How Axonius integrates with Microsoft to help customers solve the cybersecurity asset management challenge

Microsoft Malware Protection Center - Tue, 08/13/2019 - 12:00pm

Despite the amazing and futuristic progression of technologies in cybersecurity, it’s still incredibly hard to answer the most basic of questions like: how many assets do I have, and do they adhere to my security policy? Somewhere along the line, asset management became very mundane compared to the other initiatives we’re responsible for in cybersecurity. Yet everything in cybersecurity lies on a foundation of understanding our devices, cloud instances, users, and the solutions that cover them.

So why is asset management—a problem that has persisted for decades—still an issue in 2019? Today, we look at why asset management remains a challenge, the Axonius approach to cybersecurity asset management, and how integrations with several Microsoft technologies are key to solving the problem and delivering value to organizations around the world.

The cybersecurity solution paradox

The more devices you have, the more solutions you implement to manage and secure them. Although one might think that the more security and management solutions at an organization the better, that’s not always the case. We call this the cybersecurity solution paradox: the idea that the more solutions you have, the harder it actually becomes to get answers to very basic questions. All of the information exists in separate silos, making it more difficult to aggregate the data, correlate it, and derive context and meaning.

Watch this short video outlining today’s asset management challenge.

The Axonius approach

If we were to outline an approach to asset management, we’d want a product to:

  1. Understand which assets are unmanaged—Those devices and cloud instances not being managed or secured by the tools outlined in our security policies.
  2. Understand which managed assets are missing agents—For example, which Windows 10 devices are missing an endpoint agent?
  3. Discover new devices—Any time a new device hits the network, we’d want to know whether it adheres to our security policies.
  4. Give context—If our security operations team gets an alert about a device, we would want to understand what the device is, what’s installed, its patch level, known vulnerabilities, which users have signed in, etc.

To get this information, a product would need to be very simple, agentless, and it would:

  1. Connect to every security and management solution that knows about assets.
  2. Collect and normalize all relevant asset and user information.
  3. Correlate the information to know that every asset is unique.
  4. Understand the relationship between users, devices, cloud instances, and the solutions that manage and secure them.

This is exactly the approach we took in building the Axonius cybersecurity asset management platform. By connecting to over 130 management and security solutions, Axonius is able to:

  • Give customers a credible, comprehensive asset inventory—We include every desktop, laptop, mobile device, virtual machine, server, cloud instance, and IoT device that is managed and unmanaged, cloud or on-premises.
  • Uncover security solution coverage gaps—Using pre-built and custom queries, customers can understand how every asset stacks up against their policies.
  • Automatically validate and enforce security policies—Customers can create automated enforcement sets to take action whenever assets do not adhere to their security policies.

Axonius is integrated with Microsoft Intune and Azure Active Directory (Azure AD), core products in the Microsoft Intelligent Security Association (MISA). To help customers better understand exactly what assets they have and whether their assets and users adhere to their security policies, Axonius builds upon Intune by connecting to networking gear itself to learn about assets that aren’t being managed. If your policy states that every mobile device needs to have another security or management solution, Axonius can easily identify those devices that aren’t being protected.

Let’s look at two specific examples that show how Axonius customers use integrations with Microsoft to solve their asset management challenges.

How Appsflyer uses Axonius for better asset management

When Guy Flechter, joined mobile attribution and analytics leader AppsFlyer in January 2018 as their chief information security officer, he began implementing a wide-ranging cybersecurity program to protect his heterogenous environment. After implementing the best security tools for every device type, the AppsFlyer team realized that they needed an automated way to ensure that every device had the required solutions installed, and that users had the correct permissions to adhere to the overall security policy.

“We needed an easy and automated way to have clear visibility into which agents were missing from each device, and a way to know when users had rights that conflicted with our security policies. For example, I want to immediately see all Windows devices missing an endpoint agent and unmanaged devices in various VLANs. These are really foundational elements of any cybersecurity program, and there were no good ways to get the answers,” said Flechter.

Using simple queries in Axonius, Flechter was able to get this level of visibility in minutes:

Moving from configuration manager to Intune: No device left behind

As part of their initiative to be nimble and cloud first, AppsFlyer wanted to move from on-premises Microsoft System Center Configuration Manager (ConfigMgr) to Intune, yet the team needed a way to make sure that no devices were left behind. Using queries from Axonius, Flechter was able to easily monitor the switch to Intune and could prioritize which assets should be moved and in what order. Watch this video to learn more.

Understanding user permissions

In addition to devices, Axonius customers are able to understand how each user compares to the overall security policy. Using information from Active Directory, Azure AD, and other IAM providers, customers are able to understand whenever a user account deviates from what is expected.

Example query showing users with bad configurations.

Learn more

To learn more about how the Axonius cybersecurity asset management platform and its many integrations with Microsoft and other leading security and management providers can help your organization, visit Also, visit the MISA website to learn more about how top security companies are partnering with Microsoft to defend against increasingly sophisticated cyberthreats.

About Axonius

Axonius is the cybersecurity asset management platform that gives organizations a comprehensive asset inventory, uncovers security solution coverage gaps, and automatically validates and enforces security policies. By seamlessly integrating with more than 130 security and management solutions, Axonius is deployed in minutes, improving cyber hygiene immediately. Covering millions of devices at customers like the New York Times, Schneider Electric, and AppsFlyer, Axonius was named the Most Innovative Startup of 2019 at the prestigious RSAC Innovation Sandbox and was named Rookie Security Company of the Year by SC Magazine. For more visit



The post How Axonius integrates with Microsoft to help customers solve the cybersecurity asset management challenge appeared first on Microsoft Security.

From unstructured data to actionable intelligence: Using machine learning for threat intelligence

Microsoft Malware Protection Center - Thu, 08/08/2019 - 12:30pm

The security community has become proficient in using indicators of compromise (IoC) feeds for threat intelligence. Automated feeds have simplified the task of extracting and sharing IoCs. However, IoCs like IP addresses, domain names, and file hashes are in the lowest levels of the threat intelligence pyramid; they are relatively easy to access and consume, but they’re also easy for attackers to change to evade detection. IoCs are not enough.

Tactics, techniques, and procedures (TTPs) can enable organizations to extract valuable insights like patterns of attack on an enterprise or industry vertical, or trends of attacker techniques in the overall ecosystem. However, TTPs are at the highest level of the threat intelligence pyramid; this information often comes in the form of unstructured texts like blogs, research papers, and incident response (IR) reports, and the process of gathering and sharing these high-level indicators has remained largely manual.

Automating the processing of unstructured text for threat intelligence can benefit threat analysts and customers alike. At my Black Hat session “Death to the IOC: What’s Next in Threat Intelligence“, I presented a system that automates this process using machine learning and natural language processing (NLP) to identify and extract high-level patterns of attack from unstructured text.

Figure 1. Basic structure of system

Trained on documentation of known threats, this system takes unstructured text as input and extracts threat actors, attack techniques, malware families, and relationships to create attacker graphs and timelines.

Data extraction and machine learning

In natural language processing, named entity extraction is a task that aims to classify phrases into pre-defined categories. This is usually a preprocessing step for other more complex tasks like identifying aliases, relationship extraction between actors and TTPs, etc. In our use case, the categories we want to identify are threat actors, malware families, attack techniques, and relationships between entities.

To train our model, our corpus was comprised of about 2,700 publicly available documents that describe the actions, behaviors, and tools of various threat actors. On average, each document in this corpus contained about two thousand tokens.

Figure 2. Training data distributions

We also see that the distribution of tokens that fall into one of our predefined categories is very low. On average, only 1% of the tokens are relevant entities. This tells us that we have class imbalance in our data.

Therefore, in addition to using traditional features that are common to natural language processing tasks (for example, lemma, part of speech, orthographic features), we experimented with using custom word embeddings, which allow the identification of relationships between two words that mean the same thing or are used in similar contexts.

Word embeddings are vector representations of words such that the semantic context in which a word appears is captured in the numeric vector. If two words mean the same thing, or are used in the same context frequently, then we would expect the cosine similarity of their word embedding vectors to be high. In other words, in a graphical representation, datapoints for words that mean the same thing or are used in the same context frequently would be relatively close together.

For example, we looked at some clusters of points formed around APT28 and found that the four closest points to it were either aliases (Sofacy, TG-4127) of the threat or were related by attribution (APT29, Dymalloy).

Figure 3. Tensorboard visualization of custom trained embeddings

We experimented with several models that are suited for a sequence labelling problem and measured performance in two ways—on the test dataset and on only the unseen tokens in the test dataset. We found that the experiments trained using conditional random fields (CRFs) trained on traditional and word embedding features have the best performance for both these scenarios.

Figure 4. Architecture of training pipeline for extractor system

Machine learning for insightful, actionable intelligence

Using the system we developed, we automatically extracted the techniques known to be used by Emotet, a prominent commodity malware family, as well as a spread of APT actors that public documents refer to as Saffron Rose, Snake, and Muddy Water, and generated the following graph, which shows that there is a significant overlap between some techniques used by commodity malware and those used by APTs.

Figure 5. Overlaps in techniques used by commodity malware and APTs

In this graph, we can see that techniques like obfuscated PowerShell, spear-phishing, and process hollowing are not restricted to APTs, but are prevalent in commodity malware. Insights like this can be used by organizations to guide security investments. Organizations can place defensive choke points to detect or prevent these attacker techniques so that they can stop not only annoying commodity malware, but also the high-profile targeted attacks.

At Microsoft, we are continuing to push the boundaries on how machine learning can improve the security posture of our customers. The output of machine learning-backed threat intelligence will show up in the effectiveness of the protection we deliver through Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and the broader Microsoft Threat Protection.

In recent months, we have extensively discussed how we’re using machine learning to continuously innovate protections in Microsoft Defender ATP, particularly in hardening against evasion and adversarial attacks. In this blog we showed another application of machine learning: processing the vast amounts of threat intelligence that organizations receive and identifying high-level patterns. More importantly, we’re sharing our approaches so organizations can be inspired to explore more applications of machine learning to improve overall security.


Bhavna Soman (@bsoman3)
Microsoft Defender ATP Research



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post From unstructured data to actionable intelligence: Using machine learning for threat intelligence appeared first on Microsoft Security.

Protect against BlueKeep

Microsoft Malware Protection Center - Thu, 08/08/2019 - 12:00pm

Worms are the cause of many cyber headaches. They can easily replicate themselves to spread malicious malware to other computers in your network. As the field responders providing Microsoft enterprise customers with onsite assistance to serious cybersecurity threats, our Detection and Response Team (DART) has seen quite a few worms. If you’ve met the DART Team, then you know your worms are our concern and that’s why we keep an eye out for BlueKeep.

Protect against BlueKeep

This summer, the DART team has been preparing for CVE-2019-0708, colloquially known as BlueKeep, and has some advice on how you can protect your network. The BlueKeep vulnerability is “wormable,” meaning it creates the risk of a large-scale outbreak due to its ability to replicate and propagate, similar to Conficker and WannaCry. Conficker has been widely estimated to have impacted 10- to 12-million computer systems worldwide. WannaCry was responsible for approximately $300 million in damages at just one global enterprise.

To protect against BlueKeep, we strongly recommend you apply the Windows Update, which includes a patch for the vulnerability. If you use Remote Desktop in your environment, it’s very important to apply all the updates. If you have Remote Desktop Protocol (RDP) listening on the internet, we also strongly encourage you to move the RDP listener behind some type of second factor authentication, such as VPN, SSL Tunnel, or RDP gateway.

You also want to enable Network Level Authentication (NLA), which is a mitigation to prevent un-authenticated access to the RDP tunnel. NLA forces users to authenticate before connecting to remote systems, which dramatically decreases the chance of success for RDP-based worms. The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP.

If you’re already aware of the BlueKeep remediation methods, but are thinking about testing it before going live, we recommend that you deploy the patch. It’s important to note that the exploit code is now publicly and widely available to everyone, including malicious actors. By exploiting a vulnerable RDP system, attackers will also have access to all user credentials used on the RDP system.

Why the urgency?

Via open source telemetry, we see more than 400,000 endpoints lacking any form of network level authentication, which puts each of these systems potentially at risk from a worm-based weaponization of the BlueKeep vulnerability.

The timeline between patch release and the appearance of a worm outbreak is difficult to predict and varies from case to case. As always, the DART team is ready for the worst-case scenario. We also want to help our customers be prepared, so we’re sharing a few previous worms and the timeline from patch to attack. Hopefully, this will encourage everyone to patch immediately.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

This document is for informational purposes only and Microsoft makes no warranties, express or implied, in this blog.

The post Protect against BlueKeep appeared first on Microsoft Security.

A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response

Microsoft Malware Protection Center - Wed, 08/07/2019 - 7:50pm

Earlier this year, I reached out to Check Point researcher Eyal Itkin, who had published multiple flaws in several Remote Desktop Protocol (RDP) clients, including a vulnerability in mstsc.exe, the built-in RDP client application in Windows. While there were no active exploits detected in the wild, it was important for me and my team at Microsoft to analyze the vulnerability, do further variant analysis and investigations, and build defenses, including cloud-based post-breach detection in addition to the operating system fix.

The cross-company collaboration that followed was especially critical in this case, because the attack technique is quite tricky to detect. The vulnerability exists in the shared clipboard mechanism. Unlike other RDP vulnerabilities that could allow an attacker to connect to target machines using the RDP protocol, in this case, an attacker would wait for a user to connect to a compromised machine, and then start the attack through the vulnerability. RDP anomaly detection wouldn’t be useful, because exploit behavior doesn’t stand out as unusual.

The vulnerability, called Poisoned RDP vulnerability and designated as CVE-2019-0887, has been fixed, but it serves as a good case study for industry collaboration leading to better and speedier response to security issues. In this blog, we’ll share an overview of the vulnerability and how we worked with Check Point to build the defenses using Windows telemetry.

Path traversal vulnerability in shared clipboard

A typical RDP scenario is connecting an RDP client to an RDP server installed on a remote computer. After successfully connecting, the client gains access to the remote server. Depending on the user’s permissions, the client can then control the server. What happens if it’s the other way around, where a remote server can attack and gain control of a client?

In his research into reverse RDP attacks, Eyal Itkin found that for mstsc.exe, this technique, also referred to as lazy lateral movement, was possible through the clipboard sharing channel. The shared clipboard allows a user to copy a group of files from one computer and paste the said files in another computer. If the client fails to properly canonicalize and sanitize the file paths it receives, it could be vulnerable to a path traversal attack, allowing a malicious RDP server to drop arbitrary files in arbitrary paths on the client machine.

Figure 1. Architecture of clipboard sharing in Microsoft RDP (source: Reverse RDP Attack: Code Execution on RDP Clients)

Moreover, every time a clipboard is updated on either side of the RDP connection, a message is sent to the other side to notify it about the new clipboard formats that are now available. This means that a malicious server is notified whenever the client copies something to the clipboard, which the server can then query and read.

The server can also notify the client about a fake clipboard update without an actual copy operation inside the RDP window, thus completely controlling the client’s clipboard without the user being noticed.

Eyal also found that, because Hyper-V uses RDP, it inherits the security vulnerabilities in RDP. Hyper-V uses RDP behind the scenes for managing the VM, meaning that the vulnerability could be used to escape a Hyper-V VM, resulting in a guest-to-host sandbox escape vulnerability.

Cloud-based post-breach detection

While we worked on fixing the vulnerability, it was important for us to develop a post-breach detection in order to protect customers from attacks that might exploit the vulnerability. For this effort, we worked closely with Eyal, whose cooperation was critical to the development of these solutions.

Given the details of the vulnerability, we worked under the following conditions:

  • To be effective, the detections would need to use existing optics available to all Windows 10 versions.
  • The detection logic should spot the threat from the machine where the RDP client—the one that initiates the RDP connection—is installed. We should be able to detect files that are transformed from the compromised machine—where the RDP server is installed—to the client machine. This means that we must rely solely on telemetry that is triggered on the client machine.
  • RDP anomaly detection is not useful in this scenario. Since the RDP connection is initiated by the client machine—more specifically, by the user—we don’t expect an abnormal connection to occur.

For this purpose, Event Tracing for Windows (ETW), a built-in Windows 10 feature, provides the kernel-level tracing that’s useful in detecting this threat. Using ETW events, specifically RDP connection events (provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS) and clipboard events (provider: Microsoft.Windows.OLE.Clipboard), as well as file creation events, we created a detection logic that:

  1. Observes RDP session events
  2. Observes multiple files being pasted within a short period of time
  3. Correlates file creation and pasting timestamps
  4. Raises an alert if the corelated files are in different directories

These detections are added to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) endpoint detection and response. These detections raise an alert in Microsoft Defender Security Center, which security operations personnel can then use to investigate attacks.

In addition, given that this is a new attack scenario, we explored additional detection logic that is as general as possible to help counter corner cases and account for tweaks to the attack scenario. These detections would cover the end-to-end attack, focusing on behaviors pertinent to the attack scenario:

  • Monitoring the Startup folder. This includes anomaly detection for file creation events under the Startup folder using multiple features like file signature, creation process, etc. In addition, files created in the Startup folder can be verified using scanning capabilities.
  • Identifying anomalous file pasting from the clipboard. Machine learning-based detections can recognize files that are pasted in different locations within a short period of time. The anomaly features can be the number of pasted files or file directories.
  • Detecting file creation anomalies. Machine-learning based detections can recognize anomalies in file creation paths. The anomaly features can be file path, creation time, and file name. Note: This detection covers a broad scenario, regardless of method.
Security update

Microsoft Security Response Center (MSRC) worked with Check Point to further investigate and address the vulnerability. The fix for CVE-2019-0887 was released as part of the July 2019 security update. We encourage customers to keep systems up-to-date.

Conclusion: Lessons from CVE-2019-0887

The responsible disclosure of CVE-2019-0887 by Check Point and the subsequent collaboration with Microsoft teaches us several lessons in security. From design perspective, there’s a lesson to be learned from how the clipboard, which was originally designed to be used locally, was applied in new environments.

Meanwhile, our research into post-breach defenses given the unique characteristics of this attack scenario highlighted the importance of Windows telemetry in detecting malicious behavior. ETW is a powerful defender tool that allows the creation of new detection mechanisms that don’t require an OS update.

Overall, this cross-company, cross-continent teamwork demonstrates the benefits of industry collaboration. We discovered a vulnerability, secured customers, and developed fix, all while learning important lessons that we can share with the industry.

Eyal and I shared these lessons in our Black Hat USA 2019 session, “He Said, She Said – Poisoned RDP Offense and Defense”.


Dana Baril (@dana_baril)

Microsoft Defender ATP Research Team 



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response appeared first on Microsoft Security.

How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection

Microsoft Malware Protection Center - Wed, 07/31/2019 - 12:30pm

Detecting and stopping attacks that tamper with kernel-mode agents at the hypervisor level is a critical component of the unified endpoint protection platform in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). It’s not without challenges, but the deep integration of Windows Defender Antivirus with hardware-based isolation capabilities allows the detection of artifacts of such attacks.

Recently, the Microsoft Defender ATP research team found a malicious system driver enabling a token swap attack that could lead to privilege escalation. In this blog, we’ll share our analysis of the said attack and discuss how Windows Defender Antivirus uses its unique visibility into system behaviors to detect dangerous kernel threats.

Hardware-based root of trust

Windows Defender System Guard, a hardware-based system integrity capability in Microsoft Defender ATP, has a runtime measurement component called runtime attestation. This runtime measurement component includes a sub-engine called assertion engine (see Figure 1), which continuously measures and asserts the integrity of the Windows kernel, providing supplementary signals about any abnormal system behavior.

Figure 1. High-level Windows Defender System Guard runtime attestation architecture

Architecturally, the solution is collectively referred to as the Windows Defender System Guard runtime monitor and consists of the following client-side components:

  • The VTL-1 runtime assertion engine itself
  • A VTL-0 kernel-mode agent
  • A VTL-0 process we call the ‘broker’ to host the assertion engine

The goal is to detect artifacts of data corruption attacks and other threats that tamper with kernel-mode agents at the hypervisor level. Windows Defender Antivirus, the next-generation component of Microsoft Defender ATP, integrates with Windows Defender System Guard runtime attestation and consumes signals from the assertion engine.

Detecting token theft attacks

Every Windows process has a primary token that describes the security context of the user account associated with the process. The information in the token includes the identity and privileges of the user account associated with the process or thread. Token theft attacks are rampant because they can allow adversaries to use access tokens to operate using different user accounts or under different system security contexts to perform malicious actions and evade detection.

The Microsoft Defender ATP Research team recently uncovered and analyzed signals from Windows Defender System Guard assertion engine that indicated manipulation of a primary token, causing token swap – a distinctly suspicious activity, given that the aspects of a primary token are immutable once the process starts running.

Further analysis of Windows Defender Antivirus telemetry identified the offending malicious system driver responsible for the invariant token swap attack. The sample containing the system driver was signed with a compromised certificate (thumbprint: 31e5380e1e0e1dd841f0c1741b38556b252e6231) that’s commonly misused in the wild.

Figure 2. Revoked certificate used by malicious system driver

The driver exhibited the following rootkit behavior:

  • Token swap
  • Tampering EPROCESS structure in kernel mode and PEB to disguise a process as svchost.exe

In this scenario, Windows Defender System Guard raised an initial assertion failure signal for the token swap. Windows Defender Antivirus consumed the signal and applied intelligence to discover that the suspicious activity was being orchestrated by a system driver.

Figure 3. Decompiled malicious driver code for token theft

Using a Microsoft cloud service that that keeps track of stolen or revoked PKI certificates worldwide, Windows Defender Antivirus found that the driver was indeed signed by a revoked or stolen certificate, which was communicating with the infected binary to perform the token swap.

Windows Defender Antivirus works seamlessly with Microsoft cloud services, such as the one that flags binaries signed by stolen or revoked certificates. Signals like these enrich the protection delivered by multiple next-generation protection engines in Windows Defender Antivirus to provide near-instant, automated defense against new and emerging threats. With cloud-delivered protection, next-generation technologies provide rapid identification and blocking of attacks, typically even before a single machine is infected.

Device integrity for broader security

The goal of Windows System Guard runtime attestation is to provide its consumers with a trustworthy assessment of the security posture and integrity of devices. Apps and services can take advantage of this attestation technology to ensure that the system is free from tampering and that critical processes are running as expected. Runtime attestation can help in many scenarios, including:

  • Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the Microsoft Defender ATP stack)
  • Detecting artifacts of kernel tampering, rootkits, and exploits
  • Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)
  • Securing sensitive transactions (banking apps, trading platforms)
  • Conditional access (enabling and enhancing device security-based access policies)

The assertion engine can detect attacks that can reasonably be performed under the most restrictive attack conditions, such as when system has been already hardened with hypervisor-protected code integrity (HVCI) and enforced kernel mode code integrity (KMCI).

The case study has shown how Microsoft Defender ATP – hence, the broader Microsoft Threat Protection – reaps significant security benefits from Windows Defender System Guard runtime attestation. We invite the industry to do the same.

To learn more, read our blog about Windows Defender System Guard runtime attestation.



Abhijat Singh, Enterprise & Security
David Kaplan (@depletionmode), Microsoft Defender ATP Research
Chun Feng, Microsoft Defender ATP Research
Hermineh Sanossian, Enterprise & Security



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection appeared first on Microsoft Security.

CISO series: Better cybersecurity requires a diverse and inclusive approach to AI and machine learning

Microsoft Malware Protection Center - Wed, 07/31/2019 - 12:00pm

Artificial Intelligence (AI) and machine learning have created lots of buzz with vendors. Being cast as the superheroes of technology is great for getting attention. But even Superman and Supergirl had their kryptonite.* Could the lack of diversity and inclusiveness in the design teams and data types weaken these two superhero technologies, like kryptonite weakened our friends from Krypton? Now is the time to shine a spotlight on problems that arise from the lack of inclusiveness and diversity in these areas to make sure that we are not automating existing biases in data or design.

Lack of diversity and inclusivity hurts products, profits, and people

Discrimination and non-inclusiveness in product development can be harmful—and dangerous—to those who suffer its consequences. Car airbags serve as a poignant example. Designed to save the lives of an average-sized male, airbags were deadly for children and petite women. Even the crash-test dummies the industry used until 2012 were average-man-sized, so it was impossible to test airbag safety for broader populations.

When workforces are not diverse and inclusive, problems stemming from various types of bias may occur. For example, women might not get a fair shot at a position because hiring standards have been set to match the pool of traits exhibited by current employees—who are predominately men.

Datasets can be at fault, as well, especially when populations are skewed because of social issues or the biases of system designers. Take the case of raw data used to predict criminality. Since the current justice system is biased against African Americans, who are incarcerated at a rate which is five times that of Caucasians, the dataset will be biased, too.

A diverse and inclusive team is a more productive team

AI and machine learning require a collaborative, inclusive approach that is ethical and respectful of the values each employee brings to the table. But diversity and inclusiveness are not only about ethnicity, gender, and gender-orientation. It’s also about a diversity of viewpoints and ways of examining issues and problem solving.

Lack of team diversity can hurt productivity. Homogenous teams may outperform diverse teams initially, but over time, the productivity of diverse teams increases. This is due, in part, to the strength gained from a variety of perspectives brought to the problem-solving process.

For example: A lawyer brings a unique awareness and mindset to problem-solving that differs from the mindset of privacy experts, mathematicians, data scientists, ethicists, and more. These different viewpoints and skillsets create stronger solutions and practices. Furthermore, diverse viewpoints ensure that the values of fairness, reliability, safety, security, privacy, inclusiveness, transparency, and accountability are included in any data model.

Be aware that if diversity comes in many forms, bias does as well. Companies should work hard to remove biases based on culture, geography, income bracket, educational background, and ageism in addition to those already mentioned.

How does this connect to better cybersecurity?

In creating resilient models that better detect and respond to cybersecurity issues, the greater the team diversity, the greater the resilience to attack and perturbation the models may be. Potentially, these more diverse models will provide us with a greater variety of insights and tools as well.

We’re already seeing that diversity in teams creates diversity in AI and machine learning models, which in turn increases the speed and precision of detection. For example, as part of the Microsoft Threat Protection solution using machine learning, Emotet was detected and blocked in milliseconds.

Since cybercriminals are varied in background and skillset, there is no one type of cyberattack we can defend against and no single machine learning model to find and stop all cyberattacks. But by working with diverse and inclusive design teams and using diverse, layered machine learning models, we’re increasing our ability to find and stop attacks quickly.

If you want more resilient cybersecurity, looking to a superhero isn’t really an option. Instead, rely on the diversity of the cyberheroes you hire and put the power of inclusivity to work for you.

I encourage you to read the report in this companion book, Microsoft: The Future Computed—the first of a series to explore AI, the future of the workforce, ethics, and policies related to individual industries. Also, read more of our CISO series blogs.

*Superman and Supergirl are characters owned by DC Comics, Inc.

The post CISO series: Better cybersecurity requires a diverse and inclusive approach to AI and machine learning appeared first on Microsoft Security.

Council of EU Law Enforcement Protocol improves cross-border cooperation

Microsoft Malware Protection Center - Tue, 07/30/2019 - 12:00pm

Last March, the Council of the European Union announced the new EU Law Enforcement Emergency Response Protocol to address the growing problem of planning and coordinating between governments, agencies, and companies when cyberattacks occur across international boundaries. Remember well-known incidents such as NotPetya and WannaCry? They’re good examples of how cyberattacks can simultaneously impact organizations and other entities in two or more countries. This especially applies to multinational corporations since they have footprints in multiple jurisdictions.

In reading through the Protocol, a few key items are worth noting:

  • There’s a focus on process—It’s so good to see them focusing on process (and not only on technology). Too many regulations and rulesets talk about technology as if it’s the sole solution to all problems. To truly resolve cybersecurity attacks and to mitigate downstream implications quickly, it takes the combination of technology + people + process.
  • Operational Technology (OT) systems and risks need more attention—For many years, OT systems have been increasingly attacked by adversaries. While the focus on IT in the Protocol is logical, the omission of OT factors keeps it from being an even stronger and more robust document. The new Protocol explicitly calls out this problem when it says, “…to establish the criminal nature of the attack, it’s fundamental that the first responders perform all required measures … to preserve the electronic evidence that could be found within the IT systems affected by the attack, which are essential for any criminal investigation or judicial procedure.” This omission of OT systems is all the more confusing when the website announcing the Protocol states that, “The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable.”
  • Operational alignment is well-executed—Praise is deserved for the outstanding effort to coordinate multi-stakeholder processes using existing resources and teams. For instance, a partial list of the entities working on these issues in Europe includes Europol’s European Cybercrime Centre (EC3), the European Union’s Cybersecurity Incident Response Team (CSIRT) Network, the European Union Agency for Network and Information Security (ENISA), and other EU member law enforcement groups. While everyone has the best interest of preventing and responding to cyberattacks at heart, ensuring the alignment and optimal use of existing resources makes very good sense.
  • Important cross-border thinking adds value—Cyber-adversaries pay no attention to boundaries, so it’s important to defend against these problems with a similar mindset that embraces diverse thinking. Countries that cooperate and coordinate their efforts are likely to detect and identify cyber-adversaries faster and more comprehensively if they approach the problem as a united front. This cross-border way of thinking should be an example for other regions of the world.

The improvements to the EU Law Enforcement Emergency Response Protocol are invaluable. By streamlining and strengthening their cross-border approaches, protocols, and ways of communicating, efforts to thwart attacks can begin immediately and proceed more effectively.

Preserving electronic evidence makes finding and punishing the perpetrators a priority. However, work still must be done on developing plans and protocols to mitigate damage to OT systems, and I hope they prioritize this focus for their next iteration.

Learn more
  • Complete an offline assessment of your Active DirectoryAssess your Active Directory security posture and reduce support costs by exposing and remediating configuration and operational security issues before they affect your business.
  • Learn more about the cybersecurity risk landscape—Watch this Microsoft Digital Crimes Unit overview video to learn more about how Microsoft is working with public and private partners.
  • Discover how the Microsoft Incident Response and Recovery Process can help—Read about our expert security services that are available in case an incident occurs.

The post Council of EU Law Enforcement Protocol improves cross-border cooperation appeared first on Microsoft Security.

The evolution of Microsoft Threat Protection—July update

Microsoft Malware Protection Center - Mon, 07/29/2019 - 12:00pm

Modern security teams need to proactively, efficiently, and effectively hunt for threats across multiple attack vectors. To address this need, today we’re excited to give you a glimpse of a new threat hunting capability coming soon to Microsoft Threat Protection. Building off the threat hunting technology currently available in Microsoft Defender Advanced Threat Protection (ATP), we are adding the ability to hunt for threats across endpoints and email (Figure 1).

The new Microsoft Threat Protection advanced threat hunting allows:

  • Easy access to telemetry—The telemetry data is accessible in easy to use tables for you to query.
  • Enhanced portal experience—Certain query results, such as machine name, link directly to the relevant portal, consolidating the hunting query experience and the portal investigation experience.
  • Detailed query templates—A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.

The example in Figure 1 demonstrates how Microsoft Threat Protection enables hunting for red teams leveraging a compromised account to store a payload on a local SharePoint site and for sending emails to individuals within the organization. Having the email come from an internal sender and pointing to a local SharePoint site guarantees a high click-through rate. With the advanced hunting capability in Microsoft Threat Protection, this scenario easier to identity, discover, and ultimately remediate. As Microsoft Threat Protection evolves, we’ll continue to extend the advanced hunting capability across the enterprise. Look for more details on threat hunting across endpoints and email in the coming weeks.

Figure 1. Hunting query example: Find the red team!

Connecting the dots to protect your users

As we’ve discussed previously, securing enterprise identities is paramount for effective threat protection in modern organizations. Microsoft Threat Protection is built on best-in-class identity protection, and we’re pleased to announce the general availability of our new identity threat investigation experience, which correlates identity events from Microsoft Cloud App Security, Azure Advanced Threat Protection, and Azure Active Directory Identity Protection into a single investigation experience for security analysts and hunters alike.

Leverage state-of-the-art User and Entity Behavior Analytics (UEBA) capabilities to provide a risk score and rich contextual information for individual users across on-premises and cloud services. With the high volume of threat signals today’s security teams must analyze, it’s a challenge to know which users and threats to prioritize for deeper investigations (Figure 2). The new identity threat investigation experience enables security analysts to prioritize their investigations, helping reduce investigation times and eliminating the need to toggle between identity security solutions.

For more details check out our blog and get a deeper dive in our technical documentation.

Figure 2. Top user view by investigation priority.

Delivering on our promise to empower defenders

Earlier this year, we announced two capabilities for email security with the public preview of Threat & Vulnerability Management and the extension of our endpoint security capabilities to macOS. We’re excited to deliver on the promise of both these milestones for our endpoint security, which further empower defenders relying on our services to secure their organizations.

At the end of June, we announced the general availability of our endpoint security for macOS. Offered through Microsoft Defender ATP, it enables integrated experiences in Microsoft Defender Security Center across Windows and macOS clients. It supports the three latest versions of macOS: Mojave, High Sierra, and Sierra. Customers can use Microsoft Intune and Jamf to deploy and manage Microsoft Defender ATP for Mac. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft Defender ATP for Mac updates. Check out the public documentation to see what’s available now.

We further enhanced endpoint security with the general availability of Threat & Vulnerability Management for endpoints (Figure 3), which offers customers:

  • Continuous discovery of vulnerabilities and misconfigurations.
  • Prioritization based on business context and dynamic threat landscape.
  • Seamless correlation of vulnerabilities providing enhanced breach insights.
  • Ability to assess vulnerability at the single-machine level to enrich and provide greater detail on incident investigations.
  • Built-in remediation processes through unique integration with Intune and Microsoft System Center Configuration Manager.

Figure 3. The Threat & Vulnerability Management dashboard.

This month, we also enriched the experience for security teams managing email security by introducing an email submission feature offered through Office 365 ATP. Microsoft is home to 3,500 security professionals, and now your organization can leverage their expertise to get quick and accurate analysis of potential email threats with the click of a button (Figure 4). The submission process is easy to use, and our Microsoft experts provide quick feedback, including insights on configurations that may have caused a false positive or false negative, reducing the time to investigate issues and improving overall effectiveness.

The new submission process allows admins to:

  • Submit suspicious emails, files, and URLs to Microsoft for analysis.
  • Find and remove rules allowing malicious content into the tenant.
  • Find and remove rules blocking good content into the tenant.

Here’s a quick run-through of the experience. You can also learn more about it in our technical docs.

Figure 4. Admin submission experience with Office 365 ATP.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit the Microsoft Threat Protection webpage. Organizations like Telit have already transitioned to Microsoft Threat Protection, and partners are leveraging its powerful capabilities.

Begin a trial of Microsoft Threat Protection services, which also includes our newly launched SIEM and Azure Sentinel, to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection—July update appeared first on Microsoft Security.

New machine learning model sifts through the good to unearth the bad in evasive malware

Microsoft Malware Protection Center - Thu, 07/25/2019 - 12:30pm

We continuously harden machine learning protections against evasion and adversarial attacks. One of the latest innovations in our protection technology is the addition of a class of hardened malware detection machine learning models called monotonic models to Microsoft Defender ATP‘s Antivirus.

Historically, detection evasion has followed a common pattern: attackers would build new versions of their malware and test them offline against antivirus solutions. They’d keep making adjustments until the malware can evade antivirus products. Attackers then carry out their campaign knowing that the malware won’t initially be blocked by AV solutions, which are then forced to catch up by adding detections for the malware. In the cybercriminal underground, antivirus evasion services are available to make this process easier for attackers.

Microsoft Defender ATP’s Antivirus has significantly advanced in becoming resistant to attacker tactics like this. A sizeable portion of the protection we deliver are powered by machine learning models hosted in the cloud. The cloud protection service breaks attackers’ ability to test and adapt to our defenses in an offline environment, because attackers must either forgo testing, or test against our defenses in the cloud, where we can observe them and react even before they begin.

Hardening our defenses against adversarial attacks doesn’t end there. In this blog we’ll discuss a new class of cloud-based ML models that further harden our protections against detection evasion.

Most machine learning models are trained on a mix of malicious and clean features. Attackers routinely try to throw these models off balance by stuffing clean features into malware.

Monotonic models are resistant against adversarial attacks because they are trained differently: they only look for malicious features. The magic is this: Attackers can’t evade a monotonic model by adding clean features. To evade a monotonic model, an attacker would have to remove malicious features.

Monotonic models explained

Last summer, researchers from UC Berkeley (Incer, Inigo, et al, “Adversarially robust malware detection using monotonic classification”, Proceedings of the Fourth ACM International Workshop on Security and Privacy Analytics, ACM, 2018) proposed applying a technique of adding monotonic constraints to malware detection machine learning models to make models robust against adversaries. Simply put, the said technique only allows the machine learning model to leverage malicious features when considering a file – it’s not allowed to use any clean features.

Figure 1. Features used by a baseline versus a monotonic constrained logistic regression classifier. The monotonic classifier does not use cleanly-weighted features so that it’s more robust to adversaries.

Inspired by the academic research, we deployed our first monotonic logistic regression models to Microsoft Defender ATP cloud protection service in late 2018. Since then, they’ve played an important part in protecting against attacks.

Figure 2 below illustrates the production performance of the monotonic classifiers versus the baseline unconstrained model. Monotonic-constrained models expectedly have lower outcome in detecting malware overall compared to classic models. However, they can detect malware attacks that otherwise would have been missed because of clean features.

Figure 2. Malware detection machine learning classifiers comparing the unconstrained baseline classifier versus the monotonic constrained classifier in customer protection.

The monotonic classifiers don’t replace baseline classifiers; they run in addition to the baseline and add additional protection. We combine all our classifiers using stacked classifier ensembles–monotonic classifiers add significant value because of the unique classification they provide.

How Microsoft Defender ATP uses monotonic models to stop adversarial attacks

One common way for attackers to add clean features to malware is to digitally code-sign malware with trusted certificates. Malware families like ShadowHammer, Kovter, and Balamid are known to abuse certificates to evade detection. In many of these cases, the attackers impersonate legitimate registered businesses to defraud certificate authorities into issuing them trusted code-signing certificates.

LockerGoga, a strain of ransomware that’s known for being used in targeted attacks, is another example of malware that uses digital certificates. LockerGoga emerged in early 2019 and has been used by attackers in high-profile campaigns that targeted organizations in the industrial sector. Once attackers are able breach a target network, they use LockerGoga to encrypt enterprise data en masse and demand ransom.

Figure 3. LockerGoga variant digitally code-signed with a trusted CA

When Microsoft Defender ATP encounters a new threat like LockerGoga, the client sends a featurized description of the file to the cloud protection service for real-time classification. An array of machine learning classifiers processes the features describing the content, including whether attackers had digitally code-signed the malware with a trusted code-signing certificate that chains to a trusted CA. By ignoring certificates and other clean features, monotonic models in Microsoft Defender ATP can correctly identify attacks that otherwise would have slipped through defenses.

Very recently, researchers demonstrated an adversarial attack that appends a large volume of clean strings from a computer game executable to several well-known malware and credential dumping tools – essentially adding clean features to the malicious files – to evade detection. The researchers showed how this technique can successfully impact machine learning prediction scores so that the malware files are not classified as malware. The monotonic model hardening that we’ve deployed in Microsoft Defender ATP is key to preventing this type of attack, because, for a monotonic classifier, adding features to a file can only increase the malicious score.

Given how they significantly harden defenses, monotonic models are now standard components of machine learning protections in Microsoft Defender ATP‘s Antivirus. One of our monotonic models uniquely blocks malware on an average of 200,000 distinct devices every month. We now have three different monotonic classifiers deployed, protecting against different attack scenarios.

Monotonic models are just the latest enhancements to Microsoft Defender ATP’s Antivirus. We continue to evolve machine learning-based protections to be more resilient to adversarial attacks. More effective protections against malware and other threats on endpoints increases defense across the entire Microsoft Threat Protection. By unifying and enabling signal-sharing across Microsoft’s security services, Microsoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.


Geoff McDonald (@glmcdona),Microsoft Defender ATP Research team
with Taylor Spangler, Windows Data Science team



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

The post New machine learning model sifts through the good to unearth the bad in evasive malware appeared first on Microsoft Security.