Ensuring security of your Microsoft Teams apps with Microsoft Cloud App Security

Microsoft Malware Protection Center - Wed, 06/12/2019 - 12:00pm

Apps in Microsoft Teams allow you to leverage additional capabilities, enhance your experience, and make Teams work for you by adding your favorite Microsoft and third-party services.

Today, hundreds of ecosystem apps provide a great way to enhance and customize Teams, but to enable applications and services in an organization, they often need to be reviewed across a wide range of security and compliance criteria.

At Microsoft Build 2019, we announced the app certification program. Powered by Microsoft’s Cloud Access Security Broker, it streamlines the process of gathering information about security, data handling, and compliance practices from our partners, and gives customers the ability to review this information in one central location.

App certification program

The goal of the app certification program is to provide customers with a reliable, unified, and publicly accessible cloud app risk assessment catalog via Microsoft AppSource and within the relevant admin portals. At the same time, we give partners the ability to work directly with Microsoft to provide the most up-to-date information about their apps’ security and compliance and certify these apps for business readiness.

In the first stage of this program, we’ll work closely with solution providers of Teams apps to ensure that the information is up to date, and allow them to self-attest their apps against more than 80 risk factors provided by Microsoft Cloud App Security, as well as leverage their security and compliance information submitted in CSA STAR.

In the future, we’ll expand this program beyond Teams to include our entire app ecosystem across Microsoft 365. We’ll also look into opportunities that would allow customers to easily identify apps that can enhance their experience in Teams, while meeting certain security and compliance requirements. A central app certification program could provide developers the ability to receive a “business ready” badge for each app and simplify the selection process for organizations.

Public risk assessment information for Teams apps.

Microsoft Cloud App Security

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

The Microsoft Cloud App Security cloud app catalog is the basis for the new certification program. Today, it includes an extensive and continuously growing catalog of more than 16,000 cloud apps that have each been assessed against more than 80 risk factors spanning security, compliance, and legal frameworks.

Risk assessment information for apps inside of Microsoft Cloud App Security.

Today, the cloud app catalog is kept updated through automated advanced data extraction, continuous analysis by the Microsoft Cloud App Security analyst team, and customer-based revision requests. Going forward, we’ll automatically update the information based on our partners’ self-attestation as they engage in the new app certification program.

The new app certification program gives our customers a transparent way to review apps and ensure they meet internal security and compliance guidelines before approving them for use in their tenant.

This program is currently in its pilot phase. To assess and manage the risk of using Teams apps, check out the security and compliance content now available via Microsoft Docs.

Selection of the partners currently covered under the app certification program.

The post Ensuring security of your Microsoft Teams apps with Microsoft Cloud App Security appeared first on Microsoft Security.

4 best practices to help you integrate security into DevOps

Microsoft Malware Protection Center - Tue, 06/11/2019 - 12:00pm

Microsoft’s transition of its corporate resources to the cloud required us to rethink how we integrate security into the agile development environment. In the old process, we often worked on 6- to 12-month development cycles for internal products. The security operations team was separate from the application development team and was responsible for ensuring that applications met security requirements. There was time to troubleshoot security between the two teams. Once we shifted to a shorter development cycle, we had to compress the new process to bake security into DevOps.

Our experience has led us to adopt four best practices that guide our thinking about integrating security with DevOps:

  1. Inventory your cloud resources.
  2. Establish a governance structure for cloud services.
  3. Give DevOps accountability for security.
  4. Redefine centralized security.

This post walks you through these tenets with some advice we hope you can apply to your own organization.

Inventory your cloud resources

Cloud subscriptions are so easy to spin up that many organizations don’t have a comprehensive understanding of which teams are using which services. This makes it challenging to manage your costs and enforce security policies. If you are uncertain which services you are currently paying for, billing is a good place to start.

Establish a governance structure for cloud services

Once you understand your cloud inventory, you can begin the work of making sure your investments align with your business strategies. This may mean limiting which services your organization uses to maximize the ones that will help you meet your business goals. Then, align your organization to your cloud strategy by defining a governing structure:

  • Develop business scenarios that define acceptable use and configuration of cloud resources.
  • Define architecture and patterns for the cloud services you plan to use.
  • Limit who can create new subscriptions.

Give DevOps accountability for security

The only way to effectively enforce security policies in a short development cycle is to integrate security into the application development process. Early in our evolution, we dropped security team members into application development teams to create a single team with shared goals. This revealed cultural challenges and unexamined assumptions. Initially, both the application developers and the security team expected to conduct their jobs as they had in the past. Application developers wrote code and then security operations queued up issues to address. This proved unworkable for two reasons. Security analysts were queuing up too many security tasks to fit within the cycle. The application developers were often confused because security operations underestimated how well they understood the nuances of security.

The only way to meet our goals was to shift accountability for security to the DevOps teams. We wanted application developers to try to solve security issues as part of their process. This required education, but we also implemented some practices that encouraged the team to take on that responsibility:

  • Secure DevOps Kit for Azure—The Secure DevOps Kit for Azure provides scripts that can be configured for each resource. During development and before production, DevOps can easily validate that security controls are at the right level.
  • Security scorecard—The scorecard highlights which members of the team are skilled at addressing security and encourages people to improve and collaborate with each other.
  • Penetration testing—When a red team conducts a penetration test of an application, the results typically inspire the team to take security more seriously.

Redefine centralized security

We experimented with eliminating a central security team entirely, but ultimately, we realized that we needed a centralized team to monitor the big picture and set baselines. They establish our risk tolerance and measure security controls across subscriptions. They also automate as much of the security controls as they can. This includes configuring the Secure DevOps Kit for Azure. This team also needed training to better understand the vulnerabilities of the cloud. Tabletop exercises to talk through possible attacks with red teams were one way they got up to speed.

As our evolving process suggests, our biggest challenge was shifting culture and mindset. We recommend that you take time to define roles and start with a small team. You can expect to continuously discover better ways to improve teamwork and the security of your process and your applications.

Get started

For more details on how we evolved our security process for the cloud, watch the Speaking of security: Cloud migration webinar and get the Secure DevOps Kit for Azure.

The post 4 best practices to help you integrate security into DevOps appeared first on Microsoft Security.

Advancing Windows 10 as a passwordless platform

Microsoft Malware Protection Center - Mon, 06/10/2019 - 12:00pm

Passwords can be frustrating, difficult to remember, and easily hacked or stolen. That’s why our vision for Windows is one of a passwordless platform—a world where users don’t have to deal with the pains of a password.

With the release of Windows 10, version 1903, we’re bringing Windows 10 closer to delivering our passwordless user and security promises, with new features that we’re excited for you to try out:

  • Adding a passwordless phone number Microsoft account to Windows.
  • Passwordless sign-in to Windows for the first time with the Microsoft Authenticator app.
  • Windows Hello certified as a FIDO2 authenticator for passwordless sign-in on the web.
  • Streamlined Windows Hello PIN recovery above the lock screen.

Figure 1. Passwordless Windows Hello sign-in to Windows 10.

Adding a passwordless phone number Microsoft account to Windows

A passwordless phone number Microsoft account is exactly what it sounds like—a Microsoft account that can be created with just your phone number in mobile Office apps like Word, OneNote, or Outlook on your iOS or Android device. It unlocks all the benefits of a Microsoft account, and most importantly, it doesn’t require a password.

Figure 2. Creating a passwordless phone number Microsoft account for Word Mobile on an iOS device.

Now for the first time ever, you can go to Settings and add a passwordless phone number Microsoft account to your device and use the Microsoft Authenticator app, or an SMS code roundtrip, to sign in for the first time—no password needed! This is enabled with an added web sign-in capability on the Windows lock screen. After that, Windows Hello is set up for an end-to-end passwordless experience.

Figure 3. Adding a Microsoft account to Windows through the Settings app.

Passwordless sign-in to Windows for the first time with the Microsoft Authenticator app

In addition to supporting passwordless phone number Microsoft account sign-in, the web sign-in capability can be used with any Microsoft account—even if it’s just a regular email account. You can try it out by adding a Microsoft account to Windows, signing in for the first time with the Microsoft Authenticator app (make sure it’s already set up for your Microsoft account), and setting up Windows Hello face, fingerprint, or PIN for later sign-ins—all without a password!

Figure 4. First time Microsoft account sign-in to Windows with the Microsoft Authenticator app.

Windows Hello certified as a FIDO2 authenticator for passwordless sign-in on the web

In November 2018, we announced the ability to use Windows Hello and FIDO2 compliant Microsoft-compatible security keys for passwordless sign-in on the web with a Microsoft account. Additionally, the FIDO Alliance recently announced that with Windows 10, version 1903, Windows Hello is a FIDO2 certified authenticator.

With this announcement, you can use Windows Hello or FIDO2 compliant Microsoft-compatible security keys for sign-in to the web on Windows 10. This is available on Mozilla Firefox version 66 and above and will soon be supported on Chromium-based browsers, including Microsoft Edge on Chromium, when signing in to a Microsoft account and other websites supporting FIDO authentication.

Figure 5. Using Windows Hello to sign in to a Microsoft account on Firefox.

To learn how to enable FIDO authentication, watch Enabling your application and services to use passwordless authentication and read Windows Hello FIDO2 certification gets you closer to passwordless.

Streamlined Windows Hello PIN recovery above the lock screen

We know that users occasionally forget their Windows Hello PIN, so we wanted to provide our Microsoft account users with a revamped “I forgot my PIN” experience above the Windows lock screen with the same look and feel as signing in on the web. Just like first time sign-in, you can use the Microsoft Authenticator app instead of a password to reset your PIN when signing in.

Figure 6: Streamlined Windows Hello PIN recovery experience above lock.

Let us know what you think

While there’s still a ways to go in our passwordless platform journey, we’re excited for you to try these new features and let us know what you think. Comments, questions, and feedback are all welcome! You can reach out to us at or by posting in the Windows 10 Feedback Hub app.

The post Advancing Windows 10 as a passwordless platform appeared first on Microsoft Security.

Lessons learned from the Microsoft SOC Part 2b: Career paths and readiness

Microsoft Malware Protection Center - Thu, 06/06/2019 - 12:00pm

The “Lessons learned from the Microsoft SOC” blog series is designed to share our approach and experience with security operations center (SOC) operations, so you can use what we learned to improve your SOC. The learnings in the series come primarily from Microsoft’s corporate IT security operation team, one of several specialized teams in the Microsoft Cyber Defense Operations Center (CDOC). We’ve also included lessons our Detection and Response Team (DART) have learned helping our customers respond to major incidents and insights from the other internal SOC teams.

Today, we wrap up our discussion on people—our most valuable resource in the SOC. In the first part of our discussion, Part 2a: Organizing people, we covered how to set up people in the security operations center (SOC) for success. Today, we talk about our investments into readiness programs and career paths for our SOC analysts as well as recruiting for success. We’ll close the series with discussions about the technology that enables our people to accomplish their mission.

Something new every day

When an analyst walks into our SOC for a shift, they never know what to expect. They must be ready for anything as they face off with intelligent, adaptable, and well-funded adversaries who are intent on evading our defenses. For each problem, they must apply their unique knowledge and experience, the accumulated learnings from our SOC, and the expertise of their SOC teammates.

Our investments into readiness programs, career paths, and recruitment strategies are designed so our SOC analysts are prepared to succeed in their duties, increase mastery of their discipline, and grow as individuals. This ensures that our SOC staff brings their best to every shift, every time.

You may have to adapt some of these practices to the unique needs of your security operations team to be successful. We’re fortunate to have dedicated security operations teams, dedicated facilities, and experienced peers to learn from already on staff, but understand not all security organizations have these resources available.

Analyst roles and career paths

Empowering humans means investing in them. Being a SOC analyst is a high-stress job, and we know our success is built upon actively engaged people applying their experience and problem-solving creativity. The longer our analysts do this work, the better they get, so it’s important to nurture a long-running, sustainable workforce. This starts by clearly defining a career path. Our tier model not only organizes the work of the SOC, but also guides our analysts in building their knowledge and skills and shapes their careers with increasing levels of skill and different challenges.

Because we strive to empower and attract smart people with a continuous learning mindset, we’re motivated to promote from within. An analyst’s career path typically progresses from Tier 1 to Tier 2 to Tier 3 or to incident response, program management, security product engineering, or leadership tracks. There are exceptions, but this tends to be the norm.

  • Tier 1—Analysts acquire and refine core skills including attacker mindset and techniques, using detection and investigation tools, working with internal teams and processes, and calmly applying a thoughtful approach in a high pressure situation. This is similar to martial arts where beginners acquire basic competencies (marked by a progression of colored belts) until they have achieved their black belt and move to the next stage of skills. Similarly, transition from Tier 1 to Tier 2 is a key turning point in the career of an analyst.
  • Tier 2—Analysts continue to hone their skills as they move from executing well-defined playbooks for (mostly) predictable incidents at Tier 1 to investigating advanced incidents with greater unpredictability. Tier 2 analysts investigate attack operations conducted by organized groups with specialized skills and a specific targeted goal. Analysts investigating these incidents continue growing skills while learning from Tier 2 peer analysts and the incidents themselves. Over time, senior Tier 2 analysts often shadow different Tier 3 teams as they try out potential career paths and/or prepare for the next stage of their career.
  • Tier 3—At this level, analyst career paths typically diverge into deeper specialties. Analysts can choose to pursue mastery of a particular skill or increasing competency across multiple skills. Tier 3 increasingly requires data analytics skillsets, because proactive hunting, investigation of advanced attacks, and automation development frequently require navigating many datasets with massive amounts of information.

Careful balancing

Defining a clear career path is important, but like all disciplines dealing with people, we must carefully balance and manage some nuances along the way.

  • Balancing short and long term goals—As our analysts learn new skills and progress through their career, they learn to balance goals, such as ensuring alerts and cases are handled as top priority while simultaneously developing creative solutions that can reduce toil and increase efficiency over the long term.
  • Balancing empowerment and guidance—Managers and senior personnel need to strike this careful balance as they mentor analysts in their career. This is particularly important at key transition points, such as when an analyst first onboards into a new role. Much like we see in many martial arts films, when the talented but “not fully trained” student has an overabundance of confidence and tries to take on more than they can handle, we see a similar dynamic as analysts begin shadowing Tier 3 roles. In this situation, we have to be careful not to discourage this creative impulse (offering a feedback channel for ideas) while coaching and guiding analysts to complete their learning from seasoned professionals and focus on the journey ahead.

Recruiting for success

Recruiting people and developing their skills is one of the most critical aspects of the SOC’s success. The biggest challenges in this space are the scarcity of people with the right skillsets, the speed at which skillsets must evolve, the potential for analyst burnout, and the need to blend diverse skills and perspectives to address both the human and technical aspects of attacks.

Much has been written about the scarcity of cybersecurity skills. We recommend reading a relevant blog on this topic that offers different ways of addressing the scarcity of talent in security. Additionally, you may want to watch a recent RSA Conference Keynote from Ann Johnson (Corporate Vice President of Cybersecurity Solutions Group at Microsoft), which addresses many related topics including the mental health and burnout risks our industry faces.

The evolving skillset challenge is particularly acute for our SOC because classic SOCs tend to be network centric, but our detection and investigation have evolved to rely primarily on device, identity, and application specific tooling. While we still have and use advanced network security tools, over the years their role has diminished significantly to one of supporting investigation and advanced hunting. As of the writing of this blog, it has been over two years since the primary detection of an attack on our corporate environment came from a network tool. We expect this trend to continue and have oriented our analyst readiness accordingly.

When it comes to recruiting and building skilled analysts, we’ve found that we require a combination of diverse perspectives and some common traits. As with any role, success requires having a diverse team with different backgrounds, mindsets, and skillsets to bring more perspective to the problems at hand and surface better solutions faster. We’ve also found certain personality traits tend to make analysts more successful in a fast-paced high-pressure work environment of a SOC.

It’s critical to note that the following observations are general trends and not absolute rules. The primary factor of success in hiring an individual into a role is how well that particular person fits that role. With that said, we tend to look for people with a kind of “grace under pressure,” as we find it’s easier to train technical and security skills to people with a growth mindset and a calm demeanor under pressure than it is to do the reverse.

For example, we have found that people with military experience are often a good fit because they have experience focusing on the mission despite the strong distractions in ambiguous situations with active hostile adversaries.

We’ve also had success with recruiting and investing into people early in their careers who are eager to learn and have few preconceptions. We’ve had good results with integrating seasoned professionals, but there are simply not enough available for the needs of the marketplace today.

An interesting aspect of the SOC attracting mission-oriented personalities is that when we have a major incident off hours, we more often get too many people volunteering to help versus not enough—a good “problem” to have!

Building skills and job readiness

Because of the high complexity required to be an effective SOC analyst, it’s difficult to educate new analysts in the ways of the SOC through formal training alone. We’ve tried different training approaches to build skills over the years and have found the apprenticeship model to be most effective at rapidly and consistently building skills. For new analysts we take an “I do, we do, you do” approach that progresses from observation to hands on with supervision of a seasoned analyst to independent investigation with support from peers and mentors.

This is similar to other industries with a need to transfer rich context and nuance during real world practice, such as an internship or a residency during a medical career.

The readiness process focuses on building understanding and competency in three domains:

  1. Technical tools/capabilities.
  2. Our organization (mission and assets being protected).
  3. Attackers (motivations, tools, techniques, habits, etc.).

These competencies map well to established doctrine on human conflict. Sun Tzu’s advice to “know thyself” and “know thy enemy” map well to the second and third domains. Our SOC processes also map well to thinking from Colonel John Boyd’s OODA ‘loop’ on real-time human conflict: observe, orient, decide, act.

Beyond the competencies, we also need to train our analysts to be big picture thinkers and maintain an end-to-end view of the attack. It’s not enough to focus on a single threat, but to also “look left and right.” We need our analysts to think about how else the attacker might be trying to gain access and what else they may be after. For example, a password spray may be a potential entry to a multi-stage attack. An attacker may be using a distributed denial-of-service (DDoS) attack to provide a smokescreen to distract from their real objective.

We supplement this apprenticeship model with structured, formal training on topics, such as new products or features and SOC procedures. We also encourage attendance at conferences and work hard to ensure our staffing model supports these and other learning opportunities, so they aren’t empty promises.

This approach has been successful, allowing us to train new Tier 1 analysts in approximately 10–12 weeks, and we’re continuously looking for ways to improve our readiness processes. In addition, our staffing approach has been critical to mitigating burnout risk.

Learn more

For a visual depiction of our SOC philosophy, download our Minutes matter poster. Also, read previous posts in the “Lessons learned from the Microsoft SOC” series, including Part 1: Organization and Part 2a: Organizing people as well as see our full CISO series to learn more.

For more discussion on some of these topics, see John and Kristina’s session (starting at 1:05:48) at Microsoft’s recent Virtual Security Summit.

Stay tuned for the next segment in “Lessons learned from the Microsoft SOC” where we discuss the technology that enables our people to accomplish their mission.

The post Lessons learned from the Microsoft SOC Part 2b: Career paths and readiness appeared first on Microsoft Security.

Step 10. Detect and investigate security incidents: top 10 actions to secure your environment

Microsoft Malware Protection Center - Tue, 06/04/2019 - 12:00pm

“Step 10. Detect and investigate security incidents” is the final installment in the Top 10 actions to secure your environment blog series. Here we walk you through how to set up Azure Advanced Threat Protection (Azure ATP) to secure identities in the cloud and on-premises.

Azure ATP is a service in the Microsoft Threat Protection solution, which integrates with Azure Identity Protection and Microsoft Cloud App Security and leverages your on-premises Active Directory signals to identify suspicious user and device activity with both known-technique detection and behavioral analytics. It protects user identities and credentials stored in Active Directory and allows you to view clear attack information on a simple timeline for fast triage. Integration with Windows Defender Advanced Threat Protection (Windows Defender ATP) provides a single interface to monitor multiple entry points.

Azure ATP works by analyzing data sent by Azure ATP sensors that parse network traffic from domain controllers (Figure 1). In this blog, we share resources and advice that will help you install and configure the Azure ATP sensors following these steps:

  • Plan your Azure ATP capacity.
  • Install the Azure ATP sensor package.
  • Configure the Azure ATP sensor.
  • Detect alerts.

Figure 1: Azure ATP sensors parse network traffic from domain controllers and send it to Azure ATP for analysis.

Plan your Azure ATP capacity

Before you begin your Azure ATP deployment, you’ll need to determine what resources are required to support your Azure ATP sensors. An Azure ATP sensor analyzes network traffic and reads events locally, without the need to purchase and maintain additional hardware or configurations. The Azure ATP sensor also supports Event Tracing for Windows (ETW), which provides the information for multiple detections. ETW-based detections include suspected DCShadow attacks that attempt to use domain controller replication requests and domain controller promotion.

The recommended and simplest way to determine capacity for your Azure ATP deployment is to use the Azure ATP sizing tool. Once you download and run the tool, the details in the “Busy Packets/sec” field will help you determine the resources required for your sensors.

Next, you create your Azure Advanced Threat Protection instance and connect it to your Active Directory forest. You’ll need an Azure Active Directory (Azure AD) tenant with at least one global or security administrator. Each Azure ATP instance supports multiple Active Directory forests and a Forest Functional Level (FFL) of Windows 2003 and above.

Install the Azure ATP sensor package

Once Azure ATP is connected to Active Directory, you can download the sensor package. Click Download in the Azure ATP portal to begin the process. Copy the access key; you’ll need it when you install the sensor (Figure 2).

Figure 2: The access key is used in installation.

Next, verify the domain controller(s) on which you intend to install Azure ATP sensors have internet connectivity to the Azure ATP Cloud Service. These URLs automatically map to the correct service location for your Azure ATP instance:

  • For console connectivity: <your-instance-name> (For example, “”)
  • For sensors connectivity: <your-instance-name> (For example, “”)

Note: There is no “.” between <your-instance-name> and “sensorapi”.

Extract the files from the ZIP and run the Azure ATP sensor setup.exe, which initiates the installation wizard. When you get to the Configure the Sensor screen, enter the access key you copied during the download.

Note that all domain controllers in your environment should be covered by an Azure ATP sensor. The Azure ATP sensor supports the use of a proxy.

For more information on proxy configuration, see Configuring a proxy for Azure ATP.

Configure the Azure ATP sensor

The domain synchronizer is responsible for synchronization between Azure ATP and your Active Directory domain. Depending on the size of the domain, the initial synchronization may take time and is resource intensive. We recommend setting at least one domain controller as the domain synchronizer candidate per domain. This ensures Azure ATP is actively scanning your network at all times. By default, Azure ATP sensors aren’t domain synchronizer candidates. To manually set an Azure ATP sensor as a domain synchronizer candidate, switch the domain synchronizer candidate toggle option to ON in the configuration screen (Figure 3).

Figure 3: The domain synchronizer candidate toggle option set to ON in the configuration screen.

Next, manually tag groups or accounts as sensitive to enhance detections. This is important because some Azure ATP detections, such as sensitive group modification detection and lateral movement paths, rely on sensitive groups and accounts.

We also recommend that you integrate Azure ATP with Windows Defender ATP. Windows Defender ATP monitors your endpoints and the integration provides a single interface to monitor and protect your environment. It is easy to turn on the integration from the Azure ATP portal (Figure 4).

Figure 4: A simple toggle enables integration with Windows Defender ATP.

You can also integrate with your VPN solution to collect additional user information, such as the IP addresses and locations where connections originated. This complements the investigation process by providing additional information on user activity as well as a new detection for abnormal VPN connections.

Detect alerts

After you set up Azure ATP, we recommend that you set up an Azure ATP security alert lab to help you better understand the alerts that may be generated in your environment. The lab includes a reconnaissance playbook that shows how Azure ATP identifies and detects suspicious activities from potential attacks. The lateral movement playbook shows the lateral movement path detections and security alerts that Azure ATP raises. In the domain dominance playbook, you simulate some common domain dominance methods. For best results, set up your lab as close as possible to the instructions in the tutorial.

When Azure ATP is configured, you will be able to manage security alerts in the Security Alerts Timeline of the Azure ATP portal. Azure ATP security alerts provide tools to discover which suspicious activities were identified on your network and the actors and computers involved in the threats. Alerts are organized by threat phase, graded for severity, and color-coded to make them easy to visually filter.

Learn more

This completes our series, “Top 10 actions to secure your environment.” Review the entire series for advice on setting up other Microsoft 365 security products, such as Azure AD or Microsoft Cloud App Security.


The post Step 10. Detect and investigate security incidents: top 10 actions to secure your environment appeared first on Microsoft Security.

Secure your journey to the cloud with free DMARC monitoring for Office 365

Microsoft Malware Protection Center - Mon, 06/03/2019 - 12:00pm

Not knowing who is sending email “from” your organization is an enormous problem for IT managers for two reasons.

One problem is “shadow IT”—cloud services that employees have signed up for without IT oversight. Many of these services send mail—to employees, customers, or marketing prospects—which appear to come from your organization, opening you to legal and security risks. Identifying these services and getting them under control is a critical step in any cloud migration project.

The second problem is phishing, which plays a role in over 90 percent of all cyberattacks. For phishers, there’s not a more valuable tool than the ability to impersonate senders. These scammers rely on the fact that there is little stopping them from spoofing any domain they like in the “from” field of their phishing messages.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an essential tool for solving both of these problems. When an organization gets its domains to a quarantine or reject policy—what’s known as DMARC enforcement—it gains complete visibility into and control over all email purporting to be from that organization. For more on DMARC policies and how they pertain to inbound mail, read the “Best practices on implementing DMARC in Office 365” section in the Microsoft article Using DMARC to validate email in Office 365.

Before a company can get to an enforcement policy, it needs to identify all the email senders using its domain. If this crucial and potentially challenging step is omitted, it may wind up inadvertently blocking legitimate email sources (like a payroll provider or your CRM tool), simply because it hasn’t specifically authorized them.

While the benefits of DMARC are clear, many organizations have had trouble with the implementation of this open standard. DMARC directs receiving mail servers to send aggregate reports back to domain owners, so they can analyze which services are sending mail on their behalf. This data is valuable for both cloud migration and anti-phishing projects.

But it can be difficult to extract actionable intelligence from these reports, which are typically large XML files containing long lists of IP addresses. Companies need to do extensive “detective work” to figure out which services correspond to those IPs and which people within their organization are responsible for using those services, which includes updating the corresponding DMARC, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records to ensure that the services are properly authorized. What’s more, every change requires updating the Domain Name System (DNS), which itself can be an involved process.

What if you don’t have the time and resources to allocate to this long-term, sometimes tedious technical analysis?

Valimail Monitor for Office 365 can make this part of the DMARC journey much easier. Instead of manually parsing the massive amount of XML-based IP address data you get in DMARC reports, Valimail Monitor for Office 365 digests DMARC aggregate reports and turns them into an easily readable list of named services. In addition, for each of these services, Valimail shows how many messages are passing authentication and how many are failing and provides overall stats on DMARC authentications and authentication failures. This greatly simplifies this critical stage of the DMARC journey.

The challenge is identification

Setting up a DMARC record isn’t difficult—it’s a simple TXT record in DNS—and there are only three tags needed to configure a correct DMARC record. Once configured, the domain owner receives daily aggregate reports, via email, from virtually every mail receiver worldwide that gets mail from that domain.
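As an added example (not part of the original post), here is a small checker for the TXT record itself. It assumes the three tags the post refers to are v, p and rua, validates them the way a domain owner would before publishing, and reports whether the record is at enforcement (p=quarantine or p=reject applied to 100% of mail). Sample records are constructed.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=mailto:...") into
    (tag, value) pairs, preserving order so the 'v must come first' rule can be checked."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, value = part.split("=", 1)
        tags.append((name.strip().lower(), value.strip()))
    return tags


def assess_dmarc_record(txt):
    """Return (at_enforcement, problems).

    at_enforcement is True only for p=quarantine or p=reject with pct=100;
    problems lists what the domain owner must fix before the record is useful."""
    tags = parse_dmarc_record(txt)
    problems = []
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    tagmap = dict(tags)
    policy = tagmap.get("p")
    if policy not in VALID_POLICIES:
        problems.append("p tag missing or invalid (expected none, quarantine or reject)")
    # Without a mailto: URI in rua, receivers have nowhere to send aggregate reports,
    # and the service-discovery stage described in the post never starts.
    if not any(uri.strip().startswith("mailto:") for uri in tagmap.get("rua", "").split(",")):
        problems.append("no rua mailto: address, so receivers will not send aggregate reports")
    pct = tagmap.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer between 0 and 100")
        pct = "0"
    at_enforcement = policy in {"quarantine", "reject"} and int(pct) == 100
    return at_enforcement, problems


# Constructed records for illustration
MONITORING_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```

A p=none record is the right starting point: it changes nothing about delivery but turns on the reporting stream that the rest of the post is about.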

The challenging part, as noted above, is using those DMARC aggregate reports to identify all those services that are sending email “as” the domain.

Here’s why it’s hard: In the era of cloud IT, it’s quite common for organizations to have dozens of third-party services sending email on their behalf. For example, an organization may have CRM, HR, support, payroll, and other workflow services that are core to its business. The one thing that ties all these services together is that they all rely on the company’s domain name to send email—notifications, invoices, receipts, and the like—which all need to come “from” the company. Their use of a domain name is a de facto standard that leverages the implicit trust employees, customers, and partners have when they do business with a company. (Watch a short one-minute video explaining why so many DMARC projects run into trouble.)

Before moving to a policy of enforcement, a company needs to have the confidence that it has correctly identified all these senders and white-listed them in its SPF configuration, and/or configured their DKIM keys correctly.

DMARC is incredibly useful to block phishing attacks and protect the brand, but many Office 365 customers who have implemented DMARC have not reached enforcement. They’ve manually parsed DMARC reports with self-help tools or consulting support. They’ve looked at millions of lines of XML to extract IP addresses which they then need to translate to named services. These services themselves may live on multi-tenant clouds, so discerning the true identity of a given service is further challenging because the underlying cloud infrastructure could be shared and may change without notice.
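To make the “detective work” concrete, here is an added example (not Valimail’s or Microsoft’s code) that parses a constructed DMARC aggregate report in the standard RFC 7489 XML format, collapses it to per-source-IP pass/fail counts, and maps each IP to a named service through a hypothetical lookup table of known sending ranges. Everything in the sample report and the lookup table is made up.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 "feedback" format; every value is made up.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1559520000</begin><end>1559606399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

# Hypothetical lookup of sending ranges to service names. In practice this table is the
# hard part the post describes: built from provider documentation, SPF includes and asking around.
KNOWN_SENDERS = {
    ipaddress.ip_network("192.0.2.0/24"): "Office 365 (own tenant)",
    ipaddress.ip_network("198.51.100.0/24"): "payroll provider",
}


def name_service(ip):
    """Map a source IP to a service name, or 'unknown' if no known range matches."""
    addr = ipaddress.ip_address(ip)
    for network, name in KNOWN_SENDERS.items():
        if addr in network:
            return name
    return "unknown"


def summarize_report(xml_text):
    """Collapse a report into per-source-IP DMARC pass/fail message counts."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "sources": {},
    }
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # A message passes DMARC when aligned DKIM or aligned SPF passes (RFC 7489 section 6.6.2).
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        entry = summary["sources"].setdefault(ip, {"service": name_service(ip), "pass": 0, "fail": 0})
        entry["pass" if passed else "fail"] += count
    return summary


def senders_needing_attention(summary):
    """Source IPs whose mail fails DMARC. Each is either a legitimate service that still
    needs SPF/DKIM authorization or an impostor; the policy cannot safely move to
    quarantine/reject until every one of them has been classified."""
    return sorted(ip for ip, entry in summary["sources"].items() if entry["fail"] > 0)
```

In the constructed data the payroll provider fails because it has not yet been added to SPF or given a DKIM key, while 203.0.113.7 matches nothing known and is a candidate impostor: the two cases look identical in the raw XML, which is exactly why the naming step matters.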

A fully automated, free service

Valimail Monitor for Office 365 makes the service-discovery component of DMARC implementation far easier, providing a fully automated visibility service, free of charge. With Valimail, Office 365 users can easily see all third-party services sending on their behalf, as well as potential imposters that are spoofing their brand. It eliminates the need to wade through XML-based aggregate reports or try to interpret which IP addresses correspond to which cloud services. Valimail Monitor for Office 365 provides a clean, clear, human-readable interface that lists services and their email volume on the domain in plain English.

With full visibility, Office 365 customers will be armed with all the information they need to determine which services are legitimate and authorized. From there, they’ll be in a position to confidently move their organization to full DMARC enforcement, where all unauthenticated traffic is blocked. Valimail makes this easy as well, with an upgrade path to Valimail Enforce, which fully automates DMARC enforcement.

As a member of the Microsoft Intelligent Security Association, Valimail provides a critical free service for Office 365 customers who want the benefits of DMARC enforcement. DMARC enforcement, together with the anti-spoofing and anti-phishing capabilities in Office 365, will effectively stop an entire class of phishing attacks.

Configuring Valimail Monitor for Office 365

Here’s how to get started with Valimail Monitor for Office 365:

  1. Sign up at the Valimail Monitor for Office 365 website.
    Note: This is a free service for Office 365 customers. Once you sign up, Valimail will email you the simple configuration instructions.
  2. Set aside five minutes to make the change in DNS to send your DMARC reports to Valimail (this has no impact on your email flow, deliverability, or any other aspect of your DNS).

Within two weeks, Valimail Monitor will provide you a list of senders using your domain, and it will keep the list updated in real-time as DMARC reports continue to flow in. It also shows you where in the world emails sent using your domain are coming from. Don’t have an office or server in Brazil? That might just be the red flag you need to shut down a phisher impersonating your brand.

Using the Valimail dashboard, you’ll have the intelligence you need to know who is sending email using your domain and from where, so you can focus your time and resources on more complex activities to protect your organization.

Sign up for free at:

The post Secure your journey to the cloud with free DMARC monitoring for Office 365 appeared first on Microsoft Security.

Demystifying Password Hash Sync

Microsoft Malware Protection Center - Thu, 05/30/2019 - 12:00pm

This blog is part of a series of posts providing a behind-the-scenes look of Microsoft’s Detection and Response Team (DART). While responding to cybersecurity incidents around the world, DART engages with customers who are wary about using Password Hash Sync (PHS) or are not utilizing this service’s full capabilities. As customers can gain tremendous security benefits using the full capabilities of this service, we want to demystify PHS.

What PHS is and is not

What is PHS? First, let’s start with what it is not. PHS doesn’t sync actual passwords. Rather, it syncs hashes of passwords, each of which is combined with a per-user salt and run through 1,000 iterations of the HMAC-SHA256 key hashing algorithm before being sent to Azure Active Directory (Azure AD). Through our hands-on experiences, we’ve learned that many companies believe that Microsoft may have access to users’ passwords. Microsoft is committed to protecting your privacy, and it’s important to note that the SHA256 hash cannot be reversed to recover the password—so the plain-text version of the password is never and can never be exposed to Microsoft.

The second important consideration of PHS is that, with PHS your Identity Management provider is moved from your current provider to Azure AD. This allows the organization to move from an Identity Management provider—which is typically an on-premises server and requires maintenance and potentially server downtime—to a platform-as-a-service (PaaS) provider.

From a security perspective, organizations gain significant reliability advantages and improved capabilities by moving to PHS, including Smart Lockout, IP Lockout, and the ability to discover leaked credentials, as well as the benefits of utilizing Microsoft’s billions of worldwide data points as additional layers of security to your organization’s environment.

More about these key features:

  • Smart Lockout assists in blocking bad actors who are attempting to brute force passwords. By default, Smart Lockout locks the account from sign-in attempts for one minute after ten failed attempts. Smart Lockout tracks the last three bad password hashes to avoid re-incrementing the lockout counter. For more information on Smart Lockout, see Azure AD Smart Lockout.
  • IP Lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP Lockout finds IP addresses acting maliciously, such as an IP that is password spraying the tenant, and blocks those sign-ins in real-time, while allowing the real user to continue to successfully sign in.
  • Microsoft Leaked Credentials Service acquires username/password pairs by monitoring public web sites and the Dark Web and by working with:
    • Researchers
    • Law enforcement
    • Microsoft Security teams
    • Other trusted sources

When the service acquires username/password pairs, the passwords are sent through the same hashing algorithm and are checked against Azure AD users’ password hashes. When a match is found (indicating a compromised credential), a “Leaked Credentials Risk Event” is created. Please see Azure AD Risk Events for additional information regarding Leaked Credentials.
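The hashing scheme described above and the leaked-credentials check that reuses it, as an added example (not Microsoft’s sync agent code). It models what the post states: a per-user salt and 1,000 iterations of HMAC-SHA256 (which is what PBKDF2-HMAC-SHA256 computes). Two details are assumptions rather than statements from the post: the 10-byte salt length, and the fact that the input here is the password itself, whereas the real agent works from the existing on-premises password hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000   # stated in the post
SALT_BYTES = 10     # assumption: the post does not give the salt length
HASH_BYTES = 32     # SHA-256 output size


def derive_sync_hash(secret, salt):
    """1,000 iterations of HMAC-SHA256 keyed over a per-user salt (PBKDF2-HMAC-SHA256).
    Only this value is synchronized; the plaintext stays on-premises."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=HASH_BYTES)


def enroll(password):
    """Produce the per-user (salt, hash) pair that would be synchronized.
    Simplification: the real agent feeds the existing on-premises password hash, not the
    plaintext; here the UTF-16-LE password bytes stand in for that input."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": derive_sync_hash(password.encode("utf-16-le"), salt)}


def leaked_credential_match(record, leaked_password):
    """Re-run the same derivation on a leaked plaintext with the user's own salt and
    compare in constant time. A match means the user's current password is compromised,
    and the check never required storing or receiving the user's plaintext."""
    candidate = derive_sync_hash(leaked_password.encode("utf-16-le"), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])
```

Because the salt is per user, the same password enrolled for two users produces two unrelated hashes, so a leaked value can only be checked per account, and the 1,000-iteration cost applies to every guess an attacker would make against a stolen sync hash.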

Another important benefit to PHS is that, should your tenant experience a Denial of Service (DoS) and/or Password Spray attack, Microsoft will take the brunt of that traffic. That traffic is directed at Microsoft, not your on-premises Active Directory Federation Services (AD FS). When authentication happens via on-premises AD FS, your server is responsible for handling that load, which can cause downtime.

Moving an organization’s identity management provider to Azure AD and utilizing Password Hash Sync allows for both an increase in overall security posture and reduced management overhead. The security benefits, including leaked credentials, IP lockout, and Smart Lockout, all utilize Microsoft’s telemetry that gives organizations the power of Microsoft’s intelligence.

NOTE: If PHS is the secondary authentication method and you want to take advantage of Smart Lockout and IP Lockout, the primary authentication method must support these features. In a hybrid environment where Federated or Pass-through Authentication is primary, PHS is recommended as the secondary method, both as a redundancy mechanism and to collect the information needed for Leaked Credentials detection.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Read DART: the Microsoft cybersecurity team we hope you never meet for more about the DART team.

The post Demystifying Password Hash Sync appeared first on Microsoft Security.

Uncovering Linux based cyberattack using Azure Security Center

Microsoft Malware Protection Center - Thu, 05/23/2019 - 2:30pm

As more and more enterprises move to the cloud, they also bring their own set of security challenges. Today, almost half of Azure virtual machines (VMs) are running on Linux, and as the Linux server population grows, so are the attacks targeting them. As detection capabilities advance, attackers are using new and stealthier techniques to stay undetected and persist with their motives. Azure Security Center, Microsoft’s cloud-based cyber solution, helps customers safeguard their cloud workloads as well as protect them from these threats.

In this blog post, we detail a real-world Linux attack whose purpose initially looked like crypto mining, but it turned out that the attacker’s intent was to use the compromised host as a launchpad for further large-scale attacks.

Incident details

After the initial successful SSH brute force compromise, the attacker proceeds to download a first stage ‘’ script using utilities like ‘wget’ that delivers further payload to the host. Azure Security Center surfaces this behavior via a “Detected suspicious file download” alert.

Post stage 1 download, the attacker executed the script to find ‘dota.tar.gz’ by enumerating multiple hosting URLs. Once a live hosting IP was found, the second stage file was delivered into the directory ‘/tmp/.mountfs.’ Most of these exploitation and persistence techniques are observed from the /tmp folder. In this case all activities were tracked under the /tmp/.mountfs and /tmp/.mountfs/.rsync directories. Directory names that begin with a dot are omitted from default directory listings, a common technique attackers use to keep their activity out of sight.

Later, we see traffic to different mining pools including ‘’ but nothing further that would confirm the purpose as mining cryptocurrency. The “Detected suspicious network activity” analytic triggered on this activity along with the “Digital currency mining” analytic. This was followed by reconnaissance grep activity used by the attacker to get more information on the target machine and to see if it had already been compromised and was in use by other actors.

The attackers then used a bash script to search for and kill processes belonging to some of the above-mentioned miners, grepping for them with the command:

ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9

Let’s talk more about what this command does. The first command, ps auxf, shows a tree view of parent-child processes in the output of ps (process status). The first grep removes the grep process itself from this list, and the second grep extracts any xmrig (a well-known miner) process from the filtered list. awk prints the second column of each matching line (the PID), and xargs passes those PIDs to kill -9, which sends SIGKILL.

What follows next is a series of pkill commands to kill processes using a couple of techniques that:

  1. Match the entire process and argument list pattern.
  2. Forcefully terminate a process.

To get the maximum CPU usage and efficiency, attackers generally start deleting the existing coin miner instances and focus on deploying new instances of mining payload.

Generally, after this activity, traces of a cryptocurrency wallet or other activities related to mining become evident, but what followed next was a surprise.

It turns out that this machine appeared to have been used to target 20,000 different endpoints based on our timeline of attack analysis detailed below:

Azure Security Center caught most of the suspicious activities observed above that triggered security alerts. To further our investigation, we collaborated with our internal memory forensics team. The analysis of the ELF payload unfolded even more details in this attack campaign:

  • The payload had three important components:
    • tsm64: An ELF executable.
    • Libraries that tsm64 relied on for execution.
    • tsm: Code used to launch the tsm64 executable.
  • To ensure that the attacker payload was able to run on most distributions, the attackers supplied the libraries that tsm64 depended on for successful execution.
  • tsm: tsm is renamed. is a helper program that loads the shared libraries needed by the program executable, prepares the program to run, and then runs it.
  • Dependent libraries: The dependency analysis of the tsm64 executable showed that it needed four libraries at the runtime. Namely,,,, and
  • tsm64: This is the executable that the attacker eventually wants to run. Turns out, tsm64 is a multi-threaded SSH brute force tool that can attack a set of IPs with provided passwords.
  • The analysis of the Procedure Linkage Table (PLT) for tsm64 showed the multi-threading, network communication, and password file reading capabilities. A subset of the system APIs are listed below:
    • Networking: setsockopt, getsockopt, getsockname, connect, gethostname, socket, inet_ntoa, recvfrom, recv, bind, getaddrinfo, inet_pton, getpeername
    • Multi-threaded (pthread): pthread_getspecific, pthread_setspecific, pthread_cond_signal, pthread_mutex_init, pthread_create, pthread_cond_init, pthread_key_delete, pthread_self, pthread_join, pthread_equal, pthread_cond_wait, pthread_detach, pthread_once, pthread_mutex_lock, pthread_key_create, pthread_mutex_destroy, pthread_cond_broadcast, pthread_mutex_unlock, pthread_kill
    • Password file entry: getpwnam, getpwnam_r, getpwuid_r
  • The IP address list and user credentials to be used for the brute force attack were downloaded into innocuous sounding file names ‘a’ and ‘b.’ File ‘a’ contained a list of 20,000 different IP addresses while file ‘b’ had a listing of credentials. These files were later renamed to ‘ip’ and ‘p’ respectively and passed into tsm64.
  • Using the built-in timeout utility, the tool was programmed to run for a maximum time of 90 minutes.
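From a defender’s side, the behaviours called out above (binaries staged under a dot-directory in /tmp, a timeout-wrapped run of a temp-directory binary, and a known miner name) are cheap to check for in a process listing. Here is an added example (not Azure Security Center’s detection logic) that runs those three rules over a constructed ps-style listing; the process lines, PIDs and the 5400-second timeout are all made up, and the paths only mirror the /tmp/.mountfs staging described in the post.

```python
import shlex

TEMP_ROOTS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MINER_NAMES = {"xmrig"}  # named in the post; extend from your own threat intelligence

# Constructed process listing (pid, ppid, user, command).
SAMPLE_PS = """\
PID PPID USER COMMAND
1021 1 root /usr/sbin/sshd -D
1500 1021 alice sshd: alice@pts/0
2210 1500 alice /tmp/.mountfs/.rsync/tsm ip p
2211 2210 alice timeout 5400 /tmp/.mountfs/.rsync/tsm64 ip p
2300 1 alice /home/alice/bin/backup.sh --full
2400 1 bob xmrig -o pool.example:3333
"""


def parse_ps(text):
    """Parse 'pid ppid user command' rows; the command may itself contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:
        pid, ppid, user, cmd = line.split(None, 3)
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user, "cmd": cmd})
    return rows


def is_hidden_temp_path(path):
    """True for paths under a world-writable temp root that contain a dot-prefixed
    component (e.g. /tmp/.mountfs/.rsync/tsm), which 'ls' without -a does not show."""
    if not path.startswith(TEMP_ROOTS):
        return False
    return any(part.startswith(".") for part in path.split("/")[2:])


def inspect_processes(rows):
    """Return (pid, rule) findings for the behaviours described in the post."""
    findings = []
    for row in rows:
        try:
            argv = shlex.split(row["cmd"])
        except ValueError:          # unbalanced quotes in a command line
            argv = row["cmd"].split()
        if not argv:
            continue
        program = argv[0].rsplit("/", 1)[-1]
        if any(is_hidden_temp_path(tok) for tok in argv):
            findings.append((row["pid"], "exec-from-hidden-temp-dir"))
        # 'timeout N /tmp/...' is the time-boxed run the post describes for tsm64
        if program == "timeout" and any(tok.startswith(TEMP_ROOTS) for tok in argv[1:]):
            findings.append((row["pid"], "timeout-wrapped-temp-binary"))
        if program in MINER_NAMES:
            findings.append((row["pid"], "known-miner-name"))
    return findings


def flagged_pids(text=SAMPLE_PS):
    """Distinct PIDs with at least one finding, for a quick triage list."""
    return sorted({pid for pid, _ in inspect_processes(parse_ps(text))})
```

Note that the rule is about where a binary lives and how it is launched, not about its name: the attacker here deliberately chose innocuous names such as tsm, ip and p, so name-based rules alone (the known-miner check) would have missed the brute-force tool entirely.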

Adversaries are always finding new and novel ways to evade detection. As cyber defenders, we need to constantly innovate and track these latest threats in order to thwart new and deceptive attacks that are making rounds in the cloud cyber world.

Recommended actions

  • Azure Security Center can automatically correlate such multiple triggered alerts into a single security incident. This capability provides a single overview of any attack campaign and all the related alerts to understand the action attackers took and what resources were impacted.
  • While Azure Security Center alerted on the activity, the intrusion could have been prevented through good password hygiene. It’s recommended to use passwords and passphrases that are not easily guessed. Some of our previous blogs cover this topic: Just In Time (JIT), Password-less sign-in, and Azure Key Vault.
  • Azure Security Center alerts can also be integrated into an existing SIEM solution for a centralized view of security posture across your organization, or with Microsoft’s new SIEM, Azure Sentinel.

Learn more

To learn more about the Azure Security Center, see the following:

The post Uncovering Linux based cyberattack using Azure Security Center appeared first on Microsoft Security.

UK launches cyberstrategy with long-term relevance

Microsoft Malware Protection Center - Thu, 05/23/2019 - 12:00pm

Like most major global economies, the United Kingdom continues to place cybersecurity issues front and center. The National Cyber Security Strategy: 2016-2021 document—published by the UK Government and released nearly two years ago—describes the plan to make the UK secure and resilient in cyberspace. It’s the most frequently referenced document and project in any cybersecurity discussion. After two years, and with recent updates, it’s worthwhile to revisit the document to assess its importance in securing digital transformation across the UK’s economy. Moreover, the National Security Capability Review (NSCR) March 2018 update to the National Cyber Security Strategy makes the timing for a review of this all the more relevant, as the 80-page document is well-written, thorough, and remains useful and relevant. The cyberstrategy’s core pillars—defend, deter, and develop—are described in detail and address a wide array of important topics, including education, international cooperation, and public-private collaboration.

Specifically, the cybersecurity document does an excellent job in the following areas:

  • Insider threats—This type of threat is highlighted throughout the document; something that is not always emphasized sufficiently. For example, “Insider threats remain a cyber risk to organizations in the UK. Malicious insiders, who are trusted employees of an organization and have access to critical systems and data, pose the greatest threat.” We continue to hear about this problem from customers in nearly all industries and in all countries. This bold and clear statement makes it clear that this problem is front and center for the UK strategy, as it should be.
  • Public incidents—It’s refreshing to see major incidents that impact companies and organizations in the UK highlighted rather than hidden from public view. The document includes several incidents, such as the 2015 TalkTalk breach, and the 2016 attack on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment system in Bangladesh, the Philippines, and the Ukrainian power grid incident. While these incidents did not all occur on UK soil or directly to UK organizations, their impact was still felt in the UK.
  • Diversity and inclusion—The UK is committed to increasing diversity while also addressing its cybersecurity skills shortage. The document states emphatically that “we will address the gender imbalance in cyber-focused professions, and reach people from more diverse backgrounds to make sure we are drawing from the widest available talent pool.” The need is so critical that cybersecurity has become known as a wonderful field for younger professionals to embark on a new career, even if it is not something that is well-known.
  • Public-private collaboration—Cybersecurity is a “team sport” and working together across private and public sectors is essential. Openly admitting this and accepting government responsibility is a key tenet of this strategy, described as, “Government has a clear leadership role, but we will also foster a wider commercial ecosystem, recognizing where industry can innovate faster than us.” The document also states, “We will set out more clearly the respective roles of government and industry, including how these might evolve over time.”

As we look at other areas that the strategy may wish to consider expanding into or elaborating upon in the coming years, three specific areas come to mind:

  • Links to money laundering and terrorist financing—While the initial 2016 version did not mention how the flow of money impacts and funds cybercrime, the NSCR March 2018 update did, with three specific references to money laundering and terrorist financing, explaining, “We will take a whole-of-government approach including with the Devolved Administrations to tackle serious and organized crime and publish an updated Serious and Organized Crime Strategy in 2018.” It also stated, “We remain a leading player in developing and applying economic sanctions [… and will] … continue using sanctions smartly to deliver national security outcomes after we have left the EU.”
  • Returning military veterans—Whether it be from armed conflicts or peace-keeping missions or other such activities, one way the UK could shrink the gap in cybersecurity skills would be to help military veterans transition into this field. The strategy states, “This skills gap represents a national vulnerability that must be resolved.” To that end, there are multiple paths that other countries have pursued that could be applied here.
  • Cloud computing—The terms “cloud” and “cloud computing” are not mentioned in the original 2016 strategy document or in the NSCR March 2018 update. Cloud-based security offerings are a mainstay of any cybersecurity strategy and bring with them enormous benefits, speed, operational efficiencies, and more.

Looking ahead, it is inspiring to see that in the NSCR March 2018 update to the National Cyber Security Strategy there is a real commitment to maintaining the course with the original 2016 strategy. The 2018 update states quite openly that “the NSCR cyber project confirms that our overarching strategic objectives still stand” and “We will continue to implement the National Cyber Security Strategy and ensure it keeps pace with the threat.”

Clearly the UK will stay the course with its original cybersecurity strategy with additional changes and enhancements. Moreover, with all eyes on the UK transition out of the EU, it’s important to demonstrate to the world community that cybersecurity strategy can not only exist but in fact can thrive even amid a massive overhaul in international geopolitics.

The post UK launches cyberstrategy with long-term relevance appeared first on Microsoft Security.

New browser extensions for integrating Microsoft’s hardware-based isolation

Microsoft Malware Protection Center - Thu, 05/23/2019 - 11:50am

The hardware-based isolation technology on Windows 10 that allows Microsoft Edge to isolate browser-based attacks is now available as a browser extension for Google Chrome and Mozilla Firefox.

We introduced the container technology in 2017. Since then, we have been evolving the technology and engaging with customers to understand how hardware-based isolation can best help solve their security concerns. We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages.

To provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions, now generally available, to allow customers to integrate hardware-based isolation with Google Chrome and Mozilla Firefox.

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of enterprise sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of the system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser.
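The trust decision above boils down to “is this URL’s host on the enterprise list?”, and the way that match is written decides whether look-alike hosts slip through. Here is an added example (not the Application Guard extension’s or companion app’s code) of that routing decision with a constructed, hypothetical enterprise list: exact hostnames, a leading dot for a domain and all of its subdomains, and CIDR ranges for internal networks. The entry syntax is this example’s own assumption, not the format the real network isolation policy uses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed enterprise-site list (hypothetical format): exact host, ".suffix" for a
# domain plus all its subdomains, and CIDR ranges for internal networks.
ENTERPRISE_SITES = ["intranet.example.com", ".example.com", "10.0.0.0/8"]


def _host_of(url):
    # .hostname discards scheme, userinfo, port and path and lowercases the name, so
    # "https://intranet.example.com@phish.test/" yields "phish.test", not the intranet host.
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")     # "example.com." and "example.com" are the same name


def is_enterprise_site(url, allowlist=ENTERPRISE_SITES):
    host = _host_of(url)
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for entry in allowlist:
        if "/" in entry:
            # Internal network range: only meaningful for IP-literal hosts.
            if addr is not None and addr in ipaddress.ip_network(entry):
                return True
        elif entry.startswith("."):
            # Domain plus subdomains via label-boundary suffix match, never a substring
            # test, so "example.com.evil.test" does not match ".example.com".
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def route(url):
    """Where a navigation goes: trusted sites stay in the default browser, everything
    else is handed to the isolated Microsoft Edge session."""
    return "default-browser" if is_enterprise_site(url) else "isolated-edge"
```

The fail-closed default (anything unparseable or unmatched is isolated) is what makes the model safe: a mistake in the list costs a user some convenience in the container, whereas a mistake in the other direction lets untrusted content run outside it.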

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

  1. Ensure devices meet requirements.
  2. Turn on Windows Defender Application Guard.
  3. Define the network isolation settings to ensure a set of enterprise sites is in place.
  4. Install the new Windows Defender Application Guard companion application from the Microsoft Store.
  5. Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
  6. Restart the device.

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

  1. When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page.
  2. If there are any problems with the configuration, users will get instructions for resolving any configuration errors.
  3. Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.

Commitment to keep enterprise users and data safe

Hardware-based isolation is one of the innovations that enhance platform security on Windows 10. It is a critical component of the attack surface reduction capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and the broader unified security in Microsoft Threat Protection. With the new Application Guard extension for Google Chrome and Mozilla Firefox, customers can extend the security benefits of isolation in their environments and further reduce attack surface. Customers can confidently navigate the expansive internet with protection for enterprise and personal data.

The Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox are now available for Windows 10 Professional, Enterprise, and Education SKUs, version 1803 and later with latest updates.


Rona Song
Windows platform security team



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

The post New browser extensions for integrating Microsoft’s hardware-based isolation appeared first on Microsoft Security.

Step 9. Protect your OS: top 10 actions to secure your environment

Microsoft Malware Protection Center - Tue, 05/21/2019 - 12:00pm

In “Step 9. Protect your OS” of the Top 10 actions to secure your environment blog series, we provide resources to help you configure Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to defend your Windows, macOS, Linux, iOS, and Android devices from advanced threats.

In an advanced threat, hackers and cybercriminals infiltrate your network through compromised users or vulnerable endpoints and can stay undetected for weeks—or even months—while they attempt to exfiltrate data and move laterally to gain more privileges. Microsoft Defender ATP helps you detect these threats early and take action immediately.

Enabling Microsoft Defender ATP and related products will help you:

  • Mitigate vulnerabilities.
  • Reduce your attack surface.
  • Enable next generation protection from the most advanced attacks.
  • Detect endpoint attacks in real-time and respond immediately.
  • Automate investigation and remediation.

Threat & Vulnerability Management

Threat & Vulnerability Management is a new component of Microsoft Defender ATP that provides:

  • Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
  • Linked machine vulnerability and security configuration assessment data in the context of exposure discovery.
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

To use Threat & Vulnerability Management, you’ll need to turn on the Microsoft Defender ATP preview features.

Attack surface reduction

Attack surface reduction limits the number of attack vectors that a malicious actor can use to gain entry. You can configure attack surface reduction through the following:

  • Microsoft Intune
  • System Center Configuration Manager
  • Group Policy
  • PowerShell cmdlets
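The PowerShell route, as an added example that is not code from the original post or from Microsoft: it turns on the network protection, controlled folder access and attack surface reduction rule controls described in this step with the Set-MpPreference and Add-MpPreference cmdlets, starting every control in audit mode and then reading the effective state and the audit events back. The ASR rule GUID is the one Microsoft documents for "Block all Office applications from creating child processes"; the extra protected folder path is an assumed example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): enable attack surface reduction
# controls with the Microsoft Defender Antivirus cmdlets. Everything starts in
# AuditMode so the events show what WOULD have been blocked before enforcing.

$asrRuleId   = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # documented ASR rule: Office apps creating child processes
$extraFolder = 'C:\Finance\Ledgers'                    # assumed example of a folder to protect

# 1. Network protection: blocks (or, in AuditMode, logs) access to dangerous domains.
Set-MpPreference -EnableNetworkProtection AuditMode

# 2. Controlled folder access, plus one folder beyond the default user libraries.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolder

# 3. One ASR rule. Add-MpPreference appends, so rules already in place survive.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 4. Read the effective state back so the change can be verified and documented.
#    Get-MpPreference reports enablement as numbers: 0=Disabled 1=Enabled 2=AuditMode.
$pref  = Get-MpPreference
$rules = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
[pscustomobject]@{
    NetworkProtection      = $pref.EnableNetworkProtection
    ControlledFolderAccess = $pref.EnableControlledFolderAccess
    ProtectedFolders       = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AsrRules               = $rules -join '; '
} | Format-List

# 5. Audit events land in the Defender operational log (1122 = ASR rule audit,
#    1124 = controlled folder access audit). Review them before switching a
#    control from AuditMode to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The audit-first sequence matters more than the individual settings: a rule that blocks a line-of-business macro or a build script in production is usually rolled back rather than tuned, whereas a week of audit events gives you the exclusions to add before enforcement.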

Enable these capabilities to reduce your attack surface:

  • Hardware-based isolation: Configure Microsoft Defender Application Guard to protect your company while your employees browse the internet. You define which websites, cloud resources, and internal networks are trusted. Everything not on your list is considered untrusted.
  • Application control: Restrict the applications that your users can run and require that applications earn trust in order to run.
  • Device control: Configure Windows 10 hardware and software to “lock down” Windows systems so they operate with properties of mobile devices. Use configurable code integrity to restrict devices to only run authorized apps.
  • Exploit protection: Configure Microsoft Defender Exploit Guard to manage and reduce the attack surface of apps used by your employees.
  • Network protection: Use network protection to prevent employees from using an application to access dangerous domains that may host phishing scams, exploits, and other malicious content.
  • Controlled folder access: Prevent apps that Microsoft Defender Antivirus determines are malicious or suspicious from making changes to files in protected folders.
  • Network firewall: Block unauthorized network traffic from flowing into or out of the local device.
  • Attack surface reduction controls: Prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

Next generation protection

The Intelligent Security Graph powers the antivirus capabilities of Microsoft Defender Antivirus, which works with Microsoft Defender ATP to protect desktops, laptops, and servers from the most advanced ransomware, fileless malware, and other types of attacks.
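As an added example that is not code from the original post or from Microsoft, the cloud-delivered protection, protection level, and block at first sight settings this section covers, applied with Set-MpPreference and then checked end to end, including whether the device can reach the cloud service at all, since these features degrade silently when the required URLs are filtered. The two hostnames are an assumed sample of the required endpoints; take the full list from Microsoft's network connection documentation for Defender Antivirus.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): next generation protection
# settings via Set-MpPreference, followed by a connectivity check.

# Cloud-delivered protection (MAPS). 'Advanced' sends the detection telemetry
# the cloud needs to return a verdict; 'Disabled' turns the feature off.
Set-MpPreference -MAPSReporting Advanced

# Protection level: how aggressively unknown files are blocked. 'High' is a
# sensible starting point; 'HighPlus' and 'ZeroTolerance' raise false-positive cost.
Set-MpPreference -CloudBlockLevel High

# Block at first sight holds a new, unknown file for up to CloudExtendedTimeout
# seconds while the cloud decides. It needs MAPS and sample submission enabled.
Set-MpPreference -DisableBlockAtFirstSeen $false
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudExtendedTimeout 20

# Verify the resulting configuration.
Get-MpPreference | Select-Object MAPSReporting, CloudBlockLevel,
    DisableBlockAtFirstSeen, SubmitSamplesConsent, CloudExtendedTimeout

# Verify reachability: Defender's own self-test first, then a direct TCP check
# per endpoint so a failure can be attributed to the firewall rather than the engine.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection

$endpoints = @('wdcp.microsoft.com', 'wdcpalt.microsoft.com')   # assumed sample of required hosts
foreach ($ep in $endpoints) {
    $r = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    '{0,-26} TCP/443 reachable: {1}' -f $ep, $r.TcpTestSucceeded
}
```

A device that passes the settings check but fails the connectivity check is the common failure mode behind "cloud protection is enabled but nothing is blocked at first sight": the engine falls back to local signatures after the timeout, and nothing in the portal says why.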

Configure Microsoft Defender Antivirus capabilities to:

  • Enable cloud-delivered protection: Leverage artificial intelligence (AI) and machine learning algorithms to analyze the billions of signals on the Intelligent Security Graph and identify and block attacks within seconds.
  • Specify the cloud-delivered protection level: Define the amount of information to be shared with the cloud and how aggressively new files are blocked.
  • Configure and validate network connections for Microsoft Defender Antivirus: Configure firewall or network filtering rules to allow required URLs.
  • Configure the block at first sight feature: Block new malware within seconds.

Endpoint detection and response

Microsoft Defender ATP endpoint detection and response capabilities detect advanced attacks in real-time and give you the power to respond immediately. Microsoft Defender ATP correlates alerts and aggregates them into an incident, so you can understand cross-entity attacks (Figure 1).

Alerts are grouped into an incident based on these criteria:

  • Automated investigation triggered the linked alert while investigating the original alert.
  • File characteristics associated with the alert are similar.
  • Manual association by a user to link the alerts.
  • Proximate time of alerts triggered on the same machine falls within a certain timeframe.
  • Same file is associated with different alerts.

Figure 1. Microsoft Defender ATP correlates alerts and aggregates them into incidents.
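To make the grouping criteria concrete, here is an added example (a simplified illustration, not Defender ATP's own correlation logic) that clusters a constructed set of alerts into incidents using two of the criteria listed above: alerts on the same machine within a time window, and alerts that reference the same file hash. The alert records are constructed sample data.

```powershell
# Added example (not Defender ATP's implementation): greedy, single-pass
# clustering of alerts into incidents on two of the post's criteria.
# Sample alerts are constructed; Sha256 values are stand-ins, not real hashes.

$alerts = @(
    [pscustomobject]@{ Id='a1'; Machine='ws-042'; Sha256='aaa111'; Time=[datetime]'2019-05-20T09:00:00'; Title='Suspicious PowerShell' }
    [pscustomobject]@{ Id='a2'; Machine='ws-042'; Sha256='bbb222'; Time=[datetime]'2019-05-20T09:20:00'; Title='Credential access tool' }
    [pscustomobject]@{ Id='a3'; Machine='srv-07'; Sha256='aaa111'; Time=[datetime]'2019-05-20T14:05:00'; Title='Suspicious PowerShell' }
    [pscustomobject]@{ Id='a4'; Machine='ws-099'; Sha256='ccc333'; Time=[datetime]'2019-05-21T08:00:00'; Title='Macro dropper' }
    [pscustomobject]@{ Id='a5'; Machine='ws-042'; Sha256='ddd444'; Time=[datetime]'2019-05-21T11:00:00'; Title='Unusual sign-in' }
)

function Group-AlertsIntoIncidents {
    param([object[]]$Alerts, [int]$WindowMinutes = 60)
    $incidents = [System.Collections.Generic.List[object]]::new()

    # Process alerts in time order so "within the window" is evaluated against
    # alerts that already belong to an incident.
    foreach ($a in ($Alerts | Sort-Object Time)) {
        $match = $incidents | Where-Object {
            # Criterion: same file already seen in this incident.
            ($_.Hashes -contains $a.Sha256) -or
            # Criterion: an alert on the same machine within the window.
            ($_.Alerts | Where-Object {
                $_.Machine -eq $a.Machine -and
                [math]::Abs(($a.Time - $_.Time).TotalMinutes) -le $WindowMinutes
            })
        } | Select-Object -First 1

        if ($match) {
            $match.Alerts.Add($a)
            if ($match.Hashes -notcontains $a.Sha256) { $match.Hashes.Add($a.Sha256) }
        } else {
            $incidents.Add([pscustomobject]@{
                Id     = 'inc-{0}' -f ($incidents.Count + 1)
                Alerts = [System.Collections.Generic.List[object]]@($a)
                Hashes = [System.Collections.Generic.List[string]]@($a.Sha256)
            })
        }
    }
    return $incidents
}

foreach ($inc in (Group-AlertsIntoIncidents -Alerts $alerts -WindowMinutes 60)) {
    '{0}: {1}' -f $inc.Id, (($inc.Alerts | ForEach-Object { "$($_.Id)/$($_.Machine)" }) -join ', ')
}
```

Two properties of this toy version are the ones worth noticing in the real product as well: membership is transitive (a3 joins the first incident through a shared file even though it sits on a different machine hours later, and any later alert near a3 on srv-07 would then join too), and the time window is evaluated against alerts already in the incident, so an alert on the same machine a day later starts a fresh incident rather than extending a stale one.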

Review your alerts and incidents on the security operations dashboard. You can customize and filter the incident queue to help you focus on what matters most to your organization (Figure 2). You can also customize the alert queue view and the machine alerts view to make it easier for you to manage.

Figure 2. Default incident queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list.

Once you detect an attack that requires remediation, you can take the following actions:

Auto investigation and remediation

Microsoft Defender ATP can be configured to automatically investigate and remediate alerts (Figure 3), which will reduce the number of alerts your Security Operations team will need to investigate manually.

Figure 3. You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.

Create and manage machine groups in Microsoft Defender ATP to define automation levels:

  • Not protected: Machines will not get any automated investigations run on them.
  • Semi – require approval for any remediation: This is the default automation level. An approval is needed for any remediation action.
  • Semi – require approval for non-temp folders remediation: An approval is required on files or executables that are not in temporary folders. Files or executables in temporary folders, such as the user’s download folder or the user’s temp folder, will automatically be remediated if needed.
  • Semi – require approval for core folders remediation: An approval is required on files or executables that are in the operating system directories such as the Windows folder and the Program Files folder. Files or executables in all other folders will automatically be remediated if needed.
  • Full – remediate threats automatically: All remediation actions will be performed automatically.

Microsoft Threat Experts

Microsoft Threat Experts is a new, managed threat hunting service that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately with two capabilities:

  1. Targeted attack notifications—Alerts that are tailored to organizations provide as much information as can be quickly delivered to bring attention to critical network threats, including the timeline, scope of breach, and the methods of intrusion.
  2. Experts on demand—When a threat exceeds your SOC’s capability to investigate, or when more actionable information is needed, security experts provide technical consultation on relevant detections and adversaries. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response services is available.

Microsoft Defender ATP customers can register for Microsoft Threat Experts and we will reach out to notify you via email when you’ve been selected.

Learn more

Check back in a few weeks for our final blog post in the series, “Step 10. Detect and investigate security threats,” which will give you tips to deploy Azure Advanced Threat Protection to detect suspicious activity in real-time.


The post Step 9. Protect your OS: top 10 actions to secure your environment appeared first on Microsoft Security.