
Microsoft Security Intelligence Report Volume 24 now available

The 24th edition of the Microsoft Security Intelligence Report (SIR) is now available. This year, I'm thrilled to share that not only can you download the PDF, you can also visit an online, interactive version that provides tools to filter and dig into the data. This edition reflects on last year's security events and includes an overview of the security landscape, lessons learned from the field, and recommended best practices. Some of the trends, such as the increase in cryptocurrency mining and supply chain activity, are worrisome. But I also hope you're encouraged to learn that the defensive measures the security community has taken are paying off: there is good evidence that bad actors have been forced to change their tactics.

To create this report, the SIR team drew core insights and key trends from a year's worth of data from multiple, diverse sources. We analyzed the 6.5 trillion security signals that pass through the Microsoft cloud every day. We gathered insights from thousands of security researchers around the world, and we learned lessons from real-world engagements, such as the Ursnif campaign and the Dofoil coin-miner outbreak. There is a lot going on, but the SIR team distilled the data into four key trends:

  • Ransomware attacks are on the decline.
  • Cryptocurrency mining is prevalent.
  • Software supply chains are at risk.
  • Phishing remains a preferred attack method.

Ransomware attacks are on the decline

The decline in ransomware attacks that we saw in the 2018 data is a good example of how the security community is pushing bad actors to adjust. Just last year we highlighted the large threat that ransomware posed in the 2017 data, so this decline is notable. We believe attackers have shifted from this highly visible method to stealthier attacks because users have become smarter about how they respond.

Cryptocurrency mining is prevalent

The decline in ransomware is good news; on the flip side, cryptocurrency mining has become prevalent. It is one of the methods attackers have deployed in lieu of ransomware. Mining coins profitably requires an immense amount of computing power to perform complex calculations, so attackers install malware on users' computers to "steal" that computing power. The report provides a good overview of how cryptocurrency works and the other factors driving this trend.

Software supply chains are at risk

Software supply chain attacks are another trend that Microsoft has been tracking for several years. One supply chain tactic is to incorporate a compromised component into a legitimate application or update package, which is then distributed to users through the vendor's own channels. These attacks can be very difficult to detect because they take advantage of the trust users place in their software vendors. The report includes several examples, including the Dofoil campaign, which illustrate how wide-reaching these attacks are and what we are doing to prevent and respond to them.

Phishing remains the preferred method of attack

It's probably not surprising that phishing continues to be a popular method of attack, and we expect that to continue for the foreseeable future. The good news: as with ransomware, bad actors have shifted tactics in response to the more sophisticated tools and techniques deployed to protect users. We uncovered a lot of detail about these new phishing methods that we hope you find useful in defending against them.

Learn more

When I was a practitioner, I sought out reports like these to help me better understand attacker techniques and plan my defenses accordingly. I hope you find the insights, tips, and best practices that we’ve pulled together just as helpful. Download volume 24 of the Microsoft Security Intelligence Report and then dig into the data specific to your region in the interactive website. The site will be updated monthly, so you can keep up with emerging data and insights throughout the year.

Also, later in March, join me and my colleague, Jonathan Trull, for a webinar where we’ll dissect these trends in more detail and share best practices to help you protect your organization.

The SIR serves to share some of the intelligence and insights that Microsoft generates as part of our broader security operations work, but it is not the whole story. Please also make sure to check out today’s announcements on new Microsoft security innovations aimed at helping defenders capitalize on the latest security intelligence and protections to help them stay ahead in the evolving cybersecurity landscape.


New cloud-based technology to empower cyber defenders

Cybersecurity is about people. The frontline defenders who stand between the promise of digital transformation and the daily reality of cyber-attacks need our help. At Microsoft, we've made it our mission to empower every person and organization on the planet to achieve more. Today that mission is focused on defenders. We are unveiling two new cloud-based technologies, Microsoft Azure Sentinel and Microsoft Threat Experts, that empower security operations teams by reducing the noise, false alarms, time-consuming tasks and complexity that are weighing them down. Let me start by sharing some insight into the modern defender experience.

Every day Microsoft security professionals help organizations respond to threats at scale and through targeted incident response. In one recent example from the latest Security Intelligence Report, Microsoft experts were called in to help several financial services organizations deal with attacks launched by a state-sponsored group that had gained administrative access and executed fraudulent transactions, transferring large sums of cash into foreign bank accounts. When the attack group realized they had been detected, they rapidly deployed destructive malware that crippled the customers’ operations for several days. Microsoft experts were on site within hours, working around the clock with the customers’ security teams to restore normal business operations.

Incidents like this are a reminder that many defenders are overwhelmed by threats and alerts – often spending their days chasing down false alarms instead of investigating and solving complex cases. Compounding the problem is a critical shortage of skilled cyber defenders, with an estimated shortfall of 3.5 million security professionals by 2021. With today’s announcements we are unlocking the power of the cloud and AI for security to do what they do best—reason over vast amounts of security signal, spot anomalies and bring global scale to highly trained security professionals.

Too many enterprises still rely on traditional Security Information and Event Management (SIEM) tools that are unable to keep pace with the needs of defenders, volume of data or the agility of adversaries. The cloud enables a new class of intelligent security technologies that reduce complexity and integrate with the platforms and productivity tools you depend on. Today we are pleased to announce Microsoft Azure Sentinel, the first native SIEM within a major cloud platform. Azure Sentinel enables you to protect your entire organization by letting you see and stop threats before they cause harm. With AI on your side it helps reduce noise drastically—we have seen an overall reduction of up to 90 percent in alert fatigue with early adopters. Because it’s built on Azure you can take advantage of nearly limitless cloud speed and scale and invest your time in security and not servers. In just a few clicks you can bring in your Microsoft Office 365 data for free and combine it with your other security data for analysis.

Azure Sentinel is the product of Microsoft’s close partnership with customers on their journey to digital transformation. We worked hand in hand with dozens of customers and partners to rearchitect a modern security tool built from the ground up to help defenders do what they do best – solve complex security problems. Early adopters are finding that Azure Sentinel reduces threat hunting from hours to seconds.

Corey McGarry, Senior Technical Specialist, Enterprise Operations, Tolko Industries, Ltd., told me, “After using Microsoft Azure Sentinel for six months, it has become a go-to resource every morning. We get a clear visual of what’s happening across our network without having to check all our systems and dashboards individually. I haven’t seen an offering like Microsoft Azure Sentinel from any other company.”

Azure Sentinel supports open standards such as Common Event Format (CEF) and broad partner connections, including Microsoft Intelligent Security Association partners such as Check Point, Cisco, F5, Fortinet, Palo Alto and Symantec, as well as broader ecosystem partners such as ServiceNow. You can even bring your own insights and collaborate with a diverse community of defenders. Azure Sentinel blends the insights of Microsoft experts and AI with the unique insights and skills of your own in-house defenders and machine learning tools to uncover the most sophisticated attacks before they take root. Azure Sentinel helps empower SecOps teams to keep their organizations safe by harnessing the power, simplicity and extensibility of Azure to analyze data from Microsoft 365 and security solutions from other vendors. Azure Sentinel is available in preview today from the Azure portal.

screenshot of Azure Sentinel overview page with bar graph, map and other sample data

Our approach to security is not only about applying the cloud and AI to your scale challenges, but also about making the security operations experts who defend our cloud available to you. Therefore, we are pleased to announce Microsoft Threat Experts, a new service within Windows Defender ATP that provides managed hunting to extend the capability of your security operations center team. Through this service, Microsoft will proactively hunt over your anonymized security data for the most important threats, such as human adversary intrusions, hands-on-keyboard attacks, and advanced attacks like cyberespionage, helping your team prioritize the most important risks and respond quickly. The service also provides world-class expertise on demand. With the new "Ask a Threat Expert" button, your security operations team can submit questions directly in the product console. To join the public preview of Microsoft Threat Experts, apply in the Windows Defender ATP settings.

There are no easy answers or silver bullets for security, however the cloud is unlocking new capabilities. This is why we are putting the cloud and AI to work to extend and empower the defenders whose unique human insights are key to avoiding cyber threats. Azure Sentinel and Microsoft Threat Experts are two new capabilities that join our broad portfolio of security solutions across identity, endpoints, data, cloud applications and infrastructure. We look forward to showcasing Azure Sentinel and Microsoft Threat Experts at the RSA Conference next week and encourage you to stop by the Microsoft booth on the main show floor or any of our compelling sessions to learn more.



Securing the future of AI and machine learning: Early findings from new research paper

Artificial intelligence (AI) and machine learning are making a big impact on how people work, socialize, and live their lives. As consumption of products and services built around AI and machine learning increases, specialized actions must be undertaken to safeguard not only your customers and their data, but also to protect your AI and algorithms from abuse, trolling, and extraction.

We are pleased to announce the release of a research paper, Securing the Future of Artificial Intelligence and Machine Learning at Microsoft, focused on net-new security engineering challenges in the AI and machine learning space, with a strong focus on protecting algorithms, data, and services. This content was developed in partnership with Microsoft's AI and Research group. It's referenced in The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum, and cited in Responsible bots: 10 guidelines for developers of conversational AI.

This document focuses entirely on security engineering issues unique to the AI and machine learning space, but due to the expansive nature of the InfoSec domain, it’s understood that issues and findings discussed here will overlap to a degree with the domains of privacy and ethics. As this document highlights challenges of strategic importance to the tech industry, the target audience for this document is security engineering leadership industry-wide.

Our early findings suggest that:

  1. Secure development and operations foundations must incorporate the concepts of Resilience and Discretion when protecting AI and the data under its control.
     • AI-specific pivots are required in many traditional security domains such as Authentication, Authorization, Input Validation, and Denial of Service mitigation.
     • Without investments in these areas, AI/machine learning services will continue to fight an uphill battle against adversaries of all skill levels.
  2. Machine learning models are largely unable to discern between malicious input and benign anomalous data. A significant source of training data is derived from un-curated, unmoderated public datasets that may be open to third-party contributions.
     • Attackers don't need to compromise datasets when they are free to contribute to them. Such dataset poisoning attacks can go unnoticed while model performance inexplicably degrades.
     • Over time, low-confidence malicious data becomes high-confidence trusted data, provided that the data structure/formatting remains correct and the quantity of malicious data points is sufficiently high.
  3. Given the great number of layers of hidden classifiers/neurons that can be leveraged in a deep learning model, too much trust is placed on the output of AI/machine learning decision-making processes and algorithms without a critical understanding of how these decisions were reached.
     • AI/machine learning is increasingly used in support of high-value decision-making processes in medicine and other industries where the wrong decision may result in serious injury or death.
     • AI must have built-in forensic capabilities. This enables enterprises to provide customers with transparency and accountability of their AI, ensuring its actions are not only verifiably correct but also legally defensible.
     • When combined with data provenance/lineage tools, these capabilities can also function as an early form of "AI intrusion detection," allowing engineers to determine the exact point in time that a decision was made by a classifier, what data influenced it, and whether or not that data was trustworthy.
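The poisoning mechanism in the second finding, and the provenance weighting and lineage forensics the third finding calls for, as a runnable illustration. This is an added example, not code from the Microsoft paper: the seed corpus, the contributor names (`curator`, `anon-7731`), the 1% trust weight for unvetted contributors and the naive-Bayes style scorer are all constructed assumptions, chosen to keep the arithmetic visible.

```python
"""Dataset poisoning via open contributions, plus two of the defences the
findings above call for (provenance weighting and lineage forensics).

Added illustration; not code from the Microsoft paper. The seed corpus,
the contributor names and the trust weights are constructed for the demo.
"""
import math
from collections import Counter, defaultdict

# Constructed seed corpus of (text, label, contributor). "bad" = malicious.
SEED = [
    ("urgent wire transfer to new account today", "bad", "curator"),
    ("your account is locked verify password now", "bad", "curator"),
    ("wire transfer required click link", "bad", "curator"),
    ("lunch at noon tomorrow", "good", "curator"),
    ("quarterly report attached for review", "good", "curator"),
    ("meeting moved to conference room b", "good", "curator"),
    ("please review the attached transfer invoice", "good", "curator"),
]

# The phrase the attacker intends to send once the model trusts it.
TARGET = "wire transfer required now"


def tokenize(text):
    return text.lower().split()


def train(records, trust=None, default_trust=1.0):
    """Per-label token counts, each record weighted by how much the pipeline
    trusts its contributor. With the defaults every contribution counts in
    full, which is the open, unmoderated dataset described above."""
    trust = trust or {}
    counts = {"bad": Counter(), "good": Counter()}
    vocab = set()
    for text, label, who in records:
        weight = trust.get(who, default_trust)
        for tok in tokenize(text):
            counts[label][tok] += weight
            vocab.add(tok)
    return counts, vocab


def score(model, text):
    """Naive-Bayes style log-odds that text is malicious (> 0 means 'bad'),
    with add-one smoothing so unseen tokens do not zero out a class."""
    counts, vocab = model
    v = len(vocab)
    total = {label: sum(c.values()) for label, c in counts.items()}
    log_odds = 0.0
    for tok in tokenize(text):
        p_bad = (counts["bad"][tok] + 1) / (total["bad"] + v)
        p_good = (counts["good"][tok] + 1) / (total["good"] + v)
        log_odds += math.log(p_bad / p_good)
    return log_odds


def classify(model, text):
    return "bad" if score(model, text) > 0 else "good"


def attacker_contributions(n, who="anon-7731"):
    """n well-formed records from one unvetted account, each labelling the
    attacker's own phrase as benign. Format-valid, so ingestion accepts them."""
    return [("reminder " + TARGET, "good", who)] * n


def token_lineage(records, token, label):
    """Forensics: which contributors taught the model that `token` belongs to
    `label`, and how many records each of them supplied."""
    by_contributor = defaultdict(int)
    for text, lbl, who in records:
        if lbl == label and token in tokenize(text):
            by_contributor[who] += 1
    return dict(by_contributor)


def demo(n_poison=40):
    """Verdict on TARGET before poisoning, after poisoning, and after
    re-training with provenance weighting (curator fully trusted, unknown
    contributors at 1%; the 1% figure is an assumed policy, not a standard)."""
    poisoned = SEED + attacker_contributions(n_poison)
    return {
        "clean": classify(train(SEED), TARGET),
        "poisoned": classify(train(poisoned), TARGET),
        "provenance_weighted": classify(
            train(poisoned, trust={"curator": 1.0}, default_trust=0.01), TARGET),
        "who_taught_wire_is_good": token_lineage(poisoned, "wire", "good"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run it and the verdict on the attacker's phrase goes from bad (clean data) to good (after 40 identical, well-formed contributions from a single unvetted account) and back to bad once contributions are weighted by contributor trust; `token_lineage` answers the forensic question of who taught the model that `wire` is benign, and how many records it took.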

Our goal is to bring awareness and energy to the issues highlighted in this paper while driving new research investigations and product security investments across Microsoft. Read the Securing the Future of Artificial Intelligence and Machine Learning at Microsoft paper to learn more.


Game for Safer Internet Day shows kids how to protect themselves online


1. Use complex, unique passwords for different accounts
If someone has your house key, they can enter and burglarize every room in your home. The same is true of passwords and online accounts. Too often we choose passwords that are easy to remember, such as names or birthdays. But if it's easy for you to remember, it's likely to be easy for cybercriminals to guess. If you use the same simple password for multiple accounts, then cybercriminals can, and will, access all your sensitive personal information.

Use a password manager to store a different password for each account safely, and make sure each password is complex: at least 10 characters with a mixture of numbers, letters, capitalization and special characters.

2. Don't accept invites from strangers on social media
Not everyone you meet online is who they claim to be. It’s common for cybercriminals to create fake social media profiles to foster relationships with unwary users and pick their cyber pockets – or worse.

If you're approached online by a stranger who insists you share personal information or asks for money, that should set off alarm bells. If possible, search for the person directly to see whether the account is authentic. Still unsure about the person's identity but want to accept their friend request anyway? To be on the safe side, limit what that person can view on your profile using your privacy settings.

Remember: the same rules apply online as they do in the real world – don’t share sensitive or private information with strangers.

3. Online actions can have offline consequences
Think of the Internet like a town square or a sidewalk: it’s a public space, where anyone can see or share anything you publish, irrespective of whether it’s meant for them or if you’ve given permission.

Before you post something online, ask yourself; would I want my employer, customer or relative to know this? Even things like your relationship status or home address, which might seem harmless, can be misused if the wrong people see them.

4. Protect sensitive and personal information
With a few exceptions, there is unfortunately no permanent delete key for content posted online. Any image, comment or photo you post is likely to remain there forever. Even if you remove the original post, you can't be sure that others have not made copies or shared your content on other networks. So don't put anything online that you wouldn't want others to see.

5. Be careful where you click
A tried-and-tested cybercriminal tactic is to trick you into downloading malware that allows them to steal information. From a popular game to an email offering tech support, malware can be disguised in a variety of different ways.

Avoid downloading apps that look odd or come from an unknown site. Not sure if an email is legitimate? Ask yourself the following questions: Does the sender have a bizarre email address? Is the greeting impersonal? Are there a lot of spelling mistakes? Is there a strange sense of urgency?

If you’re still unsure, get in touch with the brand or company through their official channels such as their website or social media page. It is always better to triple check than risk compromising your security.

6. Update your privacy settings & antivirus
If you don't update your defenses, cybercriminals will eventually find a way past them. Stay current with your operating system's updates and check the privacy settings on the applications and browser you use.

7. Always use a secure connection
When using a public internet connection, such as Wi-Fi in a shopping center, you have no direct control over its security. If you’re unable to establish a secure connection or ensure your device is protected, don’t share sensitive information. It’s safer to wait until you’re at home and using a secure Wi-Fi network.

8. Ask advice from those you trust
Never feel rushed to click on a link or publish a post. There is nothing more urgent than our online safety.

Navigating online threats can be stressful, but there are plenty of resources to help you out. Whenever you find yourself in a situation where you are unsure or suspicious, always defer to the expertise of those you trust – whether a friend, parent, teacher or even a technology partner.

Looking for a fun way to teach youth about internet safety? Download the free Safer Internet Day chatterbox and discussion guide.


Data loss prevention: Human error, insider threats and the in-between

Do you remember the first or last time you found a user had shared sensitive information with the wrong people?

Companies dedicate large amounts of resources and money to establishing an airtight DLP policy to detect and protect company data and prevent it from getting into the wrong hands, whether deliberately or by mistake. But no matter how good the technology, or how vigilant the security team, there is always a wildcard: end users.

“A company can often detect or control when an outsider (non-employee) tries to access company data either physically or electronically, and can mitigate the threat of an outsider stealing company property. However, the thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access. That insider may steal solely for personal gain, or that insider may be a “spy”—someone who is stealing company information or products in order to benefit another organization or country.”

                Introductory guide to identifying malicious insiders, U.S. Federal Bureau of Investigation (FBI)


Figure 1: Statistics from the Insider Threat 2018 Report

From the above data we can see that insider threats have become a real concern for most organizations, and that active steps are being taken to mitigate the risk these threats pose.

In this post we'll discuss how regular users can expose sensitive data by wrongly classifying documents, how malicious users can take advantage of encryption to exfiltrate data, and how Microsoft Cloud App Security's new ability to scan content in encrypted files, together with the wider Microsoft Information Protection offering, can help organizations mitigate these risks.

The innocent mistake

While employees in the modern workplace are getting increasingly technologically savvy, and are finding new tools to improve their productivity, they aren’t always aware of the security implications of their actions.

Many of our customers are leveraging Microsoft Information Protection solutions to classify, label and protect their data. To minimize the impact on end users and their ability to be productive, these organizations often choose to empower their users to label documents themselves, by providing automatic suggestions but not auto-labeling or -protecting documents.

A user can inadvertently apply a low-sensitivity label, one that applies minimal access restrictions, to a document containing highly confidential information. Because the label also protects (encrypts) the file, a DLP solution that cannot open protected content will not inspect it; yet the permissive access rights that come with the low label may still let unauthorized people open it.

The malicious insider

A bigger threat, with a much higher potential for damage, is the malicious insider: an employee who is actively working to exfiltrate sensitive information from the organization, whether for personal gain, corporate espionage or other reasons.

Such a user can deliberately classify a file as low sensitivity, so that it is encrypted but carries permissive rights, insert highly sensitive data into it, and then share it externally. As in the "mistake" scenario, the encryption lets the file pass through the DLP solution uninspected.

How does Microsoft Cloud App Security handle these risks?

Microsoft Cloud App Security has a wide set of tools targeted at handling insider threats. These include user behavior anomaly detections, cloud discovery anomaly detections, and the newly released ability to scan content of encrypted documents.

User anomaly detection

Microsoft Cloud App Security comes with a wide set of out-of-the-box anomaly detection policies that are activated by default as soon as the product is enabled. These detections look at the activities performed by users in sanctioned apps and define a usage baseline, leveraging UEBA capabilities to automatically identify any anomalous behaviors going forward.

An example of these types of detections, aimed at insider threats, is “Unusual file download activity by user”. This detection will create an alert whenever a user performs file downloads that differ from their usual pattern – a potential indicator of a data exfiltration attempt.
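The baseline-and-deviation logic behind a detection like "Unusual file download activity by user", as an added example; this is not Cloud App Security's own detection code. The audit-log format, the users `alice` and `bob`, the seven-day learning window and the thresholds (`k=5` MADs, at least 10 extra files) are all constructed for the demo.

```python
"""Per-user download baseline with robust deviation alerting.

Added example in the style of 'Unusual file download activity by user';
not Cloud App Security's own logic. Log format, users and thresholds are
constructed for the demo."""
import statistics
from collections import defaultdict

LEARN_DAYS = [f"2019-03-{d:02d}" for d in range(1, 8)]   # 7-day learning window
EVAL_DAY = "2019-03-08"                                  # day under evaluation


def _synthetic_log():
    """Constructed audit records: 'timestamp,user,operation,bytes'.
    alice downloads 6 files a day; bob runs a nightly export of ~40 files.
    On the evaluation day alice additionally pulls 70 files after hours."""
    lines = []
    for day in LEARN_DAYS + [EVAL_DAY]:
        for i in range(6):
            lines.append(f"{day}T09:{i:02d}:00Z,alice,FileDownloaded,20480")
        for i in range(40 + int(day[-2:]) % 3):
            lines.append(f"{day}T01:{i:02d}:00Z,bob,FileDownloaded,4096")
        lines.append(f"{day}T10:30:00Z,alice,FileAccessed,0")   # not a download
    for i in range(70):
        lines.append(f"{EVAL_DAY}T17:{i % 60:02d}:{i // 60:02d}Z,alice,FileDownloaded,20480")
    return lines


LOG = _synthetic_log()


def downloads_per_user_day(lines):
    """Count FileDownloaded events as {user: {date: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, operation, _size = line.split(",")
        if operation == "FileDownloaded":
            counts[user][ts[:10]] += 1
    return counts


def baseline(by_day, learn_days):
    """Median and median absolute deviation over the learning window.
    Robust statistics, so a single earlier spike cannot inflate the baseline."""
    values = [by_day.get(day, 0) for day in learn_days]
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    return med, mad


def detect(lines=LOG, learn_days=LEARN_DAYS, eval_day=EVAL_DAY, k=5.0, min_extra=10):
    """Alert when a user's downloads on eval_day exceed their own baseline by
    more than k MADs (MAD floored at 1 so a perfectly regular user can still be
    baselined) and by at least min_extra files in absolute terms, which keeps
    low-volume users from alerting on a couple of extra downloads."""
    alerts = {}
    for user, by_day in downloads_per_user_day(lines).items():
        med, mad = baseline(by_day, learn_days)
        observed = by_day.get(eval_day, 0)
        threshold = med + k * max(mad, 1.0)
        if observed > threshold and observed - med >= min_extra:
            alerts[user] = {"observed": observed, "baseline": med, "threshold": threshold}
    return alerts


if __name__ == "__main__":
    for user, info in detect().items():
        print(f"ALERT {user}: {info['observed']} downloads vs baseline {info['baseline']}")
```

The point of comparing each user against their own history is visible in the two users: bob's 42 downloads on the evaluation day are normal for bob and raise nothing, while alice's 76 against a baseline of 6 do. Per-user baselines are what separate a bulk-export service account from an employee who suddenly starts pulling files.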

Cloud anomaly detection

In addition to the user anomaly detections for sanctioned apps, Cloud App Security also offers detections aimed at identifying suspicious behavior of users in unsanctioned applications. These detections are based on the data we get and analyze as part of our Cloud Discovery capabilities.

An example for such a detection is “Data exfiltration to unsanctioned apps”, which looks at the amount of data being uploaded by users to unsanctioned applications – one of the most common scenarios of insider threat data exfiltration.

Content inspection of encrypted files

We have recently released the ability for an admin to allow Microsoft Cloud App Security (MCAS) to scan the content of files that are protected by Azure Information Protection. After enabling this functionality, the admin can define MCAS file policies that inspect the content of encrypted files and generate an alert, or take an action, when the policy matches.

This functionality ensures that files are handled according to their actual content, even if they are labeled incorrectly, preventing sensitive data from leaving the organization both by mistake and by design.


Figure 2: Policy setting to allow Microsoft Cloud App Security to scan files protected with AIP
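The gap described in the "innocent mistake" and "malicious insider" scenarios above, and the content-inspection fix, as an added example. This is not Cloud App Security or Azure Information Protection code: the protected-file envelope, the toy cipher standing in for AIP protection, the tenant key, the label names and the sample documents are all constructed for the demo. The credit-card sensitive info type (16 digits plus a Luhn check) is a generic DLP pattern, not a description of any product's built-in type.

```python
"""File-policy evaluation that inspects the *content* of protected files, so
the document's real sensitivity rather than its (possibly wrong) label
decides what happens to it.

Added example; not Cloud App Security or AIP code. The envelope, the toy
cipher, the key and the sample documents are constructed."""
import hashlib
import re

TENANT_KEY = b"constructed-tenant-key"          # assumption: one protection key
RESTRICTED_LABELS = {"Confidential", "Highly Confidential"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def _keystream(key, n):
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def protect(text, key):
    """Toy stand-in for label-applied protection: XOR with a hashed counter
    stream. Not a real cipher; it only models 'unreadable without rights'."""
    data = text.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def unprotect(blob, key):
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Credit-card sensitive info type: 16 digits (spaces or dashes allowed)
    that also pass Luhn, which filters out order numbers and look-alikes."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


class StoredFile:
    def __init__(self, name, label, content, protect_with=None):
        self.name, self.label = name, label
        self.protected = protect_with is not None
        self.body = protect(content, protect_with) if self.protected else content


def label_only_policy(f):
    """What a label-driven rule sees: the label alone. A mislabeled file is
    allowed out, and a protected body is never opened."""
    return "block" if f.label in RESTRICTED_LABELS else "allow"


def content_policy(f, scanner_key=None):
    """Content inspection. Without rights to open protected files the scanner
    must skip them, which is the gap in both scenarios above; with rights it
    decrypts, scans and decides on what the file actually contains."""
    if f.protected:
        if scanner_key is None:
            return "skip", "protected content not inspected"
        text = unprotect(f.body, scanner_key)
    else:
        text = f.body
    cards = find_cards(text)
    if cards:
        return "block", f"{len(cards)} credit card number(s) in file labeled {f.label!r}"
    return "allow", "no sensitive info types matched"


# Constructed samples: a protected file whose label says General but whose body
# holds card numbers (by mistake or on purpose; the engine cannot tell), and a
# harmless unprotected file with a 16-digit order number that fails Luhn.
FORECAST = StoredFile(
    "q3-forecast.docx", "General",
    "Cards on file: 4111 1111 1111 1111 and 4242-4242-4242-4242. Order 1234567812345678.",
    protect_with=TENANT_KEY)
MENU = StoredFile("lunch-menu.txt", "General", "Soup of the day: tomato. Order 1234567812345678.")


def demo():
    return {
        f.name: {"label_only": label_only_policy(f),
                 "content_no_rights": content_policy(f)[0],
                 "content_with_rights": content_policy(f, TENANT_KEY)[0]}
        for f in (FORECAST, MENU)
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The mislabeled forecast is allowed by the label-only rule, skipped by a content scanner that lacks rights to open protected files, and blocked only once the scanner is granted those rights, which is exactly the permission the Figure 2 setting grants. The Luhn check matters in practice: without it the 16-digit order number in the lunch menu would be a false positive.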

Human error and malicious intent will forever be a part of organizational lifecycles. While we cannot eliminate them completely, it’s our goal to enable IT and Security admins to minimize this risk. With our advanced capabilities and unique set of insights, Microsoft Cloud App Security and the wider Microsoft Information Protection offering help organizations to protect their sensitive information – wherever it lives or travels.

More info and feedback

Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Learn more about Microsoft Information Protection.


Security researchers: Bug bounty program for Azure DevOps added

It is my pleasure to announce another exciting expansion of the Microsoft Bounty Programs. Today, we are adding a security bug bounty program for Azure DevOps in partnership with the Microsoft Security Response Center (MSRC) to our suite of Bounty programs.

Our Bounty program rewards independent security researchers who find flaws and report them to us responsibly. We'll publicly recognize the researchers who report these security issues, and for high-severity bugs we'll pay rewards of up to $20,000 USD.

These rewards help motivate researchers to find security vulnerabilities in our services and let us correct them before they’re exploited by attackers. You can find the details of our Bug Bounty program with MSRC.

Security has always been a passion of mine, and I see this program as a natural complement to our existing security framework. We’ll continue to employ careful code reviews and examine the security of our infrastructure. We’ll still run our security scanning and monitoring tools. And we’ll keep assembling a red team on a regular basis to attack our own systems to identify weaknesses.

If you’re interested in the way our team approaches security and how we continue to evolve our thinking and practices, then I’d encourage you to watch the video of my talk “Mindset shift to a DevSecOps culture.”

This program will help us provide the highest level of security for our customers, protect customer data, and ensure the availability of Azure DevOps. I’m looking forward to seeing what we learn from working more closely with the security community.


Microsoft gains strong customer, analyst momentum in cloud access security brokers market

After a strong year of product updates and innovations, we're excited to see that Microsoft jumped into the Challenger position in Gartner's 2018 Magic Quadrant for Cloud Access Security Brokers (CASB) and solidified its leadership position in KuppingerCole's 2018 Leadership Compass in the same product category, backed by strong customer adoption rates.

CASBs give organizations the ability to securely embrace the possibilities of their cloud apps and services and they can be crucial in driving a successful cloud security strategy.

While the market for CASB is still relatively young, analyst firm Gartner, Inc. predicts that 60 percent of large enterprises will be using CASB technologies by 2020, with independent forecasts expecting to reach a total addressable market of $7.5 billion in the same timeframe.

We have seen a steep increase in the adoption of Microsoft Cloud App Security across all customer segments, ranging from large enterprises such as global energy leader BP, to smaller organizations such as Affinity Workforce. Our internal estimates show that Microsoft Cloud App Security has a current market share of more than 30 percent in the CASB space. This provides us with insights from billions of signals every day—and direct input from the many organizations that we work with—allowing us to continuously improve the product and react to what we’re seeing in the market.

By integrating with leading security, identity, and productivity solutions across Microsoft 365, Microsoft Cloud App Security is uniquely positioned to drive innovation in the CASB space. Recent additions include our native integration with Windows Defender Advanced Threat Protection and our consistent labeling experience via Azure Information Protection. Among many others, these help organizations gain visibility into their cloud apps and services, provide sophisticated analytics to identify and combat cyber threats, and control the travel of sensitive information, covering Microsoft's native cloud services as well as numerous third-party cloud apps and services such as Dropbox and Salesforce.

Microsoft Cloud App Security’s portfolio of native product integrations.

2018 analyst momentum

In Gartner’s 2018 report, we significantly improved our positioning and moved along both axes, Completeness of Vision as well as Ability to Execute, up from a Niche Player to a Challenger position. We see the substantial improvement as a testimony to our strong ability to execute against our feature roadmap and the momentum we are gaining with customers.

Magic Quadrant for CASB. Source: Gartner (October 2018)*

In its 2018 report, analyst firm KuppingerCole positions Microsoft as a Leader for the second year in a row. This further emphasizes the strength of our native integrations across Microsoft 365, including Azure Active Directory (Azure AD), Office 365, and Azure Security Center, and the significant customer base of Microsoft Cloud App Security.

Leadership Compass for CASB. Source: KuppingerCole (October 2018)

This year’s results confirm Microsoft’s strong commitment and rapid progress in this space—and with the progress of the overall market, the importance for organizations to start considering the use of a CASB continues to increase.

Learn more

We made both these 2018 analyst reports available for review. Download the Gartner Magic Quadrant 2018 for CASBs report and the KuppingerCole Leadership Compass 2018 report.

If you’re not using Microsoft Cloud App Security, start a free trial today and learn how to get started with our detailed technical documentation.

If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

To stay up to date with our latest product innovations, follow our product blog.

*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Microsoft becomes first Fortune 500 company to adopt password-less authentication

Howdy folks,

I’m so excited to share today’s news! We just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device—no username or password required! FIDO2 enables users to leverage standards-based devices to easily authenticate to online services—in both mobile and desktop environments.

This combination of ease of use, security, and broad industry support is going to be transformational both at home and in the modern workplace. Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype, and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security.

Starting today, you can use a FIDO2 device or Windows Hello to sign in to your Microsoft account using the Microsoft Edge browser.

Watch this quick video showing how it works:

Microsoft has been on a mission to eliminate passwords and help people protect their data and accounts from threats. As a member of the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3C), we’ve been working with others to develop open standards for the next generation of authentication. I’m happy to share that Microsoft is the first Fortune 500 company to support password-less authentication using the WebAuthn and FIDO2 specifications, and Microsoft Edge supports the widest array of authenticators compared to other major browsers.

If you want to know more details on how it works and how to get started, keep reading on.

Get started

To sign in with your Microsoft Account using a FIDO2 security key:

  1. If you haven’t already, make sure you have installed the Windows 10 October 2018 Update.
  2. Go to the Microsoft account page in Microsoft Edge and sign in as you normally would.
  3. Select Security > More security options and, under Windows Hello and security keys, you’ll see instructions for setting up a security key. (You can purchase a security key from one of our partners that support the FIDO2 standard, including Yubico and Feitian Technologies.*)
  4. Next time you sign in, you can either click More Options > Use a security key or type in your username. At that point, you’ll be asked to use your security key to sign in.

And as a reminder, here’s how to sign in with your Microsoft account using Windows Hello:

  1. Make sure you have installed the Windows 10 October 2018 Update.
  2. If you haven’t already, you’ll need to set up Windows Hello. If you have Windows Hello set up, you’re good to go!
  3. Next time you sign in on Microsoft Edge, you can either click More Options > Use Windows Hello or a security key or type in your username. At that point, you’ll be asked to use Windows Hello or a security key to sign in.

If you need more help, check out our detailed help article about how to get set up.

*There are a couple of optional features in the FIDO2 spec that we believe are fundamental to security, so only keys that have implemented those features will work. Read What is a Microsoft-compatible security key? to learn more.

How does it work?

Under the covers, we implemented the WebAuthn and FIDO2 CTAP2 specifications into our services to make this a reality.

Unlike passwords, FIDO2 protects user credentials with public-key cryptography: every credential is a signing key pair, and no shared secret ever exists on the server. When you create and register a FIDO2 credential, the device (your PC or the FIDO2 device) generates the key pair on the device. The private key is stored securely on the device and can only be used after it has been unlocked using a local gesture like a biometric or PIN. Note that your biometric or PIN never leaves the device. At the same time that the private key is stored, the public key is sent to the Microsoft account system in the cloud and registered with your user account. Because the server holds only a public key, a breach of the server database yields nothing an attacker can sign in with.

When you later sign in, the Microsoft account system sends a nonce (a fresh random challenge) to your PC or FIDO2 device. Your PC or device then uses the private key to sign the nonce. The signed nonce and accompanying metadata are sent back to the Microsoft account system, where the signature is verified using the registered public key. The signed metadata, as specified by the WebAuthn and FIDO2 specs, carries information such as whether the user was present and whether the local gesture verified the user, and it also binds the signature to the relying party the credential was registered for and to the origin the browser was actually talking to. A credential registered for the Microsoft account service therefore cannot be used by a look-alike site that relays the genuine challenge, and a captured response cannot be replayed because the nonce is single-use. It’s these properties that make authentication with Windows Hello and FIDO2 devices not “phishable” and not easily stolen by malware.

How do Windows Hello and FIDO2 devices implement this? Based on the capabilities of your Windows 10 device, the private key is protected either by a built-in hardware trusted platform module (TPM) or, where no hardware TPM is available, by a software-based TPM. The TPM stores the private key, which requires your face, fingerprint, or PIN to unlock it. Similarly, a FIDO2 device, like a security key, is a small external device with its own built-in secure element that stores the private key and requires a biometric or PIN to unlock it. Both options offer two-factor authentication in one step: something you have (the registered device) and something you know or are (the PIN or biometric) are both required to sign in.
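The following Go program is an added example, not code from this post or from Microsoft’s implementation. It models the registration and sign-in exchange described above end to end: the authenticator generates a P-256 key pair and hands out only the public key; at sign-in the relying party issues a nonce, the authenticator signs the WebAuthn authenticator data (rpIdHash, flags, signature counter) together with the hash of the client data (type, challenge, origin), and the relying party checks challenge, origin, relying-party ID, user-presence and user-verification flags, counter and signature. The model is deliberately simplified (no CBOR, attestation, credential IDs or base64url encoding; client-data field names are not the spec’s lower-case ones), and the names Register, Sign, Verify, the relying-party ID account.microsoft.com and the look-alike origin account-microsoft.example are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of the authenticator-data flags byte (WebAuthn "authData").
const (
	flagUserPresent  = 0x01 // UP: the user touched or approved the authenticator
	flagUserVerified = 0x04 // UV: a PIN or biometric unlocked the private key
)

type Authenticator struct { // FIDO2 key or Windows Hello: the private key never leaves it
	priv      *ecdsa.PrivateKey
	rpID      string // relying-party ID the credential was registered under
	signCount uint32
}
type StoredCredential struct { // everything the relying party (RP) keeps for the account
	Pub       *ecdsa.PublicKey
	RPID      string
	SignCount uint32 // highest counter seen; catches cloned keys and replays
}
type clientData struct{ Type, Challenge, Origin string }          // the browser, not the page, sets Origin
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // AuthData = sha256(rpID)||flags||counter

// Register creates the key pair on the authenticator; only the public half goes to the RP.
func Register(rpID string) (*Authenticator, *StoredCredential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, WebAuthn's default algorithm
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &StoredCredential{Pub: &priv.PublicKey, RPID: rpID}, nil
}

func NewChallenge() (string, error) { // the RP's per-login nonce (hex here; real RPs use base64url)
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return fmt.Sprintf("%x", b), err
}

// signedDigest is what the authenticator signs and the RP verifies: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append(make([]byte, 0, len(authData)+32), authData...), cdHash[:]...))
	return d[:]
}

// Sign models browser plus authenticator: origin is what the browser saw, gestureOK whether the PIN/biometric passed.
func (a *Authenticator) Sign(challenge, origin string, gestureOK bool) (*Assertion, error) {
	if !gestureOK {
		return nil, errors.New("private key stays locked: no local gesture")
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	a.signCount++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], flagUserPresent|flagUserVerified, 0, 0, 0, 0) // 32-byte rpIdHash, flags, 4-byte counter
	binary.BigEndian.PutUint32(authData[33:], a.signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// Verify is the RP side; each rejection below is one property the post relies on.
func Verify(cred *StoredCredential, challenge, origin string, as *Assertion) error {
	var cd clientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("malformed client data, or wrong/reused challenge")
	}
	if cd.Origin != origin {
		return errors.New("signed for " + cd.Origin + ": relayed through a look-alike site")
	}
	if h := sha256.Sum256([]byte(cred.RPID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(h[:]) {
		return errors.New("authenticator data malformed or for a different relying party")
	}
	if f := as.AuthData[32]; f&flagUserPresent == 0 || f&flagUserVerified == 0 {
		return errors.New("user presence and verification not asserted")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= cred.SignCount {
		return errors.New("signature counter did not advance: replay or cloned key")
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	cred.SignCount = count
	return nil
}

func main() {
	auth, cred, _ := Register("account.microsoft.com")
	for _, origin := range []string{"https://account.microsoft.com", "https://account-microsoft.example"} {
		ch, _ := NewChallenge()
		as, _ := auth.Sign(ch, origin, true) // second origin: a look-alike site relaying the genuine challenge
		fmt.Println(origin, "->", Verify(cred, ch, "https://account.microsoft.com", as))
	}
}
```

Running it shows the genuine sign-in verifying and the relayed one rejected on the origin check, even though the attacker forwarded a perfectly valid challenge and the user completed the gesture. The counter check is what a relying party has against a cloned authenticator: a clone signs with the same key but its counter lags, so its assertion arrives with a value the server has already seen.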

Check out this article on our Identity Standards blog, which goes into all the technical details around the implementation.

What’s next

We have tons of great things coming out as part of our efforts to reduce and even eliminate the use of passwords. We are currently building the same sign-in experience from a browser with security keys for work and school accounts in Azure Active Directory. Enterprise customers will be able to preview this early next year, where they will be able to allow their employees to set up their own security keys for their account to sign in to Windows 10 and the cloud.

Furthermore, as more browsers and platforms start supporting the WebAuthn and FIDO2 standards, the password-less experience—available on Microsoft Edge and Windows today—will be hopefully available everywhere!

Stay tuned for more details early next year!

Best Regards,
Alex Simons (@Twitter: @Alex_A_Simons)
CVP of Program Management
Microsoft Identity Division

Brad Smith on the Paris Call: An important step toward peace and security in the digital world

Today, French President Emmanuel Macron launched a global effort among governments, businesses and civil society to protect and defend against threats to the digital infrastructure that runs our daily lives. We’re proud to be one of the 370 signatories of The Paris Call for Trust and Security in Cyberspace. This includes 51 governments from around the world, including all 28 members of the European Union and 27 of the 29 NATO members. It also includes key governments from other parts of the world, including Japan, South Korea, Mexico, Colombia and New Zealand.

The Paris Call is an important step on the path toward digital peace, creating a stronger foundation for progress ahead. It calls for strong commitments in support of clear principles and strong norms to protect citizens and civilian infrastructure from systemic or indiscriminate cyberattacks. Similarly, it calls for governments, tech companies and nongovernmental organizations (NGOs) to work together to protect our democracies and electoral processes from nation-state cyberthreats.

The Paris Call breaks new ground by bringing together to support these steps an unprecedented and broad array of supporters. Its signatories include more than 200 companies and business associations, including leading tech companies such as Microsoft, Google, Facebook, Intel, Ericsson, Samsung, Accenture, Fujitsu, SAP, Salesforce and Hitachi. Importantly, it also includes leading financial services institutions such as Citigroup, Mastercard, Visa, Deutsche Bank, as well as industrial leaders such as Nestle, Lufthansa and Schneider Electric. And it includes almost 100 critical NGOs that span groups across civil society.

All of this is important for a reason. Success in advancing cybersecurity requires an approach that is not only multinational, but multistakeholder in nature. This is because cyberspace, unlike the traditional planes of warfare like land, sea and air, is typically privately owned. Cyberspace in fact consists of concrete elements in the real world, such as datacenters, undersea cables, and laptops and mobile devices. These are designed and manufactured by private companies. And often they are owned and operated by tech companies and others in the private sector.

While the tech sector has the first and highest responsibility to protect this technology and the people who rely upon it, this is an issue that requires that governments, companies and civil society come together. That is the only effective way to protect people from what at times have become military-grade cybersecurity threats.

Increasingly, it is apparent that the people of the world appreciate this as well. This morning in Paris I announced that more than 100,000 individuals from more than 130 countries have now signed the petition calling for Digital Peace Now, spearheaded with Global Citizen. And like the signatories to the Paris Call, this number is continuing to grow.

Today’s announcements came as part of the Paris Peace Forum, an event commemorating the centennial of the Armistice that brought an end to the First World War. As was the case a century ago, the nature of technology and warfare is changing. A century ago, governments and human institutions failed to adapt to the changing world. This century, we need to do better. With the help of clear principles, strong protection and a growing multistakeholder coalition, we can build on today’s milestones and continue to provide the world the strong cybersecurity it deserves.

Top 10 security steps in Microsoft 365 that political campaigns can take today

The increasing frequency of cyberattacks makes clear that more must be done to protect key democratic institutions from cyber-enabled interference. With just a few weeks left before the U.S. midterm elections and early voting under way, campaigns must stay vigilant in protecting their online collaboration tools, including email, against cyberattacks. Microsoft recommends taking action today to protect against phishing, malware, account compromise, and other threats; see Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats. These recommendations are tailored for small to mid-sized political campaigns and election-focused stakeholders using Office 365 or Microsoft 365. Any organization, especially one without full-time IT security staff, can benefit from taking these actions.

This guidance provides step-by-step instructions for using 10 high-impact security capabilities. These actions help you implement many of the best practices recommended in the Cybersecurity Campaign Playbook, created by the Defending Digital Democracy program at Harvard Kennedy School’s Belfer Center for Science and International Affairs.

Top 10 cybersecurity recommendations:

  1. Set up two-step verification for all staff.
  2. Train campaign staff to quickly identify phishing attacks.
  3. Use dedicated accounts for administration.
  4. Raise the level of malware protection in mail.
  5. Protect against ransomware.
  6. Prevent emails auto-forwarding outside of the campaign.
  7. Increase encryption for sensitive emails.
  8. Protect your email from phishing attacks.
  9. Protect against malicious attachments in email.
  10. Protect against phishing attacks that include malicious website links in email or other files.

Read Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats for details on how to implement each action.

These recommendations are provided as part of Microsoft’s ongoing commitment to the Defending Democracy Program. Qualifying organizations using Office 365 can also enroll in Microsoft AccountGuard, which adds Microsoft’s threat detection and notification in case of targeted nation-state cyberattacks.