The evolution of Microsoft Threat Protection, RSA edition

Last week, the Microsoft Security team attended the RSA conference in San Francisco, California. We made several key announcements about Microsoft Threat Protection, the solution which provides end users optimal security from the moment they log in, use email, work on documents, or utilize cloud applications and offers security professionals the benefit of minimal complexity while staying ahead of threats to their organization. As we previously alluded to, Microsoft Threat Protection is on a journey to provide organizations seamless, integrated, and comprehensive security across multiple attack vectors. In this RSA edition, we want to share where we are in this journey, the most recent new capabilities launched, and the vision of where we’re going as we continue executing toward our goal of offering best-in-class security for modern organizations.

The journey taken

Microsoft Threat Protection is supported by tremendous investment and focus across multiple engineering teams. Each month, we report discrete enhancements to the solution, but Figure 1 shows the many years of strategic investments and designed capabilities which helped create the solution we offer today. As the timeline demonstrates, each discrete enhancement is tied to the larger vision of Microsoft Threat Protection and our effort to ensure customers are offered the best and most secure threat protection available on the market. The roots of Microsoft Threat Protection stretch back to 2014, with the launch of advanced identity protection capabilities offered in Azure Active Directory Premium. Development of the Microsoft Intelligent Security Graph, which weaves our security services together, began shortly thereafter. Building on these strong foundations in identity protection (including security for on-premises identities) and intelligence, we then launched services securing email and documents, cloud apps, endpoints, and infrastructure. Over the last few years, we have leveraged the connectivity of the Intelligent Security Graph to integrate and seamlessly correlate signals across all our services, to help provide an optimized security experience with minimal complexity for customers.

Figure 1. The development timeline of Microsoft Threat Protection.

The journey is continuing, as we further enhance and develop capabilities which secure customers with Microsoft Threat Protection. Next, we look at announcements made at RSA this year, which are significant strides in our evolution toward the full potential of Microsoft Threat Protection.

Tomorrow’s SIEM, available today

Many organizations leverage Security Information and Event Management (SIEM) products to support their digital transformation. As the value of digital information continues to increase, so do the volume and sophistication of attacks. Several customers have told us their existing SIEM products are unable to keep pace.

To address this need, at RSA we announced the launch of Microsoft Azure Sentinel, which adds the benefits of a next-gen SIEM to the Microsoft Threat Protection solution. Azure Sentinel is a cloud-native solution, providing intelligent security analytics for the entire organization. With Azure Sentinel (Figure 2), collection of security data across the entire hybrid organization, from devices, to users, to apps, to servers on any cloud, is easy. It includes built-in artificial intelligence (AI) to help ensure threats are identified quickly, and it significantly reduces the burden of traditional SIEMs by eliminating the need to spend time setting up, maintaining, and scaling infrastructure. Since it is built on Azure, it offers nearly limitless cloud scale and speed to address your security needs. Traditional SIEMs are also expensive to own and operate, often requiring high upfront costs and continued high costs for infrastructure maintenance and data ingestion. With Azure Sentinel there are no upfront costs, as you pay for what you use. Additionally, organizations can bring their Office 365 activity data to Azure Sentinel for free. It takes just a few clicks to retain your Office 365 data within the Microsoft cloud. Learn more about Azure Sentinel and opt in for a trial today.

Figure 2. The Azure Sentinel – Overview portal.

Combining artificial intelligence with human expertise for unparalleled security

Human expertise will always be pivotal for strong security. However, by 2021, there will be an estimated shortage of 3.5 million security professionals. To help organizations benefit from the knowledge of seasoned security analysts, we announced Microsoft Threat Experts at RSA, adding another significant capability to Microsoft Threat Protection to augment customers' Security Operations Centers (SOCs). Microsoft Threat Experts is currently offered as part of our endpoint security service, Windows Defender ATP, and blends the benefits of human analysts with our industry-leading endpoint security service. Soon, Threat Experts will extend to cover more components of Microsoft Threat Protection. It is a new managed threat hunting service providing proactive hunting, prioritization, and additional context and data-driven insights, further helping SOCs identify and respond to threats quickly and accurately. Microsoft Threat Experts enables SOCs to jump-start threat investigations by providing context-rich intelligence. The feature offers:

  • Targeted attack notifications: Offers monitoring by Microsoft’s threat experts and provides notifications to customers in case a breach is identified. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response (IR) services is available.
  • Experts on demand (Figure 3): Security experts provide technical consultation on relevant detections and adversaries.

Figure 3. Microsoft Threat Experts “Ask a Threat Expert” button.

Learn more about Microsoft Threat Experts and check out these case studies that showcase the significant benefit of combined human and artificial intelligence. Get started on a Windows Defender ATP trial and begin your preview of Microsoft Threat Experts.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit Integrated and automated security. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin a trial of Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace. And check out part 2 of this blog, where we discuss a new unified SecOps experience, powerful new features to strengthen your cloud app security, unique automation capabilities launching in Office 365, and an early look at the full vision and scope of Microsoft Threat Protection.


Secure your digital transformation through simplicity with help from a new Forrester study

Sometimes, technology can make things overly complex.

Even with the best of intentions, there can be too much of a good thing. In the world of cybersecurity, complexity has been a mainstay, but in recent years, it has grown beyond its breaking point and has become a liability for security practitioners.

The Forrester study, titled Security Through Simplicity (Dec. 2018)—commissioned by the Microsoft Security team—clearly shows that digital transformation, while necessary for business success, compounds the complexity of an already tangled security threat landscape. However, the study also found a correlation between vendor consolidation and strategy modernization to reduce security complexity.

Digital transformation introduces new levels of complexity

Digital transformation is a critical shift under which businesses are using data-powered platforms and applications to improve nearly every aspect of their business operations. New open ecosystems and the democratization of data means more users in varied locations sharing data across more applications, devices, platforms, and environments—both internally and externally.

As businesses continue to digitize processes, security teams must contend with an increase in attack vectors and more complicated management, all while keeping pace with increasingly sophisticated attackers. In the face of this massive challenge, security teams must evaluate and refresh their legacy security procedures, tools, and skill sets to accommodate a new and adaptable approach to enterprise security.

In the study, paid for by Microsoft, Forrester asked 481 IT security decision makers, “How challenging are the following security goals/objectives to achieve?” and found them all to be highly or extremely challenging:

  • Correlate security alerts from disparate technologies to detect actual threats: 59%
  • Hire trained IT security staff: 57%
  • Modernize the organization's IT security strategies: 57%
  • Retrain IT security staff: 60%

Reducing security complexity

So how are enterprise IT security teams successfully reducing complexity to improve their security efforts in the face of digital transformation? The study found an interesting correlation between vendor consolidation and strategy modernization in successfully achieving both business and security initiatives, when executed in concert with each other.

A high number of disparate security solutions in place for on-premises and cloud infrastructure and applications makes visibility and central management extremely difficult. Reducing the number of disparate security point solutions that must interact with each other—particularly older, legacy ones—brings complexity down to a manageable level and allows businesses the visibility, security, and control to expand their digital adoption with confidence. Vendor consolidation and modernization can also yield cost savings by lowering technology budgets, increasing management efficiencies, and avoiding the costs of a data breach or regulatory noncompliance.

A small subset (11 percent) of enterprises that have successfully achieved both critical initiatives (modernization and vendor consolidation) have been able to reduce complexity and reap the rewards of digital transformation. These organizations are:

  • 54 percent more likely to feel that their IT security strategy helps them to digitally transform their organization.
  • 42 percent more likely to feel that their IT security strategy helps reduce risk of a customer data breach.
  • 33 percent more likely to feel that their IT security strategy improves their customers’ experiences.

Key recommendations

Companies undergoing digital transformation seek new ways to engage with customers, create additional revenue streams, and place innovation at the forefront of their corporate strategy. Failing to secure their digital assets can lead to those same organizations forfeiting hard-won successes.

Forrester’s in-depth survey of 481 IT security decision makers yielded several important recommendations:

  • Implement security by design.
  • Consolidate security vendors and security solutions.
  • Increase measurement, analytics, and reporting capabilities.
  • Discover and manage shadow IT.
  • Adapt security to users.

Get your copy of the full study.


Helping security professionals do more, better at this week’s RSA Conference in San Francisco

I’m on my way to the RSA Conference in San Francisco, California, and am looking forward to connecting with our customers and partners there. We have a lot to talk about. Last week, Ann Johnson announced two new services that we now offer to help empower our customers as they deal with the industry-wide cybersecurity talent crunch: Microsoft Azure Sentinel and Microsoft Threat Experts. Today, I’m excited to share more news about our work in security.

Leading integration across the industry

In the face of the cybersecurity talent shortage, our customers are increasingly reliant on their tools working together. We are part of a broad, heterogeneous ecosystem of technology providers, and we take seriously our responsibility to lead integration across them.

We’ve made progress to report on three fronts:

  • There are now 50 partners participating in the Microsoft Intelligent Security Association, a group of technology providers who have integrated their solutions with Microsoft products to provide customers better protection, detection, and response. New members include: Sophos, Citrix, Adobe, and Symantec.
  • The Microsoft Graph Security API now has new capabilities that allow you to share threat indicators to extend detection, easily invoke powerful investigation and remediation activities, and build better connected security apps and workflows without the need to code.
  • Azure Active Directory (Azure AD), which already provides authentication for more than 810,000 applications for our enterprise customers, now integrates with several Zscaler applications. With both Azure AD and Zscaler supporting the SCIM 2.0 standard, our joint customers can now use the Azure AD provisioning service to automate the lifecycle of user and group accounts, giving you a more secure and scalable way to allow user access to Zscaler applications.

Added security controls for Azure and Microsoft 365

In our own security products, we continue to invest heavily in capabilities that take advantage of the cloud and artificial intelligence (AI) to empower your team and let them focus on the most important tasks to protect against threats and keep information secure. We made several key strides in security to strengthen protection for our customers:

  • Threat intelligence-based filtering is now available for Azure Firewall. This addition enables customers to alert or deny traffic from/to malicious IP addresses and domains based on the near real-time data feed powered by the Microsoft Intelligent Security Graph.
  • Azure Security Center now leverages machine learning to reduce the attack surface of internet-facing virtual machines, and its application whitelisting controls have been extended to Linux and on-premises servers. The network map in Azure Security Center extends support for Virtual Network peering, a commonly used networking configuration in which traffic flows between Azure Virtual Networks through the Microsoft backbone.
  • Microsoft Threat Protection now provides automated investigation and remediation in the Microsoft Security Center, a unified console that helps SecOps teams spend their limited time on the most high-value tasks, like proactive hunting and strategic improvements.
  • We are extending our unique, native integration between Microsoft Cloud App Security and Azure AD conditional access. Out-of-the-box templates now enable organizations to configure some of our most popular policies, such as blocking the download of sensitive content in real time, within seconds.
  • New native capabilities in the Microsoft Office 365 version of Office client applications help document and email authors apply the right classification and sensitivity labels, helping you ensure information is protected in accordance with your organization’s policies.

Securing the Internet of Things (IoT)

IoT deployments can help organizations cut costs with predictive maintenance or create new revenue streams from connected products. Unfortunately, the security pro talent shortage makes it difficult to successfully plan the IoT security controls necessary. We worked with the Industrial Internet Consortium to produce a new IoT Security Maturity Model that provides clear industry best practices for evaluating your IoT risk profile and planning the remediation you need. We’ve also added a new deployment method to Azure Sphere to help you reduce risk across your entire fleet of IoT devices. The new guardian modules built on Azure Sphere bring the security of Azure Sphere to brownfield IoT devices, allowing your business groups to complete IoT deployments without increasing risk for your organization.

Connect with us at RSA

I’m proud to be part of the team driving all this innovation, but technology is not a silver bullet. Its role is simply to empower you—the defenders. On Wednesday, March 6, at 10:30 AM PST, Ann Johnson will speak in her keynote about other ways we, as an industry, can empower people. I encourage you to attend, if you’re at the conference. You can learn more about Microsoft security at booth 6059. We’d love to connect with you there, or in one of the sessions we’ll be leading—find out more about our activities at


Azure Security Center now leverages machine learning to reduce vulnerabilities of virtual machines

This is an exciting week for us at Microsoft. At RSA Conference 2019, we are announcing new and exciting capabilities in Azure and Microsoft 365. With this blog post, we wanted to share with you what we have been working on for Azure Security Center. Azure Security Center now leverages machine learning to reduce the attack surface of internet-facing virtual machines. Its adaptive application controls have been extended to Linux and on-premises servers, and its network map support now extends to peered virtual network (VNet) configurations.

Leveraging machine learning to reduce attack surface

One of the biggest attack surfaces for workloads running in the public cloud is their connections to and from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only reachable from the required source ranges. Security Center can now learn the network traffic and connectivity patterns of your Azure workload and provide you with NSG rule recommendations for your internet-facing virtual machines. This helps you better configure your network access policies and limit your exposure to attacks.

Azure Security Center uses machine learning to fully automate this process, including an automated enforcement mechanism, enabling its customers to better protect their internet facing virtual machines with only a few clicks. These recommendations also use Microsoft’s extensive threat intelligence reports to make sure that known bad actors are blocked.
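As an added example (not Azure Security Center's own code or algorithm), the script below shows the basic idea behind such recommendations: aggregate the sources actually observed reaching each exposed port, drop any source that threat intelligence flags so it never becomes an "allowed" range, and propose narrowed allow rules plus closure of ports that see no legitimate traffic at all. The flow records, the /24 aggregation, the denylist ranges and the rule text format are all constructed for illustration.

```python
"""Least-privilege inbound rule recommendations derived from observed flows.

Added example, not Azure Security Center's own code or algorithm. It
illustrates the approach described above: learn which sources reach an
internet-facing VM, then recommend rules that restrict each exposed port
to those sources, excluding sources that threat intelligence flags.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of inbound flows to one internet-facing VM:
# (source IP, destination port, bytes). Documentation ranges, not real traffic.
OBSERVED_FLOWS = [
    ("203.0.113.10", 443, 120_000),
    ("203.0.113.12", 443, 95_000),
    ("198.51.100.7", 22, 4_000),
    ("198.51.100.7", 22, 6_500),
    ("192.0.2.200", 22, 300),      # falls in the constructed denylist below
    ("192.0.2.201", 3389, 120),    # falls in the constructed denylist below
]

# Constructed threat-intelligence denylist (placeholder range, not a real IoC).
TI_DENYLIST = [ip_network("192.0.2.0/24")]

# Ports the VM currently exposes to the whole Internet via an allow-any rule.
EXPOSED_PORTS = {22, 443, 3389}


def is_flagged(src: str) -> bool:
    """True if the source address falls inside any denylisted range."""
    addr = ip_address(src)
    return any(addr in net for net in TI_DENYLIST)


def recommend_rules(flows, exposed_ports, prefix_len=24):
    """Return (rules, stale_ports).

    rules: dict port -> sorted list of source CIDRs to keep allowed, built
    from observed, non-flagged sources aggregated to /prefix_len.
    stale_ports: exposed ports with no legitimate observed traffic; these
    should be closed outright rather than narrowed.
    """
    seen = defaultdict(set)
    for src, port, _nbytes in flows:
        if port not in exposed_ports or is_flagged(src):
            continue  # flagged sources must never end up in an allow rule
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        seen[port].add(str(net))
    rules = {port: sorted(nets) for port, nets in seen.items()}
    stale_ports = sorted(exposed_ports - set(rules))
    return rules, stale_ports


def render_rules(rules, stale_ports):
    """Render the recommendation as readable rule lines (constructed format)."""
    lines = []
    for port, nets in sorted(rules.items()):
        for net in nets:
            lines.append(f"Allow Inbound TCP/{port} from {net}")
    for port in stale_ports:
        lines.append(f"Deny Inbound TCP/{port} from any (no legitimate traffic observed)")
    lines.append("Deny Inbound any from Internet (default after the allows above)")
    return lines


if __name__ == "__main__":
    recs, stale = recommend_rules(OBSERVED_FLOWS, EXPOSED_PORTS)
    print("\n".join(render_rules(recs, stale)))
```

The learning window matters in practice: rules derived from traffic that already contained attacker connections would legitimise them, which is why the flagged-source exclusion is part of the logic rather than an afterthought.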

Extending adaptive application controls

Adaptive application control is an intelligent, automated end-to-end application whitelisting solution from Azure Security Center. It helps you control which applications can run on your VMs located in Azure, which, among other benefits, helps harden your VMs against malware. Security Center uses machine learning to analyze the applications running on your VMs and helps you apply the specific whitelisting rules using this intelligence.

We are extending adaptive application controls in Azure Security Center to include Linux VMs and servers/VMs external to Azure (Windows and Linux) in audit mode. This means that Azure Security Center will identify applications running on your servers which are not in compliance with the Azure Security Center generated whitelisting rules and will audit those violations. This will enable you to detect threats that might otherwise be missed by antimalware solutions, to comply with your organization’s security policy that dictates the use of only licensed software, and to audit unwanted software that is being used in your environment.

Network map support for VNet peering

Azure Security Center’s network map has added support for virtual network peering, a configuration in which traffic flows between Azure Virtual Networks through the Microsoft backbone, as if they were virtual machines in the same virtual network, through private IP addresses only. The support includes displaying allowed traffic flows between peered VNets and peering related information on Security Center’s network map.

With these additions, Azure Security Center strengthens its role as the unified security management and advanced threat protection solution for your hybrid cloud workloads. We encourage you to take advantage of these new capabilities for all your Internet-exposed Azure resources. If you have not started using Azure Security Center in your Azure subscription, get started today.


Microsoft Threat Experts introduced to augment customer security operations

We’re excited to introduce Microsoft Threat Experts, an additional layer of expertise and optics that Microsoft customers can utilize to augment security operations capabilities as part of Microsoft 365. This new managed threat hunting service in Windows Defender Advanced Threat Protection provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately.

Microsoft Threat Experts enables SOCs to jump-start threat investigations by providing context-rich intelligence. This release of the service includes 2 capabilities:

  1. Targeted attack notifications: Alerts that are tailored to organizations provide as much information as can be quickly delivered to bring attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion.
  2. Experts on demand: When a threat exceeds the SOC’s capability to investigate, or when more actionable information is needed, security experts provide technical consultation on relevant detections and adversaries. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response (IR) services is available.

Microsoft Threat Experts

With Microsoft Threat Experts, SOCs can further improve defenses by tapping into our world-class security analysts. These experts deeply understand the security landscape and attacker techniques, have intimate knowledge of operating systems, and know how to get the most out of Windows Defender ATP’s features and capabilities. Our experience in battling attackers across more than a billion devices worldwide, together with the artificial intelligence (AI) necessary to harness such unprecedented optics and scale, makes our expert team unique and unmatched in the industry.

The next sections describe the two components of this new service in more detail.

Targeted attack notifications

Microsoft Threat Experts provides proactive hunting for the most important threats, such as human adversary intrusions, hands-on-keyboard attacks, and advanced attacks like cyberespionage. The managed threat hunting service includes:

  • Threat monitoring and analysis, reducing attacker dwell time and risk to business
  • Hunter-trained AI to discover and prioritize both known and unknown attacks
  • Identifying the most important risks, helping SOCs maximize time and energy
  • Scope of compromise and as much context as can be quickly delivered to enable fast SOC response

Custom Threat Experts alert in Windows Defender Security Center

Experts on demand

Customers can partner with Microsoft security experts, who can be engaged directly from within Windows Defender Security Center, for timely and accurate response. Experts provide insights needed to better understand complex threats, from the latest zero-day exploit to the root cause of a suspicious network connection. Through Microsoft Threat Experts, customers can:

  • Get additional clarification on alerts including root cause or scope of the incident
  • Gain clarity into suspicious machine behavior and recommended next steps if faced with an advanced attacker
  • Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
  • Seamlessly transition to Microsoft Incident Response (IR) services when necessary

Ask a Threat Expert button in Windows Defender Security Center

Partnership for improved security

In today’s climate of cybersecurity challenges, organizations must fend off relentless attacks even as they go through their journey of building and maturing their security capabilities. Through Microsoft Threat Experts, customers can partner with Microsoft throughout this journey to augment security operations capabilities to prevent, detect, and respond to threats. Customers and Microsoft can build upon each other’s expertise, intelligence, and insight through this partnership, forming a stronger defense against adversaries.

To illustrate the depth of intelligence and the value of the service to customers’ security defenses and overall security posture, we published two case studies for Microsoft Threat Experts on (1) human adversary-based activities related to a zero-day vulnerability and (2) complex “living off the land” threats.

Windows Defender ATP customers can now apply for preview through the Windows Defender Security Center. We will contact customers via email to confirm their participation.

Not yet reaping the benefits of Windows Defender ATP’s industry-leading optics and detection capabilities? Sign up for a free trial today.

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Windows Defender ATP community.

Follow us on Twitter @WDSecurity.


Microsoft Security Intelligence Report Volume 24 now available

The 24th edition of the Microsoft Security Intelligence Report (SIR) is now available. And this year, I’m thrilled to share that not only can you download the PDF, but you can also visit an online, interactive version that provides tools to filter and deep dive into the data. This edition of the report is a reflection on last year’s security events and includes an overview of the security landscape, lessons learned from the field, and recommended best practices. I know you may find some of the trends, such as the increase in cryptocurrency mining and supply chain activity, worrisome. But I also hope you’re encouraged to learn that the defensive techniques we’ve taken as a security community are paying off: there is good evidence that bad actors have been forced to change their tactics.

To create this report, the SIR team culled core insights and key trends out of a year’s worth of data from multiple, diverse sources. We analyzed the 6.5 trillion security signals that go through the Microsoft cloud every day. We gathered insights from thousands of security researchers based around the world, and we learned lessons from real-world experiences, like the Ursnif campaign and the Dofoil coin-miner outbreak. There is a lot going on, but the SIR team distilled the data down into four key trends:

  • Ransomware attacks are on the decline.
  • Cryptocurrency mining is prevalent.
  • Software supply chains are at risk.
  • Phishing remains a preferred attack method.

Ransomware attacks are on the decline

The decline of ransomware attacks that we saw in the 2018 data is a great example of how the security community is pushing bad actors to adjust. Just last year, we highlighted the large threat that ransomware played in the 2017 data, so this decline is notable. We believe that attackers have shifted from this highly visible method to more stealth attacks because users have gotten smarter about how they respond.

Cryptocurrency mining is prevalent

The decline in ransomware is good news; however, on the flip side we are seeing that cryptocurrency mining is prevalent. This is one of the methods that attackers have deployed in lieu of ransomware. Mining coins profitably requires an immense amount of computing power to perform complex calculations, so attackers install malware on users’ computers to “steal” the necessary computing power. The SIR report provides a great overview of how cryptocurrency works and other factors driving this trend.

Software supply chains are at risk

Software supply chain attacks are another trend that Microsoft has been tracking for several years. One supply chain tactic used by attackers is to incorporate a compromised component into a legitimate application or update package, which then is distributed to the users via the software. These attacks can be very difficult to detect because they take advantage of the trust that users have in their software vendors. The report includes several examples, including the Dofoil campaign, which illustrates how wide-reaching these types of attacks are and what we are doing to prevent and respond to them.

Phishing remains the preferred method of attack

It’s probably not surprising that phishing continues to be a popular method of attack, and we expect that to continue for the foreseeable future. The good news: much like ransomware, bad actors have shifted tactics in response to the more sophisticated tools and techniques that have been deployed to protect users. We uncovered a lot of details about these new phishing methods that we hope you find useful in your fight to defend against them.

Learn more

When I was a practitioner, I sought out reports like these to help me better understand attacker techniques and plan my defenses accordingly. I hope you find the insights, tips, and best practices that we’ve pulled together just as helpful. Download volume 24 of the Microsoft Security Intelligence Report and then dig into the data specific to your region in the interactive website. The site will be updated monthly, so you can keep up with emerging data and insights throughout the year.

Also, later in March, join me and my colleague, Jonathan Trull, for a webinar where we’ll dissect these trends in more detail and share best practices to help you protect your organization.

The SIR serves to share some of the intelligence and insights that Microsoft generates as part of our broader security operations work, but it is not the whole story. Please also make sure to check out today’s announcements on new Microsoft security innovations aimed at helping defenders capitalize on the latest security intelligence and protections to help them stay ahead in the evolving cybersecurity landscape.


New cloud-based technology to empower cyber defenders

Cybersecurity is about people. The frontline defenders who stand between the promise of digital transformation and the daily reality of cyber-attacks need our help. At Microsoft, we’ve made it our mission to empower every person and organization on the planet to achieve more. Today that mission is focused on defenders. We are unveiling two new cloud-based technologies in Microsoft Azure Sentinel and Microsoft Threat Experts that empower security operations teams by reducing the noise, false alarms, time consuming tasks and complexity that are weighing them down. Let me start by sharing some insight into the modern defender experience.

Every day Microsoft security professionals help organizations respond to threats at scale and through targeted incident response. In one recent example from the latest Security Intelligence Report, Microsoft experts were called in to help several financial services organizations deal with attacks launched by a state-sponsored group that had gained administrative access and executed fraudulent transactions, transferring large sums of cash into foreign bank accounts. When the attack group realized they had been detected, they rapidly deployed destructive malware that crippled the customers’ operations for several days. Microsoft experts were on site within hours, working around the clock with the customers’ security teams to restore normal business operations.

Incidents like this are a reminder that many defenders are overwhelmed by threats and alerts – often spending their days chasing down false alarms instead of investigating and solving complex cases. Compounding the problem is a critical shortage of skilled cyber defenders, with an estimated shortfall of 3.5 million security professionals by 2021. With today’s announcements we are unlocking the power of the cloud and AI for security to do what they do best—reason over vast amounts of security signal, spot anomalies and bring global scale to highly trained security professionals.

Too many enterprises still rely on traditional Security Information and Event Management (SIEM) tools that are unable to keep pace with the needs of defenders, volume of data or the agility of adversaries. The cloud enables a new class of intelligent security technologies that reduce complexity and integrate with the platforms and productivity tools you depend on. Today we are pleased to announce Microsoft Azure Sentinel, the first native SIEM within a major cloud platform. Azure Sentinel enables you to protect your entire organization by letting you see and stop threats before they cause harm. With AI on your side it helps reduce noise drastically—we have seen an overall reduction of up to 90 percent in alert fatigue with early adopters. Because it’s built on Azure you can take advantage of nearly limitless cloud speed and scale and invest your time in security and not servers. In just a few clicks you can bring in your Microsoft Office 365 data for free and combine it with your other security data for analysis.

Azure Sentinel is the product of Microsoft’s close partnership with customers on their journey to digital transformation. We worked hand in hand with dozens of customers and partners to rearchitect a modern security tool built from the ground up to help defenders do what they do best – solve complex security problems. Early adopters are finding that Azure Sentinel reduces threat hunting from hours to seconds.

Corey McGarry, Senior Technical Specialist, Enterprise Operations, Tolko Industries, Ltd., told me, “After using Microsoft Azure Sentinel for six months, it has become a go-to resource every morning. We get a clear visual of what’s happening across our network without having to check all our systems and dashboards individually. I haven’t seen an offering like Microsoft Azure Sentinel from any other company.”

Azure Sentinel supports open standards such as Common Event Format (CEF) and broad partner connections, including Microsoft Intelligent Security Association partners such as Check Point, Cisco, F5, Fortinet, Palo Alto and Symantec, as well as broader ecosystem partners such as ServiceNow. You can even bring your own insights and collaborate with a diverse community of defenders. Azure Sentinel blends the insights of Microsoft experts and AI with the unique insights and skills of your own in-house defenders and machine learning tools to uncover the most sophisticated attacks before they take root. Azure Sentinel helps empower SecOps teams to keep their organizations safe by harnessing the power, simplicity and extensibility of Azure to analyze data from Microsoft 365 and security solutions from other vendors. Azure Sentinel is available in preview today from the Azure portal.

[Screenshot: Azure Sentinel overview page with bar graph, map and other sample data]

Our approach to security is not only about applying the cloud and AI to your scale challenges, but also making the security operations experts who defend our cloud available to you. Therefore, we are pleased to announce Microsoft Threat Experts, a new service within Windows Defender ATP which provides managed hunting to extend the capability of your security operations center team. Through this service, Microsoft will proactively hunt over your anonymized security data for the most important threats, such as human adversary intrusions, hands-on-keyboard attacks, and advanced attacks like cyberespionage—helping your team prioritize the most important risks and respond quickly. The service also provides world-class expertise on demand. With the new “Ask a Threat Expert” button, your security operations team can submit questions directly in the product console. To join the public preview of Microsoft Threat Experts, apply in the Windows Defender ATP settings.

There are no easy answers or silver bullets for security, however the cloud is unlocking new capabilities. This is why we are putting the cloud and AI to work to extend and empower the defenders whose unique human insights are key to avoiding cyber threats. Azure Sentinel and Microsoft Threat Experts are two new capabilities that join our broad portfolio of security solutions across identity, endpoints, data, cloud applications and infrastructure. We look forward to showcasing Azure Sentinel and Microsoft Threat Experts at the RSA Conference next week and encourage you to stop by the Microsoft booth on the main show floor or any of our compelling sessions to learn more.



Securing the future of AI and machine learning: Early findings from new research paper

Artificial intelligence (AI) and machine learning are making a big impact on how people work, socialize, and live their lives. As consumption of products and services built around AI and machine learning increases, specialized actions must be undertaken to safeguard not only your customers and their data, but also to protect your AI and algorithms from abuse, trolling, and extraction.

We are pleased to announce the release of a research paper, Securing the Future of Artificial Intelligence and Machine Learning at Microsoft, focused on net-new security engineering challenges in the AI and machine learning space, with a strong focus on protecting algorithms, data, and services. This content was developed in partnership with Microsoft’s AI and Research group. It’s referenced in The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum, as well as cited in the Responsible bots: 10 guidelines for developers of conversational AI.

This document focuses entirely on security engineering issues unique to the AI and machine learning space, but due to the expansive nature of the InfoSec domain, it’s understood that issues and findings discussed here will overlap to a degree with the domains of privacy and ethics. As this document highlights challenges of strategic importance to the tech industry, the target audience for this document is security engineering leadership industry-wide.

Our early findings suggest that:

  1. Secure development and operations foundations must incorporate the concepts of Resilience and Discretion when protecting AI and the data under its control.
  • AI-specific pivots are required in many traditional security domains such as Authentication, Authorization, Input Validation, and Denial of Service mitigation.
  • Without investments in these areas, AI/machine learning services will continue to fight an uphill battle against adversaries of all skill levels.
  2. Machine learning models are largely unable to discern between malicious input and benign anomalous data. A significant source of training data is derived from un-curated, unmoderated public datasets that may be open to third-party contributions.
  • Attackers don’t need to compromise datasets when they are free to contribute to them. Such dataset poisoning attacks can go unnoticed while model performance inexplicably degrades.
  • Over time, low-confidence malicious data becomes high-confidence trusted data, provided that the data structure/formatting remains correct and the quantity of malicious data points is sufficiently high.
  3. Given the great number of layers of hidden classifiers/neurons that can be leveraged in a deep learning model, too much trust is placed on the output of AI/machine learning decision-making processes and algorithms without a critical understanding of how these decisions were reached.
  • AI/machine learning is increasingly used in support of high-value decision-making processes in medicine and other industries where the wrong decision may result in serious injury or death.
  • AI must have built-in forensic capabilities. This enables enterprises to provide customers with transparency and accountability of their AI, ensuring its actions are not only verifiably correct but also legally defensible.
  • When combined with data provenance/lineage tools, these capabilities can also function as an early form of “AI intrusion detection,” allowing engineers to determine the exact point in time that a decision was made by a classifier, what data influenced it, and whether or not that data was trustworthy.

Our goal is to bring awareness and energy to the issues highlighted in this paper while driving new research investigations and product security investments across Microsoft. Read the Securing the Future of Artificial Intelligence and Machine Learning at Microsoft paper to learn more.


Game for Safer Internet Day shows kids how to protect themselves online


1. Use complex, unique passwords for different accounts
If someone has your house key, they can enter and burglarize every room in your home. The same is true of passwords and online accounts. Too often we choose passwords that are easy to remember, such as names or birthday dates. But if it’s easy for you to remember, it’s likely to be easy for cybercriminals to guess. If you use the same, simple password for multiple accounts, then cybercriminals can – and will – be able to access all your sensitive personal information.

Use a password manager to save multiple passwords for different accounts safely, and make sure that each password is complex: at least 10 characters with a mixture of numbers, letters, capitalization and special characters.

2. Don’t accept invites from strangers on social media
Not everyone you meet online is who they claim to be. It’s common for cybercriminals to create fake social media profiles to foster relationships with unwary users and pick their cyber pockets – or worse.

If you’re approached by a stranger online who insists you share personal information or requests money, that should set off alarm bells. If possible, search for the person directly to see if the account is authentic. Still unsure about the person’s identity but want to accept their friend request anyway? Just to be on the safe side, limit the information that person can view on your profile using your privacy settings.

Remember: the same rules apply online as they do in the real world – don’t share sensitive or private information with strangers.

3. Online actions can have offline consequences
Think of the Internet like a town square or a sidewalk: it’s a public space, where anyone can see or share anything you publish, irrespective of whether it’s meant for them or if you’ve given permission.

Before you post something online, ask yourself: would I want my employer, customer or relative to know this? Even things like your relationship status or home address, which might seem harmless, can be misused if the wrong people see them.

4. Protect sensitive and personal information
With a few exceptions, unfortunately there is no permanent delete key for content posted online. Any image, comment or photo you post online is likely to remain there forever. Even if you remove the original post, you can’t be sure that others have not made copies or shared your content on other networks. So don’t put anything online that you wouldn’t want others to see.

5. Be careful where you click
A tried-and-tested cybercriminal tactic is to trick you into downloading malware that allows them to steal information. From a popular game to an email offering tech support, malware can be disguised in a variety of different ways.

Avoid downloading apps that look odd or come from an unknown site. Not sure if an email is legitimate? Ask yourself the following questions: Does the sender have a bizarre email address? Is the greeting impersonal? Are there a lot of spelling mistakes? Is there a strange sense of urgency?

If you’re still unsure, get in touch with the brand or company through their official channels such as their website or social media page. It is always better to triple check than risk compromising your security.

6. Update your privacy settings & antivirus
If you don’t update your defences, cybercriminals will eventually come up with a way to overcome them. Be sure to stay current with your operating system’s updates and make an effort to check the privacy settings on the applications and browser you use.

7. Always use a secure connection
When using a public internet connection, such as Wi-Fi in a shopping center, you have no direct control over its security. If you’re unable to establish a secure connection or ensure your device is protected, don’t share sensitive information. It’s safer to wait until you’re at home and using a secure Wi-Fi network.

8. Ask advice from those you trust
Never feel rushed to click on a link or publish a post. There is nothing more urgent than our online safety.

Navigating online threats can be stressful, but there are plenty of resources to help you out. Whenever you find yourself in a situation where you are unsure or suspicious, always defer to the expertise of those you trust – whether a friend, parent, teacher or even a technology partner.

Looking for a fun way to teach youth about internet safety? Download the free Safer Internet Day chatterbox and discussion guide.


Data loss prevention: Human error, insider threats and the in-between

Do you remember the first or last time you found a user had shared sensitive information with the wrong people?

Companies dedicate large amounts of resources and money towards establishing an airtight DLP policy to detect and protect company data and prevent it from getting into the wrong hands, whether deliberately or by mistake. But no matter how good the technology, or how vigilant the security team, there is always a wildcard: end users.

“A company can often detect or control when an outsider (non-employee) tries to access company data either physically or electronically, and can mitigate the threat of an outsider stealing company property. However, the thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access. That insider may steal solely for personal gain, or that insider may be a “spy”—someone who is stealing company information or products in order to benefit another organization or country.”

                Introductory guide to identifying malicious insiders, U.S. Federal Bureau of Investigation (FBI)


Figure 1: Statistics from the Insider Threat 2018 Report

From the above data we can see that insider threats are becoming a real concern for most organizations, and that active steps are taken to mitigate the risk inherent to these threats.

In this post we’ll discuss how regular users can expose sensitive data by wrongly classifying documents, how malicious users can take advantage of the encryption to exfiltrate data, and how Microsoft Cloud App Security’s new capability of scanning content in encrypted files, as well as the wider Microsoft Information Protection offering, can help organizations mitigate these risks.

The innocent mistake

While employees in the modern workplace are getting increasingly technologically savvy, and are finding new tools to improve their productivity, they aren’t always aware of the security implications of their actions.

Many of our customers are leveraging Microsoft Information Protection solutions to classify, label and protect their data. To minimize the impact on end users and their ability to be productive, these organizations often choose to empower their users to label documents themselves, by providing automatic suggestions but not auto-labeling or -protecting documents.

A user can inadvertently label a document containing highly confidential information with a low sensitivity label that applies minimal access restrictions. Since the file is already encrypted, it will not be scanned by the DLP solution, but might still be accessible to unauthorized people.

The malicious insider

A bigger threat, with a much higher potential for damage, is the malicious insider: someone who is actively working on exfiltrating sensitive information from the organization, whether for personal gain, corporate espionage or other reasons.

This malicious user might exploit the ability to encrypt files to purposefully classify a file as low sensitivity while inserting highly sensitive data, and then share it externally. As in the “mistake” scenario, this allows the file to pass the DLP solution’s scanning.

How does Microsoft Cloud App Security handle these risks?

Microsoft Cloud App Security has a wide set of tools targeted at handling insider threats. These include user behavior anomaly detections, cloud discovery anomaly detections, and the newly released ability to scan content of encrypted documents.

User anomaly detection

Microsoft Cloud App Security comes with a wide set of out-of-the-box anomaly detection policies that are activated by default as soon as the product is enabled. These detections look at the activities performed by users in sanctioned apps and define a usage baseline, leveraging UEBA capabilities to automatically identify any anomalous behaviors going forward.

An example of these types of detections, aimed at insider threats, is “Unusual file download activity by user”. This detection will create an alert whenever a user performs file downloads that differ from their usual pattern – a potential indicator of a data exfiltration attempt.
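The baseline-and-deviation idea behind a detection like “Unusual file download activity by user”, as an added illustration that is not Microsoft Cloud App Security code: the activity log format, the z-score threshold and the minimum-history and minimum-count floors are all assumptions chosen for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed activity log (not real telemetry), one event per line:
# "date,user,action,file". alice has a week of modest downloads; bob is sparse.
SAMPLE_LOG = "\n".join(
    [
        "2019-02-01,alice,download,q1-forecast.xlsx",
        "2019-02-01,alice,download,notes.docx",
        "2019-02-02,alice,download,roadmap.pptx",
        "2019-02-03,alice,download,budget.xlsx",
        "2019-02-03,alice,view,memo.docx",
        "2019-02-04,alice,download,memo.docx",
        "2019-02-05,alice,download,slides.pptx",
        "2019-02-05,alice,download,handbook.pdf",
        "2019-02-06,alice,view,handbook.pdf",
        "2019-02-07,alice,download,plan.docx",
        "2019-02-01,bob,download,readme.txt",
        "2019-02-04,bob,download,readme.txt",
        "2019-02-08,bob,download,readme.txt",
    ]
    # Day 8: alice bulk-downloads 40 files, the pattern the detection targets.
    + [f"2019-02-08,alice,download,export-{i:02d}.xlsx" for i in range(40)]
)


def daily_download_counts(lines):
    """Return {user: {date: downloads}}, recording every day the user was active."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        date, user, action, _file = line.split(",", 3)
        counts[user][date] += 1 if action == "download" else 0
    return counts


def unusual_download_days(lines, min_days=5, z_threshold=3.0, min_count=10):
    """Flag days whose download count is far above the user's own prior baseline.

    The baseline is learned only from earlier days (no look-ahead) and needs at
    least min_days of history; min_count stops single-digit blips from alerting
    for users whose normal volume is near zero.
    """
    alerts = []
    for user, by_day in daily_download_counts(lines).items():
        history = []
        for date in sorted(by_day):
            count = by_day[date]
            if len(history) >= min_days:
                base_mean = mean(history)
                spread = max(pstdev(history), 1.0)  # avoid dividing by ~0
                z = (count - base_mean) / spread
                if z >= z_threshold and count >= min_count:
                    alerts.append({"user": user, "date": date, "count": count,
                                   "baseline_mean": round(base_mean, 2),
                                   "z": round(z, 1)})
            history.append(count)
    return alerts


if __name__ == "__main__":
    for alert in unusual_download_days(SAMPLE_LOG.splitlines()):
        print(alert)
```

bob never accumulates enough history to be scored, so a sparse user does not generate noise; alice's day 8 is the only alert.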

Cloud anomaly detection

In addition to the user anomaly detections for sanctioned apps, Cloud App Security also offers detections aimed at identifying suspicious behavior of users in unsanctioned applications. These detections are based on the data we get and analyze as part of our Cloud Discovery capabilities.

An example for such a detection is “Data exfiltration to unsanctioned apps”, which looks at the amount of data being uploaded by users to unsanctioned applications – one of the most common scenarios of insider threat data exfiltration.

Content inspection of encrypted files

We have recently released the ability for an admin to allow MCAS to scan the content of files that are protected by Azure Information Protection. After enabling this functionality, the admin can define MCAS file policies to inspect the content of encrypted files, and generate an alert, or take an action based on the match.

This functionality ensures that files are handled according to their actual content, even if they are labeled incorrectly, thus preventing sensitive data from leaving the organization, whether by mistake or by design.
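A simplified model of the mislabeled-file problem from both scenarios above and of a content-based file policy, added here as an example rather than the product's own logic. Encryption is simulated with a flag on each constructed record, the sensitivity labels and the card-number detector are assumptions, and the "scan protected files" switch stands in for the admin setting described in the text.

```python
import re

# Constructed file records (not real documents). Encryption is simulated: a
# protected file carries its plaintext plus a flag; a real service would have
# to be granted decryption rights before it could inspect the content.
FILES = [
    {"name": "vendor-payments.xlsx", "label": "General", "protected": True,
     "shared_externally": True,
     "content": "Pay card 4111 1111 1111 1111 by Friday"},      # mislabeled
    {"name": "team-lunch.docx", "label": "General", "protected": False,
     "shared_externally": True,
     "content": "Order #1234 5678 9012 3456 confirmed"},        # not a card
    {"name": "board-deck.pptx", "label": "Highly Confidential", "protected": True,
     "shared_externally": False,
     "content": "Card on file 5555 5555 5555 4444"},            # labeled right
]

SENSITIVITY_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, separators allowed


def luhn_ok(digits):
    """Standard Luhn checksum; filters order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return normalized card numbers in text that pass the Luhn check."""
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect_files(files, scan_protected, required_label="Highly Confidential"):
    """File policy: card numbers require required_label; flag files labeled lower.

    With scan_protected=False, encrypted files are skipped entirely, which is how
    a mislabeled-but-encrypted file slips past DLP in both scenarios.
    """
    findings = []
    for f in files:
        if f["protected"] and not scan_protected:
            continue
        cards = find_card_numbers(f["content"])
        if not cards:
            continue
        if SENSITIVITY_RANK[f["label"]] >= SENSITIVITY_RANK[required_label]:
            continue  # content and label agree; nothing to do
        action = "block_external_sharing" if f["shared_externally"] else "alert"
        findings.append({"file": f["name"], "label": f["label"],
                         "matches": len(cards), "action": action})
    return findings


if __name__ == "__main__":
    print("legacy:", inspect_files(FILES, scan_protected=False))
    print("scanning protected files:", inspect_files(FILES, scan_protected=True))
```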


Figure 2: Policy setting to allow Microsoft Cloud App Security to scan files protected with AIP

Human error and malicious intent will forever be a part of organizational lifecycles. While we cannot eliminate them completely, it’s our goal to enable IT and Security admins to minimize this risk. With our advanced capabilities and unique set of insights, Microsoft Cloud App Security and the wider Microsoft Information Protection offering help organizations to protect their sensitive information – wherever it lives or travels.

More info and feedback

Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Learn more about Microsoft Information Protection.