Digital Security News | Microsoft Security Blog
Expert coverage of cybersecurity topics
Feed updated Fri, 28 Mar 2025 17:11:38 +0000

Microsoft unveils Microsoft Security Copilot agents and new protections for AI
http://approjects.co.za/?big=en-us/security/blog/2025/03/24/microsoft-unveils-microsoft-security-copilot-agents-and-new-protections-for-ai/
Mon, 24 Mar 2025 16:00:00 +0000

Learn about the upcoming availability of Microsoft Security Copilot agents and other new offerings for a more secure AI future.

The post Microsoft unveils Microsoft Security Copilot agents and new protections for AI appeared first on Microsoft Security Blog.

In this age of AI, securing AI and using it to boost security are crucial for every organization. At Microsoft, we are dedicated to helping organizations secure their future with our AI-first, end-to-end security platform.

One year ago, we launched Microsoft Security Copilot to empower defenders to detect, investigate, and respond to security incidents swiftly and accurately. Now, we are excited to announce the next evolution of Security Copilot with AI agents designed to autonomously assist with critical areas such as phishing, data security, and identity management. The relentless pace and complexity of cyberattacks have surpassed human capacity, and establishing AI agents is a necessity for modern security.

For example, phishing attacks remain one of the most common and damaging cyberthreats. Between January and December 2024, Microsoft detected more than 30 billion phishing emails targeting customers.1 The volume of these cyberattacks overwhelms security teams relying on manual processes and fragmented defenses, making it difficult to both triage malicious messages promptly and leverage data-driven insights for broader cyber risk management.

The phishing triage agent in Microsoft Security Copilot being unveiled today can handle routine phishing alerts and cyberattacks, freeing up human defenders to focus on more complex cyberthreats and proactive security measures. This is just one way agents can transform security.

Additionally, securing and governing AI continues to be the top priority for organizations, and we are excited to advance our purpose-built solutions with new innovations across Microsoft Defender, Microsoft Entra, and Microsoft Purview. 

Read on to learn about other agents we are introducing to Security Copilot and important developments in securing AI. 

Expanding Microsoft Security Copilot with AI agentic capabilities

Microsoft Threat Intelligence now processes 84 trillion signals per day, revealing the exponential growth in cyberattacks, including 7,000 password attacks per second.1 Scaling cyber defenses through AI agents is now an imperative to keep pace with this threat landscape. We are expanding Security Copilot with six security agents built by Microsoft and five security agents built by our partners—available for preview in April 2025.

Six new agentic solutions from Microsoft Security

Building on the transformative capabilities of Security Copilot, the six Microsoft Security Copilot agents enable teams to autonomously handle high-volume security and IT tasks while seamlessly integrating with Microsoft Security solutions. Purpose-built for security, agents learn from feedback, adapt to workflows, and operate securely—aligned to Microsoft’s Zero Trust framework. With security teams fully in control, agents accelerate responses, prioritize risks, and drive efficiency to enable proactive protection and strengthen an organization’s security posture.

Security Copilot agents will be available across the Microsoft end-to-end security platform, designed for the following:

  • Phishing Triage Agent in Microsoft Defender triages phishing alerts with accuracy to identify real cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves detection based on admin feedback.
  • Alert Triage Agents in Microsoft Purview triage data loss prevention and insider risk alerts, prioritize critical incidents, and continuously improve accuracy based on admin feedback.
  • Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for identity teams to apply with a single click.
  • Vulnerability Remediation Agent in Microsoft Intune monitors and prioritizes vulnerabilities and remediation tasks to address app and policy configuration issues and expedites Windows OS patches with admin approval.
  • Threat Intelligence Briefing Agent in Security Copilot automatically curates relevant and timely threat intelligence based on an organization’s unique attributes and cyberthreat exposure.

Security Copilot’s agentic capabilities are an example of how we continue to deliver innovation leveraging our decades of AI research. See how agents work.

“This is just the beginning; our security AI research is pushing the boundaries of innovation, and we are eager to continuously bring even greater value to our customers at the speed of AI.”  

—Alexander Stojanovic, Vice President of Microsoft Security AI Applied Research

Five new agentic solutions from Microsoft Security partners

Security is a team sport and Microsoft is committed to empowering our security ecosystem with an open platform upon which partners can build to deliver value to customers. In this spirit, the following five AI agents from our partners will be available in Security Copilot:

  • Privacy Breach Response Agent by OneTrust analyzes data breaches to generate guidance for the privacy team on how to meet regulatory requirements.
  • Network Supervisor Agent by Aviatrix performs root cause analysis and summarizes issues related to VPN, gateway, or Site2Cloud connection outages and failures.
  • SecOps Tooling Agent by BlueVoyant assesses a security operations center (SOC) and state of controls to make recommendations that help optimize security operations and improve controls, efficacy, and compliance.
  • Alert Triage Agent by Tanium provides analysts with the necessary context to quickly and confidently make decisions on each alert.
  • Task Optimizer Agent by Fletch helps organizations forecast and prioritize the most critical cyberthreat alerts to reduce alert fatigue and improve security.

“An agentic approach to privacy will be game-changing for the industry. Autonomous AI agents will help our customers scale, augment, and increase the effectiveness of their privacy operations. Built using Microsoft Security Copilot, the OneTrust Privacy Breach Response Agent demonstrates how privacy teams can analyze and meet increasingly complex regulatory requirements in a fraction of the time required historically.”

—Blake Brannon, Chief Product and Strategy Officer, OneTrust

Learn more about Security Copilot agents and get started with Security Copilot. Current Security Copilot customers can join our Customer Connection Program for the latest updates.

New AI-powered data security investigations and analysis   

We are also announcing Microsoft Purview data security investigations to help data security teams quickly understand and mitigate risks associated with sensitive data exposure. Data security investigations introduce AI-powered deep content analysis, which identifies sensitive data and other risks linked to incidents. Incident investigators can use these insights to collaborate securely with partner teams and simplify complex and time-consuming tasks, thus improving mitigation. This solution links data security investigations to Defender incidents and Purview insider risk cases—available for preview starting April 2025.  

Further advances in securing and governing generative AI

Successful AI transformation requires a strong cybersecurity foundation. As organizations rapidly adopt generative AI, there is growing urgency to secure and govern the creation, adoption, and use of AI in the workplace. According to our new report, “Secure employee access in the age of AI,” 57% of organizations report an increase in security incidents from AI usage. And while most organizations recognize the need for AI controls, 60% have not yet started.

Securing AI is still a relatively new challenge, and leaders share some specific concerns: how to prevent data oversharing and leakage; how to minimize new AI threats and vulnerabilities; and how to comply with shifting regulatory compliance requirements. Microsoft Security solutions are purpose-built for AI to help every organization address these concerns. We’re announcing new advanced capabilities so that organizations can secure their AI investments—both Microsoft AI and other AI.

AI security posture management for multimodel and multicloud environments

Organizations developing their own custom AI solutions will need to strengthen the security posture for AI that they source from multiple models, running in multiple AI platforms and clouds. To address this need, Microsoft Defender has extended AI security posture management beyond Microsoft Azure and Amazon Web Services to include Google VertexAI and all models in the Azure AI Foundry model catalog. Available for preview in May 2025, this coverage includes Gemini, Gemma, Meta Llama, Mistral, and custom models. With new multicloud interoperability, organizations will gain broader code-to-runtime AI security posture visibility across Microsoft Azure, Amazon Web Services, and Google Cloud. Microsoft Defender can give organizations a jumpstart to securing AI posture across multimodel and multicloud environments.

New detection and protection for emerging AI threats

With AI comes new risks, including new cyberattack surfaces and unknown vulnerabilities. The Open Worldwide Application Security Project (OWASP) identifies the highest priority risks and mitigations for generative AI apps. Starting in May 2025, new and enriched AI detections for several risks identified by OWASP such as indirect prompt injection attacks, sensitive data exposure, and wallet abuse will be generally available in Microsoft Defender. With these new detections, SOC analysts can better protect and defend custom-built AI apps with new safeguards for Azure OpenAI Service and models found in the Azure AI Foundry catalog.

New controls to prevent risky access and data leaks into shadow AI apps

With the rapid user adoption of generative AI, many organizations are uncovering widespread use of AI apps that have not yet been approved by IT or security teams. This unsanctioned, unprotected use of AI has created a “shadow AI” phenomenon, which has drastically increased the risk of sensitive data leakage. We are announcing general availability of the AI web category filter in Microsoft Entra Internet Access to help enforce granular access controls that can curb the risk of shadow AI by enforcing policies governing which users and groups have access to different types of AI applications.

With policy enforcement in place to govern authorized access to AI apps, the next layer of defense is to prevent users from leaking sensitive data into AI apps. To address this, we are announcing the preview of Microsoft Purview browser data loss prevention (DLP) controls built into Microsoft Edge for Business. This helps security teams enforce DLP policies to prevent sensitive data from being typed into generative AI apps, starting with ChatGPT, Copilot Chat, DeepSeek, and Google Gemini.

Learn more about our new innovations in Security for AI.

New phishing protection in Microsoft Teams for safer collaboration

While email continues to be the primary cyberthreat vector for phishing, collaboration software has become a common target. Generally available in April 2025, Microsoft Defender for Office 365 will protect users against phishing and other advanced cyberthreats within Teams. With inline protection, Teams will have better protection against malicious URLs, including real-time detonation of attachments and links. And to give SOC teams full visibility into related attempts and incidents, alerts and data will be available in Microsoft Defender. 

Agile innovation to build a safer world

We continue to innovate across the Microsoft Security portfolio, applying the principles of our Secure Future Initiative, to deliver powerful, end-to-end protection, to give defenders industry-leading AI, and to empower every organization with the tools to secure and govern AI. We are grateful for our customers and partners, and together with them we look forward to building a more secure world for all.

Microsoft Secure

To see these innovations in action, join us on April 9, 2025 for Microsoft Secure, a digital event focused on security in the age of AI. 


Learn with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1 Based on Microsoft internal data.

Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for cyber-physical systems protection platforms
http://approjects.co.za/?big=en-us/security/blog/2025/02/19/microsoft-is-named-a-leader-in-the-2025-gartner-magic-quadrant-for-cyber-physical-systems-protection-platforms/
Wed, 19 Feb 2025 17:00:00 +0000

We are excited to announce that Gartner has named Microsoft a Leader in the 2024 Gartner® Magic Quadrant™ for Cyber Physical Systems Protection Platforms. Gartner defines cyber-physical systems (CPS) as "engineered systems that orchestrate sensing, computation, control, networking and analytics" that connect the digital and physical worlds. They span industrial control systems (ICS), OT devices, Internet of Things (IoT) devices, and more.

The post Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for cyber-physical systems protection platforms appeared first on Microsoft Security Blog.

Critical infrastructure is a key target of both physical and cyberattacks. Microsoft has observed an increase in reported attacks on internet-exposed operational technology (OT) devices that control real-world critical processes—like water and wastewater systems, as well as critical functions across industries including healthcare, manufacturing, energy, and more.1 Our previous Microsoft Digital Defense Reports have shown that unfortunately the security of OT devices has not kept pace with the strengthened security of IT hardware and software. As of July 2024, we had identified and shared more than 300 vulnerabilities in third-party OT applications. The initiative contributed to significant improvements in security across the OT industry.1 It highlights a need for organizations to integrate OT devices into their broader endpoint security strategy.  

We are excited to announce that Gartner has named Microsoft a Leader in the 2025 Gartner® Magic Quadrant™ for Cyber Physical Systems Protection Platforms. Gartner defines cyber-physical systems (CPS) as “engineered systems that orchestrate sensing, computation, control, networking and analytics” that connect the digital and physical worlds. They span industrial control systems (ICS), OT devices, Internet of Things (IoT) devices, and more.   

CPS devices are an inherent component of any security strategy, and being the only security platform vendor now recognized as a Leader in both endpoint and CPS security highlights, in our opinion, our commitment to providing customers with holistic endpoint security on any platform. Our cross-platform strategy is key to making continued progress in helping organizations protect their endpoints against the latest and most sophisticated cyberattacks as they span operating systems and cross into CPS infrastructure, while driving continued efficiency for security operations center (SOC) teams. Read the report here.


Gartner, Magic Quadrant for CPS Protection Platforms, 17 February 2025, By Katell Thielemann, Wam Voster, Ruggero Contu

Meeting the unique OT security needs of organizations in every major industry  

The core of Microsoft’s CPS offering to help secure OT environments is Microsoft Defender for IoT, which provides CPS capabilities through purpose-built sensors and, combined with Defender for Endpoint, helps provide holistic endpoint security to organizations worldwide. Both are native components of our unified security operations platform.

CPS security is deeply embedded into Microsoft’s approach to securing devices across the platforms our customers operate on. Defender for Endpoint uses its network traffic insights to discover devices, which it centralizes in a unified device inventory; we provide holistic vulnerability management for software on both user devices and CPS devices, and bring information together in a unified incident investigation experience to enable analysts to investigate endpoint-focused attacks end-to-end.

Further, Microsoft is deeply committed to helping customers achieve cost efficiencies through our strategic Microsoft 365 E5 Security bundles, while equally allowing maximum purchasing flexibility through our standalone offers for each solution.  

Innovations that drive better defense strategies  

Over the last 12 months, Microsoft has delivered significant innovations that help defenders gain the upper hand against OT and other cyberthreats including:   

Microsoft’s unified security operations platform brings the foundational tools a SOC needs into a single experience, with a consistent data model, unified capabilities, and broad protection. This unified experience helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reducing their response time by 88%, and improving overall efficiency.2 Defender for IoT is core to this platform, which combines the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security. It enables security teams to detect and respond to cyberthreats across OT environments, get key insights into their OT security posture, and understand cyberthreats in the context of broader incidents.

The unified agent combines protection across endpoints, OT devices, identities, and data loss prevention (DLP) to help security teams streamline deployment and protection. The sensor is the software component that monitors and protects critical infrastructure, serving as one of the first lines of defense against cyberthreat actors. With our platform approach that brings together Microsoft Sentinel and Microsoft Defender XDR, we now have the first platform-level agent that unifies protection across four solution areas. The streamlined agent simplifies how you activate and manage core capabilities to more easily and swiftly reap the benefits of our AI-powered protection. Read more about the unified agent platform on the Microsoft Defender for Endpoint blog.

Figure: Circular diagram displaying the unified platform agent in the middle, with endpoints, OT devices, data loss prevention, and identities arranged around the exterior.

Microsoft Security Exposure Management is part of the unified security operations portal and provides a unified view of security posture across company assets and workloads. Security initiatives are an experience that provides a simple way to assess security readiness for a specific security area or workload, and to constantly track and measure exposure risk over time. The OT Security initiative improves your OT site security posture by monitoring and protecting OT environments in the organization and employing network-layer monitoring. This initiative identifies devices and ensures that systems are working correctly and data is protected. Your security teams can use the OT Security initiative to identify unprotected devices and harden posture across sites through vulnerability assessments, with actionable guidance to help remediate at-risk devices. Read more about security initiatives.

Thank you to all our customers. You inspire us as together we work to create a safer world.  

Learn more with Microsoft Security

Visit Microsoft Defender for IoT to learn how your organization can get real-time asset discovery, vulnerability management, and cyberthreat protection for your Internet of Things (IoT) and industrial infrastructure, such as industrial control systems (ICS) and operational technology (OT).   

Are you a regular user of Microsoft Defender for Endpoint or Defender for IoT? Review your experience on Gartner Peer Insights™ and get a $25 gift card.      

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.  


1 Microsoft Digital Defense Report, Microsoft. 2024.
2 The Total Economic Impact™ Of Microsoft SIEM And XDR, August 2022.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.  

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.  

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.  

Gartner, Magic Quadrant for CPS Protection Platforms, 17 February 2025, By Katell Thielemann, Wam Voster, Ruggero Contu 

Innovating in line with the European Union’s AI Act
https://blogs.microsoft.com/on-the-issues/?p=66749
Wed, 15 Jan 2025 14:10:00 +0000

As our Microsoft AI Tour reached Brussels, Paris, and Berlin recently, we met with European organizations that were energized by the possibilities of our latest AI technologies and engaged in deployment projects. They were also alert to the fact that 2025 is the year that key obligations under the European Union’s AI Act come into effect, opening a new chapter in digital regulation as the world’s first, comprehensive AI law becomes a reality.

The post Innovating in line with the European Union’s AI Act appeared first on Microsoft Security Blog.

As our Microsoft AI Tour reached Brussels, Paris, and Berlin toward the end of last year, we met with European organizations that were energized by the possibilities of our latest AI technologies and engaged in deployment projects. They were also alert to the fact that 2025 is the year that key obligations under the European Union’s AI Act come into effect, opening a new chapter in digital regulation as the world’s first, comprehensive AI law becomes a reality.  

At Microsoft, we are ready to help our customers do two things at once: innovate with AI and comply with the EU AI Act. We are building our products and services to comply with our obligations under the EU AI Act and working with our customers to help them deploy and use the technology compliantly. We are also engaged with European policymakers to support the development of efficient and effective implementation practices under the EU AI Act that are aligned with emerging international norms.  

Below, we go into more detail on these efforts. Since the dates for compliance with the EU AI Act are staggered and key implementation details are not yet finalized, we will be publishing information and tools on an ongoing basis. You can consult our EU AI Act documentation on the Microsoft Trust Center to stay up to date. 

Building Microsoft products and services that comply with the EU AI Act 

Organizations around the world use Microsoft products and services for innovative AI solutions that empower them to achieve more. For these customers, particularly those operating globally and across different jurisdictions, regulatory compliance is of paramount importance. This is why, in every customer agreement, Microsoft has committed to comply with all laws and regulations applicable to Microsoft. This includes the EU AI Act. It is also why we made early decisions to build and continue to invest in our AI governance program. 

As outlined in our inaugural Transparency Report, we have adopted a risk management approach that spans the entire AI development lifecycle. We use practices like impact assessments and red-teaming to help us identify potential risks and ensure that teams building the highest-risk models and systems receive additional oversight and support through governance processes, like our Sensitive Uses program. After mapping risks, we use systematic measurement to evaluate the prevalence and severity of risks against defined metrics. We manage risks by implementing mitigations like the classifiers that form part of Azure AI Content Safety and ensuring ongoing monitoring and incident response.  

Our framework for guiding engineering teams building Microsoft AI solutions—the Responsible AI Standard—was drafted with an early version of the EU AI Act in mind.  

Building on these foundational components of our program, we have devoted significant resources to implementing the EU AI Act across Microsoft. Cross-functional working groups combining AI governance, engineering, legal, and public policy experts have been working for months to identify whether and how our internal standards and practices should be updated to reflect the final text of the EU AI Act as well as early indications of implementation details. They have also been identifying any additional engineering work needed to ensure readiness.  

For example, the EU AI Act’s prohibited practices provisions are among the first provisions to come into effect in February 2025. Ahead of the European Commission’s newly established AI Office providing additional guidance, we have taken a proactive, layered approach to compliance. This includes:

  • Conducting a thorough review of Microsoft-owned systems already on the market to identify any places where we might need to adjust our approach, including by updating documentation or implementing technical mitigations. To do this, we developed a series of questions designed to elicit whether an AI system could implicate a prohibited practice and dispatched this survey to our engineering teams via our central tooling. Relevant experts reviewed the responses and followed up with teams directly where further clarity or additional steps were necessary. These screening questions remain in our central responsible AI workflow tool on an ongoing basis, so that teams working on new AI systems answer them and engage the review workflow as needed.
  • Creating new restricted uses in our internal company policy to ensure Microsoft does not design or deploy AI systems for uses prohibited by the EU AI Act. We are also developing specific marketing and sales guidance to ensure that our general-purpose AI technologies are not marketed or sold for uses that could implicate the EU AI Act’s prohibited practices.
  • Updating our contracts, including our Generative AI Code of Conduct, so that our customers clearly understand they cannot engage in any prohibited practices. For example, the Generative AI Code of Conduct now has an express prohibition on the use of the services for social scoring.

We were also among the first organizations to sign up to the three core commitments in the AI Pact, a set of voluntary pledges developed by the AI Office to support regulatory readiness ahead of some of the upcoming compliance deadlines for the EU AI Act. In addition to our regular rhythm of publishing annual Responsible AI Transparency Reports, you can find an overview of our approach to the EU AI Act and a more detailed summary of how we are implementing the prohibited practices provisions on the Microsoft Trust Center. 

Working with customers to help them deploy and use Microsoft products and services in compliance with the EU AI Act 

One of the core concepts of the EU AI Act is that obligations need to be allocated across the AI supply chain. This means that an upstream regulated actor, like Microsoft in its capacity as a provider of AI tools, services, and components, must support downstream regulated actors, like our enterprise customers, when they integrate a Microsoft tool into a high-risk AI system. We embrace this concept of shared responsibility and aim to support our customers with their AI development and deployment activities by sharing our knowledge, providing documentation, and offering tooling. This all ladders up to the AI Customer Commitments that we made in June of last year to support our customers on their responsible AI journeys. 

We will continue to publish documentation and resources related to the EU AI Act on the Microsoft Trust Center to provide updates and address customer questions. Our Responsible AI Resources site is also a rich source of tools, practices, templates, and information that we believe will help many of our customers establish the foundations of good governance to support EU AI Act compliance.  

On the documentation front, the 33 Transparency Notes that we have published since 2019 provide essential information about the capabilities and limitations of our AI tools, components, and services that our customers rely on as downstream deployers of Microsoft AI platform services. We have also published documentation for our AI systems, such as answers to frequently asked questions. Our Transparency Note for the Azure OpenAI Service, an AI platform service, and FAQ for Copilot, an AI system, are examples of our approach. 

We expect that several of the secondary regulatory efforts under the EU AI Act will provide additional guidance on model- and system-level documentation. These norms for documentation and transparency are still maturing and would benefit from further definition consistent with efforts like the Reporting Framework for the Hiroshima AI Process International Code of Conduct for Organizations Developing Advanced AI Systems. Microsoft has been pleased to contribute to this Reporting Framework through a process convened by the OECD and looks forward to its forthcoming public release. 

Finally, because tooling is necessary to achieve consistent and efficient compliance, we make available to our customers versions of the tools that we use for our own internal purposes. These tools include Microsoft Purview Compliance Manager, which helps customers understand and take steps to improve compliance capabilities across many regulatory domains, including the EU AI Act; Azure AI Content Safety to help mitigate content-based harms; Azure AI Foundry to help with evaluations of generative AI applications; and Python Risk Identification Tool or PyRIT, an open innovation framework that our independent AI Red Team uses to help identify potential harms associated with our highest-risk AI models and systems. 

Helping to develop efficient, effective, and interoperable implementation practices 

A unique feature of the EU AI Act is that there are more than 60 secondary regulatory efforts that will have a material impact on defining implementation expectations and directing organizational compliance. Since many of these efforts are in progress or yet to get underway, we are in a key window of opportunity to help establish implementation practices that are efficient, effective, and aligned with emerging international norms. 

Microsoft is engaged with the central EU regulator, the AI Office, and other relevant authorities in EU Member States to share insights from our AI development, governance, and compliance experience, seek clarity on open questions, and advocate for practical outcomes. We are also participating in the development of the Code of Practice for general-purpose AI model providers, and we remain longstanding contributors to the technical standards being developed by European Standards organizations, such as CEN and CENELEC, to address high-risk AI system requirements in the EU AI Act. 

Our customers also have a key role to play in these implementation efforts. By engaging with policymakers and industry groups to understand the evolving requirements and have a say on them, our customers have the opportunity to contribute their valuable insights and help shape implementation practices that better reflect their circumstances and needs, recognizing the broad range of organizations in Europe that are energized by the opportunity to innovate and grow with AI. In the coming months, a key question to be resolved is when organizations that substantially fine-tune AI models become downstream providers that must comply with the general-purpose AI model obligations taking effect in August. 

Going forward 

Microsoft will continue to make significant product, tooling, and governance investments to help our customers innovate with AI in line with new laws like the EU AI Act. Implementation practices that are efficient, effective, and interoperable internationally are going to be key to supporting useful and trustworthy innovation on a global scale, so we will continue to lean into regulatory processes in Europe and around the world. We are excited to see the projects that animated our Microsoft AI Tour events in Brussels, Paris, and Berlin improve people’s lives and earn their trust, and we welcome feedback on how we can continue to support our customers in their efforts to comply with new laws like the EU AI Act. 

The post Innovating in line with the European Union’s AI Act appeared first on Microsoft Security Blog.

Foundry study highlights the benefits of a unified security platform in new e-book http://approjects.co.za/?big=en-us/security/blog/2024/12/18/foundry-study-highlights-the-benefits-of-a-unified-security-platform-in-new-e-book/ Wed, 18 Dec 2024 17:00:00 +0000 Microsoft commissioned Foundry to conduct a study to understand the current state of threat protection. Read the new e-book for research-driven insights into a unified security platform.

The post Foundry study highlights the benefits of a unified security platform in new e-book appeared first on Microsoft Security Blog.

Microsoft observes more than 600 million ransomware, phishing, and identity attacks each day.¹ One major theme from our analysis of these attacks is clear—organizations with integrated tools have better visibility and more holistic defense than those using a broader portfolio of point solutions. Microsoft wanted to test this observation outside of its own telemetry, hiring Foundry to conduct a survey of senior-level IT decision makers with a primary role in security management at organizations with 500 or more employees to see what they’re experiencing.

The results are in, and they might be surprising. Of the study’s 156 respondents, those whose companies have implemented greater quantities of security solutions are experiencing a higher average number of security incidents—15.3 incidents versus 10.5 incidents for organizations with fewer security tools. That’s more than a 31% increase in self-reported incidents. You can read up on the full results in the e-book The unified security platform era is here.

This reinforces the observations Microsoft made based on its own telemetry. The security teams we see that prioritize deploying a diverse portfolio of “category leaders” often have overlapping policies and controls that create weak points. The silos created by separate solutions also make it hard to coordinate an effective defense before breaches happen, uncover the true scope of incidents, or to respond quickly.


Why consolidated security wins

The initial stages of cyberattacks remain fairly consistent year over year—with brute force identity attacks, phishing and social engineering, and internet-exposed vulnerabilities continuing to be the most common. Threat actors are still largely using opportunity-based tactics for these first few steps. It’s only once someone’s credentials are obtained by bad actors that they begin taking more targeted action against a company’s infrastructure. When they do this, the would-be cyberattackers often conduct significant reconnaissance, demonstrating a tremendous understanding of the enterprise environment by targeting the seams between security solutions and taking advantage of technical debt. Examples of this could include a test app from an untracked satellite tenant that doesn’t enforce multifactor authentication, devices infected with malware, or legacy authentication protocols.

Figure: on average, enterprises use around 14 different security tools. 47% of respondents report that the number of security tools their organization adopted in the past year stayed the same, 35% report an increase, and 18% report a decrease.

Diverse tool portfolios are very likely to lack the integration and signal sharing required to help security teams to understand how, or even if, cyberattackers are exploiting their infrastructure. As a result, cyberattackers have more seams they can exploit, they can remain undetected longer, and security teams will have a harder time ensuring they’ve fully removed the attackers’ access.

While there will never be a single comprehensive security tool, organizations that streamline their security stacks by adopting a security platform that integrates controls, policies, and signals will have a more resilient and comprehensively protected environment that can respond to cyberthreats more effectively. The research done by Foundry and Microsoft shows how this unified security approach helps security teams act more efficiently, reduce core metrics like mean time to repair and mean time to acknowledge, and improve their overall security posture. By eliminating many of the potential seams between standalone solutions, these companies were able to prevent, detect, and respond to many more security threats as they emerged.

A streamlined, unified security approach like the Microsoft unified security operations platform, which provides its users with a consistent data model and reduced silos, can also generate better results from automation and AI—both of which are powerful tools that help security operations (SecOps) teams close critical security gaps through improved exposure management, resiliency, and incident detection and response. Equally, SecOps teams that gain a single, centralized, and contextualized view of their company’s cyberthreat exposure are better able to measure and improve their security posture. By gaining the visibility and tools to conduct this kind of exposure management, these teams are able to shift from traditional, reactive detection and response-based security postures to more proactive postures that prioritize exposure-mitigating actions across devices, identities, applications, data, and their multicloud infrastructure.

Unified security means fewer cyberattacks and improved posture

The two biggest reported challenges facing respondents who were looking to improve their security posture were the complexity of their current environment and poor visibility across their security landscape. In fact, these challenges have become so universally apparent to the Foundry study’s survey participants that 91% of respondents operating a best-of-breed security approach are prioritizing vendor consolidation in the next 12 months. The same is true of 79% of respondents using 10 or more security tools. This strategy helps shift toward a more proactive security posture, and the Foundry study shows that it can also have a dramatically positive effect on the average number of security incidents a company faces.  

Figure: bar chart of the biggest challenges respondents reported to achieving a successful security posture.

As 2024 has shown, keeping software up to date and installing strong security measures isn’t enough. It is nearly impossible for any organization to “out-patch” threat actors. Everyone needs to shift away from working through lists of vulnerabilities and to focus more on thinking like a cyberattacker—viewing vulnerabilities not as a list, but as elements that could be chained together to breach our environments in order to reach critical assets.

This is made much more difficult when using a diverse array of security vendors for each of your main security domains. Gaining visibility into possible attack paths, prioritizing based on potential incident severity, and then confidently removing the vulnerabilities is all made vastly more difficult when the work needs to be done manually across dozens of silos.

A unified platform changes how risk exposure can be handled. For example, security teams can use attack paths to remove vulnerabilities as if they’re responding to security incidents—with a prioritized list, systematically addressed based on variables like sensitivity of data, importance of critical assets, and severity of exposure. And with the native integrations of a platform, this value can be extended beyond just managing vulnerabilities. If you’re investigating a new incident and you’re shown that one of the compromised entities could lead to critical assets, that context could make the difference between routine remediation and a board-level briefing.

Setting out on your unified security platform journey

Reducing and consolidating security tools around a unified security platform is no small feat, either technologically or culturally. To get started, target a few small but key areas. This will give your security operations center (SOC) team a few quick wins and prove the value of consolidation to you and your stakeholders. You’ll also be able to customize and refine your new environment, ensuring necessary integrations are in place for end-to-end visibility without disrupting operations. You may also want to focus on change management early on, reskilling team members in a way that provides ample time for them to ramp up before going live.

Moving to a unified security platform is not just about improving defenses, so don’t forget to lend some of your time to maintaining positive employee experiences. Reducing friction across endpoint devices, apps, identities, and networks will make it easier for employees to access the systems and data they need. It also reduces the chance that employees will try to bypass new security policies in the interest of maintaining learned behaviors. To learn more about consolidating your security platform, the current state of threat protection, where organizations and security professionals are focusing with their current practices, and where they see opportunities for using AI in security operations, check out the new e-book The unified security platform era is here. And head over to the Microsoft Security web page for more information about how Microsoft is innovating in the security space, including through the use of responsible AI.

Learn more

Learn more about the Microsoft unified security operations platform.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

About the research 

Foundry conducted an online study to understand the current state of cyberthreat protection, where organizations and security professionals are focusing with their current practices, and where they see opportunities for using AI in security operations.  

The study, commissioned by Microsoft, was conducted in June 2024. The 156 respondents comprised senior-level IT decision-makers with a primary role in security management, at organizations with 500 or more employees.  


¹Microsoft Digital Defense Report 2024.


New Microsoft Purview features help protect and govern your data in the era of AI http://approjects.co.za/?big=en-us/security/blog/2024/12/10/new-microsoft-purview-features-help-protect-and-govern-your-data-in-the-era-of-ai/ Tue, 10 Dec 2024 17:00:00 +0000 Microsoft Purview delivers unified data security, governance, and compliance for the era of AI. Read about the new features.

The post New Microsoft Purview features help protect and govern your data in the era of AI appeared first on Microsoft Security Blog.

In today’s evolving digital landscape, safeguarding data has become a challenge for organizations of all sizes. The ever-expanding data estate, the volume and complexity of cyberattacks, increasing global regulations, and the rapid adoption of AI are shifting how cybersecurity and data teams secure and govern their data. Today, more than 95% of organizations are implementing or developing an AI strategy, requiring data protection and governance strategies to be optimized for AI adoption.1 Microsoft Purview is designed to help you protect and govern all your data, regardless of where it lives and travels, for the era of AI.

Historically, organizations have relied on the traditional approach to data security and governance, largely involving stitching together fragmented solutions. According to Gartner®, “75% of security leaders are actively pursuing a security vendor consolidation strategy as of 2022.”2 Consolidation, however, is no easy feat. In a recent study, more than 95% of security leaders acknowledge that unifying the handling of data security, compliance, and privacy across teams and tools is both a priority and a challenge.3 These approaches often fall short because of duplicate data, redundant alerts, and siloed investigations, ultimately leading to increased data risks. Over time, this approach has been increasingly difficult for organizations to maintain.

Unify how you protect and govern your data with Microsoft Purview

Unlike traditional data security and governance strategies that require disparate solutions to achieve comprehensive data protection, Microsoft Purview is purpose-built to unify data security, governance, and compliance into a single platform experience. This integration aims to reduce complexity, simplify management, and mitigate risk, while helping enhance efficiency across teams to support a culture of collaboration. With Microsoft Purview you can:

  • Enable comprehensive data protection.
  • Support compliance and regulatory requirements.
  • Help safeguard AI Innovation.

What’s new in Microsoft Purview?

To meet our growing customer needs, the team has been delivering a lot of innovation at a rapid pace. In this blog, we’re excited to recap all the new capabilities we announced at Microsoft Ignite last month.

Enable comprehensive data protection


Microsoft Purview enables you to discover, secure, and govern data across Microsoft and third-party sources. Today, Microsoft Purview delivers rich data security capabilities through Microsoft Purview Data Loss Prevention, Microsoft Purview Information Protection, and Microsoft Purview Insider Risk Management, enhanced with AI-powered Adaptive Protection. To drive AI transformation, you need to build and maintain a strong data foundation, categorized by data that is not just secured but also governed. Microsoft Purview also addresses your data governance needs with the newly reimagined Microsoft Purview Unified Catalog. These data security and data governance products leverage shared capabilities such as a common data catalog, connectors, classifications, and audit logs—helping reduce inconsistencies, inefficiencies, and exposure gaps, commonly experienced by using disparate tools.

Introducing Microsoft Purview Data Security Posture Management

Microsoft Purview Data Security Posture Management (DSPM) provides visibility into data security risks and recommends controls to protect that data. DSPM provides contextual insights, usage analysis, and continuous risk assessments of your data, helping you mitigate risks and enhance data security. With DSPM, you get a shared understanding of key risks through a series of reports that correlate insights across location and type of sensitive data, risky user activities, and common exfiltration channels. In addition, DSPM provides actionable, scenario-based recommendations for detection and protection policies. For example, DSPM can help you create an Insider Risk Management policy that identifies risky behavior such as downgrading labels in documents followed by exfiltration, and a data loss prevention (DLP) policy to block that exfiltration at the same time.
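The sequence described above (a sensitivity-label downgrade followed by exfiltration of the same item by the same user) can be expressed as a simple correlation over audit events. The block below is an added illustration, not Microsoft's or Purview's code; the event schema, label names, exfiltration operation names and sample events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed label ordering, least to most sensitive; a change to a lower
# rank counts as a downgrade. Names are illustrative, not Purview defaults.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}

# Constructed set of "exfiltration channel" operations for this example.
EXFIL_OPS = {"CopyToRemovableMedia", "UploadToPersonalCloud", "PrintDocument"}


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    user: str
    operation: str          # "SensitivityLabelChanged" or one of EXFIL_OPS
    item: str               # document name or path
    old_label: str = ""     # only set for label changes
    new_label: str = ""


@dataclass(frozen=True)
class Alert:
    user: str
    item: str
    downgrade_time: datetime
    exfil_time: datetime
    exfil_operation: str


def is_downgrade(ev: AuditEvent) -> bool:
    """True when a label change moves the item to a less sensitive label."""
    if ev.operation != "SensitivityLabelChanged":
        return False
    return LABEL_RANK.get(ev.new_label, 0) < LABEL_RANK.get(ev.old_label, 0)


def detect_downgrade_then_exfil(events, window_hours: float = 24.0):
    """Return one Alert per (user, item) where a downgrade is followed within
    window_hours by an exfiltration operation on the same item by the same user.
    Exfiltration without a preceding downgrade, or a label *upgrade* followed by
    exfiltration, does not match this pattern."""
    window = timedelta(hours=window_hours)
    pending = {}   # (user, item) -> time of the most recent downgrade
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.user, ev.item)
        if is_downgrade(ev):
            pending[key] = ev.time          # start (or restart) the window
        elif ev.operation in EXFIL_OPS and key in pending:
            started = pending.pop(key)      # consume the downgrade either way
            if ev.time - started <= window:
                alerts.append(Alert(ev.user, ev.item, started, ev.time, ev.operation))
    return alerts


# Constructed sample events covering a match, an upgrade, a stale downgrade
# and an exfiltration with no relabeling at all.
T0 = datetime(2024, 12, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    AuditEvent(T0, "alice", "SensitivityLabelChanged", "Q4-forecast.xlsx",
               "Highly Confidential", "General"),
    AuditEvent(T0 + timedelta(minutes=40), "alice", "CopyToRemovableMedia", "Q4-forecast.xlsx"),
    AuditEvent(T0, "bob", "SensitivityLabelChanged", "notes.docx", "General", "Confidential"),
    AuditEvent(T0 + timedelta(minutes=5), "bob", "PrintDocument", "notes.docx"),
    AuditEvent(T0, "carol", "SensitivityLabelChanged", "plan.pptx", "Confidential", "Public"),
    AuditEvent(T0 + timedelta(days=3), "carol", "UploadToPersonalCloud", "plan.pptx"),
    AuditEvent(T0 + timedelta(minutes=10), "dave", "UploadToPersonalCloud", "memo.docx"),
]

if __name__ == "__main__":
    for a in detect_downgrade_then_exfil(SAMPLE_EVENTS):
        print(f"{a.user}: downgraded {a.item} at {a.downgrade_time}, "
              f"then {a.exfil_operation} at {a.exfil_time}")
```

Only alice matches with the default 24-hour window; widening the window to four days also surfaces carol's delayed upload, which is the tuning trade-off between a tight window and delayed exfiltration.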

DSPM also brings a view of historical trends and insights based on sensitivity labels applied, sensitive assets covered by at least one DLP policy, and potentially risky users, to show the effectiveness of your data security policies over time. And finally, DSPM leverages the power of generative AI through its deep integration with Microsoft Security Copilot. With this integration, you can easily uncover risks that might not be immediately apparent and drive efficient and richer investigations—all in natural language.

With DSPM, you can easily identify possible labeling and policy gaps such as unlabeled content and users that aren’t scoped in a DLP policy, unusual patterns and activities that might indicate potential risks, as well as opportunities to adapt and strengthen your data security program.

Screenshot of the Data Security Posture Management preview dashboard within the Microsoft Purview portal.

Figure 1. DSPM overview page provides centralized visibility across data, users, and activities, as well as access to reports.

Learn more about this announcement in the Data Security Posture Management blog.

Increasing data security and security operations center integration

Understanding data and user context is vital for improving security operations and prioritizing investigations, especially when sensitive data is at stake. By integrating insights such as data classification, access controls, and user activity into the security operations center (SOC) experience, organizations can better assess the impact of security incidents, reduce false alerts, and enhance containment efforts. In addition to the already present DLP alerts in the Microsoft Defender XDR incident investigation and data security remediation actions enabled directly from Defender XDR, we’ve also added Insider Risk Management context to the user entity page to provide a more comprehensive view of user activities.

With Microsoft Purview’s latest integration with Microsoft Defender, now in preview, you get insider risk alerts in Defender XDR and can correlate them with incidents. This gives you critical user context for your security investigations. SOC teams can now better distinguish internal incidents from external cyberattacks and refine their response strategies. For more complex analysis to identify risks such as attack patterns, we are integrating insider risk signals into Defender XDR’s Advanced Hunting, giving you deeper insights and allowing you to improve your policies in partnership with data security teams. Together, these advancements allow your organization to stay ahead of evolving cyberthreats, providing a collaborative and data-driven approach to security.

Learn more about this announcement in the Purview Insider Risk Management blog.

Protecting data and preventing sensitive data loss

As AI generates new data in unprecedented volumes, the need to secure that data and prevent the loss of sensitive information has become even more crucial. Our new DLP capabilities help you effectively investigate DLP incidents, fortify existing protections, and refine your overall DLP program. You can now customize Purview DLP to the established processes of your organization with the Microsoft Power Automate connector in preview. This lets you automate and customize your DLP policy actions through Power Automate workflows to integrate your DLP incidents into new or established IT, security, and business operations workflows, like stakeholder awareness or incident remediation.

DLP policy insights in Security Copilot, also in preview, summarize existing DLP policies in natural language and help you understand any gaps in policy coverage across your environment. This makes it easier for you to quickly and easily understand the full breadth of DLP policy coverage across your organization and address gaps in protection. We are also enhancing DLP protections on endpoints by expanding our file type coverage from more than 40 to more than 110 file types. Users can also now store and view full files on Windows devices as evidence for forensic investigations using Microsoft-managed storage. With the Microsoft-managed option, your admins can save time otherwise spent configuring additional settings, assigning permissions, and selecting the storage in the policy workflow. Finally, you can now enforce blanket protections on file types that cannot currently be scanned or classified by endpoint DLP, such as blocking copy to removable media for all computer-aided design (CAD) files regardless of those files’ contents. This helps ensure that the diverse range of file types found in your environment are still protected even if they cannot currently be scanned and classified by Microsoft Purview endpoint DLP. 

Learn more about these announcements in our Microsoft Purview Data Loss Prevention blog.

Microsoft Purview Data Governance innovations to drive greater business value

Research indicates that data practitioners spend 80% of their time finding, cleaning, and organizing data, leaving only 20% of time to process and analyze it.4 To simplify the data governance practice in the age of AI, the Microsoft Purview Unified Catalog is a comprehensive enterprise catalog that automatically inventories and tags your organization’s critical data assets. This gives your business users the ability to search for specific business data when building analytics reports or AI models. The Unified Catalog gives you visibility and confidence in your data across your disparate data sources and local catalogs with built-in data quality management and end-to-end lineage. You can integrate metadata from diverse catalogs such as Fabric OneLake, Databricks Unity, and Snowflake Polaris, into a unified catalog for all your data stewards, data owners, and business users.

Now in preview, Unified Catalog provides deeper data quality through a new scan engine that supports open standard file and table formats for big data platforms, including Microsoft Fabric, Databricks Unity Catalog, Snowflake, Google Big Query, and Amazon S3. This new scan engine enables rich data quality management at the asset level, improving overall data quality health. Lastly, Microsoft Purview Analytics in OneLake (preview) allows you to extract tenant-specific metadata from the Unified Catalog and export it directly into OneLake. You can then use Microsoft Power BI to analyze the metadata to further understand and report on your data’s quality and lineage.

Learn more about these announcements in our Microsoft Purview Data Governance blog.

Support compliance and regulatory requirements


As regulatory requirements evolve with the proliferation of AI, it is more critical than ever for businesses to keep compliance and privacy top of mind. However, adhering to requirements is becoming increasingly complex, while consequences for non-compliance are growing more severe. Microsoft Purview empowers you to address regulatory demands and comply with corporate policies by offering compliance and privacy controls that are both scalable and adaptable to changing needs.

New templates in Compliance Manager to help simplify compliance

Microsoft Purview Compliance Manager provides insights into your organization’s compliance status through compliance templates and provides suggested actions and next steps to help you along your compliance journey. Compliance Manager continues to add new templates to help you address new and evolving regulations, including templates for the European Union AI Act (EUAI Act), NIST 2 AI, ISO 42001, ISO 23894, the Digital Operational Resilience Act (DORA), and additional industry and regional regulations. Compliance Manager now includes historical records that help track your organization’s compliance and provides actionable next steps to understand how new regulations or policies affect your compliance score over time. In addition, you can now leverage custom templates to address both regulatory and your organization’s specific policies and preferences.

Screenshot of the Compliance Manager assessment within the Microsoft Purview Portal.

Figure 2. EUAI Act Assessment in Compliance Manager.

Learn more about this announcement in the Microsoft Purview Compliance Manager blog.

New Microsoft Purview controls for ChatGPT Enterprise with integration with OpenAI for improved compliance

Microsoft Purview now integrates with ChatGPT Enterprise, allowing you to gain visibility and govern the prompts and responses of your ChatGPT Enterprise interactions. This integration, currently in preview, includes Microsoft Purview Audit for auditing ChatGPT Enterprise interactions, Microsoft Purview Data Lifecycle Management for enabling retention and deletion policies, Microsoft Purview Communication Compliance to proactively detect regulatory and corporate policy violations, and Microsoft Purview eDiscovery to streamline legal investigations.

Learn more about all these announcements in our Security for AI blog.   

Microsoft Purview is built to help safeguard AI Innovation

With the rapid adoption of AI, new vulnerabilities have emerged, highlighting the need for strong data security and governance of AI workloads. Microsoft Purview is built to secure and govern data related to pre-built and custom-built AI apps.

Introducing Microsoft Data Security Posture Management for AI (DSPM for AI)

Security teams often find themselves in the dark when it comes to data security and compliance risks associated with AI usage. Without proper visibility, organizations often struggle to safeguard their AI assets effectively. DSPM for AI, now generally available, gives you visibility through a centralized dashboard and reports, enables you to proactively discover and manage your AI-related data risks, such as sensitive data in user prompts, and gives you actionable recommendations and real-time insights to respond effectively to security incidents.

Microsoft Purview controls for Microsoft 365 Copilot help prevent data oversharing

Data oversharing occurs when users have access to more data than necessary for their job duties. Organizations need effective data security controls to help mitigate this risk. At Microsoft Ignite we announced a number of new Microsoft Purview capabilities in preview to prevent data oversharing in Microsoft 365 Copilot.

Data oversharing assessments: Discover data that is at risk of oversharing by scanning files containing sensitive data, identifying risky data sources such as SharePoint sites with overly permissive user access, and by providing recommendations such as auto-labeling policies and default labels to prevent sensitive data from being overshared. The oversharing assessment report can identify unlabeled files accessed by users before deploying Copilot or can be run post-deployment to identify sensitive data referenced in Copilot responses. 

Label-based permissions: Microsoft 365 Copilot honors permissions based on sensitivity labels assigned by Microsoft Purview when referencing sensitive documents.

Purview DLP for Microsoft 365 Copilot: You can create DLP policies to exclude documents with specified sensitivity labels from being processed, summarized, or used in responses in Microsoft 365 Copilot, preventing sensitive data from being inadvertently overshared.

New Microsoft Purview capabilities to detect risky activities in Microsoft 365 Copilot

Security teams need ways to detect risky use of AI applications like deliberate or accidental access to sensitive data, jailbreaks, and copyright violations. Insider Risk Management and Communication Compliance now provide risky AI usage indicators, a policy template, and an analytics report in preview to help detect and investigate the risky use of AI. These new capabilities not only help detect risky activities and prompts but also integrate with Microsoft Defender XDR, enabling your security teams to investigate new AI-related risks holistically alongside other risks, such as identity risks through Microsoft Entra and data oversharing and data loss risks through Purview DLP.

New Microsoft Purview capabilities for agents built with Microsoft Copilot Studio

When new and citizen developers are building low-code or no-code AI, they often lack security expertise and tools to enable security and compliance controls. Microsoft Purview now provides data controls for agents built in Copilot Studio to enable low-code and no-code developers to build more secure agents. For example, when an agent built with Copilot Studio accesses sensitive data, it will recognize and honor the sensitivity labels of the data being accessed. Microsoft Purview will also protect sensitive data generated by the agent through label inheritance and will enforce label permissions, ensuring only authorized users have access.

Data security admins also get visibility into the sensitivity of data in user prompts and agent responses within DSPM for AI. Moreover, Microsoft Purview will enable you to detect anomalous user activity and risky or non-compliant AI use and apply retention or deletion policies on your agent prompts and responses. These new controls give you visibility and insights into risks for your agents built with Copilot Studio, strengthening your data security posture.

Learn more about all these announcements in our Security for AI blog.   

Unified solutions that empower your organization

As you navigate the complexities of AI proliferation, regulatory requirements, and security threats, we are excited to innovate, invest in, and expand the capabilities of Microsoft Purview to address your most pressing data security, governance, and compliance challenges.

Get started with Microsoft Purview today

To get started, we invite you to try Microsoft Purview free and to learn more about Microsoft Purview today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Microsoft internal research, May 2023.

2. Gartner, Innovation Insight for Security Platforms, Peter Firstbrook, Craig Lawson, October 16, 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

3. Microsoft internal research, August 2024.

4. Overcoming the 80/20 Rule in Data Science, Pragmatic Institute.

The post New Microsoft Purview features help protect and govern your data in the era of AI appeared first on Microsoft Security Blog.

8 years as a Leader in the Gartner® Magic Quadrant™ for Access Management http://approjects.co.za/?big=en-us/security/blog/2024/12/05/8-years-as-a-leader-in-the-gartner-magic-quadrant-for-access-management/ Thu, 05 Dec 2024 17:00:00 +0000 For the 8th year in a row, Microsoft is designated a Leader in the Gartner® Magic Quadrant™ for Access Management for our Microsoft Entra ID products and related solutions.

The post 8 years as a Leader in the Gartner® Magic Quadrant™ for Access Management appeared first on Microsoft Security Blog.

In mid-October, we released our 2024 Microsoft Digital Defense Report, which revealed over 600 million identity attacks per day. As multifactor authentication now blocks most password-based attacks, we’re seeing a shift in threat actor tactics and a convergence of nation-state and cybercriminal threat activity. More than 99% of identity attacks are password attacks—often due to predictable human behaviors like easy-to-guess passwords, password reuse, and falling prey to phishing attacks.1 That’s why comprehensive, integrated identity and access management (IAM) should be a core part of any organization’s threat-informed defense. Today we’re honored to announce that for the eighth year in a row, Microsoft has been named a Leader in the 2024 Gartner® Magic Quadrant™ for Access Management—placed highest on the Ability to Execute axis. 

Delivering on identity and access management for customers

We believe our 2024 Gartner® Magic Quadrant™ recognition validates our commitment to delivering a comprehensive, AI-powered and automated identity portfolio to customers with Microsoft Entra. It empowers customers to protect their digital everything with a simplified user experience that makes identity and access management (IAM) easier than ever before. And it is informed by our customers and partners, whom we thank and with whom we share this honor.

2024 Gartner® Magic Quadrant™ for Access Management recognizing Microsoft as a Leader in this category.
Source: Gartner

Microsoft Entra is a unified identity and network access solution that protects any identity and secures access to any application or resource, in any cloud or on-premises. It’s a single place with a simplified user experience for security professionals. Microsoft Entra allows organizations to: 

  • Use adaptive identity and network access controls to secure access to any app or resource, from anywhere. 
  • Protect and verify every identity with consistent security policies for every user—employees, frontline workers, customers, and partners—as well as apps, devices, and workloads across multicloud and hybrid environments. 
  • Provide only the access necessary with right-size permissions, access lifecycle management, and least-privilege access for any identity. 

We’re especially proud of this recognition in our eighth year as a Leader, and share our thanks to our customers, partners, and team members for their contributions and support.

Looking to the future

As we celebrate this year’s recognition, we’re also hard at work on new and expanded features—looking ahead to meet customers’ changing IAM needs as our collective threat landscape continues to evolve.

Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator, and we’re investing in both synced and device-bound passkeys for work accounts. For enterprises that use passwords today, passkeys provide a seamless way for workers to authenticate without entering a username or password. Passkeys improve worker productivity and provide stronger security. Read more about the requirements and instructions to enable passkeys for your organization.


Microsoft Security Copilot, now in public preview, is embedded in Microsoft Entra—helping customers investigate and resolve identity risks, assess identities and access with AI-powered intelligence, and complete complex tasks quickly. Built on top of real-time machine learning, Copilot in Microsoft Entra can help your teams find gaps in access policies, generate identity workflows, and troubleshoot faster. You can also unlock new skills that allow admins at all levels to complete complex tasks such as incident investigation and sign-in log analysis, saving time and resources. Read more about the key features of Copilot in Microsoft Entra.

Microsoft is working with a diverse community to create a decentralized identity solution that puts individuals in charge of their own digital identities, providing a secure and private way to manage identity data without relying on centralized authorities or intermediaries. With Face Check with Microsoft Entra Verified ID, enterprises can perform high-assurance verifications securely, simply, and at scale. Powered by Azure AI services, Face Check adds a critical layer of trust by performing facial matching between a user’s real-time selfie and a photo. Read more about the prerequisites and setup requirements for Face Check with Microsoft Entra Verified ID.

Learn more

You can learn more by reading the full 2024 Gartner® Magic Quadrant™ for Access Management report. To learn more about the Microsoft Entra portfolio and its products, visit our website.

 Are you a regular user of Microsoft Entra ID? Review your experience on Gartner Peer Insights™ and get a $25 gift card. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


1. Microsoft Digital Defense Report, Microsoft, 2024.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Gartner, Magic Quadrant for Access Management, 2 December 2024, By Brian Guthrie, Nathan Harris, Abhyuday Data, Josh Murphy.  

Zero Trust Workshop: Advance your knowledge with an online resource http://approjects.co.za/?big=en-us/security/blog/2024/11/06/zero-trust-workshop-advance-your-knowledge-with-an-online-resource/ Wed, 06 Nov 2024 17:00:00 +0000 As part of Microsoft’s ongoing efforts to support security modernization and the Zero Trust principles, we’ve launched Zero Trust Workshop, an online self-service resource. Read our latest blog post for details.

The post Zero Trust Workshop: Advance your knowledge with an online resource appeared first on Microsoft Security Blog.

Microsoft is on the front lines helping secure customers worldwide—analyzing and responding to cybersecurity threats, building security technologies, and partnering with organizations to effectively deploy these technologies for increased security. Many of you have been following as we’ve described our Secure Future Initiative, which is pushing the Zero Trust principles (verify explicitly, use least privilege, and assume breach) into the programmatic approach of Secure by Design, Secure by Default, and Secure Operations across Microsoft, consistently, durably, and at scale. In the Microsoft Security division, we are also focused on helping our customers deploy our suite of security products to protect themselves from cyber threats. We know that most of our customers are embarking on a Zero Trust journey, but many struggle with the enormity of the opportunity: where to start, what to do next, and how to measure progress.

We are announcing a resource to help our customers answer these questions: the Microsoft Zero Trust Workshop, a self-service tool to help you plan and execute your Zero Trust journey, either by yourself or with the guidance of a partner.

The Zero Trust Workshop lets you customize your organization’s end-to-end security deployment to your unique business needs and environment. It provides a comprehensive assessment of Zero Trust capabilities learned from hundreds of deployments; guides you with a visual, easy-to-use tool that explains each step of the journey; and delivers a digital artifact that you and your team can use to plan and prioritize your next steps and to compare and measure progress regularly.


How our workshop helps customers and partners solidify their Zero Trust strategy 

Over the past year, we have piloted this workshop with more than 30 customers and partners. They have consistently told us that this provides them with the clarity, coverage, and actionable guidance they need to secure their organization within each Zero Trust pillar and across the pillars. When asked how likely they are to recommend the workshop to their partner teams or to other customers, customers give the workshop a net promoter score of 73.

The layout and question structure is fantastic as it provokes a fair amount of thought around adding each of the capabilities to take a multi-faceted approach to authentication and authorization.

—Senior vice president at a major financial institution

Security is a team sport, and we recognize that customers often need security partners to help them plan and execute their security strategy. This is why we partnered with several deployment partners across the pillars of Zero Trust to get their feedback on the workshop and how they would use it to help their customers.

The Zero Trust Workshop is a great starting point for our customers who want to embrace Zero Trust principles, but don’t know how to align the technology they already own. Furthermore, the workshop allows our customers to measure the progress they’ve made and aim for the next incremental hardening of the Zero Trust model, which is part and parcel of the Zero Trust manner of thinking. As a Microsoft partner and as an MVP, I advocate that customers use the materials provided by Microsoft, including these workshops, to measure and further their security posture.

Nicolas Blank, NBConsult

[The Zero Trust workshop] has enabled Slalom to help clients accelerate their efforts towards a comprehensive cyber resilience strategy. It provides a clear picture of an organization’s current state and provides a template for order of operations and best practices in a very tidy package. It’s an easy-to-use tool with a huge impact, and our clients and workshop participants have been very impressed by how it organizes and prioritizes a complex set of operations in an approachable and manageable way.

Slalom

How to start using the workshop to plan your Zero Trust journey

The Zero Trust Workshop comprises two main components, both in one file you can download and use to drive these conversations:

  • The Zero Trust Basic Assessment (optional): For customers starting on their Zero Trust journey, the assessment is a foundational tool that customers can run before the workshop to check for common misconfigurations and gaps in settings (for example, having too many global admins) to remediate before starting to enable the security features and capabilities of a Zero Trust journey.  
  • The Zero Trust Strategy workshop: This is a guided breakdown of the Zero Trust areas according to the standard Zero Trust pillars (Identity, Devices, Data, Network, Infrastructure and Application, and Security Operations). For each pillar, we walk you through the associated areas in a proposed “do this first, consider this next, think about this later” order. For each area and capability, you get guidance on why it matters and options to address it; you can then discuss it with your stakeholders and decide whether it is something you have already done, something you are going to do, or something you do not plan to implement at this time. As you progress through the different boxes and areas, you create an artifact for your organization showing how well-deployed you are in each Zero Trust pillar and which areas to tackle next.

Today we are launching the Identity, Devices, and Data pillars. We will add the Network, Infrastructure and Application, and Security Operations pillars in the coming months; the workshop website will announce these as they become available.

I invite you to check out the Zero Trust Workshop site where we have detailed training videos and content. 

For our valued security deployment partners, the workshop is also included in the recently launched Zero Trust Partner kit where, as a partner, you can take the workshop material and customize it for your customer engagements based on your needs. 

Closing thoughts

We all need to work together to help secure the world we live in and keep people safe, in the spirit of collective defense. As shared in the most recent Microsoft Digital Defense Report, the cyber threat landscape is ever-growing and requires a collaborative approach between product vendors, security experts, and customers to help protect everyone. In the spirit of working with the wider ecosystem to help secure all customers, we recently partnered with NIST’s NCCoE and more than 20 security vendors to publish a guide on how to adopt NIST’s Zero Trust reference architecture using Microsoft’s security products. The workshop is another example of us working with all of you deploying security out there to help secure the ecosystem.

We would love to hear how you are using it. Use the feedback form on the site to share with us how we can improve it to help your organization implement a Zero Trust journey. 

Additional resources to accelerate your Zero Trust journey 

This joins a library of other resources to guide your security modernization and Zero Trust journey, including: 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

Microsoft now a Leader in three major analyst reports for SIEM https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-now-a-leader-in-three-major-analyst-reports-for-siem/ba-p/4278853 Thu, 31 Oct 2024 17:00:00 +0000 Microsoft is positioned in the Leaders Category in the 2024 IDC MarketScape for worldwide SIEM for Enterprise—making it the third major analyst report in SIEM to name Microsoft as a Leader.

The post Microsoft now a Leader in three major analyst reports for SIEM appeared first on Microsoft Security Blog.

We’re excited and honored to be positioned in the Leaders Category in the IDC MarketScape: Worldwide SIEM (security information and event management) for Enterprise 2024 Vendor Assessment (doc #US51541324, September 2024)—our third major analyst report in SIEM to name Microsoft as a Leader. We were recognized in the most recent reports as a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management and as a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2022. We believe this position validates our vision and continued investments in Microsoft Sentinel, making it a best-in-class, cloud-native SIEM solution. It’s always a rewarding experience when trusted analysts recognize the continued work we’ve put into helping our customers modernize their operations, improve their security posture, and work more efficiently. 

A Leader in the market with an innovative solution for the SOC  

Microsoft Sentinel provides a unique experience for customers to help them act faster and stay safer while managing the scaling costs of security. Customers choose our SIEM in order to:  

  • Protect everything with a comprehensive SIEM solution. Microsoft Sentinel is a cloud-native solution that supports detection, investigation, and response across multicloud and multi-platform data sources with 340+ out-of-the-box connectors. A strength of Microsoft’s offering is its breadth, which includes user and entity behavior analytics (UEBA), threat intelligence, and security orchestration, automation, and response (SOAR) capabilities, along with native integrations into Microsoft Defender threat protection products.
  • Enhance security with a unified security operations platform. Customers get the best protection when pairing Microsoft Sentinel with Defender XDR in Microsoft’s unified security operations platform. The integration not only brings the two products together into one experience but combines functionalities across each to maximize efficiency and security. One example is the unified correlation engine which delivers 50% faster alerting between first- and third-party data, custom detections and threat intelligence.3 Customers can stay safer with a unified approach, with capabilities like automatic attack disruption—which contains attacks in progress, limiting their impact at machine speed.   
  • Address any scenario. As the first cloud-native SIEM, Microsoft Sentinel helps customers observe threats across their digital estate with the flexibility required for today’s challenges. Our content hub offerings include over 200 Microsoft-created solutions and over 280 community contributions. The ability to adapt to the unique use cases of an organization is something called out in both the Forrester and Gartner reports.
  • Scale your security coverage with cloud flexibility. Compared with legacy, on-premises SIEM solutions, Microsoft Sentinel customers see up to a 234% return on investment (ROI).1 This makes it an attractive option for customers looking for a scalable offering to meet the evolving needs of their business while managing the costs of data. We’ve recently launched a new, low-cost data tier called Auxiliary Logs to help customers increase the visibility of their digital environment while keeping their budgets in check. In addition, Microsoft’s SOC Optimizations feature, a first-of-its-kind offering, provides targeted recommendations on how to better leverage security data to manage costs and maximize protection, based on the customer’s specific environment and using frameworks like MITRE ATT&CK.
  • Respond quickly to emergent threats with AI. Security Copilot is a GenAI tool that can help analysts increase the speed of their response, uplevel their skills, and improve the quality of their work. 92% of analysts reported using Copilot helped make them more productive and 93% reported an improvement in the quality of their work.2  

What’s next in Microsoft Security 

Microsoft is dedicated to continued leadership in security through ongoing investment to provide customers with the intelligence, automation, and scalability they need to protect their businesses and work efficiently. New and upcoming enhancements include more unified features across SIEM and XDR, exposure management and cloud security in the unified security operations platform, and our SIEM migration tool—which now supports conversion of Splunk detections to Microsoft Sentinel analytics rules and additional Copilot skills to help analysts do their job better.  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

[1] The Total Economic Impact™ Of Microsoft Sentinel, Forrester (forrester.com).

[2] Microsoft Copilot for Security randomized controlled trial (RCT) with experienced security analysts, conducted by the Microsoft Office of the Chief Economist, January 2024.

[3] Microsoft internal data.

Gartner, Magic Quadrant for Security Information and Event Management, By Andrew Davies, Mitchell Schneider, Rustam Malik, Eric Ahlm, 8 May 2024 

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Escalating cyber threats demand stronger global defense and cooperation https://blogs.microsoft.com/on-the-issues/2024/10/15/escalating-cyber-threats-demand-stronger-global-defense-and-cooperation/ Tue, 15 Oct 2024 14:00:00 +0000 We must find a way to stem the tide of this malicious cyber activity. That includes continuing to harden our digital domains to protect our networks, data, and people at all levels. However, this challenge will not be accomplished solely by executing a checklist of cyber hygiene measures but only through a focus on and commitment to the foundations of cyber defense from the individual user to the corporate executive and to government leaders.  

The post Escalating cyber threats demand stronger global defense and cooperation appeared first on Microsoft Security Blog.

Microsoft customers face more than 600 million cybercriminal and nation-state attacks every day, ranging from ransomware to phishing to identity attacks. Once again, nation-state affiliated threat actors demonstrated that cyber operations—whether for espionage, destruction, or influence—play a persistent supporting role in broader geopolitical conflicts. Also fueling the escalation in cyberattacks, we are seeing increasing evidence of the collusion of cybercrime gangs with nation-state groups sharing tools and techniques.  

We must find a way to stem the tide of this malicious cyber activity. That includes continuing to harden our digital domains to protect our networks, data, and people at all levels. However, this challenge will not be accomplished solely by executing a checklist of cyber hygiene measures but only through a focus on and commitment to the foundations of cyber defense from the individual user to the corporate executive and to government leaders.  

These are some of the insights from the fifth annual Microsoft Digital Defense Report, which covers trends between July 2023 and June 2024.

State-affiliated actors increasingly are using cybercriminals and their tools.  

Over the last year, Microsoft observed nation-state actors conduct operations for financial gain, enlist cybercriminals to collect intelligence (particularly on the Ukrainian military), and make use of the same infostealers, command and control frameworks, and other tools favored by the cybercriminal community. Specifically:

  • Russian threat actors appear to have outsourced some of their cyberespionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cybercrime group used commodity malware to compromise at least 50 Ukrainian military devices.  
  • Iranian nation-state actors used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee.
  • North Korea is getting into the ransomware game. A newly identified North Korean actor developed a custom ransomware variant called FakePenny, which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks—demonstrating both intelligence gathering and monetization motivations.

Nation state activity was heavily concentrated around sites of active military conflict or regional tension 

Aside from the United States and the United Kingdom, most of the nation-state-affiliated cyber threat activity we observed was concentrated around Israel, Ukraine, the United Arab Emirates, and Taiwan. In addition, Iran and Russia have used both the Russia-Ukraine war and the Israel-Hamas conflict to spread divisive and misleading messages through propaganda campaigns that extend their influence beyond the geographical boundaries of the conflict zones, demonstrating the globalized nature of hybrid warfare.  

  • Approximately 75% of Russian targets were in Ukraine or a NATO member state, as Moscow seeks to collect intelligence on the West’s policies on the war. 
  • Chinese threat actors’ targeting efforts remain similar to the last few years in terms of geographies targeted—Taiwan being a focus, as well as countries within Southeast Asia—and intensity of targeting per location. 
  • Iran placed significant focus on Israel, especially after the outbreak of the Israel-Hamas war. Iranian actors continued to target the US and Gulf countries, including the UAE and Bahrain, in part because of their normalization of ties with Israel and Tehran’s perception that they are both enabling Israel’s war efforts. 

Chart: Example of Iran’s targeting shift following the start of the Israel-Hamas conflict.

Russia, Iran, and China focus on the U.S. election

Russia, Iran, and China have all used ongoing geopolitical matters to drive discord on sensitive domestic issues leading up to the U.S. election, seeking to sway audiences in the U.S. to one party or candidate over another, or to degrade confidence in elections as a foundation of democracy. As we’ve reported, Iran and Russia have been the most active, and we expect this activity to continue to accelerate over the next two weeks ahead of the U.S. election.  

In addition, Microsoft has observed a surge in election-related homoglyph domains—or spoofed links—delivering phishing and malware payloads. We believe these domains are examples both of cybercriminal activity driven by profit and of reconnaissance by nation-state threat actors in pursuit of political goals. At present, we are monitoring over 10,000 homoglyphs to detect possible impersonations. Our objective is to ensure Microsoft is not hosting malicious infrastructure and inform customers who might be victims of such impersonation threats.  

Financially motivated cybercrime and fraud remain a persistent threat  

While nation-state attacks continue to be a concern, so are financially motivated cyberattacks. In the past year Microsoft observed:   

  • A 2.75x increase year over year in ransomware attacks. Importantly, however, there was a threefold decrease in ransomware attacks reaching the encryption stage. The most prevalent initial access techniques continue to be social engineering—specifically email phishing, SMS phishing, and voice phishing—but also identity compromise and exploitation of vulnerabilities in public-facing applications or unpatched operating systems.
  • Tech scams have skyrocketed 400% since 2022. In the past year, Microsoft observed a significant uptick in tech scam traffic, with daily frequency surging from 7,000 in 2023 to 100,000 in 2024. Over 70% of malicious infrastructure was active for less than two hours, meaning it may be gone before it is even detected. This rapid turnover rate underscores the need for more agile and effective cybersecurity measures.

Threat actors are experimenting with generative AI 

Last year, we started to see threat actors—both cybercriminals and nation states—experimenting with AI. Just as AI is increasingly used to help people be more efficient, threat actors are learning how they can use AI efficiencies to target victims. With influence operations, China-affiliated actors favor AI-generated imagery, while Russia-affiliated actors use audio-focused AI across mediums. So far, we have not observed this content being effective in swaying audiences.  

Nation-state adversarial use of AI in influence operations. 

But the story of AI and cybersecurity is also a potentially optimistic one. While still in its early days, AI has shown its benefits to cybersecurity professionals by acting as a tool to help respond in a fraction of the time it would take a person to manually process a multitude of alerts, malicious code files, and corresponding impact analysis. We continue to innovate our technology to find new ways that AI can benefit and strengthen cybersecurity.   

Collaboration remains crucial to strengthening cybersecurity. 

With more than 600 million attacks per day targeting Microsoft customers alone, there must be countervailing pressure to reduce the overall number of attacks online. Effective deterrence can be achieved in two ways: by denying intrusions or by imposing consequences for malicious behavior. Microsoft continues to do its part to reduce intrusions and has committed to taking steps to protect ourselves and our customers through our Secure Future Initiative.

While the industry must do more to deny the efforts of attackers via better cybersecurity, this needs to be paired with government action to impose consequences that further discourage the most harmful cyberattacks. Success can only be achieved by combining defense with deterrence. In recent years, a great deal of attention has been given to the development of international norms of conduct in cyberspace. However, those norms so far lack meaningful consequence for their violation, and nation-state attacks have been undeterred, increasing in volume and aggression. To shift the playing field, it will take conscientiousness and commitment by both the public and private sectors so that attackers no longer have the advantage.  

Microsoft continues to share important threat intelligence with the community, including our recent Cyber Signals research looking at cyber risks in the education sector. 

The post Escalating cyber threats demand stronger global defense and cooperation appeared first on Microsoft Security Blog.

Microsoft Defender for Cloud remediated threats 30% faster than other solutions, according to Forrester TEI study http://approjects.co.za/?big=en-us/security/blog/2024/10/07/microsoft-defender-for-cloud-remediated-threats-30-faster-than-other-solutions-according-to-forrester-tei-study/ Mon, 07 Oct 2024 16:00:00 +0000 Forrester found that Microsoft Defender for Cloud markedly enhanced the security, compliance, and operational efficiency of each company participating.

The broad adoption of multicloud and hybrid infrastructures has introduced new complexity to the cloud estates of many businesses. With this complexity comes a broader attack surface for would-be data thieves. Sophisticated ransomware attacks that exploit vulnerabilities in cloud infrastructure are on the rise, as are supply chain attacks that target third-party software. Cyberattackers move at lightning speed in the cloud, and, due to the advent of generative AI, their attacks are increasing in number, speed, and sophistication. To address this emergent risk, organizations of all sizes can unify their security and compliance, from code to runtime, in hybrid and multicloud environments with an integrated, generative AI-powered cloud native application protection platform (CNAPP) and better defend themselves against cloud threats.

Microsoft Defender for Cloud, the integrated CNAPP from Microsoft, delivers comprehensive security and compliance from code to runtime, enhanced by generative AI and threat intelligence to help you secure your hybrid and multicloud environments. With Defender for Cloud, organizations can support secure development, minimize risks with contextual posture management, and protect workloads and applications from modern threats in a unified security operations (SecOps) experience.  

Defender for Cloud not only transcends traditional security silos and extends its end-to-end security across multicloud and hybrid infrastructure, it delivers advanced security posture management and threat remediation capabilities as well. In order to prove the solution’s business benefits, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study. The study aims to provide business leaders and decision-makers with a solid framework with which they can evaluate the benefits and potential financial impact of Defender for Cloud on their organizations.

Through the course of the study, participating interviewees reported experiencing a wide variety of benefits related to Defender for Cloud, including reduced operational risk, a compressed, more secure development lifecycle, and faster threat investigation and remediation.

Results are based on a composite organization.

All told, the study found that the benefits of Defender for Cloud add up to a significant net present value (NPV) of $4.25 million over three years. But that’s not the whole story. Here are some other key takeaways mentioned by Forrester’s interviewees.

1. Shorter threat investigation and remediation times

“[Defender for Cloud] just takes out the weird stuff happening on our network that ends up on the cybersecurity desk. We’ve already probably cut back about 60% of the workload, and a lot of that revolves around false positives, so I can get better data. The systems assess the data properly…I’m not even going to give it to the analyst. I’m going to auto-close.”

—Chief technology officer, Life Sciences

Defender for Cloud was found to register 50% fewer false positives than legacy security solutions. Simultaneously, the solution reduced the investigation and remediation times of legitimate threats by 30%. Due to these dramatic improvements, study participants avoided 36,000 investigation and remediation hours on average. By reallocating the corresponding $796,000 of SecOps labor to proactive threat hunting and other high-value activities, companies were able to further improve their security performance.

2. Improved security operations center (SOC) productivity

“[With Defender for Cloud], if the tools are configured properly, the [global] efficiencies in your SOC can probably be up to 30% for a fine-tuned environment.”

—Technical manager, Business-to-business Software

By broadening the number and types of workloads protected by Defender for Cloud, participating businesses saw an average 30% improvement in SecOps productivity. This boost was a combination of consolidating duplicative multicloud security policies, replacing patching processes and other similar time-consuming procedures with automation, and embracing the efficiency gains of a better-integrated Microsoft ecosystem. In financial terms, these productivity gains translate to a $5.6 million savings over three years.

3. Lower total cost of ownership

“[Without Defender for Cloud], it would be so much more complex. It would cost us double to maintain [our multicloud security stack].”

—Cyberdefense leader, Materials

Interviewees reported that Defender for Cloud reduced their licensing costs by 10% when compared to legacy security solutions. These savings are the result of eliminating the licensing and management costs associated with five legacy security solutions over three years—made possible because of the breadth of workloads protected by Defender for Cloud. Interviewees also reported a 1,700-hour reduction in security stack administrative work thanks to their ability to consolidate workloads across their multicloud infrastructures. Together, these adjustments yielded more than $1 million in cost savings.

4. More comprehensive cyberthreat coverage and prioritization

“Microsoft is capturing 10% of real incidents [not caught by other solutions deployed], reducing our attack surface by 10%.”

—Chief information security officer (CISO), Technology

Defender for Cloud caught 10% more legitimate cyberthreats, on average, than the prior security environments study participants had been using. Each of these threats required a response and would otherwise have been missed. Interviewees described the incidents they had previously lacked the capacity to address as a mix of increasingly complex and overlapping cyberthreats that included, but were not limited to, runtime container risk, overprovisioned container privileges, malware, phishing and social engineering efforts, and shadow IT. Not only did Defender for Cloud identify these incidents, it provided greater context surrounding them, improving threat prioritization and avoiding $292,000 in costs related to data breaches.

5. Lower compliance costs

“[Defender for Cloud] is capable of saving up to 5% of [my organization’s] engineering overhead around [audit and compliance] meetings and collaboration.”  

—CISO, Technology

With Defender for Cloud, participating organizations decreased their compliance-related costs. Auditing fees were avoided and compliance-related meeting schedules were streamlined, reducing reliance on outside auditing services. Over three years, the average savings related to these process improvements was $857,000, a 15% reduction in audit compliance overhead.

The advantages of Microsoft Defender for Cloud

Overall, the Forrester study found that Defender for Cloud markedly enhanced the security, compliance, and operational efficiency of each company participating in the TEI study. Through representative interviews and financial analysis, Forrester determined that a composite organization experiencing the aggregate benefits of the study’s participants received $8.52 million in financial benefits over three years. In balancing these benefits against $4.27 million in costs over the same period, Forrester determined that Defender for Cloud represents a net present value (NPV) of $4.25 million.

Interviewees participating in the study went beyond the financial benefits in their praise of Defender for Cloud. After adopting the solution, participants saw reduced risk and improvements to both their security and compliance postures at scale. Even as regulatory and compliance landscapes shifted beneath their feet, these organizations were better able to use the added context of Microsoft cloud security benchmarks to stay on solid ground—remaining compliant when others might not have.

Additionally, interviewees noted that Defender for Cloud helped them more securely collaborate with their technology partners and to establish more secure, more efficient software development pipelines. These benefits, interviewees emphasized, would have further benefits down the road as well, including reduced development times, improved time-to-value, and ultimately greater potential for business growth.

Learn more

To learn more about the business value of Microsoft Defender for Cloud, explore the Total Economic Impact™ Of Microsoft Defender for Cloud study for further analysis and findings, as well as the perspectives of Defender for Cloud users interviewed in the study. Also, register for the webinar featuring Forrester on top cloud security trends, key considerations, and quantifying the business value of CNAPP.

Learn more about Microsoft Cloud Security Solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Defender for Cloud remediated threats 30% faster than other solutions, according to Forrester TEI study appeared first on Microsoft Security Blog.
