Microsoft Copilot for Security

Powerful new capabilities, new integrations, and industry-leading generative AI—generally available on April 1, 2024.

Learn more

We are inspired by the results of our second Copilot for Security economic study, which shows that experienced security professionals are faster and more accurate when using Copilot, and they overwhelmingly want to continue using Copilot. The gains are truly amazing:

• Experienced security analysts were 22% faster with Copilot.
• They were 7% more accurate across all tasks when using Copilot.
• And, most notably, 97% said they want to use Copilot the next time they do the same task.

This new study focuses on experienced security professionals and expands the randomized controlled trial we published last November, which focused on new-in-career security professionals. Both studies measured the effects on productivity when analysts performed security tasks using Copilot for Security compared to a control group that did not. The combined results of both studies demonstrate that everyone—across all levels of experience and types of expertise—can make gains in security with Copilot. When we put Copilot in the hands of security teams, we can break down barriers to entry and advancement, and improve the work experience for everyone. Copilot enables security for all.

Copilot for Security is now pay-as-you-go

Toward our goal of enabling security for all, Microsoft is also introducing a provisioned pay-as-you-go licensing model that makes Copilot for Security accessible to a wider range of organizations than any other solution on the market. With this flexible, consumption-based pricing model, you can get started quickly, then scale your usage and costs according to your needs and budget. Microsoft Copilot for Security will be available for purchase starting April 1, 2024. Connect with your account representative now so your organization can be among the first to enjoy the incredible gains from Copilot for Security.

Global availability and broad ecosystem

General availability means Copilot for Security will be available worldwide on April 1, 2024. Copilot is multilingual and can process prompts and respond in eight languages with a multilingual interface for 25 different languages, making it ready for all major geographies across North and South America, Europe, and Asia.

Copilot has grown a broad, global ecosystem of more than 100 partners consisting of managed security service providers and independent software vendors. We are so grateful to the partners who continue to play a vital role in empowering everyone to confidently adopt safe and responsible AI.

Partners can learn more about integrating with Copilot.

New Copilot for Security product innovations

Microsoft Copilot for Security helps security and IT professionals amplify their skillsets, collaborate more effectively, see more, and respond faster.

As part of general availability, Copilot for Security includes the following new capabilities:

• Custom promptbooks allow customers to create and save their own series of natural language prompts for common security workstreams and tasks.
• Knowledge base integrations, in preview, empowers you to integrate Copilot for Security with your business context, so you can search and query over your proprietary content.
• Multi-language support now allows Copilot to process prompts and respond in eight different languages with 25 languages supported in the interface.  
• Third-party integrations from global partners who are actively developing integrations and services.
• Connect to your curated external attack surface from Microsoft Defender External Attack Surface Management to identify and analyze the most up-to-date information on your organization’s external attack surface risks.
• Microsoft Entra audit logs and diagnostic logs give additional insight for a security investigation or IT issue analysis of audit logs related to a specific user or event, summarized in natural language.
• Usage reporting provides dashboard insights on how your teams use Copilot so that you can identify even more opportunities for optimization.

To dive deeper into the above announcement and learn about pricing, read the blog on Tech Community. Read the full report to dig into the complete results of our research study or view the infographic. To learn more about Microsoft Copilot for Security, visit our product page or check out our solutions that include Copilot. If you’re interested in a demo or are ready to purchase, please contact your sales representative.

“Threat actors are getting more sophisticated. Things happen fast, so we need to be able to respond fast. With the help of Copilot for Security, we can start focusing on automated responses instead of manual responses. It’s a huge gamechanger for us.” 

—Mario Ferket, Chief Information Security Officer, Dow 

AI-powered security for all

With general availability, Copilot for Security will be available as two rich user experiences: in an immersive standalone portal or embedded into existing security products.

Integration of Copilot with Microsoft Security products will make it even easier for your IT and security professionals to take advantage of speed and accuracy gains demonstrated in our study. Enjoy the product portals you know and love, now enhanced with Copilot capabilities and skills specific to use cases for each product.

The unified security operations platform, coming soon, delivers an embedded Copilot experience within the Microsoft Defender portal for security information and event management (SIEM) and extended detection and response (XDR) that will prompt users as they investigate and respond to threats. Copilot automatically surfaces relevant details for summaries, drives efficiency with guided response, empowers analysts at all levels with natural language to Kusto Query Language (KQL) and script and file analysis, and now includes the ability to assess risks with the latest Microsoft threat intelligence.

Copilot in Microsoft Entra user risk investigation, now in preview, helps you prevent identity compromise and respond to threats quickly. This embedded experience in Microsoft Entra provides a summary in natural language of the user risk indicators and tailored guidance for resolving the risk. Copilot also recommends ways to automate prevention and resolution for future identity attacks, such as with a recommended Microsoft Entra Conditional Access policy, to increase your security posture and keep help desk calls to a minimum.

To help data security and compliance administrators prioritize and address critical alerts more easily, Copilot in Microsoft Purview now provides concise alert summaries, integrated insights, and natural language support within their trusted investigation workflows with the click of a button.

Copilot in Microsoft Intune, now in preview, will help IT professionals and security analysts make better-informed decisions for endpoint management. Copilot in Intune can simplify root cause determination with complete device context, error code analysis, and device configuration comparisons. This makes it possible to detect and remediate issues before they become problems.

Discover, protect, and govern AI usage

As more generative AI services are introduced in the market for all business functions, it is crucial to recognize that as this technology brings new opportunities, it also introduces new challenges and risks. With this in mind, Microsoft is providing customers with greater visibility, protection, and governance over their AI applications, whether they are using Microsoft Copilot or third-party generative AI apps. We want to make it easier for everyone to confidently and securely adopt AI.

To help organizations protect and govern the use of AI, we are enabling the following experiences within our portfolio of products:

• Discover AI risks: Security teams can discover potential risks associated with AI usage, such as sensitive data leaks and users accessing high-risk applications.
• Protect AI apps and data: Security and IT teams can protect the AI applications in use and the sensitive data being reasoned over or generated by them, including the prompts and responses.
• Govern usage: Security teams can govern the use of AI applications by retaining and logging interactions with AI apps, detecting any regulatory or organizational policy violations when using those apps, and investigating any new incidents.

At Microsoft Ignite in November 2023, we introduced the first wave of capabilities to help secure and govern AI usage. Today, we are excited to announce the new out-of-the-box threat detections for Copilot for Microsoft 365 in Defender for Cloud Apps. This capability, along with the data security and compliance controls in Microsoft Purview, strengthens the security of Copilot so organizations can work on all types of data, whether sensitive or not, in a secure and responsible way. Learn more about how to secure and govern AI.

Expanded end-to-end protection to help you secure everything

Microsoft continues to expand on our long-standing commitment to providing customers with the most complete end-to-end protection for your entire digital estate. With the full Microsoft Security portfolio, you can gain even greater visibility, control, and governance—especially as you embrace generative AI—with solutions and pricing that fit your organization. New or recent product features include:

Microsoft Security Exposure Management is a new unified posture and attack surface management solution within the unified security operations platform that gives you insights into your overall assets and recommends priority security initiatives for continuous improvement. You’ll have a comprehensive view of your organization’s exposure to threats and automatic discovery of critical assets to help you proactively improve your security posture and lower the risk of exposure of business-critical assets and sensitive data. Visualization tools give you an attacker’s-eye view to help you investigate exposure attempts and uncover potential attack paths to critical assets through threat modeling and proactive risk exploration. It’s now easier than ever to identify exposure gaps and take action to minimize risk and business disruption.

Adaptive Protection, a feature of Microsoft Purview, is now integrated with Microsoft Entra Conditional Access. This integration allows you to better safeguard your organization from insider risks such as data leakage, intellectual property theft, and confidentiality violations. With this integration, you can create Conditional Access policies to automatically respond to insider risks and block user access to applications to secure your data.

Microsoft Communication Compliance now provides both sentiment indicators and insights to enrich Microsoft Purview Insider Risk Management policies and to identify communication risks across Microsoft Teams, Exchange, Microsoft Viva Exchange, Copilot, and third-party channels. 

Microsoft Intune launched three new solutions in February as part of the Microsoft Intune Suite: Intune Enterprise Application Management, Microsoft Cloud PKI, and Intune Advanced Analytics. Intune Endpoint Privilege Management is also rolling out the option to enable support approved elevations.

Security for all in the age of AI

Microsoft Copilot for Security is a force multiplier for the entire Microsoft Security portfolio, which integrates more than 50 categories within six product families to form one end-to-end Microsoft Security solution. By implementing Copilot for Security, you can protect your environment from every angle, across security, compliance, identity, device management, and privacy. In the age of AI, it’s more important than ever to have a unified solution that eliminates the gaps in protection that are created by siloed tools.

The coming general availability of Copilot on April 1, 2024, is truly a milestone moment. With Copilot, you and your security team can confidently lead your organization into the age of AI. We will continue to deliver on Microsoft’s vision for security: to empower defenders with the advantage of industry-leading generative AI and to provide the tools to safely, responsibly, and securely deploy, use, and govern AI. We are so proud to work together with you to drive this AI transformation and enable security for all.

Join us April 3, 2024, at the Microsoft Secure Tech Accelerator for a deep dive into technical information that will help you and your team implement Copilot. Learn how to secure your AI, see demonstrations, and ask our product team questions. RSVP now.

Microsoft Secure

Watch the second annual Microsoft Secure digital event to learn how to bring world-class threat intelligence, complete end-to-end protection, and industry-leading, responsible AI to your organization.

Watch now

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

The post Microsoft Copilot for Security is generally available on April 1, 2024, with new capabilities appeared first on Microsoft Security Blog.

Due to the way Microsoft’s deployed Helix Core Server were configured, at no point were any of Microsoft’s internet-facing servers vulnerable to this critical vulnerability. No consumer, customer, or partner data was at risk or leaked.

Microsoft’s commitment to gaming and community security is paramount, and we worked closely with Perforce to report these vulnerabilities and drive remediation. We thank Perforce and are grateful for their team’s quick response in developing and releasing patches for these vulnerabilities.

While the three high severity vulnerabilities could be used to launch attacks such as a denial of service (DoS) against vulnerable systems, vulnerabilities with a CVSS score of 10.0 have the most severe potential impact that can extend beyond the vulnerable component, introducing a risk to software supply chains. The discovered vulnerabilities are summarized in the table below:

Helix Core Server listens on TCP port 1666 by default, though server administrators will often change this port number to hide from scanners or to host Helix Core Server via TLS. Microsoft scanned the internet in November 2023 for TCP port 1666 with a custom Helix Core Server network signature and found over 1,000 exposed Perforce Helix Core Server instances.

In this blog, we detail how we discovered each of the vulnerabilities and highlight the potential impact if exploited. Alongside applying Perforce’s patches, we also include additional mitigation and protection guidance for customers to minimize the risk of exploitation. Lastly, we’re sharing this information with the broader community to drive awareness to further improve protections across the security ecosystem, and to emphasize the importance of responsible disclosure and collaboration to secure platforms and devices.

Discovering the vulnerabilities

To keep Microsoft’s game development studios and their customers safe, we recently conducted an application security review of Helix Core Server, the source code management platform relied on by most of our studios. For our security review, we analyzed Helix Core Server version 2023.1.244.2900 and installed it on Windows 11 22H2. We used Helix Core Server’s default installation options, which resulted by-design in the Helix Core Server service running as LocalSystem:

Recovering debug symbols

In 2014, Perforce open-sourced the code for their CLI Perforce Client, and informed users we can download the code from the bin.tools subdirectory of any given release. While having any source code is invaluable for application security vulnerability research purposes, this source code is specific to the client, not the server. The latter is only distributed in compiled binary form.

The binaries that are installed by Helix Core Server’s installer have their debug symbols stripped (removed from the distributed executable images), which makes it harder to understand the disassembled code during static analysis. To aid our review, we attempted to recover these debug symbols.

Discovering debug symbols

Sometimes applications offer software development kits (SDKs) that can be mined for debug symbol data. In the case of Helix Core Server, Perforce offers a “C/C++ API” package for the Windows (x64) platform that comes in the form of a .zip file containing three directories: include, lib, and sample. The lib directory is especially interesting for us, as it contains about 400 MB of .lib files:

Like .exe files, .lib files are COFF files that can contain debug symbols. By using dumpbin.exe /symbols to inspect each .lib file, we found that the nine .lib files in the package contain a total of 1,251,756 debug symbol entries.

To understand why this is useful to us, let us consider an approximation of how .exe and .lib files are built:

In the diagram above, we can see that the SDK .obj files were linked along with server-specific .obj files to create Helix Core Server’s p4s.exe (“Perforce Service”) file. During that linking process, the debug symbols were stripped. However, the same SDK .obj files had their debug symbols retained when linked into the SDK .lib files. Since the .lib files contain debug symbols, we can match each compiled SDK function in each .lib file to its SDK function name. If we can then find those same compiled SDK functions in Helix Core Server’s .exe and .dll files, we can map the SDK function names to those functions as well, thus simplifying our analysis of the p4s.exe file.

To begin, we must first determine which SDK package to use for our analysis. If we look at the containing directory for the .zip file downloaded from the “C/C++ API” package, we see it contains 144 p4api SDK packages:

The reason we see 144 packages listed is that there is every combination of the following:

That’s nine possible values for compiler, two possible values for linking, two possible values for build type, and four possible values for OpenSSL version. In other words, multiplying those four values together leads us to 144 possible combinations. To map named functions from the SDK’s .lib files to Helix Core Server’s p4s.exe file, we’ll need to choose the correct SDK package, since, for example, a function compiled with Visual Studio 2005 may look very different from the same function compiled with Visual Studio 2022.

So how do we know which compiler, linker option, build type, and OpenSSL version were used for our installed distribution of Helix Core Server? We don’t. We could make some educated guesses and examine artifacts such as the binaries’ Rich Headers to determine the right combination, but instead we chose to use automation to test all possible combinations. (Note that “Rich Headers” is a colloquial term used in the industry, not a Microsoft-official name for this structure.)

Finding the right set of debug symbols

After downloading all of the statically linked p4api archives from Perforce’s website, we used IDA Pro’s F.L.I.R.T. technology to create signatures for each Perforce Helix Core Server SDK package. To do so, we automated the following steps:

1. Use pcf.exe (“parsecoff”) from IDA Pro’s Fast Library Acquisition for Identification and Recognition (FLAIR) SDK to create .pat (“pattern”) files for each Perforce Helix Core Server SDK package’s .lib file.
2. Use sigmake.exe from the FLAIR SDK to create a .sig (“signature”) file for all the .pat files from each given Perforce Helix Core Server SDK package.
3. Use zipsig.exe from the FLAIR SDK to compress each .sig file.
4. Disassemble Helix Core Server’s p4s.exe file with IDA Pro and save the resulting .idb (“IDA database”) file.
5. For each .sig file, open the .idb file, apply the .sig file, count the number of .sig file function matches, and close the .idb file without saving the modifications.
6. Rank the number of function matches for each .sig file.

After following the process above, we found the debug symbols from p4api_vs2017_static_openssl1.1.1.zip had the most function matches in p4s.exe:

The remainder of this blog post leverages these signatures for p4s.exe’s function names and type information.

Investigating the RPC header

Given that Helix Core Server runs as LocalSystem, local elevation of privilege attacks would certainly be worthwhile to explore. However, remote attacks via a network are much more intriguing from a vulnerability research perspective. Our next step is to investigate how Helix Core Server handles data it receives from remote users, or in our case, attackers.

Using TCPView, we can see that p4s.exe is listening for incoming connections on TCP port 1666:

Programs built for Windows that listen on TCP ports for incoming connections almost always use Winsock’s recv() function to receive incoming network data from clients. Using IDA Pro’s cross-references (“CODE XREF”s below), we can see that recv() is called by several functions:

We’re looking to assess how received network data is parsed and handled, and to save time in determining which of the functions above actually receives the connected client data via recv(), we used a debugger to set a breakpoint on recv() and reviewed its thread’s call-stack to reveal the following chain of function calls:

In the call-stack above, “Rpc” is short for “Remote Procedure Call”, a common term used for remotely executing functions.

Although we’re assessing the Helix Core Server, the function RpcTransport::Receive() (in Figure 8) is also included in the client source code discussed above (note that the comments are from Perforce’s developers, not from Microsoft):

The code above does the following:

1. On line 69, calls NetBuffer::Receive() to receive five bytes of data from the connected TCP client. We will refer to these five bytes as the RPC header.
2. On line 72, verifies that the first byte’s value equals the value of the following four bytes using the XOR operation to compute a parity byte checksum.
3. On line 78, interprets those following four bytes as a 32-bit little-endian value named length.
4. On line 85, verifies that length >= 12 and that length < 0x1FFFFFFF.
5. On line 93, allocates memory of size length and receives length bytes from the connected TCP client.

However, there’s a design risk in the code above, in that there’s not sufficient protection against asymmetric resource consumption attacks from remote unauthenticated attackers. An attacker could connect to the Helix Core Server, send a five-byte RPC header specifying a length value of 0x1FFFFFFE, and cause the server to allocate 0x1FFFFFFE bytes (about 537 MB) of memory. An attacker could exploit this vulnerability by establishing numerous connections and requesting these large memory allocations via each connection, quickly consuming all the server’s available memory. Once available memory is exhausted, the next call to Alloc() (step 5 above) will lead Helix Core Server’s memory allocator (which happens to be mimalloc) to throw an unhandled std::bad_alloc() exception from mi_try_new_handler(), causing the Helix Core Server process to crash and not restart. This denial-of-service (DoS) attack is exploitable by remote unauthenticated attackers.

This vulnerability is now identified as CVE-2023-5759 and it has a CVSS score of 7.5.

Investigating RPC handler functions

We showed in the call-stack above that RpcTransport::Receive() is called by Rpc::DispatchOne(). This latter function takes the allocated buffer received by RpcTransport::Receive(), parses it as an RPC command with optional arguments, looks up the handler for the given RPC command, and calls the handler with the received arguments. Many of these RPC commands are mapped to the p4 commands listed here. Specifically, there are 202 formally documented p4 commands, and about 450 defined RPC commands, though not all RPC commands have their handlers registered by default at runtime.

Since we’re most interested in the possibility of remote unprivileged attacks against Helix Core Server in its default configuration, we created our own Perforce client from scratch that attempts to call (without any authentication) each of the approximately 450 RPC commands defined in p4s.exe. Of those, we found that about 360 RPC commands have their handlers registered by default at runtime. This is too high of a count to manually assess in a reasonable amount of time, so we had to find other means to prioritize our RPC command analysis.

We found that p4s.exe statically imports 382 API functions. Of those, we identified the most interesting functions that could potentially achieve remote code execution, assuming an unauthenticated remote attacker could both execute an RPC function that calls one of these API functions and control the arguments to that API function. These functions are:

• CreateFileMapping()
• CreateProcess()
• DeviceIoControl()
• LoadLibrary()
• LoadLibraryEx()
• MapViewOfFile()
• MoveFileEx()
• RegSetValueEx()
• ShellExecuteEx()
• WriteFile()

Assessing this short list of API functions and analyzing code-flow paths from RPC handlers to these functions was a much more tractable problem than manually reviewing each of the approximately 360 registered RPC handlers.

The bgtask command

By reviewing cross-references with IDA Pro, we were able to identify the following call-chain from an RPC command handler to CreateProcess():

According to Perforce’s documentation, the p4 bgtask command “enables a Helix Core superuser on the p4 command-line client to run commands or programs remotely on the server in the background.” It’s thus not surprising that this type of command would end up calling CreateProcess(), but since the documentation states that this command can only be run by a superuser, our only hope of finding a security vulnerability here was if there was a bug in the authentication component or in how the RPC arguments were getting parsed.

To begin our assessment of p4 bgtask, we used the custom Perforce client that we wrote to see how the server would respond if we tried remotely calling bgtask without any authentication. To our surprise, the server didn’t return any errors. In fact, the server ran the command line that we sent to it, and this child process ran as LocalSystem.

Upon further investigation, this is by design, with the manual noting to “Run p4 protect immediately after installing Helix Server for the first time. Before the first call to p4 protect, every Helix Server user is a superuser and thus can access and change anything in the depot”. In this context, “every Helix Server user” also includes unauthenticated anonymous remote users.

If an administrator does not manually perform those post-installation steps, this missing authentication for a critical function allows unauthenticated remote attackers to run arbitrary command lines (including PowerShell command lines with script blocks) as LocalSystem when Helix Core Server is installed with its default configuration.

This vulnerability is now identified as CVE-2023-45849 and it has a CVSS score of 10.0.

The rmt-Shutdown RPC handler

When a user (or attacker) uses the p4 bgtask discussed above with the standard Perforce Client, the client sends the RPC command name user-bgtask to the server to execute that command. However, some RPC command names that are accepted by the server don’t have a corresponding Perforce Client command; one of those RPC command names is rmt-Shutdown.

Although it’s not possible to send the rmt-Shutdown RPC command with the standard Perforce Client (nor the Perforce Admin Tool), and it doesn’t appear to be documented on Perforce’s website, we were able to send the command with our custom Perforce client. We found that the handler for rmt-Shutdown requires a username of remote but doesn’t require any authentication credentials for that username. When the Perforce Helix Core Server receives this command, it terminates the Helix Core Server process, thereby allowing unauthenticated remote attackers to perform DoS attacks against the server.

This vulnerability is now identified as CVE-2023-35767 and it has a CVSS score of 7.5.

The rmt-UpdtFovrCommit RPC handler

Similar to the rmt-Shutdown RPC command name, the RPC command name rmt-UpdtFovrCommit (which is likely short for “remote update failover commit”) cannot be sent via the standard Perforce Client nor Admin Tool and doesn’t appear to be documented on Perforce’s website but can be sent with a custom Perforce client. This RPC function piqued our interest when we first tested for registered RPC handlers, since when our custom-built scanner sent a rmt-UpdtFovrCommit RPC command as an anonymous user and without any command arguments to the Helix Core Server, the Helix Core Server process crashed.

We can see the reason for the crash in the decompiled rmt-UpdtFovrCommit handler code below:

As previously discussed, RPC messages sent from the client to the server contain the RPC function name and can optionally contain RPC function arguments. In the code above, StrDict::GetVar() is used to get the client’s RPC function arguments from the pRpc object. If the given argument name was not provided in the client’s RPC message, then StrDict::GetVar() returns zero. In the first line above, StrDict::GetVar() is used to get the value of the user RPC function argument. However, if the user (or attacker) does not specify a value for user in their RPC message then pStrPtrUser gets set to zero. In the last line above, we see pStrPtrUser passed as the second argument to StrOps::PackOctet(), (the source code for which is available in the client source code discussed above):

As can be seen in the code above, when StrOps::PackOctet() is called with zero as the value for s, StrBuf::Append() gets called with zero as the value for t. This results in StrBuf::Append() trying to dereference the length field of t, where the buffer field of t is at offset 0 relative to the beginning of the t object and the length field of t is at offset 8 relative to the beginning of the t object (since char *buffer is 64-bits). When the value of t is 0, dereferencing length leads to reading from virtual memory address 0x0000000000000008, which results in a read-access violation or segmentation fault. We found that these types of exceptions are not handled gracefully by the server and that such read-exceptions cause the entire server process to crash and not restart. This DoS attack is exploitable by remote unauthenticated attackers.

This vulnerability is now identified as CVE-2023-45319 and it has a CVSS score of 7.5.

Coordinated disclosure

Microsoft reported these four security vulnerabilities to the vendor Perforce at the end of August 2023. Immediately afterwards, on September 1, Perforce acknowledged these four vulnerabilities and began work to investigate and remediate them. Throughout September and October, Perforce communicated status updates to Microsoft on implementing fixes and putting those fixes through their QA processes. Perforce reserved CVE IDs on October 24, 2023, shared those IDs with Microsoft on October 25, 2023, and informed Microsoft at that time that the patches would be published by mid-November 2023. On November 7, 2023, Perforce published Perforce Helix Core Server version 2023.1/2513900, which mitigates these four vulnerabilities. Perforce has also published patches for the older Perforce Helix Core Server versions 2022.2, 2022.1, and 2021.2. Perforce recommends upgrading to the latest Perforce Helix Core Server version 2023.2.

Microsoft would like to thank Perforce for their professionalism and for their rapid response in addressing these security vulnerabilities. Microsoft is grateful for this partnership and for Perforce’s commitment to security.

Mitigation and protection guidance

Microsoft is not aware of any adversaries exploiting these vulnerabilities, but mitigations should be applied by all Helix Core Server customers as soon as possible.

Risk detection

Extend vulnerability and risk detection beyond the firewall with platforms like Microsoft Defender External Attack Surface Management. Customers can identify internet-exposed infrastructure running Perforce Helix Core Server in their inventory and use the insights tile under the Attack Surface Summary dashboard to surface assets vulnerable to CVE-2023-5759, CVE-2023-45849, CVE-2023-35767, and CVE-2023-45319.

What to do now if you’re affected

Update your Perforce Helix Core Server: https://www.perforce.com/downloads/helix-core-p4d.

Defense-in-depth

In addition to following Perforce’s guidance on “Securing the server”, Microsoft recommends adhering to the following defense-in-depth tactics to minimize the risk of exploitation of these or other Perforce Helix Core Server vulnerabilities.

• Regularly monitor for and apply patches for third-party software.
• Use a VPN and/or an IP allow-list to limit who can communicate with your Perforce Helix Core Server.
• Issue TLS certificates to legitimate Perforce users and use a TLS termination proxy in front of Perforce Helix Core Server to validate client’s TLS certificates before allowing them to connect to Perforce Server.
• Log all access to your Helix Core Server, both via your network appliances and via Perforce Helix Core Server itself.
• Configure alerting to notify IT administrators and your security team if the Helix Core Server process crashes.
• Use network segmentation to ensure that if your Helix Core Server is compromised, an attacker’s ability to pivot in your network is limited.

Appendix

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• CVE-2023-5759
• CVE-2023-45849
• CVE-2023-35767
• CVE-2023-45319

Microsoft 365 Defender Threat analytics 

• Vulnerability profile: Critical remote code execution vulnerability in Perforce Helix Core Server

Jason Geffner

Microsoft Threat Intelligence Community

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5759
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35767
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45319
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45849
• https://ftp.perforce.com/perforce/r23.1/bin.ntx64/
• https://portal.perforce.com/s/article/3925
• https://swarm.workshop.perforce.com/projects/perforce_software-p4
• https://www.perforce.com/downloads/administration-tool
• https://www.perforce.com/downloads/helix-command-line-client-p4
• https://www.perforce.com/downloads/helix-core-c/c-api
• https://www.perforce.com/downloads/helix-core-p4d
• https://www.perforce.com/manuals/cmdref/Content/CmdRef/commands.html
• https://www.perforce.com/manuals/p4sag/Content/P4SAG/protections.when_to_set.html
• https://www.perforce.com/press-releases/perforce-open-sources-popular-version-control-tools

Acknowledgments

Microsoft would like to recognize https://www.keysight.com/blogs/tech/nwvs/2022/06/08/a-sneak-peek-into-the-protocol-behind-perforce for previous work done in analyzing Perforce’s RPC protocol.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on Twitter at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server appeared first on Microsoft Security Blog.

Attacks are quickly becoming more automated through AI-assisted tools. They are also increasing exponentially—the number of password attacks Microsoft detects has more than tripled in the last 12 months, from 1,287 per second to more than 4,000 per second.¹ Plus, the annual cost of cyberattacks continues to grow. According to the FBI Internet Crime Complaint Center’s (IC3) latest research, reported total losses grew from USD6.9 billion in 2021 to more than USD10.2 billion in 2022.² Such losses are even greater on a global scale. If organizations continue to operate within a fractured security state and only utilize what’s worked in the past, they will leave gaps in their security posture.

Now there is a unique opportunity to harness the power of AI in combination with an end-to-end security solution to build a resilient security posture with defenses that rapidly adapt. There has never been a more important time for specialized cybersecurity expertise, and our partners are critical to preparing customers for the era of AI. According to a Forrester Total Economic Impact study, Microsoft Security partners are realizing a significant increase in their business with more than 14 percent year-over-year growth.³ In small and medium businesses (SMBs), partners are seeing even more dramatic demand with more than 37 percent market expansion just this last year.

Today at Microsoft Inspire 2023, we will discuss AI-powered security during the “Springboard customers into the era of AI with end-to-end security” session. Also, you’ll have an opportunity to ask your most pressing questions at the expert Q&A.

Register for Microsoft Inspire to hear more details on our latest exciting announcements listed in this blog.

Microsoft Inspire 2023

Elevate your business by joining us for Microsoft Inspire, July 18 and 19, 2023, and learn how to accelerate AI transformation in your security practice.

Register now

Coming soon: Microsoft Security Copilot Early Access Program

We are extremely encouraged by the excitement and positive feedback we have received from customers and partners since we announced Microsoft Security Copilot—one of the first generative AI products in the security industry—in March 2023. This fall, we will open our Early Access Program and invite more customers and partners to experience Security Copilot. To help us focus our learning, customers who use Microsoft Defender for Endpoint will be prioritized for early access. Those who also use Microsoft Sentinel will get even more benefit from the program. Security Copilot is designed to work with a broad range of Microsoft and third-party tools, and we will expand the program as we learn.

Our preview is well underway, and the feedback from our preview customers shows that there’s every reason to be excited about the massive potential of this technology to help protect at machine speed and scale:

“Microsoft is spearheading a transformative shift in security operations center (SOC) processes and operations at a truly remarkable speed. By fully integrating these cutting-edge AI technologies, they are pioneering a leap so momentous that by December 2024, SOC operations from 2021 may seem prehistoric in comparison. The surge in productivity could be unparalleled. At Bridgewater, we are thrilled to be helping Microsoft on this voyage, collaboratively propelling Security Copilot’s full potential to the forefront of the industry.”

—Igor Tsyganskiy, President, Bridgewater

New: Security Copilot design advisory council

Today, we are officially kicking off our partner engagement to help you build your own solutions and services powered by Security Copilot. If you are a Microsoft partner, you can start today by helping customers deploy Microsoft Defender for Endpoint and Microsoft Sentinel so that they are prepared to adopt Microsoft Security Copilot. We are excited to join forces with our partners, including members of the Microsoft Intelligent Security Association. Here’s what a couple of our partners have shared already:

“When it comes to cybersecurity, threat actors are increasingly using AI to carry out sophisticated attacks, so why aren’t defenders? We are operating in an era where fighting AI with AI is non-negotiable. By partnering with Microsoft Security Copilot, we can help level the playing field for defenders together. Much of the AI universe sits behind Cloudflare, and acting as the intermediary to allow businesses to harness the power of this technology in a safe way is critical.”

—Matthew Prince, Chief Executive Officer, Cloudflare

“We believe that generative AI will be truly revolutionary and will allow us to become more effective and efficient, by orders of magnitude, in protecting our customers. We expect to see productivity increases from our SOC analysts using Security Copilot when dealing with scenarios like incident response and threat hunting and believe there is potential for upskilling effects, allowing any analyst to complete more advanced tasks quicker than ever before. We are proud to be on this journey with Microsoft and remain excited as they continue to add more compelling capabilities to Security Copilot.”

—Brian Beyer, Chief Executive Officer, Red Canary

“Building on our recent investment to expand and scale our AI offerings, we’re excited to team with Microsoft on bringing Security Copilot to our joint customers, augmenting their ability to predict—prevent—and rapidly respond to security threats. This will help empower all of our customers and provide new opportunities leveraging the responsible use of generative AI.”

—Sean Joyce, Global Cybersecurity and Privacy Leader, PwC

If you are interested in learning how to engage with your customers now to take full advantage of these new AI technologies, we invite you to sign up to receive communications and to be considered for our new Security Copilot design advisory council.

Investments in the managed security service provider community

According to Gartner®, “by 2025, 60 percent of organizations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers, up from 30 percent today.”⁴ 

To help meet the anticipated demand for these services, we are actively working to recruit more Managed Extended Detection and Response (MXDR) partners alongside our first-party offering. Microsoft is deeply committed to our partner community, and partners will always be the primary path for customers to get the services they need. We are increasing our overall investments for security partners by nearly 50 percent this coming year. A great example of this continued investment is the Microsoft engineering verified MXDR solution status that we launched for partners last year.

Making it easier to better protect small and medium businesses

Small and medium businesses are seeing more cyberattacks, with 82 percent of ransomware attacks targeting small businesses.⁵ Due to a lack of internal security specialists, these businesses often look to IT partners to help secure their IT environments.

We are making it easier for partners to deliver security services to their customers:

• For partners who want to build their own SOC or managed detection and response (MDR) service, we are pleased to announce streaming APIs from Microsoft Defender for Business to enable advanced hunting and attack detection. Available in preview in Defender for Business standalone and as part of Microsoft 365 Business Premium.
• With a 3.4 million-person global shortage in the cyber workforce, partners face staffing challenges as much as their customers do.⁶ For those partners who want to resell security services but do not have the resources to invest in an in-house SOC, we are pleased to announce integrations with leading MDR providers. For example, Blackpoint Cyber now offers both a round-the-clock cloud response MDR service for Microsoft 365 environments, including Microsoft 365 Business Premium, and a managed endpoint detection and response (EDR) service for Defender for Business customers. 
• We’re extending mobile protection to SMB customers who may not have a mobile device management solution with Mobile threat defense for standalone Defender for Business customers—now generally available. The new Defender for Business monthly summary report will show threats prevented, current status from Microsoft Secure Score and recommendations, and will help partners to show value to customers.

For details on our SMB-focused announcements, read our Tech Community blog post.

Expanding comprehensive security with product innovations

We continue to offer one of the most comprehensive security solutions in the market and power it with world-class global threat intelligence. Today we announced the following innovations:

• Microsoft Sentinel: To simplify budgeting, billing, and cost management, the Microsoft Sentinel price now includes the Azure Monitor Log Analytics price. To learn more, read the announcement blog.
• Microsoft Defender Experts for XDR: A new managed service gives customers step-by-step guidance to respond to incidents, receive expertise when they need it, and stay ahead of emerging threats.
• Microsoft Purview Insider Risk Management: With the new bring-your-own-detections capabilities, partners can help their customers create custom indicators by bringing in detections from non-Microsoft sources, such as a customer relationship management system like Salesforce or a developer tool like GitHub.
• Microsoft Defender for Cloud Apps: The new open app connector platform makes it easier for partners to plug their solutions into our platform. New API connectors include the preview of Asana and Miro as well as the general availability of software as a service security posture management capabilities for DocuSign, Citrix, Okta and GitHub.
• Microsoft Defender for Endpoint: The settings management experience is now natively embedded into Microsoft Defender for Endpoint for Windows, Linux, and macOS, removing dependencies on Microsoft Intune and the need to switch between portals.
• Microsoft Defender Threat Intelligence: Graph APIs now enable simple exporting and ingestion of data to Microsoft Defender, Microsoft Sentinel, and third-party applications.
• Microsoft Purview eDiscovery: Now generally available, the Microsoft Graph eDiscovery Export API will enable external applications and partners to integrate the eDiscovery export function through scripting.
• Microsoft Purview Information Protection: With this update, confidential and highly sensitive Excel files that are labeled and protected by Microsoft Purview Information Protection can continue to be protected when imported into Microsoft Power BI datasets and reports throughout their lifecycle. Additionally, documents in SharePoint and OneDrive now support labeled and encrypted documents with user-defined permissions. Co-authoring for Word, Excel, and PowerPoint apps now enables document owners to define permissions for people who can have access to shared sensitive documents that are encrypted.
• Microsoft Purview Data Loss Prevention: Microsoft Purview Data Loss Prevention introduces a new capability to allow security teams to create policies that prevent their users from pasting sensitive data to specific websites or web applications.
• Microsoft Defender for External Attack Surface Management: With External Attack Surface Management, you can leverage new data connections to seamlessly integrate your attack surface data into other Microsoft solutions, including Azure Data Explorer and Log Analytics. These data connections will help you supplement workflows with new insights, which will enable you make informed security decisions based on more comprehensive information.

We have been innovating rapidly across the entire Microsoft Security portfolio. In case you missed them, here are a few of our most recent announcements.

• Two new Security Service Edge solutions: Microsoft Entra Internet Access helps protect access against malicious traffic and threats from the open internet. Microsoft Entra Private Access helps secure access to private apps and resources from any device and network.
• Microsoft Azure Active Directory is now Microsoft Entra ID: To unify our product family, we changed the name of Microsoft Azure Active Directory to Microsoft Entra ID.
• Microsoft Intune Suite: In March 2023, we launched the Intune Suite, which unifies mission-critical advanced endpoint management and security solutions into one simple bundle. The suite’s AI-powered automation empowers IT and security teams to move simply and quickly from reactive to proactive in addressing security challenges.
• Adaptive Protection in Microsoft Purview: In early 2023, we launched Adaptive Protection in Microsoft Purview. This new capability dynamically updates data loss prevention controls and policies, turning them to individual users and helping customers identify and mitigate the most critical risks. This saves security teams valuable time while ensuring better data security. Learn more about the features and benefits of Adaptive Protection.
• Microsoft Sentinel reduces investigation time by 88 percent: This year, we unveiled a new context-focused incident investigation experience for Microsoft Sentinel that enables security analysts to reduce their investigation time by up to 88 percent.⁷ We also delivered the ability to automatically disrupt in-progress attacks in Microsoft 365 Defender to help customers prevent devasting breaches. 

2023 Security Partner of the Year Awards

We are excited to announce our 2023 Security Partner of the Year Award winners.

Security Partner of the Year: BDO Digital

BDO Digital is a global company that offers detection, automation, and reduction of overall cybersecurity risks. Many of BDO’s clients’ legacy tools were not equipped to deal with modern infrastructure, and internal security teams did not have the bandwidth to monitor and triage security events. BDO helped improve its clients’ cybersecurity posture by reducing actionable alerts by over 50 percent.

Compliance Partner of the Year: Epiq

Epiq offers advanced data security technology solutions, such as a unique Chat Connector for Microsoft Teams that allows legal teams to effectively assess data for relevant and privileged content. 

Building securely together

As we all consider what we can accomplish with AI now and in the future, I cannot overstate the importance of end-to-end security. This is exactly where we recommend you start with your customers. Help them strengthen their security posture now so that when they deploy AI, they are not vulnerable to attacks. AI solutions will only ever be as strong as their underlying security.

As with any product design, we hold ourselves to high security standards when building, developing, and deploying AI-powered solutions from platforms to applications to processes. We maintain rigorous responsible AI practices, aimed at understanding and mitigating harms, measuring the quality of responses, and fostering a continuous learning environment from customer feedback. A cornerstone of these standards is our commitment to developing solutions that are “secure by design and secure by default.” However, it is important to note that the robustness of security is significantly enhanced when users actively manage and maintain it. Our focus extends to ensuring robust control over data, meaning it won’t be used to train AI models without explicit permission. We advocate for our partners to adhere to these benchmarks while crafting and implementing AI-based offerings for customers—whether the aim is to enhance productivity, automate a business process, or safeguard against threats.

Connect with us at Microsoft Inspire 2023

Microsoft Inspire 2023 is an incredible opportunity to share all the ways AI can support security efforts with our partner ecosystem. If you haven’t registered, there’s still time to reserve your complimentary spot. There, you’ll hear strategies to prepare your organization for AI with comprehensive security and security posture. Hope to see you in these sessions!

• “Springboard customers into the era of AI with end-to-end security” (FS106): This session will spotlight how AI will transform technology for our customers and their security practices. You can also join a live Q&A with the experts.
• “Investments Microsoft is making to accelerate your security business” (ODBRK117): Learn the latest opportunities to expand the offerings of existing customers over the next 12 months with Microsoft Security.
• “Take advantage of the expanding opportunity with end-to-end security” (OD130): Explore how Microsoft Security’s end-to-end solution helps you get ready and get your customers to fully leverage the massive opportunity in the security market.  
• “Securing the channel: protecting customers’ digital transformation” (OD131): Find out more about Microsoft’s vital role in addressing increasing cyberattacks in hybrid and remote work environments, while also hearing of the role of partners in proactively securing customers’ digital transformation.
• “Bridging the cybersecurity gap: security training for partners” (OD132): In this Level 400 session, you’ll experience a new gamified learning simulation that makes Microsoft Security solutions real for you and your teams through interactive scenarios. 
• “Build Your Security Practice” (OD142): Explore how partners can grow revenue and profitability with managed security services with Microsoft 365 Business Premium and Microsoft Defender for Business. We will discuss key SMB trends, new product innovations, and resources to help partners develop successful security service offerings.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft internal data.

²Internet Crime Report, Federal Bureau of Investigation. 2022.

³The Partner Opportunity For Microsoft Security, Forrester. July 2023.

⁴Gartner® Market Guide for Managed Detection and Response Services, Pete Shoard, Al Price, Mitchell Schneider, Craig Lawson, Andrew Davies. February 14, 2023. 

⁵The Devastating Impact of Ransomware Attacks on Small Businesses, Quinn Cleary. April 4, 2023.

⁶2022 Cybersecurity Workforce Study, (ISC)². 2022.

⁷The Total Economic Impact™ Of Microsoft SIEM And XDR, Forrester. August 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

The post Microsoft Inspire: Partner resources to prepare for the future of security with AI appeared first on Microsoft Security Blog.

I had the honor of representing Microsoft at our RSA keynote, “Defending at Machine Speed: Technology’s New Frontier.” AI is having a profound impact in our world, and I believe security is going to be one of AI’s most important use cases. During this session, I shared how AI is causing a paradigm shift, augmenting the essential power of human intuition and expertise and reshaping the future of cybersecurity. For details, watch the full keynote here (video courtesy of RSA Conference).

RSAC is the largest and most important cybersecurity conference in the industry—we value every opportunity to learn directly from our customers, partners, and community, and share how Microsoft Security is empowering our customers to protect everything.

Let’s walk through some of the most memorable moments from RSAC.

Pre-Day with Microsoft

Microsoft Security opened RSAC with the Pre-Day event and reception on Sunday, April 23. Pre-Day was an expansion of our presence at RSAC and amplification of the announcements we made at Microsoft Secure. The presentations helped attendees gain a deeper understanding of what an AI-powered future means for cybersecurity. They also shared comprehensive strategies to help organizations protect everything, highlighted the latest announcements in Threat Intelligence, which is critical to defending against an evolving threat landscape, and gave customers a chance to interact with Microsoft Security business and engineering leaders, as well as network with their peers during an evening reception. I was very pleased to share the stage with Charlie Bell, Executive Vice President, Microsoft Security; Bret Arsenault, CVP, Microsoft Security and Chief Information Security Officer; Kelly Bissell, CVP, Microsoft Security; Andy Elder, CVP, Microsoft Security Solution Area; Jeremy Dallman, Principal Research Director, Microsoft Threat Intelligence; Holly Stewart, Principal Research Director, Microsoft Threat Intelligence; and engineering leaders.

Major product announcements

Microsoft Security Copilot, Microsoft’s new generative AI solution, garnered plenty of buzz during the conference. First announced at Microsoft Secure, Security Copilot combines the latest Open AI large language model with Microsoft’s unique security specific model powered by 65 trillion signals, human intelligence, and cyberskills to help defenders move at the speed and scale of AI. It was wonderful to see the interest from our customers and partners for Security Copilot.

Now in private preview, this groundbreaking technology serves as a true copilot to defenders. It augments a security analyst’s work, continually learning from users and letting them provide feedback and inform future interactions. The AI capabilities you gain include ongoing access to the most advanced OpenAI models, integration with Microsoft’s end-to-end security portfolio, and visibility and evergreen threat intelligence powered by your organization’s security products and the 65 trillion threat signals received by Microsoft every day. Importantly, Security Copilot is built with privacy at its heart. This means your data remains your data, and it is not used to train or enrich foundation AI models. Further, Security Copilot runs on our security and privacy-compliant Azure Cloud hyperscale infrastructure, enabling organizations to truly defend at machine speed.

In other threat intelligence news, Microsoft Defender Threat Intelligence is now available to licensed customers directly within Microsoft 365 Defender. It’s already integrated with Microsoft Sentinel and now has an application programming interface (API) to help enrich incidents, automate incident response, and work with a broad ecosystem of security tools. With this advancement, you get one of the world’s best threat intelligence, integrated with the tools you use every day.

Specific capabilities available as part of a Microsoft Sentinel solutions package—generally available beginning in July—are:

• Microsoft Defender Threat Intelligence enrichment playbooks: Defender Threat Intelligence integrates with all security information and event management (SIEMS) via an API, but playbooks in the Microsoft Sentinel Content hub are available to enrich incidents with reputation data to add context and triage them automatically.
• Microsoft Defender Threat Intelligence data connector: Microsoft threat researchers add indicators of compromise (IOCs) from finished intelligence to the threat intelligence (TI) blade to add massive value to Microsoft Sentinel users by adding critical context and enhancing detections and investigations.
• Microsoft Defender Threat Intelligence analytics rules: This built-in rule takes URLs, domains, and internet protocols (IPs) from a customer environment via log data and checks them against known bad IOCs from Defender Threat Intelligence, creating incidents when there’s a match.

At RSAC, we also had several other major product announcements.

Security researchers and customers are confronted with an overwhelming amount of threat intelligence data—and we want to help by giving them better clarity. Our new threat actor naming taxonomy will offer a more organized, articulate, and easy way to reference adversary groups so that organizations can better prioritize threats and protect against attacks. Microsoft Security also is rolling out a new icon system to make it even easier to identify and remember threat actors. Each icon represents a unique family name and will accompany the threat actor names as a visual aid. 

Microsoft Defender for API is a new offering focused on threat protection for APIs—built for organizations that provide cross-organizational visibility of the Azure API Management inventory, data classification, and coverage to detect exploits of API risks. Classify and understand the API security posture based on cloud security insights and sensitive data exposure. Harden API configuration and prioritize API risk remediation by monitoring for security best practices in a full lifecycle approach, across infrastructure as code templates and runtime environments. Detect and respond to active runtime threats within minutes—using machine learning powered anomalous and suspicious API usage detections. 

Microsoft Defender External Attack Surface Management (MDEASM)—Data Connector provides automated export of attack surface details, updates, and findings to Kusto or Microsoft Sentinel Log Analytics, giving customers the ability to analyze, report, and correlate attack surface information against other data sources and use additional tooling such as Power BI to customize analysis to their organization’s needs. 

Now in general availability as part of the Microsoft Intune Suite and as a standalone add-on, Microsoft Intune Endpoint Privilege Management is a feature that enables admins to set policies that allow standard users to perform tasks normally reserved for an administrator. The feature supports automatic and user-confirmed workflows for elevation as well as insights and reporting. 

RSA Conference highlights

Highlights of our sessions included:

• “Hands-on Tutorial to Red Teaming AI Systems with Open Source Tools”: Microsoft’s Raja Sekhar Rao Dheekonda and Charlotte Siska shared how to use open source tools to red team AI models. These tools can be adapted to multiple environments, models, and data types.
• “Geopolitical Resilience: Why Operational Resilience Is No Longer Enough”: Microsoft’s Ann Johnson and Team8’s Nadav Zafrir spoke about how merging business, social, and political crises necessitates a new approach to resilience. More than operational recovery, organizations have new dimensions of risk to consider, including deglobalization, data sovereignty, sanctions, and forced market exits.

Microsoft Security Hub sessions and activities

Living up to its name, the Microsoft Security Hub was a hubbub of activity throughout RSA Conference. Held at the Ecosystem Coworking Space, the private and semi-private meeting rooms provided fantastic opportunity for us to meet with customers and partners, and there were multiple learning opportunities and networking events.

Microsoft sessions and experiences

• During our session “AI: Shaping Security Today and Into the Future”, Microsoft’s Scott Woodgate discussed how AI is an integral part of Microsoft’s security strategy, helping drive security operations center efficiency with Microsoft Sentinel and Microsoft 365 Defender and now taking it to the next level with Microsoft Security Copilot.
• The Microsoft Threat Intelligence Interactive Experience wowed attendees throughout the conference. The experience invited hundreds of people to explore our unparalleled, 360-degree view of the threat landscape. The 3D-touchscreen globe was unlike anything found at the conference. Customers explored the new threat actor taxonomy with stunning visuals, an interactive quiz to test their cybersecurity knowledge, and attack chain case studies to explore the tactics, techniques, and procedures (TTPs) of threat actors. The experience wowed customers, “This is something only Microsoft would do, this is amazing,” and was moving to others, “This just means a lot being able to see the stuff I work with every day visualized like this.”
• Another popular event was our Threat Intelligence Happy Hour, hosted by Microsoft Security Experts, on April 25. This networking event allowed customers and partners to connect with the many, varied experts from Microsoft Security to talk shop, score swag, and learn more about the new threat actor taxonomy in a casual setting that included drinks aligned to the new weather-themed taxonomy.  
• We kicked off the first day of RSAC with the Diversity Executive Women’s Lunch, where I joined Aarti Borkar, Ann Johnson, Tanya Janca, and Lynn Dohm to discuss what industry, academia, government, and not-for-profits can do together as a community to nurture more women into successful careers in cybersecurity. With an audience of security leaders, not-for-profit representatives, community college students, and educators, this session welcomed an inspiring reflection on the importance of diversity for building a strong workforce, provided calls to action to make real difference, and enabled a great networking moment.

RSA Conference ancillary events

Microsoft Security Excellence Awards (MISA) members gathered on April 24 at The Fairmont Hotel to honor award winners in 11 security categories at the Microsoft Security Excellence Awards. The fourth annual awards give us an opportunity to recognize outstanding contributions of partners in our MISA organization. MISA is a coalition of Microsoft leaders and subject matter experts, independent software vendors, and managed security service providers working together to defend organizations around the world from increasing threats. Watch the awards yourself to see all the excitement!

Two nights later, Microsoft sponsored the 13th Annual Executive Dinner, hosted by Forgepoint Capital and PwC. The event’s theme was “Working Together in the New Era of Transparency and Resilience.” Guests enjoyed dinner, cocktails, and conversation about cybersecurity.

If you attended RSAC and engaged with Microsoft, please take a few minutes to respond to our RSAC 2023 survey so we can continue to improve your experience. My thanks to everyone who attended, and we’ll see you next year!   

Join us for Microsoft Build

We relish any opportunity to connect with customers and partners and hear your stories of how you’re innovating with technology. Thankfully, we don’t have long to wait. Join us in Seattle for Microsoft Build, including pre-day workshops on May 22, 2023, and keynotes, Expert Meet-ups, sessions, demos, and skill labs May 23 to 25, 2023. If you can’t attend in-person, consider attending virtually May 23 to 24, 2023. Register today to reserve your spot.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Security highlights from RSA Conference 2023 appeared first on Microsoft Security Blog.

Looking at the steady rise in cybercrime, it can feel like there are only gray skies on the horizon. Since September 2021 we saw the number of password attacks rise from 579¹ to 1,287² per second. That’s a staggering increase. But at Microsoft, we’re moving into the new year full of hope and resolution. We center our actions around the belief that cybersecurity is about people—to protect, involve, and empower everyone.

We’re committed to innovating against the threats of today and tomorrow by harnessing AI, machine learning, and cloud technologies all brought together in an end-to-end security cloud. Since July 2022, Microsoft Security has delivered more than 300 product innovations—from minor updates to major launches like Microsoft Entra Workload Identities (November 2022). In addition, we now have more than 15,000 partners integrated across our security ecosystem so customers have the power to choose what works best for them. In a time when security professionals are being asked to do more with less—fewer people, scant resources, and less time—Microsoft has responded with a simplified, comprehensive security approach that protects your entire multicloud, multiplatform digital estate. And we continue to foster a diverse, inclusive new generation of cyber defenders who will keep us all moving ahead—fearlessly. Here’s a look at some of our newest innovations to help you move into the new year with confidence.

Unified innovations to protect you comprehensively and make your job easier

According to Microsoft research, 72 percent of chief information security officers (CISOs) and other C-level security professionals say that it’s very important for a technology vendor to offer a comprehensive set of products across security, compliance, and identity.³ We continue to respond to this need, and over the past year, we’ve streamlined and simplified our security solutions into six integrated product families designed to decrease your costs and enable growth. This simplification makes it easier for you to anticipate vulnerabilities, manage risks, and navigate a rapidly evolving threat landscape and regulatory environment. This comprehensive solution with interconnected product families cover extended detection and response (XDR), security information and event management (SIEM), threat intelligence, identity and access management (IAM), endpoint management, cloud security, and data protection, compliance, and privacy. For organizations that want to extend their ability to defend and manage threats, we’ve added a new line of managed services—Microsoft Security Experts.

Integrated security defense

As cyberattacks become more sophisticated, Microsoft continues to keep pace. We’re always pushing our limits and improving our products to help you eliminate security gaps and protect more with less. During the latter half of 2022, we extended our vision of simplified, unified protection—delivering hundreds of innovations to help protect your entire digital estate. Some of our notable launches over the past six months include:

• Microsoft Defender for IoT adds agentless monitoring to secure enterprise IoT devices like Voice over Internet Protocol (VoIP), printers, and smart TVs—as well as Operational Technology (OT) devices in critical industries like energy, manufacturing, and healthcare.⁴ A dedicated integration with Microsoft 365 Defender adds XDR for Internet of Things (IoT) devices, which means less complexity and greater visibility within one unified security operational center. These entry points can be used to escalate laterally across your network and are often overlooked. 
• Microsoft Defender Cloud Security Posture Management (in preview), helps your security teams save time and remediate critical risks with contextual cloud security. Get a continuous security assessment of your resources running across Microsoft Azure, Amazon Web Services (AWS), Google Cloud, and on-premises systems with new agentless scanning capabilities that provide real-time assessments across hybrid and multicloud environments. 
• Microsoft Defender for DevOps (also in preview) integrates with Defender Cloud Security Posture Management to further connect the dots for security operations (SecOps) teams. Defender for DevOps empowers your team to unify and strengthen DevOps security to minimize vulnerabilities, then effectively prioritize and drive remediation across multipipeline environments. 
• Microsoft Defender External Attack Surface Management also integrates with Defender Cloud Security Posture Management to help provide a better picture of your attack surface, including shadow IT and other unseen assets accumulated through normal business growth. This gives SecOps the ability to discover unknown resources that are accessible from the internet—the same view an attacker has when selecting a target. With this new tool, your team is empowered to maintain a dynamic inventory of external resources across multiple cloud and hybrid environments, helping to monitor unmanaged resources that could serve as potential entry points. 
• Microsoft Defender Threat Intelligence empowers your team to better track threat actor activity and patterns.⁵ Uncover attacker infrastructure so you can accelerate your investigation and remediation with more context, insights, and analysis. Armed with this real-time data, your team can proactively hunt for threats, undertake custom threat intelligence processes and investigations, and even improve the performance of third-party security products.
• Microsoft Defender Experts for Hunting provides a proactive threat-hunting service for customers who would prefer to have Microsoft experts help them hunt down threats using Microsoft Defender data.⁶ This new service covers not only endpoints, but also Microsoft Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off contextual alert information and remediation instructions, enabling your team to respond quickly. 

Integrated data and identity protection

A recent industry study found that phishing, password spray, multifactor authentication fatigue, and other identity-driven attacks now account for 61 percent of breaches.⁷ And during the third quarter of 2022, approximately 15 million data records were breached worldwide—a 37 percent increase over the previous quarter.⁸ Because our adversaries aren’t slowing their attacks, we’ve continued to innovate and expand capabilities for Microsoft Entra, Microsoft Intune, and Microsoft Purview to help your team protect user identities, their endpoints, and the precious data that keep your business going.

• Microsoft Entra Permissions Management (formerly CloudKnox Security) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and Google Cloud.⁹ With Permissions Management, organizations can discover, remediate, and monitor permissions for all identities and resources across multicloud environments. This empowers your team to enforce the Zero Trust principle of least-privilege access at cloud scale using historical data—improving your security without interrupting productivity.
• Microsoft Entra Workload Identities extends advanced capabilities, such as Conditional Access and Identity Protection, to better manage lifecycles with insight into access activities and protect your non-human identities as well. 
• Microsoft Entra Verified ID—for Microsoft Azure Active Directory (Azure AD) subscribers (free and premium)—provides provides an easy option to issue, request, and verify credentials for employment, education, or any other claim.¹⁰ This decentralized identity system offers a convenient, portable way to verify your identity while controlling your own data.
• Microsoft Entra certificate-based authentication (CBA) through Azure AD strengthens access controls and helps organizations reduce infrastructure costs, so even customers who have regulatory requirements for CBA can move authentication to the cloud and eliminate the need for Active Directory Federation Services (AD FS).
• Microsoft Entra Identity Governance is a complete identity cloud-delivered governance solution to ensure that only the right people have access to the right resources. This service includes more advanced tools—lifecycle workflows that automate repetitive tasks like employee onboarding and separation of duties, which introduces checks and balances within entitlements management and provisioning back to your on-premises applications——and capabilities that were already available in Azure AD.
• Microsoft Purview Data Loss Prevention and new capabilities focused on granular policy configuration and context for post-incident investigation on endpoint devices help users make informed decisions and take the right actions while using sensitive data, helping balance security and productivity. A recent survey by MDC Research shows that a majority of customers purchase three or more products to meet their compliance and data protection needs. Stitching together disparate solutions is not only resource-intensive but also could lead to potential blind spots and gaps in an organization’s data protection strategy.¹¹
• Microsoft Purview Information Protection for Adobe Document Cloud provides a rights-management solution that helps you protect your data when shared in documents. This portable data protection solution combines native classification and labeling capabilities with the power of Adobe Acrobat to seamlessly secure PDFs with sensitivity labels and user-defined permissions. Available for Windows and macOS.
• Microsoft Purview Insider Risk Management offers analytics, quicker policy creation capabilities, new file path, keyword, and site URL exclusions to reduce false positives, and a new policy type to help detect risky browsing usage help organizations detect risky insider activities that may lead to a data security incident.¹² Data breaches arising from insider threats cost businesses an average of USD7.5 million annually. Our holistic insider risk management program report showed that the most effective way to address insider risks is to build a program focused on empowering your people, making user privacy a priority, collaborating across leadership, and addressing data protection and insider risk management from multiple lenses.¹³
• Microsoft Purview eDiscovery APIs help organizations lower costs by leveraging automation to streamline repetitive workflows. The automation and extensibility of eDiscovery workflows help reduce staff hours and the likelihood of costly human errors, which is critical for organizations with complex requirements for litigation and investigation.

Looking back, I am appreciative for all we’ve accomplished. These innovations across the Microsoft Security comprehensive solution empower your team to move into this year with confidence—six integrated product families to help you protect what matters most.

Creating a safer world for all is our north star; it’s what drives us toward relentless innovation. We hope you will join us in this goal and discover new ways to stay ahead of the bad actors. Today, Microsoft Security helps to protect billions of people around the globe. Our ability to process trillions of signals daily gives us a unique vantage point to scan the threat landscape and help protect against sophisticated new attacks. As proof, the number of Microsoft Security customers almost doubled in the last year to more than 860,000 worldwide. That’s why Microsoft is driving the future of cybersecurity by continuing to invest in AI, machine learning, and cloud technologies.

Join us at Microsoft Secure to hear about future innovations

Be among the first to hear important security announcements from Microsoft leaders and learn how your organization can eliminate security gaps and cut costs with simplified, comprehensive protection for the new year at Microsoft Secure on March 28, 2023. This new digital event will bring our customers, partners, and the defender community together to share perspectives on navigating the security landscape and to build on real-world experience. Register today!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

²Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

³Microsoft Security audience tracking research, November 2022.

⁴Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT, Michal Braverman-Blumenstyk and Nir Giller. July 11, 2022.

⁵Microsoft announces new solutions for threat intelligence and attack surface management, Vasu Jakkal. August 2, 2022.

⁶Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

⁷50 Identity And Access Security Stats You Should Know In 2022, Caitlin Jones. January 6, 2023.

⁸Number of data records exposed worldwide from 1st quarter 2020 to 3rd quarter 2022, Statista. November 29, 2022.

⁹Microsoft Entra Permissions Management is now generally available, Alex Simons. July 7, 2022.

¹⁰Microsoft Entra Verified ID now generally available, Ankur Patel. August 8, 2022.

¹¹New capabilities that help proactively secure data with Microsoft Purview Data Loss Prevention, Shilpa Bothra. October 12, 2022.

¹²Detecting and investigating security risks with new capabilities from Insider Risk Management, Talhah Mir. October 12, 2022.

¹³Microsoft publishes new report on holistic insider risk management, Bret Arsenault. October 6, 2022.

The post Microsoft Security innovations from 2022 to help you create a safer world today appeared first on Microsoft Security Blog.

Microsoft is committed to building a safer world together and helping you maximize the security you already have with your Microsoft investments. We’ve built a simplified and comprehensive security solution with six interconnected product families that protect your entire multicloud, multiplatform digital estate and leverage built-in threat intelligence from the 43 trillion signals we capture every day so you can catch what others miss.³ With Microsoft Security’s multicloud solution, you can simplify your approach to security through vendor consolidation and realize up to 60 percent cost savings.⁴ Essentially, you can do more with less.

We’re constantly looking for ways to bring more value and simplicity to our customers. At Microsoft Ignite, we announced five new innovations across our comprehensive portfolio so that you can confront the security threats you face. Customers with existing Microsoft 365 E5 licenses already have access to many of these resources—it’s simply a matter of turning them on. Keep reading for five ways you can do more—and secure more—with what you have in your security stack.  

1. Build in your security from the start

To stay protected across clouds, start secure with cloud-native protection throughout the cloud application lifecycle. As my colleague Shawn Bice explains in his blog post on Microsoft Defender for Cloud innovations, cloud security requires a comprehensive approach and a centralized, integrated solution to mitigate risk from code to cloud.

Unfortunately, too often, cybersecurity and development teams within organizations operate entirely apart from each other. Applications may be deployed without first addressing security in code. This may cause security problems to be discovered right before deployment or, in many cases, in runtime. Development teams then must scramble to reconfigure or rebuild the application to address the security team’s findings, creating inefficiencies.

With more bad actors exploiting vulnerabilities in the code itself, it’s critically important to build in security from the beginning. Microsoft believes secure code development should be the industry standard. We’re introducing Microsoft Defender for DevOps, which empowers security teams to unify, strengthen, and manage DevOps security, so you can minimize vulnerabilities and cloud misconfigurations, and effectively prioritize and drive remediation in code across multi-pipeline environments.

We also announced the preview of Microsoft Defender Cloud Security Posture Management (CSPM) so your security teams can save time and remediate the most critical risks with contextual cloud security. New agentless scanning capabilities provide full coverage and real-time assessments across hybrid and multicloud environments. Then, Defender CSPM connects the dots for security teams, integrating insights from Defender for DevOps, Microsoft Defender External Attack Surface Management (EASM), and your workload protection solutions. Instead of sifting through long lists of vulnerable resources, customers can use the attack path analysis built on the cloud security graph to help reduce recommendation noise by up to 99 percent so you can identify the most critical risk on the most important cloud resources along potential attack paths.

With Microsoft Defender for Cloud, our integrated cloud-native application protection platform (CNAPP), you can seamlessly integrate security from development to runtime and accelerate threat protection across your multicloud environments. Get started today with the preview of these new innovations, available in the Microsoft Defender for Cloud dashboard, to gain comprehensive protection across clouds.

2. Build your trust fabric with flexible and secure access  

Building secure apps is just the start. After all, more people now work outside the office for at least a portion of each week. Some never go into the office at all. This—along with infrastructure as code and the rise in apps and clouds—have made organizations increasingly dynamic, so they need to build a trust fabric in their organizations that includes flexible governance without sacrificing protection.

At Ignite, we announced the preview of Microsoft Entra Identity Governance, which helps your organization ensure that the right people have the right access to the right resources at the right time. This release extends our earlier investments in converged identity governance and access management solutions and delivers a comprehensive identity governance product for both on-premises and cloud-based user directories.

The newly released capabilities include Lifecycle Workflows, which automate repetitive tasks and separation of duties in entitlements management to safeguard against compliance issues. These capabilities complement our existing governance features—access reviews, access certification, entitlement management, and privileged identity management. Customers can begin using these features immediately. Licensing terms will be announced with the general availability of Lifecycle Workflows.

Now, when you choose Microsoft Entra Identity Governance, you can simplify operations, support regulatory requirements, and consolidate multiple identity point solutions. Optimization through consolidation is a major way that organizations can do more with less. Be more efficient by unifying your tools. With Microsoft Entra Identity Governance, you can automate employee, supplier, and business partner access to apps and services—in the cloud and on-premises—at enterprise scale.

3. Decrease insider risk and prevent sensitive data from being shared

Protecting people and devices is not just about threats coming from the outside. Organizations need inside-out protection too. A Microsoft study on insider risks found that companies reported an average of 20 data security incidents a year, with 40 percent of those companies reporting a financial impact of USD500,000 or more per incident. To prevent this, companies must make sure their sensitive data isn’t being inappropriately shared—or even removed—by employees, unintentionally or not.

The report recommends evolving to a holistic insider risk management program that makes it easier to prepare for and mitigate these insider risks. That means deploying a solution that optimizes data protection strategy across the cloud, apps, and devices while reducing complexity—vital to doing more with less in compliance. To support your organization’s efforts to protect against insider risks and keep sensitive data protected, we’re growing the Microsoft Purview family of data governance, risk, and compliance solutions.

Microsoft Purview helps protect sensitive data all along its journey, from data source to point of consumption. We announced the general availability of Microsoft Purview Information Protection for Adobe Document Cloud, combining the power of native classification and labeling with the power of Adobe Acrobat to seamlessly secure PDFs. Also in preview are several new data loss prevention capabilities—including granular policy management and contextual evidence for policy matches on endpoint devices—to prevent the unauthorized sharing or transfer of sensitive data. All of these new capabilities can be enabled in the Microsoft Purview compliance portal by customers with a Microsoft 365 E5 license or with the standalone Microsoft 365 E5 Compliance suite.

4. Manage securely across platforms and clouds

To help protect sensitive data, strong security against both external threats and insider risks relies on well-managed endpoints. In April 2022, we announced a plan to launch a series of premium endpoint management solutions to help bolster endpoint security, improve user experiences, and reduce the total cost of ownership. This suite will bring together mission-critical endpoint and security management tools in Microsoft Intune, our cloud-powered unified management solution, and will help protect endpoints in the cloud, on-premises, and across device platforms.

We have committed to innovating in advanced compliance and advanced security. The evolution of our advanced endpoint management plan is another step in providing a comprehensive solution. The suite will include capabilities such as endpoint privilege management, intelligent automation and data insights, remote help, and automated app patching. All these capabilities will be based on Microsoft Intune so you will benefit from our unified console and integrations with our entire security stack: Microsoft Azure Active Directory (now part of Microsoft Entra), Microsoft Defender, Microsoft Priva, and more. Customers with either a Microsoft 365 E3 or E5 license will be able to take advantage of the new suite once it launches in March 2023.

We’re also excited to announce that Microsoft Intune is now the new name for our expanding family of endpoint management products. We remain committed to our customers using Microsoft Configuration Manager and will meet you where you are in your journey to cloud management. Because hybrid work is here to stay, we will continue to deliver more value for better outcomes, better experiences, and simplified IT and security operations through our cloud solutions.

5. Protect at machine speed

We all know that endpoints are by no means where security stops. We are introducing the preview of automatic attack disruption in Microsoft 365 Defender, which helps protect organizations at machine speed where it all comes together—in the security operations center (SOC). Using the power of extended detection and response (XDR), Microsoft 365 Defender—available in a Microsoft 365 E5 license—correlates trillions of signals across identities, endpoints, email, documents, cloud apps, and more to detect in-progress attacks like ransomware and financial fraud. Automation enables you to be more effective by helping you detect and respond faster and more accurately to external attacks and insider risks.

Once an attack is detected in the environment, affected assets like compromised identities and endpoints are automatically isolated. This game-changing capability limits lateral movement and reduces the overall impact of an attack while leaving the SOC team in control of investigating, remediating, and bringing assets back online.

In addition to attack disruption, we’re going even further to help make your teams’ lives easier. We’ve simplified the investigation experiences in both Microsoft 365 Defender and Microsoft Sentinel to expedite incident response and help defenders stop breaches faster. We do this by reducing context switching.

Besides simplifying investigation experiences, we’re also introducing a new unified search experience and low-cost options of voluminous log storage to enable SOC teams to quickly search massive volumes of historic data. For more hands-on assistance, customers also can now get expert guidance and accelerate their migration to Microsoft Sentinel with Microsoft Sentinel Migration and Modernization Program.

Customers tell us that our tools that support the efforts of their security teams are incredibly valuable. Consider the story of Webber Wentzel, a leading law firm in South Africa. “Security professionals often become disillusioned and disheartened by their work,” said Warren Hero, Chief Information Officer of Webber Wentzel. “With the Microsoft security ecosystem, we now have opportunities for our people to engage in less tedious, more meaningful work while accelerating our security capabilities.”

Endpoint protection for 50 percent less

We know that doing more with less is not just about innovation. It’s also about access. That’s why we are excited to announce a new, limited-time offer to help organizations adapt more easily to the growing threat landscape and macroeconomic pressures. Starting on November 1, 2022, we are giving new and existing customers 50 percent off Microsoft Defender for Endpoint P1 and P2 licenses. This gives organizations looking to modernize their security portfolio the opportunity to move away from legacy antivirus solutions. This is the first step to an integrated security information and event management (SIEM) and XDR solution that improves visibility across identities and endpoints, so they can be more unified and increase SecOps efficiency.

Speaking of efficiency, maximizing the value of your current investments is a fantastic way to operate more efficiently. One of your biggest investments is your people. We can help you educate your employees by providing access to free online security training during Cybersecurity Awareness Month. This free training is available on our Cybersecurity Awareness Month website, along with other resources.

If all these innovations didn’t make it clear, we are absolutely committed to working with defenders and want to give you every tool and resource possible to support your organizations. Our more than 785,000 customers in 120 countries motivate us to maximize value for them by combining six product families into a comprehensive security approach that offers simplified management and built-in threat intelligence that harnesses inputs from 43 trillion signals we process and learn from every single day.³ Do more with whatever you’re already benefiting from, and we’ll continue to strengthen the security of our platform and applications so you can be confident about the security of your data centers and services. To learn more about our innovation announcements, watch the Microsoft Security keynote delivered at Microsoft Ignite 2022.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Gartner® Forecast: Information Security and Risk Management, Worldwide, 2020-2026, 3Q22 Update.  September 28, 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

²Cost of a Data Breach , IBM. 2022.

³Cyber Signals, Microsoft. 2022.

⁴Savings based on publicly available estimated pricing for other vendor solutions and web direct and base price shown for Microsoft offerings.​

The post 5 cybersecurity capabilities announced at Microsoft Ignite 2022 to help you secure more with less appeared first on Microsoft Security Blog.

The threat landscape is more sophisticated than ever and damages have soared—the Federal Bureau of Investigation’s 2021 IC3 report found that the cost of cybercrime now totals more than USD6.9 billion.¹ To counter these threats, Microsoft is continuously aggregating signal and threat intelligence across the digital estate, which is enabling us to track threat actors much more closely and to better understand their behavior over time. Today, Microsoft tracks 35 ransomware families, and more than 250 unique nation-states, cybercriminals, and other threat actors. Our cloud also processes and analyzes more than 43 trillion security signals every single day. This massive amount of intelligence derived from our platform and products gives us unique insights to help protect customers from the inside out. In addition, our acquisition of RiskIQ just over a year ago, has allowed us to provide customers unique visibility into threat actor activity, behavior patterns, and targeting. They can also map their digital environment and infrastructure to view their organization as an attacker would. That outside-in view delivers even deeper insights to help organizations predict malicious activity and secure unmanaged resources.

Building on our vision to provide unmatched, actionable threat intelligence, we’re thrilled to announce two new security products that provide deeper context into threat actor activity and help organizations lock down their infrastructure and reduce their overall attack surface:

• Track threat actor activity and patterns with Microsoft Defender Threat Intelligence. Security operations teams can uncover attacker infrastructure and accelerate investigation and remediation with more context, insights, and analysis than ever before. While threat intelligence is already built into the real-time detections of our platform and security products like the Microsoft Defender family and Microsoft Sentinel, this new offering provides direct access to real-time data from Microsoft’s unmatched security signals. Organizations can proactively hunt for threats more broadly in their environments, empower custom threat intelligence processes and investigations, and improve the performance of third-party security products. 
• See your business the way an attacker can with Microsoft Defender External Attack Surface Management. The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet—essentially the same view an attacker has when selecting a target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker.

These new threat intelligence offerings expand our growing security portfolio, offer deeper insights into threat actors and their behaviors, and help security teams accelerate the identification and prioritization of risks. Keep reading for more detail on these solutions, as well as the new detection and response capabilities for SAP from Microsoft Sentinel. Plus, find out where you can see a live product demo of all of our threat intelligence products at Black Hat.

Unmask your adversaries with Microsoft Defender Threat Intelligence 

Today, any device connected to the internet is susceptible to vulnerabilities. Understanding the gaps that can lead to vulnerabilities is key to building resilience.

Microsoft Defender Threat Intelligence maps the internet every day, providing security teams with the necessary information to understand adversaries and their attack techniques. Customers can access a library of raw threat intelligence detailing adversaries by name, correlating their tools, tactics, and procedures (TTPs), and can see active updates within the portal as new information is distilled from Microsoft’s security signals and experts. Defender Threat Intelligence lifts the veil on the attacker and threat family behavior and helps security teams find, remove, and block hidden adversary tools within their organization.

This depth of threat intelligence is created from the security research teams formerly at RiskIQ with Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC), and the Microsoft 365 Defender security research teams. The volume, scale, and depth of intelligence is designed to empower security operations centers (SOCs) to understand the specific threats their organization faces and to harden their security posture accordingly. This intelligence also enhances the detection capabilities of Microsoft Sentinel and the family of Microsoft Defender products.

Microsoft recognizes the importance of working together as a security community to help protect the digital world from threats. As such, the existing free edition will continue to be available. And as we look ahead, we’re excited to continue our journey of innovation and integration. Look for more news later this year on the expanding capabilities of our portfolio.  

Discover your vulnerabilities with Microsoft Defender External Attack Surface Management

Organizations need to see their business the way an attacker can so they can eliminate gaps and strengthen their security posture to help reduce the potential for attack. Many businesses have internet-facing assets they may not be aware of or have simply forgotten about. These are often created by shadow IT, mergers, and acquisitions, incomplete cataloging, business partners’ exposure, or simply rapid business growth. 

Microsoft Defender External Attack Surface Management scans the internet and its connections every day. This builds a complete catalog of a customer’s environment, discovering internet-facing resources—even the agentless and unmanaged assets. Continuous monitoring, without the need for agents or credentials, prioritizes new vulnerabilities. With a complete view of the organization, customers can take recommended steps to mitigate risk by bringing these unknown resources, endpoints, and assets under secure management within their security information and event management (SIEM) and extended detection and response (XDR) tools.  

Protect business-critical information within SAP with Microsoft Sentinel 

In the spirit of continuous innovation and bringing as much of the environment under secure management as possible, we are proud to announce the new Microsoft Sentinel solution for SAP. Security teams can now monitor, detect, and respond to SAP alerts, such as privilege escalation and suspicious downloads, all from our cloud-native SIEM. Business-specific risks can be unique and complicated. With the Microsoft Sentinel solution for SAP, customers can build custom detections for the threats they face and reduce the risk of catastrophic interruption.

Learn more

To learn more about these products, join us at Black Hat USA and see live demos at the Microsoft Booth 2340 from August 10 to 11, 2022. You can also register now for the Stop Ransomware with Microsoft Security digital event on September 15, 2022, to watch in-depth demos of the latest threat intelligence technology.  

Explore our new solutions:

• Microsoft Defender Threat Intelligence
• Microsoft Defender External Attack Surface Management

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Internet Crime Report 2021, Internet Crime Complaint Center, Federal Bureau of Investigation. 2021.

The post Microsoft announces new solutions for threat intelligence and attack surface management appeared first on Microsoft Security Blog.