero Trust security models to ensure they have the visibility they need, and that their data is protected as it’s accessed from outside the corporate network using a wider variety of devices.

We surveyed IT leaders around the world to determine how they’re using Zero Trust practices to protect their devices and enable access to the corporate network from unsecured devices.

A clickable link to the full PDF infographic to the Zero Trust whitepaper

  1. More personal devices are accessing corporate resources than ever. In response to the substantial shift to remote work, IT leaders report seeing more of their employees using personal devices to access their networks. As a result, they’re prioritizing device management solutions to improve security and control on personal devices.
  2. Devices accessing the network are monitored but often left out of access decisions. While most IT leaders report that they’re monitoring device health and compliance, the majority aren’t currently using that status in their access decision making. Preventing unauthorized and risky devices is critical to protecting corporate data in a modern environment.
  3. Personal devices are widely agreed to increase risk exposure. Over 92 percent of IT leaders agree that a proliferation of personal devices is increasing their attack surface area. However, far fewer say they’re prepared to manage access from unsecured devices.

Check out the infographic for more details.

If you’re looking at how to help prevent devices from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for endpoints.


The post How companies are securing devices with Zero Trust practices appeared first on Microsoft Security.

Using Zero Trust principles to protect against sophisticated attacks like Solorigate

January 19th, 2021

The Solorigate supply chain attack has captured the focus of the world over the last month. This attack was simultaneously sophisticated and ordinary. The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques, and procedures (TTPs) were individually ordinary.

Companies operating with a Zero Trust mentality across their entire environment are more resilient, consistent, and responsive to new attacks, and Solorigate is no different. As threats increase in sophistication, Zero Trust matters more than ever, but gaps in the application of the principles, such as unprotected devices, weak passwords, and incomplete multi-factor authentication (MFA) coverage, can be exploited by actors.

Zero Trust Principles

Applying Zero Trust

Zero Trust in practical terms is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual real-time policy enforcement to achieve least privileged access and minimize risks. Automation and Machine Learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.

Zero Trust Policy

Verify explicitly

To verify explicitly means we should examine all pertinent aspects of access requests instead of assuming trust based on a weak assurance like network location. Examine the identity, endpoint, network, and resource then apply threat intelligence and analytics to assess the context of each access request.

When we look at how attackers compromised identity environments with Solorigate, there were three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification.

  • Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network. On-premises identity systems are more vulnerable to these common attacks because they lack cloud-powered protections like password protection, recent advances in password spray detection, or enhanced AI for account compromise prevention.
  • Again, in cases where the actor succeeded, highly privileged vendor accounts lacked protections such as MFA, IP range restrictions, device compliance, or access reviews. In other cases, user accounts designated for use with vendor software were configured without MFA or policy restrictions. Vendor accounts should be configured and managed with the same rigor as used for the accounts which belong to the organization.
  • Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress. The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.

Cloud identity, like Azure Active Directory (Azure AD), is simpler and safer than federating with on-premises identity. It is easier to maintain (fewer moving parts for attackers to exploit), and your Zero Trust policy can be informed by cloud intelligence. Our ability to reason over more than eight trillion signals a day across the Microsoft estate, coupled with advanced analytics, allows for the detection of anomalies that are very subtle and only detectable in very large data sets. User history, organization history, threat intelligence, and real-time observations are an essential mechanism in a modern defense strategy. Enhance this signal with endpoint health and compliance, device compliance policies, app protection policies, session monitoring and control, and resource sensitivity to get to a Zero Trust verification posture.

For customers that use federation services today, we continue to develop tools to simplify migration to Azure AD. Start by discovering the apps that you have and analyzing migration work using Azure AD Connect health and activity reports.

Least privileged access

Zero Trust: Microsoft Step by Step

Least privileged access helps ensure that permissions are only granted to meet specific business goals from the appropriate environment and on appropriate devices. This minimizes the attacker’s opportunities for lateral movement by granting access in the appropriate security context and after applying the correct controls—including strong authentication, session limitations, or human approvals and processes. The goal is to compartmentalize attacks by limiting how much any compromised resource (user, device, or network) can access others in the environment.

With Solorigate, the attackers took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all. Conversely, customers with good least-privileged access policies such as using Privileged Access Workstations (PAW) devices were able to protect key resources even in the face of initial network access by the attackers.
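To make the "verify explicitly" and "least privileged access" principles above concrete, here is a small policy decision point written for this article as an added example. It is not Microsoft code and does not model any specific Azure AD or Conditional Access feature. It evaluates every request against identity risk, MFA state, device compliance, source network, and the roles the resource actually grants, and it collects every failed check rather than stopping at the first, so a denial is explainable. The network range, resource names, sensitivity labels, and role names are constructed for the example. The three sample requests correspond to the gaps described above: a vendor account with no MFA or network restriction, the same account after hardening, and an employee whose MFA is satisfied but whose unmanaged device and over-broad request do not justify access to a sensitive resource.

```python
"""Toy Zero Trust policy decision point (added example, not Microsoft code).

Every access request is checked against all available signals: the identity's
risk and MFA state, the endpoint's compliance, the network source, and the
sensitivity of the resource. Nothing is trusted because of where the request
comes from. All policy data below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AccessRequest:
    user: str
    account_type: str          # "employee" or "vendor"
    mfa_satisfied: bool
    device_compliant: bool
    source_ip: str
    user_risk: str             # "low", "medium" or "high", from risk analytics
    resource: str
    roles: FrozenSet[str]      # roles actually assigned to the identity


@dataclass
class Decision:
    allow: bool
    reasons: List[str]         # every failed check, so a denial is explainable


# Stable reason strings so callers can match on them.
REASON_HIGH_RISK = "user risk is high"
REASON_NO_MFA = "MFA not satisfied"
REASON_RISKY_SENSITIVE = "medium user risk may not reach a high-sensitivity resource"
REASON_DEVICE = "non-compliant device may not reach a high-sensitivity resource"
REASON_VENDOR_NETWORK = "vendor account outside its allowed network ranges"
REASON_NO_ROLE = "no assigned role grants access to this resource"

# Constructed policy data (hypothetical). A real deployment reads these from
# the identity provider and the resource's own access configuration.
VENDOR_ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]
RESOURCE_SENSITIVITY = {"finance-db": "high", "wiki": "low"}
RESOURCE_ROLES = {
    "finance-db": {"finance-admin"},
    "wiki": {"employee", "vendor-readonly"},
}


def evaluate(req: AccessRequest) -> Decision:
    """Apply every check and collect all failures; no single signal is trusted alone."""
    reasons: List[str] = []
    # Fail closed: a resource with no sensitivity label is treated as sensitive.
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "high")

    # Verify explicitly: identity, endpoint and network signals.
    if req.user_risk == "high":
        reasons.append(REASON_HIGH_RISK)
    if not req.mfa_satisfied:
        reasons.append(REASON_NO_MFA)
    if req.user_risk == "medium" and sensitivity == "high":
        reasons.append(REASON_RISKY_SENSITIVE)
    if sensitivity == "high" and not req.device_compliant:
        reasons.append(REASON_DEVICE)
    if req.account_type == "vendor":
        src = ip_address(req.source_ip)
        if not any(src in net for net in VENDOR_ALLOWED_NETWORKS):
            reasons.append(REASON_VENDOR_NETWORK)

    # Least privilege: the identity must hold a role the resource actually grants.
    if not (req.roles & RESOURCE_ROLES.get(req.resource, set())):
        reasons.append(REASON_NO_ROLE)

    return Decision(allow=not reasons, reasons=reasons)


def sample_decisions() -> Dict[str, Decision]:
    """Constructed requests illustrating the gaps described in the post."""
    requests = {
        # Vendor service account with no MFA, connecting from an unlisted network.
        "vendor_unprotected": AccessRequest(
            "svc-vendor", "vendor", False, True, "198.51.100.7",
            "low", "finance-db", frozenset({"finance-admin"})),
        # The same account once MFA and a network restriction are enforced.
        "vendor_hardened": AccessRequest(
            "svc-vendor", "vendor", True, True, "203.0.113.20",
            "low", "finance-db", frozenset({"finance-admin"})),
        # Employee with MFA, but an unmanaged device and no role on the resource.
        "employee_unmanaged": AccessRequest(
            "alice", "employee", True, False, "192.0.2.9",
            "low", "finance-db", frozenset({"employee"})),
    }
    return {name: evaluate(r) for name, r in requests.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name}: {'ALLOW' if decision.allow else 'DENY'} {decision.reasons}")
```

Running the script prints one verdict per sample request. Two design choices matter in practice: an unlabelled resource is treated as sensitive rather than open, so a gap in classification fails closed, and every failed check is recorded rather than only the first, which is what lets an operator see that a vendor account was missing both MFA and a network restriction instead of fixing one and being surprised by the next denial.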

Assume breach

Our final principle is to Assume Breach, building our processes and systems assuming that a breach has already happened or soon will. This means using redundant security mechanisms, collecting system telemetry, using it to detect anomalies, and wherever possible, connecting that insight to automation to allow you to prevent, respond and remediate in near-real-time.

Sophisticated analysis of anomalies in customer environments was key to detecting this complex attack. Customers that used rich cloud analytics and automation capabilities, such as those provided in Microsoft 365 Defender, were able to rapidly assess attacker behavior and begin their eviction and remediation procedures.

Importantly, organizations such as Microsoft that do not rely on “security through obscurity,” but instead model as though the attacker is already observing them, can have more confidence that mitigations are already in place, because their threat models assume attacker intrusion.

Summary and recommendations

It bears repeating that Solorigate is a truly significant and advanced attack. Ultimately, however, the risk from the attacker techniques observed in this incident can be significantly reduced or mitigated by the application of known security best practices. For organizations, including Microsoft, thorough application of a Zero Trust security model provided meaningful protection against even this advanced attacker.

To apply the lessons from the Solorigate attack and the principles of Zero Trust that can help protect and defend, get started with these recommendations:

  1. More than any other single step, enable MFA to reduce account compromise probability by more than 99.9 percent. This is so important, we made Azure AD MFA free for any Microsoft customer using a subscription of a commercial online service.
  2. Configure for Zero Trust using our Zero Trust Deployment Guides.
  3. Look at our Identity workbook for Solorigate.

Stay safe out there.

Alex Weinert

For more information about Microsoft Zero Trust please visit our website.

The post Using Zero Trust principles to protect against sophisticated attacks like Solorigate appeared first on Microsoft Security.

How IT leaders are securing identities with Zero Trust

January 19th, 2021

The past twelve months have been a remarkable time of digital transformation as organizations, and especially digital security teams, adapt to working remotely and shifting business operations. IT leaders everywhere turned to Zero Trust approaches to alleviate the challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.

A clickable link to the full PDF infographic to the Zero Trust whitepaper

  1. Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices into their identity and access solution, only a minority have moved on to more advanced controls that utilize automation and AI-based threat analysis.
  2. Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
  3. Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. However, surprisingly, the majority of IT leaders do not rate identities as the most mature component in their Zero Trust strategy.
  4. Zero Trust is still in infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.

Read the full report for more details.

If you’re looking for how to help prevent identities from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.


The post How IT leaders are securing identities with Zero Trust appeared first on Microsoft Security.

Building a Zero Trust business plan

December 9th, 2020

These past six months have been a remarkable time of transformation for many IT organizations. With the forced shift to remote work, IT professionals have had to act quickly to ensure people continue working productively from home—in some cases bringing entire organizations online over a weekend. While most started by scaling existing approaches, many organizations are now turning to Zero Trust approaches to rapidly enable and secure their remote workforce.

We are committed to helping customers plan and deploy Zero Trust. Last month, we announced our Zero Trust Deployment Center, a repository of resources to help accelerate the deployment of Zero Trust across data, applications, network, identity, infrastructure, and devices.

This month, we’re excited to share the release of our Zero Trust Business Plan. This document captures lessons learned from leaders who sponsored, guided, and oversaw the adoption of Zero Trust within customers’ organizations. This document will provide guidance across the full lifecycle of your Zero Trust initiative:

  • Plan: Build a business case focused on the outcomes that are most closely aligned with your organization’s risks and strategic goals.
  • Implement: Create a multi-year strategy for your Zero Trust deployment and prioritize early actions based on business needs.
  • Measure: Track the success of your Zero Trust deployment to provide confidence that the implementation of Zero Trust provides measurable improvements.


Other resources

Check out our growing repository of resources ready to help you with Zero Trust, regardless of where you are in your journey. Our Zero Trust assessment tool is a great way to measure your overall maturity and progress toward Zero Trust (including your existing capabilities). This new business plan provides a practical guide to implementing a Zero Trust framework. Our Zero Trust deployment guidance provides clear technical implementation guidance. Visit our Zero Trust page to stay up to date on the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.


The post Building a Zero Trust business plan appeared first on Microsoft Security.
