To help us better understand the SMB security needs and trends, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, and initial actions that can take to address them, SMBs can also find additional best practices to stay secure in the Be Cybersmart Kit.  

SMB Cybersecurity Research Report

Read the full report to learn more about how security is continuing to play an important role for SMBs.

Discover more

1. One in three SMBs have been victims of a cyberattack 

With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks. 

How can SMBs approach this?

Microsoft, in collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to creates a strong cybersecurity foundation.

• Use strong passwords and consider a password manager.
• Turn on multifactor authentication.
• Learn to recognize and report phishing.
• Make sure to keep your software updated.

2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000 

The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to financially recover from. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It’s difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities 

How can SMBs approach this?

SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimize the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organizations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.

3. 81% of SMBs believe AI increases the need for additional security controls

The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security. 

How can SMBs approach this?

Data security and data governance play a critical role in successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can mitigate the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understanding, and securing data, can help establish a framework to effectively organize data within.

4. 94% consider cybersecurity critical to their business 

Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and increased sophistication of cyberattacks now pose significant risks for SMBs that is largely recognized across the SMB space. Managing work data on personal devices, ransomware, and phishing and more are cited as top challenges that SMBs are facing. 

How can SMBs approach this?

For SMBs that want to get started with available resources to train and educate employees, security topics across Cybersecurity 101, Phishing, and more are provided through Microsoft’s Cybersecurity Awareness site.

5. Less than 30% of SMBs manage their security in-house 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats. 

How can SMBs approach this?

Hiring a Managed Service Provider (MSP) is commonly used to supplement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support can consist of researching and identifying the right security solution for a business based on specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMBs behalf. This model allows more time for SMBs to focus on core business objectives while MSPs keep the business protected.

6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend 

Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.  

How can SMBs approach this?

Prioritizing these investments in the areas above, SMBs can improve security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaving leaking outside of the business, Endpoint Detection and Response (EDR) help protect devices and defend against threats, and Identity and Access Management (IAM) help ensure only the right people get access to the right information.

7. 68% of SMBs consider secure data access a challenge for remote workers 

The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.  

How can SMBs approach this?

Implement measures to protect data and internet-connected devices that include installing software updates immediately, ensuring mobile applications are downloaded from legitimate app stores, and refraining from sharing credentials over email or text, and only doing so over the phone in real-time.

Next steps with Microsoft Security

• Read the full report to learn more about how security is continuing to play an important role for SMBs.

• Get the Be Cybersmart Kit to help educate everyone in your organization with cybersecurity awareness resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post ​​7 cybersecurity trends and tips for small and medium businesses to stay protected appeared first on Microsoft Security Blog.

At the same time, the number and complexity of cyberthreats continues to grow. This makes the challenge of securing human and non-human identities urgent and critical. Phishing, ransomware, and both internal and external threats have increased significantly. And threat actors are quickly exploiting newer technologies like generative AI to create and scale their attacks.

In the face of these challenges and the acceleration of AI opportunities and risks, what we think of as traditional identity and access management is no longer enough. We need to ensure the right people, machines, and software components get access to the right resources at the right time, while keeping out any bad actors or cyberthreats. We need to be able to secure access for any trustworthy identity, anywhere, to any app, resource, or AI tool at any time.

We take these challenges very seriously. Our teams have been hard at work, listening to customers and analyzing data—and utilizing the modern technologies enabled by AI—to stay ahead of threats and step up our defenses. This new era demands a comprehensive, adaptive, real-time approach to securing access.

At Microsoft, we call this approach the trust fabric.  

Think global, act local

In years past, the firewall was the clear perimeter of network protection for customers. Then the buzz was “identity is the new perimeter” as people began to work from home and do their work on personal devices. And recently, the term “identity fabric,” coined by industry analysts in 2023, has been used by many to describe identity and access management (IAM) concepts and capabilities. But the move from a network control plane to an identity-centric control plane is just the beginning. Flexible work models, cloud apps and services, digitized business processes, AI, and more can no longer be managed by a single identity control plane. It would slow down the speed of business and become a choke point.

Instead, to meet the needs of our ever-expanding digital estate, we need a “think global, act local” approach. A combination of centralized decisions and policies would determine what is allowed to happen at the edges—the points of interaction—with multiple, distributed control planes at both the identity and network levels. In addition to identity, the network and endpoints are equally critical signals. The controls and policies should be unified with identity to reduce complexity and gaps. This is the distinction between identity fabric and the next step: trust fabric. In this era of ubiquitous, decentralized computing, data centers can serve as the intelligent cloud, facilitating interaction with smart devices and services on the intelligent edge. This decentralized identity model can also help achieve the speed required to authorize so many devices and services at scale. The vision for how to conceptually architect and move forward with this comprehensive defense-in-depth cybersecurity strategy is the same as a trust fabric. As such, Microsoft’s trust fabric concept expands beyond traditional IAM to weave together comprehensive, unified identity, network access, and endpoint controls.

Figure 1. Identity security has evolved from directory services and firewalls to cloud-centered identity services to today’s decentralized trust fabric approach. 

Zero Trust and a trust fabric

Zero Trust is the term for an evolving set of cybersecurity paradigms that move cybersecurity defenses from static, network-based perimeters to focus on users, assets, and resources. The concept of Zero Trust has been around in cybersecurity for some time and is increasingly important as enterprise infrastructure continues to become decentralized and increases in complexity. In 2020, the National Institute of Standards and Technology (NIST) released a security-wide framework or model of Zero Trust based on three core principles: Verify explicitly, ensure least-privileged access, and assume breach. The Zero Trust principles are foundational to how organizations should architect a trust fabric, and instructional for how to build technology to bring the trust fabric to life.

A Zero Trust strategy is a proactive, integrated approach to security across all layers of the digital estate. A modern comprehensive implementation of Zero Trust protects assets wherever they are. It includes solutions for securing access, securing your data, securing all your clouds, defending against threats, and managing risk and privacy. Zero Trust benefits from AI-enabled solutions and provides the agile security required to protect the use of AI technologies. Developing and managing a trust fabric for your organization addresses the need for secure access. It can integrate with and inform each solution in your framework as needed for end-to-end visibility, defense, and optimization.     

The core threads of a trust fabric

The first key word is trust. Trustworthiness of human and non-human identities will be determined by real-time evaluation and verification of valid decentralized identity credentials. It isn’t an idea of “trust but verify.” It’s “actively verify, then trust.” And the second key word is fabric. According to Gartner^®, “Cybersecurity mesh, or cybersecurity mesh architecture (CSMA), is a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise. It builds on a strategy of integrating composable, distributed security tools by centralizing the data and control plane to achieve more effective collaboration between tools. Outcomes include enhanced capabilities for detection, more efficient responses, consistent policy, posture and playbook management, and more adaptive and granular access control—all of which lead to better security”.¹ With a trust fabric, organizations first evaluate the risk level of any identity or action. Then, they apply a universal Conditional Access engine. It meters secure access with smart policies and decisions informed by governance, compliance, and current global cyberthreats. And it takes into account any important factors or anomalies relevant to the situation at any given moment.  

Figure 2. A trust fabric verifies identities, validates access conditions, checks permissions, encrypts the connection channel, and monitors for compromise.

For a trust fabric, the following capabilities and conditions must be continuously evaluated in real-time:   

• Verify the initiating identity is trustworthy, secure, and verified, as well as the resource, person, or AI they’re connecting with.    
• Protect the communication channel that transports data. 
• Ensure access extends no further than needed. 
• Sever the connection the moment fraud or risk is detected. 

The Microsoft trust fabric

At Microsoft, we continue to design and innovate our identity, endpoint, and network access portfolio to make the trust fabric a reality for our customers, today and tomorrow. Microsoft Entra helps our customers create their trust fabric for the era of AI that securely connects any trustworthy identity with anything, anywhere. 

Figure 3. Microsoft Entra is a comprehensive identity and network access solution for securing access for any trustworthy identity to any resource from anywhere.

It’s likely that your organization is already on the journey to create your own trust fabric. To be sure you’ve got the basics covered, we’ve documented the top “quick security wins” in our Microsoft Entra Fundamentals documentation on Microsoft Learn: 

• Enable multifactor authentication.
• Identity secure score.
• Improve your security posture.
• Integrating all your apps with Microsoft Entra ID.
• Security defaults.
• Block less secure authentications.

As organizations learn more about trust fabric and continue to apply Zero Trust principles, we’ll be sharing more of our perspective. To learn more about the four stages of trust fabric maturity and how to assess and plan for each stage, read our follow up blog, focusing on the four stages of trust fabric maturity and how to assess and plan for each stage.

Microsoft Entra

Protect any identity and secure access to any resource with a family of multicloud identity and network access solutions.

Explore products

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Cybersecurity Mesh, Gartner.

The post How implementing a trust fabric strengthens identity and network appeared first on Microsoft Security Blog.

Two decades of evolution

It’s been 20 years since we introduced the Microsoft Security Development Lifecycle (SDL)—a set of practices and tools that help developers build more secure software, now used industry-wide. Mirroring the culture of Microsoft to uphold security and born out of the Trustworthy Computing initiative, the aim of SDL was—and still is—to embed security and privacy principles into technology from the start and prevent vulnerabilities from reaching customers’ environments.

In 20 years, the goal of SDL hasn’t changed. But the software development and cybersecurity landscape has—a lot.

With cloud computing, Agile methodologies, and continuous integration/continuous delivery (CI/CD) pipeline automation, software is shipped faster and more frequently. The software supply chain has become more complex and vulnerable to cyberattacks. And new technologies like AI and quantum computing pose new challenges and opportunities for security.

SDL is now a critical pillar of the Microsoft Secure Future Initiative, a multi-year commitment that advances the way we design, build, test, and operate our Microsoft Cloud technology to ensure that we deliver solutions meeting the highest possible standard of security.

Next generation of the Microsoft SDL

Learn how we're tackling security challenges.

Read the white paper

Continuous evaluation

Microsoft has been evolving the SDL to what we call “continuous SDL”. In short, Microsoft now measures security state more frequently and throughout the development lifecycle. Why? Because times have changed, products are no longer shipped on an annual or biannual basis. With the cloud and CI/CD practices, services are shipped daily or sometimes multiple times a day.

Data-driven methodology

To achieve scale across Microsoft, we automate measurement with a data-driven methodology when possible. Data is collected from various sources, including code analysis tools like CodeQL. Our compliance engine uses this data to trigger actions when needed.

CodeQL: A static analysis engine used by developers to perform security analysis on code outside of a live environment.

While some SDL controls may never be fully automated, the data-driven methodology helps deliver better security outcomes. In pilot deployments of CodeQL, 92% of action items were addressed and resolved in a timely fashion. We also saw a 77% increase in CodeQL onboarding amongst pilot services.

Transparent, traceable evidence

Software supply chain security has become a top priority due to the rise of high-profile attacks and the increase in dependencies on open-source software. Transparency is particularly important, and Microsoft has pioneered traceability and transparency in the SDL for years. Just as one example, in response to Executive Order 14028, we added a requirement to the SDL to generate software bills of material (SBOMs) for greater transparency.

But we didn’t stop there.

To provide transparency into how fixes happen, we now architect the storage of evidence into our tooling and platforms. Our compliance engine collects and stores data and telemetry as evidence. By doing so, when the engine determines that a compliance requirement has been met, we can point to the data used to make that determination. The output is available through an interconnected “graph”, which links together various signals from developer activity and tooling outputs to create high-fidelity insights. This helps us give customers stronger assurances of our security end-to-end.

Modernized practices

Beyond making the SDL automated, data-driven, and transparent, Microsoft is also focused on modernizing the practices that the SDL is built on to keep up with changing technologies and ensure our products and services are secure by design and by default. In 2023, six new requirements were introduced, six were retired, and 19 received major updates. We’re investing in new threat modeling capabilities, accelerating the adoption of new memory-safe languages, and focusing on securing open-source software and the software supply chain.

We’re committed to providing continued assurance to open-source software security, measuring and monitoring open-source code repositories to ensure vulnerabilities are identified and remediated on a continuous basis. Microsoft is also dedicated to bringing responsible AI into the SDL, incorporating AI into our security tooling to help developers identify and fix vulnerabilities faster. We’ve built new capabilities like the AI Red Team to find and fix vulnerabilities in AI systems.

By introducing modernized practices into the SDL, we can stay ahead of attacker innovation, designing faster defenses that protect against new classes of vulnerabilities.

How can continuous SDL benefit you?

Continuous SDL can help you in several ways:

• Peace of mind: You can continue to trust that Microsoft products and services are secure by design, by default, and in deployment. Microsoft follows the continuous SDL for software development to continuously evaluate and improve its security posture.
• Best practices: You can learn from Microsoft’s best practices and tools to apply them to your own software development. Microsoft shares its SDL guidance and resources with the developer community and contributes to open-source security initiatives.
• Empowerment: You can prepare for the future of security. Microsoft invests in new technologies and capabilities that address emerging threats and opportunities, such as post-quantum cryptography, AI security, and memory-safe languages.

Where can you learn more?

For more details and visual demonstrations on continuous SDL, read the full white paper by SDL pioneers Tony Rice and David Ornstein.

Learn more about the Secure Future Initiative and how Microsoft builds security into everything we design, develop, and deploy.

The post Evolving Microsoft Security Development Lifecycle (SDL): How continuous SDL can help you build more secure software appeared first on Microsoft Security Blog.

From the moment a user clicks on a bad hyperlink in a malicious email, it can take as little as 72 minutes before an attacker begins to exfiltrate data. By contrast, it takes an average of 277 days for organizations to identify and contain a data breach.¹ The advantage gap is widening, as nation-state-actors and cybercriminals are actively employing AI to step up their attacks. To cite just one measure: in 2023, password attacks globally increased from three billion to 30 billion per month.²  

HOW GOVERNMENTS ARE LEVELING THE CYBERSECURITY PLAYING FIELD WITH CLOUD AND AIRead the blog 

The good news is that advances in hyperscale cloud and AI technology promise to help shift the balance of cybersecurity power to the defenders. In my previous blog, I examined the strategies governments can take to minimize cybersecurity risk and advance security effectiveness with Microsoft technology. Now, I’d like to explain how Microsoft Copilot for Security offers one of the most powerful new opportunities for governments to make dramatic improvements in cybersecurity, thanks to the power of generative AI.  

Microsoft Copilot for Security

Powerful new capabilities, new integrations, and industry-leading generative AI

Learn more 

The unique cybersecurity challenges facing governments 

Government agencies and critical infrastructure organizations are prime targets for cybercrime, for obvious reasons: the vast amounts of valuable data they hold, the importance of the assets they oversee, and economics involved. Cybercriminals target the public sector for ransomware attacks more than any other sector, and nation-state actors are ramping up their attacks on critical infrastructure and government.   

Making the challenge even more difficult for governments is the growing demand for skilled cybersecurity staff. Worldwide, there is a shortage of 3.4 million cybersecurity professionals, and the problem is especially problematic for governments, who often struggle to attract and retain top talent.²  

Add to this the liabilities of legacy systems, legacy mindsets, and legacy approaches to technology (any of which can hamper governments, despite their most sincere efforts), and the advantage can easily tilt in the direction of cyber adversaries.  

How Microsoft Copilot for Security advances government cybersecurity

Cybercriminals have been quick to embrace generative AI. In underground, gated internet forums—the so-called dark web—attackers share the latest innovations built on ChatGPT, effectively accelerating the ability of bad people and organizations to do bad things. A recent report attributed 85% of the rise in cyberattacks over the past 12 months to bad actors using generative AI.³ The good news is that Microsoft and other technology providers are responding with AI-powered innovations to counter the threat.  

Microsoft Copilot for Security is the first generative AI security product that will help defend organizations at machine speed and scale. It combines the most advanced GPT4 model from OpenAI with a Microsoft-developed security model, powered by Microsoft Security’s unique expertise, global threat intelligence, and comprehensive security products.  

Microsoft Copilot for Security is designed to work seamlessly with the systems and tools used by modern governments, specifically the security operations center (SOC) for managing security on an organizational and technical level, and the security information and event management (SIEM) solution for detecting, analyzing, and responding to threats. 

Imagine an analyst investigating a potential breach in the network. Today, this person would use scripts and manual queries to correlate information from across multiple screens and disparate systems with terabytes and petabytes of data, in an attempt to evaluate security signals and draw valuable conclusions—a “needle-in-the-haystack” exercise that is both slow and unreliable. 

MICROSOFT COPILOT FOR SECURITY PROVIDES IMMEDIATE IMPACT FOR THE MICROSOFT DEFENDER EXPERTS TEAMRead the blog 

By contrast, Copilot for Security enables analysts to use natural language to ask questions, such as, “Can you identify indicators of compromise?” “Where are we seeing suspicious logon attempts?” and so on, to rapidly assess an organization’s security posture. By analyzing and interpreting massive amounts of security data from across heterogenous environments and platforms in real-time, copilot assists the cybersecurity analyst to find detailed, actionable insights and solutions at a speed and reliability that are simply unachievable today using legacy technology. Moreover, Copilot for Security can then easily translate hunting insights or incident responses into PowerPoint slides or emails to quickly inform colleagues or leadership. 

Notably, Copilot for Security empowers analysts to become more effective hunters and responders without specialized technical training. Our early private preview customer research data shows that it saves analysts up to 40 percent of their time on foundational tasks like threat intelligence assessments, and up to 63 percent of their time preparing reports. These efficiency gains free up analysts to focus more on high value tasks to secure the organization, with Tier 1 and Tier 2 analysts potentially performing tasks that would otherwise be reserved for more experienced Tier 3 or Tier 4 professionals. 

Preparing your environment for Microsoft Copilot for Security

Microsoft Copilot for Security is currently available through our Early Access Program and is expected to be released broadly later this year.  

However, now is the time to prepare so that your environment is optimized to take full advantage of Copilot for Security when it becomes available.  

The most impactful move you can make in the near term is to adopt Microsoft Defender XDR (for extended XDR, or extended detection and response), Microsoft Sentinel (a cloud-native SIEM solution), and Microsoft Intune (for endpoint management) as soon as possible. These tools deliver a unified security operations platform that complements most existing environments and investments, and they provide a strong security foundation that leverages Microsoft’s vast security data and expertise.  

Beyond this, it’s important to build a strong partnership between your public sector organization and trusted companies in the private sector. At Microsoft for Government, we are committed to partnering with government customers and our global partner ecosystem to ensure long-term success. With our leading cloud and AI capabilities, our battle-tested understanding of the digital threat landscape, and the wisdom of our more than 10,000 security professionals globally, we are excited to help shift the balance of cybersecurity power from the side of the criminal over to the side of governments.  

Improve cybersecurity with Microsoft technologies

To learn more and get ready for Microsoft Copilot for Security in your organization, work with your Microsoft representative or solutions provider partner to explore an envisioning workshop or plan a national cybersecurity modernization journey roadmap.

Visit the Microsoft for Government page to learn more about how we’re helping governments secure critical environments, protect data, and achieve compliance. For United States customers, see Preparing for Security Copilot in US Government Clouds.  

¹Cost of Data Breach Report 2023, IBM.

²Microsoft issued annual Digital Defense Report: Espionage fuels global cyberattacks, Microsoft.

³Study finds increase in cybersecurity attacks fueled by generative AI, Security Magazine.

The post Microsoft Copilot for Security: The great equalizer for government security appeared first on Microsoft Security Blog.

NIS2 key features 

As we take a closer look at the key features of NIS2, we see the new directive includes risk assessments, multifactor authentication, security procedures for employees with access to sensitive data, and more. NIS2 also includes requirements around supply chain security, incident management, and business recovery plans. In total, the comprehensive framework ups the bar from previous requirements to bring: 

• Stronger requirements and more affected sectors.
• A focus on securing business continuity—including supply chain security.
• Improved and streamlined reporting obligations.
• More serious repercussions—including fines and legal liability for management.
• Localized enforcement in all EU Member States. 

Preparing for NIS2 may take considerable effort for organizations still working through digital transformation. But it doesn’t have to be overwhelming. 

NIS2 guiding principles guide

Get started on your transformation with three guiding principles for preparing for NIS2.

Download the guide today

Proactive defense: The future of cloud security

At Microsoft, our approach to NIS2 readiness is a blend of technical insight, innovative strategies, and deep legal understanding. We’re dedicated to nurturing a security-first mindset—one that’s ingrained in every aspect of our operations and resonates with the tech community’s ethos. Our strategy for NIS2 compliance addresses the full range of risks associated with cloud technology. And we’re committed to ensuring that Microsoft’s cloud services set the benchmark for regulatory compliance and cybersecurity excellence in the tech world. Now more than ever, cloud technology is integral to business operations. With NIS2, organizations are facing a fresh set of security protocols, risk management strategies, and incident response tactics. Microsoft cloud security management tools are designed to tackle these challenges head-on, helping to ensure a secure digital environment for our community.  

NIS2 compliance aligns to the same Zero Trust principles addressed by Microsoft Security solutions, which can help provide a solid wall of protection against cyberthreats across any organization’s entire attack surface. If your security posture is aligned with Zero Trust, you’re well positioned to assess and help assure your organization’s compliance with NIS2. 

For effective cybersecurity, it takes a fully integrated approach to protection and streamlined threat investigation and response. Microsoft Security solutions provide just that, with: 

• Microsoft Sentinel – Gain visibility and manage threats across your entire digital estate with a modern security information and event management (SIEM). 
• Microsoft XDR – Stop attacks and coordinate response across assets with extended detection and response (XDR) built into Microsoft 365 and Azure. 
• Microsoft Defender Threat Intelligence – Expose and eliminate modern threats using dynamic cyberthreat intelligence. 

Next steps for navigating new regulatory terrain 

The introduction of NIS2 is reshaping the cybersecurity landscape. We’re at the forefront of this transformation, equipping tech professionals—especially Chief Information Security Officers and their teams—with the knowledge and tools to excel in this new regulatory environment. To take the next step for NIS2 in your organization, download our NIS2 guiding principles guide or reach out to your Microsoft account team to learn more. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Explore data security resources and trends

Gain insights into the latest data security advancements, including expert guidance, best practices, trends, and solutions.

Get started

The post Navigating NIS2 requirements with Microsoft Security solutions appeared first on Microsoft Security Blog.

In this blog, I will focus on how you can accelerate your transition to cloud native endpoint management. Many of my customer conversations are centered on how best to transition, with the value of a cloud first approach already understood. In many cases, there is a strong desire to move to the cloud, but lack of a step-by-step plan to make the move a reality. I detail below a three-phase approach that simplifies the process of getting to fully cloud-based management. First, modernize all management workloads by moving them from on premises to Intune. Second, hybrid Entra join and enroll your existing PCs in Intune. Third, for new Windows devices, go straight to cloud native. 

Microsoft Intune

Protect and manage endpoints in one place.

Discover more 

This three-phase approach enables you to achieve faster time to value, lessen the experience impact to your users, and finally, simplify your architecture and reduce your total cost of ownership. 

Enabling workloads in Intune

Enabling all management workloads from the cloud is the fastest way to reduce the complexity and cost of current technology and get closer to a single pane of glass. When making the transition from Microsoft Configuration Manager (ConfigMgr) to Intune, there are two types of cloud workloads you will enable. The first are management functions that you move from ConfigMgr to the cloud, such as updates, app deployment, and policy configuration. The second functions are net new capabilities only made possible by the cloud—such as automation, analytics, and generative AI related workloads.

Customers often ask me whether there is a logical order for moving workloads. Given the benefits, all workloads should be moved as soon as you are able, but moving them step-by-step can make sense to align with business goals. In general, you should start by enabling the net new cloud workloads discussed above, then move the existing workloads from ConfigMgr.  

For those existing workloads, a common approach is to start with compliance and security workloads, followed by policy. This helps with Zero Trust initiatives, and ensures you have strong security policies in place during the transition.

For example, Petrobras, the Brazilian energy company that moved to a cloud-native strategy with Intune, saw better policy enforcement for remote devices.

“Despite the increased access by our remote workforce, our recent audits have quite surprisingly revealed that we haven’t had any security incidents or data leakage.” —Alexandre Ribeiro Dantas, Information Security Manager at Petrobras

With security policies in place, we often see customers next move updates (patch) workloads to the cloud to take advantage of the Microsoft modern approach to updating devices on any network, anywhere in the world. National Australia Bank (NAB) is a great example of this. Their goal was to adopt a modern approach to patching.

“Windows 10 was the catalyst for retooling our environment and getting to where we are today, moving patch compliance from 60% to 97% across 45,000 endpoints.”—Andrew Zahradka, Head of Workplace Compute Technology at National Australia Bank

Apps are often the last workload migrated, as there is frequently an advantage to rationalizing application estates before migrating them. When migrating apps, we don’t recommend migrating all apps like-for-like from on-premises to the cloud. Instead, we recommend reviewing the apps and removing unused applications prior to migration. We have seen this result in organizations dropping from thousands of applications to hundreds that need to be migrated.   

Of course, in some instances, there may be one or two workloads that can’t immediately be moved to the cloud. Our recommendation here is not to let one or two laggard workloads stop you from gaining the rest of the benefits from moving to the cloud. Instead, try to manage all workloads natively in the cloud everywhere possible, and use ConfigMgr as a side car helper until you can modernize the laggard workloads.  

Enroll existing Windows devices in Intune 

The next step is to begin to enroll devices—enroll your clients managed by ConfigMgr into Intune and hybrid join them to Microsoft Entra ID (previously Azure Active Directory). 

This is a transitory step, not the end game. It takes time to transition to the cloud and modernize your directory and management solutions. By taking this first step of enrollment and hybrid Entra join, you receive the benefits of the cloud workloads and can transition away from dual management—such as existing devices receiving workloads from on-premise ConfigMgr, and new devices from the cloud.  For identity management, we recommend you hybrid join your existing devices with Entra ID while new devices are joined directly or natively with Entra ID. Hybrid join is the interim step, specifically for your existing Active Directory joined devices. It brings you the benefits of cloud without resetting and reprovisioning the device and disrupting the user. Hybrid devices will then age out of your environment as they are replaced with cloud-native, Entra join new devices through the natural lifecycle at refresh, or opportunistically if there’s an event, such as break-fix, that requires a device be reimaged. 

Microsoft has many partners with deep expertise in migrating Windows to the cloud who have seen success using this approach. They recently held a discussion on some of the lessons they’ve learned in cloud migrations, which I would encourage you to view. Peter Klapwijk, an Infrastructure Engineer, best sums up this stage.

“If a company has the Intune licenses, they should definitely start switching on co-management, to make use of the benefits [of which a single portal, remote actions, and endpoint analytics were mentioned]“—Peter Klapwijk, Infrastructure Engineer at NN Group

With new Windows deployments, go direct to cloud native

As you refresh or reset Windows devices, our recommendation is to manage them as fully cloud native. This represents an opportunity to reimagine what Windows management should look like in your organization. This greenfield approach sets a North Star for your organization’s transition and reduces the risk of recreating outdated legacy approaches in the cloud. 

This is especially true for Windows 11 devices. As the best version of Windows, it makes sense to use Windows 11 for any new devices, regardless of the provisioning method.

“Windows 11 Enterprise with Microsoft Intune has streamlined device provisioning, updates, security configurations, and troubleshooting processes. By centralizing these tasks, we’ve been able to achieve operational efficiencies, optimize resource allocation, and effectively manage our technology environment with a lean IT team.“—Blake T. Lunsford, Director of IT, Alabama Appellate Court System

Many customers opt to skip the co-management phase of migration completely, bringing new devices on as cloud native. These customers use their hardware refresh cycle as the catalyst to move to cloud native. Existing devices remain with on-premises management while new devices are deployed as fully cloud native. After a full hardware refresh cycle over 2-3 years, all Windows devices will eventually be managed exclusively in the cloud. For example, Cognizant empowers all its employees to implement new device setup remotely without any intervention from IT.

“Day one productivity was never the plan. This was a big project that was supposed to be completed over a two-year period. Yet, within a week, we started delivering a successful Autopilot Intune migration. From then on, we delivered laptops from our suppliers directly to employees at home.“—Ramesh Gopalakrishnan, Cognizant’s Director for Digital Workplace Services

Lastly, customers have asked whether they should delay their Windows 11 upgrades if they are not ready to move ahead with management modernization. The guidance here is clear: prioritize rolling out Windows 11 with the management tools and processes you already have in place today, such as ConfigMgr. Or if you have non-Windows 11 capable devices but would like to leverage Windows 11 features and capabilities, you can do so with Windows 365 Cloud PC, until new capable devices have been acquired.  

Next steps

We are excited to be seeing more and more companies move to a fully cloud native approach for endpoint management, so I hope if you’re not there already, this blog helps you identify the proper steps to get there. No matter where you are on the journey, we encourage you to learn more and get your plans set in 2024! Keep a look out for our third and final blog in this series, where I will focus on the process of implementation and communication with stakeholders.  

In the meantime, learn more about Microsoft Intune. 

To continue reading, see the final blog in this series:

• How to achieve cloud-native endpoint management with Microsoft Intune

The post Best practices in moving to cloud native endpoint management appeared first on Microsoft Security Blog.

With that goal in mind, Microsoft has launched a new kind of security webinar “for experts, by experts.” The new Security Experts Roundtable series will serve as an accessible video platform for cyber defenders to learn about some of the latest threats while gaining a big-picture view of the cybersecurity landscape. Our inaugural episode aired on January 25, 2023, with an expert panel consisting of:

• Ping Look, Director, Training and Communications, Microsoft Detection and Response Team (DART)
• Ryan Kivett, Partner Director, Microsoft Defender Experts
• Jeremy Dallman, Principal Research Director, Customer Ready Intelligence
• Rani Lofstrom, Director, Security Incubations

This episode also features a special appearance by Rachel Chernaskey, Director of the Microsoft Digital Threat Analysis Center, who discusses cyber-enabled influence operations. I host a special remote interview with Mark Simos, Lead Cybersecurity Architect at Microsoft, on how to effectively communicate with your board of directors about cybersecurity. We also talk to Peter Anaman, Director and Principal Investigator at the Microsoft Digital Crimes Unit about tracking global cybercrime, and we have a special guest interview with Myrna Soto, Chief Executive Officer (CEO) and Founder of Apogee Executive Advisors, on the state of cybersecurity in the manufacturing sector.

Evolving threats—Expert insights

Back in December 2020, Microsoft investigated a new nation-state attacker now known as Nobelium that became a global cybersecurity threat.³ The following year, the hacker gang Lapsus moved into the spotlight with large-scale social engineering and extortion campaigns directed against multiple organizations.⁴ Those threat groups are still active, but 2022 saw a slowing in their attacks. “We didn’t have too many high-profile mass-casualty events,” Ping points out. “But we did see a continuation of ransomware, identity compromises, and attacks centered on endpoints.”

The ransomware as a service (RaaS) ecosystem has continued to grow.⁵ Jeremy singles out DEV-0401, also known as Bronze Starlight or Emperor Dragon, as a China-based threat actor that’s “shifted their payloads to LockBit 2.0, developing their technology and emerging some of their tradecraft in order to evade detection and target our customers more prolifically.”⁶ Jeremy also calls out DEV-0846 as a provider of custom ransomware,⁷ as well as Russia’s Iridium as a source of ongoing attacks against transportation and logistics industries in Ukraine and Poland.⁸ He also cites Russia-based actor DEV-0586 as using ransomware as a ruse to target customers, then following up with destructive data “wiper” attacks.⁹

In his position as Director of Microsoft Defender Experts, Ryan brings a unique perspective on the changing threat landscape.¹⁰ “It’s been a proliferation of credential theft activity, largely stemming from adversary-in-the-middle attacks.” He points out that this kind of attack “underscores the importance of having a strategy for detection and hunting that’s beyond the endpoint; for example, in the email and identity space.”

“Identity compromises have been on the rise,” Ping concurs. “Attackers are just taking advantage of any vectors of entry that any customer has in their environment. So, it’s really important customers exercise good basic security hygiene.” She stresses that defenders should think of their environment as one organic whole, instead of separate parts. “If you have anything that touches the external world—domain controllers, email—those are all potential vectors of entry by attackers.” In short, protecting against the constantly evolving threats of today (and tomorrow) requires embracing a Zero Trust comprehensive approach to security.¹¹

Understanding cyber-influence operations

Cyber-enabled influence operations don’t grab headlines the way ransomware attacks do, but their effects are more pernicious. In this kind of cybercrime, a nation-state or non-state actor seeks to shift public opinion or change behavior through subversive means online. In Jeremy’s talk with Rachel, she breaks down how these types of attacks unfold in three phases:

1. Pre-positioning: Reconnaissance on a target audience, registering web domains to spread propaganda, or setting up inauthentic social media accounts.
2. Launch: Laundering propaganda narratives through fake organizations or media outlets, coordinated overt media coverage, stoking real-world provocations, or the publishing of leaked or sensitive material.
3. Amplification: Messengers unaffiliated with the actor repeat or repost the content.

The most prolific influence actors are labeled advanced persistent manipulators (APMs). Rachel uses the analogy that “APMs are to the information space what APTs (advanced persistent threats) are to cyberspace.” APMs are usually nation-state actors, though not always. Increasingly, the Microsoft Digital Threat Analysis Center (DTAC) sees non-state or private-sector actors employing the same influence techniques. In this way, a threat actor that wages a successful cyberattack might repurpose that capability for subsequent influence operations.

Rachel explains how DTAC uses the “four M model:” message, messenger, medium, and method. The message is just the rhetoric or the content that an actor seeks to spread, which typically aligns with the nation-state’s geopolitical goals. The messengers include the influencers, correspondence, and propaganda outlets that amplify the message in the digital environment. The mediums are the platforms and technologies used to spread the message, with video typically being the most effective. And finally, the methods consist of anything from a hack-and-leak operation to using bots or computational propaganda, or real-world elements like party-to-party political engagement.

So why should private organizations be concerned with cyber-influence operations? “Influence operations inherently seek to sow distrust, and that creates challenges between businesses and users,” Rachel explains. “Increasingly, our team is looking at the nexus between cyberattacks and subsequent influence operations to understand the full picture and better combat these digital threats.”

Microsoft DCU—Tracking cybercrime across the globe

The Microsoft Digital Crimes Unit (DCU) consists of a global cross-disciplinarian team of lawyers, investigators, data scientists, engineers, analysts, and business professionals.¹² The DCU is committed to fighting cybercrime globally through the application of technology, forensics, civil actions, criminal referrals, public and private partnerships, and the determined assistance of 8,500 Microsoft security researchers and security engineers. The DCU focuses on five key areas: Business Email Compromise (BEC), Ransomware, Malware, Tech Support Fraud, and Malicious Use of Microsoft Azure. According to Peter Anaman, Director and Principal Investigator at DCU, their investigations reveal that cybercriminals are moving away from a “spray-and-pray” approach toward the as a service model. Along with ransomware, cybercriminals are extending their retail services into new areas such as phishing as a service (PhaaS) and distributed denial of service (DDoS).

Threat actors have even created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting specific roles, such as C-suite leaders or accounts-payable employees. As part of the service, the seller will design the email template and even scrub the responses to make sure they’re valid. “All for a subscription model of, like, USD200 dollars a month,” Peter explains. DCU investigative evidence has observed a more than 70 percent increase in these services.¹ “We’re finding that there’s a higher number of people who are committing these crimes. They have greater know-how on different technologies and online platforms that could be used as part of the [attack] vector.”

Regardless of the type of cybercrime, DCU goes after threat actors by executing on three main strategies:

• Investigate: Track online criminal networks and make criminal referrals to law enforcement, along with civil actions to disrupt key aspects of technical infrastructure used by cybercriminals.
• Share evidence: Assist with victim remediation and allow for the development of technical countermeasures that strengthen the security of Microsoft products and services.
• Use our voice and expertise: Build on our partnerships to inform education campaigns and influence legislation and global cooperation to advance the fight against cybercrime.

In addition to arrest and prosecution, DCU deters cybercrime by disrupting the technical infrastructure used by criminals, causing them to lose their investments. In 2022, DCU helped to take down more than 500,000 unique phishing URLs hosted outside Microsoft while disrupting cybercriminals’ technical infrastructure, such as virtual machines, email, homoglyph domain names, and public blockchain websites.

DCU also works with Microsoft DART to gather intelligence and share it with other security professionals. Some of those indicators—a URL, domain name, or phishing email—may help with future investigations. “That intelligence [we gather] feeds back into our machine learning models,” Peter explains. “If that phishing page or kit is used again there will be better measures to block it at the gate, so our monitoring systems become stronger over time.”

When asked what an organization can do to protect itself, Peter suggests sticking to three cybersecurity basics. First: “Use multifactor authentication,” he stresses. “Ninety percent of [attacks] could have been stopped just by having multifactor authentication.” Second: “Practice [cyber] hygiene. Don’t just click links because you think it comes from a friend.” Cyber hygiene includes installing all software patches and system upgrades as soon as they become available. And third: “You’re really looking at the Zero Trust model,” Peter says. “Enforce least privilege [access]” so people only have access to the information they need. Bonus tip: “Make sure you have the same level of security on your personal email as you do on your work [email].”

Winning in the room—Communicating to the board

In this segment, I have a chance to speak with one of my favorite folks at Microsoft. Mark Simos is Lead Cybersecurity Architect, Microsoft, (and PowerPoint super genius) with more than two decades of experience, so he knows something about dealing with a board of directors. Whether you work for a public or private company, the board is responsible for oversight. That means making sure that the leadership team is not only managing the business but also managing risks. And cybercrime is one of the biggest risks today’s organization contends with.

But for the board to understand the organization’s security positioning, they need to grasp how it relates to the business. Unlike dealing with finances, legal issues, or people management, cybersecurity is a new area for a lot of board members. According to Mark, a big part of winning them over is “making sure that the board members understand that cybersecurity is not just a technical problem to be solved, check, and move on. It’s an ongoing risk.”

In our talk, Mark lays out three basic things the board needs to know:

• Problem or requirement: Frame this in terminology relating to the business.
• Status: How well are you managing risk to your targeted tolerances?
• Solution: What is your plan to get there, and how is it progressing?

Bonus tips:

• Learn about your board. Read their bios and study their backgrounds and professions. These are highly capable and intelligent humans who have mastered demanding disciplines like finance, supply chain management, manufacturing, and more. They are capable of understanding cybersecurity when it’s presented clearly.
• Learn their language. This goes back to framing the cybersecurity problem in concepts they’ll understand, helping you land your points accurately.
• Find a board buddy. Establish a relationship with someone on the board who has an interest in learning cybersecurity. A mutual mentorship can help you learn about the other person’s area of expertise, which can help you make your case in clear terms.

Mark provides a wealth of free resources you can access anytime on Mark’s List.¹³ Also, there’s a chief information security officer (CISO) workshop available as public videos and as a live workshop from Microsoft Unified (formerly Premier Support). The workshop provides plenty of material to help accelerate a productive relationship with your board, including:

• Sample questions the board should be asking of the security team (and you should be proactively answering).
• Roleplay video on how CISOs can engage with hostile business leaders.
• Kaplan-style scorecards based on the familiar approach used in many organizations.

Often board members don’t consider that security decisions can be made by asset owners, not just security teams. Mark suggests stressing the holistic aspect of cybersecurity as a differentiator from typical business unit concerns. “With security, it doesn’t matter where the leak is on the boat; it’s still going to sink,” he says. “So, it’s really important for folks to work together as a team and recognize that ‘I’m not just accepting the risk for me; I’m accepting it for everyone.’”

Security on the edge—Manufacturing and IoT

For the last segment of the webinar, we invited an expert to weigh in on one of the most-attacked industry segments across the globe—manufacturing. Myrna Soto is the CEO and founder of Apogee Executive Advisors, and a board member of prominent companies such as Headspace Health, CMS Energy, Banco Popular, Spirit Airlines, and many more. Cybersecurity in the manufacturing sector carries added urgency because many of these entities are part of the nation’s critical infrastructure—whether it’s manufacturing pharmaceuticals, supporting transportation, or feeding the power grid.

The smart factory has introduced more automation into the manufacturing ecosystem, creating new vulnerabilities. “One of the biggest challenges is the number of third-party connections,” Myrna explains. “It relates to how entities are interacting with one another; how certain companies have either air-gapped their Internet of Things (IoT) networks or not.” Myrna points out that the supply chain is never holistically managed by one entity, which means those third-party interactions are critical. She mentions the ability to encrypt certain data in machine-to-machine communications as a crucial part of securing an interconnected manufacturing ecosystem. “The ability to understand where assets are across the ecosystem is one of the key components that need attention,” she points out.

With the prospect of intellectual property loss, disruption to critical infrastructure, along with health and safety risks, Myra sees manufacturing as one area where security teams and board members need to work together with urgency. I asked her to offer some insights gleaned from time spent on the other side of the table—particularly what not to do. “Probably the most annoying thing is the tendency to provide us a deluge of data without the appropriate business context,” she relates. “I’ve seen my share of charts around malware detections, charts on network penetrations. That is difficult for most non-technical board members to understand.”

Security is a team sport—Join us

Be sure to watch the full Security Experts Roundtable episode. We’ll be doing one of these every other month until they kick us off the stage, so remember to sign up for our May episode. Before we wrap up for today, I’d like to invite you to join us on March 28, 2023, for a brand-new event: Microsoft Secure. This event will bring together a community of defenders, innovators, and security experts in a setting where we can share insights, ideas, and real-world skills to help create a safer world for all. Register today, and I’ll see you there!

For more cybersecurity insights and the latest on threat intelligence, visit Microsoft Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2022, Microsoft. 2022.

²Based on internal research conducted by Microsoft Digital Crimes Unit, January 2023.

³The hunt for NOBELIUM, the most sophisticated nation-state attack in history, John Lambert. November 10, 2021.

⁴DEV-0537 criminal actor targeting organizations for data exfiltration and destruction, Microsoft Threat Intelligence Center. March 22, 2022.

⁵Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself, Microsoft Defender Threat Intelligence. May 9, 2022.

⁶Part 1: LockBit 2.0 ransomware bugs and database recovery attempts, Danielle Veluz. March 11, 2022.

⁷Monthly news—January 2023, Heike Ritter. January 11, 2023.

⁸New “Prestige” ransomware impacts organizations in Ukraine and Poland, Microsoft Security Threat Intelligence. October 14, 2022.

⁹Destructive malware targeting Ukrainian organizations, Microsoft Threat Intelligence Center. January 15, 2022.

¹⁰Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

¹¹Implementing a Zero Trust security model at Microsoft, Inside Track staff. January 10, 2023.

¹²Digital Crimes Unit: Leading the fight against cybercrime, Microsoft. May 3, 2022.

¹³Mark’s List, Mark Simos.

The post Microsoft Security Experts discuss evolving threats in roundtable chat appeared first on Microsoft Security Blog.

Attackers will innovate—our response in the defender community needs to be thoughtful and strategic. But we don’t need to panic. We can take as an example ransomware attacks. These are scary and grab headlines because of crippling work stoppages or huge ransoms. But recent studies by Expert Insights confirm what we’ve known for ages—more often than not, attacks like ransomware are the second stage, predicated by an identity compromise. In fact, if you read all the attention-grabbing headlines, you’ll find that most novel techniques rely on compromising identity first. This shows the importance of getting our identity basics right and keeping our eyes on the ball.

Pamela Dingle gave a keynote at Authenticate 2022 in which she discussed identity attacks in terms of waves (and has recapped on LinkedIn—if you haven’t read it, you should). She was kind enough to let me weigh in, and I’m going to borrow the paradigm to frame our guidance. Pam likened escalating identity attacks to threats in a voyage in her talk. These threats decrease in volume as they increase in sophistication and novelty: 

This is an awesome frame for thinking through the attacks, so we’ll use it here to complement her blog with concrete features and guidance. I am adding one more threat to her framework—the critical importance of posture agility that helps us deal with the next “rogue wave.” Hopefully, this framing will help you build out a strategic approach that addresses the critical issues you are facing now, help you invest thoughtfully for emerging threats, and set you up for defensive agility in the year ahead. Let’s dive in.

Password attacks

Simple password attacks are pervasive. They are the water we swim in. I detail these extensively in “Your Password Doesn’t Matter.” The dominant three attacks are:

• Password spray: Guessing common passwords against many accounts.
• Phishing: Convincing someone to type in their credentials at a fake website or in response to a text or email.
• Breach replay: Relying on pervasive password reuse to take passwords compromised on one site and try them against others.

These attacks are effectively free to execute on a massive scale. As a result, Microsoft deflects more than 1,000 password attacks per second in our systems, and more than 99.9 percent of accounts that are compromised don’t have multifactor authentication enabled. Multifactor authentication is one of the most basic defenses against identity attacks today, and despite relentlessly advocating multifactor authentication usage for the past six years, including it in every flavor of Microsoft Azure Active Directory (Azure AD), and innovating in mechanisms from Microsoft Authenticator to FIDO, only 28 percent of users last month had any multifactor authentication session. With such low coverage, attackers increase their attack rate to get what they want. The adoption rate is a demonstration of a critical issue I will return to in this blog—in most organizations, budgets and resources are tight, security staff is overwhelmed, and shiny object syndrome pulls us in many directions, preventing the closure of issues.

Driving more multifactor authentication usage is the most important thing we can do for the ecosystem, and if you aren’t yet requiring multifactor authentication for all users, enable it. Old-fashioned, bolt-on multifactor authentication was clunky, requiring copying codes from phone to computer and getting multiple prompts. Modern multifactor authentication using apps, tokens, or the device itself is very low friction or even invisible to the users. Old-fashioned multifactor authentication had to be bought and deployed separately and at additional cost. Modern multifactor authentication is included in all SKUs, deeply integrated into Azure AD, and requires no additional management.

Our strong position is that all user sessions should be multifactor authentication protected, and we are doing all we can to get there. This is why all new tenants created since 2019 have multifactor authentication enabled by default, and why we are now turning on multifactor authentication on behalf of tenants who have not demonstrated interest in their security settings.

Multifactor authentication attacks

If you have enabled multifactor authentication, you can pat yourself on the back and be happy that you’ve effectively deflected the dominant identity attacks. While still far less than the 100 percent we are striving for, the 28 percent of users who are now protected with multifactor authentication include some who are targets for attackers. To get to these targets, attackers have to attack multifactor authentication itself.

Examples here include:

• SIM-jacking and other telephony vulnerability attacks (why we’re asking you to hang up on telephony multifactor authentication).
• Multifactor authentication hammering or griefing attacks, which is why we’re asking you to move away from simple approvals.
• Adversary-in-the-middle attacks, which trick users into doing the multifactor authentication interaction. This is why phishing-resistant authentication is critical, especially for key assets.

Note these attacks require more effort and attacker investment, and as a result are detected in the tens of thousands per month—not thousands per second. But all the attacks mentioned are on the rise, and we expect to see that continue as basic multifactor authentication coverage increases.

To defeat these attacks, it is critical not just to use multifactor authentication, but to use the right multifactor authentication. We recommend Authenticator, Windows Hello, and FIDO. For organizations with existing personal identity verification card and common access card (PIV and CAC) infrastructure, certificate-based authentication (CBA) is a good phishing-resistant (and executive order-compliant) solution. Bonus: All of these methods are considerably easier to use than passwords or telephony-based multifactor authentication.

Post-authentication attacks

Determined attackers are using malware to steal tokens from devices—allowing a valid user to perform valid multifactor authentication on a valid machine, but then using credential stealers to take the cookies and tokens and use them elsewhere. This method is on the rise and has been used in recent high-profile attacks. Tokens can also be stolen if incorrectly logged or if intercepted by compromised routing infrastructure, but the most common mechanism by far is malware on a machine. If a user is running as admin on a machine, then they are just one click away from token theft. Core Zero Trust principles like running effective endpoint protection, managing devices, and, critically, using least privileged access (meaning, run as a user, not an admin, on your machines) are great defenses. Pay attention to signals that indicate that token theft is occurring, and require re-authentication for critical scenarios like machine enrollment.

Another bypass attack is OAuth consent phishing. This is where someone tricks an existing user into giving an application permission to access on their behalf. Attackers send a link asking for consent (“consent phishing”) and if the user falls for the attack, then the app can access the user’s data even when the user is not present. Like other attacks in this category, they are rare but increasing. We strongly recommend inspecting what apps your users are consenting to and limiting consent to applications from verified publishers.

Infrastructure compromise

As you get more effective at using identity to secure your organizations and build your Zero Trust policies, advanced attackers are attacking identity infrastructure itself—predominantly taking advantage of outdated, unpatched, or otherwise insecure on-premises network vulnerabilities to steal secrets, compromise federation servers, or otherwise subvert the infrastructure we rely on. This mechanism is insidious, because the attackers often take advantage of access to hide their tracks, and once the access control plane is lost, it can be incredibly difficult to effectively evict an actor.

We are working hard to strengthen hybrid and multicloud detections and build automated protection for specific indicators that attackers are moving against identity infrastructure. Critically, because of the incredible difficulty of protecting on-premises deployments from malware, lateral movement, and emerging threats, you should reduce your dependencies on on-premises infrastructure, shifting authority to the cloud where possible. You should specifically isolate your cloud infrastructure from your on-premises environment. Finally, it is critical to partner closely with your security operations center (SOC) to make sure that privileged identity administrators and on-premises servers win special scrutiny. And because today’s sophisticated adversaries will look for any gap in your security, securing user identities also means protecting non-human identities and the infrastructure that stores and manages identities as well.

The rogue wave: Attack velocity and intensity

Our team assists with hundreds of significant cases every year, and one of the most critical issues we see is the difficulty of keeping up with increasing volumes and intensity of attacks. Whether it is assisting customers who are running Windows Server 2008 Domain Controllers or the customers still struggling with multifactor authentication rollout, the rapid pace of attacker innovation is hard to meet for organizations with the tremendous budget, resources, hiring, and political pressure facing them—and that only addresses those organizations that think about security. Our consumer accounts (like those used to access Outlook.com or Xbox) are 50 times less likely to be hacked than enterprise accounts—because, for these consumer accounts, we can manage the multifactor authentication policy, risk mitigations, and other key security aspects. All these capabilities (and more) are available to organizations—but the cost of posture management proves too much for many customers.

Our team is committed not just to reducing costs associated with identity attacks, but to massively reducing the investments required to get and stay secure. This is the common thread that runs through our many investments—whether it is Conditional Access gap analysis, adapting Authenticator to address evolving multifactor authentication fatigue attacks, continuously evolving and expanding our threat detections, or our security defaults program, we are committed to protecting the users, organizations, and systems that depend on identity from unauthorized access and fraud—it is very clear that this must include helping organizations start secure (or get secure) and stay secure, to do more with less.

As you invest in identity security, we encourage you to invest in mechanisms that allow your organization to be agile—automating responses to common threats (for example, auto-blocking or requiring password change), using mechanisms like Authenticator that can evolve and adapt to new threats, shifting authority to the cloud (where detections and mitigations are agile), and being attentive to indications of risk derived from our machine learning systems.  

Fair winds and following seas in 2023

Whether you’re an admin at a major company or launching a startup from your garage, protecting user identities is crucial. Knowing who is accessing your resources and for what purpose provides a foundation of security upon which all else rests. For that reason, it’s imperative to do everything possible to strengthen your identity posture today. The challenges are significant, but defensive strategies and technology are there to help.

If I may be so bold as to propose some New Year’s resolutions for your identity security efforts:

1. Protect all your users with multifactor authentication, always, using Authenticator, Fast Identity Online (FIDO), Windows Hello, or CBA.
2. Apply Conditional Access rules to your applications to defend against application attacks.
3. Use mobile device management and endpoint protection policies—especially prohibiting running as admin on devices—to inhibit token theft attacks.
4. Limit on-premises exposure and integrate your SOC and identity efforts to ensure you are defending your identity infrastructure.
5. Bet hard on agility with a cloud-first approach, adaptable authentication, and deep commitments to automated responses to common problems to save your critical resources for true crises.

Each of these recommendations has value in and of itself, but taken together, they represent an approach to defense-in-depth. Defense-in-depth encourages us to assume that any single control might be overcome by an attacker, so we have multiple layers of defense. In the recommendations listed in this blog, a user with perfect authentication should never be compromised, but we layer in endpoint protection, SOC monitoring, automated responses, and posture agility assuming that no one control is adequate.

To learn more about how you can protect your organization, be sure to read Joy Chik’s blog, Microsoft Entra: 5 identity priorities for 2023. If you’re interested in a comprehensive security solution that includes identity and access management, extended detection and response, and security information and event management, visit the Microsoft Entra page, along with Microsoft Defender for Identity and Microsoft Sentinel, to learn how this family of multicloud identity and security products can protect your organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 2023 identity security trends and solutions from Microsoft appeared first on Microsoft Security Blog.

1.  Strong cloud adoption rates will continue

Macroeconomists may be pessimistic about gross domestic product growth in Europe and the United States in 2023, but even in weak macroeconomic scenarios, cloud growth rates remain stellar.¹ Gartner® predicts almost 30 percent growth for infrastructure as a service and almost 25 percent growth for platform as a service in 2023, as compared to 2022 in the worldwide public cloud user spending category. A September 2022 survey of chief technology officers (CTOs) by Evercore-ISI asked the top things they would do in response to reduced budgets or inflationary pressure.² The top answer (from 44 percent of CTOs): increase their use of the cloud. Gartner® predicts that by 2025 more than 90 percent of clients will use cloud-based unified endpoint management (UEM) tools, up from 50 percent in 2022. So, if you have not migrated your UEM to the cloud yet, 2023 is the year to start.

2. Security will remain the top issue for CTOs into 2023

When asked in September about their highest priority project (in terms of incremental spending), 42 percent of CTOs said cloud security. Network security was the second most common response, with analytics third.² Credit Suisse recently polled CTOs on how different categories in their IT budget would grow.³ In 2021 and 2022, security was ranked top, with an 11 percent increase. Asked to predict the growth in security spending in 2026, security again ranked highest, but the expected increase was even more: 14 percent. Underlying factors provide color to the raw growth numbers. The geopolitical storm continues, and new avenues continue to emerge for hackers. I expect to hear even more about deepfake videos and ransomware as a service in 2023. So, how do chief information security officers (CISOs) strengthen their organization’s defenses in 2023? We would propose two initiatives: first, ensure security software is suitably integrated with a unified console to enable fewer points of vulnerability and more automation. By extension, this might mean consolidating vendors. Second, tackle the human aspect: invest in upskilling staff on how best to be aware of potential attacks.⁴

3. Worker mobility will increase further

The past few years have changed the model for knowledge workers. 2023 will see several shifts that will add to the hybrid work from anywhere (and hence, protect everywhere) trend. Next year will see mass adoption of 5G capable devices: Juniper Research estimates that there will be 600 million more 5G connections added in 2023 alone.⁵ Technological trends will be compounded by demographic trends, such as “productivity paranoia,” where workers want to show they are being productive, no matter where they are. What does this mean for CISOs? New working styles, new networks, and new devices mean new attack vectors. In 2023, be ready to protect your workers who are working from anywhere, not just from home.

4. CTOs will need to pay more attention to local factors

There is always a balance between global and local initiatives, but in 2023, we expect that it will be increasingly difficult to just adopt a one-size-fits-all global shortcut. We are seeing an increasing number of national regulations related to data sovereignty, with implications for where that data is stored and secured.⁶ 2023 will see further digital transformation of public sector agencies. These agencies often have more country-specific security or compliance rules compared to their private sector counterparts. As such, CISOs need to ensure their endpoint management solutions (and, indeed, their entire technology architecture) can adapt to handle extra local requirements.

5. Truly transformative technology will rise to the top

My final prediction is that 2023 will see further clarity on the difference between genuinely transformative technology and tech that has been overhyped. One technology that I expect to compare favorably for enterprises in 2023 will be more advanced forms of automation, such as AI. AI start-ups have seen more than USD100 billion in venture capital investment since 2020, in everything from the development of new drugs to new ways to create art and writing (and, perhaps, eventually, transform how blogs are created!).⁷ Security represents a great opportunity for advanced automation and AI, given the nature of the ongoing problems CISOs must grapple with. As such, while new AI-generated images may garner the headlines, away from the limelight we expect many other enterprise software solutions to benefit from both sophisticated AI and simply greater automation.⁸ For example, in endpoint management, Gartner® sees that by 2027, UEM and digital employee experience tools will converge—to drive autonomous endpoint management, reducing human effort by at least 40 percent. The more that security tasks are automated, the more time is freed up for more strategic work by your key staff.

Learn more

I hope you found these 2023 trends thought-provoking. I would encourage you to continue to think about what the macro situation might mean specifically for your organization and translate that into an action plan for your Microsoft Intune assets in 2023. In the meantime, I wish you all a safe and thoughtful holiday season and wish you continued success in the new year.  

Learn more about how Microsoft Intune can simplify your endpoint management:

• Reduce your overall total cost of ownership with a new Microsoft Intune plan.
• Microsoft publishes new report on holistic insider risk management.
• Microsoft Intune blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹World Economic Outlook, October 2022: Countering the Cost-of-Living Crisis, IMF. October 15, 2022.

²Evercore-ISI Quarterly Enterprise Technology Spending Survey, September 15, 2022.

³Credit Suisse CIO Survey, Credit Suisse. October 6, 2022.

⁴What cybersecurity trends are expected in 2023? Muhammad Zulhusni, November 29, 2022.

⁵5G Service Revenue to Reach $315 Billion Globally in 2023, Juniper Research. October 23, 2022.

⁶Microsoft launches its Cloud for Sovereignty, Frederic Lardinois. July 19, 2022.

⁷State of AI Q2’22 Report, CB Insights. August 10, 2022.

⁸How a computer designed this week’s cover, The Economist. June 11, 2022.

The post Microsoft Intune: 5 endpoint management predictions for 2023 appeared first on Microsoft Security Blog.

With threats like ransomware increasing in volume and complexity, it’s never been more important for chief information security officers (CISOs) to invest in solutions that will keep their companies safe and running. As the threat landscape continues to proliferate, cloud-native security information and event management (SIEM) solutions like Microsoft Sentinel have become a central part of a SecOps solution and have evolved to meet the new needs of customers to move faster.

We believe this placement validates our continued investment in Microsoft Sentinel, security research, and threat intelligence. We take it as a vote of confidence in our ability to keep our customers safe and working fearlessly. Microsoft Security is named a leader on seven different Forrester Wave™ reports and continues to invest in innovative solutions that work together to keep our customers’ businesses safer.

Microsoft was evaluated on several capabilities that empower customers to move faster to identify, investigate, and remediate threats. Some particularly important features include:

• Providing flexibility to customers to create their own rules using Kusto Query Language (KQL) or by bringing their own machine learning. This allows security operations center (SOC) teams to build automations that work for their organization and reduces the amount of time spent on repetitive tasks.
• Comprehensive threat intelligence that empowers customers to keep up with the evolving threat landscape.
• Scaled search and storage of large volumes of data allow customers to protect their digital ecosystems at scale and monitor all their clouds, platforms, and endpoints in one place.  

The Microsoft Sentinel strategy

Microsoft Sentinel is a next-generation SIEM solution that collects security data across multicloud, multi-platform data sources. The comprehensive SOC platform provides user entity and behavior analytics (UEBA), threat intelligence, and security orchestration, automation, and response (SOAR) capabilities, along with deep integrations into Microsoft Defender threat protection products’ comprehensive coverage across SIEM and extended detection and response (XDR). Sentinel empowers companies to leverage cloud-scale, innovative AI and automation to move at machine speed and stay ahead of evolving threats.  

What makes the Microsoft suite of security solutions unique is the native integrations of SIEM with XDR to provide quick setup, more comprehensive coverage and context, and faster response time. Customers who leverage Microsoft Defender XDR products may be eligible for discounts on Microsoft Sentinel data ingestion.  

Over the past year, Microsoft has invested in many new capabilities, including content for Internet of Things (IoT) devices, business application coverage including SAP, enhanced SOAR capabilities, and improved workflow management. These capabilities help our customers to protect more of their digital ecosystem, automate responses to more types of threats, and build an efficient and collaborative SOC.

What’s next in Microsoft Security

Microsoft is dedicated to continued leadership in security. Continued investments will provide customers with the intelligence, automation, and scalability they need to protect their businesses and work efficiently. Upcoming enhancements include the integration of more threat intelligence, new ways to hunt across large sets of data, and more context and prioritization guidance in alerts. New AI solutions will allow SecOps teams to more easily identify the most urgent issues and give guidance on how similar customers have reacted to similar incidents. The Microsoft vision is to provide a central platform for SOCs to understand the health of their entire business and quickly act on issues.

Learn more

Read the The Forrester Wave™: Security Analytics Platforms, Q4 2022 report.

Microsoft Security is committed to empowering SecOps teams with security tools and platforms that enable the critical protection your users rely on. To experience Microsoft Sentinel at your organization, get started with a free trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Forrester names Microsoft a Leader in Q4 2022 Security Analytics Platforms Wave report appeared first on Microsoft Security Blog.