Microsoft Secure Blog
In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance. Tue, 28 Mar 2017 16:00:58 +0000

Germany steps up leadership in cybersecurity Tue, 28 Mar 2017 16:00:56 +0000

Cyberattacks are on the rise worldwide, but many countries are making strides in promoting and developing cybersecurity by developing policy frameworks, encouraging investment in research and development, and driving awareness of cybersecurity best practices. Germany is one of the countries that has been trying to increase the cybersecurity of its broader online ecosystem for a number of years and is today more committed to that goal than ever. And what Germany does matters not just because it is one of the top five global economies, but because it is one of the leading European Union (EU) member states. What German policy-makers think and feel can have a major effect on the EU, a trading bloc of 500 million people with a GDP on a par with that of the USA.

Microsoft’s Security Intelligence Report (SIR) shows Germany performs well compared to the global average when it comes to encounters with malware and the scale of infected computers (see the regional breakdown specific to Germany). Overall, the SIR shows the ongoing nature of the conflict between those delivering cybersecurity and those trying to break through, and even in the Germany of 2016 there was an uneven but upward trend in encounters and infections.

A fundamental part of responding to these threats and the potentially significant economic damage they pose is, in my view, cooperation between government and the private sector. The new cybersecurity strategy seems to indicate that this is also the view of German policy-makers. Germany’s recognition of the importance of developing and implementing effective cyber security norms – along with the necessary means of verification/attribution – is very encouraging. And German support and leadership in the pertinent multi-lateral discussions will be crucial. In this context, it is worth noting that German leadership, during its 2016 Chairmanship of the Organization for Security and Co-operation in Europe, yielded concrete positive results in the related field of developing cybersecurity related confidence-building measures – which critically rely on different segments of society working together.

The strategy builds on Germany’s IT Security Law (IT-SiG), passed in 2015, which promoted cooperation between the German Federal Office for Information Security (BSI) and industry in protecting critical infrastructure. Infrastructure protection is, of course, only one aspect of cybersecurity, and cooperation between governments and the private sector is only one part of the overall solution (for example, my Microsoft colleagues have also been arguing strongly for risk-based approaches to cybersecurity). Nonetheless, both the IT-SiG and the proposed strategy seem to be steps in the right direction. Cooperation between states and the private sector, including those who create information and communication technology (ICT) products and those who use them, seems like a very good way to develop effective cybersecurity policies and practices. What is true for Germany should be equally true for other EU member states.

The challenge is that, currently, not all companies may be happy about information exchange with the authorities (only 13 percent of companies in Germany are). It would be a terrible irony that just as governments realize the need for public-private partnerships in cybersecurity, companies start to step back from the opportunity. To prevent such a development, IT regulators will have to demonstrate the added value of receiving this information. They can do this by anonymizing it, and then sharing it with those private sector entities that need to know about it, and then acting on it to protect their systems and their customers.

Looking ahead, in order to enhance IT security in general and increase the protection of critical infrastructure in particular, public-private partnerships are essential, but they require commitment and buy-in from both sides. Microsoft is ready to play its part.


Giving CISOs assurance in the cloud Mon, 27 Mar 2017 19:00:52 +0000

This post is authored by Mark McIntyre, Chief Security Advisor, Enterprise Cybersecurity Group.

Recently, I hosted a Chief Information Security Officer roundtable in Washington, DC. Executives from several US government agencies and systems integrators attended to share cloud security concerns and challenges, such as balancing collaboration and productivity against data protection needs, cyber threat detection, and compliance. Toward the end of the day, one CISO reminded me he needed assurance. He asked, “How can we trust Microsoft to protect our data? And, how can I believe what you say?”

This post provides an opportunity to share important updates and assurances about practices and resources that Microsoft uses to protect data and user privacy in the Cloud. It also offers information on resources available to CISOs and others, that demonstrate our continuing investments in transparency.

Security at scale

Increasingly, government officials as well as industry analysts and executives are recognizing and evangelizing the security benefits of moving to hyper-scale cloud service providers. Microsoft works at this scale, investing $15B in the public cloud. The internet user maps below provide useful insight into why and where we are making these investments. Figure 1 represents internet usage in 2015. The size of the boxes reflects numbers of users. The colors indicate the percentage of people with access to the internet.

Figure 1, source: “Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain”

Now look at Figure 2, showing expected internet usage in 2025.  As you can see, global internet use and accompanying economic activity will continue to grow.

Figure 2

In addition to serving millions of people around the world, we are also moving Microsoft’s 100,000+ employees and our corporate infrastructure and data to the Cloud. We must therefore be confident that we can protect our resources as well as our users’.

How do we do it?  Microsoft invests over $1B per year in cybersecurity and data protection.  We start by ensuring that the software powering our data centers is designed, built and maintained as securely as possible. This video illustrates the world-class security Microsoft applies to data center protection.  We also continue to improve on years of development investments in the Security Development Lifecycle (SDL), to ensure that security is addressed at the very beginning stages of any product or service.  In the Cloud, the Operational Security Assurance framework capitalizes on the SDL and on Microsoft’s deep insights into the cybersecurity threat landscape.

One way that Microsoft detects threats in our data centers is the Intelligent Security Graph. Microsoft has incredible breadth and depth of signal and information we analyze from 450B authentications per month across our cloud services, 400B emails scanned for spam and malware, over a billion enterprise and consumer devices updated monthly, and 18B+ Bing scans per month. This intelligence, enhanced by the rich expertise of Microsoft’s world class security researchers, analysts, hunters, and engineers, is built into our products and our platform, enabling customers, and Microsoft, to detect and respond to threats more quickly (Figures 3 and 4). Microsoft security teams use the graph to correlate large-scale critical security events, using innovative cloud-first machine learning and behavior and anomaly-based search queries, to surface actionable intelligence. The graph enables teams to collaborate internally and apply preventive measures or mitigations in near real-time to counter cyber threats. This supports protection for users around the world, and assures CISOs that Microsoft has the breadth and scale to monitor and protect users’ identities, devices, apps and data, and infrastructure.

Figure 3

Figure 4

Access to data

Technology is critical for advancing security at hyper-scale, so Microsoft continues to evolve the ways in which administrators access corporate assets. The role of administrators is significant. In our cloud services, we employ Just-in-Time (JIT) and Just Enough Administration (JEA), under which admins are granted the minimum window of time, and the minimum physical and logical access, needed to carry out a validated task. No admin may create or approve their own ticket, either. Customers running Windows Server 2016 can implement the same kind of policies internally. Securing and managing data centers at scale is an ever evolving process based on the needs of our customers, the changing threat landscape, regulatory environments and more.
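The two controls named above, a bounded grant window and no self-approval of tickets, are easy to state and easy to get wrong in an approval tool. The following is an added example, not Microsoft’s code or any product’s API: a minimal just-in-time elevation broker in Python that enforces both. The ticket fields, the role names used in demo() and the 15-minute default window are illustrative assumptions.

```python
"""Added example (not Microsoft's code): a minimal just-in-time (JIT) elevation
broker enforcing a bounded grant window and separation of duties (nobody may
approve their own ticket).

Assumptions (not from the original post): ticket fields, the role names in
demo() and the 15-minute default window are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

DEFAULT_WINDOW = timedelta(minutes=15)


class ApprovalError(Exception):
    """Raised when a request or approval violates broker policy."""


@dataclass
class Ticket:
    ticket_id: int
    requester: str
    role: str
    justification: str
    requested_at: datetime
    approver: Optional[str] = None
    granted_until: Optional[datetime] = None


class JitBroker:
    def __init__(self, window: timedelta = DEFAULT_WINDOW) -> None:
        self.window = window
        self._tickets: Dict[int, Ticket] = {}
        self._next_id = 1

    def request(self, requester: str, role: str, justification: str,
                now: datetime) -> Ticket:
        """Open a ticket; a validated task needs a stated reason."""
        if not justification.strip():
            raise ApprovalError("justification required")
        ticket = Ticket(self._next_id, requester, role, justification, now)
        self._tickets[ticket.ticket_id] = ticket
        self._next_id += 1
        return ticket

    def approve(self, ticket_id: int, approver: str, now: datetime) -> Ticket:
        """Grant the role for one window; reject self-approval and re-approval."""
        ticket = self._tickets[ticket_id]
        if approver == ticket.requester:
            raise ApprovalError("requester may not approve their own ticket")
        if ticket.approver is not None:
            raise ApprovalError("ticket already decided")
        ticket.approver = approver
        ticket.granted_until = now + self.window
        return ticket

    def has_access(self, user: str, role: str, now: datetime) -> bool:
        """True only while an approved ticket for this user and role is unexpired."""
        return any(
            t.requester == user and t.role == role
            and t.granted_until is not None and now < t.granted_until
            for t in self._tickets.values()
        )


def demo() -> Dict[str, bool]:
    """Self-approval is refused, a peer's approval works, and access lapses
    exactly when the window closes."""
    t0 = datetime(2017, 3, 27, 12, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    ticket = broker.request("alice", "FabricAdmin", "rotate expiring cert", t0)
    try:
        broker.approve(ticket.ticket_id, "alice", t0)
        self_approved = True
    except ApprovalError:
        self_approved = False
    broker.approve(ticket.ticket_id, "bob", t0)
    five = t0 + timedelta(minutes=5)
    fifteen = t0 + timedelta(minutes=15)
    return {
        "self_approval_allowed": self_approved,
        "active_after_5_min": broker.has_access("alice", "FabricAdmin", five),
        "active_at_15_min": broker.has_access("alice", "FabricAdmin", fifteen),
        "other_role_active": broker.has_access("alice", "StorageAdmin", five),
    }


if __name__ == "__main__":
    print(demo())
```

The expiry check is done at every access decision rather than by a background job, so a grant cannot outlive its window if a cleanup task fails. In a real deployment the ticket store and the clock would sit on a system the requester cannot modify, otherwise the separation of duties is cosmetic.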


Microsoft works with auditors and regulators around the world to ensure that we operate data centers at the highest levels of security and operational excellence. We maintain the largest compliance portfolio in the industry, covering, for example, the ISO 22301 business continuity standard. In addition, Microsoft maintains certifications such as CSA STAR Certification, HITRUST, FACT and CDSA which many of our cloud competitors do not. For more about Microsoft certifications, visit the Microsoft Trust Center Compliance page.


Being compliant with local, industry, and international standards establishes that Microsoft is trustworthy, but our goal is to be trusted. Toward that end, and to ensure we address the needs of CISOs, Microsoft provides a wealth of information about cloud services, designed to give customers direct and self-service ways to answer three key questions:

  • How is my data secured and protected?
  • How does Microsoft Cloud help me be compliant with my regulatory needs?
  • How does Microsoft manage privacy around my data?

The comments at our roundtable that prompted this blog show that our cloud security and compliance resources can be difficult to find, so while we double down on our efforts to raise awareness, bookmark this update and read below.  We operate the following portals, designed to facilitate self-service access to security and compliance information, FAQs and white papers, in convenient formats, and tailored to an organization’s geography, industry and subscription(s):

  • The Microsoft Trust Center, a centralized resource for enterprise customers to find answers about what Microsoft is doing to protect data, comply with regulatory requirements, and verify that we are doing what we say.
  • The Service Trust Portal (STP), available under nondisclosure agreement to current and prospective Microsoft customers, includes hundreds of important third-party audit reports, information on certifications, and internal security documents for Azure, O365, Dynamics CRM Online, and Yammer. Examples include SOC and ISO audit reports.
  • The Service Assurance Portal, available to current O365 users, offers the same level of access but directly through the O365 subscription. This is a unique “transparency window” that gives customers an in-depth understanding of how we implement and test controls to manage confidentiality, integrity, availability, reliability, and privacy around customer data. Not only do we share the “what” about controls, but also the “how” about testing and implementation.

Government Security Program

Microsoft also participates in the Government Security Program as another key transparency initiative. Through the GSP, national governments (including regulators) may access deep architecture details about our products and services, up to and including source code. The GSP also provides participants with opportunities to visit Microsoft headquarters in Redmond to meet face to face with the teams that operate, monitor, and defend our company and products and services—including data centers—from cyber threats. They can also visit any of our Transparency Centers in Redmond, Brussels, Brasilia, and Singapore. Several dozen governments around the world use the GSP to obtain greater insight into how Microsoft builds, operates and defends its data centers, and by extension, how we protect users.

Microsoft stands ready to work with CISOs to raise awareness and ensure access to the resources discussed above. Visit the following sites to learn more. Microsoft has also created a dedicated team of cybersecurity professionals to help move you securely to the Cloud and protect your data. Learn more about the Enterprise Cybersecurity Group, or contact your local Microsoft representative.

Blogs: Microsoft Secure Blog and Microsoft On the Issues
Learn more about the Microsoft Enterprise Cloud
Read the Microsoft Security Intelligence Report
Follow us on Twitter: @MSFTSecurity

What you need to know about CASBs Mon, 27 Mar 2017 16:00:57 +0000

Per Frost & Sullivan, more than 80 percent of employees admit to using non-approved SaaS apps in their jobs. The number of cloud services used by corporate employees is also quickly outpacing internal IT estimates. While IT groups typically estimate that employees are using 51 different services, the actual number is 15 times greater.

And it’s not just individual employees that are turning to shadow IT. Increasingly, non-approved SaaS applications are being adopted by entire work groups or departments, without IT’s knowledge, and with little consideration for the security risks they bring.

As employees continue to reach for tools and services that may not be IT-approved, IT professionals know they need to balance security risk tolerance while empowering departments and teams to achieve higher productivity.

How can you secure critical data without compromising productivity?

While the urge to block shadow IT is understandable, it’s at best, a short-term solution. Not only does it reduce an organization’s ability to innovate, it inevitably results in employees finding ways around the restrictions.

Rather than blocking users from accessing the services they need to do their jobs efficiently, IT administrators need to find ways to monitor these services, analyze their risk profile, and offer alternatives for apps that fail to meet security or compliance needs.

Cloud Access Security Brokers: Flexibility meets control

According to Gartner, Cloud Access Security Brokers (CASBs) are “on-premises or cloud-based security policy enforcement points that are placed between cloud service consumers and cloud service providers.”

They give organizations a detailed picture of how their employees are using the cloud.

  • Which apps are they using?
  • Are these apps risky for my organization?
  • Who are the top users?
  • What does the upload/download traffic look like?
  • Are there any anomalies in user behavior such as: impossible travel, failed logon attempts, suspicious IPs?

Such behaviors can indicate that a user’s account has been compromised or that the user is taking unauthorized actions.
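Two of the anomalies in the list above, impossible travel and bursts of failed logons, are straightforward to compute from the sign-in records a CASB collects. The following is an added example written for this page, not code from the original post or from any Microsoft product: it runs both checks over a constructed sign-in log. The record layout, the 500 km/h travel threshold, the five-failures-in-ten-minutes burst threshold and the sample events are illustrative assumptions.

```python
"""Added example (not from the original post or any Microsoft product): two
CASB anomaly checks, impossible travel and failed-logon bursts, over a
constructed cloud-app sign-in log.

Assumptions (not in the original): record layout, the 500 km/h threshold, the
5-failures-in-10-minutes threshold and the sample events are illustrative.
"""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str, float, float]  # ts, user, outcome, ip, lat, lon

# Constructed sign-in log. Coordinates are approximate city centres; the IPs are
# from the RFC 5737 documentation ranges.
SIGNINS: List[Event] = [
    ("2017-03-27T08:00:00", "alice", "success", "203.0.113.10", 47.61, -122.33),  # Seattle
    ("2017-03-27T08:40:00", "alice", "success", "198.51.100.7", 52.52, 13.40),    # Berlin, 40 min later
    ("2017-03-27T09:00:00", "bob",   "success", "203.0.113.20", 47.61, -122.33),  # Seattle
    ("2017-03-27T12:00:00", "bob",   "success", "203.0.113.21", 45.52, -122.68),  # Portland, 3 h later
    ("2017-03-27T10:00:00", "carol", "failure", "192.0.2.5",    51.51, -0.13),
    ("2017-03-27T10:01:00", "carol", "failure", "192.0.2.5",    51.51, -0.13),
    ("2017-03-27T10:02:30", "carol", "failure", "192.0.2.5",    51.51, -0.13),
    ("2017-03-27T10:04:00", "carol", "failure", "192.0.2.5",    51.51, -0.13),
    ("2017-03-27T10:06:00", "carol", "failure", "192.0.2.5",    51.51, -0.13),
    ("2017-03-27T10:07:00", "carol", "success", "192.0.2.5",    51.51, -0.13),
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _by_user(events: List[Event], outcome: str) -> Dict[str, List[Event]]:
    """Group events with the given outcome per user, sorted by timestamp."""
    grouped: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        if ev[2] == outcome:
            grouped[ev[1]].append(ev)
    for evs in grouped.values():
        evs.sort(key=lambda e: e[0])
    return grouped


def impossible_travel(events: List[Event], max_kmh: float = 500.0):
    """Flag consecutive successful sign-ins whose implied speed exceeds max_kmh.
    Returns tuples (user, earlier_ts, later_ts, km, kmh)."""
    flags = []
    for user, evs in _by_user(events, "success").items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev[4], prev[5], cur[4], cur[5])
            delta = datetime.fromisoformat(cur[0]) - datetime.fromisoformat(prev[0])
            hours = delta.total_seconds() / 3600
            # Two places in the same second is as impossible as it gets.
            kmh = math.inf if hours <= 0 else km / hours
            if km > 0 and kmh > max_kmh:
                flags.append((user, prev[0], cur[0], round(km), round(kmh)))
    return flags


def failed_logon_bursts(events: List[Event], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)):
    """Flag users with at least `threshold` failures inside any sliding window.
    Returns tuples (user, window_start_ts, count), one per user."""
    flags = []
    for user, evs in _by_user(events, "failure").items():
        recent = deque()
        for ev in evs:
            ts = datetime.fromisoformat(ev[0])
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flags.append((user, recent[0].isoformat(), len(recent)))
                break
    return flags


if __name__ == "__main__":
    print(impossible_travel(SIGNINS))
    print(failed_logon_bursts(SIGNINS))
```

Both checks produce false positives on their own: corporate VPN egress, mobile carriers and coarse geo-IP data all make a user appear to jump continents, and a misconfigured mail client retrying a stale password looks like a brute-force attempt. Treat these as signals to correlate with the source IP reputation and the user’s normal pattern, not as verdicts.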

Along with better threat protection, CASBs offer IT professionals better visibility and control over the apps used in their environment. Once you have discovered the full extent of the apps used in your environment, you can then set policies that control the data stored in these apps for data loss prevention.

Exploring a CASB solution can be a great step to enhancing your security environment. With better visibility, protection, and management over your shadow IT, you can give employees the choice to use the apps they need, without sacrificing the security and compliance your organization demands.

To learn more about shadow IT and how CASBs can help your organization, download the e-book.

A new best practice to protect technology supply chain integrity Wed, 22 Mar 2017 16:00:10 +0000

This post is authored by Mark Estberg, Senior Director, Trustworthy Computing.

The success of digital transformation ultimately relies on trust in the security and integrity of information and communications technology (ICT). As ICT systems become more critical to economic prosperity, governments and organizations around the world are increasingly concerned about threats to the technology supply chain. These concerns stem from fear that an adversary might tamper with or manipulate products during development, manufacture, or delivery. This poses a challenge to the technology industry: If our products are to be fully trusted, we must be able to provide assurance to our customers that the technology they reviewed and approved before deployment is the same software that is running on their computers.

To increase confidence, organizations have increasingly turned to source code analysis: direct inspection of the code by a human expert or an automated tool. Source code is a set of computer instructions written in a programming language that humans can read. This code is converted (or compiled) into a binary file of instructions, a language of zeroes and ones that machines can process and execute, called an executable. This conversion of human-readable code to machine-readable code, however, raises the unsettling question of whether the machine code, and ultimately the software program running on computers, was built from the same source code files that the expert or tool analyzed. There has been no efficient and reliable method to answer this, even for open source software. Until now.

At Microsoft, we have developed a way to definitively demonstrate that a compiled machine-readable executable was generated from the same human-readable source code that was reviewed. It’s based on the concept of a “birth certificate” for binary files, which consists of unique numbers (or hash values) that are cryptographically strong enough to identify individual source code files.

As source code is compiled in Visual Studio, the compiler computes a hash value for each source file, generated in such a way that it is virtually impossible that any other file will produce the same hash value. By matching the hash values recorded by the compiler to those computed from the examined source code files, we can verify that the executable did indeed result from the original source code files.

This method is described in more detail in Hashing Source Code Files with Visual Studio to Assure File Integrity. The paper gives a full description of the new Visual Studio switch for choosing a hashing algorithm, suggested scenarios where such hashes might prove useful, and how to use Visual Studio to generate these source code hashes.

Microsoft believes that the technology industry must do more to assure its stakeholders of the integrity of software and the digital supply chain. Our work on hashing is both a way to help our customers and a way to further how the industry is addressing this growing problem:

  • This source file hashing can be employed when building C, C++, and C# executable programs in Visual Studio.
  • Technology providers can use these unique hash values in their own software development to track, process, and control source code files, with a definitive link from each source file to the specific executables built from it.
  • Standards organizations can include in their best practices the requirement to take this very specific and powerful step toward authenticity.

We believe that capabilities such as binary source file hashing are necessary to establish adequate trust to fulfill the potential of digital transformation. Microsoft is committed to building trust in the technology supply chain and will continue to innovate with our customers, partners and other industry stakeholders.

Practical applications of digital birth certificates

There are many practical applications for our binary source file hashing capability, including these:

  • Greater assurance through automated scanning. As an automated analysis tool scans the source code files, it can also generate a hash value for each of the files being scanned. Matching the hash values from the compiler with those generated by the analysis demonstrates not only that those files were compiled into the executable code, but also that the source code files were scanned with the approved tool.
  • Improved efficiency in identifying vulnerabilities. If a vulnerability is identified in a source file, the hash value of the source file can be used to search among the birth certificates of all the executable programs to identify programs likely to include the same vulnerability.
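The mechanism described above and both applications just listed rest on the same small idea: a per-file hash recorded at build time and looked up later. The following is an added example, not Microsoft’s implementation and not the Visual Studio feature itself: it models the “birth certificate” in plain Python, verifies one against the files a reviewer actually inspected, and then uses the same index to find every binary built from a source file later found to be vulnerable. SHA-256 as the algorithm, the file names and contents, and the three constructed builds are illustrative assumptions.

```python
"""Added example (not Microsoft's implementation): the per-source-file "birth
certificate" modelled in Python. A build records the SHA-256 of every source
file it consumed; a reviewer recomputes hashes of the files actually inspected
and compares. The same index answers "which binaries contain this file?".

Assumptions (not in the original): SHA-256, the file names, contents and the
three constructed builds are illustrative.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the files the reviewer (or scanning tool) actually looked at.
REVIEWED: Dict[str, bytes] = {
    "parser.c": b"int parse(const char *s, size_t n) { if (n > MAX) return -1; /* ... */ return 0; }\n",
    "main.c": b"int main(void) { return parse(input, len); }\n",
}

# Constructed: the same parser with the bounds check removed after the review.
TAMPERED_PARSER = b"int parse(const char *s, size_t n) { /* ... */ return 0; }\n"


def birth_certificate(sources: Dict[str, bytes]) -> Dict[str, str]:
    """What the compiler records: path -> hash of the exact bytes it compiled."""
    return {path: sha256_hex(content) for path, content in sources.items()}


# Constructed builds: app.exe and svc.exe were built from the reviewed files,
# tool.exe picked up the post-review parser.
CERTIFICATES: Dict[str, Dict[str, str]] = {
    "app.exe": birth_certificate(REVIEWED),
    "svc.exe": birth_certificate({"parser.c": REVIEWED["parser.c"]}),
    "tool.exe": birth_certificate({"parser.c": TAMPERED_PARSER,
                                   "main.c": REVIEWED["main.c"]}),
}


def verify(certificate: Dict[str, str],
           reviewed: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Check every file the binary was built from against the reviewed copy.
    Returns (ok, paths missing from the review or whose bytes differ)."""
    problems = []
    for path, expected in certificate.items():
        content = reviewed.get(path)
        if content is None or sha256_hex(content) != expected:
            problems.append(path)
    return (not problems, sorted(problems))


def binaries_containing(certificates: Dict[str, Dict[str, str]],
                        source_hash: str) -> List[str]:
    """Second use case: every binary whose certificate embeds this source hash."""
    return sorted(name for name, cert in certificates.items()
                  if source_hash in cert.values())


if __name__ == "__main__":
    for name, cert in CERTIFICATES.items():
        print(name, verify(cert, REVIEWED))
    print(binaries_containing(CERTIFICATES, sha256_hex(REVIEWED["parser.c"])))
```

Three caveats apply to any real deployment. The hash covers the exact bytes the compiler read, so any line-ending or encoding normalization must happen identically on the review side. The certificate itself has to be integrity-protected (signed, or carried in a file referenced by a signed binary), or an attacker who swaps the source can swap the recorded hashes too. And a match proves the binary came from the reviewed files; it says nothing about the compiler that produced it.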

To learn more about evolving threats to the ICT supply chain, best practices, and Microsoft’s strategy, check out our webinar, Supply Chain Security: A Framework for Managing Risk.

3 ways to outsmart attackers by using their own playbook Tue, 21 Mar 2017 16:00:44 +0000

This blog post was authored by Andrej Budja, Frank Brinkmann, Heath Aubin, Jon Sabberton and Jörg Finkeisen from the Cybersecurity Protection Team, part of the Enterprise Cybersecurity Group.

The security landscape has changed.

Attackers often know more about the target network and all the ways they can compromise an organization than the targeted organization itself. As John Lambert writes in his blog, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win”.

Attackers do think in graphs. Unfortunately, most organizations still think in lists and apply defenses based on asset value, rather than the security relationships between the assets.

So, what can you do to level the playing field? Use the attackers’ playbook against them!

Get ahead by creating your own graph

Start by reading John Lambert’s blog post, then do what attackers do – graph your network. At Microsoft, we are using graphs to identify potential attack paths on our assets by visualizing key assets and security relationships.

While we have not published our internal tools (you can find some similar open source tools on the Internet), we have created a special cybersecurity engagement delivered by our global Microsoft Services team, called Active Directory Hardening (ADH).

The ADH offer uses our tools to help discover and analyze privileged account exposure and provide transition assistance for deviations from the privileged administration recommendations used at Microsoft. The ADH provides assistance by reducing the number of highly privileged Active Directory (AD) administrative accounts and transitioning them into a recommended AD administration model.

Break connections in your graph

Once you have the graph for your AD accounts, you will notice clusters as well as the different paths attackers can use to move laterally on your network. You will want to implement security controls to close those paths. One of the most effective ways to reduce the number of paths is by reducing the number of administrators (this includes users that are local administrators on their workstations) and by using dedicated, hardened workstations for all privileged users – we call these Privileged Access Workstations (PAWs).

These PAWs are deployed from a clean source and make use of modern security controls available in Windows 10. Because PAWs are not used as general purpose workstations (no email or Internet browsing allowed), they provide high security assurances for sensitive accounts and block popular attack techniques. PAWs are recommended for administration of identity systems, cloud services, and private cloud fabric as well as sensitive business functions.
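To make the “graph your network, then break the paths” advice concrete, here is an added example written for this page; it is not Microsoft’s internal tooling or the ADH engagement’s code. It builds a small constructed Active Directory graph of MemberOf, AdminTo and HasSession edges, enumerates the lateral-movement paths from two low-privilege users to Domain Admins, and re-runs the query after each of the two controls recommended above: moving the domain admin’s logons to a PAW, and shrinking the admin population by revoking a group’s local-admin rights. The account, group and host names and the edge set are constructed assumptions.

```python
"""Added example (not Microsoft's internal tooling): attack-path enumeration
over a constructed Active Directory graph, before and after hardening.

Edges: (source, relationship, target)
  MemberOf   user/group is a member of a group
  AdminTo    principal has local administrator rights on a host
  HasSession an account's credentials are exposed on a host by a logon there

Assumptions (not in the original): all names and edges are constructed.
"""
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]

# Constructed environment. dadmin logs on to an ordinary workstation and a server;
# Helpdesk administers both workstations; Domain Users are local admins on WKS01.
EDGES: List[Edge] = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WKS01"),
    ("Helpdesk", "AdminTo", "WKS02"),
    ("WKS01", "HasSession", "srvadmin"),
    ("srvadmin", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "dadmin"),
    ("WKS02", "HasSession", "dadmin"),
    ("dadmin", "MemberOf", "Domain Admins"),
    ("bob", "MemberOf", "Domain Users"),
    ("Domain Users", "AdminTo", "WKS01"),
]


def attack_paths(edges: List[Edge], source: str, target: str,
                 max_len: int = 10) -> List[List[str]]:
    """Depth-first enumeration of simple paths from source to target.
    Every edge type is traversable by an attacker, so labels are ignored here."""
    adj: Dict[str, List[str]] = {}
    for u, _rel, v in edges:
        adj.setdefault(u, []).append(v)
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target:
            paths.append(list(path))
            return
        if len(path) > max_len:
            return
        for nxt in adj.get(node, []):
            if nxt in path:          # cut cycles
                continue
            path.append(nxt)
            walk(nxt, path)
            path.pop()

    walk(source, [source])
    return paths


def move_sessions_to_paw(edges: List[Edge], account: str, paw: str) -> List[Edge]:
    """Control 1: the account logs on only from a hardened PAW, so its credentials
    no longer sit on hosts that ordinary admins control."""
    kept = [e for e in edges if not (e[1] == "HasSession" and e[2] == account)]
    return kept + [(paw, "HasSession", account)]


def revoke_admin(edges: List[Edge], principal: str) -> List[Edge]:
    """Control 2: fewer admins, by dropping one principal's local-admin rights."""
    return [e for e in edges if not (e[0] == principal and e[1] == "AdminTo")]


def demo() -> Dict[str, int]:
    """Path counts to Domain Admins before and after each control."""
    target = "Domain Admins"
    with_paw = move_sessions_to_paw(EDGES, "dadmin", "PAW01")
    fewer_admins = revoke_admin(EDGES, "Helpdesk")
    return {
        "alice_before": len(attack_paths(EDGES, "alice", target)),
        "bob_before": len(attack_paths(EDGES, "bob", target)),
        "alice_after_paw": len(attack_paths(with_paw, "alice", target)),
        "bob_after_paw": len(attack_paths(with_paw, "bob", target)),
        "alice_after_revoke_helpdesk": len(attack_paths(fewer_admins, "alice", target)),
        "bob_after_revoke_helpdesk": len(attack_paths(fewer_admins, "bob", target)),
    }


if __name__ == "__main__":
    for p in attack_paths(EDGES, "alice", "Domain Admins"):
        print(" -> ".join(p))
    print(demo())
```

The numbers make the point of the section: revoking Helpdesk’s admin rights closes alice’s two paths but leaves bob’s untouched, while moving dadmin’s logons to a PAW closes every path at once, because the edge it removes is the one all routes share. Real graphs add further edge types (ACL rights on objects, GPO links, RDP rights) and are built from group membership, local administrator enumeration and session data collected from each host; the query and the reasoning are the same.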

You can develop and deploy PAWs on your own by following our online guide, or you can engage Microsoft Services to help accelerate your adoption of PAWs using our standard PAW offering.

Bolster your defenses

PAWs provide excellent protection for your privileged users. However, they are less effective when your highest privileged accounts (Domain Administrators and Enterprise Administrators) have already been compromised. In this situation, you need to provide Domain Administrators a new, clean, and trusted environment from which they can regain control of the compromised network.

Enhanced Security Administrative Environment (ESAE) builds upon guidance and security controls from PAWs and adds additional controls by hosting highly-privileged accounts and workstations in a dedicated administrative forest. This new, minimal AD forest provides stronger security controls that are not possible in the production environment with PAWs. These controls are used to protect your most privileged production domain accounts. For more information about the ESAE administrative forest and security concepts, please read ESAE Administrative Forest Design Approach.


“If you know your enemy and know yourself you need not fear the results of hundreds of battles”, Sun Tzu, Chinese general, military strategist, 6th Century BCE.

Protecting your valuable assets against sophisticated adversaries is challenging, but it can be made easier by learning from attackers and using their playbook. Our teams are working daily on the latest cybersecurity challenges and sharing our knowledge and experience. Discover more information in the following resources:

About the Cybersecurity Protection Team

Microsoft invests more than a billion dollars each year to build security into our products and services. One of the investments is the global Enterprise Cybersecurity Group (ECG) which consists of cybersecurity experts helping organizations to confidently move to the cloud and modernize their enterprises.

The Cybersecurity Protection Team (CPT) is part of ECG, and is a global team of Cybersecurity Architects that develops, pilots, and maintains cybersecurity offerings that protect your critical assets. The team works closely with other Microsoft teams, product groups, and customers to develop guidance and services that help protect your assets.

What’s new in the Windows Defender ATP Creators Update preview Mon, 13 Mar 2017 16:00:22 +0000

This blog is authored by Avi Sagiv, Principal Program Manager, Windows Defender ATP.

Security is top of mind for all our customers. At Microsoft, we’re building a platform that looks holistically across all the critical end-points of today’s cloud and mobile world. Our platform investments across identity, applications, data, devices, and infrastructure take a comprehensive approach that is inclusive of the technologies our customers are using.

As we continue to invest in delivering enhanced security to your endpoints, we wanted to give you an update on what’s new in the Windows Defender ATP Creators Update preview.

We’ve been experiencing great momentum – we now help protect a large number of customers on nearly 2 million devices worldwide. Protecting so many customers brings greater responsibility: we’re diligently tracking advances in sophisticated attacks, and listening to feedback from our Windows Defender ATP customers. We leverage our cloud service to continuously introduce new features, and are adding major enhancements to the OS-integrated sensor technologies in the Windows Creators Update.

Today, we are excited to share details of these enhancements and invite you to register for our Creators Update trial to experience the new capabilities yourself.

Some highlights of what’s inside:


Windows Creators Update improves our OS memory and kernel sensors to enable detection of attackers who are employing in-memory and kernel-level attacks, shining a light into previously dark spaces where attackers hid from conventional detection tools. We’ve already successfully leveraged this new technology against zero-day attacks on Windows.

Figure 1: Alert process tree of a token modification

We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and machine-learning detection library to counter changing attacks trends.
Our historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed. Customers can also add customized detection rules or IOCs to augment the detection dictionary.


Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender Antivirus detections and Device Guard blocks are the first to surface in the Windows Defender ATP portal, interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allowing us to track attackers moving laterally across the network.

Figure 2: User Entity page, showing all insights related to a specific user

Our alert page now includes a new process tree visualization that aggregates multiple detections and related events into a single view that helps security teams reduce the time to resolve cases by providing the information required to understand and resolve incidents without leaving the alert page.

SecOps can hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs, behaviors, machines, or users. They can do this immediately by searching the organization’s cloud inventory, across all machines – and going back up to 6 months in time – even if machines are offline, have been reimaged, or no longer exist.


When detecting an attack, security teams can now take immediate action: isolate machines, ban files from the network, kill and quarantine running processes or files, or retrieve an investigation package from a machine to provide forensic evidence – with a click of a button. Because while detecting advanced attacks is important – shutting them down is even more so.

Figure 3: Machine-level response actions

Come experience these features in the Creators Update trial, and tell us what you liked and what you’d like to see in the future. Join us for free.

What’s new in Microsoft’s SDL Thu, 23 Feb 2017 20:00:58 +0000

This post is authored by Andrew Marshall, Principal Security Program Manager, Security Engineering.

For well over a decade, Microsoft has been committed to designing, developing, and testing software in a secure and trustworthy manner and sharing the Security Development Lifecycle (SDL) methodology and resources with the software development community. We are continuing to make investments into the evolution of the SDL and resources we provide to enable the ecosystem to adapt to new technology and the ever-changing threat landscape.

Today, we’re announcing an important new round of updates and technical content additions to the SDL website. These updates are rolled out to provide up to date guidance and best practices that evolve with the Security Development Lifecycle. We’ve made updates to security tooling guidance, compiler and cryptographic recommendations, and the SDL Developer Starter Kit.

The SDL represents our strategic investment in improving security across the ecosystem and over the next few months we will make additional changes to the Security Development Lifecycle website. Check back for new content detailing how you can implement SDL in the world of Continuous Release/Continuous Development and Dev Ops.

How to create an effective cyber hygiene program Mon, 20 Feb 2017 17:00:25 +0000

This post is authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group.

As noted in the 2016 Verizon Data Breach Investigations Report, 63% of confirmed breaches involved leveraging weak, default or stolen passwords, 30% of phishing messages were opened in 2015, and 12% of targets clicked on the malicious attachment or link. Given this, organizations of all types can make significant gains in their security posture by educating their user base on best practices for digital engagement and cyber hygiene.

Yet, headlines like this recent story in Dark Reading, The Sorry State Of Cybersecurity Awareness Training, speak to the reality that user education is one of the most under-invested and under-appreciated aspects of cybersecurity. Many organizations require an annual online training program to meet compliance requirements, but rarely invest in broad, robust, ongoing training that accounts for the changing threat landscape and the vastly differing roles of end users.

I’ve seen these same organizations invest heavily in tools to defend and detect within their environment, all the while overlooking the most vulnerable part of the security infrastructure – the end user. Forbes reported “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years according to a 2015 analysis of numbers from the Bureau of Labor Statistics by Peninsula Press” (January, 2016).  Therefore, organizations cannot rely solely on technology or security professionals to keep their data and infrastructure safe and secure. Threats are evolving, spear phishing is increasing, and users are being specifically targeted. It is incumbent upon the industry to also change the way we approach user education.

There are several aspects to consider when educating users:

  • Where do you focus your efforts?
  • What is the risk profile of your user population? Have you classified your users much like you do your data?
  • Is your directory up to date? Are your privileges appropriate?
  • Who is the population, i.e. are they computer literate?
  • What is the user accessing, i.e. classified, sensitive or confidential data?
  • What systems are they using, i.e. company issued, BYOD, managed, unmanaged?
  • How does your team learn best and how do you reinforce learnings?
  • How do you make complex security concepts consumable?

Create an effective cyber hygiene awareness program

  1. Lead by example
    Creating a program takes focus, effort and commitment at the executive level to take cybersecurity education seriously. Internal stakeholders can cite numerous studies and use the wide range of industry data points to provide a business case and justification for the training. The average cost of each lost or stolen record containing sensitive information has reached $158 USD according to the Ponemon Institute, and this figure does not include loss of business and customer loyalty from damage to the brand. Justifying the benefits of cybersecurity awareness is straightforward. Getting support and buy-in at the highest levels of an organization, though more challenging, is key to setting the tone both for adherence to the effort and for continued investment in it.
  2. Keep it top of mind
    An annual program may be a good start, but the lessons learned are too soon forgotten and are not likely to turn into good habits. To truly create a sustainable program, training needs to be ongoing, not just annual. It must be flexible enough to accommodate lessons from new security events and attack types. Outside of the standard red/blue teaming efforts, web-based training, employee awareness posters, and scenario drills for the average user are all good methods for staying in the forefront of end users’ minds and practice. In addition, put in place an outspoken executive sponsor for security awareness. It takes someone with enough credibility to foster trust and ongoing dialogue with the CISO as well as employees on the impact of best practices. Taking it a step further for larger organizations, I recommend creating cybersecurity champions at the department level to maintain the culture throughout the company’s end user populations and geolocations. If you want to start small, something as simple as requiring privacy screens for anyone handling sensitive data is a good way to raise awareness and encourage employees to educate one another on best practices.
  3. Make it compulsory not perfunctory
    For many employees, online training is a time investment not well spent that takes away from bigger priorities. However, the task of completing frequent security training needs to become a vital job requirement, and viewed as critically important. This can potentially be accomplished by communicating broadly on the number of persons trained and sharing metrics about the security posture of each department, month to month, as well as reporting your security program’s relative standing compared to other training programs in the organization.
  4. Keep it simple
    If a full-blown program is not within reach right away, you can still make significant gains with awareness of the top three security risks. Weak passwords, phishing and thoughtless clicking on attachments, against better judgement, are still the primary ways in for attackers. Remind users of best practices to avoid becoming a victim, and explore ways to automate enforcement so that you can limit the risk to others from infected devices.

There is no silver bullet for addressing rapidly increasing threats. The combination of risk-based policies, technology controls, solid audits and user education can go a long way toward mitigating your organization’s risk.

Sharing Microsoft learnings from major cybersecurity incidents Wed, 15 Feb 2017 18:00:08 +0000 This post is authored by Mark Simos, Director of Business Development and Strategy, Enterprise Cybersecurity Group.

Microsoft has assisted customers with the investigation of, and recovery from, cybersecurity attacks for well over a decade. This effort began informally when our IT department and product groups came to the aid of customers encountering attacks in their environments. Since those early days, the volume and complexity of incidents has required Microsoft to scale up its efforts to include full-time professional investigation and recovery teams. These teams are typically engaged on one or more major investigations in any given week throughout the year. If you are experiencing a targeted attack, you can rapidly engage our Global Incident Response and Recovery teams through Microsoft Premier Support.

Incident Response Reference Guide

Because the challenges that our customers face during incident response and recovery are both technical and non-technical, we recently embarked upon an effort with partner organizations to provide our customers with comprehensive incident management guidance.

The results of this effort have been compiled into an Incident Response Reference Guide. It is available for download, and we are distributing a printed version at the Microsoft booth during the RSA conference in San Francisco this week.

This guidance describes the learnings and recommendations that our organizations have made along the technical, operations, legal, and communications dimensions. It is designed to help you prepare for and meet critical needs during a major cybersecurity incident, as well as to avoid common errors.

The recommendations in this guide can help organizations prepare for and address security incidents of many severities, though it focuses primarily on major incidents in which administrative access has been compromised.

This guidance is designed to enable you to:

  1. Prepare for a crisis by reducing risk to your organization
  2. Better manage a crisis, whether or not you have made prior preparations

The tips and guidance in this document are designed to provide insights to organizations facing their first incident, as well as to seasoned professionals who manage persistent adversary operations regularly. It is based on our collective experience across a wide range of Fortune 1000® companies and government agencies. We would love to hear your feedback on how this document helped you and how to improve it. You can reach us at

Beyond the Guide

As our teams travel the globe helping customers and fighting cybercrime, the lessons from this work continuously influence Microsoft products, public guidance, and how we help future customers. Several key pieces of guidance we have published have been informed by this experience, including Versions 1 and 2 of Mitigating Pass-the-Hash and Other Credential Theft, Best Practices for Securing Active Directory, and a new type of guidance that outlines a prioritized security strategy for these attacks, the Securing Privileged Access (SPA) roadmap (online SPA training available here). Microsoft has also contributed to efforts like the NIST 800-184 Guide for Cybersecurity Event Recovery to share our lessons learned.

Additionally, many of our products and features have been directly influenced by our incident response and recovery experience. These include Windows Defender Advanced Threat Protection (ATP), Advanced Threat Analytics (ATA), Windows Server 2016 Shielded VMs, Virtualization Based Security (VBS) in Windows 10 that includes Credential Guard, Microsoft Identity Manager’s Privileged Access Management Capability (MIM-PAM), and many others.

What causes an incident to have a major impact on an organization varies, depending on the business or mission. However, we have found that most major incidents involve the compromise of administrative access to most or all enterprise IT systems (as happens in the targeted attacks frequently reported in the press). Based on the prevalence of credential theft techniques that lead to compromise of administrative rights, Microsoft has open sourced the instructions for building the privileged access workstations (PAWs) that our cybersecurity professional services personnel deliver. This architecture is based on lessons from attacks on our customers as well as experience deploying secure access workstations internally for administrators of our own IT systems.

Learn from over a decade of experience helping our customers recover from major incidents by downloading the Incident Response Reference Guide today.

Upgraded Microsoft Trust Center adds rich new content Mon, 13 Feb 2017 17:00:36 +0000 This post is authored by David Burt, Senior Product Manager, Cloud Platform Marketing.

A little over a year ago, we launched the Microsoft Trust Center at, which unified trust-related resources across our enterprise cloud services.  This week, we launched a completely redesigned and greatly expanded site with new content including EU General Data Protection Regulation (GDPR) guidance, audit reports, and security assessments.

The Trust Center is an important part of the Microsoft Trusted Cloud initiative and provides support and resources for information professionals, as well as the legal and compliance community. The Trust Center offers a rich set of resources, including in-depth information about security, privacy, and compliance offerings, policies, features, and practices across our cloud products, including Azure, Dynamics 365, Office 365, Power BI, Visual Studio Team Services, and Windows Server 2016. Each content area is supplemented by a curated collection of hundreds of the most applicable and widely-used resources for each topic.

New enhancements to the Trust Center include:

We are committed to providing you with guidance, documentation, and support you need to meet your security, privacy, and compliance goals. We will continuously improve the Trust Center to help make your job easier.