Mark Simos, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog

How Microsoft and NIST are collaborating to advance the Zero Trust Implementation
http://approjects.co.za/?big=en-us/security/blog/2024/08/06/how-microsoft-and-nist-are-collaborating-to-advance-the-zero-trust-implementation/
Tue, 06 Aug 2024 20:00:00 +0000

Both Microsoft and the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) have translated the Zero Trust Architecture (ZTA) and Security Model into practical and actionable deployment. In this blog post, we explore details of their collaboration on a Zero Trust (ZT) implementation and what this learning pathway means for your organization.

The post How Microsoft and NIST are collaborating to advance the Zero Trust Implementation appeared first on Microsoft Security Blog.

We are announcing the release of the recently published Zero Trust practice guide, developed in collaboration between Microsoft and the National Cybersecurity Center of Excellence (NCCoE). This guide details how to implement a Zero Trust strategy, and what an end-to-end security approach using Zero Trust means for you and your organization.

While the Zero Trust security model is continuing to gain momentum, customers regularly ask for guidance on how to deploy this model effectively using today’s available technology. Microsoft is participating in an ongoing collaboration led by the National Institute of Standards and Technology’s (NIST’s) NCCoE. Microsoft joined this effort to support this important mission and to help answer our customers’ need for references on Zero Trust implementations.

Since 2022, the NCCoE has collaborated with 24 vendors, including Microsoft, on developing a practice guide with practical steps for organizations eager to implement cybersecurity reference designs for Zero Trust. Zero Trust principles include assuming compromise (assuming breach) to drive a holistic and practical security approach, verifying trust explicitly before granting access to assets, and limiting the blast radius by granting the least privilege necessary. The Zero Trust model describes a collaborative comprehensive approach for end-to-end security that is required to keep up with continuous changes in threats, technology, and business.

“The NCCoE strives to launch initiatives that directly benefit organizations facing modern cybersecurity challenges. The lessons learned from integrating various products and services contributed by collaborators like Microsoft are an invaluable contribution toward this effort.”

—Alper Kerman of NIST

Security isn’t easy—it’s always been an extremely complex and challenging discipline and Zero Trust is now transforming how many aspects of that discipline are done. While there is much more to do, we are encouraged by seeing customers make rapid progress on Zero Trust and getting meaningful benefits from it.


NIST: Implementing a Zero Trust Architecture

This guide from NIST shares practical guidance to implement Zero Trust from the NCCoE labs.

Microsoft and the NIST NCCoE: United in prioritizing Zero Trust model

Both Microsoft and the NCCoE have been strong advocates of the Zero Trust model for years. This diagram illustrates how Microsoft technology maps to the NIST Zero Trust model:

A diagram displaying Microsoft's Zero Trust capability mapping to the NIST Zero Trust Architecture.

NIST’s role in cybersecurity cannot be overstated. In addition to publishing security standards for decades, NIST’s collaborative hub, called the NCCoE, has brought clarity on how to design and implement Zero Trust by publishing how-to guides, practice guides, and business case examples.  

“The NCCoE is dedicated to helping organizations strengthen their cybersecurity. A major way we do this is by translating existing security standards into example implementation guidance, so organizations know exactly what they need to do to protect their most critical assets. By simplifying the process, we can get more organizations benefiting from Zero Trust principles.”

—Alper Kerman of NIST

The Microsoft and NIST NCCoE collaboration

Microsoft has participated for decades in NIST’s open and transparent process for standards development and in particular has supported the NIST NCCoE’s mission to develop practical, interoperable cybersecurity approaches that show how the components of Zero Trust architectures can securely mitigate risks and meet industry sectors’ compliance requirements. Microsoft has been impressed by NIST’s role serving as a credible and clear voice in the security industry. When we found out about this latest collaboration opportunity, we knew we wanted to play a part.

In October 2020, when the NCCoE sought industry partners to support the implementation of the Zero Trust architecture project, we jumped at the opportunity. The NCCoE’s Zero Trust architecture project is its largest to date with 24 participating organizations, seventeen different builds, and a rich set of practical documentation. The goal of this NCCoE project is to demonstrate several example zero trust architecture solutions—applied to a conventional, general-purpose enterprise IT infrastructure—that are designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The documents from this work effectively demonstrate how to practically implement Zero Trust principles using today’s technology.  

The project addresses several common scenarios you may face: 

  • An employee seeks access to corporate resources to complete their work.
  • An employee seeks access to internet resources from enterprise devices to complete tasks. 
  • A contractor tries to access corporate resources and internet resources. 
  • Servers within an enterprise are communicating with each other. 
  • An organization is collaborating with a business partner and wants to securely access specific resources. 
  • An organization wants to integrate monitoring and security information and event management (SIEM) systems with the policy engine for more precise trust scores.

As part of this effort, the NCCoE just announced the general availability of the Zero Trust Architecture 1800-35 practice guide in conjunction with the Zero Trust architecture project. The practice guide details a standards-based implementation of Zero Trust architecture. The guide offers a learning pathway to greater understanding of the Zero Trust security model, and includes practical use cases and various example implementations and associated documentation. It was developed to be simple, usable, and practical.

Collaboration brings learning and value

These resources help Microsoft customers support end-to-end integrations that lead to significant value over time. Our Zero Trust implementation with the NCCoE has already helped us evolve Microsoft technology and guidance for a successful Zero Trust product deployment and will continue to do so. 

What the future of Zero Trust will bring

Both Microsoft and NIST are investigating opportunities to leverage this foundational work to support other use case scenarios that will benefit from the Zero Trust deployment model. Microsoft is excited by the government’s deep commitment to Zero Trust architecture and has been closely monitoring US Executive Order 14028 on Cybersecurity and the OMB Implementation Strategy.

Microsoft is continuously working to achieve an integrated set of offerings to enable customers to more easily and comprehensively address the security challenges they face. Microsoft is also continuously integrating lessons learned from cyberattacks on ourselves as well as on our customers into our guidance and technology. The growth of AI and its close relationship to Zero Trust make this transformation an even more critical effort: a network perimeter can’t secure your AI or your data.

Explore strategies for implementing Zero Trust

We know that adopting a Zero Trust approach is challenging as it requires a shift in mindset, strategy, and architecture as well as a lot of engineering work. We are encouraged by the positive progress and feedback from our customers on this journey, from industry analysts, and other sources. Microsoft is working to ease these challenges through NIST’s NCCoE Zero Trust Architecture consortium, with our Security Adoption Framework (SAF), The Open Group Zero Trust Standards, and other security guidance. 

Learn more

Learn more about Zero Trust.

You can follow Mark Simos on LinkedIn and explore Mark’s List of commonly shared cybersecurity resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


About the National Cybersecurity Center of Excellence

The NCCoE, a part of NIST, is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under CRADAs, including technology partners—from Fortune 50 market leaders to smaller companies specializing in information technology and operational technology security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions by using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to re-create the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland. Information is available at https://www.nccoe.nist.gov.

A clearer lens on Zero Trust security strategy: Part 1
http://approjects.co.za/?big=en-us/security/blog/2022/04/14/a-clearer-lens-on-zero-trust-security-strategy-part-1/
Thu, 14 Apr 2022 18:00:00 +0000

Today's world is flooded with definitions and perspectives on Zero Trust, so we are kicking off a blog series to bring clarity to what Zero Trust is and means. This first blog will draw on the past, present, and future to bring a clear vision while keeping our feet planted firmly on the ground of reality.

The post A clearer lens on Zero Trust security strategy: Part 1 appeared first on Microsoft Security Blog.

Today’s world is flooded with definitions and perspectives on Zero Trust, so we are kicking off a blog series to bring clarity to what Zero Trust is and what it means.

This first blog will draw on the past, present, and future to bring a clear vision while keeping our feet planted firmly on the ground of reality.

An open road with text overlay stating “Honor the past, be honest about the present, and hope for the future.”

We start off with some observations and insights on how people are seeing Zero Trust, then highlight some great work at the National Institute of Standards and Technology (NIST) to make Zero Trust real using products available today, and then highlight work being done at The Open Group to standardize Zero Trust (including an origin story of The Jericho Forum from Steve Whitlock).

Perceptions and scope: How people see Zero Trust

As we talk to customers and partners, it’s become clear that most people see Zero Trust as either a strategic security transformation or as a specific initiative to modernize access control.

Zero Trust strategy chart highlighting multiple modernization initiatives.

While Zero Trust principles are critical to securing access control to the cloud and digital assets, Zero Trust’s scope doesn’t stop there. The urgent need to modernize security beyond the classic perimeter approach extends to:

  • Detecting and responding to threats to your assets in the security operations center (SOC).
  • Protecting data anywhere it goes.
  • Continuously monitoring and improving IT infrastructure security posture.
  • Integrating security into application development processes like development operations (DevOps).
  • Continuously reporting and remediating compliance risks.
  • Extending these capabilities across IoT and operational technology (OT) assets that are frequently targeted by attackers.

The confusion comes because access control is almost always the first priority to solve, whether or not you are planning a major strategic overhaul. As business-critical assets move outside the perimeter to cloud and mobile, the first priority is always to rapidly put in controls to ensure only authorized people can access these business assets. Additional focus is added to this initiative as attackers have learned to reliably get past perimeter access controls with phishing and credential theft attacks.

Access control is urgent but it isn’t the only security problem to solve across this transforming technical estate.

NIST: Zero Trust capabilities available today

The National Cybersecurity Center of Excellence (NCCoE) is bringing many vendors into the lab to implement their solutions for Zero Trust to create actionable guidance. This is creating clarity by implementing the actual technical capabilities of today in a highly transparent process.

I also witnessed how this effort is driving consistency in the industry during my participation as a member of the Microsoft team supporting this effort. I watched many vendors share their vision of Zero Trust to the collective project team during the kickoff (which was like a condensed version of the RSA conference show floor). The only thing I saw in common among these presentations was that each vendor used the NIST Zero Trust diagram (often mapping their solutions to it). While this illustrated how challenging it is to get a common view of Zero Trust, it also showcases how valuable NIST’s efforts are at creating much-needed consistency for Zero Trust.

For more information, read our blog Microsoft and NIST collaborate on EO to drive Zero Trust adoption or visit the NCCoE project page.

The Open Group: Standardizing Zero Trust

The Open Group is well on the path to defining Zero Trust as a global standard, similar to The Open Group Architecture Framework (TOGAF), Open FAIR, and others. This rigorous process is focused on clearly defining the scope of Zero Trust, what it is, what it isn’t, and how to link Zero Trust (and security) to business goals and priorities. This top-down approach complements the NIST technology-up approach to provide additional clarity for Zero Trust.

Some historical context from the Jericho Forum®

The Open Group is no stranger to Zero Trust as they host the (now-retired) Jericho Forum® which is widely recognized as planting the seeds for what became the modern Zero Trust movement. The Open Group’s Zero Trust work builds on this work from almost 20 years ago and focuses on the challenges faced by modern enterprises today.

Before we get into the current work, we thought it would be helpful to do a quick review of the Jericho Forum® origin story. While the world was different in many ways back then, this effort was born of the recognition that perimeter approaches were already failing to meet security needs.

Steve Whitlock is one of the original Jericho Forum® members and graciously shared this origin story:

The mid to late 1990s—By all measures, security costs were rising but the solutions weren’t actually solving the problems. A few Chief Information Security Officers (CISOs) of large enterprises based in the United Kingdom met periodically to try and figure out what was going on. While their perspective didn’t fit the accepted norm of “protect the network,” these CISOs were not novices. One CISO of a large United Kingdom-based energy company had been among the first professional CISOs in Britain and trained many people who would go on to run information security at other corporations. Another at a European energy company had written an internal document that evolved into the ISO 2700 series of security and risk management standards.

In January of 2004, these four CISOs formed the Jericho Forum® to focus on defining the issue, termed de-perimeterisation, and proposing a way forward. Their efforts quickly attracted other strategic thinkers. In 2005, the first Jericho Forum® conference was held and a visioning white paper was released. This was followed in 2006 by the Jericho Forum® Commandments. This set of strategic principles is designed to enable an organization to survive in a world without traditional perimeters. The Jericho Forum® went on to issue a series of papers on related topics including cloud security, secure collaboration, security protocols, Voice over Internet Protocol (VoIP), wireless, and data security. And a second set of commandments concerning identity, entitlement, and access management was released in 2011.

Later, the Jericho Forum® was fully absorbed into The Open Group, and having laid out its principles for change, formally shut down in 2013. The Jericho Forum® articulated the need for better data protection, including the use of smart data, and one of its founders created a global organization to define the parts of a global digital identity ecosystem. Others from the Jericho Forum® contributed to a cloud security organization’s guidance documents.

The Zero Trust Commandments and beyond

The current work of The Open Group builds upon those hard-won lessons and updates them today with recent best practices, current trends, and expected future trends:

  • This started with the Zero Trust Core Principles that defined Zero Trust, including key drivers and core principles.
  • This continued into the Zero Trust Commandments that updated the original Jericho Forum® Commandments, defining a non-negotiable list of criteria for Zero Trust.
  • Work is now underway in The Open Group to build on these commandments and provide a full technical standard for a Zero Trust reference model.

The Zero Trust Commandments are one of the clearest ways available today to identify whether something is Zero Trust or not. If you hear a claim of Zero Trust, you can ask:

  • Does this action support one or more commandments?
    If yes, it can be part of Zero Trust.
  • Does this action violate a commandment?
    Anything that violates a commandment is not Zero Trust (and is probably counterproductive to business goals, security, or both).

We will dive deeper into the Zero Trust Commandments through several upcoming blogs in this series.

In the meantime, we encourage you to read up on the Zero Trust Commandments and use them to guide your Zero Trust planning and help filter out what is and isn’t actually Zero Trust.

Embrace proactive security with a Zero Trust framework

Join other cybersecurity professionals at the Microsoft Security Summit digital event on May 12, 2022. Get fresh security insights during a live chat Q&A with cyber strategy and threat intelligence experts and discover solutions you can use to lay the foundation for a safer and more innovative future. Register now.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

3 steps to prevent and recover from ransomware
http://approjects.co.za/?big=en-us/security/blog/2021/09/07/3-steps-to-prevent-and-recover-from-ransomware/
Tue, 07 Sep 2021 16:00:37 +0000

Learn real-world steps for protecting against the latest ransomware and other malicious cyberattacks.

The post 3 steps to prevent and recover from ransomware appeared first on Microsoft Security Blog.

On July 14, 2021, the National Cybersecurity Center of Excellence [1] (NCCoE) at the National Institute of Standards and Technology [2] (NIST) hosted a virtual workshop [3] to seek feedback from government and industry experts on practical approaches to preventing and recovering from ransomware and other destructive cyberattacks. After we wrote up our feedback for NIST, we realized it would be helpful to share this perspective more broadly to help organizations better protect themselves against the rising tide of (highly profitable) ransomware attacks. While ransomware and extortion attacks are still evolving rapidly, we want to share a few critical lessons learned and shed some light on common misconceptions about ransomware attacks.

Clarifying attack terminology and scope

One common misconception about ransomware attacks is that they only involve ransomware—”pay me to get your systems and data back”—but these attacks have actually evolved into general extortion attacks. While ransom is still the main monetization angle, attackers are also stealing sensitive data (yours and your customers’) and threatening to disclose or sell it on the dark web or internet (often while holding onto it for later extortion attempts and future attacks).

We’re also seeing a widespread perception that ransomware is still constrained to basic cryptolocker style attacks, first seen in 2013, that only affect a single computer at a time (also known as the commodity model). Today’s attackers have evolved far beyond this—using toolkits and sophisticated affiliate business models to enable human operators to target whole organizations, deliberately steal admin credentials, and maximize the threat of business damage to targeted organizations. The ransomware operators often buy login credentials to organizations from other attack groups, rapidly turning what seems like low-priority malware infections into significant business risks.

Simple, prioritized guidance

We’ve also seen that many organizations still struggle with where to start, especially smaller operations with limited staff and experience. We believe all organizations should begin with simple and straightforward prioritization of efforts (three steps) and we have published this, along with why each priority is important.


Figure 1: Recommended mitigation prioritization.

Create detailed instructions

Microsoft has also found that many organizations struggle with the next level of the planning process. As a result, we built guidance to make following these steps as clear and easy as possible. Microsoft already works with NIST NCCoE on several efforts, including the Zero Trust effort, which supports Presidential Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. We welcome the opportunity for any additional ransomware-related work by providing clarifying guidance using whatever tools and technologies organizations have available.


Figure 2: Secure backup instructions from Microsoft’s human-operated ransomware page.

Microsoft’s recommended mitigation prioritization

Based on our experience with ransomware attacks, we’ve found that prioritization should focus on these three steps: prepare, limit, and prevent. This may seem counterintuitive since most people want to simply prevent an attack and move on. But the unfortunate truth is that we must assume breach (a key Zero Trust principle) and focus on reliably mitigating the most damage first. This prioritization is critical because of the high likelihood of a worst-case scenario with ransomware. While it’s not a pleasant truth to accept, we’re facing creative and motivated human attackers who are adept at finding a way to control the complex real-world environments in which we operate. Against that reality, it’s important to prepare for the worst and establish frameworks to contain and prevent attackers’ abilities to get what they’re after.

While these priorities should govern what to do first, we encourage organizations to run as many steps in parallel as possible (including pulling quick wins forward from step three whenever you can).

Step 1. Prepare a recovery plan: Recover without paying

  • What: Plan for the worst-case scenario and expect that it will happen at any level of the organization.
  • Why: This will help your organization:
    • Limit damage for the worst-case scenario: Restoring all systems from backups is highly disruptive to business, but it’s still more efficient than trying to do recovery using low-quality attacker-provided decryption tools after paying to get the key. Remember: paying is an uncertain path; you have no guarantee that the attackers’ key will work on all your files, that the tools will work effectively, or the attacker—who may be an amateur using a professional’s toolkit—will act in good faith.
    • Limit the financial return for attackers: If an organization can restore business operations without paying, the attack has effectively failed and resulted in zero return on investment for the attackers. This makes it less likely they will target your organization again in the future (and deprives them of funding to attack others). Remember: attackers may still attempt to extort your organization through data disclosure or abusing/selling the stolen data, but this gives them less leverage than possessing the only means of accessing your data and systems.
  • How: Organizations should ensure they:
    • Register risk. Add ransomware to the risk register as a high-likelihood and high-impact scenario. Track mitigation status via your Enterprise Risk Management (ERM) assessment cycle.
    • Define and backup critical business assets. Automatically back up critical assets on a regular schedule, including correct backup of critical dependencies, such as Microsoft Active Directory.
    • Protect backups. To safeguard against deliberate erasure and encryption, use offline storage, immutable storage, and/or out-of-band steps (multifactor authentication or PIN) before modifying or erasing online backups.
    • Test ‘recover from zero’ scenario. Ensure that your business continuity and disaster recovery (BC/DR) can rapidly bring critical business operations online from zero functionality (all systems down). Conduct practice exercises to validate cross-team processes and technical procedures, including out-of-band employee and customer communications (assume all email and chat are down). Important: protect (or print) supporting documents and systems required for recovery, including restoration-procedure documents, configuration management databases (CMDBs), network diagrams, and SolarWinds instances. Attackers regularly destroy these documents.
    • Reduce on-premises exposure. Move data to cloud services with automatic backup and self-service rollback.
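The backup-protection controls in Step 1 (write-once storage, a retention lock, an out-of-band approval before anything is erased, and a verified "recover from zero" drill) are easier to reason about when modelled in code. The following Python is an added example written for this page, not code from Microsoft or from the NIST practice guide; the class name, the retention period, the shared approval secret and the payroll snapshot are all constructed for illustration, and in a real deployment the verifier would run inside the backup service rather than on an administrator's workstation.

```python
"""Added example (not from the original post): a minimal model of the
Step 1 backup controls -- append-only snapshots, a retention lock, an
out-of-band approval code before deletion, and an integrity manifest
that is checked on restore. All names and data are constructed."""
import hashlib
import hmac
import time


class ImmutableBackupStore:
    """Write-once snapshot store with retention lock and deletion approval."""

    def __init__(self, retention_seconds, approval_secret):
        self.retention_seconds = retention_seconds
        # Assumption: the secret is known only to the out-of-band approval
        # channel (e.g. a second admin's MFA/PIN flow), never to the online path.
        self.approval_secret = approval_secret
        self.snapshots = {}  # name -> {"data", "sha256", "created"}

    def write(self, name, data, now=None):
        """Create a snapshot; existing names can never be overwritten."""
        now = time.time() if now is None else now
        if name in self.snapshots:
            raise PermissionError(f"{name}: snapshots are write-once")
        self.snapshots[name] = {
            "data": bytes(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # manifest entry
            "created": now,
        }
        return self.snapshots[name]["sha256"]

    def approval_code(self, name):
        """Constructed stand-in for the out-of-band factor bound to one snapshot."""
        return hmac.new(self.approval_secret, name.encode(), hashlib.sha256).hexdigest()

    def delete(self, name, approval, now=None):
        """Refuse deletion inside the retention window or without a valid approval."""
        now = time.time() if now is None else now
        snap = self.snapshots[name]
        if now - snap["created"] < self.retention_seconds:
            raise PermissionError(f"{name}: retention lock still active")
        if not hmac.compare_digest(approval, self.approval_code(name)):
            raise PermissionError(f"{name}: out-of-band approval missing or invalid")
        del self.snapshots[name]

    def restore(self, name):
        """Return snapshot bytes only if they still match the manifest hash."""
        snap = self.snapshots[name]
        if hashlib.sha256(snap["data"]).hexdigest() != snap["sha256"]:
            raise ValueError(f"{name}: integrity check failed, backup may be tampered")
        return snap["data"]


def run_recovery_drill():
    """Exercise the 'recover from zero' scenario and report each outcome."""
    store = ImmutableBackupStore(retention_seconds=7 * 86400,
                                 approval_secret=b"constructed-oob-secret")
    t0 = 1_700_000_000.0  # fixed clock so the drill is repeatable
    payroll = b"employee,salary\nalice,1\nbob,2\n"  # constructed critical asset
    name = "payroll-2024-01-01"
    results = {"written": store.write(name, payroll, now=t0)}

    # Someone holding the backup admin's credentials tries to destroy the snapshot.
    attempts = [
        ("overwrite", lambda: store.write(name, b"", now=t0 + 60)),
        ("delete_during_retention", lambda: store.delete(name, "", now=t0 + 60)),
        ("delete_without_approval", lambda: store.delete(name, "guess", now=t0 + 8 * 86400)),
    ]
    for label, action in attempts:
        try:
            action()
            results[label] = "allowed"
        except PermissionError:
            results[label] = "blocked"

    # Legitimate disposal: retention expired and the out-of-band code is presented.
    store.write("payroll-2023-01-01", b"old", now=t0 - 30 * 86400)
    store.delete("payroll-2023-01-01", store.approval_code("payroll-2023-01-01"), now=t0)
    results["approved_delete_ok"] = "payroll-2023-01-01" not in store.snapshots

    # Restore from zero: recovered bytes must equal what was backed up.
    results["restore_ok"] = store.restore(name) == payroll

    # Failure mode: storage altered underneath the manifest is caught on restore.
    store.snapshots[name]["data"] = b"ENCRYPTED BY RANSOMWARE"
    try:
        store.restore(name)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_recovery_drill().items():
        print(f"{key}: {value}")
```

The drill is the part worth copying into a real BC/DR exercise: it does not just confirm that a backup exists, it confirms that the destructive paths are blocked, that a restore reproduces the original bytes, and that a corrupted copy is rejected rather than silently restored.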

Step 2. Limit the scope of damage: Protect privileged roles (starting with IT admins)

  • What: Ensure you have strong controls (prevent, detect, respond) for privileged accounts, such as IT admins and other roles with control of business-critical systems.
  • Why: This slows or blocks attackers from gaining complete access to steal and encrypt your resources. Taking away the attacker’s ability to use IT admin accounts as a shortcut to resources will drastically lower the chances that they’ll be successful in controlling enough resources to impact your business and demand payment.
  • How: Enable elevated security for privileged accounts—tightly protect, closely monitor, and rapidly respond to incidents related to these roles. See Microsoft’s recommended steps that:
    • Cover end-to-end session security (including multifactor authentication for admins).
    • Protect and monitor identity systems.
    • Mitigate lateral traversal.
    • Promote rapid threat response.

Step 3. Make it harder to get in: Incrementally remove risks

  • What: Prevent a ransomware attacker from entering your environment, as well as rapidly respond to incidents and remove attacker access before they can steal and encrypt data.
  • Why: This causes attackers to fail earlier and more often, undermining their profits. While prevention is the preferred outcome, it may not be possible to achieve 100 percent prevention and rapid response across a real-world organization with a complex multi-platform, multi-cloud estate and distributed IT responsibilities.
  • How: Identify and execute quick wins that strengthen security controls to prevent entry and rapidly detect and evict attackers, while implementing a sustained program that helps you stay secure. Microsoft recommends following the principles outlined in the Zero Trust strategy. Against ransomware, organizations should prioritize:
    • Improving security hygiene by reducing the attack surface and focusing on vulnerability management for assets in their estate.
    • Implementing protection, detection, and response controls for digital assets, as well as providing visibility and alerting on attacker activity while responding to active threats.

The takeaway

To counter the threat of ransomware, it’s critical to identify, secure, and be ready to recover high-value assets—whether data or infrastructure—in the likely event of an attack. This requires a sustained effort involving obtaining buy-in from the top level of your organization (like the board) to get IT and security stakeholders working together asking nuanced questions. For example, what are the critical parts of the business that could be disrupted? Which digital assets map to these business segments (files, systems, databases)? How can we secure these assets? This process may be challenging, but it will help set up your organization to make impactful changes using the steps recommended above.

To learn more, visit our page on how to rapidly protect against ransomware and extortion.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] National Cybersecurity Center of Excellence.

[2] National Institute of Standards and Technology, US Department of Commerce.

[3] Virtual Workshop on Preventing and Recovering from Ransomware and Other Destructive Cyber Events, National Cybersecurity Center of Excellence, 14 July 2021.

Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats
http://approjects.co.za/?big=en-us/security/blog/2021/05/26/becoming-resilient-by-understanding-cybersecurity-risks-part-4-navigating-current-threats/
Wed, 26 May 2021 16:00:31 +0000

Learn how your infrastructure and security operations can make you vulnerable to insider threats, ransomware, weaponized AI, and more.

The post Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats appeared first on Microsoft Security Blog.

In part three of this blog series on aligning security with business objectives and risk, we explored what it takes for security leaders to shift from looking at their mission as purely defending against technical attacks, to one that focuses on protecting valuable business assets, data, and applications.

As businesses begin reimagining their future in a post-pandemic world, most are pivoting to a digital-first approach to take full advantage of technological innovation (much of which was adopted in haste). The pandemic has accelerated three existing trends and the tension between them: how to remain relevant against a backdrop of consumer and market demands, how to react and respond to evolving cyber threats, and how to do this reliably while reducing complexity and cost.

Becoming a resilient organization requires collaboration between business and security leaders and a lifecycle approach to continuous improvement.

Figure 1. The cyclical stages of an incident: before, during, and after an incident, and the lessons learned.

In this blog, we delve deeper into specific themes in recent cyberattack trends—how and why they work so effectively—and strategies to mitigate them.

On-premises vs. cloud security

As we’ve seen from the progression of headline-grabbing attacks over the course of this blog series, today’s attackers have choices. They can remain on-premises and have a better chance of lingering unseen in the complexity of multiple generations of legacy technology, or they can elevate privileges and move to the cloud, where there’s a higher risk of detection. In the most recent nation-state attack, HAFNIUM took the path of least resistance and targeted organizations through on-premises Microsoft Exchange Servers, leveraging a zero-day exploit to gain backdoor access to data centers. After Microsoft released critical out-of-band updates, attackers were quick to seek out and compromise unpatched servers in a race to take advantage of the situation before those doors were closed.

The Exchange attack illustrates the challenges companies face in managing a complex hybrid of on-premises and cloud that spans many generations of technology. For many organizations, upgrading systems is a costly operation, so security teams are often asked to protect both old and new technology at the same time. Organizations need to simplify the management of this complex mix because attackers are always looking for vulnerabilities. The good news is that cloud security is no longer just for cloud resources; it’s extending to cover on-premises resources, up to and including the 50- to 100-year-old operational technology (OT) equipment that’s controlled by computer technology retrofitted 30 to 50 years ago.

Your security team can reduce risk by prioritizing the cloud as the preferred source of security technology. This will simplify adoption, reduce maintenance overhead, ensure the latest innovations and capabilities, and provide unified visibility and control across multiple generations of technology. No longer are we just referring to cloud security, but rather security delivered from the cloud.

Ransomware

Criminal organizations are increasingly relying on cybercrime as a high-reward, low-risk (illicit) line of business. However, it’s the evolution of human-operated ransomware that’s now driving the business need to address longstanding security hygiene and maintenance issues. Ransomware’s evolution can be traced to WannaCry and NotPetya malware, which fused large-scale compromise techniques with an encryption payload that demanded ransom payments in exchange for a decryption key. Sometime around June 2019, the new generation of human-operated ransomware started infecting systems, expanding into an enterprise-scale operation that blends targeted attacks and extortion.

What makes human-operated ransomware so dangerous? Unlike most cyber threats, these are not preprogrammed attacks. Human attackers know the weaknesses in your networks and how to exploit them. Attacks are multistage and opportunistic—they might gain access via remote desktop protocol (RDP) brute force or through banking trojans, then decide which networks are most profitable. Like nation-state attacks, these breaches can have dwell times lasting from minutes to months. Human operators may also deliver other malicious payloads, steal credentials, or exfiltrate data. Some known human-operated ransomware campaigns that Microsoft actively monitors include REvil, Samas, Bitpaymer, and Ryuk.

Figure 2: Human-operated ransomware—attack paths.

Human-operated ransomware is an extortion model that can use any one of multiple attack vectors. These attacks are often highly damaging and disruptive to an organization because of the combination of:

  1. Broad access to business-critical assets: Attackers rapidly gain broad enterprise access and control through credential theft.
  2. Disruption of business operations: The extortion business model requires inflicting the maximum pain on the organization (while still allowing recovery) in order to make paying the ransom attractive.

By denying access to business-critical data and systems across the enterprise, the attackers are more likely to profit, and organizations are more likely to suffer significant or material impact.

In the same way COVID-19 has shifted industry perceptions regarding bring-your-own-device (BYOD) policies and remote work, human-operated ransomware is poised to trigger seismic shifts in cybersecurity. Organizations that fail to prepare for these evolving threats face the prospect of performing mass restores of systems and data or paying the ransom (not recommended).

This is particularly true if they have any of these commonly held (and dangerous) false beliefs:

  • Attackers aren’t interested in us because we’re just a small organization, don’t have secrets, aren’t a government, or some other seemingly relevant characteristic.
  • We are safe because we have firewalls.
  • A password is good enough for admins; so multifactor authentication (MFA) can be deferred.
  • Attackers won’t find unpatched VPNs and operating systems; so, maintenance can be deferred.
  • We don’t apply security updates to internal systems like domain controllers to avoid impacting availability and performance.
  • Security operations (SecOps) can manually write every alert and respond using a SIEM and a firewall; so, modernization with high-quality XDR detections and SOAR can be deferred.

If your organization is targeted, we strongly discourage paying any ransom, since this will incentivize future attacks. Also, there’s no guarantee that payment will get you the promised decryption key, or even that the attackers won’t sell your data on the dark web anyway. For a specific plan of how to address ransomware, see our downloadable Ransomware recommendations PowerPoint.

On the upside, having a business continuity and disaster recovery (BCDR) solution can provide a crucial safety net. Datto’s Global Ransomware Report 2020 indicates that three out of four managed service providers (MSPs) report that clients with BCDR solutions recovered from a ransomware attack within 24 hours. However, just having a BCDR plan is not enough; you need an immutable backup that cannot be corrupted or deleted, because attackers actively try to corrupt backups.

This control needs to be implemented effectively across all generations of technology, including on-premises and in the cloud. Information protection and file encryption can also make data unreadable, even if exfiltrated.

Insider threats

Many data leaks can be attributed to accidents by insiders, but the risk posed by deliberate internal threats is on the rise as well—68 percent of organizations feel “moderately to extremely vulnerable” to all kinds of insider attacks. The same percentage confirms that insider attacks are becoming more frequent. Anyone who has access to an organization’s confidential data, IT, or network resources is a potential risk, whether they intend to do harm or not. This could include employees, consultants, vendors, former employees, business partners, or even a board member.

Recent examples include a former Amazon finance manager charged in a $1.4 million insider trading scheme, a Shopify data breach carried out by two employees, and an insider attack at Stradis Healthcare carried out by the former vice president of finance that “disrupted the delivery of personal protective equipment in the middle of a global pandemic.” Deliberate insider threats straddle both the physical and digital workspace, but organizations can protect themselves by looking for signs, including:

Digital warning signs

  • Accessing data not associated with their job function.
  • Using unauthorized storage devices.
  • Network crawling and searches for sensitive data.
  • Data hoarding or copying sensitive files.
  • Emailing sensitive data outside the organization.

Behavioral warning signs

  • Attempts to bypass security.
  • Frequently in the office during off-hours.
  • Displays disgruntled behavior.
  • Violates corporate policies.
  • Discusses resigning or new opportunities.
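As an added example (not code from the post or from any Microsoft product), here is detection logic that scores a constructed event log against the digital warning signs above, plus an off-hours modifier adapted from the behavioral list. The users, paths, thresholds, weights and event schema are all assumptions.

```python
"""Insider-risk signal scoring over a constructed event log.

Added example, not code from the Microsoft post or any Microsoft product.
It turns the warning signs listed above into detection logic: each event
is checked against the digital signs (out-of-scope data access, unapproved
storage devices, crawling many shares, hoarding sensitive files, emailing
sensitive data externally) plus an off-hours modifier, and every user gets
a tally of signals and a weighted score. Users, paths, thresholds, weights
and the event schema are all assumptions.
"""
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "example.com"                      # assumed corporate domain
USER_DEPT = {"alice": "finance", "bob": "engineering"}
DEPT_DATA_SCOPE = {"finance": {"finance", "hr"}, "engineering": {"engineering"}}
APPROVED_DEVICES = {"corp-usb-0001"}                 # allow-listed USB devices

WEIGHTS = {                                          # assumed per-sign weights
    "out_of_scope_access": 2, "unauthorized_storage": 3, "network_crawling": 2,
    "data_hoarding": 3, "external_email_sensitive": 4, "off_hours_activity": 1,
}
CRAWL_MIN_DISTINCT_SHARES = 4    # distinct shares touched by one user
HOARD_MIN_SENSITIVE_COPIES = 3   # sensitive files copied by one user
OFF_HOURS = set(range(22, 24)) | set(range(0, 6))

# Constructed sample log (not real telemetry). alice does ordinary finance
# work; bob, an engineer, shows several of the listed warning signs.
SAMPLE_EVENTS = [
    {"ts": "2021-05-20T09:12:00", "user": "alice", "action": "file_read",
     "path": "/shares/finance/q2-forecast.xlsx", "label": "finance", "sensitive": True},
    {"ts": "2021-05-20T10:05:00", "user": "alice", "action": "email_send",
     "recipient": "cfo@example.com", "attachment_sensitive": True},
    {"ts": "2021-05-20T14:30:00", "user": "bob", "action": "file_read",
     "path": "/shares/engineering/design.docx", "label": "engineering", "sensitive": False},
    {"ts": "2021-05-20T23:02:00", "user": "bob", "action": "file_read",
     "path": "/shares/finance/payroll.csv", "label": "finance", "sensitive": True},
    {"ts": "2021-05-20T23:10:00", "user": "bob", "action": "file_copy",
     "path": "/shares/hr/salaries.xlsx", "label": "hr", "sensitive": True},
    {"ts": "2021-05-20T23:15:00", "user": "bob", "action": "file_copy",
     "path": "/shares/legal/contracts.zip", "label": "legal", "sensitive": True},
    {"ts": "2021-05-20T23:21:00", "user": "bob", "action": "file_copy",
     "path": "/shares/finance/acquisition-memo.pdf", "label": "finance", "sensitive": True},
    {"ts": "2021-05-20T23:30:00", "user": "bob", "action": "usb_mount",
     "device": "unknown-usb-77af"},
    {"ts": "2021-05-21T00:05:00", "user": "bob", "action": "email_send",
     "recipient": "bob.private@webmail.example.org", "attachment_sensitive": True},
]


def event_signals(ev):
    """Signs that can be judged from a single event."""
    found = []
    scope = DEPT_DATA_SCOPE.get(USER_DEPT.get(ev["user"], ""), set())
    if ev["action"] in ("file_read", "file_copy") and ev["label"] not in scope:
        found.append("out_of_scope_access")
    if ev["action"] == "usb_mount" and ev["device"] not in APPROVED_DEVICES:
        found.append("unauthorized_storage")
    if (ev["action"] == "email_send" and ev.get("attachment_sensitive")
            and ev["recipient"].rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN):
        found.append("external_email_sensitive")
    if datetime.fromisoformat(ev["ts"]).hour in OFF_HOURS:
        found.append("off_hours_activity")
    return found


def score_events(events):
    """Return {user: {"signals": {sign: evidence_count}, "score": int}}."""
    report = {u: {"signals": defaultdict(int), "score": 0} for u in USER_DEPT}
    shares_seen = defaultdict(set)
    sensitive_copies = defaultdict(int)
    for ev in events:
        user = ev["user"]
        rec = report.setdefault(user, {"signals": defaultdict(int), "score": 0})
        for sign in event_signals(ev):
            rec["signals"][sign] += 1
        if ev["action"] in ("file_read", "file_copy"):
            # The share is the first two path components, e.g. /shares/finance.
            shares_seen[user].add("/".join(ev["path"].split("/")[:3]))
            if ev["action"] == "file_copy" and ev["sensitive"]:
                sensitive_copies[user] += 1
    # Crawling and hoarding are only visible across the whole window.
    for user, rec in report.items():
        if len(shares_seen[user]) >= CRAWL_MIN_DISTINCT_SHARES:
            rec["signals"]["network_crawling"] = len(shares_seen[user])
        if sensitive_copies[user] >= HOARD_MIN_SENSITIVE_COPIES:
            rec["signals"]["data_hoarding"] = sensitive_copies[user]
        rec["signals"] = dict(rec["signals"])
        rec["score"] = sum(WEIGHTS[s] for s in rec["signals"])
    return report


if __name__ == "__main__":
    for user, rec in sorted(score_events(SAMPLE_EVENTS).items(),
                            key=lambda kv: -kv[1]["score"]):
        print(f"{user:8} score={rec['score']:2}  {rec['signals']}")
```

The score is a triage aid for an insider-risk review, not a verdict; the thresholds are deliberately simple so they can be tuned to an organization's own baseline of normal activity.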

The key to preventing insider threats is to detect a violation before it happens. This means being empathetic to your organization’s changing environment and managing potential stressors that could lead to aberrant behavior. Being cognizant of employee wellbeing is not only in the best interests of your staff, it also drastically reduces the occurrence of insider threats for your organization. Microsoft invests in mitigating both accidental and deliberate insider threats with insider risk management, policy tips, and more.

Overcoming analyst fatigue

As the dust settles after the double-impact of the Nobelium and Hafnium attacks, we’re returning to a “normal baseline” of steadily increasing impact, volume, and sophistication of attacks. This lack of relief hits security professionals hardest, particularly analysts in security operations responding to these incidents.

The talented security professionals who silently bear the burden of attackers’ profit models often experience a high likelihood of burnout. According to PsyberResilience, the list of reasons for burnout among security professionals is long: fear of letting the organization down by missing that one threat amongst thousands every day; exhausting work schedules; fatigue from trying to keep up with new threats and technologies; the emotional toll of facing down criminals and witnessing their lack of morality.

Security teams need real help, and they need to feel supported and connected to the mission. Here are a few tips that can go a long way:

  • Show your appreciation: The first minimum step for business leaders is to thank these hardworking people and get a basic understanding of what it’s like to experience these attacks from the ground level. Just as CEOs and business leaders should take time out to meet the people who make business operations work (like factory workers, truck drivers, nurses, doctors, cooks, engineers, and scientists), they should also do the same with security operations personnel to show the importance of the work to keep the organization safe every day.
  • Enable automation and orchestration: This is critical to removing redundant, repetitive workflows or steps that burn up work hours and burn out employees. Azure Sentinel and Microsoft 365 Defender automate investigation and remediation tasks for many incidents, reducing the burden of repetitive work on analysts. Different security solutions in your enterprise need to see and share threat intelligence, driving a unified response across on-premises and multi-cloud environments.
  • Bring in help: Many companies find it difficult to recruit and retain security professionals, especially organizations that have a smaller security team. Supplementing your team with experts from service providers can help you bring in top talent for the limited times you need them or help scale the experts you have by shifting high-volume frontline analyst work to the service provider.
  • Take a collaborative approach: Reach out to peers in other industries to learn about their challenges. How do hospitals secure their patient data? How is cybersecurity done in retail operations, airlines, or government offices? Looking into different verticals might offer some new ideas and inspiration. An army of interconnected defenders provides more clarity and oversight than any single organization can maintain. For more technical information about how this works, learn about the community-based approach to information security.

Augmented intelligence and deepfakes

Using machine learning and automation has proven to be an incredible tool for defenders to detect and respond to threats faster. However, attackers also have access to similar technology and are leveraging this to their advantage. In another example of the cyber and physical worlds coming together, cybercriminals were able to create a near-perfect impersonation of a chief executive’s voice using deepfake technology—tricking the company into transferring $243,000 to their bank account. Attackers combined machine learning and AI with social engineering to convince people to move the money.

While still rare, AI and machine learning attacks like this are becoming more common. Attackers can make a deepfake using public recordings of their target from earnings calls, interviews, and speeches, mimicking their mannerisms and using the technology as a kind of mask. Despite the advanced technology required for one of these attacks, the defense may be refreshingly straightforward and non-technical—if in doubt, call the person back. Using a secondary authentication for high-value transactions can also provide an additional secure step in the approval process, making it difficult for attackers to anticipate and fake out all of the channels at once.

With the use of AI and machine learning becoming more prolific in the defender’s kit bag, cybercriminals have also taken to attacking and poisoning the algorithms that are used to detect anomalies; often flooding the algorithm with data to skew results or generate false positives. In short, the human intelligence layer remains critical to providing contextual awareness and understanding of new cyber threats, helping to decipher the evolving tactics and techniques designed to evade detection.

Stay tuned

The next post in this series will focus on how your organization can pull all these concepts together into a security strategy that integrates with your business priorities, risk frameworks, and processes.

If you want to read ahead, you can check out the secure methodology in the cloud adoption framework.

Learn more

Read the previous blogs in this series:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective
http://approjects.co.za/?big=en-us/security/blog/2021/02/24/becoming-resilient-by-understanding-cybersecurity-risks-part-3-a-security-pros-perspective/
Wed, 24 Feb 2021 17:00:04 +0000
Get insights on how to work with business leaders to manage risk and defend against sophisticated cyber threats.

The post Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective appeared first on Microsoft Security Blog.

In part two of this blog series on aligning security with business objectives and risk, we explored the importance of thinking and acting holistically, using the example of human-operated ransomware, which threatens every organization in every industry. As we exited 2020, the Solorigate attack highlighted how attackers are continuously evolving. These nation-state threat actors used an organization’s software supply chain against them, with the attackers compromising legitimate software and applications with malware that installed into target organizations.

In part three of this series, we will further explore what it takes for security leaders to pivot their program from looking at their mission as purely defending against technical attacks to one that focuses on protecting valuable business assets, data, and applications. This pivot will enable business and cybersecurity leaders to remain better aligned and more resilient to a broader spectrum of attack vectors and attacker motivations.

What problem do we face?

First, let’s set a quick baseline on the characteristics of human-operated cyberattacks.

This diagram depicts commonalities and differences between for-profit ransomware and espionage campaigns:

Figure 1: Comparison of human-operated attack campaigns (commonalities and differences between for-profit ransomware and espionage campaigns).

Typically, the attackers are:

  • Flexible: Utilize more than one attack vector to gain entry to the network.
  • Objective driven: Achieve a defined purpose from accessing your environment. This could be specific to your people, data, or applications, but you may also just fit a class of targets like “a profitable company that is likely to pay to restore access to their data and systems.”
  • Stealthy: Take precautions to remove evidence or obfuscate their tracks (though at different investment and priority levels; see Figure 1).
  • Patient: Take time to perform reconnaissance to understand the infrastructure and business environment.
  • Well-resourced: Skilled in the technologies they are targeting (though the depth of skill can vary).
  • Experienced: They use established techniques and tools to gain elevated privileges to access or control different aspects of the estate (which grants them the privileges they need to fulfill their objective).

There are variations in the attack style depending on the motivation and objective, but the core methodology is the same. In some ways, this is analogous to the difference between a modern electric car versus a “Mad Max” style vehicle assembled from whatever spare parts were readily and cheaply available.

What to do about it?

Because human attackers are adaptable, a static technology-focused strategy won’t provide the flexibility and agility you need to keep up with (and get ahead of) these attacks. Historically, cybersecurity has tended to focus on the infrastructure, networks, and devices—without necessarily understanding how these technical elements correlate to business objectives and risk.

By understanding the value of information as a business asset, we can take concerted action to prevent compromise and limit risk exposure. Take email, for example: every employee in the company typically uses it, and the majority of communications have limited value to attackers. However, it also contains potentially highly sensitive and legally privileged information (which is why email is often the ultimate target of many sophisticated attacks). Categorizing email through only a technical lens would incorrectly categorize it as either a high-value asset (correct for those few very important items, but impossible to scale) or a low-value asset (correct for most items, but missing the crown jewels in email).

Figure 2: Business-centric security.

Security leaders must step back from the technical lens, learn what assets and data are important to business leaders, and prioritize how teams spend their time, attention, and budget through the lens of business importance. The technical lens will be re-applied as the security and IT teams work through solutions, but looking at this only as a technology problem runs a high risk of solving the wrong problems.

It is a journey to fully understand how business value translates to technical assets, but it’s critical to get started and make this a top priority to end the eternal game of ‘whack-a-mole’ that security plays today.

Security leaders should focus on enabling this transformation by:

  1. Aligning the business in a two-way relationship:
  • Communicate in their language: explain security threats in business-friendly language and terminology that helps to quantify the risk and impact to the overall business strategy and mission.
  • Participate in active listening and learning: talk to people across the business to understand the important business services and information and the impact if they were compromised or breached. This will provide clear insight into prioritizing the investment in policies, standards, training, and security controls.
  2. Translating learnings about business priorities and risks into concrete and sustainable actions:
  • Short term: focus on dealing with burning priorities:
    • Protecting critical assets and high-value information with appropriate security controls (controls that increase security while enabling business productivity).
    • Focusing on immediate and emerging threats that are most likely to cause business impact.
    • Monitoring changes in business strategies and initiatives to stay in alignment.
  • Long term: set direction and priorities to make steady progress over time and improve overall security posture:
    • Zero Trust: Create a clear vision, strategy, plan, and architecture for reducing risks in your organization aligned to the Zero Trust principles of assuming breach, least privilege, and explicit verification. Adopting these principles shifts from static controls to more dynamic risk-based decisions that are based on real-time detections of anomalous behavior, irrespective of where the threat originated.
    • Burn down technical debt as a consistent strategy by operating security best practices across the organization, such as replacing password-based authentication with passwordless and multi-factor authentication (MFA), applying security patches, and retiring (or isolating) legacy systems. Just like paying off a mortgage, you need to make steady payments to realize the full benefit and value of your investments.
    • Apply data classifications, sensitivity labels, and role-based access controls to protect data from loss or compromise throughout its lifecycle. While these can’t completely capture the dynamic nature and richness of business context and insight, they are key enablers to guide information protection and governance, limiting the potential impact of an attack.
  3. Establishing a healthy security culture by explicitly practicing, communicating, and publicly modeling the right behavior. The culture should focus on open collaboration between business, IT, and security colleagues and applying a ‘growth mindset’ of continuous learning. Culture changes should be focused on removing silos between security, IT, and the larger business organization to achieve greater knowledge sharing and resilience.

You can read more on Microsoft’s recommendations for security strategy and culture here.

In the next blog of the series, we will explore the most common attack vectors, how and why they work so effectively, and the strategies to mitigate evolving cybersecurity threats.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Becoming resilient by understanding cybersecurity risks: Part 2
http://approjects.co.za/?big=en-us/security/blog/2020/12/17/becoming-resilient-by-understanding-cybersecurity-risks-part-2/
Thu, 17 Dec 2020 17:00:26 +0000
Whilst this may be uncomfortable reading, the ability to pre-empt and respond quickly to these attacks is now an organizational imperative that requires a level of close collaboration and integration throughout your organization (which may not have happened to date).

The post Becoming resilient by understanding cybersecurity risks: Part 2 appeared first on Microsoft Security Blog.

In part one of this blog series, we looked at how being resilient to cybersecurity threats is about understanding and managing the organizational impact from the evolution of human conflict that has existed since the dawn of humanity. In part two of this series, we further explore the imperative of thinking and acting holistically as a single organization working together to a common goal. Building true resilience begins with framing the issue accurately to the problem at hand and continuously (re)prioritizing efforts to match pace with evolving threats.

For this blog, we will use the example of a current cybersecurity threat that spans every organization in every industry as an example of how to put this into practice. The emergence of human-operated ransomware has created an organizational risk at a pace we have not seen before in cybersecurity. In these extortion attacks, attackers are studying target organizations carefully to learn what critical business processes they can stop to force organizations to pay, and what weaknesses in the IT infrastructure they can exploit to do it.


This type of threat enables attackers to stop most or all critical business operations and demand ransom to restore them by combining:

  • A highly lucrative extortion business model.
  • Organization-wide impact utilizing well-established tools and techniques.

Whilst this may be uncomfortable reading, the ability to pre-empt and respond quickly to these cyberattacks is now an organizational imperative that requires a level of close collaboration and integration throughout your organization (which may not have happened to date).

Because these attacks directly monetize stopping your business operations, you must:

  • Identify and prioritize monitoring and protection for critical business assets and processes.
  • Restore business operations as fast as possible, when attacked.

Applying this in a complex organization requires you to:

  1. Know thyself: The first step towards resilience is identifying your critical business assets and processes and ensuring appropriate team members truly understand them so that appropriate controls can be implemented to protect and rapidly restore them. These controls should include business and technical measures such as ensuring immutable or offline backups (as attackers try to eliminate all viable alternatives to paying the ransom, including anti-tampering mechanisms).
  2. This is not a one-time event: Your business and technical teams need to work together to continuously evaluate your security posture relative to the changing threat landscape. This enables you to refine priorities, build mutual trust and strong relationships, and build organizational muscle memory.
  3. Focus on high-impact users: Just as your executives and senior managers have control and access over massive amounts of sensitive and proprietary information that can damage the organization if exposed, IT administrators also have access and control over the business systems and networks that host that information. Ransomware attackers traverse your network and target IT administrator accounts, making the seizure of privileged access a critical component of their attack success. See Microsoft’s guidance on this topic.
  4. Build and sustain good hygiene: As we discussed in our first blog, maintaining and updating software and following good security practices is critical to building resilience to these attacks. Because organizations have a backlog of technical debt, it’s critical to prioritize this work to pay off the most important debt first.
  5. Ruthlessly prioritize: Ruthless prioritization applies a calm but urgent mindset to prioritizing tasks to stay on mission. This practice focuses on the most effective actions with the fastest time to value regardless of whether those efforts fit pre-existing plans, perceptions, and habits.
  6. Look through an attacker’s lens: The best way to prioritize your work is to put yourself in the perspective of an attacker. Establishing what information would be valuable to an attacker (or malicious insider), how they would enter your organization and access it, and how they would extract it will give you invaluable insights into how to prioritize your investments and response. Assess the gaps, weaknesses, and vulnerabilities that could be exploited by attackers across the end-to-end business processes and the backend infrastructure that supports them. By modeling the process and systems and what threats attackers can pose to them, you can take the most effective actions to remove or reduce risk to your organization.
  7. Exercise and stress test: This strategy will be tested by attackers in the real world, so you must proactively stress test to find and fix the weaknesses before the attackers find and exploit them. This stress testing must extend to both business processes and technical systems so that organizations build overall resilience to this major risk. This requires systematically removing assumptions in favor of known facts that can be relied upon in a major incident. This should be prioritized based on scenarios that are high impact and high likelihood like human-operated ransomware.

Whilst it’s tempting for experienced leaders and technical professionals to get caught up in how things have been done before, cybersecurity is a fundamentally disruptive force that requires organizations to work collaboratively and adopt and adapt the practices documented in Microsoft’s guidance.

“We cannot solve our problems with the same thinking we used when we created them.”—Albert Einstein

For all this to be successful, your organization must work together as a single coherent entity, sharing insights and resources from business, technical, and security teams to leverage diverse viewpoints and experiences. This approach will help you plan and execute pragmatically and effectively against evolving threats that impact all parts of your organization.

In our next blog, we will continue to explore how to effectively manage risk from the perspective of business and cybersecurity leaders and the capabilities and information required to stay resilient against cyberattacks.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Building a Zero Trust business plan
http://approjects.co.za/?big=en-us/security/blog/2020/12/09/building-a-zero-trust-business-plan/
Wed, 09 Dec 2020 19:00:31 +0000
These past six months have been a remarkable time of transformation for many IT organizations. With the forced shift to remote work, IT professionals have had to act quickly to ensure people continue working productively from home—in some cases bringing entire organizations online over a weekend. While most started by scaling existing approaches, many organizations […]

The post Building a Zero Trust business plan appeared first on Microsoft Security Blog.

These past six months have been a remarkable time of transformation for many IT organizations. With the forced shift to remote work, IT professionals have had to act quickly to ensure people continue working productively from home—in some cases bringing entire organizations online over a weekend. While most started by scaling existing approaches, many organizations are now turning to Zero Trust approaches to rapidly enable and secure their remote workforce.

We are committed to helping customers plan and deploy Zero Trust. Last month, we announced our Zero Trust Deployment Center, a repository of resources to help accelerate the deployment of Zero Trust across data, applications, network, identity, infrastructure, and devices.

This month, we’re excited to share the release of our Zero Trust Business Plan. This document captures lessons learned from leaders who sponsored, guided, and oversaw the adoption of Zero Trust within customers’ organizations. This document will provide guidance across the full lifecycle of your Zero Trust initiative:

  • Plan: Build a business case focused on the outcomes that are most closely aligned with your organization’s risks and strategic goals.
  • Implement: Create a multi-year strategy for your Zero Trust deployment and prioritize early actions based on business needs.
  • Measure: Track the success of your Zero Trust deployment to provide confidence that the implementation of Zero Trust provides measurable improvements.


Other resources

Check out our growing repository of resources ready to help you with Zero Trust—regardless of where you are in your journey. Our Zero Trust assessment tool is a great way to measure your overall maturity and progress toward Zero Trust (including your existing capabilities). This new business plan provides a practical guide to implementing a Zero Trust framework. Our Zero Trust deployment guidance provides clear technical implementation guidance. Visit our Zero Trust page to stay up to date on the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.

Back to the future: What the Jericho Forum taught us about modern security http://approjects.co.za/?big=en-us/security/blog/2020/10/28/back-to-the-future-what-the-jericho-forum-taught-us-about-modern-security/ Wed, 28 Oct 2020 16:00:03 +0000 Learn about the roots of Zero Trust concept in the Jericho Forum and how they apply to today’s world of remote work more than ever.

Some of the earliest formal work on what we now call Zero Trust started in a security consortium known as the Jericho Forum (which later merged into The Open Group Security Forum). This started as a group of like-minded CISOs wrestling with the limitations of the dominant and unquestioned philosophy of securing all resources by putting them on a ‘secure’ network behind a security perimeter.

The Jericho Forum promoted a new concept of security called de-perimeterisation that focused on how to protect enterprise data flowing in and out of your enterprise network boundary instead of striving to convince users and the business to keep it on the corporate network. This shift to “secure assets where they are” proved quite prophetic, especially when you consider that the original iPhone didn’t release until 2007 (which triggered the sea change of user preferences shaping enterprise technology decisions that is now just normal).

One CISO: Our network has become a mini-internet

A lot has changed since the days when we knew exactly what was on our network. The CISO of a multinational organization once remarked that its corporate network had become a miniature internet. With hundreds of thousands of devices connected at all hours, including many unmanaged devices, the network has lost its ability to create trust for the devices on it. While network controls still have a place in a security strategy, they are no longer the foundation upon which we can build the assurances we need to protect business assets.

In this blog, we will examine how these concepts (captured succinctly in the Jericho® Forum Commandments) have helped shape what has become Zero Trust today, including Microsoft’s Zero Trust vision and technology.

Accepting de-perimeterisation frees security architects and defenders to re-think their approach to securing data. Securing data where it is (vs. artificially confining it to a network) is also more naturally aligned to the business and enables the business to operate securely.

Blocking is a blunt instrument

While security folks love the idea of keeping an organization safe by blocking every risk, the real world needs flexible solutions to gracefully handle the grey areas and nuances.

The classic approach of applying security exclusively at the network level limits what context security sees (e.g., what the user or application is trying to do at this moment) and usually limits the response options to only blocking or allowing.

This is comparable to a parent filtering content for their children by blocking specific TV channels or entire sites like YouTube. Just like blocking sites in security, this coarse-grained blocking causes issues in both directions: the kids may need YouTube to do their online classes, and they can still find other websites and TV channels with inappropriate content.

We have found that it’s better to offer users a safe path to be productive rather than just blocking a connection or issuing an “access denied.” Microsoft has invested heavily in zero trust to address both the usability and security needs in this grey area:

  • Providing easy ways to prove trustworthiness using multi-factor authentication (MFA) and passwordless authentication that do not repeatedly prompt for validation if risk has not changed, as well as hardware security assurances that silently protect users’ devices.
  • Enabling users to be productive in the grey areas – Users must be productive for their jobs even if they are working from unmanaged networks or unusual locations. Microsoft allows users to increase their trust with MFA prompts and enables organizations to limit or monitor sessions to mitigate risk without blocking productivity.

While it’s tempting to think “but it’s just safer if we block it entirely”, beware of this dangerous fallacy. Users today control how they work and they will find a way to work in a modern way, even if they must use devices and cloud services completely outside the control of IT and security departments. Additionally, attackers are adept at infiltrating approved communication channels that are supposed to be safe (legitimate websites, Domain Name System (DNS) traffic, email, etc.).

The Jericho Forum recognized emerging trends that are now simply part of normal daily life. As we make security investments in the future, we must embrace new ways of working, stop confining assets unnaturally to a network they do not belong on, and secure those assets and users where they are and wherever they go.

Learn more about Why Zero Trust.

Becoming resilient by understanding cybersecurity risks: Part 1 http://approjects.co.za/?big=en-us/security/blog/2020/10/13/becoming-resilient-by-understanding-cybersecurity-risks-part-1/ Tue, 13 Oct 2020 19:00:37 +0000

All risks have to be viewed through the lens of the business or organization. While information on cybersecurity risks is plentiful, you can’t prioritize or manage any risk until the impact (and likelihood) to your organization is understood and quantified.

This rule of thumb on who should be accountable for risk helps illustrate this relationship:

The person who owns (and accepts) the risk is the one who will stand in front of the news cameras and explain to the world why the worst-case scenario happened.

This is the first in a series of blogs exploring how to manage challenges associated with keeping an organization resilient against cyberattacks and data breaches. This series will examine both the business and security perspectives and then look at the powerful trends shaping the future.

This blog series is unabashedly trying to help you build a stronger bridge between cybersecurity and your organizational leadership.

A visualization of how to manage organizational risk through leadership

Organizations face two major trends driving both opportunity and risk:

  • Digital disruption: We are living through the fourth industrial revolution, characterized by the fusion of the physical, biological, and digital worlds. This is having a profound impact on all of us as much as the use of steam and electricity changed the lives of farmers and factory owners during early industrialization.
    Tech-disruptors like Netflix and Uber are obvious examples of using the digital revolution to disrupt existing industries, which spurred many industries to adopt digital innovation strategies of their own to stay relevant. Most organizations are rethinking their products, customer engagement, and business processes to stay current with a changing market.
  • Cybersecurity: Organizations face a constant threat to revenue and reputation from organized crime, rogue nations, and freelance attackers who all have their eyes on your organization’s technology and data, which is being compounded by an evolving set of insider risks.

Organizations that understand and manage risk without constraining their digital transformation will gain a competitive edge over their industry peers.

Cybersecurity is both old and new

As your organization pulls cybersecurity into your existing risk framework and portfolio, it is critical to keep in mind that:

  • Cybersecurity is still relatively new: Unlike responding to natural disasters or economic downturns with decades of historical data and analysis, cybersecurity is an emerging and rapidly evolving discipline. Our understanding of the risks and how to manage them must evolve with every innovation in technology and every shift in attacker techniques.
  • Cybersecurity is about human conflict: While managing cyber threats may be relatively new, human conflict has been around as long as there have been humans. Much can be learned by adapting existing knowledge on war, crime, economics, psychology, and sociology. Cybersecurity is also tied to the global economic, social, and political environments and can’t be separated from those.
  • Cybersecurity evolves fast (and has no boundaries): Once a technology infrastructure is in place, there are few limits on the velocity of scaling an idea or software into a global presence (whether helpful or malicious), mirroring the history of rail and road infrastructures. While infrastructure enables commerce and productivity, it also enables criminal or malicious elements to leverage the same scale and speed in their actions. These bad actors don’t face the many constraints of legitimate usage, including regulations, legality, or morality, in the pursuit of their illicit goals. These low barriers to entry on the internet help to increase the volume, speed, and sophistication of cyberattack techniques soon after they are conceived and proven. This puts us in the position of continuously playing catch-up to their latest ideas.
  • Cybersecurity requires asset maintenance: The most important and overlooked aspect of cybersecurity is the need to invest in ‘hygiene’ tasks to ensure consistent application of critically important practices.
    One aspect that surprises many people is that software ‘ages’ differently than other assets and equipment, silently accumulating security issues with time. Like a brittle metal, these silent issues suddenly become massive failures when attackers find them. This makes it critical for business leadership to proactively support ongoing technology maintenance (despite no previous visible signs of failure).

Stay pragmatic

In an interconnected world, a certain amount of playing catch-up is inevitable, but we should minimize the probability and impact of business-impacting events by taking a proactive stance.

Organizations should build and adapt their risk and resilience strategy, including:

  1. Keeping threats in perspective: Ensuring stakeholders are thinking holistically in the context of business priorities, realistic threat scenarios, and reasonable evaluation of potential impact.
  2. Building trust and relationships: We’ve learned that the most important cybersecurity approach for organizations is to think and act symbiotically—working in unison with a shared vision and goal.
    Like any other critical resource, trust and relationships can be strained in a crisis. It’s critical to invest in building strong and collaborative relationships between security and business stakeholders who have to make difficult decisions in a complex environment with incomplete information that is continuously changing.
  3. Modernizing security to protect business operations wherever they are: This approach is often referred to as Zero Trust and helps security enable the business, particularly digital transformation initiatives (including remote work during COVID-19) versus the traditional role as an inflexible quality function.

One organization, one vision

As organizations become digital, they effectively become technology companies and inherit both the natural advantages (customer engagement, rapid scale) and difficulties (maintenance and patching, cyberattack). We must accept this and learn to manage this risk as a team, sharing the challenges and adapting to the continuous evolution.

In the coming blogs, we will explore these topics from the perspective of business leaders and from cybersecurity leaders, sharing lessons learned on framing, prioritizing, and managing risk to stay resilient against cyberattacks.

How to organize your security team: The evolution of cybersecurity roles and responsibilities http://approjects.co.za/?big=en-us/security/blog/2020/08/06/organize-security-team-evolution-cybersecurity-roles-responsibilities/ Thu, 06 Aug 2020 16:00:58 +0000 Evolve your security skills and security organization to enable digital transformation.

Digital transformation, cloud computing, and a sophisticated threat landscape are forcing everyone to rethink the functions of each role on their security teams, from Chief Information Security Officers (CISOs) to practitioners.

With billions of people around the globe working from home, changes to the daily practice of cybersecurity are accelerating. Organizations are shifting from defending a traditional network perimeter (keeping business assets in a safe place) to more effective zero trust strategies (protect users, data, and business assets where they are). This transformation brings technology changes and also opens up questions of what people’s roles and responsibilities will look like in this new world.

At the same time, continuous delivery models are requiring security teams to engage more closely during business planning and application development to effectively manage cyber risks (vs. the traditional ‘arms-length’ security approaches). This requires security professionals to better understand the business context and to collaborate more closely with stakeholders outside of security.

In this new world, traditional job descriptions and security tools won’t set your team up for success. Leaders must create role clarity in this transformation to help their teams navigate uncertainty. This will reduce distractions and stress, as well as help people focus on the important tasks that make the whole team shine.

While each organization and each person will have a unique journey, we have seen common patterns for successfully transforming roles and responsibilities. To help security leaders and practitioners plan for this transformation, Microsoft has defined common security functions, how they are evolving, and key relationships. In this blog, we’ll provide a summary of our recommendations to help you get started.

Security roles must evolve to confront today’s challenges

Security functions represent the human portion of a cybersecurity system. They are the tasks and duties that members of your team perform to help secure the organization. Depending on your company size and culture, individuals may be responsible for a single function or multiple functions; in some cases, multiple people might be assigned to a single function as a team.

High performing security teams understand their individual roles, but also see themselves as a larger team working together to defend against adversaries (see Figure 1). The following functions represent a fully populated enterprise security team, which may be aspirational for some organizations. Organizations often need to prioritize where to invest first based on their risk profile, available resources, and needs.

Figure 1: Each function works as part of a whole security team within the organization, which is part of a larger security community defending against the same adversaries.

Policy and standards

This team develops, approves, and publishes security policy and standards to guide security decisions within the organization and inspire change. This team must take into account cloud platforms, DevOps processes and tools, and relevant regulations, among other factors. Read more about the security policy and standards function.

Security operations center (SOC)

A security operations center (SOC) detects, responds to, and remediates active attacks on enterprise assets. SOCs are currently undergoing significant change, including an elevation of the function to business risk management, changes in the types of metrics tracked, new technologies, and a greater emphasis on threat hunting. Read more about the SOC function.

Security architecture

Security architecture translates the organization’s business and assurance goals into a security vision, providing documentation and diagrams to guide technical security decisions. A modern architecture function needs to consider continuous delivery, identity-centric security solutions for cloud assets, cloud-based security solutions, and more. Read more about the security architecture function.

Security compliance management

The objective of cloud security compliance management is to ensure that the organization is compliant with regulatory requirements and internal policies. As you modernize this function, consider the role that cloud providers play in compliance status, how you link compliance to risk management, and cloud-based compliance tools. Read more about the security compliance management function.

People security

People security protects the organization from inadvertent human mistakes and malicious insider actions. The cloud and changing threat landscape require this function to consider how to effectively engage employees in security, organizational culture change, and identification of insider threats. Read more about the people security function.

Application security and DevSecOps

The objective of application security and DevSecOps is to integrate security assurances into development processes and custom line of business applications.

Cloud services and APIs have enabled a faster delivery cadence and influenced the creation of the DevOps team model, driving a number of changes. The biggest change we see is the integration of security into the development process, which requires culture and process adjustments as each specialty adopts the best of the other’s culture. This function must also adopt an agile mindset and stay up to date on new tools and technologies. Read more about the application security and DevSecOps function.

Data security

The main objective for a data security team is to provide security protections and monitoring for sensitive enterprise data in any format or location. New regulations and data loss prevention models are influencing the evolution of this function, and the sheer volume of data being stored on numerous devices and cloud services has also had a significant impact. Read more about the data security function.

Infrastructure and endpoint security

The infrastructure and endpoint security function is responsible for security protection of the data center infrastructure, network components, and user endpoint devices. Software-defined datacenters and other cloud technologies are helping solve longstanding data center security challenges, and cloud services are transforming the security of user endpoint devices. Read more about the infrastructure and endpoint security function.

Identity and keys

The main objective of a security team working on identity management is to provide authentication and authorization of humans, services, devices, and applications. Key and certificate management provides secure distribution of and access to key material for cryptographic operations (which often support similar outcomes as identity management).

One of the big changes is that the identity and key/certificate management disciplines are coming closer together, as they both provide assurances on the identity of entities and enable secure communications. This function also plays a significant role in modernizing security by establishing an identity-based perimeter that is a keystone of a zero-trust access control strategy. Read more about the identity and keys function.

Threat intelligence

Security threat intelligence provides context and actionable insights on active attacks and potential threats to empower organizational leaders and security teams to make better (data-driven) decisions. Threat intelligence usually grows from a technical scope into servicing the larger organization with strategic, tactical, and operational (technical) threat intelligence. Read more about the threat intelligence function.

Posture management

Posture management builds on existing functions like vulnerability management and focuses on continuously monitoring and improving the security posture of the organization. Posture management is typically one of the largest changes because it supports decisions in many other functions using information that only recently became available because of the heavy instrumentation of cloud technology. This function includes zero-trust based access controls, real-time risk scoring, threat and vulnerability management, and threat modeling, among others. Read more about the posture management function.

Incident preparation

The primary objective for the incident preparation function is to build process maturity and muscle memory for responding to major incidents throughout the organization, including security teams, executive leadership, and many others outside of security. These practice exercises have become powerful tools to ensure stakeholders are informed and familiar with their role in a major security incident. Read more about the incident preparation function.

Looking forward

In the beginning of the journey, clarity is critical to shine a light on the path forward and the journey ahead. As you walk the path, healthy doses of empathy and continuous learning are key to maintaining forward momentum. Organizations should invest in both formal training and supporting self-directed exploration to ensure people get the knowledge they need and have the confidence to take the risks required to transform.

In addition to the cloud security functions guidance, Microsoft has also invested in training and documentation to help with your journey—see the CISO Workshop, Microsoft Security Best Practices, recommendations for defining a security strategy, and the security documentation site.
