Microsoft Secure Blog In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance Wed, 26 Apr 2017 16:00:34 +0000 en-US hourly 1 Supply chain security demands closer attention Wed, 26 Apr 2017 16:00:34 +0000 Read more »]]> Often in dangerous situations we initially look outwards and upwards for the greatest threats. Sometimes we should instead be looking inwards and downwards. Supply chain security in information and communication technology (ICT) is exactly one of those situations where detailed introspection could be of benefit to all concerned. The smallest security breach can have disastrous implications, irrespective of whether the attackers’ entry point is within one’s own system or within that of a supplier. ATM breaches, which can expose hundreds of millions of people’s personal information, are one example of how an attack can occur via a contractor.

My experience over the last fifteen or more years of cybersecurity policy work is that in a diverse, globalized and interconnected world, supply chains can pose a major cybersecurity threat if left unmanaged. Many products are built up from elements that are created and modified by different companies in different places. This is as true of software as it is of hardware. Global supply chains create opportunities for the introduction of counterfeit elements or malicious code. The problem is not concentrated in one region and the consequences can be global.

The situation not wholly new nor is it wholly unknown. From Microsoft’s perspective, based on our experience in the cyber supply chain risk management (C-SCRM) space and in line with our broad approach to all cybersecurity issues, the best approach to validating ICT products and components is risk-based. If I was to put forward basic elements of a supply chain risk management stance they would include:

  • A clear understanding of the critical supply chain risks that need to be mitigated, which will require regular evaluation and adjustment as threats or technologies change;
  • Principles and practices that take account of the lifecycle of threats whilst promoting transparency, accountability and trust between companies themselves and between companies and the authorities;
  • An understanding that flexibility is critical, given i) vendors’ differing business models and markets, and ii) that seemingly simple changes in technology can rapid change threat models; and,
  • A holistic approach to C-SRCM-based technical controls, operational controls, and vendor & personnel controls.

In addition to effective risk management, I can see a clear case for international standards in international supply chains. If we recognize that even the smallest weakness in a jurisdiction “over there” might be a way in for cyber criminals “over here”, international standards would be a common basis for judging whether or not a supply chain can be secure in its fundamentals.

Governments considering how to make their ICT supply chains more secure need to solicit industry feedback on their proposals. Indeed, I would argue that public-private partnerships to develop supply chain proposals are the best way to approach the issue. Both states and companies gain by cooperating in the fight against supply chain-led cyberattacks.

Microsoft depends on the trust our customers place in our products and as a multinational company, we understand the relevance of secure cross-border supply chains. So, even if C-SCRM is rarely the first thing considered when looking at cybersecurity, we will continue to make the case for a comprehensive and global approach to securing ICT supply chains that is risk-based, transparent, flexible and standards-led.

How future policy and regulations will challenge AI Tue, 25 Apr 2017 16:00:31 +0000 Read more »]]> I recently wrote about how radical the incorporation of artificial intelligence (AI) to cybersecurity will be. Technological revolutions are however frequently not as rapid as we think. We tend to see specific moments, from Sputnik in 1957 to the iPhone in 2007, and call them “game changing” – without appreciating the intervening stages of innovation, implementation and regulation, which ultimately result in that breakthrough moment. What can we therefore expect from this iterative and less eye-catching part of AI’s development, looking not just at the technological progress, but its interaction with national policy-making process?

I can see two overlapping, but distinct, perspectives. The first relates to the reality that information and communication technology (ICT) and its applications develop faster than laws. In recent years, examples of social media and/or ride hailing apps have seen this translate into the following regulatory experience:

  1. Innovation: R&D processes arrive at one or many practical options for a technology;
  2. Implementation: These options are applied in the real world, are refined through experience, and begin to spread through major global markets;
  3. Regulation: Governments intervene to defend the status quo or to respond to new categories of problem, e.g. cross-border data flows;
  4. Unanticipated consequences: Policy and technology’s interaction inadvertently harms one or both, e.g. the Wassenaar’s impact on cybersecurity R&D.

AI could follow a similar path. However, unlike e-commerce or the shared economy (but like nanotechnology or genetic engineering) AI actively scares people, so early regulatory interventions are likely. For example, a limited focus on using AI in certain sectors, e.g. defense or pharmaceuticals, might be positioned as more easily managed and controlled than AI’s general application. However, could such a limit really be imposed, particularly in the light of potential for transformative creative leaps that AI seems to promise? I say that would be unlikely – resulting in yet more controls. Leaving aside the fourth stage of unknown unknowns of unanticipated consequences, the third phase, i.e. regulation, would almost inevitably run into trouble of its own by virtue to having to legally define something as unprecedented and mutable as AI. It seems to me, therefore, that even the basic phases of AI’s interaction with regulation could be fraught with problems for innovators, implementers and regulators.

The second, more AI-specific perspective is driven by the way its capabilities will emerge, which I feel will break down into three basic stages:

  1. Distinction: Creation of smarter sensors;
  2. Direction: Automation of human-initiated decision-making;
  3. Delegation: Enablement of entirely independent decision-making.

Smarter sensors will come in various forms, not least as part of the Internet of Things (IoT), and their aggregated data will have implications for privacy. 20th century “dumb lenses” are already being connected to systems that can pick out number plates or human faces but truly smart sensors could know almost anything about us, from what is in our fridge and on our grocery list, to where we are going and whom we will meet. It is this aggregated, networked aspect of smarter sensors that will be at the core of the first AI challenge for policy-makers. As they become discriminating enough to anticipate what we might do next, e.g. in order to offer us useful information ahead of time, they create an inadvertent panopticon that the unscrupulous and actively criminal can exploit.

Moving past this challenge, AI will become able to support and enhance human decision-making. Human input will still be essential but it might be as limited as a “go/no go” on an AI-generated proposal. From a legal perspective, mens rea or scope of liability might not be wholly thrown into confusion, as a human decision-maker remains. Narrow applications in certain highly technical areas, e.g. medicine or engineering, might be practical but day-to-day users could be flummoxed if every choice had unreadable but legally essential Terms & Conditions. The policy-making response may be to use tort/liability law, obligatory insurance for AI providers/users, or new risk management systems to hedge the downside of AI-enhanced decision-making without losing the full utility of the technology.

Once decision-making is possible without human input, we begin to enter the realm of speculation.  However, it is important to remember that there are already high-frequency trading (HFT) systems in financial markets that operate independent of direct human oversight, following algorithmic instructions. The suggested linkages between “flash crash” events and HFT highlight, nonetheless, the problems policy-makers and regulators will face. It may be hard to foresee what even a “limited” AI might do in certain circumstances, and the ex-ante legal liability controls mentioned above may seem insufficient to policy-makers should a system get out of control, either in the narrow sense of being out of the control of those people legally responsible for it, or in the general sense of it being out of control of anybody.

These three stages would suggest significant challenges for policy-makers, with existing legal processes losing their applicability as AI moves further away from direct human responsibility. The law is, however adaptable, and solutions could emerge. In extremis we might, for example, be willing to add to the concept of “corporate persons” with a concept of “artificial persons”. Would any of us feel safer if we could assign legal liability to the AIs themselves and then sue them as we do corporations and businesses? Maybe.

In summary then, the true challenges for AI’s development may not exist solely in the big ticket moments of beating chess masters or passing Turing Tests. Instead, there will be any number of roadblocks caused by the needs of regulatory and policy processes systems still rooted in the 19th and 20th centuries. And, odd though this may sound from a technologist like me, that delay might be a good thing, given the potential transformative power of AI.


4 steps to managing shadow IT Mon, 24 Apr 2017 16:00:37 +0000 Read more »]]> Shadow IT is on the rise. More than 80 percent of employees report using apps that weren’t sanctioned by IT. Shadow IT includes any unapproved hardware or software, but SaaS is the primary cause in its rapid rise. Today, attempting to block it is an outdated, ineffective approach. Employees find ways around IT controls.

How can you empower your employees and still maintain visibility and protection? Here are four steps to help you manage SaaS apps and shadow IT.

Step 1: Find out what people are actually using

The first step is to get a detailed picture of how employees use the cloud. Which applications are they using? What data is uploaded and downloaded? Who are the top users? Is a particular app too risky? These insights provide information that can help you develop a strategy for cloud app use in your organization, as well as indicate whether an account has been compromised or a worker is taking unauthorized actions.

Step 2: Control data through granular policies

Once you have comprehensive visibility and understanding of the apps your organization uses, you can begin to monitor users’ activities and implement custom policies tailored to your organization’s security needs. Policies like restricting certain data types or alerts for unexpectedly high rates of an activity. You can take actions when there are violations against your policy. For instance, you can take a public link and make it private or create a user quarantine.

Step 3: Protect your data at the file level

Protecting data at the file level is especially important when data is accessed via unknown applications. Data loss prevention (DLP) policies can help ensure that employees don’t accidentally send sensitive information, such as personally identifiable information (PII) data, credit card numbers, and financial results outside of your corporate network. Today, there are solutions that help make that even easier.

Step 4: Use behavioral analytics to protect apps and data

Through machine learning and behavioral analytics, innovative threat detection technologies analyze how each user interacts with the SaaS applications and assess the risks through deep analysis. This helps you to identify anomalies that may indicate a data breach, such as simultaneous logons from two countries, the sudden download of terabytes of data, or multiple failed-logon attempts that may signify a brute force attack.

Where can you start?

Consider a Cloud Access Security Broker (CASB). These solutions are designed to help you achieve each of these steps in a simple, manageable way. They provide deeper visibility, comprehensive controls, and improved protection for the cloud applications your employees use—sanctioned or unsanctioned.

To learn why CASBs are becoming a necessity, read our new e-book. It outlines the common issues surrounding shadow IT and how a CASB can be a helpful tool in your enterprise security strategy.

Read Bring Shadow IT into the Light.


Navigating cybersecurity in the New Age Thu, 20 Apr 2017 16:00:11 +0000 Read more »]]>

In today’s rapidly evolving tech landscape, tools, gadgets, and platforms aren’t the only things advancing. Cyberattacks are becoming more powerful, wide-ranging, and harmful to organizations around the globe.

For any enterprise, cybersecurity is one of the most essential factors to business success. With new and emerging technology, leaders have to explore modern security needs via stronger, more intelligent solutions. Today, the modern security officers must:

  • Recognize the intricacies of the cyberspace and the cyberattacks that threaten it
  • Take advantage of machine learning and cloud platforms that enhance security
  • Gain insights to top trends and the future of the cybersecurity industry

Navigating today’s advanced cyber threats is a team effort. Organizations must learn new skills to protect themselves from cyber criminals and ensure infrastructure security. It takes a team of security experts, analysts, IT specialists, and risk assessors to restructure and refine cybersecurity.

On May 10th, Microsoft will live stream from the Security Summit, an invitation-only event for Chief Information Security Officers.  Attend the live, Virtual Security Summit to hear from leading security experts about best practices and solutions to keep your organization safe.

Don’t miss out on the opportunity to gain insights and learn how to protect your organization, detect, and respond to evolving cyberattacks.



Is social engineering the biggest threat to your organization? Wed, 19 Apr 2017 16:00:24 +0000 Read more »]]>

“Always remember: Amateurs hack systems. Professionals hack people.” –Bruce Schneier, CTO, Counterpane Internet Security, Inc.

All over the globe, social engineering is a dominant and growing threat to organizational security. Since January 2015, the number of social engineering victims identified by the FBI has increased 270%, costing businesses more than $2.3 billion.

Social engineering happens when a hacker uses manipulation, influence, or deception to get another person to release information or to perform some sort of action that benefits them. Essentially it just comes down to tricking people into breaking normal security procedures such as divulging a password.

Some common types of social engineering include:

  • Spear phishing – sending an email that appears to be from someone you trust, such as the CEO or corporate IT, requesting you to take an action that makes confidential information vulnerable.
  • Dumpster diving – rummaging through the trash to try to find confidential information like design documents with IP information, marketing plans, employee performance plans, or even organizational charts and phone lists.
  • 10 degrees of separation – appearing to have a shared connection you trust to make you feel more secure about discussing confidential information.

No matter how strong your technical security is, your organization’s people are often the most vulnerable link in the chain. But, with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering.

To learn how to implement strong security policies and build a security-aware culture to help protect your organization from social engineering risks, check out the Insider’s Guide to Social Engineering.

Strategies to build your cybersecurity posture Tue, 18 Apr 2017 16:00:05 +0000 Read more »]]> This post is authored by Michael Montoya, Executive Advisor, Enterprise Cybersecurity Group Asia Region.

“You clicked on an infected message…” In my prior life of managing an enterprise email environment, I started thousands of messages with that response to the victims of the infamous “love bug” email.

Looking back, this was a simple task compared to what we now face. Over the past 20 years, I have been on the front lines of the cybersecurity battlefield and fortunate to serve among some of the greatest professionals in our industry. During this time, I have witnessed the landscape shift from annoying hacker hobbyists to the advanced tactics of nation-states and well-funded organized cyber-criminals. The evolution of attacks is advancing at a record pace, and we are at full throttle inside a digital transformation, I don’t suspect any slowing of the pace of innovation coming from threat actors. In fact, trends indicate the opposite. We have the rise of cyber-terrorists, improving anti-forensics approaches, and non-malware approaches to attacks using in-memory, PowerShell-based, and WMI-based, to name a few.

“How do we stop these new threat actors?” is a common question I am asked. Unfortunately, the landscape is far too complex for a simple answer, and the more appropriate question is “How can we maximize the cost of an attack, for the attackers, so these threat actors leave us alone?” Similarly, if your home is more difficult to rob than your neighbor, you become a much less attractive target. Therefore, how can we increase our security posture in a world where the “identity” is the new network edge, all the while that identity works in coffee shops, airports and wifi hotspots around the globe? If your security posture relies on a human firewall to determine if a website or document is malicious, then you may be the most desirable house in the neighborhood for criminals.

In my years of leading operational teams and working among many of the greatest minds and enterprises, I have picked up keen insights that can improve security hygiene and increase the difficulty for any attacker. Before we dive in, state one truth loud and clear: “I am already breached”. This doesn’t necessarily translate to you being under a hostile attack, but the “assume breach” posture sets a very important tone, and unfortunately is likely to be your reality.

In Asia, we especially find enterprise security is commonly based on firewalls and legacy antivirus technologies. Given this reality, we find that an overwhelming, and I mean OVERWHELMING, majority of endpoints have evidence of malicious artifacts, i.e. they have already been breached.

According to a recent FireEye report, we find that a majority of attacks in Asia go undetected for as many as 520 days and 55% of the time are detected by external entities, not by our firewalls and antivirus technologies! Our numbers in Asia are improving, as well as globally, but not fast enough.

Now that we have assumed breach, how can we increase the cost of an attack? Here are 5 essentials that I have witnessed make a difference:

  1. Hygiene matters. Remember our parents always saying, “wash your hands”? Turns out they were right! Same is true in technology. Here are the minimum operating guidelines and the operational security equivalent to washing your hands:
    • Know your environment, especially your high value assets
    • Patch and install maintenance updates, prioritize your high value assets
    • Use complex passwords and encryption
    • Implement hardened administration and networks
    • Maintain logging
  2. Endpoint modernization. Many of us have modernized in a siloed and bolted-on approach. We have signature-based antivirus, some compliance encryption that drives up our helpdesk calls, and for a few, an endpoint detection and response technology. Each of these likely requires agents consuming critical resources and making our end users shout our names unkindly. The siloed approach requires our operations teams to stitch together and inundate an already overworked Security Info & Event Management system, aka SIEM. A modern endpoint fully integrates these functions and leverages virtualization and container technologies for isolation. The essentials of modern endpoint protection are to:
    • Perform the basics of anti-virus
    • Protect a user’s identity and contain lateral movement
    • Contain ransomware encryption
    • Leverage an intelligence platform to detect indicators of attack and compromise
    • Capture critical information to replay a breach in motion for advanced forensics
  3. Email application protection. There is a common saying in the USA that a “bad day fishing is better than a good day at work”. Allow me to iterate with “a bad day of phishing is a great day at work”. According to the Verizon Data Breach Investigations Report, 77% of modern attacks start with an email where it is too easy to find patient zero. I am surprised by enterprises that continue to implement hygiene services for anti-spam and anti-virus but don’t employ sandboxing or URL rewrite capabilities. Unless we want the human firewall to continue to be our last line of defense, email is a critical application to secure. Vital features are:
    • Anti-Spam/Anti-Virus
    • Sandbox detonation of attachments
    • URL re-write
  4. Intelligence platform. Today’s modern attacks are based on unknowns. This is why signature based technologies like antivirus are not succeeding. Intelligence must be based on a vast data set that can model indicators of attack and indicators of compromise quickly, then deliver these through technology. Enterprises that have developed this platform are at a distinct advantage to better hunt and detect the unknown behaviors that may result in an attack.
  5. Cybersecurity response and operations. People remain a critical component to success. There is no ignoring the shortage of professionals in security, and the demand continues to grow. According to Michael Brown, CEO of Symantec, to help defend us in this new space, “The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019.…” In a recent post, Ann Johnson, VP of the Enterprise Cybersecurity Group at Microsoft, championed an important best practice and case for change to help us address this shortage. Ensuring readiness, training and advanced operations are in place is critical. I am never surprised with the silence I often receive when I ask: “What is your first step in your cyberbreach response plan when you have detected a breach?” This needs to be a top priority of any CISO and CIO. Microsoft recently published a reference guide to address incident response. The response plan must include the technology team, executives, legal, marketing, risk and other relevant business stakeholders. Too many times these plans include only the technology teams. Next, enterprises must reduce the noise of alerts and ensure that their detection efficacy is feeding them the alerts that matter. The operations teams must move from reactive alert management to proactive hunting by sweeping endpoints and environments for malicious behavior and artifacts. The latest innovation in threats is non-malware attacks – where threat actors leverage system processes like WMI and Powershell to fly beneath the radar. Identifying these abnormalities with managed sweeps is a new critical operational process. Additionally, the operations teams must consistently run red team/blue team drills to refine their skills and identify potential weak points. Furthermore, adopt an Incident Command System (ICS) for Crisis Management and include executives, legal, marketing, finance, risk and other critical business functions in the incident response plans. Enterprises who have adopted these tactics are at a distinct advantage.

The positives of digital transformation far outweigh the risks and changing threat landscape. We must all assume we have been breached and transform our people, technology and processes to decrease the time it takes to detect a compromise and remediate. Making it more expensive for a threat actor is the biggest deterrence and the steps above significantly increase the hacker cost per comprise.

Michael Montoya is a 20-year veteran of the IT industry, currently serving an Executive Security Advisor in the Asia Pacific Region in the Enterprise Cybersecurity Group at Microsoft.  In this role, he regularly consults enterprise executives and governments in cybersecurity issues, and is a frequent featured speaker at IT conferences around the globe.

How to protect yourself from cloud attacks Mon, 17 Apr 2017 19:00:29 +0000 Read more »]]> As organizations are rapidly making the move to the cloud, safeguarding cloud resources against advanced cyber threats has become a top priority. Sophisticated attack vectors require a new approach to security. How can you leverage unique insights into a variety of threats to help defend against cloud attacks?

To learn more about how to keep your cloud secure—especially in this ever-present era of cybercrime—join our webinar, Take your cloud security to the next level: How to protect yourself from cloud attacks on April 18, 2017 at 10:00 AM PST. Register now.

This webinar will explore the threat landscape and the anatomy of common cloud attacks, how to detect, prevent and rapidly respond to attacks and leverage insights and analytics to defend yourself against threats. You will learn how Azure Security Center + Operations Management Suite can help you gain visibility and control, prevent and detect cyber-attacks and leverage analytics to help prevent future attacks.

There will be live Q&A with some of Microsoft’s foremost security experts. You don’t want to miss out—reserve your webinar seat today.

Explore more about our unique approach to security at Microsoft Secure.

How Microsoft is securing the information and communication supply chain Mon, 17 Apr 2017 16:00:05 +0000 Generally speaking, scrutiny of supply chain security for critical infrastructure is on the rise. Governments around the globe are increasingly paying attention to this issue, a fact which is reflected in recently developed and currently developing policies. That being said, the same principled and risk-based approach applies to managing risk in the supply chains of critical infrastructure as in those in supply chains more generally. The most effective requirements in this space result from governing bodies leveraging expertise by utilizing an open, collaborative, and iterative process that engages a range of stakeholders. One example of this approach in action is the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” V 1.1 of this Framework, which is currently out for public comment, contains updates focused largely on supply chain security.

We recently heard from Microsoft leaders on the methods and policies for securing the information and communication technology (ICT) supply chain in our webinar “Supply chain security: A framework for managing risk”. In this blog, we will cover some of the fantastic questions our customers asked and how we responded.

How frequently does Microsoft conduct ‘red team’ pen testing of its products before vs. after fielding?
There are several pen test events that are carried out against our products and services annually, some of which are tied to competitions and educational events. Some of these are open to the hacking community, but many are closed events to ensure product and services integrity and availability.

Supply chain logistics today has to have close to real-time access to personal information to deliver products & services to meet customer demands. What changes do you see coming to protect that information?
Cloud based information protection and the broad application of access controls in a consistent and automated way is the best and most realistic way forward. The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, will require significant changes by organizations all over the world – including Microsoft and our customers. The GDPR represents a paradigm shift in global privacy requirements governing how you respect and protect personal data – no matter where it is sent, processed, or stored. Fundamentally, the GDPR is about protecting and enabling individuals’ rights to privacy, and its goals align with Microsoft’s enduring commitment to a cloud you can trust.

With fraud and piracy increasing in sophistication & capability how will the industry stay ahead of the curve?
Microsoft has a Digital Crimes Unit which is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. In the future, similar means will have the benefit of the kind of automated identification that machine learning can provide to do this at even greater scale.

If the customer requested it, do you have the ability to do external auditing on their behalf? Have you ever had that in a contract internally or with vendors (do you audit vendor security)?
We do not provide audit services to our customers for their consumption. We do perform onsite assessments for our critical suppliers.

Can the panel elaborate on the due diligence Microsoft does on their “fourth party” suppliers, or subcontractors of contractors?
For our suppliers, we ensure that the contracts are clear on our expectations and security requirements not only for them but the suppliers they use as well. Accountability is with the supplier Microsoft contracts with, and if they choose to use a subcontractor, that does not change.

How do I convince my organization to implement supply chain security?
Whether you are working for an organization that provides products or services to governments, enterprises, or consumers, the trust of the purchaser in your output is going to be critical to sales. A principled approach to supply chain risk management can help you establish and/or enhance that trust by demonstrating your commitment to the quality of what you are selling.

Any statistics on actual breaches relating to points of breach?
There are several good reports including Verizon’s annual Data Breach Investigations Report. This report for the most part identifies people as the weakest link with phishing and easy passwords as the first point of breach.

What are the primary components of Microsoft’s vetting process to ensure a reliable vendor? Is there a way that vendors can obtain these requirements beforehand? If so, does that increase or decrease Microsoft’s likelihood of incurring risk?
Vendor onboarding is subject to a mutually agreed upon set of directives for vetting and qualification. These are tailored to Microsoft needs and requirements, so they may vary for other organizations. It is a good practice to discuss these requirements with the vendor prior to onboarding.

If you would like to hear more about the methods and policies for securing the ICT supply chain, watch our webinar Supply Chain Security: A Framework for Managing Risk on-demand.

Learn more about Microsoft’s strategic approach to security at Microsoft Secure.


The two-pronged approach to detecting persistent adversaries Thu, 13 Apr 2017 16:00:00 +0000 Read more »]]> Advanced Persistent Threats use two primary methods of persistence: compromised endpoints and compromised credentials. It is critical that you use tools to detect both simultaneously. With only one or the other in place, you give adversaries more opportunities to remain on your network.

There are many attack vectors within these two main categories, including the use of zero-day attacks, exploiting vulnerabilities or weak defenses, using social engineering, creating hand-crafted malware via malicious implants, and harvesting legitimate credentials. Many cybersecurity tools have incomplete detection controls for these attacks and very little capability to detect harvested credential use. Microsoft has invested heavily in creating tools that empower organizations to address both problems.

Many initial attacks still arrive via e-mail attachment, so e-mail based protection tools are an important first line of defense. Office 365 Advanced Threat Protection helps you protect your mailboxes against new, sophisticated attacks in real time. By protecting against unsafe attachments and malicious links, it can keep e-mail borne attacks at bay.

But not all attacks are carried by e-mail. Windows Defender Advanced Threat Protection (Windows Defender ATP) enables enterprise customers to detect, investigate, and respond to advanced and zero day attacks on their endpoints. It uses built-in behavioral sensors, and machine learning and analytics to detect attacks that have made it past other defenses. Unparalleled threat optics, deep OS security, and big data expertise provide Security Operations (SecOps) correlated, actionable alerts. SecOps can investigate up to six months of historical data in a single timeline and use one-click response actions to effectively contain an incident and remediate infected endpoints. Windows Defender ATP has sensors to trace file, registry, network, processes, memory and kernel activities to help defenders understand what’s happening on the endpoint.

To complement these endpoint detection capabilities, Microsoft Advanced Threat Analytics offers critical insights into suspicious and anomalous user behavior, detecting lateral movement, credential theft activities and indicators of known techniques used by attackers. This is typically the blind spot for network defenders and digital forensics and incident response teams.  By collecting network traffic and events in an environment, and by using machine learning capabilities together with detection of known techniques, Advanced Threat Analytics transforms the noise into relevant Suspicious Activities,  simplifying the task for incident response teams. The earlier response teams can detect the adversary, the better they can prevent the attacker from gaining persistent access on your network.

It is equally important for incident response teams to detect abnormal activities on endpoints directly as well as compromised credentials.

Let’s walk through a practical example.

With the above diagram, an incident response team sees that Windows Defender ATP detected a user level exploit (assuming the application ran in user mode) and raised the first alert for this attack. When the attacker attempts to access the domain controller using a forged Privilege Attribute Certificate (PAC), the attack fails because you have patched your domain controllers for MS14-068. Advanced Threat Analytics detects the failed forged PAC attempt, which is a sign the adversary is active in your environment and attempting to escalate privileges.

Many responders would only inspect User-Workstation-B as Advanced Threat Analytics would identify that asset as the “source computer” of the attack. However, to fully understand the scope of this breach they will have to investigate all machines used by this user to find “patient zero” as well as other impacted endpoints.  By adhering to the “pivot wide” rules of digital forensics and incident response, and with the right tools in place, network defenders would quickly be able to identify the connection from User-Workstation-A to User-Workstation-B and follow that back to the initial compromise.

Without detecting both advanced attacks on the endpoint and compromised credentials, a response and recovery effort would be inadequate.  If you only clean up targeted endpoints but do not reset the affected credentials, the adversary could still have access to the environment.  If you only reset affected credentials, the adversary could still have access to the environment (and would simply re-harvest the new credentials on the systems they have access to)! In both cases, the eviction would fail, and even worse, the security team would report to the corporate board they had addressed the threat and the environment was now secure.

Combining the data and insights from Windows Defender ATP and Advanced Threat Analytics might indeed change your recovery strategy and drive a full investigation.

Using these two capabilities in concert can be game-changing for digital forensics and incident response teams: they can instantaneously search and explore 6 months of historical data across endpoints, visually investigate forensic evidence and deep analysis, quickly respond to contain the attack and prevent reoccurrence.

The power of Microsoft’s unique capabilities is amplified through the Microsoft Intelligent Security Graph.  This is the nexus of information on Indicators of Compromise, authentications, emails, etc.  Threats detected, blocked, and remediated from Windows Defender ATP, Advanced Threat Analytics, and other Microsoft products are added to the Intelligent Security Graph.  As a result, when persistent threats are captured and remediated by one solution, others can immediately start protecting against these threats.

As you evaluate your methods and tools for protecting against Advanced Persistent Threats, consider how you can move away from traditional detection tools that look at a single alert, axis, input or variable. Look for integrated tools, which can help the defender with increased speed and accuracy along with meta-event analysis.

Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site or the Windows Defender ATP team in the TechNet Forum. To learn more about Microsoft’s approach and vision for cybersecurity, visit the Microsoft Secure web site.

Are my IoT deployments secure? Mon, 10 Apr 2017 20:00:10 +0000 Read more »]]> According to IDC, there will be 28.1 billion connected Internet of Things (IoT) devices by 2020. Considering the numerous benefits of IoT—connected assets, predictive analytics, real-time intelligence—this isn’t all that surprising. But what about the inherent risks? IoT-based infrastructure is a wonderful intelligence tool, but, if not properly secured, can open the door for cyberattacks. A recent example of this is the massive hacking operation that brought down Twitter, Reddit, Spotify, and AirBnb in a single night. So, if you want to reap IoT benefits, how can you do it safely?

To learn more about how to keep your IoT deployment secure—especially in this ever-present era of cybercrime—join our webinar, Are my IoT deployments secure? on April 11, 2017 at 10:00 AM PST. Register now.

This webinar will explore the key vulnerabilities hackers exploit to breach your infrastructure, as well as arm you with tips for designing, developing, deploying, and operating an IoT infrastructure you can trust using Azure IoT. You’ll also have the opportunity to participate in a live Q&A with some of Microsoft’s foremost IoT and security experts.

You don’t want to miss out—reserve your webinar seat today.

Explore more about our unique approach to security at Microsoft Secure.