Microsoft Security Insights News and Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/tag/microsoft-security-insights/
Expert coverage of cybersecurity topics. Feed last updated Mon, 11 Sep 2023 23:37:01 +0000.

Patch me if you can: Cyberattack Series
http://approjects.co.za/?big=en-us/security/blog/2023/06/29/patch-me-if-you-can-cyberattack-series/
Thu, 29 Jun 2023 16:00:00 +0000

The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.

The post Patch me if you can: Cyberattack Series appeared first on Microsoft Security Blog.

Many organizations use third-party apps for identity security to automate and relieve overtaxed IT admins of tedious tasks that employees can perform via self-service without IT assistance. But in September 2021, our researchers observed threat actors exploiting one such third-party app at several US-based entities. The vulnerability was publicly reported on September 6, 2021 as CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus.[1] The application in question was a multifactor authentication, single sign-on, and self-service password management tool intended to eliminate the password reset tickets that create unnecessary, tedious work for IT admins. Bad actors exploited an unpatched vulnerability in the app, using it as an initial vector to gain a foothold in networks and perform additional actions including credential dumping, installing custom binaries, and dropping malware to maintain persistence. At the time of disclosure, RiskIQ observed 4,011 instances of these systems active and exposed on the internet.

To learn more about this cyberattack series and how to protect your organization, please read the third cyberattack series report. The report provides detailed information about the vulnerability, how it was exploited, and how organizations can mitigate the risk. It also includes recommendations for how organizations can improve their security posture to prevent similar attacks in the future.

Examining the remote ransomware attack

In the third installment of our ongoing Cyberattack Series, we examine this remote access ransomware attack and look at how Microsoft Incident Response thwarted it. We then delve further into the details with a timeline of events and how it all unfolded—using reverse engineering to learn where and when the threat actor first targeted the vulnerable server. We also explore the proactive steps that customers can take to prevent many similar incidents, and the actions necessary to contain and recover from attacks once they occur.

More than half of the known network vulnerabilities found in 2021 lacked a patch. In addition, 68 percent of organizations impacted by ransomware did not have an effective vulnerability and patch management process, and many depended heavily on manual processes rather than automated patching capabilities. In today’s threat landscape, it was only a matter of time before this zero-day vulnerability was exploited.

To compound the issue, the way threat actors now work together makes exploitation of unpatched vulnerabilities more likely than ever before. Not only are attacks happening faster, they’re more coordinated. We have also observed a reduction in the time between the announcement of a vulnerability and its commoditization. Threat actors are organized and cooperating to exploit vulnerabilities faster, which adds to the urgency for organizations to patch immediately.

The “commoditization” of vulnerabilities

While zero-day vulnerability attacks often initially target a limited set of organizations, they are quickly adopted into the larger threat actor ecosystem. This kicks off a race for threat actors to exploit the vulnerability as widely as possible before their potential targets install patches. Cybercrime as a Service or Ransomware as a Service websites routinely automate access to compromised accounts to ensure the validity of compromised credentials and share them easily. One set of cybercriminals will gain access to a compromised app then sell that access to multiple other bad actors to exploit.

The importance of cybersecurity hygiene

The most effective defenses against ransomware include multifactor authentication, frequent security patches, and Zero Trust principles across network architecture. Attackers usually take advantage of an organization’s poor cybersecurity hygiene, from infrequent patching to failure to implement multifactor authentication.

Cybersecurity hygiene becomes even more critical as actors rapidly exploit unpatched vulnerabilities, using both sophisticated and brute force techniques to steal credentials, then obfuscating their operations by using open source or legitimate software. Zero-day exploits are both discovered by other threat actors and sold to other threat actors, then reused broadly in a short period of time, leaving unpatched systems at risk. While zero-day exploitation can be difficult to detect, actors’ post-exploit actions are often easier to notice. Post-exploit activity originating from fully patched software can act as a warning sign of compromise, and catching it early minimizes the impact to the business.

Read the report to go deeper into the details of the attack, including the threat actor’s tactics, the response activity, and lessons that other organizations can learn from this case.


Examining a ransomware attack

Learn how Microsoft Incident Response thwarted a remote access ransomware attack.

What is the Cyberattack Series?

With this Cyberattack Series, customers will discover how Microsoft incident responders investigate unique and notable exploits. For each attack story, we will share:

  • How the attack happened.
  • How the breach was discovered.
  • Microsoft’s investigation and eviction of the threat actor.
  • Strategies to avoid similar attacks.

Read the first two blogs in the Cyberattack Series: Solving one of NOBELIUM’s most novel attacks and Healthy security habits to fight credential breaches.

Learn More

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus, Microsoft Threat Intelligence. November 8, 2021.

Source for all statistics in post: Microsoft Digital Defense

Why endpoint management is key to securing an AI-powered future
http://approjects.co.za/?big=en-us/security/blog/2023/06/26/why-endpoint-management-is-key-to-securing-an-ai-powered-future/
Mon, 26 Jun 2023 16:00:00 +0000

With the coming wave of AI, this is precisely the time for organizations to prepare for the future. To be properly ready for AI, Zero Trust principles take on new meaning and scope. The right endpoint management strategy can help provide the broadest signal possible and make your organization more secure and productive for years to come.

The post Why endpoint management is key to securing an AI-powered future appeared first on Microsoft Security Blog.

The chief information security officer (CISO) agenda has a new set of priorities. Hybrid work and the resultant architecture updates, so prevalent at the beginning of the pandemic, are no longer top of mind. Instead, the thinking is focused on tackling ever more sophisticated threats and integrating Zero Trust in a more nuanced fashion through the concept of data security posture management.[1] With the coming wave of AI, this is precisely the time for organizations to review that new CISO agenda and prepare for the future. To be properly ready for AI, Zero Trust principles take on new meaning and scope. The right endpoint management strategy can help provide the broadest signal possible for AI large language models and make your organization more secure and productive for years to come.

The importance of being prepared for the AI era

The immediate challenge of securing remote employees due to the pandemic may have passed, but the CISO remains as strategic as ever, especially given challenges with resources and the notable amount of open headcount security positions. With these limited resources, the CISO already had to manage the complexities of human actor-operated ransomware and breaches, with more password attacks than ever. However, the proliferation of AI increases the complexity of potential threats for the organization multifold.

Innovations like Microsoft Security Copilot will provide a holistic view of your endpoint security and management data. Using generative AI will help bolster enterprise defenses, especially when using the data available from your endpoint manager’s view of your digital estate. A holistic view of what is happening in your environment is critical to dealing properly with security threats and is optimized by receiving signals for all your endpoints. Endpoint management is no longer just mobile device management, but today is responsible for all devices, managed and unmanaged, and provides a powerful way to feed data into AI large language models.

Did you know? With Security Copilot, you will be able to leverage generative AI to reason over data across the Microsoft Security portfolio and in turn strengthen the security posture of your enterprise.

How an organization designs and implements its endpoint management strategy is key to maximizing the AI opportunity for productivity and security enhancements. Both security and employee productivity are vital for any solution; one without the other is futile. The correct endpoint management implementation optimizes the future value of AI for your organization by providing the broadest signal possible to feed into your large language models.  

In this blog, we want to urge all CISOs to redouble their endpoint management efforts; both to bolster security through Zero Trust and to ensure the large language models underpinning AI are as powerful as they can be by getting the best, most consistent data from a single source.

Zero Trust for the AI era

The coming AI era will increase the importance of Zero Trust, not decrease it. AI can magnify what an organization can do, so making sure that employees, devices, and data stay secure is more important than ever. And AI can be used to both defend and attack organizations, so Zero Trust deployed properly helps defenses remain as robust as possible.

Microsoft’s comprehensive Zero Trust approach rests on three core principles: verify explicitly, use least-privilege access, and assume breach. Microsoft is making progress across all facets of Zero Trust; one example is our latest enhancements to Microsoft Defender Threat Intelligence. Our backgrounds are in endpoint security and multifactor authentication, so we know how vital identity is in Zero Trust. For example, enabling multifactor authentication universally is step one in cutting down phishing and other account compromise attacks.

However, to further drive Zero Trust across the whole organization, you need security policies in force at the endpoint. This might mean Microsoft Defender for Endpoint being up-to-date, or having firewall policies, local drive encryption, or local boot all applied on the device. Without all the appropriate security policies in place, the identity system won’t let the user in, thus strengthening enterprise security.

You can’t have Zero Trust if you don’t have a strongly managed endpoint. Making sure you are using the most up-to-date endpoint management now will help lay the right foundations for security in the age of AI.

Using modern endpoint management to ensure your AI models have the best data inputs

Security is not the only reason to make sure your endpoint management solution is up-to-date.

Did you know? You can use the analytical AI features in the Microsoft Intune Suite to detect patterns and anomalies, and analyze events on a device timeline. Identify potential security threats and vulnerabilities and take proactive steps to address them. 

The alerts and indicators picked up from endpoint management solutions will, if used correctly, be a key driver in how effectively your organization can harness AI. The best indicators come from as many sources as possible: not just managed devices but unenrolled ones too. For example, let’s say you have built a sophisticated AI model to predict when employees are more susceptible to phishing attacks. If you’re only taking data from your email system, without knowing whether those phishing emails are being opened from a smartphone or a computer, you are not analyzing the full range of the potential problem. A fuller AI model to stop phishing attacks would include the device, user, time of day, previous user behavior, and many other data sources available from endpoint management logs. AI models are only as powerful as the data you feed them. If your data is locked away in silos, or there is too much noise relative to signal in the data, you will not be set up to harness the true potential of AI. Data aggregation is, at its core, the foundation for setting yourself up for the future. But first, let’s look at your data in terms of endpoint management.

Endpoint management has evolved substantially from separate solutions that tracked computer endpoints and mobile device management. The next iteration, Unified Endpoint Management (UEM), took signals from all devices—laptops, smartphones, and specialized devices. Now, increasingly, management and security are converging in the cloud, and endpoint management means keeping every device in the organization visible and secure, and ensuring every user can be as productive as possible.

Automated and predictable security is complex, and what works for one industry vertical or company size or company architecture or region or worker role may not work for others—there is no “one size fits all.” As such, the more data signals you can feed your AI models from across your digital estate, the better the AI’s ability to predict potential threats. And the longer you can gather the training data, the better the predictions.

This goes beyond core endpoint management data. Related data from products adjacent to UEM (such as Endpoint Privilege Management, which applies the principle of least privilege to improve security, and Remote Help, whose data exhaust is key to identifying trouble spots) is also incredibly valuable to your AI model, but only if it is accessible, structured, and consistent with the data exhaust provided by the UEM solution, so that there is a single source of truth. Consolidating diverse endpoint tools into one consistent data flow should therefore move up your CISO agenda.

Getting prepared for the AI future now

Generative AI is garnering many headlines right now, but many other forms of AI will also add great value. For example, intelligent applications are using AI to push the boundaries in predicting which employees will be a great fit when recruiting, or when a supplier’s predicted delivery date is at risk. Natural language processing helps users ask potentially complex questions the way they would typically speak, opening up analytics beyond those who know how to code a query correctly.

Did you know? Generative AI and analytical AI help organizations to analyze and leverage their data in new ways, helping to bridge the gap between IT and security operations teams. 

Microsoft’s scale of signal intelligence gives it a powerful perspective here, as does the fact that Microsoft Intune leads the endpoint management market in terms of volume and absolute endpoint growth. We’re passionate about helping our customers get ready to seize the opportunity that AI is bringing to enterprise security and society.

Now is the time to start getting prepared for AI, and modernizing your endpoint management approach is key. Even though Zero Trust may have been used for a few years now, it has increased in importance because of AI. Endpoint management can help provide data to help customize your AI models, allowing your organization to become more secure and productive faster.

Microsoft is bringing the power of AI to you, whether that’s through integrating Intune with Security Copilot or improving our anomaly detection capabilities. Throughout, we are committed to advancing the principles and practice of responsible AI, which puts security and trust as central in all our AI solutions.

With industries, job descriptions, and technology advancing rapidly, the C-suite must ask how to seize the full potential of AI, while safeguarding your business, your data, and your employees. Today, there is an opportunity to lay the foundation for your organization’s AI transformation, and endpoint management is a key component of that. We’re thrilled to share more with you in the future as we continue this journey. We hope you’ll join us.

Microsoft Intune Suite

Strengthen your Zero Trust architecture and build resiliency with a new suite of advanced endpoint management and security solutions.


Learn more

Learn more about the launch of the Microsoft Intune Suite.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Microsoft Security Insider.

Cyber Signals: Shifting tactics fuel surge in business email compromise
http://approjects.co.za/?big=en-us/security/blog/2023/05/19/cyber-signals-shifting-tactics-fuel-surge-in-business-email-compromise/
Fri, 19 May 2023 10:00:00 +0000

Business email compromise operators seek to exploit the daily sea of email traffic to lure victims into providing financial and other sensitive business information.

The post Cyber Signals: Shifting tactics fuel surge in business email compromise appeared first on Microsoft Security Blog.

Today we released the fourth edition of Cyber Signals, highlighting a surge in cybercriminal activity around business email compromise (BEC). Microsoft has observed a 38 percent increase in cybercrime as a service (CaaS) targeting business email between 2019 and 2022.[1]

Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI’s Recovery Asset Team (RAT) initiated the Financial Fraud Kill Chain (FFKC) on 2,838 BEC complaints involving domestic transactions with potential losses of more than USD590 million.[2]

BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts with an adjusted average of 156,000 attempts daily. 

Cyber Signals

Microsoft’s Digital Crimes Unit has observed a 38 percent increase in cybercrime as a service targeting business email between 2019 and 2022.


Common BEC tactics

Threat actors’ BEC attempts can take many forms—including via phone calls, text messages, emails, or social media. Spoofing authentication request messages and impersonating individuals and companies are also common tactics. 

Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking direct action like unknowingly sending funds to money mule accounts that help criminals perform fraudulent money transfers.  

Unlike a “noisy” ransomware attack featuring disruptive extortion messages, BEC operators play a quiet confidence game using contrived deadlines and urgency to spur recipients who may be distracted or accustomed to these types of urgent requests. Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and in-box success rate of malicious messages. 

Microsoft observes a significant trend in attackers’ use of platforms like BulletProftLink, a popular service for creating industrial-scale malicious mail campaigns, which sells an end-to-end service including templates, hosting, and automated services for BEC. Adversaries using this CaaS are also provided with IP addresses to help guide BEC targeting.   

BulletProftLink’s decentralized gateway design, which includes Internet Computer blockchain nodes to host phishing and BEC sites, creates an even more sophisticated decentralized web offering that’s much harder to disrupt. Distributing these sites’ infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex.  

While there have been several high-profile attacks that take advantage of residential IP addresses, Microsoft shares law enforcement and other organizations’ concern that this trend can be rapidly scaled, making it difficult to detect activity with traditional alarms or notifications.  

Although threat actors have created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting C-suite leaders, accounts payable leads, and other specific roles, there are methods that enterprises can employ to preempt attacks and mitigate risk.

BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance, and cyber risk officers at the table alongside executives and leaders, finance employees, human resource managers, and others with access to employee records like social security numbers, tax statements, contact information, and schedules.   

Recommendations to combat BEC

  • Use a secure email solution: Today’s cloud platforms for email use AI capabilities like machine learning to enhance defenses, adding advanced phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also offer the advantages of continuous, automatic software updates and centralized management of security policies.  
  • Secure Identities to prohibit lateral movement: Protecting identities is a key pillar to combating BEC. Control access to apps and data with Zero Trust and automated identity governance.  
  • Adopt a secure payment platform: Consider switching from emailed invoices to a system specifically designed to authenticate payments.  
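The "suspicious forwarding detection" mentioned in the first recommendation is worth seeing concretely. The following Python script is an added example written for this page, not Microsoft's or any vendor's detection logic: it audits a constructed inventory of mailbox inbox rules (the kind of data an email platform's admin API or audit log exposes) and scores each rule on the traits BEC operators rely on, such as forwarding to an external domain, deleting the message so the mailbox owner never sees it, keying on finance vocabulary, and using a blank or punctuation-only rule name. The weights, the organization's domains, the keyword list, and every mailbox and rule are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Domains the organization owns (constructed). Forwarding within these is internal.
ORG_DOMAINS = {"example.com"}

# Finance vocabulary that BEC inbox rules commonly key on (constructed list;
# tune it to your environment).
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}

# Constructed inbox-rule inventory. Not real mailboxes or rules.
INBOX_RULES = [
    {"mailbox": "cfo@example.com", "name": "Archive",
     "forward_to": ["cfo.backup@example.com"], "delete_message": False,
     "subject_keywords": []},
    {"mailbox": "ap-lead@example.com", "name": ".",
     "forward_to": ["review@mail-example.invalid"], "delete_message": True,
     "subject_keywords": ["invoice", "payment"]},
    {"mailbox": "hr@example.com", "name": "Newsletter",
     "forward_to": ["partner@example.org"], "delete_message": False,
     "subject_keywords": ["newsletter"]},
    {"mailbox": "ceo@example.com", "name": "",
     "forward_to": [], "delete_message": True,
     "subject_keywords": ["wire", "bank"]},
]


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    score: int
    severity: str
    reasons: list


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the recipient's domain is not one of ours (subdomains count as internal)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in org_domains)


def score_rule(rule, org_domains=ORG_DOMAINS):
    """Additive heuristic score with assumed weights; returns (score, reasons)."""
    score, reasons = 0, []
    external = [a for a in rule["forward_to"] if is_external(a, org_domains)]
    if external:
        score += 3
        reasons.append("forwards to external recipient(s): " + ", ".join(external))
    if rule["delete_message"]:
        score += 2
        reasons.append("deletes the message after processing (hides it from the owner)")
    hits = FINANCE_KEYWORDS & {k.lower() for k in rule["subject_keywords"]}
    if hits:
        score += 2
        reasons.append("targets finance keywords: " + ", ".join(sorted(hits)))
    if not rule["name"].strip(" ."):
        score += 1
        reasons.append("rule name is blank or punctuation only (hard to spot in the client)")
    return score, reasons


def audit_inbox_rules(rules, org_domains=ORG_DOMAINS, threshold=3):
    """Return findings at or above the threshold, highest score first."""
    findings = []
    for rule in rules:
        score, reasons = score_rule(rule, org_domains)
        if score < threshold:
            continue
        severity = "high" if score >= 5 else "medium"
        findings.append(Finding(rule["mailbox"], rule["name"], score, severity, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in audit_inbox_rules(INBOX_RULES):
        print(f"[{f.severity}] {f.mailbox} rule {f.rule_name!r} score={f.score}")
        for reason in f.reasons:
            print("   -", reason)
```

On the constructed data the accounts-payable rule (external forward, delete, finance keywords, hidden name) scores highest, the CEO rule that silently deletes wire and bank mail without forwarding still reaches high severity, and the HR rule that merely forwards a newsletter externally surfaces as medium so an analyst can confirm it is legitimate. Because the scoring is additive, a rule that deletes finance mail without forwarding anywhere is still caught, which a simple "external forwarding" check would miss.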

Learn more

Read the fourth edition of Cyber Signals today.

For more threat intelligence insights and guidance, including past issues of Cyber Signals, visit Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


End notes

[1] Cyber Signals, Microsoft.

[2] Internet Crime Complaint Center Releases 2022 Statistics, FBI.

Microsoft Security highlights from RSA Conference 2023
http://approjects.co.za/?big=en-us/security/blog/2023/05/15/microsoft-security-highlights-from-rsa-conference-2023/
Mon, 15 May 2023 16:00:00 +0000

At RSA Conference, April 24 to 26, 2023, Microsoft Security shared solution news and insights. Watch Vasu Jakkal’s keynote on-demand (video courtesy of RSA Conference).

The post Microsoft Security highlights from RSA Conference 2023 appeared first on Microsoft Security Blog.

The RSA Conference (RSAC) gave us an incredible opportunity to meet with security professionals from around the world, learn about exciting advances in the world of cybersecurity, and share our own security innovations. Defenders everywhere serve an important mission of protecting our world, and RSAC is a special time to connect with the defender community and support each other in our collective mission.

I had the honor of representing Microsoft at our RSA keynote, “Defending at Machine Speed: Technology’s New Frontier.” AI is having a profound impact in our world, and I believe security is going to be one of AI’s most important use cases. During this session, I shared how AI is causing a paradigm shift, augmenting the essential power of human intuition and expertise and reshaping the future of cybersecurity. For details, watch the full keynote here (video courtesy of RSA Conference).

RSAC is the largest and most important cybersecurity conference in the industry—we value every opportunity to learn directly from our customers, partners, and community, and share how Microsoft Security is empowering our customers to protect everything.

Let’s walk through some of the most memorable moments from RSAC.

Vasu Jakkal, Corporate Vice President, Microsoft Security, speaking at RSAC 2023.

Pre-Day with Microsoft

Microsoft Security opened RSAC with the Pre-Day event and reception on Sunday, April 23. Pre-Day was an expansion of our presence at RSAC and amplification of the announcements we made at Microsoft Secure. The presentations helped attendees gain a deeper understanding of what an AI-powered future means for cybersecurity. They also shared comprehensive strategies to help organizations protect everything, highlighted the latest announcements in Threat Intelligence, which is critical to defending against an evolving threat landscape, and gave customers a chance to interact with Microsoft Security business and engineering leaders, as well as network with their peers during an evening reception. I was very pleased to share the stage with Charlie Bell, Executive Vice President, Microsoft Security; Bret Arsenault, CVP, Microsoft Security and Chief Information Security Officer; Kelly Bissell, CVP, Microsoft Security; Andy Elder, CVP, Microsoft Security Solution Area; Jeremy Dallman, Principal Research Director, Microsoft Threat Intelligence; Holly Stewart, Principal Research Director, Microsoft Threat Intelligence; and engineering leaders.

From left to right, Vasu Jakkal, Bret Arsenault, Andy Elder, and Charlie Bell speaking at the Pre-Day with Microsoft event.

Major product announcements

Microsoft Security Copilot, Microsoft’s new generative AI solution, garnered plenty of buzz during the conference. First announced at Microsoft Secure, Security Copilot combines the latest OpenAI large language model with Microsoft’s unique security-specific model, powered by 65 trillion signals, human intelligence, and cyberskills, to help defenders move at the speed and scale of AI. It was wonderful to see the interest from our customers and partners in Security Copilot.

Now in private preview, this groundbreaking technology serves as a true copilot to defenders. It augments a security analyst’s work, continually learning from users and letting them provide feedback and inform future interactions. The AI capabilities you gain include ongoing access to the most advanced OpenAI models, integration with Microsoft’s end-to-end security portfolio, and visibility and evergreen threat intelligence powered by your organization’s security products and the 65 trillion threat signals received by Microsoft every day. Importantly, Security Copilot is built with privacy at its heart. This means your data remains your data, and it is not used to train or enrich foundation AI models. Further, Security Copilot runs on our security and privacy-compliant Azure Cloud hyperscale infrastructure, enabling organizations to truly defend at machine speed.

In other threat intelligence news, Microsoft Defender Threat Intelligence is now available to licensed customers directly within Microsoft 365 Defender. It’s already integrated with Microsoft Sentinel and now has an application programming interface (API) to help enrich incidents, automate incident response, and work with a broad ecosystem of security tools. With this advancement, you get one of the world’s best sources of threat intelligence, integrated with the tools you use every day.

Specific capabilities available as part of a Microsoft Sentinel solutions package—generally available beginning in July—are:

  • Microsoft Defender Threat Intelligence enrichment playbooks: Defender Threat Intelligence integrates with any security information and event management (SIEM) system via an API, but playbooks in the Microsoft Sentinel Content hub are available to enrich incidents with reputation data to add context and triage them automatically.
  • Microsoft Defender Threat Intelligence data connector: Microsoft threat researchers add indicators of compromise (IOCs) from finished intelligence to the threat intelligence (TI) blade to add massive value to Microsoft Sentinel users by adding critical context and enhancing detections and investigations.
  • Microsoft Defender Threat Intelligence analytics rules: This built-in rule takes URLs, domains, and IP addresses from a customer environment via log data and checks them against known bad IOCs from Defender Threat Intelligence, creating incidents when there’s a match.
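The analytics rule described in the last bullet is essentially an indicator-matching job over log data. The Python script below is an added example written for this page, not Microsoft's rule or any Sentinel content: it extracts URLs, domains, and IP addresses from a few constructed proxy and DNS log lines, checks them against a constructed indicator table that carries confidence and expiry the way a threat intelligence feed does, and emits an incident for each match. It goes slightly beyond the bullet by skipping expired indicators, letting a parent-domain indicator cover its subdomains, and normalizing URLs before comparison. All indicator values use reserved documentation ranges and invalid TLDs; the log layout, field names, severity thresholds, and functions are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed indicator table (documentation ranges and reserved TLDs, not real IOCs).
# "expires" mimics the expiry that threat intelligence feeds attach to an indicator.
IOCS = [
    {"type": "ip", "value": "203.0.113.45", "confidence": 90, "expires": "2030-01-01"},
    {"type": "domain", "value": "bad-example.invalid", "confidence": 80, "expires": "2030-01-01"},
    {"type": "url", "value": "http://lure-example.test/login", "confidence": 75, "expires": "2030-01-01"},
    {"type": "ip", "value": "198.51.100.7", "confidence": 60, "expires": "2020-01-01"},  # already expired
]

# Constructed proxy and DNS log lines in a simple key=value layout.
LOGS = [
    "2023-05-01T10:00:01Z proxy user=alice dst=203.0.113.45 url=http://lure-example.test/login",
    "2023-05-01T10:00:05Z dns client=10.0.0.5 query=mail.bad-example.invalid",
    "2023-05-01T10:00:09Z proxy user=bob dst=198.51.100.7 url=https://www.example.com/",
    "2023-05-01T10:00:12Z dns client=10.0.0.6 query=login.microsoftonline.com",
]

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
HOST_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z][a-z0-9-]*$")  # dotted hostname, no ports/colons


@dataclass(frozen=True)
class Incident:
    line: str
    observable: str
    ioc: str
    confidence: int
    severity: str


def classify(value):
    """Return 'ip' or 'domain' for a bare value, or None if it is neither."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "domain" if HOST_RE.match(value.lower()) else None


def normalize_url(url):
    """Canonical form for URL comparison: lowercase scheme and host, trailing
    slash stripped, query string dropped (a deliberate simplification)."""
    p = urlsplit(url)
    path = p.path.rstrip("/") or "/"
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{path}"


def extract_observables(line):
    """Pull a set of (type, value) pairs out of one key=value log line."""
    found = set()
    for token in line.split():
        value = token.split("=", 1)[1] if "=" in token else token
        value = value.strip(",;\"'")
        if URL_RE.match(value):
            found.add(("url", normalize_url(value)))
            host = urlsplit(value).hostname or ""
            kind = classify(host)  # the URL's host is an observable in its own right
            if kind:
                found.add((kind, host.lower()))
        else:
            kind = classify(value)
            if kind:
                found.add((kind, value.lower()))
    return found


def ioc_matches(kind, value, ioc):
    if ioc["type"] != kind:
        return False
    if kind == "domain":
        # A parent-domain indicator also covers its subdomains.
        return value == ioc["value"] or value.endswith("." + ioc["value"])
    if kind == "url":
        return value == normalize_url(ioc["value"])
    return value == ioc["value"]


def run_rule(log_lines, iocs, now=None):
    """Scheduled-rule style pass: every observable in every line is checked
    against unexpired indicators and each match becomes an Incident."""
    now = now or datetime.now(timezone.utc)
    active = [i for i in iocs
              if datetime.fromisoformat(i["expires"]).replace(tzinfo=timezone.utc) > now]
    incidents = []
    for line in log_lines:
        for kind, value in sorted(extract_observables(line)):
            for ioc in active:
                if ioc_matches(kind, value, ioc):
                    severity = "high" if ioc["confidence"] >= 80 else "medium"
                    incidents.append(Incident(line, value, ioc["value"], ioc["confidence"], severity))
    return incidents


if __name__ == "__main__":
    for inc in run_rule(LOGS, IOCS):
        print(f"[{inc.severity}] {inc.observable} matched {inc.ioc} (confidence {inc.confidence})")
```

Run against the constructed lines, the rule raises three incidents: the proxy line matches both the destination IP and the lure URL, and the DNS line matches through the parent-domain indicator; the expired indicator for 198.51.100.7 produces nothing. Honoring expiry matters in practice, since stale indicators (for example an IP that has since been reassigned) are a common source of false positives in IOC-matching rules.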

At RSAC, we also had several other major product announcements.

Security researchers and customers are confronted with an overwhelming amount of threat intelligence data—and we want to help by giving them better clarity. Our new threat actor naming taxonomy will offer a more organized, articulate, and easy way to reference adversary groups so that organizations can better prioritize threats and protect against attacks. Microsoft Security also is rolling out a new icon system to make it even easier to identify and remember threat actors. Each icon represents a unique family name and will accompany the threat actor names as a visual aid. 

To demonstrate these changes, we showcased the Microsoft Threat Intelligence Interactive Experience at our booth and Microsoft Security Hub.

Microsoft Defender for API is a new offering focused on threat protection for APIs. It gives organizations cross-organizational visibility of the Azure API Management inventory, data classification, and coverage to detect exploitation of API risks. Classify and understand the API security posture based on cloud security insights and sensitive data exposure. Harden API configuration and prioritize API risk remediation by monitoring for security best practices in a full lifecycle approach, across infrastructure as code templates and runtime environments. Detect and respond to active runtime threats within minutes, using machine learning-powered detections of anomalous and suspicious API usage.

Microsoft Defender External Attack Surface Management (MDEASM)—Data Connector provides automated export of attack surface details, updates, and findings to Kusto or Microsoft Sentinel Log Analytics, giving customers the ability to analyze, report, and correlate attack surface information against other data sources and use additional tooling such as Power BI to customize analysis to their organization’s needs. 

Now in general availability as part of the Microsoft Intune Suite and as a standalone add-on, Microsoft Intune Endpoint Privilege Management is a feature that enables admins to set policies that allow standard users to perform tasks normally reserved for an administrator. The feature supports automatic and user-confirmed workflows for elevation as well as insights and reporting. 

RSA Conference highlights

Highlights of our sessions included:

Microsoft Security Hub sessions and activities

Living up to its name, the Microsoft Security Hub was a hubbub of activity throughout RSA Conference. Held at the Ecosystem Coworking Space, its private and semi-private meeting rooms provided a fantastic opportunity for us to meet with customers and partners, alongside multiple learning opportunities and networking events.

Microsoft sessions and experiences

  • During our session “AI: Shaping Security Today and Into the Future”, Microsoft’s Scott Woodgate discussed how AI is an integral part of Microsoft’s security strategy, helping drive security operations center efficiency with Microsoft Sentinel and Microsoft 365 Defender and now taking it to the next level with Microsoft Security Copilot.
  • The Microsoft Threat Intelligence Interactive Experience wowed attendees throughout the conference. The experience invited hundreds of people to explore our unparalleled, 360-degree view of the threat landscape. The 3D-touchscreen globe was unlike anything else found at the conference. Customers explored the new threat actor taxonomy with stunning visuals, an interactive quiz to test their cybersecurity knowledge, and attack chain case studies to explore the tactics, techniques, and procedures (TTPs) of threat actors. Some customers were impressed (“This is something only Microsoft would do, this is amazing”) and others were moved (“This just means a lot being able to see the stuff I work with every day visualized like this”).
  • Another popular event was our Threat Intelligence Happy Hour, hosted by Microsoft Security Experts, on April 25. This networking event allowed customers and partners to connect with the many, varied experts from Microsoft Security to talk shop, score swag, and learn more about the new threat actor taxonomy in a casual setting that included drinks aligned to the new weather-themed taxonomy.  
  • We kicked off the first day of RSAC with the Diversity Executive Women’s Lunch, where I joined Aarti Borkar, Ann Johnson, Tanya Janca, and Lynn Dohm to discuss what industry, academia, government, and not-for-profits can do together as a community to nurture more women into successful careers in cybersecurity. With an audience of security leaders, not-for-profit representatives, community college students, and educators, this session offered an inspiring reflection on the importance of diversity for building a strong workforce, provided calls to action to make a real difference, and was a great networking moment.
Celebrating women in cybersecurity with presenters (pictured from left to right): Ann Johnson, CVP, Microsoft Security, Lynn Dohm, Executive Director, Women in Cybersecurity, Vasu Jakkal, Tanya Janca, Founder and Chief Executive Officer, We Hack Purple, and Aarti Borkar, Vice President, Customer Success, Microsoft Security.

RSA Conference ancillary events

Members of the Microsoft Intelligent Security Association (MISA) gathered on April 24 at The Fairmont Hotel to honor award winners in 11 security categories at the Microsoft Security Excellence Awards. The fourth annual awards give us an opportunity to recognize outstanding contributions of partners in our MISA organization. MISA is a coalition of Microsoft leaders and subject matter experts, independent software vendors, and managed security service providers working together to defend organizations around the world from increasing threats. Watch the awards yourself to see all the excitement!

Two nights later, Microsoft sponsored the 13th Annual Executive Dinner, hosted by Forgepoint Capital and PwC. The event’s theme was “Working Together in the New Era of Transparency and Resilience.” Guests enjoyed dinner, cocktails, and conversation about cybersecurity.

If you attended RSAC and engaged with Microsoft, please take a few minutes to respond to our RSAC 2023 survey so we can continue to improve your experience. My thanks to everyone who attended, and we’ll see you next year!   

Join us for Microsoft Build

We relish any opportunity to connect with customers and partners and hear your stories of how you’re innovating with technology. Thankfully, we don’t have long to wait. Join us in Seattle for Microsoft Build, including pre-day workshops on May 22, 2023, and keynotes, Expert Meet-ups, sessions, demos, and skill labs May 23 to 25, 2023. If you can’t attend in-person, consider attending virtually May 23 to 24, 2023. Register today to reserve your spot.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Security highlights from RSA Conference 2023 appeared first on Microsoft Security Blog.

International Women’s Day: The power of diversity to build stronger cybersecurity teams
http://approjects.co.za/?big=en-us/security/blog/2023/03/08/international-womens-day-the-power-of-diversity-to-build-stronger-cybersecurity-teams/
Wed, 08 Mar 2023 17:00:00 +0000

On International Women’s Day, we celebrate the accomplishments of women in technology and reflect on our commitment to encouraging and supporting women in cybersecurity.

Women’s History Month is a special time for me as I reflect on all the great innovations women have made over the years. Women have driven technology forward throughout history. Notable women in cybersecurity like cryptologists Agnes Meyer Driscoll and Genevieve Grotjan Feinstein worked behind the scenes of wartime intelligence and were just two of the 10,000 women who paved the way for trailblazers in cybersecurity.1 Fast forward to 2000, Renee Guttmann became the first-ever director of IT security for Time Inc. and paved the way for not only women in cybersecurity but for the role of chief information security officer in the industry.2 This was after she developed firewalls and encryption products before a commercial internet existed. On International Women’s Day, March 8, 2023, I join many friends and colleagues to celebrate the accomplishments of cybersecurity pioneers like Agnes, Genevieve, and Renee and most importantly celebrate the cyber defenders that tirelessly take down threat actors every day.

Women are vital to the industry and have played—and will continue to play—a key role in advancing technology and cybersecurity. I’ve been honored to meet and learn from incredible women doing amazing work in the areas of threat intelligence, policy and privacy, security and AI, and more. Yet, as we’ve shared before, women represent a mere 25 percent of the cybersecurity workforce. In an International Women’s Day survey commissioned by Microsoft, the reasons given were stereotyping of women and gender bias, too few female mentors and role models in cybersecurity, insufficient training and education opportunities, and uncertainty about cybersecurity career pathways.3

This is concerning, considering that women bring skills well suited to cybersecurity: diverse points of view, deep analytic and risk-assessment skills, and emotional intelligence. While the industry has made enormous strides, there is still work to be done. Together, academia, the tech industry, and government agencies are working on programs and new technologies to overcome these challenges, while encouraging more girls to envision cybersecurity careers.

“Security is not just processes and policies, but there’s also the care work that comes into talking to people and understanding their issues. It helped me bring other people in our organization up to a place where you make it easier for women, specifically in security, to exist.”

—Abir Ghattas, Director of Information Security, Human Rights Watch

Internal career development, community, and sponsorship for women in cybersecurity

Each of us can do our part in supporting women in cybersecurity in our own way. At Microsoft, building a stronger future for women in cybersecurity begins with a strong foundation here at our Microsoft home. All women within Microsoft Security deserve the resources necessary to feel connected, thriving, and empowered to achieve more. Microsoft has been focusing on building a strong community internally to make this a reality. This initiative includes:

  • Creating an Employee Resource Group for women within Microsoft Security that aims to create supportive allyship and an inclusive culture for women at the company.
  • Offering safe forums, mentorship programs, and learning opportunities to support personal and professional development.
  • Encouraging the growth of women as leaders within Microsoft Security by ensuring they have advocates and leadership team sponsors.

These efforts have already led to impressive progress, and the industry is recognizing several Microsoft Security women in their fields, such as Kate Maxwell, Senior Director of Defense and Intelligence, named one of the 100 Women in Tech Leaders to Watch in 2023 by Women Tech Network,4 and Edna Conway, Vice President of Security, Risk, and Compliance, chosen as the 2021 Executive of the Year by the Executive Women’s Forum.5

Fanta Orr, Intelligence Analysis Director at Microsoft, says that curiosity is one of the factors that make someone successful in the industry. “People who take initiative to solve problems and drive investigations do well. Also, if you’ve been a woman in this field for any amount of time, it means you’ve got grit and wit. On top of that, women are generally great at systems thinking, which is vital both in the policy and technical defense aspects of cybersecurity,” she says.

Partnering with external organizations and initiatives to enable and empower diversity

We care about the entire industry and the promise of the next generation. With our solid foundation of support for female professionals at Microsoft, we are in a stronger position to give back to the community by supporting, coaching, and mentoring women in cybersecurity. We do this by partnering with organizations and projects that practice similar values and focus on diversity for cybersecurity education. The following are a few of the organizations we support by providing resources, mentors, and education:

  • Women in Cybersecurity (WiCyS) aims to increase the number of women in cybersecurity roles by providing mentorship, networking opportunities, and access to training and resources. Established in 2012, this global community of more than 7,000 members in more than 70 countries creates opportunities for women in cybersecurity through professional development programs, conferences, student chapters, and career fairs. WiCyS gives women the confidence and support they need to continue their path in cybersecurity. As Aimee Reyes, Microsoft Last Mile Cybersecurity Scholarship recipient and former WiCyS Student Chapter president, has said: “For anyone who thinks that cybersecurity is a male profession, I would say you’re going to see a lot of men. It doesn’t mean you can’t make your own table, make your own seat. It doesn’t mean that you don’t belong, because you do.”
  • Girl Security Partnership provides training and resources to girls and young women to help them explore careers in cybersecurity and gain the skills they need to succeed in the field. Since its inception, Girl Security’s mentorship program has served almost 1,000 mentees and aims to drive change in national security through education, mentoring, and workforce training.
  • DigiGirlz gives middle and high school girls opportunities to learn about careers in technology and connect with Microsoft employees. The DigiGirlz program gives high school girls the chance to participate in hands-on computer and technology workshops and learn about careers in technology. More than 65,000 students have attended the Microsoft DigiGirlz Technology Program since its inception in 2000.
  • Executive Women’s Forum: Woman-founded in 2002, the Executive Women’s Forum (EWF) is fiercely devoted to engaging, developing, and advancing all women in the information security, IT risk management, and privacy industries, through education, leadership development and the creation of trusted relationships. A powerful community and caring sisterhood, the EWF focuses on building women leaders at every stage of their career.
  • Cybersecurity education global expansion: Microsoft is also partnering with diverse worldwide organizations to equip educators, students, and professionals to empower women and minorities in cybersecurity. Programs developed with non-governmental organizations such as CyberShikshaa in India and WOMCY in Latin America have been providing mentorship, courses, certifications, and resources to women from all backgrounds to pursue careers in cybersecurity. This enables women early in their careers to explore the possibilities just like Eva Nassery, a mentee from the Microsoft-supported CyberSchool program in France, did. “I never imagined that I could take a path, a career in cybersecurity. But I decided to change my career and when I started to look for training, I discovered that cybersecurity gives huge work opportunities. That’s when I noticed I could do it myself, too,” Eva says.

Thriving together as we nurture the next generation of cyber defenders

If we want to thrive as an industry, we must become allies and advocate for each other at every chance we get. I am grateful that we have this opportunity during Women’s History Month to lift each other up, and that I get to share some of the stories of women I have had the pleasure of working with over the past years. But it doesn’t end after March: learning about others’ perspectives and using your own privilege to support each other, whether at work, in an interview, or in a public place, is the essence of being an actionable ally. Allyship is a journey of supporting and nurturing women at every stage of their career. That means not only mentoring or coaching other women, but also becoming strong advocates for them when they may not have a strong voice or a seat at the table to share their perspective. It means being inclusive and welcoming women into your meetings, decision making, events, and recognition. When we do this, we will thrive and grow as a community of cyber defenders.

Please join me along with many other women leaders in cybersecurity at our marquee event Microsoft Secure on March 28, 2023, where we will talk about what we are doing to ready the security workforce and how we can inspire the next generation of cybersecurity professionals. We’ll talk about how Microsoft defends itself and its customers, the challenges security teams face daily, and the future of security innovation. Register now.

If you’re interested in learning more about the many opportunities and next steps in cybersecurity, please join us on March 15, 2023, for a podcast called Secure the Job: Breaking into Cybersecurity, hosted by three young cybersecurity professionals at Microsoft. They will interview executives, leaders in cybersecurity, and frontline defenders to understand more about the cybersecurity landscape, roles, pathways, and skills needed to be successful.

Also, check out our website for volunteer opportunities with some of the incredible organizations we partner with. Whether you are a student or already a cybersecurity professional, you can find educational resources and career pathways on this web page along with mentoring opportunities. Together, we can inspire and support each other to build the next generation of women cyber defenders.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Pioneering Women in Cryptology, Lou Leto and Jen Wilcox. March 29, 2018.

2. 10 pioneering women in information security, Deb Radcliff. March 30, 2021.

3. Results based on March 2022 IWD Survey commissioned by Microsoft in partnership with WE Communications.

4. 100 Women in Tech Leaders to Watch in 2022, Women Tech Network.

5. The Executive Women’s Forum Announces the 2021 Recipients of the EWF Women of Influence Awards and E, EWF. October 26, 2021.

Microsoft supports the DoD’s Zero Trust strategy
http://approjects.co.za/?big=en-us/security/blog/2022/11/22/microsoft-supports-the-dods-zero-trust-strategy/
Tue, 22 Nov 2022 20:40:00 +0000

The Department of Defense released its formal Zero Trust strategy, marking a major milestone in its goal of achieving enterprise-wide implementation by 2027.

The Department of Defense (DoD) released its formal Zero Trust strategy today, marking a major milestone in its goal of achieving enterprise-wide implementation by 2027. The strategy comes at a critical time as United States government networks continue to face nearly half the global nation-state attacks that occur, according to the Microsoft Digital Defense Report 2022.1

Microsoft applauds the DoD’s ongoing efforts to modernize and innovate its approach to cybersecurity. The DoD released its initial Zero Trust reference architecture shortly before last year’s White House executive order on cybersecurity2 and quickly followed with Version 2.0 in July 2022.3 The latest update provides crucial details for implementing the Zero Trust strategy, including clear guidance for the DoD and its vendors regarding 45 separate capabilities and 152 total activities. 

While Zero Trust initiatives have been underway for years across various departments, this updated strategy seeks to unify those efforts into a strong, proven defensive posture against adversary tactics. Collaborating on Zero Trust has been a challenge across the industry because implementations are hard to compare across organizations and technology stacks. The level of detail in the DoD’s strategy, derived from the DoD’s unique insight into cyberspace operations, provides a vendor-agnostic, common lens through which to evaluate the maturity of existing and planned implementations.

Furthermore, the DoD’s shift from a compliance and controls-based approach to an outcomes-focused methodology—meaning the job is done when the adversary stops, not just when the controls are in place—stands out as a best practice not seen elsewhere to this extent.

Building a secure foundation for Zero Trust together

Strong industry and public sector partnerships are at the heart of our approach, which is why Microsoft was invited by the DoD to discuss how its Zero Trust definitions would map to new and existing computing environments.

Microsoft is uniquely suited to support the DoD in its Zero Trust mission as both a leading cloud service provider to the government and a security company. Microsoft is recognized as a Leader in five Gartner® Magic Quadrant™ reports4,5,6,7,8,9 and seven Forrester Wave™ categories,10,11,12,13,14,15,16 representing a full array of fit-for-purpose security tools to achieve Zero Trust outcomes. These components are pre-integrated to provide a strong baseline and a fast path to comprehensive coverage across the DoD’s seven pillars and 45 capabilities of Zero Trust to achieve both target and advanced activities.

Beyond comprehensive coverage of the DoD’s latest capabilities requirements, our strong baseline is further enhanced by an open ecosystem of more than 90 partner Zero Trust solutions from leading security companies that integrate directly with our platform. To name a few:

  • Tenable and Microsoft are working together to integrate Tenable.io with Microsoft Defender for Cloud and Microsoft Sentinel solutions to support vulnerability assessments for hybrid cloud workloads.
  • Yubico and Microsoft recently announced the release of certificate-based authentication (CBA) for Microsoft Azure Active Directory on Windows, iOS, and Android devices through a hardware security key known as YubiKey to fight against phishing attacks.
  • Conquest Cyber launched the ARMED™ Platform built on Microsoft Sentinel to help agencies configure and manage solutions to address cyber risk with real-time visibility of their posture, guided by compliance, maturity, and effectiveness.

Lastly, Microsoft is deeply committed to promoting cyber resilience and strengthening our nation’s cyber defenses. This responsibility is demonstrated by our work with the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) to develop practical, interoperable Zero Trust approaches and architectures, as well as our continued participation in the Joint Cyber Defense Collaborative established by Cybersecurity & Infrastructure Security Agency (CISA).

Real-world pilots and implementations are driving continuous learning and improvement

Zero Trust philosophy is deeply rooted in lessons learned, and the DoD has embraced this aspect by evaluating ongoing pilots and assessments as a research and development activity. Over the past years, Microsoft has partnered with various departments across the DoD to accelerate Zero Trust adoption through several pilot and production implementations, providing agencies with a predictable path to achieving target objectives.

One such example is the United States Navy’s innovative Flank Speed program, which incorporates key federal and DoD efforts to protect nearly 500,000 identities and devices while improving user experience. The Navy’s large-scale deployment—encompassing components including continuous authorization, big data, and comply-to-connect (C2C)—is already utilizing many of the Zero Trust activities put forth in the DoD’s strategy.

Learn more

Embrace proactive security with Zero Trust.

For more deployment information, tools, and resources as we work together to improve our nation’s cybersecurity, visit the Microsoft cybersecurity for government page.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. Microsoft Digital Defense Report 2022, Microsoft. 2022.

2. The Cybersecurity Executive Order: What’s Next for Federal Agencies, Jason Payne, Microsoft. June 17, 2021.

3. Department of Defense (DoD) Zero Trust Reference Architecture Version 2.0, Defense Information Systems Agency (DISA), National Security Agency (NSA) Zero Trust Engineering Team. July 2022.

4. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

5. Gartner Magic Quadrant for Security Information and Event Management, Pete Shoard, Andrew Davies, Mitchell Schneider, 10 October 2022.

6. Gartner Magic Quadrant for Access Management, Henrique Teixeira, Abhyuday Data, Michael Kelly, James Hoover, Brian Guthrie, 1 November 2022.

7. Gartner Magic Quadrant for Enterprise Information Archiving, Michael Hoeff, Jeff Vogel, 24 January 2022.

8. Gartner Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, 5 May 2021.

9. Gartner Magic Quadrant for Unified Endpoint Management Tools, Tom Cipolla, Dan Wilson, Chris Silva, Craig Fisler, 1 August 2022.

10. The Forrester Wave™: Endpoint Detection And Response Providers, Q2 2022. Allie Mellen. April 2022.

11. The Forrester New Wave™: Extended Detection And Response (XDR), Q4 2021. Allie Mellen. October 2021.

12. The Forrester Wave™: Security Analytics Platforms, Q4 2020. Joseph Blankenship, Claire O’Malley. December 2020.

13. The Forrester Wave™: Enterprise Email Security, Q2 2021. Joseph Blankenship, Claire O’Malley with Stephanie Balaouras, Allie Mellen, Shannon Fish, Peggy Dostie. May 2021.

14. The Forrester Wave™: Endpoint Security Software As A Service, Q2 2021. Chris Sherman with Merritt Maxim, Allie Mellen, Shannon Fish, Peggy Dostie. May 2021.

15. The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021. Heidi Shey. May 2021.

16. The Forrester Wave™: Cloud Security Gateways, Q2 2021. Andras Cser. May 2021.

Microsoft contributes S2C2F to OpenSSF to improve supply chain security
http://approjects.co.za/?big=en-us/security/blog/2022/11/16/microsoft-contributes-s2c2f-to-openssf-to-improve-supply-chain-security/
Wed, 16 Nov 2022 18:00:00 +0000

We are pleased to announce that the S2C2F has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Initiative Group. Our peers at the OpenSSF and across the globe agree with Microsoft when it comes to how fundamental this work is to improving supply chain security for everyone.

On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework. As a massive consumer of and contributor to open source, Microsoft understands the importance of a robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software. We are pleased to announce that the S2C2F has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Initiative Group (SIG). Our peers at the OpenSSF and across the globe agree with Microsoft when it comes to how fundamental this work is to improving supply chain security for everyone.

What is the S2C2F?

We built the S2C2F as a consumption-focused framework that uses a threat-based, risk-reduction approach to mitigate real-world threats. One of its primary strengths is how well it pairs with any producer-focused framework, such as SLSA.1 The framework enumerates a list of real-world supply chain threats specific to OSS and explains how the framework’s requirements mitigate those threats. It also defines a high-level, platform- and software-agnostic set of practices, divided into eight areas:

  • Ingest
  • Inventory
  • Update
  • Enforce
  • Audit
  • Scan
  • Rebuild
  • Fix and upstream

Each of the eight practices comprises requirements that address the threats and reduce risk. The requirements are organized into four levels of maturity. We have seen strong results from both internal and external projects that have adopted this framework. Using the S2C2F, teams and organizations can prioritize their efforts according to the maturity model, and the ability to target a specific level of compliance means they can make intentional, incremental progress toward reducing their supply chain risk.

Each of the four maturity levels has a theme. Level 1 represents the previous conventional wisdom of inventorying your OSS, scanning for known vulnerabilities, and then updating OSS dependencies, which is the minimum necessary for an OSS governance program. Level 2 builds on Level 1 with technology that improves your mean time to remediate (MTTR) vulnerabilities in OSS, with the goal of patching faster than the adversary can operate. Level 3 focuses on proactive security analysis combined with preventative controls that mitigate accidental consumption of compromised or malicious OSS. Level 4 represents controls that mitigate the most sophisticated attacks but are also the hardest to implement at scale; these should be considered aspirational and reserved for the dependencies of your most critical projects.

The four maturity levels in summary:

  • Level 1: running a minimum OSS governance program.
  • Level 2: improving MTTR for vulnerabilities.
  • Level 3: adding defenses against compromised OSS.
  • Level 4: mitigating the most sophisticated adversaries.

The S2C2F includes a guide to assess your organization’s maturity, and an implementation guide that recommends tools from across the industry to help meet the framework requirements. For example, both GitHub Advanced Security (GHAS) and GHAS on Azure DevOps (ADO) already provide a suite of security tools that will help teams and organizations achieve S2C2F Level 2 compliance.
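The practices above map naturally onto a gate in the build pipeline. The following Python script is an added example written for this page, not tooling from S2C2F, the OpenSSF or Microsoft. It shows a simplified form of three of the eight practices: inventory (parse a hash-pinned manifest), scan (match it against an advisory list, reporting the fixed version so the update step knows where to go) and enforce (refuse any artifact whose digest differs from the pin). The package names, advisory identifiers, artifact bytes and the simplified "affected below version" advisory shape are all constructed for illustration; the manifest format follows pip's hash-checking style.

```python
"""Pre-build dependency gate illustrating three S2C2F practices (inventory,
scan, enforce). Added example for this page, not tooling from S2C2F, the
OpenSSF or Microsoft; package names, advisory IDs, artifact bytes and the
simplified advisory shape are constructed for illustration."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed manifest in pip's hash-checking style: exact version plus a
# SHA-256 digest for every dependency, which is what makes enforcement possible.
SAMPLE_MANIFEST = """\
# constructed sample, not a real project
widgetlib==1.4.2 --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
parsekit==0.9.0 --hash=sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
loggo==3.0.1 --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

# Constructed advisory feed with hypothetical IDs; a real scan would pull from
# OSV, the GitHub Advisory Database or a similar source.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "package": "parsekit", "affected_below": "1.0.0", "fixed": "1.0.0"},
    {"id": "EXAMPLE-2022-0002", "package": "loggo", "affected_below": "3.0.0", "fixed": "3.0.0"},
]

# Constructed bytes standing in for downloaded packages. The pinned digests are
# SHA-256 of b"abc", b"hello" and b"", so the third artifact has been swapped.
SAMPLE_ARTIFACTS = {"widgetlib": b"abc", "parsekit": b"hello", "loggo": b"not-what-was-pinned"}

# Accept only "name==version --hash=sha256:<64 hex>"; unpinned lines are refused.
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\d+(?:\.\d+)*)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    sha256: str


def parse_manifest(text):
    """Inventory: list every pinned dependency, refusing anything unpinned."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unpinned or unhashed dependency line: {line!r}")
        deps.append(Dependency(m["name"].lower(), m["ver"], m["digest"]))
    return deps


def version_tuple(v):
    return tuple(int(part) for part in v.split("."))


def scan(deps, advisories):
    """Scan: (package, version, advisory id, fixed version) for each known
    vulnerability, so the update step knows which version to move to."""
    return [
        (d.name, d.version, a["id"], a["fixed"])
        for d in deps
        for a in advisories
        if a["package"] == d.name and version_tuple(d.version) < version_tuple(a["affected_below"])
    ]


def enforce(deps, artifacts):
    """Enforce: an artifact may be consumed only if its digest matches the pin.
    A package swapped upstream fails here even when name and version look right."""
    rejected = []
    for d in deps:
        blob = artifacts.get(d.name)
        if blob is None:
            rejected.append((d.name, "artifact missing"))
            continue
        actual = hashlib.sha256(blob).hexdigest()
        if not hmac.compare_digest(actual, d.sha256):
            rejected.append((d.name, f"digest mismatch: pinned {d.sha256[:12]}.., got {actual[:12]}.."))
    return rejected


def gate(manifest_text, advisories, artifacts):
    """Inventory, then scan and enforce; the build may proceed only when both are clean."""
    deps = parse_manifest(manifest_text)
    findings = scan(deps, advisories)
    rejected = enforce(deps, artifacts)
    return {
        "inventory": [(d.name, d.version) for d in deps],
        "findings": findings,
        "rejected": rejected,
        "ok": not findings and not rejected,
    }


if __name__ == "__main__":
    for key, value in gate(SAMPLE_MANIFEST, SAMPLE_ADVISORIES, SAMPLE_ARTIFACTS).items():
        print(f"{key}: {value}")
```

Run stand-alone, the gate reports one finding (parsekit 0.9.0, fixable by moving to 1.0.0) and one rejection (the loggo artifact), and refuses the build. The rejection is the point to notice: loggo's name and version are exactly what the manifest pinned, yet the bytes are not, which is the class of swapped or tampered package that the Level 3 preventative controls described above are meant to keep out. A production gate would pull advisories from a live feed such as OSV, use a proper version parser rather than the dotted-integer comparison shown here, and write the inventory out as an SBOM for the audit practice.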

The S2C2F is critical to the future of supply chain security

According to Sonatype’s 2022 State of the Software Supply Chain report,2 supply chain attacks specifically targeting OSS have increased by 742 percent annually over the past three years. The S2C2F is designed from the ground up to protect developers from accidentally consuming malicious and compromised packages, mitigating supply chain attacks by shrinking the consumption-based attack surface. As new threats emerge, the OpenSSF S2C2F SIG under the Supply Chain Integrity Working Group, led by a team from Microsoft, is committed to reviewing and maintaining the set of S2C2F requirements to address them.

Learn more

View the S2C2F requirements or download the guide now to see how you can improve the security of your OSS consumption practices in your team or organization. Come join the S2C2F community discussion within the OpenSSF Supply Chain Integrity Working Group.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. Supply chain Levels for Software Artifacts (SLSA).

2. 8th Annual State of the Software Supply Chain Report, Sonatype.

Microsoft threat intelligence presented at CyberWarCon 2022
http://approjects.co.za/?big=en-us/security/blog/2022/11/10/microsoft-threat-intelligence-presented-at-cyberwarcon-2022/
Thu, 10 Nov 2022 17:00:00 +0000

At CyberWarCon 2022, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.

  • BROMINE is now tracked as Ghost Blizzard
  • DEV-0401 is now tracked as Cinnamon Tempest
  • GALLIUM is now tracked as Granite Typhoon
  • DEV-0062 is now tracked as Storm-0062
  • ZINC is now tracked as Diamond Sleet

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

At CyberWarCon 2022, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity. This blog is intended to summarize the content of the research covered in these presentations and demonstrates Microsoft Threat Intelligence Center’s (MSTIC) ongoing efforts to track threat actors, protect customers from the associated threats, and share intelligence with the security community.

The CyberWarCon sessions summarized below include:

  • “They are still berserk: Recent activities of BROMINE” – a lightning talk covering MSTIC’s analysis of BROMINE (aka Berserk Bear), recent observed activities, and potential changes in targeting and tactics.
  • “The phantom menace: A tale of Chinese nation-state hackers” – a deep dive into several of the Chinese nation-state actor sets, their operational security patterns, and case studies on related tactics, techniques, and procedures (TTPs).
  • “ZINC weaponizing open-source software” – a lightning talk on MSTIC and LinkedIn’s analysis of ZINC, a North Korea-based actor. This will be their first public joint presentation, demonstrating collaboration between MSTIC and LinkedIn’s threat intelligence teams.

MSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections and improve customer protections. As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as temporary names for unknown, emerging, or developing clusters of threat activity, allowing MSTIC to track each as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

They are still berserk: Recent activities of BROMINE

BROMINE overlaps with the threat group publicly tracked as Berserk Bear. In our talk, MSTIC provided insights into the actor’s recent activities observed by Microsoft. Some of the recent activities presented include:

  • Targeting and compromise of dissidents, political opponents, Russian citizens, and foreign diplomats. These activities have spanned multiple methods and techniques, ranging from the use of a custom malicious capability to credential phishing leveraging consumer mail platforms. In some cases, MSTIC has identified the abuse of Azure free trial subscriptions and worked with the Azure team to quickly take action against the abuse.
  • Continued targeting of organizations in the manufacturing and industrial technology space. These sectors have been continuous targets of the group for years and represent one of the most durable interests.
  • An opportunistic campaign focused on exploiting datacenter infrastructure management interfaces, likely for the purpose of access to technical information of value.
  • Targeting and compromise of diplomatic sector organizations focused on personnel assigned to Eastern Europe.
  • Compromise of a Ukrainian nuclear safety organization previously referenced in our June 2022 Special Report on Defending Ukraine (https://aka.ms/ukrainespecialreport).

Overall, our findings continue to demonstrate that BROMINE is an elusive threat actor with a variety of potential objectives, yet sporadic insights from various organizations, including Microsoft, demonstrate there is almost certainly more to find. Additionally, our observations show that as a technology platform provider, threat intelligence enables Microsoft’s ability to protect both enterprises and consumers and disrupt threat activity affecting our customers.

The phantom menace: A tale of China-based nation-state hackers

Over the past few years, MSTIC has observed a gradual evolution of the TTPs employed by China-based threat actors. At CyberWarCon 2022, Microsoft analysts presented their analysis of these trends in Chinese nation-state actor activity, covering:

  • Information about new tactics that these threat actors have adopted to improve their operational security, as well as a deeper look into their techniques, such as leveraging vulnerable SOHO devices for obfuscating their operations.
  • Three different case studies, including China-based DEV-0401 and nation-state threat actors GALLIUM and DEV-0062, walking through (a) the initial vector (compromise of public-facing application servers, with the actors showing rapid adoption of proofs of concept for vulnerabilities in an array of products), (b) how these threat actors maintained persistence on the victims (some groups dropping web shells, backdoors, or custom malware), and (c) the objectives of their operations: intelligence collection for espionage.
  • A threat landscape overview of the top five industries that these actors have targeted (governments worldwide, non-governmental organizations (NGOs) and think tanks, communication infrastructure, information technology (IT), and financial services), displaying the global nature of China’s cyber operations in the span of one year.

As demonstrated in the presentation, China-based threat actors have targeted entities nearly globally, employing techniques and using different methodologies that make attribution increasingly difficult. Microsoft analysts assess that China’s cyber operations will continue to move along their geopolitical agenda, likely continuing to use some of the techniques mentioned in the presentation to conduct their intelligence collection. The graphic below illustrates how quickly we observe China-based threat actors and others exploiting zero-day vulnerabilities and then those exploits becoming broadly available in the wild.

[Chart: after a vulnerability is publicly disclosed, it takes only 14 days on average for an exploit to be available in the wild, 60 days for proof-of-concept code to be released on GitHub, and 120 days for the exploit to be available in scanning tools.]
Figure 1. The speed and scale of vulnerability exploitation. Image source: Microsoft Digital Defense Report 2022

ZINC weaponizing open-source software

In this talk, Microsoft and LinkedIn analysts detailed recent activity of a North Korea-based nation-state threat actor we track as ZINC. Analysts detailed the findings of their investigation (previously covered in this blog) and walked through the series of observed ZINC attacks that targeted 125 different victims spanning 34 countries, noting the attacks appear to be motivated by traditional cyber-espionage and theft of personal and corporate data. A few highlights include:

  • In September 2022, Microsoft disclosed detection of a wide range of social engineering campaigns using weaponized legitimate open-source software. MSTIC observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia.
  • Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.
  • When analyzing the data from an industry sector perspective, we observed that ZINC chose to deliver malware most likely to succeed in a specific environment, for example, targeting IT service providers with terminal tools and targeting media and defense companies with fake job offers to be loaded into weaponized PDF readers.
  • ZINC has successfully compromised numerous organizations since June 2022, when the actor began employing traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets.
  • Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads. MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally across victim networks and exfiltrate collected information from.

[Diagram: end-to-end attack chain of a ZINC attack, from initial compromise and execution, to persistence, command and control, discovery, and collection.]
Figure 2. ZINC attack chain. Read more in our detailed blog: ZINC weaponizing open-source software.

As the threat landscape continues to evolve, Microsoft strives to continuously improve security for all, through collaboration with customers and partners and by sharing our research with the larger security community. We would like to extend our thanks to CyberWarCon and LinkedIn for their community partnership.

Microsoft Security tips for mitigating risk in mergers and acquisitions
http://approjects.co.za/?big=en-us/security/blog/2022/11/02/microsoft-security-tips-for-mitigating-risk-in-mergers-and-acquisitions/
Wed, 02 Nov 2022 16:00:00 +0000

Mergers and acquisitions can be challenging. Microsoft’s Security Experts share what to ask before, during, and after one to secure identity, access control, and communications.

The post Microsoft Security tips for mitigating risk in mergers and acquisitions appeared first on Microsoft Security Blog.
Sixty-two percent of organizations that undertake mergers and acquisitions face significant cybersecurity risks or consider cyber risks their biggest concern post-acquisition.[1] Threat actors that focus on corporate espionage often target the acquiring company, which we will refer to as the Parent, early in the bidding process to gain a competitive advantage. Other threat actors focus on planting backdoors in the entity being acquired, which we will refer to as the Acquisition, with the intent of later compromising the Parent company.

A Parent company can take several approaches to integrating the Acquisition within the organization’s IT environment. These include migrating the Acquisition’s services and users into the Parent’s IT environment or directly connecting the Acquisition’s IT environment through technical means. (See Figure 1.)

The first option has long-term security benefits, given that only selected elements of the Acquisition are incorporated into the Parent environment. On the other hand, depending on the complexity of both parties, this process can be time-consuming and costly.

The second option can be quicker to execute and reduce disruption to the operations of both parties; however, there may be hidden security and technical debt that may be costly to address in the long term.

So, what should an organization consider when determining the best plan of action for security in a merger or acquisition?

[Illustration: two circles coming together, showing the two approaches to integrating the Acquisition within the organization’s IT environment: either directly connect to the IT environment of the Acquisition and keep existing systems, or migrate all information into the Parent organization’s environment.]

Figure 1. Two avenues IT leadership can take with mergers and acquisitions.

Security risks in mergers and acquisitions

It is common for a Parent to make the decision based solely on economic considerations driven by the costs of time and effort; however, there are significant cybersecurity considerations that should be factored into the decision-making process to ensure the long-term security of both the Parent and the Acquisition.

These include:

  • Technical debt: Understand how much technical debt you will inherit. Every organization carries some technical debt, and the key in mergers and acquisitions is transparency. It is critical for a Parent to understand the technical debt it will be inheriting to understand how it will compound the Parent’s own technical debt and assist in quantifying any remediation costs.
  • Existing security (not exclusive to cybersecurity): Consider how the two parties will consolidate key security capabilities, such as endpoint detection and response (EDR) tools or antivirus. Also consider how they both coordinate Security teams, such as security operations and security engineering, to avoid carrying numerous capabilities, tools, and data sources.
  • Compliance and regulatory implications: Research how the Acquisition handles personally identifiable information (PII), like bank account numbers, and know the regulations it must abide by, its compliance procedures, and compliance history, including any regulatory violations. If the Acquisition is in a different country or region with stricter data privacy regulations, for instance, those are the ones both Parent and Acquisition should follow in relation to shared data.
  • Misconfiguration and misutilization of existing systems: Review the configuration of systems at the Acquisition, because they may have been set up incorrectly (perhaps due to complexity or a lack of accountability), or they may be under-utilized because deployment was incomplete or no one has the skills to use them. You may find that the misconfiguration slipped through because new systems are not tested before they are introduced. That is a serious issue, because security misconfigurations become the Parent’s liabilities.
  • Identity: Enforce multifactor authentication (MFA) and other identity controls. Security teams should review the identity configuration, which may be bypassed if it was not architected in a way that works for both companies.
  • Network: Evaluate how to connect legacy devices. In a merger or acquisition, it may not be possible to connect legacy devices with each other (for example, if a customer has devices that are not considered next-generation firewalls). With older firewalls, you lose the ability to apply security controls, and logging is less comprehensive.
  • Cloud: Check whether Microsoft Azure subscriptions have MFA enabled, which ports are open in Azure infrastructure as a service, and the controls for federated identities with other providers. Conditional Access policies may cancel each other out.
  • Password Management: Consider who has more access—the threat actor or you? To help ensure it’s you, secure access to your data using Privileged Identity Management and Privileged Access Management tools.
  • New threats: Anticipate new threats and new-to-you threats. A small manufacturer, for example, may not know of a large-scale security threat but once acquired by a global corporation, it could become a target. Threat actors may see an acquisition as an opportunity to access the Parent through the Acquisition.
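As an added example (not Microsoft’s or DART’s code, and not part of the original post), the following Python script runs the identity, network, and cloud checks from the list above over a constructed inventory of an acquired environment. The inventory keys (nsgRules, users, caPolicies, domains) and their field names are assumptions that only loosely resemble Azure NSG rule and Microsoft Graph Conditional Access exports. It flags management ports reachable from the internet, privileged accounts with no MFA method or excluded from every enforced MFA policy, MFA policies that are disabled or report-only (and so enforce nothing), and federated domains whose trust should be reviewed before tenants are connected.

```python
"""Pre-integration checks over an acquired environment's exported inventory.
Added example for this page; data shapes and field names are constructed
assumptions, not the exact output of any Azure CLI or Graph API call."""
from dataclasses import dataclass

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}              # SSH, RDP, WinRM
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}  # "anyone" in an NSG rule


@dataclass(frozen=True)
class Finding:
    area: str       # network | identity
    severity: str   # high | medium | info
    detail: str


def port_in_range(port, port_range):
    """True if `port` lies inside an NSG destinationPortRange ('*', '22', '1000-2000')."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def check_network(nsg_rules):
    """Flag inbound Allow rules that expose management ports to the internet."""
    findings = []
    for rule in nsg_rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["sourceAddressPrefix"] not in INTERNET_SOURCES:
            continue
        exposed = [p for p in sorted(MANAGEMENT_PORTS)
                   if port_in_range(p, rule["destinationPortRange"])]
        if exposed:
            findings.append(Finding("network", "high",
                f"NSG rule {rule['name']} allows internet access to ports {exposed}"))
    return findings


def check_identity(users, ca_policies, domains):
    """MFA coverage of privileged accounts, unenforced MFA policies, federated trusts."""
    findings = []
    # Only an *enabled* policy enforces anything; report-only or disabled ones do not.
    enforced = [p for p in ca_policies
                if p["state"] == "enabled" and "mfa" in p["grantControls"]]
    if not enforced:
        findings.append(Finding("identity", "high",
                                "no enabled Conditional Access policy requires MFA"))
    for p in ca_policies:
        if "mfa" in p["grantControls"] and p["state"] != "enabled":
            findings.append(Finding("identity", "medium",
                f"MFA policy '{p['displayName']}' is {p['state']} and not enforced"))
    for u in users:
        if not u["privileged"]:
            continue
        if not u["mfaRegistered"]:
            findings.append(Finding("identity", "high",
                f"privileged account {u['upn']} has no MFA method registered"))
        # An account excluded from every enforced policy has no MFA requirement at all.
        if enforced and all(u["upn"] in p["excludeUsers"] for p in enforced):
            findings.append(Finding("identity", "medium",
                f"privileged account {u['upn']} is excluded from every enforced MFA policy"))
    for d in domains:
        if d["authenticationType"] == "Federated":
            findings.append(Finding("identity", "info",
                f"domain {d['name']} is federated with {d['issuer']}; review the trust first"))
    return findings


def assess(inventory):
    return (check_network(inventory["nsgRules"])
            + check_identity(inventory["users"], inventory["caPolicies"], inventory["domains"]))


# Constructed sample inventory for a hypothetical acquired environment (not real data).
SAMPLE_INVENTORY = {
    "nsgRules": [
        {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
        {"name": "allow-https", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
        {"name": "allow-mgmt-vpn", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "22-5986"},
    ],
    "users": [
        {"upn": "admin@acq.example", "privileged": True, "mfaRegistered": False},
        {"upn": "svc-backup@acq.example", "privileged": True, "mfaRegistered": True},
        {"upn": "jdoe@acq.example", "privileged": False, "mfaRegistered": False},
    ],
    "caPolicies": [
        {"displayName": "Require MFA for admins", "state": "enabled",
         "grantControls": ["mfa"], "excludeUsers": ["svc-backup@acq.example"]},
        {"displayName": "Require MFA for all users",
         "state": "enabledForReportingButNotEnforced", "grantControls": ["mfa"],
         "excludeUsers": []},
    ],
    "domains": [
        {"name": "acq.example", "authenticationType": "Federated",
         "issuer": "https://sts.acq.example/adfs"},
        {"name": "acq.onmicrosoft.example", "authenticationType": "Managed", "issuer": None},
    ],
}

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity:6}] {f.area}: {f.detail}")
```

On the sample inventory the script reports five findings: the RDP rule open to the internet, the report-only MFA policy, the privileged account with no MFA method, the service account excluded from the only enforced MFA policy, and the federated domain. The exclusion check is the one that catches policies “cancelling each other out”: each policy looks reasonable on its own, yet together they leave a privileged account with no MFA requirement.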

The two most common avenues of risk are:

  • Current actor persistence in the acquired environment: The actor’s already there, and you’re giving them an opportunity to enter the Parent environment when you connect the two. This is the most obvious path, and the ideal one from the attacker’s perspective.
  • The security architecture of the acquired environment: It’s too hard to go against the Parent environment directly because its security posture is simply too costly for an attacker to go after, given what they could potentially gain in value. Instead, a threat actor targets the Acquisition.

If a threat actor knows about a pending acquisition, they can do reconnaissance on the acquired company to see if its security posture is weaker than the Parent’s. It may be a more attractive target to gain access to the Parent through the weaker acquisition environment.

The Acquisition likely receives support from multiple service providers. If any of those service providers are compromised, a threat actor could move into the Acquisition’s environment and then gain access to the Parent. Carefully consider the connections you have with vendors because they could bring a potentially unknown compromise and introduce security vulnerabilities and architectural weaknesses.

Deeper due diligence is key

The due diligence processes each company undergoes when making an investment will vary depending on the company, industry, and region. While there is no universal standard, it is critical that companies get it right and understand potential areas of concern they may be inheriting.

Ultimately, your organization is acquiring whatever unknowns are present in that environment. So that’s why it is important to ask questions before, during, and after a merger and acquisition. Anything persistent and any open backdoors affecting your environment provide a direct path into the Parent organization.

Security questions to ask before a merger or acquisition

Both parties need to foster open and honest communication and share technical data. Commit to transparency. From the exploratory phase to the official merger and acquisition negotiation process, both parties should understand the expectations, so they don’t miss details during the merger or acquisition.

Mergers and acquisitions are dynamic and complex. To achieve the economic goals of mergers and acquisitions, business leaders must understand the attack surface they’re onboarding. Discovering and cataloging the partner company’s resources and digital assets, from within the corporate perimeter to the entire internet, is a critical step of any due diligence process. These include known and unknown assets, including resources developed outside the purview of security and IT teams, like shadow IT. These audits can’t be outsourced or done just for compliance. They are top priorities every executive needs to consider to future-proof their investments.

The first step is to establish a baseline set of known facts. Ask these questions during your initial discovery phase and as part of a proactive assessment:

  • What is your basic security structure?
  • What is your antivirus and is it up to date?
  • What is your EDR solution?
  • How are you managing identity protection?
  • How are you managing data access protection?
  • Does the acquired company meet the current security standards of the Parent?
  • How are security issues triaged?
  • Do you have a central logging solution, such as security information and event management (SIEM) or security orchestration, automation, and response (SOAR)?
  • How are you tracking and repairing your online vulnerabilities and compliance risks (unmanaged assets or those that have been forgotten)?

As you get deeper into the due diligence phases, ask these questions to understand their compromise history:

  • What is your history of security compromise?
  • When did these compromise(s) occur?
  • What are the details?
  • What are the root causes of those security compromises?
  • How were the threats mitigated?
  • Do you have a post-incident review process? What were the results?

After this disclosure, the most important question to ask is, “Did you remediate it?” If the Acquisition suffered a ransomware attack or other cyberattack, what happened? If an attacker exploited an unpatched vulnerability at the Acquisition, escalated privileges to domain admin, and deployed ransomware, we ask: what is your patching process?

Before setting up legal frameworks, disclose past events and understand how to remediate what caused them. Ignoring this recommendation invites fireworks of the non-celebratory kind.

Security questions to ask after a merger or acquisition

Arguably, the greatest risk to mergers and acquisitions security is establishing trust relationships or merging hundreds or thousands of systems into the Parent company’s enterprise infrastructure. The health and configuration of those systems should be evaluated for security risks. The presence of any malware or advanced persistent threat (APT) backdoors in the subsidiary company can threaten the Parent company after the merger. Security misconfigurations and risky decisions become the Parent company’s liabilities. Also, threat profiles need to be re-evaluated to include any geopolitical changes caused by the mergers and acquisitions process. For example, a small parts manufacturer would not be expected to be aware of risks from larger known threat actors (such as Phineas Phisher[2]), but after being acquired by a global oil company, it would need to be.

Take the information gathered during the pre-merger question and answer session, including compromise exposures and an analysis of the Acquisition’s existing security posture against a reference standard, and decide how to integrate that environment into yours, along with detailing the necessary technical steps. To integrate the acquired company into your environment, you’ll need to bring its security posture to your level. The Parent company will have to implement basic security practices. Here are steps to evaluate and prioritize:

  1. Assess existing systems that will be part of the acquisition and the risks associated.
  2. Conduct remediation based on those results.
  3. Understand the timeline for integrating the networks and know whether the data is located on-premises or in the cloud.
  4. Learn the process for asset refresh and retirement of systems.
  5. Conduct a penetration test or risk assessment and evaluate security policies and security gaps.

What actions should companies take?

The Microsoft Detection and Response Team (DART) has worked on incident response cases where companies were breached within an hour of completing a post-merger integration. In these cases, the threat actor’s subsidiary backdoor was granted two-way trust access to the Parent company’s Microsoft Azure Active Directory (Azure AD), third-party identity providers with any form of federation, and on-premises Active Directory forest.

DART has also had to explain to customers the probable connection between an APT actor’s backdoor uncovered in its environment, and the fact that its new Parent company’s bid was the lowest amount—to the dollar—that they were willing to accept during an acquisition. For these reasons and others, many of DART’s customers ask for security assessments before, during, or immediately after completing mergers and acquisitions.

Take these steps:

  1. Set the expectations of disclosure and the level of information shared about security issues early in the talks. Make this a standard part of the exploratory process when setting up the legal framework of how the merger and acquisition will run.
  2. Do a pre-mergers and acquisitions security assessment, whether a proactive threat hunt that includes cross-platform systems (Mac and Linux) and third-party identity providers, or an Azure AD security assessment, or an evaluation of the maturity of the environment’s security posture.
  3. Focus on evaluating and improving security visibility and logging early in the mergers and acquisitions process. This allows first-party and third-party security teams to assess and react to security issues promptly. For mergers and acquisitions-related threats, focus first on securing identity, access control, and communications.
  4. Focus security and risk audits on cataloging the company’s resources and digital assets, including the company’s external attack surface: the catalog of internet-facing assets that an attacker could leverage to gain a foothold. External attack surface management (EASM) products can highlight a range of hygiene issues, corresponding indicators of compromise and vulnerabilities, and compliance issues, giving mergers and acquisitions teams the baseline they need to conduct a cyber risk assessment and drive the post-mergers and acquisitions security program.

Cybersecurity risk in mergers and acquisitions is an increasing issue for both IT security and business decision-makers. Giving the IT security teams sufficient time to do thorough assessments, due diligence, inventories, and putting more controls in place will determine how much of that risk can be mitigated.

Learn more

Leverage Microsoft Security Experts today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] The Role of Cybersecurity in Mergers and Acquisitions Diligence, Forescout. 2019.

[2] Hacker who hacked Hacking Team published DIY how-to guide, Ms. Smith, CSO. April 17, 2016.

The door is open for anyone to become a cyber defender
http://approjects.co.za/?big=en-us/security/blog/2022/10/31/the-door-is-open-for-anyone-to-become-a-cyber-defender/
Mon, 31 Oct 2022 22:00:00 +0000

Learn how Microsoft is nurturing a diverse new generation of cybersecurity professionals through ongoing support for community colleges, mentorship programs, scholarships, and more.

The post The door is open for anyone to become a cyber defender appeared first on Microsoft Security Blog.
Throughout Cybersecurity Awareness Month, Microsoft has highlighted the importance of cybersecurity and provided resources to help people and organizations stay safe. It’s great to have this month as a reminder, and even better if that awareness becomes a year-round endeavor. Education is really the key. With the increase of sophisticated cyberattacks, we know that the combination of security tools and educated users is our best line of defense. After all, security teams are increasingly stretched to protect today’s sprawling digital ecosystem. And it’s not going to get any easier as the talent shortage in our industry grows. Current estimates predict that the global workforce will need to train and hire roughly 3.4 million cybersecurity professionals to effectively defend organizations’ critical assets.[1]

The great news is we have an opportunity to not only grow our community of defenders but strengthen it by breaking down barriers, being more inclusive, and making careers in cybersecurity more accessible to all.

Strengthening security through diverse viewpoints

To meet the current and future challenges, the defender community needs to be as diverse as the attackers we face. Unfortunately, while progress is being made, many groups are still underrepresented in the field of cybersecurity. Less than 25 percent of the cyber workforce are women and, in 2021, only 9 percent of cybersecurity workers were Black and only 4 percent Hispanic.[2] Not only is the current underrepresentation among these groups a wildly missed opportunity, but it also means we don’t have the benefit of diverse viewpoints as we try to address complex cybersecurity issues.

Fortunately, the seeds of change are here, and it’s up to all of us to nurture their growth. According to a study commissioned by Microsoft, 82 percent of American women believe there is an opportunity for them in the cybersecurity industry. And they’re right! Cybersecurity is an incredible career path, one that’s interesting and challenging, and where you can make a real difference in the world, every single day. Still, 71 percent of women feel that cybersecurity is “too complex” of a career, and that perception is something we simply must change. At Microsoft, we’re working hard to do just that. Aimee Reyes, who received a cybersecurity scholarship through Microsoft’s partnership with the Last Mile Education Fund, summed up her experience this way: “For anyone who thinks that cybersecurity is a male profession, I would say you’re going to see a lot of men. It doesn’t mean you can’t make your own table, make your own seat. It doesn’t mean that you don’t belong, because you do.”

I could not agree more!

Making cybersecurity training accessible to more students

In 2021, Microsoft launched its cybersecurity jobs campaign to help community colleges in the United States train the next generation of cyber defenders. The campaign aims to fill thousands of cybersecurity jobs by 2025 by providing free cybersecurity curricula to accredited higher education institutions, along with training for faculty and financial aid for low-income students.

Since its inception, more than 1,000 low-income community college students across 47 states have benefited from the Microsoft Cybersecurity Scholarship Program in partnership with the Last Mile Education Fund. This scholarship program has been very effective in reaching a talent pool that may not have had access to further education. According to a student named Justin: “Without this grant, there is no way I could have started this semester. I’ve already put my family through too much trying to make this happen to risk any chance of not finishing. Thank you for believing in me.” Because of feedback like this and strong results, Microsoft has expanded its cybersecurity jobs campaign to an additional 24 countries, all of which have a skills gap in their cybersecurity workforces, both in numbers and diversity.

Also, to help provide girls with real-world inspiration, we created Microsoft DigiGirlz, which offers female middle and high school students an early opportunity to learn about careers in technology, as well as connect with Microsoft employees and participate in hands-on technology workshops. And for students who want to showcase their skills, Microsoft has created the Imagine Cup, which allows entrants to access exclusive training, gain mentorship opportunities, compete to win great prizes, and collaborate on creating new technologies that make a difference.

I absolutely love that these programs help inspire and empower students. And I’m so excited that Microsoft is partnering with some amazing organizations to help empower educators, as well.

Providing educators with cybersecurity tools and curricula

Through the Microsoft Learn for Educators program, we’re also providing access to certification course materials for Security, Compliance, and Identity Fundamentals (SC-900), and Microsoft Azure Security Technologies (AZ-500). Additional support for faculty includes free practice exams, curriculum integration, and course-prep sessions led by Microsoft trainers. In addition, we’re expanding access to cybersecurity courses to educational institutions through LinkedIn Learning, and there are even more security skilling opportunities available through our Microsoft Learn platform.

Microsoft is also partnering with the National Cybersecurity Training & Education Center (NCyTE) to provide faculty with professional development opportunities as well as support colleges in attaining the Center of Academic Excellence in Cyber Defense (CAE-CD) designation. This support will provide a foundation for cybersecurity training at nearly 15 percent of community colleges across the United States. In a recent interview with Fortune magazine, Naria Santa Lucia, Senior Director of Digital Skills and Employability at Microsoft Philanthropies, explained our approach in simple terms: “Community colleges are so affordable, and they are everywhere. That system has a lot of women and lots of students of color. If we can really tap that infrastructure to start getting that message out, that’s a good start to diversifying the talent pipeline.”[4]

Still going strong, Microsoft Technology Education and Learning Support (TEALS) has been helping to build sustainable computer science education programs since 2009. TEALS helps teachers learn to teach computer science by pairing them with industry volunteers and proven curricula. Since the program began, more than 95,000 students have received computer science education. TEALS currently supports more than 500 high schools in the United States and British Columbia, Canada. In the past year, Microsoft has expanded the TEALS program course offerings to include cybersecurity at 37 schools.

Forging partnerships to foster new cyber defenders

Security is a team sport, and partnership is critical to our success as a defender community. Microsoft continues to partner with organizations that share similar values and focus on diversity in cybersecurity education.

In the United States, only eight percent of information security analysts are African American.3 Microsoft is working to raise that number through its participation in the HBCU Cybersecurity Industry Collaboration Initiative Pilot.5 The initiative is designed to prepare students for careers in cybersecurity and engineering through research collaborations, guest lectures, and mentoring programs in collaboration with four historically Black colleges and universities (HBCUs): Hampton University, North Carolina A&T State University, Prairie View A&M University, and Virginia State University. Separately, the Blacks at Microsoft (BAM) program will also award 45 scholarships this year totaling USD 182,500.

Microsoft has also partnered with Girl Security to “create career pathways for girls, women, and gender minorities to shape solutions to our most pressing security challenges” through mentorship programs, summer programming, trainings, and curriculum designed specifically for high school students and early-in-career women. Microsoft also supports women, allies, and advocates through its partnership with WiCyS (Women in CyberSecurity). Through this partnership, Microsoft is helping to empower the recruitment, retention, and advancement of women globally with mentorship, professional development programs, scholarships, conferences, and job fairs. This includes partnering with WiCyS on the expansion of their student chapters in more than 20 countries.

The only thing missing is you

Microsoft is committed to making cybersecurity a viable career path for everyone. Creating a safer online world requires all of us, from every background, to bring to this mission the diverse skills, perspectives, and life experiences we each embody so that we can defeat tomorrow’s cyberthreats. In the spirit of Cybersecurity Awareness Month, I hope you’ll share this post with friends, family, colleagues, or anyone with an interest in exploring a career in cybersecurity. There is so much opportunity to be a cyber defender.

Learn more

To learn about educational and professional cybersecurity opportunities at Microsoft, check out our Cybersecurity Awareness website for education resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. Cybersecurity Skills Gap Report, Fortinet. 2022.

2. Innovation Through Inclusion: The Multicultural Cybersecurity Workforce, Frost & Sullivan. 2018.

3. Information Security Analyst Demographics and Statistics in the US, Zippia. September 9, 2022.

4. Microsoft builds fast-track to six-figure cybersecurity jobs at more than 180 colleges, Meghan Malas, Fortune. September 8, 2022.

5. Microsoft Joins Abbott, Raytheon to Prepare HBCU Students for Cybersecurity Roles, Mikayla Gruber. June 6, 2022.

The post The door is open for anyone to become a cyber defender appeared first on Microsoft Security Blog.