Abhilash Kankanawadi, Author at Microsoft Security Blog. Expert coverage of cybersecurity topics. Thu, 12 Sep 2024 20:53:51 +0000

3 steps to secure your multicloud and hybrid infrastructure with Azure Arc
http://approjects.co.za/?big=en-us/security/blog/2022/03/29/3-steps-to-secure-your-multicloud-and-hybrid-infrastructure-with-azure-arc/
Tue, 29 Mar 2022 16:00:00 +0000

In this blog, we will share how you can increase security for on-premises and hybrid infrastructure through offerings including Azure Arc, Microsoft Defender for Cloud, and Secured-core for Azure Stack HCI.

As businesses around the world grapple with the growth of an industrialized, organized attacker ecosystem, the need for customers to secure multicloud and hybrid infrastructure and workloads is increasingly urgent.

Today, organizations face an attacker ecosystem that is highly economically motivated to exploit security issues with your multicloud and hybrid workloads—as made evident in the rise in human-operated ransomware, with hackers launching an average of 50 million password attacks every day (579 per second), the rise of web shell attacks,[1] and increasing firmware attacks.[2] As with most attack vectors in this evolving threat landscape, prevention and detection are critical.

These threats can present a growing challenge for organizations using a combination of on-premises, hybrid, and multicloud infrastructure and workloads. With this distributed infrastructure, it can be a challenge to protect resources against motivated attackers when security management, policies, and signals are not unified.

Securing your multicloud and hybrid infrastructure in 3 steps

Securing infrastructure is fundamental to the business—for every business. So, what does a solution for multicloud, on-premises, and hybrid infrastructure security look like? A powerful defense must be unified, simplified, and actionable. It must make it easier to enable digital transformation and not slow progress in this crucial area. For businesses who need to secure multicloud, on-premises, and hybrid infrastructure, an increased security stance can start with three simple steps:

  1. Connecting your hybrid infrastructure to Azure Arc.
  2. Enhancing security for your Azure Arc-connected hybrid infrastructure using Microsoft Defender for Cloud.
  3. Further enhancing the security of on-premises workloads with Secured-core for Azure Stack HCI.

1. Connect your on-premises and hybrid infrastructure to Microsoft security services using Azure Arc

Many organizations today are challenged with the growing complexity of securing their infrastructure with disparate tools across multicloud, hybrid, and edge environments. To begin securing these assets, you can use Azure Arc to connect your resources to Microsoft Azure from wherever they are deployed, making them addressable by Azure security services and enabling you to manage them from a single pane of glass in Azure Resource Manager. Azure Arc extends the control plane to these resources so that they can be managed and secured centrally with tools including our cloud extended detection and response (XDR) solution, Microsoft Defender for Cloud, or the secure key management tool, Azure Key Vault.

“When you see how Azure security and compliance features benefit your on-premises infrastructure, it helps put your mind at ease regarding the capabilities and benefits of the cloud. It also makes you a harder target for would-be attackers, and that’s what we’re hoping to achieve.”—Lody Mustamu, Manager of Marketing and Sales, ASAPCLOUD.

Read more about ASAPCLOUD’s story here.

2. Secure your Azure Arc-enabled infrastructure using Microsoft Defender for Cloud

Once these distributed multicloud and hybrid environments are connected through Azure Arc, Microsoft Defender for Cloud enables you to find weak spots across your configuration, helps strengthen the overall security posture, and can help you meet any relevant compliance requirements for your resources across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

While prevention is critical, at the same time, the increasing sophistication of attacks requires that organizations have a comprehensive threat protection strategy in place. Microsoft Defender for Cloud provides vulnerability assessment with insights from industry-leading security research and provides advanced threat protection for a broad range of workloads across cloud and on-premises including virtual machines, containers, databases, storage, and more.

“The choice made sense to us because Microsoft Defender connects so tightly and automatically to Azure Arc,” says Iñigo Martinez Lasala, Director of Technology and Systems at Prosegur. “There are other tools out there, but Microsoft Defender provides additional functionality that other tools don’t have, such as establishing rules of compliance, hardening servers, and launching scripts to fix server issues.” 

Read more about Prosegur’s story here.

Get started by enabling Microsoft Defender for Cloud for your Azure subscriptions and easily onboard other environments to understand your current security posture. You can then enable the enhanced features to protect and manage the security of all relevant workloads across your cloud and on-premises environments from a central place, all connected through Azure Arc.

Microsoft Defender for Cloud dashboard featuring security posture chart, Firewall Manager, regulatory compliance status, and workload protections.

Figure 1. Protect your workloads with Microsoft Defender for Cloud.

3. Further secure your on-premises and hybrid infrastructure using Secured-core for Azure Stack HCI

As security threats continue to become more sophisticated, they are moving lower in the stack to the operating system, firmware, and hardware level, so there is a growing need for additional security at these lower levels. One way to gain additional protection against these attacks is an integrated solution called Secured-core, now available for Azure Stack HCI. Secured-core servers provide out-of-box safeguards with enhanced protections. For example, Secured-core servers help stop attacks in the event of a successful web application compromise with features like virtualization-based security (VBS) and hypervisor-based code integrity (HVCI). Credential protection in Azure Stack HCI helps mitigate the common attack of credential theft by using VBS to isolate credentials in their own virtual machine, a feature that is on by default in Secured-core servers. These features help prevent what could otherwise be a much larger breach.

Secured-core servers have three focused pillars:

  1. Protect with hardware root of trust: Trusted platform modules (TPMs) ensure that even firmware malware cannot tamper with hardware recordings of what firmware ran on the device.
  2. Defend against firmware-level attacks: System Guard secured VBS protects by not relying on firmware for trust.
  3. Prevent access to unverified code: HVCI protects against both known vulnerable drivers and entire classes of problems.

All these capabilities built into Secured-core servers ensure that your servers are protected out-of-box, giving you confidence in your hardware. And managing the status and configuration of Secured-core servers is easy from the browser-based Windows Admin Center for both Windows Server and Azure Stack HCI solutions.

Windows Admin Center on Security tab showing Secured-core blade with green check marks next to 2 of 2 clustered nodes meet the requirements for Secured-core Server as well as green check marks indicating positive status on list of security features.

Figure 2. Secured-core server cluster management in Windows Admin Center.

“To help our customers remain secure and accelerate their business outcomes, Hewlett Packard Enterprise (HPE) is excited to release the new Gen 10 Plus (v2) products for Azure Stack HCI 21H2 and Windows Server 2022 which can be delivered with the HPE GreenLake edge-to-cloud platform,” said Keith White, Senior Vice President and General Manager, GreenLake Cloud Services Commercial Business. “These offer unprecedented host protection by combining HPE’s security technologies with Secured-core server functionalities for a secure, hybrid implementation.”

Take steps today to secure your on-premises and hybrid infrastructure

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Web shell attacks continue to rise, Detection and Response Team (DART), Microsoft 365 Defender Research Team, Microsoft Security. February 11, 2021.

[2] New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats, Microsoft Security Team, Microsoft Security. March 30, 2021.

Manage subject rights requests at scale with Microsoft Priva
http://approjects.co.za/?big=en-us/security/blog/2022/03/16/manage-subject-rights-requests-at-scale-with-microsoft-priva/
Wed, 16 Mar 2022 16:00:00 +0000

Having the right technology and processes in place can make it possible to manage a large volume of SRRs efficiently and auditably. This post discusses SRR response use cases and how Microsoft Priva subject rights requests can be used for this purpose.

Privacy is of increasing importance to our customers. In addition to the well-known European General Data Protection Regulation (GDPR), privacy regulations are emerging in nearly every region with more than 70 percent of countries now having data protection and privacy legislation.[1]

As the number and scope of privacy standards have proliferated, privacy becomes an expectation of customers and stakeholders to enable a trusted business. Many of the large organizations I work with are mature in their privacy compliance processes. Some have had to be GDPR compliant since 2018. Even those without GDPR compliance obligations saw GDPR as a watershed event, recognizing that broader privacy regulation was coming. Organizations have now shifted their focus from privacy compliance to privacy leadership in order to provide value to their customers and their brands. To assist organizations on their privacy journey, we introduced Microsoft Priva in October 2021 to help customers safeguard personal data and respect privacy rights.

The concept of respecting an individual’s privacy rights has been emphasized by the Organization for Economic Cooperation and Development (OECD) as “The Individual Participation Principle” in the Fair Information Practice Principles (FIPPs) since 1980.[2] The principle includes an individual’s right to access and control their own data. In some cases, they have the right to have this data corrected or deleted. Since GDPR went into effect, the concept has become more mainstream, known as data subject requests or subject rights requests. In the United States, 12 states have laws passed or active bills that mandate a subject’s right to data access.[3]

Subject rights requests (SRRs) management is time-consuming and costly

Responding to subject rights requests (SRRs) can be resource-intensive, costly, and difficult to manage. There are challenging time frames for a response, with GDPR mandating a response time of 30 days and the California Privacy Rights Act (CPRA) allowing 45 days. More than half of organizations handle SRRs manually, while one in three has automated the process.[4] According to Gartner®, most organizations process between 51 and 100 SRRs per month at a cost of more than USD1,500 per request.[5] As more privacy regulations come into force and the public becomes more informed about their rights, the volume of SRRs is expected to grow substantially, impacting organizations’ resources even further.

Pie chart showing 1 in 3 organizations have partially automated subject rights requests.

Figure 1. Approximately one in three organizations have partially automated subject rights requests.

Scaling SRR management is challenging

To process an SRR, an organization must verify the data subject to make sure that the individual is who they say they are and has the rights to the information, then collect the information, review, redact where appropriate, and provide the response to the requester in an auditable manner.

Most organizations have processes in place for SRR responses but rely on email for collaboration, eDiscovery tools for search, and manual reviews to identify data conflicts like a file containing multiple people’s privacy relevant data. These processes can work but they don’t scale. They also create data sprawl and additional security and compliance risk.

Manage at scale and respond with confidence with Microsoft Priva

To help organizations deal with these challenges, Microsoft has created Microsoft Priva, a privacy management solution that helps safeguard and respect privacy while streamlining the process for responding to SRRs.

Microsoft Priva SRRs helps gather a subject’s data from the Microsoft 365 environment automatically, including emails, messages, documents, spreadsheets, and more that contain the requestor’s personal data. It then detects and flags conflicts like the personal data of others or confidential information included in the collected files. Automated data collection and detection can help you capture conflicts more accurately to avoid any data leakage.

Additionally, the solution allows collaboration in a protected platform for stakeholders to review, triage, and redact collected files in their native views. Unlike other solutions that might only provide you with a report of file paths, Microsoft Priva can bring the files to you and save you time and effort manually copying and pasting the file paths in your browser, or emailing and messaging files to others to review.

Animated image of Microsoft 365 compliance dashboard user redacting files.

Figure 2. Review, triage, and redact collected files in their native views when multiple people’s data is detected.

Privacy admins can also leverage Microsoft Teams and Power Automate, integrated with the Microsoft Priva solution, to work with HR, legal, and other departments in an efficient, compliant, and auditable way. All your collaboration data is centralized in one platform that ensures security and compliance along the way. Microsoft Priva SRRs helps organizations manage SRRs at scale with confidence while avoiding personal data sprawl.

Flow chart showcasing how Microsoft Priva Subject Rights Requests helps manage requests at scale and with confidence.

Figure 3. Microsoft Priva SRRs helps manage requests at scale and with confidence.

The solution dashboard provides visualization of SRR metrics and the ability to filter and manage requests to completion. This establishes to internal stakeholders and regulators that SRR responses were made with compliant processes in the required timeframe. 

Microsoft 365 compliance center dashboard showing SRR progress over time.

Figure 4. Microsoft Priva SRRs helps provide insights on SRR progress and show trends over time.

Integrate with your privacy solutions

Many organizations are using other tools to manage SRRs. We want to bring the value of Microsoft Priva and its native integration with Microsoft 365 to them as well to provide a better-together solution. Part of this is to integrate Microsoft Priva with the solutions of other software vendors and customers’ homegrown solutions through our Microsoft Graph subject rights request API. The API allows integration with privacy independent software vendors (ISVs), like OneTrust, Securiti.ai, and WireWheel, to automate the SRR handling process and provide a response that encompasses the organization’s entire data estate.

For example, an organization can use the API to send a request they received in their homegrown application to Microsoft Priva, which then collects the subject’s personal data automatically, enables collaboration to review and redact files, creates a link to the data package, and sends it back to the homegrown application through the API. The organization then can combine all the reports and data from various environments together to respond to the requestor.

Microsoft Graph API showing how organizations leverage Microsoft Priva along with their existing privacy tools.

Figure 5. Microsoft Graph API enables organizations to leverage Microsoft Priva along with their existing privacy tools.

Learn more

We are excited to help ease the complexity of SRR management. To learn more about how to manage SRRs at scale, download the e-book Five tips from Microsoft to automate your SRRs or join our webinar on April 19, 2022.

Microsoft Priva solutions are generally available for customers as an add-on to all Microsoft 365 or Office 365 enterprise subscriptions. You can try out Microsoft Priva SRRs for 90 days or create up to 50 subject rights requests (whichever limit expires first) at no cost.



[1] UNCTAD Data Protection and Privacy Legislation Worldwide

[2] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD. 2013.

[3] US State Privacy Legislation Tracker, Taylor Kay Lively, iapp. March 3, 2022.

[4] IAPP-EY Consulting and Annual Privacy Governance Report for 2021, iapp, EY. 2021.

[5] Market Guide for Subject Rights Request Automation, Gartner. November 2021.

Secure your healthcare devices with Microsoft Defender for IoT and HCL’s CARE
http://approjects.co.za/?big=en-us/security/blog/2022/03/14/secure-your-healthcare-devices-with-microsoft-defender-for-iot-and-hcls-care/
Mon, 14 Mar 2022 16:00:00 +0000

Recently, Microsoft and global technology services firm HCL Technologies teamed up to help solve the security challenge with a high-performance solution for medical devices. The result is a new reference architecture and platform for building secure medical devices and services based on HCL's CARE, Microsoft Defender for IoT and Azure IoT.

It wasn’t long ago that medical devices were isolated and unconnected, but the rise of IoT has brought real computing power to the network edge. Today, medical devices are transforming into interconnected, smart assistants with decision-making capabilities.

Any device in a medical setting must be designed with one core priority in mind: delivering patient care. Medical professionals need instant access to data from devices with minimal friction so they can focus on what they do best. But at the same time, any device holding sensitive medical records must be secure.

To balance these needs, security software for medical devices must be lightweight enough to maximize the performance of the device without overloading the processor, taxing battery life, or putting the user through cumbersome processes. It must be high-performing and reliable with great battery life, so the device is always ready and works every time it’s needed.  

Recently, Microsoft and global technology services firm HCL Technologies teamed up to help solve the security challenge with a high-performance solution for medical devices. The result is a new reference architecture and platform for building secure medical devices and services based on HCL’s Connected Assets in Regulated Environment (CARE), Microsoft Defender for IoT, and Azure IoT.

By freeing medical device manufacturers from the need to build security solutions and cloud services, this new platform will enable them to focus on their own core mission and strengths, which are healthcare-related innovation and patient care, even as they build new, better, and more secure medical devices.

Combining HCL’s CARE and Microsoft Defender for IoT

As a long-time Microsoft partner, HCL brings deep expertise in applications, systems integration, network engineering, and managed services.

Built on Microsoft Azure, HCL’s CARE Platform has been designed and developed with security best practices and standards in mind. The platform provides the foundation and platform that medical device manufacturers need to develop innovative high-performance healthcare services and devices while ensuring an integrated security approach from the cloud to the network edge.

By including Microsoft Defender for IoT in the device itself, device builders are able to create secure-by-design, managed IoT devices. Defender for IoT offers continuous asset discovery, vulnerability management, and threat detection—continually reducing risk with real-time security posture monitoring across the device’s operating system and applications.

Partner Director of Enterprise and OS Security for Azure Edge and Platform at Microsoft, David Weston, highlighted the value of this collaboration saying, “By partnering with HCL to incorporate Defender for IoT into HCL’s CARE, we see a bright future for medical device manufacturers to build secured medical devices, with minimal effort.” Sunil Aggarwal, Senior Vice President at HCL and Client Partner for Microsoft, added, “HCL’s CARE enables medical original design manufacturers (ODMs) and original equipment manufacturers (OEMs) to quickly develop new devices and solutions focused on patients’ needs. By including Defender for IoT, those devices benefit from Microsoft’s deep security expertise, thousands of security professionals, and trillions of security signals captured each day.”

The combined Microsoft and HCL solution for healthcare IoT provides the high-performance security needed to protect the sensitive data on the medical device—in transit and in the cloud. By using a combination of endpoint and network security signals, the system can monitor what’s happening on the network, in the operating system, and at the application layer while keeping a pulse on the integrity of the device. This combination of external and internal security signals yields advanced security not often found on medical devices, which are typically monitored using only network data.   

Advanced threat detection with Defender for IoT

CARE’s use of Defender for IoT offers the best possible security using Defender’s agent-based monitoring. This means security is built directly into IoT devices with the Microsoft Defender for IoT security agent, which supports a wide range of operating systems including popular Linux distributions. With an agent, richer asset inventory, vulnerability management, and threat detection and response are possible.

Image shows devices being monitored and assessed for vulnerabilities and security recommendations. A prioritized list of recommendations is shown. The combination of network and endpoint signals enables a deeper assessment and a broader range of detections.

Figure 1. Devices are monitored and assessed for vulnerabilities and security recommendations. The combination of network and endpoint signals enables a deeper assessment and a broader range of detections.

Defender for IoT monitors the security of the device and enables the following scenarios for medical device manufacturers using HCL’s CARE with Defender for IoT:

  • Asset inventory: Gain visibility to all your IoT devices so operators can manage a complete inventory of their entire healthcare IoT fleet.
  • Posture management: Identify and prioritize misconfigurations based on industry benchmarks and software vulnerabilities or anomalies in the software bill of materials (SBOM) that may arise from supply chain attacks and use integrated workflows to bring devices into a more secure state.
  • Threat detection and response: Leverage behavioral analytics, machine learning, and threat intelligence based on trillions of signals to detect attacks through anomalous or unauthorized activity.  
  • Microsoft Security integration: Defender for IoT is part of the Microsoft security information and event management (SIEM) and extended detection and response (XDR) offering, enabling quick detection and response capabilities for multistage attacks that may move across network boundaries.
  • Third-party integration: Integrates with third-party tools you’re already using, including SIEM, ticketing, configuration management database (CMDB), firewall, and other tools.

Powerful automated services for detection and response

HCL’s CARE Gateway and CARE Device Agent complement Defender for IoT’s security and can help capture application-level security events and send them to Defender for IoT analytics services. Such events include an attempt to connect an unknown device, use of invalid provisioning credentials, attempts to run unauthorized commands remotely, short and lengthy remote access sessions, anomalies related to data transfer rate, event sequence anomalies, and more.

Diagram shows a medical device with the HCL’s CARE and Defender for IoT agents. Using the agents, the devices send security and other types of events to the HCL CARE Gateway, which forwards the data to the Azure IoT hub in Azure. Security events are forwarded to the Defender for IoT cloud services while non-security events are sent to the HCL’s CARE Core and business app.

Figure 2. Medical devices send security and other types of events to HCL’s CARE Gateway which forwards data to the Azure IoT hub. Security events are forwarded to the Defender for IoT cloud services while non-security-related events are sent to HCL’s CARE Core and business app.

Integrating HCL’s CARE with Defender for IoT can protect and monitor connected medical devices and gateways too. The CARE Platform integrated with Defender for IoT provides a powerful solution to secure healthcare devices:

  • CARE Cloud runs in Azure, utilizing Azure cloud security services to ensure that customers’ health data is secure and accessible only to authorized persons.
  • CARE Device Gateway keeps devices isolated from the public internet.
  • The Defender for IoT micro agent can help to capture events at the system level and push them to Defender for IoT analytics services, along with the service-level events captured by the gateway itself.
  • Device Agent connects to Device Gateway to get events out. It can also capture device software level events and push them to Defender for IoT analytics services through the Device Gateway.
  • CARE Cloud can make critical events captured at Defender for IoT analytics services actionable, such as gracefully isolating medical devices from the network and alerting device owners.
  • CARE Reusable Modules and design guidelines make the application and connected device secure by enabling secure design, development, and deployment. This includes static and dynamic application security testing and software composition analysis.
  • CARE can also act on critical events by alerting the device owners’ IT security, and sending commands to devices for network isolation, graceful shutdown, and other preconfigured actions.

Find out more

Both Microsoft and HCL are excited to bring this new platform and security technologies to the medical device industry, and we invite you to learn more about how HCL’s CARE and Defender for IoT deliver the security that medical device manufacturers need. Using these technologies, manufacturers can focus more on medical and patient innovation and the quicker delivery of new solutions to the marketplace.

These new security capabilities are available today. Medical device manufacturers and OEMs should check out HCL’s CARE, Microsoft Defender for IoT, and Microsoft’s recently announced Edge Secured-core preview.  

If you are an IoT solution builder, reach out to the Azure Certified Device team. We are ready to work with you!

Secure your OT and IoT devices with Microsoft Defender for IoT and Quzara Cybertorch™
http://approjects.co.za/?big=en-us/security/blog/2022/03/03/secure-your-ot-and-iot-devices-with-microsoft-defender-for-iot-and-quzara-cybertorch/
Thu, 03 Mar 2022 17:00:00 +0000

In recent years, malicious actors have started attacking industrial control systems and key sectors of nations’ critical infrastructure to inflict damage that transcends the cyber world and traditional IT assets. The risk to public safety cannot be overstated, as these types of cyberattacks have real-world potential to inflict harm on humans.

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

In recent years, malicious actors have started attacking industrial control systems and key sectors of nations’ critical infrastructure to inflict damage that transcends the cyber world and traditional IT assets. The risk to public safety cannot be overstated, as these types of cyberattacks have real-world potential to inflict harm on humans. These “industrial control systems” that control the many facets of our nation’s critical infrastructure are more commonly known as operational technology (OT) devices. The same goes for IoT devices and industrial internet of things (IIoT) devices. IoT is the network of physical objects that contain embedded technology to communicate, sense, or interact with the internal or external state of its environment. The public and private sectors have many OT and IoT devices in industries such as defense, power generation, robotics, chemical and pharmaceutical production, oil production, transportation, and mining—to name a few. OT devices are hardware and software that monitor or control physical equipment, assets, and processes—and they are being compromised at an increasing rate.[1]

Alarmingly, in 2021 there were two incidents of local water treatment plants in the US being a target of cyberattacks. One cyberattack occurred in the San Francisco Bay area in January 2021[2] and another occurred in February 2021 in Oldsmar, Florida.[3] In the Oldsmar, Florida cyberattack, the malicious actors attempted to increase the amount of sodium hydroxide in the water supply to potentially dangerous levels. Thankfully, the attack was thwarted by a plant supervisor who caught the act in real time and reverted the changes. These cyberattacks occurred on OT devices used for critical infrastructure at the local level, but similar cyberattacks are playing out in the real world on a national level as well.

On May 7, 2021, Colonial Pipeline, an American oil pipeline system responsible for 45 percent of all fuel consumed on the US East Coast, suffered a ransomware cyberattack that crippled all pipeline operations for about six days.[4] The aftermath of this attack caused fuel shortages in six US states as well as the US capital, Washington D.C.

These cyberattacks on OT devices may not be new, but they underscore how dangerous the threat is to our critical infrastructure, as well as how great the risk is to our overall public safety.

The US government has taken notice of the increased threat against OT systems and has responded accordingly. Per the President’s Executive Order on Improving the Nation’s Cybersecurity issued on May 12, 2021, “The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.⁵ The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).” The Quzara Cybertorch™ solution, in conjunction with Microsoft Defender for IoT and Microsoft Sentinel, helps agencies meet compliance with various aspects of this executive order. This includes, but is not limited to, providing agencies a means to monitor IT and OT operations and alerts, respond to attempted and actual cyber incidents, and facilitate logging, log retention, and log management.

With the threat of cyberattacks impacting OT and IoT devices on the rise, it is important now more than ever for national, state, and local governments, and their private sector partners, to be vigilant in securing their OT and IoT devices that operate or assist critical infrastructure.

The current state of cybersecurity in OT and IoT environments

While it is encouraging that the US Government is giving greater emphasis to secure OT and IoT infrastructure, they and private corporations with OT and IoT devices face an uphill battle. This is because many OT and IoT environments use outdated (and therefore, unsecure) operating systems and software. A comprehensive report from CyberX (acquired by Microsoft) in June 2020 titled Global IoT and ICS Risk Report was compiled based on data gathered from 1,821 production OT and IoT networks using passive, agentless monitoring with patented deep packet inspection (DPI) and network traffic analysis (NTA) algorithms. These production networks spanned diverse IoT and ICS systems—including robotics, refrigeration, chemical, and pharmaceutical production, power generation, oil production, transportation, mining, and building management systems (heating, ventilation, and air conditioning (HVAC), closed-circuit television (CCTV), and more). These are the findings in the report:

  • 71 percent had outdated or unsupported operating systems.
  • 64 percent had unencrypted passwords.
  • 54 percent were remotely accessible.
  • 22 percent had indicators of threats.
  • 27 percent had direct internet connections.
  • 66 percent had no automatic updates.

Figure 1. CyberX report high-level findings.

Securing and monitoring OT and IoT devices

It is critical for national, state, and local governments, and their private sector partners, to secure their OT and IoT environments from cyberattacks—but first, security must be made easier to incorporate. To make it easier for these entities to incorporate OT and IoT security, Quzara Cybertorch™, a managed security service provider (MSSP), partnered up with Microsoft to leverage Microsoft Defender for IoT. By leveraging Microsoft Defender for IoT, Quzara Cybertorch™ is able to discover all OT and IoT devices in an environment, identify vulnerabilities present on these devices, and provide continuous security monitoring of these devices.

Automated asset inventory

Microsoft Defender for IoT is an agent-less solution that—connecting to a mirroring port on a network’s switch—passively listens to real-time OT and IoT traffic in the industrial network. Quzara Cybertorch™ uses this tool to quickly create an “Asset Inventory Map” that shows all assets on the network, identifies which machines are interacting with each other, and at which layer of the Purdue model they operate.⁶

Figure 2. Auto-generated Asset Inventory Map in Purdue model layout.

By identifying which assets communicate with each other in a Purdue model format, valuable information is gathered that depicts which machines can communicate out to the internet from the OT network. These internet-connected machines are the ones we prioritize locking down and monitor more closely for suspicious traffic. Identifying internet-connected assets is just one example of what the Asset Inventory Map can display. The Asset Inventory Map also reveals any shadow devices that are on the OT and IoT network. In other words, by revealing all assets on the OT network, the Asset Inventory Map will identify any IT, OT, and IoT devices that the IT department may not be officially aware of. Furthermore, the Asset Inventory Map helps IT security teams identify “single points of failure” in their environment based on the network topology and architecture. Quzara Cybertorch™ encourages hardening these assets that are “single points of failure” and creating redundancy to ensure operations aren’t disrupted if these assets were to ever go down unexpectedly.

Vulnerability management of OT and IoT devices

Quzara Cybertorch™ can identify known vulnerabilities on OT and IoT devices by leveraging Microsoft Defender for IoT. Microsoft Defender for IoT proactively identifies vulnerabilities such as unpatched devices, unauthorized Internet connections, and subnet connections. Beyond identifying vulnerabilities, Microsoft Defender for IoT also identifies changes to device configurations, programmable logic controller (PLC) code, and firmware. Quzara Cybertorch™ consolidates all this information and generates executive summary reports listing out all the vulnerabilities for all OT and IoT devices in a network—which includes prioritized remediation steps. Prioritized remediation steps may include prioritizing fixes based on risk scoring (for example, through common vulnerability scoring system (CVSS) scores and other factors) and automated threat modeling. These reports contain an overall security score for the OT and IoT devices on the network. As remediation occurs, continuous improvement can be measured by subsequent reports showing the overall security score improving.

Figure 3. Vulnerabilities present on an OT workstation.

Continuous monitoring for OT and IoT devices

Quzara Cybertorch™ is a security operations center as a service that leverages Microsoft Sentinel to continuously monitor IT environments as well as OT and IoT environments. Microsoft Sentinel is a security information and event management (SIEM) tool with security orchestration, automation, and response (SOAR) capabilities. Microsoft Sentinel has native interoperability with Microsoft Defender for IoT and is cloud native. Using Microsoft Sentinel, Quzara Cybertorch™ can ingest logs from IT, OT, and IoT devices, creating a unified bird’s-eye view across IT and OT boundaries and empowering our security operations center (SOC) analysts to then analyze for signs of malicious activity.

When using other products, typically a lot of work and expertise is required to create rules that aggregate disparate alerts into consolidated incidents. Quzara Cybertorch™ greatly reduces the work that is required to create targeted rules for OT and IoT incidents, as Microsoft Sentinel has pre-built analytics rules for OT and IoT devices when used in conjunction with Microsoft Defender for IoT. Functionality also exists to create custom rules and playbooks from these OT and IoT alerts. This functionality empowers our SOC analysts to help detect, alert, and assist personnel in mitigating vulnerabilities on OT and IoT devices.

Figure 4. Microsoft Defender for IoT analytics rules in Microsoft Sentinel.

If your team, company, or clients have an OT or IoT environment and are interested in obtaining an OT or IoT cybersecurity risk assessment, please reach out to Quzara Cybertorch™ or by email here.

About Quzara Cybertorch™

Quzara Cybertorch™ is a security operations center as a service and managed detection and response (MDR) purpose-built to meet the needs of U.S. Civilian, Department of Defense (DoD), and Defense Industrial Base (DIB) customers for extended detection and response (XDR), Vulnerability Management, OT and IoT monitoring, and security monitoring needs. Their security operations center as a service, vulnerability management, and XDR capabilities are based on the National Institute of Standards and Technology (NIST) 800-53 FedRAMP HIGH controls. Their entire technology stack leverages FedRAMP HIGH Authorized systems. Quzara Cybertorch™’s team of Security Analysts are all based and operate within the US, with emphasis on security clearances and government support experience. Explore Quzara Cybertorch™ and visit the Quzara Cybertorch™ listing in the Microsoft commercial marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


¹Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises, Mandiant, May 25, 2021.

²Hackers Tried to Poison California Water Supply in Major Cyber Attack, Newsweek, June 18, 2021.

³The Florida water plant attack signals a new era of digital warfare—it’s time to fight back, Darktrace, February 16, 2021.

⁴Ransomware Attack Shuts Down A Top U.S. Gasoline Pipeline, NPR, May 9, 2021.

⁵Executive Order on Improving the Nation’s Cybersecurity, The White House, May 12, 2021.

⁶The “Purdue Model” is a structural model for industrial control system security concerning physical processes, systems, and the IT machines that manage or interact with them.

The post Secure your OT and IoT devices with Microsoft Defender for IoT and Quzara Cybertorch™ appeared first on Microsoft Security Blog.

Microsoft shares 4 challenges of protecting sensitive data and how to overcome them http://approjects.co.za/?big=en-us/security/blog/2022/03/01/microsoft-shares-4-challenges-of-protecting-sensitive-data-and-how-to-overcome-them/ Tue, 01 Mar 2022 17:00:00 +0000

The post Microsoft shares 4 challenges of protecting sensitive data and how to overcome them appeared first on Microsoft Security Blog.

Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. They also can diminish the trust of those who become the victims of identity theft, credit card fraud, or other malicious activities as a result of those breaches. In 2021, the number of data breaches climbed 68 percent to 1,862 (the highest in 17 years) with an average cost of USD4.24 million each.¹ About 45 million people were impacted by healthcare data breaches alone—triple the number impacted just three years earlier.²

Sensitive data is confidential information collected by organizations from customers, prospects, partners, and employees. Common types of sensitive data include credit card numbers, personally identifiable information (PII) like a home address and date of birth, Social Security Numbers (SSNs), corporate intellectual property (IP) like product schematics, protected health information (PHI), and medical record information that could be used to identify an individual.

Every level of an organization—from IT operations and red and blue teams to the board of directors—could be affected by a data breach. How do organizations identify sensitive data at scale and prevent accidental exposure of that data? Let’s look at four of the biggest challenges of sensitive data and strategies for protecting it.

1. Discovering where sensitive data lives

The data discovery process can surprise organizations—sometimes in unpleasant ways. Sensitive data can live in unexpected places within your organization. For instance, an employee may have stored a customer’s SSN in an unprotected Microsoft 365 site or third-party cloud without your knowledge. Of an estimated 294 million people hacked in 2021, about 164 million were at risk because of data exposure events—when sensitive data is left vulnerable online.³

The only way to ensure that your sensitive data is stored properly is with a thorough data discovery process. Scans for data will pick up those surprise storage locations. However, this process is close to impossible to handle manually.

2. Classifying data to learn what’s most important

That leads right into data classification. Once the data is located, you must assign a value to it as a starting point for governance. The data classification process involves determining data’s sensitivity and business impact so you can knowledgeably assess the risks. This will make it easier to manage sensitive data in ways to protect it from theft or loss.

Microsoft uses the following classifications:

  • Non-business: Data from your personal life that doesn’t belong to Microsoft.
  • Public: Business data freely available and approved for public consumption.
  • General: Business data not meant for a public audience.
  • Confidential: Business data that can cause harm to Microsoft if overshared.
  • Highly confidential: Business data that would cause extensive harm to Microsoft if overshared.

Identifying data at scale is a major challenge, as is enforcing a process so employees manually mark documents as sensitive. Leveraging security products that enable auto-labeling of sensitive data across an enterprise is one method, among several, that helps overcome these data challenges.

3. Protecting important data

After classifying data as confidential or highly confidential, you must protect it against exposure to nefarious actors. Ultimately, the responsibility of preventing accidental data exposure falls on the Chief Information Security Officer (CISO) and Chief Data Officer. They are accountable for protecting information and sharing data via processes and workflows that enable protection, while also not hindering workplace productivity.

Data leakage protection is a fast-emerging need in the industry. The Allianz Risk Barometer is an annual report that identifies the top risks for companies over the next 12 months. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. Cyber incidents topped the barometer for only the second time in the survey’s history. At 44 percent, cyber incidents ranked higher than business interruptions at 42 percent, natural catastrophes at 25 percent, and pandemic outbreaks at 22 percent.⁴

4. Governing data to reduce unnecessary data risks

Data governance ensures that your data is discoverable, accurate, trusted, and can be protected. Successfully managing the lifecycle of data requires that you keep data for the right amount of time. You don’t want to store data longer than necessary because that increases the amount of data that could be exposed in a data breach. And you don’t want to delete data too quickly and put your organization at risk of regulatory violations. Sometimes, organizations collect personal data to provide better services or other business value. For instance, you may collect personal data from customers who want to learn more about your services. To abide by the data minimization principle, once the data is no longer serving its purpose, it must be deleted.

How to approach sensitive data

The fallout from not addressing these challenges can be serious. Organizations can face big financial or legal consequences from violating laws or requirements. A couple of well-known brands, for instance, were fined hundreds of millions of euros in 2021. One of these fines was related to violating the GDPR’s personal data processing requirements. Another was because of insufficient detail to consumers in a privacy policy about data processing practices. The data protection authorities have issued a total of $1.25 billion in fines over breaches of the GDPR since January 28, 2021.⁵

Considering the potentially costly consequences, how do you protect sensitive data? As mentioned earlier, data discovery requires locating all the places where your sensitive data is stored. This is much easier with support for sensitive data types that can identify data using built-in or custom regular expressions or functions. Since sensitive data is everywhere, we recommend looking for a multicloud, multi-platform solution that enables you to leverage automation.

For data classification, we advise enforcing a plan through technology rather than relying on users. After all, people are busy, can overlook things, or make errors. Also, organizations can have thousands of sensitive documents, making manual identification and classification of data untenable because the process would be too slow and inaccurate. Look for data classification technology solutions that allow auto-labeling, auto-classification, and enforcement of classification across an organization. Trainable classifiers identify sensitive data using data examples.
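The discovery and auto-labeling approach described in the two paragraphs above, sketched as an added example (not Microsoft's implementation and not code from the original post): a regular expression proposes candidates, and a validation function (Luhn checksum, SSN range rules) discards false positives before a label is suggested. The patterns, the `LABEL_POLICY` mapping onto the classification names listed earlier, and the sample documents are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate patterns (assumed for this example): 13-19 digits with optional
# single space/hyphen separators, and US SSNs written as AAA-GG-SSSS.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Hypothetical policy mapping each sensitive data type to one of the
# classification names used on this page; a real policy is set per organization.
LABEL_POLICY = {"credit_card": "Confidential", "us_ssn": "Highly confidential"}
LABEL_RANK = ["Public", "General", "Confidential", "Highly confidential"]


@dataclass(frozen=True)
class Finding:
    kind: str      # sensitive data type that matched
    offset: int    # character offset of the match in the scanned text
    redacted: str  # only the last four digits, so reports do not leak the value


def luhn_valid(digits):
    """Luhn checksum: the 'function' step that rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject values that are never issued: area 000, 666 or 9xx; group 00; serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_text(text):
    """Return validated findings, ordered by position in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            redacted = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("credit_card", m.start(), redacted))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("us_ssn", m.start(), "***-**-" + m.group(3)))
    return sorted(findings, key=lambda f: f.offset)


def suggest_label(findings):
    """Most restrictive label among the findings, or None when nothing matched."""
    labels = [LABEL_POLICY[f.kind] for f in findings]
    return max(labels, key=LABEL_RANK.index) if labels else None


# Constructed sample documents; the card number is a widely published test value
# and the SSNs are made up.
SAMPLE_DOCS = {
    "orders.txt": "Customer paid with card 4111 1111 1111 1111 on 2022-03-01.",
    "shipping.txt": "Tracking number 1234 5678 9012 3456, weight 2 kg.",
    "hr_export.csv": "name,ssn\nA. Example,123-45-6789\nTest Row,000-12-3456\n",
}


def classify_all(docs):
    """Suggested label per document name."""
    return {name: suggest_label(scan_text(body)) for name, body in docs.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        hits = scan_text(body)
        print(name, suggest_label(hits), [(f.kind, f.redacted) for f in hits])
```

The tracking number in `shipping.txt` matches the card pattern but fails the checksum, which is the kind of false positive a regex-only scan would flag at scale.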

Some solution providers divorce productivity and compliance and try to merely bolt on data protection. Instead, we recommend an approach that integrates data protection into your existing processes to protect sensitive data. When considering plan protections, ask: Who can access the data? Where should the data live and where shouldn’t it live? How can the data be used?

Microsoft solutions offer audit capability where data can be watched and monitored but doesn’t have to be blocked. It can be overridden too so it doesn’t get in the way of the business. Also, consider standing access (identity governance) versus protecting files. Data leakage protection tools can protect sensitive documents, which is important because laws and regulations make companies accountable. 

Explore data protection strategies

Security breaches are very costly. Data discovery, data classification, and data protection strategies can help you find and better protect your company’s sensitive data. Learn more about how to protect sensitive data.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


¹Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

²Cyberattacks Against Health Plans, Business Associates Increase, Jill McKeon, HealthITSecurity xtelligent Healthcare Media. January 31, 2022.

³Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected, Cezary Podkul, ProPublica. January 25, 2022.

⁴Allianz Risk Barometer 2022: Cyber perils outrank Covid-19 and broken supply chains as top global business risk, Allianz Risk Barometer. January 18, 2022.

⁵Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt, Ryan Browne, CNBC. January 17, 2022.

Celebrating 20 Years of Trustworthy Computing http://approjects.co.za/?big=en-us/security/blog/2022/01/21/celebrating-20-years-of-trustworthy-computing/ Fri, 21 Jan 2022 17:00:00 +0000

The post Celebrating 20 Years of Trustworthy Computing appeared first on Microsoft Security Blog.

20 years ago this week, Bill Gates sent a now-famous email to all Microsoft employees announcing the creation of the Trustworthy Computing (TwC) initiative. The initiative was intended to put customer security, and ultimately customer trust, at the forefront for all Microsoft employees. Gates’ memo called upon teams to deliver products that are “as available, reliable and secure as standard services such as electricity, water services, and telephony.”

Protecting customers is core to Microsoft’s mission. With more than 8,500 Microsoft security experts from across 77 countries, dedicated red and blue teams, 24/7 security operations centers, and thousands of partners across the industry, we continue to learn and evolve to meet the changing global threat landscape.

In 2003, we consolidated our security update process into the first Patch Tuesday to provide more predictability and transparency for customers. In 2008, we published the Security Development Lifecycle to describe Microsoft’s approach to security and privacy considerations throughout all phases of the development process.

Of course, the Trustworthy Computing initiative would not be where it is today without the incredible collaboration of the industry and community. In 2005, Microsoft held its first-ever “Blue Hat” security conference, where we invited external security researchers to talk directly to the Microsoft executives and engineers behind the products they were researching.

Today, the Microsoft Security Response Center (MSRC) works with thousands of internal and external security researchers and professionals to quickly address security vulnerabilities in released products. Over the past 20 years, MSRC has triaged more than 70,000 potential security vulnerability cases shared by thousands of external security researchers and industry partners through Coordinated Vulnerability Disclosure (CVD). We’ve since issued more than 7,600 CVEs to help keep customers secure.

Beginning in 2011 with the first Bluehat Award, we have rewarded more than $40 million through the Microsoft Bug Bounty Program to recognize these vital partnerships with the global security research community in over 60 countries.

The security journey that began with TwC has involved many thousands of people across Microsoft and the industry. To celebrate 20 years of this commitment, partnership, and learning in customer security, we’re sharing the thoughts and stories of some of these employees, industry partners, experts, and contributors that helped make this journey possible.

—Aanchal Gupta, VP of Microsoft Security Response Center

The genesis of Trustworthy Computing

In 2001 a small number of us “security people” started moving away from “security products” to think more about “securing features.” Many people think of ‘security’ as security products, like antimalware and firewalls. But this is not the whole picture. We formed a team named the Secure Windows Initiative (SWI) and worked closely with individual development teams to infuse more thought about securing their features.

It worked well, but it simply wasn’t scalable.

David LeBlanc and I talked about things we had found working with various teams. We noticed we got asked the same code-level security questions time and again. So, we decided to write a book on the topic to cover the basics so we could focus on the hard stuff.

That book was Writing Secure Code.

During 2001, a couple of worms hit Microsoft products: CodeRed and Nimda. These two worms led some customers to rethink their use of Internet Information Services. Many of the learnings from this episode went into our book and made the book better. The worms also caused the C++ compiler team to start thinking about how they could add more defenses to the compiled code automatically. Microsoft Research began work on analysis tools to find security bugs. I could feel a change in the company.

In October, I was asked by the .NET security team to look at some security bugs they had found. Because of how great these findings were, we decided to pause development, equip everybody with the latest in security training, and go looking for more security bugs. A part of my job was to train the engineering staff and to triage bugs as they came in. We fixed bugs and added extra defenses to .NET and ASP.NET. This event was known as the “.NET Security Stand Down.”

Around the end of the Stand Down, I heard that Craig Mundie (who reported to Bill) was working on ‘something’ to move the company in a more security-focused direction. At the time, that’s all I knew.

In December 2001, Writing Secure Code finally came, and I was asked to present at a two-hour meeting with Bill Gates to explain the nuances of security vulnerabilities. At the end of the meeting, I gave him a copy of Writing Secure Code. The following Monday he emailed me to say he had read the book and loved it. A few days later, Craig Mundie shared what he had been thinking about. He wanted the company to focus on Security, Privacy, Reliability, and Business Practices. These became the four pillars of Trustworthy Computing. Bill was sold on it and this all led to the now-famous BillG Trustworthy Computing memo of January 2002.

Michael Howard, Senior Principal Cybersecurity Consultant

The evolution of the Security Development Lifecycle

The Security Development Lifecycle (SDL) is around 20 years old now and has evolved significantly since its beginning with Windows. When we started to roll out the SDL across all products back then we often received criticism from teams that it was too Windows-centric. So, the first step was to make the SDL applicable to all teams—keeping the design goal of one SDL but understanding that requirements would vary based on features and product types. We shared our experiences and made the SDL public, followed by the release of tooling we developed including the Threat Modeling Tool, Attack Surface Analyzer (ASA), and DevSkim (these last two we published on GitHub as Open Source projects).

As Microsoft started to adopt agile development methodologies and build its cloud businesses, the SDL needed to evolve to embrace this new environment and paradigm. That meant major changes to key foundations of the SDL like the bug bar, our approach to threat modeling, and how tools are integrated into engineering environments. It also presented new challenges in keeping to the one SDL principle while realizing that cloud environments are very different from the on-premises software we had traditionally shipped to customers.

We have embraced new technologies such as IoT and made further adaptions to the SDL to handle non-Windows operating systems such as Linux and macOS. A huge change was Microsoft’s adoption of Open Source which extended the need for SDL coverage to many different development environments, languages, and platforms. More recently we have incorporated new SDL content to cover the development of Artificial Intelligence and Machine Learning solutions which bring a whole new set of attack vectors.

The SDL has evolved and adapted over the last 20 years but it remains, as always, one SDL.

—Mark Cartwright, Security Group Program Manager

Securing Windows

I started my career at Microsoft as a pen tester in Windows during one of the first releases to fully implement the SDL. I cherish that experience. Every day it felt like I was on the front lines of security. We had an incredible group of people—from superstar pen testers to superstar developers all working together to implement a security process for one of the world’s largest security products. It was a vibrant time and one of the first times I saw a truly cross-disciplinary team of security engineers, developers, and product managers all working together toward a common goal. This left a long-lasting and powerful impression on me personally and on the Windows security culture.

For me, the key lesson learned from Trustworthy Computing is that good security is a byproduct of good engineering. In my naïve view before this experience, I assumed that the best way to get security in a product is to keep hiring security engineers until security improves. In reality, that approach is not possible. There will never be enough scale with security engineers and, simply put, good security requires engineering expertise that pen testing alone cannot achieve.

—David Weston, Partner Director of OS Security and Enterprise

An ever-changing industry

The security industry is amazing in that it never stops changing. What’s even more amazing to me is that the core philosophies of the Trustworthy Computing initiative have continued to hold true—even during 20 years of drastic change.

Compilers are a great foundational example of this. 

In the early days of the Trustworthy Computing initiative, Microsoft and the broader security industry explored groundbreaking features to protect against buffer overflows, including StackGuard, ProPolice, and the /GS flag in Microsoft Visual Studio. As attacks evolved, the guiding principles of Trustworthy Computing led to Microsoft continuously evolving the foundational building blocks of secure software as well: Data Execution Protection (DEP), Address Space Layout Randomization (ASLR), Control-flow Enforcement Technology (CET) to defend against Return-Oriented Programming (ROP), and speculative execution protections, just to name a few. 

Just by compiling software with a few switches, everyday developers could protect themselves against entire classes of exploits. Matt Miller gives a fascinating overview of this history in his BlueHat Israel talk.

At a higher level, one of the things that I’ve been happiest to see change is the evolution away from security absolutism. 

In 2001, there was a lot of energy behind the “10 Immutable Laws of Security”, including several variants of “If an attacker can run a program on your computer, it’s not your computer anymore”. 

The real world, it turns out, is shades of grey. The landscape has evolved, and it’s not game over until defenders say it is. 

We have a rich industry that continually innovates around logging, auditing, forensics, and incident response, and we have evolved our strategies to include Assume Breach, Defense in Depth, “Impose Cost”, and more. For example: as dynamic runtimes have come of age (PowerShell, Python, C#), those that have evolved during the Trustworthy Computing era have become truly excellent examples of software that actively tilts the field in favor of defenders.

While you may not be able to prevent all attacks, you can certainly make attackers regret using certain tools and regret landing on your systems. For a great overview of PowerShell’s journey, check out Defending Against PowerShell Attacks—PowerShell Team.

When we launched the Trustworthy Computing effort, we never could have imagined the complexity of attacks the industry would be fending off in 2022—nor the incredible capability of Blue Teams defending against them. But by constantly refining and improving security as threats evolve, the world is far more secure today than it was 20 years ago.

—Lee Holmes, Principal Security Architect, Azure Security

The cloud is born

The TWC initiative and the SDL that it created recognized that security is a fundamental pillar of earning and keeping customer trust—so it must be infused into all of Microsoft’s product development.

Since it was created, however, software has evolved from physical packages that Microsoft offers for customers to install, configure, and secure—to now include cloud services that Microsoft fully deploys and operates on behalf of customers. Microsoft’s responsibility to customers now includes not just developing secure software—but also operating it in a secure manner.

It also extends to ensuring that services and operational practices meet customer privacy promises and government privacy regulations. 

Microsoft Azure leveraged the SDL framework and Trustworthy Computing principles from the very beginning to incorporate these additional aspects of software security and privacy. Having this foundation in place meant that instead of starting from scratch, we could enhance and extend the tools and processes that were already there for box-product software. Tools and processes like Threat Modeling and static and dynamic analysis were incredibly useful all the way to cloud scenarios like hostile multi-tenancy and DevOps.

As we created, validated, and refined, we and other Microsoft cloud service teams contributed back to the SDL and tooling—including publishing many of these for use by our customers. It’s not an understatement to say that Microsoft Azure’s security and privacy traces its roots directly back to the TWC initiative launch 20 years ago.

The cloud is constantly changing with the addition of new application architectures, programming models, security controls, and technologies like confidential computing. Static analysis tools like CodeQL provide better detections and CI/CD pipeline checks like CredScan help prevent entirely new forms of vulnerabilities that are specific to services.

At the same time, the threat landscape continues to get more sophisticated. Software that does not necessarily follow SDL processes is now a critical part of every company’s supply chain.

Just as the SDL today is much more sophisticated and encompasses far more aspects of the software lifecycle than it did 20 years ago, Microsoft will continue to invest in the SDL to address tomorrow’s software lifecycle and threats.

—Mark Russinovich, Chief Technology Officer and Technical Fellow, Microsoft Azure

An amazing community of researchers

The introduction of the Trustworthy Computing initiative coincided with my first serious forays into Windows security research. For that reason, it has defined how I view the problems and challenges of information security, not just on Windows but across the industry. Many things that I take for granted, such as security-focused development practices or automatic updates, were given new impetus from the expectations laid down 20 years ago.

The fact that I’m still a Windows security researcher after all this time might give you the impression that the TwC initiative failed, but I think that’s an unfair characterization. The challenges of information security have not been static because the computing industry has not been static. Few would have envisaged quite how pervasive computing would be in our lives, and every connected endpoint can represent an additional security risk. 

For every security improvement a product makes, there’s usually a corresponding increase in system complexity which adds an additional attack surface. Finding exploitable bugs is IMO definitely harder than it was 20 years ago, and yet there are more places to look. No initiative is likely to be able to remove all security bugs from a product, at least not in anything of sufficient complexity. 

I feel the lasting legacy of the TwC initiative is not that it brought in a utopia of utmost security; regular news reports make it clear we’re not there yet. Instead, it brought security to the forefront, enabling it to become a first-class citizen in the defining industry of the 21st century.

James Forshaw, First Bluehat Mitigation Bounty Winner 

What I learned about Threat Intelligence from Trustworthy Computing

I spent 10 years at Microsoft in Trustworthy Computing (TwC). I remember being at the meeting with Bill Gates where we talked about the need for a memo on security. From the Windows security stand-down, to XP SP2, to the creation of the Security Development Lifecycle and driving it across every product, to meeting security researchers all over the world and learning from their brilliance and passion, the Trustworthy Computing initiative shaped my entire career. One aspect of security that carries forward with me to this day is about the attacks that take place. Spending time finding and fixing security bugs leads to the world of zero-day exploits and the attackers behind them. Today I run the Microsoft Threat Intelligence Center (MSTIC) and our focus is uncovering attacks by actors all over the globe and what we can do to protect customers from them.

One thing I took from my time in TwC was how important community is. No one company or organization can do it alone. That is certainly true in threat intelligence. It often feels like we hear about attacks as an industry, but defend alone. Yet when defenders work together, something amazing happens. We contribute our understanding of an attack from our respective vantage points and the picture suddenly gets clearer. Researchers contribute new attacker techniques to MITRE ATT&CK, building our collective understanding. They publish detections in the form of Sigma and Yara rules, making knowledge executable. Analysts can create Jupyter notebooks so their expert analysis becomes repeatable by other defenders. A community-based approach can speed all defenders.

While much of my work in TwC was focused inward on Microsoft and the engineering of our products and services, today’s attacks really put customers and fellow defenders at the center. Defense is a global mission and I am excited and hopeful about the opportunity to work on today’s most challenging problems with the world’s defenders.

John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Celebrating 20 Years of Trustworthy Computing appeared first on Microsoft Security Blog.
