Archive for the ‘Microsoft 365’ Category

New research shows IoT and OT innovation is critical to business but comes with significant risks

December 8th, 2021 No comments

The need for much improved IoT and operational technology (OT) cybersecurity became clearer this year with recent attacks on network devices,1 surveillance systems,2 an oil pipeline,3 and a water treatment facility,4 to name a few examples.

To better understand the challenges customers are facing, Microsoft partnered with the Ponemon Institute to produce empirical data to help us better understand the state of IoT and OT security from a customer’s perspective. With this data, we hope to better target our cybersecurity investments and to improve the efficacy within Microsoft Defender for IoT, and our other IoT-related products. Ponemon conducted the research by surveying 615 IT, IT security, and OT security practitioners across the United States.

To get an overview of the key findings from the 2021 The State of IoT and OT Cybersecurity in the Enterprise, download the full report.

IoT adoption is critical despite significant security challenges

The research showed that a large majority of respondents believe that IoT and OT adoption is critical to future business success. As a result, they are advancing IoT and OT projects as a key priority.

  • 68 percent of respondents say senior management believes IoT and OT are critical to supporting business innovation and other strategic goals.
  • 65 percent of respondents say senior management has made it a priority for IT and OT security practitioners to plan, develop, or deploy IoT and OT projects to advance business interests.

Within this group, only a small minority of organizations slowed, limited, or stopped IoT and OT projects even though a majority believe that generally these types of devices are not built with security in mind and that they represent one of the least secured aspects of their IT and OT infrastructure.

  • 31 percent of IT security practitioners have slowed, limited, or stopped the adoption of IoT and OT projects due to security concerns.
  • 55 percent of respondents do not believe IoT and OT devices have been designed with security in mind.
  • 60 percent of respondents say IoT and OT security is one of the least secured aspects of their IT and OT infrastructure.

Based on the data, it appears that business interests are currently taking priority over the increased security risks that organizations assume, as they advance their IoT and OT projects. This puts security and risk leaders in a difficult place and explains why IoT and cyber-physical systems security has become their top concern for the next three to five years.5

“We believe this unique research highlights the obstacles organizations face as they use IoT and OT to drive business innovation with technologies that are more easily compromised than traditional endpoints,” said Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute. “On a positive note, a vast majority of security and risk leaders recognize the threat and have made shoring up their IoT and OT defenses a top priority for the next 12 to 24 months.”

Outdated IoT and OT assumptions are putting organizations at risk

In the past, there was a common assumption about IoT and OT devices that is no longer true. It was assumed that IoT and OT devices were typically segmented from traditional endpoints (workstations, servers, and mobile) or that they were deployed within separate air-gapped networks. The research confirmed that devices on IT and OT networks are frequently connected directly or indirectly to the internet, making them targets that can be breached from outside of the organization. The latest evolution to the Mozi attack1 is a great example of how a business network can be breached through network gear running on the edge of business networks.

  • 51 percent of OT networks are connected to corporate IT (business) networks, like SAP and remote access.
  • 88 percent of respondents say their enterprise IoT devices are connected to the internet—for instance, for cloud printing services.
  • 56 percent of respondents say devices on their OT network are connected to the internet for scenarios like remote access.

It’s critical that these dated assumptions are removed from organizational thinking so that proper mitigations can be put in place.

Key security challenges for IoT and OT devices

When it comes to securing IoT and OT devices, the top challenge is related to visibility. Per the research, only a small subset of respondents shared that they had a complete view of all their IoT and OT asset inventory.

  • 29 percent of respondents mentioned that their organizations have a complete inventory of IoT and OT devices. Among them, they have an average of 9,685 devices.

But visibility isn’t just about building a complete asset inventory. It’s also about gaining visibility into the security posture of each IoT and OT device. Questions like “Is the device optimally configured for security,” “Are there any known vulnerabilities in the device’s firmware,” “Is the device communicating or connected directly to the internet,” and “Is the device patched with the latest firmware build?” are some of the questions that organizations need answers to but struggle with for their IoT and OT devices.

  • 42 percent of respondents claimed they lack the ability to detect vulnerabilities on IoT and OT devices.
  • 64 percent of respondents have low or average confidence that IoT devices are patched and up to date.

Another dimension of visibility that customers are seeking solutions for is related to the ability for organizations to become aware of IoT and OT devices that are involved in attacks. Most of the survey respondents have low to average confidence that the tools they have deployed will be successful in detecting compromised devices.

  • 61 percent have low or average confidence in the ability to identify whether IoT devices are compromised.

Another important aspect of visibility worth mentioning is that customers struggle with the ability to efficiently determine how compromised IoT and OT devices are part of broader end-to-end incidents. To resolve attacks completely and decisively, organizations frequently use manual investigation processes to correlate and make sense of the end-to-end attack. Meanwhile, attackers use this time to broaden the attack and get closer to the end goal.

  • 47 percent of respondents say their organizations are primarily using manual processes to identify and correlate impacted IoT and OT devices.

IoT and OT attacks are not hypothetical

The Ponemon research shows us that a good percentage of the surveyed respondents are encountering IoT and OT attacks. Nearly 40 percent of respondents told us that they’ve experienced attacks where the IoT and OT devices were either the actual target of the attack (for example, to halt production using human-operated ransomware) or were used to conduct broader attacks (such as lateral movement, evade detection, and persist). Most respondents felt these types of attacks will increase in the years to come.

  • 39 percent of respondents experienced a cyber incident in the past two years where an IoT or OT device was the target of the attack.
  • 35 percent of respondents say in the past two years their organizations experienced a cyber incident where an IoT device was used by an attacker to conduct a broader attack.
  • 63 percent of respondents say the volume of attacks will significantly increase.

One thing to keep in mind with these last three statistics is that the study also showed that customers have low to average confidence in their ability to detect when IoT and OT devices have been compromised. Based on this, it’s likely that the real numbers are higher.

The new Microsoft Defender for IoT is available now for your feedback

Last month at Ignite, we announced that Microsoft Defender for IoT, formerly Azure Defender for IoT, is adding agentless monitoring capabilities to help secure enterprise IoT devices connected to IT networks such as Voice over Internet Protocol (VoIP), printers, and smart TVs. This complements the product’s existing support for industrial systems and critical infrastructure like ICS/SCADA. Additionally, we announced that Defender for IoT is part of the Microsoft SIEM and XDR offering bringing its AI, automation, and expertise to complex multistage attacks that involve IoT and OT devices.

An open investigation dashboard for P L C programming and related alerts.

Figure 1. Deep contextual telemetry (like asset and connection details) combined with threat intelligence (like analytics rules, SOAR playbooks, and dashboards) from Section 52 helps analysts perform high-efficiency incident responses.

Microsoft Security would now like to invite you to try out the new public preview of the integrated solution that addresses the challenges surfaced in the Ponemon research, such as complete asset inventory, vulnerability management, threat detection, and correlation. Try the public preview functionality within the Microsoft 365 Defender console or within the Microsoft Defender for IoT experiences. We look forward to hearing and integrating your feedback for the new Microsoft Defender for IoT.

More details on the public preview and roadmap can be viewed in our Ignite session.

Video with link to the Accelerate digital transformation by securing your Enterprise I o T devices with Microsoft Defender for I o T session with Nir Krumer, Principal P M Manager, and Chris Hallum, Senior Product Marketing Manager.

Figure 2. Nir Krumer, Principal Program Manager, and Chris Hallum, Senior Product Marketing Manager, discuss securing your Enterprise IoT devices with Microsoft Defender for IoT.

Learn more

More information on the current release of Microsoft Defender for IoT, which offers OT security, can be found in the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1This is why the Mozi botnet will linger on, Charlie Osborne, ZDNet. 1 September 2021.

2‘Thousands’ of Verkada Cameras Affected by Hacking Breach, IFSEC Global Staff, Dark Reading. 10 March 2021.

3Hackers Breached Colonial Pipeline Using Compromised Password, William Turton, Kartikay Mehrotra, Bloomberg. 4 June 2021.

4‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town, Frances Robles, Nicole Perlroth, New York Times. 8 February 2021.

5Develop a Security Strategy for Cyber-Physical Systems, Susan Moore, Gartner. 13 April 2021.

The post New research shows IoT and OT innovation is critical to business but comes with significant risks appeared first on Microsoft Security Blog.

Privacy compliance for smart meter infrastructure with Microsoft Information Protection and Azure Purview

June 2nd, 2021 No comments

Smart meters and smart grid infrastructure have been deployed in many of the world’s electric distribution grids. They promise energy conservation, better grid management for utilities, electricity theft reduction, and a host of value-added services for consumers. To deliver on this promise, they need to collect granular electric usage data and make this available to the stakeholders who need it. This has created consumer privacy concerns which are being addressed with security and governance programs, like Microsoft Information Protection and Azure Purview, and with regulation by the government. The ability to protect and govern smart meter data is critical to addressing consumer privacy. It’s also critical to making the data available to realize the return on investment in terms of environment, safety, savings, and enhanced services to consumers.

Smart grid data contains private information

Smart meter data is personally identifiable information (PII). Information potentially available through the smart grid includes:

NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Table 5-1. Information Potentially Available Through the Smart Grid.

Figure 1: Information potentially available through the smart grid.1

This gives rise to a range of privacy concerns from personal data exposure for embarrassment or extortion, determination of behavior patterns for unwanted marketing, by criminals who might be casing a premises or seeking to exploit children, or inappropriate uses by government.

Depending on the granularity and character of data collected, smart meter data can be disaggregated to reveal private information:

NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Figure 5-2. Using Hidden Markov Models to Produce an Appliance Disaggregation.

Figure 2: Using hidden Markov models to produce an appliance disaggregation.2

Electric meter data was generally not a focus of privacy concern prior to smart meters. With smart meters, there is the potential for the data to be near real-time and with a frequency and granularity not previously available. The potential value of smart meter data for demand management programs, time of use pricing, outage management, grid optimization, energy theft reduction, unlocking the value of smart cities, and other uses increases as does the frequency and granularity of the data.

Utilities and other stakeholders need to do a privacy impact assessment (PIA) for the use of this data. Part of this process is to set out the controls that will be used to govern the data.

Many of the same regulations and standards that cover PII in general apply to smart meter information. These include General Data Protection Regulation (GDPR), California Consumer Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil’s General Data Protection Act (LGPD), and many other established and emerging privacy regimes. A geographic summary of privacy regulations is provided by the global law firm DLA Piper.

Where is PII from smart meters located?

Smart meter data is in the meters themselves and the backhaul infrastructure, potentially passing through range extenders, connected grid routers on its way to the head end. From here it is made available to the utility departments and other organizations as permitted in databases and data reservoirs to derive value from the data.

Conceptual Reference Diagram for Smart Grid Information Networks. Ref NIST Special Publication 1108R2, Figure 3-2.

Figure 3: Conceptual reference diagram for smart grid information networks.3

With the range of stakeholders that need access to the data, there will be a variety of technologies and architectures that must be governed. Broadly, there will be PII in structured resources like SQL or SAP S/4HANA databases, and unstructured like desktop application files and email or data repositories like Azure Blob, Data Lake Storage, or Amazon S3.

The data should be governed during its full lifecycle from collection through to secure auditable disposal—both inside the utility’s environment and outside as third parties access the data for permitted uses.

Protect and governing PII from smart meters

The Microsoft Information Protection and Governance framework protects and governs Microsoft 365 data, including desktop applications, email, on-premises repositories, and with Microsoft Cloud App Security, both in our own- and third-party clouds and on Windows 10 endpoints like laptops.

Most impactful for smart meter data, we now have Azure Purview (now in preview) for structured and unstructured data outside of Microsoft 365, such as in databases, data lakes, SAP, and a range of other environments where smart meter data is stored and used to extract value.

Microsoft Information Protection and Governance framework.

Figure 4: Microsoft Information Protection and Governance.

To properly protect and govern PII in smart grid data, we need to identify and inventory this data across our cloud and on-premises environment. We need to protect this data with durable security policies that stay with the data throughout its lifecycle. We need to implement Data Loss Prevention (DLP) to keep the information from traveling to places it should not go and we need to dispose of data when it’s no longer needed for business purposes. The deletion should be permanent and auditable.

Microsoft Information Protection as part of Microsoft 365 provides the tools to know your data, protect your data, and prevent data loss. It provides users with a native experience in their documents and emails, providing automation to recognize PII and either recommend the user apply a sensitivity label with the option to override this suggestion with auditable justification to enforce the application of the label.

Microsoft Information Protection provides real time assistance to users with a native experience while they work. Users receive suggestions and can automatically label data or override the suggestion with auditable justification if configured by the administrator.

Figure 5: Microsoft Information Protection provides real-time assistance to users with a native experience while they work.

The sensitivity label can enforce encryption, scoping the document to be consumed only by the intended organization, teams, or individuals. It can enforce watermarking, disable cut and paste, and a range of other security policies for the life of the document, even when it leaves the sender’s environment.

PII such as credit card numbers can be recognized as out-of-box sensitive information types and then be tuned to reduce false positives. Custom sensitive information types can be informed by keywords, keyword dictionaries, or regular expressions which are particularly useful for recognizing utility account numbers or smart meter numbers. Machine learning can be used to recognize documents by using trainable classifiers to reason over a sample of relevant documents to recognize documents that are like these.

Sensitive data can be identified, inventoried, and protected as it is created, in the cloud with Microsoft Cloud App Security (MCAS) or with on-premises resources using the Azure Information Protection (AIP) scanner.

These sensitivity labels and sensitive information types can trigger DLP policies across email, desktop applications, SharePoint sites, OneDrive, Windows 10 devices, Teams, and third-party clouds. The policies are managed with a unified experience across Office 365, cloud, on-premises, and endpoint locations.

Data loss prevention policies can be triggered by sensitivity labels or sensitive information types. These policies can be administered for email, SharePoint, OneDrive, Teams, endpoints, on premises repositories and third party clouds from a single admin interface.

Figure 6: Selections of locations to apply policy.

Files and emails can be tagged with retention labels as well as sensitivity labels. Like sensitivity labels in Microsoft Information Protection, they can be applied manually or in an automated way based on out-of-box, custom information types, or machine learning with trainable classifiers.

Retention labels can enforce auditable retention, deletion and disposition review of documents and emails in the Microsoft 365 tenant.

Figure 7: Records management.

Retention labels can enforce auditable retention, deletion, and disposition review of documents and emails in the Microsoft 365 tenant.

This can facilitate compliance with privacy regulations, but also regulations that require retention for discovery purposes such as utility commissions or Freedom of Information (FOI) requests.

Visualization and reporting for sensitive data, including smart meter PII as well as the retention labels and policies applied, are available from the compliance portal so that sensitive data can be inventoried, managed, and reported on.

Azure Purview

Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software as a service (SaaS) data. We’ll focus on PII data discovery in this post.

Azure Purview Data Map captures metadata across a wide range of data sources and file types with automated data discovery and sensitive data classification. Azure Purview extends our information protection and governance capabilities beyond Microsoft 365.

Among the broad list of data sources, you’ll be able to scan SQL databases, Azure Blob Storage, Azure Data Lake Storage, Azure Cosmos DB, AWS S3 buckets, Oracle databases, SAP ECC, and SAP S/4HANA.

Azure Purview creates a data map for a broad list of sources including but not limited to SQL databases, Azure Blob Storage, Azure Data Lake Storage, Azure Cosmos DB, AWS S3 buckets, Oracle databases, SAP ECC, and SAP S/4HANA.

Figure 8: Metadata map.

The data in these sources can be classified and labeled by out-of-box and custom sensitive information types, including those defined for smart grid PII.

The data in the sources connected to Azure Purview can be classified and labelled by out of the box and custom sensitive information types, including those defined for smart grid PII.

Figure 9: Microsoft Azure Purview classification rules.

The sensitive information types and sensitivity labels are made available to Azure Purview from the Microsoft 365 Compliance Center, the same place the Microsoft Information Protection rules are managed, creating a unified experience for the administrators.

The sensitive information types and sensitivity labels are made available to Azure Purview from the Microsoft 365 Compliance Center, the same place the Microsoft Information Protection rules are managed, creating a unified experience for the administrators.

Figure 10: How to edit label sensitivity.

Custom classifications and rules to identify custom sensitive data types or keywords can be created in the Azure Purview solution.

Azure Purview provides reporting that shows where sensitive data such as PII is located across an organization’s data estate. Sensitivity labels with security policy can be applied to this data. The repositories where sensitive data is located can have additional security added or the data can be removed from locations where it does not belong.

Azure Purview provides reporting that shows where sensitive data such as PII is located across an organization’s data estate. Sensitivity labels with security policy can be applied to this data.

Figure 11: Azure Purview showing locations where sensitive data exists.

Azure Purview can validate that the Data Privacy Impact Assessment (DPIA) and controls undertaken by an organization around sensitive smart grid data are being enforced. This reporting can provide evidence to a regulator that an organization’s commitments to security and privacy that enabled the use of customer’s private data have been upheld.

Azure Purview does not move or store customer data outside of the geographic region in which it is deployed so data residency requirements can be met.

In addition to helping protect sensitive data, Microsoft also offers agentless, security monitoring for industrial control system (ICS) and operational technology (OT) networks to rapidly detect and respond to anomalous or unauthorized activities in control networks. Azure Defender for IoT integrates with existing security operations center (SOC) tools (like Azure Sentinel, Splunk, IBM QRadar, and ServiceNow), is broadly deployed in production across power distribution and generation sites worldwide, and is available for both on-premises and cloud-connected environments.

Microsoft 365 Information Protection and Governance and Azure Purview together provide tools to protect and govern smart meter data and other sensitive data for utilities. The more effectively we can implement protection and governance of this data, the more we can make use of it and derive value for the ratepayers who have invested in the smart grid.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Table 5-1.

2NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2.

3NIST Special Publication 1108R2.

The post Privacy compliance for smart meter infrastructure with Microsoft Information Protection and Azure Purview appeared first on Microsoft Security.

Meet critical infrastructure security compliance requirements with Microsoft 365

April 27th, 2021 No comments

Critical infrastructure operators face a hostile cyber threat environment and a complex compliance landscape. Every operator of an industrial control system also operates an IT network to service its productivity needs. A supervisory control and data acquisition (SCADA) system operator of a power grid or chemical plant needs email, databases, and business applications to support it, much like any enterprise.

IT environments, with their large attack surface, can be the entryway to attack critical infrastructure even where those IT systems are not critical infrastructure themselves. Security and compliance failures may include life safety, environmental, or national security consequences—a different risk management challenge from other enterprise IT systems.

Ransomware, thought more of as an IT problem as opposed to an industrial control system (ICS) one, has been used to attack critical infrastructure operators Norsk Hydro, Brazilian utilities Electrobras and Copel, as well as Reading Municipal Light Department and Lansing Board of Water and Light among other US utilities. Dragos and IBM X-Force identified 194 ransomware attacks against industrial entities between 2018 and 2020, including ICS-specific strains like EKANS.

The range of threats to our increasingly converged IT and ICS environments highlights the need for a combined approach to IT and ICS security.

Azure Defender for IoT is the cornerstone of security for on-premises, cloud, and hybrid ICS. In addition to the anti-malware features of Microsoft 365, the integration of Advanced Threat Protection (ATP) and Microsoft Compliance Manager to manage, visualize, and report on standards-based compliance are also foundational.

Complex compliance landscape

As the cyber threat landscape to ICS has grown more hostile and publicized, the compliance responsibilities of critical infrastructure operators have increased as well. In the US and Canada, Bulk Electric System (BES) participants need to comply with the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP), as well as using NIST 800-53 as the basis for their organizational security policies and benchmarking to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They may also be architecting their ICS to IEC62443/ISA 99. Many forward-looking utilities are increasing their use of the cloud through infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) like Microsoft 365 with Zero Trust architecture.

While NERC CIP standards were written around on-premises systems, NERC has become more open to Registered Entities’ use of the cloud for Bulk Electric System Cyber System Information (BCSI). This includes NERC’s Order on Virtualization and Cloud Computing Services and their Technical Rationale for Reliability Standard CIP-011-3, where they discuss risk assessment of a cloud services provider. This risk assessment will include the ongoing standards-based assessment of the cloud service provider.

Comprehensive and efficient compliance

As an organization moves workloads to the cloud, they move responsibility for a portion of the security controls to the cloud service provider.

The shared responsibility model for cloud security. As cloud service provider takes responsibility for controls, the cloud customer can use their resources to focus on the controls for which they remain responsible.

The organization can thus focus its resources on the remaining security controls and on vetting how the cloud service provider manages the security controls for which it is responsible.

With Office 365, customers dramatically reduce the number of NIST 800-53 controls they are responsible for as opposed to an on premises deployment.

When customers use Office 365, Microsoft helps them manage 79 percent of the 1,021 NIST 800-53 controls, so customers need only focus on implementing and maintaining the remaining 21 percent of the controls. By using the shared responsibility model, these customer resources are made available to further secure their systems. Customers that are using on-premises infrastructure to provide those functions need to implement and maintain all 1,021 controls.

Tools for comprehensive and efficient compliance

Microsoft Compliance Manager is a feature in Microsoft 365 compliance center. It uses signals from the customer’s Microsoft 365 tenant, Microsoft’s compliance program, and workflows completed by the customer to manage and report compliance against regulatory and industry-standard templates. These templates include NERC CIP, NIST Cybersecurity Framework (CSF), NIST 800-53, and the US Protecting and Securing Chemical Facilities from Terrorist Attacks Act (H.R. 4007), as well as more than 330 standards-based assessments globally. You can also create custom templates based on other standards or mapped to your own policies and control set.

With each Compliance Manager assessment template, you get simplified guidance on “what to do” to meet the regulatory requirements. In this regard, you get to understand what controls are Microsoft’s responsibility as your cloud service provider and what controls are your responsibility. Furthermore, for each of the controls that are your responsibility, we break down actions that you need to take to meet these control requirements. These actions can be procedural, documentation, or technical.

For technical actions, you get step-by-step guidance on how to use Microsoft security, compliance, identity, or management solutions to implement and test technical actions. With this detailed information, you can efficiently implement, test, and demonstrate your compliance against regulations as per your industry and region. This information also helps you to draw maximum benefits from your Microsoft 365 security and compliance solutions. Once you create assessments within Compliance Manager, we make it very easy for you to understand what solutions you can use to implement and test technical actions on Compliance Manager.

The Microsoft 365 Compliance Manager Solutions page, showing how the various solutions contribute to Compliance Score and compliance posture.

You can use the custom assessment feature to “extend” Compliance Manager assessment templates to track compliance against any non-Microsoft 365 assets as well. With this functionality, Compliance Manager helps you to track and manage compliance across all your assets.

There are different template sets available for the different license levels.

Microsoft updates the assessment templates when the standards change, relieving the customer of this responsibility. The changes are called out to the customer and the option to update the assessment is provided.

Compliance Manager tracks, reports, and provides visualizations for:

  • Microsoft-managed controls: these are controls for Microsoft cloud services, for which Microsoft is responsible for implementing.
  • Your controls: these are controls implemented and managed by your organization, sometimes referred to as “customer-managed controls.”
  • Shared controls: these are controls that both your organization and Microsoft share responsibility for implementing.

The assessments are provided with visualizations that allow the user to drill down into the individual control status and view evidence. High impact improvement actions are suggested.

Microsoft 365 Compliance Manager NIST Cybersecurity Framework assessment dashboard.

Microsoft 365 Compliance Manager NIST Cybersecurity Framework controls view with benchmark visualization.

Compliance Manager covers both the Microsoft and customer-managed controls as part of the shared cloud security and compliance responsibility model. Automated workflows and evidence repositories are provided for customer-managed and shared controls.

Microsoft 365 customer control workflow. Assign a control to a team member to provide input and upload evidence on a schedule to support customer's compliance program.

You can assign a stakeholder and an automated message with instructions and upload link is provided on a schedule to remind them of the compliance activity required, report status, and upload evidence. This provides an efficient and defensible system to respond to auditors and benchmark compliance programs.

Many of the controls that enable compliance for critical infrastructure operators are common across the standards, so implementing a control once enables compliance across multiple standards.

Mapping controls across standards such as:

NIST CSF Category NIST CSF Subcategory NIST 800-53 Rev. 4 Control ISO 27001 Control NERC CIP Control
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC-1: Identities and credentials are managed for authorized devices and users. NIST SP 800-53 Rev. 4 AC-2, IA Family ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 CIP-004-6 – Access Management Program, parts 4 and 5

This crosswalk across standards is part of the Compliance Manager and populated automatically across a customer’s assessments.

Microsoft 365 Compliance Manager, control mapped across multiple standards. New standards based assessments in Compliance Manager are automatically populated with controls that have been implemented.

The level of effort to benchmark and report compliance with a new standards regime is dramatically reduced.

IT and ICS convergence is a continuing trend for critical infrastructure operators. Attack methodologies, surfaces, and threat actors are crossing over to put our most critical resources at risk. Compliance regimes must be efficiently met in an auditable way to protect the availability of our systems. Microsoft provides the range of tools described above to help you manage across the IT and ICS environments.

Learn more

Learn more about Microsoft Compliance Manager and how it helps simplify compliance and reduce risk.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Meet critical infrastructure security compliance requirements with Microsoft 365 appeared first on Microsoft Security.

Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact

January 6th, 2021 No comments

GDPR, HIPPA, GLBA, all 50 U.S. States, and many countries have privacy breach reporting requirements. If an organization experiences a breach of customer or employee personal information, they must report it within the required time frame. The size and scope of this reporting effort can be massive. Using Microsoft 365 Advanced Audit and Advanced eDiscovery to better understand the scope of the breach can minimize the burden on customers as well as the financial and reputational cost to the organization.

A changing privacy landscape

In 2005 ChoicePoint, a Georgia-based financial data aggregator had a data breach of 145,000 of its customers. There were multiple security lapses and resulting penalties, but initially, only ChoicePoint’s California-based customers were required to be notified because, at the time, California, with California Senate Bill 1386, was the only state that had a mandatory privacy breach notification law.

Since that time, all 50 U.S. States have put in place mandatory privacy breach notification laws. Countries in the Americas, the Middle East, Europe, and Asia have adopted privacy standards including mandatory breach notification. Broader regulations that address this issue include California Consumer Privacy Act, China’s Personal Information Security Specification, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), and the European General Data Protection Regulation (GDPR). Given how often these laws are added or updated, it’s challenging for any organization to keep up. As one solution, Microsoft 365 Compliance Manager provides a set of continually updated assessments (174 and growing) to assist our customers with these standards.

A board-level business risk

The reputational and financial risk to a company from a privacy breach can be massive. For example, under California Civil Code 1798.80, which deals with the breach of personal health information, there is a penalty of up to $25,000 per patient record breached. For many standards, there are not only regulatory penalties imposed, but also the right of private action by those whose records have been breached (such as, those who have had their records breached can sue for damages, creating financial liability for a company beyond the regulatory penalties).

There are timeframes under which notification must be made. The California Code requires notification to the regulator within 15 days after unauthorized disclosure is detected. Article 33 of GDPR requires notification to the regulator within 72 hours after the organization becomes aware of the breach.

According to a list compiled by the Infosec Institute, the average cost of a data breach in 2019 was $3.9 million but can range as high as $2 billion in cases like the Equifax breach of 2017.

The reputational damage associated with a breach of customer, employee, or other stakeholders’ personal or business information can substantially reduce a company’s value.

The scope of notification (if any is needed at all) and remediation depends on understanding the scope of the breach in a timely fashion. In the absence of reliable information, companies need to make worst-case assumptions that may result in larger notifications, higher costs, and unnecessary hardship for customers and other stakeholders.

Preparation for breach

As security and compliance professionals, our priority is to avoid breaches with a defense in depth strategy including Zero Trust architecture.

Microsoft has comprehensive security solutions for Microsoft 365, as well as compliance and risk management solutions that enable our compliance pillar framework:

But we also must prepare for breaches even as we defend against them. Part of that preparation is putting our organization in a position to scope a breach and limit its impact. This means ensuring we have the data governance and signal in place before the breach happens. Security professionals know that they have to deploy solutions like Data Loss Prevention, firewalls, and encryption to defend against attacks, but they may not focus as much on having the right audit data available and retained, and visualizations and playbooks in place beforehand to scope a future breach.

Use Microsoft 365 Advanced Audit and Advanced eDiscovery to investigate compromised accounts

The Microsoft 365 Advanced Audit solution makes a range of data available that is focused on what will be useful to respond to crucial events and forensic investigations. It retains this data for one year (rather than the standard 90-day retention), with an option to extend the retention to ten years. This keeps the audit logs available to long-running investigations and to respond to regulatory and legal obligations.

These crucial events can help you investigate possible breaches and determine the scope of compromise. Advanced Audit provides the following crucial events:

There are built-in default alert policies that use the Advanced Audit data to provide situational awareness either through Microsoft 365’s own security and compliance portal, through Microsoft’s Azure Sentinel cloud-native SIEM, or through a customer’s third-party SIEM. A customer can create customized alerts to use the audit data as well.

Let’s look at how a customer might use Advanced Audit to investigate a compromised account and scope the extent of a data breach:

In an account takeover, an attacker uses a compromised user account to gain access and operate as a user. The attacker may or may not have intended to access the user’s email. If they intend to access the user’s email, they may or may not have had the chance to do so. This is especially true if the defense in-depth and situational awareness discussed above is in place. The attack may have been detected, password changed, account locked, and more.

If the user’s email has confidential information of customers or other stakeholders, we need to know if this email was accessed. We need to separate legitimate access by the mailbox owner during the account takeover from access by the attacker.

With Advanced Audit, we have this ability. Without it, a customer will have to assume all information in the user’s mailbox is now in the hands of the attacker and proceed with reporting and remediation on this basis.

The MailItemsAccessed audit data item will indicate if a mailbox item has been accessed by a mail protocol. It covers mail accessed by both sync and bind. In the case of sync access, the mail was accessed by a desktop version of the Outlook client for Windows or Mac. In bind access, the InternetMessageId of the individual message will be recorded in the audit record.

We have the ability to forensically analyze mail access via a desktop client or via Outlook Web Access.

We also need to differentiate between the mailbox owner’s legitimate access to a mail item during the attack time period and access by the attacker. We can do this by examining the audit records to see the context of the access, including the session ID and IP address used for access. We match these with other audit records and known good access by the user.

Advanced Audit retains other events like Teams Joins, File Accessed, Messages Sent, Searches Queries, and many others that can support a breach analysis.

When we’ve properly scoped the data that the attacker has had access to, we want to deep dive and inspect the content.

With Advanced eDiscovery we can collect all emails, documents, Microsoft Teams, and Yammer interactions of the account that was taken over. We can search for confidential information and metadata to identify the material in question:

There is metadata for each item which, for emails, includes InternetMessageID as well as many other items such as from, to, and when it was sent, and any Microsoft Information Protection sensitivity label.

Advanced Audit and Advanced eDiscovery are an important part of an effective security risk and compliance strategy. These Microsoft 365 native tools allow our customers to understand the true scope of a breach. It has the potential to substantially reduce or eliminate the reporting requirements stemming from a compromised account. Advanced Audit can reduce the financial and reputational damage to a company, its customers, employees, partners, and other stakeholders.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.

The post Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact appeared first on Microsoft Security.

Microsoft recognized as a Leader in the 2020 Gartner Magic Quadrant for Enterprise Information Archiving

November 5th, 2020 No comments

Organizations face an increasing volume of data generated daily and ever-evolving regulations around how that data is managed. To help navigate this complex information landscape, we are focused on delivering integrated, intelligent, and user-centric solutions. 

Over the past few years, we significantly increased our investment in building risk management and compliance solutions, inclusive of information archiving and management. We delivered new solutions, such as records management, insider risk management, communication compliance, and new product features, including trainable classifiersthe “know your data” dashboard, and Microsoft Teams conversations reconstruction, to name a few. Additionally, we invested in extending the Microsoft compliance ecosystem to be beyond Microsoft 365 with 30+ pre-built data connectorsMicrosoft Graph eDiscovery API, and workflow customizations in communication compliance. 

In recognition of these investments, I am delighted to announce that Gartner has listed Microsoft as a Leader in its 2020 Magic Quadrant for Enterprise Information Archiving. This is the third consecutive year that Microsoft has been recognized as a Leader in this critical space. To us, this recognition reinforces our leadership in innovative data governance, archiving, eDiscovery, and compliance solutions.  

According to Gartner, “Leaders have the highest combined measures of ability to execute and completeness of vision. They may have the most comprehensive and scalable products. They have a proven track record of financial performance and an established market presence. In terms of vision, they are perceived to be thought leaders, with well-articulated plans for ease of use, product breadth, and how to address scalability. For vendors to have long-term success, they must plan to address the expanded market requirements for EIA, including support for multiple content types; support for the cloud; solid, relevant e-discovery functionality; and a seamless user experience.” Further, vendors in this report “are incorporating their own migration products and services to accelerate the adoption of new archiving platforms, rather than relying on third-party engagements.” 

We continue to work closely with our customers to gather feedback to help us build better products. Your input provides critical insights as we strive to create solutions to help you on your journey in managing information, compliance, and risk. 

For more details about our information archiving solution, visit our website and stay updated with our blogs

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartners research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

To learn more about Microsoft Security solutions, visit our  website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Microsoft recognized as a Leader in the 2020 Gartner Magic Quadrant for Enterprise Information Archiving appeared first on Microsoft Security.

Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance

September 22nd, 2020 No comments

As we talk with a broad range of customers in the current environment, we hear some consistent challenges businesses are facing. With so many remote workers, people are creating, sharing, and storing data in new ways, which fosters productivity, but can also introduce new risks. A recent Microsoft poll of Chief Information Security Officers (CISOs) revealed that providing secure remote access to resources, apps, and data is their top concern.

To help companies better protect their data, mitigate risk, and address compliance regulations, especially in this time of flexible work, we are announcing several new capabilities across Microsoft Compliance, including:

  • General availability of Microsoft Compliance Manager to address industry regulations and custom requirements.
  • New connectors and APIs to help you to extend Microsoft compliance capabilities to third-party apps.
  • Ability to protect native and third-party cloud apps through unified data loss prevention (DLP), now extended to Microsoft Cloud App Security (MCAS) in public preview.
  • Expanded security and compliance capabilities built directly into Microsoft Teams.

Read on to learn more about these and additional features beginning to roll out today in Microsoft 365 Compliance. You can also check out what Jeff Teper, Corporate Vice President for Microsoft 365, has to say about Microsoft Compliance.

Addressing the complexity of data regulations with Microsoft Compliance Manager

In addition to the talent shortage and complexity of compliance management, customers also face the need to comply with an increased volume and frequency of regulations, with hundreds of updates a day globally to thousands of industry and regional regulations. Additionally, the complexity of regulations makes it challenging for organizations to know specific actions to take and their impact.

Compliance Manager offers a vast library of assessments for expanded regulatory coverage, built-in automation to detect tenant settings, and step-by-step guidance to help you manage risk. Compliance Manager translates complex regulatory requirements to specific technical controls, and through compliance score, provides a quantifiable measure of risk assessment. Generally available today, Compliance Manager brings together the existing Compliance Manager and Compliance Score solutions in the Microsoft 365 compliance center.

Now, with more than 150 out-of-the-box and scalable assessments in Compliance Manager, you can address industry- and region-specific requirements, while also meeting multiple requirements through a single action.

The flexibility of custom assessments also allows you to extend compliance and risk management beyond Microsoft 365 to meet your specific business needs. For example, if you are currently tracking compliance of your SAP data in an Excel file, you can bring that into Compliance Manager.

You can learn more about Compliance Manager on Tech Community. Check out Frost Bank’s experience with Compliance Manager on the Microsoft Customer site.

Extending compliance capabilities to manage data risk beyond Microsoft 365

To provide greater visibility into your data, wherever it lives, we are making new connectors available that can pull data from other apps into Microsoft Compliance (including Microsoft Information Protection, Insider Risk Management, Communication Compliance, and eDiscovery) to help you to reason over, protect, and govern that data. These new connectors – available in partnership with Globanet and Telemessage – include SMS/text connectors for various telecom operators (e.g., AT&T, Verizon, T-Mobile, etc.), WhatsApp, Zoom, and Slack.

A key ask from our partners and customers is the ability to access Microsoft Compliance solutions and integrate them with existing applications and services that are part of broader compliance, security, and operations (SecOps) ecosystems, including Symantec, McAfee, and Relativity.

To help, we are announcing new APIs, which are part of the broader Microsoft Graph ecosystem:

  • Teams Data Loss Prevention (DLP) API: Allows third-party products to integrate and enable data loss prevention capabilities for Microsoft Teams.
  • eDiscovery API: Allows the automation of Advanced eDiscovery processes, including case creation and the entire legal hold notification workflow to communicate with custodians involved in a case.
  • Teams Export API: Allows the export of Teams Messages (1:1 and group chat) along with attachments (file links and sticker), emojis, GIFs, and user @Mentions. This API supports polling daily Teams messages and allows archiving of deleted messages up to 30 days.

An image showing the Microsft 365 Compliance ecosystem.

Figure 1: Extending compliance beyond Microsoft 365 — We have partnered with Globanet and Telemessage to deliver ready-to-use connectors. All Microsoft and ​third-party built connectors are now available in a single catalog.

You can learn more in the Tech Community blog.

Extending unified data loss prevention to Microsoft Cloud App Security (MCAS)

Having the right data protection and governance approach is critical to not only addressing regulatory compliance but also to mitigating risks around data leakage.

Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. In July, we announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which builds on the labeling and classification in Microsoft Information Protection. Endpoint DLP extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on devices by restricting what data apps can access. Endpoint DLP is also natively integrated with the new Microsoft Edge browser, providing additional policy options to restrict the flow of data when accessing web sites.

Today we announce the extension of Microsoft data loss prevention solutions to Microsoft Cloud App Security. This new capability, now in public preview, extends the integration for DLP policy-based content inspection across connected applications such as Dropbox, Box, Google Drive, Webex, One Drive, SharePoint, and others. This extension of Microsoft data loss prevention solutions to MCAS helps users remain continuously compliant when using popular native and third-party cloud apps and helps to ensure sensitive content is not accidentally or inappropriately shared. MCAS uses the same policy framework and more than 150 sensitive information types that is common across all Microsoft data loss prevention solutions, to provide a familiar, consistent, and seamless experience.

You can learn more about our unified approach to data loss prevention on Tech Community.

Additional security and compliance features, including Advanced eDiscovery, being added to Microsoft Teams

As Microsoft Teams usage has grown with the shift to remote work, organizations are looking for seamless integration in order to keep their data and employees secure and compliant.

With the volume of business conversations happening now in Microsoft Teams, we are also adding additional security and compliance features, including:

  • Advanced eDiscovery now supports live documents and links shared in Microsoft Teams. Advanced eDiscovery automatically collects documents from a storage location, such as SharePoint or OneDrive, to pull the content into an eDiscovery case. The attachments are collected, reviewed, and exported along with the Teams conversations so customers don’t need to manually find and collect the documents one by one.
  • Auto-apply retention policies for Microsoft Teams meeting recording allow you to retain and delete recordings with in-place governance, which means the retention policies apply wherever the recordings are saved without the need to export elsewhere. When the rollout for this begins in October, we will provide guidance on how you can leverage Keyword Query Languages to create retention policies for Teams meeting recordings.
  • We now include Teams-specific actions in Compliance Manager, which provide guidance around improvement and implementation of actions you can take to help to align with protection regulations and standards.
  • We are also announcing Customer Key support for Teams. Microsoft helps keep Teams data safe by encrypting it while at rest in Microsoft datacenters. Now we are extending this capability to enable customers to add a layer of encryption using their own keys for Teams, similar to Exchange Online, SharePoint Online, and OneDrive.  
  • Insider Risk Management now offers native integration with Microsoft Teams to securely coordinate, collaborate, and communicate on a case with relevant stakeholders in the organization. When an Insider Risk management case is created, a private Microsoft Teams team will also be created and bound to the case for its duration. This Microsoft Teams team will, by default, include insider risk management analysts and investigators, and additional contributors such as HR and Legal, can be added as appropriate. With Teams integration, stakeholders can:
    • Use channel conversations to coordinate and track review/response activities.
    • Share, store, and review relevant files and associate evidence. 

Additional new capabilities coming to Microsoft Compliance

While I’ve discussed some of the biggest areas of investment for us in Microsoft Compliance, there are many additional new capabilities we’re excited to bring to you today:

  • Microsoft Information Protection now includes more than 150 sensitive data types, improvements to Exact Data Match, the general availability of automatic labeling in Office apps, and more.
  • Microsoft Information Governance and Records Management include new in-place retention and deletion policies for Yammer messages (rolling out now in public preview), as well as integration with the new SharePoint Syntex.
  • Insider Risk Management now integrates with Power Automate, provides a richer investigation experience, and includes expanded signal visibility to badging systems for building security.
  • Communication Compliance now provides enhanced visibility across a variety of communication channels and integration with Power Automate.
  • Advanced eDiscovery now has improved workflows, support for linked content in emails or chat messages, and enhanced collection experience.
  • Advanced Audit now includes two new audit events to help with forensic investigations and the ability to add 10-year audit log retention.

Remote and hybrid work scenarios have demonstrated that there has never been a more important time to invest in security and compliance. Get started today with Microsoft 365. To learn more about Microsoft Compliance and gain more technical training, visit the Virtual Hub today.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance appeared first on Microsoft Security.

What’s new in Microsoft 365 Compliance and Risk Management

June 11th, 2020 No comments

The world has dramatically changed over the past three months. As Satya shared in our recent quarterly earnings, we have seen two years’ worth of digital transformation in two months. With that significant amount of rapid change, it’s more important than ever to make sure your business-critical data is kept private and secure while ensuring you remain compliant with privacy laws and regulations.

As the world continues to adjust, many of the customers I’ve been talking with lately have started to focus on cost optimization—how to do more with what they already have or even consolidate the number of systems they have to maintain.

Within Microsoft 365 Compliance, we have been working alongside many of you to help you through the crisis, as well as continue to evaluate the implications of tech decisions on security, privacy, and compliance. With that in mind, here’s a summary of some of the investments we’ve made in the last two months in Microsoft 365 Compliance to help you to get the most out of Microsoft 365 and take a more integrated approach to secure, protect, and manage your data, while mitigating risk.

Data protection

With Microsoft Information Protection (MIP), we are building a unified set of capabilities for classification, labeling, and protection not only in Office apps, but also in other popular productivity services where information resides (e.g., OneDrive, SharePoint, and Exchange). For example, to help you to have a more holistic understanding of the sensitive data in your digital estate, we recently announced the general availability of the data classification capabilities in the Microsoft 365 compliance center. These capabilities enable you to discover, classify, review, and monitor your data and establish appropriate policies to better protect and govern critical data (e.g., by applying sensitivity and retention labels or data loss prevention policies).

Another core component of Microsoft Information Protection is the ability to apply sensitivity labels. You can apply a sensitivity label to important documents or emails and associate it with protection policies and actions like encryption and visual marking. You can also be assured that the protection will persist with the document throughout its lifecycle. You can also apply sensitivity labels to a Microsoft Teams site, SharePoint site, or Microsoft 365 group and help to ensure appropriate device and privacy settings.

Since labeling can help you to protect your data, you need a method that will scale with the vast amount of data you have. To help you achieve that scale, we are announcing general availability for automatic classification with sensitivity labels for documents stored on OneDrive and SharePoint, and for emails in transit in Exchange.

Users can also manually classify emails and documents by applying these labels based on their assessment of the content and their interpretation of the organizational guidelines. In fact, we recently announced the general availability of sensitivity labels with protection for Office files in SharePoint and OneDrive. Now your users can apply sensitivity labels, with protection policies, not just in Office apps on Windows, Mac, iOS, and Android but also in Office on the web. For files labeled and protected with encryption and stored in SharePoint and OneDrive, your users can search for content within these documents, coauthor using Office web apps, and be assured that the protection will persist even after the document is downloaded.

We have also worked with other productivity tools like Microsoft Power BI to make it easy to apply a sensitivity label to Power BI artifacts—including dashboards and reports that are created from a single or multiple data sources. This helps to ensure the persistent protection of the data—even if exported to a file format such as Excel, as the exported file inherits the sensitivity label and associated protection settings. Now generally available, when you connect to a Power BI dataset from Excel, that dataset’s sensitivity label will be inherited and applied to the Excel file and all associated outcomes like headers, footers, and encryption.

Data governance

The increased volume of information and multiple collaboration tools can create complexity for managing business records with serious cost and risk implications. As organizations across a variety of industries face ever-increasing regulations, many companies move data to different systems of record to manage them and comply with regulations. However, moving content to a different system, instead of managing it in place, can increase the risk of missing records or not declaring them properly.

We have also worked with other productivity tools like Microsoft Power BI to make it easy to apply Microsoft Information Protection’s sensitivity label to Power BI artifacts – including dashboards, datasets, dataflows and reports. Now generally available, this ensures the persistent protection of the data – even if exported to a file format such as Excel, as the exported file inherits the sensitivity label and associated protection settings. Rolling out soon is the persistence of label and protection when you embed a Power BI report in Microsoft Teams or when you maintain a live connection between an Excel file and a labeled Power BI data set.

Compliance and security in Microsoft Teams

With the move to remote work, many companies are operating solely in platforms like Microsoft Teams to stay connected, productive, and collaborative and keep their businesses moving forward. However, the move to remote work only seems to amplify the need for security, privacy, and compliance. We built Teams with that mind. Data in Teams is encrypted at rest and in transport, and uses secure real-time protocol for video, audio, and desktop sharing.

Last month, we shared that there are also several tools that help you remain in control and protect sensitive documents and data in Microsoft 365. For example, you can restrict Teams experiences for guests and people outside of your organization. You can also govern the apps to which each user has access. Setting up DLP policies in Teams can protect your data and take specific actions when sensitive information is shared.

There’s so much more. Read the Microsoft 365 blog for details.

Managing insider risk and maintaining your culture

We also know that stressful events contribute to the likelihood of insider risks, such as leakages, IP theft, or data harassment. Insider Risk Management looks at activity from across Microsoft 365, including Teams, to identify potential suspicious activity early.

Communication Compliance, part of the new Insider Risk Management solution set in Microsoft 365, leverages machine learning to quickly identify and take action on code of conduct policy violations in company communications channels, including Teams. Communication Compliance reasons over language used in Teams—and now also Yammer—which may indicate issues related to threats (harm to oneself or others). Detecting this type of language in a timely manner not only minimizes the impact of internal risk, but also can help to support employee mental health in uncertain times like this.

Commitment to continued investment

This new remote work world makes data protection, governance, and security arguably more important than ever. We continue to innovate across Microsoft 365 Compliance to ensure you have the tools you need to help keep your data safe while addressing compliance and proper risk management.

The post What’s new in Microsoft 365 Compliance and Risk Management appeared first on Microsoft Security.

Categories: Compliance, cybersecurity, Microsoft 365 Tags:

Data governance matters now more than ever

April 30th, 2020 No comments

Knowing, protecting, and governing your organizational data is critical to adhere to regulations and meet security and privacy needs. Arguably, that’s never been truer than it is today as we face these unprecedented health and economic circumstances. To help organizations to navigate privacy during this challenging time, Microsoft Chief Privacy Officer Julie Brill shared seven privacy principles to consider as we all collectively move forward in addressing the pandemic.

Organizations are also evaluating security and data governance more than ever before as they try to maintain business continuity amid the crisis. According to a new Harvard Business Review (HBR) research report released today commissioned by Microsoft, 61 percent of organizations struggle to effectively develop strong data security, privacy, and risk capabilities. Together with HBR, we surveyed close to 500 global business leaders across industries, including financial services, tech, healthcare, and manufacturing. The study found that 77 percent of organizations say an effective security, risk, and compliance strategy is essential for business success. However, 82 percent say that securing and governing data is becoming more difficult because of new risks and data management complexities brought on by digital transformation.

In a world in which remote work is the new normal, securing, and governing your company’s most critical data becomes more important than ever before. The increased volume of information and multiple collaboration systems create complexity for managing business records with serious cost and risk implications. As organizations across a variety of industries face ever-increasing regulations, many companies move data to different systems of record to manage them and comply with regulations. However, moving content to a different system, instead of managing it in place, can increase the risk of missing records or not declaring them properly. 

General availability of Microsoft 365 Records Management

Today, we are excited to announce the general availability of Microsoft 365 Records Management to provide you with significantly greater depth in protecting and governing critical data. With Records Management, you can:

  • Classify, retain, review, dispose, and manage content without compromising productivity or data security.
  • Leverage machine learning capabilities to identify and classify regulatory, legal, and business critical records at scale.
  • Help demonstrate compliance with regulations through defensible audit trails and proof of destruction.

You can now access Records Management in the compliance center in Microsoft 365.

Data governance matters now more than ever

Striking the right balance between data governance and productivity: Records Management is built into the Microsoft 365 productivity stack and existing customer workflows, easing the friction that often occurs between enforcing governance controls and user productivity. For example, say your team is working on a contract. Thanks to built-in retention policies embedded in the tools people use every day, they can continue to be productive while collaborating on a contract that has been declared a record—such as sharing, coauthoring, and accessing the record through mobile devices. We have also integrated our disposition process natively into the tools you use every day, including SharePoint and Outlook. Records versioning also makes collaboration on record-declared documents better, so you can track when edits are made to the contract. It allows users to unlock a document with a record label to make edits to it with all records safely retained and audit trails maintained. With Records Management, you can balance rigorous enforcement of data controls with allowing your organization to be fully productive.

Building trust, transparency, and defensibility: Building trust and providing transparency is crucial to managing records. In addition to continuing to audit all events surrounding a record in our audit log, we’re excited to announce the ability to obtain proof of disposal and see all items automatically disposed as part of a record label. Proof of disposal helps provide you with the defensibility you need, particularly to meet legal and regulatory requirements. Learn more in this Microsoft docs page.

Leveraging machine learning for scale: Records Management leverages our broader investments in machine learning across information protection and governance, such as trainable classifiers. With trainable classifiers, you can train the classification engine to recognize data that is unique to your organization. Once you define a record or retention label, you can apply the label to all content that matches a trainable classifier that was previously defined. So, for example, any document that appears to be a contract or have contract-related content will be marked accordingly and automatically classified as a record. For more information on creating trainable classifiers, please see this documentation. Apart from using trainable classifiers, you can also choose to auto-apply retention labels either by matching keywords on the content, its metadata, sensitive information it contains, or as the default for a particular location or folder. These different auto classification methods provide the flexibility you need to manage the constantly increasing volume of data.

Please visit this portal to learn more about Records Management.

Importance of information protection and governance

There’s never been a more important time to ensure your data, especially your most critical data, is protected and governed efficiently and effectively. Records Management is generally available worldwide today, and you can learn even more in our post on Tech Community. Eligible Microsoft 365 E5 customers can start using Records Management in the Compliance Center or learn how to try or buy a Microsoft 365 subscription.

Lastly, as you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, you can visit our Remote Work site. We’re here to help in any way we can.

The post Data governance matters now more than ever appeared first on Microsoft Security.

Protecting your data and maintaining compliance in a remote work environment

April 6th, 2020 No comments

In this difficult time, remote work is becoming the new normal for many companies around the world. Employees are using tools like Microsoft Teams to collaborate, chat, and connect in new ways to try to keep their businesses moving forward amidst the challenging global health crisis. I sincerely hope you and your families are staying safe and healthy.

I have been talking with many of you about the impact today’s environment is having on your organizations. Business continuity is an imperative, and you must rely on your employees to stay connected and productive outside of the traditional digital borders of business. In doing so, identifying and managing potential risks within the organization is critical to safeguarding your data and intellectual property (IP), while supporting a positive company culture.

Because many of you have been asking, here is some guidance for things you can do to take advantage of these capabilities. I’ll focus a lot of the examples on Teams, but many of these features are relevant across Microsoft 365.

Staying secure and compliant

First, knowing where your data resides while employees are working remotely is a vital question, especially for your risk management-focused departments. Data in Teams is encrypted at rest and in transport, and uses secure real-time protocol for video, audio, and desktop sharing.

There are also several tools that help you remain in control and protect sensitive documents and data in Microsoft 365. For example, you can restrict Teams experiences for guests and people outside of your organization. You can also govern the apps to which each user has access.

In addition, we’ve made sure that the Teams service is compliant: to help you answer questions from your auditors, we publish auditor reports on the Service Trust Portal. And we help our customers keep up with evolving regulations and standards with a robust compliance controls framework, which meets some of the most rigorous industry and countries’ regulations requirements.

Applying data loss prevention in Teams

Data loss prevention (DLP) addresses concerns around sensitive information in messages or documents. Setting up DLP policies in Teams can protect your data and take specific actions when sensitive information is shared. For example, suppose that someone attempts to share a document with guests in a Teams channel or chat, and the document contains sensitive information. If you have a DLP policy defined to prevent this, the document won’t open for those users. Note that in this case, your DLP policy must include SharePoint and OneDrive for the protection to be in place.

Applying sensitivity labeling to protect sensitive data

You can also apply a sensitivity label to important documents and associate it with protection policies and actions like encryption, visual marking, and access controls and be assured that the protection will persist with the document throughout its lifecycle, as it is shared among users who are internal or external to your organization.

You can start by allowing users to manually classify emails and documents by applying sensitivity labels based on their assessment of the content and their interpretation of the organizational guidelines. However, users also forget or inaccurately apply labels, especially in these stressful times, so you need a method that will scale to the vast amount of data you have.

To help you to achieve that scale, we are announcing the public preview of automatic classification with sensitivity labels for documents stored on SharePoint Online and OneDrive for Business, and for emails in transit in Exchange Online. The public preview will begin rolling out over the next week. Like with manual classification, you can now set up sensitivity labels to automatically apply to Office files (e.g., PowerPoint, Excel, Word, etc.) and emails based upon organizational policies. In addition to having users manually label files, you can configure auto classification policies in Microsoft 365 services like SharePoint Online, OneDrive, and Exchange Online. These policies can automatically label files at rest and in motion based on the rules you’ve set. Those classifications also apply when those documents are shared via Teams.

Minimize insider risk

We also know that stressful events contribute to the likelihood of insider risks, such as leakages, IP theft, or data harassment. Insider Risk Management looks at activity from across Microsoft 365, including Teams, to identify potential suspicious activity early.

Communication Compliance, part of the new Insider Risk Management solution set in Microsoft 365, leverages machine learning to quickly identify and take action on code of conduct policy violations in company communications channels, including Teams. Communication Compliance reasons over language used in Teams which may indicate issues related to threats (harm to oneself or others). Detecting this type of language in a timely manner not only minimizes the impact of internal risk, but also can go a long way in supporting employee mental health in uncertain times like this.

Enabling simple retention policies

To comply with your organization’s internal policies, industry regulations, or legal needs, all your company information should be properly governed. That means ensuring that all required information is kept, while the data that’s considered a liability and that you’re no longer required to keep is deleted.

You can set up Teams retention policies for chat and channel messages, and you can apply a Teams retention policy to your entire organization or to specific users and teams. When data is subject to a retention policy, users can continue to work with it because the data is retained in place, in its original location. If a user edits or deletes data that’s subject to the retention policy, a copy is saved to a secure location where it’s retained while the policy is in effect.

All data is retained for compliance reasons and is available for eDiscovery until the retention period expires, after which your policy indicates whether to do nothing or delete the data. With a Teams retention policy, when you delete data, it’s permanently deleted from all storage locations on the Teams service.

Staying productive while minimizing risk

Working remotely helps your employees stay healthy, productive, and connected, and you can keep them productive without increasing risk or compromising compliance. For more guidance around supporting a remote work environment in today’s challenging climate, check out our Remote Work or Remote Work Tech Community sites.

The post Protecting your data and maintaining compliance in a remote work environment appeared first on Microsoft Security.

Human-operated ransomware attacks: A preventable disaster

March 5th, 2020 No comments

Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network.

These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads. And while ransomware is the very visible action taken in these attacks, human operators also deliver other malicious payloads, steal credentials, and access and exfiltrate data from compromised networks.

News about ransomware attacks often focus on the downtimes they cause, the ransom payments, and the details of the ransomware payload, leaving out details of the oftentimes long-running campaigns and preventable domain compromise that allow these human-operated attacks to succeed.

Based on our investigations, these campaigns appear unconcerned with stealth and have shown that they could operate unfettered in networks. Human operators compromise accounts with higher privileges, escalate privilege, or use credential dumping techniques to establish a foothold on machines and continue unabated in infiltrating target environments.

Human-operated ransomware campaigns often start with “commodity malware” like banking Trojans or “unsophisticated” attack vectors that typically trigger multiple detection alerts; however, these tend to be triaged as unimportant and therefore not thoroughly investigated and remediated. In addition, the initial payloads are frequently stopped by antivirus solutions, but attackers just deploy a different payload or use administrative access to disable the antivirus without attracting the attention of incident responders or security operations centers (SOCs).

Some well-known human-operated ransomware campaigns include REvil, Samas, Bitpaymer, and Ryuk. Microsoft actively monitors these and other long-running human-operated ransomware campaigns, which have overlapping attack patterns. They take advantage of similar security weaknesses, highlighting a few key lessons in security, notably that these attacks are often preventable and detectable.

Combating and preventing attacks of this nature requires a shift in mindset, one that focuses on comprehensive protection required to slow and stop attackers before they can succeed. Human-operated attacks will continue to take advantage of security weaknesses to deploy destructive attacks until defenders consistently and aggressively apply security best practices to their networks. In this blog, we will highlight case studies of human-operated ransomware campaigns that use different entrance vectors and post-exploitation techniques but have overwhelming overlap in the security misconfigurations they abuse and the devastating impact they have on organizations.

PARINACOTA group: Smash-and-grab monetization campaigns

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload. Microsoft has been tracking this group for some time, but now refers to them as PARINACOTA, using our new naming designation for digital crime actors based on global volcanoes.

PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.

The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.

PARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.

The group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.

Wadhrama PARINACOTA attack chain

Figure 1. PARINACOTA infection chain

We gained insight into these attacks by investigating compromised infrastructure that the group often utilizes to proxy attacks onto their next targets. To find targets, the group scans the internet for machines that listen on RDP port 3389. The attackers do this from compromised machines using tools like Masscan.exe, which can find vulnerable machines on the entire internet in under six minutes.

Once a vulnerable target is found, the group proceeds with a brute force attack using tools like NLbrute.exe or ForcerX, starting with common usernames like ‘admin’, ‘administrator’, ‘guest’, or ‘test’. After successfully gaining access to a network, the group tests the compromised machine for internet connectivity and processing capacity. They determine if the machine meets certain requirements before using it to conduct subsequent RDP brute force attacks against other targets. This tactic, which has not been observed being used by similar ransomware operators, gives them access to additional infrastructure that is less likely to be blocked. In fact, the group has been observed leaving their tools running on compromised machines for months on end.

On machines that the group doesn’t use for subsequent RDP brute-force attacks, they proceed with a separate set of actions. This technique helps the attackers evade reputation-based detection, which may block their scanning boxes; it also preserves their command-and-control (C2) infrastructure. In addition, PARINACOTA utilizes administrative privileges gained via stolen credentials to turn off or stop any running services that might lead to their detection. Tamper protection in Microsoft Defender ATP prevents malicious and unauthorized to settings, including antivirus solutions and cloud-based detection capabilities.

After disabling security solutions, the group often downloads a ZIP archive that contains dozens of well-known attacker tools and batch files for credential theft, persistence, reconnaissance, and other activities without fear of the next stages of the attack being prevented. With these tools and batch files, the group clears event logs using wevutil.exe, as well as conducts extensive reconnaissance on the machine and the network, typically looking for opportunities to move laterally using common network scanning tools. When necessary, the group elevates privileges from local administrator to SYSTEM using accessibility features in conjunction with a batch file or exploit-laden files named after the specific CVEs they impact, also known as the “Sticky Keys” attack.

The group dumps credentials from the LSASS process, using tools like Mimikatz and ProcDump, to gain access to matching local administrator passwords or service accounts with high privileges that may be used to start as a scheduled task or service, or even used interactively. PARINACOTA then uses the same remote desktop session to exfiltrate acquired credentials. The group also attempts to get credentials for specific banking or financial websites, using findstr.exe to check for cookies associated with these sites.

Microsoft Defender ATP alert for credential theft

Figure 2. Microsoft Defender ATP alert for credential theft

With credentials on hand, PARINACOTA establishes persistence using various methods, including:

  • Registry modifications using .bat or .reg files to allow RDP connections
  • Setting up access through existing remote assistance apps or installing a backdoor
  • Creating new local accounts and adding them to the local administrators group

To determine the type of payload to deploy, PARINACOTA uses tools like Process Hacker to identify active processes. The attackers don’t always install ransomware immediately; they have been observed installing coin miners and using massmail.exe to run spam campaigns, essentially using corporate networks as distributed computing infrastructure for profit. The group, however, eventually returns to the same machines after a few weeks to install ransomware.

The group performs the same general activities to deliver the ransomware payload:

  • Plants a malicious HTA file (hta in many instances) using various autostart extensibility points (ASEPs), but often the registry Run keys or the Startup folder. The HTA file displays ransom payment instructions.
  • Deletes local backups using tools like exe to stifle recovery of ransomed files.
  • Stops active services that might interfere with encryption using exe, net.exe, or other tools.

Figure 3. PARINACOTA stopping services and processes

  • Drops an array of malware executables, often naming the files based on their intended behavior. If previous attempts to stop antivirus software have been unsuccessful, the group simply drops multiple variants of a malware until they manage to execute one that is not detected, indicating that even when detections and alerts are occurring, network admins are either not seeing them or not reacting to them.

As mentioned, PARINACOTA has recently mostly dropped the Wadhrama ransomware, which leaves the following ransom note after encrypting target files:

Figure 4. Wadhrama ransom note

In several observed cases, targeted organizations that were able to resolve ransomware infections were unable to fully remove persistence mechanisms, allowing the group to come back and deploy ransomware again.

Figure 5. Microsoft Defender ATP machine view showing reinfection by Wadhrama

PARINACOTA routinely uses Monero coin miners on compromised machines, allowing them to collect uniform returns regardless of the type of machine they access. Monero is popular among cybercriminals for its privacy benefits: Monero not only restricts access to wallet balances, but also mixes in coins from other transactions to help hide the specifics of each transaction, resulting in transactions that aren’t as easily traceable by amount as other digital currencies.

As for the ransomware component, we have seen reports of the group charging anywhere from .5 to 2 Bitcoins per compromised machine. This varies depending on what the attackers know about the organization and the assets that they have compromised. The ransom amount is adjusted based on the likelihood the organization will pay due to impact to their company or the perceived importance of the target.

Doppelpaymer: Ransomware follows Dridex

Doppelpaymer ransomware recently caused havoc in several highly publicized attacks against various organizations around the world. Some of these attacks involved large ransom demands, with attackers asking for millions of dollars in some cases.

Doppelpaymer ransomware, like Wadhrama, Samas, LockerGoga, and Bitpaymer before it, does not have inherent worm capabilities. Human operators manually spread it within compromised networks using stolen credentials for privileged accounts along with common tools like PsExec and Group Policy. They often abuse service accounts, including accounts used to manage security products, that have domain admin privileges to run native commands, often stopping antivirus software and other security controls.

The presence of banking Trojans like Dridex on machines compromised by Doppelpaymer point to the possibility that Dridex (or other malware) is introduced during earlier attack stages through fake updaters, malicious documents in phishing email, or even by being delivered via the Emotet botnet.

While Dridex is likely used as initial access for delivering Doppelpaymer on machines in affected networks, most of the same networks contain artifacts indicating RDP brute force. This is in addition to numerous indicators of credential theft and the use of reconnaissance tools. Investigators have in fact found artifacts indicating that affected networks have been compromised in some manner by various attackers for several months before the ransomware is deployed, showing that these attacks (and others) are successful and unresolved in networks where diligence in security controls and monitoring is not applied.

The use of numerous attack methods reflects how attackers freely operate without disruption – even when available endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors already detect their activities. In many cases, some machines run without standard safeguards, like security updates and cloud-delivered antivirus protection. There is also the lack of credential hygiene, over-privileged accounts, predictable local administrator and RDP passwords, and unattended EDR alerts for suspicious activities.

Figure 6. Sample Microsoft Defender ATP alert

The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access. Attackers utilize various methods to gain access to privileged accounts, including common credential theft tools like Mimikatz and LaZange. Microsoft has also observed the use of the Sysinternals tool ProcDump to obtain credentials from LSASS process memory. Attackers might also use LSASecretsView or a similar tool to access credentials stored in the LSA secrets portion of the registry. Accessible to local admins, this portion of the registry can reveal credentials for domain accounts used to run scheduled tasks and services.

Figure 7. Doppelpaymer infection chain

Campaign operators continually steal credentials, progressively gaining higher privileges until they control a domain administrator-level account. In some cases, operators create new accounts and grant Remote Desktop privileges to those accounts.

Apart from securing privileged accounts, attackers use other ways of establishing persistent access to compromised systems. In several cases, affected machines are observed launching a base64-encoded PowerShell Empire script that connects to a C2 server, providing attackers with persistent control over the machines. Limited evidence suggests that attackers set up WMI persistence mechanisms, possibly during earlier breaches, to launch PowerShell Empire.

After obtaining adequate credentials, attackers perform extensive reconnaissance of machines and running software to identify targets for ransomware delivery. They use the built-in command qwinsta to check for active RDP sessions, run tools that query Active Directory or LDAP, and ping multiple machines. In some cases, the attackers target high-impact machines, such as machines running systems management software. Attackers also identify machines that they could use to stay persistent on the networks after deploying ransomware.

Attackers use various protocols or system frameworks (WMI, WinRM, RDP, and SMB) in conjunction with PsExec to move laterally and distribute ransomware. Upon reaching a new device through lateral movement, attackers attempt to stop services that can prevent or stifle successful ransomware distribution and execution. As in other ransomware campaigns, the attackers use native commands to stop Exchange Server, SQL Server, and similar services that can lock certain files and disrupt attempts to encrypt them. They also stop antivirus software right before dropping the ransomware file itself.

Attempts to bypass antivirus protection and deploy ransomware are particularly successful in cases where:

  • Attackers already have domain admin privileges
  • Tamper protection is off
  • Cloud-delivered protection is off
  • Antivirus software is not properly managed or is not in a healthy state

Microsoft Defender ATP generates alerts for many activities associated with these attacks. However, in many of these cases, affected network segments and their associated alerts are not actively being monitored or responded to.

Attackers also employ a few other techniques to bypass protections and run ransomware code. In some cases, we found artifacts indicating that they introduce a legitimate binary and use Alternate Data Streams to masquerade the execution of the ransomware binary as legitimate binary.

Command prmpt dump output of the Alternate Data Stream

Figure 8. Command prompt dump output of the Alternate Data Stream

The Doppelpaymer ransomware binary used in many attacks are signed using what appears to be stolen certificates from OFFERS CLOUD LTD, which might be trusted by various security solutions.

Doppelpaymer encrypts various files and displays a ransom note. In observed cases, it uses a custom extension name for encrypted files using information about the affected environment. For example, it has used l33tspeak versions of company names and company phone numbers.

Notably, Doppelpaymer campaigns do not fully infect compromised networks with ransomware. Only a subset of the machines have the malware binary and a slightly smaller subset have their files encrypted. The attackers maintain persistence on machines that don’t have the ransomware and appear intent to use these machines to come back to networks that pay the ransom or do not perform a full incident response and recovery.

Ryuk: Human-operated ransomware initiated from Trickbot infections

Ryuk is another active human-operated ransomware campaign that wreaks havoc on organizations, from corporate entities to local governments to non-profits by disrupting businesses and demanding massive ransom. Ryuk originated as a ransomware payload distributed over email, and but it has since been adopted by human operated ransomware operators.

Like Doppelpaymer, Ryuk is one of possible eventual payloads delivered by human operators that enter networks via banking Trojan infections, in this case Trickbot. At the beginning of a Ryuk infection, an existing Trickbot implant downloads a new payload, often Cobalt Strike or PowerShell Empire, and begins to move laterally across a network, activating the Trickbot infection for ransomware deployment. The use of Cobalt Strike beacon or a PowerShell Empire payload gives operators more maneuverability and options for lateral movement on a network. Based on our investigation, in some networks, this may also provide the added benefit to the attackers of blending in with red team activities and tools.

In our investigations, we found that this activation occurs on Trickbot implants of varying ages, indicating that the human operators behind Ryuk likely have some sort of list of check-ins and targets for deployment of the ransomware. In many cases, however, this activation phase comes well after the initial Trickbot infection, and the eventual deployment of a ransomware payload may happen weeks or even months after the initial infection.

In many networks, Trickbot, which can be distributed directly via email or as a second-stage payload to other Trojans like Emotet, is often considered a low-priority threat, and not remediated and isolated with the same degree of scrutiny as other, more high-profile malware. This works in favor of attackers, allowing them to have long-running persistence on a wide variety of networks. Trickbot, and the Ryuk operators, also take advantage of users running as local administrators in environments and use these permissions to disable security tools that would otherwise impede their actions.

Figure 9. Ryuk infection chain

Once the operators have activated on a network, they utilize their Cobalt Strike or PowerShell tools to initiate reconnaissance and lateral movement on a network. Their initial steps are usually to use built-in commands such as net group to enumerate group membership of high-value groups like domain administrators and enterprise administrators, and to identify targets for credential theft.

Ryuk operators then use a variety of techniques to steal credentials, including the LaZagne credential theft tool. The attackers also save various registry hives to extract credentials from Local Accounts and the LSA Secrets portion of the registry that stores passwords of service accounts, as well as Scheduled Tasks configured to auto start with a defined account. In many cases, services like security and systems management software are configured with privileged accounts, such as domain administrator; this makes it easy for Ryuk operators to migrate from an initial desktop to server-class systems and domain controllers. In addition, in many environments successfully compromised by Ryuk, operators are able to utilize the built-in administrator account to move laterally, as these passwords are matching and not randomized.

Once they have performed initial basic reconnaissance and credential theft, the attackers in some cases utilize the open source security audit tool known as BloodHound to gather detailed information about the Active Directory environment and probable attack paths. This data and associated stolen credentials are accessed by the attacker and likely retained, even after the ransomware portion is ended.

The attackers then continue to move laterally to higher value systems, inspecting and enumerating files of interest to them as they go, possibly exfiltrating this data. The attackers then elevate to domain administrator and utilize these permissions to deploy the Ryuk payload.

The ransomware deployment often occurs weeks or even months after the attackers begin activity on a network. The Ryuk operators use stolen Domain Admin credentials, often from an interactive logon session on a domain controller, to distribute the Ryuk payload. They have been seen doing this via Group Policies, setting a startup item in the SYSVOL share, or, most commonly in recent attacks, via PsExec sessions emanating from the domain controller itself.

Improving defenses to stop human-operated ransomware

In human-operated ransomware campaigns, even if the ransom is paid, some attackers remain active on affected networks with persistence via PowerShell Empire and other malware on machines that may seem unrelated to ransomware activities. To fully recover from human-powered ransomware attacks, comprehensive incident response procedures and subsequent network hardening need to be performed.

As we have learned from the adaptability and resourcefulness of attackers, human-operated campaigns are intent on circumventing protections and cleverly use what’s available to them to achieve their goal, motivated by profit. The techniques and methods used by the human-operated ransomware attacks we discussed in this blog highlight these important lessons in security:

  1. IT pros play an important role in security

Some of the most successful human-operated ransomware campaigns have been against servers that have antivirus software and other security intentionally disabled, which admins may do to improve performance. Many of the observed attacks leverage malware and tools that are already detected by antivirus. The same servers also often lack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords. Oftentimes these protections are not deployed because there is a fear that security controls will disrupt operations or impact performance. IT pros can help with determining the true impact of these settings and collaborate with security teams on mitigations.

Attackers are preying on settings and configurations that many IT admins manage and control. Given the key role they play, IT pros should be part of security teams.

  1. Seemingly rare, isolated, or commodity malware alerts can indicate new attacks unfolding and offer the best chance to prevent larger damage

Human-operated attacks involve a fairly lengthy and complex attack chain before the ransomware payload is deployed. The earlier steps involve activities like commodity malware infections and credential theft that Microsoft Defender ATP detects and raises alerts on. If these alerts are immediately prioritized, security operations teams can better mitigate attacks and prevent the ransomware payload. Commodity malware infections like Emotet, Dridex, and Trickbot should be remediated and treated as a potential full compromise of the system, including any credentials present on it.

  1. Truly mitigating modern attacks requires addressing the infrastructure weakness that let attackers in

Human-operated ransomware groups routinely hit the same targets multiple times. This is typically due to failure to eliminate persistence mechanisms, which allow the operators to go back and deploy succeeding rounds of payloads, as targeted organizations focus on working to resolve the ransomware infections.

Organizations should focus less on resolving alerts in the shortest possible time and more on investigating the attack surface that allowed the alert to happen. This requires understanding the entire attack chain, but more importantly, identifying and fixing the weaknesses in the infrastructure to keep attackers out.

While Wadhrama, Doppelpaymer, Ryuk, Samas, REvil, and other human-operated attacks require a shift in mindset, the challenges they pose are hardly unique.

Removing the ability of attackers to move laterally from one machine to another in a network would make the impact of human-operated ransomware attacks less devastating and make the network more resilient against all kinds of cyberattacks. The top recommendations for mitigating ransomware and other human-operated campaigns are to practice credential hygiene and stop unnecessary communication between endpoints.

Here are relevant mitigation actions that enterprises can apply to build better security posture and be more resistant against cyberattacks in general:

  • Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
  • Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS.
  • Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
  • Monitor for clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert “Event log was cleared” and Windows generates an Event ID 1102 when this occurs.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other accounts with high privilege should not be present on workstations.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications Other. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if you have Office 365.
  • Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.

Figure 10. Improving defenses against human-operated ransomware

How Microsoft empowers customers to combat human-operated attacks

The rise of adaptable, resourceful, and persistent human-operated attacks characterizes the need for advanced protection on multiple attack surfaces. Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure. Through built-intelligence, automation, and integration, Microsoft Threat Protection combines and orchestrates into a single solution the capabilities of Microsoft Defender Advanced Threat Protection (ATP), Office 365 ATP, Azure ATP, and Microsoft Cloud App Security, providing customers integrated security and unparalleled visibility across attack vectors.

Building an optimal organizational security posture is key to defending networks against human-operated attacks and other sophisticated threats. Microsoft Secure Score assesses and measures an organization’s security posture and provides recommended improvement actions, guidance, and control. Using a centralized dashboard in Microsoft 365 security center, organizations can compare their security posture with benchmarks and establish key performance indicators (KPIs).

On endpoints, Microsoft Defender ATP provides unified protection, investigation, and response capabilities. Durable machine learning and behavior-based protections detect human-operated campaigns at multiple points in the attack chain, before the ransomware payload is deployed. These advanced detections raise alerts on the Microsoft Defender Security Center, enabling security operations teams to immediately respond to attacks using the rich capabilities in Microsoft Defender ATP.

The Threat and Vulnerability Management capability uses a risk-based approach to the discovery, prioritization, and remediation of misconfigurations and vulnerabilities on endpoints. Notably, it allows security administrators and IT administrators to collaborate seamlessly to remediate issues. For example, through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click.

Microsoft experts have been tracking multiple human operated ransomware groups. To further help customers, we released a Microsoft Defender ATP Threat Analytics report on the campaigns and mitigations against the attack. Through Threat Analytics, customers can see indicators of Wadhrama, Doppelpaymer, Samas, and other campaign activities in their environments and get details and recommendations that are designed to help security operations teams to investigate and respond to attacks. The reports also include relevant advanced hunting queries that can further help security teams look for signs of attacks in their network.

Customers subscribed to Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender ATP, get targeted attack notification on emerging ransomware campaigns that our experts find during threat hunting. The email notifications are designed to inform customers about threats that they need to prioritize, as well as critical information like timeline of events, affected machines, and indicators of compromise, which help in investigating and mitigating attacks. Additionally, with experts on demand, customers can engage directly with Microsoft security analysts to get guidance and insights to better understand, prevent, and respond to human-operated attacks and other complex threats.


Microsoft Threat Protection Intelligence Team


The post Human-operated ransomware attacks: A preventable disaster appeared first on Microsoft Security.

New Microsoft Security innovations and partnerships

February 20th, 2020 No comments

Today on the Official Microsoft Blog, Ann Johnson, Corporate Vice President of the Cybersecurity Solutions Group, shared how Microsoft is helping turn the tide in cybersecurity by putting artificial intelligence (AI) in the hands of defenders. She announced the general availability of Microsoft Threat Protection, new platforms supported by Microsoft Defender Advanced Threat Protection (ATP), new capabilities in Azure Sentinel, and the general availability of Insider Risk Management in Microsoft 365.

Today, we’re also announcing:

  • An expanded public preview of FIDO2 security key support in Azure Active Directory (AD) to encompass hybrid environments. Workers can now sign in to work-owned Windows 10 devices with their Azure AD accounts using a FIDO2 security key instead of a password and automatically get single sign-on (SSO) to both on-premises and cloud resources.
  • New integration between Microsoft Cloud App Security and Microsoft Defender ATP that enables endpoint-based control of unsanctioned cloud applications. Administrators can now control the unauthorized use of cloud apps with protection built right into the endpoint.
  • Azure Security Center for IoT now supports a broader range of devices including Azure RTOS OS, Linux specifically Ubuntu and Debian, and Windows 10 IoT core. SecOps professionals can now reason over signals in an experience that combines IT and OT into a single view.
  • Two new features of Office 365 Advanced Threat Protection (ATP), campaign views and compromise detection and response, are now generally available. Campaign views gives security teams a complete view of email attack campaigns and makes it easier to address vulnerable users and configuration issues. Compromise detection and response speeds the detection of compromised users and is critical to ensuring that attacks are blocked early, and the impact of a breach is minimized.
  • In partnership with Terranova, we will offer customized user learning paths in Office 365 ATP later this year. User education needs to be part of every organization’s security strategy and we are investing to raise security awareness training efficacy.

These innovations are just a part of our commitment to built-in and cross-platform security that embraces AI and is deeply integrated together.

This integration also spans a broad ecosystem of security vendors to help solve for our customers’ security and compliance needs. We now have more than 100 members in the Microsoft Intelligent Security Association, including new members such as ServiceNow, Thales, and Trend Micro, and new IoT security solution providers like Attivo Networks, CyberMDX, CyberX, and Firedome to alleviate the integration challenges enterprises face.

To recognize outstanding efforts across the security ecosystem, on February 23, 2020—the night before the RSA Conference begins—we’ll host our inaugural security partner awards event, Microsoft Security 20/20, to celebrate our partners.

Good people, supported by AI and automation, have the advantage in the ongoing cybersecurity battle. That’s why we continue to innovate with new security and compliance solutions to help our customers in this challenge.

The post New Microsoft Security innovations and partnerships appeared first on Microsoft Security.

Microsoft Insider Risk Management and Communication Compliance in Microsoft 365 now generally available

February 20th, 2020 No comments

Microsoft Insider Risk Management and Communication Compliance in Microsoft 365—now generally available—help organizations address internal risks, such as IP theft or code of conduct policy violations. The new Microsoft Insider Risk Management solution helps to quickly identify, detect, and act on insider threats. The solution leverages Microsoft Graph and other services to analyze real-time native signals across Microsoft 365 and third-party applications—including file activity, communications sentiment, abnormal user behaviors, and HR events. Communication Compliance in Microsoft 365 leverages machine learning to quickly identify and help you act on code of conduct policy violations in company communications channels, while also helping regulated organizations meet specific supervisory compliance requirements.

To learn more, read Leverage AI and machine learning to address insider risks.

The post Microsoft Insider Risk Management and Communication Compliance in Microsoft 365 now generally available appeared first on Microsoft Security.

Categories: Microsoft 365 Tags:

Building on secure productivity

February 12th, 2020 No comments

Among the most common and powerful attack vectors we have seen are those that exploit the daily tradeoff users make between security and productivity. Often, this can be as simple as a document hiding an exploit or a malicious link.

As an industry, we’re used to thinking of security and productivity in tension with each other. Security teams focus on blocking capabilities and reducing access to limit risk; users create workarounds or ignore policies to get their jobs done. Organizations may respond to increasing security threats by layering multiple security point solutions on top of each other, often increasing the complexity security teams manage while encouraging users to look for even more workarounds.

We don’t think this has to be the case.

Today, we‘re announcing two new Microsoft 365 capabilities that will help organizations stay both secure and productive at the same time. The power of these capabilities comes from the seamless integration between Windows 10, Office 365 ProPlus, and Microsoft Defender Advanced Threat Protection (ATP). We previously gave a “sneak peak” at Ignite and are excited to share publicly now.

Safe Documents is now available in public preview, rolling out over the next few days

With Safe Documents, we’re bringing the power of the Intelligent Security Graph down to the desktop to verify that documents are safe at the endpoint itself.

Although Protected View helps secure documents originating outside the organization, too often users would exit this sandbox without great consideration and leave their networks vulnerable. Bringing a minimal trust approach to the Office 365 ProPlus clients, Safe Documents automatically checks the document against known risks and threat profiles before allowing to open. Users are not asked to decide on their own whether a document can be trusted; they can simply focus on the work to be done. This seamless connection between the desktop and the cloud both simplifies the user workflow and helps to keep the network more secure.

Application Guard integration with Office 365 ProPlus is significantly expanding its private preview

With Application Guard, we created a micro-VM based on the same technology that powers the Azure cloud and brought it down to the desktop. We first introduced Application Guard in Edge, bringing hardware-level containerization to the browser.

Now integrated with Office 365 ProPlus, Application Guard provides an upgrade to Protected View that helps desktop users to stay safer and more productive with container-based isolation for Office applications. Application Guard’s enforcement—with a new instance of Windows 10 and separate copy of the kernel—completely blocks access to memory, local storage, installed applications, corporate network endpoints, or any other resources of interest to the attacker.

That means Office users will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. Users can stay productive—make edits, print, and save changes—all while protected with hardware-level security. If the untrusted file is malicious, the attack is contained while user data and identity remains untouched. When a user wants to trust a document to save on the network or start collaborating in real-time, Safe Documents will first check to help ensure the document is safe.

Moreover, both Safe Documents and Application Guard connect to the Microsoft Security Center, providing admins with advanced visibility and response capabilities including alerts, logs, confirmation the attack was contained, and the ability to see and act on similar threats across the enterprise.

Truly Microsoft 365 capabilities

With these new capabilities, we brought together some of the best of Windows 10, Office 365 ProPlus, and Microsoft Defender ATP to help organizations stay both secure and productive. This integration also means that organizations can deploy these features with the change of a setting and manage with existing tools. And with every malicious attack contained, the entire Intelligent Security Graph becomes stronger, benefiting everyone.

Both Safe Documents and Application Guard will be available to customers with Microsoft 365 E5 and E5 Security. We encourage customers to start testing Safe Documents in their environment as it comes available (initially available for tenants in the U.S., U.K., and European Union), and to learn more about Safe Documents and Application Guard.

The post Building on secure productivity appeared first on Microsoft Security.

Visionary security partners to be honored at the very first Microsoft Security 20/20 event

February 6th, 2020 No comments

Microsoft Security 20/20 is nearly here and our team is putting the final touches on what we think will be a memorable event. Microsoft Security 20/20 will put the spotlight on companies and individuals with a clear-eyed view of the security challenges we face and smart solutions to help solve them. By working together, we advance the vision of what’s possible—and our joint customers’ security is stronger because of it.

“Solving our mutual customers’ security challenges is very much a team sport. I’m excited to recognize these leaders in the ecosystem at Microsoft’s inaugural security awards.”
—Andrew Conway, General Manager, Security Product Marketing

About the event

At the inaugural Microsoft Security 20/20 partner awards, we’ll celebrate finalists in 16 award categories that span security integration partners, system integrators, and managed security service providers. The awards gala will take place February 23, 2020—the Sunday before the RSA Conference in San Francisco. All finalists have been invited to attend this private event. Opening remarks from Ann Johnson, Corporate Vice President of the Cybersecurity Solutions Group, will center around Microsoft’s vision for the security ecosystem and how—together—we’ll help our customers get clarity on security.

“The themes for Microsoft Security 20/20 are vision and clarity. Microsoft is focused on protecting our customers and there is no vision for the future that doesn’t involve security partners. We’re hosting the first Microsoft Security 20/20 partner awards gala to honor security partners that are making an impact through technology development and customer enablement.”
—Rob Lefferts, Corporate Vice President, Microsoft Threat Protection

Better together

I passionately believe that the security ecosystem must work together to realize a future where people, information, and companies are safer. Microsoft Security 20/20 honors partners that have developed and delivered exceptional Microsoft-based solutions and services during the past year that put us on the path toward that vision.

The award categories and finalists were selected by a cross functional group within Microsoft. These finalists were chosen among a global field of top Microsoft partners for demonstrating excellence in innovation, integration, and customer implementation. Winners will be chosen based on a vote from a broad swath of Microsoft Security experts, which includes engineers, marketers, partners, managers, security architects, and more.

This blog would not be complete without showcasing each and every one of these amazing companies and visionary industry leaders, because in a kaleidoscope of security threats and news, these finalists offer an inspiring vision for the future.

ISV Partner of the Year

Software vendors that have shown innovation and the ability to drive revenue.

Emerging ISV Disruptor

Partners who show growth potential and have innovative emerging capabilities.

Most Prolific Integration Partner

Partners with numerous integrations across Azure and Microsoft 365 security.

Customer Impact

Independent software vendors (ISVs) that have driven a significant number of customers wins.

Identity Trailblazer

Partners that are driving major identity-related initiatives and educating the market on how to be protect identities.

Security Trailblazer

Partners that are driving major security-related initiatives and educating the market on how to be more secure.

Security Workshop Partner of the Year

Service partners that are driving the most high-quality security workshops.

Azure Security Deployment Partner of the Year

Service providers that are increasing usage and adoption rates for Azure security products.

Microsoft 365 Security Deployment Partner of the Year

Service providers that are increasing usage and adoption rates for Microsoft 365 security products.

Security System Integrator of the Year

System Integrators that are working closely with the Cybersecurity Solutions Group to close deals and integrate Microsoft into customers’ environments.

Security Advisory of the Year

Security advisory firms that are building core competencies on top of Microsoft Security solutions and working closely with the Cybersecurity Solutions Group to act as a trusted advisor to Microsoft customers.

Top Managed SOC/MDR

Security operations centers that are supporting the largest customers in the world and building strong intellectual property that layers on top of Microsoft Security solutions.

MSSP/TDR Disrupter

Threat, detection, and response experts that are changing the game for managed security services.

Top Github Contributor

With input from the GitHub team, we identified individuals who are going above and beyond to support the open source community with their GitHub contributions.

Industry Changemaker

Individuals who are making a standout contribution to improving the security community.

Election Security Partner of the Year

Organizations that are effecting change for one of our most critical global security challenges—election security.

Learn more

To learn more about Microsoft Security partners, see our partners page. To find out more about what Microsoft’s up to at RSA Conference 2020, read this blog.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Visionary security partners to be honored at the very first Microsoft Security 20/20 event appeared first on Microsoft Security.

New capabilities for eDiscovery now available

February 3rd, 2020 No comments

With the exponential growth of data, there is a pressing need for broader visibility into ever-increasing case activities that require eDiscovery to extend to chat-based communication and collaboration tools.

New capabilities help you manage eDiscovery in Microsoft Teams including the ability to apply legal hold to files and messages in private Teams channels. In addition, eDiscovery for Yammer is generally available today, while Advanced eDiscovery for Yammer is now available in public preview.

To learn more about all the new updates for eDiscovery in Microsoft 365, read Managing eDiscovery for modern collaboration.

The post New capabilities for eDiscovery now available appeared first on Microsoft Security.

Categories: Microsoft 365 Tags:

How companies can prepare for a heightened threat environment

January 20th, 2020 No comments

With high levels of political unrest in various parts of the world, it’s no surprise we’re also in a period of increased cyber threats. In the past, a company’s name, political affiliations, or religious affiliations might push the risk needle higher. However, in the current environment any company could be a potential target for a cyberattack. Companies of all shapes, sizes, and varying security maturity are asking what they could and should be doing to ensure their safeguards are primed and ready. To help answer these questions, I created a list of actions companies can take and controls they can validate in light of the current level of threats—and during any period of heightened risk—through the Microsoft lens:

  • Implement Multi-Factor Authentication (MFA)—It simply cannot be said enough—companies need MFA. The security posture at many companies is hanging by the thread of passwords that are weak, shared across social media, or already for sale. MFA is now the standard authentication baseline and is critical to basic cyber hygiene. If real estate is “location, location, location,” then cybersecurity is “MFA, MFA, MFA.” To learn more, read How to implement Multi-Factor Authentication (MFA).
  • Update patching—Check your current patch status across all environments. Make every attempt to patch all vulnerabilities and focus on those with medium or higher risk if you must prioritize. Patching is critically important as the window between discovery and exploit of vulnerabilities has shortened dramatically. Patching is perhaps your most important defense and one that, for the most part, you control. (Most attacks utilize known vulnerabilities.)
  • Manage your security posture—Check your Secure Score and Compliance Score for Office 365, Microsoft 365, and Azure. Also, take steps to resolve all open recommendations. These scores will help you to quickly assess and manage your configurations. See “Resources and information for detection and mitigation strategies” below for additional information. (Manage your scores over time and use them as a monitoring tool for unexpected consequences from changes in your environment.)
  • Evaluate threat detection and incident response—Increase your threat monitoring and anomaly detection activities. Evaluate your incident response from an attacker’s perspective. For example, attackers often target credentials. Is your team prepared for this type of attack? Are you able to engage left of impact? Consider conducting a tabletop exercise to consider how your organization might be targeted specifically.
  • Resolve testing issues—Review recent penetration test findings and validate that all issues were closed.
  • Validate distributed denial of service (DDoS) protection—Does your organization have the protection you need or stable access to your applications during a DDoS attack? These attacks have continued to grow in frequency, size, sophistication, and impact. They often are utilized as a “cyber smoke screen” to mask infiltration attacks. Your DDoS protection should be always on, automated for network layer mitigation, and capable of near real-time alerting and telemetry.
  • Test your resilience—Validate your backup strategies and plans, ensuring offline copies are available. Review your most recent test results and conduct additional testing if needed. If you’re attacked, your offline backups may be your strongest or only lifeline. (Our incident response teams often find companies are surprised to discover their backup copies were accessible online and were either encrypted or destroyed by the attacker.)
  • Prepare for incident response assistance—Validate you have completed any necessary due diligence and have appropriate plans to secure third-party assistance with responding to an incident/attack. (Do you have a contract ready to be signed? Do you know who to call? Is it clear who will decide help is necessary?)
  • Train your workforce—Provide a new/specific round of training and awareness information for your employees. Make sure they’re vigilant to not click unusual links in emails and messages or go to unusual or risky URLs/websites, and that they have strong passwords. Emphasize protecting your company contributes to the protection of the financial economy and is a matter of national security.
  • Evaluate physical security—Step up validation of physical IDs at entry points. Ensure physical reviews of your external perimeter at key offices and datacenters are being carried out and are alert to unusual indicators of access attempts or physical attacks. (The “see something/say something” rule is critically important.)
  • Coordinate with law enforcement—Verify you have the necessary contact information for your local law enforcement, as well as for your local FBI office/agent (federal law enforcement). (Knowing who to call and how to reach them is a huge help in a crisis.)

The hope, of course, is there will not be any action against any company. Taking the actions noted above is good advice for any threat climate—but particularly in times of increased risk. Consider creating a checklist template you can edit as you learn new ways to lower your risk and tighten your security. Be sure to share your checklist with industry organizations such as FS-ISAC. Finally, if you have any questions, be sure to reach out to your account team at Microsoft.

Resources and information for detection and mitigation strategies

In addition, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

About the author

Lisa Lee is a former U.S. banking regulator who helped financial institutions of all sizes prepare their defenses against cyberattacks and reduce their threat landscape. In her current role with Microsoft, she advises Chief Information Security Officers (CISOs) and other senior executives at large financial services companies on cybersecurity, compliance, and identity. She utilizes her unique background to share insights about preparing for the current cyber threat landscape.

The post How companies can prepare for a heightened threat environment appeared first on Microsoft Security.

Microsoft 365 helps governments adopt a Zero Trust security model

January 8th, 2020 No comments

For governments to function, the flow of data on a massive scale is required—including sensitive information about critical infrastructure, citizens, and public safety and security. The security of government information systems is subject to constant attempted attacks and in need of a modern approach to cybersecurity.

Microsoft 365 provides best-in-class productivity apps while protecting identities, devices, applications, networks, and data. With Microsoft 365 security services, governments can take confident steps to adopt a Zero Trust security model where all users and devices—both inside and outside the network—are deemed untrustworthy by default and the same security checks are applied to all users, devices, applications, and data.

To learn more, read Government data protection—earning and retaining the public’s trust with Microsoft 365.

The post Microsoft 365 helps governments adopt a Zero Trust security model appeared first on Microsoft Security.

Categories: Microsoft 365, Zero Trust Tags:

Data governance and retention in your Microsoft 365 tenant—a secure and highly capable solution

December 18th, 2019 No comments

Data governance has relied on transferring data to a third-party for hosting an archive service. Emails, documents, chat logs, and third-party data (Bloomberg, Facebook, LinkedIn, etc.) must be saved in a way that it can’t be changed and won’t be lost. Data governance is part of IT at the enterprise level. It serves regulatory compliance, can facilitate eDiscovery, and is part of a business strategy to protect the integrity of the data estate.

However, there are downsides.

In addition to acquisition costs, the archive is one more system that needs ongoing maintenance. When data is moved to another system, the risk footprint is increased, and data can be compromised in transit. An at-rest archive can become another target of attack.

When you take the data to the archive, you miss the opportunity to reason over it with machine learning to extract additional business value and insights to improve the governance program.

The game changer is to have reliable, auditable retention inside the Microsoft 365 tenant. This way, all the security controls and visibility in Microsoft 365 and Azure remain in effect. There is no additional archive to be attacked, protected, or monitored. In addition, there is no third-party archiving system to be purchased or maintained.

All the machine learning and correlation tools—always on and native to Microsoft 365—are reasoning over your data estate. Dark data can be illuminated.

Microsoft 365 tenant dashboards

Microsoft 365 dashboards are created automatically. Tiles allow you to drill down to the file level and locate sensitive data. Retention, disposition review, and deletion policies can be visualized, and compliance verified. Audit-ready governance reports can be generated.

Screenshot of label analytics in the Microsoft 365 compliance tenant dashboard.

Your data governance program becomes measurable, manageable, and useable. It adds value to your business rather than being just a compliance tool.

Data governance is more than retention for Microsoft 365. Businesses rely on non-Microsoft solutions as well. There are built-in connectors for Bloomberg, Facebook, LinkedIn, and other popular third-party applications that allow this data to be brought into Microsoft 365 for retention.

Screenshot of a connector being added in the Office 365 Security & Compliance dashboard.

Where we don’t yet have a connector for your solution, Microsoft Partners can provide a wide range of pre-built connectors or the ability to build custom connectors using our software development toolkit. To learn more, read Work with a partner to archive third-party data in Office 365.

In some cases, particularly where regulatory compliance—such as with the CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4—is needed, immutability of records must be maintained. These rules have specific requirements for electronic data storage, including many aspects of records management, such as the duration, format, quality, availability, and accountability of records retention. Microsoft provides the admin this ability in the Label settings. To do this, under Classify content as a “Record” with this label, select the Yes, classify as a regulatory “Record” dropdown option, and then under Retain this content, set the duration.

Screenshot of a label setting in the Office 365 Security & Compliance dashboard.

Once set, this option cannot be changed. Even admins are not able to change or delete the records.

Microsoft engaged Cohasset Associates to review this capability and provide an assessment document for consideration of our customers and their regulators. The assessment is available at: Data Protection Resources. Currently the assessment includes Exchange Online and will be extended to include SharePoint Online in mid-2020.

The ability to archive data inside the Microsoft 365 tenant with security controls intact and all the visibility and machine learning features of Microsoft 365 available is an advantage that many organizations can use, some with their existing licenses.

Learn more

To find out more about other advanced compliance features, check out Microsoft 365 compliance documentation. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Data governance and retention in your Microsoft 365 tenant—a secure and highly capable solution appeared first on Microsoft Security.

Categories: data governance, Microsoft 365 Tags: