Digital Security Industry trends | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/content-type/industry-trends/
Expert coverage of cybersecurity topics. Feed last updated Wed, 26 Jun 2024 15:58:02 +0000.

How implementing a trust fabric strengthens identity and network
http://approjects.co.za/?big=en-us/security/blog/2024/05/08/how-implementing-a-trust-fabric-strengthens-identity-and-network/
Wed, 08 May 2024 16:00:00 +0000

The new era of cybersecurity demands a comprehensive, adaptive, real-time approach to securing access. At Microsoft, we call this approach the trust fabric.

The identity security landscape is transforming rapidly. Every digital experience and interaction is an opportunity for people to connect, share, and collaborate. But first, we need to know we can trust those digital experiences and interactions. Customers note a massive rise in the sheer number of identities they need to enable, connect, and protect. These include not only human identities like employees, partners, and customers, but also non-human or machine identities—which outnumber humans and continue to grow exponentially. All these identities come with unique risks, but they’re central to business organizations’ need to create effective, seamless connections—both for people and their apps, data, and networks.

At the same time, the number and complexity of cyberthreats continues to grow. This makes the challenge of securing human and non-human identities urgent and critical. Phishing, ransomware, and both internal and external threats have increased significantly. And threat actors are quickly exploiting newer technologies like generative AI to create and scale their attacks.

In the face of these challenges and the acceleration of AI opportunities and risks, what we think of as traditional identity and access management is no longer enough. We need to ensure the right people, machines, and software components get access to the right resources at the right time, while keeping out any bad actors or cyberthreats. We need to be able to secure access for any trustworthy identity, anywhere, to any app, resource, or AI tool at any time.

We take these challenges very seriously. Our teams have been hard at work, listening to customers and analyzing data—and utilizing the modern technologies enabled by AI—to stay ahead of threats and step up our defenses. This new era demands a comprehensive, adaptive, real-time approach to securing access.

At Microsoft, we call this approach the trust fabric.  

Think global, act local

In years past, the firewall was the clear perimeter of network protection for customers. Then the buzz was “identity is the new perimeter” as people began to work from home and do their work on personal devices. And recently, the term “identity fabric,” coined by industry analysts in 2023, has been used by many to describe identity and access management (IAM) concepts and capabilities. But the move from a network control plane to an identity-centric control plane is just the beginning. Flexible work models, cloud apps and services, digitized business processes, AI, and more can no longer be managed by a single identity control plane. It would slow down the speed of business and become a choke point.

Instead, to meet the needs of our ever-expanding digital estate, we need a “think global, act local” approach. A combination of centralized decisions and policies would determine what is allowed to happen at the edges—the points of interaction—with multiple, distributed control planes at both the identity and network levels. In addition to identity, the network and endpoints are equally critical signals. The controls and policies should be unified with identity to reduce complexity and gaps. This is the distinction between identity fabric and the next step: trust fabric. In this era of ubiquitous, decentralized computing, data centers can serve as the intelligent cloud, facilitating interaction with smart devices and services on the intelligent edge. This decentralized identity model can also help achieve the speed required to authorize so many devices and services at scale. The vision for how to conceptually architect and move forward with this comprehensive defense-in-depth cybersecurity strategy is the same as a trust fabric. As such, Microsoft’s trust fabric concept expands beyond traditional IAM to weave together comprehensive, unified identity, network access, and endpoint controls.

Diagram showing the evolution of trust and identity, starting with directory services, moving to identity as the control plane, and ending with trust fabric.

Figure 1. Identity security has evolved from directory services and firewalls to cloud-centered identity services to today’s decentralized trust fabric approach. 

Zero Trust and a trust fabric

Zero Trust is the term for an evolving set of cybersecurity paradigms that move cybersecurity defenses from static, network-based perimeters to focus on users, assets, and resources. The concept of Zero Trust has been around in cybersecurity for some time and is increasingly important as enterprise infrastructure continues to become decentralized and increases in complexity. In 2020, the National Institute of Standards and Technology (NIST) released a security-wide framework or model of Zero Trust based on three core principles: Verify explicitly, ensure least-privileged access, and assume breach. The Zero Trust principles are foundational to how organizations should architect a trust fabric, and instructional for how to build technology to bring the trust fabric to life.

A Zero Trust strategy is a proactive, integrated approach to security across all layers of the digital estate. A modern comprehensive implementation of Zero Trust protects assets wherever they are. It includes solutions for securing access, securing your data, securing all your clouds, defending against threats, and managing risk and privacy. Zero Trust benefits from AI-enabled solutions and provides the agile security required to protect the use of AI technologies. Developing and managing a trust fabric for your organization addresses the need for secure access. It can integrate with and inform each solution in your framework as needed for end-to-end visibility, defense, and optimization.     

The core threads of a trust fabric

The first key word is trust. Trustworthiness of human and non-human identities will be determined by real-time evaluation and verification of valid decentralized identity credentials. It isn’t an idea of “trust but verify.” It’s “actively verify, then trust.” And the second key word is fabric. According to Gartner®, “Cybersecurity mesh, or cybersecurity mesh architecture (CSMA), is a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise. It builds on a strategy of integrating composable, distributed security tools by centralizing the data and control plane to achieve more effective collaboration between tools. Outcomes include enhanced capabilities for detection, more efficient responses, consistent policy, posture and playbook management, and more adaptive and granular access control—all of which lead to better security”.1 With a trust fabric, organizations first evaluate the risk level of any identity or action. Then, they apply a universal Conditional Access engine. It meters secure access with smart policies and decisions informed by governance, compliance, and current global cyberthreats. And it takes into account any important factors or anomalies relevant to the situation at any given moment.  

An illustration of one of many digital interactions protected by a trust fabric.

Figure 2. A trust fabric verifies identities, validates access conditions, checks permissions, encrypts the connection channel, and monitors for compromise.

For a trust fabric, the following capabilities and conditions must be continuously evaluated in real time:

  • Verify that the initiating identity is trustworthy and secure, and do the same for the resource, person, or AI it is connecting with.
  • Protect the communication channel that transports data.
  • Ensure access extends no further than needed.
  • Sever the connection the moment fraud or risk is detected.
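The four conditions above read as a policy loop: verify both ends, protect the transport, grant the minimum, and re-decide the moment risk appears. The following toy policy engine is an added example, not Microsoft Entra code or any product API; the signal names, roles, scopes and the "medium risk withholds write scopes" rule are constructed assumptions chosen to show how a session is continuously re-evaluated rather than decided once at sign-in.

```python
# Added example (not Microsoft's code): a toy policy engine that applies the four
# trust-fabric conditions on every evaluation, so a session is re-decided
# whenever a signal changes. Signal names, roles and scopes are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Signals:
    identity_verified: bool       # initiating identity proved (e.g. strong MFA)
    resource_attested: bool       # the other end is a known, healthy resource
    channel_encrypted: bool       # transport is encrypted (TLS/mTLS)
    risk_level: str               # "low" | "medium" | "high" from a risk engine
    requested_scopes: frozenset   # what the caller asked for


@dataclass(frozen=True)
class Decision:
    allow: bool
    granted_scopes: frozenset
    reason: str


# Constructed role-to-scope mapping: the ceiling for least-privilege grants.
ROLE_SCOPES = {
    "analyst": frozenset({"files.read", "mail.read"}),
    "admin": frozenset({"files.read", "files.write", "mail.read", "users.manage"}),
}
WRITE_SCOPES = frozenset({"files.write", "users.manage"})


def evaluate(role: str, s: Signals) -> Decision:
    """One pass of the policy engine; the caller runs it on every signal change."""
    # Verify explicitly: both ends of the interaction must be verified.
    if not s.identity_verified:
        return Decision(False, frozenset(), "identity not verified")
    if not s.resource_attested:
        return Decision(False, frozenset(), "resource not attested")
    # Protect the channel that transports the data.
    if not s.channel_encrypted:
        return Decision(False, frozenset(), "channel not encrypted")
    # Sever the connection the moment risk is detected.
    if s.risk_level == "high":
        return Decision(False, frozenset(), "high risk detected")
    # Least privilege: grant only what was requested AND what the role permits;
    # under medium risk, additionally withhold write scopes until step-up.
    granted = s.requested_scopes & ROLE_SCOPES.get(role, frozenset())
    if s.risk_level == "medium":
        granted -= WRITE_SCOPES
    return Decision(True, granted, "ok")


class Session:
    """Holds the latest decision; every new signal snapshot is re-evaluated."""

    def __init__(self, role: str, signals: Signals):
        self.role = role
        self.decision = evaluate(role, signals)

    def update(self, signals: Signals) -> Decision:
        self.decision = evaluate(self.role, signals)
        return self.decision

    @property
    def active(self) -> bool:
        return self.decision.allow


if __name__ == "__main__":
    good = Signals(True, True, True, "low", frozenset({"files.read", "files.write"}))
    sess = Session("analyst", good)
    print(sess.decision)            # allowed, but only files.read (role ceiling)
    risky = Signals(True, True, True, "high", good.requested_scopes)
    print(sess.update(risky))       # severed: high risk detected
```

The point of the `Session` wrapper is that nothing is cached from the first decision: a risk signal arriving mid-session produces a deny on the next `update`, which is the "sever the connection" condition in code form.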

The Microsoft trust fabric

At Microsoft, we continue to design and innovate our identity, endpoint, and network access portfolio to make the trust fabric a reality for our customers, today and tomorrow. Microsoft Entra helps our customers create their trust fabric for the era of AI that securely connects any trustworthy identity with anything, anywhere. 


Figure 3. Microsoft Entra is a comprehensive identity and network access solution for securing access for any trustworthy identity to any resource from anywhere.

It’s likely that your organization is already on the journey to create your own trust fabric. To be sure you’ve got the basics covered, we’ve documented the top “quick security wins” in our Microsoft Entra Fundamentals documentation on Microsoft Learn: 

As organizations learn more about trust fabric and continue to apply Zero Trust principles, we’ll be sharing more of our perspective. To learn more about the four stages of trust fabric maturity and how to assess and plan for each stage, read our follow-up blog.


Microsoft Entra

Protect any identity and secure access to any resource with a family of multicloud identity and network access solutions.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1 Cybersecurity Mesh, Gartner.

Evolving Microsoft Security Development Lifecycle (SDL): How continuous SDL can help you build more secure software
http://approjects.co.za/?big=en-us/security/blog/2024/03/07/evolving-microsoft-security-development-lifecycle-sdl-how-continuous-sdl-can-help-you-build-more-secure-software/
Thu, 07 Mar 2024 17:00:00 +0000

The software developers and systems engineers at Microsoft work with large-scale, complex systems, requiring collaboration among diverse and global teams, all while navigating the demands of rapid technological advancement, and today we’re sharing how they’re tackling security challenges in the white paper: “Building the next generation of the Microsoft Security Development Lifecycle (SDL)”, created by pioneers of future software development practices.

Two decades of evolution

It’s been 20 years since we introduced the Microsoft Security Development Lifecycle (SDL)—a set of practices and tools that help developers build more secure software, now used industry-wide. Mirroring the culture of Microsoft to uphold security and born out of the Trustworthy Computing initiative, the aim of SDL was—and still is—to embed security and privacy principles into technology from the start and prevent vulnerabilities from reaching customers’ environments.

In 20 years, the goal of SDL hasn’t changed. But the software development and cybersecurity landscape has—a lot.

With cloud computing, Agile methodologies, and continuous integration/continuous delivery (CI/CD) pipeline automation, software is shipped faster and more frequently. The software supply chain has become more complex and vulnerable to cyberattacks. And new technologies like AI and quantum computing pose new challenges and opportunities for security.

SDL is now a critical pillar of the Microsoft Secure Future Initiative, a multi-year commitment that advances the way we design, build, test, and operate our Microsoft Cloud technology to ensure that we deliver solutions meeting the highest possible standard of security.


Next generation of the Microsoft SDL

Learn how we're tackling security challenges.

Continuous evaluation

Microsoft has been evolving the SDL to what we call “continuous SDL”. In short, Microsoft now measures security state more frequently and throughout the development lifecycle. Why? Because times have changed: products are no longer shipped on an annual or biannual basis. With the cloud and CI/CD practices, services are shipped daily or sometimes multiple times a day.

Data-driven methodology

To achieve scale across Microsoft, we automate measurement with a data-driven methodology when possible. Data is collected from various sources, including code analysis tools like CodeQL. Our compliance engine uses this data to trigger actions when needed.

CodeQL: A static analysis engine used by developers to perform security analysis on code outside of a live environment.

While some SDL controls may never be fully automated, the data-driven methodology helps deliver better security outcomes. In pilot deployments of CodeQL, 92% of action items were addressed and resolved in a timely fashion. We also saw a 77% increase in CodeQL onboarding amongst pilot services.

Transparent, traceable evidence

Software supply chain security has become a top priority due to the rise of high-profile attacks and the increase in dependencies on open-source software. Transparency is particularly important, and Microsoft has pioneered traceability and transparency in the SDL for years. Just as one example, in response to Executive Order 14028, we added a requirement to the SDL to generate software bills of material (SBOMs) for greater transparency.

But we didn’t stop there.

To provide transparency into how fixes happen, we now architect the storage of evidence into our tooling and platforms. Our compliance engine collects and stores data and telemetry as evidence. By doing so, when the engine determines that a compliance requirement has been met, we can point to the data used to make that determination. The output is available through an interconnected “graph”, which links together various signals from developer activity and tooling outputs to create high-fidelity insights. This helps us give customers stronger assurances of our security end-to-end.
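The data-driven methodology and the evidence graph described in the two sections above can be sketched in a few dozen lines. The following is an added example, not Microsoft's compliance engine, CodeQL, or any Microsoft tooling: it evaluates two constructed SDL-style requirements (a static-analysis gate and an SBOM completeness gate) from constructed tool output, and for each determination stores the data it was made from together with a digest of that data, so the decision can later be traced back to its evidence. The requirement identifiers, finding records, SBOM contents and dependency names are all made up for illustration.

```python
# Added example (not Microsoft's tooling): a small data-driven compliance check
# that evaluates two SDL-style requirements from tool output and records, for
# each determination, the exact data it was made from. Tool outputs, requirement
# names and dependency names below are constructed for illustration.
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    source: str      # which tool or feed produced the data
    records: object  # the data the determination was made from
    sha256: str      # digest of the records, so the evidence can be verified later


@dataclass(frozen=True)
class Determination:
    requirement: str
    passed: bool
    evidence: Evidence


def _evidence(source, records) -> Evidence:
    # Canonical JSON so the same records always yield the same digest.
    blob = json.dumps(records, sort_keys=True).encode()
    return Evidence(source, records, hashlib.sha256(blob).hexdigest())


def check_static_analysis(findings) -> Determination:
    """Requirement SA-1 (constructed): no open high/critical static-analysis findings."""
    blocking = [f["id"] for f in findings
                if f["severity"] in ("critical", "high") and f["state"] == "open"]
    return Determination("SA-1", not blocking,
                         _evidence("codeql", {"blocking": blocking, "all": findings}))


def check_sbom(sbom, declared_deps) -> Determination:
    """Requirement SC-1 (constructed): the SBOM lists every declared dependency."""
    listed = {c["name"] for c in sbom.get("components", [])}
    missing = sorted(set(declared_deps) - listed)
    return Determination("SC-1", not missing,
                         _evidence("sbom", {"missing": missing, "listed": sorted(listed)}))


def run_engine(findings, sbom, declared_deps):
    """Return (graph, action_items): graph links each requirement to its evidence."""
    results = [check_static_analysis(findings), check_sbom(sbom, declared_deps)]
    graph = {
        r.requirement: {
            "passed": r.passed,
            "evidence_source": r.evidence.source,
            "evidence_sha256": r.evidence.sha256,
        }
        for r in results
    }
    # Failed requirements become the action items the engine would trigger.
    action_items = [r.requirement for r in results if not r.passed]
    return graph, action_items


# Constructed sample tool output (not real scan data).
SAMPLE_FINDINGS = [
    {"id": "F-1", "rule": "py/sql-injection", "severity": "high", "state": "fixed"},
    {"id": "F-2", "rule": "py/log-injection", "severity": "medium", "state": "open"},
]
SAMPLE_SBOM = {"bomFormat": "CycloneDX",
               "components": [{"name": "requests", "version": "1.0.0"}]}
SAMPLE_DEPS = ["requests", "urllib3"]

if __name__ == "__main__":
    graph, actions = run_engine(SAMPLE_FINDINGS, SAMPLE_SBOM, SAMPLE_DEPS)
    print(json.dumps(graph, indent=2))
    print("action items:", actions)   # ['SC-1']: urllib3 is missing from the SBOM
```

Keeping the digest next to the determination is what makes the record tamper-evident: if the stored finding list or SBOM is later altered, recomputing the digest no longer matches the one recorded at decision time, and the "compliance requirement met" claim can no longer be backed by the data it cites.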

Design, Architecture, and Governance step by step delivery

Modernized practices

Beyond making the SDL automated, data-driven, and transparent, Microsoft is also focused on modernizing the practices that the SDL is built on to keep up with changing technologies and ensure our products and services are secure by design and by default. In 2023, six new requirements were introduced, six were retired, and 19 received major updates. We’re investing in new threat modeling capabilities, accelerating the adoption of new memory-safe languages, and focusing on securing open-source software and the software supply chain.

We’re committed to providing continued assurance to open-source software security, measuring and monitoring open-source code repositories to ensure vulnerabilities are identified and remediated on a continuous basis. Microsoft is also dedicated to bringing responsible AI into the SDL, incorporating AI into our security tooling to help developers identify and fix vulnerabilities faster. We’ve built new capabilities like the AI Red Team to find and fix vulnerabilities in AI systems.

By introducing modernized practices into the SDL, we can stay ahead of attacker innovation, designing faster defenses that protect against new classes of vulnerabilities.

How can continuous SDL benefit you?

Continuous SDL can help you in several ways:

  • Peace of mind: You can continue to trust that Microsoft products and services are secure by design, by default, and in deployment. Microsoft follows the continuous SDL for software development to continuously evaluate and improve its security posture.
  • Best practices: You can learn from Microsoft’s best practices and tools to apply them to your own software development. Microsoft shares its SDL guidance and resources with the developer community and contributes to open-source security initiatives.
  • Empowerment: You can prepare for the future of security. Microsoft invests in new technologies and capabilities that address emerging threats and opportunities, such as post-quantum cryptography, AI security, and memory-safe languages.

Where can you learn more?

For more details and visual demonstrations on continuous SDL, read the full white paper by SDL pioneers Tony Rice and David Ornstein.

Learn more about the Secure Future Initiative and how Microsoft builds security into everything we design, develop, and deploy.

Microsoft Copilot for Security: The great equalizer for government security
http://approjects.co.za/?big=en-us/industry/blog/government/2024/02/14/microsoft-copilot-for-security-the-great-equalizer-for-government-security/
Mon, 26 Feb 2024 17:00:00 +0000

Microsoft Copilot for Security is the first generative AI security product that will help defend organizations at machine speed and scale. It combines the most advanced GPT4 model from OpenAI with a Microsoft-developed security model, powered by Microsoft Security’s unique expertise, global threat intelligence, and comprehensive security products.

Navigating NIS2 requirements with Microsoft Security solutions
http://approjects.co.za/?big=en-us/security/blog/2024/02/20/navigating-nis2-requirements-with-microsoft-security-solutions/
Tue, 20 Feb 2024 17:00:00 +0000

NIS2 is the most comprehensive European cybersecurity directive yet, covering 18 sectors and 160,000+ companies. The Zero Trust principles addressed by Microsoft Security solutions can help you protect your organization and meet NIS2 requirements.

The Network and Information Security Directive 2 (NIS2) is a continuation and expansion of the previous European Union (EU) cybersecurity directive introduced back in 2016. With NIS2, the EU expands the original baseline of cybersecurity risk management measures and reporting obligations to include more sectors and critical organizations. The purpose of establishing a baseline of security measures for digital service providers and operators of essential services is to mitigate the risk of cyberthreats and improve the overall level of cybersecurity in the EU. It also introduces more accountability—through strengthened reporting obligations and increased sanctions or penalties. Organizations have until October 17, 2024, to improve their security posture before they’ll be legally obligated to live up to the requirements of NIS2. The broadened directive stands as a critical milestone for tech enthusiasts and professionals alike. Our team at Microsoft is excited to lead the charge in decoding and navigating this new regulation—especially its impact on compliance and how cloud technology can help organizations adapt. In this blog, we’ll share the key features of NIS2 for security professionals, how your organization can prepare, and how Microsoft Security solutions can help. And for business leaders, check out our downloadable guide for high-level insights into the people, plans, and partners that can help shape effective NIS2 compliance strategies. 

NIS2 key features 

As we take a closer look at the key features of NIS2, we see the new directive includes risk assessments, multifactor authentication, security procedures for employees with access to sensitive data, and more. NIS2 also includes requirements around supply chain security, incident management, and business recovery plans. In total, the comprehensive framework ups the bar from previous requirements to bring: 

  • Stronger requirements and more affected sectors.
  • A focus on securing business continuity—including supply chain security.
  • Improved and streamlined reporting obligations.
  • More serious repercussions—including fines and legal liability for management.
  • Localized enforcement in all EU Member States. 

Preparing for NIS2 may take considerable effort for organizations still working through digital transformation. But it doesn’t have to be overwhelming. 


NIS2 guiding principles guide

Get started on your transformation with three guiding principles for preparing for NIS2.

Proactive defense: The future of cloud security

At Microsoft, our approach to NIS2 readiness is a blend of technical insight, innovative strategies, and deep legal understanding. We’re dedicated to nurturing a security-first mindset—one that’s ingrained in every aspect of our operations and resonates with the tech community’s ethos. Our strategy for NIS2 compliance addresses the full range of risks associated with cloud technology. And we’re committed to ensuring that Microsoft’s cloud services set the benchmark for regulatory compliance and cybersecurity excellence in the tech world. Now more than ever, cloud technology is integral to business operations. With NIS2, organizations are facing a fresh set of security protocols, risk management strategies, and incident response tactics. Microsoft cloud security management tools are designed to tackle these challenges head-on, helping to ensure a secure digital environment for our community.  

NIS2 compliance aligns to the same Zero Trust principles addressed by Microsoft Security solutions, which can help provide a solid wall of protection against cyberthreats across any organization’s entire attack surface. If your security posture is aligned with Zero Trust, you’re well positioned to assess and help assure your organization’s compliance with NIS2. 

Diagram conveying the multiple cyberthreats across an organization’s entire attack surface.

Figure 1. Risks associated with securing an organization’s external attack surface.

For effective cybersecurity, it takes a fully integrated approach to protection and streamlined threat investigation and response. Microsoft Security solutions provide just that, with: 

  • Microsoft Sentinel – Gain visibility and manage threats across your entire digital estate with a modern security information and event management (SIEM) solution.
  • Microsoft XDR – Stop attacks and coordinate response across assets with extended detection and response (XDR) built into Microsoft 365 and Azure. 
  • Microsoft Defender Threat Intelligence – Expose and eliminate modern threats using dynamic cyberthreat intelligence. 

Next steps for navigating new regulatory terrain 

The introduction of NIS2 is reshaping the cybersecurity landscape. We’re at the forefront of this transformation, equipping tech professionals—especially Chief Information Security Officers and their teams—with the knowledge and tools to excel in this new regulatory environment. To take the next step for NIS2 in your organization, download our NIS2 guiding principles guide or reach out to your Microsoft account team to learn more. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Best practices in moving to cloud native endpoint management
http://approjects.co.za/?big=en-us/microsoft-365/blog/2024/01/29/best-practices-in-moving-to-cloud-native-endpoint-management/
Mon, 29 Jan 2024 17:00:00 +0000

This blog is the second of three that details our recommendation to adopt cloud native device management. Understand the lessons from various Intune customers in their journeys and how they achieved greater security, cost savings, and readiness for the future through their cloud transformations.

Microsoft Security Experts discuss evolving threats in roundtable chat
http://approjects.co.za/?big=en-us/security/blog/2023/02/28/microsoft-security-experts-discuss-evolving-threats-in-roundtable-chat/
Tue, 28 Feb 2023 17:00:00 +0000

Get an in-depth recap of the latest Microsoft Security Experts Roundtable, featuring discussions on trends in global cybercrime, cyber-influence operations, cybersecurity for manufacturing and Internet of Things, and more.

I don’t know about you, but we’re still catching our breath after 2022. Microsoft Security blocked more than 70 billion email and identity threats last year.1 In the same 12-month span, ransomware attacks impacted more than 200 large organizations in the United States alone, spanning government, education, and healthcare.2 With statistics like those, providing a platform to share security insights and first-hand experience feels like a necessity.

With that goal in mind, Microsoft has launched a new kind of security webinar “for experts, by experts.” The new Security Experts Roundtable series will serve as an accessible video platform for cyber defenders to learn about some of the latest threats while gaining a big-picture view of the cybersecurity landscape. Our inaugural episode aired on January 25, 2023, with an expert panel consisting of:

  • Ping Look, Director, Training and Communications, Microsoft Detection and Response Team (DART)
  • Ryan Kivett, Partner Director, Microsoft Defender Experts
  • Jeremy Dallman, Principal Research Director, Customer Ready Intelligence
  • Rani Lofstrom, Director, Security Incubations

This episode also features a special appearance by Rachel Chernaskey, Director of the Microsoft Digital Threat Analysis Center, who discusses cyber-enabled influence operations. I host a special remote interview with Mark Simos, Lead Cybersecurity Architect at Microsoft, on how to effectively communicate with your board of directors about cybersecurity. We also talk to Peter Anaman, Director and Principal Investigator at the Microsoft Digital Crimes Unit about tracking global cybercrime, and we have a special guest interview with Myrna Soto, Chief Executive Officer (CEO) and Founder of Apogee Executive Advisors, on the state of cybersecurity in the manufacturing sector.

Evolving threats—Expert insights

Back in December 2020, Microsoft investigated a new nation-state attacker now known as Nobelium that became a global cybersecurity threat.3 The following year, the hacker gang Lapsus moved into the spotlight with large-scale social engineering and extortion campaigns directed against multiple organizations.4 Those threat groups are still active, but 2022 saw a slowing in their attacks. “We didn’t have too many high-profile mass-casualty events,” Ping points out. “But we did see a continuation of ransomware, identity compromises, and attacks centered on endpoints.”

The ransomware as a service (RaaS) ecosystem has continued to grow.5 Jeremy singles out DEV-0401, also known as Bronze Starlight or Emperor Dragon, as a China-based threat actor that’s “shifted their payloads to LockBit 2.0, developing their technology and emerging some of their tradecraft in order to evade detection and target our customers more prolifically.”6 Jeremy also calls out DEV-0846 as a provider of custom ransomware,7 as well as Russia’s Iridium as a source of ongoing attacks against transportation and logistics industries in Ukraine and Poland.8 He also cites Russia-based actor DEV-0586 as using ransomware as a ruse to target customers, then following up with destructive data “wiper” attacks.9

In his position as Director of Microsoft Defender Experts, Ryan brings a unique perspective on the changing threat landscape.10 “It’s been a proliferation of credential theft activity, largely stemming from adversary-in-the-middle attacks.” He points out that this kind of attack “underscores the importance of having a strategy for detection and hunting that’s beyond the endpoint; for example, in the email and identity space.”

“Identity compromises have been on the rise,” Ping concurs. “Attackers are just taking advantage of any vectors of entry that any customer has in their environment. So, it’s really important customers exercise good basic security hygiene.” She stresses that defenders should think of their environment as one organic whole, instead of separate parts. “If you have anything that touches the external world—domain controllers, email—those are all potential vectors of entry by attackers.” In short, protecting against the constantly evolving threats of today (and tomorrow) requires embracing a Zero Trust comprehensive approach to security.11
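Ryan's point that detection has to reach beyond the endpoint into the identity space can be made concrete with a small hunting query over sign-in telemetry. The following is an added example, not Microsoft Defender Experts tooling or any product's detection logic: it flags a session whose token is reused from a different country shortly after the MFA-backed sign-in that issued it, without a fresh MFA challenge, which is the kind of anomaly an adversary-in-the-middle token theft leaves in identity logs. The log format, field layout, one-hour window and the sample events are constructed for illustration.

```python
# Added example (not Microsoft's detection logic): flag a sign-in session whose
# token is reused from a different country shortly after issuance without a new
# MFA challenge, a pattern consistent with adversary-in-the-middle token theft.
# The log lines, field layout and thresholds are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: timestamp, user, session id, source IP, country, mfa flag.
SAMPLE_LOG = """\
2024-02-01T08:00:00Z,alice,S-100,203.0.113.10,US,mfa=yes
2024-02-01T08:30:00Z,alice,S-100,203.0.113.10,US,mfa=no
2024-02-01T09:00:00Z,bob,S-200,198.51.100.7,US,mfa=yes
2024-02-01T09:12:00Z,bob,S-200,192.0.2.44,NL,mfa=no
2024-02-01T10:00:00Z,carol,S-300,198.51.100.9,DE,mfa=yes
2024-02-01T10:05:00Z,carol,S-300,198.51.100.9,DE,mfa=no
2024-02-01T14:00:00Z,carol,S-300,203.0.113.77,JP,mfa=yes
"""

WINDOW = timedelta(hours=1)   # how soon after issuance a location change is suspicious


def parse(log_text):
    """Turn the constructed CSV-style lines into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, sid, ip, country, mfa = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "session": sid, "ip": ip, "country": country,
            "mfa": mfa == "mfa=yes",
        })
    return events


def detect_token_reuse(events, window=WINDOW):
    """Return alerts for sessions used from a new country within `window`
    of the MFA-backed sign-in that created them, without a fresh MFA."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = evs[0]
        for e in evs[1:]:
            if e["mfa"]:
                origin = e           # a new MFA challenge re-anchors the session
                continue
            if e["country"] != origin["country"] and e["ts"] - origin["ts"] <= window:
                alerts.append({
                    "session": sid, "user": e["user"],
                    "from": (origin["ip"], origin["country"]),
                    "to": (e["ip"], e["country"]),
                    "minutes_after_mfa": int((e["ts"] - origin["ts"]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_token_reuse(parse(SAMPLE_LOG)):
        print(a)   # one alert: bob's S-200 used from NL 12 minutes after a US MFA sign-in
```

Note the handling of carol's session: the later JP event carries a fresh MFA, so it re-anchors the session rather than raising an alert, which keeps a legitimate traveller who re-authenticates from tripping the rule. In production the country field would come from the identity provider's sign-in log and the window and location granularity would be tuned to the tenant.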

Understanding cyber-influence operations

Cyber-enabled influence operations don’t grab headlines the way ransomware attacks do, but their effects are more pernicious. In this kind of cybercrime, a nation-state or non-state actor seeks to shift public opinion or change behavior through subversive means online. In Jeremy’s talk with Rachel, she breaks down how these types of attacks unfold in three phases:

  1. Pre-positioning: Reconnaissance on a target audience, registering web domains to spread propaganda, or setting up inauthentic social media accounts.
  2. Launch: Laundering propaganda narratives through fake organizations or media outlets, coordinated overt media coverage, stoking real-world provocations, or the publishing of leaked or sensitive material.
  3. Amplification: Messengers unaffiliated with the actor repeat or repost the content.

The most prolific influence actors are labeled advanced persistent manipulators (APMs). Rachel uses the analogy that “APMs are to the information space what APTs (advanced persistent threats) are to cyberspace.” APMs are usually nation-state actors, though not always. Increasingly, the Microsoft Digital Threat Analysis Center (DTAC) sees non-state or private-sector actors employing the same influence techniques. In this way, a threat actor that wages a successful cyberattack might repurpose that capability for subsequent influence operations.

Rachel explains how DTAC uses the “four M model:” message, messenger, medium, and method. The message is just the rhetoric or the content that an actor seeks to spread, which typically aligns with the nation-state’s geopolitical goals. The messengers include the influencers, correspondence, and propaganda outlets that amplify the message in the digital environment. The mediums are the platforms and technologies used to spread the message, with video typically being the most effective. And finally, the methods consist of anything from a hack-and-leak operation to using bots or computational propaganda, or real-world elements like party-to-party political engagement.

So why should private organizations be concerned with cyber-influence operations? “Influence operations inherently seek to sow distrust, and that creates challenges between businesses and users,” Rachel explains. “Increasingly, our team is looking at the nexus between cyberattacks and subsequent influence operations to understand the full picture and better combat these digital threats.”

Microsoft DCU—Tracking cybercrime across the globe

The Microsoft Digital Crimes Unit (DCU) consists of a global cross-disciplinary team of lawyers, investigators, data scientists, engineers, analysts, and business professionals.12 The DCU is committed to fighting cybercrime globally through the application of technology, forensics, civil actions, criminal referrals, public and private partnerships, and the determined assistance of 8,500 Microsoft security researchers and security engineers. The DCU focuses on five key areas: Business Email Compromise (BEC), Ransomware, Malware, Tech Support Fraud, and Malicious Use of Microsoft Azure. According to Peter Anaman, Director and Principal Investigator at DCU, their investigations reveal that cybercriminals are moving away from a “spray-and-pray” approach toward the as-a-service model. Along with ransomware, cybercriminals are extending their retail services into new areas such as phishing as a service (PhaaS) and distributed denial of service (DDoS).

Threat actors have even created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting specific roles, such as C-suite leaders or accounts-payable employees. As part of the service, the seller will design the email template and even scrub the responses to make sure they’re valid. “All for a subscription model of, like, USD200 dollars a month,” Peter explains. DCU investigative evidence has observed a more than 70 percent increase in these services.1 “We’re finding that there’s a higher number of people who are committing these crimes. They have greater know-how on different technologies and online platforms that could be used as part of the [attack] vector.”

Regardless of the type of cybercrime, DCU goes after threat actors by executing on three main strategies:

  • Investigate: Track online criminal networks and make criminal referrals to law enforcement, along with civil actions to disrupt key aspects of technical infrastructure used by cybercriminals.
  • Share evidence: Assist with victim remediation and allow for the development of technical countermeasures that strengthen the security of Microsoft products and services.
  • Use our voice and expertise: Build on our partnerships to inform education campaigns and influence legislation and global cooperation to advance the fight against cybercrime.

In addition to arrest and prosecution, DCU deters cybercrime by disrupting the technical infrastructure used by criminals, causing them to lose their investments. In 2022, DCU helped to take down more than 500,000 unique phishing URLs hosted outside Microsoft while disrupting cybercriminals’ technical infrastructure, such as virtual machines, email, homoglyph domain names, and public blockchain websites.

DCU also works with Microsoft DART to gather intelligence and share it with other security professionals. Some of those indicators—a URL, domain name, or phishing email—may help with future investigations. “That intelligence [we gather] feeds back into our machine learning models,” Peter explains. “If that phishing page or kit is used again there will be better measures to block it at the gate, so our monitoring systems become stronger over time.”

When asked what an organization can do to protect itself, Peter suggests sticking to three cybersecurity basics. First: “Use multifactor authentication,” he stresses. “Ninety percent of [attacks] could have been stopped just by having multifactor authentication.” Second: “Practice [cyber] hygiene. Don’t just click links because you think it comes from a friend.” Cyber hygiene includes installing all software patches and system upgrades as soon as they become available. And third: “You’re really looking at the Zero Trust model,” Peter says. “Enforce least privilege [access]” so people only have access to the information they need. Bonus tip: “Make sure you have the same level of security on your personal email as you do on your work [email].”

Winning in the room—Communicating to the board

In this segment, I have a chance to speak with one of my favorite folks at Microsoft. Mark Simos is Lead Cybersecurity Architect at Microsoft (and PowerPoint super genius) with more than two decades of experience, so he knows something about dealing with a board of directors. Whether you work for a public or private company, the board is responsible for oversight. That means making sure that the leadership team is not only managing the business but also managing risks. And cybercrime is one of the biggest risks today’s organization contends with.

But for the board to understand the organization’s security positioning, they need to grasp how it relates to the business. Unlike dealing with finances, legal issues, or people management, cybersecurity is a new area for a lot of board members. According to Mark, a big part of winning them over is “making sure that the board members understand that cybersecurity is not just a technical problem to be solved, check, and move on. It’s an ongoing risk.”

In our talk, Mark lays out three basic things the board needs to know:

  • Problem or requirement: Frame this in terminology relating to the business.
  • Status: How well are you managing risk to your targeted tolerances?
  • Solution: What is your plan to get there, and how is it progressing?

Bonus tips:

  • Learn about your board. Read their bios and study their backgrounds and professions. These are highly capable and intelligent humans who have mastered demanding disciplines like finance, supply chain management, manufacturing, and more. They are capable of understanding cybersecurity when it’s presented clearly.
  • Learn their language. This goes back to framing the cybersecurity problem in concepts they’ll understand, helping you land your points accurately.
  • Find a board buddy. Establish a relationship with someone on the board who has an interest in learning cybersecurity. A mutual mentorship can help you learn about the other person’s area of expertise, which can help you make your case in clear terms.

Mark provides a wealth of free resources you can access anytime on Mark’s List.13 Also, there’s a chief information security officer (CISO) workshop available as public videos and as a live workshop from Microsoft Unified (formerly Premier Support). The workshop provides plenty of material to help accelerate a productive relationship with your board, including:

  • Sample questions the board should be asking of the security team (and you should be proactively answering).
  • Roleplay video on how CISOs can engage with hostile business leaders.
  • Kaplan-style scorecards based on the familiar approach used in many organizations.

Often board members don’t consider that security decisions can be made by asset owners, not just security teams. Mark suggests stressing the holistic aspect of cybersecurity as a differentiator from typical business unit concerns. “With security, it doesn’t matter where the leak is on the boat; it’s still going to sink,” he says. “So, it’s really important for folks to work together as a team and recognize that ‘I’m not just accepting the risk for me; I’m accepting it for everyone.’”

Security on the edge—Manufacturing and IoT

For the last segment of the webinar, we invited an expert to weigh in on one of the most-attacked industry segments across the globe—manufacturing. Myrna Soto is the CEO and founder of Apogee Executive Advisors, and a board member of prominent companies such as Headspace Health, CMS Energy, Banco Popular, Spirit Airlines, and many more. Cybersecurity in the manufacturing sector carries added urgency because many of these entities are part of the nation’s critical infrastructure—whether it’s manufacturing pharmaceuticals, supporting transportation, or feeding the power grid.

The smart factory has introduced more automation into the manufacturing ecosystem, creating new vulnerabilities. “One of the biggest challenges is the number of third-party connections,” Myrna explains. “It relates to how entities are interacting with one another; how certain companies have either air-gapped their Internet of Things (IoT) networks or not.” Myrna points out that the supply chain is never holistically managed by one entity, which means those third-party interactions are critical. She mentions the ability to encrypt certain data in machine-to-machine communications as a crucial part of securing an interconnected manufacturing ecosystem. “The ability to understand where assets are across the ecosystem is one of the key components that need attention,” she points out.

With the prospect of intellectual property loss, disruption to critical infrastructure, along with health and safety risks, Myrna sees manufacturing as one area where security teams and board members need to work together with urgency. I asked her to offer some insights gleaned from time spent on the other side of the table—particularly what not to do. “Probably the most annoying thing is the tendency to provide us a deluge of data without the appropriate business context,” she relates. “I’ve seen my share of charts around malware detections, charts on network penetrations. That is difficult for most non-technical board members to understand.”

Security is a team sport—Join us

Be sure to watch the full Security Experts Roundtable episode. We’ll be doing one of these every other month until they kick us off the stage, so remember to sign up for our May episode. Before we wrap up for today, I’d like to invite you to join us on March 28, 2023, for a brand-new event: Microsoft Secure. This event will bring together a community of defenders, innovators, and security experts in a setting where we can share insights, ideas, and real-world skills to help create a safer world for all. Register today, and I’ll see you there!

For more cybersecurity insights and the latest on threat intelligence, visit Microsoft Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Microsoft Digital Defense Report 2022, Microsoft. 2022.

2Based on internal research conducted by Microsoft Digital Crimes Unit, January 2023.

3The hunt for NOBELIUM, the most sophisticated nation-state attack in history, John Lambert. November 10, 2021.

4DEV-0537 criminal actor targeting organizations for data exfiltration and destruction, Microsoft Threat Intelligence Center. March 22, 2022.

5Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself, Microsoft Defender Threat Intelligence. May 9, 2022.

6Part 1: LockBit 2.0 ransomware bugs and database recovery attempts, Danielle Veluz. March 11, 2022.

7Monthly news—January 2023, Heike Ritter. January 11, 2023.

8New “Prestige” ransomware impacts organizations in Ukraine and Poland, Microsoft Security Threat Intelligence. October 14, 2022.

9Destructive malware targeting Ukrainian organizations, Microsoft Threat Intelligence Center. January 15, 2022.

10Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

11Implementing a Zero Trust security model at Microsoft, Inside Track staff. January 10, 2023.

12Digital Crimes Unit: Leading the fight against cybercrime, Microsoft. May 3, 2022.

13Mark’s List, Mark Simos.

2023 identity security trends and solutions from Microsoft http://approjects.co.za/?big=en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft/ Thu, 26 Jan 2023 18:00:00 +0000 Learn about the latest types of identity-based cyberattacks and how your organization can create an integrated, layered defense.

Welcome to 2023! I wanted to kick this year off by having a quick look at the trends in identity security, what you can do about it, and what Microsoft is doing to help you. One of the things we talk about on the team is “shiny object syndrome”—there are a ton of innovative and scary attacks and research out there. Unfortunately, each one tends to pull us into “but what about…” where we’re being asked how we will handle the nascent headline grabber. This approach can whipsaw teams and prevent the completion of our defense projects, leaving us exposed to old and new ones.

Attackers will innovate—our response in the defender community needs to be thoughtful and strategic. But we don’t need to panic. We can take as an example ransomware attacks. These are scary and grab headlines because of crippling work stoppages or huge ransoms. But recent studies by Expert Insights confirm what we’ve known for ages—more often than not, attacks like ransomware are the second stage, predicated by an identity compromise. In fact, if you read all the attention-grabbing headlines, you’ll find that most novel techniques rely on compromising identity first. This shows the importance of getting our identity basics right and keeping our eyes on the ball.

Pamela Dingle gave a keynote at Authenticate 2022 in which she discussed identity attacks in terms of waves (and has recapped on LinkedIn—if you haven’t read it, you should). She was kind enough to let me weigh in, and I’m going to borrow the paradigm to frame our guidance. Pam likened escalating identity attacks to threats in a voyage in her talk. These threats decrease in volume as they increase in sophistication and novelty: 

Graphic detailing three different waves of identity attacks. First is password attacks, which consist of breach replay, password spray, and phishing. Next is multifactor authentication attacks, which includes SIM-jacking, multifactor authentication fatigue, adversary in the middle. Third is post-authentication attacks, including token theft and consent phishing.

This is an awesome frame for thinking through the attacks, so we’ll use it here to complement her blog with concrete features and guidance. I am adding one more threat to her framework—the critical importance of posture agility that helps us deal with the next “rogue wave.” Hopefully, this framing will help you build out a strategic approach that addresses the critical issues you are facing now, help you invest thoughtfully for emerging threats, and set you up for defensive agility in the year ahead. Let’s dive in.

Password attacks

Simple password attacks are pervasive. They are the water we swim in. I detail these extensively in “Your Password Doesn’t Matter.” The dominant three attacks are:

  • Password spray: Guessing common passwords against many accounts.
  • Phishing: Convincing someone to type in their credentials at a fake website or in response to a text or email.
  • Breach replay: Relying on pervasive password reuse to take passwords compromised on one site and try them against others.

These attacks are effectively free to execute on a massive scale. As a result, Microsoft deflects more than 1,000 password attacks per second in our systems, and more than 99.9 percent of accounts that are compromised don’t have multifactor authentication enabled. Multifactor authentication is one of the most basic defenses against identity attacks today, and despite relentlessly advocating multifactor authentication usage for the past six years, including it in every flavor of Microsoft Azure Active Directory (Azure AD), and innovating in mechanisms from Microsoft Authenticator to FIDO, only 28 percent of users last month had any multifactor authentication session. With such low coverage, attackers increase their attack rate to get what they want. The adoption rate is a demonstration of a critical issue I will return to in this blog—in most organizations, budgets and resources are tight, security staff is overwhelmed, and shiny object syndrome pulls us in many directions, preventing the closure of issues.
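The three attack shapes above look different in a sign-in log, and telling them apart decides the response (block the source and reset sprayed accounts, versus a single user mistyping). The following triage script is an added example, not code from the original post; its log format, source addresses and thresholds are constructed for illustration and are not any product's real format.

```python
"""Triage of failed sign-ins into password spray vs. brute force (added example).

The log format, thresholds and IP addresses below are constructed for
illustration and are not any product's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: <ISO-8601 UTC timestamp> src=<ip> user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

SAMPLE_LOG = [
    # One source, six different accounts, one wrong password each: spray profile.
    "2023-01-20T09:00:01Z src=203.0.113.5 user=alice result=FAIL",
    "2023-01-20T09:00:09Z src=203.0.113.5 user=bob result=FAIL",
    "2023-01-20T09:00:17Z src=203.0.113.5 user=carol result=FAIL",
    "2023-01-20T09:00:25Z src=203.0.113.5 user=dave result=FAIL",
    "2023-01-20T09:00:33Z src=203.0.113.5 user=erin result=FAIL",
    "2023-01-20T09:00:41Z src=203.0.113.5 user=frank result=FAIL",
    "2023-01-20T09:03:02Z src=203.0.113.5 user=frank result=OK",
    # One source hammering a single account: brute-force profile.
    "2023-01-20T09:10:00Z src=198.51.100.7 user=admin result=FAIL",
    "2023-01-20T09:10:02Z src=198.51.100.7 user=admin result=FAIL",
    "2023-01-20T09:10:04Z src=198.51.100.7 user=admin result=FAIL",
    "2023-01-20T09:10:06Z src=198.51.100.7 user=admin result=FAIL",
    "2023-01-20T09:10:08Z src=198.51.100.7 user=admin result=FAIL",
    "2023-01-20T09:10:10Z src=198.51.100.7 user=admin result=FAIL",
    # A user who mistypes twice and then signs in: benign.
    "2023-01-20T09:20:00Z src=192.0.2.10 user=alice result=FAIL",
    "2023-01-20T09:20:30Z src=192.0.2.10 user=alice result=FAIL",
    "2023-01-20T09:21:00Z src=192.0.2.10 user=alice result=OK",
]


def parse_line(line):
    """Parse one constructed log line into a dict; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable sign-in line: {line!r}")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def label_sources(events, window=timedelta(hours=1), min_users=5,
                  max_per_user=3, brute_threshold=5):
    """Label each source IP as 'spray', 'brute_force' or 'benign'.

    spray:       within one window the source fails against at least
                 min_users distinct accounts with at most max_per_user
                 failures per account (few guesses spread over many users)
    brute_force: within one window a single account sees at least
                 brute_threshold failures from the source
    """
    fails = defaultdict(list)  # src -> [(ts, user)], time-ordered
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAIL":
            fails[e["src"]].append((e["ts"], e["user"]))

    labels = {}
    for src, items in fails.items():
        label = "benign"
        lo = 0
        for hi in range(len(items)):
            # Slide the window so items[lo:hi+1] spans at most `window`.
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            per_user = defaultdict(int)
            for _, user in items[lo:hi + 1]:
                per_user[user] += 1
            peak = max(per_user.values())
            if len(per_user) >= min_users and peak <= max_per_user:
                label = "spray"
                break
            if peak >= brute_threshold:
                label = "brute_force"
        labels[src] = label
    return labels


def triage(lines):
    """Return (labels, at_risk): at_risk lists accounts that a spraying or
    brute-forcing source later signed into successfully."""
    events = [parse_line(l) for l in lines]
    labels = label_sources(events)
    at_risk = sorted({
        e["user"] for e in events
        if e["result"] == "OK" and labels.get(e["src"]) in ("spray", "brute_force")
    })
    return labels, at_risk


if __name__ == "__main__":
    labels, at_risk = triage(SAMPLE_LOG)
    for src, label in labels.items():
        print(f"{src:15} {label}")
    print("accounts needing password reset and MFA review:", at_risk)
```

A breach-replay sign-in usually succeeds on the first try from an unfamiliar source, so it leaves no failure trail for this logic to catch; that is why the post's answer to all three is multifactor authentication rather than better log analysis.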

Driving more multifactor authentication usage is the most important thing we can do for the ecosystem, and if you aren’t yet requiring multifactor authentication for all users, enable it. Old-fashioned, bolt-on multifactor authentication was clunky, requiring copying codes from phone to computer and getting multiple prompts. Modern multifactor authentication using apps, tokens, or the device itself is very low friction or even invisible to the users. Old-fashioned multifactor authentication had to be bought and deployed separately and at additional cost. Modern multifactor authentication is included in all SKUs, deeply integrated into Azure AD, and requires no additional management.

Our strong position is that all user sessions should be multifactor authentication protected, and we are doing all we can to get there. This is why all new tenants created since 2019 have multifactor authentication enabled by default, and why we are now turning on multifactor authentication on behalf of tenants who have not demonstrated interest in their security settings.

Multifactor authentication attacks

If you have enabled multifactor authentication, you can pat yourself on the back and be happy that you’ve effectively deflected the dominant identity attacks. While still far less than the 100 percent we are striving for, the 28 percent of users who are now protected with multifactor authentication include some who are targets for attackers. To get to these targets, attackers have to attack multifactor authentication itself.

Examples here include:

This chart details Azure AD Identity Protection sessions at high risk with multiple failed multifactor authentication attempts and how they have increased month over month. 58 percent of attempts are voice, 38 percent are push notifications, and 3 percent are SMS.

Note these attacks require more effort and attacker investment, and as a result are detected in the tens of thousands per month—not thousands per second. But all the attacks mentioned are on the rise, and we expect to see that continue as basic multifactor authentication coverage increases.

To defeat these attacks, it is critical not just to use multifactor authentication, but to use the right multifactor authentication. We recommend Authenticator, Windows Hello, and FIDO. For organizations with existing personal identity verification card and common access card (PIV and CAC) infrastructure, certificate-based authentication (CBA) is a good phishing-resistant (and executive order-compliant) solution. Bonus: All of these methods are considerably easier to use than passwords or telephony-based multifactor authentication.

Post-authentication attacks

Determined attackers are using malware to steal tokens from devices—allowing a valid user to perform valid multifactor authentication on a valid machine, but then using credential stealers to take the cookies and tokens and use them elsewhere. This method is on the rise and has been used in recent high-profile attacks. Tokens can also be stolen if incorrectly logged or if intercepted by compromised routing infrastructure, but the most common mechanism by far is malware on a machine. If a user is running as admin on a machine, then they are just one click away from token theft. Core Zero Trust principles like running effective endpoint protection, managing devices, and, critically, using least privileged access (meaning, run as a user, not an admin, on your machines) are great defenses. Pay attention to signals that indicate that token theft is occurring, and require re-authentication for critical scenarios like machine enrollment.
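The two defenses named in that paragraph, watching for token-theft signals and demanding re-authentication for critical scenarios, can be expressed as a small policy over session-bound requests. This is an added example, not code from the original post or from Azure AD; the request fields, the sensitive-action list, the ten-minute freshness limit and the addresses are constructed assumptions.

```python
"""Session-binding checks that surface token-theft signals (added example).

The request model, thresholds and addresses below are constructed for
illustration; they are not Azure AD's real data model or policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions that should require a fresh interactive sign-in (the post's
# "re-authentication for critical scenarios like machine enrollment").
SENSITIVE_ACTIONS = {"device_enroll", "register_mfa_method"}
MAX_AUTH_AGE = timedelta(minutes=10)  # constructed freshness limit


@dataclass
class Request:
    ts: datetime
    session: str          # identifier of the bearer token / cookie presented
    src_ip: str
    user_agent: str
    action: str
    auth_age: timedelta   # time since the user last completed interactive MFA


T0 = datetime(2023, 1, 20, 9, 0, 0)
SAMPLE_REQUESTS = [
    # Normal use from the device that authenticated.
    Request(T0, "s1", "192.0.2.10", "Edge/110 (Windows)", "read_mail", timedelta(minutes=1)),
    # Same token two minutes later from a different client and network:
    # the pattern of a stolen cookie replayed from the attacker's machine.
    Request(T0 + timedelta(minutes=2), "s1", "203.0.113.99", "curl/7.88", "read_mail", timedelta(minutes=3)),
    # Machine enrollment on a session whose MFA is 45 minutes old.
    Request(T0 + timedelta(minutes=3), "s2", "192.0.2.11", "Edge/110 (Windows)", "device_enroll", timedelta(minutes=45)),
    # Machine enrollment right after a fresh MFA.
    Request(T0 + timedelta(minutes=4), "s3", "192.0.2.12", "Edge/110 (Windows)", "device_enroll", timedelta(minutes=2)),
    # A phone that changes IP mid-session but keeps the same client.
    Request(T0 + timedelta(minutes=5), "s4", "198.51.100.20", "Safari/16 (iOS)", "read_mail", timedelta(minutes=5)),
    Request(T0 + timedelta(minutes=6), "s4", "198.51.100.21", "Safari/16 (iOS)", "read_mail", timedelta(minutes=6)),
]


def evaluate(requests):
    """Return one (session, action, decision, reason) per request, in time order.

    revoke:  token presented by a different client than the one it was issued
             to; treat as theft, invalidate the session, force re-sign-in.
    step_up: plausible but unproven (network change, or a sensitive action on
             stale authentication); require a fresh interactive MFA first.
    allow:   nothing in the binding or freshness checks objects.
    """
    bound = {}      # session -> (ip, user_agent) seen at first use
    revoked = set()
    results = []
    for r in sorted(requests, key=lambda r: r.ts):
        if r.session in revoked:
            results.append((r.session, r.action, "revoke", "session previously revoked"))
            continue
        ip, ua = bound.setdefault(r.session, (r.src_ip, r.user_agent))
        if ua != r.user_agent:
            revoked.add(r.session)
            results.append((r.session, r.action, "revoke",
                            "token replayed from a different client"))
        elif ip != r.src_ip:
            # Address changes are common on mobile networks, so demand proof
            # rather than assuming theft; rebind on the new address afterwards.
            bound[r.session] = (r.src_ip, r.user_agent)
            results.append((r.session, r.action, "step_up",
                            "session moved networks; re-authenticate"))
        elif r.action in SENSITIVE_ACTIONS and r.auth_age > MAX_AUTH_AGE:
            results.append((r.session, r.action, "step_up",
                            "sensitive action on stale authentication"))
        else:
            results.append((r.session, r.action, "allow", ""))
    return results


def decisions(requests):
    """Just the decision column, convenient for dashboards and tests."""
    return [d for _, _, d, _ in evaluate(requests)]


if __name__ == "__main__":
    for session, action, decision, reason in evaluate(SAMPLE_REQUESTS):
        print(f"{session} {action:20} {decision:8} {reason}")
```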

This chart details the increase in token replay attacks we’ve detected with Azure AD Identity Protection. These attacks have gone from 31,000 in June 2021, to over 59,000 in August of 2022.

Another bypass attack is OAuth consent phishing. This is where someone tricks an existing user into giving an application permission to access on their behalf. Attackers send a link asking for consent (“consent phishing”) and if the user falls for the attack, then the app can access the user’s data even when the user is not present. Like other attacks in this category, they are rare but increasing. We strongly recommend inspecting what apps your users are consenting to and limiting consent to applications from verified publishers.

Infrastructure compromise

As you get more effective at using identity to secure your organizations and build your Zero Trust policies, advanced attackers are attacking identity infrastructure itself—predominantly taking advantage of outdated, unpatched, or otherwise insecure on-premises network vulnerabilities to steal secrets, compromise federation servers, or otherwise subvert the infrastructure we rely on. This mechanism is insidious, because the attackers often take advantage of access to hide their tracks, and once the access control plane is lost, it can be incredibly difficult to effectively evict an actor.

We are working hard to strengthen hybrid and multicloud detections and build automated protection for specific indicators that attackers are moving against identity infrastructure. Critically, because of the incredible difficulty of protecting on-premises deployments from malware, lateral movement, and emerging threats, you should reduce your dependencies on on-premises infrastructure, shifting authority to the cloud where possible. You should specifically isolate your cloud infrastructure from your on-premises environment. Finally, it is critical to partner closely with your security operations center (SOC) to make sure that privileged identity administrators and on-premises servers win special scrutiny. And because today’s sophisticated adversaries will look for any gap in your security, securing user identities also means protecting non-human identities and the infrastructure that stores and manages identities as well.

The rogue wave: Attack velocity and intensity

Our team assists with hundreds of significant cases every year, and one of the most critical issues we see is the difficulty of keeping up with increasing volumes and intensity of attacks. Whether it is assisting customers who are running Windows Server 2008 Domain Controllers or the customers still struggling with multifactor authentication rollout, the rapid pace of attacker innovation is hard to meet for organizations facing tremendous budget, resource, hiring, and political pressures—and that only addresses those organizations that think about security. Our consumer accounts (like those used to access Outlook.com or Xbox) are 50 times less likely to be hacked than enterprise accounts—because, for these consumer accounts, we can manage the multifactor authentication policy, risk mitigations, and other key security aspects. All these capabilities (and more) are available to organizations—but the cost of posture management proves too much for many customers.

Our team is committed not just to reducing costs associated with identity attacks, but to massively reducing the investments required to get and stay secure. This is the common thread that runs through our many investments—whether it is Conditional Access gap analysis, adapting Authenticator to address evolving multifactor authentication fatigue attacks, continuously evolving and expanding our threat detections, or our security defaults program, we are committed to protecting the users, organizations, and systems that depend on identity from unauthorized access and fraud—it is very clear that this must include helping organizations start secure (or get secure) and stay secure, to do more with less.

As you invest in identity security, we encourage you to invest in mechanisms that allow your organization to be agile—automating responses to common threats (for example, auto-blocking or requiring password change), using mechanisms like Authenticator that can evolve and adapt to new threats, shifting authority to the cloud (where detections and mitigations are agile), and being attentive to indications of risk derived from our machine learning systems.  

Fair winds and following seas in 2023

Whether you’re an admin at a major company or launching a startup from your garage, protecting user identities is crucial. Knowing who is accessing your resources and for what purpose provides a foundation of security upon which all else rests. For that reason, it’s imperative to do everything possible to strengthen your identity posture today. The challenges are significant, but defensive strategies and technology are there to help.

If I may be so bold as to propose some New Year’s resolutions for your identity security efforts:

  1. Protect all your users with multifactor authentication, always, using Authenticator, Fast Identity Online (FIDO), Windows Hello, or CBA.
  2. Apply Conditional Access rules to your applications to defend against application attacks.
  3. Use mobile device management and endpoint protection policies—especially prohibiting running as admin on devices—to inhibit token theft attacks.
  4. Limit on-premises exposure and integrate your SOC and identity efforts to ensure you are defending your identity infrastructure.
  5. Bet hard on agility with a cloud-first approach, adaptable authentication, and deep commitments to automated responses to common problems to save your critical resources for true crises.

Each of these recommendations has value in and of itself, but taken together, they represent an approach to defense-in-depth. Defense-in-depth encourages us to assume that any single control might be overcome by an attacker, so we have multiple layers of defense. In the recommendations listed in this blog, a user with perfect authentication should never be compromised, but we layer in endpoint protection, SOC monitoring, automated responses, and posture agility assuming that no one control is adequate.

To learn more about how you can protect your organization, be sure to read Joy Chik’s blog, Microsoft Entra: 5 identity priorities for 2023. If you’re interested in a comprehensive security solution that includes identity and access management, extended detection and response, and security information and event management, visit the Microsoft Entra page, along with Microsoft Defender for Identity and Microsoft Sentinel, to learn how this family of multicloud identity and security products can protect your organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Microsoft Intune: 5 endpoint management predictions for 2023 http://approjects.co.za/?big=en-us/security/blog/2022/12/20/microsoft-intune-5-endpoint-management-predictions-for-2023/ Tue, 20 Dec 2022 17:00:00 +0000 Are you wondering what initiatives to prioritize in the new year? This blog distills some of the major forecasts for 2023, from technology to new worker behavior. We then help to translate the implications for those trends for those in charge of endpoint management strategies.

The end of the year typically brings with it a small library of reports with predictions for the year ahead. The value in these reports is less in the precise predictions themselves—given how interconnected the world is, no one has a perfect crystal ball. Rather, the forecasts help frame the thinking about the possibilities for the coming year, and what they might mean for you. With that in mind, I would like to share five predictions for 2023 that resonated with me and explain what they could mean for endpoint management in your organization. After reviewing these predictions, I encourage you to review your current endpoint security posture, and how Microsoft Intune can help further improve it in 2023. 

1.  Strong cloud adoption rates will continue

Macroeconomists may be pessimistic about gross domestic product growth in Europe and the United States in 2023, but even in weak macroeconomic scenarios, cloud growth rates remain stellar.1 Gartner® predicts almost 30 percent growth for infrastructure as a service and almost 25 percent growth for platform as a service in 2023, as compared to 2022 in the worldwide public cloud user spending category. A September 2022 survey of chief technology officers (CTOs) by Evercore-ISI asked the top things they would do in response to reduced budgets or inflationary pressure.2 The top answer (from 44 percent of CTOs): increase their use of the cloud. Gartner® predicts that by 2025 more than 90 percent of clients will use cloud-based unified endpoint management (UEM) tools, up from 50 percent in 2022. So, if you have not migrated your UEM to the cloud yet, 2023 is the year to start.

2. Security will remain the top issue for CTOs into 2023

When asked in September about their highest priority project (in terms of incremental spending), 42 percent of CTOs said cloud security. Network security was the second most common response, with analytics third.2 Credit Suisse recently polled CTOs on how different categories in their IT budget would grow.3 In 2021 and 2022, security was ranked top, with an 11 percent increase. Asked to predict the growth in security spending in 2026, security again ranked highest, but the expected increase was even more: 14 percent. Underlying factors provide color to the raw growth numbers. The geopolitical storm continues, and new avenues continue to emerge for hackers. I expect to hear even more about deepfake videos and ransomware as a service in 2023. So, how do chief information security officers (CISOs) strengthen their organization’s defenses in 2023? We would propose two initiatives: first, ensure security software is suitably integrated with a unified console to enable fewer points of vulnerability and more automation. By extension, this might mean consolidating vendors. Second, tackle the human aspect: invest in upskilling staff on how best to be aware of potential attacks.4

3. Worker mobility will increase further

The past few years have changed the model for knowledge workers. 2023 will see several shifts that will add to the hybrid work from anywhere (and hence, protect everywhere) trend. Next year will see mass adoption of 5G capable devices: Juniper Research estimates that there will be 600 million more 5G connections added in 2023 alone.5 Technological trends will be compounded by demographic trends, such as “productivity paranoia,” where workers want to show they are being productive, no matter where they are. What does this mean for CISOs? New working styles, new networks, and new devices mean new attack vectors. In 2023, be ready to protect your workers who are working from anywhere, not just from home.

4. CTOs will need to pay more attention to local factors

There is always a balance between global and local initiatives, but in 2023, we expect that it will be increasingly difficult to just adopt a one-size-fits-all global shortcut. We are seeing an increasing number of national regulations related to data sovereignty, with implications for where that data is stored and secured.6 2023 will see further digital transformation of public sector agencies. These agencies often have more country-specific security or compliance rules compared to their private sector counterparts. As such, CISOs need to ensure their endpoint management solutions (and, indeed, their entire technology architecture) can adapt to handle extra local requirements.

5. Truly transformative technology will rise to the top

My final prediction is that 2023 will see further clarity on the difference between genuinely transformative technology and tech that has been overhyped. One technology that I expect to compare favorably for enterprises in 2023 will be more advanced forms of automation, such as AI. AI start-ups have seen more than USD100 billion in venture capital investment since 2020, in everything from the development of new drugs to new ways to create art and writing (and, perhaps, eventually, transform how blogs are created!).[7] Security represents a great opportunity for advanced automation and AI, given the nature of the ongoing problems CISOs must grapple with. As such, while new AI-generated images may garner the headlines, away from the limelight we expect many other enterprise software solutions to benefit from both sophisticated AI and simply greater automation.[8] For example, in endpoint management, Gartner® sees that by 2027, UEM and digital employee experience tools will converge—to drive autonomous endpoint management, reducing human effort by at least 40 percent. The more that security tasks are automated, the more time is freed up for more strategic work by your key staff.

Learn more

I hope you found these 2023 trends thought-provoking. I would encourage you to continue to think about what the macro situation might mean specifically for your organization and translate that into an action plan for your Microsoft Intune assets in 2023. In the meantime, I wish you all a safe and thoughtful holiday season and wish you continued success in the new year.  

Learn more about how Microsoft Intune can simplify your endpoint management:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] World Economic Outlook, October 2022: Countering the Cost-of-Living Crisis, IMF. October 15, 2022.

[2] Evercore-ISI Quarterly Enterprise Technology Spending Survey, September 15, 2022.

[3] Credit Suisse CIO Survey, Credit Suisse. October 6, 2022.

[4] What cybersecurity trends are expected in 2023? Muhammad Zulhusni, November 29, 2022.

[5] 5G Service Revenue to Reach $315 Billion Globally in 2023, Juniper Research. October 23, 2022.

[6] Microsoft launches its Cloud for Sovereignty, Frederic Lardinois. July 19, 2022.

[7] State of AI Q2’22 Report, CB Insights. August 10, 2022.

[8] How a computer designed this week’s cover, The Economist. June 11, 2022.

The post Microsoft Intune: 5 endpoint management predictions for 2023 appeared first on Microsoft Security Blog.

Forrester names Microsoft a Leader in Q4 2022 Security Analytics Platforms Wave report http://approjects.co.za/?big=en-us/security/blog/2022/12/19/forrester-names-microsoft-a-leader-in-q4-2022-security-analytics-platforms-wave-report/ Mon, 19 Dec 2022 17:00:00 +0000

We’re excited to announce that Microsoft is named a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2022. Microsoft achieved the highest possible score in 17 different criteria, including partner ecosystem, innovation roadmap, product security, case management, and architecture.

With threats like ransomware increasing in volume and complexity, it’s never been more important for chief information security officers (CISOs) to invest in solutions that will keep their companies safe and running. As the threat landscape continues to proliferate, cloud-native security information and event management (SIEM) solutions like Microsoft Sentinel have become a central part of a SecOps solution and have evolved to meet the new needs of customers to move faster.

Forrester Wave™ graphic showcasing Microsoft as a Leader in Security Analytics Platforms, Q4 2022.

We believe this placement validates our continued investment in Microsoft Sentinel, security research, and threat intelligence. We take it as a vote of confidence in our ability to keep our customers safe and working fearlessly. Microsoft Security is named a leader on seven different Forrester Wave™ reports and continues to invest in innovative solutions that work together to keep our customers’ businesses safer.

Microsoft was evaluated on several capabilities that empower customers to move faster to identify, investigate, and remediate threats. Some particularly important features include:

  • Providing flexibility to customers to create their own rules using Kusto Query Language (KQL) or by bringing their own machine learning. This allows security operations center (SOC) teams to build automations that work for their organization and reduces the amount of time spent on repetitive tasks.
  • Comprehensive threat intelligence that empowers customers to keep up with the evolving threat landscape.
  • Scaled search and storage of large volumes of data allow customers to protect their digital ecosystems at scale and monitor all their clouds, platforms, and endpoints in one place.  

The Microsoft Sentinel strategy

Microsoft Sentinel is a next-generation SIEM solution that collects security data across multicloud, multi-platform data sources. The comprehensive SOC platform provides user and entity behavior analytics (UEBA), threat intelligence, and security orchestration, automation, and response (SOAR) capabilities, along with deep integrations into the Microsoft Defender threat protection products, giving comprehensive coverage across SIEM and extended detection and response (XDR). Sentinel empowers companies to leverage cloud-scale, innovative AI and automation to move at machine speed and stay ahead of evolving threats.

What makes the Microsoft suite of security solutions unique is the native integrations of SIEM with XDR to provide quick setup, more comprehensive coverage and context, and faster response time. Customers who leverage Microsoft Defender XDR products may be eligible for discounts on Microsoft Sentinel data ingestion.  

Over the past year, Microsoft has invested in many new capabilities, including content for Internet of Things (IoT) devices, business application coverage including SAP, enhanced SOAR capabilities, and improved workflow management. These capabilities help our customers to protect more of their digital ecosystem, automate responses to more types of threats, and build an efficient and collaborative SOC.

What’s next in Microsoft Security

Microsoft is dedicated to continued leadership in security. Continued investments will provide customers with the intelligence, automation, and scalability they need to protect their businesses and work efficiently. Upcoming enhancements include the integration of more threat intelligence, new ways to hunt across large sets of data, and more context and prioritization guidance in alerts. New AI solutions will allow SecOps teams to more easily identify the most urgent issues and give guidance on how similar customers have reacted to similar incidents. The Microsoft vision is to provide a central platform for SOCs to understand the health of their entire business and quickly act on issues.

Learn more

Read The Forrester Wave™: Security Analytics Platforms, Q4 2022 report.

Microsoft Security is committed to empowering SecOps teams with security tools and platforms that enable the critical protection your users rely on. To experience Microsoft Sentinel at your organization, get started with a free trial today.


A Leader in multiple Zero Trust security categories: Industry analysts weigh in http://approjects.co.za/?big=en-us/security/blog/2022/03/17/a-leader-in-multiple-zero-trust-security-categories-industry-analysts-weigh-in/ Thu, 17 Mar 2022 16:00:00 +0000 Find out how Microsoft is a leader in the industry across the pillars of Zero Trust security—and how your organization can benefit.

The massive shift toward remote and hybrid work over the last two years has prompted many security professionals to reassess where siloed security may create vulnerabilities.[1] For that reason, the Zero Trust security model has become the gold standard for enterprise security. An effective Zero Trust approach requires comprehensive security—a holistic solution that covers all users, devices, and endpoints with central visibility. And any security solution you entrust with protecting your organization should be vetted by trusted industry sources.

There’s a reason Microsoft Security generated more than USD15 billion in revenue during 2021 with 45 percent growth.[2] We’re a Leader in four Gartner® Magic Quadrant™ reports,[3] eight Forrester Wave™ reports,[4] and six IDC MarketScape reports.[5] As we head into another year marked by rapid change, Microsoft Security continues to deliver industry-leading protection across Zero Trust pillars, including identity, endpoints, applications, infrastructure, and data. Read on to see how we can help you move forward fearlessly with Cloud Security Services.

Strengthen identity verification

Zero Trust security starts with strong identity verification. That means determining that only those people, devices, and processes you’ve authorized can access resources on your systems. As the cornerstone of Microsoft’s identity solutions, Microsoft Azure Active Directory (Azure AD) provides a single identity control plane with common authentication and authorization for all your apps and services, including many non-Microsoft apps. Built-in Conditional Access in Azure AD lets you set policies to assess the risk level of a user, device, sign-in location, or app. Admins can also make point-of-logon decisions and enforce access policies in real time—blocking access, requiring a password reset, or granting access with an additional authentication factor.

Gartner recognized Microsoft as a 2021 Leader in the Gartner Magic Quadrant for Access Management.[6] Microsoft was also named as a Leader in the IDC MarketScape: Worldwide Advanced Authentication for Identity Security 2021 Vendor Assessment. From the IDC MarketScape report: “As telemetry is the rocket fuel for AI- and machine learning-infused endpoint security solutions, Microsoft’s breadth and volume are unequaled geographically and across customer segments. With the support of macOS, iOS, and Android, Microsoft’s telemetry pool is expanding and diversifying.”

“The difference we’ve experienced in visibility and threat detection since deploying Microsoft Security solutions is like night and day.”—Raoul Van Der Voort, Global Service Owner, Rabobank.

Comprehensive endpoint management

Microsoft Endpoint Manager combines Microsoft Intune and Microsoft Configuration Manager to ensure that all user devices and their installed apps (corporate and personal) meet your security and compliance policies—whether connecting from inside the network perimeter, over a VPN, or from the public internet. We believe this comprehensive coverage, together with Microsoft 365 Defender’s extended detection and response (XDR) capabilities and its easy integration with Microsoft 365 apps, led to Microsoft being named a Leader in the 2021 Gartner Magic Quadrant for Unified Endpoint Management Tools.[7]

Endpoint Manager also ranked as a Leader in The Forrester Wave™: Unified Endpoint Management, Q4 2021. As the Forrester report states: “Endpoint Manager excels at helping customers migrate to modern endpoint management, with differentiating features, such as policy analysis, to determine readiness for cloud management, templated group policy migration, and pre-canned reports for co-management eligibility.” In the 2021 IDC MarketScape Vendor Assessments, Microsoft was again named as a Leader in five categories, including Worldwide Modern Endpoint Security for Enterprises[8] and Small and Midsize Businesses,[9] as well as Worldwide Unified Endpoint Management Software,[10] Worldwide Unified Endpoint Management Software for Ruggedized/Internet of Things Deployment,[11] and Worldwide Unified Endpoint Management Software for Small and Medium-Sized Businesses.[12]

“Our team are the enablers for Zero Trust principles at Heineken, so by using the latest security technologies to provide a safe way for our business to innovate—like technology that helps reduce our carbon footprint and save water—we really can brew a better world.”—Marina Marceta, Security Incident Manager, Heineken.

Endpoint security and protection

Microsoft Defender for Endpoint was named a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms,[13] as well as being recognized as a Leader in The Forrester Wave™: Endpoint Security Software as a Service, Q2 2021. In the Forrester report, Defender for Endpoint received the highest possible scores in the criteria of control, data security, and mobile security, as well as in the criteria for Zero Trust framework alignment. As Forrester reported: “Third-party labs and customer reference scores both point to continued improvement over antimalware and anti-exploit efficacy where Microsoft frequently outperforms third-party competitors.”

Microsoft 365 Defender again made the top ranks later in the same year, placing as a Leader in The Forrester New Wave™: Extended Detection and Response (XDR), Q4 2021. “[Microsoft 365 Defender] offers robust, native endpoint, identity, cloud, and O365 [Microsoft Office 365] correlation… singular and cross-telemetry detection, investigation, and response for Microsoft’s native offerings in one platform.”

Application usage and management

Knowing which apps are being accessed by the people in your organization is critical to mitigating threats. This is especially true for apps that might be acquired independently for use by individuals or teams, also known as shadow IT. Microsoft Defender for Office 365 was named a Leader in The Forrester Wave™: Enterprise Email Security, Q2 2021, and received the highest possible score in the incident response, threat intelligence, and endpoint detection and response (EDR) solutions integration criteria. Defender for Office 365 also received the highest possible scores in the product strategy, support and customer success, and performance and operations criteria.

Microsoft 365 Defender was again recognized by Forrester as a Leader in The Forrester New Wave™: Extended Detection and Response (XDR), Q4 2021. Forrester found that Defender “offers robust, native endpoint, identity, cloud, and Office 365 correlation… [and] provides singular and cross-telemetry detection, investigation, and response for Microsoft’s native offerings in one platform.” Forrester also stated that Microsoft Defender for Endpoint’s “rich native telemetry yields tailored detection, investigation, response, and mitigation capabilities.”

Microsoft is committed to helping you gain visibility of your cloud apps and protect sensitive information anywhere in the cloud, as well as assess compliance and discover shadow IT. We’re proud to report that Microsoft Defender for Cloud Apps ranked as a Leader in The Forrester Wave™: Cloud Security Gateways, Q2 2021, receiving the highest score in the strategy category.

Secure your network

Today’s modern architectures span on-premises systems, multiple cloud and hybrid services, VPNs, and more. Microsoft provides the scalable solutions needed to help secure any size network, including our cloud-native Microsoft Azure Firewall and Microsoft Azure DDoS Protection. Our XDR, security information and event management (SIEM), and security orchestration, automation, and response (SOAR) solutions—Microsoft 365 Defender and Microsoft Sentinel—empower your security operations centers (SOCs) to hunt for threats and easily coordinate your response from a single dashboard. 

“The reason Microsoft provides such a powerful security solution is that it seeks to meet your needs holistically. Each security layer talks to everything else, including those data sources you might be using that are external to Microsoft.”—Martin Sloan, Security Director, Drax Group.

On-premises and cloud infrastructure

Accurate infrastructure monitoring is critical for detecting vulnerabilities, attacks, or any anomaly that could leave your organization vulnerable. Staying on top of configuration management and software updates is especially important to meet your security and policy requirements.

Because today’s SOC is tasked with protecting a decentralized digital estate, Microsoft Sentinel was created as a cloud-native SIEM and SOAR solution, designed to protect both on-premises and cloud infrastructure. Only a year after Microsoft Sentinel’s introduction, Microsoft was named a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2020. By using graph-based machine learning and a probabilistic kill chain to produce high-fidelity alerts, Microsoft Sentinel reduces alert fatigue by 90 percent. Forrester reported that customers “note the ease of integration across other Microsoft products like Azure, Microsoft 365, and Defender for Endpoint as a big benefit… [and] call out automation as another strength.”

Limit access to your data

Limiting access to your data means upholding the three pillars of Zero Trust security—verify explicitly, apply least privileged access, and assume breach—across all files, wherever they reside. With Microsoft Information Protection, built-in labeling helps you maintain accurate classification, and machine learning-based trainable classifiers help deliver an exact data match. Microsoft Information Governance provides capabilities to govern your data for compliance or regulatory requirements, and Microsoft Data Loss Prevention empowers you to apply a consistent set of policies across the cloud, on-premises environments, and endpoints to monitor, prevent, and remediate risky activity.

In the field of data protection, Microsoft was named a Leader in the 2022 Gartner Magic Quadrant for Information Archiving,[14] as well as a Leader in The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021. Forrester gave Microsoft the highest score in the strategy category, as well as the highest score possible in APIs and integrations, data security execution roadmap, performance, planned enhancements, Zero Trust enabling partner ecosystem, and eight other criteria.

The comprehensive coverage you need with Microsoft Security

Competing in today’s business environment means being able to move forward without constantly looking over your shoulder for the latest cyber threat. An effective Zero Trust architecture helps make that possible through a combination of comprehensive coverage, easy integration, built-in intelligence, and simplified management. Microsoft Security does all four—integrating more than 40 disparate products for security, compliance, identity, and management across clouds, platforms, endpoints, and devices—so you can move forward—fearless.



[1] Why Security Can’t Live In A Silo, Douglas Albert, Forbes Technology Council, Forbes. October 5, 2020.

[2] Microsoft beats on earnings and revenue, delivers upbeat forecast for fiscal third quarter, Jordan Novet, CNBC. January 25, 2022.

[3] Microsoft Security is a Leader in four Gartner® Magic Quadrant™ reports, Microsoft Security.

[4] Microsoft Security is a Leader in eight Forrester Wave™ categories, Microsoft Security.

[5] IDC MarketScape: Worldwide Advanced Authentication for Identity Security 2021 Vendor Assessment, Doc # US46178720. July 2021.
    IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment, Doc # US48306021. November 2021.
    IDC MarketScape: Worldwide Modern Endpoint Security for Small and Midsize Businesses 2021 Vendor Assessment, Doc #48304721. November 2021.
    IDC MarketScape: Worldwide Unified Endpoint Management Software 2021 Vendor Assessment, Doc # US46957820. January 2021.
    IDC MarketScape: Worldwide Unified Endpoint Management Software for Small and Medium-Sized Businesses 2021 Vendor Assessment, Doc # US46965720. January 2021.
    IDC MarketScape: Worldwide Unified Endpoint Management Software for Ruggedized/Internet of Things Deployment 2021 Vendor Assessment, Doc # US46957920. January 2021.

[6] Gartner, Magic Quadrant for Access Management, Henrique Teixeira, Abhyuday Data, Michael Kelley, 1 November 2021.

[7] Gartner, Magic Quadrant for Unified Endpoint Management Tools, Dan Wilson, Chris Silva, Tom Cipolla, 16 August 2021.

[8] IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment, Michael Suby, IDC. November 2021.

[9] Microsoft named a Leader in IDC MarketScape for Modern Endpoint Security for Enterprise and Small and Midsize Businesses, Rob Lefferts, Microsoft Security Blog, Microsoft. November 18, 2021.

[10] IDC MarketScape: Worldwide Unified Endpoint Management Software 2021 Vendor Assessment, Phil Hochmuth, IDC. January 2021.

[11] IDC MarketScape: Worldwide Unified Endpoint Management Software for Ruggedized/Internet of Things Deployment 2021 Vendor Assessment, Phil Hochmuth. January 2021.

[12] IDC MarketScape: Worldwide Unified Endpoint Management Software for Small and Medium-Sized Businesses 2021 Vendor Assessment, Phil Hochmuth. January 2021.

[13] Gartner, Magic Quadrant for Endpoint Protection Platforms, Paul Webber, Peter Firstbrook, Rob Smith, Mark Harris, Prateek Bhajanka, Updated 5 January 2022, Published 5 May 2021.

[14] Gartner, Magic Quadrant for Enterprise Information Archiving, Michael Hoeck, Jeff Vogel, Chandra Mukhyala, 24 January 2022.

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
