Microsoft Security Intelligence Report Volume 22 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at www.microsoft.com/sir.

This new volume of the report includes threat data from the first quarter of 2017. The report also provides specific threat data for over 100 countries/regions. As mentioned in a recent blog, using the tremendous breadth and depth of signal and intelligence from our various cloud and on-premises solutions deployed globally, we investigate threats and vulnerabilities and regularly publish this report to educate enterprise organizations on the current state of threats and recommended best practices and solutions.

In this 22nd volume, we’ve made two significant changes:

  • We have organized the data sets into two categories, cloud and endpoint. Most enterprises now have hybrid environments, so it's important to provide more holistic visibility across both.
  • We are sharing data from a shorter time period, one quarter (January 2017 – March 2017), instead of the typical six months, as we shift our focus to delivering improved and more frequent updates in the future.

The threat landscape is constantly changing. Going forward, we plan to improve how we share the insights, and plan to share data on a more frequent basis – so that you can have more timely visibility into the latest threat insights. We are committed to continuing our investment in researching and sharing the latest security intelligence with you, as we have for over a decade. This shift in our approach is rooted in a principle that guides Microsoft technology investments: to leverage vast data and unique intelligence to help our customers respond to threats faster.

Here are 3 key findings from the report:

As organizations migrate more and more to the cloud, the frequency and sophistication of attacks on consumer and enterprise accounts in the cloud are growing.

  • There was a 300 percent increase in Microsoft cloud-based user accounts attacked year-over-year (Q1-2016 to Q1-2017).
  • The number of account sign-ins attempted from malicious IP addresses has increased by 44 percent year over year in Q1-2017.

Cloud services such as Microsoft Azure are perennial targets for attackers seeking to compromise and weaponize virtual machines and other services, and these attacks are taking place across the globe.

  • Over two-thirds of incoming attacks on Azure services in Q1-2017 came from IP addresses in China and the United States, at 35.1 percent and 32.5 percent, respectively. Korea was third at 3.1 percent, followed by 116 other countries and regions.

Ransomware is affecting different parts of the world to varying degrees.

  • Ransomware encounter rates are the lowest in Japan (0.012 percent in March 2017), China (0.014 percent), and the United States (0.02 percent).
  • Ransomware encounter rates are the highest in Europe vs. the rest of the world in Q1-2017.
    • Multiple European countries, including the Czech Republic (0.17 percent), Italy (0.14 percent), Hungary (0.14 percent), Spain (0.14 percent), Romania (0.13 percent), Croatia (0.13 percent), and Greece (0.12 percent) had much higher ransomware encounter rates than the worldwide average in March 2017.

Download Volume 22 of the Microsoft Security Intelligence Report today to access additional insights: www.microsoft.com/sir.

MS17-007 – Critical: Cumulative Security Update for Microsoft Edge (4013071) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (August 8, 2017): To comprehensively address CVE-2017-0071, Microsoft released the July security updates for all versions of Windows 10. Note that Windows 10 for 32-bit Systems, Windows 10 for x64-based Systems, Windows 10 Version 1703 for 32-bit Systems, and Windows 10 Version 1703 for x64-based Systems have been added to the Affected Products table as they are also affected by this vulnerability. Microsoft recommends that customers who have not already done so install the July 2017 security updates to be fully protected from this vulnerability.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS17-MAR – Microsoft Security Bulletin Summary for March 2017 – Version: 4.0

Revision Note: V4.0 (August 8, 2017): For MS17-007, to comprehensively address CVE-2017-0071, Microsoft released the July security updates for all versions of Windows 10. Note that Windows 10 for 32-bit Systems, Windows 10 for x64-based Systems, Windows 10 Version 1703 for 32-bit Systems, and Windows 10 Version 1703 for x64-based Systems have been added to the Affected Products table as they are also affected by this vulnerability. Microsoft recommends that customers who have not already done so install the July 2017 security updates to be fully protected from this vulnerability.
Summary: This bulletin summary lists security bulletins released for March 2017.

4038556 – Guidance for securing applications that host the WebBrowser Control – Version: 1.0

Revision Note: V1.0 (August 8, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for applications developed with the Microsoft Internet Explorer layout engine, also known as the Trident layout engine. This advisory also provides guidance on what developers and individuals can do to ensure that their applications hosting the WebBrowser Control are properly secured.

The world of eroding privacy: tips on how to stay secure

At the intersection of limes, teenagers, and privacy

This post is authored by Ann Johnson, Vice President, Enterprise Cybersecurity Group.

We will come to limes later in this blog, and they are relevant. But let me begin with one defining statement: I am the parent of a teenager, and the year is 2017.

As the parent of an age group that is best described as unpredictable on good days, one thing is consistent. Research has shown us that this generation does not have the same expectation of privacy as my generation. I remember vigorously debating in a college class my inherent right to privacy as protected by the 4th Amendment. Regardless of whether my argument was flawed or simply not factual, my fundamental belief was I had a legal privacy right, and no institution or government could infringe upon it.

My teenager and his friends appear to have a different belief, illustrated by their vigorous use of social media to publish their photos, food, routine life events, even to share their entire belief systems. Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, has covered the topic of teens, social media, and privacy in the past. His conclusion is that teens desire privacy, but they also have a need to safely share with each other using their own language and coding. In 2014, Fast Company compiled and commented on varied research regarding teenagers, young adults and expectations of privacy. Whilst one study concluded “online privacy is dead,” other studies determined it truly depends on how you define privacy. Teenagers may not care if their Facebook friends or Twitter followers know their religion or gender identity, but they certainly care if their parents monitor their social feeds. Teenagers and young adults have grown up in the digital age, so they are much more likely to understand how to set and control privacy settings on their devices and accounts – and they do so to segment their audiences. When I conducted my own informal study and asked my teen if a government agency that suspected him of wrongdoing or associated him with an unlawful activity could search his phone or computer, the reply was “get a warrant.” So is this generation really any different from prior generations on expectations of privacy? Or do the differences lie in the complexity of the information sharing platforms on which they feel dependent and to which they feel entitled? And how do these beliefs and values shape privacy regulation and laws, and intersect with security in the modern digital era? Are there learnings we can adopt from the next generation’s implementation of technology and privacy controls?

Now about those limes…I have a Twitter account (@ajohnsocyber). I opine about cybersecurity, post about my beloved Chicago Blackhawks and Dallas Cowboys, engage in animated communication with coworkers and friends and advocate for animal fostering and LGBTQ rights. I also have a Facebook account – mainly to catch up with far away family and share pictures. I have a LinkedIn profile too, but it’s for work and I am a purist about my posts there. So, I have an online footprint. That online footprint will tell you the names of my dogs, things about my belief system, expose my awful attempts at humor, and my preference for seedless Persian Limes on the occasions when I need something to accompany a cocktail. The Persian limes were a recent addition based on a Twitter conversation with two people I haven’t actually met IRL, so you can say my social interactions are fruitful. The point of all of this is that I share enough for someone to assemble a fairly detailed profile of me from my social media footprint and with it, attempt to social engineer or password hack me. Yet I willingly give up some of my privacy to interact with other humans in cyber space. As a security professional, I should know better, right? Well, not necessarily. Not all social media use leads down the path to becoming a hacking victim, and I am fully aware of which information to share and which to protect and how.

My social sharing is guided by some core principles:

  • The Internet is perpetuity. My digital footprint is unlikely to go away in the foreseeable future.
  • Hackers will keep hacking, and even the best defenses can’t always prevent persistent and sophisticated attempts. Think back to the relentless attempts on Brian Krebs in 2016.
  • Multi-factor authentication (MFA) on my personal and professional accounts is a must.
  • Most of the information I choose to disclose is already available in some way either via public record or through friends with no special instruction for secrecy.
  • I can concurrently assert my right to privacy, and my privilege to waive that right.
  • I encrypt sensitive personal data.
  • I have provisioned defense in depth controls and alerts for critical information.

Because in reality, our hyper-connected world of powerful search engines and abundant compute and storage makes it possible for reams of data about your entire life to be mined by anyone with a strong desire and a credit card. Oddly though, the majority of breaches still start with a phish rather than a targeted social engineering attack. In fact, phishing is the number one delivery method of malicious software. Compromises of sensitive data are most often traced back to: weak authentication, poor data classification/encryption policies, lax privilege management, absent or weak admin controls and lack of user education on phishing. We can opine all day about privacy and the need to hold sensitive information close to increase security, but in today’s society, from our youth to the millions of adults using social media, including many of the top cyber professionals in the world, very little is truly private.

Add to this a climate of perpetual information sharing and consumption and you can pretty much throw privacy expectations out the window. What you can and should do – personally and professionally – is make certain you distinguish the personal and private from that which is critically important and know your options to protect each. For technology, consumers should deploy basic security hygiene: strong passwords and regular updating. Organizations have additional responsibilities to educate users, patch, use all available access controls and invest in proven detection solutions as well as human hunters, so that the now all-but-inevitable breaches can be detected quickly.

Because, guess what, notwithstanding the controls required by regulations, the right to be forgotten or to have data forgotten in our ever-connected world may be a right, but it needs your active participation if there is to be anything left to debate.

Top 5 best practices to automate security operations

This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group, and Vidhi Agarwal, Senior Security Program Manager, Microsoft Security Response Center (MSRC).

Within the information security community, one of the emerging areas of focus and investment is the concept of security automation and orchestration. Although the topic is not necessarily new, it has taken on increased importance due to several industry trends. Before diving into the industry trends, we should first define exactly what security automation and security orchestration mean.

Security automation – the use of information technology in place of manual processes for cyber incident response and security event management.

Security orchestration – the integration of security and information technology tools designed to streamline processes and drive security automation.

Industry trends driving the need for increased automation and orchestration

There are two primary trends driving the focus on the automation and orchestration of security event management and incident response. First, there are simply not enough skilled security professionals to support the need. A recent cybersecurity jobs report found that there will be 3.5 million unfilled cybersecurity positions by 2021.

The second industry trend driving further investments in security automation and orchestration is based on the volume, velocity, and complexity of attacks. As shown in Figure 1 below, our information environments are extremely complex and vast. They are also often beyond the capabilities of a human to perceive, visualize, calculate, and understand the interconnections. Therefore, it is difficult to accurately project risk in different scenarios. The velocity at which attacks transpire is also driving the need for automation. Based on recent examples from the Microsoft Global Incident Response and Recovery Team, we have seen situations where attackers move from an initial endpoint infection via a phishing email, to full domain control within 24 hours. Lastly, the sheer volume of cyberattacks and security events triaged daily by security operations centers continues to grow, making it nearly impossible for humans to keep pace.

Figure 1: Sources include https://nvd.nist.gov, Verizon Data Breach Report & Microsoft Incident Response Data

Security automation and orchestration at the Microsoft Cyber Defense Operations Center

Daily, the Microsoft Cyber Defense Operations Center (CDOC) receives alerts from a multitude of data collection systems and detection platforms across Microsoft’s 200+ cloud and online services. The key challenge they face is taking the huge volume of data on potential security events and reducing it from thousands of high fidelity alerts to hundreds of qualified cases that can be managed daily by the cyber defenders in the Microsoft CDOC. Automation solutions include the use of machine learning and custom software tools to handle an increasing number of events without relying on a commensurate growth in headcount. Automation also accelerates Microsoft’s ability to identify those cases which need human intervention to remediate and evict adversaries fast.

Figure 2: The Cyber Defense Operations Center’s data scientists and analysts work 24×7 protecting, detecting, and responding to attacks

Microsoft Cyber Defense Operations Center workflow automation framework and engineering addresses all aspects of the job of a security responder and includes the following components:

  • Automated Ingestion: With an increasing number of specialized detection platforms across host, network, identity, and service detections, CDOC has an automated ingestion process leading to a single case management system for triage and investigations.
  • Stacking: Compression of alerts from thousands to hundreds of cases includes automated stacking based on time window or objects such as IP address, host name, user or subscription ID. In certain cases, alerts are aggregated or de-duplicated to reduce the noise coming to the SOC.
  • Enrichment: Often defenders need to go to multiple tools and databases to get contextual information. Adding contextual metadata to alerts from systems such as asset management, configuration management, vulnerability management and logs such as application logs, DNS and network traffic logs save defenders triage time and reduces overall Mean Time to Resolve (MTTR). Furthermore, this data helps the automation system make decisions and enable appropriate actions.
  • Decisions: Based on conditional logic, the automation engine determines what workflow would be invoked to initiate the desired action.
  • Actions: Actions such as sending e-mail, creating a ticket, resetting a password, disabling a VM, blocking an IP address, or running a script to initiate processes in other tools and systems are automated.

Based on the degree of automation implemented, there is a corresponding reduction in MTTR and an ability for a defender to close more cases. The automation maturity model below highlights the automation journey for the Microsoft CDOC. Not all scenarios will need to be at Level 5. The levels build on one another, and each one achieves automation goals your organization may have.

Figure 3: The automation maturity model and automation journey, Copyright Microsoft Corporation

Measuring automation success

The goal for any security operations center automation efforts is to reduce Mean Time to Detect and Mean Time to Remediate while not having a linear growth in headcount with the growth in business. The key is to not only measure automation results and SOC efficiency, but to also gain insights to determine where automation efforts need to be spent to improve the security posture of your organization. Some fundamentals to measure include:

  • Noise Reduction: Most Security Operations Centers struggle with the signal-to-noise ratio. A key measure for this is the stacking ratio that measures the compression from alerts to cases and is an indicator of reduction in triage activity needed.
  • Automate High Fidelity Signals: It is critical to ensure that automation efforts are spent on high fidelity alerts and the right response processes. Measuring detection efficacy by determining true positive and false positive alerts enables a continuous feedback loop and improvement in detection signals. Understanding false negatives identifies monitoring and security response gaps.
  • Address Top Offenders: It is common for security response teams to be drowned in repetitive signals and the same tasks repeatedly. Identifying and tracking top offenders over time provides insights on what needs to be further automated or prevented through better monitoring, controls and engineering solutions.
  • Automation Outcomes: Validating the outcomes for automation efforts is essential to right-size those efforts. With increased automation, teams see their TTx (Time to Detect, Triage, Remediate and others) go down and SOC investigator efficiency increase, as the number of cases each defender can successfully resolve goes up.

Security automation and orchestration best practices

Recently, we had the opportunity to share the lessons we have learned working with our customers and from the Microsoft Cyber Defense Operations Center at RSA Asia Pacific and Japan 2017. These best practices include:

  • Move as much of the work as possible to your detectors. Select and deploy sensors that automate, correlate, and interlink their findings prior to sending them to an analyst.
  • Automate alert collection. The SOC analyst should have everything they need to triage and respond to an alert without performing any additional information collection, such as querying systems that may or may not be offline or collecting information from additional sources such as asset management systems or network devices.
  • Automate alert prioritization. Real time analytics should be leveraged to prioritize events based on threat intelligence feeds, asset information, and attack indicators. Analysts and incident responders should be focused on the highest severity alerts.
  • Automate tasks and processes. Target common, repetitive, and time-consuming administrative processes first and standardize response procedures. Once the response is standardized, automate the SOC analyst workflow to remove any human intervention where possible.
  • Continuous Improvement. Monitor the key metrics we discussed earlier in this article and tune your sensors and workflows to drive incremental changes.
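
The workflow components above (ingestion, stacking, enrichment, decisions, actions), the measurement fundamentals (stacking ratio, top offenders) and the best practices on alert prioritization all describe stages of one pipeline. The following is an added example of that pipeline in Python; it is not code from the post or from the CDOC. Every alert, lookup table, rule name, severity weight, threshold and the 15-minute stacking window is constructed for illustration, and the scoring formula is an assumption chosen to show the mechanics, not a recommended policy.

```python
"""Toy SOC alert pipeline: ingestion -> stacking -> enrichment -> prioritisation
-> decision, plus the stacking-ratio and top-offender metrics.
All alert data, lookup tables and weights below are constructed for the example."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed raw alerts, as several detectors (identity, network, host) might emit them.
RAW_ALERTS = [
    {"ts": "2017-03-01T10:00:05Z", "detector": "identity", "rule": "impossible_travel",
     "user": "alice", "src_ip": "198.51.100.7", "host": "ws-01"},
    {"ts": "2017-03-01T10:00:40Z", "detector": "identity", "rule": "impossible_travel",
     "user": "alice", "src_ip": "198.51.100.7", "host": "ws-01"},   # repeat of the first
    {"ts": "2017-03-01T10:03:10Z", "detector": "network", "rule": "c2_beacon",
     "user": "alice", "src_ip": "198.51.100.7", "host": "ws-01"},
    {"ts": "2017-03-01T11:30:00Z", "detector": "host", "rule": "suspicious_powershell",
     "user": "bob", "src_ip": "10.0.0.5", "host": "dc-01"},
    {"ts": "2017-03-01T11:31:00Z", "detector": "host", "rule": "suspicious_powershell",
     "user": "bob", "src_ip": "10.0.0.5", "host": "dc-01"},
    {"ts": "2017-03-02T09:00:00Z", "detector": "host", "rule": "suspicious_powershell",
     "user": "carol", "src_ip": "10.0.0.9", "host": "ws-07"},
]

# Constructed enrichment sources: asset criticality (3 = crown jewel) and a
# threat-intel list of known-bad source IPs. Rule severities are also assumed.
ASSET_CRITICALITY = {"dc-01": 3, "ws-01": 1, "ws-07": 1}
MALICIOUS_IPS = {"198.51.100.7"}
RULE_SEVERITY = {"impossible_travel": 2, "c2_beacon": 3, "suspicious_powershell": 2}
STACK_WINDOW = timedelta(minutes=15)   # assumed stacking time window


@dataclass
class Case:
    host: str
    user: str
    first_seen: datetime
    alerts: list = field(default_factory=list)
    criticality: int = 0
    ti_hit: bool = False
    score: int = 0
    action: str = ""


def parse_ts(s):
    """Ingestion: normalise the detector's timestamp into a datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def stack(alerts):
    """Stacking: aggregate alerts on the same (host, user) object that fall
    within STACK_WINDOW of the case's first alert into a single case."""
    cases = []
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        ts = parse_ts(a["ts"])
        for c in cases:
            if c.host == a["host"] and c.user == a["user"] and ts - c.first_seen <= STACK_WINDOW:
                c.alerts.append(a)
                break
        else:                      # no open case matched: open a new one
            cases.append(Case(a["host"], a["user"], ts, [a]))
    return cases


def enrich(case):
    """Enrichment: attach asset criticality and threat-intel context to the case."""
    case.criticality = ASSET_CRITICALITY.get(case.host, 1)
    case.ti_hit = any(a["src_ip"] in MALICIOUS_IPS for a in case.alerts)
    return case


def prioritise(case):
    """Prioritisation: score = highest rule severity * asset criticality, +3 on a TI hit."""
    sev = max(RULE_SEVERITY.get(a["rule"], 1) for a in case.alerts)
    case.score = sev * case.criticality + (3 if case.ti_hit else 0)
    return case


def decide(case):
    """Decision: conditional logic selecting which response workflow to invoke."""
    if case.score >= 6:
        case.action = "isolate_host_and_reset_password"
    elif case.score >= 3:
        case.action = "create_ticket"
    else:
        case.action = "auto_close"
    return case


def run_pipeline(alerts=RAW_ALERTS):
    """Run every stage and hand the analyst a queue ordered by priority."""
    cases = [decide(prioritise(enrich(c))) for c in stack(alerts)]
    return sorted(cases, key=lambda c: c.score, reverse=True)


def stacking_ratio(alerts, cases):
    """Noise-reduction metric: raw alerts per qualified case."""
    return len(alerts) / len(cases)


def top_offenders(alerts, n=3):
    """Rules firing most often: candidates for further automation or tuning."""
    return Counter(a["rule"] for a in alerts).most_common(n)


if __name__ == "__main__":
    queue = run_pipeline()
    for c in queue:
        print(f"{c.host}/{c.user}: {len(c.alerts)} alerts, score {c.score}, action {c.action}")
    print("stacking ratio:", stacking_ratio(RAW_ALERTS, queue))
    print("top offenders:", top_offenders(RAW_ALERTS))
```

On the constructed data the six alerts stack into three cases (a stacking ratio of 2.0); the two highest-scoring cases reach the automated-action threshold for different reasons, one because the source IP is on the threat-intel list and one because the affected host is a domain controller, while the third is closed automatically. The top-offender count shows `suspicious_powershell` firing most often, which is the signal a team would look at next for tuning or a preventive control.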

Microsoft is committed to our customers’ success and has applied these best practices not only internally within the CDOC but also into our Advanced Threat Protection offerings to help enterprises stay ahead of cyberattacks. In addition, our recent acquisition of Hexadite will build on the successful work already done to help commercial Windows 10 customers detect, investigate and respond to advanced attacks on their networks with Windows Defender Advanced Threat Protection (WDATP).

Microsoft’s Advanced Threat Protection offering will now include artificial intelligence-based automatic investigation and remediation capabilities, making response and remediation faster and more effective.

In addition, Azure Security Center offers advanced threat detection capabilities that utilize artificial intelligence to automate and orchestrate detection and response for a customer’s Azure workloads. This makes it easier for Azure customers to not only identify and respond to attacks against their cloud assets, but it also provides intelligent recommendations to help prevent future attacks.

Read more about the work Microsoft is doing to automate and orchestrate security workloads by learning about the capabilities within WDATP, Azure Security Center and Microsoft Security.

5 Reasons why Microsoft should be your cybersecurity ally

When you think about cybersecurity, does Microsoft come to mind? Probably not.

Here are 5 reasons why enterprises should consider partnering with Microsoft on cybersecurity:

1. Strong Commitment to Cybersecurity

  • Significant security investments. Microsoft invests over $1 billion annually in security. Microsoft has invested significantly in building security into our core technologies like Windows, Office, and Azure, and in making strategic acquisitions of security technologies that enhance the investments customers have already made in Microsoft. We operate the Microsoft Cyber Defense Operations Center (CDOC), a 24×7 cybersecurity and defense facility with leading security experts and data scientists that protect, detect, and respond to threats to Microsoft’s cloud infrastructure, products and devices, and internal resources.
  • Microsoft powered by Microsoft. We use our own hosted cloud and security solutions. Microsoft runs its business on the same multi-tenant cloud services as our customers, including those from highly regulated industries and governments.
  • World class security talent and expertise. Our dedicated engineers, researchers, forensics experts, threat hunters, and data scientists work together to make our products and services better for you. The global incident response team works around the clock to help our customers respond and recover from breaches, and our team of Executive Security Advisors, including former CISOs, leverage extensive real-world experience to partner with customers on planning and implementing sound security programs.

2. Holistic Security Approach

Microsoft takes a three-fold security approach for customers to enable their business’ digital transformation.

  • A Comprehensive Platform – Microsoft’s platform looks holistically across all the critical endpoints of today’s cloud & mobile world. By building security into Microsoft products and services from the start, we can deliver a comprehensive, agile platform to better protect your organization, move faster to detect threats, and respond to security breaches across even the largest of organizations. The platform serves as the framework for protecting enterprise organizations in four ways:
    • Identity and Access Management: protect users’ identities and control access to valuable resources based on user risk level
    • Threat Protection: protect against advanced threats and help you recover quickly when attacked
    • Information Protection: help ensure documents and emails are seen only by the people you authorize
    • Security Management: gain visibility and control over your security resources, workflows, and policies, as well as recommendations on improving your security posture
  • Vast Intelligence – Our intelligence, which is built upon a massive amount of security related-signals from the consumer and commercial services that we operate on a global scale, powers Microsoft solutions to enable you to protect, detect, and respond to threats more effectively. Each month we:
    • Scan 400 billion emails across outlook.com and Office 365 for phishing and malware
    • Process 450 billion authentications across all cloud services
    • Execute 18+ billion Bing webpage scans
    • Update 1+ billion Windows devices

Using the tremendous breadth and depth of signal and intelligence from our various on-premises and cloud solutions deployed globally, we investigate threats and vulnerabilities and regularly publish the Microsoft Security Intelligence Report (SIR) to educate enterprise organizations on the current state of threats and recommended best practices and solutions.

  • Broad Partnerships – We’re committed to being a leader in this space, but security is not a problem we can address alone. Our commitment is to make sure our products work with technology you already use. Microsoft is fostering a vibrant ecosystem of partners who help us raise the bar across the industry. We also collaborate extensively with customers and industry standards bodies to help us meet specific customer needs and industry regulations.

3. Trust-aligned Corporate Mission

Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As our CEO, Satya Nadella, stated, “Businesses and users are going to embrace technology only if they can trust it”, and therefore we want to make sure our customers can trust the digital technology that they use, backed with the assurances they need. We’ve made investments in privacy and control, compliance, and transparency, and especially those features that matter the most to our customers.

For example, for our cloud services, we are committed to: helping you have control over your data, enabling you to comply with applicable laws, regulations and key international standards, and being transparent with you about the collection and use of your data. Last, but not least, we are committed to safeguarding your data from hackers and unauthorized access using state-of-the-art technology, process and certifications.

To learn more about Microsoft’s commitment to security, privacy, compliance, and transparency of our products and services, visit the Microsoft Trust Center at www.microsoft.com/trustcenter.

4. Leadership in Cybersecurity Best Practice Sharing

Microsoft collaborates extensively with governments and organizations around the world in sharing industry standards, providing guidance on cybersecurity best practices, and engaging in protecting critical infrastructure sectors.

For example, even before the launch of the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), Microsoft provided a response to the RFI and subsequently, NIST used our recommendations of focusing on protect, detect, respond, and recover functions in the NIST CSF. Microsoft’s deep engagement with the Framework has allowed us to be agile in adopting it for our enterprise risk-management program, to inform and influence our security risk practices. It is also a key component in how we track security assurance and communicate about security maturity.

Additionally, the Microsoft Security Development Lifecycle (SDL), established as a mandatory policy in 2004, has been designed as an integral part of the software development process at Microsoft. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout all phases of the development process. The industry has accepted practices aligned with the SDL, and we continue to adapt it to new technologies and changes in the threat landscape. Microsoft has developed guidance papers, tools, training and resources to help organizations understand and adopt the SDL.

We are committed to disseminating such best practices (NIST CSF, SDL, etc.) internationally also.

5. Deep Customer Interaction

The Enterprise Cybersecurity Group (ECG) inside of Microsoft has been deeply engaging with customers across the globe to educate them on Microsoft’s cybersecurity approach and services. To further help customers with their cybersecurity strategies, ECG partnered with a variety of teams (Digital Crimes Unit, Cyber Defense Operations Center, Digital Risk and Security Engineering team, Cloud & Enterprise Security, Windows Security, and others) to launch a cybersecurity executive briefing center (EBC) experience. This invitation-only program is designed to provide an executive-level security experience for our customers’ CISOs and their teams.

Key benefits of the EBC experience for customers:

  1. Attendees receive a comprehensive overview of Microsoft’s cybersecurity products and services aligned thematically to the Protect, Detect, and Respond framework, a common approach followed by enterprise organizations.
  2. They meet face-to-face with Microsoft security experts and leaders from engineering, product management, threat intelligence, cyber security services, information security and risk management, and more to learn about approaches, ask questions, and provide feedback in real time.
  3. Attendees learn how to improve their cyber security posture and come away with a stronger relationship with Microsoft as a trusted advisor and partner.

To learn about Microsoft’s security strategy and solutions, visit: www.microsoft.com/security.


TLS 1.2 Support added to Windows Server 2008

This post is authored by Arden White, Senior Program Manager, Windows Servicing and Delivery.

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft, we are announcing that support for TLS 1.1/TLS 1.2 on Windows Server 2008 is now available for download as of July 18th, 2017. We’re offering this support in recognition that our customers have a strong demand for support for these newer protocols in their environments, and in recognition of the extended lifetime of Windows Server 2008 under the Windows Server Premium Assurance offering.

This update for Windows Server 2008 will include support for both TLS 1.1 and TLS 1.2. For application compatibility purposes, these protocols will be disabled by default in a manner similar to the TLS 1.1/TLS 1.2 support that was disabled by default in Windows 7 and Windows Server 2008 R2. After downloading and installing the update these protocols can be enabled by setting the registry keys described in KB4019276.
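
As an added example (not code from the post or from KB4019276 itself), the PowerShell script below audits the SCHANNEL protocol keys on a Windows Server 2008 host and, when run with -Apply, sets the values that enable TLS 1.1 and TLS 1.2 for both the server and client roles. It assumes the update is already installed and uses the standard SCHANNEL key path and the Enabled/DisabledByDefault value names; KB4019276 remains the authoritative reference for the exact values to set. The parameter names, the function names and the report layout are this script's own.

```powershell
# Added example, not code from the post or from KB4019276.
# Audits the SCHANNEL protocol keys and, with -Apply, enables TLS 1.1/1.2.
# Run from an elevated PowerShell session; SCHANNEL reads these keys at
# boot, so a reboot is needed after -Apply. Written for PowerShell 2.0, the
# version that ships on Windows Server 2008.
param(
    [string[]] $Protocols = @('TLS 1.1', 'TLS 1.2'),   # script's own choice
    [switch]   $Apply                                   # without it: report only
)

# Standard SCHANNEL protocol key path (see KB4019276 for the full list).
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-ProtocolState {
    param([string] $Protocol, [string] $Role)   # Role is 'Server' or 'Client'
    $path = "$Base\$Protocol\$Role"
    if (-not (Test-Path $path)) {
        # No key at all: the OS default applies, which on Server 2008 means
        # the protocol is not offered (the post says it ships disabled).
        return New-Object PSObject -Property @{
            Protocol = $Protocol; Role = $Role
            Enabled = $null; DisabledByDefault = $null
            State = 'os-default (disabled)'
        }
    }
    $p       = Get-ItemProperty -Path $path
    $enabled = $p.Enabled             # $null when the value is absent
    $dbd     = $p.DisabledByDefault
    # Enabled=0 switches the protocol off outright; DisabledByDefault=1 keeps
    # it from being used unless an application asks for it explicitly.
    $state = if ($enabled -eq 0) { 'disabled' }
             elseif ($null -ne $enabled -and $dbd -eq 0) { 'enabled' }
             else { 'partially configured' }
    New-Object PSObject -Property @{
        Protocol = $Protocol; Role = $Role
        Enabled = $enabled; DisabledByDefault = $dbd
        State = $state
    }
}

function Enable-Protocol {
    param([string] $Protocol, [string] $Role)
    $path = "$Base\$Protocol\$Role"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Enabled=1 makes the protocol usable; DisabledByDefault=0 makes SCHANNEL
    # offer it without the application having to request it.
    New-ItemProperty -Path $path -Name 'Enabled' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

$roles  = @('Server', 'Client')
$before = foreach ($proto in $Protocols) {
    foreach ($role in $roles) { Get-ProtocolState $proto $role }
}
Write-Host 'Current SCHANNEL state:'
$before | Format-Table Protocol, Role, Enabled, DisabledByDefault, State -AutoSize

if ($Apply) {
    foreach ($proto in $Protocols) {
        foreach ($role in $roles) { Enable-Protocol $proto $role }
    }
    $after = foreach ($proto in $Protocols) {
        foreach ($role in $roles) { Get-ProtocolState $proto $role }
    }
    Write-Host 'State after applying:'
    $after | Format-Table Protocol, Role, Enabled, DisabledByDefault, State -AutoSize
    Write-Host 'Reboot the server for SCHANNEL to pick up the new settings.'
}
```

Run the script without arguments first to see the current state of each protocol and role; it changes nothing until -Apply is given. The script deliberately touches only the protocols listed in -Protocols, so any decision to turn off older protocols on the same host is left as a separate, explicit step after applications have been verified against TLS 1.2.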

This update is being made available on the following timeline:

Release Date         Channels                        Classification
July 18, 2017        Microsoft Catalog
August 15, 2017      Windows Update/WSUS/Catalog     Optional
September 12, 2017   Windows Update/WSUS/Catalog     Recommended

A commitment to security and transparency at Microsoft Inspire 2017

Microsoft Inspire (formerly Worldwide Partner Conference) gathered 16,000 attendees from around the world last week in Washington DC. At the event, Microsoft reaffirmed its commitment to its partners and its mission to “empower people to be more productive”. To kick off an exciting week, CEO Satya Nadella made five major announcements during the first vision keynote, including the introduction of Microsoft 365.

Commitment to security and transparency

During the vision keynote on day two, President and Chief Legal Officer Brad Smith provided updates and affirmation of Microsoft’s commitment to security and privacy. Smith promised dedication to security, saying, “Technology for technology’s sake isn’t particularly valuable. Applying technology towards solving human problems is where you unlock the value”. Smith presented a four-part integrated approach to confront ever-evolving cybersecurity threats: Platform, Intelligence, Partners, and Policies. With the cloud being bigger than ever before, Smith says every business has a digital opportunity. Microsoft has committed “new energy, new focus, new resources” to responding to security threats faster and better than ever before. These cloud principles and improved security features in Microsoft 365 will give partners better end to end security management. Better security and transparency help Microsoft and its partners build trust, and “move technology forward without leaving people behind”.

Security focused product announcements

Microsoft 365

Microsoft 365 is a new solution that combines software, management, and security options into a single subscription. Partners can choose from two solutions, Microsoft 365 Enterprise and Microsoft 365 Business. Both options provide productivity and security capabilities and a cohesive experience across applications and devices, while simplifying delivery and management for IT.

  • Microsoft 365 Enterprise
    • Includes Office 365 Enterprise, Windows 10 Enterprise, and Enterprise Mobility + Security
    • Available in two plans, as Microsoft 365 E3 and Microsoft 365 E5
    • Available August 1
  • Microsoft 365 Business 
    • Includes Office 365 Business Premium, security and management features for Office apps and Windows 10 devices, upgrade rights to Windows 10, and a centralized IT console
    • For small and medium-sized businesses
    • Available in public preview on August 2

GDPR

Partners can play a vital role in the General Data Protection Regulation (GDPR) by assessing customers’ readiness and helping them adapt to it.

Security Partner Playbook

Help your customers protect against breaches, detect breaches, and respond to breaches with a comprehensive security solution. This playbook focuses coverage on Microsoft products and services that play a critical role in securing this environment. Download the playbook here.

Microsoft Introduces the New Secure Productive Enterprise Offer

Microsoft recently announced its new hero offer called Secure Productive Enterprise (SPE). SPE provides the latest technology across Windows, Office 365, and Enterprise Mobility + Security (EMS). Frankly, it couldn’t come at a better time as businesses and consumers are increasingly aware of cybersecurity concerns. Here’s what partners can expect in terms of security capabilities from the innovative Microsoft stack and how they can leverage those capabilities to serve customers.

Conclusion

Inspire was surely an inspiring week for the partners who attended. With continued advances in the cloud and a better way for partners to build a modern, cohesive, and secure work environment with Microsoft 365, it should also be an exciting year.


MS16-111 – Important: Security Update for Windows Kernel (3186973) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (July 11, 2017): Revised Windows Affected Software and Vulnerability Severity Ratings table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3305. Microsoft recommends that customers running Windows 10 Version 1703 should install update 4025342 to be protected from this vulnerability.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a target system.


MS16-SEP – Microsoft Security Bulletin Summary for September 2016 – Version: 2.0

Revision Note: V2.0 (July 11, 2017): Revised Windows Affected Software and Vulnerability Severity Ratings table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3305. Microsoft recommends that customers running Windows 10 Version 1703 should install update 4025342 to be protected from this vulnerability.
Summary: This bulletin summary lists security bulletins released for September 2016.


Holistic security strategy: how greater integration improves detection and response time

Today’s attackers have moved beyond “smash and grab” tactics to more sophisticated methods intended to maintain a long-term presence. These evolving threats complicate detection efforts, as many organizations have a variety of point solutions that make it difficult to effectively detect advanced threats and attack campaigns.

Piecemeal approaches create challenges and might hamper security. Each new solution deploys unique vendor-specific dashboards, consoles, and logs that don’t always integrate well. Because of these communication blind spots, industry reports indicate that some threats can go undetected for about 100 days.

Rapid detection and response are critical in modern cloud and hybrid environments. Some organizations use Security Information and Event Management (SIEM) solutions to better correlate the information from a variety of tools. SIEM solutions aren’t without shortcomings—they rely on human analysis which can stretch the capacity of a workforce.

So, what can you do to improve security and more quickly respond to threats? To begin, it’s important to develop a security ecosystem around solutions that integrate and provide a holistic view of your environment – across users, data, apps, devices, and infrastructure. By working with technology vendors who create solutions that you can connect and integrate, you can improve your organization’s response times.

Getting—and staying—in front of today’s evolving threats requires more meaningful, comprehensive visibility, regardless of the products or endpoints or vendor partner. This is the kind of holistic view you need to detect and respond to threats with greater speed and accuracy.

We discuss security integration in greater detail in our latest eBook, 7 steps to a holistic security strategy. Download it today to learn more about security integration and other strategies for holistic security.

To learn more about Microsoft’s holistic approach to security, visit Microsoft Secure.


Latin America is stepping up to the plate in cybersecurity policy

July 6th, 2017

A year ago the Inter-American Development Bank (IDB) and the Organization of American States (OAS) asked themselves a question about cybersecurity: “Are We Ready in Latin America and the Caribbean?”. The conclusion of their 200-page report was essentially “No”, raising an alarm about Latin America’s critical situation in the cybersecurity arena. The report showed that Latin America was extremely vulnerable to potentially devastating cyber-attacks. Four in five states did not have cybersecurity strategies or plans for protecting critical infrastructure. Two in three lacked any sort of command and control center for cybersecurity crises. Enforcement of laws against cyber-attacks was almost universally weak.

The last 12 months have seen the start of what looks like a remarkable turnaround. Take as an example Argentina, which will host the G20 in 2018. Only a few weeks ago, Argentine President Macri met with American President Trump to start bilateral work on cybersecurity, uniting the two states against cybercriminals and aiming to make cyberspace open, reliable and safe. The basis of this cooperation is not novel per se. The two allies are seeking to increase the coordination of their cyber politics, to share information and to foster private-public partnerships in the protection of key infrastructure. It may not be a novel approach but what matters most is that it is happening and that for the Argentine government it is real rather than window-dressing.

The IDB and OAS 2016 report noted the importance of legislative frameworks, investigation, the processing of electronic evidence, and the training of judges and prosecutors in the field of cybersecurity. It also urged states to inform public and private sector organizations when vulnerabilities are identified. Fortunately, this call to action did not fall on deaf ears and, within the past year, we have seen accelerating improvements in Latin America’s approach to cybercrime and cybersecurity legislation. The capstone of this was April 2017’s OAS resolution to increase cooperation, transparency, predictability, and stability in cyberspace. As well as aligning themselves with the global approach to cybersecurity outlined by the UNGGE, the OAS decided to establish a working group to drive enhancements to members’ cybersecurity legislation.

This OAS resolution is matched by a range of other actions that prove the good intentions of the different Latin American countries involved. In May, a group of military and government cyber experts from Latin America, the Caribbean, and the United States met at the “Partner Nation Command, Control, Communications, Computers and Cyberspace Symposium” (PNC5S). Their aim was to discuss the different strategies they could adopt in the face of ever-escalating threats in cyberspace. This type of regional cooperation is essential to tackling cybercrime and also to building up the resilience of cyberspace in the face of ever-escalating cyberattacks.

All of this effort by Latin American governments does not matter simply because the United States or the European Union or China or the United Nations think it matters. Nor is the promotion of this agenda simply a convenient way to ensure Latin America isn’t a “weak link” in global approaches to dealing with cyberthreats and cybercrime. No, rather, these steps taken by Latin American governments matter because technology and cyberspace are becoming increasingly central to the interests of Latin America itself. For example, ICT industry revenues in Latin America are expected to increase by 20.3% from 2016 to 2017. Guadalajara, Mexico is being touted as a new Silicon Valley, driving billions in ICT exports and attracting investment from around the world. The International Conference on Software Engineering was held in the region for the first time in 2017 (in Buenos Aires).

The tide of change that has hit Europe, the US and Asia has not passed Latin America by. Governments from this part of the world have come to realize that lagging behind the curve is not an option, and it is reassuring to see those same governments stepping up to the plate. By learning from other parts of the world and from each other, countries across Latin America will ensure that their citizens, businesses, and public sector organizations can secure the economic, social, and even political benefits of technologies such as cloud, big data, and the Internet of Things. If a year from now the IDB and the OAS were to ask again whether Latin America is ready for this new future, the answer would likely be far more positive.


Security Data Scientists Without Borders – Thoughts from our first Colloquium

The move to the cloud is changing the security landscape. As a result, there is a surging interest in applying data-driven methods to security. In fact, there is a growing community of talented people focused on security data science. We’ve been shedding our respective “badges” and meeting informally for years, but recently decided to see how much progress we might make against some of our bigger challenges with a more structured and formal exchange of ideas in Redmond. The results far exceeded our expectations. Here’s a bit of what we learned.

The first thing to understand is that academia and industry both focus largely on security detection, but the emphasis is almost always on the algorithmic machinery powering the systems. We at Microsoft are transparent with our algorithm research and in fact are the only cloud provider to openly share the machine learning algorithms securing our cloud service. In order to build on that research and learn more about best practices for putting security data science solutions in production, we reached out to our peers in the industry.

We started by meeting with some friends at Google to swap ideas for keeping our cloud services and mutual customers secure. That one-time exercise proved so valuable that it soon turned into a recurring meeting, in which we learned that despite different approaches to data modeling, we face similar challenges. Last week, we opened the doors at Microsoft to the broader community. At first, we weren’t sure if companies would take us up on the offer to discuss security data science issues in the open – nothing could have been farther from the truth. We quickly had delegates from Facebook, Salesforce, Crowdstrike, Google, LinkedIn, Endgame, Sqrrl, the Federal Reserve and researchers from the University of Washington. What was supposed to be an hour-long meetup morphed into a full-blown conference – so much so that we had to give it a name: “Security Data Science Colloquium”.

The goal of the colloquium was simple: share learnings of how different cloud providers/services secure their systems using machine learning. No NDAs, no complicated back-and-forth paperwork. Our only constraint: keep it technical and be honest. This way, we could ensure that the 300+ applied Machine Learning (ML) engineers, security analysts, and incident responders who signed up had a collaborative environment in which to discuss freely!

Security Data Science > Security + Data Science

Operationalizing security and machine learning solutions is tricky, not only because security data science solutions are inherently complex from both fields, but also because their intersection poses new challenges. For instance, compliance restrictions that dictate data cannot be exported from specific geographic locations have a downstream effect on model design, deployment, evaluation, and management strategies (a data science constraint). As Adam Fuchs, CTO of Sqrrl, pointed out in his lecture, this complicated machinery requires a variety of actors to land an operational solution: threat hunters, data scientists, computer scientists and security analysts, in addition to the standard development crew of program managers, developers and service engineers.

Security Data Scientists ❤ Rules

To quote Sven Krasser (@SvenKrasser), Chief Scientist at Crowdstrike, “Rules are awesome”. This may come as a surprise to machine learning puritans who have long berated rules as futile tools. But as Sven noted in his talk, rules are very good at finding known maliciousness and we as a community must not shy away from them. During our smaller brainstorm discussions, we discussed various ways to combine rules and machine learning. For instance, at Microsoft, we have had success in using Markov Logic Networks to combine the domain knowledge of our security analysts and model them into probabilistic graphs.

Adversarial Machine Learning is Mainstream and We Don’t Know How to Solve It

Hyrum Anderson (@drhyrum) and Robert Filar’s (@filar) riveting talk on how adversaries can subvert machine learning solutions made defenders in the room uncomfortable (in a good way!). They showed different ways that attackers can successfully manipulate machine learning models, with anything from partial to no access to the system. While instances of such attacks have been known since spammers first tried to evade detection, or since adversaries began attempting to dodge antivirus systems, the biggest takeaway here is that a machine learning system, like any system, is susceptible to attack. For instance, attackers can observe the alert outputs, or the decision label (such as malware or not), and work around these defenses. While this has been happening for some time, the game changer is that this feedback is instantaneous: the data that was designed as a way for defenders to act swiftly is now exploited by attackers. Research in this area is nascent, and we still don’t know how to bridge this gap.

Call for standardization and benchmarks

At our breakout sessions, we heard the need for a standardized benchmark dataset à la ImageNet – for instance, how do we know whether the newest detection for anomalous process creation performs under various test cases? An interesting observation made by the “Security Platform” discussion group was the need for something along the lines of “GitHub for feature engineering”. They reckoned that many teams waste time managing feature pipelines and sometimes re-computing the same feature, and wanted an effective management system that would make teams more efficient and code more maintainable.

The colloquium, thanks to the enthusiastic participation of our peers, ended up as a marketplace of security data science ideas – we discussed, agreed, and challenged one another with the intention of learning. My favorite quote about the conference comes from a Salesforce participant, who remarked “we are all batting for the same team”. It particularly resonated with me, because despite our organizational boundaries, we all have a common goal: protect our customers from adversaries.

This is our commitment: to share what we have learned – successes and failures – so that you don’t have to waste time going down the wrong path. Given the overwhelming support from the security analytics community, my colleagues have already started planning the next edition of the colloquium. If you are interested in participating, have ideas to make it better, or want to lend a helping hand in organizing, drop a note at ramk@microsoft.com or reach out to me on Twitter – @ram_ssk.


What are Confidence building measures (CBMs) and how can they improve cybersecurity?

June 29th, 2017

Cyberspace security is too often viewed through a prism of technological terms and concepts. In my experience, even supposedly non-technical discussions of cyberspace quickly devolve into heated debates about “vulnerability coordination”, “the latest malware”, “the best analytical tools”, “threat information sharing”, and so on. While these are interesting and important topics, it is ultimately people and their personal perspectives – not technology – that largely shape governments’ political, diplomatic and military choices in cyberspace.

At the heart of government’s “human” decision-making in cyberspace are understanding and trust. The two are not the same. It’s possible for one state to understand another’s capabilities in cyberspace but not to trust their intentions. The reverse is also true, with trust existing outside of understanding another’s capabilities. But, by and large, some level of understanding about what another state can and can’t do in cyberspace should at least reduce distrust. And that can help governments make rational judgments about each other’s behaviors as well as de-escalate tensions between and among states.

One significant complication in building understanding and defusing distrust is the fact that many systems useful in cyber-defense can also be used in cyber-offense. When a state invests in cyber to defend itself, its rivals might instead see a growth in offensive capabilities. This is not a question of technical understanding but rather of reading the intent of others. A very human response to someone seemingly gearing up for conflict is to build up at the very least one’s own defenses (and potentially even to increase one’s offensive as well as retaliatory capabilities). Such a move is, however, equally liable to misinterpretation by others. Thus escalation spreads, trust evaporates, and distrust balloons, leaving cyberspace, on which so much of modern life depends, akin to a powder keg, ready to explode. The potential for a cyber arms race is as real as it is dangerous.

An essential response to this critical challenge is the use of confidence building measures (CBMs) between states. Today, CBMs are still generally seen as vectors for instilling good cybersecurity practices, especially during a country’s early entry into cyberspace. Certainly, CBMs can help such countries counter the threat of cybercrime, and can also help promote international consistency in cybersecurity approaches, which is an essential part of combating cybercrime. However, CBMs are much more than this.

Coming of age under the threat of Cold War nuclear annihilation, CBMs enable states to minimize exactly the kind of misunderstandings that fuel distrust and exacerbate tensions. In many ways, they are akin to pressure valves for states to use before a situation escalates into conflict. CBMs can help states step back from thinking, “We need to get our cyber-retaliation in first”. They may not lead directly to trust, but what they provide is manifestly better than its absence. They have a manifest role to play in ensuring the safety and stability of cyberspace by reducing the risk of cyberwar breaking out. As such, they can be a necessary prerequisite to building trust.

CBMs are already being built into critical state-to-state cyberspace agreements. The UNGGE 2015 (voluntary) norms placed CBMs at the core of responsible state behavior in cyberspace. In the UNGGE’s words, they “allow the international community to assess the activities and intention of States”. That assessment of actions and intent is absolutely essential to addressing the human perspective. The UNGGE leveraged previous work done in the framework of the Organization for Security and Co-operation in Europe (OSCE), namely its 2013 CBMs. In this respect, it is significant that just last year the OSCE expanded on its CBM work precisely because, “events in cyberspace often leave room for ambiguity, speculation and misunderstanding. The worry is that miscalculations and misperceptions between states arising from activities in cyberspace could escalate, leading to serious consequences for citizens as well as for the economy and administration, and potentially fueling political tensions.”

A failure to mature and refine CBMs globally adds to distrust and militarization in cyberspace, i.e. the aforementioned cyber arms race. The consequences of the “miscalculations and misperceptions” that the OSCE warned of can easily move from the virtual world to the real one. For example, 2010’s so-called “Pakistan-India cyberwar” saw “cyber armies” from each country vandalizing official websites, exacerbating serious diplomatic and military tensions after the 2008 Mumbai terror attacks. Furthermore, recent tensions between parts of the West and Russia, North Korea or even China all feature strong elements of “cyber-distrust”. The danger, of course, is that once there is “cyber-distrust” among states it is likely to spread into other spheres if left unchecked, and vice versa.

So, if the human perspective matters at least as much as the technology when it comes to government decision-making about cyberspace, all parties should take every opportunity to promote understanding and reduce distrust between states. We should use whatever tools seem most appropriate to do so, and CBMs are essential in this regard. They are and remain a key tool in the cyber peacebuilder’s toolkit.
