Microsoft Secure Blog: In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance (Atom feed: https://blogs.microsoft.com/microsoftsecure/feed/atom/, last updated 2017-03-22)

A new best practice to protect technology supply chain integrity
Microsoft Secure Blog Staff, 2017-03-22, http://blogs.microsoft.com/microsoftsecure/?p=67206

This post is authored by Mark Estberg, Senior Director, Trustworthy Computing.

The success of digital transformation ultimately relies on trust in the security and integrity of information and communications technology (ICT). As ICT systems become more critical to economic prosperity, governments and organizations around the world are increasingly concerned about threats to the technology supply chain. These concerns stem from fear that an adversary might tamper with or manipulate products during development, manufacture, or delivery. This poses a challenge to the technology industry: If our products are to be fully trusted, we must be able to provide assurance to our customers that the technology they reviewed and approved before deployment is the same software that is running on their computers.

To increase confidence, organizations have increasingly turned to source code analysis: direct inspection of what enters the supply chain by a human expert or an automated tool. Source code is a set of computer instructions written in a programming language that humans can read. This code is converted (compiled) into a binary file of machine instructions, the executable, that a processor can load and run. This conversion from human-readable code to machine code raises an unsettling question: was the machine code, and ultimately the program running on customers' computers, built from the same source files that the expert or tool analyzed? There has been no efficient and reliable method to answer this, even for open source software. Until now.

At Microsoft, we have developed a way to definitively demonstrate that a compiled, machine-readable executable was generated from the same human-readable source code that was reviewed. It is based on the concept of a “birth certificate” for binary files: a set of cryptographic hash values, one per source file, strong enough that each value identifies exactly one file.

As source code is compiled in Visual Studio, the compiler computes a hash value for each source file. The hash algorithm is chosen so that it is computationally infeasible to find a different file that produces the same value (collision resistance), so the hash stands in for the exact contents of the file. By matching the hash values recorded by the compiler against hashes computed from the examined source code files, we can verify that the executable did indeed result from the original source files. Note that the check covers the inputs the compiler consumed; it does not by itself attest to the compiler or the build machine, so the recorded hashes must come from a build you trust.

This method is described in more detail in Hashing Source Code Files with Visual Studio to Assure File Integrity. The paper gives a full description of the new Visual Studio switch for choosing a hashing algorithm, suggested scenarios where such hashes might prove useful, and how to use Visual Studio to generate these source code hashes.

Microsoft believes that the technology industry must do more to assure its stakeholders of the integrity of software and the digital supply chain. Our work on hashing is both a way to help our customers and a way to further how the industry is addressing this growing problem:

  • This source file hashing can be employed when building C, C++, and C# executable programs in Visual Studio.
  • Technology providers can use these hash values in their own software development to track and control source code files, and to demonstrate a strong linkage between those files and the specific executables built from them.
  • Standards organizations can include in their best practices the requirement to take this very specific and powerful step toward authenticity.

We believe that capabilities such as binary source file hashing are necessary to establish adequate trust to fulfill the potential of digital transformation. Microsoft is committed to building trust in the technology supply chain and will continue to innovate with our customers, partners and other industry stakeholders.

Practical applications of digital birth certificates

There are many practical applications for our binary source file hashing capability, including these:

  • Greater assurance through automated scanning. As an automated analysis tool scans the source code files, it can also generate a hash value for each file it scans. Matching the hash values recorded by the compiler with those generated by the analysis tool demonstrates both that the scanned files are the ones compiled into the executable and that those files were scanned with the approved tool.
  • Improved efficiency in identifying vulnerabilities. If a vulnerability is identified in a source file, the hash value of the source file can be used to search among the birth certificates of all the executable programs to identify programs likely to include the same vulnerability.
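
As an added illustration of the birth-certificate idea and of the two applications listed above (matching a scanner's hashes against the build's, and finding every executable built from a file later found to be vulnerable), here is a small Python example. It is not the Visual Studio mechanism or the paper's file format: the certificate is a plain dictionary of SHA-256 values computed by the script, the file and executable names are made up, and the sample sources are created in a temporary directory so the example runs offline. The example also makes the caveat visible: a match shows that the recorded inputs are the reviewed files, and nothing more.

```python
"""Added example of a source-file "birth certificate": a manifest of SHA-256
hashes for every source file that went into a build, which a reviewer can
re-derive from the files they actually inspected. Constructed stand-in for
the hashes Visual Studio records, not the PDB format itself."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's bytes, streamed so large sources are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_certificate(source_paths):
    """What a build step records: {file name: hash} for every compiled input.
    Keys are basenames so a reviewer does not need the build machine's paths."""
    return {os.path.basename(p): hash_file(p) for p in source_paths}


def verify_reviewed_sources(certificate, reviewed_paths):
    """Compare the files a reviewer (or a scanning tool) examined against the
    build's certificate. Returns {file name: status} where status is one of
    match, mismatch, not_in_build (reviewed but never compiled) and
    not_reviewed (compiled but never examined)."""
    reviewed = {os.path.basename(p): hash_file(p) for p in reviewed_paths}
    status = {}
    for name in sorted(set(certificate) | set(reviewed)):
        if name not in certificate:
            status[name] = "not_in_build"
        elif name not in reviewed:
            status[name] = "not_reviewed"
        elif certificate[name] == reviewed[name]:
            status[name] = "match"
        else:
            status[name] = "mismatch"
    return status


def binaries_containing(certificates, file_hash):
    """Second application from the post: given the hash of a source file that
    turned out to be vulnerable, list every executable whose certificate
    records it, without touching the executables themselves."""
    return sorted(exe for exe, cert in certificates.items()
                  if file_hash in cert.values())


def demo():
    """Constructed scenario: three sources, two executables, one post-review
    edit. Returns the intermediate results so they can be checked."""
    sources = {  # constructed sample files, not real code
        "main.c": b"int main(void) { return 0; }\n",
        "parse.c": b"int parse(const char *s) { return *s; }\n",
        "util.c": b"int util(void) { return 1; }\n",
    }
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, body in sources.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(body)
        # Two builds, each recording its own inputs; parse.c is shared.
        certs = {
            "app.exe": build_certificate([paths["main.c"], paths["parse.c"]]),
            "tool.exe": build_certificate([paths["util.c"], paths["parse.c"]]),
        }
        before = verify_reviewed_sources(certs["app.exe"],
                                         [paths["main.c"], paths["parse.c"]])
        # Someone edits parse.c after the review: the certificate no longer matches.
        with open(paths["parse.c"], "ab") as f:
            f.write(b"/* injected after review */\n")
        after = verify_reviewed_sources(certs["app.exe"],
                                        [paths["main.c"], paths["parse.c"]])
        # A vulnerability is later found in the reviewed parse.c: which
        # executables were built from exactly that file?
        affected = binaries_containing(certs, certs["app.exe"]["parse.c"])
    return {"before": before, "after": after, "affected": affected}


if __name__ == "__main__":
    print(demo())
```

Because the certificate is keyed by hash rather than by file name or version, the lookup in `binaries_containing` finds `tool.exe` even though nobody was reviewing that program when the vulnerability in `parse.c` was found.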

To learn more about evolving threats to the ICT supply chain, best practices, and Microsoft’s strategy, check out our webinar, Supply Chain Security: A Framework for Managing Risk.

3 ways to outsmart attackers by using their own playbook
Microsoft Secure Blog Staff, 2017-03-21, http://blogs.microsoft.com/microsoftsecure/?p=67254

This blog post was authored by Andrej Budja, Frank Brinkmann, Heath Aubin, Jon Sabberton and Jörg Finkeisen from the Cybersecurity Protection Team, part of the Enterprise Cybersecurity Group.

The security landscape has changed.

Attackers often know more about the target network and all the ways they can compromise an organization than the targeted organization itself. As John Lambert writes in his blog, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win”.

Attackers do think in graphs. Unfortunately, most organizations still think in lists and apply defenses based on asset value, rather than the security relationships between the assets.

So, what can you do to level the playing field? Use the attackers’ playbook against them!

Get ahead by creating your own graph

Start by reading John Lambert’s blog post, then do what attackers do – graph your network. At Microsoft, we are using graphs to identify potential attack paths on our assets by visualizing key assets and security relationships.

While we have not published our internal tools (you can find some similar open source tools on the Internet), we have created a special cybersecurity engagement delivered by our global Microsoft Services team, called Active Directory Hardening (ADH).

The ADH offering uses our tools to discover and analyze privileged account exposure and provides transition assistance for deviations from the privileged administration recommendations used at Microsoft. It helps reduce the number of highly privileged Active Directory (AD) administrative accounts and transitions them into a recommended AD administration model.

Break connections in your graph

Once you have the graph for your AD accounts, you will notice clusters as well as the different paths attackers can use to move laterally on your network. You will want to implement security controls to close those paths. One of the most effective ways to reduce the number of paths is to reduce the number of administrators (this includes users who are local administrators on their own workstations) and to use dedicated, hardened workstations for all privileged users; we call these Privileged Access Workstations (PAWs).
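
To make the graph idea concrete, here is an added Python example (not Microsoft's internal tooling, and not code from the post) over a constructed Active Directory environment: MemberOf, AdminTo and HasSession edges between made-up users, groups and computers. It enumerates the paths from a compromised user to Domain Admins, counts which nodes the paths share so you know which connection to break first, and then applies two of the controls described above (removing local-admin rights from ordinary users and moving the domain admin's sessions to a PAW) to show the paths disappear. Tools such as BloodHound build the same kind of graph from a real domain.

```python
"""Added example of an attack graph over a constructed AD environment.
Not Microsoft's tooling; every name and relationship below is made up."""

# Edge semantics follow the usual attack-graph convention:
#   ("MemberOf",   principal, group)     principal inherits the group's rights
#   ("AdminTo",    principal, computer)  principal is a local administrator there
#   ("HasSession", computer, user)       user's credentials are live on computer
SAMPLE_EDGES = [
    ("MemberOf", "alice", "Domain Users"),
    ("AdminTo", "alice", "WS-ALICE"),         # local admin on her own workstation
    ("HasSession", "WS-ALICE", "helpdesk1"),  # helpdesk logged on to fix something
    ("MemberOf", "helpdesk1", "Helpdesk"),
    ("AdminTo", "Helpdesk", "WS-ALICE"),
    ("AdminTo", "Helpdesk", "FILE01"),
    ("HasSession", "FILE01", "da-bob"),       # a domain admin used a file server
    ("MemberOf", "da-bob", "Domain Admins"),
]
ADMIN_GROUPS = {"Helpdesk", "Domain Admins"}


def attack_paths(edges, start, target, max_depth=8):
    """Enumerate simple paths from a compromised principal to a target.
    Traversal rule: a principal takes every group it belongs to, controls
    every computer it is AdminTo, and on a controlled computer can steal the
    credentials of every user with a HasSession there. Each path is a list
    of (edge kind, node) steps; the first step's kind is "start"."""
    adj = {}
    for kind, src, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    found = []

    def walk(node, seen, steps):
        if node == target:
            found.append(steps)
            return
        if len(seen) > max_depth:
            return
        for kind, nxt in adj.get(node, []):
            if nxt not in seen:
                walk(nxt, seen | {nxt}, steps + [(kind, nxt)])

    walk(start, {start}, [("start", start)])
    return found


def describe(path):
    """Render a path as: alice -AdminTo-> WS-ALICE -HasSession-> ..."""
    return " ".join(n if k == "start" else "-%s-> %s" % (k, n) for k, n in path)


def choke_points(paths):
    """Count how often each node appears across the paths: the edges into
    the most shared nodes are the connections worth breaking first."""
    counts = {}
    for p in paths:
        for _, node in p:
            counts[node] = counts.get(node, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def harden(edges, admin_groups, paw_for):
    """Apply two controls from the post and return the new edge list:
    1. strip local-admin rights held directly by users rather than by an
       admin group (any AdminTo edge whose source is not an admin group);
    2. move each privileged user's sessions to a dedicated PAW that only
       that user administers, so no other admin can harvest the credential.
    paw_for maps a privileged user to its (made-up) PAW name."""
    out = []
    for kind, src, dst in edges:
        if kind == "AdminTo" and src not in admin_groups:
            continue                                  # control 1
        if kind == "HasSession" and dst in paw_for:
            continue                                  # control 2: no session on shared hosts
        out.append((kind, src, dst))
    for user, paw in paw_for.items():
        out.append(("AdminTo", user, paw))
        out.append(("HasSession", paw, user))
    return out


if __name__ == "__main__":
    before = attack_paths(SAMPLE_EDGES, "alice", "Domain Admins")
    for p in before:
        print(describe(p))
    print("choke points:", choke_points(before))
    hardened = harden(SAMPLE_EDGES, ADMIN_GROUPS, {"da-bob": "PAW-BOB"})
    print("after hardening:", attack_paths(hardened, "alice", "Domain Admins"))
```

Run as-is, the script finds one path from alice's workstation to Domain Admins (through the helpdesk session on her machine and the domain admin's session on FILE01), and none after the two controls are applied; the choke-point count shows FILE01 and da-bob on every path, which is why the PAW control removes them all at once.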

These PAWs are deployed from a clean source and make use of modern security controls available in Windows 10. Because PAWs are not used as general purpose workstations (no email and Internet browsing allowed), they provide high security assurances for sensitive accounts and block popular attack techniques. PAWs are recommended for administration of identity systems, cloud services, and private cloud fabric as well as sensitive business functions.

You can develop and deploy PAWs on your own by following our online guide, or you can engage Microsoft Services to help accelerate your adoption of PAWs using our standard PAW offering.

Bolster your defenses

PAWs provide excellent protection for your privileged users. However, they are less effective when your highest privileged accounts (Domain Administrators and Enterprise Administrators) have already been compromised. In this situation, you need to provide Domain Administrators a new, clean, and trusted environment from which they can regain control of the compromised network.

Enhanced Security Administrative Environment (ESAE) builds upon guidance and security controls from PAWs and adds additional controls by hosting highly-privileged accounts and workstations in a dedicated administrative forest. This new, minimal AD forest provides stronger security controls that are not possible in the production environment with PAWs. These controls are used to protect your most privileged production domain accounts. For more information about the ESAE administrative forest and security concepts, please read ESAE Administrative Forest Design Approach.

Conclusion

“If you know your enemy and know yourself you need not fear the results of hundreds of battles”, Sun Tzu, Chinese general, military strategist, 6th Century BCE.

Protecting your valuable assets against sophisticated adversaries is challenging, but it can be made easier by learning from attackers and using their playbook. Our teams are working daily on the latest cybersecurity challenges and sharing our knowledge and experience. Discover more information in the following resources:

About the Cybersecurity Protection Team

Microsoft invests more than a billion dollars each year to build security into our products and services. One of the investments is the global Enterprise Cybersecurity Group (ECG) which consists of cybersecurity experts helping organizations to confidently move to the cloud and modernize their enterprises.

The Cybersecurity Protection Team (CPT) is part of ECG, and is a global team of Cybersecurity Architects that develops, pilots, and maintains cybersecurity offerings that protect your critical assets. The team works closely with other Microsoft teams, product groups, and customers to develop guidance and services that help protect your assets.

What’s new in the Windows Defender ATP Creators Update preview
Microsoft Secure Blog Staff, 2017-03-13, http://blogs.microsoft.com/microsoftsecure/?p=67173

This blog is authored by Avi Sagiv, Principal Program Manager, Windows Defender ATP.

Security is top of mind for all our customers. At Microsoft, we’re building a platform that looks holistically across all the critical endpoints of today’s cloud and mobile world. Our platform investments across identity, applications, data, devices, and infrastructure take a comprehensive approach that is inclusive of the technologies our customers are using.

As we continue to invest in delivering enhanced security to your endpoints, we wanted to give you an update on what’s new in the Windows Defender ATP Creators Update preview.

We’ve been experiencing great momentum – we now help protect a large number of customers on nearly 2 million devices worldwide. Protecting so many customers brings greater responsibility: we’re diligently tracking advances in sophisticated attacks, and listening to feedback from our Windows Defender ATP customers. We leverage our cloud service to continuously introduce new features, and are adding major enhancements to the OS-integrated sensor technologies in the Windows Creators Update.

Today, we are excited to share details of these enhancements and invite you to register for our Creators Update trial to experience the new capabilities yourself.

Some highlights of what’s inside:

Detection

Windows Creators Update improves our OS memory and kernel sensors to enable detection of attackers who employ in-memory and kernel-level attacks, shining a light into previously dark spaces where attackers hid from conventional detection tools. We have already successfully leveraged this new technology against zero-day attacks on Windows.

[Figure 1: Alert process tree of a token modification]

We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and machine-learning detection library to counter changing attack trends.
Our historical detection capability applies new detection rules to up to six months of stored data, to detect attacks that previously went unnoticed. Customers can also add customized detection rules or IOCs to augment the detection dictionary.

Investigation

Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender Antivirus detections and Device Guard blocks are the first to surface in the Windows Defender ATP portal, interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines, and allows us to track attackers moving laterally across the network.

[Figure 2: User entity page, showing all insights related to a specific user]

Our alert page now includes a new process tree visualization that aggregates multiple detections and related events into a single view. It gives security teams the information required to understand and resolve an incident without leaving the alert page, reducing the time to resolve cases.

SecOps can hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs, behaviors, machines, or users. They can do this immediately by searching the organization’s cloud inventory, across all machines – and going back up to 6 months in time – even if machines are offline, have been reimaged, or no longer exist.
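
The process tree and the cross-machine hunt described above, as an added Python example over constructed telemetry (not Windows Defender ATP code; the machine names, pids, hashes and the 203.0.113.7 address are made up): one function rebuilds the ancestor chain and children of an alerted process from stored process-creation events, the other searches every machine's retained events for a file hash or remote IP within a six-month window, including a machine reimaged months ago whose events are still in the store.

```python
"""Added example (constructed data) of rebuilding an alert's process tree
and hunting for indicators across retained endpoint telemetry."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed process-creation events as a sensor might upload them. Pids
# are unique per machine in this sample; a real sensor keys on a unique
# process identifier because pids are reused once a process exits.
EVENTS = [
    {"machine": "ws01", "ts": "2017-03-01T09:00:00", "pid": 100, "ppid": 4,
     "image": "explorer.exe", "sha256": "a1" * 32, "remote_ip": None},
    {"machine": "ws01", "ts": "2017-03-01T09:05:00", "pid": 200, "ppid": 100,
     "image": "winword.exe", "sha256": "b2" * 32, "remote_ip": None},
    {"machine": "ws01", "ts": "2017-03-01T09:06:00", "pid": 300, "ppid": 200,
     "image": "powershell.exe", "sha256": "c3" * 32, "remote_ip": "203.0.113.7"},
    {"machine": "ws01", "ts": "2017-03-01T09:07:00", "pid": 400, "ppid": 300,
     "image": "dumper.exe", "sha256": "d4" * 32, "remote_ip": None},
    # Same payload hash on a machine reimaged last December: still in the store.
    {"machine": "ws02", "ts": "2016-12-20T11:00:00", "pid": 500, "ppid": 4,
     "image": "svchost.exe", "sha256": "e5" * 32, "remote_ip": None},
    {"machine": "ws02", "ts": "2016-12-20T11:01:00", "pid": 600, "ppid": 500,
     "image": "update.exe", "sha256": "d4" * 32, "remote_ip": None},
]


def process_tree(events, machine, pid):
    """Return (ancestors, descendants) for an alerted process: the chain from
    the root down to it, and every process it spawned, so the analyst sees
    winword -> powershell -> dumper without leaving the alert."""
    by_pid = {e["pid"]: e for e in events if e["machine"] == machine}
    children = {}
    for e in by_pid.values():
        children.setdefault(e["ppid"], []).append(e["pid"])
    chain = []
    cur = by_pid.get(pid)
    while cur is not None:              # stops at a parent the store never saw
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    chain.reverse()
    descendants, todo = [], list(children.get(pid, []))
    while todo:                         # breadth-first over spawned processes
        p = todo.pop(0)
        descendants.append(by_pid[p]["image"])
        todo.extend(children.get(p, []))
    return chain, descendants


def hunt(events, iocs, now_iso, retention_days=183):
    """Search retained events from every machine for any indicator: a file
    hash or a remote IP. The retention window (about six months) applies to
    the event timestamp, so reimaged or retired machines are still searched.
    iocs is {"sha256": {...}, "ip": {...}}; either key may be absent."""
    now = datetime.strptime(now_iso, FMT)
    retention = timedelta(days=retention_days)
    hits = []
    for e in events:
        if now - datetime.strptime(e["ts"], FMT) > retention:
            continue
        matched = []
        if e["sha256"] in iocs.get("sha256", ()):
            matched.append("sha256")
        if e["remote_ip"] and e["remote_ip"] in iocs.get("ip", ()):
            matched.append("ip")
        if matched:
            hits.append((e["machine"], e["pid"], e["image"], matched))
    return hits


if __name__ == "__main__":
    print(process_tree(EVENTS, "ws01", 300))
    print(hunt(EVENTS, {"sha256": {"d4" * 32}, "ip": {"203.0.113.7"}},
               "2017-03-22T00:00:00"))
```

The hunt deliberately matches on the stored events rather than on anything the machine can answer now: ws02 has been reimaged, but the December execution of the same hash is still returned. Shortening `retention_days` to 30 drops it, which is exactly the difference a six-month store makes.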

Response

When detecting an attack, security teams can now take immediate action: isolate machines, ban files from the network, kill and quarantine running processes or files, or retrieve an investigation package from a machine to provide forensic evidence – with a click of a button. Because while detecting advanced attacks is important – shutting them down is even more so.

[Figure 3: Machine-level response actions]

Come experience these features in the Creators Update trial, and tell us what you liked and what you’d like to see in the future. Join us for free.

What’s new in Microsoft’s SDL
Microsoft Secure Blog Staff, 2017-02-23 (updated 2017-02-27), http://blogs.microsoft.com/microsoftsecure/?p=67140

This post is authored by Andrew Marshall, Principal Security Program Manager, Security Engineering.

For well over a decade, Microsoft has been committed to designing, developing, and testing software in a secure and trustworthy manner and sharing the Security Development Lifecycle (SDL) methodology and resources with the software development community. We are continuing to make investments into the evolution of the SDL and resources we provide to enable the ecosystem to adapt to new technology and the ever-changing threat landscape.

Today, we’re announcing an important new round of updates and technical content additions to the SDL website. These updates provide up-to-date guidance and best practices that evolve with the Security Development Lifecycle. We’ve made updates to security tooling guidance, compiler and cryptographic recommendations, and the SDL Developer Starter Kit.

The SDL represents our strategic investment in improving security across the ecosystem, and over the next few months we will make additional changes to the Security Development Lifecycle website. Check back for new content detailing how you can implement the SDL in the world of Continuous Release/Continuous Development and DevOps.

How to create an effective cyber hygiene program
Microsoft Secure Blog Staff, 2017-02-20, http://blogs.microsoft.com/microsoftsecure/?p=67104

This post is authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group.

As noted in the 2016 Verizon Data Breach Investigations Report, 63% of confirmed breaches involved weak, default or stolen passwords, 30% of phishing messages were opened in 2015, and 12% of targets clicked on the malicious attachment or link. Given this, organizations of all types can make significant gains in their security posture by educating their user base on best practices for digital engagement and cyber hygiene.

Yet, headlines like this recent story in Dark Reading, The Sorry State Of Cybersecurity Awareness Training, speak to the reality that user education is one of the most under-invested and under-appreciated aspects of cybersecurity. Many organizations require an annual online training program to meet compliance requirements, but rarely invest in broad, robust, ongoing training that contemplates the changing threat landscape and the vastly differing roles of end users.

I’ve seen these same organizations invest heavily in tools to defend and detect within their environment, all the while overlooking the most vulnerable part of the security infrastructure: the end user. Forbes reported “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years according to a 2015 analysis of numbers from the Bureau of Labor Statistics by Peninsula Press” (January 2016). Therefore, organizations cannot rely solely on technology or security professionals to keep their data and infrastructure safe and secure. Threats are evolving, spear phishing is increasing, and users are being specifically targeted. It is incumbent upon the industry to also change the way we approach user education.

There are several aspects to consider when educating users:

  • Where do you focus your efforts?
  • What is the risk profile of your user population? Have you classified your users much like you do your data?
  • Is your directory up to date? Are your privileges appropriate?
  • Who is the population, i.e. are they computer literate?
  • What is the user accessing, i.e. classified, sensitive, or confidential data?
  • What systems are they using, i.e. company issued, BYOD, managed, unmanaged?
  • How does your team learn best and how do you reinforce learnings?
  • How do you make complex security concepts consumable?

Create an effective cyber hygiene awareness program

  1. Lead by example
    To create a program takes focus, effort and commitment at the executive level to take cybersecurity education seriously. Internal stakeholders can cite numerous studies and use the wide range of industry data points to provide a business case and justification for the training. The average cost of each lost or stolen record containing sensitive information has reached $158 USD according to the Ponemon Institute, and this figure does not include loss of business and customer loyalty from damage to the brand. Justifying the benefits of cybersecurity awareness is straightforward. Getting support and buy-in at the highest levels of an organization, though more challenging, is key to setting the tone both for adherence to the effort and for continued investment in it.
  2. Keep it top of mind
    An annual program may be a good start, but the lessons learned are too soon forgotten and are not likely to turn into good habits. To truly create a sustainable program, training needs to be ongoing, not just annual. It must be flexible enough to accommodate learnings from new security events and attack types. Outside of the standard red/blue teaming efforts, web-based training, employee awareness posters, and scenario drills for the average user are all good methods for staying in the forefront of end users’ minds and practice. In addition, put in place an outspoken executive sponsor for security awareness. It takes someone with enough credibility to foster trust and ongoing dialogue with the CISO as well as employees on the impact of best practices. Taking it a step further for larger organizations, I recommend creating cyber security champions at the department level to maintain the culture throughout the company’s end user populations and geolocations. If you want to start small, something as simple as requiring privacy screens for anyone handling sensitive data is a good way to raise awareness and encourage employees to educate one another on best practices.
  3. Make it compulsory not perfunctory
    For many employees, online training is a time investment not well spent that takes away from bigger priorities. However, the task of completing frequent security training needs to become a vital job requirement, and viewed as critically important. This can potentially be accomplished by communicating broadly on the number of persons trained and sharing metrics about the security posture of each department, month to month, as well as reporting your security program’s relative standing compared to other training programs in the organization.
  4. Keep it simple
    If a full-blown program is not within reach right away, you can still make significant gains with awareness of the top three security risks. Weak passwords, phishing and thoughtless clicking on attachments, against better judgement, are still the primary ways in for attackers. Remind users of best practices to avoid becoming a victim, and explore ways to automate enforcement so that you can limit the risk to others from infected devices.

There is no silver bullet for addressing rapidly increasing threats. The combination of risk-based policies, technology controls, solid audits and user education can go a long way toward mitigating your organization’s risk.

Sharing Microsoft learnings from major cybersecurity incidents
Microsoft Secure Blog Staff, 2017-02-15, http://blogs.microsoft.com/microsoftsecure/?p=66867

This post is authored by Mark Simos, Director of Business Development and Strategy, Enterprise Cybersecurity Group.

Microsoft has assisted customers with investigation of, and recovery from, cybersecurity attacks for well over a decade. This effort began informally when our IT department and product groups came to the aid of customers encountering attacks in their environment. Since those early days, the volume and complexity of incidents has required Microsoft to scale up its efforts to include full-time professional investigation and recovery teams. These teams are typically engaged in one or more major investigations in any given week throughout the year. If you are experiencing a targeted attack, you can rapidly engage our Global Incident Response and Recovery teams through Microsoft Premier Support.

Incident Response Reference Guide

Because the challenges that our customers face during incident response and recovery are both technical and non-technical, we recently embarked upon an effort with partner organizations to provide our customers with comprehensive incident management guidance.

The results of this effort have been compiled into an Incident Response Reference Guide. It is available for download, and we are distributing a printed version at the Microsoft booth during the RSA conference in San Francisco, this week.

This guidance describes the learnings and recommendations that our organizations have made along the technical, operations, legal, and communications dimensions. It is designed to help you prepare for and meet critical needs during a major cybersecurity incident, as well as to avoid common errors.

The recommendations in this guide can help organizations prepare for, and address many severities of security incidents, though it is primarily focused on major incidents where administrative access has been compromised.

This guidance is designed to enable you to:

  1. Prepare for a crisis by reducing risk to your organization
  2. Better manage a crisis, whether or not you have made prior preparations

The tips and guidance in this document are designed to provide insights to organizations facing their first incident, as well as seasoned professionals that manage persistent adversary operations regularly. It is based on our collective experiences across a wide range of Fortune 1000® companies and government agencies. We would love to hear your feedback on how this document helped you and how to improve it. You can reach us at CyberDocFeedback@microsoft.com.

Beyond the Guide

As our teams travel the globe helping customers and fighting cybercrime, the learnings from this work continuously influence Microsoft products, public guidance, and how we help future customers. Several key pieces of guidance we have published have been informed by this experience, including Versions 1 and 2 of Mitigating Pass-the-Hash and Other Credential Theft, Best Practices for Securing Active Directory, and a new type of guidance that outlines a prioritized security strategy for these attacks, the Securing Privileged Access (SPA) roadmap (online SPA training is available here). Microsoft has also contributed to efforts like the NIST SP 800-184 Guide for Cybersecurity Event Recovery to share our lessons learned.

Additionally, many of our products and features have been directly influenced by our incident response and recovery experience. These include Windows Defender Advanced Threat Protection (ATP), Advanced Threat Analytics (ATA), Windows Server 2016 Shielded VMs, Virtualization Based Security (VBS) in Windows 10 that includes Credential Guard, Microsoft Identity Manager’s Privileged Access Management Capability (MIM-PAM), and many others.

The measure of what causes an incident to have a major impact on an organization varies, depending on the business or mission. However, we have found that most major incidents involve the compromise of administrative access to most or all enterprise IT systems (as happens in the targeted attacks frequently reported in the press). Based on the prevalence of credential theft techniques that lead to compromise of administrative rights, Microsoft has open-sourced the build instructions for the privileged access workstations (PAWs) that our cybersecurity professional services personnel deliver. This architecture is based on learnings from attacks on our customers as well as experience deploying secure access workstations internally for administrators of our own IT systems.

Learn from over a decade of experience helping our customers recover from major incidents by downloading the Incident Response Reference Guide today.

Upgraded Microsoft Trust Center adds rich new content
Microsoft Secure Blog Staff, 2017-02-13, http://blogs.microsoft.com/microsoftsecure/?p=66813

This post is authored by David Burt, Senior Product Manager, Cloud Platform Marketing.

A little over a year ago, we launched the Microsoft Trust Center at www.microsoft.com/trustcenter, which unified trust-related resources across our enterprise cloud services.  This week, we launched a completely redesigned and greatly expanded site with new content including EU General Data Protection Regulation (GDPR) guidance, audit reports, and security assessments.

The Trust Center is an important part of the Microsoft Trusted Cloud initiative and provides support and resources for information professionals, as well as the legal and compliance community.  The Trust Center offers a rich set of resources, including in-depth information about security, privacy, and compliance offerings, policies, features, and practices across our cloud products, including Azure, Dynamics 365, Office 365, Power BI, Visual Studio Team Services, and Windows Server 2016.  Each content area is supplemented by a curated collection of hundreds of the most applicable and widely-used resources for each topic.

New enhancements to the Trust Center include:

We are committed to providing you with guidance, documentation, and support you need to meet your security, privacy, and compliance goals. We will continuously improve the Trust Center to help make your job easier.

Visit http://www.microsoft.com/TrustCenter

Detecting cyber threats
Microsoft Secure Blog Staff, 2017-02-10 (updated 2017-03-21), http://blogs.microsoft.com/microsoftsecure/?p=66798

This post is authored by Joe Faulhaber, Senior Consultant, ECG.

In today’s cyber threat landscape, it’s not a question of if an attack will occur, but who will attack and when. To keep enterprise data safe against global threats that include attackers as technically sophisticated as any defender, enterprises need to have world-class cyber defenses. This requires strong execution of security fundamentals, in-depth knowledge of the enterprise environment, and working with experts to be ready to detect attacks when they occur.

World-class attackers, your enterprise

Protecting the modern enterprise is challenging because it’s an incredibly dynamic problem. Configurations are in constant flux, hardware is being cycled, software is updating, workloads are moving to the cloud, and users are bringing devices in and out of the network. At the same time, untargeted attacks are constantly entering the system, and there is also the danger of well-funded, determined external attackers trying to steal valuable data. Even insiders can be threats, and what an attack looks like can change every day. Cybersecurity is an arms race, with attackers and defenders responding to each other constantly.

Detection in Depth

Protection in depth is the best enterprise defense, because defending only at the host, the network edge, or the cloud is not sufficient. Similarly, threats that cause damage or pose danger need to be detected in depth as well, and when threats or attacks are detected, an appropriate and effective response is required. The three pillars of security, Protect, Detect, and Respond, are key to a secure enterprise.

Detection in depth means taking a layered approach to find threats all over the enterprise with redundant detection mechanisms, even where there are no protective defenses. It also means verifying the output of detective sensors to build trust in signals.

Some threats are not complicated to detect. Out-of-date software, missing or stale anti-malware protection, and misconfigured policies are all weaknesses that lead to successful attacks. These conditions are easy to detect, and checking for them is among the fundamental requirements for staying secure.
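
An added Python example (constructed inventory, not part of the post or of Microsoft's service) of checking these fundamentals and of verifying the output of detective sensors: for each host it flags missing or stale anti-malware signatures, an endpoint sensor that has gone quiet, a sensor that no longer raises the scheduled benign test detection it is expected to fire on, and a silent network sensor, then reports how many independent detection layers the host still has. Field names, thresholds and the idea of a daily benign test detection are assumptions of the example.

```python
"""Added example (constructed data) of detection fundamentals and sensor
verification: a sensor that is silent is only reassuring if it is known
to still fire on something."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

# Per host: when the endpoint sensor last checked in, when it last raised the
# scheduled benign test detection (a harmless file it is expected to flag
# every day), the anti-malware signature date, and when the network sensor
# last saw the host's traffic. None means never. Field names are assumptions.
FLEET = {
    "ws01": {"edr_heartbeat": "2017-02-10T11:00:00", "edr_test_alert": "2017-02-09T12:00:00",
             "av_signatures": "2017-02-09T06:00:00", "net_sensor_seen": "2017-02-10T11:55:00"},
    "ws02": {"edr_heartbeat": "2017-02-01T12:00:00", "edr_test_alert": "2017-02-01T12:00:00",
             "av_signatures": "2017-01-11T06:00:00", "net_sensor_seen": "2017-02-10T11:57:00"},
    "srv01": {"edr_heartbeat": "2017-02-10T10:00:00", "edr_test_alert": None,
              "av_signatures": None, "net_sensor_seen": "2017-02-10T11:59:00"},
}


def _stale(now, stamp, limit):
    """True when a timestamp is missing or older than the allowed age."""
    return stamp is None or now - datetime.strptime(stamp, FMT) > limit


def sensor_findings(host, now_iso, max_silence_days=2, max_signature_days=7):
    """The easy-to-detect fundamentals from the post, plus sensor verification:
    an endpoint sensor that has not fired on its scheduled benign test cannot
    be trusted to be silent merely because there is nothing to find."""
    now = datetime.strptime(now_iso, FMT)
    silence = timedelta(days=max_silence_days)
    findings = []
    if host["av_signatures"] is None:
        findings.append("av_missing")
    elif _stale(now, host["av_signatures"], timedelta(days=max_signature_days)):
        findings.append("av_signatures_stale")
    if _stale(now, host["edr_heartbeat"], silence):
        findings.append("edr_silent")
    if _stale(now, host["edr_test_alert"], silence):
        findings.append("edr_test_detection_missed")
    if _stale(now, host["net_sensor_seen"], silence):
        findings.append("net_sensor_silent")
    return findings


def trusted_layers(findings):
    """Independent detection layers that can still be relied on. Zero layers
    is a blind spot; one layer means no redundancy, i.e. no depth."""
    bad = set(findings)
    layers = []
    if not bad & {"av_missing", "av_signatures_stale"}:
        layers.append("av")
    if not bad & {"edr_silent", "edr_test_detection_missed"}:
        layers.append("edr")
    if "net_sensor_silent" not in bad:
        layers.append("network")
    return layers


def fleet_report(fleet, now_iso):
    """Per-host findings and trusted layers for the whole fleet."""
    report = {}
    for name, host in fleet.items():
        findings = sensor_findings(host, now_iso)
        report[name] = {"findings": findings, "layers": trusted_layers(findings)}
    return report


if __name__ == "__main__":
    for name, entry in fleet_report(FLEET, "2017-02-10T12:00:00").items():
        print(name, entry)
```

In the sample, srv01 has a live endpoint sensor heartbeat but has never raised the test detection, so the script refuses to count that sensor as a trusted layer; with anti-malware missing as well, the network sensor is the only layer left on that server, which is the kind of gap the paragraph above calls out.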

Other threats are tougher to detect, such as attacks against network infrastructure or insider attacks, and detection often depends on collecting numerous logs and performing analysis. Software supply chain attacks may be particularly successful, especially if users go looking for software on the Internet on their own, and require different detection methods. Knowing your environment well makes it much easier to know if something is out of place or missing.

Even in a well-protected network, there will be successful attacks. Some of them are quite easy to identify – a new variant of an existing and common commodity malware evading anti-malware detection isn’t that hard to find if you know where to look. Even if you’re not familiar with an attack, being curious and knowledgeable enough to think “that’s weird” is often the start of detecting something new. Another key to good detection and analysis is the knowledge and resources to understand the tactics, techniques, and procedures used in today’s attacks. Even the biggest organizations need help to see parts of attacks that happen beyond systems in their control.

Determined Human Adversaries

The most dangerous attacks are targeted and perpetrated by determined human adversaries. These have been called “Advanced Persistent Attacks”, though they may not be particularly advanced or even well targeted. But they are especially perilous because they attack the enterprise, not an individual or computer, and are driven by humans who may have incredible determination and goals only known to the attackers. The adversary may come after what they think an enterprise has, not what it possesses.

Differentiating between a targeted attack and a random commodity attack can be quite difficult, since what works to compromise an organization does not depend on the attacker’s motivations. An expected penetration test and a real attack can look the same or completely different when it comes to detection. Different attacks may use similar methods and a seemingly random attack may turn out to be a determined adversary. This makes knowing previous adversary behavior incredibly important. The first encounter with a new threat can be very confusing, with time wasted chasing irrelevant details or false leads. This confusion is often compounded by the human impact of being targeted, which can bring the emotional impact of a physical attack.

In the worst case of having a determined human adversary attacking your enterprise for the first time, it is essential to have help from those who have detected these types of threats before, and a response plan on how to deal with the attacker.

Becoming World-Class

Detecting cyber threats can seem overwhelming when new threats are constantly making news and older threats are still capable of causing big problems. However, identifying threats can be made much easier by implementing protection and detection in depth. Executing the fundamentals of security daily, knowing what is normal for your enterprise environment, and having expert help in identifying the latest attack methods is key. Solid protection and rapid response capability are tied together by detection and intelligence, and the Microsoft Enterprise Threat Detection (ETD) service enables detection in depth with cybersecurity experts and global intelligence for your enterprise.

Read more at the Microsoft Enterprise Threat Detection blog.

Join us at RSA Conference. Here’s your event guide for connecting with Microsoft
Microsoft Secure Blog Staff. Published 2017-02-09T16:00:23Z, updated 2017-02-09T16:02:00Z. http://blogs.microsoft.com/microsoftsecure/?p=66750

The RSA Conference is fast approaching and the agenda is packed with the latest technology, trends, and people that help protect our digital data. We’ll be there sharing our unique perspective through keynotes, deep-dive sessions, and on the expo floor.

Since planning your itinerary is a must to get the most out of RSA, here’s a preview of where and when you can learn about how Microsoft can help you be more secure.

Keynote Address by Brad Smith

Protecting and defending against cyber threats in uncertain times | Tuesday, February 14th, 8:35 a.m.
While many cyber attacks are the work of criminals seeking financial gain, new threats continue to emerge targeting civilians, businesses and governments. Microsoft President Brad Smith will share our perspective on what’s needed to protect and defend this critical infrastructure.

Microsoft in North Expo Hall, booth 3501

Come chat with the Microsoft Secure team in the North Expo. We’ll be there throughout the conference to show you how our $1 billion annual investment in security R&D helps organizations secure their environment and protect their customers.

Microsoft sessions at RSA Conference 2017

Tuesday, February 14th

A Vision for Shared, Central Intelligence to Ebb the Growing Torrent of Alerts | 1:15 p.m.–2:00 p.m.
Despite the positive advancements in machine learning and intelligence, security professionals remain overwhelmed. How is it that we keep wasting time and energy on analyzing and assembling the information presented by our supposedly “intelligent” solutions? This session will explore a conjoint approach that would help our industry climb out of the sea of data that is most certainly going to drown us.

How to Go from Responding to Hunting with Sysinternals Sysmon | 1:15 p.m.–2:00 p.m.
Sysinternals Sysmon can help you precisely detect and track an attacker’s movement inside your Windows networks, but only if you know how to use it effectively. Get a deep dive from Sysmon’s author on its design, capabilities, latest enhancements, and guidance for collecting and alerting on its rich forensic data with popular log analytics services.

Advances in Cloud-Scale Machine Learning for Cyber-Defense | 3:45 p.m.–4:30 p.m.
Picking an attacker’s signals out of billions of log events in near real time from petabyte-scale storage is a daunting task, but Microsoft has been using security data science at cloud scale to successfully disrupt attackers. This session presents the latest frameworks, techniques, and the unconventional machine learning algorithms that Microsoft uses to protect its infrastructure and customers.

Wednesday, February 15th

Learnings from the Cloud: What to Watch When Watching for a Breach | 2:45 p.m.–3:30 p.m.
Protecting against account breach and misuse when using a cloud service can be challenging, as the cloud service decides what tooling is available, and control may be limited. This session will share learnings and best practices from the Office 365 engineering team: from the patterns observed, what are best practices to protect against account breach?

Securing the Making of the Next Hollywood Blockbuster | 1:30 p.m.–2:15 p.m.
Get a look behind the scenes at New Regency, the company that produced the Oscar-winning movie The Revenant, to hear how employees collaborate and keep production secrets safe.

Friday, February 17th

Critical Hygiene for Preventing Major Breaches | 10:15 a.m.–11:00 a.m.
Microsoft’s Incident Response teams investigate major breaches week after week and almost always see the exact same pattern of attacks and customer vulnerabilities. Microsoft and the Center for Internet Security (CIS) will share step-by-step recommendations to defend against these attacks, including information on cybersecurity solutions that Microsoft has open-sourced to protect our customers.

Choose from nearly 40 theater sessions

Attend one of the 20-minute theater sessions in the Expo Hall to learn more about a variety of topics, including NextGen SOC, Risk Based Identity Protection, Office 365 Threat Intelligence, Detecting Threats from Enterprise Telemetry, Taking Ransomware to Task with Windows 10, and Security in Industrial IoT. Stop by booth #N3501.

Explore more about our unique approach to security at Microsoft Secure.

Stopping cyberthreats in a new era
Microsoft Secure Blog Staff. Published 2017-02-02T17:00:38Z, updated 2017-03-21T17:47:01Z. http://blogs.microsoft.com/microsoftsecure/?p=66738

The explosive growth in the scale and sophistication of cyberthreats is remaking the security landscape. Today, it’s not a matter of if your organization’s data will be compromised, but a matter of when. Having a proactive protection strategy that includes pre- and post-breach components is critical to addressing advanced attacks.

Fortunately, Windows 10 has comprehensive pre-breach solutions, and with Windows Defender Advanced Threat Protection (ATP) we added a post-breach layer to the Windows security stack. And the best part? Windows Defender ATP is built into Windows 10 and designed to provide the best performance experience on your machine. It doesn’t require any additional software deployment or management.

So do you want the good news or the bad news?

Well, here’s the outcome: New hacking techniques are multiplying exponentially and old pre-breach detection techniques can’t keep up. The numbers are alarming—on average it takes an attacker minutes to get in, and security teams more than 140 days to discover it.

With the release of Windows 10 Anniversary Update, Microsoft offers Windows Defender ATP to complement the existing endpoint security stack of Windows Defender, SmartScreen, and various OS hardening features. The new service, purposely built to detect and respond to advanced attacks, leverages a deep behavioral sensor integrated into Windows 10 combined with a powerful security analytics cloud back end to enable enterprises to detect, investigate, and respond to targeted and sophisticated advanced attacks on their networks.

Next-level protection: Post-breach detection and response

Windows Defender ATP goes wide and deep, working to cover all your bases, with a focus on post-breach challenges. It’s like having a black belt team of security defense experts supporting every machine running Windows 10.

Advanced attack detection. Microsoft makes the most of its strong security analytics and rich intelligence capabilities to provide visibility into anomalies and threats from a broad base of sources. We also leverage the Microsoft Security Intelligence Graph to cull data from Windows updates and search engine results that index billions of URLs to generate potential hack alerts immediately.

Investigation and response. The portal gives SecOps tools and capabilities to investigate and respond to threats on their endpoints. You can also proactively explore your network for signs of attacks, perform forensics on specific machines, track attacker actions across machines in your network, get a detailed file footprint across your organization, submit a file for deep analysis, and, with the Creators Update, isolate machines, kill processes, or ban files from your network.

Threat intelligence. Get internal and external reports and indicators for known attackers and prominent attacks (Strontium, for example), validated and enriched by an internal team of security black belts and third-party feeds. With the Creators Update, you can add your own threat intelligence (TI) to define alerts unique to your environment within Windows Defender ATP, based on indicators of compromise (IOCs).

Windows 10 and Windows Defender ATP help give you the best defense and offense when it comes to potential and actual data breaches. Learn more by downloading the ebook now.

Discover more about how this new strategic approach can make a real difference at Microsoft Secure.
