Understanding influences shaping the cybersecurity landscape, enabling digital transformation, and helping to protect our planet

Microsoft Malware Protection Center - Thu, 12/03/2020 - 12:00pm

The accelerated rate of digital transformation we have seen this past year presents both challenges and endless opportunities for individuals, organizations, businesses, and governments around the world. Cybersecurity is the underpinning of helping protect these opportunities. By examining the influences that are shaping the cyber landscape, and hearing from security experts, industry thought leaders, our customers, and partners—we help strengthen how Microsoft can protect these opportunities.

This month we wrapped season three of Afternoon Cyber Tea with Ann Johnson where Sandra Joyce, a threat intelligence expert joined me for the concluding episode to talk about election security and protecting ourselves against misinformation. Our discussion was incredibly illuminating, and it is a perfect example of the ground we continue to cover in these thoughtful conversations.

Each episode has surfaced perspectives on how our collective approach to cybersecurity ties directly to some of society’s most pressing issues, including the need for more diverse voices in the industry, the impact of a global health emergency, and the urgent need to reframe how we think about security.

The impact of a pandemic on global operations

James Turner, an industry analyst who works to support chief information security officers (CISOs) and strengthen the resilience of the economies for Australia and New Zealand shared his insights in this season’s first episode. He reminded us of that cybersecurity is everyone’s business, using the banking industry to emphasize collaboration between organizations on matters of security, even if those organizations are competitors. “The security operating centers at large banks are on speed dial with each other all the time because the attack against Company A hits Company B the next day.” 

Even during a global pandemic, which James has seen as a tremendous catalyst for information-sharing amid budget cuts and workforce impact, he says simply reaching out to peers remains critical to understanding and preventing threats.

For Microsoft’s Chief Information Security Officer, Bret Arsenault, the pandemic has also reinforced the importance of planning and testing emergency scenarios to combat bad actors who attempt to exploit human vulnerabilities and new realities of life and work online.

“We’ve seen a really big increase in ransomware and a lot of activity against Remote Desktop Protocol because so many people are remoting in. When you see broad usage, you will see broad bad actor campaigns against those things.”—Microsoft’s Chief Information Security Officer, Bret Arsenault, Microsoft

So as companies advance their digital transformation, the best way to enable a productive workforce is to secure it with a solid strategy to mitigate opportunism. And while a little digital empathy goes a long way, getting employees to think responsibly about their own security can help remote workforces avoid risk, too.

Reframing cybersecurity as a business imperative

The human side of cybersecurity remains one of the trickiest but most critical areas to tackle in the industry. Many guests said it’s integral to how they advise organizations on threat prevention and mitigation.

Jules Okafor, CEO and founder of RevolutionCyber, built her entire company on the premise of transforming institutional cyber mindset to drive behavior change among employees after seeing too many organizations focused on selling security products instead of solving problems.

That’s not a cyber mindset. It’s more about how do you surround people with cybersecurity in a way that helps them understand it will make them do their jobs better? Cybersecurity has to be better at aligning with the way people think.”—Jules Okafor, CEO and founder, RevolutionCyber

And I think all of my guests would agree cybersecurity should be prioritized throughout all levels and departments of an organization. Some companies are innovating how they do just that.

“Honestly, some of the most successful cybersecurity internal departments I’ve seen have reported out of risk or finance, not technology.”Tarah Wheeler, Security Researcher and Fulbright Scholar

Defining cybersecurity as one of the pillars of a business Tarah says, demonstrates that it is critical to your success and more than just an afterthought.

This prioritization reflects a level of understanding that Sandra, my most recent guest, said has become paramount in today’s threat landscape.

As the head of Mandiant Intelligence at FireEye, Sandra discourages a prevention-only mindset. Instead, she advises organizations to assume attacks will happen and to conduct threat profiles that help them strategize how to mitigate the damage when breaches occur.

“If you can understand where you sit in the ecosystem, you can prioritize more and, at the very least, get more efficient” she says. “Don’t just look at the initial intrusion. Don’t let the first day of an attack be the day you determine how to manage it.”

But these steps are not limited to organizations. Theresa Payton, CEO of Fortalice Solutions, and author of Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, also offered individuals advice on how to guard against the influence of misinformation campaigns. Our conversation touched on the personal data collected by our devices, too, and what we trade for convenience and insights about the patterns of our lives.

That ubiquitous nature of technology in our lives right now really does have an implication on both privacy but also the risk-versus-reward tradeoff when that data could be really helpful,” she said.

While AI-enabled voice assistants, intelligent appliances, and more can benefit users—think, for example, of discovering an underlying health condition revealed by data collected by your smartwatch—Theresa cautioned against the innumerable unknowns about how that data could be used. And she called on organizations and governing bodies to build security into design and guardrails that prevent helpful technology from hurting us.

The pressing need for more diverse voices in cybersecurity

I am grateful for the chance to talk with guests of unique backgrounds and experiences to hear what inspires them and how they are shaking up the white, male-dominated cybersecurity industry. It became clear that promoting diverse voices goes beyond tapping into a cultural moment—it’s about strengthening the entire industry.

Camille Stewart, head of security policy and election integrity for Android and Google Play, may have put it best when she said, “Racism is inherently a cybersecurity issue because people are at the core of how security controls are adopted and how technology is used. If we do not address issues of systemic racism, the processes and institutions that we are building security into are inherently vulnerable.”

In other words, diversity is threat mitigation, in and of itself.

That is why Camille’s collaboration with Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs is so compelling. Together, they launched the #ShareTheMicInCyber campaign to amplify diverse, expert voices in cybersecurity and share insights to help organizations identify blind spots.

It is an important reminder that the cybersecurity industry is a community and that our ability to protect against threats is only as strong as our ability to identify them—together.

This is something I have so valued this season. The diversity of expertise, experiences, and backgrounds reflected in these episodes are, on a grander scale, helping to shape and improve our collective understanding of cybersecurity. I hope you will find useful takeaways from these leaders who are at the fore of securing and strengthening our industry.

Thank you to all who listened to season three of Afternoon Cyber Tea. All episodes are available to stream and download on PodcastOne, Spotify, and Apple Podcasts.

To learn more about Microsoft Security solutions visit our website. To learn more about CISO topics and solutions, watch the Microsoft CISO Spotlight Series with our host Theresa Payton. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Understanding influences shaping the cybersecurity landscape, enabling digital transformation, and helping to protect our planet appeared first on Microsoft Security.

Manage, govern, and get more value out of your data with Azure Purview

Microsoft Malware Protection Center - Thu, 12/03/2020 - 11:00am

Data is the currency of today’s economy. Data is being created faster than ever in more locations than organizations can track. In fact, IDC has predicted that global data will grow to more than 175 zettabytes by 2025. To put that into context, that’s 175 trillion 1GB USB drives. At the same time, businesses are under significant pressure to turn that data into timely and trustworthy insights, while also maintaining regulatory compliance requirements. But to truly get the insights you need, while keeping up with compliance requirements, you need to know what data you have, where it resides, and how to govern it. For most organizations, this creates arduous ongoing challenges.

We want to help companies overcome that challenge. Many of you already use Microsoft Information Protection to help you to protect the sensitive data that resides in Microsoft 365 and have asked us to extend the reach of Microsoft Information Protection beyond Microsoft 365 to cover more of your digital estate. Today we are excited to announce Azure Purview, a unified data governance service that sets the foundation for data governance across your operational and analytical data estate that is available today in preview. Let’s dive into what that means for your organization.

Manage and govern your data with Azure Purview

Azure Purview enables you to map, catalog, understand, classify, and manage your operational and analytical data—whether on-premises, across your multicloud environment, or within SaaS applications.

With Azure Purview Data Map, you can automate the metadata scanning of on-premises, multicloud, and SaaS data and applications so that you can find and classify this data using built-in, custom classifiers, and Microsoft Information Protection sensitivity labels. With Purview Data Catalog, you can now search, understand the underlying sensitivity, and view how data is being used across the organization with data lineage.

Building on the power of Microsoft Information Protection

At Microsoft, we have long invested in developing information protection solutions for our customers. We started with Microsoft Information Protection, a built-in, intelligent, unified, and extensible solution that understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, Outlook), services (such as Microsoft Teams, SharePoint, Exchange, Power BI), third-party SaaS applications, and more—on-premises or in the cloud.

Azure Purview builds on the same sensitivity labels and data classification taxonomy in Microsoft Information Protection. By extending Microsoft Information Protection’s sensitivity labels with Azure Purview, organizations can now automatically discover, classify, and get insight into sensitivity across a broader range of data sources such as SQL Server, SAP, Teradata, Azure Data Services, and Amazon AWS S3, helping to minimize compliance risk.

Microsoft 365 compliance center and Azure Purview Studio show how an organization’s labels are used consistently across data types and data locations.

Governing your data, wherever it lives, is more critical than ever before, and we are committed to helping you every step of the way. To get started right now with Microsoft Information Protection, you can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center. To start using the preview of Azure Purview, visit the Azure Purview page.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Manage, govern, and get more value out of your data with Azure Purview appeared first on Microsoft Security.

Protect your SQL server on premises, in Azure and in multi-cloud

Microsoft Malware Protection Center - Wed, 12/02/2020 - 12:00pm

Azure Defender for SQL is now generally available for use with SQL Server on premises, in multi-cloud deployments on Amazon Web Services (AWS), and Google Cloud Platform (GCP), and in virtual machines on Azure. Azure Defender for SQL constantly monitors your SQL Server for known vulnerabilities and threats. Microsoft recommends that customers protect their production instances of SQL with Azure Defender for SQL as part of their overall security strategy.

See how Azure Defender for SQL can help you avoid, detect and respond to a popular attack

Attackers often laterally traverse within organizations to discover and exfiltrate data, making data sources including SQL Server popular targets. Customers should implement the standard security best practices for SQL Server including encryption and network security. Because threats are constantly evolving, it is also important to monitor your SQL Server for threats and that’s where Azure Defender for SQL plays an important role. Today’s new announcements coupled with the previously released support for Azure SQL Database means that Azure Defender can protect Microsoft SQL wherever you are running it.

Just a few examples of top security issues identified by Azure Defender for SQL include potential SQL injections, brute force attacks, anomalous database access, and suspicious activities based on threat intelligence enrichment. Here are just two cases discovered and resolved by customers during the preview of Azure Defender for SQL:

  • A customer who was experiencing recurring ransomware attacks used Azure Defender for SQL to discover that the attacker’s access point was the SQL Server. The customer then mitigated the active ransomware attack which started by brute-forcing a weak password in SQL Server and then executing shell scripts.
  • A securely configured SQL Server behind a firewall showed only known legitimate logins. Azure Defender for SQL detected that a machine behind a gateway with allowed access to the SQL Server was also communicating with a honeypot and had been breached.

Azure Defender for SQL Server also includes vulnerability assessment with baseline configuration to customize the service to your environment, benchmark information, and remediation scripts to help you mitigate identified risks.


The diagram below shows how Azure Defender for SQL works for Azure Arc enabled SQL Server. Azure Defender for SQL makes it easy to monitor on-premises and multi-cloud servers leveraging Azure Arc and you can view all of your protected SQL Servers regardless of where they are running in a single pane of glass in Azure.

Figure 1: Integration of Azure Arc enabled SQL Server and Azure Defender.

Azure Defender for SQL is just one component of the Azure Defender stack, which also protects virtual machines, storage, and containers. In addition, you will benefit from centralized management for security, integration with Azure Secure Score, and native integration with Azure Sentinel.

Get started today

We recommend that you protect your SQL Servers today, whether they are in Azure, on premises, or in other clouds with Azure Defender for SQL. To learn more visit our documentation page.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Thanks to Roy Levin and Andrey Karpovsky from Azure Security Center research team for their contributions to this article.

The post Protect your SQL server on premises, in Azure and in multi-cloud appeared first on Microsoft Security.

Azure Sentinel achieves a Leader placement in Forrester Wave, with top ranking in Strategy

Microsoft Malware Protection Center - Tue, 12/01/2020 - 12:00pm

I’m thrilled to announce Forrester Research has named Microsoft Azure Sentinel as a “Leader” in The Forrester Wave: Security Analytics Platform Providers, Q4 2020. When we released Azure Sentinel almost a year ago—the industry’s first cloud-native SIEM on a major public cloud—our goal was to provide a new, innovative approach to help organizations modernize security operations. We’ve been excited and humbled to see enthusiastic adoption across verticals like IT, financial services, e-commerce, big data, and other industries. It’s been particularly fulfilling to work alongside many of you to see the unique ways that Azure Sentinel can improve your security operations.

Today—and this year more than ever—security operations centers (SOCs) are being asked to do more with less, all while protecting a decentralized digital estate. We’re honored that in this time of transformative change, Azure Sentinel can help security teams achieve this goal.

The Azure Sentinel vision

We are especially honored to see that Azure Sentinel received the top ranking in the “Strategy” category because one of our core values is to enable SecOps teams to do more with less by offering a different path forward than traditional, on-premises SIEMs. The key lies in Azure Sentinel’s cloud-native nature. For many of our customers, moving to the cloud has been a transformative change. At Avanade, for example, moving to Azure Sentinel enabled the security team to shift their focus from on-premises management and instead spend time on strategic work to make their organization safer. As a cloud-native SIEM, Azure Sentinel makes it easy to deploy, scale, and use. You can collect, correlate, and analyze data across users, devices, applications, and infrastructure at cloud scale—on premises and in multiple clouds. And instead of investing time and money into inflexible infrastructure, you only pay for the resources you need.

Most importantly, by eliminating the infrastructure and maintenance of an on-premises SIEM, you empower your team to focus on what’s most important: protecting your organization.

Azure Sentinel helps you detect and investigate threats more efficiently by harnessing AI. Azure Sentinel uses a technique called Fusion to find threats that fly under the radar by combining low fidelity, “yellow” anomalous activities into high fidelity “red” incidents. Fusion combines data from disparate data sets across both Microsoft and partner data sources, then uses graph-based machine learning and a probabilistic kill chain to produce high-fidelity alerts. This process reduces alert fatigue by 90 percent, ensuring that SecOps teams are only spending time on real, actionable alerts. And with integrated automation, it further optimizes your team’s time by automating responses to common tasks.

With these innovations, we’ve helped our customers protect their organizations more efficiently—like at ASOS, where the SecOps team cut issue resolution times in half, or at ABM Industries, where the security team reduced the number of alerts they analyze by 50 percent.

Our goals are not just limited to transforming the SIEM market. In September, we shared our vision for how organizations can get fight threats in today’s complex landscape with integrated SIEM and Extended Detection and Response (XDR) from a single vendor. With this combination, you get the best of both worlds—end-to-end threat visibility across all your resources; correlated, prioritized alerts based on Microsoft’s deep understanding of specific resources with AI that stitches that signal together; and coordinated action across the organization. That’s why we’ve optimized Azure Sentinel for ease of integration across Microsoft products, provide many sources of Microsoft 365 data ingestion for free, and have recently launched a Microsoft 365 data grant benefit to help you realize even more value from integrated security.

Just getting started

We’re constantly working with partners and customers on ways to improve Azure Sentinel—and we’re only just getting started. Here are just a few of the innovations we announced at Microsoft Ignite 2020:

  • User and Entity Behavioral Analytics (UEBA), to pinpoint unknown and insider threats.
  • The ability to build your own ML models.
  • Threat Intelligence improvements, including threat indicator management.
  • Watchlists to eliminate time-consuming manual analysis of external data sources, enabling you to correlate security events with other non-security data sources.
  • Many new connectors to simplify data collection.

We have no plans to slow down. With innovations still to come, the best days of Azure Sentinel are still ahead of us.

In the meantime, Azure Sentinel’s performance in the Forrester Wave is an encouraging sign that we’re on the right track with our journey to streamline and strengthen your security—eliminating the complexity of an on-premises infrastructure, saving costs, and enabling SecOps to be more efficient than ever.

To all our customers, thanks for coming with us on this journey. Keep the feedback coming—Eric

Click here to read a courtesy copy of The Forrester Wave: Security Analytics Platform Providers, Q4 2020.

If you’re ready to get started with Azure Sentinel, we invite you to sign up for a trial today.

With integrated SIEM and XDR, you get the best of both worlds. To help you take advantage of this integrated security approach, Microsoft is currently running an Azure Sentinel benefit for Microsoft 365 E5 customers.

From November 1, 2020, through May 1, 2021, Microsoft 365 E5 and Microsoft 365 E5 Security customers can get Azure credits for the cost of up to 100MB per user per month of included Microsoft 365 data ingestion into Azure Sentinel. Data sources included in this benefit include:

  • Azure Active Directory (Azure AD) sign-in and audit logs.
  • Microsoft Cloud App Security shadow IT discovery logs.
  • Microsoft Information Protection logs.
  • Microsoft 365 advanced hunting data (including Microsoft Defender for Endpoint logs).

With these credits, a standard 3,500 seat deployment can see estimated savings of up to $1,500 per month. This offer is available to new and existing customers who have Enterprise (EA) or Enterprise Subscription (EAS) Agreements and Enrollments, and you can begin accruing credits in your first month of eligibility. You can learn more about the offer here.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The post Azure Sentinel achieves a Leader placement in Forrester Wave, with top ranking in Strategy appeared first on Microsoft Security.

Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

Microsoft Malware Protection Center - Mon, 11/30/2020 - 5:30pm

Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with urgency. Recent campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try and fly under the radar and establish persistence.

BISMUTH, which shares similarities with OceanLotus or APT32, has been running increasingly complex cyberespionage attacks as early as 2012, using both custom and open-source tooling to target large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations. But in campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam.

Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks. In this blog, we’ll provide in-depth technical details about the BISMUTH attacks in July and August 2020 and mitigation recommendations for building organizational resilience.

While this actor’s operational goals remained the same—establish continuous monitoring and espionage, exfiltrating useful information as is it surfaced—their deployment of coin miners in their recent campaigns provided another way for the attackers to monetize compromised networks. Considering some of the group’s traditional targets are human and civil rights organizations, BISMUTH attacks demonstrate how attackers give little regard to services they impact.

The use of coin miners by BISMUTH was unexpected, but it was consistent with the group’s longtime methods of blending in. This pattern of blending in is particularly evident in these recent attacks, starting from the initial access stage: spear-phishing emails that were specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance. In some instances, the group even corresponded with the targets, building even more believability to convince targets to open the malicious attachment and start the infection chain.

The other way that BISMUTH attempted to blend in and hide in plain sight was the heavy use of DLL side-loading, a technique in which a legitimate DLL is replaced with a malicious one so that the latter is loaded when the associated application is run. In their recent attacks, BISMUTH utilized copies of various legitimate software to load malicious DLL files and perform tasks in the context of these legitimate applications. To perform DLL sideloading, BISMUTH introduced outdated versions of various applications, including Microsoft Defender Antivirus. They also leveraged the Sysinternals DebugView tool, the McAfee on-demand scanner, and Microsoft Word 2007.

Blending in was important for BISMUTH because the group spent long periods of time performing discovery on compromised networks until they could access and move laterally to high-value targets like servers, where they installed various tools to further propagate or perform more actions. At this point in the attack, the group relied heavily on evasive PowerShell scripts, making their activities even more covert.

The coin miners also allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re “commodity” malware. If we learned anything from “commodity” banking trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively.

Initial access

BISMUTH attempted to gain initial access by sending specially crafted malicious emails from a Gmail account that appears to have been made specifically for this campaign. It’s likely the group conducted reconnaissance using publicly available sources and chose individual targets based on their job function. Each email was sent to only one recipient at each target organization and used tailored subject lines and lure themes, for example:

  • Dự thảo hợp đồng (translates from Vietnamese to “Draft Contract”)
  • Ứng tuyển – Trưởng ban nghiên cứu thị trường (translates from Vietnamese to “Application form – Head of Market Research”)

Of note, the group sent several replies to one of these emails, which indicated that they corresponded with some targets before convincing them to open the malicious document attachment and inadvertently launch the payload. When opened, the malicious .doc file dropped several files in the hidden ProgramData folder: (1) MpSvc.dll, a malicious DLL with the same name as a legitimate Microsoft Defender Antivirus DLL, and (2) a copy of MsMpEng.exe the legitimate Microsoft Defender Antivirus executable.

The malicious document then added a scheduled task that launched the MsMpEng.exe copy and sideloaded the malicious MpSvc.dll. Because the latest versions of Microsoft Defender Antivirus are no longer susceptible to DLL sideloading, BISMUTH used an older copy to load the malicious DLL and establish a persistent command-and-control (C2) channel to the compromised device and consequently the network.

Using the newly established channel, the group dropped several files for the next stages of the attack, including a .7z archive, a copy of Word 2007, and another DLL, wwlib.dll. While it used the same name as a legitimate Microsoft Word DLL, wwlib.dll was a copy of KerrDown, a family of custom malware exclusive to BISMUTH. This file was subsequently sideloaded by the dropped copy of Word 2007—a technique used by BISMUTH extensively to load malicious code from a DLL file in the context of a legitimate process like winword.exe.

BISMUTH established another persistence method by dropping another copy of Word 2007 in a subfolder in ProgramData. The group then created a scheduled task that launched that copy in the same malicious manner every 60 minutes – further increasing their chances of going undetected and maintaining their presence.


Once established as a scheduled task, the co-opted Word 2007 process dropped and loaded a scanning tool popular among attackers, NbtScan.exe. BISMUTH then immediately used the scanning tool to scan an IP address range within the organization. Following this network scan, the Word 2007 process launched a malicious script using a living-off-the-land-binary, rundll32.exe, resulting in a scan on a myriad of common ports, including 21, 22, 389, 139, and 1433. BISMUTH listed devices with open ports in a .csv file.

While network scanning was underway, the group performed other reconnaissance activities. They gathered information about domain and local administrators, checked whether users had local administrative privileges, and collected device information—aggregating results in a .csv for exfiltration. In addition, the group once again used MsMpEng.exe with the malicious sideloaded DLL to connect to another device that appears to have been designated by BISMUTH at some point during the attack as an internal C2 foothold and exfiltration staging device.

Continued lateral movement, discovery, and intel gathering

After a month of continual discovery on compromised devices, the group moved laterally to a server and copied over a malicious DLL that masqueraded as the system file mpr.dll and a copy of the Sysinternals DebugView tool. They dropped the tool onto different devices using SMB remote file copy, using file names related to popular Japanese video game characters and a seemingly random word. The actors then registered and launched malicious services multiple times, launching DebugView tool to connect to multiple Yahoo websites and confirm Internet connectivity, followed by a connection to their C2 infrastructure.

At this point, BISMUTH switched to running their attacks using PowerShell, quickly launching multiple script cmdlets. First, they dumped credentials from the Security Account Manager (SAM) database using the Empire PowerDump command and then quickly deleted PowerShell event logs to erase records generated by Script Block Logging. They then continued their discovery efforts using a PowerShell script that gathered user and group information and sent the gathered data to .csv files.

The script collected the following information about each user:

description, distinguishedname, lastlogontimestamp, logoncount, mail, name, primarygroupid, pwdlastset, samaccountname, userprincipalname, whenchanged, whencreated

And the following information about each domain group:

adspath, description, distinguishedname, groupType, instancetype, mail, member, memberof, name, objectsid, samaccountname,whenchanged, whencreated

Next, the group exported directory forest and domain organizational unit (OU) information. They then started connecting to dozens of devices using WMI. Following that, they collected credentials by dumping security logs under Event ID 680, possibly targeting logs related to NTLM fallbacks. Lastly, the group used the system tool Nltest.exe to gather domain trust info and pinged multiple servers they have identified by name during reconnaissance. Some of these servers appear to be database and file servers that could have contained high-value information for espionage objectives typically pursued by BISMUTH.

BISMUTH then installed a Cobalt Strike beacon. The group dropped a .rar file and extracted its contents—McOds.exe, which is a copy of the McAfee on-demand scanner, and a malicious DLL—into the SysWOW64 folder. The group then created a scheduled task that launched the copy of the McAfee on-demand scanner with SYSTEM privileges and sideloaded the malicious DLL. This persistence mechanism established a connection to their Cobalt Strike server infrastructure. To clean up evidence, they deleted the dropped McAfee binary.

In terms of targets for this campaign, there were some commonalities among targets located in Vietnam that Microsoft has assessed to be tied to their previous designation as state-owned enterprises (SOEs). The observed BISMUTH activity in Vietnam targeted organizations that included former SOEs previously operated by the government of Vietnam, entities that have acquired a significant portion of a former SOE, and entities that conduct transactions with a Vietnamese government agency. Although the group’s specific objectives for these recent attacks cannot be defined with high confidence, BISMUTH’s past activities have included operations in support of broader espionage goals.

Coin miner deployment and credential theft

As mentioned, BISMUTH deployed coin miners during these attacks. To do this, they first dropped a .dat file and loaded the file using rundll32.exe, which in turn downloaded a copy of the 7-zip tool named 7za.exe and a ZIP file. They then used 7-Zip to extract a Monero coin miner from the ZIP file and registered the miner as a service named after a common Virtual Machine process. Each coin miner they deployed had a unique wallet address that earned over a thousand U.S. dollars combined during the attacks.

After deploying coin miners as their distraction technique, BISMUTH then focused much of its efforts on credential theft. They registered multiple malicious services that used %comspec%—a relative reference to cmd.exe commonly used by attackers—to run the renamed DebugView tool while loading a malicious DLL. The group used DebugView and the malicious DLL in a fairly unexpected fashion to launch Base64-encoded Mimikatz commands using one of several Windows processes: makecab.exe, systray.exe, w32tm.exe, bootcfg.exe, diskperf.exe, esentutl.exe, and typeperf.exe.

They ran the following Mimikatz commands that require SYSTEM or Debug privileges:

  • sekurlsa::logonpasswords full–lists all account and user password hashes, typically user and computer credentials for recently logged on users
  • lsadump::lsa /inject—injects LSASS to retrieve credentials and request the LSA Server to grab credentials from the Security Account Manager (SAM) database and Active Directory (AD)

After running these commands, the co-opted DebugView tool connected to multiple attacker-controlled domains, likely to exfiltrate stolen credentials.

As the affected organizations worked to evict BISMUTH from their networks, Microsoft security researchers saw continued activity involving lateral movement to other devices, credential dumping, and planting of multiple persistence methods. This highlights the complexity of responding to a full-blown intrusion and the significance of taking quick action to resolve alerts that flag initial stages of an attack.

Building organizational resilience against attacks that blend in

BISMUTH attacks put strong emphasis on hiding in plain sight by blending in with normal network activity or common threats that attackers anticipate will get low-priority attention. The combination of social engineering and use of legitimate applications to sideload malicious DLLs entail multiple layers of protection focused on stopping threats at the earliest possible stage and mitigating the progression of attacks if they manage to slip through. Here are mitigation recommendations that organizations can implement to limit exposure:

Limit the attack surface that attackers can leverage for initial access:

  • Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity.
  • Configure Office 365 email filtering settings to ensure blocking of phishing & spoofed emails, spam, and emails with malware. Set Office 365 to recheck links on click and delete sent mail to benefit from newly acquired threat intelligence.
  • Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.
  • Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.
  • Check perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control activity.

Build credential hygiene to reduce risk during discovery stage:

  • Enforce strong, randomized local administrator passwords. Use tools like LAPS.
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts.
  • Require multi-factor authentication through Windows Hello.

Stop attack sprawl and contain attacker movement:

  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Monitor for clearing of event logs. Windows generates security event ID 1102 when this occurs.
  • Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Highly privileged accounts should not be present on workstations.
  • Utilize the Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.

To better defend organizations against attacks that do everything to blend in once they gain access to a network, organizations can build defenses for preventing and blocking attacks at the initial access stage. Microsoft Defender for Office 365 provides defense capabilities that protect organizations from threats like credential phishing, business email compromise, and cyberattacks that begin with spear-phishing emails. Safe attachments and Safe links provide real-time protection using a combination of detonation, automated analysis, and machine learning, which are especially useful for highly targeted, specially crafted emails. Campaign views show the complete picture of email campaigns, including timelines, sending patterns, impact to the organization, and details like IP addresses, senders, URLs.

The broader Microsoft 365 Defender presents cross-domain threat intelligence and actionable information in consolidated incidents view, empowering security operations teams to comprehensively respond to attacks. For critical threats like BISMUTH campaigns, Microsoft researchers publish threat analytics reports that contain technical details, detection info, and mitigation status. Investigation tools like advanced hunting allow security teams to perform additional inspection of the environment for related or similar threats. Threat and vulnerability management data show mitigation recommendations, including enabling relevant attack surface reduction rules, that organizations can take to reduce risks.

These industry-leading capabilities in Microsoft 365 Defender are backed by Microsoft’s network of researchers and security experts who monitor the threat landscape and track threat actors like BISMUTH. Through Microsoft 365 Defender, we transform threat intelligence into protections and rich investigation tools that organizations can use to build organizational resilience. Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.


Justin Carroll and Emily Hacker, Microsoft 365 Defender Threat Intelligence Team

with Microsoft Threat Intelligence Center (MSTIC)


MITRE ATT&CK techniques observed

Initial access



Privilege escalation

Defense evasion

Credential access



Data exfiltration

The post Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them appeared first on Microsoft Security.

Zerologon is now detected by Microsoft Defender for Identity

Microsoft Malware Protection Center - Mon, 11/30/2020 - 12:00pm

There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity along with other Microsoft 365 Defender solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.

Here is a sneak peek into our detection lifecycle

Whenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected WannaCry attacks and with the alert for Suspected SMB (Small and Medium Businesses) packet manipulation (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.

Over the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even if we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding mechanisms are built.

This lack of activity changed on September 13, when we triggered a surge in alerts. Simultaneously, this increase in activity was followed by the publication of several proof-of-concept tools and demo exploits that can leverage the vulnerability.

Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020

Microsoft Defender for Identity can detect this vulnerability early on. It covers both the aspects of exploitation and traffic inspection of the Netlogon channel.

Figure 2: Alert page experience

With this Microsoft Defender for Identity alert, you will be able to identify:

  • The device that attempted the impersonation.
  • The domain controller.
  • The targeted asset.
  • Whether the impersonation attempts were successful.

Finally, customers using Microsoft 365 Defender can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint. This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.

A close look at some of the earliest ZeroLogon attacks

ZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario, it will require an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, Microsoft Threat Experts observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity was originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their perimeter into organizations that, after a month of a patch being available, were still running unpatched domain controllers.

Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale

One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit.

Using the @MsftSecIntel Twitter handle, we publicly shared some file indicators used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoints.

Hunting for ZeroLogon in Microsoft 365 Defender

Combining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&CK framework, and machine learning models.

In this section, we provide an example (in the simplified form of an advanced hunting query) of how Microsoft 365 Defender correlation logic operates behind-the-scenes to combine alerts, reducing Security Operations Centers (SOC) fatigue and facilitating investigation.

The following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.

First, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.

// Find all Netlogon exploit attempt alerts containing source devices
let queryWindow = 3d;
| where Timestamp > ago(queryWindow)
| where ServiceSource == "Azure ATP"
| where Title == "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
| join (AlertEvidence
| where Timestamp > ago(queryWindow)
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
) on AlertId
| summarize by AlertId, DeviceId, Timestamp

Next, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:

// Find potential endpoint Netlogon exploit evidence from AlertId
let NLAlertId = "insert alert ID here";
let lookAhead = 1m;
let lookBehind = 6m;
let NLEvidence = AlertEvidence
| where AlertId == NLAlertId
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
| summarize Timestamp=arg_min(Timestamp, *) by DeviceId;
let sourceMachine = NLEvidence | distinct DeviceId;
let alertTime = todatetime(toscalar(ZLEvidence | distinct Timestamp));
| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))
| where DeviceId in (sourceMachine)
| where RemotePort == 135 or RemotePort between (49670 .. 49680)
| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl

This query can return a result that looks like this:

Tying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or from an actual attack.

Defend against ZeroLogon

Learn more about the alert here, along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.

Also, feel free to review our guidance on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability

Customers with Microsoft Defender for Endpoint can get additional guidance from the threat analytics article available in Microsoft Defender Security Center.

Get started today

Are you just starting your Microsoft Defender for Identity journey? Begin a trial of Microsoft 365 Defender to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.

Join the Microsoft Defender for Identity Tech Community for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zerologon is now detected by Microsoft Defender for Identity appeared first on Microsoft Security.

Go inside the new Azure Defender for IoT including CyberX

Microsoft Malware Protection Center - Wed, 11/25/2020 - 2:00pm

In 2020, the move toward digital transformation and Industry 4.0 took on new urgency with manufacturing and other critical infrastructure sectors under pressure to increase operational efficiency and reduce costs. But the cybersecurity model for operational technology (OT) was already shown to be lacking before the pandemic. A series of major cyberattacks across industries served as a wake-up call that the traditional “air-gapped” model for OT cybersecurity had become outdated in the era of IT/OT convergence and initiatives such as Smart Manufacturing and Smart Buildings. And the IoT and Industrial Internet of things (IIoT) are only getting bigger. Analysts predict we’ll have billions of IoT devices connected worldwide in a few years, drastically increasing the surface area for attacks.

Company boards and management teams are understandably concerned about increased safety and corporate liability risks as well as the financial impact of crippling downtime posed by IoT/OT breaches. They’re also concerned about losing sensitive IP such as proprietary formulas and product designs, since manufacturers are eight times more likely to be attacked for cyberespionage than other sectors, according to the 2020 Verizon DBIR.1

In my recent Microsoft Ignite presentation, Azure Defender for IoT including CyberX, I was joined by Nir Krumer, Principal PM Manager at Microsoft, to examine how the new Azure Defender for IoT incorporates CyberX’s agentless technology and IoT/OT-aware behavioral analytics, minimizing those risks by providing IT teams with continuous IoT/OT visibility into their industrial and critical infrastructure networks. You’re invited to view the full presentation and review some highlights below.

IT versus OT

Unlike information technology (IT) security, OT security is focused on securing physical processes and assets rather than digital assets like containers and SQL databases. Physical assets include devices like turbines, mixing tanks, HVAC systems in smart buildings and data centers, factory-floor machines, and more. In OT, the top focus is always on safety and availability. Availability means that your production facilities must be resilient and keep operating, because that’s where the revenue comes from. However, the biggest difference from IT security is that most chief information security officers (CISOs) and SOC teams today have little or no visibility into their OT risk, because they don’t have the multiple layers of controls and telemetry as we have in IT environments. And OT risk translates directly into business risk.

As recent history shows, attacks on OT are already underway. The TRITON attack on the safety controllers in a Middle East petrochemical facility was intended to cause major structural damage to the facility and possible loss of life. The attackers got their initial foothold in the IT network but subsequently used living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new ways of compromising unmanaged OT devices, which historically haven’t supported agents and are typically invisible to IT teams.

Figure 1: Purdue Model traversal in TRITON attack.

How Azure Defender for IoT works for you

By incorporating agentless technology from Microsoft’s recent acquisition of CyberX, Azure Defender for IoT enables IT and OT teams to identify critical vulnerabilities and detect threats using IoT/OT-aware behavioral analytics and machine learning—all without impacting availability or performance.

In our Ignite presentation, we broke down five key capabilities provided by the product’s agentless security for unmanaged IoT/OT devices:

  • Asset discovery: Because you cannot protect what you do not know you have, Azure Defender tells you what IoT/OT devices are in your network and how they’re communicating with each other. Also, if you’re implementing a Zero Trust policy, you need to know how these devices are connected so you can segment them onto their own network and manage granular access to them.
  • Risk and vulnerability management: Azure Defender helps you identify vulnerabilities such as unauthorized devices, unpatched systems, unauthorized internet connections, and devices with unused open ports—so you can take a prioritized approach to mitigating IoT/OT risk for your crown jewel assets. These are the critical devices whose compromise would have a major impact on your organization, such as a safety incident, loss of revenue, or theft of sensitive IP.
  • Continuous IoT threat monitoring and response: Azure Defender continuously monitors the OT network using Layer 7 Deep Packet Inspection (DPI), informing you immediately when there has been unusual or unauthorized behavior, and empowering you to mitigate an attack before it causes a production failure or safety incident. It incorporates a deep understanding of all major industrial protocols (including Modbus, DNP3, Siemens S7, Ethernet/IP CIP, GE-SRTP, and Yokogawa) and patented, IoT/OT-aware behavioral analytics to detect threats faster and more accurately, with a far shorter learning period than generic baselining algorithms.
  • Operational efficiency: When you have malfunctioning or misconfigured equipment, you need to quickly figure out what went wrong. By providing deep visibility into what’s going on in the network—such as a misconfigured engineering workstation that’s constantly scanning the network—you can help your IoT/OT engineers quickly identify and address the root cause of those issues.
  • Unified IT/OT security monitoring and governance: Azure Defender for IoT is deeply integrated with Azure Sentinel and also supports third-party tools such as Splunk, IBM QRadar, and ServiceNow. This helps break down silos that slow communication between IT and OT teams, and creates a common language between them to quickly resolve issues. It also enables you to quickly address attacks that cross IT/OT boundaries (like TRITON), as well as leverage the workflows and training you spent years building in your security operations center (SOC)—so you can apply them to IoT and OT security as well.
Deployment Architecture

So, how does this system get deployed? Azure Defender for IoT uses a network sensor to capture a copy of the network traffic through the switch port analyzer (SPAN). It uses a technique called passive monitoring or network traffic analysis (NTA) to identify assets, vulnerabilities, and threats without impacting the performance or reliability of the IoT/OT network. The solution can be 100 percent on-premises, connected to Azure, or a hybrid of the two (for example, by forwarding alerts to Azure Sentinel).

Figure 2: Azure Defender for IoT uses an on-premises network sensor to capture and analyze all IoT/OT traffic. The solution can be deployed fully on-premises, or connected to Azure, or in hybrid environments where the SIEM is cloud-based, as with Azure Sentinel.

Azure Sentinel integration

To enable rapid detection and response for attacks that cross IT/OT boundaries, Azure Defender is deeply integrated with Azure Sentinel—Microsoft’s cloud-native SIEM/SOAR platform. As a SaaS-based solution, Azure Sentinel delivers reduced complexity, built-in scalability, lower total cost of ownership (TCO), and continuous threat intelligence and software updates. It also provides built-in IoT/OT security capabilities, including:

  • Deep integration with Azure Defender for IoT: Azure Sentinel provides rich contextual information about specialized OT devices and behaviors detected by Azure Defender—enabling your SOC teams to correlate and detect modern kill-chains that move laterally across IT/OT boundaries.
  • IoT/OT-specific SOAR playbooks: Sample playbooks enable automated actions to swiftly remediate IoT/OT threats.
  • IoT/OT-specific threat intelligence: In addition to the trillions of signals collected daily, Azure Sentinel now incorporates IoT/OT-specific threat intelligence provided by Section 52, our specialized security research team focused on IoT/OT malware, campaigns, and adversaries.

You are invited to watch our Microsoft Ignite presentation to learn more about Azure Defender for IoT, including a live demo of how deep integration with Azure Sentinel can be used to investigate multistage IT/OT attacks like TRITON.

Visit the Azure Defender for IoT website to learn more and try it for free during Public Preview. You can also learn more about Microsoft Security solutions by visiting our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 2020 Verizon DBIR, pages 36 and 59.

The post Go inside the new Azure Defender for IoT including CyberX appeared first on Microsoft Security.

Microsoft Azure Active Directory again a “Leader” in Gartner Magic Quadrant for Access Management

Microsoft Malware Protection Center - Tue, 11/24/2020 - 12:00pm

Howdy folks,

I’m proud to announce that for the fourth year in a row, Microsoft Azure Active Directory (Azure AD) has been recognized as a “Leader” in Gartner Magic Quadrant for Access Management, Worldwide.

Earlier this year, my boss, Joy Chik, CVP of Identity Engineering shared Microsoft’s guiding principles of our identity and access management (IAM) strategy, emphasizing our commitment to delivering a secure and scalable identity solution. Azure AD safeguards access to your apps by enforcing strong authentication and adaptive risk-based access policies, providing seamless user access with single sign-on (SSO) and reduced IT costs. We envision Azure AD as the key to embracing a Zero Trust security model, enabling secure application access and greater productivity across users, apps, and devices.

Consistently landing in Gartner Magic Quadrant for the past four years tells us that we’re executing on our vision and making a difference for you, our customers.

We’ve learned from your resilience in adapting to remote work over the past year, and your direct feedback has shaped our advancements in several areas:

  • Adaptive security: Azure AD natively offers comprehensive logging, dashboard, and reporting capabilities, as well as identity analytics with Azure AD Identity Protection.
  • Secure application access: Azure AD supports out-of-the-box single sign-on (SSO) and provisioning connectors to thousands of SaaS apps, as well as authentication for legacy on-premises applications through App Proxy and secure hybrid-access partnerships.
  • Report-only mode: The report-only (or audit-only) mode enables administrators to evaluate the impact of Conditional Access policies before enabling them for users.
  • Web Content Accessibility Guidelines: We’re proud of our commitment to inclusion and accessibility by design, which goes beyond meeting Web Content Accessibility Guidelines (WCAG) compliance to providing a positive experience for all users.
  • API access control: We offer built-in centralized policy management, management of security tokens, token translation, and developer self-service support. In addition, Azure AD offers native integration with the Azure API Management service or with third-party API gateway products for more advanced API security.
  • Open standards: Azure AD offers support for all major identity standards, including SAML 2.0, WS-Fed, OIDC, OAuth 2.0, and password vaulting with JavaScript-based login form filling.

We’re honored to place this well for the fourth time and believe it reflects the energy and passion we’ve put into partnering with our customers to help them successfully digital transform their businesses. That said, there’s lots more work to do, and we look forward to continuing to partner with you, our customers, to assure the products we build keep your organizations secure and productive. We’re grateful for your trust, and I look forward to seeing what we can accomplish together in the coming year.

To learn more about Microsoft Identity solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on identity and cybersecurity.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft Azure Active Directory again a “Leader” in Gartner Magic Quadrant for Access Management appeared first on Microsoft Security.

IoT security: how Microsoft protects Azure Datacenters

Microsoft Malware Protection Center - Mon, 11/23/2020 - 12:00pm

Azure Sphere first entered the IoT Security market in 2018 with a clear mission—to empower every organization on the planet to connect and create secure and trustworthy IoT devices. Security is the foundation for durable innovation and business resilience. Every industry investing in IoT must consider the vulnerabilities of the cyberthreat landscape. For our customers, Azure Sphere has helped unlock opportunities for new insights and to deliver magical new experiences simply by providing a secured foundation for IoT.

Our customers are leading innovations across industries, and they are our strongest resource when it comes to security needs. One of the most significant blockers for customers is the risk assumed by connecting business-critical devices and equipment to the internet. Datacenters are a notable example. When you look at the datacenter’s essential infrastructure, the most critical functions of maintaining the environment have been intentionally kept offline to protect and preserve them. While the servers and network of a datacenter function as this powerful hub of innovation that drives global computing, the mechanical, and electrical systems that they depend on are, out of necessity, air gapped.

Mike Czamara, a General Manager at Microsoft, leads a team dedicated to the critical environment and availability of Azure Datacenters worldwide. “We approach datacenters with a necessarily conservative methodology. There’s the shell and there’s the critical space,” he says. Mike describes the shell as the building, the walls, the roof, the electrical system, the mechanical systems; everything that functions around the critical spaces or in service of them. The core is the servers and all the networking. The shell’s multiple systems operate simultaneously, but not always symbiotically since they are not digitally connected. Connecting critical equipment is a substantial risk for a datacenter focused on reducing, if not eliminating downtime.

However, disruptions happen. Outages happen. Mike’s team was finding that there were sometimes problems across building automation systems or power monitoring systems running code written by a third party. These issues sometimes lead to breakdowns. But, because the code at the heart of the issue was controlled by a third party, as Mike puts it, “Part of our destiny, and that of our customers, was out of our control.” Having greater control over the datacenter environment promised better outcomes for customers. The need for more control over the datacenter environment was nested in a larger challenge: the datacenter ecosystem itself.

Taking the first step

We’re at the very beginning. We’re just walking up to the starting line. IoT was the first step,” says Mike. Really, the first step was an email. Adolfo Ferreira, a Senior Principal Technical Program Manager on Mike’s team, learned about Azure Sphere from the public announcement in April 2018. Adolfo immediately emailed Galen Hunt, the Managing Director of Azure Sphere. “I wrote him, begging him to give me a development kit. I told him what I wanted to do with it, and he took a kit away from one of his developers to give to me.” As Mike puts it, “From that point, it was game on.

Azure Sphere really triggered this big opportunity for us,” says Adolfo. At the time he discovered Azure Sphere, Adolfo and his team were looking to develop secured data acquisition from the mechanical and electrical systems, which have always been “read-only” systems. Azure Sphere gave them a way to securely connect these systems. The end-to-end solution includes secured hardware, the custom-built Azure Sphere OS, the cloud-based Azure Sphere Security Service, and ongoing servicing by Microsoft security experts for more than ten years. “I understood what Azure Sphere was trying to do, I knew the security was the highest level in the industry. I knew nothing could come close to the level of security Azure Sphere could offer,” says Adolfo.

For every Azure datacenter, security is the greatest priority, and the security requirements are spectacularly stringent. “Our data centers are not just running Microsoft’s businesses, but other tens of thousands of other company’s businesses within them. The Azure Sphere guardian module has layers and layers of security. The guardian module had no problem meeting our bar,” says Mike.

With Azure Sphere, the team started connecting mechanical and electrical systems—air handling units, power distribution units—to collect telemetry from the devices. In parallel, they started collecting data from servers and network devices. By using guardian modules powered by Azure Sphere, the team was able to confidently connect their most critical equipment when before the risk had been too great.

The team is exploring multiple scenarios that Azure Sphere has made possible. Maintenance, for example, is probably the most substantial commitment required of a datacenter. The standard approach is to have a regular, planned maintenance schedule to prevent problems. Sometimes it’s necessary, but often it’s just scheduled and so it just happens even when there’s no apparent need. Mike estimates that by staying on top of this sort of “blind maintenance” routine, only about 15 percent of maintenance will be reactive, meaning in response to an immediate need.

Informed by telemetry from connected systems, maintenance can become incisive, truly predictive, and can reduce reactive maintenance to as little as five percent. This can make a dramatic difference for organizations that forecast a budget one to five years out. Says Mike, “We are not spending money in hopes of preventing an outage. Our spend can become more targeted.”

Unlocking insights

Mike envisions a future of diagnostics in the datacenter. He sees a cache of information in every piece of equipment, “When we unlock that, it’s data that can create a wealth of knowledge. When I can see that a specific component in a certain generator is acting funny, and I can see how it affects performance health, I can make a more informed choice of what to do.” But he is thinking bigger than just generators or even just one datacenter. The knowledge gained from a single issue or incident in one datacenter can inform and improve performance for all the other datacenters located around the world.

But Mike is still thinking bigger than that—bigger than Microsoft. Having access to diverse sets of data, from partners and, maybe one day, from other organizations running equipment securely connected with Azure Sphere, can drive more informed decisions, and improve safety.

Smarter and safer

Mike’s team has been pioneering new safety measures enabled by Azure Sphere. Anytime a person must go into a datacenter to work on a piece of equipment, it is a point of risk. “There’s a problem of human error when a person goes into the wrong panel. They might turn off the wrong panel, which disrupts our customers.” In addition to the risk of uptime, there is also a serious risk to personal safety. Datacenters use a ton of power. A single datacenter uses between thirty-two and forty megawatts of power, roughly equivalent to six thousand homes. Panels have power sensors that will trip a warning siren when necessary, but a person’s instinctive reaction is to immediately shut the panel to turn off the alarm, potentially leaving problems unresolved. The team had to think about the problem, safety risk, and human behavior.

The team paired a klaxon siren with an Andon light and using a board built with Azure Sphere connected to the power sensor and datacenter control system. This setup made it possible to send the step-by-step of a work order, called a digital method of procedure (DMOP), directly to the panel requiring work. When a DMOP is released, the Andon light for the specific panel will change color to identify it as the panel requiring work. As the person goes through the DMOP for the work order, step by step, the light will reflect their progress. If the person misses a step, the light will signal the mistake and the klaxon will sound. Says Mike, “It’s exactly like bowling with bumpers.

The team went a step further and integrated their electrical power monitoring system and their incident monitoring system. If a person working in the datacenter opens the wrong panel, a security alert is automatically sent, and a ticket is cut to a manager. “We immediately know when something has gone off-script if someone has put themselves or the datacenter in jeopardy. We can stop all work and figure out what’s going on,” says Mike.

Azure Sphere made it possible to securely coordinate multiple systems to create a new safety process. The connected panels do more than just help ensure correct and safe execution of processes, they also capture data when things go wrong so that the team can learn from incidents and resolve problems. “We’re creating systems that will keep us within the lines of safety and security and that help us adjust and refine those lines,” says Mike.

Impressive too is that Adolfo’s team developed the first of these safer electrical panels in only two months. “The Azure Sphere SDK made it possible for us to move fast and develop a complete solution from scratch, that was fully integrated with Azure Cloud Services,” he says. “With Azure Sphere, we can quickly turn any idea into a proof of concept.”

Strategic advantages

Adolfo’s team is focused on developing systems to increase reliability, security, and safety, and to optimize the building and systems that make up the “shell” of the datacenters. The total Azure Sphere offering, particularly the ongoing servicing by Microsoft security experts for more than ten years, has amplified the team’s ability to deliver business value. The cloud-based Azure Sphere Security Service automatically delivers OS and security updates to every device, so Adolfo and his team never have to worry about patching. “That’s all taken care of by Azure Sphere,” he says. And when the team needs to push new firmware to devices, Adolfo says it’s incredibly straightforward to do that at scale. Plus, Azure Sphere attestation guarantees the right firmware version is running on all their devices. “The services and support that Azure Sphere just provides have taken away the burden on my team,” he says.

Handling all that work at scale, especially security, would have required building out a dedicated team. “Having a whole team just for upkeep doesn’t actually add business value. Instead, we can spend our time on how to implement technology to improve availability, to reduce costs, to increase visibility into operations—that’s really how we add value. It’s a huge advantage. We have the opportunity to set the new standard in the datacenter industry, using Azure Sphere,” says Adolfo.

The business case for creativity

Mike sees the true value of Azure Sphere in how it enables innovation on a much larger scale of influence: “This tiny little thing is enabling us to evolve—not iterate anymore—evolve our space, our industry. It’s going to make our datacenters much more predictable, more usable, so that our customers reap the benefits and rewards of everything we’re doing.”

Mike started out by giving one engineer, Adolfo, total freedom to innovate with that first Azure Sphere development kit. Now Adolfo leads a team of ten whose only job is to create, to invent, to explore. “Because we were seeing such gains with one, two, then three people driving innovation, I was able to make a legitimate business case to bring on more people,” says Mike.

One of the reasons why Mike can confidently turn his team loose, without rails (“you can’t really have rails if you want to innovate,” he says), is because Azure Sphere offers a secured platform. The team’s grounding principles are safety, security, uptime, and cost. It must be safe. It must be secure. It cannot impact the customer. And it has to be affordable. Says Mike, “Azure Sphere delivers it all. It gives us this great foundation to work through wild ideas and opportunities.

Get started with Azure Sphere today to build and test innovative, secured solutions for your organization, even while you’re working remotely.

The post IoT security: how Microsoft protects Azure Datacenters appeared first on Microsoft Security.

Modernize secure access for your on-premises resources with Zero Trust

Microsoft Malware Protection Center - Thu, 11/19/2020 - 2:00pm

Change came quickly in 2020. More likely than not, a big chunk of your workforce has been forced into remote access. And with remote work came an explosion of bring-your-own-device (BYOD) scenarios, requiring your organization to extend the bounds of your network to include the entire internet (and the added security risks that come with it).

At this year’s Microsoft Ignite, we demonstrated how to bring your legacy on-premises resources into a Zero Trust security model that provides seamless access to all—SaaS, IaaS, PaaS, and on-premises—with a global presence and no extra steps to remember. You’re invited to watch our full presentation and review the highlights below.

The new decentralized workplace

Organizations that steadfastly relied on the “flat network” approach of firewalls and VPNs to regulate access now find themselves lacking the visibility, solution integration, and agility needed to deliver end-to-end security. A new model needed to adapt to a remote workforce, protecting people, devices, applications, and data—from anywhere.

Figure 1: Legacy access model

In a Zero Trust security model, every access request is strongly inspected for anomalies before granting access. Everything from the user’s identity to the application’s hosting environment is authenticated and authorized using micro-segmentation and least privileged-access principles to minimize lateral movement.

Zero Trust means adhering to three cohesive principles:

  • Verify explicitly: Always authenticate and authorize based on all available data points, including—user identity, location, device health, service or workload, data classification, and anomalies.
  • Use least privileged access: Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.
  • Assume breach: Minimize the blast radius and prevent lateral movement by segmenting access by network, user, devices, and app awareness. Verify all sessions are encrypted and use analytics to gain visibility, drive threat detection, and improve defenses.

Figure 2: Microsoft Zero Trust model

In the diagram above, you can see how access is unified across users, devices, and networks; all the various conditions that feed into the risk of a session. Acting as a gateway, the access policy is unified across your resources—SaaS, IaaS, PaaS, on-premises, or in the cloud. This is true whether it’s Azure, Amazon Web services (AWS), Google Cloud Platform (GCP) or some other cloud. In the event of a breach, rich intelligence, and analytics help us identify what happened and how to prevent it from happening again.

Cybersecurity for our time

The right security solution for our new perimeterless workplace employs the principles of Zero Trust, allowing users access only to the specific applications they need rather than the entire network. Because Zero Trust access is tied to the user’s identity, it allows IT departments to quickly onboard new and remote users, often on non-corporate devices, scoping permissions appropriately.

A cybersecurity model for today’s digital estate should include:

For the end-user:

  • Access to all resources: SaaS, IaaS, PaaS, on-premises.
  • Seamless experience: No extra steps or unique URLs to remember.
  • Great performance: Proxy services should have a global presence and use geo-location.

For the security/IT admin:

  • Segmentation by app, not network.
  • Adaptive access based on the principles of Zero Trust.
  • Reduce infrastructure complexity and maintenance.
Connect apps to an identity based, secure access solution

With Microsoft Azure Active Directory (Azure AD), it’s easy to connect all your applications through a single identity-based control plane. When it comes to cloud apps, Azure AD supports standard authentication modes such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). To accommodate new apps your organization may be developing, Azure AD also provides tools and software development kits (SDK) to help you integrate these as well.

Figure 3: Microsoft Azure Active Directory

When it comes to classic or on-premises applications, Azure AD Application Proxy enables your security team to easily apply the same policies and security controls used for cloud apps to your on-premises apps. All that’s needed is to install a lightweight agent called a connector onto your Windows server, allowing a connection point to your on-premises network. In this way, one connector group can be configured to serve multiple back-end applications, giving you the freedom to architect a truly micro-segmented solution.

Figure 4: Azure Active Directory Application Proxy

Azure AD Application Proxy Connectors use outbound connections as well; meaning, no additional inbound firewall rules need to be opened. Also, it doesn’t require placement in a demilitarized zone (DMZ), as was the case with the legacy Purdue Model. Your apps won’t need to change, and Azure AD Application Proxy also supports multiple authentication modes; so your users can still get a single sign-on (SSO) experience. Users can then access the app from an external URL using any device—no VPN required.

Azure AD pre-authenticates every request, ensuring that only verified traffic ever gets to your app; thus giving you another layer of protection. In addition, any conditional access policies you’ve set up can be enforced at that point.

Protecting you in real-time

Microsoft Cloud App Security integrates natively with Azure AD conditional access to extend real-time security into the session for both your cloud and on-premises applications. This native Microsoft solution stack ensures that your on-premises applications will still boot up quickly and look the same. The difference is you’re now able to control granular actions, such as uploads, downloads, and cut, copy, and paste, based on the sensitivity of the data. For example, users accessing an on-premises instance of Team Foundation Server (TFS) through the App Proxy can use Cloud App Security to enable developers to make code changes but block their ability to download files onto an unmanaged device. Many other scenarios are supported like, blocking malware in file upload attempts to ensure that your on-premises infrastructure remains secure.

Figure 5: Malware detection screen

See what else Azure AD and Microsoft Cloud App Security can do

At Microsoft, we believe that tight integration between identity and security is pivotal to your Zero Trust strategy, and we are constantly innovating in this area. To see some of the existing capabilities described in this blog come to life, watch the archived presentation for demonstrations of the powerful capabilities that Microsoft identity and security tools enable for your on-premises applications. Learn how you can easily set controls to allow or block access, require a password reset, block legacy authorization, require multifactor authentication, control sessions in real-time, and more.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Modernize secure access for your on-premises resources with Zero Trust appeared first on Microsoft Security.

Cyberattacks targeting health care must stop

Microsoft Malware Protection Center - Wed, 11/18/2020 - 2:00pm

In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for COVID-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium.

Learn more at the official Microsoft blog.


The post Cyberattacks targeting health care must stop appeared first on Microsoft Security.

Gartner names Microsoft a Leader in the 2020 Magic Quadrant for Cloud Access Security Brokers

Microsoft Malware Protection Center - Wed, 11/18/2020 - 12:00pm

The past few months have changed the way we work in many ways, working from home, social distancing, and remote operations have all had impacts on our previously known ways of life. At Microsoft, we have been working hard to assist our customers adjust to this rapidly changing and evolving work environment. As has been the case for a while now, this is anchored in the framework of Zero Trust, an approach that we believe is critical to a strong security posture. At its heart, Zero Trust is all about applying visibility, adhering to governance requirements, and enforcing control of cloud apps, services, assets and workloads.

As businesses adapt to the increase in remote work and unmanaged device use, Cloud Access Security Broker (CASB) use has accelerated. According to the most recent report from Gartner, “CASBs (have become) essential elements of cloud security strategies.”

We believe that Cloud App Security is a critical component of any security portfolio to enable a Zero Trust security approach. Organizations across all customer segments are securing their apps with Microsoft Cloud App Security, from large enterprises in professional services like Accenture to health organizations such as St. Luke’s.

According to a recent Total Economic Impact (TEI) study commissioned from Forrester Consulting, customers can save time, resources, and improve security with Microsoft Cloud App Security. The Forrester study shows a three-year 151 percent return on investment (ROI) less than a three-month payback on Cloud App Security investment. Indeed, at Microsoft Cloud App Security is leveraged internally and it has been great to see the momentum across our customers, where we crossed the threshold of protecting 100 million users in the summer of 2020. We have been building to deliver a unique perspective from which customers can leverage control and governance has been recognized with this year’s Gartner Magic Quadrant for Cloud Access Security Brokers (CASB).

Microsoft Cloud App Security is Microsoft’s CASB. This essential productivity and security enabler helps organizations gain visibility into their cloud apps and services. It provides sophisticated analytics to identify and combat cyberthreats and control the travel of sensitive information to equally support Microsoft’s native cloud services, as well as numerous third party cloud apps and services, such as Dropbox, Salesforce, and others.

Our vision for the CASB category is to push beyond just controlling SaaS apps and into IaaS and PaaS posture recommendations and management. We believe it is incumbent on us to provide our customers with a holistic security solution that acknowledges their security estate across platforms and clouds. We deliver this vision through five key capabilities:

  • Shadow IT Discovery enables customers to see clearly into the opaque space of cloud usage; in addition to traditional proxy and firewall logs, we extend this discovery to the endpoint with an integration with Microsoft Defender for Endpoint. This integration also powers Endpoint CASB capabilities, allowing Cloud App Security to enforce threat protection and information protection policies on every supported endpoint. Once visibility into cloud resource usage is in place, customers can start applying control and management policies.
  • Information Protection capabilities, identifying the most critical information, and applying policy and access controls, are significant investments for customers. Through deep integration with Microsoft Information Protection, together with the reverse proxy capabilities of Cloud App Security, customers have the power to enforce complex information and DLP (Data Loss Prevention) policies across Microsoft and 3rd party enterprise apps.
  • Threat Protection leverages Microsoft Defender for Identity to provide a unified view into the identities of an organization across on-premises and cloud resources and monitor behaviors and highlight abnormalities, in addition to blocking nefarious content and malicious payloads.
  • Secure Access capabilities provided by Cloud App Security are deeply connected with Azure Active Directory (Azure AD) allowing customers to enforce and monitor access and session policies across all managed cloud resources.
  • Cloud Security Posture Management (CSPM) assessment and governance, which is founded in close collaboration with Azure Security Center, providing Multi-Cloud security posture (AWS, GCP, and more) to customers.

Microsoft remains committed to Cloud App Security and we are actively looking at which areas of investment are the most beneficial to our customers. For example, we will extend multi-application SaaS Security Posture Management (SSPM) capabilities as a core scenario across our security offerings, and we will continue to listen to our customers on how we can best help them in their efforts to maintain a strong security posture.

Learn more

Read this complimentary copy of the Gartner Magic Quadrant for Cloud Access Security Brokers for the analysis behind Microsoft’s position as a Leader.

You can also read Forrester’s Total Economic Impact of Microsoft Cloud App Security for details on how Cloud App Security can save time and money.

For more information about our CASB solution, visit our website and stay up to date with our blog. Want to see our CASB in action? Start a free trial today and learn how to get started with our detailed technical documentation.

* Gartner Magic Quadrant for Cloud Access Security Brokers, Craig Lawson, Steve Riley, October 28, 2020.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Gartner names Microsoft a Leader in the 2020 Magic Quadrant for Cloud Access Security Brokers appeared first on Microsoft Security.

Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services

Microsoft Malware Protection Center - Tue, 11/17/2020 - 12:00pm

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here 

Security teams are struggling to reduce the time to detect and respond to threats due to the complexity and volume of alerts being generated from multiple security technologies.

With more workloads being migrated to the cloud, this brings an additional perimeter, which requires constant vigilance for early signs of a cyber-attack. New security challenges also emerge due to its elastic nature and the constant provisioning of new services.

How CyberProof is working with Microsoft to solve these challenges

CyberProof partnered with Microsoft to provide customers with cloud-scalable security monitoring, detection, and response services across the endpoint, network, identities, SaaS applications, and Azure cloud infrastructure.

With the CyberProof Defense Center (CDC) service delivery platform pre-integrated with Microsoft’s cloud-native SIEM, Azure Sentinel, CyberProof’s built-in virtual analyst, SeeMo, automates up to 80 percent of tier one and two activities such as monitoring, enrichment, incident handling, and remediation. This frees up your team to focus on the most critical business issues.

Key Layers to Building a Smarter SOC

We recommend that security operations center teams implement the following three key layers of a smarter system on a chip (SOC) architecture when looking to generate continuous value from your Azure security stack with managed security services.

Each layer includes the integrations between Microsoft and CyberProof that help facilitate this architecture. For more information, check out our on-demand webinar—which we ran in collaboration with Microsoft’s Chief Security Advisor EMEA, Cyril Voisin.

1. Data collection and integration layer—enrichment of security data from multiple sources

This is particularly useful for enterprise-grade SOCs that collect and parse relevant data from multiple business units before going into a data lake. Organizing and classifying all of this data will save time and money when you start introducing integration and automation technologies, as the information will already be structured in an optimum way. Here’s how log collection, normalization, and analysis work:

  1. Integration: An organization identifies the assets, tools, technologies, and applications that need to be integrated.
  2. Data normalization: Enterprise SOCs need to parse data before it enters the data lake—to tag and filter it—so the right information is being fed into the SOC in the most efficient way.
  3. Data collection and analysis: Using a solution such as Microsoft’s Azure Monitor Log Analytics and scalable storage such as Azure Data Lake, terabytes of data can be ingested in order to query and manage at scale. Machine learning can be used for the identification of anomalies and monitoring whether log sources are operating correctly, as well as to support threat hunting.

At CyberProof, we leverage Azure Monitor Log Analytics and CyberProof Log Collection (CLC) SaaS technology to pull logs from all sources of data. These include a customer’s existing Microsoft investments—including on-premises, SaaS, and Azure assets—and existing Microsoft security controls that generate alerts across identities, endpoints, data, and email, and cloud apps.

2. Security analytics layer—generating contextual alerts and minimizing false positives

The traditional on-premises SIEM architecture has limited scalability—such as, infrastructure costs are incurred up-front, based on peak requirements rather than on-demand provisioning that scales with current demand and growth over time. Also, effectively mapping logs from all ecosystems can be a time-consuming endeavor when having to correlate rules and create clear reporting.

The world of security data collection has evolved. It is no longer a single query or rule that triggers the discovery of an incident. Typically, security monitoring identifies the proverbial “needle in the haystack”—and to do this type of threat detection requires broad visibility across the enterprise. This requires more processing power and data collection, in order to establish what the baseline really looks like. These are attributes are best accomplished by implementing security in the cloud.

That’s where Azure Sentinel comes in, supplying correlation and analytics rules and filtering massive volumes of events to obtain high-context alerts. Azure Sentinel uses machine learning to proactively find anomalies hidden within acceptable user behavior and generate alerts.

Microsoft Azure Sentinel is fully integrated with CyberProof CDC platform, so customers can work from a single console to manage high-context alerts, carry out investigations, and handle incidents.

3. Orchestration, automation, and collaboration layer—facilitating faster threat detection and response

Forrester’s recent assessment of midsized MSSPs notes that orchestration and security automation plays a vital role for overburdened SOC staff.

By automating tier one and two activities like monitoring, enrichment, investigation, and incident handling, our CDC platform takes much of the strain out of the process. Essentially, the CDC platform provides our IP as a service—helping customers avoid the expenditure necessary to develop their own IP for a next-generation SOC.

The CDC platform gives customers a “single pane of glass” view from which to manage high context alerts, incidents, and report generation for stakeholders. It integrates the functionality of Azure Sentinel as well as other security investments.

The CDC platform’s benefits include:

  • Orchestration: Integrates external intelligence sources, enrichment sources, the IT service management system, and more into a single view.
  • Automation: Leverages CyberProof virtual analyst, SeeMo, who uses our Use Case Factory—a catalog of attack uses cases consisting of prevention, detection rules, and response playbooks all aligned to the MITRE ATT&CK framework—to continuously update playbooks.
  • Collaboration: Facilitates real-time communication with our nation-state level analysts to help remediate incidents.
  • Hybrid engagement: Supports collaboration of CyberProof experts with the customer’s team to remediate incidents and upskill the customer’s team.
Customers can start benefiting now

CyberProof solution, used in tandem with Azure Sentinel provides 24/7 security monitoring, which frees up SOC teams to focus on critical incidents.

The platform’s use of machine learning and behavioral analysis can reduce alert fatigue and false positives by up to 90 percent. It offers large-scale collection and correlation of data from the endpoint, cloud network, and users—facilitating high-context alerts.

These capabilities, as well as the platform’s high-level collaboration abilities and up-to-date response playbooks, contribute to greater efficiency in threat detection and in responding to validated incidents.

Yet, it doesn’t take a lot of time to transition to CyberProof solution. CyberProof has a defined onboarding process that’s based on each customer’s requirements.

As a managed service provider, we find that we can help customers get through the transition much more quickly than they would have on their own—accelerating the process and shortening the time needed to start reaping the benefits of the solutions.

Want more information? Check out our Azure Security Services page and the CDC platform from CyberProof. Or contact us to learn more about how we can help you transition to a smarter SOC.

To learn more about the Microsoft Intelligent Security Association (MISA), visit the Microsoft Intelligent Security Association website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services appeared first on Microsoft Security.

Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs

Microsoft Malware Protection Center - Tue, 11/17/2020 - 9:00am

The role of the Windows PC and trust in technology are more important than ever as our devices keep us connected and productive across work and life. Windows 10 is the most secure version of Windows ever, built with end-to-end security for protection from the edge to the cloud all the way down to the hardware. Advancements like Windows Hello biometric facial recognition, built-in Microsoft Defender Antivirus, and firmware protections and advanced system capabilities like System Guard, Application Control for Windows and more have helped Microsoft keep pace with the evolving threat landscape.

While cloud-delivered protections and AI advancements to the Windows OS have made it increasingly more difficult and expensive for attackers, they are rapidly evolving, moving to new targets: the seams between hardware and software that can’t currently be reached or monitored for breaches. We have already taken steps to combat these sophisticated cybercriminals and nation state actors with our partners through innovations like secured-core PCs that offer advanced identity, OS, and hardware protection.

Today, Microsoft alongside our biggest silicon partners are announcing a new vision for Windows security to help ensure our customers are protected today and in the future. In collaboration with leading silicon partners AMD, Intel, and Qualcomm Technologies, Inc., we are announcing the Microsoft Pluton security processor. This chip-to-cloud security technology, pioneered in Xbox and Azure Sphere, will bring even more security advancements to future Windows PCs and signals the beginning of a journey with ecosystem and OEM partners.

Our vision for the future of Windows PCs is security at the very core, built into the CPU, where hardware and software are tightly integrated in a unified approach designed to eliminate entire vectors of attack. This revolutionary security processor design will make it significantly more difficult for attackers to hide beneath the operating system, and improve our ability to guard against physical attacks, prevent the theft of credential and encryption keys, and provide the ability to recover from software bugs.

Pluton design redefines Windows security at the CPU

Today, the heart of operating system security on most PCs lives in a chip separate from the CPU, called the Trusted Platform Module (TPM). The TPM is a hardware component which is used to help securely store keys and measurements that verify the integrity of the system. TPMs have been supported in Windows for more than 10 years and power many critical technologies such as Windows Hello and BitLocker. Given the effectiveness of the TPM at performing critical security tasks, attackers have begun to innovate ways to attack it, particularly in situations where an attacker can steal or temporarily gain physical access to a PC. These sophisticated attack techniques target the communication channel between the CPU and TPM, which is typically a bus interface. This bus interface provides the ability to share information between the main CPU and security processor, but it also provides an opportunity for attackers to steal or modify information in-transit using a physical attack.

The Pluton design removes the potential for that communication channel to be attacked by building security directly into the CPU. Windows PCs using the Pluton architecture will first emulate a TPM that works with the existing TPM specifications and APIs, which will allow customers to immediately benefit from enhanced security for Windows features that rely on TPMs like BitLocker and System Guard. Windows devices with Pluton will use the Pluton security processor to protect credentials, user identities, encryption keys, and personal data. None of this information can be removed from Pluton even if an attacker has installed malware or has complete physical possession of the PC.

This is accomplished by storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helping to ensure that emerging attack techniques, like speculative execution, cannot access key material. Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself, providing an unprecedented level of security for Windows customers.

The Pluton security processor complements work Microsoft has done with the community, including Project Cerberus, by providing a secure identity for the CPU that can be attested by Cerberus, thus enhancing the security of the overall platform.

One of the other major security problems solved by Pluton is keeping the system firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources than can be difficult to manage, resulting in widespread patching issues.  Pluton provides a flexible, updateable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices.

The fusion of Microsoft’s OS security improvements, innovations like secured-core PCs and Azure Sphere, and hardware innovation from our silicon partners provides the capability for Microsoft to protect against sophisticated attacks across Windows PCs, the Azure cloud, and Azure intelligent edge devices.

Innovating with our partners to enhance chip-to-cloud security

The PC owes its success largely to an immensely vibrant ecosystem with OS, silicon, and OEM partners all working together to solve tough problems through collaborative innovation. This was demonstrated over 10 years ago with the successful introduction of the TPM, the first broadly available hardware root of trust. Since that milestone, Microsoft and partners have continued to collaborate on next generation security technologies that take full advantage of the latest OS and silicon innovations to solve the most challenging problems in security. This better together approach is how we intend to make the PC ecosystem the most secure available.

The Microsoft Pluton design technology incorporates all of the learnings from delivering hardware root-of-trust-enabled devices to hundreds of millions of PCs. The Pluton design was introduced as part of the integrated hardware and OS security capabilities in the Xbox One console released in 2013 by Microsoft in partnership with AMD and also within Azure Sphere. The introduction of Microsoft’s IP technology directly into the CPU silicon helped guard against physical attacks, prevent the discovery of keys, and provide the ability to recover from software bugs.

With the effectiveness of the initial Pluton design we’ve learned a lot about how to use hardware to mitigate a range of physical attacks. Now, we are taking what we learned from this to deliver on a chip-to-cloud security vision to bring even more security innovation to the future of Windows PCs (more details in this talk from Microsoft BlueHat). Azure Sphere leveraged a similar security approach to become the first IoT product to meet the “Seven properties of highly secure devices.”

The shared Pluton root-of-trust technology will maximize the health and security of the entire Windows PC ecosystem by leveraging the security expertise and technologies from the companies involved. The Pluton security processor will provide next generation hardware security protection to Windows PCs through future chips from AMD, Intel, and Qualcomm Technologies.

“At AMD, security is our top priority and we are proud to have been at the forefront of hardware security platform design to support features that help safeguard users from the most sophisticated attacks. As a part of that vigilance, AMD and Microsoft have been closely partnering to develop and continuously improve processor-based security solutions, beginning with the Xbox One console and now in the PC. We design and build our products with security in mind and bringing Microsoft’s Pluton technology to the chip level will enhance the already strong security capabilities of our processors.” – Jason Thomas, head of product security, AMD

“Intel continues to partner with Microsoft to advance the security of Windows PC platforms. The introduction of Microsoft Pluton into future Intel CPUs will further enable integration between Intel hardware and the Windows operating system.” – Mike Nordquist, Sr. Director, Commercial Client Security, Intel

“Qualcomm Technologies is pleased to continue its work with Microsoft to help make a slew of devices and use cases more secure. We believe an on-die, hardware-based Root-of-Trust like the Microsoft Pluton is an important component in securing multiple use cases and the devices enabling them.” – Asaf Shen, senior director of product management at Qualcomm Technologies, Inc.

We believe that processors with built-in security like Pluton are the future of computing hardware. With Pluton, our vision is to provide a more secure foundation for the intelligent edge and the intelligent cloud by extending this level of built-in trust to devices, and things everywhere.

Our work with the community helps Microsoft continuously innovate and enhance security at every layer. We’re excited to make this revolutionary security design a reality with the biggest names in the silicon industry as we continuously work to enhance security for all.

The post Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs appeared first on Microsoft Security.

Forrester TEI study: Azure Sentinel delivers 201 percent ROI over 3 years and a payback of less than 6 months

Microsoft Malware Protection Center - Mon, 11/16/2020 - 12:00pm

2020 has been a transitional year, ushering in broad changes in how, and where, we work. Security operations (SecOps) teams face more significant challenges than ever as they protect the organization in this rapidly changing environment. These teams need a flexible, cost-effective, and efficient solution to empower their employees, improve security, and optimize costs against rapidly-changing demands. As a unified, scalable, cloud-native, security information event management (SIEM), Forrester Consulting found that Azure Sentinel delivers on these needs. Providing alert detection, threat visibility, proactive hunting, and threat response across your enterprise, the commissioned study, The Total Economic Impact of Microsoft Azure Sentinel, conducted by Forrester Consulting shows that Azure Sentinel delivers:

  • A three-year 201 percent return on investment (ROI) with a payback period of less than six months.
  • A 48 percent reduction in costs compared to legacy SIEM solutions, saving on expenses like licensing, storage, and infrastructure costs.
  • A 79 percent reduction in false positives and 80 percent reduction in the amount of labor associated with investigation, reducing mean time to resolution (MTTR) over three years.
  • A 67 percent decrease in time to deployment compared to legacy on-premises SIEMs.

The Forrester study provides an accessible framework for organizations wanting to evaluate the financial impact of Azure Sentinel relative to an on-premises cybersecurity solution. Forrester concluded that Azure Sentinel reduces SIEM costs at scale, simplifies SIEM management, and improves the efficiency and effectiveness of the Security Operations Center (SOC).

Organizational benefits

Forester interviewed four organizations who, before switching to Azure Sentinel, were using an on-premises SIEM or an internal, custom-built solution with a managed service provider (MSP) to replicate SIEM infrastructure. These four organizations serve global markets in the industries of IT services, big data, financial services, and e-commerce. To give readers a clear comparison, Forrester aggregated the results for all four into a single composite organization. According to the aggregated data, Azure Sentinel demonstrated:

  • Increased SOC efficiency by cutting false positives up to 79 percent and reducing the amount of labor needed for advanced investigations by 80 percent—leading to $2 million in efficiency gains.
  • A 48 percent reduction in costs compared to the legacy SIEM solution, including savings on licensing, storage, and infrastructure totaling $4.9 million.
  • Reduced management efforts by 56 percent, saving $1.2 million. Automatic updates, an intuitive centralized platform, and reduced maintenance meant organizations could shift talent away from servicing infrastructure and concentrate on value-adding initiatives.
  • Accelerated deployment by 67 percent with out-of-the-box functionality, simple connections to data sources, and pre-built SIEM content saving $602K.
Cost savings

Most vendors offer annual or multi-year contracts with capped ingestion and storage limits. This forces organizations to choose between paying more for capacity or putting a cap on the amount of data ingested, limiting visibility into their network.

By moving to Azure Sentinel’s cloud-based SIEM, organizations could eliminate their legacy SIEM vendor, reducing licensing expenditures and eliminating costly on-premises infrastructure needed to store security log data. And with Azure Sentinel’s flexible, consumption-based pricing, they were no longer locked into long-term contracts or capacity limits.

Azure Sentinel users experienced cost savings of $4.9 million when moving from legacy SIEM—a 48 percent decrease. Forrester found that an organization experienced benefits of $8.7 million over three years versus costs of $2.9 million. As mentioned earlier, this adds up to an ROI of 201 percent with payback in less than 6 months. Management efficiencies saved $1.2 million, with Azure Sentinel’s reduced time to deploy saving an additional $602K.

“If you take costs for Azure Sentinel and compare it to the costs that we had to simply run our legacy solution, we are seeing a 15 percent savings with Azure Sentinel and we are getting more.”—Sr. Director of Security Technology and Operations, IT services

Efficiency gains

The organizations in Forrester’s study reported that, with legacy SIEM solutions, alerts were previously not well correlated; meaning, a single event could trigger multiple others with no easy way for the SOC analyst to resolve false positives.

With Azure Sentinel, SOC teams can view all security logs, alerts, and incidents through a single pane of glass. Azure Sentinel’s AI-powered correlation engine and user-behavior analytics give analysts a prioritized view of the alerts, elevating high-priority threats and reducing false positives—enabling the SOC team to respond more efficiently.

Azure Sentinel’s cloud-based SIEM reduces the size and complexity of on-premises infrastructure. This enabled organizations in the study to reallocate infrastructure professionals and legacy solution specialists, reducing management efforts by 56 percent while freeing staff to serve business interests with value-added tasks.

“Thanks to the management efficiencies with Azure Sentinel, I was able to reprogram the work effort of around four FTEs. They no longer had to be firefighters—and we got to cancel a managed operations and maintenance contract simply because we now have the resources to do it ourselves.”—Senior VP of Global Threat Management, financial services

Ease of deployment

All four organizations reported that deploying Azure Sentinel was faster and easier than deploying legacy SIEM. Because Azure Sentinel features a pre-built playbook, queries, and data connections—along with free ingestion for Office 365 audit logs, Azure activity logs, and alerts from Microsoft Threat Protection (MTP) solutions—most organizations can start for free and scale up.

Using Azure Sentinel, organizations were able to add more data connections and sources, allowing them to ingest more data faster, covering a larger percentage of their network compared to legacy solutions. Azure Sentinel supports open standards such as Common Event Format (CEF) and broad partner connections, including Check Point, Cisco, F5, Fortinet, Palo Alto Networks, and Symantec, as well as ecosystem partners such as ServiceNow.

 “Azure Sentinel today covers far more, 400 percent more of our network than our legacy solution ever did.”—CISO, e-commerce

Modernize your security operations today

Azure Sentinel helps defenders to combat rapidly evolving threats with increased efficiency. Its performance across all metrics deployed in the Forrester TEI study lets us know we’re executing on our vision to streamline and strengthen our customers’ security. Getting started with Azure Sentinel is easy. If you are not using Azure Sentinel, we welcome you to start a trial.

More recently, we shared our unique approach that empowers security professionals to get ahead of today’s complex threat landscape with integrated SIEM and Extended Detection and Response (XDR) solutions from a single vendor. With this combination, you get the best of both worlds—end-to-end threat visibility across all of your resources; correlated, prioritized alerts based on Microsoft’s deep understanding of specific resources with AI that stitches that signal together; and coordinated action across the organization.

To help you take advantage of this integrated security approach, Microsoft is currently running a new Azure Sentinel benefit for Microsoft 365 E5 customers.

From November 1, 2020, through May 1, 2021, Microsoft 365 E5 and Microsoft 365 E5 Security customers can get Azure credits for the cost of up to 100MB per user per month of included Microsoft 365 data ingestion into Azure Sentinel. Data sources included in this benefit include:

  • Azure Active Directory (Azure AD) sign-in and audit logs.
  • Microsoft Cloud App Security shadow IT discovery logs.
  • Microsoft Information Protection logs.
  • Microsoft 365 advanced hunting data (including Microsoft Defender for Endpoint logs).

With these credits, a standard 3,500 seat deployment can see estimated savings of up to $1,500 per month1. This offer is available to new and existing customers who have Enterprise (EA) or Enterprise Subscription (EAS) Agreements and Enrollments, and you can begin accruing credits in your first month of eligibility. You can learn more about the offer here.

Download the full Forrester Total Economic Impact of Microsoft Azure Sentinel study. Get started and learn more about Azure Sentinel.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1 Calculation based on pay-as-you-go prices for Azure Sentinel and Azure Monitor Log Analytics for US East region.

The post Forrester TEI study: Azure Sentinel delivers 201 percent ROI over 3 years and a payback of less than 6 months appeared first on Microsoft Security.

System Management Mode deep dive: How SMM isolation hardens the platform

Microsoft Malware Protection Center - Thu, 11/12/2020 - 12:00pm

Ensuring that the platform firmware is healthy and trustworthy is fundamental to guaranteeing that powerful platform security features like Hypervisor-protected code integrity (HVCI) and Windows Defender Credential Guard are functioning as expected. Windows 10 achieves this by leveraging a hardware-based root of trust that ensures unauthorized code like Unified Extensible Firmware Interface (UEFI) malware cannot take root before the Windows bootloader launches.

Key to defending the hypervisor, and by extension the rest of the OS, from such low-level threats is protecting System Management Mode (SMM), an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. Because of its traditionally unfettered access to memory and device resources, SMM is a known vector of attack for gaining access to the OS and hardware. SMM is particularly vulnerable to threats like confused deputy attacks, in which malicious code tricks another code with higher privileges to perform certain activities. One could have perfect code in SMM and still be affected by behavior like trampolining into secure kernel code.

Sometimes referred to as “Ring -2”, SMM is used by OEMs to interact with hardware like NV RAM, emulate hardware functionality, handle hardware interrupts or errata, and perform other functions. SMM runs in the form of interrupt handlers that are triggered by timers or access to certain memory, registers, or hardware resources. OEM drivers and runtime firmware services may explicitly trap SMM to control certain hardware functionality.

To stop sophisticated attacks from taking control of the system through SMM, the OS must have enforcement or oversight of SMM’s behavior. As part of Secured-core PCs and System Guard, Intel and AMD have developed mechanisms to isolate SMM from the OS by enforcing and reporting what resources SMM has access to.

SMM isolation

Isolating SMM is implemented in three parts: OEMs implement a policy that states what they require access to; the chip vendor enforces this policy on SMIs; and the chip vendor reports compliance to this policy to the OS.

The policy provided by the OEM is a list detailing the resources that the SMI handlers require access to. This policy is validated and enforced by the chipset vendors’ specific enforcement mechanism detailed later. The OS does not have any control over what the policy is; it is only guaranteed enforcement of the policy stated.

Trusted Computing Base (Tcb) Launch, introduced in the Windows implementation of Dynamic Root of Trust (DRTM), gets the enforced policy from the chip vendor’s reporting mechanism. Because resource access is specific to a platform’s needs, Tcb Launch compares the OEM’s SMM access policy with several levels of Windows SMM isolation requirements to determine the level of isolation provided. The isolation level achieved by the OEM’s policy is measured for attestation and is reported to the OS.

The isolation levels consist of increasing restrictions on what SMIs may access, as well as enforcement capabilities required on the system. An example of an isolation requirement is that SMIs may not access memory owned by the OS. Additionally, these requirements can include restrictions on the following resources:

  1. SMM page configuration lockdown
  2. Static page tables
  3. Model-Specific Register (MSR) access
  4. IO port access
  5. Processor state save access

In order to ensure a consistent security promise for customers using Secured-core PCs if the  minimum requirements are not met, the DRTM measurements are capped, and local and remote attestation fail. SMM isolation is tied with DRTM because without DRTM, the OS cannot trust anything evaluated by the boot environment as it is not protected from the influence of SMM. SMIs are suspended during DRTM, so the new root of trust established by DRTM can evaluate the security of the SMM access policy.

Not only are these protections utilized by Windows for local secrets protection, but remote attestation tools can also leverage this information to determine the security posture of a specific device. This attestation report can be used to prevent access to sensitive network files, for example, unless a certain combination of features is present.

AMD solution (SMM Supervisor)

During UEFI boot phase, the SMM Supervisor is loaded as a UEFI driver. This driver is signed by AMD and authenticated by the Platform Security Processor (PSP) at the time of DRTM launch. Failure of authentication will fail DRTM. (It is also under firmware anti-rollback protection by PSP.)

SMM Supervisor provides and initializes the SMI entry routine (the first code block executed after SMI is triggered). This routine is also signed by AMD and authenticated by PSP at the time of DRTM launch. Upon DRTM event, PSP also verifies that the SMI entry is properly configured to this authenticated block. Failure of this authentication will also result in DRTM failure.

SMM Supervisor marks critical pages—including SMM Supervisor code block, internal data, the page table itself, exception handler, as well as processor save state—as supervisor pages, accessible only  from current privilege level 0 (CPL0, the most privileged level).

Immediately after SMI is triggered, the SMI entry routine demotes the system to execute under CPL3 (least privileged level) before executing any third party SMI handlers. From CPL3 environment, MSR, IO, and supervisor pages access, critical register changes such as CR3, as well as privileged instructions such as “hlt” and “cli” all end up as General Protection Fault enforced by CPU hardware.

In order for SMI handlers under CPL3 to access privileged data and register, SMM Supervisor provides syscall interface to allow third-party SMI handlers to make such requests. The backend of the syscall interface, which resides in SMM supervisor, is controlled by SMM secure policy. The said policy is a deny list that can be customized per platform to determine which MSRs, IOs, or memory regions can be accessed from CPL3. SMM secure policy is reported to and verified by OS secure loader during DRTM event.

Intel Hardware Shield

Intel® Hardware Shield, a part of the Intel vPro® platform, uses CPU hardware and firmware to enforce the platform’s SMM access policy. Generationally, these capabilities evolve using new CPU hardware features in conjunction with existing CPU capabilities to strengthen related micro-architectural flows and provide new register locks in support of related firmware hardening*.

  • Intel vPro® platform with 8th Generation Intel® Core vPro® processors introduced firmware hardening and hardware-locked static page table support to reduce SMM privilege with regard to memory and to lock the memory configuration. These new locks include: CR3 lock, MSEG lock, SMBASE lock, etc.
  • Intel vPro platform with 9th Generation Intel Core vPro processors added an Intel signed SMM module enables attestation of the SMM memory configuration using Intel® Trusted Execution Technology (Intel® TXT), a component of Intel® Hardware Shield, via PCR17. The module first verifies the integrity of the hardened SMM code used to enforce the SMM access policy. It then reports this, as well as the details of the policy, back to the OS. Therefore, the OS can verify the trustworthiness of SMM and evaluate the platform’s SMM access policy without the possibility of interference from SMI handlers.
  • Intel vPro platform with 10th Generation Intel Core vPro processors enhanced the verified CPL0 SMM components to create a privilege separation with SMI handlers in order to extend policy enforcement to MSRs, IO ports, and SMM state save (access policy may vary by platform). The reporting mechanism was extended to include these capabilities as well.

*No product or component can be absolutely secure.

Secured-core PCs give the simplest experience for customers to get Secure Launch and SMM protection

Enabling SMM protection and System Guard Secure Launch may be achieved when the following support is present:

  • Intel, AMD, or ARM virtualization extensions
  • Trusted Platform Module (TPM) 2.0
  • On Intel: TXT support in the BIOS
  • On AMD: SKINIT package must be integrated in the Windows system image
  • On Qualcomm: Implements DRTM TrustZone application and supports SMC memory protections.
  • Kernel DMA Protection (learn more)

Further configuration information and requirements can be found here.On Secured-core PCs, virtualization-based security is supported, and hardware-backed security features like System Guard Secure Launch with SMM Protections are enabled by default. Customers do not need to worry about  configuring the necessary functionality as Secured-core PCs come with the right configurations from OEMs, thereby providing the simplest path to the most secure Windows 10 systems. Learn more about the line of Secured-core PCs available today.


The post System Management Mode deep dive: How SMM isolation hardens the platform appeared first on Microsoft Security.

Empowering employees to securely work from anywhere with an internet-first model and Zero Trust

Microsoft Malware Protection Center - Wed, 11/11/2020 - 12:00pm

Like many this year, our Microsoft workforce had to quickly transition to a work from the home model in response to COVID-19. While nobody could have predicted the world’s current state, it has provided a very real-world test of the investments we have made implementing a Zero Trust security model internally. We had about 97 percent of our workforce at the peak successfully working from home, either on a Microsoft issued or personal device. 

Much of the credit for this success goes to the Zero Trust journey we started over three years ago. Zero Trust has been critical in making this transition to a work-from-home model relatively friction-free. One of the major components to our Zero Trust implementation is ensuring our employees have access to applications and resources regardless of their location. We enable employees to be productive from anywhere, whether they’re at home, a coffee shop, or at the office.  

To make this happen, we needed to make sure most of our resources were accessible over any internet connection. The preferred method to achieve this is through modernizing applications and services using the cloud and modern authentication systems. For legacy applications or services unable to migrate to the cloud, we use an application proxy service which serves as a broker to connect to the on-premise environment while still enforcing strong authentication principles.  

Strong authentication and adaptive access policies are critical components in the validation process. A big part of this validation process included enrolling devices in our device management system to ensure only known and healthy devices are directly accessing our resources. For users on devices that are not enrolled in our management system, we have developed virtualization options that allow them to access resources on an unmanaged device. One of the early impacts of COVID-19 was device shortages and the inability to procure new hardware. Our virtualization implementation also helped provide secure access for new employees while they waited for their device’s arrival. 

The output of these efforts, combined with a VPN configuration that enables split tunneling for access to the few remaining on-premises applications, has made it possible for Microsoft employees to work anywhere in a time when it is most critical. 

Implementing an internet-first model for your applications

In this blog, I will share some recommendations on implementing an internet-first approach plus a few of the things we learned in our efforts here at Microsoft. Because every company has its own unique culture, environments, infrastructure, and threshold for change, there is no one-size-fits-all approach. Hopefully, you will find some of this information useful, even if only to validate you are already on the right path. 

Before I jump in, I just want to mention that this blog will assume you’ve completed some of the foundational elements needed for a Zero Trust security model. These include modernizing your identity system, verifying sign-ins with multi-factor authentication (MFA), registering devices, and ensuring compliance with IT security policies, etc. Without these protections in place, moving to an internet-first posture is not possible. 

As previously mentioned, your apps will need to be modernized by migrating them to the cloud and implementing modern authentication services. This is the optimal path to internet accessibility. For apps that can’t be modernized or moved to the cloud (think legacy on-premises apps), you can leverage an app proxy to allow the connection over the internet and still maintain the strong authentication principles. 

Secure access via adaptive access policies

 Once your apps are accessible via the public internet, you will want to control access based on conditions you select to enforce. At Microsoft, we use Conditional Access policies to enforce granular access control, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information. We also enforce device management and health policies to ensure the employee comes from a known and healthy device once they have successfully achieved strong authentication. 

 Depending on your organization’s size, you might want to start slow by implementing multi-factor authentication and device enrollment first, then ramping up to biometric authentication and full device health enforcement. Check out our Zero Trust guidance for identities and devices that we follow internally for some additional recommendations. 

 When we rolled out our device enrollment policy, we learned that using data to measure the policy’s impact allowed us to tailor our messaging and deployment schedule. We enabled “logging mode”, which let us enable the policies and collect data on who would be impacted when we moved to enforcement. Using this data, we first targeted users who were already using compliant devices. For users that we knew were going to be impacted, we crafted targeted messaging alerting them of the upcoming changes and how they would be impacted. This slower, more measured deployment approach allowed us to monitor and respond to issues more quickly. Using this data to shape our rollout helped us minimize the impact of significant policy implementation. 

Start with a hero application

Picking your first application to move out to the public internet can be done in a few different ways. Do you want to start with something small and non-critical? Or perhaps you want to “flip the switch” to cover everything at once? We decided to start with a hero application that proved it works at scale. Office 365 was the obvious choice because it provided the broadest coverage since most employees use it daily, regardless of what role they are in. We were confident if we could implement Office 365 successfully, we could be successful with most of our portfolio. 

Ultimately, it will boil down to your environment, threshold for support engagements, and company culture. Choose the path that works best for you and push forward. All paths will help provide valuable data and experience that will help later.  

Prioritize your remaining apps and services

Prioritizing the apps and services you modernize next can be challenging, especially without granular visibility into what employees are accessing in your environment. When we began our journey, we had theories about what people were accessing but no data to back it up. We built a dashboard that reported actual traffic volumes to applications and services still routing to on-premises applications and services to provide the visibility we lacked. This gave us much-needed information to help prioritize apps and services based on impact, complexity, risk, and more.  

We also used this dashboard to identify which application or service owners we needed to coordinate with to modernize their resources. To coordinate with these owners, we created work items in our task tracking system and assigned the owner a deadline to provide a plan to either modernize or implement a proxy front end solution. We also created a tracking dashboard for all these tasks and their status to make reporting easier.  

We then worked closely with owners to provide guidance and best practices to drive their success. We conduct weekly office hours where application and service owners can ask questions. The partnership between these application and service owners and the teams working on Zero Trust helps us all drive towards the same common goals—frictionless access for our employees. 

A quick note on what we learned through the dashboard—the on-premises applications and services people were still accessing were not what we were expecting. The dashboard surfaced several items we were unaware people were still using. Fortunately, the dashboard helped remove a layer of fog we were unaware even existed and has been invaluable in driving our prioritization efforts. 

As I mentioned at the beginning of this blog, every company is unique. As such, how you think about Zero Trust and your investments might be different than the company across the street. I hope some of the insight provided above was helpful, even if it is just to get you thinking about how you would approach solving some of these challenges inside your own organization.  

 To learn more about how Microsoft IT (Information Technology), check out IT Showcase. To learn more about Microsoft Security Solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news on cybersecurity.  

The post Empowering employees to securely work from anywhere with an internet-first model and Zero Trust appeared first on Microsoft Security.

Extend data loss prevention to your devices with Microsoft Endpoint Data Loss Prevention, now generally available

Microsoft Malware Protection Center - Tue, 11/10/2020 - 9:00am
Microsoft Endpoint Data Loss Prevention

Endpoint Data Loss Prevention (DLP) | What it is and how to set it up in Microsoft 365.

Watch today

Managing and protecting data is critical to any organization. Data is growing exponentially, and remote work is making it even harder to manage risks around data. In fact, a recent Microsoft survey of security and compliance decision-makers found that data leaks are the top concern in remote and hybrid work scenarios.

To help our customers to address this challenge, today we are excited to announce the general availability of Microsoft Endpoint Data Loss Prevention (DLP).

A unified approach to data loss prevention

At Microsoft, we have long invested in developing information protection solutions for our customers. Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution that understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, and Outlook), services (including Microsoft Teams, SharePoint, and Exchange), third-party SaaS applications, and more—on premises or in the cloud. This unified data loss prevention approach provides simplicity, enabling you to set a DLP policy once and have it enforced across services, devices, and first-and third-party apps.

Endpoint DLP builds on the labeling and classification in Microsoft Information Protection and extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on endpoints. It’s built into Windows 10, the Microsoft 365 Apps, and Microsoft Edge—without the need to deploy additional software on the device, which eliminates friction and makes it far easier to have visibility into your data. For users, it ensures security, without compromising productivity. Endpoint DLP provides policy tips to help educate users when they are about to violate a policy. It’s also integrated with Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection), which can help you prioritize incident response based on additional factors.

New capabilities based on public preview feedback

With the general availability today, we’re happy to share that we’ve added additional capabilities as a part of the public preview program based on valuable feedback from our customers.

Last month, we also announced the addition of integration of unified data loss prevention with Microsoft Cloud App Security (MCAS) in public preview, allowing you to extend data protection to non-Microsoft cloud apps. For example, say a user is trying to share a document in a third-party app on his or her mobile device. Because Microsoft Cloud App Security helps protect cloud apps, the same DLP policy will be triggered, both the end-user and the admin will receive a notification, and in this case, the link will be automatically disabled.

In addition, we heard feedback from some of you that you’d like to be able to leverage your existing security investments. Endpoint DLP integrates with Microsoft Defender for Endpoint, but it is also compatible with most anti-virus software, which enables you to have a choice and extend the investments you’ve already made.

Today’s general availability announcement is only the beginning. We are also excited to announce some new capabilities going into preview today:

  • Sensitivity labels are now included as a condition for Microsoft Data Loss Prevention (DLP) policies. This lets you define new enforcement actions and locations within Endpoint DLP that take into account the sensitivity context of information to better meet protection requirements.

Figure 1: Using sensitivity labeling as a condition of a policy in Endpoint DLP.

  • A new dashboard within Microsoft 365 compliance center helps you to manage DLP alerts. Alerts provide details about DLP events—including the sensitive information types detected in the content, confidence score rating, and event count—to help DLP reviewers quickly identify high-risk events so they can more effectively triage and remediate events.

Figure 2: Data loss prevention event alerts show in the new dashboard in Microsoft 365 compliance center.

  • New conditions and exceptions announced in public preview enhance the already existing predicate capabilities in DLP. Mail flow predicates provide a high degree of flexibility to configure the applicable ‘include’ and ‘exclude’ conditions in DLP policies to ensure that specific policies are applied to emails that only match the defined conditions.

Figure 3: New conditions and exceptions you can extend to your DLP policies to email messages.

You can learn a lot more about these new public preview capabilities in the TechCommunity blog.

Protecting your data

We continue to invest in providing you with the tools and visibility you need to help to protect your most precious asset – your data.

Endpoint DLP general availability will start rolling out to customers’ tenants in Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 E5/A5 Information Protection and Governance starting today. Learn more about Endpoint DLP by reading the TechCommunity blog and visiting our documentation. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Extend data loss prevention to your devices with Microsoft Endpoint Data Loss Prevention, now generally available appeared first on Microsoft Security.