Swedish Windows Security User Group

マイクロソフトでは、毎月第二火曜日を月例のセキュリティ更新日とし、さまざまな製品の脆弱性情報を公開し

Today, Microsoft released Azure Sphere into General Availability (GA). Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. Azure Sphere is an end-to-end solution for securely connecting existing equipment and for creating new IoT devices with built-in security. The solution includes hardware, OS, and …

Calling for security research in Azure Sphere, now generally available Read More »

The post Calling for security research in Azure Sphere, now generally available appeared first on Microsoft Security Response Center.

Another RSA Conference (RSAC) and another big year for the Microsoft Intelligent Security Association (MISA). MISA was launched at RSAC 2018 with 26 members and a year later we had doubled in size to 53 members. Today, I am excited to share that the association has again doubled in size to 102 members.

New members expand the portfolio of MISA integrations

Our new members include a number of ecosystem partners, like RSA, ServiceNow, and Net Motion, which have developed critical integrations that benefit our shared customers and we look forward to deepening our relationship through MISA engagement.

New MISA member RSA is now using Azure Active Directory’s risky user data and other Microsoft security signals to enrich their risk score engine. Additionally, RSA also leverages the Graph Security API to feed their SIEM solution, RSA NetWitness with alerts from the entire suite of Microsoft Security solutions.

 “RSA is excited to showcase the RSA SecurID and RSA NetWitness integrations with Microsoft Security products. Our integrations with Microsoft Defender ATP, Microsoft Graph Security API, Azure AD, and Microsoft Azure Sentinel, help us to better secure access to our mutual customer’s applications, and detect threats and attacks. We’re excited to formalize the long-standing relationship through RSA Ready and MISA to better defend our customers against a world of increasing threats.”
—Anna Sarnek, Head of Strategic Business Development, Cloud and Identity for RSA

The ServiceNow Security Operations integration with Microsoft Graph Security API enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats generated by all Microsoft Security Solutions and custom alerts from Azure Sentinel.

“ServiceNow is pleased to join the Microsoft Intelligent Security Alliance to accelerate security incident response for our shared customers. The ServiceNow Security Operations integration with Azure Sentinel, via the graph security API, enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats.”
—Lou Fiorello, Head of Security Products for ServiceNow

Microsoft is pleased to welcome NetMotion, a connectivity and security solutions company for the world’s growing mobile workforce, into the security partner program. Using NetMotion’s class-leading VPN, customers not only gain uncompromised connectivity and feature parity, they benefit from a VPN that is compatible with Windows, MacOS, Android and iOS devices. For IT teams, NetMotion delivers visibility and control over the entire connection from endpoint to endpoint, over any network, through integration with Microsoft Endpoint Manager (Microsoft Intune).

“NetMotion is designed from the ground up to protect and enhance the user experience of any mobile device. By delivering plug-and-play integration with Microsoft Endpoint Manager, the mobile workforce can maximize productivity and impact without any disruption to their workflow from day one. For organizations already using or considering Microsoft, the addition of NetMotion’s VPN is an absolute no-brainer.”
—Christopher Kenessey, CEO of NetMotion Software

Expanded partner strategy for Microsoft Defender Advanced Threat Protection (ATP)

The Microsoft Defender ATP team worked with our ecosystem partners to take their rich and complete set of APIs a step further to extend the power of our combined platforms. This helps customers strengthen their network and endpoint security posture, add continuous security validation and attack simulation testing, orchestrate and automate incident correlation and remediation, and add threat intelligence and web content filtering capabilities. Read Extending Microsoft Defender ATP network of partners to learn more about their partner strategy expansion and their open framework philosophy.

New product teams join the association

In addition to growing our membership, MISA expanded to cover 12 of Microsoft’s security solutions, including our latest additions: Azure Security Center for IoT Security and Azure DDoS.

Azure Security Center for IoT Security announces five flagship integration partners

The simple onboarding flow for Azure Security Center for IoT enables you to protect your managed and unmanaged IoT devices, view all security alerts, reduce your attack surface with security posture recommendations, and run unified reports in a single pane of glass.

Through partnering with members like Attivo Networks, CyberMDX, CyberX, Firedome, and SecuriThings, Microsoft is able to leverage their vast knowledge pool to help customers defend against a world of increasing IoT threats in enterprise. These solutions protect managed and unmanaged IoT devices in manufacturing, energy, building management systems, healthcare, transportation, smart cities, smart homes, and more. Read more about IoT security and how these five integration partners are changing IoT security in this blog.

Azure DDoS Protection available to partners to combat DDoS attacks

The first DDoS attack occurred way back on July 22, 1999, when a network of 114 computers infected with a malicious script called Trin00 attacked a computer at the University of Minnesota, according to MIT Technology Review. Even after 20 years DDoS continues to be an ever-growing problem, with the number of DDoS attacks doubling in the last year alone and the types of attacks getting increasingly sophisticated with the explosion of IoT devices.

Azure DDoS Protection provides countermeasures against the most sophisticated DDoS threats. The service provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Technology partners can now protect their customers’ resources natively with Azure DDoS Protection Standard to address the availability and reliability concerns due to DDoS attacks.

“Extending Azure DDoS Protection capabilities to Microsoft Intelligent Security Association will help our shared customers to succeed by leveraging the global scale of Azure Networking to protect their workloads against DDoS attacks”
—Anupam Vij, Principal Product Manager, Azure Networking

Learn more

To see MISA members in action, visit the Microsoft booth at RSA where we have a number of our security partners presenting and demoing throughout the week. To learn more about the Microsoft Intelligent Security Association, visit our webpage or the video playlist of member integrations. For more information on Microsoft security solutions, visit our website.

The post MISA expands with new members and new product additions appeared first on Microsoft Security.

Today Azure Sphere—Microsoft’s integrated security solution for IoT devices and equipment—is widely available for the development and deployment of secure, connected devices. Azure Sphere’s general availability milestone couldn’t be timelier. From consumer device hacking and botnets to nation state driven cyberterrorism, the complexity of the landscape is accelerating. And as we expand our reliance on IoT devices at home, in our businesses and even in the infrastructure that supports transit and utilities, cybersecurity threats are increasingly real to individuals, businesses and society at large.

From its inception in Microsoft Research to general availability today, Azure Sphere is Microsoft’s answer to these escalating IoT threats. Azure Sphere delivers quick and cost-effective device security for OEMs and organizations to protect the products they sell and the critical equipment that they rely on to drive new business value.

To mark today’s general availability milestone, I sat down with Galen Hunt, distinguished engineer and product leader of Azure Sphere to discuss the world of cybersecurity, the threat landscape that businesses and governments are operating in, and how Microsoft and Azure Sphere are helping organizations confidently and securely take advantage of the opportunities enabled by IoT.

 

ANN JOHNSON: Let me start by asking about a comment I once heard you make, where you refer to the internet as “a cauldron of evil.” Can you give us a little insight into what you mean?

GALEN HUNT: Well, I actually quote James Mickens. James is a former colleague at Microsoft Research, and he’s now a professor at Harvard. Those are his words, the idea of the internet being a cauldron of evil. But I love it, because what it really captures is what the internet really is.

The internet is a place of limitless potential, but when you connect a device to the internet, you’re also creating a two-way street; anybody can come in off the internet and try to attack you.

Everything from nation states to petty criminals to organized crime is out there, operating on the internet. As we think about IoT—which is my favorite topic—being aware of the dangers is the first step to being prepared to address them.

ANN JOHNSON: When you’re thinking about folks that are in charge of security organizations, or even folks who have to secure the environment for themselves, what do you view as the biggest threats, and also the biggest opportunities for companies like Microsoft to address those threats?

GALEN HUNT: I think the biggest threat is—and I’m coming at this from the IoT side of things—as we’re able to connect every single device in an enterprise or every single device in a home to the internet, there’s real risk. By compromising those devices, someone can invade our privacy, they can have access to our data, they can manipulate our environment. Those are real risks.

In the traditional internet, the non-Internet-of-Things internet, the damage that could be done was purely digital. But in a connected IoT environment, remote actors are able to affect or monitor not just the digital environment but also the actual physical environment. So that creates all sorts of risks that need to be addressed.

In response, the power that a company like Microsoft can bring is our deep experience in internet security. We’ve been doing it for years. We can help other organizations leverage that experience. That’s a tremendous opportunity we have to help.

ANN JOHNSON: So, with that, walk us through what Azure Sphere is—how do you see our customers and our partners leveraging the technology?

GALEN HUNT: There are four components to Azure Sphere: three of them are powered by technology and one of them is powered by people. Those components combine to form an end-to-end solution that allows any organization that’s building or connecting devices to have the very best of what we know about making internet-connected devices secure.

Let’s talk about the four components.

The first of the three technical components is the certified chips that are built by our silicon partners, they have the hardware root of trust that Microsoft created. These are chips that provide a foundation of security, starting in the silicon itself, and provide connectivity and compute power for these devices.

The second technical component of Azure Sphere is the Azure Sphere operating system. This runs on the chips and creates a secure software environment.

The third technical component is the cloud-based Azure Sphere security service. The security service connects with every single Azure Sphere chip, with every single Azure Sphere operating system, and works with the operating system and the chip to keep the device secured throughout its lifetime.

ANN JOHNSON: So, you’ve got hardware, software, and the cloud, all working together. What about the human component?

GALEN HUNT: The fourth component of Azure Sphere is our people and all their security expertise. Our team provides ongoing security monitoring of Azure Sphere devices and, actually, of the full ecosystem. As we identify new types of attacks and new emerging security vulnerabilities, we will upgrade our operating system and the cloud services to mitigate against those new kinds of attacks. Then we will deploy updates to every Azure Sphere-based device, globally. So, we’re providing ongoing support, and ongoing security improvements for those devices.

ANN JOHNSON: I want to make this real for folks. Walk me through a use case; where would somebody actually implement and use Azure Sphere? How does their infrastructure or architecture fit in?

GALEN HUNT: Okay, let’s start with a device manufacturer. They say, okay we’re going to create a new device, and we want to have that device be an IoT device. We want it to connect to the internet, so it can be integrated into an organization’s digital feedback loop. And so, they will buy a chip, an Azure Sphere-based microcontroller or SoC, which will serve as the primary processing component, and they build that into their device. The Azure Sphere chip provides the compute power and secured connectivity.

Now, of course not everybody is building a brand-new device from scratch. There are a lot of existing devices out there that are very valuable. Sometimes they’re too valuable to take on the risk of connecting them and exposing them to the internet. One of the things we’ve developed during the Azure Sphere preview period is a new class of device that we call a “guardian module.” The guardian module is a very small device—no larger than the size of a deck of cards—built around an Azure Sphere chip. An organization interested in connecting existing devices can connect through the guardian module and pull data from that existing device and securely connect it to the cloud. The guardian modules, powered by Azure Sphere, are a way to add highly secure connectivity—even to existing devices—that’s protected by Microsoft.

ANN JOHNSON: Interesting, it solves a pretty big problem with device security, especially as we continue to see a massive proliferation of devices in our environment, most of which are unmanaged. What do you think is slowing the broad adoption of security related to connected devices?

GALEN HUNT: Well, there are a couple of things. I think the biggest barrier, up until now, has been the lack of an end-to-end solution. For companies that have had aspirations to build or to buy highly secured devices, each device has been a one-off. Customers have had to completely build a unique solution for each device, and that just takes an incredible amount of expertise and hard work.

The other obstacle I’ve found is that organizations realize that they need secure devices, but they just don’t know where to begin. They don’t know what they should be looking for, from a device security perspective. There’s a bit of a temptation to look for a security feature checklist instead of really understanding what’s required to have a device that’s highly secured.

ANN JOHNSON: I know you’ve given this a lot of consideration and your background gives you a deeper view into what it takes to secure devices. You wrote a paper on the seven properties of highly secure devices, based on a lot of research you’ve done on the topic. How did you coalesce on the seven properties and how customers can implement them securely?

GALEN HUNT: Yes, I’m a computer scientist, and for over 15 years I ran operating systems research in Microsoft Research. About five years ago, someone walked into my office with a schematic, or a floor map, of a brand new—actually, still under development—microcontroller. This was actually the very first of a new class of a microcontroller.

A microcontroller, for anybody who is not familiar, is a single-chip computer that has processer, and storage, memory, and IoT capabilities. Microcontrollers are used in everything from toys, to appliances, even industrial equipment. Well, this was the first time I had seen a microcontroller, a programmable microcontroller, with the physical capabilities required to be able to connect to the internet—built in—and at a price point that was just a couple of dollars.

When I looked at this thing, I realized that for the price of a cup of coffee, anything on the planet that had electricity could be turned into an internet device. I realized I was looking at the fifth generation of computing, and that was a terribly exciting thought. But the person who had come into my office was asking, what kind of code should we run on this so that it would be secure if we did want to build internet-connected devices with it?

And what I realized, really quickly, was that even though it had some great security features, it lacked much of what was required to build a secure device from a software perspective, and that set me off on journey. I imagined this dystopian future where there are nine billion new insecure devices being added to the world’s population, every year.

ANN JOHNSON: Sure, the physical risks of device hacking make nine billion insecure IoT devices a daunting thought.

GALEN HUNT: Well for me, that was a really scary thought. And as a scientist, I said, well we know that Microsoft and our peer companies have built devices that have been out on the internet. They’ve been connected for at least a five-year period and have withstood relentless attacks from hackers and other ne’er-do-wells. The driving question of our next phase of work was: why are some devices highly secure, and what is it that separates them?

And we did a very scientific study of finding these secure devices and trying to figure out the qualities and the properties that they had in common, and this led to our list of these seven properties. We published that paper, which then led to more experiments.

Now, the devices we found that had these seven properties were devices that had hundreds of dollars in electronics in them, and, you know, that’s not going to scale to every device on the planet. You’re not going to be able to add hundreds of dollars of electronics to every device on the planet, like a light bulb, in order to get security.

Then we wondered if we could build a very, very small and a very, very economical solution that contained all seven properties. And that’s what ultimately led us to Azure Sphere. It’s a solution that, really, for just a few dollars, any company can build a device that is highly secured.

ANN JOHNSON: So, the device itself is highly secured; it has all these built-in capabilities, but one of the biggest problems our customers face is fundamentally a talent shortage, right? Is there something that we’re inherently doing here, with Azure Sphere, that could make it easier for customers?

GALEN HUNT: Yes. Fundamentally what we’re trying to do is create a scalable solution, and it is Microsoft talent that helps these companies create these highly secure devices. There’s something like a million-plus openings in the field of security professionals. Globally there’s a huge talent shortage.

With Azure Sphere we allow a company that doesn’t have really deep security expertise to draft off of our security talent. There are a few areas of expertise that one has to have in order to build a highly-secure device with similar capabilities to Azure Sphere.

Sometimes I’ll use the words technology, talent, and tactics. You have to have the technical expertise to actually build a device that has a high degree of security in it. Not just a device with a checklist of features, but with true integration across all components for gap-free security. Then, once the device is built and deployed out into the wild, you need the talent to fight the ongoing security battle. That talent is watching for and detecting emerging security threats and coding up mitigations to address them. And finally, you’ll have to scale out those updates to every device. That’s a really deep set of expertise, talent, and tactics and, for the most part, it’s very much outside of what many companies know how to do.

When building on top of Azure Sphere, instead of staffing or developing all of this expertise outside of their core business, organizations can instead outsource that to Microsoft.

ANN JOHNSON: That’s a really great way to put it. It also gives you that end-to-end security integration, right? Because I would imagine Azure Sphere is going to integrate with all of Microsoft’s infrastructure and services?

GALEN HUNT: In building Azure Sphere, we leveraged pretty deeply a lot of expertise and a lot of talent that we have at Microsoft. Take, for example, the infrastructure that we use to scale out the deployment of new updates. We leveraged the infrastructure that Microsoft created for the Windows update service—and, our operating system is much, much smaller than Windows. So now we have the capability to update billions of devices, globally, per hour. We also have a place where we can tie Azure Sphere into the Azure Security Center for IoT.

We also really drew on all of the expertise around Visual Studios for very scalable software development. We brought that power even to the smaller microcontroller class devices.

And the hardware root of trust that we put inside of every single Azure Sphere chip. That hardware root of trust is not something that we just created, just woke up one day and said, hey, let’s build a hardware root of trust from scratch. We actually built it based on our learning from the Xbox console.

The Xbox console, over 15 years has made three huge generational leaps. Those consoles can live in hostile environments—from a digital security perspective and a physical security perspective. So, we’ve taken everything we’ve learned about how to make those devices highly secured and applied it to building the hardware root of trust inside Azure Sphere. These are some of the ways that we’re really leveraging a lot of Microsoft’s deep expertise.

ANN JOHNSON: Today, marks the general availability of Azure Sphere—which I’m super excited about, by the way! But I know you’ve been thinking for a long time about how we solve some of these bigger problems, particularly the explosion of IoT, and how customers are going to have to think about that within the next two, to three, to five, to ten years from now. What are the challenges you see ahead for us, and what are the benefits our customers will be able to realize?

GALEN HUNT: We’re excited as well—it’s a huge milestone for the team. Even at this point, at GA, we’re only at the beginning of our real journey with our customers. One of our immediate next steps is scaling out the silicon ecosystem. MediaTek is our first silicon partner. Their MT3620 chip is available in volume today, and it’s the perfect chip, especially for guardian modules and adding secure connectivity to many, many devices.

With microcontrollers, there are many, many verticals. They range in everything from toys to home appliances, to big industrial equipment. And no single chip scales across that entire ecosystem effectively, so we’ve engaged other silicon partners. In June, NXP, the world’s number one microcontroller manufacturer, announced their timeline for their very first Azure Sphere chip. And that chip will add much larger compute capabilities. For example, they’ll do AI, and vision, and graphics, and more sophisticated user interfaces. And then in October, Qualcomm announced that they’ll build the very first cellular native Azure Sphere chip.

The other place we see ourselves growing is in adding more enterprise readiness features. As we’ve engaged with some of our early partners, for example, Starbucks, and have helped them deploy Azure Sphere across their stores in North America, we’ve realized that there’s a lot we can do to really help integrate Azure Sphere better with existing enterprise systems to make that very, very smooth.

ANN JOHNSON: There’s a lot of noise about tech regulations, certainly about IoT and different device manufacturing procedures. How are we thinking about innovation in the context of balancing it with regulation?

GALEN HUNT: So, let’s talk about innovation and regulation. There are times when you want to step out of the way and just let people innovate as much as possible. And then there are times as an industry, or as a society we want to make sure we establish a baseline.

Take food safety, for example. The science of food safety is very well established. Having regulations makes sure that no one cuts corners on safety for the sake of economic expediency. Most countries have embraced some kind of regulations around food safety.

IoT is another industry where it’s in everybody’s favor that all devices be secure. If consumers and enterprises can know that every device has a strong foundation of security and trustworthiness, then they’ll be more likely to buy devices, and build devices, and deploy devices.

And so I really see it as an opportunity whereby collectively and, with governments encouraging baseline levels of security, agreeing on a strong foundation of security we’ll all feel confident in our environment, and that’s really a positive thing for everybody.

ANN JOHNSON: That’s really a great perspective, and I think that we’ve always been that way at Microsoft, right? We view regulation in a positive way and thinking that it needs to be the right regulation across a wide variety of things that we’re doing, whether it be AI, just making sure that it’s being used for ethical use cases.

Which brings me to that last-wrap question, what’s next, what are your next big plans, what’s your next big security disruption?

GALEN HUNT: We recently announced new chips from NXP and Qualcomm, we’ll continue our focus on expanding our silicon and hardware ecosystem to deliver more choice for our customers. And then beyond that, our next big plan is to take Azure Sphere everywhere. We’ve demonstrated it’s possible, but I think we’re just starting to scratch the surface of secured IoT. There’s so much ability for innovation, and the devices that people are building, and the way that we’re using devices. When we’re really able to close this digital feedback loop and really interact between the digital world and the physical world, it’s just a tremendous opportunity, and so that’s where I’m going.

ANN JOHNSON: Excellent, well, I really appreciate the conversation. Azure Sphere is a great example of the notion that while cybersecurity is complex, it does not have to be complicated. Azure Sphere helps our customers overcome today’s complicated IoT security challenges. Thank you, Galen, for some great insights into the current IoT security landscape and how Microsoft and Azure Sphere are advancing IoT device security with the broad availability of Azure Sphere today.

 

If you are interested in learning more about how Azure Sphere can help you securely fast track your next IoT innovation.

• Visit the Azure Sphere website to learn more.
• See how customers like Starbucks are using Azure Sphere to drive efficiency and consistency in their retail operations.
• Read more about the Seven Properties of Highly Secured Devices.

 

About Ann Johnson and Galen Hunt

Ann Johnson is the Corporate Vice President of the Cybersecurity Solutions Group at Microsoft where she oversees the go-to-market strategies of cybersecurity solutions. As part of this charter, she leads and drives the evolution and implementation of Microsoft’s short- and long-term security, compliance, and identity solutions roadmap with alignment across the marketing, engineering, and product teams.

Prior to joining Microsoft, her executive leadership roles included Chief Executive Officer of Boundless Spatial, President and Chief Operating Officer of vulnerability management pioneer Qualys, Inc., and Vice President of World Wide Identity and Fraud Sales at RSA Security, a subsidiary of EMC Corporation.

Dr. Galen Hunt founded and leads the Microsoft team responsible for Azure Sphere. His team’s mission is to ensure that every IoT device on the planet is secure and trustworthy. Previously, Dr. Hunt pioneered technologies ranging from confidential cloud computing to light-weight container virtualization, type-safe operating systems, and video streaming. Dr. Hunt was a member of Microsoft’s founding cloud computing team.

Dr. Hunt holds over 100 patents, a B.S. degree in Physics from University of Utah and Ph.D. and M.S. degrees in Computer Science from the University of Rochester.

The post Azure Sphere—Microsoft’s answer to escalating IoT threats—reaches general availability appeared first on Microsoft Security.

Today, Microsoft released Azure Sphere into General Availability (GA).
Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. Azure Sphere is an end-to-end solution for securely connecting existing equipment and for creating new IoT devices with built-in security. The solution includes hardware, OS, and a cloud service, as well as ongoing security and OS updates to help ensure devices remain secured as threats evolve over time.

Today, Microsoft released Azure Sphere into General Availability (GA).
Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. Azure Sphere is an end-to-end solution for securely connecting existing equipment and for creating new IoT devices with built-in security. The solution includes hardware, OS, and a cloud service, as well as ongoing security and OS updates to help ensure devices remain secured as threats evolve over time.

Today on the Official Microsoft Blog, Ann Johnson, Corporate Vice President of the Cybersecurity Solutions Group, shared how Microsoft is helping turn the tide in cybersecurity by putting artificial intelligence (AI) in the hands of defenders. She announced the general availability of Microsoft Threat Protection, new platforms supported by Microsoft Defender Advanced Threat Protection (ATP), new capabilities in Azure Sentinel, and the general availability of Insider Risk Management in Microsoft 365.

Today, we’re also announcing:

• An expanded public preview of FIDO2 security key support in Azure Active Directory (AD) to encompass hybrid environments. Workers can now sign in to work-owned Windows 10 devices with their Azure AD accounts using a FIDO2 security key instead of a password and automatically get single sign-on (SSO) to both on-premises and cloud resources.
• New integration between Microsoft Cloud App Security and Microsoft Defender ATP that enables endpoint-based control of unsanctioned cloud applications. Administrators can now control the unauthorized use of cloud apps with protection built right into the endpoint.
• Azure Security Center for IoT now supports a broader range of devices including Azure RTOS OS, Linux specifically Ubuntu and Debian, and Windows 10 IoT core. SecOps professionals can now reason over signals in an experience that combines IT and OT into a single view.
• Two new features of Office 365 Advanced Threat Protection (ATP), campaign views and compromise detection and response, are now generally available. Campaign views gives security teams a complete view of email attack campaigns and makes it easier to address vulnerable users and configuration issues. Compromise detection and response speeds the detection of compromised users and is critical to ensuring that attacks are blocked early, and the impact of a breach is minimized.
• In partnership with Terranova, we will offer customized user learning paths in Office 365 ATP later this year. User education needs to be part of every organization’s security strategy and we are investing to raise security awareness training efficacy.

These innovations are just a part of our commitment to built-in and cross-platform security that embraces AI and is deeply integrated together.

This integration also spans a broad ecosystem of security vendors to help solve for our customers’ security and compliance needs. We now have more than 100 members in the Microsoft Intelligent Security Association, including new members such as ServiceNow, Thales, and Trend Micro, and new IoT security solution providers like Attivo Networks, CyberMDX, CyberX, and Firedome to alleviate the integration challenges enterprises face.

To recognize outstanding efforts across the security ecosystem, on February 23, 2020—the night before the RSA Conference begins—we’ll host our inaugural security partner awards event, Microsoft Security 20/20, to celebrate our partners.

Good people, supported by AI and automation, have the advantage in the ongoing cybersecurity battle. That’s why we continue to innovate with new security and compliance solutions to help our customers in this challenge.

The post New Microsoft Security innovations and partnerships appeared first on Microsoft Security.

Microsoft Insider Risk Management and Communication Compliance in Microsoft 365—now generally available—help organizations address internal risks, such as IP theft or code of conduct policy violations. The new Microsoft Insider Risk Management solution helps to quickly identify, detect, and act on insider threats. The solution leverages Microsoft Graph and other services to analyze real-time native signals across Microsoft 365 and third-party applications—including file activity, communications sentiment, abnormal user behaviors, and HR events. Communication Compliance in Microsoft 365 leverages machine learning to quickly identify and help you act on code of conduct policy violations in company communications channels, while also helping regulated organizations meet specific supervisory compliance requirements.

To learn more, read Leverage AI and machine learning to address insider risks.

The post Microsoft Insider Risk Management and Communication Compliance in Microsoft 365 now generally available appeared first on Microsoft Security.

SecOps teams are increasingly challenged to protect assets across distributed environments, analyze the growing volume of security data, and prioritize response to real threats.

As a cloud-native SIEM solution (security information and event management), Azure Sentinel uses artificial intelligence (AI) and automation to help address these challenges. Azure Sentinel empowers SecOps teams to be more efficient and effective at responding to threats in the cloud, on-premises, and beyond.

Our innovation continues, and we have some exciting news to share for the RSA 2020 conference including the ability to import AWS CloudTrail data for free through June 2020, opportunities to win up to $1,000 for community contributions, and many other product updates.

Enable unified response across multiple clouds—now with free import of AWS CloudTrail data through June 2020

More than 60 percent of enterprises have a hybrid cloud strategy—a combination of private and multi-cloud deployments. We’re committed to help SecOps teams defend the entire stack, not just Microsoft workloads. That’s why Azure Sentinel includes built-in connectors to bring together data from Microsoft solutions with data from other cloud platforms and security solutions.

You can already ingest data from Azure activity logs, Office 365 audit logs, and alerts from Microsoft 365 security solutions at no additional cost. To further help our customers secure their entire multi-cloud estate, today we’re announcing the ability to import your AWS CloudTrail logs into Azure Sentinel at no additional cost from February 24, 2020 until June 30, 2020.

New and existing customers of Azure Sentinel can take advantage of this offer by using the built-in connector for AWS CloudTrail logs. Data retention charges after 90 days period and other related charges are applicable during this time as per Azure Sentinel terms. Learn more about Azure Sentinel pricing.

Once connected to your AWS CloudTrail logs, you can visualize and get relevant insights using built-in workbooks. You can even customize these dashboards and combine insights from other sources to meet your needs:

Detections and hunting queries developed by Microsoft Security experts will make it easier to identify and respond to potential threats in your AWS environment:

Gain visibility into threats targeting IoT

With the exponential growth in connected devices creating an uptick in attacks targeting IoT, it is critical for enterprise SecOps teams to include IoT data in their scope. A new Azure Security Center for IoT connector makes it easy for customers to onboard data from Azure IoT Hub-managed deployments into Azure Sentinel. Customers can now monitor alerts across all IoT Hub deployments along with other related alerts in Azure Sentinel, inspect and triage IoT incidents, and run investigations to track an attacker’s lateral movement within their enterprise.

With this announcement Azure Sentinel is the first SIEM with native IoT support, allowing SecOps and analysts to identify threats in these complex converged environments.

In addition, Upstream Security, a cloud-based automotive cybersecurity detection and response company, is launching integration with Azure Sentinel. This will enable customers to send threats detected by Upstream Security’s C4 platform to Azure Sentinel for further investigation.

Collect data from additional data sources

We’re continually adding new data connectors from leading security solutions and partners. Each of these data connectors have sample queries and dashboards to help you start working with the data immediately in Azure Sentinel:

• Forcepoint—Three new connectors enable customers to bring in data from Forcepoint NextGen Firewall logs (NGFW), Cloud Access Security Broker (CASB) logs and events, and Data Loss Prevention (DLP) incident data in Azure Sentinel.
• Zimperium—Customers can use the Zimperium Mobile Threat Defense (MTP) connector to get Zimperium threat logs in Azure Sentinel.
• Squadra technologies—Customers can get their Squadra secRMM (security removable media manager) event data for the USB removable devices in Azure Sentinel.

Bring SIGMA detections to Azure Sentinel

The SOC Prime Threat Detection Marketplace—which includes 950+ rules mapped to MITRE ATT&CK to address over 180 attacker techniques—now supports Azure Sentinel analytics rules. The SOC Prime marketplace provides unprecedented access to the latest threat detection content from the SIGMA community, SOC Prime team, and its Threat Bounty Program members. New detection rules are continuously created and updated by security researchers and published daily at the SOC Prime marketplace, helping companies to detect latest threats, vulnerability exploitation attempts and enable TTP-based threat hunting. Once the rules are published, using the Azure Sentinel integration you can instantly deploy them from within TDM to your Azure Sentinel instance with just one click.

Use ReversingLabs threat intelligence to inform threat response

ReversingLabs brings two new integrations to Azure Sentinel, enabling customers to leverage rich ReversingLabs threat intelligence for hunting and investigation in Azure Sentinel. The first integration features an Azure Sentinel Notebooks sample that connects to the Reversing Labs API to enable hunting scenarios that include ReversingLabs threat intelligence data. In addition, a new ReversingLabs TitaniumCloud connector for Azure Logic Apps and sample playbook enable security incident responders to automatically identify key information about file-based threats to rapidly triage incoming alerts.

Detect threats with greater confidence using new machine learning models

Azure Sentinel uses AI-based Fusion technology to stitch together huge volumes of low and medium fidelity alerts across different sources and then elevates the combined incidents to a high priority alert that security professionals can investigate. Learn how Azure Sentinel evaluated nearly 50 million suspicious signals for Microsoft in a single month to create just 23 high confidence incidents for our SecOps team to investigate.

In addition to the existing machine learning detections that look for multi-stage attacks, we are introducing several new scenarios in public preview using Microsoft Defender Advanced Threat Protection (ATP) and Palo Alto logs. These new detections will help SecOps teams to identify attacks that may otherwise be missed and reduce the mean time to remediate threats.

Manage incidents across multiple tenants and workspaces

Managed security service providers and large enterprises often need a central place to manage security incidents across multiple workspaces and tenants. Integration of Azure Sentinel with Azure Lighthouse now lets you view and investigate incidents from different tenants and workspaces in a central pane. This will also help enterprises who need to keep separate workspaces in different regions to meet regulatory requirements while managing incidents in a central place.

Join the Azure Sentinel private preview in Azure Government

Azure Sentinel is now available in private preview in Azure Government, starting with US Gov Virginia region. To join the preview please contact us at sentinelazuregov@microsoft.com.

Azure Sentinel is currently going through the FedRAMP-High certification process, and Microsoft anticipates achieving compliance by the summer of 2020.

Get rewarded up to $1,000 for your contributions to the Azure Sentinel community

Cybersecurity is a community-driven effort with defenders helping each other to scale against sophisticated, rapidly evolving threats. Azure Sentinel has a thriving community of threat hunters that share hunting, detection and investigation queries, automated workflows, visualizations, and much more in the Azure Sentinel GitHub repository.

We’re announcing a special program for our threat hunter community, featuring:

• Rewards from $250 up to $1,000 for a variety of contributions. The first submission that meets the requirements gets the reward. Rewards are subject to Microsoft terms and conditions.
• Recognition of top community contributors on GitHub, in blog posts, and Tweets.

Review the Recognition and Rewards documentation and see our newly redesigned GitHub experience.

Try Azure Sentinel and visit us at the RSA Conference 2020

Since the general availability of Azure Sentinel last September, there are many examples of how Azure Sentinel helps customers like ASOS, Avanade, University of Phoenix, SWC Technology Partners, and RapidDeploy improve their security across diverse environments while reducing costs.

It’s easy to get started. You can access the new features in Azure Sentinel today. If you are not using Azure Sentinel, we welcome you to start a trial.

Our team will be showcasing Azure Sentinel at the RSA Conference next week. Take a look at all the featured sessions, theater sessions and other activities planned across Microsoft Security technologies. We hope to meet you all there.

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Free import of AWS CloudTrail logs through June 2020 and other exciting Azure Sentinel updates appeared first on Microsoft Security.

Cybercrime is as much a people problem as it is a technology problem. To respond effectively, the defender community must harness machine learning to compliment the strengths of people. This is the philosophy that undergirds Azure Sentinel. Azure Sentinel is a cloud-native SIEM that exploits machine learning techniques to empower security analysts, data scientists, and engineers to focus on the threats that matter. You may have heard of similar solutions from other vendors, but the Fusion technology that powers Azure Sentinel sets this SIEM apart for three reasons:

1. Fusion finds threats that fly under the radar, by combining low fidelity, “yellow” anomalous activities into high fidelity “red” incidents.
2. Fusion does this by using machine learning to combine disparate data—network, identity, SaaS, endpoint—from both Microsoft and Partner data sources.
3. Fusion incorporates graph-based machine learning and a probabilistic kill chain to reduce alert fatigue by 90 percent.

You can get a sense of how powerful Fusion is by looking at data from December 2019. During that month, billions of events flowed into Azure Sentinel from thousands of Azure Sentinel customers. Nearly 50 billion anomalous alerts were identified and graphed. After Fusion applied the probabilistic kill chain, the graph was reduced to 110 sub graphs. A second level of machine learning reduced it further to just 25 actionable incidents. This is how Azure Sentinel reduces alert fatigue by 90 percent.

New Fusion scenarios—Microsoft Defender ATP + Palo Alto firewalls

There are currently 35 multi-stage attack scenarios generally available through Fusion machine learning technology in Azure Sentinel. Today, Microsoft has introduced several additional scenarios—in public preview—using Microsoft Defender Advanced Threat Protection (ATP) and Palo Alto logs. This way, you can leverage the power of Sentinel and Microsoft Threat Protection as complementary technologies for the best customer protection.

• Detect otherwise missed attacks—By stitching together disparate datasets using Bayesian methods, Fusion helps to detect attacks that could have been missed.
• Reduce mean time to remediate—Microsoft Threat Protection provides a best in class investigation experience when addressing alerts from Microsoft products. For non-Microsoft datasets, you can leverage hunting and investigation tools in Azure Sentinel.

Here are a few examples:

An endpoint connects to TOR network followed by suspicious activity on the Internal network—Microsoft Defender ATP detects that a user inside the network made a request to a TOR anonymization service. On its own this incident would be a low-level fidelity. It’s suspicious but doesn’t rise to the level of a high-level threat. Palo Alto firewalls registers anomalous activity from the same IP address, but it isn’t risky enough to block. Separately neither of these alerts get elevated, but together they indicate a multi-stage attack. Fusion makes the connection and promotes it to a high-fidelity incident.

A PowerShell program on an endpoint connects to a suspicious IP address, followed by suspicious activity on the Internal network—Microsoft Defender ATP generates an alert when a PowerShell program makes a suspicious network connection. If Palo Alto allows traffic from that IP address back into the network, Fusion ties the two incidents together to create a high-fidelity incident

An endpoint connects to a suspicious IP followed by anomalous activity on the Internal network—If Microsoft Defender ATP detects an outbound connection to an IP with a history of unauthorized access and Palo Alto firewalls allows an inbound request from that same IP address, it’s elevated by Fusion.

How Fusion works

1. Construct graph

The process starts by collecting data from several data sources, such as Microsoft products, Microsoft security partner products, and other cloud providers. Each of those security products output anomalous activity, which together can number in the billions or trillions. Fusion gathers all the low and medium level alerts detected in a 30-day window and creates a graph. The graph is hyperconnected and consists of billions of vertices and edges. Each entity is represented by a vertex (or node). For example, a vertex could be a user, an IP address, a virtual machine (VM), or any other entity within the network. The edges (or links) represent all the activities. If a user accesses company resources with a mobile device, both the device and the user are represented as vertices connected by an edge.

Once the graph is built there are still billions of alerts—far too many for any security operations team to make sense of. However, within those connected alerts there may be a pattern that indicates something more serious. The human brain is just not equipped to quickly remove it. This is where machine learning can make a real difference.

2. Apply probabilistic kill chain

Fusion applies a probabilistic kill chain which acts as a regularizer to the graph. The statistical analysis is based on how real people—Microsoft security experts, vendors, and customers—triage alerts. For example, defenders prioritize kill chains that are time bound. If a kill chain is executed within a day, it will take precedence over one that is enacted over a few days. An even higher priority kill chain is one in which all steps have been completed. This intelligence is encoded into the Fusion machine learning statistical model. Once the probabilistic kill chain is applied, Fusion outputs a smaller number of sub graphs, reducing the number of threats from billions to hundreds.

3. Score the attack

To reduce the noise further, Fusion uses machine learning to apply a final round of scoring. If labeled data exists, Fusion uses random forests. Labeled data for attacks is generated from the extensive Azure red team that execute these scenarios. If labeled data doesn’t exist Fusion uses spectral clustering.

Some of the criteria used to elevate threats include the number of high impact activity in the graph and whether the subgraph connects to another subgraph.

The output of this machine learning process is tens of threats. These are extremely high priority alerts that require immediate action. Without Fusion, these alerts would likely remain hidden from view, since they can only be seen after two or more low level threats are stitched together to shine a light on stealth activities. AI-generated alerts can now be handed off to people who will determine how to respond.

The great promise of AI in cybersecurity is its ability to enable your cybersecurity people to stay one step ahead of the humans on the other side. AI-backed Fusion is just one example of the innovative potential of partnering technology and people to take on the threats of today and tomorrow.

Learn more

Read more about Azure Sentinel and dig into all the Azure Sentinel detection scenarios.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Azure Sentinel uncovers the real threats hidden in billions of low fidelity signals appeared first on Microsoft Security.

Attackers will cross multiple domains like email, identity, endpoints, and applications to find the point of least resistance. Today’s defense solutions have been designed to protect, detect, and block threats for each domain separately, allowing attackers to exploit the seams and threshold differences between solutions—leaving the business vulnerable to attack. While one facet of an attack may be caught and blocked in email, the same threat actor may have also compromised identities by exploiting weak passwords or leaked credentials, or by fooling people into providing their passwords or authorization tokens. It’s also possible for point solutions to overlook critical signals entirely because, in isolation, they failed to register as significant.

The industry as a whole has struggled to win this battle, but we can turn the tide. The current class of security solutions can do a better job of stopping or even preventing the spread of attacks by looking at the entire security stack as a living organism. We have to force a shift in the protection paradigm by moving from a model of reactive detection and response based on siloed security solutions to proactive protection. We cannot leave security teams to manually coordinate signals across domains to fully understand the breadth of the attack and how to stop it. Threat protection that changes our approach to attacks requires built-in intelligence that can understand how an attack got in, prevent its spread across domains, and automatically heal compromised assets.

Microsoft Threat Protection coordinates defenses to stop attacks from spreading and auto-heal impacted assets

Generally available Microsoft Threat Protection (MTP) provides the built-in intelligence, automation, and integration to coordinate protection, detection, response, and prevention by combining and orchestrating into a single solution the capabilities of Microsoft Defender Advanced Threat Protection (ATP) (endpoints), Office 365 ATP (email), Azure ATP (identity), and Microsoft Cloud App Security (apps).

With MTP, security teams can:

• Automatically block attacks and eliminate their persistence to keep them from starting again. MTP looks across domains to understand the entire chain of events, identify affected assets, and protect your most sensitive resources. When, for example, a compromised user or an at-risk device tries to access confidential information, MTP applies conditional access and blocks the attack, delivering on the Zero Trust model.
• Prioritize incidents for investigation and response. MTP lets you focus on what matters the most by correlating alerts and low-level signals into incidents to determine the full scope of the threat across Microsoft 365 services. Incidents provide a complete picture of the threat in real time and in a single, cohesive console.
• Auto-heal assets. MTP identifies affected assets like users, endpoints, mailboxes, and applications, and returns them to a safe state. Automated healing includes actions like identifying and terminating malicious processes on endpoints and removing mail forwarding rules attackers put in place and marking users as compromised in the directory.
• Focus unique expertise on cross-domain hunting. MTP empowers the security team to be proactive, giving them back the time they need to learn from our insights, harden defenses, and keep out more threats. It also lets them use their unique organizational knowledge like proprietary indicators of compromise, org-specific behavioral patterns, and free-form research to actively hunt for threats across domains with custom queries over raw data.

Microsoft’s protection, detection, and response solutions have consistently achieved leadership placement, including in Gartner’s Endpoint Protection Platform Magic Quadrant, Gartner’s Cloud Access Security Broker (CASB) Magic Quadrant and Forrester’s Endpoint Security Suites Wave. Our world-class security research teams study attacker behaviors within each of these solution domains and, more importantly, how attackers traverse these domains in pursuit of their ultimate objective.

Not only have we embraced the MITRE ATT&CK framework for endpoints, we joined the MITRE Center for Threat Informed Defense as a Founding Research Sponsor to share and grow our understanding of the full scope of cross-domain attacker behaviors. The deep knowledge we have about each of these pillars of protection, combined with the more than 100 members in the Microsoft Intelligent Security Association (MISA), provides our customers with the holistic protection prevention they need to finally get ahead of attacks.

Coordinated defenses to uncover the full attack kill chain can help block nation-state level attacks

Cloud services significantly expand the traditional perimeter that defenders have to monitor and protect, introducing novel attack scenarios. HOLMIUM, a well-known adversary focused on victims mostly in the energy and aerospace sectors where the payouts are massive, has been one of the first to use cloud attack vectors.

In 2019, the Microsoft Threat Intelligence Center notified nearly 10,000 customers targeted by a few nation-state actors, citing HOLMIUM as one of the most active. Sophisticated attacks like this are why MTP was created. A recent HOLMIUM attack pattern demonstrates this: HOLMIUM targets identities in the cloud as a first step. After compromising an identity, the adversary leverages cloud APIs to persist, using a cloud email configuration to run malicious PowerShell on the endpoint every time Outlook is opened by the user. A conventional approach to containing this threat may start with the endpoint; when the PowerShell activity is detected, the SOC remediates the endpoint. However, in this case the attacker is persistent in the cloud and so the endpoint could be immediately compromised again.

MTP looks at the bigger picture and goes beyond simple blocking on the endpoint, putting a compromised organization in a better position to fight the threat. Signs of the attack are detected across the affected domains, including password spraying activity against Azure Active Directory (AD), sign-ins to Office 365 with potentially compromised credentials, and malicious PowerShell executions on endpoints. These detections are correlated into a coherent incident that catalogs the end-to-end attack and all affected assets. MTP intervenes to block the attack, not only stopping the PowerShell activity on the endpoints but also containing the impacted user accounts by marking them as compromised in Azure AD. The Threat Analytics report in MTP provides an exposure view and recommends the customer apply the appropriate Outlook security patch that will prevent this attack from recurring.

MTP extends coordinated protection across platforms with Microsoft Defender ATP for Linux and across domains with Azure Sentinel

Today, we’re announcing another step in our journey to offer security from Microsoft with the public preview of Microsoft Defender ATP for Linux. Extending endpoint threat protection to Linux has been a long-time ask from our customers and we’re excited to be able to deliver on that. We know our customers’ environments are complex and heterogenous. Providing comprehensive protection across multiple platforms through a single solution and streamlined view is more important than ever. Next week at the RSA Conference, we’ll provide a preview of our investments in mobile threat defense with the work we’re doing to bring our solutions to Android and iOS.

Azure Sentinel, Microsoft’s cloud-native security information and event manager (SIEM), further extends the capabilities of MTP by incorporating alerts, threat intelligence, and signals from third-party solutions. MTP shares alerts and threat intelligence with Azure Sentinel so security teams can view and manage threats across Microsoft and third-party security solutions in a single SIEM console.

To learn more about how Microsoft Threat Protection can help you deliver proactive protection and prevention against the spread of attacks, see Microsoft Threat Protection and stop by our booth at the RSA Conference!

Stay tuned for more information on our cross-platform journey from our Tech Community blogs next week!

The post Microsoft Threat Protection stops attack sprawl and auto-heals enterprise assets with built-in intelligence and automation appeared first on Microsoft Security.

The way we work is evolving—technology enables more effective employees by helping them to be productive where and when they choose. Businesses have also been enjoying the productivity benefits of an always-on and always-connected workforce.

While new business applications and device form-factors helped to accelerate these changes, organizations are now discovering the challenges with managing security and compliance policies in the modern workplace. As devices physically leave the corporate campus, administrators need tools to effectively manage end user applications and the corresponding access to company data; this is a particularly complex challenge for businesses who manage mobile devices running a variety of operating systems with significantly different management capabilities.

Mobile devices also introduce new IT challenges that can seriously impact business operations, such as:

• Legacy security infrastructure such as Secure Web Gateways aren’t built for mobile devices, and backhauling traffic isn’t feasible for enforcing acceptable use policies, meaning that inappropriate content could be accessed, or shadow IT tools used, potentially creating legal liability for the business.
• Insecure apps and content risks such as mobile phishing represent new attack vectors; modern app distribution methods and mobile-specific attack vectors (e.g., SMS, WhatsApp, Facebook Messenger) represent significantly expanded surface area that IT teams must now protect.
• Excessive mobile data usage can lead to bill shock and result in unexpected financial risk for businesses of all sizes.

The modern business needs to manage risk in the simplest and most effective way, while simultaneously enabling worker productivity. Embracing tools that meet the needs of mobile work will improve employee and organizational productivity, and ultimately make the business more agile.

Mobility comes in many form factors and OSs, leading to admin complexity

The explosion in the number of iOS and Android smartphones and tablets sold over the last decade is a testament to their revolutionary impact in providing always-on communication, productivity, and organizational tools. Mobility has been great for businesses; according to Frost and Sullivan, portable devices increase productivity on work tasks by 34 percent and save employees 58 minutes per day.

While smartphones have been at the forefront of transforming personal productivity and improving business operations, they are not the only form-factor available for work that is performed on-the-go. Many worker tasks, such as manipulating large data sets or refining high resolution images, require specialized hardware such as a large display or a trackball to optimize the user experience and efficiency. A different type of mobile tool is needed for certain remote workers with job-specific tasks.

Windows devices have long been a key tool for enabling office employees, and in recent years, laptops have become lightweight and highly portable, making them as versatile as mobile devices. Many laptops now also include a physical SIM or eSIM to enable always-on connectivity, and the 2-in-1 form factor is proving to be a popular choice for office workers because of the resulting flexibility in working style.

Challenges managing a diverse mobile workforce go beyond the device

Supporting Windows devices outside of the office creates new challenges for IT teams—principally, how does the admin effectively manage users working remotely? Separate tools exist to manage apps and user access on different operating systems, creating management overhead. Additionally, Windows devices are typically attached to Wi-Fi and other unmetered networks where users are not constrained in how much data they can consume without penalty. As these devices are enabled for mobile data networks, these powerful systems need to be more intelligent in the way they consume data.

The difference in managing apps and data on mobile vs on Windows led to increased complexity for the admin. For example, Microsoft Word may be deployed via an Enterprise Mobility Management (EMM) solution such as Microsoft Intune on mobile, while on Windows, System Center Configuration Manager (SCCM) may be used. The different management infrastructures required for these tools have increased overhead and created challenges for IT teams maintaining more than one service to manage employees that simultaneously use mobile and Windows devices for working.

Any changes to users, such as employees joining or leaving the company, must be replicated across both tools. Additionally, the different tools have disparate controls, meaning that it is impossible to apply consistent security, acceptable use, and Conditional Access policies. Applying policies inconsistently can result in users receiving inappropriate privileges or disparate access to services across different form factors and operating systems. As a result, employees may be drawn to using a corporate-approved app on their Windows device but an unapproved consumer variant on their mobile device, leading to increased risk.

Strategies for effectively enabling a mobile workforce

It is just as important to protect users working remotely as it is to protect users within the network perimeter. Extending security policy in a consistent manner to mobile devices can be achieved with three services: a Unified Endpoint Management (UEM) service such as Microsoft Endpoint Manager, inclusive of both Microsoft Intune and Configuration Manager, an Identity and Access Management (IAM) service such as Azure Active Directory (AD), and a network-based risk management service such as the Wandera Mobile Security Suite that protects against cyber threats and usage risks.

Organizations looking to adopt this suite of services for unified policy should seek solutions that are deeply integrated in order to achieve a fully secure and manageable mobility stack. Wandera and Microsoft have partnered together to offer an integrated secure technology stack:

• UEM services bridge the management gap between Windows and mobile devices. Microsoft Endpoint Manager enables administrators to push applications and configuration profiles to enable homogeneous management across both mobile and Windows devices.
• Pairing Microsoft Endpoint Manager with Azure AD means that the profiles can be managed at a user level, instead of at the device level, further improving management consistency.
• Wandera Mobile Security Suite allows administrators to define security and acceptable use policies at the network level, agnostic to the device that is being used. This means that applications and websites can be whitelisted or blacklisted, preventing users from using dangerous or unapproved services regardless of device type.

For example, a business may choose to use OneDrive for storing files in the cloud and want to prevent other file sharing services from being used. Microsoft Endpoint Manager and Azure AD can be used to push and configure the OneDrive application to the Windows and mobile devices, enabling employees to use this service. Wandera Mobile Security Suite can then be used in tandem to prevent employees from using other services such as Dropbox, preventing the user from accessing shadow IT in the form of application and web browser versions.

Many organizations have found that the lack of consistent controls create new attack surfaces that hackers use to penetrate the organization and mischievous employees abuse to circumvent IT policies. It is not uncommon for users to be blocked by acceptable use policies as they browse to unsanctioned content from a desktop computer, only to enable tethering on a mobile device to circumvent the policy.

Managing different technologies and applying different policies creates undue complexity for admin teams and prevents business flexibility, potentially leading to overlooked security gaps. Wandera Mobile Security Suite’s in-network security technology allows content security policies to be applied consistently across different device types. This means that phishing attacks, which are how 90 percent of data breaches begin, can be prevented regardless of device type. Mobile Security Suite is also able to block spam sites and stop malware communicating with command-and-control (C2) servers.

Mobile data management is another area of disparate control for businesses. The rich set of features in Wandera Mobile Security Suite for managing data usage on mobile devices can help an organization prevent bill shock caused by data overages or roaming on any iOS, Android, or Windows 10 device, with detailed and holistic reporting so businesses can understand how they use data and where risk may enter through mobile usage.

Better together—Microsoft and Wandera

Businesses can benefit from the strong integration between Microsoft Endpoint Manager, Azure AD, and Wandera Mobile Security Suite, making device management processes seamless. The combined solution streamlines device lifecycle management, involves a single source-of-truth for users and roles that is applied consistently between products, and makes security policies more intelligent and effective by ensuring that all components in the solution are sharing intelligence to remediate threat as soon as it’s detected.

Using Azure AD to centrally manage user identities simplifies administration, as credentials do not need to be created across multiple systems. When an employee is added in Azure AD, a profile will automatically be created in Microsoft Endpoint Manager, enabling their devices to be managed. In turn, Wandera Mobile Security Suite can be integrated with Microsoft Endpoint Manager so that the same acceptable use, content security, and data management policies can be applied seamlessly. This workflow functions when an employee leaves the business, unenrolling them from all services, making integration of services an easy way to manage a device’s lifecycle and ensuring that sensitive data remains secure

The integrated solution also enables differentiated access for users through applying policies by role. The three services can be linked directly so that an organization’s directory hierarchy can be shared, and acceptable use policies applied to the user level simply and easily.

Enabling employees is very important for productivity, but equally as important is preventing unwanted parties accessing confidential information and critical systems. Infecting an endpoint is an easy way for malicious parties to infiltrate a businesses’ technology systems.

The integrated solution also incorporates risk signals from a variety of sources to ensure that the user, device, and data are safe. Microsoft Endpoint Manager provides a risk assessment of the device configuration, including whether the lockscreen is configured properly. Azure AD is able to determine when sign-in behavior is anomalous or risky, through signals integration with Azure AD Identity Protection. Wandera Mobile Security Suite provides an added set of security assessments on the device that includes vulnerability scans, app vetting, and Man-in-the-Middle checks. All of these risk signals are brought together through a single Conditional Access policy.

Best practices for mobility management with iOS, Android, and Windows 10 devices

As mobile employees are enabled with mobile iOS, Android, and Windows 10 devices, businesses need to embrace technology that will give admins the necessary controls to effectively manage employee devices consistently. Businesses need to be able to manage productivity tools, by providing access to acceptable applications and blocking unwanted applications. Organizations need to provide strong security across devices to close gaps in their defenses and prevent common threats from impacting business operations. Finally, businesses should ensure that Windows devices do not cause unexpected data charges by employing cost control tools.

To be able to effectively enforce acceptable use, content security, and control costs across a device fleet with many different device types, businesses should utilize integrated solutions that can support consistent management. Microsoft Endpoint Manager, Azure AD, and Wandera Mobile Security Suite provide features that organizations need to embrace a mobile fleet. Bringing these three services together creates a powerful joint solution that can improve businesses’ lifecycle management, policy application, and identity and security management.

Bookmark the Security blog to keep up with our expert coverage on security matters. Check out our security solutions that help to address these issues. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Unifying security policy across all mobile form-factors with Wandera and Microsoft appeared first on Microsoft Security.

Most people don’t think about electricity. If the internet works, their food is refrigerated, and their debit card is approved, why should they? Its ubiquity and reliability render it invisible—a bit of magic that powers much of modern life. That is, until a large storm passes through. Localized outages can be quite disruptive to those impacted, and the utility industry has learned to respond rapidly and effectively to these events. But what happens if service interruptions become more unpredictable and affect large geographical regions with huge populations?

This is a risk that utilities and their supply chain must continue to address. Nation state actors and other adversaries have demonstrated that they possess the ambition and the skills necessary to launch cyberattacks that could cause widescale and continuous power outages. Whether your organization is a utility or a supplier of the industry, you may be vulnerable.

This blog series, “Defending the power grid against supply chain attacks,” analyzes how these attacks are conducted and the steps utilities, device manufacturers, and software providers can take to better secure critical infrastructure.

Why it matters

Modern warfare is no longer conducted exclusively on the battlefield. Nation-state actors also deploy sophisticated cybercampaigns to disrupt daily life or sow confusion. The power grid is one such target. The financial system, sewer and water lines, transportation networks, computers, cellphones, kitchen appliances, and more run on electricity. Several hours of disrupted power can grind economic activity to a halt in the affected areas. An outage of days or weeks could incite greater unrest.

Accelerated adoption of the Internet of Things (IoT) compounds the risk. IoT innovations allow the utility industry to harness the power of the internet, data, and artificial intelligence to optimize its operations and deliver energy more efficiently and reliably to its customers. But these devices can introduce new vulnerabilities. Existing sensors often don’t have security or centralized management built into them. Some devices are so small, it’s difficult to place traditional protections on them. Manufacturers, who feel pressured to deliver solutions quickly, may fail to incorporate critical security controls and safeguards in their products. Bad actors are skilled at uncovering these weaknesses and exploiting them.

How attacks are executed

A typical cyberattack includes lengthy reconnaissance to uncover all the vendors that serve a utility and their vulnerabilities. Bad actors even go after suppliers who exist outside the software and hardware space but have vital access. A few examples:

• Software libraries and frameworks—Modern software relies on open source and industry libraries and frameworks to reduce time to market and take advantage of pre-tested solutions. This is fertile ground for hackers to insert malware that wreaks havoc once the software reaches its destination.
• Digitally signed software—Much software is digitally signed by the vendor to prove its legitimacy. Hackers who break into servers may be able to infect software before it’s digitally signed or spoof the signature after altering the software.
• Software update servers—Bad actors hack into the servers that distribute software updates. This can be very effective since many applications auto-update.
• Hardware interdiction—While hardware and parts are in-transit, a cybercriminal intercepts the shipment and inserts malicious code in the hardware or firmware.
• Hardware seeding—Cybercriminals infect IoT devices, such as phones, cameras, sensors, drones and USB drives, with malware inserted on the manufacturing floor.
• Onsite vendors—Companies that come on site to provide services may not be as security focused as software and hardware companies. Attackers exploit this vulnerability and then use the relationship to gain access to the ultimate target.
• Remote servicing vendors—Bad actors also attack the companies who provide remote support to the systems at the target organization.

Looking ahead

The next two installments of the Defending the power grid against supply chain attacks series will offer practical advice for both the utilities and their vendors.

Stay tuned for:

• Part 2: Secure the hardware and software used by utilities
• Part 3: Risk management strategies for the utilities industry

In the meantime, whether you are a utility or one its suppliers, you can begin to address these risks by inventorying your vendors. Where do you buy software, what processes do you use to select software libraries? Who builds your hardware? Where do your hardware manufacturers source parts?

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks—Part 1: The risk defined appeared first on Microsoft Security.

マイクロソフトでは、セキュリティ更新プログラムの適用を、よりシンプルに、より効率よくすることで、更新

You may have heard that identity is the “new” perimeter. Indeed, with the proliferation of phishing attacks over the past few years, one of the best ways to secure data is to ensure that identity—the primary way we access data—can be trusted.

How do we secure identity?

Start by evaluating how users are authenticating to all applications inside and outside the organization. I say all applications, because it doesn’t take much effort for a hacker to pivot from a low-value, non-sensitive application to a high-value and highly-sensitive application, quickly gaining access to confidential or restricted data.

Similarly, Multi-Factor Authentication (MFA) must be enforced for all users as well, not just highly privileged users. Remember that it is simple for bad actors to pass-the-hash, run a Golden Ticket Attack, or use other techniques to elevate their privileges and gain access to sensitive data.

Modern authentication encourages us to reduce vulnerable legacy authentication methods, including Kerberos and NTLM. Additionally, modern authentication requires that we rely on more than one factor of authentication for all users. These factors range from something you know (password or one-time password), something you have (hardware token or soft token), or something you are (biometrics like 3D facial recognition or fingerprint matching).

Start with MFA.

Requiring MFA for all applications, whether on-premises or in the cloud, is a great start. When using MFA, consider enforcing an authenticator app or a one-time password mechanism as they are typically not as susceptible to man-in-the-middle attacks, compared to text-back codes or phone calls that may be intercepted with spoofing.

The least vulnerable MFA mechanisms include FIDO2, which utilizes a biometric device or USB hardware token like YubiKey, and machine learning systems that can provide conditional access based on Zero Trust and time-of-authentication context.

Here is the context commonly evaluated by machine learning authentication systems:

• Can an authentication token be obtained?
• Does the user have a valid username, password, and a second form of authentication (MFA), like a biometric validation (fingerprint or 3D facial recognition) through an authenticator app?
• What is the risk score of the user?
• Is the user authenticating from two places at nearly the same time (Impossible Traveler)?
• Has the user’s password been discovered on the Dark Web because of an account and password database breach?
• Is this a reasonable time for the user to be signed in based upon past behavior?
• Is the user signing-in from an anonymous source like a Tor exit node?
• What is the risk score of the device?
• Has the device experienced unresolved risk in the last several days?
• Has the machine been exposed to malware?
• Is the machine running a high-risk application?
• Are the antimalware signatures up to date?
• Are all the critical and high software patches applied?
• Are there sensitive documents on the device?

With the enforcement of MFA, a single, unified MFA reduces the success of phishing attacks due to password reuse or social engineering. With web-based Authentication-as-a-Service (AaaS) applications, MFA is easy to implement across the enterprise. Modern operating systems now enforce multifactor authentication by default, including Windows 10 Hello, macOS, iOS, and Android. Most modern on-premises and cloud applications should be able to consume SSO authentication standards like SAML or OpenID and OAth2 authorization.

Moving toward a secure SSO posture

Implementing a single identity source for all applications leads the organization to a better and less time-consuming and complicated user experience, and an arguably more secure SSO posture by:

• Reducing the number of passwords that users need to remember or save—quite often insecurely—to access their applications.
• Introducing pass-through authentication and authorization, so that once a user authenticates to an operating system, they have unprompted access to both on-premises and cloud apps, using the same security token created when they signed in to the operating system using MFA.
• Reducing the threat of untimely termination/missed identity decommissioning by decreasing “identity sprawl,” which is what you encounter when your organization has multiple identities in multiple applications per user. That is sometimes the result of non-integrated entities or not yet integrated entities and affiliates. B2B approaches to SSO can be explored to solve the problems associated with not integrating a business unit or operating group into the organization’s core directory.

Considering user satisfaction is critical.

MFA and SSO together increases user satisfaction, making the CISO a business enabler rather than a productivity and collaboration roadblock. Cloud-based MFA and SSOP directory systems have been shown to be more available than on-premises directory or federation services with many cloud providers providing 99.9 percent uptime. A three-nines Service Level Agreement (SLA) is challenging to achieve on-premises with limited IT staff and budget!

Stay tuned

Stay tuned for the next installment of my Changing the Monolith series. In the meantime, check out the first three posts in the series:

• Part 1: Building alliances for a secure culture
• Part 2: Whose support do you need?
• Part 3: What’s your process?

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the Monolith—Part 4: Quick tech wins for a cloud-first world appeared first on Microsoft Security.

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10-100 user identity status changes. Before Azure AD, a team of 12 people were responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge costs savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!

Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

With Azure AD SSO, users sign in once and have access to all their apps.

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policy strike the right balance between enabling productivity while minimizing our exposure.

Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provides useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.

Learn more

I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

• Azure AD automated user provisioning
• Azure AD MFA
• Identity and access management solution

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other appeared first on Microsoft Security.

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10-100 user identity status changes. Before Azure AD, a team of 12 people were responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge costs savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!

Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

With Azure AD SSO, users sign in once and have access to all their apps.

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policy strike the right balance between enabling productivity while minimizing our exposure.

Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provides useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.

Learn more

I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

• Azure AD automated user provisioning
• Azure AD MFA
• Identity and access management solution

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other appeared first on Microsoft Security.

When I did my first North American Electric Reliability Corporation—Critical Infrastructure Protection (NERC CIP) compliance project it was 2009. NERC CIP was at version 3. It was the first mandatory cybersecurity standard that the utility I was working for had to meet. As it does today, the Bulk Electric System (BES) had the responsibility to keep North America powered, productive, and safe with near 100 percent uptime. Critical infrastructure for us is not email and payroll systems, it’s drinking water and hospitals. Leading the way to the cloud was not top of mind. The NERC CIP standards were written for on-premise systems.

NERC CIP compliance was a reason many participants in the BES would not deploy workloads to the cloud. NERC CIP version 6 is now in force. NERC has recognized the change in the technology landscape including the security and operational benefits that well architected use of the cloud has to offer.

Microsoft has made substantial investments in enabling our BES customers to comply with NERC CIP in Azure. Microsoft engaged with NERC to unblock NERC CIP workloads from being deployed in Azure and Azure Government.

All U.S. Azure regions are now approved for FedRAMP High impact level. We use this to establish our compliance to NERC and the Regional Reliability Councils.

In June 2019, NERC Electric Reliability Organization (ERO) conducted an audit of Azure in Redmond, Washington. NERC, NERC regional auditor organizations, and the NERC CIPC (Critical Infrastructure Protection Committee) were represented.

We prepared a NERC CIP compliance guide for Azure, and a Cloud Implementation Guide for NERC Audits, which includes pre-filled Reliability Standard Audit Worksheet (Reliability Standard Audit Worksheet (RSAW)) responses. This will help our customers save time and resources in responding to audits.

NERC’s BES Cyber Asset 15-minute rule is important to deploying appropriate NERC CIP workloads to Azure. This rule sets out requirements for BES Cyber Assets that perform real-time functions for monitoring or controlling the BES under the current set of CIP standards and the NERC Glossary of Terms. BES Cyber Assets, under the 15-minute rule, are those that would affect the reliable operation of the BES within 15 minutes of being impaired.

Under the current rules, BES Cyber Assets—like Supervisory Control and Data Acquisition Systems (SCADA) and Energy Management Systems (EMS)—are not good candidates a for move to the cloud for this reason.

Importantly, the NERC CIP standards also recognize that the needs of Bulk Electric System Cyber System Information (BCSI) are different from BES Cyber Assets. BCSI is information that could be used to gain unauthorized access or pose a security threat to the Bulk Electric Cyber System. BCSI is not subject to the 15-minute rule.

Many of the workloads that will benefit most from the operational, security, and cost savings benefits of the cloud are BCSI.

Machine learning, multiple data replicas across fault domains, active failover, quick deployment, and pay for use benefits are now available for BCSI NERC CIP workloads when they’re moved to or born in Azure.

Examples include:

• Transmission asset status, management, planning, and predictive maintenance.
• Transmission network planning, demand forecasting, and contingency analysis.
• Common Information Model (CIM) modeling and geospatial asset location information.
• Operational equipment data and SCADA Historical Information System.
• Streaming of operational phasor data to the cloud for storage and analytics.
• Artificial intelligence (AI) and Advanced Analytics for forecasting, maintenance, and outage management.
• Internet of Things (IoT) scenarios for transmission line monitoring and maintenance.
• NERC CIP audit evidence, reports, and records.

We can use information retention and protection on confidential documents with BCSI sensitive information. Azure’s machine learning helps us improve smart grid and do predictive maintenance on plant equipment. We can experiment, fail fast, and stand up infrastructure in hours, not months. The powerful tools and agile technologies that other industries rely on are now available for many NERC CIP workloads.

There are currently over 100 U.S. power and utility companies that use Azure. NERC CIP regulated companies can enjoy the benefits of the cloud in Azure.

In my next post, I’ll discuss the use of Azure public cloud and Azure Government for NERC CIP compliance.

Thanks to Larry Cochrane and Stevan Vidich for their excellent work on Microsoft’s NERC CIP compliance viewpoint and architecture. Some of their documents are linked above.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post NERC CIP compliance in Azure appeared first on Microsoft Security.

Among the most common and powerful attack vectors we have seen are those that exploit the daily tradeoff users make between security and productivity. Often, this can be as simple as a document hiding an exploit or a malicious link.

As an industry, we’re used to thinking of security and productivity in tension with each other. Security teams focus on blocking capabilities and reducing access to limit risk; users create workarounds or ignore policies to get their jobs done. Organizations may respond to increasing security threats by layering multiple security point solutions on top of each other, often increasing the complexity security teams manage while encouraging users to look for even more workarounds.

We don’t think this has to be the case.

Today, we‘re announcing two new Microsoft 365 capabilities that will help organizations stay both secure and productive at the same time. The power of these capabilities comes from the seamless integration between Windows 10, Office 365 ProPlus, and Microsoft Defender Advanced Threat Protection (ATP). We previously gave a “sneak peak” at Ignite and are excited to share publicly now.

Safe Documents is now available in public preview, rolling out over the next few days

With Safe Documents, we’re bringing the power of the Intelligent Security Graph down to the desktop to verify that documents are safe at the endpoint itself.

Although Protected View helps secure documents originating outside the organization, too often users would exit this sandbox without great consideration and leave their networks vulnerable. Bringing a minimal trust approach to the Office 365 ProPlus clients, Safe Documents automatically checks the document against known risks and threat profiles before allowing to open. Users are not asked to decide on their own whether a document can be trusted; they can simply focus on the work to be done. This seamless connection between the desktop and the cloud both simplifies the user workflow and helps to keep the network more secure.

Application Guard integration with Office 365 ProPlus is significantly expanding its private preview

With Application Guard, we created a micro-VM based on the same technology that powers the Azure cloud and brought it down to the desktop. We first introduced Application Guard in Edge, bringing hardware-level containerization to the browser.

Now integrated with Office 365 ProPlus, Application Guard provides an upgrade to Protected View that helps desktop users to stay safer and more productive with container-based isolation for Office applications. Application Guard’s enforcement—with a new instance of Windows 10 and separate copy of the kernel—completely blocks access to memory, local storage, installed applications, corporate network endpoints, or any other resources of interest to the attacker.

That means Office users will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. Users can stay productive—make edits, print, and save changes—all while protected with hardware-level security. If the untrusted file is malicious, the attack is contained while user data and identity remains untouched. When a user wants to trust a document to save on the network or start collaborating in real-time, Safe Documents will first check to help ensure the document is safe.

Moreover, both Safe Documents and Application Guard connect to the Microsoft Security Center, providing admins with advanced visibility and response capabilities including alerts, logs, confirmation the attack was contained, and the ability to see and act on similar threats across the enterprise.

Truly Microsoft 365 capabilities

With these new capabilities, we brought together some of the best of Windows 10, Office 365 ProPlus, and Microsoft Defender ATP to help organizations stay both secure and productive. This integration also means that organizations can deploy these features with the change of a setting and manage with existing tools. And with every malicious attack contained, the entire Intelligent Security Graph becomes stronger, benefiting everyone.

Both Safe Documents and Application Guard will be available to customers with Microsoft 365 E5 and E5 Security. We encourage customers to start testing Safe Documents in their environment as it comes available (initially available for tenants in the U.S., U.K., and European Union), and to learn more about Safe Documents and Application Guard.

The post Building on secure productivity appeared first on Microsoft Security.

We have released the February security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide.

The post February 2020 security updates are available appeared first on Microsoft Security Response Center.