Archive

Archive for January, 2019

CISO series: Talking cybersecurity with the board of directors

January 31st, 2019

In today's threat landscape, boards of directors are more interested than ever before in their company's cybersecurity strategy. If you want to maintain a board's confidence, you can't wait until after an attack to start talking to them about how you are securing the enterprise. You need to engage them in your strategy early and often, with the right level of technical detail, packaged in a way that gives the board exactly what they need to know, when they need to know it.

Cyberattacks have increased in frequency and size over the years, making cybersecurity as fundamental to the overall health of the business as financial and operational controls. Today's boards of directors know this, and they are asking their executive teams to provide more transparency on how their company manages cybersecurity risks. If you are a technology leader responsible for security, achieving your goals often includes building alignment with the board.

Bret Arsenault, corporate vice president and chief information security officer (CISO) for Microsoft, was a recent guest on our CISO Spotlight Series, where he shared several of his learnings on building a relationship with the board of directors. We've distilled them down to the following three best practices:

  • Use the board's time effectively.
  • Keep the board educated on the state of cybersecurity.
  • Speak to the board's top concerns.

Use the board's time effectively

Members of your board come from a variety of different backgrounds, and they are responsible for all aspects of risk management for the business, not just security. Some board members may track the latest trends in security, but many won't. When it's time to share your security update, you need to cut through all the other distractions and land your message. This means you will want to think almost as much about how you are going to share your information as what you are going to share, keeping in mind the following tips:

  • Be concise.
  • Avoid technical jargon.
  • Provide regular updates.

This doesn't mean you should dumb down your report or avoid important technical information. It means you need to adequately prepare. It may take several weeks to analyze internal security data, understand key trends, and distill it down to a 10-page report that can be presented in 30 to 60 minutes. Quarterly updates will help you learn what should be included in those 10 pages, and it will give you the opportunity to build on prior reports as the board gets more familiar with your strategy. No matter what, adequate planning can make a big difference in how your report is received.

Keep the board educated on the state of cybersecurity

Stories about security breaches get a lot of attention, and your board may hope you can prevent an attack from ever happening. A key aspect of your role is educating them on the reasons why no company will ever be 100 percent secure. The real differentiation is how effectively a company responds to and recovers from an inevitable incident.

You can also help your board understand the security landscape better with analysis of the latest security incidents and updates on cybersecurity regulations and legislation. Understanding these trends will help you align resources to best protect the company and stay compliant with regional security laws.

Speak to the board's top concerns

As you develop your content, keep in mind that the best way to get the board's attention is by aligning your messages to their top concerns. Many boards are focused on the following key questions:

  • How well is the company managing their risk posture?
  • What is the governance structure?
  • How is the company preparing for the future?

To address these questions, Bret sticks to the following talking points:

  • Technical debt: An ongoing analysis of legacy systems and technologies and their security vulnerabilities.
  • Governance: An accounting of how security practices and tools measure up against the security model the company is benchmarked against.
  • Accrued liability: A strategy to future-proof the company to avoid additional debts and deficits.

When it comes to effectively working with the board and other executives across your organization, a CISO should focus on four primary functions: manage risk, oversee technical architecture, implement operational efficiency, and most importantly, enable the business. In the past, CISOs were completely focused on technical architecture. Good CISOs today, and those who want to be successful in the future, understand that they need to balance all four responsibilities.

Learn more

Be sure to check out the interview with Bret in Part 1 of the CISO Spotlight Series, Security is Everyone's Business, to hear firsthand his recommendations for talking to the board. And in Part 2, Bret walks through how to talk about security attacks and risk management with the board.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great reference if you are searching for a benchmark model.

To read more blogs from the series, visit the CISO series page.

The post CISO series: Talking cybersecurity with the board of directors appeared first on Microsoft Secure.


Step 4. Set conditional access policies: top 10 actions to secure your environment

January 30th, 2019

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 4. Set conditional access policies, you'll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.

In today's workplace, users can work from anywhere, on any device. Whether using a company-provided laptop at the office, working from home, traveling for business, or using a personal mobile phone, employees expect to seamlessly access what they need to get work done. While the need for productivity may not change with circumstances, the level of risk of each sign-in does. Not all devices, apps, or networks are equally secure, and hackers will exploit any vulnerability that will give them access to your users and resources. It is critical to safeguard your identities, but it is not enough. You also need flexible security policies that are responsive to conditions.

Set up Azure Active Directory (Azure AD) conditional access policies

Azure AD conditional access lets you apply security policies that are triggered automatically when certain conditions are met. You can block access if the data suggests the user has been compromised or if it's highly unlikely that the user would sign in under those conditions. You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see "Sign-in risk" below).

We recommend that you apply policies that are appropriate for your organization for the following conditions:

  • Users and user groups: To reduce the risk that sensitive data is leaked, define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data.
  • Sign-in risk: Azure AD machine learning algorithms evaluate every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in. Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
  • Location: A location can be risky if it's in a country with limited security policies, if the wireless network is unsecured, or simply because it's not a location where the organization typically does business. You can modify access requirements for sign-ins from locations that are not on an IP safe list or that are risky for other reasons. Users accessing a service when they're off the corporate network should be required to use MFA.
  • Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
  • Device state: Use this condition to define policies for unmanaged devices.
  • Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
  • Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an unmanaged device.

When a condition is met, you can choose what policy Azure AD will enforce:

  • Require MFA to prove identity.
  • Change the actions the user can take in cloud apps.
  • Restrict access to sensitive data (for example: limit downloads or sharing functionality).
  • Require a password reset.
  • Block access.

Once set, these policies will apply automatically without any manual intervention (Figure 1).

Figure 1. Azure AD automatically applies the policies you set based on condition.

Block legacy authentication and control access to highly privileged accounts

Old apps that use a legacy authentication method, such as POP3, IMAP4, or SMTP clients, can increase your risk because they prevent Azure AD from doing an advanced security assessment and don't allow more modern forms of authentication, such as MFA. We recommend you use client application conditional access rules (Figure 2) to block these apps entirely.

Figure 2. Apply conditional access rules to block client apps using legacy authentication methods.

You can also use conditional access rules to reduce the risk that highly privileged accounts or service accounts are compromised. For example, if your HR system uses a service account to access the email account, you can make sure it can only run against the service from a specific IP at the appropriate time of day.

Enhance conditional access with Intune and Microsoft Cloud App Security

Azure AD integrates with Intune, so that conditional access policies can consider the Intune device state as part of the policy, letting you set access controls for devices that have old operating systems or other security vulnerabilities. You can also use conditional access in Intune to make sure that only apps managed by Intune can access corporate email or other Office 365 services. Azure AD will enforce these rules.

Cloud App Security Conditional Access App Control extends conditional access to your SaaS apps. You can block downloads from apps, limit activities in the app, monitor risky users, or block access to the app entirely.

Once you have policies in place, we recommend that you use the Azure AD What If tool to simulate possible sign-in scenarios that your users may confront. The What If tool allows you to select a user, the app that user is trying to access, and the conditions of that sign-in to see which policies will apply. (Figure 3.) This step will give you a better sense of how your policies will impact your users. You can also check what policies do not apply to a specific scenario.

One final precaution: Be sure to set up an exception group for each conditional access policy, so you don't lock yourself out.
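The conditions and controls listed above, the legacy-authentication block, the time-and-IP restriction on the HR service account, the What If check and the per-policy exception group, put together as one toy policy evaluator. This is an added example, not Azure AD's engine or any Microsoft code; the group names, app names, IP ranges and hours are constructed.

```python
"""Toy conditional-access evaluator (added example, not Azure AD code).

Each Policy pairs a condition on the sign-in context with a control
("require_mfa" or "block"). evaluate() returns the most restrictive
control across all applying policies, and what_if() lists which
policies apply, in the spirit of the Azure AD What If tool. Every
policy excludes a break-glass group so an over-broad rule cannot
lock administrators out. All names, IPs and hours are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Set

LEGACY_CLIENTS = {"pop3", "imap4", "smtp"}        # legacy-auth client app types
CORP_NETWORKS = [ip_network("203.0.113.0/24")]   # constructed IP safe list
BREAK_GLASS = {"ca-breakglass"}                  # exception group for every policy
CONTROL_RANK = {"allow": 0, "require_mfa": 1, "block": 2}


@dataclass
class SignIn:
    user: str
    groups: Set[str]
    app: str          # cloud app, e.g. "workday", "exchange", "teams"
    client: str       # "browser", "mobile", "desktop", or a legacy client
    ip: str
    risk: str         # Identity Protection sign-in risk: low | medium | high
    managed: bool     # Intune-compliant or domain-joined device
    hour: int         # local hour of day, 0-23

    def on_corp_network(self) -> bool:
        addr = ip_address(self.ip)
        return any(addr in net for net in CORP_NETWORKS)


@dataclass
class Policy:
    name: str
    condition: Callable[[SignIn], bool]
    control: str                                   # "require_mfa" | "block"
    exclude_groups: Set[str] = field(default_factory=lambda: set(BREAK_GLASS))

    def applies(self, s: SignIn) -> bool:
        if s.groups & self.exclude_groups:         # exception group wins
            return False
        return self.condition(s)


POLICIES: List[Policy] = [
    # Client apps: block legacy authentication entirely.
    Policy("block-legacy-auth", lambda s: s.client in LEGACY_CLIENTS, "block"),
    # Sign-in risk: medium -> challenge with MFA, high -> block.
    Policy("mfa-medium-risk", lambda s: s.risk == "medium", "require_mfa"),
    Policy("block-high-risk", lambda s: s.risk == "high", "block"),
    # Location: off the corporate network -> MFA.
    Policy("mfa-off-network", lambda s: not s.on_corp_network(), "require_mfa"),
    # Users and groups: only the HR group may reach the HR app.
    Policy("hr-only-workday",
           lambda s: s.app == "workday" and "hr" not in s.groups, "block"),
    # Cloud apps + device state: HR app from an unmanaged device -> block.
    Policy("block-hr-unmanaged",
           lambda s: s.app == "workday" and not s.managed, "block"),
    # Privileged service account: mail access only from one IP, 08:00-18:00.
    Policy("hr-svc-account-window",
           lambda s: s.user == "svc-hr" and s.app == "exchange"
           and not (s.ip == "203.0.113.10" and 8 <= s.hour < 18), "block"),
]


def what_if(s: SignIn) -> List[str]:
    """Names of the policies that would apply to this sign-in scenario."""
    return [p.name for p in POLICIES if p.applies(s)]


def evaluate(s: SignIn) -> str:
    """Most restrictive control across applying policies; 'allow' if none."""
    controls = [p.control for p in POLICIES if p.applies(s)]
    return max(controls, key=CONTROL_RANK.__getitem__, default="allow")


if __name__ == "__main__":
    home = SignIn("alice", {"staff"}, "teams", "browser",
                  "198.51.100.7", "low", True, 10)
    print(evaluate(home), what_if(home))   # require_mfa ['mfa-off-network']
```

Run what_if() over the scenarios your users actually hit before enforcing a policy; a break-glass account that still gets "block" is the lock-out the last paragraph warns about.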

Figure 3. The Azure AD What If tool gives you a better sense of how your policies will impact your users.

Learn more

Check back in a few weeks for our next blog post, Step 5. Set up mobile device management, where we'll dive into how to plan your Intune deployment and set up mobile device management as part of your Unified Endpoint Management strategy.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 4. Set conditional access policies: top 10 actions to secure your environment appeared first on Microsoft Secure.


Voice of the Customer: Azure AD helps lululemon enable productivity and security all at once for its employees

January 23rd, 2019

Today's post was written by Sue Bohn, Director of Program Management at Microsoft, and Simon Cheng, who is responsible for Identity and Access Management at lululemon.

Happy New Year and welcome to the next installment of the Voice of the Customer blog series. My name is Sue Bohn and I am the director of Program Management for Identity and Access Management. I'm really excited about our next blog in this series. Last time, we featured The Walsh Group. Today, I am sharing a story from lululemon, who really inspired me to think more broadly about what you can achieve when you step back and look at where you want to go.

Simon Cheng, responsible for Identity and Access Management at lululemon, is today a strong believer that every step towards cloud Identity and Access Management makes you more secure, but that wasn't always the case. Read on to learn more about lululemon's experience implementing Azure Active Directory (Azure AD).

Too many apps, too many passwords

At lululemon, our journey to Azure AD began with two overarching business requirements: 1. Secure all our apps and 2. Simplify user access. We knew, based on the typical behavior we've seen in the past, that most of our users were likely using the same corporate password across all the apps they use, including the ones we don't manage. This meant that if even just one of these apps had security vulnerabilities, a hacker could exploit the vulnerability to get into our corporate resources. And we would have no idea! Our security is only as strong as the weakest app being accessed, and so, if you can imagine, the challenge was that we had over 300+ applications! To protect our corporate resources, we needed to ensure that the authentication process for each app was secure.

Our shadow IT environment wasn't just a security challenge, it also frustrated our users. Over and over we heard there are too many portals and too many passwords. This sentiment drove our second business requirement, which we boiled down to an overriding principle: Not another portal, not another password. So, our solution needed to address security and simplify user access without reducing business flexibility. The obvious answer was to consolidate identities, and this quickly led us to Azure AD and Microsoft Enterprise Mobility + Security (EMS). As an Office 365 customer, our users were comfortable and familiar with the Office 365 sign-in experience, and so it was an easy decision. Once we had chosen a solution, our next big task was rolling it out without disrupting our users, which is really where my concern was: would our users embrace it?

Single Sign On (SSO) sells itself

When we began the rollout of Azure AD, our top concern was whether our employees would comply. As it turns out, I completely underestimated our users, and my concerns were really nothing. Within three months of the Azure AD rollout, our users loved the SSO experience so much that the business units came to us requesting that additional apps get rolled on. Even risk-based Multi-Factor Authentication (MFA) enforced by the Azure AD conditional access policy feature went smoother than I expected. We hardly heard any complaints and even fewer calls on how to set it up. For highly sensitive apps, such as our financial and HR apps, we followed a recommended approach to enforce MFA at every sign-in. For several other less sensitive apps, we were able to prioritize user experience and protect them with risk-based conditional access rules.

In 2013, we had two apps onboarded: ServiceNow and Workday; now we have over 200! And every single one of our 18,000 users is protected by conditional access and MFA. I am really proud of this accomplishment as it has enabled higher productivity for our organization while maintaining stronger security because our employees are using it! This experience taught me not to underestimate our users, and I think this is because they are familiar with security measures, having already learned to do so through consumer services such as social media. Had I known this when we started, I would have deployed Azure AD much sooner.

The cloud allowed us to implement more security features faster than we ever could on-premises

Once we had Azure AD deployed, our next project was to implement Azure AD Privileged Identity Management (PIM). Azure AD PIM allows us to enable just in time administrative access, which significantly reduces the possibility that our administrative accounts will get compromised. Launching PIM was an eye-opening experience! This is a capability that is very labor intensive and time consuming to operate typically.

I am constantly delighted with how fast I can deploy services in the cloud, Azure AD PIM being a prime example. More often than not, the trap I've seen organizations fall into is that they plan based on capabilities that exist within solutions rather than what's needed to secure their users. This is exactly where Azure AD and cloud wins over on-premises solutions. My takeaway has been that it is better to step back and plan what needs to be done for my organization and then just let the cloud services roll in almost automagically. Of course, where there are gaps, I work directly with the Azure AD engineering team!

Just in the last year, we have deployed, from pilot to production:

  1. Azure AD Connect implementation and Self Service Password Reset (SSPR) migration from the old tool (6 weeks)
  2. MFA registration, Azure AD conditional access, and Azure AD Identity Protection (7 weeks)
  3. Microsoft Advanced Threat Analytics (3 weeks)
  4. Group-based licensing (3 days)
  5. Azure Information Protection (8 weeks)
  6. Azure AD Privileged Identity Management (3 days!)
  7. Countless apps (each in a matter of hours!)

Learnings from lululemon

A big thanks to Simon! It is always great to learn from our customers' deployments. In lululemon's case, the need to take a step back and develop a plan based on the security goals, rather than a set of capabilities, really hits home. We can always plan something in the confines of what we currently have, but the fact is that new features get rolled out at cloud speed. It is great to see customers like lululemon deploy services in the cloud so quickly and benefit from them. Come back to our Secure blog to check in on our next customer blog and also read some other articles around Identity and Access Management and Zero Trust Networks.

The post Voice of the Customer: Azure AD helps lululemon enable productivity and security all at once for its employees appeared first on Microsoft Secure.

Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices

Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud is fading. Sensitive data constantly travels between different locations and is often shared with others both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.

Additionally, the threat landscape is evolving. External adversaries and insider threats are becoming more sophisticated and dangerous. Data breaches are at an all-time high in terms of both the number of breaches and the overall severity and business impact. As a result, governments and regulators are instituting stricter regulations with unprecedented fines for not properly protecting and governing sensitive information.

Traditional solutions that put walls around your network perimeter do not suffice. You are at risk of over-protecting where you shouldn't, degrading employee productivity by interrupting legitimate workflows, and under-protecting where you should, such as when sensitive data is being exfiltrated.

Consider the following principles when shaping your information protection strategy:

  1. Visibility: You can't protect what you can't see. Strive to achieve complete visibility into sensitive data across all repositories.
  2. Data-centric protection: Protect your data, not your perimeter. Apply information protection capabilities that are content-aware to improve protection coverage and reduce end-user friction due to unnecessary interruptions. Make sure sensitive data stays protected wherever it goes; this is especially important in a modern workplace, where data is constantly on the move.
  3. Assume breach: Sophisticated attackers, external adversaries, or insider threats will find a way around any wall you put in front of them. Implement post-breach techniques that constantly monitor sensitive data usage in your organization, correlate this data to other suspicious behaviors, and allow you to respond and mitigate risks.

The endpoint is a key point of control when implementing an effective information protection strategy based on these principles. Endpoints are often the entry point for sophisticated attacks conducted by an external adversary or an insider threat. Combine that with the fact that endpoints are usually the darkest spot in the enterprise for security and compliance teams, and you end up with a critical weakness in the enterprise information security posture.

Windows Defender Advanced Threat Protection (Windows Defender ATP), Microsoft's endpoint protection platform, addresses this challenge by integrating with Azure Information Protection, Microsoft's data classification, labeling, and protection solution. This integration empowers Windows to natively understand Azure Information Protection sensitivity labels, to provide visibility into sensitive data on endpoints, to protect sensitive data based on its content, and to detect and respond to post-breach malicious activity that involves or affects sensitive data.

Windows Defender ATP is built into the OS, removing the need for deployment and agent maintenance, ensuring that end-user experience is not impacted when performing legitimate business workflows. No on-premises infrastructure or endpoint agents are required. The seamless integration with Azure Information Protection reporting and management experience ensures that data administrators can continue to leverage their existing Azure Information Protection experience to manage these new capabilities.

Discover sensitive documents on Windows devices

Windows Defender ATP's built-in sensors discover labeled data on all devices monitored by the Windows Defender ATP service. This data is then plugged into the Azure Information Protection reporting experience, which is enriched with the labeled documents discovered on Windows devices. This allows existing Azure Information Protection customers to get instant visibility into sensitive data on devices using the same dashboard and analytics tools they use today.

Figure 1. Azure Information Protection Data discovery dashboard shows data discovered by both Windows Defender ATP and Azure Information Protection

It doesn't end there. Being an endpoint protection suite, Windows Defender ATP monitors and calculates a device risk level, an aggregated indicator of active security threats on each device. This data is also shared with Azure Information Protection reports, allowing data administrators to proactively understand whether sensitive corporate data resides on any compromised devices. To understand why the device is compromised, all it takes is a single click in the Azure Information Protection dashboard to be directed to that device's record in Windows Defender ATP, where the administrator can investigate and mitigate detected security threats.

Figure 2. Azure Information Protection Data discovery dashboard shows device risk calculation

Turning on this integration is a matter of a single flip of a switch in the advanced features settings page in Windows Defender Security Center. Windows endpoints will start discovering labeled documents immediately.

Figure 3. Windows Defender Security Center Settings page

Prevent sensitive data leaks from Windows devices

Windows Defender ATP can further protect sensitive data by providing data loss prevention (DLP) functionality. Built using the combined Windows Defender ATP native OS sensors and its advanced cloud-based analytics, Windows Defender ATP can help detect and mitigate data leak risks, ranging from an accidental end-user mistake to a sophisticated malicious attack.

It all starts from the Office 365 Security and Compliance Center (SCC), Microsoft's unified management console for information protection, where you can manage information protection configuration settings on Windows devices. As part of the label policy, you can define whether files with a specific label applied will be protected by Windows Defender ATP.

Figure 4. Office Security & Compliance Center Endpoint data loss prevention configuration page

Once that policy is in place, Windows Defender ATP will start protecting documents with a matching label. Protection is applied by automatically enabling Windows Information Protection, which prevents unallowed client apps, cloud apps, and network locations from accessing protected files and their content, reducing the risk of a data leak.

In addition, Windows Defender ATP integrates sensitive data awareness into Windows Defender Security Center. Each incident or alert raised in Windows Defender Security Center includes a data sensitivity attribute that is generated by aggregating the sensitivity of all the labeled files discovered on devices that are affected by the incident. This allows security analysts to prioritize incident response based on data sensitivity. When investigating an incident, security analysts can use data sensitivity context across the entire investigation from the incident dashboard, through analyzing sensitive data exposure of specific machines, all the way to Advanced hunting.

Figure 5. Windows Defender Security Center Incident queue, sorted by data sensitivity
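The two aggregations described above, the per-device risk level and the per-incident data sensitivity attribute, are easy to misread as a single score. The following is an added example, not Microsoft's code, that models how an incident queue can be ranked the way the text describes: first by the highest sensitivity label found on any affected device, then by the highest device risk level, then by how many sensitive files are exposed. The label order, risk order, device names and file counts are constructed sample data, and an organization would substitute its own label taxonomy.

```python
"""Added example (not Windows Defender ATP or Azure Information Protection code):
rank incidents by aggregated data sensitivity, then device risk, then exposure."""
from dataclasses import dataclass, field

# Ordinal scale for sensitivity labels (constructed; an org defines its own order).
LABEL_ORDER = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}
# Ordinal scale for the device risk level reported by the endpoint platform.
RISK_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Device:
    name: str
    risk: str                                   # "None" | "Low" | "Medium" | "High"
    labeled_files: dict = field(default_factory=dict)   # label -> number of files


@dataclass
class Incident:
    incident_id: str
    devices: list                               # devices affected by the incident


def incident_sensitivity(inc: Incident) -> str:
    """The incident's data sensitivity attribute: the highest label seen on any
    affected device. Files carrying a label outside LABEL_ORDER are ignored."""
    best = None
    for dev in inc.devices:
        for label, count in dev.labeled_files.items():
            if count > 0 and label in LABEL_ORDER:
                if best is None or LABEL_ORDER[label] > LABEL_ORDER[best]:
                    best = label
    return best or "Unlabeled"


def incident_max_device_risk(inc: Incident) -> str:
    """Highest device risk level among the affected devices."""
    return max((d.risk for d in inc.devices),
               key=lambda r: RISK_ORDER.get(r, -1), default="None")


def sensitive_file_count(inc: Incident, min_label: str = "Confidential") -> int:
    """Number of files at or above min_label across all affected devices."""
    threshold = LABEL_ORDER[min_label]
    return sum(count
               for d in inc.devices
               for label, count in d.labeled_files.items()
               if LABEL_ORDER.get(label, -1) >= threshold)


def prioritize(incidents):
    """Sort so the most sensitive incidents come first; ties are broken by
    device risk and then by the amount of sensitive data exposed."""
    def key(inc):
        return (LABEL_ORDER.get(incident_sensitivity(inc), -1),
                RISK_ORDER.get(incident_max_device_risk(inc), -1),
                sensitive_file_count(inc))
    return sorted(incidents, key=key, reverse=True)


# Constructed sample queue: four incidents touching five devices.
SAMPLE_INCIDENTS = [
    Incident("INC-1001", [Device("laptop-a", "High", {"General": 40})]),
    Incident("INC-1002", [Device("laptop-b", "Low", {"Confidential": 3, "Public": 10}),
                          Device("laptop-c", "Medium", {"Highly Confidential": 1})]),
    Incident("INC-1003", [Device("laptop-d", "Medium", {})]),
    Incident("INC-1004", [Device("laptop-e", "High", {"Confidential": 12})]),
]

if __name__ == "__main__":
    for inc in prioritize(SAMPLE_INCIDENTS):
        print(inc.incident_id, incident_sensitivity(inc),
              incident_max_device_risk(inc), sensitive_file_count(inc))
```

Note that INC-1002 outranks INC-1004 even though its devices carry a lower risk level and fewer sensitive files: a single "Highly Confidential" document on a medium-risk device is treated as more urgent than a dozen "Confidential" ones on a high-risk device, which is the ordering the sensitivity-sorted queue in Figure 5 implies. Swap the first two elements of the sort key if your team wants device compromise to win over data classification.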

Conclusion

Protecting sensitive data requires a comprehensive approach. Sensitive data stored on devices that are constantly on the move presents its own unique challenges. Windows Defender ATP and Azure Information Protection work together to effectively reduce the possibility of losing sensitive data. Together, these solutions provide discovery and protection capabilities required to govern and protect sensitive data, enforce compliance, and proactively mitigate risks.

These are just the first few steps we've taken to enhance the information protection capabilities. Stay tuned for more upcoming features built into Windows 10.

Start here to learn how you can leverage this capability.

Omri Amdursky
Windows Defender ATP team

The post Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices appeared first on Microsoft Secure.

Step 3. Protect your identities: top 10 actions to secure your environment

January 16th, 2019 No comments

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 3. Protect your identities, you'll learn how to define security policies to protect individual user identities against account compromise and protect your administrative accounts.

Whether or not you have experienced a security incident in the past, you probably know that it's not a matter of if an attacker will successfully compromise your corporate resources, but when. This is what is meant by an "assume breach" mindset. Preventative measures are critical, but in an "assume breach" world, so are detection and rapid response. Azure Active Directory (Azure AD) Identity Protection can help you rapidly uncover anomalies or suspicious incidents and configure policies that will automate a response. With Azure AD Privileged Identity Management (PIM), you can protect your administrative accounts. The faster you discover a hacker and take back control, the less damage that attacker can do, saving you time, money, and reputation.

Reduce the time an attacker has access to your network

Most breaches begin with stolen or guessed user credentials. Once hackers gain access, they attempt to escalate those privileges, or they exploit their access to discover and target administrative users with access to valuable data. Rapid detection of a compromised account, no matter its access level, is critical. This can be challenging in a large enterprise with thousands of users.

Azure AD uses machine learning to analyze every sign-in to uncover anomalies or suspicious incidents. It then assigns a risk level of low, medium, or high to indicate how likely it is that the sign-in was not performed by the user. This is called a risk event. Azure AD also analyzes risk events for each user and calculates a risk level of low, medium, or high to indicate how likely it is that a user has been compromised. Azure AD Identity Protection uses this data to generate reports and alerts that can be viewed from a dashboard (Figure 1) in the Azure portal or by enabling daily or weekly emails.

Figure 1. Azure AD Identity Protection reports users who are likely compromised.

Automate response with Azure AD risk-based conditional access policies

In addition to reporting, Azure AD Identity Protection also lets you configure policies to automate a response based on conditions you define. A sign-in risk policy is a conditional access policy that you can configure based on the risk level assigned to a sign-in (Figure 2). A user risk policy is a conditional access policy that you can configure based on the likelihood that a user has been compromised. For example, we recommend that you create a sign-in risk policy that forces all medium-risk sign-ins to use Multi-Factor Authentication (MFA). We also recommend users with a high-risk level be required to safely change their password after verifying their identity using MFA. In both instances, these policies will be enforced automatically without any intervention by an administrator. (We'll go into more details about Azure AD conditional access policies in our next blog.)

Figure 2. Apply a policy that blocks or flags risky sign-ins.
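The two recommended policies above interact: a user risk policy that forces a password change must itself sit behind MFA, otherwise whoever holds the stolen credential could set the new password. The following is an added example, not Azure AD's code, that evaluates sample sign-in events against the two recommendations exactly as the post states them (medium or higher sign-in risk requires MFA; high user risk requires MFA and then a secure password change). The event records, the Policy thresholds and the fail-closed "block" for an unrecognized risk level are constructed for this example; the real service enforces these controls inside conditional access, not in application code.

```python
"""Added example (not Azure AD Identity Protection code): evaluate sign-in
events against a sign-in risk policy and a user risk policy."""
from dataclasses import dataclass

# Risk levels as the post describes them; "none" covers sign-ins with no risk event.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    sign_in_risk: str   # how likely this particular sign-in was not performed by the user
    user_risk: str      # how likely the account itself has been compromised


@dataclass(frozen=True)
class Policy:
    sign_in_mfa_at: str = "medium"   # sign-in risk at or above which MFA is required
    user_reset_at: str = "high"      # user risk at or above which a password change is required
    block_unknown: bool = True       # fail closed when a risk level is not recognized


def at_least(level: str, threshold: str) -> bool:
    """True when `level` is at or above `threshold` on the risk scale."""
    return RISK_ORDER[level] >= RISK_ORDER[threshold]


def evaluate(event: SignIn, policy: Policy = Policy()) -> list:
    """Return the ordered list of controls enforced for this sign-in.
    Controls are cumulative: a high-risk user performs MFA first, and only
    then is allowed to change the password."""
    for level in (event.sign_in_risk, event.user_risk):
        if level not in RISK_ORDER:
            # An unrecognized level means the risk engine gave us nothing usable.
            return ["block"] if policy.block_unknown else ["allow"]
    controls = []
    if at_least(event.sign_in_risk, policy.sign_in_mfa_at):
        controls.append("mfa")
    if at_least(event.user_risk, policy.user_reset_at):
        # Verify identity before letting the account set a new password.
        if "mfa" not in controls:
            controls.append("mfa")
        controls.append("password_change")
    return controls or ["allow"]


def decisions(events, policy: Policy = Policy()) -> dict:
    """Map each user in a batch of events to the controls applied."""
    return {e.user: evaluate(e, policy) for e in events}


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    SignIn("alice", "low", "low"),        # ordinary sign-in, nothing extra
    SignIn("bob", "medium", "low"),       # unusual sign-in: MFA challenge
    SignIn("carol", "low", "high"),       # account likely compromised: MFA, then reset
    SignIn("dave", "high", "high"),       # both risks high: MFA, then reset
    SignIn("eve", "unknown", "low"),      # malformed risk level: fail closed
]

if __name__ == "__main__":
    for user, controls in decisions(SAMPLE_EVENTS).items():
        print(f"{user:6s} -> {', '.join(controls)}")
```

Tightening `Policy(sign_in_mfa_at="low")` turns alice's sign-in into an MFA challenge as well, which is the trade-off the post describes between friction and coverage; the password-change control never appears without MFA preceding it, whatever the thresholds.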

Protect your administrative accounts with Azure AD PIM

Even with good detection and response tools, there is still a chance that a hacker will make it through your defenses. In those instances, you need to minimize the likelihood that a compromised account can operate with a privileged role. Azure AD PIM gives you visibility into the users assigned to administrative roles and allows you to establish rules and policies that govern those accounts. Once you've identified the users, you can remove users who don't need privileged access and move the remaining users' role assignments from permanent to eligible (Figure 3). A user who is eligible for administrative access must request access every time they wish to perform a privileged task. We recommend that you enable MFA for all privileged roles, so you can verify their identity. We also recommend that you establish time limits for administrator access. Users should only have access long enough to complete the privileged task. These steps will make it much more difficult for a hacker to gain access to your most valuable data and resources.

Figure 3. Protect administrative roles by setting users to “Eligible.”
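The paragraph above combines three separate controls: converting permanent assignments to eligible ones, requiring MFA at activation time, and bounding how long an activation lasts. The following is an added example, not Azure AD PIM's code, that models that just-in-time pattern so the interaction of the three controls is visible: a role held only as eligible grants nothing until activated, activation is refused without a verified MFA claim or beyond the policy maximum, and an activation silently expires. The role name, user names, the one-hour maximum and the clock value are constructed for this example.

```python
"""Added example (not Azure AD PIM code): a minimal just-in-time privileged
role model with eligible assignments, MFA-gated activation and expiry."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Activation:
    role: str
    expires_at: datetime
    justification: str


class PrivilegedDirectory:
    """Tracks permanent and eligible role assignments and time-bound activations."""

    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.permanent = {}   # user -> set of roles held permanently (goal: empty)
        self.eligible = {}    # user -> set of roles the user may activate on demand
        self.active = {}      # user -> list of current Activation records
        self.max_duration = max_duration   # policy ceiling for one activation

    def assign_permanent(self, user: str, role: str) -> None:
        self.permanent.setdefault(user, set()).add(role)

    def make_eligible(self, user: str, role: str) -> None:
        """Move a permanent assignment to eligible (the change shown in Figure 3)."""
        self.permanent.get(user, set()).discard(role)
        self.eligible.setdefault(user, set()).add(role)

    def remove_role(self, user: str, role: str) -> None:
        """Drop a role entirely for users who do not need privileged access."""
        self.permanent.get(user, set()).discard(role)
        self.eligible.get(user, set()).discard(role)

    def activate(self, user: str, role: str, *, mfa_verified: bool,
                 justification: str, now: datetime,
                 duration: timedelta = None) -> Activation:
        """Grant the role for a bounded window; every check fails closed."""
        if role not in self.eligible.get(user, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_verified:
            raise PermissionError("MFA must be verified before activating a privileged role")
        duration = duration or self.max_duration
        if duration > self.max_duration:
            raise ValueError("requested duration exceeds the policy maximum")
        act = Activation(role, now + duration, justification)
        self.active.setdefault(user, []).append(act)
        return act

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """Effective privilege at `now`: permanent, or a still-live activation."""
        if role in self.permanent.get(user, set()):
            return True
        live = [a for a in self.active.get(user, []) if a.expires_at > now]
        self.active[user] = live   # prune expired activations as a side effect
        return any(a.role == role for a in live)

    def standing_admins(self) -> list:
        """Users who still hold any role permanently: the list to drive to zero."""
        return sorted(u for u, roles in self.permanent.items() if roles)


NOW = datetime(2019, 1, 16, 9, 0, tzinfo=timezone.utc)   # constructed clock value


def demo() -> dict:
    """Walk one account through the recommended changes and record what each step allows."""
    d = PrivilegedDirectory()
    d.assign_permanent("admin1", "Global Administrator")
    r = {"standing_before": d.standing_admins()}
    d.make_eligible("admin1", "Global Administrator")
    r["standing_after"] = d.standing_admins()
    r["idle"] = d.has_role("admin1", "Global Administrator", NOW)
    try:
        d.activate("admin1", "Global Administrator", mfa_verified=False,
                   justification="ticket-123", now=NOW)
        r["no_mfa"] = "allowed"
    except PermissionError:
        r["no_mfa"] = "denied"
    d.activate("admin1", "Global Administrator", mfa_verified=True,
               justification="ticket-123", now=NOW, duration=timedelta(minutes=30))
    r["during"] = d.has_role("admin1", "Global Administrator", NOW + timedelta(minutes=10))
    r["after"] = d.has_role("admin1", "Global Administrator", NOW + timedelta(minutes=31))
    try:
        d.activate("admin1", "Global Administrator", mfa_verified=True,
                   justification="ticket-124", now=NOW, duration=timedelta(hours=8))
        r["too_long"] = "allowed"
    except ValueError:
        r["too_long"] = "denied"
    try:
        d.activate("user2", "Global Administrator", mfa_verified=True,
                   justification="ticket-125", now=NOW)
        r["not_eligible"] = "allowed"
    except PermissionError:
        r["not_eligible"] = "denied"
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:16s} {outcome}")
```

The `standing_admins` list is the metric worth tracking over time: the post's guidance amounts to driving it to zero, so that every privileged action leaves an activation record with a justification and an expiry instead of riding on a standing assignment.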

Learn more

Check back in a few weeks for our next blog post, Step 4. Set conditional access policies, where we'll dive into additional conditional access policies you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 3. Protect your identities: top 10 actions to secure your environment appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Step 3. Protect your identities: top 10 actions to secure your environment

January 16th, 2019 No comments

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 3. Protect your identities, youll learn how to define security policies to protect individual user identities against account compromise and protect your administrative accounts.

Whether or not you have experienced a security incident in the past, you probably know that its not a matter of if an attacker will successfully compromise your corporate resources, but when. This is what is meant by an assume breach mindset. Preventative measures are critical, but in an assume breach” world, so are detection and rapid response. Azure Active Directory (Azure AD) Identity Protection can help you rapidly uncover anomalies or suspicious incidents and configure policies that will automate a response. With Azure AD Privileged Identity Management (PIM), you can protect your administrative accounts. The faster you discover a hacker and take back control, the less damage that attacker can do, saving you time, money, and reputation.

Reduce the time an attacker has access to your network

Most breaches begin with stolen or guessed user credentials. Once hackers gain access, they attempt to escalate those privileges, or they exploit their access to discover and target administrative users with access to valuable data. Rapid detection of a compromised accountno matter its access levelis critical. This can be challenging in a large enterprise with thousands of users.

Azure AD uses machine learning to analyze every sign-in to uncover anomalies or suspicious incidents. It then assigns a risk level of low, medium, or high to indicate how likely it is that the sign-in was not performed by the user. This is called a risk event. Azure AD also analyzes risk events for each user and calculates a risk level of low, medium, or high to indicate how likely it is that a user has been compromised. Azure AD Identity Protection uses this data to generate reports and alerts that can be viewed from a dashboard (Figure 1) in the Azure portal or by enabling daily or weekly emails.

Figure 1. Azure AD Identity Protection reports users who are likely compromised.

Automate response with Azure AD risk-based conditional access policies

In addition to reporting, Azure AD Identity Protection also lets you configure policies that automate a response based on conditions you define. A sign-in risk policy is a conditional access policy triggered by the risk level assigned to a sign-in (Figure 2). A user risk policy is a conditional access policy triggered by the likelihood that a user has been compromised. For example, we recommend that you create a sign-in risk policy that requires Multi-Factor Authentication (MFA) for all sign-ins of medium risk or higher. We also recommend that users with a high risk level be required to securely change their password after verifying their identity with MFA. In both cases the policy is enforced automatically, without any intervention by an administrator. (We'll go into more detail about Azure AD conditional access policies in our next blog post.)
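To make the two policy types concrete, here is an added example in Python. It is not code from the post and not Azure AD's implementation: it takes the risk levels Identity Protection would assign as input, derives a user risk level with an assumed aggregation rule, and applies the recommended thresholds (MFA at medium sign-in risk, MFA plus a secure password change at high user risk, and blocking high-risk sign-ins as the "block" option from Figure 2). The user names, risk events and the aggregation rule are constructed for the example.

```python
"""Risk-based conditional access decisions, modelled in plain Python.

Added example, not code from the post and not Azure AD's own implementation.
Risk levels are taken as input, as if already assigned by Identity Protection;
the user-risk aggregation rule and the risk events below are constructed
assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEvent:
    user: str
    level: str                 # "low" | "medium" | "high", as assigned by Identity Protection
    remediated: bool = False   # set once the user has securely changed their password


@dataclass
class Policy:
    """Thresholds following the post's recommendations (assumed defaults)."""
    mfa_at: str = "medium"                 # sign-in risk policy: require MFA at this level or above
    block_at: Optional[str] = "high"       # sign-in risk policy: block at this level or above
    password_change_at: str = "high"       # user risk policy: MFA plus secure password change


@dataclass
class Decision:
    user: str
    action: str                            # allow | require_mfa | require_password_change | block
    reasons: List[str] = field(default_factory=list)


def at_least(level: str, threshold: Optional[str]) -> bool:
    return threshold is not None and LEVELS[level] >= LEVELS[threshold]


def user_risk(events: List[RiskEvent], user: str) -> str:
    """Assumed aggregation rule (not Azure AD's): the highest unremediated event
    level for the user, escalated to "high" when three or more medium events stack up."""
    open_events = [e for e in events if e.user == user and not e.remediated]
    if not open_events:
        return "none"
    top = max(open_events, key=lambda e: LEVELS[e.level]).level
    mediums = sum(1 for e in open_events if e.level == "medium")
    if top == "medium" and mediums >= 3:
        return "high"
    return top


def evaluate(user: str, sign_in_risk: str, events: List[RiskEvent],
             policy: Optional[Policy] = None) -> Decision:
    """Apply the sign-in risk policy and the user risk policy to one sign-in."""
    policy = policy or Policy()
    current_user_risk = user_risk(events, user)
    # A sign-in risky enough to block is refused outright; there is no in-session remediation.
    if at_least(sign_in_risk, policy.block_at):
        return Decision(user, "block", [f"sign-in risk {sign_in_risk}"])
    # A user who is probably compromised must pass MFA and then reset their password.
    if at_least(current_user_risk, policy.password_change_at):
        return Decision(user, "require_password_change", [f"user risk {current_user_risk}"])
    # A moderately risky sign-in may proceed once MFA succeeds.
    if at_least(sign_in_risk, policy.mfa_at):
        return Decision(user, "require_mfa", [f"sign-in risk {sign_in_risk}"])
    return Decision(user, "allow")


def remediate(events: List[RiskEvent], user: str) -> None:
    """A secure password change closes the user's open risk events, dropping their user risk."""
    for e in events:
        if e.user == user:
            e.remediated = True


# Constructed sample risk events (not real data)
SAMPLE_EVENTS = [
    RiskEvent("alice@contoso.example", "medium"),
    RiskEvent("bob@contoso.example", "medium"),
    RiskEvent("bob@contoso.example", "medium"),
    RiskEvent("bob@contoso.example", "medium"),
    RiskEvent("carol@contoso.example", "high", remediated=True),
]

if __name__ == "__main__":
    for user, risk in [("alice@contoso.example", "low"), ("alice@contoso.example", "medium"),
                       ("bob@contoso.example", "low"), ("carol@contoso.example", "low"),
                       ("dave@contoso.example", "high")]:
        d = evaluate(user, risk, SAMPLE_EVENTS)
        print(f"{user:<22} sign-in risk {risk:<6} -> {d.action} {d.reasons}")
```

The ordering matters: a sign-in that should be blocked is refused before any remediation is offered, because the password reset must happen from a sign-in you are willing to trust, and a high user risk outranks a merely medium sign-in risk so that a compromised account is forced through remediation rather than just MFA. Setting `block_at=None` reproduces a "flag and require MFA only" configuration.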

Figure 2. Apply a policy that blocks or flags risky sign-ins.

Protect your administrative accounts with Azure AD PIM

Even with good detection and response tools, there is still a chance that an attacker will make it through your defenses. In that case, you need to minimize the likelihood that a compromised account can operate in a privileged role. Azure AD PIM gives you visibility into the users assigned to administrative roles and lets you establish rules and policies that govern those accounts. Once you've identified those users, remove the ones who don't need privileged access and change the remaining assignments from permanent to eligible (Figure 3). A user who is eligible for administrative access must request activation every time they wish to perform a privileged task. We recommend that you require MFA for all privileged roles, so the requester's identity is verified at activation. We also recommend that you set time limits on administrator access: users should hold the role only long enough to complete the privileged task. Together these steps make it much more difficult for an attacker to reach your most valuable data and resources.
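As an added illustration (not the post's code and not PIM itself), the following Python models the eligible-versus-permanent distinction, the MFA and justification checks at activation time, and the bounded activation window. The role holders, the one-hour activation limit and the timestamps are assumptions constructed for the example.

```python
"""Just-in-time activation of privileged roles, modelled in plain Python.

Added example, not code from the post and not Azure AD PIM itself. It models the
post's recommendations: administrative assignments are made eligible rather than
permanent, activation requires MFA and a justification, and an activation expires
after a bounded window. Role names, users and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


class ActivationDenied(Exception):
    """Raised when an activation request fails one of the PIM-style checks."""


@dataclass
class Activation:
    user: str
    role: str
    justification: str
    start: datetime
    end: datetime


@dataclass
class PrivilegedRoleStore:
    max_duration: timedelta = timedelta(hours=1)                   # assumed activation limit
    permanent: Dict[str, Set[str]] = field(default_factory=dict)   # role -> standing holders
    eligible: Dict[str, Set[str]] = field(default_factory=dict)    # role -> users who may activate
    activations: List[Activation] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def assign_permanent(self, role: str, user: str) -> None:
        self.permanent.setdefault(role, set()).add(user)

    def make_eligible(self, role: str, user: str) -> None:
        """Figure 3 step: turn a permanent assignment into an eligible one."""
        self.permanent.get(role, set()).discard(user)
        self.eligible.setdefault(role, set()).add(user)
        self.audit.append(f"{role}: {user} permanent -> eligible")

    def remove(self, role: str, user: str) -> None:
        """Users who do not need privileged access lose both kinds of assignment."""
        self.permanent.get(role, set()).discard(user)
        self.eligible.get(role, set()).discard(user)
        self.audit.append(f"{role}: {user} removed")

    def activate(self, role: str, user: str, justification: str, now: datetime,
                 mfa_verified: bool, duration: Optional[timedelta] = None) -> Activation:
        """Grant the role for a bounded window; every check is enforced on each request."""
        if user not in self.eligible.get(role, set()):
            raise ActivationDenied(f"{user} is not eligible for {role}")
        if not mfa_verified:
            raise ActivationDenied("MFA is required to activate a privileged role")
        if not justification.strip():
            raise ActivationDenied("a justification is required")
        window = min(duration or self.max_duration, self.max_duration)   # cap the request
        act = Activation(user, role, justification, now, now + window)
        self.activations.append(act)
        self.audit.append(f"{role}: {user} active until {act.end.isoformat()} ({justification})")
        return act

    def has_role(self, role: str, user: str, now: datetime) -> bool:
        """Permanent holders always have the role; eligible holders only inside a window."""
        if user in self.permanent.get(role, set()):
            return True
        return any(a.user == user and a.role == role and a.start <= now < a.end
                   for a in self.activations)

    def standing_privilege(self) -> Dict[str, Set[str]]:
        """Remaining permanent assignments: the list to keep shrinking."""
        return {role: set(users) for role, users in self.permanent.items() if users}


T0 = datetime(2019, 1, 15, 9, 0)   # constructed reference time for the demo


def run_demo() -> dict:
    """Walk through the post's steps and report what each check observed."""
    store = PrivilegedRoleStore()
    for user in ("alice@contoso.example", "bob@contoso.example", "old-admin@contoso.example"):
        store.assign_permanent("Global Administrator", user)
    store.remove("Global Administrator", "old-admin@contoso.example")      # no longer needs it
    store.make_eligible("Global Administrator", "alice@contoso.example")   # JIT from now on
    try:
        store.activate("Global Administrator", "alice@contoso.example", "change 4711", T0,
                       mfa_verified=False)
        denied_without_mfa = False
    except ActivationDenied:
        denied_without_mfa = True
    act = store.activate("Global Administrator", "alice@contoso.example", "change 4711", T0,
                         mfa_verified=True, duration=timedelta(hours=8))   # 8h request is capped
    role, alice, bob = "Global Administrator", "alice@contoso.example", "bob@contoso.example"
    return {
        "standing": store.standing_privilege(),
        "denied_without_mfa": denied_without_mfa,
        "activation_minutes": int((act.end - act.start).total_seconds() // 60),
        "active_at_30m": store.has_role(role, alice, T0 + timedelta(minutes=30)),
        "active_at_2h": store.has_role(role, alice, T0 + timedelta(hours=2)),
        "bob_always": store.has_role(role, bob, T0 + timedelta(days=30)),
        "audit": store.audit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `standing_privilege` report is the part to watch: in the demo only one permanent holder remains, and that is the account an attacker could use at any time without triggering an activation request, MFA prompt, or audit entry.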

Figure 3. Protect administrative roles by setting users to “Eligible.”

Learn more

Check back in a few weeks for our next blog post, Step 4. Set conditional access policies, where we'll dive into additional conditional access policies you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 3. Protect your identities: top 10 actions to secure your environment appeared first on Microsoft Secure.


The evolution of Microsoft Threat Protection, January update

January 16th, 2019 No comments

As the new year begins, progress with Microsoft Threat Protection continues. It remains one of the only solutions on the market providing comprehensive, end-to-end security for the modern workplace. Microsoft Threat Protection helps users gain optimal security from the moment they sign in to their laptops or mobile devices, check their email or begin work on their documents, or use the many cloud applications common in the modern workplace. IT administrators benefit from minimal complexity in staying ahead of the threat landscape, gaining visibility and control over the expanding attack surface, and reducing the time, cost, and effort needed to understand and act on the trillions of threat signals observed from their IT environment.

In previous posts, we provided examples of how Microsoft Threat Protection helps secure across identities, endpoints, email and data, apps, and infrastructure. We also highlighted how Microsoft Threat Protection quickly and efficiently handled the Tropic Trooper attack campaign. Today, we highlight examples of automation and seamless integration which are core differentiators for Microsoft Threat Protection. We first discuss new automation capabilities that improve security for your apps ecosystem. Next, we share results from the MITRE evaluation that exemplifies how signal sharing across integrated security services helps provide impressive threat detection capabilities for endpoints.

Simplifying the life of SecOps with automated security workflows

Automation is a key attribute of Microsoft Threat Protection. While it comes in many forms, the intent is always to help reduce the burden on security teams tasked with handling the myriad and frequent threats modern organizations deal with. Automation can address basic security needs, enabling security teams to focus on the more challenging security problems. This ultimately helps make organizations less susceptible to threats.

The following example demonstrates how our automation capabilities can simplify the oversight for cloud apps and services. Microsoft Threat Protection helps secure cloud apps and services with Microsoft Cloud App Security, a premier Cloud Access Security Broker (CASB) service. It gives visibility into cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and enables control over data travel. Leading organizations such as Accenture leverage the monitoring capabilities of Cloud App Security to detect anomalous behavior in their SaaS and cloud apps. Now imagine adding the benefit of automated workflows to this already powerful service. We have heard feedback in countless discussions with Security Operations (SecOps) professionals that solutions enabling automated processes would help significantly by reducing the number of incidents requiring direct oversight.

To serve this customer need, we're excited to announce the integration of Microsoft Flow with Cloud App Security (Figure 1). This integration supports a series of use cases for centralized alert automation and orchestration, using out-of-the-box and custom workflow playbooks that work with the systems of your choice. Microsoft Flow draws on an ecosystem of connectors to over 100 third-party services, including ServiceNow, Jira, and SAP. Combining Cloud App Security with Microsoft Flow lets security specialists build playbooks that work with the systems of their choice and their existing in-house processes, and automate the triage of alerts. Learn more about the detailed use cases and capabilities this integration facilitates.

Figure 1. Microsoft Cloud App Security + Microsoft Flow integration schematic.

Demonstrating industry leading optics and detection for endpoint security

The Microsoft Intelligent Security Graph is the foundational element of Microsoft Threat Protection powering every service in the solution, providing a blend of deep and broad threat signals, and leveraging machine learning for intelligent signal correlation. The Intelligent Security Graph seamlessly integrates all Microsoft Threat Protection services, enabling each to share signal.

For example, Windows Defender Advanced Threat Protection (ATP) correlates signals across endpoints and identities by consuming signal from Azure ATP (identity security). MITRE recently evaluated Windows Defender ATP's ability to detect techniques used by the attack group APT3 (also known as Boron or UPS). In that evaluation Windows Defender ATP registered the best optics and top detection coverage across the attacker kill chain. Seamless integration is a tenet of Microsoft Threat Protection, and the MITRE results are another example of how integration across different security services leads to security gains.

It is important to note that MITRE evaluates detection capabilities only. Windows Defender ATP also provides protection and response to threats. In a customer environment, Windows Defender ATP would have blocked many of the attack techniques at onset by leveraging attack surface reduction and next-gen protection capabilities. In addition, investigation and hunting features enable security operations personnel to correlate alerts and incidents, enabling holistic response actions.

To learn more about Microsoft's MITRE results, read Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP and visit the MITRE website. Please reach out to your Microsoft rep to walk through the full details of the results.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection and read our previous monthly updates. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities.

Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, January update appeared first on Microsoft Secure.


Microsoft gains strong customer and analyst momentum in the Cloud Access Security Brokers (CASB) market

January 15th, 2019 No comments

After a strong year of product updates and innovations, we're excited to see that Microsoft jumped into the Challenger position in Gartner's 2018 Magic Quadrant for Cloud Access Security Brokers (CASB) and solidified its leadership position in KuppingerCole's 2018 Leadership Compass in the same product category, backed by strong customer adoption rates.

CASBs give organizations the ability to securely embrace the possibilities of their cloud apps and services and they can be crucial in driving a successful cloud security strategy.

While the market for CASB is still relatively young, analyst firm Gartner, Inc. predicts that 60 percent of large enterprises will be using CASB technologies by 2020, with independent forecasts expecting to reach a total addressable market of $7.5 billion in the same timeframe.

We have seen a steep increase in the adoption of Microsoft Cloud App Security across all customer segments, ranging from large enterprises such as global energy leader BP to smaller organizations such as Affinity Workforce. Our internal estimates show that Microsoft Cloud App Security has a current market share of more than 30 percent in the CASB space. This provides us with insights from billions of signals every day, and direct input from the many organizations that we work with, allowing us to continuously improve the product and react to what we're seeing in the market.

By integrating with leading security, identity, and productivity solutions across Microsoft 365, Microsoft Cloud App Security is uniquely positioned to drive innovation in the CASB space. Recent additions include our native integration with Windows Defender Advanced Threat Protection and our consistent labeling experience via Azure Information Protection. Among many others, these help organizations gain visibility into their cloud apps and services, provide sophisticated analytics to identify and combat cyber threats, and control the travel of sensitive information to equally support Microsofts native cloud services, as well as numerous third-party cloud apps and services, such as Dropbox, Salesforce, and others.

Microsoft Cloud App Security's portfolio of native product integrations.

2018 analyst momentum

In Gartners 2018 report, we significantly improved our positioning and moved along both axes, Completeness of Vision as well as Ability to Execute, up from a Niche Player to a Challenger position. We see the substantial improvement as a testimony to our strong ability to execute against our feature roadmap and the momentum we are gaining with customers.

Magic Quadrant for CASB. Source: Gartner (October 2018)*

In its 2018 report, analyst firm KuppingerCole positions Microsoft as a Leader for the second year in a row. This further emphasizes the strength of our native integrations across Microsoft 365, including Azure Active Directory (Azure AD), Office 365, and Azure Security Center, and the significant customer base of Microsoft Cloud App Security.

Leadership Compass for CASB. Source: KuppingerCole (October 2018)

This year's results confirm Microsoft's strong commitment and rapid progress in this space, and as the overall market matures, the importance for organizations of considering the use of a CASB continues to increase.

Learn more

We made both these 2018 analyst reports available for review. Download the Gartner Magic Quadrant 2018 for CASBs report and the KuppingerCole Leadership Compass 2018 report.

If you're not using Microsoft Cloud App Security, start a free trial today and learn how to get started with our detailed technical documentation.

If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

To stay up to date with our latest product innovations, follow our product blog.

 

*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft gains strong customer and analyst momentum in the Cloud Access Security Brokers (CASB) market appeared first on Microsoft Secure.


Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available

We're excited to announce the availability of the Center for Internet Security's (CIS) Microsoft 365 Foundations Benchmark, developed by CIS in partnership with Microsoft, to provide prescriptive guidance for establishing a secure baseline configuration for Microsoft 365. CIS is a nonprofit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.

Microsoft 365 provides powerful online cloud services that enable collaboration, security and compliance, mobility, intelligence, and analytics. Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer responsible for others, depending on the service delivery model chosen. To ensure that a customer's cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings.

The CIS Microsoft 365 Foundations Benchmark is designed to assist organizations in establishing the foundation level of security for anyone adopting Microsoft 365. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.

The CIS benchmark contains two levels, each with slightly different technical specifications:

  • Level 1: Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2: Recommended security settings for highly secure environments that could result in some reduced functionality.

The CIS Microsoft 365 Foundations Benchmark is divided into the following sections (the number of recommended controls in each is given in parentheses):

  • Account/Authentication policies (8): recommendations for setting the appropriate account and authentication policies.
  • Application permissions (4): recommendations for configuring application permissions within Microsoft 365.
  • Data management (6): recommendations for setting data management policies.
  • Email security/Exchange Online (13): recommendations for configuring Exchange Online and email security.
  • Auditing policies (14): recommendations for setting auditing policies on your Microsoft 365 tenant.
  • Storage policies (2): recommendations for securely configuring storage policies.
  • Mobile device management (13): recommendations for managing devices connecting to Microsoft 365.

Total: 60 recommendations.

Each recommendation contains several sections, including a recommendation identification number, title, and description; level or profile applicability; rationale; instructions for auditing the control; remediation steps; impact of implementing the control; default value; and references. For example, the first control contained in the benchmark is under the Account/Authentication policies section and is titled: 1.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles (Scored).

A control is marked as Scored or Not Scored based on whether it can be programmatically tested. In this case, recommendation 1.1 can be audited using Microsoft Graph and PowerShell cmdlets; the specific steps are contained in the Audit section for this recommendation. It is listed as a Level 1 control because it applies only to Microsoft 365 administrative users and would not have a company-wide impact or reduce functionality for users. The rationale for recommendation 1.1 is that Microsoft 365 administrative accounts need to be protected because of their powerful privileges: with multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk to the tenant.
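The audit step for 1.1 can be expressed as a small script. The following Python is an added example, not the benchmark's own audit procedure and not the post's code: instead of querying the tenant through Microsoft Graph or PowerShell, it runs the check against a constructed snapshot of role memberships and MFA state, so it works offline, and it shows how a Scored control differs from a Not Scored one in such a runner. The role names, users and MFA states are assumptions.

```python
"""Auditing benchmark control 1.1 (MFA for every administrative role holder)
against a directory snapshot.

Added example, not code from the post or from CIS. The benchmark's Audit
section queries the tenant with Microsoft Graph and PowerShell; here the
directory data is a constructed snapshot in the shape such a query might
return, so the check runs offline. Role names, users and MFA states are
assumptions for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Finding:
    control: str
    passed: Optional[bool]      # None: Not Scored, needs manual review
    details: List[str]


@dataclass
class Control:
    ident: str
    title: str
    level: int                  # benchmark profile: 1 or 2
    audit: Optional[Callable[[dict], Finding]] = None   # None means the control is Not Scored

    @property
    def scored(self) -> bool:
        """Scored controls are the ones that can be tested programmatically."""
        return self.audit is not None


# Constructed snapshot (not real tenant data): role memberships and per-user MFA state
SNAPSHOT = {
    "roles": {
        "Global Administrator": ["alice@contoso.example", "svc-admin@contoso.example"],
        "Exchange Administrator": ["bob@contoso.example"],
        "SharePoint Administrator": ["alice@contoso.example"],
    },
    "users": {
        "alice@contoso.example": {"mfa_enforced": True},
        "bob@contoso.example": {"mfa_enforced": False},
        "svc-admin@contoso.example": {"mfa_enforced": False},
        "carol@contoso.example": {"mfa_enforced": False},   # holds no admin role: out of scope for 1.1
    },
}


def admins_by_user(snapshot: dict) -> Dict[str, List[str]]:
    """Invert role membership so each admin is checked once, however many roles they hold."""
    result: Dict[str, List[str]] = {}
    for role, members in snapshot["roles"].items():
        for member in members:
            result.setdefault(member, []).append(role)
    return result


def audit_1_1(snapshot: dict) -> Finding:
    """1.1 (L1, Scored): every user holding an administrative role has MFA enforced."""
    details = []
    for user, roles in sorted(admins_by_user(snapshot).items()):
        state = snapshot["users"].get(user, {})
        # An admin missing from the user table counts as failing: absence of evidence is not a pass.
        if not state.get("mfa_enforced", False):
            details.append(f"{user} lacks enforced MFA (roles: {', '.join(roles)})")
    return Finding("1.1", passed=not details, details=details)


CONTROLS = [
    Control("1.1", "Ensure multifactor authentication is enabled for all users in administrative roles",
            level=1, audit=audit_1_1),
]


def run(snapshot: dict, controls: List[Control], profile_level: int = 1) -> List[Finding]:
    """Run the scored controls in the chosen profile; Not Scored ones are handed to a human."""
    findings = []
    for control in controls:
        if control.level > profile_level:
            continue
        if control.scored:
            findings.append(control.audit(snapshot))
        else:
            findings.append(Finding(control.ident, None, ["Not Scored: review manually"]))
    return findings


if __name__ == "__main__":
    for f in run(SNAPSHOT, CONTROLS):
        status = {True: "PASS", False: "FAIL", None: "MANUAL"}[f.passed]
        print(f"{f.control} {status}")
        for line in f.details:
            print("  " + line)
```

Two details worth keeping when you wire this to a real query: check each admin once across all roles (so a multi-role account produces one finding that names every role), and treat an admin with no MFA record at all as a failure rather than skipping them.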

Download the benchmark and provide your feedback

The CIS Microsoft 365 Foundations Benchmark is freely available for download in PDF format on the CIS website. Feedback from those using and implementing the benchmark gives us the opportunity to keep improving our products; you can make your feedback visible to CIS by creating a discussion thread or ticket within the CIS Microsoft 365 Foundations Benchmark community. In addition, Microsoft has developed a set of Office 365 security guidelines and best practices for our customers to follow. These guides can be found in the Office 365 Security and Compliance documentation.

The post Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available

Were excited to announce the availability of the Center for Internet Securitys (CIS) Microsoft 365 Foundations Benchmarkdeveloped by CIS in partnership with Microsoftto provide prescriptive guidance for establishing a secure baseline configuration for Microsoft 365. CIS is a nonprofit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.

Microsoft 365 provides powerful online cloud services that enable collaboration, security, and compliance, mobility, intelligence, and analytics. Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer responsible for others, depending on the service delivery model chosen. To ensure that a customers cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings.

The CIS Microsoft 365 Foundations Benchmark is designed to assist organizations in establishing the foundation level of security for anyone adopting Microsoft 365. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.

The CIS benchmark contains two levels, each with slightly different technical specifications:

  • Level 1: Recommended minimum security settings that should be configured on any system and that should cause little or no interruption of service or reduced functionality.
  • Level 2: Recommended security settings for highly secure environments that could result in some reduced functionality.

The CIS Microsoft 365 Security Benchmark is divided into the following sections:

Section                         | Description                                                                                    | Recommended controls
Account/Authentication policies | Recommendations related to setting the appropriate account and authentication policies.        | 8
Application permissions         | Recommendations related to the configuration of application permissions within Microsoft 365.  | 4
Data management                 | Recommendations for setting data management policies.                                          | 6
Email security/Exchange Online  | Recommendations related to the configuration of Exchange Online and email security.            | 13
Auditing policies               | Recommendations for setting auditing policies on your Microsoft 365 tenant.                    | 14
Storage policies                | Recommendations for securely configuring storage policies.                                     | 2
Mobile device management        | Recommendations for managing devices connecting to Microsoft 365.                              | 13
Total recommendations           |                                                                                                | 60

Each recommendation contains several sections: a recommendation identification number, title, and description; level or profile applicability; rationale; instructions for auditing the control; remediation steps; impact of implementing the control; default value; and references. For example, the first control in the benchmark, in the Account/Authentication policies section, is titled "1.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles (Scored)."

A control is marked as Scored or Not Scored based on whether it can be programmatically tested. In this case, recommendation 1.1 can be audited using Microsoft Graph and PowerShell cmdlets; the specific steps are contained in the Audit section for this recommendation. It is listed as a Level 1 control because it applies only to Microsoft 365 administrative users and would neither have a company-wide impact nor reduce functionality for users. The rationale for recommendation 1.1 is that Microsoft 365 administrative accounts need to be protected due to their powerful privileges: with multifactor authentication in place, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk to the Azure tenant.
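To make the Scored idea concrete, here is an added illustration (not the benchmark's own Audit procedure, and not Microsoft or CIS code) of what a programmatic check for recommendation 1.1 has to do: enumerate the users holding activated directory roles, look at the authentication methods each one has registered, and fail the control if any admin has nothing beyond a password. The record shapes are assumed to follow what the Microsoft Graph endpoints /directoryRoles, /directoryRoles/{id}/members and /users/{id}/authentication/methods return; the sample tenant, its ids and its user names are constructed so the script runs offline.

```python
# Added illustration: an offline model of the kind of programmatic ("Scored") check
# that recommendation 1.1 calls for. The data shapes are assumed to follow what the
# Microsoft Graph endpoints /directoryRoles, /directoryRoles/{id}/members and
# /users/{id}/authentication/methods return; the sample tenant below is constructed.
from typing import Dict, List, Set, Tuple

# Graph authentication-method types that provide a second factor. Email methods
# serve self-service password reset only, so they do not count, and a bare
# password method never counts.
MFA_METHOD_TYPES: Set[str] = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}


def admin_users(roles: List[dict], members_by_role: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Map user id -> {"upn": ..., "roles": set()} for every user that is a
    member of an activated directory role. Service principals and groups can
    also hold roles; they are skipped because 1.1 is scoped to user accounts."""
    admins: Dict[str, dict] = {}
    for role in roles:
        for member in members_by_role.get(role["id"], []):
            if member.get("@odata.type") != "#microsoft.graph.user":
                continue
            entry = admins.setdefault(
                member["id"], {"upn": member["userPrincipalName"], "roles": set()}
            )
            entry["roles"].add(role["displayName"])
    return admins


def has_mfa_method(methods: List[dict]) -> bool:
    """True when at least one registered method can act as a second factor."""
    return any(m.get("@odata.type") in MFA_METHOD_TYPES for m in methods)


def audit_admin_mfa(roles, members_by_role, methods_by_user) -> Tuple[bool, List[dict]]:
    """Scored result: passes only when every admin user has a registered
    second-factor method. Findings list the admins that do not, with their roles."""
    findings = []
    for user_id, info in admin_users(roles, members_by_role).items():
        if not has_mfa_method(methods_by_user.get(user_id, [])):
            findings.append({"user": info["upn"], "roles": sorted(info["roles"])})
    findings.sort(key=lambda f: f["user"])
    return (not findings, findings)


# Constructed sample tenant (ids, role ids and names are made up).
SAMPLE_ROLES = [
    {"id": "role-ga", "displayName": "Global Administrator"},
    {"id": "role-ea", "displayName": "Exchange Administrator"},
]
SAMPLE_MEMBERS = {
    "role-ga": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-alice", "userPrincipalName": "alice@example.com"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-backup", "displayName": "Backup app"},
    ],
    "role-ea": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-alice", "userPrincipalName": "alice@example.com"},
        {"@odata.type": "#microsoft.graph.user", "id": "u-bob", "userPrincipalName": "bob@example.com"},
    ],
}
SAMPLE_METHODS = {
    "u-alice": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "m1"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "id": "m2"},
    ],
    # Bob has only a password plus an SSPR e-mail address: not MFA-capable.
    "u-bob": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "m3"},
        {"@odata.type": "#microsoft.graph.emailAuthenticationMethod", "id": "m4"},
    ],
}

if __name__ == "__main__":
    passed, findings = audit_admin_mfa(SAMPLE_ROLES, SAMPLE_MEMBERS, SAMPLE_METHODS)
    print("1.1 result:", "PASS" if passed else "FAIL")
    for f in findings:
        print(f"  {f['user']} holds {', '.join(f['roles'])} without a second-factor method")
```

Two points a practitioner should keep in mind when turning this into a live audit. First, a registered second-factor method shows that the account can perform MFA, not that it is required to; enforcement comes from the per-user MFA state or from a Conditional Access policy that requires MFA for administrative roles, and a complete check covers that too, so treat the benchmark's own Audit section as authoritative. Second, Graph list calls page their results, so a live collector must follow @odata.nextLink until it is absent or it will silently miss admins.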

Download the benchmark and provide your feedback

The CIS Microsoft 365 Security Benchmark is freely available for download in PDF format on the CIS website. In keeping with CIS's mission, feedback from those who use and implement the benchmarks provides the opportunity for continuous improvement. Feedback can be made visible to CIS by creating a discussion thread or ticket within the CIS Microsoft 365 Foundations Benchmark community. In addition, Microsoft has developed a set of Office 365 security guidelines and best practices for our customers to follow; these guides can be found in the Office 365 Security and Compliance documentation.
