Author Archives: Todd VanderArk

One simple action you can take to prevent 99.9 percent of attacks on your accounts

There are over 300 million fraudulent sign-in attempts to our cloud services every day. Cyberattacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology. All it takes is one compromised credential or one legacy application to cause a data breach. This underscores how critical it is to ensure password security and strong authentication. Read on to learn about common vulnerabilities and the single action you can take to protect your accounts from attacks.

Infographic: 4,000 daily ransomware attacks; 300,000,000 fraudulent sign-in attempts; 167,000,000 daily malware attacks; 81% of breaches are caused by credential theft; 73% of passwords are duplicates; 50% of employees use apps that aren't approved by the enterprise; 99.9% of attacks can be blocked with multi-factor authentication.

Common vulnerabilities

In a recent paper from the SANS Software Security Institute, the most common vulnerabilities include:

  • Business email compromise, where an attacker gains access to a corporate email account, such as through phishing or spoofing, and uses it to exploit the system and steal money. Accounts that are protected with only a password are easy targets.
  • Legacy protocols can create a major vulnerability because applications that use basic authentication over older protocols, such as SMTP, IMAP, or POP3, send only a username and password and were never designed to carry a second factor. So even if you require MFA for most use cases, attackers will look for outdated browsers or email clients that let them fall back to these less secure protocols, where the password alone is enough.
  • Password reuse, where password spray and credential stuffing attacks come into play. Common passwords and credentials compromised by attackers in public breaches are used against corporate accounts to try to gain access. Considering that up to 73 percent of passwords are duplicates, this has been a successful strategy for many attackers and it’s easy to do.
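As an added example (not from the original post), here is a small Python detector that runs over constructed sign-in log lines and surfaces both of the patterns above: a password spray, where one source fails against many distinct accounts with only a few attempts each, and successful sign-ins over legacy protocols where a guessed password alone was enough. The log format, the field names, the thresholds and the set of legacy protocol labels are assumptions chosen for the illustration; map them onto your own sign-in log export.

```python
"""Detect password-spray sources and successful legacy-protocol sign-ins.

Added example, not code from the original post. The CSV-like log format,
the field names, the thresholds and the LEGACY_PROTOCOLS set are all
assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Client protocols that carry only a username and password, so a second
# factor can never be enforced on them (the "legacy authentication" problem).
LEGACY_PROTOCOLS = {"SMTP", "IMAP", "POP3", "Exchange ActiveSync"}

# Constructed sample log: timestamp, user, source IP, client protocol, result.
SAMPLE_LOG = """\
2019-08-20T09:00:01, alice@contoso.example, 203.0.113.7, IMAP, FAILURE
2019-08-20T09:00:03, bob@contoso.example, 203.0.113.7, IMAP, FAILURE
2019-08-20T09:00:05, carol@contoso.example, 203.0.113.7, IMAP, FAILURE
2019-08-20T09:00:07, dave@contoso.example, 203.0.113.7, IMAP, FAILURE
2019-08-20T09:00:09, erin@contoso.example, 203.0.113.7, IMAP, FAILURE
2019-08-20T09:00:11, frank@contoso.example, 203.0.113.7, IMAP, FAILURE
2019-08-20T09:00:13, frank@contoso.example, 203.0.113.7, IMAP, SUCCESS
2019-08-20T09:10:00, grace@contoso.example, 198.51.100.9, Browser, FAILURE
2019-08-20T09:10:20, grace@contoso.example, 198.51.100.9, Browser, FAILURE
2019-08-20T09:10:40, grace@contoso.example, 198.51.100.9, Browser, SUCCESS
2019-08-20T09:30:00, heidi@contoso.example, 192.0.2.44, Browser, SUCCESS
"""


def parse_log(text):
    """Turn the CSV-like lines into dicts with a real datetime."""
    records = []
    for line in text.strip().splitlines():
        ts, user, ip, proto, result = [f.strip() for f in line.split(",")]
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ip, "proto": proto, "result": result})
    return records


def find_password_spray(records, window=timedelta(hours=1),
                        min_users=5, max_per_user=3):
    """Return {source_ip: sorted list of targeted users} for spray sources.

    A spray is many distinct accounts with few failures each from one source
    inside the window. A classic brute force (many failures, one account) is
    deliberately not matched so the two can be alerted on separately.
    """
    failures_by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "FAILURE":
            failures_by_ip[r["ip"]].append(r)

    sprays = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for r in fails[start:end + 1]:
                per_user[r["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprays[ip] = sorted({r["user"] for r in fails})
                break
    return sprays


def find_legacy_auth_success(records):
    """Successful sign-ins over protocols that cannot carry MFA."""
    return [(r["user"], r["proto"], r["ip"]) for r in records
            if r["result"] == "SUCCESS" and r["proto"] in LEGACY_PROTOCOLS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, users in find_password_spray(recs).items():
        print(f"password spray from {ip} against {len(users)} accounts")
    for user, proto, ip in find_legacy_auth_success(recs):
        print(f"legacy-protocol sign-in: {user} via {proto} from {ip}")
```

On the constructed log the spray source is 203.0.113.7 (six accounts, one failure each over IMAP) and the one legacy-protocol success is the account it eventually guessed; the three failures for a single user from 198.51.100.9 are not reported as a spray. In production the interesting join is the second list against the first: a legacy-protocol success from a source that was just spraying is the credential-stuffing outcome the post describes, and MFA would not have stopped it because IMAP cannot carry a second factor.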

What you can do to protect your company

You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing. However, one of the best things you can do is to just turn on MFA. By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access. To learn more, read Your Pa$$word doesn’t matter.

MFA is easier than you think

According to the SANS Software Security Institute there are two primary obstacles to adopting MFA implementations today:

  1. Misconception that MFA requires external hardware devices.
  2. Concern about potential user disruption or concern over what may break.

Matt Bromiley, SANS Digital Forensics and Incident Response instructor, says, “It doesn’t have to be an all-or-nothing approach. There are different approaches your organization could use to limit the disruption while moving to a more advanced state of authentication.” These include a role-based or by application approach—starting with a small group and expanding from there. Bret Arsenault shares his advice on transitioning to a passwordless model in Preparing your enterprise to eliminate passwords.

Take a leap and go passwordless

Industry protocols such as WebAuthn and CTAP2, ratified in 2018, have made it possible to remove passwords from the equation altogether. These standards, collectively known as the FIDO2 standard, use public-key credentials: the private key never leaves the authenticator, and each credential is bound to the site it was registered with, so a phished or replayed response is useless anywhere else. The use of biometrics has become more mainstream, popularized on mobile devices and laptops, so it’s a familiar technology for many users and one that is often preferred to passwords anyway. Passwordless authentication technologies are not only more convenient for people but are extremely difficult and costly for attackers to compromise. Learn more about Microsoft passwordless authentication solutions in a variety of form factors to meet user needs.

Convince your boss

Download the SANS white paper Bye Bye Passwords: New Ways to Authenticate to read more on guidance for companies ready to take the next step to better protect their environments from password risk. Remember, talk is easy, action gets results!

The post One simple action you can take to prevent 99.9 percent of attacks on your accounts appeared first on Microsoft Security.

Protect against BlueKeep

Worms are the cause of many cyber headaches. They replicate themselves without any user interaction to spread malware to other computers in your network. As the field responders providing Microsoft enterprise customers with onsite assistance for serious cybersecurity threats, our Detection and Response Team (DART) has seen quite a few worms. If you’ve met the DART Team, then you know your worms are our concern, and that’s why we keep an eye out for BlueKeep.

Protect against BlueKeep

This summer, the DART team has been preparing for CVE-2019-0708, colloquially known as BlueKeep, and has some advice on how you can protect your network. The BlueKeep vulnerability is “wormable,” meaning it creates the risk of a large-scale outbreak due to its ability to replicate and propagate, similar to Conficker and WannaCry. Conficker has been widely estimated to have impacted 10- to 12-million computer systems worldwide. WannaCry was responsible for approximately $300 million in damages at just one global enterprise.

To protect against BlueKeep, we strongly recommend you apply the Windows Update, which includes a patch for the vulnerability. If you use Remote Desktop in your environment, it’s very important to apply all the updates. If you have Remote Desktop Protocol (RDP) listening on the internet, we also strongly encourage you to move the RDP listener behind an additional layer of authentication, such as a VPN, an SSL/TLS tunnel, or a Remote Desktop Gateway, so that the RDP service itself is no longer reachable directly from the internet.

You also want to enable Network Level Authentication (NLA), which is a mitigation that prevents unauthenticated access to the RDP session setup. NLA forces users to authenticate (via CredSSP) before a session is established, so the vulnerable pre-authentication code path is never reached by an anonymous client, which dramatically decreases the chance of success for RDP-based worms. Note that NLA is a mitigation, not a fix: an attacker who already holds valid credentials for the host can pass NLA and still trigger the vulnerability on an unpatched system. The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP.

If you’re already aware of the BlueKeep remediation methods, but are thinking about testing it before going live, we recommend that you deploy the patch. It’s important to note that the exploit code is now publicly and widely available to everyone, including malicious actors. By exploiting a vulnerable RDP system, attackers will also have access to all user credentials used on the RDP system.

Why the urgency?

Via open source telemetry, we see more than 400,000 endpoints lacking any form of network level authentication, which puts each of these systems potentially at risk from a worm-based weaponization of the BlueKeep vulnerability.

The timeline between patch release and the appearance of a worm outbreak is difficult to predict and varies from case to case. As always, the DART team is ready for the worst-case scenario. We also want to help our customers be prepared, so we’re sharing a few previous worms and the timeline from patch to attack. Hopefully, this will encourage everyone to patch immediately.

Chart: time from patch release to worm outbreak.

  Vulnerability    Patch release       Outbreak
  MS08-067         October 23, 2008    late December 2008 (Conficker)
  MS17-010         March 14, 2017      May 12, 2017 (WannaCry)
  CVE-2019-0708    May 13, 2019        ???

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

This document is for informational purposes only and Microsoft makes no warranties, express or implied, in this blog.

The post Protect against BlueKeep appeared first on Microsoft Security.

CISO series: Better cybersecurity requires a diverse and inclusive approach to AI and machine learning

Artificial Intelligence (AI) and machine learning have created lots of buzz with vendors. Being cast as the superheroes of technology is great for getting attention. But even Superman and Supergirl had their kryptonite.* Could the lack of diversity and inclusiveness in the design teams and data types weaken these two superhero technologies, like kryptonite weakened our friends from Krypton? Now is the time to shine a spotlight on problems that arise from the lack of inclusiveness and diversity in these areas to make sure that we are not automating existing biases in data or design.

Lack of diversity and inclusivity hurts products, profits, and people

Discrimination and non-inclusiveness in product development can be harmful—and dangerous—to those who suffer its consequences. Car airbags serve as a poignant example. Designed to save the lives of an average-sized male, airbags were deadly for children and petite women. Even the crash-test dummies the industry used until 2012 were average-man-sized, so it was impossible to test airbag safety for broader populations.

When workforces are not diverse and inclusive, problems stemming from various types of bias may occur. For example, women might not get a fair shot at a position because hiring standards have been set to match the pool of traits exhibited by current employees—who are predominately men.

Datasets can be at fault, as well, especially when populations are skewed because of social issues or the biases of system designers. Take the case of raw data used to predict criminality. Since the current justice system is biased against African Americans, who are incarcerated at a rate which is five times that of Caucasians, the dataset will be biased, too.

A diverse and inclusive team is a more productive team

AI and machine learning require a collaborative, inclusive approach that is ethical and respectful of the values each employee brings to the table. But diversity and inclusiveness are not only about ethnicity, gender, and gender-orientation. It’s also about a diversity of viewpoints and ways of examining issues and problem solving.

Lack of team diversity can hurt productivity. Homogenous teams may outperform diverse teams initially, but over time, the productivity of diverse teams increases. This is due, in part, to the strength gained from a variety of perspectives brought to the problem-solving process.

For example: A lawyer brings a unique awareness and mindset to problem-solving that differs from the mindset of privacy experts, mathematicians, data scientists, ethicists, and more. These different viewpoints and skillsets create stronger solutions and practices. Furthermore, diverse viewpoints ensure that the values of fairness, reliability, safety, security, privacy, inclusiveness, transparency, and accountability are included in any data model.

Be aware that if diversity comes in many forms, bias does as well. Companies should work hard to remove biases based on culture, geography, income bracket, educational background, and ageism in addition to those already mentioned.

How does this connect to better cybersecurity?

In creating resilient models that better detect and respond to cybersecurity issues, the greater the team diversity, the greater the resilience to attack and perturbation the models may be. Potentially, these more diverse models will provide us with a greater variety of insights and tools as well.

We’re already seeing that diversity in teams creates diversity in AI and machine learning models, which in turn increases the speed and precision of detection. For example, as part of the Microsoft Threat Protection solution using machine learning, Emotet was detected and blocked in milliseconds.

Since cybercriminals are varied in background and skillset, there is no one type of cyberattack we can defend against and no single machine learning model to find and stop all cyberattacks. But by working with diverse and inclusive design teams and using diverse, layered machine learning models, we’re increasing our ability to find and stop attacks quickly.

If you want more resilient cybersecurity, looking to a superhero isn’t really an option. Instead, rely on the diversity of the cyberheroes you hire and put the power of inclusivity to work for you.

I encourage you to read the report in this companion book, Microsoft: The Future Computed—the first of a series to explore AI, the future of the workforce, ethics, and policies related to individual industries. Also, read more of our CISO series blogs.

*Superman and Supergirl are characters owned by DC Comics, Inc.

The post CISO series: Better cybersecurity requires a diverse and inclusive approach to AI and machine learning appeared first on Microsoft Security.

Council of EU Law Enforcement Protocol improves cross-border cooperation

Last March, the Council of the European Union announced the new EU Law Enforcement Emergency Response Protocol to address the growing problem of planning and coordinating between governments, agencies, and companies when cyberattacks occur across international boundaries. Remember well-known incidents such as NotPetya and WannaCry? They’re good examples of how cyberattacks can simultaneously impact organizations and other entities in two or more countries. This especially applies to multinational corporations since they have footprints in multiple jurisdictions.

In reading through the Protocol, a few key items are worth noting:

  • There’s a focus on process—It’s so good to see them focusing on process (and not only on technology). Too many regulations and rulesets talk about technology as if it’s the sole solution to all problems. To truly resolve cybersecurity attacks and to mitigate downstream implications quickly, it takes the combination of technology + people + process.
  • Operational Technology (OT) systems and risks need more attention—For many years, OT systems have been increasingly attacked by adversaries. While the focus on IT in the Protocol is logical, the omission of OT factors keeps it from being an even stronger and more robust document. The Protocol’s own wording shows its IT-only scope: “…to establish the criminal nature of the attack, it’s fundamental that the first responders perform all required measures … to preserve the electronic evidence that could be found within the IT systems affected by the attack, which are essential for any criminal investigation or judicial procedure.” This omission of OT systems is all the more confusing when the website announcing the Protocol states that, “The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable.”
  • Operational alignment is well-executed—Praise is deserved for the outstanding effort to coordinate multi-stakeholder processes using existing resources and teams. For instance, a partial list of the entities working on these issues in Europe includes Europol’s European Cybercrime Centre (EC3), the EU CSIRTs Network (the network of national Computer Security Incident Response Teams), the European Union Agency for Network and Information Security (ENISA), and other EU member law enforcement groups. While everyone has the best interest of preventing and responding to cyberattacks at heart, ensuring the alignment and optimal use of existing resources makes very good sense.
  • Important cross-border thinking adds value—Cyber-adversaries pay no attention to boundaries, so it’s important to defend against these problems with a similar mindset that embraces diverse thinking. Countries that cooperate and coordinate their efforts are likely to detect and identify cyber-adversaries faster and more comprehensively if they approach the problem as a united front. This cross-border way of thinking should be an example for other regions of the world.

The improvements to the EU Law Enforcement Emergency Response Protocol are invaluable. By streamlining and strengthening their cross-border approaches, protocols, and ways of communicating, efforts to thwart attacks can begin immediately and proceed more effectively.

Preserving electronic evidence makes finding and punishing the perpetrators a priority. However, work still must be done on developing plans and protocols to mitigate damage to OT systems, and I hope they prioritize this focus for their next iteration.

Learn more

  • Complete an offline assessment of your Active Directory: assess your Active Directory security posture and reduce support costs by exposing and remediating configuration and operational security issues before they affect your business.
  • Learn more about the cybersecurity risk landscape—Watch this Microsoft Digital Crimes Unit overview video to learn more about how Microsoft is working with public and private partners.
  • Discover how the Microsoft Incident Response and Recovery Process can help—Read about our expert security services that are available in case an incident occurs.

The post Council of EU Law Enforcement Protocol improves cross-border cooperation appeared first on Microsoft Security.

The evolution of Microsoft Threat Protection—July update

Modern security teams need to proactively, efficiently, and effectively hunt for threats across multiple attack vectors. To address this need, today we’re excited to give you a glimpse of a new threat hunting capability coming soon to Microsoft Threat Protection. Building off the threat hunting technology currently available in Microsoft Defender Advanced Threat Protection (ATP), we are adding the ability to hunt for threats across endpoints and email (Figure 1).

The new Microsoft Threat Protection advanced threat hunting allows:

  • Easy access to telemetry—The telemetry data is accessible in easy to use tables for you to query.
  • Enhanced portal experience—Certain query results, such as machine name, link directly to the relevant portal, consolidating the hunting query experience and the portal investigation experience.
  • Detailed query templates—A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.

The example in Figure 1 demonstrates how Microsoft Threat Protection enables hunting for red teams that leverage a compromised account to store a payload on a local SharePoint site and then send emails to individuals within the organization. Having the email come from an internal sender and point to a local SharePoint site makes a high click-through rate likely. With the advanced hunting capability in Microsoft Threat Protection, this scenario is easier to identify, investigate, and ultimately remediate. As Microsoft Threat Protection evolves, we’ll continue to extend the advanced hunting capability across the enterprise. Look for more details on threat hunting across endpoints and email in the coming weeks.

Figure 1. Hunting query example: Find the red team!

Connecting the dots to protect your users

As we’ve discussed previously, securing enterprise identities is paramount for effective threat protection in modern organizations. Microsoft Threat Protection is built on best-in-class identity protection, and we’re pleased to announce the general availability of our new identity threat investigation experience, which correlates identity events from Microsoft Cloud App Security, Azure Advanced Threat Protection, and Azure Active Directory Identity Protection into a single investigation experience for security analysts and hunters alike.

It leverages state-of-the-art User and Entity Behavior Analytics (UEBA) capabilities to provide a risk score and rich contextual information for individual users across on-premises and cloud services. With the high volume of threat signals today’s security teams must analyze, it’s a challenge to know which users and threats to prioritize for deeper investigations (Figure 2). The new identity threat investigation experience enables security analysts to prioritize their investigations, helping reduce investigation times and eliminating the need to toggle between identity security solutions.

For more details check out our blog and get a deeper dive in our technical documentation.

Figure 2. Top user view by investigation priority.

Delivering on our promise to empower defenders

Earlier this year, we announced two capabilities for endpoint security: the public preview of Threat & Vulnerability Management and the extension of our endpoint security capabilities to macOS. We’re excited to deliver on the promise of both of these milestones, which further empower defenders relying on our services to secure their organizations.

At the end of June, we announced the general availability of our endpoint security for macOS. Offered through Microsoft Defender ATP, it enables integrated experiences in Microsoft Defender Security Center across Windows and macOS clients. It supports the three latest versions of macOS: Mojave, High Sierra, and Sierra. Customers can use Microsoft Intune and Jamf to deploy and manage Microsoft Defender ATP for Mac. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft Defender ATP for Mac updates. Check out the public documentation to see what’s available now.

We further enhanced endpoint security with the general availability of Threat & Vulnerability Management for endpoints (Figure 3), which offers customers:

  • Continuous discovery of vulnerabilities and misconfigurations.
  • Prioritization based on business context and dynamic threat landscape.
  • Seamless correlation of vulnerabilities providing enhanced breach insights.
  • Ability to assess vulnerability at the single-machine level to enrich and provide greater detail on incident investigations.
  • Built-in remediation processes through unique integration with Intune and Microsoft System Center Configuration Manager.

Figure 3. The Threat & Vulnerability Management dashboard.

This month, we also enriched the experience for security teams managing email security by introducing an email submission feature offered through Office 365 ATP. Microsoft is home to 3,500 security professionals, and now your organization can leverage their expertise to get quick and accurate analysis of potential email threats with the click of a button (Figure 4). The submission process is easy to use, and our Microsoft experts provide quick feedback, including insights on configurations that may have caused a false positive or false negative, reducing the time to investigate issues and improving overall effectiveness.

The new submission process allows admins to:

  • Submit suspicious emails, files, and URLs to Microsoft for analysis.
  • Find and remove rules allowing malicious content into the tenant.
  • Find and remove rules blocking good content from reaching the tenant.

Here’s a quick run-through of the experience. You can also learn more about it in our technical docs.

Figure 4. Admin submission experience with Office 365 ATP.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit the Microsoft Threat Protection webpage. Organizations like Telit have already transitioned to Microsoft Threat Protection, and partners are leveraging its powerful capabilities.

Begin a trial of Microsoft Threat Protection services, which also include our newly launched SIEM, Azure Sentinel, to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection—July update appeared first on Microsoft Security.

How to cost-effectively manage and secure a mobile ecosystem

Today’s post was written by Roxane Suau, Vice President of Marketing for Pradeo.

In the corporate environment, mobile devices and applications are at the center of communications, enhancing employees’ productivity with 24/7 access to information. But at the same time, they represent thousands of direct entry points to organizations’ information systems, exposing critical data to the wide spectrum of mobile threats.

Our increasingly connected world is driving up the volume of cyberattacks targeting mobility. In 2017, there were 42 million attack attempts on mobile devices registered globally, and this number keeps growing.

While data protection laws urge companies to ensure mobile data privacy, security teams are faced with the challenge of protecting mobile devices, applications, and files while maintaining the flexibility employees need to be efficient.

The booming of mobility

According to a Gartner survey, nearly 80 percent of employees haven’t received employer-issued smartphones and more than 50 percent of them exclusively use their personal mobile device in the workplace (BYOD).

As organizations are more and more flexible regarding working tools and locations, employees often access business data and applications from home or public space using their mobile device, by connecting to unsecure networks.

Usually, cybercriminals leverage three vectors to infiltrate mobile devices: applications, the network, and the operating system (OS). Threats operating at the applicative level, such as leaky and malicious applications, are by far the most common and represent 78 percent of all attacks. Attacks perpetrated through the network and the OS count for 12 percent and 10 percent, respectively.

Enterprise mobility has made the standard network security solutions companies historically relied on insufficient, as they don’t cover the perimeter of mobile devices and applications. In recent years, Mobile Threat Defense (MTD) technology has emerged to fill this gap.

Microsoft Intune unified endpoint management + Pradeo Security Mobile Threat Defense

Microsoft and Pradeo (a member of the Microsoft Intelligent Security Association) joined forces a few years ago to pursue a common goal: enable a productive and safe connected workspace.

To help companies set up a more secure and compliant environment, Microsoft Intune, a unified endpoint management platform, offers the functionalities necessary to manage and secure mobile devices and applications. Furthermore, it extends the activation of mobile security capabilities through partner integrations.

Pradeo Security Mobile Threat Defense (MTD) is designed to work with Intune to protect smartphones, tablets, mobile apps, and data. The solution relies on a behavioral analysis engine to precisely detect all actions performed on mobile devices (malware, data leakage, network exploit, OS manipulation). When activated in Intune, customers deploy the Pradeo Security agent on mobile devices to ensure their 360-degree real-time protection.

Pradeo stands out from other MTD solutions, which perform score-based risk evaluation, by being the only vendor on the market that offers accurate mobile threat detection. Intune customers benefit from Pradeo’s precise threat detection directly in their UEM platform, strengthening their organization’s mobile security posture in the most cost-efficient way.

About Pradeo

Pradeo is a global leader of mobile security and a member of the Microsoft Intelligent Security Association. It offers services to protect the data handled on mobile devices and applications, and tools to collect, process, and get value out of mobile security events.

Pradeo’s cutting-edge technology has been recognized as one of the most advanced mobile security technologies by Gartner, IDC, and 37 other research firms in 2018. It provides reliable detection of mobile threats to prevent breaches and reinforce compliance with data privacy regulations.

For more details, visit or write to

Note: Users must be entitled separately to Pradeo and Microsoft licenses as appropriate.

The post How to cost-effectively manage and secure a mobile ecosystem appeared first on Microsoft Security.

Facing the cold chills

Have you ever felt the cold chill in your spine when the “check engine” light comes on in your car? How about when one of your children turns pale and gets their first fever? It’s a feeling of helplessness and concern regarding what could be wrong. Then there’s the feeling of relief that comes with understanding, even if it’s only partial understanding. We give the child medicine and the fever fades. We add oil to the engine and the light goes off. The human mind often wants to take the easiest path away from fear and stress. But these solutions only fix the symptoms, leaving the cause of the issue unaddressed. The same thing is true in security-related situations.

The Microsoft Detection and Response Team (DART) recently worked with a customer who had been subject to a targeted compromise, one where the entity was intently and purposefully attempting to get into their systems. The attack came through one of the customer’s child organizations, who was initially compromised. The parent organization shares a trust with the child organization. During an investigation of the child organization, the parent organization was notified that attackers had migrated their access foothold into the parent network. The parent organization was able to take immediate steps to stop the malicious activities, just before things could have gotten very serious.

From a security perspective, the customer has addressed the symptom (a known compromise) but missed the opportunity to address the core issues that allowed the compromise. It’s not unusual for an organization to shift to the perspective that everything is now better. But it’s never quite so simple.

For DART, one of our key responsibilities is helping our customers understand what happened, how it happened, how long it’s been happening, the potential impact to the organization, and how the customer can improve their protection, detection, and response mechanisms to be better prepared in the future.

Understanding a compromise

Let’s dissect this story a bit more to better understand what happened. The example customer is a global company, with dozens of child organizations around the globe, all connected to the same Active Directory architecture. From a customer perspective, the IT and security functions are decentralized at each child, with each region retaining autonomous control over the operation of their data resources. This takes the pressure off the parent organization by delegating administrative processes like patching, account management, and configuration management to administrators at the child organization; and allowing the parent to focus primarily on critical business operations and their own IT and security.

Infographic: the child organizations surround the parent organization, which sits in the cloud; a vulnerability in any child organization makes the parent vulnerable as well.

Each of the child organizations operates its own Active Directory forest for its users and systems, and a majority of these organizations have a two-way trust with the Active Directory in the parent organization. Roughly half of these trusts have no security identifier (SID) filtering in place. SID filtering strips SIDs that do not belong to the trusted forest (such as an injected SID history entry) from authentication traffic crossing the trust; without it, an attacker who controls a child forest can present SIDs of privileged groups in the parent. The parent organization’s incident was possible because a compromised account was allowed to move into their network, unhindered. In fact, a compromise in any of the other child organizations would have the same result, creating legitimate risk for the parent and all the other connected child organizations.
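As an added example (not DART’s code or tooling), the following Python snippet decodes the trustDirection and trustAttributes values that Active Directory stores on each trustedDomain object and reports the trusts that let SIDs from the other side through unfiltered, which is the condition described above. The flag values follow MS-ADTS; the trust records are constructed, and in a real audit they would come from an LDAP search for objectClass=trustedDomain under CN=System of the domain (or from Get-ADTrust).

```python
"""Audit Active Directory trusts for missing or relaxed SID filtering.

Added example, not from the original post. Flag values follow the
trustDirection and trustAttributes definitions in MS-ADTS; the trust
records below are constructed for illustration.
"""

# trustDirection bits: which way authentication is allowed to flow.
TRUST_DIRECTION_INBOUND = 0x1    # the other domain trusts us (our users go there)
TRUST_DIRECTION_OUTBOUND = 0x2   # we trust the other domain (their users come here)
DIRECTION_NAMES = {1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustAttributes bits relevant to SID filtering.
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # set by: netdom trust ... /quarantine:yes
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8    # forest trust
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20       # parent/child trust inside one forest
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x40   # set by: netdom trust ... /enablesidhistory:yes


def sid_filtering(attrs):
    """Classify a trustAttributes value.

    Returns (label, filtered): filtered is True when foreign SIDs (including
    sIDHistory entries) from the other side are stripped, False when they are
    accepted, None when the question does not apply.
    """
    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "intra-forest trust (SID filtering does not apply)", None
    if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        if attrs & TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL:
            return "forest trust with SID history enabled (filtering relaxed)", False
        return "forest trust with SID filtering enabled", True
    if attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
        return "external trust, quarantined (SID filtering enabled)", True
    return "external trust with SID filtering disabled", False


def audit_trusts(trusts):
    """Return (name, direction, label) for trusts that expose this domain.

    Exposure needs two things: the trust lets accounts from the other side
    authenticate here (an outbound component), and their SIDs are not
    filtered on the way in.
    """
    findings = []
    for t in trusts:
        label, filtered = sid_filtering(t["trustAttributes"])
        their_users_come_here = bool(t["trustDirection"] & TRUST_DIRECTION_OUTBOUND)
        if their_users_come_here and filtered is False:
            findings.append((t["name"], DIRECTION_NAMES[t["trustDirection"]], label))
    return findings


# Constructed records as they might be read from the parent forest's
# trustedDomain objects (name, trustDirection, trustAttributes).
SAMPLE_TRUSTS = [
    {"name": "emea.child.example", "trustDirection": 3, "trustAttributes": 0x0},
    {"name": "apac.child.example", "trustDirection": 3, "trustAttributes": 0x4},
    {"name": "latam.child.example", "trustDirection": 3, "trustAttributes": 0x48},
    {"name": "na.child.example", "trustDirection": 3, "trustAttributes": 0x8},
    {"name": "partner.example", "trustDirection": 1, "trustAttributes": 0x0},
    {"name": "hr.parent.example", "trustDirection": 3, "trustAttributes": 0x20},
]

if __name__ == "__main__":
    for name, direction, label in audit_trusts(SAMPLE_TRUSTS):
        print(f"{name}: {direction} trust, {label}")
```

On the constructed records the two findings are the external two-way trust whose quarantine flag was cleared and the forest trust on which SID history was enabled; the inbound-only trust is not reported because it is the other side that is exposed. The corresponding fixes are `netdom trust <trusting-domain> /domain:<trusted-domain> /quarantine:yes` for an external trust and `/enablesidhistory:no` for a forest trust. Keep in mind what SID filtering does not do: it removes foreign SIDs, but a compromised child account still carries its own SID and whatever access the parent has legitimately granted it, so restricting cross-trust authentication (selective authentication) and monitoring at the trust boundary are needed as well.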

How DART helps customers address underlying risks

DART spent days trying to weave a story for the customer explaining the real risk to the organization, even though this specific attack had been blocked. There are a number of systemic issues that worked together to create the risk to the customer networks. Patching was sporadic, and due to the decentralized nature of both the information technology (IT) and security processes across the various organizations, there were large numbers of systems with known vulnerabilities. The decentralized nature of the network also created blind spots in security monitoring across the various forest and network boundaries. The customer could not have detected the lateral movement of bad actors on the network because they weren’t watching those boundaries.

Finally, the lack of configuration management across the company allowed users to have excessive account privileges and to install unsafe software packages. This resulted in large numbers of dangerous software packages being installed on user systems with privileged access—simply because users opened email attachments, clicked a link, or installed questionable software downloaded from the internet, such as key generators for commercial software products.

The large number of potentially unwanted applications (PUAs) and malware present on the network was clear evidence of the issues facing the customer. A compromised user in one segment of the customer organization creates risk for the entire company. Faced with the reality of the situation, the customer shifted perspectives to improving the security of their environment.

To start, the customer needed to get a handle on the configuration and security of the various arms of the organization. Centralizing IT and security functions would allow for consistent patching, secure account management, and security monitoring. Two-way trusts putting the organization at risk should be managed with appropriate SID filtering, reduced to one-way trusts as needed, or removed from a trust relationship altogether, depending on business need. Standardized security software, such as anti-malware solutions with automatic updates, would provide detection of malware much more quickly on endpoints. Security monitoring at all key network boundaries would create immediate alerts when malicious software or bad actors attempt to move across the environment or create persistence points. A sensible and centralized management plan would enable the customer to protect, detect, and respond to incidents.
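The trust conditions described in this story (two-way trusts, trusts without SID filtering, no selective authentication) can be audited directly from the trustAttributes flags each trust carries. The following script is an added example and not DART's or the customer's code; it assumes the RSAT ActiveDirectory module, and the sample trust it evaluates at the end is constructed, not a real domain.

```powershell
# Added example, not code from the DART post. Audits the trusts of an Active
# Directory domain for the conditions the story above describes: two-way
# trusts and trusts whose SID filtering is off. Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS 6.1.6.7.9).
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # external trust: SID filtering ("quarantine") on
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication on
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history enabled (SID filtering relaxed)

function Test-TrustRisk {
    # Evaluates one trust and returns the findings a reviewer would want to see.
    param(
        [Parameter(Mandatory)] [string]$Source,
        [Parameter(Mandatory)] [string]$Target,
        [Parameter(Mandatory)] [string]$Direction,   # Inbound, Outbound or BiDirectional
        [Parameter(Mandatory)] [int]$TrustAttributes
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $isForest = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0

    # A two-way trust lets a compromise on either side reach the other; the post
    # suggests reducing these to one-way or removing them where the business allows.
    if ($Direction -eq 'BiDirectional') {
        $findings.Add('two-way trust')
    }

    # SID filtering is what stops an injected SID history from granting access
    # across the trust. It is relaxed on a forest trust when TREAT_AS_EXTERNAL is set
    # (netdom trust /enablesidhistory:yes) and off on an external trust when
    # QUARANTINED_DOMAIN is clear (netdom trust /quarantine:no).
    $sidFiltering = if ($isForest) {
        ($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -eq 0
    } else {
        ($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
    }
    if (-not $sidFiltering) { $findings.Add('SID filtering off (SID history honoured)') }

    # Without selective authentication every user of the trusted side is a member
    # of Authenticated Users on the trusting side.
    if (($TrustAttributes -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -eq 0) {
        $findings.Add('selective authentication not enabled')
    }

    [pscustomobject]@{
        TrustingDomain = $Source
        TrustedDomain  = $Target
        Direction      = $Direction
        ForestTrust    = $isForest
        SIDFiltering   = $sidFiltering
        Findings       = ($findings -join '; ')
    }
}

function Get-TrustRiskReport {
    # Runs Test-TrustRisk over every trust the domain controller reports.
    param([string]$Server = (Get-ADDomain).DNSRoot)
    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        Test-TrustRisk -Source $_.Source -Target $_.Target `
                       -Direction ([string]$_.Direction) -TrustAttributes $_.TrustAttributes
    }
}

# Constructed sample (no real domains): a two-way forest trust whose SID
# filtering has been relaxed, like the child-to-parent trusts in the story.
Test-TrustRisk -Source 'parent.example' -Target 'child1.example' `
               -Direction 'BiDirectional' -TrustAttributes (0x08 -bor 0x40) | Format-List

# Against a live domain, trusts with findings are the ones to review with the business owner:
# Get-TrustRiskReport | Sort-Object SIDFiltering, Direction | Format-Table -AutoSize
```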

It’s easy to forget that security incidents are sometimes symptoms of a bigger problem facing the organization. Leadership would benefit from taking a step back from current events to work with their team and determine where the real security issues exist, and what’s needed to make the organization more secure. In essence, a security aspirin will help lower our fever, but it’s a temporary fix. The fever will return, and it could be worse. It’s more effective in the long run to obtain the needed X-rays or take appropriate blood tests to determine how sick the network is, and what treatment options will remove the key risks to network health.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Facing the cold chills appeared first on Microsoft Security.

Preparing your enterprise to eliminate passwords

Anyone who uses the internet knows the hassles of using a user name and password to access their own information, whether it’s their banking, online shopping, social media, medical information, etc. If you’re a CIO, a CISO, or any other exec at a company who is thinking about digital security, the user name/password paradigm is more than a hassle, it’s a true security challenge, which keeps many of us up at night.

I can tell you that deploying a companywide strategy for eliminating passwords isn’t easy, but it’s also probably not as hard as you think, either. When I told our senior leaders that we’d be eliminating passwords in about 24 months, they applauded. When I said getting there would temporarily disrupt support for select line of business apps and devices, they had questions. What I share with you today is based on what we’ve learned in this process.

I’ve been talking about eliminating passwords for a while now, aligning to our principles for identity strategy, and the most common response I get from my peers is: “Great, how can I do it at my company?” Today, I’m outlining the basic steps necessary to eliminate passwords, with the acknowledgement that we’re still on the journey. I believe we’ve mapped out the right path, but we aren’t finished yet.

The first step is to segment the user population in your network. You’ll have to bifurcate your users into two groups: 1) those users in a compliance boundary (for example, people who handle credit card/payment information); and 2) everyone else. This segmentation is necessary because there are compliance requirements in some industries that essentially require using user names and passwords. Until the regulations catch up with the technology, the people in this segment will be forced to continue using passwords. The good news is that the rest of your user population is probably quite sizable and can move forward on the journey towards eliminating passwords.

Once the user population is segmented, the remaining steps can be pursued, and they don’t have to be done sequentially. If you follow these steps, you’ll have a vastly superior user experience for your employees and a more secure network while you’re on the path to ending passwords in your own environment:

  • Banned passwords—Create a list of banned passwords that your user population is prevented from using. These are passwords that are commonly used, such as qwerty123, 123456, password1, and those that are easily guessable, like sports teams and month/year combinations. This list can be created using Azure Active Directory (Azure AD) password protection, which works in a hybrid environment and leverages machine learning from 650B authorizations every month. You could also create a list via other service offerings available in the industry.
  • Use Multi-Factor Authentication (MFA)—MFA, or two-factor authentication, is a secure authentication method in which a user is only granted access after successfully presenting at least two separate pieces of evidence to an authentication mechanism. Using MFA is the single most effective security practice that companies are NOT employing. We employ MFA in our environment via Windows Hello, Microsoft Authenticator, and/or Azure MFA, but there are multiple options for implementing MFA including FIDO keys, smart cards, and tokens. In fact, we recently announced that companies can now go passwordless with the public preview of FIDO2 security keys support in Azure AD, making it even easier to implement MFA. And, contrary to popular belief, we are not a Microsoft-only environment; our network includes every operating system and platform available.
  • Modernize hardware—Ideally, you would update your hardware to add biometric reader capabilities and Trusted Platform Module 2.0 (TPM2.0), or FIDO 2.0 and above. Biometrics can replace passwords and create a nearly friction-free experience for users. There are other hardware options that support MFA, which don’t provide a user experience as smooth as biometrics, but still support MFA and offer much better security. TPM technology provides hardware-based, security-related functions which can also be used in place of traditional passwords.
  • Legacy authentication—The final and most difficult step in the process is eliminating the use of legacy authentication. This includes all protocols that use basic authentication and can’t enforce any type of second factor authentication. This step is time consuming, laborious, and can create headaches when it occasionally breaks services. If your company is already completely in the cloud, and doesn’t have any legacy authentication anywhere, you can eliminate passwords very quickly. For the rest of us, it will take longer. There are features in Azure AD that allow a view into the audit logs and help identify the applications which are using legacy authentication. One approach to this step is to block legacy authentication through conditional access.
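Finding the applications that still use legacy authentication, as the last step above describes, comes down to grouping sign-in records by application and client protocol: modern clients report "Browser" or "Mobile Apps and Desktop clients", and everything else (IMAP4, POP3, SMTP, Exchange ActiveSync, "Other clients") is a basic-auth path that cannot be challenged for a second factor. The script below is an added example, not the author's code; the sign-in records it processes are constructed, and the live pipeline in the trailing comment assumes the AzureADPreview module's Get-AzureADAuditSignInLogs cmdlet.

```powershell
# Added example, not code from the post. Summarizes which applications and
# users still sign in over legacy (basic) authentication, from Azure AD
# sign-in records. Anything other than the two modern client types in
# ClientAppUsed is a protocol that cannot enforce a second factor.
$ModernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

function Get-LegacyAuthSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$SignIns,
        [int]$Top = 20
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($s in $SignIns) { $all.Add($s) } }
    end {
        $legacy = $all | Where-Object { $_.ClientAppUsed -notin $ModernClientApps }
        $legacy | Group-Object AppDisplayName, ClientAppUsed | ForEach-Object {
            [pscustomobject]@{
                Application = $_.Group[0].AppDisplayName
                Protocol    = $_.Group[0].ClientAppUsed
                SignIns     = $_.Count
                Users       = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
                LastSeen    = ($_.Group.CreatedDateTime | Sort-Object -Descending | Select-Object -First 1)
                SampleUser  = $_.Group[0].UserPrincipalName
            }
        } | Sort-Object SignIns -Descending | Select-Object -First $Top
    }
}

# Constructed sample records in the shape of a sign-in log export (not real data).
$sample = @(
    [pscustomobject]@{ CreatedDateTime = '2019-07-01T08:12:00Z'; UserPrincipalName = 'alice@contoso.example'; AppDisplayName = 'Office 365 Exchange Online'; ClientAppUsed = 'Browser' }
    [pscustomobject]@{ CreatedDateTime = '2019-07-01T08:15:00Z'; UserPrincipalName = 'bob@contoso.example';   AppDisplayName = 'Office 365 Exchange Online'; ClientAppUsed = 'IMAP4' }
    [pscustomobject]@{ CreatedDateTime = '2019-07-02T09:40:00Z'; UserPrincipalName = 'carol@contoso.example'; AppDisplayName = 'Office 365 Exchange Online'; ClientAppUsed = 'IMAP4' }
    [pscustomobject]@{ CreatedDateTime = '2019-07-02T10:03:00Z'; UserPrincipalName = 'scanner@contoso.example'; AppDisplayName = 'Office 365 Exchange Online'; ClientAppUsed = 'Authenticated SMTP' }
    [pscustomobject]@{ CreatedDateTime = '2019-07-03T07:55:00Z'; UserPrincipalName = 'dave@contoso.example';  AppDisplayName = 'Office 365 SharePoint Online'; ClientAppUsed = 'Mobile Apps and Desktop clients' }
    [pscustomobject]@{ CreatedDateTime = '2019-07-03T11:20:00Z'; UserPrincipalName = 'bob@contoso.example';   AppDisplayName = 'Office 365 Exchange Online'; ClientAppUsed = 'Exchange ActiveSync' }
)

# Each row is one application/protocol pair still depending on basic auth, with
# how many users it would break if blocked through conditional access.
$sample | Get-LegacyAuthSummary | Format-Table -AutoSize

# Live data for the last 30 days (AzureADPreview module assumed):
# Connect-AzureAD
# $since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-AzureADAuditSignInLogs -All $true -Filter "createdDateTime ge $since" | Get-LegacyAuthSummary
```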

My last advice is to think carefully about how you engage with users to implement all the steps I outlined in this blog. Promote the user benefits at the outset of your program. This is a lesson I learned the hard way. When we first started on this path, I started promoting the use of “MFA everywhere” to our employees. People interpreted this as requiring smart cards everywhere. They saw this as one more technical, cumbersome requirement from the IT department. Eventually I figured out that our employees were universally excited about eliminating passwords, so I communicated with them about how each step helped us with that goal. I got a much more positive response. When people see that our efforts make their experience better, it is easy to get their enthusiastic participation.

As I mentioned above, we’re still on this journey, and we’re wrestling with the same challenges everyone else faces. One thing I try to remember is the adage about not letting perfection stand in the way of progress. Taking any of the steps I’ve outlined above will help improve your security environment, even if the total elimination of passwords is something you won’t achieve for years. We haven’t achieved our end goal, but we’re making progress and currently over 90 percent of our employees are able to sign in to our network without entering a password. Once our users no longer need to enter a password for anything, we can eliminate passwords entirely. We believe we’ll achieve this in about 18-24 months. As we make progress on our quest to eliminate passwords, I’ll continue to share what we’ve learned.

To learn more about going passwordless visit The end of passwords.

The post Preparing your enterprise to eliminate passwords appeared first on Microsoft Security.

Microsoft Intelligent Security Association welcomes members of the Microsoft Virus Initiative

As we head into our annual partner conference, Microsoft Inspire, I’m excited to make a major announcement! The Microsoft Virus Initiative (MVI) is formally joining the Microsoft Intelligent Security Association (MISA).

For more than 20 years, Microsoft and our antimalware partners have collaborated through MVI to help develop integrated and compatible solutions for Windows. MISA was created as an ecosystem of independent software vendors that have integrated their security solutions to help defend against a world of increasing threats. Our mission is to provide better security for our shared customers by integrating across the security ecosystem to gain more signals, increase visibility, and better protect against threats. That’s why we’re thrilled to welcome members of MVI!

Stopping malware at scale with the power of the cloud

Antivirus and antimalware products have long been the backbone of security solutions. As modern security products evolve, more antimalware providers are taking advantage of the power of the cloud, transforming how we protect, detect, and respond to threats at scale. Antimalware products play a key role in achieving our shared vision of collaboration that reduces security complexity and delivers better protection to customers.

By joining MISA, Microsoft’s antimalware partners will help break down silos and help customers realize the benefit of using solutions from multiple vendors in harmony. This is done by connecting the security ecosystem to gain more signal, increase visibility, and protect against threats.

At the annual MVI Partner Forum in Redmond, Washington, Microsoft reiterated that we’re investing heavily in both security and partnerships throughout the upcoming fiscal year. This includes expanding the size of the association and adding additional member benefits.

As a security provider to 95 percent of the Fortune 500, our customers are diverse and have different needs and configurations. In 2018, we created MISA to build an ecosystem of intelligent security solutions that better defend against a world of increased threats by sharing security signals across the Microsoft security stack. Since its launch, the organization has more than doubled, and we now have 59 members. Most recently, as part of Microsoft’s participation in the FIDO2 alliance, we welcomed new FIDO key partners Feitian and HID Global. You can read more about these partnerships in this recent blog.

Security ISVs interested in joining MISA can get started by building an integration with one of the Microsoft security products included in MISA.

The post Microsoft Intelligent Security Association welcomes members of the Microsoft Virus Initiative appeared first on Microsoft Security.

3 strategies for building an information protection program

Five years ago, we started on a journey to update and simplify information protection at Microsoft. We had a manual data classification process that our users didn’t use effectively and that didn’t work with our data storage or database technology. We had to find ways to re-classify data and build effective tools while protecting our most important asset: customer and employee information.

We’ve learned a lot about data protection and tools and today we’re sharing some of our best practices for:

  • Laying the groundwork for protecting information.
  • Protecting trade secrets.
  • Starting your information protection journey.

Laying the groundwork for protecting information

Identifying the location of data—The first step to creating a strategy is discovering where your data and major storage places are so you can create a data landscape. Do you have data on your endpoints? Start by looking across your organization to identify your customer data, regulatory data, and other sensitive information.

Classifying the data—Classifying data is the most important and most difficult step. At Microsoft, we used a custom three-level manual label classification process but found that no one understood how to apply them correctly. We worked with legal, HR, and other groups to identify labels that made sense for our company with a goal that they could be applied automatically.

Our objective is to ensure that our data and our customer data is handled properly, classified correctly, and is protected. We’re a global company and the General Data Protection Regulation (GDPR) is the baseline—and one of our key tenets—for how we think about our information and how we protect it. We replaced the manual classification labels with a more intuitive labeling taxonomy that better aligns with industry standards:

  • Non-Business: Data that is non-business related and doesn’t belong to Microsoft.
  • Public: Data designed for public consumption.
  • General: Business data not meant for public consumption.
  • Confidential: Sensitive business data that could cause business harm if over-shared.
  • Highly Confidential: Very sensitive business data that would certainly cause the business harm if over-shared.

Identifying and resolving old data—Before you roll out new tools, there may be old data that you need to review and resolve. For example, you may need to clean up, delete, or protect your data. When reviewing data, consider the age of the data and if anyone is still using a document. Prioritize and create rules for saving, deleting, and protecting data.

Protecting the data—You want to protect the data based on classification. Protecting customer and personal information is at the core of what we’re trying to protect at Microsoft. For smaller companies—or companies just starting to develop an information protection program—your biggest return will be finding customer data so you can protect it. Building customer trust and protecting customer information is key to an information protection program.

Protecting trade secrets

Protecting our identities is an extremely important part of the information protection journey. But what if you come across a document with trade secret information? You should probably work with the group that handles trade secrets at your company. We have a white glove program with HR where we build specific programs for specific business units. Using products like Key Vault can help protect sensitive data.

Starting your information protection journey

If you’re just starting to build an information protection program, we recommend the following three-step process:

  1. Governance, risk, and compliance—Have your legal and HR teams help you define the types of information you need to defend. Always focus on customer data and sensitive information.
  2. Education and awareness—Labels are always important because they’re the foundation for identifying the difference between confidential and general business data. Use terminology that’s easy for users to understand. Train them and use tools to implement your solutions. We used education campaigns and we also built tool tips and rights management service (RMS) templates into our products. For example, if I’m working in an Office experience, I might get a tool tip prompting me to classify a document as confidential. We found that 50 percent of the time, users will increase the confidentiality of the document.
  3. Tools roll out—When you’re working with tools, remember that you’re typically interacting with customer and employee information. It’s an opportunity to build trust as a company. Some of the information protection tools we use include Office 365 Information Protection and Azure Information Protection, which provides labeling functionality we can push to endpoints, as well as label and tool tips for Office documents. We also use the file share scanner and Windows Information Protection (which is still in pilot phase).

Building an information protection program is not one-size-fits-all, but if you choose classification terms that are easy to understand and implement, proactively educate users, and bake information protection into existing processes to minimize impact, you can increase the success of the program.

For more information about how Microsoft has implemented these strategies, watch the IT Showcase webinar, Speaking of security: Information protection.

The post 3 strategies for building an information protection program appeared first on Microsoft Security.

5 principles driving a customer-obsessed identity strategy at Microsoft

The cloud era has fundamentally changed the way businesses must think about security. For a long time, we built security around the perimeter. But today, the boundaryless landscape demands that we start with the individual.

In our journey with customers co-designing our products and services, Microsoft has learned that our identity solutions need to do more than just support employee productivity. We have to take things further to ensure our solutions empower our customers to work more closely with their business partners and nurture deeper relationships with their customers, who want help not just securing their personal information, but also protecting their privacy. The problems our customers need to solve, and the scenarios they want enabled for the future, have shaped the design principles guiding our identity strategy.

Embrace open standards

The world of cloud and devices is inherently heterogeneous. Our customers, their partners, and their customers will use many devices, apps, and services from many different vendors. The complexity of managing and securing such a mixed environment could be overwhelming if not for open standards. For example, OAuth 2.0, OIDC, and SAML enable single sign-on across apps and clouds from multiple vendors, SCIM enables automated user provisioning, and the new standards from the FIDO alliance make signing in more secure. This is why every API and protocol Azure AD supports is based on open standards and why Microsoft is actively engaged in all the major identity standards bodies.

Offer industry-leading security

Our goal is to create an identity system that’s secure and private from the ground up. This means blocking every avenue of attack that we can. Enabling MFA reduces credential-based security breaches by more than 99 percent, but there’s still risk from people mishandling their passwords or getting tricked into handing them over. Adopting FIDO with the recently ratified WebAuthN standard makes it possible to eliminate passwords altogether, replacing them with a biometric device or a phone. If you have a Microsoft Account, you can go passwordless today. Soon, passwordless sign-in will be an option on every Microsoft platform and application, as well as for third party applications that integrate with Azure AD.

We now put the full power of the cloud behind every authentication request. Using Azure AD Conditional Access as a starting point, organizations can implement a Zero Trust security strategy that examines not only the identity of the user, but also the type and health of their device, the properties and reputation of the network they’re connecting from, the app they’re using, and the sensitivity of the data they’re trying to access. This not only makes security stronger, it also improves the user experience. For example, we can employ cloud-scale machine learning algorithms, which process trillions of signals daily, to learn each user’s common behavioral patterns and flag authentication attempts that are abnormal or high risk. This way, policies invoke MFA or other additional measures only when necessary, making the experience less interruptive to users.

Make governance easier and more automatic

Implementing strong governance strengthens security guardrails, but most customers find the task daunting. Granting access is easy. Remembering months later to remove access for each person who may have changed roles is not. Identity systems should make it easier to assign the right access to the right people, for example, by automating user access provisioning and deprovisioning based on a user’s role, location, and business unit. It should be easier for employees and partners to request access when they need it. And most importantly, the system should prompt administrators to review access permissions on a regular cadence or when people change roles. And all of these processes should be driven and informed by world-class machine learning and AI which constantly monitor for unusual patterns and unrecognized risks.

Deliver a comprehensive solution, not building blocks

One of the key things we’ve learned from our enterprise customers is that they’re sick and tired of cobbling together identity solutions based on mix-and-match sets of identity building blocks acquired from a myriad of vendors. They want a holistic solution that supports all their applications and all their different identities while giving them security and control without the gaps that inevitably occur when multiple point solutions are patched together. We’ll do this by delivering a completely integrated identity and access management suite that gives them a single place to go to manage—and protect—all identities, whether they belong to employees, business partners, or customers, and all of the resources they need to access.

Give people control over their information

A holistic solution that accepts identities people bring with them is a necessary prerequisite to the vision of decentralized identity. Microsoft believes everyone has the right to own and control their digital identity—one that securely and privately stores all personal data. To achieve this vision, we need to augment existing cloud identity systems with one that individuals, organizations, and devices can own so they can control their digital identity and data. We believe a standards-based decentralized identity system can unlock a new set of experiences that empowers users and organizations to have greater control over their data—and deliver a higher degree of trust and security.

Taking the next step

Everyone in the identity division at Microsoft is passionately committed to ensuring the systems we build empower people to do their best work and live their best lives.

If one thing is clear, though, these identity initiatives are a journey. Over the coming months, we’ll invite you to participate in a series of technology previews, where your feedback will help shape how identity services will take us closer to a world without passwords, where organizations can easily manage and secure complex environments, and individuals can worry less and stop making trade-offs among ease of use, privacy, and security. Working together as an industry, we’re building a better path to security and privacy, anchored around the one constant in this fast-moving, heterogeneous world—you.

The post 5 principles driving a customer-obsessed identity strategy at Microsoft appeared first on Microsoft Security.

The evolution of Microsoft Threat Protection, June update

Since our announcement of Microsoft Threat Protection at Microsoft Ignite, our goal has been to execute and deliver on our promise of helping organizations protect themselves from today’s sophisticated and complex threat landscape. As we close out our fiscal year, we’ve continued progress on developing Microsoft Threat Protection, launching new capabilities and services. Hopefully, you’ve had a chance to follow our monthly updates.

As we previously shared, Microsoft Threat Protection enables your organization to:

This month, we want to share new capabilities that are starting public previews.

Efficient remediation and response for identity threats

Presently, efficient and effective response to identity threats is crucial, and Microsoft Threat Protection is built on the industry’s most widely used and comprehensive identity security service. As more organizations adopt hybrid environments, data is spread across multiple applications, is on-premises and in the cloud, and is accessed by multiple devices (often personal devices) and users. Most organizations no longer have a defined network perimeter, making traditional security tools obsolete. Identity is the control plane that is consistent across all elements of the modern organization.

At RSA, we announced a new unified Identity Threat Investigation experience between Azure Active Directory (Azure AD) Identity Protection, Azure Advanced Threat Protection (ATP), and Microsoft Cloud App Security. This experience will go into public preview this month.

Part of the new experience is enabled through Azure AD’s new integration with Azure ATP. Also, integration between Azure AD and Microsoft Cloud App Security enables continuous monitoring of user behavior from sign-in through the entire session. Microsoft Threat Protection’s identity services leverage user behavior analytics to create a dynamic investigation priority score (Figure 1) based off signal from Azure AD, Microsoft Cloud App Security, and Azure ATP. The investigation priority is calculated by assessing security alerts, abnormal activities, and potential business and asset impact related to each user. This score can help Security Operations (SecOps) teams focus and respond to the top user threats in the organization.

Figure 1. The investigation priority view.

To learn more, read Investigating identity threats in hybrid cloud environments.

Game-changing capabilities for endpoint security

Every month, Microsoft Threat Protection detects over 5 billion endpoint threats through its Microsoft Defender ATP service. Customers have long asked us to extend our industry-leading endpoint security beyond the Windows OS. This was a major driving force for us to deliver endpoint security natively for macOS in limited preview earlier this year. We’re excited to announce that Microsoft Defender ATP for macOS is in public preview.

Microsoft Threat Protection customers who have turned on the Microsoft Defender ATP preview features can access Microsoft Defender ATP for Mac via the onboarding section in the Microsoft Defender Security Center. For more information and resources, including system requirements, prerequisites, and a list of improvements and new features, check out the Microsoft Defender ATP for Mac documentation.

To further enhance your endpoint security, “live response,” our new incident response action for SecOps teams, is currently in public preview. Today, your employees often work beyond the corporate network boundary, whether from home or while traveling. The risk for compromise is potentially higher when a user is remote. Imagine the executive who connects their laptop to hotel Wi-Fi and is compromised. With current endpoint security services, SecOps would need to wait until the executive got back to the office, leaving a high-value laptop exposed. With our new live response, SecOps teams gain instant access to a compromised machine regardless of location, as well as the ability to gather any required forensic information.

This powerful feature allows you to:

  • Gather a snapshot of connections, drivers, scheduled tasks, and services, as well as search for specific files or request file analysis to reach a verdict (clean, malicious, or suspicious).
  • Download malware files for reverse-engineering.
  • Create a tenant-level library of forensic tools like PowerShell scripts and third-party binaries that allows SecOps to gather forensic information like the MFT table, firewall logs, event logs, process memory dumps, and more.
  • Run remediation activities such as quarantine file, stop process, remove registry, remove scheduled task, and more.

To learn more, try the live response DIY or read Investigate entities on machines using live response.

Figure 2. Run remediation commands.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit the Microsoft Threat Protection webpage. Organizations like Telit have already transitioned to Microsoft Threat Protection, and our partners are also leveraging its powerful capabilities.

Begin a trial of Microsoft Threat Protection services, which also includes our newly launched SIEM, Azure Sentinel, to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, June update appeared first on Microsoft Security.