Hybrid work News and Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/tag/hybrid-work/
Expert coverage of cybersecurity topics. Feed generated Wed, 09 Oct 2024 19:56:41 +0000.

3 new ways the Microsoft Intune Suite offers security, simplification, and savings
http://approjects.co.za/?big=en-us/security/blog/2024/02/01/3-new-ways-the-microsoft-intune-suite-offers-security-simplification-and-savings/
Thu, 01 Feb 2024 17:00:00 +0000

The main components of the Microsoft Intune Suite are now generally available. Read about how consolidated endpoint management adds value and functionality for security teams.

The post 3 new ways the Microsoft Intune Suite offers security, simplification, and savings appeared first on Microsoft Security Blog.

Today, we are taking a significant step in completing the delivery of functionality we promised when we first unveiled the vision for the Microsoft Intune Suite.1 We are launching three new solutions: Microsoft Intune Enterprise Application Management, Microsoft Intune Advanced Analytics, and Microsoft Cloud PKI. With these additions, the Intune Suite now goes beyond unified endpoint management to bring you a comprehensive collection of advanced cross-platform capabilities across three core areas: streamlined application security, secure access to on-premises and private cloud resources, and improved troubleshooting and support. While we will continue to add more functionality over time, today’s release marks “the end of the beginning,” as the main components of the Intune Suite are generally available this month. As such, let’s take the opportunity to recap the principles behind the value and functionality of the Intune Suite.


The broad value of the Intune Suite

While the solutions of the Intune Suite launched at different points in time, three fundamental principles have been there from the beginning.

First, one place for workloads adjacent to Unified Endpoint Management. If you’re currently using a mix of third-party solutions, the integrated experience in Microsoft Intune provides security and efficiency on multiple levels. For one, a single unified solution means fewer integrations to manage across third parties, and therefore fewer attack vectors for malicious actors. And second, on a deeper level, the broader Intune proposition (both Intune Suite and Intune) is integrated with Microsoft 365 and Microsoft Security solutions. This provides a consolidated and seamless experience for IT professionals, with a single pane of glass for end-to-end endpoint management.

Second, all parts of the Intune Suite are ready to support your cloud and AI-enabled future. Intune Suite will help accelerate organizations’ digital transformation to cloud native and simplify their IT operations. Additionally, data from Intune Suite are consolidated with other Intune and security data, meaning complete visibility across the device estate, informing and improving emerging technologies like Microsoft Copilot for Security. The more interrelated data that Copilot can use, the more it can proactively advise on the next best action.

Lastly, Intune Suite is available in a single unified plan. So, rather than having separate solutions for remote assistance, privilege management, analytics, and more, these advanced solutions can all be consolidated and simplified into one. This provides value in two ways. Directly, it reduces the overall licensing cost, as the cost of Intune Suite is less than purchasing separate solutions. Indirectly, there is no need to manage separate vendors, train IT admins on separate tools, or maintain costly on-premises public key infrastructure (PKI). The Intune Suite makes it easier for IT admins, reducing overhead costs.

“With what we get out of Intune Suite, we can eliminate other products that our customers need. It’s now a suite of many components that enable customers who want to consolidate solutions and save money.”

—Mattias Melkersen Kalvåg, Mobility and Windows Management Consultant at MINDCORE, and Microsoft Certified Professional & MVP

From today: A comprehensive suite across applications, access needs, and support

Let’s get into specifics. For application security, Enterprise App Management helps you find, deploy, and update your enterprise apps. And Endpoint Privilege Management lets you manage elevation rules on a per-app basis so that even standard users can run approved privileged apps. Cloud PKI lets you manage certificates from the cloud in lieu of complex, on-premises PKI infrastructure. And Microsoft Tunnel for Mobile Application Management (MAM) is perfect for unenrolled, personal mobile devices, to help broker secure access to line of business apps. Advanced Analytics gives you data-rich insights across your endpoints. And Remote Help lets you view and control your PCs, Mac computers, and specialized mobile devices, right from the Intune admin center. Let us take each of those three product areas in turn.

Increase endpoint security with Enterprise App Management and Endpoint Privilege Management

Enterprise App Management gives you a new app catalog, allowing you to easily distribute managed apps, but also keep them patched and always up to date. With this initial release, you will be able to discover and deploy highly popular, pre-packaged apps, so you no longer need to scour the Internet to find their installation files, repackage, and upload them into Intune. Simply add and deploy the apps directly from their app publishers. You can also allow the apps you trust to self-update, and when a new update is available, it is just one click to update all your devices with that app installed. We will continuously expand and enrich the app catalog functionality in future releases to further advance your endpoint security posture and simplify operations. 

“I’m very excited about Enterprise App Management as it’s powered by a strong app catalog and natively integrated in Intune. This single pane of glass experience is what we’re all looking for.”

—Niklas Tinner, Microsoft MVP and Senior Endpoint Engineer at baseVISION AG

For more control over your apps, with Endpoint Privilege Management, you can scope temporary privilege elevation, based on approved apps and processes. Then, as a user in scope for this policy, you can elevate only the processes and apps that have been approved. For example, users can only run a single app for a short period of time as an administrator. Unlike other approaches that give local admin permissions or virtually unlimited scope, you can selectively allow a user to elevate in a one-off scenario by requesting Intune admin approval, without you needing to define the policy ahead of time.

“Endpoint Privilege Management offers tight integration into the operating system. And the focus that Microsoft has over only elevating specific actions and apps versus making you an admin for a period of time—this is security at its best, going for the least privileged access.”

—Michael Mardahl, Cloud Architect at Apento

Cloud PKI and Microsoft Tunnel for MAM power secure access

With Cloud PKI, which provides both root and issuing Certificate Authorities (CAs) in the cloud, you can set up a PKI in minutes, manage the certificate lifecycle, reduce the need for extensive technical expertise and tools, and minimize the effort and cost of maintaining on-premises infrastructure. In addition, support for Bring-Your-Own CA is available, allowing you to anchor Intune’s Issuing CA to your own private CA. Certificates can be deployed automatically to Intune-managed devices for scenarios such as authentication to Wi-Fi, VPN, and more; this is a modern PKI management option that works well to secure access with Microsoft Entra certificate-based authentication. In the initial release, Cloud PKI will also work with your current Active Directory Certificate Services for SSL and TLS certificates, but you do not need to deploy certificate revocation lists, Intune certificate connectors, Network Device Enrollment Service (NDES) servers, or any reverse proxy infrastructure. You can issue, renew, or revoke certificates directly from the Intune admin center, automatically or manually.

Microsoft Tunnel for MAM helps secure mobile access to your private resources. Microsoft Tunnel for MAM works similarly to Microsoft Tunnel for managed devices; however, with this advanced solution, Microsoft Tunnel for MAM works with user-owned (non-enrolled) iOS and Android devices. Microsoft Tunnel for MAM provides secure VPN access at the app level, for just the apps and browser (including Microsoft Edge) your IT admin explicitly authorizes. So, for personally owned devices, the user can access approved apps, without your company’s data moving onto the user’s personal device. App protection policies protect the data within the apps, preventing unauthorized data leakage to other apps or cloud storage locations.

“Cloud PKI within the Intune Suite allows you to go cloud native in terms of certificate deployment, which means you can provision PKIs with just a few clicks—that’s a blessing for all the IT administrators. With this built-in service, Microsoft hosts everything for you to manage certificates.”

—Niklas Tinner

Resolve support issues quicker with Advanced Analytics and Remote Help

Advanced Analytics in Intune is a powerful set of tools for actionable reporting and AI-driven analytics. It provides deep, near real-time insights into your connected devices and managed apps that help you understand, anticipate, and proactively improve the user experience. We continue to infuse AI and machine learning into our analytics products. For example, you can get ahead of battery degradation in your device fleet through our advanced statistical analysis and use that information to prioritize hardware updates. Intune Suite now includes real-time device querying on-demand using Kusto Query Language for individual devices, useful for troubleshooting and resolving support calls quicker.

With Remote Help, you can also streamline the way you remotely view and interact with your managed devices, for both user-requested and unattended sessions. As a help desk technician, you can securely connect to both enrolled and unenrolled devices. Users also have peace of mind in being able to validate the technician’s identity, to avoid help desk spoofing attempts. Right now, Remote Help works for remote viewing and controlling on Windows PCs and Android dedicated Enterprise devices, and supports remote viewing for macOS. Especially useful for frontline workers, Remote Help for Android allows help desk administrators to configure and troubleshoot unattended devices, meaning issues can be resolved off-shift.

“Remote Help takes away the requirement and the need for third-party remote help tools. Remote Help is native, it’s interactive, and you don’t have to worry about installing anything, it’s already there. It’s part of Intune, it’s part of the build.”

—Matthew Czarnoch, Cloud and Infrastructure Operations Manager at RLS (Registration and Licensing Services)

To see many of these new capabilities in action, we invite you to watch this new Microsoft Mechanics video.

Analyst recognition for Microsoft

With the additions to the Intune Suite now available, IT can power a more secure and productive future at an important time as AI comes online. Notably, analyst recognition validates its value. For example, Microsoft again assumes the strongest leadership position in the Omdia Universe: Digital Workspace Management and Unified Endpoint Management Platforms 2024. Omdia wrote: “Microsoft is focused on reducing management costs by utilizing the Microsoft Intune Suite and integrating different solutions with it.” They added: “The company plans to invest in Endpoint Analytics and Security Copilot to introduce data-driven management, helping IT professionals shift from reactive, repetitive tasks to strategic ones by utilizing Endpoint Analytics and automation.” Omdia’s recognition follows that from others like Forrester, who named Microsoft a Leader in The Forrester Wave™ for Unified Endpoint Management, Q4 2023.

Get started with consolidated endpoint management solutions with the Microsoft Intune Suite

The February 2024 release of the solutions in the Intune Suite marks a key milestone, offering a consolidated, comprehensive solution set together in a cost-effective bundle (and available as individual add-on solutions) for any plan that includes Intune. And in April 2024, they will also be available to organizations and agencies of the United States government community cloud. We look forward to hearing your reactions to the new Intune Suite.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Ease the burden of managing and protecting endpoints with Microsoft advanced solutions, Dilip Radhakrishnan and Gideon Bibliowicz. April 5, 2022.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The Forrester Wave™: Unified Endpoint Management, Q4 2023, Andrew Hewitt, Glen O’Donnell, Angela Lozada, Rachel Birrell. November 19, 2023.

Forrester names Microsoft a Leader in the 2023 Zero Trust Platform Providers Wave™ report
http://approjects.co.za/?big=en-us/security/blog/2023/09/19/forrester-names-microsoft-a-leader-in-the-2023-zero-trust-platform-providers-wave-report/
Tue, 19 Sep 2023 16:00:00 +0000

Microsoft is proud to be recognized as a Leader in The Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report.

The post Forrester names Microsoft a Leader in the 2023 Zero Trust Platform Providers Wave™ report appeared first on Microsoft Security Blog.

Microsoft is proud to be recognized as a Leader in the Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report. At Microsoft, we understand modernizing security is a complex task in this era of ever-evolving cyberthreats and complex digital environments. Serious threats have necessitated a paradigm shift in how organizations protect their digital estates. That’s why Microsoft embraces an end-to-end Zero Trust architecture: a comprehensive approach to security that helps our customers effectively mitigate business risk in the era of hybrid and remote work.

Microsoft’s leadership

Zero Trust has become the industry standard for securing complex, highly distributed digital estates. And Microsoft is in a unique position to help customers with their security needs, as Microsoft delivers end-to-end cross-cloud, cross-platform security solutions, which integrate more than 50 different categories across security, compliance, identity, device management, and privacy, informed by more than 65 trillion threat signals we see each day. Microsoft is actively engaged with the National Institute of Standards and Technology (NIST), most recently providing public commentary for the NIST National Cybersecurity Center of Excellence (NCCoE) and participating in The Open Group where we co-chaired the Zero Trust Architecture (ZTE) forum. As we look to the future, Microsoft recognizes that customers are entering the era of AI. And by combining the principles of Zero Trust with the capabilities of AI, organizations will have the potential to create a formidable defense against modern cyberthreats. In this blog, we will explore Forrester’s latest evaluation of the Microsoft end-to-end Zero Trust architecture and what the future will hold by leveraging the power of AI.


Comprehensive end-to-end protection

“Its Copilot theme carries over to a notable vision to provide end-to-end, step-by-step guidance for implementing ZT while leveraging AI. This means customers can take their ZT journey with Microsoft in lockstep.”

—Forrester Wave™: Zero Trust Platforms, Q3 2023 report

We are proud that the Microsoft Zero Trust platform has been recognized as a Leader in the Forrester Wave™: Zero Trust Platforms, Q3 2023 report, which we believe demonstrates Microsoft’s strong track record for being a comprehensive end-to-end platform.

Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report

The Forrester Wave™ report evaluates Zero Trust platforms based on criteria that include network security, centralized management and usability, data security, device security, automation, orchestration, people and identity security, and both on-premises and cloud deployments. In the latest evaluation for Q3 2023, the Microsoft end-to-end Zero Trust architecture demonstrated its excellence in these areas by being named a Leader in this inaugural Forrester Wave™ report evaluating Zero Trust Platform Providers. The Microsoft end-to-end Zero Trust model received the highest possible score in the following categories based on the Forrester analyst criteria: people and identity security, device security, enabling and protecting the hybrid workforce, data security, automation and orchestration, and visibility and analytics.

Zero Trust in the age of AI

In an era where AI is rapidly transforming how we work, its convergence with cybersecurity brings both immense opportunities and new challenges. Here’s why Zero Trust becomes even more crucial:

  1. Sophistication of threats: As cyberattacks have become more sophisticated and capable of evading traditional security measures, Zero Trust, with its emphasis on continuous verification, explicit verification, and least privileged access, offers a more effective defense against these advanced threats with or without AI capabilities.
  2. Data protection and privacy: AI relies on vast amounts of customers’ data to help the user be more productive, and safeguarding this data is paramount. Zero Trust’s data-centric approach ensures that access to sensitive data is highly controlled, mitigating the risk of unauthorized AI-driven breaches.
  3. Automated responses: AI-enabled security can provide rapid automated responses to threats. When integrated with Zero Trust, AI-driven responses become even more effective by reducing alert fatigue, adapting access controls in real time, minimizing damage, and containing potential breaches.

Looking to the future

Microsoft’s leadership in Zero Trust, as shown by the latest Forrester Wave™, highlights our commitment to continuously evolving cybersecurity to meet the security demands of the digital age. With AI becoming a cornerstone of modern threats and defenses, the Zero Trust principles of assume breach, least privileged access, and continual explicit verification are more crucial than ever. As organizations navigate the evolving landscape of cyberthreats, the synergy between Microsoft’s end-to-end Zero Trust strategy and the capability of AI provides a formidable defense mechanism that is both forward-looking and resilient.

For more information on this recognition, check out the full Forrester Wave™: Zero Trust Platforms, Q3 2023 report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Forrester Wave™: Zero Trust Platform Providers, Q3 2023, Carlos Rivera and Heath Mullins, September 19th, 2023

Why endpoint management is key to securing an AI-powered future
http://approjects.co.za/?big=en-us/security/blog/2023/06/26/why-endpoint-management-is-key-to-securing-an-ai-powered-future/
Mon, 26 Jun 2023 16:00:00 +0000

With the coming wave of AI, this is precisely the time for organizations to prepare for the future. To be properly ready for AI, Zero Trust principles take on new meaning and scope. The right endpoint management strategy can help provide the broadest signal possible and make your organization more secure and productive for years to come.

The post Why endpoint management is key to securing an AI-powered future appeared first on Microsoft Security Blog.

The chief information security officer (CISO) agenda has a new set of priorities. Hybrid work and the resultant architecture updates, so prevalent at the beginning of the pandemic, are no longer top of mind. Instead, the thinking is focused on tackling ever more sophisticated threats and integrating Zero Trust in a more nuanced fashion through the concept of data security posture management.1 With the coming wave of AI, this is precisely the time for organizations to review that new CISO agenda and prepare for the future. To be properly ready for AI, Zero Trust principles take on new meaning and scope. The right endpoint management strategy can help provide the broadest signal possible for AI large language models and make your organization more secure and productive for years to come.

The importance of being prepared for the AI era

The immediate challenge of securing remote employees due to the pandemic may have passed, but the CISO remains as strategic as ever, especially given challenges with resources and the notable amount of open headcount security positions. With these limited resources, the CISO already had to manage the complexities of human actor-operated ransomware and breaches, with more password attacks than ever. However, the proliferation of AI increases the complexity of potential threats for the organization multifold.

Innovations like Microsoft Security Copilot will provide a holistic view of your endpoint security and management data. Using generative AI will help bolster enterprise defenses, especially when using the data available from your endpoint manager’s view of your digital estate. A holistic view of what is happening in your environment is critical to dealing properly with security threats and is optimized by receiving signals for all your endpoints. Endpoint management is no longer just mobile device management, but today is responsible for all devices, managed and unmanaged, and provides a powerful way to feed data into AI large language models.

Did you know? With Security Copilot, you will be able to leverage generative AI to reason over data across the Microsoft Security portfolio and in turn strengthen the security posture of your enterprise.

How an organization designs and implements its endpoint management strategy is key to maximizing the AI opportunity for productivity and security enhancements. Both security and employee productivity are vital for any solution; one without the other is futile. The correct endpoint management implementation optimizes the future value of AI for your organization by providing the broadest signal possible to feed into your large language models.

In this blog, we want to urge all CISOs to redouble their endpoint management efforts; both to bolster security through Zero Trust and to ensure the large language models underpinning AI are as powerful as they can be by getting the best, most consistent data from a single source.

Zero Trust for the AI era

The coming AI era will increase the importance of Zero Trust, not decrease it. AI can magnify what an organization can do, so making sure that employees, devices, and data stay secure is more important than ever. And AI can be used to both defend and attack organizations, so Zero Trust deployed properly helps defenses remain as robust as possible.

Microsoft’s comprehensive Zero Trust approach rests on three core principles: verify explicitly, use least-privilege access, and assume breach. Microsoft is making progress across all facets of Zero Trust; one example is our latest enhancements to Microsoft Defender Threat Intelligence. Our backgrounds are in endpoint security and multifactor authentication, so we know how vital identity is in Zero Trust. For example, enabling multifactor authentication universally is step one in cutting down phishing and other account compromise attacks.

However, to further drive Zero Trust across the whole organization, you need security policies in force at the endpoint. This might mean Microsoft Defender for Endpoint being up to date, or having firewall policies, local drive encryption, or local boot all applied on the device. If any of the required security policies is not in place, the identity system won’t let the user in, thus strengthening enterprise security.
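The gating logic described above, as an added illustration that is not code from this post or from Intune: Intune compliance policies are defined in the admin center and evaluated by the Intune client, and an identity provider such as Microsoft Entra consumes that compliance state. The script below reproduces the same fail-closed evaluation locally with built-in Windows cmdlets, so a practitioner can see which posture checks feed the access decision. The function name, the signature-age threshold and the treatment of "Secure Boot" as the boot check are this example's own assumptions.

```powershell
# Added illustration: local, fail-closed evaluation of the endpoint posture
# the post lists (Defender current, firewall on, system drive encrypted, boot
# integrity on). Not Intune's compliance engine; names/thresholds are assumed.
#Requires -RunAsAdministrator

function Test-DeviceCompliance {
    [CmdletBinding()]
    param(
        # Assumed threshold: signatures older than this count as out of date.
        [int]$MaxSignatureAgeDays = 3
    )

    # Every check starts as $false so that an error (module missing, legacy
    # BIOS, access denied) leaves the device non-compliant instead of silently
    # passing: the "assume breach" default applied to the evaluation itself.
    $result = [ordered]@{
        DefenderCurrent      = $false
        FirewallEnabled      = $false
        SystemDriveEncrypted = $false
        SecureBootOn         = $false
        Reasons              = [System.Collections.Generic.List[string]]::new()
    }

    # 1. Microsoft Defender: real-time protection on and signatures recent.
    try {
        $mp  = Get-MpComputerStatus
        $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
        if ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
            $age.TotalDays -le $MaxSignatureAgeDays) {
            $result.DefenderCurrent = $true
        } else {
            $result.Reasons.Add("Defender disabled or signatures $([int]$age.TotalDays) days old")
        }
    } catch { $result.Reasons.Add("Defender status unavailable: $($_.Exception.Message)") }

    # 2. Windows Firewall: every profile (Domain, Private, Public) must be on.
    #    Enabled is a GpoBoolean, so compare to 'True' rather than coercing
    #    NotConfigured to a truthy value.
    try {
        $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
        if (-not $off) { $result.FirewallEnabled = $true }
        else { $result.Reasons.Add("Firewall off for profile(s): $($off.Name -join ', ')") }
    } catch { $result.Reasons.Add("Firewall status unavailable: $($_.Exception.Message)") }

    # 3. BitLocker: the OS volume must have protection turned on.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($vol.ProtectionStatus -eq 'On') { $result.SystemDriveEncrypted = $true }
        else { $result.Reasons.Add("BitLocker protection is $($vol.ProtectionStatus) on $env:SystemDrive") }
    } catch { $result.Reasons.Add("BitLocker status unavailable: $($_.Exception.Message)") }

    # 4. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems,
    #    which the catch block deliberately records as non-compliant.
    try {
        if (Confirm-SecureBootUEFI) { $result.SecureBootOn = $true }
        else { $result.Reasons.Add('Secure Boot is disabled') }
    } catch { $result.Reasons.Add("Secure Boot not supported or not readable: $($_.Exception.Message)") }

    # Access is granted only when every check passed.
    $result.Compliant = $result.DefenderCurrent -and $result.FirewallEnabled -and
                        $result.SystemDriveEncrypted -and $result.SecureBootOn
    [pscustomobject]$result
}

# Usage: a gate or report acts on .Compliant and logs .Reasons; a
# non-compliant device exits non-zero and should receive no access token.
$posture = Test-DeviceCompliance
$posture | Format-List
if (-not $posture.Compliant) { exit 1 }
```

The design point worth noticing is the default: each property is false until a cmdlet positively proves otherwise, and every failure path appends a human-readable reason. That matches how a conditional access decision should behave when a device cannot report its state, and the reasons list is what a help desk needs to remediate rather than a bare deny.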

You can’t have Zero Trust if you don’t have a strongly managed endpoint. Making sure you are using the most up-to-date endpoint management now will help lay the right foundations for security in the age of AI.

Using modern endpoint management to ensure your AI models have the best data inputs

Security is not the only reason to make sure your endpoint management solution is up to date.

Did you know? You can use the analytical AI features in the Microsoft Intune Suite to detect patterns and anomalies, and analyze events on a device timeline. Identify potential security threats and vulnerabilities and take proactive steps to address them.

The alerts and indicators that are picked up from endpoint management solutions will, if used correctly, be a key driver in how effectively your organization can harness AI. The best indicators come from as many sources as possible: not just managed devices, but those that are not enrolled too. For example, let’s say you have built a sophisticated AI model to predict when employees are more susceptible to phishing attacks. If you’re only taking data from your email system, without understanding whether those phishing emails are being opened from a smartphone or a computer, you are not analyzing the full range of the potential problem. A fuller AI model to stop phishing attacks would include the device, user, time of day, previous user behavior, and many other data sources available from endpoint management logs. AI models are only as powerful as the data you feed them. If your data is locked away in silos, or there is too much noise relative to signal in the data, you will not be set up to harness the true potential of AI. Data aggregation is, at its core, the foundation for setting yourself up for the future. But first, let’s look at your data in terms of endpoint management.

Endpoint management has evolved substantially from separate solutions that tracked computer endpoints and mobile device management. The next iteration, Unified Endpoint Management (UEM), took signals from all devices—laptops, smartphones, and specialized devices. Now, increasingly, management and security are converging in the cloud, and endpoint management means keeping every device in the organization visible and secure, and ensuring every user can be as productive as possible.

Automated and predictable security is complex, and what works for one industry vertical, company size, architecture, region, or worker role may not work for others—there is no “one size fits all.” As such, the more data signals you can feed your AI models from across your digital estate, the better the AI’s ability to predict potential threats. And the longer you can gather the training data, the better the predictions.

This thought goes beyond core endpoint management data. Other related data from products adjacent to UEM (such as Endpoint Privilege Management, which uses the principle of least privilege to improve security, and Remote Help, which produces a data exhaust that is key to identifying trouble spots) is also incredibly valuable to your AI model. But it is only useful for AI models if it is accessible, structured, and consistent with the data exhaust provided by the UEM solution, so that there is a single source of truth. So, consolidating diverse endpoint tools so that there is one consistent data flow should move up your CISO agenda.

Getting prepared for the AI future now

Generative AI is garnering many headlines right now, but many other forms of AI will also add great value. For example, intelligent applications are using AI to push the boundaries in predicting which employees will be a great fit when recruiting, or when a supplier’s predicted delivery date is at risk. Natural language processing helps users ask potentially complex questions the way they would typically speak, opening up analytics beyond those who know how to code a query correctly.

Did you know? Generative AI and analytical AI help organizations to analyze and leverage their data in new ways, helping to bridge the gap between IT and security operations teams.

Microsoft’s scale of signal intelligence gives it a powerful perspective here, as does the fact that Microsoft Intune leads the endpoint management market in terms of volume and absolute endpoint growth. We’re passionate about helping our customers get ready to seize the opportunity that AI is bringing to enterprise security and society.

Now is the time to start getting prepared for AI, and modernizing your endpoint management approach is key. Even though Zero Trust may have been used for a few years now, it has increased in importance because of AI. Endpoint management can help provide data to help customize your AI models, allowing your organization to become more secure and productive faster.

Microsoft is bringing the power of AI to you, whether that’s through integrating Intune with Security Copilot or improving our anomaly detection capabilities. Throughout, we are committed to advancing the principles and practice of responsible AI, which puts security and trust as central in all our AI solutions.

With industries, job descriptions, and technology advancing rapidly, the C-suite must ask how to seize the full potential of AI, while safeguarding your business, your data, and your employees. Today, there is an opportunity to lay the foundation for your organization’s AI transformation, and endpoint management is a key component of that. We’re thrilled to share more with you in the future as we continue this journey. We hope you’ll join us.


Learn more about the launch of the Microsoft Intune Suite.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1 Microsoft Security Insider.

The post Why endpoint management is key to securing an AI-powered future appeared first on Microsoft Security Blog.

How Microsoft and Sonrai integrate to eliminate attack paths http://approjects.co.za/?big=en-us/security/blog/2023/06/13/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths/ Tue, 13 Jun 2023 16:00:00 +0000 Cloud development challenges conventional thinking about risk. Sonrai integrates with Microsoft Sentinel to monitor threats across vectors and automate responses by leveraging security orchestration, automation, and response playbooks, and Microsoft Defender for Cloud to provide visibility across the entire digital estate by identifying possible attack paths and remediating vulnerabilities.

The post How Microsoft and Sonrai integrate to eliminate attack paths appeared first on Microsoft Security Blog.

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Cloud development challenges conventional thinking about risk. A “perimeter” was always the abstraction that security teams could start from—defining their perimeter and exposing the cracks in firewalls and network access. With more and more infrastructure represented as ephemeral code, protecting your perimeter is no longer a matter of software vulnerabilities and network checks. It’s a complex web of interconnected risks that can exacerbate network gaps or workload vulnerabilities.

When it comes to remediating risks, context is always king, and siloed pillars of cloud security—identity, data, platform, and workloads—kill context. Protecting a broad Microsoft Azure footprint means having a deep understanding of how these risks can combine to create unintended access to your company’s sensitive data, and then prioritizing threats based on potential business impact. This means understanding identity, workload, platform configuration, and data security through a single pane of glass providing visibility across the entire digital estate.

Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to uncover and remediate sophisticated threats in a timely manner.

Microsoft released Defender for Cloud to protect across hybrid and multicloud environments. Sonrai works with Defender for Cloud’s infrastructure and operational controls for powerful event logging to ingest all information and bring context into one place. Sonrai’s patented analytics evaluate how identity and data risks compound with platform and workload risks to create access to sensitive data within Azure.

To help Azure customers understand the true blast radius of every vulnerability, Sonrai integrates with Microsoft Sentinel to monitor threats across vectors and automate responses by leveraging security orchestration, automation, and response (SOAR) playbooks, and Defender for Cloud to provide visibility across the entire digital estate by identifying possible attack paths and remediating vulnerabilities.

Backed by these insights, an organization can successfully operationalize a risk remediation practice. They are additionally able to enable DevOps and security teams to fully harness the digital transformation and time-to-delivery benefits that Azure can power, without worrying about sacrificing speed for security.


Identity as perimeter, data as prioritizer

A consistent research finding is that most cloud data breaches involve a compromised identity: one study reports that 81 percent of breaches1 involve exploiting an overprivileged identity, while another finds that 74 percent of the breaches2 surveyed started with privileged credential abuse. It’s clear that the way we now use identity in the cloud, as a de facto “perimeter” and locus of privileges and access, makes it imperative to put identity at the center of any enterprise security strategy.

The behavior and management of non-human identities (think: service principals) differ conceptually from managing a list of users in Microsoft Azure Active Directory. The main reason? The majority of identities in a given cloud represent services, devices, and applications, not employees. For example, your cloud may have many identities representing Azure serverless compute that exist for only a few minutes a day, rely on assuming access from a role, and are capable of cross-organization access. The privileges associated with such an identity might sit in a policy several degrees of separation away, reached through a nested group. Using managed identities and, ideally, enforcing the principle of least privilege is a good place to start. The harder part is the hidden relationships that don’t show up in a traditional identity management tool.

Especially as DevOps gets more sophisticated with infrastructure as code (IaC) provisioning, these complex relationships become commonplace. Templatized infrastructure means further nested rights and inheritances through complex relationships.

Continuous monitoring and analytics of identity trust chains become imperative for understanding what privileges any identity truly has. The most important thing is: How do these identities tie back to sensitive data?

Data is the pot of gold at the end of an attacker’s rainbow. In the cloud, identity is the stepping stone attackers can leverage to move laterally and find ways to your data. Exposed data and overprivileged identities are red flags organizations need to look for when considering vulnerabilities and posture misconfigurations. Sonrai Security’s Workload Protection Platform refers to these red flags as “Risk Amplifiers.” In the next section, we’ll address why understanding how threats tie back to identity and data risks matters.

Vulnerabilities: Which are relevant?

Cloud development has changed how we look at vulnerabilities. Distributed, rapid, open source-fueled continuous integration and continuous delivery (CI/CD) pipelines can introduce more vulnerabilities into staging and production environments, leaving enterprises to deal with thousands of common vulnerabilities and exposures (CVEs) regularly. If cloud innovation continues at this pace, and developers keep leveraging public libraries and prioritizing speed over security, CVEs will proliferate. The question is: which ones should we care about first?

Traditionally, information about the vulnerability itself would determine its priority for patching. A Common Vulnerability Scoring System (CVSS) score, its age, and known exploits would give you a picture of how likely it was to lead to a breach. But this tells only half the story: the context of the workload the vulnerability sits on tells you what the potential blast radius could be, and therefore the true potential impact on the business.

A vulnerability on a dormant, isolated workload shouldn’t be prioritized ahead of one on a workload whose service principal can escalate its own privileges and reach sensitive data. This prioritization is critical; otherwise your security operations center (SOC) team may chase alerts that meet the traditional definition of a risk but would never impact the business. Fixing one of those closes a ticket, but “tickets closed” is a poor stand-in for real risk reduction.

Connecting the dots: Analyzing an Azure attack path

Let’s piece this story together by examining an example of a typical path that a bad actor might take to access data.

We’ll start with a vulnerability, let’s say one from Microsoft Defender for Cloud’s agentless vulnerability scanner in Microsoft Defender Cloud Security Posture Management.


Figure 1. Sonrai platform displaying a vulnerability with risk amplifiers including network and identity risks.

There are a few things to review examining Figure 1. First, Sonrai has detected multiple network-related risk amplifiers, showing a path into the environment from an exposed Azure Virtual Machine open to the internet.

This basic risk aggregation is why it is critical to detect and remediate network issues through Defender Cloud Security Posture Management (or through Sonrai). Figure 2 visualizes the “Azure Port 22 Host with Ingress from Internet” finding.


Figure 2. Sonrai platform permission chain showing how a machine identity connects to a network misconfiguration.

Next, this alert is rated with critical severity, but it’s on a sandbox account. Normally, a vulnerability in a sandbox environment without sensitive data wouldn’t trigger critical severity, so there must be something deeper. Looking further at Figure 1, there’s an “additionally impacted swimlane” (Sonrai’s grouping mechanism for cloud environments) named “creditapp-production.” Now, looking at the identity-related risk amplifiers from Figure 1, we see there are several sources for this.

One of the identity amplifiers listed is “Compute has access to sensitive data in Azure.” How is it possible that Compute in a sandbox account ends up accessing production data? Let’s examine Figure 3. There are multiple complex potential routes that could be leading this Compute to sensitive data. Once the Compute is attached to a user or service principal, it has access to several nested groups and policies. To learn exactly where Sonrai finds data access, let’s go a step further.


Figure 3. Sonrai platform complex permission chaining, revealing how a machine identity holds covert privileges.

Examining the piece of Compute in the Sonrai Security Platform “Node” view tells us exactly which subscriptions the Compute has access to, among them “creditapp-production,” the one we’re concerned with here. Within production, Figure 4 shows all the data accessible to the Compute and the actions it can take.


Figure 4. Sonrai platform data node view displaying every asset a particular identity can access.

Finally, we see in Figure 5 an exact path of how the Compute ended up accessing production data. You can consider this an Azure attack path waiting to be exploited.


Figure 5. Sonrai platform permission chain revealing how the Compute accesses data through nested groups and policies.

Ultimately, we have a typical vulnerability on our hands, but what’s impactful is seeing how an identity misconfiguration and a platform misconfiguration together exacerbate its severity and create an exploitable attack path.
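The chain traced in Figures 1 through 5, and the context-driven triage argued for in the previous section, can be reproduced over a small inventory. What follows is an added, constructed example, not code from Sonrai or Microsoft: the identities, groups, role assignments, resource IDs and the CVE-EXAMPLE labels are made up, and the priority rule at the end is an illustrative policy rather than Sonrai’s scoring. It goes slightly beyond the figures by ranking a second finding alongside the first. What it keeps faithful is the Azure RBAC semantics it leans on: role assignments inherit down their scope, group membership nests, and reading blob contents needs a DataAction, which the built-in Reader role does not carry.

```python
"""Constructed example (not Sonrai or Microsoft code): resolve which data an
identity can reach through nested groups and scoped role assignments, then rank
vulnerability findings by that blast radius. Every name below is made up."""
from collections import deque
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Finding:
    host: str
    identity: str           # managed identity attached to the host
    internet_exposed: bool  # network risk amplifier
    cve: str                # placeholder label, not a real CVE
    cvss: float

# Group nesting: mi-sandbox-vm -> grp-data-engineers -> grp-analytics-all
GROUP_MEMBERS = {
    "grp-data-engineers": {"mi-sandbox-vm", "alice"},
    "grp-analytics-all": {"grp-data-engineers", "bob"},
}
# Azure keeps control-plane Actions and DataActions separate; only a DataAction
# reads blob contents, so the built-in Reader role carries none.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
ROLE_DATA_ACTIONS = {"Storage Blob Data Reader": {BLOB_READ}, "Reader": set()}
# (principal, role, scope); an assignment covers its scope and everything under it
ROLE_ASSIGNMENTS = [
    ("grp-analytics-all", "Storage Blob Data Reader", "/subscriptions/creditapp-production"),
    ("mi-batch", "Reader", "/subscriptions/sandbox"),
]
# (resource id, data action needed to read it, sensitive?)
DATA_ASSETS = [
    ("/subscriptions/creditapp-production/resourceGroups/rg-credit/providers/Microsoft.Storage/"
     "storageAccounts/stcreditprod/blobServices/default/containers/applications", BLOB_READ, True),
    ("/subscriptions/sandbox/resourceGroups/rg-sandbox/providers/Microsoft.Storage/"
     "storageAccounts/stsandbox/blobServices/default/containers/scratch", BLOB_READ, False),
]
FINDINGS = [
    Finding("vm-sandbox-01", "mi-sandbox-vm", True, "CVE-EXAMPLE-1", 7.5),
    Finding("vm-batch-02", "mi-batch", False, "CVE-EXAMPLE-2", 9.8),
]

def membership_chains(identity):
    """Map each principal acting for `identity` (itself plus every group that
    contains it directly or through nesting) to the chain that reaches it."""
    parents = {}
    for group, members in GROUP_MEMBERS.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    chains, queue = {identity: [identity]}, deque([identity])
    while queue:
        node = queue.popleft()
        for group in sorted(parents.get(node, ())):
            if group not in chains:  # also guards against membership cycles
                chains[group] = chains[node] + [group]
                queue.append(group)
    return chains

def scope_covers(scope, resource_id):
    """RBAC inheritance: the assignment scope itself or any descendant of it."""
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")

def data_access_paths(identity):
    """Every (chain, role, resource id, sensitive) by which `identity` reads data."""
    chains, paths = membership_chains(identity), []
    for principal, role, scope in ROLE_ASSIGNMENTS:
        if principal not in chains:
            continue
        for resource_id, action, sensitive in DATA_ASSETS:
            if scope_covers(scope, resource_id) and any(
                    fnmatchcase(action, pat) for pat in ROLE_DATA_ACTIONS.get(role, ())):
                paths.append((chains[principal], role, resource_id, sensitive))
    return paths

def contextual_priority(finding):
    """Illustrative policy: blast radius, not the CVSS number alone, sets the level."""
    amplifiers = []
    if finding.internet_exposed:
        amplifiers.append("network: host has ingress from the internet")
    sensitive = [p for p in data_access_paths(finding.identity) if p[3]]
    if sensitive:
        amplifiers.append("identity: host identity can read sensitive data")
    if sensitive and finding.internet_exposed:
        level = "critical"  # reachable from outside and lands on production data
    elif sensitive:
        level = "high"
    elif finding.cvss >= 7.0:
        level = "medium"    # serious on paper, but contained
    else:
        level = "low"
    return level, amplifiers, sensitive

def triage(findings=FINDINGS):
    """Findings ordered by contextual priority, highest first; ties broken by CVSS."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(((f, *contextual_priority(f)) for f in findings),
                  key=lambda r: (rank[r[1]], -r[0].cvss))

if __name__ == "__main__":
    for finding, level, amplifiers, paths in triage():
        print(finding.host, finding.cve, finding.cvss, level.upper(), amplifiers,
              [" -> ".join(p[0]) + f" -> [{p[1]}]" for p in paths])
```

Run it and the CVSS 7.5 finding on the internet-exposed sandbox VM ranks above the CVSS 9.8 finding on the contained host, because `mi-sandbox-vm` inherits Storage Blob Data Reader on the production subscription through two levels of group nesting, while `mi-batch` holds only Reader, which grants no data-plane access at all. In a real tenant the same graph would be populated from directory group membership and Azure role assignments rather than hard-coded, and the priority rule would be whatever your own triage policy says; the structure of the check is the point.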

This matters when you consider the scale of vulnerabilities and security tickets a typical environment generates. It raises the question of how security and cloud operations teams can keep up with remediating them all. When you can understand each security threat’s risk amplifiers and how they tie back to platform, identity, and data risks, your team can chip away at the highest-priority threats based on potential business impact.

Microsoft and Sonrai Security make cloud security better together.

About Sonrai Security

Sonrai offers a total public cloud security solution for Microsoft Azure. Sonrai has been a MISA member since 2021 and works with Microsoft Defender for Cloud, Advanced Data Security, Microsoft Sentinel, Azure Active Directory, and many other Azure Services.

The Sonrai Security Platform is available on the Azure Marketplace and offers a Shared Responsibility Model with Azure.

Sonrai Security has offices in New York and New Brunswick, Canada and is backed by ISTARI, Menlo Ventures, Polaris Partners, and TenEleven Ventures. For more information, visit their website.

Learn more

Learn more about Microsoft Sentinel and Microsoft Defender for Cloud.

To learn more about the Microsoft Intelligent Security Association (MISA), visit the website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.  



1 IBM’s 2018 Data Breach Study Shows Why We’re In A Zero Trust World Now, Louis Columbus. July 27, 2018.

2 74% Of Data Breaches Start With Privileged Credential Abuse, Louis Columbus. February 26, 2019.

Microsoft Entra delivers 240 percent ROI, according to new Forrester study http://approjects.co.za/?big=en-us/security/blog/2023/04/20/microsoft-entra-delivers-240-percent-roi-according-to-new-forrester-study/ Thu, 20 Apr 2023 16:00:00 +0000 Learn why Microsoft Entra delivers 240-percent ROI—get key benefits and real-world learnings from adopters across the financial, high-tech, and manufacturing sectors.

The post Microsoft Entra delivers 240 percent ROI, according to new Forrester study appeared first on Microsoft Security Blog.

Every day we easily move between apps and devices while identity professionals work hard behind the scenes to improve technologies that make this digital experience more secure. With nearly 50 percent of data breaches caused by stolen credentials, it’s important for identity professionals to arm themselves with cutting-edge and intelligent tools to stay ahead of attackers.1 And these tools must also be financially viable without hindering productivity or skirting growth. Microsoft Entra is purpose-built to do both, bringing identity and access solutions together in a comprehensive product family for multicloud environments. Alongside skilled identity professionals, Microsoft Entra balances organizations’ needs to secure their digital estates and keep business operations moving. 

To evaluate the net effects of moving to Microsoft’s cloud-native identity and access management (IAM) solution, Forrester Consulting has conducted a commissioned study on behalf of Microsoft: The Total Economic Impact™ Of Microsoft Entra. Forrester interviewed 10 representatives from eight existing Microsoft customers that are currently using three products in the Microsoft Entra family: Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID.  

Figure 1. The Total Economic Impact™ Of Microsoft Entra.

In total, Forrester’s financial analysis found that a composite organization based on these interviewed customers experienced benefits of USD12.14 million over three years, versus costs of USD3.57 million. This adds up to a net present value of USD8.57 million and a return on investment (ROI) of 240 percent. Forrester left no stone unturned in examining the financial impact of Microsoft Entra. The results were divided into five categories common to most organizations. Here’s an overview of their findings:

Modernizing identity and consolidating vendors

Before Microsoft Entra, the interviewed organizations managed identity and access using multiple point solutions. This patchwork approach came up short on security and introduced high complexity and costs. With Microsoft Entra, organizations could retire some of these solutions as well as sunset legacy on-premises infrastructure such as Active Directory Federation Services (AD FS). After consolidating with Microsoft Entra, Forrester determined that the composite organization’s cost savings totaled USD2,084,082.

“We wanted to centralize all of our IAM tools, and we decided to use Microsoft Entra because of what Microsoft offered in terms of its security and enterprise relationships, and also [because of] the fact that our chief information security officer felt comfortable about having our identity managed by Microsoft.”

—Identity and access team lead, software industry

Increasing identity team efficiency

By securing access for all their identities to any app and resource, the surveyed organizations were able to implement granular risk-based policies. With multifactor authentication, they protected against phishing, credential stuffing, and other attacks that exploit user credentials. Permissions Management enabled organizations to discover and remediate security risks caused by excessive and unused permissions in their multicloud environments. Forrester found that the composite organization was able to reduce the likelihood of a breach by 20 percent over three years. This also helped ensure compliance with regulatory standards. All these improvements yielded a three-year, risk-adjusted total of USD1,521,840.

Graphic illustrating the Total Economic Impact of Microsoft Entra showing that Microsoft Entra reduces the likelihood of a breach by 20 percent.

Accelerating development velocity

Surveyed organizations shared that for security purposes developers were required to request permissions every time they needed new access, and this tended to have a negative impact on product-development speed. A developer’s work on a project could get interrupted by up to several days while the developer was waiting for access, and any project as a whole could get delayed by weeks or even months as those interruptions added up. Adopting Permissions Management improved product development velocity from days to hours, which helped keep development projects on schedule. Forrester calculated that wait time for developers was reduced by 90 percent. This sped-up development yields a total of USD922,422 in benefits over three years.

“What previously took two to three days is now handled in a couple of hours at most.”

—Head of enterprise security architecture, insurance industry

Increasing worker productivity and reducing IT friction

Employees expect to collaborate on any project from anywhere using any app—especially now that hybrid work is the new normal. But they find signing into multiple applications throughout the day frustrating and time-consuming. Interviewees shared that one of their primary goals for their organizations was to improve user experience by enabling single sign-on for applications from almost any device or location. According to Forrester’s calculations, with Microsoft Entra, each employee saved 13 hours per year on average and the composite organization saved USD4,048,685 over three years. If you have a help desk, your employees likely make thousands of password reset requests per month. Locked-out users can’t be productive, and their pleas for help eat up valuable time help desk workers could spend on other priority tasks. With Microsoft Entra, employees can reset their own passwords without help desk intervention. Forrester estimates that customers can decrease the number of password reset calls per year by 75 percent, yielding a three-year adjusted present value of USD251,794.

“If you have your applications integrated with Azure AD, you can have a really, really sweet user experience, security model, and simple administration.”

—Senior security engineer, software industry

Security for all

At Microsoft Security, we’re committed to being a trusted partner for IAM and security teams like those who shared their experiences for this study. We believe a holistic approach to security can help you protect what matters without slowing productivity. To get the full analysis on how cloud-native, scalable Microsoft Entra can deliver significant value, be sure to download The Total Economic Impact™ Of Microsoft Entra and share its accompanying infographic for fast insights.



1 Verizon 2022 Data Breach Investigations Report

Secure hybrid and remote workplaces with a Zero Trust approach http://approjects.co.za/?big=en-us/security/blog/2023/04/06/secure-hybrid-and-remote-workplaces-with-a-zero-trust-approach/ Thu, 06 Apr 2023 16:00:00 +0000 Secure your organization's digital estate through a comprehensive Zero Trust approach.

The post Secure hybrid and remote workplaces with a Zero Trust approach appeared first on Microsoft Security Blog.

Productivity and innovation have become critical goals in many hybrid and remote work environments. Ensuring preventative and strong security, in turn, must be at the heart of that. In this blog series, we’ll discuss two Zero Trust business scenarios: enabling a more productive hybrid or remote work environment and rapidly modernizing your organization’s security posture through a Zero Trust architecture. Adopting an end-to-end Zero Trust strategy promotes secure, optimal access for the modern hybrid workforce.

Zero Trust is a proactive, integrated approach to security across the digital estate that explicitly and continuously verifies every transaction, asserts least privilege access, and relies on intelligence, advanced detection, and real-time response in the face of threats.

Adopting an end-to-end Zero Trust security strategy, and implementing Zero Trust security pillars, promotes the most secure and optimized access for users in the modern hybrid workforce. Organizations need to adapt to stay competitive, and cybersecurity remains a top concern as work environments continue to shift toward hybrid and remote settings.

Enable a more productive hybrid or remote workplace

Hybrid work introduces significant challenges for security teams as employees spend more time outside the traditional network perimeter where visibility, control, and consistency are harder to enforce. This impacts security teams who work to secure sensitive data and devices.


Figure 1. Hybrid and remote workers can enable more productive, secure workflows in both global and local locations with a comprehensive Zero Trust strategy in place.

Embracing a Zero Trust security model provides your organization with the necessary tools and framework to more effectively secure hybrid work environments. Adopting an end-to-end Zero Trust strategy also comes with several other business benefits in this new world of work, including:

  • Improved employee experience and productivity.
  • Increased organizational agility and adaptability.
  • Strengthened talent retention.

One of the first steps organizations must take to modernize and equip themselves with proper data security measures is to determine if they:

  • Know the types of sensitive information they have and where it lives.
  • Protect and prevent loss of sensitive data across environments.
  • Have a method for managing insider risks to understand user intent.

Answering these questions can help organizations discern how well they match up to today’s evolving security risks and how they could improve their security posture by implementing a Zero Trust architecture.

A Zero Trust framework helps organizations strengthen their defenses, giving employees the flexibility to work from anywhere and use applications that live outside of traditional corporate network protections. Zero Trust makes securing data across multiple channels, such as emails, messages, shared storage, cloud apps, and devices much easier. And, with hybrid workforces, data security incidents can happen anytime, anywhere.

A simplified security architecture through Zero Trust improves business agility across many types of workplaces, including hybrid. Through efficient system management and user access, organizations can move quickly to pursue business opportunities and support remote work while assessing and managing risk. This is particularly important because collaborating across multiple environments and devices, as remote and hybrid work requires, can result in severe data security incidents, especially if your organization lacks visibility into its data or a user intends to exfiltrate or expose sensitive information. Instituting a Zero Trust architecture also improves security posture and reduces the risk of data breaches, even for people, resources, and data outside the corporate network perimeter.


Figure 2. Teams must collaborate with each other to implement a comprehensive, cross-cloud Zero Trust framework into their security practices.

Innovate and rapidly modernize your organization’s security posture

Zero Trust is designed to modernize your security posture and ensure comprehensive security across all identities. A comprehensive Zero Trust approach also helps break down silos between IT teams and systems, enabling better visibility and protection across your entire IT stack. Using tools like Microsoft Purview Compliance Manager, your security team can also measure the security posture of your assets against industry benchmarks and best practices. Analyzing productivity and security signals helps your team better evaluate your security culture, identifying areas for improvement or best practices for compliance.

Today’s security leaders must balance the challenges of hybrid or remote access, protecting sensitive data, and compliance requirements with the business need to collaborate, innovate, and grow. Rapidly modernizing your security posture by implementing a Zero Trust framework will not only help your organization to meet and exceed regulatory and compliance requirements, but it will also help enable your organization to protect against a fast-changing threat landscape. As your organization begins this journey, remember that teams must:

  • Collaborate on how to address the most critical threats they face.
    • This involves continuous improvement and evaluation across the entire digital estate to increase visibility. Teams can automate tasks that slow them down, such as routine IT help desk requests, which saves time and money that can go toward proactively addressing serious security problems.
  • Simultaneously defend their organizations against attacks and other security threats.
    • As a part of defending against security attacks and threats, security teams should ask themselves how they protect data and identities, while also evaluating and managing endpoint device health. This can help teams evaluate attacks that may occur while determining insider risk alongside user behavior analysis.
  • Strive for continuous security improvement.
    • Because of the ever-evolving threat landscape, security teams must also continuously improve and check in on their security status, including continuous monitoring for threats that otherwise would not or could not be detected proactively. Zero Trust allows teams to protect against bad actors and potential security threats automatically and proactively through multistep defense across identities and endpoints.
  • Prioritize their need for end-to-end visibility.
    • Another component of defending against security attacks and threats is increasing the security team’s visibility throughout the entire digital estate. Organizations should adopt specific policies to ensure data and identities are protected and meet compliance requirements, as necessary, and set alerts for attacks to enable quick remediation.

Consider the Rapid Modernization Plan guidance Microsoft uses to implement Zero Trust, which allows teams to use a set of specified initiatives for successful and quick deployment. The process goes as follows:

  1. Validate trust for all access requests from identities, endpoints, apps, and networks.
  2. Prepare and enable ransomware recovery.
  3. Protect on-premises and cloud data from malicious access.
  4. Streamline threat response.
  5. Unify visibility across all security pillars.
  6. Reduce manual effort on security teams.

Adopting a Zero Trust model enables end-to-end visibility across the security estate. The automated response that the Zero Trust approach takes protects assets, remediates threats, and supports investigations, ultimately empowering security teams to respond more quickly to threats across all pillars.

Secure your organization’s digital estate through a comprehensive Zero Trust approach

Adopting an end-to-end Zero Trust strategy is a critical step organizations can take to make their hybrid work environments more productive, innovative, and modern. We look forward to diving into additional scenarios in our next Zero Trust blog.

To learn more about protecting your business:

And, to dive deeper into Microsoft Security solutions, join us on April 13, 2023, for Microsoft Secure Technical Accelerator. During this event, you can engage with our product and engineering teams through a live Q&A during each session, learn best practices, build community with your security peers, and get prescriptive technical guidance that will help you and your organization implement our comprehensive security solutions. 


Latest Microsoft Entra advancements strengthen identity security http://approjects.co.za/?big=en-us/security/blog/2023/03/30/latest-microsoft-entra-advancements-strengthen-identity-security/ Thu, 30 Mar 2023 16:00:00 +0000 Good permissions governance and protecting against identity compromise are essential strategies for keeping your people and resources safe. Learn how the new features in Microsoft Entra can support your identity strategy.

The post Latest Microsoft Entra advancements strengthen identity security appeared first on Microsoft Security Blog.

If you read behind the attention-grabbing headlines, most novel techniques rely on compromised identities.1 In fact, of all the ways an attacker can get into your digital estate, identity compromise is still the most common.2 This makes identity your first line of defense.

In many organizations, however, too many identities not only lack fundamental protections, but also end up with too many access permissions that they keep for too long. Our new State of Cloud Permissions Risks Report reveals some sobering statistics that drive home the importance of carefully protecting and managing your identities to reduce both risk and opportunities for cybercriminals.

Across multicloud, more than half of all identities are admin and workload identities that have all access rights and all permissions to cloud resources. This is dangerous because overall, identities are using only 1 percent of the permissions granted to them. Some don’t use their permissions at all. In fact, more than 60 percent of all identities with permissions to cloud resources are completely inactive. At 80 percent, the proportion of inactive workload identities is even higher—and workload identities outnumber human identities 10 to 1.

While this report summarizes issues with cloud permissions, we see similar issues for business users.

At the recent Microsoft Secure event, I shared ways to strengthen your identity defenses using the latest innovations we’re delivering in Microsoft Entra. These include new governance controls and real-time access protections to help you secure identities and the resources they access.

A new, faster way to onboard with Microsoft Entra Identity Governance and Microsoft Entra Verified ID

Good identity practices start during onboarding, a process that often frustrates IT admins and users alike.

The goal of onboarding is to give new users the right access to the right resources for the right amount of time—adhering to the Zero Trust principle of “least privilege access”—on day one. However, traditional onboarding still requires loads of redundant paperwork and online forms that require manual review and approval before new users can start work and get access to resources. This can delay hiring and increase ramp-up time.

Eighty-two percent of organizations Microsoft surveyed want a better—and less manual—way to do identity verification, and now they have one.3 Microsoft Entra Identity Governance and Microsoft Entra Verified ID now work together to simplify onboarding. Instead of spending weeks collecting and verifying pre-hire documentation such as education and industry certifications, organizations can validate everything digitally using Verified ID credentials issued by trusted authorities.

When you use entitlement management in Identity Governance to create an access package with specific applications and expiration settings, you can now require a Verified ID as part of the approval workflow.4 With entitlement management, you can make the onboarding process completely digital and self-serve—no admin required.5 New users get an automated welcome email with a link to the My Access portal. Once they share the required Verified ID and their manager approves their access request, they get all their workplace access permissions at once. When their permissions expire, they can easily prove their identity again using their Verified ID without going through a lengthy renewal process.

This streamlined onboarding process is faster, safer, and less resource intensive. Organizations will spend less time validating credentials on paper and approving access requests manually, and more time collaborating and innovating. Plus, other Identity Governance features, such as automation of routine joiner, leaver, and mover tasks, help keep permissions the right size over time.

New protections to help secure access

Once a new user is on board, Microsoft Entra helps you secure their access. This starts with proactive controls such as enforcing multifactor authentication.

Strong sign-in defenses make you less attractive—and less vulnerable—to most attackers, who don’t have the technical prowess, funding, or resources of more sophisticated groups. Credential attacks are the most common because they cost relatively little to perform, but you can interrupt them with multifactor authentication.6 Our data shows that more than 99.9 percent of compromised accounts don’t have multifactor authentication enabled.

However, sophisticated attackers are trying to work around multifactor authentication with techniques such as SIM jacking and multifactor authentication fatigue attacks. To counter these techniques, Microsoft Entra supports phishing-resistant multifactor authentication methods. These include passwordless options such as Windows Hello for Business and FIDO2 security keys. Certificate-based authentication is also available for organizations standardized on it.

When you enable multifactor authentication, by all means, adopt the strongest methods. Older methods, such as SMS and voice calls, are simply less secure.

Phishing-resistant features in Microsoft Authenticator further strengthen your multifactor authentication defenses.7 Number Matching requires users to enter a number displayed on the sign-in screen, making it harder to accidentally approve a request. To help users confirm that they’re approving an access request they (and not an attacker) made, application context shows them which application they’re signing into, while location context displays their sign-in location based on the IP address of their device.

And now, with Conditional Access authentication strengths, admins can set policy on the strength of multifactor authentication required—and base that policy on the sensitivity of the apps and resources a user is trying to access.8 In tandem, we’re extending phishing-resistant multifactor authentication to more scenarios. For example, you can require phishing-resistant multifactor authentication for Microsoft Azure virtual machines to protect remote sign-ins and to provide end-to-end coverage for dev, testing, and production environments. You can also require it for external users and for users who have to move between different Microsoft cloud instances to collaborate, for example, between government and commercial clouds.9

In addition, with Conditional Access for high-risk actions, you can now require phishing-resistant multifactor authentication for sensitive actions, such as modifying access policies, and coming soon, adding a new credential to an application or changing federated trust configuration. You can also restrict high-risk actions based on device compliance or location.

New countermeasures to help prevent lateral movement

Once a new user has signed in, Microsoft Entra helps you take a proactive “assume breach” stance to protect their credentials and prevent lateral movement. This is essential because post-authentication attacks, such as token theft through malware, mining poorly configured logs, and compromising routing infrastructure, are on the rise.10

Attackers replay stolen tokens to impersonate an authenticated user. Just as thieves copy a credit card number or read its RFID code and then go on a shopping spree until the bank notices and freezes the card, attackers steal tokens to access your digital resources—and cause a lot of damage—until that token expires.

Two new capabilities in Microsoft Entra are closing the token replay window.

First, strict enforcement of location policies lets resource providers use continuous access evaluation (CAE) to immediately revoke tokens that run afoul of location policies. Until now, a stolen token could stay valid for an hour or more, even if an attacker tried to replay it outside of the location range that policy allows.

Exchange Online, SharePoint, and Microsoft Graph can now respond to network change events by revoking tokens in near real-time. Since CAE is part of the Microsoft identity platform, hundreds of apps have adopted it to benefit from the enforcement of location policies and other CAE events. This includes Microsoft 365 apps such as Outlook, Microsoft Teams, and OneDrive, as well as the built-in Mail app on Mac, iPhone, and iPads. Third-party apps can adopt CAE through Microsoft Services Authentication Library.11
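The CAE adoption described above carries a concrete obligation on the client side: when a resource such as Exchange Online or Microsoft Graph has revoked a token, it answers the next request with HTTP 401 and a WWW-Authenticate header whose error is "insufficient_claims" and whose "claims" parameter is a base64-encoded claims request, and the app must decode that request and hand it back to the identity platform instead of retrying the dead token. The Python below is an added example, not code from the blog post or from any Microsoft library; the header value is constructed for the example (it follows the documented challenge shape), and the function names are the example's own.

```python
"""Decode a continuous access evaluation (CAE) claims challenge.

Added example; not code from the Microsoft Security Blog post or from MSAL.
A CAE-enabled resource that has revoked a token (for example after a
network-location change) answers with HTTP 401 and a WWW-Authenticate
header whose error is "insufficient_claims" and whose "claims" parameter is
a base64-encoded claims request. A CAE-capable client must decode that
request and pass it back to the identity platform to obtain a fresh token
(in MSAL: acquire_token_silent(..., claims_challenge=<decoded JSON>)). An
app that ignores the challenge and simply retries keeps replaying a dead
token, which is exactly the replay window the post describes.
"""
import base64
import json
import re

# Constructed sample of the header a CAE-enabled API returns (not captured data).
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer authorization_uri="https://login.windows.net/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwNDEwNjY1MSJ9fX0="'
)

# An ordinary expired-token challenge, for contrast: there are no claims to hand back.
SAMPLE_EXPIRED_TOKEN = 'Bearer error="invalid_token", error_description="The token is expired"'

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a Bearer WWW-Authenticate header into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(_PARAM_RE.findall(params))


def decode_claims_challenge(header):
    """Return the decoded claims-request JSON string for a CAE challenge,
    or None when the 401 is not a claims challenge (e.g. a plain expired token)."""
    params = parse_bearer_challenge(header)
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    # Accept both standard and URL-safe base64, with or without padding.
    raw = raw.replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    decoded = base64.b64decode(raw).decode("utf-8")
    json.loads(decoded)  # reject anything that is not a JSON claims request
    return decoded


def claims_challenge_dict(header):
    """Parsed form of the challenge, useful for logging which claim was demanded."""
    decoded = decode_claims_challenge(header)
    return None if decoded is None else json.loads(decoded)


def handle_401(header):
    """Decide what the client should do with a 401 from a CAE-enabled API."""
    claims = decode_claims_challenge(header)
    if claims is None:
        return ("reacquire_token", None)        # normal expiry: silent refresh
    return ("reacquire_with_claims", claims)    # CAE: pass the claims back to the issuer


if __name__ == "__main__":
    print(handle_401(SAMPLE_WWW_AUTHENTICATE))
    print(handle_401(SAMPLE_EXPIRED_TOKEN))
```

The sample challenge decodes to a request for a fresh `nbf` (not-before) claim on the access token, which is how the resource forces a new token to be minted after a revocation event. In MSAL the two integration points around this step are declaring the client capability (`client_capabilities=["cp1"]` on the application object, which tells the identity platform the client understands CAE challenges) and passing the decoded JSON as the `claims_challenge` argument of `acquire_token_silent`.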

While closing the token replay window is a big step forward, we’re also working to make sure it never opens in the first place through a new capability called Token Protection.12 This adds a cryptographic key to issued tokens that blocks attackers from replaying them on a different device, which is like having a credit card that instantly deactivates if someone steals it from your wallet.

As a first step, we’re adding this capability for sign-in sessions on Windows (version 10 or later). Next, we’ll extend this capability to other platforms and address more Windows scenarios, such as app sessions and workload cookies.

A new dashboard to help close policy gaps

The new identity protections described above are just part of what’s available for creating granular Conditional Access policies. To help you find vulnerable areas in your environment, we’re adding an overview dashboard to the Microsoft Azure Active Directory Conditional Access blade that summarizes your policy posture, identifies unprotected users and apps, provides insights and recommendations on Conditional Access coverage based on sign-in activity, and helps you investigate the impact of individual policies. This will help you more quickly identify where you need to better enforce Zero Trust principles, so you can strengthen your defenses.
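The questions the dashboard answers (which users and apps sign in with no Conditional Access policy applied, and who still satisfies MFA with the weaker methods the post warns about) can also be asked directly of sign-in records. The Python below is an added example, not the dashboard's logic or code from the post; the records are constructed for the example and shaped like the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, conditionalAccessStatus, authenticationRequirement, mfaDetail.authMethod), and the method-name sets that classify a factor as weak or phishing-resistant are assumptions for the example.

```python
"""Find Conditional Access coverage gaps in sign-in records.

Added example; not the Conditional Access overview dashboard's logic or code
from the blog post. It answers two of the dashboard's questions over sign-in
records shaped like the Microsoft Graph signIn resource: which users and
apps are signing in with no Conditional Access policy applied at all, and
which users still satisfy MFA with the methods the post calls less secure
(SMS, voice). The records and the method labels are constructed for this
example.
"""
from collections import Counter

# Assumed method labels (constructed for the example; map your tenant's
# mfaDetail.authMethod strings onto these sets).
WEAK_MFA_METHODS = {"Text message", "Phone call"}
PHISHING_RESISTANT_METHODS = {
    "FIDO2 security key",
    "Windows Hello for Business",
    "Certificate-based authentication",
}

# Constructed sign-in records (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal",
     "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "FIDO2 security key"}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "Text message"}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Legacy Timesheet",
     "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "mfaDetail": None},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Legacy Timesheet",
     "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "mfaDetail": None},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Exchange Online",
     "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "Windows Hello for Business"}},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Exchange Online",
     "conditionalAccessStatus": "failure",
     "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "Phone call"}},
]


def analyze_signins(records):
    """Summarise policy coverage and MFA-method strength across sign-ins."""
    unprotected_apps = Counter()
    unprotected_users = Counter()
    weak_mfa = set()
    phishing_resistant = 0
    for rec in records:
        user, app = rec["userPrincipalName"], rec["appDisplayName"]
        # "notApplied" means no policy matched this sign-in: a coverage gap.
        if rec["conditionalAccessStatus"] == "notApplied":
            unprotected_apps[app] += 1
            unprotected_users[user] += 1
        method = (rec.get("mfaDetail") or {}).get("authMethod")
        if (rec["authenticationRequirement"] == "multiFactorAuthentication"
                and method in WEAK_MFA_METHODS):
            weak_mfa.add((user, method))
        if method in PHISHING_RESISTANT_METHODS:
            phishing_resistant += 1
    covered = sum(1 for r in records if r["conditionalAccessStatus"] != "notApplied")
    return {
        "unprotected_apps": dict(unprotected_apps),
        "unprotected_users": dict(unprotected_users),
        "weak_mfa": sorted(weak_mfa),
        "phishing_resistant_signins": phishing_resistant,
        "coverage_ratio": covered / len(records) if records else 0.0,
    }


def gap_report(records):
    """Human-readable findings, one per line, apps ordered by sign-in count."""
    s = analyze_signins(records)
    lines = ["%.0f%% of sign-ins had a Conditional Access policy applied"
             % (100 * s["coverage_ratio"])]
    for app, n in sorted(s["unprotected_apps"].items(), key=lambda kv: -kv[1]):
        lines.append("app without policy coverage: %s (%d sign-ins)" % (app, n))
    for user, method in s["weak_mfa"]:
        lines.append("weak MFA method in use: %s via %s" % (user, method))
    return lines


if __name__ == "__main__":
    print("\n".join(gap_report(SAMPLE_SIGNINS)))
```

A sign-in whose policy evaluation failed still counts as covered here, because a policy did apply to it; the gap the example is after is the "notApplied" case, where nothing in the policy set matched the user and app combination at all.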

Good permissions governance and protecting against identity compromise are essential strategies for keeping your people and resources safe.

Learn more

Learn more about Microsoft Entra.

To learn more about the new governance and identity protection capabilities described in this blog post, check out these Microsoft Secure sessions. To review all the new innovations announced at Microsoft Secure, read Vasu Jakkal’s blog post.

1. 2023 identity security trends and solutions from Microsoft, Alex Weinert. January 26, 2023.

2. Verizon 2022 Data Breach Investigations Report. 2022.

3. Microsoft survey of 3,000 United States-based companies with more than 500 users. 2021.

4. Add a Verified ID requirement (Preview), Microsoft Learn. January 24, 2023.

5. What is entitlement management? Microsoft Learn. March 9, 2023.

6. Navigating the ever-evolving authentication landscape, Pamela Dingle. January 10, 2023.

7. Defend your users from MFA fatigue attacks, Alex Weinert. September 28, 2022.

8. Conditional Access authentication strength, Microsoft Learn. January 29, 2023.

9. Configure Microsoft cloud settings for B2B collaboration, Microsoft Learn. March 9, 2023.

10. Token tactics: How to prevent, detect, and respond to cloud token theft, Microsoft Security Experts and Microsoft Incident Response. November 16, 2022.

11. How to use Continuous Access Evaluation enabled APIs in your applications, Microsoft Learn. March 2, 2023.

12. Conditional Access: Token protection, Microsoft Learn. March 8, 2023.

5 reasons to adopt a Zero Trust security strategy for your business http://approjects.co.za/?big=en-us/security/blog/2023/02/27/5-reasons-to-adopt-a-zero-trust-security-strategy-for-your-business/ Mon, 27 Feb 2023 17:00:00 +0000 Learn how Zero Trust security can help minimize damage from a breach, support hybrid work, protect sensitive data, and more.

The post 5 reasons to adopt a Zero Trust security strategy for your business appeared first on Microsoft Security Blog.

Adopting Zero Trust security for your enterprise is no longer a wish-list item—it’s a business imperative. The workplace today extends to almost anywhere, anytime, from any device. Siloed, patchwork security solutions leave gaps that threat actors continue to exploit. A comprehensive Zero Trust model provides the integrated security today’s organizations require, reaching across the digital estate to continuously verify every transaction, assert least-privilege access, and provide real-time responses to threats.

Whether you’ve already begun your journey to adopt Zero Trust architecture or are just wanting to learn more, the Microsoft Zero Trust Maturity Assessment Quiz can help shed light on possible vulnerabilities within your organization. In this blog, we’ll focus on how your business can benefit by presenting five practical scenarios in which enabling Zero Trust can help you do more with less so you can move forward fearlessly.

1. Enabling a more productive workplace through remote or hybrid work

According to the Zero Trust Adoption Report, 81 percent of enterprise organizations surveyed had already started moving toward a hybrid workplace. This massive shift has forced organizations to adapt rapidly, often in ad-hoc fashion. Employees are getting work done at home, in an airport or hotel room, or at the gym—all while collaborating through cloud services, sharing data on corporate and home networks, and switching between business and personal devices.

Protecting your organization means that the three principles of Zero Trust need to be enforced while monitoring networks, data, and apps across all connected devices. Every device with access to corporate resources—company-owned or personal—should be managed by your IT. Your security operations (SecOps) team can protect remote users’ devices against credential compromise with tools like multifactor authentication1 and risk assessment using Identity Protection in Microsoft Azure Active Directory,2 as well as Microsoft Intune app-protection policies.3

A Zero Trust approach not only protects against security gaps from remote work, but it also helps deliver tangible business benefits, including:

  • Improving employee experience and productivity: A Zero Trust approach allows your employees to safely work from home, enroll new devices from anywhere, hold secure meetings, and achieve greater productivity. Implementing single sign-on, enabling passwordless authentication, and eliminating VPN clients reduces day-to-day friction and improves the user experience.
  • Increasing agility and adaptation: A Zero Trust model empowers users and admins alike to execute with confidence and agility. Device health, antimalware status, and security are constantly monitored and validated. By engaging the principles of “assume breach” and “least-privilege access” for each user’s role, you help secure your business and empower employees to work from anywhere.
  • Strengthening talent retention: In today’s competitive hiring market, embracing flexibility is critical to attracting and retaining the people you want. According to the 2022 Work Trend Index, 52 percent of respondents said they are likely to consider shifting to hybrid or remote work in the year ahead.4 Adopting Zero Trust security empowers employees to work productively and securely wherever they’re comfortable.

2. Preventing or reducing business damage from a breach

The days of perimeter-based security are not coming back. Unlike the old security models that rely on castle walls to keep threats out, having the right Zero Trust strategy can help you move your organization away from static, network-based defenses to focus on users, assets, and resources. A Zero Trust security model follows three principles: verify explicitly, use least-privilege access, and assume breach.

Adhering to these three Zero Trust principles helps your SecOps team maintain visibility across all assets and endpoints so they can quickly triage alerts, correlate additional threat signals, and initiate remediation. Any change in your network automatically triggers analysis, which results in a reduction in risk exposure. This responsive, flexible approach to security brings several business benefits, including:

  • Reducing the blast radius: The principle of assume breach helps minimize the impact of an external or insider attack. It enhances your organization’s ability to detect and respond to threats in real-time and reduces damage by restricting an attacker’s lateral movement.
  • Controlling damage to your reputation: Unauthorized access to confidential data can cause financial harm, damage to your brand, theft of intellectual property, and disruption to the customer experience. Zero Trust security helps protect your organization by continuously monitoring and analyzing your network while updating policies automatically when risks are identified.
  • Lowering cyber insurance premiums: Zero Trust security enables greater control, visibility, and governance, including real-time analysis for protecting your network and endpoints. Detecting and removing gaps in your overall security posture demonstrates to insurers that your security team has proactive strategies and systems in place, which can help prevent a costly breach.

3. Identifying and protecting sensitive business data and identities

The Zero Trust approach for data protection and governance helps to maximize the business value of your data while minimizing security and compliance risks. It helps protect data and user identities by enforcing strong governance—enabling employees to share data safely with partners, vendors, and customers.

This kind of boundaryless collaboration ensures that only authorized individuals and devices have access to your sensitive data while helping to mitigate data breaches through network segmentation. Data encryption and access and identity control enable your organization to gain additional protections by limiting which data can be accessed, as well as limiting actions taken by authorized users. Micro-segmentation further limits attackers’ ability to access or share sensitive data.

Identifying risks and guiding policy configuration requires understanding the volume, location, and inventory of sensitive data. From there, your team can discover risk vectors and rank their severity. You’ll want to classify, inventory, and label sensitive data to ensure greater control by monitoring which users interact with it and how they do so. Your team can also apply real-time policies based on context, such as encryption or restricting third-party apps and services. In addition, automating the data classification and labeling processes can mitigate the impact of human error.

4. Proactively meeting regulatory requirements  

A 2022 survey of United States-based decision-makers showed that almost 80 percent of organizations purchased multiple products to meet their compliance and data-protection needs.5 Regulations such as the European Union’s General Data Protection Regulation (GDPR),6 California Consumer Privacy Act (CCPA),7 and data residency requirements all require strict data privacy and management controls. Legacy solutions often don’t work together seamlessly, exposing infrastructure gaps and increasing operational costs.

Implementing a comprehensive Zero Trust architecture helps solve these issues by proactively getting ahead of regulatory and compliance requirements. It enables end-to-end visibility and discovery of critical assets to help protect and manage your organization’s entire data estate with unified data governance and risk management. Even better, Zero Trust strategies often exceed other regulatory requirements and require fewer systemwide changes to meet new regulations, empowering your business to grow with agility and efficiency.

A comprehensive Zero Trust approach also helps break down silos between IT teams and systems, enabling better visibility and protection across your entire IT stack. Real-time visibility allows automatic discovery of assets and workloads, while compliance mandates can be applied through classification and sensitivity labeling. Analyzing productivity and security signals also helps your team better evaluate your security culture, identifying areas for improvement or best practices for compliance. Beyond reducing risks from lateral movement, network segmentation also enables greater visibility and helps your team segment compliance-critical workflows.

A Zero Trust model makes it easier to audit your environment and understand the policies needed to comply with governance requirements. It enables continuous assessments—from taking inventory of data risks to implementing controls and staying current with regulations and certifications. This allows your compliance personnel to better retain and recall necessary documentation, improving audit accuracy and reducing time. Using tool assessments like compliance score, your security team can also measure the security posture of your assets against industry benchmarks and best practices.8

5. Zero Trust takes care of security so your organization can focus on innovation

Today’s security leaders must balance the challenges of hybrid and remote access, protecting sensitive data, and compliance requirements with the business need to collaborate, innovate, and grow. Along with protecting against a fast-changing threat landscape, Zero Trust architecture helps you earn the trust of stakeholders across your enterprise.

Backed by the Microsoft Secure Score and analytics, your team can continuously monitor security scores to understand your risk and determine which assets are vulnerable.9 This helps your team specify actions, as well as the level of effort involved and how such actions will affect users. Providing this kind of clear evidence demonstrates impact to your board of directors and supports your security strategy. Enabling Zero Trust also carries business benefits such as:

  • Driving innovation and enriching partner relationships: A Zero Trust model unifies security policies in-house while examining breaches that may occur externally during partner interactions. This helps to minimize vulnerabilities created by the weak security practices of outside vendors while ensuring that authenticated users have appropriate access to resources and assets. Enabling secure access for specific partners and contractors—regardless of location, device, or network—can help establish trust relationships that benefit the business.
  • Increasing security team morale: A Zero Trust approach enables your security team to simplify their cybersecurity strategy and retire legacy solutions. Being able to apply policies across environments from a single platform, as well as reduce complexity and quickly remediate concerns—all of it can help boost your security team’s confidence and prevent job burnout.
  • Enabling an agile response to business scenarios: By providing your security team with automatic discoverability, centralized visibility, practical guidance, and control of assets, you free up your IT team to spend less time maintaining infrastructure and more time furthering business needs.

Having measurable data added to your regular reporting and security key performance indicators readily demonstrates your security progress, and that helps build confidence among board members, leaders, partners, and customers.

Learn more

We’ve looked at how the security landscape is rapidly changing due to the widespread adoption of hybrid and remote work, increasing cyberattacks, and evolving regulatory oversight. A Zero Trust approach effectively balances risk with achieving your business goals, making it a practical solution for today’s decentralized enterprise. To learn more about how your organization can improve its Zero Trust position, remember to take the Microsoft Zero Trust Maturity Assessment Quiz. In the coming weeks, we’ll be sharing additional blog posts and specialized e-books on each of these business scenarios.

And remember to mark your calendar for Microsoft Secure on March 28, 2023. This new digital event will bring together customers, partners, and the defender community to learn and share comprehensive strategies across security, compliance, identity, management, and privacy. We’ll cover important topics such as the changing threat landscape, how Microsoft defends itself and its customers, challenges security teams face daily, confidential computing, and what an AI-powered future means for cybersecurity. Register today.

1. How it works: Azure AD Multi-Factor Authentication, Microsoft Learn. January 30, 2023.

2. Risk-based access policies, Microsoft Learn. November 16, 2022.

3. How to create and assign app protection policies, Microsoft Learn. February 21, 2023.

4. Work Trend Index 2022, Microsoft. March 16, 2022.

5. The future of compliance and data governance is here: Introducing Microsoft Purview, Alym Rayani. April 19, 2022.

6. What is GDPR, the EU’s new data protection law? GDPR.

7. California Consumer Privacy Act (CCPA), State of California Department of Justice. February 15, 2023.

8. Compliance score calculation, Microsoft Learn. February 17, 2023.

9. Track and respond to emerging threats through threat analytics, Microsoft Learn. February 7, 2023.

Microsoft Defender for Office 365 named Best Email Security Service of 2023 by SE Labs http://approjects.co.za/?big=en-us/security/blog/2023/02/21/microsoft-defender-for-office-365-named-best-email-security-service-of-2023-by-se-labs/ Tue, 21 Feb 2023 17:00:00 +0000 Microsoft Defender for Office 365 receives Best Email Security Service of 2023 award by SE Labs.

The post Microsoft Defender for Office 365 named Best Email Security Service of 2023 by SE Labs appeared first on Microsoft Security Blog.

In today’s world where hybrid and remote work are on the rise, and companies rely on email now more than ever, phishing remains one of the most prominent and sophisticated techniques that malicious actors utilize to attack organizations and gain access to their most sensitive information. Twenty-seven percent of all cyberattacks involve business email compromise campaigns—making email the primary entry point and a key vector of compromise.1 To protect effectively against this constantly changing and evolving threat landscape, organizations need to proactively implement protection directly integrated with their email systems to stop attacks before they get to endpoints or other assets.

Microsoft has worked with organizations globally to protect against ransomware and phishing and is excited to announce that SE Labs named Microsoft Defender for Office 365 the Best Email Security Service of 2023.

SE Labs 2023 Winner of Best Email Security Service provider badge.

Microsoft Defender for Office 365 provides comprehensive email protection from attacks such as credential phishing, business email compromise, and ransomware. Using advanced machine learning, an unparalleled database of threat signals, and other innovative heuristics, Microsoft Defender for Office 365 is capable of identifying phishing attacks across the entire organization, while also offering sophisticated prevention, detection, and response features that are seamlessly integrated into Office 365. This integration lets Microsoft Defender provide a user experience that feels native and easy to use and that minimizes processing overhead, without compromising on security.

Technology is key, but users are often the weak link in phishing attacks, so training is a critical element to make sure that phishing links remain untouched by your employees. Microsoft Defender for Office 365 includes built-in phishing simulation training to educate employees and senior leaders to decrease the chance of real-world attacks. Furthermore, SecOps teams are given powerful tools that enable them to customize simulation training, based on detailed insights into where there are knowledge gaps in the organization.

SE Labs testing, methodology, and award results

For this award, Microsoft Defender for Office 365 was evaluated on a combination of quantitative and qualitative factors alongside other cybersecurity vendors. For quantitative testing, SE Labs created simulated attacks based on the current, most up-to-date threat intelligence. SE Labs then measured how many of these malicious messages were appropriately filtered out by Microsoft Defender for Office 365 as well as other email security systems. SE Labs has been building and refining this test since 2017.

In the quantitative test, Microsoft received a rating of AAA, the highest possible. Microsoft Defender for Office 365 was able to correctly identify and block 98 percent of emails containing malicious content like malware or phishing, demonstrating its state-of-the-art capability in protecting customers from business email compromise. Furthermore, once deployed, the Microsoft Defender for Office 365 engine is always learning from email traffic in its environment and makes adjustments accordingly. Learn more about this test and its results.

In addition to quantitative testing, SE Labs conducted a comprehensive evaluation by also gathering qualitative feedback from organizations. Through this approach, SE Labs gained valuable insights into the real-world efficacy of email security solutions. We are humbled that the results indicate that Microsoft Defender for Office 365 received the highest levels of customer satisfaction, compared to other vendors in the evaluation.

While not one of the customers that provided feedback as part of the SE Labs research evaluation, here’s what Rx.Health, a large digital solutions provider for healthcare systems, had to say about their experience with Microsoft Defender for Office 365:

“Defender for Office 365 is the silent component that gives us peace of mind.”—Saurabh Gupta, Director of Engineering and Technology, Rx.Health.

For more on what Rx.Health has to say about Microsoft’s Security solutions, read the full story.

Protect against sophisticated attacks like business email compromise and ransomware with Microsoft’s XDR

Email security is embedded into Microsoft’s unified extended detection and response (XDR) solution: Microsoft 365 Defender. The cross-domain XDR technology uses signals across email, endpoint, on-premises and cloud identities, as well as cloud apps to illuminate the entire kill chain and protect your organization more effectively from modern threats like ransomware and business email compromise. While it delivers game-changing capabilities like automatic attack disruption, which stops active threats early and stops them from progressing, prevention is another critical XDR component to stop threats at the front door. That’s why Microsoft recommends that you evaluate XDR solutions that provide phishing protection through email security and identity access management.

Thank you to SE Labs for their important and impactful testing of email security solutions, in addition to all of our customers who provided their feedback as part of this research.

At Microsoft, we understand the vital importance of robust cybersecurity in the modern digital landscape. That’s why we remain steadfastly dedicated to delivering exceptional security products and services, like Microsoft Defender for Office 365, backed by our team of world-class security researchers and industry-leading threat intelligence. Our advanced AI technology further adapts to the continuous and ever-evolving threat environment, helping to keep your organization safe and secure, so you can focus on driving success and growth.

1. Annual Report 2023, SE Labs.

New Windows 11 security features are designed for hybrid work http://approjects.co.za/?big=en-us/security/blog/2022/09/20/new-windows-11-security-features-are-designed-for-hybrid-work/ Tue, 20 Sep 2022 17:00:00 +0000 With Windows 11, you can protect your valuable data and enable secure hybrid work with the latest advanced security. We're proud to announce the new security features you heard about this spring are now available.

The post New Windows 11 security features are designed for hybrid work appeared first on Microsoft Security Blog.

Attackers are constantly evolving, becoming increasingly sophisticated and destructive—the median time for an attacker to access your private data if you fall victim to a phishing email is 1 hour, 12 minutes.1 Microsoft tracks more than 35 ransomware families and more than 250 unique nation-state attackers, cybercriminals, and other actors. We have unparalleled threat intelligence—processing more than 43 trillion signals per day, including 2.5 billion daily endpoint queries and 921 password attacks blocked every second. We work alongside more than 15,000 partners in our security ecosystem and we have more than 8,500 engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators, and frontline responders across 77 countries. We combine human and machine intelligence with built-in AI to continuously learn from the attack landscape, and we have a dedicated team, the Microsoft Offensive Research and Security Engineering (MORSE), that works to stop threats before they reach your device.2 All of this goes into the design process to deliver a more secure Windows with every release.

“Because Microsoft designed the security model of Windows 11 from the ground up to assume that some component has already been compromised, threat actors will find it orders of magnitude more difficult to remain undetected [and persist] in the environment than in traditional architectures.”

SANS Institute

Protection that evolves with the threat landscape

Today, we’re proud to announce that the security features you heard about in April 2022 are now available on Windows 11.

Application Control

We’ve added features that give people the flexibility to choose their own applications while still maintaining tight security. Smart App Control is a new feature for individuals and small businesses designed to help prevent scripting attacks and to stop users from running untrusted or unsigned applications of the kind often associated with malware or attack tools.[3] It uses an AI model, trained on the 43 trillion security signals Microsoft gathers daily, to predict whether an app is safe to run. Application control is one of the most effective defenses against malware, but it has traditionally been complex to deploy because someone has to author and maintain the allow list. Windows 11 instead uses that model to generate a continually updated app control policy that lets common, known-safe apps run while blocking unknown apps that are often associated with new malware. Our customers have asked us to make this simpler, and we have responded.

The Smart App Control approach achieves the goal of making advanced app control protection widely available. Smart App Control is built on the same OS core capabilities used in Windows Defender Application Control (WDAC). It is available on all Windows client editions, but only on clean installations of the Windows 11 2022 Update; a device upgraded in place does not get it. After installation it starts in an evaluation mode that learns whether enforcing it would get in the user’s way and then switches itself on or off, and once it is off it cannot be turned back on without resetting or reinstalling Windows. Alternatively, for enterprises, your IT team can use Microsoft Intune with WDAC to remotely apply policies that control which apps run on workplace devices.
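The two paths described above, as an added example that is not code from the original post or from Microsoft: the first function reads the current Smart App Control mode, the second builds an audit-mode WDAC policy for the enterprise path from the AllowMicrosoft template that ships in every Windows 11 install, and CiTool (present on the 2022 Update and later) activates it without a reboot. The registry value used for the Smart App Control state and the policy name and staging folder are assumptions, labelled in the code; the ConfigCI cmdlets and CiTool options are the documented ones.

```powershell
# Added example, not from the Microsoft post: read the Smart App Control state and
# stage an audit-mode WDAC policy from the AllowMicrosoft template that ships with Windows.
# Run from an elevated PowerShell session on Windows 11 2022 Update (22H2) or later.
#Requires -RunAsAdministrator

function Get-SmartAppControlState {
    # Assumption: Smart App Control records its mode in this Code Integrity value,
    # where 0 = off, 1 = on (enforcing) and 2 = evaluation.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $v = (Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    switch ($v) {
        1       { 'On (enforcing)' }
        2       { 'Evaluation (learning, not blocking)' }
        0       { 'Off (cannot be re-enabled without resetting or reinstalling Windows)' }
        default { 'Not present (upgraded-in-place device or older build)' }
    }
}

function New-AuditModeWdacPolicy {
    param(
        [string]$PolicyName = 'HybridWork-Audit',                 # hypothetical policy name
        [string]$OutDir     = "$env:ProgramData\HybridWorkWdac"   # hypothetical staging folder
    )
    Import-Module ConfigCI
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Microsoft ships example base policies here. AllowMicrosoft permits Windows and
    # Microsoft-signed apps and, once enforced, blocks everything else.
    $template = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"
    $xml = Join-Path $OutDir "$PolicyName.xml"
    Copy-Item -Path $template -Destination $xml -Force

    # Convert to the multiple-policy format with a fresh GUID. The cmdlet returns the
    # string "PolicyID = {GUID}"; the compiled binary must be named after that GUID.
    $idLine   = Set-CIPolicyIdInfo -FilePath $xml -PolicyName $PolicyName -ResetPolicyID
    $policyId = $idLine.Substring(11)

    # Rule options: 3 = Enabled:Audit Mode (log 3076 events instead of blocking),
    # 16 = Enabled:Update Policy No Reboot, 19 = Enabled:Dynamic Code Security.
    3, 16, 19 | ForEach-Object { Set-RuleOption -FilePath $xml -Option $_ }

    # Compile the XML into the binary form the kernel loads.
    $cip = Join-Path $OutDir "$policyId.cip"
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $cip | Out-Null
    return $cip
}

Write-Host "Smart App Control: $(Get-SmartAppControlState)"

# Enterprise path: activate the staged audit policy now and list the policies in effect.
$cip = New-AuditModeWdacPolicy
& "$env:SystemRoot\System32\CiTool.exe" --update-policy $cip | Out-Null
& "$env:SystemRoot\System32\CiTool.exe" --list-policies
```

Run the device in audit mode for a few weeks and review the 3076 events in the Microsoft-Windows-CodeIntegrity/Operational log before removing option 3 to enforce; in production the same .xml is delivered through Intune rather than copied by hand.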

Vulnerable driver protection

Malware increasingly targets drivers to exploit vulnerabilities, disable security agents, and compromise systems. Windows 11 uses virtualization-based security (VBS) for enhanced kernel protection against these threats.

  • Hypervisor-protected code integrity (HVCI), also called memory integrity, is enabled by default on all new Windows 11 devices. HVCI uses VBS to run kernel mode code integrity (KMCI) inside the isolated VBS environment instead of inside the main Windows kernel, which helps prevent attacks that attempt to modify kernel mode code such as drivers. KMCI’s role is to check that all kernel code is properly signed and has not been tampered with before it is allowed to run.

HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not first been validated by the code integrity subsystem: a kernel page can be writable or executable, but never both. HVCI protects against attacks like WannaCry that rely on injecting unsigned code into the kernel and running it, and it can block such injection even when drivers and other kernel-mode software have exploitable bugs.

  • The Microsoft vulnerable driver blocklist is another important safeguard against advanced persistent threats and ransomware attacks that exploit known vulnerable drivers (a technique often called “bring your own vulnerable driver”). Beginning with the 2022 Update, the block policy is on by default for new Windows devices; on devices where it is not already on, users can enable it from the Windows Security app under Device security > Core isolation.

The Windows kernel is the most privileged software on the system and is therefore a compelling target for malware authors. Because Windows has strict signing requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in legitimately signed kernel drivers to get that access. Using Windows Defender Application Control, the kernel blocklisting feature prevents vulnerable versions of drivers from loading. Microsoft works with ecosystem partners to continually identify and respond to potentially vulnerable kernel drivers. Users who want the highest level of protection can go further and specify an allow list of permitted drivers.
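Checking the two kernel protections above on a real device, as an added example that is not code from the original post or from Microsoft: Win32_DeviceGuard is the documented WMI view of VBS and HVCI state, and the Code Integrity operational log records every load that a policy blocked (3077) or would have blocked in audit mode (3076). The registry value used for the vulnerable driver blocklist switch is an assumption, labelled in the code.

```powershell
# Added example, not from the Microsoft post: report whether VBS, memory integrity (HVCI)
# and the Microsoft vulnerable driver blocklist are active, and list recent Code Integrity events.
# Run from an elevated PowerShell session on Windows 11.
#Requires -RunAsAdministrator

function Get-KernelProtectionState {
    # Win32_DeviceGuard is the documented view of VBS state.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI,
    # 3 = System Guard Secure Launch, 4 = SMM firmware measurement.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # Assumption: the Core isolation "Microsoft Vulnerable Driver Blocklist" switch writes this DWORD (1 = on).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue

    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS firmware

    [pscustomobject]@{
        SecureBoot                = $secureBoot
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured            = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        VulnerableDriverBlocklist = ([int]$ci.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Get-RecentCodeIntegrityEvents {
    param([int]$Hours = 24)
    # 3077 = file blocked by a Code Integrity policy; 3076 = would have been blocked (audit mode).
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ Name = 'Mode';    Expression = { if ($_.Id -eq 3077) { 'Blocked' } else { 'Audit' } } },
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$state = Get-KernelProtectionState
$state | Format-List

if (-not $state.HvciRunning) {
    Write-Warning 'Memory integrity is not running: HVCI is not constraining unsigned or tampered kernel code.'
}
if (-not $state.VulnerableDriverBlocklist) {
    Write-Warning 'Vulnerable driver blocklist is off: enable it under Windows Security > Device security > Core isolation.'
}

Get-RecentCodeIntegrityEvents | Format-Table -AutoSize
```

A device that reports HvciConfigured but not HvciRunning usually has an incompatible driver already loaded; the 3077 entries for the last boot tell you which one.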

Enhanced identity protection and simplified password management

With Windows 11, you can protect your valuable data and enable secure hybrid work with the latest advanced security, which small and medium-sized businesses report results in 2.8 times fewer instances of identity theft. Here are a few enhancements that can help you stay secure now and in the future:

  • Windows Defender Credential Guard is enabled by default with Windows 11 Enterprise. Credential Guard uses hardware-backed, virtualization-based security to isolate NTLM password hashes, Kerberos ticket-granting tickets, and other domain secrets, which helps protect against credential theft techniques such as pass-the-hash and pass-the-ticket. Because those secrets live outside the normal Windows kernel, this also helps prevent malware from reading them even when the malicious process runs with admin privileges.
  • Credential isolation with Local Security Authority (LSA) protection, now enabled by default on new, enterprise-joined Windows 11 devices, provides extra protection. LSA is one of the critical processes that verify a user’s identity. With LSA protection, the LSA process (lsass.exe) runs as a protected process, so only trusted, Microsoft-signed code can load into it, and other processes, even those running as administrator, cannot read its memory or inject code into it. That makes it significantly more difficult for attackers to dump credentials from it.
  • Enhanced phishing protection in Microsoft Defender SmartScreen can detect and warn you when you enter your Windows password into a known malicious app or website. It also promotes good credential hygiene by warning users when they reuse that password or store it in an unsafe location such as a text file. This goes beyond browser-based protection by building phishing protection into the operating system itself, so users can act before a password can be used against them or their organization. IT admins can configure these alerts with a mobile device management (MDM) solution such as Microsoft Intune.
  • Go passwordless with Windows Hello for Business. With built-in protection already enabled, Windows 11 helps block software and firmware attacks from the moment you turn on your device. For secure, convenient single sign-on (SSO), you can use passwordless authentication with Windows Hello for Business and a unique identifier such as your face, fingerprint, or PIN. These identifiers are bound to your device: the private key is protected by the device’s TPM and the biometric or PIN only unlocks it locally, so it can be used only by you, from that device, for SSO across your computer and cloud services.
  • We’ve also made Windows Hello for Business much easier to deploy. For example, the cloud Kerberos trust deployment model removes the requirement for a public key infrastructure (PKI). Look into this deployment model for an easy, secure way to set up a modern, passwordless sign-in experience.
  • And if you’re going passwordless, you can also take advantage of presence sensing for hands-free secure sign-in. Presence-detection sensors work with Windows Hello to sign you in when you approach and lock the device when you leave.[5] The feature is optional and can be enabled on devices equipped with presence sensors.
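Verifying the identity protections in the list above on a device, as an added example that is not code from the original post or from Microsoft: Credential Guard state comes from Win32_DeviceGuard, LSA protection from the documented RunAsPPL value plus the Wininit boot event that confirms lsass.exe actually started protected, and Windows Hello for Business enrollment from dsregcmd /status. The registry key assumed for the Enhanced Phishing Protection policy values is an assumption, labelled in the code.

```powershell
# Added example, not from the Microsoft post: check Credential Guard, LSA protection,
# Enhanced Phishing Protection policy, and Windows Hello for Business key enrollment.
# Run from an elevated PowerShell session on Windows 11.
#Requires -RunAsAdministrator

function Get-CredentialProtectionState {
    # SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # LSA protection: RunAsPPL 1 = on with UEFI lock, 2 = on without UEFI lock (22H2+), absent or 0 = off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    # Wininit logs System event 12 at boot: "LSASS.exe was started as a protected process with level: 4".
    # Event 12 is shared with other providers, so match on the message text.
    $ppl = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 200 -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match 'LSASS\.exe was started as a protected process' } |
           Select-Object -First 1

    # Enhanced Phishing Protection. Assumption: the MDM/Group Policy settings land under this key,
    # each DWORD 1 = on (ServiceEnabled, NotifyMalicious, NotifyPasswordReuse, NotifyUnsafeApp).
    $epp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        LsaRunAsPPL            = [int]$lsa.RunAsPPL
        LsassProtectedAtBoot   = ($null -ne $ppl)
        PhishingProtectionOn   = ([int]$epp.ServiceEnabled -eq 1)
        WarnOnMaliciousSite    = ([int]$epp.NotifyMalicious -eq 1)
        WarnOnPasswordReuse    = ([int]$epp.NotifyPasswordReuse -eq 1)
        WarnOnUnsafeStorage    = ([int]$epp.NotifyUnsafeApp -eq 1)
    }
}

function Test-WindowsHelloForBusinessKey {
    # dsregcmd /status prints "NgcSet : YES" in its User State section once a Windows Hello
    # for Business key is enrolled. If that section is empty when elevated, run this in the
    # user's own non-elevated session instead.
    $out = & "$env:SystemRoot\System32\dsregcmd.exe" /status
    [bool]($out | Select-String -Pattern '^\s*NgcSet\s*:\s*YES' -Quiet)
}

$state = Get-CredentialProtectionState
$state | Format-List

if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: domain secrets in lsass are exposed to pass-the-hash style theft.'
}
if ($state.LsaRunAsPPL -eq 0 -or -not $state.LsassProtectedAtBoot) {
    Write-Warning 'LSA protection is not in effect: any administrator process can read lsass.exe memory.'
}
"Windows Hello for Business key enrolled: $(Test-WindowsHelloForBusinessKey)"
```

Treat RunAsPPL and the Wininit event together: the registry value shows intent, the event shows that the protection survived boot, and a mismatch points at a third-party driver or a firmware setting that is interfering.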

Locking down IT policy and compliance

  • Config lock, available only on Secured-core PCs designed for added security, helps prevent the configuration drift that occurs when users with local admin rights change settings and put devices out of sync with IT security policy. With config lock, Windows 11 monitors the registry keys that back each protected setting, even when the device isn’t connected to the internet or reachable by its management service. When drift is detected, the device immediately reverts the setting to the IT-defined Secured-core state.

Config lock builds on the security fundamentals of Windows 11 and is, in part, secured by specific hardware features. It monitors a pre-configured set of configuration service providers (CSPs) and policies rather than arbitrary settings; if you assign any of those policies to devices in your tenant, enabling config lock will maintain your defined values.

Ongoing innovation to improve security for all

We’re continuing to add protection from chip to cloud, with an emphasis on the benefits of using new, modern devices with hardware features optimized for security and hybrid work.

For example, if you work in data-sensitive scenarios, Secured-core PCs with Windows 11 can be a great choice. These devices come with additional safeguards enabled, including advanced firmware protection, for the highest level of Windows security. Windows will now also detect whether a device is capable of Windows Defender System Guard and alert users in the Windows Security app that the feature can be enabled. This update to the Windows Security app is currently available to the Windows Insider population and will be broadly available soon.

The Microsoft Pluton security processor, designed by Microsoft and our silicon partners, is integrated directly into the CPU silicon and protects sensitive assets like credentials and encryption keys by isolating them from the rest of the system. Pluton firmware receives security updates straight from the cloud through the Windows Update process, which helps security and IT teams simplify management and keep protection against threats current.

We’re all working together toward a more secure future, and we look forward to delivering more innovation that will not only detect threats but help prevent them. Microsoft has committed to a USD 20 billion investment in security research and development over five years.[4] We’re committed to your security and to continuously improving the foundational security provided by Windows, with default security baselines, to help you thrive now and in the future.

To get more information on Windows 11 chip-to-cloud security, visit our website and check out the Windows 11 Security Book details on how Microsoft optimizes Windows 11 for Zero Trust.



[1] Cyber Signals: 3 strategies for protection against ransomware, Vasu Jakkal. August 30, 2022.
[2] MORSE security team takes proactive approach to finding bugs, Elliott Smith. August 3, 2022.
[3] Availability may vary by region.
[4] Microsoft has a $20 billion hacking plan, but cybersecurity has a big spending problem, Eric Rosenbaum. September 8, 2021.
[5] Hardware dependent.
