
Archive for the ‘Microsoft Intelligent Security Association (MISA)’ Category

Announcing 2022 Microsoft Security Excellence Awards winners

June 6th, 2022

Spirits soared at the Microsoft Security Excellence Awards on June 5, 2022. And is it any wonder? The celebration marked the first time that Microsoft executives and Microsoft Intelligent Security Association (MISA) members had gathered in person in more than two years, so it was a special night for many reasons!

Formerly known as the Microsoft Security 20/20 Awards, the Microsoft Security Excellence Awards recognizes MISA member success across security during the past 12 months. MISA is a coalition of Microsoft leaders and subject matter experts, independent software vendors (ISVs), and managed security service providers (MSSPs) working together to defend against increasing security threats.

Attendees donned their fashionably festive best and gathered at the brightly lit San Francisco Design Center for cocktails, dinner, networking, and awards recognition. They smiled as they caught up with folks they may not have seen in years—and some even made new connections.

The stars of the evening were all the MISA members that work tirelessly to ensure the security of our shared customers. Congratulations to all our award finalists and winners! After cocktails, conversation, and dinner, Microsoft executives Vasu Jakkal, Phil Montgomery, Andrew Conway, Alym Rayani, Irina Nechaeva, Desmond Forbes, Sue Bohn, Mandana Javaheri, Madhu Prasha, and Scott Woodgate handed out the awards. Vasu Jakkal, Corporate Vice President of Microsoft Security, praised the recipients for their achievements.

“I’m so honored to recognize this year’s award winners. MISA members regularly impress us with their shared vision of helping create a more secure world,” Vasu said. “They support this mission through their solutions and services, their dedication to innovation, and their dedication to customers. Security is a team sport, and we are so proud to defend together with our MISA community. Heartiest congratulations to all of this year’s winners.” 

Be fearless with comprehensive security

Microsoft and MISA members share a commitment to supporting customers in their efforts to be fearless. That means ensuring that they have the comprehensive security necessary to help them grow their enterprise securely to match their vision. When we talk about comprehensive security, we’re not referring merely to security coverage, though that’s important. We’re also talking about best-in-breed protection, built-in intelligence, and simplified management.

Companies become fearless about cybersecurity when they:

  • Gain confidence that their data and people are more protected—so they can limit nothing.
  • Natively integrate individual layers of protection across clouds, platforms, endpoints, and devices.
  • Get alerts from 24 trillion security signals analyzed every 24 hours.
  • Reduce the risk of data breaches and compliance violations.

Of course, partners are key to giving customers the results that ease their security worries.

Our 2022 Microsoft Security Excellence Awards finalists

A Microsoft cross-functional group decided on this year’s 10 award categories, including 4 categories where MISA members could nominate themselves. We carefully selected these categories to celebrate all the unique ways that MISA members support customers and Microsoft security products. We received hundreds of award nominations and the same panel carefully read each and narrowed the award nominees to three for each category. Microsoft and MISA members then voted on our winners.

Security ISV of the Year

ISVs that are all-around powerhouses, show growth potential, and have innovative security solutions that integrate with a MISA-qualifying security product.

Security MSSP of the Year

MSSPs that are all-around powerhouses with strong integration between Microsoft products and ongoing managed security services that drive the end-to-end Microsoft Security stack to our mutual customers.

Security Trailblazer

Partners that are outstanding leaders in accelerating customers’ efforts to mitigate cybersecurity threats and that have developed innovative solutions or services that leverage Microsoft Security products.

Compliance and Privacy Trailblazer

Partners that deliver innovative solutions or services and are distinguished leaders in driving holistic or end-to-end Microsoft compliance or privacy strategy with customers.

Identity Trailblazer

Partners that are leaders in the identity space and have driven identity-related initiatives and delivered innovative solutions or services with Microsoft Azure Active Directory.

Zero Trust Champion

Partners that are dedicated to supporting customers in their Zero Trust journey and that have demonstrated vital integrations with the Microsoft Zero Trust platform.

Security Software Innovator

ISVs that have developed innovative solutions with disruptive and transformative technology in collaboration with Microsoft that makes work easier for our mutual customers.

Security Services Innovator

MSSPs that are exceptional at educating the market on Internet of Things (IoT) and Operational Technology (OT) security-related initiatives and that deliver innovative and transformative security services to customers.

Security Customer Champion

Partners that go above and beyond to drive customer impact and that have a proven track record of customer obsession and success.

Security Changemaker

Individuals within partner organizations who have made a remarkable security contribution to the company or to the larger security community.

Excited for another year of MISA success

Congratulations again to all our finalists and winners! Your innovation and your commitment to helping customers be fearless impress us every day. We can’t wait to see what exciting accomplishments our partners achieve over the next 12 months and hope to see you at next year’s Microsoft Security Excellence Awards!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Announcing 2022 Microsoft Security Excellence Awards winners appeared first on Microsoft Security Blog.

Easy authentication and authorization in Azure Active Directory with No-Code Datawiza

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

The acceleration of cloud journeys fueled by the pandemic and ever-increasing concerns about data security and information privacy have made access management one of the hottest topics in application security and Zero Trust architecture discussions. Over the last several years, the industry has made tremendous progress on identity and access management, and Microsoft Azure Active Directory (Azure AD), with its focus on comprehensive, cloud-based identity services built for Zero Trust, is a perfect example of this.

Achieving a secure environment is top of mind for both public and private sector organizations, with research firm forecasts anticipating that the global Zero Trust security market will grow from USD 19.6 billion in 2020 to USD 51.6 billion by 2026. The United States government has mandated a federal Zero Trust architecture strategy, while businesses of every size are working to implement modern identity and access management solutions that support single sign-on (SSO), multifactor authentication, and many other key features, including adaptive and context-aware policies, governance intelligence, and automation.[1]

To achieve Zero Trust for applications and services, we must ensure people are who they say they are and that only the right people have access to sensitive information. This is the only way to comply with evolving data privacy regulations such as General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Consequently, companies must create a comprehensive, manageable way to authenticate and authorize every attempt to access data—based on a least-privileged access principle—while still providing users with the secure self-service access they need.

Datawiza, a cloud-delivered, no-code platform for easily implementing both authentication and authorization for all types of applications and APIs, works with Azure AD to help IT accelerate this key area of the journey to Zero Trust and get the most value from their hybrid multicloud environments.

As an access management as a service (AMaaS) platform, Datawiza dramatically reduces the time and engineering costs required to integrate applications with Azure AD, eliminating months of development effort thanks to its no-code approach. Developers don’t have to learn complex modern SSO protocols like OpenID Connect (OIDC), OAuth, and Security Assertion Markup Language (SAML), or use different software development kits (such as .NET, Java, and PHP) to write integration code for each application.

Figure: Web client diagram utilizing Datawiza and Microsoft Azure Active Directory.

Leveraging Datawiza with Azure AD supports comprehensive SSO and multifactor authentication across applications, with fine-grained access controls. The application types can include:

  • Homegrown applications that are written in different programming languages such as Java, PHP, and Python. These applications can reside in multicloud environments or on-premises.
  • Legacy applications, such as those from Oracle, that were never designed for the cloud and may still rely on a legacy identity solution, such as Symantec SiteMinder, on-premises Lightweight Directory Access Protocol (LDAP), or custom-built basic authentication. In fact, Datawiza can empower companies to retire their legacy identity solutions.
  • Business-to-business (B2B) multi-tenant applications available to customers using Azure AD, as well as other identity platforms.
  • Open-source tools that would otherwise require expensive enterprise license fees from the vendor to use the SSO feature to connect with Azure AD.

Options for integrating homegrown and legacy applications with Azure AD

Integrating homegrown or legacy applications with Azure AD is imperative. Not doing so leads to critical security gaps. It also causes frustration for users who need to sign into multiple applications, as well as administrators who must constantly update user profiles in multiple locations.

Integrating these applications with Azure AD requires coding and security expertise. And whether you use your developer resources or legacy on-premises gateways, as we hear from our customers, it usually takes more time and resources than anticipated—distracting development and DevOps teams from their strategic tasks. If your organization relies on a hybrid multicloud environment, the challenges are even greater. You may also consider using a free open-source software proxy, such as OAuth2-proxy, but this is still time-consuming, providing little benefit compared to the do-it-yourself approach. Further, with each of these approaches, all the effort that goes into integrating a single application must be repeated for each additional application.

How the Datawiza No-Code platform works

The Datawiza No-Code platform offers a new approach, providing authentication and authorization as a service, so it can be implemented quickly, without the need to deploy any hardware or heavyweight enterprise software, or having to rewrite applications or write new code. Datawiza uses a lightweight, cloud-delivered proxy for connecting any application and service to Azure AD, and it can also integrate across other public and private clouds.

Integrating each application takes only minutes, so the more applications you need to integrate, the more time you save—all with a single Datawiza license. And with security expertise built-in, the Datawiza AMaaS platform eliminates the need to hire an expensive new resource or consultant, while also facilitating improved governance by providing policy-defined, URL-level access controls based on detailed user and device attributes, such as group, role, IP, or browser.

How Datawiza and Azure AD work together

  1. When a user attempts to log into any application, Datawiza intercepts the access request and authenticates it using a built-in connection to Azure AD through the OIDC or SAML protocol.
  2. The user signs in through the Azure AD login page, and the OIDC or SAML message exchanges between Azure AD and Datawiza are completed automatically on behalf of the application.
  3. Datawiza authorizes the request based on the fine-grained access policies configured in the management console and the user attributes from Azure AD.
  4. Datawiza then sends the correct credentials to the application, which uses the fine-grained access policies configured in the management console to display only the appropriate information.
  5. An IT administrator configures the platform, applications, and access policies using the Datawiza management console, instead of having to deal with configuration files scattered across hybrid multicloud environments.

Figure: Datawiza’s integration with Microsoft Azure Active Directory.
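As an added example in Python (not Datawiza’s code or configuration), here is the decision a proxy of this kind makes for each request: the ID-token claims returned by the OIDC exchange are checked for issuer, audience and expiry before they are trusted, and then an ordered, deny-by-default policy applies URL-prefix rules on group, role, source network and browser, the attribute types the text lists. The issuer, audience, group names, app roles, paths and networks are all hypothetical.

```python
import ipaddress
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical values for the protected application; the tenant id is a placeholder.
EXPECTED_ISSUER = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
EXPECTED_AUDIENCE = "api://hr-portal"


def validate_claims(claims: dict, now: Optional[float] = None) -> bool:
    """Trust the ID-token claims only if they were issued by the expected tenant,
    for this application, and have not expired. Signature verification is assumed
    to have been done by the OIDC library that decoded the token."""
    now = time.time() if now is None else now
    return (
        claims.get("iss") == EXPECTED_ISSUER
        and claims.get("aud") == EXPECTED_AUDIENCE
        and float(claims.get("exp", 0)) > now
    )


@dataclass
class Rule:
    """One URL-level access rule; an empty constraint means 'not checked'."""
    path_prefix: str
    groups: Set[str] = field(default_factory=set)      # any of these directory groups
    roles: Set[str] = field(default_factory=set)       # any of these app roles
    networks: List[str] = field(default_factory=list)  # allowed source CIDRs
    browsers: Set[str] = field(default_factory=set)    # allowed User-Agent families

    def applies_to(self, path: str) -> bool:
        base = self.path_prefix.rstrip("/")
        return path == self.path_prefix or path.startswith(base + "/")

    def permits(self, claims: dict, src_ip: str, browser: str) -> bool:
        if self.groups and not self.groups & set(claims.get("groups", [])):
            return False
        if self.roles and not self.roles & set(claims.get("roles", [])):
            return False
        if self.networks:
            ip = ipaddress.ip_address(src_ip)
            if not any(ip in ipaddress.ip_network(net) for net in self.networks):
                return False
        if self.browsers and browser not in self.browsers:
            return False
        return True


# Constructed policy, most specific prefix first; the first matching rule decides.
POLICY = [
    Rule("/admin", roles={"HR.Admin"}, networks=["10.0.0.0/8"]),
    Rule("/payroll", groups={"grp-payroll"}, browsers={"Edge", "Chrome"}),
    Rule("/", groups={"grp-employees"}),
]


def authorize(path: str, claims: Optional[dict], src_ip: str, browser: str,
              now: Optional[float] = None) -> str:
    """The proxy's decision for one request:
    'redirect' -> no valid session: send the user to the identity provider's login page;
    'allow'    -> forward to the application with the user's identity attached;
    'deny'     -> answer 403 without ever touching the application."""
    if claims is None or not validate_claims(claims, now):
        return "redirect"
    for rule in POLICY:
        if rule.applies_to(path):
            return "allow" if rule.permits(claims, src_ip, browser) else "deny"
    return "deny"  # no rule covers the path: deny by default
```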

Datawiza, the no-code path to Zero Trust access management

The Datawiza No-Code platform can accelerate your Azure AD journey to Zero Trust for your applications and APIs by eliminating the need for developers to extend controls to support Zero Trust requirements such as SSO and multifactor authentication. Datawiza authenticates and authorizes every employee, customer, contractor, or partner each time they access an application or API—with fine-grained access controls—and supports every type of application in hybrid multicloud environments. With Datawiza, policy administrators can leverage “change once, propagate everywhere” to keep policies, roles, and permissions updated and synced across hundreds or thousands of datasets. And Datawiza maintains the relationships between applications and Azure AD as the applications are updated, future-proofing your environment.

Learn more

Learn more about Microsoft identity and access management.

The Datawiza Platform is available in the Microsoft Azure Marketplace. More information and a free trial are also available on the Datawiza website.

To learn more about MISA, visit our MISA website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products. 



[1] Bob Violino, Why companies are moving to a ‘zero trust’ model of cyber security, March 3, 2022.


Automating your Microsoft security suite with D3 XGEN SOAR  

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

There are certain pain points in the average security operations center (SOC) that, no matter what else changes in the security landscape, stay among the most entrenched problems. You can probably name them off the top of your head: an overwhelming number of security alerts; the ongoing shortage of skilled cybersecurity professionals; the inability to detect and respond to increasingly sophisticated attacks; and the proliferation of tools (76 in the average enterprise SOC) that do not always work well together.[1] But these challenges have something else in common besides being the primary causes of headaches among security pros: they are all alleviated by security orchestration, automation, and response—better known as SOAR.[2] In this blog post, learn how D3 Security’s XGEN SOAR integrates with Microsoft Sentinel and hundreds of other tools to help customers overcome SOC analyst fatigue and disparate toolsets.

What is SOAR? 

Let’s start with the basics. SOAR is a category of powerful tools that integrate with other security systems, such as security information and event management (SIEM), endpoint detection and response (EDR), and firewalls, to ingest alerts, enrich them with contextual intelligence, and orchestrate remediation actions across the environment. SOAR tools use playbooks to automate and codify workflows to accelerate mean time to respond (MTTR) and standardize responses to common incident types. 

D3 XGEN SOAR is a fully vendor-agnostic SOAR solution, which means it can maintain dozens of deep integrations with Microsoft tools—including Sentinel—and bring automation to security workflows in any environment. 

How Microsoft Sentinel customers use D3’s Event Pipeline to stay focused on real threats 

What does integrating D3 XGEN SOAR with Microsoft tools mean for customers? Let’s take one narrow example and look at how D3’s Event Pipeline—a unique offering among SOAR platforms—acts on Microsoft Sentinel events to make the lives of security analysts much easier.[3]

D3 ingests Microsoft Sentinel events for investigation and response. But as any SIEM operator knows, it is a delicate balance to configure your SIEM, and other alert-generating tools, so that you are capturing all the important incidents without an overwhelming amount of noise. That’s where D3’s Event Pipeline comes in. 

Figure: The path of alerts through D3 XGEN SOAR, from the alert source to the incident response phase. D3’s Event Pipeline covers the normalization, triage, and dismissal and escalation phases.

When a Microsoft Sentinel event comes into D3, it goes through the Event Pipeline, a global automated playbook that acts on every incoming event or alert from a detection tool. The Event Pipeline works in three stages:

  • First, the data from the incoming event is normalized. The artifacts, such as IP addresses, user IDs, and URLs, are extracted, and metadata tagging is performed. 
  • Next is the triage stage. The event is deduplicated and correlated against other events. The artifacts are checked against integrated threat intelligence sources to determine risk, and MITRE ATT&CK tactic, technique, and procedure (TTP) labels are applied. 
  • In the final stage, the Microsoft Sentinel event is either dismissed as a false positive or escalated and assigned to an analyst. Dismissal and escalation rules are set by the user, based on criteria such as the risk scores from threat intelligence enrichment or the presence of key assets in the artifacts. 

The result of adding D3’s Event Pipeline to Microsoft Sentinel incident investigations is that 90 percent or more of Microsoft Sentinel events can be safely filtered out before they reach a human analyst, allowing the genuine threats to be properly investigated. 
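The three stages above as an added example in Python (not D3’s code): constructed SIEM-style alerts are normalized into artifacts and tags, deduplicated and correlated on shared artifacts, scored against a constructed threat-intelligence table, and then dismissed or escalated by a user-defined rule on risk score or key-asset presence. The alert contents, internal address ranges, intelligence scores and threshold are all constructed.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed alerts in the shape of SIEM analytics-rule hits (not real Sentinel output).
RAW_EVENTS = [
    {"id": "a1", "rule": "Brute force then success", "tactic": "Credential Access", "technique": "T1110",
     "description": "user=jdoe src_ip=198.51.100.23 host=ws-042 failures=5 outcome=success"},
    {"id": "a2", "rule": "Brute force then success", "tactic": "Credential Access", "technique": "T1110",
     "description": "user=jdoe src_ip=198.51.100.23 host=ws-042 failures=5 outcome=success"},
    {"id": "a3", "rule": "Rare outbound domain", "tactic": "Command and Control", "technique": "T1071",
     "description": "host=ws-042 url=http://update.example-cdn.test/ping bytes=512"},
    {"id": "a4", "rule": "Privileged group change", "tactic": "Persistence", "technique": "T1098",
     "description": "user=svc-backup host=dc01 group=DomainAdmins"},
]

# Constructed stand-ins for the integrated threat-intel feeds, asset list and address plan.
THREAT_INTEL = {"198.51.100.23": 80, "update.example-cdn.test": 40}  # risk score 0-100
KEY_ASSETS = {"dc01"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ESCALATE_SCORE = 50

KV_RE = re.compile(r"(\w+)=(\S+)")


def is_external(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def normalize(event: dict) -> dict:
    """Stage 1: extract artifacts from the description and tag the event."""
    fields = dict(KV_RE.findall(event["description"]))
    artifacts = {"ips": [], "users": [], "hosts": [], "domains": []}
    for key, value in fields.items():
        if key.endswith("ip"):
            artifacts["ips"].append(value)
        elif key == "user":
            artifacts["users"].append(value)
        elif key == "host":
            artifacts["hosts"].append(value)
        elif key == "url":
            artifacts["domains"].append(urlparse(value).hostname)
    tags = set()
    if any(is_external(ip) for ip in artifacts["ips"]):
        tags.add("external-ip")
    if KEY_ASSETS & set(artifacts["hosts"]):
        tags.add("key-asset")
    return {"id": event["id"], "rule": event["rule"], "artifacts": artifacts,
            "tags": tags, "ttp": f"{event['tactic']}/{event['technique']}"}


def fingerprint(norm: dict) -> str:
    flat = sorted(v for vals in norm["artifacts"].values() for v in vals)
    return norm["rule"] + "|" + ",".join(flat)


def triage(normalized: List[dict]) -> List[dict]:
    """Stage 2: deduplicate, correlate on shared artifacts, score against threat intel."""
    unique: Dict[str, dict] = {}
    for n in normalized:
        fp = fingerprint(n)
        if fp in unique:
            unique[fp]["duplicates"].append(n["id"])
        else:
            unique[fp] = dict(n, duplicates=[])
    events = list(unique.values())
    for e in events:
        mine = {v for vals in e["artifacts"].values() for v in vals}
        e["related"] = [o["id"] for o in events if o is not e
                        and mine & {v for vals in o["artifacts"].values() for v in vals}]
        e["risk"] = max((THREAT_INTEL.get(v, 0) for v in mine), default=0)
    return events


def decide(event: dict) -> str:
    """Stage 3: user-defined rule: escalate on intel risk or a key asset in the artifacts."""
    if event["risk"] >= ESCALATE_SCORE or "key-asset" in event["tags"]:
        return "escalate"
    return "dismiss"


def run_pipeline(raw_events: List[dict]) -> Dict[str, str]:
    """Returns {event id: decision} for the events that survive deduplication."""
    return {e["id"]: decide(e) for e in triage([normalize(e) for e in raw_events])}
```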

Key Microsoft integrations 

D3’s integration with Microsoft Sentinel is just one of 33 integrations between D3 XGEN SOAR and Microsoft tools. Twenty-two of those integrations are from the Azure suite. Some of the key integrations for common security operations use cases include Microsoft Defender for Endpoint, Microsoft 365, and Azure Active Directory (Azure AD). 

Microsoft Defender for Endpoint 

Microsoft Defender users can orchestrate 26 different actions from D3, including fetching events, enriching incidents with endpoint data, and quarantining infected hosts. This creates an automation-powered process for any endpoint security incident that acts quickly and conclusively before threats get out of control. 

Microsoft 365 

Phishing is still the entry point for most cyberattacks, which makes email a critical part of cybersecurity incident response. When a potential phishing email is detected, D3 can retrieve the email and attachments, parse out the artifacts, check the reputations of the artifacts against threat intelligence and past incidents, and determine if the email is a genuine threat. If it is, D3 can then find other instances of the email across the company’s inboxes and delete them. 

Azure Active Directory 

You may have heard it said that “identity is the new perimeter,” which underscores the importance of being able to act quickly in Azure AD during a security incident. Companies using Azure AD (and on-premises AD) can enrich D3 incidents with user and group information, manage users and groups from D3, and quickly orchestrate remediation actions like forcing a password reset or revoking a sign-in session.  

Security orchestration for MSSPs 

Managed security service providers (MSSPs) get the same kinds of benefits from D3 and Microsoft’s joint solutions as SOCs do, but at a greater scale.[4] D3 has found that MSSPs are not always given direct access to all their clients’ tools, or may not want to become experts in every tool their clients use if all they do with those tools is manage alerts. Instead, clients give their MSSP access to D3, from which the MSSP can manage the alerts from all of the clients’ detection tools through a single interface.

This makes D3 a useful operations hub for MSSPs with clients that rely on Azure systems or other Microsoft tools. The MSSP can leverage D3’s integrations with Microsoft Sentinel, Microsoft Defender for Endpoint, Microsoft 365, and others, to handle alerts and even orchestrate response actions—without needing full access to their clients’ tools.[5] The Event Pipeline is also a valuable tool in this scenario, allowing MSSPs to handle a much higher volume of alerts without adding resources.

Better together: Use cases for Microsoft and D3 XGEN SOAR 

Use case 1: Investigation and orchestration across hybrid environments 

Figure: A diagram of how D3 ingests alerts from cloud or on-premises sources and orchestrates codeless playbooks across cloud or on-premises tools.

More companies are moving their systems and servers to cloud services like Microsoft Azure, but many retain a hybrid environment, with some systems still hosted on-premises. This hybrid model creates an issue around security because the company is left managing two sets of security tools—one in the cloud and one on-premises. 

D3 can integrate with Microsoft Sentinel, 21 other tools in the Azure stack, and hundreds of on-premises tools to create a single security operations (SecOps) interface for the entire hybrid environment. Joint users of Microsoft Sentinel and D3 can enrich alerts with threat intelligence, identify MITRE ATT&CK techniques, run automation-powered playbooks to respond to incidents, and much more—across cloud and on-premises systems simultaneously.

For example, in a phishing attack that resulted in a potentially infected endpoint, an analyst using D3 could disable the user’s access in Azure AD, query Microsoft Sentinel for additional data, search across Microsoft 365 mailboxes for more instances of the phishing email, and quarantine the affected endpoint using Microsoft Defender for Endpoint.[6]

Having D3 SOAR integrated with both your Azure tools and your on-premises tools can reduce your work—and your risk—by half. Because of the ability to monitor and act across your entire hybrid environment, you will not lose sight of incidents that move between environments, and you will always be able to execute your entire response without having to switch between tools.

Use case 2: Compromised credentials 

Figure: A diagram of how D3 ingests leaked credential reports, checks them against Active Directory, and orchestrates the appropriate response.

When an employee’s credentials are compromised, hacked, or leaked, they can turn up on lists provided by threat intelligence platforms. Security teams need ways to streamline their ability to learn of compromised credentials, match the credentials to the employee’s other information, determine which machines the credentials could be used on, and take action to prevent unauthorized access. D3 integrates with AD (Azure or on-premises), threat intelligence platforms, and other tools to orchestrate this process.

D3 can ingest lists of leaked credentials from integrated threat intelligence platforms. When an employee’s credentials are included in a list, D3 can query Active Directory to match the credentials to other information related to the employee, including the list of machines to which they have access. D3 can get the user’s login history from Active Directory to look for unusual activity, temporarily deactivate the user if necessary, and orchestrate a password change.  

The sky’s the limit 

These are just a couple of the use cases that D3 users can orchestrate across their Microsoft tools and systems. With more than 30 integrations and hundreds of commands, there is an extremely high ceiling on what sophisticated users can accomplish with D3 and Microsoft’s combined capabilities. Don’t let that intimidate you though. With codeless, out-of-the-box playbooks for common incident types, even less technical users can immediately realize the benefits of the joint solutions.  

About D3 Security 

D3 Security’s XGEN SOAR platform combines automation and orchestration across more than 500 integrated tools with an automated event pipeline that reduces event volume by 90 percent or more.[2] D3’s codeless playbooks automate enrichment and remediation tasks while making it easy for anyone to build, modify, and scale workflows for security operations, incident response, and threat hunting.

With more than 30 Microsoft integrations, D3 Security has been a Microsoft Intelligent Security Association (MISA) member since 2020. Visit the Azure Marketplace page here. You can learn more about how D3 works with Microsoft on D3’s technology partners page.[5]

Learn more




[1] Panaseer, Security leaders are still in the dark with asset visibility while a lack of insight is driving control failures, 2022.

[2] D3 Security, XGEN SOAR platform.

[3] D3 Security, XGEN SOAR Event Pipeline.

[4] D3 Security, Security Automation and Orchestration for MSSPs.

[5] D3 Security, Microsoft Azure Sentinel Integration.

[6] D3 Security, D3 XGEN SOAR for Phishing Attacks.


Secure your OT and IoT devices with Microsoft Defender for IoT and Quzara Cybertorch™

March 3rd, 2022

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

In recent years, malicious actors have started attacking industrial control systems and key sectors of nations’ critical infrastructure to inflict damage that transcends the cyber world and traditional IT assets. The risk to public safety cannot be overstated, as these types of cyberattacks have real-world potential to inflict harm on humans. The “industrial control systems” that control the many facets of our nation’s critical infrastructure are more commonly known as operational technology (OT) devices. The same goes for IoT devices and industrial internet of things (IIoT) devices. IoT is the network of physical objects that contain embedded technology to communicate, sense, or interact with the internal or external state of their environment. The public and private sectors have many OT and IoT devices in industries such as defense, power generation, robotics, chemical and pharmaceutical production, oil production, transportation, and mining—to name a few. OT devices are hardware and software that monitor or control physical equipment, assets, and processes—and they are being compromised at an increasing rate.[1]

Alarmingly, in 2021 there were two incidents of local water treatment plants in the US being targeted by cyberattacks. One cyberattack occurred in the San Francisco Bay area in January 2021[2] and another occurred in February 2021 in Oldsmar, Florida.[3] In the Oldsmar, Florida cyberattack, the malicious actors attempted to increase the amount of sodium hydroxide in the water supply to potentially dangerous levels. Thankfully, the attack was thwarted by a plant supervisor who caught the act in real time and reverted the changes. These cyberattacks occurred on OT devices used for critical infrastructure at the local level, but similar cyberattacks are playing out in the real world on a national level as well.

On May 7, 2021, Colonial Pipeline, an American oil pipeline system responsible for 45 percent of all fuel consumed on the US East Coast, suffered a ransomware cyberattack that crippled all pipeline operations for about six days.[4] The aftermath of this attack caused fuel shortages in six US states as well as the US capital, Washington D.C.

These cyberattacks on OT devices may not be new, but they underscore how dangerous the threat is to our critical infrastructure, as well as how great the risk is to our overall public safety.

The US government has taken notice of the increased threat against OT systems and has responded accordingly. Per the President’s Executive Order on Improving the Nation’s Cybersecurity issued on May 12, 2021, “The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.[5] The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).” The Quzara Cybertorch™ solution, in conjunction with Microsoft Defender for IoT and Microsoft Sentinel, helps agencies comply with various aspects of this executive order. This includes, but is not limited to, providing agencies with a means to monitor IT and OT operations and alerts, respond to attempted and actual cyber incidents, and facilitate logging, log retention, and log management.

With the threat of cyberattacks impacting OT and IoT devices on the rise, it is more important now than ever for national, state, and local governments, and their private sector partners, to be vigilant in securing the OT and IoT devices that operate or assist critical infrastructure.

The current state of cybersecurity in OT and IoT environments

While it is encouraging that the US Government is giving greater emphasis to securing OT and IoT infrastructure, it and the private corporations that operate OT and IoT devices face an uphill battle. This is because many OT and IoT environments use outdated (and therefore insecure) operating systems and software. A comprehensive report from CyberX (acquired by Microsoft) in June 2020, titled Global IoT and ICS Risk Report, was compiled from data gathered from 1,821 production OT and IoT networks using passive, agentless monitoring with patented deep packet inspection (DPI) and network traffic analysis (NTA) algorithms. These production networks spanned diverse IoT and ICS systems—including robotics, refrigeration, chemical and pharmaceutical production, power generation, oil production, transportation, mining, and building management systems (heating, ventilation, and air conditioning (HVAC), closed-circuit television (CCTV), and more). These are the findings in the report:

  • 71 percent had outdated or unsupported operating systems.
  • 64 percent had unencrypted passwords.
  • 54 percent were remotely accessible.
  • 22 percent had indicators of threats.
  • 27 percent had direct internet connections.
  • 66 percent had no automatic updates.

Figure 1. CyberX report high-level findings.

Securing and monitoring OT and IoT devices

It is critical for national, state, and local governments and their private sector partners to secure their OT and IoT environments from cyberattacks—but first, security must be made easier to incorporate. To that end, Quzara Cybertorch™, a managed security service provider (MSSP), partnered with Microsoft to leverage Microsoft Defender for IoT. With Microsoft Defender for IoT, Quzara Cybertorch™ can discover all OT and IoT devices in an environment, identify vulnerabilities present on those devices, and provide continuous security monitoring of them.

Automated asset inventory

Microsoft Defender for IoT is an agentless solution that connects to a mirroring port on a network switch and passively listens to real-time OT and IoT traffic in the industrial network. Quzara Cybertorch™ uses this tool to quickly create an “Asset Inventory Map” that shows all assets on the network, identifies which machines are interacting with each other, and shows at which layer of the Purdue model each one operates.6


Figure 2. Auto-generated Asset Inventory Map in Purdue model layout.

By identifying which assets communicate with each other in a Purdue model format, valuable information is gathered that depicts which machines can communicate out to the internet from the OT network. These internet-connected machines are the ones we prioritize for lockdown and monitor more closely for suspicious traffic. Identifying internet-connected assets is just one example of what the Asset Inventory Map can display. The Asset Inventory Map also reveals any shadow devices on the OT and IoT network: by revealing all assets on the OT network, it identifies any IT, OT, and IoT devices that the IT department may not be officially aware of. Furthermore, the Asset Inventory Map helps IT security teams identify “single points of failure” in their environment based on the network topology and architecture. Quzara Cybertorch™ encourages hardening these “single point of failure” assets and creating redundancy so that operations aren’t disrupted if one of them ever goes down unexpectedly.

Vulnerability management of OT and IoT devices

Quzara Cybertorch™ can identify known vulnerabilities on OT and IoT devices by leveraging Microsoft Defender for IoT. Microsoft Defender for IoT proactively identifies vulnerabilities such as unpatched devices, unauthorized internet connections, and subnet connections. Beyond identifying vulnerabilities, Microsoft Defender for IoT also identifies changes to device configurations, programmable logic controller (PLC) code, and firmware. Quzara Cybertorch™ consolidates all this information and generates executive summary reports listing all the vulnerabilities for all OT and IoT devices in a network, including prioritized remediation steps. Prioritization may be based on risk scoring (for example, common vulnerability scoring system (CVSS) scores and other factors) and automated threat modeling. These reports contain an overall security score for the OT and IoT devices on the network. As remediation occurs, continuous improvement can be measured by subsequent reports showing the overall security score improving.
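The two capabilities described above, turning passively captured flows into a Purdue-layered inventory (internet-connected assets, shadow devices, single points of failure) and turning findings into a prioritized remediation list with an overall score, can be illustrated with a short script. The following is an added example, not Quzara Cybertorch™’s or Microsoft Defender for IoT’s code: the flow records, the subnet-to-Purdue-level mapping, the asset register, and the CVSS values are constructed, and the risk weighting and scoring formula are assumptions chosen for the demonstration, not the product’s algorithm.

```python
"""Toy OT asset inventory and risk-prioritization pipeline (added example).
Not Quzara Cybertorch's or Microsoft Defender for IoT's code. Flows, subnet-to-
Purdue-level mapping, asset register and CVSS values are constructed; the risk
and score formulas are assumptions made for this demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: which plant subnet sits at which Purdue level.
PURDUE_LEVELS = {
    ip_network("10.0.1.0/24"): 1,    # basic control: PLCs, RTUs
    ip_network("10.0.2.0/24"): 2,    # supervisory: HMIs, engineering workstations
    ip_network("10.0.3.0/24"): 3,    # site operations: historians, jump hosts
    ip_network("172.16.0.0/16"): 4,  # enterprise IT
}

# Constructed passively captured flows: (source, destination, protocol).
# 203.0.113.7 is a documentation address standing in for a public host.
FLOWS = [
    ("10.0.2.10", "10.0.1.5", "modbus"),
    ("10.0.2.10", "10.0.1.6", "modbus"),
    ("10.0.3.20", "10.0.2.10", "opc-ua"),
    ("172.16.5.9", "10.0.3.20", "https"),
    ("10.0.1.6", "203.0.113.7", "https"),  # a PLC talking outside the plant
    ("10.0.2.77", "10.0.1.5", "modbus"),   # absent from the asset register
]

# Constructed: the IT department's official asset register.
KNOWN_ASSETS = {"10.0.1.5", "10.0.1.6", "10.0.2.10", "10.0.3.20", "172.16.5.9"}

# Constructed findings per asset with illustrative CVSS base scores.
VULNS = {
    "10.0.1.6": [("unsupported firmware", 7.5)],
    "10.0.2.10": [("unpatched OS", 9.8), ("unencrypted password", 5.3)],
    "10.0.3.20": [("unpatched OS", 7.8)],
}

def purdue_level(ip):
    """Purdue level of an address, or None if it is outside every plant subnet."""
    addr = ip_address(ip)
    return next((lvl for net, lvl in PURDUE_LEVELS.items() if addr in net), None)

def build_inventory(flows):
    """Assets seen in traffic with their level, peers and external exposure."""
    inv = defaultdict(lambda: {"level": None, "peers": set(), "internet": False})
    for src, dst, _proto in flows:
        for a, b in ((src, dst), (dst, src)):
            lvl = purdue_level(a)
            if lvl is None:                  # external hosts are not plant assets
                continue
            inv[a]["level"] = lvl
            if purdue_level(b) is None:
                inv[a]["internet"] = True    # talks to something outside the plant
            else:
                inv[a]["peers"].add(b)
    return dict(inv)

def shadow_devices(inventory, known):
    """Assets observed on the wire that the register does not list."""
    return sorted(ip for ip in inventory if ip not in known)

def single_points_of_failure(inventory):
    """Articulation points of the peer graph: losing one of these splits the
    network so some assets can no longer reach each other."""
    disc, low, result, clock = {}, {}, set(), [0]
    def dfs(u, parent):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in inventory[u]["peers"]:
            if v not in disc:
                children += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                if (parent is None and children > 1) or \
                   (parent is not None and low[v] >= disc[u]):
                    result.add(u)
            elif v != parent:
                low[u] = min(low[u], disc[v])
    for node in inventory:
        if node not in disc:
            dfs(node, None)
    return sorted(result)

def prioritize(inventory, vulns):
    """Remediation order: CVSS raised for external exposure (+2) and for
    assets at level 1 or below, closest to the physical process (+1)."""
    rows = []
    for ip, findings in vulns.items():
        meta = inventory.get(ip, {"level": None, "internet": False})
        for name, cvss in findings:
            risk = cvss + (2.0 if meta["internet"] else 0.0)
            if meta["level"] is not None and meta["level"] <= 1:
                risk += 1.0
            rows.append((round(min(risk, 10.0), 1), ip, name))
    return sorted(rows, reverse=True)

def security_score(prioritized, asset_count):
    """0-100 network score: 100 minus ten times the mean of each asset's worst
    risk (clean assets count as zero), so fixing findings raises it."""
    worst = {}
    for risk, ip, _name in prioritized:
        worst[ip] = max(worst.get(ip, 0.0), risk)
    return round(100.0 - sum(worst.values()) / asset_count * 10, 1)

if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    print("shadow devices:", shadow_devices(inv, KNOWN_ASSETS))
    print("single points of failure:", single_points_of_failure(inv))
    ranked = prioritize(inv, VULNS)
    print("score before remediation:", security_score(ranked, len(inv)))
    fixed = {ip: f for ip, f in VULNS.items() if ip != "10.0.1.6"}
    print("score after fixing the PLC:", security_score(prioritize(inv, fixed), len(inv)))
```

Run as a script, it flags the unregistered workstation 10.0.2.77 as a shadow device, reports the HMI, the historian, and the PLC 10.0.1.5 as single points of failure, and ranks the externally exposed PLC’s finding first; re-running the score without that finding shows the number rising, which is the “subsequent reports” effect the text describes.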


Figure 3. Vulnerabilities present on an OT workstation.

Continuous monitoring for OT and IoT devices

Quzara Cybertorch™ is a security operations center as a service that leverages Microsoft Sentinel to continuously monitor IT environments as well as OT and IoT environments. Microsoft Sentinel is a cloud-native security information and event management (SIEM) tool with security orchestration, automation, and response (SOAR) capabilities, and it has native interoperability with Microsoft Defender for IoT. Using Microsoft Sentinel, Quzara Cybertorch™ can ingest logs from IT, OT, and IoT devices, creating a unified bird’s-eye view across IT and OT boundaries and empowering our security operations center (SOC) analysts to analyze them for signs of malicious activity.

With other products, a lot of work and expertise is typically required to create rules that aggregate disparate alerts into consolidated incidents. Quzara Cybertorch™ greatly reduces the work required to create targeted rules for OT and IoT incidents, because Microsoft Sentinel provides pre-built analytics rules for OT and IoT devices when used in conjunction with Microsoft Defender for IoT. Functionality also exists to create custom rules and playbooks from these OT and IoT alerts. This empowers our SOC analysts to detect, alert on, and assist personnel in mitigating vulnerabilities on OT and IoT devices.
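As an added illustration of what such an aggregation rule does (this is not Microsoft Sentinel’s built-in Defender for IoT analytics rules and not Quzara’s code), the script below folds a constructed stream of OT alerts into per-device incidents by time window, then applies a custom rule that raises an incident to High when an unauthorized internet connection is followed by a PLC program change on the same device. The alert names, the 15-minute window, and the severity ladder are assumptions; real connector field names are not reproduced.

```python
"""Consolidating OT alerts into incidents plus one custom escalation rule.
Added example; not Microsoft Sentinel's or Quzara Cybertorch's code. The alert
stream, window length and rule definitions are constructed for illustration.
"""
from datetime import datetime, timedelta

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
WINDOW = timedelta(minutes=15)   # assumption: alerts this close belong together

# Constructed alert stream (time-ordered): time, source device, alert name, severity.
ALERTS = [
    ("2021-11-02T08:00:10", "hmi-01",    "Unauthorized internet connection", "Medium"),
    ("2021-11-02T08:04:30", "hmi-01",    "New asset detected",               "Low"),
    ("2021-11-02T08:09:05", "plc-07",    "PLC program change",               "Medium"),
    ("2021-11-02T08:11:40", "hmi-01",    "PLC program change",               "Medium"),
    ("2021-11-02T09:30:00", "hmi-01",    "Unauthorized internet connection", "Medium"),
    ("2021-11-02T13:00:00", "eng-ws-02", "Firmware change",                  "Low"),
]

# Custom rule: this ordered pair of alert names on one device means "escalate".
ESCALATION_SEQUENCE = ("Unauthorized internet connection", "PLC program change")

def parse(alerts):
    """Turn the raw tuples into (datetime, device, name, severity)."""
    return [(datetime.fromisoformat(t), dev, name, sev) for t, dev, name, sev in alerts]

def escalate_sequence(incident, seq=ESCALATION_SEQUENCE):
    """Rule 2 (custom): if the incident's alerts contain `seq` in order
    (other alerts may sit in between), mark it High. Returns True if escalated."""
    i = 0
    for name in incident["alerts"]:
        if name == seq[i]:
            i += 1
            if i == len(seq):
                incident["severity"] = "High"
                incident["escalated"] = True
                return True
    return False

def consolidate(alerts, window=WINDOW):
    """Rule 1: alerts from the same device within `window` of an incident's
    first alert join that incident; incident severity is the maximum seen.
    Then rule 2 is applied to every incident."""
    incidents, open_by_device = [], {}
    for ts, dev, name, sev in parse(alerts):
        inc = open_by_device.get(dev)
        if inc is None or ts - inc["first_seen"] > window:
            inc = {"device": dev, "first_seen": ts, "last_seen": ts, "alerts": [],
                   "severity": "Informational", "escalated": False}
            incidents.append(inc)
            open_by_device[dev] = inc
        inc["alerts"].append(name)
        inc["last_seen"] = ts
        if SEVERITY_RANK[sev] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = sev
    for inc in incidents:
        escalate_sequence(inc)
    return incidents

def summarize(incidents):
    """One line per incident, the way an analyst queue would list them."""
    return ["%s %-9s %-6s %d alert(s)%s" % (
                inc["first_seen"].strftime("%H:%M"), inc["device"], inc["severity"],
                len(inc["alerts"]), " ESCALATED" if inc["escalated"] else "")
            for inc in incidents]

if __name__ == "__main__":
    for line in summarize(consolidate(ALERTS)):
        print(line)
```

Six alerts collapse into four incidents; the first hmi-01 incident absorbs three alerts and is escalated by the sequence rule, while the later hmi-01 connection at 09:30 is far enough outside the window to open a new, unescalated incident. The same shape (window per entity, max severity, ordered-sequence escalation) is what a SIEM analytics rule expresses declaratively.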


Figure 4. Microsoft Defender for IoT analytics rules in Microsoft Sentinel.

If your team, company, or clients have an OT or IoT environment and are interested in obtaining an OT or IoT cybersecurity risk assessment, please reach out to Quzara Cybertorch™ or contact them by email.

About Quzara Cybertorch™

Quzara Cybertorch™ is a security operations center as a service and managed detection and response (MDR) provider purpose-built to meet the needs of U.S. Civilian, Department of Defense (DoD), and Defense Industrial Base (DIB) customers for extended detection and response (XDR), vulnerability management, OT and IoT monitoring, and security monitoring. Their security operations center as a service, vulnerability management, and XDR capabilities are based on the National Institute of Standards and Technology (NIST) 800-53 FedRAMP HIGH controls, and their entire technology stack leverages FedRAMP HIGH Authorized systems. Quzara Cybertorch™’s team of security analysts is based and operates entirely within the US, with emphasis on security clearances and government support experience. Explore Quzara Cybertorch™ and visit the Quzara Cybertorch™ listing in the Microsoft commercial marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises, Mandiant, May 25, 2021.

2. Hackers Tried to Poison California Water Supply in Major Cyber Attack, Newsweek, June 18, 2021.

3. The Florida water plant attack signals a new era of digital warfare—it’s time to fight back, Darktrace, February 16, 2021.

4. Ransomware Attack Shuts Down A Top U.S. Gasoline Pipeline, NPR, May 9, 2021.

5. Executive Order on Improving the Nation’s Cybersecurity, The White House, May 12, 2021.

6. The “Purdue Model” is a structural model for industrial control system security concerning physical processes, systems, and the IT machines that manage or interact with them.

The post Secure your OT and IoT devices with Microsoft Defender for IoT and Quzara Cybertorch™ appeared first on Microsoft Security Blog.

How Red Canary and Microsoft can help reduce your alert fatigue

November 29th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Security alert fatigue

Organizations often feel overwhelmed by the number of security alerts they receive. Frustrated by alert fatigue, these organizations want a deeper understanding of security threats and extended coverage to protect themselves. Enterprises typically maintain 70 security products from 35 different vendors,1 and burnout from alert fatigue can lead to choices that put a company’s security at risk. Prospective customers have told us they mute security alerts or create rules to ignore or turn off alerts. Some security operations leaders have even said that if a security alert isn’t resolved within a week, it’s automatically deleted from the system.

Security alert fatigue happens when employees become desensitized to alerts and alarms from tools and technology because of their frequency. Since 2019, the number of security alerts has increased by 34 percent.2 In fact, 44 percent of alerts go uninvestigated1 because of the high volume and inadequate staff levels.

Red Canary is a security ally for customers

Security alerts lack the context customers need to determine which alerts are a serious threat and which are noise. They also wonder, “If we were attacked, how fast could we contain a security threat?” Security alerts don’t answer this question. That’s why Red Canary, a cybersecurity software as a service (SaaS) company that provides outcome-focused solutions for security operations teams, developed a security operations platform that powers their Managed Detection and Response (MDR) solutions. Red Canary MDR integrates with Microsoft Defender for Endpoint to help customers detect and respond to cybersecurity threats in their environment. Red Canary MDR + Microsoft Defender for Endpoint is a powerful combination for modern security operations teams to protect their organizations.

Founded in 2014, Red Canary is a security ally for customers and an extension of their security teams. Underpinning Red Canary’s MDR solution is its all-day security operations team. These detection engineers provide extended coverage for long-term customer peace of mind. Red Canary is continuously monitoring and reviewing every potential threat—even detections that appear outwardly benign are investigated.

Red Canary’s approach

When its MDR solution detects a security threat for one customer, a logic-based detection engine is strengthened and used to detect similar threats for other customers. Thousands of detectors—a number that is growing all the time—trigger investigations on anything suspicious that’s detected.

Red Canary’s solution supercharges the already powerful Microsoft Defender for Endpoint. It also now supports Microsoft Defender for Identity, to help security operations teams protect on-premises identities, and Microsoft Azure Active Directory (Azure AD) Identity Protection, to protect identities and user accounts for Azure AD customers, along with recently announced support for publishing confirmed detections into Microsoft Sentinel.

The Red Canary technology is only half the story. Customers also benefit from the deep threat detection expertise with detection engineers and incident handlers available around the clock, serving as an extension of a customer’s security team.

“We increase the confirmed detections and tune down the noise of security alerts.”—Cordell BaanHofman, General Manager, Red Canary + Microsoft Security at Red Canary

Red Canary by the numbers: 20,000 endpoints, 51 billion telemetry records, 69,886 tipoffs, 3,943 significant events, 74 detections, and 17 high-severity attacks.

Bridging the expertise and budget gap

Besides alert fatigue, companies also struggle with two other big challenges that restrict their ability to respond to cyberthreats: a lack of cybersecurity expertise and a limited budget. Many organizations lack the in-house expertise to review, investigate, and respond to Microsoft Defender for Endpoint security threats. Often, budget prevents them from hiring people with the expertise to operationalize Microsoft Defender for Endpoint or provide all-day coverage.

Red Canary supports these companies by giving them access to a team of cybersecurity experts and all-day coverage. It offers them an “easy button,” including customizable, automated incident response playbooks which enhance the pre-built automated incident response model of Microsoft Defender for Endpoint. Red Canary’s approach to threat detection continues to effectively protect its customer base from ransomware—like the Conti and REvil families that have been implicated in so many prominent attacks this year—and other high-impact threats.

The company analyzes alerts and raw telemetry through APIs connected to Microsoft Defender for Endpoint. Customers are only notified of confirmed threats—in the middle of the night if it’s a critical threat—and are provided with full threat context to quickly respond to stop it in its tracks. This response is achieved through a combination of automation and incident response experts to neutralize and remove the threat.

Flow chart from Microsoft Defender for Endpoint to Red Canary security operations center to customer security team and back.

After bringing in Red Canary, an IT security leader said they felt positively about their security posture for the first time in their 10-year information security career. A security analyst at a different company said the solution results in every detection being actionable and reliable. The security analyst explained: “Red Canary has taken what used to be a daily workload of hours and brought it down to minutes.”

MISA membership

Red Canary is aligned with Microsoft’s security strategy, particularly extended detection and response (XDR) and the Zero Trust approach. Since becoming an inaugural MDR partner in 2019, Red Canary earned IP co-sell incentive status and shared the virtual stage at Microsoft Ignite with Microsoft Corporate Vice President Rob Lefferts during his advanced attack security keynote.

Red Canary was one of the early members of the Microsoft Intelligent Security Association (MISA), joining in January 2019, and has participated in Microsoft webinars, blog posts, and marketing workshops—all made possible by MISA.

Learn more

One of the reasons that Red Canary and Microsoft’s relationship is so strong is the two companies share a similar ethos and objective. Red Canary’s mission is to empower organizations worldwide to make their greatest impact without fear of a cyberattack. Microsoft’s mission is to empower every person and every organization on the planet to achieve more. Reach out for a demonstration of Red Canary MDR + Microsoft Defender for Endpoint.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1. 6 strategies to reduce cybersecurity alert fatigue in your SOC, Innocent Wafula, Microsoft. 17 February 2021.

2. SOC Teams Burdened by Alert Fatigue Explore XDR, Joan Goodchild, Dark Reading. 14 May 2021.

The post How Red Canary and Microsoft can help reduce your alert fatigue appeared first on Microsoft Security Blog.

How Open Systems uses Microsoft tools to improve security maturity

November 15th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

We’ve all seen it happen—an organization has all the top-notch security tools in place and still gets breached. In today’s rapidly evolving threat landscape, complexity leads to vulnerability. With so many tools to monitor, it’s easy for even the best security operations center (SOC) to get overwhelmed by non-actionable alerts1 and hampered by insufficient personnel to secure a growing digital estate. Research on “security tool sprawl” shows that, on average, organizations run 25 to 49 security tools from up to 10 different vendors.2 In a time of rising cyberattacks,3 the gaps left between mismatched or poorly implemented IT and security tools can make it impossible to establish a high-maturity security program.

Managed services to simplify security

Open Systems’ award-winning Managed Detection and Response (MDR) executes repeatable security missions that protect enterprises in real time and level up their security posture for tomorrow. The company’s customers are typically mid-market organizations—enterprise or small-to-medium corporations (SMC)—that are looking for all-day threat detection and response but also aspire to improve their security posture and resilience against attack. Open Systems noticed that many of these customers lean heavily on Microsoft for IT and cloud infrastructure and can unlock the value of those investments to consolidate and operationalize their security tools. Open Systems accomplishes this by providing a Microsoft Azure cloud-native Managed Detection and Response (MDR) service built for Microsoft Sentinel (formerly known as Microsoft Azure Sentinel), Microsoft Security best practices, and Microsoft 365 E5 (M365 E5).

As a six-time Gold Partner, Open Systems enables Microsoft customers to get more insight from their Microsoft Security tools and to better grasp their attack surface. The company’s use of Microsoft’s cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities helps deliver stronger signal fidelity through machine learning threat modeling—delivering the actionable results Open Systems’ customers need to remain confident in their security every day. Even better, customers can often achieve this level of security using the Microsoft investments they’ve already made. And by integrating with Open Systems’ MDR, they get peace of mind by delegating detection and response to Microsoft-certified SOC analysts and threat hunters, helping contain threats early in the kill chain.


Figure 1: Open Systems’ MDR integration with Microsoft.

Open Systems’ approach

As a Microsoft Advanced Threat Protection Specialization certified partner, Open Systems focuses on three critical pillars for their MDR solution: mission-driven processes, a mission-ready platform, and Microsoft-certified experts.

Because the stakes are so high, the service is run like NASA Mission Control, using mission-driven processes to deliver repeatable and predictable outcomes that ensure fast detection and remediation of threats. These mission-driven processes have been honed for over 20 years with scientific rigor to bridge IT and security silos for optimal performance and resilience against attack. This allows Open Systems to deliver outcomes not alerts, greater business value, and out-of-this-world customer satisfaction.

Complementing these mature processes is the mission-ready platform at the heart of Open Systems’ services. This cloud-native platform weaves security into the fabric of an organization’s infrastructure, eliminating the need to stitch together multiple-point security products and the associated complexity. Managed from a “single pane of glass,” the platform also helps organizations realize the full value of their Microsoft infrastructure and that of their existing Microsoft security products.

The company’s four globally distributed SOCs follow the sun, with experts working from Europe, the United States, and Asia. Each of Open Systems’ DevSecOps engineers and security analysts has completed 400 hours of hands-on training and passed rigorous certification testing before servicing customers. They are armed with machine learning-powered high fidelity detection leveraging Microsoft Sentinel runbooks to ensure they can detect threats and make critical decisions fast and accurately.

Leveraging Microsoft

Scalability and enabling customers to retain their data are key aspects of the MDR service, both of which are achieved with Microsoft Sentinel and Microsoft Azure Lighthouse. Open Systems engaged with Microsoft in the early days of Microsoft Sentinel, working with their product teams and early customers to create a solution that runs in the customer tenant. Microsoft Defender for Endpoint absorbs signals, then contains threats as part of the automated response. Open Systems also leverages Microsoft Sentinel’s SOAR capabilities by writing managed runbooks that automatically contain and shut down threats early.

The service uses Azure Lighthouse to operate things—run queries, integrate different log sources, and more. Credible threats are inspected by Open Systems’ engineers and co-managed as needed with the customer. In this way, Open Systems’ MDR service and Microsoft Security don’t just integrate, they feed off each other to deliver better results. As one of our customers put it:

“We’re experiencing exceptional support from Open Systems. They not only help us contain costs and manage Azure, but their engineers, adaptable SASE+ platform, and managed runbooks contain threats before they spread throughout the network,” said James Tsang, Systems Manager, College of Southern Nevada.

Managed security leads to $2.5 million in savings

A publicly traded clinical research organization came to Open Systems for help streamlining their security architecture. They wanted to move away from siloed third-party systems that created too much complexity, too many vulnerabilities, and drove up costs. They needed a cloud platform to provide the accessibility and service necessary to protect their offices worldwide and their hybrid and remote workers. Open Systems partnered with Microsoft and demonstrated how Microsoft 365 E5 and Microsoft Sentinel could work together to help improve the company’s compliance, data protection, and security posture.

The Open Systems team also identified opportunities to replace legacy monitoring tools with Microsoft Azure Monitor and to consolidate compliance and security data onto Microsoft Azure Log Analytics, helping reduce the number of suppliers and lower costs. Together with Microsoft, Open Systems performed a cloud readiness and economic assessment using the company’s real-world costs, learning that the Azure implementation would result in $2.5 million in annual savings by eliminating existing applications and unnecessary data centers. Moreover, optimizing Microsoft 365 E5 eliminated the need for several of the company’s existing tools, resulting in additional annual savings of $400,000.

Figure 2: Azure Monitor, showing the Open Systems and Microsoft monitoring tools’ capabilities.

MISA membership

Cybersecurity is a high-trust business: trust in technology, trust in services, and trust in the partnership you have with your security vendor. Most of Open Systems’ customers come to the company through word-of-mouth references; many have worked with the company for years. Open Systems joined the Microsoft Intelligent Security Association (MISA) in July 2020 as part of the managed security service provider (MSSP) pilot. Being a MISA member gives Open Systems’ customers confidence that the company can integrate its technologies with their existing Microsoft products, both on-premises and in the cloud. Customers want leadership and alignment with the Microsoft solutions they are investing in. Some of the company’s other ‘wow’ moments since joining MISA include:

As Mandana Javaheri, Global Director, Cybersecurity Solutions Group at Microsoft Corp put it in Open Systems’ press release, “MISA members are the cybersecurity industry leaders, unified by the common goal of helping secure our customers by offering their own valuable expertise and making the association more effective as it expands.”

Learn more

Want to learn more? Check out Open Systems’ Managed Detection and Response solution in the Azure Marketplace or visit the Open Systems’ Microsoft Solutions page.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1. 6 strategies to reduce cybersecurity alert fatigue in your SOC, Innocent Wafula, Microsoft Security, Microsoft. 17 February 2021.

2. Too many security tools can be as bad as too few, Taylor Armerding, Security Boulevard. 14 August 2020.

3. Why ransomware attacks are on the rise — and what can be done to stop them, Lynsey Jeffery, Vignesh Ramachandran, PBS. 8 July 2021.

The post How Open Systems uses Microsoft tools to improve security maturity appeared first on Microsoft Security Blog.

Discover what’s new and gain technical expertise from MISA at Ignite

November 4th, 2021 No comments

It’s hard to believe we’re so close to the end of another year, and what a year it’s been. For too brief a time in some places, our masks were tossed away, only to find us digging them out of drawers again not long after. But masked up or not, it’s been good to see local restaurants buzzing with activity again, along with fans enjoying sporting events, concerts, and even some shows on Broadway. There’s a sense of expectation in the air, and I’m excited to see what 2022 has in store for all of us.

That renewed optimism can be seen in the continued growth of the Microsoft Intelligent Security Association (MISA) member base—now reaching 275 partners, with 273 product integrations and 243 managed service offerings. We have high expectations for the remainder of this fiscal year, including doubling our membership to roughly 450 as we continue partnering with even more leading-edge cybersecurity firms. We’re also expanding our product portfolio and are excited to announce that two new products for compliance, risk, and privacy are joining the MISA lineup.

Welcoming new compliance, risk, and privacy solutions

Microsoft compliance helps our customers comply with national, regional, and industry-specific requirements governing the collection and use of data. Through MISA, members get support in building managed services and integrations that help them:

  • Identify and remediate critical risks within your organization.
  • Safeguard sensitive data across clouds, apps, and endpoints.
  • Assess compliance and respond to legal and regulatory requirements.

Advanced Audit in Microsoft 365

With Advanced Audit in Microsoft 365, you can conduct forensic and compliance investigations with visibility into user activities across Microsoft 365 services. Using audit log search in the Microsoft 365 compliance center and the Office 365 Management Activity API, Advanced Audit enables audit logs to be retained for up to 10 years, provides access to crucial events that determine the scope of a compromise, and helps with ongoing regulatory, legal, and internal obligations. Customers can specify how long to retain audit records according to a priority level, ensuring that specific policies take priority over others.

“Joining MISA brings our relationship with Microsoft to the next level, enabling seamless integrations for our joint customers using Office 365 and more,” said John Coyle, Vice President Business Development, Sumo Logic. “Our cloud-native integration with Microsoft Office 365’s Advanced Auditing capabilities enables customers to apply Sumo Logic’s powerful Continuous Intelligence Platform and Cloud SIEM, providing clear, detailed trails for rapid investigation of user activity to quickly identify potential breaches and scope of compromise in Microsoft Office 365 data.”

Privacy Management for Microsoft 365

Privacy Management for Microsoft 365 helps companies safeguard personal data and build a privacy resilient workplace by proactively identifying and protecting against privacy risks, such as data hoarding, data transfers, and data oversharing—empowering information workers to make smart data-handling decisions while automating and managing subject requests at scale. Privacy Management is available within the Microsoft 365 compliance center.

With our new Privacy APIs, we’re enabling a broader partner ecosystem to integrate with Privacy Management for Microsoft 365. This integration enables our partners to build solutions that automate the Microsoft 365 portion of subject rights requests. This helps our joint customers ensure that they are compliant with an ever-growing number of regulations across Microsoft 365, as well as non-Microsoft data sources.

“Joining MISA enhances our relationship with Microsoft and our commitment to providing a unified solution for organizations to automate their data security and privacy operations across all their structured and unstructured data systems,” said Vivek Kokkengada, Vice President of Products, Securiti. “Our new integration with Privacy Management for Microsoft 365 using Microsoft’s new Privacy APIs enables our joint customers to automatically fulfill the Microsoft 365 portion of subject rights requests within Privacy Management and ensure compliance with an ever-growing number of privacy regulations globally. Being a MISA member allows us to work closely with the Microsoft teams and stay on the forefront of new strategic integration opportunities to add value to our joint customers.”

Microsoft investing $20 billion in cybersecurity

During the White House Cybersecurity Summit on August 25, 2021, Microsoft Chairman and Chief Executive Officer Satya Nadella shared that the company will quadruple our cybersecurity investments, investing $20 billion to advance our security solutions over the next five years, and $150 million in technical services to help federal, state, and local governments upgrade their security protection. We will also expand partnerships with community colleges and non-profits for cybersecurity training. As many organizations are facing a shortage of cybersecurity professionals, we want to ensure everyone has and uses the protection available today. Watch chairman and president of Microsoft Brad Smith’s video announcement on CNBC.

Lower marketplace fees spur reseller engagement

As software needs rise, customers need to streamline how they buy and deploy software. With more than 30,000 solutions published, the commercial marketplace—Microsoft AppSource and Microsoft Azure Marketplace—is how we connect our customers and partners. To help drive these customer and partner connections, we’ve reduced fees to just 3 percent—down from an industry standard of 20 percent—for every transactable application published in the commercial marketplace. This reduction enables higher margins for partners while simplifying the fee structure.

Independent software vendors (ISVs) with transactable commercial marketplace offers can now set one price for customers and another price for Microsoft Cloud Solution Provider (CSP) partners. This allows ISVs to provide margin to their CSP partners, while CSP partners can also resell outside the commercial marketplace. This added flexibility can help create stronger connections among partners while incentivizing ISVs to share margins with resellers, making it more profitable for partners to sell Microsoft commercial marketplace offers.

Unlock this opportunity and gain access to millions of customers by publishing a solution and selling with us.

Securing the future with Zero Trust

The recent string of disastrous ransomware attacks has shown all too clearly that traditional perimeter-based security can’t keep up with the complexity of today’s decentralized workplace.1 Shadow IT, hybrid work, and the proliferation of endpoints across IoT leave security teams stretched thin. Zero-day vulnerabilities, weaknesses in a network or in software that are not yet known to the vendor or to defenders, have been implicated in recent attacks in which threat actors breached organizations without being detected, giving them ample time to map internal networks, exfiltrate data, and locate additional attack vectors. At least 66 zero-day attacks have been found this year—almost twice the total of the previous year.2

Zero Trust is the essential security strategy for today’s reality. In 2020, the global pandemic compelled nearly every organization to embrace a Zero Trust strategy as employees went remote, virtual private networks (VPNs) were breached or overwhelmed, and digital transformation became critical to organizational sustainability. Governments and businesses worldwide recognized this imperative. In keeping with Section 3 of Executive Order 14028, Microsoft adheres to federal standards for Zero Trust as developed by the National Institute of Standards and Technology (NIST):

  • All resource authentications are dynamic and strictly enforced before allowing access.
  • Trust is evaluated before access is granted, and then only with the least privilege needed to complete the task.
  • Assets should always act as if an attacker is present on the enterprise network.

At Microsoft, we’ve distilled these tenets into three Zero Trust principles: verify explicitly, use least privileged access, and assume breach. These principles form our strategic guidance toward customers, software development, and our global security posture.

Graphic depicting Microsoft's three principles of Zero Trust: Verify explicitly, use least privileged access, and assume breach.

Learn more

To assess your organization’s progress in the Zero Trust journey, use our Zero Trust Assessment tool. If you’d like to learn from our experience, Chief Information Security Officer Bret Arsenault and his team share insights from Microsoft’s Zero Trust journey over at Microsoft Inside Track. Finally, to understand how ISVs can integrate with Microsoft products to create Zero Trust solutions, see our Zero Trust integration guidance.

To learn more about MISA and other new developments, you can view a list of the Microsoft Ignite on-demand sessions here.

To learn more about upcoming big announcements, visit our latest blog posts:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1. What’s Driving the Surge in Ransomware Attacks? Matt Stieb, Intelligencer, 7 September 2021.

2. 2021 has broken the record for zero-day hacking attacks, Patrick Howell O’Neill, MIT Technology Review, 23 September 2021.

The post Discover what’s new and gain technical expertise from MISA at Ignite appeared first on Microsoft Security Blog.

archTIS and Microsoft: Zero Trust information security for Microsoft Teams

October 14th, 2021 No comments

Microsoft Teams has seen a surge in growth during the pandemic, with over 115 million daily active users and growing.1 With it, the customer imperative for safe and trustworthy online collaboration has also increased significantly. The speed and simplicity with which business users create new teams and channels means that IT and security groups need advanced tools and controls to ensure business-critical information is properly protected.

archTIS’ NC Protect has integrated with Microsoft Information Protection (MIP) to empower IT and business owners to easily create secure teams and channels and enable guest access, enforcing Zero Trust policies at the file, chat, and message level to prevent accidental sharing, misuse, and data loss.

Human error is a vulnerability to your security

Many organizations struggle to keep track of data and ensure their information security, sharing, and usage policies are being followed. This can pose a serious risk when you consider 63 percent of insider-related incidents are the result of negligence and simple human error, with another 23 percent related to criminal insiders.2

From sharing confidential files or sensitive information with the wrong recipient to including regulated or confidential data in a chat, these costly mistakes are hard to avoid if you rely upon user behavior and training to protect your data. Worse, some organizations try to solve the problem by turning off information sharing and guest access in Teams altogether.

Better together: NC Protect and Microsoft Information Protection

NC Protect leverages Microsoft security investments to further prevent data loss and insider threats with data-centric information security that applies Zero Trust principles to dynamically adjust access and information protection in Microsoft Teams.

By combining MIP sensitivity labels and Microsoft Azure Active Directory (Azure AD) attributes with NC Protect’s dynamic user- and attribute-based policies to control access, usage, and sharing, customers benefit from expanded protection and control over Teams collaboration to:

  • Leverage MIP sensitivity labels in combination with other file and user attributes from Azure AD and Active Directory to dynamically adjust access to and control of what users can see, how they can use and share information, and with whom at the file and chat level.
  • Empower team owners to set team and channel security using custom default rulesets from within the Teams app with just a few clicks and without any IT knowledge or skills, so that internal and external users can collaborate securely.
  • Gain additional information protection capabilities for Teams including secure personalized watermarks, read-only access through a zero-footprint file viewer, flexible information barriers, and IT-friendly private channels.
  • Extend adaptive access, usage, and sharing policies across other Microsoft 365 apps for granular, dynamic information protection and next-generation data loss prevention (DLP).

Combining the power of MIP with NC Protect ensures granular policy-based control to secure collaboration and allows customers to realize the full value of their existing Microsoft investments.

How it works

NC Protect dynamically adjusts file security based on a real-time comparison of user and file attributes, so that users view, use, and share files according to the organization’s regulations and policies. A file’s MIP sensitivity label is one of the attributes NC Protect uses to determine access and the level of protection needed, evaluated under the conditions at the time of access. NC Protect can therefore restrict access, usage, and sharing rights dynamically based on the file’s classification together with the user’s current location, device, and security clearance.

Image demonstrating the integration with NC Protect and Microsoft Information Protection.

Learn more

Learn more about the NC Protect integration with MIP and Teams and other Microsoft 365 apps, including demonstrations of how NC Protect’s dynamic attribute-based access control better protects against insider threats:

About archTIS

archTIS Limited (ASX:AR9) is a global provider of innovative software solutions for the secure collaboration of sensitive information. The company’s award-winning data-centric information security solutions protect the world’s most sensitive content in government, defense, supply chain, enterprises, and regulated industries through attribute-based access and control (ABAC) policies. archTIS products include Kojensi, a multi-government certified platform for the secure access, sharing, and collaboration of sensitive and classified information; and NC Protect for enhanced information protection for file access and sharing, messaging, and emailing of sensitive and classified content across Microsoft 365 apps, Dropbox, Nutanix Files, and Windows file shares. For more information visit the archTIS website or follow archTIS on Twitter.

1. Watch out Zoom: Microsoft Teams now has more than 115 million daily users, Owen Hughes, TechRepublic, 28 October 2020.

2. The Cost of Insider Threats, IBM Security, 2020.

The post archTIS and Microsoft: Zero Trust information security for Microsoft Teams appeared first on Microsoft Security Blog.

Combat attacks with security solutions from Trustwave and Microsoft

September 9th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

In 2021, cyberattacks and instances of ransomware demands against companies, agencies, and institutions have dominated the headlines. These kinds of attacks are on the rise and often have long-reaching impacts that can spill over across supply chains. In just the first half of the year, there have been several high-profile cyberattacks in the United States including Colonial Pipeline1, JBS (the world’s largest meat supplier)2, the Washington, D.C. Police Department3, and the MTA of New York City4, to name a few.

The SolarWinds cybersecurity breach5 opened US government networks and private companies’ security systems around the world to threat actors in late 2020. The breach allowed access to confidential government data and intelligence before it was discovered. The attackers inserted their malware into an update for SolarWinds’ Orion software between March and June of 2019, compromising the security of tens of thousands of customers. SolarWinds serves as an unfortunate example of how organizations around the world operate under the perpetual threat of becoming the target of a cyberattack or the victim of a cybercrime, even through a trusted partner.

Some believe the escalation in attacks and data breaches in the past year likely originated with new remote working environments, which exponentially increased the number of endpoints requiring protection and put strain on already over-extended IT resources.6

Take a proactive approach to your security

To identify, contain, and eradicate these relentless threats properly, security operations must include effective platforms, processes, and people. With attacks on the rise and bad actors only becoming more sophisticated, security that meets the minimum is no longer effective, and organizations need to consider a more proactive approach. Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavior-based next-generation protection, rich APIs, and unified security management.

Microsoft security solutions have native capabilities designed to work cohesively and provide integrated threat detection and response, but technology alone is not enough. How well best-in-breed tools are operated can mean the difference between capturing a threat and letting it linger unnoticed in your environment indefinitely. Partnering with a Managed Detection and Response (MDR) team or Managed Security Services Provider (MSSP) that is a trusted Microsoft technology partner can help you operationalize these transformations and derive the most value from your existing technology investments.

Trustwave removes the complexity and burden of threat detection and response with an entire portfolio of cybersecurity solutions that work with existing Microsoft investments to fight cybercrime, protect data, and reduce risk. Knowing what to look for in your security partners is crucial, especially among the noise of an industry saturated with providers claiming to be the “best.” Search for partners that can offer:

  • All-day monitoring/notification, incident response, and remediation.
  • Digital forensics and incident response (DFIR).
  • Proactive, human-led threat hunting.

With organizations facing overwhelmed security teams and resource limitations, finding the time and staff to properly protect their environments—on-premises, in the cloud, or a hybrid of both—is a constant challenge. Implementing proactive endpoint detection and response (EDR) and MDR solutions can relieve your teams, prevent breaches, and appease your stakeholders. For real examples of how effective the EDR plus MDR combination can be when aligned to create a layered security posture, view Trustwave’s case study on the GoldenSpy malware or view their industry accolades showcasing the industry expertise their teams have worked to earn for the safety of organizations like yours.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1. Colonial Pipeline Attack Spotlights the Importance of Ransomware Preparedness, Trustwave, 11 May 2021.

2. JBS: Cyber-attack hits world’s largest meat supplier, BBC News, 2 June 2021.

3. D.C. Police Department Data Is Leaked in a Cyberattack, The New York Times, 27 April 2021.

4. MTA breached by hackers with reported ties to China, Kevin Duggan, MSN, 3 June 2021.

5. A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack, Dina Temple-Raston and Monika Evstatieva, NPR, 16 April 2021.

6. How Your Security Testing Mindset Should Change After COVID-19, Mark Whitehead, Trustwave, 4 May 2021.

The post Combat attacks with security solutions from Trustwave and Microsoft appeared first on Microsoft Security Blog.

Get free DMARC visibility with Valimail Authenticate and Microsoft Office 365

September 1st, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Phishing and email spoofing not only erode brand trust but also leave recipients vulnerable to financial loss and serious invasions of privacy. These tactics have been around for years, but their breadth and sophistication today pose a formidable threat. According to the FBI, fraudulent emails sent under the guise of companies’ own domains cost those companies over $13 billion between 2016 and 2020.1

Microsoft has industry-leading solutions for protecting customers from such attacks. Recently, Microsoft was named a leader in the 2021 Enterprise Email Security Wave2, with Microsoft Defender for Office 365 receiving the highest possible scores in categories like incident response, threat intelligence, endpoint detection and response (EDR) integration, product strategy, and customer success. This acknowledgment is the latest testament to Microsoft’s continued innovation as a best-of-breed solution for email and collaboration security.

Valimail joined the Microsoft Intelligent Security Association3 (MISA) to transform Domain-based Message Authentication, Reporting, and Conformance (DMARC), one of the most reliable—yet often incredibly complex—ways to strengthen email security. Valimail Authenticate, the first true DMARC-as-a-service offering, gives Microsoft Office 365 users free visibility into every service sending email under their domains, plus additional tools to reach DMARC enforcement faster than with any other solution.

Instead of struggling to set up DMARC or hiring expensive consultants to reach enforcement, Microsoft customers can use Valimail Authenticate to automate the process of DMARC enforcement using simple, guided workflows.

The combined power and deep integration of these two technologies shows in the results: Microsoft users such as the MLB, Uber, Citgo, Nestle, and the Department of Transportation currently reduce email fraud, increase deliverability across every domain, and protect their brands’ reputations.

DMARC-as-a-service: A new approach to email security

For those who have only heard of DMARC in passing or not at all, it might sound like just another enterprise email acronym. However, DMARC enforcement has already proven to be a valuable protector of enterprise email. According to Gartner®, DMARC is one of the top 10 security projects4, based on Gartner forecasts and adjusted for the impact of COVID-19. The problem with most approaches to DMARC, however, has been the difficulty of implementation.

Here is some quick context on what DMARC is, and how many cycles IT has had to spend working with it in the past. At its simplest, DMARC is a way to tell other email servers which messages coming from your domains are legitimate. Typically, IT would publish a DNS TXT record like the one below for each domain, which instructs recipient servers to send a report of every IP address claiming to be a valid sender for your organization.

v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email

Someone would then need to read through the sender lists in XML, confirm that each IP address belongs to an approved service, set up DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) individually for each, and check back regularly to see whether new suspicious senders have appeared.

This process can be tedious. That’s why many companies that are genuinely concerned about email fraud and deliverability never finish the DMARC projects they start. Last year alone, 53,000 companies added a DMARC record, but only 10 percent successfully got themselves to enforcement. Valimail Authenticate removes the significant manual upkeep from email security workflows, making the whole process seamless for Microsoft Office 365 users, who can get free visibility into their environment and turn on Valimail Authenticate with a single click.
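The manual workflow described above, parsing the published DMARC record and then reading the XML aggregate reports to find senders that fail, is shown here as an added example; it is not Valimail’s or Microsoft’s code. The XML report is constructed for illustration in the RFC 7489 aggregate-report shape, using documentation-range IP addresses and example.com as a placeholder domain.

```python
"""Parse a DMARC DNS record and a DMARC aggregate (rua) report.

Added example for the DMARC discussion on this page; not Valimail's or
Microsoft's code. SAMPLE_REPORT below is constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict of tags.

    Rejects the two mistakes that silently disable a policy: a 'v' tag
    that is missing or not first, and an unknown 'p' value.
    """
    tags: dict = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"invalid or missing p tag: {tags.get('p')!r}")
    # rua may list several URIs; keep the mailto: report destinations
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",")
                   if u.strip().startswith("mailto:")]
    return tags


@dataclass(frozen=True)
class SourceRow:
    source_ip: str
    count: int
    disposition: str      # what the receiver did: none / quarantine / reject
    dkim_aligned: bool    # policy_evaluated/dkim == pass (DKIM passed AND aligned)
    spf_aligned: bool     # policy_evaluated/spf == pass (SPF passed AND aligned)

    @property
    def dmarc_pass(self) -> bool:
        # DMARC needs only one aligned mechanism to pass
        return self.dkim_aligned or self.spf_aligned


def parse_aggregate_report(xml_text: str) -> list[SourceRow]:
    """Flatten every <record> of an aggregate report into a SourceRow."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append(SourceRow(
            source_ip=row.findtext("source_ip"),
            count=int(row.findtext("count")),
            disposition=evaluated.findtext("disposition"),
            dkim_aligned=evaluated.findtext("dkim") == "pass",
            spf_aligned=evaluated.findtext("spf") == "pass",
        ))
    return rows


def unauthenticated_sources(rows: list[SourceRow]) -> dict[str, int]:
    """Message counts per IP that failed DMARC: the list someone must triage
    (an unconfigured legitimate vendor, or a spoofer) before enforcing."""
    failed: dict[str, int] = {}
    for r in rows:
        if not r.dmarc_pass:
            failed[r.source_ip] = failed.get(r.source_ip, 0) + r.count
    return failed


# Constructed report: one aligned sender, one spoofer, and one bulk
# sender whose SPF passes for its own domain but is not aligned with From:.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulkmailer.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""

if __name__ == "__main__":
    policy = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email")
    print("policy:", policy["p"], "reports to:", policy["rua"])
    for ip, n in unauthenticated_sources(parse_aggregate_report(SAMPLE_REPORT)).items():
        print(f"{ip}: {n} messages failed DMARC; identify this sender before enforcing")
```

The third record is the case that stalls most DMARC projects: a legitimate vendor whose SPF passes for its own envelope domain but is not aligned with your From: domain, so under p=reject its mail is dropped until SPF is updated or DKIM signing for your domain is set up for that service.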

How Microsoft Office 365 and Valimail Authenticate work together

Microsoft launched Office 365 to drive an industry-wide shift toward cloud-based services and API-driven integrations. As cloud became the norm for even the most security-conscious enterprises, companies authorized more and more vendors to send email on their behalf—such as Salesforce, Marketo, Splunk, Workday, DocuSign, Twilio SendGrid, and more.

Valimail built Authenticate to address this new, cloud-connected landscape. By automating the identification of email senders and the subsequent policy-setting needed to keep domains protected, Valimail Authenticate offers users a modern, efficient path to DMARC enforcement. Native integration to Microsoft Office 365 ensures Microsoft customers don’t have to worry about configurations, manually identifying senders, or pulling in extra resources to get DMARC done right.

Here’s how Microsoft Office 365 customers can get started with Authenticate and reach DMARC enforcement in just a few minutes:

Image demonstrating process to start utilizing Valimail Authenticate.

Figure 1. Microsoft users can get started with one click. Authenticate configures DNS settings for DKIM and SPF automatically behind the scenes.

You’ll then run through a few steps that help Authenticate enforce your DMARC policy. First, Authenticate will automatically match all your known email senders with its existing catalog—you won’t see IP addresses, you’ll see the names of services you know.

Image demonstrating visibility of services sending email under your domain.

Figure 2. Get free visibility into the services sending email under your domain.

For unrecognizable or possibly fraudulent services, quickly mark them to be blocked or quarantined. You’ll be notified if any new ones are found later, so you’ll never wonder if you’ve caught everything.

Image demonstrating intuitive workflow of Valimail Authenticate’s tasks.

Figure 3. Guided task lists make Authenticate easy for anyone to use; work through each task to authenticate domain services in a simple, intuitive workflow.

Authenticate will ensure your SPF and DKIM records stay up to date. If you ever need to check the logs or do a technical deep-dive, you can access detailed information on your DMARC settings whenever you wish.

Image demonstrating Valimail Authenticate’s ability to display activity in every domain and service at every stage of the process.

Figure 4. Authenticate shows you what’s happening for every domain and service at every stage of the process.

Together, Microsoft’s unparalleled protection through Microsoft 365, coupled with Valimail Authenticate, makes protecting your domain globally as easy as 1, 2, 3. It starts with Microsoft 365 users getting free visibility into DMARC enforcement, plus a free trial of all the features of Valimail Authenticate. Get started today.

About Valimail

Valimail is the global leader in Zero Trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world’s largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the US Federal Aviation Administration. Valimail is the fastest-growing DMARC solution with the largest global market share and is the premier DMARC partner for Microsoft 365 environments. For more information visit their website.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1. Internet Crime Report, Internet Crime Complaint Center (IC3), Federal Bureau of Investigation, 2020.

2. Forrester names Microsoft a Leader in the 2021 Enterprise Email Security Wave, Rob Lefferts, Microsoft 365 Security, 6 May 2021.

3. Valimail Joins Microsoft Intelligent Security Association, Cision, PR Newswire, 25 September 2018.

4. Gartner Top 10 Security Projects for 2020-2021, Kasey Panetta, Smarter with Gartner, 15 September 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The post Get free DMARC visibility with Valimail Authenticate and Microsoft Office 365 appeared first on Microsoft Security Blog.

How to protect your CAD data files with MIP and HALOCAD

July 22nd, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Computer-aided design (CAD) files are used by design professionals in the manufacturing, engineering, architecture, surveying, and construction industries. These highly valuable files contain confidential information and form the core intellectual property (IP) of the businesses that create them.

Loss of such proprietary information to an outsider or a competitor can have disastrous effects, including lost sales, lost market share, and reduced profit margins. However, these industries often collaborate with other design partners or vendors, or share their design parts with smaller manufacturers. Product blueprints and designs are regularly exchanged, both within and outside the organization’s network boundaries. In such cases, there is a high possibility of a data leak.

Data loss or theft can occur in any one of the following ways:

  1. Every time you send a file to another person, a copy is usually made and stored online. Once the file leaves the organization there is no guarantee that it is safe unless it is adequately protected.
  2. Storing and transferring the file to another system.
  3. A malicious insider may have a copy of the file and the ability to share the information with an outsider, even after leaving the organization.

Microsoft Information Protection works where perimeter security fails

Organizations may use encryption programs, secure file transfer protocol, and other access control methods to prevent data leaks and data theft. However, once these files leave their original repository it is very difficult to keep track of their usage.

To solve this problem, organizations have invested in Microsoft Information Protection (MIP), an intelligent, unified, and extensible solution to protect sensitive data across your enterprise—in Microsoft 365 cloud services, on-premises, third-party software as a service (SaaS) applications, and more. MIP provides a unified set of capabilities to know your data, protect your data, and help prevent data loss across Microsoft 365 apps (such as Word, PowerPoint, Excel, and Outlook) and services (such as Teams, SharePoint, and Exchange).

Microsoft Information Protection capabilities.

When you have already invested in an excellent information protection system, it isn’t prudent to buy a second one. But what can be done to solve the problem above?

MIP and HALOCAD for secured digital collaboration at a global scale

SECUDE has integrated its HALOCAD solution with Microsoft’s MIP SDK, which extends data protection beyond the organization’s IT perimeter. HALOCAD not only integrates as a MIP SDK add-in into the content authoring environment but also works as an add-on to the content repository and implements information protection policies across supported repositories.

HALOCAD solution architectural diagram 1

With over two decades of experience in the data security field, SECUDE has a track record of extending MIP capabilities to SAP environments, especially when sensitive information is exported from SAP. HALOCAD seamlessly applies MIP labeling templates to CAD files, simply and cost-effectively. It also applies the label in the content repository where the engineering processes for storing and sharing CAD files are kept.

Let us look at a hypothetical scenario of how data collaboration happens between the engineering team and external third-party vendors and suppliers with HALOCAD and MIP:

HALOCAD solution architectural diagram 2

In the above scenario, the design files move seamlessly across the supply chain with MIP sensitivity labels applied automatically and user privileges as defined by the organization.

Scenario 1 (Designer):

The user is the designer who owns the design files. Based on the defined user privilege, the designer can view, edit, copy, print, and export the files.

Scenario 2 (Engineer):

The user is an engineer who consumes the design file shared with them by the engineering team. The engineer can view and edit the files. They can make modifications to the original file and share it. They do not have the privilege to copy, print, or export the file, or to use the snipping tool to make a copy.

Scenario 3 (Partner who has SECUDE solution):

In a typical manufacturing environment, the CAD drawings are shared with a lot of third-party partners and vendors across the supply chain for day-to-day operations. In this scenario, the partner who has purchased the SECUDE solution can only view the CAD files per the set privilege enforcement.

Scenario 4 (Unauthorized user):

If an unauthorized user outside of the organization tries to open the CAD drawings, the files remain encrypted and cannot be opened.
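The four scenarios above are one instance of the attribute-based access control (ABAC) pattern that both this post and the NC Protect post earlier on this page describe: the sensitivity label on the file, combined with attributes of the user and the session (role, clearance, device, location, guest or internal), yields a set of usage rights, and a user who cannot satisfy the label sees only ciphertext. The following is an added illustration of that pattern, not SECUDE’s, archTIS’s or Microsoft’s code; the label names, roles, and rule thresholds are constructed for the example.

```python
"""Attribute-based access control (ABAC) for MIP-labelled files.

Added illustration of the pattern described by the HALOCAD scenarios and
the NC Protect "How it works" section on this page; it is not either
vendor's code or Microsoft's. Labels, roles and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

ALL_RIGHTS = frozenset({"view", "edit", "copy", "print", "export"})
# Ordered sensitivity labels (constructed); higher rank = more sensitive.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}
# Baseline rights per role, before conditions at time of access are applied.
ROLE_BASELINE = {
    "designer": ALL_RIGHTS,                          # scenario 1
    "engineer": frozenset({"view", "edit"}),         # scenario 2
    "partner": frozenset({"view"}),                  # scenario 3
}


@dataclass(frozen=True)
class User:
    role: str                    # designer, engineer, partner, ...
    clearance: str               # highest label the user may read
    internal: bool               # member of the organization's directory
    managed_device: bool         # device enrolled and compliant
    location: str                # coarse network location: office, remote, ...
    has_protected_client: bool   # client can decrypt label-protected files


@dataclass(frozen=True)
class ProtectedFile:
    name: str
    label: str                   # MIP-style sensitivity label


def can_decrypt(user: User, f: ProtectedFile) -> bool:
    """Scenario 4: without a capable client or sufficient clearance the file
    stays ciphertext, whatever its extension says."""
    return user.has_protected_client and LABEL_RANK[user.clearance] >= LABEL_RANK[f.label]


def rights_for(user: User, f: ProtectedFile) -> frozenset[str]:
    """Rights granted to `user` on `f` under the conditions at time of access.

    Conditions can only remove rights from the role baseline, never add them,
    so a compromised or unmanaged session degrades gracefully to read-only.
    """
    if not can_decrypt(user, f):
        return frozenset()
    rights = set(ROLE_BASELINE.get(user.role, frozenset()))
    if LABEL_RANK[f.label] >= LABEL_RANK["Confidential"]:
        if not user.managed_device:
            rights -= {"copy", "print", "export"}   # no local copies off-device
        if user.location != "office":
            rights -= {"print", "export"}           # no hard copies off-site
    if not user.internal:
        rights &= {"view"}                          # guests never modify or take copies
    return frozenset(rights)


def decision_log(user: User, f: ProtectedFile) -> str:
    """One line suitable for an audit trail of each access decision."""
    granted = sorted(rights_for(user, f)) or ["DENY (ciphertext only)"]
    return f"{f.name} [{f.label}] role={user.role} internal={user.internal} -> {', '.join(granted)}"


if __name__ == "__main__":
    bracket = ProtectedFile("bracket.dwg", "Confidential")
    users = [
        User("designer", "Highly Confidential", True, True, "office", True),
        User("engineer", "Highly Confidential", True, True, "office", True),
        User("partner", "Confidential", False, False, "remote", True),
        User("unknown", "Public", False, False, "remote", False),
        User("designer", "Highly Confidential", True, False, "remote", True),
    ]
    for u in users:
        print(decision_log(u, bracket))
```

The last user in the demo is the designer from scenario 1 working remotely on an unmanaged device: the role still permits editing, but the label-driven conditions strip copy, print and export, which is the "dynamic" part of dynamic access control.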

Benefits of SECUDE’s HALOCAD

  1. HALOCAD extends the security templates provided by MIP to sensitive CAD files throughout the design lifecycle.
  2. HALOCAD applies sensitivity labels automatically during the check-out process, without user engagement.
  3. HALOCAD preserves the file extension, so users see no difference and the workflow is not disrupted.
  4. If an unauthorized user tries to open a document in an AutoCAD application without the HALOCAD extension, they will not be able to open the file, even though its extension is still *.dwg.
  5. HALOCAD currently supports the following CAD applications:
    • Autodesk Inventor and AutoCAD
    • PTC Creo
    • Siemens NX and Solid Edge
  6. HALOCAD also supports the following PLM applications:
    • PTC Windchill
    • Siemens Teamcenter
    • SAP PLM/ECTR

For more information about the HALOCAD solution, please visit the SECUDE HALOCAD website. You can also find HALOCAD in Azure Marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Reference

The post How to protect your CAD data files with MIP and HALOCAD appeared first on Microsoft Security Blog.

MISA expands portfolio and looks ahead during Microsoft Inspire

July 14th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA.

Welcome to fiscal year 2022 (FY22) and my first official blog as the MISA Lead. It’s been a whirlwind couple of months getting up to speed with all things MISA—closing out FY21 while continuing to build on the great foundation my predecessor laid out as I strategize where to go from here. More to come on that, but first let’s take a moment to reflect and celebrate what MISA and our members have accomplished over the past year and take a sneak peek into what’s next.

MISA saw fantastic growth in FY21, having grown to more than 246 member companies, including 176 independent software vendors (ISVs) creating 259 integrations. We expanded to include managed security service providers (MSSPs) and now have 67 MSSP members providing 165 managed service offers. We also expanded the MISA product portfolio to include five new compliance products, increasing our footprint across more Microsoft technologies. And we’re excited to be bringing two more products into our portfolio, which we will discuss a little later in this blog. MISA’s growth is proof of the value we bring in helping customers better defend against increasingly sophisticated threats, and it demonstrates the value Microsoft Security sees in our partner community.

Have you seen the new look and feel of Microsoft Security? No? Yes? Well, be on the lookout—you’ll start to notice that MISA branding will be refreshed to align with the new look of Microsoft Security, emphasizing the strength of integrated solutions for a seamless user experience.

Exciting offer for MISA members

If you missed our last MISA office hours, MISA members can view the recording, and the presentation is available to the public. MISA members can request exam certification vouchers as part of their member benefits. Vouchers are redeemable only for Security, Compliance, and Identity (SCI) Fundamentals and Advanced Role Based (ARB) exams. MISA members can request vouchers each quarter, up to a total of four exam requests per Microsoft fiscal year.

MISA members, please email us for more information. Don’t miss the first quarter request deadline on July 20, 2021.

Bulletproof wins Microsoft Security Partner of the Year Award 2021

We are thrilled to announce that MISA member Bulletproof has been selected as the 2021 Security Partner of the Year. The Security Partner of the Year Award (POTYA) recognizes a partner who is doing an exceptional job of providing customers with end-to-end security solutions (versus one-point solutions) based on Microsoft Security, Compliance, and Identity capabilities in Microsoft 365 and Microsoft Azure Security. With only one Security category for Partner of the Year, Bulletproof rose to the top among a field of more than 160 entries.

Headquartered in Canada, Bulletproof is an award-winning Gold Microsoft Partner with 12 Gold competencies and was recently inducted to MISA. Additionally, Bulletproof has achieved Microsoft’s Advanced Specialization in Threat Protection. The company has offices across Canada, the US, Europe, the Middle East, and Africa (EMEA) with users on six continents who trust Bulletproof to secure their identities, networks, data, and devices.

Bulletproof does an exceptional job of fostering trust in a Zero Trust world by providing customers with end-to-end solutions based on Microsoft security and compliance capabilities in Microsoft 365 and Microsoft Azure. Their family of managed services includes Bulletproof 365 Enterprise (B365E), which combines Microsoft 365 Security, the strength of Azure Security, and Bulletproof’s security pedigree to provide a Zero Trust framework with two levels of all-day monitored security vigilance—proactive protection that stops threats before they happen and responsive security that automatically contains threats when they occur.

B365E enables customers to modernize and improve their security posture with cost-effective, seamless, and intelligent managed security and automated threat containment that doesn’t slow productivity. Bulletproof 365 Workplace integrates the power of Microsoft 365 cloud productivity solutions—wrapped with advanced cloud app security, unmatched employee education, and all-day IT support. The company’s latest addition, Bulletproof 365 Compliance, adds a managed information protection service to the company’s offerings.

A key differentiator for Bulletproof is their Microsoft SWAT Team, experts who meet with customers to directly handle questions about the technical details of proposed products and offerings, accelerating each customer’s journey to improved security. Tight alignment with Microsoft recently helped Bulletproof on a competitive win with a global real estate company looking for a best-of-breed solution.

“We’re still pinching ourselves to be perfectly honest,” said Chris Johnston, Bulletproof CEO. “Being recognized with the Security 2021 Microsoft Partner of the Year Award at the global level is an incredible honor that truly validates the significant impact Bulletproof’s end-to-end security solutions are having in driving value (and peace of mind) for Microsoft customers. Thank you, Microsoft, for your ongoing collaboration, inspiration and support, and this exciting and entirely humbling recognition. And to all the 2021 award winners, finalists, and partners at large who enabled and supported customers through the accelerated digital transformation we have seen this past year, we applaud you.”

Listen to the conversation between Chris Johnston, CEO of Bulletproof, and Phil Montgomery, the new General Manager of Microsoft Security GTM.

Expanding the MISA product portfolio

We’re excited to share that we’ll be extending Azure Defender for IoT to include our managed security service providers (MSSPs). We’re also welcoming MSSPs supporting Microsoft Defender for Office 365.

Azure Defender for IoT to include MSSPs

Azure Defender for IoT provides agentless asset discovery, vulnerability management, and threat monitoring for IoT and Operation Technology (OT) environments, with flexible deployment options including fully on-premises, cloud-connected, or hybrid. It is tightly integrated with Azure Sentinel and supports third-party security operation center (SOC) tools including Splunk, IBM QRadar, and ServiceNow.

“Operational Technology is integral to many sectors and critical to those that support public services. By leveraging Defender for IoT and integrating it into the Microsoft Security ecosystem, we’re able to provide threat detection across the IT and OT boundaries without interrupting production systems. Bringing OT into the SOC allows us to work with our customers to protect their existing OT environments and help them embrace the cloud transformation, knowing that the services are secure and managed end-to-end. We are happy that Azure Defender for IoT has been extended to MSSPs in MISA, so we can gain product insights to extend solution capabilities of our managed services.”—Martin Riley, Director, Managed Security Services, Bridewell Consulting

Microsoft Defender for Office 365 to include MSSPs

Microsoft Defender for Office 365 provides integrated threat protection for all of Office 365, helping protect customers and their email and collaboration tools against advanced threats like business email compromise and credential phishing. MSSPs’ managed services for Microsoft Defender for Office 365 are now supported in MISA, streamlining the involvement of in-house security teams.

“Limited resources and rapidly evolving threats can create operational gaps for our clients. Optiv managed services provide outcome-based services across the security capabilities built into Microsoft 365 to protect vulnerable attack vectors. Incorporating Microsoft Defender for Office 365 in our solutions helps protect against email compromise, credential phishing, and more, so we can protect our clients’ businesses. We are pleased that Defender for Office 365 has joined the MISA family and look forward to increased visibility and co-marketing opportunities for our managed services.”—Justin Staffel, Director, Microsoft Alliance, Optiv Security, Inc.

Security, compliance, and identity at Microsoft Inspire

Microsoft Inspire kicks off today, and the security team will be there in full force. This year’s event will deliver a cross-cloud narrative embracing five themes:

  1. Microsoft cloud enables digital transformation across industries.
  2. Drive business growth with the most partner-focused business platform.
  3. Evolving Microsoft cloud for a new world of work.
  4. Innovate from cloud to edge on your terms.
  5. Build a foundation of trust and security.

Security, compliance, identity, and management will be a key focal point of the event highlighted in the “Build on a foundation of trust and security” theme. Throughout the two-day event, we’ll demonstrate how our partners can grow their business by offering comprehensive solutions and earn customers’ trust by partnering with the leading security company.

Security, compliance, identity, and management sessions:

  • One theme session.
  • Four breakout sessions airing separately in both US and EMEA time zones.
  • Eight “Ask the Experts” sessions, each accompanied by a corresponding live Q&A session delivered immediately afterwards.
  • Three on-demand sessions: Each will become available July 14, 2021, at 10 AM following the delivery of the Day one keynote and can be watched at any time during or after the event.

Check out Corporate Vice President (CVP) Vasu Jakkal’s security, compliance, and identity blog to find out more.

Be sure to visit the Microsoft Inspire website and bookmark the following sessions:

 

  • TS03-R1 (Session 1, Session 2): Build on a foundation of trust and security. Speakers: Vasu Jakkal, CVP, Security, Compliance, and Identity; Rodney Clarke, CVP, Global Channel Sales; Lucas Joppa, Chief Environmental Officer; Jenny Lay-Flurrie, Chief Accessibility Officer.
  • BRK121 (Session 1, Session 2): Modernize security and defend against threats. Speaker: Scott Woodgate, Sr. Director, Product Marketing.
  • BRK123 (Session 1, Session 2): Accelerate customer transformation with cloud security solutions from Microsoft. Speaker: Adwait (AJ) Joshi, Director, Product Marketing.
  • BRK124 (Session 1, Session 2): Build your business by managing risk and securing customer information. Speaker: Alym Rayani, GM, SCI Compliance.
  • BRK122 (Session 1, Session 2): Identity and endpoint management—a strong foundation for Zero Trust and profitability. Speakers: Irina Nechaeva, Sr. Director, Product Marketing; Gideon Bibliowicz, Director of Product Marketing.
  • OD122: Build a business around helping customers drive towards a Zero Trust framework. Speaker: Cedric Depaepe, Security Architect/Partner Marketing Manager.
  • OD121: Building a business around providing modern security operating center services to customers. Speakers: Mandana Javaheri, Global Director, SCI Business Development; Mayank Kapur, Sr. Partner Marketing Manager.
  • OD123: Going to market with Microsoft. Learn how to maximize Microsoft’s channel investments this coming year. Speaker: Nomi Nazeer, Sr. Partner Marketing Manager.
  • ATEBRK121-R1: Ask the Experts: Modernize security and defend against threats (R1). Speakers: Carissa Broadbent, Product Marketing Manager; Jeff Chin, Incubation Security Specialist; Cristhofer Romeo Muñoz, Program Manager.
  • ATEBRK121: Ask the Experts: Modernize security and defend against threats. Speakers: Zvi Ben Sheffer, Principal PM Manager; Scott Woodgate, Sr. Director, Product Marketing; Nomi Nazeer, Sr. Partner Marketing Manager.
  • ATEBRK123-R1: Ask the Experts: Accelerate customer transformation with cloud security solutions from Microsoft (R1). Speakers: Albert Chew, Sr. Product Marketing Manager; Tom Janetscheck, Sr. Program Manager, Azure Security Center CxE; Adam Jung, Sr. Product Marketing Manager; Nomi Nazeer, Sr. Partner Marketing Manager; John Lewis, Program Manager.
  • ATEBRK123: Ask the Experts: Accelerate customer transformation with cloud security solutions from Microsoft. Speakers: Nathalia Bittar, Sr. Product Marketing Manager; Yuri Diogenes, Principal Program Manager; Adwait (AJ) Joshi, Director, Product Marketing; Caroline Lee, Program Manager; John Lewis, Program Manager.
  • ATEBRK124-R1: Ask the Experts: Build your business by managing risk and securing customer information. Speakers: Jim Banach, Architect; Shilpa Bothra, Product Marketing Manager; Raman Kalyan, Director, Product Marketing; Jenny Li, Program Manager; Nomi Nazeer, Sr. Partner Marketing Manager; Eric Ouellet, Sr. Product Marketing Manager; François Van Hemert, Compliance Architect/Partner.
  • ATEBRK124: Ask the Experts: Build your business by managing risk and securing customer information. Speakers: Shilpa Bothra, Product Marketing Manager; Raman Kalyan, Director, Product Marketing; Jenny Li, Program Manager; Nomi Nazeer, Sr. Partner Marketing Manager; Eric Ouellet, Sr. Product Marketing Manager.
  • ATEBRK122: Ask the Experts: Identity and endpoint management—a strong foundation for Zero Trust and profitability. Speakers: Gideon Bibliowicz, Director of Product; Cedric Depaepe, Security Architect/Partner; Adam Harbour, Product Marketing Manager; Irina Nechaeva, Sr. Director, Product Marketing; Patrick Payette, Sr. Partner Marketing Manager.
  • ATEBRK122-R1: Ask the Experts: Identity and endpoint management—a strong foundation for Zero Trust and profitability (R1). Speakers: Harish Aitharaju, Principal Program Manager; Cedric Depaepe, Security Architect/Partner; Adam Harbour, Product Marketing Manager; Gideon Bibliowicz, Director of Product Marketing; Irina Nechaeva, Sr. Director, Product Marketing; Patrick Payette, Sr. Partner Marketing Manager.

Learn more

To learn more about MISA, watch this two-minute video or visit our website where you can find out more about the MISA program, product integrations, and locate MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post MISA expands portfolio and looks ahead during Microsoft Inspire appeared first on Microsoft Security Blog.

Improve your threat detection and response with Microsoft and Wortell

June 17th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA.

The way of working is changing rapidly. Many workloads are moving to the cloud and the pandemic accelerated organizations to provide infrastructure to aid employees working from anywhere (or mostly from home) at any time and, when possible, from any device (corporate or private). The security team needs to keep up with an increased workload on top of their often already stretched budget, resources, and focus. Working through many alerts from ever-changing situations is challenging: how can they prioritize? And how can they handle them with only a finite number of people?

Keeping up and reviewing these alerts is challenging enough for most security teams let alone investigating and responding to these alerts around the clock. This means that a critical alert can be missed, and incidents can follow soon after disrupting the productivity of a colleague (in a best-case scenario) or disrupting the entire business at great expense (in a worst-case scenario).

Threat actors don’t work standard business hours and often an attack consists of several smaller incidents that can lead up to a major event, such as loss of productivity, data loss with a high cost of recovery, and time lost. To see the bigger picture, you need to make sure you see every piece of the puzzle without creating alert fatigue. This is where Wortell managed services can help.

How Wortell helps reduce alert fatigue

The number of alerts that are generated by an organization depends on multiple factors. These can be the type of organization as well as the number of employees and the complexity of the workloads. If these are not properly triaged, then a lot of time can be spent on false positive alerts that take precious time away from security professionals. In fact, an average of 90 percent of alerts can be resolved automatically, thus reducing the amount of false-positive alerts.

Reducing the number of false-positive alerts is key in effective managed detection and response. Investigating false notifications costs time and money. That is money that your organization could have spent elsewhere. Security, by design, is key in providing cost-effective managed detection and response. By providing the right configuration of tools and workloads, you can reduce the number of alerts. Wortell provides full service from baseline configuration to managed services with their security professionals and Managed Detection and Response (MDR) team.

  1. Baseline configuration: They provide their knowledge and expertise when configuring identity protection as a baseline for security. Then they configure and deploy endpoint security baseline to start detecting.
  2. Automated response: After receiving the first signals from your endpoints they can start setting up automated responses. This is a combination of the experience of Wortell best practices as well as customer-specific use cases.
  3. Managed services: Alerts are monitored and investigated at all times by a dedicated MDR team.

With Wortell MDR services, you as a customer can focus on your main business and they make sure that incidents are stopped before they become a threat.

Wortell provides threat protection with Microsoft Defender and Microsoft Azure Sentinel to collect those individual alerts in a single dashboard. This allows them to get insights across the platform and discover the individual puzzle pieces of an attack before they become a threat.

They provide added value with their Vidara™ platform by providing automation of alerts and triage. The combination of the Microsoft products and the services from Wortell make up their MDR for around-the-clock threat protection.

Managed Detection and Response: The reinvented security operation center

Setting up a security operation center is complex. It requires infrastructure in place and can take months to get fully deployed. MDR is cloud-native and takes days to set up instead of months. The benefits don’t stop there. On the detection side, you gain proactive threat hunting and the ability to detect and mitigate zero-day attacks, insider threats, and malware, where a traditional solution would only have been able to reactively detect incidents and known vulnerabilities.

This means that the return on investment is result-driven and starts providing value right from the start, without a lengthy implementation time and its associated costs. The managed part means that you as a customer can pay per user and don’t need to make a big investment upfront. Wortell will discuss the key performance indicators and provide you with a service level agreement, and then they are ready to start detecting alerts and keeping your environment safe.

Use case: Crisis averted

In one anonymized customer scenario, the Wortell MDR team detected unusual behavior within the customer’s environment. On its own, the behavior did not raise any flags, but the combination of alerts told a different story: a ransomware attack was unfolding and a battle for control had started, a worst-case scenario for any organization and a real crisis internally.

“During this crisis, Wortell did not only provide the standard MDR services but also helped us to shape crisis management (such as structuring, setting priorities, take immediate actions based on vigilance). In doing so, they took full responsibility for keeping the environment under control. Wortell is our most crucial security partner. Their around the clock MDR services prevented a ransomware attack last month.”—Anonymous organization in the chemical industry

The security specialists worked closely with the Microsoft DART team and demonstrated excellent performance. Wortell highly appreciates such a partner in their security ecosystem. Because of the early signals and correlations across the different services, the threat was detected before it became a problem and was mitigated before it could enact control over the environment. Crisis averted.

How Wortell works

By defining a solid baseline for security, Wortell can reduce the number of alerts by design. The alerts that are left can largely be automated by defining the right use cases with the customer and providing the insight and experience of the Wortell MDR team. The alerts that are left are triaged by the MDR team and in case of an incident, they provide the customer with the right choices to resolve the incident and mitigate the risk.

By mapping the MITRE ATT&CK Framework to their use cases, they can detect indicators of compromise before they become a threat or automatically isolate those threats for remediation. This allows all their customers to benefit from any new use cases that are added to their platform from day one.

Their security analyst team in the Netherlands then provides around-the-clock coverage with eyes on the screen to respond to incidents in real time. The combination of automation, standardization, and the human factor allows them to manage multiple organizations at once and to provide scalable and affordable MDR for their customers.
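The pipeline described in the three steps above (baseline, automated resolution of expected activity, and human triage of what is left, with use cases mapped to MITRE ATT&CK), as an added example that is not Wortell’s code or the Vidara platform. The technique-to-tactic table, the auto-resolve rules, the window and threshold, and the sample alerts are all constructed for illustration; the point it shows is how alerts that are harmless on their own become one incident once correlated.

```python
"""Toy MDR triage pipeline: automated resolution of expected alerts, then
correlation of the rest so that individually weak signals surface as a single
incident. Added example; not Wortell's code and not the Vidara platform."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed mapping from a few MITRE ATT&CK technique ids to their tactic.
TACTIC_OF = {
    "T1566.001": "initial-access",    # spearphishing attachment
    "T1059.001": "execution",         # PowerShell
    "T1053.005": "persistence",       # scheduled task
    "T1021.002": "lateral-movement",  # SMB / admin shares
    "T1490": "impact",                # inhibit system recovery
}
WINDOW = timedelta(hours=2)  # how far apart alerts may be and still chain together
MIN_TACTICS = 3              # distinct tactics needed before a chain is escalated

@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    technique: str
    detail: str

@dataclass
class Incident:
    user: str
    tactics: list
    alerts: list

# Step 2 use cases: constructed rules that resolve expected activity automatically.
AUTO_RESOLVE = [
    lambda a: a.technique == "T1053.005" and a.user == "svc-backup",  # backup job re-registers its task
    lambda a: a.technique == "T1059.001" and a.user == "svc-patch",   # patch agent runs PowerShell
]

def triage(alerts):
    """Split alerts into (still_open, auto_closed) using the AUTO_RESOLVE rules."""
    still_open, auto_closed = [], []
    for a in alerts:
        (auto_closed if any(rule(a) for rule in AUTO_RESOLVE) else still_open).append(a)
    return still_open, auto_closed

def correlate(alerts):
    """Step 3: per user, escalate the first window of alerts spanning MIN_TACTICS tactics."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a.user].append(a)
    incidents = []
    for user, items in by_user.items():
        items.sort(key=lambda a: a.ts)
        for i, first in enumerate(items):
            chain = [a for a in items[i:] if a.ts - first.ts <= WINDOW]
            tactics = {TACTIC_OF.get(a.technique, "unknown") for a in chain}
            if len(tactics) >= MIN_TACTICS:
                incidents.append(Incident(user, sorted(tactics), chain))
                break  # one incident per user is enough for the analyst to pick up
    return incidents

def run_pipeline(alerts):
    """Steps 2 and 3 together: returns (incidents, still_open, auto_closed)."""
    still_open, auto_closed = triage(alerts)
    return correlate(still_open), still_open, auto_closed

T0 = datetime(2021, 5, 12, 2, 10)
# Constructed sample alerts; none of them is alarming on its own.
SAMPLE_ALERTS = [
    Alert(T0 - timedelta(hours=1), "srv-db01", "svc-backup", "T1053.005", "scheduled task NightlyBackup modified"),
    Alert(T0, "ws-017", "j.doe", "T1566.001", "macro-enabled attachment opened from mail client"),
    Alert(T0 + timedelta(minutes=3), "ws-017", "j.doe", "T1059.001", "PowerShell launched by the document editor"),
    Alert(T0 + timedelta(minutes=5), "ws-042", "a.lee", "T1059.001", "interactive PowerShell console started"),
    Alert(T0 + timedelta(minutes=15), "ws-017", "j.doe", "T1053.005", "new scheduled task registered"),
    Alert(T0 + timedelta(minutes=20), "srv-app03", "svc-patch", "T1059.001", "PowerShell run by patch agent"),
    Alert(T0 + timedelta(minutes=40), "srv-fs02", "j.doe", "T1021.002", "admin share opened from ws-017"),
    Alert(T0 + timedelta(minutes=55), "ws-017", "j.doe", "T1490", "volume shadow copy deletion attempted"),
]

if __name__ == "__main__":
    incidents, still_open, auto_closed = run_pipeline(SAMPLE_ALERTS)
    print(f"{len(auto_closed)} auto-closed, {len(still_open)} open, {len(incidents)} incident(s)")
    for inc in incidents:
        print(inc.user, "->", " > ".join(inc.tactics))
```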


Figure 1: Architectural diagram of Wortell’s MDR for two anonymous customers.

Supercharging with the Vidara™ platform

Every action inside of an IT environment can be logged and can be part of an attack. To discover if an action is part of a larger attack, they need to make sure the right alerts are triaged, explored, and when needed, mitigated.

Wortell uses an in-house developed machine learning-driven platform called Vidara™ to extend the detection possibilities of the Microsoft platform. This neural network can detect and respond to the most complex security incidents at high speed.

Key features of Vidara™ include:

  • Organization-tailored threat intelligence.
  • Extending detection by providing a use case library.
  • Automated responses.

Start detecting today

Eager to find out what Wortell can do for you? They provide a no-cure no-pay solution, where the first month of detection and response is free if they cannot add value to your organization. That is how confident they are in their services.

See why Wortell won the MS@WORK award for inclusion in the workplace.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Improve your threat detection and response with Microsoft and Wortell appeared first on Microsoft Security Blog.

odix and Microsoft: Protecting users against malware attacks with free FileWall license

June 2nd, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA.

The fight against malware has become the epic battle of our generation, placing businesses of all sizes against a never-ending stream of hackers and zero-day attacks bent on compromising security perimeters. The recent SolarWinds breach¹ illustrates how much is currently at stake.

According to the Verizon 2020 Data Breach Investigations Report², an estimated 94 percent of malware is delivered via email with 90 percent of malware hidden in common file types such as PDF, Word, Excel, and Zip.

What is Content Disarm and Reconstruction (CDR)?

CDR describes the process of creating a safe copy of an original file by including only the safe elements from the original file. The process offers a detection-less and streamlined solution that is notably different from common sandbox-based antimalware tools in the market.

On a granular level, CDR focuses on verifying the validity of the file structure on the binary level and disarms both known and unknown threats.

With CDR, most malware forms–including zero-days, which are maliciously embedded in transit files–are sanitized and purged of malicious content. This ensures the end-user can access only malware-free content, while still maintaining maximum file functionality.

odix, an Israel-based cybersecurity company leading the way in content disarm and reconstruction technology, has developed a range of solutions to fully complement and strengthen existing Microsoft security systems. Through the addition of FileWall, a Microsoft certified Cloud Solution Provider (CSP) can easily improve email security within a few clicks.

FileWall’s granular type filter optimizes administrators’ malware protection capabilities, allowing them to easily ensure that only necessary file types reach the end-user, according to each user’s file access permissions. The FileWall type filter leverages CDR technology to purge embedded and nested files. By adding the CDR process to Microsoft’s existing sandbox-based protections, users are better prepared to defend against the threats of unknown malware.

How FileWall integrates with Microsoft security technology

odix’s FileWall solution was created from square one to fully integrate with the Microsoft Graph Security API, Microsoft Azure Sentinel, and Exchange Online. As a result of odix’s native level integration with many of Microsoft’s core security mechanisms, FileWall’s deep file inspection capabilities don’t impact latency or compromise Microsoft’s native security protection. FileWall’s integration enables simultaneous reporting of malicious events and embedded suspicious content discovered within files to Microsoft Azure Sentinel.

In complex file scenarios, such as nested files and password-protected attachments, traditional sandbox methods can miss threats or introduce lengthy delays that disrupt business processes. FileWall instead relies upon a detection-less process to remove unknown malware and block malicious elements embedded in files, providing near-instant sanitization and reconstruction of files with simple click deployment.

FileWall works alongside Microsoft’s security controls, gives greater visibility into incoming files, and triggers an automated response from Microsoft Exchange Online to mitigate the impact of malware accordingly.

Microsoft 365 and Exchange Online administrators can get a free license of FileWall here.

Architectural diagram displaying odix integrating with the Graph Security API, Exchange Online, and Microsoft Azure Sentinel.

Protecting emails: FileWall’s granular type filter

The FileWall file type filter allows the Microsoft 365 system admin to define which file types are permitted to enter the organization and which should be blocked. This minimizes the attack surface the organization is exposing via email by eliminating the threat vectors available in certain file types.

Screenshot of FileWall’s Content Disarm Control.

The type filter has three main controls:

  1. On/Off: Enabling or disabling the filter functionality on all file types.
  2. Work mode (Whitelist/Blacklist): The ability to create pre-set lists of permitted and non-permitted file types for specific users within the organization.
  3. Default settings: Suggested default policy by FileWall, which includes 204 file types categorized as dangerous, including executable files (exe), Windows batch files (bat), Windows links (lnk), and others.

The sandbox handles executables and active content, so it works only on files that FileWall does not treat. As most organizational traffic consists of non-executable documents, this division can reduce sandbox load by 90 to 95 percent, lowering total costs and improving average latency.
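The three controls above and the split between CDR and sandbox, as an added example of an attachment type filter. This is illustration code written for this article, not FileWall's; the signature table, the work-mode names, the nesting and size limits, and the sample attachments are constructed assumptions. It goes beyond the text in one respect: it decides by file content rather than by the name the sender chose, so an executable named like a document is still treated as an executable.

```python
"""
Constructed attachment type filter (illustration only, not FileWall code).
Classifies by content rather than file name, supports allow-list and
block-list work modes, inspects ZIP containers for nested or
password-protected members, and routes permitted files to CDR (documents)
or to a sandbox (executables and other active content).
"""
import io
import zipfile
from dataclasses import dataclass

# Small constructed signature table: leading bytes -> content type.
MAGIC = [
    (b"MZ", "exe"),                             # PE image, whatever the name says
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),  # Windows shell link
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),                     # also OOXML containers
]
TEXT_EXTENSIONS = {"bat": "bat", "cmd": "bat", "txt": "txt", "csv": "txt"}
ACTIVE_CONTENT = frozenset({"exe", "lnk", "bat"})  # sandbox, never CDR
MAX_NESTING = 3
MAX_MEMBER_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class Policy:
    mode: str         # "allowlist" or "blocklist" work mode
    types: frozenset  # permitted types (allowlist) or forbidden types (blocklist)

    def permits(self, kind: str) -> bool:
        if self.mode == "allowlist":
            return kind in self.types
        if self.mode == "blocklist":
            return kind not in self.types
        raise ValueError(f"unknown work mode {self.mode!r}")


@dataclass(frozen=True)
class Decision:
    action: str   # "block", "sandbox" or "cdr"
    kind: str
    reason: str


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_type(name: str, data: bytes) -> str:
    """Content first; the extension is consulted only for text formats without magic."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return TEXT_EXTENSIONS.get(_extension(name), "unknown")


def evaluate(name: str, data: bytes, policy: Policy, depth: int = 0) -> Decision:
    kind = detect_type(name, data)
    ext = _extension(name)
    note = f" (name claims .{ext})" if ext and kind not in ("unknown", ext) else ""
    if not policy.permits(kind):
        return Decision("block", kind, f"{kind} not permitted by {policy.mode}{note}")
    if kind == "zip":
        return _evaluate_container(name, data, policy, depth)
    if kind in ACTIVE_CONTENT:
        return Decision("sandbox", kind, f"active content{note}")
    return Decision("cdr", kind, "document: sanitize and reconstruct")


def _evaluate_container(name: str, data: bytes, policy: Policy, depth: int) -> Decision:
    """A container inherits the strictest decision made for any of its members."""
    if depth >= MAX_NESTING:
        return Decision("block", "zip", f"nested deeper than {MAX_NESTING} levels")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            inner = []
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:   # encrypted member: cannot be inspected
                    return Decision("block", "zip", f"{info.filename} is password-protected")
                if info.file_size > MAX_MEMBER_BYTES:
                    return Decision("block", "zip", f"{info.filename} exceeds size limit")
                inner.append(evaluate(info.filename, zf.read(info), policy, depth + 1))
    except zipfile.BadZipFile:
        return Decision("block", "zip", "malformed container")
    for action in ("block", "sandbox"):
        hit = next((d for d in inner if d.action == action), None)
        if hit is not None:
            return Decision(action, "zip", f"{name} contains {hit.kind}: {hit.reason}")
    return Decision("cdr", "zip", "container of documents: sanitize members")


def make_zip(members) -> bytes:
    """Constructed helper: build an in-memory ZIP from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members:
            zf.writestr(member_name, content)
    return buf.getvalue()


def mark_first_member_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed helper: set the encryption flag in the first central-directory
    entry so the archive presents as password-protected (no real cipher applied)."""
    data = bytearray(zip_bytes)
    data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)
```

With a block list of exe, bat and lnk, a PDF is routed to CDR, a PE image named invoice.pdf is blocked with the name mismatch recorded in the reason, an archive containing an executable is blocked as a whole, and a password-protected archive is blocked because its members cannot be inspected.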

Screenshot of FileWall’s File Type Filter.

FileWall complements Exchange Online security capabilities

As a native-level security add-on within Microsoft Exchange Online, with no SMTP relay required, FileWall doesn’t harm productivity. Consequently, all FileWall’s settings have been configured to complement existing security protocols. FileWall’s speed in processing files is near-instantaneous for common file types.

Architectural diagram displaying FileWall delivering malware-free attachments.

Learn more

odix is an industry leader in developing and optimizing CDR technology for the enterprise and small and medium business markets. odix’s flagship CDR add-on, FileWall, is available for direct purchase in the Microsoft marketplaces.

FileWall has already proven its worth in the field, providing best-in-class email protection in a broad range of IT and industrial settings. Clariter, a global clean-tech company, was seeking an additional security layer to enhance its email security systems and found FileWall the ideal solution. Read the full case study here.

To learn more about FileWall, visit our listing in the Azure Marketplace.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


The post odix and Microsoft: Protecting users against malware attacks with free FileWall license appeared first on Microsoft Security.

BlueVoyant optimizes customer security with Microsoft security services

April 1st, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA.

What a year it has been.

The rapid and unexpected transition to work from home is one of the biggest issues affecting companies of all sizes and industries in 2020. As companies now take a brief pause after the mad rush during the first half of the year, they must take an honest look at their security posture to ensure that their intellectual property, employee and customer data, applications, and infrastructure are all being protected and that plans are in place to continue doing so in the future, given many companies will operate very differently going forward.

Security teams are facing challenges they have never experienced before

The exponential growth in remote users, combined with accelerated digital transformation efforts involving migration of applications and data to the cloud, has changed and expanded the attack surface for today’s organizations. Attacks and breaches have continued to be a danger to companies throughout the pandemic. Security teams are challenged to piece together solutions to detect and eradicate threats across multiple types of environments with solutions made up of technologies from multiple vendors, many of which were only designed to operate in legacy environments preceding the cloud era. Integration complexities, a lack of qualified security resources, and an unrelenting wave of attacks from cybercriminals make securing the organization a seemingly unattainable goal.

Today’s security reality is less than ideal in many cases

BlueVoyant speaks with a lot of companies about their security technology deployment. One of the main trends found is that they have accumulated a bunch of hardware and software over the years and are trying to make use of it somehow, but at the end of the day, they struggle to get it all to work together properly. Research has shown that this situation (commonly known as “tech sprawl”) can oftentimes result in a company being more exposed to attack than it realizes, as failing to correctly integrate various pieces of hardware and software can create gaps that allow cyber attackers to get in.

In addition to dealing with tech sprawl, IT and security teams are being asked to participate in digital transformation initiatives at their companies. These initiatives almost always involve moving large amounts of applications and data to the cloud to reap the benefits of lower infrastructure costs, greater flexibility, and on-demand scalability. Legacy security technologies simply don’t work in these new cloud environments.

How do you solve this problem?

What is the solution to eliminating the pain associated with tech sprawl while also providing the security your company needs in a cloud-first world? We believe that a cloud-native, fully integrated security solution is what companies need to operate safely in today’s dangerous cyber environment. To bring our vision to life, we are adopting Microsoft security technologies to build managed solutions that extend detection and threat eradication capabilities across a customer’s entire ecosystem, leveraging tools and integrations already included with a customer’s Microsoft 365 license. Our Managed Microsoft Security Services combine the design, deployment, 24x7x365 threat detection, and over 500 proprietary detection rules—designed and built on Microsoft-powered security technology—to provide the business and technology outcomes needed by our customers.

How does integrated Microsoft security technology work?

Architectural diagram displaying integrated Microsoft security technology.

Here is an example of the integrated Microsoft security technology working together to successfully detect and eradicate a cyber threat:

  1. A phishing email is received by a user on a managed endpoint.
  2. Office 365 Security and Compliance Center provides visibility into the phishing attempt, and Defender for Office 365 Safe Links evaluates the link at the time-of-delivery to search for malicious or suspicious content. It finds nothing out of the ordinary and allows the message to be delivered to the user’s inbox. The end user opens the email and clicks the link. Defender for Office 365 again scans the link using Safe Links and finds a malicious file on the page that is linked. The user is presented with a webpage, warning them that the site may be malicious.
  3. Since the user believes the email came from someone they know, they bypass the warning message and visit the link where malware gets downloaded to their machine in the background, causing a compromise that allows for elevated access on the endpoint.
  4. Defender for Endpoint detects this and quarantines the file based on zero-day and runtime detections. It surfaces alerts that include insights into the threat and detailed information about events happening on the machine to the security team in the security operations center (SOC) dashboards.
  5. Azure Active Directory Identity Protection sends additional compromise/threat escalation data to Microsoft Cloud App Security. Threat aggregation is calculated against machine learning normalization to assess threat severity.
  6. Azure Sentinel conducts additional correlation analysis and follows a remediation playbook based on severity and aggregated threat calculation.
  7. Remediation workflows revoke the user’s multi-factor authentication (MFA) token, triggering unified endpoint management (UEM) device compliance failure to revoke access grants in Conditional Access.
  8. SOC analysts and end user compute staff confirm remediations before restoring access.
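Steps 4 to 8 of the scenario above, reduced to a small correlation and playbook engine as an added example. This is illustration code written for this article, not BlueVoyant's or Microsoft's: the three signal sources are represented by constructed records, the one-hour window and weights are assumptions, and a weighted score with a corroboration bonus stands in for the machine-learning normalization the post mentions.

```python
"""
Constructed correlation and playbook engine (illustration only). Signals
for the same user that fall within WINDOW of each other are merged into one
incident; the aggregated severity selects the remediation steps.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)             # assumed: max gap between consecutive signals
WEIGHTS = {"low": 1, "medium": 3, "high": 6}
CORROBORATION_BONUS = 2                 # assumed: per additional distinct source


@dataclass(frozen=True)
class Signal:
    source: str        # "DefenderForOffice365", "DefenderForEndpoint", "IdentityProtection"
    kind: str
    user: str
    device: str        # empty when the source is identity-only
    ts: datetime
    severity: str      # "low" | "medium" | "high"


@dataclass
class Incident:
    user: str
    signals: list

    @property
    def devices(self):
        return sorted({s.device for s in self.signals if s.device})

    @property
    def score(self) -> int:
        base = sum(WEIGHTS[s.severity] for s in self.signals)
        sources = {s.source for s in self.signals}
        return base + CORROBORATION_BONUS * (len(sources) - 1)

    @property
    def severity(self) -> str:
        if self.score >= 10:
            return "high"
        if self.score >= 4:
            return "medium"
        return "low"


def correlate(signals):
    """Group signals per user; open a new incident when the gap exceeds WINDOW."""
    incidents = []
    by_user = {}
    for s in sorted(signals, key=lambda s: s.ts):
        by_user.setdefault(s.user, []).append(s)
    for user, items in by_user.items():
        current = Incident(user, [items[0]])
        for s in items[1:]:
            if s.ts - current.signals[-1].ts <= WINDOW:
                current.signals.append(s)
            else:
                incidents.append(current)
                current = Incident(user, [s])
        incidents.append(current)
    return incidents


def playbook(incident: Incident):
    """Remediation steps keyed on aggregated severity, mirroring steps 7 and 8."""
    steps = ["record incident in SOC queue"]
    if incident.severity == "low":
        return steps
    steps.append(f"require re-authentication for {incident.user}")
    if incident.severity == "high":
        steps.append(f"revoke refresh tokens and MFA sessions for {incident.user}")
        steps += [f"mark {d} non-compliant so Conditional Access withdraws access"
                  for d in incident.devices]
        steps.append("hold restoration until SOC and endpoint staff confirm remediation")
    return steps


def constructed_signals():
    """Constructed sample: one user with three corroborating signals, then noise."""
    t0 = datetime(2021, 3, 30, 9, 0)
    return [
        Signal("DefenderForOffice365", "SafeLinksWarningBypassed", "alice", "LAPTOP-01", t0, "medium"),
        Signal("DefenderForEndpoint", "MalwareQuarantined", "alice", "LAPTOP-01", t0 + timedelta(minutes=4), "high"),
        Signal("IdentityProtection", "RiskySignIn", "alice", "", t0 + timedelta(minutes=20), "medium"),
        Signal("IdentityProtection", "RiskySignIn", "alice", "", t0 + timedelta(hours=5), "low"),
        Signal("DefenderForOffice365", "SafeLinksBlocked", "bob", "LAPTOP-02", t0, "low"),
    ]


if __name__ == "__main__":
    for inc in correlate(constructed_signals()):
        print(inc.user, inc.severity, inc.score, playbook(inc))
```

The three signals for the first user arrive within twenty minutes from three different sources, so they form one high-severity incident and trigger the token revocation and device non-compliance steps; the later risky sign-in is outside the window and opens a separate low-severity incident that is only recorded.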

Who is BlueVoyant?

BlueVoyant was co-founded in 2017 and is led by several former Fortune 500 executives and government intelligence leaders. We recruit and retain top talent from the FBI, NSA, Unit 8200, GCHQ, and from leading private sector security firms. While we’re still a young company, our expertise in delivering Managed Microsoft Security Services to our customers is already well established. For example, in the recent “Forrester Wave: Midsize Managed Security Services Providers, Q3 2020” report, we were the only company highlighted for our experience in working with Azure Sentinel.

In addition to the existing portfolio of security services we offer today, we are always on the lookout for new ways to provide increased value to our customers who prefer Microsoft-powered security services. We are excited to announce that we acquired Managed Sentinel, a company specializing in Azure Sentinel and Microsoft 365 Defender deployments. By acquiring Managed Sentinel, BlueVoyant strengthens its ability to serve Microsoft customers globally. This allows Managed Sentinel to leverage BlueVoyant’s threat intelligence and managed detection and response (MDR) capabilities, enabling both BlueVoyant and Managed Sentinel to deliver full-service offerings for Microsoft security technologies from customized deployments, ongoing maintenance, to 24/7 security operations.

According to Mandana Javaheri, Director of Business Strategy, CSG Business Development, Microsoft, “The Managed Sentinel acquisition by BlueVoyant further expands their cybersecurity services capabilities to provide customers the consultative, advisory, and implementation expertise needed to fully maximize the value and adoption of Microsoft’s security product portfolio.”

BlueVoyant is an MSSP pilot member of the Microsoft Intelligent Security Association. For more information about our extensive consulting portfolio, implementation, and managed security services, please visit our website.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post BlueVoyant optimizes customer security with Microsoft security services appeared first on Microsoft Security.

Finalists announced in second annual Microsoft Security 20/20 awards

March 11th, 2021 No comments

2020 was a transformational year. Seemingly overnight, COVID-19 reshaped our perspective on work, home life, and security. Setting up home offices and powering through online presentations in our pajama bottoms (with cameos by pets and children), our industry rose to the challenge. All that challenging work kept firstline workers, students, medical professionals, and the rest of us connected and secure through a dark year. Now as we approach a full year, we will again celebrate our colleagues in security, compliance, and identity at the second annual Microsoft Security 20/20 awards ceremony on May 12, 2021.

“The past 12 months have reshaped our industry. We’ve all been pushed to reach new heights—creating integrated security, compliance, and identity solutions that work across platforms and cloud environments. We want to recognize the partners who helped get us there by creating their own game-changing Microsoft-based solutions and services.” —Vasu Jakkal, CVP Microsoft Security, Compliance & Identity

Perspective

According to the American Optometric Association: “20/20 vision does not necessarily mean you have perfect vision, it only indicates the sharpness or clarity of vision at a distance.” Last year’s theme of “Vision and Clarity” focused on shaping Microsoft’s vision for the security ecosystem alongside our partners, but the past year has prompted all of us to have a new perspective. The last 12 months have, in a way, forced us all to step back and reexamine the solutions we offer. Our industry burned the midnight oil, retooling products to better support a new remote workplace. The Microsoft Security 20/20 awards ceremony will acknowledge our new reality and shifted viewpoint with the theme of “Perspective—Through the looking glass.”

Unlike the online meetings we all know too well, this awards show will be an immersive, digital experience, ripe with dazzling visuals and soundscapes. We’re going all-in to celebrate our finalists and winners across 18 award categories honoring the best in the security, compliance, and identity ecosystem. We promise to engage all five of your senses to get you out of that office chair (figuratively, anyway), traveling through lush forests, bright meadows, and along a breezy beach.

Everyone is welcome. In this short-but-sweet awards show, we’ll skip the speeches and double down on creativity and fun. You’re invited to watch the 90-minute event and engage with us on social media. Feel free to invite your spouse, fur baby, or favorite houseplant. Just don’t forget to snap a selfie and share it with the hashtag: #MSFTSecurity2020.

Click to register for the Microsoft Security 20/20 awards!

Security for all

Microsoft is committed to building solutions that safeguard your entire organization—delivering integrated security, compliance, identity, and management across platforms and cloud environments. We want to help our customers prioritize risks using unified management tools and strategic guidance that maximize the human experience. The Microsoft Security 20/20 awards honor partners who align with Microsoft’s focus on customer obsession and have developed innovative, integrated solutions during the past year—helping us realize our vision of security for all.

This year’s finalists

The award categories and finalists were selected by a cross-functional group within Microsoft for their excellence in innovation, integration, and customer implementation. This year, winners will be voted on by members of the Microsoft Intelligent Security Association (MISA), making this truly a celebration among peers. Each MISA member company will get one vote and winners will be announced at the event (finalists, you’ll have to watch to find out if you won!).

Security Trailblazer

Partners who drive major security-related initiatives and educate the market on how to be more secure.

Most Transformative Integration Partner

Partners that are actively building integration across the Microsoft Security portfolio, along with demonstrating leadership in driving new, differentiated integrations.

Compliance Trailblazer

Partners who further major compliance-related initiatives and educate the market on compliance risks.

Microsoft Security System Integrator of the Year

System Integrators that work closely with field sellers to close deals, integrate, and deploy Microsoft Security into customers’ environments.

Identity Trailblazer

Partners who drive major identity-related initiatives and educate the market on how to protect identities.

Microsoft Security GTM partner of the Year

Partners who complete the largest number of workshops with the highest degree of excellence.

Microsoft 365 Security Deployment Partner of the Year

Service providers that increase usage and adoption rates for Microsoft 365 security products.

SCI Advisory of the Year

Security advisory firms that are building core competencies on top of Microsoft Security solutions and acting as a trusted advisor to Microsoft customers.

Microsoft Azure Security Deployment Partner of the Year

Service providers that increase usage and adoption rates for Azure security products.

The Security Industry Changemaker

Individuals that make a standout contribution to improve the security community.

Zero Trust Champion – ISV (Independent Software Vendors)

Software vendors that increase usage and adoption rates with solutions aligned with Microsoft’s Zero Trust strategy.

Top MDR (Managed Detection and Response) Team

Managed Detection and Response teams that provide incident responses for the world’s largest customers and partner with Microsoft Security to continually improve customer security.

Zero Trust Champion – SI (Systems Integrators)

System Integrators that accelerate secure remote work and help customers accelerate their Zero Trust strategy.

Top Managed SOC (Security Operations Centers)

Security Operations Centers that provide managed security services to the world’s largest customers and partner with Microsoft to continually improve customer security.

Emerging Security ISV Disruptor

Independent Software Vendors who show growth potential and have innovative emerging capabilities.

Microsoft Security Customer Impact

Partners who have driven a significant number of customers wins and have a proven track record for customer satisfaction.

Compliance Services Innovator of the Year

Service partners that demonstrate leadership and innovation in managed compliance service scenarios.

Security ISV of the Year

Independent Software Vendors that have shown innovation and the ability to drive revenue.

Our partners in the security, compliance, and identity ecosystem continually inspire us to create stronger, more integrated solutions. Please join us in celebrating their achievements at the Microsoft Security 20/20 awards, May 12, 2021—we look forward to seeing you there!

Click to register for the Microsoft Security 20/20 awards!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Finalists announced in second annual Microsoft Security 20/20 awards appeared first on Microsoft Security.

Compliance joins Microsoft Intelligent Security Association (MISA)

March 3rd, 2021 No comments

Like many of you, I’m thrilled to have my 2020 calendar safely in the recycling pile. During that time though, you too might have noticed how, perhaps unknowingly, you were able to turn some of last year’s lemons into lemonade. Maybe you developed a deeper appreciation for everyday moments and the people in your life, gaining a new perspective on what matters most.

For my team, seeing the Microsoft Intelligent Security Association (MISA) grow to 190 partner companies has been a bright spot in a dark year. To date, MISA members have created 215 product integrations, and I’m pleased to announce that our pilot program for adding managed security service providers (MSSPs) has formally transitioned. MISA now includes 39 MSSP members who have created 76 MSSP offers since the beginning of the fiscal year.

“Microsoft Security integrates with a broad ecosystem of platforms and cloud providers, so they work with the things you already have in your environment; whether those things are from Microsoft, or not. Our partners are key to helping facilitate this integration.”—Vasu Jakkal, CVP, Security, Compliance and Identity

“Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection—reducing the day-to-day involvement of in-house security teams. It’s another important step in strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”—Shawn O’Grady, Senior Vice President and General Manager, Cloud + Data Center Transformation at Insight

Because Microsoft’s footprint extends across many technologies, we have an advantage in creating holistic solutions that encompass the full breadth of security, compliance, and identity. In keeping with that end-to-end approach, we’ve expanded MISA to include 5 new compliance products, growing the MISA product portfolio to 18.

“The explosion of data from digital transformation and remote work make the integration of security and compliance tools across internal and external ecosystems more critical than ever. Together with the deep expertise of our MISA members, we can help our customers address their complex, evolving security and compliance needs.”—Alym Rayani, General Manager, Microsoft Compliance

Compliance comes to MISA

Microsoft compliance products help our customers assess their compliance risk, protect their sensitive data, and govern it according to regulatory requirements. Through MISA, members get support in building managed services and integrations that:

  1. Protect and govern data wherever it lives.
  2. Identify and take actions on critical insider risks.
  3. Simplify compliance and reduce risk.
  4. Investigate and respond with relevant data.

“TeleMessage is excited to bring our Mobile Communication Archiving products to be a part of Microsoft’s security solutions. Being a MISA member allows us to work closely with the Microsoft teams and allows us to provide seamless, secure, and compliant integrations delivering all popular forms of mobile communication.”—Guy Levit, CEO at TeleMessage

Microsoft Information Protection has been part of MISA since the association began in 2018, providing broad coverage across devices, apps, cloud services, and on-premises systems. This year, we’re continuing to develop our holistic partner community across security, compliance, and identity by adding five additional Microsoft compliance products to our portfolio:

  • Microsoft Information Governance: Keep what you need and delete what you don’t. Apply compliance solutions and a deletion workflow for email, documents, instant messages, social media, document collaboration platforms, and more.
  • Microsoft Data Loss Prevention: Help users stay compliant without interrupting their workflow—prevent the accidental sharing of sensitive information across Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and desktop versions of Excel, PowerPoint, and Microsoft Word.
  • Microsoft 365 Insider Risk Management: Identify critical insider risks and take the appropriate action. With built-in privacy controls, use native and third-party signals to identify, investigate, and remediate malicious and inadvertent activities in your organization.
  • Microsoft Advanced eDiscovery: Gain an end-to-end workflow to collect, analyze, preserve, and export content that’s responsive to your organization’s internal and external investigations. Identify persons of interest and their data sources, then manage the legal-hold communication process.
  • Microsoft Compliance Manager: Get help throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

“Joining MISA enhances our relationship with Microsoft and our commitment to being an information governance and compliance leader providing solutions for organizations to bring third-party data into Microsoft 365 archive,” said Charles Weeden, Managing Partner of 17a-4, LLC. “DataParser’s connectors will allow Microsoft 365 Compliance users to ingest content from various sources, such as Bloomberg, Slack, Symphony, Webex Teams and many others.”

Connectors and APIs to extend compliance capabilities

Organizations today face an intimidating amount of data to protect across disparate systems, both on-premises and in the cloud. That’s why Microsoft compliance solutions span information protection and governance, data-loss prevention, insider risk, eDiscovery, audit, and compliance management—including your non-Microsoft data.

Microsoft 365 compliance enables organizations to extend, integrate, accelerate, and support their compliance solutions with three key building blocks:

All of these new capabilities exist within Microsoft’s integrated compliance platform, meaning customers need to set compliance policies only once, regardless of the data source.

“The Veritas Merge1 connector platform integration with M365 allows our joint customers to configure, connect, and capture a vast number of data sources from within the M365 compliance center. The integration makes it easy to quickly identify which data sources need to be captured, to configure connectivity to those data sources and to pull data into M365 all from within the Azure infrastructure. Our development teams have worked closely together for over 12 months to make sure the workflow is simple and the capabilities are robust. With the increase in global regulations over the past several years, our goal is to simplify compliance, and we believe we have achieved that by working together with Microsoft.”—David Scott, Sr. Director, Digital Compliance at Veritas Technologies

Microsoft Security lights the way

As the global pandemic forced millions into remote work last year, hackers took advantage and upped their game, as seen with the recent Solorigate attack. Many organizations saw their sensitive data created, viewed, and distributed across multiple fragmented platforms that increased the potential attack surface. Because we view security as part of the common good, we chose to take a proactive approach; shifting cybersecurity away from the shadows and into a place of innovation and empowerment.

“MISA has helped us promote successful integrations with Azure Security Graph API and Azure Active Directory, both now deeply embedded in Barracuda security solutions.”—Tim Jefferson, SVP Data, Networking, and Applications, Barracuda Networks

During Microsoft Ignite, March 2-4, 2021, you’ll see added investment in our security, compliance, and identity portfolio as we continue to innovate and create holistic solutions that support cultures of security for our customers and partners, based on four basic principles:

  • Protect everything: Safeguard your entire organization with integrated security, compliance, and identity solutions built to work across platforms and cloud environments.
  • Simplify the complex: Prioritize risks with unified management tools and strategic guidance created to maximize the human expertise inside your company.
  • Catch what others miss: Enable AI, automation, and human expertise to help you detect threats quickly, respond effectively, and fortify your security posture.
  • Grow your future: Gain the peace of mind that comes with a comprehensive security solution, empowering you to grow, create, and innovate across your business.

To learn more about upcoming big announcements at Microsoft Ignite this week, visit our latest blog posts:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Compliance joins Microsoft Intelligent Security Association (MISA) appeared first on Microsoft Security.

What we like about Microsoft Defender for Endpoint

February 22nd, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA 

It’s no secret that the security industry generally likes Microsoft Defender for Endpoint. After a few months of using and integrating it with our platform here at Expel, we feel the same.

On Expel’s EXE Blog, we regularly share our thought process on how we think about security operations at scale at Expel and the decision support (or additional context) we provide our analysts through automation.

In short, Defender for Endpoint makes it easy for us to achieve our standard of investigative quality and response time, but it doesn’t require a heavy lift from our analysts. And that’s good news both for our customers and for us.

So, what is Microsoft Defender for Endpoint?

Defender for Endpoint is an enterprise endpoint security product that supports Mac, Linux, and Windows operating systems, along with Android and iOS. There are lots of cool things that Defender for Endpoint does at an administrative level (such as attack surface reduction and configurable remediation). However, from our vantage point, we know it best for its detection and response capabilities.

Defender for Endpoint is unique because not only does it combine an Endpoint Detection and Response (EDR) and AV detection engine into the same product, but for Windows 10 hosts, this functionality is built into the operating system, removing the need to install an endpoint agent.

With an appropriate Microsoft license, Defender for Endpoint and Windows 10 provide out-of-the-box protection without the need to mass-deploy software or provision sensors across your fleet.

How EDR tools help us as an XDR vendor

When we integrate with an EDR product like Defender for Endpoint in support of our customers, our goal is to predict the investigative questions that an analyst will ask and then automate the action of getting the necessary data from that tool.

This frees up our analysts to make the decision—versus making them spend time extracting the right data.

We think Defender for Endpoint provides the right toolset that helps us reach that goal—and removes some burden from our analysts—thanks to its APIs.

Thanks to Defender for Endpoint’s robust APIs, we augmented its capability to provide upfront decision support to our analysts. As a result, we’re able to arm them with the answers to the basic investigative questions we ask ourselves with every alert.

To find these answers, there are a few specific capabilities of Defender for Endpoint we use that allow us to pull this information into each alert:

  • Advanced hunting database.
  • Prevalence information.
  • Detailed process logging.
  • AV actions.

This way, our analysts don’t need to worry about fiddling with the tool but instead focus on analyzing the rich data it provides.
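The decision-support pattern described above, as an added example: for one Defender for Endpoint alert about a file, answer the first investigative questions (how common is the file, what launched it, did AV already act) from API data instead of by hand. This is illustration code written for this article, not Expel's. The two endpoints and response field names (advanced hunting `run` with a `Query` body returning `Schema`/`Results`, and file `stats` returning `orgPrevalence`/`globalPrevalence`) follow Microsoft's public API reference as the author understands it and should be treated as assumptions to check against current documentation; the `detectionStatus` evidence field, the rarity thresholds, the list of document hosts and every sample response are constructed. The HTTP call itself is left to the caller.

```python
"""
Constructed decision-support helper for Defender for Endpoint alerts
(illustration only, not Expel code). Builds the API requests an analyst's
questions map to and turns the responses into an upfront triage summary.
"""
import re

API_BASE = "https://api.securitycenter.microsoft.com/api"
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")     # SHA-1 and DeviceId are 40 hex chars
RARE_IN_ORG = 5          # assumed thresholds for "rare"
RARE_GLOBALLY = 50
DOCUMENT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed


def valid_identifier(value: str) -> bool:
    return bool(HEX40.match(value or ""))


def hunting_query(device_id: str, sha1: str, hours: int = 24) -> str:
    """KQL pulling the detailed process log for one file on one device.

    Inputs are validated before interpolation so that a value lifted from an
    alert can never change the shape of the query.
    """
    if not (valid_identifier(device_id) and valid_identifier(sha1)):
        raise ValueError("device_id and sha1 must be 40 hex characters")
    return (
        "DeviceProcessEvents\n"
        f"| where Timestamp > ago({int(hours)}h)\n"
        f'| where DeviceId == "{device_id.lower()}" and SHA1 == "{sha1.lower()}"\n'
        "| project Timestamp, FileName, ProcessCommandLine, "
        "InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName\n"
        "| order by Timestamp asc"
    )


def hunting_request(query: str):
    """URL and JSON body for the advanced hunting endpoint (POST)."""
    return f"{API_BASE}/advancedhunting/run", {"Query": query}


def file_stats_url(sha1: str) -> str:
    """Prevalence endpoint for a file hash (GET)."""
    if not valid_identifier(sha1):
        raise ValueError("sha1 must be 40 hex characters")
    return f"{API_BASE}/files/{sha1.lower()}/stats"


def decision_support(alert: dict, hunting: dict, stats: dict) -> dict:
    """Pre-answer the triage questions so the analyst starts with context."""
    results = hunting.get("Results", [])
    first = results[0] if results else {}
    parent = (first.get("InitiatingProcessFileName") or "").lower()
    org = stats.get("orgPrevalence")
    glob = stats.get("globalPrevalence")
    rare = (org is not None and org <= RARE_IN_ORG
            and glob is not None and glob <= RARE_GLOBALLY)
    # AV action: assumed evidence field; Blocked/Prevented means AV already contained it
    contained = any(e.get("detectionStatus") in ("Blocked", "Prevented")
                    for e in alert.get("evidence", []))
    if contained:
        priority = "low: verify AV action, no manual response expected"
    elif rare and parent in DOCUMENT_HOSTS:
        priority = "high: rare binary spawned by a document host and not contained"
    elif rare:
        priority = "medium: rare binary not contained"
    else:
        priority = "medium: common binary, review context"
    return {
        "alert": alert.get("title"),
        "org_prevalence": org,
        "global_prevalence": glob,
        "prevalence": "rare" if rare else "common",
        "parent_process": parent or None,
        "command_line": first.get("ProcessCommandLine"),
        "executions_seen": len(results),
        "av_action": "contained" if contained else "detected only",
        "priority": priority,
    }


# Constructed sample API responses (shapes follow the reference; values invented).
SAMPLE_ALERT = {
    "title": "Suspicious process launched from Office document",
    "evidence": [{"entityType": "File", "fileName": "update.exe",
                  "sha1": "c" * 40, "detectionStatus": "Detected"}],
}
SAMPLE_HUNTING = {
    "Schema": [{"Name": "Timestamp", "Type": "DateTime"}, {"Name": "FileName", "Type": "String"}],
    "Results": [{"Timestamp": "2021-02-10T14:03:11Z", "FileName": "update.exe",
                 "ProcessCommandLine": "update.exe /silent",
                 "InitiatingProcessFileName": "WINWORD.EXE",
                 "InitiatingProcessCommandLine": "WINWORD.EXE /n report.docm",
                 "AccountName": "jdoe"}],
}
SAMPLE_STATS = {"sha1": "c" * 40, "orgPrevalence": 1, "globalPrevalence": 3,
                "orgFirstSeen": "2021-02-10T14:03:11Z", "topFileNames": ["update.exe"]}
```

Run against the constructed responses, the summary tells the analyst that the file is rare both in the organization and globally, that it was launched by a word processor, and that AV only detected it, so the alert lands with a high priority and the context already attached; the same alert with a Blocked evidence status drops to a verification task.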

Check out a real-life example of how Expel analysts use Defender for Endpoint to triage an alert on behalf of a customer.

Defender for Endpoint helps reduce our alert-to-fix time

The decision support—or additional context about an alert—that Defender for Endpoint enables us to generate is powerful because it allows us to become specialists at analysis rather than specialists of a specific technology.

Defender for Endpoint provides a platform that allows our analysts to quickly and accurately answer important questions during an investigation.

Most importantly, though, having these capabilities mirrored in the API allowed us to build on top of the Defender for Endpoint platform and be more efficient in providing high-quality detection and response.

And that’s a win-win for both Expel and our customers.

Learn more

To learn more about Expel, visit our listing on the Azure Marketplace.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post What we like about Microsoft Defender for Endpoint appeared first on Microsoft Security.

Automating and operationalizing data protection with Dataguise and Microsoft Information Protection

February 4th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA

In technical literature, the terms data discovery, classification, and tagging are sometimes used interchangeably, but there are real differences in what they actually mean—and each plays a critical role in an enterprise data protection strategy.

Data discovery is the process of reporting information about the sensitivity of a data object. The granularity of reporting typically includes what type of sensitive information is found, exactly where it is found, along with the exact cardinality of sensitive data elements. Data classification is the association of a label, which typically has some business value, to an object (file or a table). Classification is often stored as metadata in a separate system or an external data catalog and enables downstream usage of a data object based on security or privacy policies. Data tagging (labeling) is the application of an actual label (or classification) to the associated object.

The important thing to note here is that data discovery is always foundational to a data protection strategy. Classification and tagging depend on accurate discovery to drive the appropriate method of protection, which will ultimately depend on the consumption or utilization and privacy requirements for the data. The more comprehensive and efficient (automated and integrated) the data discovery, the more effective and cost-effective the data protection.

Dataguise and Microsoft Information Protection: Better together

Now, you probably know that Microsoft Information Protection is a comprehensive suite of services and features that Microsoft offers for its customers to classify, label, and protect data. Microsoft Information Protection forms the core of many enterprise data protection strategies.

Dataguise is a sensitive data discovery and protection software that now integrates with Microsoft Information Protection. More specifically, it performs context-aware discovery of structured, unstructured, and semi-structured data, and can use the results of that discovery to report on data classification, tag data with Microsoft Information Protection-readable labels, and protect sensitive data either natively—via innumerable methods of masking, encryption, and monitoring—or by integrating with Microsoft Information Protection or a third-party data protection solution. It’s a highly scalable solution that relies on machine learning and other heuristics to allow for efficient, accurate data discovery in multi-petabyte, hybrid environments.

With Dataguise, discovery can be done at several levels to meet various risk, compliance, or data governance goals; but there are two kinds of discovery that are of particular interest here, and it’s important to distinguish them:

  1. Discovery of personal information and other sensitive data: This is the process of finding and reporting data governed by PII, PCI, PHI, and any similar policy, where all sensitive data needs to be discovered but not associated with an individual. Such requirements are typically driven by industry security standards or regulations.
  2. Identity-based data discovery: This is the process of finding and reporting data specifically related to an individual. The contents of the report may or may not be useful for directly identifying the associated individual, but the entirety of a report constitutes the breadth of information that an enterprise possesses about the given data subject. Identity-based discovery is typically driven by recent data privacy laws like GDPR in the EU, CCPA in California, and LGPD in Brazil.

A data protection strategy that takes both types of discovery into account, and incorporates technologies to perform them accurately, efficiently, and comprehensively, can add value not only for information security or privacy teams but for risk, compliance, governance, analytics, marketing, and IT operations teams as well. When you think of all the ways an organization collects, uses, shares, and stores data across the enterprise, more granular visibility leads to more precise control and, therefore, greater business flexibility and agility to maximize data value.

Ultimately, Dataguise complements Microsoft Information Protection capabilities, making the combination extremely useful for the customer.

The discovery synergy: Dataguise augments Microsoft Information Protection scanning capabilities

Dataguise’s real strength lies in the fact that it can discover and report sensitive and personal data across relational databases, NoSQL databases, Hadoop, file shares, cloud stores like ADLS, S3, and GCS, and over 200 different cloud-based applications. Dataguise can therefore extend Microsoft Information Protection’s scanning coverage to structured and unstructured data stored outside Microsoft products, in the platforms listed above. This is a game-changer, as Microsoft Information Protection can now be used to tag all co-located sensitive and personal data on all co-located platforms.

The protection synergy: Dataguise enhances downstream data protection capabilities for Microsoft Information Protection

Dataguise uses Microsoft Information Protection’s SDK to seamlessly integrate discovery with Microsoft Information Protection’s tagging capability. Whether the tags power DLP, access control, or encryption and decryption solutions, Dataguise can team up with Microsoft Information Protection, either natively or by leveraging a third-party solution, to create an end-to-end data protection strategy and automated implementation.

So how does this all work?

The integration is seamless and starts with defining the tags in Microsoft Information Protection. Then, each tag is mapped to one sensitive element or a combination of them, either out-of-the-box or custom-defined in Dataguise. As Dataguise runs its discovery scans, it uses that mapping to report the tags corresponding to each file it has scanned. Then, using the Microsoft Information Protection SDK, these tags are applied to the corresponding file. Dataguise discovery is context-aware and based on machine learning, which benefits Microsoft Information Protection by tagging files accurately and at scale. The figure below shows the flow:

An infographic that shows the flow of context-aware discovery based on machine learning.
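The flow above, kept as three distinct steps in the sense the post defines them (discovery reports type, location and cardinality; classification maps a label to the object; tagging applies it), as an added example that is not Dataguise's or Microsoft's code. The regular-expression detectors are a stand-in for Dataguise's context-aware, machine-learning discovery, the `apply_label` function is a hypothetical hook where the Microsoft Information Protection SDK call would go, and the sample files, label names and label ids are constructed placeholders.

```python
"""Discovery, classification, and tagging as three separate steps (added example).

(1) labels are defined in the labeling system, (2) each label is mapped to a
combination of sensitive element types, (3) a discovery scan reports element
type, location and cardinality per file, (4) the mapping turns that report into
one classification, (5) a tagging step applies the label to the file.
Regexes stand in for ML discovery; apply_label is a hypothetical SDK hook.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (1) Labels as defined in the labeling system. The ids are placeholders.
LABELS: Dict[str, str] = {
    "Highly Confidential": "00000000-0000-0000-0000-000000000001",
    "Confidential": "00000000-0000-0000-0000-000000000002",
    "General": "00000000-0000-0000-0000-000000000003",
}

# (2) Label -> element types that trigger it, most sensitive first; the empty
#     set is the default label when nothing sensitive is found.
LABEL_RULES: List[Tuple[str, Set[str]]] = [
    ("Highly Confidential", {"SSN", "CREDIT_CARD"}),
    ("Confidential", {"EMAIL"}),
    ("General", set()),
]

# Detectors: element type -> pattern (stand-in for context-aware ML discovery).
DETECTORS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CREDIT_CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


@dataclass(frozen=True)
class Finding:
    element_type: str
    line: int
    column: int


def luhn_ok(digits: str) -> bool:
    """Context check: a 16-digit run that fails Luhn is not reported as a card."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def discover(text: str) -> List[Finding]:
    """(3) Discovery: report what was found and exactly where."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for etype, pat in DETECTORS.items():
            for m in pat.finditer(line):
                if etype == "CREDIT_CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue
                findings.append(Finding(etype, lineno, m.start() + 1))
    return findings


def classify(findings: List[Finding]) -> str:
    """(4) Classification: map the discovered element types to one label."""
    present = {f.element_type for f in findings}
    for label, triggers in LABEL_RULES:
        if not triggers or present & triggers:
            return label
    return "General"


def apply_label(path: str, label: str) -> Tuple[str, str]:
    """(5) Tagging hook (hypothetical): a real integration would call the
    labeling SDK here; this example records the intended (file, label id)."""
    return (path, LABELS[label])


def scan_files(files: Dict[str, str]) -> Dict[str, dict]:
    """Run discovery, classification and tagging over an in-memory file set."""
    report: Dict[str, dict] = {}
    for path, text in files.items():
        findings = discover(text)
        label = classify(findings)
        report[path] = {
            "cardinality": {t: sum(1 for f in findings if f.element_type == t)
                            for t in DETECTORS},
            "locations": [(f.element_type, f.line, f.column) for f in findings],
            "label": label,
            "tag_applied": apply_label(path, label),
        }
    return report


SAMPLE_FILES = {  # constructed content, not real data
    "hr/payroll.csv": "name,ssn\nA. Person,123-45-6789\nB. Person,987-65-4321\n",
    "sales/leads.txt": "contact: someone@example.com\norder 1234 5678\n",
    "eng/readme.md": "Build with make. Ticket 1234 5678 9012 3456 is not a card.\n",
}

if __name__ == "__main__":
    for path, entry in scan_files(SAMPLE_FILES).items():
        print(path, entry["label"], entry["cardinality"], entry["locations"])
```

The separation matters operationally: the discovery report (with locations and counts) is what an auditor or a privacy request needs, the classification is what a downstream DLP or access policy keys on, and the tagging step is the only part that touches the file, so it can be retried or routed to a different labeling backend without re-scanning.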

Dataguise and Microsoft Information Protection bring a powerful combination of capabilities to any data protection strategy and implementation. The joint value of this integration lies in the fact that Dataguise can cover a broad range of platforms for discovery, and then leverage Microsoft Information Protection labeling to enable downstream data protection. Intelligent and context-aware data discovery is foundational to data protection, and with accurate optics, enterprise-wide implementation of comprehensive and automated data protection policies can be achieved.

For more information about the Dataguise Sensitive Data Discovery and Protection solution, please visit www.dataguise.com. You can also find Dataguise on the Azure Marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Automating and operationalizing data protection with Dataguise and Microsoft Information Protection appeared first on Microsoft Security.