Attackers haven’t wasted any time capitalizing on the rapid move to hybrid work. Every day cybercriminals and nation-states alike have improved their targeting, speed, and accuracy as the world adapted to working outside the office. These changes have put “cybersecurity issues and risks” at the top of the list when it comes to worries or concerns for business decision-makers in the year ahead, as shown in new data from Microsoft’s 2022 Work Trend Index.[1] Malware, stolen credentials, phishing attacks, devices that lack security updates, user error, and physical attacks on lost or stolen devices are major concerns for security and IT teams as they try to protect their workforce.
In 2021, protections built into Windows, Azure, Microsoft 365, and Microsoft Defender for Office 365 have blocked more than 9.6 billion malware threats, more than 35.7 billion phishing and other malicious emails, and 25.6 billion attempts to hijack our enterprise customers by brute-forcing stolen passwords—that’s more than 800 password attacks per second. The intelligence we get from this, combined with the 8,500 security professionals we have and 24 trillion security signals processed by our cloud every 24 hours, gives us a unique view into what our customers need to protect themselves from threats now and in the future. The combination of modern hardware and software required for Windows 11, delivered alongside our ecosystem partners, is what will enable us to help protect our customers from wherever and however they choose to work.
Security designed for hybrid work
In a future release of Windows 11, you’re going to see significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software. Microsoft has made groundbreaking investments to help secure our Windows customers with hardware security innovations like Secured-core PCs. Our data shows that these devices are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. The stronger protection these devices provide helped build the foundation that the Windows 11 hardware baselines were designed upon. In upcoming releases of Windows, we are advancing security even further with built-in protections to help defend from advanced and targeted phishing attacks. We’re also adding more protection for your applications, personal data, and devices and empowering IT with the ability to lock security configurations as more enterprise devices are sent directly to users. Here’s a look at what’s coming to Windows 11 to help our customers combat the biggest security challenges of distributed work scenarios and the threat landscape of the future.
Zero Trust security, from the chip to the cloud, rooted in hardware
Microsoft Pluton: Built on the principles of Zero Trust, the hardware and silicon-assisted security features in Windows 11—including the TPM 2.0, firmware and identity protection, Direct Memory Access protection, and Memory Integrity protection—help protect core parts of the OS as well as the user’s credentials as soon as the device powers on. While those features provide protection from many attack patterns we see today, we know that attackers have shifted their sights to hardware, which is why we’re looking ahead to the Microsoft Pluton Security Processor as an innovative solution to securing that critical layer of computing.
Microsoft Pluton has several key capabilities that stem from its direct integration into the CPU and the OS. First, Pluton is the only security processor that is kept regularly up to date with key security and functionality updates delivered through Windows Update, just like any other Windows component. This means that Pluton does not require enterprises to take the traditional manual steps to update firmware, making it much easier to stay secure. In addition, the Pluton firmware is developed by the same Windows team that builds the features that use it, like Windows Hello and BitLocker. This means Pluton is optimized for the best performance and reliability in Windows 11. Pluton also undergoes world-class penetration testing along with external bug bounties to ensure it remains secure. Pluton offers more than optimized firmware: it also offers protection against physical attacks through its direct integration into the CPU. This avoids any additional attack surface, increasing security and simplifying the additional configuration traditionally needed to address physical attacks. Pluton is a testament to the investment in our chip to the cloud security strategy and the success of Secured-core PCs.
App security without the app store from Smart App Control
Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications by default. Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence, which provides trillions of signals. When a new application is run on Windows 11, its code signing and core features are checked against this model, ensuring only known safe applications are allowed to run. This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices. Smart App Control will ship on new devices with Windows 11 installed. Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature.
Increased account and credential security
Enhanced phishing detection and protection with Microsoft Defender SmartScreen: In the last year, we’ve blocked more than 25.6 billion Microsoft Azure Active Directory (Azure AD) brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365. The enhanced phishing detection and protection built into Windows with Microsoft Defender SmartScreen will help protect users from phishing attacks by identifying and alerting users when they are entering their Microsoft credentials into a malicious application or hacked website. These enhancements will make Windows the world’s first operating system with phishing safeguards built directly into the platform and shipped out-of-box to help users stay productive and secure without having to learn to be their own IT department.
Credential Guard by default: Windows 11 makes use of hardware-backed, virtualization-based security capabilities to help protect systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. In the future, Credential Guard will be enabled by default for organizations using the Enterprise edition of Windows 11.
Additional protection for Local Security Authority (LSA) by default: Windows has several critical processes to verify a user’s identity. The LSA is one of those processes, responsible for authenticating users and verifying Windows logins. It is responsible for handling user credentials, like passwords, and tokens used to provide single sign-on to Microsoft accounts and Azure services. Attackers have developed tools and have abused Microsoft tools to take advantage of this process to steal credentials. To combat this, additional LSA protection will be enabled by default in the future for new, enterprise-joined Windows 11 devices, making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code.
Personal Data Encryption adds a second layer of security for personal data
Forty percent of respondents in Verizon’s 2021 Mobile Security Index said mobile devices are the biggest IT security threat, 97 percent consider remote workers to be at more risk than office workers, and 56 percent were worried about device loss or theft. No matter where users are working, the new Personal Data Encryption coming to Windows 11 provides a platform, available for use by applications and IT, to protect user files and data when the user is not signed into the device. To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user’s passwordless credentials so that even if a device is lost or stolen, data is more resistant to attack and sensitive data has another layer of protection built-in.
Protect users from themselves with Config Lock
More than 60 percent of security decision-makers reported that they’re challenged when it comes to implementing security solutions, and a big reason for that is the limited control they have once the device is in the hands of the user. Config Lock changes that. This feature, already in Windows 11, monitors registry keys through mobile device management (MDM) policies to help ensure devices in your ecosystem comply with industry and company security baselines. If Config Lock detects a change in registry keys, it will automatically revert the impacted system to the IT-desired state in seconds. With Config Lock, IT administrators can be confident that devices in their organization are protected and that users have not changed critical security settings.
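As an added example (not part of the original post, and not Microsoft’s Config Lock implementation), the following PowerShell script shows the idea behind Config Lock at a much smaller scale: a baseline of IT-desired registry values is compared against the live registry, drift is reported, and, only when run with -Remediate, the desired value is written back. The three baseline entries (UAC’s EnableLUA, the SmartScreen policy value EnableSmartScreen, and LSA’s RunAsPPL) are constructed for illustration; a real deployment would take its baseline from MDM policy, as Config Lock does, and run continuously rather than on demand.

```powershell
# Added example, not Microsoft's Config Lock code: detect and optionally
# revert drift from an IT-defined registry baseline. Run from an elevated
# PowerShell session; nothing is written unless -Remediate is given.
param([switch]$Remediate)

# Constructed baseline for illustration. Each entry is a DWORD value an
# administrator wants held at a fixed setting.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';         Expected = 1 }   # keep UAC on
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'EnableSmartScreen'; Expected = 1 }   # keep SmartScreen on
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL';          Expected = 1 }   # keep LSA running as a protected process
)

function Test-RegistryBaseline {
    # Emits one object per baseline entry with the expected and actual value.
    param([Parameter(Mandatory)][object[]]$Entries)

    foreach ($e in $Entries) {
        $actual = $null
        if (Test-Path -LiteralPath $e.Path) {
            $item = Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($e.Name) }
        }
        [pscustomobject]@{
            Path      = $e.Path
            Name      = $e.Name
            Expected  = $e.Expected
            Actual    = $actual
            Compliant = ($actual -eq $e.Expected)
        }
    }
}

function Repair-RegistryBaseline {
    # Restores every non-compliant value to its expected setting. Supports
    # -WhatIf / -Confirm so the drift can be reviewed before anything is written.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Entries)

    $drifted = Test-RegistryBaseline -Entries $Entries | Where-Object { -not $_.Compliant }
    foreach ($r in $drifted) {
        if ($PSCmdlet.ShouldProcess("$($r.Path)\$($r.Name)", "Set to $($r.Expected)")) {
            if (-not (Test-Path -LiteralPath $r.Path)) {
                New-Item -Path $r.Path -Force | Out-Null
            }
            Set-ItemProperty -LiteralPath $r.Path -Name $r.Name -Value $r.Expected -Type DWord
            Write-Verbose "Reverted $($r.Path)\$($r.Name) from '$($r.Actual)' to $($r.Expected)"
        }
    }
}

# Report drift first; revert it only when asked to.
Test-RegistryBaseline -Entries $Baseline | Format-Table -AutoSize
if ($Remediate) {
    Repair-RegistryBaseline -Entries $Baseline -Verbose
}
```

Run it without arguments to see which values have drifted, with -Remediate -WhatIf to preview the writes, and with -Remediate to apply them. Keeping detection and remediation in separate functions mirrors how a real enforcement agent is structured: the report is useful on its own for auditing, and the write path is the only part that needs elevated rights and change control.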
Block vulnerable drivers by default with HVCI
Hypervisor-Protected Code Integrity (HVCI) default enhancements: Malware attacks over the last few years (RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron)[2] have increasingly leveraged driver vulnerabilities to compromise systems. In the next Windows 11 release, HVCI will be enabled by default on a broader set of devices running Windows 11. This feature prevents attackers from injecting their own malicious code (for example, WannaCry)[3] and helps ensure that all drivers loaded onto the OS are signed and trustworthy. Using data from the broader security community, the Microsoft Vulnerable and Malicious Driver Reporting Center helps enable Windows to automatically block known vulnerable drivers.
The Microsoft vulnerable driver blocklist leverages Windows Defender Application Control (WDAC) to help prevent advanced persistent threats (APTs) and ransomware attacks abusing and exploiting known vulnerable drivers. The kernel blocklisting feature mitigates these threats by preventing these drivers from being exploited by blocking their load in the Windows kernel. Devices running HVCI or Windows SE have the blocklist enabled by default. Additionally, the feature can be enabled by the new experience in the Core isolation page within the Windows Security App.
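As an added example (not part of the original post, and not Microsoft’s own tooling), this PowerShell script reads the live state of the defaults described in the credential-security and HVCI sections above: virtualization-based security, Credential Guard and HVCI through the documented Win32_DeviceGuard CIM class, LSA protection through the documented RunAsPPL value, and the vulnerable driver blocklist and Smart App Control through CI configuration values. The registry locations for those last two (VulnerableDriverBlocklistEnable under CI\Config and VerifiedAndReputablePolicyState under CI\Policy) are assumptions and should be checked against current Microsoft documentation for your build.

```powershell
# Added example, not Microsoft's own tooling: report whether the
# hardware-backed and code-integrity defaults discussed in the post are
# actually running on this machine. Run from an elevated session.

function Get-RegistryDword {
    # Returns the DWORD stored at Path\Name, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-LsaProtectionState {
    # RunAsPPL: 1 = LSA runs as a protected process, 2 = the same but the
    # setting is also locked with a UEFI variable, absent or 0 = not enabled.
    $v = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL'
    if ($v -eq 2)     { return 'Enabled (UEFI-locked)' }
    elseif ($v -eq 1) { return 'Enabled' }
    else              { return 'Not enabled' }
}

function Get-VbsState {
    # Win32_DeviceGuard exposes VBS status and which VBS-backed services run.
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced (kernel-mode WDAC).
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    } catch {
        # Class missing on older builds: report everything as not running.
        return [pscustomobject]@{ VbsRunning = $false; CredentialGuardRunning = $false
                                  HvciRunning = $false; KernelCiEnforced = $false }
    }
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        KernelCiEnforced       = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    }
}

function Get-WindowsSecurityDefaults {
    $vbs = Get-VbsState

    # The two locations below are assumptions drawn from Microsoft documentation;
    # verify them against the current docs for your Windows build.
    $blocklist = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                                   -Name 'VulnerableDriverBlocklistEnable'
    $sac = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
                             -Name 'VerifiedAndReputablePolicyState'

    if ($blocklist -eq 1) { $blocklistState = 'Enabled' } else { $blocklistState = 'Disabled or not set' }
    if ($sac -eq 1)       { $sacState = 'Enforcing' }
    elseif ($sac -eq 2)   { $sacState = 'Evaluation' }
    else                  { $sacState = 'Off or not set' }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs.VbsRunning
        CredentialGuard             = $vbs.CredentialGuardRunning
        MemoryIntegrity_HVCI        = $vbs.HvciRunning
        KernelCodeIntegrityEnforced = $vbs.KernelCiEnforced
        LsaProtection               = Get-LsaProtectionState
        VulnerableDriverBlocklist   = $blocklistState
        SmartAppControl             = $sacState
    }
}

Get-WindowsSecurityDefaults | Format-List
```

The distinction between "configured" and "running" matters here: Win32_DeviceGuard also exposes SecurityServicesConfigured and a VirtualizationBasedSecurityStatus of 1 for VBS that is turned on but not yet active (typically pending a reboot or missing a hardware prerequisite), which is why the script keys its answers off the running state rather than the configuration.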
Redesigning security from the chip to the cloud
Microsoft is continuously investing in improving the default security baseline for Windows and is focused on closing gaps on top attack vectors like those we shared here today. Those investments are designed to help simplify and deepen the security experience for Windows customers by default. With built-in chip to the cloud protection and layers of security, Windows 11 helps organizations meet the new security challenges of the hybrid workplace, now and in the future. With every release, we are making Windows more secure by default, designing new protections as we continue to power the future of business.
Check out our breakout security session to see how these upcoming Windows Security features help protect you from real-world attacks. And learn more about Windows 11 security in our Windows 11 Security Book.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
[1] The Work Trend Index survey was conducted by an independent research firm, Edelman Data x Intelligence, among 31,102 full-time employed or self-employed workers across 31 markets between January 7, 2022 and February 16, 2022. Business leaders were asked, “When you think ahead to the next year, what are the biggest obstacles or challenges you’re most worried about?” Cyber security challenges ranked number one; meeting increased customer demands/needs and navigating external factors like supply chain disruptions and inflation ranked two and three.