
Rethinking cyber learning? Consider gamification

As promised, I’m back with a follow-up to my recent post, Rethinking how we learn security, on how we need to modernize the learning experience for cybersecurity professionals by gamifying training to make learning fun. Some of you may have attended the recent Microsoft Ignite events in Orlando and Paris. I missed the conferences (ironically, due to attending a cybersecurity certification boot camp) but heard great things about the Microsoft/Circadence joint Into the Breach capture the flag exercise.

If you missed Ignite, we’re planning several additional Microsoft Ignite The Tour events around the world, where you’ll be able to try your hand at this capture the flag experience. Look for me at the Washington, DC event in early February.

In the meantime, due to the great feedback I received from my previous blog—which I do really appreciate, especially if you have ideas for how we should tackle the shortage of cyber professionals—I’ll be digging deeper into the mechanics of learning to understand what it really takes to learn cyber in today’s evolving landscape.

Today, I want to address the important questions of how a new employee could actually ramp up their learning, and how employers can prepare employees for success and track the efficacy of the learning curriculum. Once again, I’m pleased to share this post with Keenan Skelly, chief evangelist at Boulder, Colorado-based Circadence.

Here are some of her recommendations from our Q&A:

Q: Keenan, in our last blog, you discussed Circadence’s “Project Ares” cyber learning platform. How do new cyber practitioners get started on Project Ares?

A: The way that Project Ares is set up allows for a user to acquire a variety of different skill levels when launched. It’s important to understand what kind of work roles you’re looking to learn about as a user as well as what kinds of tools you’re looking to understand better before you get started on Project Ares. For example, if I were to take some of my Girls Who Code or Cyber Patriot students and put them into the platform, I would probably have them start in the Battle School. This is where they’re going to learn about basic cybersecurity fundamentals such as ports and protocols, regular expressions, and the cyber kill chain. Then they can transition into Battle Rooms, where they’ll start to learn about very specific tools, tactics, and procedures or TTPs, for a variety of different work roles. If you’re a much more skilled cyber ninja, however, you can probably go ahead and get right into Missions, but we do recommend that everyone who comes into Project Ares does some work in the Battle Rooms first, specifically if they are trying to learn a tool or a skill for their work role.

Project Ares also has a couple of different routes that an expert or an enterprising cybersecurity professional can come into that are really focused more on their role. For example, we have an assessments area based entirely on the work role. This aligns to the NIST framework and the NICE cybersecurity work roles. For example, if you’re a network defender, you can come into that assessment pathway and have steps laid out before you to identify your skill level in that role as you see below:

Assessment pathway.

Q: What areas within Project Ares do you recommend for enterprise cyber professionals to train against role-based job functions and prepare for cyber certifications?

A: You might start with something simple like understanding very basic things about your work role through a questionnaire in the Battle School arena as seen in the illustrations below. You may then move into a couple of Battle Rooms that tease out very detailed skills in tools that you would be using for that role. And then eventually you’ll get to go into a mission by yourself, and potentially a mission with your entire team to really certify that you are capable in that work role. All this practice helps prepare professionals to take official cyber certifications and exams.

Battle School questionnaire.

Battle School mission.

Q: Describe some of the gamification elements in Project Ares and share how it enhances cyber learning.

A: One of the best things about Project Ares is gamification. Everyone loves to play games, whether it’s on your phone playing Angry Birds, or on your computer or gaming console. So we really tried to put a lot of gaming elements inside Project Ares. Since everything is scored within Project Ares, everything you do from learning about ports and protocols, to battle rooms and missions, gives you experience points. Experience points add up to skill badges. All these things make learning more fun for the user. For example, if you’re a defender, you might have skill badges in infrastructure, network design, network defense, etc. And the way Project Ares is set up, once you have a certain combination of those skill badges you can earn a work role achievement certificate within Project Ares.

This kind of thing is taken very much from Call of Duty and other types of games where you can really build up your skills by doing a very specific skill-based activity and earn points towards badges. One of the other things that is great about Project Ares is it’s quite immersive. For example, Missions allows a user to come into a specific cyber situation or cyber response situation (e.g., water treatment plant cyberattack) and have multimedia effects that demonstrate what is going on—very much reflective of that cool guy video look. Being able to talk through challenges in the exercises with our in-game advisor, Athena, adds another element to the learning experience as shown in the illustration below.

Athena was inspired by the trends of personal assistants like Cortana and other such AI-bots, which have been integrated into games. So things like chat bots, narrative storylines, and skill badges are super important for really immersing the individual in the process. It’s so much more fun, and easier to learn things in this way, as opposed to sitting through a static presentation or watching someone on a video and trying to learn the skill passively.

Athena—the in-game advisor.

Q: What kinds of insights and reporting capabilities can Project Ares deliver to cyber team supervisors and C-Suite leaders to help them assess cyber readiness?

A: Project Ares offers a couple of great features that are good for managers, all the way up to the C-Suite, who are trying to understand how their cybersecurity team is doing. The first one is called Project Ares Trainer View. This is where a supervisor or manager can jump into the Project Ares environment, with the students or with the enterprise team members, and observe in a couple of different ways.

The instructor or the manager can jump into the environment as Athena, so the user doesn’t know that they are there. They can then provide additional insight or help that is needed to a student. A supervisor or leader can also jump in as the opponent, which gives them the ability to see someone who is just breezing by everything and maybe make it a little more challenging. Or they can just observe and leave comments for the individuals. This piece is really helpful when we’re talking about managers who are looking to understand their team’s skill level in much more detail.

The other piece of this is a product we have coming out soon called Dendrite—an analytics tool that looks at everything that happens in Project Ares. We record all the keystrokes and chats a user had with Athena or with other team members while in a mission or battle room. Cyber team leads can then see what’s going on. Users can see what they’re doing well, and not doing well. This feedback can be provided up to the manager level, the senior manager level, and even to the C-Suite level to demonstrate exactly where that individual is in their particular skill path. It helps the cyber team leads understand what tools are being used appropriately and which tools are not being used appropriately.

For example, if you’re a financial institution and you paid quite a bit of money for Tanium, but upon viewing tool use in Dendrite you find that no one is using it, it might prompt you to rethink your strategy on how to use tools in your organization or look at how you train your folks to use those tools. These types of insights are absolutely critical if you want to understand the best way to grow the individual in cybersecurity and make sure they’re really on top of their game.

The Dendrite assessment and analysis solution.

Q: How can non-technical employees improve their cyber readiness?

A: At Circadence, we don’t just provide learning capabilities for advanced cyber warriors. For mid-range people just coming into the technical side of cybersecurity, we have an entire learning path that starts with a product called inCyt. Now, inCyt is a very fun browser-based game of strategy where players have some hackable devices they must protect—like operating systems and phones. Meanwhile, your opponent has the same objective: protect their devices from attacks. Players continually hack each other by gathering intel on their opponent and then launching different cyberattacks. While they’re doing this, players get a fundamental understanding of the cyber kill chain. They learn things like what reconnaissance means to a hacker, what weaponizing means to a hacker, what deploying that weapon means to a hacker, so they can start to recognize that behavior in their everyday interactions online.

Some people ask why this is important and I always say, “I used to be a bomb technician, and there is no possible way I could defuse an IED or nuclear weapon without understanding how those things are put together.” It’s the same kind of concept.

It’s impossible to assume that someone is going to learn cyber awareness by answering some questions or watching a five-minute phishing tutorial after they have already clicked a link in a suspicious email. Those are very reactive ways of learning cyber. inCyt is very proactive. And we want to teach you an in-depth understanding of what to look for, not just for phishing but for all the attacks we’re susceptible to. inCyt is also being used by some of our customers as a preliminary gate track for those who are interested in cybersecurity. So if you demonstrate a very high aptitude within inCyt, we would send you over to our CyberBridge portal where you can start learning some of the basics of cybersecurity to see if it might be the right field for you. Within our CyberBridge access management portal, you can then go into Project Ares Academy, which is just a lighter version of Project Ares.

Professional and Enterprise licenses in Project Ares pave more intricate learning pathways for people to advance in learning, from novice to expert cyber defender. You’ll be able to track all metrics of where you started, how far you came, what kind of skill path you’re on, and what kind of skill path you want to be on. Very crucial items for your own work role pathway.

How to close the cybersecurity talent gap

Keenan’s perspective and the solution offered by Project Ares really help us understand how to train security professionals and give them the hands-on experience they require and want. We’re in interesting times, right? With innovations in machine learning and artificial intelligence (AI), we’re increasingly able to pivot from reactive cyber defense to get more predictive. Still, right now we’re facing a cybersecurity talent gap of up to 4 million people, depending on which analyst group you follow. The only way that we’re going to get folks interested in cybersecurity is to make it exactly what we have been talking about: a career-long opportunity to learn.

Make it something that they can attain, they can grow in, and see themselves going from a novice to a leader in an organization. This is tough right now because there are relatively few cybersecurity operators compared to demand, and the operators on the front lines are subject to burnout. With uncertain and undefined career paths beyond tactical SecOps, what is there to look forward to?

We need to get better as a community in cybersecurity, not only at protecting the cybersecurity defenders we already have, but also at bringing in new cybersecurity defenders and offenders who are really going to push the boundaries of where we’re at today. This is where we have an excellent and transformational opportunity to introduce more immersive and gamified learning to improve the learning experience and put our people in a position to succeed.

Learn more

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligent security solutions, see Achieve an optimal state of Zero Trust.

You can also watch my full interview with Keenan.

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


New cyberattacks targeting sporting and anti-doping organizations

Today we’re sharing that the Microsoft Threat Intelligence Center has recently tracked significant cyberattacks originating from a group we call Strontium, also known as Fancy Bear/APT28, targeting anti-doping authorities and sporting organizations around the world. As the world looks forward with anticipation to the Tokyo Summer Games in 2020, we thought it important to share information about this new round of activity.

At least 16 national and international sporting and anti-doping organizations across three continents were targeted in these attacks, which began September 16th, just before news reports about new potential action being taken by the World Anti-Doping Agency. Some of these attacks were successful, but the majority were not. Microsoft has notified all customers targeted in these attacks and has worked with those who have sought our help to secure compromised accounts or systems.

This is not the first time Strontium has targeted such organizations. The group reportedly released medical records and emails taken from sporting organizations and anti-doping officials in 2016 and 2018, resulting in a 2018 indictment in federal court in the United States.

The methods used in the most recent attacks are similar to those routinely used by Strontium to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world. Strontium’s methods include spear-phishing, password spray, exploiting internet-connected devices and the use of both open-source and custom malware.

We’ve previously announced separate Strontium activity we’ve seen targeting organizations involved in the democratic process and have described the legal steps we routinely take to prevent Strontium from using fake Microsoft internet domains to execute its attacks. Additionally, the data and information we learn from our disruption work is used to improve the security and security features of our products and services.

As we’ve said in the past, we believe it’s important to share significant threat activity like that we’re announcing today. We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet. We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.

You can protect yourself from these types of attacks in at least three ways. We recommend, first, that you enable two-factor authentication on all business and personal email accounts. Second, learn how to spot phishing schemes and protect yourself from them. Third, enable security alerts about links and files from suspicious websites.
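Password spray, one of the Strontium techniques listed above, leaves a distinctive sign-in pattern: a single source fails once or twice against many different accounts, rather than many times against one, so that per-account lockout thresholds are never reached. The following is an added example, not Microsoft's or MSTIC's detection logic, of a small detector that flags that pattern over constructed sign-in log lines. The log format (timestamp, user, source IP, result), the 10-minute window and the thresholds are assumptions for the example; a real deployment would read its identity provider's sign-in logs and tune the thresholds to its user population.

```python
"""Toy password-spray detector over constructed sign-in log lines.

Added example; not Microsoft's or MSTIC's detection code. The log format
(ISO timestamp, user, source IP, result), the window and thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.7 tries one password against many accounts
# (spray, one success); 198.51.100.9 hammers a single account (brute
# force, not spray); 10.0.0.50 is a user who mistyped once.
SAMPLE_LOG = """\
2019-09-16T08:00:01Z alice 10.0.0.7 FAILURE
2019-09-16T08:00:03Z bob 10.0.0.7 FAILURE
2019-09-16T08:00:05Z carol 10.0.0.7 FAILURE
2019-09-16T08:00:07Z dave 10.0.0.7 FAILURE
2019-09-16T08:00:09Z erin 10.0.0.7 FAILURE
2019-09-16T08:00:11Z frank 10.0.0.7 SUCCESS
2019-09-16T08:00:02Z grace 198.51.100.9 FAILURE
2019-09-16T08:00:04Z grace 198.51.100.9 FAILURE
2019-09-16T08:00:06Z grace 198.51.100.9 FAILURE
2019-09-16T08:00:08Z grace 198.51.100.9 FAILURE
2019-09-16T08:00:10Z grace 198.51.100.9 FAILURE
2019-09-16T08:00:12Z grace 198.51.100.9 FAILURE
2019-09-16T08:05:00Z heidi 10.0.0.50 FAILURE
2019-09-16T08:05:20Z heidi 10.0.0.50 SUCCESS
"""


def parse_log(text):
    """Parse 'timestamp user source_ip result' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted targeted accounts} for every source that,
    inside one `window`, failed against at least `min_accounts` distinct
    accounts while never exceeding `max_per_account` failures on any one
    of them. Many failures on one account (brute force) is not flagged."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures_by_ip[ip].append((ts, user))

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[ip] = sorted(per_user)
                break
    return findings


def compromised_after_spray(events, findings):
    """Accounts with a SUCCESS from a spraying source: lock and reset these first."""
    hits = {user for _, user, ip, result in events
            if ip in findings and result == "SUCCESS"}
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_password_spray(evts)
    for ip, users in found.items():
        print(f"password spray from {ip} against {len(users)} accounts: {', '.join(users)}")
    print("possibly compromised:", compromised_after_spray(evts, found))
```

The success from the spraying source is the event that matters: the first recommendation above, two-factor authentication, is what turns a guessed password into a failed sign-in instead of a compromised account, and a detector like this tells you which accounts to reset when a password was guessed anyway.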



CyberPeace Institute fills a critical need for cyberattack victims

Today, with the launch of the CyberPeace Institute, the world will gain an important new ally in understanding the impact of cyberattacks, in working to develop rules for proper conduct in cyberspace and in helping the most vulnerable victims of cyberattacks become more resilient.

Today’s news is important because cybersecurity is one of the more critical issues of our time. The escalating attacks we’ve seen in recent years are not just about computers attacking computers – these attacks threaten and often harm the lives and livelihoods of real people, including their ability to access basic services like health care, banking and electricity. In May 2017 it took the WannaCry attack just hours to impact more than 300,000 computers in 150 countries including systems that supported the National Health Service in Great Britain. Six weeks later, NotPetya disabled an estimated 10 percent of all computers in Ukraine, crippling businesses, transit systems and banks there before halting the systems of multinational corporations around the world and suspending operations of one of the world’s leading shipping companies. At Microsoft we track cyberattacks by dozens of nation-state actors, and activity continues to increase.

It will take a multi-stakeholder effort to address these issues. The internet is the creation of the private sector, which is primarily responsible for its operation, evolution and security. But governments have an important role to play in observing and enforcing norms for conduct in cyberspace and in deterring damaging attacks by other nations. Governments, the private sector, civil society and academia must be part of discussing solutions and taking concrete steps to protect people. Badly needed in the fight against cyberattacks is a credible source of research and analysis about the impact of cyberattacks around the globe on world citizens. Another important gap is the need for immediate help and advocacy for the most vulnerable victims of these attacks. For years, nongovernmental organizations around the world have provided on-the-ground help and vocal advocacy for victims of wars and natural disasters, and have convened important discussions about protecting the victims they serve. It’s become clear that victims of attacks originating on the internet deserve similar assistance, and the CyberPeace Institute will do just that.

For these reasons, Microsoft has joined the Hewlett Foundation, Mastercard and other leading organizations as initial funders of the institute. The institute will be independent, and we anticipate it will have significant impact in the three core areas where it will function:

  • Assistance: Coordinating recovery efforts for the most vulnerable victims of cyberattacks and helping vulnerable communities and organizations become more resilient to attacks.
  • Accountability: Facilitating the collective analysis, research and investigation of cyberattacks, including by assessing their harm, and bringing greater transparency to the problem so everyone has better information to inform action.
  • Advancement: Promoting responsible behavior in cyberspace and advancing international laws and rules.

While the institute will fill an important unmet need, it joins a range of other critical work underway to help secure the internet. The Cybersecurity Tech Accord, a global voice for the tech community, now includes more than 100 companies committed to principles like protecting all customers around the world and opposing cyberattacks on civilians. The Paris Peace Call for Trust & Security in Cyberspace has signatories from 67 countries, 139 international and civil society organizations, and 358 private companies and entities committed to preventing cyber activity that threatens the availability of the internet, stopping internet-enabled interference in elections and guarding against supply chain attacks. And the United Nations has important processes underway to build consensus on new rules that have the potential of protecting billions.

We’re encouraged by all of these efforts and by the potential the CyberPeace Institute has to improve people’s lives, and we believe that as other companies, nonprofits and individuals see the institute’s progress in the coming months, they will join the effort to back its important work.



New cyberthreats require new ways to protect democracy

Man and woman look at Microsoft ElectionGuard demos
Microsoft ElectionGuard demos on July 17, 2019 at the Aspen Security Forum in Aspen, Colorado.

Starting today at the Aspen Security Forum we’re demonstrating the first voting system running Microsoft ElectionGuard as an example of how ElectionGuard can enable a new era of secure, verifiable voting. The demo shows how it’s also possible to make voting more accessible for people with disabilities and more affordable for local governments while increasing security. Finding new ways to ensure that voters can trust the election process has never been more important. The world’s democracies remain under attack as new data we are sharing today makes clear. ElectionGuard and the range of offerings from Microsoft’s Defending Democracy Program, as well as tools from others in the technology industry and academia are needed more than ever to help defend democracy.

Let’s start with a quick look at the newest data available to us. In the past year, Microsoft has notified nearly 10,000 customers they’ve been targeted or compromised by nation-state attacks. About 84% of these attacks targeted our enterprise customers, and about 16% targeted consumer personal email accounts. While many of these attacks are unrelated to the democratic process, this data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics or achieve other objectives.

The majority of nation-state activity in this period originated from actors in three countries – Iran, North Korea and Russia. We have seen extensive activity from the actors we call Holmium and Mercury operating from Iran, Thallium operating from North Korea, and two actors operating from Russia we call Yttrium and Strontium. This data has been compiled by the Microsoft Threat Intelligence Center which works every day to track these global threats. We build this intelligence into our security products to protect customers and use it in support of our efforts to disrupt threat actor activities through direct legal action or in collaboration with law enforcement. But let’s be clear – cyberattacks continue to be a significant tool and weapon wielded in cyberspace. In some instances, those attacks appear to be related to ongoing efforts to attack the democratic process.

Since the launch of Microsoft AccountGuard last August, we have uncovered attacks specifically targeting organizations that are fundamental to democracy. We have steadily expanded AccountGuard, our threat notification service for political campaigns, parties, and democracy-focused nongovernmental organizations (NGOs), to include 26 countries across four continents. While this service is relatively new, we’ve already made 781 notifications of nation-state attacks targeting organizations participating in AccountGuard. This data shows that democracy-focused organizations in the United States should be particularly concerned as 95% of these attacks have targeted U.S.-based organizations. By nature, these organizations are critical to society but have fewer resources to protect against cyberattacks than large enterprises.

Many of the democracy-focused attacks we’ve seen recently target NGOs and think tanks, and reflect a pattern that we also observed in the early stages of some previous elections. In this pattern, a spike in attacks on NGOs and think tanks that work closely with candidates and political parties, or work on issues central to their campaigns, serve as a precursor to direct attacks on campaigns and election systems themselves. We saw such attacks in the U.S. presidential election in 2016 and in the last French presidential election. In 2018 we announced attacks targeting, among others, leading U.S. senatorial candidates and think tanks associated with key issues at the time. Earlier this year we saw attacks targeting democracy-focused NGOs in Europe close to European elections. As we head into the 2020 elections, given both the broad reliance on cyberattacks by nation-states and the use of cyberattacks to specifically target democratic processes, we anticipate that we will see attacks targeting U.S. election systems, political campaigns or NGOs that work closely with campaigns.

So the problem is real and unabated. It is time to find solutions. Governments and civil society have important roles to play, but the tech industry also has a responsibility to help defend democracy. As part of our contribution at Microsoft, we believe ElectionGuard will be an important tool to protect the voting process and to ensure that all voters can trust the outcome of free democratic elections. We are excited that attendees of the Aspen Security Forum will be able to try our ElectionGuard demo. While ElectionGuard can run on a range of new or existing voting systems using hardware from a variety of manufacturers, the demo we’re showing this week was built using a Microsoft Surface tablet in kiosk mode, an Xbox Adaptive Controller as an optional accessible input device, and a standard printer.

Our ElectionGuard demo will showcase three core features.

First, people will be able to vote directly on the screen of the Microsoft Surface or using the Xbox Adaptive Controller, which Microsoft originally built in close partnership with organizations like the Cerebral Palsy Foundation to meet the needs of gamers with limited mobility. We hope this will help show the community how accessibility hardware can be built securely and inexpensively into primary voting systems and no longer requires separate voting machines to meet the needs of those with disabilities – ultimately making it easier for more people to vote.

Second, people using the demo will be provided with a tracking code that, when voting is complete, they will be able to enter into a website to confirm their vote was counted and not altered; the website will not display their actual votes. In the ElectionGuard software development kit (SDK) this verification feature will be enabled by homomorphic encryption, which allows mathematical procedures – like counting votes – to be done while keeping the data of people’s actual votes fully encrypted. The use of homomorphic encryption in election systems was pioneered by Microsoft Research under the leadership of Senior Cryptographer Josh Benaloh. This tracking code is a key feature of the ElectionGuard technology. For the first time voters will be able to independently verify with certainty that their vote was counted and not altered. Importantly, in its final form the ElectionGuard SDK will also enable voting officials, the media, or any third party to use a “verifier” application to similarly confirm that the encrypted vote was properly counted and not altered.
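To make the mechanism in the paragraph above concrete, here is an added example, not ElectionGuard's own code, of the three pieces it describes: an additively homomorphic encryption of each ballot, a tracking code derived from the encrypted ballot, and a verifier that checks the published tally without any secret key. It uses exponential ElGamal, the same construction ElectionGuard is built on, but over a deliberately tiny group (p = 1019) so the arithmetic is readable; the real SDK uses a 4096-bit prime, many trustees sharing the key, multiple contests per ballot, and a proof on every ballot that it encrypts 0 or 1, all of which are omitted here. The group parameters, the SHA-256 tracking code and the function names are assumptions for the example.

```python
"""Toy end-to-end verifiable tally: exponential ElGamal + tracking codes.

Added example; not ElectionGuard code. Tiny parameters, insecure by design.
"""
import hashlib
import secrets

P = 1019   # safe prime, P = 2*Q + 1 (toy size; a real system uses ~4096 bits)
Q = 509    # prime order of the subgroup we work in
G = 4      # generator of the order-Q subgroup of quadratic residues mod P


def keygen(s=None):
    """Trustee secret s and public key K = g^s. (Fixed s only for tests.)"""
    s = secrets.randbelow(Q - 1) + 1 if s is None else s
    return s, pow(G, s, P)


def encrypt(K, vote, r=None):
    """Exponential ElGamal: (g^r, g^vote * K^r). Votes add in the exponent."""
    assert vote in (0, 1)
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return pow(G, r, P), (pow(G, vote, P) * pow(K, r, P)) % P


def tracking_code(ct):
    """Hash of the encrypted ballot, handed to the voter and later published."""
    return hashlib.sha256(f"{ct[0]}:{ct[1]}".encode()).hexdigest()[:16]


def combine(cts):
    """Component-wise product of ciphertexts = encryption of the vote sum."""
    a, b = 1, 1
    for x, y in cts:
        a, b = (a * x) % P, (b * y) % P
    return a, b


def decrypt_tally(s, ct, max_votes):
    """Recover T from g^T; T is at most the number of ballots, so a tiny search."""
    a, b = ct
    m = (b * pow(a, -s, P)) % P
    for t in range(max_votes + 1):
        if pow(G, t, P) == m:
            return t
    raise ValueError("tally out of range")


def _challenge(*vals):
    h = hashlib.sha256(":".join(str(v) for v in vals).encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove_decryption(s, K, ct, tally, u=None):
    """Chaum-Pedersen proof (Fiat-Shamir) that the same s satisfies
    K = g^s and M = a^s, where M = b / g^tally. Shows the tally is the
    true decryption without revealing s."""
    a, b = ct
    u = secrets.randbelow(Q - 1) + 1 if u is None else u
    c = _challenge(K, a, b, tally, pow(G, u, P), pow(a, u, P))
    return c, (u + c * s) % Q


def verify_decryption(K, ct, tally, proof):
    """Verifier side: rebuild the commitments from (c, v) and recheck the hash."""
    a, b = ct
    c, v = proof
    M = (b * pow(pow(G, tally, P), -1, P)) % P
    A = (pow(G, v, P) * pow(K, -c, P)) % P      # should equal g^u
    B = (pow(a, v, P) * pow(M, -c, P)) % P      # should equal a^u
    return c == _challenge(K, a, b, tally, A, B)


def verify_election(K, bulletin_board, tally, proof, my_code=None):
    """What a voter or any third party can check with only public data:
    (1) my tracking code is on the board, (2) the product of the published
    ciphertexts decrypts to the announced tally, per the trustee's proof."""
    if my_code is not None and my_code not in {tracking_code(ct) for ct in bulletin_board}:
        return False
    return verify_decryption(K, combine(bulletin_board), tally, proof)


if __name__ == "__main__":
    s, K = keygen()
    board = [encrypt(K, v) for v in (1, 0, 1, 1, 0)]        # constructed ballots
    my_code = tracking_code(board[0])
    ct = combine(board)
    tally = decrypt_tally(s, ct, len(board))
    proof = prove_decryption(s, K, ct, tally)
    print("tally:", tally, "my code:", my_code,
          "verified:", verify_election(K, board, tally, proof, my_code))
```

The voter only ever sees the tracking code, never the plaintext, and the verifier only ever sees ciphertexts, the claimed tally and the proof; if officials announce a different number, or quietly drop a ballot from the board, `verify_election` returns `False`.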

Third, the demo will show how ElectionGuard can enable end-to-end verifiable elections for the first time while retaining the familiarity and certainty of paper ballots. The demo will provide voters with a printed record of their votes, which they can check and place into a physical ballot box, with verification through the web portal serving as a supplemental layer of security and verifiability.

ElectionGuard is free and open-source and will be available through GitHub as an SDK later this summer. This week’s demo is simply one sample of the many ways ElectionGuard can be used to improve voting, and the final SDK will also enable features like Risk Limiting Audits to compare ballots with ballot counts and other post-election audits.

We will not distribute commercial voting systems like the one we’re demoing this week but instead are partnering with the community of election technology suppliers that already serve state and local governments. We previously announced that we have partnerships with suppliers that build and sell more than half of the voting systems used in the United States today. Today, we’re excited to announce that we’re also now partnering with Smartmatic and Clear Ballot, two of the leading voting technology vendors, and Dominion Voting Systems is actively exploring the inclusion of ElectionGuard in their offerings.

In the coming months, we will also announce new details about our partnership with Columbia University’s Columbia World Projects. Columbia professors in statistics, political science, computer science, and international and public affairs will be joining forces with Microsoft to bring ElectionGuard to life by piloting the technology in the 2020 elections.

No one solution alone can address cyberattacks from nation-states. As we’ve seen, attackers will take any avenue to gain intelligence and disrupt the democratic process. That’s why Microsoft’s Defending Democracy Program has also offered Microsoft 365 for Campaigns and AccountGuard to protect political campaigns, parties and democracy-focused NGOs, and it’s why we’ve partnered with NewsGuard to defend against disinformation.

At the same time, no single company can tackle these issues, and the need to protect democracy is more important than corporate competition. We applaud similar contributions from companies like Twitter, Facebook and Google; it’s also why Microsoft’s Defending Democracy program is supporting efforts from those like the Harvard Kennedy School of Government’s Belfer Center, Columbia World Projects at Columbia University, research underway by Princeton University, and the Oxford Internet Institute’s Computational Propaganda Project.

At the Aspen Security Forum and in the months to come we need to have an honest conversation about threats, but more importantly a conversation about all the emerging tools available to stop them. Microsoft and our Defending Democracy program are committed to our responsibility to the United States and other world democracies to provide tools and technology to combat these threats. As you read this post and participate in the Aspen Security Forum discussions in person or over social media, I hope you’ll give equal thought both to the problems and to the solutions.



Electronic voting: What Europe can learn from Estonia

The May 23-26 European Parliament elections are fast approaching, and in the run up to these critical elections, many questions have been raised over security, foreign election interference and the role of technology in the process. Canada’s cyber security agency recently found that half of all developed countries holding elections in 2018 reported some form of cyber threat to their democratic processes, a threefold increase since 2015.

Such threats have created concerns around the targeting of digital components of elections, as detailed in previous Microsoft blogs. As a result, some governments have scaled back the use of technology in their election systems, even though many of the high-profile digital attacks have focused on the spread of disinformation on social media rather than targeting the actual election infrastructure.

Governments can respond to election-related cyber threats in a way that embraces technology and creates a system which commands public trust. Estonia implemented the EU’s first country-wide internet voting (i-voting) system in 2005. Two years later, a denial-of-service cyberattack targeted both private and public sector websites. It happened after a Soviet-era statue was relocated, and hit media outlets, banks and government bodies. Estonians could not use cash machines or online banking. Newspapers and broadcasters were unable to reach their audiences.

The scare could have prompted Estonia to roll back its electronic innovations, but instead it chose to apply the lessons learned and lean into technology, treating good cybersecurity and technological advancement as the best defense.

Estonia’s i-voting success story is now world renowned, with hundreds of foreign delegations visiting to see the system in practice. It serves as a model for governments on how online voting can be done securely and increase trust in the election process. Estonia also demonstrated leadership on election security by co-chairing the group that prepared the Compendium on the Cybersecurity of Election Technology, which set the baseline for the European Commission’s package on Securing Free and Fair European Elections. Tarvi Martens, Chairman of the Estonian Electronic Voting Committee, spoke to Microsoft about the benefits of their system, challenges for the future, and advice to other EU countries.

e-voting in Estonia:

  • First country in the world to use online voting in national elections, in 2005.
  • 31.3% of Estonians voted online in the last European Parliament elections, in 2014.
  • Online voting saves over 11,000 working days per election.

When and why did Estonia introduce internet voting?

The government began the legislative process in 2001 and introduced the new voting system in 2005. By 2002, Estonia had also introduced an ID card system and by 2005 almost 80% of the electorate had this ID card. At the time, Estonians were saying they did everything with their computer – their banking, taxes, signing documents – and asked: “why not voting?”

Could you talk us through the process of casting a vote online?

The process is actually pretty simple. The voter goes to the elections webpage and downloads an application to cast their vote. Next, the voter identifies himself or herself using their ID card inserted into a smart card reader, or their mobile phone. Once the voter is authenticated with a PIN code it would say “welcome, here is your candidate list.” The voter can then cast their vote for their preferred candidate. The whole process takes around 40 seconds – unless you take more time to decide which candidate to vote for!

How is the internet voting process secured?

Securing the internet voting process is similar to the way we secure other high importance information systems such as banking and critical infrastructure. The trick is to guarantee the secrecy of the votes.

To do this, the ballots are immediately encrypted on the computer when you vote, and they are decrypted centrally by the election commission only once they are anonymized. There is no tag of who voted how, so that’s how we can maintain secrecy and privacy. Our system is like using a double envelope system for a ballot, where we can only count – or decrypt – anonymous votes.

The voter can also check whether his or her vote has arrived at the election commission server properly using a secondary device. After the voter casts their vote online, they can then use an application on their smartphone to scan a QR code from the computer. The QR code enables your device to communicate to the state election servers to show the voter how he or she voted without compromising the privacy of the vote cast.

Finally, there are additional mechanisms to preserve the integrity of the electronic ballot box. Votes are registered with a third party – an accredited trust service provider who issues a timestamp. These timestamps, collected from the trust service provider logs, are later compared with the electronic ballot box to make sure they coincide. That ensures that the administrator of the electronic ballot box cannot delete votes at random or produce extra votes.
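The two integrity mechanisms described in this answer, the double envelope that is opened only after anonymization and the trust-service timestamp log reconciled against the ballot box, as a simplified model in Python. This is an added example, not the Estonian system’s code: voter signatures are modelled with HMAC, the election’s encryption with a keyed-hash keystream, and all keys, voter ids and choices are constructed.

```python
"""Simplified model of the double-envelope flow and the registration check.
Constructed stand-in for the real system: HMAC plays the voter signature,
a keyed-hash keystream plays the election's encryption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ELECTION_KEY = b"constructed-election-key"        # held only by the commission
REGISTRY_KEY = b"constructed-trust-service-key"   # held only by the registrar

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def seal(plaintext: bytes, key: bytes) -> bytes:
    """Inner envelope: the choice, readable only with the election key."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def unseal(blob: bytes, key: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

@dataclass(frozen=True)
class Ballot:
    voter_id: str     # outer envelope: who cast it ...
    signature: str    # ... and their signature over the inner envelope
    inner: bytes      # inner envelope: the encrypted choice

def cast(voter_id: str, voter_key: bytes, choice: str) -> Ballot:
    inner = seal(choice.encode(), ELECTION_KEY)
    sig = hmac.new(voter_key, inner, hashlib.sha256).hexdigest()
    return Ballot(voter_id, sig, inner)

def register(ballot: Ballot, t: int) -> dict:
    """Trust service issues a timestamp over the ballot and keeps a log entry."""
    digest = hashlib.sha256(ballot.inner).hexdigest()
    mac = hmac.new(REGISTRY_KEY, f"{digest}|{t}".encode(), hashlib.sha256).hexdigest()
    return {"digest": digest, "time": t, "mac": mac}

def reconcile(ballot_box: list, registry_log: list) -> tuple:
    """Compare the ballot box with the trust service's log. Returns
    (deleted, injected): ballots registered but missing from the box, and
    ballots in the box that were never registered."""
    logged = set()
    for e in registry_log:
        msg = f"{e['digest']}|{e['time']}".encode()
        expected = hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            raise ValueError("forged registry entry")
        logged.add(e["digest"])
    boxed = {hashlib.sha256(b.inner).hexdigest() for b in ballot_box}
    return sorted(logged - boxed), sorted(boxed - logged)

def tally(ballot_box: list, voter_keys: dict) -> dict:
    """Verify every outer envelope, then strip it (anonymize) before decrypting."""
    inners = []
    for b in ballot_box:
        key = voter_keys.get(b.voter_id)
        if key is None:
            continue   # unknown voter: drop without opening the inner envelope
        expected = hmac.new(key, b.inner, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, b.signature):
            inners.append(b.inner)
    secrets.SystemRandom().shuffle(inners)  # arrival order must not link votes to voters
    counts: dict = {}
    for inner in inners:
        choice = unseal(inner, ELECTION_KEY).decode()
        counts[choice] = counts.get(choice, 0) + 1
    return counts

def run_demo() -> tuple:
    """Constructed scenario: three voters, then a rogue ballot-box admin
    deletes one registered ballot and injects an unregistered one."""
    keys = {"v1": b"key-v1", "v2": b"key-v2", "v3": b"key-v3"}
    box = [cast("v1", keys["v1"], "A"), cast("v2", keys["v2"], "B"),
           cast("v3", keys["v3"], "A")]
    log = [register(b, t) for t, b in enumerate(box, start=1)]
    honest = tally(box, keys)
    tampered = box[:2] + [cast("v1", keys["v1"], "B")]   # v3 dropped, extra v1 added
    deleted, injected = reconcile(tampered, log)
    return honest, len(deleted), len(injected)
```

The tally never sees a voter id next to a decrypted choice, and the reconciliation surfaces both the deleted and the injected ballot even though the ballot-box administrator controls the box itself.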

What about people’s sense of the integrity of the election? Do people feel safe in Estonia voting on the internet?

Trust in the system is rising continuously. Before this year we had three elections with around 31% of people voting on the internet. During the last elections in March we had a significant increase to 44% of voters using the online system. That is the highest proportion yet of people using i-voting in Estonia.

Who benefits most from an i-voting system?

There is a correlation between i-voting and how far a voter lives from a polling station. The further away a voter lives, the more likely they are to vote from home. Also, if you are between the ages of 25 and 45, you are more likely to vote online because young people are more familiar with technology. I-voting is also helpful for people with disabilities. While Estonia has long supported making the voting process accessible for people with disabilities through paper-based voting from home, they can now also vote online. And of course, i-voting is pretty much the only option for people travelling or residing out of the country for a longer period.

What about cost? Is an i-voting system cheaper than a paper voting system?

Initially, there are additional costs. For example, as we introduced this additional voting method, we still had to maintain the paper-based voting infrastructure. But once it is set up, it is significantly cheaper. After the fourth election using i-voting, we calculated the costs and found out that the electronic vote is about half the price of a paper vote.

Is the i-voting process easier to manage?

Yes, because it is centralized. We can do things very fast and conveniently.

Have many government delegations come to Estonia to learn about your system?

There is a map of the world in our office, and we have put a pin in every country which has sent a delegation to visit. It’s hard to find a country without a pin in it! During the last election in March, we had over 100 foreign officials visiting Estonia from 30 countries around the world.

Estonia visitors map: flags representing foreign missions to the Estonian state electoral office.

Among these government delegations, what are the most common concerns about online voting?

We see a general fear of the unknown. It takes two things to introduce internet voting in a country: First, a kind of ID card or mobile ID – an electronic identity infrastructure.

Second, it takes political will. Politicians are most interested in getting re-elected. They don’t want to mess with the electoral system and the average politician doesn’t know much about the internet and security, so they would say, “let’s not mess with that.” So, it takes courage to start the process.

What advice would you give other EU countries regarding the adoption of technology?

You just have to make a start, at least at a research level. Introducing a new voting method is a wide, society-embracing topic and might take a long time. Just have in mind that at some point internet voting will be inevitable.

Has there been interference or targeting of the online platforms in Estonia?

The elections have never been targeted specifically. The cyberattack of 2007 thankfully happened two months after the elections. That attack was regarded as the first countrywide cyberattack targeting all the sectors, both private sector and public sector. But I think our information security was high and we handled it well. There was a day and a half of disturbance and then it was contained.

What did you learn from that experience?

It was a very good exercise. Now we can teach others how to defend against those kinds of attacks. Those attacks and our ability to counter them led to the opening of the NATO Cooperative Cyber Defence Centre of Excellence in Estonia which has been one of the preeminent organizations leading the world’s discussions on the application of international law in cyberspace.

Are there any more technological innovations that you’re planning to implement in future elections?

There have been discussions about introducing voting on mobile devices, but we currently use the mobile device to verify the computer-based vote. If we move to voting from mobile devices, what do we use as a second device for verification of the correct behavior of the mobile device? That’s the main challenge that we are thinking through right now. We are analyzing this, and after the European Parliament elections we will systematically research this issue. Overall, I would say that so far, we are proud of what we have achieved.


Ann Johnson: Demystifying cybersecurity starts with the language we use

As the cybersecurity industry has evolved, one dynamic has remained consistent: our industry-“speak”. We use a language that is unique, difficult for new folks to understand, and oftentimes just plain sensationalistic. While any industry has its own technical terms, our language can also be a barrier to recruitment for many. This should be of concern to all of us in cybersecurity as we look to become more inclusive, rather than exclusive.

Language often reflects and supports a culture. Culture is defined by language norms and values of its people. It is easy to become conditioned to the way we speak and use terminology. As we look to how we can encourage industry growth and maturity, we should strive to evolve the way we use our industry’s nomenclature to be more open and consider how we are defining and shaping our industry’s culture through language. The exciting thing is, the opportunity is right before us, because cybersecurity is constantly evolving.

There are many examples of words that are part of the InfoSec culture – words that do not easily translate to people without a deep industry background. My approach is to avoid hyper technical or sensationalistic terms, and to create a language baseline that is simple and inclusive. Then, I put it to the test: Is the cyber language we’re speaking something my family can understand? Are there other terms we could use to simplify unique technical terms? Can we all agree to search for new words and try them out?

Let’s consider terms like sandboxing, detonation chamber, whitelists, blacklists, and so forth. While each has a specific purpose, we should ask ourselves: are there different ways of saying the same things or defining these terms? What would the synonym be for “blacklist”, and would “filtering known bad sites” or “risk lists” suffice?

We must also examine and test whether terms that are more easily understood help to make the industry appear more open and accepting to a broader, more diverse audience or talent population. This is not a matter of appearing politically correct – it is a matter of being pragmatic and understanding that we will not solve the talent shortage in cybersecurity if we do not make some fundamental changes to the industry. One of the simple changes we could make is to make our common industry vernacular less intimidating.

Testing the waters, I fielded this very topic about whether our industry terms are terrifying and/or confusing to those not in the industry. While many shared examples of cyber terms we should explore, there was agreement that most of our vernacular leans to weaponized or militaristic language.

As a technology professional with 30 years of experience working for companies that are not pure security focused, I have spent many hours creating glossaries and explaining InfoSec language to my colleagues. Quite often there are raised eyebrows and snickers at some of the things we consider common language – as well as questioning and commentary on how unique security people are. I have no issue with uniqueness or deep skills, but that does not mean everything the industry does needs to be unique. The days of security by obscurity are dead.

The cyber insiders club we have created for ourselves is not what makes us special. What makes us special is that we are required to adapt quickly, evolve, and grow. If we don’t, we will become extinct. Bad actors are continually changing and modernizing their tools and methods. They recognize the evolution of InfoSec as an opportunity of scale. By allowing more people to easily understand the fundamentals of security and take an active role in shaping its culture, we can and will build better defenses. Imagine how much easier your job would be if you didn’t spend the first 30 minutes of every InfoSec-related meeting developing a common understanding of language.

If we are to truly influence and shape our industry’s culture, I am asking everyone in the industry to examine how and what we communicate, how we can make cybersecurity easier to understand by the language we use. Thus we will become more open and inclusive. We can do so much if we embrace change and growth, and open our arms to those who have so much to contribute, but who may not “speak” our language.


Learn about the most potent cybersecurity threats to critical infrastructure at Feb. 4 webinar

The Cybersecurity Tech Accord’s upcoming webinar and the importance of public-private partnership

Today, cyberattacks from increasingly sophisticated actors threaten organizations across every sector, and whether a Fortune 500 company or a local bakery, organizations of all sizes need to take steps to limit the dangers posed by these threats. This is the core of cybersecurity risk management—understanding potential threats and actively working to mitigate them. But while organizations large and small should protect themselves against such threats, the owners and operators of critical infrastructure have a unique additional obligation to understand risks and improve their cyber resilience in the interests of the communities, and even whole societies, that rely on their industries.

“Critical Infrastructure” refers to the industries and institutions whose continued operation is necessary for the security and stability of a society. Energy, water, and healthcare sectors are often deemed critical infrastructure, as are essential government organizations, transportation sectors, and even entire elections systems. The organizations that own and operate this infrastructure have a responsibility to keep it up and running in the face of any challenge, and so require even more careful attention to security, particularly cybersecurity.

It is with this responsibility in mind that we are excited for the upcoming webinar from a senior malware researcher at the IT security firm ESET on the latest and most potent cyberthreats to critical infrastructure. The webinar is free to attend and will be hosted by the Cybersecurity Tech Accord on February 4, 2019.

As a signatory to the Cybersecurity Tech Accord, Microsoft is glad to see this diverse coalition of technology companies taking time to address this important issue and highlight the most significant cyberthreats to critical infrastructure. These are the types of challenges that the tech industry should be working collaboratively to address. In fact, Microsoft recently published a white paper titled Risk Management for Cybersecurity: Security Baselines on how policies can improve critical infrastructure protection by establishing outcome-focused security baselines. Such policies mandate how secure critical infrastructure systems must be while allowing industry to innovate and evolve their approaches as necessary to achieve those goals.

Critical infrastructure protection requires cooperation between the public and private sectors because, while the resilience of these sectors is a national security priority, the critical infrastructure itself is most often owned and operated by private industry and dependent on the technologies that are developed and maintained by private companies. In this dynamic, governments play an indispensable role in identifying security needs and standards for success, while industry understands its own technology and how to best meet security objectives.

The benefits of this collaboration are highlighted in the recently published report by the Organization of American States (OAS), developed in partnership with Microsoft, Critical Infrastructure Protection in Latin America and the Caribbean 2018. The report is a tremendous resource for policymakers in the region, as OAS was able to acutely identify the cybersecurity priorities and challenges of its Latin American and the Caribbean member states, while Microsoft was able to provide technical insights on how to best enable critical infrastructure owners and operators to protect their systems based on those priorities.

The upcoming webinar from ESET will doubtlessly shed additional light on the ever-changing nature of cybersecurity threats, especially as they relate to critical infrastructure, further underscoring the importance of cooperative relationships between sectors moving forward. We invite you to attend the live event; and for those who cannot attend on February 4, 2019, the webinar will be recorded and made available on the Cybersecurity Tech Accord website in the days that follow.

For a full list of upcoming webinars, and to access previous sessions on demand, visit the Cybersecurity Tech Accord website.


How Microsoft Threat Protection took down recent ‘Tropic Trooper’ cybersecurity exploit

December was another month of significant development for Microsoft Threat Protection capabilities. As a quick recap, Microsoft Threat Protection is an integrated solution securing the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. Last month, we shared updates on capabilities for securing identities, endpoints, user data, and cloud apps. This month, we provide an update for Azure Security Center which secures organizations from threats across hybrid cloud workloads. Additionally, we overview a real-world scenario showcasing Microsoft Threat Protection in action.

Enhancing your infrastructure security using Azure Security Center

Azure Security Center is a sophisticated service designed to help organizations:

  • Understand their security state across on-premises and cloud workloads.
  • Find vulnerabilities and remediate quickly.
  • Limit exposure to threats.
  • Detect and respond swiftly to attacks.

With modern organizations now adopting hybrid ecosystems, securing the infrastructure across hybrid cloud workloads becomes more critical. Azure Security Center was developed to address the complexities of the modern infrastructure by helping strengthen your security posture and protect against threats to the infrastructure. Azure Security Center can now provide better visibility over an organization’s security state across virtual networks, subnets, and nodes by generating a topology map of the layout of each of these infrastructure components (Figure 1). As admins review the components of the network, Azure Security Center offers recommendations to help quickly respond to detected network issues. Additionally, Azure Security Center continuously analyzes the network security group (NSG) rules in the workload and presents a graph containing the possible reachability of every virtual machine (VM) in that workload.

Figure 1. Network topology map highlighting virtual networks, subnets, and nodes.

Another important enhancement is a new permissions model for “Just in Time (JIT) VM” access (Figure 2). Azure Security Center has updated its required privileges for a user to successfully request JIT access to a VM from write to read, making it easier for customers to follow the “least privileged” Role-Based Access Control (RBAC) model. JIT VM access is used to reduce impact from brute force attacks targeting management ports to gain access to a VM. If successful, an attacker can take control over the VM and establish a foothold into your environment. When JIT access is enabled, Azure Security Center locks down inbound traffic to Azure VMs by creating an NSG rule. Admins select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the JIT solution. Before, when a user requested access to a VM, Azure Security Center checked a user’s RBAC permissions for write access for the VM, and now the user must only have read access.

Figure 2. The Azure Security Center highlighting the JIT VM access feature.

Microsoft Threat Protection stops threats as envisioned

Security solutions always sound effective in theory, but in practice, often the capabilities do not match the vision. Microsoft Threat Protection was recently put to the test against a real-world threat known as Tropic Trooper (Figure 3), which has been targeting Asian enterprises in the energy and food and beverage industries since 2012.

Figure 3. Tropic Trooper attack chain.

Seamless integration between disparate services is a core differentiator of Microsoft Threat Protection. During the Tropic Trooper campaign, Windows Defender Advanced Threat Protection (ATP), Azure Active Directory (Azure AD), and Office 365 ATP services worked in sync, helping ensure the threat was addressed quickly with no adverse impact. The campaign triggered several Windows Defender ATP alerts, which fed its device risk calculation mechanism and assigned high risk scores to the affected endpoints. These endpoints were put at the top of the list in Windows Defender Security Center, leading to early detection and discovery of the attack. Windows Defender ATP integrates with Azure AD conditional access, and during Tropic Trooper conditional access blocked the high-risk endpoints from accessing sensitive content, protecting other users, devices, and data in the network.

The Windows team examined the alert timeline (Figure 4) to further investigate and ultimately remediated the threat. Investigating the alerts, the Windows team uncovered the malicious document carrying the Tropic Trooper exploit. Since signal is shared between Microsoft Threat Protection services, the Windows team used Office 365 Threat Intelligence’s Threat Explorer to find the specific emails used to distribute the exploit. The investigation also showed that Office 365 ATP blocked the malicious emails at the onset, stopping the attack’s entry point and protecting Office 365 ATP customers. Endpoints remained secure through Windows Defender ATP’s sophisticated automated investigation and remediation capabilities that discovered malicious artifacts on affected endpoints and remediated them. This sequence of actions ensured that the attackers no longer had a foothold on the endpoint ecosystem and that all endpoints returned to normal working state. Importantly, Microsoft Threat Protection services collectively secured identities, endpoints, and Office 365.

Figure 4. Windows Defender ATP alert timeline for Tropic Trooper.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.


Cybersecurity and the world: A time to reflect, a time to act

Sign the petition to support digital peace: https://digitalpeace.microsoft.com/

As world leaders prepare to meet in Paris to honor the centennial of the armistice that ended World War I, it’s important to apply the lessons learned from the tragedies of the 20th century. It’s a time for people to ensure that their voices are heard in the cause for digital peace. To learn more and add your voice, go to https://digitalpeace.microsoft.com


Microsoft releases new Cybersecurity Policy Framework

Each year, more and more governments are developing policies to address security challenges presented by an increasingly digitized world. And to support those efforts, I’m excited today to announce the release of Microsoft’s new Cybersecurity Policy Framework, a resource for policymakers that provides an overview of the building blocks of effective cybersecurity policies and that is aligned with the best practices from around the globe. Nations coming online today, and building their cybersecurity infrastructures, should not—and need not—be burdened with the stumbling blocks that characterized previous generations of cybersecurity policies. Instead, such nations should be empowered to leapfrog outdated challenges and unnecessary hurdles.

For years, Microsoft has worked with policymakers in advanced and emerging economies, and across many social and political contexts, to support the development of policies to address a wide range of cybersecurity challenges. This new publication captures and distills the important lessons learned from those years of experience partnering with governments. And as increasing numbers of countries wrestle with how to best address cybersecurity challenges, the Cybersecurity Policy Framework is an indispensable resource for the policymakers joining this work.

According to the latest analysis provided by the United Nations, half of the countries on earth today either have or are developing national cybersecurity strategies. I have little doubt that in the next decade every remaining country will add its name to that list. And this trend highlights the importance of this new resource. The policies established today will impact how technologies are used for years to come and how safe or dangerous the online world becomes for all of us. Truly, there is no going back, only forward.

The Cybersecurity Policy Framework is not one-stop shopping for cybersecurity policymakers, but it does serve as an important “umbrella document,” providing a high-level overview of concepts and priorities that must be top of mind when developing an effective and resilient cybersecurity policy environment.

Specifically, this new resource outlines:

  • National strategies for cybersecurity.
  • How to establish a national cyber agency.
  • How to develop and update cybercrime laws.
  • How to develop and update critical infrastructure protections.
  • International strategies for cybersecurity.

We at Microsoft have been at this work for a long time and have developed a wide variety of resources to help those who are working to position their industries and nations to capitalize on the benefits of new technologies—so many that they can often be difficult to find! And this highlights another strength of the Cybersecurity Policy Framework: while it is not one-stop shopping, each section does provide an overview of a critical policy topic as well as links to the associated and more in-depth resources my team has developed over the years to assist policymakers. In this way, this new resource serves not only as essential, high-level guidance, but also as a key to a broader catalogue of resources built on years of experience partnering with governments around the world.

Reading through this new resource, I am proud of the work we have done in pursuit of a safer online world. Important progress has been made and these foundational principles underscore much of today’s cybersecurity discourse. However, we have—and will always have—more work to do as a result of the changes and innovations in technology always on the horizon, and their implications for cybersecurity. I’m glad to put this resource forward today to support a new generation of policymakers and also look forward to partnering with them to tackle the new challenges we will face together tomorrow.

Download your copy of the Cybersecurity Policy Framework today.