Microsoft Secure Blog

In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance

Microsoft’s Cyber Defense Operations Center shares best practices

Microsoft Secure Blog Staff (published 2017-01-17T18:00:03Z, updated 2017-01-17T20:13:26Z)

This post is authored by Kristina Laidler, Security Principal, Cyber Security Services and Engineering

Each week seems to bring a new disclosure of a cybersecurity breach somewhere in the world. In 2016 alone, over 3 billion customer data records were breached in several high-profile attacks globally. As we look at the current state of cybersecurity challenges, we see the same types of attacks, but the sophistication and scope of each attack continue to grow and evolve. Cyber adversaries are now changing their tactics and targets based on the current security landscape. For example, as operating systems became more secure, hackers shifted back to credential compromise. As Microsoft Windows continually improves its security, hackers attack other systems and third-party applications.

The growth of both the internet and the Internet of Things (IoT) is creating more connected devices, many of which are insecure and can be used to carry out larger Distributed Denial-of-Service (DDoS) attacks. Because internet-connected embedded devices are implemented insecurely, they are routinely hacked and used in cyberattacks. Smart TVs and even refrigerators have been used to send out millions of malicious spam emails. Printers and set-top boxes have been used to mine Bitcoins, and cybercriminals have targeted CCTV cameras (common IoT devices) to launch DDoS attacks.

Microsoft has unique visibility into an evolving threat landscape due to our hyper-scaled cloud footprint of more than 200 cloud services, over 100 datacenters, millions of devices, and over a billion customers around the globe, and our investment in security professionals focused on secure development as well as protect, detect and respond functions. In an effort to mitigate attacks, Microsoft has developed an automated platform, as part of Microsoft Azure, that provides a rapid response to a DDoS attack. On our software-defined networks, the data plane can be upgraded to respond and stay ahead of network traffic, even while our service or corporate environment is under attack. Our DDoS protection platform analyzes traffic in real time and has the capability to respond and mitigate an attack within 90 seconds of detection.


Microsoft Cyber Defense Operations Center operates 24×7 to defend against cyberthreats

In November 2015, we opened the Cyber Defense Operations Center (CDOC) to bring together the company’s cybersecurity specialists and data scientists in a 24×7 facility to combat cyber adversaries.

In the year since opening, we have advanced the policies and practices that accelerate the detection, identification and resolution of cybersecurity threats, and have shared our key learnings with the thousands of enterprise customers who have visited the CDOC. Today, we are sharing a Cyber Defense Operations Center strategy brief that details some of our best practices for how we Protect, Detect and Respond to cyberthreats in real time.

Microsoft’s first commitment is to protect the computing environment used by our customers and employees to ensure the resiliency of our cloud infrastructure and services, products, devices, and the company’s internal corporate resources.

Microsoft’s protect tactics include:

  • Extensive monitoring and controls over the physical environment of our global datacenters, including cameras, personnel screening, fences and barriers and multi-factor authentication for physical access.
  • Software-defined networks that protect our cloud infrastructure from intrusions and distributed denial of service attacks.
  • Multifactor authentication is employed across our infrastructure to control identity and access management.
  • Non-persistent administration using just-in-time (JIT) and just-enough administrator (JEA) privileges for engineering staff managing infrastructure and services. This provides a unique set of credentials for elevated access that automatically expires after a pre-designated duration.
  • Proper hygiene is rigorously maintained through up-to-date anti-malware software and adherence to strict patching and configuration management.
  • Microsoft Malware Protection Center’s team of researchers identify, reverse engineer and develop malware signatures and then deploy them across our infrastructure for advanced detection and defense. These signatures are available to millions of customers using Microsoft anti-malware solutions.
  • Microsoft Security Development Lifecycle is used to harden all applications, online services and products, and to routinely validate its effectiveness through penetration testing and vulnerability scanning.
  • Threat modeling and attack surface analysis ensure that potential threats are assessed, exposed aspects of the service are evaluated, and the attack surface is minimized by restricting services or eliminating unnecessary functions.
  • Classifying data according to its sensitivity—high, medium or low business impact—and taking the appropriate measures to protect it, including encryption in transit and at rest, and enforcing the principle of least-privilege access provides additional protection.
  • Awareness training that fosters a trust relationship between the user and the security team to develop an environment where users will report incidents and anomalies without fear of repercussion.

Having a rich set of controls and a defense-in-depth strategy helps ensure that should any one area fail, there are compensating controls in other areas to help maintain the security and privacy of our customers, cloud services, and our own infrastructure environment.

Microsoft operates under an Assume Breach posture. This simply means that despite the confidence we have in the defensive protections in place, we assume adversaries can and will find a way to penetrate security perimeters. It is then critical to detect an adversary rapidly and evict them from the network.

Microsoft’s detect tactics include:

  • Monitoring network and physical environments 24x7x365 for potential cybersecurity events. Behavior profiling, based on usage patterns and an understanding of unique threats to our services.
  • Identity and behavioral analytics are developed to highlight abnormal activity.
  • Machine learning software tools and techniques are routinely used to discover and flag irregularities.
  • Advanced analytical tools and processes are deployed to further identify anomalous activity and innovative correlation capabilities. This enables highly-contextualized detections to be created from the enormous volumes of data in near real-time.
  • Automated software-based processes that are continuously audited and evolved for increased effectiveness.
  • Data scientists and security experts routinely work side-by-side to address escalated events that exhibit unusual characteristics requiring further analysis of targets. They can then determine potential response and remediation efforts.

When we detect something abnormal in our systems, it triggers our response teams to engage.

Microsoft’s respond tactics include:

  • Automated response systems using risk-based algorithms to flag events requiring human intervention.
  • Well-defined, documented and scalable incident response processes within a continuous improvement model help to keep us ahead of adversaries by making these available to all responders.
  • Subject matter expertise across our teams, in multiple security areas, including crisis management, forensics, and intrusion analysis, and deep understanding of the platforms, services and applications operating in our cloud datacenters provides a diverse skill set for addressing incidents.
  • Wide enterprise searching across cloud, hybrid and on-premises data and systems to determine the scope of the incident.
  • Deep forensic analysis, for major threats, is performed by specialists to understand incidents and to aid in their containment and eradication.
  • Microsoft’s security software tools, automation and hyper-scale cloud infrastructure enable our security experts to reduce the time to detect, investigate, analyze, respond, and recover from cyberattacks.

There is a lot of data and tips in this strategy brief that I hope you will find useful. You can download the Cyber Defense Operations Center strategy brief to gain more insight into how we work to protect, detect and respond to cybersecurity threats. And I encourage you to visit the Microsoft Secure website to learn more about how we build security into Microsoft’s products and services to help you protect your endpoints, move faster to detect threats, and respond to security breaches.

Rules-making in technology: Examining the past and predicting the future

Paul Nicholas (published 2017-01-17T17:00:56Z, updated 2017-01-17T17:03:03Z)

Are the rules and regulations being put in place today, from the Chinese cybersecurity law to the EU’s General Data Protection Regulation (GDPR), going to be appropriate for the world 10 years from now? And if not, should this be of concern? To answer these questions, we need to learn from the past.

The technology concerns of 10 years ago are still with us in some ways, e.g. worries about data being accessed by the wrong people and important systems becoming vulnerable to cyberattacks, but much has changed as the technology has continued to develop and spread through our businesses, communities, governments, and private lives. As a result, the regulations in place in 2006 have had to be replaced, e.g. the US-EU Safe Harbour with Privacy Shield, or have been wholly supplanted, e.g. the emergence of new approaches to cybersecurity and critical infrastructure. Now that I look at it, the world of 10 years ago seems more distant than I expected. Technology was far from ubiquitous and the services offered more limited, the rules familiar but sometimes at a tangent to today’s.

2006 was an important year in technology development: Facebook emerged from university campuses and Google bought YouTube. The policy agendas of governments and regulators were driven by concerns about child online safety, e-skills and lifelong learning, access to broadband, e-commerce and online banking, and, yes, market dominance. This is not to discount the importance of these issues at the time, but cybersecurity then was more often viewed as avoiding exotically named viruses rather than combating the organized cybercrime we now face, whilst privacy was seen as protecting the vulnerable from online exploitation rather than through today’s post-Snowden lens.

Could 2006’s policy-makers have prepared better for the issues we now face? That seems unlikely. For one thing, policy-makers would have been hard-pressed to have predicted the direction of technology; self-driving cars were a near-fringe idea (Google’s first major steps were in 2005), smartphones had not yet taken off (the iPhone was launched on January 9, 2007) and 3D printing was an industrial process (the first commercial printer came out in 2009). For another thing, these policy-makers were not operating in a vacuum; the rules they were putting in place had to deal with immediate challenges and had to be built on structures and laws that dated to the turn of the millennium.

This shortfall may actually have been a good thing for technology in 2016. Regulations and laws define and fix things, disallowing certain behaviors or requiring others. This can be hard enough to do successfully with well-understood issues, but for nascent technologies or business models it must be exceptionally difficult. Without undue constraints, technologies were able to develop “naturally”. They found business models and technical solutions that worked, then built up momentum to emerge at the stage where today they are robust enough to be more closely scrutinized and, perhaps, regulated.

So, following a similar pattern, should our 2016 efforts at rule-making focus on our immediate issues and leave the future to, in some sense, sort itself out? Perhaps. The emergence of advanced machine learning or of the Internet of Things means those technologies can’t really be legislated for right now because we don’t know what they will mean in practical terms for businesses and consumers, criminals and law enforcers, and so on. And yet, on the other hand, the technology of tomorrow is being shaped by the decisions of today. For example, rules currently being considered about data localization or cross-border data flows will shape the future of cloud computing, whilst concerns over privacy or intellectual property will shape big data and machine learning. The wrong choices now could undermine the potential of many technologies and tools.

The answer to whether or not today’s rules are going to be appropriate for 2026 is not, therefore, black and white. We need rules today that reflect technology today, because the old rules aren’t necessarily fit for purpose any more. Equally, we have to acknowledge that rules we create today aren’t always going to last long in the face of technological evolution. This could lead us to conclude we need to have a new way of regulating technology, one that might focus on outcomes for example (and that would be a separate blog), but it could also lead us to conclude that ingenuity and innovation can thrive in the gaps we leave and can even be encouraged by imperfect situations.

Whilst there can be no excuse for making rules that assume the world and technology won’t change over a decade, we also don’t have to constantly second guess our future at the price of having useful rules today. In 2026 we might look back at today with a similar feeling to that we currently experience on looking back at 2006: familiarity, perhaps nostalgia, combined with a sense that things really have moved. This won’t necessarily be a bad thing.

Cybersecurity’s perfect storm

Microsoft Secure Blog Staff (published 2017-01-16T17:00:30Z, updated 2017-01-16T17:01:27Z)

The unprecedented scale and sophistication of modern cyberthreats, combined with the rapidly disappearing IT perimeter, means that while preventing an attack from becoming a breach is ideal, it is no longer realistic.

Microsoft proactively monitors the threat landscape for those emerging threats, to help better protect our customers. This involves observing the activities of targeted activity groups across billions of machines, which are often the first ones to introduce new exploits and techniques that are later used by other attackers.

So how can organizations defend against this triple threat?

Organizations need an approach to security that looks holistically across all critical endpoints, at all stages of a breach—before, during, and after. This means having tools that can not only protect against compromise, but can also detect the early signs of a breach and respond rapidly before it can cause damage to your system.

Windows Defender Advanced Threat Protection is a new post-breach security layer, designed to reduce the time it takes to detect, investigate and respond to advanced attacks. This post-breach layer assumes breach and is designed to complement prevention technologies in the Windows 10 security stack, such as Windows Defender Antivirus, SmartScreen, and various other OS hardening features.

By leveraging a combination of deep behavioral sensors, coupled with powerful cloud security analytics, Windows Defender ATP offers an unparalleled detection, investigation and response experience. It uses behavioral analytics proven to detect unknown attacks and security data from over 1B machines to establish what’s normal. This is then coupled with support from our own industry-leading hunters. Recordings of activity across all endpoints in the last 6 months allow users to go back in time to understand what happened.

Windows 10 has the protection you need, built-in

Windows Defender ATP is built into Windows 10, and provides a comprehensive post-breach solution to help security teams identify suspicious threats on your network that pre-breach solutions might miss.

Windows 10 and Windows Defender Advanced Threat Protection give you the future of cybersecurity NOW. Find out more at Microsoft Secure.


Should we retaliate in cyberspace?

Microsoft Secure Blog Staff (published 2017-01-12T17:00:12Z, updated 2017-01-12T17:02:27Z)

This post is authored by Gene Burrus, Assistant General Counsel

The hack of the San Francisco transit system and the subsequent hack back by a third party makes for a twenty-first century morality tale in some ways. The perpetrator of a ransomware blackmail is given a dose of his/her own medicine, undone by his/her own poor security practices. Painted at a larger scale, however, is the picture we see equally salutary? Recent accusations of state or state-sponsored hacking during the US Presidential campaign led to threats of retaliation between what are arguably the world’s two preeminent nuclear powers.

At the heart of most thinking about good behavior you are likely to find the concept of consequences for actions, and even the concept of preemptive deterrence of bad actions. Those concepts of consequence and deterrence have not become embedded in our online expectations and behaviors. This may be because cyberspace is still a new “public space” and people are still working out how to behave. It is also likely, perhaps, because cyberspace allows levels of anonymity and remote actions unprecedented in the real world. People do things because they think there will be no consequences, no “pay back”. There is certainly an argument to be made, then, for hackers and cybercriminals being subject to payback in some form, if for no other reason than to begin to underpin a behavioral system in cyberspace of “do as you would be done unto”.

Is this, however, the way forward that we should collectively take? There are after all existing laws that apply to cybercriminals, and new laws are being brought into existence as both technology and criminality evolve. However, the reality of enforcement is that most cyber criminals will never be caught and operate with near impunity.

Is “retaliation” something individuals or even companies should be able to engage in, if there is a functional legal system and a police force to do it in their place? Vigilantism, mob-justice and corporate extra-judicial actions wouldn’t look any more attractive online than they do in the real world. After all, can the retaliator be certain that the right person has been targeted? And if so, what is a proportionate response? If you hack my social media profile, is it fair for me to erase your bank account?

Furthermore, could “attack back” policies open another potential cause of state-to-state conflict in cyberspace? Certainly that risk might exist if State-Owned Enterprises (SOEs) became involved, as retaliator or retaliated-against. Even carrying out seemingly simple actions against a hacker might inadvertently breach national laws in the target’s jurisdiction, thereby involving “real world” police and state institutions when previously they were not.

On the other hand, there may be ways to ‘hack back’ that fall short of the ‘tit for tat’ retaliation that is commonly thought of, and instead facilitate catching criminals, disrupt their operations, or deprive them of the fruits of their illegal conduct. The challenge is in making cyberspace a less consequence-free realm in which criminal predators can seek victims. A colleague of mine recently mentioned the digital equivalent of “dye packs”, and the ability to trace criminals through what they steal might be helpful. Still, for every measure taken by the forces of law and order, a countermeasure can be developed by criminals and others who operate outside the law. This is not an argument for inaction but for the realization that there is unlikely to be a silver bullet to cybercrime through hacking back.

If genuine progress is to be made on these issues, the technology industry, law enforcers, lawyers and concerned society groups will have to consider at least three questions about hack back technologies and actions. First, explore what is technically feasible. Second, consider what is legal and for whom. Will law enforcement or private actors be legally allowed to use certain tools or tactics, and should some laws be changed to accommodate technical innovations that might be used to deter, track or punish criminal activity? And against the backdrop of both of these questions will be the question of what policies and tools will be wise to deploy and not do more harm than good. The intersection of these three questions may show the way forward on making cyberspace a place where crime doesn’t pay.

Microsoft Enterprise Threat Detection

Microsoft Secure Blog Staff (published 2017-01-09T17:00:23Z, updated 2017-01-09T17:00:44Z)

This post is authored by Joe Faulhaber, Senior Consultant ECG


The Microsoft Enterprise Cybersecurity Group (ECG) consists of three pillars: Protect, Detect, and Respond. Protection in depth is always the best defense, and being able to respond to incidents and recover is key to business continuity. Solid protection and rapid response capability are tied together by detection and intelligence, and the Enterprise Threat Detection (ETD) service enables detection in depth with global intelligence.

The detection technologies and intelligence data of ETD are brought together by a dedicated global team of cybersecurity analysts compounded by machine analytics. The analyst team merges deep knowledge of Windows and cyber threats with specific understanding of customer environments, becoming a virtual cybersecurity team for the enterprise. They provide in-depth technical knowledge along with reach-back into the vast resources of Microsoft. The ETD analyst team is tightly integrated with all cybersecurity teams in Microsoft, including ECG Global Incident Response and Recovery, the Microsoft Malware Protection Center, Azure Security Center, and the Microsoft Cyber Defense Operations Center. This brings the enterprise unparalleled access to Microsoft’s entire cyber security organization, enabling best-in-class detection, analysis, and actionable intelligence to detect the latest APT and other attacks.

In addition to the analyst team, the ETD service leverages machine analytics which use built-in Windows features to enable powerful detection that adversaries find very difficult to avoid. These unique detection capabilities are just part of the ETD story, however; customers also benefit from global ecosystem visibility from the largest malware telemetry system in the world, as well as recommended actions specific to each customer environment from Microsoft threat analysts.

The service includes immediate alerts in the case of detection of threats. If a determined human adversary is suspected, an ETD analyst contacts the customer to further discuss the identified threat details and response steps, including the Microsoft Global Incident Response and Recovery team if required. Regular summary reports are delivered in discussion meetings with ETD analysts that cover actionable intelligence and insights. Additional analysis support is also provided as needed.

Together, these capabilities, alerts and reports provide benefits to enterprises at all levels of cybersecurity sophistication, from those with no dedicated cyber security personnel to enterprises with world-class cybersecurity capabilities.

Components of Enterprise Threat Detection Service

Corporate Error Reporting

ETD leverages Windows Error Reporting to analyze system error reports to determine if malicious code has been run on the system. This powerful technology has been a core Windows operating system component since Windows XP. It has been used extensively by Microsoft and select customers to detect novel, known, and targeted attacks across the threat lifecycle.

ETD also extends error reporting with additional capabilities and attack detection fidelity, even for processes that never generate a Windows error event. And since the feature is built natively into Windows and runs by default, configuring endpoints for ETD is achieved through policy configuration alone.

When employed alongside the Enhanced Mitigation Experience Toolkit, ETD can detect attempted exploits at 3 times the normal detection rate.

Cyber Threat Intelligence (CTI)

Cyber Threat Intelligence is a key component of Microsoft’s commitment to defending Windows and Azure customers. With an ETD subscription, the CTI data is used to provide a view into an enterprise’s security posture and enables discovery and understanding of emerging threat events in the global ecosystem.

Microsoft’s threat intelligence includes information from all Microsoft antimalware products, resulting in a vast global data set from over a billion computers and 86 billion files. It also includes URL intelligence from SmartScreen and Bing, as well as network intelligence and indicators of compromise from the Microsoft Advanced Persistent Threat hunter teams.

Personalized information for enterprises from Microsoft’s Digital Crimes Unit’s (DCU) Cyber Threat Intelligence Program is also included in the ETD data set, which includes sinkhole data from DCU botnet takedown operations.

Coordinating Microsoft Products and Services

Advanced Threat Analytics (ATA)

ATA enables detection across identities in the enterprise, which ETD advises over and enriches with endpoint information to inform even more powerful and actionable detections.

Windows Defender Advanced Threat Protection (WD-ATP)

Microsoft has taken the approach used by ETD in previous versions of Windows and perfected it for Windows 10. WD-ATP enables full behavioral monitoring in an enterprise with built-in sensors. ETD analysts have deep understanding of the WD-ATP data stream, and can help manage the comprehensive data to separate commodity malware events from targeted events.

ETD provides world-class threat detection capabilities leveraging proprietary technologies and cyber threat data sources that complement any enterprise’s cyber security strategy and deployment. Along with custom analysis, the service benefits enterprises at any stage of cybersecurity maturity.

Azure Backup protects against ransomware

Microsoft Secure Blog Staff (published 2017-01-05T20:00:20Z, updated 2017-01-05T18:41:08Z)

According to the most recent CRN Quarterly Ransomware Report, malicious infrastructure attacks increased 3500% in 2016 and the percentage is expected to increase in 2017. One important way that organizations can help protect against losses in a ransomware attack is to have a backup of business critical information in case other defenses fail. Since ransomware attackers have invested heavily into neutralizing backup applications and operating system features like volume shadow copy, it is critical to have backups that are inaccessible to a malicious attacker.

The start of a new year is the perfect time to reassess your current backup strategy and policies and the impact to your business if your backup data is compromised. As security remains a high priority for our customers, Operations Management Suite (OMS) continues its commitment to offering holistic security capabilities. To demonstrate our continued investments in OMS, Azure Backup released a set of new features to protect your on-premises to cloud backups from ransomware.

Your backups need to be protected from sophisticated bot and malware attacks. Permanent loss of data can have significant cost and time implications to your business. To help protect against this, Azure Backup guards against malicious attacks through deeper security, faster notifications, and extended recoverability.

For deeper security, only users with valid Azure credentials will receive a security PIN generated by the Azure portal to allow them to back up data. If a critical backup operation is authorized, such as “delete backup data,” a notification is immediately sent so you can engage and minimize the impact to your business. If a hacker does delete backup data, Azure Backup will store the deleted backup data for up to 14 days after deletion.

To ensure this year is your data’s most secure year yet, make revisiting your backup policy one of your new year’s resolutions.

If you are an IT professional, you can explore the new Azure Backup capabilities by creating a free Microsoft Operations Management Suite account.

Finally, to learn more about ransomware and strategies you can employ to protect against it, watch our webinar Protecting Against Ransomware Threats.


Microsoft Security Intelligence Report Volume 21 is now available

Microsoft Secure Blog Staff (published 2016-12-14T15:35:39Z, updated 2016-12-14T15:35:39Z)

The latest volume of the Microsoft Security Intelligence Report is now available for free download at

This new volume of the report includes threat data from the first half of 2016 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides specific threat data for over 100 countries/regions.

Our Featured Intelligence content for this volume of the report includes three deep dive sections:

Protecting cloud infrastructure; detecting and mitigating threats using Azure Security Center:
As organizations move workloads to cloud-based services it is important that security teams keep abreast of changes in their threat posture. New threats can be encountered when adopting solutions that are fully cloud based, or when connecting on-premises environments to cloud services. This section of the report details common threats that organizations may encounter, and explains how security teams can use Azure Security Center to protect, detect, and respond to security threats against Azure cloud-based resources.

PROMETHIUM and NEODYMIUM: parallel zero-day attacks targeting individuals in Europe:
Microsoft proactively monitors the threat landscape for emerging threats, including observing the activities of targeted activity groups. The new report chronicles two activity groups, code-named PROMETHIUM and NEODYMIUM, both of which target individuals in a specific area of Europe. Both attack groups launched attack campaigns in May 2016 using the same zero-day exploit to seek information about specific individuals. Microsoft is sharing information about these groups to raise awareness of their activities, and to help individuals and organizations implement existing mitigation options that significantly reduce risk from these attack groups and other similar groups.

Ten years of exploits: a long-term study of exploitation of vulnerabilities in Microsoft software:
Microsoft researchers conducted a study of security vulnerabilities and the exploitation of the most severe vulnerabilities in Microsoft software over a 10-year period ending in 2015. In the past five years vulnerability disclosures have increased across the entire industry. However, the number of remote code execution (RCE) and elevation of privilege (EOP) vulnerabilities in Microsoft software has declined significantly. The results of the study suggest that while the risk posed by vulnerabilities appeared to increase in recent years, the actualized risk of exploited vulnerabilities in Microsoft software has steadily declined.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 21 of the Microsoft Security Intelligence Report at

Ken Malcolmson
Executive Security Advisor, Microsoft Enterprise Cybersecurity Group

Cybersecurity norms challenge remains
Paul Nicholas, 2016-12-07T22:55:44Z, 2016-12-08T17:00:27Z

Despite the differences that exist between governments, there is a growing recognition around the world that attacks on the security and stability of the Internet threaten all nations’ interests. The reality driving this alignment is that both emerging and developed economies are internet-dependent and, equally significantly, that malicious actors can use ubiquitous technologies to attack critical systems and infrastructure.

While cybercrime by non-state actors must be dealt with, it is also increasingly clear that governments need to carefully consider the impacts of their own military and intelligence actions in cyberspace, as well as those of their peers. Without some norms of state behavior in cyberspace the world could experience weakening of international security, national security, and even public safety. The potential erosion of trust citizens, consumers, and businesses have in globally interconnected information technology systems could significantly undermine our global economy.

Against this background, the United Nations Group of Governmental Experts (UN GGE) began its next round of discussions on cybersecurity norms and confidence building measures in New York at the end of August. This new session, due to report back to the UN General Assembly in September 2017, will have to tackle a wide range of thorny issues, one of which will be the question of applicability of international law to cyberspace. How can concepts such as “use of force” be applied? How should cyberweapons be classified – as conventional weapons, weapons of mass destruction, or something else? And, as if these questions weren’t complex enough, the UN GGE is going to have to consider valid ways to handle non-state actors or quasi-non-state actors when they threaten a nation’s critical systems.

The re-convening of the UN GGE also represents an opportunity to take stock of the norms debate so far, as well as to explore the different roles government and private sector could play in enhancing global online security. Microsoft has for some time argued that a decision-making framework is needed to help governments balance their roles as users, protectors, and exploiters of the internet. This is not an easy task for governments as they can be confronted with seemingly conflicting priorities, e.g. securing immediate economic advantages or ensuring longer-term growth of a digital economy.

Two years ago, Microsoft set out our own proposals around a cyber-norms framework. Our view, then and now, is that government decisions should be interrogated through the lens of the various actors in cyberspace. Each actor’s objectives, the actions they could take in pursuit of those objectives, and the potential impacts of a particular decision all need to be considered. Framed this way, the norms conversation can become more precise, focusing on discussing acceptable and unacceptable objectives, which actions may be taken in pursuit of those objectives, what the possible impacts of those actions are, and whether they are acceptable for a civilized, connected society.

Microsoft will, of course, make what contributions we can to the UN GGE and the other processes taking place to build a secure and lasting global approach to cyberspace. Our collective progress towards that goal can, I think, be judged against four key criteria. First, the approach must be practicable, rather than technically very challenging to achieve. Second, risks from complex cyber events and disruptions that could lead to conflict should be demonstrably reduced. Third, observable behavioural change needs to occur, change that clearly enhances the security of cyberspace for states, enterprises, civil society, and individual stakeholders and users. Fourth, and finally, existing risk-management concepts should be harnessed to help mitigate against escalation or to manage the potential actions of involved parties if escalation is unavoidable. Only when these criteria, or ones much like them, are met can the world feel confident in the future of the Internet, and in the economies and societies that are now dependent upon it.

How much time do you spend on false security alerts?
Microsoft Secure Blog Staff, 2016-11-21T17:52:57Z, 2016-12-05T16:00:50Z

The latest data on global threats—from malicious websites and untrusted IPs to malware and beyond—can help a company detect threats and rapidly respond. The challenge is that threat intelligence feeds are, at best, uneven in quality.

Close to 70 percent of information security professionals say current threat feeds have a significant issue with timeliness, and only 31 percent rated their threat intelligence as very accurate.

This lack of accuracy means IT staff must deal with vetting the feeds themselves. And this not only takes time, it takes IT resources: 68% of security professionals say their time is consumed chasing down false alerts and sifting through more than 17,000 malware alerts each week.

The solution to reducing this flood of data to only the most relevant alerts is not less data, it’s better data. There are three key areas to helping your security team become more efficient, and the security solution within Operations Management Suite (OMS) can help you with each.

  • Increase the diversity, scale, and variety of data
  • Implement machine learning and behavioral analytics
  • Utilize simple tools that make mitigation more efficient


The Operations Management Suite dashboard gives you a comprehensive and holistic view of all your environments, helping you turn raw data into actionable insights.

Microsoft Threat Intelligence: a global view of the threat landscape

To start, you must have the right data from a diverse spectrum of sources to get a true understanding of what is happening. Microsoft Threat Intelligence gathers data from the entire Microsoft footprint.

“We have trillions of data points coming in from billions of endpoints, and it’s that ability to understand and gain insight and take action based on that data that can make the difference,” said Brad Smith, President and Chief Legal Officer for Microsoft.

In addition to this, between our Digital Crimes Unit (DCU), the Cyber Defense Operations Command Center (CDOC), and the greater company, we employ thousands of the smartest security experts to protect our environments like Azure and Office 365. Through OMS, we share the information they gather with you, giving you unparalleled insights into the rapidly evolving threat landscape.

Analytics: Separate the signal from the noise

Operations Management Suite collects data from across your datacenters—Windows, Linux, Azure, on-premises, and AWS—and correlates it with the latest Microsoft threat intelligence to detect attacks targeting your organization. Not a list that is days old, but one that is updated in real time. It also applies behavioral analysis and anomaly detection to identify new threats, which align to known patterns of attack. You are provided with a list of the most pressing issues, immediately actionable and conveniently prioritized by the potential threat they pose.


A visual map of network traffic to known malicious IP addresses lets you quickly find and understand where real threats lie.

Tools: Take swift and efficient action

The demand for qualified information security staff has never been higher. In 2016, one million information security openings are expected worldwide.[4] While we can’t directly help you with hiring more security personnel, the threat intelligence within Operations Management Suite empowers your IT resources to be more efficient and helps reduce the time it takes to identify and respond to cyberthreats.

For example:

Operations Management Suite detects one of your computers communicating with known malicious IPs. The outgoing traffic is particularly alarming. With just a few clicks you can:

  • Isolate that specific machine
  • Block communication network-wide to the IPs
  • Use rapid search to find other actions taken by the attacker anywhere in your network
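The correlation behind this scenario can be sketched in a few lines. This is an added illustration, not Operations Management Suite code or its query language: the log format, the feed layout, the 24-hour freshness window, the 3x outbound weight and every name are assumptions, and the addresses are constructed from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 12, 5, 16, 0, tzinfo=timezone.utc)  # fixed clock for the sample
MAX_AGE = timedelta(hours=24)  # assumed freshness window for feed entries

# Constructed threat-intelligence feed: IP -> (last confirmed, confidence 0-100).
FEED = {
    "203.0.113.7": (NOW - timedelta(hours=2), 90),
    "198.51.100.9": (NOW - timedelta(hours=5), 60),
    "192.0.2.44": (NOW - timedelta(days=6), 95),  # stale: last confirmed days ago
}

# Constructed connection log, one record per line: host, direction, remote IP.
LOG = """\
web01 in 198.51.100.9
web01 in 192.0.2.44
hr-pc7 out 203.0.113.7
hr-pc7 out 203.0.113.7
db02 out 192.0.2.44
db02 out 10.0.0.5
"""

def fresh_indicators(feed, now=NOW, max_age=MAX_AGE):
    """Keep only indicators re-confirmed inside the freshness window."""
    return {ip: conf for ip, (seen, conf) in feed.items() if now - seen <= max_age}

def prioritize(log_text, feed):
    """Return [(host, score, matched IPs)] ordered by descending score."""
    indicators = fresh_indicators(feed)
    score, hits = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        host, direction, ip = line.split()
        if ip not in indicators:
            continue
        # Outbound traffic to a listed IP suggests the host is already
        # compromised, so it outweighs an inbound probe (assumed weight).
        score[host] += indicators[ip] * (3 if direction == "out" else 1)
        hits[host].add(ip)
    return sorted(((h, score[h], sorted(hits[h])) for h in score),
                  key=lambda row: -row[1])

def block_list(alerts):
    """Indicators to block network-wide: every IP matched in any alert."""
    return sorted({ip for _, _, ips in alerts for ip in ips})

if __name__ == "__main__":
    for host, s, ips in prioritize(LOG, FEED):
        print(f"{host:8} score={s:4} indicators={ips}")
```

The host at the top of the list is the isolation candidate, and `db02` raises no alert because its only match is against an indicator that aged out of the feed.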

Learn more about Operations Management Suite and our approach to security.

To find out how attackers are targeting organizations today, read Anatomy of a Breach.

Security in agile development
Microsoft Secure Blog Staff, 2016-12-01T16:12:02Z, 2016-12-01T16:00:53Z

This post is authored by Talhah Mir, Principal PM Manager, WWIT CP ISRM ACE

Most enterprises’ security strategies today are multifaceted, encompassing the security of a variety of elements of their IT environment, including identities, applications, data, devices, and infrastructure. This also includes driving or supporting security training and changes in culture and behavior for a more secure enterprise. But security really starts at the fundamental core, at the software development level. It’s here that security can be “built in” to ensure that applications meet the security requirements of enterprises today and are aligned to a holistic, end-to-end security strategy.

We recently published a white paper titled “Security for Modern Engineering,” which outlines some of the security best practices and learnings we have had on our journey to support modern engineering. Software engineering teams everywhere are trying to achieve greater effectiveness and efficiency as they face climbing competitive pressures for differentiation and constantly evolving customer demands. This is driving the need for significantly shorter time-to-market schedules that don’t compromise on the quality of software applications and services. To address this demand, modern engineering teams, like those in Microsoft IT, are adopting agile development methodologies, embracing DevOps (a merging of development and operations), and maintaining development infrastructure that supports continuous integration/continuous delivery. Today, a more secure application can be a differentiator as users of applications are becoming more aware and concerned about security.

There has never been a better time to push security automation and develop integrated security services for engineering teams as they think about operating in a modern engineering environment. Similar to how development, test, and operation roles have merged to shape today’s modern engineer, we at Microsoft continue to believe that a software security assurance program can yield much better results if the processes are baked seamlessly into the engineering process. This is what we advocated with the development of the Microsoft Security Development Lifecycle (SDL), which to this day continues to be a priority for a modern engineering practice. Security teams should leverage the momentum of automation to further enhance the security posture of their line-of-business application portfolio within their organization, helping to drive an effective, efficient, and competitive business.