Archive for July, 2020

Black Hat 2020: See you in the Cloud!

July 30th, 2020

It hardly feels like summer without the annual trip to Las Vegas for Black Hat USA. With this year’s event being totally cloud based, we won’t have the chance to catch up with security researchers, industry partners, and customers in person, an opportunity we look forward to every year. We’ll still be there though, and …

The post Black Hat 2020: See you in the Cloud! appeared first on Microsoft Security Response Center.

Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics

July 29th, 2020

In theory, a cyberattack can be disrupted at every phase of the attack chain. In reality, however, defense stack boundaries should overlap in order to be effective. When a threat comes via email, for example, even with good security solutions in place, organizations must assume that the threat may slip past email defenses, reach the target recipient, and further compromise endpoints and identities. While defenses on endpoints and identities could successfully tackle the attack in isolation, coordinating signals across protection components significantly increases the ability of these solutions to block and mitigate.

Microsoft Threat Protection takes this approach and delivers coordinated defense that binds together multiple solutions in the Microsoft 365 security portfolio. Microsoft Threat Protection continuously and seamlessly scours endpoints, email and docs, cloud app, and identity activities for suspicious signals. Through deep correlation logic, Microsoft Threat Protection automatically finds links between related signals across domains. It connects related existing alerts and generates additional alerts where suspicious events that could otherwise be missed can be detected. We call these correlated entities incidents.

How Microsoft Threat Protection’s advanced correlation makes SOC analysts’ work easier and more efficient

Microsoft Threat Protection’s incident creation logic combines AI technology and our security experts’ collective domain knowledge, and builds on broad optics to provide comprehensive coverage. These correlations align with the MITRE ATT&CK framework over a unified schema of attack entities, enabling Microsoft Threat Protection to automatically connect the dots between seemingly unrelated signals.

Incidents ensure that elements otherwise spread across various portals and queues are presented in a single coherent view, helping security operations centers (SOCs) in important ways. First, they reduce the SOC’s workload: incidents automatically collect and correlate isolated alerts and other related security events, so analysts have fewer, more comprehensive work items in their queue. Second, SOC analysts can analyze related alerts, affected assets, and other evidence together, reducing the need for manual correlation and making it easier and faster to understand the complete attack story and take informed actions.

Attack sprawl illustrated

The level of sophistication of today’s threats, including nation-state attacks and human-operated ransomware, highlights why coordinated defense is critical in ensuring that organizations are protected.

To illustrate how Microsoft Threat Protection protects against such sophisticated attacks, we asked our security research team to simulate an end-to-end attack chain across multiple domains, based on techniques we observed in actual investigations.

Their attack starts with a spear-phishing email targeting a specific user. The email contains a link that, when clicked, leads to the download of a malicious .lnk file that stages the Meterpreter payload. With their malicious code running on the target device, the attackers perform reconnaissance to understand which users have signed into the device and which other devices these users have access to. For example, in this case, they find the credentials of an IT helpdesk team member. Impersonating this IT helpdesk team member via overpass-the-hash, the attackers are able to move laterally to a second device.

On the second device, they steal the user’s web credentials, which they use to remotely access the user’s cloud apps like OneDrive or SharePoint. This allows the attackers to insert a malicious macro into an existing online Word document, which they then deploy in a lateral phishing attack by distributing links to the malicious document to other users in the organization.

Diagram showing an attack chain involving attack sprawl and techniques like overpass-the-hash

Figure 1. Our attack case scenario showing the initial access through spear-phishing and lateral movement through overpass-the-hash attack

When we ran this attack in our simulation environment, Microsoft Threat Protection was able to track attacker activities as they accessed the target organization, established a foothold, and moved across the network. Then, invoking advanced correlation, Microsoft Threat Protection automatically collected all signals, alerts, and relevant entities into a single comprehensive incident representing the whole attack:

Screenshot of the incidents view in Microsoft security center

Figure 2. Incident showing the full attack chain and affected entities

Initial access: Correlating email, identity, and endpoint signals

Let’s look behind the scenes to understand how Microsoft Threat Protection connects the dots in such an attack.

When the target of the initial spear-phishing email clicks the URL in the email, a malicious .lnk file is downloaded and run on the device. In such a scenario, Office 365 Advanced Threat Protection (ATP) flags both the email and the URL as malicious and raises an alert. Normally, SOC analysts would analyze this alert, extract attacker indicators such as the malicious URL, manually search for all devices where this malicious URL was clicked, then take remediation actions on those devices.

Microsoft Threat Protection automates this process and saves time. The intelligence behind Microsoft Threat Protection correlations combines Office 365 ATP signals, Microsoft Defender ATP events, and Azure Active Directory (Azure AD) identity data to find the relevant malicious URL click activity on affected devices, even before SOC analysts start looking at the alert. The automatic correlation of email, identity, and endpoint signals across on-premises and cloud entities raises the alert “Suspicious URL clicked”. Through this correlation-driven alert, Microsoft Threat Protection helps the SOC expand their understanding of the attack using all relevant pieces of evidence and automate the search for compromised devices.

Screenshot of Microsoft security center showing list of alerts and highlighting the correlation-driven alert "Suspicious URL clicked"

Figure 3. Microsoft Threat Protection correlation-driven alert “Suspicious URL clicked”

Lateral movement: Correlating overpass-the-hash attack on one device and suspicious sign-in on another

So we’ve seen how automatic correlation allows Microsoft Threat Protection to uncover attacker activity related to initial access. The same capability exposes the next stages in the attack chain: credential theft and lateral movement.

Diagram showing an attack chain and showing correlation of cross-domain signals

Figure 4. Attack scenario showing alerts raised by correlation of cross-domain signals

In the next stage, the attackers use the overpass-the-hash method, a well-known impersonation technique. They control one device in the network where a domain user, like the IT helpdesk team member, is currently signed in. They then harvest NTLM credentials stored on the device to obtain a Kerberos ticket on the user’s behalf. The Kerberos ticket is a valid ticket that’s encrypted with the credentials of the domain user, allowing the attackers to pretend to be that user and access all resources that the user can access. Once attackers obtain credentials for a user with high privileges, they use the stolen credentials to sign in to other devices and move laterally.

In such cases, Azure ATP raises an alert on the suspicious Kerberos ticket, pointing to a potential overpass-the-hash attack. What would SOC analysts do at this point when investigating an overpass-the-hash alert? They would probably start enumerating all the users who signed in to the compromised device. They would also enumerate all other sign-ins for these users and further activities propagating to other devices in the network, all while mentally building an attack graph.

Saving precious time and eliminating manual work, Microsoft Threat Protection determines that the lateral movement activity is related to the earlier initial access. As a result, Microsoft Threat Protection correlates this activity, as well as users and devices involved, into the same incident, exposing other related activities and surfacing them as additional alerts in the same incident.

Screenshot of Microsoft security center showing list of alerts and highlighting the correlation-driven alert "Successful logon using potentially stolen credentials"

Figure 5. Correlating the overpass-the-hash alert

Microsoft Threat Protection also finds related sign-in events following the overpass-the-hash attack to trace the footprint of the impersonated user and surfaces alerts for malicious sign-ins made by the attacker. This allows Microsoft Threat Protection to elevate a series of raw sign-in events (which, when considered on their own, may lack context for detection) to alerts. The correlation-driven alert “Successful logon using potentially stolen credentials” instantly flags the compromised endpoints and pinpoints the start of the malicious activity in the timeline.

Screenshot of Microsoft security center showing correlation-driven alerts that determine the start of the attack

Figure 6. Correlation-driven alert can help determine the start of the attack
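As an added illustration (not Microsoft Threat Protection’s own code), the two correlations described above, the email-to-endpoint URL click and the ticket-theft-to-sign-in chain, implemented over constructed events and then grouped into incidents by shared entities; the users, devices, URL and the two-hour lateral-movement window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signals from four domains (email, endpoint, identity, sign-in);
# names, devices and the URL are made up for this illustration.
EMAIL_ALERTS = [
    {"time": "2020-07-01T09:00:00", "recipient": "alice",
     "url": "http://malicious.example/report", "verdict": "malicious"},
]
DEVICE_EVENTS = [
    {"time": "2020-07-01T09:05:00", "device": "WS-01", "user": "alice",
     "type": "UrlClick", "url": "http://malicious.example/report"},
    {"time": "2020-07-01T09:05:30", "device": "WS-01", "user": "alice",
     "type": "UrlClick", "url": "http://intranet.example/news"},   # benign click
]
IDENTITY_ALERTS = [
    {"time": "2020-07-01T10:00:00", "device": "WS-01", "user": "helpdesk",
     "type": "SuspiciousKerberosTicket"},
    {"time": "2020-07-01T11:00:00", "device": "WS-09", "user": "bob",
     "type": "SuspiciousKerberosTicket"},                             # unrelated device/user
]
SIGNIN_EVENTS = [
    {"time": "2020-07-01T10:20:00", "device": "WS-02", "user": "helpdesk"},  # lateral move
    {"time": "2020-07-01T07:00:00", "device": "WS-09", "user": "bob"},       # before bob's alert
    {"time": "2020-07-01T10:30:00", "device": "WS-01", "user": "helpdesk"},  # same device, not lateral
]

def ts(s):
    return datetime.fromisoformat(s)

def make_alert(name, time, source, entities):
    return {"name": name, "time": ts(time), "source": source, "entities": frozenset(entities)}

def native_alerts(email_alerts, identity_alerts):
    """Alerts each product raises on its own, before any cross-domain correlation."""
    alerts = [make_alert("Malicious URL in email", ea["time"], "email",
                         [("user", ea["recipient"]), ("url", ea["url"])])
              for ea in email_alerts if ea["verdict"] == "malicious"]
    alerts += [make_alert("Suspicious Kerberos ticket (overpass-the-hash)", ia["time"], "identity",
                          [("user", ia["user"]), ("device", ia["device"])])
               for ia in identity_alerts if ia["type"] == "SuspiciousKerberosTicket"]
    return alerts

def correlate_url_clicks(email_alerts, device_events):
    """Email verdict + endpoint click on the same URL by the recipient -> 'Suspicious URL clicked'."""
    out = []
    for ea in email_alerts:
        if ea["verdict"] != "malicious":
            continue
        for ev in device_events:
            if ev["type"] == "UrlClick" and ev["url"] == ea["url"] and ev["user"] == ea["recipient"]:
                out.append(make_alert("Suspicious URL clicked", ev["time"], "correlation",
                                      [("user", ev["user"]), ("device", ev["device"]), ("url", ev["url"])]))
    return out

def correlate_stolen_credential_logons(identity_alerts, signin_events, window=timedelta(hours=2)):
    """Ticket-theft alert on device A + later sign-in of the same user on device B -> lateral-movement alert."""
    out = []
    for ia in identity_alerts:
        if ia["type"] != "SuspiciousKerberosTicket":
            continue
        start = ts(ia["time"])
        for si in signin_events:
            t = ts(si["time"])
            if si["user"] == ia["user"] and si["device"] != ia["device"] and start <= t <= start + window:
                out.append(make_alert("Successful logon using potentially stolen credentials", si["time"],
                                      "correlation", [("user", si["user"]), ("device", ia["device"]),
                                                      ("device", si["device"])]))
    return out

def build_incidents(alerts):
    """Union-find over shared entities: alerts that share a user, device or URL land in one incident.
    (Simplification: no time bound on the grouping itself.)"""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_owner = {}
    for i, a in enumerate(alerts):
        for ent in a["entities"]:
            if ent in first_owner:
                parent[find(i)] = find(first_owner[ent])
            else:
                first_owner[ent] = i
    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: a["time"])
        ents = set().union(*(a["entities"] for a in members))
        incidents.append({
            "first_seen": members[0]["time"],
            "alerts": [a["name"] for a in members],
            "users": sorted(v for k, v in ents if k == "user"),
            "devices": sorted(v for k, v in ents if k == "device"),
        })
    return sorted(incidents, key=lambda inc: inc["first_seen"])

def run_demo():
    alerts = native_alerts(EMAIL_ALERTS, IDENTITY_ALERTS)
    alerts += correlate_url_clicks(EMAIL_ALERTS, DEVICE_EVENTS)
    alerts += correlate_stolen_credential_logons(IDENTITY_ALERTS, SIGNIN_EVENTS)
    return build_incidents(alerts)

if __name__ == "__main__":
    for inc in run_demo():
        print(inc["first_seen"], inc["users"], inc["devices"], "->", inc["alerts"])
```

The first incident ties the email alert, the click on WS-01, the ticket-theft alert for the signed-in helpdesk account and the later sign-in on WS-02 together; bob’s alert stays a separate one-alert incident because it shares no entity.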

Lateral phishing: Correlating email, cloud, and device data

Using the breadth and depth of information available from the incident, SOC analysts can further expand their investigation. The Go hunt action allows SOC analysts to run an exhaustive, predefined query to hunt for relevant or similar threats and malicious activities from endpoints to the cloud, whether issued from inside the network or outside organizational boundaries.

Screenshot of Microsoft security center showing the Go hunt action

Figure 7. Generating a hunting query with a single click

In this attack scenario, the query that Go hunt auto-generates instantly reveals suspicious OneDrive activity: while the user is operating from Great Britain, somebody from Sweden with the same account name seems to have downloaded a .docx file and replaced it with a similar file with a .doc extension, indicating the insertion of the malicious macro.

Screenshot of Microsoft security center showing results of the Go hunt query, which reveals additional suspicious activity

Figure 8. “Go hunt” on the compromised user reveals suspicious activity

SOCs can further follow the propagation of the replaced file using an additional hunting query that combines email, OneDrive, and device data to find more affected users and devices, allowing SOC analysts to assess if additional compromise occurred and to take remediation actions. In our next blog post, we’ll provide more details about the investigation and hunting aspects of this scenario.
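An added example, not the query that Go hunt generates, of the same hunt run over constructed OneDrive activity records: it flags a download made from a second country while the account is active elsewhere, followed shortly by an upload of the same base name under a different (here macro-capable) extension; the records, user names and the one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed OneDrive activity records (not real audit data); users and file names are made up.
ACTIVITY = [
    {"time": "2020-07-02T09:00:00", "user": "alice", "op": "FileAccessed",   "file": "Q3-report.docx", "country": "GB"},
    {"time": "2020-07-02T09:10:00", "user": "alice", "op": "FileDownloaded", "file": "Q3-report.docx", "country": "SE"},
    {"time": "2020-07-02T09:15:00", "user": "alice", "op": "FileUploaded",   "file": "Q3-report.doc",  "country": "SE"},
    {"time": "2020-07-02T09:20:00", "user": "alice", "op": "FileAccessed",   "file": "notes.docx",     "country": "GB"},
    # benign: bob edits a workbook locally and re-uploads it, same format, same country
    {"time": "2020-07-02T10:00:00", "user": "bob",   "op": "FileDownloaded", "file": "budget.xlsx",    "country": "GB"},
    {"time": "2020-07-02T10:30:00", "user": "bob",   "op": "FileUploaded",   "file": "budget.xlsx",    "country": "GB"},
]

# Legacy or macro-enabled Office formats; a swap from .docx to one of these deserves attention.
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm"}

def load(records):
    """Parse ISO timestamps once so the hunt can do time arithmetic."""
    return [dict(r, time=datetime.fromisoformat(r["time"])) for r in records]

def hunt_replaced_documents(records, window=timedelta(hours=1)):
    """Flag a download seen from one country while the same account is active from another,
    followed within `window` by an upload of the same base name with a different extension."""
    findings = []
    by_user = defaultdict(list)
    for r in load(records):
        by_user[r["user"]].append(r)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, dl in enumerate(evs):
            if dl["op"] != "FileDownloaded":
                continue
            # Step 1: concurrent activity from a different country around the download
            other = {e["country"] for e in evs
                     if e["country"] != dl["country"] and abs(e["time"] - dl["time"]) <= window}
            if not other:
                continue
            # Step 2: re-upload of the same base name under a different extension
            src = PurePosixPath(dl["file"])
            for up in evs[i + 1:]:
                if up["time"] - dl["time"] > window:
                    break
                dst = PurePosixPath(up["file"])
                if (up["op"] == "FileUploaded" and dst.stem == src.stem
                        and dst.suffix.lower() != src.suffix.lower()):
                    findings.append({
                        "user": user,
                        "downloaded": dl["file"],
                        "uploaded": up["file"],
                        "countries": sorted(other | {dl["country"]}),
                        "macro_capable": dst.suffix.lower() in MACRO_CAPABLE,
                        "minutes_between": int((up["time"] - dl["time"]).total_seconds() // 60),
                    })
    return findings

def run_hunt():
    return hunt_replaced_documents(ACTIVITY)

if __name__ == "__main__":
    for f in run_hunt():
        print(f)
```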

Conclusion: Connecting the dots and enriching incidents with more signals that tell the story

In this blog we demonstrated Microsoft Threat Protection’s unique ability to correlate signals across email and docs, devices, identities, and cloud apps, and present attack evidence in a unified form. Incidents significantly improve SOC efficiency by eliminating the need to use different portals and manually finding and connecting events, as well as enabling investigation and comprehensive response to attacks. The incident view shows alerts, affected entities, and related activities from across Microsoft 365 security solutions in a unified view.

Automatic correlations enrich incidents by consolidating relevant events and raising new alerts on malicious activities that couldn’t be flagged by any individual product on its own. These correlations paint a seamless attack story across perimeters by building an attack graph that SOC analysts can follow, starting with the earliest initial access.

Diagram showing automatic correlation of signals and alerts across domains

Figure 9. Automatic correlation across domains

Microsoft Threat Protection harnesses the power of Microsoft 365 security products to deliver unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost. To start using Microsoft Threat Protection, go to security.microsoft.com.

Learn how Microsoft Threat Protection can help your organization to stop attacks with coordinated defense. Read these blog posts in the Inside Microsoft Threat Protection series:

Stefan Sellmer, Tali Ash, Tal Maor

Microsoft Threat Protection Team

The post Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics appeared first on Microsoft Security.

Empower your analysts to reduce burnout in your security operations center

July 28th, 2020

Effective cybersecurity starts with a skilled and empowered team. In a world with more remote workers and an evolving threat landscape, you need creative problem solvers defending your organization. Unfortunately, many traditional security organizations operate in a way that discourages growth, leading to burnout and high turnover.

Sixty-six percent of IT professionals say they have considered finding a new job with less stress. Fifty-one percent are even willing to take a pay cut. And the average tenure of a cybersecurity analyst is only one to three years. Even if stressed employees don’t quit, they may become cynical or lose focus, putting your organization at risk. Given the huge talent shortage—estimated between one and three million cybersecurity professionals—it’s critical to understand some of the factors that lead to burnout, so you can grow and retain your team. In this blog, I’ll provide insights into what drives burnout and walk through recommendations for using automation, training, and metrics to build a more effective security organization.

Burnout in the security operations center

Burnout starts with a vicious cycle. Because management has a limited budget, they staff many of their positions with entry-level roles. Security organizations are inherently risk-averse, so managers are reticent to give low-skilled roles decision-making authority. Security professionals in such an environment have few opportunities to use creative problem-solving skills, limiting the opportunity for them to grow their skills. If their skills don’t grow, they don’t advance and neither does the organization.

This cycle was documented in 2015, when USENIX studied burnout in a security operations center (SOC). By embedding an anthropologically trained computer science graduate in a SOC for 6 months, researchers identified four key areas that interact with each other to contribute to job satisfaction:

  • Skills: To effectively do their job, people need to know how to use security tools where they work. They also need to understand the security landscape and how it is changing.
  • Empowerment: Autonomy plays a major role in boosting morale.
  • Creativity: People often confront challenges that they haven’t seen before or that don’t map onto the SOC playbook. To uncover novel approaches they need to think outside the box, but creativity suffers when there is a lack of variation in operational tasks.
  • Growth: Growth is when a security analyst gains intellectual capacity. There is a strong connection between creativity and growth.

Image of the Human Capital Cycle

Graphic from A Human Capital Model for Mitigating Security Analyst Burnout, USENIX Association, 2015.

To combat the vicious cycle of burnout, you need to create a positive connection between these four areas and turn it into a virtuous cycle. Strategic investments in growth, automation, and metrics can make a real difference without requiring you to rewrite roles. Many of these recommendations have been implemented in the Microsoft SOC, resulting in a high-performing culture. I also believe you can expand these learnings to your entire security organization, who may also be dealing with stress related to remote work and COVID-19.

Create a continuous learning culture

Managers are understandably wary about giving too much decision-making authority to junior employees with limited skills, but if you give them no opportunities to try new ideas they won’t improve. Look for lower-risk opportunities for Tier One analysts to think outside set procedures. They may periodically make mistakes, but if you foster a culture of continuous learning and a growth mindset they will gain new skills from the experience.

To advance skills on your team, it’s also important to invest in training. The threat landscape changes so rapidly that even your most senior analysts will need to dedicate time to stay up to date. The Microsoft SOC focuses its training on the following competencies:

  • Technical tools/capabilities.
  • Our organization (mission and assets being protected).
  • Attackers (motivations, tools, techniques, habits, etc.).

Not all training should be formal. Most managers hire junior employees with the hope that they will learn on the job, but you need to create an environment that facilitates that. An apprenticeship model provides growth opportunities for both junior and senior members of your team.

Support operational efficiency with automation

At Microsoft, we believe the best use of artificial intelligence and automation is to support humans—not replace them. In the SOC, technology can reduce repetitive tasks so that people can focus on more complex threats and analysis. This allows defenders to use human intelligence to proactively hunt for adversaries that got past the first line of defense. Your organization will be more secure, and analysts can engage in interesting challenges.

Solutions like Microsoft Threat Protection can reduce some of the tedium involved in correlating threats across domains. Microsoft Threat Protection orchestrates across emails, endpoints, identity, and applications to automatically block attacks or prioritize incidents for analysts to pursue.

Azure Sentinel, a cloud-native SIEM, uses machine learning algorithms to reduce alert fatigue. Azure Sentinel can help identify complex, multi-stage attacks by using a probabilistic kill chain to combine low fidelity signals into a few actionable alerts.

It isn’t enough to apply machine learning to today’s monotonous challenges. Engage your team in active reflection and continuous improvement so they can fine-tune automation, playbooks, and other operations as circumstances change.

Track metrics that encourage growth

Every good SOC needs to track its progress to prove its value to the organization, make necessary improvements, and build the case for budgets. But don’t let your metrics become just another checklist. Measure data that is motivational to analysts and reflects the successes of the SOC. It’s also important to allocate the tracking of metrics to the right team members. For example, managers rather than analysts should be responsible for mapping metrics to budgets.

The Microsoft SOC tracks the following metrics:

Time to acknowledgment: For any alert that has a track record of 90 percent true positive, Microsoft tracks how long between when an alert starts “blinking” and when an analyst starts the investigation.

Time to remediate: Microsoft tracks how long it takes to remediate an incident, so we can determine if we are reducing the time that attackers have access to our environment.

Incidents remediated manually and via automation: To evaluate the effectiveness of our automation technology and to ensure we are appropriately staffed, we track how many incidents we remediate via automation versus manual effort.

Escalations between tiers: We also track issues that are remediated through tiers to accurately capture the amount of work that is happening at each tier. For example, if an incident gets escalated from Tier One to Tier Two, we don’t want to fully attribute the work to Tier Two or we may end up understaffing Tier One.

As organizations continue to confront the COVID-19 pandemic and eventually move beyond it, many security teams will be asked to do more with less. A continuous learning culture that uses automation and metrics to encourage growth will help you build a creative, problem-solving culture that is able to master new skills.

Read more about Microsoft Threat Protection.

Find out about Azure Sentinel.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Empower your analysts to reduce burnout in your security operations center appeared first on Microsoft Security.

Guiding principles of our identity strategy: staying ahead of evolving customer needs

July 27th, 2020

Last June, when I shared the 5 principles driving a customer-obsessed identity strategy at Microsoft, many of you had embraced the idea of a boundaryless environment, but relatively few had implemented it in practice. A global pandemic made remote access essential and forced many of you to accelerate your digital transformation plans.

The new reality requires not only supporting secure remote productivity and collaboration, but also other remote operations, such as onboarding, offboarding, and training employees. And this reality will continue for the near future. According to our most recent Work Life Index, 71 percent of employees and managers (Information Workers) reported a desire to continue working from home at least part-time post-pandemic.

Your experiences and insights have helped shape the investments we’re making in our identity services for the coming year and beyond. Today, I’m sharing with you the updated set of guiding principles we’re following to deliver a secure and scalable identity solution that’s seamless for your end-users.

Secure adaptive access

An identity system that is secure from the ground up continues to drive our product investments. In a recent survey of over 500 security executives, achieving a high level of protection without impeding user productivity was rated the number one challenge. Using risk-based Conditional Access policies in Azure AD, you can protect sensitive data with minimal friction to your end-users. This combines the power of Identity Protection with Conditional Access to only prompt users when the sign-in is considered risky.

To enhance identity security, we’re investing in compromise prevention technologies such as security defaults, attack blocking, and password protection, as well as reputation and anti-abuse systems. Security mechanisms like end-user notifications and in-line interrupts can help everyone defend themselves from malicious actors. Every day, our data scientists and investigators evaluate the threat and log data to gather real-world insights, so they can adjust our machine learning algorithms to recognize and protect our customers from the latest threats.

Our product and ecosystem investments are guided by embracing the Zero Trust security strategy as our worldview. We build Azure AD on the principles of Zero Trust to make implementing this model across your entire digital estate achievable at scale.

Seamless user experiences

When your employees need to get things done, delivering a great user experience is essential. Employees who interact directly with customers, patients, and citizens need tools that are simple to learn and use. Because an easy, fast sign-in experience can make all the difference for your users—and your Help Desk—we’re continuing our investments in Firstline Worker scenarios to address the challenges they face, for example, by providing seamless handoffs of shared mobile devices and enhancing tools and workflows for managers.

We’ve seen more interest than ever in minimizing the use of passwords and eliminating them completely. We continue our commitment to identity standards that help scale the technology and make it more useful and accessible for everyone. We’re also developing easy-to-use self-service options for end-users, such as managing security information, requesting access to apps and groups, and getting automatic recommendations for approved applications based on what peers are using most.

Your customers, business partners, and suppliers also deserve a great, consumer-grade sign-in and collaboration experience. With the External Identities feature in Azure AD, we are investing in making it easier for organizations and developers to secure, manage, and build apps that connect with different users outside your organization.

We’re also looking ahead to technologies that respect everyone’s privacy, such as decentralized identity systems and verifiable credentials, that can verify information about an individual without requiring another username and password. Verifiable credentials are based on open standards from W3C and leverage the OIDC protocol, so you will be able to incorporate them into your existing systems.

Unified identity management

It’s hard to scale and manage security when you have overlapping products from multiple vendors that need to work together. You have a portfolio of on-premises and cloud-based applications that you need to manage and provide secure access to for your users. We are simplifying these experiences in Azure AD, making it easier to manage all your applications for all your users in a single place. We’re also consolidating our APIs into Microsoft Graph to unify programmatic access to and management of data across workloads in Microsoft 365, including Azure AD.

By embracing open standards, we can help you more easily manage and secure your hybrid environment. We’re working with partners like Box and Workday to further deepen our product integrations and streamline identity processes. Azure AD is pre-integrated with thousands of SaaS applications, with more to come, so you can provide users one set of credentials for secure access to any application. We are continuing to extend capabilities in Azure AD so that you can migrate access for all your applications to be managed in the cloud.

Simplified identity governance

While having the ability to control access requests, approvals, and privileges in a timely and efficient manner is key, traditional identity governance and privileged access management solutions can be cumbersome and inflexible. This is true particularly now that these workflows are more often done remotely than in person. Providing every user access to the apps and files they need should be as simple as defining access packages and group assignments upfront. Onboarding and offboarding employees then become easy with an automated solution connected to your HR system.

We want to help more companies adopt these scenarios and incorporate our machine learning technology in Azure AD to provide better recommendations and alerts in response to unusual behavior or too many unnecessary privileges. Our goal is for these capabilities to span both employee and external identity scenarios, built in the cloud for maximum benefit. This will help strengthen your overall security, efficiency, and compliance.

The last several months have been a whirlwind for all of us. We’re in it with you, committed to helping you on your digital transformation journey. Whatever happens, you can be sure that we’ll continue to listen to your feedback and input, so we can evolve our engineering priorities and principles to help you stay ahead and prepare for what comes next. Thank you for your continued trust!

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Guiding principles of our identity strategy: staying ahead of evolving customer needs appeared first on Microsoft Security.

Updates to the Windows Insider Preview Bounty Program

July 24th, 2020

Partnering with the research community is an important part of Microsoft’s holistic approach to defending against security threats. Bounty programs are one part of this partnership, designed to encourage and reward vulnerability research focused on the highest impact to customer security. The Windows Insider Preview (WIP) Bounty Program is a key program for Microsoft and …

The post Updates to the Windows Insider Preview Bounty Program appeared first on Microsoft Security Response Center.

Afternoon Cyber Tea: Peak, Plateau, or Plummet? Cyber security trends that are here to stay and how to detect and recover from ransomware attacks

July 23rd, 2020

The rapidity of change in the cyberthreat landscape can be daunting for today’s cyber defense teams. Just as they perfect the ability to block one attack method, adversaries change their approach. Tools like artificial intelligence and machine learning allow us to pivot quickly; however, knowing which cyber trends are real and which are hype can be the difference between success and struggle. To help you figure out where to focus your resources, Kevin Beaumont joined me on Afternoon Cyber Tea.

Kevin is a thought leader on incident detection and response. His experience running Security Operations Centers (SOCs) has given him great insight into both the tactics used by attackers and how to create effective cyber teams. While our discussion took place before he joined Microsoft, his insights remain of great value as we look at how current cyber trends will evolve past the pandemic.

In this episode, he shares his cyber experience on everything from the role ransomware plays in the monetization of cybercrime, to which attack vectors may Peak, Plateau, or Plummet, and which trends are here to stay.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech. As we work on how to help empower every person and organization on the planet achieve more, we must look at how we combine our security learnings with examining how today’s cybersecurity investments will shape our industry and impact tomorrow’s cybersecurity reality.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Peak, Plateau, or Plummet? Cyber security trends that are here to stay and how to detect and recover from ransomware attacks appeared first on Microsoft Security.

Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection

July 23rd, 2020 No comments

The application of deep learning and other machine learning methods to threat detection on endpoints, email and docs, apps, and identities drives a significant piece of the coordinated defense delivered by Microsoft Threat Protection. Within each domain as well as across domains, machine learning plays a critical role in analyzing and correlating massive amounts of data to detect increasingly evasive threats and build a complete picture of attacks.

On endpoints, Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) detects malware and malicious activities using various types of signals that span endpoint and network behaviors. Signals are aggregated and processed by heuristics and machine learning models in the cloud. In many cases, the detection of a particular type of behavior, such as registry modification or a PowerShell command, by a single heuristic or machine learning model is sufficient to create an alert.

Detecting more sophisticated threats and malicious behaviors requires a broader view, and it is significantly enhanced by fusing signals that occur at different times. For example, an isolated file creation event is generally not a good indication of malicious activity, but when it is followed by the creation of a scheduled task that points at the same dropped file, and combined with other signals, the file creation becomes a significant indicator of malicious activity. To build a layer for these kinds of abstractions, Microsoft researchers instrumented new types of signals that aggregate individual signals and create behavior-based detections that can expose more advanced malicious behavior.

In this blog, we describe an application of deep learning, a category of machine learning algorithms, to the fusion of various behavior detections into a decision-making model. Since its deployment, this deep learning model has contributed to the detection of many sophisticated attacks and malware campaigns. As an example, the model uncovered a new variant of the Bondat worm that attempts to turn affected machines into zombies for a botnet. Bondat is known for using its network of zombie machines to hack websites or even perform cryptocurrency mining. This new version spreads using USB devices and then, once on a machine, achieves fileless persistence. We share more technical details about this attack in later sections, but first we describe the detection technology that caught it.

Powerful, high-precision classification model for wide-ranging data

Identifying and detecting malicious activities within massive amounts of data processed by Microsoft Defender ATP require smart automation methods and AI. Machine learning classifiers digest large volumes of historical data and apply automatically extracted insights to score each new data point as malicious or benign. Machine learning-based models may look at, for example, registry activity and produce a probability score, which indicates the probability of the registry write being associated with malicious activity. To tie everything together, behaviors are structured into virtual process trees, and all signals associated with each process tree are aggregated and used for detecting malicious activity.

With virtual process trees and signals of different types associated to these trees, there are still large amounts of data and noisy signals to sift through. Since each signal occurs in the context of a process tree, it’s necessary to fuse these signals in the chronological order of execution within the process tree. Data ordered this way requires a powerful model to classify malicious vs. benign trees.

Our solution comprises several deep learning building blocks such as Convolutional Neural Networks (CNNs) and Long Short-Term Memory Recurrent Neural Networks (LSTM-RNN). The neural network can take behavior signals that occur chronologically in the process tree and treat each batch of signals as a sequence of events. These sequences can be collected and classified by the neural network with high precision and detection coverage.

Behavior-based and machine learning-based signals

Microsoft Defender ATP researchers instrument a wide range of behavior-based signals. For example, a signal can be for creating an entry in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

An executable path added as a value under this key runs automatically at every logon. This establishes persistence on the machine and hence can be considered an indicator of compromise (IoC). Nevertheless, this IoC alone is generally not enough to generate a detection, because legitimate programs also use this mechanism.

Another example of behavior-based signal is service start activity. A program that starts a service through the command line using legitimate tools like net.exe is not considered a suspicious activity. However, starting a service created earlier by the same process tree to obtain persistence is an IoC.

On the other hand, machine learning-based models look at and produce signals on different pivots of a possible attack vector. For example, a machine learning model trained on historical data to discern between benign and malicious command lines will produce a score for each processed command line.

Consider the following command line:

 cmd /c taskkill /f /im someprocess.exe

This line implies that taskkill.exe is invoked by cmd.exe to terminate a process with a particular name. While the command itself is not necessarily malicious, the machine learning model may be able to recognize suspicious patterns in the name of the process being terminated, and provide a maliciousness probability, which is aggregated with other signals in the process tree. The result is a sequence of events during a certain period of time for each virtual process tree.

The next step is to use a machine learning model to classify this sequence of events.

Data modeling

The sequences of events described in the previous sections can be represented in several different ways to then be fed into machine learning models.

The first and simple way is to construct a “dictionary” of all possible events, and to assign a unique identifier (index) to each event in the dictionary. This way, a sequence of events is represented by a vector, where each slot constitutes the number of occurrences (or other related measure) for an event type in the sequence.

For example, if all possible events in the system are X,Y, and Z, a sequence of events “X,Z,X,X” is represented by the vector [3, 0, 1], implying that it contains three events of type X, no events of type Y, and a single event of type Z. This representation scheme, widely known as “bag-of-words”,  is suitable for traditional machine learning models and has been used for a long time by machine learning practitioners. A limitation of the bag-of-words representation is that any information about the order of events in the sequence is lost.

The second representation scheme is chronological. Figure 1 shows a typical process tree: Process A raises an event X at time t1, Process B raises an event Z at time t2, D raises X at time t3, and E raises X at time t4. Now the entire sequence “X,Z,X,X” (or [1,3,1,1] once X, Y and Z are replaced by their dictionary indices 1, 2 and 3) is given to the machine learning model.

Diagram showing process tree

Figure 1. Sample process tree

In threat detection, the order of occurrence of different events is important information for the accurate detection of malicious activity. Therefore, it’s desirable to employ a representation scheme that preserves the order of events, as well as machine learning models that are capable of consuming such ordered data. This capability can be found in the deep learning models described in the next section.
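The two representations above, as an added example rather than code from the post: it encodes a constructed process tree's signals as a bag-of-words count vector and as a chronological, padded index sequence of the kind an embedding layer consumes, and groups signals per tree and time window. The dictionary, the signal names X/Y/Z, the tree identifiers and the timestamps are assumptions made up for the example.

```python
"""Represent a process tree's behavior signals for a sequence classifier.

Added example, not code from the post. The dictionary, signal names and
timestamps are constructed to follow the X/Y/Z walk-through; a production
dictionary holds thousands of signal types.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

PAD, UNK = "<pad>", "<unk>"

# Constructed dictionary: one integer index per signal type. Index 0 is reserved
# for padding so that fixed-length batches can be fed to an embedding layer, and
# <unk> absorbs signal types that were instrumented after the model was trained.
SIGNAL_DICTIONARY: Dict[str, int] = {PAD: 0, "X": 1, "Y": 2, "Z": 3, UNK: 4}

# One signal raised inside a process tree: (timestamp, tree id, process, signal name)
Event = Tuple[float, str, str, str]


def signal_types() -> List[str]:
    """Real signal names in dictionary order, excluding the <pad>/<unk> tokens."""
    names = sorted(SIGNAL_DICTIONARY, key=SIGNAL_DICTIONARY.get)
    return [n for n in names if n not in (PAD, UNK)]


def bag_of_words(events: Sequence[Event]) -> List[int]:
    """Order-free count vector: one slot per signal type ("X,Z,X,X" -> [3, 0, 1])."""
    counts = Counter(name for _, _, _, name in events)
    return [counts[name] for name in signal_types()]


def chronological_sequence(events: Sequence[Event], max_len: int = 8) -> List[int]:
    """Dictionary indices in execution order, truncated or right-padded to max_len."""
    ordered = sorted(events, key=lambda e: e[0])
    ids = [SIGNAL_DICTIONARY.get(name, SIGNAL_DICTIONARY[UNK]) for _, _, _, name in ordered]
    ids = ids[:max_len]
    return ids + [SIGNAL_DICTIONARY[PAD]] * (max_len - len(ids))


def sequences_per_tree(events: Sequence[Event], window_seconds: float, max_len: int = 8):
    """Group signals by (tree, time window) and encode each group in order: this is
    the "single process tree during a unit of time" input the model consumes."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev[1], int(ev[0] // window_seconds))].append(ev)
    return {key: chronological_sequence(evs, max_len) for key, evs in sorted(buckets.items())}


# Constructed sample: the tree of Figure 1 ("T1": A raises X, then B raises Z,
# then D and E raise X) and a second tree "T2" with the same signals reordered.
FIGURE_1_TREE: List[Event] = [
    (1.0, "T1", "A", "X"), (2.0, "T1", "B", "Z"), (3.0, "T1", "D", "X"), (4.0, "T1", "E", "X"),
]
REORDERED_TREE: List[Event] = [
    (1.0, "T2", "A", "X"), (2.0, "T2", "B", "X"), (3.0, "T2", "D", "X"), (4.0, "T2", "E", "Z"),
]

if __name__ == "__main__":
    # Bag-of-words cannot tell the two trees apart; the ordered encoding can.
    print(bag_of_words(FIGURE_1_TREE), bag_of_words(REORDERED_TREE))
    print(chronological_sequence(FIGURE_1_TREE), chronological_sequence(REORDERED_TREE))
    print(sequences_per_tree(FIGURE_1_TREE + REORDERED_TREE, window_seconds=2.5, max_len=4))
```

The second tree is the point of the example: "drop a file three times, then create a scheduled task" and "drop, schedule, drop, drop" produce the same bag-of-words vector but different index sequences, which is the information the CNN-BiLSTM in the next section is built to exploit.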

Deep CNN-BiLSTM

Deep learning has shown great promise in sequential tasks in natural language processing like sentiment analysis and speech recognition. Microsoft Defender ATP uses deep learning for detecting various attacker techniques, including malicious PowerShell.

For the classification of signal sequences, we use a Deep Neural Network that combines two types of building blocks (layers): Convolutional Neural Networks (CNN) and Bidirectional Long Short-Term Memory Recurrent Neural Networks (BiLSTM-RNN).

CNNs are used in many tasks relating to spatial inputs such as images, audio, and natural language. A key property of CNNs is the ability to compress a wide-field view of the input into high-level features.  When using CNNs in image classification, high-level features mean parts of or entire objects that the network can recognize. In our use case, we want to model long sequences of signals within the process tree to create high-level and localized features for the next layer of the network. These features could represent sequences of signals that appear together within the data, for example, create and run a file, or save a file and create a registry entry to run the file the next time the machine starts. Features created by the CNN layers are easier to digest for the ensuing LSTM layer because of this compression and featurization.

LSTM deep learning layers are well known for their results in sentence classification, translation, speech recognition, sentiment analysis, and other sequence modeling tasks. Bidirectional LSTMs combine two LSTM layers that process the sequence in opposite directions.

The combination of the two types of neural networks stacked one on top of the other has been shown to be very effective and can classify long sequences of hundreds of items or more. The final model is a combination of several layers: one embedding layer, two CNNs, and a single BiLSTM. The input to this model is a sequence of hundreds of integers representing the signals associated with a single process tree during a unit of time. Figure 2 shows the architecture of our model.

Diagram showing layers of the CNN BiLSTM model

Figure 2. CNN-BiLSTM model

Since the number of possible signals in the system is very high, input sequences are passed through an embedding layer that compresses high-dimensional inputs into low-dimensional vectors that can be processed by the network. In addition, similar signals get a similar vector in lower dimensional space, which helps with the final classification.

Initial layers of the network create increasingly high-level features, and the final layer performs sequence classification. The output of the final layer is a score between 0 and 1 that indicates the probability of the sequence of signals being malicious. This score is used in combination with other models to predict if the process tree is malicious.

Catching real-world threats

Microsoft Defender ATP’s endpoint detection and response capabilities use this Deep CNN-BiLSTM model to catch and raise alerts on real-world threats. As mentioned, one notable attack that this model uncovered is a new variant of the Bondat worm, which was seen propagating in several organizations through USB devices.

Diagram showing the Bondat attack chain

Figure 3. Bondat malware attack chain

Even with an arguably inefficient propagation method, the malware could persist in an organization as users continue to use infected USB devices. For example, the malware was observed in hundreds of machines in one organization. Although we detected the attack during the infection period, it continued spreading until all malicious USB drives were collected. Figure 4 shows the infection timeline.

Column chart showing daily encounters of the Bondat malware in one organization

Figure 4. Timeline of encounters within a single organization within a period of 5 months showing reinfection through USB devices

The attack drops a JavaScript payload, which it runs directly in memory using wscript.exe. The JavaScript payload uses a randomly generated filename as a way to evade detections. However, Antimalware Scan Interface (AMSI) exposes malicious script behaviors.

To spread via USB devices, the malware leverages WMI to query the machine’s disks by calling “SELECT * FROM Win32_DiskDrive”. When it finds a match for “/usb” (see Figure 5), it copies the JavaScript payload to the USB device and creates a batch file on the USB device’s root folder. The said batch file contains the execution command for the payload. As part of its social engineering technique to trick users into running the malware in the removable device, it creates a LNK file on the USB pointing to the batch file.

Screenshot of malware code showing infection technique

Figure 5. Infection technique

The malware terminates processes related to antivirus software or debugging tools. For Microsoft Defender ATP customers, tamper protection prevents the malware from doing this. Notably, after terminating a process, the malware pops up a window that imitates a Windows error message to make it appear like the process crashed (See figure 6).

Screenshot of malware code showing evasion technique

Figure 6. Evasion technique

The malware communicates with a remote command-and-control (C2) server by implementing a web client (MSXML). Each request is encrypted with RC4 using a randomly generated key, which is sent within the “PHPSESSID” cookie value to allow attackers to decrypt the payload within the POST body.

Every request sends information about the machine and its state following the output of the previously executed command. The response is saved to disk and then parsed to extract commands within an HTML comment tag. The first five characters from the payload are used as key to decrypt the data, and the commands are executed using the eval() method. Figures 7 and 8 show the C2 communication and HTML comment eval technique.

Once the command is parsed and evaluated by the JavaScript engine, any code can be executed on an affected machine, for example, download other payloads, steal sensitive info, and exfiltrate stolen data. For this Bondat campaign, the malware runs coin mining or coordinated distributed denial of service (DDoS) attacks.

Figure 7. C2 communication

Figure 8. Eval technique (parsing commands from html comment)

The malware’s activities triggered several signals throughout the attack chain. The deep learning model inspected these signals and the sequence with which they occurred, and determined that the process tree was malicious, raising an alert:

  1. Persistence – The malware copies itself into the Startup folder and drops a .lnk file pointing to the malware copy that opens when the computer starts
  2. Renaming a known operating system tool – The malware renames a legitimate system executable to a random filename
  3. Dropping a file with the same filename as legitimate tools – The malware impersonates legitimate system tools by dropping a file with a similar name to a known tool.
  4. Suspicious command line – The malware tries to delete itself from its previous location using a command line executed by a process spawned by the malware process
  5. Suspicious script content – Obfuscated JavaScript payload used to hide the attacker’s intentions
  6. Suspicious network communication – The malware connects to the domain legitville[.]com
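Behavior signals of the kind listed above, and of the kind described in the earlier section on behavior-based signals (persistence for a file the same tree dropped, a scheduled task pointing at that file, a service started by the tree that created it), derived from raw endpoint events, as an added example that is not the post's or Microsoft Defender ATP's code. The event schema, field names, paths and both sample process trees are constructed. The second tree shows why per-tree state matters: a Run key write or a service start on its own yields at most the weak signal.

```python
"""Derive behavior-based signals from raw endpoint events, scoped to one process tree.

Added example, not code from the post or from Microsoft Defender ATP. The event
schema, field names, paths and both sample trees are constructed; the rules
approximate the instrumentation described in the post.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

Signal = Tuple[float, str]  # (timestamp, signal name)


def tree_roots(events: List[dict]) -> Dict[int, int]:
    """Map every pid seen in the events to the root pid of its process tree.
    The root is the topmost process for which a ProcessCreate event exists."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "ProcessCreate"}

    def root(pid: int) -> int:
        seen = set()
        while pid in parent and parent[pid] in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    return {pid: root(pid) for pid in {e["pid"] for e in events}}


def derive_signals(events: List[dict]) -> Dict[int, List[Signal]]:
    """Walk each tree's events in time order, keeping per-tree state, and emit signals."""
    roots = tree_roots(events)
    by_tree = defaultdict(list)
    for e in events:
        by_tree[roots[e["pid"]]].append(e)

    out: Dict[int, List[Signal]] = {}
    for root, evs in by_tree.items():
        dropped, services, signals = set(), set(), []  # state is scoped to this tree
        for e in sorted(evs, key=lambda e: e["ts"]):
            t, kind = e["ts"], e["type"]
            if kind == "FileCreate":
                path = e["path"].lower()
                # A .lnk in the Startup folder pointing at a file this tree dropped
                if path.endswith(".lnk") and STARTUP_DIR in path and e.get("target", "").lower() in dropped:
                    signals.append((t, "startup_lnk_to_dropped_file"))
                dropped.add(path)
            elif kind == "RegistryValueSet" and e["key"].lower() == RUN_KEY:
                # Weak on its own: legitimate installers write this key too
                signals.append((t, "run_key_write"))
                if any(p in e["data"].lower() for p in dropped):
                    signals.append((t, "run_key_for_dropped_file"))
            elif kind == "ScheduledTaskCreate" and any(p in e["action"].lower() for p in dropped):
                signals.append((t, "scheduled_task_for_dropped_file"))
            elif kind == "ServiceCreate":
                services.add(e["name"].lower())
            elif kind == "ServiceStart" and e["name"].lower() in services:
                # Starting a service is normal; starting one this tree created is not
                signals.append((t, "service_start_own_service"))
        out[root] = signals
    return out


def signal_names(events: List[dict]) -> Dict[int, List[str]]:
    """Ordered signal names per tree, the sequence a classifier would consume."""
    return {root: [name for _, name in sigs] for root, sigs in derive_signals(events).items()}


# Constructed telemetry. Tree rooted at pid 100: a script host drops a payload and
# persists it several ways. Tree rooted at pid 200: an admin shell starts an
# existing service and registers an already-installed program to run at logon.
SAMPLE_EVENTS = [
    {"ts": 1.0, "type": "ProcessCreate", "pid": 100, "ppid": 1, "image": "wscript.exe"},
    {"ts": 2.0, "type": "FileCreate", "pid": 100, "path": r"C:\Users\u\AppData\Roaming\qx7.js"},
    {"ts": 3.0, "type": "ProcessCreate", "pid": 101, "ppid": 100, "image": "cmd.exe"},
    {"ts": 4.0, "type": "RegistryValueSet", "pid": 101,
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r'wscript.exe "C:\Users\u\AppData\Roaming\qx7.js"'},
    {"ts": 5.0, "type": "ScheduledTaskCreate", "pid": 101, "action": r"wscript.exe C:\Users\u\AppData\Roaming\qx7.js"},
    {"ts": 6.0, "type": "ServiceCreate", "pid": 101, "name": "UpdSvc"},
    {"ts": 7.0, "type": "ProcessCreate", "pid": 102, "ppid": 101, "image": "net.exe"},
    {"ts": 8.0, "type": "ServiceStart", "pid": 102, "name": "UpdSvc"},
    {"ts": 9.0, "type": "FileCreate", "pid": 100,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qx7.lnk",
     "target": r"C:\Users\u\AppData\Roaming\qx7.js"},
    {"ts": 1.5, "type": "ProcessCreate", "pid": 200, "ppid": 1, "image": "cmd.exe"},
    {"ts": 2.5, "type": "ServiceStart", "pid": 200, "name": "Spooler"},
    {"ts": 3.5, "type": "RegistryValueSet", "pid": 200,
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for root, names in signal_names(SAMPLE_EVENTS).items():
        print(root, names)
```

The output per tree is exactly the ordered signal list the model in the previous sections consumes; the admin tree produces only `run_key_write`, which by itself should not raise an alert.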

Conclusion

Modeling a process tree, given different signals that happen at different times, is a complex task. It requires powerful models that can remember long sequences and still be able to generalize well enough to churn out high-quality detections. The Deep CNN-BiLSTM model we discussed in this blog is a powerful technology that helps Microsoft Defender ATP achieve this task. Today, this deep learning-based solution contributes to Microsoft Defender ATP’s capability to detect evolving threats like Bondat.

Microsoft Defender ATP raises alerts for these deep learning-driven detections, enabling security operations teams to respond to attacks using Microsoft Defender ATP’s other capabilities, like threat and vulnerability management, attack surface reduction, next-generation protection, automated investigation and response, and Microsoft Threat Experts. Notably, these alerts inform behavioral blocking and containment capabilities, which add another layer of protection by blocking threats if they somehow manage to start running on machines.

The impact of deep learning-based protections on endpoints accrues to the broader Microsoft Threat Protection (MTP), which combines endpoint signals with threat data from email and docs, identities, and apps to provide cross-domain visibility. MTP harnesses the power of Microsoft 365 security products to deliver unparalleled coordinated defense that detects, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Through machine learning and AI technologies like the deep learning model we discussed in this blog, MTP automatically analyzes cross-domain data to build a complete picture of each attack, eliminating the need for security operations centers (SOC) to manually build and track the end-to-end attack chain and relevant details. MTP correlates and consolidates attack evidence into incidents, so SOCs can save time and focus on critical tasks like expanding investigations and proactive threat hunting.


Arie Agranonik, Shay Kels, Guy Arazi

Microsoft Defender ATP Research Team



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection and Microsoft Defender ATP tech communities.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection appeared first on Microsoft Security.

Preventing data loss and mitigating risk in today’s remote work environment

July 21st, 2020 No comments

The shift to remote work over the past few months has increased the need for organizations to re-evaluate their security and risk management practices. With employees at times accessing corporate data on home computers, or sharing and collaborating in new ways, organizations could be at greater risk of data leaks and other incidents.

To help companies with the visibility they need and better protect their data, we are announcing several new capabilities across Microsoft 365 and Azure, including:

  • New Microsoft Endpoint Data Loss Prevention solution in public preview.
  • New features in public preview for Insider Risk Management and Communication Compliance in Microsoft 365.
  • New third-party data connectors in Microsoft Azure Sentinel.
  • New Double Key Encryption for Microsoft 365 in public preview.

Read on to get more information about all these new security and compliance features rolling out starting today.

Announcing Microsoft Endpoint Data Loss Prevention (DLP)

Having the right data protection and governance approach is critical to not only addressing regulatory compliance and privacy, but also to mitigating data leak and risk. Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. Data Loss Prevention solutions help prevent data leaks and provide context-based policy enforcement for data at rest, in use, and in motion on-premises and in the cloud. Microsoft 365 already includes built-in data loss prevention capabilities in Microsoft Teams, SharePoint, Exchange, and OneDrive, as well as for third-party cloud apps with Microsoft Cloud App Security.

Today we are excited to announce that we are now extending data loss prevention to the endpoint with the public preview of the new Microsoft Endpoint Data Loss Prevention (DLP). Endpoint DLP builds on the labeling and classification in Microsoft Information Protection and extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on endpoints.

Built into Windows 10, Microsoft Edge, and the Office apps, Endpoint DLP provides data-centric protection for sensitive information without the need for an additional agent, enabling you to prevent risky or inappropriate sharing, transfer, or use of sensitive data in accordance with your organization’s policies. For example, organizations can now prevent copying sensitive content to USB drives or printing sensitive documents. The sensitive content labeling integration ensures consistency across all data types and reduces false positives and false negatives within DLP. Microsoft Edge works with Endpoint DLP to extend visibility and control into third-party cloud apps and services. Also, because Endpoint DLP builds on the existing DLP capabilities in Microsoft 365, you immediately get insights when sensitive data is accessed and shared, directly from the Activity Explorer in the Microsoft 365 compliance center.

An image showing how you can manage your data loss prevention policies across Microsoft 365 from one location – the Microsoft 365 compliance center.

Figure 1: You can manage your data loss prevention policies across Microsoft 365 from one location – the Microsoft 365 compliance center.

The Microsoft 365 Compliance Center also now provides a single, integrated console to manage DLP policies across Microsoft 365, including endpoints.  The public preview of Endpoint DLP will begin rolling out today. For more information, check out the Tech Community blog.

New features to help you to address insider risk and code of conduct violations

Remote work, while keeping employees healthy during this time, also increases the distractions end users face, such as shared home workspaces and remote learning for children. According to the SEI CERT institute, user distractions are the cause of many accidental and non-malicious insider risks. The current environment has also significantly increased stressors such as potential job loss or safety concerns, creating the potential for increased inadvertent or malicious leaks.

Today we are pleased to announce the public preview of several new features that further enhance the rich set of detection and remediation capabilities available in Insider Risk Management and Communication Compliance in Microsoft 365.

Insider Risk Management

While broad visibility into signals from end-user activities, actions, or communications is important, when it comes to effectively identifying the risks, the quality of signals also matters. In this release, we are significantly expanding the quality of signals that Insider Risk Management reasons over to intelligently flag potentially risky behavior. New categories include expanded Windows 10 signals (e.g., files copied to a USB drive or transferred to a network share), integration with Microsoft Defender ATP for endpoint security signals, more native signals from across Microsoft 365 (including Microsoft Teams, SharePoint, and Exchange), and enhancements to our native HR connector.

We are also introducing new security policy violation and data leak policy templates to help you to get started quickly and identify an even broader variety of risks.

Finally, we are also increasing integration to help you to take more action on the risks you identify. For example, integration with ServiceNow’s solution provides the ability for Insider Risk Management case managers to directly create ServiceNow tickets for incident managers. In addition, we are also onboarding Insider Risk Management alerts to the Office 365 Activity Management API, which contains information such as alert severity and status (active, investigating, resolved, dismissed). These alerts can then be consumed by security information and event management (SIEM) systems like Azure Sentinel to take further actions such as disabling user access or linking back to Insider Risk Management for further investigation.

For more information on these new features, check out the Tech Community blog.

Communication Compliance

As we embraced the shift to remote work, the volume of communications sent over collaboration platforms has reached an all-time high. Diversity, equity, and inclusion are now center stage. These new scenarios not only heighten a company’s risk exposure from insiders, but also highlight the need to support employees in these challenging times.

Communication Compliance in Microsoft 365 helps organizations to intelligently detect regulatory compliance and code of conduct violations within an organization’s communications, such as workplace threats and harassment, and take quick remediation efforts on policy violations.

Starting to roll out today, Communication Compliance will introduce enhanced insights to make the review process simpler and less time consuming, through intelligent pattern detection to prioritize alerts of repeat offenders, through a global feedback loop to improve our detection algorithms, and through rich reporting capabilities. New features also include additional third-party connectors to extend the capabilities to sources like Bloomberg Message data, ICE Chat data, and more. Additionally, the solution will see improved remediation actions through Microsoft Teams integration, such as the ability to remove messages from the Teams channel.

You can find more information about these new features in the Tech Community blog.

New partner connectors in Microsoft Azure Sentinel

Microsoft Azure Sentinel is a powerful security information and event management (SIEM) solution that can help you collect security data across your entire hybrid organization from devices, users, apps, servers, and any cloud. Using these data sources you can build a more complete picture of the threats that your organization faces, conduct deep threat hunts across your environment, and use the power of automation and orchestration in the cloud to help free up your security analysts to focus on their highest-value tasks.

Today we are announcing several new third-party connectors across Azure Sentinel to simplify getting security insights across many leading solutions and partners, including networks, firewalls, endpoint protection, and vulnerability management.

These connectors, which offer sample queries and dashboards, will help collect security data easily and provide security insights immediately.

An image of new partner connectors provide greater visibility into external threats.

Figure 2: New partner connectors provide greater visibility into external threats.

Some of the new partner connectors include Symantec, Qualys, and Perimeter 81. You can see the full list of new connectors and learn more in our Tech Community blog.

Introducing Double Key Encryption for Microsoft 365

In today’s environment, the success of any organization is contingent upon its ability to drive productivity through information sharing while maintaining data privacy and regulatory compliance. Regulations, particularly in the financial services sector, often contain specialized requirements for certain data, requiring that the organization control its own encryption key. Typically, a very small percentage of a customer’s data falls into this category, but it is important for our customers to handle that specific data correctly.

To address that regulatory and unique need for some organizations, today we are pleased to announce the public preview of Double Key Encryption for Microsoft 365, which allows you to protect your most confidential data while maintaining full control of your encryption key. Double Key Encryption for Microsoft 365 uses two keys to protect your data, with one key in your control and the second in Microsoft’s control. To view the data, one must have access to both keys. Since Microsoft can access only one key, your data and key are unavailable to Microsoft, helping to ensure the privacy and security of your data.

With Double Key Encryption for Microsoft 365, you not only hold your own key, but this capability also helps you to address many regulatory compliance requirements, easily deploy the reference implementation, and enjoy a consistent labeling experience across your data estate. For more information, check out the Tech Community blog.

Get started today

Endpoint Data Loss Prevention, Insider Risk Management, Communication Compliance, and Double Key Encryption are rolling out in public preview starting today and are a part of Microsoft 365 E5. If you don’t have Microsoft 365 E5, you can get started with a trial today.

In addition, to learn more about the rest of the Microsoft 365 product updates being announced today, check out the Microsoft 365 blog from Jared Spataro.

You can also learn more about how you can modernize your SIEM with Azure Sentinel. 

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Preventing data loss and mitigating risk in today’s remote work environment appeared first on Microsoft Security.

Hello open source security! Managing risk with software composition analysis

July 20th, 2020 No comments

When first learning to code many people start with a rudimentary “Hello World” program. Building the program teaches developers the basics of a language as they write the code required to display “Hello World” on a screen. As developers get more skilled, the complexity of the programs they build increases.

But building a complex app entirely from scratch these days is not the norm because there are so many fantastic services and functions available to developers via libraries, plug-ins, and APIs that developers can consume as part of their solution. If you were building a website to show off your amazing nail art or community farm you wouldn’t build your own mapping tool for directions, you’d plug in a map tool service like Bing Maps. And if another developer has already built out a robust, well-vetted open-source cryptographic library, you’re better off using that rather than trying to roll your own.

Today’s apps are rich composites of components and services—many of which are open source. Just how many? Well, the Synopsys 2020 Open Source Security and Risk Analysis Report found that “open source components and libraries are the foundation of literally every application in every industry.” But just like any other software, open-source components must be assessed and managed to ensure that the final product is secure. So how can you take advantage of the benefits of open source without increasing risk? Software Composition Analysis (SCA)!

SCA Explained

SCA is a lifecycle management approach to tracking and governing the open source components in use in an organization. SCA provides insight into which components are being used, where they are being used, and if there are any security concerns or updates required. This approach provides the following benefits:

  • Quickly respond to vulnerabilities: Understanding which components you are using will allow you to take action when you learn of a security vulnerability. This is critical when components are re-used in a number of places. For example, the infamous “Heartbleed” vulnerability in the popular OpenSSL library affected hundreds of thousands of web servers. When the bug in OpenSSL’s TLS heartbeat extension was announced, attackers immediately began trying to exploit it. Organizations with an SCA program were better able to rapidly and completely replace or patch their systems, reducing their risk.
  • Provide guidance to your developers: Developers usually work under a deadline and need ways to build great apps quickly. If they don’t have a process for finding the right open source component, they may select one that’s risky. An approved repository of open source components and a process for getting new components into the repository can go a long way to support the development teams’ need for speed, in a secure way.
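An SCA inventory and advisory match at small scale, as an added example (not code from the post): it parses constructed pinned manifests from two projects, records where each component is used, flags versions that fall inside a constructed advisory's affected range, and lists components whose license is not on an allowlist. Package names, versions, advisory identifiers and licenses are all made up for the example; a real SCA tool reads lockfiles or SBOMs and pulls advisories from a vulnerability database.

```python
"""Software composition analysis at small scale: inventory the third-party
components a codebase pulls in, then match them against an advisory feed.

Added example, not code from the post. The manifests, package names, licenses
and the advisory list below are all constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2). Pre-release suffixes are ignored, not understood."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' pins; comments and blank lines are skipped.
    Unpinned requirements are rejected because they cannot be matched to advisories."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned requirement: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def build_inventory(manifests: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """{package: {version: [manifest paths using it]}}: what is used, and where."""
    inv = defaultdict(lambda: defaultdict(list))
    for path, text in manifests.items():
        for name, version in parse_requirements(text).items():
            inv[name][version].append(path)
    return {name: dict(versions) for name, versions in inv.items()}


def is_affected(version: str, advisory: dict) -> bool:
    """Affected range is [introduced, fixed), the convention used by OSV-style feeds."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(inventory, advisories) -> List[dict]:
    """One finding per (advisory, vulnerable version, manifest), so every place
    that needs a patch is listed, not just the package name."""
    findings = []
    for adv in advisories:
        for version, paths in inventory.get(adv["package"], {}).items():
            if is_affected(version, adv):
                for path in paths:
                    findings.append({"package": adv["package"], "version": version,
                                     "manifest": path, "advisory": adv["id"], "fixed": adv["fixed"]})
    return sorted(findings, key=lambda f: (f["package"], f["manifest"]))


def license_violations(inventory, licenses: Dict[str, str], allowed: set) -> List[str]:
    """Components whose license is missing or not on the allowlist."""
    return sorted(name for name in inventory if licenses.get(name, "UNKNOWN") not in allowed)


# Constructed sample data (fictional packages, advisories and licenses).
MANIFESTS = {
    "web/requirements.txt": "acmeparser==1.2.0\nnetkit==2.3.0  # http client\nlogfmt==0.4.1\n",
    "batch/requirements.txt": "acmeparser==0.9.3\nnetkit==2.5.0\n",
}
ADVISORIES = [
    {"id": "EXAMPLE-2020-0001", "package": "acmeparser", "introduced": "0", "fixed": "1.1.0"},
    {"id": "EXAMPLE-2020-0002", "package": "netkit", "introduced": "2.0.0", "fixed": "2.4.1"},
]
LICENSES = {"acmeparser": "MIT", "netkit": "Apache-2.0", "logfmt": "AGPL-3.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

if __name__ == "__main__":
    inventory = build_inventory(MANIFESTS)
    for finding in find_vulnerable(inventory, ADVISORIES):
        print(f"{finding['manifest']}: {finding['package']}=={finding['version']} "
              f"affected by {finding['advisory']}, fixed in {finding['fixed']}")
    print("license violations:", license_violations(inventory, LICENSES, ALLOWED_LICENSES))
```

The same package appears in both manifests at different versions, and only one of each pair is affected; the inventory is what lets the report say which project has to upgrade rather than just which package is bad.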

Define your strategy

A strong SCA program starts with a vision. If you document your strategy, developers and managers alike will understand your organization’s approach to open source. This will guide decision-making during open-source selection and contribution. Consider the following:

  • Licensing: Not all open source projects document their licensing, but if there isn’t a license, it’s technically not open source and is subject to copyright laws. Some licenses are very permissive and will let you do whatever you want with the code as long as you acknowledge the author. Other licenses, often referred to as copyleft licenses, require that any derivative code be released under the same open source license. You also need to be aware of licenses that restrict patenting. Your strategy should outline the licensing that is appropriate for your business.
  • Supportability: What is your philosophy on support? If you have the right skills, you can choose to support the software yourself. Some open-source companies include support subscriptions that you can purchase. You can also hire third-party organizations to provide support. Make sure your team understands your support policy.
  • Security: There are several approaches that you can use to vet third-party code. Developers can evaluate public resources to uncover known vulnerabilities. You can also require that they perform static analysis to uncover unreported security issues. If you want to be more comprehensive, add dynamic analysis, code review, and security configuration review.

Establish governance

Your strategy will help you align on objectives and guidelines, but to put it in action, you’ll need to define processes and responsibilities.

  • Approved open source projects: Are there open source projects that are well-aligned with your organization that you’d like developers to consider first? How about open source software that is banned?
  • Approval process: Determine how you will engage legal experts to review licenses, how developers should request approvals, and who makes the final decision.
  • Security response: Document how you will respond and who is responsible if a security vulnerability is reported.
  • Support: Determine how you will engage support when non-security bugs are identified.

Create a toolkit

To manage your open source software, you need to track the components and open-source licenses that are currently in use. It’s also important to scan software for vulnerabilities. Open source and commercial tools are available and can be integrated into your continuous integration/continuous deployment process.

Microsoft Application Inspector is a static analysis tool that you can use to detect poor programming practices and other interesting characteristics in the code. It can help you identify unexpected features that require additional scrutiny.
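The inventory, license and vulnerability checks described in the SCA, strategy and governance sections above, as an added example that is not part of the original post and is not Microsoft Application Inspector or any other Microsoft tool. It parses a constructed requirements-style manifest, applies a constructed governance policy (approved permissive licenses, copyleft licenses that need legal review, a banned-package list) and matches pinned versions against a constructed advisory feed. All package names, license assignments and advisory ids (`ADV-PLACEHOLDER-*`) are invented for the example; a real program would pull the license metadata and advisories from the registry and a vulnerability feed rather than from inline dictionaries.

```python
import re

# Constructed sample manifest in pip requirements.txt style. Every package name
# here is hypothetical and does not refer to a real project.
MANIFEST = """\
# constructed sample manifest
webclient==2.4.0
fastcrypto==1.9.2
leftpad-clone==0.1.0
yamlparse==5.1
oldjson==0.9   # banned by policy
"""

# Constructed license metadata (package -> SPDX-style id); None means no license
# file was found, so the code is all-rights-reserved rather than open source.
LICENSES = {
    "webclient": "Apache-2.0",
    "fastcrypto": "BSD-3-Clause",
    "leftpad-clone": None,
    "yamlparse": "GPL-3.0-only",
    "oldjson": "MIT",
}

# Constructed advisory feed with placeholder ids (not real CVEs): a package is
# affected when its pinned version is older than fixed_in.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "fastcrypto", "fixed_in": "1.9.3"},
    {"id": "ADV-PLACEHOLDER-2", "package": "webclient", "fixed_in": "2.3.0"},
]

# Constructed governance policy: which licenses are pre-approved, which need a
# legal review before use, and which packages are banned outright.
POLICY = {
    "permissive": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "copyleft_review": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-3.0-only"},
    "banned": {"oldjson"},
}

REQ_LINE = re.compile(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_manifest(text):
    """Return {name: version} from 'name==version' lines, ignoring comments and blanks."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQ_LINE.fullmatch(line)
        if not match:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def version_lt(a, b):
    """True when version a is older than b; dotted numeric versions, zero-padded."""
    ka = [int(p) if p.isdigit() else 0 for p in a.split(".")]
    kb = [int(p) if p.isdigit() else 0 for p in b.split(".")]
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return ka < kb


def analyze(manifest_text, licenses, advisories, policy):
    """Return (package, finding_kind, detail) tuples for everything that needs action."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        if name in policy["banned"]:
            findings.append((name, "banned", "listed as banned by governance policy"))
        lic = licenses.get(name, "UNKNOWN")
        if lic is None:
            findings.append((name, "no-license", "no license found; not open source, copyright applies"))
        elif lic in policy["copyleft_review"]:
            findings.append((name, "copyleft-review", f"{lic}: derivative code may have to be released under the same license"))
        elif lic not in policy["permissive"]:
            findings.append((name, "unknown-license", f"{lic} is not on the approved list"))
        for adv in advisories:
            if adv["package"] == name and version_lt(version, adv["fixed_in"]):
                findings.append((name, "vulnerable", f"{adv['id']}: {version} is older than fixed version {adv['fixed_in']}"))
    return findings


if __name__ == "__main__":
    for package, kind, detail in analyze(MANIFEST, LICENSES, ADVISORIES, POLICY):
        print(f"{kind:16} {package:14} {detail}")
```

On the constructed input the report flags four packages: one vulnerable pin, one with no license, one copyleft license needing review, and one banned package; the two permissively licensed, up-to-date packages produce no finding. Running this against every build is the "track which components, where, and whether updates are required" loop the post describes, and keeping the manifest pinned is what makes the version comparison meaningful.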

Build engagement

Building consensus for the open-source security program is just as important as the program components. Make sure all your resources, approved open source licenses, and processes are easily accessible. When you roll out the program, clearly communicate why it’s important. Train your developers in the process and the tools they will use and provide regular updates as things change.

Open Source is a vibrant and valuable part of the development process. With the right program and tools in place, it can also be a well-governed and risk-managed process that helps developers deliver more secure software faster.

Read Microsoft’s guidance for managing third-party components.

Find advice for selecting and gaining approval for open source in your organization.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

The post Hello open source security! Managing risk with software composition analysis appeared first on Microsoft Security.

5 cybersecurity paradigm shifts that will lead to more inclusive digital experiences

July 16th, 2020 No comments

Whether responding to a natural disaster, defending against a cyberattack, or meeting the unprecedented demands to enable the largest workforce in history to work remotely, we amplify our human capacity through technology. At Microsoft, cybersecurity is the underpinning to helping organizations maintain business continuity during times of change.

As we look past the pandemic and prepare to implement the lessons we’ve learned during this time of disruption, we are reminded that security technology is also about improving productivity and collaboration through inclusive user experiences. In an industry that has traditionally expected people to adjust their behavior to conform to security policies, this is a transformative idea.

My team and I share this transformative idea when we work with organizations from around the world who need to enable people to work productively and securely from a variety of non-traditional locations. Through these interactions, we’ve learned a lot about the role that cybersecurity plays in helping organizations maintain business continuity as we adapt to this new world. As a result, I anticipate five cybersecurity paradigm shifts that will support the evolution of work in a way that centers around the inclusivity of people and data.

1. The rise of digital empathy

To say that we are living in unprecedented times is, quite frankly, an understatement. Each and EVERY one of us has been impacted—in one way or another—by current events. We’ve had to adapt to new ways of life, in our homes, and our workplaces. And the pace of change has been at a rate none of us have seen before. At times like these, we need empathy more than ever.

“We have seen two years’ worth of digital transformation in just two months.” – Satya Nadella, President & CEO, Microsoft

Empathy is the ability to understand the feelings and thoughts of another person. To walk in their shoes. During times of constant disruption and change, empathy can reduce stress and bring people together. We saw empathy at work in the nightly cheers for healthcare workers as they came home from a long day at the hospital in New York and other cities.

But empathy isn’t just for in-person interactions. By applying empathy to digital solutions, we can make them more inclusive. In cybersecurity that means building tools that can accommodate a diverse group of people’s ever-changing circumstances. It also means developing technology that can forgive mistakes.

Securing cloud apps offers a great example. There is a good reason that cloud apps have proliferated in enterprises. If you have a challenge, there is probably an app available to solve it. They are easy to access and many are free. But they also pose a security risk. Individuals may share privileged data through apps with security vulnerabilities, not because they don’t care, but because they are too busy to stay up to date on the intricacies of an organization’s data privacy policies.

Our security tools can empower people to work when, where, and how they need, and use the devices and apps that maximize their productivity. Solutions like Microsoft Cloud App Security and Azure Information Protection accommodate how people want to work, with controls that make organizations more secure. The Microsoft Identity platform already adds security like multi-factor authentication (MFA) to 1.4 million unique apps (up 117% YoY), including brands like ServiceNow, GoogleApps, and Salesforce.

2. The Zero Trust journey has begun

In the first 10 days of the pandemic, it became clear that companies that relied on traditional security methods—things like firewalls—were at a disadvantage. Not only did they have trouble meeting the needs of a new remote workforce, but they were also more susceptible to COVID-19 themed threats. Overnight, Zero Trust shifted from a business option to a business imperative.

Zero Trust is an “assume breach” security posture that treats each step across the network and each request for access to resources as a unique risk to be evaluated and verified. This model starts with strong identity authentication everywhere. MFA—which we know prevents 99 percent of credential theft—and other intelligent authentication methods make accessing apps easier and more secure than traditional passwords.

As we look past the pandemic to a time when workforces and budgets rebound, Zero Trust will become the biggest area of investment for cybersecurity. This means that, right now, every one of us is on a Zero Trust journey—whether we know it or not.

3. Diversity of data matters

It wasn’t just individuals, businesses, schools, and governments that rapidly responded to the pandemic; our adversaries also quickly pivoted. Because Microsoft tracks more than 8 trillion daily signals from a diverse set of products, services, and feeds around the globe, we were able to identify new COVID-19 themed threats—sometimes in a fraction of a second—before they reached customers. This is just one example of how the power and scale of the cloud has a clear advantage when it comes to combating threats.

Our diversity of data also allowed us to understand COVID-19 themed attacks in a broader context. Microsoft cyber defenders determined that adversaries were primarily adding new pandemic themed lures to familiar malware. Of the millions of targeted messages Microsoft caught every day, less than 2 percent included COVID-19 related malicious attachments or URLs. Since mid-March when COVID-19 attacks peaked, they’ve decreased to a slightly elevated “new normal” (See Figure 1). Although the drop off tracks closely to the news, it also coincides with when defenders began increasing phishing awareness training in enterprises. This is a great example of how insights based on good data help us raise the cost of attacks for our adversaries.

Figure 1: Trend of COVID-19 themed attacks.

Cybercriminals are adept at changing their tactics to take advantage of global or local events to lure new victims. Insights based on more diverse data sets can offer real-time protection as tactics shift. As a result of their experiences navigating COVID-19 related threats, more enterprises are likely to embrace cloud-based protection and threat insights.

4. Cyber resilience is fundamental to business operations

One thing we’ve learned from the COVID-19 pandemic is to expect the unexpected. We can’t predict what the next disruption to business continuity will be—whether natural or manmade—but we do know organizations will confront other crises that require a rapid response.

Today’s businesses are more reliant than ever on cloud technology, and so a comprehensive approach to operational resiliency must include cyber resilience. At Microsoft, we benefited from a strategy that focused on four basic threat scenarios: planful events like weather incidents, unplanned events such as earthquakes, legal events like cyber-attacks, and pandemics like COVID-19. From there, Microsoft set clear priorities around putting life safety above all else, protecting customers, and protecting the company. This allowed us to build out more specific response plans that leverage the flexibility of cloud technology and Zero Trust architecture. We also prepared employees and leadership with drills and tabletop exercises.

Cloud technology helps organizations develop a comprehensive cyber resilience strategy and makes preparing for a wide range of contingencies less complicated due to its scalability.

5. A greater focus on integrated security

The COVID-19 outbreak has brought into stark reality how agile and callous our adversaries can be. To uncover shifting attacker techniques and stop them before they do real damage, organizations need to be able to see across their apps, endpoints, network, and users. Solutions like Microsoft 365 Security, which provide a more integrated view, can help ensure that the next shift won’t be into their blind spot.

Facing a new economic reality, organizations will also be driven to reduce costs by adopting more of the security capabilities built into their cloud and productivity platforms of choice. This is why digital empathy is so critical to how we move forward as an industry. Whether it’s an organization—or an individual—our ability to be empathetic helps us understand and adapt to the needs of others during times of disruption.

While digital acceleration will continue to influence the paradigm shifts that shape our industry, one thing remains the same: security technology is fundamentally about improving productivity and collaboration through secure, inclusive user experiences.

Dig into more data about how attackers exploited the COVID-19 crisis.

Read Ann’s blog post, Operational resilience in a remote work world.

Get advice on implementing Zero Trust.

Read Ann’s advice for CISOs on enabling secure remote work.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 5 cybersecurity paradigm shifts that will lead to more inclusive digital experiences appeared first on Microsoft Security.

Security baseline for Microsoft Edge v84

July 16th, 2020 No comments

Security baseline for Microsoft Edge version 84

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 84!

We have reviewed the new settings in Microsoft Edge version 84 and determined that there are no additional security settings that require enforcement. The recommended settings from Microsoft Edge version 80 continue to be our recommended settings for Microsoft Edge version 84. That baseline package can be downloaded from the Security Compliance Toolkit.

Microsoft Edge version 84 introduced 18 new computer settings and 15 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.

We are still seeking feedback on how often we should update the baseline package on the Download Center for Microsoft Edge if new security settings have not been added. Your feedback so far has been extremely helpful, and we are taking all that feedback into account.

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baselines Discussion site and via this post!


Prevent and detect more identity-based attacks with Azure Active Directory

July 15th, 2020 No comments

Security incidents often start with just one compromised account. Once an attacker gets their foot in the door, they can escalate privileges or gather intelligence that helps them reach their goals. This is why we say that identity is the new security perimeter. To reduce the risk of a data breach, it’s important to make it harder for attackers to steal identities while arming yourself with tools that make it easier to detect accounts that do get compromised.

Over the years the Microsoft Security Operations Center (SOC) has learned a lot about how identity-based attacks work and how to reduce them. We’ve leveraged these insights to refine our processes, and we’ve worked with the Azure AD product group to improve Microsoft identity solutions for our customers. At the RSA Conference 2020, we provided an inside look into how the Microsoft SOC helps protect Microsoft from identity compromise. Today, we are sharing best practices that you can implement in your own organization to help decrease the number of successful identity-based attacks.

Increase the cost of compromising an identity

One reason that identity-based attacks work is that passwords are hard for busy people but an easy target for attackers. People struggle to memorize unique and complex passwords for hundreds of work and personal applications. Instead, they reuse passwords across different applications or pick something that is easy to remember—sports teams, for example: Seahawks2020!

Bad actors exploit this reality with techniques like phishing campaigns to trick users into providing credentials. They also try to guess passwords or buy them on the dark web. In password spray, attackers test commonly used passwords against several accounts—all they need is one.

To make it harder for bad actors to acquire and use stolen credentials, implement the following technical controls:

Ban common passwords: Start by banning the most common passwords. Azure Active Directory (Azure AD) can automatically prevent users from creating popular passwords, such as password1234! You can also customize the banned password list with words specific to your region or company.

Enforce multi-factor authentication (MFA): MFA requires that people sign in using two or more forms of authentication, such as a password and the Microsoft Authenticator app. This makes it much harder for an attacker with a stolen password to gain access. In fact, this one control can block over 99.9 percent of account compromise attacks.

Block legacy authentication: Authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, which makes them an ideal target for bad actors. According to an analysis of Azure AD, over 99 percent of password spray attacks use legacy authentication. Blocking these apps eliminates a common access point for attackers. If teams are currently using apps with legacy authentication, this takes careful planning and a phased process, but tools in Azure AD can help you limit your risk as you migrate to apps with more modern authentication protocols.

Protect your privileged identities: Users with administrative privileges are often targeted by cybercriminals because they have access to valuable resources and information. To reduce the likelihood that these accounts will be compromised, they should only be used when people are conducting administrative tasks. When users are doing other work, like answering emails, they should use an account with reduced access. Just-in-time privileges can further protect administrative identities, by requiring that individuals receive approval before accessing sensitive resources and time-bounding how long they have access.
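The "ban common passwords" control above, as an added example that is not part of the original post and is not Azure AD Password Protection's code. It shows why a banned list has to be matched after normalization rather than by exact comparison: the candidate is case-folded, accents are stripped and common look-alike substitutions (`@` for `a`, `0` for `o`, and so on) are undone before the global and custom lists are checked, so `Seahawks2020!` and `P@ssw0rd1234!` are caught by the base words `seahawks` and `password`. The banned lists, the substitution table and the scoring rule (one unit per banned-word match, one per remaining character, fewer than eight units rejects) are all this example's own constructed choices.

```python
import re
import unicodedata

# Constructed banned lists: a small global list of very common base words and a
# custom, tenant-specific list of the kind the post says you can add in Azure AD.
GLOBAL_BANNED = ["password", "qwerty", "letmein", "welcome", "iloveyou"]
CUSTOM_BANNED = ["seahawks", "contoso", "seattle"]

# Common look-alike substitutions, reversed during normalization so that
# "P@ssw0rd" and "S3ahawk$" are compared against their base words.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "l", "!": "i", "3": "e", "7": "t",
})


def normalize(password):
    """Case-fold, strip combining accents, and undo look-alike substitutions."""
    folded = unicodedata.normalize("NFKD", password).casefold()
    no_accents = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return no_accents.translate(SUBSTITUTIONS)


def evaluate(password, banned_words, min_units=8):
    """Score a candidate password against the banned list.

    Each non-overlapping banned-word match counts as one unit and each character
    outside a match counts as one unit; fewer than min_units rejects the password.
    The thresholds are this example's own, not Azure AD's.
    """
    norm = normalize(password)
    covered = [False] * len(norm)
    hits = []
    # Longest words first so "seahawks" is not pre-empted by a shorter overlapping word.
    for word in sorted({normalize(w) for w in banned_words}, key=len, reverse=True):
        for match in re.finditer(re.escape(word), norm):
            if not any(covered[match.start():match.end()]):
                for i in range(match.start(), match.end()):
                    covered[i] = True
                hits.append(word)
    remaining = covered.count(False)
    units = len(hits) + remaining
    return {"accepted": units >= min_units, "units": units, "banned_hits": hits}


if __name__ == "__main__":
    for candidate in ["Seahawks2020!", "P@ssw0rd1234!",
                      "Contoso-Seattle-Welcome", "bright-ladder-orbit-42"]:
        print(candidate, evaluate(candidate, GLOBAL_BANNED + CUSTOM_BANNED))
```

The scoring matters because a plain substring ban would also reject a long random passphrase that happens to contain a banned word; counting the characters outside the match lets the check reject `Contoso-Seattle-Welcome` (three banned words and almost nothing else) while accepting a long passphrase with no banned content.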

Detect threats through user behavior anomalies

Strong technical controls will reduce the risk of a breach, but against determined adversaries, breaches may not be totally preventable. Once attackers get in, they want to avoid detection for as long as possible. They build hidden tunnels and back doors to hide their tracks. Some lay low for thirty or more days on the assumption that log files will be deleted during that time. To discover threats inside your organization, you need the right data and tools to uncover patterns across different data sets and timeframes.

Event logging and data retention: Capturing and saving data can be tricky. Privacy regulations put restrictions on how long and what types of data you can save. Storing large amounts of information can get expensive. However, you’ll need to see across login events, user permissions, and applications to spot anomalous behavior. Data from months or even years ago may help you spot patterns in more recent behavior. Once you understand your contractual and legal obligations related to data, decide which events your organization should store and then decide how long to keep them.

Leverage User and Entity Behavior Analytics (UEBA): People tend to sign in and access resources in consistent ways over time. For example, a lot of employees check email as soon as they sign in. On the other hand, if someone’s account immediately starts downloading files from a SharePoint site, it may mean the account has been compromised. To identify anomalous behavior, UEBA uses artificial intelligence and machine learning to model how users and devices typically behave. It then compares future behavior against the baseline to create a risk score. This allows you to analyze large data sets and elevate the highest-priority alerts.
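The kind of cross-event pattern search this section calls for, as an added example that is not part of the original post and not Azure AD Identity Protection or Sentinel logic. It runs over a constructed sign-in log (tenant `contoso.example`, invented users, IP addresses from the documentation ranges) and pulls together two of the signals discussed in this post: a password spray (one source IP failing against many distinct accounts inside a short window) and sign-ins over legacy protocols such as IMAP, which cannot enforce MFA. The correlation step then checks whether the spraying source ever succeeded, which turns a medium-severity "noisy source" alert into a high-severity "account likely compromised" incident. The window (15 minutes) and account threshold (5) are constructed values for the example; the CSV column names are the example's own, not an Azure AD export schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols the post lists as unable to enforce MFA.
LEGACY_PROTOCOLS = {"IMAP", "POP", "SMTP", "MAPI"}

# Constructed sign-in log. 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges; the tenant, users and timestamps are invented for this example.
SIGNIN_LOG = """\
timestamp,user,source_ip,client_app,result
2020-07-15T08:00:12Z,alice@contoso.example,198.51.100.20,Browser,success
2020-07-15T08:01:03Z,bob@contoso.example,198.51.100.21,Mobile App,success
2020-07-15T08:02:10Z,alice@contoso.example,203.0.113.50,IMAP,failure
2020-07-15T08:02:41Z,bob@contoso.example,203.0.113.50,IMAP,failure
2020-07-15T08:03:15Z,carol@contoso.example,203.0.113.50,IMAP,failure
2020-07-15T08:03:52Z,dave@contoso.example,203.0.113.50,IMAP,failure
2020-07-15T08:04:30Z,erin@contoso.example,203.0.113.50,IMAP,failure
2020-07-15T08:05:07Z,frank@contoso.example,203.0.113.50,IMAP,success
2020-07-15T08:30:00Z,carol@contoso.example,198.51.100.22,Browser,failure
2020-07-15T08:30:20Z,carol@contoso.example,198.51.100.22,Browser,success
"""


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return events


def detect_password_spray(events, window=timedelta(minutes=15), min_accounts=5):
    """Return {source_ip: [accounts]} for IPs that failed against min_accounts
    distinct users within any `window`-long span. One alert per IP."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["source_ip"]].append(e)
    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["timestamp"] - start["timestamp"] <= window}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts


def detect_legacy_auth(events):
    """Every sign-in attempt over a protocol that cannot enforce MFA."""
    return [e for e in events if e["client_app"] in LEGACY_PROTOCOLS]


def correlate(events):
    """Join the spray alert with later successes from the same source."""
    incidents = []
    for ip, users in detect_password_spray(events).items():
        successes = {e["user"] for e in events if e["source_ip"] == ip and e["result"] == "success"}
        incidents.append({
            "source_ip": ip,
            "sprayed_accounts": users,
            "compromised": sorted(successes),
            "severity": "high" if successes else "medium",
        })
    legacy = detect_legacy_auth(events)
    return {
        "spray_incidents": incidents,
        "legacy_auth_events": len(legacy),
        "legacy_auth_successes": sorted({e["user"] for e in legacy if e["result"] == "success"}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(parse_log(SIGNIN_LOG)), indent=2))
```

On the constructed log the single failed browser sign-in from `198.51.100.22` never reaches the threshold and stays quiet, while `203.0.113.50` trips the spray rule on five accounts and then succeeds as `frank@contoso.example` over IMAP, so the report marks that incident high severity and lists frank as the account to reset. This is also why the post's retention advice matters: the spray window here is minutes, but the same join across days or weeks only works if the failed sign-ins are still on disk.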

Assess your identity risk

As you are making decisions about what controls and actions to prioritize, it helps to understand current risks. Penetration tests can help you uncover vulnerabilities. You can also run password spray tests to generate a list of easily guessable passwords. Or send a phishing email to your company to see how many people respond. The SOC can use these findings to test detections. They will also help you prepare training materials and build awareness with employees. Tools such as Azure AD Identity Protection can help you discover current users at risk and monitor risky behavior as your controls mature.

Learn more

Many of the technical controls we’ve outlined are also best practices in a Zero Trust security strategy. Instead of assuming that everything behind the corporate network is safe, the Zero Trust model assumes breach and verifies each access request. Learn more about Zero Trust.

One way to reduce the likelihood that a password will be stolen is to eliminate passwords entirely. Read more about passwordless authentication.

Watch our RSA Conference 2020 presentation: Cloud-powered compromise blast analysis: In the trenches with Microsoft IT.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Prevent and detect more identity-based attacks with Azure Active Directory appeared first on Microsoft Security.

Top MSRC 2020 Q2 Security Researchers Announced – Congratulations!

July 15th, 2020 No comments

We are excited to announce the top contributing researchers for the 2020 Second Quarter (Q2)! Congratulations to all the researchers who continue to rock the leaderboard, and a big thank you to everyone for your contribution to securing our customers and the ecosystem. The top three researchers of the 2020 Second Quarter (Q2) Security Researcher …

Top MSRC 2020 Q2 Security Researchers Announced – Congratulations! Read More »

The post Top MSRC 2020 Q2 Security Researchers Announced – Congratulations! appeared first on Microsoft Security Response Center.

CISO Stressbusters Post #3: 3 ways to share accountability for security risk management

July 15th, 2020 No comments

Jim Eckart, former Chief Information Security Officer (CISO) of The Coca-Cola Company and current Chief Security Advisor at Microsoft, shares his advice for relieving stress in today’s CISO Stressbuster post.

If you are a CISO, it can feel like the responsibility for keeping the company secure rests solely on your shoulders. This may be an attitude that’s shared by your organization or a mindset based on your own sense of duty, but either way, it can cause a tremendous amount of stress—and it may not make your organization more secure.

Although I currently work as a Chief Security Advisor at Microsoft, I’ve spent the last decade of my career as a CISO in companies like Eli Lilly and Coca-Cola. I know first-hand how stressful this role can be. Distributing accountability can alleviate some of the pressure. It can also help you bring in new ideas and build a security culture. For the third blog in the CISO stressbusters series, here are three tips for sharing security accountability within and outside your organization.

1. Establish a cyber risk management governance committee

After a series of well-publicized breaches at big brands, most boards and executive teams have acknowledged that a security incident isn’t just a technology risk, it’s a business risk. But often security is still treated as something that gets bolted on at the end. This can result in risky decisions that may be hard to fix later.

To effectively manage cyber risk, organizations need to evaluate the security risks of all major initiatives from the very beginning. For each project, people need to understand the risk tolerance of the company, the potential upsides of the project, and the risks in order to make smart decisions. This requires participation of business owners, security experts, and IT.

When I was hired at Coca-Cola, one of the first things I did was re-assemble the cyber risk management committee. This is a cross-functional stakeholder group responsible for making risk decisions on behalf of the entire enterprise. By including people from across the organization, we were able to align IT projects to business risk-based decisions. It took several meetings of this committee to get the business representation right and executives working effectively together, but it was worth the time. Now people across the organization have a stake in security.

2. Bring in third party expertise

One of the toughest jobs of the CISO is influencing a culture shift. Whether you’re trying to get funding for your cybersecurity strategy or convince employees not to click on links in unknown emails, you need to persuade others to take security seriously. This can be a long process that requires regular communication, but a cybersecurity consulting company can help smooth the road.

An outside consultant can bring expertise and perspective that you and your team don’t have. They also aren’t restrained by the culture and internal politics in the same way that you might be. Most importantly, a third party can help you validate ideas and provide credibility. At Coca-Cola, I hired an external firm to do a top-to-bottom, independent security assessment, whose findings they ultimately presented to our Board. This drove proper strategic alignment and funding priorities for the implementation of my cybersecurity program.

3. Join an external cybersecurity group

To stay up to date, compare notes, or get advice, it can be really valuable to talk to CISOs at other companies with similar challenges. This can be tricky when much of our work is highly confidential. I joined two groups that are governed by confidentiality agreements. The Gartner Information Risk Management Research Board is a collection of 35-40 Fortune 500 CISOs. I was also a member of the CIO Strategy Exchange (CIOSE). With these groups, I developed long-standing and highly trusted relationships with peers in companies as large as mine. 

Looking ahead

As a CISO you are under a lot of pressure. Even with a good support network, this is a stressful job. As you build and manage your security operation, look for ways to share accountability with others. It will help you sleep better at night, and it will strengthen your security culture. In the meantime, stay tuned for the next CISO Stressbuster post for more advice from others in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts.

For more information about Microsoft security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


The post CISO Stressbusters Post #3: 3 ways to share accountability for security risk management appeared first on Microsoft Security.

July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server

July 14th, 2020 No comments

Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected. Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this …

July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server Read More »

The post July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server appeared first on Microsoft Security Response Center.


Microsoft Intelligent Security Association expands to include managed security service providers

July 14th, 2020 No comments

We’d planned a splashy party at Microsoft Inspire to announce our newest Microsoft Intelligent Security Association (MISA) members and introduce them to association members, but given our world today, I am instead picturing you reading this announcement curled up in a chair with a cup of coffee. Almost as satisfying, right?

Welcoming Managed Security Service Providers to MISA

Two years ago, we launched MISA to offer our customers holistic solutions that help them better defend against a world of increasing threats. Our vision was to build a robust security ecosystem that included leading security technology companies that provide value to our joint customers. We began by partnering with independent software vendors that have integrated their solutions with Microsoft. Since launch, MISA has expanded significantly—in just the last year, membership increased from 57 members to 133!

Through MISA, we’ve been able to collaborate with some of the most innovative security companies in the world, but our joint customers also need security services that are deeply interwoven with MISA software solutions. To meet this demand, MISA is launching an invitation-only pilot program in July 2020 for select managed security service providers (MSSPs).

“Today we’re happy to bring a win-win-win offering by enabling MSSPs and managed detection and response partners to sell and deploy not just Microsoft’s security solutions but more importantly our joint solutions with our independent software vendor partners.” – Eran Barak, Principal PM Manager, Microsoft Threat Protection.

By including MSSPs in the program, our joint customers will benefit from security consultants with deep expertise in MISA solutions, enabling them to get the most out of their investments. The expansion also creates more opportunities for security organizations to work together on the creative solutions we will need to confront an evolving threat landscape.

“MISA members are the cybersecurity industry leaders, unified by the common goal of helping secure our customers by offering their own valuable expertise and making the association more effective as it expands.”– Mandana Javaheri, Global Director of Cybersecurity Solutions Group at Microsoft Corp.

I am proud of the work that MISA has accomplished to date and look forward to partnering with our newest members to help our joint customers better safeguard their organizations. Please join me in welcoming the following MSSPs to MISA:

Accenture

MISA service offering: Azure Sentinel

Accenture Security helps organizations prepare, protect, detect, respond, and recover across the entire Microsoft Security portfolio and the full security lifecycle. Learn more.

Ascent Solutions

MISA service offering: Azure Sentinel, Azure Security Center

Ascent Solutions’ risk-based defense strategy aligns your priorities with the right technology, processes, and route map to make your business more secure today. And because cybersecurity is at the heart of everything we do, we also help you defend against the right attack vectors and combat malicious actors to better protect your businesses into the future. Learn more.

Avanade

MISA service offering: Azure Sentinel

From enabling a modern workplace, to protecting your applications in the cloud, Avanade provides a holistic approach to security at every step. Learn more.

BlueVoyant

MISA service offering: Azure Sentinel, Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

BlueVoyant provides managed detection and response (MDR) services utilizing Azure Sentinel, a cloud-native security information and event manager (SIEM), and Microsoft Threat Protection, an integrated platform that unifies best-in-class products that include Microsoft Defender ATP, Office 365 Advanced Threat Protection, Azure Advanced Threat Protection, and Microsoft Cloud Application Security. Learn more.

Born in the Cloud

MISA service offering: Azure Sentinel, Azure Security Center

Born In The Cloud leverages Azure Security services including Azure Sentinel and machine learning algorithms to monitor your environment and make sense of the data faster than any human can, allowing us to respond to threats quickly. We also manage Windows 10, Office 365, Microsoft Defender ATP and Microsoft Endpoint Manager for you, to help keep devices, data, and identities safe. All built on Azure Cloud. Learn more.

BT

MISA service offering: Azure Sentinel

One of the few local service providers in managed security services, BT Consulting uses cutting-edge technology to monitor firewalls and manage endpoint security. Learn more.

Critical Start

MISA service offering: Microsoft Defender ATP, Azure Sentinel

CRITICALSTART enables customers to centralize, ingest, and correlate their logs to ensure their environment is secure. CRITICALSTART’s MDR utilizes a Trusted Behavior Registry to investigate every alert generated until they are classified as a known good and can be safely resolved. Customers see every action our CYBERSOC analysts take since our platform provides transparency across the entire process. Learn more.

Cyberproof

MISA service offering: Azure Sentinel

Cyberproof monitors your security alerts and suspicious events, collected from multiple internal and external customer data sources including Microsoft Azure Sentinel SIEM. Threats are detected as they emerge in critical cloud and on-premises infrastructure. Learn more.

Dell

MISA service offering: Microsoft Defender ATP, Azure ATP

At Dell, security is a priority – a part of every conversation; it connects our team members, customers, processes and technologies. Dell’s Security and Trust Center provides easy access to resources and solutions to help you quickly find answers to your security questions. Learn more.

Expel

MISA service offering: Microsoft Defender ATP, Azure Sentinel

The combination of the Expel Workbench™ and Expel analysts monitor your environment 24×7 to provide transparent managed security that finds attackers and gives you the answers to help you kick them out and keep them out. Learn more.

EY

MISA service offering: Microsoft Defender ATP, Azure Security Center

EY provides day-to-day resilience as well as a proactive, pragmatic, and strategic approach that considers risk and security from the onset. This is Security by Design. Rather than avoiding risk altogether, Security by Design is about enabling trust in systems, designs, and data so that organizations can take on more risk, lead transformational change, and innovate with confidence. EY Next-generation security operations and response teams can provide organizations with the right amount of support to help them manage leading-class security operations in a programmatic way. Learn more.

Fishtech

MISA service offering: Microsoft Defender ATP

Fishtech is the leading current generation cybersecurity services provider for enabling secure and successful business transformation. Data-driven and born in the cloud, Fishtech provides the people, processes, and technology to minimize risk, maintain compliance, and increase business efficiency. Our human-led, machine-driven security-as-a-service division, CYDERES, helps organizations manage cybersecurity risks, detect threats, and respond to security incidents in real-time. Learn more.

Infosys

MISA service offering: Azure Active Directory, Azure Sentinel

Infosys CyberSecurity offers a flexible managed security services model that empowers organizations with people, processes, and technology to secure their critical assets and data. With our quality services, we help protect your data and infrastructure with the latest technology and certified professionals, while adhering to the latest industry-specific compliance standards. Learn more.

Insight

MISA service offering: Azure Sentinel

Insight Services for Azure Sentinel help you take advantage of cutting-edge technology from Microsoft to strengthen and simplify your security environment. During an engagement, our consultants address all major areas of your SOC, including new tools or processes that would be beneficial to adopt. Learn more.

Inspark

MISA service offering: Azure Sentinel

The new Azure Sentinel and the Fusion capabilities empower Inspark to help keep our customers safe for the future. Our Cloud Security Center incorporates Azure Sentinel and the Microsoft Security Graph into our solution to better protect our customers. Learn more.

KPMG (US & EMEA)

MISA service offering: Azure Sentinel

The KPMG + Azure Sentinel solution has been designed to help businesses improve their security monitoring and incident response capabilities by combining KPMG’s cybersecurity, incident response, and industry experience with Microsoft’s advanced cybersecurity technologies. Learn more.

Open Systems

MISA service offering: Azure Sentinel

Open Systems designed a scalable MDR platform that helps detect threats early to limit the damage. It combines human knowhow, advanced automated threat detection, and the best sensor technology. In addition, a cloud-scale SIEM built on Microsoft Azure Sentinel ensures smooth logfile integration from your existing security controls and other sources of relevant data. Learn more.

Optiv Security

MISA service offering: Microsoft Defender ATP, Azure Sentinel, Azure Active Directory

Optiv Security is a security solutions integrator that enables clients to reduce risk by taking a strategic approach to cybersecurity. Align your security program to achieve specific business outcomes with our full suite of service capabilities, from strategy to technology—and everything in between. Our managed security services provide vetted on-staff vulnerability and security researchers and multiple operations centers to support your organization every moment, of every day, so you can refocus your existing IT staff on core business needs. Learn more.

Truesec

MISA service offering: Microsoft Defender ATP

As a leading cybersecurity consulting company, Truesec offers a wide range of services including security health checks, security engineering, and penetration testing, all provided by cyber security specialists. Our managed service will give your organization the capability to detect and respond quickly to cyberattacks. Our success is based on a combination of extraordinary cyber experts, the most advanced tools in the market today, and by investing in truly understanding the specifics of our client’s IT environments. Learn more.

Trustwave

MISA service offering: Microsoft Defender ATP, Azure Sentinel

Trustwave Threat Detection and Response Services for Microsoft Azure uses Microsoft Security Graph API to ingest data from Microsoft Azure Sentinel and Microsoft Defender ATP to provide real-time triage, analysis, investigation, response, and remediation of security threats. Learn more.

Wipro

MISA service offering: Azure Active Directory, Azure Sentinel

Wipro provides end-to-end security solutions and services for business to enterprise, partners, and consumers through Microsoft security stacks. Learn more.

For more information

To learn more about the Microsoft Intelligent Security Association watch this video or visit the webpage. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Intelligent Security Association expands to include managed security service providers appeared first on Microsoft Security.

Microsoft Intelligent Security Association expands to include managed security service providers

July 14th, 2020 No comments

We’d planned a splashy party at Microsoft Inspire to announce our newest Microsoft Intelligent Security Association (MISA) members and introduce them to association members, but given our world today, I am instead picturing you reading this announcement curled up in a chair with a cup of coffee. Almost as satisfying, right?

Welcoming Managed Security Service Providers to MISA

Two years ago, we launched MISA to offer our customers holistic solutions that help them better defend against a world of increasing threats. Our vision was to build a robust security ecosystem that included leading security technology companies that provide value to our joint customers. We began by partnering with independent software vendors that have integrated their solutions with Microsoft. Since launch, MISA has expanded significantly—in just the last year, membership increased from 57 members to 133!

Through MISA, we’ve been able to collaborate with some of the most innovative security companies in the world, but our joint customers also need security services that are deeply interwoven with MISA software solutions. To meet this demand, MISA is launching an invitation-only pilot program in July 2020 for select managed security service providers (MSSPs).

Today we’re happy to bring a win-win-win offering by enabling MSSPs and managed detection and response partners to sell and deploy not just Microsoft’s security solutions but more importantly our joint solutions with our independent software vendor partners.”  – Eran Barak, Principle PM Manager, Microsoft Threat Protection.

By including MSSPs in the program, our joint customers will benefit from security consultants with deep expertise in MISA solutions, enabling them to get the most out of their investments. The expansion also creates more opportunities for security organizations to work together on the creative solutions we will need to confront an evolving threat landscape.

“MISA members are the cybersecurity industry leaders, unified by the common goal of helping secure our customers by offering their own valuable expertise and making the association more effective as it expands.”– Mandana Javaheri, Global Director of Cybersecurity Solutions Group at Microsoft Corp.

I am proud of the work that MISA has accomplished to date and look forward to partnering with our newest members to help our joint customers better safeguard their organizations. Please join me in welcoming the following MSSPs to MISA:

Accenture

MISA service offering: Azure Sentinel

Accenture Security helps organizations prepare, protect, detect, respond and recover along across the entire Microsoft Security portfolio across the full security lifecycle. Learn more.

AscentSolutions

MISA service offering: Azure Sentinel, Azure Security Center

Ascent Solutions’ risk-based defense strategy aligns your priorities with the right technology, processes, and route map to make your business more secure today. And because cybersecurity is at the heart of everything we do, we also help you defend against the right attack vectors and combat malicious actors to better protect your businesses into the future. Learn more.

Avanade

MISA service offering: Azure Sentinel

From enabling a modern workplace, to protecting your applications in the cloud, Avanade provides a holistic approach to security at every step. Learn more. 

BlueVoyant

MISA service offering: Azure Sentinel, Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

BlueVoyant provides managed detection and response (MDR) services utilizing Azure Sentinel, a cloud-native security information and event manager (SIEM), and Microsoft Threat Protection, an integrated platform that unifies best-in-class products that include Microsoft Defender ATP, Office 365 Advanced Threat Protection, Azure Advanced Threat Protection, and Microsoft Cloud Application Security. Learn more.

Born in the Cloud

MISA service offering: Azure Sentinel, Azure Security Center

Born In The Cloud leverages Azure Security services including Azure Sentinel and machine learning algorithms to monitor your environment and make sense of the data faster than any human can, allowing us to respond to threats quickly. We also manage Windows 10, Office 365, Microsoft Defender ATP and Microsoft Endpoint Manager for you, to help keep devices, data, and identities safe. All built on Azure Cloud. Learn more.

BT

MISA service offering: Azure Sentinel

One of the few local service providers in managed security services, BT Consulting uses cutting edge technology to monitor firewalls and manage endpoint security. Learn more.

Critical Start

MISA service offering: Microsoft Defender ATP, Azure Sentinel

CRITICALSTART enables customers to centralize, ingest, and correlate their logs to ensure their environment is secure. CRITICALSTART’s MDR utilizes a Trusted Behavior Registry to investigate every alert generated until they are classified as a known good and can be safely resolved. Customers see every action our CYBERSOC analysts take since our platform provides transparency across the entire process. Learn more.

Cyberproof

MISA service offering: Azure Sentinel

Cyberproof monitors your security alerts and suspicious events, collected from multiple internal and external customer data sources including Microsoft Azure Sentinel SIEM. Threats are detected as they emerge in critical cloud and on-premises infrastructure. Learn more.

Dell

MISA service offering: Microsoft Defender ATP, Azure ATP

At Dell, security is a priority – a part of every conversation; it connects our team members, customers, processes and technologies. Dell’s Security and Trust Center provides easy access to resources and solutions to help you quickly find answers to your security questions. Learn more.

Expel

MISA service offering: Microsoft Defender ATP, Azure Sentinel

The combination of the Expel Workbench™ and Expel analysts monitor your environment 24×7 to provide transparent managed security that finds attackers and gives you the answers to help you kick them out and keep them out. Learn more.

EY

MISA service offering: Microsoft Defender ATP, Azure Security Center

EY provides day-to-day resilience as well as a proactive, pragmatic, and strategic approach that considers risk and security from the onset. This is Security by Design. Rather than avoiding risk altogether, Security by Design is about enabling trust in systems, designs, and data so that organizations can take on more risk, lead transformational change, and innovate with confidence. EY Next-generation security operations and response teams can provide organizations with the right amount of support to help them manage leading-class security operations in a programmatic way.  Learn more.

FishTech

MISA service offering: Microsoft Defender ATP

Fishtech is the leading current generation cybersecurity services provider for enabling secure and successful business transformation. Data-driven and born in the cloud, Fishtech provides the people, processes, and technology to minimize risk, maintain compliance, and increase business efficiency. Our human-led, machine-driven security-as-a-service division, CYDERES, helps organizations manage cybersecurity risks, detect threats, and respond to security incidents in real-time. Learn more.

Infosys

MISA service offering: Azure Active Directory, Azure Sentinel

Infosys CyberSecurity offers a flexible managed security services model that empowers organizations with people, processes, and technology to secure their critical assets and data. With our quality services, we help protect your data and infrastructure with the latest technology and certified professionals, while adhering to the latest industry-specific compliance standards. Learn more.

Insight

MISA service offering: Azure Sentinel

Insight Services for Azure Sentinel help you take advantage of cutting-edge technology from Microsoft to strengthen and simplify your security environment. During an engagement, our consultants address all major areas of your SOC, including new tools or processes that would be beneficial to adopt. Learn more.

Inspark

MISA service offering: Azure Sentinel

The new Azure Sentinel and the Fusion capabilities empower Inspark to help keep our customers safe for the future. Our Cloud Security Center incorporates Azure Sentinel and the Microsoft Security Graph into our solution to better protect our customers. Learn more.

KPMG (US & EMEA)

MISA service offering: Azure Sentinel

The KPMG + Azure Sentinel solution has been designed to help businesses improve their security monitoring and incident response capabilities by combining KPMG’s cybersecurity, incident response, and industry experience with Microsoft’s advanced cybersecurity technologies. Learn more.

Open Systems

MISA service offering: Azure Sentinel

Open Systems designed a scalable MDR platform that helps detect threats early to limit the damage. It combines human knowhow, advanced automated threat detection, and the best sensor technology. In addition, a cloud-scale SIEM built on Microsoft Azure Sentinel ensures smooth logfile integration from your existing security controls and other sources of relevant data. Learn more.

Optiv Security

MISA service offering: Microsoft Defender ATP, Azure Sentinel, Azure Active Directory

Optiv Security is a security solutions integrator that enables clients to reduce risk by taking a strategic approach to cybersecurity. Align your security program to achieve specific business outcomes with our full suite of service capabilities, from strategy to technology—and everything in between. Our managed security services provide vetted on-staff vulnerability and security researchers and multiple operations centers to support your organization every moment, of every day, so you can refocus your existing IT staff on core business needs. Learn more.

Truesec

MISA service offering: Microsoft Defender ATP

As a leading cybersecurity consulting company, Truesec offers a wide range of services including security health checks, security engineering, and penetration testing, all provided by cyber security specialists. Our managed service will give your organization the capability to detect and respond quickly to cyberattacks. Our success is based on a combination of extraordinary cyber experts, the most advanced tools in the market today, and by investing in truly understanding the specifics of our client’s IT environments. Learn more.

Trustwave

MISA service offering:  Microsoft Defender ATP, Azure Sentinel

Trustwave Threat Detection and Response Services for Microsoft Azure uses Microsoft Security Graph API to ingest data from Microsoft Azure Sentinel and Microsoft Defender ATP to provide real-time triage, analysis, investigation, response, and remediation of security threats. Learn more.

Wipro

MISA service offering: Azure Active Directory, Azure Sentinel

Wipro provides end-to-end security solutions and services for business to enterprise, partners and consumers through Microsoft security stacks. Learn more

For more information

To learn more about the Microsoft Intelligent Security Association watch this video or visit the webpage.  To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Intelligent Security Association expands to include managed security service providers appeared first on Microsoft Security.

Microsoft Intelligent Security Association expands to include managed security service providers

July 14th, 2020 No comments

We’d planned a splashy party at Microsoft Inspire to announce our newest Microsoft Intelligent Security Association (MISA) members and introduce them to association members, but given our world today, I am instead picturing you reading this announcement curled up in a chair with a cup of coffee. Almost as satisfying, right?

Welcoming Managed Security Service Providers to MISA

Two years ago, we launched MISA to offer our customers holistic solutions that help them better defend against a world of increasing threats. Our vision was to build a robust security ecosystem that included leading security technology companies that provide value to our joint customers. We began by partnering with independent software vendors that have integrated their solutions with Microsoft. Since launch, MISA has expanded significantly—in just the last year, membership increased from 57 members to 133!

Through MISA, we’ve been able to collaborate with some of the most innovative security companies in the world, but our joint customers also need security services that are deeply interwoven with MISA software solutions. To meet this demand, MISA is launching an invitation-only pilot program in July 2020 for select managed security service providers (MSSPs).

Today we’re happy to bring a win-win-win offering by enabling MSSPs and managed detection and response partners to sell and deploy not just Microsoft’s security solutions but more importantly our joint solutions with our independent software vendor partners.”  – Eran Barak, Principle PM Manager, Microsoft Threat Protection.

By including MSSPs in the program, our joint customers will benefit from security consultants with deep expertise in MISA solutions, enabling them to get the most out of their investments. The expansion also creates more opportunities for security organizations to work together on the creative solutions we will need to confront an evolving threat landscape.

“MISA members are the cybersecurity industry leaders, unified by the common goal of helping secure our customers by offering their own valuable expertise and making the association more effective as it expands.”– Mandana Javaheri, Global Director of Cybersecurity Solutions Group at Microsoft Corp.

I am proud of the work that MISA has accomplished to date and look forward to partnering with our newest members to help our joint customers better safeguard their organizations. Please join me in welcoming the following MSSPs to MISA:

Accenture

MISA service offering: Azure Sentinel

Accenture Security helps organizations prepare, protect, detect, respond and recover along across the entire Microsoft Security portfolio across the full security lifecycle. Learn more.

AscentSolutions

MISA service offering: Azure Sentinel, Azure Security Center

Ascent Solutions’ risk-based defense strategy aligns your priorities with the right technology, processes, and route map to make your business more secure today. And because cybersecurity is at the heart of everything we do, we also help you defend against the right attack vectors and combat malicious actors to better protect your businesses into the future. Learn more.

Avanade

MISA service offering: Azure Sentinel

From enabling a modern workplace, to protecting your applications in the cloud, Avanade provides a holistic approach to security at every step. Learn more. 

BlueVoyant

MISA service offering: Azure Sentinel, Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

BlueVoyant provides managed detection and response (MDR) services utilizing Azure Sentinel, a cloud-native security information and event manager (SIEM), and Microsoft Threat Protection, an integrated platform that unifies best-in-class products that include Microsoft Defender ATP, Office 365 Advanced Threat Protection, Azure Advanced Threat Protection, and Microsoft Cloud Application Security. Learn more.

Born in the Cloud

MISA service offering: Azure Sentinel, Azure Security Center

Born In The Cloud leverages Azure Security services including Azure Sentinel and machine learning algorithms to monitor your environment and make sense of the data faster than any human can, allowing us to respond to threats quickly. We also manage Windows 10, Office 365, Microsoft Defender ATP and Microsoft Endpoint Manager for you, to help keep devices, data, and identities safe. All built on Azure Cloud. Learn more.

BT

MISA service offering: Azure Sentinel

One of the few local service providers in managed security services, BT Consulting uses cutting edge technology to monitor firewalls and manage endpoint security. Learn more.

Critical Start

MISA service offering: Microsoft Defender ATP, Azure Sentinel

CRITICALSTART enables customers to centralize, ingest, and correlate their logs to ensure their environment is secure. CRITICALSTART’s MDR utilizes a Trusted Behavior Registry to investigate every alert generated until they are classified as a known good and can be safely resolved. Customers see every action our CYBERSOC analysts take since our platform provides transparency across the entire process. Learn more.

Cyberproof

MISA service offering: Azure Sentinel

Cyberproof monitors your security alerts and suspicious events, collected from multiple internal and external customer data sources including Microsoft Azure Sentinel SIEM. Threats are detected as they emerge in critical cloud and on-premises infrastructure. Learn more.

Dell

MISA service offering: Microsoft Defender ATP, Azure ATP

At Dell, security is a priority – a part of every conversation; it connects our team members, customers, processes and technologies. Dell’s Security and Trust Center provides easy access to resources and solutions to help you quickly find answers to your security questions. Learn more.

Expel

MISA service offering: Microsoft Defender ATP, Azure Sentinel

The combination of the Expel Workbench™ and Expel analysts monitor your environment 24×7 to provide transparent managed security that finds attackers and gives you the answers to help you kick them out and keep them out. Learn more.

EY

MISA service offering: Microsoft Defender ATP, Azure Security Center

EY provides day-to-day resilience as well as a proactive, pragmatic, and strategic approach that considers risk and security from the onset. This is Security by Design. Rather than avoiding risk altogether, Security by Design is about enabling trust in systems, designs, and data so that organizations can take on more risk, lead transformational change, and innovate with confidence. EY Next-generation security operations and response teams can provide organizations with the right amount of support to help them manage leading-class security operations in a programmatic way.  Learn more.

FishTech

MISA service offering: Microsoft Defender ATP

Fishtech is the leading current generation cybersecurity services provider for enabling secure and successful business transformation. Data-driven and born in the cloud, Fishtech provides the people, processes, and technology to minimize risk, maintain compliance, and increase business efficiency. Our human-led, machine-driven security-as-a-service division, CYDERES, helps organizations manage cybersecurity risks, detect threats, and respond to security incidents in real-time. Learn more.

Infosys

MISA service offering: Azure Active Directory, Azure Sentinel

Infosys CyberSecurity offers a flexible managed security services model that empowers organizations with people, processes, and technology to secure their critical assets and data. With our quality services, we help protect your data and infrastructure with the latest technology and certified professionals, while adhering to the latest industry-specific compliance standards. Learn more.

Insight

MISA service offering: Azure Sentinel

Insight Services for Azure Sentinel help you take advantage of cutting-edge technology from Microsoft to strengthen and simplify your security environment. During an engagement, our consultants address all major areas of your SOC, including new tools or processes that would be beneficial to adopt. Learn more.

Inspark

MISA service offering: Azure Sentinel

The new Azure Sentinel and the Fusion capabilities empower Inspark to help keep our customers safe for the future. Our Cloud Security Center incorporates Azure Sentinel and the Microsoft Security Graph into our solution to better protect our customers. Learn more.

KPMG (US & EMEA)

MISA service offering: Azure Sentinel

The KPMG + Azure Sentinel solution has been designed to help businesses improve their security monitoring and incident response capabilities by combining KPMG’s cybersecurity, incident response, and industry experience with Microsoft’s advanced cybersecurity technologies. Learn more.

Open Systems

MISA service offering: Azure Sentinel

Open Systems designed a scalable MDR platform that helps detect threats early to limit the damage. It combines human knowhow, advanced automated threat detection, and the best sensor technology. In addition, a cloud-scale SIEM built on Microsoft Azure Sentinel ensures smooth logfile integration from your existing security controls and other sources of relevant data. Learn more.

Optiv Security

MISA service offering: Microsoft Defender ATP, Azure Sentinel, Azure Active Directory

Optiv Security is a security solutions integrator that enables clients to reduce risk by taking a strategic approach to cybersecurity. Align your security program to achieve specific business outcomes with our full suite of service capabilities, from strategy to technology—and everything in between. Our managed security services provide vetted on-staff vulnerability and security researchers and multiple operations centers to support your organization every moment, of every day, so you can refocus your existing IT staff on core business needs. Learn more.

Truesec

MISA service offering: Microsoft Defender ATP

As a leading cybersecurity consulting company, Truesec offers a wide range of services including security health checks, security engineering, and penetration testing, all provided by cyber security specialists. Our managed service will give your organization the capability to detect and respond quickly to cyberattacks. Our success is based on a combination of extraordinary cyber experts, the most advanced tools in the market today, and by investing in truly understanding the specifics of our client’s IT environments. Learn more.

Trustwave

MISA service offering:  Microsoft Defender ATP, Azure Sentinel

Trustwave Threat Detection and Response Services for Microsoft Azure uses Microsoft Security Graph API to ingest data from Microsoft Azure Sentinel and Microsoft Defender ATP to provide real-time triage, analysis, investigation, response, and remediation of security threats. Learn more.

Wipro

MISA service offering: Azure Active Directory, Azure Sentinel

Wipro provides end-to-end security solutions and services for business to enterprise, partners and consumers through Microsoft security stacks. Learn more

For more information

To learn more about the Microsoft Intelligent Security Association watch this video or visit the webpage.  To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Intelligent Security Association expands to include managed security service providers appeared first on Microsoft Security.

Making Azure Sentinel work for you

July 9th, 2020 No comments

Microsoft Azure Sentinel is the first Security Incident and Event Management (SIEM) solution built into a major public cloud platform that delivers intelligent security analytics across enterprise environments and offers automatic scalability to meet changing needs. This new white paper outlines best practice recommendations for configuring data sources for Azure Sentinel, using Azure Sentinel during incident response, and proactively hunting for threats using Azure Sentinel.

Research shows that, on average, 44% of security alerts raised by security solutions go uninvestigated. Organizations simply lack the time, tools, and talent to investigate and correlate every single alert. In many cases, this results in a focus on alerts flagged as “critical” or “very important,” while lower-severity alerts are ignored. However, experience shows that investigating those lower-severity alerts, and how they may be correlated to reveal more worrying combinations of actions, can expose attacker behaviors that would otherwise fly under the radar.

Azure Sentinel is an incredibly powerful tool that can help you collect security data across your entire hybrid organization from devices, users, apps, servers, and any cloud. Using these data sources you can build a more complete picture of the threats that your organization faces, conduct deep threat hunts across your environment, and use the power of automation and orchestration in the cloud to help free up your security analysts to focus on their highest-value tasks.

Traditional SIEMs have proven to be expensive to own and operate, often requiring you to commit up front and incur high costs for infrastructure maintenance and data ingestion. Azure Sentinel provides you with SIEM-as-a-service and SOAR-as-a-service for the SOC: your bird’s-eye view across the enterprise, putting the cloud and large-scale intelligence from decades of Microsoft security experience to work. Following the best practices outlined within this white paper will help you eliminate security infrastructure setup and maintenance and provide you with scalability to meet your security needs, all while reducing costs and increasing visibility and control.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Making Azure Sentinel work for you appeared first on Microsoft Security.