Archive

Archive for the ‘Ciso series page’ Category

Afternoon Cyber Tea: Learn how to stop misinformation threats from nation-state bad actors

September 13th, 2021 No comments

Information has long been wielded as an instrument of national power and influence. In today’s digital world, misinformation can also be just as powerful.

On a special episode of Afternoon Cyber Tea with Ann Johnson, Sandra Joyce, Executive Vice President and Head of Mandiant Intelligence at FireEye joined me to talk about threat attribution and accountability when it comes to the use of technology by bad actors to help spread misinformation.

As a US Air Force Reserve officer and faculty member at the National Intelligence University with four master’s degrees in cyber policy, international affairs, science and technology intelligence, and military operational art and science, Sandra is an expert in understanding how nation-state actors leverage traditional and social media channels to erode confidence in free and fair elections. Sometimes, those bad actors will use these core values, such as freedom of speech, against us, according to Sandra. For instance, she recounts the story of a foreign group that used those values against the US by fabricating letters from concerned citizens to be published in US newspapers.

In this powerful episode, Sandra discusses how threat actors are adopting new threat techniques—shifting from signature malware to commodity malware—and pivoting to smaller malware families that they hope will be overlooked by cybersecurity professionals. That combination will make it harder to detect threats amid the noise. She recommends that organizations research threats and undertake a threat profile on themselves to learn their vulnerabilities and the biggest threats that could target them. That can shape priorities. Using the metaphor of bank robbers, she says it’s not so hard to rush the guards in a building but is hard to learn the location of the safe, get the combination to the safe, and escape undetected. The latter is where the bulk of business intrusion happens. Companies need to root out threats in that lateral stage.

During our conversation, we also spoke about threat intelligence and what’s involved in threat actor attribution. After recognizing a cluster of threat activity, there’s a lot of work required to identify which organization or country is behind the threat. It usually takes months to collect information about the threat’s techniques, infrastructure, and command and control (C2) channel, which is the channel a threat actor uses to commandeer an individual host or to control a botnet of millions of machines. For years, FireEye’s Mandiant Threat Intelligence team has been tracking financial crime group Fin11, which deploys point-of-sale malware targeting the financial, retail, restaurant, and pharmaceutical industries. Both technical indicators and the targeting information prove useful in these investigations, in part as you learn about the bad actors’ intentions. To learn what organizations can do to combat threats, listen to Afternoon Cyber Tea with Ann Johnson: Taking a “when, not if” approach to cybersecurity on Apple Podcasts or PodcastOne.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson launches this October 2021 on The CyberWire! In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • PodcastOne: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Learn how to stop misinformation threats from nation-state bad actors appeared first on Microsoft Security Blog.

Categories: CISO, Ciso series page, cybersecurity Tags:

Why diversity is important for a strong cybersecurity team

September 9th, 2021 No comments

Medicine. Aeronautics. Academia. When you’re a cybersecurity professional, the colleague next to you could have started in one of these industries—or just about any other you can imagine. The backgrounds of cybersecurity professionals are more diverse than those of professionals in other industries. And because cybersecurity as an industry is so new, these professionals likely didn’t study security in school either. That includes LinkedIn’s Chief Information Security Officer (CISO) Geoff Belknap, who graduated college with a business degree. I hosted Geoff on a recent episode of Security Unlocked with Bret Arsenault to talk about strategies for recruiting cybersecurity talent and for solving the cybersecurity skills gap.

Strengthen your cybersecurity team through diversity

Geoff, who joined LinkedIn in 2019, leads the organization’s internal security teams in building a safe, trusted, and professional platform. He brings more than 22 years of experience in network architecture and security leadership to his role at LinkedIn. He previously was the CISO at Slack, where he built the security organization from the ground up, including laying the groundwork for Slack’s production incident management process. He earned a Bachelor of Science degree in Business Management at Western Governors University. One of his favorite things about cybersecurity is that it’s a multi-disciplinary and inter-disciplinary practice where people from different specialties, including business and other non-technical backgrounds, can contribute.

One of cybersecurity’s much-discussed biggest challenges is the skills gap. The cybersecurity industry is projected to triple year-over-year through 2022, but the shortage of cybersecurity professionals is in the millions globally, according to an article in The CyberWire1. The skills gap is caused, in part, because the industry is relatively new and people don’t receive training on how to work in cybersecurity, according to Geoff. If a company wants to interview 10 candidates with 20 years of experience for a cloud security engineer role, it could be waiting for a very long time.

He recommends that organizations expand their idea of the right person for an open cybersecurity position. Stop thinking that the only person that is right for a role in cybersecurity majored in cybersecurity in college and that a principal-level network security cloud architect will be an expert in all three cloud platforms. Instead, consider people who can process and analyze a collection of information, understand your company’s technology, and understand what the organization is trying to accomplish and the tools available. Inquisitive people who are passionate about problem-solving can grow into a cybersecurity position and become effective contributors to the organization. By investing in people with useful raw skills and developing their cybersecurity skills, organizations fill roles and add valuable diverse perspectives to their cybersecurity teams.

Once you fill those cybersecurity roles, retaining employees is critical. The secret to that is always company culture, Geoff said. Compassion and empathy are not only good traits to adopt but also essentials for an organization wanting to attract and retain the best talent. Authentic organizations care about their people and recognize that they need time outside work. After all, psychologically healthy people are the best asset for any organization.

During our conversation, Geoff also shared his appreciation for the Zero Trust approach because it reinforces the idea that there is no safe haven. Security is a thought process rather than an end goal you can attain. Acknowledging that there is no castle where you can lock away your data and keep it safe makes you rethink your production environment and your risk assessment. That’s a powerful realization because it puts you on a path to explore why things aren’t as secure as they should be, according to Geoff. To learn why he thinks cybersecurity professionals from nontraditional career paths can be especially successful in a Zero Trust environment, listen to Building a Stronger Security Team on The CyberWire.

What’s next

In this important cyber series, I talk with cybersecurity peers and Microsoft leaders about today’s biggest challenges in cybersecurity and practical guidance for security practitioners.

You can listen to Security Unlocked with Bret Arsenault on:

  • Apple Podcasts, Amazon Music, Google Podcasts, and Spotify. You can also download the episode by clicking The CyberWire link below.
  • The CyberWire: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics, such as building a security team and securing hybrid work.

To learn more, visit our website. In the meantime, bookmark the Security blog to keep up with our coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1Understanding the cybersecurity skills gap and how education can solve it, Ingrid Toppelberg, The CyberWire, 19 April 2021.

The post Why diversity is important for a strong cybersecurity team appeared first on Microsoft Security Blog.

Categories: CISO, Ciso series page, cybersecurity Tags:

How Vodafone Global Security Director creates an inclusive and secure workplace

August 23rd, 2021 No comments

Moving to more flexible remote work policies has caused telecommunications giant Vodafone to rethink cybersecurity and the potential friction to users. Instead of relying on physical security controls in the office, the company has embraced a Zero Trust strategy that requires authenticating everyone before granting access. I hosted Emma Smith on a recent episode of Security Unlocked: CISO Series with Bret Arsenault to talk about Vodafone’s cybersecurity approach and the importance of workplace inclusion.

The importance of employee inclusion and security

When employees don’t feel included, they’re not going to do their best work, according to Emma, who is Vodafone’s Global Cybersecurity Director. She believes it’s up to managers, supervisors, and global security directors to create a workplace where everyone feels heard.

Emma recalls attending her first industry event after taking over as Chief Information Security Officer at Royal Bank of Scotland in 2011. She was one of only six women out of 120 people in the room. That experience made her personally aware of how important it is to feel included and she said workplace inclusion is a subject she holds close to her heart. Vodafone focuses on diversity and inclusion and on how to hire, retain, and progress people of different backgrounds, ethnicities, genders, and ages.

Besides looking out for employees on the issue of inclusion, companies should protect them from security threats. One consistent cybersecurity message from employees—as well as from customers and security teams—is that passwords are extremely frustrating, according to Emma. Because of people’s strong views on passwords, Vodafone has been on a mission to remove them from its environments entirely and instead use secure, simple multifactor authentication. It’s an objective that also comes from knowing there’s one group that loves passwords: cybercriminals. Switching to multifactor authentication can help remove them from the equation by eliminating a favorite way to sneak into a network.

To fight cyber threats, it’s important that threat intelligence teams collaborate with colleagues from different companies to share information on threats and prevention strategies. Fighting as one security community is far more powerful than trying to do it on our own, Emma explains.

During our conversation, Emma also shared her thoughts on the benefits of cloud and secure developer operations (DevSecOps) in cybersecurity and offered four cybersecurity strategies that security practitioners should implement immediately to secure employees, data, and devices. One of them? Don’t get so distracted by new and shiny cybersecurity techniques that you forget security basics. To hear details of this strategy and learn about the other three strategies, listen to Leading an Inclusive Workforce on The CyberWire.

Guest bio

Emma Smith is Global Cybersecurity Director at Vodafone. She began her career in auditing. She worked for two years at Royal Bank of Scotland as Head of Internal Audit, Technology, before taking roles at the bank as Head of Group Information Security, Records and Payments Security, Chief Information Security Officer, and Director of Security and Resilience.

Bret Arsenault bio

Bret Arsenault is Corporate and Chief Information Security Officer at Microsoft, where he’s responsible for enterprise-wide information security, compliance, and business continuity efforts. He has more than 25 years of cybersecurity experience. He is Chairman of Microsoft’s Information Risk Management Council and hosts Microsoft’s Security Council.

What’s next

In this podcast series, I talk with cybersecurity peers and Microsoft leaders about today’s biggest challenges in cybersecurity and practical guidance for security practitioners. To learn more, visit our website. In the meantime, bookmark the Security blog to keep up with our coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

You can listen to “Security Unlocked: CISO Series with Bret Arsenault” on:

The post How Vodafone Global Security Director creates an inclusive and secure workplace appeared first on Microsoft Security Blog.

Categories: CISO, Ciso series page, cybersecurity Tags:

Afternoon Cyber Tea: Microsoft’s cybersecurity response to COVID-19

June 15th, 2021 No comments

On February 25, 2020, Microsoft Chief Information Security Officer (CISO) Bret Arsenault was attending the RSA Conference in San Francisco when the city declared a state of emergency because of COVID-19. Shortly after flying back to Seattle, Bret learned of the first death from the coronavirus in Washington state. He and other members of Microsoft’s Risk Management Council worked on the company’s crisis response. To kick off National Cybersecurity Awareness Month, I spoke with Bret Arsenault on a recent episode of Afternoon Cyber Tea with Ann Johnson.

As CISO, Bret is responsible for disaster recovery at the enterprise level. He is the chair of Microsoft’s Risk Management Council and has directed Microsoft’s crisis management in the wake of COVID-19. It responds to 30 crises a year, with life safety the highest priority, followed by customers and Microsoft. The council focuses on preparation for four types of disaster and crisis recovery: planned acts (such as weather storms), unplanned acts (such as natural disasters), illegal attacks, and pandemics. Cyberattacks typically fall under illegal attacks. Certain events, such as the Olympics and elections, tend to draw out opportunistic bad actors more than others because people are more vulnerable to social engineering attacks.

Similarly, the pandemic and the social unrest in the United States have made people more susceptible to phishing scams and other cyberattacks. Before the pandemic, cybersecurity incidences had doubled every year for five years. During the pandemic, opportunistic campaigns, including a huge increase in human-operated ransomware attacks, have emerged because of people’s social engineering vulnerability. The number of phishing scams hasn’t changed much, however, the approach has shifted to mimicking health information sites and other pandemic-related schemes. Because more people are working from home, there’s been a big increase in bad actor campaigns targeting desktop protocol.

During our conversation, we also spoke about how to build a disaster recovery program and how moving to a Zero Trust security model helped Microsoft respond more agilely to the new security threats created by the pandemic. Over the past year, that approach has meant making sure all devices are managed, requiring multifactor authentication, figuring out how productivity apps work in a distributed way, and moving all meetings to Microsoft Teams. Microsoft also prioritized service monitoring and user identity and access.

Despite all the planning, there have been surprises, such as realizing that eight-hour all-hands meetings aren’t effective when online and that moving all meetings online creates a level playing field for employees. To learn what cybersecurity steps to take when your entire workforce is remote, listen to Afternoon Cyber Tea with Ann Johnson: Working Through It: Operational Resilience in the Face of Disaster on Apple Podcasts or PodcastOne.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson launches today featuring Admiral (RET) Mike Rogers, Former Head of United States Cyber Command, discussing the recent cyberattacks on the US supply chain and what we can do to stop them! Check out new episodes every Tuesday. In this important cyber series, Ann will talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

“It isn’t just about technology. Never forget the human dynamic in all this. Again, I used to say this to our nation’s leadership, “Sir, you can write the biggest check in the world and it still won’t be enough. We can’t solve this by just throwing money at the problem.” Put another way, we can have the greatest technology with the highest level of investment, but if we don’t have a smart user community, that makes smart choices, that’s part of our strategy…. It’ll be totally undermined everyday by bad choices that our users are making.” – Admiral (RET) Michael Rogers, Former Head of United States Cyber Command

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • PodcastOne: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Microsoft’s cybersecurity response to COVID-19 appeared first on Microsoft Security Blog.

Categories: CISO, Ciso series page, cybersecurity Tags:

Afternoon Cyber Tea: Microsoft’s cybersecurity response to COVID-19

June 15th, 2021 No comments

On February 25, 2020, Microsoft Chief Information Security Officer (CISO) Bret Arsenault was attending the RSA Conference in San Francisco when the city declared a state of emergency because of COVID-19. Shortly after flying back to Seattle, Bret learned of the first death from the coronavirus in Washington state. He and other members of Microsoft’s Risk Management Council worked on the company’s crisis response. To kick off National Cybersecurity Awareness Month, I spoke with Bret Arsenault on a recent episode of Afternoon Cyber Tea with Ann Johnson.

As CISO, Bret is responsible for disaster recovery at the enterprise level. He is the chair of Microsoft’s Risk Management Council and has directed Microsoft’s crisis management in the wake of COVID-19. It responds to 30 crises a year, with life safety the highest priority, followed by customers and Microsoft. The council focuses on preparation for four types of disaster and crisis recovery: planned acts (such as weather storms), unplanned acts (such as natural disasters), illegal attacks, and pandemics. Cyberattacks typically fall under illegal attacks. Certain events, such as the Olympics and elections, tend to draw out opportunistic bad actors more than others because people are more vulnerable to social engineering attacks.

Similarly, the pandemic and the social unrest in the United States have made people more susceptible to phishing scams and other cyberattacks. Before the pandemic, cybersecurity incidences had doubled every year for five years. During the pandemic, opportunistic campaigns, including a huge increase in human-operated ransomware attacks, have emerged because of people’s social engineering vulnerability. The number of phishing scams hasn’t changed much, however, the approach has shifted to mimicking health information sites and other pandemic-related schemes. Because more people are working from home, there’s been a big increase in bad actor campaigns targeting desktop protocol.

During our conversation, we also spoke about how to build a disaster recovery program and how moving to a Zero Trust security model helped Microsoft respond more agilely to the new security threats created by the pandemic. Over the past year, that approach has meant making sure all devices are managed, requiring multifactor authentication, figuring out how productivity apps work in a distributed way, and moving all meetings to Microsoft Teams. Microsoft also prioritized service monitoring and user identity and access.

Despite all the planning, there have been surprises, such as realizing that eight-hour all-hands meetings aren’t effective when online and that moving all meetings online creates a level playing field for employees. To learn what cybersecurity steps to take when your entire workforce is remote, listen to Afternoon Cyber Tea with Ann Johnson: Working Through It: Operational Resilience in the Face of Disaster on Apple Podcasts or PodcastOne.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson launches today featuring Admiral (RET) Mike Rogers, Former Head of United States Cyber Command, discussing the recent cyberattacks on the US supply chain and what we can do to stop them! Check out new episodes every Tuesday. In this important cyber series, Ann will talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

“It isn’t just about technology. Never forget the human dynamic in all this. Again, I used to say this to our nation’s leadership, “Sir, you can write the biggest check in the world and it still won’t be enough. We can’t solve this by just throwing money at the problem.” Put another way, we can have the greatest technology with the highest level of investment, but if we don’t have a smart user community, that makes smart choices, that’s part of our strategy…. It’ll be totally undermined everyday by bad choices that our users are making.” – Admiral (RET) Michael Rogers, Former Head of United States Cyber Command

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • PodcastOne: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Microsoft’s cybersecurity response to COVID-19 appeared first on Microsoft Security Blog.

Categories: CISO, Ciso series page, cybersecurity Tags:

Afternoon Cyber Tea: Cybersecurity challenged to meet diversity goals

June 3rd, 2021 No comments

Organizations often know they need to identify and address their cybersecurity blind spots. They also know the technology exists to help them do that. However, they don’t often understand how to communicate this need within their organization to justify the expense, nor do they know how to share with employees how they may be impacted.

When I spoke with Jules Okafor on an episode of Afternoon Cyber Tea with Ann Johnson, she shared how she has seen many cybersecurity projects fail not because of the technology put in place, but rather, the organization’s inability to communicate responsibilities or the expected results. One of the biggest pitfalls is the result of a very good intention when a new technology is excitedly implemented before developing a process.

Jules Okafor, JD, is the Founder and CEO of RevolutionCyber, a full-service privacy information security awareness and marketing communications firm, and the former Senior Vice President of Global Security Solutions for Fortress Information Security. Jules also advocates for greater diversity and inclusion in the cybersecurity industry. During our discussion, she shared how she believes the industry has been insulated from discussions about race because the focus has been on protecting companies from cyberattacks without the lens of futureproofing against biases. Companies can and should be doing more, including sharing examples of technology bias with the public, assessing their own practices to check for unintended bias, and listening when employees approach management and human resources with concerns. Many accomplished women and people of color are leaving the industry because they don’t feel heard.

In the real world, bias and racism are costing people their lives. In the online world, bias in technologies, like facial recognition software, can be detrimental. While on a recent Slack channel conversation where a participant mentioned a product that promised to let you undertake diversity and inclusion work via text message, she thought, “This is the problem.” This experience suggests that people are trying to automate complex, multi-generational problems to satisfy compliance. Until his death, civil rights activist and leader John Lewis was all-in when it came to fighting racial injustice and bias. Until people in the cybersecurity industry are all-in to that extent, there won’t be much change.

During our conversation, we also spoke about how a Craigslist post started her cybersecurity career and strategies to effectively sell cybersecurity solutions. One aspect of her job she especially enjoys is making the technical understandable to non-technical people. This can be a missing piece for some technology companies, too. Many are overly focused on building tools rather than on addressing business challenges. Most successful cybersecurity is invisible to most people, so purchasing technology becomes a tangible way to justify their role. To learn steps to take that show your company cares about becoming more diverse and solving business problems, listen to Afternoon Cyber Tea with Ann Johnson: Fortifying security strategies with a cyber mindset on Apple Podcasts or Podcast One.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson will launch on June 15, 2021. In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Cybersecurity challenged to meet diversity goals appeared first on Microsoft Security.

Categories: CISO, Ciso series page, cybersecurity Tags:

Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective

February 24th, 2021 No comments

In part two of this blog series on aligning security with business objectives and risk, we explored the importance of thinking and acting holistically, using the example of human-operated ransomware, which threatens every organization in every industry. As we exited 2020, the Solorigate attack highlighted how attackers are continuously evolving. These nation-state threat actors used an organization’s software supply chain against them, with the attackers compromising legitimate software and applications with malware that installed into target organizations.

In part three of this series, we will further explore what it takes for security leaders to pivot their program from looking at their mission as purely defending against technical attacks to one that focuses on protecting valuable business assets, data, and applications. This pivot will enable business and cybersecurity leaders to remain better aligned and more resilient to a broader spectrum of attack vectors and attacker motivations.

What problem do we face?

First, let’s set a quick baseline on the characteristics of human-operated cyberattacks.

This diagram depicts commonalities and differences between for-profit ransomware and espionage campaigns:

diagram showing commonalities and differences between for-profit ransomware and espionage campaigns

Figure 1: Comparison of human-operated attack campaigns.

Typically, the attackers are:

  • Flexible: Utilize more than one attack vector to gain entry to the network.
  • Objective driven: Achieve a defined purpose from accessing your environment. This could be specific to your people, data, or applications, but you may also just fit a class of targets like “a profitable company that is likely to pay to restore access to their data and systems.”
  • Stealthy: Take precautions to remove evidence or obfuscate their tracks (though at different investment and priority levels, see figure one)
  • Patient: Take time to perform reconnaissance to understand the infrastructure and business environment.
  • Well-resourced and skilled in the technologies they are targeting (though the depth of skill can vary).
  • Experienced: They use established techniques and tools to gain elevated privileges to access or control different aspects of the estate (which grants them the privileges they need to fulfill their objective).

There are variations in the attack style depending on the motivation and objective, but the core methodology is the same. In some ways, this is analogous to the difference between a modern electric car versus a “Mad Max” style vehicle assembled from whatever spare parts were readily and cheaply available.

What to do about it?

Because human attackers are adaptable, a static technology-focused strategy won’t provide the flexibility and agility you need to keep up with (and get ahead of) these attacks. Historically, cybersecurity has tended to focus on the infrastructure, networks, and devices—without necessarily understanding how these technical elements correlate to business objectives and risk.

By understanding the value of information as a business asset, we can take concerted action to prevent compromise and limit risk exposure. Take email, for example, every employee in the company typically uses it, and the majority of communications have limited value to attackers. However, it also contains potentially highly sensitive and legally privileged information (which is why email is often the ultimate target of many sophisticated attacks). Categorizing email through only a technical lens would incorrectly categorize email as either a high-value asset (correct for those few very important items, but impossible to scale) or a low-value asset (correct for most items, but misses the “crown” jewels in email).

Business-centric security.

Figure 2: Business-centric security.

Security leaders must step back from the technical lens, learn what assets and data are important to business leaders, and prioritize how teams spend their time, attention, and budget through the lens of business importance. The technical lens will be re-applied as the security, and IT teams work through solutions, but looking at this only as a technology problem runs a high risk of solving the wrong problems.

It is a journey to fully understand how business value translates to technical assets, but it’s critical to get started and make this a top priority to end the eternal game of ‘whack-a-mole’ that security plays today.

Security leaders should focus on enabling this transformation by:

  1. Aligning the business in a two-way relationship:
  • Communicate in their language: explain security threats in business-friendly language and terminology that helps to quantify the risk and impact to the overall business strategy and mission.
  • Participate in active listening and learning: talk to people across the business to understand the important business services and information and the impact if that were compromised or breached. This will provide clear insight into prioritizing the investment in policies, standards, training, and security controls.
  1. Translating learnings about business priorities and risks into concrete and sustainable actions:
  • Short term focus on dealing with burning priorities:
    • Protecting critical assets and high-value information with appropriate security controls (that increases security while enabling business productivity)
    • Focus on immediate and emerging threats that are most likely to cause business impact.
    • Monitoring changes in business strategies and initiatives to stay in alignment.
  • Long term set direction and priorities to make steady progress over time, to improve overall security posture:
    • Zero Trust: Create a clear vision, strategy, plan, and architecture for reducing risks in your organization aligned to the zero trust principles of assuming breach, least privilege, and explicit verification. Adopting these principles shifts from static controls to more dynamic risk-based decisions that are based on real-time detections of anomalous behavior irrespective of where the threat derived.
    • Burndown technical debt as a consistent strategy by operating security best practices across the organization such as replacing password-based authentication with passwordless and multi-factor authentication (MFA), applying security patches, and retiring (or isolating) legacy systems. Just like paying off a mortgage, you need to make steady payments to realize the full benefit and value of your investments.
    • Apply data classifications, sensitivity labels, and role-based access controls to protect data from loss or compromise throughout its lifecycle. While these can’t completely capture the dynamic nature and richness of business context and insight, they are key enablers to guide information protection and governance, limiting the potential impact of an attack.
  1. Establishing a healthy security culture by explicitly practicing, communicating, and publicly modeling the right behavior. The culture should focus on open collaboration between business, IT, and security colleagues and applying a ‘growth mindset’ of continuous learning. Culture changes should be focused on removing siloes from security, IT, and the larger business organization to achieve greater knowledge sharing and resilience levels.

You can read more on Microsoft’s recommendations for security strategy and culture here.

In the next blog of the series, we will explore the most common attack vectors, how and why they work so effectively, and the strategies to mitigate evolving cybersecurity threats.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective appeared first on Microsoft Security.

Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic

February 16th, 2021 No comments

Cybersecurity professionals find themselves in high demand as organizations worldwide continue to grapple with how to secure millions of remote workers. James Turner is an industry analyst at CISO Lens and served as an adjudicator from 2017 to 2019 for the Australian government’s cyber war games: Operation Tsunami. In this episode of Afternoon Cyber Tea, James and I talk about how the COVID-19 pandemic has accelerated the critical need for cooperation across the cybersecurity industry, as well as the need for strengthening communication between governments and private organizations.

Our discussion really examines how the pandemic has pushed organizations toward greater cost efficiencies and a new mainstreaming of cybersecurity—democratizing the language and tools to make it part of everyone’s “9 to 5” experience.

“Everyone has a plan until they get hit in the face,” as James puts it. “Ransomware is off the hook—one organization just got hit with a 10 million dollar ransom. That’s more than the average Australian or New Zealand organization spends on security in a year.”

If the old saying that every crisis presents an opportunity holds true, James sees the pandemic as a tremendous catalyst for better information sharing amid budget cuts and a fragmented workforce. “The security operating centers at large banks are on speed-dial with each other because the attack against Company A hits Company B the next day. No organization, or even an entire country, can do it all by themselves.”

During our talk, we also touch on how the pandemic has pushed security professionals to look at new ways of optimizing delivery, such as utilizing an integrated security solution rather than an expensive niche product. “It’s given businesses a new appreciation for automatic patching,” James recounts. “My group of CISOs is discussing installing agents on personal devices; the legalities and logistics around that. Budgets are becoming an issue; so, I’m encouraging them to think like startups—get creative.”

James and I also examine how security professionals need to do a better job of evangelizing across the entire IT sector, including developing a ground-level understanding of your own organization’s business units. Cybersecurity will only be truly effective when it’s no longer part of an org chart but simply part of everyone’s job.

To hear my complete conversation with James Turner, listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT, and other emerging tech. In every episode, we’ll look at empowering people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic appeared first on Microsoft Security.

Why threat protection is critical to your Zero Trust security strategy

February 8th, 2021 No comments

The corporate network perimeter has been completely redefined. Many IT leaders are adopting a Zero Trust security model where identities play a critical role in helping act as the foundation of their modern cybersecurity strategy. As a result, cybercriminals have shifted their focus and identities are increasingly under attack.

In this infographic, we explore how this shift is affecting IT leaders and how Microsoft can help apply threat protection to proactively prevent identity compromise and reduce alert fatigue.

  1. There’s been a significant increase in identity-based attacks. As IT leaders rely more heavily on identity in their security strategies, cybercriminals have increased their efforts on this threat vector. And with the shift to remote work in response to COVID-19, we’ve seen a notable number of pandemic-related phishing attacks.
  2. IT leaders need more visibility and protection. With the increase in threats, security professionals and admins are being overwhelmed with alerts. IT leaders are looking for more effective ways to manage alerts and better tools to proactively prevent attackers from being able to compromise accounts.
  3. Preventing identity compromise is more critical than ever. As IT leaders evolve their security strategies, people increasingly working remotely, and the number of identity-based attacks are rising, it’s vital for organizations to implement real-time, AI-based protections that prevent identity compromise.

Check out the infographic for more details.

If you’re interested in how Microsoft can help, see how Azure Active Directory (Azure AD) Identity Protection and Microsoft 365 Defender use real-time, cloud-based AI to proactively prevent identity compromise. Also check out our Security Unlocked podcast with Data Scientist Lead for Microsoft’s Identity Security and Protection team, Maria Peurtas Calvo, to hear how AI is being used to protect identities inside Microsoft products and services.

Visit our Zero Trust page to stay up-to-date on how the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why threat protection is critical to your Zero Trust security strategy appeared first on Microsoft Security.

Afternoon Cyber Tea: Privacy, the pandemic, and protecting our cyber future

February 3rd, 2021 No comments

Much of our everyday life has moved online with the pandemic continuing to play a role in how we work and communicate with others. This migration has meant that security and privacy continue to remain top-of-mind for both security professionals and those who may not have given these cyber issues a second thought once before.

In this episode of Afternoon Cyber Tea, I had a chance to talk about this impact with cybersecurity expert Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed.

In our discussion, we focus on Theresa’s experience with election security, social engineering, and about her book “Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth.” We also look at how the cyber operatives behind misinformation campaigns choose their targets, and how digital empathy and human-centered design can help combat cybercrime.

“Nation-state hackers invade social issues—such as fracking, elections, or vaccinations—all while posing as Americans,” Theresa explains. She recounts how, in researching her book, she found herself speaking to a group of Macedonian hackers who targeted the 2016 election, only to discover the hackers were apolitical. “We’re pro-capitalism,” they told her, explaining how they’d created detailed models that showed how much revenue they could earn by pushing certain candidates rather than others.

“Microsoft was one of the early leaders in offering free tools to help states improve their voting technology. They looked at something that could be a revenue generator, then chose to make it about the public good instead.”—Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed

During our conversation, we talk about how social engineering attacks are often made easier by our own trusting natures, with vacation photos, birthdays, and other personal content providing the raw data hackers rely on. Since privacy settings for social media usually require users to opt-in, many users are unknowingly laying their online life out like a buffet for hackers. And, since many people don’t read the terms of service, they often have no idea what data is being collected, or what it’s being used for. Theresa mentions a study done by MIT researchers that found even anonymized data grabbed from phone records, credit card transactions, and mobile apps can be easily cross-referenced by zip code and gender to narrow the user’s identity to within just five people.

Theresa and I agree that people cannot be expected to be experts on cybersecurity or system designs, which is where digital empathy comes into play. As we get better at building security into systems, employees can be free to do what they were hired to do. “Microsoft has been leading the way in going passwordless,” Theresa says. “I’m excited that technology has finally caught up to our needs. Now we’ll only be limited by our own creative minds.”

Find out how Theresa went from working as a bank manager to handling cybersecurity at the George W. Bush White House and get some tips on how to protect yourself from social engineering schemes—listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT) and other emerging tech. In every episode, we’ll look at how to empower people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe—so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Privacy, the pandemic, and protecting our cyber future appeared first on Microsoft Security.

Why operational resilience will be key in 2021, and how this impacts cybersecurity

January 28th, 2021 No comments

The lessons we have learned during the past 12 months have demonstrated that the ability to respond to and bounce back from adversity in general, can impact the short-and long-term success of any organization. It can even dictate the leaders and laggards in any industry.

When we take into consideration that as security threats also become more daunting, with many organizations remaining in a remote work environment, global organizations must reach a state where their core operations and services are not disrupted by unexpected changes.

The key to success in surviving any unforeseen circumstances in 2021, will be operational resiliency. Operational resilience is the ability to sustain business operations during any major event, including a cyberattack. It requires a strategic and holistic view of what could go wrong and how an organization will respond. Consider the risk and response for a utility company, for example, an organization that relies on IoT data, or a manufacturer of medical supplies. While their approach may differ, the impact would be equally as devastating should their operational continuity be halted. In today’s digital world, preparing for cyber threats must be a strategic part of that plan just like any other form of continuity and disaster recovery.

Speaking with customers globally, we know they are not fully prepared to withstand a major cyber event. Whilst many firms have a disaster recovery plan on paper, nearly a quarter have never tested that plan and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

It begins with Zero Trust. Zero Trust is based on three principles, verify explicitly, use least privilege access, and assume breach.

Verify explicitly

Rather than trust users or devices implicitly because they’re on the corporate network or VPN’ed into it, it is critical to assume zero trust and verify each transaction explicitly. This means enabling strong authentication and authorization based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

This starts with strong user authentication. Multi-factor authentication (MFA) is essential, but it’s time to move away from passwords plus SMS and voice calls as authentication factors. Bad actors are getting more sophisticated all the time, and they have found a number of ways to exploit the publicly switched telephone networks (PSTN) that SMS and voice calls use as well as some social engineering methods for getting these codes from users.

For most users on their mobile devices, we believe the right answer is passwordless with app-based authentication, like Microsoft Authenticator, or a hardware key combined with biometrics.

Least privileged access

Least privileged access means that when we do grant access, we grant the minimum level of access the user needs to complete their task, and only for the amount of time they need it. Think about it this way, you can let someone into your building, but only during work hours, and you don’t let them into every lab and office.

Identity Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with the capabilities to ensure that the right people have the right access to the right resources.

Assume breach

Finally, operate with the expectation of a breach, and apply techniques such as micro-segmentation and real-time analytics to detect attacks more quickly.

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as transport layer security (TLS) and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

That’s why having a strong identity is the critical first step to the success of a Zero Trust security approach.

Embracing Zero Trust allows organizations to harden their defenses while providing employees access to critical data, even during a cyber event. That’s because identity is the foundation of any Zero Trust security strategy because it automatically blocks attacks through adaptive security policies; across users and the accounts, devices, apps, and networks they are using. Identity is the only system that connects all security solutions together so we have end-to-end visibility to prevent, detect, and respond to distributed and sophisticated attacks thanks to cloud technology.

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as TLS and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

“Human identities” such as passwords, biometrics, and other MFA are critical to identifying and authenticate humans. Being a Zero Trust organization also means pervasive use of multi-factor authentication—which we know prevents 99 percent of credential theft and other intelligent authentication methods that make accessing apps easier and more secure than traditional passwords.

Identity is both the foundation for Zero Trust and acts as a catalyst for digital transformation. It automatically blocks attacks through adaptive security policies. It lets people work whenever and wherever they want, using their favorite devices and applications.

That’s because Zero Trust security relies heavily on pervasive threat signals and insights. It is essential to connect the dots and provide greater visibility to prevent, detect and respond to distributed and sophisticated attacks.

Future-proofing your security posture

As security threats become more daunting and many organizations remain in a remote work environment, global organizations must reach a state where their core operations and services will not be disrupted by unexpected global changes.

To maintain operational resilience, organizations should be regularly evaluating their risk threshold. When we talk about risk, this should include an evaluation of an organization’s ability to effectively respond to changes in the crypto landscape, such as a CA compromise, algorithm deprecation, or quantum threats on the horizon.

Bottom line: organizations must have the ability to operationally execute the processes through a combination of human efforts and technology products and services. The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event.

Operational resilience guidelines call for demonstrating that concrete measures are in place to deliver resilient services and that both incident management and contingency plans have been tested. Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Operational resilience is the necessary framework we must have in place in order to maintain business continuity during any unforeseen circumstances in the year ahead.

We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why operational resilience will be key in 2021, and how this impacts cybersecurity appeared first on Microsoft Security.

Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth

January 27th, 2021 No comments

I joined Microsoft a little more than six months ago—amid a global pandemic and a new norm of remote work, as well as one of the most rapidly evolving threat landscapes in history. We’ve witnessed more sophisticated attacks, like the recent SolarWinds incident, as well as an increase in attack surfaces as devices and online experiences have become more central to the way we work, learn, and live.

In solving these complex challenges alongside our customers and partners, Microsoft takes cybersecurity out of a place of fear and makes it about innovation and empowerment. Every single day, I am inspired by the team here, by their great wisdom, resilience, expertise, and by their commitment to living the mission we espouse.

Yesterday, Satya shared an important milestone for our security business: $10 billion in revenue in the past 12 months representing more than 40 percent year-over-year growth. A number inclusive of our security, compliance, identity and management businesses, and a testament to the trust our customers have placed in us.

What drives us now is creating a true Zero Trust mindset, which we believe is the cornerstone of effective protection, the foundation for organizational resilience, and the future of security. As part of that, I want to explain more about the work we do to help keep our customers secure, what makes us unique and a look at some of our latest innovations.

What makes us different

Our approach to security is unique in the industry. Microsoft has two security superpowers—an integrated approach and our incredible AI and automation. We tackle security from all angles—inside-out and outside-in. It’s why we combine security, compliance, identity, and management as an interdependent whole. In security, a silo is an opportunity for an exploit. No one else brings these critical parts of risk management together, not as a suite but as an approach that solves problems for customers on their terms across clouds and platforms.

Given Microsoft’s footprint across so many technologies, we’ve been in a unique position to think holistically about the core aspects of security: stretching from identity and access management; through endpoint, email, and application security; to data loss prevention and into cloud security and SIEM. We have an approach that is truly end-to-end, and it is notable in how deeply this is embedded in our culture. Microsoft’s security organization is an intense, massive collaboration that drives services, intelligence, technologies, and people—all coming together as one humming machine with a singular mission.

Next, consider the tremendous number of signals we take in across our platforms and services, over eight trillion security signals every 24 hours. Using the latest in machine learning and artificial intelligence techniques—plus the power of smart humans—we put these signals to work on behalf of our customers. In 2020 alone, almost six billion malware threats were blocked on endpoints protected by Microsoft Defender.

Infographic that describes how Microsoft protects devices, secures identities, ensures compliance, and detects threats.

Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions.

Protecting our customers

Today’s world of security is really a cat and mouse game. You have to know what the adversaries and threat actors are up to every single day. However, a cyber-attack is ultimately about safety, a fundamental human need. We’ve seen what happens to people as they’re going through attacks, and it’s not pleasant. So, when we’re talking to customers around the world, our mission is really to give them peace of mind.

We can secure our customers best when we invest in these areas:

  • All clouds, all platforms: We believe that anything less than comprehensive security is no security at all. That’s why our security, compliance, identity, and management solutions work seamlessly across platforms and we strive to extend to all clouds and all apps, whether or not Microsoft is being used throughout the computing environment. A great example of this is Azure Sentinel, our cloud-based SIEM, which in less than a year, is now helping over 9,000 customers protect their cloud workloads. Our commitment to comprehensive security is so absolute that we are empowering our customers to protect their cloud workloads wherever they are hosted, including Amazon Web Services and Google Cloud Platform. And likewise, Microsoft Defender now protects iOS, Android, macOS, and Linux.
  • Simplicity in the face of complexity: In my first customer meeting at Microsoft, on which Satya joined me, a customer told me she just wanted a simple button that would make everything work—could Microsoft help? That really stuck with me. Our customers want to be enablers of innovation in their organizations, and they know that effective security is critical to that work. We must make it easier for them. We hear from our global user community that they want best-in-breed combined with best-in-integration. When faced with complexity, they want greater simplicity. It’s our mission to deliver that and help our customers adapt quickly to a changing world.
  • A vibrant ecosystem: Microsoft welcomes and encourages an industry of strong competition that makes us all better. The Microsoft Intelligent Security Association is a community of more than 175 partner companies who have created over 250 integrations with Microsoft products and services, helping organizations close the gaps between fragmented security solutions and minimize risk. In addition, we delivered an industry record of $13.7 million in bug bounty awards to 327 researchers from more than 55 countries in fiscal year 2020, to help find and address potential vulnerabilities in our products and services before they can be weaponized by malicious actors.

Some new multi-cloud, multi-platform solutions and a look ahead

In addition to our financial news, today we are pleased to share a bit of product news.

Azure Security Center multi-cloud support is now available, including a unified view of security alerts from Amazon Web Services and Google Cloud, as well as enhancements to Azure Defender to protect multi-cloud virtual machines. Today, we are also announcing the availability of Azure Defender for IoT, which adds a critical layer of agentless security for Operational Technology (OT) networks in industrial and critical infrastructure organizations; as well as Application Guard for Office, which opens documents in a container to protect users from malicious content. These new solutions help protect users and businesses across devices, platforms, and clouds.

According to the Microsoft identity 2020 app trends report, out today, providing secure remote access to resources, apps and data became the top challenge for business leaders in the past year. With Azure Active Directory (Azure AD), our cloud identity solution that provides secure and seamless access to 425 million users, organizations can choose from thousands of pre-integrated apps within the Azure AD app gallery, or bring their own apps. Microsoft Cloud App Security helps protect users, ensuring apps like Salesforce, Workday, and ServiceNow can be quickly adopted and safely managed. The enthusiasm we are seeing for both Azure AD and MCAS truly show the importance our customers are placing on secured third party applications.

Our work to make the world more secure for all really does extend to all—from the largest Fortune 100 companies and world governments to individuals. Last week we began rolling out new security features for Microsoft Edge including password generator and Password Monitor, as well as easier to understand options for managing data collection and privacy. We continue to invest in building solutions to help consumers stay more secure and look forward to sharing more in the future.

The milestones and announcements we have today give us an opportunity to celebrate the work of defenders around the world.

As we look to meet the challenges of the future, we’ll continue to invest in a vibrant ecosystem of partners and in building a competitive and cooperative industry that makes us all better. And we are laser-focused on delivering simplicity in face of complexity, so everything works, and our defender community is empowered to do more.

Ultimately security is about people, protecting people, bringing people together, sharing knowledge and tools to collectively strengthen our defenses. We look forward to sharing more in the coming months about new areas of focus and investment as we continue our commitment is to serve this community. We are for defenders, with defenders, and we are defenders ourselves. The fundamental ethos of our efforts is to make the world a safer place for all.

To learn more about Microsoft Security solutions visit our website and watch our webcast to learn how to streamline and strengthen your security.

Bookmark the Security blog to keep up with expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth appeared first on Microsoft Security.

How companies are securing devices with Zero Trust practices

January 25th, 2021 No comments

Organizations are seeing a substantial increase in the diversity of devices accessing their networks. With employees using personal devices and accessing corporate resources from new locations in record numbers, IT leaders are seeing an increase in their attack surface area. They’re turning to Zero Trust security models to ensure they have the visibility they need, and their data is protected as its accessed from outside the corporate network using a wider variety of devices.

We surveyed IT leaders around the world to determine how they’re using Zero Trust practices to protect their devices and enable access to the corporate network from unsecured devices.

A clickable link to the full PDF infographic to the Zero Trust whitepaper

  1. More personal devices are accessing corporate resources than ever. In response to the substantial shift to remote work, IT leaders report seeing more of their employees using personal devices to access their networks. As a result, they’re prioritizing device management solutions to improve security and control on personal devices.
  2. Devices accessing the network are monitored but often left out of access decisions. While most IT leaders report that they’re monitoring device health and compliance, the majority aren’t currently using that status in their access decision making. Preventing unauthorized and risky devices is critical to protecting corporate data in a modern environment.
  3. Personal devices are widely agreed to increase risk exposure. Over 92 percent of IT leaders agree that a proliferation of personal devices is increasing their attack surface area. However, much less say they’re prepared for managing access from unsecured devices.

Check out the infographic for more details.

If you’re looking at how to help prevent devices from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for endpoints.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How companies are securing devices with Zero Trust practices appeared first on Microsoft Security.

How IT leaders are securing identities with Zero Trust

January 19th, 2021 No comments

The past twelve months have been a remarkable time of digital transformation as organizations, and especially digital security teams, adapt to working remotely and shifting business operations. IT leaders everywhere turned to Zero Trust approaches to alleviate the challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.A clickable link to the full PDF infographic to the Zero Trust whitepaper

  1. Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices into their identity and access solution, only a monitory have moved on to more advanced controls that utilize automation and AI-based threat analysis.
  2. Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
  3. Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. However, surprisingly, the majority of IT leaders do not rate identities as the most mature component in their Zero Trust strategy.
  4. Zero Trust is still in infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.

Read the full report for more details.

If you’re looking for how to help prevent endpoints from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How IT leaders are securing identities with Zero Trust appeared first on Microsoft Security.

Simplify compliance and manage risk with Microsoft Compliance Manager

January 14th, 2021 No comments

The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant will cost you less compared to business disruptions, loss of revenue, and hefty fines.

Data explosion and regulatory environment

As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.

Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.

Manage compliance challenges

According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.

Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.

  • Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
  • Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
  • Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
  • Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.

Simplify compliance with Microsoft Compliance Manager

Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:

  • Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
  • Workflow functionality to help you efficiently complete risk assessments.
  • Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
  • Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.

Shared responsibility

For organizations running their workloads only on-premises, they are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, such as Microsoft 365, that responsibility becomes shared between your organization and the cloud provider, although is ultimately responsible for the security and compliance of their data.

Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.

shows the Shared responsibility model

Figure 1: Shared responsibility model

Apply a shared responsibility model

Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take the United States National Institute of Standards and Technology’s NIST 800-53 regulation as an example. It is one of the largest and most stringent security and data protection control frameworks used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500 plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that situation with one where your organization was running 100 percent on-premises. In that case, your organization would need to implement and maintain all the NIST 800-53 controls on your own. The time and cost savings managing your IT portfolio under the shared responsibility model can be substantial.

shows the NIST examples of shared responsibilities

Figure 2: NIST examples of shared responsibilities

Assess your compliance with a compliance score

Compliance Manager helps you prioritize which actions to focus on to improve your overall compliance posture by calculating your compliance score. The extent to which an improvement action impacts your compliance score depends on the relative risk it represents. Points are awarded based on whether the action risk level has been identified as a combination of the following action characteristics:

  • Mandatory or discretionary.
  • Preventative, detective, or corrective.

Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.

The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.

Shows the Compliance Score from Microsoft Compliance Manager

Figure 3: Compliance Score from Microsoft Compliance Manager

For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Simplify compliance and manage risk with Microsoft Compliance Manager appeared first on Microsoft Security.

Siemens USA CISO: 3 essentials to look for in a cloud provider

December 14th, 2020 No comments

In the latest episode of my series, The Shiproom, I spoke with Kurt John, Chief Cybersecurity Officer (CISO) at Siemens USA. Kurt is listed in Security Magazine’s Top 10 most influential cybersecurity leaders, and he also serves on a special cybersecurity committee organized by the Under-Secretary-General of the United Nations.

As CISO for Siemens USA, Kurt describes his job as “leveraging cybersecurity through our value chain to protect the trust society has in us to solve the world’s most complex problems.” Siemens has embraced industry 4.0 and IoT, leading the way in automation for operational technology (OT). The company has been operating in the United States for 160 years and today has 50,000 employees. The responsibility to protect all the people, devices, and intellectual property (IP) rests on Kurt’s shoulders.

“I think movement to the cloud is inevitable,” Kurt tells me in our discussion. “It’s just way too cost-effective. You can scale quickly. But not all cloud providers are created equal.” According to Kurt, a good cloud provider should deliver three things: flexibility, control, and visibility. “You need to have your eyes on everything happening in the cloud. Whether it’s changing business conditions or a threat from an adversary; you need to be able to adjust.”

At one point, a scientist from the future interrupts our conversation (you had to be there) to ask Kurt about the challenges of balancing on-premises data vs. cloud storage: “You want the relationship between the cloud and the enterprise to be as seamless as possible,” Kurt replies. “What’s most important—how well does the cloud provider deploy security controls? I need to be able to wrap my hands around any incident through good protection and detective mechanisms, and good reporting.”

We also touched on how a diverse security team offers better protection against today’s diverse cyber threats. “Diversity in the team immediately skyrockets creativity. With a team that’s physically and cognitively diverse. It’s a wonder what we can accomplish together.”

Talking about building a strong security team lead to how mentorship can play a role, Kurt himself mentors college students who are considering a career in tech. “There’s a myth that working in cybersecurity requires you to be incredibly technical. That’s just not the case. Cybersecurity is as big as you make it.”

Watch the whole discussion on The Shiproom: Siemens USA.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Siemens USA CISO: 3 essentials to look for in a cloud provider appeared first on Microsoft Security.

Understanding influences shaping the cybersecurity landscape, enabling digital transformation, and helping to protect our planet

December 3rd, 2020 No comments

The accelerated rate of digital transformation we have seen this past year presents both challenges and endless opportunities for individuals, organizations, businesses, and governments around the world. Cybersecurity is the underpinning of helping protect these opportunities. By examining the influences that are shaping the cyber landscape, and hearing from security experts, industry thought leaders, our customers, and partners—we help strengthen how Microsoft can protect these opportunities.

This month we wrapped season three of Afternoon Cyber Tea with Ann Johnson where Sandra Joyce, a threat intelligence expert joined me for the concluding episode to talk about election security and protecting ourselves against misinformation. Our discussion was incredibly illuminating, and it is a perfect example of the ground we continue to cover in these thoughtful conversations.

Each episode has surfaced perspectives on how our collective approach to cybersecurity ties directly to some of society’s most pressing issues, including the need for more diverse voices in the industry, the impact of a global health emergency, and the urgent need to reframe how we think about security.

The impact of a pandemic on global operations

James Turner, an industry analyst who works to support chief information security officers (CISOs) and strengthen the resilience of the economies for Australia and New Zealand shared his insights in this season’s first episode. He reminded us of that cybersecurity is everyone’s business, using the banking industry to emphasize collaboration between organizations on matters of security, even if those organizations are competitors. “The security operating centers at large banks are on speed dial with each other all the time because the attack against Company A hits Company B the next day.” 

Even during a global pandemic, which James has seen as a tremendous catalyst for information-sharing amid budget cuts and workforce impact, he says simply reaching out to peers remains critical to understanding and preventing threats.

For Microsoft’s Chief Information Security Officer, Bret Arsenault, the pandemic has also reinforced the importance of planning and testing emergency scenarios to combat bad actors who attempt to exploit human vulnerabilities and new realities of life and work online.

“We’ve seen a really big increase in ransomware and a lot of activity against Remote Desktop Protocol because so many people are remoting in. When you see broad usage, you will see broad bad actor campaigns against those things.”—Microsoft’s Chief Information Security Officer, Bret Arsenault, Microsoft

So as companies advance their digital transformation, the best way to enable a productive workforce is to secure it with a solid strategy to mitigate opportunism. And while a little digital empathy goes a long way, getting employees to think responsibly about their own security can help remote workforces avoid risk, too.

Reframing cybersecurity as a business imperative

The human side of cybersecurity remains one of the trickiest but most critical areas to tackle in the industry. Many guests said it’s integral to how they advise organizations on threat prevention and mitigation.

Jules Okafor, CEO and founder of RevolutionCyber, built her entire company on the premise of transforming institutional cyber mindset to drive behavior change among employees after seeing too many organizations focused on selling security products instead of solving problems.

That’s not a cyber mindset. It’s more about how do you surround people with cybersecurity in a way that helps them understand it will make them do their jobs better? Cybersecurity has to be better at aligning with the way people think.”—Jules Okafor, CEO and founder, RevolutionCyber

And I think all of my guests would agree cybersecurity should be prioritized throughout all levels and departments of an organization. Some companies are innovating how they do just that.

“Honestly, some of the most successful cybersecurity internal departments I’ve seen have reported out of risk or finance, not technology.”Tarah Wheeler, Security Researcher and Fulbright Scholar

Defining cybersecurity as one of the pillars of a business Tarah says, demonstrates that it is critical to your success and more than just an afterthought.

This prioritization reflects a level of understanding that Sandra, my most recent guest, said has become paramount in today’s threat landscape.

As the head of Mandiant Intelligence at FireEye, Sandra discourages a prevention-only mindset. Instead, she advises organizations to assume attacks will happen and to conduct threat profiles that help them strategize how to mitigate the damage when breaches occur.

“If you can understand where you sit in the ecosystem, you can prioritize more and, at the very least, get more efficient” she says. “Don’t just look at the initial intrusion. Don’t let the first day of an attack be the day you determine how to manage it.”

But these steps are not limited to organizations. Theresa Payton, CEO of Fortalice Solutions, and author of Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, also offered individuals advice on how to guard against the influence of misinformation campaigns. Our conversation touched on the personal data collected by our devices, too, and what we trade for convenience and insights about the patterns of our lives.

That ubiquitous nature of technology in our lives right now really does have an implication on both privacy but also the risk-versus-reward tradeoff when that data could be really helpful,” she said.

While AI-enabled voice assistants, intelligent appliances, and more can benefit users—think, for example, of discovering an underlying health condition revealed by data collected by your smartwatch—Theresa cautioned against the innumerable unknowns about how that data could be used. And she called on organizations and governing bodies to build security into design and guardrails that prevent helpful technology from hurting us.

The pressing need for more diverse voices in cybersecurity

I am grateful for the chance to talk with guests of unique backgrounds and experiences to hear what inspires them and how they are shaking up the white, male-dominated cybersecurity industry. It became clear that promoting diverse voices goes beyond tapping into a cultural moment—it’s about strengthening the entire industry.

Camille Stewart, head of security policy and election integrity for Android and Google Play, may have put it best when she said, “Racism is inherently a cybersecurity issue because people are at the core of how security controls are adopted and how technology is used. If we do not address issues of systemic racism, the processes and institutions that we are building security into are inherently vulnerable.”

In other words, diversity is threat mitigation, in and of itself.

That is why Camille’s collaboration with Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs is so compelling. Together, they launched the #ShareTheMicInCyber campaign to amplify diverse, expert voices in cybersecurity and share insights to help organizations identify blind spots.

It is an important reminder that the cybersecurity industry is a community and that our ability to protect against threats is only as strong as our ability to identify them—together.

This is something I have so valued this season. The diversity of expertise, experiences, and backgrounds reflected in these episodes are, on a grander scale, helping to shape and improve our collective understanding of cybersecurity. I hope you will find useful takeaways from these leaders who are at the fore of securing and strengthening our industry.

Thank you to all who listened to season three of Afternoon Cyber Tea. All episodes are available to stream and download on PodcastOne, Spotify, and Apple Podcasts.

To learn more about Microsoft Security solutions visit our website. To learn more about CISO topics and solutions, watch the Microsoft CISO Spotlight Series with our host Theresa Payton. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Understanding influences shaping the cybersecurity landscape, enabling digital transformation, and helping to protect our planet appeared first on Microsoft Security.

Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance

September 22nd, 2020 No comments

As we talk with a broad range of customers in the current environment, we hear some consistent challenges businesses are facing. With so many remote workers, people are creating, sharing, and storing data in new ways, which fosters productivity, but can also introduce new risks. A recent Microsoft poll of Chief Information Security Officers (CISOs) revealed that providing secure remote access to resources, apps, and data is their top concern.

To help companies better protect their data, mitigate risk, and address compliance regulations, especially in this time of flexible work, we are announcing several new capabilities across Microsoft Compliance, including:

  • General availability of Microsoft Compliance Manager to address industry regulations and custom requirements.
  • New connectors and APIs to help you to extend Microsoft compliance capabilities to third-party apps.
  • Ability to protect native and third-party cloud apps through unified data loss prevention (DLP), now extended to Microsoft Cloud App Security (MCAS) in public preview.
  • Expanded security and compliance capabilities built directly into Microsoft Teams.

Read on to learn more about these and additional features beginning to roll out today in Microsoft 365 Compliance. You can also check out what Jeff Teper, Corporate Vice President for Microsoft 365, has to say about Microsoft Compliance.

Addressing the complexity of data regulations with Microsoft Compliance Manager

In addition to the talent shortage and complexity of compliance management, customers also face the need to comply with an increased volume and frequency of regulations, with hundreds of updates a day globally to thousands of industry and regional regulations. Additionally, the complexity of regulations makes it challenging for organizations to know specific actions to take and their impact.

Compliance Manager offers a vast library of assessments for expanded regulatory coverage, built-in automation to detect tenant settings, and step-by-step guidance to help you manage risk. Compliance Manager translates complex regulatory requirements to specific technical controls, and through compliance score, provides a quantifiable measure of risk assessment. Generally available today, Compliance Manager brings together the existing Compliance Manager and Compliance Score solutions in the Microsoft 365 compliance center.

Now, with more than 150 out-of-the-box and scalable assessments in Compliance Manager, you can address industry- and region-specific requirements, while also meeting multiple requirements through a single action.

The flexibility of custom assessments also allows you to extend compliance and risk management beyond Microsoft 365 to meet your specific business needs. For example, if you are currently tracking compliance of your SAP data in an Excel file, you can bring that into Compliance Manager.

You can learn more about Compliance Manager on Tech Community. Check out Frost Bank’s experience with Compliance Manager on the Microsoft Customer site.

Extending compliance capabilities to manage data risk beyond Microsoft 365

To provide greater visibility into your data, wherever it lives, we are making new connectors available that can pull data from other apps into Microsoft Compliance (including Microsoft Information Protection, Insider Risk Management, Communication Compliance, and eDiscovery) to help you to reason over, protect, and govern that data. These new connectors – available in partnership with Globanet and Telemessage – include SMS/text connectors for various telecom operators (e.g., AT&T, Verizon, T-Mobile, etc.), WhatsApp, Zoom, and Slack.

A key ask from our partners and customers is the ability to access Microsoft Compliance solutions and integrate them with existing applications and services that are part of broader compliance, security, and operations (SecOps) ecosystems, including Symantec, McAfee, and Relativity.

To help, we are announcing new APIs, which are part of the broader Microsoft Graph ecosystem:

  • Teams Data Loss Prevention (DLP) API: Allows third-party products to integrate and enable data loss prevention capabilities for Microsoft Teams.
  • eDiscovery API: Allows the automation of Advanced eDiscovery processes, including case creation and the entire legal hold notification workflow to communicate with custodians involved in a case.
  • Teams Export API: Allows the export of Teams Messages (1:1 and group chat) along with attachments (file links and sticker), emojis, GIFs, and user @Mentions. This API supports polling daily Teams messages and allows archiving of deleted messages up to 30 days.

An image showing the Microsft 365 Compliance ecosystem.

Figure 1: Extending compliance beyond Microsoft 365 — We have partnered with Globanet and Telemessage to deliver ready-to-use connectors. All Microsoft and ​third-party built connectors are now available in a single catalog.

You can learn more in the Tech Community blog.

Extending unified data loss prevention to Microsoft Cloud App Security (MCAS)

Having the right data protection and governance approach is critical to not only addressing regulatory compliance but also to mitigating risks around data leakage.

Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. In July, we announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which builds on the labeling and classification in Microsoft Information Protection. Endpoint DLP extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on devices by restricting what data apps can access. Endpoint DLP is also natively integrated with the new Microsoft Edge browser, providing additional policy options to restrict the flow of data when accessing web sites.

Today we announce the extension of Microsoft data loss prevention solutions to Microsoft Cloud App Security. This new capability, now in public preview, extends the integration for DLP policy-based content inspection across connected applications such as Dropbox, Box, Google Drive, Webex, One Drive, SharePoint, and others. This extension of Microsoft data loss prevention solutions to MCAS helps users remain continuously compliant when using popular native and third-party cloud apps and helps to ensure sensitive content is not accidentally or inappropriately shared. MCAS uses the same policy framework and more than 150 sensitive information types that is common across all Microsoft data loss prevention solutions, to provide a familiar, consistent, and seamless experience.

You can learn more about our unified approach to data loss prevention on Tech Community.

Additional security and compliance features, including Advanced eDiscovery, being added to Microsoft Teams

As Microsoft Teams usage has grown with the shift to remote work, organizations are looking for seamless integration in order to keep their data and employees secure and compliant.

With the volume of business conversations happening now in Microsoft Teams, we are also adding additional security and compliance features, including:

  • Advanced eDiscovery now supports live documents and links shared in Microsoft Teams. Advanced eDiscovery automatically collects documents from a storage location, such as SharePoint or OneDrive, to pull the content into an eDiscovery case. The attachments are collected, reviewed, and exported along with the Teams conversations so customers don’t need to manually find and collect the documents one by one.
  • Auto-apply retention policies for Microsoft Teams meeting recording allow you to retain and delete recordings with in-place governance, which means the retention policies apply wherever the recordings are saved without the need to export elsewhere. When the rollout for this begins in October, we will provide guidance on how you can leverage Keyword Query Languages to create retention policies for Teams meeting recordings.
  • We now include Teams-specific actions in Compliance Manager, which provide guidance around improvement and implementation of actions you can take to help to align with protection regulations and standards.
  • We are also announcing Customer Key support for Teams. Microsoft helps keep Teams data safe by encrypting it while at rest in Microsoft datacenters. Now we are extending this capability to enable customers to add a layer of encryption using their own keys for Teams, similar to Exchange Online, SharePoint Online, and OneDrive.  
  • Insider Risk Management now offers native integration with Microsoft Teams to securely coordinate, collaborate, and communicate on a case with relevant stakeholders in the organization. When an Insider Risk management case is created, a private Microsoft Teams team will also be created and bound to the case for its duration. This Microsoft Teams team will, by default, include insider risk management analysts and investigators, and additional contributors such as HR and Legal, can be added as appropriate. With Teams integration, stakeholders can:
    • Use channel conversations to coordinate and track review/response activities.
    • Share, store, and review relevant files and associate evidence. 

Additional new capabilities coming to Microsoft Compliance

While I’ve discussed some of the biggest areas of investment for us in Microsoft Compliance, there are many additional new capabilities we’re excited to bring to you today:

  • Microsoft Information Protection now includes more than 150 sensitive data types, improvements to Exact Data Match, the general availability of automatic labeling in Office apps, and more.
  • Microsoft Information Governance and Records Management include new in-place retention and deletion policies for Yammer messages (rolling out now in public preview), as well as integration with the new SharePoint Syntex.
  • Insider Risk Management now integrates with Power Automate, provides a richer investigation experience, and includes expanded signal visibility to badging systems for building security.
  • Communication Compliance now provides enhanced visibility across a variety of communication channels and integration with Power Automate.
  • Advanced eDiscovery now has improved workflows, support for linked content in emails or chat messages, and enhanced collection experience.
  • Advanced Audit now includes two new audit events to help with forensic investigations and the ability to add 10-year audit log retention.

Remote and hybrid work scenarios have demonstrated that there has never been a more important time to invest in security and compliance. Get started today with Microsoft 365. To learn more about Microsoft Compliance and gain more technical training, visit the Virtual Hub today.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance appeared first on Microsoft Security.

Microsoft Security: Use baseline default tools to accelerate your security career

September 14th, 2020 No comments

I wrote a series of blogs last year on how gamified learning through cyber ranges can create more realistic and impactful cybersecurity learning experiences and help attract tomorrow’s security workforce. With the global talent shortage in this field, we need to work harder to bring people into the field. This blog is for new cyber professionals or perhaps younger aspirants considering getting into cyber. From an employee’s perspective, it can seem daunting to know where to start, especially when you’re entering an organization with established technology investments, priorities, and practices. Having come to this field later in my career than others, I say from experience that we need to do a better job collectively in providing realistic and interesting role-based learning, paths toward the right certifications and endorsements, and more definitive opportunities to advance one’s career.

I’m still a big fan of gamified learning, but if gaming isn’t your thing, then another way to acquire important baseline learning is to look at simpler, more proactive management tools that up-level different tasks and make your work more efficient. Microsoft has recently released two important cloud security posture management tools that can help a newer employee quickly grasp basic yet critically important security concepts AND show immediate value to your employer. They’re intuitive to learn and deserve more attention.  I’m talking about Azure Security Defaults and Microsoft Secure Score (also including Azure Secure Score). While tools like these don’t typically roll off the tongue, and your experience won’t grab you like an immersive gaming UI, their purpose-built capabilities that focus on commonly-accepted cyber hygiene best practices reinforce solid foundational practices that are no less important than SecOps, incident response, or forensics and hunting. Learning how to use these tools can make you a champion and influencer, and we encourage you to learn more below. These capabilities are also built directly into our larger Azure and M365 services, so by using built-in tools, you’ll help your organization maximize its investments in our technologies and help save money and reduce complexity in your environment.

Azure Security Defaults is named for what it does—setting often overlooked defaults. With one click, you automatically enable several foundational security controls that if left unaddressed are convenient and time-tested targets for attackers to go after your organization. One question that I frequently receive is why Microsoft doesn’t simply pre-configure these settings by default and force customers to turn them off. Several large, high-threat customers have asked specifically that we do that. It’s tempting, but until or unless we make such a move, this is a great self-service add-on. As explained in this blog, ASD does the following:

  • Requires all users to register for Azure Multi-Factor Authentication.
  • Requires admins to perform MFA.
  • Blocks legacy authentication protocols.
  • Requires users to perform MFA when necessary.
  • Protects privileged activities to access the Azure Portal.

A recent important addition to ASD is that Microsoft announced on August 12th that ASD is now also available through Azure Security Center. This is an important and beneficial addition in that it adds another opportunity for your IT organization—whether identity and access management, or security operations—to implement the defaults. I’ve noticed on several occasions when briefing or providing a demo on Azure Security Center to a CISO team that a challenge in effectively using this service may come down to organizational issues, specifically, Who OWNS it?  Is ASC a CISO tool? Regardless of who may own the responsibility, we want to provide the capability upfront.

MICROSOFT SECURE SCORE is a relatively new feature that is designed to quantify your security posture based on how you configure your Microsoft resources. What’s cool and impactful about it is that it provides in a convenient top-down meu approach the relative approach your organization has taken compared (anonymously) with your industry segment’s peers (given in many cases similar reference architectures), and provides clear recommendations for what you can do to improve your score. From a Microsoft perspective, this is what we’d say all carrot and no stick. Though as covered above we provide Azure Security Defaults, customers are still on point to make a proactive decision to implement controls based on your particular work culture, compliance requirements, priorities, and business needs. Take a look at how it works:

This convenient landing page provides an all-up view into the current state of your organization’s security posture, with specific recommendations to improve certain configuration settings based on an art-of-the-possible. In this demo example, if you were to turn enable every security control to its highest level, your score would be 124, as opposed to the current score of 32, for a percentage of 25.81. Looking to the right of the screen, you get a sense of comparison against peer organizations. You can further break down your score by categories such as identity, data, device, apps, and infrastructure; this in turn gives a security or compliance team the opportunity to collaborate with hands-on teams that control those specific resources and who might be operating in silos, not necessarily focused on security postures of their counterparts.

An image of Microsoft Secure Score.

 

Azure Secure Score

You’ll also find Secure Score in the Azure Security Center blade where it provides recommendations front and center, and a color-coded circular graph on important hybrid infrastructure configurations and hygiene.

An image of Secure Score in the Azure Security Center.

Drilling deeper, here we see a variety of recommendations to address specific findings.  For example, the top line item is advice to ‘remediate vulnerabilities’, indicating that 35 of 59 resources that ASC is monitoring are in some way not optimized for security. optimized for security.

An image of variety of recommendations to address specific findings.

Going a level further into the ‘secure management ports’ finding, we see a sub-heading list of actions you can take specific to these resources’ settings. Fortunately, in this case, the administrator has addressed previously-discovered findings, leaving just three to-do’s under the third subheading. For added convenience, the red/green color-coding on the far right draws your attention.

An image of the ‘secure management ports’ finding.

Clicking on the third item above shows you a description of what ASC has found, along with remediation steps.  You have two options to remediate:  more broadly enable and require ‘just in time’ VM access; or, manually enable JIT for each resource. Again, Microsoft wants to incentivize and make it easier for your organization to take more holisitic and proactive steps across your resources such as enabling important settings by default; but we in no way penalize you for the security settings that you implement.

An image of a description of what ASC has found, along with remediation steps.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security: Use baseline default tools to accelerate your security career appeared first on Microsoft Security.

3 ways Microsoft 365 can help you reduce helpdesk costs

September 3rd, 2020 No comments

With more people than ever working remotely, organizations must maximize employee productivity while protecting an ever-growing digital footprint. Many have stitched together specialized security solutions from different vendors to improve their cybersecurity posture, but this approach is expensive and can result in gaps in coverage and a fragmented user experience. With Microsoft’s integrated security solutions, you can enhance security and user productivity more cost-effectively.

Focusing a lens on the helpdesk illuminates how consolidating with Microsoft helps streamline and strengthen your security posture. Your helpdesk plays an important role in enabling employees to be more effective, but it can also reveal organization-wide productivity challenges. Productivity matters because if security controls are too cumbersome, employees will find workarounds. In this blog, I’ll highlight three examples of how Microsoft 365 can help you reduce costs while strengthening cybersecurity.

1. Reduce password reset calls by 75 percent

One of the most common reasons that employees call the helpdesk is to reset their password. These calls result in a loss of productivity for employees who are locked out of their accounts. They also require employees and helpdesk analysts to take time out of their busy days to work through steps to reset the password. With a high volume of calls, the costs add up.

The best way to reduce password reset calls is to eliminate passwords entirely. Microsoft has built in support for passwordless authentication methods such as biometrics, FIDO-2 security keys, and PINs into all our products and services. Because they are encrypted and stored locally on your users devices, these methods are more secure than passwords and easier for employees—and they can reduce your costs. When Microsoft rolled out passwordless to our employees the hard and soft costs of supporting passwords fell by 87 percent.

Deploying passwordless is a phased journey and not everyone is ready to start that process now, so it’s important to also improve productivity for password users. Azure Active Directory (Azure AD) is an identity and access management solution that allows users to sign in to all their on-premises and cloud apps with one set of credentials—whether they use passwords or passwordless methods. With single sign-on employees will have far fewer passwords to remember; however, sometimes they may still forget or Azure AD may force them to reset a password if an account appears compromised. In either case, Azure AD self-service password reset lets employees unblock their accounts, on their time, via an online portal.

According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, Azure AD self-service password reset can reduce the number of password reset calls per month by 75 percent. In this commissioned study, Forrester Consulting developed a composite organization based on interviews with four customers in different industries who have used Azure AD for years. Deploying Azure AD self-service password reset resulted in a return on investment of USD 1.7 million over three years.

 

2. Streamline Windows 10 upgrade path

Twice a year Microsoft releases new features and security capabilities for Windows 10. Typically, users are able to download the new operating system and quickly get back to work—but if you use a non-Microsoft product for endpoint detection or antivirus, it can complicate the process.

When a non-Microsoft vendor’s security product is not compatible with a new version of Windows 10, it prevents users from upgrading. This can be confusing for employees, who call the helpdesk for assistance. In addition to facilitating these calls, your team must also run software compatibility testing once a new version of the security software is released. Meanwhile, your company can’t take advantage of the productivity and security features available in the latest version of Windows 10.

To reduce dependencies without compromising security, turn on Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Microsoft Defender ATP helps you protect, detect, and respond to advanced attacks against all your endpoints. Microsoft Defender Antivirus, a Microsoft Defender ATP capability, uses artificial intelligence and machine learning to find and block malware and other viruses. Both solutions are designed to work together and are integrated with Windows 10, which reduces the likelihood of helpdesk calls during the upgrade process.

An image of Microsoft Defender ATP.

3. Empower uses to manage their devices

A third driver of helpdesk calls is device management. Any time an employee needs help with a device, such as when they start a new job or want to use a personal device to access email, a helpdesk analyst is often involved. The analyst sets up devices with the appropriate applications and permissions and troubleshoots challenges with access.

As the way we work has changed, people no longer access corporate resources solely from the office using company-provided devices. Reading emails from a coffee shop on a personal phone or reviewing presentations from a tablet makes working more convenient, but it can also introduce security challenges. Employees may not upgrade their devices or apply security patches in a timely manner. They sometimes, unknowingly, download apps with security flaws. Attackers leverage these vulnerabilities to gain access to sensitive company resources.

An image showing how Attackers leverage use vulnerabilities to gain access to sensitive company resources.

Microsoft Endpoint Manager makes it easier to provision, update, and manage personal and business laptops and mobile devices with support for Windows, MacOS, iOS, and Android Enterprise. Integration with Azure AD enables employees to use Microsoft Intune Portal to enroll both corporate-owned and personal devices without helpdesk intervention. Intune automatically installs appropriate apps, or you can allow employees to choose apps through the portal.

With Microsoft Endpoint Manager, you can also enforce security policies on all enrolled devices. For example, you can require that employees use the most current operating system to access corporate resources. You can define PIN requirements or install threat protection software. If users don’t want to enroll their device, mobile app management capabilities let you isolate organizational data from personal data. These policies are defined globally and automatically applied when users register devices, streamlining the process for everyone.

An image showing how Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IOT devices

Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IoT devices to detect, block, and elevate threats. Consolidate with Microsoft to strengthen security, simplify the user experience, and reduce helpdesk costs.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 3 ways Microsoft 365 can help you reduce helpdesk costs appeared first on Microsoft Security.