
Microsoft publishes report on how to manage insider risk holistically

The risk landscape for organizations has changed significantly in the past few years. The amount of data captured, copied, and consumed is expected to grow to more than 180 zettabytes through 2025.[1] Traditional ways of identifying and mitigating risks don’t always work. Historically, organizations have focused on external threats; however, risks from within the organization can be just as prevalent and harmful. These internal risks include unprotected and ungoverned data, accidental or intentional data oversharing, as well as the risks for failing to meet ever-changing regulations. Not to mention, with more than 300 million people working remotely, data is being created, accessed, shared, and stored outside of the traditional borders of business.

Core to a security team’s mission is protecting the company’s assets, especially its data. Strong data protection requires securing the most sensitive or critical data, preventing that data from leaving the organization, and managing potential risks inside and outside of your environment.

And managing internal risks can be challenging because it requires analyzing millions of daily signals to detect potentially risky user actions that may lead to a data security incident. For example, what confidential files are your users sharing or accessing? Are users sharing sensitive files externally? Are they downloading files to unapproved devices or uploading them to unapproved locations? All the while, you must balance security controls and productivity, and ensure user privacy is built into your program.

To be effective in addressing insider risks, it’s critical that organizations start thinking about how and why they should be implementing a holistic data protection strategy across their entire organization that encompasses people, processes, training, and tools. At Microsoft, we transitioned from a fragmented insider risk management approach to one in which we addressed it holistically by taking a more comprehensive approach, getting more buy-in from organizational leadership, and making sure user privacy is built in from the get-go.

Following our own transition, Microsoft wanted to better understand how organizations are approaching insider risk management, specifically how some of these security and compliance teams were thinking about insider risk management holistically. Today we’re publishing our first Microsoft report specifically addressing insider risk, “Building a Holistic Insider Risk Management program.”

This Microsoft-commissioned report lays out several new insights about how organizations go from a fragmented approach to insider risk management to a holistic one, addressing potential risks from multiple lenses as part of a greater data protection strategy, with cross-leadership buy-in. For example, we found that more than 90 percent of holistic organizations believe privacy controls should be used in the early stages of investigations. Holistic organizations also get more buy-in on their risk programs from other departments, like legal, HR, or compliance teams, which is critical to building a culture of security. Furthermore, they put a greater emphasis on training with 92 percent agreeing that “training and education are vital to proactively address and reduce insider risks,” compared with 50 percent of fragmented organizations.

The report also shares best practices for organizations who endeavor to approach insider risk management more holistically and build a program that fosters trust, empowers users, and makes privacy a priority.

You can read the full report here.

Learn more

Learn more about Microsoft Purview.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.


October is Cybersecurity Awareness Month: 4 best practices to help your team be cyber smart

October is Cybersecurity Awareness Month, and I’m excited about what Microsoft and our partners in the industry have planned to help everyone stay #CyberSmart. 2022 may have offered some respite from the previous year’s rush to enable a remote and hybrid workforce, but the increased use of personal devices also left security professionals with even more endpoints to manage and secure. As illustrated by breaches like the March 2022 attack on Shields Health Care Group[1] that impacted two million people and the April ransomware attack that became a national emergency for the Costa Rican government,[2] we all need to be cyber defenders to protect what matters.

Technology can only do so much; it’s people who remain our greatest strength. That’s why Microsoft is taking this opportunity during Cybersecurity Awareness Month to help security professionals educate their employees on fundamentals highlighted by the National Cybersecurity Alliance, such as protecting their identities, updating their software and devices, and not falling prey to phishing schemes.[3] Be sure to explore the resources and skilling opportunities in our Cybersecurity Awareness Month website, such as the #BeCyberSmart education kit with assets to help people to protect their data both at work and at home.

“People have become the primary attack vector for cyber attackers around the world, so humans rather than technology now represent the greatest risk to organizations.”

SANS 2022 Security Awareness Report

Security starts with awareness

In today’s boundaryless workplace, comprehensive security is essential. That kind of 360-degree protection requires education and awareness to safeguard identities, data, and devices. Awareness programs help enable security teams to effectively manage their human risk by changing how people think about cybersecurity and helping them practice secure behaviors. The SANS 2022 Security Awareness Report analyzed data from more than a thousand security professionals from around the world to identify how organizations are managing their human risk. The report found that more than 69 percent of security awareness professionals are part-time, meaning that they spend less than half their time on security awareness.

According to the SANS report, cybersecurity awareness professionals should endeavor to:

  • Engage leadership by focusing on terms that resonate with them and demonstrate support for their strategic priorities. “Don’t talk about what you are doing, talk about why you are doing it.”
  • Consider having a 10-to-1 ratio of technical security professionals to human-focused security professionals.
  • Partner with other departments in the organization—such as communications, human resources, and business operations—to help engage and communicate with your workforce.
  • Make the training simple to understand and follow. “Just like working out—it’s the frequency that’s important.” And dedicate time to collecting information about the impact of your awareness programs.

It’s up to each of us to #BeCyberSmart

In 2022, the most common causes of cyberattacks are still malware (22 percent) and phishing (20 percent).[4] Even with the rise of ransomware as a service (RaaS) and other sophisticated tools, human beings remain the most reliable, low-cost attack vector for cybercriminals worldwide. For that reason, it’s vital that we all stay informed about how to prevent breaches and defend ourselves, both at work and at home.

Security practitioner authenticating access on a Surface tablet while preparing to work from home.

Here are some basic steps we can all take to #BeCyberSmart:

Phishing: Deceptive emails, phony websites, fake text messages—these kinds of phishing scams accounted for 30 percent of attacks in 2021.[5] During Terranova’s annual Gone Phishing Tournament last year, 19.8 percent of participants clicked on the phishing email link, while 14.4 percent downloaded the fake document.[6] So, how can we avoid taking the bait?

  • Check the sender’s email address for verifiable contact information. Common phishing tip-offs include a misspelled or unrelated sender address. If in doubt, do not reply. Instead, create a new email to respond.
  • Don’t click on links or open email attachments unless you have verified the sender.
  • For more tips, visit the Federal Trade Commission phishing site.

Devices and software: Unpatched, out-of-date devices and software are a leading access point for cybercriminals. That’s why practicing good cyber hygiene is so important for avoiding destructive malware that can steal users’ personal information. To help keep your devices safe:

  • Enable the lock feature on all your mobile devices.
  • Activate multifactor authentication on your sensitive apps and accounts.
  • Run antivirus software and install system updates immediately.

Scams: Criminals will often contact you seeking to “fix” a nonexistent problem. The email or text message will contain a sense of urgency, such as “Act now to avoid having your account locked!” If you see this type of message, do not click the link. And remember to always report any suspected scam so the organization can take action. A few tips to remember:

  • Be skeptical of unsolicited tech support calls or error messages requesting urgent action.
  • Do not follow any prompts to download software from any third-party website.
  • When in doubt, open a separate browser page and go directly to the company’s webpage.

Passwords: Passwords are our first line of defense against unauthorized access to accounts, devices, and files. However, the average person now has more than 150 online accounts; password fatigue is always a danger. Some tips on how to protect your passwords include:

Fostering a more diverse cybersecurity workforce

As of April 2022, there are more than 700,000 vacant cybersecurity positions in the United States, with a predicted 3.5 million cybersecurity positions going unfilled worldwide by 2025.[7] That’s why Microsoft continues to reach out to students, veterans, people re-entering the workforce—anyone with an interest in becoming a cybersecurity defender. This year for Cybersecurity Awareness Month, we’re also acting on Microsoft’s initiatives to increase cybersecurity education access and help close the workforce gap. In partnership with the Last Mile Education Fund, Microsoft aims to reach at least 25,000 students by 2025 with scholarships and additional resources related to cybersecurity pathways.

On October 7, 2022, we’re again hosting the Microsoft Student Summit, a virtual skills event designed to inspire higher education students toward a career in tech. This one-day event offers students the opportunity to engage with the Microsoft student developer community, hopefully providing inspiration and stoking a passion for innovation. We’re also continuing to help students move into real-world employment by offering learning sessions aligned to Microsoft certifications for security, compliance, and identity. Eligible students can take up to eight fundamental certification exams for free this academic year.

Helping to create the next generation of cybersecurity defenders is critically important, and we want to make sure the doors are open to everyone. That’s why we’re continuing our partnership with Girl Security, helping to empower adolescent girls, women, and gender minorities by demystifying cybersecurity and developing the in-demand skills needed for employment. Microsoft is also partnering with other organizations to leverage the message from this moment in October 2022 to bring more women to the industry, with a Community College Pathways to Cybersecurity Success webinar with Women in Cybersecurity (WiCys) and a virtual event with the Executive Women’s Forum focused on cybersecurity careers at Microsoft.

We’re always working on new educational initiatives, so stay tuned to our Security blog and check for updates on our cybersecurity awareness and education website.

Stay cyber smart year-round

Cybersecurity Awareness Month is a special time for us as we collectively come together—industry, academia, and government—to promote the importance of a secure online environment. We know that cybercriminals are persistent and driven, working all day, every day with no days off. That’s why we need to work together on awareness and education year-round and build a culture of cyber defenders. Please continue to visit our cybersecurity awareness and education website to learn more about cybersecurity education programs from Microsoft, and get our new cybersecurity education kit to use in your organization. Everyone has a role to play in cybersecurity, and when we learn together, we are more secure together.

Learn more

Explore our best practices and educational resources with our Cybersecurity Awareness website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Shields Health Care Group data breach affects 2 million patients, Bill Toulas. June 7, 2022.

[2] A massive cyberattack in Costa Rica leaves citizens hurting, Carla Rosch. June 1, 2022.

[3] National Cybersecurity Alliance.

[4] Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know, Chuck Brooks. June 3, 2022.

[5] Verizon 2021 Data Breach Investigation Report, Verizon. 2021.

[6] Gone Phishing Tournament, Terranova Security.

[7] Ten Hard-hitting Cybersecurity Statistics for 2022, Cody Cornell. August 25, 2022.


Test your team’s security readiness with the Gone Phishing Tournament

Why should you care about the behavioral risk of your employees?

Eighty-two percent of breaches include (and often start with) user behavior.[1] Not all are phishing, but a majority of them are just that. Phishing is, and has been for many years, the cheapest and most reliable way for an attacker of any motivation (nation-state actors down to simple script-kiddie scammers) to establish a toehold in an organization. Social engineering and phishing are used for initial breach tactics, lateral movement, and elevation of privilege, and, in many cases, they directly lead to data exfiltration.

Worse, breaches cost companies a lot of time and money. Several security research companies have determined that the average data breach costs a company about USD4 million per incident.[2] Averting even a handful of breach events in any given year can save you millions of dollars and thousands of hours of valuable security operators’ time.

So, how does behavior play into this? Doesn’t my company spend a bunch of money every year on technical solutions to prevent those phishing attacks from making it through? Don’t we have detection and response capabilities that find and fix those breaches quickly? Any organization that cares about its data certainly should invest in exactly those capabilities, but the strategy is incomplete for a few reasons:

  • Technical solutions never have and likely never will provide perfect protection. Humans are capable of incredibly creative and intuitive thinking. Attackers with even a passing understanding of how protective solutions work can easily find gaps and workarounds. Decades of breaches have shown us that any determined attacker will find a way in. Assume breach principles hold that organizations should assume that their ecosystems are breached, that they should not automatically trust their existing protection boundaries, and that they should invest in detection and response mechanisms in equal measure to prevention. This, Microsoft believes, is the most effective approach to mitigating organizational risk.
  • Humans are the most valuable part of any organization’s mission. They make all the data. They derive all the most valuable insights. They integrate and maintain all the complicated systems that make up any modern enterprise. An attacker can go after systems to get to data, but the inherent fallibility of humans provides a much more malleable target. You can’t insulate the people in your organization from that risk because they are almost always the ones responsible for creating the asset in the first place. Attackers know that and almost always incorporate social engineering into their plans.
  • Human behavior, especially as it relates to risk, is an incredibly complicated and nuanced process. It is probabilistic in nature, and attackers know that. Factors include the context in which the behavioral choice is made, the knowledge of the human, the attitudes and motivations of the person, externalities such as time pressures and adjacent choices, and the past experience of the human. Any of those factors can change day-to-day, so a phishing attack that a user correctly identifies and avoids today might succeed against that same user in some other context.

With that in mind, in partnership with Microsoft, Terranova created the Gone Phishing Tournament, an online phishing initiative that uses real-world simulations to establish accurate phishing clickthrough rates and additional benchmarking statistics for user behaviors. With this opportunity, you will be able to drive effective behavior change and build a strong security-aware organizational culture with free, in-depth phishing simulation benchmarking data.

Given this context, why should an organization care about user behavior? One reason is that even small changes in behavior can result in significant reductions in risk and every breach you avoid saves you literal millions of dollars. Admittedly, behavior change is hard. The security awareness business has been working to help educate users for decades now, and the human behavior risk portion of the overall risk pie remains large. We think the capabilities that modern solutions are bringing to bear are the beginning of a major shift in the industry. Some key capabilities to consider:

  • You must measure something to move it. Phish susceptibility assessment is a core part of any security awareness program, and we think authentic simulation is the best way to measure real-world phishing risk behavior.
  • Teaching is more than just telling. One of the reasons why effective security awareness programs focus so much on simulation is because it gives users the experience of an attack (safely). Doing something hands-on and experiencing it directly sticks in human brains much more effectively than just seeing or hearing a description of it.
  • Life in organizations already includes a lot of formal learning, so you must find new, differentiated, and contextual ways to engage your people in learning experiences. Games, nudges, and social rewards systems educate without lecturing and bring an element of fun that helps the important messages stick.
  • Everybody is at a different place in their journey. Look for solutions that allow you to differentiate learning based on what the user already knows, or what you think is going to be especially problematic for them.
  • Security Awareness training has evolved most commonly to be a twice-yearly simulation with a five- to seven-minute video. This formula is usually manageable by organizations to execute, but it rarely produces desired results. Look for solutions that give you the ability to vary the frequency, targeting variations, payload variability, and training experiences. Some of your people might just need reminders twice a year, but many will need more frequent experiences to maintain behavioral alignment.

Every major organization on earth is in the same boat. User behavior risk is high, difficult to change, and exploited every day by attackers. Take the time to learn from each other. Participate in conferences. Make connections with people at other companies that are doing the same role. Engage with the solutions that you leverage and give those product teams feedback about what is and is not working. 

Knowledge is power when it comes to being cybersmart, and there are many ways to prepare yourself and your organization to be safer online and fight cyber threats. October will be Cybersecurity Awareness Month, and you will be able to take advantage of Microsoft’s expertise with several resources that will be made available by Microsoft Security.  

Stay tuned for Microsoft’s best practices on Cybersecurity Awareness Month and don’t forget to register for Terranova Security Gone Phishing Tournament. Let’s #BeCyberSmart together! 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] 2022 Data Breach Investigations Report, Verizon. 2022.

[2] How Much Does a Data Breach Cost?, Embroker. September 2, 2022.


Stop Ransomware with Microsoft Security digital event presents threat intelligence in action

One of the biggest challenges in security today is visibility. And by visibility, I don’t just mean keeping an eye on ever-evolving cyberthreats, but also seeing your own security environment clearly—especially where you’re vulnerable.

For defenders who are working hard to manage threats across multiple clouds, platforms, and devices, research and investigation is a time-consuming and difficult challenge. Thankfully, we’ve recently launched two new security solutions designed to give you a comprehensive view of the security threats to your business—and track what’s changing day-to-day.

I’m really excited about these new products and invite you to learn more about them at our next digital event—Stop Ransomware with Microsoft Security—on September 15, 2022.

See the latest threat intelligence solutions in action

We have a lot to look forward to at this event. Charlie Bell, Executive Vice President of Microsoft Security, and Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance, Identity, and Privacy Business, will join other security experts to discuss how to get ahead of ransomware and proactively prepare for even the most sophisticated attacks.

But this event goes beyond strategies and thought leadership—you’ll also get an exciting, in-depth look at two innovative new security products:

  • Microsoft Defender Threat Intelligence
  • Microsoft Defender External Attack Surface Management

These new security solutions work together to help you understand both your adversaries and your own security environment. With more visibility into your infrastructure and better insights into breaches and potential threats, you’ll be able to prioritize the right response tactics and keep pace with an ever-changing threat environment.

Register for the Stop Ransomware with Microsoft Security digital event to learn more.

Stay ahead of adversaries

Let’s start with Microsoft Defender Threat Intelligence. This solution works by analyzing signals from across the internet, then enriching this data with powerful machine learning algorithms to extract insights relevant to your organization.

When you attend this free digital event, you’ll learn exactly how to use this new solution to dive deep into a breach and really understand the nature of the attack and the assets affected.

Elevate your security posture

While Microsoft Defender Threat Intelligence can help you understand the threat landscape, Microsoft Defender External Attack Surface Management gives you greater knowledge of your attack surface.

With the help of this tool, you can build a more complete understanding of your security posture and locate unknown, unmanaged resources that are visible from the internet—the same view an attacker has when selecting a target. 

Throughout the Stop Ransomware with Microsoft Security digital event, we’ll be demonstrating both Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management. Join us to learn how you can bolster your security strategy by integrating both products into your own security operation center—or connect with cybersecurity professionals during a live question and answer chat if you have questions.

Learn from the experts firsthand

We crafted every session in the Stop Ransomware with Microsoft Security digital event to empower you with the tools and insights you need to make the most of threat intelligence. Join your fellow cybersecurity professionals in the following sessions:

  • Ransomware, threat intelligence, and the state of security: Join Vasu Jakkal and Charlie Bell as they discuss the Microsoft approach to security, including what analysts are seeing in the threat landscape and how threat intelligence can help organizations prepare for the worst.
  • Unmask adversaries with Microsoft Defender Threat Intelligence: Threat intelligence is the foundation of effective cybersecurity. As threats like ransomware increase in sophistication, it becomes even more critical to understand adversaries and their infrastructure. Learn how threat intelligence can enhance incident response and give your business the insights you need to stay ahead of threats.
  • Locate and secure your external attack surface: The external attack surface is constantly changing, and unknown, unsecured resources may fall outside your security coverage. Learn how to view your organization from the outside in—the same way an attacker does—and not only locate unmanaged assets but also protect them.
  • Threat intelligence is the cornerstone of solid security: Explore common use cases for threat intelligence and discover real-world applications to learn how you can enhance your existing security solutions and stop ransomware in its tracks.

Don’t just react to threats. Get ahead of them.

Join the Stop Ransomware with Microsoft Security digital event to learn how to safeguard your organization from today’s attacks—and be ready for tomorrow’s.

At this digital event, you’ll:

  • Hear key insights from Microsoft’s leadership, including a fireside conversation between Charlie Bell, Executive Vice President of Microsoft Security, and Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance, Identity, and Privacy Business.
  • Learn about two new security solutions: Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management.
  • See threat intelligence from Microsoft Security in action and learn how to use it to prevent and remove even the most sophisticated ransomware.
  • Get your questions answered by threat protection experts during a live question and answer chat.

Secure everything. Limit nothing. Be fearless.

Register now.

Stop Ransomware with Microsoft Security
September 15, 2022
9:00 AM-10:30 AM PT

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Microsoft Security highlights from Black Hat USA 2022

Black Hat USA 2022 marked the twenty-fifth year that security researchers, security architects, and other security professionals have gathered to share the latest research, developments, and trends. Microsoft was among the companies participating in the conference, which was from August 6 to 11, 2022, in Las Vegas, Nevada. This year’s event was hybrid, with some attendees attending in-person and others joining online.

We were excited to join members of the Black Hat security community representing 111 countries.[1] Along with more than 17,000 in-person attendees—and more than 15,000 virtual attendees—we heard security insights and shared the latest in Microsoft Security solutions, including two new security solutions—Microsoft Defender Threat Intelligence to track threat actor activity and Microsoft Defender External Attack Surface Management to discover unknown and unmanaged resources that are visible and accessible from the internet.

Booth excitement

A picture of the Microsoft Security booth at the Black Hat USA 2022 Conference.

What energizes us the most about conferences like Black Hat is the opportunity to meet people. During the conference, we welcomed hundreds of security professionals to our booth. There, we talked about cybersecurity threats, shared our perspective on the need for comprehensive security, listened to their stories of cybersecurity challenges, and gave them demonstrations of the latest innovations from Microsoft Security in the threat intelligence and protection space, including Microsoft Defender Experts for Hunting.

We’re passionate about security and it’s always a thrill to be among others who feel the same way. Our team in the booth was kept happily busy. Some attendees chatted in groups of two or more while others crowded around four demo stations—Microsoft Security Experts, threat protection, threat intelligence, and identity and access management—to see how Microsoft product solutions can help catch what others miss.

During our Diversity and Inclusion Hour on Wednesday, Black Hat attendees gathered in the Microsoft booth to socialize and talk about diversity, equality, and inclusion in the workplace. As a bonus, Microsoft enlisted a professional photographer to take headshots for anyone who attended and wanted to update their LinkedIn profiles.

A group of people having a conversation in a circle.

Conference sessions

Microsoft Security team members stay up on the latest news, solutions, and strategies in the security world. We were thrilled when several of these security professionals received the opportunity to share their thought leadership insights with Black Hat attendees.

  • “Advancing Investigations with Threat Intelligence”: Microsoft Incident Response Consultant MacKenzie Brown shared how Microsoft’s Detection and Response Team (DART) harnesses the power of threat intelligence while in the trenches helping customers challenged by cyberattacks. MacKenzie also walked through how DART responded to recent threats from the North Korean nation-state actor believed to be behind HolyGh0st and Lapsus$. 163 attendees viewed the session virtually.
  • “AAD Joined Machines—The New Lateral Movement”: Microsoft Senior Security Researcher Mor Rubin presented new research on a mechanism designed to allow authentication between Microsoft Azure Active Directory-joined machines. Mor also explored the foundation of the new network protocol, presented a way (and a tool) to perform pass-the-certificate attacks, and talked through an open-source solution that can help companies hunt for such attacks.
  • “CastGuard: Mitigating Type Confusion in C++”: Microsoft Software Security Engineer Joe Bialek discussed type confusion vulnerabilities, which give exploit writers incredibly powerful primitives. Joe introduced a new mitigation called CastGuard that’s being deployed to a set of Windows components (with more in the works). With a tiny instruction sequence and the virtual function table pointer of an object, CastGuard helps prevent illegal static down-casts in C++ code.
  • “Malware Classification With Machine Learning Enhanced by Windows Kernel Emulation”: Microsoft Security Software Engineer Dmitrijs Trizna presented a hybrid machine learning architecture that combines static and dynamic malware analysis methodologies. This architecture surpasses the capabilities of modern AI classifiers and records a detection rate of 96.7 percent at a fixed false positive rate of 0.1 percent.

Conference social events

It wouldn’t be a conference without plenty of fun social events to get everyone chatting, networking, and celebrating the achievements of security professionals. At the Cybersecurity Women of the Year Awards (CSWY Awards) on August 9, 2022, attendees gathered at the Luxor, enjoyed a gourmet meal, and toasted to female cybersecurity and privacy leaders who are changing the world.

Aanchal Gupta, CVP of Engineering at Microsoft, is announcing a winner.

“The CSWY Awards recognize women protecting businesses, schools, and governments from cyber threats actors,” said Carmen Marsh, creator of the CSWY Awards. “We give security pros the opportunity to talk about what’s happening or not happening in cybersecurity and how to make it better. It’s wonderful to bring women from around the world to Las Vegas for this important event while creating inspiring role models for the new generation of cybersecurity professionals.”

As a Signature Sponsor, Microsoft was honored to recognize three barrier breakers serving as role models for future generations of cybersecurity professionals. Microsoft Corporate Vice President of Cloud and Microsoft 365 Security, Aanchal Gupta gave out the Cybersecurity Woman Privacy Woman Law Professional of the Year 2022 award, while Microsoft Senior Director of Security Narrative and Strategy, Shelli Strand awarded the Cybersecurity Woman Influencer of the Year 2022 award. Abhilasha Bhargav-Spantzel, Microsoft Partner Security Architect, gave out the Cybersecurity Woman Volunteer of the Year award.

After dinner and the awards ceremony, attendees networked and danced to a DJ spinning hits.

“Today, we have an incredible opportunity to attract a talented and impassioned generation of defenders and to change the deep gender disparity in our industry. I am so grateful to the Cybersecurity Woman of the Year program organizers for spotlighting the amazing work being done by those superheroes who are setting a powerful example for us all,” said Vasu Jakkal, Microsoft Corporate Vice President of Security, Compliance, Identity, Management, and Privacy. “Microsoft is proud to take part in an event that is helping to cultivate inclusivity, inspire and facilitate mentorship, and celebrate the important field of cybersecurity.”

On August 10, 2022, Microsoft Security Response Center (MSRC) hosted Microsoft’s annual Researcher Celebration event at the Illuminarium in Las Vegas, Nevada. The event brought together some of Microsoft’s Most Valuable Researchers (MVRs), and many security leaders and professionals. Attendees met with the head of MSRC, Aanchal Gupta, MSRC leadership, and other key Microsoft attendees to thank the MVRs and researcher community for their contributions. Check out the list of MSRC 2022 Most Valuable Researchers!

Throughout the evening, more than 500 guests from more than 200 organizations across the information security community participated in space-themed activities and experiences while connecting and re-connecting in person for the first time in many years. Thanks to everyone that attended and helped make the event memorable.

Collage of images showing people at the different experiences at Microsoft’s annual Researcher Celebration event at the Illuminarium in Las Vegas.

More threat intelligence resources

We can’t wait for future opportunities to connect with everyone again in person. Until then, there are a few ways for you to stay connected and up to date on the latest from Microsoft in threat intelligence solutions:

  • Join us on September 15, 2022, for the free digital event Stop Ransomware with Microsoft Security to hear key insights from Microsoft’s leadership, including a fireside conversation between Charlie Bell, Executive Vice President of Microsoft Security, and Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance, Identity, and Privacy Business.
  • Explore details on Microsoft’s threat intelligence solution in our blog post about new solutions for threat intelligence and attack surface management.
  • Check out the latest Cyber Signals report.
  • If you attended Black Hat and interacted with Microsoft, please share your feedback with us. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Black Hat USA 2022 Closes on a Record Breaking Event in Las Vegas & Online, AP News. August 19, 2022.


A multidimensional approach to journalism security

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Runa Sandvik, Former Senior Director of Information Security at The New York Times and member of CISA’s Technical Advisory Council. She was recently interviewed about her new startup, Granitt, in TechCrunch.[1] The thoughts below reflect Runa’s views, not the views of Microsoft, and are not legal advice. In this blog post, Runa talks about security for journalists and media organizations.

Brooke: How did you get into cybersecurity?

Runa: I got my first computer when I was 15. I studied for a bachelor’s in computer science at a university in Norway, where I’m from. One thing I really enjoy about this industry is that within computer science and cybersecurity, there are so many different challenges to take on. There are so many problems that you can work on and so many things to be curious about and I’ve always really loved that.

During the summer of 2009, before the last year of my bachelor’s, I worked for the Tor Project as part of Google Summer of Code. Once that internship wrapped up, I stayed on with the Tor project and I volunteered to continue maintaining my project. Over time, Tor offered me a part-time contract and later, a full-time contract.

A lot of the work that I do today has been shaped by the four years that I spent working with the Tor project. When I first heard about Tor, I thought it was cool that you could be anonymous online by using a piece of technology. I didn’t consider who’s using it or for what reason. But over the four years with Tor, I got to meet not only other people working in the same space but also people around the world who told me about their experiences with the tool and what it enabled them to do, which was a hugely positive experience for me.

Brooke: What excites you the most about protecting journalists?

Runa: Around 2011, four projects got funding to train reporters on how to use the Tor browser and I ended up leading that project. We were building out a curriculum and we felt very quickly that it was not super helpful to teach someone how to use a Tor browser to be safe online if they’re not also familiar with general security best practices, like passwords and two-factor authentication and the importance of software updates. So, we built a curriculum around that. I later took that experience with me to the Freedom of the Press Foundation and The New York Times.

The work that I’ve done with journalists was something that I stumbled into, but looking at it now, I think investigative journalism has a lot of the same themes as security research. It has the same puzzles, same challenges, and the same digging that gets me really curious and really interested. It also has this incredibly important mission behind it.

Brooke: What do you do to protect journalists and at-risk groups or organizations?

Runa: For an individual to work safely or securely, I consider digital security, physical security, emotional safety, and legal issues. Journalism security really needs to encompass all four buckets, so some of the work that I do has been one-on-one discussions with reporters who want everyday security guidance, and I help them figure out what they can do to improve. They are usually preparing for a specific investigative project or preparing for a trip to an at-risk area.

I have worked closely with groups of people at media organizations that are a mix of reporters, IT, security, and legal to produce a security plan based on the challenges they face and the kind of support the newsroom needs. Years ago, if you were a big enterprise like The New York Times, Washington Post, Microsoft, or Google, there were a lot of big, complex cybersecurity frameworks to help you get a baseline and the steps to take to improve moving forward.

If you’re an individual looking to improve your security, there are guides from the Electronic Frontier Foundation and the Freedom of the Press Foundation giving you information like “here’s how you use a password manager” and “here’s how you set up two-factor authentication,” but Ford Foundation fellow, Matt Mitchell, found that if you’re a small organization or small team, there’s not a good option available. He put together a committee to develop the Ford Foundation Cybersecurity Assessment Tool, which is designed for smaller organizations. It is a really effective way to figure out where I am today and where the focus should be on the next year or two.

Brooke: What are the biggest threats you’ve seen in your line of work?

Runa: If we are talking about security issues that a journalist as an individual might face, we could talk about online account takeover and phishing scams. I recently gave a talk at Paranoia in Oslo about how the media gets hacked and the root cause behind all these issues. If we are talking about the organization that the journalist works for, it comes down to a lack of two-factor authentication, credential stuffing, poor passwords, phishing, and outdated systems.

Over the years, my work has focused on the individual, but 10 years ago, Tor was clunky and complex. We had VPNs. We had tools to fully encrypt the drive in your laptop, but they were clunky to use. There was a long text of steps to get it all up and running. People needed a lot of help to use it. These days, we have all the tools and they’re either free or not super expensive. What is missing now is that buy-in from leadership to create the processes and the workflows to ensure that the newsrooms have all these tools provided to them. Currently, it is more of a building-the-bridges type of challenge. I don’t think we are necessarily missing any tools. We just need to figure out how to piece it together.

Brooke: What are the biggest security challenges for journalists?

Runa: A journalist is a journalist all day, every day. That is not just a job, it is an identity. They are journalists, whether they are in a movie theater with a personal phone or at work with their company laptop. Regardless of the device they are using, the time of day, and location in the world, they are still journalists, and they are going to report if there is something to report on. In a corporate context, historically, we have been focused on securing corporate accounts, corporate systems, and corporate devices, but for roles like journalism and other activist groups, that starts to break down a bit. I think there needs to be a greater conversation around how we go about securing identities as opposed to just the 9-to-5 corporate bits and bobs.

Another big challenge is building sufficient support on the business side of the company to be able to provide adequate support to the newsroom. Reporters who I have talked to are not questioning that they need to be more secure and that they need processes or tools. Once that is provided, they are very willing to try things. You just need to build that bridge and help the business side understand the challenges in the newsroom and the potential challenges that presents for the business, whether from a physical, digital, or legal standpoint, and then produce ways to address that.

Supporting the work that the newsroom is doing means developing products, developing the content management system (CMS), getting stories out, producing new ways to report, retaining subscribers, and funding reporters who go out on investigative trips. All of these things are incredibly important and sometimes more important than security. The challenge is where do I spend my resources knowing that everything is so strapped?

There are a lot of diverse ways that you could improve security at your organization and even if you do not have the resources currently for the best and biggest and greatest product, there are still small things that you can do. It is a matter of figuring out how to focus on this one thing you do have to focus on, even if it’s just one person, two people, or a small team. At this point, not focusing on cybersecurity is not an option.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Runa Sandvik’s new startup Granitt secures at-risk people from hackers and nation states, Zack Whittaker. July 15, 2022.


Second edition of Cyber Signals: Pulling back the curtain on the new ransomware landscape

Today, Microsoft is excited to publish our second edition of Cyber Signals, spotlighting security trends and insights gathered from Microsoft’s 43 trillion security signals and 8,500 security experts. In this edition, we pull back the curtain on the evolving cybercrime economy and the rise of Ransomware-as-a-service (RaaS). Instead of relying on what cybercriminals say about themselves through extortion attempts, forum posts, or chat leaks, Microsoft threat intelligence gives us visibility into threat actors’ actions.

RaaS is often an arrangement between an operator, who develops and maintains the malware and attack infrastructure necessary to power extortion operations, and “affiliates” who sign on to deploy the ransomware payload against targets. Affiliates purchase initial access from brokers or hit lists of vulnerable organizations, such as those with exposed credentials or already having malware footholds on their networks. Cybercriminals then use these footholds as a launchpad to deploy a ransomware payload against targets.

The impact of RaaS dramatically lowers the barrier to entry for attackers, obfuscating those behind initial access brokering, infrastructure, and ransoming. Because RaaS actors sell their expertise to anyone willing to pay, budding cybercriminals without the technical prowess required to use backdoors or invent their own tools can simply access a victim by using ready-made penetration testing and system administrator applications to perform attacks.

The endless list of stolen credentials available online means that without basic defenses like multifactor authentication (MFA), organizations are at a disadvantage in combating ransomware’s infiltration routes before the malware deployment stage. Once it’s widely known among cybercriminals that access to your network is for sale, RaaS threat actors can create a commoditized attack chain, allowing themselves and others to profit from your vulnerabilities.

While many organizations consider it too costly to implement enhanced security protocols, security hardening actually saves money. Not only will your systems become more secure, but your organization will spend less on security costs and less time responding to threats, leaving more time to focus on incoming incidents.

Businesses are experiencing an increase in both the volume and sophistication of cyberattacks. The Federal Bureau of Investigation’s 2021 Internet Crime Report found that the cost of cybercrime in the United States totaled more than USD6.9 billion.[1] The European Union Agency for Cybersecurity (ENISA) reports that between May 2021 and June 2022, about 10 terabytes of data were stolen each month by ransomware threat actors, with 58.2 percent of stolen files including employees’ personal data.[2]

It takes new levels of collaboration to meet the ransomware challenge. The best defenses begin with clarity and prioritization, which means more sharing of information across and between the public and private sectors and a collective resolve to help each other make the world safer for all. At Microsoft, we take that responsibility to heart because we believe security is a team sport. You can explore the latest cybersecurity insights and updates at our threat intelligence hub, Security Insider.

With a broad view of the threat landscape—informed by 43 trillion threat signals analyzed daily, combined with the human intelligence of our more than 8,500 experts—threat hunters, forensics investigators, malware engineers, and researchers, we see first-hand what organizations are facing and we’re committed to helping you put that information into action to pre-empt and disrupt extortion threats.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Internet Crime Report, Federal Bureau of Investigation. 2021.

[2] Ransomware: Publicly Reported Incidents are only the tip of the iceberg, European Union Agency for Cybersecurity. July 29, 2022.


Connect with Microsoft Security experts at the 2022 Gartner Identity & Access Management Summit

The transition to a remote and hybrid workforce happened fast during a time of uncertainty, and IT professionals rose to the challenge with ingenuity and dedication. But two years in, many IT teams are still responding with patchwork solutions to enforce identity and access management (IAM) across a newly decentralized, multiple-endpoint ecosystem. It’s clear that new IAM strategies are needed to accommodate these major shifts in the workplace, as well as meet new organizational priorities and user expectations.

In that spirit of discovery, we’re looking forward to joining the IAM community at the Gartner Identity & Access Management Summit, August 22 to 24, 2022, in Las Vegas, Nevada. We’ll be sharing some of Microsoft’s recent insights about strengthening lifecycle and permissions management, stopping attacks on identity infrastructure, and moving to a cloud-based identity platform. With the recently announced Microsoft Entra, identity threat detection and response (ITDR), and our security information and event management (SIEM) and extended detection and response (XDR) solutions, we’re committed to providing end-to-end protection for your organization. Be sure to visit Microsoft Booth #304 and connect with our frontline defenders.

Gartner IAM Summit—Microsoft sessions

We’re excited to meet with our customers, colleagues, and peers at the 2022 Gartner Identity & Access Management Summit. Microsoft will present three research-backed sessions led by senior product managers, including a special look at ITDR led by Alex Weinert, Director of Identity Security at Microsoft.

Balaji Parimi, Microsoft Partner Product Management

Title: Manage, Secure, and Govern Identities Across Multicloud Infrastructures
Speaker: Balaji Parimi, Partner General Manager
Date/Time: Monday, August 22, 2022 | 11:45 AM to 12:15 PM PT
Synopsis: Going multicloud makes you more agile and resilient. But it also creates more complexity and blind spots for your security and identity teams. It’s time to reimagine how we manage, secure, and govern identities, and enforce least-privileged access consistently across cloud platforms. In this session, we’ll explore how cloud infrastructure entitlement management (CIEM) can strengthen your Zero Trust security in a multicloud world.

Brjann Brekkan, Group Program Manager, Identity and Network Access

Title: Beyond the Firewall: Upgrading from On-Premises to the Microsoft Cloud Identity
Speaker: Brjann Brekkan, Group Program Manager, Identity and Network Access
Date/Time: Monday, August 22, 2022 | 1:15 PM to 1:35 PM PT
Synopsis: Today’s new normal of “work from anywhere” and “on any device” has exposed the challenges of using on-premises authentication technologies and platforms as the control plane for enterprise applications and collaboration. You’re invited to join the Microsoft Identity product group for this interactive session. We’ll discuss the latest trends and platform capabilities to accelerate and simplify the journey of adopting a modern cloud-based identity platform.

Alex Weinert, Director of Identity Security

Title: Identity Threat Prevention, Detection, and Response—Essential Defenses for a New Generation of Attacks
Speaker: Alex Weinert, Director of Identity Security
Date/Time: Tuesday, August 23, 2022 | 11:15 AM to 11:45 AM PT
Synopsis: Attacks against identity infrastructure are accelerating. Instead of trying to compromise individual accounts, today’s attackers seek to gain unrestricted access to multicloud environments and workloads wherever they’re deployed. For that reason, protecting accounts is not enough—organizations need robust protections for the identity infrastructure itself. In this session, we’ll share how Microsoft envisions the future of ITDR, including what an effective identity and security collaboration should look like to help your organization grow fearlessly.

Bridging the IAM and SOC divide

Even as we approach another IAM summit, many organizations are still shocked to learn the reality of how most identity breaches occur. According to the 2022 Verizon Data Breach Investigations Report, 65 percent of breaches are caused by credential misuse, while only 4 percent are caused by system vulnerabilities.[1] A full 82 percent of breaches involve the human element, including social engineering attacks, user errors, and data misuse.

As I will discuss in my Tuesday session, ITDR offers a way of reimagining the scope and collaboration between the SOC and identity admins that can help stop more of these credential-based attacks. IAM requires a lot of the same telemetry and inventory that SOC teams have, but the two groups rarely share tools. That’s because each team buys tools for different reasons. Operations and identity admins want stable, predictable operations and high uptime. Security analysts aren’t concerned with uptime; they care about identifying threats. In other words, IAM is mostly focused on letting only the good guys in, but it also needs an equal capability for keeping the bad guys out.

So, how do we reduce that staggering 65 percent of breaches that result from account-takeover attacks? And how do we know if and when the architecture itself is faulty? The solution lies in unifying more signals and more controls into a holistic solution. Microsoft is positioned to bridge the chasm between SOC and IAM because Microsoft Azure Active Directory (Azure AD) is already the identity foundation that so many organizations rely on. In addition, Microsoft Sentinel provides a cloud-native SIEM and SOAR solution with built-in user and entity behavior analytics (UEBA), while Microsoft Defender provides XDR capabilities for user environments, and Microsoft Defender for Cloud provides XDR for infrastructure and multicloud platforms.

Microsoft Entra: The way in is the way forward

Along with bridging the SOC and IAM relationship, Microsoft Entra is a vital component of Microsoft’s approach to ITDR. The products in the Entra family help provide secure access by providing IAM, CIEM, and identity verification in one solution.

Entra encompasses all of Microsoft’s existing IAM capabilities and integrates two new product categories: Microsoft Entra Permissions Management is a CIEM solution that empowers customers to discover, remediate, and monitor permission risks across all major public cloud platforms (such as Amazon Web Services, Azure, and Google Cloud Platform) from a unified interface. Microsoft Entra Verified ID provides a decentralized identity service based on open standards, safeguarding your organization by allowing admins to seamlessly customize and issue verifiable credentials in all your apps and services. 

Microsoft is working with our customers to reimagine IAM for our new decentralized workplace, and we’re committed to providing end-to-end protection for your organization with Microsoft Entra and SIEM and XDR. We look forward to meeting with you at Gartner Identity & Access Management Summit, August 22 to 24, 2022, in Las Vegas, Nevada. Be sure to stop and chat with us at Microsoft Booth #304.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] 2022 Data Breach Investigations Report, Verizon. 2022.


GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 


Now generally available, Microsoft Defender Experts for Hunting proactively hunts threats

Today, we announced the general availability of Microsoft Defender Experts for Hunting to support organizations and their cybersecurity employees with proactive threat hunting.

Defender Experts for Hunting was created for customers who have a robust security operations center but want Microsoft to help them proactively hunt threats using Microsoft Defender data. Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints, Microsoft Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off the contextual alert information along with remediation instructions so you can quickly respond. Our Defender Experts for Hunting explainer video walks you through how it works.

Capabilities include:

  • Threat hunting and analysis—Defender Experts look deeper to expose advanced threats and identify the scope and impact of malicious activity associated with human adversaries or hands-on-keyboard attacks.
  • Defender Experts Notifications—Notifications show up as incidents in Microsoft 365 Defender, helping to improve your security operations’ incident response with specific information about the scope and method of entry.
  • Experts on Demand—Click the “Ask Defender Experts” button in the Microsoft 365 Defender portal to get expert advice about threats your organization is facing. You can ask for help on a specific incident, nation-state actor, or attack vector.
  • Hunter-trained AI—Defender Experts share their learning back into the automated tools they use to improve threat discovery and prioritization.
  • Reports—An interactive report summarizing what we hunted and what we found.

Bridgewater Associates, the world’s largest hedge fund and one of Microsoft’s first customers to implement a Zero Trust framework, helped Microsoft develop Defender Experts for Hunting, contributing decades of knowledge on how to keep intellectual property and investment data secure. The firm now uses Defender Experts for Hunting to extend its security teams so they can focus on the most complex and immediate security issues. Igor Tsyganskiy, Chief Technology Officer at Bridgewater Associates, believes in working together to protect one another from threats.

“Cybersecurity is a cooperative rather than a competitive area,” he said. “It takes a village to keep us all safer…We are living in a digital world that is completely interconnected, and protecting ourselves singularly, separately from each other, is not going to work.”

More threats—not enough defenders

Modern adversaries are well-organized and possess skills and resources that can challenge even organizations without open cybersecurity roles. These adversaries are also relentless: Microsoft Security blocked more than 9.6 billion malware threats and more than 35.7 billion phishing and malicious emails in 2021. Adversaries have also extended their attack focus from endpoints to identity, cloud apps, and email.

It’s getting harder every day for organizations to build and maintain a full security team, let alone one with the ever-expanding skillset required to meet the range of today’s security demands. Proactive threat hunting—one of the best ways to identify and respond to security threats—is time-consuming, and most security teams are too busy with alert triage and security posture improvement efforts to spend time on proactive hunting.

Additionally, organizations are struggling to recruit top security talent—more important than ever since cybercrime is expected to cost the world USD10.5 trillion a year by 2025 (a 75 percent increase from the USD6 trillion in 2021).[1] With one in three security jobs in the United States unfilled, cybersecurity employees often face huge workloads once hired. As a result, the average time to detect a breach has been pushed out to 287 days as the number and impact of attacks continue to grow.[2]

Technology alone is not enough to fight cybercrime

Many companies don’t face daily security attacks but need deep experience with threat hunting when they do, according to Tsyganskiy.  

“To manage security on its own, a company must sustain a very large and growing team,” he said. “It’s like trying to maintain your own police force. Given the low frequency of the most sophisticated attacks, this is an insane misallocation of resources 90 percent of the time.”

Microsoft is uniquely positioned to help customers meet today’s security challenges. We secure devices, identities, apps, and clouds—the fundamental fabric of our customers’ lives—with the full scale of our comprehensive multicloud, multiplatform solutions. Plus, we understand today’s security challenges because we live this fight ourselves every single day.

Now, our security expertise is your security expertise.

How Microsoft Defender Experts for Hunting works

Every day at Microsoft, threat hunters work alongside advanced systems to analyze billions of signals, looking for threats that might affect customers. Due to the sheer volume of data, we’re meticulous about surfacing threats that customers need to be notified about as quickly and accurately as possible. 

This flow diagram describes how Microsoft Defender Experts for Hunting can be split into three distinct steps. These are track, hunt, and analyze. These three steps form the basis of the service and allow Microsoft to proactively reveal the unseen threats impacting customers.

How we hunt:

  • Step 1: Microsoft Defender Experts monitor telemetry and look for malicious activity across the Microsoft 365 Defender platform associated with human adversaries or hands-on-keyboard attacks.
  • Step 2: If a threat is found to be valid, analysts conduct a deep-dive investigation, harnessing machine learning and gathering threat details, including scope and method of entry, to help protect your organization’s endpoints, email, cloud apps, and identities.
  • Step 3: Our AI system and human hunters prioritize threat signals. Defender expert notifications appear in Microsoft 365 Defender, alerting you to the threat and sharing threat details.

Get started

To start your proactive threat hunting journey with Microsoft Defender Experts for Hunting, please complete the customer interest form to request a follow-up from our field team. To learn more, visit the Defender Experts for Hunting product page, download the datasheet, or watch a short video.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Cybercrime To Cost The World USD10.5 Trillion Annually By 2025, Steve Morgan. November 13, 2020.

[2] Cost of a Data Breach Report 2021, IBM. 2021.


MORSE security team takes proactive approach to finding bugs

When it comes to a complex issue such as computer security, there are no simple answers. As the effects of hacking run the gamut from the annoyingly personal – like never-ending popup windows on your computer screen – to a large-scale, global level – such as the gasoline shutdowns that crippled the East Coast in 2021 – it makes sense that there’s no single approach to attacking the problem.

It takes more than one angle to handle what has become an increasingly important aspect of technology development. Many organizations simply focus on patching problems after they occur. Microsoft, by contrast, is taking a holistic direction in its security measures, covering the entire spectrum with a team that works to stop vulnerabilities before they even spawn, eliminating code flaws before they reach your computer and the prying keyboards of hackers across the globe. For the security team, the thinking goes, it is never a question of if an issue will arise, but when.

“It’s a perennial cat and mouse game,” said Justin Campbell, principal security software engineering lead, Microsoft Security. “Things are evolving. Windows isn’t stagnant. There are new things added, new considerations, new technologies and new procedures researched. That’s not just in security, but how we build our software. There’s still code from 30 years ago that’s in equal consideration with new items we are shipping today. It’s a tremendous spectrum.”

Campbell leads a new global security team of more than 60 members called Microsoft Offensive Research & Security Engineering (MORSE), which takes a three-pronged approach to securing code within the operating system. Red, blue and green teams, each with a different role to play, help MORSE aggressively battle security threats, repair broken code and prevent issues from ever happening.

The overlapping work done by the trio of teams helps develop new technology that benefits each side, from identifying potential weak spots in code to building new tools for the latest threats to strengthening security capabilities that have short- and long-term effects.

Many cybersecurity terms have their roots in computer simulations, video games, military exercises and real-time simulators that many of the experts have studied to learn the tricks of the trade. Red teams try to identify an attack path that breaches an organization’s security defenses using real-world attack strategies. Blue teams defend against those attacks and try to prevent the red team from breaching existing defenses. Green teams help mitigate high-risk, systemic security issues and fix them at scale by building on the learnings and tools from the red and blue teams.
