Tag: Security

It was a day like any other at the Taiwan office of Microsoft’s Digital Crimes Unit (DCU). Points of data from all corners of the internet flashed across a bank of monitors in a routine way. But then, an analyst spotted something unusual that he thought might be a new malware threat.

His suspicions proved right and triggered a landmark cybersecurity operation by law enforcement officers in Taiwan.

The DCU is at the forefront of Microsoft’s global commitment to protect customers and keep the internet safe. It shares multiple types of threat data — some in near-realtime — with public and private partners around the world.

Just like old-fashioned detectives searching for clues of wrongdoing, the DCU’s ranks of legal experts and analysts watch over our digital world.

They diligently monitor sophisticated intelligence-gathering dashboards and act fast when anything seems awry. It’s a constant 24/7 effort, and it paid off handsomely in Taiwan last August.

Botnet signals

Following DCU Taiwan’s initial observation, the team uncovered an unusual spike of botnet signals that had increased 100 times within one month. (A botnet is a network of computers and devices that a cybercriminal has infected with malicious software or malware. Once infected, criminals can control those computers and devices remotely and use them to commit crimes.)

The DCU team delved deeper by mapping more than 400,000 publicly available IPs and narrowed that information down to 90 suspicious IPs. An open data search of those 90 IPs further refined the analysis and revealed something alarming: One particular IP was associated with dozens of activities related to the distribution of malware, phishing emails, ransomware, and DDoS attacks.

To the team’s surprise, these activities correlated to as much as one terabyte (TB) of malicious content being sent out a week.

Working together

The DCU team alerted and briefed Taiwan’s Ministry of Justice Investigation Bureau (MJIB).

With the intelligence supplied by the DCU, MJIB agents tracked down the illegal VPN IP quickly and efficiently. They discovered that hidden accounts behind the illegal VPN were sending malware attacks from inside an office building in rural northern Taiwan.

Usually, cybercriminals use compromised PCs to launch cyberattacks. But this time, the source was identified as a LED light control console, a seemingly insignificant IoT device. The MJIB quickly shut it down and stopped it from spewing out more malware.

“This case marks a milestone. That’s because we were able to take down the IoT device and secure the breach to a limited range for those compromised computers in Taiwan, which is quite different from our previous global cooperation cases,” says Director Fu-Mei Wu, who leads the MJIB’s Information and Communication Security Division.

“Cyberattacks are getting increasingly serious. Through Microsoft’s efforts to gather intelligence and process data, we can investigate the perpetrators more efficiently, and further take legal action before criminals can get very far. This is a partnership based on mutual trust, and we are thankful that Microsoft is on our side.”

Ready or not, much of the world was thrust into working from home, which means more people and devices are now accessing sensitive corporate data across home networks. Defenders are working round the clock to secure endpoints and ensure the fidelity of not only those endpoints, but also identities, email, and applications, as people are using whatever device they need to get work done. This isn’t something anyone, including our security professionals, were given time to prepare for, yet many customers have been thrust into a new environment and challenged to respond quickly. Microsoft is here to help lighten the load on defenders, offer guidance on what to prioritize to keep your workforce secure, and share resources about the built-in protections of our products.

Attackers are capitalizing on fear. We’re watching them. We’re pushing back.

Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time. It’s overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they’re taking advantage of that. That’s why we’re seeing an increase in the success of phishing and social engineering attacks. Attackers don’t suddenly have more resources they’re diverting towards tricking users; instead they’re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click. Once we click, they can infiltrate our inboxes, steal our credentials, share more malicious links with coworkers across collaboration tools, and lie in wait to steal information that will give them the biggest payout. This is where intelligent solutions that can monitor for malicious activity across – that’s the key word – emails, identities, endpoints, and applications with built-in automation to proactively protect, detect, respond to, and prevent these types of attacks from being successful will help us fight this battle against opportunistic attackers.

Our threat intelligence teams at Microsoft are actively monitoring and responding to this shift in focus. Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we’re seeing a changing of lures, not a surge in attacks. Our intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment:

• Every country in the world has seen at least one COVID-19 themed attack (see map below). The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information grows. Our telemetry shows that China, the United States, and Russia have been hit the hardest.
• The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. We have observed 76 threat variants to date globally using COVID-19 themed lures (map below).
• Microsoft tracks thousands of email phishing campaigns that cover millions of malicious messages every week. Phishing campaigns are more than just one targeted email at one targeted user. They include potentially hundreds or thousands of malicious emails targeting hundreds or thousands of users, which is why they can be so effective. Of the millions of targeted messages we see each day, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs.
• While that number sounds very large, it’s important to note that that is less than two percent of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear. Attackers are impersonating established entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes. Here’s an example of what just one of these malicious emails looks like now compared to before the COVID-19 crisis:

• In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses. This again shows us that attackers are getting more aggressive and agile in the delivery of their attacks – using the same delivery methods, but swapping out the malicious URLs on a more frequent basis in an effort to evade machine learning protections.
• Microsoft Office 365 Advanced Threat Protection prevented a big phishing campaign that used a fake Office 365 sign-in page to capture credentials. Roughly 2,300 unique HTML attachments posing as COVID-19 financial compensation information were caught in 24 hours in this one campaign. We expect to see more campaigns that utilize the economic fear from lost income, as governments widen the mandatory shutdown of their economies and stimulus funds begin to be issued in the U.S.
• Several advanced persistent threat and nation-state actors have been observed targeting healthcare organizations and using COVID-19-themed lures in their campaigns. We continue to identify, track, and build proactive protections against these threats in all of our security products. When customers are affected by these attacks, Microsoft notifies the customer directly to help speed up investigations. We also report malicious COVID-19-themed domains and URLs to the proper authorities so that they can be taken down, and where possible, the individuals behind them prosecuted.

Relative impact of COVID-19 themed attacks across the world by file count (as of April 7, 2020)

From endpoints and identities to the cloud, we have you covered

While phishing email is a common attack vector, it’s only one of the many points of entry for attackers. Defenders need a much broader view and solutions for remediation than visibility into just one entry method. An attacker’s primary goal is to gain entry and expand across domains so they can persist in an organization and lie in wait to steal or encrypt as much sensitive information as they can to reap the biggest payout. Defenders require visibility across each of these domains and automated correlation across emails, identities, endpoints, and cloud applications to see the full scope of compromise. Only with this view can defenders adequately remediate affected assets, apply Conditional Access, and prevent the same or similar attacks from being successful again.

During this trying time, we want to remind our customers what protections you have built into our products and offer guidance for what to prioritize:

• Protect endpoints with Microsoft Defender ATP, which covers licensed users for up to five concurrent devices that can be easily onboarded at any time. Microsoft Defender ATP monitors threats from across platforms, including macOS. Our tech community post includes additional guidance, best practices, onboarding, and licensing information.
• Enable multi-factor authentication (MFA) and Conditional Access through Azure Active Directory to protect identities. This is more important than ever to mitigate credential compromise as users work from home. We recommend connecting all apps to Azure AD for single sign-on – from SaaS to on-premises apps; enabling MFA and applying Conditional Access policies; and extending secure access to contractors and partners. Microsoft also offers a free Azure AD service for single sign-on, including MFA using the Microsoft Authenticator app.
• Safeguard inboxes and email accounts with Office 365 ATP, Microsoft’s cloud-based email filtering service, which shields against phishing and malware, including features to safeguard your organization from messaging-policy violations, targeted attacks, zero-days, and malicious URLs. Intelligent recommendations from Security Policy Advisor can help reduce macro attack surface, and the Office Cloud Policy Service can help you implement security baselines.
• Microsoft Cloud App Security can help protect against shadow IT and unsanctioned app usage, identify and remediate cloud-native attacks, and control how data travels across cloud apps from Microsoft or third-party applications.

Microsoft Threat Protection correlates signals from across each of these domains using Azure ATP, Microsoft Defender ATP, Office 365 ATP, and Microsoft Cloud App Security, to understand the entire attack chain to help defenders prioritize which threats are most critical to address and to auto-heal affected user identities, email inboxes, endpoints, and cloud apps back to a safe state. Our threat intelligence combines signals from not just one attack vector like email phishing, but from across emails, identities, endpoints, and cloud apps to understand how the threat landscape is changing and build that intelligence into our products to prevent attack sprawl and persistence. The built-in, automated remediation capabilities across these solutions can also help reduce the manual workload on defenders that comes from the multitude of new devices and connections.

Azure Sentinel is a cloud-native SIEM that brings together insights from Microsoft Threat Protection and Azure Security Center, along with the whole world of third-party and custom application logs to help security teams gain visibility, triage, and investigate threats across their enterprise. As with all Microsoft Security products, Azure Sentinel customers benefit from Microsoft threat intelligence to detect and hunt for attacks. Azure Sentinel makes it easy to add new data sources and scale existing ones with built-in workbooks, hunting queries, and analytics to help teams identify, prioritize, and respond to threats. We recently shared a threat hunting notebook developed to hunt for COVID-19 related threats in Azure Sentinel.

Cloud-delivered protections are a critical part of staying up to date with the latest security updates and patches. If you don’t already have them turned on, we highly recommend it. We also offer advanced hunting through both Microsoft Threat Protection and Azure Sentinel.

We’ll keep sharing and protecting – stay tuned, stay safe

Remember that we at Microsoft are 3,500 defenders strong. We’re very actively monitoring the threat landscape, we’re here to help: we’re providing resources, guidance, and for dire cases we have support available from services like the Microsoft Detection and Response (DART) team to help investigate and remediate.

All of our guidance related to COVID-19 is and will be posted here. We will continue to share updates across channels to keep you informed. Please stay safe, stay connected, stay informed.

THANK YOU to our defenders who are working tirelessly to keep us secure and connected during this pandemic.

-Rob and all of us from across Microsoft security

To stay up to date with verified information on the COVID-19 crisis, the following sites are available:

As a security advisor working with one to three Chief Information Security Officers (CISOs) each week, the topic of identity comes up often. These are smart people who have often been in industry for decades. They have their own vocabulary of acronyms that only security professionals know such as DDoS, CEH, CERT, RAT, and 0-Day (if you don’t know one or several of these terms, I encourage you to look them up to build your vocabulary), but they often find themselves confused by Microsoft’s own set of acronyms.

This is the first in a blog series that aims to lessen some confusion around identity by sharing with you some of the terms used at Microsoft. Terms like MFA, PIM, PAM, MIM, MAM, MDM, and a few others. What do they mean and how do they relate to each other?

Multi-Factor Authentication or MFA

Let’s start with what identity means to Microsoft. Identity is the ability to clearly and without doubt ensure the identification of a person, device, location, or application. This is done by establishing trust verification and identity verification using what Microsoft calls Multi-Factor Authentication or MFA. This is a combination of capabilities that allow the entity to establish trust and verify who or what they are.

MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: something the user and only the user knows (such as a password or PIN), something the user and only the user has (such as a mobile device or FIDO key), and something the user and only the user is (a biometric such as a fingerprint or iris scan).

Microsoft does this with technologies such as Azure Active Directory (Azure AD) in the cloud combined with Windows Hello. Azure AD is Microsoft’s identity and access management solution. Windows Hello is a Windows capability that allows a user to verify who they are with an image, a pin, or other biometric. The person’s identity is stored via an encrypted hash in the cloud, so it’s never shared in the clear (unencrypted). A cryptographic hash is a checksum that allows someone to proof that they know the original input (e.g., a password) and that the input (e.g., a document) has not been modified.

Privileged Identity Management or PIM

What is Privileged Identity Management or PIM? Organizations use PIM to assign, activate, and approve privileged identities in Azure AD. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to sensitive resources.

Key features of PIM include:

• Just-in-time privileged access to Azure AD and Azure resources.
• Time-bound access to resources.
• An approval process to activate privileged roles.
• MFA enforcement.
• Justification to understand why users activate.
• Notifications when roles are activated.
• Access reviews and internal and external audit history.

Privileged Access Management or PAM

What is Privileged Access Management or PAM? Often confused with PIM, PAM is a capability to help organizations manage identities for existing on-premises Active Directory environments. PAM is an instance of PIM that is accessed using Microsoft Identity Manager or MIM. Confused? Let me explain.

PAM helps organizations solve a few problems including:

• Making it harder for attackers to penetrate a network and obtain privileged account access.
• Adding protection to privileged groups that control access to domain-joined computers and the applications on those computers.
• Providing monitoring, visibility, and fine-grained controls so organizations can see who their privileged admins are and what they are doing.

PAM gives organizations more insight into how admin accounts are being used in the environment.

Microsoft Identity Manager or MIM

But I also mentioned MIM… What is this? Microsoft Identity Manager or MIM helps organizations manage the users, credentials, policies, and access within their organizations and hybrid environments. With MIM, organizations can simplify identity lifecycle management with automated workflows, business rules, and easy integration with heterogenous platforms across the datacenter. MIM enables Active Directory to have the right users and access rights for on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Office 365 and cloud-hosted apps.

OK, so now we know that:

• PIM is a capability to help companies manage identities in Azure AD.
• PAM is an on-premises capability to manage identities in Active Directory.
• MIM helps organizations manage users, credentials, policies, and on-premises access.

Mobile Application Management or MAM

What’s left… Oh yes: Mobile Application Management or MAM. MAM is important because if organizations can only manage identities—but not the apps then they miss a key aspect of protecting data. MAM is connected to a Microsoft capability called Microsoft Intune and is a suite of management features to publish, push, configure, secure, monitor, and update mobile apps for users.

MAM works with or without enrollment of the device, which means organizations can protect sensitive data on almost any device using MAM-WE (without enrollment). If organizations enable MFA, they can verify the user on the device. MAM also helps manage that apps the trusted user or entity can access. If you add in the Mobile Device Management or MDM feature of Intune, you can force enrollment of devices and then use MAM to manage the apps.

It’s well known that Microsoft has a lot of acronyms. This is the first in a series of blog posts aimed to assist you in navigating the acronym forest created by companies and industry. The Microsoft Platform includes a powerful set of capabilities to help encourage users to make the right decisions and gives security leadership, like you, the ability to manage and monitor identities and control access to critical files and network assets.

Another RSA Conference (RSAC) and another big year for the Microsoft Intelligent Security Association (MISA). MISA was launched at RSAC 2018 with 26 members and a year later we had doubled in size to 53 members. Today, I am excited to share that the association has again doubled in size to 102 members.

New members expand the portfolio of MISA integrations

Our new members include a number of ecosystem partners, like RSA, ServiceNow, and Net Motion, which have developed critical integrations that benefit our shared customers and we look forward to deepening our relationship through MISA engagement.

New MISA member RSA is now using Azure Active Directory’s risky user data and other Microsoft security signals to enrich their risk score engine. Additionally, RSA also leverages the Graph Security API to feed their SIEM solution, RSA NetWitness with alerts from the entire suite of Microsoft Security solutions.

 “RSA is excited to showcase the RSA SecurID and RSA NetWitness integrations with Microsoft Security products. Our integrations with Microsoft Defender ATP, Microsoft Graph Security API, Azure AD, and Microsoft Azure Sentinel, help us to better secure access to our mutual customer’s applications, and detect threats and attacks. We’re excited to formalize the long-standing relationship through RSA Ready and MISA to better defend our customers against a world of increasing threats.”
—Anna Sarnek, Head of Strategic Business Development, Cloud and Identity for RSA

The ServiceNow Security Operations integration with Microsoft Graph Security API enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats generated by all Microsoft Security Solutions and custom alerts from Azure Sentinel.

“ServiceNow is pleased to join the Microsoft Intelligent Security Alliance to accelerate security incident response for our shared customers. The ServiceNow Security Operations integration with Azure Sentinel, via the graph security API, enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats.”
—Lou Fiorello, Head of Security Products for ServiceNow

Microsoft is pleased to welcome NetMotion, a connectivity and security solutions company for the world’s growing mobile workforce, into the security partner program. Using NetMotion’s class-leading VPN, customers not only gain uncompromised connectivity and feature parity, they benefit from a VPN that is compatible with Windows, MacOS, Android and iOS devices. For IT teams, NetMotion delivers visibility and control over the entire connection from endpoint to endpoint, over any network, through integration with Microsoft Endpoint Manager (Microsoft Intune).

“NetMotion is designed from the ground up to protect and enhance the user experience of any mobile device. By delivering plug-and-play integration with Microsoft Endpoint Manager, the mobile workforce can maximize productivity and impact without any disruption to their workflow from day one. For organizations already using or considering Microsoft, the addition of NetMotion’s VPN is an absolute no-brainer.”
—Christopher Kenessey, CEO of NetMotion Software

Expanded partner strategy for Microsoft Defender Advanced Threat Protection (ATP)

The Microsoft Defender ATP team worked with our ecosystem partners to take their rich and complete set of APIs a step further to extend the power of our combined platforms. This helps customers strengthen their network and endpoint security posture, add continuous security validation and attack simulation testing, orchestrate and automate incident correlation and remediation, and add threat intelligence and web content filtering capabilities. Read Extending Microsoft Defender ATP network of partners to learn more about their partner strategy expansion and their open framework philosophy.

New product teams join the association

In addition to growing our membership, MISA expanded to cover 12 of Microsoft’s security solutions, including our latest additions: Azure Security Center for IoT Security and Azure DDoS.

Azure Security Center for IoT Security announces five flagship integration partners

The simple onboarding flow for Azure Security Center for IoT enables you to protect your managed and unmanaged IoT devices, view all security alerts, reduce your attack surface with security posture recommendations, and run unified reports in a single pane of glass.

Through partnering with members like Attivo Networks, CyberMDX, CyberX, Firedome, and SecuriThings, Microsoft is able to leverage their vast knowledge pool to help customers defend against a world of increasing IoT threats in enterprise. These solutions protect managed and unmanaged IoT devices in manufacturing, energy, building management systems, healthcare, transportation, smart cities, smart homes, and more. Read more about IoT security and how these five integration partners are changing IoT security in this blog.

Azure DDoS Protection available to partners to combat DDoS attacks

The first DDoS attack occurred way back on July 22, 1999, when a network of 114 computers infected with a malicious script called Trin00 attacked a computer at the University of Minnesota, according to MIT Technology Review. Even after 20 years DDoS continues to be an ever-growing problem, with the number of DDoS attacks doubling in the last year alone and the types of attacks getting increasingly sophisticated with the explosion of IoT devices.

Azure DDoS Protection provides countermeasures against the most sophisticated DDoS threats. The service provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Technology partners can now protect their customers’ resources natively with Azure DDoS Protection Standard to address the availability and reliability concerns due to DDoS attacks.

“Extending Azure DDoS Protection capabilities to Microsoft Intelligent Security Association will help our shared customers to succeed by leveraging the global scale of Azure Networking to protect their workloads against DDoS attacks”
—Anupam Vij, Principal Product Manager, Azure Networking

Learn more

To see MISA members in action, visit the Microsoft booth at RSA where we have a number of our security partners presenting and demoing throughout the week. To learn more about the Microsoft Intelligent Security Association, visit our webpage or the video playlist of member integrations. For more information on Microsoft security solutions, visit our website.

Today Azure Sphere—Microsoft’s integrated security solution for IoT devices and equipment—is widely available for the development and deployment of secure, connected devices. Azure Sphere’s general availability milestone couldn’t be timelier. From consumer device hacking and botnets to nation state driven cyberterrorism, the complexity of the landscape is accelerating. And as we expand our reliance on IoT devices at home, in our businesses and even in the infrastructure that supports transit and utilities, cybersecurity threats are increasingly real to individuals, businesses and society at large.

From its inception in Microsoft Research to general availability today, Azure Sphere is Microsoft’s answer to these escalating IoT threats. Azure Sphere delivers quick and cost-effective device security for OEMs and organizations to protect the products they sell and the critical equipment that they rely on to drive new business value.

To mark today’s general availability milestone, I sat down with Galen Hunt, distinguished engineer and product leader of Azure Sphere to discuss the world of cybersecurity, the threat landscape that businesses and governments are operating in, and how Microsoft and Azure Sphere are helping organizations confidently and securely take advantage of the opportunities enabled by IoT.

 

ANN JOHNSON: Let me start by asking about a comment I once heard you make, where you refer to the internet as “a cauldron of evil.” Can you give us a little insight into what you mean?

GALEN HUNT: Well, I actually quote James Mickens. James is a former colleague at Microsoft Research, and he’s now a professor at Harvard. Those are his words, the idea of the internet being a cauldron of evil. But I love it, because what it really captures is what the internet really is.

The internet is a place of limitless potential, but when you connect a device to the internet, you’re also creating a two-way street; anybody can come in off the internet and try to attack you.

Everything from nation states to petty criminals to organized crime is out there, operating on the internet. As we think about IoT—which is my favorite topic—being aware of the dangers is the first step to being prepared to address them.

ANN JOHNSON: When you’re thinking about folks that are in charge of security organizations, or even folks who have to secure the environment for themselves, what do you view as the biggest threats, and also the biggest opportunities for companies like Microsoft to address those threats?

GALEN HUNT: I think the biggest threat is—and I’m coming at this from the IoT side of things—as we’re able to connect every single device in an enterprise or every single device in a home to the internet, there’s real risk. By compromising those devices, someone can invade our privacy, they can have access to our data, they can manipulate our environment. Those are real risks.

In the traditional internet, the non-Internet-of-Things internet, the damage that could be done was purely digital. But in a connected IoT environment, remote actors are able to affect or monitor not just the digital environment but also the actual physical environment. So that creates all sorts of risks that need to be addressed.

In response, the power that a company like Microsoft can bring is our deep experience in internet security. We’ve been doing it for years. We can help other organizations leverage that experience. That’s a tremendous opportunity we have to help.

ANN JOHNSON: So, with that, walk us through what Azure Sphere is—how do you see our customers and our partners leveraging the technology?

GALEN HUNT: There are four components to Azure Sphere: three of them are powered by technology and one of them is powered by people. Those components combine to form an end-to-end solution that allows any organization that’s building or connecting devices to have the very best of what we know about making internet-connected devices secure.

Let’s talk about the four components.

The first of the three technical components is the certified chips that are built by our silicon partners, they have the hardware root of trust that Microsoft created. These are chips that provide a foundation of security, starting in the silicon itself, and provide connectivity and compute power for these devices.

The second technical component of Azure Sphere is the Azure Sphere operating system. This runs on the chips and creates a secure software environment.

The third technical component is the cloud-based Azure Sphere security service. The security service connects with every single Azure Sphere chip, with every single Azure Sphere operating system, and works with the operating system and the chip to keep the device secured throughout its lifetime.

ANN JOHNSON: So, you’ve got hardware, software, and the cloud, all working together. What about the human component?

GALEN HUNT: The fourth component of Azure Sphere is our people and all their security expertise. Our team provides ongoing security monitoring of Azure Sphere devices and, actually, of the full ecosystem. As we identify new types of attacks and new emerging security vulnerabilities, we will upgrade our operating system and the cloud services to mitigate against those new kinds of attacks. Then we will deploy updates to every Azure Sphere-based device, globally. So, we’re providing ongoing support, and ongoing security improvements for those devices.

ANN JOHNSON: I want to make this real for folks. Walk me through a use case; where would somebody actually implement and use Azure Sphere? How does their infrastructure or architecture fit in?

GALEN HUNT: Okay, let’s start with a device manufacturer. They say, okay we’re going to create a new device, and we want to have that device be an IoT device. We want it to connect to the internet, so it can be integrated into an organization’s digital feedback loop. And so, they will buy a chip, an Azure Sphere-based microcontroller or SoC, which will serve as the primary processing component, and they build that into their device. The Azure Sphere chip provides the compute power and secured connectivity.

Now, of course not everybody is building a brand-new device from scratch. There are a lot of existing devices out there that are very valuable. Sometimes they’re too valuable to take on the risk of connecting them and exposing them to the internet. One of the things we’ve developed during the Azure Sphere preview period is a new class of device that we call a “guardian module.” The guardian module is a very small device—no larger than the size of a deck of cards—built around an Azure Sphere chip. An organization interested in connecting existing devices can connect through the guardian module and pull data from that existing device and securely connect it to the cloud. The guardian modules, powered by Azure Sphere, are a way to add highly secure connectivity—even to existing devices—that’s protected by Microsoft.

ANN JOHNSON: Interesting, it solves a pretty big problem with device security, especially as we continue to see a massive proliferation of devices in our environment, most of which are unmanaged. What do you think is slowing the broad adoption of security related to connected devices?

GALEN HUNT: Well, there are a couple of things. I think the biggest barrier, up until now, has been the lack of an end-to-end solution. For companies that have had aspirations to build or to buy highly secured devices, each device has been a one-off. Customers have had to completely build a unique solution for each device, and that just takes an incredible amount of expertise and hard work.

The other obstacle I’ve found is that organizations realize that they need secure devices, but they just don’t know where to begin. They don’t know what they should be looking for, from a device security perspective. There’s a bit of a temptation to look for a security feature checklist instead of really understanding what’s required to have a device that’s highly secured.

ANN JOHNSON: I know you’ve given this a lot of consideration and your background gives you a deeper view into what it takes to secure devices. You wrote a paper on the seven properties of highly secure devices, based on a lot of research you’ve done on the topic. How did you coalesce on the seven properties and how customers can implement them securely?

GALEN HUNT: Yes, I’m a computer scientist, and for over 15 years I ran operating systems research in Microsoft Research. About five years ago, someone walked into my office with a schematic, or a floor map, of a brand new—actually, still under development—microcontroller. This was actually the very first of a new class of a microcontroller.

A microcontroller, for anybody who is not familiar, is a single-chip computer that has processer, and storage, memory, and IoT capabilities. Microcontrollers are used in everything from toys, to appliances, even industrial equipment. Well, this was the first time I had seen a microcontroller, a programmable microcontroller, with the physical capabilities required to be able to connect to the internet—built in—and at a price point that was just a couple of dollars.

When I looked at this thing, I realized that for the price of a cup of coffee, anything on the planet that had electricity could be turned into an internet device. I realized I was looking at the fifth generation of computing, and that was a terribly exciting thought. But the person who had come into my office was asking, what kind of code should we run on this so that it would be secure if we did want to build internet-connected devices with it?

And what I realized, really quickly, was that even though it had some great security features, it lacked much of what was required to build a secure device from a software perspective, and that set me off on journey. I imagined this dystopian future where there are nine billion new insecure devices being added to the world’s population, every year.

ANN JOHNSON: Sure, the physical risks of device hacking make nine billion insecure IoT devices a daunting thought.

GALEN HUNT: Well for me, that was a really scary thought. And as a scientist, I said, well we know that Microsoft and our peer companies have built devices that have been out on the internet. They’ve been connected for at least a five-year period and have withstood relentless attacks from hackers and other ne’er-do-wells. The driving question of our next phase of work was: why are some devices highly secure, and what is it that separates them?

And we did a very scientific study of finding these secure devices and trying to figure out the qualities and the properties that they had in common, and this led to our list of these seven properties. We published that paper, which then led to more experiments.

Now, the devices we found that had these seven properties were devices that had hundreds of dollars in electronics in them, and, you know, that’s not going to scale to every device on the planet. You’re not going to be able to add hundreds of dollars of electronics to every device on the planet, like a light bulb, in order to get security.

Then we wondered if we could build a very, very small and a very, very economical solution that contained all seven properties. And that’s what ultimately led us to Azure Sphere. It’s a solution that, really, for just a few dollars, any company can build a device that is highly secured.

ANN JOHNSON: So, the device itself is highly secured; it has all these built-in capabilities, but one of the biggest problems our customers face is fundamentally a talent shortage, right? Is there something that we’re inherently doing here, with Azure Sphere, that could make it easier for customers?

GALEN HUNT: Yes. Fundamentally what we’re trying to do is create a scalable solution, and it is Microsoft talent that helps these companies create these highly secure devices. There’s something like a million-plus openings in the field of security professionals. Globally there’s a huge talent shortage.

With Azure Sphere we allow a company that doesn’t have really deep security expertise to draft off of our security talent. There are a few areas of expertise that one has to have in order to build a highly-secure device with similar capabilities to Azure Sphere.

Sometimes I’ll use the words technology, talent, and tactics. You have to have the technical expertise to actually build a device that has a high degree of security in it. Not just a device with a checklist of features, but with true integration across all components for gap-free security. Then, once the device is built and deployed out into the wild, you need the talent to fight the ongoing security battle. That talent is watching for and detecting emerging security threats and coding up mitigations to address them. And finally, you’ll have to scale out those updates to every device. That’s a really deep set of expertise, talent, and tactics and, for the most part, it’s very much outside of what many companies know how to do.

When building on top of Azure Sphere, instead of staffing or developing all of this expertise outside of their core business, organizations can instead outsource that to Microsoft.

ANN JOHNSON: That’s a really great way to put it. It also gives you that end-to-end security integration, right? Because I would imagine Azure Sphere is going to integrate with all of Microsoft’s infrastructure and services?

GALEN HUNT: In building Azure Sphere, we leveraged pretty deeply a lot of expertise and a lot of talent that we have at Microsoft. Take, for example, the infrastructure that we use to scale out the deployment of new updates. We leveraged the infrastructure that Microsoft created for the Windows update service—and, our operating system is much, much smaller than Windows. So now we have the capability to update billions of devices, globally, per hour. We also have a place where we can tie Azure Sphere into the Azure Security Center for IoT.

We also really drew on all of the expertise around Visual Studios for very scalable software development. We brought that power even to the smaller microcontroller class devices.

And the hardware root of trust that we put inside of every single Azure Sphere chip. That hardware root of trust is not something that we just created, just woke up one day and said, hey, let’s build a hardware root of trust from scratch. We actually built it based on our learning from the Xbox console.

The Xbox console, over 15 years has made three huge generational leaps. Those consoles can live in hostile environments—from a digital security perspective and a physical security perspective. So, we’ve taken everything we’ve learned about how to make those devices highly secured and applied it to building the hardware root of trust inside Azure Sphere. These are some of the ways that we’re really leveraging a lot of Microsoft’s deep expertise.

ANN JOHNSON: Today, marks the general availability of Azure Sphere—which I’m super excited about, by the way! But I know you’ve been thinking for a long time about how we solve some of these bigger problems, particularly the explosion of IoT, and how customers are going to have to think about that within the next two, to three, to five, to ten years from now. What are the challenges you see ahead for us, and what are the benefits our customers will be able to realize?

GALEN HUNT: We’re excited as well—it’s a huge milestone for the team. Even at this point, at GA, we’re only at the beginning of our real journey with our customers. One of our immediate next steps is scaling out the silicon ecosystem. MediaTek is our first silicon partner. Their MT3620 chip is available in volume today, and it’s the perfect chip, especially for guardian modules and adding secure connectivity to many, many devices.

With microcontrollers, there are many, many verticals. They range in everything from toys to home appliances, to big industrial equipment. And no single chip scales across that entire ecosystem effectively, so we’ve engaged other silicon partners. In June, NXP, the world’s number one microcontroller manufacturer, announced their timeline for their very first Azure Sphere chip. And that chip will add much larger compute capabilities. For example, they’ll do AI, and vision, and graphics, and more sophisticated user interfaces. And then in October, Qualcomm announced that they’ll build the very first cellular native Azure Sphere chip.

The other place we see ourselves growing is in adding more enterprise readiness features. As we’ve engaged with some of our early partners, for example, Starbucks, and have helped them deploy Azure Sphere across their stores in North America, we’ve realized that there’s a lot we can do to really help integrate Azure Sphere better with existing enterprise systems to make that very, very smooth.

ANN JOHNSON: There’s a lot of noise about tech regulations, certainly about IoT and different device manufacturing procedures. How are we thinking about innovation in the context of balancing it with regulation?

GALEN HUNT: So, let’s talk about innovation and regulation. There are times when you want to step out of the way and just let people innovate as much as possible. And then there are times as an industry, or as a society we want to make sure we establish a baseline.

Take food safety, for example. The science of food safety is very well established. Having regulations makes sure that no one cuts corners on safety for the sake of economic expediency. Most countries have embraced some kind of regulations around food safety.

IoT is another industry where it’s in everybody’s favor that all devices be secure. If consumers and enterprises can know that every device has a strong foundation of security and trustworthiness, then they’ll be more likely to buy devices, and build devices, and deploy devices.

And so I really see it as an opportunity whereby collectively and, with governments encouraging baseline levels of security, agreeing on a strong foundation of security we’ll all feel confident in our environment, and that’s really a positive thing for everybody.

ANN JOHNSON: That’s really a great perspective, and I think that we’ve always been that way at Microsoft, right? We view regulation in a positive way and thinking that it needs to be the right regulation across a wide variety of things that we’re doing, whether it be AI, just making sure that it’s being used for ethical use cases.

Which brings me to that last-wrap question, what’s next, what are your next big plans, what’s your next big security disruption?

GALEN HUNT: We recently announced new chips from NXP and Qualcomm, we’ll continue our focus on expanding our silicon and hardware ecosystem to deliver more choice for our customers. And then beyond that, our next big plan is to take Azure Sphere everywhere. We’ve demonstrated it’s possible, but I think we’re just starting to scratch the surface of secured IoT. There’s so much ability for innovation, and the devices that people are building, and the way that we’re using devices. When we’re really able to close this digital feedback loop and really interact between the digital world and the physical world, it’s just a tremendous opportunity, and so that’s where I’m going.

ANN JOHNSON: Excellent, well, I really appreciate the conversation. Azure Sphere is a great example of the notion that while cybersecurity is complex, it does not have to be complicated. Azure Sphere helps our customers overcome today’s complicated IoT security challenges. Thank you, Galen, for some great insights into the current IoT security landscape and how Microsoft and Azure Sphere are advancing IoT device security with the broad availability of Azure Sphere today.

If you are interested in learning more about how Azure Sphere can help you securely fast track your next IoT innovation.

About Ann Johnson and Galen Hunt

Ann Johnson is the Corporate Vice President of the Cybersecurity Solutions Group at Microsoft where she oversees the go-to-market strategies of cybersecurity solutions. As part of this charter, she leads and drives the evolution and implementation of Microsoft’s short- and long-term security, compliance, and identity solutions roadmap with alignment across the marketing, engineering, and product teams.

Prior to joining Microsoft, her executive leadership roles included Chief Executive Officer of Boundless Spatial, President and Chief Operating Officer of vulnerability management pioneer Qualys, Inc., and Vice President of World Wide Identity and Fraud Sales at RSA Security, a subsidiary of EMC Corporation.

Dr. Galen Hunt founded and leads the Microsoft team responsible for Azure Sphere. His team’s mission is to ensure that every IoT device on the planet is secure and trustworthy. Previously, Dr. Hunt pioneered technologies ranging from confidential cloud computing to light-weight container virtualization, type-safe operating systems, and video streaming. Dr. Hunt was a member of Microsoft’s founding cloud computing team.

Dr. Hunt holds over 100 patents, a B.S. degree in Physics from University of Utah and Ph.D. and M.S. degrees in Computer Science from the University of Rochester.

If an employee who recently gave two weeks’ notice starts downloading large numbers of files from the company network and copying them to a thumb drive, it is entirely possible that he or she has no malicious intent. The employee could be saving innocuous files related to their employment record or examples of marketing pieces they created.

However, in a small number of cases, the employee could be attempting to take confidential product designs, sensitive legal information, private employee data or trade secrets with them to a rival company.

It can be difficult for a company to even spot these “insider risks,” much less distinguish between routine behavior and the outlier that could destroy a company’s competitive advantage or reputation.

That’s why Microsoft is offering a new Insider Risk Management solution within Microsoft 365 that uses machine learning to intelligently detect potentially risky behavior within a company. It also quickly identifies which activities are most likely to pose real security threats, even inadvertently.

Because mistakes are a larger source of actual risk than insider attacks, the solution was designed to help employees make the right choices and avoid common security lapses. To be effective, engineers knew, the solution also had to help people do their jobs rather than slow them down.

“Fundamentally, a company’s employees are usually trying to do the right thing,” said Bret Arsenault, Microsoft’s chief information security officer and corporate vice president. “But sometimes intention is different than outcome.”

A couple of years ago, the security threats keeping Arsenault awake at night weren’t limited to hackers, cybercriminals or nation state attacks that Microsoft employs a small army of experts and leading-edge technologies to thwart. He increasingly worried about the potential risks, largely unintentional but occasionally malicious, from employees who already have easy access to a company’s most sensitive information.

For instance, that could include someone who inadvertently keeps sensitive information in a folder that’s searchable to anyone in the company, making it vulnerable to theft. Or the person who just hits the wrong button and mistakenly emails a highly confidential document outside the company.

In a recent survey of cybersecurity professionals, 90 percent of organizations indicated that they felt vulnerable to insider risk, and two-thirds considered malicious insider attacks or accidental breaches more likely than external attacks. More than half of organizations reported that they had experienced an insider attack in the past year, according to an insider threat report from Crowd Research Partners.

“In the security industry there has been a disproportionate amount of focus on external adversaries,” Arsenault said. “But with thousands of employees logging into a company’s systems every day, the threat of users — whether with inadvertent or malicious intent — may be a higher risk scenario. And that’s when we realized we needed to expand our focus.”

Arsenault tasked engineers from his security team and Microsoft 365 with creating a solution that leverages machine learning to intelligently detect and prevent internal security breaches, and to eventually turn that into a solution for customers. But it had to be designed with Microsoft core principles in mind: respecting employee privacy, assuming positive intent at the outset and encouraging the free flow of information and collaboration within a company.

The Insider Risk Management solution combines the massive array of signals from Microsoft 365 productivity tools, Windows operating systems and Azure cloud services with machine learning algorithms that can identify anomalous and potentially risky behavior from people using those products.

Product engineers worked closely with internal security analysts, human resources and other experts within Microsoft — and consulted with workers’ advocates in countries that share Microsoft’s strong commitment to privacy — to ensure the solution struck the right balance in respecting employees’ privacy and workflows.

“We knew that insider risk was becoming a more pervasive and expensive challenge, but also that we had to have an entirely different lens for addressing it,” said Erin Miyake, Microsoft’s senior program manager for insider threats, who worked with human resources, compliance and product experts to develop the new solution.

To start, you’re looking at people who already have access to company assets as part of their jobs, so it’s harder to detect, she said.

Then, because you’re analyzing activity from people who are already in your workforce, it’s essential to balance risk management with company culture, privacy, fairness and compliance needs. Those considerations simply don’t come up when you’re protecting a company from faceless cybercriminals in distant countries, said Talhah Mir, principal project manager in the Microsoft 365 security and compliance team.

“Employees absolutely should have access to the things they need for their jobs and shouldn’t feel unnecessary friction,” Mir said. “This is really about taking all these signals that already exist in the background and reasoning over it at scale with machine learning to find that thread in that sea of information that identifies possibly suspicious activities.”

All initial reports of unusual behavior in the Insider Risk Management system can be anonymized at the outset — to protect reputations and prevent any bias from creeping into the process. But because data signals only get you so far, the tool also offers a collaboration platform for investigators, human resource experts or business managers to determine whether the unusual behavior might be malicious or just something outside a person’s normal workflow.

Microsoft engineers working on the Insider Risk Management solution consulted with internal legal and human resources departments to delineate what thresholds would need to be met within Microsoft for anyone involved in an investigation to take necessary next steps.

“The system doesn’t pass any judgment or assume ill intent,” Mir said. “If there is an anomaly, you start from the place that the end user is probably just trying to get their job done, but we’re still going to trust and verify.”

The new solution uses machine learning algorithms to look for patterns of unusual and potentially risky behavior, which might be downloading hundreds of sensitive files from a SharePoint site, copying files to a USB device, disabling security software or emailing sensitive files outside of the company. It leverages Microsoft Graph and other services to look for anomalous signals across Windows, Azure and Office products such as SharePoint, OneDrive, Teams and Outlook.

None of those activities are inherently threatening, as employees do these things each day as part of their jobs. But the patterns become more meaningful as the system draws information from other sources, such as classification and labeling tools offered in Office 365 that can be used to flag sensitive documents and datasets.

That allows the algorithms to begin to distinguish between the risks posed by the employee who might be downloading uncontroversial presentations or documents — perhaps because they’re about to embark on a sales trip — and the employee who’s downloading highly confidential designs for a product under development.

The system can also indicate if downloaded files contain customer banking or credit card information, which would be a red flag for would-be identity theft. And, with the proper permissions, an analyst can see the content of downloaded files to further assess how harmful an outside leak of that information might be.

The Insider Risk Management solution can also plug into third-party human resources software, for instance, to bring in other pertinent data, such as whether an employee has recently resigned.

The algorithms factor in all of that information and assign each unusual activity a numerical “risk score,” which helps people tasked with managing insider risk to easily see where they need to focus additional attention.

That mirrors solutions such as the Azure Secure Score and Azure Security Center, which help Microsoft customers protect their data stored in the cloud by monitoring for, identifying and prioritizing the most serious security vulnerabilities. That could include mistakes in the way a customer configures a firewall that could allow a hacker to gain access and reflects the shared responsibility that both enterprises and cloud providers have to protect data in the cloud from all threats.

Microsoft’s own digital risk security team initially developed the insider risk machine learning algorithms as part of its own in-house solution to better detect potential insider risks from the data that’s already generated by its 150,000 employees around the world. The anomaly detection — which uses audit logs from existing tools — is part of a long line of technologies that have enabled the company to provide better security in ways that are relatively frictionless for employees, Arsenault said.

Among the most common and powerful attack vectors we have seen are those that exploit the daily tradeoff users make between security and productivity. Often, this can be as simple as a document hiding an exploit or a malicious link.

As an industry, we’re used to thinking of security and productivity in tension with each other. Security teams focus on blocking capabilities and reducing access to limit risk; users create workarounds or ignore policies to get their jobs done. Organizations may respond to increasing security threats by layering multiple security point solutions on top of each other, often increasing the complexity security teams manage while encouraging users to look for even more workarounds.

We don’t think this has to be the case.

Today, we‘re announcing two new Microsoft 365 capabilities that will help organizations stay both secure and productive at the same time. The power of these capabilities comes from the seamless integration between Windows 10, Office 365 ProPlus, and Microsoft Defender Advanced Threat Protection (ATP). We previously gave a “sneak peak” at Ignite and are excited to share publicly now.

Safe Documents is now available in public preview, rolling out over the next few days

With Safe Documents, we’re bringing the power of the Intelligent Security Graph down to the desktop to verify that documents are safe at the endpoint itself.

Although Protected View helps secure documents originating outside the organization, too often users would exit this sandbox without great consideration and leave their networks vulnerable. Bringing a minimal trust approach to the Office 365 ProPlus clients, Safe Documents automatically checks the document against known risks and threat profiles before allowing to open. Users are not asked to decide on their own whether a document can be trusted; they can simply focus on the work to be done. This seamless connection between the desktop and the cloud both simplifies the user workflow and helps to keep the network more secure.

Application Guard integration with Office 365 ProPlus is significantly expanding its private preview

With Application Guard, we created a micro-VM based on the same technology that powers the Azure cloud and brought it down to the desktop. We first introduced Application Guard in Edge, bringing hardware-level containerization to the browser.

Now integrated with Office 365 ProPlus, Application Guard provides an upgrade to Protected View that helps desktop users to stay safer and more productive with container-based isolation for Office applications. Application Guard’s enforcement—with a new instance of Windows 10 and separate copy of the kernel—completely blocks access to memory, local storage, installed applications, corporate network endpoints, or any other resources of interest to the attacker.

That means Office users will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. Users can stay productive—make edits, print, and save changes—all while protected with hardware-level security. If the untrusted file is malicious, the attack is contained while user data and identity remains untouched. When a user wants to trust a document to save on the network or start collaborating in real-time, Safe Documents will first check to help ensure the document is safe.

Moreover, both Safe Documents and Application Guard connect to the Microsoft Security Center, providing admins with advanced visibility and response capabilities including alerts, logs, confirmation the attack was contained, and the ability to see and act on similar threats across the enterprise.

Truly Microsoft 365 capabilities

With these new capabilities, we brought together some of the best of Windows 10, Office 365 ProPlus, and Microsoft Defender ATP to help organizations stay both secure and productive. This integration also means that organizations can deploy these features with the change of a setting and manage with existing tools. And with every malicious attack contained, the entire Intelligent Security Graph becomes stronger, benefiting everyone.

Both Safe Documents and Application Guard will be available to customers with Microsoft 365 E5 and E5 Security. We encourage customers to start testing Safe Documents in their environment as it comes available (initially available for tenants in the U.S., U.K., and European Union), and to learn more about Safe Documents and Application Guard.

Microsoft Security 20/20 is nearly here and our team is putting the final touches on what we think will be a memorable event. Microsoft Security 20/20 will put the spotlight on companies and individuals with a clear-eyed view of the security challenges we face and smart solutions to help solve them. By working together, we advance the vision of what’s possible—and our joint customers’ security is stronger because of it.

“Solving our mutual customers’ security challenges is very much a team sport. I’m excited to recognize these leaders in the ecosystem at Microsoft’s inaugural security awards.”
—Andrew Conway, General Manager, Security Product Marketing

About the event

At the inaugural Microsoft Security 20/20 partner awards, we’ll celebrate finalists in 16 award categories that span security integration partners, system integrators, and managed security service providers. The awards gala will take place February 23, 2020—the Sunday before the RSA Conference in San Francisco. All finalists have been invited to attend this private event. Opening remarks from Ann Johnson, Corporate Vice President of the Cybersecurity Solutions Group, will center around Microsoft’s vision for the security ecosystem and how—together—we’ll help our customers get clarity on security.

“The themes for Microsoft Security 20/20 are vision and clarity. Microsoft is focused on protecting our customers and there is no vision for the future that doesn’t involve security partners. We’re hosting the first Microsoft Security 20/20 partner awards gala to honor security partners that are making an impact through technology development and customer enablement.”
—Rob Lefferts, Corporate Vice President, Microsoft Threat Protection

Better together

I passionately believe that the security ecosystem must work together to realize a future where people, information, and companies are safer. Microsoft Security 20/20 honors partners that have developed and delivered exceptional Microsoft-based solutions and services during the past year that put us on the path toward that vision.

The award categories and finalists were selected by a cross functional group within Microsoft. These finalists were chosen among a global field of top Microsoft partners for demonstrating excellence in innovation, integration, and customer implementation. Winners will be chosen based on a vote from a broad swath of Microsoft Security experts, which includes engineers, marketers, partners, managers, security architects, and more.

This blog would not be complete without showcasing each and every one of these amazing companies and visionary industry leaders, because in a kaleidoscope of security threats and news, these finalists offer an inspiring vision for the future.

ISV Partner of the Year

Software vendors that have shown innovation and the ability to drive revenue.

Emerging ISV Disruptor

Partners who show growth potential and have innovative emerging capabilities.

Most Prolific Integration Partner

Partners with numerous integrations across Azure and Microsoft 365 security.

Customer Impact

Independent software vendors (ISVs) that have driven a significant number of customers wins.

Identity Trailblazer

Partners that are driving major identity-related initiatives and educating the market on how to be protect identities.

Security Trailblazer

Partners that are driving major security-related initiatives and educating the market on how to be more secure.

Security Workshop Partner of the Year

Service partners that are driving the most high-quality security workshops.

Azure Security Deployment Partner of the Year

Service providers that are increasing usage and adoption rates for Azure security products.

Microsoft 365 Security Deployment Partner of the Year

Service providers that are increasing usage and adoption rates for Microsoft 365 security products.

Security System Integrator of the Year

System Integrators that are working closely with the Cybersecurity Solutions Group to close deals and integrate Microsoft into customers’ environments.

Security Advisory of the Year

Security advisory firms that are building core competencies on top of Microsoft Security solutions and working closely with the Cybersecurity Solutions Group to act as a trusted advisor to Microsoft customers.

Top Managed SOC/MDR

Security operations centers that are supporting the largest customers in the world and building strong intellectual property that layers on top of Microsoft Security solutions.

MSSP/TDR Disrupter

Threat, detection, and response experts that are changing the game for managed security services.

Top Github Contributor

With input from the GitHub team, we identified individuals who are going above and beyond to support the open source community with their GitHub contributions.

Industry Changemaker

Individuals who are making a standout contribution to improving the security community.

Election Security Partner of the Year

Organizations that are effecting change for one of our most critical global security challenges—election security.

Learn more

To learn more about Microsoft Security partners, see our partners page. To find out more about what Microsoft’s up to at RSA Conference 2020, read this blog.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.