Azure News and Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/tag/azure/
Expert coverage of cybersecurity topics. Feed generated Thu, 12 Sep 2024 21:05:08 +0000 (en-US).

Expanding horizons—Microsoft Security’s continued commitment to multicloud
http://approjects.co.za/?big=en-us/security/blog/2023/06/14/expanding-horizons-microsoft-securitys-continued-commitment-to-multicloud/ | Wed, 14 Jun 2023 17:00:00 +0000

Learn how to manage multicloud security risk with Microsoft's native multicloud protection for three of the industry’s main cloud platforms.

The post Expanding horizons—Microsoft Security’s continued commitment to multicloud appeared first on Microsoft Security Blog.

Multicloud strategies have become the new norm for most enterprises, with more than 90 percent of organizations adopting multiple cloud infrastructures, platforms, and services to run their businesses.[1] However, a lack of visibility into their digital infrastructure exposes them to significant risks. As a customer, you may run Microsoft Azure, workloads on Amazon Web Services (AWS), Google Cloud Platform (GCP), and even some workloads on-premises. You likely rely on services like Zoom or Salesforce. But fundamentally, you want it all to work securely and work together—regardless of service provider. Today we are excited to share additional innovations as we continue to expand our sphere of protection.

Figure 1. Globe graphic showing how software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) work together in a comprehensive security strategy.

Microsoft Security—extending our multicloud reach

At Microsoft, we have long embraced our commitment to protecting our customers’ multicloud environments. The journey began in July 2021, when we acquired CloudKnox Security to help customers manage permissions across clouds and strengthen their Zero Trust strategy.[2] That cloud infrastructure entitlement management (CIEM) solution has evolved to become Microsoft Entra Permissions Management, and is part of our comprehensive identity product family: Microsoft Entra. In February 2022, Microsoft Defender for Cloud expanded to include GCP and AWS, becoming the first cloud provider to offer integrated cloud-native application protection (CNAPP) for the three main public clouds—from development to runtime.[3] This past March, we introduced Microsoft Defender Cloud Security Posture Management for multicloud environments, including new data-aware security posture management capabilities to help customers identify risks across their data estate, and an improved multicloud security benchmark to better unify security and compliance across services. And finally, earlier this year we announced enhancements to Microsoft Purview to continue building on the promise of securing both structured and unstructured data wherever it lives.

Figure 2. Timeline of Microsoft Security’s journey to multicloud, starting in 2021 with the acquisition of CloudKnox Security, to the launch of Microsoft Entra and the extension of Microsoft Defender for Cloud to GCP and AWS in 2022, continuing with enhancements to Microsoft Purview in 2023, with more capabilities to come in 2024.

Securing your data wherever it travels

The amount of data being created and transferred is growing exponentially. This is taking place at a time when employees don’t just gather around the water cooler; they’re communicating across digital channels on personal and corporate devices. Modern workforces are distributed, and the digital fabric of any given organization is made up of multiple threads, adding layers of complexity. Additionally, the shift to multicloud makes the surface area of your data even larger. Without unified visibility across your multicloud data security posture, the shift adds to the complexity of identifying risks such as misconfigured object storage and databases.[4] You can hear more about this in the most recent Uncovering Hidden Risks podcast, which discusses the risks of running a multicloud strategy as customers accelerate their digital transformation. Organizations looking to proactively protect and manage multicloud environments often face challenges around data risk, data protection, and data compliance.

Data Risk—Data doesn’t move itself; people move and interact with data, and that’s where the majority of data security risks stem from. In fact, data security incidents are commonly caused by insider actions, accounting for nearly 35 percent of all unauthorized incidents.[4] Even the strongest cybersecurity programs can be undermined by insiders who either intentionally or unintentionally compromise an enterprise. To assist you in identifying data risks across various environments, we are pleased to share that you can now bring your own risk detections into Microsoft Purview Insider Risk Management. For example, you can import events from customer relationship management (CRM) systems, such as Salesforce, or developer tools like GitHub. These user activities can then be used as custom indicators in insider risk policies, combined with other built-in indicators, offering organizations a comprehensive view and understanding of potential data security risks posed by an insider. You can learn more about it from our blog “Manage insider risks in multicloud environments.”

Data Protection—The loss of sensitive data remains the top security concern for IT and security professionals. This often leads to the deployment of multiple solutions to manage data loss across different environments, which could lead to both blind spots and data leakage. It is crucial to have integrated solutions that can protect sensitive data across your digital landscape. In addition to supporting Microsoft 365 apps, services, Microsoft Edge, and Windows endpoints, Microsoft Purview Data Loss Prevention (Purview DLP) supports macOS endpoints, virtualized environments such as Citrix, Windows Virtual Desktop, Amazon Workspaces, and Hyper-V platforms, and the Google Chrome and Firefox browsers. We are continuing to expand our capabilities to allow you to cover all egress risks. Today we are excited to announce that organizations can now leverage Purview DLP to prevent their users from pasting sensitive content into websites on supported browsers. For example, let’s say a user copies customer information from an internal CRM system or SQL database, and pastes it into personal email, social media sites, or generative AI prompts on a supported browser like Microsoft Edge, Google Chrome, or Firefox. Based on the pre-set policy, Purview DLP will audit, warn, or block the action to prevent leaking sensitive information. Learn more in our blog here.

Data Compliance—The compounding impact of a complex regulatory environment and the growing adoption of cloud services makes it increasingly difficult for organizations to identify compliance risks. We are excited to share that you can now run multicloud assessments in Microsoft Purview Compliance Manager. This feature lets you assess your compliance posture across your organization’s multicloud estate, including Azure, AWS, GCP, and services like Zoom and Salesforce. For example, for a regulation such as Payment Card Industry Data Security Standard, you can aggregate and automate your compliance posture across all in-scope services. You can learn more about it in our latest blog.

Be sure to explore our videos on Multicloud Assessments from Microsoft Mechanics, and delve into the latest overview of Microsoft Defender for Cloud by Microsoft Solution Architect, John Savill. This is the first of a series of exciting multicloud innovations, with more in store over the next few months. Stay tuned!

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] 2023 State of the Cloud Report, Flexera, 2023.
[2] Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management, Microsoft Security Team, July 21, 2021.
[3] Microsoft Announces new Security Capabilities for the Multicloud World, Microsoft Stories Asia, February 24, 2022.
[4] Insider threat peaks to highest level in Q3 2022, Maria Henriquez, November 10, 2022.

2022 in review: DDoS attack trends and insights
http://approjects.co.za/?big=en-us/security/blog/2023/02/21/2022-in-review-ddos-attack-trends-and-insights/ | Tue, 21 Feb 2023 18:00:00 +0000

With DDoS attacks becoming more frequent, sophisticated, and inexpensive to launch, it’s important for organizations of all sizes to be proactive and stay protected. In this blog, we detail trends and insights into DDoS attacks we observed and mitigated throughout 2022.

As organizations strengthen their defenses and take a more proactive approach to protection, attackers are adapting their techniques and increasing the sophistication of their operations. Cybercrime continues to rise with the industrialization of the cybercrime economy providing cybercriminals with greater access to tools and infrastructure.

In the first half of 2022, the cyberthreat landscape was focused around the war in Ukraine and the rise of nation state attacks and hacktivism across the world. In February, Ukraine was hit with the largest distributed denial of service (DDoS) attack ever in the country’s history, impacting government websites and banking web services. As the conflict continued, there was a ripple effect to western countries, including the UK, US, and Germany. UK financial services firms experienced a significant increase in DDoS attacks as they were heavily targeted by nation state attackers and hacktivists looking to disrupt Ukraine’s allies.

Hacktivism continued to be rampant throughout the year, including Taiwanese websites experiencing outages in August 2022 due to DDoS attacks ahead of House Speaker Nancy Pelosi’s arrival in Taiwan. Beyond attacks with political motives, DDoS attacks also impacted a wide range of industries. In particular, the gaming industry continued to be highly targeted. In March 2022, a DDoS attack brought down the game servers of Among Us, preventing players from accessing the popular multiplayer game for a few days. A new version of RapperBot (heavily inspired by the Mirai botnet) was used in the second half of 2022 to target game servers running Grand Theft Auto: San Andreas.

In this blog, we share trends and insights into DDoS attacks we observed and mitigated throughout 2022.

Large volume of attacks during the holiday season

In 2022, Microsoft mitigated an average of 1,435 attacks per day. The maximum number of attacks in a day recorded was 2,215 attacks on September 22, 2022. The minimum number of attacks in a day was 680 on August 22, 2022. In total, we mitigated upwards of 520,000 unique attacks against our global infrastructure during 2022.

Figure 1. Attack volume: number of daily DDoS attacks throughout 2022.

This year, we saw a lower volume of attacks in June through August and a high volume of attacks during the holiday season until the last week of December. This is in line with attack trends we have seen in the last few years, except for 2021, when there were fewer attacks during the holiday season. In May, we mitigated a 3.25 terabits per second (Tbps) attack in Azure, the largest attack in 2022.

DDoS protection tip: Make sure to avoid having a single virtual machine backend so it is less likely to get overwhelmed. Azure DDoS Protection covers scaled out costs incurred for all resources during an attack, so configure autoscaling to absorb the initial burst of attack traffic while mitigation kicks in.

TCP attacks remain the most common attack vector

TCP attacks were the most frequent form of DDoS attack encountered in 2022, comprising 63% of all attack traffic, which includes all TCP attack vectors: TCP SYN, TCP ACK, TCP floods, etc. Since TCP remains the most common networking protocol, we expect TCP-based attacks to continue to make up most DDoS attacks. UDP attacks were significant as well, with 22% of all attacks (combined for UDP flood and UDP amplification attacks), while packet anomaly attacks made up 15% of attacks.

Figure 2. Attack type: TCP flood attacks made up 63% of attacks, packet anomaly attacks 15%, UDP flood attacks 13%, and UDP amplification attacks 9%.

Out of UDP flood attacks, spoofed floods consumed most of the attack volume with 53%. The remaining attack vectors were reflected amplification attacks, with the main types being CLDAP, NTP, and DNS.

We observed TCP reflected amplification attacks becoming more prevalent, with attacks on Azure resources using diverse types of reflectors and attack vectors. This new attack vector takes advantage of improper TCP stack implementations in middleboxes, such as firewalls and deep packet inspection devices, to elicit amplified responses that can reach infinite amplification in some cases. As an example, in April 2022, we monitored a reflected amplified SYN+ACK attack on an Azure resource in Asia. The attack reached 30 million packets per second (pps) and lasted 15 seconds. Attack throughput was not very high; however, there were 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure.

DDoS protection tip: To protect against UDP and TCP attacks, we recommend using Azure DDoS Protection. For gaming customers, consider using A10 virtual appliances and Azure Gateway Load Balancers to help with volume-based attacks.

Figure 3. Attack duration throughout 2022, ranging from 1-2 minutes up to over 10 hours.

Shorter duration attacks were more commonly observed this past year, with 89% of attacks lasting less than one hour. Attacks spanning one to two minutes made up 26% of the attacks seen this year. This is not a new trend, as shorter attacks require fewer resources and are more challenging to mitigate for legacy DDoS defenses. Attackers often use multiple short attacks over the span of multiple hours to make the most impact while using the fewest resources.

Short attacks take advantage of the time it takes systems to detect the attack and for mitigation to kick in. While time to mitigation may only take one or two minutes, the information from those short attacks can make it into the backend of services, impacting legitimate usage. If a short attack can cause a reboot of the systems, this can then trigger multiple internal attacks as every legitimate user tries to reconnect at the same time.

DDoS protection tip: Use Azure Web Application Firewall to protect web applications.

US, India, and East Asia top regions targeted by attacks

Figure 4. Attack destinations by region: US 45%, India 13%, East Asia 11%, Europe 10%, with the remaining attacks targeting Korea, South East Asia, the UK, Australia, Brazil, and Canada.

As with previous years, most attacks were launched against US-based resources, with India, East Asia, and Europe making up a large portion of remaining attacks. The rising adoption of smartphones and popularity of online gaming in Asia will likely contribute to increased exposure to DDoS attacks. This also applies to countries accelerating digital transformation and cloud adoption.

DDoS Protection Tip: Frequent and regular DDoS simulation testing done by any of our testing partners helps ensure consistent protection for services.

Hacktivism is back

We saw politically motivated DDoS attacks ramping up on a large scale in 2022. Notably, a hacking group named Killnet targeted western government, healthcare, education, and financial firms. Killnet has been a vocal supporter of Russia’s war in Ukraine, using DDoS attacks as its primary weapon to create chaos in western countries. The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published a guide to help governments and organizations respond effectively to DDoS attacks, especially those launched by hacker groups like Killnet.

IoT devices increasingly used to launch DDoS attacks

In 2022, Internet of Things (IoT) devices were consistently used in DDoS attacks, which expanded into use in cyber warfare, such as in Ukraine. A growing number of attacks repurposed existing malware or leveraged the modular nature of botnets to carry out these attacks. Threat actors have also turned to a growing criminal black market to purchase malware and solutions to grow their malicious toolkit.

Well-known botnets, such as Mirai, have also been observed in use by nation-state threat actors and growing criminal enterprises. The persistence of malware like Mirai from year to year has highlighted its adaptability and its potential to infect a wide range of IoT devices and exploit new attack vectors. While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash.

What’s ahead for 2023?

In 2023, cybercrime will likely continue to rise as new threats and attack techniques emerge. We increasingly see DDoS attacks being used as distractions to hide more sophisticated attacks happening at the same time, such as extortion and data theft. New IoT DDoS botnets will emerge, and attacks from them will continue to be prevalent and cause significant disruption. We are also observing a rise in DDoS attacks from account takeovers, where malicious actors gain unauthorized access to resources to launch DDoS attacks. As geopolitical tensions continue to emerge globally, we will likely continue to see DDoS being used as a primary tool for cyberattacks by hacktivists.

With DDoS attacks becoming more frequent, sophisticated, and inexpensive to launch, it’s important for organizations of all sizes to be proactive, stay protected all year round, and develop a DDoS response strategy.

Cloud-native DDoS protection at any scale

Azure provides comprehensive solutions to protect your valuable data and resources from the most sophisticated DDoS attacks at any scale. Azure DDoS Protection provides always-on traffic monitoring to automatically mitigate an attack when detected, adaptive real-time tuning that compares your actual traffic against predefined thresholds, and full visibility into DDoS attacks with real-time telemetry, monitoring, and alerts. Customers using Azure DDoS Protection have access to the DDoS Rapid Response (DRR) support team to engage experts for help during an active attack. Protection is simple to enable and designed to meet the needs of all organizations, including a cost-effective SKU for small and medium businesses (SMBs).

For more insights on the latest threat intelligence, visit Security Insider.

Detecting malicious key extractions by compromised identities for Azure Cosmos DB
http://approjects.co.za/?big=en-us/security/blog/2022/06/23/detecting-malicious-key-extractions-by-compromised-identities-for-azure-cosmos-db/ | Thu, 23 Jun 2022 16:00:00 +0000

Azure Cosmos DB is a fully managed NoSQL cloud database service for modern app development. It offers a variety of advanced built-in features, such as automatic worldwide data replication, lightning-fast response times, and a variety of APIs. In this blog post, we describe security practices for securing access to Azure Cosmos DB and show how monitoring relevant control plane operations, as performed by Microsoft Defender for Azure Cosmos DB, can help detect potentially compromised identities.

Authentication and authorization

Operating Azure Cosmos DB databases requires valid credentials to be provided with each request. The main type of credential is a pair of access keys, known as primary and secondary, which are generated as part of the Azure Cosmos DB account creation and can be retrieved through the management API using the ListKeys operation. These keys provide full control over the account, including configuration of databases, deployment of server-side logic, and common read and write data transactions. The keys are generated as a pair to enable continuous availability during key rotations: while the primary key is in use, the secondary key is rotated, and vice versa.

Another type of authentication and access control supported by Azure Cosmos DB is the role-based access control (RBAC) mechanism based on Microsoft Azure Active Directory (Azure AD).[1] Principals authenticated in Azure AD can be assigned distinct roles that grant specific permissions to the databases and various objects in the Cosmos DB account. The roles can be chosen from several built-in alternatives or customized by the account owner.

Secured architecture controls

When an application design contains a database, there are access control security practices that should be applied to improve the security posture. These practices are well known in database security and should be implemented through the built-in capabilities of Azure Cosmos DB. Here are two examples:

  1. Employ three-tier architecture to restrict access to databases only by application servers but not directly by clients. Implementation of such a design can be achieved by properly configuring the Cosmos DB firewall to provide access only to specific IP addresses or subnets.
  2. Assign least privileged access to the entities that communicate with the databases. By using RBAC authorization, as mentioned previously, it is possible to set a strict access model to Azure Cosmos DB and minimize its attack surface. Application servers that perform data transactions should be authorized to perform those, but not environment configuration activities such as deleting collections or uploading stored procedures. On the other hand, authorization to deployment operations can be given to engineering teams and continuous integration and continuous delivery (CI/CD) systems. When all the entities are configured with proper roles and access, it is advised to disable the access keys to mitigate a leaked key threat.

Cloud-based attack vector

With all the aforementioned security controls in place, there is another attack vector that needs to be addressed when securing a cloud application. The potential threat can be realized through authorized control plane access to Azure Resource Manager (ARM), which is responsible for resource provisioning and their configuration. In the context of Azure Cosmos DB, ARM can be queried to retrieve Cosmos DB access keys, as well as handle requests for changes in the database firewall rules. Bypassing the access control of the management interface is a high barrier for threat actors, so their widely adopted tactic is to get credentials through attacks on the users. Therefore, a supplemental layer of security against compromised customer accounts is achieved by continuous monitoring of authorized operations.

If the access keys are disabled according to security practices, then the key leakage scenario is not valid. An interesting point to note is that in these cases there are no entities that should perform the ListKeys operation. Thus, if it is monitored by a security service it serves as a detection of a potential compromise of the acting identity.

Monitoring suspicious key extractions

Data traffic of your Azure Cosmos DB accounts—including any attempts to access, read, or change the stored data—is monitored by Microsoft Defender for Azure Cosmos DB. Defender contains a growing collection of detections that cover various security scenarios. For example, signals are triggered when the account is accessed from an anomalous or suspicious location, an abnormally high amount of data is extracted, or a potentially malicious query is executed. In case a significantly suspicious pattern is detected, a security alert is sent to the account’s security administrator, with descriptive information and suggested steps to mitigate the detected threats and prevent future attacks. Securing and monitoring access to Azure Cosmos DB content is important and should be augmented with monitoring of control plane operations. In modern databases, such as Cosmos DB, authentication is provided using shared keys. If keys are leaked or compromised, their use by malicious actors blends among legitimate usage—as no individual user profile is visible in the data plane logs. Additionally, in case of attacks (such as data exfiltration for theft and data encryption for ransomware), early detection increases the effectiveness of incident response and reduces the damage.

Control plane monitoring enables analysis of management activities on resources (such as changing access policies, and listing and setting access keys) and allows mapping them to authorized users. It is important to monitor management operations that are relevant for security scenarios. For example, accessing data in Azure Cosmos DB with key-based authentication requires getting the access keys, which appears as the ListKeys operation in the control plane log. Other examples of operations include encryption and changing access policies or keys.

These operations are important, but in most cases they are normal and legitimate. However, if the operation is significantly anomalous (performed from an unexpected IP address, by a seldom-seen user, or using weak authentication, for example), it might indicate a malicious attempt to access the account and should be investigated by the resource owner. Alternatively, mass execution of such operations could indicate a breach even if no anomalous pattern exists.

We recommend flagging suspicious important management operations based on several types of indicators:

  1. New anomalous entity, such as previously unseen and unexpected source IP, application, and authentication type. In case the set of known entities is small enough, and no new entities are routinely appearing, any new entity is deemed unexpected. Thus, it might indicate either addition of a legitimate entity or the appearance of a malicious actor, and should be investigated.
  2. Anomalous pairing indicates an anomalous connection between two existing variables. For example, an important operation performed by a known user who previously never worked on a related resource group might indicate something like a compromised identity, or a connection between the source device and target resource that have never communicated before. This can be detected by modeling the probability of similarity of connection between meaningful pairs of variables.
  3. Suspicious indicators, such as source IPs flagged with threat intelligence signals, operation patterns resembling known penetration testing, or attack tool usage. Additional secondary indicators that increase the likelihood of potential misuse should be monitored as well. Examples include operations performed using weak authentication (no multifactor authentication) and suspicious errors (indicating potential reconnaissance efforts). These indicators are commonly derived from security research of known vulnerabilities and attack patterns.
  4. Mass operation: Even in case no anomalous indicators exist, a sufficiently high amount of successful or failed operations should be investigated due to potential high impact. Such an event can indicate enumerating or gaining access to resources en masse. Even though a substantial number of failed operations is a weaker signal, it is important, since it can be an early indication of an attack that employs blind scanning.

Various indicators can be integrated into cumulative anomaly scores for individual operations or a batch, depending on the scenario. Since the monitored operations are important, high anomaly scores may indicate a malicious access attempt and need to be investigated promptly. In the case of a true positive, real damage can be prevented before a malicious payload is executed. In the case of a false positive, the item can be quickly dismissed by the resource owner after steps for future prevention of such cases are considered.
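As an added illustration of the four indicator types just described (this is example code, not the logic of Microsoft Defender for Azure Cosmos DB), the Python below scores constructed control-plane records for the ListKeys operation against a baseline of known entities and pairings, and raises a separate mass-operation finding on volume alone. The simplified record layout, the weights, and the thresholds are assumptions made for the example.

```python
"""Anomaly scoring for Azure Cosmos DB ListKeys control-plane operations.

Added example for this post, not Microsoft Defender's detection code. It applies
the four indicator types the post lists (new entity, anomalous pairing, suspicious
indicators, mass operation) to constructed, Activity-Log-shaped records.
"""
from collections import Counter

LISTKEYS_OP = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"

# Weights and thresholds are arbitrary choices for the example, not published values.
WEIGHTS = {"new_ip": 3, "new_caller": 3, "new_auth_type": 2, "new_caller_rg_pair": 2,
           "threat_intel_ip": 4, "no_mfa": 1, "failed": 1}


def rec(caller, ip, rg, auth, mfa=True, status="Succeeded", op=LISTKEYS_OP):
    """Build a simplified control-plane log record (field names are assumptions)."""
    return {"caller": caller, "ip": ip, "rg": rg, "auth": auth,
            "mfa": mfa, "status": status, "op": op}


# Constructed baseline: ListKeys calls seen during a learning window, all legitimate.
BASELINE = [
    rec("cicd-sp@contoso.example", "203.0.113.10", "rg-prod", "ServicePrincipal", mfa=False),
    rec("cicd-sp@contoso.example", "203.0.113.10", "rg-prod", "ServicePrincipal", mfa=False),
    rec("alice@contoso.example", "198.51.100.7", "rg-dev", "User"),
]

# Constructed batch under evaluation:
#  [0] routine CI/CD call, identical to the baseline;
#  [1] known user, known IP, but a resource group she never touched, without MFA;
#  [2] unseen caller from an unseen IP on a threat-intel list, and the call failed;
#  [3] a non-ListKeys operation, which the monitor ignores.
NEW_EVENTS = [
    rec("cicd-sp@contoso.example", "203.0.113.10", "rg-prod", "ServicePrincipal", mfa=False),
    rec("alice@contoso.example", "198.51.100.7", "rg-prod", "User", mfa=False),
    rec("bob@contoso.example", "192.0.2.200", "rg-dev", "User", mfa=False, status="Failed"),
    rec("alice@contoso.example", "198.51.100.7", "rg-dev", "User",
        op="Microsoft.DocumentDB/databaseAccounts/read"),
]
# Twelve more routine calls from the known CI/CD principal: nothing is individually
# anomalous, but the volume alone should be reviewed (mass operation).
MASS_EVENTS = [BASELINE[0]] * 12
THREAT_IPS = {"192.0.2.200"}  # constructed threat-intelligence feed entry


def build_baseline(history):
    """Collect the entities and (caller, resource group) pairings seen in legitimate history."""
    base = {"ips": set(), "callers": set(), "auths": set(), "pairs": set()}
    for e in history:
        if e["op"] != LISTKEYS_OP:
            continue
        base["ips"].add(e["ip"])
        base["callers"].add(e["caller"])
        base["auths"].add(e["auth"])
        base["pairs"].add((e["caller"], e["rg"]))
    return base


def score_event(e, base, threat_ips=frozenset()):
    """Return (score, reasons) for one ListKeys record against the baseline."""
    reasons = []
    if e["ip"] not in base["ips"]:
        reasons.append("new_ip")
    if e["caller"] not in base["callers"]:
        reasons.append("new_caller")
    elif (e["caller"], e["rg"]) not in base["pairs"]:
        reasons.append("new_caller_rg_pair")  # known user, unfamiliar resource group
    if e["auth"] not in base["auths"]:
        reasons.append("new_auth_type")
    if e["ip"] in threat_ips:
        reasons.append("threat_intel_ip")
    if e["auth"] == "User" and not e["mfa"]:
        reasons.append("no_mfa")  # weak authentication is a secondary indicator
    if e["status"] != "Succeeded":
        reasons.append("failed")  # failures can be an early sign of reconnaissance
    return sum(WEIGHTS[r] for r in reasons), reasons


def evaluate(events, base, threat_ips=frozenset(), alert_threshold=3, mass_threshold=10):
    """Flag individually anomalous ListKeys calls, then callers whose ListKeys volume
    in the batch reaches mass_threshold even when every call looked normal."""
    findings, per_caller = [], Counter()
    for e in events:
        if e["op"] != LISTKEYS_OP:
            continue
        per_caller[e["caller"]] += 1
        score, reasons = score_event(e, base, threat_ips)
        if score >= alert_threshold:
            findings.append({"kind": "anomalous_listkeys", "caller": e["caller"],
                             "ip": e["ip"], "score": score, "reasons": reasons})
    for caller, n in per_caller.items():
        if n >= mass_threshold:
            findings.append({"kind": "mass_listkeys", "caller": caller, "count": n})
    return findings


if __name__ == "__main__":
    for f in evaluate(NEW_EVENTS + MASS_EVENTS, build_baseline(BASELINE), THREAT_IPS):
        print(f)
```

In a real deployment the baseline would be learned from the account's Activity Log over a window, and a cumulative score per resource owner would drive the alert, as the post describes.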

Detect security threats with Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB is a part of Microsoft Defender for Cloud. It covers alerts on both the data plane and the control plane, detecting potential SQL injections, known bad actors based on Microsoft threat intelligence, suspicious access patterns, and potential exploitation of databases by compromised identities or malicious insiders. Read Overview of Defender for Azure Cosmos DB to learn about its capabilities and detections.

Microsoft encourages you to develop a security strategy for your deployments in the cloud and protect Cosmos DB instances with the proposed detection solution.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Early RBAC capabilities are also provided by a legacy authentication method based on resource tokens, but it is largely obsolete now.

Securing your IoT with Edge Secured-core devices
http://approjects.co.za/?big=en-us/security/blog/2022/06/20/securing-your-iot-devices-with-edge-secured-core-devices/ | Tue, 21 Jun 2022 06:00:00 +0000

To simplify your IoT security journey, today we’re announcing the availability of Windows IoT Edge Secured-core devices in the Azure Certified Device catalog from Lenovo, ASUS and AAEON. We’re also announcing the availability of devices from Scalys and Eurotech that meet the Microsoft-sponsored Edge Compute Node protection profile, which is governed with industry oversight. And learn more on Microsoft’s investments in MCU security.

A recent study conducted by Microsoft in partnership with Ponemon Institute included a survey of companies that have adopted IoT solutions and 65 percent of them mentioned that security is a top priority when implementing IoT. Attacks targeting IoT devices put businesses at risk. Impacted devices can be bricked, held for ransom, employed as launch points for further network attacks, or used for malicious purposes. Among many consequences, we often see intellectual property (IP) and data theft and compromised regulatory status, all of which can have brand and financial implications on the business. 

Subsequently, we did a survey to understand the top concerns around the security of IoT devices, and we shared the findings in a previous blog about best practices for managing IoT security concerns. The following list summarizes the top security concerns from companies that have adopted IoT solutions:

  • Ensuring data privacy (46 percent).
  • Ensuring network-level security (40 percent).
  • Security endpoints for each IoT device (39 percent).
  • Tracking and managing each IoT device (36 percent).
  • Making sure all existing software is updated (35 percent).
  • Updating firmware and other software on devices (34 percent).
  • Performing hardware/software tests and device evaluation (34 percent).
  • Updating encryption protocols (34 percent).
  • Conducting comprehensive training programs for employees involved in IoT environment (33 percent).
  • Securely provisioning devices (33 percent).
  • Shifting from device-level to identity-level control (29 percent).
  • Changing default passwords and credentials (29 percent).

To help address these concerns, Microsoft is thrilled to announce today the general availability of the extension of our Secured-core platform to IoT devices along with new Edge Secured-core certified devices from our partners Aaeon, Asus, Lenovo and Intel in the Azure certified device catalog. We have added this new device certification for our Edge Secured-core platform so customers can more easily select IoT devices that meet this advanced security designation.   

As outlined in Microsoft’s Zero Trust paper, a key investment, especially around new devices, is to choose devices with built-in security. Devices built with Azure Sphere benefit from industry-leading built-in security, with servicing by Microsoft.

Announcements for Edge Secured-core

Edge Secured-core is a certification in the Azure Certified Device program for IoT devices. Devices that have achieved this certification provide enterprises the confidence that the devices they’re purchasing deliver the following security benefits:

  • Hardware-based device identity: In addition to the various security properties that a hardware-based device identity provides, this also enables the use of the hardware-backed identity when connecting to Azure IoT Hub and using the IoT Hub device provisioning service.  
  • Capable of enforcing system integrity: Uses a combination of processor, firmware, and OS support to measure system integrity, helping to ensure the device works well with Microsoft Azure Attestation.
  • Stays up-to-date and is remotely manageable: Receives the necessary device updates for a period of at least 60 months from the date of submission.
  • Provides data-at-rest encryption: The device provides built-in support for encrypting the data at rest using up-to-date protocols and algorithms.
  • Provides data-in-transit encryption: IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption.
  • Built-in security agent and hardening: Edge Secured-core devices are hardened to help reduce the attack surface and include a built-in security agent to help secure from threats.

In addition to addressing many of the top concerns that we’ve heard from customers around the security of their IoT devices, our data shows that Secured-core PCs are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. We’ve brought the learnings from Secured-core PCs to define the requirements for Edge Secured-core devices.

Today, we’re excited to announce that the following Windows IoT Edge Secured-core devices are available in the Azure Certified Device catalog:

  • ASUS PE200
  • Lenovo ThinkEdge SE30
  • Intel NUC
  • AAEON SRG-TG01

Additionally, Microsoft invests with semiconductor partners to build IoT-connected industry-certified MCU security platforms that align with Microsoft’s security standards.  

Get started with Microsoft Security

Email us to request a call for more information about Azure Sphere, Edge Secured-core devices, or industry-certified devices. Learn more about Azure IoT security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing your IoT with Edge Secured-core devices appeared first on Microsoft Security Blog.

]]>
Anatomy of a DDoS amplification attack http://approjects.co.za/?big=en-us/security/blog/2022/05/23/anatomy-of-ddos-amplification-attacks/ Mon, 23 May 2022 18:00:00 +0000 Amplification attacks are one of the most common distributed denial of service (DDoS) attack vectors. These attacks are typically categorized as flooding or volumetric attacks, where the attacker succeeds in generating more traffic than the target can process, resulting in exhausting its resources due to the amount of traffic it receives.

The post Anatomy of a DDoS amplification attack appeared first on Microsoft Security Blog.

]]>
Amplification attacks are one of the most common distributed denial of service (DDoS) attack vectors. These attacks are typically categorized as flooding or volumetric attacks, where the attacker succeeds in generating more traffic than the target can process, resulting in exhausting its resources due to the amount of traffic it receives. 

In this blog, we start by surveying the anatomy and landscape of amplification attacks, while providing statistics from Azure on most common attack vectors, volumes, and distribution. We then describe some of the countermeasures taken in Azure to mitigate amplification attacks. 

DDoS amplification attacks, what are they? 

Reflection attacks involve three parties: an attacker, a reflector, and a target. The attacker spoofs the IP address of the target to send a request to a reflector (e.g., an open server or a middlebox), which then responds to the target, a virtual machine (VM) in this case. For the attack to be amplified, the response must be larger than the request, resulting in a reflected amplification attack. The attacker’s motivation is to create the largest reflection out of the smallest requests. Attackers achieve this goal by finding many reflectors and crafting the requests that result in the highest amplification.

The diagram illustrates how the attacker pushes a reflection attack to a target virtual machine that is hosted in Azure.
Figure 1. Reflected amplification attack

The root cause of reflected amplification attacks is that an attacker can force reflectors to respond to targets by spoofing the source IP address. If spoofing were not possible, this attack vector would be mitigated. Much effort has therefore gone into disabling IP source address spoofing, and many organizations now prevent spoofing so that attackers cannot leverage their networks for amplification attacks. Unfortunately, a significant number of organizations still allow source spoofing. The Spoofer project shows that a third of IPv4 autonomous systems allow or partially allow spoofing.1

UDP and TCP amplification attacks 

Most attackers use UDP to launch amplification attacks, since the absence of a handshake makes it possible to reflect traffic sent with a spoofed IP source address.

While UDP makes it easy to launch reflected amplification attacks, TCP has a 3-way handshake that complicates spoofing attacks. As a result, IP source address spoofing is restricted to the start of the handshake. Although the TCP handshake allows for reflection, it does not allow for easy amplification, since the TCP SYN+ACK response is not larger than the TCP SYN. Moreover, since the TCP SYN+ACK response is sent to the target, the attacker never receives it and cannot learn the critical information contained in the TCP SYN+ACK that is needed to complete the 3-way handshake and continue making requests on behalf of the target.

The diagram illustrates how an attacker conducts a reflection attack in TCP. The attacker sends a spoofed SYN; the reflector answers with SYN+ACK and retransmits it, so a stream of out-of-state SYN+ACK packets arrives at the target virtual device.
Figure 2. Reflection attack in TCP 

In recent years, however, reflection and amplification attacks based on TCP have started emerging.  

Independent research found newer TCP reflected amplification vectors that utilize middleboxes, such as nation-state censorship firewalls and other deep packet inspection devices, to launch volumetric floods.2 Middlebox devices may be deployed in asymmetric routing environments, where they only see one side of the TCP connection (e.g., packets from clients to servers). To overcome this asymmetry, such middleboxes often implement a non-compliant TCP stack. Attackers take advantage of this misbehavior: they do not need to complete the 3-way handshake. They can generate a sequence of requests that elicit amplified responses from middleboxes and can reach infinite amplification in some cases. The industry has started witnessing these kinds of attacks from censorship and enterprise middleboxes, such as firewalls and IDPS devices, and we expect to see this trend grow as attackers look for more ways to create havoc utilizing DDoS as a primary weapon.

Carpet bombing is another example of a reflected amplification attack. It often utilizes UDP reflection, and in recent years TCP reflection as well. With carpet bombing, instead of focusing the attack on a single or few destinations, the attacker attacks many destinations within a specific subnet or classless inter-domain routing (CIDR) block (for example, /22). This makes the attack more difficult to detect and mitigate, since such attacks can fly below prevalent baseline-based detection mechanisms.

This diagram shows how an attacker uses reflectors to send spoofed packets to many target devices within a specific subnet hosted in Azure.
Figure 3. Carpet bombing attack 

One example of TCP carpet bombing is TCP SYN+ACK reflection, where the attacker sends spoofed SYNs to a wide range of random or pre-selected reflectors. In this attack, amplification is a result of reflectors that retransmit the TCP SYN+ACK when they do not get a response. The amplification of the TCP SYN+ACK response itself may not be large, and it depends on the number of retransmissions sent by the reflector. In Figure 3, the reflected attack traffic towards each of the target virtual machines (VMs) may not be enough to bring them down; collectively, however, the traffic may well overwhelm the targets’ network.

UDP and TCP amplification attacks in Azure 

In Azure, we continuously work to mitigate inbound (from internet to Azure) and outbound (from Azure to internet) amplification attacks. In the last 12 months, we mitigated approximately 175,000 UDP reflected amplification attacks. We monitored more than 10 attack vectors, where the most common ones are NTP with 49,700 attacks, DNS with 42,600 attacks, SSDP with 27,100 attacks, and Memcached with 18,200 attacks. These protocols can demonstrate amplification factors of up to x4,670, x98, x76 and x9,000 respectively. 

This pie chart shows the volume of UDP reflected amplification attacks observed in Azure from April 1, 2021, to March 31, 2022. The highest volume observed is 28% through NTP, while the lowest volume observed is 2% through OpenVPN.
Figure 4. UDP reflected amplification attacks observed from April 1, 2021, to March 31, 2022

We measured the maximum attack throughput in packets per second for a single attack across all attack vectors. The highest throughput was a 58 million packets per second (pps) SSDP flood in August last year, in a short attack campaign that lasted 20 minutes on a single resource in Azure. 

This bar chart shows the packets per second flooding observed from April 1, 2021, to March 31, 2022 in Azure. The tallest bar represents the maximum observed throughput of 58 million packets per second SSDP flooding, while the shortest bar represents below 10M packets per second CharGEN flooding.
Figure 5. Maximum pps recorded for a single attack observed from April 1, 2021, to March 31, 2022 

TCP reflected amplification attacks are becoming more prevalent, with new attack vectors discovered. We encounter these attacks on Azure resources utilizing diverse types of reflectors and attack vectors. 

One such example is a TCP SYN+ACK reflected amplification attack on an Azure resource in Asia. The attack reached 30 million pps and lasted 15 minutes. The attack throughput was not high; however, approximately 900 reflectors were involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure elements.

This line chart shows the TCP SYN+ACK amplification attack volume on a single resource as seen on Azure. The line chart shows a spike reaching 30 million packets per second with a 15 minute duration. The 15-minute window illustrates the packets per second volume going down in the middle of the 15-minute window, and tapers off abruptly at the end of the 15-minute window.
Figure 6. TCP SYN+ACK amplification attack volume on an Azure resource in Asia

We see many TCP SYN+ACK retransmissions associated with the reflector that doesn’t get the ACK response from the spoofed source. Here is an example of such a retransmission: 

This screenshot shows a TCP SYN+ACK retransmission that doesn't get the ACK response. The screenshot highlights the information from source to destination and through which protocol it passes.

The retransmitted packet was sent 60 seconds after the first. 
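The two observations above, an inbound SYN+ACK that no local host solicited and the same SYN+ACK repeated by a reflector that never gets its ACK, are what a defender can key on. The following Python is an added example, not code from the original post or from Azure: it replays a constructed packet capture taken at the edge of a protected /22, classifies each inbound SYN+ACK as in-state or out-of-state, counts retransmissions per reflector, and aggregates the spread of targets across the block, which is the carpet-bombing signal a per-host baseline misses. The protected prefix 203.0.112.0/22, all addresses and the thresholds are constructed.

```python
"""Out-of-state TCP SYN+ACK reflection and carpet-bombing detection (added example).

Packet records are constructed: (timestamp_s, src, sport, dst, dport, flags, seq),
as a capture at the edge of a protected network might supply them.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the protected block is 203.0.112.0/22 (documentation space, not a real deployment).
PROTECTED = ip_network("203.0.112.0/22")

PACKETS = [
    # A legitimate connection: a protected host sends SYN, the server answers SYN+ACK.
    (0.0, "203.0.113.5", 44321, "198.51.100.7", 443, "S", 1000),
    (0.1, "198.51.100.7", 443, "203.0.113.5", 44321, "SA", 5000),
    # Reflector 192.0.2.10 received spoofed SYNs: its SYN+ACKs arrive with no matching SYN,
    # and it retransmits the same segment while the ACK never comes.
    (1.0, "192.0.2.10", 80, "203.0.113.20", 3389, "SA", 7777),
    (2.0, "192.0.2.10", 80, "203.0.113.20", 3389, "SA", 7777),
    (4.0, "192.0.2.10", 80, "203.0.113.20", 3389, "SA", 7777),
    (1.2, "192.0.2.10", 80, "203.0.114.9", 3389, "SA", 7778),
    # Reflector 192.0.2.11 retransmits 60 seconds later, as in the capture discussed in the post.
    (1.5, "192.0.2.11", 80, "203.0.112.33", 3389, "SA", 9001),
    (61.5, "192.0.2.11", 80, "203.0.112.33", 3389, "SA", 9001),
    # Reflector 192.0.2.12 hits two more hosts spread across the block.
    (1.7, "192.0.2.12", 443, "203.0.115.200", 3389, "SA", 4242),
    (1.9, "192.0.2.12", 443, "203.0.113.77", 3389, "SA", 4243),
    # Traffic to an address outside the protected block is not ours to judge.
    (2.5, "192.0.2.12", 443, "198.51.100.50", 3389, "SA", 1),
]


def analyze(packets, protected):
    """Replay packets in time order and classify each inbound SYN+ACK.

    Returns {"legitimate": n, "reflectors": {src: {"packets", "retransmissions", "targets"}}}.
    """
    expected = set()                  # 4-tuples for which a protected host sent a SYN
    synack_seen = defaultdict(int)    # (src, sport, dst, dport, seq) -> times seen
    reflectors = defaultdict(lambda: {"packets": 0, "retransmissions": 0, "targets": set()})
    legitimate = 0
    for _ts, src, sport, dst, dport, flags, seq in sorted(packets, key=lambda p: p[0]):
        if flags == "S" and ip_address(src) in protected:
            expected.add((src, sport, dst, dport))      # remember the SYN we sent
            continue
        if flags != "SA" or ip_address(dst) not in protected:
            continue                                    # not an inbound SYN+ACK to us
        if (dst, dport, src, sport) in expected:
            legitimate += 1                             # answer to a SYN of ours: in state
            continue
        # Out-of-state: nobody here asked this host for a connection.
        key = (src, sport, dst, dport, seq)
        synack_seen[key] += 1
        entry = reflectors[src]
        entry["packets"] += 1
        entry["targets"].add(dst)
        if synack_seen[key] > 1:
            entry["retransmissions"] += 1               # same segment again: reflector retry
    return {"legitimate": legitimate, "reflectors": dict(reflectors)}


def carpet_bombing_indicators(report, min_reflectors=2, min_targets=3):
    """Aggregate per-reflector findings into the block-wide view a per-host baseline misses.

    Thresholds are constructed for the example; production values come from traffic baselines.
    """
    reflectors = report["reflectors"]
    targets = set().union(*(r["targets"] for r in reflectors.values()))
    return {
        "reflectors": len(reflectors),
        "unsolicited_synack": sum(r["packets"] for r in reflectors.values()),
        "retransmissions": sum(r["retransmissions"] for r in reflectors.values()),
        "distinct_targets": len(targets),
        "carpet_bombing": len(reflectors) >= min_reflectors and len(targets) >= min_targets,
    }


if __name__ == "__main__":
    report = analyze(PACKETS, PROTECTED)
    for src, entry in sorted(report["reflectors"].items()):
        print(f"{src}: {entry['packets']} unsolicited SYN+ACK, "
              f"{entry['retransmissions']} retransmissions, {len(entry['targets'])} targets")
    print(carpet_bombing_indicators(report))
```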

Mitigating amplification attacks in Azure 

Reflected amplification attacks are here to stay and pose a serious challenge for the internet community. They continue to evolve and exploit new vulnerabilities in protocols and software implementations to bypass conventional countermeasures. Amplification attacks require collaboration across the industry to minimize their effect. It is not enough to mitigate such attacks at a certain location, with a pinpoint mitigation strategy. It requires intertwining of network and DDoS mitigation capabilities. 

Azure’s network is one of the largest on the globe. We combine multiple DDoS strategies across our network and DDoS mitigation pipeline to combat reflected amplification DDoS attacks.

On the network side, we continuously optimize and implement various traffic monitoring, traffic engineering, and quality of service (QoS) techniques to block reflected amplification attacks right at the routing infrastructure. We implement these mechanisms at the edge and core of our wide area network (WAN), as well as within the data centers. For inbound traffic (from the internet), this allows us to mitigate attacks right at the edge of our network. Similarly, outbound attacks (those that originate from within our network) are blocked right at the data center, without exhausting our WAN or leaving our network.

On top of that, our dedicated DDoS mitigation pipeline continuously evolves to offer advanced mitigation techniques against such attacks. This mitigation pipeline offers another layer of protection, on top of our DDoS networking strategies. Together, these two protection layers provide comprehensive coverage against the largest and most sophisticated reflected amplification attacks.  

Since reflected amplification attacks are typically volumetric, it is not enough to implement advanced mitigation strategies; we must also maintain a highly scalable mitigation pipeline that can cope with the largest attacks. Our mitigation pipeline can mitigate more than 60 Tbps globally, and we continue to evolve it by adding mitigation capacity across all network layers.

Different attack vectors require different treatment 

UDP-based reflected amplification attacks are tracked, monitored, detected, and mitigated for all attack vectors. There are various mitigation techniques to combat these attacks, including anomaly detection across attacked IP addresses, L4 protocols, and tracking of spoofed source IPs. Since UDP reflected amplification attacks often create fragmented packets, we monitor IP fragments to mitigate them successfully.  

TCP-based reflected amplification attacks take advantage of poor TCP stack implementations and a large set of reflectors and targets. We adapt our mitigation strategies to detect and block attacks from both attackers and reflectors. We employ a set of mitigations to address TCP SYN, TCP SYN+ACK, TCP ACK, and other TCP-based attacks. Mitigation combines TCP authentication mechanisms that identify spoofed packets with anomaly detection that blocks attack traffic when data is appended to TCP packets to trigger amplification at reflectors.

The diagram shows how Azure uses mechanisms to stop amplification attacks as soon as a packet leaves a reflector or an attacker. Azure stops spoofed attacks in the following areas: 1. Attacks coming from an attacker-controlled reflector or directly from an attacker located outside the Azure-protected space, where the attack is going to a target virtual machine or a reflector located inside Azure; 2. Attacks coming from an attacker located within the Azure-protected space, where the attack is going to a reflector device outside of Azure, or going through a reflector device to target another virtual machine.
Figure 7. Amplification attack detection 

Get started with Azure DDoS Protection to protect against amplification attacks 

Azure’s DDoS mitigation platform mitigated the largest DDoS attacks in history by employing a globally distributed DDoS protection platform that scales beyond 60 Tbps. We ensure our platform and customers’ workloads are always protected against DDoS attacks. To enhance our DDoS posture, we continuously collaborate with other industry players to fight reflected amplification attacks.

Azure customers are protected against Layer 3 and Layer 4 DDoS attacks as part of protecting our infrastructure and cloud platform. However, Azure DDoS Protection Standard provides comprehensive protection for customers by auto-tuning the detection policy to the specific traffic patterns of the protected application. This ensures that whenever traffic patterns change, such as during a flash crowd event, the DDoS policy is automatically updated to reflect those changes for optimal protection. When a reflected amplification attack is launched against a protected application, our detection pipeline detects it automatically based on the auto-tuned policy. The mitigation policy, which is set automatically for customers without any need to configure or change it manually, includes the countermeasures needed to block reflected amplification attacks.

Protection is simple to enable on any new or existing virtual network and does not require any application or resource changes. Our recently released Azure built-in policies allow for better management of network security compliance by providing great ease of onboarding across all your virtual network resources and configuration of logs. 

To strengthen the security posture of applications, Azure’s network security services can work in tandem to secure your workloads, where DDoS protection is one of the tools we provide. Organizations that pursue zero trust architecture can benefit from our services to achieve better protection. 

Learn more about Azure DDoS Protection Standard 

Amir Dahan and Syed Pasha
Azure Networking Team

References 

1 The Spoofer project 

2 Weaponizing Middleboxes for TCP Reflected Amplification 

The post Anatomy of a DDoS amplification attack appeared first on Microsoft Security Blog.

]]>
Easy authentication and authorization in Azure Active Directory with No-Code Datawiza http://approjects.co.za/?big=en-us/security/blog/2022/05/17/easy-authentication-and-authorization-in-azure-active-directory-with-no-code-datawiza/ Tue, 17 May 2022 17:00:00 +0000 The acceleration of cloud journeys fueled by the pandemic, and ever-increasing concerns about data security and information privacy, have made access management one of the hottest topics.

The post Easy authentication and authorization in Azure Active Directory with No-Code Datawiza appeared first on Microsoft Security Blog.

]]>
This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

The acceleration of cloud journeys fueled by the pandemic and ever-increasing concerns about data security and information privacy have made access management one of the hottest topics in application security and Zero Trust architecture discussions. Over the last several years, the industry has made tremendous progress on identity and access management, and Microsoft Azure Active Directory (Azure AD), with its focus on Zero Trust comprehensive cloud-based identity services, is a perfect example of this.

Achieving a secure environment is top of mind for both public and private sector organizations, with research firm markets anticipating the global Zero Trust security market will grow from USD19.6 billion in 2020 to USD51.6 billion by 2026. The United States government has mandated a federal Zero Trust architecture strategy, while businesses of every size are working to implement modern identity and access management solutions that support single sign-on (SSO), multifactor authentication, and many other key features, including adaptive and context-aware policies, governance intelligence, and automation.1

To achieve Zero Trust for applications and services, we must ensure people are who they say they are and that only the right people have access to sensitive information. This is the only way to comply with evolving data privacy regulations such as General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Consequently, companies must create a comprehensive, manageable way to authenticate and authorize every attempt to access data—based on a least-privileged access principle—while still providing users with the secure self-service access they need.

Datawiza, a cloud-delivered, no-code platform for easily implementing both authentication and authorization for all types of applications and APIs, works with Azure AD to help IT accelerate this key area of the journey to Zero Trust and get the most value from their hybrid multicloud environments.

As an access management as a service (AMaaS) platform, Datawiza dramatically reduces the time and engineering costs required to integrate applications with Azure AD, eliminating months of development effort thanks to its no-code approach. Developers don’t have to learn complex modern SSO protocols like OpenID Connect (OIDC), OAuth, and Security Assertions Markup Language (SAML), or use different software development kits (such as .NET, Java, and PHP) to write integration code for each application.

Web client diagram utilizing Datawiza and Microsoft Azure Active Directory.

Leveraging Datawiza with Azure AD supports comprehensive SSO and multifactor authentication across applications, with fine-grained access controls. The application types can include:

  • Homegrown applications that are written in different programming languages such as Java, PHP, and Python. These applications can reside in multicloud environments or on-premises.
  • Legacy applications, such as those from Oracle, that were never designed for the cloud and may still rely on a legacy identity solution, such as Symantec SiteMinder, on-premises Lightweight Directory Access Protocol (LDAP), or custom-built basic authentication. In fact, Datawiza can empower companies to retire their legacy identity solutions.
  • Business-to-business (B2B) multi-tenant applications available to customers using Azure AD, as well as other identity platforms.
  • Open-source tools that would otherwise require expensive enterprise license fees from the vendor to use the SSO feature to connect with Azure AD.

Options for integrating homegrown and legacy applications with Azure AD

Integrating homegrown or legacy applications with Azure AD is imperative. Not doing so leads to critical security gaps. It also causes frustration for users who need to sign into multiple applications, as well as administrators who must constantly update user profiles in multiple locations.

Integrating these applications with Azure AD requires coding and security expertise. And whether you use your developer resources or legacy on-premises gateways, as we hear from our customers, it usually takes more time and resources than anticipated—distracting development and DevOps teams from their strategic tasks. If your organization relies on a hybrid multicloud environment, the challenges are even greater. You may also consider using a free open-source software proxy, such as OAuth2-proxy, but this is still time-consuming, providing little benefit compared to the do-it-yourself approach. Further, with each of these approaches, all the effort that goes into integrating a single application must be repeated for each additional application.

How the Datawiza No-Code platform works

The Datawiza No-Code platform offers a new approach, providing authentication and authorization as a service, so it can be implemented quickly, without the need to deploy any hardware or heavyweight enterprise software, or having to rewrite applications or write new code. Datawiza uses a lightweight, cloud-delivered proxy for connecting any application and service to Azure AD, and it can also integrate across other public and private clouds.

Integrating each application takes only minutes, so the more applications you need to integrate, the more time you save—all with a single Datawiza license. And with security expertise built-in, the Datawiza AMaaS platform eliminates the need to hire an expensive new resource or consultant, while also facilitating improved governance by providing policy-defined, URL-level access controls based on detailed user and device attributes, such as group, role, IP, or browser.

How Datawiza and Azure AD work together

  1. When a user attempts to log into any application, Datawiza intercepts the access request and authenticates it using a built-in connection to Azure AD through OIDC or SAML protocols. 
  2. The user signs in through the Azure AD login page, and the OIDC or SAML message exchanges with Azure AD and Datawiza are automatically completed on behalf of the application. 
  3. Datawiza authorizes the request based on the fine-grained access policies configured in the management console and user attributes from Azure AD. 
  4. Datawiza then sends the correct credentials to the application, which uses the fine-grained access policies configured in the management console to display only the appropriate information.
  5. An IT administrator configures the platform, applications, and access policies using the Datawiza management console, instead of having to deal with the configuration files scattered in hybrid multicloud environments. 

Datawiza’s integration with Microsoft Azure Active Directory.

Datawiza, the no-code path to Zero Trust access management

The Datawiza No-Code platform can accelerate your Azure AD journey to Zero Trust for your applications and APIs by eliminating the need for developers to extend controls to support Zero Trust requirements such as SSO and multifactor authentication. Datawiza authenticates and authorizes every employee, customer, contractor, or partner each time they access an application or API—with fine-grained access controls—and supports every type of application in hybrid multicloud environments. With Datawiza, policy administrators can leverage “change once, propagate everywhere” to keep policies, roles, and permissions updated and synced across hundreds or thousands of datasets. And Datawiza maintains the relationships between applications and Azure AD as the applications are updated, future-proofing your environment.

Learn more

Learn more about Microsoft identity and access management.

The Datawiza Platform is available in the Microsoft Azure Marketplace. More information and a free trial are also available on the Datawiza website.

To learn more about MISA, visit our MISA website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 Why companies are moving to a ‘zero trust’ model of cyber security, Bob Violino. March 3, 2022.

The post Easy authentication and authorization in Azure Active Directory with No-Code Datawiza appeared first on Microsoft Security Blog.

]]>
Automating your Microsoft security suite with D3 Smart SOAR   http://approjects.co.za/?big=en-us/security/blog/2022/05/03/automating-your-microsoft-security-suite-with-d3-smart-soar/ Tue, 03 May 2022 16:00:00 +0000 Learn how D3 Security and Microsoft help customers overcome common security operations center pain points with D3 XGEN SOAR and Microsoft Sentinel.

The post Automating your Microsoft security suite with D3 Smart SOAR   appeared first on Microsoft Security Blog.

]]>
Updated 3/31/2023: Since this blog was originally published, D3 Security changed the name of XGEN SOAR to Smart SOAR. This blog has been updated to reflect the new product name.

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

There are certain pain points in the average security operations center (SOC) that, no matter what else changes in the security landscape, stay among the most entrenched problems. You can probably name them off the top of your head: an overwhelming amount of security alerts; the ongoing shortage of skilled cybersecurity professionals; the inability to detect and respond to increasingly sophisticated attacks; and the proliferation of tools (76 in the average enterprise SOC) that do not always work well together.1 But these challenges have something else in common other than being the primary causes of headaches among security pros: they are all alleviated by security orchestration, automation, and response—better known as SOAR.2 Learn how D3 Security’s Smart SOAR integrates with Microsoft Sentinel and hundreds of other tools to help customers overcome SOC Analyst fatigue and disparate toolsets in this blog post. 

What is SOAR? 

Let’s start with the basics. SOAR is a category of powerful tools that integrate with other security systems, such as security information and event management (SIEM), endpoint detection and response (EDR), and firewalls, to ingest alerts, enrich them with contextual intelligence, and orchestrate remediation actions across the environment. SOAR tools use playbooks to automate and codify workflows to accelerate mean time to respond (MTTR) and standardize responses to common incident types. 

D3 Smart SOAR is a fully vendor-agnostic SOAR solution, which means it can maintain dozens of deep integrations with Microsoft tools—including Sentinel—and bring automation to security workflows in any environment. 

How Microsoft Sentinel customers use D3’s Event Pipeline to stay focused on real threats 

What does integrating D3 Smart SOAR with Microsoft tools mean for customers? Let’s take one narrow example and look at how D3’s Event Pipeline—a unique offering among SOAR platforms—acts on Microsoft Sentinel events to make the lives of security analysts much easier.3 

D3 ingests Microsoft Sentinel events for investigation and response. But as any SIEM operator knows, it is a delicate balance to configure your SIEM, and other alert-generating tools, so that you are capturing all the important incidents without an overwhelming amount of noise. That’s where D3’s Event Pipeline comes in. 

The path of alerts through D3 XGEN SOAR, from the alert source to the incident response phase. D3's Event Pipeline covers the normalization, triage, and dismissal and escalation phases.

When a Microsoft Sentinel event comes into D3, it goes through the Event Pipeline, a global automated playbook that acts on every incoming event or alert from a detection tool. The Event Pipeline works in three stages:

  • First, the data from the incoming event is normalized. The artifacts, such as IP addresses, user IDs, and URLs, are extracted, and metadata tagging is performed. 
  • Next is the triage stage. The event is deduplicated and correlated against other events. The artifacts are checked against integrated threat intelligence sources to determine risk, and MITRE ATT&CK tactic, technique, and procedure (TTP) labels are applied. 
  • In the final stage, the Microsoft Sentinel event is either dismissed as a false positive or escalated and assigned to an analyst. Dismissal and escalation rules are set by the user, based on criteria such as the risk scores from threat intelligence enrichment or the presence of key assets in the artifacts. 

The result of adding D3’s Event Pipeline to Microsoft Sentinel incident investigations is that 90 percent or more of Microsoft Sentinel events can be safely filtered out before they reach a human analyst, allowing the genuine threats to be properly investigated. 
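To make the three stages concrete, here is a small Python pipeline in the same shape (normalize, triage, then dismiss or escalate) run over constructed alerts; this is an added example, not D3's code or the Sentinel event schema, and the threat-intel scores, key-asset list, escalation threshold and keyword-to-ATT&CK rules are assumptions.

```python
"""Three-stage event pipeline (normalize -> triage -> dismiss/escalate) over constructed alerts."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample alerts, loosely shaped like SIEM incidents (not a real Sentinel schema).
SAMPLE_EVENTS = [
    {"id": "evt-1", "title": "Suspicious sign-in",
     "description": "User jdoe@example.com signed in from 203.0.113.10 and then "
                    "visited http://malicious.example/login"},
    {"id": "evt-2", "title": "Suspicious sign-in",          # exact re-fire of evt-1
     "description": "User jdoe@example.com signed in from 203.0.113.10 and then "
                    "visited http://malicious.example/login"},
    {"id": "evt-3", "title": "Port scan detected",
     "description": "Host 10.0.0.20 scanned by vulnerability scanner 10.0.0.9"},
    {"id": "evt-4", "title": "Interactive logon",
     "description": "User jdoe@example.com logged on to 10.0.0.5 from 198.51.100.7"},
]
THREAT_INTEL = {"203.0.113.10": 85, "malicious.example": 90}  # constructed: indicator -> risk 0..100
KEY_ASSETS = {"10.0.0.5"}                                      # constructed: assets that always get a human look
TTP_RULES = {"sign-in": "T1078 Valid Accounts", "logon": "T1078 Valid Accounts",
             "scan": "T1046 Network Service Discovery"}       # assumed title keyword -> ATT&CK label
ESCALATE_RISK = 70                                             # assumed user-set escalation threshold

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
USER_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


@dataclass
class Event:
    id: str
    title: str
    artifacts: dict = field(default_factory=dict)   # artifact type -> sorted unique values
    tags: list = field(default_factory=list)
    fingerprint: str = ""
    duplicates: int = 0
    related: list = field(default_factory=list)
    risk: int = 0
    ttps: list = field(default_factory=list)
    disposition: str = "pending"


def normalize(raw):
    """Stage 1: extract artifacts, tag them, and fingerprint the alert for deduplication."""
    text = raw["description"]
    urls = sorted(set(URL_RE.findall(text)))
    domains = sorted({u.split("://", 1)[1].split("/", 1)[0] for u in urls})
    ev = Event(raw["id"], raw["title"], {
        "ip": sorted(set(IP_RE.findall(text))), "user": sorted(set(USER_RE.findall(text))),
        "url": urls, "domain": domains})
    ev.tags = [kind for kind, values in ev.artifacts.items() if values]
    # Fingerprint on content, not on alert id, so re-fired copies of the same alert collapse.
    ev.fingerprint = hashlib.sha256((ev.title + repr(ev.artifacts)).encode()).hexdigest()[:16]
    return ev


def triage(events):
    """Stage 2: dedupe, correlate on shared users/IPs, enrich with threat intel, label TTPs."""
    unique, seen = [], {}
    for ev in events:
        if ev.fingerprint in seen:
            seen[ev.fingerprint].duplicates += 1
            continue
        seen[ev.fingerprint] = ev
        unique.append(ev)
    for ev in unique:
        mine = set(ev.artifacts["user"]) | set(ev.artifacts["ip"])
        ev.related = sorted(o.id for o in unique if o is not ev
                            and mine & (set(o.artifacts["user"]) | set(o.artifacts["ip"])))
        indicators = ev.artifacts["ip"] + ev.artifacts["domain"]
        ev.risk = max((THREAT_INTEL.get(i, 0) for i in indicators), default=0)
        ev.ttps = sorted({label for kw, label in TTP_RULES.items() if kw in ev.title.lower()})
    return unique


def dispose(ev):
    """Stage 3: apply the user-defined dismissal/escalation rules."""
    if ev.risk >= ESCALATE_RISK:
        ev.disposition = "escalate:high-risk-indicator"
    elif any(ip in KEY_ASSETS for ip in ev.artifacts["ip"]):
        ev.disposition = "escalate:key-asset"
    else:
        ev.disposition = "dismiss"
    return ev


def run_pipeline(raw_events):
    return [dispose(ev) for ev in triage([normalize(r) for r in raw_events])]


def summarize(raw_events, processed):
    """How much of the raw stream was kept away from a human analyst."""
    escalated = sum(1 for e in processed if e.disposition.startswith("escalate"))
    return {"raw": len(raw_events), "escalated": escalated,
            "filtered_pct": round(100 * (1 - escalated / len(raw_events)))}


if __name__ == "__main__":
    out = run_pipeline(SAMPLE_EVENTS)
    for e in out:
        print(e.id, e.disposition, "risk=%d" % e.risk, e.ttps, "related=%s" % e.related)
    print(summarize(SAMPLE_EVENTS, out))
```

On the constructed input, evt-2 collapses into evt-1 as a duplicate, evt-3 is dismissed, and evt-1 and evt-4 escalate (on indicator risk and on the key asset respectively) with each other recorded as related through the shared user artifact.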

Key Microsoft integrations 

D3’s integration with Microsoft Sentinel is just one of 33 integrations between D3 Smart SOAR and Microsoft tools. Twenty-two of those integrations are from the Azure suite. Some of the key integrations for common security operations use cases include Microsoft Defender for Endpoint, Microsoft 365, and Azure Active Directory (Azure AD). 

Microsoft Defender for Endpoint 

Microsoft Defender users can orchestrate 26 different actions from D3, including fetching events, enriching incidents with endpoint data, and quarantining infected hosts. This creates an automation-powered process for any endpoint security incident that acts quickly and conclusively before threats get out of control. 

Microsoft 365 

Phishing is still the entry point for most cyberattacks, which makes email a critical part of cybersecurity incident response. When a potential phishing email is detected, D3 can retrieve the email and attachments, parse out the artifacts, check the reputations of the artifacts against threat intelligence and past incidents, and determine if the email is a genuine threat. If it is, D3 can then find other instances of the email across the company’s inboxes and delete them. 

Azure Active Directory 

You may have heard it said that “identity is the new perimeter,” which underscores the importance of being able to act quickly in Azure AD during a security incident. Companies using Azure AD (and on-premises AD) can enrich D3 incidents with user and group information, manage users and groups from D3, and quickly orchestrate remediation actions like forcing a password reset or revoking a sign-in session.  

Security orchestration for MSSPs 

Managed security service providers (MSSPs) get similar benefits from D3 and Microsoft’s joint solutions as SOCs do, but at a greater scale.4 D3 has found that MSSPs are not always given direct access to all their clients’ tools, or may not want to become experts in every single tool their clients use if all they are doing with those tools is managing alerts. Instead, clients give their MSSP access to D3, from which it can manage the alerts from all their detection tools in a single interface.

This makes D3 a useful operations hub for MSSPs with clients that rely on Azure systems or other Microsoft tools. The MSSP can leverage D3’s integrations with Microsoft Sentinel, Microsoft Defender for Endpoint, Microsoft 365, and others, to handle alerts and even orchestrate response actions—without needing full access to their clients’ tools.5 The Event Pipeline is also a valuable tool in this scenario, allowing MSSPs to handle a much higher volume of alerts, without adding resources. 

Better together: Use cases for Microsoft and D3 Smart SOAR 

Use case 1: Investigation and orchestration across hybrid environments 

A diagram of how D3 ingests alerts from cloud or on-premise sources, and orchestrates codeless playbooks across cloud or on-premise tools.

More companies are moving their systems and servers to cloud services like Microsoft Azure, but many retain a hybrid environment, with some systems still hosted on-premises. This hybrid model creates an issue around security because the company is left managing two sets of security tools—one in the cloud and one on-premises. 

D3 can integrate with Microsoft Sentinel, 21 other tools in the Azure stack, and hundreds of on-premise tools to create a single security operations (SecOps) interface for the entire hybrid environment. Joint users of Microsoft Sentinel and D3 can enrich alerts with threat intelligence, identify MITRE ATT&CK techniques, run automation-powered playbooks to respond to incidents, and much more—across cloud and on-premise systems simultaneously. 

For example, in a phishing attack that resulted in a potentially infected endpoint, an analyst using D3 could disable the user’s access in Azure AD, query Microsoft Sentinel for additional data, search across Microsoft 365 mailboxes for more instances of the phishing email and quarantine the affected endpoint using Microsoft Defender for Endpoint.6 

Having D3 SOAR integrated with both your Azure tools and your on-premise tools can reduce your work—and your risk—by half. Because of the ability to monitor and act across your entire hybrid environment, you will not lose sight of incidents that move between environments, and you will always be able to execute your entire response without having to switch between tools. 

Use case 2: Compromised credentials 

A diagram of how D3 ingests leaked credential reports, checks them against Active Directory, and orchestrates the appropriate response.

When an employee’s credentials are compromised, hacked, or leaked, they can turn up on lists provided by threat intelligence platforms. Security teams need ways to streamline their ability to learn of compromised credentials, match the credentials to the employee’s other information, determine which machines the credentials could be used on, and take action to prevent unauthorized access. D3 integrates with AD (Azure or on-premise), threat intelligence platforms, and other tools, to orchestrate this process. 

D3 can ingest lists of leaked credentials from integrated threat intelligence platforms. When an employee’s credentials are included in a list, D3 can query Active Directory to match the credentials to other information related to the employee, including the list of machines to which they have access. D3 can get the user’s login history from Active Directory to look for unusual activity, temporarily deactivate the user if necessary, and orchestrate a password change.  

The sky’s the limit 

These are just a couple of the use cases that D3 users can orchestrate across their Microsoft tools and systems. With more than 30 integrations and hundreds of commands, there is an extremely high ceiling on what sophisticated users can accomplish with D3 and Microsoft’s combined capabilities. Don’t let that intimidate you though. With codeless, out-of-the-box playbooks for common incident types, even less technical users can immediately realize the benefits of the joint solutions.  

About D3 Security 

D3 Security’s Smart SOAR platform combines automation and orchestration across more than 500 integrated tools with an automated event pipeline that reduces event volume by 90 percent or more.2 D3’s codeless playbooks automate enrichment and remediation tasks while making it easy for anyone to build, modify, and scale workflows for security operations, incident response, and threat hunting. 

With more than 30 Microsoft integrations, D3 Security has been a Microsoft Intelligent Security Association (MISA) member since 2020. Visit the Azure Marketplace page here. You can learn more about how D3 works with Microsoft on D3’s technology partners page.5 

Learn more

To learn more about MISA, visit our MISA website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 Security leaders are still in the dark with asset visibility while a lack of insight is driving control failures, Panaseer. 2022.

2 Smart SOAR platform, D3 Security.

3 Smart SOAR Event Pipeline, D3 Security.

4 Security Automation and Orchestration for MSSPs, D3 Security.

5 Microsoft Azure Sentinel Integration, D3 Security.

6 D3 Smart SOAR for Phishing Attacks, D3 Security.

The post Automating your Microsoft security suite with D3 Smart SOAR appeared first on Microsoft Security Blog.

3 steps to secure your multicloud and hybrid infrastructure with Azure Arc
http://approjects.co.za/?big=en-us/security/blog/2022/03/29/3-steps-to-secure-your-multicloud-and-hybrid-infrastructure-with-azure-arc/
Tue, 29 Mar 2022 16:00:00 +0000

In this blog, we will share how you can increase security for on-premises and hybrid infrastructure through offerings including Azure Arc, Microsoft Defender for Cloud, and Secured-core for Azure Stack HCI.

As businesses around the world grapple with the growth of an industrialized, organized attacker ecosystem, the need for customers to secure multicloud and hybrid infrastructure and workloads is increasingly urgent.

Today, organizations face an attacker ecosystem that is highly economically motivated to exploit security issues with your multicloud and hybrid workloads—as made evident in the rise in human-operated ransomware, with hackers launching an average of 50 million password attacks every day (579 per second), the rise of web shell attacks,1 and increasing firmware attacks.2 As with most attack vectors in this evolving threat landscape, prevention and detection are critical.

These threats can present a growing challenge for organizations using a combination of on-premises, hybrid, and multicloud infrastructure and workloads. With this distributed infrastructure, it can be a challenge to protect resources against motivated attackers when security management, policies, and signals are not unified.

Securing your multicloud and hybrid infrastructure in 3 steps

Securing infrastructure is fundamental to the business—for every business. So, what does a solution for multicloud, on-premises, and hybrid infrastructure security look like? A powerful defense must be unified, simplified, and actionable. It must make it easier to enable digital transformation and not slow progress in this crucial area. For businesses who need to secure multicloud, on-premises, and hybrid infrastructure, an increased security stance can start with three simple steps:

  1. Connecting your hybrid infrastructure to Azure Arc.
  2. Enhancing security for your Azure Arc-connected hybrid infrastructure using Microsoft Defender for Cloud.
  3. Further enhancing the security of on-premises workloads with Secured-core for Azure Stack HCI.

1. Connect your on-premises and hybrid infrastructure to Microsoft security services using Azure Arc

Many organizations today are challenged with the growing complexity of securing their infrastructure with disparate tools across multicloud, hybrid, and edge environments. To begin securing these assets, you can use Azure Arc to connect your resources to Microsoft Azure from wherever they are deployed, making them addressable by Azure security services and enabling you to manage them from a single pane of glass in Azure Resource Manager. Azure Arc extends the control plane to these resources so that they can be managed and secured centrally with tools including our cloud extended detection and response (XDR) solution, Microsoft Defender for Cloud, or the secure key management tool, Azure Key Vault.

“When you see how Azure security and compliance features benefit your on-premises infrastructure, it helps put your mind at ease regarding the capabilities and benefits of the cloud. It also makes you a harder target for would-be attackers, and that’s what we’re hoping to achieve.”—Lody Mustamu, Manager of Marketing and Sales, ASAPCLOUD.

Read more about ASAPCLOUD’s story here.

2. Secure your Azure Arc-enabled infrastructure using Microsoft Defender for Cloud

Once these distributed multicloud and hybrid environments are connected through Azure Arc, Microsoft Defender for Cloud enables you to find weak spots across your configuration, helps strengthen the overall security posture, and can help you meet any relevant compliance requirements for your resources across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

While prevention is critical, at the same time, the increasing sophistication of attacks requires that organizations have a comprehensive threat protection strategy in place. Microsoft Defender for Cloud provides vulnerability assessment with insights from industry-leading security research and provides advanced threat protection for a broad range of workloads across cloud and on-premises including virtual machines, containers, databases, storage, and more.

“The choice made sense to us because Microsoft Defender connects so tightly and automatically to Azure Arc,” says Iñigo Martinez Lasala, Director of Technology and Systems at Prosegur. “There are other tools out there, but Microsoft Defender provides additional functionality that other tools don’t have, such as establishing rules of compliance, hardening servers, and launching scripts to fix server issues.” 

Read more about Prosegur’s story here.

Get started by enabling Microsoft Defender for Cloud for your Azure subscriptions and easily onboard other environments to understand your current security posture. You can then enable the enhanced features to protect and manage the security of all relevant workloads across your cloud and on-premises environments from a central place, all connected through Azure Arc.

Microsoft Defender for Cloud Dashboard featuring security posture chart, Firewall manage, regulatory compliance status, and workload protections.

Figure 1. Protect your workloads with Microsoft Defender for Cloud.

3. Further secure your on-premises and hybrid infrastructure using Secured-core for Azure Stack HCI

As security threats continue to become more sophisticated, they are moving lower in the stack to the operating system, firmware, and hardware level, so there is a growing need for additional security at these lower levels. One way to gain additional protection against these attacks is an integrated solution called Secured-core, now available for Azure Stack HCI. Secured-core servers provide out-of-box safeguards with enhanced protections. For example, Secured-core servers help stop attacks in the event of a successful web application compromise with features like virtualization-based security (VBS) and hypervisor-based code integrity (HVCI). Credential protection in Azure Stack HCI helps mitigate the common attack of credential theft by using VBS to isolate credentials in their own virtual machine, a feature that is on by default in Secured-core servers. These features help prevent what could otherwise be a much larger breach.

Secured-core servers have three focused pillars:

  1. Protect with a hardware root of trust: Trusted platform modules (TPMs) ensure that even firmware malware cannot tamper with the hardware-backed record of which firmware ran on the device.
  2. Defend against firmware-level attacks: System Guard-secured VBS protects the system by not relying on firmware for trust.
  3. Prevent access to unverified code: HVCI protects against both known vulnerable drivers and entire classes of problems.

All these capabilities built into Secured-core servers ensure that your servers are protected out-of-box, giving you confidence in your hardware. And managing the status and configuration of Secured-core servers is easy from the browser-based Windows Admin Center for both Windows Server and Azure Stack HCI solutions.

Windows Admin Center on the Security tab showing the Secured-core blade with green check marks indicating that 2 of 2 clustered nodes meet the requirements for Secured-core Server, as well as green check marks indicating positive status on the list of security features.

Figure 2. Secured-core server cluster management in Windows Admin Center.

“To help our customers remain secure and accelerate their business outcomes, Hewlett Packard Enterprise (HPE) is excited to release the new Gen 10 Plus (v2) products for Azure Stack HCI 21H2 and Windows Server 2022 which can be delivered with the HPE GreenLake edge-to-cloud platform,” said Keith White, Senior Vice President and General Manager, GreenLake Cloud Services Commercial Business. “These offer unprecedented host protection by combining HPE’s security technologies with Secured-core server functionalities for a secure, hybrid implementation.”

Take steps today to secure your on-premises and hybrid infrastructure

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 Web shell attacks continue to rise, Detection and Response Team (DART), Microsoft 365 Defender Research Team, Microsoft Security. February 11, 2021.

2 New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats, Microsoft Security Team, Microsoft Security. March 30, 2021.

How a leading Microsoft engineer extends culture to service resiliency
http://approjects.co.za/?big=en-us/security/blog/2022/03/23/how-a-leading-microsoft-engineer-extends-culture-to-service-resiliency/
Wed, 23 Mar 2022 16:00:00 +0000

Nadim Abdo, Corporate Vice President of Identity and Network Access Engineering, talks with principal software engineering manager, Huiwen Ru, on her groundbreaking work to make cloud services resilient.

It’s hard to underestimate the impact that people can have on us in our formative years. Huiwen Ru, who spent several years working in identity and access management and is now a Principal Software Engineering Manager on the Singularity team at Microsoft, is a living example of how important mentorship and allyship are to the future of our industry. Young people who have unique and extraordinary talents don’t always get the inspiration and support they need to develop them, but stories like Huiwen’s give me hope. From an early age, Huiwen loved math. With encouragement from her family, teachers, and friends, Huiwen channeled her love for math into an amazing education and a trailblazing career at Microsoft.

In some ways our stories are parallel. We both emigrated from China to study computer science in the United States and joined Microsoft full-time to work on technology that was just getting started—I worked on Remote Desktop while she worked on real-time communications. We both got to experience what it’s like to build a business over many years and then transition our skills to a very different area. Until recently, Huiwen led a group working on one of the most critical aspects of our service: platform resilience. She shares her expertise and experience with the next generation by mentoring them in math.

Huiwen’s interview with Nadim took place before she moved to her new role. It has been edited for clarity and length. We’ve included some video snippets so you can learn more about her personal journey, the work she did for Microsoft identity and access management, and why she finds being a mentor so fulfilling.

Nadim: Huiwen, I’m very pleased to share your experiences of getting into computer science, getting into the industry, and the work you do at Microsoft. What first got you into computer science?

Huiwen: When I was a little girl, I had always been good at math. In both middle and high school, I really enjoyed participating in math competitions. When I applied for college, since math was my best subject, I thought, “I’m just going to study math.” But then my brother said, “No, math is too boring and it’s too hard. Look at how many girls study math. It’s not a great path for you, and other new fields are booming. You should try computer science.” I listened to him, and I’ve never regretted it.

Nadim: What was the first programming language you learned that showed you how much you liked development and coding?

Huiwen: I learned BASIC in high school. Then I entered Tsinghua University, which was ranked both number one in engineering and in computer science in China. The first programming language we learned was Pascal.

Nadim: Cool. So, you went to the number one school, did computer science, and you liked it. What was your journey from there to Microsoft?

Huiwen: At that time, the top students in China would come to the United States for advanced study after graduating. I worked for Motorola China for a couple of years first. Then I came to the University of North Carolina at Chapel Hill for my PhD degree. The job market was so good that instead of doing my PhD I started working at a company in Newport Beach, California. But then a college classmate from Tsinghua University who had joined Microsoft submitted my resume. That’s how I came to Microsoft.

Nadim: And you worked on a number of products before you got to Azure Active Directory (Azure AD)?

Huiwen: I joined Windows networking 22 years ago in 1999 and soon transferred to Office real-time communications. That team merged into Windows networking, which also had a real-time communications group. I think it was called the Office Communications Server, which evolved into Lync Server. Today, it’s Skype services. I was in this group for 15 or 16 years.

When I joined, the product was almost starting from zero. It was like a startup. Back then people relied heavily on email, but people with insight saw the importance of real-time communication over chat, as well as video and audio for meetings and collaboration integrated with your presence, status availability, and all of that. This was the future of communication. So, from version one to version two, through many different milestones, we quickly evolved into a billion-dollar business. I stayed in this team for a very long time, but though it’s just one team, the experience was pretty rich because we grew from a very small business into a very large one, from an on-premises service that shipped once every two to three years to an online service.

Nadim: It’s an interesting journey and certainly one that speaks to the variety of experiences that are possible even in one space, because the space itself evolves so much. You grew and developed a whole set of skills, including transitioning from on-premises software to cloud. You now work on one of the world’s largest services and certainly the world’s largest commercial identity system, Azure AD. Tell us about your role.

Huiwen: I came over three years ago. I was working in cloud services as part of Office 365. It was all bare metal machines with 32 cores, but the deployment and everything was super slow. So, I wanted to get a real taste of Azure, where things are fast and there are virtual machines. And that’s why I landed here.

I saw the job posted on the career website looking for the skills I had, so I applied. I was very fortunate to land a job working on a service called evolved security token service (ESTS), which is a token service for authentication security. It’s one of the most critical services for identity, and there are a lot of interesting problems to solve! I own the fundamentals area, which can be pretty broad. It covers performance, cost of goods sold (COGS), and also some key architectural migration. Basically, my team is in charge of how we run the service effectively with high reliability and at a low cost. This includes the tooling, frameworks, and pipelines.

Nadim: You were one of the people who led a fundamental restructuring of this service to improve its reliability. Could you tell us about the work you did on cell-based architecture? First of all, what is cell-based architecture and why is it so important?

Huiwen: Before this architecture—at least for ESTS, which is one of the largest identity services—we had over 10,000 nodes worldwide on any given day. And these nodes were separated into about 12 regions in three major geographies. Some larger regions had 2,000 nodes and some smaller regions had maybe 600 nodes. A customer’s request could hit any of the nodes in a particular region. This is a very coarse-grained isolation of the service. Now, if a misbehaving application or some data corruption on the backend causes a retry storm in a tenant, you’ll suddenly have millions of requests coming at you, which can destroy your entire capacity in that region. Before I joined, some of our largest tenants were hit by this issue.

With the cell-based architecture, we try to divide tenants into smaller cells, so that each tenant is only handled in one cell. If a tenant has a misbehaving app, then at worst it impacts co-tenants in the same cell while the other cells stay intact. So far, we have divided all the tenants into over 100 cells. This is a very significant improvement in our reliability and resilience.

Nadim: No more than 2 percent of users in our system are in any one cell. This is a unique capability, given the scale we run at, and it’s an example of the innovation that we’re continuing to drive. So, thank you for your leadership on that project and many others like it.

Switching topics, I heard you mentor and coach people even outside of work.

Huiwen: I had been a mentor with my previous team, in some cases for female employees and in others for my fellow Chinese employees. They have had quite good career growth—some are now managers or are going into senior or principal levels.

Then I started coaching math students. It started with 10 kids, most of them girls. It grew to 20 to 30 kids from my son’s school and other schools in the same school district. They formed math clubs and went to math competitions. This lasted for four years. I feel very lucky that I’m a Microsoft employee because we did the weekend classes in Microsoft buildings. We used Microsoft conference rooms with very nice large whiteboards. The kids all liked to have classes at Microsoft. It was really fun.

Nadim: That’s wonderful.

Huiwen: And I have more good news to share. This past summer, when I met with some of my students, they told me they started a math workshop for younger kids. One student used the materials I used when I taught her in my math class. I found this really rewarding.

I do feel kind of obligated to help the people who need help, especially back in my home country. I have given time and money for many years to an organization in China that helps kids in rural areas finish their education, sends them from high school through college, and provides guidance to the direction of their career or answers their questions about what to do in college to prepare themselves for their careers.

Nadim: What gets you excited to come to work every day?

Huiwen: I’d say it’s the impact we have on people around the world through the product we deliver. The work is really, really critical. Even my son signs in through our service to do his schoolwork in Microsoft Teams. This sense of impact and its importance is really rewarding. I’m also a first-tier manager. I see how working with junior team members as their mentor or coach influences their early careers. The impact I have on their career growth is very, very important to me.

Nadim: That’s very near and dear to my heart as well, including the criticality of what we work on and the responsibility we have to our customers. Thanks for sharing your story.

Huiwen: Thank you, Nadim. I’m very honored to have the opportunity.

Learn more

Learn more about Microsoft identity and access management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Secure your healthcare devices with Microsoft Defender for IoT and HCL’s CARE
http://approjects.co.za/?big=en-us/security/blog/2022/03/14/secure-your-healthcare-devices-with-microsoft-defender-for-iot-and-hcls-care/
Mon, 14 Mar 2022 16:00:00 +0000

Recently, Microsoft and global technology services firm HCL Technologies teamed up to help solve the security challenge with a high-performance solution for medical devices. The result is a new reference architecture and platform for building secure medical devices and services based on HCL's CARE, Microsoft Defender for IoT and Azure IoT.

It wasn’t long ago that medical devices were isolated and unconnected, but the rise of IoT has brought real computing power to the network edge. Today, medical devices are transforming into interconnected, smart assistants with decision-making capabilities.

Any device in a medical setting must be designed with one core priority in mind: delivering patient care. Medical professionals need instant access to data from devices with minimal friction so they can focus on what they do best. But at the same time, any device holding sensitive medical records must be secure.

To balance these needs, security software for medical devices must be lightweight enough to maximize the performance of the device without overloading the processor, taxing battery life, or putting the user through cumbersome processes. It must be high-performing and reliable with great battery life, so the device is always ready and works every time it’s needed.  

Recently, Microsoft and global technology services firm HCL Technologies teamed up to help solve the security challenge with a high-performance solution for medical devices. The result is a new reference architecture and platform for building secure medical devices and services based on HCL’s Connected Assets in Regulated Environment (CARE), Microsoft Defender for IoT, and Azure IoT.

By freeing medical device manufacturers from the need to build security solutions and cloud services, this new platform will enable them to focus on their own core mission and strengths, which are healthcare-related innovation and patient care, even as they build new, better, and more secure medical devices.

Combining HCL’s CARE and Microsoft Defender for IoT

As a long-time Microsoft partner, HCL brings deep expertise in applications, systems integration, network engineering, and managed services.

Built on Microsoft Azure, HCL’s CARE Platform has been designed and developed with security best practices and standards in mind. It gives medical device manufacturers the foundation they need to develop innovative, high-performance healthcare services and devices while ensuring an integrated security approach from the cloud to the network edge.

By including Microsoft Defender for IoT in the device itself, device builders are able to create secure-by-design, managed IoT devices. Defender for IoT offers continuous asset discovery, vulnerability management, and threat detection—continually reducing risk with real-time security posture monitoring across the device’s operating system and applications.

Partner Director of Enterprise and OS Security for Azure Edge and Platform at Microsoft, David Weston, highlighted the value of this collaboration, saying, “By partnering with HCL to incorporate Defender for IoT into HCL’s CARE, we see a bright future for medical device manufacturers to build secured medical devices, with minimal effort.” Sunil Aggarwal, Senior Vice President at HCL and Client Partner for Microsoft, added, “HCL’s CARE enables medical original design manufacturers (ODMs) and original equipment manufacturers (OEMs) to quickly develop new devices and solutions focused on patients’ needs. By including Defender for IoT, those devices benefit from Microsoft’s deep security expertise, thousands of security professionals, and trillions of security signals captured each day.”

The combined Microsoft and HCL solution for healthcare IoT provides the high-performance security needed to protect the sensitive data on the medical device—in transit and in the cloud. By using a combination of endpoint and network security signals, the system can monitor what’s happening on the network, in the operating system, and at the application layer while keeping a pulse on the integrity of the device. This combination of external and internal security signals yields advanced security not often found on medical devices, which are typically monitored using only network data.   

Advanced threat detection with Defender for IoT

CARE’s use of Defender for IoT delivers the strongest protection Defender offers: agent-based monitoring. Security is built directly into the IoT device through the Microsoft Defender for IoT security agent, which supports a wide range of operating systems, including popular Linux distributions. With an agent in place, richer asset inventory, vulnerability management, and threat detection and response become possible.

Figure 1. Devices are monitored and assessed for vulnerabilities and security recommendations, and a prioritized list of recommendations is shown. The combination of network and endpoint signals enables a deeper assessment and a broader range of detections.

Defender for IoT monitors the security of the device and enables the following scenarios for medical device manufacturers using HCL’s CARE with Defender for IoT:

  • Asset inventory: Gain visibility to all your IoT devices so operators can manage a complete inventory of their entire healthcare IoT fleet.
  • Posture management: Identify and prioritize misconfigurations based on industry benchmarks and software vulnerabilities or anomalies in the software bill of materials (SBOM) that may arise from supply chain attacks and use integrated workflows to bring devices into a more secure state.
  • Threat detection and response: Leverage behavioral analytics, machine learning, and threat intelligence based on trillions of signals to detect attacks through anomalous or unauthorized activity.  
  • Microsoft Security integration: Defender for IoT is part of the Microsoft security information and event management (SIEM) and extended detection and response (XDR) offering, enabling quick detection and response capabilities for multistage attacks that may move across network boundaries.
  • Third-party integration: Integrates with third-party tools you’re already using, including SIEM, ticketing, configuration management database (CMDB), firewall, and other tools.

Powerful automated services for detection and response

HCL’s CARE Gateway and CARE Device Agent complement Defender for IoT’s security by capturing application-level security events and sending them to the Defender for IoT analytics services. Examples include an attempt to connect an unknown device, use of invalid provisioning credentials, attempts to run unauthorized commands remotely, unusually short or long remote access sessions, anomalies in data transfer rate, event sequence anomalies, and more.

Figure 2. A medical device running the HCL CARE and Defender for IoT agents sends security and other types of events to HCL’s CARE Gateway, which forwards the data to Azure IoT Hub. Security events are forwarded to the Defender for IoT cloud services, while non-security events are sent to HCL’s CARE Core and business app.

Integrating HCL’s CARE with Defender for IoT also protects and monitors connected medical devices and gateways. The CARE Platform, integrated with Defender for IoT, provides a powerful solution for securing healthcare devices:

  • CARE Cloud runs in Azure, utilizing Azure cloud security services to ensure that customers’ health data is secure and accessible only to authorized persons.
  • CARE Device Gateway keeps devices isolated from the public internet.
  • The Defender for IoT micro agent captures events at the system level and pushes them to the Defender for IoT analytics services, along with the service-level events captured by the gateway itself.
  • The Device Agent connects to the Device Gateway to get events out. It can also capture device software-level events and push them to the Defender for IoT analytics services through the Device Gateway.
  • CARE Cloud can make critical events captured at Defender for IoT analytics services actionable, such as gracefully isolating medical devices from the network and alerting device owners.
  • CARE Reusable Modules and design guidelines make the application and connected device secure by enabling secure design, development, and deployment. This includes static and dynamic application security testing and software composition analysis.
  • CARE can also act on critical events by alerting the device owners’ IT security team and sending commands to devices for network isolation, graceful shutdown, and other preconfigured actions.

Find out more

Both Microsoft and HCL are excited to bring this new platform and security technologies to the medical device industry, and we invite you to learn more about how HCL’s CARE and Defender for IoT deliver the security that medical device manufacturers need. Using these technologies, manufacturers can focus more on medical and patient innovation and the quicker delivery of new solutions to the marketplace.

These new security capabilities are available today. Medical device manufacturers and OEMs should check out HCL’s CARE, Microsoft Defender for IoT, and Microsoft’s recently announced Edge Secured-core preview.  

If you are an IoT solution builder, reach out to the Azure Certified Device team. We are ready to work with you!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
