MFA Archives - Microsoft Industry Blogs - United Kingdom
http://approjects.co.za/?big=en-gb/industry/blog/tag/mfa/
Tue, 07 Sep 2021 13:16:13 +0000

How to future-proof and secure your organisation against cyberattacks
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2021/09/06/future-proof-secure-against-cyberattacks/
Mon, 06 Sep 2021 12:07:31 +0000

Learn how to take a multi-faceted response of business, technology, and operations against cyberattacks to stay innovative and competitive.

The post How to future-proof and secure your organisation against cyberattacks appeared first on Microsoft Industry Blogs - United Kingdom.

[Graphic: The evolving threat landscape. Phishing attacks: 72% to 83%; viruses and malware: 33% to 9%; ransomware: 17% to 7%. Source: NCSC Cyber Security Breaches Survey 2021]

The evolving threat landscape has highlighted how attackers are refining their tactics and techniques. It also shows just how far they’re willing to go to disrupt organisations with cyberattacks.

Let’s take the example of human-operated ransomware and the deliberate targeting of critical infrastructure. These attacks are designed to cause as much financial, operational and societal impact as possible. That impact is often compounded by pressure from consumers, media and government, and by core supply chains being cut off or severely disrupted. While the motivation behind a cyberattack varies, there is a rise in recklessness: attackers go beyond disruption into destruction as they learn how to combat and evade security defences. This leaves business leaders feeling they have limited options. With the response likely to play out in the public domain, they often feel they must pay the extortion demands, either to restore services or to prevent further disruption.
[Graphic: 39% of organisations had a cyber breach or attack in the last 12 months. One in five lost money, data or other assets. Source: NCSC Cyber Security Breaches Survey 2021]

Enterprise resilience is needed to recover from human-operated cyberattacks. This goes beyond cyber resilience alone. It requires a multi-faceted business, technology and operational response to recover services as quickly and effectively as possible across all domains. Resilience is the ability of the business to recover from failures and continue to function in adverse conditions. It’s not about avoiding failures. It’s about taking proactive action to detect and respond to failures in a way that reduces downtime or data loss.

In the Microsoft Societal Resilience research program, we define resilience as the capacity to anticipate, absorb, and adapt to disruption. As Dr Peter Lee, Microsoft CVP of Research and innovations, says: “If we don’t acknowledge our risks, we can’t anticipate and prepare for them”. This is especially true in today’s world of radical innovation, where the threat actors often move faster than organisations do.

[Graphic: Just 3 in 10 businesses have business continuity plans that cover cybersecurity. Source: NCSC Cyber Security Breaches Survey 2021]

Planning for enterprise resilience against cyberattacks

Business continuity and information protection are absolute requirements for every business. But they can entail cost, complexity, compliance overhead and resources to maintain. Using a cloud-based strategy helps to mitigate many of these issues. Building reliable and secure systems in the cloud is a shared responsibility. The reliability ‘of’ the cloud is the responsibility of the cloud service provider. The reliability ‘in’ the cloud is the responsibility of the organisation. However, according to the National Cyber Security Centre, only three in 10 businesses have business continuity plans that cover cybersecurity.

How to build a secure cloud strategy

The goal of reliability is to ensure availability for services and maintain reliable systems. Resilience is the how. The goal is to achieve reliability and respond to failure to avoid downtime and data loss.

Those new to cloud should begin with Azure’s Cloud Adoption Framework, to determine business drivers and strategy. The Microsoft Azure Well-Architected Framework is a set of guiding tenets that architects, developers and solution owners can use to build and optimise reliable, secure and resilient services in the cloud.

Design for reliability and security

Designing for reliability requires an assume-failure mindset. Designing for security requires an assume-compromise mindset.

Cyber risk is hard to mitigate. Adversaries work to counteract the business continuity strategy by actively adapting to, and navigating around, the controls that the business has implemented. If a plan is too rigid and does not anticipate change, it can fail because the business is not able to react and pivot quickly enough to the pace of change or of the cyberattack itself.

Machine learning and AI can take the pressure off IT or security teams with real-time threat detection and automation. This allows them to focus on higher value tasks, such as designing resilient workloads.

Choose the right workload

Designing workloads that are resistant to both natural disasters and malicious human intervention such as cyberattacks requires a thoughtful combination of high availability, disaster recovery and backup solutions. Across the whole environment, you need to consider how likely the primary control is to fail and the potential organisational risk if it does. Additionally, you need to counteract any of these with mitigating factors.

  • High availability (HA): The ability of the application or service to continue running in a healthy state, without significant downtime.
  • Disaster recovery (DR): The ability to recover from rare but wide-scale failures. For example, service disruption that affects an entire region.
  • Data backup: A critical part of resiliency, distinct from storage redundancy solutions.

You can specifically address HA and DR needs with storage redundancy solutions that simultaneously replicate data and services to an alternative location. However, a secondary location can be impacted at the same time a near-real-time attack encrypts data in a primary location. This results in data loss or corruption.

When designing a backup solution for business-critical data in the cloud, consider a tertiary, immutable backup (write-once-read-many). This is held both physically and logically apart from any primary and secondary backups. As a result, there is another layer of protection against data loss, corruption or malicious encryption. This is a good option for highly sensitive and regulated entities that are legally required to retain data. Azure Backup provides security features to help protect backup data even after deletion; one such feature is soft delete. If a backup is accidentally or maliciously deleted, soft delete retains it for an extra 14 days. Remember to validate and test backup and restore procedures regularly.

Protect privileged identities against cyberattacks

One of the most overlooked parts of resilience is protecting the identities that have access to backups. If those identities are compromised, the accounts can be used to encrypt or delete backups. Even with soft delete, a compromised account with the appropriate rights can disable the feature before deleting backups.

Attackers deliberately target these resources because doing so impairs the ability to recover. Mitigate this by granting accounts the minimum privilege required to accomplish their assigned tasks. Limit the number of accounts with access to backups (but include a break-glass account). Protect these with multi-factor authentication (MFA), which stops 99.9% of account compromise attacks. You should also consider just-in-time and just-enough access using dedicated privileged access workstations (PAWs). Log and monitor all changes for verification and compliance.
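The post's point is that the dangerous sequence is "disable soft delete, then delete backups", and that such changes must be logged and monitored. The following is an added example, not code from the post or from Azure Backup: it runs a small detection over constructed activity-log style events, flagging a principal that switched soft delete off and then deleted protected items from the same vault within an hour, and separately listing deletions that are still recoverable under the 14-day soft delete window. The event fields and operation names are assumptions modelled on Azure Activity Log conventions.

```python
"""Detect 'disable soft delete, then delete backups' in activity-log style events.

Added example, not from the post. Operation names and the event layout are
assumptions modelled on Azure Activity Log conventions; the events are constructed.
"""
from datetime import datetime, timedelta

# Operation names are assumptions (Azure Activity Log style), not taken from the post.
DISABLE_SOFT_DELETE = "Microsoft.RecoveryServices/Vaults/backupconfig/write"
DELETE_BACKUP = ("Microsoft.RecoveryServices/Vaults/backupFabrics/"
                 "protectionContainers/protectedItems/delete")
SOFT_DELETE_RETENTION = timedelta(days=14)  # retention window stated in the post

# Constructed sample events: (timestamp, caller, operation, vault, detail)
SAMPLE_EVENTS = [
    ("2021-09-06T09:01:00", "alice@example.test", DISABLE_SOFT_DELETE, "vault-prod",
     "softDeleteFeatureState=Disabled"),
    ("2021-09-06T09:04:00", "alice@example.test", DELETE_BACKUP, "vault-prod", "vm-sql-01"),
    ("2021-09-06T09:05:00", "alice@example.test", DELETE_BACKUP, "vault-prod", "vm-sql-02"),
    ("2021-09-06T11:30:00", "bob@example.test", DELETE_BACKUP, "vault-dev", "vm-test-09"),
    ("2021-09-07T08:00:00", "carol@example.test", DISABLE_SOFT_DELETE, "vault-prod",
     "softDeleteFeatureState=Enabled"),
]


def parse(events):
    """Convert ISO timestamps to datetime and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), caller, op, vault, detail)
                  for ts, caller, op, vault, detail in events)


def find_disable_then_delete(events, window=timedelta(hours=1)):
    """Return {(caller, vault): [deleted items]} for every caller who switched
    soft delete off on a vault and then deleted protected items from that same
    vault within `window`. Those deletions are not covered by soft delete."""
    disabled_at = {}  # (caller, vault) -> time soft delete was switched off
    alerts = {}
    for ts, caller, op, vault, detail in parse(events):
        key = (caller, vault)
        if op == DISABLE_SOFT_DELETE and "Disabled" in detail:
            disabled_at[key] = ts
        elif op == DELETE_BACKUP and key in disabled_at and ts - disabled_at[key] <= window:
            alerts.setdefault(key, []).append(detail)
    return alerts


def recoverable_deletions(events):
    """List (vault, item, recover_by) for deletions made while soft delete was
    still on; the item can be restored until ts + 14 days. A vault is assumed
    to have soft delete on until a 'Disabled' config write is seen."""
    soft_delete_on = {}  # vault -> bool
    out = []
    for ts, caller, op, vault, detail in parse(events):
        if op == DISABLE_SOFT_DELETE:
            soft_delete_on[vault] = "Enabled" in detail
        elif op == DELETE_BACKUP and soft_delete_on.get(vault, True):
            out.append((vault, detail, ts + SOFT_DELETE_RETENTION))
    return out


if __name__ == "__main__":
    print("disable-then-delete:", find_disable_then_delete(SAMPLE_EVENTS))
    print("still recoverable:", recoverable_deletions(SAMPLE_EVENTS))
```

Bob's deletion on vault-dev is not alerted because soft delete was still on, so it shows up in the recoverable list instead; Alice's two deletions follow her disabling soft delete and are the ones to escalate.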

Validate your response to cyberattacks

[Graphic: Are organisations ready? 34% run cybersecurity assessments. 20% run mock-phishing exercises. 15% audit vulnerabilities. Source: NCSC Cyber Security Breaches Survey 2021]

To truly know whether your strategy can hold up against cyberattacks, you need to measure reliability and security and understand the resilience of the system. This means testing end-to-end workloads against a range of severe but plausible scenarios.

Chaos engineering is the practice of subjecting cloud applications and services to real world failures and dependency disruptions to build, measure and improve resilience. Fault injection is the deliberate introduction of a failure into a system to validate robustness and error handling.

We use fault injection at Microsoft to induce a major failure or disaster and validate both the recovery and incident management processes. We place strict access controls around this capability, to prevent accidents or abuse by a malicious attacker and to limit the impact of the testing. This enables the business and IT to consider and prepare, in a safe environment, for a range of scenarios that determine the robustness and design of the overall solution. It also increases the resilience of, and confidence in, Azure and our services.

Microsoft Ignite 2021 provided a first look at Azure Chaos Studio, our upcoming native chaos engineering and fault injection service. This will help organisations to measure, understand and improve the resilience of their Azure applications.

Anticipate and adapt

Organisations require a level of preparedness that anticipates and adapts to a range of scenarios, whether accidental or malicious. The strategy needs to be flexible to adapt to the evolving threat landscape and be capable of delivering effective and scalable enterprise-wide recovery.

The good news is that cloud architectures can help improve enterprise resilience goals whilst enabling effective business continuity.

Find out more

Learn more about backup and disaster recovery

Human-operated ransomware attacks: A preventable disaster

Rapidly protect against ransomware and extortion

Resources to empower your development team

Cybersecurity best practices to implement highly secured devices

Introduction to cybersecurity learning path 

Data discovery, classification and protection learning path

About the authors


Sarah Armstrong-Smith is Chief Security Advisor in Microsoft’s Cybersecurity Solutions Area. She principally works with strategic customers across Europe, to help them evolve their security strategy and capabilities to support digital transformation and cloud adoption.

Sarah has a background in business continuity, disaster recovery, data protection and privacy, as well as crisis management. Combining these elements means she operates holistically to understand the cybersecurity landscape, and how this can be proactively enabled to deliver effective operational resilience.

Sarah is recognised as one of the most influential women in UK Tech and UK cybersecurity. She regularly contributes to thought leadership and industry publications.


Previously lead investigator for Microsoft’s detection and response team (DART), Lesley Kipling has spent more than 17 years responding to our customers’ largest and most impactful cybersecurity incidents. As Chief Cybersecurity Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning. She holds a Master of Science in Forensic Computing from Cranfield University in the United Kingdom.

How multi-factor authentication empowers secure hybrid working
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2021/09/01/how-multi-factor-authentication-empowers-secure-hybrid-working/
Wed, 01 Sep 2021 07:00:49 +0000

The post How multi-factor authentication empowers secure hybrid working appeared first on Microsoft Industry Blogs - United Kingdom.

[Image: Side view close-up of a man typing on his phone while standing behind a Microsoft Surface Studio.]

As we increasingly work outside the office and across different devices, organisations are looking at cloud modernisation and resilient security strategies. To adapt to a complex modern environment, organisations need a strategy that embraces the mobile workforce and empowers productivity, all while protecting people, devices and data no matter where they’re located. Enabling identity-based security is key to adapting to the hybrid workplace. And multi-factor authentication (MFA) is one of the baseline components of any identity infrastructure.

Multi-factor authentication adds another layer of protection to the sign-in process. After all, if you only use a password to authenticate users, it leaves an insecure vector for attack. What if the password was weak? Or if it was exposed elsewhere? Are you sure that person signing in is really the user? When you require a second form of authentication that isn’t easy to obtain, you are building another layer of security.

Therefore, ensuring you use the right type of MFA service is of critical importance. Different MFA solutions can have a dramatic impact on cost, user experience and your resilience to service outages and attacks. In this post we’re going to look at some of these factors and make some recommendations to ensure your MFA solution enables your organisation, and your people, to be productive safely.

1. Optimise security processes to bring down costs

[Image: Man in a collared shirt working on a server station inside a secure room. Coworkers and large monitors are in the background.]

A common entry point for cyber attackers is a credential-based attack, used to access networks and steal data or spread ransomware. However, multi-factor authentication stops 99.9 percent of credential-based attacks. That’s why MFA really is one of the most fundamental security measures. At Microsoft, we deploy MFA to protect our customers, our data, our systems and our business. Azure AD MFA is used across our consumer platforms like Outlook.com and Xbox, as well as thousands of other online services. In fact, it’s foundational to our five steps to secure your identity infrastructure.

Online retailer ASOS uses Azure AD (including MFA) to protect identity as the new perimeter. By automating provisioning and deprovisioning of user accounts across its SaaS landscape, it has reduced costs and errors, all while improving productivity.

“Our service desk spends much less time setting up users and creating or deleting accounts, which gets our costs down,” says Mark Lewis, Infrastructure Architect at ASOS. “We made our lives easier by adopting Azure Active Directory—we’ve saved time and money, improved the employee experience, and enhanced the security of our entire SaaS ecosystem.”

Where cost may be a blocking factor, in Azure AD the options to use SMS and phone-based MFA are free. In the case where certain users might be specifically targeted, you can selectively upgrade people to P1 or P2 licensing models and nudge people towards using the Microsoft Authenticator app with a one-time-password or notification-based MFA.

These days, it’s easy to enable MFA for all with one click. However, you don’t have to take a single, big-bang approach. You can onboard users into MFA in batches that are digestible by your service desk. Typically, 10 percent of any given batch will need support, so the ability to onboard in batches has a dramatic impact on the cost of deploying MFA. For employees, using multi-factor authentication when paired with single sign-on can increase productivity as they can access everything they need without re-entering passwords.

And if there is still resistance, this is one of those measures which business leaders should by now expect. We’ve seen the reports of the cost and reputational damages that security breaches can have on organisations. Leaders should be challenging IT to ensure the safety of their customers, employees, systems and data. And MFA is one of the critical elements to delivering that.

2. Balance security and productivity with multi-factor authentication

[Image: A woman working from home on a Teams call.]

Pre-cloud, security was ring-fenced around the data centre and the physical office, with the network perimeter as the main defence. Often, these environments featured early methods of MFA, such as one-time passcode fobs or smart cards. However, on-premises environments can be open to attack through misconfigured web and VPN services, lack of patching and credential hygiene issues.

As organisations move to hybrid cloud-based environments, they can take advantage of existing Zero Trust capabilities with the knowledge that we will be investing a further $20 billion in our security solutions over the next five years to help defend against ransomware and other threats. With MFA in Azure AD you are consolidating your identity services into a strong and highly trusted environment. You’re not only increasing your resilience to ransomware and supply chain attacks, but also other outages that can occur on-premises.

Durham University used MFA and Azure AD to ensure its staff and students could keep learning remotely. They use single sign-on to access everything they need whilst keeping their intellectual property secure. “By migrating to Azure AD, we’ve moved the responsibility of high availability to Microsoft, who, let’s face it, are scaled to do a better job than we could. Our services are much more resilient,” says Craig Churchward, Technical Specialist for Windows Platform.

You can also maximise your ability to take advantage of new features as they are delivered, without any concerns for integration and support across vendors. Additionally, older platforms often involve backend server infrastructure, physical tokens and the man-hours needed to issue, replace and troubleshoot those tokens. With Azure AD MFA, users no longer need physical tokens. Additionally, there’s no server infrastructure to maintain. Your IT and security teams can focus on high-value tasks.

3. Multi-factor authentication empowers secure hybrid working

[Image: An employee experience empowers workers. A man works from home on a Teams call.]

A core tenet of Zero Trust is never trust, always verify. Regardless of where the request originates or what resource it accesses, it is always fully authenticated, authorised and encrypted before access is granted. This helps build secure hybrid working. It makes it easier for employees to connect from anywhere, on different devices, while protecting organisational data.

MFA and Conditional Access are key to Rabobank’s mobility strategy. “We require multi-factor authentication for mobile access today and have Conditional Access policies set up to require new device enrollments to happen on the corporate network. Most importantly, people can enroll and get access quickly—which is good, because we didn’t want to create this digital workplace and slow people down with security,” says Abe Boersma, Global Head of Workplace Services.

Identity is now recognised as one of the core services we use to secure the enterprise. Your identity stack, including your MFA service, is a key component of Microsoft’s security control plane. You can discover more in the guidance found in the Microsoft Cybersecurity Reference Architectures (MCRA) and Enterprise Admin Model.

4. Build a strong security culture

A human-first security culture will help employees stay productive and secure in the hybrid workplace. One factor of this is to have a strong password policy. At Microsoft, we see over 10 million username/password pair attacks every day. Build your strategy on updated password policy guidance from NIST, NCSC and Microsoft. Using technology such as Windows Hello for Business, the Microsoft Authenticator app and FIDO2 tokens alongside MFA will help to reduce successful credential attacks. You can find out more about passwordless tech from Microsoft Security Team member Alex Weinert in his blog, Your Pa$$word doesn’t matter.

If passwords are going to be with you for the foreseeable future, Azure AD Password Protection helps users select passwords that are not commonly known and Azure AD Self-Service Password reset will minimise the operational cost of passwords.

5. Close the door on insecure legacies

From our research, we’ve seen that most opportunistic attacks target legacy authentication protocols, which bypass MFA. But there is an effective control to prevent this. Disabling legacy authentication and enabling MFA is one of the most impactful things you can do to prevent credentials from being compromised. Microsoft provides the tools for you to accomplish this. In new Azure tenants, legacy authentication protocols are disabled by default, but many existing tenants still have them enabled.
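Before blocking legacy authentication in an existing tenant, the practical first step is to find out who still signs in with it, so that those users can be moved to modern clients rather than cut off. The following is an added example, not code from the post or from Azure AD: it triages constructed sign-in records, treating any client other than a browser or a modern mobile/desktop app as legacy, and reports per user which legacy protocols succeeded and how many legacy attempts failed. The record layout and the clientAppUsed values are assumptions modelled on Azure AD sign-in log conventions.

```python
"""Triage sign-in records for legacy authentication before switching it off.

Added example, not from the post. The records are constructed and the field
names are assumptions modelled on Azure AD sign-in log conventions.
"""
import json
from collections import defaultdict

# Clients that support modern authentication (and therefore MFA); anything else is
# treated as legacy. Assumption following the usual clientAppUsed convention.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample sign-in records, one JSON object per line.
# errorCode 0 is a successful sign-in; any other value is a failure.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.test", "clientAppUsed": "Browser", "errorCode": 0}
{"userPrincipalName": "alice@example.test", "clientAppUsed": "IMAP4", "errorCode": 0}
{"userPrincipalName": "bob@example.test", "clientAppUsed": "Exchange ActiveSync", "errorCode": 0}
{"userPrincipalName": "bob@example.test", "clientAppUsed": "Authenticated SMTP", "errorCode": 50126}
{"userPrincipalName": "bob@example.test", "clientAppUsed": "Authenticated SMTP", "errorCode": 50126}
{"userPrincipalName": "carol@example.test", "clientAppUsed": "Mobile Apps and Desktop clients", "errorCode": 0}
"""


def parse_signins(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(event):
    """True when the client cannot complete MFA, i.e. legacy authentication."""
    return event["clientAppUsed"] not in MODERN_CLIENTS


def legacy_usage_report(events):
    """Per user: which legacy protocols succeeded (those users need migrating
    before a block policy lands) and how many legacy attempts failed (noise that
    a block policy also removes). Users with no legacy sign-ins are omitted."""
    report = defaultdict(lambda: {"succeeded": set(), "failed": 0})
    for event in events:
        if not is_legacy(event):
            continue
        entry = report[event["userPrincipalName"]]
        if event["errorCode"] == 0:
            entry["succeeded"].add(event["clientAppUsed"])
        else:
            entry["failed"] += 1
    return {user: {"succeeded": sorted(v["succeeded"]), "failed": v["failed"]}
            for user, v in report.items()}


def users_to_migrate(events):
    """Sorted users who successfully signed in with a legacy protocol."""
    report = legacy_usage_report(events)
    return sorted(user for user, v in report.items() if v["succeeded"])


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNINS)
    print(json.dumps(legacy_usage_report(records), indent=2))
    print("migrate first:", users_to_migrate(records))
```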

Building a secure hybrid workforce

Multi-factor authentication is becoming increasingly important for an organisation’s cybersecurity. To stay resilient, organisations need to ensure employees can securely and easily access their work across devices, no matter where they are. MFA helps achieve this. Also, by modernising MFA, organisations can increase their resilience to attacks and service outages. They can also improve agility in adopting new features while supporting legacy systems.

Find out more

Build a modern security strategy

Security and mobility

Discover MFA

Resources to empower your development team

Secure Azure Active Directory users with Multi Factor Authentication

Manage identity and access in Azure Active Directory 

How Multi Factor Authentication provides secure access to resources

About the author

Gavin works within the Customer Success team at Microsoft. His aim is to make customers more productive, more secure, and ultimately more successful through features like Azure AD. Having seen what modern ransomware attacks can do up close, Gavin is passionate about helping keep an organisation’s customers, staff, systems and data safe. He is also a keen cyclist (on and off road), husband and father to three young children. You can catch him on Twitter @gvnshtn and on LinkedIn.
