Microsoft Malware Protection Center

Subscribe to Microsoft Malware Protection Center feed
Expert coverage of cybersecurity topics
Updated: 10 min 15 sec ago

The foundation for responsible analytics with Microsoft Purview

Tue, 03/26/2024 - 11:00am

We live in a world where data is constantly multiplying. According to IDC, the global datasphere, which is the amount of data created, captured, or replicated, will double every four years.1 As AI becomes more prevalent in various domains, organizations face the challenge of securing their growing data assets, while trying to activate their data to drive better business outcomes. We know data is the fuel that powers AI, but the real question is, is your data estate ready?

Fragmentation is in the way

The market has responded with dozens of products that address this challenge locally. Security and governance teams often bolt on security controls to protect individual data stores, having to stitch together a patchwork of solutions. This approach not only strains resources but is also ineffective. Security outcomes are worse—audits are failed and brand reputations are damaged.

In Microsoft’s most recent Data Security Index report, we found that 74% of organizations experienced some sensitive data exposure in the past year. Similarly, 68% of companies reported not being able to gather the right data insights, leading to poor data quality.2 And even though organizations are quickly adopting generative AI, less than half of business leaders are confident in their organization’s ability to mitigate AI risks and adhere to its upcoming regulations.3 In the era of AI, before unlocking the power of data, organizations are looking for integrated security and governance solutions to help them confidently activate their data estate.

“In the age of data-driven decision making, organizations must recognize that governance practices are prerequisites for extracting trusted and responsible insights from their data. Without proper security and governance, analytics initiatives are at risk of producing unreliable or compromised results, which in turn negatively impacts business outcomes.”

—Chandana Gopal, Research Director, Enterprise Intelligence, IDC Microsoft Purview—Seamlessly securing and confidently activating your data estate

The rise of generative AI and data democratization in the form of new analytics tools has made organizations look inward to adopt responsible analytics practices. At Microsoft, we believe that the key to responsible analytics is in adopting integrated solutions to secure your data, so you can confidently activate it. Security and governance are no longer an aftermath to data deployments, they are table stakes.

The future of compliance and data governance is here: Introducing Microsoft Purview

Read more

In 2022, we introduced Microsoft Purview, a comprehensive set of solutions that let you secure, govern, and ensure compliance across your data estate. Since then, the teams have worked tirelessly to bring this vision to life. With a unified approach, Microsoft Purview combines a variety of capabilities to allow customers to seamlessly secure, and confidently activate data, while adhering to regulatory requirements in one single solution built on a shared set of AI-powered data governance, classification, and audit logging, all under a unified management experience.

Seamlessly secure your data with built-in controls

With the rapid adoption of platforms such as Microsoft Fabric, we are excited to announce new innovations—all in preview—to help organizations adopt built-in data security across their most utilized systems. Starting today, we are enabling the following experiences:

  • Built-in protections: Business users can now apply label-based protections—a familiar concept to the millions of users who employ Microsoft 365 labels and data loss prevention (DLP) policies, into Microsoft Fabric workloads. 
  • Consistent enforcements: Admins can now extend their label-based protections across structured and unstructured data stores, including Microsoft Azure SQL, Microsoft Azure Data Lake Storage, and Amazon S3 buckets.
  • Data risk detections: Data doesn’t move itself. People move data. Security teams can now ingest signals coming from Microsoft Fabric into the millions of signals across Microsoft Purview Insider Risk Management.

Click here to watch the Microsoft Mechanics video to see this scenario in action!

These capabilities enable a confident approach to data democratization as organizations work on all types of data, whether sensitive or not, in a secure and responsible way. Learn more about how to seamlessly secure your data estate with our new capabilities.

Confidently activate your data with modern data governance

We are thrilled to introduce the new Microsoft Purview Data Governance experience. This new reimagined software as a service (SaaS) solution offers sophisticated yet simple business-friendly interaction, integration across your multicloud data estate, and actionable insights that help data leaders to responsibly unlock business value within their data estate. The new experience is:

  • Business-friendly, federated, multicloud: Purpose-built for federated governance with efficient data office management and oversight that offers customizable business terms, roles, and policies for your multisource, multicloud data estate.
  • Designed for business efficiency: Scan and search data assets and accelerate your practice with built-in templates, terms, and policy recommendations served up based on your metadata. Define data quality policies that follow the data through your governance practice.
  • Actionable and informative: Aggregated actions and health insights help you put the practice in data governance by showcasing the overall health of your governed estate through built-in reports while interactive summarized actions help you improve the overall posture of your data governance practice.

Click here to learn more about our new modern Data Governance experience.

Expanding across your data estate

These innovations, all in public preview, are just the beginning of our journey to provide you with an integrated solution to secure and govern your data estate. We invite you to try them out and share your feedback with us. These capabilities will come in a new pay-as-you-go consumptive model, available at no additional cost during preview in the near term, with pricing details to follow in the future.

Join us at the Fabric Community Conference

Please join us at the first ever Microsoft Fabric Community Conference in Las Vegas. If you’re attending, don’t miss the “Microsoft Purview for the Age of AI” keynote and our sessions on Microsoft Purview. Explore more details on how Microsoft Purview can help you and read our e-book “Crash Course in Microsoft Purview: A guide to securing and managing your data estate.”

Microsoft Purview

Secure and govern data across your data estate while reducing risk and meeting compliance requirements.

Learn more Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on X at @MSFTSecurity for the latest news and updates on cybersecurity.

1Worldwide Global DataSphere and Global StorageSphere Structured and Unstructured, DOC #US50397723, Data Forecast, 2023–2027 Market Forecast. June 13, 2023.

22022 Chief Data Officer survey, Deloitte. September 2022.

3ISMG First Annual Generative AI Study: Business rewards vs. Security Risks. January 31, 2024.

The post The foundation for responsible analytics with Microsoft Purview appeared first on Microsoft Security Blog.

Categories: Microsoft

​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024

Mon, 03/25/2024 - 12:00pm

We are excited to share that Microsoft has been named a Leader by Frost & Sullivan in the Frost Radar™: Managed Detection and Response, 2024, leading in innovation and among the top two in growth. Frost & Sullivan highlighted Microsoft Defender Experts for XDR as a key component of Microsoft’s managed detection and response (MDR) offering, which delivers a managed extended detection and response service that triages, investigates, and responds to incidents to help organizations stop cyberattackers and prevent future compromise.

According to Frost & Sullivan, the market for MDR is growing rapidly, with a growth rate of 35.2%, as evidenced with 22 MDR vendors plotted in this year’s analysis. This growth is expected to continue as Frost & Sullivan cited that “faced with a lack of access to professionals and an inability to protect their business-critical data effectively, organizations are outsourcing to alleviate the issue.”

Figure 1. Frost RadarTM for Managed Detection and Response 2024 showing Microsoft as a leader.

Advancing cybersecurity frontiers with Defender Experts

Designated as one of the companies to be considered first for investment, partnerships, or benchmarking by Frost & Sullivan, Microsoft is a recent entrant in the MDR space, but with its focus on AI and machine learning, “especially the development of Microsoft Copilot for Security, coupled with its top-tier threat detection and response capabilities, allows it to maintain an innovation edge over other world-class competitors.”1 Our Defender Experts for XDR service helps our customers boost their security operations centers (SOCs) with security expertise and around-the-clock coverage to detect and accurately respond to incidents that matter across their varied Microsoft Defender XDR workloads.

What is Managed Detection and Response?

Learn more

The Frost & Sullivan report emphasizes the comprehensive capabilities of our Defender Experts for XDR service, which brings together human expertise with AI and automation powered by our Defender XDR suite. The service provides cross-domain MDR services with visibility over endpoints, email, cloud, and identity. In addition, Defender Experts for XDR “delivers 24/7 monitoring, detection, and response, and proactive threat hunting, combined with its world-class threat intelligence, security posture assessments, and access to its expert team.”

Charting new horizons—the convergence of managed services and generative AI

The report highlights the key innovation that Microsoft offers to customers, which is the ability to use both human-led expertise and generative AI in cybersecurity. As organizations continue to adopt MDR services to enhance their SOC efforts, the appearance of generative AI in cybersecurity solutions also offers more potential to those who want to improve their SOC teams. According to Frost & Sullivan, “AI, [machine learning], and automation have become increasingly integral to cybersecurity solutions. These technologies enhance detection and response and allow SOC analysts to focus on what’s important instead of chasing down false alerts.”

The report also recognizes Microsoft Copilot for Security as a pivotal AI assistant that enhances the capabilities of security analysts. It streamlines complex data into concise summaries, offers insights, aids in detection, accelerates response, and contextualizes alerts and incidents. This tool is instrumental in supporting both novice and seasoned analysts, enabling them to make well-informed decisions with greater confidence and speed.

Building on this, the Defender Experts team has found the utilization of Copilot for Security not only boosts productivity and streamlines workflows, but also significantly enhances threat detection and response. Insights from team leaders and real-world applications, such as script analysis and incident summaries, are detailed in a recent blog post. These examples underscore Copilot’s role in elevating the skills of analysts and enriching threat intelligence, and empowering security teams to leverage AI’s full potential in safeguarding their organizations. Microsoft will continue to invest in generative AI and unlock its potential for Defender Experts and our customers.

Microsoft Defender Experts for XDR

Give your security operations center team coverage with leading end-to-end protection and expertise.

See features Empower your SOC with managed XDR

Frost & Sullivan’s report praises Microsoft Defender Experts for XDR for its capacity to expedite SOC operations through expert triage and investigation, provide robust protection through human-led response and proactive remediation, offer around-the-clock access to Defender Experts for real-time consultations, and provide strategic recommendations to fortify defenses and mitigate future cyberthreats, all underscored by the transformative integration of generative AI with human expertise.

We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners that provide customers the flexibility to choose what works for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. To date, we’ve added more than 50 partners to our Microsoft-verified MXDR program and invite you to review their offerings.

Learn more

To learn more about our service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog home.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Frost & Sullivan, Frost Radar™: Managed Detection and Response, 2024, Lucas Ferreyra. March 2024.

The post ​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024 appeared first on Microsoft Security Blog.

Categories: Microsoft

How Microsoft Incident Response and Microsoft Defender for Identity work together to detect and respond to cyberthreats

Thu, 03/21/2024 - 12:00pm

Identity-based cyberthreats are on the rise. 2023 saw a tenfold increase in threats including phishing, ransomware, and more.1 And bad actors continue to evolve their techniques—making them more sophisticated, more overwhelming, and more believable. From an employee’s viewpoint, every ping, click, swipe, buzz, ding, text, and tap takes time and attention—which can add up to a loss of focus, alert fatigue, and increased risk. In this post, we’ll look at a human-operated ransomware attack that began with one malicious link in one user’s email. Then we’ll share how Microsoft Incident Response helped facilitate collaboration among security, identity, and incident response teams to help a customer evict the bad actor from their environment and build resilience for future threats.

Microsoft Incident Response

Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.

Explore services One click opens the door to a threat actor

We know that 50% of Microsoft cybersecurity recovery engagements relate to ransomware,2 and 61% of all breaches involve credentials.3 Identity attacks continue to be a challenge for businesses because humans continue to be a central risk vector in social engineering identity attacks. People click links without thinking. Too often, users open attachments by habit, thereby opening the door to threat actors. Even when employees recognize credential harvesting attempts, they’re often still susceptible to drive-by URL attacks. And teams focused on incident response are often disconnected from teams that manage corporate identities. In this incident, one click on a malicious link led a large customer to reach out to Microsoft Incident Response for help.

Figure 1. Diagram of a threat actor’s malware moving through the network.

The malicious link the employee clicked infected their device with Qakbot. Qakbot is a modular malware that has been evolving for more than a decade. It’s a multipurpose malware that unfortunately gives attackers a wide range of capabilities. Once the identity-focused threat actor had established multiple avenues of persistence in the network and seemed to be preparing to deploy ransomware, the customer’s administrators and security operations staff were overwhelmed with tactical recovery and containment. That’s when they called Microsoft.

Your first call before, during, and after a cybersecurity incident

Microsoft Incident Response stepped in and deployed Microsoft Defender for Identity—a cloud-based security solution that helps detect and respond to identity-related threats. Bringing identity monitoring into incident response early helped an overwhelmed security operations team regain control. This first step helped to identify the scope of the incident and impacted accounts, take action to protect critical infrastructure, and work on evicting the threat actor. Then, by leveraging Microsoft Defender for Endpoint alongside Defender for Identity, Microsoft Incident Response was able to trace the threat actor’s movements and disrupt their attempts to use compromised accounts to reenter the environment. And once the tactical containment was complete and full administrative control over the environment was restored, Microsoft Incident Response worked with the customer to move forward to build better resiliency to help prevent future cyberattacks. More information about the incident and remediation details can be found on our technical post titled “Follow the Breadcrumbs with Microsoft Incident Response and Microsoft Defender for Identity: Working Together to Fight Identity-Based Attacks.”

Strengthen your identity posture with defense in depth

We know protecting user identities can help prevent incidents before they happen. But that protection can take many forms. Multiple, collaborative layers of defense—or defense in depth—can help build up protection so no single control must shoulder the entire defense. These layers include multifactor authentication, conditional access rules, mobile device and endpoint protection policies, and even new tools—like Microsoft Copilot for Security. Defense in depth can help prevent many cyberattacks—or at least make them difficult to execute—through the implementation and maintenance of layers of basic security controls.

In a recent Cyberattack Series blog post and report, we go more in depth on how to protect credentials against social engineering attacks. The cyberattack series case involved Octo Tempest—a highly active cyberthreat actor group which utilizes varying social engineering campaigns with the goal of financial extortion across many business sectors through means of data exfiltration and ransomware. Octo Tempest compromised a customer with a targeted phishing and smishing (text-based phishing) attack. That customer then reached out to Microsoft Incident Response for help to contain, evict, and detect any further threats. By collaborating closely with the victim organization’s IT and security teams, the compromised systems were isolated and contained. Throughout the entire process, effective communication and coordination between the incident response team and the affected organization is crucial. The team provides regular updates on their progress, shares threat intelligence, and offers guidance on remediation and prevention strategies. By working together seamlessly, the incident response team and the affected organization can mitigate the immediate cyberthreat, eradicate the cyberattacker’s presence, and strengthen the organization’s defenses against future cyberattacks.

Honeytokens: A sweet way to defend against identity-based attacks

Another layer of protection for user identities is the decoy account. These accounts are set up expressly to lure attackers, diverting their attention away from real targets and harmful activities—like accessing sensitive resources or escalating privileges. The decoy accounts are called honeytokens, and they can provide security teams with a unique opportunity to detect, deflect, or study attempted identity attacks. The best honeytokens are existing accounts with histories that can help hide their true nature. Honeytokens can also be a great way to monitor in-progress attacks, helping to discover where attackers are coming from and where they may be positioned in the network. For more detailed instructions on how to tag an account as a honeytoken and best practices for honeytoken use, read our tech community post titled “Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity.”

Working together to build better resilience

Microsoft Incident Response is the first call for customers who want to access dedicated experts before, during, and after any cybersecurity incident. With on-site and remote assistance on a global scale, unprecedented access to product engineering, and the depth and breadth of Microsoft Threat Intelligence, it encompasses both proactive and reactive incident response services. Collaboration is key. Microsoft Incident Response works with the tools and teams available to support incident response—like Defender for Identity, Defender for Endpoint, and now Copilot for Security—to defend against identity-based attacks, together. And that collaboration helps ensure better outcomes for customers. Learn more about the Microsoft Incident Response proactive and reactive response services or see it in action in the fourth installment of our ongoing Cyberattack Series.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Microsoft Digital Defense Report, Microsoft. 2023.

2Microsoft Digital Defense Report, Microsoft. 2022.

32023 Data Breach Investigations Report, Verizon.

4Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

The post How Microsoft Incident Response and Microsoft Defender for Identity work together to detect and respond to cyberthreats appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft Threat Intelligence unveils targets and innovative tactics amidst tax season

Wed, 03/20/2024 - 9:00am

Cybercriminals use social engineering during holidays and important events like tax season to steal user information. Our new Microsoft Threat Intelligence tax season report outlines some of the various techniques that threat actors use to craft their campaigns and mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. These include phishing emails, text message phishing (smishing), malicious advertising, and voice phishing (vishing). The Microsoft Threat Intelligence tax season report also shows how threat actors impersonate tax payment processors in phishing emails, what cybercriminals are looking for and who they are targeting, how they can get your data, and, most importantly, how you and your organization can stay safe. Although these are well-known, longstanding techniques, they’re still highly effective and are amplified even more during this time of year.  

Tax-related fraud campaigns 

Although everyone is susceptible to tax-season phishing, we have noted that certain groups of people are more vulnerable than others. Prime targets include individuals who may be less informed about government tax procedures and methods—green card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over 60.  

At the end of January 2024, Microsoft Threat Intelligence observed a campaign using lures masquerading as tax-related documents provided by employers. The phishing email contained an HTML attachment that directed the user to a fake landing page. This page hosted malicious executables and once the target clicked on the “Download Documents” prompt, malware installed on their computer.  

Figure 1. Phishing email using tax lures.

The malicious executable file dropped on the target’s machine had information stealer capabilities. Once in the environment, it attempted to collect information including login credentials.

Be diligent around phishing emails 

Phishing email campaigns around tax season use a variety of tactics to trick users into believing they represent legitimate sources. These include spoofing the landing pages of genuine services or websites, using homoglyph domains, and customizing phishing links for each user. Threat actors typically impersonate employers and human resources personnel, the Internal Revenue Service (IRS), or taxation-related entities such as state tax organizations or tax preparation services.  

Phishing emails may contain malicious attachments like HTML files, PDF files, or ZIP archives. The cybercriminal tries to exploit the recipients’ trust in the perceived sender to trick them into opening these attachments. When they do, malware is automatically downloaded onto their machine. Threat actors also commonly send URLs that direct users to fraudulent websites that host malware. 

Tax season cybersecurity best practices 

The best defense against cybercriminals, both at tax season and throughout the year, is education and good cyber hygiene. Education means phishing awareness—knowing what phishing attempts look like and what to do when they’re encountered. Good cyber hygiene means implementing basic security measures like multifactor authentication for financial and email accounts. With multifactor authentication enabled, you can prevent 99.9% of attacks on your accounts.  

Ways to help protect yourself from phishing 

Falling for a phishing attack can lead to a number of unwanted outcomes including leaked confidential information, infected networks, financial demands, corrupted data, and more. Here are a few tips to help protect yourself:  

  • Inspect the sender’s email address. Is everything in order? A misplaced character or unusual spelling could signal a fake.  
  • Be wary of emails with generic greetings (“Dear customer,” for example) that ask you to act urgently. 
  • Look for verifiable sender contact information. If in doubt, do not reply. Start a new email to respond instead. 
  • Never send sensitive information by email. If you must convey private information, use the phone. 
  • Think twice about clicking unexpected links, especially if they direct you to sign into your account. To be safe, log in from the official website instead.  
  • Avoid opening email attachments from unknown senders or friends who do not usually send you attachments. 
  • Install a phishing filter for your email apps and enable the spam filter on your email accounts. 

To learn more about the latest observed tax season phishing campaigns, social engineering fraud, and tips on how to stay ahead of these types of attacks during tax season and other holidays, read the Microsoft Threat Intelligence tax season report. For a deeper look into social engineering fraud tactics, read Feeding from the trust economy: social engineering fraud, and watch the session from Microsoft Ignite 2023 called The risk of trust: Social engineering threats and cyber defense.

Keeping a pulse on today’s threats

The Microsoft Threat Intelligence team tracks hundreds of threat actor groups worldwide, with more than 10,000 security experts analyzing more than 78 trillion signals daily to uncover the latest insights. Microsoft Threat Intelligence’s global network of security and intelligence teams includes engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators, and frontline responders across 77 countries. These experts come together to help share timely insights about the ever-expanding attack surface and provide actionable guidance through resources like the annual Microsoft Digital Defense Report, nation-state reports, the Microsoft Threat Intelligence podcast, Cyber Signals report, and digital briefings. To read the latest reports, threat briefs, or learn about the tactics and techniques from some of the more than 300 threat actors that we monitor and to get behind the scenes and watch interviews with threat intelligence experts, visit Security Insider.

Microsoft Threat Intelligence

Read the new tax season report to learn about the techniques that threat actors use to mislead taxpayers.

Read the report

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Threat Intelligence unveils targets and innovative tactics amidst tax season appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft Sentinel delivered 234% ROI, according to new Forrester study

Tue, 03/19/2024 - 12:00pm

In an era defined by rapid technological advancements and digital transformation, protecting it all remains a top challenge. From sophisticated hacking attempts by state-sponsored actors to opportunistic cybercriminals exploiting weaknesses in software and infrastructure, cyberthreats demand constant vigilance and innovative solutions. Traditional security information and event management (SIEM) solutions are complex to implement and have high costs associated with deploying, maintaining, and scaling. They struggle to collect, correlate, and analyze data from disparate sources in real-time, making them an inefficient choice for modern security operations.

To protect your entire multicloud, multiplatform digital estate, consider Microsoft Sentinel, a modern, comprehensive SIEM solution built on the cloud and enriched by AI to rapidly uncover sophisticated cyberthreats and respond at machine speed. Microsoft Sentinel offers a complete security operations solution that is powerful, highly efficient and economic than other SIEM solutions.

To evaluate the benefits of Microsoft Sentinel, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study. Using the methodology of the TEI framework, Forrester consultants evaluated the cost, benefits, and flexibility of Microsoft Sentinel and developed a framework that organizations can use to evaluate the potential financial impact on their organizations.

In this study, Forrester found that interviewees achieved some notable advantages from their investment in Microsoft Sentinel, including increasing the productivity of their security teams, simplifying operations, decreasing their total cost of ownership, and realizing a return on investment (ROI) of 234%. Here are some other major findings for a composite organization based on what interviewed organizations reported.

1. Reducing time-to-value compared to other SIEM solutions 

Deploying Microsoft Sentinel—and finessing it after implementation—is faster because of the solution’s prebuilt playbooks, automation, and other SIEM tools. Microsoft Sentinel reduced the time to configure and deploy new connections by 93%, with time saved in configuration valued at $618,000 during the three-year period Forrester analyzed.  

“It took us about five years to get to be a six terabyte on-prem customer [with out previous solution]. It took us two months to set up Microsoft Sentinel and another two months to be at data-ingestion parity. It was insane.”

—CISO, financial services

This out-of-the-box functionality also includes simplified data connections and integrations that make it easier and faster to connect Microsoft Sentinel with your non-Microsoft systems, saving the time that employees might otherwise spend doing integration work. Valuable connections can be made across users, devices, apps, and infrastructure. Find even more integrations with Copilot for Security

2. Increasing the efficiency of the SOC 

Microsoft Sentinel makes it easier for security practitioners at all levels of expertise to detect, investigate, and respond effectively to cyberthreats. The solution harnesses an AI-driven correlation engine and offers a unified set of tools to more easily monitor, manage, and respond to incidents. Those interviewed praised Microsoft Sentinel’s interface for being easy to use (no specialized security expertise necessary). Because of Sentinel’s process automation, security professionals with less IT knowledge can effectively use the platform to detect and respond to cyberthreats.  

The total value of efficiency improvements to the security operations center of a composite organization was $1.5 million over three years. The solution is intuitive enough to use that junior analysts can tackle investigation basics while senior analytics tackle higher-priority tasks, according to Forrester findings. A prebuilt playbook helps further.  

Microsoft Sentinel capabilities, including its behavior-based analytics, enable you to boost the mean time to respond (MTTR) as you decrease false positives and minimize the work required of advanced investigations. In fact, Forrester found that Microsoft Sentinel helped to reduce false positives by up to 79% and decrease the work required for advanced, multitouch investigations by 85%. These are critical metrics when every second counts in triage and response.

The reason we have Microsoft Sentinel is because of its proactive predictive abilities. It is able to respond to threats faster than a human can. We actually were able to stop significant threats that hit other organizations and keep our organization running. Microsoft Sentinel was one of the tools in our Microsoft tool bag that really kept us running as an organization. It kept our operations running.”

—CISO, healthcare 3. Reduce total cost of operation 

Implementing Microsoft Sentinel offers several cost savings opportunities, according to interviewees. One quantified benefit from the study found that the composite organization’s potential cost savings gained by discounting their current legacy SIEM solution and switching to Microsoft Sentinel could account for realized savings of up to $5.1 million over three years. This is attributed to Microsoft Sentinel’s lower per-GB data ingestion and licensing costs that enables customers to avoid the capital investments necessary to store logs on-premises. 

Microsoft Sentinel offers smoother deployment because of its prebuilt playbooks, queries, data connections, and free ingestion for certain Microsoft logs including Office 365 audit logs, Azure activity logs, and Microsoft Threat Protection alerts. The more intuitive nature of Microsoft Sentinel makes it easier to onboard employees to the technology.  

Compared to [our on-premises solution] when we were paying for infrastructure, the savings are significant. Essentially one year of [legacy solution] costs are three years of Microsoft Sentinel costs.”

—CISO, financial services

Interviewees also shared that Microsoft Sentinel helped them decrease compliance costs. They did this by streamlining compliance reporting through the automation capabilities of Sentinel for security data collection and analysis. The alternative option would likely have been to bring in external consultants.  

4. Minimizing management effort 

In interviews with management teams at the organizations, they reported saving time on planning and maintenance, allowing for more time on other critical projects. That’s due to the way the solution decreased the size and complexity of their on-premises infrastructure. The value of this reduced management amounts to $1.1 million for a composite organization over three years and enabled the redeployment of 50% of infrastructure services professionals and 16% of legacy SIEM specialists. Automatic updates and the platform’s intuitive and centralized nature contribute to lessening the demand for labor.  

In the raw maintenance of the SIEM, it’s pretty hands off. When there is an issue, we open up a case with Microsoft and they assume the burden of trying to fix the issue. I don’t have to maintain staff for that anymore.”

—CISO, financial services The advantages of Microsoft Sentinel 

With its modern, cloud-native features and innovations, Microsoft Sentinel has helped organizations like yours deploy faster, increase the efficiency of their threat investigations, save on deployment and training, and gain efficiency in security management. Explore the Total Economic Impact™ Of Microsoft Sentinel Study for more analyst findings as well as to read the perspectives of Sentinel users interviewed in the study.

And to learn more about Microsoft Security, see:

Microsoft Sentinel

See and stop cyberthreats across your entire enterprise with intelligent security analytics.

Learn more Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders. 

The post Microsoft Sentinel delivered 234% ROI, according to new Forrester study appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft Copilot for Security is generally available on April 1, 2024, with new capabilities

Wed, 03/13/2024 - 12:00pm

Today, we are excited to announce that Microsoft Copilot for Security will be generally available worldwide on April 1, 2024. The industry’s first generative AI solution will help security and IT professionals catch what others miss, move faster, and strengthen team expertise. Copilot is informed by large-scale data and threat intelligence, including more than 78 trillion security signals processed by Microsoft each day, and coupled with large language models to deliver tailored insights and guide next steps. With Copilot, you can protect at the speed and scale of AI and transform your security operations.

Microsoft Copilot for Security

Powerful new capabilities, new integrations, and industry-leading generative AI—generally available on April 1, 2024.

Learn more

We are inspired by the results of our second Copilot for Security economic study, which shows that experienced security professionals are faster and more accurate when using Copilot, and they overwhelmingly want to continue using Copilot. The gains are truly amazing:

  • Experienced security analysts were 22% faster with Copilot.
  • They were 7% more accurate across all tasks when using Copilot.
  • And, most notably, 97% said they want to use Copilot the next time they do the same task.

This new study focuses on experienced security professionals and expands the randomized controlled trial we published last November, which focused on new-in-career security professionals. Both studies measured the effects on productivity when analysts performed security tasks using Copilot for Security compared to a control group that did not. The combined results of both studies demonstrate that everyone—across all levels of experience and types of expertise—can make gains in security with Copilot. When we put Copilot in the hands of security teams, we can break down barriers to entry and advancement, and improve the work experience for everyone. Copilot enables security for all.

Copilot for Security is now pay-as-you-go

Toward our goal of enabling security for all, Microsoft is also introducing a provisioned pay-as-you-go licensing model that makes Copilot for Security accessible to a wider range of organizations than any other solution on the market. With this flexible, consumption-based pricing model, you can get started quickly, then scale your usage and costs according to your needs and budget. Microsoft Copilot for Security will be available for purchase starting April 1, 2024. Connect with your account representative now so your organization can be among the first to enjoy the incredible gains from Copilot for Security.

Global availability and broad ecosystem

General availability means Copilot for Security will be available worldwide on April 1, 2024. Copilot is multilingual and can process prompts and respond in eight languages with a multilingual interface for 25 different languages, making it ready for all major geographies across North and South America, Europe, and Asia.

Copilot has grown a broad, global ecosystem of more than 100 partners consisting of managed security service providers and independent software vendors. We are so grateful to the partners who continue to play a vital role in empowering everyone to confidently adopt safe and responsible AI.

Partners can learn more about integrating with Copilot.

New Copilot for Security product innovations

Microsoft Copilot for Security helps security and IT professionals amplify their skillsets, collaborate more effectively, see more, and respond faster.

As part of general availability, Copilot for Security includes the following new capabilities:

  • Custom promptbooks allow customers to create and save their own series of natural language prompts for common security workstreams and tasks.
  • Knowledgebase integrations, in preview, empowers you to integrate Copilot for Security with your business logic and perform activities based on your own step-by-step guides.
  • Multi-language support now allows Copilot to process prompts and respond in eight different languages with 25 languages supported in the interface.  
  • Third-party integrations from global partners who are actively developing integrations and services.
  • Connect to your curated external attack surface from Microsoft Defender External Attack Surface Management to identify and analyze the most up-to-date information on your organization’s external attack surface risks.
  • Microsoft Entra audit logs and diagnostic logs give additional insight for a security investigation or IT issue analysis of audit logs related to a specific user or event, summarized in natural language.
  • Usage reporting provides dashboard insights on how your teams use Copilot so that you can identify even more opportunities for optimization.

To dive deeper into the above announcement and learn about pricing, read the blog on Tech Community. Read the full report to dig into the complete results of our research study or view the infographic. To learn more about Microsoft Copilot for Security, visit our product page or check out our solutions that include Copilot. If you’re interested in a demo or are ready to purchase, please contact your sales representative.

“Threat actors are getting more sophisticated. Things happen fast, so we need to be able to respond fast. With the help of Copilot for Security, we can start focusing on automated responses instead of manual responses. It’s a huge gamechanger for us.” 

—Mario Ferket, Chief Information Security Officer, Dow  AI-powered security for all

With general availability, Copilot for Security will be available as two rich user experiences: in an immersive standalone portal or embedded into existing security products.

Integration of Copilot with Microsoft Security products will make it even easier for your IT and security professionals to take advantage of speed and accuracy gains demonstrated in our study. Enjoy the product portals you know and love, now enhanced with Copilot capabilities and skills specific to use cases for each product.

The unified security operations platform, coming soon, delivers an embedded Copilot experience within the Microsoft Defender portal for security information and event management (SIEM) and extended detection and response (XDR) that will prompt users as they investigate and respond to threats. Copilot automatically surfaces relevant details for summaries, drives efficiency with guided response, empowers analysts at all levels with natural language to Kusto Query Language (KQL) and script and file analysis, and now includes the ability to assess risks with the latest Microsoft threat intelligence.

Copilot in Microsoft Entra user risk investigation, now in preview, helps you prevent identity compromise and respond to threats quickly. This embedded experience in Microsoft Entra provides a summary in natural language of the user risk indicators and tailored guidance for resolving the risk. Copilot also recommends ways to automate prevention and resolution for future identity attacks, such as with a recommended Microsoft Entra Conditional Access policy, to increase your security posture and keep help desk calls to a minimum.

To help data security and compliance administrators prioritize and address critical alerts more easily, Copilot in Microsoft Purview now provides concise alert summaries, integrated insights, and natural language support within their trusted investigation workflows with the click of a button.

Copilot in Microsoft Intune, now in preview, will help IT professionals and security analysts make better-informed decisions for endpoint management. Copilot in Intune can simplify root cause determination with complete device context, error code analysis, and device configuration comparisons. This makes it possible to detect and remediate issues before they become problems.

Discover, protect, and govern AI usage

As more generative AI services are introduced in the market for all business functions, it is crucial to recognize that as this technology brings new opportunities, it also introduces new challenges and risks. With this in mind, Microsoft is providing customers with greater visibility, protection, and governance over their AI applications, whether they are using Microsoft Copilot or third-party generative AI apps. We want to make it easier for everyone to confidently and securely adopt AI.

To help organizations protect and govern the use of AI, we are enabling the following experiences within our portfolio of products:

  • Discover AI risks: Security teams can discover potential risks associated with AI usage, such as sensitive data leaks and users accessing high-risk applications.
  • Protect AI apps and data: Security and IT teams can protect the AI applications in use and the sensitive data being reasoned over or generated by them, including the prompts and responses.
  • Govern usage: Security teams can govern the use of AI applications by retaining and logging interactions with AI apps, detecting any regulatory or organizational policy violations when using those apps, and investigating any new incidents.

At Microsoft Ignite in November 2023, we introduced the first wave of capabilities to help secure and govern AI usage. Today, we are excited to announce the new out-of-the-box threat detections for Copilot for Microsoft 365 in Defender for Cloud Apps. This capability, along with the data security and compliance controls in Microsoft Purview, strengthens the security of Copilot so organizations can work on all types of data, whether sensitive or not, in a secure and responsible way. Learn more about how to secure and govern AI.

Expanded end-to-end protection to help you secure everything

Microsoft continues to expand on our long-standing commitment to providing customers with the most complete end-to-end protection for your entire digital estate. With the full Microsoft Security portfolio, you can gain even greater visibility, control, and governance—especially as you embrace generative AI—with solutions and pricing that fit your organization. New or recent product features include:

Microsoft Security Exposure Management is a new unified posture and attack surface management solution within the unified security operations platform that gives you insights into your overall assets and recommends priority security initiatives for continuous improvement. You’ll have a comprehensive view of your organization’s exposure to threats and automatic discovery of critical assets to help you proactively improve your security posture and lower the risk of exposure of business-critical assets and sensitive data. Visualization tools give you an attacker’s-eye view to help you investigate exposure attempts and uncover potential attack paths to critical assets through threat modeling and proactive risk exploration. It’s now easier than ever to identify exposure gaps and take action to minimize risk and business disruption.

Adaptive Protection, a feature of Microsoft Purview, is now integrated with Microsoft Entra Conditional Access. This integration allows you to better safeguard your organization from insider risks such as data leakage, intellectual property theft, and confidentiality violations. With this integration, you can create Conditional Access policies to automatically respond to insider risks and block user access to applications to secure your data.

Microsoft Communication Compliance now provides both sentiment indicators and insights to enrich Microsoft Purview Insider Risk Management policies and to identify communication risks across Microsoft Teams, Exchange, Microsoft Viva Exchange, Copilot, and third-party channels. 

Microsoft Intune launched three new solutions in February as part of the Microsoft Intune Suite: Intune Enterprise Application Management, Microsoft Cloud PKI, and Intune Advanced Analytics. Intune Endpoint Privilege Management is also rolling out the option to enable support approved elevations.

Security for all in the age of AI

Microsoft Copilot for Security is a force multiplier for the entire Microsoft Security portfolio, which integrates more than 50 categories within six product families to form one end-to-end Microsoft Security solution. By implementing Copilot for Security, you can protect your environment from every angle, across security, compliance, identity, device management, and privacy. In the age of AI, it’s more important than ever to have a unified solution that eliminates the gaps in protection that are created by siloed tools.

The coming general availability of Copilot on April 1, 2024, is truly a milestone moment. With Copilot, you and your security team can confidently lead your organization into the age of AI. We will continue to deliver on Microsoft’s vision for security: to empower defenders with the advantage of industry-leading generative AI and to provide the tools to safely, responsibly, and securely deploy, use, and govern AI. We are so proud to work together with you to drive this AI transformation and enable security for all.

Join us April 3, 2024, at the Microsoft Secure Tech Accelerator for a deep dive into technical information that will help you and your team implement Copilot. Learn how to secure your AI, see demonstrations, and ask our product team questions. RSVP now.

Microsoft Secure

Watch the second annual Microsoft Secure digital event to learn how to bring world-class threat intelligence, complete end-to-end protection, and industry-leading, responsible AI to your organization.

Watch now

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Copilot for Security is generally available on April 1, 2024, with new capabilities appeared first on Microsoft Security Blog.

Categories: Microsoft

International Women’s Day: Expanding cybersecurity opportunities in the era of AI

Fri, 03/08/2024 - 12:00pm

March is a meaningful month for me personally as we honor Women’s History Month and International Women’s Day. Some of the most powerful role models in my own life are the women who raised me and the community of women who’ve provided the support and encouragement that continues to empower me to believe that I can be anything I aspire to. In security, this is particularly important because women are still underrepresented and so critical to the future of our industry. I’ve had the great fortune of working with many wonderful women throughout my career and one of the things I find so often to be true is that the path to a career in security does not have to be a linear one. There is no right way to come into this industry, no one background or training ground required. In fact, diversity of experiences and perspectives are the critical secret sauce to building a safer world for everyone.  

Here are just a few examples of incredible women at Microsoft who may never have envisioned cybersecurity as their destination when they were starting out:

  • In our recent Cyber Signals briefing, I had the privilege of talking to Homa Hayatyfar, Principal Detection Analytics Manager, Microsoft, who has seen how her pathway to a career in cybersecurity was nonlinear. She arrived at her career in cybersecurity by way of a research background in biochemistry and molecular biology—along with a passion for solving complex puzzles—and she believes that may be what the industry needs more of.
  • From our threat intelligence team, Fanta Orr, Intelligence Analysis Director, who improves the understanding of and protection against nation-state cyberthreats to Microsoft customers and the global digital ecosystem. She’s a seasoned foreign affair professional, who spent well over a decade in United States government service before pivoting over to cyberthreat analysis.
  • When Sherrod DeGrippo, Director of Threat Intelligence Strategy, began studying fine arts in college, internet access was a rare luxury and the cybersecurity field as we know it today was just emerging. She developed a dual interest in the new world of online communication and do-it-yourself computing after her first experience with bulletin board systems at 14 years old. She thinks her fine arts education helps her discover new ideas and methods for threat intelligence, after more than 20 years in cybersecurity and an unplanned role in incident response. 

“Threat intelligence is about taking subjective information and turning it into objective protections. Ultimately, it’s data-driven intuition and it’s extremely powerful. Women learn this skill early, and in so many areas of life they’re natural threat intelligence analysts.”

—Sherrod DeGrippo, Director of Threat Intelligence Strategy, Microsoft

These cyberdefenders work every day to keep our world safe and also support and mentor other women to create their own trails and pathways. I invite you to follow them on LinkedIn and attend the Women in Cybersecurity (WyCiS) conference presentations and RSA Conference, where many of these amazing women will share their stories over the next few months.

We have made a lot of progress, but there is still much more opportunity

A huge opportunity still exists to welcome more women into cybersecurity. More than 4 million cybersecurity jobs are available globally.2 These are roles that women can help fill and triumph in, but we must lay the groundwork to make such roles an attractive and available career option, and to help change the perception of what it takes to succeed.

While there’s been steady progress over the past few years, women fill just 21% of cybersecurity leadership roles and only 17% of board member positions in cybersecurity.3 In 2022, Microsoft Security commissioned a survey to explore the reasons behind the gender gap in cybersecurity skills. Just 44% of women who responded said they feel adequately represented in the industry.

Several factors contribute to fewer women joining the cybersecurity profession than men:

  • 28% of respondents believed parents were more encouraging of sons than daughters to explore technology and cybersecurity fields.
  • Women lacking cybersecurity role models, including women in leadership roles.
  • Implicit bias in the hiring process and a belief that men are a better fit for roles related to technology.
We need to create a pathway to success

By fostering an environment that welcomes women into cybersecurity, we break down barriers and build stronger, more resilient cyber defense mechanisms. Diversity isn’t about filling quotas; it’s about building resilient, innovative teams capable of outthinking and outmaneuvering cyberadversaries. It’s up to us to shift the view that cybersecurity is too demanding—especially as AI can help to alter this balance. And it’s past time to change the perception that cybersecurity is a field of hacker men in hoodies in their basement.

We need to continue to be role models and allies for underrepresented groups, especially for those from underprivileged backgrounds. There is often no easy way for underprivileged aspiring entrants to practice their craft from a young age and eventually enter science, technology, engineering, and mathematics (STEM) fields, regardless of other factors. To change this, we need to invest and support the many not-for-profits that help those from underprivileged backgrounds.

Inspiring the next generation of cybersecurity professionals

During the past year, Microsoft has partnered with many organizations similarly committed to building a more diverse cybersecurity workforce. One huge way these organizations are doing that is by offering training to girls so they can become the next generation of cybersecurity professionals through programs like GirlSecurity, TechTogether, and IGNITE Worldwide (Inspiring Girls Now in Technology Evolution).

Another initiative we support through partnerships offers training to women interested in switching careers or upskilling their cybersecurity knowledge through programs like WiCyS and Executive Women’s Forum (EWF). We also partner with global education programs, including CyberShikshaa in India and WOMCY in Latin America, to empower women and minorities in cybersecurity.

These programs and initiatives have a tremendous impact on encouraging more girls to consider careers in cybersecurity and getting more women to join the cybersecurity workforce. Among other benefits, they help girls and women build confidence, meet female cybersecurity role models, develop or enhance their skills, and gain experience to add to their resumes.

To further develop women’s careers, Microsoft Philanthropies and Women in Cloud jointly sponsor the Women in Cloud Cybersecurity Scholarship to provide women with structured skills development, certification opportunities, and employability readiness coaching. By 2025, more than 5,100 scholarships will be awarded.

The momentum is due in part to community-wide efforts to increase the number of women and diverse employees in cybersecurity roles. Community organizations like Blacks in Cybersecurity (BIC) and WiCyS play a crucial role in providing pipelines for marginalized groups to enter the cybersecurity field.

AI as an ally in cybersecurity diversity

AI is revolutionizing how we approach cybersecurity, from predictive analytics to automated threat detection. Yet beyond algorithms and data models, there’s an urgent need for human insight. According to a study from Utica University, women with their unique perspective also have strong analytical and problem-solving skills, which are essential for identifying and addressing security threats, and tend to have a more risk-averse approach, which can help to reduce the likelihood of human error in security operations.4 These unique perspectives help to shape our AI for security and help to ensure that AI is inclusive, fair, reliable, and safe, transparent and inclusive. We also believe that creators of AI, as well as its users, must hold themselves to a standard of accountability. And within that context, the possibilities for this exciting technology are limitless.

Happy International Women’s Day! While progress is being made—and opportunities are opening—for women and minorities in cybersecurity, much can still be done to overcome barriers to entry for these groups. Let’s continue to work for more representation in cybersecurity by forging new paths with more allies.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Women to Watch in Cybersecurity, Forbes. October 26, 2022.

2How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce, ISC2. 2023.

3International Women’s Day: Only One-Fifth of Cybersecurity Leadership Roles Filled by Women, IT Security Guru. March 8, 2023.

4Why we need more women in cybersecurity TechBeacon.

The post International Women’s Day: Expanding cybersecurity opportunities in the era of AI appeared first on Microsoft Security Blog.

Categories: Microsoft

Evolving Microsoft Security Development Lifecycle (SDL): How continuous SDL can help you build more secure software

Thu, 03/07/2024 - 12:00pm

The software developers and systems engineers at Microsoft work with large-scale, complex systems, requiring collaboration among diverse and global teams, all while navigating the demands of rapid technological advancement, and today we’re sharing how they’re tackling security challenges in the white paper: “Building the next generation of the Microsoft Security Development Lifecycle (SDL)”, created by pioneers of future software development practices.

Two decades of evolution

It’s been 20 years since we introduced the Microsoft Security Development Lifecycle (SDL)—a set of practices and tools that help developers build more secure software, now used industry-wide. Mirroring the culture of Microsoft to uphold security and born out of the Trustworthy Computing initiative, the aim of SDL was—and still is—to embed security and privacy principles into technology from the start and prevent vulnerabilities from reaching customers’ environments.

In 20 years, the goal of SDL hasn’t changed. But the software development and cybersecurity landscape has—a lot.

With cloud computing, Agile methodologies, and continuous integration/continuous delivery (CI/CD) pipeline automation, software is shipped faster and more frequently. The software supply chain has become more complex and vulnerable to cyberattacks. And new technologies like AI and quantum computing pose new challenges and opportunities for security.

SDL is now a critical pillar of the Microsoft Secure Future Initiative, a multi-year commitment that advances the way we design, build, test, and operate our Microsoft Cloud technology to ensure that we deliver solutions meeting the highest possible standard of security.

Next generation of the Microsoft SDL

Learn how we're tackling security challenges.

Read the white paper Continuous evaluation

Microsoft has been evolving the SDL to what we call “continuous SDL”. In short, Microsoft now measures security state more frequently and throughout the development lifecycle. Why? Because times have changed, products are no longer shipped on an annual or biannual basis. With the cloud and CI/CD practices, services are shipped daily or sometimes multiple times a day.

Data-driven methodology

To achieve scale across Microsoft, we automate measurement with a data-driven methodology when possible. Data is collected from various sources, including code analysis tools like CodeQL. Our compliance engine uses this data to trigger actions when needed.

CodeQL: A static analysis engine used by developers to perform security analysis on code outside of a live environment.

While some SDL controls may never be fully automated, the data-driven methodology helps deliver better security outcomes. In pilot deployments of CodeQL, 92% of action items were addressed and resolved in a timely fashion. We also saw a 77% increase in CodeQL onboarding amongst pilot services.

Transparent, traceable evidence

Software supply chain security has become a top priority due to the rise of high-profile attacks and the increase in dependencies on open-source software. Transparency is particularly important, and Microsoft has pioneered traceability and transparency in the SDL for years. Just as one example, in response to Executive Order 14028, we added a requirement to the SDL to generate software bills of material (SBOMs) for greater transparency.

But we didn’t stop there.

To provide transparency into how fixes happen, we now architect the storage of evidence into our tooling and platforms. Our compliance engine collects and stores data and telemetry as evidence. By doing so, when the engine determines that a compliance requirement has been met, we can point to the data used to make that determination. The output is available through an interconnected “graph”, which links together various signals from developer activity and tooling outputs to create high-fidelity insights. This helps us give customers stronger assurances of our security end-to-end.

Modernized practices

Beyond making the SDL automated, data-driven, and transparent, Microsoft is also focused on modernizing the practices that the SDL is built on to keep up with changing technologies and ensure our products and services are secure by design and by default. In 2023, six new requirements were introduced, six were retired, and 19 received major updates. We’re investing in new threat modeling capabilities, accelerating the adoption of new memory-safe languages, and focusing on securing open-source software and the software supply chain.

We’re committed to providing continued assurance to open-source software security, measuring and monitoring open-source code repositories to ensure vulnerabilities are identified and remediated on a continuous basis. Microsoft is also dedicated to bringing responsible AI into the SDL, incorporating AI into our security tooling to help developers identify and fix vulnerabilities faster. We’ve built new capabilities like the AI Red Team to find and fix vulnerabilities in AI systems.

By introducing modernized practices into the SDL, we can stay ahead of attacker innovation, designing faster defenses that protect against new classes of vulnerabilities.

How can continuous SDL benefit you?

Continuous SDL can help you in several ways:

  • Peace of mind: You can continue to trust that Microsoft products and services are secure by design, by default, and in deployment. Microsoft follows the continuous SDL for software development to continuously evaluate and improve its security posture.
  • Best practices: You can learn from Microsoft’s best practices and tools to apply them to your own software development. Microsoft shares its SDL guidance and resources with the developer community and contributes to open-source security initiatives.
  • Empowerment: You can prepare for the future of security. Microsoft invests in new technologies and capabilities that address emerging threats and opportunities, such as post-quantum cryptography, AI security, and memory-safe languages.
Where can you learn more?

For more details and visual demonstrations on continuous SDL, read the full white paper by SDL pioneers Tony Rice and David Ornstein.

Learn more about the Secure Future Initiative and how Microsoft builds security into everything we design, develop, and deploy.

The post Evolving Microsoft Security Development Lifecycle (SDL): How continuous SDL can help you build more secure software appeared first on Microsoft Security Blog.

Categories: Microsoft

Enhancing protection: Updates on Microsoft’s Secure Future Initiative

Wed, 03/06/2024 - 12:00pm

At Microsoft, we’re continually evolving our cybersecurity strategy to stay ahead of threats targeting our products and customers. As part of our efforts to prioritize transparency and accountability, we’re launching a regular series on milestones and progress of the Secure Future Initiative (SFI)—a multi-year commitment advancing the way we design, build, test, and operate our technology to help ensure that we deliver secure, reliable, and trustworthy products and services, enabling our customers to achieve their digital transformation goals and protect their data and assets from malicious actors. 

Secure Future Initiative

A new world of security.

Learn more

Microsoft’s mission to empower every person and every organization on the planet to achieve more depends on security. We recognize that when Microsoft plays a role in pioneering cutting-edge technology, we also have the responsibility to lead the way in protecting our customers and our own infrastructure from cyberthreats. Against the exponentially increasing pace, scale, and complexity of the security landscape, it’s critical that we evolve to be more dynamic, proactive, and integrated in our security model to continue meeting the changing needs and expectations of our customers and the market. Our rich history in innovation is a testament to our commitment to delivering impactful and trustworthy products and services that that shape industries and transform lives. This legacy continues as we consistently work to set new benchmarks for safeguarding our digital future.

Expanding upon our foundation of built-in security, in November 2023 we launched the Secure Future Initiative (SFI) to directly address the escalating speed, scale, and sophistication of cyberattacks we’re witnessing today. This initiative is an anticipatory strategy reflecting the actions we are taking to “build better and respond better” in security, using automation and AI to scale this work, and strengthen identity protection against highly sophisticated cyberattacks. It’s not about tailoring our defenses to a single cyberattack: SFI underscores the importance of a continually and proactively evolving security model that adapts to the ever-changing digital landscape.

Four months have passed since we introduced SFI, and the achievements in our engineering developments demonstrate the concrete actions we’ve implemented to make sure that Microsoft’s security infrastructure stays strong in a constantly changing digital environment.  Read more below for updates on the initiative.

Transforming software development with automation and AI

As noted in our November 2, 2023 SFI announcement, we’re evolving our security development lifecycle (SDL) to continuous SDL—which we define as applying systematic processes to continuously integrate cybersecurity protection against emerging threat patterns as our engineers code, test, deploy, and operate our systems and service. Read more about continuous SDL here.

As part of our evolution to continuous SDL, we’re deploying CodeQL for code analysis to 100% of our commercial products. CodeQL is a powerful static analysis tool in the software security space. It offers advanced capabilities across numerous programming languages that detect complex security mistakes within source code. While our code repos go through rigorous SDL assessment leveraging traditional tooling, as part of our SFI work we now use CodeQL to cover 86% of our Azure DevOps code repositories from our commercial businesses in our Cloud and AI, enterprise and devices, security and strategic missions, and technology groups. We are expanding this further and anticipate that completing the consolidation process of the last 14% will be a complex, multi-year journey due to specific code repositories and engineering tools requiring additional work. In 2023, we onboarded more than one billion lines of source code to CodeQL, which highlights our commitment toward progress.

As part of efforts to broaden adoption of memory safe languages, we donated USD1 million in December 2023 to the Rust Foundation, an integral partner in stewarding the Rust programming language. Additionally, we’re providing an additional USD3.2 million to the Alpha-Omega project. In partnership with the Open Source Security Foundation (OpenSSF) and co-led with Google and Amazon, Alpha-Omega’s mission is to catalyze security improvements to the most widely deployed open source software projects and ecosystems critical to global infrastructure. Our contribution this year will help expand coverage, more than doubling the number of widely deployed open source projects we analyze, including 100 of the most commonly used open source AI libraries. The Alpha-Omega 2023 Annual Report highlights security and process improvements from last year and strides toward fostering a sustainable culture of security within open source communities.  

Together, our SFI-driven advances in expanding continuous SDL, fostering secure open source updates, and adopting memory safe languages strengthen the foundation of software throughout Microsoft’s own products and platforms, as well as the wider industry.

Strengthening identity protection against highly sophisticated attacks

As part of our SFI engineering advances, we’re enforcing the use of standard identity libraries such as the Microsoft Authentication Library (MSAL) enterprise-wide across Microsoft. This initiative is pivotal in achieving a cohesive and reliable identity verification framework. It facilitates seamless, policy-compliant management of user, device, and service identities across all Microsoft platforms and products, ensuring a fortified and consistent security posture.

Our efforts have already seen noteworthy achievements in several key areas. We’ve reached a major milestone with full integration of MSAL into Microsoft 365 across all four major platforms: Windows, macOS, iOS, and Android marking a significant advancement toward universal standardization. This integration ensures that Microsoft 365 applications are underpinned by a unified authentication mechanism. In the Azure ecosystem, encompassing critical tools such as Microsoft Visual Studio, Azure SDK, and Microsoft Azure CLI, MSAL has been fully adopted, underscoring our commitment to secure and streamlined authentication processes within our development tools. Furthermore, over 99% of internal service-to-service authentication requests, using Microsoft Entra for authorization, now utilize MSAL, highlighting our dedication to boosting security and efficiency in inter-service communications. Ultimately, these milestones further harden identity and authorization across our vast estate, making it increasingly difficult for threats and intruders to move between users and systems.

Looking ahead, we’re setting ambitious objectives to further bolster our security infrastructure. By the end of this year, we aim to fully automate the management of Microsoft Entra ID and Microsoft Account (MSA) keys. This process will include rapid rotation and secure storage of keys within Hardware Security Modules (HSMs), significantly enhancing our security measures. Additionally, we’re on track to ensure that Microsoft’s most widely used applications transition to standard identity libraries by the end of the year. Through these collective efforts we aim to not only enhance security but also improve the user experience and streamline authentication processes across our product suite.

Stay up to date on the latest Secure Future Initiative updates

As we forge ahead with the SFI, Microsoft remains unwavering in its commitment to continuously evolve our security posture and provide transparency in our communications. We’re dedicated to innovating, protecting, and leading in an era where digital threats are constantly changing. The progress we’ve shared today is only a fraction of our comprehensive strategy to safeguard the digital infrastructure and our customers who rely on it.

In the coming months, we will continue to share our progress on enhancing our capabilities, deploying innovative technologies, and strengthening our collaborations to address the complexities of cybersecurity. We’re committed to building a safer, more resilient digital world, with a focus on transparency and safety in every step.

To learn more  about the Microsoft SFI and read more details on our three engineering advances, visit our built-in security site.

Learn more about Microsoft Security solutions and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Enhancing protection: Updates on Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog.

Categories: Microsoft

​​Secure SaaS applications with Valence Security and Microsoft Security​​

Tue, 03/05/2024 - 12:00pm

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.  

Software as a service (SaaS) adoption has accelerated at a lightning speed, enabling collaboration, automation, and innovation for businesses large and small across every industry vertical—from government, education, financial service to tech companies. Every SaaS application is now expanding its offering to allow better integration with the enterprise ecosystem and advanced collaboration features, becoming more of a “platform” than an “application.” To further complicate the security landscape, business users are managing these SaaS applications with little to no security oversight, creating a decentralized administration model. All this is leading to a growing risk surface with complex misconfigurations that can expose organization’s identities, sensitive data, and business processes to malicious actors. 

To combat this challenge, Valence and Microsoft Security work together to ensure that SaaS applications are configured according to the best security practices and improve the security posture of identities configured in each individual SaaS application. Together, Valence and Microsoft:  

  • Centrally manage SaaS identities permissions and access.
  • Enforce strong authentication by ensuring proper MFA (multi-factor authentication) and SSO (single sign-on) enrollment and managing local SaaS users.
  • Detect and revoke unauthorized non-human SaaS identities such as APIs, service accounts, and tokens.
  • Incorporate SaaS threat detection capabilities to improve SaaS incident response.

As most of the sensitive corporate data shifted from on-prem devices to the cloud, security teams need to ensure they manage the risks of how this data is being accessed and managed. Integrating Valence’s SaaS Security with the Microsoft Security ecosystem now provides a winning solution. 

SaaS applications are prime targets  

Recent high profile breaches have shown that attackers are targeting SaaS applications and are leveraging misconfigurations and human errors to gain high privilege access to sensitive applications and data. While many organizations have implemented SSO and MFA as their main line of defense when it comes to SaaS, recent major breaches have proven otherwise. Attackers have identified that MFA fatigue, social engineering and targeting the SaaS providers themselves can bypass many of the existing mechanisms that security teams have put in place. These add to high-profile breaches where attackers leveraged legitimate third-party open authorization (OAuth) tokens to gain unauthorized access to SaaS applications, and many more attack examples. 

State of SaaS security risks 

According to our 2023 SaaS Security Report which analyzed real SaaS environments to measure their security posture before they implemented an effective SaaS security program. The results showed that every organization didn’t enforce MFA on 100% of their identities—there are some exceptions, such as service accounts, contractors, and shared accounts, or simply lack of effective monitoring of drift. In addition, one out of eight SaaS accounts are dormant and not actively used. Offboarding users is not only important to save costs, but attackers also like to target these accounts for account takeover attacks since they are typically less monitored. Other key stats were that 90% of externally shared files haven’t been used by external collaborators for at least 90 days and that every organization has granted multiple third-party vendors organization-wide access to their emails, files, and calendars. 

Figure 1. Top SaaS Security gaps identified in the 2023 State of SaaS Security Report.

Holistic SaaS security strategy 

Establishing a holistic SaaS security strategy requires to bring together many elements—from shadow SaaS discovery, through strong authentication, identity management of both humans and non-humans, managing and remediating SaaS misconfigurations, enforcing data leakage prevention policies, and finally, establishing scalable incident response. Valence and Microsoft take security teams one step further toward a more holistic approach. 

Valence joined the Microsoft Intelligence Security Association (MISA) and integrated with Microsoft security products—Microsoft Entra ID and ​​​​Microsoft Sentinel—to enhance customers’ capabilities to manage their SaaS risks, effectively remediate them, and respond to SaaS breaches. The Valence SaaS Security Platform provides insight and context on SaaS risks such as misconfigurations, identities, data shares, and SaaS-to-SaaS integrations. Extending existing controls with SaaS Security Posture Management (SSPM) capabilities and SaaS risk remediation capabilities. Valence is also a proud participant of the Partner Private Preview of Microsoft Copilot for Security. This involves working with Microsoft product teams to help shape Copilot for Security product development in several ways, including validation and refinement of new and upcoming scenarios, providing feedback on product development and operations to be incorporated into future product releases, and validation and feedback of APIs to assist with Copilot for Security’s extensibility. 

Figure 2. Illustrative data: The Valence Platform provides a single pane of glass to find and fix SaaS risk across four core use cases: data protection, SaaS to SaaS governance, identity security, and configuration management. 

Secure SaaS human and non-human identities

In the modern identity-first environment, most attackers focus on targeting high privilege users, dormant accounts, and other risks. Enforcing zero trust access has become a core strategy for many security teams. Security teams need to identify all the identities they need to secure. Microsoft Entra SSO management combined with Valence’s SaaS application monitoring—to detect accounts created—provides a holistic view into human identities and non-human (Enterprise Applications, service accounts, APIs, OAuth and 3rd party apps).  

Microsoft Entra ID centrally enforces strong authentication such as MFA and Valence discovers enforcement gaps or users that are not managed by the central SSO. Valence also monitors the SaaS applications themselves to discover the privileges granted to each identity and provides recommendations on how to enforce least privilege with minimal administrative access. To continuously validate verification based on risks, the final piece of zero trust strategy, Valence leverages the risky users and service principals signals from Microsoft Entra ID and combines them with signals from other SaaS applications for a holistic view into identity risks. 

Protect SaaS applications 

Microsoft has a wide SaaS offering that is fueling enterprise innovation. These services are central to core business functions and employee collaboration, cover many use cases, and are spread across multiple business units, but are tied together in many cases such as identity and access management, and therefore their security posture is often related as well. Managing the security posture of SaaS services can be complex because of the multiple configurations and the potential cross service effects that require security teams to build their expertise across a wide range of SaaS.  

Many security teams view SaaS apps as part of their more holistic view into SaaS security posture management and would like to create cross-SaaS security policies and enforce them. Valence’s platform integrates with Microsoft Entra ID and other SaaS services using Microsoft via Microsoft Graph to normalize the complex data sets and enable security teams to closely monitor the security posture of their SaaS applications in Microsoft alongside the rest of their SaaS environment. 

Enhance SaaS threat detection and incident response 

Improving SaaS security posture proactively reduces the chances of a breach, but unfortunately SaaS breaches can still occur, and organizations need to prepare their threat detection coverage and incident response plans. The built in human and non-human identity threat detection capabilities of Microsoft Entra ID, combined with Microsoft Sentinel log correlation and security automation, and Microsoft Copilot for Security’s advanced AI capabilities, create a powerful combination to detect and respond to threats. Valence expands existing detections from compromised endpoint and identity with important SaaS context—for example, did the compromise device belong to a SaaS admin user? Did the compromised identity perform suspicious activities in other SaaS applications? The expanded detections provide critical insights to prioritize and assess the blast radius of breaches. Additionally, Valence’s SaaS threat detection can trigger threat detection workflows in Microsoft products based on its unique indicator of compromise monitoring. 

Together, Valence and Microsoft combine the best of all worlds when it comes to SaaS security. From SaaS discovery, through SaaS security posture management, remediating risks, and detecting threats—Valence and Microsoft enable secure adoption of SaaS applications. Modern SaaS risks and security challenges require a holistic view into SaaS risk management and remediation. Get started today

About Valence Security 

Valence is a leading SaaS security company that combines SSPM and advanced remediation with business user collaboration to find and fix SaaS security risks. SaaS applications are becoming decentrally managed and more complex, which is introducing misconfiguration, identity, data, and SaaS-to-SaaS integration risks. The Valence SaaS Security Platform provides visibility and remediation capabilities for business-critical SaaS applications. With Valence, security teams can empower their business to securely adopt SaaS. Valence is backed by leading cybersecurity investors like Microsoft’s M12 and YL Ventures, and is trusted by leading organizations. Valence is available for purchase through Azure Marketplace. For more information, visit their website

Be among the first to hear about new products, capabilities, and offerings at Microsoft Secure digital event on March 13, 2024.​ Learn from industry luminaries and influencers. Register today.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products. 

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post ​​Secure SaaS applications with Valence Security and Microsoft Security​​ appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft Secure: Learn expert AI strategy at our online event

Mon, 03/04/2024 - 1:00pm

As the most influential technology of our lifetime, AI has the power to reshape how organizations secure their environments. AI’s impact on cybersecurity and the efforts of Microsoft to bring generative AI to organizations worldwide will be a major topic at the Microsoft Secure digital event on March 13, 2024 from 9:00 AM-1:00 AM PT. Register today to secure your spot so you can be among the first to hear the latest Microsoft Security technology innovations designed to empower cybersecurity teams. 

Microsoft Secure is a two-hour digital showcase that will focus on product announcements and immediate use cases for new capabilities. Join thousands of other cybersecurity professionals inspired by AI’s promise and eager to gain product knowledge for an advantage over bad actors.  

Watch the video for details from Microsoft Security’s Vice President, Security Marketing, Alym Rayani, on how Microsoft Secure will empower you and your cybersecurity efforts. 

Here’s a sneak preview of what you can expect at the event. 

A keynote with AI product updates across the Microsoft Security portfolio  

At Microsoft, we understand what is required to create and operate AI applications securely at scale. We understand the opportunity we have to empower everyone to develop AI that is safe and reliable. That’s why we are committed to putting secure and responsible AI solutions in the hands of security professionals everywhere—AI is transforming security. 

Hear all about our latest features and capabilities at the Microsoft Secure welcome keynote by Vasu Jakkal, Corporate Vice President, Microsoft Security Business, and Charlie Bell, Executive Vice President, Microsoft Security, along with other product leaders. They will share product innovations across the Microsoft Security portfolio and the advantages that help you address the changing threat landscape:   

  • AI for security: We’ll share exciting news about Microsoft Copilot for Security, learnings from our early access program, new features, and new ways to try the solution. Copilot for Security puts generative AI in the hands of security and IT professionals to help them supercharge their skills, collaborate more, see more, and respond faster—all informed by threat intelligence.  
  • Securing and governing AI: Explore how the features of Microsoft Purview, Microsoft Defender, and Microsoft Entra make it easier to secure and govern AI. Across the Microsoft Security portfolio, we are innovating rapidly to give our customers a new category of critical tools for securing AI that deliver greater visibility, control, and governance as you embrace generative AI.  
  • Expanded end-to-end security: Gain broad visibility and control for your digital estate with and protect your environment from every angle, across security, compliance, identity, device management, and privacy. We integrate more than 50 categories within six product families to form one end-to-end Microsoft Security solution. These product families work together, each powering the next with more context and integrated controls.
Real-world Microsoft Security applications from a customer

Don’t miss a conversation with Dow Chief Information Security Officer (CISO), Mario Ferket, on his experience using the Microsoft Security portfolio, hosted by Irina Nechaeva, General Manager, Product Marketing, Identity, and Access. Hear real-world applications from a leader at a manufacturing company on how they are leveraging AI to defend their enterprise.

Demos to practically inform your cybersecurity strategy 

After the keynote and customer story, our product experts will host three informative demo sessions to offer deeper understanding of the latest cybersecurity innovations from Microsoft.  

  • 9:30-10 AM PT: Microsoft Copilot for Security: Tailoring defense with AI—Principal Product Manager, Brandon Dixon, and Senior Director, Microsoft Security Business, Scott Woodgate, will show you Copilot for Security in action and share how to initiate Copilot and use customizable features to fit your security needs.  
  • 10-10:30 AM PT: Secure and govern AI to enable responsible adoption—Principal Product Manager, Neta Haiby, and General Manager of Data Security, Compliance, and Privacy, Herain Oberoi, will offer guidance on how to leverage built-in security and compliance controls to secure and govern your AI stack. They’ll address AI adoption challenges we see in the market such as preventing oversharing, data leaks, and misuse.   
  • 10:30-11 AM PT: Stay ahead of threats with proactive posture management—Alym Rayani, Vice President, Security Marketing, and Tomer Teller, Group Project Manager for Exposure Management, will explore how to detect, disrupt, and prevent threats in near real time with Microsoft Exposure Management solutions. Stopping cyberattacks at machine speed is crucial, but prevention is even more powerful. 
Register for Microsoft Secure today 

Register to watch the live Microsoft Secure digital event. If you can’t join us live, watch on-demand content after March 13, 2024​.  

For a more technical deep-dive into Microsoft Secure announcements, mark your calendar on April 3, 2024 for the Microsoft Secure Tech Accelerator to get live demos of how Microsoft Security products help secure your AI, and ask our product team questions.

And if you’re attending RSA Conference 2024 in San Francisco, join us for Microsoft Pre-Day, on May 5, 2024, to connect with our product experts in-person and be the first to hear even more announcements from Microsoft Security. ​ 

See you at Microsoft Secure!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Microsoft Secure: Learn expert AI strategy at our online event appeared first on Microsoft Security Blog.

Categories: Microsoft

Defend against human-operated ransomware attacks with Microsoft Copilot for Security​​

Mon, 03/04/2024 - 12:00pm

Organizations everywhere are seeing an increase in human-operated ransomware threats, with Microsoft’s own telemetry showing a 200% increase in threats since September 2022.1 When an entire organization is attacked, they need every advantage they can get to protect against skilled, coordinated cyber threats. The availability of Microsoft Copilot for Security, brings SecOps teams a new tool with the power of generative AI to help outpace and outsmart threat actors. In the following demonstration videos, we take a detailed, step-by-step look at how it can help surface, contain, and mitigate a human-operated ransomware attack. 

Microsoft Copilot for Security

Powerful new capabilities, new integrations, and industry-leading generative AI.

Learn more The power of Microsoft Defender XDR with Microsoft Copilot for Security  

Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email applications, and the cloud to provide integrated protection against sophisticated ransomware threats. In this series of demonstration videos, we share real-world scenarios where Copilot is helping SecOps teams navigate threat detection, investigation, and managed response. To begin, we look at a situation where a human-operated ransomware attack has just taken place. The incident started with suspicious activity on two devices, where a credential theft tool was detected and stopped by automatic attack disruption within Microsoft Defender XDR. 

Watch the video: (Humor) Human Operate Ransomware 

Respond at the speed and scale of AI   

Bad actors can move through a system with damaging speed. And with the ever-increasing frequency and sophistication of attacks—paired with the ongoing shortage of security talent—it can be difficult for leaders to staff security teams completely. When every second counts—like during an active ransomware incident—Copilot for Security brings together critical context so security professionals can share clear, concise, and comprehensive summaries of active incidents—giving affected parties a deep understanding of the situation, even when an incident happens after business hours. With the power of AI, Copilot is helping analysts write up these incident narratives 90% faster than in the past.2  

Endpoint Security

Learn more 

In the case of this human-operated ransomware incident, Microsoft Defender for Endpoints had the first alert, detecting possible human operated malicious activity on a device. Many complex and sophisticated attacks like ransomware use scripts and tools like PowerShell and Mimikatz to access and manipulate files, tamper with system recovery settings, and delete file backups. In this incident, attackers also attempted to access Primary Refresh Tokens (PRT) and used Windows Sysinternals tools for evasion. But with line-by-line script examination in Copilot, security analysts could immediately understand what each section of code does, to quickly identify a script as malicious or benign. This Copilot capability directly helps junior security analysts “upskill” their expertise by learning the context behind the code.    

Gain critical incident context  

When faced with a complex attack, Copilot for Security can help analysts understand what’s happening quickly, so they can protect and defend their organization at machine speed and scale. In an examination of the same ransomware incident, our next demonstration video shows how the Copilot incident summary focused in on a PowerShell script, leading analysts to a critical piece of the incident puzzle.  

Watch the video: Defender Embed to Standalone Copilot  

 Without enough time and without PowerShell expertise, it could be difficult for a security analyst to fully understand the ramifications of an attack like this. But this is where Copilot can help—it quickly analyzes the PowerShell script, providing a plain English explanation of key steps within it. This helps analysts gain a full understanding of the incident and prioritize the containment and mitigation work that matters most. Copilot also works with Microsoft Defender Threat Intelligence to investigate the script hosting, determine it’s malicious and share evidence connecting the script to a known threat actor. Moving from Microsoft Defender to the stand alone Copilot experience allows analysts to connect to Microsoft Sentinel and Microsoft Intune, surfacing a key piece of information in this serious incident—a device that was noncompliant with current security policies, missing a key compliance update that may have prevented this attack. In just a few minutes, Copilot surfaced the right information to provide remediation steps and advance organizational understanding to proactively prepare for (and hopefully prevent) future attacks.   

Augment critical expertise and upskill analysts 

In our last demonstration video, we look at how security teams can utilize Copilot to stretch their skill sets, understand incidents more completely, and gain an extra hand when resources are hard to come by. 

Watch the video: User account research

Copilot for Security enables junior security analysts to complete more complex tasks with skills like natural language to Kusto Query Language translation and malicious script analysis. In this ransomware incident, analysts used Copilot to generate a PowerShell script to validate the configuration of all affected systems. By then looking at a compromised device, analysts learn the source of the compromise and discover the device wasn’t compliant because it was mis-grouped when it was first assigned. With this information and more, surfaced and organized at the speed of AI by Copilot, analysts now have a more complete understanding of how the ransomware attack happened and how it can be prevented in the future. When a single ransomware incident can turn any organization upside down, security analysts can lean on Copilot for global threat intelligence, industry best practices, and tailored insights to outpace and outsmart adversaries. 

Learn more 

Join us online at Microsoft Secure on March 13, 2024, to discover new ways to try Microsoft Copilot for Security. Experience world-class threat intelligence, end-to-end protection, and industry-leading, responsible AI through hands-on demos. And register now for our three-part webinar series “Intro to Microsoft Copilot for Security.” The first of three webinars takes place on March 19th on the basics of generative AI, followed by the second webinar on March 26th about how to get started with Copilot for Security. And lastly, the third webinar will take place on April 2nd and delves into Copilot for Security best practices. 

Learn more about how Microsoft Copilot for Security can help your team protect at the speed and scale of AI. And for more helpful tips and information, view the Copilot for Security Playlist on the Microsoft Security Channel on YouTube.  

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

1Microsoft Digital Defense Report 2023 (MDDR) | Microsoft Security Insider

2 Randomized Controlled Trial for Microsoft Security Copilot, Benjamin G. Edelman, James Bono, Sida Peng, Roberto Rodriguez, Sandra Ho. November 29, 2023.

The post Defend against human-operated ransomware attacks with Microsoft Copilot for Security​​ appeared first on Microsoft Security Blog.

Categories: Microsoft