Michal Braverman-Blumenstyk, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics. Feed last updated Wed, 01 Nov 2023 16:04:49 +0000.

Starting your journey to become quantum-safe
http://approjects.co.za/?big=en-us/security/blog/2023/11/01/starting-your-journey-to-become-quantum-safe/
Wed, 01 Nov 2023 16:00:00 +0000

Thanks to our extensive experience in quantum engineering and expertise as a service and security provider, we can serve as a trusted partner to navigate this process across industry and government.

The post Starting your journey to become quantum-safe appeared first on Microsoft Security Blog.

There’s no doubt we are living through a time of rapid technological change. Advances in ubiquitous computing and ambient intelligence transform nearly every aspect of work and life. As the world moves forward with new advancements and distributed technologies, so too does the need to understand the potential security risks. At Microsoft, our mission has always been focused on keeping our customers’ and partners’ information and data safe and secure, and this is why we’re committed to advancing encryption solutions, in order to enable responsible use of new technologies such as AI and quantum computing. As one important example, while scaled quantum computing will help solve some of our toughest problems, like helping us discover new ways of addressing climate change and food scarcity, its development may also create a new set of security challenges and in turn require new encryption standards. As this future quickly approaches, how can we ensure that we reap the benefits of quantum computing while remaining safe in a post-quantum world?

Figure: Start your journey with Microsoft towards quantum-safety.

We believe the first step every organization should take toward quantum safety is to be aware of the need to organize, plan, and begin an impact assessment. We recommend prioritizing symmetric encryption where applicable and subsequently adopting post-quantum cryptography (PQC) for asymmetric encryption once it is standardized and approved by the relevant standards-setting bodies and governments, as recommended by cybersecurity agencies globally. Furthermore, we are exploring and experimenting with additional classical and quantum security solution layers through internal experiments, proofs of concept (POCs), and collaborations with partners.

Given that preparing for such an objective will be a multi-year and iterative process that requires strategic foresight, it’s crucial for organizations to start investing time in their planning and execution efforts today. Thanks to our extensive experience in quantum engineering and expertise as a service and security provider, we can serve as a trusted partner to navigate this process across industry and government. 

Tomorrow’s quantum computers threaten today’s data 

In our previous blog post, we discussed the limitations of current quantum computers in terms of breaking today’s encryption technology. In parallel, the emergence of scaled quantum computers with specific algorithms—such as Shor’s algorithm—could put public key encryption at risk and compromise sensitive information. 

While it may take at least 1 million qubits for a quantum computer to break certain encryption algorithms using Shor’s algorithm, today’s long-term and sensitive data could already be at risk: bad actors could carry out a “Harvest Now, Decrypt Later” scenario by recording data today and decrypting it later when cryptographically relevant quantum computers become available. Therefore, knowing which data to secure now is a first step on the path to a quantum-safe future.  

Microsoft’s commitment to keeping our customers and partners secure 

Putting our recommendations into practice, we have taken a comprehensive approach to quantum safety. Because quantum will have a material impact on today’s classical encryption of both hardware and software, we’ve invested time and efforts to set cross-company goals and establish accountability at the most senior levels of our organization. This led to the establishment of the Microsoft Quantum Safe Program, which aims to accelerate and advance all quantum-safe efforts across Microsoft from both technical and business perspectives. The program focuses on Microsoft’s transition to quantum safety and the adoption of PQC algorithms across our products, services, and datacenters. Additionally, it aims to assist and empower our customers and partners on their own journey to quantum safety across their processes, priorities, and requirements.  

As the first step and highest priority, we are ensuring the compliance of our existing symmetric key encryption and hash function algorithms. Symmetric algorithms, such as the Advanced Encryption Standard (AES), and hash functions, such as the Secure Hash Algorithm (SHA), are resilient to quantum attacks and can therefore still be used in deployed systems. At Microsoft, we are already using protocols based on symmetric encryption, such as the Media Access Control Security (MACsec) point-to-point protocol.

On top of symmetric encryption, we will prioritize PQC algorithms—still in the process of being standardized by global bodies such as the National Institute of Standards and Technology (NIST), International Standards Organization (ISO), and Internet Engineering Task Force (IETF)—to handle future threats where asymmetric encryption is currently used. Today, much of the internet’s data, from e-commerce to Wi-Fi access, is kept secure by public key, or asymmetric key cryptography. Currently used public key algorithms rely on complex mathematical problems considered infeasible for classical computers to break, but that are a perfect task for quantum computers running Shor’s algorithm. This undermines the effectiveness of public key algorithms like RSA and Elliptic Curve Cryptography (ECC), and means that PQC algorithms will need to be deployed quickly once standardized, starting with hybrid encryption schemes in tandem with classical algorithms to accelerate adoption. 

Empowering and collaborating with the global community 

We see the effort to achieve quantum safety as a collaborative effort, and this is why we invest heavily in our ecosystems, global partnerships, and close collaborations with standards-setting bodies, academia, and industry partners alike to foster continuous innovation in the quantum security landscape. The standardization of PQC algorithms, driven by NIST’s efforts, is a key step to achieving PQC compliance.

Because we believe that PQC adoption is the ideal path to follow, we’re collaborating with standards-setting bodies while conducting experiments and assessments to facilitate the adoption of these algorithms across our services and products as needed. As an example, we are participating in the NIST/NCCoE Migration to PQC project to demonstrate the detection of quantum-vulnerable cryptography and to drive PQC experiments and integration capabilities. Those efforts, along with our participation in the Open Quantum Safe project, will allow the members to implement and test PQC candidates together, so we can be ready for adoption once the final specs are out.

Furthermore, as part of our investment to empower and collaborate with the global security community, we co-authored FrodoKEM, a quantum-safe key encapsulation mechanism that has been selected, together with Kyber and Classic McEliece, to be part of the first international ISO standard for PQC (in addition, we are participating as co-editors of the standard). We also recently submitted SQISign, a new quantum-safe signature scheme that we co-authored with several industry and academia partners, to NIST’s call for additional signature schemes. Lastly, we continue to actively participate as founding members of the new post-quantum cryptography coalition by MITRE and will help to drive progress toward a broader understanding of the public adoption of PQC and NIST’s recommendations. 

While we continue to conduct research to further develop state-of-the-art security solutions, we are also exploring the potential of other classical and quantum technologies, such as Quantum Key Distribution (QKD). Holistically, at the core of our mission is a commitment to achieving quantum-safety and ensuring the security of our customers.

Getting started with your PQC transition today  

To support our customers in preparing for and navigating their quantum-safe journey, we offer assistance and guidance: we invite you to start your path with us by filling out this questionnaire. Based on your responses, we can understand your status and priorities, and provide the necessary support, including access to experts.  

As a first step, we recommend starting with a comprehensive planning process and a definition of your organization’s criteria for what constitutes your critical areas and sensitive information, alongside a cryptography inventory and impact assessment of your essential data, code, cryptographic technologies, and the critical services of your organization. This will help you to identify any asymmetric encryption in use that will need to be replaced with the latest PQC standardized algorithms. This process is especially important to identify critical areas and systems that involve or protect sensitive data with a value that extends beyond 10 years and should be prioritized in migrating to PQC. 

By considering which data and code need to be secured now, and which may become less relevant over time, as well as uncovering specific instances where cryptography could be used inappropriately or not ideally, your organization will have a better understanding of where to best mitigate potential risks as a quantum future approaches. This will enable you to confidently make the switch to the latest PQC standardized algorithms and safeguard your sensitive data for years to come. 
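The inventory and impact assessment described above, as an added example that is not Microsoft's own tooling: it applies the post's two rules (asymmetric algorithms need a PQC replacement, symmetric ciphers and hash functions can stay) to a constructed inventory and ranks first the entries that protect data with value beyond 10 years. The algorithm tables, the log of assets, and the `purpose` field are assumptions; the example also generalizes slightly by treating only confidentiality uses (encryption, key exchange) as exposed to "Harvest Now, Decrypt Later", since recorded signatures are not decrypted later.

```python
"""Cryptographic inventory and impact assessment, as described in the post.

Added example, not Microsoft's own tooling. Public-key (asymmetric) algorithms
are the ones Shor's algorithm puts at risk and must be replaced with standardised
PQC; symmetric ciphers and hash functions are quantum-resilient and can stay.
Findings that protect data with value beyond 10 years are ranked first.
"""
from dataclasses import dataclass

# Classification tables are assumptions for this example: extend them to match
# the algorithm names your own inventory scanners (e.g. CodeQL queries) emit.
ASYMMETRIC_AT_RISK = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
SYMMETRIC_RESILIENT = {"AES-128", "AES-256", "CHACHA20"}
HASH_RESILIENT = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256"}

# The post recommends prioritising data whose value extends beyond 10 years.
LONG_LIVED_DATA_YEARS = 10

# Purposes where recorded ciphertext can be decrypted later ("Harvest Now,
# Decrypt Later"). Signatures still need replacing but are not harvestable
# in the same way, so they are ranked "normal" rather than "high".
CONFIDENTIALITY_PURPOSES = {"encryption", "key-exchange"}

PRIORITY_ORDER = {"high": 0, "normal": 1, "none": 2}


@dataclass(frozen=True)
class CryptoUse:
    asset: str                 # service, device or code module
    algorithm: str             # algorithm name as found by the inventory scan
    purpose: str               # "encryption", "key-exchange", "signature", "integrity"
    data_lifetime_years: int   # how long the protected data keeps its value


@dataclass(frozen=True)
class Finding:
    asset: str
    algorithm: str
    action: str    # "replace-with-pqc", "keep", or "review"
    priority: str  # "high", "normal", or "none"
    reason: str


def classify(use: CryptoUse) -> Finding:
    """Apply the symmetric-vs-asymmetric rule and the 10-year rule to one entry."""
    alg = use.algorithm.upper()
    if alg in ASYMMETRIC_AT_RISK:
        long_lived = use.data_lifetime_years > LONG_LIVED_DATA_YEARS
        if long_lived and use.purpose in CONFIDENTIALITY_PURPOSES:
            return Finding(use.asset, use.algorithm, "replace-with-pqc", "high",
                           "asymmetric algorithm protecting data valuable for more than "
                           f"{LONG_LIVED_DATA_YEARS} years: exposed to harvest-now-decrypt-later")
        return Finding(use.asset, use.algorithm, "replace-with-pqc", "normal",
                       "asymmetric algorithm: migrate to a standardised PQC scheme "
                       "(hybrid with the classical algorithm first)")
    if alg in SYMMETRIC_RESILIENT or alg in HASH_RESILIENT:
        return Finding(use.asset, use.algorithm, "keep", "none",
                       "symmetric cipher or hash function: resilient to Shor's algorithm")
    return Finding(use.asset, use.algorithm, "review", "normal",
                   "algorithm not in the classification tables: assess manually")


def assess(inventory: list[CryptoUse]) -> list[Finding]:
    """Classify every inventory entry and order the findings by priority."""
    findings = [classify(u) for u in inventory]
    return sorted(findings, key=lambda f: (PRIORITY_ORDER[f.priority], f.asset))


# Constructed sample inventory, standing in for the output of a real scan.
SAMPLE_INVENTORY = [
    CryptoUse("archive-service", "RSA", "key-exchange", 25),
    CryptoUse("archive-service", "AES-256", "encryption", 25),
    CryptoUse("build-pipeline", "ECDSA", "signature", 2),
    CryptoUse("web-frontend", "ECDH", "key-exchange", 1),
    CryptoUse("log-integrity", "SHA-256", "integrity", 7),
    CryptoUse("legacy-appliance", "CUSTOM-KDF", "encryption", 12),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f.priority:6} {f.action:17} {f.asset:17} {f.algorithm:10} {f.reason}")
```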

Explore CodeQL  

To help, we are contributing to CodeQL: a next-generation program code analysis tool provided by GitHub in collaboration with organizations including NIST and NCCoE. With CodeQL, we are building out a comprehensive set of detections that can empower users to create a complete inventory of all encryption usage within the application layer, helping to produce a cryptographic bill of materials and identify legacy cryptography that requires remediation. This tool can thus help create a cryptography inventory and impact assessment that will drive operational planning and create understanding and clarity around the timeline, resources, and level of risk for which to account.

Try the Crypto Experience for Resource Estimator now

Furthermore, we recently launched the Crypto Experience for Azure Quantum Resource Estimator. Drawing on published research from Microsoft, this new interactive cryptography experience shows you why a symmetric key could remain safe from quantum attacks while current public-key cryptography is vulnerable. And because it is integrated with Copilot in Azure Quantum, you can use the universal user interface of natural language to ask, learn, and explore more topics at the intersection of quantum computing and cryptography.

The opportunity to usher in a quantum, and quantum-safe, future is immense. We see how the collective genius of scientists and businesses will revolutionize the building blocks of everyday products to usher in a new era of innovation and growth in many fields. That’s what motivates us at Microsoft to drive new breakthroughs and empower every person and every organization on the planet. Our commitment to our customers, partners, and ecosystem to become quantum-safe and remain secure has never been stronger. We are accountable for having our products and services quantum-resistant and safe and will support and guide our customers through this journey to quantum safety. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT
http://approjects.co.za/?big=en-us/security/blog/2022/07/11/introducing-security-for-unmanaged-devices-in-the-enterprise-network-with-microsoft-defender-for-iot/
Mon, 11 Jul 2022 16:00:00 +0000

Microsoft Defender for IoT is generally available to help organizations challenged with securing unmanaged Internet of Things devices connected to the network.

The post Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT appeared first on Microsoft Security Blog.

How many IoT devices are used at your company? If yours is like most organizations, there are probably printers, scanners, and fax machines scattered around the office. Perhaps smart TVs are mounted at reception or in the break room to guide visitors and keep employees up-to-date on company events and news. Or maybe highly connected conference systems bring teams together to collaborate. For some organizations, IoT also includes operational technology (OT) devices used in industrial systems and critical infrastructure. You and your employees probably view these devices as tools to help operate more efficiently. Unfortunately, so do cybercriminals.

While IoT devices can easily outnumber managed endpoints like laptops and mobile phones, they often lack the same safeguards that would ensure their security. To bad actors, these unmanaged devices can serve as a point of entry, as a foothold for lateral movement, or as a means of evasion. The diagram below shows a typical attack lifecycle involving two IoT devices, where one is used as a point of entry and another for lateral movement. Too often, the use of such tactics leads to the exfiltration of sensitive information.

Figure: Attack lifecycle including the use of IoT devices during the intrusion, scanning, exploitation, credential-stealing, lateral-movement, data-theft, and exfiltration stages.

Introducing protection for Enterprise IoT devices in Microsoft Defender for IoT

At the 2021 Microsoft Ignite, we announced the preview of enterprise IoT security capabilities in Microsoft Defender for IoT. With these new capabilities, Defender for IoT adds agentless monitoring to secure enterprise IoT devices connected to IT networks, like Voice over Internet Protocol (VoIP), printers, and smart TVs. A dedicated integration with Microsoft 365 Defender allows Defender for Endpoint customers to extend their extended detection and response (XDR) coverage to include IoT devices. Today, we’re excited to announce the general availability of these capabilities in Defender for IoT.

Figure: Defender for IoT covers micro-agents, OT, and Enterprise IoT devices with agentless monitoring. For complete protection, Defender for Endpoint covers all managed endpoints.

With this new addition, Defender for IoT now delivers comprehensive security for all endpoint types, applications, identities, and operating systems. The new capabilities allow organizations to get the visibility and insights they need to address complex multi-stage attacks that specifically take advantage of IoT and OT devices to achieve their goals. Customers will now be able to get the same types of vulnerability management, threat detection, response, and other capabilities for enterprise IoT devices that were previously only available for managed endpoints and OT devices.

Further, to make Enterprise IoT security accessible to more customers, we are introducing a dedicated native integration for Microsoft 365 Defender customers. The new integration helps customers to discover and secure IoT devices within Microsoft 365 Defender environments in minutes.

Figure: The Defender for IoT user interface maps all discovered IoT and OT assets in a single view, allowing users to monitor, sort, and uncover connections across devices.

Identifying unmanaged devices

You can’t secure a device if you don’t know it exists. Taking a thorough inventory of all IoT devices can be expensive, challenging, and time-consuming. Employees may connect IoT devices to the network without first notifying IT or operations.

By using the existing Microsoft Defender for Endpoint clients, which are often deployed pervasively across an organization’s infrastructure, we can provide immediate device discovery with no additional deployment or configuration required. For the most complete view of your IoT and OT devices, and specifically for network segments where Defender for Endpoint sensors are not present, Defender for IoT includes a deployable network sensor that can be used to collect all of the network data it needs for discovery, behavioral analytics, and machine learning.

Understanding device vulnerabilities

Knowing all the devices present in your network is a critical step to securing your IoT—but it’s only the first step. To understand the potential risk that those devices pose to your network and organization, you need to be able to stay on top of insecure configurations and vulnerabilities that may be present within your inventory of devices.

These types of devices are often unpatched, misconfigured, and unmonitored, which makes them an immediate target for an attacker. Defender for IoT assesses all your enterprise IoT devices, offering recommendations in the Microsoft 365 console as part of the ongoing investigation flow for network-based alerts. 

New IoT devices are being introduced into an environment all the time. Because of that, the identification and risk assessment processes run continuously within Defender for IoT to ensure maximum visibility and posture at all times.

Securing IoT devices against threats

Threat detection remains one of the most difficult tasks in the IoT domain. Defender for IoT customers benefit from the machine learning and threat intelligence obtained from trillions of signals collected daily across the global Microsoft ecosystem (such as email, endpoints, cloud, Microsoft Azure Active Directory, and Microsoft 365), augmented by IoT- and OT-specific intelligence. By applying machine learning and threat intelligence, we help our customers improve the alert signal-to-noise ratio, providing them with prioritized incidents that render end-to-end attacks in complete context rather than an endless list of uncorrelated alerts.

Just recently, this approach enabled Defender for IoT to rank number one in threat visibility coverage in the MITRE ATT&CK for ICS evaluation, successfully detecting malicious activity for 100 percent of major attack steps and 96 percent of all adversary sub-steps, with the fewest missed detections of any vendor.

Defender for IoT: Complete coverage across all IoT/OT

It is certain that the demand for digital transformation and pressure to remain competitive will continue incentivizing organizations to embrace more IoT technologies, whether they are smart TVs in offices or industrial controllers in plants. Chief Information Security Officers will soon be responsible for an attack surface area that is many times larger than their managed device footprint. With the latest release in Defender for IoT, we’re extending coverage to enterprise IoT devices to help customers remain secure across the entire spectrum of their IoT technologies. What’s more, for the first time we’re enabling our Defender for Endpoint customers to gain visibility into their IoT devices within minutes and without buying or deploying any additional technologies or products.

Microsoft Defender for IoT remains a major component of the broader Microsoft SIEM and XDR solutions. Through native integration with Microsoft Defender and Microsoft Sentinel, we can provide customers with the automation and visualization tools they need to address attacks crossing IT and OT network boundaries. These integrations also empower analysts to perform incident response holistically rather than as separate disconnected attacks that require extensive manual investigations to bring together. With these efficiency gains, organizations can stop attacks and bring their environments back to a pre-breach state far more quickly.

We’re excited to reach this major milestone on our journey to securing customers in IoT and OT and invite you to explore how Defender for IoT can help your organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Learn how Microsoft strengthens IoT and OT security with Zero Trust
http://approjects.co.za/?big=en-us/security/blog/2021/11/08/learn-how-microsoft-strengthens-iot-and-ot-security-with-zero-trust/
Mon, 08 Nov 2021 17:00:47 +0000

Get insights on securing your supply chain and IoT/OT devices against sophisticated new cyber threats.

The post Learn how Microsoft strengthens IoT and OT security with Zero Trust appeared first on Microsoft Security Blog.

As cyber threats grow more sophisticated and relentless, the need for Cybersecurity Awareness Month becomes more urgent every year. As part of our year-round commitment to security for all, Microsoft continues to track numerous incidents targeting both digital and physical operations for many organizations. Beyond the usual espionage and data-theft attacks aimed at IT systems, threat actors have increasingly turned their attention toward IoT devices and operational technology (OT) equipment—everything from oil pipelines [1] to medical devices [2]. Malicious actors have also had success in targeting supply chains, as seen in the insidious Solorigate [3] and Kaseya [4] attacks.

Earlier this month, we published the 2021 Microsoft Digital Defense Report to help organizations better understand this evolving threat landscape, as well as provide guidance on securing your supply chain and IoT and OT assets. In the spirit of security for all, some highlights of these chapters are presented here for easy reference.

Securing supply chains

The practice of adopting multiple tools to monitor different tiers of suppliers increases complexity, which in turn increases the odds that a cyberattack can produce a significant return for your adversary. Silos can create additional problems—different teams have different priorities, which may lead to different risk priorities and practices. This inconsistency can create duplicated effort and gaps in risk analysis. Suppliers’ personnel are also a top concern. Organizations want to know who has access to their data, so they can protect themselves from human liability, shadow IT, and other insider threats.

For supplier risk management, an always-on, automated, integrated approach is needed, but current processes aren’t well-suited to the task. To secure your supply chain, it’s important to have a repeatable process that will scale as your organization innovates. At Microsoft, we group our investments into nine secure supply chain (SSC) workstreams to methodically evaluate and mitigate risk in each area:

Figure 1: Nine areas of investment for a secure end-to-end supply chain: first-party engineering systems for hardware and software, firmware and driver security, physical security, manufacturing security, logistics security, supplier security, trust chain governance and resilience, security validations and assurances, and monitoring and detections.

For supply chain risk management, having integrated solutions and greater visibility into who ultimately has access to an organization’s data are top priorities. While there are many places to begin a Zero Trust journey, instituting multifactor authentication (MFA) should be your first step.

From the White House

On May 12, 2021, the White House issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity outlining steps for federal agencies and their technology providers to enhance supply chain security. For software providers, the EO calls for requirements to enhance resistance to attack, including secure software development practices, software verification and vulnerability checks, a software bill of materials (SBOM), a vulnerability disclosure program, and other secure practices.

For federal agency users of software with privileged access, EO 14028 calls for implementing security measures published by the National Institute of Standards and Technology (NIST). Microsoft has long been invested in developing best practices for secure software development, and we’ve contributed to efforts to define industry-wide practices and consensus standards, including through SAFECode, ISO/IEC, and NIST’s National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture project.

IoT and OT security

With the prevalence of cloud connectivity, IoT and OT have become another part of your network. And because IoT and OT devices are typically deployed in diverse environments—from inside factories or office buildings to remote worksites or critical infrastructure—they’re exposed in ways that can make them easy targets. When you add in privacy concerns and regulatory compliance, it’s clear that a holistic approach is needed for enabling seamless security and governance across all your devices.

Securing IoT solutions with a Zero Trust security model is built upon five requirements:

  • Implement strong identity to authenticate devices: Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure identity before making decisions.
  • Maintain least privilege access to mitigate blast radius: Implement device and workload access controls to limit any potential damage from identities that may have been compromised, or those running unapproved workloads.
  • Monitor device health to gate access or flag for remediation: Check security configurations, assess for vulnerabilities and insecure passwords, and monitor for active threats and anomalous behavioral alerts to build risk profiles.
  • Deploy continual updates to keep devices healthy: Utilize a centralized configuration and compliance management solution, as well as a robust update mechanism, to ensure devices are up to date and healthy.
  • Maintain security monitoring and response: Employ proactive monitoring to rapidly identify unauthorized or compromised devices.

Figure 2: How an attacker can get into an enterprise through IoT: reconnaissance, then email or direct message, then exploit and lateral movement, and finally into the factory when the employee moves from working at home with their IoT or OT device into the factory environment.

“Attackers will choose the ‘soft targets’ as a point of ingress. Spear phishing or similar attacks allow access to IT systems that can then provide a pathway for attackers to reach OT systems, and the reverse is also possible. In one example, attackers used an aquarium system to access a casino’s high-roller databases, demonstrating that any device with connectivity can present a motivated attacker with an opening.”—2021 Microsoft Digital Defense Report

Default passwords cause problems

Microsoft’s sensor network provides us with raw data on more than 280,000 attacks, including password data. Unsurprisingly, we saw that 96 percent of attacks used a password with fewer than 10 characters. Within these password attempts, only 2 percent included a special character and 72 percent didn’t even contain a number. The word “admin” was found more than 20 million times in IoT passwords over a 45-day period.

Figure 3: Prevalence of common passwords in IoT and OT settings. We’ve observed the password “admin” used against IoT devices over 20 million times in 45 days of our telemetry; the username “root” was used nearly 10 million times.
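The kind of password-attempt profiling behind the figures above, as an added example that is not Microsoft's telemetry pipeline: it derives the same statistics the post reports (share of attempts under 10 characters, with a special character, and with no digit, plus the most-used passwords and usernames) from constructed honeypot-style log lines. The log format and the sample lines are assumptions; run it over your own sensor or honeypot exports after adjusting `LOG_RE`.

```python
"""Profile attacker credential attempts against IoT/OT listeners.

Added example, not Microsoft's telemetry pipeline. Parses constructed log lines
of the form "<timestamp> <src_ip> <service> user=<name> pass=<secret>" (an
assumed format) and reports the statistics the post discusses.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed log format; adapt to whatever your sensors emit.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<service>\w+) user=(?P<user>\S*) pass=(?P<password>.*)$"
)
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")   # anything that is not a letter or digit
DIGIT_RE = re.compile(r"[0-9]")
SHORT_PASSWORD_LIMIT = 10                  # the post's "fewer than 10 characters"


@dataclass
class PasswordStats:
    total: int              # attempts that parsed successfully
    short_pct: float        # fewer than 10 characters
    special_pct: float      # contain at least one special character
    no_digit_pct: float     # contain no digit at all
    top_passwords: list     # (password, count), most common first
    top_usernames: list     # (username, count), most common first


def parse_line(line: str):
    """Return (username, password) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return (m.group("user"), m.group("password")) if m else None


def profile(lines) -> PasswordStats:
    """Aggregate credential attempts into the statistics the post reports."""
    users, passwords = Counter(), Counter()
    short = special = no_digit = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip lines in an unexpected format
        user, pw = parsed
        users[user] += 1
        passwords[pw] += 1
        if len(pw) < SHORT_PASSWORD_LIMIT:
            short += 1
        if SPECIAL_RE.search(pw):
            special += 1
        if not DIGIT_RE.search(pw):
            no_digit += 1
    total = sum(passwords.values())

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    return PasswordStats(total, pct(short), pct(special), pct(no_digit),
                         passwords.most_common(3), users.most_common(3))


# Constructed sample telemetry (RFC 5737 documentation addresses), including
# one malformed line to show that unparseable input is skipped, not counted.
SAMPLE_LOG = """\
2021-10-01T00:00:01Z 203.0.113.5 telnet user=admin pass=admin
2021-10-01T00:00:02Z 203.0.113.5 telnet user=root pass=root
2021-10-01T00:00:03Z 198.51.100.7 ssh user=admin pass=admin1234
2021-10-01T00:00:04Z 198.51.100.7 ssh user=root pass=12345
2021-10-01T00:00:05Z 192.0.2.19 http user=admin pass=Admin@2021!
2021-10-01T00:00:06Z 192.0.2.19 http user=support pass=support
2021-10-01T00:00:07Z 203.0.113.8 telnet user=admin pass=admin
2021-10-01T00:00:08Z 203.0.113.8 telnet user=root pass=toor
2021-10-01T00:00:09Z 198.51.100.9 ssh user=admin pass=password
this line is malformed and will be skipped
"""

if __name__ == "__main__":
    stats = profile(SAMPLE_LOG.splitlines())
    print(f"{stats.total} attempts parsed")
    print(f"{stats.short_pct}% shorter than {SHORT_PASSWORD_LIMIT} characters")
    print(f"{stats.special_pct}% with a special character, {stats.no_digit_pct}% without a digit")
    print("top passwords:", stats.top_passwords)
    print("top usernames:", stats.top_usernames)
```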

Maintain your IoT just like IT

It’s essential for organizations to assess the security of their IoT and OT systems with the same rigor applied to IT systems. While PCs are routinely required to have updated certificates, IoT devices are often deployed with factory-default passwords. Attackers are also focusing on how IoT and OT interact, which brings real dangers. Industrial control systems (ICS) are often retrofitted with remote capabilities—meaning, virtual attacks can cause physical harm.

Microsoft supported a research study conducted by the Global Cyber Alliance (GCA) to demonstrate the effectiveness of commonly recommended controls in preventing attacks. GCA’s analysis of real attack data shows that default passwords factory-set by device manufacturers, or weak passwords set by users, represent the most exploited security vulnerability for IoT devices. Their findings can be boiled down to four simple takeaways for IoT and OT security:

  1. No default passwords.
  2. Implement a vulnerability disclosure policy.
  3. Keep software updated.
  4. Continuously monitor IoT communication for unauthorized communications and attacks.

Learn more

Learn how Microsoft Defender for IoT can secure your IoT and OT devices.

To find out more about protecting your organization against supply chain and IoT/OT attacks, including the seven properties of highly secured devices, download the 2021 Microsoft Digital Defense Report. Also, see our past blog posts providing information for each themed week of Cybersecurity Awareness Month 2021:

Be sure to visit our Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.



[1] Hackers Breached Colonial Pipeline Using Compromised Password, William Turton, Kartikay Mehrotra, Bloomberg. 4 June 2021.

[2] Microsoft Warns of 25 Critical Vulnerabilities in IoT, Industrial Devices, Elizabeth Montalbano, Threatpost. 30 April 2021.

[3] Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop, Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC), Microsoft Security. 20 January 2021.

[4] Kaseya ransomware attack sets off race to hack service providers - researchers, Joseph Menn, Reuters. 3 August 2021.
