Sharing Microsoft learnings from major cybersecurity incidents

This post is authored by Mark Simos, Director of Business Development and Strategy, Enterprise Cybersecurity Group

Microsoft has assisted customers with investigation of, and recovery from cybersecurity attacks for well over a decade. This effort began informally when our IT department and product groups came to the aid of customers encountering attacks in their environment. Since those early days, the volume and complexity of incidents has required Microsoft to scale up its efforts to include full-time professional investigation and recovery teams. These teams are typically engaged on one or more major investigations on any given week throughout the year. If you are experiencing a targeted attack, you can rapidly engage our Global Incident Response and Recovery teams through Microsoft Premier Support.

Incident Response Reference Guide

Because the challenges that our customers face during incident response and recovery are both technical and non-technical, we recently embarked upon an effort with partner organizations, to provide our customers comprehensive incident management guidance.

The results of this effort have been compiled into an Incident Response Reference Guide. It is available for download, and we are distributing a printed version at the Microsoft booth during the RSA conference in San Francisco, this week.

This guidance describes the learnings and recommendations that our organizations have made along the technical, operations, legal, and communications dimensions. It is designed to help you prepare for and meet critical needs during a major cybersecurity incident, as well as to avoid common errors.

The recommendations in this guide can help organizations prepare for, and address many severities of security incidents, though it is primarily focused on major incidents where administrative access has been compromised.

This guidance is designed to enable you to:

  1. Prepare for a crisis by reducing risk to your organization
  2. Better manage a crisis, whether or not you have made prior preparations

The tips and guidance in this document are designed to provide insights to organizations facing their first incident, as well as to seasoned professionals who manage persistent adversary operations regularly. It is based on our collective experiences across a wide range of Fortune 1000® companies and government agencies. We would love to hear your feedback on how this document helped you and how to improve it. You can reach us at

Beyond the Guide

As our teams travel the globe helping customers and fighting cybercrime, the learnings from this work continuously influence Microsoft products, public guidance, and how we help future customers. Several key pieces of guidance we have published have been informed by this experience, including Versions 1 and 2 of Mitigating Pass-the-Hash and Other Credential Theft, Best Practices for Securing Active Directory, and a new type of guidance that outlines a prioritized security strategy for these attacks, the Securing Privileged Access (SPA) roadmap (online SPA training available here). Microsoft has also contributed to efforts like the NIST 800-184 Guide for Cybersecurity Event Recovery to share our lessons learned.

Additionally, many of our products and features have been directly influenced by our incident response and recovery experience. These include Windows Defender Advanced Threat Protection (ATP), Advanced Threat Analytics (ATA), Windows Server 2016 Shielded VMs, Virtualization Based Security (VBS) in Windows 10 that includes Credential Guard, Microsoft Identity Manager’s Privileged Access Management Capability (MIM-PAM), and many others.

What causes an incident to have a major impact on an organization varies with the business or mission. However, we have found that most major incidents involve the compromise of administrative access to most or all enterprise IT systems (as happens in the targeted attacks frequently reported in the press). Based on the prevalence of credential theft techniques that lead to compromise of administrative rights, Microsoft has open sourced the build instructions for the privileged access workstations (PAWs) that our cybersecurity professional services personnel deliver. This architecture is based on learnings from attacks on our customers as well as experience deploying secure access workstations internally for administrators of our own IT systems.

Learn from over a decade of experience helping our customers recover from major incidents by downloading the Incident Response Reference Guide today.


Upgraded Microsoft Trust Center adds rich new content

This post is authored by David Burt, Senior Product Manager, Cloud Platform Marketing

A little over a year ago, we launched the Microsoft Trust Center at, which unified trust-related resources across our enterprise cloud services.  This week, we launched a completely redesigned and greatly expanded site with new content including EU General Data Protection Regulation (GDPR) guidance, audit reports, and security assessments.

The Trust Center is an important part of the Microsoft Trusted Cloud initiative and provides support and resources for information professionals, as well as the legal and compliance community.  The Trust Center offers a rich set of resources, including in-depth information about security, privacy, and compliance offerings, policies, features, and practices across our cloud products, including Azure, Dynamics 365, Office 365, Power BI, Visual Studio Team Services, and Windows Server 2016.  Each content area is supplemented by a curated collection of hundreds of the most applicable and widely-used resources for each topic.

New enhancements to the Trust Center include:

We are committed to providing you with guidance, documentation, and support you need to meet your security, privacy, and compliance goals. We will continuously improve the Trust Center to help make your job easier.



Detecting Cyber Threats

This post is authored by Joe Faulhaber, Senior Consultant ECG

In today’s cyber threat landscape, it’s not a question of if an attack will occur, but who will attack and when. To keep enterprise data safe against global threats that include attackers as technically sophisticated as any defender, enterprises need to have world-class cyber defenses. This requires strong execution of security fundamentals, in-depth knowledge of the enterprise environment, and working with experts to be ready to detect attacks when they occur.

World-class attackers, your enterprise

Protecting the modern enterprise is challenging because it’s an incredibly dynamic problem. Configurations are in constant flux, hardware is being cycled, software is updating, workloads are moving to the cloud, and users are bringing devices in and out of the network. At the same time, random attacks are entering the system, and there is danger of well-funded, determined external attackers trying to steal valuable data from enterprises as well. Even insiders can be threats, and what an attack looks like can change every day. Cybersecurity is an arms race, with attackers and defenders responding to each other constantly.

Detection in Depth

Protection in depth is the best enterprise defense, because defending only at the host, the network edge, or the cloud isn’t sufficient. Similarly, threats that cause damage or pose danger need to be detected in depth as well. When threats or attacks are detected, an appropriate and effective response is required. The three pillars of security, Protect, Detect, and Respond, are key to a secure enterprise.

Detection in depth means taking a layered approach to find threats all over the enterprise with redundant detection mechanisms, even where there are no protective defenses. It also means verifying the output of detective sensors to build trust in signals.

Some threats are not complicated to detect. Out-of-date software, missing or stale anti-malware protection, and misconfigured policies are all threats that can lead to successful attacks. These threats can be detected easily and are among the fundamental requirements to stay secure.

Other threats are tougher to detect, such as attacks against network infrastructure or insider attacks, and detection often depends on collecting numerous logs and performing analysis. Software supply chain attacks may be particularly successful, especially if users go looking for software on the Internet on their own, and require different detection methods. Knowing your environment well makes it much easier to know if something is out of place or missing.

Even in a well-protected network, there will be successful attacks. Some of them are quite easy to identify – a new variant of an existing and common commodity malware evading anti-malware detection isn’t that hard to find if you know where to look. Even if you’re not familiar with an attack, being curious and knowledgeable enough to think “that’s weird” is often the start of detecting something new. Another key to good detection and analysis is the knowledge and resources to understand the tactics, techniques, and procedures used in today’s attacks. Even the biggest organizations need help to see parts of attacks that happen beyond systems in their control.

Determined Human Adversaries

The most dangerous attacks are targeted and perpetrated by determined human adversaries. These have been called “Advanced Persistent Attacks”, though they may not be particularly advanced or even well targeted. But they are especially perilous because they attack the enterprise, not an individual or computer, and are driven by humans who may have incredible determination and goals only known to the attackers. The adversary may come after what they think an enterprise has, not what it possesses.

Differentiating between a targeted attack and a random commodity attack can be quite difficult, since what works to compromise an organization does not depend on the attacker’s motivations. An expected penetration test and a real attack can look the same or completely different when it comes to detection. Different attacks may use similar methods and a seemingly random attack may turn out to be a determined adversary. This makes knowing previous adversary behavior incredibly important. The first encounter with a new threat can be very confusing, with time wasted chasing irrelevant details or false leads. This confusion is often compounded by the human impact of being targeted, which can bring the emotional impact of a physical attack.

In the worst case of having a determined human adversary attacking your enterprise for the first time, it is essential to have help from those who have detected these types of threats before, and a response plan on how to deal with the attacker.

Becoming World-Class

Detecting cyber threats can seem overwhelming when new threats are constantly making news and older threats are still capable of causing big problems. However, identifying threats can be made much easier by implementing protection and detection in depth. Executing the fundamentals of security daily, knowing what is normal for your enterprise environment, and having expert help in identifying the latest attack methods is key. Solid protection and rapid response capability are tied together by detection and intelligence, and the Microsoft Enterprise Threat Detection (ETD) service enables detection in depth with cybersecurity experts and global intelligence for your enterprise.

Read more at Microsoft Enterprise Threat Detection blog.



Join us at RSA Conference. Here’s your event guide for connecting with Microsoft

The RSA Conference is fast approaching and the agenda is packed with the latest technology, trends, and people that help protect our digital data. We’ll be there sharing our unique perspective through keynotes, deep-dive sessions, and on the expo floor.

Since planning your itinerary is a must to get the most out of RSA, here’s a preview of where and when you can learn about how Microsoft can help you be more secure.

Keynote Address by Brad Smith

Protecting and defending against cyber threats in uncertain times | Tuesday, February 14th, 8:35 a.m.
While many cyber attacks are the work of criminals seeking financial gain, new threats continue to emerge targeting civilians, businesses and governments. Microsoft President Brad Smith will share our perspective on what’s needed to protect and defend this critical infrastructure.

Microsoft in North Expo Hall, booth 3501

Come chat with the Microsoft Secure team in the North Expo. We’ll be there throughout the conference to show you how our $1 billion annual investment in security R&D helps organizations secure their environment and protect their customers.

Microsoft sessions at RSA Conference 2017

Tuesday, February 14th

A Vision for Shared, Central Intelligence to Ebb the Growing Torrent of Alerts | 1:15 p.m.– 2:00 p.m.
Despite the positive advancements in machine learning and intelligence, security professionals remain overwhelmed. How is it that we keep wasting time and energy on analyzing and assembling the information presented by our supposedly “intelligent” solutions? This session will explore a conjoint approach that would help our industry climb out of the sea of data that is most certainly going to drown us.

How to Go from Responding to Hunting with Sysinternals Sysmon | 1:15 p.m.–2:00 p.m.
Sysinternals Sysmon can help you precisely detect and track an attacker’s movement inside your Windows networks, but only if you know how to use it effectively. Get a deep dive from Sysmon’s author on its design, capabilities, latest enhancements, and guidance for collecting and alerting on its rich forensic data with popular log analytics services.

Advances in Cloud-Scale Machine Learning for Cyber-Defense | 3:45 p.m.–4:30 p.m.
Picking an attacker’s signals out of billions of log events in near real time from petabyte-scale storage is a daunting task, but Microsoft has been using security data science at cloud scale to successfully disrupt attackers. This session presents the latest frameworks, techniques, and the unconventional machine learning algorithms that Microsoft uses to protect its infrastructure and customers.

Wednesday, February 15th

Learnings from the Cloud: What to Watch When Watching for a Breach | 2:45 p.m.–3:30 p.m.
Protecting against account breach and misuse when using a cloud service can be challenging, as the cloud service decides what tooling is available, and control may be limited. This session will share learnings and best practices from the Office 365 engineering team: from the patterns observed, what are best practices to protect against account breach?

Securing the Making of the Next Hollywood Blockbuster | 1:30 PM–2:15 PM
Get a look behind the scenes at New Regency, the company that produced the Oscar-winning movie The Revenant to hear how employees collaborate and keep production secrets safe.

Friday, February 17th

Critical Hygiene for Preventing Major Breaches | 10:15 a.m.–11:00 a.m.
Microsoft’s Incident Response teams investigate major breaches week after week and almost always see the exact same pattern of attacks and customer vulnerabilities. Microsoft and the Center for Internet Security (CIS) will share step by step recommendations to defend against these attacks, including information on cybersecurity solutions that Microsoft has open-sourced to protect our customers.

Choose from nearly 40 theater sessions

Attend one of the 20-minute theater sessions in the Expo hall to learn more about a variety of topics including NextGen SOC, Risk Based Identity Protection, Office 365 Threat Intelligence, Detecting Threats from Enterprise Telemetry, Taking Ransomware to Task with Windows 10, and Security in Industrial IoT. Stop by booth #N3501.

Explore more about our unique approach to security at Microsoft Secure.


Stopping Cyberthreats in a new era

The explosive growth in the scale and sophistication of cyberthreats is remaking the security landscape. Today, it’s not a matter of if your organization’s data will be compromised, but a matter of when. Having a proactive protection strategy that includes pre- and post-breach components is critical to addressing advanced attacks.

Fortunately, Windows 10 has comprehensive pre-breach solutions, and with Windows Defender Advanced Threat Protection (ATP) we added a post-breach layer to the Windows security stack. And the best part? Windows Defender ATP is built into Windows 10 and designed to provide the best performance experience on your machine. It doesn’t require any additional software deployment and management.

So do you want the good news or the bad news?

Well, here’s the outcome: New hacking techniques are multiplying exponentially and old pre-breach detection techniques can’t keep up. The numbers are alarming—on average it takes an attacker minutes to get in, and security teams more than 140 days to discover it.

With the release of Windows 10 Anniversary Update, Microsoft offers Windows Defender ATP to complement the existing endpoint security stack of Windows Defender, SmartScreen, and various OS hardening features. The new service, purposely built to detect and respond to advanced attacks, leverages a deep behavioral sensor integrated into Windows 10 combined with a powerful security analytics cloud back end to enable enterprises to detect, investigate, and respond to targeted and sophisticated advanced attacks on their networks.

Next-level protection: Post-breach detection and response

Windows Defender ATP goes wide and deep, working to cover all your bases, with a focus on post-breach challenges. It’s like having a black belt team of security defense experts supporting every machine running Windows 10.

Advanced attack detection. Microsoft makes the most of its strong security analytics and rich intelligence capabilities to provide visibility into anomalies and threats from a broad base of sources. We also leverage the Microsoft Security Intelligence Graph to cull data from Windows updates and search engine results that index billions of URLs to generate potential hack alerts immediately.

Investigation and response. The portal gives SecOps tools and capabilities to investigate and respond to threats on their endpoints. You can also proactively explore your network for signs of attacks, perform forensics on specific machines, track attacker actions across machines in your network, get a detailed file footprint across your organization, submit a file for deep analysis, and with the Creators Update isolate machines, kill processes, or ban files from your network.

Threat intelligence. Get internal and external reports and indicators for known attackers and of prominent attacks (Strontium, for example), validated and enriched by an internal team of security black belts and third-party feeds. With the Creators Update, you can add your own TI to define alerts unique to your environment within Windows Defender ATP, based on IOCs.

Windows 10 and Windows Defender ATP help give you the best defense and offense when it comes to potential and actual data breaches. Learn more by downloading the ebook now.

Discover more about how this new strategic approach can make a real difference at Microsoft Secure.


4010983 – Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service – Version: 1.0

Revision Note: V1.0 (January 27, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of ASP.NET Core MVC 1.1.0. This advisory also provides guidance on what developers can do to update their applications correctly.


Confidence building measures can make a huge difference to the global online economy

January 18th, 2017

The continuing advancements of the Internet and associated technologies have brought new opportunities to governments, businesses, and private citizens. At the same time, they have also exposed them to new risks. However, Internet adoption has not been even, and countries or economies have come online in different ways and at varied paces. As a result, awareness of cyber risk and approaches to managing it can differ greatly between jurisdictions. This is particularly true when thinking about emerging economies, which have typically had a very different online journey than developed markets in Europe or the United States. One way to ensure we can address this gap is through the use of confidence building measures (CBMs).

CBMs aim to instil good cybersecurity practices across the global online economy, focusing on the critical cybersecurity work that can be done in the early stages of a country’s emergence into cyberspace. Not only can CBMs help reduce vulnerability to cybercrime in general, by embedding best practices in the foundations of a country’s approach to the Internet, but they can also complement the objectives of cybersecurity norms. This is because CBMs seek to diminish the risk of a potential online inter-state escalation by enhancing transparency of government action and encouraging cooperation around areas of common interest. This, combined with their ability to act as vehicles for sharing best practices and delivering cyber-capacity building, makes CBMs worthy of more attention.

CBMs have a particular relevance for economies that have seen very recent but rapid growth of the Internet. Unlike users in developed economies, who saw it grow incrementally over the past twenty years, users from emerging economies have had little chance to gradually adjust their behaviors online. Typically, increased internet access and more mature technological development is correlated with improvements in cybersecurity. However, our research has suggested that some emerging countries may not be ready to secure their ICT infrastructure in a way that is commensurate with the increased use of computer systems by their citizens and businesses, as well as the government itself. The consequences of this cybersecurity gap for the countries concerned could be very serious. More than this, however, the interconnectedness of the Internet at the global level makes weaknesses in one part of it a potential threat to the rest. Since the majority of the 3+ billion people online today come from the Global South, the problems posed by such gaps represent a weakness for the globe’s overall cybersecurity and, in terms of cyber conflict risks, for its real world security too.

Governments are not oblivious to the challenges outlined above. A cursory glance at a map or a timeline of cybersecurity policies, guidelines, and regulation shows us that over sixty percent of the world is currently developing some sort of cybersecurity framework, hoping to secure their critical systems, or developing laws to help them catch cybercriminals. This is where collaboration on cybersecurity, as envisioned in CBMs, can be particularly beneficial. Moreover, the returns of CBMs are also real for the global online ecosystem itself. Despite government initiatives to limit online criminal activity within their borders, cyberspace continues to be a global endeavour. Improving not only cooperation, but the overall level and consistency of cybersecurity practices, is therefore the best way of dealing with cybercriminals who show no respect for traditional borders.

There is considerable economic upside to be gained as well. The digital economy contributed $2.3 trillion to the G20’s GDP in 2010, an estimated $4 trillion in 2016, and is growing at 10% a year. For emerging markets, research suggests that the effect could be even greater. Certainly, the skills developed locally through CBMs and cybersecurity training correspond to the skills needed to enable local businesses to scale up and innovate, without having to rely on outside, more expensive talent.

For all these reasons the case for CBMs is compelling. They can equip countries to navigate the global online environment, as well as to respond operationally to international requests for assistance. They also help the public and private institutions in one country join a broader community of security experts, allowing everyone to engage in a full range of protection, detection, response and recovery activities. However, bringing them into effect is not always easy. We will all need to work together, government to government and business to government – through efforts such as these and these – to create and then promote an international corpus of effective and practical CBMs in order to deliver the confidence everyone needs to trust in the Internet and in the technology that is increasingly central to their lives.



Microsoft’s Cyber Defense Operations Center shares best practices

This post is authored by Kristina Laidler, Security Principal, Cyber Security Services and Engineering

Each week seems to bring a new disclosure of a cybersecurity breach somewhere in the world. In 2016 alone, over 3 billion customer data records were breached in several high-profile attacks globally. As we look at the current state of cybersecurity challenges today, we see the same types of attacks, but the sophistication and scope of each attack continues to grow and evolve. Cyber adversaries are now changing their tactics and targets based on the current security landscape. For example, as operating systems became more secure, hackers shifted back to credential compromise. As Microsoft Windows continually improves its security, hackers attack other systems and third-party applications.

Both the growth of the internet and the Internet of Things (IoT) are creating more connected devices, many of which are unsecured, that can be used to carry out larger Distributed Denial-of-Service (DDoS) attacks. Due to the insecure implementation of internet-connected embedded devices, they are routinely being hacked and used in cyberattacks. Smart TVs and even refrigerators have been used to send out millions of malicious spam emails. Printers and set-top boxes have been used to mine Bitcoins, and cybercriminals have targeted CCTV cameras (common IoT devices) to launch DDoS attacks.

Microsoft has unique visibility into an evolving threat landscape due to our hyper-scaled cloud footprint of more than 200 cloud services, over 100 datacenters, millions of devices, and over a billion customers around the globe and our investment in security professionals focused on secure development as well as protect, detect and respond functions. In an effort to mitigate attacks, Microsoft has developed an automated platform, as part of Microsoft Azure, that provides a rapid response to a DDoS attack. On our software-defined networks, the data plane can be upgraded to respond and stay ahead of network traffic, even while our service or corporate environment is under attack. Our DDoS protection platform analyzes traffic in real-time and has the capability to respond and mitigate an attack within 90 seconds of the detection.


Microsoft Cyber Defense Operations Center operates 24×7 to defend against cyberthreats

In November 2015, we opened the Cyber Defense Operations Center (CDOC) to bring together the company’s cybersecurity specialists and data scientists in a 24×7 facility to combat cyber adversaries.

In the year since opening, we have advanced the policies and practices that accelerate the detection, identification and resolution of cybersecurity threats, and have shared our key learnings with the thousands of enterprise customers who have visited the CDOC. Today, we are sharing a Cyber Defense Operations Center strategy brief that details some of our best practices for how we Protect, Detect and Respond to cyberthreats in real time.

Microsoft’s first commitment is to protect the computing environment used by our customers and employees to ensure the resiliency of our cloud infrastructure and services, products, devices, and the company’s internal corporate resources.

Microsoft’s protect tactics include:

  • Extensive monitoring and controls over the physical environment of our global datacenters, including cameras, personnel screening, fences and barriers and multi-factor authentication for physical access.
  • Software-defined networks that protect our cloud infrastructure from intrusions and distributed denial of service attacks.
  • Multifactor authentication is employed across our infrastructure to control identity and access management.
  • Non-persistent administration using just-in-time (JIT) and just-enough administrator (JEA) privileges for engineering staff managing infrastructure and services. This provides a unique set of credentials for elevated access that automatically expires after a pre-designated duration.
  • Proper hygiene is rigorously maintained through up-to-date, anti-malware software and adherence to strict patching and configuration management.
  • Microsoft Malware Protection Center’s team of researchers identify, reverse engineer and develop malware signatures and then deploy them across our infrastructure for advanced detection and defense. These signatures are available to millions of customers using Microsoft anti-malware solutions.
  • Microsoft Security Development Lifecycle is used to harden all applications, online services and products, and to routinely validate its effectiveness through penetration testing and vulnerability scanning.
  • Threat modeling and attack surface analysis ensures that potential threats are assessed, exposed aspects of the service are evaluated, and the attack surface is minimized by restricting services or eliminating unnecessary functions.
  • Classifying data according to its sensitivity—high, medium or low business impact—and taking the appropriate measures to protect it, including encryption in transit and at rest, and enforcing the principle of least-privilege access provides additional protection.
  • Awareness training that fosters a trust relationship between the user and the security team to develop an environment where users will report incidents and anomalies without fear of repercussion.

Having a rich set of controls and a defense-in-depth strategy helps ensure that should any one area fail, there are compensating controls in other areas to help maintain the security and privacy of our customers, cloud services, and our own infrastructure environment.

Microsoft operates under an Assume Breach posture. This simply means that despite the confidence we have in the defensive protections in place, we assume adversaries can and will find a way to penetrate security perimeters. It is then critical to detect an adversary rapidly and evict them from the network.

Microsoft’s detect tactics include:

  • Monitoring network and physical environments 24x7x365 for potential cybersecurity events, with behavior profiling based on usage patterns and an understanding of unique threats to our services.
  • Identity and behavioral analytics are developed to highlight abnormal activity.
  • Machine learning software tools and techniques are routinely used to discover and flag irregularities.
  • Advanced analytical tools and processes are deployed to further identify anomalous activity and innovative correlation capabilities. This enables highly-contextualized detections to be created from the enormous volumes of data in near real-time.
  • Automated software-based processes that are continuously audited and evolved for increased effectiveness.
  • Data scientists and security experts routinely work side-by-side to address escalated events that exhibit unusual characteristics requiring further analysis of targets. They can then determine potential response and remediation efforts.

When we detect something abnormal in our systems, it triggers our response teams to engage.

Microsoft’s respond tactics include:

  • Automated response systems using risk-based algorithms to flag events requiring human intervention.
  • Well-defined, documented and scalable incident response processes, within a continuous improvement model, help keep us ahead of adversaries by making these processes available to all responders.
  • Subject matter expertise across our teams in multiple security areas, including crisis management, forensics, and intrusion analysis, together with a deep understanding of the platforms, services and applications operating in our cloud datacenters, provides a diverse skill set for addressing incidents.
  • Wide enterprise searching across cloud, hybrid, and on-premises data and systems to determine the scope of the incident.
  • Deep forensic analysis of major threats is performed by specialists to understand incidents and to aid in their containment and eradication.
  • Microsoft’s security software tools, automation and hyper-scale cloud infrastructure enable our security experts to reduce the time to detect, investigate, analyze, respond, and recover from cyberattacks.

This strategy brief contains a lot of data and tips that I hope you will find useful. You can download the Cyber Defense Operations Center strategy brief to gain more insight into how we work to protect, detect and respond to cybersecurity threats. And I encourage you to visit the Microsoft Secure website to learn more about how we build security into Microsoft’s products and services to help you protect your endpoints, move faster to detect threats, and respond to security breaches.


Rules-making in technology: Examining the past and predicting the future

January 17th, 2017

Are the rules and regulations being put in place today, from the Chinese cybersecurity law to the EU’s General Data Protection Regulation (GDPR), going to be appropriate for the world 10 years from now? And if not, should this be of concern? To answer these questions, we need to learn from the past.

The technology concerns of 10 years ago are still with us in some ways, e.g. worries about data being accessed by the wrong people and important systems becoming vulnerable to cyberattacks, but much has changed as the technology has continued to develop and spread through our businesses, communities, governments, and private lives. As a result, the regulations in place in 2006 have had to be replaced, e.g. the US-EU Safe Harbour with Privacy Shield, or have been wholly supplanted, e.g. the emergence of new approaches to cybersecurity and critical infrastructure. Now that I look at it, the world of 10 years ago seems more distant than I expected. Technology was far from ubiquitous and the services offered more limited, the rules familiar but sometimes at a tangent to today’s.

2006 was an important year in technology development: Facebook emerged from university campuses and Google bought YouTube. The policy agendas of governments and regulators were driven by concerns about child online safety, e-skills and lifelong learning, access to broadband, e-commerce and online banking, and, yes, market dominance. This is not to discount the importance of these issues at the time, but cybersecurity then was more often viewed as avoiding exotically named viruses rather than combating the organized cybercrime we now face, whilst privacy was seen as protecting the vulnerable from online exploitation rather than through today’s post-Snowden lens.

Could 2006’s policy-makers have prepared better for the issues we now face? That seems unlikely. For one thing, policy-makers would have been hard-pressed to have predicted the direction of technology; self-driving cars were a near-fringe idea (Google’s first major steps were in 2005), smartphones had not yet taken off (the iPhone was launched on January 9, 2007) and 3D printing was an industrial process (the first commercial printer came out in 2009). For another thing, these policy-makers were not operating in a vacuum; the rules they were putting in place had to deal with immediate challenges and had to be built on structures and laws that dated to the turn of the millennium.

This shortfall may actually have been a good thing for technology in 2016. Regulations and laws define and fix things, disallowing certain behaviors or requiring others. This can be hard enough to do successfully with well-understood issues, but for nascent technologies or business models it must be exceptionally difficult. Without undue constraints, technology was able to develop “naturally”: technologies found business models and technical solutions that worked, then built up momentum to emerge at a stage where today they are robust enough to be more closely scrutinized and, perhaps, regulated.

So, following a similar pattern, should our 2016 efforts at rule-making focus on our immediate issues and leave the future to, in some sense, sort itself out? Perhaps. The emergence of advanced machine learning or of the Internet of Things means those technologies can’t really be legislated for right now, because we don’t know what they will mean in practical terms for businesses and consumers, criminals and law enforcers, and so on. And yet, on the other hand, the technology of tomorrow is being shaped by the decisions of today. For example, rules currently being considered about data localization or cross-border data flows will shape the future of cloud computing, whilst concerns over privacy or intellectual property will shape big data and machine learning. The wrong choices now could undermine the potential of many technologies and tools.

The answer to whether or not today’s rules are going to be appropriate for 2026 is not, therefore, black and white. We need rules today that reflect technology today, because the old rules aren’t necessarily fit for purpose any more. Equally, we have to acknowledge that rules we create today aren’t always going to last long in the face of technological evolution. This could lead us to conclude we need to have a new way of regulating technology, one that might focus on outcomes for example (and that would be a separate blog), but it could also lead us to conclude that ingenuity and innovation can thrive in the gaps we leave and can even be encouraged by imperfect situations.

Whilst there can be no excuse for making rules that assume the world and technology won’t change over a decade, we also don’t have to constantly second-guess our future at the price of having useful rules today. In 2026 we might look back at today with a similar feeling to that we currently experience on looking back at 2006: familiarity, perhaps nostalgia, combined with a sense that things really have moved. This won’t necessarily be a bad thing.


Cybersecurity’s perfect storm

The unprecedented scale and sophistication of modern cyberthreats, combined with the rapidly disappearing IT perimeter, means that while preventing an attack from becoming a breach is ideal, it is no longer realistic.

Microsoft proactively monitors the threat landscape for emerging threats, to help better protect our customers. This involves observing, across billions of machines, the activities of targeted activity groups, which are often the first to introduce new exploits and techniques that are later used by other attackers.

So how can organizations defend against this triple threat of scale, sophistication, and a disappearing perimeter?

Organizations need an approach to security that looks holistically across all critical endpoints, at all stages of a breach—before, during, and after. This means having tools that can not only protect against compromise, but can also detect the early signs of a breach and respond rapidly before it can cause damage to your system.

Windows Defender Advanced Threat Protection is a new post-breach security layer, designed to reduce the time it takes to detect, investigate and respond to advanced attacks. This post-breach layer assumes breach and is designed to complement prevention technologies in the Windows 10 security stack, such as Windows Defender Antivirus, SmartScreen, and various other OS hardening features.

By combining deep behavioral sensors with powerful cloud security analytics, Windows Defender ATP offers an unparalleled detection, investigation and response experience. It uses behavioral analytics proven to detect unknown attacks, and security data from over 1B machines to establish what’s normal. This is then coupled with support from our own industry-leading hunters. Recordings of activity across all endpoints over the last 6 months allow users to go back in time to understand what happened.

Windows 10 has the protection you need, built-in

Windows Defender ATP is built into Windows 10, and provides a comprehensive post-breach solution to help security teams identify suspicious threats on your network that pre-breach solutions might miss.

Windows 10 and Windows Defender Advanced Threat Protection give you the future of cybersecurity NOW. Find out more at Microsoft Secure.

Should we retaliate in cyberspace?

This post is authored by Gene Burrus, Assistant General Counsel

The hack of the San Francisco transit system and the subsequent hack back by a third party makes for a twenty-first century morality tale in some ways. The perpetrator of a ransomware blackmail is given a dose of his/her own medicine, undone by his/her own poor security practices. Painted at a larger scale, however, is the picture equally salutary? Recent accusations of state or state-sponsored hacking during the US Presidential campaign led to threats of retaliation between what are arguably the world’s two preeminent nuclear powers.

At the heart of most thinking about good behavior you are likely to find the concept of consequences for actions, and even the concept of preemptive deterrence of bad actions. Those concepts of consequence and deterrence have not become embedded in our online expectations and behaviors. This may be because cyberspace is still a new “public space” and people are still working out how to behave. It is also likely, perhaps, because cyberspace allows levels of anonymity and remote action unprecedented in the real world. People do things because they think there will be no consequences, no “pay back”. There is certainly an argument to be made, then, for hackers and cybercriminals being subject to payback in some form, if for no other reason than to begin to underpin a behavioral system in cyberspace of “do as you would be done unto”.

Is this, however, the way forward that we should collectively take? There are, after all, existing laws that apply to cybercriminals, and new laws are being brought into existence as both technology and criminality evolve. However, the reality of enforcement is that most cybercriminals will never be caught and operate with near impunity.

Is “retaliation” something individuals or even companies should be able to engage in, if there is a functional legal system and a police force to do it in their place? Vigilantism, mob-justice and corporate extra-judicial actions wouldn’t look any more attractive online than they do in the real world. After all, can the retaliator be certain that the right person has been targeted? And if so, what is a proportionate response? If you hack my social media profile, is it fair for me to erase your bank account?

Furthermore, could “attack back” policies open another potential cause of state-to-state conflict in cyberspace? Certainly that risk might exist if state-owned enterprises (SOEs) became involved, as retaliator or retaliated-against. Even carrying out seemingly simple actions against a hacker might inadvertently breach national laws in the target’s jurisdiction, thereby involving “real world” police and state institutions where previously they were not.

On the other hand, there may be ways to ‘hack back’ that fall short of the ‘tit for tat’ retaliation commonly thought of, and instead facilitate catching criminals, disrupt their operations, or deprive them of the fruits of their illegal conduct. The challenge is in making cyberspace a less consequence-free realm in which criminal predators can seek victims. A colleague of mine recently mentioned the digital equivalent of “dye packs”; the ability to trace criminals through what they steal might be helpful. Still, for every measure taken by the forces of law and order, a countermeasure can be developed by criminals and others who operate outside the law. This is not an argument for inaction but for the realization that there is unlikely to be a silver bullet for cybercrime through hacking back.

If genuine progress is to be made on these issues, the technology industry, law enforcers, lawyers and concerned society groups will have to consider at least three questions about hack back technologies and actions. First, what is technically feasible? Second, what is legal, and for whom? Will law enforcement or private actors be legally allowed to use certain tools or tactics, and should some laws be changed to accommodate technical innovations that might be used to deter, track or punish criminal activity? And against the backdrop of both of these questions will be the question of what policies and tools would be wise to deploy and would not do more harm than good. The intersection of these three questions may show the way forward on making cyberspace a place where crime doesn’t pay.


MS17-002 – Important: Security Update for Microsoft Office (3214291) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (January 10, 2017): Bulletin published
Summary: This security update resolves a vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


MS17-JAN – Microsoft Security Bulletin Summary for January 2017 – Version: 1.1

Revision Note: V1.1 (January 10, 2017): Bulletin Summary revised to change the severity of CVE-2017-0003 to Important. This is an informational change only.
Summary: This bulletin summary lists security bulletins released for January 2017.


MS17-004 – Important: Security Update for Local Security Authority Subsystem Service (3216771) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (January 10, 2017): Bulletin Published
Summary: A denial of service vulnerability exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests. An attacker who successfully exploited the vulnerability could cause a denial of service on the target system’s LSASS service, which triggers an automatic reboot of the system.


MS17-001 – Important: Security Update for Microsoft Edge (3214288) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (January 10, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Edge. This vulnerability could allow elevation of privilege if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Microsoft Edge.


MS17-003 – Critical: Security Update for Adobe Flash Player (3214628) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (January 10, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.


MS16-002 – Critical: Security Update for Microsoft Office (3214291) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (January 10, 2017): Bulletin published
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


3214296 – Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege – Version: 1.0

Revision Note: V1.0 (January 10, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in the public version of Identity Model Extensions 5.1.0. This advisory also provides guidance on what developers can do to help ensure that their apps are updated correctly.
