Archive

Archive for August, 2020

Microsoft Security: How to cultivate a diverse cybersecurity team

August 31st, 2020 No comments

Boost creative problem solving with a diverse cybersecurity team

In cybersecurity, whether we are talking about cryptocurrency mining, supply chain attacks, attacks against IoT, or COVID-19-related phishing lures, we know that gaining the advantage over our adversaries requires greater diversity of data to improve our threat intelligence. If we are to future proof bias in tech however, our teams must also be as diverse, as the problems we are trying to solve.

Unfortunately, our cybersecurity teams don’t reflect this reality. A 2019 report by (ISC)2 found that less than 25 percent of cybersecurity professionals are women. People of color and women aren’t paid as well as white men and are underrepresented in management. Time and again, studies have found that gender-diverse teams make better business decisions 73 percent of the time. What’s more, teams that are also diverse in age and geographic location make better decisions 87 percent of the time. With a talent shortfall estimated between 1.5 million and 3.5 million, we must recruit, train, and retain cyber talent from a wide variety of backgrounds in order to maintain our advantage.

Diversity fuels innovation

You can see the evidence that diversity drives innovation when you look at artificial intelligence (AI) and machine learning. The AI capabilities built into Microsoft Security solutions are trained on 8 trillion daily threat signals from a wide variety of products, services, and feeds from around the globe (see Figure 1). Because the data is diverse, AI and machine learning algorithms can detect threats in milliseconds.

A graph showing Microsoft Intelligent Security.

Figure 1: Trillions of signals from around the globe allow Microsoft Security solutions to rapidly detect and respond to threats.

Just last year, the World Economic Forum complied several studies that provide further evidence that diversity sparks innovation. Cities with large immigration populations tend to have higher economic performance. Businesses with more diverse management teams have higher revenues. A C-suite with more women is likely to be more profitable. When people with different backgrounds and experiences collaborate, unique ideas can flourish. What’s more, if you want to build technology solutions that are inclusive of everyone, diverse teams help avoid bias and develop features that meet the needs of more people.

So how do you increase the diversity of your team? Expand the pipeline. Invest in your team. And create an inclusive culture.

Expand the pipeline

To recruit the very best people from all backgrounds, start by prioritizing unique perspectives. Machine learning, artificial intelligence, and quantum computing hold promise for addressing cyber threats; however, technology is not enough. Some problems can only be solved by people. You need teams that can anticipate what’s next and respond quickly in high-stress situations.

If everybody on the team has similar skills and backgrounds, you risk group think and a lack of creativity. It’s why diverse teams make better decisions than individuals 87 percent of the time (all-male teams only make better decisions than individuals 58 percent of the time).

To attract the diverse talent you need, expand your criteria. Look beyond the typical degrees, experience level, and certifications that you typically recruit for. Leverage training programs that help people acquire the technical skills you need. For example, BlackHoodie is a reverse engineering program for women. Consider people without college degrees, veterans, and people looking to switch careers. Work with colleges and other groups that represent disadvantaged communities, such as historically black colleges and universities.

Invest in your team

Cybersecurity teams around the globe are understaffed, while the amount of work continues to grow. Security operation center (SOC) analysts suffer from alert fatigue because they must monitor thousands of alerts—many of them false positives. Stress levels are high, and individuals work long hours. These work conditions can lead to burnout, which makes people less effective.

Reduce routine tasks with AI, machine learning, and automation. AI, machine learning, and automation can empower your team by reducing the noise, so people can focus on challenging threats that are, frankly, more fun. Azure Sentinel is a cloud-native SIEM that uses state of the art, scalable machine learning algorithms to correlate millions of low fidelity anomalies to present a few high-fidelity security incidents to analysts. Our research has shown that customers who use Azure Sentinel achieved a 90 percent reduction in alert fatigue.

: Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud.An image showing how Figure 2: Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud.

Provide growth opportunities and training. The threat landscape changes rapidly requiring security professionals to continuously upgrade their skills. Human beings also need new challenges to stay engaged. Provide opportunities for everyone to use creative problem-solving skills. Encourage individuals to learn from each other, such as through an apprenticeship program. Offer regular training for people at all levels of your organization. The Microsoft SOC focuses its training programs on three key areas:

  • Technical tools/capabilities.
  • Our organization (mission and assets being protected).
  • Attackers (motivations, tools, techniques, habits, etc.).

Take care of employees’ mental health. Stress is driving too many people to leave cybersecurity. In fact, stress has motivated 66 percent of IT professionals to look for a new job. Fifty-one percent would be willing to take a pay cut for less stress. Late nights and high-pressure incident response take a toll on employees. In these circumstances, it’s important to respect time off. People should be able to enjoy their days off without worrying about work. A collaborative culture that is forgiving of mistakes can also reduce the pressure. Ask your team how they are doing and really listen when they tell you. Their answers may trigger a great idea for alleviating stress.

Create an inclusive culture

People go where they are invited, but they stay where they are welcome. As you bring new people into your security organization, foster an environment where everybody feels accepted. All ideas should be listened to and considered. People who express ideas that challenge old methods can lead to breakthroughs and creativity. Here are a few ideas for making sure everyone feels included:

  • Solicit input from everybody, so you don’t just hear from those that are comfortable speaking up.
  • Provide mentorship and sponsorship programs for women and other underrepresented groups to help prepare them for advancement
  • Expand your definition of diversity to include neuro atypical, nonbinary, LGBTQ, religious affiliation, and education level in addition to race and gender.
  • Make a conscious effort to evaluate performance, not communication or presentation style.
  • Hold leadership and vendors accountable for diversity metrics.

As we look past the COVID-19 pandemic, we can expect that cybersecurity challenges will continue to evolve. AI, machine learning, and quantum computing will shape our response, but technology will not be enough. We need creative people to build our products, design our security programs, and respond to threats. We need teams that are diverse as the problems we face.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security: How to cultivate a diverse cybersecurity team appeared first on Microsoft Security.

Microsoft Security: What cybersecurity skills do I need to become a CISO?

August 31st, 2020 No comments

Build the business skills you need to advance to Chief Information Security Officer

For many cybersecurity professionals, the ultimate career goal is to land a chief information security officer (CISO) job. A CISO is an executive-level position responsible for cyber risk management and operations. But cybersecurity is transforming. Today, a good CISO also must have strong communication skills and a deep understanding of the business. To gain the necessary experience to be considered for a CISO job, you need to understand how the role is evolving and the skills required to excel.

Long before I became a Security Advisor at Microsoft, I started my career as an IT System Administrator. Over time I learned security and worked my way up to CISO and, have served as a CISO in a variety of companies and industries. I’ve mentored several people interested in accelerating their careers in cybersecurity, and one of the biggest mistakes that you can make in your career in IT and Security is ignoring businesspeople. The more you advance, the more you will need to understand and work with the business. In this blog, I’ll provide tips for helping you get more comfortable in that role.

From technologist and guardian to strategist and advisor

As organizations digitize their products, services, and operations to take advantage of the cloud, their ability to effectively leverage technology has become integral to their success. It has also created more opportunities for cybercriminals. Companies of all sizes have been forced to pay fines, suffered reputational harm, and expended significant resources recovering from an attack. A cyber incident isn’t just a technology risk; it’s a business risk. When making decisions, boards and executive teams now need to evaluate the likelihood of a data breach in addition to financial loss or operational risks. A good CISO helps them do this.

According to research by Deloitte, there are four facets of a CISO: the technologist, the guardian, the strategist, and the advisor. You are probably already familiar with the technologist and guardian roles. As a technologist, the CISO is responsible for guiding the deployment and management of security technology and standards. In the guardian role, the CISO monitors and adjusts programs and controls to continuously improve security.

But technical controls and standards will not eliminate cyberattacks and the CISO does not have control over all the decisions that increase the likelihood of a breach. Therefore the roles of strategist and advisor have taken on greater importance. As a strategist, the CISO needs to align security with business strategy to determine how security investments can bring value to the organization. As an advisor, the CISO helps business owners and the executive team understand cybersecurity risks so that they can make informed decisions. To excel at these roles, it’s important to get knowledgeable about the business, understand risk management, and improve your communication skills.

A graphic showing how to understand risk management, and improve your communication skills.

Acquiring the skills to become a good strategist and advisor

If you are already in the cybersecurity profession and interested in growing into a CISO role, you are probably most comfortable with the technologist and guardian roles. You can elevate your technical skills by trying to get experience and certifications in a variety of areas, so that you understand threat analysis, threat hunting, compliance, ethical hacking, and system auditing, but also find time to work on the following leadership skills.

  • Understand the business: The most important step you can take to prepare yourself for an executive-level role is to learn to think like a businessperson. Who are your customers? What are the big opportunities and challenges in your industry? What makes your company unique? What are its weaknesses? What business strategies drive your organization? Pay attention to corporate communications and annual reports to discover what leadership prioritizes and why they have made certain decisions. Read articles about your industry to get a broader perspective about the business environment and how your company fits in. This research will help you make smarter decisions about how to allocate limited resources to protect company assets. It will also help you frame your arguments in a way the business can hear. For example, if you want to convince your organization to upgrade the firewall, they will be more convinced if you can explain how a security incident will affect the company’s relationship with customers or investors.
  • Learn risk management: Smart companies routinely take strategic risks to advance their goals. Businesses seize opportunities to launch new products or acquire a competitor that will make them more valuable in the market. But these decisions can result in failure or huge losses. They can also put the company at risk of a cyberattack.Risk management is a discipline that seeks to understand the upsides and downsides of action and eliminate or mitigate risks if possible. By comparing the likelihood of various options, the return on investment if the venture is successful, and the potential loss if it fails, managers can make informed decisions. CISOs help identify and quantify the cybersecurity risks that should be considered alongside financial and operational risks.
  • Improve your communication skills: To be a good advisor and strategist, you will need to communicate effectively with people with a variety of agendas and backgrounds. One day you’ll need to coach a very technical member of your team, the next you may need to participate in a business decision at the executive level or even be asked to present to the board of directors.A communication plan can help you refine your messages for your audience. To begin practicing these skills now, try to understand the goals of the people you talk to on a regular basis. What are their obstacles? Can you frame security communications in terms that will help them overcome those challenges? Take a moment to put yourself in someone else’s shoes before meetings, hallway conversations, emails, and chats. It can make a real difference!

A good communication plan delivers targeted security messages:A chart showing a good communication plan.
In recent years, the role of the CISOs has been elevated to a senior executive that the board counts on for strategic security advice. In fact, we should rename the position, Chief Influencer Security Officer! Building leadership skills like risk management and communication will help you step into this increasingly important role.

As you embark on the career journey of CISO, it is always good to get a perspective from other CISOs in the Industry and lessons they have learned.   Please feel free to listen to the podcast on my journey from System Administrator to CISO and watch our CISO spotlight episodes where our Microsoft CISO talks about how to present to the board of directors along with other tips and lessons learned.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 

The post Microsoft Security: What cybersecurity skills do I need to become a CISO? appeared first on Microsoft Security.

Security baseline for Microsoft Edge version 85

August 28th, 2020 No comments

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 85!


 


We have reviewed the settings in Microsoft Edge version 85 and updated our guidance with the addition of one setting that we will explain below.  A new Microsoft Edge security baseline package was just released to the Microsoft Download Center.  You can download the version 85 package from the Security Compliance Toolkit.


 


SHA-1


A new (but, ironically, deprecated) setting has been added to version 85: Allow certificates signed using SHA-1 when issued by local trust anchors. While it might seem odd that we are adding a deprecated setting to the baseline, this one is important. Microsoft Edge forbids certificates signed using SHA-1 by default, and the security baseline is enforcing this to ensure Enterprises recognize that allowing SHA-1 chains is not a secure configuration. Should you need to use a SHA-1 chain for compatibility with existing applications that depend on it, moving away from that configuration as soon as possible is critical to the security of your organization. In version 92 of Microsoft Edge (mid-2021) this setting will be removed, and there will be no supported mechanism to allow SHA-1, even for certificates issued by your non-public Certificate Authorities, after that.


 


App protocol prompts


While they may not seem directly related to security, app protocols are something you should be mindful of, as they provide a mechanism for escaping the browser sandbox. New policies to help manage these might therefore be useful in your organization as you strive to balance security and productivity.


 


To make managing app protocols easier, we first added a flag in version 82, exposed a user-facing option in version 84, and have added a policy for the IT Pro to manage them in version 85: Define a list of protocols that can launch an external application from listed origins without prompting the user. For a detail discussion on the topic, we recommend reading Eric Lawrence’s blog here.


 


Commonly seen with applications like Microsoft 365 Apps, Microsoft Teams, Skype, the user is by default prompted to allow the external application to launch as depicted in the below examples.


Rick_Munck_0-1598620693563.png


 


 


Rick_Munck_1-1598620693570.png


 


Leveraging this setting will suppress that prompt and reduce noise to the end user by approving the content at the enterprise level. Reducing end user prompts both improves user productivity and helps them make better decisions when an unexpected request appears by reducing prompt fatigue!


 


While you are at Eric’s blog, be sure to check out his other posts.


 


Baseline Package Refresh


Since a new setting has been added we have updated the security baseline package which will include the usual artifacts, as well as a list of new settings from version 84 to 85 and version 80 to 85.  This way, those that have been keeping up with the blog have a smaller set of settings to review, and those only looking at the actual released package can see all the changes.


 


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


Please continue to give us feedback through the Security Baselines Discussion site and via this post!


 

Categories: Uncategorized Tags:

Zero Trust deployment guide for Microsoft applications

August 27th, 2020 No comments

Introduction

More likely than not, your organization is in the middle of a digital transformation characterized by increased adoption of cloud apps and increased demand for mobility. In the age of remote work, users expect to be able to connect to any resource, on any device, from anywhere in the world. IT admins, in turn, are expected to securely enable their users’ productivity, often without changing the infrastructure of their existing solutions. For many organizations, with resources spread across multiple clouds, as well as on-prem, this means supporting complex hybrid deployments.

In this guide, we will focus on how to deploy and configure Microsoft Cloud App Security to apply Zero Trust principles across the app ecosystem, regardless of where those apps reside. Deploying Cloud App Security can save customers significant time, resources, and of course, improve their security posture. We will simplify this deployment, focusing on a few simple steps to get started, and then stepping through more advanced monitoring and controls. Specifically, we’ll walk through the discovery of Shadow IT, ensuring appropriate in-app permissions are enforced, gating access based on real-time analytics, monitoring for abnormal behavior based on real-time UEBA, controlling user interactions with data, and assessing the cloud security posture of an organization.

Getting started

Your Zero Trust journey for apps starts with understanding the app ecosystem your employees are using, locking down shadow IT, and managing user activities, data, and threats in the business-critical applications that your workforce leverages to be productive.

Discover and control the use of Shadow IT

The total number of apps accessed by employees in the average enterprise exceeds 1,500. That equates to more than 80 GB of data uploaded monthly to various apps, less than 15% of which are managed by their IT department. And as remote work becomes a reality for most, it’s no longer enough to apply access policies to only your network appliance.

To get started discovering and assessing cloud apps, set up Cloud Discovery in Microsoft Cloud App Security, and analyze your traffic logs against a rich cloud app catalog of over 16,000 cloud apps. Apps are ranked and scored based on more than 90 risk factors to help assess the risk Shadow IT poses to your organization.

Once this risk is understood, each individual application can be evaluated, manually or via policy, to determine what action to take. The following decision tree shows potential actions that can be taken, based on whether the applications’ risk is deemed acceptable. Sanctioned applications can then be onboarded with your identity provider to enable centralized management and more granular control, while unsanctioned applications can be blocked by your network appliance or at the machine-level with one-click by leveraging Microsoft Defender ATP.

An image of the management of the lifecycle of a discovered app.

Monitor user activities and data

Once applications are discovered, one of the next steps for sanctioned apps is to connect them via API to gain deep visibility into those applications – after all, these are the apps where your most sensitive data resides. Microsoft Cloud App Security uses enterprise-grade cloud app APIs to provide instant visibility and governance for each cloud app being used.

Connect your business critical cloud applications, ranging from Office 365 to Salesforce, Box, AWS, GCP, and more, to Microsoft Cloud App Security to gain deep visibility into the actions, files, and accounts that your users touch day-in and day-out. Leverage these enterprise-grade API connections to enable the admin to perform governance actions, such as quarantining files or suspending users, as well as mitigate against any flagged risk.

Automate data protection and governance

For an organization that is constantly growing and evolving, the power of automation cannot be overstated. Once your apps are connected to Microsoft Cloud App Security, you can leverage versatile policies to detect risky behavior and violations, and automate actions to remediate those violations.

Microsoft Cloud App Security provides built-in policies for both risky activities and sensitive files, as well as the ability to create custom policies as needed, based on your own environment. For example, if a user forgets to label sensitive data appropriately before uploading it to the cloud, you can automate the application of the correct label by leveraging Microsoft Cloud App Security to scan the file, whether that app is hosted in a Microsoft or non-Microsoft cloud. In addition, more likely than not, guests or partner users are collaborating with you in your sensitive applications. You can set automatic actions to expire a shared link or removing external users while informing the file owner.

Protect against cyber threats and rogue apps

Connecting your apps enables you to automate data and access governance, but it also enables detecting and remediating against cyberthreats and rogue apps. Attackers closely monitor where sensitive information is most likely to end up and develop dedicated and unique attack tools, techniques, and procedures, such as illicit OAuth consent grants and cloud ransomware.

Microsoft Cloud App Security provides rich behavioral analytics and anomaly detections to help organizations securely adopt the cloud by providing malware protection, OAuth app protection, and comprehensive incident investigation and remediation. Because these are already enabled, you do not need to configure them. However, we recommend logging into your Cloud App Security portal to fine-tune them based on your environment (Click on Control, then Policies and select Anomaly detection policy).

Cloud App Security’s user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities are enabled out-of-the-box so that you can immediately detect threats and run advanced threat detection across your cloud environment. Because they’re automatically enabled, new anomaly detection policies provide immediate results by providing immediate detections, targeting numerous security use cases such as impossible travel, suspicious inbox rules and ransomware across your users and the machines and devices connected to your network. In addition, the policies expose more data from the Cloud App Security detection engine and can be refined to help you speed up the investigation process and contain ongoing threats.

Configuring Advanced Controls

You’ve now assessed your cloud environment, unsanctioned dangerous and risky applications, and added automation to protect your sensitive corporate resources in your business-critical applications. Getting advanced means extending those security controls by deploying adaptive access controls that match the risk of each individual session and assessing and patching the security posture of your multi-cloud environments.

Deploy adaptive access and session controls for all apps

In today’s modern and dynamic workplace, it’s not enough to know what’s happening in your cloud environment after the fact. Stopping breaches and leaks in real-time before employees intentionally or inadvertently put data and organizations at risk is key. Simultaneously, it’s business-critical to enable users to securely use their own devices productively.

Enable real-time monitoring and control over access to any of your apps with Microsoft Cloud App Security access and session policies, including cloud and on-prem apps and resources hosted by the Azure AD App Proxy. For example, you can create policies to protect the download of sensitive content when using any unmanaged device. Alternatively, files can be scanned on upload to detect potential malware and block them from entering sensitive cloud environments.

An image displaying how to extend policy enforcement into the session.

Assess the security posture of your cloud environments

Beyond SaaS applications, organizations are heavily investing in IaaS and PaaS services. Microsoft Cloud App Security goes beyond SaaS security to enable organizations to assess and strengthen their security posture and Zero Trust capabilities for major clouds, such as Azure, Amazon Web Services, and Google Cloud Platform. These assessments focus on detailing the security configuration and compliance status across each cloud platform. In turn, you can limit the risk of a security breach, by keeping the cloud platforms compliant with your organizational configuration policy and regulatory compliance, following the CIS benchmark, or the vendor’s best practices for a secure configuration.

Microsoft Cloud App Security’s cloud platform security provides tenant-level visibility into all your Azure subscriptions, AWS accounts, and GCP projects. Getting an overview of the security configuration posture of your multi-cloud platform from a single location enables a comprehensive risk-based investigation across all your resources. The security configuration dashboard can then be used to drive remediation actions and minimize risk across all your cloud environments. View the security configuration assessments for AzureAWS, and GCP recommendations in Cloud App Security to investigate and remediate against any gaps.

More Zero Trust deployment guides to come

We hope this blog helps you deploy and successfully incorporate apps into your Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog to keep up with our expert coverage on security matters. For more information on Microsoft Security Solutions  visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust deployment guide for Microsoft applications appeared first on Microsoft Security.

Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning

August 27th, 2020 No comments

When attackers successfully breach a target network, their typical next step is to perform reconnaissance of the network, elevate their privileges, and move laterally to reach specific machines or spread as widely as possible. For these activities, attackers often probe the affected network’s Active Directory, which manages domain authentication and permissions for resources. Attackers take advantage of users’ ability to enumerate and interact with the Active Directory for reconnaissance, which allows lateral movement and privilege escalation. This is a common attack stage in human-operated ransomware campaigns like Ryuk.

These post-exploitation activities largely rely on scripting engines like PowerShell and WMI because scripts provide attackers flexibility and enable them to blend into the normal hum of enterprise endpoint activity. Scripts are lightweight, can be disguised and obfuscated relatively easily, and can be run fileless by loading them directly in memory through command-line or interacting with scripting engines in memory.

Antimalware Scan Interface (AMSI) helps security software to detect such malicious scripts by exposing script content and behavior. AMSI integrates with scripting engines on Windows 10 as well as Office 365 VBA to provide insights into the execution of PowerShell, WMI, VBScript, JavaScript, and Office VBA macros. Behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (ATP) take full advantage of AMSI’s visibility into scripts and harness the power of machine learning and cloud-delivered protection to detect and stop malicious behavior. In the broader delivery of coordinated defense, the AMSI-driven detection of malicious scripts on endpoints helps Microsoft Threat Protection, which combines signals from Microsoft Defender ATP and other solutions in the Microsoft 365 security portfolio, to detect cross-domain attack chains.

On endpoints, performance-optimized machine learning models inspect script content and behavior through AMSI. When scripts run and malicious or suspicious behavior is detected, features are extracted from the content, including expert features, features selected by machine learning, and fuzzy hashes. The lightweight client machine learning models make inferences on the content. If the content is classified as suspicious, the feature description is sent to the cloud for full real-time classification. In the cloud, heavier counterpart machine learning models analyze the metadata and uses additional signals like file age, prevalence, and other such information to determine whether the script should be blocked or not.

These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, even after they have started running. In this blog, we’ll discuss examples of Active Directory attacks, including fileless threats, foiled by AMSI machine learning.

Diagram showing pairs of machine learning models on the endpoint and in the cloud using AMSI to detect malicious scripts

Figure 1. Pair of AMSI machine learning models on the client and in the cloud

Blocking BloodHound attacks

BloodHound is a popular open-source tool for enumerating and visualizing the domain Active Directory and is used by red teams and attackers as a post-exploitation tool. The enumeration allows a graph of domain devices, users actively signed into devices, and resources along with all their permissions. Attackers can discover and abuse weak permission configurations for privilege escalation by taking over other user accounts or adding themselves to groups with high privileges, or for planning their lateral movement path to their target privileges. Attackers, including those behind human-operated ransomware campaigns such as Ryuk, use BloodHound as part of their attacks.

To work, BloodHound uses a component called SharpHound to enumerate the domain and collect various categories of data: local admin collection, group membership collection, session collection, object property collection, ACL collection, and trust collection. This enumeration would typically then be exfiltrated to be visualized and analysed by the attacker as part of planning their next steps. SharpHound performs the domain enumeration and is officially published as a fileless PowerShell in-memory version, as well as a file-based executable tool version. It is critical to identify the PowerShell fileless variant enumeration if it is active on a network.

Code snippet of the SharpHound ingestor

Figure 2. SharpHound ingestor code snippets

When the SharpHound fileless PowerShell ingestor is run in memory, whether by a pen tester or an attacker, AMSI sees its execution buffer. The machine learning model on the client featurizes this buffer and sends it to the cloud for final classification.

Code snippet of SharpHound ingestor showing featurized details

Figure 3. Sample featurized SharpHound ingestor code

The counterpart machine learning model in the cloud analyzes the metadata, integrates other signals, and returns a verdict. Malicious scripts are detected and stopped on endpoints in real time:

Screenshot of Microsoft Defender Antivirus alert for detection of SharpHound

Figure 4. Microsoft Defender Antivirus detection of SharpHound

Detections are reported in Microsoft Defender Security Center, where SOC analysts can use Microsoft Defender ATP’s rich set of tools to investigate and respond to attacks:

Screenshot of Microsoft Defender Security Center showing detection of SharpHound

Figure 5. Microsoft Defender Security Center alert showing detection of SharpHound

This protection is provided by AI that has learned to identify and block these attacks automatically, and that will continue to adapt and learn new attack methods we observe.

Stopping Kerberoasting

Kerberoasting, like BloodHound attacks, is a technique for stealing credentials used by both red teams and attackers. Kerberoasting attacks abuse the Kerberos Ticket Granting Service (TGS) to gain access to accounts, typically targeting domain accounts for lateral movement.

Kerberoasting attacks involve scanning an Active Directory environment to generate a list of user accounts that have Kerberos Service Principal Name (SPN). Attackers then request these SPN to grant Kerberos Service Tickets to these accounts. The tickets are dumped from memory using various tools like Mimikatz and then exfiltrated for offline brute forcing on the encrypted segment of the tickets. If successful, attackers can identify the passwords associated with the accounts, which they then use to remotely sign into machines or access resources.

All the Kerberoasing attack steps leading to the hash extraction can be accomplished using a single PowerShell (Invoke-Kerberoast.ps1), and has been integrated into popular post-exploitation frameworks like PowerSploit and PowerShell Empire:

Figure 6. Single command line to download and execute Kerberoasting to extract user password hashes

Code snippet of Kerberoasting

Figure 7. Kerberoasting code

Because AMSI has visibility into PowerShell scripts, when the Invoke-Kerberoast.ps1 is run, AMSI allows for inspection of the PowerShell content during runtime. This buffer is featurized and analyzed by client-side machine learning models, and sent to the cloud for real-time ML classification.

Code snippet of Kerberoasting showing featurized details

Figure 8. Sample featurized Kerberoasting code

Microsoft Defender ATP raises an alert for the detection of Invoke-Kerberoast.ps1:

Figure 9. Microsoft Defender Security Center alert showing detection of Invoke-Kerberoast.ps1

Training the machine learning models

To ensure continued high-quality detection of threats, the AMSI machine learning models are trained per scripting engine using real-time protection data and threat investigations.

Featurization is key to machine learning models making intelligent decisions about whether content is malicious or benign. For behavior-based script logs, we extract the set of libraries, COM object, and function names used by the script. Learning the most important features within the script content is performed through a combination of character ngramming the script or behavior log, followed by semi-asynchronous stochastic dual coordinate ascent (SA-SDCA) algorithm with L1 regularization feature trimming to learn and deploy the most important character ngram features.

On top of the same features used to train the client models, other complex features used to train the cloud modes include fuzzy hashes, cluster hashes, partial hashes, and more. In addition, the cloud models have access to other information like age, prevalence, global file information, reputation and others, which allow cloud models to make more accurate decisions for blocking.

Conclusion: Broad visibility informs AI-driven protections

Across Microsoft, AI and machine learning protection technologies use Microsoft’s broad visibility into various surfaces to identify new and unknown threats. Microsoft Threat Protection uses these machine learning-driven protections to detect threats across endpoints, email and data, identities, and apps.

On endpoints, Microsoft Defender ATP uses multiple next-generation protection engines that detect a wide range of threats. One of these engines uses insights from AMSI and pairs of machine learning models on the client and in the cloud working together to detect and stop malicious scripts post-execution.

These pairs of AMSI models, one pair for each scripting engine, are part of the behavior-based blocking and containment capabilities in Microsoft Defender ATP, which are designed to detect and stop threats even after they have started running. When running, threats are exposed and can’t hide behind encryption or obfuscation. This adds another layer of protection for instances where sophisticated threats are able to slip through pre-execution defenses.

Diagram showing different next-generation protection engines on the client and in the cloud

Figure 10. Microsoft Defender ATP next-generation protection engines

In this blog post, we showed how these AMSI-driven behavior-based machine learning protections are critical in detecting and stopping post-exploitation activities like BloodHound-based and Kerberoasting attacks, which employ evasive malicious scripts, including fileless components. With AMSI, script content and behavior are exposed, allowing Microsoft Defender ATP to foil reconnaissance activities and prevent attacks from progressing.

To learn more about behavior-based blocking and containment, read the following blog posts:

 

Ankit Garg and Geoff McDonald

Microsoft Defender ATP Research Team

The post Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning appeared first on Microsoft Security.

Rethinking IoT/OT Security to Mitigate Cyberthreats

August 26th, 2020 No comments

We live in an exciting time. We’re in the midst of the fourth industrial revolution—first steam, followed by electricity, then computers, and, now, the Internet of Things.

A few years ago, IoT seemed like a futuristic concept that was on the distant horizon. The idea that your fridge would be connected to the internet, constantly uploading and downloading data and ordering things on its own, like new filters or groceries, seemed laughable. Why would anyone want or need such a thing?

Now, IoT and other embedded and operational technologies (OT) are far more pervasive in our lives than anyone could have imagined. Robotics, chemical and pharmaceutical production, power generation, oil production, transportation, mining, healthcare devices, building management systems, and seemingly everything else is becoming part of a smart, interconnected, machine-learning powered system. Machines can now monitor themselves, diagnose problems, and then reconfigure and improve based on the data.

The threat is real

It’s an exciting time, but it’s also an alarming time, especially for CISOs (Chief Information Security Officers) working diligently to employ risk mitigation and keep their companies secure from cyberthreats. Billions of new IoT devices go online each year, and as these environments become more connected with digitization initiatives, their attack surfaces grow.

From consumer goods to manufacturing systems to municipal operations like the power grid, it all needs data protection. The threat is very real. Take the Mirai botnet hack, for example. 150,000 cameras hacked and turned into a botnet that blocked internet access for large portions of the US. We have also seen destructive and rapidly spreading ransomware attacks, like NotPetya, cripple manufacturing and port operations around the globe.  However, existing IT security solutions cannot solve those problems due to the lack of standardized network protocols for such devices and the inability to certify device-specific products and deploy them without impacting critical operations.  So, what exactly is the solution? What do people need to do to resolve the IoT security problem?

Working to solve this problem is why Microsoft has joined industry partners to create the Open Source Security Foundation as well as acquired IoT/OT security leader CyberX. This integration between CyberX’s IoT/OT-aware behavioral analytics platform and Azure unlocks the potential of unified security across converged IT and industrial networks. And, as a complement to the embedded, proactive IoT device security of Microsoft Azure Sphere, CyberX IoT/OT provides monitoring and threat detection for devices that have not yet upgraded to Azure Sphere security. Used together, CyberX and Azure Sphere can give you visibility to what’s happening in your environment while actively preventing exploitation of your connected equipment. The goal is to achieve the mission of securing every unmanaged device to help protect critical operations.

Both Microsoft and CyberX have managed to help protect a large number of enterprises around the world—including leading organizations in manufacturing, pharmaceuticals and healthcare, power utilities, oil and gas companies, data centers, and more, at a global scale.

This success is due to taking a completely different approach, an innovative solution that prioritizes ease of deployment and use—to provide a security solution custom-built for OT and industrial control systems. So, what do you need to do that?

Let’s sit in a plant. Imagine that the process keeps on running, so from an operational perspective, all is fine. But even if operations are moving smoothly, you don’t know if someone is trying to hack your systems, steal your IP, or disrupt your day-to-day processes—you wouldn’t know that until the processes are disrupted, and by then, it’s too late.

To catch these threats, you need to understand what you have, understand the process interaction, validate access to the resources, and understand root cause analysis from other breaches. From a technology perspective, to gain this level of understanding, you need automated and intelligent asset visibility, behavioral analytics capable of understanding OT/IoT behavior, vulnerability management, and threat hunting. To defend against these threats, you will want to deploy an IoT device security solution that implements critical security properties, including defense in-depth, error reporting, and renewable security, that will help keep your connected devices and equipment protected over time.

Where to go from here

For any business looking to learn more about IoT/OT security, a good place to start is by downloading CyberX’s global IoT/ICS risk report. This free report provides a data-driven analysis of vulnerabilities in our Internet of Things (IoT) and industrial control systems (ICS) infrastructure.

Based on data collected in the past 12 months from 1,821 production IoT/ICS networks—across a diverse mix of industries worldwide—the analysis was performed using passive, agentless monitoring with patented deep packet inspection (DPI) and Network Traffic Analysis (NTA). The data shows that IoT/ICS environments continue to be soft targets for adversaries, with security gaps in key areas such as:

  • Outdated operating systems
  • Unencrypted passwords
  • Remotely accessible devices
  • Unseen indicators of threats
  • Direct internet connections

To learn more about protecting your critical equipment and devices with layered and renewable security, we recommend reading The seven properties of highly secured devices. To understand how these properties are implemented in Azure Sphere, you can download The 19 best practices for Azure Sphere.

These are key resources for any businesses looking to increase their IoT security and help mitigate cyberthreats to their organization’s systems and data.

Learn more

Tackling the IoT security threat is a big, daunting project, but Microsoft is committed to helping solve them through innovation and development efforts that empower businesses across the globe to operate more safely and securely.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about protecting your critical equipment and devices with layered and renewable security, reach out to your Microsoft account team and we recommend reading The seven properties of highly secured devices.

The post Rethinking IoT/OT Security to Mitigate Cyberthreats appeared first on Microsoft Security.

How can Microsoft Threat Protection help reduce the risk from phishing?

August 26th, 2020 No comments

Microsoft Threat Protection can help you reduce the cost of phishing

The true cost of a successful phishing campaign may be higher than you think. Although phishing defenses and user education have become common in many organizations, employees still fall prey to these attacks. This is a problem because phishing is often leveraged as the first step in other cyberattack methods. As a result, its economic impact remains hidden. Understanding how these attacks work is key to mitigating your risk.

One reason phishing is so insidious is that attackers continuously evolve their methods. In this blog, I’ve described why you need to take phishing seriously and how different phishing methods work. You’ll also find links to Microsoft Threat Protection solutions that can help you reduce your risk.

Nearly 1 in 3 attacks involve phishing

According to Accenture’s Ninth Annual Cost of Cybercrime Study, phishing attacks cost the average organization USD1.4 million in 2018, an eight percent rise over 2017. This likely underestimates the cost because the report only considers four major consequences when determining the cost of an attack: business disruption, information loss, revenue loss, and equipment damage. However, phishing is used as the delivery method for several other attacks, including business email compromise, malware, ransomware, and botnet attacks. The 2019 Verizon Data Breach Report finds that almost one in three attacks involved phishing. And according to the 2019 Internet Crime Complaint Center, phishing/vishing/smishing/pharming are the most common methods for scamming individuals online.

Since the costs of other attacks can often be attributed to phishing, a comprehensive cyber risk mitigation strategy should place a high value on phishing defenses and user education.

Phishing campaigns can be well-targeted and sophisticated

As attackers have developed new methods to evade detection by defenders and victims, phishing has transformed. Phishing now uses mediums other than email, including voicemail, instant messaging, and collaboration platforms, as people have enhanced email-based defenses, but may have not considered these other attack vectors. The success of phishing as the delivery of other cyberattacks makes it critically important for defenders to be able to identify the many types of phishing and how to defend against them, including:

  • Mass market phishing: When you think of phishing this is likely what comes to mind. These emails go out to a large group of people and use a generic message to trick users into clicking a link or downloading a file. Attacks often use email spoofing, so that the message appears to come from a legitimate source.
  • Spear phishing: Spear phishing is a more targeted social engineering method. Attackers pick an individual, such as a global administrator or an HR professional, conduct research, and then craft an email that makes use of that research to dupe the victim.
  • Whaling: These emails target someone on the executive team. Like spear phishing, these attacks start with research, which the attacker uses to write an email that appears legitimate.
  • Business-email compromise: In these attacks, adversaries compromise an executive’s account, such as the CEO, and then use that account to ask a direct report to wire money.
  • Clone phishing: Attackers clone a legitimate email and then change the link or attachment.
  • Vishing: Vishing is a phishing attempt using the phone. Victims are asked to call back and enter a PIN number or account number.

Fahmida Y. Rashid provides more details about these type of phishing attacks on CSO.

An emerging phishing method exploits the increase in remote work

Recently, another phishing type was identified called consent phishing. In response to COVID-19, people have increased their usage of cloud apps and mobile devices to facilitate work from home. Bad actors have taken advantage of this shift by leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. By using application prompts similar to that on mobile devices, they trick victims into allowing the malicious applications permission to access services and data (see Figure 2).

An image showing the Microsoft "Permissions requested" dialogue.

Figure 1: Familiar application prompts trick users into giving malicious apps access to services and data.

The following best practices can help you defend against this new threat:

  • Educate your organization on how to identify a consent phishing message. Poor spelling and grammar are two indicators that the request isn’t legitimate. Users may also notice that the URL doesn’t quite look right.
  • Promote and allow access to apps you trust. Use publisher verified to identify apps that have been validated by the Microsoft platform. Configure application consent policies, so employees are guided to applications you trust.
  • Educate your organization on how permissions and consent framework works in the Microsoft platform.

Office 365 Advanced Threat Protection helps prevent and remediate phishing attacks

Office 365 Advanced Threat Protection (Office 365 ATP), natively protects all of Office 365 against advanced attacks. The service leverages industry-leading intelligence fueled by trillions of signals to continuously evolve to prevent emerging threats, like phishing and impersonation attacks. As part of Microsoft Threat Protection, Office 365 ATP provides security teams with the tools to investigate and remediate these threats, and integrates with other Microsoft Threat Protection products like Microsoft Defender Advanced Threat Protection and Azure Advanced Threat Protection to help stop cross-domain attacks spanning email, collaboration tools, endpoints, identities, and cloud apps.

Microsoft Threat Protection increases analyst efficiency

Microsoft Threat Protection stops attacks across Microsoft 365 services and auto-heals affected assets. It leverages the Microsoft 365 security portfolio to automatically analyze threat data across identities, endpoints, cloud applications, and email and docs. By fusing related alerts into incidents, defenders can respond to threats and attacks immediately and in their entirety, saving precious time. (see Figure 3).

The following actions will help you gain greater visibility into attacks to protect your organization.

An image of : Microsoft Threat Protection and Office 365 ATP provide several capabilities to help you protect your organization from phishing attacks.

Figure 2: Microsoft Threat Protection and Office 365 ATP provide several capabilities to help you protect your organization from phishing attacks.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How can Microsoft Threat Protection help reduce the risk from phishing? appeared first on Microsoft Security.

How to detect and mitigate phishing risks with Microsoft and Terranova Security

August 25th, 2020 No comments

Detect, assess, and remediate phishing risks across your organization

A successful phishing attack requires just one person to take the bait. That’s why so many organizations fall victim to these cyber threats. To reduce this human risk, you need a combination of smart technology and people-centric security awareness training. But if you don’t understand your vulnerabilities, it can be difficult to know where to start.  Attack simulation training capabilities in Office 365 Advanced Threat Protection (Office 365 ATP) empower you to detect, assess, and remediate phishing risk through an integrated phish simulation and training experience. And, in October 2020, you can get true phishing clickthrough benchmarks when you register for the Terranova Security Gone Phishing TournamentTM.

Terranova Security is a global leader in cybersecurity awareness training that draws on principles of behavioral science to create training content that changes user behavior. Through a partnership with Microsoft, Terranova Security is able to enrich our training programs with insights from the Microsoft platform, while Microsoft leverages our content and technology in Microsoft Office 365 Advanced Threat Protection (Office 365 ATP).

Today’s blog shares how the Gone Phishing Tournament helps you baseline against your industry and peers, and how Office 365 ATP Attack Simulation training can help you mitigate the risk of a phishing-related data breach.

How does your risk of being phished stack up?

Cybercriminals exploit human psychology to trick users, which is why they introduced COVID-19-themed phishing lures in the early days of the pandemic. Many employees are working from home for the first time and have children and other family members competing for their attention. Bad actors hope to trick employees when they are busy and stressed. Although it’s understandable why people accidentally act on phishing campaigns, there is an opportunity to turn your employees into your first line of defense. When people understand how phishing campaigns work, your organization is more secure.

An image showing typical malware campaigns before and after.

 

The Gone Phishing Tournament will give you valuable insight into how well employees understand phishing. The Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October. The tournament leverages a phishing email based on real-world threats provided by Attack simulation training in Office 365 ATP and localizes it for your audience. After you register, you can select the users you want to include in the phishing simulation. We run the simulation for a set number of days using the same template, so you get an accurate assessment of how you compare to peer organizations. At the end of the tournament, you’ll receive a personalized click report and a global benchmarking report.

Empower employees to defend against phishing threats

Phishing simulations are a great way to educate employees about phishing threats, but to shift behavior you need a regular program that includes targeted education alongside simulations. Terranova Security’s awareness training, which will soon be available in Office 365 ATP, takes a pedagogical approach with gamification and interactive sessions designed to engage adults. It is localized for employees around the world and complies with web content accessibility guidelines (WCAG) 2.0.

Later this year, Office 365 ATP Attack Simulator and Training will launch integrated with Terranova Security awareness training. You’ll be able to take advantage of comprehensive training benefits that will help you measure behavior change and automate design and deployment of an integrated security awareness training program:

  • Simulate real threats: Detect vulnerabilities with real lures and templates for accurate risk assessment. By automatically or manually sending employees the same emails that attackers have used against your organization, you can uncover risk. Then, target users who fall for phish with personalized training content that helps them connect what they learned with real-world campaigns.
  • Remediate intelligently: Quantify social engineering risk across your employees and threat vectors to prioritize remedial training. Track your organization’s progress against a baseline and measure the behavioral impact of training. Using user susceptibility metrics, you can trigger automated repeat offender simulations and training for people who need extra attention.
  • Improve security posture: Reinforce your human firewall with hyper-targeted training designed to change employee behavior. Training can be customized and localized to meet the diverse needs of employees. Tailor simulations to your employee’s contexts—region, industry, function—with granular conditionality on harvesting. You can also cater to diverse learning styles and reinforce awareness with interactive nano learning and microlearning content.

In the new world of remote work, it has become clear that your people are your perimeter. Attack simulation training in Office 365 ATP, delivered in partnership with Terranova Security can help you identify vulnerable users and deliver targeted, engaging education that empowers them to defend against the latest phishing threats.   Look for a future blog from me in the beginning of cybersecurity awareness month that will discuss in more detail how to train your employees on security. In the meantime, register for Terranova Security Gone Phishing Tournament October 2020.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to detect and mitigate phishing risks with Microsoft and Terranova Security appeared first on Microsoft Security.

How do I implement a Zero Trust security model for my Microsoft remote workforce?

August 24th, 2020 No comments

Digital empathy should guide your Zero Trust implementation

Zero Trust has always been key to maintaining business continuity. And now, it’s become even more important during the COVID-19 pandemic to helping enable the largest remote workforce in history. While organizations are empowering people to work securely when, where, and how they want, we have found the most successful are the ones who are also empathetic to the end-user experience. At Microsoft, we refer to this approach as digital empathy. As you take steps to protect a mobile workforce, a Zero Trust strategy grounded in digital empathy will help enhance cybersecurity, along with productivity and collaboration too.

This was one of a few important topics that I recently discussed during a cybersecurity fireside chat with industry thought leader, Kelly Bissell, Global Managing Director of Security Accenture. Accenture, one of Microsoft’s most strategic partners, helps clients use Microsoft 365 to implement a Zero Trust strategy that is inclusive of everyone. “How do we make working from home both convenient and secure for employees during this time of constant change and disruption,” has become a common question both Kelly and I hear from organizations as we discuss the challenges of maintaining business continuity while adapting to this new world—and beyond. I encourage everyone to explore these points more deeply by watching my entire conversation with Kelly.

Our long-term Microsoft-Accenture security relationship helps customers navigate the current environment and emerge even stronger as we look past the pandemic. The following are some of the key steps shared during our conversation that you can take to begin applying digital empathy and Zero Trust to your organization.

Protect your identities with Azure Active Directory

Zero Trust is an “assume breach” security posture that treats each request for access as a unique risk to be evaluated and verified. This starts with strong identity authentication. Azure Active Directory (Azure AD) is an identity and secure access management (IAM) solution that you can connect to all your apps including Microsoft apps, non-Microsoft cloud apps, and on-premises apps. Employees sign in once using a single set of credentials, simplifying access. To make it even easier for users, deploy Azure AD solutions like passwordless authentication, which eliminates the need for users to memorize passwords. Multi-factor authentication (MFA) is one of the most important things you can do to help secure employee accounts, so implement MFA for 100 percent of your users, 100 percent of the time.

According to a new Forrester report, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, customers who secure apps with Microsoft Azure Active Directory can improve user productivity, reduce costs, and gain IT efficiencies to generate a 123 % return on investment.

Secure employee devices

Devices present another opportunity for bad actors to infiltrate your organization. Employees may run old operating systems or download vulnerable apps on their personal devices. With Microsoft Endpoint Manager, you can guide employees to keep their devices updated. Conditional Access policies allow you to limit or block access to devices that are unknown or don’t comply with your security policies.

An endpoint detection and response (EDR) solution like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you detect attacks and automatically block sophisticated malware. Each Microsoft Defender ATP license covers up to five devices per user.

Discover and manage cloud apps

Cloud apps have proliferated in today’s workplace. They are so easy to use that IT departments are often not aware of which cloud apps their employees access. Microsoft Cloud App Security is a cloud app security broker (CASB) that allows you to discover all the apps used in your network. Cloud App Security’s risk catalog includes over 16,000 apps that are assessed using over 80 risk factors. Once you understand the risk profile of the apps in your network, you can decide whether to allow access, block access, or onboard it on to Azure AD.

Employees are busy in the best of times. Today, with many working from home for the first time—often in a full house—their stress may be compounded. By simplifying the sign-in process and protecting data on apps and devices, Microsoft 356 security solutions like Azure AD, Microsoft Defender ATP, and Cloud App Security, make it easier for employees to work remotely while improving security for the organization.

Digital empathy and Zero Trust are also two of the five security paradigm shifts that will lead to more inclusive user experiences. Next month, I will provide more details about two additional paradigm shifts, the diversity of data, and integrated security solutions.

CTA: To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Follow Ann Johnson @ajohnsocyber for Microsoft’s latest cybersecurity investments and @MSFTSecurity for the latest news and updates on cybersecurity.

The post How do I implement a Zero Trust security model for my Microsoft remote workforce? appeared first on Microsoft Security.

How do I implement a Zero Trust security model for my Microsoft remote workforce?

August 24th, 2020 No comments

Digital empathy should guide your Zero Trust implementation

Zero Trust has always been key to maintaining business continuity. And now, it’s become even more important during the COVID-19 pandemic to helping enable the largest remote workforce in history. While organizations are empowering people to work securely when, where, and how they want, we have found the most successful are the ones who are also empathetic to the end-user experience. At Microsoft, we refer to this approach as digital empathy. As you take steps to protect a mobile workforce, a Zero Trust strategy grounded in digital empathy will help enhance cybersecurity, along with productivity and collaboration too.

This was one of a few important topics that I recently discussed during a cybersecurity fireside chat with industry thought leader, Kelly Bissell, Global Managing Director of Security Accenture. Accenture, one of Microsoft’s most strategic partners, helps clients use Microsoft 365 to implement a Zero Trust strategy that is inclusive of everyone. “How do we make working from home both convenient and secure for employees during this time of constant change and disruption,” has become a common question both Kelly and I hear from organizations as we discuss the challenges of maintaining business continuity while adapting to this new world—and beyond. I encourage everyone to explore these points more deeply by watching my entire conversation with Kelly.

Our long-term Microsoft-Accenture security relationship helps customers navigate the current environment and emerge even stronger as we look past the pandemic. The following are some of the key steps shared during our conversation that you can take to begin applying digital empathy and Zero Trust to your organization.

Protect your identities with Azure Active Directory

Zero Trust is an “assume breach” security posture that treats each request for access as a unique risk to be evaluated and verified. This starts with strong identity authentication. Azure Active Directory (Azure AD) is an identity and secure access management (IAM) solution that you can connect to all your apps including Microsoft apps, non-Microsoft cloud apps, and on-premises apps. Employees sign in once using a single set of credentials, simplifying access. To make it even easier for users, deploy Azure AD solutions like passwordless authentication, which eliminates the need for users to memorize passwords. Multi-factor authentication (MFA) is one of the most important things you can do to help secure employee accounts, so implement MFA for 100 percent of your users, 100 percent of the time.

According to a new Forrester report, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, customers who secure apps with Microsoft Azure Active Directory can improve user productivity, reduce costs, and gain IT efficiencies to generate a 123 % return on investment.

Secure employee devices

Devices present another opportunity for bad actors to infiltrate your organization. Employees may run old operating systems or download vulnerable apps on their personal devices. With Microsoft Endpoint Manager, you can guide employees to keep their devices updated. Conditional Access policies allow you to limit or block access to devices that are unknown or don’t comply with your security policies.

An endpoint detection and response (EDR) solution like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you detect attacks and automatically block sophisticated malware. Each Microsoft Defender ATP license covers up to five devices per user.

Discover and manage cloud apps

Cloud apps have proliferated in today’s workplace. They are so easy to use that IT departments are often not aware of which cloud apps their employees access. Microsoft Cloud App Security is a cloud app security broker (CASB) that allows you to discover all the apps used in your network. Cloud App Security’s risk catalog includes over 16,000 apps that are assessed using over 80 risk factors. Once you understand the risk profile of the apps in your network, you can decide whether to allow access, block access, or onboard it on to Azure AD.

Employees are busy in the best of times. Today, with many working from home for the first time—often in a full house—their stress may be compounded. By simplifying the sign-in process and protecting data on apps and devices, Microsoft 356 security solutions like Azure AD, Microsoft Defender ATP, and Cloud App Security, make it easier for employees to work remotely while improving security for the organization.

Digital empathy and Zero Trust are also two of the five security paradigm shifts that will lead to more inclusive user experiences. Next month, I will provide more details about two additional paradigm shifts, the diversity of data, and integrated security solutions.

CTA: To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Follow Ann Johnson @ajohnsocyber for Microsoft’s latest cybersecurity investments and @MSFTSecurity for the latest news and updates on cybersecurity.

The post How do I implement a Zero Trust security model for my Microsoft remote workforce? appeared first on Microsoft Security.

How do I implement a Zero Trust security model for my Microsoft remote workforce?

August 24th, 2020 No comments

Digital empathy should guide your Zero Trust implementation

Zero Trust has always been key to maintaining business continuity. And now, it’s become even more important during the COVID-19 pandemic to helping enable the largest remote workforce in history. While organizations are empowering people to work securely when, where, and how they want, we have found the most successful are the ones who are also empathetic to the end-user experience. At Microsoft, we refer to this approach as digital empathy. As you take steps to protect a mobile workforce, a Zero Trust strategy grounded in digital empathy will help enhance cybersecurity, along with productivity and collaboration too.

This was one of a few important topics that I recently discussed during a cybersecurity fireside chat with industry thought leader, Kelly Bissell, Global Managing Director of Security Accenture. Accenture, one of Microsoft’s most strategic partners, helps clients use Microsoft 365 to implement a Zero Trust strategy that is inclusive of everyone. “How do we make working from home both convenient and secure for employees during this time of constant change and disruption,” has become a common question both Kelly and I hear from organizations as we discuss the challenges of maintaining business continuity while adapting to this new world—and beyond. I encourage everyone to explore these points more deeply by watching my entire conversation with Kelly.

Our long-term Microsoft-Accenture security relationship helps customers navigate the current environment and emerge even stronger as we look past the pandemic. The following are some of the key steps shared during our conversation that you can take to begin applying digital empathy and Zero Trust to your organization.

Protect your identities with Azure Active Directory

Zero Trust is an “assume breach” security posture that treats each request for access as a unique risk to be evaluated and verified. This starts with strong identity authentication. Azure Active Directory (Azure AD) is an identity and secure access management (IAM) solution that you can connect to all your apps including Microsoft apps, non-Microsoft cloud apps, and on-premises apps. Employees sign in once using a single set of credentials, simplifying access. To make it even easier for users, deploy Azure AD solutions like passwordless authentication, which eliminates the need for users to memorize passwords. Multi-factor authentication (MFA) is one of the most important things you can do to help secure employee accounts, so implement MFA for 100 percent of your users, 100 percent of the time.

According to a new Forrester report, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, customers who secure apps with Microsoft Azure Active Directory can improve user productivity, reduce costs, and gain IT efficiencies to generate a 123 % return on investment.

Secure employee devices

Devices present another opportunity for bad actors to infiltrate your organization. Employees may run old operating systems or download vulnerable apps on their personal devices. With Microsoft Endpoint Manager, you can guide employees to keep their devices updated. Conditional Access policies allow you to limit or block access to devices that are unknown or don’t comply with your security policies.

An endpoint detection and response (EDR) solution like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you detect attacks and automatically block sophisticated malware. Each Microsoft Defender ATP license covers up to five devices per user.

Discover and manage cloud apps

Cloud apps have proliferated in today’s workplace. They are so easy to use that IT departments are often not aware of which cloud apps their employees access. Microsoft Cloud App Security is a cloud app security broker (CASB) that allows you to discover all the apps used in your network. Cloud App Security’s risk catalog includes over 16,000 apps that are assessed using over 80 risk factors. Once you understand the risk profile of the apps in your network, you can decide whether to allow access, block access, or onboard it on to Azure AD.

Employees are busy in the best of times. Today, with many working from home for the first time—often in a full house—their stress may be compounded. By simplifying the sign-in process and protecting data on apps and devices, Microsoft 356 security solutions like Azure AD, Microsoft Defender ATP, and Cloud App Security, make it easier for employees to work remotely while improving security for the organization.

Digital empathy and Zero Trust are also two of the five security paradigm shifts that will lead to more inclusive user experiences. Next month, I will provide more details about two additional paradigm shifts, the diversity of data, and integrated security solutions.

CTA: To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Follow Ann Johnson @ajohnsocyber for Microsoft’s latest cybersecurity investments and @MSFTSecurity for the latest news and updates on cybersecurity.

The post How do I implement a Zero Trust security model for my Microsoft remote workforce? appeared first on Microsoft Security.

How do I implement a Zero Trust security model for my Microsoft remote workforce?

August 24th, 2020 No comments

Digital empathy should guide your Zero Trust implementation

Zero Trust has always been key to maintaining business continuity. And now, it’s become even more important during the COVID-19 pandemic to helping enable the largest remote workforce in history. While organizations are empowering people to work securely when, where, and how they want, we have found the most successful are the ones who are also empathetic to the end-user experience. At Microsoft, we refer to this approach as digital empathy. As you take steps to protect a mobile workforce, a Zero Trust strategy grounded in digital empathy will help enhance cybersecurity, along with productivity and collaboration too.

This was one of a few important topics that I recently discussed during a cybersecurity fireside chat with industry thought leader, Kelly Bissell, Global Managing Director of Security Accenture. Accenture, one of Microsoft’s most strategic partners, helps clients use Microsoft 365 to implement a Zero Trust strategy that is inclusive of everyone. “How do we make working from home both convenient and secure for employees during this time of constant change and disruption,” has become a common question both Kelly and I hear from organizations as we discuss the challenges of maintaining business continuity while adapting to this new world—and beyond. I encourage everyone to explore these points more deeply by watching my entire conversation with Kelly.

Our long-term Microsoft-Accenture security relationship helps customers navigate the current environment and emerge even stronger as we look past the pandemic. The following are some of the key steps shared during our conversation that you can take to begin applying digital empathy and Zero Trust to your organization.

Protect your identities with Azure Active Directory

Zero Trust is an “assume breach” security posture that treats each request for access as a unique risk to be evaluated and verified. This starts with strong identity authentication. Azure Active Directory (Azure AD) is an identity and secure access management (IAM) solution that you can connect to all your apps including Microsoft apps, non-Microsoft cloud apps, and on-premises apps. Employees sign in once using a single set of credentials, simplifying access. To make it even easier for users, deploy Azure AD solutions like passwordless authentication, which eliminates the need for users to memorize passwords. Multi-factor authentication (MFA) is one of the most important things you can do to help secure employee accounts, so implement MFA for 100 percent of your users, 100 percent of the time.

According to a new Forrester report, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, customers who secure apps with Microsoft Azure Active Directory can improve user productivity, reduce costs, and gain IT efficiencies to generate a 123 % return on investment.

Secure employee devices

Devices present another opportunity for bad actors to infiltrate your organization. Employees may run old operating systems or download vulnerable apps on their personal devices. With Microsoft Endpoint Manager, you can guide employees to keep their devices updated. Conditional Access policies allow you to limit or block access to devices that are unknown or don’t comply with your security policies.

An endpoint detection and response (EDR) solution like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you detect attacks and automatically block sophisticated malware. Each Microsoft Defender ATP license covers up to five devices per user.

Discover and manage cloud apps

Cloud apps have proliferated in today’s workplace. They are so easy to use that IT departments are often not aware of which cloud apps their employees access. Microsoft Cloud App Security is a cloud app security broker (CASB) that allows you to discover all the apps used in your network. Cloud App Security’s risk catalog includes over 16,000 apps that are assessed using over 80 risk factors. Once you understand the risk profile of the apps in your network, you can decide whether to allow access, block access, or onboard it on to Azure AD.

Employees are busy in the best of times. Today, with many working from home for the first time—often in a full house—their stress may be compounded. By simplifying the sign-in process and protecting data on apps and devices, Microsoft 356 security solutions like Azure AD, Microsoft Defender ATP, and Cloud App Security, make it easier for employees to work remotely while improving security for the organization.

Digital empathy and Zero Trust are also two of the five security paradigm shifts that will lead to more inclusive user experiences. Next month, I will provide more details about two additional paradigm shifts, the diversity of data, and integrated security solutions.

CTA: To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Follow Ann Johnson @ajohnsocyber for Microsoft’s latest cybersecurity investments and @MSFTSecurity for the latest news and updates on cybersecurity.

The post How do I implement a Zero Trust security model for my Microsoft remote workforce? appeared first on Microsoft Security.

How do I implement a Zero Trust security model for my Microsoft remote workforce?

August 24th, 2020 No comments

Digital empathy should guide your Zero Trust implementation

Zero Trust has always been key to maintaining business continuity. And now, it’s become even more important during the COVID-19 pandemic to helping enable the largest remote workforce in history. While organizations are empowering people to work securely when, where, and how they want, we have found the most successful are the ones who are also empathetic to the end-user experience. At Microsoft, we refer to this approach as digital empathy. As you take steps to protect a mobile workforce, a Zero Trust strategy grounded in digital empathy will help enhance cybersecurity, along with productivity and collaboration too.

This was one of a few important topics that I recently discussed during a cybersecurity fireside chat with industry thought leader, Kelly Bissell, Global Managing Director of Security Accenture. Accenture, one of Microsoft’s most strategic partners, helps clients use Microsoft 365 to implement a Zero Trust strategy that is inclusive of everyone. “How do we make working from home both convenient and secure for employees during this time of constant change and disruption,” has become a common question both Kelly and I hear from organizations as we discuss the challenges of maintaining business continuity while adapting to this new world—and beyond. I encourage everyone to explore these points more deeply by watching my entire conversation with Kelly.

Our long-term Microsoft-Accenture security relationship helps customers navigate the current environment and emerge even stronger as we look past the pandemic. The following are some of the key steps shared during our conversation that you can take to begin applying digital empathy and Zero Trust to your organization.

Protect your identities with Azure Active Directory

Zero Trust is an “assume breach” security posture that treats each request for access as a unique risk to be evaluated and verified. This starts with strong identity authentication. Azure Active Directory (Azure AD) is an identity and secure access management (IAM) solution that you can connect to all your apps including Microsoft apps, non-Microsoft cloud apps, and on-premises apps. Employees sign in once using a single set of credentials, simplifying access. To make it even easier for users, deploy Azure AD solutions like passwordless authentication, which eliminates the need for users to memorize passwords. Multi-factor authentication (MFA) is one of the most important things you can do to help secure employee accounts, so implement MFA for 100 percent of your users, 100 percent of the time.

According to a new Forrester report, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, customers who secure apps with Microsoft Azure Active Directory can improve user productivity, reduce costs, and gain IT efficiencies to generate a 123 % return on investment.

Secure employee devices

Devices present another opportunity for bad actors to infiltrate your organization. Employees may run old operating systems or download vulnerable apps on their personal devices. With Microsoft Endpoint Manager, you can guide employees to keep their devices updated. Conditional Access policies allow you to limit or block access to devices that are unknown or don’t comply with your security policies.

An endpoint detection and response (EDR) solution like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you detect attacks and automatically block sophisticated malware. Each Microsoft Defender ATP license covers up to five devices per user.

Discover and manage cloud apps

Cloud apps have proliferated in today’s workplace. They are so easy to use that IT departments are often not aware of which cloud apps their employees access. Microsoft Cloud App Security is a cloud app security broker (CASB) that allows you to discover all the apps used in your network. Cloud App Security’s risk catalog includes over 16,000 apps that are assessed using over 80 risk factors. Once you understand the risk profile of the apps in your network, you can decide whether to allow access, block access, or onboard it on to Azure AD.

Employees are busy in the best of times. Today, with many working from home for the first time—often in a full house—their stress may be compounded. By simplifying the sign-in process and protecting data on apps and devices, Microsoft 356 security solutions like Azure AD, Microsoft Defender ATP, and Cloud App Security, make it easier for employees to work remotely while improving security for the organization.

Digital empathy and Zero Trust are also two of the five security paradigm shifts that will lead to more inclusive user experiences. Next month, I will provide more details about two additional paradigm shifts, the diversity of data, and integrated security solutions.

CTA: To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Follow Ann Johnson @ajohnsocyber for Microsoft’s latest cybersecurity investments and @MSFTSecurity for the latest news and updates on cybersecurity.

The post How do I implement a Zero Trust security model for my Microsoft remote workforce? appeared first on Microsoft Security.

Microsoft and Corrata integrate to extend cloud app security to mobile endpoints

August 24th, 2020 No comments

This blog post is part of the Microsoft Intelligence Security Association guest blog series. To learn more about MISA, go here.

The growth of mobile and remote work and the emergence of the “post perimeter” world has made keeping track of shadow IT a huge challenge for enterprise IT teams. What makes this problem particularly difficult for infosec teams is a parallel development. Not only are your apps leaving the data-center, but your employees are leaving the building. In the good old days, you might have used firewalls or secure web gateways to give you visibility. On top of that, risky or unsanctioned apps could be blocked with a firewall script or added to a blacklist.

But with employees working from home, the network perimeter has disappeared. In this new world, how can you have any idea what’s going on, let alone impose control?

The growth of SaaS

The rapid adoption of SaaS services has driven cloud computing and digital transformation for many organizations. File storage, CRM, and ERP systems are now commonly delivered on a SaaS basis. Services based on the SaaS model offer fantastic advantages. For a start, they do not require in-house infrastructure. In addition, they have rich out of the box feature sets and deliver across both web and mobile platforms. Finally, their low upfront commitment and automatic version updates make them easy to adopt. Their advantages are endless…

…and of Shadow IT

Research by Microsoft shows that on average enterprises use more than 1,000 SaaS applications and that IT are unaware of more than 60% of these applications (so-called ‘shadow IT’). As a result, corporate data can easily slip beyond the control of the company’s ‘gatekeeper’. Once your CRM is in the cloud, your visibility is limited – it’s more challenging to see when a soon to depart salesperson has downloaded the contact details of your entire customer base. Or, imagine that highly- sensitive network diagrams are leaked online leaving your company vulnerable to spoofing or Man-in-the-Middle attacks.

Discovery and control

It is on foot of these trends that the ability to discover and control cloud app usage across organizations has become critical. New SaaS apps need to be quickly identified and risk assessed. Approved apps can be integrated with existing identity and security processes while risky and unsanctioned apps can be blocked. Robust mechanisms for discovering cloud app usage and blocking unapproved apps are important. Remote and mobile work scenarios present particular challenges because they are beyond the network perimeter. For instance, mobile app usage has doubled since organizations migrated to remote working. As a result, companies have no way of knowing what SaaS services their employees are engaging with. For example, an employee might use unsanctioned cloud storage apps for uploading client data or use unapproved marketing automation tools. This is why cloud app security and visibility is critical.

Why endpoint makes sense

The answer to this is what the industry calls “endpoint cloud application discovery and control”. What does this clunky phrase refer to, you ask? It refers to the use of endpoint security solutions, such as Corrata or Microsoft Defender ATP, to identify cloud app usage and to block risky or unsanctioned apps.

The endpoint security solution collects traffic information to discover what apps are in use, uploading this information to a cloud access security broker (CASB) solution such as Microsoft Cloud App Security. The IT admin uses the CASB portal to specify which apps are to be blocked. The CASB then automatically forwards these instructions to the endpoint security solution which enforces the block on the endpoint.

At Ignite 2019, Microsoft Cloud App Security announced an integration with Microsoft Defender ATP to bring endpoint-based cloud discovery and control to Windows devices. Now Corrata’s integration with Microsoft Cloud App Security means that Microsoft customers can extend the same discovery and control to phones and tablets. This means that you can automatically detect the cloud apps your employees are using on mobile devices and take the appropriate security actions. Namely, Corrata acts as a firewall on your unmanaged mobile and tablet devices.

How does it work?

Corrata and Microsoft have worked together to ensure that the integration of the Corrata solution with Microsoft Cloud App Security is simple and easy to implement.

A graphic showing how Corrata and Microsoft have worked together to ensure that the integration of the Corrata solution with Microsoft Cloud App Security is simple and easy to implement.

Traffic information from smartphones and tablets running Corrata is uploaded for analysis to Microsoft Cloud App Security on a continuous basis. Cloud app usage information collected by Corrata is visible to admins via the Microsoft Cloud App Security console. This provides an integrated view of an organization’s cloud app usage and one-click enforcement of app usage policies across iOS, Android, and Windows devices.

App designated as risky or unsanctioned within the Cloud App Security portal are automatically blocked by Corrata on the mobile endpoint. This capability is delivered using Corrata’s patented SafePathML technology which uses Machine Learning to accurately assess the probability of a domain being unsafe. With SafePathML, Corrata can block threats even before the wider cyber security community has identified them.

If you’re an existing or prospective Corrata or Microsoft Cloud App Security customer, you can learn more here about how to harness the advantages of endpoint-based discovery and control for cloud apps.

Corrata is a member of the Microsoft Intelligent Security Association.

Find the Corrata Microsoft Cloud App Security Solution on the Azure Marketplace here.

To learn more about the Microsoft Intelligent Security Association (MISA) #MISA, visit our website where you can learn more about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn more about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft and Corrata integrate to extend cloud app security to mobile endpoints appeared first on Microsoft Security.

Taking Transport Layer Security (TLS) to the next level with TLS 1.3

August 20th, 2020 No comments

Transport Layer Security (TLS) 1.3 is now enabled by default on Windows 10 Insider Preview builds, starting with Build 20170, the first step in a broader rollout to Windows 10 systems. TLS 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible.

Security and performance enhancements in TLS 1.3

TLS 1.3 now uses just 3 cipher suites, all with perfect forward secrecy (PFS), authenticated encryption and additional data (AEAD), and modern algorithms. This addresses challenges with the IANA TLS registry defining hundreds of cipher suite code points, which often resulted in uncertain security properties or broken interoperability.

The new TLS version also improves privacy by using a minimal set of cleartext protocol bits on the wire, which helps prevent protocol ossification and will facilitate the deployment of future TLS versions. In addition, in TLS 1.3, content length hiding is enabled by a minimal set of cleartext protocol bits. This means that less user information is visible on the network.

In previous TLS versions, client authentication exposed client identity on the network unless it was accomplished via renegotiation, which entailed extra round trips and CPU costs. In TLS 1.3, client authentication is always confidential.

Integrating your application or service with TLS 1.3 protocol

We highly recommend for developers to start testing TLS 1.3 in their applications and services. The streamlined list of supported cipher suites reduces complexity and guarantees certain security properties, such as forward secrecy (FS). These are the supported cipher suites in Windows TLS stack (Note: TLS_CHACHA20_POLY1305_SHA256 is disabled by default):

  1. TLS_AES_128_GCM_SHA256
  2. TLS_AES_256_GCM_SHA384
  3. TLS_CHACHA20_POLY1305_SHA256

The protocol enables encryption earlier in the handshake, providing better confidentiality and preventing interference from poorly designed middle boxes. TLS 1.3 encrypts the client certificate, so client identity remains private and renegotiation is not required for secure client authentication.

Enabling TLS 1.3

TLS 1.3 is enabled by default in IIS/HTTP.SYS. Microsoft Edge Legacy and Internet Explorer can be configured to enable TLS 1.3 via the Internet options > Advanced settings. (Note: The browser needs to be restarted after TLS 1.3 is enabled.)

Screenshot of Advanced settings tab in Internet options menu, showing TLS 1.3 option

The Chromium-based Microsoft Edge does not use the Windows TLS stack and is configured independently using the Edge://flags dialog.

Security support provider interface (SSPI) callers can use TLS 1.3 by passing the new crypto-agile SCH_CREDENTIALS structure when calling AcquireCredentialsHandle, which will enable TLS 1.3 by default. SSPI callers using TLS 1.3 need to make sure their code correctly handles SEC_I_RENEGOTIATE.

TLS 1.3 support will also be added to .NET beginning with version 5.0.

For more information about TLS 1.3, refer to the Microsoft TLS 1.3 support reference.

 

Sunny Zankharia

Program Manager, Enterprise and OS Security

Andrei Popov

Principal Software Engineer, Enterprise and OS Security

 

The post Taking Transport Layer Security (TLS) to the next level with TLS 1.3 appeared first on Microsoft Security.

Gartner announces the 2020 Magic Quadrant for Unified Endpoint Management

August 20th, 2020 No comments

I’m excited to announce that, earlier today, Gartner listed Microsoft as a Leader in its 2020 Magic Quadrant for Unified Endpoint Management. You can read the entire report here, and you can see a snapshot of the Magic Quadrant below.

You will note that we improved on both the “Ability to Execute” and “Completeness of Vision” axes.

A major culture principle within the Microsoft Endpoint Manager team has been to place the ultimate measure of value on usage, and we have built our products accordingly. We extend this principle in our belief that customers choose to run their businesses with the products that offer IT the best combination of value and functionality, and provide the organization with the best user experience.

Our desire is to be an organization that constantly listens to and learns from our customers. Our successes are the result of very concrete changes we’ve made to the way we operate. The acceleration of customer value and simpler solutions are the result of very deliberate changes we made in engineering focus and in the things we choose to celebrate. When we stopped celebrating the shipment of a new product and instead started throwing all our energy into supporting our customers’ usage goals, our customers experienced greater value and benefit.

It isn’t about shipping. It isn’t about revenue. It’s usage that will always be the foremost leading indicator of the value for our customers—and it is by making the effort to focus our team on customer usage that enabled us to create and sustain an organization-wide culture that recognizes and rewards the behaviors that guarantee your long-term success.

To be clear, we have always considered Configuration Manager and Intune to be one solution—but we made it official in the last year bringing them together as Microsoft Endpoint Manager.

This made all the difference in our progress with Endpoint Manager reflected in this report. We are innovating faster, we have more customer empathy, and we are delivering more value than ever before to more customers than we ever thought possible.

According to the Gartner report, “Drastic change and a global pandemic marked a tumultuous year in the UEM market. The past 12 months magnified legacy CMT limitations and drove I&O leaders to UEM for reduced complexity, location-agnostic device management, and analytics to track and improve device performance and end-user experience.”

Maximize what you learn from the Magic Quadrant

As you evaluate these conclusions and determine the best course of action for your company, consider what trends and market forces were driving the ultimate conclusions made by Gartner, and superimpose this perspective on the unique needs of your organization.

Also, of course, don’t hesitate to reach out to Microsoft for more information, or, as always, go ahead and reach out to me on Twitter or LinkedIn.

Image of the Magic Quadrant.

Gartner, Magic Quadrant for Unified Endpoint Management, August 11, 2020.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Follow @MSIntune for the latest news on endpoint management.

The post Gartner announces the 2020 Magic Quadrant for Unified Endpoint Management appeared first on Microsoft Security.

New data from Microsoft shows how the pandemic is accelerating the digital transformation of cyber-security

August 19th, 2020 No comments

An image showing the pandemic's effect on budgets.

The importance of cybersecurity in facilitating productive remote work was a significant catalyst for the two years-worth of digital transformation we observed in the first two months of the COVID-19 pandemic. In this era of ubiquitous computing, security solutions don’t just sniff out threats, they serve as control planes for improving productivity and collaboration by giving end-users easier access to more corporate resources. Microsoft recently concluded a survey of nearly 800 business leaders of companies of more than 500 employees in India (IN), Germany (DE), the United Kingdom (UK) and the United States (US) to better understand their views of the pandemic threat landscape, implications for budgets and staffing, and how they feel the pandemic could reshape the cyber-security long-term.

Among the key insights are data showing that an alarming number of businesses are still impacted by phishing scams, security budgets, and hiring increased in response to COVID-19, and cloud-based technologies and architectures like Zero Trust are significant areas of investment moving forward.

Improving Productivity & Mitigating Threats

Security and IT teams have been working overtime to meet business goals while simultaneously staying ahead of new threats and scams. “Providing secure remote access to resources, apps, and data” is the #1 challenge reported by security leaders. For many businesses, the limits of the trust model they had been using, which leaned heavily on company-managed devices, physical access to buildings, and limited remote access to select line-of-business apps, got exposed early on in the pandemic. This paradigm shift has been most acute in the limitations of basic username/password authentication. As a result, when asked to identify the top security investment made during the pandemic the top response was Multi-factor authentication (MFA).

An graph of the Top 5 Cybersecurity Investments Since Beginning of Pandemic.

In other ways, pandemic security risks feel all too familiar. Asked to identify their best pre-pandemic security investment, most identified anti-phishing technology.  Microsoft Threat Intelligence teams reported a spike in COVID-19 attacks in early March as cybercriminals applied pandemic themed lures to known scams and malware. Business leaders reported phishing threats as the biggest risk to security in that same timeframe, with 90% of indicating that phishing attacks have impacted their organization. More than half said clicking on phishing emails was the highest risk behavior they observed and a full 28% admitted that attackers had successfully phished their users.  Notably, successful phishing attacks were reported in significantly higher numbers from organizations that described their resources as mostly on-premises (36%) as opposed to being more cloud-based.

A graphic of the prevalence of successful phishing attacks.

An image of prevalence of successful phishing attacks

Security Impacting Budgets and Staffing

The role of security in remote work is having a direct impact on security budgets and staffing in 2020 as businesses scale existing solutions, enabling critical new capabilities like MFA, and implement a Zero Trust strategy. In order to adapt to the many business implications of the pandemic, a majority of business leaders reported budget increases for security (58%) and compliance (65%). At the same time, 81% also report feeling pressure to lower overall security costs.  Business leaders from organizations with resources mostly on-premises are especially likely to feel budget pressure, with roughly 1/3rd feeling ‘very pressured.’

To rein in expenses in the short-term, leaders say they are working to improve integrated threat protection to reduce the risk of costly breaches and acquire security solutions with self-help options for users to drive efficiency. In the longer-term, nearly 40% of businesses say they are prioritizing investments in Cloud Security (Cloud Access Security Broker, Cloud Workload Protection Platform, Cloud Security Posture Management), followed by Data & Information Security (28%) and anti-phishing tools (26%).

A graph of cybersecurity budget changes in response to the pandemic.

Technology alone cannot keep pace with the threats and demands facing businesses and their largely remote workforces. Human security expertise is at a premium with more than 80% of companies adding security professionals in response to COVID-19.

A graph of changes to cybersecurity staffing due to pandemic.

5 Ways the Pandemic is Changing Cybersecurity long-term

The pandemic has accelerated digital transformation is several ways that are likely to change the security paradigm for the foreseeable future.

1. Security has proven to be the foundation for digital empathy in a remote workforce during the pandemic. When billions of people formed the largest remote workforce in history, overnight, teams learned much more than how to scale Virtual Private Networks. Companies were reminded that security technology is fundamentally about improving productivity and collaboration through inclusive end-user experiences. Improving end-user experience and productivity while working remotely is the top priority of security business leaders (41%), with “extend security to more apps for remote work” identified as the most positively received action by users. Not surprisingly, then, “providing secure remote access to resources, apps, and data” is the biggest challenge. For many businesses, the journey begins with MFA adoption.

2. Everyone is on a Zero Trust journey. Zero Trust shifted from an option to a business priority in the early days of the pandemic. In light of the growth in remote work, 51% of business leaders are speeding up the deployment of Zero Trust capabilities. The Zero Trust architecture will eventually become the industry standard, which means everyone is on a Zero Trust journey. That reality is reflected in the numbers like 94% of companies report that they are in the process of deploying new Zero Trust capabilities to some extent.

An graph of the impact of pandemic on organizational view of Zero Trust.

3. Diverse data sets mean better Threat Intelligence. The pandemic illustrated the power and scale of the cloud as Microsoft tracked more than 8 trillion daily threat signals from a diverse set of products, services, and feeds around the globe. A blend of automated tools and human insights helped to identify new COVID-19 themed threats before they reached customers – sometimes in a fraction of a second. In other cases, cloud-based filters and detections alert security teams to suspicious behavior. Not surprisingly, 54% of security leaders reported an increase in phishing attacks since the beginning of the pandemic.

4. Cyber resilience is fundamental to business operations. Cybersecurity provides the underpinning to operationally resiliency as more organizations enable secure remote work options. To maintain cyber resilience, businesses need to regularly evaluate their risk threshold and ability to execute cyber resilience processes through a combination of human efforts and technology products and services. The cloud makes developing a comprehensive Cyber Resilience strategy and preparing for a wide range of contingencies simpler.

More than half of cloud forward and hybrid companies report having cyber-resilience strategy for most risk scenarios compared to 40% of primarily on-premises organization. 19% of companies relying primarily upon on-premises technology do not expect to maintain a documented cyber-resilience plan.

5. The cloud is a security imperative. Where people often thought about security as a solution to deploy on top of existing infrastructure, events like Covid-19 showcase the need for truly integrated security for companies of all sizes. As a result, integrated security solutions are now seen as imperative.

A graph of the top 5 cybersecurity investments through the end of 2020.

These insights from security leaders echo many of the best practices that Microsoft has been sharing with customers and working around the clock to help them implement. The bottom line is that the pandemic is clearly accelerating the digital transformation of cyber-security. Microsoft is here to help.  If any of the insights we’ve shared today resonate with you and your teams, here are a few things you should consider

  • Listen to employees and take steps to build digital empathy. Enabling self-help options is a win-win for end-users and IT.
  • Hire diverse security talent and empower them with great threat intelligence and tools.
  • Embrace the reality that remote work is having a lasting impact on the security paradigm. Lean into the power of the cloud for built-in security spanning endpoints to the cloud.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post New data from Microsoft shows how the pandemic is accelerating the digital transformation of cyber-security appeared first on Microsoft Security.

Control Flow Guard for Clang/LLVM and Rust

August 17th, 2020 No comments

As part of our ongoing efforts towards safer systems programming, we’re pleased to announce that Windows Control Flow Guard (CFG) support is now available in the Clang C/C++ compiler and Rust. What is Control Flow Guard? CFG is a platform security technology designed to enforce control flow integrity. It has been available since Windows 8.1 …

Control Flow Guard for Clang/LLVM and Rust Read More »

The post Control Flow Guard for Clang/LLVM and Rust appeared first on Microsoft Security Response Center.

New Forrester study shows customers who deploy Microsoft Azure AD benefit from 123% ROI.

August 13th, 2020 No comments

Over the past six months, organizations around the world have accelerated digital transformation efforts to rapidly enable a remote workforce. As more employees than ever access apps via their home networks, the corporate network perimeter has truly disappeared, making identity the control plane for effective and secure access across all users and digital resources.

Businesses have responded to the pandemic by increasing budgets, adding staff, and accelerating deployment of cloud-based security technologies to stay ahead of phishing scams and to enable Zero Trust architectures. But the pressure to reduce costs is also real. Given COVID-19 and uncertain economic conditions, many of you are prioritizing security investments. But how should you allocate them? According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, investing in identity can not only help you accelerate your Zero Trust journey, it can also save you money and deliver more value. In this commissioned study, Forrester Consulting interviewed four customers in different industries who have used Azure AD for years. Forrester used these interviews to develop a composite organization. They found that customers securing apps with Azure AD can benefit from a 123 percent return on investment over three years in a payback period of six months.

An image showing the total econmic impact of securing apps with Microsoft Azure AD.

The customers interviewed improved user productivity, reduced costs, and gained IT efficiencies in the following areas[1]:

Increased worker productivity with secure and seamless access to all apps

Employees expect to collaborate on any project from anywhere using any app—especially now, when so many are working from home. But they find signing into multiple applications throughout the day frustrating and time-consuming. When you connect all your apps to Azure AD, employees sign in once using single sign-on (SSO). From there, they can easily access Microsoft apps like Microsoft Teams, software as a service (SaaS) apps like Box, on-premises apps like SAP Hana, and various custom line-of-business apps. Forrester estimates that consolidating to a single identity and access management solution and providing one set of credentials saves each employee 10 minutes a week on average, valued at USD 7.1 million over three years.

“Our CIO really didn’t like that anybody onboarding with our company was receiving—and this is not an exaggeration—two dozen credentials. In the executive branch, they took up to two weeks to get a new hire on their feet.” –Director of workplace technology, Electronics

Reduced costs by reducing the risk of a data breach

A data breach can be incredibly expensive for victims, who must recover not only their environments but also their reputations. Breaches often start with a compromised account, which is why it’s so important to protect your identities.

With Azure AD, you can secure all your applications and make it harder for attackers to acquire and use stolen credentials. You can ban common passwords, block legacy authentication, and protect your privileged identities. You can implement adaptive risk-based policies and enforce multi-factor authentication to ensure that only the right users have the right access. Forrester found that using these Azure AD features can help organizations reduce the risk of a data breach, saving them an estimated USD 2.2 million over a three-year period.

“Conditional Access was non-negotiable as we moved to the cloud. We had to be able to apply policies that scoped applications, users, devices, and risk states. You can’t let a compromised user walk into a cloud app anymore. It’s unacceptable.” –Information security services, manufacturing

Empowered workers to reset their own passwords

If you have a help desk, your employees likely make thousands of password reset requests per month. Locked out users can’t be productive, and their pleas for help eat up valuable time help desk workers could spend on other priority tasks. One organization told Forrester it costs them between USD500,000 and USD700,000 per year just to reset passwords.

With Azure AD Self-Service Password Reset, employees can reset their own passwords without help desk intervention. Forrester estimates that with this feature, customers can decrease the number of password reset calls per month by 75 percent, yielding a three-year adjusted present value of USD 1.7 million.

Unlocked efficiency gains by consolidating their identity infrastructure

Many enterprises use several solutions to manage identity and access management: an on-premises solution for legacy applications, a SaaS-based solution for modern cloud applications, and Azure AD for Microsoft applications. Maintaining this complex infrastructure requires multiple servers and licenses, not to mention people who understand the various systems. Migrating authentication for all your apps to Azure AD can significantly reduce hardware and licensing fees. Forrester estimates savings at a three-year adjusted present value of USD 1.9 million.

Consolidating your identity infrastructure to Azure AD gives you the benefits of cloud-based identity and access management solutions and frees your team to focus on other priorities. IT and identity teams in the study reduced time and effort spent provisioning/deprovisioning accounts, integrating new applications, and addressing issues related to IAM infrastructure. They also experienced less system downtime. Forrester estimated the value of IT efficiency gains at USD 3.0 million over three years.

Integrating with Azure AD also benefits software vendors

As part of the TEI, Forrester interviewed two Independent Software Vendors (ISVs), Zscaler and Workplace from Facebook. They documented their findings in the spotlight, Software Vendors Boost Adoption by Integrating Their Apps with Microsoft Azure Active Directory. Integrating their applications with Azure AD helped the two ISVs interviewed accelerate their sales cycles, as well as product adoption. Seamless integration with Azure AD helps ISVs reach the more than 200,000 organizations that use Azure AD. ISVs can easily give their customers and prospects single sign-on, automated user provisioning, and enhanced security through the security features built into Azure AD, while focusing their energies on enhancing their own solution.

“There is a shorter sales cycle for our platform. Many of our customers are already AD FS-based users, and our integration with Azure AD makes the case for our services that much more compelling. It also allows us to be more agile in helping customers get things implemented more quickly. Essentially, there’re fewer barriers to entry for customers.” – Vice President, product management, Zscaler

“We have a strong mutual customer base with Microsoft, which is why we’ve built such a great partnership with them over the years. Obviously, Azure AD is widely used by our customers, so it makes sense to leverage it.” – Platform Partnerships Manager, Workplace from Facebook

Learn more

COVID-19 has ushered in a new normal of remote work and conservative budgets, but that doesn’t mean you have to sacrifice security or the user experience. By integrating all your apps with Azure AD you can add value—like giving your employees a more convenient and secure work from home experience—while preserving valuable resources.

Find out how Azure AD can help secure all your apps and read the full Forrester Consulting study, The Total Economic Impact™ of securing apps with Microsoft Azure Active Directory and Software vendors boost adoption by integrating their apps with Microsoft Azure Active spotlight.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Forrester based all savings estimates on the composite organization developed for its TEI study.

The post New Forrester study shows customers who deploy Microsoft Azure AD benefit from 123% ROI. appeared first on Microsoft Security.

Microsoft Office 365—Do you have a false sense of cloud security?

August 11th, 2020 No comments

Through difficult times, some adversaries will find opportunities and COVID-19 has proven to be a ripe opportunity for them to target a new, expanding, remote workforce. While these threats morph and evolve, Microsoft’s Detection and Response Team (DART) finds ways to endure and help organizations become more resilient

Cloud environments are continuously being put to the test during this challenging period. DART has seen various security configurations in our customers’ cloud tenants. The one commonality:  administrators flip the switch on a few security tasks without genuinely understanding the process and procedures needed to ensure everything works as designed and consequently create gaps in defenses and opportunities for attackers to circumvent security controls. When it comes to defense-in-depth, these controls must work in concert with one another.

Three measures you should employ to improve the security of your cloud environment

This post describes three security measures you should employ for your Azure AD/Office 365 environment when first setting up a new tenant, or when tightening the reins on a well-established tenant.

  1. Create an emergency Global Administration account.
  2. Enable Multi-factor Authentication (MFA).
  3. Block legacy authentication.

1. Create an emergency Global Administrator account

An emergency Global Administrator account, also known as a “Break Glass Account”, is critical to the overall security posture of your tenant, and it prevents you from being accidentally locked out of your Azure Active Directory (Azure AD). Think about the consequences of your administrators getting locked out; you cannot sign in, activate users, assign licenses, or validate the actions happening in your tenant. Emergency access accounts are highly privileged and not assigned to specific users. These accounts must be excluded from your current security controls, and must have compensatory controls. These controls might include the following:

  • Only allowing the “Break Glass Account” to log in from a particular IP address range.
  • Implementing detection controls like enhanced alerting and/or monitoring the use of these accounts.

Use of emergency access accounts should be limited to true emergencies, when standard administrative accounts cannot be used. For detailed information, please see  https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access.

2. Enable Multi-Factor Authentication (MFA)

Enabling MFA seems straightforward, right? Sadly, even today, it isn’t. You allow the Conditional Access Policy for the enablement of MFA, but for the sake of convenience,  permit exclusions to these policies, such as not enabling MFA for the Global Administrators or any of the other O365 workload (Exchange, SharePoint, OneDrive) Administrators and continue to enable Basic/Legacy Authentication. As a result, you now host an ineffective policy that puts your organization at tremendous risk. For detailed information, please see  https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa.

Real-World Scenario—A large company enabled MFA for all global administrators. Unbeknownst to the rest of the team, a user modified the policy to exclude a global administrator account. This user’s act put the company at considerable risk; the account was eventually compromised using a trivial Password Spray attack. It is bad enough when a standard user with no elevated privileges is compromised— Global Administrator accounts have access to all of Azure AD and Office 365, so when this account was affected, the organization’s entire tenant was compromised. Monitoring and alerting for the implementation of persistence mechanisms, such as the creation of a new mailbox forwarding rule, would have also triggered a security alert and a full incident response investigation of the modified tenant. This incident also could have been easily avoided by merely monitoring and alerting for the creation of Global Administrator accounts and any changes to these accounts. The threat actor has leveraged all these techniques to essentially gain and maintain access to the organization’s tenant to achieve their mission objective for data exposure and exfiltration.

3. Block Legacy Authentication

Legacy authentication refers to protocols that use basic authentication, such as Exchange Web Services (EWS), POP, SMTP, IMAP, and MAPI. These protocols cannot enforce any type of second-factor authentication (e.g., MFA), which makes them a popular entry point for bad actors. As such, for MFA to be useful, you also need to block legacy authentication.

There are still risks once you’ve disabled legacy authentication and enabled MFA. From an operational standpoint, understanding the implications of disabling legacy authentication is critical. You could disrupt essential workflows and disrupt access to applications not written to support modern authentication (including dated Outlook clients).

So, what can you do? Identify which users and applications are currently using legacy authentication in your tenant via Azure AD Sign-in logs. Configure exclusions for applications that cannot be modified to support modern authentication. Also, ensure you configure the policies granularly for more robust security configurations, such as only allowing specific users and a particular IP range to use legacy authentication. This way, you can make access to legacy authentication more stringent where you must use it, and you can block legacy authentication in other scenarios. Configure your conditional access policy to be in a report-only mode to ensure you understand what will happen when you flip on the policy. For more information, please see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication.

Bricks laid, next: the mortar

There is a multitude of adversary tactics and techniques for the infiltration of a cloud environment. Based on DART’s observations from the frontlines, implementing these three security controls will help ensure the front and back doors to your organization’s cloud environment remain locked. DART recommends assessing these vulnerability points regularly so that when a real threat strikes, your defense-in-depth approach of technical controls, detection-in-depth, and monitoring and alerts will prepare your staff to jump into action quickly.

In an upcoming blog post, we’ll dive into what we like to call the “Easy Button” approach to security defaults. These pre-configured security settings help defend your organization against frequent identity-related attacks, such as password spray, replay, and phishing, and provide additional mortar towards the security foundation of your cloud environment.

Want to learn more about DART (Detection and Response Team)? Read our past blog posts here.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Office 365—Do you have a false sense of cloud security? appeared first on Microsoft Security.