Category Archives: Zero Trust

Improve cyber supply chain risk management with Microsoft Azure

For years, Microsoft has tracked threat actors exploiting federal cyber supply chain vulnerabilities. Supply chain attacks target software developers, systems integrators, and technology companies. Tactics often include obtaining source code, build processes, or update mechanisms to compromise legitimate applications. This is a key concern for government cybersecurity in the cloud, as the expanding digital estate requires movement towards a Zero Trust security model.

There are several techniques to attack cyber supply chains in Information Communications and Technology (ICT) products and services. Supply chain attacks are most concerning because they target vulnerabilities in your infrastructure before you even deploy your assets and software.

Attackers can:

  • Compromise software building tools to ensure that their malware is imprinted into all software generated from the building tools.
  • Replace software update repositories with malicious replicas that distribute malware across entire software ecosystems.
  • Steal code-signing certificates to make malicious software appear as legitimate code.
  • Intercept hardware shipments to inject malicious code into hardware, firmware, and field-programmable gate arrays (FPGAs).
  • Pre-install malware onto IoT devices before they arrive to target organizations.

Managing Supply Chain Risk Management (SCRM) to defend against supply chain attacks

Defending against supply chain attacks requires a comprehensive approach to managing Supply Chain Risk Management (SCRM). Federal risk managers must deploy strong code integrity policies and technical screening controls to ensure their software complies with organizational directives such as applying NIST SP 800-53A security controls for Federal Information Security Management Act (FISMA) compliance. Code integrity requires full non-repudiation of software to validate information producer associations, identity, and chain of custody for systems and components (NIST SP 800-161, 2015). One critical opportunity for addressing code integrity in your supply chain is to implement and adhere to a secure software development lifecycle for applications that you develop in-house and that you acquire from third-party supply chain partners.

Microsoft continues to use the Security Development Lifecycle, a fundamental process of continuous learning and improvement in the security, integrity, and resiliency of our enterprise applications. We require supply chain providers to adhere to these practices as well.

Organizations should employ asset monitoring and tracking systems such as radio-frequency identification (RFID) and digital signatures to track hardware and software from producers to consumers to ensure system and component integrity. FIPS 200 specifies that federal organizations “must identify, report, and correct information and information system flaws in a timely manner while providing protection from malicious code at appropriate locations within organizational information systems” (FIPS 200, 2006).

How Microsoft fights against malware

Microsoft understands how to fight malware and have worked hard for many years to offer our customers leading endpoint protection to defend against increasingly sophisticated attacks across a variety of devices. These efforts have been recognized, for example, in this year’s 2019 Gartner Endpoint Protection Platforms Magic Quadrant. In addition, Microsoft Defender Advanced Threat Protection (ATP) integrates directly with Microsoft Azure Security Center to alert your security teams of threat actors exploiting your vulnerabilities.

Magic Quadrant for Endpoint Protection Platforms.*

Endpoint Protection Platforms can support software development and fight malware, but government organizations must follow recommendations for software vendors and developers by applying patches for operating systems and software, implementing mandatory integrity controls, and requiring Multi-Factor Authentication (MFA) for administrators.

Azure Security Center Recommendations help government organizations eliminate security vulnerabilities before an attack occurs by facilitating actions to secure resources, including OS vulnerability detection, mandatory controls, and enforcing authentication with MFA and secure access with just-in-time (JIT) virtual machine access.

When you remediate recommendations, your Secure Score and your workloads’ security postures improve. Azure Security Center automatically discovers new resources you deploy, assesses them against your security policy, and provides new recommendations for securing them.

Azure Security Center also facilitates cyber learning through gamification. Secure Score allows your SecOps and Security Governance Risk & Compliance (SGRC) teams to remediate vulnerabilities through a points-based system. This capability can enhance system configurations and reinforce supply chain risk management in a single pane of glass for your infrastructure security posture, and even includes a regulatory and compliance dashboard to facilitate federal compliance requirements and can be tailored to your organization.

Security of federal information systems requires compliance with stringent standards such as NIST SP 800-53, FISMA, CIS Benchmarks, and FedRAMP Moderate. Azure Blueprints facilitates compliance with these standards ensuring a secure-by-design approach to federal information security. Azure Blueprints enable cloud architects and information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements.

Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as role assignments, policy assignments, and Azure Resource Manager templates. Azure Blueprints also provide recommendations and a framework to directly apply compliance requirements to your environment while monitoring configurations through Continuous Monitoring (CM).

Employing a comprehensive monitoring program

Protecting your supply chain also requires a comprehensive monitoring program with cyber incident response and security operations capabilities. Azure Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in artificial intelligence (AI) to help analyze large volumes of data across an enterprise—fast. Azure Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud, letting you reason over millions of records in a few seconds.

Azure Sentinel leverages the Microsoft Graph, which detects threats, reduces false positives, and puts your responders on target. Azure Sentinel Workbooks optimize productivity with dozens of built in dashboards to enhance security monitoring.

Azure Sentinel Analytics allow your cyber defenders to employ proactive alerting to detect threats impacting your supply chain security. Azure Sentinel Playbooks includes over 200 connectors to leverage full automation through Azure Logic Apps. This powerful capability allows federal agencies to compensate for the cyber talent gap with Security Automation & Orchestration Response (SOAR) capabilities while leveraging machine learning and AI capabilities. Azure Sentinel deep investigation allows your incident response teams to dig into incidents and identify the root cause of attacks.

Azure Sentinel’s powerful hunting search-and-query tools are based in the MITRE ATT&K Framework, allowing your responders to proactively hunt threats across the network before alerts are triggered. The Azure Sentinel community is growing on GitHub and allows your team to collaborate with the information security community for best practices, efficiencies, and security innovation.

Azure Sentinel

Intelligent security analytics for your entire enterprise.

Learn more

Cyber Supply Chain Risk Management (SCRM) is a growing concern within the federal sector. Microsoft is committed to bolstering government cybersecurity in the cloud. Microsoft Azure goes the distance to protect your network against supply chain attacks through Microsoft Defender ATP’s industry leading Endpoint Protection Platform, Azure Security Center’s comprehensive continuous monitoring platform, Azure Blueprints approach to rapidly deploying a compliant cloud, and Azure Sentinel’s cloud-native SIEM that harnesses the limitless power of the cloud through threat intelligence, machine learning, AI, and automation.

Learn more about government cybersecurity in the cloud with Microsoft

Here are some of the best resource to learn more about government cybersecurity in the cloud with Microsoft:

Also, join us for the Microsoft Ignite Government Tour in Washington, D.C., February 6, 2020.

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity or visit our website for the latest news and updates on cybersecurity.

Are you a federal government agency that needs help with cybersecurity? Reach out to TJ Banasik or Mark McIntyre for additional details on the content above, or if you have any other questions about Microsoft’s cybersecurity investments for the federal government.


*This graphic was published by Gartner, Inc. as part of larger research documents and should be evaluated in the context of the entire document. The Gartner documents are available upon request from Microsoft. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The post Improve cyber supply chain risk management with Microsoft Azure appeared first on Microsoft Security.

What is the Zero Trust Model?

In today’s ever-evolving threat landscape, the traditional “trust, but verify” approach does not seem to be working anymore. Especially now since it has become increasingly common for threats to originate from within an organization. According to Verizon, 34% of data breaches in 2018 involved internal actors. This is the reason why more and more companies have started to implement a different security model: Zero Trust.

The “Zero Trust” concept is relatively new and was coined in 2010 by John Kindervag, a former Forrester analyst. Its architecture allows companies to map out both external and internal security threats and maximize the chances of timely mitigation.

In case you are not familiar with Zero Trust, in this article, I’m going to try to answer some burning questions such as:

  • What is Zero Trust and why is it relevant for your organization?
  • What principles is Zero Trust based on?
  • How can you implement the Zero Trust model?

Defining Zero Trust

As indicated by its name, Zero Trust is a concept based on the notion that organizations should not trust anyone or any device by default and thus, they must verify every single connection before allowing access to their network. This model came as a response to former security approaches founded on the assumption that insider threat was nonexistent and that they were only focused on defending organizations from external threats.

Potential malicious actors aren’t the only driver for the Zero Trust initiative. As more and more companies are choosing to move their workloads to the cloud or follow the hybrid approach of using both on-premises and cloud applications, the popularity of the Zero Trust model has skyrocketed. Now, an increasing number of employees and their internal and external stakeholders are accessing resources from worldwide locations. And since the security perimeter is no longer contained within an office building and remote users are connecting to cloud applications from various locations, cyber-criminals have multiple points of access.

Therefore, the need for a different approach has grown.

According to the Zero Trust model, nothing neither inside nor outside an organization’s security perimeter should be trusted by default. Businesses that use the “traditional” security model, which implies that everything contained inside their network can be automatically trusted, oftentimes fail to defend themselves. In this case, malicious hackers, once they manage to get past a company’s firewall, are able to easily move through their systems. Their antiquated security architectures only aim to stop threats from entering an organization and once an infected network is left unsupervised, an organization’s sensitive data remains exposed.

On the other hand, the Zero Trust Model runs on the belief that one should “never trust and always verify”.

Traditional security architecture vs. Zero Trust architecture

The traditional security architecture is often referred to as the perimeter model after the castle-with-moat approach encountered in physical security. Through this model, protection is given by building multiple lines of defenses that attackers must go past before eventually gaining access, while possible insider threats are not taken into account.

The traditional network security architecture divides networks into zones within one or more firewalls. In this case, each zone is assigned a certain level of trust, that decides which network resources are allowed to reach. Through this model, high-risk resources (like web servers connected to the public internet) are put into an exclusion zone (oftentimes known as “DMZ” or “demilitarized zone”). Here, traffic can be closely monitored and controlled.

Below you can see a representation of standard security architecture:

What standard security architecture looks like

Source: Traditional network security architecture, Zero Trust Networks by Doug Barth, Evan Gilman

By contrast, this is what a Zero Trust network would look like:

An example of zero trust architecture design

Source: Traditional network security architecture, Zero Trust Networks by Doug Barth, Evan Gilman

Here, the supporting system is called the control plane, and every other component is referred to as the data plane, which is being coordinated and configured by the control plane. The latter allows requests for access to restricted resources only from authenticated and authorized devices and users. At this layer, fine-grained policies based on “role in the organization, time of day, or type of device” can be applied. Furthermore, accessing even more secure resources can require stronger authentication.

As soon as the control plane has granted access to a request, the data plane will be configured to accept traffic from that client only.

The main idea here is that even though some compromises in regards to the strength of these measures can be made, a third party is given permission to authenticate based on a variety of inputs.

The Principles Behind Zero Trust and How to Implement It

According to John Kindervag, Zero Trust is based on three main ideas:

  1. All resources must be accessed in a secure manner regardless of location
  2. Access control is on a “need-to-know” basis and strictly enforced
  3. All traffic must be inspected and logged

Zero Trust can be linked to technologies such as multifactor authentication, encryption, and privileged access management (PAM).

PAM has been founded on the principle of least privilege, which is based on the notion that you should be giving your users only the access they need in order to avoid exposing your users to as less sensitive information as you can. For a complete overview of the term, check out our latest guide on the principle of least privilege. Also, feel free to check out our PAM solution, Thor AdminPrivilege™, that helps you stay on top of your user rights management.

Zero trust networks also employ micro-segmentation, which stands for the practice of dividing perimeters into small areas so that certain parts of your network have separate access. Consequently, if any data breaches occur, micro-segmentation will limit further exploitation of networks by malicious actors.

The UK National Cyber Security Center (NCSS) has released an alfa version of the Zero trust architecture design on GitHub. The following ten principles can be used as a starting point for building the foundation of a Zero Trust architecture:

#1. Know your architecture

The first and most important thing you should do is create an inventory of your assets and know everything about every single component of your architecture, including your users, their devices, and the data they are accessing.

Moreover, before transitioning to a Zero Trust architecture, you need to take into account all your existing services since they may not have been designed for the Zero Trust scenario and therefore may be unsafe in front of potential attackers.

#2. Create a single strong user identity

Your organization should use a single user directory and know which accounts are connected to which individuals. For granular access control, you should be creating specific roles for each user.

This way, in case of an attack, it’s crucial for you to understand exactly which user is responsible, what they are trying to access, and if they do have the necessary permissions to access certain data.

#3. Create a strong device identity

Besides users and accounts, every device owned by your organization should be uniquely identifiable in a single device directory.

Furthermore, zero trust systems have to monitor what devices are trying to access their network and make sure that every single one of them is authorized. This practice will further minimize the attack surface of your network.

#4. Authenticate everywhere

In your zero trust architecture, all connections should require authentication. At the same time, authentication should be stronger than just a username and password. Multi-factor (or two-factor) authentication is considered to be a core value of Zero Trust. So, besides entering a password, users should be able to provide additional proof that they are who they claim to be, for instance, through submitting a code received on their mobile device as evidence.

#5. Know the health of your devices and services

To be able to know the health of your devices and services in real-time is crucial. You should be asking yourself different questions, such as: Are the latest operating system updates installed? Are the latest software patches applied? Do I have a complete overview of my environment available at all times?

Your systems need to be kept up-to-date with the latest patches and you should be able to determine the version and patch level of the services you are using. For instance, a tool like X-Ploit Resilience can help you automate both Windows and 3rd party software updates.

#6. Focus your monitoring on devices and services

Given that devices and services are more exposed to network attacks than in traditional architectures it’s important that comprehensive monitoring for attacks is carried out.

#7. Set policies according to the value of services or data

The access policies you set up define the power of your zero trust architecture. This means that your policies should be defined in accordance with the value of the data accessed or taken action. For instance, actions such as creating new admin roles should require a stricter policy than low impact operations, like checking out the lunch menu, NCSS is saying.

#8. Control access to your services and data

You should not be granting your users access to a service unless the request is authorized against a policy. What’s more, always make sure your transmitted data is protected with encryption.

#9. Don’t trust the network, including the local network

In order to remove trust from the network, you need to build trust in the devices and services.

Do not automatically trust any network between the device and the service it is trying to access, including your local network. Devices should be configured to prevent DNS spoofing, Man in the Middle attacks, unsolicited inbound connections, etc.

#10. Choose services designed for zero trust

Last but not least, always opt for services specifically designed to support Zero Trust. Keep in mind that legacy services may require additional components to enable Zero Trust, so always make sure you have the resources to handle this.


Zero Trust is quite a new approach to network security and at the same time, it’s also part of a broader philosophy, which implies that you must not automatically trust your network. Instead, you should first think that any connection can potentially be malicious, and only after you’ve verified it, you can be confident that you can trust it. So, consider redesigning and rebuilding your security strategy based on the Zero Trust concept to reduce the chances of breaches and strengthen your defenses.

The post What is the Zero Trust Model? appeared first on Heimdal Security Blog.

Preventing insider threats, data loss and damage through zero trust

With the proliferation of mobile devices and BYOD, ubiquitous and always available internet connectivity and the widespread use of private, public and hybrid cloud solutions, eventually all organizations will be forced to come to terms with these realities: There is no such thing as a traditional security perimeter anymore There is virtually no difference between internal and external threats. Binding activity to the user’s identity and endpoint is essential Whether they are malicious actors focused … More

The post Preventing insider threats, data loss and damage through zero trust appeared first on Help Net Security.

Zero Trust strategy—what good looks like

Zero Trust has managed to both inspire and confuse the cybersecurity industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy (and arguably the first formal strategy, as I recently heard Dr. Chase Cunningham, Principal Analyst at Forrester, aptly point out).

Microsoft believes that the Zero Trust strategy should be woven throughout your organization’s architectures, technology selections, operational processes, as well as the throughout the culture of your organization and mindset of your people.

Zero Trust will build on many of your existing security investments, so you may already have made progress on this journey. Microsoft is publishing learnings and guidance from many perspectives to help organizations understand, anticipate, and manage the implications of this new strategy. This guidance will continue to grow as we learn more. A few highlights include:

In previous posts of this series, we described Microsoft’s vision for an optimal Zero Trust model and the journey of our own IT organization from a classic enterprise security to Zero Trust. Today, we focus on what a good strategy looks like and recommended prioritization (with a bit of history for context).

Zero Trust security continuously validates trustworthiness of each entity in your enterprise (identities, applications and services, devices) starting each with a trust level of zero.

Evolution of security strategy

The central challenge of cybersecurity is that the IT environment we defend is highly complex, leading security departments (often with limited budgets/resources) to find efficient ways to mitigate risk of advanced, intelligent, and continuously evolving attackers.

Most enterprises started with the use of a “trusted enterprise network,” but have since found fundamental limitations of that broad trust approach. This creates a natural pressure to remove the “shortcut” of a trusted enterprise network and do the hard work of measuring and acting on the trustworthiness of each entity.

Network or identity? Both (and more)!

The earliest coherent descriptions of the Zero Trust idea can be traced to proposals in the wake of the major wave of cybersecurity attacks. Beginning in the early 2000s, businesses and IT organizations were rocked by worms like ILOVEYOU, Nimda, and SQL Slammer. While painful, these experiences were a catalyst for positive security initiatives like Microsoft’s Security Development Lifecycle (SDL) and began serious discussions on improving computer security. The strategy discussions during this timeframe formed into two main schools of thought—network and identity:

  • Network—This school of thought doubled down on using network controls for security by creating smaller network segments and measuring trust of devices before network controls allow access to resources. While promising, this approach was highly complex and saw limited uptake outside a few bright spots like Google’s BeyondCorp.
  • Identity—Another approach, advocated by the Jericho Forum, pushed to move away from network security controls entirely with a “de-perimeterisation” approach. This approach was largely beyond the reach of technology available at the time but planted important seeds for the Zero Trust of today.

Microsoft ultimately recommends an approach that includes both schools of thought that leverage the transformation of the cloud to mitigate risk spanning the modern assets and (multiple generations of) legacy technology in most enterprises.

Prioritizing and planning Zero Trust

Microsoft recommends rigorous prioritization of Zero Trust efforts to maximize security return on investment (ROI). This default prioritization is based on learnings from our experience, our customers, and others in the industry.

  1. Align strategies and teams—Your first priority should be to get all the technical teams on the same page and establish a single enterprise segmentation strategy aligned to business needs. We often find that network, identity, and application teams each have different approaches of logically dividing up the enterprise that are incompatible with each other, creating confusion and conflict. See the CISO workshop video, Module 3 Part 3: Strategy and Priorities, for more discussion of this topic.
  2. Build identity-based perimeter—Starting immediately (in parallel to priority #1), your organization should adopt identity controls like Multi-Factor Authentication (MFA) and passwordless to better protect your identities. You should quickly grow this into a phased plan that measures (and enforces) trustworthiness of users and devices accessing resources, and eventually validating trust of each resource being accessed. See the CISO workshop video, Module 3 Part 6: Build an Identity Perimeter, for more information on identity perimeters.
  3. Refine network perimeter—The next priority is to refine your network security strategy. Depending on your current segmentation and security posture, this could include:
    • Basic segmentation/alignment—Adopt a clear enterprise segmentation model (built in #1) from a “flat network” or fragmented/non-aligned segmentation strategy. Implementing this is often a significant undertaking that requires extensive discovery of assets and communication patterns to limit operational downtime. It’s often easier to do this as you migrate to the cloud (which naturally includes this discovery) than it is to retrofit to an existing on-premises environment.
    • Micro-segmenting datacenter—Implement increasingly granular controls on your datacenter network to increase attacker cost. This requires detailed knowledge of applications in the datacenter to avoid operational downtime. Like basic segmentation, this can be added during a cloud migration or a net new cloud deployment easier than retrofitting to an on-premises datacenter.
    • Internet first clients—A simple but significant shift is when you move client endpoints from being on the internet part-time to full-time (versus sometimes on corporate network and sometimes remote). This is a straightforward concept, but it requires having already established a strong identity perimeter, strong endpoint security and management over the internet, publishing legacy applications to your internet clients, dedicated administrative workstations, and potentially other initiatives before “rolling back” the firewalls from clients.

What good looks like

Zero Trust is a model that will ultimately be infused throughout your enterprise and should inform virtually all access decisions and interactions between systems.

Expanding on the three principles of Zero Trust from the Zero Trust vision paper—Verify Explicitly, Least Privilege Access, and Assume Breach—the hallmarks of a good enterprise Zero Trust strategy include:

  • Continuously measure trust and risk—Ensure all users and devices attempting to access resources are validated as trustworthy enough to access the target resource (based on sensitivity of target resource). As technology becomes available to do it, you should also validate the trustworthiness of the target resources.
  • Enterprise-wide consistency—Ensure that you have a single Zero Trust policy engine to consistently apply your organizations policy to all of your resources (versus multiple engines whose configuration could diverge). Most organizations shouldn’t expect to cover all resources immediately but should invest in technology that can apply policy to all modern and legacy assets.
  • Enable productivity—For successful adoption and usage, ensure that the both security and business productivity goals are appropriately represented in the policy. Make sure to include all relevant business, IT, and security stakeholders in policy design and refine the policy as the needs of the organization and threat landscape evolve. For more information, see Meet Productivity and Security Goals.
  • Maximize signal to increase cost of attack—The more measurements you include in a trust decision—which reflect good/normal behavior—the more difficult/expensive it is for attackers to mimic legitimate sign-ins and activities, deterring or degrading an attacker’s ability to damage your organization.
  • Fail safe—The system operation should always stay in a safe state, even after a failed/incorrect decision (for example, preserve life/safety and business value via confidentiality, integrity, and availability assurances). Consider the possible and likely failures (for example, mobile device unavailable or biometrics unsuccessful) and design fallbacks to safely handle failures for both:
    • Security (for example, detection and response processes).
    • Productivity (remediation mechanisms via helpdesk/support systems).
  • Contain risk of attacker movement into smaller zones—This is particularly important when you’re reliant on legacy/static controls that cannot dynamically measure and enforce trustworthiness of inbound access attempts (for example, static network controls for legacy applications/servers/devices).

Into the future

Over time, we expect Zero Trust will become accepted and commonplace where people simply learn it in “Security 101” (much like the least privilege principle today). Zero Trust is expected to evolve as we all become more comfortable with what this new normal entails and have ideas on how to optimize efficiency and address the attackers’ ongoing attempts to find a chink in the new armor.

Zero Trust

Reach the optimal state in your Zero Trust journey.

Learn more

Our next blog will discuss how to make Zero Trust real in your enterprise starting with technology available today, which you may already have deployed or have access to! In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust strategy—what good looks like appeared first on Microsoft Security.

Establishing Device Trust to Secure the Workforce

Challenges of Protecting Endpoints

With an estimated 70% of breaches starting on endpoints – laptops, workstations, servers, and mobile devices – organizations need visibility into the devices connecting to applications both on the network and in the cloud. Organizations need the ability to establish trust in the devices connecting to resources containing sensitive information.

Curious how you can determine if you can trust the endpoints that are connecting to your business resources? Ask yourself a few quick questions:

  • Are you able to automatically notify users of out-of-date software to reduce your help desk tickets or block devices that have been compromised? Or automatically quarantine malicious files from infecting your entire network?
  • Can you enforce endpoint controls for risky devices or corporate-owned devices? What about contractor devices or external third parties connecting to your network?
  • Can you enforce access policies based on the application risk or whether the device is a known healthy device that meets security guidelines?


Establishing Trust in Endpoints

In order to effectively establish trust in user devices, organizations should have device-based policies in place to prevent access by any risky or unknown devices. By validating the device is both healthy and meets security policies, you can ensure they’re trustworthy – key components of the Cisco Zero Trust security approach for the workforce.

Cisco implements zero trust with a three-step methodology across the workforce, workloads and workplace by:

  1. Establishing trust of a user, device, application, etc. – before granting access or allowing connections or communications.
  2. Enforcing trust-based policies with granular controls based on changing context – such as the security posture of devices and the behavior of applications
  3. Continuously verifying trust by monitoring for risky devices, policy noncompliance, behavior deviations and software vulnerabilities

With Duo and Cisco® Advanced Malware Protection (AMP) for Endpoints, organizations have the tools in place to effectively establish trust in users’ devices connecting to protected applications. The ability to prevent, detect and respond are key elements when considering device trust in a zero-trust security approach for the workforce.

Trust Through Protection and Detection

Establishing trust extends beyond managing the status of the device to include inspecting the device and controlling access based on risk evaluations to ensure only devices that are healthy and meet your security controls are able to gain access to your corporate systems. With Duo Trusted Endpoints, you can enforce controls and policies to keep risky endpoints from accessing your applications. This includes devices that are unmanaged; don’t meet OS requirements; status of enabled security features (configured or disabled); full disk encryption.

AMP for Endpoints offers endpoint protection, advanced endpoint detection and response capabilities and a holistic view of your endpoints, regardless of operating system. AMP continuously monitors and analyzes all file and process activity within your network to find and automatically block threats that other solutions miss. It has more than 15 built-in protection and detection mechanisms to prevent threats from compromising your business. With a few clicks in AMP’s browser-based management console, the file can be blocked from running on all endpoints. AMP knows every other endpoint the file has reached, so it can quarantine the file for all users.

Available Soon – Integration between Duo Security and AMP for Endpoints

Adding AMP for Endpoints as a Trusted Endpoint in Duo provides the ability to protect applications from devices that have been flagged by AMP as an infected endpoint containing malware. This prevents access to any application that contains sensitive data reducing the risk of data loss.

Duo’s access policies will allow admins to entirely block access to devices flagged by AMP without blocking the user entirely, permitting them to access applications from an alternate device to ensure continued productivity.

The automatic isolation and blocking of compromised devices provides organizations the ability to quickly remediate potential threats, reducing their risk surface without completely interrupting user productivity.

How Duo detects and responds to potential threats from endpoint devices

Duo and AMP provide organizations with comprehensive tools to prevent, detect and respond to potential threats from endpoint devices, helping to establish trust in those devices.

Learn more about Cisco Zero Trust,  and get started with a free trial of Duo and Cisco AMP for Endpoints to start establishing trust in your endpoints today.


The post Establishing Device Trust to Secure the Workforce appeared first on Cisco Blogs.

Securing Your Future by Innovating Today

At a time when cybercrime costs three times more than natural disasters globally1, the demands on security are constantly growing. Whether you’re asked to protect a workforce that roams anywhere, a workplace that is digitized, or workloads that run wherever, your disparate security solutions are creating discord and an untenable level of complexity.

At Cisco, we’ve been on a quest to change that, and we believe we’re uniquely positioned to redefine security. As you’re innovating to build your future, we’re innovating to keep it secure — by creating a comprehensive platform approach and continuously evolving our security technologies.

That’s why I’m excited today to share some of the recent innovations across our security portfolio. With a cloud-powered platform approach in mind, these enhancements are designed to break down silos between SecOps, NetOps, and ITOps and free up your time by:

  • Simplifying your firewalling experience with more consistent policy management with cloud-native environments and cloud-based logging.
  • Accelerating your cloud adoption with new secure web gateway and firewall services in the cloud, deployed through a single IPsec tunnel.
  • Future-proofing your security with an industry-validated zero-trust approach for your workforce, workloads, and workplace, while integrating threat context.
  • Simplifying your breach defense experience with more visibility and actions for threat response, plus new services delivered by Cisco experts to help augment your team.


Security Operations made easier so you can focus on what matters


Experience the future of firewalling

As you’re moving applications into the cloud, the NetOps’ job is expanding to include cloud-native firewalls. Securing all control points across this multicloud environment should not feel like reinventing the wheel. We’re simplifying the experience and enabling NetOps to maintain consistent policies across firewalls, and into the cloud, starting with support for AWS, with more cloud providers roadmapped. Additionally, to help you easily maintain consistent policies as you’re adopting SD-WAN, we’ve simplified policy management for Meraki MX, one of our SD-WAN solutions. Just a few clicks, that’s all it takes to seamlessly harmonize policies across your hybrid environment.

We’re also improving visibility and making compliance easier with cloud-based logging for our NGFWs. This new capability aggregates and centralizes the on-prem and cloud logs so you can search, filter, and sort them, accelerating investigations while ensuring your organization complies with industry regulations.

The increased user connectivity to the cloud creates new demands for faster speeds, so we’re raising the bar with our appliances as well. The latest models of our NGFWs offer a 3X performance boost over previous appliances and optimize the performance-to-price ratio to keep your network — and business — running smoothly and securely.

Accelerate cloud adoption securely

To help you transition to the cloud successfully— and protect any user, anywhere they connect to the internet — while saving a considerable amount of resources, we’ve consolidated a broad range of security services into a single, cloud-delivered security solution and dashboard. Alongside DNS-layer security, CASB, and interactive threat intelligence services, we’ve added secure web gateway and firewall services to our cloud security solution to deliver deeper visibility and control over all ports and protocols, even encrypted web traffic.

The secure web gateway (full proxy) provides complete web traffic visibility, control, and protection — with capabilities like decrypting and scanning files on any site, filtering out inappropriate or malicious URLs, sandboxing unknown files, and blocking applications or app functions.

With this comprehensive set of functionalities, you can rely on us for the full security stack at smaller branches as you adopt SD-WAN. A single configuration in our networking product dashboards deploys DNS-layer security across hundreds of network devices, including SD-WAN. Additionally, a single IPsec tunnel deploys secure web gateway and firewall from any network device, including SD-WAN. Our integrated approach and Anycast routing can efficiently protect your branch users, connected devices, and application usage from all internet breakouts with 100% business uptime.

Secure access with a zero-trust approach

We have been working over the past year to create a more comprehensive zero-trust framework. Based on customer feedback, we focused on securing three key pillars: workforce, workloads, and workplace. We are thrilled that Forrester recognized our strides and named Cisco a leader in the recently released Forrester Wave among Zero Trust eXtended Ecosystem Platform Providers. As the analyst report noted, “Cisco excels in zero trust with a renewed and targeted focus … and is well-positioned as a prominent zero-trust player.”

We continue to innovate in this space and are reducing risks based on device trust by integrating our threat-detection capabilities with multi-factor authentication. The majority of breaches originate on the endpoint, but what if ITOps could establish trust in a user device before it’s allowed any access to sensitive resources? By safeguarding against vulnerable or compromised endpoints and blocking their access, you’ll be able to better detect and respond to malware threats as well as prevent data breaches.

Adopt breach defense everywhere

Taking endpoint defense one step farther, we added the ability to isolate an endpoint, which stops malware from spreading while giving SecOps time to remediate without losing forensics data, or simply giving ITOps time to troubleshoot an unknown issue. Making breach defense less overwhelming, endpoint isolation empowers incident investigators to uncover endpoint data that wasn’t available before — using advanced search with more than 300 query parameters, such as listing applications with high memory utilization.

Malware is also a growing problem at the network level because adversaries have learned to hide behind encrypted traffic. We’ve extended the capability to analyze encrypted traffic behavior into the cloud, providing higher fidelity of threat protection and enabling cryptographic compliance. At the same time, we’re simplifying investigations, giving you deeper visibility at multiple layers, and helping you respond quicker across different vectors by integrating network security analytics with our unified threat response application.

If you need help preparing for and responding to attacks, you can augment your team with our incident response services, now part of Talos. You know Talos as the team who’s constantly researching new threats on your behalf, and now they can integrate that intel even faster across our entire portfolio — benefitting not only retainer customers but everyone. For even leaner teams that need next-level support, we’re adding managed threat detection and response services to help you leverage your Cisco Security investments 24x7x365.

Several of these innovations are industry firsts, and we’re excited to offer customers new ways to better manage their growing business demands. I encourage you to take a closer look at these enhancements and discover how they can make your security an enabler rather than a barrier.

Get Started

Ready to experience for yourself how Cisco can simplify your experience, accelerate your success, and secure your future?




1 Allianz Risk Barometer, 2019


The post Securing Your Future by Innovating Today appeared first on Cisco Blogs.

Further enhancing security from Microsoft, not just for Microsoft

Legacy infrastructure. Bolted-on security solutions. Application sprawl. Multi-cloud environments. Company data stored across devices and apps. IT and security resource constraints. Uncertainty of where and when the next attack or leak will come, including from the inside. These are just a few of the things that keep our customers up at night.

When security is only as strong as your weakest link and your environments continue to expand, there’s little room for error. The challenge is real: in this incredibly complex world, you must prevent every attack, every time. Attackers must only land their exploit once. They have the upper hand. To get that control back, we must pair the power of your defenders and human intuition with artificial intelligence (AI) and machine learning that help cut through the noise, prioritize the work, and help you protect, detect, and respond smarter and faster.

Microsoft Threat Protection brings this level of control and security to the modern workplace by analyzing signal intelligence across identities, endpoints, data, cloud applications, and infrastructure.

Today, at the Microsoft Ignite Conference in Orlando, Florida, I’m thrilled to share the significant progress we’re making on delivering endpoint security from Microsoft, not just for Microsoft. The Microsoft Intelligent Security Association (MISA), formed just last year, has already grown to more than 80 members and climbing! These partnerships along with the invaluable feedback we get from our customers have positioned us as leaders in recent analyst reports, including Gartner’s Endpoint Protection Platform Magic Quadrant, Gartner’s Cloud Access Security Broker (CASB) Magic Quadrant and Forrester’s Endpoint Security Suites Wave and more.

As we continue to focus on delivering security innovation for our customers, we are:

  • Reducing the noise with Azure Sentinel—Generally available now, our cloud-native SIEM, Azure Sentinel, enables customers to proactively hunt for threats using the latest queries, see connections between threats with the investigation graph, and automate incident remediation with playbooks.
  • Discovering and controlling Shadow IT with Microsoft Cloud App Security and Microsoft Defender Advanced Threat Protection (ATP)—With a single click, you can discover cloud apps, detect and block risky apps, and coach users.
  • Enhancing hardware security with our partners—We worked across our partner ecosystem to offer stronger protections built into hardware with Secured-core PCs, available now and this holiday season.
  • Offering Application Guard container protection, coming to Office 365—In limited preview now, we will extend the same protections available in Edge today to Office 365.
  • Building automation into Office 365 Advanced Threat Protection for more proactive protection and increased visibility into the email attacker kill chain—We’re giving SecOps teams increased visibility into the attacker kill chain to better stop the spread of attacks by amplifying your ability to detect breaches through new enhanced compromise detection and response in Office 365 ATP, in public preview now. And later this year, we’re adding campaign views to allow security teams to see the full phish campaign and derive key insights for further protection and hunting.
  • Getting a little help from your friends—Sometimes you need another set of eyes, sometimes you need more advanced investigators. Available now, with the new experts on demand service, you can extend the capabilities of your security operations center (SOC) with additional help through Microsoft Defender ATP.
  • Improving your Secure Score—Back up the strength of your team with numbers. New enhancements in Secure Score will make it easier for you to understand, benchmark, and track your progress. We also added new planning capabilities that help you set goals and predict score improvements, and new CISO Metrics & Trends reports that show the impact your work is having on the health of your organization in real-time.
  • Taking another step in cross-platform protection—This month, we’re expanding our promise to offer protections beyond Windows with Enterprise Detection and Response for Apple Macs and Threat and Vulnerability Management for servers.

Microsoft Ignite

Join us online November 4–8, 2019 to livestream keynotes, watch selected sessions on-demand, and more.

Learn more

Infographic showing the Microsoft Intelligent Security Graph: unique insights, informed by trillions of signals from Outlook, OneDrive, Windows, Bing, Xbox Live, Azure, and Microsoft accounts.

There’s no way one person, or even one team, no matter how large could tackle this volume of alerts on a daily basis. The Microsoft Intelligent Security Graph, the foundation for our security solutions, processes 8.2 trillion signals every day. We ground our solutions in this intelligence and build in protections through automation that’s delivered through our cloud-powered solutions, evolving as the threat landscape does. Only this combination will enable us to take back control and deliver on a Zero Trust network with more intelligent proactive protection.

Here’s a bit more about some of the solutions shared above:

Discovering and controlling cloud apps natively on your endpoints

As the volume of cloud applications continues to grow, security and IT departments need more visibility and control to prevent Shadow IT. At last year’s Ignite, we announced the native integration of Microsoft Cloud App Security and Microsoft Defender ATP, which enables our Cloud Access Security Broker (CASB) to leverage the traffic information collected by the endpoint, regardless of the network from which users are accessing their cloud apps. This seamless integration gives security admins a complete view of cloud application and services usage in their organization.

At this year’s Ignite, we’re extending this capability, now in preview, with native access controls based on Microsoft Defender ATP network protection that allows you to block access to risky and non-complaint cloud apps. We also added the ability to coach users who attempt to access restricted apps and provide guidance on how to use cloud apps securely.

Building stronger protections starting with hardware

As we continue to build in stronger protections at the operating system level, we’ve seen attackers shift their techniques to focus on firmware—a near 5x increase in the last three years. That’s why we worked across our vast silicon and first- and third-party PC manufacturing partner ecosystem to build in stronger protections at the hardware level in what we call Secured-core PCs to protect against these kind of targeted attacks. Secured-core PCs combine identity, virtualization, operating system, hardware, and firmware protection to add another layer of security underneath the operating system.

Application Guard container protections coming to Office 365

Secured-core PCs deliver on the Zero Trust model, and we want to further build on those concepts of isolation and minimizing trust. That’s why I’m thrilled to share that the same hardware-level containerization we brought to the browser with Application Guard integrated with Microsoft Edge will be available for Office 365.

This year at Ignite, we are providing an early view of Application Guard capabilities integrated with Office 365 ProPlus. You will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. View, print, edit, and save changes to untrusted Office documents—all while benefiting from that same hardware-level security. If the untrusted file is malicious, the attack is contained and the host machine untouched. A new container is created every time you log in, providing a clean start as well as peace of mind.

When you want to consider the document “trusted,” files are automatically checked against the Microsoft Defender ATP threat cloud before they’re released. This integration with Microsoft Defender ATP provides admins with advanced visibility and response capabilities—providing alerts, logs, confirmation the attack was contained, and visibility into similar threats across the enterprise. To learn more or participate, see the Limited Preview Sign Up.

Automation and impact analysis reinvent Threat and Vulnerability Management

More than two billion vulnerabilities are detected every day by Microsoft Defender ATP and the included Threat and Vulnerability Management capabilities, and we’re adding even more capabilities to this solution.

Going into public preview this month, we have several enhancements, including: vulnerability assessment support for Windows Server 2008R2 and above; integration with Service Now to further improve the communication across IT and security teams; role-based access controls; advanced hunting across vulnerability data; and automated user impact analysis to give you the ability to simulate and test how a configuration change will impact users.

Automation in Office 365 ATP blocked 13.5 billion malicious emails this year

In September, we announced the general availability of Automated Incident Response, a new capability in Office 365 ATP that enables security teams to efficiently detect, investigate, and respond to security alerts. We’re building on that announcement, using the breadth of signals from the Intelligent Security Graph to amplify your ability to detect breaches through new enhanced compromise user detection and response capabilities in Office 365 ATP.

Now in public preview, the solution leverages the insights from mail flow patterns and Office 365 activities to detect impacted users and alert security teams. Automated playbooks then investigate those alerts, look for possible sources of compromise, assess impact, and make recommendations for remediation.

Campaign detections coming to Office 365 ATP

Attackers think in terms of campaigns. They continuously morph their email exploits by changing attributes like sending domains and IP addresses, payloads (URLs and attachments), and email templates attempting to evade detection. With campaign views in Office 365 ATP, you’ll be able to see the entire scope of the campaign targeted at your organization. This includes deep insights into how the protection stack held up against the attack—including where portions of the campaign might have gotten through due to tenant overrides thereby exposing users. This view helps you quickly identify configuration flaws, targeted users, and potentially comprised users to take corrective action and identify training opportunities. Security researchers will be able to use the full list of indicators of compromise involved in the campaign to go hunt further. This capability will be in preview by the end of the year.

Protection across platforms: enterprise detection and response (EDR) for Mac

Work doesn’t happen in just one place. We know that people use a variety of devices and apps from various locations throughout the day, taking business data with them along the way. That means more complexity and a larger attack surface to protect. Microsoft’s Intelligent Security Graph detects five billion threats on devices every month. To strengthen enterprise detection and response (EDR) capabilities for endpoints, we’re adding EDR capabilities to Microsoft Defender ATP for Mac, entering public preview this week. Moving forward, we plan to offer Microsoft Defender ATP for Linux servers, providing additional protection for our customers’ heterogeneous networks.

We understand the pressure defenders are under to keep pace with these evolving threats. We are grateful for the trust you’re putting in Microsoft to help ease the burdens on your teams and help focus your priority work.

Related links

The post Further enhancing security from Microsoft, not just for Microsoft appeared first on Microsoft Security.

Improve security with a Zero Trust access model

Zero Trust is a security model that I believe can begin to turn the tide in the cybersecurity battles. Traditional perimeter-based network security has proved insufficient because it assumes that if a user is inside the corporate perimeter, they can be trusted. We’ve learned that this isn’t true. Bad actors use methods like password spray and phishing to take advantage of a workforce that must remember too many usernames and passwords. Once behind the corporate firewall, a malicious user can often move freely, gaining higher privileges and access to sensitive data. We simply can’t trust users based on a network as the control plane.

The good news is that there is a solution. Zero Trust is a security strategy that upends the current broad trust model. Instead of assuming trustworthiness, it requires validation at every step of the process. This means that all touchpoints in a system—identities, devices, and services—are verified before they are considered trustworthy. It also means that user access is limited to only the data, systems, and applications required for their role. By moving from a model that assumes trust to one that requires verification, we can reduce the number and severity of security breaches.

You can begin implementing a Zero Trust access model now. Expect this to be a multi-year process, but with every action, you’ll make incremental progress that improves your security posture. Start with implementing Multi-Factor Authentication (MFA) to better protect your identities and then develop a phased plan to address identity access, device access, and network access. This is the approach that Microsoft has taken.

Take a look at our Zero Trust access model implementation plan for more ideas on how to structure each phase. You can also look at my advice on preparing your organization for passwordless for tips on better securing your identities.

We are on this journey together. I will continue to share insights and advice in the coming months and years.

The post Improve security with a Zero Trust access model appeared first on Microsoft Security.